[PATCH] entry_data

[PATCH] entry_data

[Massimiliano Hofer]

[-- Attachment #1: Type: text/plain, Size: 1020 bytes --]

Hi,
here is my proposed patch for an API change that supports entry specific data.

As explained in my previous posts the purpose of this patch is to give matches 
the opportunity to store entry specific data. Several matches already achieve 
this reserving some space in the data fields, but these come from userspace 
and I don't think it is the Right Way(TM) to do it.

How it works:
- xt_entry_match.u.kernel now includes void *entry_data;
- (*checkentry)() now receives void **entry_data that points to the above 
mentioned field and has the ability to write to it;
- (*match)() and (*destroy)() are fed back the value set by (*checkentry)().

I did it just for matches. If anyone feels that it could be useful for 
targets, plese let me know.

I split it into 2 patches. One lays the infrastructure (this is the real patch 
and is really short), while the other changes every match in the mainline 
kernel according to the new API.

Feel free to criticize and suggest improvements.

-- 
Bye,
   Massimiliano Hofer

[-- Attachment #2: 2.6.17-rc5-entry_data_core.patch --]
[-- Type: text/x-diff, Size: 4843 bytes --]

diff -Nru linux-2.6.17-rc5/include/linux/netfilter/x_tables.h linux-2.6.17-rc5.entry_data_core/include/linux/netfilter/x_tables.h
--- linux-2.6.17-rc5/include/linux/netfilter/x_tables.h	2006-06-04 21:30:58.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_core/include/linux/netfilter/x_tables.h	2006-06-04 21:34:03.000000000 +0200
@@ -20,6 +20,7 @@
 
 			/* Used inside the kernel */
 			struct xt_match *match;
+			void *entry_data;
 		} kernel;
 
 		/* Total length */
@@ -166,7 +167,8 @@
 		     const void *matchinfo,
 		     int offset,
 		     unsigned int protoff,
-		     int *hotdrop);
+		     int *hotdrop,
+		     void *entry_data);
 
 	/* Called when user tries to insert an entry of this type. */
 	/* Should return true or false. */
@@ -175,11 +177,12 @@
 			  const struct xt_match *match,
 			  void *matchinfo,
 			  unsigned int matchinfosize,
-			  unsigned int hook_mask);
+			  unsigned int hook_mask,
+			  void **entry_data);
 
 	/* Called when entry of this type deleted. */
 	void (*destroy)(const struct xt_match *match, void *matchinfo,
-			unsigned int matchinfosize);
+			unsigned int matchinfosize, void *entry_data);
 
 	/* Called when userspace align differs from kernel space one */
 	int (*compat)(void *match, void **dstptr, int *size, int convert);
diff -Nru linux-2.6.17-rc5/net/ipv4/netfilter/ip_tables.c linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ip_tables.c
--- linux-2.6.17-rc5/net/ipv4/netfilter/ip_tables.c	2006-06-04 21:31:12.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ip_tables.c	2006-06-04 21:34:03.000000000 +0200
@@ -200,7 +200,8 @@
 {
 	/* Stop iteration if it doesn't match */
 	if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
-				      offset, skb->nh.iph->ihl*4, hotdrop))
+				      offset, skb->nh.iph->ihl*4, hotdrop,
+				      m->u.kernel.entry_data))
 		return 1;
 	else
 		return 0;
@@ -468,7 +469,8 @@
 
 	if (m->u.kernel.match->destroy)
 		m->u.kernel.match->destroy(m->u.kernel.match, m->data,
-					   m->u.match_size - sizeof(*m));
+					   m->u.match_size - sizeof(*m),
+					   m->u.kernel.entry_data);
 	module_put(m->u.kernel.match->me);
 	return 0;
 }
@@ -519,10 +521,12 @@
 	if (ret)
 		goto err;
 
+	m->u.kernel.entry_data=NULL;
 	if (m->u.kernel.match->checkentry
 	    && !m->u.kernel.match->checkentry(name, ip, match, m->data,
 					      m->u.match_size - sizeof(*m),
-					      hookmask)) {
+					      hookmask,
+					      &m->u.kernel.entry_data)) {
 		duprintf("ip_tables: check failed for `%s'.\n",
 			 m->u.kernel.match->name);
 		ret = -EINVAL;
@@ -2152,7 +2156,8 @@
 	   const void *matchinfo,
 	   int offset,
 	   unsigned int protoff,
-	   int *hotdrop)
+	   int *hotdrop,
+	   void *entry_data)
 {
 	struct icmphdr _icmph, *ic;
 	const struct ipt_icmp *icmpinfo = matchinfo;
@@ -2185,7 +2190,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct ipt_icmp *icmpinfo = matchinfo;
 
diff -Nru linux-2.6.17-rc5/net/ipv6/netfilter/ip6_tables.c linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6_tables.c
--- linux-2.6.17-rc5/net/ipv6/netfilter/ip6_tables.c	2006-06-04 21:31:13.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6_tables.c	2006-06-04 21:34:03.000000000 +0200
@@ -240,7 +240,8 @@
 {
 	/* Stop iteration if it doesn't match */
 	if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
-				      offset, protoff, hotdrop))
+				      offset, protoff, hotdrop,
+				      m->u.kernel.entry_data))
 		return 1;
 	else
 		return 0;
@@ -508,7 +509,8 @@
 
 	if (m->u.kernel.match->destroy)
 		m->u.kernel.match->destroy(m->u.kernel.match, m->data,
-					   m->u.match_size - sizeof(*m));
+					   m->u.match_size - sizeof(*m),
+					   m->u.kernel.entry_data);
 	module_put(m->u.kernel.match->me);
 	return 0;
 }
@@ -559,10 +561,12 @@
 	if (ret)
 		goto err;
 
+	m->u.kernel.entry_data=NULL;
 	if (m->u.kernel.match->checkentry
 	    && !m->u.kernel.match->checkentry(name, ipv6, match,  m->data,
 					      m->u.match_size - sizeof(*m),
-					      hookmask)) {
+					      hookmask,
+					      &m->u.kernel.entry_data)) {
 		duprintf("ip_tables: check failed for `%s'.\n",
 			 m->u.kernel.match->name);
 		ret = -EINVAL;
@@ -1320,7 +1324,8 @@
 	   const void *matchinfo,
 	   int offset,
 	   unsigned int protoff,
-	   int *hotdrop)
+	   int *hotdrop,
+	   void *entry_data)
 {
 	struct icmp6hdr _icmp, *ic;
 	const struct ip6t_icmp *icmpinfo = matchinfo;
@@ -1352,7 +1357,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct ip6t_icmp *icmpinfo = matchinfo;
 

[-- Attachment #3: 2.6.17-rc5-entry_data_matches.patch --]
[-- Type: text/x-diff, Size: 36294 bytes --]

diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_addrtype.c linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_addrtype.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_addrtype.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_addrtype.c	2006-06-04 20:52:42.000000000 +0200
@@ -30,7 +30,8 @@
 static int match(const struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
 		 const struct xt_match *match, const void *matchinfo,
-		 int offset, unsigned int protoff, int *hotdrop)
+		 int offset, unsigned int protoff, int *hotdrop,
+		 void *entry_data)
 {
 	const struct ipt_addrtype_info *info = matchinfo;
 	const struct iphdr *iph = skb->nh.iph;
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_ah.c linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_ah.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_ah.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_ah.c	2006-06-04 20:52:42.000000000 +0200
@@ -43,7 +43,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	struct ip_auth_hdr _ahdr, *ah;
 	const struct ipt_ah *ahinfo = matchinfo;
@@ -75,7 +76,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct ipt_ah *ahinfo = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_dscp.c linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_dscp.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_dscp.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_dscp.c	2006-06-04 20:52:42.000000000 +0200
@@ -22,7 +22,8 @@
 static int match(const struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
 		 const struct xt_match *match, const void *matchinfo,
-		 int offset, unsigned int protoff, int *hotdrop)
+		 int offset, unsigned int protoff, int *hotdrop,
+		 void *entry_data)
 {
 	const struct ipt_dscp_info *info = matchinfo;
 	const struct iphdr *iph = skb->nh.iph;
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_ecn.c linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_ecn.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_ecn.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_ecn.c	2006-06-04 20:52:42.000000000 +0200
@@ -68,7 +68,8 @@
 static int match(const struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
 		 const struct xt_match *match, const void *matchinfo,
-		 int offset, unsigned int protoff, int *hotdrop)
+		 int offset, unsigned int protoff, int *hotdrop,
+		 void *entry_data)
 {
 	const struct ipt_ecn_info *info = matchinfo;
 
@@ -89,7 +90,7 @@
 static int checkentry(const char *tablename, const void *ip_void,
 		      const struct xt_match *match,
 		      void *matchinfo, unsigned int matchsize,
-		      unsigned int hook_mask)
+		      unsigned int hook_mask, void **entry_data)
 {
 	const struct ipt_ecn_info *info = matchinfo;
 	const struct ipt_ip *ip = ip_void;
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_hashlimit.c linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_hashlimit.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_hashlimit.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_hashlimit.c	2006-06-04 20:52:42.000000000 +0200
@@ -432,7 +432,8 @@
 		const void *matchinfo,
 		int offset,
 		unsigned int protoff,
-		int *hotdrop)
+		int *hotdrop,
+		void *entry_data)
 {
 	struct ipt_hashlimit_info *r = 
 		((struct ipt_hashlimit_info *)matchinfo)->u.master;
@@ -511,7 +512,8 @@
 		     const struct xt_match *match,
 		     void *matchinfo,
 		     unsigned int matchsize,
-		     unsigned int hook_mask)
+		     unsigned int hook_mask,
+		     void **entry_data)
 {
 	struct ipt_hashlimit_info *r = matchinfo;
 
@@ -559,7 +561,7 @@
 
 static void
 hashlimit_destroy(const struct xt_match *match, void *matchinfo,
-		  unsigned int matchsize)
+		  unsigned int matchsize, void *entry_data)
 {
 	struct ipt_hashlimit_info *r = (struct ipt_hashlimit_info *) matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_iprange.c linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_iprange.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_iprange.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_iprange.c	2006-06-04 20:52:42.000000000 +0200
@@ -29,7 +29,7 @@
       const struct net_device *out,
       const struct xt_match *match,
       const void *matchinfo,
-      int offset, unsigned int protoff, int *hotdrop)
+      int offset, unsigned int protoff, int *hotdrop, void *entry_data)
 {
 	const struct ipt_iprange_info *info = matchinfo;
 	const struct iphdr *iph = skb->nh.iph;
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_owner.c linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_owner.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_owner.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_owner.c	2006-06-04 20:52:42.000000000 +0200
@@ -29,7 +29,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct ipt_owner_info *info = matchinfo;
 
@@ -57,7 +58,8 @@
 	   const struct xt_match *match,
            void *matchinfo,
            unsigned int matchsize,
-           unsigned int hook_mask)
+           unsigned int hook_mask,
+           void **entry_data)
 {
 	const struct ipt_owner_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_recent.c linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_recent.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_recent.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_recent.c	2006-06-04 20:52:42.000000000 +0200
@@ -106,7 +106,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop);
+      int *hotdrop,
+      void *entry_data);
 
 /* Function to hash a given address into the hash table of table_size size */
 static int hash_func(unsigned int addr, int table_size)
@@ -319,7 +320,7 @@
 	skb->nh.iph->daddr = 0;
 	/* Clear ttl since we have no way of knowing it */
 	skb->nh.iph->ttl = 0;
-	match(skb,NULL,NULL,NULL,info,0,0,NULL);
+	match(skb,NULL,NULL,NULL,info,0,0,NULL,NULL);
 
