From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
<netfilter-devel@vger.kernel.org>,
pablo@netfilter.org
Subject: [PATCH net-next 12/13] netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it
Date: Tue, 7 Apr 2026 16:15:39 +0200 [thread overview]
Message-ID: <20260407141540.11549-13-fw@strlen.de> (raw)
In-Reply-To: <20260407141540.11549-1-fw@strlen.de>
From: Pablo Neira Ayuso <pablo@netfilter.org>
Add a new helper function to retrieve the next action entry in flow
rule, check if the maximum number of actions is reached, bail out in
such case.
Replace existing opencoded iteration on the action array by this
helper function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/net/netfilter/nf_tables_offload.h | 10 ++++++++++
net/netfilter/nf_dup_netdev.c | 5 ++++-
net/netfilter/nft_immediate.c | 4 +++-
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index 3568b6a2f5f0..14c427891ee6 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -67,6 +67,16 @@ struct nft_flow_rule {
struct flow_rule *rule;
};
+static inline struct flow_action_entry *
+nft_flow_action_entry_next(struct nft_offload_ctx *ctx,
+ struct nft_flow_rule *flow)
+{
+ if (unlikely(ctx->num_actions >= flow->rule->action.num_entries))
+ return NULL;
+
+ return &flow->rule->action.entries[ctx->num_actions++];
+}
+
void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
enum flow_dissector_key_id addr_type);
diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c
index fab8b9011098..e348fb90b8dc 100644
--- a/net/netfilter/nf_dup_netdev.c
+++ b/net/netfilter/nf_dup_netdev.c
@@ -95,7 +95,10 @@ int nft_fwd_dup_netdev_offload(struct nft_offload_ctx *ctx,
if (!dev)
return -EOPNOTSUPP;
- entry = &flow->rule->action.entries[ctx->num_actions++];
+ entry = nft_flow_action_entry_next(ctx, flow);
+ if (!entry)
+ return -E2BIG;
+
entry->id = id;
entry->dev = dev;
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index 1b733c7b1b0e..d00eb2eb30e4 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -279,7 +279,9 @@ static int nft_immediate_offload_verdict(struct nft_offload_ctx *ctx,
struct flow_action_entry *entry;
const struct nft_data *data;
- entry = &flow->rule->action.entries[ctx->num_actions++];
+ entry = nft_flow_action_entry_next(ctx, flow);
+ if (!entry)
+ return -E2BIG;
data = &priv->data;
switch (data->verdict.code) {
--
2.52.0
next prev parent reply other threads:[~2026-04-07 14:16 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-07 14:15 [PATCH net-next 00/13] netfilter: updates for net-next Florian Westphal
2026-04-07 14:15 ` [PATCH net-next 01/13] netfilter: use function typedefs for __rcu NAT helper hook pointers Florian Westphal
2026-04-07 14:15 ` [PATCH net-next 02/13] netfilter: nf_tables: Fix typo in enum description Florian Westphal
2026-04-07 14:15 ` [PATCH net-next 03/13] netfilter: nf_conntrack_sip: remove net variable shadowing Florian Westphal
2026-04-07 14:15 ` [PATCH net-next 04/13] netfilter: add deprecation warning for dccp support Florian Westphal
2026-04-07 14:15 ` [PATCH net-next 05/13] netfilter: nf_conntrack_h323: remove unreliable debug code in decode_octstr Florian Westphal
2026-04-07 14:15 ` [PATCH net-next 06/13] netfilter: add more netlink-based policy range checks Florian Westphal
2026-04-07 14:15 ` [PATCH net-next 07/13] netfilter: nf_tables: add netlink policy based cap on registers Florian Westphal
2026-04-07 14:15 ` [PATCH net-next 08/13] netfilter: nft_set_pipapo: increment data in one step Florian Westphal
2026-04-07 14:15 ` [PATCH net-next 09/13] netfilter: nft_set_pipapo_avx2: remove redundant loop in lookup_slow Florian Westphal
2026-04-07 14:15 ` [PATCH net-next 10/13] netfilter: nft_meta: add double-tagged vlan and pppoe support Florian Westphal
2026-04-07 14:15 ` [PATCH net-next 11/13] netfilter: nf_conntrack_h323: Correct indentation when H323_TRACE defined Florian Westphal
2026-04-07 14:15 ` Florian Westphal [this message]
2026-04-07 14:15 ` [PATCH net-next 13/13] netfilter: ctnetlink: restrict expectfn to helper Florian Westphal
2026-04-07 14:27 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260407141540.11549-13-fw@strlen.de \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox