Commit 17a20e09 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: nft_set: remove one argument from lookup and update functions 



Return the extension pointer instead of passing it as a function
argument to be filled in by the callee.

As-is, whenever false is returned, the extension pointer is not used.

For all set types, when true is returned, the extension pointer was set
to the matching element.

Only exception: nft_set_bitmap doesn't support extensions.
Return a pointer to a static const empty element extension container.

return false -> return NULL
return true -> return the elements' extension pointer.

This saves one function argument.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 7792c1e0

include/net/netfilter/nf_tables.h

+4 −6
Original line number Diff line number Diff line
@@ -459,19 +459,17 @@ struct nft_set_ext; 
 *	control plane functions.

 */

struct nft_set_ops {

	bool				(*lookup)(const struct net *net,

	const struct nft_set_ext *	(*lookup)(const struct net *net,

						  const struct nft_set *set,

						  const u32 *key,

						  const struct nft_set_ext **ext);

	bool				(*update)(struct nft_set *set,

						  const u32 *key);

	const struct nft_set_ext *	(*update)(struct nft_set *set,

						  const u32 *key,

						  struct nft_elem_priv *

							(*new)(struct nft_set *,

							       const struct nft_expr *,

							       struct nft_regs *),

						  const struct nft_expr *expr,

						  struct nft_regs *regs,

						  const struct nft_set_ext **ext);

						  struct nft_regs *regs);

	bool				(*delete)(const struct nft_set *set,

						  const u32 *key);

include/net/netfilter/nf_tables_core.h

+27 −20
Original line number Diff line number Diff line
@@ -94,34 +94,41 @@ extern const struct nft_set_type nft_set_pipapo_type; 
extern const struct nft_set_type nft_set_pipapo_avx2_type;



#ifdef CONFIG_MITIGATION_RETPOLINE

bool nft_rhash_lookup(const struct net *net, const struct nft_set *set,

		      const u32 *key, const struct nft_set_ext **ext);

bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set,

		       const u32 *key, const struct nft_set_ext **ext);

bool nft_bitmap_lookup(const struct net *net, const struct nft_set *set,

		       const u32 *key, const struct nft_set_ext **ext);

bool nft_hash_lookup_fast(const struct net *net,

			  const struct nft_set *set,

			  const u32 *key, const struct nft_set_ext **ext);

bool nft_hash_lookup(const struct net *net, const struct nft_set *set,

		     const u32 *key, const struct nft_set_ext **ext);

bool nft_set_do_lookup(const struct net *net, const struct nft_set *set,

		       const u32 *key, const struct nft_set_ext **ext);

const struct nft_set_ext *

nft_rhash_lookup(const struct net *net, const struct nft_set *set,

		 const u32 *key);

const struct nft_set_ext *

nft_rbtree_lookup(const struct net *net, const struct nft_set *set,

		  const u32 *key);

const struct nft_set_ext *

nft_bitmap_lookup(const struct net *net, const struct nft_set *set,

		  const u32 *key);

const struct nft_set_ext *

nft_hash_lookup_fast(const struct net *net, const struct nft_set *set,

		     const u32 *key);

const struct nft_set_ext *

nft_hash_lookup(const struct net *net, const struct nft_set *set,

		const u32 *key);

const struct nft_set_ext *

nft_set_do_lookup(const struct net *net, const struct nft_set *set,

		  const u32 *key);

#else

static inline bool

static inline const struct nft_set_ext *

nft_set_do_lookup(const struct net *net, const struct nft_set *set,

		  const u32 *key, const struct nft_set_ext **ext)

		  const u32 *key)

{

	return set->ops->lookup(net, set, key, ext);

	return set->ops->lookup(net, set, key);

}

#endif



/* called from nft_pipapo_avx2.c */

bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,

		       const u32 *key, const struct nft_set_ext **ext);

const struct nft_set_ext *

nft_pipapo_lookup(const struct net *net, const struct nft_set *set,

		  const u32 *key);

