* [PATCH 001/103] netfilter: xtables: remove xt_TOS v0
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:24 ` [PATCH 002/103] netfilter: xtables: remove xt_CONNMARK v0 Jan Engelhardt
` (103 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Superseded by xt_TOS v1 (v2.6.24-2396-g5c350e5).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
Documentation/feature-removal-schedule.txt | 3 --
include/linux/netfilter_ipv4/Kbuild | 2 -
include/linux/netfilter_ipv4/ipt_TOS.h | 12 -------
include/linux/netfilter_ipv4/ipt_tos.h | 13 --------
net/netfilter/xt_DSCP.c | 46 ----------------------------
net/netfilter/xt_dscp.c | 17 ----------
6 files changed, 0 insertions(+), 93 deletions(-)
delete mode 100644 include/linux/netfilter_ipv4/ipt_TOS.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_tos.h
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index f8cd450..3aa4a77 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -235,9 +235,6 @@ Who: Thomas Gleixner <tglx@linutronix.de>
---------------------------
What (Why):
- - include/linux/netfilter_ipv4/ipt_TOS.h ipt_tos.h header files
- (superseded by xt_TOS/xt_tos target & match)
-
- "forwarding" header files like ipt_mac.h in
include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild
index 3a7105b..86d81a2 100644
--- a/include/linux/netfilter_ipv4/Kbuild
+++ b/include/linux/netfilter_ipv4/Kbuild
@@ -9,7 +9,6 @@ header-y += ipt_NFQUEUE.h
header-y += ipt_REJECT.h
header-y += ipt_SAME.h
header-y += ipt_TCPMSS.h
-header-y += ipt_TOS.h
header-y += ipt_TTL.h
header-y += ipt_ULOG.h
header-y += ipt_addrtype.h
@@ -40,7 +39,6 @@ header-y += ipt_sctp.h
header-y += ipt_state.h
header-y += ipt_string.h
header-y += ipt_tcpmss.h
-header-y += ipt_tos.h
header-y += ipt_ttl.h
unifdef-y += ip_queue.h
diff --git a/include/linux/netfilter_ipv4/ipt_TOS.h b/include/linux/netfilter_ipv4/ipt_TOS.h
deleted file mode 100644
index 6bf9e1f..0000000
--- a/include/linux/netfilter_ipv4/ipt_TOS.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef _IPT_TOS_H_target
-#define _IPT_TOS_H_target
-
-#ifndef IPTOS_NORMALSVC
-#define IPTOS_NORMALSVC 0
-#endif
-
-struct ipt_tos_target_info {
- u_int8_t tos;
-};
-
-#endif /*_IPT_TOS_H_target*/
diff --git a/include/linux/netfilter_ipv4/ipt_tos.h b/include/linux/netfilter_ipv4/ipt_tos.h
deleted file mode 100644
index a21f5df..0000000
--- a/include/linux/netfilter_ipv4/ipt_tos.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef _IPT_TOS_H
-#define _IPT_TOS_H
-
-struct ipt_tos_info {
- u_int8_t tos;
- u_int8_t invert;
-};
-
-#ifndef IPTOS_NORMALSVC
-#define IPTOS_NORMALSVC 0
-#endif
-
-#endif /*_IPT_TOS_H*/
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 6a347e7..74ce892 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -18,7 +18,6 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_DSCP.h>
-#include <linux/netfilter_ipv4/ipt_TOS.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("Xtables: DSCP/TOS field modification");
@@ -73,41 +72,6 @@ static bool dscp_tg_check(const struct xt_tgchk_param *par)
}
static unsigned int
-tos_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
-{
- const struct ipt_tos_target_info *info = par->targinfo;
- struct iphdr *iph = ip_hdr(skb);
- u_int8_t oldtos;
-
- if ((iph->tos & IPTOS_TOS_MASK) != info->tos) {
- if (!skb_make_writable(skb, sizeof(struct iphdr)))
- return NF_DROP;
-
- iph = ip_hdr(skb);
- oldtos = iph->tos;
- iph->tos = (iph->tos & IPTOS_PREC_MASK) | info->tos;
- csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
- }
-
- return XT_CONTINUE;
-}
-
-static bool tos_tg_check_v0(const struct xt_tgchk_param *par)
-{
- const struct ipt_tos_target_info *info = par->targinfo;
- const uint8_t tos = info->tos;
-
- if (tos != IPTOS_LOWDELAY && tos != IPTOS_THROUGHPUT &&
- tos != IPTOS_RELIABILITY && tos != IPTOS_MINCOST &&
- tos != IPTOS_NORMALSVC) {
- printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
- return false;
- }
-
- return true;
-}
-
-static unsigned int
tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
const struct xt_tos_target_info *info = par->targinfo;
@@ -168,16 +132,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
},
{
.name = "TOS",
- .revision = 0,
- .family = NFPROTO_IPV4,
- .table = "mangle",
- .target = tos_tg_v0,
- .targetsize = sizeof(struct ipt_tos_target_info),
- .checkentry = tos_tg_check_v0,
- .me = THIS_MODULE,
- },
- {
- .name = "TOS",
.revision = 1,
.family = NFPROTO_IPV4,
.table = "mangle",
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index c3f8085..0280d3a 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -15,7 +15,6 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_dscp.h>
-#include <linux/netfilter_ipv4/ipt_tos.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("Xtables: DSCP/TOS field match");
@@ -55,14 +54,6 @@ static bool dscp_mt_check(const struct xt_mtchk_param *par)
return true;
}
-static bool
-tos_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
- const struct ipt_tos_info *info = par->matchinfo;
-
- return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
-}
-
static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct xt_tos_match_info *info = par->matchinfo;
@@ -94,14 +85,6 @@ static struct xt_match dscp_mt_reg[] __read_mostly = {
},
{
.name = "tos",
- .revision = 0,
- .family = NFPROTO_IPV4,
- .match = tos_mt_v0,
- .matchsize = sizeof(struct ipt_tos_info),
- .me = THIS_MODULE,
- },
- {
- .name = "tos",
.revision = 1,
.family = NFPROTO_IPV4,
.match = tos_mt,
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 002/103] netfilter: xtables: remove xt_CONNMARK v0
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 001/103] netfilter: xtables: remove xt_TOS v0 Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:24 ` [PATCH 003/103] netfilter: xtables: remove xt_MARK v0, v1 Jan Engelhardt
` (102 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Superseded by xt_CONNMARK v1 (v2.6.24-2917-g0dc8c76).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
Documentation/feature-removal-schedule.txt | 3 -
include/linux/netfilter/xt_CONNMARK.h | 6 --
net/netfilter/xt_CONNMARK.c | 134 +++-------------------------
3 files changed, 11 insertions(+), 132 deletions(-)
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 3aa4a77..7eccf94 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -238,9 +238,6 @@ What (Why):
- "forwarding" header files like ipt_mac.h in
include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
- - xt_CONNMARK match revision 0
- (superseded by xt_CONNMARK match revision 1)
-
- xt_MARK target revisions 0 and 1
(superseded by xt_MARK match revision 2)
diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h
index 7635c8f..0a85458 100644
--- a/include/linux/netfilter/xt_CONNMARK.h
+++ b/include/linux/netfilter/xt_CONNMARK.h
@@ -18,12 +18,6 @@ enum {
XT_CONNMARK_RESTORE
};
-struct xt_connmark_target_info {
- unsigned long mark;
- unsigned long mask;
- __u8 mode;
-};
-
struct xt_connmark_tginfo1 {
__u32 ctmark, ctmask, nfmask;
__u8 mode;
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index d6e5ab4..5934570 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -36,45 +36,6 @@ MODULE_ALIAS("ip6t_CONNMARK");
#include <net/netfilter/nf_conntrack_ecache.h>
static unsigned int
-connmark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
-{
- const struct xt_connmark_target_info *markinfo = par->targinfo;
- struct nf_conn *ct;
- enum ip_conntrack_info ctinfo;
- u_int32_t diff;
- u_int32_t mark;
- u_int32_t newmark;
-
- ct = nf_ct_get(skb, &ctinfo);
- if (ct) {
- switch(markinfo->mode) {
- case XT_CONNMARK_SET:
- newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
- if (newmark != ct->mark) {
- ct->mark = newmark;
- nf_conntrack_event_cache(IPCT_MARK, ct);
- }
- break;
- case XT_CONNMARK_SAVE:
- newmark = (ct->mark & ~markinfo->mask) |
- (skb->mark & markinfo->mask);
- if (ct->mark != newmark) {
- ct->mark = newmark;
- nf_conntrack_event_cache(IPCT_MARK, ct);
- }
- break;
- case XT_CONNMARK_RESTORE:
- mark = skb->mark;
- diff = (ct->mark ^ mark) & markinfo->mask;
- skb->mark = mark ^ diff;
- break;
- }
- }
-
- return XT_CONTINUE;
-}
-
-static unsigned int
connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
const struct xt_connmark_tginfo1 *info = par->targinfo;
@@ -112,30 +73,6 @@ connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool connmark_tg_check_v0(const struct xt_tgchk_param *par)
-{
- const struct xt_connmark_target_info *matchinfo = par->targinfo;
-
- if (matchinfo->mode == XT_CONNMARK_RESTORE) {
- if (strcmp(par->table, "mangle") != 0) {
- printk(KERN_WARNING "CONNMARK: restore can only be "
- "called from \"mangle\" table, not \"%s\"\n",
- par->table);
- return false;
- }
- }
- if (matchinfo->mark > 0xffffffff || matchinfo->mask > 0xffffffff) {
- printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n");
- return false;
- }
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
- printk(KERN_WARNING "can't load conntrack support for "
- "proto=%u\n", par->family);
- return false;
- }
- return true;
-}
-
static bool connmark_tg_check(const struct xt_tgchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
@@ -151,74 +88,25 @@ static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
nf_ct_l3proto_module_put(par->family);
}
-#ifdef CONFIG_COMPAT
-struct compat_xt_connmark_target_info {
- compat_ulong_t mark, mask;
- u_int8_t mode;
- u_int8_t __pad1;
- u_int16_t __pad2;
-};
-
-static void connmark_tg_compat_from_user_v0(void *dst, void *src)
-{
- const struct compat_xt_connmark_target_info *cm = src;
- struct xt_connmark_target_info m = {
- .mark = cm->mark,
- .mask = cm->mask,
- .mode = cm->mode,
- };
- memcpy(dst, &m, sizeof(m));
-}
-
-static int connmark_tg_compat_to_user_v0(void __user *dst, void *src)
-{
- const struct xt_connmark_target_info *m = src;
- struct compat_xt_connmark_target_info cm = {
- .mark = m->mark,
- .mask = m->mask,
- .mode = m->mode,
- };
- return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif /* CONFIG_COMPAT */
-
-static struct xt_target connmark_tg_reg[] __read_mostly = {
- {
- .name = "CONNMARK",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .checkentry = connmark_tg_check_v0,
- .destroy = connmark_tg_destroy,
- .target = connmark_tg_v0,
- .targetsize = sizeof(struct xt_connmark_target_info),
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_connmark_target_info),
- .compat_from_user = connmark_tg_compat_from_user_v0,
- .compat_to_user = connmark_tg_compat_to_user_v0,
-#endif
- .me = THIS_MODULE
- },
- {
- .name = "CONNMARK",
- .revision = 1,
- .family = NFPROTO_UNSPEC,
- .checkentry = connmark_tg_check,
- .target = connmark_tg,
- .targetsize = sizeof(struct xt_connmark_tginfo1),
- .destroy = connmark_tg_destroy,
- .me = THIS_MODULE,
- },
+static struct xt_target connmark_tg_reg __read_mostly = {
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .checkentry = connmark_tg_check,
+ .target = connmark_tg,
+ .targetsize = sizeof(struct xt_connmark_tginfo1),
+ .destroy = connmark_tg_destroy,
+ .me = THIS_MODULE,
};
static int __init connmark_tg_init(void)
{
- return xt_register_targets(connmark_tg_reg,
- ARRAY_SIZE(connmark_tg_reg));
+ return xt_register_target(&connmark_tg_reg);
}
static void __exit connmark_tg_exit(void)
{
- xt_unregister_targets(connmark_tg_reg, ARRAY_SIZE(connmark_tg_reg));
+ xt_unregister_target(&connmark_tg_reg);
}
module_init(connmark_tg_init);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 003/103] netfilter: xtables: remove xt_MARK v0, v1
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 001/103] netfilter: xtables: remove xt_TOS v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 002/103] netfilter: xtables: remove xt_CONNMARK v0 Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:24 ` [PATCH 004/103] netfilter: xtables: remove xt_connmark v0 Jan Engelhardt
` (101 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Superseded by xt_MARK v2 (v2.6.24-2918-ge0a812a).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
Documentation/feature-removal-schedule.txt | 3 -
include/linux/netfilter/xt_MARK.h | 17 ---
net/netfilter/xt_MARK.c | 163 ++--------------------------
3 files changed, 9 insertions(+), 174 deletions(-)
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 7eccf94..121e19c 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -238,9 +238,6 @@ What (Why):
- "forwarding" header files like ipt_mac.h in
include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
- - xt_MARK target revisions 0 and 1
- (superseded by xt_MARK match revision 2)
-
- xt_connmark match revision 0
(superseded by xt_connmark match revision 1)
diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h
index 028304b..bc9561b 100644
--- a/include/linux/netfilter/xt_MARK.h
+++ b/include/linux/netfilter/xt_MARK.h
@@ -3,23 +3,6 @@
#include <linux/types.h>
-/* Version 0 */
-struct xt_mark_target_info {
- unsigned long mark;
-};
-
-/* Version 1 */
-enum {
- XT_MARK_SET=0,
- XT_MARK_AND,
- XT_MARK_OR,
-};
-
-struct xt_mark_target_info_v1 {
- unsigned long mark;
- __u8 mode;
-};
-
struct xt_mark_tginfo2 {
__u32 mark, mask;
};
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 67574bc..225f8d1 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -25,39 +25,6 @@ MODULE_ALIAS("ipt_MARK");
MODULE_ALIAS("ip6t_MARK");
static unsigned int
-mark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
-{
- const struct xt_mark_target_info *markinfo = par->targinfo;
-
- skb->mark = markinfo->mark;
- return XT_CONTINUE;
-}
-
-static unsigned int
-mark_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
-{
- const struct xt_mark_target_info_v1 *markinfo = par->targinfo;
- int mark = 0;
-
- switch (markinfo->mode) {
- case XT_MARK_SET:
- mark = markinfo->mark;
- break;
-
- case XT_MARK_AND:
- mark = skb->mark & markinfo->mark;
- break;
-
- case XT_MARK_OR:
- mark = skb->mark | markinfo->mark;
- break;
- }
-
- skb->mark = mark;
- return XT_CONTINUE;
-}
-
-static unsigned int
mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
const struct xt_mark_tginfo2 *info = par->targinfo;
@@ -66,135 +33,23 @@ mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool mark_tg_check_v0(const struct xt_tgchk_param *par)
-{
- const struct xt_mark_target_info *markinfo = par->targinfo;
-
- if (markinfo->mark > 0xffffffff) {
- printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
- return false;
- }
- return true;
-}
-
-static bool mark_tg_check_v1(const struct xt_tgchk_param *par)
-{
- const struct xt_mark_target_info_v1 *markinfo = par->targinfo;
-
- if (markinfo->mode != XT_MARK_SET
- && markinfo->mode != XT_MARK_AND
- && markinfo->mode != XT_MARK_OR) {
- printk(KERN_WARNING "MARK: unknown mode %u\n",
- markinfo->mode);
- return false;
- }
- if (markinfo->mark > 0xffffffff) {
- printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
- return false;
- }
- return true;
-}
-
-#ifdef CONFIG_COMPAT
-struct compat_xt_mark_target_info {
- compat_ulong_t mark;
-};
-
-static void mark_tg_compat_from_user_v0(void *dst, void *src)
-{
- const struct compat_xt_mark_target_info *cm = src;
- struct xt_mark_target_info m = {
- .mark = cm->mark,
- };
- memcpy(dst, &m, sizeof(m));
-}
-
-static int mark_tg_compat_to_user_v0(void __user *dst, void *src)
-{
- const struct xt_mark_target_info *m = src;
- struct compat_xt_mark_target_info cm = {
- .mark = m->mark,
- };
- return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-
-struct compat_xt_mark_target_info_v1 {
- compat_ulong_t mark;
- u_int8_t mode;
- u_int8_t __pad1;
- u_int16_t __pad2;
-};
-
-static void mark_tg_compat_from_user_v1(void *dst, void *src)
-{
- const struct compat_xt_mark_target_info_v1 *cm = src;
- struct xt_mark_target_info_v1 m = {
- .mark = cm->mark,
- .mode = cm->mode,
- };
- memcpy(dst, &m, sizeof(m));
-}
-
-static int mark_tg_compat_to_user_v1(void __user *dst, void *src)
-{
- const struct xt_mark_target_info_v1 *m = src;
- struct compat_xt_mark_target_info_v1 cm = {
- .mark = m->mark,
- .mode = m->mode,
- };
- return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif /* CONFIG_COMPAT */
-
-static struct xt_target mark_tg_reg[] __read_mostly = {
- {
- .name = "MARK",
- .family = NFPROTO_UNSPEC,
- .revision = 0,
- .checkentry = mark_tg_check_v0,
- .target = mark_tg_v0,
- .targetsize = sizeof(struct xt_mark_target_info),
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_mark_target_info),
- .compat_from_user = mark_tg_compat_from_user_v0,
- .compat_to_user = mark_tg_compat_to_user_v0,
-#endif
- .table = "mangle",
- .me = THIS_MODULE,
- },
- {
- .name = "MARK",
- .family = NFPROTO_UNSPEC,
- .revision = 1,
- .checkentry = mark_tg_check_v1,
- .target = mark_tg_v1,
- .targetsize = sizeof(struct xt_mark_target_info_v1),
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_mark_target_info_v1),
- .compat_from_user = mark_tg_compat_from_user_v1,
- .compat_to_user = mark_tg_compat_to_user_v1,
-#endif
- .table = "mangle",
- .me = THIS_MODULE,
- },
- {
- .name = "MARK",
- .revision = 2,
- .family = NFPROTO_UNSPEC,
- .target = mark_tg,
- .targetsize = sizeof(struct xt_mark_tginfo2),
- .me = THIS_MODULE,
- },
+static struct xt_target mark_tg_reg __read_mostly = {
+ .name = "MARK",
+ .revision = 2,
+ .family = NFPROTO_UNSPEC,
+ .target = mark_tg,
+ .targetsize = sizeof(struct xt_mark_tginfo2),
+ .me = THIS_MODULE,
};
static int __init mark_tg_init(void)
{
- return xt_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
+ return xt_register_target(&mark_tg_reg);
}
static void __exit mark_tg_exit(void)
{
- xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
+ xt_unregister_target(&mark_tg_reg);
}
module_init(mark_tg_init);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 004/103] netfilter: xtables: remove xt_connmark v0
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (2 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 003/103] netfilter: xtables: remove xt_MARK v0, v1 Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-10 8:41 ` Patrick McHardy
2009-08-04 7:24 ` [PATCH 005/103] netfilter: xtables: remove xt_conntrack v0 Jan Engelhardt
` (100 subsequent siblings)
104 siblings, 1 reply; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Superseded by xt_connmark v1 (v2.6.24-2919-g96e3227).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
Documentation/feature-removal-schedule.txt | 3 -
include/linux/netfilter/xt_connmark.h | 5 --
net/netfilter/xt_connmark.c | 101 +++-------------------------
3 files changed, 11 insertions(+), 98 deletions(-)
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 121e19c..54f9357 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -238,9 +238,6 @@ What (Why):
- "forwarding" header files like ipt_mac.h in
include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
- - xt_connmark match revision 0
- (superseded by xt_connmark match revision 1)
-
- xt_conntrack match revision 0
(superseded by xt_conntrack match revision 1)
diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
index 571e266..619e47c 100644
--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/linux/netfilter/xt_connmark.h
@@ -12,11 +12,6 @@
* (at your option) any later version.
*/
-struct xt_connmark_info {
- unsigned long mark, mask;
- __u8 invert;
-};
-
struct xt_connmark_mtinfo1 {
__u32 mark, mask;
__u8 invert;
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 86cacab..122aa8b 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -47,36 +47,6 @@ connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ((ct->mark & info->mask) == info->mark) ^ info->invert;
}
-static bool
-connmark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
- const struct xt_connmark_info *info = par->matchinfo;
- const struct nf_conn *ct;
- enum ip_conntrack_info ctinfo;
-
- ct = nf_ct_get(skb, &ctinfo);
- if (!ct)
- return false;
-
- return ((ct->mark & info->mask) == info->mark) ^ info->invert;
-}
-
-static bool connmark_mt_check_v0(const struct xt_mtchk_param *par)
-{
- const struct xt_connmark_info *cm = par->matchinfo;
-
- if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
- printk(KERN_WARNING "connmark: only support 32bit mark\n");
- return false;
- }
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
- printk(KERN_WARNING "can't load conntrack support for "
- "proto=%u\n", par->family);
- return false;
- }
- return true;
-}
-
static bool connmark_mt_check(const struct xt_mtchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
@@ -92,74 +62,25 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
nf_ct_l3proto_module_put(par->family);
}
-#ifdef CONFIG_COMPAT
-struct compat_xt_connmark_info {
- compat_ulong_t mark, mask;
- u_int8_t invert;
- u_int8_t __pad1;
- u_int16_t __pad2;
-};
-
-static void connmark_mt_compat_from_user_v0(void *dst, void *src)
-{
- const struct compat_xt_connmark_info *cm = src;
- struct xt_connmark_info m = {
- .mark = cm->mark,
- .mask = cm->mask,
- .invert = cm->invert,
- };
- memcpy(dst, &m, sizeof(m));
-}
-
-static int connmark_mt_compat_to_user_v0(void __user *dst, void *src)
-{
- const struct xt_connmark_info *m = src;
- struct compat_xt_connmark_info cm = {
- .mark = m->mark,
- .mask = m->mask,
- .invert = m->invert,
- };
- return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif /* CONFIG_COMPAT */
-
-static struct xt_match connmark_mt_reg[] __read_mostly = {
- {
- .name = "connmark",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .checkentry = connmark_mt_check_v0,
- .match = connmark_mt_v0,
- .destroy = connmark_mt_destroy,
- .matchsize = sizeof(struct xt_connmark_info),
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_connmark_info),
- .compat_from_user = connmark_mt_compat_from_user_v0,
- .compat_to_user = connmark_mt_compat_to_user_v0,
-#endif
- .me = THIS_MODULE
- },
- {
- .name = "connmark",
- .revision = 1,
- .family = NFPROTO_UNSPEC,
- .checkentry = connmark_mt_check,
- .match = connmark_mt,
- .matchsize = sizeof(struct xt_connmark_mtinfo1),
- .destroy = connmark_mt_destroy,
- .me = THIS_MODULE,
- },
+static struct xt_match connmark_mt_reg __read_mostly = {
+ .name = "connmark",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .checkentry = connmark_mt_check,
+ .match = connmark_mt,
+ .matchsize = sizeof(struct xt_connmark_mtinfo1),
+ .destroy = connmark_mt_destroy,
+ .me = THIS_MODULE,
};
static int __init connmark_mt_init(void)
{
- return xt_register_matches(connmark_mt_reg,
- ARRAY_SIZE(connmark_mt_reg));
+ return xt_register_match(&connmark_mt_reg);
}
static void __exit connmark_mt_exit(void)
{
- xt_unregister_matches(connmark_mt_reg, ARRAY_SIZE(connmark_mt_reg));
+ xt_unregister_match(&connmark_mt_reg);
}
module_init(connmark_mt_init);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* Re: [PATCH 004/103] netfilter: xtables: remove xt_connmark v0
2009-08-04 7:24 ` [PATCH 004/103] netfilter: xtables: remove xt_connmark v0 Jan Engelhardt
@ 2009-08-10 8:41 ` Patrick McHardy
2009-08-10 9:01 ` Patrick McHardy
0 siblings, 1 reply; 118+ messages in thread
From: Patrick McHardy @ 2009-08-10 8:41 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> Superseded by xt_connmark v1 (v2.6.24-2919-g96e3227).
>
> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
> ---
> Documentation/feature-removal-schedule.txt | 3 -
> include/linux/netfilter/xt_connmark.h | 5 --
> net/netfilter/xt_connmark.c | 101 +++-------------------------
> 3 files changed, 11 insertions(+), 98 deletions(-)
This does not apply. You seem to have based your patches on an
old tree which doesn't include revision 2. Please use
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git
as base.
^ permalink raw reply [flat|nested] 118+ messages in thread
* Re: [PATCH 004/103] netfilter: xtables: remove xt_connmark v0
2009-08-10 8:41 ` Patrick McHardy
@ 2009-08-10 9:01 ` Patrick McHardy
0 siblings, 0 replies; 118+ messages in thread
From: Patrick McHardy @ 2009-08-10 9:01 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> Superseded by xt_connmark v1 (v2.6.24-2919-g96e3227).
>>
>> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
>> ---
>> Documentation/feature-removal-schedule.txt | 3 -
>> include/linux/netfilter/xt_connmark.h | 5 --
>> net/netfilter/xt_connmark.c | 101 +++-------------------------
>> 3 files changed, 11 insertions(+), 98 deletions(-)
>
> This does not apply. You seem to have based your patches on an
> old tree which doesn't include revision 2. Please use
>
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git
>
> as base.
And please only the removal- and initial cleanup patches in your
first submission. We can continue with the real changes after that.
^ permalink raw reply [flat|nested] 118+ messages in thread
* [PATCH 005/103] netfilter: xtables: remove xt_conntrack v0
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (3 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 004/103] netfilter: xtables: remove xt_connmark v0 Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:24 ` [PATCH 006/103] netfilter: xtables: remove xt_iprange v0 Jan Engelhardt
` (99 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Superseded by xt_conntrack v1 (v2.6.24-2921-g64eb12f).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
Documentation/feature-removal-schedule.txt | 3 -
include/linux/netfilter/xt_conntrack.h | 36 ------
net/netfilter/xt_conntrack.c | 180 ++--------------------------
3 files changed, 12 insertions(+), 207 deletions(-)
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 54f9357..6746473 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -238,9 +238,6 @@ What (Why):
- "forwarding" header files like ipt_mac.h in
include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
- - xt_conntrack match revision 0
- (superseded by xt_conntrack match revision 1)
-
- xt_iprange match revision 0,
include/linux/netfilter_ipv4/ipt_iprange.h
(superseded by xt_iprange match revision 1)
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 3430c77..51b1dc3 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -32,42 +32,6 @@ enum {
XT_CONNTRACK_DIRECTION = 1 << 12,
};
-/* This is exposed to userspace, so remains frozen in time. */
-struct ip_conntrack_old_tuple
-{
- struct {
- __be32 ip;
- union {
- __u16 all;
- } u;
- } src;
-
- struct {
- __be32 ip;
- union {
- __u16 all;
- } u;
-
- /* The protocol. */
- __u16 protonum;
- } dst;
-};
-
-struct xt_conntrack_info
-{
- unsigned int statemask, statusmask;
-
- struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
- struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
-
- unsigned long expires_min, expires_max;
-
- /* Flags word */
- __u8 flags;
- /* Inverse flags */
- __u8 invflags;
-};
-
struct xt_conntrack_mtinfo1 {
union nf_inet_addr origsrc_addr, origsrc_mask;
union nf_inet_addr origdst_addr, origdst_mask;
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 0b7139f..ccd9e1e 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -19,101 +19,12 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: connection tracking state match");
MODULE_ALIAS("ipt_conntrack");
MODULE_ALIAS("ip6t_conntrack");
static bool
-conntrack_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
- const struct xt_conntrack_info *sinfo = par->matchinfo;
- const struct nf_conn *ct;
- enum ip_conntrack_info ctinfo;
- unsigned int statebit;
-
- ct = nf_ct_get(skb, &ctinfo);
-
-#define FWINV(bool, invflg) ((bool) ^ !!(sinfo->invflags & (invflg)))
-
- if (ct == &nf_conntrack_untracked)
- statebit = XT_CONNTRACK_STATE_UNTRACKED;
- else if (ct)
- statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
- else
- statebit = XT_CONNTRACK_STATE_INVALID;
-
- if (sinfo->flags & XT_CONNTRACK_STATE) {
- if (ct) {
- if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
- statebit |= XT_CONNTRACK_STATE_SNAT;
- if (test_bit(IPS_DST_NAT_BIT, &ct->status))
- statebit |= XT_CONNTRACK_STATE_DNAT;
- }
- if (FWINV((statebit & sinfo->statemask) == 0,
- XT_CONNTRACK_STATE))
- return false;
- }
-
- if (ct == NULL) {
- if (sinfo->flags & ~XT_CONNTRACK_STATE)
- return false;
- return true;
- }
-
- if (sinfo->flags & XT_CONNTRACK_PROTO &&
- FWINV(nf_ct_protonum(ct) !=
- sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
- XT_CONNTRACK_PROTO))
- return false;
-
- if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
- FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip &
- sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
- sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
- XT_CONNTRACK_ORIGSRC))
- return false;
-
- if (sinfo->flags & XT_CONNTRACK_ORIGDST &&
- FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip &
- sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
- sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
- XT_CONNTRACK_ORIGDST))
- return false;
-
- if (sinfo->flags & XT_CONNTRACK_REPLSRC &&
- FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip &
- sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
- sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
- XT_CONNTRACK_REPLSRC))
- return false;
-
- if (sinfo->flags & XT_CONNTRACK_REPLDST &&
- FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip &
- sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
- sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
- XT_CONNTRACK_REPLDST))
- return false;
-
- if (sinfo->flags & XT_CONNTRACK_STATUS &&
- FWINV((ct->status & sinfo->statusmask) == 0,
- XT_CONNTRACK_STATUS))
- return false;
-
- if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
- unsigned long expires = timer_pending(&ct->timeout) ?
- (ct->timeout.expires - jiffies)/HZ : 0;
-
- if (FWINV(!(expires >= sinfo->expires_min &&
- expires <= sinfo->expires_max),
- XT_CONNTRACK_EXPIRES))
- return false;
- }
- return true;
-#undef FWINV
-}
-
-static bool
conntrack_addrcmp(const union nf_inet_addr *kaddr,
const union nf_inet_addr *uaddr,
const union nf_inet_addr *umask, unsigned int l3proto)
@@ -293,92 +204,25 @@ static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
nf_ct_l3proto_module_put(par->family);
}
-#ifdef CONFIG_COMPAT
-struct compat_xt_conntrack_info
-{
- compat_uint_t statemask;
- compat_uint_t statusmask;
- struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
- struct in_addr sipmsk[IP_CT_DIR_MAX];
- struct in_addr dipmsk[IP_CT_DIR_MAX];
- compat_ulong_t expires_min;
- compat_ulong_t expires_max;
- u_int8_t flags;
- u_int8_t invflags;
-};
-
-static void conntrack_mt_compat_from_user_v0(void *dst, void *src)
-{
- const struct compat_xt_conntrack_info *cm = src;
- struct xt_conntrack_info m = {
- .statemask = cm->statemask,
- .statusmask = cm->statusmask,
- .expires_min = cm->expires_min,
- .expires_max = cm->expires_max,
- .flags = cm->flags,
- .invflags = cm->invflags,
- };
- memcpy(m.tuple, cm->tuple, sizeof(m.tuple));
- memcpy(m.sipmsk, cm->sipmsk, sizeof(m.sipmsk));
- memcpy(m.dipmsk, cm->dipmsk, sizeof(m.dipmsk));
- memcpy(dst, &m, sizeof(m));
-}
-
-static int conntrack_mt_compat_to_user_v0(void __user *dst, void *src)
-{
- const struct xt_conntrack_info *m = src;
- struct compat_xt_conntrack_info cm = {
- .statemask = m->statemask,
- .statusmask = m->statusmask,
- .expires_min = m->expires_min,
- .expires_max = m->expires_max,
- .flags = m->flags,
- .invflags = m->invflags,
- };
- memcpy(cm.tuple, m->tuple, sizeof(cm.tuple));
- memcpy(cm.sipmsk, m->sipmsk, sizeof(cm.sipmsk));
- memcpy(cm.dipmsk, m->dipmsk, sizeof(cm.dipmsk));
- return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif
-
-static struct xt_match conntrack_mt_reg[] __read_mostly = {
- {
- .name = "conntrack",
- .revision = 0,
- .family = NFPROTO_IPV4,
- .match = conntrack_mt_v0,
- .checkentry = conntrack_mt_check,
- .destroy = conntrack_mt_destroy,
- .matchsize = sizeof(struct xt_conntrack_info),
- .me = THIS_MODULE,
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_conntrack_info),
- .compat_from_user = conntrack_mt_compat_from_user_v0,
- .compat_to_user = conntrack_mt_compat_to_user_v0,
-#endif
- },
- {
- .name = "conntrack",
- .revision = 1,
- .family = NFPROTO_UNSPEC,
- .matchsize = sizeof(struct xt_conntrack_mtinfo1),
- .match = conntrack_mt,
- .checkentry = conntrack_mt_check,
- .destroy = conntrack_mt_destroy,
- .me = THIS_MODULE,
- },
+static struct xt_match conntrack_mt_reg __read_mostly = {
+ .name = "conntrack",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .matchsize = sizeof(struct xt_conntrack_mtinfo1),
+ .match = conntrack_mt,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .me = THIS_MODULE,
};
static int __init conntrack_mt_init(void)
{
- return xt_register_matches(conntrack_mt_reg,
- ARRAY_SIZE(conntrack_mt_reg));
+ return xt_register_match(&conntrack_mt_reg);
}
static void __exit conntrack_mt_exit(void)
{
- xt_unregister_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg));
+ xt_unregister_match(&conntrack_mt_reg);
}
module_init(conntrack_mt_init);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 006/103] netfilter: xtables: remove xt_iprange v0
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (4 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 005/103] netfilter: xtables: remove xt_conntrack v0 Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:24 ` [PATCH 007/103] netfilter: xtables: remove xt_mark v0 Jan Engelhardt
` (98 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Superseded by xt_iprange v1 (v2.6.24-2928-g1a50c5a1).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
Documentation/feature-removal-schedule.txt | 4 --
include/linux/netfilter_ipv4/Kbuild | 1 -
include/linux/netfilter_ipv4/ipt_iprange.h | 21 -------------
net/netfilter/xt_iprange.c | 45 +--------------------------
4 files changed, 2 insertions(+), 69 deletions(-)
delete mode 100644 include/linux/netfilter_ipv4/ipt_iprange.h
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 6746473..8862b03 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -238,10 +238,6 @@ What (Why):
- "forwarding" header files like ipt_mac.h in
include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
- - xt_iprange match revision 0,
- include/linux/netfilter_ipv4/ipt_iprange.h
- (superseded by xt_iprange match revision 1)
-
- xt_mark match revision 0
(superseded by xt_mark match revision 1)
diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild
index 86d81a2..5e361ef 100644
--- a/include/linux/netfilter_ipv4/Kbuild
+++ b/include/linux/netfilter_ipv4/Kbuild
@@ -23,7 +23,6 @@ header-y += ipt_ecn.h
header-y += ipt_esp.h
header-y += ipt_hashlimit.h
header-y += ipt_helper.h
-header-y += ipt_iprange.h
header-y += ipt_length.h
header-y += ipt_limit.h
header-y += ipt_mac.h
diff --git a/include/linux/netfilter_ipv4/ipt_iprange.h b/include/linux/netfilter_ipv4/ipt_iprange.h
deleted file mode 100644
index 5f1aebd..0000000
--- a/include/linux/netfilter_ipv4/ipt_iprange.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef _IPT_IPRANGE_H
-#define _IPT_IPRANGE_H
-
-#include <linux/types.h>
-#include <linux/netfilter/xt_iprange.h>
-
-struct ipt_iprange {
- /* Inclusive: network order. */
- __be32 min_ip, max_ip;
-};
-
-struct ipt_iprange_info
-{
- struct ipt_iprange src;
- struct ipt_iprange dst;
-
- /* Flags from above */
- u_int8_t flags;
-};
-
-#endif /* _IPT_IPRANGE_H */
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index 501f9b6..ffc9638 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -14,40 +14,6 @@
#include <linux/ipv6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_iprange.h>
-#include <linux/netfilter_ipv4/ipt_iprange.h>
-
-static bool
-iprange_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
- const struct ipt_iprange_info *info = par->matchinfo;
- const struct iphdr *iph = ip_hdr(skb);
-
- if (info->flags & IPRANGE_SRC) {
- if ((ntohl(iph->saddr) < ntohl(info->src.min_ip)
- || ntohl(iph->saddr) > ntohl(info->src.max_ip))
- ^ !!(info->flags & IPRANGE_SRC_INV)) {
- pr_debug("src IP %pI4 NOT in range %s%pI4-%pI4\n",
- &iph->saddr,
- info->flags & IPRANGE_SRC_INV ? "(INV) " : "",
- &info->src.min_ip,
- &info->src.max_ip);
- return false;
- }
- }
- if (info->flags & IPRANGE_DST) {
- if ((ntohl(iph->daddr) < ntohl(info->dst.min_ip)
- || ntohl(iph->daddr) > ntohl(info->dst.max_ip))
- ^ !!(info->flags & IPRANGE_DST_INV)) {
- pr_debug("dst IP %pI4 NOT in range %s%pI4-%pI4\n",
- &iph->daddr,
- info->flags & IPRANGE_DST_INV ? "(INV) " : "",
- &info->dst.min_ip,
- &info->dst.max_ip);
- return false;
- }
- }
- return true;
-}
static bool
iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par)
@@ -127,14 +93,6 @@ iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
static struct xt_match iprange_mt_reg[] __read_mostly = {
{
.name = "iprange",
- .revision = 0,
- .family = NFPROTO_IPV4,
- .match = iprange_mt_v0,
- .matchsize = sizeof(struct ipt_iprange_info),
- .me = THIS_MODULE,
- },
- {
- .name = "iprange",
.revision = 1,
.family = NFPROTO_IPV4,
.match = iprange_mt4,
@@ -164,7 +122,8 @@ static void __exit iprange_mt_exit(void)
module_init(iprange_mt_init);
module_exit(iprange_mt_exit);
MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>, Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
MODULE_ALIAS("ipt_iprange");
MODULE_ALIAS("ip6t_iprange");
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 007/103] netfilter: xtables: remove xt_mark v0
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (5 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 006/103] netfilter: xtables: remove xt_iprange v0 Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:24 ` [PATCH 008/103] netfilter: xtables: remove obsolete /proc/net/ipt_recent Jan Engelhardt
` (97 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Superseded by xt_mark v1 (v2.6.24-2922-g17b0d7e).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
Documentation/feature-removal-schedule.txt | 3 -
include/linux/netfilter/xt_mark.h | 5 --
net/netfilter/xt_mark.c | 86 +++------------------------
3 files changed, 10 insertions(+), 84 deletions(-)
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 8862b03..5556d23 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -238,9 +238,6 @@ What (Why):
- "forwarding" header files like ipt_mac.h in
include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
- - xt_mark match revision 0
- (superseded by xt_mark match revision 1)
-
- xt_recent: the old ipt_recent proc dir
(superseded by /proc/net/xt_recent)
diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h
index 6fa460a..6607c8f 100644
--- a/include/linux/netfilter/xt_mark.h
+++ b/include/linux/netfilter/xt_mark.h
@@ -3,11 +3,6 @@
#include <linux/types.h>
-struct xt_mark_info {
- unsigned long mark, mask;
- __u8 invert;
-};
-
struct xt_mark_mtinfo1 {
__u32 mark, mask;
__u8 invert;
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 10b9e34..1db07d8 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -3,7 +3,7 @@
*
* (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
- * Jan Engelhardt <jengelh@computergmbh.de>
+ * Jan Engelhardt <jengelh@medozas.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -23,14 +23,6 @@ MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
static bool
-mark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
- const struct xt_mark_info *info = par->matchinfo;
-
- return ((skb->mark & info->mask) == info->mark) ^ info->invert;
-}
-
-static bool
mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct xt_mark_mtinfo1 *info = par->matchinfo;
@@ -38,81 +30,23 @@ mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
}
-static bool mark_mt_check_v0(const struct xt_mtchk_param *par)
-{
- const struct xt_mark_info *minfo = par->matchinfo;
-
- if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) {
- printk(KERN_WARNING "mark: only supports 32bit mark\n");
- return false;
- }
- return true;
-}
-
-#ifdef CONFIG_COMPAT
-struct compat_xt_mark_info {
- compat_ulong_t mark, mask;
- u_int8_t invert;
- u_int8_t __pad1;
- u_int16_t __pad2;
-};
-
-static void mark_mt_compat_from_user_v0(void *dst, void *src)
-{
- const struct compat_xt_mark_info *cm = src;
- struct xt_mark_info m = {
- .mark = cm->mark,
- .mask = cm->mask,
- .invert = cm->invert,
- };
- memcpy(dst, &m, sizeof(m));
-}
-
-static int mark_mt_compat_to_user_v0(void __user *dst, void *src)
-{
- const struct xt_mark_info *m = src;
- struct compat_xt_mark_info cm = {
- .mark = m->mark,
- .mask = m->mask,
- .invert = m->invert,
- };
- return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif /* CONFIG_COMPAT */
-
-static struct xt_match mark_mt_reg[] __read_mostly = {
- {
- .name = "mark",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .checkentry = mark_mt_check_v0,
- .match = mark_mt_v0,
- .matchsize = sizeof(struct xt_mark_info),
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_mark_info),
- .compat_from_user = mark_mt_compat_from_user_v0,
- .compat_to_user = mark_mt_compat_to_user_v0,
-#endif
- .me = THIS_MODULE,
- },
- {
- .name = "mark",
- .revision = 1,
- .family = NFPROTO_UNSPEC,
- .match = mark_mt,
- .matchsize = sizeof(struct xt_mark_mtinfo1),
- .me = THIS_MODULE,
- },
+static struct xt_match mark_mt_reg __read_mostly = {
+ .name = "mark",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .match = mark_mt,
+ .matchsize = sizeof(struct xt_mark_mtinfo1),
+ .me = THIS_MODULE,
};
static int __init mark_mt_init(void)
{
- return xt_register_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg));
+ return xt_register_match(&mark_mt_reg);
}
static void __exit mark_mt_exit(void)
{
- xt_unregister_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg));
+ xt_unregister_match(&mark_mt_reg);
}
module_init(mark_mt_init);
--
1.6.3.3
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 008/103] netfilter: xtables: remove obsolete /proc/net/ipt_recent
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (6 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 007/103] netfilter: xtables: remove xt_mark v0 Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-10 8:46 ` Patrick McHardy
2009-08-04 7:24 ` [PATCH 009/103] netfilter: xtables: remove xt_owner v0 Jan Engelhardt
` (96 subsequent siblings)
104 siblings, 1 reply; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
The directory has been superseded by /proc/net/xt_recent
(v2.6.27-rc8-889-g079aa88).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
Documentation/feature-removal-schedule.txt | 3 -
net/netfilter/Kconfig | 7 --
net/netfilter/xt_recent.c | 109 ----------------------------
3 files changed, 0 insertions(+), 119 deletions(-)
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 5556d23..420ea83 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -238,9 +238,6 @@ What (Why):
- "forwarding" header files like ipt_mac.h in
include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
- - xt_recent: the old ipt_recent proc dir
- (superseded by /proc/net/xt_recent)
-
When: January 2009 or Linux 2.7.0, whichever comes first
Why: Superseded by newer revisions or modules
Who: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 634d14a..773c360 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -811,13 +811,6 @@ config NETFILTER_XT_MATCH_RECENT
Short options are available by using 'iptables -m recent -h'
Official Website: <http://snowman.net/projects/ipt_recent/>
-config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
- bool 'Enable obsolete /proc/net/ipt_recent'
- depends on NETFILTER_XT_MATCH_RECENT && PROC_FS
- ---help---
- This option enables the old /proc/net/ipt_recent interface,
- which has been obsoleted by /proc/net/xt_recent.
-
config NETFILTER_XT_MATCH_SCTP
tristate '"sctp" protocol match support (EXPERIMENTAL)'
depends on EXPERIMENTAL
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index eb0ceb8..350bede 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -83,9 +83,6 @@ static DEFINE_SPINLOCK(recent_lock);
static DEFINE_MUTEX(recent_mutex);
#ifdef CONFIG_PROC_FS
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
-static struct proc_dir_entry *proc_old_dir;
-#endif
static struct proc_dir_entry *recent_proc_dir;
static const struct file_operations recent_old_fops, recent_mt_fops;
#endif
@@ -326,17 +323,6 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
}
pde->uid = ip_list_uid;
pde->gid = ip_list_gid;
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
- pde = proc_create_data(t->name, ip_list_perms, proc_old_dir,
- &recent_old_fops, t);
- if (pde == NULL) {
- remove_proc_entry(t->name, proc_old_dir);
- kfree(t);
- goto out;
- }
- pde->uid = ip_list_uid;
- pde->gid = ip_list_gid;
-#endif
#endif
spin_lock_bh(&recent_lock);
list_add_tail(&t->list, &tables);
@@ -359,9 +345,6 @@ static void recent_mt_destroy(const struct xt_mtdtor_param *par)
list_del(&t->list);
spin_unlock_bh(&recent_lock);
#ifdef CONFIG_PROC_FS
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
- remove_proc_entry(t->name, proc_old_dir);
-#endif
remove_proc_entry(t->name, recent_proc_dir);
#endif
recent_table_flush(t);
@@ -453,85 +436,6 @@ static int recent_seq_open(struct inode *inode, struct file *file)
return 0;
}
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
-static int recent_old_seq_open(struct inode *inode, struct file *filp)
-{
- static bool warned_of_old;
-
- if (unlikely(!warned_of_old)) {
- printk(KERN_INFO KBUILD_MODNAME ": Use of /proc/net/ipt_recent"
- " is deprecated; use /proc/net/xt_recent.\n");
- warned_of_old = true;
- }
- return recent_seq_open(inode, filp);
-}
-
-static ssize_t recent_old_proc_write(struct file *file,
- const char __user *input,
- size_t size, loff_t *loff)
-{
- const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
- struct recent_table *t = pde->data;
- struct recent_entry *e;
- char buf[sizeof("+255.255.255.255")], *c = buf;
- union nf_inet_addr addr = {};
- int add;
-
- if (size > sizeof(buf))
- size = sizeof(buf);
- if (copy_from_user(buf, input, size))
- return -EFAULT;
-
- while (isspace(*c))
- c++;
-
- if (size - (c - buf) < 5)
- return c - buf;
- if (!strncmp(c, "clear", 5)) {
- c += 5;
- spin_lock_bh(&recent_lock);
- recent_table_flush(t);
- spin_unlock_bh(&recent_lock);
- return c - buf;
- }
-
- switch (*c) {
- case '-':
- add = 0;
- c++;
- break;
- case '+':
- c++;
- default:
- add = 1;
- break;
- }
- addr.ip = in_aton(c);
-
- spin_lock_bh(&recent_lock);
- e = recent_entry_lookup(t, &addr, NFPROTO_IPV4, 0);
- if (e == NULL) {
- if (add)
- recent_entry_init(t, &addr, NFPROTO_IPV4, 0);
- } else {
- if (add)
- recent_entry_update(t, e);
- else
- recent_entry_remove(t, e);
- }
- spin_unlock_bh(&recent_lock);
- return size;
-}
-
-static const struct file_operations recent_old_fops = {
- .open = recent_old_seq_open,
- .read = seq_read,
- .write = recent_old_proc_write,
- .release = seq_release_private,
- .owner = THIS_MODULE,
-};
-#endif
-
static ssize_t
recent_mt_proc_write(struct file *file, const char __user *input,
size_t size, loff_t *loff)
@@ -654,16 +558,6 @@ static int __init recent_mt_init(void)
xt_unregister_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
err = -ENOMEM;
}
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
- if (err < 0)
- return err;
- proc_old_dir = proc_mkdir("ipt_recent", init_net.proc_net);
- if (proc_old_dir == NULL) {
- remove_proc_entry("xt_recent", init_net.proc_net);
- xt_unregister_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
- err = -ENOMEM;
- }
-#endif
#endif
return err;
}
@@ -673,9 +567,6 @@ static void __exit recent_mt_exit(void)
BUG_ON(!list_empty(&tables));
xt_unregister_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
#ifdef CONFIG_PROC_FS
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
- remove_proc_entry("ipt_recent", init_net.proc_net);
-#endif
remove_proc_entry("xt_recent", init_net.proc_net);
#endif
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 009/103] netfilter: xtables: remove xt_owner v0
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (7 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 008/103] netfilter: xtables: remove obsolete /proc/net/ipt_recent Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:24 ` [PATCH 010/103] netfilter: xtables: remove redirecting header files Jan Engelhardt
` (95 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Superseded by xt_owner v1 (v2.6.24-2388-g0265ab4).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter_ipv4/Kbuild | 1 -
include/linux/netfilter_ipv4/ipt_owner.h | 20 -----
include/linux/netfilter_ipv6/Kbuild | 1 -
include/linux/netfilter_ipv6/ip6t_owner.h | 18 ----
net/netfilter/xt_owner.c | 130 +++--------------------------
5 files changed, 12 insertions(+), 158 deletions(-)
delete mode 100644 include/linux/netfilter_ipv4/ipt_owner.h
delete mode 100644 include/linux/netfilter_ipv6/ip6t_owner.h
diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild
index 5e361ef..5413005 100644
--- a/include/linux/netfilter_ipv4/Kbuild
+++ b/include/linux/netfilter_ipv4/Kbuild
@@ -28,7 +28,6 @@ header-y += ipt_limit.h
header-y += ipt_mac.h
header-y += ipt_mark.h
header-y += ipt_multiport.h
-header-y += ipt_owner.h
header-y += ipt_physdev.h
header-y += ipt_pkttype.h
header-y += ipt_policy.h
diff --git a/include/linux/netfilter_ipv4/ipt_owner.h b/include/linux/netfilter_ipv4/ipt_owner.h
deleted file mode 100644
index a78445b..0000000
--- a/include/linux/netfilter_ipv4/ipt_owner.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef _IPT_OWNER_H
-#define _IPT_OWNER_H
-
-/* match and invert flags */
-#define IPT_OWNER_UID 0x01
-#define IPT_OWNER_GID 0x02
-#define IPT_OWNER_PID 0x04
-#define IPT_OWNER_SID 0x08
-#define IPT_OWNER_COMM 0x10
-
-struct ipt_owner_info {
- __kernel_uid32_t uid;
- __kernel_gid32_t gid;
- __kernel_pid_t pid;
- __kernel_pid_t sid;
- char comm[16];
- u_int8_t match, invert; /* flags */
-};
-
-#endif /*_IPT_OWNER_H*/
diff --git a/include/linux/netfilter_ipv6/Kbuild b/include/linux/netfilter_ipv6/Kbuild
index aca4bd1..4610a16 100644
--- a/include/linux/netfilter_ipv6/Kbuild
+++ b/include/linux/netfilter_ipv6/Kbuild
@@ -14,7 +14,6 @@ header-y += ip6t_mark.h
header-y += ip6t_mh.h
header-y += ip6t_multiport.h
header-y += ip6t_opts.h
-header-y += ip6t_owner.h
header-y += ip6t_physdev.h
header-y += ip6t_policy.h
header-y += ip6t_rt.h
diff --git a/include/linux/netfilter_ipv6/ip6t_owner.h b/include/linux/netfilter_ipv6/ip6t_owner.h
deleted file mode 100644
index ec5cc7a..0000000
--- a/include/linux/netfilter_ipv6/ip6t_owner.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _IP6T_OWNER_H
-#define _IP6T_OWNER_H
-
-/* match and invert flags */
-#define IP6T_OWNER_UID 0x01
-#define IP6T_OWNER_GID 0x02
-#define IP6T_OWNER_PID 0x04
-#define IP6T_OWNER_SID 0x08
-
-struct ip6t_owner_info {
- __kernel_uid32_t uid;
- __kernel_gid32_t gid;
- __kernel_pid_t pid;
- __kernel_pid_t sid;
- u_int8_t match, invert; /* flags */
-};
-
-#endif /*_IPT_OWNER_H*/
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 22b2a5e..d24c76d 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -5,7 +5,6 @@
* (C) 2000 Marc Boucher <marc@mbsi.ca>
*
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
- * <jengelh@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -17,60 +16,6 @@
#include <net/sock.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_owner.h>
-#include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv6/ip6t_owner.h>
-
-static bool
-owner_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
- const struct ipt_owner_info *info = par->matchinfo;
- const struct file *filp;
-
- if (skb->sk == NULL || skb->sk->sk_socket == NULL)
- return false;
-
- filp = skb->sk->sk_socket->file;
- if (filp == NULL)
- return false;
-
- if (info->match & IPT_OWNER_UID)
- if ((filp->f_cred->fsuid != info->uid) ^
- !!(info->invert & IPT_OWNER_UID))
- return false;
-
- if (info->match & IPT_OWNER_GID)
- if ((filp->f_cred->fsgid != info->gid) ^
- !!(info->invert & IPT_OWNER_GID))
- return false;
-
- return true;
-}
-
-static bool
-owner_mt6_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
- const struct ip6t_owner_info *info = par->matchinfo;
- const struct file *filp;
-
- if (skb->sk == NULL || skb->sk->sk_socket == NULL)
- return false;
-
- filp = skb->sk->sk_socket->file;
- if (filp == NULL)
- return false;
-
- if (info->match & IP6T_OWNER_UID)
- if ((filp->f_cred->fsuid != info->uid) ^
- !!(info->invert & IP6T_OWNER_UID))
- return false;
-
- if (info->match & IP6T_OWNER_GID)
- if ((filp->f_cred->fsgid != info->gid) ^
- !!(info->invert & IP6T_OWNER_GID))
- return false;
-
- return true;
-}
static bool
owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
@@ -107,81 +52,30 @@ owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool owner_mt_check_v0(const struct xt_mtchk_param *par)
-{
- const struct ipt_owner_info *info = par->matchinfo;
-
- if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
- printk(KERN_WARNING KBUILD_MODNAME
- ": PID, SID and command matching is not "
- "supported anymore\n");
- return false;
- }
-
- return true;
-}
-
-static bool owner_mt6_check_v0(const struct xt_mtchk_param *par)
-{
- const struct ip6t_owner_info *info = par->matchinfo;
-
- if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
- printk(KERN_WARNING KBUILD_MODNAME
- ": PID and SID matching is not supported anymore\n");
- return false;
- }
-
- return true;
-}
-
-static struct xt_match owner_mt_reg[] __read_mostly = {
- {
- .name = "owner",
- .revision = 0,
- .family = NFPROTO_IPV4,
- .match = owner_mt_v0,
- .matchsize = sizeof(struct ipt_owner_info),
- .checkentry = owner_mt_check_v0,
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_POST_ROUTING),
- .me = THIS_MODULE,
- },
- {
- .name = "owner",
- .revision = 0,
- .family = NFPROTO_IPV6,
- .match = owner_mt6_v0,
- .matchsize = sizeof(struct ip6t_owner_info),
- .checkentry = owner_mt6_check_v0,
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_POST_ROUTING),
- .me = THIS_MODULE,
- },
- {
- .name = "owner",
- .revision = 1,
- .family = NFPROTO_UNSPEC,
- .match = owner_mt,
- .matchsize = sizeof(struct xt_owner_match_info),
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_POST_ROUTING),
- .me = THIS_MODULE,
- },
+static struct xt_match owner_mt_reg __read_mostly = {
+ .name = "owner",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .match = owner_mt,
+ .matchsize = sizeof(struct xt_owner_match_info),
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
};
static int __init owner_mt_init(void)
{
- return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+ return xt_register_match(&owner_mt_reg);
}
static void __exit owner_mt_exit(void)
{
- xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+ xt_unregister_match(&owner_mt_reg);
}
module_init(owner_mt_init);
module_exit(owner_mt_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: socket owner matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_owner");
--
1.6.3.3
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 010/103] netfilter: xtables: remove redirecting header files
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (8 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 009/103] netfilter: xtables: remove xt_owner v0 Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:24 ` [PATCH 011/103] netfilter: conntrack: switch hook PFs to nfproto Jan Engelhardt
` (94 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
Documentation/feature-removal-schedule.txt | 10 ---
include/linux/netfilter_ipv4/Kbuild | 28 -------
include/linux/netfilter_ipv4/ipt_CLASSIFY.h | 7 --
include/linux/netfilter_ipv4/ipt_CONNMARK.h | 19 -----
include/linux/netfilter_ipv4/ipt_DSCP.h | 18 ----
include/linux/netfilter_ipv4/ipt_ECN.h | 4 +-
include/linux/netfilter_ipv4/ipt_MARK.h | 18 ----
include/linux/netfilter_ipv4/ipt_NFQUEUE.h | 16 ----
include/linux/netfilter_ipv4/ipt_TCPMSS.h | 9 --
| 10 ---
include/linux/netfilter_ipv4/ipt_connbytes.h | 18 ----
include/linux/netfilter_ipv4/ipt_connmark.h | 7 --
include/linux/netfilter_ipv4/ipt_conntrack.h | 28 -------
include/linux/netfilter_ipv4/ipt_dccp.h | 15 ----
include/linux/netfilter_ipv4/ipt_dscp.h | 21 -----
include/linux/netfilter_ipv4/ipt_ecn.h | 4 +-
include/linux/netfilter_ipv4/ipt_esp.h | 10 ---
include/linux/netfilter_ipv4/ipt_hashlimit.h | 14 ----
include/linux/netfilter_ipv4/ipt_helper.h | 7 --
include/linux/netfilter_ipv4/ipt_length.h | 7 --
include/linux/netfilter_ipv4/ipt_limit.h | 8 --
include/linux/netfilter_ipv4/ipt_mac.h | 7 --
include/linux/netfilter_ipv4/ipt_mark.h | 9 --
include/linux/netfilter_ipv4/ipt_multiport.h | 15 ----
include/linux/netfilter_ipv4/ipt_physdev.h | 17 ----
include/linux/netfilter_ipv4/ipt_pkttype.h | 7 --
include/linux/netfilter_ipv4/ipt_policy.h | 23 ------
include/linux/netfilter_ipv4/ipt_recent.h | 21 -----
include/linux/netfilter_ipv4/ipt_sctp.h | 105 -------------------------
include/linux/netfilter_ipv4/ipt_state.h | 15 ----
include/linux/netfilter_ipv4/ipt_string.h | 10 ---
include/linux/netfilter_ipv4/ipt_tcpmss.h | 7 --
include/linux/netfilter_ipv6/Kbuild | 11 +---
include/linux/netfilter_ipv6/ip6t_MARK.h | 9 --
include/linux/netfilter_ipv6/ip6t_esp.h | 10 ---
include/linux/netfilter_ipv6/ip6t_length.h | 8 --
include/linux/netfilter_ipv6/ip6t_limit.h | 8 --
include/linux/netfilter_ipv6/ip6t_mac.h | 7 --
include/linux/netfilter_ipv6/ip6t_mark.h | 9 --
include/linux/netfilter_ipv6/ip6t_multiport.h | 14 ----
include/linux/netfilter_ipv6/ip6t_physdev.h | 17 ----
include/linux/netfilter_ipv6/ip6t_policy.h | 23 ------
42 files changed, 5 insertions(+), 625 deletions(-)
delete mode 100644 include/linux/netfilter_ipv4/ipt_CLASSIFY.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_CONNMARK.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_DSCP.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_MARK.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_NFQUEUE.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_TCPMSS.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_comment.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_connbytes.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_connmark.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_conntrack.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_dccp.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_dscp.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_esp.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_hashlimit.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_helper.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_length.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_limit.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_mac.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_mark.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_multiport.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_physdev.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_pkttype.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_policy.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_recent.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_sctp.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_state.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_string.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_tcpmss.h
delete mode 100644 include/linux/netfilter_ipv6/ip6t_MARK.h
delete mode 100644 include/linux/netfilter_ipv6/ip6t_esp.h
delete mode 100644 include/linux/netfilter_ipv6/ip6t_length.h
delete mode 100644 include/linux/netfilter_ipv6/ip6t_limit.h
delete mode 100644 include/linux/netfilter_ipv6/ip6t_mac.h
delete mode 100644 include/linux/netfilter_ipv6/ip6t_mark.h
delete mode 100644 include/linux/netfilter_ipv6/ip6t_multiport.h
delete mode 100644 include/linux/netfilter_ipv6/ip6t_physdev.h
delete mode 100644 include/linux/netfilter_ipv6/ip6t_policy.h
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 420ea83..3b706a3 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -234,16 +234,6 @@ Who: Thomas Gleixner <tglx@linutronix.de>
---------------------------
-What (Why):
- - "forwarding" header files like ipt_mac.h in
- include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
-
-When: January 2009 or Linux 2.7.0, whichever comes first
-Why: Superseded by newer revisions or modules
-Who: Jan Engelhardt <jengelh@computergmbh.de>
-
----------------------------
-
What: GPIO autorequest on gpio_direction_{input,output}() in gpiolib
When: February 2010
Why: All callers should use explicit gpio_request()/gpio_free().
diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild
index 5413005..431b407 100644
--- a/include/linux/netfilter_ipv4/Kbuild
+++ b/include/linux/netfilter_ipv4/Kbuild
@@ -1,42 +1,14 @@
-header-y += ipt_CLASSIFY.h
header-y += ipt_CLUSTERIP.h
-header-y += ipt_CONNMARK.h
-header-y += ipt_DSCP.h
header-y += ipt_ECN.h
header-y += ipt_LOG.h
-header-y += ipt_MARK.h
-header-y += ipt_NFQUEUE.h
header-y += ipt_REJECT.h
header-y += ipt_SAME.h
-header-y += ipt_TCPMSS.h
header-y += ipt_TTL.h
header-y += ipt_ULOG.h
header-y += ipt_addrtype.h
header-y += ipt_ah.h
-header-y += ipt_comment.h
-header-y += ipt_connbytes.h
-header-y += ipt_connmark.h
-header-y += ipt_conntrack.h
-header-y += ipt_dccp.h
-header-y += ipt_dscp.h
header-y += ipt_ecn.h
-header-y += ipt_esp.h
-header-y += ipt_hashlimit.h
-header-y += ipt_helper.h
-header-y += ipt_length.h
-header-y += ipt_limit.h
-header-y += ipt_mac.h
-header-y += ipt_mark.h
-header-y += ipt_multiport.h
-header-y += ipt_physdev.h
-header-y += ipt_pkttype.h
-header-y += ipt_policy.h
header-y += ipt_realm.h
-header-y += ipt_recent.h
-header-y += ipt_sctp.h
-header-y += ipt_state.h
-header-y += ipt_string.h
-header-y += ipt_tcpmss.h
header-y += ipt_ttl.h
unifdef-y += ip_queue.h
diff --git a/include/linux/netfilter_ipv4/ipt_CLASSIFY.h b/include/linux/netfilter_ipv4/ipt_CLASSIFY.h
deleted file mode 100644
index a46d511..0000000
--- a/include/linux/netfilter_ipv4/ipt_CLASSIFY.h
+++ /dev/null
@@ -1,7 +0,0 @@
-#ifndef _IPT_CLASSIFY_H
-#define _IPT_CLASSIFY_H
-
-#include <linux/netfilter/xt_CLASSIFY.h>
-#define ipt_classify_target_info xt_classify_target_info
-
-#endif /*_IPT_CLASSIFY_H */
diff --git a/include/linux/netfilter_ipv4/ipt_CONNMARK.h b/include/linux/netfilter_ipv4/ipt_CONNMARK.h
deleted file mode 100644
index 9ecfee0..0000000
--- a/include/linux/netfilter_ipv4/ipt_CONNMARK.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _IPT_CONNMARK_H_target
-#define _IPT_CONNMARK_H_target
-
-/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- */
-#include <linux/netfilter/xt_CONNMARK.h>
-#define IPT_CONNMARK_SET XT_CONNMARK_SET
-#define IPT_CONNMARK_SAVE XT_CONNMARK_SAVE
-#define IPT_CONNMARK_RESTORE XT_CONNMARK_RESTORE
-
-#define ipt_connmark_target_info xt_connmark_target_info
-
-#endif /*_IPT_CONNMARK_H_target*/
diff --git a/include/linux/netfilter_ipv4/ipt_DSCP.h b/include/linux/netfilter_ipv4/ipt_DSCP.h
deleted file mode 100644
index 3491e52..0000000
--- a/include/linux/netfilter_ipv4/ipt_DSCP.h
+++ /dev/null
@@ -1,18 +0,0 @@
-/* iptables module for setting the IPv4 DSCP field
- *
- * (C) 2002 Harald Welte <laforge@gnumonks.org>
- * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
- * This software is distributed under GNU GPL v2, 1991
- *
- * See RFC2474 for a description of the DSCP field within the IP Header.