 	kfree(skb->nh.iph);
 out_free_skb:
@@ -361,7 +362,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	int pkt_count, hits_found, ans;
 	unsigned long now;
@@ -662,7 +664,8 @@
 	   const struct xt_match *match,
            void *matchinfo,
            unsigned int matchsize,
-           unsigned int hook_mask)
+           unsigned int hook_mask,
+           void **entry_data)
 {
 	int flag = 0, c;
 	unsigned long *hold;
@@ -872,7 +875,8 @@
  * up its memory.
  */
 static void
-destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *entry_data)
 {
 	const struct ipt_recent_info *info = matchinfo;
 	struct recent_ip_tables *curr_table, *last_table;
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_tos.c linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_tos.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_tos.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_tos.c	2006-06-04 20:52:42.000000000 +0200
@@ -25,7 +25,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct ipt_tos_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_ttl.c linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_ttl.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv4/netfilter/ipt_ttl.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv4/netfilter/ipt_ttl.c	2006-06-04 20:52:42.000000000 +0200
@@ -22,7 +22,8 @@
 static int match(const struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
 		 const struct xt_match *match, const void *matchinfo,
-		 int offset, unsigned int protoff, int *hotdrop)
+		 int offset, unsigned int protoff, int *hotdrop,
+		 void *entry_data)
 {
 	const struct ipt_ttl_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_ah.c linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_ah.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_ah.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_ah.c	2006-06-04 20:52:42.000000000 +0200
@@ -48,7 +48,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	struct ip_auth_hdr *ah, _ah;
 	const struct ip6t_ah *ahinfo = matchinfo;
@@ -103,7 +104,8 @@
 	  const struct xt_match *match,
           void *matchinfo,
           unsigned int matchinfosize,
-          unsigned int hook_mask)
+          unsigned int hook_mask,
+          void **entry_data)
 {
 	const struct ip6t_ah *ahinfo = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_dst.c linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_dst.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_dst.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_dst.c	2006-06-04 20:52:42.000000000 +0200
@@ -59,7 +59,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	struct ipv6_opt_hdr _optsh, *oh;
 	const struct ip6t_opts *optinfo = matchinfo;
@@ -183,7 +184,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct ip6t_opts *optsinfo = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_eui64.c linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_eui64.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_eui64.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_eui64.c	2006-06-04 20:52:42.000000000 +0200
@@ -26,7 +26,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	unsigned char eui64[8];
 	int i = 0;
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_frag.c linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_frag.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_frag.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_frag.c	2006-06-04 20:52:42.000000000 +0200
@@ -47,7 +47,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	struct frag_hdr _frag, *fh;
 	const struct ip6t_frag *fraginfo = matchinfo;
@@ -120,7 +121,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct ip6t_frag *fraginfo = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_hbh.c linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_hbh.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_hbh.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_hbh.c	2006-06-04 20:52:42.000000000 +0200
@@ -59,7 +59,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	struct ipv6_opt_hdr _optsh, *oh;
 	const struct ip6t_opts *optinfo = matchinfo;
@@ -183,7 +184,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct ip6t_opts *optsinfo = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_hl.c linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_hl.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_hl.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_hl.c	2006-06-04 20:52:42.000000000 +0200
@@ -21,7 +21,8 @@
 static int match(const struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
 		 const struct xt_match *match, const void *matchinfo,
-		 int offset, unsigned int protoff, int *hotdrop)
+		 int offset, unsigned int protoff, int *hotdrop,
+		 void *entry_data)
 {
 	const struct ip6t_hl_info *info = matchinfo;
 	const struct ipv6hdr *ip6h = skb->nh.ipv6h;
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_ipv6header.c linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_ipv6header.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_ipv6header.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_ipv6header.c	2006-06-04 20:52:42.000000000 +0200
@@ -33,7 +33,8 @@
 		 const void *matchinfo,
 		 int offset,
 		 unsigned int protoff,
-		 int *hotdrop)
+		 int *hotdrop,
+		 void *entry_data)
 {
 	const struct ip6t_ipv6header_info *info = matchinfo;
 	unsigned int temp;
@@ -129,7 +130,8 @@
 		      const struct xt_match *match,
 		      void *matchinfo,
 		      unsigned int matchsize,
-		      unsigned int hook_mask)
+		      unsigned int hook_mask,
+		      void **entry_data)
 {
 	const struct ip6t_ipv6header_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_owner.c linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_owner.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_owner.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_owner.c	2006-06-04 20:52:42.000000000 +0200
@@ -30,7 +30,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct ip6t_owner_info *info = matchinfo;
 
@@ -58,7 +59,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct ip6t_owner_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_rt.c linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_rt.c
--- linux-2.6.17-rc5.entry_data_core/net/ipv6/netfilter/ip6t_rt.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/ipv6/netfilter/ip6t_rt.c	2006-06-04 20:52:42.000000000 +0200
@@ -49,7 +49,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	struct ipv6_rt_hdr _route, *rh;
 	const struct ip6t_rt *rtinfo = matchinfo;
@@ -198,7 +199,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct ip6t_rt *rtinfo = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_comment.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_comment.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_comment.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_comment.c	2006-06-04 20:52:42.000000000 +0200
@@ -23,7 +23,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protooff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	/* We always match */
 	return 1;
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_connbytes.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_connbytes.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_connbytes.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_connbytes.c	2006-06-04 20:52:42.000000000 +0200
@@ -48,7 +48,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_connbytes_info *sinfo = matchinfo;
 	u_int64_t what = 0;	/* initialize to make gcc happy */
@@ -126,7 +127,8 @@
 		 const struct xt_match *match,
 		 void *matchinfo,
 		 unsigned int matchsize,
-		 unsigned int hook_mask)
+		 unsigned int hook_mask,
+		 void **entry_data)
 {
 	const struct xt_connbytes_info *sinfo = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_connmark.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_connmark.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_connmark.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_connmark.c	2006-06-04 20:52:42.000000000 +0200
@@ -39,7 +39,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_connmark_info *info = matchinfo;
 	u_int32_t ctinfo;
@@ -56,7 +57,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	struct xt_connmark_info *cm = (struct xt_connmark_info *)matchinfo;
 
@@ -75,7 +77,8 @@
 }
 
 static void
-destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *entry_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	nf_ct_l3proto_module_put(match->family);
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_conntrack.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_conntrack.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_conntrack.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_conntrack.c	2006-06-04 20:52:42.000000000 +0200
@@ -36,7 +36,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_conntrack_info *sinfo = matchinfo;
 	struct ip_conntrack *ct;
@@ -123,7 +124,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_conntrack_info *sinfo = matchinfo;
 	struct nf_conn *ct;
@@ -209,7 +211,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
@@ -222,7 +225,8 @@
 }
 
 static void
-destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *entry_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	nf_ct_l3proto_module_put(match->family);
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_dccp.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_dccp.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_dccp.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_dccp.c	2006-06-04 20:52:42.000000000 +0200
@@ -99,7 +99,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_dccp_info *info = 
 				(const struct xt_dccp_info *)matchinfo;
@@ -133,7 +134,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct xt_dccp_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_esp.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_esp.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_esp.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_esp.c	2006-06-04 20:52:42.000000000 +0200
@@ -50,7 +50,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	struct ip_esp_hdr _esp, *eh;
 	const struct xt_esp *espinfo = matchinfo;
@@ -80,7 +81,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct xt_esp *espinfo = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_helper.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_helper.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_helper.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_helper.c	2006-06-04 20:52:42.000000000 +0200
@@ -46,7 +46,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_helper_info *info = matchinfo;
 	struct ip_conntrack *ct;
@@ -94,7 +95,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_helper_info *info = matchinfo;
 	struct nf_conn *ct;
@@ -140,7 +142,8 @@
 		 const struct xt_match *match,
 		 void *matchinfo,
 		 unsigned int matchsize,
-		 unsigned int hook_mask)
+		 unsigned int hook_mask,
+		 void **entry_data)
 {
 	struct xt_helper_info *info = matchinfo;
 
@@ -156,7 +159,8 @@
 }
 
 static void
-destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *entry_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	nf_ct_l3proto_module_put(match->family);
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_length.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_length.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_length.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_length.c	2006-06-04 20:52:42.000000000 +0200
@@ -28,7 +28,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_length_info *info = matchinfo;
 	u_int16_t pktlen = ntohs(skb->nh.iph->tot_len);
@@ -44,7 +45,8 @@
        const void *matchinfo,
        int offset,
        unsigned int protoff,
-       int *hotdrop)
+       int *hotdrop,
+       void *entry_data)
 {
 	const struct xt_length_info *info = matchinfo;
 	u_int16_t pktlen = ntohs(skb->nh.ipv6h->payload_len) + sizeof(struct ipv6hdr);
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_limit.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_limit.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_limit.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_limit.c	2006-06-04 20:52:42.000000000 +0200
@@ -72,7 +72,8 @@
 		const void *matchinfo,
 		int offset,
 		unsigned int protoff,
-		int *hotdrop)
+		int *hotdrop,
+		void *entry_data)
 {
 	struct xt_rateinfo *r = ((struct xt_rateinfo *)matchinfo)->master;
 	unsigned long now = jiffies;
@@ -111,7 +112,8 @@
 		     const struct xt_match *match,
 		     void *matchinfo,
 		     unsigned int matchsize,
-		     unsigned int hook_mask)
+		     unsigned int hook_mask,
+		     void **entry_data)
 {
 	struct xt_rateinfo *r = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_mac.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_mac.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_mac.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_mac.c	2006-06-04 20:52:42.000000000 +0200
@@ -31,7 +31,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
     const struct xt_mac_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_mark.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_mark.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_mark.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_mark.c	2006-06-04 20:52:42.000000000 +0200
@@ -27,7 +27,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_mark_info *info = matchinfo;
 
@@ -40,7 +41,8 @@
 	   const struct xt_match *match,
            void *matchinfo,
            unsigned int matchsize,
-           unsigned int hook_mask)
+           unsigned int hook_mask,
+           void **entry_data)
 {
 	struct xt_mark_info *minfo = (struct xt_mark_info *) matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_multiport.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_multiport.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_multiport.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_multiport.c	2006-06-04 20:52:42.000000000 +0200
@@ -102,7 +102,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	u16 _ports[2], *pptr;
 	const struct xt_multiport *multiinfo = matchinfo;
@@ -133,7 +134,8 @@
 	 const void *matchinfo,
 	 int offset,
 	 unsigned int protoff,
-	 int *hotdrop)
+	 int *hotdrop,
+	 void *entry_data)
 {
 	u16 _ports[2], *pptr;
 	const struct xt_multiport_v1 *multiinfo = matchinfo;
@@ -176,7 +178,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct ipt_ip *ip = info;
 	const struct xt_multiport *multiinfo = matchinfo;
@@ -191,7 +194,8 @@
 	      const struct xt_match *match,
 	      void *matchinfo,
 	      unsigned int matchsize,
-	      unsigned int hook_mask)
+	      unsigned int hook_mask,
+	      void **entry_data)
 {
 	const struct ipt_ip *ip = info;
 	const struct xt_multiport_v1 *multiinfo = matchinfo;
@@ -206,7 +210,8 @@
 	    const struct xt_match *match,
 	    void *matchinfo,
 	    unsigned int matchsize,
-	    unsigned int hook_mask)
+	    unsigned int hook_mask,
+	    void **entry_data)
 {
 	const struct ip6t_ip6 *ip = info;
 	const struct xt_multiport *multiinfo = matchinfo;
@@ -221,7 +226,8 @@
 	       const struct xt_match *match,
 	       void *matchinfo,
 	       unsigned int matchsize,
-	       unsigned int hook_mask)
+	       unsigned int hook_mask,
+	       void **entry_data)
 {
 	const struct ip6t_ip6 *ip = info;
 	const struct xt_multiport_v1 *multiinfo = matchinfo;
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_physdev.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_physdev.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_physdev.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_physdev.c	2006-06-04 20:52:42.000000000 +0200
@@ -30,7 +30,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	int i;
 	static const char nulldevname[IFNAMSIZ];
@@ -106,7 +107,8 @@
 		       const struct xt_match *match,
 		       void *matchinfo,
 		       unsigned int matchsize,
-		       unsigned int hook_mask)
+		       unsigned int hook_mask,
+		       void **entry_data)
 {
 	const struct xt_physdev_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_pkttype.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_pkttype.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_pkttype.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_pkttype.c	2006-06-04 20:52:42.000000000 +0200
@@ -26,7 +26,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_pkttype_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_policy.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_policy.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_policy.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_policy.c	2006-06-04 20:52:42.000000000 +0200
@@ -116,7 +116,8 @@
                  const void *matchinfo,
                  int offset,
                  unsigned int protoff,
-                 int *hotdrop)
+                 int *hotdrop,
+                 void *entry_data)
 {
 	const struct xt_policy_info *info = matchinfo;
 	int ret;
@@ -137,7 +138,7 @@
 static int checkentry(const char *tablename, const void *ip_void,
                       const struct xt_match *match,
                       void *matchinfo, unsigned int matchsize,
-                      unsigned int hook_mask)
+                      unsigned int hook_mask, void **entry_data)
 {
 	struct xt_policy_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_realm.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_realm.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_realm.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_realm.c	2006-06-04 20:52:42.000000000 +0200
@@ -31,7 +31,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_realm_info *info = matchinfo;
 	struct dst_entry *dst = skb->dst;
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_sctp.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_sctp.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_sctp.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_sctp.c	2006-06-04 20:52:42.000000000 +0200
@@ -127,7 +127,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_sctp_info *info;
 	sctp_sctphdr_t _sh, *sh;
@@ -166,7 +167,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void **entry_data)
 {
 	const struct xt_sctp_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_state.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_state.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_state.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_state.c	2006-06-04 20:52:42.000000000 +0200
@@ -28,7 +28,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_state_info *sinfo = matchinfo;
 	enum ip_conntrack_info ctinfo;
@@ -49,7 +50,8 @@
 		 const struct xt_match *match,
 		 void *matchinfo,
 		 unsigned int matchsize,
-		 unsigned int hook_mask)
+		 unsigned int hook_mask,
+		 void **entry_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
@@ -62,7 +64,8 @@
 }
 
 static void
-destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *entry_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	nf_ct_l3proto_module_put(match->family);
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_string.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_string.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_string.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_string.c	2006-06-04 20:52:42.000000000 +0200
@@ -28,7 +28,8 @@
 		 const void *matchinfo,
 		 int offset,
 		 unsigned int protoff,
-		 int *hotdrop)
+		 int *hotdrop,
+		 void *entry_data)
 {
 	struct ts_state state;
 	struct xt_string_info *conf = (struct xt_string_info *) matchinfo;
@@ -47,7 +48,8 @@
 		      const struct xt_match *match,
 		      void *matchinfo,
 		      unsigned int matchsize,
-		      unsigned int hook_mask)
+		      unsigned int hook_mask,
+		      void **entry_data)
 {
 	struct xt_string_info *conf = matchinfo;
 	struct ts_config *ts_conf;
@@ -67,7 +69,7 @@
 }
 
 static void destroy(const struct xt_match *match, void *matchinfo,
-		    unsigned int matchsize)
+		    unsigned int matchsize, void *entry_data)
 {
 	textsearch_destroy(STRING_TEXT_PRIV(matchinfo)->config);
 }
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_tcpmss.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_tcpmss.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_tcpmss.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_tcpmss.c	2006-06-04 20:52:42.000000000 +0200
@@ -85,7 +85,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *entry_data)
 {
 	const struct xt_tcpmss_match_info *info = matchinfo;
 
diff -Nru linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_tcpudp.c linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_tcpudp.c
--- linux-2.6.17-rc5.entry_data_core/net/netfilter/xt_tcpudp.c	2006-06-04 21:33:27.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_matches/net/netfilter/xt_tcpudp.c	2006-06-04 20:52:42.000000000 +0200
@@ -78,7 +78,8 @@
 	  const void *matchinfo,
 	  int offset,
 	  unsigned int protoff,
-	  int *hotdrop)
+	  int *hotdrop,
+	  void *entry_data)
 {
 	struct tcphdr _tcph, *th;
 	const struct xt_tcp *tcpinfo = matchinfo;
@@ -142,7 +143,8 @@
 	       const struct xt_match *match,
 	       void *matchinfo,
 	       unsigned int matchsize,
-	       unsigned int hook_mask)
+	       unsigned int hook_mask,
+	       void **entry_data)
 {
 	const struct xt_tcp *tcpinfo = matchinfo;
 
@@ -158,7 +160,8 @@
 	  const void *matchinfo,
 	  int offset,
 	  unsigned int protoff,
-	  int *hotdrop)
+	  int *hotdrop,
+	  void *entry_data)
 {
 	struct udphdr _udph, *uh;
 	const struct xt_udp *udpinfo = matchinfo;
@@ -191,7 +194,8 @@
 	       const struct xt_match *match,
 	       void *matchinfo,
 	       unsigned int matchsize,
-	       unsigned int hook_mask)
+	       unsigned int hook_mask,
+	       void **entry_data)
 {
 	const struct xt_tcp *udpinfo = matchinfo;
 

Re: [PATCH] entry_data

[Massimiliano Hofer]

[-- Attachment #1: Type: text/plain, Size: 665 bytes --]

Hi,
an API isn't worth much if nobody uses it. :)
Here is an example of a module that takes advantage of the patch in my 
previous post.

