netfilter: nf_tables: use hook state from xt_action_param structure
authorPablo Neira Ayuso <pablo@netfilter.org>
Thu, 3 Nov 2016 09:56:26 +0000 (10:56 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 3 Nov 2016 10:52:34 +0000 (11:52 +0100)
Don't copy relevant fields from hook state structure, instead use the
one that is already available in struct xt_action_param.

This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
24 files changed:
include/net/netfilter/nf_tables.h
net/bridge/netfilter/nft_meta_bridge.c
net/bridge/netfilter/nft_reject_bridge.c
net/ipv4/netfilter/nft_dup_ipv4.c
net/ipv4/netfilter/nft_fib_ipv4.c
net/ipv4/netfilter/nft_masq_ipv4.c
net/ipv4/netfilter/nft_redir_ipv4.c
net/ipv4/netfilter/nft_reject_ipv4.c
net/ipv6/netfilter/nft_dup_ipv6.c
net/ipv6/netfilter/nft_fib_ipv6.c
net/ipv6/netfilter/nft_masq_ipv6.c
net/ipv6/netfilter/nft_redir_ipv6.c
net/ipv6/netfilter/nft_reject_ipv6.c
net/netfilter/nf_dup_netdev.c
net/netfilter/nf_tables_core.c
net/netfilter/nf_tables_trace.c
net/netfilter/nft_fib.c
net/netfilter/nft_fib_inet.c
net/netfilter/nft_log.c
net/netfilter/nft_lookup.c
net/netfilter/nft_meta.c
net/netfilter/nft_queue.c
net/netfilter/nft_reject_inet.c
net/netfilter/nft_rt.c

index 44060344f958aecea315c00fc3e67f67b8adef0f..3295fb85bff6183a4a39e8476f8619ab5a83e1f1 100644 (file)
 
 struct nft_pktinfo {
        struct sk_buff                  *skb;
-       struct net                      *net;
-       const struct net_device         *in;
-       const struct net_device         *out;
-       u8                              pf;
-       u8                              hook;
        bool                            tprot_set;
        u8                              tprot;
        /* for x_tables compatibility */
        struct xt_action_param          xt;
 };
 
+static inline struct net *nft_net(const struct nft_pktinfo *pkt)
+{
+       return pkt->xt.state->net;
+}
+
+static inline unsigned int nft_hook(const struct nft_pktinfo *pkt)
+{
+       return pkt->xt.state->hook;
+}
+
+static inline u8 nft_pf(const struct nft_pktinfo *pkt)
+{
+       return pkt->xt.state->pf;
+}
+
+static inline const struct net_device *nft_in(const struct nft_pktinfo *pkt)
+{
+       return pkt->xt.state->in;
+}
+
+static inline const struct net_device *nft_out(const struct nft_pktinfo *pkt)
+{
+       return pkt->xt.state->out;
+}
+
 static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
                                   struct sk_buff *skb,
                                   const struct nf_hook_state *state)
 {
        pkt->skb = skb;
-       pkt->net = state->net;
-       pkt->in = state->in;
-       pkt->out = state->out;
-       pkt->hook = state->hook;
-       pkt->pf = state->pf;
        pkt->xt.state = state;
 }
 
index ad47a921b70152f7a802284a03ce690b03390d1c..5974dbc1ea240fa6b8b2d109891ab211a8d556ff 100644 (file)
@@ -23,7 +23,7 @@ static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
                                     const struct nft_pktinfo *pkt)
 {
        const struct nft_meta *priv = nft_expr_priv(expr);
-       const struct net_device *in = pkt->in, *out = pkt->out;
+       const struct net_device *in = nft_in(pkt), *out = nft_out(pkt);
        u32 *dest = &regs->data[priv->dreg];
        const struct net_bridge_port *p;
 