- *
- * ipt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
-*/
-#ifndef _IPT_DSCP_TARGET_H
-#define _IPT_DSCP_TARGET_H
-#include <linux/netfilter_ipv4/ipt_dscp.h>
-#include <linux/netfilter/xt_DSCP.h>
-
-#define ipt_DSCP_info xt_DSCP_info
-
-#endif /* _IPT_DSCP_TARGET_H */
diff --git a/include/linux/netfilter_ipv4/ipt_ECN.h b/include/linux/netfilter_ipv4/ipt_ECN.h
index 94e0d98..7ca4591 100644
--- a/include/linux/netfilter_ipv4/ipt_ECN.h
+++ b/include/linux/netfilter_ipv4/ipt_ECN.h
@@ -8,9 +8,9 @@
*/
#ifndef _IPT_ECN_TARGET_H
#define _IPT_ECN_TARGET_H
-#include <linux/netfilter_ipv4/ipt_DSCP.h>
+#include <linux/netfilter/xt_DSCP.h>
-#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK)
+#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
#define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */
#define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */
diff --git a/include/linux/netfilter_ipv4/ipt_MARK.h b/include/linux/netfilter_ipv4/ipt_MARK.h
deleted file mode 100644
index 697a486..0000000
--- a/include/linux/netfilter_ipv4/ipt_MARK.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _IPT_MARK_H_target
-#define _IPT_MARK_H_target
-
-/* Backwards compatibility for old userspace */
-
-#include <linux/netfilter/xt_MARK.h>
-
-/* Version 0 */
-#define ipt_mark_target_info xt_mark_target_info
-
-/* Version 1 */
-#define IPT_MARK_SET XT_MARK_SET
-#define IPT_MARK_AND XT_MARK_AND
-#define IPT_MARK_OR XT_MARK_OR
-
-#define ipt_mark_target_info_v1 xt_mark_target_info_v1
-
-#endif /*_IPT_MARK_H_target*/
diff --git a/include/linux/netfilter_ipv4/ipt_NFQUEUE.h b/include/linux/netfilter_ipv4/ipt_NFQUEUE.h
deleted file mode 100644
index 97a2a75..0000000
--- a/include/linux/netfilter_ipv4/ipt_NFQUEUE.h
+++ /dev/null
@@ -1,16 +0,0 @@
-/* iptables module for using NFQUEUE mechanism
- *
- * (C) 2005 Harald Welte <laforge@netfilter.org>
- *
- * This software is distributed under GNU GPL v2, 1991
- *
-*/
-#ifndef _IPT_NFQ_TARGET_H
-#define _IPT_NFQ_TARGET_H
-
-/* Backwards compatibility for old userspace */
-#include <linux/netfilter/xt_NFQUEUE.h>
-
-#define ipt_NFQ_info xt_NFQ_info
-
-#endif /* _IPT_DSCP_TARGET_H */
diff --git a/include/linux/netfilter_ipv4/ipt_TCPMSS.h b/include/linux/netfilter_ipv4/ipt_TCPMSS.h
deleted file mode 100644
index 7a850f9..0000000
--- a/include/linux/netfilter_ipv4/ipt_TCPMSS.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef _IPT_TCPMSS_H
-#define _IPT_TCPMSS_H
-
-#include <linux/netfilter/xt_TCPMSS.h>
-
-#define ipt_tcpmss_info xt_tcpmss_info
-#define IPT_TCPMSS_CLAMP_PMTU XT_TCPMSS_CLAMP_PMTU
-
-#endif /*_IPT_TCPMSS_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_comment.h b/include/linux/netfilter_ipv4/ipt_comment.h
deleted file mode 100644
index ae2afc2..0000000
--- a/include/linux/netfilter_ipv4/ipt_comment.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef _IPT_COMMENT_H
-#define _IPT_COMMENT_H
-
-#include <linux/netfilter/xt_comment.h>
-
-#define IPT_MAX_COMMENT_LEN XT_MAX_COMMENT_LEN
-
-#define ipt_comment_info xt_comment_info
-
-#endif /* _IPT_COMMENT_H */
diff --git a/include/linux/netfilter_ipv4/ipt_connbytes.h b/include/linux/netfilter_ipv4/ipt_connbytes.h
deleted file mode 100644
index f63e6ee..0000000
--- a/include/linux/netfilter_ipv4/ipt_connbytes.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _IPT_CONNBYTES_H
-#define _IPT_CONNBYTES_H
-
-#include <linux/netfilter/xt_connbytes.h>
-#define ipt_connbytes_what xt_connbytes_what
-
-#define IPT_CONNBYTES_PKTS XT_CONNBYTES_PKTS
-#define IPT_CONNBYTES_BYTES XT_CONNBYTES_BYTES
-#define IPT_CONNBYTES_AVGPKT XT_CONNBYTES_AVGPKT
-
-#define ipt_connbytes_direction xt_connbytes_direction
-#define IPT_CONNBYTES_DIR_ORIGINAL XT_CONNBYTES_DIR_ORIGINAL
-#define IPT_CONNBYTES_DIR_REPLY XT_CONNBYTES_DIR_REPLY
-#define IPT_CONNBYTES_DIR_BOTH XT_CONNBYTES_DIR_BOTH
-
-#define ipt_connbytes_info xt_connbytes_info
-
-#endif
diff --git a/include/linux/netfilter_ipv4/ipt_connmark.h b/include/linux/netfilter_ipv4/ipt_connmark.h
deleted file mode 100644
index c7ba656..0000000
--- a/include/linux/netfilter_ipv4/ipt_connmark.h
+++ /dev/null
@@ -1,7 +0,0 @@
-#ifndef _IPT_CONNMARK_H
-#define _IPT_CONNMARK_H
-
-#include <linux/netfilter/xt_connmark.h>
-#define ipt_connmark_info xt_connmark_info
-
-#endif /*_IPT_CONNMARK_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_conntrack.h b/include/linux/netfilter_ipv4/ipt_conntrack.h
deleted file mode 100644
index cde6762..0000000
--- a/include/linux/netfilter_ipv4/ipt_conntrack.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* Header file for kernel module to match connection tracking information.
- * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
- */
-
-#ifndef _IPT_CONNTRACK_H
-#define _IPT_CONNTRACK_H
-
-#include <linux/netfilter/xt_conntrack.h>
-
-#define IPT_CONNTRACK_STATE_BIT(ctinfo) XT_CONNTRACK_STATE_BIT(ctinfo)
-#define IPT_CONNTRACK_STATE_INVALID XT_CONNTRACK_STATE_INVALID
-
-#define IPT_CONNTRACK_STATE_SNAT XT_CONNTRACK_STATE_SNAT
-#define IPT_CONNTRACK_STATE_DNAT XT_CONNTRACK_STATE_DNAT
-#define IPT_CONNTRACK_STATE_UNTRACKED XT_CONNTRACK_STATE_UNTRACKED
-
-/* flags, invflags: */
-#define IPT_CONNTRACK_STATE XT_CONNTRACK_STATE
-#define IPT_CONNTRACK_PROTO XT_CONNTRACK_PROTO
-#define IPT_CONNTRACK_ORIGSRC XT_CONNTRACK_ORIGSRC
-#define IPT_CONNTRACK_ORIGDST XT_CONNTRACK_ORIGDST
-#define IPT_CONNTRACK_REPLSRC XT_CONNTRACK_REPLSRC
-#define IPT_CONNTRACK_REPLDST XT_CONNTRACK_REPLDST
-#define IPT_CONNTRACK_STATUS XT_CONNTRACK_STATUS
-#define IPT_CONNTRACK_EXPIRES XT_CONNTRACK_EXPIRES
-
-#define ipt_conntrack_info xt_conntrack_info
-#endif /*_IPT_CONNTRACK_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_dccp.h b/include/linux/netfilter_ipv4/ipt_dccp.h
deleted file mode 100644
index e70d11e..0000000
--- a/include/linux/netfilter_ipv4/ipt_dccp.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef _IPT_DCCP_H_
-#define _IPT_DCCP_H_
-
-#include <linux/netfilter/xt_dccp.h>
-#define IPT_DCCP_SRC_PORTS XT_DCCP_SRC_PORTS
-#define IPT_DCCP_DEST_PORTS XT_DCCP_DEST_PORTS
-#define IPT_DCCP_TYPE XT_DCCP_TYPE
-#define IPT_DCCP_OPTION XT_DCCP_OPTION
-
-#define IPT_DCCP_VALID_FLAGS XT_DCCP_VALID_FLAGS
-
-#define ipt_dccp_info xt_dccp_info
-
-#endif /* _IPT_DCCP_H_ */
-
diff --git a/include/linux/netfilter_ipv4/ipt_dscp.h b/include/linux/netfilter_ipv4/ipt_dscp.h
deleted file mode 100644
index 4b82ca9..0000000
--- a/include/linux/netfilter_ipv4/ipt_dscp.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* iptables module for matching the IPv4 DSCP field
- *
- * (C) 2002 Harald Welte <laforge@gnumonks.org>
- * This software is distributed under GNU GPL v2, 1991
- *
- * See RFC2474 for a description of the DSCP field within the IP Header.
- *
- * ipt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
-*/
-#ifndef _IPT_DSCP_H
-#define _IPT_DSCP_H
-
-#include <linux/netfilter/xt_dscp.h>
-
-#define IPT_DSCP_MASK XT_DSCP_MASK
-#define IPT_DSCP_SHIFT XT_DSCP_SHIFT
-#define IPT_DSCP_MAX XT_DSCP_MAX
-
-#define ipt_dscp_info xt_dscp_info
-
-#endif /* _IPT_DSCP_H */
diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h
index 1f0d9a4..9945baa 100644
--- a/include/linux/netfilter_ipv4/ipt_ecn.h
+++ b/include/linux/netfilter_ipv4/ipt_ecn.h
@@ -8,9 +8,9 @@
*/
#ifndef _IPT_ECN_H
#define _IPT_ECN_H
-#include <linux/netfilter_ipv4/ipt_dscp.h>
+#include <linux/netfilter/xt_dscp.h>
-#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK)
+#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
#define IPT_ECN_OP_MATCH_IP 0x01
#define IPT_ECN_OP_MATCH_ECE 0x10
diff --git a/include/linux/netfilter_ipv4/ipt_esp.h b/include/linux/netfilter_ipv4/ipt_esp.h
deleted file mode 100644
index 78296e7..0000000
--- a/include/linux/netfilter_ipv4/ipt_esp.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef _IPT_ESP_H
-#define _IPT_ESP_H
-
-#include <linux/netfilter/xt_esp.h>
-
-#define ipt_esp xt_esp
-#define IPT_ESP_INV_SPI XT_ESP_INV_SPI
-#define IPT_ESP_INV_MASK XT_ESP_INV_MASK
-
-#endif /*_IPT_ESP_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_hashlimit.h b/include/linux/netfilter_ipv4/ipt_hashlimit.h
deleted file mode 100644
index 5662120..0000000
--- a/include/linux/netfilter_ipv4/ipt_hashlimit.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef _IPT_HASHLIMIT_H
-#define _IPT_HASHLIMIT_H
-
-#include <linux/netfilter/xt_hashlimit.h>
-
-#define IPT_HASHLIMIT_SCALE XT_HASHLIMIT_SCALE
-#define IPT_HASHLIMIT_HASH_DIP XT_HASHLIMIT_HASH_DIP
-#define IPT_HASHLIMIT_HASH_DPT XT_HASHLIMIT_HASH_DPT
-#define IPT_HASHLIMIT_HASH_SIP XT_HASHLIMIT_HASH_SIP
-#define IPT_HASHLIMIT_HASH_SPT XT_HASHLIMIT_HASH_SPT
-
-#define ipt_hashlimit_info xt_hashlimit_info
-
-#endif /* _IPT_HASHLIMIT_H */
diff --git a/include/linux/netfilter_ipv4/ipt_helper.h b/include/linux/netfilter_ipv4/ipt_helper.h
deleted file mode 100644
index 80452c2..0000000
--- a/include/linux/netfilter_ipv4/ipt_helper.h
+++ /dev/null
@@ -1,7 +0,0 @@
-#ifndef _IPT_HELPER_H
-#define _IPT_HELPER_H
-
-#include <linux/netfilter/xt_helper.h>
-#define ipt_helper_info xt_helper_info
-
-#endif /* _IPT_HELPER_H */
diff --git a/include/linux/netfilter_ipv4/ipt_length.h b/include/linux/netfilter_ipv4/ipt_length.h
deleted file mode 100644
index 9b45206..0000000
--- a/include/linux/netfilter_ipv4/ipt_length.h
+++ /dev/null
@@ -1,7 +0,0 @@
-#ifndef _IPT_LENGTH_H
-#define _IPT_LENGTH_H
-
-#include <linux/netfilter/xt_length.h>
-#define ipt_length_info xt_length_info
-
-#endif /*_IPT_LENGTH_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_limit.h b/include/linux/netfilter_ipv4/ipt_limit.h
deleted file mode 100644
index 92f5cd0..0000000
--- a/include/linux/netfilter_ipv4/ipt_limit.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef _IPT_RATE_H
-#define _IPT_RATE_H
-
-#include <linux/netfilter/xt_limit.h>
-#define IPT_LIMIT_SCALE XT_LIMIT_SCALE
-#define ipt_rateinfo xt_rateinfo
-
-#endif /*_IPT_RATE_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_mac.h b/include/linux/netfilter_ipv4/ipt_mac.h
deleted file mode 100644
index b186008..0000000
--- a/include/linux/netfilter_ipv4/ipt_mac.h
+++ /dev/null
@@ -1,7 +0,0 @@
-#ifndef _IPT_MAC_H
-#define _IPT_MAC_H
-
-#include <linux/netfilter/xt_mac.h>
-#define ipt_mac_info xt_mac_info
-
-#endif /*_IPT_MAC_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_mark.h b/include/linux/netfilter_ipv4/ipt_mark.h
deleted file mode 100644
index bfde67c..0000000
--- a/include/linux/netfilter_ipv4/ipt_mark.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef _IPT_MARK_H
-#define _IPT_MARK_H
-
-/* Backwards compatibility for old userspace */
-#include <linux/netfilter/xt_mark.h>
-
-#define ipt_mark_info xt_mark_info
-
-#endif /*_IPT_MARK_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_multiport.h b/include/linux/netfilter_ipv4/ipt_multiport.h
deleted file mode 100644
index 55fe85e..0000000
--- a/include/linux/netfilter_ipv4/ipt_multiport.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef _IPT_MULTIPORT_H
-#define _IPT_MULTIPORT_H
-
-#include <linux/netfilter/xt_multiport.h>
-
-#define IPT_MULTIPORT_SOURCE XT_MULTIPORT_SOURCE
-#define IPT_MULTIPORT_DESTINATION XT_MULTIPORT_DESTINATION
-#define IPT_MULTIPORT_EITHER XT_MULTIPORT_EITHER
-
-#define IPT_MULTI_PORTS XT_MULTI_PORTS
-
-#define ipt_multiport xt_multiport
-#define ipt_multiport_v1 xt_multiport_v1
-
-#endif /*_IPT_MULTIPORT_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_physdev.h b/include/linux/netfilter_ipv4/ipt_physdev.h
deleted file mode 100644
index 2400e71..0000000
--- a/include/linux/netfilter_ipv4/ipt_physdev.h
+++ /dev/null
@@ -1,17 +0,0 @@
-#ifndef _IPT_PHYSDEV_H
-#define _IPT_PHYSDEV_H
-
-/* Backwards compatibility for old userspace */
-
-#include <linux/netfilter/xt_physdev.h>
-
-#define IPT_PHYSDEV_OP_IN XT_PHYSDEV_OP_IN
-#define IPT_PHYSDEV_OP_OUT XT_PHYSDEV_OP_OUT
-#define IPT_PHYSDEV_OP_BRIDGED XT_PHYSDEV_OP_BRIDGED
-#define IPT_PHYSDEV_OP_ISIN XT_PHYSDEV_OP_ISIN
-#define IPT_PHYSDEV_OP_ISOUT XT_PHYSDEV_OP_ISOUT
-#define IPT_PHYSDEV_OP_MASK XT_PHYSDEV_OP_MASK
-
-#define ipt_physdev_info xt_physdev_info
-
-#endif /*_IPT_PHYSDEV_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_pkttype.h b/include/linux/netfilter_ipv4/ipt_pkttype.h
deleted file mode 100644
index ff1fbc9..0000000
--- a/include/linux/netfilter_ipv4/ipt_pkttype.h
+++ /dev/null
@@ -1,7 +0,0 @@
-#ifndef _IPT_PKTTYPE_H
-#define _IPT_PKTTYPE_H
-
-#include <linux/netfilter/xt_pkttype.h>
-#define ipt_pkttype_info xt_pkttype_info
-
-#endif /*_IPT_PKTTYPE_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_policy.h b/include/linux/netfilter_ipv4/ipt_policy.h
deleted file mode 100644
index 1037fb2..0000000
--- a/include/linux/netfilter_ipv4/ipt_policy.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef _IPT_POLICY_H
-#define _IPT_POLICY_H
-
-#include <linux/netfilter/xt_policy.h>
-
-#define IPT_POLICY_MAX_ELEM XT_POLICY_MAX_ELEM
-
-/* ipt_policy_flags */
-#define IPT_POLICY_MATCH_IN XT_POLICY_MATCH_IN
-#define IPT_POLICY_MATCH_OUT XT_POLICY_MATCH_OUT
-#define IPT_POLICY_MATCH_NONE XT_POLICY_MATCH_NONE
-#define IPT_POLICY_MATCH_STRICT XT_POLICY_MATCH_STRICT
-
-/* ipt_policy_modes */
-#define IPT_POLICY_MODE_TRANSPORT XT_POLICY_MODE_TRANSPORT
-#define IPT_POLICY_MODE_TUNNEL XT_POLICY_MODE_TUNNEL
-
-#define ipt_policy_spec xt_policy_spec
-#define ipt_policy_addr xt_policy_addr
-#define ipt_policy_elem xt_policy_elem
-#define ipt_policy_info xt_policy_info
-
-#endif /* _IPT_POLICY_H */
diff --git a/include/linux/netfilter_ipv4/ipt_recent.h b/include/linux/netfilter_ipv4/ipt_recent.h
deleted file mode 100644
index d636cca..0000000
--- a/include/linux/netfilter_ipv4/ipt_recent.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef _IPT_RECENT_H
-#define _IPT_RECENT_H
-
-#include <linux/netfilter/xt_recent.h>
-
-#define ipt_recent_info xt_recent_mtinfo
-
-enum {
- IPT_RECENT_CHECK = XT_RECENT_CHECK,
- IPT_RECENT_SET = XT_RECENT_SET,
- IPT_RECENT_UPDATE = XT_RECENT_UPDATE,
- IPT_RECENT_REMOVE = XT_RECENT_REMOVE,
- IPT_RECENT_TTL = XT_RECENT_TTL,
-
- IPT_RECENT_SOURCE = XT_RECENT_SOURCE,
- IPT_RECENT_DEST = XT_RECENT_DEST,
-
- IPT_RECENT_NAME_LEN = XT_RECENT_NAME_LEN,
-};
-
-#endif /*_IPT_RECENT_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_sctp.h b/include/linux/netfilter_ipv4/ipt_sctp.h
deleted file mode 100644
index 80b3dba..0000000
--- a/include/linux/netfilter_ipv4/ipt_sctp.h
+++ /dev/null
@@ -1,105 +0,0 @@
-#ifndef _IPT_SCTP_H_
-#define _IPT_SCTP_H_
-
-#define IPT_SCTP_SRC_PORTS 0x01
-#define IPT_SCTP_DEST_PORTS 0x02
-#define IPT_SCTP_CHUNK_TYPES 0x04
-
-#define IPT_SCTP_VALID_FLAGS 0x07
-
-
-struct ipt_sctp_flag_info {
- u_int8_t chunktype;
- u_int8_t flag;
- u_int8_t flag_mask;
-};
-
-#define IPT_NUM_SCTP_FLAGS 4
-
-struct ipt_sctp_info {
- u_int16_t dpts[2]; /* Min, Max */
- u_int16_t spts[2]; /* Min, Max */
-
- u_int32_t chunkmap[256 / sizeof (u_int32_t)]; /* Bit mask of chunks to be matched according to RFC 2960 */
-
-#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */
-#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */
-#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */
-
- u_int32_t chunk_match_type;
- struct ipt_sctp_flag_info flag_info[IPT_NUM_SCTP_FLAGS];
- int flag_count;
-
- u_int32_t flags;
- u_int32_t invflags;
-};
-
-#define bytes(type) (sizeof(type) * 8)
-
-#define SCTP_CHUNKMAP_SET(chunkmap, type) \
- do { \
- chunkmap[type / bytes(u_int32_t)] |= \
- 1 << (type % bytes(u_int32_t)); \
- } while (0)
-
-#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
- do { \
- chunkmap[type / bytes(u_int32_t)] &= \
- ~(1 << (type % bytes(u_int32_t))); \
- } while (0)
-
-#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
-({ \
- (chunkmap[type / bytes (u_int32_t)] & \
- (1 << (type % bytes (u_int32_t)))) ? 1: 0; \
-})
-
-#define SCTP_CHUNKMAP_RESET(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \
- chunkmap[i] = 0; \
- } while (0)
-
-#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \
- chunkmap[i] = ~0; \
- } while (0)
-
-#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
- do { \
- int i; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \
- destmap[i] = srcmap[i]; \
- } while (0)
-
-#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \
- if (chunkmap[i]) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
-
-#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \
- if (chunkmap[i] != ~0) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
-
-#endif /* _IPT_SCTP_H_ */
-
diff --git a/include/linux/netfilter_ipv4/ipt_state.h b/include/linux/netfilter_ipv4/ipt_state.h
deleted file mode 100644
index a44a99c..0000000
--- a/include/linux/netfilter_ipv4/ipt_state.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef _IPT_STATE_H
-#define _IPT_STATE_H
-
-/* Backwards compatibility for old userspace */
-
-#include <linux/netfilter/xt_state.h>
-
-#define IPT_STATE_BIT XT_STATE_BIT
-#define IPT_STATE_INVALID XT_STATE_INVALID
-
-#define IPT_STATE_UNTRACKED XT_STATE_UNTRACKED
-
-#define ipt_state_info xt_state_info
-
-#endif /*_IPT_STATE_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_string.h b/include/linux/netfilter_ipv4/ipt_string.h
deleted file mode 100644
index c26de30..0000000
--- a/include/linux/netfilter_ipv4/ipt_string.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef _IPT_STRING_H
-#define _IPT_STRING_H
-
-#include <linux/netfilter/xt_string.h>
-
-#define IPT_STRING_MAX_PATTERN_SIZE XT_STRING_MAX_PATTERN_SIZE
-#define IPT_STRING_MAX_ALGO_NAME_SIZE XT_STRING_MAX_ALGO_NAME_SIZE
-#define ipt_string_info xt_string_info
-
-#endif /*_IPT_STRING_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_tcpmss.h b/include/linux/netfilter_ipv4/ipt_tcpmss.h
deleted file mode 100644
index 18bbc8e..0000000
--- a/include/linux/netfilter_ipv4/ipt_tcpmss.h
+++ /dev/null
@@ -1,7 +0,0 @@
-#ifndef _IPT_TCPMSS_MATCH_H
-#define _IPT_TCPMSS_MATCH_H
-
-#include <linux/netfilter/xt_tcpmss.h>
-#define ipt_tcpmss_match_info xt_tcpmss_match_info
-
-#endif /*_IPT_TCPMSS_MATCH_H*/
diff --git a/include/linux/netfilter_ipv6/Kbuild b/include/linux/netfilter_ipv6/Kbuild
index 4610a16..e864eae 100644
--- a/include/linux/netfilter_ipv6/Kbuild
+++ b/include/linux/netfilter_ipv6/Kbuild
@@ -1,21 +1,12 @@
header-y += ip6t_HL.h
header-y += ip6t_LOG.h
-header-y += ip6t_MARK.h
header-y += ip6t_REJECT.h
header-y += ip6t_ah.h
-header-y += ip6t_esp.h
header-y += ip6t_frag.h
-header-y += ip6t_hl.h
header-y += ip6t_ipv6header.h
-header-y += ip6t_length.h
-header-y += ip6t_limit.h
-header-y += ip6t_mac.h
-header-y += ip6t_mark.h
+header-y += ip6t_hl.h
header-y += ip6t_mh.h
-header-y += ip6t_multiport.h
header-y += ip6t_opts.h
-header-y += ip6t_physdev.h
-header-y += ip6t_policy.h
header-y += ip6t_rt.h
unifdef-y += ip6_tables.h
diff --git a/include/linux/netfilter_ipv6/ip6t_MARK.h b/include/linux/netfilter_ipv6/ip6t_MARK.h
deleted file mode 100644
index 7cf629a..0000000
--- a/include/linux/netfilter_ipv6/ip6t_MARK.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef _IP6T_MARK_H_target
-#define _IP6T_MARK_H_target
-
-/* Backwards compatibility for old userspace */
-#include <linux/netfilter/xt_MARK.h>
-
-#define ip6t_mark_target_info xt_mark_target_info
-
-#endif /*_IP6T_MARK_H_target*/
diff --git a/include/linux/netfilter_ipv6/ip6t_esp.h b/include/linux/netfilter_ipv6/ip6t_esp.h
deleted file mode 100644
index f62eaf5..0000000
--- a/include/linux/netfilter_ipv6/ip6t_esp.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef _IP6T_ESP_H
-#define _IP6T_ESP_H
-
-#include <linux/netfilter/xt_esp.h>
-
-#define ip6t_esp xt_esp
-#define IP6T_ESP_INV_SPI XT_ESP_INV_SPI
-#define IP6T_ESP_INV_MASK XT_ESP_INV_MASK
-
-#endif /*_IP6T_ESP_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_length.h b/include/linux/netfilter_ipv6/ip6t_length.h
deleted file mode 100644
index 9e9689d..0000000
--- a/include/linux/netfilter_ipv6/ip6t_length.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef _IP6T_LENGTH_H
-#define _IP6T_LENGTH_H
-
-#include <linux/netfilter/xt_length.h>
-#define ip6t_length_info xt_length_info
-
-#endif /*_IP6T_LENGTH_H*/
-
diff --git a/include/linux/netfilter_ipv6/ip6t_limit.h b/include/linux/netfilter_ipv6/ip6t_limit.h
deleted file mode 100644
index 487e5ea..0000000
--- a/include/linux/netfilter_ipv6/ip6t_limit.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef _IP6T_RATE_H
-#define _IP6T_RATE_H
-
-#include <linux/netfilter/xt_limit.h>
-#define IP6T_LIMIT_SCALE XT_LIMIT_SCALE
-#define ip6t_rateinfo xt_rateinfo
-
-#endif /*_IP6T_RATE_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_mac.h b/include/linux/netfilter_ipv6/ip6t_mac.h
deleted file mode 100644
index ac58e83..0000000
--- a/include/linux/netfilter_ipv6/ip6t_mac.h
+++ /dev/null
@@ -1,7 +0,0 @@
-#ifndef _IP6T_MAC_H
-#define _IP6T_MAC_H
-
-#include <linux/netfilter/xt_mac.h>
-#define ip6t_mac_info xt_mac_info
-
-#endif /*_IP6T_MAC_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_mark.h b/include/linux/netfilter_ipv6/ip6t_mark.h
deleted file mode 100644
index ff20495..0000000
--- a/include/linux/netfilter_ipv6/ip6t_mark.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef _IP6T_MARK_H
-#define _IP6T_MARK_H
-
-/* Backwards compatibility for old userspace */
-#include <linux/netfilter/xt_mark.h>
-
-#define ip6t_mark_info xt_mark_info
-
-#endif /*_IPT_MARK_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_multiport.h b/include/linux/netfilter_ipv6/ip6t_multiport.h
deleted file mode 100644
index 042c926..0000000
--- a/include/linux/netfilter_ipv6/ip6t_multiport.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef _IP6T_MULTIPORT_H
-#define _IP6T_MULTIPORT_H
-
-#include <linux/netfilter/xt_multiport.h>
-
-#define IP6T_MULTIPORT_SOURCE XT_MULTIPORT_SOURCE
-#define IP6T_MULTIPORT_DESTINATION XT_MULTIPORT_DESTINATION
-#define IP6T_MULTIPORT_EITHER XT_MULTIPORT_EITHER
-
-#define IP6T_MULTI_PORTS XT_MULTI_PORTS
-
-#define ip6t_multiport xt_multiport
-
-#endif /*_IP6T_MULTIPORT_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_physdev.h b/include/linux/netfilter_ipv6/ip6t_physdev.h
deleted file mode 100644
index c161c0a..0000000
--- a/include/linux/netfilter_ipv6/ip6t_physdev.h
+++ /dev/null
@@ -1,17 +0,0 @@
-#ifndef _IP6T_PHYSDEV_H
-#define _IP6T_PHYSDEV_H
-
-/* Backwards compatibility for old userspace */
-
-#include <linux/netfilter/xt_physdev.h>
-
-#define IP6T_PHYSDEV_OP_IN XT_PHYSDEV_OP_IN
-#define IP6T_PHYSDEV_OP_OUT XT_PHYSDEV_OP_OUT
-#define IP6T_PHYSDEV_OP_BRIDGED XT_PHYSDEV_OP_BRIDGED
-#define IP6T_PHYSDEV_OP_ISIN XT_PHYSDEV_OP_ISIN
-#define IP6T_PHYSDEV_OP_ISOUT XT_PHYSDEV_OP_ISOUT
-#define IP6T_PHYSDEV_OP_MASK XT_PHYSDEV_OP_MASK
-
-#define ip6t_physdev_info xt_physdev_info
-
-#endif /*_IP6T_PHYSDEV_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_policy.h b/include/linux/netfilter_ipv6/ip6t_policy.h
deleted file mode 100644
index b1c449d..0000000
--- a/include/linux/netfilter_ipv6/ip6t_policy.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef _IP6T_POLICY_H
-#define _IP6T_POLICY_H
-
-#include <linux/netfilter/xt_policy.h>
-
-#define IP6T_POLICY_MAX_ELEM XT_POLICY_MAX_ELEM
-
-/* ip6t_policy_flags */
-#define IP6T_POLICY_MATCH_IN XT_POLICY_MATCH_IN
-#define IP6T_POLICY_MATCH_OUT XT_POLICY_MATCH_OUT
-#define IP6T_POLICY_MATCH_NONE XT_POLICY_MATCH_NONE
-#define IP6T_POLICY_MATCH_STRICT XT_POLICY_MATCH_STRICT
-
-/* ip6t_policy_modes */
-#define IP6T_POLICY_MODE_TRANSPORT XT_POLICY_MODE_TRANSPORT
-#define IP6T_POLICY_MODE_TUNNEL XT_POLICY_MODE_TUNNEL
-
-#define ip6t_policy_spec xt_policy_spec
-#define ip6t_policy_addr xt_policy_addr
-#define ip6t_policy_elem xt_policy_elem
-#define ip6t_policy_info xt_policy_info
-
-#endif /* _IP6T_POLICY_H */
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 011/103] netfilter: conntrack: switch hook PFs to nfproto
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (9 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 010/103] netfilter: xtables: remove redirecting header files Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:24 ` [PATCH 012/103] netfilter: xtables: " Jan Engelhardt
` (93 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 8 ++++----
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 12 ++++++------
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 7d2ead7..8905cc7 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -158,28 +158,28 @@ static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = {
{
.hook = ipv4_conntrack_in,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_CONNTRACK,
},
{
.hook = ipv4_conntrack_local,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_CONNTRACK,
},
{
.hook = ipv4_confirm,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
},
{
.hook = ipv4_confirm,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
},
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 2a15c2d..a7f4cd6 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -265,42 +265,42 @@ static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
{
.hook = ipv6_defrag,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_CONNTRACK_DEFRAG,
},
{
.hook = ipv6_conntrack_in,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_CONNTRACK,
},
{
.hook = ipv6_conntrack_local,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_CONNTRACK,
},
{
.hook = ipv6_defrag,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_CONNTRACK_DEFRAG,
},
{
.hook = ipv6_confirm,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP6_PRI_LAST,
},
{
.hook = ipv6_confirm,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_LAST-1,
},
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 012/103] netfilter: xtables: switch hook PFs to nfproto
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (10 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 011/103] netfilter: conntrack: switch hook PFs to nfproto Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:24 ` [PATCH 013/103] netfilter: xtables: switch table AFs " Jan Engelhardt
` (92 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/bridge/netfilter/ebtable_filter.c | 6 +++---
net/bridge/netfilter/ebtable_nat.c | 6 +++---
net/ipv4/netfilter/iptable_filter.c | 6 +++---
net/ipv4/netfilter/iptable_mangle.c | 10 +++++-----
net/ipv4/netfilter/iptable_raw.c | 4 ++--
net/ipv4/netfilter/iptable_security.c | 6 +++---
net/ipv4/netfilter/nf_nat_standalone.c | 8 ++++----
net/ipv6/netfilter/ip6table_filter.c | 6 +++---
net/ipv6/netfilter/ip6table_mangle.c | 10 +++++-----
net/ipv6/netfilter/ip6table_raw.c | 4 ++--
net/ipv6/netfilter/ip6table_security.c | 6 +++---
11 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c
index a5eea72..4b988db 100644
--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -77,21 +77,21 @@ static struct nf_hook_ops ebt_ops_filter[] __read_mostly = {
{
.hook = ebt_in_hook,
.owner = THIS_MODULE,
- .pf = PF_BRIDGE,
+ .pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_LOCAL_IN,
.priority = NF_BR_PRI_FILTER_BRIDGED,
},
{
.hook = ebt_in_hook,
.owner = THIS_MODULE,
- .pf = PF_BRIDGE,
+ .pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_FORWARD,
.priority = NF_BR_PRI_FILTER_BRIDGED,
},
{
.hook = ebt_out_hook,
.owner = THIS_MODULE,
- .pf = PF_BRIDGE,
+ .pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_LOCAL_OUT,
.priority = NF_BR_PRI_FILTER_OTHER,
},
diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c
index 6024c55..4a98804 100644
--- a/net/bridge/netfilter/ebtable_nat.c
+++ b/net/bridge/netfilter/ebtable_nat.c
@@ -77,21 +77,21 @@ static struct nf_hook_ops ebt_ops_nat[] __read_mostly = {
{
.hook = ebt_nat_out,
.owner = THIS_MODULE,
- .pf = PF_BRIDGE,
+ .pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_LOCAL_OUT,
.priority = NF_BR_PRI_NAT_DST_OTHER,
},
{
.hook = ebt_nat_out,
.owner = THIS_MODULE,
- .pf = PF_BRIDGE,
+ .pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_POST_ROUTING,
.priority = NF_BR_PRI_NAT_SRC,
},
{
.hook = ebt_nat_in,
.owner = THIS_MODULE,
- .pf = PF_BRIDGE,
+ .pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_PRE_ROUTING,
.priority = NF_BR_PRI_NAT_DST_BRIDGED,
},
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index c30a969..bef326c 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -102,21 +102,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
.hook = ipt_local_in_hook,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_FILTER,
},
{
.hook = ipt_hook,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_FILTER,
},
{
.hook = ipt_local_out_hook,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_FILTER,
},
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 4087614..1442df7 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -162,35 +162,35 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
.hook = ipt_pre_routing_hook,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_MANGLE,
},
{
.hook = ipt_local_in_hook,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_MANGLE,
},
{
.hook = ipt_forward_hook,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_MANGLE,
},
{
.hook = ipt_local_hook,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_MANGLE,
},
{
.hook = ipt_post_routing_hook,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_MANGLE,
},
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index e5356da..1d28df8 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -74,14 +74,14 @@ ipt_local_hook(unsigned int hook,
static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
.hook = ipt_hook,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_RAW,
.owner = THIS_MODULE,
},
{
.hook = ipt_local_hook,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_RAW,
.owner = THIS_MODULE,
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 29ab630..8c5a250 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -105,21 +105,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
.hook = ipt_local_in_hook,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_SECURITY,
},
{
.hook = ipt_forward_hook,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_SECURITY,
},
{
.hook = ipt_local_out_hook,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_SECURITY,
},
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 5567bd0..5f41d01 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -251,7 +251,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
{
.hook = nf_nat_in,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_NAT_DST,
},
@@ -259,7 +259,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
{
.hook = nf_nat_out,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_NAT_SRC,
},
@@ -267,7 +267,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
{
.hook = nf_nat_local_fn,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_NAT_DST,
},
@@ -275,7 +275,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
{
.hook = nf_nat_fn,
.owner = THIS_MODULE,
- .pf = PF_INET,
+ .pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_NAT_SRC,
},
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index ef5a0a3..b35c358 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -95,21 +95,21 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
.hook = ip6t_in_hook,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_FILTER,
},
{
.hook = ip6t_in_hook,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_FILTER,
},
{
.hook = ip6t_local_out_hook,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_FILTER,
},
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index ab0d398..a98ced1 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -136,35 +136,35 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
.hook = ip6t_in_hook,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_MANGLE,
},
{
.hook = ip6t_in_hook,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_MANGLE,
},
{
.hook = ip6t_in_hook,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_MANGLE,
},
{
.hook = ip6t_local_out_hook,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_MANGLE,
},
{
.hook = ip6t_post_routing_hook,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP6_PRI_MANGLE,
},
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 4b792b6..ec12540 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -68,14 +68,14 @@ ip6t_local_out_hook(unsigned int hook,
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
.hook = ip6t_pre_routing_hook,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_FIRST,
.owner = THIS_MODULE,
},
{
.hook = ip6t_local_out_hook,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_FIRST,
.owner = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 0ea37ff..d808507 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -101,21 +101,21 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
.hook = ip6t_local_in_hook,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_SECURITY,
},
{
.hook = ip6t_forward_hook,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_SECURITY,
},
{
.hook = ip6t_local_out_hook,
.owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_SECURITY,
},
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 013/103] netfilter: xtables: switch table AFs to nfproto
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (11 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 012/103] netfilter: xtables: " Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:24 ` [PATCH 014/103] netfilter: xtables: remove unneeded gotos in table error paths Jan Engelhardt
` (91 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/iptable_filter.c | 2 +-
net/ipv4/netfilter/iptable_mangle.c | 2 +-
net/ipv4/netfilter/iptable_raw.c | 2 +-
net/ipv4/netfilter/iptable_security.c | 2 +-
net/ipv4/netfilter/nf_nat_rule.c | 2 +-
net/ipv6/netfilter/ip6table_filter.c | 2 +-
net/ipv6/netfilter/ip6table_mangle.c | 2 +-
net/ipv6/netfilter/ip6table_raw.c | 2 +-
net/ipv6/netfilter/ip6table_security.c | 2 +-
9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index bef326c..97dbd94 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -57,7 +57,7 @@ static struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
- .af = AF_INET,
+ .af = NFPROTO_IPV4,
};
/* The work comes in here from netfilter.c. */
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 1442df7..28647f1 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -68,7 +68,7 @@ static struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
- .af = AF_INET,
+ .af = NFPROTO_IPV4,
};
/* The work comes in here from netfilter.c. */
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 1d28df8..494784c 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -40,7 +40,7 @@ static struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
- .af = AF_INET,
+ .af = NFPROTO_IPV4,
};
/* The work comes in here from netfilter.c. */
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 8c5a250..8804e1a 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -61,7 +61,7 @@ static struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
- .af = AF_INET,
+ .af = NFPROTO_IPV4,
};
static unsigned int
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 6348a79..6448a9b 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -62,7 +62,7 @@ static struct xt_table nat_table = {
.name = "nat",
.valid_hooks = NAT_VALID_HOOKS,
.me = THIS_MODULE,
- .af = AF_INET,
+ .af = NFPROTO_IPV4,
};
/* Source NAT */
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index b35c358..0a3ae48 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -55,7 +55,7 @@ static struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
- .af = AF_INET6,
+ .af = NFPROTO_IPV6,
};
/* The work comes in here from netfilter.c. */
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index a98ced1..0f49e00 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -61,7 +61,7 @@ static struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
- .af = AF_INET6,
+ .af = NFPROTO_IPV6,
};
/* The work comes in here from netfilter.c. */
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index ec12540..679865e 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -39,7 +39,7 @@ static struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
- .af = AF_INET6,
+ .af = NFPROTO_IPV6,
};
/* The work comes in here from netfilter.c. */
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index d808507..822afab 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -60,7 +60,7 @@ static struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
- .af = AF_INET6,
+ .af = NFPROTO_IPV6,
};
static unsigned int
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 014/103] netfilter: xtables: remove unneeded gotos in table error paths
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (12 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 013/103] netfilter: xtables: switch table AFs " Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-10 8:48 ` Patrick McHardy
2009-08-04 7:24 ` [PATCH 015/103] netfilter: xtables: realign struct xt_target_param Jan Engelhardt
` (90 subsequent siblings)
104 siblings, 1 reply; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arptable_filter.c | 6 +-----
net/ipv4/netfilter/iptable_filter.c | 6 +-----
net/ipv4/netfilter/iptable_mangle.c | 6 +-----
net/ipv4/netfilter/iptable_raw.c | 6 +-----
net/ipv4/netfilter/iptable_security.c | 6 +-----
net/ipv6/netfilter/ip6table_filter.c | 6 +-----
net/ipv6/netfilter/ip6table_mangle.c | 6 +-----
net/ipv6/netfilter/ip6table_raw.c | 6 +-----
net/ipv6/netfilter/ip6table_security.c | 6 +-----
9 files changed, 9 insertions(+), 45 deletions(-)
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 6ecfdae..87ecd3e 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -127,11 +127,7 @@ static int __init arptable_filter_init(void)
ret = nf_register_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
if (ret < 0)
- goto cleanup_table;
- return ret;
-
-cleanup_table:
- unregister_pernet_subsys(&arptable_filter_net_ops);
+ unregister_pernet_subsys(&arptable_filter_net_ops);
return ret;
}
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 97dbd94..24d39cb 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -165,13 +165,9 @@ static int __init iptable_filter_init(void)
/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0)
- goto cleanup_table;
+ unregister_pernet_subsys(&iptable_filter_net_ops);
return ret;
-
- cleanup_table:
- unregister_pernet_subsys(&iptable_filter_net_ops);
- return ret;
}
static void __exit iptable_filter_fini(void)
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 28647f1..107baf8 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -227,13 +227,9 @@ static int __init iptable_mangle_init(void)
/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0)
- goto cleanup_table;
+ unregister_pernet_subsys(&iptable_mangle_net_ops);
return ret;
-
- cleanup_table:
- unregister_pernet_subsys(&iptable_mangle_net_ops);
- return ret;
}
static void __exit iptable_mangle_fini(void)
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 494784c..8864a82 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -119,13 +119,9 @@ static int __init iptable_raw_init(void)
/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0)
- goto cleanup_table;
+ unregister_pernet_subsys(&iptable_raw_net_ops);
return ret;
-
- cleanup_table:
- unregister_pernet_subsys(&iptable_raw_net_ops);
- return ret;
}
static void __exit iptable_raw_fini(void)
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 8804e1a..cab3eaa 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -156,13 +156,9 @@ static int __init iptable_security_init(void)
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0)
- goto cleanup_table;
+ unregister_pernet_subsys(&iptable_security_net_ops);
return ret;
-
-cleanup_table:
- unregister_pernet_subsys(&iptable_security_net_ops);
- return ret;
}
static void __exit iptable_security_fini(void)
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 0a3ae48..5a81188 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -158,13 +158,9 @@ static int __init ip6table_filter_init(void)
/* Register hooks */
ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
if (ret < 0)
- goto cleanup_table;
+ unregister_pernet_subsys(&ip6table_filter_net_ops);
return ret;
-
- cleanup_table:
- unregister_pernet_subsys(&ip6table_filter_net_ops);
- return ret;
}
static void __exit ip6table_filter_fini(void)
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 0f49e00..db44cef 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -201,13 +201,9 @@ static int __init ip6table_mangle_init(void)
/* Register hooks */
ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
if (ret < 0)
- goto cleanup_table;
+ unregister_pernet_subsys(&ip6table_mangle_net_ops);
return ret;
-
- cleanup_table:
- unregister_pernet_subsys(&ip6table_mangle_net_ops);
- return ret;
}
static void __exit ip6table_mangle_fini(void)
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 679865e..30e4ca5 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -113,13 +113,9 @@ static int __init ip6table_raw_init(void)
/* Register hooks */
ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
if (ret < 0)
- goto cleanup_table;
+ unregister_pernet_subsys(&ip6table_raw_net_ops);
return ret;
-
- cleanup_table:
- unregister_pernet_subsys(&ip6table_raw_net_ops);
- return ret;
}
static void __exit ip6table_raw_fini(void)
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 822afab..5044521 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -152,13 +152,9 @@ static int __init ip6table_security_init(void)
ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
if (ret < 0)
- goto cleanup_table;
+ unregister_pernet_subsys(&ip6table_security_net_ops);
return ret;
-
-cleanup_table:
- unregister_pernet_subsys(&ip6table_security_net_ops);
- return ret;
}
static void __exit ip6table_security_fini(void)
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* Re: [PATCH 014/103] netfilter: xtables: remove unneeded gotos in table error paths
2009-08-04 7:24 ` [PATCH 014/103] netfilter: xtables: remove unneeded gotos in table error paths Jan Engelhardt
@ 2009-08-10 8:48 ` Patrick McHardy
0 siblings, 0 replies; 118+ messages in thread
From: Patrick McHardy @ 2009-08-10 8:48 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
> ---
> net/ipv4/netfilter/arptable_filter.c | 6 +-----
> net/ipv4/netfilter/iptable_filter.c | 6 +-----
> net/ipv4/netfilter/iptable_mangle.c | 6 +-----
> net/ipv4/netfilter/iptable_raw.c | 6 +-----
> net/ipv4/netfilter/iptable_security.c | 6 +-----
> net/ipv6/netfilter/ip6table_filter.c | 6 +-----
> net/ipv6/netfilter/ip6table_mangle.c | 6 +-----
> net/ipv6/netfilter/ip6table_raw.c | 6 +-----
> net/ipv6/netfilter/ip6table_security.c | 6 +-----
> 9 files changed, 9 insertions(+), 45 deletions(-)
>
> diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
> index 6ecfdae..87ecd3e 100644
> --- a/net/ipv4/netfilter/arptable_filter.c
> +++ b/net/ipv4/netfilter/arptable_filter.c
> @@ -127,11 +127,7 @@ static int __init arptable_filter_init(void)
>
> ret = nf_register_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
> if (ret < 0)
> - goto cleanup_table;
> - return ret;
> -
> -cleanup_table:
> - unregister_pernet_subsys(&arptable_filter_net_ops);
> + unregister_pernet_subsys(&arptable_filter_net_ops);
> return ret;
> }
This is pointless, anyone adding something to the init path
will have to undo your change. I'm not applying this.
^ permalink raw reply [flat|nested] 118+ messages in thread
* [PATCH 015/103] netfilter: xtables: realign struct xt_target_param
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (13 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 014/103] netfilter: xtables: remove unneeded gotos in table error paths Jan Engelhardt
@ 2009-08-04 7:24 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 016/103] netfilter: iptables: remove unused datalen variable Jan Engelhardt
` (89 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:24 UTC (permalink / raw)
To: netfilter-devel
Saves 8 bytes on x86_64.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 1030b75..4fa6e4c 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -238,9 +238,9 @@ struct xt_mtdtor_param {
*/
struct xt_target_param {
const struct net_device *in, *out;
- unsigned int hooknum;
const struct xt_target *target;
const void *targinfo;
+ unsigned int hooknum;
u_int8_t family;
};
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 016/103] netfilter: iptables: remove unused datalen variable
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (14 preceding siblings ...)
2009-08-04 7:24 ` [PATCH 015/103] netfilter: xtables: realign struct xt_target_param Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 017/103] netfilter: xtables: use better unconditional check Jan Engelhardt
` (88 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/ip_tables.c | 4 ----
1 files changed, 0 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index fdefae6..3856aa3 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -315,7 +315,6 @@ ipt_do_table(struct sk_buff *skb,
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
const struct iphdr *ip;
- u_int16_t datalen;
bool hotdrop = false;
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
@@ -328,7 +327,6 @@ ipt_do_table(struct sk_buff *skb,
/* Initialization */
ip = ip_hdr(skb);
- datalen = skb->len - ip->ihl * 4;
indev = in ? in->name : nulldevname;
outdev = out ? out->name : nulldevname;
/* We handle fragments by dealing with the first fragment as
@@ -427,8 +425,6 @@ ipt_do_table(struct sk_buff *skb,
#endif
/* Target might have changed stuff. */
ip = ip_hdr(skb);
- datalen = skb->len - ip->ihl * 4;
-
if (verdict == IPT_CONTINUE)
e = ipt_next_entry(e);
else
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 017/103] netfilter: xtables: use better unconditional check
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (15 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 016/103] netfilter: iptables: remove unused datalen variable Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-10 8:54 ` Patrick McHardy
2009-08-04 7:25 ` [PATCH 018/103] netfilter: xtables: ignore unassigned hooks in check_entry_size_and_hooks Jan Engelhardt
` (87 subsequent siblings)
104 siblings, 1 reply; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
The use of memcmp should enable architecture-preferred comparison
methods, for example 64-bit comparisons that would complete in [more
than] half the time than inspecting just each u32/char.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arp_tables.c | 10 +++-------
net/ipv4/netfilter/ip_tables.c | 11 +++--------
net/ipv6/netfilter/ip6_tables.c | 11 +++--------
3 files changed, 9 insertions(+), 23 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 7505dff..b9f7243 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -341,15 +341,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
}
/* All zeroes == unconditional rule. */
-static inline int unconditional(const struct arpt_arp *arp)
+static inline bool unconditional(const struct arpt_arp *arp)
{
- unsigned int i;
-
- for (i = 0; i < sizeof(*arp)/sizeof(__u32); i++)
- if (((__u32 *)arp)[i])
- return 0;
+ static const struct arpt_arp uncond;
- return 1;
+ return memcmp(arp, &uncond, sizeof(uncond)) == 0;
}
/* Figures out from what hook each rule can be called: returns 0 if
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3856aa3..3431a77 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -190,16 +190,11 @@ get_entry(void *base, unsigned int offset)
/* All zeroes == unconditional rule. */
/* Mildly perf critical (only if packet tracing is on) */
-static inline int
-unconditional(const struct ipt_ip *ip)
+static inline bool unconditional(const struct ipt_ip *ip)
{
- unsigned int i;
+ static const struct ipt_ip uncond;
- for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
- if (((__u32 *)ip)[i])
- return 0;
-
- return 1;
+ return memcmp(ip, &uncond, sizeof(uncond)) == 0;
#undef FWINV
}
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index ced1f2c..1389ad9 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -222,16 +222,11 @@ get_entry(void *base, unsigned int offset)
/* All zeroes == unconditional rule. */
/* Mildly perf critical (only if packet tracing is on) */
-static inline int
-unconditional(const struct ip6t_ip6 *ipv6)
+static inline bool unconditional(const struct ip6t_ip6 *ipv6)
{
- unsigned int i;
-
- for (i = 0; i < sizeof(*ipv6); i++)
- if (((char *)ipv6)[i])
- break;
+ static const struct ip6t_ip6 uncond;
- return (i == sizeof(*ipv6));
+ return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
}
#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* Re: [PATCH 017/103] netfilter: xtables: use better unconditional check
2009-08-04 7:25 ` [PATCH 017/103] netfilter: xtables: use better unconditional check Jan Engelhardt
@ 2009-08-10 8:54 ` Patrick McHardy
2009-08-10 9:27 ` Jan Engelhardt
0 siblings, 1 reply; 118+ messages in thread
From: Patrick McHardy @ 2009-08-10 8:54 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> The use of memcmp should enable architecture-preferred comparison
> methods, for example 64-bit comparisons that would complete in [more
> than] half the time than inspecting just each u32/char.
I don't object to the change as cleanup, but that reasoning makes
no sense. memcmp can't assume alignment, so unless there's a
version checking for compile-time known alignment, this won't happen.
Please fix up the changelog and label this as cleanup.
^ permalink raw reply [flat|nested] 118+ messages in thread
* Re: [PATCH 017/103] netfilter: xtables: use better unconditional check
2009-08-10 8:54 ` Patrick McHardy
@ 2009-08-10 9:27 ` Jan Engelhardt
2009-08-10 9:31 ` Patrick McHardy
0 siblings, 1 reply; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-10 9:27 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Monday 2009-08-10 10:54, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> The use of memcmp should enable architecture-preferred comparison
>> methods, for example 64-bit comparisons that would complete in [more
>> than] half the time than inspecting just each u32/char.
>
>I don't object to the change as cleanup, but that reasoning makes
>no sense. memcmp can't assume alignment,
Right, memcmp itself cannot, and there is usually a prealignment check
in libcs that clears a few bytes and advances the pointer until it is
aligned.
>so unless there's a
>version checking for compile-time known alignment, this won't happen.
static void func(int r)
{
static int q = 1234;
memcmp(&q, &r, sizeof(q));
}
There is GCC's __builtin_memcmp, which should generally have
knowledge about alignment. q and r are known here.
>Please fix up the changelog and label this as cleanup.
Will do.
^ permalink raw reply [flat|nested] 118+ messages in thread* Re: [PATCH 017/103] netfilter: xtables: use better unconditional check
2009-08-10 9:27 ` Jan Engelhardt
@ 2009-08-10 9:31 ` Patrick McHardy
0 siblings, 0 replies; 118+ messages in thread
From: Patrick McHardy @ 2009-08-10 9:31 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Monday 2009-08-10 10:54, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> The use of memcmp should enable architecture-preferred comparison
>>> methods, for example 64-bit comparisons that would complete in [more
>>> than] half the time than inspecting just each u32/char.
>> I don't object to the change as cleanup, but that reasoning makes
>> no sense. memcmp can't assume alignment,
>
> Right, memcmp itself cannot, and there is usually a prealignment check
> in libcs that clears a few bytes and advances the pointer until it is
> aligned.
>
>> so unless there's a
>> version checking for compile-time known alignment, this won't happen.
>
> static void func(int r)
> {
> static int q = 1234;
> memcmp(&q, &r, sizeof(q));
> }
>
> There is GCC's __builtin_memcmp, which should generally have
> knowledge about alignment. q and r are known here.
Good point. I was just looking at the kernel provided implementations.
>
>> Please fix up the changelog and label this as cleanup.
>
> Will do.
>
^ permalink raw reply [flat|nested] 118+ messages in thread
* [PATCH 018/103] netfilter: xtables: ignore unassigned hooks in check_entry_size_and_hooks
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (16 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 017/103] netfilter: xtables: use better unconditional check Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 019/103] netfilter: xtables: check for unconditionality of policies Jan Engelhardt
` (86 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
The "hook_entry" and "underflow" array contains values even for hooks
not provided, such as PREROUTING in conjunction with the "filter"
table. Usually, the values point to whatever the next rule is. For
the upcoming unconditionality and underflow checking patches however,
we must not inspect that arbitrary rule.