It is a new version of xt_condition ported to 2.6.17-rc6 with entry_data. Just 
install the regular patchlet and substitute net/netfilter/xt_condition.c with 
the attacched source.

The advantages gained thanks to entry_data are that now match() and destroy() 
are O(1). The overall code is shorter and, IMHO, clearer.

WARNING: this version of condition is still experimental. It worked in my 
preliminary tests, but I will release a more reliable version as soon as 
2.6.17 becomes stable.

-- 
Saluti,
   Massimiliano Hofer

[-- Attachment #2: xt_condition.c --]
[-- Type: text/plain, Size: 8411 bytes --]

/*-------------------------------------------*\
|          Netfilter Condition Module         |
|                                             |
|  Description: This module allows firewall   |
|    rules to match using condition variables |
|    stored in /proc files.                   |
|                                             |
|  Author: Stephane Ouellette     2002-10-22  |
|          <ouellettes@videotron.ca>          |
|          Massimiliano Hofer     2006-05-15  |
|          <max@nucleus.it>                   |
|                                             |
|  History:                                   |
|    2003-02-10  Second version with improved |
|                locking and simplified code. |
|    2006-05-15  2.6.16 adaptations.          |
|                Locking overhaul.            |
|                Various bug fixes.           |
|                                             |
|  This software is distributed under the     |
|  terms of the GNU GPL.                      |
\*-------------------------------------------*/

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/spinlock.h>
#include <asm/semaphore.h>
#include <linux/string.h>
#include <linux/list.h>
#include <asm/atomic.h>
#include <asm/uaccess.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_condition.h>

#ifndef CONFIG_PROC_FS
#error  "Proc file system support is required for this module"
#endif

/* Defaults, these can be overridden on the module command-line. */
static unsigned int condition_list_perms = 0644;
static unsigned int compat_dir_name = 0;
static unsigned int condition_uid_perms = 0;
static unsigned int condition_gid_perms = 0;

MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca> and Massimiliano Hofer <max@nucleus.it>");
MODULE_DESCRIPTION("Allows rules to match against condition variables");
MODULE_LICENSE("GPL");
module_param(condition_list_perms, uint, 0600);
MODULE_PARM_DESC(condition_list_perms,"permissions on /proc/net/nf_condition/* files");
module_param(condition_uid_perms, uint, 0600);
MODULE_PARM_DESC(condition_uid_perms,"user owner of /proc/net/nf_condition/* files");
module_param(condition_gid_perms, uint, 0600);
MODULE_PARM_DESC(condition_gid_perms,"group owner of /proc/net/nf_condition/* files");
module_param(compat_dir_name, bool, 0400);
MODULE_PARM_DESC(compat_dir_name,"use old style /proc/net/ipt_condition/* files");
MODULE_ALIAS("ipt_condition");
MODULE_ALIAS("ip6t_condition");

struct condition_variable {
	struct list_head list;
	struct proc_dir_entry *status_proc;
	unsigned int refcount;
        int enabled;   /* TRUE == 1, FALSE == 0 */
};

/* proc_lock is a user context only semaphore used for write access */
/*           to the conditions' list.                               */
static DECLARE_MUTEX(proc_lock);

static LIST_HEAD(conditions_list);
static struct proc_dir_entry *proc_net_condition = NULL;
static const char *dir_name;

static int
xt_condition_read_info(char __user *buffer, char **start, off_t offset,
			int length, int *eof, void *data)
{
	struct condition_variable *var =
	    (struct condition_variable *) data;

	buffer[0] = (var->enabled) ? '1' : '0';
	buffer[1] = '\n';
	if (length>=2)
		*eof = 1;

	return 2;
}


static int
xt_condition_write_info(struct file *file, const char __user *buffer,
			 unsigned long length, void *data)
{
	struct condition_variable *var =
	    (struct condition_variable *) data;
	char newval;

	if (length>0) {
		if (get_user(newval, buffer))
			return -EFAULT;
	        /* Match only on the first character */
		switch (newval) {
		case '0':
			var->enabled = 0;
			break;
		case '1':
			var->enabled = 1;
			break;
		}
	}

	return (int) length;
}


static int
match(const struct sk_buff *skb, const struct net_device *in,
      const struct net_device *out, const struct xt_match *match,
      const void *matchinfo, int offset,
      unsigned int protoff, int *hotdrop, void *entry_data)
{
	const struct condition_info *info =
		(const struct condition_info *) matchinfo;
	struct condition_variable *var=
		(struct condition_variable *)entry_data;

	return var->enabled ^ info->invert;
}



static int
checkentry(const char *tablename, const void *ip,
	   const struct xt_match *match,
	   void *matchinfo, unsigned int matchsize,
	   unsigned int hook_mask, void **entry_data)
{
	static const char * const forbidden_names[]={ "", ".", ".." };
	struct condition_info *info = (struct condition_info *) matchinfo;
	struct list_head *pos;
	struct condition_variable *var, *newvar;
	int i;

	/* We don't want a '/' in a proc file name. */
	for (i=0; i < CONDITION_NAME_LEN && info->name[i] != '\0'; i++)
		if (info->name[i] == '/')
			return 0;
	/* We can't handle file names longer than CONDITION_NAME_LEN and */
	/* we want a NULL terminated string. */
	if (i == CONDITION_NAME_LEN)
		return 0;

	/* We don't want certain reserved names. */
	for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
		if(strcmp(info->name, forbidden_names[i])==0)
			return 0;

	/* Let's acquire the lock, check for the condition and add it */
	/* or increase the reference counter.                         */
	if (down_interruptible(&proc_lock))
	   return -EINTR;

	list_for_each(pos, &conditions_list) {
		var = list_entry(pos, struct condition_variable, list);
		if (strcmp(info->name, var->status_proc->name) == 0) {
			var->refcount++;
			*entry_data=(void *)var;
			up(&proc_lock);
			return 1;
		}
	}

	/* At this point, we need to allocate a new condition variable. */
	newvar = kmalloc(sizeof(struct condition_variable), GFP_KERNEL);

	if (!newvar) {
		up(&proc_lock);
		return -ENOMEM;
	}

	/* Create the condition variable's proc file entry. */
	newvar->status_proc = create_proc_entry(info->name, condition_list_perms, proc_net_condition);

	if (!newvar->status_proc) {
		kfree(newvar);
		up(&proc_lock);
		return -ENOMEM;
	}

	newvar->refcount = 1;
	newvar->enabled = 0;
	newvar->status_proc->owner = THIS_MODULE;
	newvar->status_proc->data = newvar;
	wmb();
	newvar->status_proc->read_proc = xt_condition_read_info;
	newvar->status_proc->write_proc = xt_condition_write_info;

	list_add_rcu(&newvar->list, &conditions_list);

	newvar->status_proc->uid = condition_uid_perms;
	newvar->status_proc->gid = condition_gid_perms;

	up(&proc_lock);

	*entry_data=(void *)newvar;

	return 1;
}


static void
destroy(const struct xt_match *match, void *matchinfo,
	unsigned int matchsize, void *entry_data)
{
	struct condition_info *info = (struct condition_info *) matchinfo;
	struct condition_variable *var=
		(struct condition_variable *)entry_data;

	BUG_ON(entry_data==NULL);

	down(&proc_lock);

	if (--var->refcount == 0) {
		list_del_rcu(&var->list);
		remove_proc_entry(var->status_proc->name, proc_net_condition);
		up(&proc_lock);
		/* synchronize_rcu() would be goog enough, but synchronize_net() */
		/* guarantees that no packet will go out with the old rule after */
		/* succesful removal.                                            */
		synchronize_net();
		kfree(var);
		return;
	}

	up(&proc_lock);
}


static struct xt_match condition_match = {
	.name = "condition",
	.family = AF_INET,
	.matchsize = sizeof(struct condition_info),
	.match = &match,
	.checkentry = &checkentry,
	.destroy = &destroy,
	.me = THIS_MODULE
};

static struct xt_match condition6_match = {
	.name = "condition",
	.family = AF_INET,
	.matchsize = sizeof(struct condition_info),
	.match = &match,
	.checkentry = &checkentry,
	.destroy = &destroy,
	.me = THIS_MODULE
};

static int __init
init(void)
{
	int errorcode;

	dir_name = compat_dir_name? "ipt_condition": "nf_condition";

	proc_net_condition = proc_mkdir(dir_name, proc_net);
	if (!proc_net_condition) {
		remove_proc_entry(dir_name, proc_net);
		return -EACCES;
	}

        errorcode = xt_register_match(&condition_match);
	if (errorcode) {
		xt_unregister_match(&condition_match);
		remove_proc_entry(dir_name, proc_net);
		return errorcode;
	}

	errorcode = xt_register_match(&condition6_match);
	if (errorcode) {
		xt_unregister_match(&condition6_match);
		xt_unregister_match(&condition_match);
		remove_proc_entry(dir_name, proc_net);
		return errorcode;
	}

	return 0;
}


static void __exit
fini(void)
{
	xt_unregister_match(&condition6_match);
	xt_unregister_match(&condition_match);
	remove_proc_entry(dir_name, proc_net);
}

module_init(init);
module_exit(fini);

Re: [PATCH] entry_data

[Pablo Neira Ayuso]

Massimiliano Hofer wrote:
> an API isn't worth much if nobody uses it. :)
> Here is an example of a module that takes advantage of the patch in my 
> previous post.
> 
> It is a new version of xt_condition ported to 2.6.17-rc6 with entry_data. Just 
> install the regular patchlet and substitute net/netfilter/xt_condition.c with 
> the attacched source.
> 
> The advantages gained thanks to entry_data are that now match() and destroy() 
> are O(1). The overall code is shorter and, IMHO, clearer.
> 
> WARNING: this version of condition is still experimental. It worked in my 
> preliminary tests, but I will release a more reliable version as soon as 
> 2.6.17 becomes stable.

Fine, please next time send an incremental diff so we all can notice the 
changes by having a look at the attachment. Thanks.

Re: [PATCH] entry_data

[Massimiliano Hofer]

[-- Attachment #1: Type: text/plain, Size: 341 bytes --]

On Monday 12 June 2006 11:50 am, Pablo Neira Ayuso wrote:

> Fine, please next time send an incremental diff so we all can notice the
> changes by having a look at the attachment. Thanks.

OK. Here it is. Some of the changes in this diff are due to the 2.6.17 
porting, but they are minor.