index 4b3df6b0e3b93cc47531950a9b4c8e6c9b5d1c13..206dc266ecd237c2874d25352dd631e3bc31b002 100644 (file)
@@ -315,17 +315,20 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr,
        case htons(ETH_P_IP):
                switch (priv->type) {
                case NFT_REJECT_ICMP_UNREACH:
-                       nft_reject_br_send_v4_unreach(pkt->net, pkt->skb,
-                                                     pkt->in, pkt->hook,
+                       nft_reject_br_send_v4_unreach(nft_net(pkt), pkt->skb,
+                                                     nft_in(pkt),
+                                                     nft_hook(pkt),
                                                      priv->icmp_code);
                        break;
                case NFT_REJECT_TCP_RST:
-                       nft_reject_br_send_v4_tcp_reset(pkt->net, pkt->skb,
-                                                       pkt->in, pkt->hook);
+                       nft_reject_br_send_v4_tcp_reset(nft_net(pkt), pkt->skb,
+                                                       nft_in(pkt),
+                                                       nft_hook(pkt));
                        break;
                case NFT_REJECT_ICMPX_UNREACH:
-                       nft_reject_br_send_v4_unreach(pkt->net, pkt->skb,
-                                                     pkt->in, pkt->hook,
+                       nft_reject_br_send_v4_unreach(nft_net(pkt), pkt->skb,
+                                                     nft_in(pkt),
+                                                     nft_hook(pkt),
                                                      nft_reject_icmp_code(priv->icmp_code));
                        break;
                }
@@ -333,17 +336,20 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr,
        case htons(ETH_P_IPV6):
                switch (priv->type) {
                case NFT_REJECT_ICMP_UNREACH:
-                       nft_reject_br_send_v6_unreach(pkt->net, pkt->skb,
-                                                     pkt->in, pkt->hook,
+                       nft_reject_br_send_v6_unreach(nft_net(pkt), pkt->skb,
+                                                     nft_in(pkt),
+                                                     nft_hook(pkt),
                                                      priv->icmp_code);
                        break;
                case NFT_REJECT_TCP_RST:
-                       nft_reject_br_send_v6_tcp_reset(pkt->net, pkt->skb,
-                                                       pkt->in, pkt->hook);
+                       nft_reject_br_send_v6_tcp_reset(nft_net(pkt), pkt->skb,
+                                                       nft_in(pkt),
+                                                       nft_hook(pkt));
                        break;
                case NFT_REJECT_ICMPX_UNREACH:
-                       nft_reject_br_send_v6_unreach(pkt->net, pkt->skb,
-                                                     pkt->in, pkt->hook,
+                       nft_reject_br_send_v6_unreach(nft_net(pkt), pkt->skb,
+                                                     nft_in(pkt),
+                                                     nft_hook(pkt),
                                                      nft_reject_icmpv6_code(priv->icmp_code));
                        break;
                }
index bf855e64fc45c86fbf286bc34b2bd96fbac17cff..7ab544fbc382ec2973476e52f9d816a0e5dfbb22 100644 (file)
@@ -30,7 +30,7 @@ static void nft_dup_ipv4_eval(const struct nft_expr *expr,
        };
        int oif = regs->data[priv->sreg_dev];
 
-       nf_dup_ipv4(pkt->net, pkt->skb, pkt->hook, &gw, oif);
+       nf_dup_ipv4(nft_net(pkt), pkt->skb, nft_hook(pkt), &gw, oif);
 }
 
 static int nft_dup_ipv4_init(const struct nft_ctx *ctx,
index db91fd42db6705f4e41a60be9134b5d6149463e0..1b49966484b3dec94cb7fc79e94fd085d45e1cb9 100644 (file)
@@ -45,9 +45,9 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
        __be32 addr;
 
        if (priv->flags & NFTA_FIB_F_IIF)
-               dev = pkt->in;
+               dev = nft_in(pkt);
        else if (priv->flags & NFTA_FIB_F_OIF)
-               dev = pkt->out;
+               dev = nft_out(pkt);
 
        iph = ip_hdr(pkt->skb);
        if (priv->flags & NFTA_FIB_F_DADDR)
@@ -55,7 +55,7 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
        else
                addr = iph->saddr;
 