Skipping unassigned hooks seems like a good idea, also because
newinfo->hook_entry and newinfo->underflow will then continue to have
the poison value for detecting abnormalities.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arp_tables.c | 5 ++++-
net/ipv4/netfilter/ip_tables.c | 5 ++++-
net/ipv6/netfilter/ip6_tables.c | 5 ++++-
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index b9f7243..d91f083 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -539,6 +539,7 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
+ unsigned int valid_hooks,
unsigned int *i)
{
unsigned int h;
@@ -558,6 +559,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
/* Check hooks & underflows */
for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
+ if (!(valid_hooks & (1 << h)))
+ continue;
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h])
@@ -626,7 +629,7 @@ static int translate_table(const char *name,
newinfo,
entry0,
entry0 + size,
- hook_entries, underflows, &i);
+ hook_entries, underflows, valid_hooks, &i);
duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
if (ret != 0)
return ret;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3431a77..6e7b7e8 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -714,6 +714,7 @@ check_entry_size_and_hooks(struct ipt_entry *e,
unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
+ unsigned int valid_hooks,
unsigned int *i)
{
unsigned int h;
@@ -733,6 +734,8 @@ check_entry_size_and_hooks(struct ipt_entry *e,
/* Check hooks & underflows */
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
+ if (!(valid_hooks & (1 << h)))
+ continue;
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h])
@@ -804,7 +807,7 @@ translate_table(const char *name,
newinfo,
entry0,
entry0 + size,
- hook_entries, underflows, &i);
+ hook_entries, underflows, valid_hooks, &i);
if (ret != 0)
return ret;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1389ad9..8e4921a 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -747,6 +747,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
+ unsigned int valid_hooks,
unsigned int *i)
{
unsigned int h;
@@ -766,6 +767,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
/* Check hooks & underflows */
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
+ if (!(valid_hooks & (1 << h)))
+ continue;
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h])
@@ -837,7 +840,7 @@ translate_table(const char *name,
newinfo,
entry0,
entry0 + size,
- hook_entries, underflows, &i);
+ hook_entries, underflows, valid_hooks, &i);
if (ret != 0)
return ret;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 019/103] netfilter: xtables: check for unconditionality of policies
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (17 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 018/103] netfilter: xtables: ignore unassigned hooks in check_entry_size_and_hooks Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-10 8:55 ` Patrick McHardy
2009-08-04 7:25 ` [PATCH 020/103] netfilter: xtables: check for standard verdicts in policies Jan Engelhardt
` (85 subsequent siblings)
104 siblings, 1 reply; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arp_tables.c | 12 +++++++-----
net/ipv4/netfilter/ip_tables.c | 11 +++++++----
net/ipv6/netfilter/ip6_tables.c | 12 +++++++-----
3 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index d91f083..064082d 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -8,7 +8,7 @@
* Copyright (C) 2002 David S. Miller (davem@redhat.com)
*
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
@@ -563,13 +563,15 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
continue;
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
- if ((unsigned char *)e - base == underflows[h])
+ if ((unsigned char *)e - base == underflows[h]) {
+ if (!unconditional(&e->arp)) {
+ pr_err("Underflows must be unconditional\n");
+ return -EINVAL;
+ }
newinfo->underflow[h] = underflows[h];
+ }
}
- /* FIXME: underflows must be unconditional, standard verdicts
- < 0 (not ARPT_RETURN). --RR */
-
/* Clear counters and comefrom */
e->counters = ((struct xt_counters) { 0, 0 });
e->comefrom = 0;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 6e7b7e8..6e546d5 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -8,6 +8,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/cache.h>
#include <linux/capability.h>
#include <linux/skbuff.h>
@@ -738,13 +739,15 @@ check_entry_size_and_hooks(struct ipt_entry *e,
continue;
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
- if ((unsigned char *)e - base == underflows[h])
+ if ((unsigned char *)e - base == underflows[h]) {
+ if (!unconditional(&e->ip)) {
+ pr_err("Underflows must be unconditional\n");
+ return -EINVAL;
+ }
newinfo->underflow[h] = underflows[h];
+ }
}
- /* FIXME: underflows must be unconditional, standard verdicts
- < 0 (not IPT_RETURN). --RR */
-
/* Clear counters and comefrom */
e->counters = ((struct xt_counters) { 0, 0 });
e->comefrom = 0;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 8e4921a..b0599b9 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -8,7 +8,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/capability.h>
#include <linux/in.h>
#include <linux/skbuff.h>
@@ -771,13 +771,15 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
continue;
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
- if ((unsigned char *)e - base == underflows[h])
+ if ((unsigned char *)e - base == underflows[h]) {
+ if (!unconditional(&e->ipv6)) {
+ pr_err("Underflows must be unconditional\n");
+ return -EINVAL;
+ }
newinfo->underflow[h] = underflows[h];
+ }
}
- /* FIXME: underflows must be unconditional, standard verdicts
- < 0 (not IP6T_RETURN). --RR */
-
/* Clear counters and comefrom */
e->counters = ((struct xt_counters) { 0, 0 });
e->comefrom = 0;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 020/103] netfilter: xtables: check for standard verdicts in policies
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (18 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 019/103] netfilter: xtables: check for unconditionality of policies Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 021/103] netfilter: xtables: consolidate table hook functions Jan Engelhardt
` (84 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
This adds the second check that Rusty wanted to have a long time ago. :)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arp_tables.c | 21 +++++++++++++++++++--
net/ipv4/netfilter/ip_tables.c | 21 +++++++++++++++++++--
net/ipv6/netfilter/ip6_tables.c | 21 +++++++++++++++++++--
3 files changed, 57 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 064082d..7bc11ff 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -533,6 +533,21 @@ out:
return ret;
}
+static bool check_underflow(struct arpt_entry *e)
+{
+ const struct arpt_entry_target *t;
+ unsigned int verdict;
+
+ if (!unconditional(&e->arp))
+ return false;
+ t = arpt_get_target(e);
+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+ return false;
+ verdict = ((struct arpt_standard_target *)t)->verdict;
+ verdict = -verdict - 1;
+ return verdict == NF_DROP || verdict == NF_ACCEPT;
+}
+
static inline int check_entry_size_and_hooks(struct arpt_entry *e,
struct xt_table_info *newinfo,
unsigned char *base,
@@ -564,8 +579,10 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h]) {
- if (!unconditional(&e->arp)) {
- pr_err("Underflows must be unconditional\n");
+ if (!check_underflow(e)) {
+ pr_err("Underflows must be unconditional and "
+ "use the STANDARD target with "
+ "ACCEPT/DROP\n");
return -EINVAL;
}
newinfo->underflow[h] = underflows[h];
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 6e546d5..0b43fd7 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -708,6 +708,21 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
return ret;
}
+static bool check_underflow(struct ipt_entry *e)
+{
+ const struct ipt_entry_target *t;
+ unsigned int verdict;
+
+ if (!unconditional(&e->ip))
+ return false;
+ t = ipt_get_target(e);
+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+ return false;
+ verdict = ((struct ipt_standard_target *)t)->verdict;
+ verdict = -verdict - 1;
+ return verdict == NF_DROP || verdict == NF_ACCEPT;
+}
+
static int
check_entry_size_and_hooks(struct ipt_entry *e,
struct xt_table_info *newinfo,
@@ -740,8 +755,10 @@ check_entry_size_and_hooks(struct ipt_entry *e,
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h]) {
- if (!unconditional(&e->ip)) {
- pr_err("Underflows must be unconditional\n");
+ if (!check_underflow(e)) {
+ pr_err("Underflows must be unconditional and "
+ "use the STANDARD target with "
+ "ACCEPT/DROP\n");
return -EINVAL;
}
newinfo->underflow[h] = underflows[h];
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index b0599b9..a5d0c27 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -740,6 +740,21 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
return ret;
}
+static bool check_underflow(struct ip6t_entry *e)
+{
+ const struct ip6t_entry_target *t;
+ unsigned int verdict;
+
+ if (!unconditional(&e->ipv6))
+ return false;
+ t = ip6t_get_target(e);
+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+ return false;
+ verdict = ((struct ip6t_standard_target *)t)->verdict;
+ verdict = -verdict - 1;
+ return verdict == NF_DROP || verdict == NF_ACCEPT;
+}
+
static int
check_entry_size_and_hooks(struct ip6t_entry *e,
struct xt_table_info *newinfo,
@@ -772,8 +787,10 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h]) {
- if (!unconditional(&e->ipv6)) {
- pr_err("Underflows must be unconditional\n");
+ if (!check_underflow(e)) {
+ pr_err("Underflows must be unconditional and "
+ "use the STANDARD target with "
+ "ACCEPT/DROP\n");
return -EINVAL;
}
newinfo->underflow[h] = underflows[h];
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 021/103] netfilter: xtables: consolidate table hook functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (19 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 020/103] netfilter: xtables: check for standard verdicts in policies Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-10 8:58 ` Patrick McHardy
2009-08-04 7:25 ` [PATCH 022/103] netfilter: xtables: compact " Jan Engelhardt
` (83 subsequent siblings)
104 siblings, 1 reply; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
For a following patch in this series, we will be requiring that a
single hook function per table does the processing.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arptable_filter.c | 23 +++++--------
net/ipv4/netfilter/iptable_filter.c | 45 ++++++++-------------------
net/ipv4/netfilter/iptable_mangle.c | 52 +++++++------------------------
net/ipv4/netfilter/iptable_raw.c | 20 ++++--------
net/ipv4/netfilter/iptable_security.c | 42 ++++++++------------------
net/ipv6/netfilter/ip6table_filter.c | 34 +++++---------------
net/ipv6/netfilter/ip6table_mangle.c | 30 +++++++-----------
net/ipv6/netfilter/ip6table_raw.c | 20 ++++--------
net/ipv6/netfilter/ip6table_security.c | 34 +++++----------------
9 files changed, 91 insertions(+), 209 deletions(-)
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 87ecd3e..e46123e 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -53,43 +53,38 @@ static struct xt_table packet_filter = {
};
/* The work comes in here from netfilter.c */
-static unsigned int arpt_in_hook(unsigned int hook,
+static unsigned int arptable_filter_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return arpt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.arptable_filter);
-}
+ if (hook == NF_ARP_OUT)
+ return arpt_do_table(skb, hook, in, out,
+ dev_net(out)->ipv4.arptable_filter);
-static unsigned int arpt_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
+ /* INPUT/FORWARD: */
return arpt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.arptable_filter);
+ dev_net(in)->ipv4.arptable_filter);
}
static struct nf_hook_ops arpt_ops[] __read_mostly = {
{
- .hook = arpt_in_hook,
+ .hook = arptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_ARP,
.hooknum = NF_ARP_IN,
.priority = NF_IP_PRI_FILTER,
},
{
- .hook = arpt_out_hook,
+ .hook = arptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_ARP,
.hooknum = NF_ARP_OUT,
.priority = NF_IP_PRI_FILTER,
},
{
- .hook = arpt_in_hook,
+ .hook = arptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_ARP,
.hooknum = NF_ARP_FORWARD,
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 24d39cb..26a4ff5 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -60,61 +60,44 @@ static struct xt_table packet_filter = {
.af = NFPROTO_IPV4,
};
-/* The work comes in here from netfilter.c. */
static unsigned int
-ipt_local_in_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_filter);
-}
-
-static unsigned int
-ipt_hook(unsigned int hook,
+iptable_filter_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_filter);
-}
+ if (hook == NF_INET_LOCAL_OUT) {
+ /* root is playing with raw sockets. */
+ if (skb->len < sizeof(struct iphdr) ||
+ ip_hdrlen(skb) < sizeof(struct iphdr))
+ return NF_ACCEPT;
+ return ipt_do_table(skb, hook, in, out,
+ dev_net(out)->ipv4.iptable_filter);
+ }
-static unsigned int
-ipt_local_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- /* root is playing with raw sockets. */
- if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr))
- return NF_ACCEPT;
+ /* LOCAL_IN/FORWARD: */
return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_filter);
+ dev_net(in)->ipv4.iptable_filter);
}
static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
- .hook = ipt_local_in_hook,
+ .hook = iptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_FILTER,
},
{
- .hook = ipt_hook,
+ .hook = iptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_FILTER,
},
{
- .hook = ipt_local_out_hook,
+ .hook = iptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 107baf8..e5e4233 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -73,51 +73,23 @@ static struct xt_table packet_mangler = {
/* The work comes in here from netfilter.c. */
static unsigned int
-ipt_pre_routing_hook(unsigned int hook,
+iptable_mangle_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_mangle);
-}
-
-static unsigned int
-ipt_post_routing_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_mangle);
-}
+ if (hook == NF_INET_POST_ROUTING)
+ return ipt_do_table(skb, hook, in, out,
+ dev_net(out)->ipv4.iptable_mangle);
-static unsigned int
-ipt_local_in_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_mangle);
-}
-
-static unsigned int
-ipt_forward_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
+ /* PREROUTING/INPUT/FORWARD: */
return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_mangle);
+ dev_net(in)->ipv4.iptable_mangle);
}
static unsigned int
-ipt_local_hook(unsigned int hook,
+iptable_mangle_out_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
@@ -160,35 +132,35 @@ ipt_local_hook(unsigned int hook,
static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
- .hook = ipt_pre_routing_hook,
+ .hook = iptable_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_MANGLE,
},
{
- .hook = ipt_local_in_hook,
+ .hook = iptable_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_MANGLE,
},
{
- .hook = ipt_forward_hook,
+ .hook = iptable_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_MANGLE,
},
{
- .hook = ipt_local_hook,
+ .hook = iptable_mangle_out_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_MANGLE,
},
{
- .hook = ipt_post_routing_hook,
+ .hook = iptable_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 8864a82..e7021d1 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -45,23 +45,17 @@ static struct xt_table packet_raw = {
/* The work comes in here from netfilter.c. */
static unsigned int
-ipt_hook(unsigned int hook,
+iptable_raw_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_raw);
-}
+ if (hook == NF_INET_PRE_ROUTING)
+ return ipt_do_table(skb, hook, in, out,
+ dev_net(in)->ipv4.iptable_raw);
-static unsigned int
-ipt_local_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
+ /* OUTPUT: */
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) ||
ip_hdrlen(skb) < sizeof(struct iphdr))
@@ -73,14 +67,14 @@ ipt_local_hook(unsigned int hook,
/* 'raw' is the very first table. */
static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
- .hook = ipt_hook,
+ .hook = iptable_raw_hook,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_RAW,
.owner = THIS_MODULE,
},
{
- .hook = ipt_local_hook,
+ .hook = iptable_raw_hook,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_RAW,
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index cab3eaa..1686f90 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -65,59 +65,43 @@ static struct xt_table security_table = {
};
static unsigned int
-ipt_local_in_hook(unsigned int hook,
+iptable_security_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
+ if (hook == NF_INET_LOCAL_OUT) {
+ /* Somebody is playing with raw sockets. */
+ if (skb->len < sizeof(struct iphdr)
+ || ip_hdrlen(skb) < sizeof(struct iphdr))
+ return NF_ACCEPT;
+ return ipt_do_table(skb, hook, in, out,
+ dev_net(out)->ipv4.iptable_security);
+ }
+
+ /* INPUT/FORWARD: */
return ipt_do_table(skb, hook, in, out,
dev_net(in)->ipv4.iptable_security);
}
-static unsigned int
-ipt_forward_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_security);
-}
-
-static unsigned int
-ipt_local_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- /* Somebody is playing with raw sockets. */
- if (skb->len < sizeof(struct iphdr)
- || ip_hdrlen(skb) < sizeof(struct iphdr))
- return NF_ACCEPT;
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_security);
-}
-
static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
- .hook = ipt_local_in_hook,
+ .hook = iptable_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_SECURITY,
},
{
- .hook = ipt_forward_hook,
+ .hook = iptable_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_SECURITY,
},
{
- .hook = ipt_local_out_hook,
+ .hook = iptable_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 5a81188..1b8c64f 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -60,54 +60,38 @@ static struct xt_table packet_filter = {
/* The work comes in here from netfilter.c. */
static unsigned int
-ip6t_in_hook(unsigned int hook,
+ip6table_filter_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_filter);
-}
-
-static unsigned int
-ip6t_local_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
-#if 0
- /* root is playing with raw sockets. */
- if (skb->len < sizeof(struct iphdr)
- || ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk("ip6t_hook: happy cracking.\n");
- return NF_ACCEPT;
- }
-#endif
+ if (hook == NF_INET_LOCAL_OUT)
+ return ip6t_do_table(skb, hook, in, out,
+ dev_net(out)->ipv6.ip6table_filter);
+ /* INPUT/FORWARD: */
return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_filter);
+ dev_net(in)->ipv6.ip6table_filter);
}
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
- .hook = ip6t_in_hook,
+ .hook = ip6table_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_FILTER,
},
{
- .hook = ip6t_in_hook,
+ .hook = ip6table_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_FILTER,
},
{
- .hook = ip6t_local_out_hook,
+ .hook = ip6table_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index db44cef..17bb452 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -66,29 +66,23 @@ static struct xt_table packet_mangler = {
/* The work comes in here from netfilter.c. */
static unsigned int
-ip6t_in_hook(unsigned int hook,
+ip6table_mangle_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_mangle);
-}
+ if (hook == NF_INET_POST_ROUTING)
+ return ip6t_do_table(skb, hook, in, out,
+ dev_net(out)->ipv6.ip6table_mangle);
-static unsigned int
-ip6t_post_routing_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
+ /* INPUT/FORWARD */
return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_mangle);
+ dev_net(in)->ipv6.ip6table_mangle);
}
static unsigned int
-ip6t_local_out_hook(unsigned int hook,
+ip6table_mangle_out_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
@@ -134,35 +128,35 @@ ip6t_local_out_hook(unsigned int hook,
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
- .hook = ip6t_in_hook,
+ .hook = ip6table_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_MANGLE,
},
{
- .hook = ip6t_in_hook,
+ .hook = ip6table_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_MANGLE,
},
{
- .hook = ip6t_in_hook,
+ .hook = ip6table_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_MANGLE,
},
{
- .hook = ip6t_local_out_hook,
+ .hook = ip6table_mangle_out_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_MANGLE,
},
{
- .hook = ip6t_post_routing_hook,
+ .hook = ip6table_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_POST_ROUTING,
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 30e4ca5..2b758ec 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -44,37 +44,31 @@ static struct xt_table packet_raw = {
/* The work comes in here from netfilter.c. */
static unsigned int
-ip6t_pre_routing_hook(unsigned int hook,
+ip6table_raw_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_raw);
-}
+ if (hook == NF_INET_PRE_ROUTING)
+ return ip6t_do_table(skb, hook, in, out,
+ dev_net(in)->ipv6.ip6table_raw);
-static unsigned int
-ip6t_local_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
+ /* OUTPUT: */
return ip6t_do_table(skb, hook, in, out,
dev_net(out)->ipv6.ip6table_raw);
}
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
- .hook = ip6t_pre_routing_hook,
+ .hook = ip6table_raw_hook,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_FIRST,
.owner = THIS_MODULE,
},
{
- .hook = ip6t_local_out_hook,
+ .hook = ip6table_raw_hook,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_FIRST,
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 5044521..51223eb 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -64,56 +64,38 @@ static struct xt_table security_table = {
};
static unsigned int
-ip6t_local_in_hook(unsigned int hook,
+ip6table_security_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_security);
-}
+ if (hook == NF_INET_LOCAL_OUT)
+ return ip6t_do_table(skb, hook, in, out,
+ dev_net(out)->ipv6.ip6table_security);
-static unsigned int
-ip6t_forward_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
+ /* INPUT/FORWARD: */
return ip6t_do_table(skb, hook, in, out,
dev_net(in)->ipv6.ip6table_security);
}
-static unsigned int
-ip6t_local_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- /* TBD: handle short packets via raw socket */
- return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_security);
-}
-
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
- .hook = ip6t_local_in_hook,
+ .hook = ip6table_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_SECURITY,
},
{
- .hook = ip6t_forward_hook,
+ .hook = ip6table_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_SECURITY,
},
{
- .hook = ip6t_local_out_hook,
+ .hook = ip6table_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* Re: [PATCH 021/103] netfilter: xtables: consolidate table hook functions
2009-08-04 7:25 ` [PATCH 021/103] netfilter: xtables: consolidate table hook functions Jan Engelhardt
@ 2009-08-10 8:58 ` Patrick McHardy
2009-08-10 9:36 ` Jan Engelhardt
0 siblings, 1 reply; 118+ messages in thread
From: Patrick McHardy @ 2009-08-10 8:58 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> For a following patch in this series, we will be requiring that a
> single hook function per table does the processing.
Which one?
> diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
> index 87ecd3e..e46123e 100644
> --- a/net/ipv4/netfilter/arptable_filter.c
> +++ b/net/ipv4/netfilter/arptable_filter.c
> @@ -53,43 +53,38 @@ static struct xt_table packet_filter = {
> };
>
> /* The work comes in here from netfilter.c */
> -static unsigned int arpt_in_hook(unsigned int hook,
> +static unsigned int arptable_filter_hook(unsigned int hook,
> struct sk_buff *skb,
> const struct net_device *in,
> const struct net_device *out,
> int (*okfn)(struct sk_buff *))
> {
> - return arpt_do_table(skb, hook, in, out,
> - dev_net(in)->ipv4.arptable_filter);
> -}
> + if (hook == NF_ARP_OUT)
> + return arpt_do_table(skb, hook, in, out,
> + dev_net(out)->ipv4.arptable_filter);
I have to say, I really dislike this strange formatting style (I
think its an emacs thing, you're not the only one doing this).
The arguments are all neatly aligned so far, please keep it that
way.
^ permalink raw reply [flat|nested] 118+ messages in thread* Re: [PATCH 021/103] netfilter: xtables: consolidate table hook functions
2009-08-10 8:58 ` Patrick McHardy
@ 2009-08-10 9:36 ` Jan Engelhardt
2009-08-10 9:51 ` Patrick McHardy
0 siblings, 1 reply; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-10 9:36 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Monday 2009-08-10 10:58, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> For a following patch in this series, we will be requiring that a
>> single hook function per table does the processing.
>
>Which one?
"generate nf_hook_ops on-demand"
>> {
>> - return arpt_do_table(skb, hook, in, out,
>> - dev_net(in)->ipv4.arptable_filter);
>> -}
>> + if (hook == NF_ARP_OUT)
>> + return arpt_do_table(skb, hook, in, out,
>> + dev_net(out)->ipv4.arptable_filter);
>
>I have to say, I really dislike this strange formatting style (I
>think its an emacs thing, you're not the only one doing this).
>The arguments are all neatly aligned so far, please keep it that
>way.
Well only good I am not into Emacs ;)
The reasoning for such unconscious action may simply be that some
function names are a bit long and cause an unnecessary indentation to
the right in such cases. Or you could argue all "arguments" to 'return'
are actually aligned - with respect to the return keyword that is.
^ permalink raw reply [flat|nested] 118+ messages in thread* Re: [PATCH 021/103] netfilter: xtables: consolidate table hook functions
2009-08-10 9:36 ` Jan Engelhardt
@ 2009-08-10 9:51 ` Patrick McHardy
0 siblings, 0 replies; 118+ messages in thread
From: Patrick McHardy @ 2009-08-10 9:51 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Monday 2009-08-10 10:58, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> For a following patch in this series, we will be requiring that a
>>> single hook function per table does the processing.
>> Which one?
>
> "generate nf_hook_ops on-demand"
>
>>> {
>>> - return arpt_do_table(skb, hook, in, out,
>>> - dev_net(in)->ipv4.arptable_filter);
>>> -}
>>> + if (hook == NF_ARP_OUT)
>>> + return arpt_do_table(skb, hook, in, out,
>>> + dev_net(out)->ipv4.arptable_filter);
>> I have to say, I really dislike this strange formatting style (I
>> think its an emacs thing, you're not the only one doing this).
>> The arguments are all neatly aligned so far, please keep it that
>> way.
>
> Well only good I am not into Emacs ;)
That was only a guess :)
> The reasoning for such unconscious action may simply be that some
> function names are a bit long and cause an unnecessary indentation to
> the right in such cases. Or you could argue all "arguments" to 'return'
> are actually aligned - with respect to the return keyword that is.
One could .. but that argument doesn't make much sense to me :)
I've been letting this slip for too long, but these style
inconsistencies do bother me, so please keep it aligned to
the left parenthesis (or change it so it will be that way when
touching code).
^ permalink raw reply [flat|nested] 118+ messages in thread
* [PATCH 022/103] netfilter: xtables: compact table hook functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (20 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 021/103] netfilter: xtables: consolidate table hook functions Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 023/103] netfilter: xtables: generate nf_hook_ops on-demand Jan Engelhardt
` (82 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arptable_filter.c | 9 ++-------
net/ipv4/netfilter/iptable_filter.c | 12 +++++-------
net/ipv4/netfilter/iptable_mangle.c | 9 ++-------
net/ipv4/netfilter/iptable_raw.c | 19 +++++++++----------
net/ipv4/netfilter/iptable_security.c | 12 +++++-------
net/ipv6/netfilter/ip6table_filter.c | 9 ++-------
net/ipv6/netfilter/ip6table_mangle.c | 9 ++-------
net/ipv6/netfilter/ip6table_raw.c | 9 ++-------
net/ipv6/netfilter/ip6table_security.c | 9 ++-------
9 files changed, 31 insertions(+), 66 deletions(-)
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index e46123e..3092d74 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -59,13 +59,8 @@ static unsigned int arptable_filter_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_ARP_OUT)
- return arpt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.arptable_filter);
-
- /* INPUT/FORWARD: */
- return arpt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.arptable_filter);
+ const struct net *net = dev_net((in != NULL) ? in : out);
+ return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter);
}
static struct nf_hook_ops arpt_ops[] __read_mostly = {
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 26a4ff5..8eaef4a 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -67,18 +67,16 @@ iptable_filter_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_LOCAL_OUT) {
+ const struct net *net;
+
+ if (hook == NF_INET_LOCAL_OUT)
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) ||
ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_filter);
- }
- /* LOCAL_IN/FORWARD: */
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_filter);
+ net = dev_net((in != NULL) ? in : out);
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
}
static struct nf_hook_ops ipt_ops[] __read_mostly = {
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index e5e4233..c55c371 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -79,13 +79,8 @@ iptable_mangle_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_POST_ROUTING)
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_mangle);
-
- /* PREROUTING/INPUT/FORWARD: */
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_mangle);
+ const struct net *net = dev_net((in != NULL) ? in : out);
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_mangle);
}
static unsigned int
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index e7021d1..b7d5257 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -51,17 +51,16 @@ iptable_raw_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_PRE_ROUTING)
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_raw);
-
- /* OUTPUT: */
- /* root is playing with raw sockets. */
- if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr))
- return NF_ACCEPT;
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_raw);
+ const struct net *net;
+
+ if (hook == NF_INET_LOCAL_OUT)
+ /* root is playing with raw sockets. */
+ if (skb->len < sizeof(struct iphdr) ||
+ ip_hdrlen(skb) < sizeof(struct iphdr))
+ return NF_ACCEPT;
+
+ net = dev_net((in != NULL) ? in : out);
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw);
}
/* 'raw' is the very first table. */
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 1686f90..d8ceb64 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -71,18 +71,16 @@ iptable_security_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_LOCAL_OUT) {
+ const struct net *net;
+
+ if (hook == NF_INET_LOCAL_OUT)
/* Somebody is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr)
|| ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_security);
- }
- /* INPUT/FORWARD: */
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_security);
+ net = dev_net((in != NULL) ? in : out);
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security);
}
static struct nf_hook_ops ipt_ops[] __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 1b8c64f..79a302e 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -66,13 +66,8 @@ ip6table_filter_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_LOCAL_OUT)
- return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_filter);
-
- /* INPUT/FORWARD: */
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_filter);
+ const struct net *net = dev_net((in != NULL) ? in : out);
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
}
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 17bb452..6fd2c37 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -72,13 +72,8 @@ ip6table_mangle_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_POST_ROUTING)
- return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_mangle);
-
- /* INPUT/FORWARD */
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_mangle);
+ const struct net *net = dev_net((in != NULL) ? in : out);
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_mangle);
}
static unsigned int
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 2b758ec..75c5c44 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -50,13 +50,8 @@ ip6table_raw_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_PRE_ROUTING)
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_raw);
-
- /* OUTPUT: */
- return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_raw);
+ const struct net *net = dev_net((in != NULL) ? in : out);
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_raw);
}
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 51223eb..7d9781e 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -70,13 +70,8 @@ ip6table_security_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_LOCAL_OUT)
- return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_security);
-
- /* INPUT/FORWARD: */
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_security);
+ const struct net *net = dev_net((in != NULL) ? in : out);
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_security);
}
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 023/103] netfilter: xtables: generate nf_hook_ops on-demand
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (21 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 022/103] netfilter: xtables: compact " Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 024/103] netfilter: xtables: mark table constant for registering functions Jan Engelhardt
` (81 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Nuking lots of repeated and only slightly deviating data definitions.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 4 ++
net/ipv4/netfilter/arptable_filter.c | 33 ++----------
net/ipv4/netfilter/iptable_filter.c | 35 +++----------
net/ipv4/netfilter/iptable_mangle.c | 83 ++++++++++----------------------
net/ipv4/netfilter/iptable_raw.c | 29 +++--------
net/ipv4/netfilter/iptable_security.c | 35 +++----------
net/ipv6/netfilter/ip6table_filter.c | 35 +++----------
net/ipv6/netfilter/ip6table_mangle.c | 82 +++++++++----------------------
net/ipv6/netfilter/ip6table_raw.c | 28 +++--------
net/ipv6/netfilter/ip6table_security.c | 35 +++----------
net/netfilter/x_tables.c | 66 +++++++++++++++++++++++++
11 files changed, 173 insertions(+), 292 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 4fa6e4c..1a1e4d2 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -525,6 +525,10 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
return ret;
}
+extern struct nf_hook_ops *xt_hook_link(nf_hookfn *, uint8_t, int,
+ unsigned int, struct module *);
+extern void xt_hook_unlink(struct nf_hook_ops *, unsigned int);
+
#ifdef CONFIG_COMPAT
#include <net/compat.h>
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 3092d74..c1a3797 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -63,30 +63,6 @@ static unsigned int arptable_filter_hook(unsigned int hook,
return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter);
}
-static struct nf_hook_ops arpt_ops[] __read_mostly = {
- {
- .hook = arptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_ARP,
- .hooknum = NF_ARP_IN,
- .priority = NF_IP_PRI_FILTER,
- },
- {
- .hook = arptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_ARP,
- .hooknum = NF_ARP_OUT,
- .priority = NF_IP_PRI_FILTER,
- },
- {
- .hook = arptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_ARP,
- .hooknum = NF_ARP_FORWARD,
- .priority = NF_IP_PRI_FILTER,
- },
-};
-
static int __net_init arptable_filter_net_init(struct net *net)
{
/* Register table */
@@ -107,6 +83,8 @@ static struct pernet_operations arptable_filter_net_ops = {
.exit = arptable_filter_net_exit,
};
+static struct nf_hook_ops *arpfilter_ops;
+
static int __init arptable_filter_init(void)
{
int ret;
@@ -115,15 +93,16 @@ static int __init arptable_filter_init(void)
if (ret < 0)
return ret;
- ret = nf_register_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
- if (ret < 0)
+ arpfilter_ops = xt_hook_link(arptable_filter_hook, NFPROTO_ARP,
+ NF_IP_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(arpfilter_ops))
unregister_pernet_subsys(&arptable_filter_net_ops);
return ret;
}
static void __exit arptable_filter_fini(void)
{
- nf_unregister_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
+ xt_hook_unlink(arpfilter_ops, FILTER_VALID_HOOKS);
unregister_pernet_subsys(&arptable_filter_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 8eaef4a..212757f 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -79,30 +79,6 @@ iptable_filter_hook(unsigned int hook,
return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
}
-static struct nf_hook_ops ipt_ops[] __read_mostly = {
- {
- .hook = iptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP_PRI_FILTER,
- },
- {
- .hook = iptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP_PRI_FILTER,
- },
- {
- .hook = iptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP_PRI_FILTER,
- },
-};
-
/* Default to forward because I got too much mail already. */
static int forward = NF_ACCEPT;
module_param(forward, bool, 0000);
@@ -127,6 +103,8 @@ static struct pernet_operations iptable_filter_net_ops = {
.exit = iptable_filter_net_exit,
};
+static struct nf_hook_ops *filter_ops;
+
static int __init iptable_filter_init(void)
{
int ret;
@@ -144,16 +122,19 @@ static int __init iptable_filter_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- if (ret < 0)
+ filter_ops = xt_hook_link(iptable_filter_hook, NFPROTO_IPV4,
+ NF_IP_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(filter_ops)) {
unregister_pernet_subsys(&iptable_filter_net_ops);
+ return PTR_ERR(filter_ops);
+ }
return ret;
}
static void __exit iptable_filter_fini(void)
{
- nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ xt_hook_unlink(filter_ops, FILTER_VALID_HOOKS);
unregister_pernet_subsys(&iptable_filter_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index c55c371..9a2f0b5 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -73,22 +73,8 @@ static struct xt_table packet_mangler = {
/* The work comes in here from netfilter.c. */
static unsigned int
-iptable_mangle_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- const struct net *net = dev_net((in != NULL) ? in : out);
- return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_mangle);
-}
-
-static unsigned int
-iptable_mangle_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
+iptable_mangle_out_hook(struct sk_buff *skb, const struct net_device *out,
+ const struct net *net)
{
unsigned int ret;
const struct iphdr *iph;
@@ -108,8 +94,8 @@ iptable_mangle_out_hook(unsigned int hook,
daddr = iph->daddr;
tos = iph->tos;
- ret = ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_mangle);
+ ret = ipt_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
+ net->ipv4.iptable_mangle);
/* Reroute for ANY change. */
if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE) {
iph = ip_hdr(skb);
@@ -125,43 +111,19 @@ iptable_mangle_out_hook(unsigned int hook,
return ret;
}
-static struct nf_hook_ops ipt_ops[] __read_mostly = {
- {
- .hook = iptable_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_PRE_ROUTING,
- .priority = NF_IP_PRI_MANGLE,
- },
- {
- .hook = iptable_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP_PRI_MANGLE,
- },
- {
- .hook = iptable_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP_PRI_MANGLE,
- },
- {
- .hook = iptable_mangle_out_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP_PRI_MANGLE,
- },
- {
- .hook = iptable_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_POST_ROUTING,
- .priority = NF_IP_PRI_MANGLE,
- },
-};
+static unsigned int
+iptable_mangle_hook(unsigned int hook, struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ const struct net *net = dev_net((in != NULL) ? in : out);
+
+ if (hook == NF_INET_LOCAL_OUT)
+ return iptable_mangle_out_hook(skb, out, net);
+
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_mangle);
+}
static int __net_init iptable_mangle_net_init(struct net *net)
{
@@ -183,6 +145,8 @@ static struct pernet_operations iptable_mangle_net_ops = {
.exit = iptable_mangle_net_exit,
};
+static struct nf_hook_ops *mangle_ops;
+
static int __init iptable_mangle_init(void)
{
int ret;
@@ -192,16 +156,19 @@ static int __init iptable_mangle_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- if (ret < 0)
+ mangle_ops = xt_hook_link(iptable_mangle_hook, NFPROTO_IPV4,
+ NF_IP_PRI_MANGLE, MANGLE_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(mangle_ops)) {
unregister_pernet_subsys(&iptable_mangle_net_ops);
+ return PTR_ERR(mangle_ops);
+ }
return ret;
}
static void __exit iptable_mangle_fini(void)
{
- nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ xt_hook_unlink(mangle_ops, MANGLE_VALID_HOOKS);
unregister_pernet_subsys(&iptable_mangle_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index b7d5257..c454ee9 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -63,24 +63,6 @@ iptable_raw_hook(unsigned int hook,
return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw);
}
-/* 'raw' is the very first table. */
-static struct nf_hook_ops ipt_ops[] __read_mostly = {
- {
- .hook = iptable_raw_hook,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_PRE_ROUTING,
- .priority = NF_IP_PRI_RAW,
- .owner = THIS_MODULE,
- },
- {
- .hook = iptable_raw_hook,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP_PRI_RAW,
- .owner = THIS_MODULE,
- },
-};
-
static int __net_init iptable_raw_net_init(struct net *net)
{
/* Register table */
@@ -101,6 +83,8 @@ static struct pernet_operations iptable_raw_net_ops = {
.exit = iptable_raw_net_exit,
};
+static struct nf_hook_ops *rawtable_ops;
+
static int __init iptable_raw_init(void)
{
int ret;
@@ -110,16 +94,19 @@ static int __init iptable_raw_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- if (ret < 0)
+ rawtable_ops = xt_hook_link(iptable_raw_hook, NFPROTO_IPV4,
+ NF_IP_PRI_FIRST, RAW_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(rawtable_ops)) {
unregister_pernet_subsys(&iptable_raw_net_ops);
+ return PTR_ERR(rawtable_ops);
+ }
return ret;
}
static void __exit iptable_raw_fini(void)
{
- nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ xt_hook_unlink(rawtable_ops, RAW_VALID_HOOKS);
unregister_pernet_subsys(&iptable_raw_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index d8ceb64..cab6baf 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -83,30 +83,6 @@ iptable_security_hook(unsigned int hook,
return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security);
}
-static struct nf_hook_ops ipt_ops[] __read_mostly = {
- {
- .hook = iptable_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP_PRI_SECURITY,
- },
- {
- .hook = iptable_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP_PRI_SECURITY,
- },
- {
- .hook = iptable_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP_PRI_SECURITY,
- },
-};
-
static int __net_init iptable_security_net_init(struct net *net)
{
net->ipv4.iptable_security =
@@ -128,6 +104,8 @@ static struct pernet_operations iptable_security_net_ops = {
.exit = iptable_security_net_exit,
};
+static struct nf_hook_ops *sectbl_ops;
+
static int __init iptable_security_init(void)
{
int ret;
@@ -136,16 +114,19 @@ static int __init iptable_security_init(void)
if (ret < 0)
return ret;
- ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- if (ret < 0)
+ sectbl_ops = xt_hook_link(iptable_security_hook, NFPROTO_IPV4,
+ NF_IP_PRI_SECURITY, SECURITY_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(sectbl_ops)) {
unregister_pernet_subsys(&iptable_security_net_ops);
+ return PTR_ERR(sectbl_ops);
+ }
return ret;
}
static void __exit iptable_security_fini(void)
{
- nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ xt_hook_unlink(sectbl_ops, SECURITY_VALID_HOOKS);
unregister_pernet_subsys(&iptable_security_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 79a302e..0b5f24b 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -70,30 +70,6 @@ ip6table_filter_hook(unsigned int hook,
return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
}
-static struct nf_hook_ops ip6t_ops[] __read_mostly = {
- {
- .hook = ip6table_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP6_PRI_FILTER,
- },
- {
- .hook = ip6table_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP6_PRI_FILTER,
- },
- {
- .hook = ip6table_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP6_PRI_FILTER,
- },
-};
-
/* Default to forward because I got too much mail already. */
static int forward = NF_ACCEPT;
module_param(forward, bool, 0000);
@@ -118,6 +94,8 @@ static struct pernet_operations ip6table_filter_net_ops = {
.exit = ip6table_filter_net_exit,
};
+static struct nf_hook_ops *filter_ops;
+
static int __init ip6table_filter_init(void)
{
int ret;
@@ -135,16 +113,19 @@ static int __init ip6table_filter_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- if (ret < 0)
+ filter_ops = xt_hook_link(ip6table_filter_hook, NFPROTO_IPV6,
+ NF_IP6_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(filter_ops)) {
unregister_pernet_subsys(&ip6table_filter_net_ops);
+ return PTR_ERR(filter_ops);
+ }
return ret;
}
static void __exit ip6table_filter_fini(void)
{
- nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
+ xt_hook_unlink(filter_ops, FILTER_VALID_HOOKS);
unregister_pernet_subsys(&ip6table_filter_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 6fd2c37..c663d9c 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -66,22 +66,8 @@ static struct xt_table packet_mangler = {
/* The work comes in here from netfilter.c. */
static unsigned int
-ip6table_mangle_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- const struct net *net = dev_net((in != NULL) ? in : out);
- return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_mangle);
-}
-
-static unsigned int
-ip6table_mangle_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
+ip6table_mangle_out(struct sk_buff *skb, const struct net_device *out,
+ const struct net *net)
{
unsigned int ret;
@@ -108,8 +94,8 @@ ip6table_mangle_out_hook(unsigned int hook,
/* flowlabel and prio (includes version, which shouldn't change either */
flowlabel = *((u_int32_t *)ipv6_hdr(skb));
- ret = ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_mangle);
+ ret = ip6t_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
+ net->ipv6.ip6table_mangle);
if (ret != NF_DROP && ret != NF_STOLEN
&& (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))
@@ -121,43 +107,18 @@ ip6table_mangle_out_hook(unsigned int hook,
return ret;
}
-static struct nf_hook_ops ip6t_ops[] __read_mostly = {
- {
- .hook = ip6table_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_PRE_ROUTING,
- .priority = NF_IP6_PRI_MANGLE,
- },
- {
- .hook = ip6table_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP6_PRI_MANGLE,
- },
- {
- .hook = ip6table_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP6_PRI_MANGLE,
- },
- {
- .hook = ip6table_mangle_out_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP6_PRI_MANGLE,
- },
- {
- .hook = ip6table_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_POST_ROUTING,
- .priority = NF_IP6_PRI_MANGLE,
- },
-};
+static unsigned int
+ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ const struct net *net = dev_net((in != NULL) ? in : out);
+
+ if (hook == NF_INET_LOCAL_OUT)
+ return ip6table_mangle_out(skb, out, net);
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_mangle);
+}
static int __net_init ip6table_mangle_net_init(struct net *net)
{
@@ -179,6 +140,8 @@ static struct pernet_operations ip6table_mangle_net_ops = {
.exit = ip6table_mangle_net_exit,
};
+static struct nf_hook_ops *mangle_ops;
+
static int __init ip6table_mangle_init(void)
{
int ret;
@@ -188,16 +151,19 @@ static int __init ip6table_mangle_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- if (ret < 0)
+ mangle_ops = xt_hook_link(ip6table_mangle_hook, NFPROTO_IPV6,
+ NF_IP6_PRI_MANGLE, MANGLE_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(mangle_ops)) {
unregister_pernet_subsys(&ip6table_mangle_net_ops);
+ return PTR_ERR(mangle_ops);
+ }
return ret;
}
static void __exit ip6table_mangle_fini(void)
{
- nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
+ xt_hook_unlink(mangle_ops, MANGLE_VALID_HOOKS);
unregister_pernet_subsys(&ip6table_mangle_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 75c5c44..17d32d4 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -54,23 +54,6 @@ ip6table_raw_hook(unsigned int hook,
return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_raw);
}
-static struct nf_hook_ops ip6t_ops[] __read_mostly = {
- {
- .hook = ip6table_raw_hook,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_PRE_ROUTING,
- .priority = NF_IP6_PRI_FIRST,
- .owner = THIS_MODULE,
- },
- {
- .hook = ip6table_raw_hook,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP6_PRI_FIRST,
- .owner = THIS_MODULE,
- },
-};
-
static int __net_init ip6table_raw_net_init(struct net *net)
{
/* Register table */
@@ -91,6 +74,8 @@ static struct pernet_operations ip6table_raw_net_ops = {
.exit = ip6table_raw_net_exit,
};
+static struct nf_hook_ops *rawtable_ops;
+
static int __init ip6table_raw_init(void)
{
int ret;
@@ -100,16 +85,19 @@ static int __init ip6table_raw_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- if (ret < 0)
+ rawtable_ops = xt_hook_link(ip6table_raw_hook, NFPROTO_IPV6,
+ NF_IP6_PRI_FIRST, RAW_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(rawtable_ops)) {
unregister_pernet_subsys(&ip6table_raw_net_ops);
+ return PTR_ERR(rawtable_ops);
+ }
return ret;
}
static void __exit ip6table_raw_fini(void)
{
- nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
+ xt_hook_unlink(rawtable_ops, RAW_VALID_HOOKS);
unregister_pernet_subsys(&ip6table_raw_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 7d9781e..b402437 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -74,30 +74,6 @@ ip6table_security_hook(unsigned int hook,
return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_security);
}
-static struct nf_hook_ops ip6t_ops[] __read_mostly = {
- {
- .hook = ip6table_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP6_PRI_SECURITY,
- },
- {
- .hook = ip6table_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP6_PRI_SECURITY,
- },
- {
- .hook = ip6table_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP6_PRI_SECURITY,
- },
-};
-
static int __net_init ip6table_security_net_init(struct net *net)
{
net->ipv6.ip6table_security =
@@ -119,6 +95,8 @@ static struct pernet_operations ip6table_security_net_ops = {
.exit = ip6table_security_net_exit,
};
+static struct nf_hook_ops *sectbl_ops;
+
static int __init ip6table_security_init(void)
{
int ret;
@@ -127,16 +105,19 @@ static int __init ip6table_security_init(void)
if (ret < 0)
return ret;
- ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- if (ret < 0)
+ sectbl_ops = xt_hook_link(ip6table_security_hook, NFPROTO_IPV6,
+ NF_IP6_PRI_SECURITY, SECURITY_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(sectbl_ops)) {
unregister_pernet_subsys(&ip6table_security_net_ops);
+ return PTR_ERR(sectbl_ops);
+ }
return ret;
}
static void __exit ip6table_security_fini(void)
{
- nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
+ xt_hook_unlink(sectbl_ops, SECURITY_VALID_HOOKS);
unregister_pernet_subsys(&ip6table_security_net_ops);
}
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 025d1a0..7e3f51d 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1090,6 +1090,72 @@ static const struct file_operations xt_target_ops = {
#endif /* CONFIG_PROC_FS */
+static unsigned int xt_hookmask_bitcount(unsigned int mask)
+{
+ unsigned int bits = 0;
+
+ for (; mask != 0; mask >>= 1)
+ if (mask & 1)
+ ++bits;
+ return bits;
+}
+
+/**
+ * xt_hook_link - set up hooks for a new table
+ * @fn: Hook function
+ * @nfproto: %NFPROTO_*
+ * @prio: n'th place within @nfproto's hook list (%NF_IP_PRI_*, etc.)
+ * @hook_mask: Requested hooks
+ *
+ * This function will take care of creating and registering the necessary
+ * Netfilter hooks for XT tables.
+ */
+struct nf_hook_ops *xt_hook_link(nf_hookfn *fn, uint8_t nfproto, int prio,
+ unsigned int hook_mask, struct module *owner)
+{
+ uint8_t i, num_hooks = xt_hookmask_bitcount(hook_mask);
+ uint8_t hooknum;
+ struct nf_hook_ops *ops;
+ int ret;
+
+ ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL);
+ if (ops == NULL)
+ return ERR_PTR(-ENOMEM);
+
+ for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0;
+ hook_mask >>= 1, ++hooknum) {
+ if (!(hook_mask & 1))
+ continue;
+ ops[i].hook = fn;
+ ops[i].owner = owner;
+ ops[i].pf = nfproto;
+ ops[i].hooknum = hooknum;
+ ops[i].priority = prio;
+ ++i;
+ }
+
+ ret = nf_register_hooks(ops, num_hooks);
+ if (ret < 0) {
+ kfree(ops);
+ return ERR_PTR(ret);
+ }
+
+ return ops;
+}
+EXPORT_SYMBOL_GPL(xt_hook_link);
+
+/**
+ * xt_hook_unlink - remove hooks for a table
+ * @ops: nf_hook_ops array as returned by nf_hook_link
+ * @hook_mask: the very same mask that was passed to nf_hook_link
+ */
+void xt_hook_unlink(struct nf_hook_ops *ops, unsigned int hook_mask)
+{
+ nf_unregister_hooks(ops, xt_hookmask_bitcount(hook_mask));
+ kfree(ops);
+}
+EXPORT_SYMBOL_GPL(xt_hook_unlink);
+
int xt_proto_init(struct net *net, u_int8_t af)
{
#ifdef CONFIG_PROC_FS
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 024/103] netfilter: xtables: mark table constant for registering functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (22 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 023/103] netfilter: xtables: generate nf_hook_ops on-demand Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 025/103] netfilter: xtables: constify initial table data Jan Engelhardt
` (80 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
The inputted table is never modified, so should be considered const.
This will allow future constification of the next layers higher up.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 2 +-
include/linux/netfilter_arp/arp_tables.h | 2 +-
include/linux/netfilter_bridge/ebtables.h | 2 +-
include/linux/netfilter_ipv4/ip_tables.h | 2 +-
include/linux/netfilter_ipv6/ip6_tables.h | 2 +-
net/bridge/netfilter/ebtables.c | 13 +++++++------
net/ipv4/netfilter/arp_tables.c | 3 ++-
net/ipv4/netfilter/ip_tables.c | 3 ++-
net/ipv6/netfilter/ip6_tables.c | 3 ++-
net/netfilter/x_tables.c | 7 ++++---
10 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 1a1e4d2..b71d9fa 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -407,7 +407,7 @@ extern int xt_check_target(struct xt_tgchk_param *,
unsigned int size, u_int8_t proto, bool inv_proto);
extern struct xt_table *xt_register_table(struct net *net,
- struct xt_table *table,
+ const struct xt_table *table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
extern void *xt_unregister_table(struct xt_table *table);
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 590ac3d..6fe3e6a 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -265,7 +265,7 @@ struct arpt_error
}
extern struct xt_table *arpt_register_table(struct net *net,
- struct xt_table *table,
+ const struct xt_table *table,
const struct arpt_replace *repl);
extern void arpt_unregister_table(struct xt_table *table);
extern unsigned int arpt_do_table(struct sk_buff *skb,
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index e40ddb9..ea281e6 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -301,7 +301,7 @@ struct ebt_table
#define EBT_ALIGN(s) (((s) + (__alignof__(struct ebt_replace)-1)) & \
~(__alignof__(struct ebt_replace)-1))
extern struct ebt_table *ebt_register_table(struct net *net,
- struct ebt_table *table);
+ const struct ebt_table *table);
extern void ebt_unregister_table(struct ebt_table *table);
extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 092bd50..61fafc8 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -245,7 +245,7 @@ ipt_get_target(struct ipt_entry *e)
extern void ipt_init(void) __init;
extern struct xt_table *ipt_register_table(struct net *net,
- struct xt_table *table,
+ const struct xt_table *table,
const struct ipt_replace *repl);
extern void ipt_unregister_table(struct xt_table *table);
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 1089e33..a64e145 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -306,7 +306,7 @@ ip6t_get_target(struct ip6t_entry *e)
extern void ip6t_init(void) __init;
extern struct xt_table *ip6t_register_table(struct net *net,
- struct xt_table *table,
+ const struct xt_table *table,
const struct ip6t_replace *repl);
extern void ip6t_unregister_table(struct xt_table *table);
extern unsigned int ip6t_do_table(struct sk_buff *skb,
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 37928d5..bd1c654 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1103,23 +1103,24 @@ free_newinfo:
return ret;
}
-struct ebt_table *ebt_register_table(struct net *net, struct ebt_table *table)
+struct ebt_table *
+ebt_register_table(struct net *net, const struct ebt_table *input_table)
{
struct ebt_table_info *newinfo;
- struct ebt_table *t;
+ struct ebt_table *t, *table;
struct ebt_replace_kernel *repl;
int ret, i, countersize;
void *p;
- if (!table || !(repl = table->table) || !repl->entries ||
- repl->entries_size == 0 ||
- repl->counters || table->private) {
+ if (input_table == NULL || (repl = input_table->table) == NULL ||
+ repl->entries == 0 || repl->entries_size == 0 ||
+ repl->counters != NULL || input_table->private != NULL) {
BUGPRINT("Bad table data for ebt_register_table!!!\n");
return ERR_PTR(-EINVAL);
}
/* Don't add one table to multiple lists. */
- table = kmemdup(table, sizeof(struct ebt_table), GFP_KERNEL);
+ table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
if (!table) {
ret = -ENOMEM;
goto out;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 7bc11ff..27774c9 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1778,7 +1778,8 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
return ret;
}
-struct xt_table *arpt_register_table(struct net *net, struct xt_table *table,
+struct xt_table *arpt_register_table(struct net *net,
+ const struct xt_table *table,
const struct arpt_replace *repl)
{
int ret;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 0b43fd7..cde755d 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2065,7 +2065,8 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
return ret;
}
-struct xt_table *ipt_register_table(struct net *net, struct xt_table *table,
+struct xt_table *ipt_register_table(struct net *net,
+ const struct xt_table *table,
const struct ipt_replace *repl)
{
int ret;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index a5d0c27..cc9f8ef 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2100,7 +2100,8 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
return ret;
}
-struct xt_table *ip6t_register_table(struct net *net, struct xt_table *table,
+struct xt_table *ip6t_register_table(struct net *net,
+ const struct xt_table *table,
const struct ip6t_replace *repl)
{
int ret;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 7e3f51d..f7c4c39 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -736,16 +736,17 @@ xt_replace_table(struct xt_table *table,
}
EXPORT_SYMBOL_GPL(xt_replace_table);
-struct xt_table *xt_register_table(struct net *net, struct xt_table *table,
+struct xt_table *xt_register_table(struct net *net,
+ const struct xt_table *input_table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo)
{
int ret;
struct xt_table_info *private;
- struct xt_table *t;
+ struct xt_table *t, *table;
/* Don't add one object to multiple lists. */
- table = kmemdup(table, sizeof(struct xt_table), GFP_KERNEL);
+ table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
if (!table) {
ret = -ENOMEM;
goto out;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 025/103] netfilter: xtables: constify initial table data
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (23 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 024/103] netfilter: xtables: mark table constant for registering functions Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 026/103] netfilter: xtables: use xt_table for hook instantiation Jan Engelhardt
` (79 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/bridge/netfilter/ebtable_broute.c | 2 +-
net/bridge/netfilter/ebtable_filter.c | 2 +-
net/ipv4/netfilter/arptable_filter.c | 4 ++--
net/ipv4/netfilter/iptable_filter.c | 2 +-
net/ipv4/netfilter/iptable_mangle.c | 4 ++--
net/ipv4/netfilter/iptable_raw.c | 4 ++--
net/ipv4/netfilter/iptable_security.c | 4 ++--
net/ipv4/netfilter/nf_nat_rule.c | 4 ++--
net/ipv6/netfilter/ip6table_filter.c | 2 +-
net/ipv6/netfilter/ip6table_mangle.c | 4 ++--
net/ipv6/netfilter/ip6table_raw.c | 4 ++--
net/ipv6/netfilter/ip6table_security.c | 4 ++--
12 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c
index c751111..d32ab13 100644
--- a/net/bridge/netfilter/ebtable_broute.c
+++ b/net/bridge/netfilter/ebtable_broute.c
@@ -41,7 +41,7 @@ static int check(const struct ebt_table_info *info, unsigned int valid_hooks)
return 0;
}
-static struct ebt_table broute_table =
+static const struct ebt_table broute_table =
{
.name = "broute",
.table = &initial_table,
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c
index 4b988db..60b1a6c 100644
--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -50,7 +50,7 @@ static int check(const struct ebt_table_info *info, unsigned int valid_hooks)
return 0;
}
-static struct ebt_table frame_filter =
+static const struct ebt_table frame_filter =
{
.name = "filter",
.table = &initial_table,
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index c1a3797..c45a8a1 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -15,7 +15,7 @@ MODULE_DESCRIPTION("arptables filter table");
#define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \
(1 << NF_ARP_FORWARD))
-static struct
+static const struct
{
struct arpt_replace repl;
struct arpt_standard entries[3];
@@ -45,7 +45,7 @@ static struct
.term = ARPT_ERROR_INIT,
};
-static struct xt_table packet_filter = {
+static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 212757f..05c1d3c 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -53,7 +53,7 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_filter = {
+static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 9a2f0b5..b504f72 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -28,7 +28,7 @@ MODULE_DESCRIPTION("iptables mangle table");
(1 << NF_INET_POST_ROUTING))
/* Ouch - five different hooks? Maybe this should be a config option..... -- BC */
-static struct
+static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[5];
@@ -64,7 +64,7 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_mangler = {
+static const struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index c454ee9..2f87098 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -9,7 +9,7 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
-static struct
+static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[2];
@@ -36,7 +36,7 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_raw = {
+static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index cab6baf..4cee3dc 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -27,7 +27,7 @@ MODULE_DESCRIPTION("iptables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
-static struct
+static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[3];
@@ -57,7 +57,7 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
-static struct xt_table security_table = {
+static const struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 6448a9b..9e81e0d 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -28,7 +28,7 @@
(1 << NF_INET_POST_ROUTING) | \
(1 << NF_INET_LOCAL_OUT))
-static struct
+static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[3];
@@ -58,7 +58,7 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
-static struct xt_table nat_table = {
+static const struct xt_table nat_table = {
.name = "nat",
.valid_hooks = NAT_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 0b5f24b..e8d3a03 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -51,7 +51,7 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_filter = {
+static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index c663d9c..ec803a2 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -21,7 +21,7 @@ MODULE_DESCRIPTION("ip6tables mangle table");
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_POST_ROUTING))
-static struct
+static const struct
{
struct ip6t_replace repl;
struct ip6t_standard entries[5];
@@ -57,7 +57,7 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_mangler = {
+static const struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 17d32d4..86ea699 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -8,7 +8,7 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
-static struct
+static const struct
{
struct ip6t_replace repl;
struct ip6t_standard entries[2];
@@ -35,7 +35,7 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_raw = {
+static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index b402437..7db37ba 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
-static struct
+static const struct
{
struct ip6t_replace repl;
struct ip6t_standard entries[3];
@@ -56,7 +56,7 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
-static struct xt_table security_table = {
+static const struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 026/103] netfilter: xtables: use xt_table for hook instantiation
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (24 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 025/103] netfilter: xtables: constify initial table data Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 027/103] netfilter: xtables: generate initial table on-demand Jan Engelhardt
` (78 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
The respective xt_table structures already have all the metadata we
were passing in as separate arguments so far. Add a 'priority' field
to xt_table which was yet missing, but is required for hook setup.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 6 +++---
net/ipv4/netfilter/arptable_filter.c | 6 +++---
net/ipv4/netfilter/iptable_filter.c | 6 +++---
net/ipv4/netfilter/iptable_mangle.c | 6 +++---
net/ipv4/netfilter/iptable_raw.c | 6 +++---
net/ipv4/netfilter/iptable_security.c | 6 +++---
net/ipv6/netfilter/ip6table_filter.c | 6 +++---
net/ipv6/netfilter/ip6table_mangle.c | 6 +++---
net/ipv6/netfilter/ip6table_raw.c | 6 +++---
net/ipv6/netfilter/ip6table_security.c | 6 +++---
net/netfilter/x_tables.c | 18 ++++++++----------
11 files changed, 38 insertions(+), 40 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b71d9fa..2a47a01 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -363,6 +363,7 @@ struct xt_table
struct module *me;
u_int8_t af; /* address/protocol family */
+ int priority; /* hook order */
/* A unique name... */
const char name[XT_TABLE_MAXNAMELEN];
@@ -525,9 +526,8 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
return ret;
}
-extern struct nf_hook_ops *xt_hook_link(nf_hookfn *, uint8_t, int,
- unsigned int, struct module *);
-extern void xt_hook_unlink(struct nf_hook_ops *, unsigned int);
+extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
+extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
#ifdef CONFIG_COMPAT
#include <net/compat.h>
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index c45a8a1..11e6ee9 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -50,6 +50,7 @@ static const struct xt_table packet_filter = {
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_ARP,
+ .priority = NF_IP_PRI_FILTER,
};
/* The work comes in here from netfilter.c */
@@ -93,8 +94,7 @@ static int __init arptable_filter_init(void)
if (ret < 0)
return ret;
- arpfilter_ops = xt_hook_link(arptable_filter_hook, NFPROTO_ARP,
- NF_IP_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ arpfilter_ops = xt_hook_link(&packet_filter, arptable_filter_hook);
if (IS_ERR(arpfilter_ops))
unregister_pernet_subsys(&arptable_filter_net_ops);
return ret;
@@ -102,7 +102,7 @@ static int __init arptable_filter_init(void)
static void __exit arptable_filter_fini(void)
{
- xt_hook_unlink(arpfilter_ops, FILTER_VALID_HOOKS);
+ xt_hook_unlink(&packet_filter, arpfilter_ops);
unregister_pernet_subsys(&arptable_filter_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 05c1d3c..61b6faa 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -58,6 +58,7 @@ static const struct xt_table packet_filter = {
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV4,
+ .priority = NF_IP_PRI_FILTER,
};
static unsigned int
@@ -122,8 +123,7 @@ static int __init iptable_filter_init(void)
return ret;
/* Register hooks */
- filter_ops = xt_hook_link(iptable_filter_hook, NFPROTO_IPV4,
- NF_IP_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ filter_ops = xt_hook_link(&packet_filter, iptable_filter_hook);
if (IS_ERR(filter_ops)) {
unregister_pernet_subsys(&iptable_filter_net_ops);
return PTR_ERR(filter_ops);
@@ -134,7 +134,7 @@ static int __init iptable_filter_init(void)
static void __exit iptable_filter_fini(void)
{
- xt_hook_unlink(filter_ops, FILTER_VALID_HOOKS);
+ xt_hook_unlink(&packet_filter, filter_ops);
unregister_pernet_subsys(&iptable_filter_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index b504f72..c178bf1 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -69,6 +69,7 @@ static const struct xt_table packet_mangler = {
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV4,
+ .priority = NF_IP_PRI_MANGLE,
};
/* The work comes in here from netfilter.c. */
@@ -156,8 +157,7 @@ static int __init iptable_mangle_init(void)
return ret;
/* Register hooks */
- mangle_ops = xt_hook_link(iptable_mangle_hook, NFPROTO_IPV4,
- NF_IP_PRI_MANGLE, MANGLE_VALID_HOOKS, THIS_MODULE);
+ mangle_ops = xt_hook_link(&packet_mangler, iptable_mangle_hook);
if (IS_ERR(mangle_ops)) {
unregister_pernet_subsys(&iptable_mangle_net_ops);
return PTR_ERR(mangle_ops);
@@ -168,7 +168,7 @@ static int __init iptable_mangle_init(void)
static void __exit iptable_mangle_fini(void)
{
- xt_hook_unlink(mangle_ops, MANGLE_VALID_HOOKS);
+ xt_hook_unlink(&packet_mangler, mangle_ops);
unregister_pernet_subsys(&iptable_mangle_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 2f87098..9dcdad0 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -41,6 +41,7 @@ static const struct xt_table packet_raw = {
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV4,
+ .priority = NF_IP_PRI_FIRST,
};
/* The work comes in here from netfilter.c. */
@@ -94,8 +95,7 @@ static int __init iptable_raw_init(void)
return ret;
/* Register hooks */
- rawtable_ops = xt_hook_link(iptable_raw_hook, NFPROTO_IPV4,
- NF_IP_PRI_FIRST, RAW_VALID_HOOKS, THIS_MODULE);
+ rawtable_ops = xt_hook_link(&packet_raw, iptable_raw_hook);
if (IS_ERR(rawtable_ops)) {
unregister_pernet_subsys(&iptable_raw_net_ops);
return PTR_ERR(rawtable_ops);
@@ -106,7 +106,7 @@ static int __init iptable_raw_init(void)
static void __exit iptable_raw_fini(void)
{
- xt_hook_unlink(rawtable_ops, RAW_VALID_HOOKS);
+ xt_hook_unlink(&packet_raw, rawtable_ops);
unregister_pernet_subsys(&iptable_raw_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 4cee3dc..67d54c2 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -62,6 +62,7 @@ static const struct xt_table security_table = {
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV4,
+ .priority = NF_IP_PRI_SECURITY,
};
static unsigned int
@@ -114,8 +115,7 @@ static int __init iptable_security_init(void)
if (ret < 0)
return ret;
- sectbl_ops = xt_hook_link(iptable_security_hook, NFPROTO_IPV4,
- NF_IP_PRI_SECURITY, SECURITY_VALID_HOOKS, THIS_MODULE);
+ sectbl_ops = xt_hook_link(&security_table, iptable_security_hook);
if (IS_ERR(sectbl_ops)) {
unregister_pernet_subsys(&iptable_security_net_ops);
return PTR_ERR(sectbl_ops);
@@ -126,7 +126,7 @@ static int __init iptable_security_init(void)
static void __exit iptable_security_fini(void)
{
- xt_hook_unlink(sectbl_ops, SECURITY_VALID_HOOKS);
+ xt_hook_unlink(&security_table, sectbl_ops);
unregister_pernet_subsys(&iptable_security_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index e8d3a03..8c8b218 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -56,6 +56,7 @@ static const struct xt_table packet_filter = {
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV6,
+ .priority = NF_IP6_PRI_FILTER,
};
/* The work comes in here from netfilter.c. */
@@ -113,8 +114,7 @@ static int __init ip6table_filter_init(void)
return ret;
/* Register hooks */
- filter_ops = xt_hook_link(ip6table_filter_hook, NFPROTO_IPV6,
- NF_IP6_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ filter_ops = xt_hook_link(&packet_filter, ip6table_filter_hook);
if (IS_ERR(filter_ops)) {
unregister_pernet_subsys(&ip6table_filter_net_ops);
return PTR_ERR(filter_ops);
@@ -125,7 +125,7 @@ static int __init ip6table_filter_init(void)
static void __exit ip6table_filter_fini(void)
{
- xt_hook_unlink(filter_ops, FILTER_VALID_HOOKS);
+ xt_hook_unlink(&packet_filter, filter_ops);
unregister_pernet_subsys(&ip6table_filter_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index ec803a2..e13adec 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -62,6 +62,7 @@ static const struct xt_table packet_mangler = {
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV6,
+ .priority = NF_IP6_PRI_MANGLE,
};
/* The work comes in here from netfilter.c. */
@@ -151,8 +152,7 @@ static int __init ip6table_mangle_init(void)
return ret;
/* Register hooks */
- mangle_ops = xt_hook_link(ip6table_mangle_hook, NFPROTO_IPV6,
- NF_IP6_PRI_MANGLE, MANGLE_VALID_HOOKS, THIS_MODULE);
+ mangle_ops = xt_hook_link(&packet_mangler, ip6table_mangle_hook);
if (IS_ERR(mangle_ops)) {
unregister_pernet_subsys(&ip6table_mangle_net_ops);
return PTR_ERR(mangle_ops);
@@ -163,7 +163,7 @@ static int __init ip6table_mangle_init(void)
static void __exit ip6table_mangle_fini(void)
{
- xt_hook_unlink(mangle_ops, MANGLE_VALID_HOOKS);
+ xt_hook_unlink(&packet_mangler, mangle_ops);
unregister_pernet_subsys(&ip6table_mangle_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 86ea699..b7c535d 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -40,6 +40,7 @@ static const struct xt_table packet_raw = {
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV6,
+ .priority = NF_IP6_PRI_FIRST,
};
/* The work comes in here from netfilter.c. */
@@ -85,8 +86,7 @@ static int __init ip6table_raw_init(void)
return ret;
/* Register hooks */
- rawtable_ops = xt_hook_link(ip6table_raw_hook, NFPROTO_IPV6,
- NF_IP6_PRI_FIRST, RAW_VALID_HOOKS, THIS_MODULE);
+ rawtable_ops = xt_hook_link(&packet_raw, ip6table_raw_hook);
if (IS_ERR(rawtable_ops)) {
unregister_pernet_subsys(&ip6table_raw_net_ops);
return PTR_ERR(rawtable_ops);
@@ -97,7 +97,7 @@ static int __init ip6table_raw_init(void)
static void __exit ip6table_raw_fini(void)
{
- xt_hook_unlink(rawtable_ops, RAW_VALID_HOOKS);
+ xt_hook_unlink(&packet_raw, rawtable_ops);
unregister_pernet_subsys(&ip6table_raw_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 7db37ba..ef3ad0b 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -61,6 +61,7 @@ static const struct xt_table security_table = {
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV6,
+ .priority = NF_IP6_PRI_SECURITY,
};
static unsigned int
@@ -105,8 +106,7 @@ static int __init ip6table_security_init(void)
if (ret < 0)
return ret;
- sectbl_ops = xt_hook_link(ip6table_security_hook, NFPROTO_IPV6,
- NF_IP6_PRI_SECURITY, SECURITY_VALID_HOOKS, THIS_MODULE);
+ sectbl_ops = xt_hook_link(&security_table, ip6table_security_hook);
if (IS_ERR(sectbl_ops)) {
unregister_pernet_subsys(&ip6table_security_net_ops);
return PTR_ERR(sectbl_ops);
@@ -117,7 +117,7 @@ static int __init ip6table_security_init(void)
static void __exit ip6table_security_fini(void)
{
- xt_hook_unlink(sectbl_ops, SECURITY_VALID_HOOKS);
+ xt_hook_unlink(&security_table, sectbl_ops);
unregister_pernet_subsys(&ip6table_security_net_ops);
}
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index f7c4c39..46e0120 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1103,17 +1103,15 @@ static unsigned int xt_hookmask_bitcount(unsigned int mask)
/**
* xt_hook_link - set up hooks for a new table
+ * @table: table with metadata needed to set up hooks
* @fn: Hook function
- * @nfproto: %NFPROTO_*
- * @prio: n'th place within @nfproto's hook list (%NF_IP_PRI_*, etc.)
- * @hook_mask: Requested hooks
*
* This function will take care of creating and registering the necessary
* Netfilter hooks for XT tables.
*/
-struct nf_hook_ops *xt_hook_link(nf_hookfn *fn, uint8_t nfproto, int prio,
- unsigned int hook_mask, struct module *owner)
+struct nf_hook_ops *xt_hook_link(const struct xt_table *table, nf_hookfn *fn)
{
+ unsigned int hook_mask = table->valid_hooks;
uint8_t i, num_hooks = xt_hookmask_bitcount(hook_mask);
uint8_t hooknum;
struct nf_hook_ops *ops;
@@ -1128,10 +1126,10 @@ struct nf_hook_ops *xt_hook_link(nf_hookfn *fn, uint8_t nfproto, int prio,
if (!(hook_mask & 1))
continue;
ops[i].hook = fn;
- ops[i].owner = owner;
- ops[i].pf = nfproto;
+ ops[i].owner = table->me;
+ ops[i].pf = table->af;
ops[i].hooknum = hooknum;
- ops[i].priority = prio;
+ ops[i].priority = table->priority;
++i;
}
@@ -1150,9 +1148,9 @@ EXPORT_SYMBOL_GPL(xt_hook_link);
* @ops: nf_hook_ops array as returned by nf_hook_link
* @hook_mask: the very same mask that was passed to nf_hook_link
*/
-void xt_hook_unlink(struct nf_hook_ops *ops, unsigned int hook_mask)
+void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops)
{
- nf_unregister_hooks(ops, xt_hookmask_bitcount(hook_mask));
+ nf_unregister_hooks(ops, xt_hookmask_bitcount(table->valid_hooks));
kfree(ops);
}
EXPORT_SYMBOL_GPL(xt_hook_unlink);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 027/103] netfilter: xtables: generate initial table on-demand
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (25 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 026/103] netfilter: xtables: use xt_table for hook instantiation Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 028/103] netfilter: reduce NF_HOOK by one argument Jan Engelhardt
` (77 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
The static initial tables are pretty large (1K), and after the net
namespace has been instantiated, they just hang around for nothing.
