diff options
| author | Florian Westphal <fw@strlen.de> | 2025-09-10 10:02:21 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2025-09-10 20:30:37 +0200 |
| commit | 11fe5a82e53ac3581a80c88e0e35fb8a80e15f48 (patch) | |
| tree | a55183109c972b9bec88761161a53af20be770b8 /include/net/netfilter | |
| parent | 64102d9bbc3d41dac5188b8fba75b1344c438970 (diff) | |
netfilter: nf_tables: make nft_set_do_lookup available unconditionally
This function was added for retpoline mitigation and is replaced by a
static inline helper if mitigations are not enabled.
Enable this helper function unconditionally so next patch can add a lookup
restart mechanism to fix possible false negatives while transactions are
in progress.
Adding lookup restarts in nft_lookup_eval doesn't work as nft_objref would
then need the same copypaste loop.
This patch is separate to ease review of the actual bug fix.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include/net/netfilter')
| -rw-r--r-- | include/net/netfilter/nf_tables_core.h | 10 |
1 files changed, 2 insertions, 8 deletions
diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h index 6c2f483d9828..656e784714f3 100644 --- a/include/net/netfilter/nf_tables_core.h +++ b/include/net/netfilter/nf_tables_core.h @@ -109,17 +109,11 @@ nft_hash_lookup_fast(const struct net *net, const struct nft_set *set, const struct nft_set_ext * nft_hash_lookup(const struct net *net, const struct nft_set *set, const u32 *key); +#endif + const struct nft_set_ext * nft_set_do_lookup(const struct net *net, const struct nft_set *set, const u32 *key); -#else -static inline const struct nft_set_ext * -nft_set_do_lookup(const struct net *net, const struct nft_set *set, - const u32 *key) -{ - return set->ops->lookup(net, set, key); -} -#endif /* called from nft_pipapo_avx2.c */ const struct nft_set_ext * |