-- 
Saluti,
   Massimiliano Hofer
        Nucleus

[-- Attachment #2: condition-entry_data.diff --]
[-- Type: text/x-diff, Size: 5272 bytes --]

diff -Nru linux-2.6.16/net/netfilter/xt_condition.c linux-2.6.17-entry_data/net/netfilter/xt_condition.c
--- linux-2.6.16/net/netfilter/xt_condition.c	2006-04-26 12:07:52.000000000 +0200
+++ linux-2.6.17-entry_data/net/netfilter/xt_condition.c	2006-06-12 01:49:05.000000000 +0200
@@ -116,42 +116,32 @@
 
 static int
 match(const struct sk_buff *skb, const struct net_device *in,
-      const struct net_device *out, const void *matchinfo, int offset,
-      unsigned int protoff, int *hotdrop)
+      const struct net_device *out, const struct xt_match *match,
+      const void *matchinfo, int offset,
+      unsigned int protoff, int *hotdrop, void *entry_data)
 {
 	const struct condition_info *info =
-	    (const struct condition_info *) matchinfo;
-	struct condition_variable *var;
-	int condition_status = 0;
+		(const struct condition_info *) matchinfo;
+	struct condition_variable *var=
+		(struct condition_variable *)entry_data;
 
-	rcu_read_lock();
-	list_for_each_entry_rcu(var, &conditions_list, list) {
-		if (strcmp(info->name, var->status_proc->name) == 0) {
-			condition_status = var->enabled;
-			break;
-		}
-	}
-	rcu_read_unlock();
-
-	return condition_status ^ info->invert;
+	return var->enabled ^ info->invert;
 }
 
 
 
 static int
 checkentry(const char *tablename, const void *ip,
-	   void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
+	   const struct xt_match *match,
+	   void *matchinfo, unsigned int matchsize,
+	   unsigned int hook_mask, void **entry_data)
 {
 	static const char * const forbidden_names[]={ "", ".", ".." };
 	struct condition_info *info = (struct condition_info *) matchinfo;
 	struct list_head *pos;
 	struct condition_variable *var, *newvar;
-
 	int i;
 
-	if (matchsize != XT_ALIGN(sizeof(struct condition_info)))
-		return 0;
-
 	/* We don't want a '/' in a proc file name. */
 	for (i=0; i < CONDITION_NAME_LEN && info->name[i] != '\0'; i++)
 		if (info->name[i] == '/')
@@ -175,6 +165,7 @@
 		var = list_entry(pos, struct condition_variable, list);
 		if (strcmp(info->name, var->status_proc->name) == 0) {
 			var->refcount++;
+			*entry_data=(void *)var;
 			up(&proc_lock);
 			return 1;
 		}
@@ -212,38 +203,34 @@
 
 	up(&proc_lock);
 
+	*entry_data=(void *)newvar;
+
 	return 1;
 }
 
 
 static void
-destroy(void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *entry_data)
 {
 	struct condition_info *info = (struct condition_info *) matchinfo;
-	struct list_head *pos;
-	struct condition_variable *var;
+	struct condition_variable *var=
+		(struct condition_variable *)entry_data;
 
-	if (matchsize != XT_ALIGN(sizeof(struct condition_info)))
-		return;
+	BUG_ON(entry_data==NULL);
 
 	down(&proc_lock);
 
-	list_for_each(pos, &conditions_list) {
-		var = list_entry(pos, struct condition_variable, list);
-		if (strcmp(info->name, var->status_proc->name) == 0) {
-			if (--var->refcount == 0) {
-				list_del_rcu(pos);
-				remove_proc_entry(var->status_proc->name, proc_net_condition);
-				up(&proc_lock);
-				/* synchronize_rcu() would be goog enough, but synchronize_net() */
-				/* guarantees that no packet will go out with the old rule after */
-				/* succesful removal.                                            */
-				synchronize_net();
-				kfree(var);
-				return;
-			}
-			break;
-		}
+	if (--var->refcount == 0) {
+		list_del_rcu(&var->list);
+		remove_proc_entry(var->status_proc->name, proc_net_condition);
+		up(&proc_lock);
+		/* synchronize_rcu() would be goog enough, but synchronize_net() */
+		/* guarantees that no packet will go out with the old rule after */
+		/* succesful removal.                                            */
+		synchronize_net();
+		kfree(var);
+		return;
 	}
 
 	up(&proc_lock);
@@ -252,6 +239,8 @@
 
 static struct xt_match condition_match = {
 	.name = "condition",
+	.family = AF_INET,
+	.matchsize = sizeof(struct condition_info),
 	.match = &match,
 	.checkentry = &checkentry,
 	.destroy = &destroy,
@@ -260,6 +249,8 @@
 
 static struct xt_match condition6_match = {
 	.name = "condition",
+	.family = AF_INET,
+	.matchsize = sizeof(struct condition_info),
 	.match = &match,
 	.checkentry = &checkentry,
 	.destroy = &destroy,
@@ -279,17 +270,17 @@
 		return -EACCES;
 	}
 
-        errorcode = xt_register_match(AF_INET, &condition_match);
+        errorcode = xt_register_match(&condition_match);
 	if (errorcode) {
-		xt_unregister_match(AF_INET, &condition_match);
+		xt_unregister_match(&condition_match);
 		remove_proc_entry(dir_name, proc_net);
 		return errorcode;
 	}
 
-	errorcode = xt_register_match(AF_INET6, &condition6_match);
+	errorcode = xt_register_match(&condition6_match);
 	if (errorcode) {
-		xt_unregister_match(AF_INET6, &condition6_match);
-		xt_unregister_match(AF_INET, &condition_match);
+		xt_unregister_match(&condition6_match);
+		xt_unregister_match(&condition_match);
 		remove_proc_entry(dir_name, proc_net);
 		return errorcode;
 	}
@@ -301,8 +292,8 @@
 static void __exit
 fini(void)
 {
-	xt_unregister_match(AF_INET6, &condition6_match);
-	xt_unregister_match(AF_INET, &condition_match);
+	xt_unregister_match(&condition6_match);
+	xt_unregister_match(&condition_match);
 	remove_proc_entry(dir_name, proc_net);
 }
 

Re: [PATCH] entry_data

[Pablo Neira Ayuso]

Massimiliano Hofer wrote:
> On Monday 12 June 2006 11:50 am, Pablo Neira Ayuso wrote:
>  
>>Fine, please next time send an incremental diff so we all can notice the
>>changes by having a look at the attachment. Thanks.
> 
> OK. Here it is. Some of the changes in this diff are due to the 2.6.17 
> porting, but they are minor.
> 
> ------------------------------------------------------------------------
> 
> diff -Nru linux-2.6.16/net/netfilter/xt_condition.c linux-2.6.17-entry_data/net/netfilter/xt_condition.c
> --- linux-2.6.16/net/netfilter/xt_condition.c	2006-04-26 12:07:52.000000000 +0200
> +++ linux-2.6.17-entry_data/net/netfilter/xt_condition.c	2006-06-12 01:49:05.000000000 +0200
> @@ -116,42 +116,32 @@
>  
>  static int
>  match(const struct sk_buff *skb, const struct net_device *in,
> -      const struct net_device *out, const void *matchinfo, int offset,
> -      unsigned int protoff, int *hotdrop)
> +      const struct net_device *out, const struct xt_match *match,
> +      const void *matchinfo, int offset,
> +      unsigned int protoff, int *hotdrop, void *entry_data)

Hm, then you must have a patch to modify the interface match()?

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of 
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: [PATCH] entry_data

[Massimiliano Hofer]

On Tuesday 13 June 2006 5:19 pm, Pablo Neira Ayuso wrote:

> >  static int
> >  match(const struct sk_buff *skb, const struct net_device *in,
> > -      const struct net_device *out, const void *matchinfo, int offset,
> > -      unsigned int protoff, int *hotdrop)
> > +      const struct net_device *out, const struct xt_match *match,
> > +      const void *matchinfo, int offset,
> > +      unsigned int protoff, int *hotdrop, void *entry_data)
>
> Hm, then you must have a patch to modify the interface match()?

Of course. I sent a patch in the previous message:
https://lists.netfilter.org/pipermail/netfilter-devel/2006-June/024656.html

The patches are available here:
https://lists.netfilter.org/pipermail/netfilter-devel/attachments/20060605/94b0d808/2.6.17-rc5-entry_data_core-0001.bin
https://lists.netfilter.org/pipermail/netfilter-devel/attachments/20060605/94b0d808/2.6.17-rc5-entry_data_matches-0001.bin

-- 
Bye,
   Massimiliano Hofer

Re: [PATCH] entry_data

[Pablo Neira Ayuso]

Massimiliano Hofer wrote:
> On Tuesday 13 June 2006 5:19 pm, Pablo Neira Ayuso wrote:
> 
> 
>>> static int
>>> match(const struct sk_buff *skb, const struct net_device *in,
>>>-      const struct net_device *out, const void *matchinfo, int offset,
>>>-      unsigned int protoff, int *hotdrop)
>>>+      const struct net_device *out, const struct xt_match *match,
>>>+      const void *matchinfo, int offset,
>>>+      unsigned int protoff, int *hotdrop, void *entry_data)
>>
>>Hm, then you must have a patch to modify the interface match()?
> 
> 
> Of course. I sent a patch in the previous message:
> https://lists.netfilter.org/pipermail/netfilter-devel/2006-June/024656.html
> 
> The patches are available here:
> https://lists.netfilter.org/pipermail/netfilter-devel/attachments/20060605/94b0d808/2.6.17-rc5-entry_data_core-0001.bin
> https://lists.netfilter.org/pipermail/netfilter-devel/attachments/20060605/94b0d808/2.6.17-rc5-entry_data_matches-0001.bin

Unfortunately, your patch breaks old iptables binaries, so it can't 
guarantee backward compatibility :(

pablo@Decadence:~$ head -10 2.6.17-rc5-entry_data_core-0001.bin
diff -Nru linux-2.6.17-rc5/include/linux/netfilter/x_tables.h 
linux-2.6.17-rc5.entry_data_core/include/linux/netfilter/x_tables.h
--- linux-2.6.17-rc5/include/linux/netfilter/x_tables.h 2006-06-04 
21:30:58.000000000 +0200
+++ linux-2.6.17-rc5.entry_data_core/include/linux/netfilter/x_tables.h 
2006-06-04 21:34:03.000000000 +0200
@@ -20,6 +20,7 @@

                         /* Used inside the kernel */
                         struct xt_match *match;
+                       void *entry_data;
                 } kernel;

You can't modify the layout of xt_entry_[match|target] since this 
structure is shared between userspace (iptables) and kernel space.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of 
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: [PATCH] entry_data

[Massimiliano Hofer]

On Monday 19 June 2006 2:15 am, Pablo Neira Ayuso wrote:

> Unfortunately, your patch breaks old iptables binaries, so it can't
> guarantee backward compatibility :(

I explicitly devoloped it in order not to break compatibility with userspace. 
Did you test it? What problems did you experience?

Of course I break API compatibility within the kernel, so this is an all or 
nothing patch. If people think it's useful it should be merged in the 
mainline kernel and every patchlet updated accordingly.

I think this API is cleaner and more expressive.

>                          /* Used inside the kernel */
>                          struct xt_match *match;
> +                       void *entry_data;
>                  } kernel;
>
> You can't modify the layout of xt_entry_[match|target] since this
> structure is shared between userspace (iptables) and kernel space.

You're right, but I modified the kernel side of a union and I was careful not 
to change the total size. This union is never really used by both sides 
simultaneously.

-- 
Saluti,
   Massimiliano Hofer
        Nucleus

Re: [PATCH] entry_data

[Pablo Neira Ayuso]

Massimiliano Hofer wrote:
> 
>>                         /* Used inside the kernel */
>>                         struct xt_match *match;
>>+                       void *entry_data;
>>                 } kernel;
>>
>>You can't modify the layout of xt_entry_[match|target] since this
>>structure is shared between userspace (iptables) and kernel space.
> 
> 
> You're right, but I modified the kernel side of a union and I was careful not 
> to change the total size. This union is never really used by both sides 
> simultaneously.

Indeed, you're right, I can't see any problem with your patch at this 
moment. Although apart from the out of tree xt_condition match, there is 
no other clients for entry_data. I'd like to know what Patrick thinks 
about this.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of 
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: [PATCH] entry_data

[Patrick McHardy]

Pablo Neira Ayuso wrote:
> Massimiliano Hofer wrote:
> 
>> You're right, but I modified the kernel side of a union and I was
>> careful not to change the total size. This union is never really used
>> by both sides simultaneously.
> 
> 
> Indeed, you're right, I can't see any problem with your patch at this
> moment. Although apart from the out of tree xt_condition match, there is
> no other clients for entry_data. I'd like to know what Patrick thinks
> about this.

Actually there are quite a few things that can benefit from this
(see also my other mail to netfilter-devel). Stateful matches like
limit, quota, statistic can store their state in externally allocated
memory and remove all the state and the pointers from the structure
shared with userspace. hashlimit, recent and other matches that lookup
global state can just keep a reference to it without affecting
userspace visible structures. Besides it is in my opinion a major
limitation of the iptables API that it doesn't cleanly support
per-instance state, so I'm quite supportive of this patch :)

Re: [PATCH] entry_data

[Sven Anders]

[-- Attachment #1: Type: text/plain, Size: 1413 bytes --]

Massimiliano Hofer schrieb:
> Hi,
> here is my proposed patch for an API change that supports entry specific data.
> 
> As explained in my previous posts the purpose of this patch is to give matches 
> the opportunity to store entry specific data. Several matches already achieve 
> this reserving some space in the data fields, but these come from userspace 
> and I don't think it is the Right Way(TM) to do it.

Does this mean we can reuse these fields for other puroposes without breaking
compatibility with iptables?


I'm particularly interested in adding a negation to the "limit" match and I
think the match is using one of these special data fields...

 > /* Ugly, ugly fucker. */
 >  struct xt_rateinfo *master;

If this gives us the possibility to add the negation, who do we distinguish
between the old and new limit version. In other words: Who do we reach a maximum
compatibility?

Gruß
 Sven

-- 
 Sven Anders <anders@anduras.de>                 () Ascii Ribbon Campaign
                                                 /\ Support plain text e-mail
 ANDURAS service solutions AG
 Innstraße 71 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Rechtsform: Aktiengesellschaft - Sitz: Passau - Amtsgericht Passau HRB 6032
Mitglieder des Vorstands: Sven Anders, Marcus Junker, Michael Schön
Vorsitzender des Aufsichtsrats: Dipl. Kfm. Thomas Träger

Re: [PATCH] entry_data

[Massimiliano Hofer]

On Wednesday 14 June 2006 11:03 am, Sven Anders wrote:

> > As explained in my previous posts the purpose of this patch is to give
> > matches the opportunity to store entry specific data. Several matches
> > already achieve this reserving some space in the data fields, but these
> > come from userspace and I don't think it is the Right Way(TM) to do it.
>
> Does this mean we can reuse these fields for other puroposes without
> breaking compatibility with iptables?

Yes, with some caveats.

> I'm particularly interested in adding a negation to the "limit" match and I
> think the match is using one of these special data fields...
>
>  > /* Ugly, ugly fucker. */
>  >  struct xt_rateinfo *master;
>
> If this gives us the possibility to add the negation, who do we distinguish
> between the old and new limit version. In other words: Who do we reach a
> maximum compatibility?

