author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-02-14 16:26:31 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-02-15 16:29:32 +0100 |
commit | 3ddc637cc42cd0a854ea2e7232a855330bfe22e5 (patch) | |
tree | 5b0475f874fc50256776065ebb32d7a4cf770afb /src | |
parent | fb16c8b7f795e0dba5a2acea1b156a8796e75195 (diff) |
src: pass family to payload_dependency_kill()
This context information is very relevant when deciding if a redundant
dependency needs to be removed or not, specifically for the inet, bridge
and netdev families. This new parameter is used by the follow-up patch
entitled ("payload: add payload_may_dependency_kill()").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/netlink.c | 2 | ||||
-rw-r--r-- | src/netlink_delinearize.c | 18 | ||||
-rw-r--r-- | src/payload.c | 14 |
3 files changed, 20 insertions, 14 deletions
diff --git a/src/netlink.c b/src/netlink.c index 488ae6f3..233bfd2d 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -2768,7 +2768,7 @@ next: pctx->pbase == PROTO_BASE_INVALID) { payload_dependency_store(pctx, stmt, base - stacked); } else { - payload_dependency_kill(pctx, lhs); + payload_dependency_kill(pctx, lhs, ctx->family); if (lhs->flags & EXPR_F_PROTOCOL) payload_dependency_store(pctx, stmt, base - stacked); } diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 256552b5..8d11969e 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1352,7 +1352,8 @@ static void payload_match_expand(struct rule_pp_ctx *ctx, left->flags & EXPR_F_PROTOCOL) { payload_dependency_store(&ctx->pdctx, nstmt, base - stacked); } else { - payload_dependency_kill(&ctx->pdctx, nexpr->left); + payload_dependency_kill(&ctx->pdctx, nexpr->left, + ctx->pctx.family); if (expr->op == OP_EQ && left->flags & EXPR_F_PROTOCOL) payload_dependency_store(&ctx->pdctx, nstmt, base - stacked); } @@ -1383,7 +1384,7 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, payload_expr_complete(payload, &ctx->pctx); expr_set_type(expr->right, payload->dtype, payload->byteorder); - payload_dependency_kill(&ctx->pdctx, payload); + payload_dependency_kill(&ctx->pdctx, payload, ctx->pctx.family); break; } } @@ -1406,7 +1407,8 @@ static void ct_meta_common_postprocess(struct rule_pp_ctx *ctx, left->flags & EXPR_F_PROTOCOL) { payload_dependency_store(&ctx->pdctx, ctx->stmt, base); } else if (ctx->pdctx.pbase < PROTO_BASE_TRANSPORT_HDR) { - __payload_dependency_kill(&ctx->pdctx, base); + __payload_dependency_kill(&ctx->pdctx, base, + ctx->pctx.family); if (left->flags & EXPR_F_PROTOCOL) payload_dependency_store(&ctx->pdctx, ctx->stmt, base); } 
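Review bot: The new `family` argument is read from two different places: `ctx->family` in the netlink.c hunk and `ctx->pctx.family` in the three netlink_delinearize.c hunks on this line (and again in the later `expr_postprocess` and `stmt_reject_postprocess` hunks). In netlink.c `pctx` is passed as the dependency context and `ctx` is a separate object, while in netlink_delinearize.c `pctx` is a member of `ctx`, so the call sites alone do not show that both values are the same family. A one-line comment at the netlink.c call such as `/* ctx->family: family of the table this rule belongs to */` would make that explicit; the wording needs confirming against the struct definition, which is outside these hunks. The commit message says this value will decide whether a dependency is dropped, so a mismatch would presumably surface as a listed rule that omits or keeps a protocol match differently from what was loaded, which matters when the listing is audited or saved and restored.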
@@ -1814,7 +1816,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
 break;
 case EXPR_PAYLOAD:
 payload_expr_complete(expr, &ctx->pctx);
- payload_dependency_kill(&ctx->pdctx, expr);
+ payload_dependency_kill(&ctx->pdctx, expr, ctx->pctx.family);
 break;
 case EXPR_VALUE:
 // FIXME
@@ -1837,7 +1839,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
 expr_postprocess(ctx, &expr->key);
 break;
 case EXPR_EXTHDR:
- exthdr_dependency_kill(&ctx->pdctx, expr);
+ exthdr_dependency_kill(&ctx->pdctx, expr, ctx->pctx.family);
 break;
 case EXPR_SET_REF:
 case EXPR_META:
@@ -1870,14 +1872,16 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 stmt->reject.expr->dtype = &icmp_code_type;
 if (stmt->reject.type == NFT_REJECT_TCP_RST)
 __payload_dependency_kill(&rctx->pdctx,
- PROTO_BASE_TRANSPORT_HDR);
+ PROTO_BASE_TRANSPORT_HDR,
+ rctx->pctx.family);
 break;
 case NFPROTO_IPV6:
 stmt->reject.family = rctx->pctx.family;
 stmt->reject.expr->dtype = &icmpv6_code_type;
 if (stmt->reject.type == NFT_REJECT_TCP_RST)
 __payload_dependency_kill(&rctx->pdctx,
- PROTO_BASE_TRANSPORT_HDR);
+ PROTO_BASE_TRANSPORT_HDR,
+ rctx->pctx.family);
 break;
 case NFPROTO_INET:
 if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
diff --git a/src/payload.c b/src/payload.c
index 60090acc..df3c8136 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -438,7 +438,7 @@ void payload_dependency_store(struct payload_dep_ctx *ctx,
 * implies its existance.
 */
 void __payload_dependency_kill(struct payload_dep_ctx *ctx,
- enum proto_bases base)
+ enum proto_bases base, unsigned int family)
 {
 if (ctx->pbase != PROTO_BASE_INVALID &&
 ctx->pbase == base &&
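Review bot: `__payload_dependency_kill()` in src/payload.c now takes `unsigned int family`, but nothing in the visible part of its body reads it, and the doc comment that closes just above the signature is not touched by this hunk. The body continues outside the hunk and the commit message defers the use to a follow-up patch, so until that lands builds with `-Wunused-parameter` will presumably warn. I would extend that comment, in whatever style it already uses, with a line such as `family: NFPROTO_* family of the table, used to decide whether the dependency is redundant`. `payload_dependency_kill()` and `exthdr_dependency_kill()` in the next hunk need the same one-line description, since every caller now has to know which family to pass.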
@@ -453,19 +453,21 @@ void __payload_dependency_kill(struct payload_dep_ctx *ctx, } } -void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr) +void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr, + unsigned int family) { - __payload_dependency_kill(ctx, expr->payload.base); + __payload_dependency_kill(ctx, expr->payload.base, family); } -void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr) +void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr, + unsigned int family) { switch (expr->exthdr.op) { case NFT_EXTHDR_OP_TCPOPT: - __payload_dependency_kill(ctx, PROTO_BASE_TRANSPORT_HDR); + __payload_dependency_kill(ctx, PROTO_BASE_TRANSPORT_HDR, family); break; case NFT_EXTHDR_OP_IPV6: - __payload_dependency_kill(ctx, PROTO_BASE_NETWORK_HDR); + __payload_dependency_kill(ctx, PROTO_BASE_NETWORK_HDR, family); break; default: break; |