netfilter: x_tables: reduce xt_action_param by 8 byte

The fragment offset in ipv4/ipv6 is a 16bit field, so use
u16 instead of unsigned int.

On 64bit: 40 bytes to 32 bytes. By extension this also reduces
nft_pktinfo (56 to 48 byte).

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 07c6ad8f2a0236e0bde8e7c1ce63144159f7690d..28d7027cd4607651bcfdad8e212dd564d5cfb72f 100644 (file)
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -36,8 +36,8 @@ struct xt_action_param {
                const void *matchinfo, *targinfo;
        };
        const struct nf_hook_state *state;
-       int fragoff;
        unsigned int thoff;
+       u16 fragoff;
        bool hotdrop;
 };
 

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index e810a23baf9977aba95cb72e0323286257ba7f4e..de2cf3943b91e4eed16937dc865b009eb451f76e 100644 (file)
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -51,7 +51,7 @@ ip6_packet_match(const struct sk_buff *skb,
                 const char *outdev,
                 const struct ip6t_ip6 *ip6info,
                 unsigned int *protoff,
-                int *fragoff, bool *hotdrop)
+                u16 *fragoff, bool *hotdrop)
 {
        unsigned long ret;
        const struct ipv6hdr *ipv6 = ipv6_hdr(skb);