Now they are gone from both your disk and memory. (During
initialization, memory use remains the same.)
Some numbers:
text data bss dec hex filename
-4043674 563169 512000 5118843 4e1b7b ./vmlinux[x86_64](before)
+4045071 550177 512000 5107248 4dee30 ./vmlinux[x86_64](after)
= +1397 -12992
=== -11595
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 1 +
net/ipv4/netfilter/arptable_filter.c | 39 ++++-------------------
net/ipv4/netfilter/iptable_filter.c | 45 ++++++--------------------
net/ipv4/netfilter/iptable_mangle.c | 45 +++-----------------------
net/ipv4/netfilter/iptable_raw.c | 35 +++-----------------
net/ipv4/netfilter/iptable_security.c | 38 +++-------------------
net/ipv4/netfilter/nf_nat_rule.c | 38 +++-------------------
net/ipv6/netfilter/ip6table_filter.c | 45 ++++++--------------------
net/ipv6/netfilter/ip6table_mangle.c | 44 +++----------------------
net/ipv6/netfilter/ip6table_raw.c | 35 +++-----------------
net/ipv6/netfilter/ip6table_security.c | 38 +++-------------------
net/netfilter/x_tables.c | 54 +++++++++++++++++++++++++++++++-
12 files changed, 123 insertions(+), 334 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 2a47a01..bdcb2f6 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -528,6 +528,7 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
+extern void *xt_repldata_create(const struct xt_table *);
#ifdef CONFIG_COMPAT
#include <net/compat.h>
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 11e6ee9..1299f08 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -6,6 +6,7 @@
*/
#include <linux/module.h>
+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
MODULE_LICENSE("GPL");
@@ -15,36 +16,6 @@ MODULE_DESCRIPTION("arptables filter table");
#define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \
(1 << NF_ARP_FORWARD))
-static const struct
-{
- struct arpt_replace repl;
- struct arpt_standard entries[3];
- struct arpt_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "filter",
- .valid_hooks = FILTER_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct arpt_standard) * 3 + sizeof(struct arpt_error),
- .hook_entry = {
- [NF_ARP_IN] = 0,
- [NF_ARP_OUT] = sizeof(struct arpt_standard),
- [NF_ARP_FORWARD] = 2 * sizeof(struct arpt_standard),
- },
- .underflow = {
- [NF_ARP_IN] = 0,
- [NF_ARP_OUT] = sizeof(struct arpt_standard),
- [NF_ARP_FORWARD] = 2 * sizeof(struct arpt_standard),
- },
- },
- .entries = {
- ARPT_STANDARD_INIT(NF_ACCEPT), /* ARP_IN */
- ARPT_STANDARD_INIT(NF_ACCEPT), /* ARP_OUT */
- ARPT_STANDARD_INIT(NF_ACCEPT), /* ARP_FORWARD */
- },
- .term = ARPT_ERROR_INIT,
-};
-
static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
@@ -66,9 +37,13 @@ static unsigned int arptable_filter_hook(unsigned int hook,
static int __net_init arptable_filter_net_init(struct net *net)
{
- /* Register table */
+ struct arpt_replace *repl = xt_repldata_create(&packet_filter);
+
+ if (repl == NULL)
+ return -ENOMEM;
net->ipv4.arptable_filter =
- arpt_register_table(net, &packet_filter, &initial_table.repl);
+ arpt_register_table(net, &packet_filter, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.arptable_filter))
return PTR_ERR(net->ipv4.arptable_filter);
return 0;
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 61b6faa..962d6f5 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -23,36 +23,6 @@ MODULE_DESCRIPTION("iptables filter table");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT))
-static struct
-{
- struct ipt_replace repl;
- struct ipt_standard entries[3];
- struct ipt_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "filter",
- .valid_hooks = FILTER_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
- .hook_entry = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
- },
- .underflow = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
- },
- },
- .entries = {
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IPT_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
@@ -86,9 +56,17 @@ module_param(forward, bool, 0000);
static int __net_init iptable_filter_net_init(struct net *net)
{
- /* Register table */
+ struct ipt_replace *repl = xt_repldata_create(&packet_filter);
+
+ if (repl == NULL)
+ return -ENOMEM;
+ /* Entry 1 is the FORWARD hook */
+ ((struct ipt_standard *)repl->entries)[1].target.verdict =
+ -forward - 1;
+
net->ipv4.iptable_filter =
- ipt_register_table(net, &packet_filter, &initial_table.repl);
+ ipt_register_table(net, &packet_filter, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.iptable_filter))
return PTR_ERR(net->ipv4.iptable_filter);
return 0;
@@ -115,9 +93,6 @@ static int __init iptable_filter_init(void)
return -EINVAL;
}
- /* Entry 1 is the FORWARD hook */
- initial_table.entries[1].target.verdict = -forward - 1;
-
ret = register_pernet_subsys(&iptable_filter_net_ops);
if (ret < 0)
return ret;
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index c178bf1..8434f57 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -27,43 +27,6 @@ MODULE_DESCRIPTION("iptables mangle table");
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_POST_ROUTING))
-/* Ouch - five different hooks? Maybe this should be a config option..... -- BC */
-static const struct
-{
- struct ipt_replace repl;
- struct ipt_standard entries[5];
- struct ipt_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "mangle",
- .valid_hooks = MANGLE_VALID_HOOKS,
- .num_entries = 6,
- .size = sizeof(struct ipt_standard) * 5 + sizeof(struct ipt_error),
- .hook_entry = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_IN] = sizeof(struct ipt_standard),
- [NF_INET_FORWARD] = sizeof(struct ipt_standard) * 2,
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 3,
- [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard) * 4,
- },
- .underflow = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_IN] = sizeof(struct ipt_standard),
- [NF_INET_FORWARD] = sizeof(struct ipt_standard) * 2,
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 3,
- [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard) * 4,
- },
- },
- .entries = {
- IPT_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
- },
- .term = IPT_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
@@ -128,9 +91,13 @@ iptable_mangle_hook(unsigned int hook, struct sk_buff *skb,
static int __net_init iptable_mangle_net_init(struct net *net)
{
- /* Register table */
+ struct ipt_replace *repl = xt_repldata_create(&packet_mangler);
+
+ if (repl == NULL)
+ return -ENOMEM;
net->ipv4.iptable_mangle =
- ipt_register_table(net, &packet_mangler, &initial_table.repl);
+ ipt_register_table(net, &packet_mangler, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.iptable_mangle))
return PTR_ERR(net->ipv4.iptable_mangle);
return 0;
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 9dcdad0..243329c 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -9,33 +9,6 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
-static const struct
-{
- struct ipt_replace repl;
- struct ipt_standard entries[2];
- struct ipt_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "raw",
- .valid_hooks = RAW_VALID_HOOKS,
- .num_entries = 3,
- .size = sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error),
- .hook_entry = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard)
- },
- .underflow = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard)
- },
- },
- .entries = {
- IPT_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IPT_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
@@ -66,9 +39,13 @@ iptable_raw_hook(unsigned int hook,
static int __net_init iptable_raw_net_init(struct net *net)
{
- /* Register table */
+ struct ipt_replace *repl = xt_repldata_create(&packet_raw);
+
+ if (repl == NULL)
+ return -ENOMEM;
net->ipv4.iptable_raw =
- ipt_register_table(net, &packet_raw, &initial_table.repl);
+ ipt_register_table(net, &packet_raw, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.iptable_raw))
return PTR_ERR(net->ipv4.iptable_raw);
return 0;
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 67d54c2..d2aed39 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -27,36 +27,6 @@ MODULE_DESCRIPTION("iptables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
-static const struct
-{
- struct ipt_replace repl;
- struct ipt_standard entries[3];
- struct ipt_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "security",
- .valid_hooks = SECURITY_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
- .hook_entry = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
- },
- .underflow = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
- },
- },
- .entries = {
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IPT_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
@@ -86,9 +56,13 @@ iptable_security_hook(unsigned int hook,
static int __net_init iptable_security_net_init(struct net *net)
{
- net->ipv4.iptable_security =
- ipt_register_table(net, &security_table, &initial_table.repl);
+ struct ipt_replace *repl = xt_repldata_create(&security_table);
+ if (repl == NULL)
+ return -ENOMEM;
+ net->ipv4.iptable_security =
+ ipt_register_table(net, &security_table, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.iptable_security))
return PTR_ERR(net->ipv4.iptable_security);
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 9e81e0d..57f9d1d 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -28,36 +28,6 @@
(1 << NF_INET_POST_ROUTING) | \
(1 << NF_INET_LOCAL_OUT))
-static const struct
-{
- struct ipt_replace repl;
- struct ipt_standard entries[3];
- struct ipt_error term;
-} nat_initial_table __net_initdata = {
- .repl = {
- .name = "nat",
- .valid_hooks = NAT_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
- .hook_entry = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2
- },
- .underflow = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2
- },
- },
- .entries = {
- IPT_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
- IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IPT_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table nat_table = {
.name = "nat",
.valid_hooks = NAT_VALID_HOOKS,
@@ -186,8 +156,12 @@ static struct xt_target ipt_dnat_reg __read_mostly = {
static int __net_init nf_nat_rule_net_init(struct net *net)
{
- net->ipv4.nat_table = ipt_register_table(net, &nat_table,
- &nat_initial_table.repl);
+ struct ipt_replace *repl = xt_repldata_create(&nat_table);
+
+ if (repl == NULL)
+ return -ENOMEM;
+ net->ipv4.nat_table = ipt_register_table(net, &nat_table, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.nat_table))
return PTR_ERR(net->ipv4.nat_table);
return 0;
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 8c8b218..5b8e67e 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -21,36 +21,6 @@ MODULE_DESCRIPTION("ip6tables filter table");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT))
-static struct
-{
- struct ip6t_replace repl;
- struct ip6t_standard entries[3];
- struct ip6t_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "filter",
- .valid_hooks = FILTER_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error),
- .hook_entry = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
- },
- .underflow = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
- },
- },
- .entries = {
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IP6T_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
@@ -77,9 +47,17 @@ module_param(forward, bool, 0000);
static int __net_init ip6table_filter_net_init(struct net *net)
{
- /* Register table */
+ struct ip6t_replace *repl = xt_repldata_create(&packet_filter);
+
+ if (repl == NULL)
+ return -ENOMEM;
+ /* Entry 1 is the FORWARD hook */
+ ((struct ip6t_standard *)repl->entries)[1].target.verdict =
+ -forward - 1;
+
net->ipv6.ip6table_filter =
- ip6t_register_table(net, &packet_filter, &initial_table.repl);
+ ip6t_register_table(net, &packet_filter, repl);
+ kfree(repl);
if (IS_ERR(net->ipv6.ip6table_filter))
return PTR_ERR(net->ipv6.ip6table_filter);
return 0;
@@ -106,9 +84,6 @@ static int __init ip6table_filter_init(void)
return -EINVAL;
}
- /* Entry 1 is the FORWARD hook */
- initial_table.entries[1].target.verdict = -forward - 1;
-
ret = register_pernet_subsys(&ip6table_filter_net_ops);
if (ret < 0)
return ret;
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index e13adec..5d841e6 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -21,42 +21,6 @@ MODULE_DESCRIPTION("ip6tables mangle table");
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_POST_ROUTING))
-static const struct
-{
- struct ip6t_replace repl;
- struct ip6t_standard entries[5];
- struct ip6t_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "mangle",
- .valid_hooks = MANGLE_VALID_HOOKS,
- .num_entries = 6,
- .size = sizeof(struct ip6t_standard) * 5 + sizeof(struct ip6t_error),
- .hook_entry = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_IN] = sizeof(struct ip6t_standard),
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard) * 2,
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,
- [NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,
- },
- .underflow = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_IN] = sizeof(struct ip6t_standard),
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard) * 2,
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,
- [NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,
- },
- },
- .entries = {
- IP6T_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
- },
- .term = IP6T_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
@@ -123,9 +87,13 @@ ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb,
static int __net_init ip6table_mangle_net_init(struct net *net)
{
- /* Register table */
+ struct ip6t_replace *repl = xt_repldata_create(&packet_mangler);
+
+ if (repl == NULL)
+ return -ENOMEM;
net->ipv6.ip6table_mangle =
- ip6t_register_table(net, &packet_mangler, &initial_table.repl);
+ ip6t_register_table(net, &packet_mangler, repl);
+ kfree(repl);
if (IS_ERR(net->ipv6.ip6table_mangle))
return PTR_ERR(net->ipv6.ip6table_mangle);
return 0;
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index b7c535d..b24b14a 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -8,33 +8,6 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
-static const struct
-{
- struct ip6t_replace repl;
- struct ip6t_standard entries[2];
- struct ip6t_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "raw",
- .valid_hooks = RAW_VALID_HOOKS,
- .num_entries = 3,
- .size = sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error),
- .hook_entry = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
- },
- .underflow = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
- },
- },
- .entries = {
- IP6T_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IP6T_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
@@ -57,9 +30,13 @@ ip6table_raw_hook(unsigned int hook,
static int __net_init ip6table_raw_net_init(struct net *net)
{
- /* Register table */
+ struct ip6t_replace *repl = xt_repldata_create(&packet_raw);
+
+ if (repl == NULL)
+ return -ENOMEM;
net->ipv6.ip6table_raw =
- ip6t_register_table(net, &packet_raw, &initial_table.repl);
+ ip6t_register_table(net, &packet_raw, repl);
+ kfree(repl);
if (IS_ERR(net->ipv6.ip6table_raw))
return PTR_ERR(net->ipv6.ip6table_raw);
return 0;
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index ef3ad0b..c039db8 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -26,36 +26,6 @@ MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
-static const struct
-{
- struct ip6t_replace repl;
- struct ip6t_standard entries[3];
- struct ip6t_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "security",
- .valid_hooks = SECURITY_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error),
- .hook_entry = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2,
- },
- .underflow = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2,
- },
- },
- .entries = {
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IP6T_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
@@ -77,9 +47,13 @@ ip6table_security_hook(unsigned int hook,
static int __net_init ip6table_security_net_init(struct net *net)
{
- net->ipv6.ip6table_security =
- ip6t_register_table(net, &security_table, &initial_table.repl);
+ struct ip6t_replace *repl = xt_repldata_create(&security_table);
+ if (repl == NULL)
+ return -ENOMEM;
+ net->ipv6.ip6table_security =
+ ip6t_register_table(net, &security_table, repl);
+ kfree(repl);
if (IS_ERR(net->ipv6.ip6table_security))
return PTR_ERR(net->ipv6.ip6table_security);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 46e0120..eff972f 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -26,7 +26,9 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_arp.h>
-
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_arp/arp_tables.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
@@ -1155,6 +1157,56 @@ void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops)
}
EXPORT_SYMBOL_GPL(xt_hook_unlink);
+/*
+ * Today's hack: quantum tunneling in structs
+ *
+ * 'entries' and 'term' are never anywhere referenced by word in code. In fact,
+ * they serve as the hanging-off data accessed through repl.data[]!
+ */
+#define xt_repldata_mk(type, typ2) \
+ struct { \
+ struct type##_replace repl; \
+ struct type##_standard entries[nhooks]; \
+ struct type##_error term; \
+ } *tbl = kzalloc(sizeof(*tbl), GFP_KERNEL); \
+ if (tbl == NULL) \
+ return NULL; \
+ strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \
+ tbl->term = (struct type##_error)typ2##_ERROR_INIT; \
+ tbl->repl.valid_hooks = hook_mask; \
+ tbl->repl.num_entries = nhooks + 1; \
+ tbl->repl.size = nhooks * sizeof(struct type##_standard) + \
+ sizeof(struct type##_error); \
+ for (; hook_mask != 0; hook_mask >>= 1, ++hooknum) { \
+ if (!(hook_mask & 1)) \
+ continue; \
+ tbl->repl.hook_entry[hooknum] = bytes; \
+ tbl->repl.underflow[hooknum] = bytes; \
+ tbl->entries[i++] = (struct type##_standard) \
+ typ2##_STANDARD_INIT(NF_ACCEPT); \
+ bytes += sizeof(struct type##_standard); \
+ }
+
+void *xt_repldata_create(const struct xt_table *info)
+{
+ unsigned int hook_mask = info->valid_hooks;
+ unsigned int nhooks = xt_hookmask_bitcount(hook_mask);
+ unsigned int bytes = 0, hooknum = 0, i = 0;
+
+ if (info->af == NFPROTO_IPV6) {
+ xt_repldata_mk(ip6t, IP6T);
+ return tbl;
+ } else if (info->af == NFPROTO_IPV4) {
+ xt_repldata_mk(ipt, IPT);
+ return tbl;
+ } else if (info->af == NFPROTO_ARP) {
+ xt_repldata_mk(arpt, ARPT);
+ return tbl;
+ }
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(xt_repldata_create);
+
int xt_proto_init(struct net *net, u_int8_t af)
{
#ifdef CONFIG_PROC_FS
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 028/103] netfilter: reduce NF_HOOK by one argument
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (26 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 027/103] netfilter: xtables: generate initial table on-demand Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 029/103] netfilter: get rid of the grossness in netfilter.h Jan Engelhardt
` (76 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
No changes in vmlinux filesize.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter.h | 14 +++++---------
1 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 48cfe51..9a5383c 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -163,11 +163,8 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
struct sk_buff *skb,
struct net_device *indev,
struct net_device *outdev,
- int (*okfn)(struct sk_buff *), int thresh,
- int cond)
+ int (*okfn)(struct sk_buff *), int thresh)
{
- if (!cond)
- return 1;
#ifndef CONFIG_NETFILTER_DEBUG
if (list_empty(&nf_hooks[pf][hook]))
return 1;
@@ -179,7 +176,7 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
struct net_device *indev, struct net_device *outdev,
int (*okfn)(struct sk_buff *))
{
- return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN, 1);
+ return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN);
}
/* Activate hook; either okfn or kfree_skb called, unless a hook
@@ -206,13 +203,13 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
({int __ret; \
-if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, thresh, 1)) == 1)\
+if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, thresh)) == 1)\
__ret = (okfn)(skb); \
__ret;})
#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
({int __ret; \
-if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, INT_MIN, cond)) == 1)\
+if ((cond) || (__ret = nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, INT_MIN)) == 1)\
__ret = (okfn)(skb); \
__ret;})
@@ -327,8 +324,7 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
struct sk_buff *skb,
struct net_device *indev,
struct net_device *outdev,
- int (*okfn)(struct sk_buff *), int thresh,
- int cond)
+ int (*okfn)(struct sk_buff *), int thresh)
{
return okfn(skb);
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 029/103] netfilter: get rid of the grossness in netfilter.h
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (27 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 028/103] netfilter: reduce NF_HOOK by one argument Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 030/103] netfilter: xtables: print details on size mismatch Jan Engelhardt
` (75 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
GCC is now smart enough to follow the inline trail correctly. vmlinux
size remain the same.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter.h | 42 +++++++++++++++++++++++++-----------------
1 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 9a5383c..02bd472 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -196,25 +196,33 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
coders :)
*/
-/* This is gross, but inline doesn't cut it for avoiding the function
- call in fast path: gcc doesn't inline (needs value tracking?). --RR */
-
-/* HX: It's slightly less gross now. */
-
-#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
-({int __ret; \
-if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, thresh)) == 1)\
- __ret = (okfn)(skb); \
-__ret;})
+static inline int NF_HOOK_THRESH(uint8_t pf, unsigned int hook,
+ struct sk_buff *skb, struct net_device *in, struct net_device *out,
+ int (*okfn)(struct sk_buff *), int thresh)
+{
+ int ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, thresh);
+ if (ret == 1)
+ ret = okfn(skb);
+ return ret;
+}
-#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
-({int __ret; \
-if ((cond) || (__ret = nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, INT_MIN)) == 1)\
- __ret = (okfn)(skb); \
-__ret;})
+static inline int NF_HOOK_COND(uint8_t pf, unsigned int hook,
+ struct sk_buff *skb, struct net_device *in, struct net_device *out,
+ int (*okfn)(struct sk_buff *), bool cond)
+{
+ int ret = 1;
+ if (cond ||
+ (ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, INT_MIN) == 1))
+ ret = okfn(skb);
+ return ret;
+}
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
- NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN)
+static inline int NF_HOOK(uint8_t pf, unsigned int hook, struct sk_buff *skb,
+ struct net_device *in, struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ return NF_HOOK_THRESH(pf, hook, skb, in, out, okfn, INT_MIN);
+}
/* Call setsockopt() */
int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 030/103] netfilter: xtables: print details on size mismatch
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (28 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 029/103] netfilter: get rid of the grossness in netfilter.h Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 031/103] netfilter: xtables: constify args in compat copying functions Jan Engelhardt
` (74 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Print which revision has been used and which size are which
(kernel/user) for easier debugging.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/x_tables.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index eff972f..ff4bd71 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -366,8 +366,10 @@ int xt_check_match(struct xt_mtchk_param *par,
* ebt_among is exempt from centralized matchsize checking
* because it uses a dynamic-size data set.
*/
- pr_err("%s_tables: %s match: invalid size %Zu != %u\n",
+ pr_err("%s_tables: %s.%u match: invalid size "
+ "(kernel) %zu != (user) %u\n",
xt_prefix[par->family], par->match->name,
+ par->match->revision,
XT_ALIGN(par->match->matchsize), size);
return -EINVAL;
}
@@ -516,8 +518,10 @@ int xt_check_target(struct xt_tgchk_param *par,
unsigned int size, u_int8_t proto, bool inv_proto)
{
if (XT_ALIGN(par->target->targetsize) != size) {
- pr_err("%s_tables: %s target: invalid size %Zu != %u\n",
+ pr_err("%s_tables: %s.%u target: invalid size "
+ "(kernel) %zu != (user) %u\n",
xt_prefix[par->family], par->target->name,
+ par->target->revision,
XT_ALIGN(par->target->targetsize), size);
return -EINVAL;
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 031/103] netfilter: xtables: constify args in compat copying functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (29 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 030/103] netfilter: xtables: print details on size mismatch Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 032/103] netfilter: xtables: add const qualifiers Jan Engelhardt
` (73 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 12 ++++++------
net/ipv4/netfilter/arp_tables.c | 4 ++--
net/ipv4/netfilter/ip_tables.c | 4 ++--
net/ipv4/netfilter/ipt_ULOG.c | 4 ++--
net/ipv6/netfilter/ip6_tables.c | 4 ++--
net/netfilter/x_tables.c | 8 ++++----
net/netfilter/xt_hashlimit.c | 4 ++--
net/netfilter/xt_limit.c | 4 ++--
8 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index bdcb2f6..5e434a1 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -291,8 +291,8 @@ struct xt_match
void (*destroy)(const struct xt_mtdtor_param *);
/* Called when userspace align differs from kernel space one */
- void (*compat_from_user)(void *dst, void *src);
- int (*compat_to_user)(void __user *dst, void *src);
+ void (*compat_from_user)(void *dst, const void *src);
+ int (*compat_to_user)(void __user *dst, const void *src);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
@@ -332,8 +332,8 @@ struct xt_target
void (*destroy)(const struct xt_tgdtor_param *);
/* Called when userspace align differs from kernel space one */
- void (*compat_from_user)(void *dst, void *src);
- int (*compat_to_user)(void __user *dst, void *src);
+ void (*compat_from_user)(void *dst, const void *src);
+ int (*compat_to_user)(void __user *dst, const void *src);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
@@ -600,13 +600,13 @@ extern short xt_compat_calc_jump(u_int8_t af, unsigned int offset);
extern int xt_compat_match_offset(const struct xt_match *match);
extern int xt_compat_match_from_user(struct xt_entry_match *m,
void **dstptr, unsigned int *size);
-extern int xt_compat_match_to_user(struct xt_entry_match *m,
+extern int xt_compat_match_to_user(const struct xt_entry_match *m,
void __user **dstptr, unsigned int *size);
extern int xt_compat_target_offset(const struct xt_target *target);
extern void xt_compat_target_from_user(struct xt_entry_target *t,
void **dstptr, unsigned int *size);
-extern int xt_compat_target_to_user(struct xt_entry_target *t,
+extern int xt_compat_target_to_user(const struct xt_entry_target *t,
void __user **dstptr, unsigned int *size);
#endif /* CONFIG_COMPAT */
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 27774c9..e6ea3e5 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -835,7 +835,7 @@ static int copy_entries_to_user(unsigned int total_size,
}
#ifdef CONFIG_COMPAT
-static void compat_standard_from_user(void *dst, void *src)
+static void compat_standard_from_user(void *dst, const void *src)
{
int v = *(compat_int_t *)src;
@@ -844,7 +844,7 @@ static void compat_standard_from_user(void *dst, void *src)
memcpy(dst, &v, sizeof(v));
}
-static int compat_standard_to_user(void __user *dst, void *src)
+static int compat_standard_to_user(void __user *dst, const void *src)
{
compat_int_t cv = *(int *)src;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index cde755d..4a0f22c 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1035,7 +1035,7 @@ copy_entries_to_user(unsigned int total_size,
}
#ifdef CONFIG_COMPAT
-static void compat_standard_from_user(void *dst, void *src)
+static void compat_standard_from_user(void *dst, const void *src)
{
int v = *(compat_int_t *)src;
@@ -1044,7 +1044,7 @@ static void compat_standard_from_user(void *dst, void *src)
memcpy(dst, &v, sizeof(v));
}
-static int compat_standard_to_user(void __user *dst, void *src)
+static int compat_standard_to_user(void __user *dst, const void *src)
{
compat_int_t cv = *(int *)src;
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index d32cc4b..0b02768 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -338,7 +338,7 @@ struct compat_ipt_ulog_info {
char prefix[ULOG_PREFIX_LEN];
};
-static void ulog_tg_compat_from_user(void *dst, void *src)
+static void ulog_tg_compat_from_user(void *dst, const void *src)
{
const struct compat_ipt_ulog_info *cl = src;
struct ipt_ulog_info l = {
@@ -351,7 +351,7 @@ static void ulog_tg_compat_from_user(void *dst, void *src)
memcpy(dst, &l, sizeof(l));
}
-static int ulog_tg_compat_to_user(void __user *dst, void *src)
+static int ulog_tg_compat_to_user(void __user *dst, const void *src)
{
const struct ipt_ulog_info *l = src;
struct compat_ipt_ulog_info cl = {
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index cc9f8ef..47ed731 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1067,7 +1067,7 @@ copy_entries_to_user(unsigned int total_size,
}
#ifdef CONFIG_COMPAT
-static void compat_standard_from_user(void *dst, void *src)
+static void compat_standard_from_user(void *dst, const void *src)
{
int v = *(compat_int_t *)src;
@@ -1076,7 +1076,7 @@ static void compat_standard_from_user(void *dst, void *src)
memcpy(dst, &v, sizeof(v));
}
-static int compat_standard_to_user(void __user *dst, void *src)
+static int compat_standard_to_user(void __user *dst, const void *src)
{
compat_int_t cv = *(int *)src;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index ff4bd71..478e9c8 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -485,8 +485,8 @@ int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
}
EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
-int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr,
- unsigned int *size)
+int xt_compat_match_to_user(const struct xt_entry_match *m,
+ void __user **dstptr, unsigned int *size)
{
const struct xt_match *match = m->u.kernel.match;
struct compat_xt_entry_match __user *cm = *dstptr;
@@ -588,8 +588,8 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
}
EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
-int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr,
- unsigned int *size)
+int xt_compat_target_to_user(const struct xt_entry_target *t,
+ void __user **dstptr, unsigned int *size)
{
const struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target __user *ct = *dstptr;
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 219dcdb..91ddabb 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -767,7 +767,7 @@ struct compat_xt_hashlimit_info {
compat_uptr_t master;
};
-static void hashlimit_mt_compat_from_user(void *dst, void *src)
+static void hashlimit_mt_compat_from_user(void *dst, const void *src)
{
int off = offsetof(struct compat_xt_hashlimit_info, hinfo);
@@ -775,7 +775,7 @@ static void hashlimit_mt_compat_from_user(void *dst, void *src)
memset(dst + off, 0, sizeof(struct compat_xt_hashlimit_info) - off);
}
-static int hashlimit_mt_compat_to_user(void __user *dst, void *src)
+static int hashlimit_mt_compat_to_user(void __user *dst, const void *src)
{
int off = offsetof(struct compat_xt_hashlimit_info, hinfo);
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 2e8089e..dad26f9 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -148,7 +148,7 @@ struct compat_xt_rateinfo {
/* To keep the full "prev" timestamp, the upper 32 bits are stored in the
* master pointer, which does not need to be preserved. */
-static void limit_mt_compat_from_user(void *dst, void *src)
+static void limit_mt_compat_from_user(void *dst, const void *src)
{
const struct compat_xt_rateinfo *cm = src;
struct xt_rateinfo m = {
@@ -162,7 +162,7 @@ static void limit_mt_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int limit_mt_compat_to_user(void __user *dst, void *src)
+static int limit_mt_compat_to_user(void __user *dst, const void *src)
{
const struct xt_rateinfo *m = src;
struct compat_xt_rateinfo cm = {
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 032/103] netfilter: xtables: add const qualifiers
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (30 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 031/103] netfilter: xtables: constify args in compat copying functions Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 033/103] netfilter: xtables: replace XT_ENTRY_ITERATE macro Jan Engelhardt
` (72 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
This should make it easier to remove redundant arguments later.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/bridge/netfilter/ebtables.c | 56 ++++++++++++++-----------
net/ipv4/netfilter/arp_tables.c | 69 +++++++++++++++++-------------
net/ipv4/netfilter/ip_tables.c | 88 +++++++++++++++++++++-----------------
net/ipv6/netfilter/ip6_tables.c | 88 +++++++++++++++++++++------------------
4 files changed, 167 insertions(+), 134 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index bd1c654..9ed98d9 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -82,7 +82,8 @@ static inline int ebt_do_match (struct ebt_entry_match *m,
return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
}
-static inline int ebt_dev_check(char *entry, const struct net_device *device)
+static inline int
+ebt_dev_check(const char *entry, const struct net_device *device)
{
int i = 0;
const char *devname;
@@ -100,8 +101,9 @@ static inline int ebt_dev_check(char *entry, const struct net_device *device)
#define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
/* process standard matches */
-static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h,
- const struct net_device *in, const struct net_device *out)
+static inline int
+ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
+ const struct net_device *in, const struct net_device *out)
{
int verdict, i;
@@ -156,12 +158,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
int i, nentries;
struct ebt_entry *point;
struct ebt_counter *counter_base, *cb_base;
- struct ebt_entry_target *t;
+ const struct ebt_entry_target *t;
int verdict, sp = 0;
struct ebt_chainstack *cs;
struct ebt_entries *chaininfo;
- char *base;
- struct ebt_table_info *private;
+ const char *base;
+ const struct ebt_table_info *private;
bool hotdrop = false;
struct xt_match_param mtpar;
struct xt_target_param tgpar;
@@ -395,7 +397,7 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
return 0;
}
-static int ebt_verify_pointers(struct ebt_replace *repl,
+static int ebt_verify_pointers(const struct ebt_replace *repl,
struct ebt_table_info *newinfo)
{
unsigned int limit = repl->entries_size;
@@ -466,8 +468,8 @@ static int ebt_verify_pointers(struct ebt_replace *repl,
* to parse the userspace data
*/
static inline int
-ebt_check_entry_size_and_hooks(struct ebt_entry *e,
- struct ebt_table_info *newinfo,
+ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
+ const struct ebt_table_info *newinfo,
unsigned int *n, unsigned int *cnt,
unsigned int *totalcnt, unsigned int *udc_cnt)
{
@@ -619,7 +621,7 @@ ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt)
}
static inline int
-ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
+ebt_check_entry(struct ebt_entry *e, const struct ebt_table_info *newinfo,
const char *name, unsigned int *cnt,
struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
{
@@ -737,12 +739,12 @@ cleanup_matches:
* the hook mask for udc tells us from which base chains the udc can be
* accessed. This mask is a parameter to the check() functions of the extensions
*/
-static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
+static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
unsigned int udc_cnt, unsigned int hooknr, char *base)
{
int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
- struct ebt_entry *e = (struct ebt_entry *)chain->data;
- struct ebt_entry_target *t;
+ const struct ebt_entry *e = (struct ebt_entry *)chain->data;
+ const struct ebt_entry_target *t;
while (pos < nentries || chain_nr != -1) {
/* end of udc, go back one 'recursion' step */
@@ -808,7 +810,7 @@ letscontinue:
}
/* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
-static int translate_table(char *name, struct ebt_table_info *newinfo)
+static int translate_table(const char *name, struct ebt_table_info *newinfo)
{
unsigned int i, j, k, udc_cnt;
int ret;
@@ -927,7 +929,7 @@ static int translate_table(char *name, struct ebt_table_info *newinfo)
}
/* called under write_lock */
-static void get_counters(struct ebt_counter *oldcounters,
+static void get_counters(const struct ebt_counter *oldcounters,
struct ebt_counter *counters, unsigned int nentries)
{
int i, cpu;
@@ -950,7 +952,8 @@ static void get_counters(struct ebt_counter *oldcounters,
}
/* replace the table */
-static int do_replace(struct net *net, void __user *user, unsigned int len)
+static int do_replace(struct net *net, const void __user *user,
+ unsigned int len)
{
int ret, i, countersize;
struct ebt_table_info *newinfo;
@@ -1230,7 +1233,8 @@ void ebt_unregister_table(struct ebt_table *table)
}
/* userspace just supplied us with counters */
-static int update_counters(struct net *net, void __user *user, unsigned int len)
+static int update_counters(struct net *net, const void __user *user,
+ unsigned int len)
{
int i, ret;
struct ebt_counter *tmp;
@@ -1285,8 +1289,8 @@ free_tmp:
return ret;
}
-static inline int ebt_make_matchname(struct ebt_entry_match *m,
- char *base, char __user *ubase)
+static inline int ebt_make_matchname(const struct ebt_entry_match *m,
+ const char *base, char __user *ubase)
{
char __user *hlp = ubase + ((char *)m - base);
if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
@@ -1294,8 +1298,8 @@ static inline int ebt_make_matchname(struct ebt_entry_match *m,
return 0;
}
-static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
- char *base, char __user *ubase)
+static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
+ const char *base, char __user *ubase)
{
char __user *hlp = ubase + ((char *)w - base);
if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
@@ -1303,11 +1307,12 @@ static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
return 0;
}
-static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase)
+static inline int
+ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
{
int ret;
char __user *hlp;
- struct ebt_entry_target *t;
+ const struct ebt_entry_target *t;
if (e->bitmask == 0)
return 0;
@@ -1328,10 +1333,11 @@ static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *u
/* called with ebt_mutex locked */
static int copy_everything_to_user(struct ebt_table *t, void __user *user,
- int *len, int cmd)
+ const int *len, int cmd)
{
struct ebt_replace tmp;
- struct ebt_counter *counterstmp, *oldcounters;
+ struct ebt_counter *counterstmp;
+ const struct ebt_counter *oldcounters;
unsigned int entries_size, nentries;
char *entries;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index e6ea3e5..214dfd0 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -226,7 +226,14 @@ arpt_error(struct sk_buff *skb, const struct xt_target_param *par)
return NF_DROP;
}
-static inline struct arpt_entry *get_entry(void *base, unsigned int offset)
+static inline const struct arpt_entry_target *
+arpt_get_target_c(const struct arpt_entry *e)
+{
+ return arpt_get_target((struct arpt_entry *)e);
+}
+
+static inline struct arpt_entry *
+get_entry(const void *base, unsigned int offset)
{
return (struct arpt_entry *)(base + offset);
}
@@ -273,7 +280,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
arp = arp_hdr(skb);
do {
- struct arpt_entry_target *t;
+ const struct arpt_entry_target *t;
int hdr_len;
if (!arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) {
@@ -285,7 +292,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
(2 * skb->dev->addr_len);
ADD_COUNTER(e->counters, hdr_len, 1);
- t = arpt_get_target(e);
+ t = arpt_get_target_c(e);
/* Standard target? */
if (!t->u.kernel.target->target) {
@@ -351,7 +358,7 @@ static inline bool unconditional(const struct arpt_arp *arp)
/* Figures out from what hook each rule can be called: returns 0 if
* there are loops. Puts hook bitmask in comefrom.
*/
-static int mark_source_chains(struct xt_table_info *newinfo,
+static int mark_source_chains(const struct xt_table_info *newinfo,
unsigned int valid_hooks, void *entry0)
{
unsigned int hook;
@@ -372,7 +379,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
for (;;) {
const struct arpt_standard_target *t
- = (void *)arpt_get_target(e);
+ = (void *)arpt_get_target_c(e);
int visited = e->comefrom & (1 << hook);
if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) {
@@ -456,7 +463,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
return 1;
}
-static inline int check_entry(struct arpt_entry *e, const char *name)
+static inline int check_entry(const struct arpt_entry *e, const char *name)
{
const struct arpt_entry_target *t;
@@ -468,7 +475,7 @@ static inline int check_entry(struct arpt_entry *e, const char *name)
if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset)
return -EINVAL;
- t = arpt_get_target(e);
+ t = arpt_get_target_c(e);
if (e->target_offset + t->u.target_size > e->next_offset)
return -EINVAL;
@@ -533,14 +540,14 @@ out:
return ret;
}
-static bool check_underflow(struct arpt_entry *e)
+static bool check_underflow(const struct arpt_entry *e)
{
const struct arpt_entry_target *t;
unsigned int verdict;
if (!unconditional(&e->arp))
return false;
- t = arpt_get_target(e);
+ t = arpt_get_target_c(e);
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
return false;
verdict = ((struct arpt_standard_target *)t)->verdict;
@@ -550,8 +557,8 @@ static bool check_underflow(struct arpt_entry *e)
static inline int check_entry_size_and_hooks(struct arpt_entry *e,
struct xt_table_info *newinfo,
- unsigned char *base,
- unsigned char *limit,
+ const unsigned char *base,
+ const unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
unsigned int valid_hooks,
@@ -761,11 +768,11 @@ static void get_counters(const struct xt_table_info *t,
local_bh_enable();
}
-static struct xt_counters *alloc_counters(struct xt_table *table)
+static struct xt_counters *alloc_counters(const struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
* (other than comefrom, which userspace doesn't care
@@ -783,11 +790,11 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
}
static int copy_entries_to_user(unsigned int total_size,
- struct xt_table *table,
+ const struct xt_table *table,
void __user *userptr)
{
unsigned int off, num;
- struct arpt_entry *e;
+ const struct arpt_entry *e;
struct xt_counters *counters;
struct xt_table_info *private = table->private;
int ret = 0;
@@ -807,7 +814,7 @@ static int copy_entries_to_user(unsigned int total_size,
/* FIXME: use iterator macros --RR */
/* ... then go back and fix counters and names */
for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
- struct arpt_entry_target *t;
+ const struct arpt_entry_target *t;
e = (struct arpt_entry *)(loc_cpu_entry + off);
if (copy_to_user(userptr + off
@@ -818,7 +825,7 @@ static int copy_entries_to_user(unsigned int total_size,
goto free_counters;
}
- t = arpt_get_target(e);
+ t = arpt_get_target_c(e);
if (copy_to_user(userptr + off + e->target_offset
+ offsetof(struct arpt_entry_target,
u.user.name),
@@ -853,18 +860,18 @@ static int compat_standard_to_user(void __user *dst, const void *src)
return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
}
-static int compat_calc_entry(struct arpt_entry *e,
+static int compat_calc_entry(const struct arpt_entry *e,
const struct xt_table_info *info,
- void *base, struct xt_table_info *newinfo)
+ const void *base, struct xt_table_info *newinfo)
{
- struct arpt_entry_target *t;
+ const struct arpt_entry_target *t;
unsigned int entry_offset;
int off, i, ret;
off = sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry);
entry_offset = (void *)e - base;
- t = arpt_get_target(e);
+ t = arpt_get_target_c(e);
off += xt_compat_target_offset(t->u.kernel.target);
newinfo->size -= off;
ret = xt_compat_add_offset(NFPROTO_ARP, entry_offset, off);
@@ -900,7 +907,8 @@ static int compat_table_info(const struct xt_table_info *info,
}
#endif
-static int get_info(struct net *net, void __user *user, int *len, int compat)
+static int get_info(struct net *net, void __user *user,
+ const int *len, int compat)
{
char name[ARPT_TABLE_MAXNAMELEN];
struct xt_table *t;
@@ -959,7 +967,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
}
static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
- int *len)
+ const int *len)
{
int ret;
struct arpt_get_entries get;
@@ -1073,7 +1081,8 @@ static int __do_replace(struct net *net, const char *name,
return ret;
}
-static int do_replace(struct net *net, void __user *user, unsigned int len)
+static int do_replace(struct net *net, const void __user *user,
+ unsigned int len)
{
int ret;
struct arpt_replace tmp;
@@ -1133,8 +1142,8 @@ add_counter_to_entry(struct arpt_entry *e,
return 0;
}
-static int do_add_counters(struct net *net, void __user *user, unsigned int len,
- int compat)
+static int do_add_counters(struct net *net, const void __user *user,
+ unsigned int len, int compat)
{
unsigned int i, curcpu;
struct xt_counters_info tmp;
@@ -1238,10 +1247,10 @@ static inline int
check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
struct xt_table_info *newinfo,
unsigned int *size,
- unsigned char *base,
- unsigned char *limit,
- unsigned int *hook_entries,
- unsigned int *underflows,
+ const unsigned char *base,
+ const unsigned char *limit,
+ const unsigned int *hook_entries,
+ const unsigned int *underflows,
unsigned int *i,
const char *name)
{
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 4a0f22c..2c34413 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -169,7 +169,7 @@ ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
/* Performance critical - called for every packet */
static inline bool
-do_match(struct ipt_entry_match *m, const struct sk_buff *skb,
+do_match(const struct ipt_entry_match *m, const struct sk_buff *skb,
struct xt_match_param *par)
{
par->match = m->u.kernel.match;
@@ -184,7 +184,7 @@ do_match(struct ipt_entry_match *m, const struct sk_buff *skb,
/* Performance critical */
static inline struct ipt_entry *
-get_entry(void *base, unsigned int offset)
+get_entry(const void *base, unsigned int offset)
{
return (struct ipt_entry *)(base + offset);
}
@@ -199,6 +199,13 @@ static inline bool unconditional(const struct ipt_ip *ip)
#undef FWINV
}
+/* for const-correctness */
+static inline const struct ipt_entry_target *
+ipt_get_target_c(const struct ipt_entry *e)
+{
+ return ipt_get_target((struct ipt_entry *)e);
+}
+
#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
static const char *const hooknames[] = {
@@ -233,11 +240,11 @@ static struct nf_loginfo trace_loginfo = {
/* Mildly perf critical (only if packet tracing is on) */
static inline int
-get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
+get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e,
const char *hookname, const char **chainname,
const char **comment, unsigned int *rulenum)
{
- struct ipt_standard_target *t = (void *)ipt_get_target(s);
+ const struct ipt_standard_target *t = (void *)ipt_get_target_c(s);
if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) {
/* Head of user chain: ERROR target with chainname */
@@ -263,15 +270,15 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
return 0;
}
-static void trace_packet(struct sk_buff *skb,
+static void trace_packet(const struct sk_buff *skb,
unsigned int hook,
const struct net_device *in,
const struct net_device *out,
const char *tablename,
- struct xt_table_info *private,
- struct ipt_entry *e)
+ const struct xt_table_info *private,
+ const struct ipt_entry *e)
{
- void *table_base;
+ const void *table_base;
const struct ipt_entry *root;
const char *hookname, *chainname, *comment;
unsigned int rulenum = 0;
@@ -315,9 +322,9 @@ ipt_do_table(struct sk_buff *skb,
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
const char *indev, *outdev;
- void *table_base;
+ const void *table_base;
struct ipt_entry *e, *back;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
struct xt_match_param mtpar;
struct xt_target_param tgpar;
@@ -350,7 +357,7 @@ ipt_do_table(struct sk_buff *skb,
back = get_entry(table_base, private->underflow[hook]);
do {
- struct ipt_entry_target *t;
+ const struct ipt_entry_target *t;
IP_NF_ASSERT(e);
IP_NF_ASSERT(back);
@@ -443,7 +450,7 @@ ipt_do_table(struct sk_buff *skb,
/* Figures out from what hook each rule can be called: returns 0 if
there are loops. Puts hook bitmask in comefrom. */
static int
-mark_source_chains(struct xt_table_info *newinfo,
+mark_source_chains(const struct xt_table_info *newinfo,
unsigned int valid_hooks, void *entry0)
{
unsigned int hook;
@@ -461,8 +468,8 @@ mark_source_chains(struct xt_table_info *newinfo,
e->counters.pcnt = pos;
for (;;) {
- struct ipt_standard_target *t
- = (void *)ipt_get_target(e);
+ const struct ipt_standard_target *t
+ = (void *)ipt_get_target_c(e);
int visited = e->comefrom & (1 << hook);
if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
@@ -570,9 +577,9 @@ cleanup_match(struct ipt_entry_match *m, unsigned int *i)
}
static int
-check_entry(struct ipt_entry *e, const char *name)
+check_entry(const struct ipt_entry *e, const char *name)
{
- struct ipt_entry_target *t;
+ const struct ipt_entry_target *t;
if (!ip_checkentry(&e->ip)) {
duprintf("ip_tables: ip check failed %p %s.\n", e, name);
@@ -583,7 +590,7 @@ check_entry(struct ipt_entry *e, const char *name)
e->next_offset)
return -EINVAL;
- t = ipt_get_target(e);
+ t = ipt_get_target_c(e);
if (e->target_offset + t->u.target_size > e->next_offset)
return -EINVAL;
@@ -708,14 +715,14 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
return ret;
}
-static bool check_underflow(struct ipt_entry *e)
+static bool check_underflow(const struct ipt_entry *e)
{
const struct ipt_entry_target *t;
unsigned int verdict;
if (!unconditional(&e->ip))
return false;
- t = ipt_get_target(e);
+ t = ipt_get_target_c(e);
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
return false;
verdict = ((struct ipt_standard_target *)t)->verdict;
@@ -726,8 +733,8 @@ static bool check_underflow(struct ipt_entry *e)
static int
check_entry_size_and_hooks(struct ipt_entry *e,
struct xt_table_info *newinfo,
- unsigned char *base,
- unsigned char *limit,
+ const unsigned char *base,
+ const unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
unsigned int valid_hooks,
@@ -940,11 +947,11 @@ get_counters(const struct xt_table_info *t,
local_bh_enable();
}
-static struct xt_counters * alloc_counters(struct xt_table *table)
+static struct xt_counters *alloc_counters(const struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
(other than comefrom, which userspace doesn't care
@@ -962,11 +969,11 @@ static struct xt_counters * alloc_counters(struct xt_table *table)
static int
copy_entries_to_user(unsigned int total_size,
- struct xt_table *table,
+ const struct xt_table *table,
void __user *userptr)
{
unsigned int off, num;
- struct ipt_entry *e;
+ const struct ipt_entry *e;
struct xt_counters *counters;
const struct xt_table_info *private = table->private;
int ret = 0;
@@ -1018,7 +1025,7 @@ copy_entries_to_user(unsigned int total_size,
}
}
- t = ipt_get_target(e);
+ t = ipt_get_target_c(e);
if (copy_to_user(userptr + off + e->target_offset
+ offsetof(struct ipt_entry_target,
u.user.name),
@@ -1054,24 +1061,24 @@ static int compat_standard_to_user(void __user *dst, const void *src)
}
static inline int
-compat_calc_match(struct ipt_entry_match *m, int *size)
+compat_calc_match(const struct ipt_entry_match *m, int *size)
{
*size += xt_compat_match_offset(m->u.kernel.match);
return 0;
}
-static int compat_calc_entry(struct ipt_entry *e,
+static int compat_calc_entry(const struct ipt_entry *e,
const struct xt_table_info *info,
- void *base, struct xt_table_info *newinfo)
+ const void *base, struct xt_table_info *newinfo)
{
- struct ipt_entry_target *t;
+ const struct ipt_entry_target *t;
unsigned int entry_offset;
int off, i, ret;
off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
entry_offset = (void *)e - base;
IPT_MATCH_ITERATE(e, compat_calc_match, &off);
- t = ipt_get_target(e);
+ t = ipt_get_target_c(e);
off += xt_compat_target_offset(t->u.kernel.target);
newinfo->size -= off;
ret = xt_compat_add_offset(AF_INET, entry_offset, off);
@@ -1107,7 +1114,8 @@ static int compat_table_info(const struct xt_table_info *info,
}
#endif
-static int get_info(struct net *net, void __user *user, int *len, int compat)
+static int get_info(struct net *net, void __user *user,
+ const int *len, int compat)
{
char name[IPT_TABLE_MAXNAMELEN];
struct xt_table *t;
@@ -1167,7 +1175,8 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
}
static int
-get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len)
+get_entries(struct net *net, struct ipt_get_entries __user *uptr,
+ const int *len)
{
int ret;
struct ipt_get_entries get;
@@ -1277,7 +1286,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
}
static int
-do_replace(struct net *net, void __user *user, unsigned int len)
+do_replace(struct net *net, const void __user *user, unsigned int len)
{
int ret;
struct ipt_replace tmp;
@@ -1338,7 +1347,8 @@ add_counter_to_entry(struct ipt_entry *e,
}
static int
-do_add_counters(struct net *net, void __user *user, unsigned int len, int compat)
+do_add_counters(struct net *net, const void __user *user,
+ unsigned int len, int compat)
{
unsigned int i, curcpu;
struct xt_counters_info tmp;
@@ -1534,10 +1544,10 @@ static int
check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
struct xt_table_info *newinfo,
unsigned int *size,
- unsigned char *base,
- unsigned char *limit,
- unsigned int *hook_entries,
- unsigned int *underflows,
+ const unsigned char *base,
+ const unsigned char *limit,
+ const unsigned int *hook_entries,
+ const unsigned int *underflows,
unsigned int *i,
const char *name)
{
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 47ed731..654cdc7 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -201,7 +201,7 @@ ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
/* Performance critical - called for every packet */
static inline bool
-do_match(struct ip6t_entry_match *m, const struct sk_buff *skb,
+do_match(const struct ip6t_entry_match *m, const struct sk_buff *skb,
struct xt_match_param *par)
{
par->match = m->u.kernel.match;
@@ -215,7 +215,7 @@ do_match(struct ip6t_entry_match *m, const struct sk_buff *skb,
}
static inline struct ip6t_entry *
-get_entry(void *base, unsigned int offset)
+get_entry(const void *base, unsigned int offset)
{
return (struct ip6t_entry *)(base + offset);
}
@@ -229,6 +229,12 @@ static inline bool unconditional(const struct ip6t_ip6 *ipv6)
return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
}
+static inline const struct ip6t_entry_target *
+ip6t_get_target_c(const struct ip6t_entry *e)
+{
+ return ip6t_get_target((struct ip6t_entry *)e);
+}
+
#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
/* This cries for unification! */
@@ -264,11 +270,11 @@ static struct nf_loginfo trace_loginfo = {
/* Mildly perf critical (only if packet tracing is on) */
static inline int
-get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
+get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
const char *hookname, const char **chainname,
const char **comment, unsigned int *rulenum)
{
- struct ip6t_standard_target *t = (void *)ip6t_get_target(s);
+ const struct ip6t_standard_target *t = (void *)ip6t_get_target_c(s);
if (strcmp(t->target.u.kernel.target->name, IP6T_ERROR_TARGET) == 0) {
/* Head of user chain: ERROR target with chainname */
@@ -294,15 +300,15 @@ get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
return 0;
}
-static void trace_packet(struct sk_buff *skb,
+static void trace_packet(const struct sk_buff *skb,
unsigned int hook,
const struct net_device *in,
const struct net_device *out,
const char *tablename,
- struct xt_table_info *private,
- struct ip6t_entry *e)
+ const struct xt_table_info *private,
+ const struct ip6t_entry *e)
{
- void *table_base;
+ const void *table_base;
const struct ip6t_entry *root;
const char *hookname, *chainname, *comment;
unsigned int rulenum = 0;
@@ -345,9 +351,9 @@ ip6t_do_table(struct sk_buff *skb,
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
const char *indev, *outdev;
- void *table_base;
+ const void *table_base;
struct ip6t_entry *e, *back;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
struct xt_match_param mtpar;
struct xt_target_param tgpar;
@@ -378,7 +384,7 @@ ip6t_do_table(struct sk_buff *skb,
back = get_entry(table_base, private->underflow[hook]);
do {
- struct ip6t_entry_target *t;
+ const struct ip6t_entry_target *t;
IP_NF_ASSERT(e);
IP_NF_ASSERT(back);
@@ -393,7 +399,7 @@ ip6t_do_table(struct sk_buff *skb,
ntohs(ipv6_hdr(skb)->payload_len) +
sizeof(struct ipv6hdr), 1);
- t = ip6t_get_target(e);
+ t = ip6t_get_target_c(e);
IP_NF_ASSERT(t->u.kernel.target);
#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
@@ -475,7 +481,7 @@ ip6t_do_table(struct sk_buff *skb,
/* Figures out from what hook each rule can be called: returns 0 if
there are loops. Puts hook bitmask in comefrom. */
static int
-mark_source_chains(struct xt_table_info *newinfo,
+mark_source_chains(const struct xt_table_info *newinfo,
unsigned int valid_hooks, void *entry0)
{
unsigned int hook;
@@ -493,8 +499,8 @@ mark_source_chains(struct xt_table_info *newinfo,
e->counters.pcnt = pos;
for (;;) {
- struct ip6t_standard_target *t
- = (void *)ip6t_get_target(e);
+ const struct ip6t_standard_target *t
+ = (void *)ip6t_get_target_c(e);
int visited = e->comefrom & (1 << hook);
if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
@@ -602,9 +608,9 @@ cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
}
static int
-check_entry(struct ip6t_entry *e, const char *name)
+check_entry(const struct ip6t_entry *e, const char *name)
{
- struct ip6t_entry_target *t;
+ const struct ip6t_entry_target *t;
if (!ip6_checkentry(&e->ipv6)) {
duprintf("ip_tables: ip check failed %p %s.\n", e, name);
@@ -615,7 +621,7 @@ check_entry(struct ip6t_entry *e, const char *name)
e->next_offset)
return -EINVAL;
- t = ip6t_get_target(e);
+ t = ip6t_get_target_c(e);
if (e->target_offset + t->u.target_size > e->next_offset)
return -EINVAL;
@@ -740,14 +746,14 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
return ret;
}
-static bool check_underflow(struct ip6t_entry *e)
+static bool check_underflow(const struct ip6t_entry *e)
{
const struct ip6t_entry_target *t;
unsigned int verdict;
if (!unconditional(&e->ipv6))
return false;
- t = ip6t_get_target(e);
+ t = ip6t_get_target_c(e);
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
return false;
verdict = ((struct ip6t_standard_target *)t)->verdict;
@@ -758,8 +764,8 @@ static bool check_underflow(struct ip6t_entry *e)
static int
check_entry_size_and_hooks(struct ip6t_entry *e,
struct xt_table_info *newinfo,
- unsigned char *base,
- unsigned char *limit,
+ const unsigned char *base,
+ const unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
unsigned int valid_hooks,
@@ -972,11 +978,11 @@ get_counters(const struct xt_table_info *t,
local_bh_enable();
}
-static struct xt_counters *alloc_counters(struct xt_table *table)
+static struct xt_counters *alloc_counters(const struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
(other than comefrom, which userspace doesn't care
@@ -994,11 +1000,11 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
static int
copy_entries_to_user(unsigned int total_size,
- struct xt_table *table,
+ const struct xt_table *table,
void __user *userptr)
{
unsigned int off, num;
- struct ip6t_entry *e;
+ const struct ip6t_entry *e;
struct xt_counters *counters;
const struct xt_table_info *private = table->private;
int ret = 0;
@@ -1050,7 +1056,7 @@ copy_entries_to_user(unsigned int total_size,
}
}
- t = ip6t_get_target(e);
+ t = ip6t_get_target_c(e);
if (copy_to_user(userptr + off + e->target_offset
+ offsetof(struct ip6t_entry_target,
u.user.name),
@@ -1086,24 +1092,24 @@ static int compat_standard_to_user(void __user *dst, const void *src)
}
static inline int
-compat_calc_match(struct ip6t_entry_match *m, int *size)
+compat_calc_match(const struct ip6t_entry_match *m, int *size)
{
*size += xt_compat_match_offset(m->u.kernel.match);
return 0;
}
-static int compat_calc_entry(struct ip6t_entry *e,
+static int compat_calc_entry(const struct ip6t_entry *e,
const struct xt_table_info *info,
- void *base, struct xt_table_info *newinfo)
+ const void *base, struct xt_table_info *newinfo)
{
- struct ip6t_entry_target *t;
+ const struct ip6t_entry_target *t;
unsigned int entry_offset;
int off, i, ret;
off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
entry_offset = (void *)e - base;
IP6T_MATCH_ITERATE(e, compat_calc_match, &off);
- t = ip6t_get_target(e);
+ t = ip6t_get_target_c(e);
off += xt_compat_target_offset(t->u.kernel.target);
newinfo->size -= off;
ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
@@ -1139,7 +1145,8 @@ static int compat_table_info(const struct xt_table_info *info,
}
#endif
-static int get_info(struct net *net, void __user *user, int *len, int compat)
+static int get_info(struct net *net, void __user *user,
+ const int *len, int compat)
{
char name[IP6T_TABLE_MAXNAMELEN];
struct xt_table *t;
@@ -1199,7 +1206,8 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
}
static int
-get_entries(struct net *net, struct ip6t_get_entries __user *uptr, int *len)
+get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
+ const int *len)
{
int ret;
struct ip6t_get_entries get;
@@ -1310,7 +1318,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
}
static int
-do_replace(struct net *net, void __user *user, unsigned int len)
+do_replace(struct net *net, const void __user *user, unsigned int len)
{
int ret;
struct ip6t_replace tmp;
@@ -1371,7 +1379,7 @@ add_counter_to_entry(struct ip6t_entry *e,
}
static int
-do_add_counters(struct net *net, void __user *user, unsigned int len,
+do_add_counters(struct net *net, const void __user *user, unsigned int len,
int compat)
{
unsigned int i, curcpu;
@@ -1570,10 +1578,10 @@ static int
check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
struct xt_table_info *newinfo,
unsigned int *size,
- unsigned char *base,
- unsigned char *limit,
- unsigned int *hook_entries,
- unsigned int *underflows,
+ const unsigned char *base,
+ const unsigned char *limit,
+ const unsigned int *hook_entries,
+ const unsigned int *underflows,
unsigned int *i,
const char *name)
{
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 033/103] netfilter: xtables: replace XT_ENTRY_ITERATE macro
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (31 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 032/103] netfilter: xtables: add const qualifiers Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 034/103] netfilter: xtables: optimize call flow around xt_entry_foreach Jan Engelhardt
` (71 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
The macro is replaced by a list.h-like foreach loop. This makes
the code much more inspectable.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 9 ++
include/linux/netfilter_arp/arp_tables.h | 10 +--
include/linux/netfilter_ipv4/ip_tables.h | 11 +--
include/linux/netfilter_ipv6/ip6_tables.h | 10 +--
net/ipv4/netfilter/arp_tables.c | 151 ++++++++++++++++++----------
net/ipv4/netfilter/ip_tables.c | 160 +++++++++++++++++++----------
net/ipv6/netfilter/ip6_tables.c | 160 +++++++++++++++++++----------
7 files changed, 321 insertions(+), 190 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 5e434a1..6e051c0 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -147,6 +147,7 @@ struct xt_counters_info
__ret; \
})
+#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
({ \
@@ -171,6 +172,14 @@ struct xt_counters_info
#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
+#endif /* !__KERNEL__ */
+
+/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
+#define xt_entry_foreach(pos, ehead, esize) \
+ for ((pos) = (typeof(pos))(ehead); \
+ (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
+ (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
+
#ifdef __KERNEL__
#include <linux/netdevice.h>
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 6fe3e6a..16313df 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -214,9 +214,11 @@ static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e
return (void *)e + e->target_offset;
}
+#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
+#endif
/*
* Main firewall chains definitions and global var's definitions.
@@ -297,14 +299,6 @@ compat_arpt_get_target(struct compat_arpt_entry *e)
#define COMPAT_ARPT_ALIGN(s) COMPAT_XT_ALIGN(s)
-/* fn returns 0 to continue iteration */
-#define COMPAT_ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
- XT_ENTRY_ITERATE(struct compat_arpt_entry, entries, size, fn, ## args)
-
-#define COMPAT_ARPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \
- XT_ENTRY_ITERATE_CONTINUE(struct compat_arpt_entry, entries, size, n, \
- fn, ## args)
-
#endif /* CONFIG_COMPAT */
#endif /*__KERNEL__*/
#endif /* _ARPTABLES_H */
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 61fafc8..362b1f1 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -232,9 +232,11 @@ ipt_get_target(struct ipt_entry *e)
#define IPT_MATCH_ITERATE(e, fn, args...) \
XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
+#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
+#endif
/*
* Main firewall chains definitions and global var's definitions.
@@ -325,15 +327,6 @@ compat_ipt_get_target(struct compat_ipt_entry *e)
#define COMPAT_IPT_MATCH_ITERATE(e, fn, args...) \
XT_MATCH_ITERATE(struct compat_ipt_entry, e, fn, ## args)
-/* fn returns 0 to continue iteration */
-#define COMPAT_IPT_ENTRY_ITERATE(entries, size, fn, args...) \
- XT_ENTRY_ITERATE(struct compat_ipt_entry, entries, size, fn, ## args)
-
-/* fn returns 0 to continue iteration */
-#define COMPAT_IPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \
- XT_ENTRY_ITERATE_CONTINUE(struct compat_ipt_entry, entries, size, n, \
- fn, ## args)
-
#endif /* CONFIG_COMPAT */
#endif /*__KERNEL__*/
#endif /* _IPTABLES_H */
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index a64e145..43db986 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -292,9 +292,11 @@ ip6t_get_target(struct ip6t_entry *e)
#define IP6T_MATCH_ITERATE(e, fn, args...) \
XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
+#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
+#endif
/*
* Main firewall chains definitions and global var's definitions.