In your case, the current version doesn't use master in userspace and
immediately wipes it in kernel space.
You could just replace it with another field (without changing the total
size), start using it in the new libipt_limit and detect it accordingly from
userspace while using my patch for the real master (supposing my patch is
accepted).
This would never lead to a crash, but the new userspace wouldn't be able to
distinguish if it has an appropriate kernel and it may silently drop the
negation with older versions.
For this purpose you could use the revision field and set a higher minum
revision when the limit is negated.

This leads me to a more radical proposal. Is there any reason we don't have a
general way to negate matches? It wouldn't be too difficult and we could
implement some new features such as negating the whole set of matches or a
single entry.
We could even abandon the madatory logical AND of every entry and pass a
minterm set (with AND as the default), but maybe this is too general.

--
Saluti,
   Massimiliano Hofer
        Nucleus

Re: [PATCH] entry_data

[Patrick McHardy]

Massimiliano Hofer wrote:
> This leads me to a more radical proposal. Is there any reason we don't have a
> general way to negate matches? It wouldn't be too difficult and we could
> implement some new features such as negating the whole set of matches or a
> single entry.
> We could even abandon the madatory logical AND of every entry and pass a
> minterm set (with AND as the default), but maybe this is too general.

It would be useful for some matches (basically those that only check
a single attribute), others may want to combine negated matching
on some attributes with non-negated matching on others. In these
cases it might still be useful to negate the entire result. It
would have the advantage of getting more consistent behaviour,
currently some matches treat unknown conditions or errors as
"always no match", independant of inversion.

For example xt_connmark:
        const u_int32_t *ctmark = nf_ct_get_mark(skb, &ctinfo);
        if (!ctmark)
                return 0;


... my opinion is that if the packet doesn't have a mark the expression
! <mark> is clearly true. Another questionable behaviour in my opinion
is using hotdrop to drop packets which are missing the information we
are interested in. The same argument holds here, if something is not
present, it just doesn't match. And negated it does match. The least
we should do is have consistent behaviour, so either connmark should
also use hotdrop, or nobody should (well, except for the few cases
where it is unsed in case of memory allocation failures and things
like that).

Re: [PATCH] entry_data

[Massimiliano Hofer]

On Monday 19 June 2006 7:45 pm, Patrick McHardy wrote:

> > This leads me to a more radical proposal. Is there any reason we don't
> > have a general way to negate matches? It wouldn't be too difficult and we
[...]
> It would be useful for some matches (basically those that only check
> a single attribute), others may want to combine negated matching
> on some attributes with non-negated matching on others. In these

I agree with you.
Let's suppose we want to implement this feature and we don't want to cause 
major breakage. I can't find a suitable bit in xt_entry_match, but we could 
define a "wrapper match". We could set u.name to "!" or something similar and 
data to:

struct {
   int invert;
   struct xt_entry_match nested_xt_entry_match;
};

Similar wrappers would effectively transform a simple linear data structure in 
a tree, so I don't think this is a thing we should endorse lighly.

Any better ideas?

> ... my opinion is that if the packet doesn't have a mark the expression
> ! <mark> is clearly true. Another questionable behaviour in my opinion
> is using hotdrop to drop packets which are missing the information we
> are interested in. The same argument holds here, if something is not
> present, it just doesn't match. And negated it does match. The least
> we should do is have consistent behaviour, so either connmark should
> also use hotdrop, or nobody should (well, except for the few cases
> where it is unsed in case of memory allocation failures and things
> like that).

I agree.

-- 
Saluti,
   Massimiliano Hofer
        Nucleus

Re: [PATCH] entry_data

[Patrick McHardy]

Massimiliano Hofer wrote:
> On Monday 19 June 2006 7:45 pm, Patrick McHardy wrote:
> 
> 
>>>This leads me to a more radical proposal. Is there any reason we don't
>>>have a general way to negate matches? It wouldn't be too difficult and we
> 
> [...]
> 
>>It would be useful for some matches (basically those that only check
>>a single attribute), others may want to combine negated matching
>>on some attributes with non-negated matching on others. In these
> 
> 
> I agree with you.
> Let's suppose we want to implement this feature and we don't want to cause 
> major breakage. I can't find a suitable bit in xt_entry_match, but we could 
> define a "wrapper match". We could set u.name to "!" or something similar and 
> data to:
> 
> struct {
>    int invert;
>    struct xt_entry_match nested_xt_entry_match;
> };
> 
> Similar wrappers would effectively transform a simple linear data structure in 
> a tree, so I don't think this is a thing we should endorse lighly.

I'm not sure how much effort we should put into glueing a generic
method around the matches, most already support proper negation and
we can just add it for the few(?) remaining ones manually (and I
don't accept new matches without proper negation support) and hope
for everything to get better with pkttables :)

Re: [PATCH] entry_data

[Patrick McHardy]

Sven Anders wrote:
> Massimiliano Hofer schrieb:
> 
>>Hi,
>>here is my proposed patch for an API change that supports entry specific data.
>>
>>As explained in my previous posts the purpose of this patch is to give matches 
>>the opportunity to store entry specific data. Several matches already achieve 
>>this reserving some space in the data fields, but these come from userspace 
>>and I don't think it is the Right Way(TM) to do it.
> 
> 
> Does this mean we can reuse these fields for other puroposes without breaking
> compatibility with iptables?

Yes, userspace ignores these fields. I still haven't really made up my
mind about this patch yet. I don't like the void ** approach very much,
but I didn't got around to thinking about something better yet. Please
stay patient with me :)

> I'm particularly interested in adding a negation to the "limit" match and I
> think the match is using one of these special data fields...
> 
>  > /* Ugly, ugly fucker. */
>  >  struct xt_rateinfo *master;
> 
> If this gives us the possibility to add the negation, who do we distinguish
> between the old and new limit version. In other words: Who do we reach a maximum
> compatibility?

IIRC userspace zeroes this field, so you could just do the usual
"0 -> no inversion, 1 -> inversion" thing and it would behave
correctly for both old and new userspace. But you need check
yourself if this is indeed true, I'm not really sure.

Re: [PATCH] entry_data

[Massimiliano Hofer]

On Monday 19 June 2006 7:34 pm, Patrick McHardy wrote:

> Yes, userspace ignores these fields. I still haven't really made up my
> mind about this patch yet. I don't like the void ** approach very much,

I understand your concerns, but it's either that or feeding it its own struct 
xt_entry_match *. This would be awfully circular, while the practice of 
passing someting * to functions is widespread. This only happens to be 
applied to a void *.

If anyone has a better way s?he's more than welcome.

> but I didn't got around to thinking about something better yet. Please
> stay patient with me :)

I'll be patient. :)

-- 
Saluti,
   Massimiliano Hofer
        Nucleus

Re: [PATCH] entry_data

[Patrick McHardy]

Massimiliano Hofer wrote:
> On Monday 19 June 2006 7:34 pm, Patrick McHardy wrote:
> 
> 
>>Yes, userspace ignores these fields. I still haven't really made up my
>>mind about this patch yet. I don't like the void ** approach very much,
> 
> 
> I understand your concerns, but it's either that or feeding it its own struct 
> xt_entry_match *. This would be awfully circular, while the practice of 
> passing someting * to functions is widespread. This only happens to be 
> applied to a void *.

I guess I just like externally allocated storage better (and a .privsize
field or something in the match structures). It avoids each match having
to deal with memory allocation failures and more complicated cleanup
code. Currently some matches store state in the structures shared with
userspace and keep a pointer to the first per-CPU copy so there is only
a single state on SMP, others allocate memory and keep a pointer in the
shared struct, yet others keep global state and do lookups based on some
identifier in the shared struct. The first two cases really just want
some amount of memory that is shared between per-CPU data and are happy
with externally allocated memory, the last one is usually used to share
state between selected instances of matches or targets, which will
always need to be handled internally.

So I think we should introduce a .priv_size field or something in struct
xt_match/xt_target and pass memory allocated by xtables to the matches
and targets.

Re: [PATCH] entry_data

[Massimiliano Hofer]

On Tuesday 20 June 2006 1:13 am, Patrick McHardy wrote:

> So I think we should introduce a .priv_size field or something in struct
> xt_match/xt_target and pass memory allocated by xtables to the matches
> and targets.

I changed the API on the (possibly wrong) assumption that most modules will 
need it for shared data (that's what I and at least some other modules need), 
but thinking about it there are other uses (multiple data with different 
sharing, non shared data that has no business in the userspace struct, etc.). 
In other words, you're right.

Following your suggestion I could add a .priv_size field and if it is non zero 
I allocate the requested memory and pass it as void * (the same type passed 
to (*checkentry)(), (*destroy)() and (*match)()).

We have 2 ways to implement this:
- we can allocate priv_size more bytes after data;
- we can separately allocate priv_size bytes and store a pointer in 
u.kernel.entry_data.

Seeing how the initialization code works, the first one is a bit hairy. The 
latter is really easy to implement, but if someone just needs 4 bytes we end 
up storing a pointer to a pointer with no good reason.

-- 
Saluti,
   Massimiliano Hofer
        Nucleus

Re: [PATCH] entry_data

[Patrick McHardy]

Massimiliano Hofer wrote:
> I changed the API on the (possibly wrong) assumption that most modules will 
> need it for shared data (that's what I and at least some other modules need), 
> but thinking about it there are other uses (multiple data with different 
> sharing, non shared data that has no business in the userspace struct, etc.). 
> In other words, you're right.
> 
> Following your suggestion I could add a .priv_size field and if it is non zero 
> I allocate the requested memory and pass it as void * (the same type passed 
> to (*checkentry)(), (*destroy)() and (*match)()).
> 
> We have 2 ways to implement this:
> - we can allocate priv_size more bytes after data;
> - we can separately allocate priv_size bytes and store a pointer in 
> u.kernel.entry_data.
> 
> Seeing how the initialization code works, the first one is a bit hairy. The 
> latter is really easy to implement, but if someone just needs 4 bytes we end 
> up storing a pointer to a pointer with no good reason.


The case of just needing a pointer is just an optimization for a
special-case in my opinion (avoid lookup of globally shared state),
per-instance state is probably more common. So I'd suggest to go
with the second possibility.

Re: [PATCH] priv_data (formerly entry_data)

[Massimiliano Hofer]

[-- Attachment #1: Type: text/plain, Size: 394 bytes --]

On Tuesday 20 June 2006 3:17 pm, Patrick McHardy wrote:

> The case of just needing a pointer is just an optimization for a
> special-case in my opinion (avoid lookup of globally shared state),
> per-instance state is probably more common. So I'd suggest to go
> with the second possibility.

Is this better?
I'll send an example of its use in a few minutes.

-- 
Saluti,
   Massimiliano Hofer

[-- Attachment #2: 2.6.17.1-priv_data_core.patch --]
[-- Type: text/x-diff, Size: 5290 bytes --]

diff -Nru linux-2.6.17.1/include/linux/netfilter/x_tables.h linux-2.6.17.1-priv_data_core/include/linux/netfilter/x_tables.h
--- linux-2.6.17.1/include/linux/netfilter/x_tables.h	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_core/include/linux/netfilter/x_tables.h	2006-06-21 00:49:03.000000000 +0200
@@ -20,6 +20,7 @@
 
 			/* Used inside the kernel */
 			struct xt_match *match;
+			void *priv_data;
 		} kernel;
 
 		/* Total length */
@@ -166,7 +167,8 @@
 		     const void *matchinfo,
 		     int offset,
 		     unsigned int protoff,
-		     int *hotdrop);
+		     int *hotdrop,
+		     void *priv_data);
 
 	/* Called when user tries to insert an entry of this type. */
 	/* Should return true or false. */
@@ -175,11 +177,12 @@
 			  const struct xt_match *match,
 			  void *matchinfo,
 			  unsigned int matchinfosize,
-			  unsigned int hook_mask);
+			  unsigned int hook_mask,
+			  void *priv_data);
 
 	/* Called when entry of this type deleted. */
 	void (*destroy)(const struct xt_match *match, void *matchinfo,
-			unsigned int matchinfosize);
+			unsigned int matchinfosize, void *priv_data);
 
 	/* Called when userspace align differs from kernel space one */
 	int (*compat)(void *match, void **dstptr, int *size, int convert);
@@ -189,6 +192,7 @@
 
 	char *table;
 	unsigned int matchsize;
+	size_t priv_size;
 	unsigned int hooks;
 	unsigned short proto;
 
diff -Nru linux-2.6.17.1/net/ipv4/netfilter/ip_tables.c linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ip_tables.c
--- linux-2.6.17.1/net/ipv4/netfilter/ip_tables.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ip_tables.c	2006-06-21 00:49:12.000000000 +0200
@@ -200,7 +200,8 @@
 {
 	/* Stop iteration if it doesn't match */
 	if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
-				      offset, skb->nh.iph->ihl*4, hotdrop))
+				      offset, skb->nh.iph->ihl*4, hotdrop,
+				      m->u.kernel.priv_data))
 		return 1;
 	else
 		return 0;
@@ -468,7 +469,9 @@
 
 	if (m->u.kernel.match->destroy)
 		m->u.kernel.match->destroy(m->u.kernel.match, m->data,
-					   m->u.match_size - sizeof(*m));
+					   m->u.match_size - sizeof(*m),
+					   m->u.kernel.priv_data);
+	kfree(m->u.kernel.priv_data);
 	module_put(m->u.kernel.match->me);
 	return 0;
 }
@@ -519,10 +522,20 @@
 	if (ret)
 		goto err;
 