-       *dst = inet_dev_addr_type(pkt->net, dev, addr);
+       *dst = inet_dev_addr_type(nft_net(pkt), dev, addr);
 }
 EXPORT_SYMBOL_GPL(nft_fib4_eval_type);
 
@@ -89,13 +89,13 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
         * Search results for the desired outinterface instead.
         */
        if (priv->flags & NFTA_FIB_F_OIF)
-               oif = pkt->out;
+               oif = nft_out(pkt);
        else if (priv->flags & NFTA_FIB_F_IIF)
-               oif = pkt->in;
+               oif = nft_in(pkt);
        else
                oif = NULL;
 
-       if (pkt->hook == NF_INET_PRE_ROUTING && fib4_is_local(pkt->skb)) {
+       if (nft_hook(pkt) == NF_INET_PRE_ROUTING && fib4_is_local(pkt->skb)) {
                nft_fib_store_result(dest, priv->result, pkt, LOOPBACK_IFINDEX);
                return;
        }
@@ -122,7 +122,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
                fl4.saddr = get_saddr(iph->daddr);
        }
 
-       if (fib_lookup(pkt->net, &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
+       if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
                return;
 
        switch (res.type) {
index 51ced81b616c5aeb3f9d38244f444c8263ec5dca..4f697e43181160530d7ecfb5752538c121402d03 100644 (file)
@@ -31,8 +31,8 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr,
                range.max_proto.all =
                        *(__be16 *)&regs->data[priv->sreg_proto_max];
        }
-       regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, pkt->hook,
-                                                   &range, pkt->out);
+       regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, nft_hook(pkt),
+                                                   &range, nft_out(pkt));
 }
 
 static struct nft_expr_type nft_masq_ipv4_type;
index c09d4381427ea91d522fc6fd6ff961541f24956a..16df0493c5cefe81b2e8e97e614862947fb57f46 100644 (file)
@@ -35,8 +35,7 @@ static void nft_redir_ipv4_eval(const struct nft_expr *expr,
 
        mr.range[0].flags |= priv->flags;
 
-       regs->verdict.code = nf_nat_redirect_ipv4(pkt->skb, &mr,
-                                                 pkt->hook);
+       regs->verdict.code = nf_nat_redirect_ipv4(pkt->skb, &mr, nft_hook(pkt));
 }
 
 static struct nft_expr_type nft_redir_ipv4_type;
index 2c2553b9026cc652b6917529f71eba487c1ce711..517ce93699de3da0d0477061b0b80c056560d796 100644 (file)
@@ -27,10 +27,10 @@ static void nft_reject_ipv4_eval(const struct nft_expr *expr,
 
        switch (priv->type) {
        case NFT_REJECT_ICMP_UNREACH:
-               nf_send_unreach(pkt->skb, priv->icmp_code, pkt->hook);
+               nf_send_unreach(pkt->skb, priv->icmp_code, nft_hook(pkt));
                break;
        case NFT_REJECT_TCP_RST:
-               nf_send_reset(pkt->net, pkt->skb, pkt->hook);
+               nf_send_reset(nft_net(pkt), pkt->skb, nft_hook(pkt));
                break;
        default:
                break;
index 8bfd470cbe726678c5da89dff4f24b9fa089b356..26074a8bada7930ece2db74aa4e6e25e6d15ede3 100644 (file)
@@ -28,7 +28,7 @@ static void nft_dup_ipv6_eval(const struct nft_expr *expr,
        struct in6_addr *gw = (struct in6_addr *)&regs->data[priv->sreg_addr];
        int oif = regs->data[priv->sreg_dev];
 