@@ -353,14 +355,6 @@ compat_ip6t_get_target(struct compat_ip6t_entry *e)
#define COMPAT_IP6T_MATCH_ITERATE(e, fn, args...) \
XT_MATCH_ITERATE(struct compat_ip6t_entry, e, fn, ## args)
-/* fn returns 0 to continue iteration */
-#define COMPAT_IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
- XT_ENTRY_ITERATE(struct compat_ip6t_entry, entries, size, fn, ## args)
-
-#define COMPAT_IP6T_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \
- XT_ENTRY_ITERATE_CONTINUE(struct compat_ip6t_entry, entries, size, n, \
- fn, ## args)
-
#endif /* CONFIG_COMPAT */
#endif /*__KERNEL__*/
#endif /* _IP6_TABLES_H */
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 214dfd0..95695e7 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -634,8 +634,9 @@ static int translate_table(const char *name,
const unsigned int *hook_entries,
const unsigned int *underflows)
{
+ struct arpt_entry *iter;
unsigned int i;
- int ret;
+ int ret = 0;
newinfo->size = size;
newinfo->number = number;
@@ -650,12 +651,13 @@ static int translate_table(const char *name,
i = 0;
/* Walk through entries, checking offsets. */
- ret = ARPT_ENTRY_ITERATE(entry0, newinfo->size,
- check_entry_size_and_hooks,
- newinfo,
- entry0,
- entry0 + size,
- hook_entries, underflows, valid_hooks, &i);
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ ret = check_entry_size_and_hooks(iter, newinfo, entry0,
+ entry0 + size, hook_entries, underflows,
+ valid_hooks, &i);
+ if (ret != 0)
+ break;
+ }
duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
if (ret != 0)
return ret;
@@ -690,12 +692,16 @@ static int translate_table(const char *name,
/* Finally, each sanity check must pass */
i = 0;
- ret = ARPT_ENTRY_ITERATE(entry0, newinfo->size,
- find_check_entry, name, size, &i);
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ ret = find_check_entry(iter, name, size, &i);
+ if (ret != 0)
+ break;
+ }
if (ret != 0) {
- ARPT_ENTRY_ITERATE(entry0, newinfo->size,
- cleanup_entry, &i);
+ xt_entry_foreach(iter, entry0, newinfo->size)
+ if (cleanup_entry(iter, &i) != 0)
+ break;
return ret;
}
@@ -732,6 +738,7 @@ static inline int set_entry_to_counter(const struct arpt_entry *e,
static void get_counters(const struct xt_table_info *t,
struct xt_counters counters[])
{
+ struct arpt_entry *iter;
unsigned int cpu;
unsigned int i;
unsigned int curcpu;
@@ -747,22 +754,18 @@ static void get_counters(const struct xt_table_info *t,
curcpu = smp_processor_id();
i = 0;
- ARPT_ENTRY_ITERATE(t->entries[curcpu],
- t->size,
- set_entry_to_counter,
- counters,
- &i);
+ xt_entry_foreach(iter, t->entries[curcpu], t->size)
+ if (set_entry_to_counter(iter, counters, &i) != 0)
+ break;
for_each_possible_cpu(cpu) {
if (cpu == curcpu)
continue;
i = 0;
xt_info_wrlock(cpu);
- ARPT_ENTRY_ITERATE(t->entries[cpu],
- t->size,
- add_entry_to_counter,
- counters,
- &i);
+ xt_entry_foreach(iter, t->entries[cpu], t->size)
+ if (add_entry_to_counter(iter, counters, &i) != 0)
+ break;
xt_info_wrunlock(cpu);
}
local_bh_enable();
@@ -892,7 +895,9 @@ static int compat_calc_entry(const struct arpt_entry *e,
static int compat_table_info(const struct xt_table_info *info,
struct xt_table_info *newinfo)
{
+ struct arpt_entry *iter;
void *loc_cpu_entry;
+ int ret = 0;
if (!newinfo || !info)
return -EINVAL;
@@ -901,9 +906,12 @@ static int compat_table_info(const struct xt_table_info *info,
memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
newinfo->initial_entries = 0;
loc_cpu_entry = info->entries[raw_smp_processor_id()];
- return ARPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
- compat_calc_entry, info, loc_cpu_entry,
- newinfo);
+ xt_entry_foreach(iter, loc_cpu_entry, info->size) {
+ ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
+ if (ret != 0)
+ break;
+ }
+ return ret;
}
#endif
@@ -1018,6 +1026,7 @@ static int __do_replace(struct net *net, const char *name,
struct xt_table_info *oldinfo;
struct xt_counters *counters;
void *loc_cpu_old_entry;
+ struct arpt_entry *iter;
ret = 0;
counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
@@ -1061,8 +1070,9 @@ static int __do_replace(struct net *net, const char *name,
/* Decrease module usage counts and free resource */
loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
- ARPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,
- NULL);
+ xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
xt_free_table_info(oldinfo);
if (copy_to_user(counters_ptr, counters,
@@ -1088,6 +1098,7 @@ static int do_replace(struct net *net, const void __user *user,
struct arpt_replace tmp;
struct xt_table_info *newinfo;
void *loc_cpu_entry;
+ struct arpt_entry *iter;
if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
return -EFAULT;
@@ -1123,7 +1134,9 @@ static int do_replace(struct net *net, const void __user *user,
return 0;
free_newinfo_untrans:
- ARPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
free_newinfo:
xt_free_table_info(newinfo);
return ret;
@@ -1156,6 +1169,7 @@ static int do_add_counters(struct net *net, const void __user *user,
const struct xt_table_info *private;
int ret = 0;
void *loc_cpu_entry;
+ struct arpt_entry *iter;
#ifdef CONFIG_COMPAT
struct compat_xt_counters_info compat_tmp;
@@ -1213,11 +1227,9 @@ static int do_add_counters(struct net *net, const void __user *user,
curcpu = smp_processor_id();
loc_cpu_entry = private->entries[curcpu];
xt_info_wrlock(curcpu);
- ARPT_ENTRY_ITERATE(loc_cpu_entry,
- private->size,
- add_counter_to_entry,
- paddc,
- &i);
+ xt_entry_foreach(iter, loc_cpu_entry, private->size)
+ if (add_counter_to_entry(iter, paddc, &i) != 0)
+ break;
xt_info_wrunlock(curcpu);
unlock_up_free:
local_bh_enable();
@@ -1381,8 +1393,10 @@ static int translate_compat_table(const char *name,
unsigned int i, j;
struct xt_table_info *newinfo, *info;
void *pos, *entry0, *entry1;
+ struct compat_arpt_entry *iter0;
+ struct arpt_entry *iter1;
unsigned int size;
- int ret;
+ int ret = 0;
info = *pinfo;
entry0 = *pentry0;
@@ -1399,11 +1413,13 @@ static int translate_compat_table(const char *name,
j = 0;
xt_compat_lock(NFPROTO_ARP);
/* Walk through entries, checking offsets. */
- ret = COMPAT_ARPT_ENTRY_ITERATE(entry0, total_size,
- check_compat_entry_size_and_hooks,
- info, &size, entry0,
- entry0 + total_size,
- hook_entries, underflows, &j, name);
+ xt_entry_foreach(iter0, entry0, total_size) {
+ ret = check_compat_entry_size_and_hooks(iter0, info, &size,
+ entry0, entry0 + total_size, hook_entries, underflows,
+ &j, name);
+ if (ret != 0)
+ break;
+ }
if (ret != 0)
goto out_unlock;
@@ -1444,9 +1460,12 @@ static int translate_compat_table(const char *name,
entry1 = newinfo->entries[raw_smp_processor_id()];
pos = entry1;
size = total_size;
- ret = COMPAT_ARPT_ENTRY_ITERATE(entry0, total_size,
- compat_copy_entry_from_user,
- &pos, &size, name, newinfo, entry1);
+ xt_entry_foreach(iter0, entry0, total_size) {
+ ret = compat_copy_entry_from_user(iter0, &pos,
+ &size, name, newinfo, entry1);
+ if (ret != 0)
+ break;
+ }
xt_compat_flush_offsets(NFPROTO_ARP);
xt_compat_unlock(NFPROTO_ARP);
if (ret)
@@ -1457,13 +1476,28 @@ static int translate_compat_table(const char *name,
goto free_newinfo;
i = 0;
- ret = ARPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
- name, &i);
+ xt_entry_foreach(iter1, entry1, newinfo->size) {
+ ret = compat_check_entry(iter1, name, &i);
+ if (ret != 0)
+ break;
+ }
if (ret) {
+ /*
+ * The first i matches need cleanup_entry (calls ->destroy)
+ * because they had called ->check already. The other j-i
+ * entries need only release.
+ */
+ int skip = i;
j -= i;
- COMPAT_ARPT_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i,
- compat_release_entry, &j);
- ARPT_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i);
+ xt_entry_foreach(iter0, entry0, newinfo->size) {
+ if (skip-- > 0)
+ continue;
+ if (compat_release_entry(iter0, &j) != 0)
+ break;
+ }
+ xt_entry_foreach(iter1, entry1, newinfo->size)
+ if (cleanup_entry(iter1, &i) != 0)
+ break;
xt_free_table_info(newinfo);
return ret;
}
@@ -1481,7 +1515,9 @@ static int translate_compat_table(const char *name,
free_newinfo:
xt_free_table_info(newinfo);
out:
- COMPAT_ARPT_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j);
+ xt_entry_foreach(iter0, entry0, total_size)
+ if (compat_release_entry(iter0, &j) != 0)
+ break;
return ret;
out_unlock:
xt_compat_flush_offsets(NFPROTO_ARP);
@@ -1508,6 +1544,7 @@ static int compat_do_replace(struct net *net, void __user *user,
struct compat_arpt_replace tmp;
struct xt_table_info *newinfo;
void *loc_cpu_entry;
+ struct arpt_entry *iter;
if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
return -EFAULT;
@@ -1545,7 +1582,9 @@ static int compat_do_replace(struct net *net, void __user *user,
return 0;
free_newinfo_untrans:
- ARPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
free_newinfo:
xt_free_table_info(newinfo);
return ret;
@@ -1629,6 +1668,7 @@ static int compat_copy_entries_to_user(unsigned int total_size,
int ret = 0;
void *loc_cpu_entry;
unsigned int i = 0;
+ struct arpt_entry *iter;
counters = alloc_counters(table);
if (IS_ERR(counters))
@@ -1638,9 +1678,12 @@ static int compat_copy_entries_to_user(unsigned int total_size,
loc_cpu_entry = private->entries[raw_smp_processor_id()];
pos = userptr;
size = total_size;
- ret = ARPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
- compat_copy_entry_to_user,
- &pos, &size, counters, &i);
+ xt_entry_foreach(iter, loc_cpu_entry, total_size) {
+ ret = compat_copy_entry_to_user(iter, &pos,
+ &size, counters, &i);
+ if (ret != 0)
+ break;
+ }
vfree(counters);
return ret;
}
@@ -1836,13 +1879,15 @@ void arpt_unregister_table(struct xt_table *table)
struct xt_table_info *private;
void *loc_cpu_entry;
struct module *table_owner = table->me;
+ struct arpt_entry *iter;
private = xt_unregister_table(table);
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries[raw_smp_processor_id()];
- ARPT_ENTRY_ITERATE(loc_cpu_entry, private->size,
- cleanup_entry, NULL);
+ xt_entry_foreach(iter, loc_cpu_entry, private->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 2c34413..b902779 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -281,6 +281,7 @@ static void trace_packet(const struct sk_buff *skb,
const void *table_base;
const struct ipt_entry *root;
const char *hookname, *chainname, *comment;
+ const struct ipt_entry *iter;
unsigned int rulenum = 0;
table_base = private->entries[smp_processor_id()];
@@ -289,10 +290,10 @@ static void trace_packet(const struct sk_buff *skb,
hookname = chainname = hooknames[hook];
comment = comments[NF_IP_TRACE_COMMENT_RULE];
- IPT_ENTRY_ITERATE(root,
- private->size - private->hook_entry[hook],
- get_chainname_rulenum,
- e, hookname, &chainname, &comment, &rulenum);
+ xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
+ if (get_chainname_rulenum(iter, e, hookname,
+ &chainname, &comment, &rulenum) != 0)
+ break;
nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
"TRACE: %s:%s:%s:%u ",
@@ -814,8 +815,9 @@ translate_table(const char *name,
const unsigned int *hook_entries,
const unsigned int *underflows)
{
+ struct ipt_entry *iter;
unsigned int i;
- int ret;
+ int ret = 0;
newinfo->size = size;
newinfo->number = number;
@@ -829,12 +831,13 @@ translate_table(const char *name,
duprintf("translate_table: size %u\n", newinfo->size);
i = 0;
/* Walk through entries, checking offsets. */
- ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
- check_entry_size_and_hooks,
- newinfo,
- entry0,
- entry0 + size,
- hook_entries, underflows, valid_hooks, &i);
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ ret = check_entry_size_and_hooks(iter, newinfo, entry0,
+ entry0 + size, hook_entries, underflows,
+ valid_hooks, &i);
+ if (ret != 0)
+ break;
+ }
if (ret != 0)
return ret;
@@ -866,12 +869,16 @@ translate_table(const char *name,
/* Finally, each sanity check must pass */
i = 0;
- ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
- find_check_entry, name, size, &i);
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ ret = find_check_entry(iter, name, size, &i);
+ if (ret != 0)
+ break;
+ }
if (ret != 0) {
- IPT_ENTRY_ITERATE(entry0, newinfo->size,
- cleanup_entry, &i);
+ xt_entry_foreach(iter, entry0, newinfo->size)
+ if (cleanup_entry(iter, &i) != 0)
+ break;
return ret;
}
@@ -911,6 +918,7 @@ static void
get_counters(const struct xt_table_info *t,
struct xt_counters counters[])
{
+ struct ipt_entry *iter;
unsigned int cpu;
unsigned int i;
unsigned int curcpu;
@@ -926,22 +934,18 @@ get_counters(const struct xt_table_info *t,
curcpu = smp_processor_id();
i = 0;
- IPT_ENTRY_ITERATE(t->entries[curcpu],
- t->size,
- set_entry_to_counter,
- counters,
- &i);
+ xt_entry_foreach(iter, t->entries[curcpu], t->size)
+ if (set_entry_to_counter(iter, counters, &i) != 0)
+ break;
for_each_possible_cpu(cpu) {
if (cpu == curcpu)
continue;
i = 0;
xt_info_wrlock(cpu);
- IPT_ENTRY_ITERATE(t->entries[cpu],
- t->size,
- add_entry_to_counter,
- counters,
- &i);
+ xt_entry_foreach(iter, t->entries[cpu], t->size)
+ if (add_entry_to_counter(iter, counters, &i) != 0)
+ break;
xt_info_wrunlock(cpu);
}
local_bh_enable();
@@ -1099,7 +1103,9 @@ static int compat_calc_entry(const struct ipt_entry *e,
static int compat_table_info(const struct xt_table_info *info,
struct xt_table_info *newinfo)
{
+ struct ipt_entry *iter;
void *loc_cpu_entry;
+ int ret = 0;
if (!newinfo || !info)
return -EINVAL;
@@ -1108,9 +1114,12 @@ static int compat_table_info(const struct xt_table_info *info,
memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
newinfo->initial_entries = 0;
loc_cpu_entry = info->entries[raw_smp_processor_id()];
- return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
- compat_calc_entry, info, loc_cpu_entry,
- newinfo);
+ xt_entry_foreach(iter, loc_cpu_entry, info->size) {
+ ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
+ if (ret != 0)
+ break;
+ }
+ return ret;
}
#endif
@@ -1224,6 +1233,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
struct xt_table_info *oldinfo;
struct xt_counters *counters;
void *loc_cpu_old_entry;
+ struct ipt_entry *iter;
ret = 0;
counters = vmalloc(num_counters * sizeof(struct xt_counters));
@@ -1266,8 +1276,10 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
/* Decrease module usage counts and free resource */
loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
- IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,
- NULL);
+ xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
+
xt_free_table_info(oldinfo);
if (copy_to_user(counters_ptr, counters,
sizeof(struct xt_counters) * num_counters) != 0)
@@ -1292,6 +1304,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
struct ipt_replace tmp;
struct xt_table_info *newinfo;
void *loc_cpu_entry;
+ struct ipt_entry *iter;
if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
return -EFAULT;
@@ -1327,7 +1340,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
return 0;
free_newinfo_untrans:
- IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
free_newinfo:
xt_free_table_info(newinfo);
return ret;
@@ -1361,6 +1376,7 @@ do_add_counters(struct net *net, const void __user *user,
const struct xt_table_info *private;
int ret = 0;
void *loc_cpu_entry;
+ struct ipt_entry *iter;
#ifdef CONFIG_COMPAT
struct compat_xt_counters_info compat_tmp;
@@ -1418,11 +1434,9 @@ do_add_counters(struct net *net, const void __user *user,
curcpu = smp_processor_id();
loc_cpu_entry = private->entries[curcpu];
xt_info_wrlock(curcpu);
- IPT_ENTRY_ITERATE(loc_cpu_entry,
- private->size,
- add_counter_to_entry,
- paddc,
- &i);
+ xt_entry_foreach(iter, loc_cpu_entry, private->size)
+ if (add_counter_to_entry(iter, paddc, &i) != 0)
+ break;
xt_info_wrunlock(curcpu);
unlock_up_free:
local_bh_enable();
@@ -1706,8 +1720,10 @@ translate_compat_table(const char *name,
unsigned int i, j;
struct xt_table_info *newinfo, *info;
void *pos, *entry0, *entry1;
+ struct compat_ipt_entry *iter0;
+ struct ipt_entry *iter1;
unsigned int size;
- int ret;
+ int ret = 0;
info = *pinfo;
entry0 = *pentry0;
@@ -1724,11 +1740,13 @@ translate_compat_table(const char *name,
j = 0;
xt_compat_lock(AF_INET);
/* Walk through entries, checking offsets. */
- ret = COMPAT_IPT_ENTRY_ITERATE(entry0, total_size,
- check_compat_entry_size_and_hooks,
- info, &size, entry0,
- entry0 + total_size,
- hook_entries, underflows, &j, name);
+ xt_entry_foreach(iter0, entry0, total_size) {
+ ret = check_compat_entry_size_and_hooks(iter0, info, &size,
+ entry0, entry0 + total_size, hook_entries, underflows,
+ &j, name);
+ if (ret != 0)
+ break;
+ }
if (ret != 0)
goto out_unlock;
@@ -1769,9 +1787,12 @@ translate_compat_table(const char *name,
entry1 = newinfo->entries[raw_smp_processor_id()];
pos = entry1;
size = total_size;
- ret = COMPAT_IPT_ENTRY_ITERATE(entry0, total_size,
- compat_copy_entry_from_user,
- &pos, &size, name, newinfo, entry1);
+ xt_entry_foreach(iter0, entry0, total_size) {
+ ret = compat_copy_entry_from_user(iter0, &pos,
+ &size, name, newinfo, entry1);
+ if (ret != 0)
+ break;
+ }
xt_compat_flush_offsets(AF_INET);
xt_compat_unlock(AF_INET);
if (ret)
@@ -1782,13 +1803,28 @@ translate_compat_table(const char *name,
goto free_newinfo;
i = 0;
- ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
- name, &i);
+ xt_entry_foreach(iter1, entry1, newinfo->size) {
+ ret = compat_check_entry(iter1, name, &i);
+ if (ret != 0)
+ break;
+ }
if (ret) {
+ /*
+ * The first i matches need cleanup_entry (calls ->destroy)
+ * because they had called ->check already. The other j-i
+ * entries need only release.
+ */
+ int skip = i;
j -= i;
- COMPAT_IPT_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i,
- compat_release_entry, &j);
- IPT_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i);
+ xt_entry_foreach(iter0, entry0, newinfo->size) {
+ if (skip-- > 0)
+ continue;
+ if (compat_release_entry(iter0, &i) != 0)
+ break;
+ }
+ xt_entry_foreach(iter1, entry1, newinfo->size)
+ if (cleanup_entry(iter1, &i) != 0)
+ break;
xt_free_table_info(newinfo);
return ret;
}
@@ -1806,7 +1842,9 @@ translate_compat_table(const char *name,
free_newinfo:
xt_free_table_info(newinfo);
out:
- COMPAT_IPT_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j);
+ xt_entry_foreach(iter0, entry0, total_size)
+ if (compat_release_entry(iter0, &j) != 0)
+ break;
return ret;
out_unlock:
xt_compat_flush_offsets(AF_INET);
@@ -1821,6 +1859,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
struct compat_ipt_replace tmp;
struct xt_table_info *newinfo;
void *loc_cpu_entry;
+ struct ipt_entry *iter;
if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
return -EFAULT;
@@ -1859,7 +1898,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
return 0;
free_newinfo_untrans:
- IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
free_newinfo:
xt_free_table_info(newinfo);
return ret;
@@ -1908,6 +1949,7 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
int ret = 0;
const void *loc_cpu_entry;
unsigned int i = 0;
+ struct ipt_entry *iter;
counters = alloc_counters(table);
if (IS_ERR(counters))
@@ -1920,9 +1962,12 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
loc_cpu_entry = private->entries[raw_smp_processor_id()];
pos = userptr;
size = total_size;
- ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
- compat_copy_entry_to_user,
- &pos, &size, counters, &i);
+ xt_entry_foreach(iter, loc_cpu_entry, total_size) {
+ ret = compat_copy_entry_to_user(iter, &pos,
+ &size, counters, &i);
+ if (ret != 0)
+ break;
+ }
vfree(counters);
return ret;
@@ -2123,12 +2168,15 @@ void ipt_unregister_table(struct xt_table *table)
struct xt_table_info *private;
void *loc_cpu_entry;
struct module *table_owner = table->me;
+ struct ipt_entry *iter;
private = xt_unregister_table(table);
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries[raw_smp_processor_id()];
- IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
+ xt_entry_foreach(iter, loc_cpu_entry, private->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 654cdc7..23d7519 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -311,6 +311,7 @@ static void trace_packet(const struct sk_buff *skb,
const void *table_base;
const struct ip6t_entry *root;
const char *hookname, *chainname, *comment;
+ const struct ip6t_entry *iter;
unsigned int rulenum = 0;
table_base = private->entries[smp_processor_id()];
@@ -319,10 +320,10 @@ static void trace_packet(const struct sk_buff *skb,
hookname = chainname = hooknames[hook];
comment = comments[NF_IP6_TRACE_COMMENT_RULE];
- IP6T_ENTRY_ITERATE(root,
- private->size - private->hook_entry[hook],
- get_chainname_rulenum,
- e, hookname, &chainname, &comment, &rulenum);
+ xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
+ if (get_chainname_rulenum(iter, e, hookname,
+ &chainname, &comment, &rulenum) != 0)
+ break;
nf_log_packet(AF_INET6, hook, skb, in, out, &trace_loginfo,
"TRACE: %s:%s:%s:%u ",
@@ -845,8 +846,9 @@ translate_table(const char *name,
const unsigned int *hook_entries,
const unsigned int *underflows)
{
+ struct ip6t_entry *iter;
unsigned int i;
- int ret;
+ int ret = 0;
newinfo->size = size;
newinfo->number = number;
@@ -860,12 +862,13 @@ translate_table(const char *name,
duprintf("translate_table: size %u\n", newinfo->size);
i = 0;
/* Walk through entries, checking offsets. */
- ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
- check_entry_size_and_hooks,
- newinfo,
- entry0,
- entry0 + size,
- hook_entries, underflows, valid_hooks, &i);
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ ret = check_entry_size_and_hooks(iter, newinfo, entry0,
+ entry0 + size, hook_entries, underflows,
+ valid_hooks, &i);
+ if (ret != 0)
+ break;
+ }
if (ret != 0)
return ret;
@@ -897,12 +900,16 @@ translate_table(const char *name,
/* Finally, each sanity check must pass */
i = 0;
- ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
- find_check_entry, name, size, &i);
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ ret = find_check_entry(iter, name, size, &i);
+ if (ret != 0)
+ break;
+ }
if (ret != 0) {
- IP6T_ENTRY_ITERATE(entry0, newinfo->size,
- cleanup_entry, &i);
+ xt_entry_foreach(iter, entry0, newinfo->size)
+ if (cleanup_entry(iter, &i) != 0)
+ break;
return ret;
}
@@ -942,6 +949,7 @@ static void
get_counters(const struct xt_table_info *t,
struct xt_counters counters[])
{
+ struct ip6t_entry *iter;
unsigned int cpu;
unsigned int i;
unsigned int curcpu;
@@ -957,22 +965,18 @@ get_counters(const struct xt_table_info *t,
curcpu = smp_processor_id();
i = 0;
- IP6T_ENTRY_ITERATE(t->entries[curcpu],
- t->size,
- set_entry_to_counter,
- counters,
- &i);
+ xt_entry_foreach(iter, t->entries[curcpu], t->size)
+ if (set_entry_to_counter(iter, counters, &i) != 0)
+ break;
for_each_possible_cpu(cpu) {
if (cpu == curcpu)
continue;
i = 0;
xt_info_wrlock(cpu);
- IP6T_ENTRY_ITERATE(t->entries[cpu],
- t->size,
- add_entry_to_counter,
- counters,
- &i);
+ xt_entry_foreach(iter, t->entries[cpu], t->size)
+ if (add_entry_to_counter(iter, counters, &i) != 0)
+ break;
xt_info_wrunlock(cpu);
}
local_bh_enable();
@@ -1130,7 +1134,9 @@ static int compat_calc_entry(const struct ip6t_entry *e,
static int compat_table_info(const struct xt_table_info *info,
struct xt_table_info *newinfo)
{
+ struct ip6t_entry *iter;
void *loc_cpu_entry;
+ int ret = 0;
if (!newinfo || !info)
return -EINVAL;
@@ -1139,9 +1145,12 @@ static int compat_table_info(const struct xt_table_info *info,
memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
newinfo->initial_entries = 0;
loc_cpu_entry = info->entries[raw_smp_processor_id()];
- return IP6T_ENTRY_ITERATE(loc_cpu_entry, info->size,
- compat_calc_entry, info, loc_cpu_entry,
- newinfo);
+ xt_entry_foreach(iter, loc_cpu_entry, info->size) {
+ ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
+ if (ret != 0)
+ break;
+ }
+ return ret;
}
#endif
@@ -1255,6 +1264,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
struct xt_table_info *oldinfo;
struct xt_counters *counters;
const void *loc_cpu_old_entry;
+ struct ip6t_entry *iter;
ret = 0;
counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
@@ -1298,8 +1308,10 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
/* Decrease module usage counts and free resource */
loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
- IP6T_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,
- NULL);
+ xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
+
xt_free_table_info(oldinfo);
if (copy_to_user(counters_ptr, counters,
sizeof(struct xt_counters) * num_counters) != 0)
@@ -1324,6 +1336,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
struct ip6t_replace tmp;
struct xt_table_info *newinfo;
void *loc_cpu_entry;
+ struct ip6t_entry *iter;
if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
return -EFAULT;
@@ -1359,7 +1372,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
return 0;
free_newinfo_untrans:
- IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
free_newinfo:
xt_free_table_info(newinfo);
return ret;
@@ -1393,6 +1408,7 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
const struct xt_table_info *private;
int ret = 0;
const void *loc_cpu_entry;
+ struct ip6t_entry *iter;
#ifdef CONFIG_COMPAT
struct compat_xt_counters_info compat_tmp;
@@ -1451,11 +1467,9 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
curcpu = smp_processor_id();
xt_info_wrlock(curcpu);
loc_cpu_entry = private->entries[curcpu];
- IP6T_ENTRY_ITERATE(loc_cpu_entry,
- private->size,
- add_counter_to_entry,
- paddc,
- &i);
+ xt_entry_foreach(iter, loc_cpu_entry, private->size)
+ if (add_counter_to_entry(iter, paddc, &i) != 0)
+ break;
xt_info_wrunlock(curcpu);
unlock_up_free:
@@ -1739,8 +1753,10 @@ translate_compat_table(const char *name,
unsigned int i, j;
struct xt_table_info *newinfo, *info;
void *pos, *entry0, *entry1;
+ struct compat_ip6t_entry *iter0;
+ struct ip6t_entry *iter1;
unsigned int size;
- int ret;
+ int ret = 0;
info = *pinfo;
entry0 = *pentry0;
@@ -1757,11 +1773,13 @@ translate_compat_table(const char *name,
j = 0;
xt_compat_lock(AF_INET6);
/* Walk through entries, checking offsets. */
- ret = COMPAT_IP6T_ENTRY_ITERATE(entry0, total_size,
- check_compat_entry_size_and_hooks,
- info, &size, entry0,
- entry0 + total_size,
- hook_entries, underflows, &j, name);
+ xt_entry_foreach(iter0, entry0, total_size) {
+ ret = check_compat_entry_size_and_hooks(iter0, info, &size,
+ entry0, entry0 + total_size, hook_entries, underflows,
+ &j, name);
+ if (ret != 0)
+ break;
+ }
if (ret != 0)
goto out_unlock;
@@ -1802,9 +1820,12 @@ translate_compat_table(const char *name,
entry1 = newinfo->entries[raw_smp_processor_id()];
pos = entry1;
size = total_size;
- ret = COMPAT_IP6T_ENTRY_ITERATE(entry0, total_size,
- compat_copy_entry_from_user,
- &pos, &size, name, newinfo, entry1);
+ xt_entry_foreach(iter0, entry0, total_size) {
+ ret = compat_copy_entry_from_user(iter0, &pos,
+ &size, name, newinfo, entry1);
+ if (ret != 0)
+ break;
+ }
xt_compat_flush_offsets(AF_INET6);
xt_compat_unlock(AF_INET6);
if (ret)
@@ -1815,13 +1836,28 @@ translate_compat_table(const char *name,
goto free_newinfo;
i = 0;
- ret = IP6T_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
- name, &i);
+ xt_entry_foreach(iter1, entry1, newinfo->size) {
+ ret = compat_check_entry(iter1, name, &i);
+ if (ret != 0)
+ break;
+ }
if (ret) {
+ /*
+ * The first i matches need cleanup_entry (calls ->destroy)
+ * because they had called ->check already. The other j-i
+ * entries need only release.
+ */
+ int skip = i;
j -= i;
- COMPAT_IP6T_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i,
- compat_release_entry, &j);
- IP6T_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i);
+ xt_entry_foreach(iter0, entry0, newinfo->size) {
+ if (skip-- > 0)
+ continue;
+ if (compat_release_entry(iter0, &j) != 0)
+ break;
+ }
+ xt_entry_foreach(iter1, entry1, newinfo->size)
+ if (cleanup_entry(iter1, &i) != 0)
+ break;
xt_free_table_info(newinfo);
return ret;
}
@@ -1839,7 +1875,9 @@ translate_compat_table(const char *name,
free_newinfo:
xt_free_table_info(newinfo);
out:
- COMPAT_IP6T_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j);
+ xt_entry_foreach(iter0, entry0, total_size)
+ if (compat_release_entry(iter0, &j) != 0)
+ break;
return ret;
out_unlock:
xt_compat_flush_offsets(AF_INET6);
@@ -1854,6 +1892,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
struct compat_ip6t_replace tmp;
struct xt_table_info *newinfo;
void *loc_cpu_entry;
+ struct ip6t_entry *iter;
if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
return -EFAULT;
@@ -1892,7 +1931,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
return 0;
free_newinfo_untrans:
- IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
free_newinfo:
xt_free_table_info(newinfo);
return ret;
@@ -1941,6 +1982,7 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
int ret = 0;
const void *loc_cpu_entry;
unsigned int i = 0;
+ struct ip6t_entry *iter;
counters = alloc_counters(table);
if (IS_ERR(counters))
@@ -1953,9 +1995,12 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
loc_cpu_entry = private->entries[raw_smp_processor_id()];
pos = userptr;
size = total_size;
- ret = IP6T_ENTRY_ITERATE(loc_cpu_entry, total_size,
- compat_copy_entry_to_user,
- &pos, &size, counters, &i);
+ xt_entry_foreach(iter, loc_cpu_entry, total_size) {
+ ret = compat_copy_entry_to_user(iter, &pos,
+ &size, counters, &i);
+ if (ret != 0)
+ break;
+ }
vfree(counters);
return ret;
@@ -2155,12 +2200,15 @@ void ip6t_unregister_table(struct xt_table *table)
struct xt_table_info *private;
void *loc_cpu_entry;
struct module *table_owner = table->me;
+ struct ip6t_entry *iter;
private = xt_unregister_table(table);
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries[raw_smp_processor_id()];
- IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
+ xt_entry_foreach(iter, loc_cpu_entry, private->size)
+ if (cleanup_entry(iter, NULL) != 0)
+ break;
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 034/103] netfilter: xtables: optimize call flow around xt_entry_foreach
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (32 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 033/103] netfilter: xtables: replace XT_ENTRY_ITERATE macro Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 035/103] netfilter: xtables: replace XT_MATCH_ITERATE macro Jan Engelhardt
` (70 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arp_tables.c | 179 ++++++++++++-------------------------
net/ipv4/netfilter/ip_tables.c | 184 +++++++++++++-------------------------
net/ipv6/netfilter/ip6_tables.c | 181 +++++++++++++-------------------------
3 files changed, 182 insertions(+), 362 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 95695e7..26b7157 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -505,8 +505,7 @@ static inline int check_target(struct arpt_entry *e, const char *name)
}
static inline int
-find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
- unsigned int *i)
+find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
{
struct arpt_entry_target *t;
struct xt_target *target;
@@ -532,7 +531,6 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
if (ret)
goto err;
- (*i)++;
return 0;
err:
module_put(t->u.kernel.target->me);
@@ -561,8 +559,7 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
const unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
- unsigned int valid_hooks,
- unsigned int *i)
+ unsigned int valid_hooks)
{
unsigned int h;
@@ -599,19 +596,14 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
/* Clear counters and comefrom */
e->counters = ((struct xt_counters) { 0, 0 });
e->comefrom = 0;
-
- (*i)++;
return 0;
}
-static inline int cleanup_entry(struct arpt_entry *e, unsigned int *i)
+static inline void cleanup_entry(struct arpt_entry *e)
{
struct xt_tgdtor_param par;
struct arpt_entry_target *t;
- if (i && (*i)-- == 0)
- return 1;
-
t = arpt_get_target(e);
par.target = t->u.kernel.target;
par.targinfo = t->data;
@@ -619,7 +611,6 @@ static inline int cleanup_entry(struct arpt_entry *e, unsigned int *i)
if (par.target->destroy != NULL)
par.target->destroy(&par);
module_put(par.target->me);
- return 0;
}
/* Checks and translates the user-supplied table segment (held in
@@ -653,10 +644,10 @@ static int translate_table(const char *name,
/* Walk through entries, checking offsets. */
xt_entry_foreach(iter, entry0, newinfo->size) {
ret = check_entry_size_and_hooks(iter, newinfo, entry0,
- entry0 + size, hook_entries, underflows,
- valid_hooks, &i);
+ entry0 + size, hook_entries, underflows, valid_hooks);
if (ret != 0)
break;
+ ++i;
}
duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
if (ret != 0)
@@ -693,15 +684,18 @@ static int translate_table(const char *name,
/* Finally, each sanity check must pass */
i = 0;
xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = find_check_entry(iter, name, size, &i);
+ ret = find_check_entry(iter, name, size);
if (ret != 0)
break;
+ ++i;
}
if (ret != 0) {
- xt_entry_foreach(iter, entry0, newinfo->size)
- if (cleanup_entry(iter, &i) != 0)
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ if (i-- == 0)
break;
+ cleanup_entry(iter);
+ }
return ret;
}
@@ -714,27 +708,6 @@ static int translate_table(const char *name,
return ret;
}
-/* Gets counters. */
-static inline int add_entry_to_counter(const struct arpt_entry *e,
- struct xt_counters total[],
- unsigned int *i)
-{
- ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
-
- (*i)++;
- return 0;
-}
-
-static inline int set_entry_to_counter(const struct arpt_entry *e,
- struct xt_counters total[],
- unsigned int *i)
-{
- SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
-
- (*i)++;
- return 0;
-}
-
static void get_counters(const struct xt_table_info *t,
struct xt_counters counters[])
{
@@ -754,18 +727,22 @@ static void get_counters(const struct xt_table_info *t,
curcpu = smp_processor_id();
i = 0;
- xt_entry_foreach(iter, t->entries[curcpu], t->size)
- if (set_entry_to_counter(iter, counters, &i) != 0)
- break;
+ xt_entry_foreach(iter, t->entries[curcpu], t->size) {
+ SET_COUNTER(counters[i], iter->counters.bcnt,
+ iter->counters.pcnt);
+ ++i;
+ }
for_each_possible_cpu(cpu) {
if (cpu == curcpu)
continue;
i = 0;
xt_info_wrlock(cpu);
- xt_entry_foreach(iter, t->entries[cpu], t->size)
- if (add_entry_to_counter(iter, counters, &i) != 0)
- break;
+ xt_entry_foreach(iter, t->entries[cpu], t->size) {
+ ADD_COUNTER(counters[i], iter->counters.bcnt,
+ iter->counters.pcnt);
+ ++i;
+ }
xt_info_wrunlock(cpu);
}
local_bh_enable();
@@ -897,7 +874,7 @@ static int compat_table_info(const struct xt_table_info *info,
{
struct arpt_entry *iter;
void *loc_cpu_entry;
- int ret = 0;
+ int ret;
if (!newinfo || !info)
return -EINVAL;
@@ -909,9 +886,9 @@ static int compat_table_info(const struct xt_table_info *info,
xt_entry_foreach(iter, loc_cpu_entry, info->size) {
ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
if (ret != 0)
- break;
+ return ret;
}
- return ret;
+ return 0;
}
#endif
@@ -1071,8 +1048,7 @@ static int __do_replace(struct net *net, const char *name,
/* Decrease module usage counts and free resource */
loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
xt_free_table_info(oldinfo);
if (copy_to_user(counters_ptr, counters,
@@ -1135,26 +1111,12 @@ static int do_replace(struct net *net, const void __user *user,
free_newinfo_untrans:
xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
free_newinfo:
xt_free_table_info(newinfo);
return ret;
}
-/* We're lazy, and add to the first CPU; overflow works its fey magic
- * and everything is OK. */
-static int
-add_counter_to_entry(struct arpt_entry *e,
- const struct xt_counters addme[],
- unsigned int *i)
-{
- ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
-
- (*i)++;
- return 0;
-}
-
static int do_add_counters(struct net *net, const void __user *user,
unsigned int len, int compat)
{
@@ -1227,9 +1189,10 @@ static int do_add_counters(struct net *net, const void __user *user,
curcpu = smp_processor_id();
loc_cpu_entry = private->entries[curcpu];
xt_info_wrlock(curcpu);
- xt_entry_foreach(iter, loc_cpu_entry, private->size)
- if (add_counter_to_entry(iter, paddc, &i) != 0)
- break;
+ xt_entry_foreach(iter, loc_cpu_entry, private->size) {
+ ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
+ ++i;
+ }
xt_info_wrunlock(curcpu);
unlock_up_free:
local_bh_enable();
@@ -1242,17 +1205,12 @@ static int do_add_counters(struct net *net, const void __user *user,
}
#ifdef CONFIG_COMPAT
-static inline int
-compat_release_entry(struct compat_arpt_entry *e, unsigned int *i)
+static inline void compat_release_entry(struct compat_arpt_entry *e)
{
struct arpt_entry_target *t;
- if (i && (*i)-- == 0)
- return 1;
-
t = compat_arpt_get_target(e);
module_put(t->u.kernel.target->me);
- return 0;
}
static inline int
@@ -1263,7 +1221,6 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
const unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
- unsigned int *i,
const char *name)
{
struct arpt_entry_target *t;
@@ -1323,8 +1280,6 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
/* Clear counters and comefrom */
memset(&e->counters, 0, sizeof(e->counters));
e->comefrom = 0;
-
- (*i)++;
return 0;
release_target:
@@ -1368,19 +1323,6 @@ compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
return ret;
}
-static inline int compat_check_entry(struct arpt_entry *e, const char *name,
- unsigned int *i)
-{
- int ret;
-
- ret = check_target(e, name);
- if (ret)
- return ret;
-
- (*i)++;
- return 0;
-}
-
static int translate_compat_table(const char *name,
unsigned int valid_hooks,
struct xt_table_info **pinfo,
@@ -1416,12 +1358,11 @@ static int translate_compat_table(const char *name,
xt_entry_foreach(iter0, entry0, total_size) {
ret = check_compat_entry_size_and_hooks(iter0, info, &size,
entry0, entry0 + total_size, hook_entries, underflows,
- &j, name);
+ name);
if (ret != 0)
- break;
+ goto out_unlock;
+ ++j;
}
- if (ret != 0)
- goto out_unlock;
ret = -EINVAL;
if (j != number) {
@@ -1477,9 +1418,10 @@ static int translate_compat_table(const char *name,
i = 0;
xt_entry_foreach(iter1, entry1, newinfo->size) {
- ret = compat_check_entry(iter1, name, &i);
+ ret = check_target(iter1, name);
if (ret != 0)
break;
+ ++i;
}
if (ret) {
/*
@@ -1492,12 +1434,15 @@ static int translate_compat_table(const char *name,
xt_entry_foreach(iter0, entry0, newinfo->size) {
if (skip-- > 0)
continue;
- if (compat_release_entry(iter0, &j) != 0)
+ if (j-- == 0)
break;
+ compat_release_entry(iter0);
}
- xt_entry_foreach(iter1, entry1, newinfo->size)
- if (cleanup_entry(iter1, &i) != 0)
+ xt_entry_foreach(iter1, entry1, newinfo->size) {
+ if (i-- == 0)
break;
+ cleanup_entry(iter1);
+ }
xt_free_table_info(newinfo);
return ret;
}
@@ -1515,9 +1460,11 @@ static int translate_compat_table(const char *name,
free_newinfo:
xt_free_table_info(newinfo);
out:
- xt_entry_foreach(iter0, entry0, total_size)
- if (compat_release_entry(iter0, &j) != 0)
+ xt_entry_foreach(iter0, entry0, total_size) {
+ if (j-- == 0)
break;
+ compat_release_entry(iter0);
+ }
return ret;
out_unlock:
xt_compat_flush_offsets(NFPROTO_ARP);
@@ -1583,8 +1530,7 @@ static int compat_do_replace(struct net *net, void __user *user,
free_newinfo_untrans:
xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
free_newinfo:
xt_free_table_info(newinfo);
return ret;
@@ -1618,7 +1564,7 @@ static int compat_do_arpt_set_ctl(struct sock *sk, int cmd, void __user *user,
static int compat_copy_entry_to_user(struct arpt_entry *e, void __user **dstptr,
compat_uint_t *size,
struct xt_counters *counters,
- unsigned int *i)
+ unsigned int i)
{
struct arpt_entry_target *t;
struct compat_arpt_entry __user *ce;
@@ -1626,14 +1572,12 @@ static int compat_copy_entry_to_user(struct arpt_entry *e, void __user **dstptr,
compat_uint_t origsize;
int ret;
- ret = -EFAULT;
origsize = *size;
ce = (struct compat_arpt_entry __user *)*dstptr;
- if (copy_to_user(ce, e, sizeof(struct arpt_entry)))
- goto out;
-
- if (copy_to_user(&ce->counters, &counters[*i], sizeof(counters[*i])))
- goto out;
+ if (copy_to_user(ce, e, sizeof(struct arpt_entry)) != 0 ||
+ copy_to_user(&ce->counters, &counters[i],
+ sizeof(counters[i])) != 0)
+ return -EFAULT;
*dstptr += sizeof(struct compat_arpt_entry);
*size -= sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry);
@@ -1643,18 +1587,12 @@ static int compat_copy_entry_to_user(struct arpt_entry *e, void __user **dstptr,
t = arpt_get_target(e);
ret = xt_compat_target_to_user(t, dstptr, size);
if (ret)
- goto out;
- ret = -EFAULT;
+ return ret;
next_offset = e->next_offset - (origsize - *size);
- if (put_user(target_offset, &ce->target_offset))
- goto out;
- if (put_user(next_offset, &ce->next_offset))
- goto out;
-
- (*i)++;
+ if (put_user(target_offset, &ce->target_offset) != 0 ||
+ put_user(next_offset, &ce->next_offset) != 0)
+ return -EFAULT;
return 0;
-out:
- return ret;
}
static int compat_copy_entries_to_user(unsigned int total_size,
@@ -1680,7 +1618,7 @@ static int compat_copy_entries_to_user(unsigned int total_size,
size = total_size;
xt_entry_foreach(iter, loc_cpu_entry, total_size) {
ret = compat_copy_entry_to_user(iter, &pos,
- &size, counters, &i);
+ &size, counters, i++);
if (ret != 0)
break;
}
@@ -1886,8 +1824,7 @@ void arpt_unregister_table(struct xt_table *table)
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries[raw_smp_processor_id()];
xt_entry_foreach(iter, loc_cpu_entry, private->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index b902779..17c6ac7 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -669,8 +669,7 @@ static int check_target(struct ipt_entry *e, const char *name)
}
static int
-find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
- unsigned int *i)
+find_check_entry(struct ipt_entry *e, const char *name, unsigned int size)
{
struct ipt_entry_target *t;
struct xt_target *target;
@@ -706,8 +705,6 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
ret = check_target(e, name);
if (ret)
goto err;
-
- (*i)++;
return 0;
err:
module_put(t->u.kernel.target->me);
@@ -738,8 +735,7 @@ check_entry_size_and_hooks(struct ipt_entry *e,
const unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
- unsigned int valid_hooks,
- unsigned int *i)
+ unsigned int valid_hooks)
{
unsigned int h;
@@ -776,20 +772,15 @@ check_entry_size_and_hooks(struct ipt_entry *e,
/* Clear counters and comefrom */
e->counters = ((struct xt_counters) { 0, 0 });
e->comefrom = 0;
-
- (*i)++;
return 0;
}
-static int
-cleanup_entry(struct ipt_entry *e, unsigned int *i)
+static void
+cleanup_entry(struct ipt_entry *e)
{
struct xt_tgdtor_param par;
struct ipt_entry_target *t;
- if (i && (*i)-- == 0)
- return 1;
-
/* Cleanup all matches */
IPT_MATCH_ITERATE(e, cleanup_match, NULL);
t = ipt_get_target(e);
@@ -800,7 +791,6 @@ cleanup_entry(struct ipt_entry *e, unsigned int *i)
if (par.target->destroy != NULL)
par.target->destroy(&par);
module_put(par.target->me);
- return 0;
}
/* Checks and translates the user-supplied table segment (held in
@@ -833,13 +823,11 @@ translate_table(const char *name,
/* Walk through entries, checking offsets. */
xt_entry_foreach(iter, entry0, newinfo->size) {
ret = check_entry_size_and_hooks(iter, newinfo, entry0,
- entry0 + size, hook_entries, underflows,
- valid_hooks, &i);
+ entry0 + size, hook_entries, underflows, valid_hooks);
if (ret != 0)
- break;
+ return ret;
+ ++i;
}
- if (ret != 0)
- return ret;
if (i != number) {
duprintf("translate_table: %u not %u entries\n",
@@ -870,15 +858,18 @@ translate_table(const char *name,
/* Finally, each sanity check must pass */
i = 0;
xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = find_check_entry(iter, name, size, &i);
+ ret = find_check_entry(iter, name, size);
if (ret != 0)
break;
+ ++i;
}
if (ret != 0) {
- xt_entry_foreach(iter, entry0, newinfo->size)
- if (cleanup_entry(iter, &i) != 0)
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ if (i-- == 0)
break;
+ cleanup_entry(iter);
+ }
return ret;
}
@@ -891,29 +882,6 @@ translate_table(const char *name,
return ret;
}
-/* Gets counters. */
-static inline int
-add_entry_to_counter(const struct ipt_entry *e,
- struct xt_counters total[],
- unsigned int *i)
-{
- ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
-
- (*i)++;
- return 0;
-}
-
-static inline int
-set_entry_to_counter(const struct ipt_entry *e,
- struct ipt_counters total[],
- unsigned int *i)
-{
- SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
-
- (*i)++;
- return 0;
-}
-
static void
get_counters(const struct xt_table_info *t,
struct xt_counters counters[])
@@ -934,18 +902,22 @@ get_counters(const struct xt_table_info *t,
curcpu = smp_processor_id();
i = 0;
- xt_entry_foreach(iter, t->entries[curcpu], t->size)
- if (set_entry_to_counter(iter, counters, &i) != 0)
- break;
+ xt_entry_foreach(iter, t->entries[curcpu], t->size) {
+ SET_COUNTER(counters[i], iter->counters.bcnt,
+ iter->counters.pcnt);
+ ++i;
+ }
for_each_possible_cpu(cpu) {
if (cpu == curcpu)
continue;
i = 0;
xt_info_wrlock(cpu);
- xt_entry_foreach(iter, t->entries[cpu], t->size)
- if (add_entry_to_counter(iter, counters, &i) != 0)
- break;
+ xt_entry_foreach(iter, t->entries[cpu], t->size) {
+ ADD_COUNTER(counters[i], iter->counters.bcnt,
+ iter->counters.pcnt);
+ ++i; /* macro does multi eval of i */
+ }
xt_info_wrunlock(cpu);
}
local_bh_enable();
@@ -1105,7 +1077,7 @@ static int compat_table_info(const struct xt_table_info *info,
{
struct ipt_entry *iter;
void *loc_cpu_entry;
- int ret = 0;
+ int ret;
if (!newinfo || !info)
return -EINVAL;
@@ -1117,9 +1089,9 @@ static int compat_table_info(const struct xt_table_info *info,
xt_entry_foreach(iter, loc_cpu_entry, info->size) {
ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
if (ret != 0)
- break;
+ return ret;
}
- return ret;
+ return 0;
}
#endif
@@ -1277,8 +1249,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
/* Decrease module usage counts and free resource */
loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
xt_free_table_info(oldinfo);
if (copy_to_user(counters_ptr, counters,
@@ -1341,26 +1312,12 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
free_newinfo_untrans:
xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
free_newinfo:
xt_free_table_info(newinfo);
return ret;
}
-/* We're lazy, and add to the first CPU; overflow works its fey magic
- * and everything is OK. */
-static int
-add_counter_to_entry(struct ipt_entry *e,
- const struct xt_counters addme[],
- unsigned int *i)
-{
- ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
-
- (*i)++;
- return 0;
-}
-
static int
do_add_counters(struct net *net, const void __user *user,
unsigned int len, int compat)
@@ -1434,9 +1391,10 @@ do_add_counters(struct net *net, const void __user *user,
curcpu = smp_processor_id();
loc_cpu_entry = private->entries[curcpu];
xt_info_wrlock(curcpu);
- xt_entry_foreach(iter, loc_cpu_entry, private->size)
- if (add_counter_to_entry(iter, paddc, &i) != 0)
- break;
+ xt_entry_foreach(iter, loc_cpu_entry, private->size) {
+ ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
+ ++i;
+ }
xt_info_wrunlock(curcpu);
unlock_up_free:
local_bh_enable();
@@ -1464,7 +1422,7 @@ struct compat_ipt_replace {
static int
compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
unsigned int *size, struct xt_counters *counters,
- unsigned int *i)
+ unsigned int i)
{
struct ipt_entry_target *t;
struct compat_ipt_entry __user *ce;
@@ -1472,14 +1430,12 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
compat_uint_t origsize;
int ret;
- ret = -EFAULT;
origsize = *size;
ce = (struct compat_ipt_entry __user *)*dstptr;
- if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
- goto out;
-
- if (copy_to_user(&ce->counters, &counters[*i], sizeof(counters[*i])))
- goto out;
+ if (copy_to_user(ce, e, sizeof(struct ipt_entry)) != 0 ||
+ copy_to_user(&ce->counters, &counters[i],
+ sizeof(counters[i])) != 0)
+ return -EFAULT;
*dstptr += sizeof(struct compat_ipt_entry);
*size -= sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
@@ -1487,22 +1443,16 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
ret = IPT_MATCH_ITERATE(e, xt_compat_match_to_user, dstptr, size);
target_offset = e->target_offset - (origsize - *size);
if (ret)
- goto out;
+ return ret;
t = ipt_get_target(e);
ret = xt_compat_target_to_user(t, dstptr, size);
if (ret)
- goto out;
- ret = -EFAULT;
+ return ret;
next_offset = e->next_offset - (origsize - *size);
- if (put_user(target_offset, &ce->target_offset))
- goto out;
- if (put_user(next_offset, &ce->next_offset))
- goto out;
-
- (*i)++;
+ if (put_user(target_offset, &ce->target_offset) != 0 ||
+ put_user(next_offset, &ce->next_offset) != 0)
+ return -EFAULT;
return 0;
-out:
- return ret;
}
static int
@@ -1539,19 +1489,14 @@ compat_release_match(struct ipt_entry_match *m, unsigned int *i)
return 0;
}
-static int
-compat_release_entry(struct compat_ipt_entry *e, unsigned int *i)
+static void compat_release_entry(struct compat_ipt_entry *e)
{
struct ipt_entry_target *t;
- if (i && (*i)-- == 0)
- return 1;
-
/* Cleanup all matches */
COMPAT_IPT_MATCH_ITERATE(e, compat_release_match, NULL);
t = compat_ipt_get_target(e);
module_put(t->u.kernel.target->me);
- return 0;
}
static int
@@ -1562,7 +1507,6 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
const unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
- unsigned int *i,
const char *name)
{
struct ipt_entry_target *t;
@@ -1628,8 +1572,6 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
/* Clear counters and comefrom */
memset(&e->counters, 0, sizeof(e->counters));
e->comefrom = 0;
-
- (*i)++;
return 0;
out:
@@ -1679,8 +1621,7 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
}
static int
-compat_check_entry(struct ipt_entry *e, const char *name,
- unsigned int *i)
+compat_check_entry(struct ipt_entry *e, const char *name)
{
struct xt_mtchk_param mtpar;
unsigned int j;
@@ -1698,8 +1639,6 @@ compat_check_entry(struct ipt_entry *e, const char *name,
ret = check_target(e, name);
if (ret)
goto cleanup_matches;
-
- (*i)++;
return 0;
cleanup_matches:
@@ -1723,7 +1662,7 @@ translate_compat_table(const char *name,
struct compat_ipt_entry *iter0;
struct ipt_entry *iter1;
unsigned int size;
- int ret = 0;
+ int ret;
info = *pinfo;
entry0 = *pentry0;
@@ -1743,12 +1682,11 @@ translate_compat_table(const char *name,
xt_entry_foreach(iter0, entry0, total_size) {
ret = check_compat_entry_size_and_hooks(iter0, info, &size,
entry0, entry0 + total_size, hook_entries, underflows,
- &j, name);
+ name);
if (ret != 0)
- break;
+ goto out_unlock;
+ ++j;
}
- if (ret != 0)
- goto out_unlock;
ret = -EINVAL;
if (j != number) {
@@ -1804,9 +1742,10 @@ translate_compat_table(const char *name,
i = 0;
xt_entry_foreach(iter1, entry1, newinfo->size) {
- ret = compat_check_entry(iter1, name, &i);
+ ret = compat_check_entry(iter1, name);
if (ret != 0)
break;
+ ++i;
}
if (ret) {
/*
@@ -1819,12 +1758,15 @@ translate_compat_table(const char *name,
xt_entry_foreach(iter0, entry0, newinfo->size) {
if (skip-- > 0)
continue;
- if (compat_release_entry(iter0, &i) != 0)
+ if (j-- == 0)
break;
+ compat_release_entry(iter0);
}
- xt_entry_foreach(iter1, entry1, newinfo->size)
- if (cleanup_entry(iter1, &i) != 0)
+ xt_entry_foreach(iter1, entry1, newinfo->size) {
+ if (i-- == 0)
break;
+ cleanup_entry(iter1);
+ }
xt_free_table_info(newinfo);
return ret;
}
@@ -1842,9 +1784,11 @@ translate_compat_table(const char *name,
free_newinfo:
xt_free_table_info(newinfo);
out:
- xt_entry_foreach(iter0, entry0, total_size)
- if (compat_release_entry(iter0, &j) != 0)
+ xt_entry_foreach(iter0, entry0, total_size) {
+ if (j-- == 0)
break;
+ compat_release_entry(iter0);
+ }
return ret;
out_unlock:
xt_compat_flush_offsets(AF_INET);
@@ -1899,8 +1843,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
free_newinfo_untrans:
xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
free_newinfo:
xt_free_table_info(newinfo);
return ret;
@@ -1964,7 +1907,7 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
size = total_size;
xt_entry_foreach(iter, loc_cpu_entry, total_size) {
ret = compat_copy_entry_to_user(iter, &pos,
- &size, counters, &i);
+ &size, counters, i++);
if (ret != 0)
break;
}
@@ -2175,8 +2118,7 @@ void ipt_unregister_table(struct xt_table *table)
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries[raw_smp_processor_id()];
xt_entry_foreach(iter, loc_cpu_entry, private->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 23d7519..9d666f3 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -700,8 +700,7 @@ static int check_target(struct ip6t_entry *e, const char *name)
}
static int
-find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
- unsigned int *i)
+find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size)
{
struct ip6t_entry_target *t;
struct xt_target *target;
@@ -737,8 +736,6 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
ret = check_target(e, name);
if (ret)
goto err;
-
- (*i)++;
return 0;
err:
module_put(t->u.kernel.target->me);
@@ -769,8 +766,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
const unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
- unsigned int valid_hooks,
- unsigned int *i)
+ unsigned int valid_hooks)
{
unsigned int h;
@@ -807,20 +803,14 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
/* Clear counters and comefrom */
e->counters = ((struct xt_counters) { 0, 0 });
e->comefrom = 0;
-
- (*i)++;
return 0;
}
-static int
-cleanup_entry(struct ip6t_entry *e, unsigned int *i)
+static void cleanup_entry(struct ip6t_entry *e)
{
struct xt_tgdtor_param par;
struct ip6t_entry_target *t;
- if (i && (*i)-- == 0)
- return 1;
-
/* Cleanup all matches */
IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
t = ip6t_get_target(e);
@@ -831,7 +821,6 @@ cleanup_entry(struct ip6t_entry *e, unsigned int *i)
if (par.target->destroy != NULL)
par.target->destroy(&par);
module_put(par.target->me);
- return 0;
}
/* Checks and translates the user-supplied table segment (held in
@@ -864,13 +853,11 @@ translate_table(const char *name,
/* Walk through entries, checking offsets. */
xt_entry_foreach(iter, entry0, newinfo->size) {
ret = check_entry_size_and_hooks(iter, newinfo, entry0,
- entry0 + size, hook_entries, underflows,
- valid_hooks, &i);
+ entry0 + size, hook_entries, underflows, valid_hooks);
if (ret != 0)
- break;
+ return ret;
+ ++i;
}
- if (ret != 0)
- return ret;
if (i != number) {
duprintf("translate_table: %u not %u entries\n",
@@ -901,15 +888,18 @@ translate_table(const char *name,
/* Finally, each sanity check must pass */
i = 0;
xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = find_check_entry(iter, name, size, &i);
+ ret = find_check_entry(iter, name, size);
if (ret != 0)
break;
+ ++i;
}
if (ret != 0) {
- xt_entry_foreach(iter, entry0, newinfo->size)
- if (cleanup_entry(iter, &i) != 0)
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ if (i-- == 0)
break;
+ cleanup_entry(iter);
+ }
return ret;
}
@@ -922,29 +912,6 @@ translate_table(const char *name,
return ret;
}
-/* Gets counters. */
-static inline int
-add_entry_to_counter(const struct ip6t_entry *e,
- struct xt_counters total[],
- unsigned int *i)
-{
- ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
-
- (*i)++;
- return 0;
-}
-
-static inline int
-set_entry_to_counter(const struct ip6t_entry *e,
- struct ip6t_counters total[],
- unsigned int *i)
-{
- SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
-
- (*i)++;
- return 0;
-}
-
static void
get_counters(const struct xt_table_info *t,
struct xt_counters counters[])
@@ -965,18 +932,22 @@ get_counters(const struct xt_table_info *t,
curcpu = smp_processor_id();
i = 0;
- xt_entry_foreach(iter, t->entries[curcpu], t->size)
- if (set_entry_to_counter(iter, counters, &i) != 0)
- break;
+ xt_entry_foreach(iter, t->entries[curcpu], t->size) {
+ SET_COUNTER(counters[i], iter->counters.bcnt,
+ iter->counters.pcnt);
+ ++i;
+ }
for_each_possible_cpu(cpu) {
if (cpu == curcpu)
continue;
i = 0;
xt_info_wrlock(cpu);
- xt_entry_foreach(iter, t->entries[cpu], t->size)
- if (add_entry_to_counter(iter, counters, &i) != 0)
- break;
+ xt_entry_foreach(iter, t->entries[cpu], t->size) {
+ ADD_COUNTER(counters[i], iter->counters.bcnt,
+ iter->counters.pcnt);
+ ++i;
+ }
xt_info_wrunlock(cpu);
}
local_bh_enable();
@@ -1136,7 +1107,7 @@ static int compat_table_info(const struct xt_table_info *info,
{
struct ip6t_entry *iter;
void *loc_cpu_entry;
- int ret = 0;
+ int ret;
if (!newinfo || !info)
return -EINVAL;
@@ -1148,9 +1119,9 @@ static int compat_table_info(const struct xt_table_info *info,
xt_entry_foreach(iter, loc_cpu_entry, info->size) {
ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
if (ret != 0)
- break;
+ return ret;
}
- return ret;
+ return 0;
}
#endif
@@ -1309,8 +1280,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
/* Decrease module usage counts and free resource */
loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
xt_free_table_info(oldinfo);
if (copy_to_user(counters_ptr, counters,
@@ -1373,26 +1343,12 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
free_newinfo_untrans:
xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
free_newinfo:
xt_free_table_info(newinfo);
return ret;
}
-/* We're lazy, and add to the first CPU; overflow works its fey magic
- * and everything is OK. */
-static int
-add_counter_to_entry(struct ip6t_entry *e,
- const struct xt_counters addme[],
- unsigned int *i)
-{
- ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
-
- (*i)++;
- return 0;
-}
-
static int
do_add_counters(struct net *net, const void __user *user, unsigned int len,
int compat)
@@ -1467,9 +1423,10 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
curcpu = smp_processor_id();
xt_info_wrlock(curcpu);
loc_cpu_entry = private->entries[curcpu];
- xt_entry_foreach(iter, loc_cpu_entry, private->size)
- if (add_counter_to_entry(iter, paddc, &i) != 0)
- break;
+ xt_entry_foreach(iter, loc_cpu_entry, private->size) {
+ ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
+ ++i;
+ }
xt_info_wrunlock(curcpu);
unlock_up_free:
@@ -1498,7 +1455,7 @@ struct compat_ip6t_replace {
static int
compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
unsigned int *size, struct xt_counters *counters,
- unsigned int *i)
+ unsigned int i)
{
struct ip6t_entry_target *t;
struct compat_ip6t_entry __user *ce;
@@ -1506,14 +1463,12 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
compat_uint_t origsize;
int ret;
- ret = -EFAULT;
origsize = *size;
ce = (struct compat_ip6t_entry __user *)*dstptr;
- if (copy_to_user(ce, e, sizeof(struct ip6t_entry)))
- goto out;
-
- if (copy_to_user(&ce->counters, &counters[*i], sizeof(counters[*i])))
- goto out;
+ if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
+ copy_to_user(&ce->counters, &counters[i],
+ sizeof(counters[i])) != 0)
+ return -EFAULT;
*dstptr += sizeof(struct compat_ip6t_entry);
*size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
@@ -1521,22 +1476,16 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
ret = IP6T_MATCH_ITERATE(e, xt_compat_match_to_user, dstptr, size);
target_offset = e->target_offset - (origsize - *size);
if (ret)
- goto out;
+ return ret;
t = ip6t_get_target(e);
ret = xt_compat_target_to_user(t, dstptr, size);
if (ret)
- goto out;
- ret = -EFAULT;
+ return ret;
next_offset = e->next_offset - (origsize - *size);
- if (put_user(target_offset, &ce->target_offset))
- goto out;
- if (put_user(next_offset, &ce->next_offset))
- goto out;
-
- (*i)++;
+ if (put_user(target_offset, &ce->target_offset) != 0 ||
+ put_user(next_offset, &ce->next_offset) != 0)
+ return -EFAULT;
return 0;
-out:
- return ret;
}
static int
@@ -1573,19 +1522,14 @@ compat_release_match(struct ip6t_entry_match *m, unsigned int *i)
return 0;
}
-static int
-compat_release_entry(struct compat_ip6t_entry *e, unsigned int *i)
+static void compat_release_entry(struct compat_ip6t_entry *e)
{
struct ip6t_entry_target *t;
- if (i && (*i)-- == 0)
- return 1;
-
/* Cleanup all matches */
COMPAT_IP6T_MATCH_ITERATE(e, compat_release_match, NULL);
t = compat_ip6t_get_target(e);
module_put(t->u.kernel.target->me);
- return 0;
}
static int
@@ -1596,7 +1540,6 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
const unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