+	if (match->priv_size) {
+		m->u.kernel.priv_data = kzalloc(match->priv_size,
+					      GFP_KERNEL);
+		if (!m->u.kernel.priv_data) {
+			ret = -ENOMEM;
+			goto err;
+		}
+	}
+
 	if (m->u.kernel.match->checkentry
 	    && !m->u.kernel.match->checkentry(name, ip, match, m->data,
 					      m->u.match_size - sizeof(*m),
-					      hookmask)) {
+					      hookmask,
+					      m->u.kernel.priv_data)) {
 		duprintf("ip_tables: check failed for `%s'.\n",
 			 m->u.kernel.match->name);
 		ret = -EINVAL;
@@ -2152,7 +2165,8 @@
 	   const void *matchinfo,
 	   int offset,
 	   unsigned int protoff,
-	   int *hotdrop)
+	   int *hotdrop,
+	   void *priv_data)
 {
 	struct icmphdr _icmph, *ic;
 	const struct ipt_icmp *icmpinfo = matchinfo;
@@ -2185,7 +2199,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct ipt_icmp *icmpinfo = matchinfo;
 
diff -Nru linux-2.6.17.1/net/ipv6/netfilter/ip6_tables.c linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6_tables.c
--- linux-2.6.17.1/net/ipv6/netfilter/ip6_tables.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6_tables.c	2006-06-21 00:49:25.000000000 +0200
@@ -240,7 +240,8 @@
 {
 	/* Stop iteration if it doesn't match */
 	if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
-				      offset, protoff, hotdrop))
+				      offset, protoff, hotdrop,
+				      m->u.kernel.priv_data))
 		return 1;
 	else
 		return 0;
@@ -508,7 +509,9 @@
 
 	if (m->u.kernel.match->destroy)
 		m->u.kernel.match->destroy(m->u.kernel.match, m->data,
-					   m->u.match_size - sizeof(*m));
+					   m->u.match_size - sizeof(*m),
+					   m->u.kernel.priv_data);
+	kfree(m->u.kernel.priv_data);
 	module_put(m->u.kernel.match->me);
 	return 0;
 }
@@ -559,10 +562,20 @@
 	if (ret)
 		goto err;
 
+	if (match->priv_size) {
+		m->u.kernel.priv_data = kzalloc(match->priv_size,
+					      GFP_KERNEL);
+		if (!m->u.kernel.priv_data) {
+			ret = -ENOMEM;
+			goto err;
+		}
+	}
+	
 	if (m->u.kernel.match->checkentry
 	    && !m->u.kernel.match->checkentry(name, ipv6, match,  m->data,
 					      m->u.match_size - sizeof(*m),
-					      hookmask)) {
+					      hookmask,
+					      m->u.kernel.priv_data)) {
 		duprintf("ip_tables: check failed for `%s'.\n",
 			 m->u.kernel.match->name);
 		ret = -EINVAL;
@@ -1320,7 +1333,8 @@
 	   const void *matchinfo,
 	   int offset,
 	   unsigned int protoff,
-	   int *hotdrop)
+	   int *hotdrop,
+	   void *priv_data)
 {
 	struct icmp6hdr _icmp, *ic;
 	const struct ip6t_icmp *icmpinfo = matchinfo;
@@ -1352,7 +1366,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct ip6t_icmp *icmpinfo = matchinfo;
 

[-- Attachment #3: 2.6.17.1-priv_data_matches.patch --]
[-- Type: text/x-diff, Size: 35699 bytes --]

diff -Nru linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_addrtype.c linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_addrtype.c
--- linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_addrtype.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_addrtype.c	2006-06-21 01:09:57.000000000 +0200
@@ -30,7 +30,8 @@
 static int match(const struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
 		 const struct xt_match *match, const void *matchinfo,
-		 int offset, unsigned int protoff, int *hotdrop)
+		 int offset, unsigned int protoff, int *hotdrop,
+		 void *priv_data)
 {
 	const struct ipt_addrtype_info *info = matchinfo;
 	const struct iphdr *iph = skb->nh.iph;
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_ah.c linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_ah.c
--- linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_ah.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_ah.c	2006-06-21 01:09:57.000000000 +0200
@@ -43,7 +43,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	struct ip_auth_hdr _ahdr, *ah;
 	const struct ipt_ah *ahinfo = matchinfo;
@@ -75,7 +76,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct ipt_ah *ahinfo = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_dscp.c linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_dscp.c
--- linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_dscp.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_dscp.c	2006-06-21 01:09:57.000000000 +0200
@@ -22,7 +22,8 @@
 static int match(const struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
 		 const struct xt_match *match, const void *matchinfo,
-		 int offset, unsigned int protoff, int *hotdrop)
+		 int offset, unsigned int protoff, int *hotdrop,
+		 void *priv_data)
 {
 	const struct ipt_dscp_info *info = matchinfo;
 	const struct iphdr *iph = skb->nh.iph;
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_ecn.c linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_ecn.c
--- linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_ecn.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_ecn.c	2006-06-21 01:09:57.000000000 +0200
@@ -68,7 +68,8 @@
 static int match(const struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
 		 const struct xt_match *match, const void *matchinfo,
-		 int offset, unsigned int protoff, int *hotdrop)
+		 int offset, unsigned int protoff, int *hotdrop,
+		 void *priv_data)
 {
 	const struct ipt_ecn_info *info = matchinfo;
 
@@ -89,7 +90,7 @@
 static int checkentry(const char *tablename, const void *ip_void,
 		      const struct xt_match *match,
 		      void *matchinfo, unsigned int matchsize,
-		      unsigned int hook_mask)
+		      unsigned int hook_mask, void *priv_data)
 {
 	const struct ipt_ecn_info *info = matchinfo;
 	const struct ipt_ip *ip = ip_void;
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_hashlimit.c linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_hashlimit.c
--- linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_hashlimit.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_hashlimit.c	2006-06-21 01:09:57.000000000 +0200
@@ -432,7 +432,8 @@
 		const void *matchinfo,
 		int offset,
 		unsigned int protoff,
-		int *hotdrop)
+		int *hotdrop,
+		void *priv_data)
 {
 	struct ipt_hashlimit_info *r = 
 		((struct ipt_hashlimit_info *)matchinfo)->u.master;
@@ -511,7 +512,8 @@
 		     const struct xt_match *match,
 		     void *matchinfo,
 		     unsigned int matchsize,
-		     unsigned int hook_mask)
+		     unsigned int hook_mask,
+		     void *priv_data)
 {
 	struct ipt_hashlimit_info *r = matchinfo;
 
@@ -559,7 +561,7 @@
 
 static void
 hashlimit_destroy(const struct xt_match *match, void *matchinfo,
-		  unsigned int matchsize)
+		  unsigned int matchsize, void *priv_data)
 {
 	struct ipt_hashlimit_info *r = (struct ipt_hashlimit_info *) matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_iprange.c linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_iprange.c
--- linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_iprange.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_iprange.c	2006-06-21 01:09:57.000000000 +0200
@@ -29,7 +29,7 @@
       const struct net_device *out,
       const struct xt_match *match,
       const void *matchinfo,
-      int offset, unsigned int protoff, int *hotdrop)
+      int offset, unsigned int protoff, int *hotdrop, void *priv_data)
 {
 	const struct ipt_iprange_info *info = matchinfo;
 	const struct iphdr *iph = skb->nh.iph;
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_owner.c linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_owner.c
--- linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_owner.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_owner.c	2006-06-21 01:09:57.000000000 +0200
@@ -29,7 +29,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct ipt_owner_info *info = matchinfo;
 
@@ -57,7 +58,8 @@
 	   const struct xt_match *match,
            void *matchinfo,
            unsigned int matchsize,
-           unsigned int hook_mask)
+           unsigned int hook_mask,
+           void *priv_data)
 {
 	const struct ipt_owner_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_recent.c linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_recent.c
--- linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_recent.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_recent.c	2006-06-21 01:09:57.000000000 +0200
@@ -106,7 +106,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop);
+      int *hotdrop,
+      void *priv_data);
 
 /* Function to hash a given address into the hash table of table_size size */
 static int hash_func(unsigned int addr, int table_size)
@@ -319,7 +320,7 @@
 	skb->nh.iph->daddr = 0;
 	/* Clear ttl since we have no way of knowing it */
 	skb->nh.iph->ttl = 0;
-	match(skb,NULL,NULL,NULL,info,0,0,NULL);
+	match(skb,NULL,NULL,NULL,info,0,0,NULL,NULL);
 
 	kfree(skb->nh.iph);
 out_free_skb:
@@ -361,7 +362,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	int pkt_count, hits_found, ans;
 	unsigned long now;
@@ -662,7 +664,8 @@
 	   const struct xt_match *match,
            void *matchinfo,
            unsigned int matchsize,
-           unsigned int hook_mask)
+           unsigned int hook_mask,
+           void *priv_data)
 {
 	int flag = 0, c;
 	unsigned long *hold;
@@ -872,7 +875,8 @@
  * up its memory.
  */
 static void
-destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *priv_data)
 {
 	const struct ipt_recent_info *info = matchinfo;
 	struct recent_ip_tables *curr_table, *last_table;
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_tos.c linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_tos.c
--- linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_tos.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_tos.c	2006-06-21 01:09:57.000000000 +0200
@@ -25,7 +25,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct ipt_tos_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_ttl.c linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_ttl.c
--- linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ipt_ttl.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv4/netfilter/ipt_ttl.c	2006-06-21 01:09:57.000000000 +0200
@@ -22,7 +22,8 @@
 static int match(const struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
 		 const struct xt_match *match, const void *matchinfo,
-		 int offset, unsigned int protoff, int *hotdrop)
+		 int offset, unsigned int protoff, int *hotdrop,
+		 void *priv_data)
 {
 	const struct ipt_ttl_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_ah.c linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_ah.c
--- linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_ah.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_ah.c	2006-06-21 01:09:57.000000000 +0200
@@ -48,7 +48,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	struct ip_auth_hdr *ah, _ah;
 	const struct ip6t_ah *ahinfo = matchinfo;
@@ -103,7 +104,8 @@
 	  const struct xt_match *match,
           void *matchinfo,
           unsigned int matchinfosize,
-          unsigned int hook_mask)
+          unsigned int hook_mask,
+          void *priv_data)
 {
 	const struct ip6t_ah *ahinfo = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_dst.c linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_dst.c
--- linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_dst.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_dst.c	2006-06-21 01:09:57.000000000 +0200
@@ -59,7 +59,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	struct ipv6_opt_hdr _optsh, *oh;
 	const struct ip6t_opts *optinfo = matchinfo;
@@ -183,7 +184,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct ip6t_opts *optsinfo = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_eui64.c linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_eui64.c
--- linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_eui64.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_eui64.c	2006-06-21 01:09:57.000000000 +0200
@@ -26,7 +26,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	unsigned char eui64[8];
 	int i = 0;
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_frag.c linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_frag.c
--- linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_frag.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_frag.c	2006-06-21 01:09:57.000000000 +0200
@@ -47,7 +47,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	struct frag_hdr _frag, *fh;
 	const struct ip6t_frag *fraginfo = matchinfo;
@@ -120,7 +121,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct ip6t_frag *fraginfo = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_hbh.c linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_hbh.c
--- linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_hbh.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_hbh.c	2006-06-21 01:09:57.000000000 +0200
@@ -59,7 +59,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	struct ipv6_opt_hdr _optsh, *oh;
 	const struct ip6t_opts *optinfo = matchinfo;
@@ -183,7 +184,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct ip6t_opts *optsinfo = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_hl.c linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_hl.c
--- linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_hl.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_hl.c	2006-06-21 01:09:57.000000000 +0200
@@ -21,7 +21,8 @@
 static int match(const struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
 		 const struct xt_match *match, const void *matchinfo,
-		 int offset, unsigned int protoff, int *hotdrop)
+		 int offset, unsigned int protoff, int *hotdrop,
+		 void *priv_data)
 {
 	const struct ip6t_hl_info *info = matchinfo;
 	const struct ipv6hdr *ip6h = skb->nh.ipv6h;
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_ipv6header.c linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_ipv6header.c
--- linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_ipv6header.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_ipv6header.c	2006-06-21 01:09:57.000000000 +0200
@@ -33,7 +33,8 @@
 		 const void *matchinfo,
 		 int offset,
 		 unsigned int protoff,
-		 int *hotdrop)
+		 int *hotdrop,
+		 void *priv_data)
 {
 	const struct ip6t_ipv6header_info *info = matchinfo;
 	unsigned int temp;
@@ -129,7 +130,8 @@
 		      const struct xt_match *match,
 		      void *matchinfo,
 		      unsigned int matchsize,
-		      unsigned int hook_mask)
+		      unsigned int hook_mask,
+		      void *priv_data)
 {
 	const struct ip6t_ipv6header_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_owner.c linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_owner.c
--- linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_owner.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_owner.c	2006-06-21 01:09:57.000000000 +0200
@@ -30,7 +30,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct ip6t_owner_info *info = matchinfo;
 
