netfilter: nf_tables: Carry reset flag in nft_rule_dump_ctx
authorPhil Sutter <phil@nwl.cc>
Fri, 29 Sep 2023 19:19:20 +0000 (21:19 +0200)
committerFlorian Westphal <fw@strlen.de>
Tue, 10 Oct 2023 14:34:27 +0000 (16:34 +0200)
This relieves the dump callback from having to check nlmsg_type upon
each call; the check is instead performed once, in the .start callback.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
net/netfilter/nf_tables_api.c

index cd3c7dd15530374ee99ea1176ad4a4fd8e98771f..567c414351da8864b7dfe3c61f41fc2ee4dc2128 100644 (file)
@@ -3443,15 +3443,16 @@ static void audit_log_rule_reset(const struct nft_table *table,
 struct nft_rule_dump_ctx {
        char *table;
        char *chain;
+       bool reset;
 };
 
 static int __nf_tables_dump_rules(struct sk_buff *skb,
                                  unsigned int *idx,
                                  struct netlink_callback *cb,
                                  const struct nft_table *table,
-                                 const struct nft_chain *chain,
-                                 bool reset)
+                                 const struct nft_chain *chain)
 {
+       struct nft_rule_dump_ctx *ctx = cb->data;
        struct net *net = sock_net(skb->sk);
        const struct nft_rule *rule, *prule;
        unsigned int s_idx = cb->args[0];
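Review bot: `ctx` is dereferenced unconditionally once `struct nft_rule_dump_ctx *ctx = cb->data;` is added here: `ctx->reset` is read in the rule fill call and in the `audit_log_rule_reset` check in the later hunks of this function, and written in `nf_tables_dump_rules_start`. That is only safe if the `.start` callback always allocates the context, including for a dump request that carries neither a table nor a chain attribute. The allocation is outside the visible hunks, so this should be confirmed, since a NULL `cb->data` would be a kernel NULL dereference on a path driven by a netlink dump request. A comment on the new member would record the contract, e.g. `bool reset; /* set once in .start from nlmsg_type; ctx is never NULL in .dump */`. The body of `__nf_tables_dump_rules` continues outside this hunk.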
@@ -3475,7 +3476,7 @@ static int __nf_tables_dump_rules(struct sk_buff *skb,
                                        NFT_MSG_NEWRULE,
                                        NLM_F_MULTI | NLM_F_APPEND,
                                        table->family,
-                                       table, chain, rule, handle, reset) < 0) {
+                                       table, chain, rule, handle, ctx->reset) < 0) {
                        ret = 1;
                        break;
                }
@@ -3487,7 +3488,7 @@ cont_skip:
                (*idx)++;
        }
 
-       if (reset && entries)
+       if (ctx->reset && entries)
                audit_log_rule_reset(table, cb->seq, entries);
 
        return ret;
@@ -3504,10 +3505,6 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
        struct nftables_pernet *nft_net;
-       bool reset = false;
-
-       if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
-               reset = true;
 
        rcu_read_lock();
        nft_net = nft_pernet(net);
@@ -3532,7 +3529,7 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
                                if (!nft_is_active(net, chain))
                                        continue;
                                __nf_tables_dump_rules(skb, &idx,
-                                                      cb, table, chain, reset);
+                                                      cb, table, chain);
                                break;
                        }
                        goto done;
@@ -3540,7 +3537,7 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
 
                list_for_each_entry_rcu(chain, &table->chains, list) {
                        if (__nf_tables_dump_rules(skb, &idx,
-                                                  cb, table, chain, reset))
+                                                  cb, table, chain))
                                goto done;
                }
 
@@ -3578,6 +3575,8 @@ static int nf_tables_dump_rules_start(struct netlink_callback *cb)
                        return -ENOMEM;
                }
        }
+       if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
+               ctx->reset = true;
 
        cb->data = ctx;
        return 0;