- unsigned int *i,
const char *name)
{
struct ip6t_entry_target *t;
@@ -1662,8 +1605,6 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
/* Clear counters and comefrom */
memset(&e->counters, 0, sizeof(e->counters));
e->comefrom = 0;
-
- (*i)++;
return 0;
out:
@@ -1712,8 +1653,7 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
return ret;
}
-static int compat_check_entry(struct ip6t_entry *e, const char *name,
- unsigned int *i)
+static int compat_check_entry(struct ip6t_entry *e, const char *name)
{
unsigned int j;
int ret;
@@ -1731,8 +1671,6 @@ static int compat_check_entry(struct ip6t_entry *e, const char *name,
ret = check_target(e, name);
if (ret)
goto cleanup_matches;
-
- (*i)++;
return 0;
cleanup_matches:
@@ -1776,12 +1714,11 @@ translate_compat_table(const char *name,
xt_entry_foreach(iter0, entry0, total_size) {
ret = check_compat_entry_size_and_hooks(iter0, info, &size,
entry0, entry0 + total_size, hook_entries, underflows,
- &j, name);
+ name);
if (ret != 0)
- break;
+ goto out_unlock;
+ ++j;
}
- if (ret != 0)
- goto out_unlock;
ret = -EINVAL;
if (j != number) {
@@ -1837,9 +1774,10 @@ translate_compat_table(const char *name,
i = 0;
xt_entry_foreach(iter1, entry1, newinfo->size) {
- ret = compat_check_entry(iter1, name, &i);
+ ret = compat_check_entry(iter1, name);
if (ret != 0)
break;
+ ++i;
}
if (ret) {
/*
@@ -1852,12 +1790,15 @@ translate_compat_table(const char *name,
xt_entry_foreach(iter0, entry0, newinfo->size) {
if (skip-- > 0)
continue;
- if (compat_release_entry(iter0, &j) != 0)
+ if (j-- == 0)
break;
+ compat_release_entry(iter0);
}
- xt_entry_foreach(iter1, entry1, newinfo->size)
- if (cleanup_entry(iter1, &i) != 0)
+ xt_entry_foreach(iter1, entry1, newinfo->size) {
+ if (i-- == 0)
break;
+ cleanup_entry(iter1);
+ }
xt_free_table_info(newinfo);
return ret;
}
@@ -1875,9 +1816,11 @@ translate_compat_table(const char *name,
free_newinfo:
xt_free_table_info(newinfo);
out:
- xt_entry_foreach(iter0, entry0, total_size)
- if (compat_release_entry(iter0, &j) != 0)
+ xt_entry_foreach(iter0, entry0, total_size) {
+ if (j-- == 0)
break;
+ compat_release_entry(iter0);
+ }
return ret;
out_unlock:
xt_compat_flush_offsets(AF_INET6);
@@ -1932,8 +1875,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
free_newinfo_untrans:
xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
free_newinfo:
xt_free_table_info(newinfo);
return ret;
@@ -1997,7 +1939,7 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
size = total_size;
xt_entry_foreach(iter, loc_cpu_entry, total_size) {
ret = compat_copy_entry_to_user(iter, &pos,
- &size, counters, &i);
+ &size, counters, i++);
if (ret != 0)
break;
}
@@ -2207,8 +2149,7 @@ void ip6t_unregister_table(struct xt_table *table)
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries[raw_smp_processor_id()];
xt_entry_foreach(iter, loc_cpu_entry, private->size)
- if (cleanup_entry(iter, NULL) != 0)
- break;
+ cleanup_entry(iter);
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 035/103] netfilter: xtables: replace XT_MATCH_ITERATE macro
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (33 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 034/103] netfilter: xtables: optimize call flow around xt_entry_foreach Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 036/103] netfilter: xtables: optimize call flow around xt_ematch_foreach Jan Engelhardt
` (69 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
The macro is replaced by a list.h-like foreach loop. This makes
the code more inspectable.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 10 +++-
include/linux/netfilter_ipv4/ip_tables.h | 6 +--
include/linux/netfilter_ipv6/ip6_tables.h | 6 +--
net/ipv4/netfilter/ip_tables.c | 78 ++++++++++++++++++++++------
net/ipv6/netfilter/ip6_tables.c | 78 ++++++++++++++++++++++------
net/netfilter/xt_TCPMSS.c | 12 +++--
6 files changed, 141 insertions(+), 49 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 6e051c0..b4499d9 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -128,6 +128,7 @@ struct xt_counters_info
#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
+#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
#define XT_MATCH_ITERATE(type, e, fn, args...) \
({ \
@@ -147,7 +148,6 @@ struct xt_counters_info
__ret; \
})
-#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
({ \
@@ -180,6 +180,14 @@ struct xt_counters_info
(pos) < (typeof(pos))((char *)(ehead) + (esize)); \
(pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
+/* can only be xt_entry_match, so no use of typeof here */
+#define xt_ematch_foreach(pos, entry) \
+ for ((pos) = (struct xt_entry_match *)entry->elems; \
+ (pos) < (struct xt_entry_match *)((char *)(entry) + \
+ (entry)->target_offset); \
+ (pos) = (struct xt_entry_match *)((char *)(pos) + \
+ (pos)->u.match_size))
+
#ifdef __KERNEL__
#include <linux/netdevice.h>
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 362b1f1..f50c06f 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -228,11 +228,11 @@ ipt_get_target(struct ipt_entry *e)
return (void *)e + e->target_offset;
}
+#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
#define IPT_MATCH_ITERATE(e, fn, args...) \
XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
-#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
@@ -323,10 +323,6 @@ compat_ipt_get_target(struct compat_ipt_entry *e)
#define COMPAT_IPT_ALIGN(s) COMPAT_XT_ALIGN(s)
-/* fn returns 0 to continue iteration */
-#define COMPAT_IPT_MATCH_ITERATE(e, fn, args...) \
- XT_MATCH_ITERATE(struct compat_ipt_entry, e, fn, ## args)
-
#endif /* CONFIG_COMPAT */
#endif /*__KERNEL__*/
#endif /* _IPTABLES_H */
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 43db986..89e0ab1 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -288,11 +288,11 @@ ip6t_get_target(struct ip6t_entry *e)
return (void *)e + e->target_offset;
}
+#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
#define IP6T_MATCH_ITERATE(e, fn, args...) \
XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
-#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
@@ -351,10 +351,6 @@ compat_ip6t_get_target(struct compat_ip6t_entry *e)
#define COMPAT_IP6T_ALIGN(s) COMPAT_XT_ALIGN(s)
-/* fn returns 0 to continue iteration */
-#define COMPAT_IP6T_MATCH_ITERATE(e, fn, args...) \
- XT_MATCH_ITERATE(struct compat_ip6t_entry, e, fn, ## args)
-
#endif /* CONFIG_COMPAT */
#endif /*__KERNEL__*/
#endif /* _IP6_TABLES_H */
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 17c6ac7..8271680 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -359,16 +359,21 @@ ipt_do_table(struct sk_buff *skb,
do {
const struct ipt_entry_target *t;
+ const struct xt_entry_match *ematch;
IP_NF_ASSERT(e);
IP_NF_ASSERT(back);
if (!ip_packet_match(ip, indev, outdev,
- &e->ip, mtpar.fragoff) ||
- IPT_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0) {
+ &e->ip, mtpar.fragoff)) {
+ no_match:
e = ipt_next_entry(e);
continue;
}
+ xt_ematch_foreach(ematch, e)
+ if (do_match(ematch, skb, &mtpar) != 0)
+ goto no_match;
+
ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
t = ipt_get_target(e);
@@ -676,6 +681,7 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size)
int ret;
unsigned int j;
struct xt_mtchk_param mtpar;
+ struct xt_entry_match *ematch;
ret = check_entry(e, name);
if (ret)
@@ -686,7 +692,11 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size)
mtpar.entryinfo = &e->ip;
mtpar.hook_mask = e->comefrom;
mtpar.family = NFPROTO_IPV4;
- ret = IPT_MATCH_ITERATE(e, find_check_match, &mtpar, &j);
+ xt_ematch_foreach(ematch, e) {
+ ret = find_check_match(ematch, &mtpar, &j);
+ if (ret != 0)
+ break;
+ }
if (ret != 0)
goto cleanup_matches;
@@ -709,7 +719,9 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size)
err:
module_put(t->u.kernel.target->me);
cleanup_matches:
- IPT_MATCH_ITERATE(e, cleanup_match, &j);
+ xt_ematch_foreach(ematch, e)
+ if (cleanup_match(ematch, &j) != 0)
+ break;
return ret;
}
@@ -780,9 +792,12 @@ cleanup_entry(struct ipt_entry *e)
{
struct xt_tgdtor_param par;
struct ipt_entry_target *t;
+ struct xt_entry_match *ematch;
/* Cleanup all matches */
- IPT_MATCH_ITERATE(e, cleanup_match, NULL);
+ xt_ematch_foreach(ematch, e)
+ if (cleanup_match(ematch, NULL) != 0)
+ break;
t = ipt_get_target(e);
par.target = t->u.kernel.target;
@@ -1047,13 +1062,16 @@ static int compat_calc_entry(const struct ipt_entry *e,
const struct xt_table_info *info,
const void *base, struct xt_table_info *newinfo)
{
+ const struct xt_entry_match *ematch;
const struct ipt_entry_target *t;
unsigned int entry_offset;
int off, i, ret;
off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
entry_offset = (void *)e - base;
- IPT_MATCH_ITERATE(e, compat_calc_match, &off);
+ xt_ematch_foreach(ematch, e)
+ if (compat_calc_match(ematch, &off) != 0)
+ break;
t = ipt_get_target_c(e);
off += xt_compat_target_offset(t->u.kernel.target);
newinfo->size -= off;
@@ -1428,7 +1446,8 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
struct compat_ipt_entry __user *ce;
u_int16_t target_offset, next_offset;
compat_uint_t origsize;
- int ret;
+ const struct xt_entry_match *ematch;
+ int ret = 0;
origsize = *size;
ce = (struct compat_ipt_entry __user *)*dstptr;
@@ -1440,7 +1459,11 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
*dstptr += sizeof(struct compat_ipt_entry);
*size -= sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
- ret = IPT_MATCH_ITERATE(e, xt_compat_match_to_user, dstptr, size);
+ xt_ematch_foreach(ematch, e) {
+ ret = xt_compat_match_to_user(ematch, dstptr, size);
+ if (ret != 0)
+ break;
+ }
target_offset = e->target_offset - (origsize - *size);
if (ret)
return ret;
@@ -1492,9 +1515,12 @@ compat_release_match(struct ipt_entry_match *m, unsigned int *i)
static void compat_release_entry(struct compat_ipt_entry *e)
{
struct ipt_entry_target *t;
+ struct xt_entry_match *ematch;
/* Cleanup all matches */
- COMPAT_IPT_MATCH_ITERATE(e, compat_release_match, NULL);
+ xt_ematch_foreach(ematch, e)
+ if (compat_release_match(ematch, NULL) != 0)
+ break;
t = compat_ipt_get_target(e);
module_put(t->u.kernel.target->me);
}
@@ -1509,6 +1535,7 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
const unsigned int *underflows,
const char *name)
{
+ struct xt_entry_match *ematch;
struct ipt_entry_target *t;
struct xt_target *target;
unsigned int entry_offset;
@@ -1537,8 +1564,12 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
entry_offset = (void *)e - (void *)base;
j = 0;
- ret = COMPAT_IPT_MATCH_ITERATE(e, compat_find_calc_match, name,
- &e->ip, e->comefrom, &off, &j);
+ xt_ematch_foreach(ematch, e) {
+ ret = compat_find_calc_match(ematch, name,
+ &e->ip, e->comefrom, &off, &j);
+ if (ret != 0)
+ break;
+ }
if (ret != 0)
goto release_matches;
@@ -1577,7 +1608,9 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
out:
module_put(t->u.kernel.target->me);
release_matches:
- IPT_MATCH_ITERATE(e, compat_release_match, &j);
+ xt_ematch_foreach(ematch, e)
+ if (compat_release_match(ematch, &j) != 0)
+ break;
return ret;
}
@@ -1591,6 +1624,7 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
struct ipt_entry *de;
unsigned int origsize;
int ret, h;
+ struct xt_entry_match *ematch;
ret = 0;
origsize = *size;
@@ -1601,8 +1635,11 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
*dstptr += sizeof(struct ipt_entry);
*size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
- ret = COMPAT_IPT_MATCH_ITERATE(e, xt_compat_match_from_user,
- dstptr, size);
+ xt_ematch_foreach(ematch, e) {
+ ret = xt_compat_match_from_user(ematch, dstptr, size);
+ if (ret != 0)
+ break;
+ }
if (ret)
return ret;
de->target_offset = e->target_offset - (origsize - *size);
@@ -1623,16 +1660,21 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
static int
compat_check_entry(struct ipt_entry *e, const char *name)
{
+ struct xt_entry_match *ematch;
struct xt_mtchk_param mtpar;
unsigned int j;
- int ret;
+ int ret = 0;
j = 0;
mtpar.table = name;
mtpar.entryinfo = &e->ip;
mtpar.hook_mask = e->comefrom;
mtpar.family = NFPROTO_IPV4;
- ret = IPT_MATCH_ITERATE(e, check_match, &mtpar, &j);
+ xt_ematch_foreach(ematch, e) {
+ ret = check_match(ematch, &mtpar, &j);
+ if (ret != 0)
+ break;
+ }
if (ret)
goto cleanup_matches;
@@ -1642,7 +1684,9 @@ compat_check_entry(struct ipt_entry *e, const char *name)
return 0;
cleanup_matches:
- IPT_MATCH_ITERATE(e, cleanup_match, &j);
+ xt_ematch_foreach(ematch, e)
+ if (cleanup_match(ematch, &j) != 0)
+ break;
return ret;
}
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 9d666f3..c52b9a9 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -386,16 +386,21 @@ ip6t_do_table(struct sk_buff *skb,
do {
const struct ip6t_entry_target *t;
+ const struct xt_entry_match *ematch;
IP_NF_ASSERT(e);
IP_NF_ASSERT(back);
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
- &mtpar.thoff, &mtpar.fragoff, &hotdrop) ||
- IP6T_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0) {
+ &mtpar.thoff, &mtpar.fragoff, &hotdrop)) {
+ no_match:
e = ip6t_next_entry(e);
continue;
}
+ xt_ematch_foreach(ematch, e)
+ if (do_match(ematch, skb, &mtpar) != 0)
+ goto no_match;
+
ADD_COUNTER(e->counters,
ntohs(ipv6_hdr(skb)->payload_len) +
sizeof(struct ipv6hdr), 1);
@@ -707,6 +712,7 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size)
int ret;
unsigned int j;
struct xt_mtchk_param mtpar;
+ struct xt_entry_match *ematch;
ret = check_entry(e, name);
if (ret)
@@ -717,7 +723,11 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size)
mtpar.entryinfo = &e->ipv6;
mtpar.hook_mask = e->comefrom;
mtpar.family = NFPROTO_IPV6;
- ret = IP6T_MATCH_ITERATE(e, find_check_match, &mtpar, &j);
+ xt_ematch_foreach(ematch, e) {
+ ret = find_check_match(ematch, &mtpar, &j);
+ if (ret != 0)
+ break;
+ }
if (ret != 0)
goto cleanup_matches;
@@ -740,7 +750,9 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size)
err:
module_put(t->u.kernel.target->me);
cleanup_matches:
- IP6T_MATCH_ITERATE(e, cleanup_match, &j);
+ xt_ematch_foreach(ematch, e)
+ if (cleanup_match(ematch, &j) != 0)
+ break;
return ret;
}
@@ -810,9 +822,12 @@ static void cleanup_entry(struct ip6t_entry *e)
{
struct xt_tgdtor_param par;
struct ip6t_entry_target *t;
+ struct xt_entry_match *ematch;
/* Cleanup all matches */
- IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
+ xt_ematch_foreach(ematch, e)
+ if (cleanup_match(ematch, NULL) != 0)
+ break;
t = ip6t_get_target(e);
par.target = t->u.kernel.target;
@@ -1077,13 +1092,16 @@ static int compat_calc_entry(const struct ip6t_entry *e,
const struct xt_table_info *info,
const void *base, struct xt_table_info *newinfo)
{
+ const struct xt_entry_match *ematch;
const struct ip6t_entry_target *t;
unsigned int entry_offset;
int off, i, ret;
off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
entry_offset = (void *)e - base;
- IP6T_MATCH_ITERATE(e, compat_calc_match, &off);
+ xt_ematch_foreach(ematch, e)
+ if (compat_calc_match(ematch, &off) != 0)
+ break;
t = ip6t_get_target_c(e);
off += xt_compat_target_offset(t->u.kernel.target);
newinfo->size -= off;
@@ -1461,7 +1479,8 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
struct compat_ip6t_entry __user *ce;
u_int16_t target_offset, next_offset;
compat_uint_t origsize;
- int ret;
+ const struct xt_entry_match *ematch;
+ int ret = 0;
origsize = *size;
ce = (struct compat_ip6t_entry __user *)*dstptr;
@@ -1473,7 +1492,11 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
*dstptr += sizeof(struct compat_ip6t_entry);
*size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
- ret = IP6T_MATCH_ITERATE(e, xt_compat_match_to_user, dstptr, size);
+ xt_ematch_foreach(ematch, e) {
+ ret = xt_compat_match_to_user(ematch, dstptr, size);
+ if (ret != 0)
+ break;
+ }
target_offset = e->target_offset - (origsize - *size);
if (ret)
return ret;
@@ -1525,9 +1548,12 @@ compat_release_match(struct ip6t_entry_match *m, unsigned int *i)
static void compat_release_entry(struct compat_ip6t_entry *e)
{
struct ip6t_entry_target *t;
+ struct xt_entry_match *ematch;
/* Cleanup all matches */
- COMPAT_IP6T_MATCH_ITERATE(e, compat_release_match, NULL);
+ xt_ematch_foreach(ematch, e)
+ if (compat_release_match(ematch, NULL) != 0)
+ break;
t = compat_ip6t_get_target(e);
module_put(t->u.kernel.target->me);
}
@@ -1542,6 +1568,7 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
const unsigned int *underflows,
const char *name)
{
+ struct xt_entry_match *ematch;
struct ip6t_entry_target *t;
struct xt_target *target;
unsigned int entry_offset;
@@ -1570,8 +1597,12 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
entry_offset = (void *)e - (void *)base;
j = 0;
- ret = COMPAT_IP6T_MATCH_ITERATE(e, compat_find_calc_match, name,
- &e->ipv6, e->comefrom, &off, &j);
+ xt_ematch_foreach(ematch, e) {
+ ret = compat_find_calc_match(ematch, name,
+ &e->ipv6, e->comefrom, &off, &j);
+ if (ret != 0)
+ break;
+ }
if (ret != 0)
goto release_matches;
@@ -1610,7 +1641,9 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
out:
module_put(t->u.kernel.target->me);
release_matches:
- IP6T_MATCH_ITERATE(e, compat_release_match, &j);
+ xt_ematch_foreach(ematch, e)
+ if (compat_release_match(ematch, &j) != 0)
+ break;
return ret;
}
@@ -1624,6 +1657,7 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
struct ip6t_entry *de;
unsigned int origsize;
int ret, h;
+ struct xt_entry_match *ematch;
ret = 0;
origsize = *size;
@@ -1634,8 +1668,11 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
*dstptr += sizeof(struct ip6t_entry);
*size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
- ret = COMPAT_IP6T_MATCH_ITERATE(e, xt_compat_match_from_user,
- dstptr, size);
+ xt_ematch_foreach(ematch, e) {
+ ret = xt_compat_match_from_user(ematch, dstptr, size);
+ if (ret != 0)
+ break;
+ }
if (ret)
return ret;
de->target_offset = e->target_offset - (origsize - *size);
@@ -1656,15 +1693,20 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
static int compat_check_entry(struct ip6t_entry *e, const char *name)
{
unsigned int j;
- int ret;
+ int ret = 0;
struct xt_mtchk_param mtpar;
+ struct xt_entry_match *ematch;
j = 0;
mtpar.table = name;
mtpar.entryinfo = &e->ipv6;
mtpar.hook_mask = e->comefrom;
mtpar.family = NFPROTO_IPV6;
- ret = IP6T_MATCH_ITERATE(e, check_match, &mtpar, &j);
+ xt_ematch_foreach(ematch, e) {
+ ret = check_match(ematch, &mtpar, &j);
+ if (ret != 0)
+ break;
+ }
if (ret)
goto cleanup_matches;
@@ -1674,7 +1716,9 @@ static int compat_check_entry(struct ip6t_entry *e, const char *name)
return 0;
cleanup_matches:
- IP6T_MATCH_ITERATE(e, cleanup_match, &j);
+ xt_ematch_foreach(ematch, e)
+ if (cleanup_match(ematch, &j) != 0)
+ break;
return ret;
}
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index eda64c1..ea8933e 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -241,6 +241,7 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
{
const struct xt_tcpmss_info *info = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
+ const struct xt_entry_match *ematch;
if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
(par->hook_mask & ~((1 << NF_INET_FORWARD) |
@@ -250,8 +251,9 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
"FORWARD, OUTPUT and POSTROUTING hooks\n");
return false;
}
- if (IPT_MATCH_ITERATE(e, find_syn_match))
- return true;
+ xt_ematch_foreach(ematch, e)
+ if (find_syn_match(ematch))
+ return true;
printk("xt_TCPMSS: Only works on TCP SYN packets\n");
return false;
}
@@ -261,6 +263,7 @@ static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
{
const struct xt_tcpmss_info *info = par->targinfo;
const struct ip6t_entry *e = par->entryinfo;
+ const struct xt_entry_match *ematch;
if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
(par->hook_mask & ~((1 << NF_INET_FORWARD) |
@@ -270,8 +273,9 @@ static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
"FORWARD, OUTPUT and POSTROUTING hooks\n");
return false;
}
- if (IP6T_MATCH_ITERATE(e, find_syn_match))
- return true;
+ xt_ematch_foreach(ematch, e)
+ if (find_syn_match(ematch))
+ return true;
printk("xt_TCPMSS: Only works on TCP SYN packets\n");
return false;
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 036/103] netfilter: xtables: optimize call flow around xt_ematch_foreach
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (34 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 035/103] netfilter: xtables: replace XT_MATCH_ITERATE macro Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 037/103] netfilter: xtables: reduce arguments to translate_table Jan Engelhardt
` (68 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/ip_tables.c | 94 +++++++++++++-------------------------
net/ipv6/netfilter/ip6_tables.c | 94 +++++++++++++-------------------------
2 files changed, 64 insertions(+), 124 deletions(-)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 8271680..5e92076 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -565,21 +565,16 @@ mark_source_chains(const struct xt_table_info *newinfo,
return 1;
}
-static int
-cleanup_match(struct ipt_entry_match *m, unsigned int *i)
+static void cleanup_match(struct ipt_entry_match *m)
{
struct xt_mtdtor_param par;
- if (i && (*i)-- == 0)
- return 1;
-
par.match = m->u.kernel.match;
par.matchinfo = m->data;
par.family = NFPROTO_IPV4;
if (par.match->destroy != NULL)
par.match->destroy(&par);
module_put(par.match->me);
- return 0;
}
static int
@@ -604,8 +599,7 @@ check_entry(const struct ipt_entry *e, const char *name)
}
static int
-check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
- unsigned int *i)
+check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
{
const struct ipt_ip *ip = par->entryinfo;
int ret;
@@ -620,13 +614,11 @@ check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
par.match->name);
return ret;
}
- ++*i;
return 0;
}
static int
-find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
- unsigned int *i)
+find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
{
struct xt_match *match;
int ret;
@@ -640,7 +632,7 @@ find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
}
m->u.kernel.match = match;
- ret = check_match(m, par, i);
+ ret = check_match(m, par);
if (ret)
goto err;
@@ -693,12 +685,11 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size)
mtpar.hook_mask = e->comefrom;
mtpar.family = NFPROTO_IPV4;
xt_ematch_foreach(ematch, e) {
- ret = find_check_match(ematch, &mtpar, &j);
+ ret = find_check_match(ematch, &mtpar);
if (ret != 0)
- break;
+ goto cleanup_matches;
+ ++j;
}
- if (ret != 0)
- goto cleanup_matches;
t = ipt_get_target(e);
target = try_then_request_module(xt_find_target(AF_INET,
@@ -719,9 +710,11 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size)
err:
module_put(t->u.kernel.target->me);
cleanup_matches:
- xt_ematch_foreach(ematch, e)
- if (cleanup_match(ematch, &j) != 0)
+ xt_ematch_foreach(ematch, e) {
+ if (j-- == 0)
break;
+ cleanup_match(ematch);
+ }
return ret;
}
@@ -796,8 +789,7 @@ cleanup_entry(struct ipt_entry *e)
/* Cleanup all matches */
xt_ematch_foreach(ematch, e)
- if (cleanup_match(ematch, NULL) != 0)
- break;
+ cleanup_match(ematch);
t = ipt_get_target(e);
par.target = t->u.kernel.target;
@@ -1051,13 +1043,6 @@ static int compat_standard_to_user(void __user *dst, const void *src)
return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
}
-static inline int
-compat_calc_match(const struct ipt_entry_match *m, int *size)
-{
- *size += xt_compat_match_offset(m->u.kernel.match);
- return 0;
-}
-
static int compat_calc_entry(const struct ipt_entry *e,
const struct xt_table_info *info,
const void *base, struct xt_table_info *newinfo)
@@ -1070,8 +1055,8 @@ static int compat_calc_entry(const struct ipt_entry *e,
off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
entry_offset = (void *)e - base;
xt_ematch_foreach(ematch, e)
- if (compat_calc_match(ematch, &off) != 0)
- break;
+ off += xt_compat_match_offset(ematch->u.kernel.match);
+
t = ipt_get_target_c(e);
off += xt_compat_target_offset(t->u.kernel.target);
newinfo->size -= off;
@@ -1462,11 +1447,9 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
xt_ematch_foreach(ematch, e) {
ret = xt_compat_match_to_user(ematch, dstptr, size);
if (ret != 0)
- break;
+ return ret;
}
target_offset = e->target_offset - (origsize - *size);
- if (ret)
- return ret;
t = ipt_get_target(e);
ret = xt_compat_target_to_user(t, dstptr, size);
if (ret)
@@ -1483,7 +1466,7 @@ compat_find_calc_match(struct ipt_entry_match *m,
const char *name,
const struct ipt_ip *ip,
unsigned int hookmask,
- int *size, unsigned int *i)
+ int *size)
{
struct xt_match *match;
@@ -1497,18 +1480,6 @@ compat_find_calc_match(struct ipt_entry_match *m,
}
m->u.kernel.match = match;
*size += xt_compat_match_offset(match);
-
- (*i)++;
- return 0;
-}
-
-static int
-compat_release_match(struct ipt_entry_match *m, unsigned int *i)
-{
- if (i && (*i)-- == 0)
- return 1;
-
- module_put(m->u.kernel.match->me);
return 0;
}
@@ -1519,8 +1490,7 @@ static void compat_release_entry(struct compat_ipt_entry *e)
/* Cleanup all matches */
xt_ematch_foreach(ematch, e)
- if (compat_release_match(ematch, NULL) != 0)
- break;
+ module_put(ematch->u.kernel.match->me);
t = compat_ipt_get_target(e);
module_put(t->u.kernel.target->me);
}
@@ -1566,12 +1536,11 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
j = 0;
xt_ematch_foreach(ematch, e) {
ret = compat_find_calc_match(ematch, name,
- &e->ip, e->comefrom, &off, &j);
+ &e->ip, e->comefrom, &off);
if (ret != 0)
- break;
+ goto release_matches;
+ ++j;
}
- if (ret != 0)
- goto release_matches;
t = compat_ipt_get_target(e);
target = try_then_request_module(xt_find_target(AF_INET,
@@ -1608,9 +1577,11 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
out:
module_put(t->u.kernel.target->me);
release_matches:
- xt_ematch_foreach(ematch, e)
- if (compat_release_match(ematch, &j) != 0)
+ xt_ematch_foreach(ematch, e) {
+ if (j-- == 0)
break;
+ module_put(ematch->u.kernel.match->me);
+ }
return ret;
}
@@ -1638,10 +1609,8 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
xt_ematch_foreach(ematch, e) {
ret = xt_compat_match_from_user(ematch, dstptr, size);
if (ret != 0)
- break;
+ return ret;
}
- if (ret)
- return ret;
de->target_offset = e->target_offset - (origsize - *size);
t = compat_ipt_get_target(e);
target = t->u.kernel.target;
@@ -1671,12 +1640,11 @@ compat_check_entry(struct ipt_entry *e, const char *name)
mtpar.hook_mask = e->comefrom;
mtpar.family = NFPROTO_IPV4;
xt_ematch_foreach(ematch, e) {
- ret = check_match(ematch, &mtpar, &j);
+ ret = check_match(ematch, &mtpar);
if (ret != 0)
- break;
+ goto cleanup_matches;
+ ++j;
}
- if (ret)
- goto cleanup_matches;
ret = check_target(e, name);
if (ret)
@@ -1684,9 +1652,11 @@ compat_check_entry(struct ipt_entry *e, const char *name)
return 0;
cleanup_matches:
- xt_ematch_foreach(ematch, e)
- if (cleanup_match(ematch, &j) != 0)
+ xt_ematch_foreach(ematch, e) {
+ if (j-- == 0)
break;
+ cleanup_match(ematch);
+ }
return ret;
}
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index c52b9a9..b335ce7 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -596,21 +596,16 @@ mark_source_chains(const struct xt_table_info *newinfo,
return 1;
}
-static int
-cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
+static void cleanup_match(struct ip6t_entry_match *m)
{
struct xt_mtdtor_param par;
- if (i && (*i)-- == 0)
- return 1;
-
par.match = m->u.kernel.match;
par.matchinfo = m->data;
par.family = NFPROTO_IPV6;
if (par.match->destroy != NULL)
par.match->destroy(&par);
module_put(par.match->me);
- return 0;
}
static int
@@ -634,8 +629,7 @@ check_entry(const struct ip6t_entry *e, const char *name)
return 0;
}
-static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
- unsigned int *i)
+static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
{
const struct ip6t_ip6 *ipv6 = par->entryinfo;
int ret;
@@ -650,13 +644,11 @@ static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
par.match->name);
return ret;
}
- ++*i;
return 0;
}
static int
-find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
- unsigned int *i)
+find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
{
struct xt_match *match;
int ret;
@@ -670,7 +662,7 @@ find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
}
m->u.kernel.match = match;
- ret = check_match(m, par, i);
+ ret = check_match(m, par);
if (ret)
goto err;
@@ -724,12 +716,11 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size)
mtpar.hook_mask = e->comefrom;
mtpar.family = NFPROTO_IPV6;
xt_ematch_foreach(ematch, e) {
- ret = find_check_match(ematch, &mtpar, &j);
+ ret = find_check_match(ematch, &mtpar);
if (ret != 0)
- break;
+ goto cleanup_matches;
+ ++j;
}
- if (ret != 0)
- goto cleanup_matches;
t = ip6t_get_target(e);
target = try_then_request_module(xt_find_target(AF_INET6,
@@ -750,9 +741,11 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size)
err:
module_put(t->u.kernel.target->me);
cleanup_matches:
- xt_ematch_foreach(ematch, e)
- if (cleanup_match(ematch, &j) != 0)
+ xt_ematch_foreach(ematch, e) {
+ if (j-- == 0)
break;
+ cleanup_match(ematch);
+ }
return ret;
}
@@ -826,8 +819,7 @@ static void cleanup_entry(struct ip6t_entry *e)
/* Cleanup all matches */
xt_ematch_foreach(ematch, e)
- if (cleanup_match(ematch, NULL) != 0)
- break;
+ cleanup_match(ematch);
t = ip6t_get_target(e);
par.target = t->u.kernel.target;
@@ -1081,13 +1073,6 @@ static int compat_standard_to_user(void __user *dst, const void *src)
return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
}
-static inline int
-compat_calc_match(const struct ip6t_entry_match *m, int *size)
-{
- *size += xt_compat_match_offset(m->u.kernel.match);
- return 0;
-}
-
static int compat_calc_entry(const struct ip6t_entry *e,
const struct xt_table_info *info,
const void *base, struct xt_table_info *newinfo)
@@ -1100,8 +1085,8 @@ static int compat_calc_entry(const struct ip6t_entry *e,
off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
entry_offset = (void *)e - base;
xt_ematch_foreach(ematch, e)
- if (compat_calc_match(ematch, &off) != 0)
- break;
+ off += xt_compat_match_offset(ematch->u.kernel.match);
+
t = ip6t_get_target_c(e);
off += xt_compat_target_offset(t->u.kernel.target);
newinfo->size -= off;
@@ -1495,11 +1480,9 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
xt_ematch_foreach(ematch, e) {
ret = xt_compat_match_to_user(ematch, dstptr, size);
if (ret != 0)
- break;
+ return ret;
}
target_offset = e->target_offset - (origsize - *size);
- if (ret)
- return ret;
t = ip6t_get_target(e);
ret = xt_compat_target_to_user(t, dstptr, size);
if (ret)
@@ -1516,7 +1499,7 @@ compat_find_calc_match(struct ip6t_entry_match *m,
const char *name,
const struct ip6t_ip6 *ipv6,
unsigned int hookmask,
- int *size, unsigned int *i)
+ int *size)
{
struct xt_match *match;
@@ -1530,18 +1513,6 @@ compat_find_calc_match(struct ip6t_entry_match *m,
}
m->u.kernel.match = match;
*size += xt_compat_match_offset(match);
-
- (*i)++;
- return 0;
-}
-
-static int
-compat_release_match(struct ip6t_entry_match *m, unsigned int *i)
-{
- if (i && (*i)-- == 0)
- return 1;
-
- module_put(m->u.kernel.match->me);
return 0;
}
@@ -1552,8 +1523,7 @@ static void compat_release_entry(struct compat_ip6t_entry *e)
/* Cleanup all matches */
xt_ematch_foreach(ematch, e)
- if (compat_release_match(ematch, NULL) != 0)
- break;
+ module_put(ematch->u.kernel.match->me);
t = compat_ip6t_get_target(e);
module_put(t->u.kernel.target->me);
}
@@ -1599,12 +1569,11 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
j = 0;
xt_ematch_foreach(ematch, e) {
ret = compat_find_calc_match(ematch, name,
- &e->ipv6, e->comefrom, &off, &j);
+ &e->ipv6, e->comefrom, &off);
if (ret != 0)
- break;
+ goto release_matches;
+ ++j;
}
- if (ret != 0)
- goto release_matches;
t = compat_ip6t_get_target(e);
target = try_then_request_module(xt_find_target(AF_INET6,
@@ -1641,9 +1610,11 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
out:
module_put(t->u.kernel.target->me);
release_matches:
- xt_ematch_foreach(ematch, e)
- if (compat_release_match(ematch, &j) != 0)
+ xt_ematch_foreach(ematch, e) {
+ if (j-- == 0)
break;
+ module_put(ematch->u.kernel.match->me);
+ }
return ret;
}
@@ -1671,10 +1642,8 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
xt_ematch_foreach(ematch, e) {
ret = xt_compat_match_from_user(ematch, dstptr, size);
if (ret != 0)
- break;
+ return ret;
}
- if (ret)
- return ret;
de->target_offset = e->target_offset - (origsize - *size);
t = compat_ip6t_get_target(e);
target = t->u.kernel.target;
@@ -1703,12 +1672,11 @@ static int compat_check_entry(struct ip6t_entry *e, const char *name)
mtpar.hook_mask = e->comefrom;
mtpar.family = NFPROTO_IPV6;
xt_ematch_foreach(ematch, e) {
- ret = check_match(ematch, &mtpar, &j);
+ ret = check_match(ematch, &mtpar);
if (ret != 0)
- break;
+ goto cleanup_matches;
+ ++j;
}
- if (ret)
- goto cleanup_matches;
ret = check_target(e, name);
if (ret)
@@ -1716,9 +1684,11 @@ static int compat_check_entry(struct ip6t_entry *e, const char *name)
return 0;
cleanup_matches:
- xt_ematch_foreach(ematch, e)
- if (cleanup_match(ematch, &j) != 0)
+ xt_ematch_foreach(ematch, e) {
+ if (j-- == 0)
break;
+ cleanup_match(ematch);
+ }
return ret;
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 037/103] netfilter: xtables: reduce arguments to translate_table
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (35 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 036/103] netfilter: xtables: optimize call flow around xt_ematch_foreach Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 038/103] netfilter: xtables2: make ip_tables reentrant Jan Engelhardt
` (67 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Just pass in the entire repl struct. In case of a new table (e.g.
ip6t_register_table), the repldata has been previously filled with
table->name and table->size already (in xt_repldata_create).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arp_tables.c | 42 +++++++++++++-------------------------
net/ipv4/netfilter/ip_tables.c | 41 +++++++++++++------------------------
net/ipv6/netfilter/ip6_tables.c | 41 +++++++++++++------------------------
3 files changed, 45 insertions(+), 79 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 26b7157..79ee12f 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -616,21 +616,15 @@ static inline void cleanup_entry(struct arpt_entry *e)
/* Checks and translates the user-supplied table segment (held in
* newinfo).
*/
-static int translate_table(const char *name,
- unsigned int valid_hooks,
- struct xt_table_info *newinfo,
- void *entry0,
- unsigned int size,
- unsigned int number,
- const unsigned int *hook_entries,
- const unsigned int *underflows)
+static int translate_table(struct xt_table_info *newinfo, void *entry0,
+ const struct arpt_replace *repl)
{
struct arpt_entry *iter;
unsigned int i;
int ret = 0;
- newinfo->size = size;
- newinfo->number = number;
+ newinfo->size = repl->size;
+ newinfo->number = repl->num_entries;
/* Init all hooks to impossible value. */
for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
@@ -644,7 +638,8 @@ static int translate_table(const char *name,
/* Walk through entries, checking offsets. */
xt_entry_foreach(iter, entry0, newinfo->size) {
ret = check_entry_size_and_hooks(iter, newinfo, entry0,
- entry0 + size, hook_entries, underflows, valid_hooks);
+ entry0 + repl->size, repl->hook_entry, repl->underflow,
+ repl->valid_hooks);
if (ret != 0)
break;
++i;
@@ -653,30 +648,30 @@ static int translate_table(const char *name,
if (ret != 0)
return ret;
- if (i != number) {
+ if (i != repl->num_entries) {
duprintf("translate_table: %u not %u entries\n",
- i, number);
+ i, repl->num_entries);
return -EINVAL;
}
/* Check hooks all assigned */
for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
/* Only hooks which are valid */
- if (!(valid_hooks & (1 << i)))
+ if (!(repl->valid_hooks & (1 << i)))
continue;
if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
duprintf("Invalid hook entry %u %u\n",
- i, hook_entries[i]);
+ i, repl->hook_entry[i]);
return -EINVAL;
}
if (newinfo->underflow[i] == 0xFFFFFFFF) {
duprintf("Invalid underflow %u %u\n",
- i, underflows[i]);
+ i, repl->underflow[i]);
return -EINVAL;
}
}
- if (!mark_source_chains(newinfo, valid_hooks, entry0)) {
+ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) {
duprintf("Looping hook\n");
return -ELOOP;
}
@@ -684,7 +679,7 @@ static int translate_table(const char *name,
/* Finally, each sanity check must pass */
i = 0;
xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = find_check_entry(iter, name, size);
+ ret = find_check_entry(iter, repl->name, repl->size);
if (ret != 0)
break;
++i;
@@ -1095,9 +1090,7 @@ static int do_replace(struct net *net, const void __user *user,
goto free_newinfo;
}
- ret = translate_table(tmp.name, tmp.valid_hooks,
- newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
- tmp.hook_entry, tmp.underflow);
+ ret = translate_table(newinfo, loc_cpu_entry, &tmp);
if (ret != 0)
goto free_newinfo;
@@ -1789,12 +1782,7 @@ struct xt_table *arpt_register_table(struct net *net,
loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
memcpy(loc_cpu_entry, repl->entries, repl->size);
- ret = translate_table(table->name, table->valid_hooks,
- newinfo, loc_cpu_entry, repl->size,
- repl->num_entries,
- repl->hook_entry,
- repl->underflow);
-
+ ret = translate_table(newinfo, loc_cpu_entry, repl);
duprintf("arpt_register_table: translate table gives %d\n", ret);
if (ret != 0)
goto out_free;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 5e92076..bde4754 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -803,21 +803,15 @@ cleanup_entry(struct ipt_entry *e)
/* Checks and translates the user-supplied table segment (held in
newinfo) */
static int
-translate_table(const char *name,
- unsigned int valid_hooks,
- struct xt_table_info *newinfo,
- void *entry0,
- unsigned int size,
- unsigned int number,
- const unsigned int *hook_entries,
- const unsigned int *underflows)
+translate_table(struct xt_table_info *newinfo, void *entry0,
+ const struct ipt_replace *repl)
{
struct ipt_entry *iter;
unsigned int i;
int ret = 0;
- newinfo->size = size;
- newinfo->number = number;
+ newinfo->size = repl->size;
+ newinfo->number = repl->num_entries;
/* Init all hooks to impossible value. */
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
@@ -830,42 +824,43 @@ translate_table(const char *name,
/* Walk through entries, checking offsets. */
xt_entry_foreach(iter, entry0, newinfo->size) {
ret = check_entry_size_and_hooks(iter, newinfo, entry0,
- entry0 + size, hook_entries, underflows, valid_hooks);
+ entry0 + repl->size, repl->hook_entry, repl->underflow,
+ repl->valid_hooks);
if (ret != 0)
return ret;
++i;
}
- if (i != number) {
+ if (i != repl->num_entries) {
duprintf("translate_table: %u not %u entries\n",
- i, number);
+ i, repl->num_entries);
return -EINVAL;
}
/* Check hooks all assigned */
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
/* Only hooks which are valid */
- if (!(valid_hooks & (1 << i)))
+ if (!(repl->valid_hooks & (1 << i)))
continue;
if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
duprintf("Invalid hook entry %u %u\n",
- i, hook_entries[i]);
+ i, repl->hook_entry[i]);
return -EINVAL;
}
if (newinfo->underflow[i] == 0xFFFFFFFF) {
duprintf("Invalid underflow %u %u\n",
- i, underflows[i]);
+ i, repl->underflow[i]);
return -EINVAL;
}
}
- if (!mark_source_chains(newinfo, valid_hooks, entry0))
+ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
return -ELOOP;
/* Finally, each sanity check must pass */
i = 0;
xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = find_check_entry(iter, name, size);
+ ret = find_check_entry(iter, repl->name, repl->size);
if (ret != 0)
break;
++i;
@@ -1299,9 +1294,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
goto free_newinfo;
}
- ret = translate_table(tmp.name, tmp.valid_hooks,
- newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
- tmp.hook_entry, tmp.underflow);
+ ret = translate_table(newinfo, loc_cpu_entry, &tmp);
if (ret != 0)
goto free_newinfo;
@@ -2098,11 +2091,7 @@ struct xt_table *ipt_register_table(struct net *net,
loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
memcpy(loc_cpu_entry, repl->entries, repl->size);
- ret = translate_table(table->name, table->valid_hooks,
- newinfo, loc_cpu_entry, repl->size,
- repl->num_entries,
- repl->hook_entry,
- repl->underflow);
+ ret = translate_table(newinfo, loc_cpu_entry, repl);
if (ret != 0)
goto out_free;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index b335ce7..c491249 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -833,21 +833,15 @@ static void cleanup_entry(struct ip6t_entry *e)
/* Checks and translates the user-supplied table segment (held in
newinfo) */
static int
-translate_table(const char *name,
- unsigned int valid_hooks,
- struct xt_table_info *newinfo,
- void *entry0,
- unsigned int size,
- unsigned int number,
- const unsigned int *hook_entries,
- const unsigned int *underflows)
+translate_table(struct xt_table_info *newinfo, void *entry0,
+ const struct ip6t_replace *repl)
{
struct ip6t_entry *iter;
unsigned int i;
int ret = 0;
- newinfo->size = size;
- newinfo->number = number;
+ newinfo->size = repl->size;
+ newinfo->number = repl->num_entries;
/* Init all hooks to impossible value. */
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
@@ -860,42 +854,43 @@ translate_table(const char *name,
/* Walk through entries, checking offsets. */
xt_entry_foreach(iter, entry0, newinfo->size) {
ret = check_entry_size_and_hooks(iter, newinfo, entry0,
- entry0 + size, hook_entries, underflows, valid_hooks);
+ entry0 + repl->size, repl->hook_entry, repl->underflow,
+ repl->valid_hooks);
if (ret != 0)
return ret;
++i;
}
- if (i != number) {
+ if (i != repl->num_entries) {
duprintf("translate_table: %u not %u entries\n",
- i, number);
+ i, repl->num_entries);
return -EINVAL;
}
/* Check hooks all assigned */
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
/* Only hooks which are valid */
- if (!(valid_hooks & (1 << i)))
+ if (!(repl->valid_hooks & (1 << i)))
continue;
if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
duprintf("Invalid hook entry %u %u\n",
- i, hook_entries[i]);
+ i, repl->hook_entry[i]);
return -EINVAL;
}
if (newinfo->underflow[i] == 0xFFFFFFFF) {
duprintf("Invalid underflow %u %u\n",
- i, underflows[i]);
+ i, repl->underflow[i]);
return -EINVAL;
}
}
- if (!mark_source_chains(newinfo, valid_hooks, entry0))
+ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
return -ELOOP;
/* Finally, each sanity check must pass */
i = 0;
xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = find_check_entry(iter, name, size);
+ ret = find_check_entry(iter, repl->name, repl->size);
if (ret != 0)
break;
++i;
@@ -1330,9 +1325,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
goto free_newinfo;
}
- ret = translate_table(tmp.name, tmp.valid_hooks,
- newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
- tmp.hook_entry, tmp.underflow);
+ ret = translate_table(newinfo, loc_cpu_entry, &tmp);
if (ret != 0)
goto free_newinfo;
@@ -2130,11 +2123,7 @@ struct xt_table *ip6t_register_table(struct net *net,
loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
memcpy(loc_cpu_entry, repl->entries, repl->size);
- ret = translate_table(table->name, table->valid_hooks,
- newinfo, loc_cpu_entry, repl->size,
- repl->num_entries,
- repl->hook_entry,
- repl->underflow);
+ ret = translate_table(newinfo, loc_cpu_entry, repl);
if (ret != 0)
goto out_free;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 038/103] netfilter: xtables2: make ip_tables reentrant
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (36 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 037/103] netfilter: xtables: reduce arguments to translate_table Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 039/103] netfilter: xtables: dissolve do_match function Jan Engelhardt
` (66 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Currently, the table traverser stores return addresses in the ruleset
itself (struct ip6t_entry->comefrom). This has a well-known drawback:
the jumpstack is overwritten on reentry, making it necessary for
targets to return absolute verdicts. Also, the ruleset (which might
be heavy memory-wise) needs to be replicated for each CPU that can
possibly invoke ip6t_do_table.
This patch decouples the jumpstack from struct ip6t_entry and instead
puts it into xt_table_info. Not being restricted by 'comefrom'
anymore, we can set up a stack as needed. By default, there is room
allocated for two entries into the traverser. The setting is
configurable at runtime through sysfs and will take effect when a
table is replaced by a new one.
arp_tables is not touched though, because there is just one/two
modules and further patches seek to collapse the table traverser
anyhow.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 7 +++
net/ipv4/netfilter/arp_tables.c | 6 ++-
net/ipv4/netfilter/ip_tables.c | 65 +++++++++++++++++--------------
net/ipv6/netfilter/ip6_tables.c | 56 +++++++++++----------------
net/netfilter/x_tables.c | 74 ++++++++++++++++++++++++++++++++++++
5 files changed, 142 insertions(+), 66 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b4499d9..d5ff621 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -402,6 +402,13 @@ struct xt_table_info
unsigned int hook_entry[NF_INET_NUMHOOKS];
unsigned int underflow[NF_INET_NUMHOOKS];
+ /*
+ * Number of user chains. Since tables cannot have loops, at
+ * most @user_chain jumps can possibly be made.
+ */
+ unsigned int stacksize;
+ unsigned int *stackptr;
+ void ***jumpstack;
/* ipt_entry tables: one per CPU */
/* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
void *entries[1];
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 79ee12f..0150944 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -643,6 +643,9 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
if (ret != 0)
break;
++i;
+ if (strcmp(arpt_get_target(iter)->u.user.name,
+ XT_ERROR_TARGET) == 0)
+ ++newinfo->stacksize;
}
duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
if (ret != 0)
@@ -1767,8 +1770,7 @@ struct xt_table *arpt_register_table(struct net *net,
{
int ret;
struct xt_table_info *newinfo;
- struct xt_table_info bootstrap
- = { 0, 0, 0, { 0 }, { 0 }, { } };
+ struct xt_table_info bootstrap = {};
void *loc_cpu_entry;
struct xt_table *new_table;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index bde4754..55dd8ef 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -315,8 +315,6 @@ ipt_do_table(struct sk_buff *skb,
const struct net_device *out,
struct xt_table *table)
{
-#define tb_comefrom ((struct ipt_entry *)table_base)->comefrom
-
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
const struct iphdr *ip;
bool hotdrop = false;
@@ -324,7 +322,8 @@ ipt_do_table(struct sk_buff *skb,
unsigned int verdict = NF_DROP;
const char *indev, *outdev;
const void *table_base;
- struct ipt_entry *e, *back;
+ struct ipt_entry *e, **jumpstack;
+ unsigned int *stackptr, origptr, cpu;
const struct xt_table_info *private;
struct xt_match_param mtpar;
struct xt_target_param tgpar;
@@ -350,19 +349,23 @@ ipt_do_table(struct sk_buff *skb,
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
xt_info_rdlock_bh();
private = table->private;
- table_base = private->entries[smp_processor_id()];
+ cpu = smp_processor_id();
+ table_base = private->entries[cpu];
+ jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
+ stackptr = &private->stackptr[cpu];
+ origptr = *stackptr;
e = get_entry(table_base, private->hook_entry[hook]);
- /* For return from builtin chain */
- back = get_entry(table_base, private->underflow[hook]);
+ pr_devel("Entering %s(hook %u); sp at %u (UF %p)\n", table->name,
+ hook, origptr,
+ get_entry(table_base, private->underflow[hook]));
do {
const struct ipt_entry_target *t;
const struct xt_entry_match *ematch;
IP_NF_ASSERT(e);
- IP_NF_ASSERT(back);
if (!ip_packet_match(ip, indev, outdev,
&e->ip, mtpar.fragoff)) {
no_match:
@@ -397,17 +400,28 @@ ipt_do_table(struct sk_buff *skb,
verdict = (unsigned)(-v) - 1;
break;
}
- e = back;
- back = get_entry(table_base, back->comefrom);
+ if (*stackptr == 0) {
+ e = get_entry(table_base,
+ private->underflow[hook]);
+ pr_devel("Underflow (this is normal) "
+ "to %p\n", e);
+ } else {
+ e = jumpstack[--*stackptr];
+ pr_devel("Pulled %p out from pos %u\n",
+ e, *stackptr);
+ e = ipt_next_entry(e);
+ }
continue;
}
if (table_base + v != ipt_next_entry(e)
&& !(e->ip.flags & IPT_F_GOTO)) {
- /* Save old back ptr in next entry */
- struct ipt_entry *next = ipt_next_entry(e);
- next->comefrom = (void *)back - table_base;
- /* set back pointer to next entry */
- back = next;
+ if (*stackptr >= private->stacksize) {
+ verdict = NF_DROP;
+ break;
+ }
+ jumpstack[(*stackptr)++] = e;
+ pr_devel("Pushed %p into pos %u\n",
+ e, *stackptr - 1);
}
e = get_entry(table_base, v);
@@ -420,18 +434,7 @@ ipt_do_table(struct sk_buff *skb,
tgpar.targinfo = t->data;
-#ifdef CONFIG_NETFILTER_DEBUG
- tb_comefrom = 0xeeeeeeec;
-#endif
verdict = t->u.kernel.target->target(skb, &tgpar);
-#ifdef CONFIG_NETFILTER_DEBUG
- if (tb_comefrom != 0xeeeeeeec && verdict == IPT_CONTINUE) {
- printk("Target %s reentered!\n",
- t->u.kernel.target->name);
- verdict = NF_DROP;
- }
- tb_comefrom = 0x57acc001;
-#endif
/* Target might have changed stuff. */
ip = ip_hdr(skb);
if (verdict == IPT_CONTINUE)
@@ -441,7 +444,9 @@ ipt_do_table(struct sk_buff *skb,
break;
} while (!hotdrop);
xt_info_rdunlock_bh();
-
+ pr_devel("Exiting %s; resetting sp from %u to %u\n",
+ __func__, *stackptr, origptr);
+ *stackptr = origptr;
#ifdef DEBUG_ALLOW_ALL
return NF_ACCEPT;
#else
@@ -449,8 +454,6 @@ ipt_do_table(struct sk_buff *skb,
return NF_DROP;
else return verdict;
#endif
-
-#undef tb_comefrom
}
/* Figures out from what hook each rule can be called: returns 0 if
@@ -829,6 +832,9 @@ translate_table(struct xt_table_info *newinfo, void *entry0,
if (ret != 0)
return ret;
++i;
+ if (strcmp(ipt_get_target(iter)->u.user.name,
+ XT_ERROR_TARGET) == 0)
+ ++newinfo->stacksize;
}
if (i != repl->num_entries) {
@@ -2076,8 +2082,7 @@ struct xt_table *ipt_register_table(struct net *net,
{
int ret;
struct xt_table_info *newinfo;
- struct xt_table_info bootstrap
- = { 0, 0, 0, { 0 }, { 0 }, { } };
+ struct xt_table_info bootstrap = {};
void *loc_cpu_entry;
struct xt_table *new_table;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index c491249..f7570cd 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -345,15 +345,14 @@ ip6t_do_table(struct sk_buff *skb,
const struct net_device *out,
struct xt_table *table)
{
-#define tb_comefrom ((struct ip6t_entry *)table_base)->comefrom
-
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
bool hotdrop = false;
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
const char *indev, *outdev;
const void *table_base;
- struct ip6t_entry *e, *back;
+ struct ip6t_entry *e, **jumpstack;
+ unsigned int *stackptr, origptr, cpu;
const struct xt_table_info *private;
struct xt_match_param mtpar;
struct xt_target_param tgpar;
@@ -377,19 +376,19 @@ ip6t_do_table(struct sk_buff *skb,
xt_info_rdlock_bh();
private = table->private;
- table_base = private->entries[smp_processor_id()];
+ cpu = smp_processor_id();
+ table_base = private->entries[cpu];
+ jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
+ stackptr = &private->stackptr[cpu];
+ origptr = *stackptr;
e = get_entry(table_base, private->hook_entry[hook]);
- /* For return from builtin chain */
- back = get_entry(table_base, private->underflow[hook]);
-
do {
const struct ip6t_entry_target *t;
const struct xt_entry_match *ematch;
IP_NF_ASSERT(e);
- IP_NF_ASSERT(back);
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
&mtpar.thoff, &mtpar.fragoff, &hotdrop)) {
no_match:
@@ -426,17 +425,20 @@ ip6t_do_table(struct sk_buff *skb,
verdict = (unsigned)(-v) - 1;
break;
}
- e = back;
- back = get_entry(table_base, back->comefrom);
+ if (*stackptr == 0)
+ e = get_entry(table_base,
+ private->underflow[hook]);
+ else
+ e = ip6t_next_entry(jumpstack[--*stackptr]);
continue;
}
if (table_base + v != ip6t_next_entry(e)
&& !(e->ipv6.flags & IP6T_F_GOTO)) {
- /* Save old back ptr in next entry */
- struct ip6t_entry *next = ip6t_next_entry(e);
- next->comefrom = (void *)back - table_base;
- /* set back pointer to next entry */
- back = next;
+ if (*stackptr >= private->stacksize) {
+ verdict = NF_DROP;
+ break;
+ }
+ jumpstack[(*stackptr)++] = e;
}
e = get_entry(table_base, v);
@@ -448,19 +450,7 @@ ip6t_do_table(struct sk_buff *skb,
tgpar.target = t->u.kernel.target;
tgpar.targinfo = t->data;
-#ifdef CONFIG_NETFILTER_DEBUG
- tb_comefrom = 0xeeeeeeec;
-#endif
verdict = t->u.kernel.target->target(skb, &tgpar);
-
-#ifdef CONFIG_NETFILTER_DEBUG
- if (tb_comefrom != 0xeeeeeeec && verdict == IP6T_CONTINUE) {
- printk("Target %s reentered!\n",
- t->u.kernel.target->name);
- verdict = NF_DROP;
- }
- tb_comefrom = 0x57acc001;
-#endif
if (verdict == IP6T_CONTINUE)
e = ip6t_next_entry(e);
else
@@ -468,10 +458,8 @@ ip6t_do_table(struct sk_buff *skb,
break;
} while (!hotdrop);
-#ifdef CONFIG_NETFILTER_DEBUG
- tb_comefrom = NETFILTER_LINK_POISON;
-#endif
xt_info_rdunlock_bh();
+ *stackptr = origptr;
#ifdef DEBUG_ALLOW_ALL
return NF_ACCEPT;
@@ -480,8 +468,6 @@ ip6t_do_table(struct sk_buff *skb,
return NF_DROP;
else return verdict;
#endif
-
-#undef tb_comefrom
}
/* Figures out from what hook each rule can be called: returns 0 if
@@ -859,6 +845,9 @@ translate_table(struct xt_table_info *newinfo, void *entry0,
if (ret != 0)
return ret;
++i;
+ if (strcmp(ip6t_get_target(iter)->u.user.name,
+ XT_ERROR_TARGET) == 0)
+ ++newinfo->stacksize;
}
if (i != repl->num_entries) {
@@ -2108,8 +2097,7 @@ struct xt_table *ip6t_register_table(struct net *net,
{
int ret;
struct xt_table_info *newinfo;
- struct xt_table_info bootstrap
- = { 0, 0, 0, { 0 }, { 0 }, { } };
+ struct xt_table_info bootstrap = {};
void *loc_cpu_entry;
struct xt_table *new_table;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 478e9c8..1f6b078 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -68,6 +68,11 @@ static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
[NFPROTO_IPV6] = "ip6",
};
+/* Allow this many total entries. */
+static unsigned int xt_jumpstack_multiplier = 2;
+module_param_named(jumpstack_multiplier, xt_jumpstack_multiplier,
+ uint, S_IRUGO | S_IWUSR);
+
/* Registration hooks for targets. */
int
xt_register_target(struct xt_target *target)
@@ -661,6 +666,26 @@ void xt_free_table_info(struct xt_table_info *info)
else
vfree(info->entries[cpu]);
}
+
+ if (info->jumpstack != NULL) {
+ if (sizeof(void *) * info->stacksize > PAGE_SIZE) {
+ for_each_possible_cpu(cpu)
+ vfree(info->jumpstack[cpu]);
+ } else {
+ for_each_possible_cpu(cpu)
+ kfree(info->jumpstack[cpu]);
+ }
+ }
+
+ if (sizeof(void **) * nr_cpu_ids > PAGE_SIZE)
+ vfree(info->jumpstack);
+ else
+ kfree(info->jumpstack);
+ if (sizeof(unsigned int) * nr_cpu_ids > PAGE_SIZE)
+ vfree(info->stackptr);
+ else
+ kfree(info->stackptr);
+
kfree(info);
}
EXPORT_SYMBOL(xt_free_table_info);
@@ -705,6 +730,44 @@ EXPORT_SYMBOL_GPL(xt_compat_unlock);
DEFINE_PER_CPU(struct xt_info_lock, xt_info_locks);
EXPORT_PER_CPU_SYMBOL_GPL(xt_info_locks);
+static int xt_jumpstack_alloc(struct xt_table_info *i)
+{
+ unsigned int size;
+ int cpu;
+
+ size = sizeof(unsigned int) * nr_cpu_ids;
+ if (size > PAGE_SIZE)
+ i->stackptr = vmalloc(size);
+ else
+ i->stackptr = kmalloc(size, GFP_KERNEL);
+ if (i->stackptr == NULL)
+ return -ENOMEM;
+ memset(i->stackptr, 0, size);
+
+ size = sizeof(void **) * nr_cpu_ids;
+ if (size > PAGE_SIZE)
+ i->jumpstack = vmalloc(size);
+ else
+ i->jumpstack = kmalloc(size, GFP_KERNEL);
+ if (i->jumpstack == NULL)
+ return -ENOMEM;
+ memset(i->jumpstack, 0, size);
+
+ i->stacksize *= xt_jumpstack_multiplier;
+ size = sizeof(void *) * i->stacksize;
+ for_each_possible_cpu(cpu) {
+ if (size > PAGE_SIZE)
+ i->jumpstack[cpu] = vmalloc_node(size,
+ cpu_to_node(cpu));
+ else
+ i->jumpstack[cpu] = kmalloc_node(size,
+ GFP_KERNEL, cpu_to_node(cpu));
+ if (i->jumpstack[cpu] == NULL)
+ return -ENOMEM;
+ }
+
+ return 0;
+}
struct xt_table_info *
xt_replace_table(struct xt_table *table,
@@ -713,6 +776,7 @@ xt_replace_table(struct xt_table *table,
int *error)
{
struct xt_table_info *private;
+ int ret;
/* Do the substitution. */
local_bh_disable();
@@ -727,6 +791,12 @@ xt_replace_table(struct xt_table *table,
return NULL;
}
+ ret = xt_jumpstack_alloc(newinfo);
+ if (ret < 0) {
+ *error = ret;
+ return NULL;
+ }
+
table->private = newinfo;
newinfo->initial_entries = private->initial_entries;
@@ -751,6 +821,10 @@ struct xt_table *xt_register_table(struct net *net,
struct xt_table_info *private;
struct xt_table *t, *table;
+ ret = xt_jumpstack_alloc(newinfo);
+ if (ret < 0)
+ return ERR_PTR(ret);
+
/* Don't add one object to multiple lists. */
table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
if (!table) {
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 039/103] netfilter: xtables: dissolve do_match function
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (37 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 038/103] netfilter: xtables2: make ip_tables reentrant Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 040/103] netfilter: xtables: combine struct xt_match_param and xt_target_param Jan Engelhardt
` (65 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/ip_tables.c | 22 +++++-----------------
net/ipv6/netfilter/ip6_tables.c | 22 +++++-----------------
2 files changed, 10 insertions(+), 34 deletions(-)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 55dd8ef..173b33b 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -167,21 +167,6 @@ ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
return NF_DROP;
}
-/* Performance critical - called for every packet */
-static inline bool
-do_match(const struct ipt_entry_match *m, const struct sk_buff *skb,
- struct xt_match_param *par)
-{
- par->match = m->u.kernel.match;
- par->matchinfo = m->data;
-
- /* Stop iteration if it doesn't match */
- if (!m->u.kernel.match->match(skb, par))
- return true;
- else
- return false;
-}
-
/* Performance critical */
static inline struct ipt_entry *
get_entry(const void *base, unsigned int offset)
@@ -373,9 +358,12 @@ ipt_do_table(struct sk_buff *skb,
continue;
}
- xt_ematch_foreach(ematch, e)
- if (do_match(ematch, skb, &mtpar) != 0)
+ xt_ematch_foreach(ematch, e) {
+ mtpar.match = ematch->u.kernel.match;
+ mtpar.matchinfo = ematch->data;
+ if (!mtpar.match->match(skb, &mtpar))
goto no_match;
+ }
ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index f7570cd..d9d5477 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -199,21 +199,6 @@ ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
return NF_DROP;
}
-/* Performance critical - called for every packet */
-static inline bool
-do_match(const struct ip6t_entry_match *m, const struct sk_buff *skb,
- struct xt_match_param *par)
-{
- par->match = m->u.kernel.match;
- par->matchinfo = m->data;
-
- /* Stop iteration if it doesn't match */
- if (!m->u.kernel.match->match(skb, par))
- return true;
- else
- return false;
-}
-
static inline struct ip6t_entry *
get_entry(const void *base, unsigned int offset)
{
@@ -396,9 +381,12 @@ ip6t_do_table(struct sk_buff *skb,
continue;
}
- xt_ematch_foreach(ematch, e)
- if (do_match(ematch, skb, &mtpar) != 0)
+ xt_ematch_foreach(ematch, e) {
+ mtpar.match = ematch->u.kernel.match;
+ mtpar.matchinfo = ematch->data;
+ if (!mtpar.match->match(skb, &mtpar))
goto no_match;
+ }
ADD_COUNTER(e->counters,
ntohs(ipv6_hdr(skb)->payload_len) +
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 040/103] netfilter: xtables: combine struct xt_match_param and xt_target_param
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (38 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 039/103] netfilter: xtables: dissolve do_match function Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 041/103] netfilter: xtables: substitute temporary defines by final name Jan Engelhardt
` (64 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
The structures carried - besides match/target - almost the same data.