-       nf_dup_ipv6(pkt->net, pkt->skb, pkt->hook, gw, oif);
+       nf_dup_ipv6(nft_net(pkt), pkt->skb, nft_hook(pkt), gw, oif);
 }
 
 static int nft_dup_ipv6_init(const struct nft_ctx *ctx,
index ff1f1b6b4a4a5bca431ab1223bf8b956c7037ea4..d526bb594956b2a128444e826f65e9729bec88f4 100644 (file)
@@ -80,17 +80,17 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
                return RTN_UNREACHABLE;
 
        if (priv->flags & NFTA_FIB_F_IIF)
-               dev = pkt->in;
+               dev = nft_in(pkt);
        else if (priv->flags & NFTA_FIB_F_OIF)
-               dev = pkt->out;
+               dev = nft_out(pkt);
 
        nft_fib6_flowi_init(&fl6, priv, pkt, dev);
 
        v6ops = nf_get_ipv6_ops();
-       if (dev && v6ops && v6ops->chk_addr(pkt->net, &fl6.daddr, dev, true))
+       if (dev && v6ops && v6ops->chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
                ret = RTN_LOCAL;
 
-       route_err = afinfo->route(pkt->net, (struct dst_entry **)&rt,
+       route_err = afinfo->route(nft_net(pkt), (struct dst_entry **)&rt,
                                  flowi6_to_flowi(&fl6), false);
        if (route_err)
                goto err;
@@ -158,20 +158,20 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
        int lookup_flags;
 
        if (priv->flags & NFTA_FIB_F_IIF)
-               oif = pkt->in;
+               oif = nft_in(pkt);
        else if (priv->flags & NFTA_FIB_F_OIF)
-               oif = pkt->out;
+               oif = nft_out(pkt);
 
        lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif);
 
-       if (pkt->hook == NF_INET_PRE_ROUTING && fib6_is_local(pkt->skb)) {
+       if (nft_hook(pkt) == NF_INET_PRE_ROUTING && fib6_is_local(pkt->skb)) {
                nft_fib_store_result(dest, priv->result, pkt, LOOPBACK_IFINDEX);
                return;
        }
 
        *dest = 0;
  again:
-       rt = (void *)ip6_route_lookup(pkt->net, &fl6, lookup_flags);
+       rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, lookup_flags);
        if (rt->dst.error)
                goto put_rt_err;
 
index 9597ffb740773f37463706d26f29660a05f61abb..a2aff1277b405ac99a94d593034ab9a5238b0c4c 100644 (file)
@@ -32,7 +32,8 @@ static void nft_masq_ipv6_eval(const struct nft_expr *expr,
                range.max_proto.all =
                        *(__be16 *)&regs->data[priv->sreg_proto_max];
        }
-       regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range, pkt->out);
+       regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range,
+                                                   nft_out(pkt));
 }
 
 static struct nft_expr_type nft_masq_ipv6_type;
index aca44e89a88133575b3435f82d71ed5c05e98649..bfcd5af6bc153ad57409af7e2fd20df55c057700 100644 (file)
@@ -35,7 +35,8 @@ static void nft_redir_ipv6_eval(const struct nft_expr *expr,
 
        range.flags |= priv->flags;
 
-       regs->verdict.code = nf_nat_redirect_ipv6(pkt->skb, &range, pkt->hook);
+       regs->verdict.code =
+               nf_nat_redirect_ipv6(pkt->skb, &range, nft_hook(pkt));
 }
 
 static struct nft_expr_type nft_redir_ipv6_type;
index 92bda9908bb9a354e701fab450549b43e2f22bfa..057deeaff1cbc6d55b7e7ac6738dac5909af331f 100644 (file)
@@ -27,11 +27,11 @@ static void nft_reject_ipv6_eval(const struct nft_expr *expr,
 
