From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 09/39] netfilter: merge nf_iterate() into nf_hook_slow()
Date: Sun, 13 Nov 2016 23:25:03 +0100	[thread overview]
Message-ID: <1479075933-4491-10-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1479075933-4491-1-git-send-email-pablo@netfilter.org>

nf_iterate() has become rather simple, we can integrate this code into
nf_hook_slow() to reduce the amount of LOC in the core path.

However, we still need nf_iterate() around for nf_queue packet handling,
so move this function there, the only place where we need it. I think it
should be possible to refactor the nf_queue code to get rid of it entirely,
but given this is slow path anyway, let's have a look at this later.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/core.c         | 73 +++++++++++++++++---------------------------
 net/netfilter/nf_internals.h |  5 ---
 net/netfilter/nf_queue.c     | 20 ++++++++++++
 3 files changed, 48 insertions(+), 50 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index ebece48b8392..bd9272eeccb5 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -302,26 +302,6 @@ void _nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
 }
 EXPORT_SYMBOL(_nf_unregister_hooks);
 
-unsigned int nf_iterate(struct sk_buff *skb,
-			struct nf_hook_state *state,
-			struct nf_hook_entry **entryp)
-{
-	unsigned int verdict;
-
-	do {
-repeat:
-		verdict = (*entryp)->ops.hook((*entryp)->ops.priv, skb, state);
-		if (verdict != NF_ACCEPT) {
-			if (verdict != NF_REPEAT)
-				return verdict;
-			goto repeat;
-		}
-		*entryp = rcu_dereference((*entryp)->next);
-	} while (*entryp);
-	return NF_ACCEPT;
-}
-
-
 /* Returns 1 if okfn() needs to be executed by the caller,
  * -EPERM for NF_DROP, 0 otherwise.  Caller must hold rcu_read_lock. */
 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state,
@@ -330,31 +310,34 @@ int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state,
 	unsigned int verdict;
 	int ret;
 
-next_hook:
-	verdict = nf_iterate(skb, state, &entry);
-	switch (verdict & NF_VERDICT_MASK) {
-	case NF_ACCEPT:
-		ret = 1;
-		break;
-	case NF_DROP:
-		kfree_skb(skb);
-		ret = NF_DROP_GETERR(verdict);
-		if (ret == 0)
-			ret = -EPERM;
-		break;
-	case NF_QUEUE:
-		ret = nf_queue(skb, state, &entry, verdict);
-		if (ret == 1 && entry)
-			goto next_hook;
-		/* Fall through. */
-	default:
-		/* Implicit handling for NF_STOLEN, as well as any other non
-		 * conventional verdicts.
-		 */
-		ret = 0;
-		break;
-	}
-	return ret;
+	do {
+		verdict = entry->ops.hook(entry->ops.priv, skb, state);
+		switch (verdict & NF_VERDICT_MASK) {
+		case NF_ACCEPT:
+			entry = rcu_dereference(entry->next);
+			break;
+		case NF_DROP:
+			kfree_skb(skb);
+			ret = NF_DROP_GETERR(verdict);
+			if (ret == 0)
+				ret = -EPERM;
+			return ret;
+		case NF_REPEAT:
+			continue;
+		case NF_QUEUE:
+			ret = nf_queue(skb, state, &entry, verdict);
+			if (ret == 1 && entry)
+				continue;
+			return ret;
+		default:
+			/* Implicit handling for NF_STOLEN, as well as any other
+			 * non conventional verdicts.
+			 */
+			return 0;
+		}
+	} while (entry);
+
+	return 1;
 }
 EXPORT_SYMBOL(nf_hook_slow);
 
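Review bot: The `NF_QUEUE` case now ends in `return ret;`, whereas the removed code fell through to `default` and always returned 0 when it did not loop back, so the result of nf_hook_slow() changes whenever nf_queue() returns a non-zero value without `entry` set (nf_queue()'s return values are outside this hunk). If returning 1 for that case is intended, it deserves a comment such as `/* queue bypassed on the last hook: caller must run okfn() */` and a line in the commit message, which presents the patch as a plain merge. Separately, the switch now tests `verdict & NF_VERDICT_MASK` for NF_ACCEPT and NF_REPEAT, while the removed nf_iterate() compared the unmasked verdict, so a verdict carrying upper bits is treated differently from before and from the nf_iterate() copy kept in nf_queue.c. Since these verdicts decide whether a packet passes the hook chain, both differences should be confirmed as deliberate; the body of nf_hook_slow() starts outside this hunk.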
diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h
index 9fdb655f85bc..c46d214d5323 100644
--- a/net/netfilter/nf_internals.h
+++ b/net/netfilter/nf_internals.h
@@ -11,11 +11,6 @@
 #define NFDEBUG(format, args...)
 #endif
 
-
-/* core.c */
-unsigned int nf_iterate(struct sk_buff *skb, struct nf_hook_state *state,
-			struct nf_hook_entry **entryp);
-
 /* nf_queue.c */
 int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
 	     struct nf_hook_entry **entryp, unsigned int verdict);
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 2e39e38ae1c7..77cba9f6ccb6 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -177,6 +177,26 @@ int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
 	return 0;
 }
 
+static unsigned int nf_iterate(struct sk_buff *skb,
+			       struct nf_hook_state *state,
+			       struct nf_hook_entry **entryp)
+{
+	unsigned int verdict;
+
+	do {
+repeat:
+		verdict = (*entryp)->ops.hook((*entryp)->ops.priv, skb, state);
+		if (verdict != NF_ACCEPT) {
+			if (verdict != NF_REPEAT)
+				return verdict;
+			goto repeat;
+		}
+		*entryp = rcu_dereference((*entryp)->next);
+	} while (*entryp);
+
+	return NF_ACCEPT;
+}
+
 void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 {
 	struct nf_hook_entry *hook_entry = entry->hook;
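Review bot: The now-static nf_iterate() dereferences `*entryp` before the `while (*entryp)` test and uses rcu_dereference(), but nothing in the added lines states those preconditions. A short header comment would make them explicit for the remaining caller, e.g. `/* Caller must hold rcu_read_lock() and pass a non-NULL *entryp. */`. Whether nf_reinject() guarantees a non-NULL entry cannot be checked here, because its body continues outside the hunk. It would also help to note in that comment that a hook returning NF_REPEAT is re-invoked with no bound through `goto repeat`.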
-- 
2.1.4



Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-13 22:24 [PATCH 00/39] Netfilter updates for net-next Pablo Neira Ayuso
2016-11-13 22:24 ` [PATCH 01/39] netfilter: get rid of useless debugging from core Pablo Neira Ayuso
2016-11-13 22:24 ` [PATCH 02/39] netfilter: remove comments that predate rcu days Pablo Neira Ayuso
2016-11-13 22:24 ` [PATCH 03/39] netfilter: kill NF_HOOK_THRESH() and state->tresh Pablo Neira Ayuso
2016-11-13 22:24 ` [PATCH 04/39] netfilter: deprecate NF_STOP Pablo Neira Ayuso
2016-11-13 22:24 ` [PATCH 05/39] netfilter: x_tables: move hook state into xt_action_param structure Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 06/39] netfilter: nf_tables: use hook state from " Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 07/39] netfilter: use switch() to handle verdict cases from nf_hook_slow() Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 08/39] netfilter: remove hook_entries field from nf_hook_state Pablo Neira Ayuso
2016-11-13 22:25 ` Pablo Neira Ayuso [this message]
2016-11-13 22:25 ` [PATCH 10/39] netfilter: handle NF_REPEAT from nf_conntrack_in() Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 11/39] netfilter: nft_hash: get random bytes if seed is not specified Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 12/39] netfilter: nf_tables: simplify the basic expressions' init routine Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 13/39] netfilter: conntrack: simplify init/uninit of L4 protocol trackers Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 14/39] udp: provide udp{4,6}_lib_lookup for nf_socket_ipv{4,6} Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 15/39] netfilter: conntrack: fix NF_REPEAT handling Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 16/39] netfilter: ipset: Remove extra whitespaces in ip_set.h Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 17/39] netfilter: ipset: Mark some helper args as const Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 18/39] netfilter: ipset: Headers file cleanup Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 19/39] netfilter: ipset: Improve skbinfo get/init helpers Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 20/39] netfilter: ipset: Use kmalloc() in comment extension helper Pablo Neira Ayuso
2016-11-15 10:48   ` David Laight
2016-11-13 22:25 ` [PATCH 21/39] netfilter: ipset: Split extensions into separate files Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 22/39] netfilter: ipset: Separate memsize calculation code into dedicated function Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 23/39] netfilter: ipset: Regroup ip_set_put_extensions and add extern Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 24/39] netfilter: ipset: Add element count to hash headers Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 25/39] netfilter: ipset: Add element count to all set types header Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 26/39] netfilter: ipset: Count non-static extension memory for userspace Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 27/39] netfilter: ipset: Remove redundant mtype_expire() arguments Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 28/39] netfilter: ipset: Simplify mtype_expire() for hash types Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 29/39] netfilter: ipset: Make NLEN compile time constant " Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 30/39] netfilter: ipset: Make sure element data size is a multiple of u32 Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 31/39] netfilter: ipset: Optimize hash creation routine Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 32/39] netfilter: ipset: Make struct htype per ipset family Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 33/39] netfilter: ipset: Collapse same condition body to a single one Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 34/39] netfilter: ipset: Fix reported memory size for hash:* types Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 35/39] netfilter: ipset: hash:ipmac type support added to ipset Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 36/39] netfilter: ipset: use setup_timer() and mod_timer() Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 37/39] netfilter: ipset: hash: fix boolreturn.cocci warnings Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 38/39] netfilter: conntrack: remove unused netns_ct member Pablo Neira Ayuso
2016-11-13 22:25 ` [PATCH 39/39] netfilter: x_tables: simplify IS_ERR_OR_NULL to NULL test Pablo Neira Ayuso
2016-11-14  4:25 ` [PATCH 00/39] Netfilter updates for net-next David Miller
