This is a minimal variant of struct nft_expr for use in ruleset blob. Signed-off-by: Phil Sutter <phil@xxxxxx> --- include/net/netfilter/nf_tables.h | 9 ++++++++- net/netfilter/nf_tables_api.c | 11 ++++++++--- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 3efdc68497148..d4da396052018 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -338,6 +338,8 @@ struct nft_set_estimate { #define NFT_EXPR_SIZE(size) size #define NFT_EXPR_FULL_SIZE(size) (sizeof(struct nft_expr) + \ ALIGN(size, __alignof__(struct nft_expr))) +#define NFT_EXPR_DP_SIZE(size) (sizeof(struct nft_expr_dp) + \ + ALIGN(size, __alignof__(struct nft_expr_dp))) /** * struct nft_expr - nf_tables expression @@ -993,12 +995,17 @@ static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext, #define NFT_CHAIN_POLICY_UNSET U8_MAX +struct nft_expr_dp { + const struct nft_expr_ops *ops; + unsigned char data[] __aligned(__alignof__(u64)); +}; + struct nft_rule_dp { u64 is_last:1, dlen:12, handle:42; /* for tracing */ unsigned char data[] - __attribute__((aligned(__alignof__(struct nft_expr)))); + __aligned(__alignof__(struct nft_expr_dp)); }; struct nft_rule_blob { diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 609fc9137ac01..ba2f712823776 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -8363,6 +8363,7 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha struct nft_regs_track track = {}; void *data, *data_boundary; struct nft_rule_dp *prule; + struct nft_expr_dp *pexpr; struct nft_rule *rule; /* already handled or inactive chain? */ @@ -8372,7 +8373,9 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha data_size = 0; list_for_each_entry(rule, &chain->rules, list) { if (nft_is_active_next(net, rule)) { - data_size += sizeof(*prule) + rule->dlen; + data_size += sizeof(*prule); + nft_rule_for_each_expr(expr, last, rule) + data_size += NFT_EXPR_DP_SIZE(expr->ops->size); if (data_size > INT_MAX) return -ENOMEM; } @@ -8406,11 +8409,13 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha continue; } - expr_size = NFT_EXPR_FULL_SIZE(expr->ops->size); + expr_size = NFT_EXPR_DP_SIZE(expr->ops->size); if (WARN_ON_ONCE(data + expr_size > data_boundary)) return -ENOMEM; - memcpy(data + size, expr, expr_size); + pexpr = (struct nft_expr_dp *)(data + size); + pexpr->ops = expr->ops; + memcpy(pexpr->data, expr->data, expr->ops->size); size += expr_size; } if (WARN_ON_ONCE(size >= 1 << 12)) -- 2.34.1