        switch (priv->type) {
        case NFT_REJECT_ICMP_UNREACH:
-               nf_send_unreach6(pkt->net, pkt->skb, priv->icmp_code,
-                                pkt->hook);
+               nf_send_unreach6(nft_net(pkt), pkt->skb, priv->icmp_code,
+                                nft_hook(pkt));
                break;
        case NFT_REJECT_TCP_RST:
-               nf_send_reset6(pkt->net, pkt->skb, pkt->hook);
+               nf_send_reset6(nft_net(pkt), pkt->skb, nft_hook(pkt));
                break;
        default:
                break;
index 7ec69723940f120fb783160ebaa6889cf24fcb3b..44ae986c383f1312c4f17f0d27e7d05470aced27 100644 (file)
@@ -19,7 +19,7 @@ void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif)
        struct net_device *dev;
        struct sk_buff *skb;
 
-       dev = dev_get_by_index_rcu(pkt->net, oif);
+       dev = dev_get_by_index_rcu(nft_net(pkt), oif);
        if (dev == NULL)
                return;
 
index 70de32a6d5c0c350089229abef2b549897a2e813..b63b1edb76a66278e0751892b867d9d15e271caf 100644 (file)
@@ -53,10 +53,10 @@ static noinline void __nft_trace_packet(struct nft_traceinfo *info,
 
        nft_trace_notify(info);
 
-       nf_log_trace(pkt->net, pkt->pf, pkt->hook, pkt->skb, pkt->in,
-                    pkt->out, &trace_loginfo, "TRACE: %s:%s:%s:%u ",
-                    chain->table->name, chain->name, comments[type],
-                    rulenum);
+       nf_log_trace(nft_net(pkt), nft_pf(pkt), nft_hook(pkt), pkt->skb,
+                    nft_in(pkt), nft_out(pkt), &trace_loginfo,
+                    "TRACE: %s:%s:%s:%u ",
+                    chain->table->name, chain->name, comments[type], rulenum);
 }
 
 static inline void nft_trace_packet(struct nft_traceinfo *info,
@@ -124,7 +124,7 @@ unsigned int
 nft_do_chain(struct nft_pktinfo *pkt, void *priv)
 {
        const struct nft_chain *chain = priv, *basechain = chain;
-       const struct net *net = pkt->net;
+       const struct net *net = nft_net(pkt);
        const struct nft_rule *rule;
        const struct nft_expr *expr, *last;
        struct nft_regs regs;
index ab695f8e2d294b0c69df035cd3d153d03ab34fce..12eb9041dca284a398a2c1ac64924ba773a18489 100644 (file)
@@ -171,7 +171,7 @@ void nft_trace_notify(struct nft_traceinfo *info)
        unsigned int size;
        int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_TRACE;
 
-       if (!nfnetlink_has_listeners(pkt->net, NFNLGRP_NFTRACE))
+       if (!nfnetlink_has_listeners(nft_net(pkt), NFNLGRP_NFTRACE))
                return;
 
        size = nlmsg_total_size(sizeof(struct nfgenmsg)) +
@@ -207,7 +207,7 @@ void nft_trace_notify(struct nft_traceinfo *info)
        nfmsg->version          = NFNETLINK_V0;
        nfmsg->res_id           = 0;
 
-       if (nla_put_be32(skb, NFTA_TRACE_NFPROTO, htonl(pkt->pf)))
+       if (nla_put_be32(skb, NFTA_TRACE_NFPROTO, htonl(nft_pf(pkt))))
                goto nla_put_failure;
 
        if (nla_put_be32(skb, NFTA_TRACE_TYPE, htonl(info->type)))
@@ -249,7 +249,7 @@ void nft_trace_notify(struct nft_traceinfo *info)
                goto nla_put_failure;
 
        if (!info->packet_dumped) {
-               if (nf_trace_fill_dev_info(skb, pkt->in, pkt->out))
+               if (nf_trace_fill_dev_info(skb, nft_in(pkt), nft_out(pkt)))
                        goto nla_put_failure;
 
                if (nf_trace_fill_pkt_info(skb, pkt))
@@ -258,7 +258,7 @@ void nft_trace_notify(struct nft_traceinfo *info)
        }
 
