Re: [RFC, PATCH 2/5]: netfilter+ipsec - output hooks
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2004-03-19 10:59:39
Also in:
netfilter-devel
On Thu, Mar 18, 2004 at 05:31:40PM +0100, Patrick McHardy wrote:
This patch adds new output-hooks. Packets with dst->xfrm != NULL traverse the POST_ROUTING hook before dst_output is called. The transformers mark the packets in the control buffer with a new flag IPSKB_XFRM_TRANSFORMED; these packets then traverse the LOCAL_OUT hook when they hit ip_output.
Thank you very much for your patches. This is definitely the biggest show stopper with the current IPsec stack. I've just got a minor point about this one:
@@ -119,12 +119,14 @@ /* This is gross, but inline doesn't cut it for avoiding the function call in fast path: gcc doesn't inline (needs value tracking?). --RR */ #ifdef CONFIG_NETFILTER_DEBUG -#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \ - nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN) +#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \ +(!(cond) \ + ? (okfn)(skb) \ + : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN))
Any reason why this is written with a negated cond? I get confused by double negations :)
#define NF_HOOK_THRESH nf_hook_slow #else -#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \ -(list_empty(&nf_hooks[(pf)][(hook)]) \ +#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \ +(!(cond) || list_empty(&nf_hooks[(pf)][(hook)]) \
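Review bot: In the CONFIG_NETFILTER_DEBUG variant of NF_HOOK_COND, a false cond now calls (okfn)(skb) directly, whereas the NF_HOOK it replaces always went through nf_hook_slow. Any debug-time checking that relies on every packet passing through nf_hook_slow is skipped for those packets, so it is worth confirming that the debug build behaves as intended on the bypassed path. A short comment above the macro stating that the hook is traversed only when cond is true would also help callers, since the quoted lines leave the meaning of cond implicit.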
Ditto, what about

((cond) && !list_empty(&nf_hooks[(pf)][(hook)]) \
 ? nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN) \
 : (okfn)(skb))

--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt