Commit c37a2dfa authored by Joe Perches's avatar Joe Perches Committed by Pablo Neira Ayuso

netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF

netfilter uses multiple FWINV #defines with identical form that hide a
specific structure variable and dereference it with an invflags member.

$ git grep "#define FWINV"
include/linux/netfilter_bridge/ebtables.h:#define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg))
net/bridge/netfilter/ebtables.c:#define FWINV2(bool, invflg) ((bool) ^ !!(e->invflags & invflg))
net/ipv4/netfilter/arp_tables.c:#define FWINV(bool, invflg) ((bool) ^ !!(arpinfo->invflags & (invflg)))
net/ipv4/netfilter/ip_tables.c:#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
net/ipv6/netfilter/ip6_tables.c:#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
net/netfilter/xt_tcpudp.c:#define FWINVTCP(bool, invflg) ((bool) ^ !!(tcpinfo->invflags & (invflg)))

Consolidate these macros into a single NF_INVF macro.

Miscellanea:

o Neaten the alignment around these uses
o A few lines are > 80 columns for intelligibility
Signed-off-by: default avatarJoe Perches <joe@perches.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent f1504307
...@@ -6,6 +6,10 @@ ...@@ -6,6 +6,10 @@
#include <linux/static_key.h> #include <linux/static_key.h>
#include <uapi/linux/netfilter/x_tables.h> #include <uapi/linux/netfilter/x_tables.h>
/* Test a struct->invflags and a boolean for inequality */
#define NF_INVF(ptr, flag, boolean) \
((boolean) ^ !!((ptr)->invflags & (flag)))
/** /**
* struct xt_action_param - parameters for matches/targets * struct xt_action_param - parameters for matches/targets
* *
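Review bot: NF_INVF XORs `boolean` with a flag test that is normalised to 0/1, but `boolean` itself is not normalised, so a truthy argument other than 1 stays truthy after the XOR and the rule's inversion is silently lost. Every call visible in this commit passes a comparison or a helper such as `ipv6_masked_addr_cmp()`, `ebt_dev_check()` or `arp_devaddr_compare()`. Their return types are not shown here, so this looks safe today but nothing enforces it. Because these tests decide whether a packet matches a filter rule, I would either write the body as `(!!(boolean) ^ !!((ptr)->invflags & (flag)))` or extend the comment to `/* Test a struct->invflags and a boolean for inequality; boolean must be 0 or 1 */`.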
......
...@@ -115,8 +115,6 @@ extern unsigned int ebt_do_table(struct sk_buff *skb, ...@@ -115,8 +115,6 @@ extern unsigned int ebt_do_table(struct sk_buff *skb,
const struct nf_hook_state *state, const struct nf_hook_state *state,
struct ebt_table *table); struct ebt_table *table);
/* Used in the kernel match() functions */
#define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg))
/* True if the hook mask denotes that the rule is in a base chain, /* True if the hook mask denotes that the rule is in a base chain,
* used in the check() functions */ * used in the check() functions */
#define BASE_CHAIN (par->hook_mask & (1 << NF_BR_NUMHOOKS)) #define BASE_CHAIN (par->hook_mask & (1 << NF_BR_NUMHOOKS))
......
...@@ -20,16 +20,16 @@ ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -20,16 +20,16 @@ ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par)
__be16 type = hdr->llc.ui.ctrl & IS_UI ? hdr->llc.ui.type : hdr->llc.ni.type; __be16 type = hdr->llc.ui.ctrl & IS_UI ? hdr->llc.ui.type : hdr->llc.ni.type;
if (info->bitmask & EBT_802_3_SAP) { if (info->bitmask & EBT_802_3_SAP) {
if (FWINV(info->sap != hdr->llc.ui.ssap, EBT_802_3_SAP)) if (NF_INVF(info, EBT_802_3_SAP, info->sap != hdr->llc.ui.ssap))
return false; return false;
if (FWINV(info->sap != hdr->llc.ui.dsap, EBT_802_3_SAP)) if (NF_INVF(info, EBT_802_3_SAP, info->sap != hdr->llc.ui.dsap))
return false; return false;
} }
if (info->bitmask & EBT_802_3_TYPE) { if (info->bitmask & EBT_802_3_TYPE) {
if (!(hdr->llc.ui.dsap == CHECK_TYPE && hdr->llc.ui.ssap == CHECK_TYPE)) if (!(hdr->llc.ui.dsap == CHECK_TYPE && hdr->llc.ui.ssap == CHECK_TYPE))
return false; return false;
if (FWINV(info->type != type, EBT_802_3_TYPE)) if (NF_INVF(info, EBT_802_3_TYPE, info->type != type))
return false; return false;
} }
......
...@@ -25,14 +25,14 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -25,14 +25,14 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
if (ah == NULL) if (ah == NULL)
return false; return false;
if (info->bitmask & EBT_ARP_OPCODE && FWINV(info->opcode != if ((info->bitmask & EBT_ARP_OPCODE) &&
ah->ar_op, EBT_ARP_OPCODE)) NF_INVF(info, EBT_ARP_OPCODE, info->opcode != ah->ar_op))
return false; return false;
if (info->bitmask & EBT_ARP_HTYPE && FWINV(info->htype != if ((info->bitmask & EBT_ARP_HTYPE) &&
ah->ar_hrd, EBT_ARP_HTYPE)) NF_INVF(info, EBT_ARP_HTYPE, info->htype != ah->ar_hrd))
return false; return false;
if (info->bitmask & EBT_ARP_PTYPE && FWINV(info->ptype != if ((info->bitmask & EBT_ARP_PTYPE) &&
ah->ar_pro, EBT_ARP_PTYPE)) NF_INVF(info, EBT_ARP_PTYPE, info->ptype != ah->ar_pro))
return false; return false;
if (info->bitmask & (EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_GRAT)) { if (info->bitmask & (EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_GRAT)) {
...@@ -51,14 +51,16 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -51,14 +51,16 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
sizeof(daddr), &daddr); sizeof(daddr), &daddr);
if (dap == NULL) if (dap == NULL)
return false; return false;
if (info->bitmask & EBT_ARP_SRC_IP && if ((info->bitmask & EBT_ARP_SRC_IP) &&
FWINV(info->saddr != (*sap & info->smsk), EBT_ARP_SRC_IP)) NF_INVF(info, EBT_ARP_SRC_IP,
info->saddr != (*sap & info->smsk)))
return false; return false;
if (info->bitmask & EBT_ARP_DST_IP && if ((info->bitmask & EBT_ARP_DST_IP) &&
FWINV(info->daddr != (*dap & info->dmsk), EBT_ARP_DST_IP)) NF_INVF(info, EBT_ARP_DST_IP,
info->daddr != (*dap & info->dmsk)))
return false; return false;
if (info->bitmask & EBT_ARP_GRAT && if ((info->bitmask & EBT_ARP_GRAT) &&
FWINV(*dap != *sap, EBT_ARP_GRAT)) NF_INVF(info, EBT_ARP_GRAT, *dap != *sap))
return false; return false;
} }
...@@ -73,9 +75,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -73,9 +75,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
sizeof(_mac), &_mac); sizeof(_mac), &_mac);
if (mp == NULL) if (mp == NULL)
return false; return false;
if (FWINV(!ether_addr_equal_masked(mp, info->smaddr, if (NF_INVF(info, EBT_ARP_SRC_MAC,
info->smmsk), !ether_addr_equal_masked(mp, info->smaddr,
EBT_ARP_SRC_MAC)) info->smmsk)))
return false; return false;
} }
...@@ -85,9 +87,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -85,9 +87,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
sizeof(_mac), &_mac); sizeof(_mac), &_mac);
if (mp == NULL) if (mp == NULL)
return false; return false;
if (FWINV(!ether_addr_equal_masked(mp, info->dmaddr, if (NF_INVF(info, EBT_ARP_DST_MAC,
info->dmmsk), !ether_addr_equal_masked(mp, info->dmaddr,
EBT_ARP_DST_MAC)) info->dmmsk)))
return false; return false;
} }
} }
......
...@@ -36,19 +36,19 @@ ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -36,19 +36,19 @@ ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
if (ih == NULL) if (ih == NULL)
return false; return false;
if (info->bitmask & EBT_IP_TOS && if ((info->bitmask & EBT_IP_TOS) &&
FWINV(info->tos != ih->tos, EBT_IP_TOS)) NF_INVF(info, EBT_IP_TOS, info->tos != ih->tos))
return false; return false;
if (info->bitmask & EBT_IP_SOURCE && if ((info->bitmask & EBT_IP_SOURCE) &&
FWINV((ih->saddr & info->smsk) != NF_INVF(info, EBT_IP_SOURCE,
info->saddr, EBT_IP_SOURCE)) (ih->saddr & info->smsk) != info->saddr))
return false; return false;
if ((info->bitmask & EBT_IP_DEST) && if ((info->bitmask & EBT_IP_DEST) &&
FWINV((ih->daddr & info->dmsk) != NF_INVF(info, EBT_IP_DEST,
info->daddr, EBT_IP_DEST)) (ih->daddr & info->dmsk) != info->daddr))
return false; return false;
if (info->bitmask & EBT_IP_PROTO) { if (info->bitmask & EBT_IP_PROTO) {
if (FWINV(info->protocol != ih->protocol, EBT_IP_PROTO)) if (NF_INVF(info, EBT_IP_PROTO, info->protocol != ih->protocol))
return false; return false;
if (!(info->bitmask & EBT_IP_DPORT) && if (!(info->bitmask & EBT_IP_DPORT) &&
!(info->bitmask & EBT_IP_SPORT)) !(info->bitmask & EBT_IP_SPORT))
...@@ -61,16 +61,16 @@ ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -61,16 +61,16 @@ ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
return false; return false;
if (info->bitmask & EBT_IP_DPORT) { if (info->bitmask & EBT_IP_DPORT) {
u32 dst = ntohs(pptr->dst); u32 dst = ntohs(pptr->dst);
if (FWINV(dst < info->dport[0] || if (NF_INVF(info, EBT_IP_DPORT,
dst > info->dport[1], dst < info->dport[0] ||
EBT_IP_DPORT)) dst > info->dport[1]))
return false; return false;
} }
if (info->bitmask & EBT_IP_SPORT) { if (info->bitmask & EBT_IP_SPORT) {
u32 src = ntohs(pptr->src); u32 src = ntohs(pptr->src);
if (FWINV(src < info->sport[0] || if (NF_INVF(info, EBT_IP_SPORT,
src > info->sport[1], src < info->sport[0] ||
EBT_IP_SPORT)) src > info->sport[1]))
return false; return false;
} }
} }
......
...@@ -45,15 +45,18 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -45,15 +45,18 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h); ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
if (ih6 == NULL) if (ih6 == NULL)
return false; return false;
if (info->bitmask & EBT_IP6_TCLASS && if ((info->bitmask & EBT_IP6_TCLASS) &&
FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS)) NF_INVF(info, EBT_IP6_TCLASS,
info->tclass != ipv6_get_dsfield(ih6)))
return false; return false;
if ((info->bitmask & EBT_IP6_SOURCE && if (((info->bitmask & EBT_IP6_SOURCE) &&
FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk, NF_INVF(info, EBT_IP6_SOURCE,
&info->saddr), EBT_IP6_SOURCE)) || ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
(info->bitmask & EBT_IP6_DEST && &info->saddr))) ||
FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk, ((info->bitmask & EBT_IP6_DEST) &&
&info->daddr), EBT_IP6_DEST))) NF_INVF(info, EBT_IP6_DEST,
ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
&info->daddr))))
return false; return false;
if (info->bitmask & EBT_IP6_PROTO) { if (info->bitmask & EBT_IP6_PROTO) {
uint8_t nexthdr = ih6->nexthdr; uint8_t nexthdr = ih6->nexthdr;
...@@ -63,7 +66,7 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -63,7 +66,7 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h), &nexthdr, &frag_off); offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h), &nexthdr, &frag_off);
if (offset_ph == -1) if (offset_ph == -1)
return false; return false;
if (FWINV(info->protocol != nexthdr, EBT_IP6_PROTO)) if (NF_INVF(info, EBT_IP6_PROTO, info->protocol != nexthdr))
return false; return false;
if (!(info->bitmask & (EBT_IP6_DPORT | if (!(info->bitmask & (EBT_IP6_DPORT |
EBT_IP6_SPORT | EBT_IP6_ICMP6))) EBT_IP6_SPORT | EBT_IP6_ICMP6)))
...@@ -76,22 +79,24 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -76,22 +79,24 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
return false; return false;
if (info->bitmask & EBT_IP6_DPORT) { if (info->bitmask & EBT_IP6_DPORT) {
u16 dst = ntohs(pptr->tcpudphdr.dst); u16 dst = ntohs(pptr->tcpudphdr.dst);
if (FWINV(dst < info->dport[0] || if (NF_INVF(info, EBT_IP6_DPORT,
dst > info->dport[1], EBT_IP6_DPORT)) dst < info->dport[0] ||
dst > info->dport[1]))
return false; return false;
} }
if (info->bitmask & EBT_IP6_SPORT) { if (info->bitmask & EBT_IP6_SPORT) {
u16 src = ntohs(pptr->tcpudphdr.src); u16 src = ntohs(pptr->tcpudphdr.src);
if (FWINV(src < info->sport[0] || if (NF_INVF(info, EBT_IP6_SPORT,
src > info->sport[1], EBT_IP6_SPORT)) src < info->sport[0] ||
src > info->sport[1]))
return false; return false;
} }
if ((info->bitmask & EBT_IP6_ICMP6) && if ((info->bitmask & EBT_IP6_ICMP6) &&
FWINV(pptr->icmphdr.type < info->icmpv6_type[0] || NF_INVF(info, EBT_IP6_ICMP6,
pptr->icmphdr.type < info->icmpv6_type[0] ||
pptr->icmphdr.type > info->icmpv6_type[1] || pptr->icmphdr.type > info->icmpv6_type[1] ||
pptr->icmphdr.code < info->icmpv6_code[0] || pptr->icmphdr.code < info->icmpv6_code[0] ||
pptr->icmphdr.code > info->icmpv6_code[1], pptr->icmphdr.code > info->icmpv6_code[1]))
EBT_IP6_ICMP6))
return false; return false;
} }
return true; return true;
......
...@@ -49,66 +49,68 @@ static bool ebt_filter_config(const struct ebt_stp_info *info, ...@@ -49,66 +49,68 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
c = &info->config; c = &info->config;
if ((info->bitmask & EBT_STP_FLAGS) && if ((info->bitmask & EBT_STP_FLAGS) &&
FWINV(c->flags != stpc->flags, EBT_STP_FLAGS)) NF_INVF(info, EBT_STP_FLAGS, c->flags != stpc->flags))
return false; return false;
if (info->bitmask & EBT_STP_ROOTPRIO) { if (info->bitmask & EBT_STP_ROOTPRIO) {
v16 = NR16(stpc->root); v16 = NR16(stpc->root);
if (FWINV(v16 < c->root_priol || v16 > c->root_priou, if (NF_INVF(info, EBT_STP_ROOTPRIO,
EBT_STP_ROOTPRIO)) v16 < c->root_priol || v16 > c->root_priou))
return false; return false;
} }
if (info->bitmask & EBT_STP_ROOTADDR) { if (info->bitmask & EBT_STP_ROOTADDR) {
if (FWINV(!ether_addr_equal_masked(&stpc->root[2], c->root_addr, if (NF_INVF(info, EBT_STP_ROOTADDR,
c->root_addrmsk), !ether_addr_equal_masked(&stpc->root[2],
EBT_STP_ROOTADDR)) c->root_addr,
c->root_addrmsk)))
return false; return false;
} }
if (info->bitmask & EBT_STP_ROOTCOST) { if (info->bitmask & EBT_STP_ROOTCOST) {
v32 = NR32(stpc->root_cost); v32 = NR32(stpc->root_cost);
if (FWINV(v32 < c->root_costl || v32 > c->root_costu, if (NF_INVF(info, EBT_STP_ROOTCOST,
EBT_STP_ROOTCOST)) v32 < c->root_costl || v32 > c->root_costu))
return false; return false;
} }
if (info->bitmask & EBT_STP_SENDERPRIO) { if (info->bitmask & EBT_STP_SENDERPRIO) {
v16 = NR16(stpc->sender); v16 = NR16(stpc->sender);
if (FWINV(v16 < c->sender_priol || v16 > c->sender_priou, if (NF_INVF(info, EBT_STP_SENDERPRIO,
EBT_STP_SENDERPRIO)) v16 < c->sender_priol || v16 > c->sender_priou))
return false; return false;
} }
if (info->bitmask & EBT_STP_SENDERADDR) { if (info->bitmask & EBT_STP_SENDERADDR) {
if (FWINV(!ether_addr_equal_masked(&stpc->sender[2], if (NF_INVF(info, EBT_STP_SENDERADDR,
!ether_addr_equal_masked(&stpc->sender[2],
c->sender_addr, c->sender_addr,
c->sender_addrmsk), c->sender_addrmsk)))
EBT_STP_SENDERADDR))
return false; return false;
} }
if (info->bitmask & EBT_STP_PORT) { if (info->bitmask & EBT_STP_PORT) {
v16 = NR16(stpc->port); v16 = NR16(stpc->port);
if (FWINV(v16 < c->portl || v16 > c->portu, EBT_STP_PORT)) if (NF_INVF(info, EBT_STP_PORT,
v16 < c->portl || v16 > c->portu))
return false; return false;
} }
if (info->bitmask & EBT_STP_MSGAGE) { if (info->bitmask & EBT_STP_MSGAGE) {
v16 = NR16(stpc->msg_age); v16 = NR16(stpc->msg_age);
if (FWINV(v16 < c->msg_agel || v16 > c->msg_ageu, if (NF_INVF(info, EBT_STP_MSGAGE,
EBT_STP_MSGAGE)) v16 < c->msg_agel || v16 > c->msg_ageu))
return false; return false;
} }
if (info->bitmask & EBT_STP_MAXAGE) { if (info->bitmask & EBT_STP_MAXAGE) {
v16 = NR16(stpc->max_age); v16 = NR16(stpc->max_age);
if (FWINV(v16 < c->max_agel || v16 > c->max_ageu, if (NF_INVF(info, EBT_STP_MAXAGE,
EBT_STP_MAXAGE)) v16 < c->max_agel || v16 > c->max_ageu))
return false; return false;
} }
if (info->bitmask & EBT_STP_HELLOTIME) { if (info->bitmask & EBT_STP_HELLOTIME) {
v16 = NR16(stpc->hello_time); v16 = NR16(stpc->hello_time);
if (FWINV(v16 < c->hello_timel || v16 > c->hello_timeu, if (NF_INVF(info, EBT_STP_HELLOTIME,
EBT_STP_HELLOTIME)) v16 < c->hello_timel || v16 > c->hello_timeu))
return false; return false;
} }
if (info->bitmask & EBT_STP_FWDD) { if (info->bitmask & EBT_STP_FWDD) {
v16 = NR16(stpc->forward_delay); v16 = NR16(stpc->forward_delay);
if (FWINV(v16 < c->forward_delayl || v16 > c->forward_delayu, if (NF_INVF(info, EBT_STP_FWDD,
EBT_STP_FWDD)) v16 < c->forward_delayl || v16 > c->forward_delayu))
return false; return false;
} }
return true; return true;
...@@ -130,8 +132,8 @@ ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -130,8 +132,8 @@ ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par)
if (memcmp(sp, header, sizeof(header))) if (memcmp(sp, header, sizeof(header)))
return false; return false;
if (info->bitmask & EBT_STP_TYPE && if ((info->bitmask & EBT_STP_TYPE) &&
FWINV(info->type != sp->type, EBT_STP_TYPE)) NF_INVF(info, EBT_STP_TYPE, info->type != sp->type))
return false; return false;
if (sp->type == BPDU_TYPE_CONFIG && if (sp->type == BPDU_TYPE_CONFIG &&
......
...@@ -121,7 +121,6 @@ ebt_dev_check(const char *entry, const struct net_device *device) ...@@ -121,7 +121,6 @@ ebt_dev_check(const char *entry, const struct net_device *device)
return devname[i] != entry[i] && entry[i] != 1; return devname[i] != entry[i] && entry[i] != 1;
} }
#define FWINV2(bool, invflg) ((bool) ^ !!(e->invflags & invflg))
/* process standard matches */ /* process standard matches */
static inline int static inline int
ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb, ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
...@@ -137,34 +136,36 @@ ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb, ...@@ -137,34 +136,36 @@ ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
ethproto = h->h_proto; ethproto = h->h_proto;
if (e->bitmask & EBT_802_3) { if (e->bitmask & EBT_802_3) {
if (FWINV2(eth_proto_is_802_3(ethproto), EBT_IPROTO)) if (NF_INVF(e, EBT_IPROTO, eth_proto_is_802_3(ethproto)))
return 1; return 1;
} else if (!(e->bitmask & EBT_NOPROTO) && } else if (!(e->bitmask & EBT_NOPROTO) &&
FWINV2(e->ethproto != ethproto, EBT_IPROTO)) NF_INVF(e, EBT_IPROTO, e->ethproto != ethproto))
return 1; return 1;
if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN)) if (NF_INVF(e, EBT_IIN, ebt_dev_check(e->in, in)))
return 1; return 1;
if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT)) if (NF_INVF(e, EBT_IOUT, ebt_dev_check(e->out, out)))
return 1; return 1;
/* rcu_read_lock()ed by nf_hook_slow */ /* rcu_read_lock()ed by nf_hook_slow */
if (in && (p = br_port_get_rcu(in)) != NULL && if (in && (p = br_port_get_rcu(in)) != NULL &&
FWINV2(ebt_dev_check(e->logical_in, p->br->dev), EBT_ILOGICALIN)) NF_INVF(e, EBT_ILOGICALIN,
ebt_dev_check(e->logical_in, p->br->dev)))
return 1; return 1;
if (out && (p = br_port_get_rcu(out)) != NULL && if (out && (p = br_port_get_rcu(out)) != NULL &&
FWINV2(ebt_dev_check(e->logical_out, p->br->dev), EBT_ILOGICALOUT)) NF_INVF(e, EBT_ILOGICALOUT,
ebt_dev_check(e->logical_out, p->br->dev)))
return 1; return 1;
if (e->bitmask & EBT_SOURCEMAC) { if (e->bitmask & EBT_SOURCEMAC) {
if (FWINV2(!ether_addr_equal_masked(h->h_source, if (NF_INVF(e, EBT_ISOURCE,
e->sourcemac, e->sourcemsk), !ether_addr_equal_masked(h->h_source, e->sourcemac,
EBT_ISOURCE)) e->sourcemsk)))
return 1; return 1;
} }
if (e->bitmask & EBT_DESTMAC) { if (e->bitmask & EBT_DESTMAC) {
if (FWINV2(!ether_addr_equal_masked(h->h_dest, if (NF_INVF(e, EBT_IDEST,
e->destmac, e->destmsk), !ether_addr_equal_masked(h->h_dest, e->destmac,
EBT_IDEST)) e->destmsk)))
return 1; return 1;
} }
return 0; return 0;
......
...@@ -89,22 +89,20 @@ static inline int arp_packet_match(const struct arphdr *arphdr, ...@@ -89,22 +89,20 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
__be32 src_ipaddr, tgt_ipaddr; __be32 src_ipaddr, tgt_ipaddr;
long ret; long ret;
#define FWINV(bool, invflg) ((bool) ^ !!(arpinfo->invflags & (invflg))) if (NF_INVF(arpinfo, ARPT_INV_ARPOP,
(arphdr->ar_op & arpinfo->arpop_mask) != arpinfo->arpop))
if (FWINV((arphdr->ar_op & arpinfo->arpop_mask) != arpinfo->arpop,
ARPT_INV_ARPOP))
return 0; return 0;
if (FWINV((arphdr->ar_hrd & arpinfo->arhrd_mask) != arpinfo->arhrd, if (NF_INVF(arpinfo, ARPT_INV_ARPHRD,
ARPT_INV_ARPHRD)) (arphdr->ar_hrd & arpinfo->arhrd_mask) != arpinfo->arhrd))
return 0; return 0;
if (FWINV((arphdr->ar_pro & arpinfo->arpro_mask) != arpinfo->arpro, if (NF_INVF(arpinfo, ARPT_INV_ARPPRO,
ARPT_INV_ARPPRO)) (arphdr->ar_pro & arpinfo->arpro_mask) != arpinfo->arpro))
return 0; return 0;
if (FWINV((arphdr->ar_hln & arpinfo->arhln_mask) != arpinfo->arhln, if (NF_INVF(arpinfo, ARPT_INV_ARPHLN,
ARPT_INV_ARPHLN)) (arphdr->ar_hln & arpinfo->arhln_mask) != arpinfo->arhln))
return 0; return 0;
src_devaddr = arpptr; src_devaddr = arpptr;
...@@ -115,31 +113,32 @@ static inline int arp_packet_match(const struct arphdr *arphdr, ...@@ -115,31 +113,32 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
arpptr += dev->addr_len; arpptr += dev->addr_len;
memcpy(&tgt_ipaddr, arpptr, sizeof(u32)); memcpy(&tgt_ipaddr, arpptr, sizeof(u32));
if (FWINV(arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr, dev->addr_len), if (NF_INVF(arpinfo, ARPT_INV_SRCDEVADDR,
ARPT_INV_SRCDEVADDR) || arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,
FWINV(arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr, dev->addr_len), dev->addr_len)) ||
ARPT_INV_TGTDEVADDR)) NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR,
arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,
dev->addr_len)))
return 0; return 0;
if (FWINV((src_ipaddr & arpinfo->smsk.s_addr) != arpinfo->src.s_addr, if (NF_INVF(arpinfo, ARPT_INV_SRCIP,
ARPT_INV_SRCIP) || (src_ipaddr & arpinfo->smsk.s_addr) != arpinfo->src.s_addr) ||
FWINV(((tgt_ipaddr & arpinfo->tmsk.s_addr) != arpinfo->tgt.s_addr), NF_INVF(arpinfo, ARPT_INV_TGTIP,
ARPT_INV_TGTIP)) (tgt_ipaddr & arpinfo->tmsk.s_addr) != arpinfo->tgt.s_addr))
return 0; return 0;
/* Look for ifname matches. */ /* Look for ifname matches. */
ret = ifname_compare(indev, arpinfo->iniface, arpinfo->iniface_mask); ret = ifname_compare(indev, arpinfo->iniface, arpinfo->iniface_mask);
if (FWINV(ret != 0, ARPT_INV_VIA_IN)) if (NF_INVF(arpinfo, ARPT_INV_VIA_IN, ret != 0))
return 0; return 0;
ret = ifname_compare(outdev, arpinfo->outiface, arpinfo->outiface_mask); ret = ifname_compare(outdev, arpinfo->outiface, arpinfo->outiface_mask);
if (FWINV(ret != 0, ARPT_INV_VIA_OUT)) if (NF_INVF(arpinfo, ARPT_INV_VIA_OUT, ret != 0))
return 0; return 0;
return 1; return 1;
#undef FWINV
} }
static inline int arp_checkentry(const struct arpt_arp *arp) static inline int arp_checkentry(const struct arpt_arp *arp)
......
...@@ -58,32 +58,31 @@ ip_packet_match(const struct iphdr *ip, ...@@ -58,32 +58,31 @@ ip_packet_match(const struct iphdr *ip,
{ {
unsigned long ret; unsigned long ret;
#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg))) if (NF_INVF(ipinfo, IPT_INV_SRCIP,
(ip->saddr & ipinfo->smsk.s_addr) != ipinfo->src.s_addr) ||
if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr, NF_INVF(ipinfo, IPT_INV_DSTIP,
IPT_INV_SRCIP) || (ip->daddr & ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr))
FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
IPT_INV_DSTIP))
return false; return false;
ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask); ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask);
if (FWINV(ret != 0, IPT_INV_VIA_IN)) if (NF_INVF(ipinfo, IPT_INV_VIA_IN, ret != 0))
return false; return false;
ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask); ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask);
if (FWINV(ret != 0, IPT_INV_VIA_OUT)) if (NF_INVF(ipinfo, IPT_INV_VIA_OUT, ret != 0))
return false; return false;
/* Check specific protocol */ /* Check specific protocol */
if (ipinfo->proto && if (ipinfo->proto &&
FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) NF_INVF(ipinfo, IPT_INV_PROTO, ip->protocol != ipinfo->proto))
return false; return false;
/* If we have a fragment rule but the packet is not a fragment /* If we have a fragment rule but the packet is not a fragment
* then we return zero */ * then we return zero */
if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) if (NF_INVF(ipinfo, IPT_INV_FRAG,
(ipinfo->flags & IPT_F_FRAG) && !isfrag))
return false; return false;
return true; return true;
...@@ -122,7 +121,6 @@ static inline bool unconditional(const struct ipt_entry *e) ...@@ -122,7 +121,6 @@ static inline bool unconditional(const struct ipt_entry *e)
return e->target_offset == sizeof(struct ipt_entry) && return e->target_offset == sizeof(struct ipt_entry) &&
memcmp(&e->ip, &uncond, sizeof(uncond)) == 0; memcmp(&e->ip, &uncond, sizeof(uncond)) == 0;
#undef FWINV
} }
/* for const-correctness */ /* for const-correctness */
......
...@@ -73,22 +73,22 @@ ip6_packet_match(const struct sk_buff *skb, ...@@ -73,22 +73,22 @@ ip6_packet_match(const struct sk_buff *skb,
unsigned long ret; unsigned long ret;
const struct ipv6hdr *ipv6 = ipv6_hdr(skb); const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg))) if (NF_INVF(ip6info, IP6T_INV_SRCIP,
ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk, &ip6info->src)) ||
&ip6info->src), IP6T_INV_SRCIP) || NF_INVF(ip6info, IP6T_INV_DSTIP,
FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk, ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
&ip6info->dst), IP6T_INV_DSTIP)) &ip6info->dst)))
return false; return false;
ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask); ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
if (FWINV(ret != 0, IP6T_INV_VIA_IN)) if (NF_INVF(ip6info, IP6T_INV_VIA_IN, ret != 0))
return false; return false;
ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask); ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) if (NF_INVF(ip6info, IP6T_INV_VIA_OUT, ret != 0))
return false; return false;
/* ... might want to do something with class and flowlabel here ... */ /* ... might want to do something with class and flowlabel here ... */
......
...@@ -83,8 +83,6 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -83,8 +83,6 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
return false; return false;
} }
#define FWINVTCP(bool, invflg) ((bool) ^ !!(tcpinfo->invflags & (invflg)))
th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph); th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
if (th == NULL) { if (th == NULL) {
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
...@@ -102,9 +100,8 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -102,9 +100,8 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
ntohs(th->dest), ntohs(th->dest),
!!(tcpinfo->invflags & XT_TCP_INV_DSTPT))) !!(tcpinfo->invflags & XT_TCP_INV_DSTPT)))
return false; return false;
if (!FWINVTCP((((unsigned char *)th)[13] & tcpinfo->flg_mask) if (!NF_INVF(tcpinfo, XT_TCP_INV_FLAGS,
== tcpinfo->flg_cmp, (((unsigned char *)th)[13] & tcpinfo->flg_mask) == tcpinfo->flg_cmp))
XT_TCP_INV_FLAGS))
return false; return false;
if (tcpinfo->option) { if (tcpinfo->option) {
if (th->doff * 4 < sizeof(_tcph)) { if (th->doff * 4 < sizeof(_tcph)) {
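Review bot: The TCP flags test in the second hunk is the one NF_INVF use with the opposite polarity. Its `boolean` is an equality (`... == tcpinfo->flg_cmp`) and the whole macro is negated, whereas every other converted call passes a mismatch and returns when the result is true. The logic is unchanged from FWINVTCP, but now that the macro is shared, a one-line comment would stop a later cleanup from flipping it, e.g. `/* match when (flags & flg_mask) == flg_cmp, inverted by XT_TCP_INV_FLAGS */`. The bare `[13]` index would also read better with a short comment naming it as the TCP flags byte. tcp_mt starts and ends outside the hunks shown.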
......