        nlmsg_end(skb, nlh);
-       nfnetlink_send(skb, pkt->net, 0, NFNLGRP_NFTRACE, 0, GFP_ATOMIC);
+       nfnetlink_send(skb, nft_net(pkt), 0, NFNLGRP_NFTRACE, 0, GFP_ATOMIC);
        return;
 
  nla_put_failure:
index 4944a8b7f7a7d6ef7175218e78fa1ba18d2b2c31..249c9b80c1507250f7e944e9bc39e6dc670a0986 100644 (file)
@@ -144,7 +144,7 @@ void nft_fib_store_result(void *reg, enum nft_fib_result r,
                *dreg = index;
                break;
        case NFT_FIB_RESULT_OIFNAME:
-               dev = dev_get_by_index_rcu(pkt->net, index);
+               dev = dev_get_by_index_rcu(nft_net(pkt), index);
                strncpy(reg, dev ? dev->name : "", IFNAMSIZ);
                break;
        default:
index fe8943b572b7bbd9062728fe2d5f3c9fae4c7e7f..9120fc7228f4e1237939481dbc8e6b9b49131efa 100644 (file)
@@ -21,7 +21,7 @@ static void nft_fib_inet_eval(const struct nft_expr *expr,
 {
        const struct nft_fib *priv = nft_expr_priv(expr);
 
-       switch (pkt->pf) {
+       switch (nft_pf(pkt)) {
        case NFPROTO_IPV4:
                switch (priv->result) {
                case NFT_FIB_RESULT_OIF:
index 1b01404bb33fa7832b9cbe14ba9ad24142f363f9..6271e40a3dd6d00b0a19f31a5ef5509185120505 100644 (file)
@@ -32,8 +32,9 @@ static void nft_log_eval(const struct nft_expr *expr,
 {
        const struct nft_log *priv = nft_expr_priv(expr);
 
-       nf_log_packet(pkt->net, pkt->pf, pkt->hook, pkt->skb, pkt->in,
-                     pkt->out, &priv->loginfo, "%s", priv->prefix);
+       nf_log_packet(nft_net(pkt), nft_pf(pkt), nft_hook(pkt), pkt->skb,
+                     nft_in(pkt), nft_out(pkt), &priv->loginfo, "%s",
+                     priv->prefix);
 }
 
 static const struct nla_policy nft_log_policy[NFTA_LOG_MAX + 1] = {
index 8166b6994cc75dcd6a556172ae541c13ce337fc4..a8ce49bcda80c89f37d8483789ac14af17291a81 100644 (file)
@@ -35,9 +35,8 @@ static void nft_lookup_eval(const struct nft_expr *expr,
        const struct nft_set_ext *ext;
        bool found;
 
-       found = set->ops->lookup(pkt->net, set, &regs->data[priv->sreg], &ext) ^
-               priv->invert;
-
+       found = set->ops->lookup(nft_net(pkt), set, &regs->data[priv->sreg],
+                                &ext) ^ priv->invert;
        if (!found) {
                regs->verdict.code = NFT_BREAK;
                return;
index 64994023bf812a17cfba5840a54b32f9bba2adc1..66c7f4b4c49bda596d9151d162bc68d95d957560 100644 (file)
@@ -36,7 +36,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
 {
        const struct nft_meta *priv = nft_expr_priv(expr);
        const struct sk_buff *skb = pkt->skb;
-       const struct net_device *in = pkt->in, *out = pkt->out;
+       const struct net_device *in = nft_in(pkt), *out = nft_out(pkt);
        struct sock *sk;
        u32 *dest = &regs->data[priv->dreg];
 
@@ -49,7 +49,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
                *(__be16 *)dest = skb->protocol;
                break;
        case NFT_META_NFPROTO:
-               *dest = pkt->pf;
+               *dest = nft_pf(pkt);
                break;
        case NFT_META_L4PROTO:
                if (!pkt->tprot_set)
@@ -146,7 +146,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
                        break;
                }
 