@@ -58,7 +59,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct ip6t_owner_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_rt.c linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_rt.c
--- linux-2.6.17.1-priv_data_core/net/ipv6/netfilter/ip6t_rt.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/ipv6/netfilter/ip6t_rt.c	2006-06-21 01:09:57.000000000 +0200
@@ -49,7 +49,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	struct ipv6_rt_hdr _route, *rh;
 	const struct ip6t_rt *rtinfo = matchinfo;
@@ -198,7 +199,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct ip6t_rt *rtinfo = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_comment.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_comment.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_comment.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_comment.c	2006-06-21 01:09:57.000000000 +0200
@@ -23,7 +23,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protooff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	/* We always match */
 	return 1;
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_connbytes.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_connbytes.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_connbytes.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_connbytes.c	2006-06-21 01:09:57.000000000 +0200
@@ -48,7 +48,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_connbytes_info *sinfo = matchinfo;
 	u_int64_t what = 0;	/* initialize to make gcc happy */
@@ -126,7 +127,8 @@
 		 const struct xt_match *match,
 		 void *matchinfo,
 		 unsigned int matchsize,
-		 unsigned int hook_mask)
+		 unsigned int hook_mask,
+		 void *priv_data)
 {
 	const struct xt_connbytes_info *sinfo = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_connmark.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_connmark.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_connmark.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_connmark.c	2006-06-21 01:09:57.000000000 +0200
@@ -39,7 +39,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_connmark_info *info = matchinfo;
 	u_int32_t ctinfo;
@@ -56,7 +57,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	struct xt_connmark_info *cm = (struct xt_connmark_info *)matchinfo;
 
@@ -75,7 +77,8 @@
 }
 
 static void
-destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *priv_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	nf_ct_l3proto_module_put(match->family);
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_conntrack.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_conntrack.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_conntrack.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_conntrack.c	2006-06-21 01:09:57.000000000 +0200
@@ -36,7 +36,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_conntrack_info *sinfo = matchinfo;
 	struct ip_conntrack *ct;
@@ -123,7 +124,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_conntrack_info *sinfo = matchinfo;
 	struct nf_conn *ct;
@@ -209,7 +211,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
@@ -222,7 +225,8 @@
 }
 
 static void
-destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *priv_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	nf_ct_l3proto_module_put(match->family);
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_dccp.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_dccp.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_dccp.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_dccp.c	2006-06-21 01:09:57.000000000 +0200
@@ -99,7 +99,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_dccp_info *info = 
 				(const struct xt_dccp_info *)matchinfo;
@@ -133,7 +134,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct xt_dccp_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_esp.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_esp.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_esp.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_esp.c	2006-06-21 01:09:57.000000000 +0200
@@ -50,7 +50,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	struct ip_esp_hdr _esp, *eh;
 	const struct xt_esp *espinfo = matchinfo;
@@ -80,7 +81,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchinfosize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct xt_esp *espinfo = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_helper.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_helper.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_helper.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_helper.c	2006-06-21 01:09:57.000000000 +0200
@@ -46,7 +46,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_helper_info *info = matchinfo;
 	struct ip_conntrack *ct;
@@ -94,7 +95,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_helper_info *info = matchinfo;
 	struct nf_conn *ct;
@@ -140,7 +142,8 @@
 		 const struct xt_match *match,
 		 void *matchinfo,
 		 unsigned int matchsize,
-		 unsigned int hook_mask)
+		 unsigned int hook_mask,
+		 void *priv_data)
 {
 	struct xt_helper_info *info = matchinfo;
 
@@ -156,7 +159,8 @@
 }
 
 static void
-destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *priv_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	nf_ct_l3proto_module_put(match->family);
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_length.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_length.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_length.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_length.c	2006-06-21 01:09:57.000000000 +0200
@@ -28,7 +28,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_length_info *info = matchinfo;
 	u_int16_t pktlen = ntohs(skb->nh.iph->tot_len);
@@ -44,7 +45,8 @@
        const void *matchinfo,
        int offset,
        unsigned int protoff,
-       int *hotdrop)
+       int *hotdrop,
+       void *priv_data)
 {
 	const struct xt_length_info *info = matchinfo;
 	u_int16_t pktlen = ntohs(skb->nh.ipv6h->payload_len) + sizeof(struct ipv6hdr);
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_limit.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_limit.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_limit.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_limit.c	2006-06-21 01:09:57.000000000 +0200
@@ -72,7 +72,8 @@
 		const void *matchinfo,
 		int offset,
 		unsigned int protoff,
-		int *hotdrop)
+		int *hotdrop,
+		void *priv_data)
 {
 	struct xt_rateinfo *r = ((struct xt_rateinfo *)matchinfo)->master;
 	unsigned long now = jiffies;
@@ -111,7 +112,8 @@
 		     const struct xt_match *match,
 		     void *matchinfo,
 		     unsigned int matchsize,
-		     unsigned int hook_mask)
+		     unsigned int hook_mask,
+		     void *priv_data)
 {
 	struct xt_rateinfo *r = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_mac.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_mac.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_mac.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_mac.c	2006-06-21 01:09:57.000000000 +0200
@@ -31,7 +31,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
     const struct xt_mac_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_mark.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_mark.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_mark.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_mark.c	2006-06-21 01:09:57.000000000 +0200
@@ -27,7 +27,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_mark_info *info = matchinfo;
 
@@ -40,7 +41,8 @@
 	   const struct xt_match *match,
            void *matchinfo,
            unsigned int matchsize,
-           unsigned int hook_mask)
+           unsigned int hook_mask,
+           void *priv_data)
 {
 	struct xt_mark_info *minfo = (struct xt_mark_info *) matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_multiport.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_multiport.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_multiport.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_multiport.c	2006-06-21 01:09:57.000000000 +0200
@@ -102,7 +102,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	u16 _ports[2], *pptr;
 	const struct xt_multiport *multiinfo = matchinfo;
@@ -133,7 +134,8 @@
 	 const void *matchinfo,
 	 int offset,
 	 unsigned int protoff,
-	 int *hotdrop)
+	 int *hotdrop,
+	 void *priv_data)
 {
 	u16 _ports[2], *pptr;
 	const struct xt_multiport_v1 *multiinfo = matchinfo;
@@ -176,7 +178,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct ipt_ip *ip = info;
 	const struct xt_multiport *multiinfo = matchinfo;
@@ -191,7 +194,8 @@
 	      const struct xt_match *match,
 	      void *matchinfo,
 	      unsigned int matchsize,
-	      unsigned int hook_mask)
+	      unsigned int hook_mask,
+	      void *priv_data)
 {
 	const struct ipt_ip *ip = info;
 	const struct xt_multiport_v1 *multiinfo = matchinfo;
@@ -206,7 +210,8 @@
 	    const struct xt_match *match,
 	    void *matchinfo,
 	    unsigned int matchsize,
-	    unsigned int hook_mask)
+	    unsigned int hook_mask,
+	    void *priv_data)
 {
 	const struct ip6t_ip6 *ip = info;
 	const struct xt_multiport *multiinfo = matchinfo;
@@ -221,7 +226,8 @@
 	       const struct xt_match *match,
 	       void *matchinfo,
 	       unsigned int matchsize,
-	       unsigned int hook_mask)
+	       unsigned int hook_mask,
+	       void *priv_data)
 {
 	const struct ip6t_ip6 *ip = info;
 	const struct xt_multiport_v1 *multiinfo = matchinfo;
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_physdev.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_physdev.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_physdev.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_physdev.c	2006-06-21 01:09:57.000000000 +0200
@@ -30,7 +30,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	int i;
 	static const char nulldevname[IFNAMSIZ];
@@ -106,7 +107,8 @@
 		       const struct xt_match *match,
 		       void *matchinfo,
 		       unsigned int matchsize,
-		       unsigned int hook_mask)
+		       unsigned int hook_mask,
+		       void *priv_data)
 {
 	const struct xt_physdev_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_pkttype.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_pkttype.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_pkttype.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_pkttype.c	2006-06-21 01:09:57.000000000 +0200
@@ -26,7 +26,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_pkttype_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_policy.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_policy.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_policy.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_policy.c	2006-06-21 01:09:57.000000000 +0200
@@ -116,7 +116,8 @@
                  const void *matchinfo,
                  int offset,
                  unsigned int protoff,
-                 int *hotdrop)
+                 int *hotdrop,
+                 void *priv_data)
 {
 	const struct xt_policy_info *info = matchinfo;
 	int ret;
@@ -137,7 +138,7 @@
 static int checkentry(const char *tablename, const void *ip_void,
                       const struct xt_match *match,
                       void *matchinfo, unsigned int matchsize,
-                      unsigned int hook_mask)
+                      unsigned int hook_mask, void *priv_data)
 {
 	struct xt_policy_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_realm.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_realm.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_realm.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_realm.c	2006-06-21 01:09:57.000000000 +0200
@@ -31,7 +31,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_realm_info *info = matchinfo;
 	struct dst_entry *dst = skb->dst;
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_sctp.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_sctp.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_sctp.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_sctp.c	2006-06-21 01:09:57.000000000 +0200
@@ -127,7 +127,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_sctp_info *info;
 	sctp_sctphdr_t _sh, *sh;
@@ -166,7 +167,8 @@
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask,
+	   void *priv_data)
 {
 	const struct xt_sctp_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_state.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_state.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_state.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_state.c	2006-06-21 01:09:57.000000000 +0200
@@ -28,7 +28,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_state_info *sinfo = matchinfo;
 	enum ip_conntrack_info ctinfo;
@@ -49,7 +50,8 @@
 		 const struct xt_match *match,
 		 void *matchinfo,
 		 unsigned int matchsize,
-		 unsigned int hook_mask)
+		 unsigned int hook_mask,
+		 void *priv_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
@@ -62,7 +64,8 @@
 }
 
 static void
-destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *priv_data)
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	nf_ct_l3proto_module_put(match->family);
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_string.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_string.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_string.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_string.c	2006-06-21 01:09:57.000000000 +0200
@@ -28,7 +28,8 @@
 		 const void *matchinfo,
 		 int offset,
 		 unsigned int protoff,
-		 int *hotdrop)
+		 int *hotdrop,
+		 void *priv_data)
 {
 	struct ts_state state;
 	struct xt_string_info *conf = (struct xt_string_info *) matchinfo;
@@ -47,7 +48,8 @@
 		      const struct xt_match *match,
 		      void *matchinfo,
 		      unsigned int matchsize,
-		      unsigned int hook_mask)
+		      unsigned int hook_mask,
+		      void *priv_data)
 {
 	struct xt_string_info *conf = matchinfo;
 	struct ts_config *ts_conf;
@@ -67,7 +69,7 @@
 }
 
 static void destroy(const struct xt_match *match, void *matchinfo,
-		    unsigned int matchsize)
+		    unsigned int matchsize, void *priv_data)
 {
 	textsearch_destroy(STRING_TEXT_PRIV(matchinfo)->config);
 }
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_tcpmss.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_tcpmss.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_tcpmss.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_tcpmss.c	2006-06-21 01:09:57.000000000 +0200
@@ -85,7 +85,8 @@
       const void *matchinfo,
       int offset,
       unsigned int protoff,
-      int *hotdrop)
+      int *hotdrop,
+      void *priv_data)
 {
 	const struct xt_tcpmss_match_info *info = matchinfo;
 
diff -Nru linux-2.6.17.1-priv_data_core/net/netfilter/xt_tcpudp.c linux-2.6.17.1-priv_data_matches/net/netfilter/xt_tcpudp.c
--- linux-2.6.17.1-priv_data_core/net/netfilter/xt_tcpudp.c	2006-06-20 11:31:55.000000000 +0200
+++ linux-2.6.17.1-priv_data_matches/net/netfilter/xt_tcpudp.c	2006-06-21 01:09:57.000000000 +0200
@@ -78,7 +78,8 @@
 	  const void *matchinfo,
 	  int offset,
 	  unsigned int protoff,
-	  int *hotdrop)
+	  int *hotdrop,
+	  void *priv_data)
 {
 	struct tcphdr _tcph, *th;
 	const struct xt_tcp *tcpinfo = matchinfo;
@@ -142,7 +143,8 @@
 	       const struct xt_match *match,
 	       void *matchinfo,
 	       unsigned int matchsize,
-	       unsigned int hook_mask)
+	       unsigned int hook_mask,
+	       void *priv_data)
 {
 	const struct xt_tcp *tcpinfo = matchinfo;
 
@@ -158,7 +160,8 @@
 	  const void *matchinfo,
 	  int offset,
 	  unsigned int protoff,
-	  int *hotdrop)
+	  int *hotdrop,
+	  void *priv_data)
 {
 	struct udphdr _udph, *uh;
 	const struct xt_udp *udpinfo = matchinfo;
@@ -191,7 +194,8 @@
 	       const struct xt_match *match,
 	       void *matchinfo,
 	       unsigned int matchsize,
-	       unsigned int hook_mask)
+	       unsigned int hook_mask,
+	       void *priv_data)
 {
 	const struct xt_tcp *udpinfo = matchinfo;
 

Re: [PATCH] priv_data (formerly entry_data)

[Patrick McHardy]

Massimiliano Hofer wrote:
> On Tuesday 20 June 2006 3:17 pm, Patrick McHardy wrote:
> 
> 
>>The case of just needing a pointer is just an optimization for a
>>special-case in my opinion (avoid lookup of globally shared state),
>>per-instance state is probably more common. So I'd suggest to go
>>with the second possibility.
> 
> 
> Is this better?
> I'll send an example of its use in a few minutes.

Very nice, thanks.

> diff -Nru linux-2.6.17.1/net/ipv4/netfilter/ip_tables.c linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ip_tables.c
> --- linux-2.6.17.1/net/ipv4/netfilter/ip_tables.c	2006-06-20 11:31:55.000000000 +0200
> +++ linux-2.6.17.1-priv_data_core/net/ipv4/netfilter/ip_tables.c	2006-06-21 00:49:12.000000000 +0200
> @@ -519,10 +522,20 @@
>  	if (ret)
>  		goto err;
>  
> +	if (match->priv_size) {
> +		m->u.kernel.priv_data = kzalloc(match->priv_size,
> +					      GFP_KERNEL);
> +		if (!m->u.kernel.priv_data) {
> +			ret = -ENOMEM;
> +			goto err;
> +		}
> +	}
> +

I think this should be done somewhere in x_tables. I think I would
rename xt_check_match to xt_init_match, put the allocation there
and finally rename ->checkentry to ->init .. the name doesn't really
fit anymore since people started doing real initialization in there,
and changing prototypes is a good opportunity for fixing that.

