From b5f2faea325a315bfb932ebc634f3298d4824cae Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 1 Mar 2022 18:59:31 +0100
Subject: nft: Simplify immediate parsing
Implementations of parse_immediate callback are mostly trivial, the only relevant part is access to family-specific parts of struct iptables_command_state when setting goto flag for iptables and ip6tables. Refactor them into simple set_goto_flag callbacks.
Signed-off-by: Phil Sutter
Acked-by: Florian Westphal
---
iptables/nft-arp.c | 9 ---------
iptables/nft-bridge.c | 9 ---------
iptables/nft-ipv4.c | 12 +++---------
iptables/nft-ipv6.c | 12 +++---------
iptables/nft-shared.c | 17 +++++++----------
iptables/nft-shared.h | 2 +-
6 files changed, 14 insertions(+), 47 deletions(-)
(limited to 'iptables')
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 1472b115..78509ce9 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -182,14 +182,6 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 fw->arp.invflags |= flags;
 }
-static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
-{
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-}
-
 static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask)
 {
 mask->s_addr = ctx->bitwise.mask[0];
@@ -797,7 +789,6 @@ struct nft_family_ops nft_family_ops_arp = {
 .print_payload = NULL,
 .parse_meta = nft_arp_parse_meta,
 .parse_payload = nft_arp_parse_payload,
- .parse_immediate = nft_arp_parse_immediate,
 .print_header = nft_arp_print_header,
 .print_rule = nft_arp_print_rule,
 .save_rule = nft_arp_save_rule,
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 90d55e44..d6a0d6e5 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -251,14 +251,6 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
 }
 }
-static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
-{
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-}
-
 /* return 0 if saddr, 1 if daddr, -1 on error */
 static int lookup_check_ether_payload(uint32_t base, uint32_t offset, uint32_t len)
@@ -891,7 +883,6 @@ struct nft_family_ops nft_family_ops_bridge = {
 .print_payload = NULL,
 .parse_meta = nft_bridge_parse_meta,
 .parse_payload = nft_bridge_parse_payload,
- .parse_immediate = nft_bridge_parse_immediate,
 .parse_lookup = nft_bridge_parse_lookup,
 .parse_match = nft_bridge_parse_match,
 .parse_target = nft_bridge_parse_target,
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index f374d468..bdb105f8 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -215,15 +215,9 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
 }
 }
-static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
+static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
 {
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-
- if (nft_goto)
- cs->fw.ip.flags |= IPT_F_GOTO;
+ cs->fw.ip.flags |= IPT_F_GOTO;
 }
 static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
@@ -450,7 +444,7 @@ struct nft_family_ops nft_family_ops_ipv4 = {
 .is_same = nft_ipv4_is_same,
 .parse_meta = nft_ipv4_parse_meta,
 .parse_payload = nft_ipv4_parse_payload,
- .parse_immediate = nft_ipv4_parse_immediate,
+ .set_goto_flag = nft_ipv4_set_goto_flag,
 .print_header = print_header,
 .print_rule = nft_ipv4_print_rule,
 .save_rule = nft_ipv4_save_rule,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 9ecc754f..a5323171 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -180,15 +180,9 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 }
 }
-static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
+static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
 {
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-
- if (nft_goto)
- cs->fw6.ipv6.flags |= IP6T_F_GOTO;
+ cs->fw6.ipv6.flags |= IP6T_F_GOTO;
 }
 static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
@@ -418,7 +412,7 @@ struct nft_family_ops nft_family_ops_ipv6 = {
 .is_same = nft_ipv6_is_same,
 .parse_meta = nft_ipv6_parse_meta,
 .parse_payload = nft_ipv6_parse_payload,
- .parse_immediate = nft_ipv6_parse_immediate,
+ .set_goto_flag = nft_ipv6_set_goto_flag,
 .print_header = print_header,
 .print_rule = nft_ipv6_print_rule,
 .save_rule = nft_ipv6_save_rule,
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 746a948c..daa251ae 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -906,9 +906,7 @@ static void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters
 static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 {
 const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN);
- const char *jumpto = NULL;
- bool nft_goto = false;
- void *data = ctx->cs;
+ struct iptables_command_state *cs = ctx->cs;
 int verdict;
 if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) {
@@ -931,23 +929,22 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 /* Standard target? */
 switch(verdict) {
 case NF_ACCEPT:
- jumpto = "ACCEPT";
+ cs->jumpto = "ACCEPT";
 break;
 case NF_DROP:
- jumpto = "DROP";
+ cs->jumpto = "DROP";
 break;
 case NFT_RETURN:
- jumpto = "RETURN";
+ cs->jumpto = "RETURN";
 break;;
 case NFT_GOTO:
- nft_goto = true;
+ if (ctx->h->ops->set_goto_flag)
+ ctx->h->ops->set_goto_flag(cs);
 /* fall through */
 case NFT_JUMP:
- jumpto = chain;
+ cs->jumpto = chain;
 break;
 }
-
- ctx->h->ops->parse_immediate(jumpto, nft_goto, data);
 }
 static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 0788e98a..04b1d97f 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -93,7 +93,7 @@ struct nft_family_ops {
 void *data);
 void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, void *data);
- void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
+ void (*set_goto_flag)(struct iptables_command_state *cs);
 void (*print_table_header)(const char *tablename);
 void (*print_header)(unsigned int format, const char *chain,
-- cgit v1.2.3
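Review bot: The rewritten switch in nft_parse_immediate has no `default:` arm, so for a verdict outside the five listed cases `cs->jumpto` now keeps whatever it already held, whereas the removed code always ended with the family callback assigning `jumpto` (NULL in that case). If anything downstream relies on a cleared target for verdicts with no iptables equivalent, a rule listing could show a stale target and give the operator a wrong picture of the ruleset. Adding `default: cs->jumpto = NULL; break;` would keep the old behaviour; otherwise a comment should say that leaving it untouched is intended. The function starts in the previous hunk and the lines between the two hunks are not shown, so the initial value of `cs->jumpto` cannot be confirmed from here. The doubled semicolon in `break;;` under `case NFT_RETURN:` is untouched context but could be cleaned up in the same pass.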
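Review bot: The new `set_goto_flag` member is optional, but nothing at its declaration says so. As far as the hunks show, the arp and bridge ops tables drop `.parse_immediate` without setting the new member, and nft_parse_immediate tests it for NULL before calling. The ipv4 and ipv6 implementations also set their flag unconditionally, so they depend on being called only for NFT_GOTO. A comment above the member would record both points, for example `/* optional; called only for NFT_GOTO verdicts, sets the family's goto flag in cs */`, so a later caller does not invoke it unguarded or for another verdict. struct nft_family_ops begins and ends outside this hunk.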