From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 37/53] netfilter: bridge: add and use br_nf_hook_thresh
Date: Mon, 26 Sep 2016 01:06:47 +0200 [thread overview]
Message-ID: <1474844823-2026-38-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1474844823-2026-1-git-send-email-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
This replaces the last uses of NF_HOOK_THRESH().
Followup patch will remove it and rename nf_hook_thresh.
The reason is that inet (non-bridge) netfilter no longer invokes the
hooks from hooks, so we do no longer need the thresh value to skip hooks
with a lower priority.
The bridge netfilter however may need to do this. br_nf_hook_thresh is a
wrapper that is supposed to do this, i.e. only call hooks with a
priority that exceeds NF_BR_PRI_BRNF.
It's used only in the recursion cases of br_netfilter. It invokes
nf_hook_slow while holding an rcu read-side critical section to make a
future cleanup simpler.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Aaron Conole <aconole@bytheb.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/br_netfilter.h | 6 ++++
net/bridge/br_netfilter_hooks.c | 60 ++++++++++++++++++++++++++++++------
net/bridge/br_netfilter_ipv6.c | 12 +++-----
3 files changed, 62 insertions(+), 16 deletions(-)
diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h
index e8d1448425a7..0b0c35c37125 100644
--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -15,6 +15,12 @@ static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
void nf_bridge_update_protocol(struct sk_buff *skb);
+int br_nf_hook_thresh(unsigned int hook, struct net *net, struct sock *sk,
+ struct sk_buff *skb, struct net_device *indev,
+ struct net_device *outdev,
+ int (*okfn)(struct net *, struct sock *,
+ struct sk_buff *));
+
static inline struct nf_bridge_info *
nf_bridge_info_get(const struct sk_buff *skb)
{
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 77e7f69bf80d..6029af47377d 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -30,6 +30,7 @@
#include <linux/netfilter_ipv6.h>
#include <linux/netfilter_arp.h>
#include <linux/in_route.h>
+#include <linux/rculist.h>
#include <linux/inetdevice.h>
#include <net/ip.h>
@@ -395,11 +396,10 @@ bridged_dnat:
skb->dev = nf_bridge->physindev;
nf_bridge_update_protocol(skb);
nf_bridge_push_encap_header(skb);
- NF_HOOK_THRESH(NFPROTO_BRIDGE,
- NF_BR_PRE_ROUTING,
- net, sk, skb, skb->dev, NULL,
- br_nf_pre_routing_finish_bridge,
- 1);
+ br_nf_hook_thresh(NF_BR_PRE_ROUTING,
+ net, sk, skb, skb->dev,
+ NULL,
+ br_nf_pre_routing_finish);
return 0;
}
ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
@@ -417,10 +417,8 @@ bridged_dnat:
skb->dev = nf_bridge->physindev;
nf_bridge_update_protocol(skb);
nf_bridge_push_encap_header(skb);
- NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, net, sk, skb,
- skb->dev, NULL,
- br_handle_frame_finish, 1);
-
+ br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb, skb->dev, NULL,
+ br_handle_frame_finish);
return 0;
}
@@ -992,6 +990,50 @@ static struct notifier_block brnf_notifier __read_mostly = {
.notifier_call = brnf_device_event,
};
+/* recursively invokes nf_hook_slow (again), skipping already-called
+ * hooks (< NF_BR_PRI_BRNF).
+ *
+ * Called with rcu read lock held.
+ */
+int br_nf_hook_thresh(unsigned int hook, struct net *net,
+ struct sock *sk, struct sk_buff *skb,
+ struct net_device *indev,
+ struct net_device *outdev,
+ int (*okfn)(struct net *, struct sock *,
+ struct sk_buff *))
+{
+ struct nf_hook_ops *elem;
+ struct nf_hook_state state;
+ struct list_head *head;
+ int ret;
+
+ head = &net->nf.hooks[NFPROTO_BRIDGE][hook];
+
+ list_for_each_entry_rcu(elem, head, list) {
+ struct nf_hook_ops *next;
+
+ next = list_entry_rcu(list_next_rcu(&elem->list),
+ struct nf_hook_ops, list);
+ if (next->priority <= NF_BR_PRI_BRNF)
+ continue;
+ }
+
+ if (&elem->list == head)
+ return okfn(net, sk, skb);
+
+ /* We may already have this, but read-locks nest anyway */
+ rcu_read_lock();
+ nf_hook_state_init(&state, head, hook, NF_BR_PRI_BRNF + 1,
+ NFPROTO_BRIDGE, indev, outdev, sk, net, okfn);
+
+ ret = nf_hook_slow(skb, &state);
+ rcu_read_unlock();
+ if (ret == 1)
+ ret = okfn(net, sk, skb);
+
+ return ret;
+}
+
#ifdef CONFIG_SYSCTL
static
int brnf_sysctl_call_tables(struct ctl_table *ctl, int write,
diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index 5e59a8457e7b..5989661c659f 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -187,10 +187,9 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc
skb->dev = nf_bridge->physindev;
nf_bridge_update_protocol(skb);
nf_bridge_push_encap_header(skb);
- NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING,
- net, sk, skb, skb->dev, NULL,
- br_nf_pre_routing_finish_bridge,
- 1);
+ br_nf_hook_thresh(NF_BR_PRE_ROUTING,
+ net, sk, skb, skb->dev, NULL,
+ br_nf_pre_routing_finish_bridge);
return 0;
}
ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
@@ -207,9 +206,8 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc
skb->dev = nf_bridge->physindev;
nf_bridge_update_protocol(skb);
nf_bridge_push_encap_header(skb);
- NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, net, sk, skb,
- skb->dev, NULL,
- br_handle_frame_finish, 1);
+ br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb,
+ skb->dev, NULL, br_handle_frame_finish);
return 0;
}
--
2.1.4