Combining them makes ip6t_do_table and friends smaller.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 42 ++++++++++++++---------------------
net/bridge/netfilter/ebtables.c | 27 +++++++++++------------
net/ipv4/netfilter/arp_tables.c | 16 ++++++------
net/ipv4/netfilter/ip_tables.c | 32 ++++++++++++--------------
net/ipv6/netfilter/ip6_tables.c | 27 +++++++++++------------
5 files changed, 66 insertions(+), 78 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index d5ff621..e918437 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -192,13 +192,17 @@ struct xt_counters_info
#include <linux/netdevice.h>
+#define xt_match_param xt_action_param
+#define xt_target_param xt_action_param
/**
- * struct xt_match_param - parameters for match extensions' match functions
+ * struct xt_action_param - parameters for matches/targets
*
+ * @match: the match extension
+ * @target: the target extension
+ * @matchinfo: per-match data
+ * @targetinfo: per-target data
* @in: input netdevice
* @out: output netdevice
- * @match: struct xt_match through which this function was invoked
- * @matchinfo: per-match data
* @fragoff: packet is a fragment, this is the data offset
* @thoff: position of transport header relative to skb->data
* @hook: hook number given packet came from
@@ -206,10 +210,15 @@ struct xt_counters_info
* (helpful when match->family == NFPROTO_UNSPEC)
* @hotdrop: drop packet if we had inspection problems
*/
-struct xt_match_param {
+struct xt_action_param {
+ union {
+ const struct xt_match *match;
+ const struct xt_target *target;
+ };
+ union {
+ const void *matchinfo, *targinfo;
+ };
const struct net_device *in, *out;
- const struct xt_match *match;
- const void *matchinfo;
int fragoff;
unsigned int thoff;
unsigned int hooknum;
@@ -245,23 +254,6 @@ struct xt_mtdtor_param {
};
/**
- * struct xt_target_param - parameters for target extensions' target functions
- *
- * @hooknum: hook through which this target was invoked
- * @target: struct xt_target through which this function was invoked
- * @targinfo: per-target data
- *
- * Other fields see above.
- */
-struct xt_target_param {
- const struct net_device *in, *out;
- const struct xt_target *target;
- const void *targinfo;
- unsigned int hooknum;
- u_int8_t family;
-};
-
-/**
* struct xt_tgchk_param - parameters for target extensions'
* checkentry functions
*
@@ -299,7 +291,7 @@ struct xt_match
non-linear skb, using skb_header_pointer and
skb_ip_make_writable. */
bool (*match)(const struct sk_buff *skb,
- const struct xt_match_param *);
+ const struct xt_action_param *);
/* Called when user tries to insert an entry of this type. */
bool (*checkentry)(const struct xt_mtchk_param *);
@@ -337,7 +329,7 @@ struct xt_target
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
unsigned int (*target)(struct sk_buff *skb,
- const struct xt_target_param *);
+ const struct xt_action_param *);
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 9ed98d9..281a531 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -65,7 +65,7 @@ static struct xt_target ebt_standard_target = {
static inline int
ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
- struct xt_target_param *par)
+ struct xt_action_param *par)
{
par->target = w->u.watcher;
par->targinfo = w->data;
@@ -75,7 +75,7 @@ ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
}
static inline int ebt_do_match (struct ebt_entry_match *m,
- const struct sk_buff *skb, struct xt_match_param *par)
+ const struct sk_buff *skb, struct xt_action_param *par)
{
par->match = m->u.match;
par->matchinfo = m->data;
@@ -165,14 +165,13 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
const char *base;
const struct ebt_table_info *private;
bool hotdrop = false;
- struct xt_match_param mtpar;
- struct xt_target_param tgpar;
+ struct xt_action_param acpar;
- mtpar.family = tgpar.family = NFPROTO_BRIDGE;
- mtpar.in = tgpar.in = in;
- mtpar.out = tgpar.out = out;
- mtpar.hotdrop = &hotdrop;
- mtpar.hooknum = tgpar.hooknum = hook;
+ acpar.family = NFPROTO_BRIDGE;
+ acpar.in = in;
+ acpar.out = out;
+ acpar.hotdrop = &hotdrop;
+ acpar.hooknum = hook;
read_lock_bh(&table->lock);
private = table->private;
@@ -193,7 +192,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
if (ebt_basic_match(point, eth_hdr(skb), in, out))
goto letscontinue;
- if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
+ if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
goto letscontinue;
if (hotdrop) {
read_unlock_bh(&table->lock);
@@ -206,7 +205,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
/* these should only watch: not modify, nor tell us
what to do with the packet */
- EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
+ EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
t = (struct ebt_entry_target *)
(((char *)point) + point->target_offset);
@@ -214,9 +213,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
if (!t->u.target->target)
verdict = ((struct ebt_standard_target *)t)->verdict;
else {
- tgpar.target = t->u.target;
- tgpar.targinfo = t->data;
- verdict = t->u.target->target(skb, &tgpar);
+ acpar.target = t->u.target;
+ acpar.targinfo = t->data;
+ verdict = t->u.target->target(skb, &acpar);
}
if (verdict == EBT_ACCEPT) {
read_unlock_bh(&table->lock);
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 0150944..f05858c 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -258,7 +258,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
const char *indev, *outdev;
void *table_base;
const struct xt_table_info *private;
- struct xt_target_param tgpar;
+ struct xt_action_param acpar;
if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
return NF_DROP;
@@ -273,10 +273,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
e = get_entry(table_base, private->hook_entry[hook]);
back = get_entry(table_base, private->underflow[hook]);
- tgpar.in = in;
- tgpar.out = out;
- tgpar.hooknum = hook;
- tgpar.family = NFPROTO_ARP;
+ acpar.in = in;
+ acpar.out = out;
+ acpar.hooknum = hook;
+ acpar.family = NFPROTO_ARP;
arp = arp_hdr(skb);
do {
@@ -326,9 +326,9 @@ unsigned int arpt_do_table(struct sk_buff *skb,
/* Targets which reenter must return
* abs. verdicts
*/
- tgpar.target = t->u.kernel.target;
- tgpar.targinfo = t->data;
- verdict = t->u.kernel.target->target(skb, &tgpar);
+ acpar.target = t->u.kernel.target;
+ acpar.targinfo = t->data;
+ verdict = t->u.kernel.target->target(skb, &acpar);
/* Target might have changed stuff. */
arp = arp_hdr(skb);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 173b33b..ff90bc4 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -310,8 +310,7 @@ ipt_do_table(struct sk_buff *skb,
struct ipt_entry *e, **jumpstack;
unsigned int *stackptr, origptr, cpu;
const struct xt_table_info *private;
- struct xt_match_param mtpar;
- struct xt_target_param tgpar;
+ struct xt_action_param acpar;
/* Initialization */
ip = ip_hdr(skb);
@@ -323,13 +322,13 @@ ipt_do_table(struct sk_buff *skb,
* things we don't know, ie. tcp syn flag or ports). If the
* rule is also a fragment-specific rule, non-fragments won't
* match it. */
- mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
- mtpar.thoff = ip_hdrlen(skb);
- mtpar.hotdrop = &hotdrop;
- mtpar.in = tgpar.in = in;
- mtpar.out = tgpar.out = out;
- mtpar.family = tgpar.family = NFPROTO_IPV4;
- mtpar.hooknum = tgpar.hooknum = hook;
+ acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
+ acpar.thoff = ip_hdrlen(skb);
+ acpar.hotdrop = &hotdrop;
+ acpar.in = in;
+ acpar.out = out;
+ acpar.family = NFPROTO_IPV4;
+ acpar.hooknum = hook;
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
xt_info_rdlock_bh();
@@ -352,16 +351,16 @@ ipt_do_table(struct sk_buff *skb,
IP_NF_ASSERT(e);
if (!ip_packet_match(ip, indev, outdev,
- &e->ip, mtpar.fragoff)) {
+ &e->ip, acpar.fragoff)) {
no_match:
e = ipt_next_entry(e);
continue;
}
xt_ematch_foreach(ematch, e) {
- mtpar.match = ematch->u.kernel.match;
- mtpar.matchinfo = ematch->data;
- if (!mtpar.match->match(skb, &mtpar))
+ acpar.match = ematch->u.kernel.match;
+ acpar.matchinfo = ematch->data;
+ if (!acpar.match->match(skb, &acpar))
goto no_match;
}
@@ -418,11 +417,10 @@ ipt_do_table(struct sk_buff *skb,
/* Targets which reenter must return
abs. verdicts */
- tgpar.target = t->u.kernel.target;
- tgpar.targinfo = t->data;
+ acpar.target = t->u.kernel.target;
+ acpar.targinfo = t->data;
-
- verdict = t->u.kernel.target->target(skb, &tgpar);
+ verdict = t->u.kernel.target->target(skb, &acpar);
/* Target might have changed stuff. */
ip = ip_hdr(skb);
if (verdict == IPT_CONTINUE)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index d9d5477..296b76d 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -339,8 +339,7 @@ ip6t_do_table(struct sk_buff *skb,
struct ip6t_entry *e, **jumpstack;
unsigned int *stackptr, origptr, cpu;
const struct xt_table_info *private;
- struct xt_match_param mtpar;
- struct xt_target_param tgpar;
+ struct xt_action_param acpar;
/* Initialization */
indev = in ? in->name : nulldevname;
@@ -351,11 +350,11 @@ ip6t_do_table(struct sk_buff *skb,
* things we don't know, ie. tcp syn flag or ports). If the
* rule is also a fragment-specific rule, non-fragments won't
* match it. */
- mtpar.hotdrop = &hotdrop;
- mtpar.in = tgpar.in = in;
- mtpar.out = tgpar.out = out;
- mtpar.family = tgpar.family = NFPROTO_IPV6;
- mtpar.hooknum = tgpar.hooknum = hook;
+ acpar.hotdrop = &hotdrop;
+ acpar.in = in;
+ acpar.out = out;
+ acpar.family = NFPROTO_IPV6;
+ acpar.hooknum = hook;
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
@@ -375,16 +374,16 @@ ip6t_do_table(struct sk_buff *skb,
IP_NF_ASSERT(e);
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
- &mtpar.thoff, &mtpar.fragoff, &hotdrop)) {
+ &acpar.thoff, &acpar.fragoff, &hotdrop)) {
no_match:
e = ip6t_next_entry(e);
continue;
}
xt_ematch_foreach(ematch, e) {
- mtpar.match = ematch->u.kernel.match;
- mtpar.matchinfo = ematch->data;
- if (!mtpar.match->match(skb, &mtpar))
+ acpar.match = ematch->u.kernel.match;
+ acpar.matchinfo = ematch->data;
+ if (!acpar.match->match(skb, &acpar))
goto no_match;
}
@@ -435,10 +434,10 @@ ip6t_do_table(struct sk_buff *skb,
/* Targets which reenter must return
abs. verdicts */
- tgpar.target = t->u.kernel.target;
- tgpar.targinfo = t->data;
+ acpar.target = t->u.kernel.target;
+ acpar.targinfo = t->data;
- verdict = t->u.kernel.target->target(skb, &tgpar);
+ verdict = t->u.kernel.target->target(skb, &acpar);
if (verdict == IP6T_CONTINUE)
e = ip6t_next_entry(e);
else
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 041/103] netfilter: xtables: substitute temporary defines by final name
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (39 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 040/103] netfilter: xtables: combine struct xt_match_param and xt_target_param Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 042/103] netfilter: xtables: make use of xt_request_find_target Jan Engelhardt
` (63 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 2 --
net/bridge/netfilter/ebt_802_3.c | 2 +-
net/bridge/netfilter/ebt_among.c | 2 +-
net/bridge/netfilter/ebt_arp.c | 2 +-
net/bridge/netfilter/ebt_arpreply.c | 2 +-
net/bridge/netfilter/ebt_dnat.c | 2 +-
net/bridge/netfilter/ebt_ip.c | 2 +-
net/bridge/netfilter/ebt_ip6.c | 2 +-
net/bridge/netfilter/ebt_limit.c | 2 +-
net/bridge/netfilter/ebt_log.c | 2 +-
net/bridge/netfilter/ebt_mark.c | 2 +-
net/bridge/netfilter/ebt_mark_m.c | 2 +-
net/bridge/netfilter/ebt_nflog.c | 2 +-
net/bridge/netfilter/ebt_pkttype.c | 2 +-
net/bridge/netfilter/ebt_redirect.c | 2 +-
net/bridge/netfilter/ebt_snat.c | 2 +-
net/bridge/netfilter/ebt_stp.c | 2 +-
net/bridge/netfilter/ebt_ulog.c | 2 +-
net/bridge/netfilter/ebt_vlan.c | 2 +-
net/ipv4/netfilter/arp_tables.c | 2 +-
net/ipv4/netfilter/arpt_mangle.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 4 ++--
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
net/ipv4/netfilter/ipt_ECN.c | 2 +-
net/ipv4/netfilter/ipt_LOG.c | 2 +-
net/ipv4/netfilter/ipt_MASQUERADE.c | 2 +-
net/ipv4/netfilter/ipt_NETMAP.c | 2 +-
net/ipv4/netfilter/ipt_REDIRECT.c | 2 +-
net/ipv4/netfilter/ipt_REJECT.c | 2 +-
net/ipv4/netfilter/ipt_ULOG.c | 2 +-
net/ipv4/netfilter/ipt_addrtype.c | 4 ++--
net/ipv4/netfilter/ipt_ah.c | 2 +-
net/ipv4/netfilter/ipt_ecn.c | 2 +-
net/ipv4/netfilter/nf_nat_rule.c | 4 ++--
net/ipv6/netfilter/ip6_tables.c | 4 ++--
net/ipv6/netfilter/ip6t_LOG.c | 2 +-
net/ipv6/netfilter/ip6t_REJECT.c | 2 +-
net/ipv6/netfilter/ip6t_ah.c | 2 +-
net/ipv6/netfilter/ip6t_eui64.c | 2 +-
net/ipv6/netfilter/ip6t_frag.c | 2 +-
net/ipv6/netfilter/ip6t_hbh.c | 2 +-
| 2 +-
net/ipv6/netfilter/ip6t_mh.c | 2 +-
net/ipv6/netfilter/ip6t_rt.c | 2 +-
net/netfilter/xt_CLASSIFY.c | 2 +-
net/netfilter/xt_CONNMARK.c | 2 +-
net/netfilter/xt_CONNSECMARK.c | 2 +-
net/netfilter/xt_DSCP.c | 8 ++++----
net/netfilter/xt_HL.c | 4 ++--
net/netfilter/xt_LED.c | 2 +-
net/netfilter/xt_MARK.c | 2 +-
net/netfilter/xt_NFLOG.c | 2 +-
net/netfilter/xt_NFQUEUE.c | 6 +++---
net/netfilter/xt_NOTRACK.c | 2 +-
net/netfilter/xt_RATEEST.c | 2 +-
net/netfilter/xt_SECMARK.c | 2 +-
net/netfilter/xt_TCPMSS.c | 4 ++--
net/netfilter/xt_TCPOPTSTRIP.c | 4 ++--
net/netfilter/xt_TPROXY.c | 2 +-
net/netfilter/xt_TRACE.c | 2 +-
net/netfilter/xt_cluster.c | 2 +-
| 2 +-
net/netfilter/xt_connbytes.c | 2 +-
net/netfilter/xt_connlimit.c | 2 +-
net/netfilter/xt_connmark.c | 2 +-
net/netfilter/xt_conntrack.c | 2 +-
net/netfilter/xt_dccp.c | 2 +-
net/netfilter/xt_dscp.c | 6 +++---
net/netfilter/xt_esp.c | 2 +-
net/netfilter/xt_hashlimit.c | 4 ++--
net/netfilter/xt_helper.c | 2 +-
net/netfilter/xt_hl.c | 4 ++--
net/netfilter/xt_iprange.c | 4 ++--
net/netfilter/xt_length.c | 4 ++--
net/netfilter/xt_limit.c | 2 +-
net/netfilter/xt_mac.c | 2 +-
net/netfilter/xt_mark.c | 2 +-
net/netfilter/xt_multiport.c | 4 ++--
net/netfilter/xt_osf.c | 2 +-
net/netfilter/xt_owner.c | 2 +-
net/netfilter/xt_physdev.c | 2 +-
net/netfilter/xt_pkttype.c | 2 +-
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_quota.c | 2 +-
net/netfilter/xt_rateest.c | 2 +-
net/netfilter/xt_realm.c | 2 +-
net/netfilter/xt_recent.c | 2 +-
net/netfilter/xt_sctp.c | 2 +-
net/netfilter/xt_socket.c | 6 +++---
net/netfilter/xt_state.c | 2 +-
net/netfilter/xt_statistic.c | 2 +-
net/netfilter/xt_string.c | 2 +-
net/netfilter/xt_tcpmss.c | 2 +-
net/netfilter/xt_tcpudp.c | 4 ++--
net/netfilter/xt_time.c | 2 +-
net/netfilter/xt_u32.c | 2 +-
net/sched/act_ipt.c | 2 +-
97 files changed, 118 insertions(+), 120 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index e918437..040cfc1 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -192,8 +192,6 @@ struct xt_counters_info
#include <linux/netdevice.h>
-#define xt_match_param xt_action_param
-#define xt_target_param xt_action_param
/**
* struct xt_action_param - parameters for matches/targets
*
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index bd91dc5..8a2347f 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -13,7 +13,7 @@
#include <linux/netfilter_bridge/ebt_802_3.h>
static bool
-ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_802_3_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_802_3_info *info = par->matchinfo;
const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index b595f09..39f1b4f 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -128,7 +128,7 @@ static int get_ip_src(const struct sk_buff *skb, __be32 *addr)
}
static bool
-ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_among_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_among_info *info = par->matchinfo;
const char *dmac, *smac;
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index b7ad604..488840e 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -16,7 +16,7 @@
#include <linux/netfilter_bridge/ebt_arp.h>
static bool
-ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_arp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_arp_info *info = par->matchinfo;
const struct arphdr *ah;
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index 76584cd..c4b186c 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -16,7 +16,7 @@
#include <linux/netfilter_bridge/ebt_arpreply.h>
static unsigned int
-ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_arpreply_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_arpreply_info *info = par->targinfo;
const __be32 *siptr, *diptr;
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 6b49ea9..38b5397 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -15,7 +15,7 @@
#include <linux/netfilter_bridge/ebt_nat.h>
static unsigned int
-ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_nat_info *info = par->targinfo;
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index d771bbf..87701ec 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -25,7 +25,7 @@ struct tcpudphdr {
};
static bool
-ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_ip_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_ip_info *info = par->matchinfo;
const struct iphdr *ih;
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 784a657..ef73859 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -28,7 +28,7 @@ struct tcpudphdr {
};
static bool
-ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_ip6_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_ip6_info *info = par->matchinfo;
const struct ipv6hdr *ih6;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index f7bd919..7dd55f8 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -31,7 +31,7 @@ static DEFINE_SPINLOCK(limit_lock);
#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
static bool
-ebt_limit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_limit_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
struct ebt_limit_info *info = (void *)par->matchinfo;
unsigned long now = jiffies;
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index a94f3cc..b65fcc7 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -186,7 +186,7 @@ out:
}
static unsigned int
-ebt_log_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_log_info *info = par->targinfo;
struct nf_loginfo li;
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 2fee7e8..ff49b15 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -19,7 +19,7 @@
#include <linux/netfilter_bridge/ebt_mark_t.h>
static unsigned int
-ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_mark_t_info *info = par->targinfo;
int action = info->target & -16;
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index ea570f2..598be12 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -13,7 +13,7 @@
#include <linux/netfilter_bridge/ebt_mark_m.h>
static bool
-ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_mark_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_mark_m_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
index 2a63d99..ca7f579 100644
--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -20,7 +20,7 @@
#include <net/netfilter/nf_log.h>
static unsigned int
-ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_nflog_info *info = par->targinfo;
struct nf_loginfo li;
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index 883e96e..c0e17a2 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -13,7 +13,7 @@
#include <linux/netfilter_bridge/ebt_pkttype.h>
static bool
-ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_pkttype_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index c8a49f7..d7b6ba6 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -16,7 +16,7 @@
#include <linux/netfilter_bridge/ebt_redirect.h>
static unsigned int
-ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_redirect_info *info = par->targinfo;
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 8d04d4c..1a4fd88 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -17,7 +17,7 @@
#include <linux/netfilter_bridge/ebt_nat.h>
static unsigned int
-ebt_snat_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_nat_info *info = par->targinfo;
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 48527e6..dd1ca65 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -120,7 +120,7 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
}
static bool
-ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_stp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_stp_info *info = par->matchinfo;
const struct stp_header *sp;
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 133eeae..0235f6f 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -247,7 +247,7 @@ static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
}
static unsigned int
-ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
ebt_ulog_packet(par->hooknum, skb, par->in, par->out,
par->targinfo, NULL);
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index 3dddd48..528691c 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -41,7 +41,7 @@ MODULE_LICENSE("GPL");
#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
static bool
-ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_vlan_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ebt_vlan_info *info = par->matchinfo;
const struct vlan_hdr *fp;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index f05858c..b88c069 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -217,7 +217,7 @@ static inline int arp_checkentry(const struct arpt_arp *arp)
}
static unsigned int
-arpt_error(struct sk_buff *skb, const struct xt_target_param *par)
+arpt_error(struct sk_buff *skb, const struct xt_action_param *par)
{
if (net_ratelimit())
printk("arp_tables: error: '%s'\n",
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index b0d5b1d..2c3c83f 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -9,7 +9,7 @@ MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
MODULE_DESCRIPTION("arptables arp payload mangle target");
static unsigned int
-target(struct sk_buff *skb, const struct xt_target_param *par)
+target(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct arpt_mangle *mangle = par->targinfo;
const struct arphdr *arp;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index ff90bc4..3add32b 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -158,7 +158,7 @@ ip_checkentry(const struct ipt_ip *ip)
}
static unsigned int
-ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
+ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
{
if (net_ratelimit())
printk("ip_tables: error: `%s'\n",
@@ -2130,7 +2130,7 @@ icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
}
static bool
-icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
+icmp_match(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct icmphdr *ic;
struct icmphdr _icmph;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 2e4f98b..11a7f74 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -281,7 +281,7 @@ clusterip_responsible(const struct clusterip_config *config, u_int32_t hash)
***********************************************************************/
static unsigned int
-clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
+clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
struct nf_conn *ct;
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index f7e2fa0..5d2b678 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -77,7 +77,7 @@ set_ect_tcp(struct sk_buff *skb, const struct ipt_ECN_info *einfo)
}
static unsigned int
-ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ecn_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ipt_ECN_info *einfo = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index acc44c6..867b7c9 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -425,7 +425,7 @@ ipt_log_packet(u_int8_t pf,
}
static unsigned int
-log_tg(struct sk_buff *skb, const struct xt_target_param *par)
+log_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ipt_log_info *loginfo = par->targinfo;
struct nf_loginfo li;
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index dada086..3a3b6be 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -44,7 +44,7 @@ static bool masquerade_tg_check(const struct xt_tgchk_param *par)
}
static unsigned int
-masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
+masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
struct nf_conn *ct;
struct nf_conn_nat *nat;
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 7c29582..35065b6 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -38,7 +38,7 @@ static bool netmap_tg_check(const struct xt_tgchk_param *par)
}
static unsigned int
-netmap_tg(struct sk_buff *skb, const struct xt_target_param *par)
+netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 698e5e7..12a75ef 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -42,7 +42,7 @@ static bool redirect_tg_check(const struct xt_tgchk_param *par)
}
static unsigned int
-redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
+redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index c93ae44..628373a 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -135,7 +135,7 @@ static inline void send_unreach(struct sk_buff *skb_in, int code)
}
static unsigned int
-reject_tg(struct sk_buff *skb, const struct xt_target_param *par)
+reject_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ipt_reject_info *reject = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 0b02768..92ae5ea 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -281,7 +281,7 @@ alloc_failure:
}
static unsigned int
-ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
ipt_ulog_packet(par->hooknum, skb, par->in, par->out,
par->targinfo, NULL);
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 3b216be..4d6c51d 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -30,7 +30,7 @@ static inline bool match_type(struct net *net, const struct net_device *dev,
}
static bool
-addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+addrtype_mt_v0(const struct sk_buff *skb, const struct xt_action_param *par)
{
struct net *net = dev_net(par->in ? par->in : par->out);
const struct ipt_addrtype_info *info = par->matchinfo;
@@ -48,7 +48,7 @@ addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
}
static bool
-addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+addrtype_mt_v1(const struct sk_buff *skb, const struct xt_action_param *par)
{
struct net *net = dev_net(par->in ? par->in : par->out);
const struct ipt_addrtype_info_v1 *info = par->matchinfo;
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 0104c0b..15b7b4a 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -36,7 +36,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
return r;
}
-static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool ah_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
struct ip_auth_hdr _ahdr;
const struct ip_auth_hdr *ah;
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 6289b64..19dde8b 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -67,7 +67,7 @@ static inline bool match_tcp(const struct sk_buff *skb,
return true;
}
-static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool ecn_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ipt_ecn_info *info = par->matchinfo;
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 57f9d1d..8b44f1a 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -37,7 +37,7 @@ static const struct xt_table nat_table = {
/* Source NAT */
static unsigned int
-ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par)
+ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
{
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
@@ -56,7 +56,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par)
}
static unsigned int
-ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par)
+ipt_dnat_target(struct sk_buff *skb, const struct xt_action_param *par)
{
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 296b76d..709d509 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -190,7 +190,7 @@ ip6_checkentry(const struct ip6t_ip6 *ipv6)
}
static unsigned int
-ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
+ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
{
if (net_ratelimit())
printk("ip6_tables: error: `%s'\n",
@@ -2144,7 +2144,7 @@ icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
}
static bool
-icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
+icmp6_match(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct icmp6hdr *ic;
struct icmp6hdr _icmph;
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 7018cac..40252a2 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -437,7 +437,7 @@ ip6t_log_packet(u_int8_t pf,
}
static unsigned int
-log_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+log_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ip6t_log_info *loginfo = par->targinfo;
struct nf_loginfo li;
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 5a7f00c..16bb432 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -173,7 +173,7 @@ send_unreach(struct net *net, struct sk_buff *skb_in, unsigned char code,
}
static unsigned int
-reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ip6t_reject_info *reject = par->targinfo;
struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index 3a82f24..b40e3b9 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -36,7 +36,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
return r;
}
-static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool ah_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
{
struct ip_auth_hdr _ah;
const struct ip_auth_hdr *ah;
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index db610ba..bd937c2 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -20,7 +20,7 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
static bool
-eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+eui64_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
{
unsigned char eui64[8];
int i = 0;
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index 673aa0a..ab3e5eb 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -35,7 +35,7 @@ id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
}
static bool
-frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+frag_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
{
struct frag_hdr _frag;
const struct frag_hdr *fh;
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index cbe8dec..ccce583 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -42,7 +42,7 @@ MODULE_ALIAS("ip6t_dst");
*/
static bool
-hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+hbh_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
{
struct ipv6_opt_hdr _optsh;
const struct ipv6_opt_hdr *oh;
--git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 91490ad..a1dca01 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -27,7 +27,7 @@ MODULE_DESCRIPTION("Xtables: IPv6 header types match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
static bool
-ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+ipv6header_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ip6t_ipv6header_info *info = par->matchinfo;
unsigned int temp;
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index aafe4e6..774ef11 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -37,7 +37,7 @@ type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
return (type >= min && type <= max) ^ invert;
}
-static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool mh_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
{
struct ip6_mh _mh;
const struct ip6_mh *mh;
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 356b8d6..51d20e8 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -36,7 +36,7 @@ segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
return r;
}
-static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool rt_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
{
struct ipv6_rt_hdr _route;
const struct ipv6_rt_hdr *rh;
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 011bc80..c2c0e4a 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -27,7 +27,7 @@ MODULE_ALIAS("ipt_CLASSIFY");
MODULE_ALIAS("ip6t_CLASSIFY");
static unsigned int
-classify_tg(struct sk_buff *skb, const struct xt_target_param *par)
+classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_classify_target_info *clinfo = par->targinfo;
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index 5934570..561cd7e 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -36,7 +36,7 @@ MODULE_ALIAS("ip6t_CONNMARK");
#include <net/netfilter/nf_conntrack_ecache.h>
static unsigned int
-connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
+connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_connmark_tginfo1 *info = par->targinfo;
enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index b54c375..e28dade 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -65,7 +65,7 @@ static void secmark_restore(struct sk_buff *skb)
}
static unsigned int
-connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
+connsecmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_connsecmark_target_info *info = par->targinfo;
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 74ce892..01b2e08 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -28,7 +28,7 @@ MODULE_ALIAS("ipt_TOS");
MODULE_ALIAS("ip6t_TOS");
static unsigned int
-dscp_tg(struct sk_buff *skb, const struct xt_target_param *par)
+dscp_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_DSCP_info *dinfo = par->targinfo;
u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -45,7 +45,7 @@ dscp_tg(struct sk_buff *skb, const struct xt_target_param *par)
}
static unsigned int
-dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+dscp_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_DSCP_info *dinfo = par->targinfo;
u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -72,7 +72,7 @@ static bool dscp_tg_check(const struct xt_tgchk_param *par)
}
static unsigned int
-tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
+tos_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_tos_target_info *info = par->targinfo;
struct iphdr *iph = ip_hdr(skb);
@@ -92,7 +92,7 @@ tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
}
static unsigned int
-tos_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+tos_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_tos_target_info *info = par->targinfo;
struct ipv6hdr *iph = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 10e789e..d29d65c 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("Xtables: Hoplimit/TTL Limit field modification target");
MODULE_LICENSE("GPL");
static unsigned int
-ttl_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ttl_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
struct iphdr *iph;
const struct ipt_TTL_info *info = par->targinfo;
@@ -66,7 +66,7 @@ ttl_tg(struct sk_buff *skb, const struct xt_target_param *par)
}
static unsigned int
-hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+hl_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
struct ipv6hdr *ip6h;
const struct ip6t_HL_info *info = par->targinfo;
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 8ff7843..ad21030 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -42,7 +42,7 @@ struct xt_led_info_internal {
};
static unsigned int
-led_tg(struct sk_buff *skb, const struct xt_target_param *par)
+led_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_led_info *ledinfo = par->targinfo;
struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 225f8d1..274915b 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_MARK");
MODULE_ALIAS("ip6t_MARK");
static unsigned int
-mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
+mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_mark_tginfo2 *info = par->targinfo;
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index a57c5cf..0cfc98f 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ipt_NFLOG");
MODULE_ALIAS("ip6t_NFLOG");
static unsigned int
-nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
+nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_nflog_info *info = par->targinfo;
struct nf_loginfo li;
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index f28f6a5..29cfd08 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -30,7 +30,7 @@ MODULE_ALIAS("arpt_NFQUEUE");
static u32 jhash_initval __read_mostly;
static unsigned int
-nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par)
+nfqueue_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_NFQ_info *tinfo = par->targinfo;
@@ -49,7 +49,7 @@ static u32 hash_v4(const struct sk_buff *skb)
}
static unsigned int
-nfqueue_tg4_v1(struct sk_buff *skb, const struct xt_target_param *par)
+nfqueue_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_NFQ_info_v1 *info = par->targinfo;
u32 queue = info->queuenum;
@@ -74,7 +74,7 @@ static u32 hash_v6(const struct sk_buff *skb)
}
static unsigned int
-nfqueue_tg6_v1(struct sk_buff *skb, const struct xt_target_param *par)
+nfqueue_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_NFQ_info_v1 *info = par->targinfo;
u32 queue = info->queuenum;
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index e7a0a54..512b912 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -13,7 +13,7 @@ MODULE_ALIAS("ipt_NOTRACK");
MODULE_ALIAS("ip6t_NOTRACK");
static unsigned int
-notrack_tg(struct sk_buff *skb, const struct xt_target_param *par)
+notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
/* Previously seen (loopback)? Ignore. */
if (skb->nfct != NULL)
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 43f5676..250472b 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -71,7 +71,7 @@ void xt_rateest_put(struct xt_rateest *est)
EXPORT_SYMBOL_GPL(xt_rateest_put);
static unsigned int
-xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par)
+xt_rateest_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_rateest_target_info *info = par->targinfo;
struct gnet_stats_basic *stats = &info->est->bstats;
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 7a6f9e6..0d28770 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -29,7 +29,7 @@ MODULE_ALIAS("ip6t_SECMARK");
static u8 mode;
static unsigned int
-secmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
+secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
u32 secmark = 0;
const struct xt_secmark_target_info *info = par->targinfo;
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index ea8933e..e757ce9 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -174,7 +174,7 @@ static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
}
static unsigned int
-tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par)
+tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{
struct iphdr *iph = ip_hdr(skb);
__be16 newlen;
@@ -197,7 +197,7 @@ tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par)
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
static unsigned int
-tcpmss_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
struct ipv6hdr *ipv6h = ipv6_hdr(skb);
u8 nexthdr;
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 9dd8c8e..9781339 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -75,7 +75,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
}
static unsigned int
-tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par)
+tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{
return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
sizeof(struct iphdr) + sizeof(struct tcphdr));
@@ -83,7 +83,7 @@ tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par)
#if defined(CONFIG_IP6_NF_MANGLE) || defined(CONFIG_IP6_NF_MANGLE_MODULE)
static unsigned int
-tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
struct ipv6hdr *ipv6h = ipv6_hdr(skb);
int tcphoff;
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 1340c2f..d806b7b 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -25,7 +25,7 @@
#include <net/netfilter/nf_tproxy_core.h>
static unsigned int
-tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par)
+tproxy_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct iphdr *iph = ip_hdr(skb);
const struct xt_tproxy_target_info *tgi = par->targinfo;
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index fbb04b8..df48967 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -11,7 +11,7 @@ MODULE_ALIAS("ipt_TRACE");
MODULE_ALIAS("ip6t_TRACE");
static unsigned int
-trace_tg(struct sk_buff *skb, const struct xt_target_param *par)
+trace_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
skb->nf_trace = 1;
return XT_CONTINUE;
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 225ee3e..fc3e5fb 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -85,7 +85,7 @@ xt_cluster_is_multicast_addr(const struct sk_buff *skb, u_int8_t family)
}
static bool
-xt_cluster_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+xt_cluster_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
struct sk_buff *pskb = (struct sk_buff *)skb;
const struct xt_cluster_match_info *info = par->matchinfo;
--git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index e821798..1dbb3e1 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -16,7 +16,7 @@ MODULE_ALIAS("ipt_comment");
MODULE_ALIAS("ip6t_comment");
static bool
-comment_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+comment_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
/* We always match */
return true;
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 955e659..a43b635 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -17,7 +17,7 @@ MODULE_ALIAS("ipt_connbytes");
MODULE_ALIAS("ip6t_connbytes");
static bool
-connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+connbytes_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_connbytes_info *sinfo = par->matchinfo;
const struct nf_conn *ct;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 6809809..f580eea 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -180,7 +180,7 @@ static int count_them(struct xt_connlimit_data *data,
}
static bool
-connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+connlimit_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_connlimit_info *info = par->matchinfo;
union nf_inet_addr addr;
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 122aa8b..3da9a9c 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -34,7 +34,7 @@ MODULE_ALIAS("ipt_connmark");
MODULE_ALIAS("ip6t_connmark");
static bool
-connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+connmark_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_connmark_mtinfo1 *info = par->matchinfo;
enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index ccd9e1e..fd9efe8 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -113,7 +113,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
}
static bool
-conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+conntrack_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 0989f29..4ae8284 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -95,7 +95,7 @@ match_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff,
}
static bool
-dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+dccp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_dccp_info *info = par->matchinfo;
const struct dccp_hdr *dh;
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 0280d3a..42787e1 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tos");
MODULE_ALIAS("ip6t_tos");
static bool
-dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+dscp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_dscp_info *info = par->matchinfo;
u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -34,7 +34,7 @@ dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
}
static bool
-dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+dscp_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_dscp_info *info = par->matchinfo;
u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -54,7 +54,7 @@ static bool dscp_mt_check(const struct xt_mtchk_param *par)
return true;
}
-static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool tos_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_tos_match_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 6094399..0f67833 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -42,7 +42,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
return r;
}
-static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool esp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ip_esp_hdr *eh;
struct ip_esp_hdr _esp;
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 91ddabb..45100b0 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -563,7 +563,7 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
}
static bool
-hashlimit_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+hashlimit_mt_v0(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_hashlimit_info *r = par->matchinfo;
struct xt_hashlimit_htable *hinfo = r->hinfo;
@@ -614,7 +614,7 @@ hotdrop:
}
static bool
-hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+hashlimit_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
struct xt_hashlimit_htable *hinfo = info->hinfo;
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 64fc7f2..a163c9b 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -24,7 +24,7 @@ MODULE_ALIAS("ip6t_helper");
static bool
-helper_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+helper_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_helper_info *info = par->matchinfo;
const struct nf_conn *ct;
diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c
index 7726154..ba7c86f 100644
--- a/net/netfilter/xt_hl.c
+++ b/net/netfilter/xt_hl.c
@@ -25,7 +25,7 @@ MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ttl");
MODULE_ALIAS("ip6t_hl");
-static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool ttl_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ipt_ttl_info *info = par->matchinfo;
const u8 ttl = ip_hdr(skb)->ttl;
@@ -48,7 +48,7 @@ static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return false;
}
-static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool hl_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct ip6t_hl_info *info = par->matchinfo;
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index ffc9638..8c7e815 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -16,7 +16,7 @@
#include <linux/netfilter/xt_iprange.h>
static bool
-iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par)
+iprange_mt4(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_iprange_mtinfo *info = par->matchinfo;
const struct iphdr *iph = ip_hdr(skb);
@@ -67,7 +67,7 @@ iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
}
static bool
-iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+iprange_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_iprange_mtinfo *info = par->matchinfo;
const struct ipv6hdr *iph = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index c4871ca..842149b 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_length");
MODULE_ALIAS("ip6t_length");
static bool
-length_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+length_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_length_info *info = par->matchinfo;
u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
@@ -30,7 +30,7 @@ length_mt(const struct sk_buff *skb, const struct xt_match_param *par)
}
static bool
-length_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+length_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_length_info *info = par->matchinfo;
const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index dad26f9..6b038ad 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -63,7 +63,7 @@ static DEFINE_SPINLOCK(limit_lock);
#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
static bool
-limit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+limit_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_rateinfo *r = par->matchinfo;
struct xt_limit_priv *priv = r->master;
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index c200711..12249d7 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -24,7 +24,7 @@ MODULE_DESCRIPTION("Xtables: MAC address match");
MODULE_ALIAS("ipt_mac");
MODULE_ALIAS("ip6t_mac");
-static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool mac_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_mac_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 1db07d8..0c1a972 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
static bool
-mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+mark_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_mark_mtinfo1 *info = par->matchinfo;
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index d06bb2d..d601791 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -95,7 +95,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
}
static bool
-multiport_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+multiport_mt_v0(const struct sk_buff *skb, const struct xt_action_param *par)
{
const __be16 *pptr;
__be16 _ports[2];
@@ -119,7 +119,7 @@ multiport_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
}
static bool
-multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+multiport_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const __be16 *pptr;
__be16 _ports[2];
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index 863e409..e7fe1fc 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -192,7 +192,7 @@ static inline int xt_osf_ttl(const struct sk_buff *skb, const struct xt_osf_info
}
static bool xt_osf_match_packet(const struct sk_buff *skb,
- const struct xt_match_param *p)
+ const struct xt_action_param *p)
{
const struct xt_osf_info *info = p->matchinfo;
const struct iphdr *ip = ip_hdr(skb);
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index d24c76d..3dd1391 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -18,7 +18,7 @@
#include <linux/netfilter/xt_owner.h>
static bool
-owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+owner_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_owner_match_info *info = par->matchinfo;
const struct file *filp;
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 8d28ca5..a344d82 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ip6t_physdev");
static bool
-physdev_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+physdev_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
const struct xt_physdev_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 69da1d3..d95f214 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_pkttype");
MODULE_ALIAS("ip6t_pkttype");
static bool
-pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+pkttype_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_pkttype_info *info = par->matchinfo;
u_int8_t type;
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 4cbfebd..74125b5 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -110,7 +110,7 @@ match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
}
static bool
-policy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+policy_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_policy_info *info = par->matchinfo;
int ret;
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 98fc190..4fb170d 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ip6t_quota");
static DEFINE_SPINLOCK(quota_lock);
static bool
-quota_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+quota_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
struct xt_quota_info *q = (void *)par->matchinfo;
struct xt_quota_priv *priv = q->master;
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 4fc6a91..80a9336 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -15,7 +15,7 @@
static bool
-xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+xt_rateest_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_rateest_match_info *info = par->matchinfo;
struct gnet_stats_rate_est *r;
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 484d168..b063c78 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -22,7 +22,7 @@ MODULE_DESCRIPTION("Xtables: Routing realm match");
MODULE_ALIAS("ipt_realm");
static bool
-realm_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+realm_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_realm_info *info = par->matchinfo;
const struct dst_entry *dst = skb_dst(skb);
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 350bede..23763c0 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -198,7 +198,7 @@ static void recent_table_flush(struct recent_table *t)
}
static bool
-recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+recent_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_recent_mtinfo *info = par->matchinfo;
struct recent_table *t;
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index a189ada..e81e7e2 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -117,7 +117,7 @@ match_packet(const struct sk_buff *skb,
}
static bool
-sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+sctp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_sctp_info *info = par->matchinfo;
const sctp_sctphdr_t *sh;
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index ebf00ad..456e426 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -88,7 +88,7 @@ extract_icmp_fields(const struct sk_buff *skb,
static bool
-socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
+socket_match(const struct sk_buff *skb, const struct xt_action_param *par,
const struct xt_socket_mtinfo1 *info)
{
const struct iphdr *iph = ip_hdr(skb);
@@ -175,13 +175,13 @@ socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
}
static bool
-socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_mt_v0(const struct sk_buff *skb, const struct xt_action_param *par)
{
return socket_match(skb, par, NULL);
}
static bool
-socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_mt_v1(const struct sk_buff *skb, const struct xt_action_param *par)
{
return socket_match(skb, par, par->matchinfo);
}
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 4c946cb..b12c72e 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_state");
MODULE_ALIAS("ip6t_state");
static bool
-state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+state_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_state_info *sinfo = par->matchinfo;
enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index d8c0f8f..427cd63 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -29,7 +29,7 @@ MODULE_ALIAS("ip6t_statistic");
static DEFINE_SPINLOCK(nth_lock);
static bool
-statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+statistic_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_statistic_info *info = par->matchinfo;
bool ret = info->flags & XT_STATISTIC_INVERT;
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index b4d7741..d99d063 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ipt_string");
MODULE_ALIAS("ip6t_string");
static bool
-string_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+string_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_string_info *conf = par->matchinfo;
struct ts_state state;
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 4809b34..5c8a7b4 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tcpmss");
MODULE_ALIAS("ip6t_tcpmss");
static bool
-tcpmss_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+tcpmss_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_tcpmss_match_info *info = par->matchinfo;
const struct tcphdr *th;
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 1ebdc49..af2a4e7 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -68,7 +68,7 @@ tcp_find_option(u_int8_t option,
return invert;
}
-static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool tcp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct tcphdr *th;
struct tcphdr _tcph;
@@ -134,7 +134,7 @@ static bool tcp_mt_check(const struct xt_mtchk_param *par)
return !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
}
-static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool udp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct udphdr *uh;
struct udphdr _udph;
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 93acaa5..69acfbd 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -153,7 +153,7 @@ static void localtime_3(struct xtm *r, time_t time)
}
static bool
-time_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+time_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_time_info *info = par->matchinfo;
unsigned int packet_time;
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index 24a5276..2bbd138 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -87,7 +87,7 @@ static bool u32_match_it(const struct xt_u32 *data,
return true;
}
-static bool u32_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool u32_mt(const struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_u32 *data = par->matchinfo;
bool ret;
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 082c520..1e70540 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -198,7 +198,7 @@ static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
{
int ret = 0, result = 0;
struct tcf_ipt *ipt = a->priv;
- struct xt_target_param par;
+ struct xt_action_param par;
if (skb_cloned(skb)) {
if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 042/103] netfilter: xtables: make use of xt_request_find_target
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (40 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 041/103] netfilter: xtables: substitute temporary defines by final name Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 043/103] netfilter: xtables: consolidate code into xt_request_find_match Jan Engelhardt
` (62 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/bridge/netfilter/ebtables.c | 13 ++-----------
net/ipv4/netfilter/arp_tables.c | 20 ++++++++------------
net/ipv4/netfilter/ip_tables.c | 20 ++++++++------------
net/ipv6/netfilter/ip6_tables.c | 20 ++++++++------------
net/netfilter/x_tables.c | 4 +---
net/sched/act_ipt.c | 4 ++--
6 files changed, 29 insertions(+), 52 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 281a531..9f081db 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -374,13 +374,9 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
return -EINVAL;
- watcher = try_then_request_module(
- xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
- "ebt_%s", w->u.name);
+ watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
if (IS_ERR(watcher))
return PTR_ERR(watcher);
- if (watcher == NULL)
- return -ENOENT;
w->u.watcher = watcher;
par->target = watcher;
@@ -686,15 +682,10 @@ ebt_check_entry(struct ebt_entry *e, const struct ebt_table_info *newinfo,
t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
gap = e->next_offset - e->target_offset;
- target = try_then_request_module(
- xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
- "ebt_%s", t->u.name);
+ target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
if (IS_ERR(target)) {
ret = PTR_ERR(target);
goto cleanup_watchers;
- } else if (target == NULL) {
- ret = -ENOENT;
- goto cleanup_watchers;
}
t->u.target = target;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index b88c069..db24dac 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -516,13 +516,11 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
return ret;
t = arpt_get_target(e);
- target = try_then_request_module(xt_find_target(NFPROTO_ARP,
- t->u.user.name,
- t->u.user.revision),
- "arpt_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto out;
}
t->u.kernel.target = target;
@@ -1247,14 +1245,12 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
entry_offset = (void *)e - (void *)base;
t = compat_arpt_get_target(e);
- target = try_then_request_module(xt_find_target(NFPROTO_ARP,
- t->u.user.name,
- t->u.user.revision),
- "arpt_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto out;
}
t->u.kernel.target = target;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3add32b..fdeb978 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -681,13 +681,11 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size)
}
t = ipt_get_target(e);
- target = try_then_request_module(xt_find_target(AF_INET,
- t->u.user.name,
- t->u.user.revision),
- "ipt_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto cleanup_matches;
}
t->u.kernel.target = target;
@@ -1528,14 +1526,12 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
}
t = compat_ipt_get_target(e);
- target = try_then_request_module(xt_find_target(AF_INET,
- t->u.user.name,
- t->u.user.revision),
- "ipt_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto release_matches;
}
t->u.kernel.target = target;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 709d509..e107aa0 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -696,13 +696,11 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size)
}
t = ip6t_get_target(e);
- target = try_then_request_module(xt_find_target(AF_INET6,
- t->u.user.name,
- t->u.user.revision),
- "ip6t_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto cleanup_matches;
}
t->u.kernel.target = target;
@@ -1545,14 +1543,12 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
}
t = compat_ip6t_get_target(e);
- target = try_then_request_module(xt_find_target(AF_INET6,
- t->u.user.name,
- t->u.user.revision),
- "ip6t_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto release_matches;
}
t->u.kernel.target = target;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 1f6b078..a1be7df 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -261,9 +261,7 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
target = try_then_request_module(xt_find_target(af, name, revision),
"%st_%s", xt_prefix[af], name);
- if (IS_ERR(target) || !target)
- return NULL;
- return target;
+ return (target != NULL) ? target : ERR_PTR(-ENOENT);
}
EXPORT_SYMBOL_GPL(xt_request_find_target);
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 1e70540..e4b4224 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -46,8 +46,8 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int
target = xt_request_find_target(AF_INET, t->u.user.name,
t->u.user.revision);
- if (!target)
- return -ENOENT;
+ if (IS_ERR(target))
+ return PTR_ERR(target);
t->u.kernel.target = target;
par.table = table;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 043/103] netfilter: xtables: consolidate code into xt_request_find_match
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (41 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 042/103] netfilter: xtables: make use of xt_request_find_target Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 044/103] netfilter: xtables: deconstify struct xt_action_param for matches Jan Engelhardt
` (61 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 1 +
net/bridge/netfilter/ebtables.c | 5 +----
net/ipv4/netfilter/ip_tables.c | 18 ++++++++----------
net/ipv6/netfilter/ip6_tables.c | 18 ++++++++----------
net/netfilter/x_tables.c | 11 +++++++++++
5 files changed, 29 insertions(+), 24 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 040cfc1..b20225f 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -434,6 +434,7 @@ extern struct xt_table_info *xt_replace_table(struct xt_table *table,
extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
+extern struct xt_match *xt_request_find_match(uint8_t, const char *, uint8_t);
extern struct xt_target *xt_request_find_target(u8 af, const char *name,
u8 revision);
extern int xt_find_revision(u8 af, const char *name, u8 revision,
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 9f081db..290f7fa 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -340,12 +340,9 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
left - sizeof(struct ebt_entry_match) < m->match_size)
return -EINVAL;
- match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
- m->u.name, 0), "ebt_%s", m->u.name);
+ match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
if (IS_ERR(match))
return PTR_ERR(match);
- if (match == NULL)
- return -ENOENT;
m->u.match = match;
par->match = match;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index fdeb978..8483d57 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -612,12 +612,11 @@ find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
struct xt_match *match;
int ret;
- match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
- m->u.user.revision),
- "ipt_%s", m->u.user.name);
- if (IS_ERR(match) || !match) {
+ match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
+ m->u.user.revision);
+ if (IS_ERR(match)) {
duprintf("find_check_match: `%s' not found\n", m->u.user.name);
- return match ? PTR_ERR(match) : -ENOENT;
+ return PTR_ERR(match);
}
m->u.kernel.match = match;
@@ -1453,13 +1452,12 @@ compat_find_calc_match(struct ipt_entry_match *m,
{
struct xt_match *match;
- match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
- m->u.user.revision),
- "ipt_%s", m->u.user.name);
- if (IS_ERR(match) || !match) {
+ match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
+ m->u.user.revision);
+ if (IS_ERR(match)) {
duprintf("compat_check_calc_match: `%s' not found\n",
m->u.user.name);
- return match ? PTR_ERR(match) : -ENOENT;
+ return PTR_ERR(match);
}
m->u.kernel.match = match;
*size += xt_compat_match_offset(match);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index e107aa0..0df417b 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -626,12 +626,11 @@ find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
struct xt_match *match;
int ret;
- match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
- m->u.user.revision),
- "ip6t_%s", m->u.user.name);
- if (IS_ERR(match) || !match) {
+ match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
+ m->u.user.revision);
+ if (IS_ERR(match)) {
duprintf("find_check_match: `%s' not found\n", m->u.user.name);
- return match ? PTR_ERR(match) : -ENOENT;
+ return PTR_ERR(match);
}
m->u.kernel.match = match;
@@ -1470,13 +1469,12 @@ compat_find_calc_match(struct ip6t_entry_match *m,
{
struct xt_match *match;
- match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
- m->u.user.revision),
- "ip6t_%s", m->u.user.name);
- if (IS_ERR(match) || !match) {
+ match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
+ m->u.user.revision);
+ if (IS_ERR(match)) {
duprintf("compat_check_calc_match: `%s' not found\n",
m->u.user.name);
- return match ? PTR_ERR(match) : -ENOENT;
+ return PTR_ERR(match);
}
m->u.kernel.match = match;
*size += xt_compat_match_offset(match);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index a1be7df..9ee6770 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -225,6 +225,17 @@ struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
}
EXPORT_SYMBOL(xt_find_match);
+struct xt_match *
+xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
+{
+ struct xt_match *match;
+
+ match = try_then_request_module(xt_find_match(nfproto, name, revision),
+ "%st_%s", xt_prefix[nfproto], name);
+ return (match != NULL) ? match : ERR_PTR(-ENOENT);
+}
+EXPORT_SYMBOL_GPL(xt_request_find_match);
+
/* Find target, grabs ref. Returns ERR_PTR() on error. */
struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
{
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 044/103] netfilter: xtables: deconstify struct xt_action_param for matches
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (42 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 043/103] netfilter: xtables: consolidate code into xt_request_find_match Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 045/103] netfilter: xtables: change hotdrop pointer to direct modification Jan Engelhardt
` (60 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
In future, layer-3 matches will be an xt module of their own, and
need to set the fragoff and thoff fields. Adding more pointers would
needlessy increase memory requirements (esp. so for 64-bit, where
pointers are wider).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 2 +-
net/bridge/netfilter/ebt_802_3.c | 2 +-
net/bridge/netfilter/ebt_among.c | 2 +-
net/bridge/netfilter/ebt_arp.c | 2 +-
net/bridge/netfilter/ebt_ip.c | 2 +-
net/bridge/netfilter/ebt_ip6.c | 2 +-
net/bridge/netfilter/ebt_limit.c | 2 +-
net/bridge/netfilter/ebt_mark_m.c | 2 +-
net/bridge/netfilter/ebt_pkttype.c | 2 +-
net/bridge/netfilter/ebt_stp.c | 2 +-
net/bridge/netfilter/ebt_vlan.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv4/netfilter/ipt_addrtype.c | 4 ++--
net/ipv4/netfilter/ipt_ah.c | 2 +-
net/ipv4/netfilter/ipt_ecn.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 2 +-
net/ipv6/netfilter/ip6t_ah.c | 2 +-
net/ipv6/netfilter/ip6t_eui64.c | 2 +-
net/ipv6/netfilter/ip6t_frag.c | 2 +-
net/ipv6/netfilter/ip6t_hbh.c | 2 +-
| 2 +-
net/ipv6/netfilter/ip6t_mh.c | 2 +-
net/ipv6/netfilter/ip6t_rt.c | 2 +-
net/netfilter/xt_cluster.c | 2 +-
| 2 +-
net/netfilter/xt_connbytes.c | 2 +-
net/netfilter/xt_connlimit.c | 2 +-
net/netfilter/xt_connmark.c | 2 +-
net/netfilter/xt_conntrack.c | 2 +-
net/netfilter/xt_dccp.c | 2 +-
net/netfilter/xt_dscp.c | 6 +++---
net/netfilter/xt_esp.c | 2 +-
net/netfilter/xt_hashlimit.c | 4 ++--
net/netfilter/xt_helper.c | 2 +-
net/netfilter/xt_hl.c | 4 ++--
net/netfilter/xt_iprange.c | 4 ++--
net/netfilter/xt_length.c | 4 ++--
net/netfilter/xt_limit.c | 2 +-
net/netfilter/xt_mac.c | 2 +-
net/netfilter/xt_mark.c | 2 +-
net/netfilter/xt_multiport.c | 4 ++--
net/netfilter/xt_osf.c | 2 +-
net/netfilter/xt_owner.c | 2 +-
net/netfilter/xt_physdev.c | 2 +-
net/netfilter/xt_pkttype.c | 2 +-
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_quota.c | 2 +-
net/netfilter/xt_rateest.c | 2 +-
net/netfilter/xt_realm.c | 2 +-
net/netfilter/xt_recent.c | 2 +-
net/netfilter/xt_sctp.c | 2 +-
net/netfilter/xt_socket.c | 6 +++---
net/netfilter/xt_state.c | 2 +-
net/netfilter/xt_statistic.c | 2 +-
net/netfilter/xt_string.c | 2 +-
net/netfilter/xt_tcpmss.c | 2 +-
net/netfilter/xt_tcpudp.c | 4 ++--
net/netfilter/xt_time.c | 2 +-
net/netfilter/xt_u32.c | 2 +-
59 files changed, 70 insertions(+), 70 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b20225f..d8f8e2a 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -289,7 +289,7 @@ struct xt_match
non-linear skb, using skb_header_pointer and
skb_ip_make_writable. */
bool (*match)(const struct sk_buff *skb,
- const struct xt_action_param *);
+ struct xt_action_param *);
/* Called when user tries to insert an entry of this type. */
bool (*checkentry)(const struct xt_mtchk_param *);
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 8a2347f..127cb0b 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -13,7 +13,7 @@
#include <linux/netfilter_bridge/ebt_802_3.h>
static bool
-ebt_802_3_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ebt_802_3_info *info = par->matchinfo;
const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 39f1b4f..c3f29d5 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -128,7 +128,7 @@ static int get_ip_src(const struct sk_buff *skb, __be32 *addr)
}
static bool
-ebt_among_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ebt_among_info *info = par->matchinfo;
const char *dmac, *smac;
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index 488840e..988740a 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -16,7 +16,7 @@
#include <linux/netfilter_bridge/ebt_arp.h>
static bool
-ebt_arp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ebt_arp_info *info = par->matchinfo;
const struct arphdr *ah;
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index 87701ec..934d16c 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -25,7 +25,7 @@ struct tcpudphdr {
};
static bool
-ebt_ip_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ebt_ip_info *info = par->matchinfo;
const struct iphdr *ih;
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index ef73859..559cd0a 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -28,7 +28,7 @@ struct tcpudphdr {
};
static bool
-ebt_ip6_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ebt_ip6_info *info = par->matchinfo;
const struct ipv6hdr *ih6;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 7dd55f8..2e97bba 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -31,7 +31,7 @@ static DEFINE_SPINLOCK(limit_lock);
#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
static bool
-ebt_limit_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+ebt_limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
struct ebt_limit_info *info = (void *)par->matchinfo;
unsigned long now = jiffies;
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index 598be12..a357f48 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -13,7 +13,7 @@
#include <linux/netfilter_bridge/ebt_mark_m.h>
static bool
-ebt_mark_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+ebt_mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ebt_mark_m_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index c0e17a2..85b4b58 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -13,7 +13,7 @@
#include <linux/netfilter_bridge/ebt_pkttype.h>
static bool
-ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+ebt_pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ebt_pkttype_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index dd1ca65..608406b 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -120,7 +120,7 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
}
static bool
-ebt_stp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ebt_stp_info *info = par->matchinfo;
const struct stp_header *sp;
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index 528691c..8c5927b 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -41,7 +41,7 @@ MODULE_LICENSE("GPL");
#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
static bool
-ebt_vlan_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+ebt_vlan_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ebt_vlan_info *info = par->matchinfo;
const struct vlan_hdr *fp;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 8483d57..a8398ae 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2124,7 +2124,7 @@ icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
}
static bool
-icmp_match(const struct sk_buff *skb, const struct xt_action_param *par)
+icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct icmphdr *ic;
struct icmphdr _icmph;
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 4d6c51d..be1d2fa 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -30,7 +30,7 @@ static inline bool match_type(struct net *net, const struct net_device *dev,
}
static bool
-addrtype_mt_v0(const struct sk_buff *skb, const struct xt_action_param *par)
+addrtype_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
{
struct net *net = dev_net(par->in ? par->in : par->out);
const struct ipt_addrtype_info *info = par->matchinfo;
@@ -48,7 +48,7 @@ addrtype_mt_v0(const struct sk_buff *skb, const struct xt_action_param *par)
}
static bool
-addrtype_mt_v1(const struct sk_buff *skb, const struct xt_action_param *par)
+addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
{
struct net *net = dev_net(par->in ? par->in : par->out);
const struct ipt_addrtype_info_v1 *info = par->matchinfo;
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 15b7b4a..90bc2be 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -36,7 +36,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
return r;
}
-static bool ah_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
struct ip_auth_hdr _ahdr;
const struct ip_auth_hdr *ah;
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 19dde8b..96056b0 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -67,7 +67,7 @@ static inline bool match_tcp(const struct sk_buff *skb,
return true;
}
-static bool ecn_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ipt_ecn_info *info = par->matchinfo;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 0df417b..46c675d 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2138,7 +2138,7 @@ icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
}
static bool
-icmp6_match(const struct sk_buff *skb, const struct xt_action_param *par)
+icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct icmp6hdr *ic;
struct icmp6hdr _icmph;
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index b40e3b9..c25af95 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -36,7 +36,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
return r;
}
-static bool ah_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
struct ip_auth_hdr _ah;
const struct ip_auth_hdr *ah;
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index bd937c2..86eb6ae 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -20,7 +20,7 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
static bool
-eui64_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
+eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
unsigned char eui64[8];
int i = 0;
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index ab3e5eb..35b9553 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -35,7 +35,7 @@ id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
}
static bool
-frag_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
+frag_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
struct frag_hdr _frag;
const struct frag_hdr *fh;
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index ccce583..e8a845e 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -42,7 +42,7 @@ MODULE_ALIAS("ip6t_dst");
*/
static bool
-hbh_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
+hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
struct ipv6_opt_hdr _optsh;
const struct ipv6_opt_hdr *oh;
--git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index a1dca01..77350c3 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -27,7 +27,7 @@ MODULE_DESCRIPTION("Xtables: IPv6 header types match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
static bool
-ipv6header_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
+ipv6header_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ip6t_ipv6header_info *info = par->matchinfo;
unsigned int temp;
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index 774ef11..c001965 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -37,7 +37,7 @@ type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
return (type >= min && type <= max) ^ invert;
}
-static bool mh_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
struct ip6_mh _mh;
const struct ip6_mh *mh;
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 51d20e8..cd060f4 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -36,7 +36,7 @@ segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
return r;
}
-static bool rt_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
struct ipv6_rt_hdr _route;
const struct ipv6_rt_hdr *rh;
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index fc3e5fb..b3c2eb1 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -85,7 +85,7 @@ xt_cluster_is_multicast_addr(const struct sk_buff *skb, u_int8_t family)
}
static bool
-xt_cluster_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+xt_cluster_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
struct sk_buff *pskb = (struct sk_buff *)skb;
const struct xt_cluster_match_info *info = par->matchinfo;
--git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index 1dbb3e1..5c861d2 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -16,7 +16,7 @@ MODULE_ALIAS("ipt_comment");
MODULE_ALIAS("ip6t_comment");
static bool
-comment_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+comment_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
/* We always match */
return true;
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index a43b635..a7ca4ac 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -17,7 +17,7 @@ MODULE_ALIAS("ipt_connbytes");
MODULE_ALIAS("ip6t_connbytes");
static bool
-connbytes_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_connbytes_info *sinfo = par->matchinfo;
const struct nf_conn *ct;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index f580eea..645a91c 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -180,7 +180,7 @@ static int count_them(struct xt_connlimit_data *data,
}
static bool
-connlimit_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_connlimit_info *info = par->matchinfo;
union nf_inet_addr addr;
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 3da9a9c..4f1e92d 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -34,7 +34,7 @@ MODULE_ALIAS("ipt_connmark");
MODULE_ALIAS("ip6t_connmark");
static bool
-connmark_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+connmark_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_connmark_mtinfo1 *info = par->matchinfo;
enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index fd9efe8..da28808 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -113,7 +113,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
}
static bool
-conntrack_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 4ae8284..d39a637 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -95,7 +95,7 @@ match_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff,
}
static bool
-dccp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_dccp_info *info = par->matchinfo;
const struct dccp_hdr *dh;
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 42787e1..e81a284 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tos");
MODULE_ALIAS("ip6t_tos");
static bool
-dscp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+dscp_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_dscp_info *info = par->matchinfo;
u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -34,7 +34,7 @@ dscp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
}
static bool
-dscp_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
+dscp_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_dscp_info *info = par->matchinfo;
u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -54,7 +54,7 @@ static bool dscp_mt_check(const struct xt_mtchk_param *par)
return true;
}
-static bool tos_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool tos_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_tos_match_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 0f67833..2ae4a59 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -42,7 +42,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
return r;
}
-static bool esp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ip_esp_hdr *eh;
struct ip_esp_hdr _esp;
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 45100b0..32fb029 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -563,7 +563,7 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
}
static bool
-hashlimit_mt_v0(const struct sk_buff *skb, const struct xt_action_param *par)
+hashlimit_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_hashlimit_info *r = par->matchinfo;
struct xt_hashlimit_htable *hinfo = r->hinfo;
@@ -614,7 +614,7 @@ hotdrop:
}
static bool
-hashlimit_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
struct xt_hashlimit_htable *hinfo = info->hinfo;
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index a163c9b..e030174 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -24,7 +24,7 @@ MODULE_ALIAS("ip6t_helper");
static bool
-helper_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+helper_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_helper_info *info = par->matchinfo;
const struct nf_conn *ct;
diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c
index ba7c86f..de6af40 100644
--- a/net/netfilter/xt_hl.c
+++ b/net/netfilter/xt_hl.c
@@ -25,7 +25,7 @@ MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ttl");
MODULE_ALIAS("ip6t_hl");
-static bool ttl_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ipt_ttl_info *info = par->matchinfo;
const u8 ttl = ip_hdr(skb)->ttl;
@@ -48,7 +48,7 @@ static bool ttl_mt(const struct sk_buff *skb, const struct xt_action_param *par)
return false;
}
-static bool hl_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ip6t_hl_info *info = par->matchinfo;
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index 8c7e815..5606a0d 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -16,7 +16,7 @@
#include <linux/netfilter/xt_iprange.h>
static bool
-iprange_mt4(const struct sk_buff *skb, const struct xt_action_param *par)
+iprange_mt4(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_iprange_mtinfo *info = par->matchinfo;
const struct iphdr *iph = ip_hdr(skb);
@@ -67,7 +67,7 @@ iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
}
static bool
-iprange_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
+iprange_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_iprange_mtinfo *info = par->matchinfo;
const struct ipv6hdr *iph = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index 842149b..176e557 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_length");
MODULE_ALIAS("ip6t_length");
static bool
-length_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+length_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_length_info *info = par->matchinfo;
u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
@@ -30,7 +30,7 @@ length_mt(const struct sk_buff *skb, const struct xt_action_param *par)
}
static bool
-length_mt6(const struct sk_buff *skb, const struct xt_action_param *par)
+length_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_length_info *info = par->matchinfo;
const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 6b038ad..b670b29 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -63,7 +63,7 @@ static DEFINE_SPINLOCK(limit_lock);
#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
static bool
-limit_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_rateinfo *r = par->matchinfo;
struct xt_limit_priv *priv = r->master;
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 12249d7..367f66f 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -24,7 +24,7 @@ MODULE_DESCRIPTION("Xtables: MAC address match");
MODULE_ALIAS("ipt_mac");
MODULE_ALIAS("ip6t_mac");
-static bool mac_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_mac_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 0c1a972..132f193 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
static bool
-mark_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_mark_mtinfo1 *info = par->matchinfo;
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index d601791..ab967a5 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -95,7 +95,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
}
static bool
-multiport_mt_v0(const struct sk_buff *skb, const struct xt_action_param *par)
+multiport_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
{
const __be16 *pptr;
__be16 _ports[2];
@@ -119,7 +119,7 @@ multiport_mt_v0(const struct sk_buff *skb, const struct xt_action_param *par)
}
static bool
-multiport_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const __be16 *pptr;
__be16 _ports[2];
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index e7fe1fc..ac632bc 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -192,7 +192,7 @@ static inline int xt_osf_ttl(const struct sk_buff *skb, const struct xt_osf_info
}
static bool xt_osf_match_packet(const struct sk_buff *skb,
- const struct xt_action_param *p)
+ struct xt_action_param *p)
{
const struct xt_osf_info *info = p->matchinfo;
const struct iphdr *ip = ip_hdr(skb);
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 3dd1391..772d738 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -18,7 +18,7 @@
#include <linux/netfilter/xt_owner.h>
static bool
-owner_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_owner_match_info *info = par->matchinfo;
const struct file *filp;
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index a344d82..97f9078 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ip6t_physdev");
static bool
-physdev_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
const struct xt_physdev_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index d95f214..5b645cb 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_pkttype");
MODULE_ALIAS("ip6t_pkttype");
static bool
-pkttype_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_pkttype_info *info = par->matchinfo;
u_int8_t type;
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 74125b5..6e48cb5 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -110,7 +110,7 @@ match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
}
static bool
-policy_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+policy_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_policy_info *info = par->matchinfo;
int ret;
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 4fb170d..ad0ed79 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ip6t_quota");
static DEFINE_SPINLOCK(quota_lock);
static bool
-quota_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+quota_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
struct xt_quota_info *q = (void *)par->matchinfo;
struct xt_quota_priv *priv = q->master;
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 80a9336..f440410 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -15,7 +15,7 @@
static bool
-xt_rateest_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+xt_rateest_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_rateest_match_info *info = par->matchinfo;
struct gnet_stats_rate_est *r;
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index b063c78..459a7b2 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -22,7 +22,7 @@ MODULE_DESCRIPTION("Xtables: Routing realm match");
MODULE_ALIAS("ipt_realm");
static bool
-realm_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+realm_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_realm_info *info = par->matchinfo;
const struct dst_entry *dst = skb_dst(skb);
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 23763c0..6929c0b 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -198,7 +198,7 @@ static void recent_table_flush(struct recent_table *t)
}
static bool
-recent_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_recent_mtinfo *info = par->matchinfo;
struct recent_table *t;
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index e81e7e2..182a272 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -117,7 +117,7 @@ match_packet(const struct sk_buff *skb,
}
static bool
-sctp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_sctp_info *info = par->matchinfo;
const sctp_sctphdr_t *sh;
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 456e426..2dd6b72 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -88,7 +88,7 @@ extract_icmp_fields(const struct sk_buff *skb,
static bool
-socket_match(const struct sk_buff *skb, const struct xt_action_param *par,
+socket_match(const struct sk_buff *skb, struct xt_action_param *par,
const struct xt_socket_mtinfo1 *info)
{
const struct iphdr *iph = ip_hdr(skb);
@@ -175,13 +175,13 @@ socket_match(const struct sk_buff *skb, const struct xt_action_param *par,
}
static bool
-socket_mt_v0(const struct sk_buff *skb, const struct xt_action_param *par)
+socket_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
{
return socket_match(skb, par, NULL);
}
static bool
-socket_mt_v1(const struct sk_buff *skb, const struct xt_action_param *par)
+socket_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
{
return socket_match(skb, par, par->matchinfo);
}
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index b12c72e..fbfb7fb 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_state");
MODULE_ALIAS("ip6t_state");
static bool
-state_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+state_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_state_info *sinfo = par->matchinfo;
enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 427cd63..c75d299 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -29,7 +29,7 @@ MODULE_ALIAS("ip6t_statistic");
static DEFINE_SPINLOCK(nth_lock);
static bool
-statistic_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+statistic_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_statistic_info *info = par->matchinfo;
bool ret = info->flags & XT_STATISTIC_INVERT;
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index d99d063..d896291 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ipt_string");
MODULE_ALIAS("ip6t_string");
static bool
-string_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+string_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_string_info *conf = par->matchinfo;
struct ts_state state;
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 5c8a7b4..f90728f 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tcpmss");
MODULE_ALIAS("ip6t_tcpmss");
static bool
-tcpmss_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_tcpmss_match_info *info = par->matchinfo;
const struct tcphdr *th;
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index af2a4e7..d04ef76 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -68,7 +68,7 @@ tcp_find_option(u_int8_t option,
return invert;
}
-static bool tcp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct tcphdr *th;
struct tcphdr _tcph;
@@ -134,7 +134,7 @@ static bool tcp_mt_check(const struct xt_mtchk_param *par)
return !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
}
-static bool udp_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct udphdr *uh;
struct udphdr _udph;
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 69acfbd..744b87a 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -153,7 +153,7 @@ static void localtime_3(struct xtm *r, time_t time)
}
static bool
-time_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+time_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_time_info *info = par->matchinfo;
unsigned int packet_time;
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index 2bbd138..218e247 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -87,7 +87,7 @@ static bool u32_match_it(const struct xt_u32 *data,
return true;
}
-static bool u32_mt(const struct sk_buff *skb, const struct xt_action_param *par)
+static bool u32_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_u32 *data = par->matchinfo;
bool ret;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 045/103] netfilter: xtables: change hotdrop pointer to direct modification
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (43 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 044/103] netfilter: xtables: deconstify struct xt_action_param for matches Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 046/103] netfilter: xtables: combine built-in extension structs Jan Engelhardt
` (59 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Since xt_action_param is writable, let's use it. The pointer to
'bool hotdrop' always worried (8 bytes (64-bit) to write 1 byte!).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 5 ++++-
net/bridge/netfilter/ebtables.c | 5 ++---
net/ipv4/netfilter/arp_tables.c | 6 +++---
net/ipv4/netfilter/ip_tables.c | 9 ++++-----
net/ipv4/netfilter/ipt_ah.c | 2 +-
net/ipv4/netfilter/ipt_ecn.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 11 +++++------
net/ipv6/netfilter/ip6t_ah.c | 4 ++--
net/ipv6/netfilter/ip6t_eui64.c | 2 +-
net/ipv6/netfilter/ip6t_frag.c | 4 ++--
net/ipv6/netfilter/ip6t_hbh.c | 4 ++--
net/ipv6/netfilter/ip6t_mh.c | 4 ++--
net/ipv6/netfilter/ip6t_rt.c | 4 ++--
net/netfilter/xt_connlimit.c | 4 ++--
net/netfilter/xt_dccp.c | 4 ++--
net/netfilter/xt_esp.c | 2 +-
net/netfilter/xt_hashlimit.c | 4 ++--
net/netfilter/xt_multiport.c | 4 ++--
net/netfilter/xt_recent.c | 2 +-
net/netfilter/xt_sctp.c | 4 ++--
net/netfilter/xt_tcpmss.c | 2 +-
net/netfilter/xt_tcpudp.c | 10 +++++-----
22 files changed, 49 insertions(+), 49 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index d8f8e2a..4b7927a 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -206,6 +206,9 @@ struct xt_counters_info
* @hook: hook number given packet came from
* @family: Actual NFPROTO_* through which the function is invoked
* (helpful when match->family == NFPROTO_UNSPEC)
+ *
+ * Fields written to by extensions:
+ *
* @hotdrop: drop packet if we had inspection problems
*/
struct xt_action_param {
@@ -221,7 +224,7 @@ struct xt_action_param {
unsigned int thoff;
unsigned int hooknum;
u_int8_t family;
- bool *hotdrop;
+ bool hotdrop;
};
/**
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 290f7fa..df68825 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -164,13 +164,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
struct ebt_entries *chaininfo;
const char *base;
const struct ebt_table_info *private;
- bool hotdrop = false;
struct xt_action_param acpar;
acpar.family = NFPROTO_BRIDGE;
acpar.in = in;
acpar.out = out;
- acpar.hotdrop = &hotdrop;
+ acpar.hotdrop = false;
acpar.hooknum = hook;
read_lock_bh(&table->lock);
@@ -194,7 +193,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
goto letscontinue;
- if (hotdrop) {
+ if (acpar.hotdrop) {
read_unlock_bh(&table->lock);
return NF_DROP;
}
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index db24dac..c5bba1f 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -253,7 +253,6 @@ unsigned int arpt_do_table(struct sk_buff *skb,
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
unsigned int verdict = NF_DROP;
const struct arphdr *arp;
- bool hotdrop = false;
struct arpt_entry *e, *back;
const char *indev, *outdev;
void *table_base;
@@ -277,6 +276,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
acpar.out = out;
acpar.hooknum = hook;
acpar.family = NFPROTO_ARP;
+ acpar.hotdrop = false;
arp = arp_hdr(skb);
do {
@@ -338,10 +338,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
else
/* Verdict */
break;
- } while (!hotdrop);
+ } while (!acpar.hotdrop);
xt_info_rdunlock_bh();
- if (hotdrop)
+ if (acpar.hotdrop)
return NF_DROP;
else
return verdict;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index a8398ae..8bc1b65 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -302,7 +302,6 @@ ipt_do_table(struct sk_buff *skb,
{
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
const struct iphdr *ip;
- bool hotdrop = false;
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
const char *indev, *outdev;
@@ -324,7 +323,7 @@ ipt_do_table(struct sk_buff *skb,
* match it. */
acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
acpar.thoff = ip_hdrlen(skb);
- acpar.hotdrop = &hotdrop;
+ acpar.hotdrop = false;
acpar.in = in;
acpar.out = out;
acpar.family = NFPROTO_IPV4;
@@ -428,7 +427,7 @@ ipt_do_table(struct sk_buff *skb,
else
/* Verdict */
break;
- } while (!hotdrop);
+ } while (!acpar.hotdrop);
xt_info_rdunlock_bh();
pr_devel("Exiting %s; resetting sp from %u to %u\n",
__func__, *stackptr, origptr);
@@ -436,7 +435,7 @@ ipt_do_table(struct sk_buff *skb,
#ifdef DEBUG_ALLOW_ALL
return NF_ACCEPT;
#else
- if (hotdrop)
+ if (acpar.hotdrop)
return NF_DROP;
else return verdict;
#endif
@@ -2140,7 +2139,7 @@ icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
* can't. Hence, no choice but to drop.