Re: [PATCH] priv_data (formerly entry_data)

[Massimiliano Hofer]

On Wednesday 21 June 2006 2:30 am, Patrick McHardy wrote:

> I think this should be done somewhere in x_tables. I think I would
> rename xt_check_match to xt_init_match, put the allocation there
> and finally rename ->checkentry to ->init .. the name doesn't really
> fit anymore since people started doing real initialization in there,
> and changing prototypes is a good opportunity for fixing that.

I was wandering why it was duplicated between IPv4 and IPv6.
Are these changes planned for 2.6.18?

-- 
Saluti,
   Massimiliano Hofer

Re: [PATCH] priv_data (formerly entry_data)

[Patrick McHardy]

Massimiliano Hofer wrote:
> On Wednesday 21 June 2006 2:30 am, Patrick McHardy wrote:
> 
> 
>>I think this should be done somewhere in x_tables. I think I would
>>rename xt_check_match to xt_init_match, put the allocation there
>>and finally rename ->checkentry to ->init .. the name doesn't really
>>fit anymore since people started doing real initialization in there,
>>and changing prototypes is a good opportunity for fixing that.
> 
> 
> I was wandering why it was duplicated between IPv4 and IPv6.

Do you mean the check_match functions and the ->checkentry calls?
The only reason is because they use a different type for the "ip"
argument.

> Are these changes planned for 2.6.18?

I was hoping you could do it while you're changing this stuff ..
I'd like to avoid touching all >30 files twice for a related
change.

Re: [PATCH] priv_data (formerly entry_data)

[Massimiliano Hofer]

On Wednesday 21 June 2006 3:04 am, Patrick McHardy wrote:

> >>I think this should be done somewhere in x_tables. I think I would
> >>rename xt_check_match to xt_init_match, put the allocation there
> >>and finally rename ->checkentry to ->init .. the name doesn't really
> >>fit anymore since people started doing real initialization in there,
> >>and changing prototypes is a good opportunity for fixing that.
> >
> > I was wandering why it was duplicated between IPv4 and IPv6.
>
> Do you mean the check_match functions and the ->checkentry calls?
> The only reason is because they use a different type for the "ip"
> argument.

No, I noticed several functions in ip_tables.c and ip6_tables.c that 
differentiate only by having struct ipt_entry_match * instead of struct 
ip6t_entry_match *, while they're both defines to xt_entry_match (the same 
goes for xt_entry_target).
I've not checked it throu yet, but I think that most of them could be moved to 
x_tables.c.

> > Are these changes planned for 2.6.18?
>
> I was hoping you could do it while you're changing this stuff ..
> I'd like to avoid touching all >30 files twice for a related
> change.

OK, I didn't know if someone else was already at work.
I can't do it today, though. I hope I'll start working on it tomorrow.

-- 
Saluti,
   Massimiliano Hofer
        Nucleus

Re: [PATCH] priv_data (formerly entry_data)

[Massimiliano Hofer]

On Wednesday 21 June 2006 2:30 am, Patrick McHardy wrote:

> and finally rename ->checkentry to ->init .. the name doesn't really

What about struct xt_target?
It has the same general structure, but I've not touched it yet.
It would be coherent to change it too, but I'd break compatibility with 
external targets for no real gain.
Would any target benefit from having priv_data?

-- 
Saluti,
   Massimiliano Hofer
        Nucleus

Re: [PATCH] priv_data (formerly entry_data)

[Patrick McHardy]

Massimiliano Hofer wrote:

> What about struct xt_target?
> It has the same general structure, but I've not touched it yet.
> It would be coherent to change it too, but I'd break compatibility with 
> external targets for no real gain.
> Would any target benefit from having priv_data?

I think the CLUSTERIP target would. I think we should keep the
interfaces in sync, we've changed it twice during the last two
kernel versions, so I don't really see external stuff as a problem.

Re: [PATCH] priv_data (formerly entry_data)

[Massimiliano Hofer]

[-- Attachment #1: Type: text/plain, Size: 209 bytes --]

Hi,
this is an example of how condition works with priv_data.

This is a patch against the new version of condition for kernel version 2.6.17 
(available on the repository).

-- 
Saluti,
   Massimiliano Hofer

[-- Attachment #2: condition-priv_data.patch --]
[-- Type: text/x-diff, Size: 3948 bytes --]

diff -Nru linux-2.6.17/net/netfilter/xt_condition.c linux-2.6.17-priv_data/net/netfilter/xt_condition.c
--- linux-2.6.17/net/netfilter/xt_condition.c	2006-06-21 02:26:18.000000000 +0200
+++ linux-2.6.17-priv_data/net/netfilter/xt_condition.c	2006-06-21 02:25:02.000000000 +0200
@@ -116,31 +116,25 @@
 
 static int
 match(const struct sk_buff *skb, const struct net_device *in,
-      const struct net_device *out, const void *matchinfo, int offset,
-      unsigned int protoff, int *hotdrop)
+      const struct net_device *out, const struct xt_match *match,
+      const void *matchinfo, int offset,
+      unsigned int protoff, int *hotdrop, void *priv_data)
 {
 	const struct condition_info *info =
-	    (const struct condition_info *) matchinfo;
-	struct condition_variable *var;
-	int condition_status = 0;
+		(const struct condition_info *) matchinfo;
+	struct condition_variable *var=
+		*(struct condition_variable **)priv_data;
 
-	rcu_read_lock();
-	list_for_each_entry_rcu(var, &conditions_list, list) {
-		if (strcmp(info->name, var->status_proc->name) == 0) {
-			condition_status = var->enabled;
-			break;
-		}
-	}
-	rcu_read_unlock();
-
-	return condition_status ^ info->invert;
+	return var->enabled ^ info->invert;
 }
 
 
 
 static int
 checkentry(const char *tablename, const void *ip,
-	   void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
+	   const struct xt_match *match,
+	   void *matchinfo, unsigned int matchsize,
+	   unsigned int hook_mask, void *priv_data)
 {
 	static const char * const forbidden_names[]={ "", ".", ".." };
 	struct condition_info *info = (struct condition_info *) matchinfo;
@@ -172,6 +166,7 @@
 		var = list_entry(pos, struct condition_variable, list);
 		if (strcmp(info->name, var->status_proc->name) == 0) {
 			var->refcount++;
+			*(struct condition_variable **)priv_data=var;
 			up(&proc_lock);
 			return 1;
 		}
@@ -209,35 +204,34 @@
 
 	up(&proc_lock);
 
+	*(struct condition_variable **)priv_data=newvar;
+
 	return 1;
 }
 
 
 static void
-destroy(void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo,
+	unsigned int matchsize, void *priv_data)
 {
-	struct condition_info *info = (struct condition_info *) matchinfo;
-	struct list_head *pos;
-	struct condition_variable *var;
+	struct condition_variable *var=
+		*(struct condition_variable **)priv_data;
+
+	BUG_ON(priv_data==NULL);
+	BUG_ON(priv_var==NULL);
 
 	down(&proc_lock);
 
-	list_for_each(pos, &conditions_list) {
-		var = list_entry(pos, struct condition_variable, list);
-		if (strcmp(info->name, var->status_proc->name) == 0) {
-			if (--var->refcount == 0) {
-				list_del_rcu(pos);
-				remove_proc_entry(var->status_proc->name, proc_net_condition);
-				up(&proc_lock);
-				/* synchronize_rcu() would be goog enough, but synchronize_net() */
-				/* guarantees that no packet will go out with the old rule after */
-				/* succesful removal.                                            */
-				synchronize_net();
-				kfree(var);
-				return;
-			}
-			break;
-		}
+	if (--var->refcount == 0) {
+		list_del_rcu(&var->list);
+		remove_proc_entry(var->status_proc->name, proc_net_condition);
+		up(&proc_lock);
+		/* synchronize_rcu() would be goog enough, but synchronize_net() */
+		/* guarantees that no packet will go out with the old rule after */
+		/* succesful removal.                                            */
+		synchronize_net();
+		kfree(var);
+		return;
 	}
 
 	up(&proc_lock);
@@ -248,6 +242,7 @@
 	.name = "condition",
 	.family = AF_INET,
 	.matchsize = sizeof(struct condition_info),
+	.priv_size = sizeof(struct condition_variable *),
 	.match = &match,
 	.checkentry = &checkentry,
 	.destroy = &destroy,
@@ -258,6 +253,7 @@
 	.name = "condition",
 	.family = AF_INET6,
 	.matchsize = sizeof(struct condition_info),
+	.priv_size = sizeof(struct condition_variable *),
 	.match = &match,
 	.checkentry = &checkentry,
 	.destroy = &destroy,

Re: [PATCH] priv_data (formerly entry_data)

[Massimiliano Hofer]

[-- Attachment #1: Type: text/plain, Size: 291 bytes --]

On Wednesday 21 June 2006 2:33 am, Massimiliano Hofer wrote:

> This is a patch against the new version of condition for kernel version
> 2.6.17 (available on the repository).

Ops. I mixed 2 versions. Disregard my previous message. This is the real diff.

-- 
Saluti,
   Massimiliano Hofer

[-- Attachment #2: condition-priv_data.patch --]
[-- Type: text/x-diff, Size: 3874 bytes --]

diff -Nru linux-2.6.17/net/netfilter/xt_condition.c linux-2.6.17-priv_data/net/netfilter/xt_condition.c
--- linux-2.6.17/net/netfilter/xt_condition.c	2006-06-21 02:38:04.000000000 +0200
+++ linux-2.6.17-priv_data/net/netfilter/xt_condition.c	2006-06-21 02:25:02.000000000 +0200
@@ -118,23 +118,14 @@
 match(const struct sk_buff *skb, const struct net_device *in,
       const struct net_device *out, const struct xt_match *match,
       const void *matchinfo, int offset,
-      unsigned int protoff, int *hotdrop)
+      unsigned int protoff, int *hotdrop, void *priv_data)
 {
 	const struct condition_info *info =
-	    (const struct condition_info *) matchinfo;
-	struct condition_variable *var;
-	int condition_status = 0;
+		(const struct condition_info *) matchinfo;
+	struct condition_variable *var=
+		*(struct condition_variable **)priv_data;
 
-	rcu_read_lock();
-	list_for_each_entry_rcu(var, &conditions_list, list) {
-		if (strcmp(info->name, var->status_proc->name) == 0) {
-			condition_status = var->enabled;
-			break;
-		}
-	}
-	rcu_read_unlock();
-
-	return condition_status ^ info->invert;
+	return var->enabled ^ info->invert;
 }
 
 
@@ -143,7 +134,7 @@
 checkentry(const char *tablename, const void *ip,
 	   const struct xt_match *match,
 	   void *matchinfo, unsigned int matchsize,
-	   unsigned int hook_mask)
+	   unsigned int hook_mask, void *priv_data)
 {
 	static const char * const forbidden_names[]={ "", ".", ".." };
 	struct condition_info *info = (struct condition_info *) matchinfo;
@@ -175,6 +166,7 @@
 		var = list_entry(pos, struct condition_variable, list);
 		if (strcmp(info->name, var->status_proc->name) == 0) {
 			var->refcount++;
+			*(struct condition_variable **)priv_data=var;
 			up(&proc_lock);
 			return 1;
 		}
@@ -212,39 +204,34 @@
 
 	up(&proc_lock);
 
+	*(struct condition_variable **)priv_data=newvar;
+
 	return 1;
 }
 
 
 static void
 destroy(const struct xt_match *match, void *matchinfo,
-	unsigned int matchsize)
+	unsigned int matchsize, void *priv_data)
 {
-	struct condition_info *info = (struct condition_info *) matchinfo;
-	struct list_head *pos;
-	struct condition_variable *var;
+	struct condition_variable *var=
+		*(struct condition_variable **)priv_data;
 
-	if (matchsize != XT_ALIGN(sizeof(struct condition_info)))
-		return;
+	BUG_ON(priv_data==NULL);
+	BUG_ON(priv_var==NULL);
 
 	down(&proc_lock);
 
-	list_for_each(pos, &conditions_list) {
-		var = list_entry(pos, struct condition_variable, list);
-		if (strcmp(info->name, var->status_proc->name) == 0) {
-			if (--var->refcount == 0) {
-				list_del_rcu(pos);
-				remove_proc_entry(var->status_proc->name, proc_net_condition);
-				up(&proc_lock);
-				/* synchronize_rcu() would be goog enough, but synchronize_net() */
-				/* guarantees that no packet will go out with the old rule after */
-				/* succesful removal.                                            */
-				synchronize_net();
-				kfree(var);
-				return;
-			}
-			break;
-		}
+	if (--var->refcount == 0) {
+		list_del_rcu(&var->list);
+		remove_proc_entry(var->status_proc->name, proc_net_condition);
+		up(&proc_lock);
+		/* synchronize_rcu() would be goog enough, but synchronize_net() */
+		/* guarantees that no packet will go out with the old rule after */
+		/* succesful removal.                                            */
+		synchronize_net();
+		kfree(var);
+		return;
 	}
 
 	up(&proc_lock);
@@ -255,6 +242,7 @@
 	.name = "condition",
 	.family = AF_INET,
 	.matchsize = sizeof(struct condition_info),
+	.priv_size = sizeof(struct condition_variable *),
 	.match = &match,
 	.checkentry = &checkentry,
 	.destroy = &destroy,
@@ -265,6 +253,7 @@
 	.name = "condition",
 	.family = AF_INET6,
 	.matchsize = sizeof(struct condition_info),
+	.priv_size = sizeof(struct condition_variable *),
 	.match = &match,
 	.checkentry = &checkentry,
 	.destroy = &destroy,