/* called from nft_set_pipapo.c */

bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,

			    const u32 *key, const struct nft_set_ext **ext);

const struct nft_set_ext *

nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,

			const u32 *key);



void nft_counter_init_seqcount(void);

net/netfilter/nft_dynset.c

+3 −2
Original line number Diff line number Diff line
@@ -91,8 +91,9 @@ void nft_dynset_eval(const struct nft_expr *expr, 
		return;

	}



	if (set->ops->update(set, &regs->data[priv->sreg_key], nft_dynset_new,

			     expr, regs, &ext)) {

	ext = set->ops->update(set, &regs->data[priv->sreg_key], nft_dynset_new,

			     expr, regs);

	if (ext) {

		if (priv->op == NFT_DYNSET_OP_UPDATE &&

		    nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&

		    READ_ONCE(nft_set_ext_timeout(ext)->timeout) != 0) {

net/netfilter/nft_lookup.c

+14 −13
Original line number Diff line number Diff line
@@ -25,32 +25,33 @@ struct nft_lookup { 
};



#ifdef CONFIG_MITIGATION_RETPOLINE

bool nft_set_do_lookup(const struct net *net, const struct nft_set *set,

		       const u32 *key, const struct nft_set_ext **ext)

const struct nft_set_ext *

nft_set_do_lookup(const struct net *net, const struct nft_set *set,

		  const u32 *key)

{

	if (set->ops == &nft_set_hash_fast_type.ops)

		return nft_hash_lookup_fast(net, set, key, ext);

		return nft_hash_lookup_fast(net, set, key);

	if (set->ops == &nft_set_hash_type.ops)

		return nft_hash_lookup(net, set, key, ext);

		return nft_hash_lookup(net, set, key);



	if (set->ops == &nft_set_rhash_type.ops)

		return nft_rhash_lookup(net, set, key, ext);

		return nft_rhash_lookup(net, set, key);



	if (set->ops == &nft_set_bitmap_type.ops)

		return nft_bitmap_lookup(net, set, key, ext);

		return nft_bitmap_lookup(net, set, key);



	if (set->ops == &nft_set_pipapo_type.ops)

		return nft_pipapo_lookup(net, set, key, ext);

		return nft_pipapo_lookup(net, set, key);

#if defined(CONFIG_X86_64) && !defined(CONFIG_UML)

	if (set->ops == &nft_set_pipapo_avx2_type.ops)

		return nft_pipapo_avx2_lookup(net, set, key, ext);

		return nft_pipapo_avx2_lookup(net, set, key);

#endif



	if (set->ops == &nft_set_rbtree_type.ops)

		return nft_rbtree_lookup(net, set, key, ext);

		return nft_rbtree_lookup(net, set, key);



	WARN_ON_ONCE(1);

	return set->ops->lookup(net, set, key, ext);

	return set->ops->lookup(net, set, key);

}

EXPORT_SYMBOL_GPL(nft_set_do_lookup);

#endif
@@ -61,12 +62,12 @@ void nft_lookup_eval(const struct nft_expr *expr, 
{

	const struct nft_lookup *priv = nft_expr_priv(expr);

	const struct nft_set *set = priv->set;

	const struct nft_set_ext *ext = NULL;

	const struct net *net = nft_net(pkt);

	const struct nft_set_ext *ext;

	bool found;



	found =	nft_set_do_lookup(net, set, &regs->data[priv->sreg], &ext) ^

				  priv->invert;

	ext = nft_set_do_lookup(net, set, &regs->data[priv->sreg]);

	found = !!ext ^ priv->invert;

	if (!found) {

		ext = nft_set_catchall_lookup(net, set);

		if (!ext) {

net/netfilter/nft_objref.c

+2 −3
Original line number Diff line number Diff line
@@ -111,10 +111,9 @@ void nft_objref_map_eval(const struct nft_expr *expr, 
	struct net *net = nft_net(pkt);

	const struct nft_set_ext *ext;

	struct nft_object *obj;

	bool found;



	found = nft_set_do_lookup(net, set, &regs->data[priv->sreg], &ext);

	if (!found) {

	ext = nft_set_do_lookup(net, set, &regs->data[priv->sreg]);

	if (!ext) {

		ext = nft_set_catchall_lookup(net, set);

		if (!ext) {

			regs->verdict.code = NFT_BREAK;