netfilter: nf_tables: consolidate rule verdict trace call

author Pablo Neira Ayuso <pablo@netfilter.org>

Thu, 9 Dec 2021 23:10:12 +0000 (00:10 +0100)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Wed, 31 Aug 2022 15:16:41 +0000 (17:16 +0200)
author Pablo Neira Ayuso <pablo@netfilter.org>
Thu, 9 Dec 2021 23:10:12 +0000 (00:10 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 31 Aug 2022 15:16:41 +0000 (17:16 +0200)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c

index d4d8f61..7defe5a 100644 (file)
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -67,6 +67,36 @@ static void nft_cmp_fast_eval(const struct nft_expr *expr,
         regs->verdict.code = NFT_BREAK;
  }
  
+static noinline void __nft_trace_verdict(struct nft_traceinfo *info,
+                                        const struct nft_chain *chain,
+                                        const struct nft_regs *regs)
+{
+       enum nft_trace_types type;
+
+       switch (regs->verdict.code) {
+       case NFT_CONTINUE:
+       case NFT_RETURN:
+               type = NFT_TRACETYPE_RETURN;
+               break;
+       default:
+               type = NFT_TRACETYPE_RULE;
+               break;
+       }
+
+       __nft_trace_packet(info, chain, type);
+}
+
+static inline void nft_trace_verdict(struct nft_traceinfo *info,
+                                    const struct nft_chain *chain,
+                                    const struct nft_rule *rule,
+                                    const struct nft_regs *regs)
+{
+       if (static_branch_unlikely(&nft_trace_enabled)) {
+               info->rule = rule;
+               __nft_trace_verdict(info, chain, regs);
+       }
+}
+
  static bool nft_payload_fast_eval(const struct nft_expr *expr,
                                   struct nft_regs *regs,
                                   const struct nft_pktinfo *pkt)
@@ -207,13 +237,13 @@ next_rule:
                 break;
         }
  
+       nft_trace_verdict(&info, chain, rule, &regs);
+
         switch (regs.verdict.code & NF_VERDICT_MASK) {
         case NF_ACCEPT:
         case NF_DROP:
         case NF_QUEUE:
         case NF_STOLEN:
-               nft_trace_packet(&info, chain, rule,
-                                NFT_TRACETYPE_RULE);
                 return regs.verdict.code;
         }
  
@@ -226,15 +256,10 @@ next_rule:
                 stackptr++;
                 fallthrough;
         case NFT_GOTO:
-               nft_trace_packet(&info, chain, rule,
-                                NFT_TRACETYPE_RULE);
-
                 chain = regs.verdict.chain;
                 goto do_chain;
         case NFT_CONTINUE:
         case NFT_RETURN:
-               nft_trace_packet(&info, chain, rule,
-                                NFT_TRACETYPE_RETURN);
                 break;
         default:
                 WARN_ON(1);
author	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 9 Dec 2021 23:10:12 +0000 (00:10 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 31 Aug 2022 15:16:41 +0000 (17:16 +0200)