diff options
author | Phil Sutter <phil@nwl.cc> | 2020-10-30 14:08:33 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2020-11-04 15:39:23 +0100 |
commit | 274cb05edc58d6fa982a34c84b2f4cf6acc3e335 (patch) | |
tree | c6575d918216e25f5328a4e19fe94f6c58fee92d /iptables/nft-ipv6.c | |
parent | 323259001d617ae359430a03ee3d3e7f107684e0 (diff) |
ebtables: Optimize masked MAC address matches
Just like with class-based prefix matches in iptables-nft, optimize
masked MAC address matches if the mask is on a byte-boundary.
To reuse the logic in add_addr(), extend it to accept the payload base
value via parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft-ipv6.c')
-rw-r--r-- | iptables/nft-ipv6.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index c877ec6d..130ad3e6 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -51,7 +51,8 @@ static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data) !IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.smsk) || (cs->fw6.ipv6.invflags & IPT_INV_SRCIP)) { op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_SRCIP); - add_addr(r, offsetof(struct ip6_hdr, ip6_src), + add_addr(r, NFT_PAYLOAD_NETWORK_HEADER, + offsetof(struct ip6_hdr, ip6_src), &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk, sizeof(struct in6_addr), op); } @@ -59,7 +60,8 @@ static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data) !IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.dmsk) || (cs->fw6.ipv6.invflags & IPT_INV_DSTIP)) { op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_DSTIP); - add_addr(r, offsetof(struct ip6_hdr, ip6_dst), + add_addr(r, NFT_PAYLOAD_NETWORK_HEADER, + offsetof(struct ip6_hdr, ip6_dst), &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk, sizeof(struct in6_addr), op); } |