-               switch (pkt->pf) {
+               switch (nft_pf(pkt)) {
                case NFPROTO_IPV4:
                        if (ipv4_is_multicast(ip_hdr(skb)->daddr))
                                *dest = PACKET_MULTICAST;
index 393d359a1889fe30541271973fadc489936d5c44..3e19fa1230dc6b9274090257be97b91827699485 100644 (file)
@@ -43,7 +43,7 @@ static void nft_queue_eval(const struct nft_expr *expr,
                        queue = priv->queuenum + cpu % priv->queues_total;
                } else {
                        queue = nfqueue_hash(pkt->skb, queue,
-                                            priv->queues_total, pkt->pf,
+                                            priv->queues_total, nft_pf(pkt),
                                             jhash_initval);
                }
        }
index e79d9ca2ffee0002e734ee27880c512da3066900..9e90a02cb104dad81daf84208902e90390a8f504 100644 (file)
@@ -23,36 +23,36 @@ static void nft_reject_inet_eval(const struct nft_expr *expr,
 {
        struct nft_reject *priv = nft_expr_priv(expr);
 
-       switch (pkt->pf) {
+       switch (nft_pf(pkt)) {
        case NFPROTO_IPV4:
                switch (priv->type) {
                case NFT_REJECT_ICMP_UNREACH:
                        nf_send_unreach(pkt->skb, priv->icmp_code,
-                                       pkt->hook);
+                                       nft_hook(pkt));
                        break;
                case NFT_REJECT_TCP_RST:
-                       nf_send_reset(pkt->net, pkt->skb, pkt->hook);
+                       nf_send_reset(nft_net(pkt), pkt->skb, nft_hook(pkt));
                        break;
                case NFT_REJECT_ICMPX_UNREACH:
                        nf_send_unreach(pkt->skb,
                                        nft_reject_icmp_code(priv->icmp_code),
-                                       pkt->hook);
+                                       nft_hook(pkt));
                        break;
                }
                break;
        case NFPROTO_IPV6:
                switch (priv->type) {
                case NFT_REJECT_ICMP_UNREACH:
-                       nf_send_unreach6(pkt->net, pkt->skb, priv->icmp_code,
-                                        pkt->hook);
+                       nf_send_unreach6(nft_net(pkt), pkt->skb,
+                                        priv->icmp_code, nft_hook(pkt));
                        break;
                case NFT_REJECT_TCP_RST:
-                       nf_send_reset6(pkt->net, pkt->skb, pkt->hook);
+                       nf_send_reset6(nft_net(pkt), pkt->skb, nft_hook(pkt));
                        break;
                case NFT_REJECT_ICMPX_UNREACH:
-                       nf_send_unreach6(pkt->net, pkt->skb,
+                       nf_send_unreach6(nft_net(pkt), pkt->skb,
                                         nft_reject_icmpv6_code(priv->icmp_code),
-                                        pkt->hook);
+                                        nft_hook(pkt));
                        break;
                }
                break;
index 9e5ec1f67020c4a23e166e818fd2f51c0f4a6842..d3eb640bc78498f84ff706f2c27042b54feb3bfc 100644 (file)
@@ -43,14 +43,14 @@ void nft_rt_get_eval(const struct nft_expr *expr,
                break;
 #endif
        case NFT_RT_NEXTHOP4:
-               if (pkt->pf != NFPROTO_IPV4)
+               if (nft_pf(pkt) != NFPROTO_IPV4)
                        goto err;
 
                *dest = rt_nexthop((const struct rtable *)dst,
                                   ip_hdr(skb)->daddr);
                break;
        case NFT_RT_NEXTHOP6:
-               if (pkt->pf != NFPROTO_IPV6)
+               if (nft_pf(pkt) != NFPROTO_IPV6)
                        goto err;
 
                memcpy(dest, rt6_nexthop((struct rt6_info *)dst,