authorJoe Perches <joe@perches.com>2016-06-24 16:25:22 -0400
committerPablo Neira Ayuso <pablo@netfilter.org>2016-07-03 04:55:07 -0400
commitc37a2dfa67f7920b14ea77dc9f9f9660f7a1f6dd (patch)
treed170247b37a60ac138094e999f5dbed5a762b3a8
parentf1504307b9ab60e73ba31eece4be8298ebc9c1b7 (diff)
netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF
netfilter uses multiple FWINV #defines with identical form that hide a specific structure variable and dereference it with an invflags member. $ git grep "#define FWINV" include/linux/netfilter_bridge/ebtables.h:#define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg)) net/bridge/netfilter/ebtables.c:#define FWINV2(bool, invflg) ((bool) ^ !!(e->invflags & invflg)) net/ipv4/netfilter/arp_tables.c:#define FWINV(bool, invflg) ((bool) ^ !!(arpinfo->invflags & (invflg))) net/ipv4/netfilter/ip_tables.c:#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg))) net/ipv6/netfilter/ip6_tables.c:#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg))) net/netfilter/xt_tcpudp.c:#define FWINVTCP(bool, invflg) ((bool) ^ !!(tcpinfo->invflags & (invflg))) Consolidate these macros into a single NF_INVF macro. Miscellanea: o Neaten the alignment around these uses o A few lines are > 80 columns for intelligibility Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--include/linux/netfilter/x_tables.h4
-rw-r--r--include/linux/netfilter_bridge/ebtables.h2
-rw-r--r--net/bridge/netfilter/ebt_802_3.c6
-rw-r--r--net/bridge/netfilter/ebt_arp.c38
-rw-r--r--net/bridge/netfilter/ebt_ip.c28
-rw-r--r--net/bridge/netfilter/ebt_ip6.c41
-rw-r--r--net/bridge/netfilter/ebt_stp.c52
-rw-r--r--net/bridge/netfilter/ebtables.c27
-rw-r--r--net/ipv4/netfilter/arp_tables.c41
-rw-r--r--net/ipv4/netfilter/ip_tables.c20
-rw-r--r--net/ipv6/netfilter/ip6_tables.c16
-rw-r--r--net/netfilter/xt_tcpudp.c7
12 files changed, 144 insertions, 138 deletions
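--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -6,6 +6,10 @@
 #include <linux/static_key.h>
 #include <uapi/linux/netfilter/x_tables.h>
 
+/* Test a struct->invflags and a boolean for inequality */
+#define NF_INVF(ptr, flag, boolean) \
+ ((boolean) ^ !!((ptr)->invflags & (flag)))
+
 /**
  * struct xt_action_param - parameters for matches/targets
  *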
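Review bot: NF_INVF XORs `boolean` exactly as passed, so it only inverts correctly when that argument is 0 or 1; a truthy value such as 2 stays truthy under `^ 1`, and the rule's inversion flag would be silently ignored. Most converted callers pass a comparison, but `ipv6_masked_addr_cmp(...)` in ebt_ip6.c and ip6_tables.c and `arp_devaddr_compare(...)` in arp_tables.c pass a function result directly, and their return types are not visible in this diff. Either normalise inside the macro, `((!!(boolean)) ^ !!((ptr)->invflags & (flag)))`, or extend the comment to `/* Test a struct->invflags and a boolean for inequality; boolean must be 0 or 1 */`. Because `flag` and `boolean` are both integer expressions, a transposed call also compiles cleanly, so naming the argument order in that comment would help whoever reviews later conversions.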
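--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -115,8 +115,6 @@ extern unsigned int ebt_do_table(struct sk_buff *skb,
  const struct nf_hook_state *state,
  struct ebt_table *table);
 
-/* Used in the kernel match() functions */
-#define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg))
 /* True if the hook mask denotes that the rule is in a base chain,
  * used in the check() functions */
 #define BASE_CHAIN (par->hook_mask & (1 << NF_BR_NUMHOOKS))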
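--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -20,16 +20,16 @@ ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par)
  __be16 type = hdr->llc.ui.ctrl & IS_UI ? hdr->llc.ui.type : hdr->llc.ni.type;
 
  if (info->bitmask & EBT_802_3_SAP) {
- if (FWINV(info->sap != hdr->llc.ui.ssap, EBT_802_3_SAP))
+ if (NF_INVF(info, EBT_802_3_SAP, info->sap != hdr->llc.ui.ssap))
  return false;
- if (FWINV(info->sap != hdr->llc.ui.dsap, EBT_802_3_SAP))
+ if (NF_INVF(info, EBT_802_3_SAP, info->sap != hdr->llc.ui.dsap))
  return false;
  }
 
  if (info->bitmask & EBT_802_3_TYPE) {
  if (!(hdr->llc.ui.dsap == CHECK_TYPE && hdr->llc.ui.ssap == CHECK_TYPE))
  return false;
- if (FWINV(info->type != type, EBT_802_3_TYPE))
+ if (NF_INVF(info, EBT_802_3_TYPE, info->type != type))
  return false;
  }
 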
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index cca0a899ee15..227142282b45 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -25,14 +25,14 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
25 ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); 25 ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
26 if (ah == NULL) 26 if (ah == NULL)
27 return false; 27 return false;
28 if (info->bitmask & EBT_ARP_OPCODE && FWINV(info->opcode != 28 if ((info->bitmask & EBT_ARP_OPCODE) &&
29 ah->ar_op, EBT_ARP_OPCODE)) 29 NF_INVF(info, EBT_ARP_OPCODE, info->opcode != ah->ar_op))
30 return false; 30 return false;
31 if (info->bitmask & EBT_ARP_HTYPE && FWINV(info->htype != 31 if ((info->bitmask & EBT_ARP_HTYPE) &&
32 ah->ar_hrd, EBT_ARP_HTYPE)) 32 NF_INVF(info, EBT_ARP_HTYPE, info->htype != ah->ar_hrd))
33 return false; 33 return false;
34 if (info->bitmask & EBT_ARP_PTYPE && FWINV(info->ptype != 34 if ((info->bitmask & EBT_ARP_PTYPE) &&
35 ah->ar_pro, EBT_ARP_PTYPE)) 35 NF_INVF(info, EBT_ARP_PTYPE, info->ptype != ah->ar_pro))
36 return false; 36 return false;
37 37
38 if (info->bitmask & (EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_GRAT)) { 38 if (info->bitmask & (EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_GRAT)) {
@@ -51,14 +51,16 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
51 sizeof(daddr), &daddr); 51 sizeof(daddr), &daddr);
52 if (dap == NULL) 52 if (dap == NULL)
53 return false; 53 return false;
54 if (info->bitmask & EBT_ARP_SRC_IP && 54 if ((info->bitmask & EBT_ARP_SRC_IP) &&
55 FWINV(info->saddr != (*sap & info->smsk), EBT_ARP_SRC_IP)) 55 NF_INVF(info, EBT_ARP_SRC_IP,
56 info->saddr != (*sap & info->smsk)))
56 return false; 57 return false;
57 if (info->bitmask & EBT_ARP_DST_IP && 58 if ((info->bitmask & EBT_ARP_DST_IP) &&
58 FWINV(info->daddr != (*dap & info->dmsk), EBT_ARP_DST_IP)) 59 NF_INVF(info, EBT_ARP_DST_IP,
60 info->daddr != (*dap & info->dmsk)))
59 return false; 61 return false;
60 if (info->bitmask & EBT_ARP_GRAT && 62 if ((info->bitmask & EBT_ARP_GRAT) &&
61 FWINV(*dap != *sap, EBT_ARP_GRAT)) 63 NF_INVF(info, EBT_ARP_GRAT, *dap != *sap))
62 return false; 64 return false;
63 } 65 }
64 66
@@ -73,9 +75,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
73 sizeof(_mac), &_mac); 75 sizeof(_mac), &_mac);
74 if (mp == NULL) 76 if (mp == NULL)
75 return false; 77 return false;
76 if (FWINV(!ether_addr_equal_masked(mp, info->smaddr, 78 if (NF_INVF(info, EBT_ARP_SRC_MAC,
77 info->smmsk), 79 !ether_addr_equal_masked(mp, info->smaddr,
78 EBT_ARP_SRC_MAC)) 80 info->smmsk)))
79 return false; 81 return false;
80 } 82 }
81 83
@@ -85,9 +87,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
85 sizeof(_mac), &_mac); 87 sizeof(_mac), &_mac);
86 if (mp == NULL) 88 if (mp == NULL)
87 return false; 89 return false;
88 if (FWINV(!ether_addr_equal_masked(mp, info->dmaddr, 90 if (NF_INVF(info, EBT_ARP_DST_MAC,
89 info->dmmsk), 91 !ether_addr_equal_masked(mp, info->dmaddr,
90 EBT_ARP_DST_MAC)) 92 info->dmmsk)))
91 return false; 93 return false;
92 } 94 }
93 } 95 }
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index 23bca62d58d2..d06968bdf5ec 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -36,19 +36,19 @@ ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
36 ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); 36 ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
37 if (ih == NULL) 37 if (ih == NULL)
38 return false; 38 return false;
39 if (info->bitmask & EBT_IP_TOS && 39 if ((info->bitmask & EBT_IP_TOS) &&
40 FWINV(info->tos != ih->tos, EBT_IP_TOS)) 40 NF_INVF(info, EBT_IP_TOS, info->tos != ih->tos))
41 return false; 41 return false;
42 if (info->bitmask & EBT_IP_SOURCE && 42 if ((info->bitmask & EBT_IP_SOURCE) &&
43 FWINV((ih->saddr & info->smsk) != 43 NF_INVF(info, EBT_IP_SOURCE,
44 info->saddr, EBT_IP_SOURCE)) 44 (ih->saddr & info->smsk) != info->saddr))
45 return false; 45 return false;
46 if ((info->bitmask & EBT_IP_DEST) && 46 if ((info->bitmask & EBT_IP_DEST) &&
47 FWINV((ih->daddr & info->dmsk) != 47 NF_INVF(info, EBT_IP_DEST,
48 info->daddr, EBT_IP_DEST)) 48 (ih->daddr & info->dmsk) != info->daddr))
49 return false; 49 return false;
50 if (info->bitmask & EBT_IP_PROTO) { 50 if (info->bitmask & EBT_IP_PROTO) {
51 if (FWINV(info->protocol != ih->protocol, EBT_IP_PROTO)) 51 if (NF_INVF(info, EBT_IP_PROTO, info->protocol != ih->protocol))
52 return false; 52 return false;
53 if (!(info->bitmask & EBT_IP_DPORT) && 53 if (!(info->bitmask & EBT_IP_DPORT) &&
54 !(info->bitmask & EBT_IP_SPORT)) 54 !(info->bitmask & EBT_IP_SPORT))
@@ -61,16 +61,16 @@ ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
61 return false; 61 return false;
62 if (info->bitmask & EBT_IP_DPORT) { 62 if (info->bitmask & EBT_IP_DPORT) {
63 u32 dst = ntohs(pptr->dst); 63 u32 dst = ntohs(pptr->dst);
64 if (FWINV(dst < info->dport[0] || 64 if (NF_INVF(info, EBT_IP_DPORT,
65 dst > info->dport[1], 65 dst < info->dport[0] ||
66 EBT_IP_DPORT)) 66 dst > info->dport[1]))
67 return false; 67 return false;
68 } 68 }
69 if (info->bitmask & EBT_IP_SPORT) { 69 if (info->bitmask & EBT_IP_SPORT) {
70 u32 src = ntohs(pptr->src); 70 u32 src = ntohs(pptr->src);
71 if (FWINV(src < info->sport[0] || 71 if (NF_INVF(info, EBT_IP_SPORT,
72 src > info->sport[1], 72 src < info->sport[0] ||
73 EBT_IP_SPORT)) 73 src > info->sport[1]))
74 return false; 74 return false;
75 } 75 }
76 } 76 }
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 98de6e7fd86d..4617491be41e 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -45,15 +45,18 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
45 ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h); 45 ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
46 if (ih6 == NULL) 46 if (ih6 == NULL)
47 return false; 47 return false;
48 if (info->bitmask & EBT_IP6_TCLASS && 48 if ((info->bitmask & EBT_IP6_TCLASS) &&
49 FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS)) 49 NF_INVF(info, EBT_IP6_TCLASS,
50 info->tclass != ipv6_get_dsfield(ih6)))
50 return false; 51 return false;
51 if ((info->bitmask & EBT_IP6_SOURCE && 52 if (((info->bitmask & EBT_IP6_SOURCE) &&
52 FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk, 53 NF_INVF(info, EBT_IP6_SOURCE,
53 &info->saddr), EBT_IP6_SOURCE)) || 54 ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
54 (info->bitmask & EBT_IP6_DEST && 55 &info->saddr))) ||
55 FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk, 56 ((info->bitmask & EBT_IP6_DEST) &&
56 &info->daddr), EBT_IP6_DEST))) 57 NF_INVF(info, EBT_IP6_DEST,
58 ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
59 &info->daddr))))
57 return false; 60 return false;
58 if (info->bitmask & EBT_IP6_PROTO) { 61 if (info->bitmask & EBT_IP6_PROTO) {
59 uint8_t nexthdr = ih6->nexthdr; 62 uint8_t nexthdr = ih6->nexthdr;
@@ -63,7 +66,7 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
63 offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h), &nexthdr, &frag_off); 66 offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h), &nexthdr, &frag_off);
64 if (offset_ph == -1) 67 if (offset_ph == -1)
65 return false; 68 return false;
66 if (FWINV(info->protocol != nexthdr, EBT_IP6_PROTO)) 69 if (NF_INVF(info, EBT_IP6_PROTO, info->protocol != nexthdr))
67 return false; 70 return false;
68 if (!(info->bitmask & (EBT_IP6_DPORT | 71 if (!(info->bitmask & (EBT_IP6_DPORT |
69 EBT_IP6_SPORT | EBT_IP6_ICMP6))) 72 EBT_IP6_SPORT | EBT_IP6_ICMP6)))
@@ -76,22 +79,24 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
76 return false; 79 return false;
77 if (info->bitmask & EBT_IP6_DPORT) { 80 if (info->bitmask & EBT_IP6_DPORT) {
78 u16 dst = ntohs(pptr->tcpudphdr.dst); 81 u16 dst = ntohs(pptr->tcpudphdr.dst);
79 if (FWINV(dst < info->dport[0] || 82 if (NF_INVF(info, EBT_IP6_DPORT,
80 dst > info->dport[1], EBT_IP6_DPORT)) 83 dst < info->dport[0] ||
84 dst > info->dport[1]))
81 return false; 85 return false;
82 } 86 }
83 if (info->bitmask & EBT_IP6_SPORT) { 87 if (info->bitmask & EBT_IP6_SPORT) {
84 u16 src = ntohs(pptr->tcpudphdr.src); 88 u16 src = ntohs(pptr->tcpudphdr.src);
85 if (FWINV(src < info->sport[0] || 89 if (NF_INVF(info, EBT_IP6_SPORT,
86 src > info->sport[1], EBT_IP6_SPORT)) 90 src < info->sport[0] ||
91 src > info->sport[1]))
87 return false; 92 return false;
88 } 93 }
89 if ((info->bitmask & EBT_IP6_ICMP6) && 94 if ((info->bitmask & EBT_IP6_ICMP6) &&
90 FWINV(pptr->icmphdr.type < info->icmpv6_type[0] || 95 NF_INVF(info, EBT_IP6_ICMP6,
91 pptr->icmphdr.type > info->icmpv6_type[1] || 96 pptr->icmphdr.type < info->icmpv6_type[0] ||
92 pptr->icmphdr.code < info->icmpv6_code[0] || 97 pptr->icmphdr.type > info->icmpv6_type[1] ||
93 pptr->icmphdr.code > info->icmpv6_code[1], 98 pptr->icmphdr.code < info->icmpv6_code[0] ||
94 EBT_IP6_ICMP6)) 99 pptr->icmphdr.code > info->icmpv6_code[1]))
95 return false; 100 return false;
96 } 101 }
97 return true; 102 return true;
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 45f73d55422f..3140eb912d7e 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -49,66 +49,68 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
49 49
50 c = &info->config; 50 c = &info->config;
51 if ((info->bitmask & EBT_STP_FLAGS) && 51 if ((info->bitmask & EBT_STP_FLAGS) &&
52 FWINV(c->flags != stpc->flags, EBT_STP_FLAGS)) 52 NF_INVF(info, EBT_STP_FLAGS, c->flags != stpc->flags))
53 return false; 53 return false;
54 if (info->bitmask & EBT_STP_ROOTPRIO) { 54 if (info->bitmask & EBT_STP_ROOTPRIO) {
55 v16 = NR16(stpc->root); 55 v16 = NR16(stpc->root);
56 if (FWINV(v16 < c->root_priol || v16 > c->root_priou, 56 if (NF_INVF(info, EBT_STP_ROOTPRIO,
57 EBT_STP_ROOTPRIO)) 57 v16 < c->root_priol || v16 > c->root_priou))
58 return false; 58 return false;
59 } 59 }
60 if (info->bitmask & EBT_STP_ROOTADDR) { 60 if (info->bitmask & EBT_STP_ROOTADDR) {
61 if (FWINV(!ether_addr_equal_masked(&stpc->root[2], c->root_addr, 61 if (NF_INVF(info, EBT_STP_ROOTADDR,
62 c->root_addrmsk), 62 !ether_addr_equal_masked(&stpc->root[2],
63 EBT_STP_ROOTADDR)) 63 c->root_addr,
64 c->root_addrmsk)))
64 return false; 65 return false;
65 } 66 }
66 if (info->bitmask & EBT_STP_ROOTCOST) { 67 if (info->bitmask & EBT_STP_ROOTCOST) {
67 v32 = NR32(stpc->root_cost); 68 v32 = NR32(stpc->root_cost);
68 if (FWINV(v32 < c->root_costl || v32 > c->root_costu, 69 if (NF_INVF(info, EBT_STP_ROOTCOST,
69 EBT_STP_ROOTCOST)) 70 v32 < c->root_costl || v32 > c->root_costu))
70 return false; 71 return false;
71 } 72 }
72 if (info->bitmask & EBT_STP_SENDERPRIO) { 73 if (info->bitmask & EBT_STP_SENDERPRIO) {
73 v16 = NR16(stpc->sender); 74 v16 = NR16(stpc->sender);
74 if (FWINV(v16 < c->sender_priol || v16 > c->sender_priou, 75 if (NF_INVF(info, EBT_STP_SENDERPRIO,
75 EBT_STP_SENDERPRIO)) 76 v16 < c->sender_priol || v16 > c->sender_priou))
76 return false; 77 return false;
77 } 78 }
78 if (info->bitmask & EBT_STP_SENDERADDR) { 79 if (info->bitmask & EBT_STP_SENDERADDR) {
79 if (FWINV(!ether_addr_equal_masked(&stpc->sender[2], 80 if (NF_INVF(info, EBT_STP_SENDERADDR,
80 c->sender_addr, 81 !ether_addr_equal_masked(&stpc->sender[2],
81 c->sender_addrmsk), 82 c->sender_addr,
82 EBT_STP_SENDERADDR)) 83 c->sender_addrmsk)))
83 return false; 84 return false;
84 } 85 }
85 if (info->bitmask & EBT_STP_PORT) { 86 if (info->bitmask & EBT_STP_PORT) {
86 v16 = NR16(stpc->port); 87 v16 = NR16(stpc->port);
87 if (FWINV(v16 < c->portl || v16 > c->portu, EBT_STP_PORT)) 88 if (NF_INVF(info, EBT_STP_PORT,
89 v16 < c->portl || v16 > c->portu))
88 return false; 90 return false;
89 } 91 }
90 if (info->bitmask & EBT_STP_MSGAGE) { 92 if (info->bitmask & EBT_STP_MSGAGE) {
91 v16 = NR16(stpc->msg_age); 93 v16 = NR16(stpc->msg_age);
92 if (FWINV(v16 < c->msg_agel || v16 > c->msg_ageu, 94 if (NF_INVF(info, EBT_STP_MSGAGE,
93 EBT_STP_MSGAGE)) 95 v16 < c->msg_agel || v16 > c->msg_ageu))
94 return false; 96 return false;
95 } 97 }
96 if (info->bitmask & EBT_STP_MAXAGE) { 98 if (info->bitmask & EBT_STP_MAXAGE) {
97 v16 = NR16(stpc->max_age); 99 v16 = NR16(stpc->max_age);
98 if (FWINV(v16 < c->max_agel || v16 > c->max_ageu, 100 if (NF_INVF(info, EBT_STP_MAXAGE,
99 EBT_STP_MAXAGE)) 101 v16 < c->max_agel || v16 > c->max_ageu))
100 return false; 102 return false;
101 } 103 }
102 if (info->bitmask & EBT_STP_HELLOTIME) { 104 if (info->bitmask & EBT_STP_HELLOTIME) {
103 v16 = NR16(stpc->hello_time); 105 v16 = NR16(stpc->hello_time);
104 if (FWINV(v16 < c->hello_timel || v16 > c->hello_timeu, 106 if (NF_INVF(info, EBT_STP_HELLOTIME,
105 EBT_STP_HELLOTIME)) 107 v16 < c->hello_timel || v16 > c->hello_timeu))
106 return false; 108 return false;
107 } 109 }
108 if (info->bitmask & EBT_STP_FWDD) { 110 if (info->bitmask & EBT_STP_FWDD) {
109 v16 = NR16(stpc->forward_delay); 111 v16 = NR16(stpc->forward_delay);
110 if (FWINV(v16 < c->forward_delayl || v16 > c->forward_delayu, 112 if (NF_INVF(info, EBT_STP_FWDD,
111 EBT_STP_FWDD)) 113 v16 < c->forward_delayl || v16 > c->forward_delayu))
112 return false; 114 return false;
113 } 115 }
114 return true; 116 return true;
@@ -130,8 +132,8 @@ ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par)
130 if (memcmp(sp, header, sizeof(header))) 132 if (memcmp(sp, header, sizeof(header)))
131 return false; 133 return false;
132 134
133 if (info->bitmask & EBT_STP_TYPE && 135 if ((info->bitmask & EBT_STP_TYPE) &&
134 FWINV(info->type != sp->type, EBT_STP_TYPE)) 136 NF_INVF(info, EBT_STP_TYPE, info->type != sp->type))
135 return false; 137 return false;
136 138
137 if (sp->type == BPDU_TYPE_CONFIG && 139 if (sp->type == BPDU_TYPE_CONFIG &&
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5721a25be860..cceac5bb658f 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -121,7 +121,6 @@ ebt_dev_check(const char *entry, const struct net_device *device)
121 return devname[i] != entry[i] && entry[i] != 1; 121 return devname[i] != entry[i] && entry[i] != 1;
122} 122}
123 123
124#define FWINV2(bool, invflg) ((bool) ^ !!(e->invflags & invflg))
125/* process standard matches */ 124/* process standard matches */
126static inline int 125static inline int
127ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb, 126ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
@@ -137,34 +136,36 @@ ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
137 ethproto = h->h_proto; 136 ethproto = h->h_proto;
138 137
139 if (e->bitmask & EBT_802_3) { 138 if (e->bitmask & EBT_802_3) {
140 if (FWINV2(eth_proto_is_802_3(ethproto), EBT_IPROTO)) 139 if (NF_INVF(e, EBT_IPROTO, eth_proto_is_802_3(ethproto)))
141 return 1; 140 return 1;
142 } else if (!(e->bitmask & EBT_NOPROTO) && 141 } else if (!(e->bitmask & EBT_NOPROTO) &&
143 FWINV2(e->ethproto != ethproto, EBT_IPROTO)) 142 NF_INVF(e, EBT_IPROTO, e->ethproto != ethproto))
144 return 1; 143 return 1;
145 144
146 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN)) 145 if (NF_INVF(e, EBT_IIN, ebt_dev_check(e->in, in)))
147 return 1; 146 return 1;
148 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT)) 147 if (NF_INVF(e, EBT_IOUT, ebt_dev_check(e->out, out)))
149 return 1; 148 return 1;
150 /* rcu_read_lock()ed by nf_hook_slow */ 149 /* rcu_read_lock()ed by nf_hook_slow */
151 if (in && (p = br_port_get_rcu(in)) != NULL && 150 if (in && (p = br_port_get_rcu(in)) != NULL &&
152 FWINV2(ebt_dev_check(e->logical_in, p->br->dev), EBT_ILOGICALIN)) 151 NF_INVF(e, EBT_ILOGICALIN,
152 ebt_dev_check(e->logical_in, p->br->dev)))
153 return 1; 153 return 1;
154 if (out && (p = br_port_get_rcu(out)) != NULL && 154 if (out && (p = br_port_get_rcu(out)) != NULL &&
155 FWINV2(ebt_dev_check(e->logical_out, p->br->dev), EBT_ILOGICALOUT)) 155 NF_INVF(e, EBT_ILOGICALOUT,
156 ebt_dev_check(e->logical_out, p->br->dev)))
156 return 1; 157 return 1;
157 158
158 if (e->bitmask & EBT_SOURCEMAC) { 159 if (e->bitmask & EBT_SOURCEMAC) {
159 if (FWINV2(!ether_addr_equal_masked(h->h_source, 160 if (NF_INVF(e, EBT_ISOURCE,
160 e->sourcemac, e->sourcemsk), 161 !ether_addr_equal_masked(h->h_source, e->sourcemac,
161 EBT_ISOURCE)) 162 e->sourcemsk)))
162 return 1; 163 return 1;
163 } 164 }
164 if (e->bitmask & EBT_DESTMAC) { 165 if (e->bitmask & EBT_DESTMAC) {
165 if (FWINV2(!ether_addr_equal_masked(h->h_dest, 166 if (NF_INVF(e, EBT_IDEST,
166 e->destmac, e->destmsk), 167 !ether_addr_equal_masked(h->h_dest, e->destmac,
167 EBT_IDEST)) 168 e->destmsk)))
168 return 1; 169 return 1;
169 } 170 }
170 return 0; 171 return 0;
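Review bot: ebt_basic_match() returns 1 when a check fails and 0 at the end, the opposite polarity of the ebt_*_mt() matchers converted in this commit, which return false on a failed NF_INVF test; the only comment on it is `/* process standard matches */`. With the same macro now used on both sides, a note such as `/* process standard matches; returns 1 if the frame does NOT match the entry */` would keep the `return 1` lines from being misread as a match. The function starts before the second hunk, so this reading of the return value covers only the visible lines.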
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 2033f929aa66..c8dd9e26b185 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -89,22 +89,20 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
89 __be32 src_ipaddr, tgt_ipaddr; 89 __be32 src_ipaddr, tgt_ipaddr;
90 long ret; 90 long ret;
91 91
92#define FWINV(bool, invflg) ((bool) ^ !!(arpinfo->invflags & (invflg))) 92 if (NF_INVF(arpinfo, ARPT_INV_ARPOP,
93 93 (arphdr->ar_op & arpinfo->arpop_mask) != arpinfo->arpop))
94 if (FWINV((arphdr->ar_op & arpinfo->arpop_mask) != arpinfo->arpop,
95 ARPT_INV_ARPOP))
96 return 0; 94 return 0;
97 95
98 if (FWINV((arphdr->ar_hrd & arpinfo->arhrd_mask) != arpinfo->arhrd, 96 if (NF_INVF(arpinfo, ARPT_INV_ARPHRD,
99 ARPT_INV_ARPHRD)) 97 (arphdr->ar_hrd & arpinfo->arhrd_mask) != arpinfo->arhrd))
100 return 0; 98 return 0;
101 99
102 if (FWINV((arphdr->ar_pro & arpinfo->arpro_mask) != arpinfo->arpro, 100 if (NF_INVF(arpinfo, ARPT_INV_ARPPRO,
103 ARPT_INV_ARPPRO)) 101 (arphdr->ar_pro & arpinfo->arpro_mask) != arpinfo->arpro))
104 return 0; 102 return 0;
105 103
106 if (FWINV((arphdr->ar_hln & arpinfo->arhln_mask) != arpinfo->arhln, 104 if (NF_INVF(arpinfo, ARPT_INV_ARPHLN,
107 ARPT_INV_ARPHLN)) 105 (arphdr->ar_hln & arpinfo->arhln_mask) != arpinfo->arhln))
108 return 0; 106 return 0;
109 107
110 src_devaddr = arpptr; 108 src_devaddr = arpptr;
@@ -115,31 +113,32 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
115 arpptr += dev->addr_len; 113 arpptr += dev->addr_len;
116 memcpy(&tgt_ipaddr, arpptr, sizeof(u32)); 114 memcpy(&tgt_ipaddr, arpptr, sizeof(u32));
117 115
118 if (FWINV(arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr, dev->addr_len), 116 if (NF_INVF(arpinfo, ARPT_INV_SRCDEVADDR,
119 ARPT_INV_SRCDEVADDR) || 117 arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,
120 FWINV(arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr, dev->addr_len), 118 dev->addr_len)) ||
121 ARPT_INV_TGTDEVADDR)) 119 NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR,
120 arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,
121 dev->addr_len)))
122 return 0; 122 return 0;
123 123
124 if (FWINV((src_ipaddr & arpinfo->smsk.s_addr) != arpinfo->src.s_addr, 124 if (NF_INVF(arpinfo, ARPT_INV_SRCIP,
125 ARPT_INV_SRCIP) || 125 (src_ipaddr & arpinfo->smsk.s_addr) != arpinfo->src.s_addr) ||
126 FWINV(((tgt_ipaddr & arpinfo->tmsk.s_addr) != arpinfo->tgt.s_addr), 126 NF_INVF(arpinfo, ARPT_INV_TGTIP,
127 ARPT_INV_TGTIP)) 127 (tgt_ipaddr & arpinfo->tmsk.s_addr) != arpinfo->tgt.s_addr))
128 return 0; 128 return 0;
129 129
130 /* Look for ifname matches. */ 130 /* Look for ifname matches. */
131 ret = ifname_compare(indev, arpinfo->iniface, arpinfo->iniface_mask); 131 ret = ifname_compare(indev, arpinfo->iniface, arpinfo->iniface_mask);
132 132
133 if (FWINV(ret != 0, ARPT_INV_VIA_IN)) 133 if (NF_INVF(arpinfo, ARPT_INV_VIA_IN, ret != 0))
134 return 0; 134 return 0;
135 135
136 ret = ifname_compare(outdev, arpinfo->outiface, arpinfo->outiface_mask); 136 ret = ifname_compare(outdev, arpinfo->outiface, arpinfo->outiface_mask);
137 137
138 if (FWINV(ret != 0, ARPT_INV_VIA_OUT)) 138 if (NF_INVF(arpinfo, ARPT_INV_VIA_OUT, ret != 0))
139 return 0; 139 return 0;
140 140
141 return 1; 141 return 1;
142#undef FWINV
143} 142}
144 143
145static inline int arp_checkentry(const struct arpt_arp *arp) 144static inline int arp_checkentry(const struct arpt_arp *arp)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 54906e0e8e0c..f0df66f54ce6 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -58,32 +58,31 @@ ip_packet_match(const struct iphdr *ip,
58{ 58{
59 unsigned long ret; 59 unsigned long ret;
60 60
61#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg))) 61 if (NF_INVF(ipinfo, IPT_INV_SRCIP,
62 62 (ip->saddr & ipinfo->smsk.s_addr) != ipinfo->src.s_addr) ||
63 if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr, 63 NF_INVF(ipinfo, IPT_INV_DSTIP,
64 IPT_INV_SRCIP) || 64 (ip->daddr & ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr))
65 FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
66 IPT_INV_DSTIP))
67 return false; 65 return false;
68 66
69 ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask); 67 ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask);
70 68
71 if (FWINV(ret != 0, IPT_INV_VIA_IN)) 69 if (NF_INVF(ipinfo, IPT_INV_VIA_IN, ret != 0))
72 return false; 70 return false;
73 71
74 ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask); 72 ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask);
75 73
76 if (FWINV(ret != 0, IPT_INV_VIA_OUT)) 74 if (NF_INVF(ipinfo, IPT_INV_VIA_OUT, ret != 0))
77 return false; 75 return false;
78 76
79 /* Check specific protocol */ 77 /* Check specific protocol */
80 if (ipinfo->proto && 78 if (ipinfo->proto &&
81 FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) 79 NF_INVF(ipinfo, IPT_INV_PROTO, ip->protocol != ipinfo->proto))
82 return false; 80 return false;
83 81
84 /* If we have a fragment rule but the packet is not a fragment 82 /* If we have a fragment rule but the packet is not a fragment
85 * then we return zero */ 83 * then we return zero */
86 if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) 84 if (NF_INVF(ipinfo, IPT_INV_FRAG,
85 (ipinfo->flags & IPT_F_FRAG) && !isfrag))
87 return false; 86 return false;
88 87
89 return true; 88 return true;
@@ -122,7 +121,6 @@ static inline bool unconditional(const struct ipt_entry *e)
122 121
123 return e->target_offset == sizeof(struct ipt_entry) && 122 return e->target_offset == sizeof(struct ipt_entry) &&
124 memcmp(&e->ip, &uncond, sizeof(uncond)) == 0; 123 memcmp(&e->ip, &uncond, sizeof(uncond)) == 0;
125#undef FWINV
126} 124}
127 125
128/* for const-correctness */ 126/* for const-correctness */
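--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -73,22 +73,22 @@ ip6_packet_match(const struct sk_buff *skb,
  unsigned long ret;
  const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
 
-#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
-
- if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
- &ip6info->src), IP6T_INV_SRCIP) ||
- FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
- &ip6info->dst), IP6T_INV_DSTIP))
+ if (NF_INVF(ip6info, IP6T_INV_SRCIP,
+ ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
+ &ip6info->src)) ||
+ NF_INVF(ip6info, IP6T_INV_DSTIP,
+ ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
+ &ip6info->dst)))
  return false;
 
  ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
 
- if (FWINV(ret != 0, IP6T_INV_VIA_IN))
+ if (NF_INVF(ip6info, IP6T_INV_VIA_IN, ret != 0))
  return false;
 
  ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
 
- if (FWINV(ret != 0, IP6T_INV_VIA_OUT))
+ if (NF_INVF(ip6info, IP6T_INV_VIA_OUT, ret != 0))
  return false;
 
 /* ... might want to do something with class and flowlabel here ... */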
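--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -83,8 +83,6 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
  return false;
  }
 
-#define FWINVTCP(bool, invflg) ((bool) ^ !!(tcpinfo->invflags & (invflg)))
-
  th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
  if (th == NULL) {
  /* We've been asked to examine this packet, and we
@@ -102,9 +100,8 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
  ntohs(th->dest),
  !!(tcpinfo->invflags & XT_TCP_INV_DSTPT)))
  return false;
- if (!FWINVTCP((((unsigned char *)th)[13] & tcpinfo->flg_mask)
- == tcpinfo->flg_cmp,
- XT_TCP_INV_FLAGS))
+ if (!NF_INVF(tcpinfo, XT_TCP_INV_FLAGS,
+ (((unsigned char *)th)[13] & tcpinfo->flg_mask) == tcpinfo->flg_cmp))
  return false;
  if (tcpinfo->option) {
  if (th->doff * 4 < sizeof(_tcph)) {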
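Review bot: The converted TCP-flags test is the only call in this commit that negates the macro and passes an `==` comparison, `if (!NF_INVF(tcpinfo, XT_TCP_INV_FLAGS, ... == tcpinfo->flg_cmp))`, while every other converted site uses `NF_INVF(..., a != b)` without the `!`. The two forms are equivalent for 0/1 operands, but the odd one out is easy to break in a later edit of a packet filter; writing the argument as `(((unsigned char *)th)[13] & tcpinfo->flg_mask) != tcpinfo->flg_cmp` and dropping the `!` would match the rest. The new line also indexes the header with a bare `[13]`, so a comment such as `/* byte 13 of the TCP header holds the flag bits */` would document it. tcp_mt() begins and ends outside both hunks.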