authorPhil Sutter <>2020-10-30 14:08:33 +0100
committerPhil Sutter <>2020-11-04 15:39:23 +0100
commit274cb05edc58d6fa982a34c84b2f4cf6acc3e335 (patch)
treec6575d918216e25f5328a4e19fe94f6c58fee92d /iptables/nft-shared.c
parent323259001d617ae359430a03ee3d3e7f107684e0 (diff)
ebtables: Optimize masked MAC address matches
Just like with class-based prefix matches in iptables-nft, optimize masked MAC address matches if the mask is on a byte-boundary. To reuse the logic in add_addr(), extend it to accept the payload base value via parameter. Signed-off-by: Phil Sutter <>
Diffstat (limited to 'iptables/nft-shared.c')
1 files changed, 2 insertions, 3 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 545e9c60..10553ab2 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -20,7 +20,6 @@
#include <xtables.h>
-#include <linux/netfilter/nf_tables.h>
#include <linux/netfilter/xt_comment.h>
#include <linux/netfilter/xt_limit.h>
@@ -162,7 +161,7 @@ void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op)
add_cmp_ptr(r, op, iface, iface_len + 1);
-void add_addr(struct nftnl_rule *r, int offset,
+void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
void *data, void *mask, size_t len, uint32_t op)
const unsigned char *m = mask;
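Review bot: The new `base` parameter turns add_addr() into a generic helper, but nothing at the definition says which header `offset` is relative to or that `mask` must cover `len` bytes, and `mask` is read through `m` with no check. I would add above the signature: `/* Match len bytes at offset in the header selected by base; data and mask must each be len bytes long. */`. The first hunk also drops `<linux/netfilter/nf_tables.h>` while this signature now names `enum nft_payload_bases`, so the enum has to arrive through another header (presumably nft-shared.h, which this limited diff does not show). It is worth confirming the file does not rely on an indirect include. The function body continues outside the hunk.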
@@ -179,7 +178,7 @@ void add_addr(struct nftnl_rule *r, int offset,
if (!bitwise)
len = i;
- add_payload(r, offset, len, NFT_PAYLOAD_NETWORK_HEADER);
+ add_payload(r, offset, len, base);
if (bitwise)
add_bitwise(r, mask, len);
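Review bot: `len = i;` goes unchanged into `add_payload(r, offset, len, base)`, so if the mask scan above this hunk can end with `i == 0` (an all-zero mask), a zero-length payload expression would be emitted. With this commit that path would also be reachable for MAC masks taken from ebtables rules. The loop that sets `i` is outside the hunk, so this is an inference to confirm against the callers. If it is reachable, state the contract at the assignment, e.g. `/* len shrinks to the leading 0xff bytes; callers must not pass an all-zero mask */`, or reject such a mask in the caller before add_addr() is called, keeping in mind that an inverted `op` must still behave as intended. add_addr() ends after the hunk.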