netfilter: nf_tables: add and use nft_sk helper

This allows to change storage placement later on without changing readers.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 27eeb61..af1228f 100644 (file)
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -29,6 +29,11 @@ struct nft_pktinfo {
        struct xt_action_param          xt;
 };
 
+static inline struct sock *nft_sk(const struct nft_pktinfo *pkt)
+{
+       return pkt->xt.state->sk;
+}
+
 static inline struct net *nft_net(const struct nft_pktinfo *pkt)
 {
        return pkt->xt.state->net;

diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c
index ff437e4..55fc23a 100644 (file)
--- a/net/ipv4/netfilter/nft_reject_ipv4.c
+++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -27,7 +27,7 @@ static void nft_reject_ipv4_eval(const struct nft_expr *expr,
                nf_send_unreach(pkt->skb, priv->icmp_code, nft_hook(pkt));
                break;
        case NFT_REJECT_TCP_RST:
-               nf_send_reset(nft_net(pkt), pkt->xt.state->sk, pkt->skb,
+               nf_send_reset(nft_net(pkt), nft_sk(pkt), pkt->skb,
                              nft_hook(pkt));
                break;
        default:

diff --git a/net/ipv6/netfilter/nft_reject_ipv6.c b/net/ipv6/netfilter/nft_reject_ipv6.c
index 7969d1f..ed69c76 100644 (file)
--- a/net/ipv6/netfilter/nft_reject_ipv6.c
+++ b/net/ipv6/netfilter/nft_reject_ipv6.c
@@ -28,7 +28,7 @@ static void nft_reject_ipv6_eval(const struct nft_expr *expr,
                                 nft_hook(pkt));
                break;
        case NFT_REJECT_TCP_RST:
-               nf_send_reset6(nft_net(pkt), pkt->xt.state->sk, pkt->skb,
+               nf_send_reset6(nft_net(pkt), nft_sk(pkt), pkt->skb,
                               nft_hook(pkt));
                break;
        default:

diff --git a/net/netfilter/nft_reject_inet.c b/net/netfilter/nft_reject_inet.c
index 9509018..554caf9 100644 (file)
--- a/net/netfilter/nft_reject_inet.c
+++ b/net/netfilter/nft_reject_inet.c
@@ -28,7 +28,7 @@ static void nft_reject_inet_eval(const struct nft_expr *expr,
                                        nft_hook(pkt));
                        break;
                case NFT_REJECT_TCP_RST:
-                       nf_send_reset(nft_net(pkt), pkt->xt.state->sk,
+                       nf_send_reset(nft_net(pkt), nft_sk(pkt),
                                      pkt->skb, nft_hook(pkt));
                        break;
                case NFT_REJECT_ICMPX_UNREACH:
@@ -45,7 +45,7 @@ static void nft_reject_inet_eval(const struct nft_expr *expr,
                                         priv->icmp_code, nft_hook(pkt));
                        break;
                case NFT_REJECT_TCP_RST:
-                       nf_send_reset6(nft_net(pkt), pkt->xt.state->sk,
+                       nf_send_reset6(nft_net(pkt), nft_sk(pkt),
                                       pkt->skb, nft_hook(pkt));
                        break;
                case NFT_REJECT_ICMPX_UNREACH: