netfilter: nf_tables: avoid usage of embedded nft_ctx

nft_ctx is stored in nft_trans object, but nft_ctx is large
(48 bytes on 64-bit platforms), it should not be embedded in
the transaction structures.

Reduce its usage so we can remove it eventually.

This replaces trans->ctx.chain with the chain pointer
already available in nft_trans_chain structure.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 62a4da955574ec362f567ecce2ee17a6e5f79e49..f4e39816104fdbadcfb734c2fcbb983688bb3391 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9682,10 +9682,10 @@ static void nf_tables_commit_chain_prepare_cancel(struct net *net)
        struct nft_trans *trans, *next;
 
        list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
-               struct nft_chain *chain = trans->ctx.chain;
-
                if (trans->msg_type == NFT_MSG_NEWRULE ||
                    trans->msg_type == NFT_MSG_DELRULE) {
+                       struct nft_chain *chain = trans->ctx.chain;
+
                        kvfree(chain->blob_next);
                        chain->blob_next = NULL;
                }
@@ -10318,7 +10318,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
                                /* trans destroyed after rcu grace period */
                        } else {
                                nft_chain_commit_drop_policy(nft_trans_container_chain(trans));
-                               nft_clear(net, trans->ctx.chain);
+                               nft_clear(net, nft_trans_chain(trans));
                                nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN, NULL);
                                nft_trans_destroy(trans);
                        }
@@ -10334,11 +10334,11 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
                                                                    true);
                                }
                        } else {
-                               nft_chain_del(trans->ctx.chain);
+                               nft_chain_del(nft_trans_chain(trans));
                                nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
                                                       NULL);
                                nf_tables_unregister_hook(trans->ctx.net, table,
-                                                         trans->ctx.chain);
+                                                         nft_trans_chain(trans));
                        }
                        break;
                case NFT_MSG_NEWRULE:

diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index 12ab78fa5d8420b34eb99582f345be4c5c38cc1d..8d892a0d2438f0409c3674a61b9cea01a406b8f5 100644 (file)
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -518,18 +518,18 @@ static void nft_flow_rule_offload_abort(struct net *net,
 
                switch (trans->msg_type) {
                case NFT_MSG_NEWCHAIN:
-                       if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) ||
+                       if (!(nft_trans_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) ||
                            nft_trans_chain_update(trans))
                                continue;
 
-                       err = nft_flow_offload_chain(trans->ctx.chain, NULL,
+                       err = nft_flow_offload_chain(nft_trans_chain(trans), NULL,
                                                     FLOW_BLOCK_UNBIND);
                        break;
                case NFT_MSG_DELCHAIN:
-                       if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
+                       if (!(nft_trans_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD))
                                continue;
 
-                       err = nft_flow_offload_chain(trans->ctx.chain, NULL,
+                       err = nft_flow_offload_chain(nft_trans_chain(trans), NULL,
                                                     FLOW_BLOCK_BIND);
                        break;
                case NFT_MSG_NEWRULE:
@@ -569,20 +569,20 @@ int nft_flow_rule_offload_commit(struct net *net)
 
                switch (trans->msg_type) {
                case NFT_MSG_NEWCHAIN:
-                       if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) ||
+                       if (!(nft_trans_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD) ||
                            nft_trans_chain_update(trans))
                                continue;
 
                        policy = nft_trans_chain_policy(trans);
-                       err = nft_flow_offload_chain(trans->ctx.chain, &policy,
+                       err = nft_flow_offload_chain(nft_trans_chain(trans), &policy,
                                                     FLOW_BLOCK_BIND);
                        break;
                case NFT_MSG_DELCHAIN:
-                       if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
+                       if (!(nft_trans_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD))
                                continue;
 
                        policy = nft_trans_chain_policy(trans);
-                       err = nft_flow_offload_chain(trans->ctx.chain, &policy,
+                       err = nft_flow_offload_chain(nft_trans_chain(trans), &policy,
                                                     FLOW_BLOCK_UNBIND);
                        break;
                case NFT_MSG_NEWRULE: