
Commit 889f7ee

netfilter: nf_tables: add generic macros to check for generation mask
Thus, we can reuse these to check the genmask of any object type, not only rules. This is required now that tables, chains and sets will get a generation mask field too in follow-up patches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 7643507 commit 889f7ee


2 files changed

+32
-38
lines changed


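--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -969,6 +969,30 @@ static inline u8 nft_genmask_cur(const struct net *net)
 
 #define NFT_GENMASK_ANY ((1 << 0) | (1 << 1))
 
+/*
+* Generic transaction helpers
+*/
+
+/* Check if this object is currently active. */
+#define nft_is_active(__net, __obj) \
+(((__obj)->genmask & nft_genmask_cur(__net)) == 0)
+
+/* Check if this object is active in the next generation. */
+#define nft_is_active_next(__net, __obj) \
+(((__obj)->genmask & nft_genmask_next(__net)) == 0)
+
+/* This object becomes active in the next generation. */
+#define nft_activate_next(__net, __obj) \
+(__obj)->genmask = nft_genmask_cur(__net)
+
+/* This object becomes inactive in the next generation. */
+#define nft_deactivate_next(__net, __obj) \
+(__obj)->genmask = nft_genmask_next(__net)
+
+/* After committing the ruleset, clear the stale generation bit. */
+#define nft_clear(__net, __obj) \
+(__obj)->genmask &= ~nft_genmask_next(__net)
+
 /*
 * Set element transaction helpers
 */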
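Review bot: The comments on the new helpers never state that a set bit in `genmask` means the object is inactive in that generation, which is what a caller needs in order to read `== 0` as "active" and to see why `nft_activate_next` stores `nft_genmask_cur()`; the removed rule helper carried that hint ("Now inactive, will be active in the future") and it is lost here. I would add to the block comment: `A set bit in ->genmask marks the object inactive in that generation; 0 means active in both.` Note also that `nft_activate_next` and `nft_deactivate_next` assign the whole mask instead of setting one bit, so, assuming the current and next masks are distinct bits as `NFT_GENMASK_ANY` suggests, deactivating an object that was activated earlier in the same batch leaves only the next bit set and `nft_is_active` then reports it active now; if callers rule that sequence out, the comment should say so. The three mutating macros expand to an unparenthesised assignment, so wrapping them, e.g. `((__obj)->genmask = nft_genmask_cur(__net))`, would keep them well-formed in expression context.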

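--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -234,42 +234,12 @@ static int nft_delchain(struct nft_ctx *ctx)
 return err;
 }
 
-static inline bool
-nft_rule_is_active(struct net *net, const struct nft_rule *rule)
-{
-return (rule->genmask & nft_genmask_cur(net)) == 0;
-}
-
-static inline int
-nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
-{
-return (rule->genmask & nft_genmask_next(net)) == 0;
-}
-
-static inline void
-nft_rule_activate_next(struct net *net, struct nft_rule *rule)
-{
-/* Now inactive, will be active in the future */
-rule->genmask = nft_genmask_cur(net);
-}
-
-static inline void
-nft_rule_deactivate_next(struct net *net, struct nft_rule *rule)
-{
-rule->genmask = nft_genmask_next(net);
-}
-
-static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
-{
-rule->genmask &= ~nft_genmask_next(net);
-}
-
 static int
 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
 {
 /* You cannot delete the same rule twice */
-if (nft_rule_is_active_next(ctx->net, rule)) {
-nft_rule_deactivate_next(ctx->net, rule);
+if (nft_is_active_next(ctx->net, rule)) {
+nft_deactivate_next(ctx->net, rule);
 ctx->chain->use--;
 return 0;
 }
@@ -1898,7 +1868,7 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
 list_for_each_entry_rcu(table, &afi->tables, list) {
 list_for_each_entry_rcu(chain, &table->chains, list) {
 list_for_each_entry_rcu(rule, &chain->rules, list) {
-if (!nft_rule_is_active(net, rule))
+if (!nft_is_active(net, rule))
 goto cont;
 if (idx < s_idx)
 goto cont;
@@ -2102,7 +2072,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
 if (rule == NULL)
 goto err1;
 
-nft_rule_activate_next(net, rule);
+nft_activate_next(net, rule);
 
 rule->handle = handle;
 rule->dlen = size;
@@ -2124,14 +2094,14 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
 }
 
 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
-if (nft_rule_is_active_next(net, old_rule)) {
+if (nft_is_active_next(net, old_rule)) {
 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
 old_rule);
 if (trans == NULL) {
 err = -ENOMEM;
 goto err2;
 }
-nft_rule_deactivate_next(net, old_rule);
+nft_deactivate_next(net, old_rule);
 chain->use--;
 list_add_tail_rcu(&rule->list, &old_rule->list);
 } else {
@@ -3980,7 +3950,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 trans->ctx.afi->nops);
 break;
 case NFT_MSG_NEWRULE:
-nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
+nft_clear(trans->ctx.net, nft_trans_rule(trans));
 nf_tables_rule_notify(&trans->ctx,
 nft_trans_rule(trans),
 NFT_MSG_NEWRULE);
@@ -4116,7 +4086,7 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb)
 break;
 case NFT_MSG_DELRULE:
 trans->ctx.chain->use++;
-nft_rule_clear(trans->ctx.net, nft_trans_rule(trans));
+nft_clear(trans->ctx.net, nft_trans_rule(trans));
 nft_trans_destroy(trans);
 break;
 case NFT_MSG_NEWSET: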
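Review bot: After this change the second argument at every call site in this file (nf_tables_delrule_deactivate, nf_tables_dump_rules, nf_tables_newrule, nf_tables_commit, nf_tables_abort) is no longer checked to be a `struct nft_rule *`, because the macros accept anything with a `genmask` member; once tables, chains and sets gain that field, as the description announces, passing `ctx->chain` where `rule` was meant would compile cleanly. That matters most at the two guards that precede a `use--` on the chain, since the next-generation check is the only thing visible here that stops one rule from dropping the counter twice. I would extend the existing comment in nf_tables_delrule_deactivate to say so, e.g. `/* You cannot delete the same rule twice: the genmask check must cover the same rule whose deletion drops chain->use */`. All of these functions continue outside their hunks, so whether other checks exist is not visible from here.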
