author | Phil Sutter <phil@nwl.cc> | 2020-10-30 14:08:33 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2020-11-04 15:39:23 +0100 |
commit | 274cb05edc58d6fa982a34c84b2f4cf6acc3e335 (patch) | |
tree | c6575d918216e25f5328a4e19fe94f6c58fee92d /iptables/nft-bridge.c | |
parent | 323259001d617ae359430a03ee3d3e7f107684e0 (diff) |
ebtables: Optimize masked MAC address matches
Just like with class-based prefix matches in iptables-nft, optimize
masked MAC address matches if the mask is on a byte-boundary.
To reuse the logic in add_addr(), extend it to accept the payload base
value via parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft-bridge.c')
-rw-r--r-- | iptables/nft-bridge.c | 22 |
1 files changed, 10 insertions, 12 deletions
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index dbf11eb5..c1a2c209 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -159,20 +159,16 @@ static int nft_bridge_add(struct nft_handle *h,
 if (fw->bitmask & EBT_ISOURCE) {
 op = nft_invflags2cmp(fw->invflags, EBT_ISOURCE);
- add_payload(r, offsetof(struct ethhdr, h_source), 6,
- NFT_PAYLOAD_LL_HEADER);
- if (!mac_all_ones(fw->sourcemsk))
- add_bitwise(r, fw->sourcemsk, 6);
- add_cmp_ptr(r, op, fw->sourcemac, 6);
+ add_addr(r, NFT_PAYLOAD_LL_HEADER,
+ offsetof(struct ethhdr, h_source),
+ fw->sourcemac, fw->sourcemsk, ETH_ALEN, op);
 }
 if (fw->bitmask & EBT_IDEST) {
 op = nft_invflags2cmp(fw->invflags, EBT_IDEST);
- add_payload(r, offsetof(struct ethhdr, h_dest), 6,
- NFT_PAYLOAD_LL_HEADER);
- if (!mac_all_ones(fw->destmsk))
- add_bitwise(r, fw->destmsk, 6);
- add_cmp_ptr(r, op, fw->destmac, 6);
+ add_addr(r, NFT_PAYLOAD_LL_HEADER,
+ offsetof(struct ethhdr, h_dest),
+ fw->destmac, fw->destmsk, ETH_ALEN, op);
 }
 if ((fw->bitmask & EBT_NOPROTO) == 0) {
@@ -258,7 +254,8 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
 memcpy(fw->destmsk, ctx->bitwise.mask, ETH_ALEN);
 ctx->flags &= ~NFT_XT_CTX_BITWISE;
 } else {
- memset(&fw->destmsk, 0xff, ETH_ALEN);
+ memset(&fw->destmsk, 0xff,
+ min(ctx->payload.len, ETH_ALEN));
 }
 fw->bitmask |= EBT_IDEST;
 break;
@@ -272,7 +269,8 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
 memcpy(fw->sourcemsk, ctx->bitwise.mask, ETH_ALEN);
 ctx->flags &= ~NFT_XT_CTX_BITWISE;
 } else {
- memset(&fw->sourcemsk, 0xff, ETH_ALEN);
+ memset(&fw->sourcemsk, 0xff,
+ min(ctx->payload.len, ETH_ALEN));
 }
 fw->bitmask |= EBT_ISOURCE;
 break; |
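Review bot: In nft_bridge_add the two new `add_addr()` calls leave the payload length to a helper defined outside this file, so the call site no longer shows that a masked MAC match may be emitted as a shorter payload with no bitwise expression. The removed code always loaded 6 bytes; going by the commit description the helper trims to the byte-aligned part of the mask, so an all-zero mask with EBT_ISOURCE or EBT_IDEST set would presumably produce a zero-length payload. That should be confirmed against `add_addr()` and, if true, skipped or rejected before the call. A short comment above the first call would help, e.g. `/* add_addr() may shorten the payload to the mask's leading 0xff bytes */`. The function body starts and continues outside the hunk.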
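Review bot: The shortened `memset()` in the `else` branch for `h_dest` (and the identical one for `h_source` in the next hunk) fills only the first `ctx->payload.len` bytes of the mask and relies on the rest of `fw->destmsk` already being zero, which nothing in the hunk guarantees. If `fw` is not zeroed by the caller, the mask shown when rules are listed would differ from what the kernel enforces, which matters to anyone auditing MAC filters from that output. Clearing first makes the intent explicit: `memset(fw->destmsk, 0, ETH_ALEN);` ahead of the 0xff fill, and the same for `sourcemsk`. `ctx->payload.len` comes from the parsed rule, so bounding it with `min()` against `ETH_ALEN` is the right upper guard; `&fw->destmsk` could also be written `fw->destmsk` to match the `memcpy()` line above it. nft_bridge_parse_payload starts and ends outside the hunk.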