netfilter: nf_tables_offload: refactor the nft_flow_offload_chain function

Pass chain and policy parameters to nft_flow_offload_chain to reuse it.

Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
wenxu 2019-09-11 12:53:22 +08:00 committed by Pablo Neira Ayuso
parent 504882db83
commit 8fc618c52d
1 changed files with 13 additions and 7 deletions

View File

@ -294,12 +294,13 @@ static int nft_indr_block_offload_cmd(struct nft_base_chain *chain,
#define FLOW_SETUP_BLOCK TC_SETUP_BLOCK #define FLOW_SETUP_BLOCK TC_SETUP_BLOCK
static int nft_flow_offload_chain(struct nft_trans *trans, static int nft_flow_offload_chain(struct nft_chain *chain,
u8 *ppolicy,
enum flow_block_command cmd) enum flow_block_command cmd)
{ {
struct nft_chain *chain = trans->ctx.chain;
struct nft_base_chain *basechain; struct nft_base_chain *basechain;
struct net_device *dev; struct net_device *dev;
u8 policy;
if (!nft_is_base_chain(chain)) if (!nft_is_base_chain(chain))
return -EOPNOTSUPP; return -EOPNOTSUPP;
@ -309,10 +310,10 @@ static int nft_flow_offload_chain(struct nft_trans *trans,
if (!dev) if (!dev)
return -EOPNOTSUPP; return -EOPNOTSUPP;
policy = ppolicy ? *ppolicy : basechain->policy;
/* Only default policy to accept is supported for now. */ /* Only default policy to accept is supported for now. */
if (cmd == FLOW_BLOCK_BIND && if (cmd == FLOW_BLOCK_BIND && policy != -1 && policy != NF_ACCEPT)
nft_trans_chain_policy(trans) != -1 &&
nft_trans_chain_policy(trans) != NF_ACCEPT)
return -EOPNOTSUPP; return -EOPNOTSUPP;
if (dev->netdev_ops->ndo_setup_tc) if (dev->netdev_ops->ndo_setup_tc)
@ -325,6 +326,7 @@ int nft_flow_rule_offload_commit(struct net *net)
{ {
struct nft_trans *trans; struct nft_trans *trans;
int err = 0; int err = 0;
u8 policy;
list_for_each_entry(trans, &net->nft.commit_list, list) { list_for_each_entry(trans, &net->nft.commit_list, list) {
if (trans->ctx.family != NFPROTO_NETDEV) if (trans->ctx.family != NFPROTO_NETDEV)
@ -335,13 +337,17 @@ int nft_flow_rule_offload_commit(struct net *net)
if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)) if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
continue; continue;
err = nft_flow_offload_chain(trans, FLOW_BLOCK_BIND); policy = nft_trans_chain_policy(trans);
err = nft_flow_offload_chain(trans->ctx.chain, &policy,
FLOW_BLOCK_BIND);
break; break;
case NFT_MSG_DELCHAIN: case NFT_MSG_DELCHAIN:
if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)) if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
continue; continue;
err = nft_flow_offload_chain(trans, FLOW_BLOCK_UNBIND); policy = nft_trans_chain_policy(trans);
err = nft_flow_offload_chain(trans->ctx.chain, &policy,
FLOW_BLOCK_BIND);
break; break;
case NFT_MSG_NEWRULE: case NFT_MSG_NEWRULE:
if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)) if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))