next prev parent reply other threads:[~2016-09-25 23:07 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-25 23:06 [PATCH 00/53] Netfilter updates for net-next Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 01/53] netfilter: gre: Use consistent GRE_* macros instead of ones defined by netfilter Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 02/53] netfilter: gre: Use consistent GRE and PTTP header structure instead of the " Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 03/53] netfilter: nf_ct_sip: correct parsing of continuation lines in SIP headers Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 04/53] netfilter: nf_ct_sip: correct allowed characters in Call-ID SIP header Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 05/53] netfilter: ftp: Remove the useless dlen==0 condition check in find_pattern Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 06/53] netfilter: ftp: Remove the useless code Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 07/53] netfilter: nft_numgen: rename until attribute by modulus Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 08/53] netfilter: nft_quota: fix overquota logic Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 09/53] netfilter: nft_quota: introduce nft_overquota() Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 10/53] netfilter: nf_ct_sip: allow tab character in SIP headers Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 11/53] netfilter: nft_queue: check the validation of queues_total and queuenum Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 12/53] netfilter: nf_conntrack: remove unused ctl_table_path member in nf_conntrack_l3proto Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 13/53] netfilter: nft_hash: Add hash offset value Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 14/53] netfilter: nft_dynset: allow to invert match criteria Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 15/53] netfilter: nf_tables: ensure proper initialization of nft_pktinfo fields Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 16/53] netfilter: nf_tables_ipv6: setup pktinfo transport field on failure to parse Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 17/53] netfilter: introduce nft_set_pktinfo_{ipv4, ipv6}_validate() Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 18/53] netfilter: nf_tables_bridge: use nft_set_pktinfo_ipv{4, 6}_validate Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 19/53] netfilter: nf_tables: don't drop IPv6 packets that cannot parse transport Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 20/53] netfilter: nf_conntrack: simplify __nf_ct_try_assign_helper() return logic Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 21/53] netfilter: Add the missed return value check of register_netdevice_notifier Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 22/53] netfilter: Add the missed return value check of nft_register_chain_type Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 23/53] netfilter: nf_queue: get rid of dependency on IP6_NF_IPTABLES Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 24/53] netfilter: conntrack: remove packet hotpath stats Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 25/53] netfilter: nft_numgen: fix race between num generate and store it Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 26/53] netfilter: nft_hash: fix hash overflow validation Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 27/53] netfilter: nft_numgen: add number generation offset Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 28/53] netfilter: nf_tables: validate maximum value of u32 netlink attributes Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 29/53] netfilter: nft_queue: add _SREG_QNUM attr to select the queue number Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 30/53] netfilter: nf_queue: improve queue range support for bridge family Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 31/53] netfilter: nf_tables: improve nft payload fast eval Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 32/53] netfilter: nf_tables: check tprot_set first when we use xt.thoff Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 33/53] netfilter: Enhance the codes used to get random once Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 34/53] netfilter: xt_helper: Use sizeof(variable) instead of literal number Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 35/53] netfilter: nft_lookup: remove superfluous element found check Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 36/53] netfilter: xt_TCPMSS: Refactor the codes to decrease one condition check and more readable Pablo Neira Ayuso
2016-09-25 23:06 ` Pablo Neira Ayuso [this message]
2016-09-25 23:06 ` [PATCH 38/53] netfilter: call nf_hook_state_init with rcu_read_lock held Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 39/53] netfilter: call nf_hook_ingress with rcu_read_lock Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 40/53] netfilter: Remove explicit rcu_read_lock in nf_hook_slow Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 41/53] netfilter: Only allow sane values in nf_register_net_hook Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 42/53] netfilter: nf_queue: whitespace cleanup Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 43/53] netfilter: replace list_head with single linked list Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 44/53] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 45/53] netfilter: nft_ct: unnecessary to require dir when use ct l3proto/protocol Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 46/53] netfilter: nft_ct: report error if mark and dir specified simultaneously Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 47/53] netfilter: xt_hashlimit: Prepare for revision 2 Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 48/53] netfilter: xt_hashlimit: Create revision 2 to support higher pps rates Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 49/53] netfilter: evict stale entries when user reads /proc/net/nf_conntrack Pablo Neira Ayuso
2016-09-25 23:07 ` [PATCH 50/53] netfilter: xt_socket: fix transparent match for IPv6 request sockets Pablo Neira Ayuso
2016-09-25 23:07 ` [PATCH 51/53] netfilter: nf_tables: add range expression Pablo Neira Ayuso
2016-09-25 23:07 ` [PATCH 52/53] netfilter: nft_log: complete NFTA_LOG_FLAGS attr support Pablo Neira Ayuso
2016-09-25 23:07 ` [PATCH 53/53] netfilter: nf_log: get rid of XT_LOG_* macros Pablo Neira Ayuso
2016-09-26 1:05 ` [PATCH 00/53] Netfilter updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1474844823-2026-38-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).