This context information is very relevant when deciding if a redundant dependency needs to be removed or not, specifically for the inet, bridge and netdev families. This new parameter is used by follow up patch entitled ("payload: add payload_should_dependency_kill()").
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 include/payload.h | 7 ++++---
 src/netlink.c | 2 +-
 src/netlink_delinearize.c | 18 +++++++++++-------
 src/payload.c | 14 ++++++++------
 4 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/include/payload.h b/include/payload.h
index 8e357aef461e..294ff2706e30 100644
--- a/include/payload.h
+++ b/include/payload.h
@@ -41,11 +41,12 @@ extern void payload_dependency_store(struct payload_dep_ctx *ctx,
 struct stmt *stmt,
 enum proto_bases base);
 extern void __payload_dependency_kill(struct payload_dep_ctx *ctx,
- enum proto_bases base);
+ enum proto_bases base,
+ unsigned int family);
 extern void payload_dependency_kill(struct payload_dep_ctx *ctx,
- struct expr *expr);
+ struct expr *expr, unsigned int family);
 extern void exthdr_dependency_kill(struct payload_dep_ctx *ctx,
- struct expr *expr);
+ struct expr *expr, unsigned int family);
 extern bool payload_can_merge(const struct expr *e1, const struct expr *e2);
 extern struct expr *payload_expr_join(const struct expr *e1,
diff --git a/src/netlink.c b/src/netlink.c
index 488ae6f3971f..233bfd2df764 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -2768,7 +2768,7 @@ next:
 pctx->pbase == PROTO_BASE_INVALID) {
 payload_dependency_store(pctx, stmt, base - stacked);
 } else {
- payload_dependency_kill(pctx, lhs);
+ payload_dependency_kill(pctx, lhs, ctx->family);
 if (lhs->flags & EXPR_F_PROTOCOL)
 payload_dependency_store(pctx, stmt, base - stacked);
 }
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 256552b5b46e..8d11969e0fb1 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
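Review bot: In the src/netlink.c hunk the call `payload_dependency_kill(pctx, lhs, ctx->family)` uses `pctx` for the dependency context and `ctx` for the source of the family, while every call in src/netlink_delinearize.c uses `ctx->pdctx` for the dependency context and `ctx->pctx.family` for the family, so the short name `pctx` means two different things across the files this patch touches. The commit message says the family will decide whether a dependency is dropped, so a reader comparing call sites has to check that `ctx->family` here is the same kind of value as `ctx->pctx.family` there. The enclosing function starts outside the hunk, so that cannot be confirmed from this page. If `ctx` is indeed the protocol context, renaming the local in a separate cleanup so the call reads `payload_dependency_kill(pdctx, lhs, ctx->family);` would remove the ambiguity.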
@@ -1352,7 +1352,8 @@ static void payload_match_expand(struct rule_pp_ctx *ctx,
 left->flags & EXPR_F_PROTOCOL) {
 payload_dependency_store(&ctx->pdctx, nstmt, base - stacked);
 } else {
- payload_dependency_kill(&ctx->pdctx, nexpr->left);
+ payload_dependency_kill(&ctx->pdctx, nexpr->left,
+ ctx->pctx.family);
 if (expr->op == OP_EQ && left->flags & EXPR_F_PROTOCOL)
 payload_dependency_store(&ctx->pdctx, nstmt, base - stacked);
 }
@@ -1383,7 +1384,7 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx,
 payload_expr_complete(payload, &ctx->pctx);
 expr_set_type(expr->right, payload->dtype, payload->byteorder);
- payload_dependency_kill(&ctx->pdctx, payload);
+ payload_dependency_kill(&ctx->pdctx, payload, ctx->pctx.family);
 break;
 }
 }
@@ -1406,7 +1407,8 @@ static void ct_meta_common_postprocess(struct rule_pp_ctx *ctx,
 left->flags & EXPR_F_PROTOCOL) {
 payload_dependency_store(&ctx->pdctx, ctx->stmt, base);
 } else if (ctx->pdctx.pbase < PROTO_BASE_TRANSPORT_HDR) {
- __payload_dependency_kill(&ctx->pdctx, base);
+ __payload_dependency_kill(&ctx->pdctx, base,
+ ctx->pctx.family);
 if (left->flags & EXPR_F_PROTOCOL)
 payload_dependency_store(&ctx->pdctx, ctx->stmt, base);
 }
@@ -1814,7 +1816,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
 break;
 case EXPR_PAYLOAD:
 payload_expr_complete(expr, &ctx->pctx);
- payload_dependency_kill(&ctx->pdctx, expr);
+ payload_dependency_kill(&ctx->pdctx, expr, ctx->pctx.family);
 break;
 case EXPR_VALUE:
 // FIXME
@@ -1837,7 +1839,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
 expr_postprocess(ctx, &expr->key);
 break;
 case EXPR_EXTHDR:
- exthdr_dependency_kill(&ctx->pdctx, expr);
+ exthdr_dependency_kill(&ctx->pdctx, expr, ctx->pctx.family);
 break;
 case EXPR_SET_REF:
 case EXPR_META:
@@ -1870,14 +1872,16 @@ static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
 stmt->reject.expr->dtype = &icmp_code_type;
 if (stmt->reject.type == NFT_REJECT_TCP_RST)
 __payload_dependency_kill(&rctx->pdctx,
- PROTO_BASE_TRANSPORT_HDR);
+ PROTO_BASE_TRANSPORT_HDR,
+ rctx->pctx.family);
 break;
 case NFPROTO_IPV6:
 stmt->reject.family = rctx->pctx.family;
 stmt->reject.expr->dtype = &icmpv6_code_type;
 if (stmt->reject.type == NFT_REJECT_TCP_RST)
 __payload_dependency_kill(&rctx->pdctx,
- PROTO_BASE_TRANSPORT_HDR);
+ PROTO_BASE_TRANSPORT_HDR,
+ rctx->pctx.family);
 break;
 case NFPROTO_INET:
 if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
diff --git a/src/payload.c b/src/payload.c
index 60090accbcd8..df3c8136c88c 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -438,7 +438,7 @@ void payload_dependency_store(struct payload_dep_ctx *ctx,
 * implies its existance.
 */
 void __payload_dependency_kill(struct payload_dep_ctx *ctx,
- enum proto_bases base)
+ enum proto_bases base, unsigned int family)
 {
 if (ctx->pbase != PROTO_BASE_INVALID &&
 ctx->pbase == base &&
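Review bot: The new `family` argument of `__payload_dependency_kill()` in src/payload.c is not referenced by any changed line of the function, so at this commit it is an unused parameter (a build with `-Wunused-parameter` would flag it), and the comment ending with `implies its existance.` just above the signature says nothing about it. The commit message defers the use to a follow-up patch; until then I would extend that comment, in its existing style, with a line such as `* @family: NFPROTO_* family of the protocol context; not consulted yet`, and put the same description next to the three prototypes in include/payload.h. Stating which value is expected matters because, per the commit message, it will decide whether a dependency is removed for inet, bridge and netdev rules. The wrappers in the following src/payload.c hunk only forward the argument, and the body of this function continues past the end of the hunk.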
@@ -453,19 +453,21 @@ void __payload_dependency_kill(struct payload_dep_ctx *ctx,
 }
 }
-void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr)
+void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
+ unsigned int family)
 {
- __payload_dependency_kill(ctx, expr->payload.base);
+ __payload_dependency_kill(ctx, expr->payload.base, family);
 }
-void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr)
+void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
+ unsigned int family)
 {
 switch (expr->exthdr.op) {
 case NFT_EXTHDR_OP_TCPOPT:
- __payload_dependency_kill(ctx, PROTO_BASE_TRANSPORT_HDR);
+ __payload_dependency_kill(ctx, PROTO_BASE_TRANSPORT_HDR, family);
 break;
 case NFT_EXTHDR_OP_IPV6:
- __payload_dependency_kill(ctx, PROTO_BASE_NETWORK_HDR);
+ __payload_dependency_kill(ctx, PROTO_BASE_NETWORK_HDR, family);
 break;
 default:
 break;
--
2.11.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html