*/
duprintf("Dropping evil ICMP tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 90bc2be..2a85d25 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -52,7 +52,7 @@ static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
* can't. Hence, no choice but to drop.
*/
duprintf("Dropping evil AH tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
return 0;
}
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 96056b0..5907351 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -78,7 +78,7 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
if (ip_hdr(skb)->protocol != IPPROTO_TCP)
return false;
- if (!match_tcp(skb, info, par->hotdrop))
+ if (!match_tcp(skb, info, &par->hotdrop))
return false;
}
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 46c675d..1b9ba79 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -331,7 +331,6 @@ ip6t_do_table(struct sk_buff *skb,
struct xt_table *table)
{
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
- bool hotdrop = false;
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
const char *indev, *outdev;
@@ -350,7 +349,7 @@ ip6t_do_table(struct sk_buff *skb,
* things we don't know, ie. tcp syn flag or ports). If the
* rule is also a fragment-specific rule, non-fragments won't
* match it. */
- acpar.hotdrop = &hotdrop;
+ acpar.hotdrop = false;
acpar.in = in;
acpar.out = out;
acpar.family = NFPROTO_IPV6;
@@ -374,7 +373,7 @@ ip6t_do_table(struct sk_buff *skb,
IP_NF_ASSERT(e);
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
- &acpar.thoff, &acpar.fragoff, &hotdrop)) {
+ &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
no_match:
e = ip6t_next_entry(e);
continue;
@@ -443,7 +442,7 @@ ip6t_do_table(struct sk_buff *skb,
else
/* Verdict */
break;
- } while (!hotdrop);
+ } while (!acpar.hotdrop);
xt_info_rdunlock_bh();
*stackptr = origptr;
@@ -451,7 +450,7 @@ ip6t_do_table(struct sk_buff *skb,
#ifdef DEBUG_ALLOW_ALL
return NF_ACCEPT;
#else
- if (hotdrop)
+ if (acpar.hotdrop)
return NF_DROP;
else return verdict;
#endif
@@ -2154,7 +2153,7 @@ icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
* can't. Hence, no choice but to drop.
*/
duprintf("Dropping evil ICMP tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index c25af95..ae46feb 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -48,13 +48,13 @@ static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
if (err < 0) {
if (err != -ENOENT)
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
if (ah == NULL) {
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index 86eb6ae..d2bec74 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -28,7 +28,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
if (!(skb_mac_header(skb) >= skb->head &&
skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
par->fragoff != 0) {
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index 35b9553..a4b6bb0 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -46,13 +46,13 @@ frag_mt6(const struct sk_buff *skb, struct xt_action_param *par)
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
if (err < 0) {
if (err != -ENOENT)
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
if (fh == NULL) {
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index e8a845e..08645e7 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -61,13 +61,13 @@ hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
err = ipv6_find_hdr(skb, &ptr, par->match->data, NULL);
if (err < 0) {
if (err != -ENOENT)
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
if (oh == NULL) {
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index c001965..6393bf5 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -52,14 +52,14 @@ static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil MH tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
if (mh->ip6mh_proto != IPPROTO_NONE) {
duprintf("Dropping invalid MH Payload Proto: %u\n",
mh->ip6mh_proto);
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index cd060f4..3f7a176 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -52,13 +52,13 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
if (err < 0) {
if (err != -ENOENT)
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
if (rh == NULL) {
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 645a91c..ddf0a2f 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -212,14 +212,14 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
if (connections < 0) {
/* kmalloc failed, drop it entirely */
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
return (connections > info->limit) ^ info->inverse;
hotdrop:
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index d39a637..b217d93 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -106,7 +106,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
if (dh == NULL) {
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
@@ -119,7 +119,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
&& DCCHECK(match_types(dh, info->typemask),
XT_DCCP_TYPE, info->flags, info->invflags)
&& DCCHECK(match_option(info->option, skb, par->thoff, dh,
- par->hotdrop),
+ &par->hotdrop),
XT_DCCP_OPTION, info->flags, info->invflags);
}
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 2ae4a59..fcd6940 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -58,7 +58,7 @@ static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
* can't. Hence, no choice but to drop.
*/
duprintf("Dropping evil ESP tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 32fb029..1d8224c 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -609,7 +609,7 @@ hashlimit_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
return false;
hotdrop:
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
@@ -659,7 +659,7 @@ hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
return info->cfg.mode & XT_HASHLIMIT_INVERT;
hotdrop:
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index ab967a5..ab29604 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -110,7 +110,7 @@ multiport_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
* can't. Hence, no choice but to drop.
*/
duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
@@ -134,7 +134,7 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
* can't. Hence, no choice but to drop.
*/
duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 6929c0b..1431c0e 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -240,7 +240,7 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
goto out;
e = recent_entry_init(t, &addr, par->match->family, ttl);
if (e == NULL)
- *par->hotdrop = true;
+ par->hotdrop = true;
ret = !ret;
goto out;
}
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 182a272..7c9f650 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -131,7 +131,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
if (sh == NULL) {
duprintf("Dropping evil TCP offset=0 tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
@@ -143,7 +143,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
&& ntohs(sh->dest) <= info->dpts[1],
XT_SCTP_DEST_PORTS, info->flags, info->invflags)
&& SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
- info, par->hotdrop),
+ info, &par->hotdrop),
XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
}
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index f90728f..c53d4d1 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -73,7 +73,7 @@ out:
return info->invert;
dropit:
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index d04ef76..e903042 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -83,7 +83,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
*/
if (par->fragoff == 1) {
duprintf("Dropping evil TCP offset=1 frag.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
}
/* Must not be a fragment. */
return false;
@@ -96,7 +96,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil TCP offset=0 tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
@@ -114,13 +114,13 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
return false;
if (tcpinfo->option) {
if (th->doff * 4 < sizeof(_tcph)) {
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
th->doff*4 - sizeof(_tcph),
tcpinfo->invflags & XT_TCP_INV_OPTION,
- par->hotdrop))
+ &par->hotdrop))
return false;
}
return true;
@@ -149,7 +149,7 @@ static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil UDP tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
return false;
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 046/103] netfilter: xtables: combine built-in extension structs
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (44 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 045/103] netfilter: xtables: change hotdrop pointer to direct modification Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 047/103] netfilter: xtables: move functions around Jan Engelhardt
` (58 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Prepare the arrays for use with the multiregister function. The
future layer-3 xt matches can then be easily added to it without
needing more (un)register code.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arp_tables.c | 41 +++++++++++--------------
net/ipv4/netfilter/ip_tables.c | 65 ++++++++++++++++++---------------------
net/ipv6/netfilter/ip6_tables.c | 64 ++++++++++++++++++--------------------
3 files changed, 78 insertions(+), 92 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index c5bba1f..81e5b50 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1817,22 +1817,23 @@ void arpt_unregister_table(struct xt_table *table)
}
/* The built-in targets: standard (NULL) and error. */
-static struct xt_target arpt_standard_target __read_mostly = {
- .name = ARPT_STANDARD_TARGET,
- .targetsize = sizeof(int),
- .family = NFPROTO_ARP,
+static struct xt_target arpt_builtin_tg[] __read_mostly = {
+ {
+ .name = ARPT_STANDARD_TARGET,
+ .targetsize = sizeof(int),
+ .family = NFPROTO_ARP,
#ifdef CONFIG_COMPAT
- .compatsize = sizeof(compat_int_t),
- .compat_from_user = compat_standard_from_user,
- .compat_to_user = compat_standard_to_user,
+ .compatsize = sizeof(compat_int_t),
+ .compat_from_user = compat_standard_from_user,
+ .compat_to_user = compat_standard_to_user,
#endif
-};
-
-static struct xt_target arpt_error_target __read_mostly = {
- .name = ARPT_ERROR_TARGET,
- .target = arpt_error,
- .targetsize = ARPT_FUNCTION_MAXNAMELEN,
- .family = NFPROTO_ARP,
+ },
+ {
+ .name = ARPT_ERROR_TARGET,
+ .target = arpt_error,
+ .targetsize = ARPT_FUNCTION_MAXNAMELEN,
+ .family = NFPROTO_ARP,
+ },
};
static struct nf_sockopt_ops arpt_sockopts = {
@@ -1876,12 +1877,9 @@ static int __init arp_tables_init(void)
goto err1;
/* Noone else will be downing sem now, so we won't sleep */
- ret = xt_register_target(&arpt_standard_target);
+ ret = xt_register_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
if (ret < 0)
goto err2;
- ret = xt_register_target(&arpt_error_target);
- if (ret < 0)
- goto err3;
/* Register setsockopt */
ret = nf_register_sockopt(&arpt_sockopts);
@@ -1892,9 +1890,7 @@ static int __init arp_tables_init(void)
return 0;
err4:
- xt_unregister_target(&arpt_error_target);
-err3:
- xt_unregister_target(&arpt_standard_target);
+ xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
err2:
unregister_pernet_subsys(&arp_tables_net_ops);
err1:
@@ -1904,8 +1900,7 @@ err1:
static void __exit arp_tables_fini(void)
{
nf_unregister_sockopt(&arpt_sockopts);
- xt_unregister_target(&arpt_error_target);
- xt_unregister_target(&arpt_standard_target);
+ xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
unregister_pernet_subsys(&arp_tables_net_ops);
}
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 8bc1b65..7192e89 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2158,23 +2158,23 @@ static bool icmp_checkentry(const struct xt_mtchk_param *par)
return !(icmpinfo->invflags & ~IPT_ICMP_INV);
}
-/* The built-in targets: standard (NULL) and error. */
-static struct xt_target ipt_standard_target __read_mostly = {
- .name = IPT_STANDARD_TARGET,
- .targetsize = sizeof(int),
- .family = NFPROTO_IPV4,
+static struct xt_target ipt_builtin_tg[] __read_mostly = {
+ {
+ .name = IPT_STANDARD_TARGET,
+ .targetsize = sizeof(int),
+ .family = NFPROTO_IPV4,
#ifdef CONFIG_COMPAT
- .compatsize = sizeof(compat_int_t),
- .compat_from_user = compat_standard_from_user,
- .compat_to_user = compat_standard_to_user,
+ .compatsize = sizeof(compat_int_t),
+ .compat_from_user = compat_standard_from_user,
+ .compat_to_user = compat_standard_to_user,
#endif
-};
-
-static struct xt_target ipt_error_target __read_mostly = {
- .name = IPT_ERROR_TARGET,
- .target = ipt_error,
- .targetsize = IPT_FUNCTION_MAXNAMELEN,
- .family = NFPROTO_IPV4,
+ },
+ {
+ .name = IPT_ERROR_TARGET,
+ .target = ipt_error,
+ .targetsize = IPT_FUNCTION_MAXNAMELEN,
+ .family = NFPROTO_IPV4,
+ },
};
static struct nf_sockopt_ops ipt_sockopts = {
@@ -2194,13 +2194,15 @@ static struct nf_sockopt_ops ipt_sockopts = {
.owner = THIS_MODULE,
};
-static struct xt_match icmp_matchstruct __read_mostly = {
- .name = "icmp",
- .match = icmp_match,
- .matchsize = sizeof(struct ipt_icmp),
- .checkentry = icmp_checkentry,
- .proto = IPPROTO_ICMP,
- .family = NFPROTO_IPV4,
+static struct xt_match ipt_builtin_mt[] __read_mostly = {
+ {
+ .name = "icmp",
+ .match = icmp_match,
+ .matchsize = sizeof(struct ipt_icmp),
+ .checkentry = icmp_checkentry,
+ .proto = IPPROTO_ICMP,
+ .family = NFPROTO_IPV4,
+ },
};
static int __net_init ip_tables_net_init(struct net *net)
@@ -2227,13 +2229,10 @@ static int __init ip_tables_init(void)
goto err1;
/* Noone else will be downing sem now, so we won't sleep */
- ret = xt_register_target(&ipt_standard_target);
+ ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
if (ret < 0)
goto err2;
- ret = xt_register_target(&ipt_error_target);
- if (ret < 0)
- goto err3;
- ret = xt_register_match(&icmp_matchstruct);
+ ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
if (ret < 0)
goto err4;
@@ -2246,11 +2245,9 @@ static int __init ip_tables_init(void)
return 0;
err5:
- xt_unregister_match(&icmp_matchstruct);
+ xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
err4:
- xt_unregister_target(&ipt_error_target);
-err3:
- xt_unregister_target(&ipt_standard_target);
+ xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
err2:
unregister_pernet_subsys(&ip_tables_net_ops);
err1:
@@ -2261,10 +2258,8 @@ static void __exit ip_tables_fini(void)
{
nf_unregister_sockopt(&ipt_sockopts);
- xt_unregister_match(&icmp_matchstruct);
- xt_unregister_target(&ipt_error_target);
- xt_unregister_target(&ipt_standard_target);
-
+ xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
+ xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
unregister_pernet_subsys(&ip_tables_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1b9ba79..a34819b 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2174,22 +2174,23 @@ static bool icmp6_checkentry(const struct xt_mtchk_param *par)
}
/* The built-in targets: standard (NULL) and error. */
-static struct xt_target ip6t_standard_target __read_mostly = {
- .name = IP6T_STANDARD_TARGET,
- .targetsize = sizeof(int),
- .family = NFPROTO_IPV6,
+static struct xt_target ip6t_builtin_tg[] __read_mostly = {
+ {
+ .name = IP6T_STANDARD_TARGET,
+ .targetsize = sizeof(int),
+ .family = NFPROTO_IPV6,
#ifdef CONFIG_COMPAT
- .compatsize = sizeof(compat_int_t),
- .compat_from_user = compat_standard_from_user,
- .compat_to_user = compat_standard_to_user,
+ .compatsize = sizeof(compat_int_t),
+ .compat_from_user = compat_standard_from_user,
+ .compat_to_user = compat_standard_to_user,
#endif
-};
-
-static struct xt_target ip6t_error_target __read_mostly = {
- .name = IP6T_ERROR_TARGET,
- .target = ip6t_error,
- .targetsize = IP6T_FUNCTION_MAXNAMELEN,
- .family = NFPROTO_IPV6,
+ },
+ {
+ .name = IP6T_ERROR_TARGET,
+ .target = ip6t_error,
+ .targetsize = IP6T_FUNCTION_MAXNAMELEN,
+ .family = NFPROTO_IPV6,
+ },
};
static struct nf_sockopt_ops ip6t_sockopts = {
@@ -2209,13 +2210,15 @@ static struct nf_sockopt_ops ip6t_sockopts = {
.owner = THIS_MODULE,
};
-static struct xt_match icmp6_matchstruct __read_mostly = {
- .name = "icmp6",
- .match = icmp6_match,
- .matchsize = sizeof(struct ip6t_icmp),
- .checkentry = icmp6_checkentry,
- .proto = IPPROTO_ICMPV6,
- .family = NFPROTO_IPV6,
+static struct xt_match ip6t_builtin_mt[] __read_mostly = {
+ {
+ .name = "icmp6",
+ .match = icmp6_match,
+ .matchsize = sizeof(struct ip6t_icmp),
+ .checkentry = icmp6_checkentry,
+ .proto = IPPROTO_ICMPV6,
+ .family = NFPROTO_IPV6,
+ },
};
static int __net_init ip6_tables_net_init(struct net *net)
@@ -2242,13 +2245,10 @@ static int __init ip6_tables_init(void)
goto err1;
/* Noone else will be downing sem now, so we won't sleep */
- ret = xt_register_target(&ip6t_standard_target);
+ ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
if (ret < 0)
goto err2;
- ret = xt_register_target(&ip6t_error_target);
- if (ret < 0)
- goto err3;
- ret = xt_register_match(&icmp6_matchstruct);
+ ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
if (ret < 0)
goto err4;
@@ -2261,11 +2261,9 @@ static int __init ip6_tables_init(void)
return 0;
err5:
- xt_unregister_match(&icmp6_matchstruct);
+ xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
err4:
- xt_unregister_target(&ip6t_error_target);
-err3:
- xt_unregister_target(&ip6t_standard_target);
+ xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
err2:
unregister_pernet_subsys(&ip6_tables_net_ops);
err1:
@@ -2276,10 +2274,8 @@ static void __exit ip6_tables_fini(void)
{
nf_unregister_sockopt(&ip6t_sockopts);
- xt_unregister_match(&icmp6_matchstruct);
- xt_unregister_target(&ip6t_error_target);
- xt_unregister_target(&ip6t_standard_target);
-
+ xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
+ xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
unregister_pernet_subsys(&ip6_tables_net_ops);
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 047/103] netfilter: xtables: move functions around
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (45 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 046/103] netfilter: xtables: combine built-in extension structs Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 048/103] netfilter: ebtables: change ebt_basic_match to xt convention Jan Engelhardt
` (57 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
For the next patch, the builtin_mt object needs to be available ahead
of ip6t_do_table if we want to do without predeclartions.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arp_tables.c | 77 +++++++-------
net/ipv4/netfilter/ip_tables.c | 192 +++++++++++++++++-----------------
net/ipv6/netfilter/ip6_tables.c | 219 ++++++++++++++++++++-------------------
3 files changed, 246 insertions(+), 242 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 81e5b50..33fb603 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -216,6 +216,26 @@ static inline int arp_checkentry(const struct arpt_arp *arp)
return 1;
}
+#ifdef CONFIG_COMPAT
+static void compat_standard_from_user(void *dst, const void *src)
+{
+ int v = *(compat_int_t *)src;
+
+ if (v > 0)
+ v += xt_compat_calc_jump(NFPROTO_ARP, v);
+ memcpy(dst, &v, sizeof(v));
+}
+
+static int compat_standard_to_user(void __user *dst, const void *src)
+{
+ compat_int_t cv = *(int *)src;
+
+ if (cv > 0)
+ cv -= xt_compat_calc_jump(NFPROTO_ARP, cv);
+ return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
+}
+#endif
+
static unsigned int
arpt_error(struct sk_buff *skb, const struct xt_action_param *par)
{
@@ -226,6 +246,25 @@ arpt_error(struct sk_buff *skb, const struct xt_action_param *par)
return NF_DROP;
}
+static struct xt_target arpt_builtin_tg[] __read_mostly = {
+ {
+ .name = ARPT_STANDARD_TARGET,
+ .targetsize = sizeof(int),
+ .family = NFPROTO_ARP,
+#ifdef CONFIG_COMPAT
+ .compatsize = sizeof(compat_int_t),
+ .compat_from_user = compat_standard_from_user,
+ .compat_to_user = compat_standard_to_user,
+#endif
+ },
+ {
+ .name = ARPT_ERROR_TARGET,
+ .target = arpt_error,
+ .targetsize = ARPT_FUNCTION_MAXNAMELEN,
+ .family = NFPROTO_ARP,
+ },
+};
+
static inline const struct arpt_entry_target *
arpt_get_target_c(const struct arpt_entry *e)
{
@@ -818,24 +857,6 @@ static int copy_entries_to_user(unsigned int total_size,
}
#ifdef CONFIG_COMPAT
-static void compat_standard_from_user(void *dst, const void *src)
-{
- int v = *(compat_int_t *)src;
-
- if (v > 0)
- v += xt_compat_calc_jump(NFPROTO_ARP, v);
- memcpy(dst, &v, sizeof(v));
-}
-
-static int compat_standard_to_user(void __user *dst, const void *src)
-{
- compat_int_t cv = *(int *)src;
-
- if (cv > 0)
- cv -= xt_compat_calc_jump(NFPROTO_ARP, cv);
- return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
-}
-
static int compat_calc_entry(const struct arpt_entry *e,
const struct xt_table_info *info,
const void *base, struct xt_table_info *newinfo)
@@ -1816,26 +1837,6 @@ void arpt_unregister_table(struct xt_table *table)
xt_free_table_info(private);
}
-/* The built-in targets: standard (NULL) and error. */
-static struct xt_target arpt_builtin_tg[] __read_mostly = {
- {
- .name = ARPT_STANDARD_TARGET,
- .targetsize = sizeof(int),
- .family = NFPROTO_ARP,
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(compat_int_t),
- .compat_from_user = compat_standard_from_user,
- .compat_to_user = compat_standard_to_user,
-#endif
- },
- {
- .name = ARPT_ERROR_TARGET,
- .target = arpt_error,
- .targetsize = ARPT_FUNCTION_MAXNAMELEN,
- .family = NFPROTO_ARP,
- },
-};
-
static struct nf_sockopt_ops arpt_sockopts = {
.pf = PF_INET,
.set_optmin = ARPT_BASE_CTL,
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 7192e89..4a8d6ab 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -157,6 +157,73 @@ ip_checkentry(const struct ipt_ip *ip)
return true;
}
+/* Returns 1 if the type and code is matched by the range, 0 otherwise */
+static inline bool
+icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
+ u_int8_t type, u_int8_t code,
+ bool invert)
+{
+ return ((test_type == 0xFF) ||
+ (type == test_type && code >= min_code && code <= max_code))
+ ^ invert;
+}
+
+static bool
+icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
+{
+ const struct icmphdr *ic;
+ struct icmphdr _icmph;
+ const struct ipt_icmp *icmpinfo = par->matchinfo;
+
+ /* Must not be a fragment. */
+ if (par->fragoff != 0)
+ return false;
+
+ ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
+ if (ic == NULL) {
+ /* We've been asked to examine this packet, and we
+ * can't. Hence, no choice but to drop.
+ */
+ duprintf("Dropping evil ICMP tinygram.\n");
+ par->hotdrop = true;
+ return false;
+ }
+
+ return icmp_type_code_match(icmpinfo->type,
+ icmpinfo->code[0],
+ icmpinfo->code[1],
+ ic->type, ic->code,
+ !!(icmpinfo->invflags&IPT_ICMP_INV));
+}
+
+static bool icmp_checkentry(const struct xt_mtchk_param *par)
+{
+ const struct ipt_icmp *icmpinfo = par->matchinfo;
+
+ /* Must specify no unknown invflags */
+ return !(icmpinfo->invflags & ~IPT_ICMP_INV);
+}
+
+#ifdef CONFIG_COMPAT
+static void compat_standard_from_user(void *dst, const void *src)
+{
+ int v = *(compat_int_t *)src;
+
+ if (v > 0)
+ v += xt_compat_calc_jump(AF_INET, v);
+ memcpy(dst, &v, sizeof(v));
+}
+
+static int compat_standard_to_user(void __user *dst, const void *src)
+{
+ compat_int_t cv = *(int *)src;
+
+ if (cv > 0)
+ cv -= xt_compat_calc_jump(AF_INET, cv);
+ return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
+}
+#endif
+
static unsigned int
ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
{
@@ -167,6 +234,36 @@ ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
return NF_DROP;
}
+static struct xt_target ipt_builtin_tg[] __read_mostly = {
+ {
+ .name = IPT_STANDARD_TARGET,
+ .targetsize = sizeof(int),
+ .family = NFPROTO_IPV4,
+#ifdef CONFIG_COMPAT
+ .compatsize = sizeof(compat_int_t),
+ .compat_from_user = compat_standard_from_user,
+ .compat_to_user = compat_standard_to_user,
+#endif
+ },
+ {
+ .name = IPT_ERROR_TARGET,
+ .target = ipt_error,
+ .targetsize = IPT_FUNCTION_MAXNAMELEN,
+ .family = NFPROTO_IPV4,
+ },
+};
+
+static struct xt_match ipt_builtin_mt[] __read_mostly = {
+ {
+ .name = "icmp",
+ .match = icmp_match,
+ .matchsize = sizeof(struct ipt_icmp),
+ .checkentry = icmp_checkentry,
+ .proto = IPPROTO_ICMP,
+ .family = NFPROTO_IPV4,
+ },
+};
+
/* Performance critical */
static inline struct ipt_entry *
get_entry(const void *base, unsigned int offset)
@@ -1008,24 +1105,6 @@ copy_entries_to_user(unsigned int total_size,
}
#ifdef CONFIG_COMPAT
-static void compat_standard_from_user(void *dst, const void *src)
-{
- int v = *(compat_int_t *)src;
-
- if (v > 0)
- v += xt_compat_calc_jump(AF_INET, v);
- memcpy(dst, &v, sizeof(v));
-}
-
-static int compat_standard_to_user(void __user *dst, const void *src)
-{
- compat_int_t cv = *(int *)src;
-
- if (cv > 0)
- cv -= xt_compat_calc_jump(AF_INET, cv);
- return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
-}
-
static int compat_calc_entry(const struct ipt_entry *e,
const struct xt_table_info *info,
const void *base, struct xt_table_info *newinfo)
@@ -2111,72 +2190,6 @@ void ipt_unregister_table(struct xt_table *table)
xt_free_table_info(private);
}
-/* Returns 1 if the type and code is matched by the range, 0 otherwise */
-static inline bool
-icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
- u_int8_t type, u_int8_t code,
- bool invert)
-{
- return ((test_type == 0xFF) ||
- (type == test_type && code >= min_code && code <= max_code))
- ^ invert;
-}
-
-static bool
-icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
-{
- const struct icmphdr *ic;
- struct icmphdr _icmph;
- const struct ipt_icmp *icmpinfo = par->matchinfo;
-
- /* Must not be a fragment. */
- if (par->fragoff != 0)
- return false;
-
- ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
- if (ic == NULL) {
- /* We've been asked to examine this packet, and we
- * can't. Hence, no choice but to drop.
- */
- duprintf("Dropping evil ICMP tinygram.\n");
- par->hotdrop = true;
- return false;
- }
-
- return icmp_type_code_match(icmpinfo->type,
- icmpinfo->code[0],
- icmpinfo->code[1],
- ic->type, ic->code,
- !!(icmpinfo->invflags&IPT_ICMP_INV));
-}
-
-static bool icmp_checkentry(const struct xt_mtchk_param *par)
-{
- const struct ipt_icmp *icmpinfo = par->matchinfo;
-
- /* Must specify no unknown invflags */
- return !(icmpinfo->invflags & ~IPT_ICMP_INV);
-}
-
-static struct xt_target ipt_builtin_tg[] __read_mostly = {
- {
- .name = IPT_STANDARD_TARGET,
- .targetsize = sizeof(int),
- .family = NFPROTO_IPV4,
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(compat_int_t),
- .compat_from_user = compat_standard_from_user,
- .compat_to_user = compat_standard_to_user,
-#endif
- },
- {
- .name = IPT_ERROR_TARGET,
- .target = ipt_error,
- .targetsize = IPT_FUNCTION_MAXNAMELEN,
- .family = NFPROTO_IPV4,
- },
-};
-
static struct nf_sockopt_ops ipt_sockopts = {
.pf = PF_INET,
.set_optmin = IPT_BASE_CTL,
@@ -2194,17 +2207,6 @@ static struct nf_sockopt_ops ipt_sockopts = {
.owner = THIS_MODULE,
};
-static struct xt_match ipt_builtin_mt[] __read_mostly = {
- {
- .name = "icmp",
- .match = icmp_match,
- .matchsize = sizeof(struct ipt_icmp),
- .checkentry = icmp_checkentry,
- .proto = IPPROTO_ICMP,
- .family = NFPROTO_IPV4,
- },
-};
-
static int __net_init ip_tables_net_init(struct net *net)
{
return xt_proto_init(net, NFPROTO_IPV4);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index a34819b..0911681 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -76,19 +76,6 @@ do { \
Hence the start of any table is given by get_table() below. */
-/* Check for an extension */
-int
-ip6t_ext_hdr(u8 nexthdr)
-{
- return ( (nexthdr == IPPROTO_HOPOPTS) ||
- (nexthdr == IPPROTO_ROUTING) ||
- (nexthdr == IPPROTO_FRAGMENT) ||
- (nexthdr == IPPROTO_ESP) ||
- (nexthdr == IPPROTO_AH) ||
- (nexthdr == IPPROTO_NONE) ||
- (nexthdr == IPPROTO_DSTOPTS) );
-}
-
/* Returns whether matches rule or not. */
/* Performance critical - called for every packet */
static inline bool
@@ -189,6 +176,73 @@ ip6_checkentry(const struct ip6t_ip6 *ipv6)
return true;
}
+/* Returns 1 if the type and code is matched by the range, 0 otherwise */
+static inline bool
+icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
+ u_int8_t type, u_int8_t code,
+ bool invert)
+{
+ return (type == test_type && code >= min_code && code <= max_code)
+ ^ invert;
+}
+
+static bool
+icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
+{
+ const struct icmp6hdr *ic;
+ struct icmp6hdr _icmph;
+ const struct ip6t_icmp *icmpinfo = par->matchinfo;
+
+ /* Must not be a fragment. */
+ if (par->fragoff != 0)
+ return false;
+
+ ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
+ if (ic == NULL) {
+ /* We've been asked to examine this packet, and we
+ * can't. Hence, no choice but to drop.
+ */
+ duprintf("Dropping evil ICMP tinygram.\n");
+ par->hotdrop = true;
+ return false;
+ }
+
+ return icmp6_type_code_match(icmpinfo->type,
+ icmpinfo->code[0],
+ icmpinfo->code[1],
+ ic->icmp6_type, ic->icmp6_code,
+ !!(icmpinfo->invflags&IP6T_ICMP_INV));
+}
+
+/* Called when user tries to insert an entry of this type. */
+static bool icmp6_checkentry(const struct xt_mtchk_param *par)
+{
+ const struct ip6t_icmp *icmpinfo = par->matchinfo;
+
+ /* Must specify no unknown invflags */
+ return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
+}
+
+#ifdef CONFIG_COMPAT
+static void compat_standard_from_user(void *dst, const void *src)
+{
+ int v = *(compat_int_t *)src;
+
+ if (v > 0)
+ v += xt_compat_calc_jump(AF_INET6, v);
+ memcpy(dst, &v, sizeof(v));
+}
+
+static int compat_standard_to_user(void __user *dst, const void *src)
+{
+ compat_int_t cv = *(int *)src;
+
+ if (cv > 0)
+ cv -= xt_compat_calc_jump(AF_INET6, cv);
+ return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
+}
+#endif
+
static unsigned int
ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
{
@@ -199,6 +253,36 @@ ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
return NF_DROP;
}
+static struct xt_target ip6t_builtin_tg[] __read_mostly = {
+ {
+ .name = IP6T_STANDARD_TARGET,
+ .targetsize = sizeof(int),
+ .family = NFPROTO_IPV6,
+#ifdef CONFIG_COMPAT
+ .compatsize = sizeof(compat_int_t),
+ .compat_from_user = compat_standard_from_user,
+ .compat_to_user = compat_standard_to_user,
+#endif
+ },
+ {
+ .name = IP6T_ERROR_TARGET,
+ .target = ip6t_error,
+ .targetsize = IP6T_FUNCTION_MAXNAMELEN,
+ .family = NFPROTO_IPV6,
+ },
+};
+
+static struct xt_match ip6t_builtin_mt[] __read_mostly = {
+ {
+ .name = "icmp6",
+ .match = icmp6_match,
+ .matchsize = sizeof(struct ip6t_icmp),
+ .checkentry = icmp6_checkentry,
+ .proto = IPPROTO_ICMPV6,
+ .family = NFPROTO_IPV6,
+ },
+};
+
static inline struct ip6t_entry *
get_entry(const void *base, unsigned int offset)
{
@@ -1022,24 +1106,6 @@ copy_entries_to_user(unsigned int total_size,
}
#ifdef CONFIG_COMPAT
-static void compat_standard_from_user(void *dst, const void *src)
-{
- int v = *(compat_int_t *)src;
-
- if (v > 0)
- v += xt_compat_calc_jump(AF_INET6, v);
- memcpy(dst, &v, sizeof(v));
-}
-
-static int compat_standard_to_user(void __user *dst, const void *src)
-{
- compat_int_t cv = *(int *)src;
-
- if (cv > 0)
- cv -= xt_compat_calc_jump(AF_INET6, cv);
- return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
-}
-
static int compat_calc_entry(const struct ip6t_entry *e,
const struct xt_table_info *info,
const void *base, struct xt_table_info *newinfo)
@@ -2126,73 +2192,6 @@ void ip6t_unregister_table(struct xt_table *table)
xt_free_table_info(private);
}
-/* Returns 1 if the type and code is matched by the range, 0 otherwise */
-static inline bool
-icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
- u_int8_t type, u_int8_t code,
- bool invert)
-{
- return (type == test_type && code >= min_code && code <= max_code)
- ^ invert;
-}
-
-static bool
-icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
-{
- const struct icmp6hdr *ic;
- struct icmp6hdr _icmph;
- const struct ip6t_icmp *icmpinfo = par->matchinfo;
-
- /* Must not be a fragment. */
- if (par->fragoff != 0)
- return false;
-
- ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
- if (ic == NULL) {
- /* We've been asked to examine this packet, and we
- * can't. Hence, no choice but to drop.
- */
- duprintf("Dropping evil ICMP tinygram.\n");
- par->hotdrop = true;
- return false;
- }
-
- return icmp6_type_code_match(icmpinfo->type,
- icmpinfo->code[0],
- icmpinfo->code[1],
- ic->icmp6_type, ic->icmp6_code,
- !!(icmpinfo->invflags&IP6T_ICMP_INV));
-}
-
-/* Called when user tries to insert an entry of this type. */
-static bool icmp6_checkentry(const struct xt_mtchk_param *par)
-{
- const struct ip6t_icmp *icmpinfo = par->matchinfo;
-
- /* Must specify no unknown invflags */
- return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
-}
-
-/* The built-in targets: standard (NULL) and error. */
-static struct xt_target ip6t_builtin_tg[] __read_mostly = {
- {
- .name = IP6T_STANDARD_TARGET,
- .targetsize = sizeof(int),
- .family = NFPROTO_IPV6,
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(compat_int_t),
- .compat_from_user = compat_standard_from_user,
- .compat_to_user = compat_standard_to_user,
-#endif
- },
- {
- .name = IP6T_ERROR_TARGET,
- .target = ip6t_error,
- .targetsize = IP6T_FUNCTION_MAXNAMELEN,
- .family = NFPROTO_IPV6,
- },
-};
-
static struct nf_sockopt_ops ip6t_sockopts = {
.pf = PF_INET6,
.set_optmin = IP6T_BASE_CTL,
@@ -2210,17 +2209,6 @@ static struct nf_sockopt_ops ip6t_sockopts = {
.owner = THIS_MODULE,
};
-static struct xt_match ip6t_builtin_mt[] __read_mostly = {
- {
- .name = "icmp6",
- .match = icmp6_match,
- .matchsize = sizeof(struct ip6t_icmp),
- .checkentry = icmp6_checkentry,
- .proto = IPPROTO_ICMPV6,
- .family = NFPROTO_IPV6,
- },
-};
-
static int __net_init ip6_tables_net_init(struct net *net)
{
return xt_proto_init(net, NFPROTO_IPV6);
@@ -2279,6 +2267,19 @@ static void __exit ip6_tables_fini(void)
unregister_pernet_subsys(&ip6_tables_net_ops);
}
+/* Check for an extension */
+int
+ip6t_ext_hdr(u8 nexthdr)
+{
+ return nexthdr == IPPROTO_HOPOPTS ||
+ nexthdr == IPPROTO_ROUTING ||
+ nexthdr == IPPROTO_FRAGMENT ||
+ nexthdr == IPPROTO_ESP ||
+ nexthdr == IPPROTO_AH ||
+ nexthdr == IPPROTO_NONE ||
+ nexthdr == IPPROTO_DSTOPTS;
+}
+
/*
* find the offset to specified header or the protocol number of last header
* if target < 0. "last header" is transport protocol header, ESP, or
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 048/103] netfilter: ebtables: change ebt_basic_match to xt convention
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (46 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 047/103] netfilter: xtables: move functions around Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 049/103] netfilter: xtables: convert basic nfproto match functions into xt matches Jan Engelhardt
` (56 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
When this will become an xt_match, it needs the xt semantics;
this mandates changing the return values from 1/0 to 0/1.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/bridge/netfilter/ebtables.c | 22 +++++++++++-----------
1 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index df68825..9f871e4 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -101,7 +101,7 @@ ebt_dev_check(const char *entry, const struct net_device *device)
#define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
/* process standard matches */
-static inline int
+static inline bool
ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
const struct net_device *in, const struct net_device *out)
{
@@ -109,21 +109,21 @@ ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
if (e->bitmask & EBT_802_3) {
if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
- return 1;
+ return false;
} else if (!(e->bitmask & EBT_NOPROTO) &&
FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
- return 1;
+ return false;
if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
- return 1;
+ return false;
if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
- return 1;
+ return false;
if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
- return 1;
+ return false;
if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
- return 1;
+ return false;
if (e->bitmask & EBT_SOURCEMAC) {
verdict = 0;
@@ -131,7 +131,7 @@ ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
e->sourcemsk[i];
if (FWINV2(verdict != 0, EBT_ISOURCE) )
- return 1;
+ return false;
}
if (e->bitmask & EBT_DESTMAC) {
verdict = 0;
@@ -139,9 +139,9 @@ ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
verdict |= (h->h_dest[i] ^ e->destmac[i]) &
e->destmsk[i];
if (FWINV2(verdict != 0, EBT_IDEST) )
- return 1;
+ return false;
}
- return 0;
+ return true;
}
static inline __pure
@@ -188,7 +188,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
base = private->entries;
i = 0;
while (i < nentries) {
- if (ebt_basic_match(point, eth_hdr(skb), in, out))
+ if (!ebt_basic_match(point, eth_hdr(skb), in, out))
goto letscontinue;
if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 049/103] netfilter: xtables: convert basic nfproto match functions into xt matches
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (47 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 048/103] netfilter: ebtables: change ebt_basic_match to xt convention Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 050/103] netfilter: xtables2: initial table skeletal functions Jan Engelhardt
` (55 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Each table implementation has a private built-in hardwired match
function for its corresponding nfproto data (e.g. ip_tables: struct
ipt6_ip6 processed by ip6_packet_match to match against the IPv6
header, etc.)
Rewrite the functions so that they are independent xt_matches and can
be used from an nfproto-independent table.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 4 +-
net/bridge/netfilter/ebtables.c | 93 ++++++++++++++++++++---------
net/ipv4/netfilter/arp_tables.c | 114 +++++++++++++++++++++++-------------
net/ipv4/netfilter/ip_tables.c | 72 ++++++++++++++---------
net/ipv6/netfilter/ip6_tables.c | 78 ++++++++++++++-----------
5 files changed, 227 insertions(+), 134 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 4b7927a..62cce82 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -201,14 +201,14 @@ struct xt_counters_info
* @targetinfo: per-target data
* @in: input netdevice
* @out: output netdevice
- * @fragoff: packet is a fragment, this is the data offset
- * @thoff: position of transport header relative to skb->data
* @hook: hook number given packet came from
* @family: Actual NFPROTO_* through which the function is invoked
* (helpful when match->family == NFPROTO_UNSPEC)
*
* Fields written to by extensions:
*
+ * @fragoff: packet is a fragment, this is the data offset
+ * @thoff: position of transport header relative to skb->data
* @hotdrop: drop packet if we had inspection problems
*/
struct xt_action_param {
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 9f871e4..8b8cf09 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -101,10 +101,11 @@ ebt_dev_check(const char *entry, const struct net_device *device)
#define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
/* process standard matches */
-static inline bool
-ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
- const struct net_device *in, const struct net_device *out)
+static bool
+ebt_basic_match(const struct sk_buff *skb, struct xt_action_param *par)
{
+ const struct ethhdr *h = eth_hdr(skb);
+ const struct ebt_entry *e = par->matchinfo;
int verdict, i;
if (e->bitmask & EBT_802_3) {
@@ -114,15 +115,17 @@ ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
return false;
- if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
+ if (FWINV2(ebt_dev_check(e->in, par->in), EBT_IIN))
return false;
- if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
+ if (FWINV2(ebt_dev_check(e->out, par->out), EBT_IOUT))
return false;
- if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
- e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
+ if ((par->in == NULL || par->in->br_port == NULL) ? 0 :
+ FWINV2(ebt_dev_check(e->logical_in, par->in->br_port->br->dev),
+ EBT_ILOGICALIN))
return false;
- if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
- e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
+ if ((par->out == NULL || par->out->br_port == NULL) ? 0 :
+ FWINV2(ebt_dev_check(e->logical_out, par->out->br_port->br->dev),
+ EBT_ILOGICALOUT))
return false;
if (e->bitmask & EBT_SOURCEMAC) {
@@ -144,6 +147,35 @@ ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
return true;
}
+static bool ebt_basic_checkentry(const struct xt_mtchk_param *par)
+{
+ const struct ebt_entry *e = par->matchinfo;
+
+ if (e->bitmask & ~EBT_F_MASK) {
+ BUGPRINT("Unknown flag for bitmask\n");
+ return false;
+ }
+ if (e->invflags & ~EBT_INV_MASK) {
+ BUGPRINT("Unknown flag for inv bitmask\n");
+ return false;
+ }
+ if ((e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3)) {
+ BUGPRINT("NOPROTO & 802_3 not allowed\n");
+ return false;
+ }
+
+ return true;
+}
+
+static struct xt_match ebt_builtin_mt __read_mostly = {
+ .name = "eth",
+ .revision = 0,
+ .family = NFPROTO_BRIDGE,
+ .matchsize = sizeof(struct ebt_entry),
+ .match = ebt_basic_match,
+ .checkentry = ebt_basic_checkentry,
+};
+
static inline __pure
struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
{
@@ -188,7 +220,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
base = private->entries;
i = 0;
while (i < nentries) {
- if (!ebt_basic_match(point, eth_hdr(skb), in, out))
+ acpar.match = &ebt_builtin_mt;
+ acpar.matchinfo = point;
+ if (!ebt_basic_match(skb, &acpar))
goto letscontinue;
if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
@@ -628,18 +662,16 @@ ebt_check_entry(struct ebt_entry *e, const struct ebt_table_info *newinfo,
if (e->bitmask == 0)
return 0;
- if (e->bitmask & ~EBT_F_MASK) {
- BUGPRINT("Unknown flag for bitmask\n");
- return -EINVAL;
- }
- if (e->invflags & ~EBT_INV_MASK) {
- BUGPRINT("Unknown flag for inv bitmask\n");
- return -EINVAL;
- }
- if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
- BUGPRINT("NOPROTO & 802_3 not allowed\n");
+ mtpar.table = tgpar.table = name;
+ mtpar.entryinfo = tgpar.entryinfo = e;
+ mtpar.hook_mask = tgpar.hook_mask = hookmask;
+ mtpar.family = tgpar.family = NFPROTO_BRIDGE;
+
+ mtpar.match = &ebt_builtin_mt;
+ mtpar.matchinfo = e;
+ if (!ebt_basic_checkentry(&mtpar))
return -EINVAL;
- }
+
/* what hook do we belong to? */
for (i = 0; i < NF_BR_NUMHOOKS; i++) {
if (!newinfo->hook_entry[i])
@@ -664,10 +696,6 @@ ebt_check_entry(struct ebt_entry *e, const struct ebt_table_info *newinfo,
}
i = 0;
- mtpar.table = tgpar.table = name;
- mtpar.entryinfo = tgpar.entryinfo = e;
- mtpar.hook_mask = tgpar.hook_mask = hookmask;
- mtpar.family = tgpar.family = NFPROTO_BRIDGE;
ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
if (ret != 0)
goto cleanup_matches;
@@ -1483,19 +1511,26 @@ static int __init ebtables_init(void)
ret = xt_register_target(&ebt_standard_target);
if (ret < 0)
return ret;
+ ret = xt_register_match(&ebt_builtin_mt);
+ if (ret < 0)
+ goto out;
ret = nf_register_sockopt(&ebt_sockopts);
- if (ret < 0) {
- xt_unregister_target(&ebt_standard_target);
- return ret;
- }
+ if (ret < 0)
+ goto out2;
printk(KERN_INFO "Ebtables v2.0 registered\n");
return 0;
+ out2:
+ xt_unregister_match(&ebt_builtin_mt);
+ out:
+ xt_unregister_target(&ebt_standard_target);
+ return ret;
}
static void __exit ebtables_fini(void)
{
nf_unregister_sockopt(&ebt_sockopts);
+ xt_unregister_match(&ebt_builtin_mt);
xt_unregister_target(&ebt_standard_target);
printk(KERN_INFO "Ebtables v2.0 unregistered\n");
}
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 33fb603..f38444c 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -96,12 +96,12 @@ static unsigned long ifname_compare(const char *_a, const char *_b, const char *
}
/* Returns whether packet matches rule or not. */
-static inline int arp_packet_match(const struct arphdr *arphdr,
- struct net_device *dev,
- const char *indev,
- const char *outdev,
- const struct arpt_arp *arpinfo)
+static bool
+arp_packet_match(const struct sk_buff *skb, struct xt_action_param *par)
{
+ static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
+ const struct arphdr *arphdr = arp_hdr(skb);
+ const struct arpt_arp *arpinfo = par->matchinfo;
const char *arpptr = (char *)(arphdr + 1);
const char *src_devaddr, *tgt_devaddr;
__be32 src_ipaddr, tgt_ipaddr;
@@ -114,7 +114,7 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
dprintf("ARP operation field mismatch.\n");
dprintf("ar_op: %04x info->arpop: %04x info->arpop_mask: %04x\n",
arphdr->ar_op, arpinfo->arpop, arpinfo->arpop_mask);
- return 0;
+ return false;
}
if (FWINV((arphdr->ar_hrd & arpinfo->arhrd_mask) != arpinfo->arhrd,
@@ -122,7 +122,7 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
dprintf("ARP hardware address format mismatch.\n");
dprintf("ar_hrd: %04x info->arhrd: %04x info->arhrd_mask: %04x\n",
arphdr->ar_hrd, arpinfo->arhrd, arpinfo->arhrd_mask);
- return 0;
+ return false;
}
if (FWINV((arphdr->ar_pro & arpinfo->arpro_mask) != arpinfo->arpro,
@@ -130,7 +130,7 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
dprintf("ARP protocol address format mismatch.\n");
dprintf("ar_pro: %04x info->arpro: %04x info->arpro_mask: %04x\n",
arphdr->ar_pro, arpinfo->arpro, arpinfo->arpro_mask);
- return 0;
+ return false;
}
if (FWINV((arphdr->ar_hln & arpinfo->arhln_mask) != arpinfo->arhln,
@@ -138,24 +138,24 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
dprintf("ARP hardware address length mismatch.\n");
dprintf("ar_hln: %02x info->arhln: %02x info->arhln_mask: %02x\n",
arphdr->ar_hln, arpinfo->arhln, arpinfo->arhln_mask);
- return 0;
+ return false;
}
src_devaddr = arpptr;
- arpptr += dev->addr_len;
+ arpptr += skb->dev->addr_len;
memcpy(&src_ipaddr, arpptr, sizeof(u32));
arpptr += sizeof(u32);
tgt_devaddr = arpptr;
- arpptr += dev->addr_len;
+ arpptr += skb->dev->addr_len;
memcpy(&tgt_ipaddr, arpptr, sizeof(u32));
- if (FWINV(arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr, dev->addr_len),
- ARPT_INV_SRCDEVADDR) ||
- FWINV(arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr, dev->addr_len),
- ARPT_INV_TGTDEVADDR)) {
+ if (FWINV(arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,
+ skb->dev->addr_len), ARPT_INV_SRCDEVADDR) ||
+ FWINV(arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,
+ skb->dev->addr_len), ARPT_INV_TGTDEVADDR)) {
dprintf("Source or target device address mismatch.\n");
- return 0;
+ return false;
}
if (FWINV((src_ipaddr & arpinfo->smsk.s_addr) != arpinfo->src.s_addr,
@@ -174,46 +174,48 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
&arpinfo->tmsk.s_addr,
&arpinfo->tgt.s_addr,
arpinfo->invflags & ARPT_INV_TGTIP ? " (INV)" : "");
- return 0;
+ return false;
}
/* Look for ifname matches. */
- ret = ifname_compare(indev, arpinfo->iniface, arpinfo->iniface_mask);
-
+ ret = ifname_compare((par->in == NULL) ? nulldevname : par->in->name,
+ arpinfo->iniface, arpinfo->iniface_mask);
if (FWINV(ret != 0, ARPT_INV_VIA_IN)) {
dprintf("VIA in mismatch (%s vs %s).%s\n",
- indev, arpinfo->iniface,
+ par->in->name, arpinfo->iniface,
arpinfo->invflags&ARPT_INV_VIA_IN ?" (INV)":"");
- return 0;
+ return false;
}
- ret = ifname_compare(outdev, arpinfo->outiface, arpinfo->outiface_mask);
-
+ ret = ifname_compare((par->out == NULL) ? nulldevname : par->out->name,
+ arpinfo->outiface, arpinfo->outiface_mask);
if (FWINV(ret != 0, ARPT_INV_VIA_OUT)) {
dprintf("VIA out mismatch (%s vs %s).%s\n",
- outdev, arpinfo->outiface,
+ par->out->name, arpinfo->outiface,
arpinfo->invflags&ARPT_INV_VIA_OUT ?" (INV)":"");
- return 0;
+ return false;
}
- return 1;
+ return true;
#undef FWINV
}
-static inline int arp_checkentry(const struct arpt_arp *arp)
+static bool arp_checkentry(const struct xt_mtchk_param *par)
{
+ const struct arpt_arp *arp = par->matchinfo;
+
if (arp->flags & ~ARPT_F_MASK) {
duprintf("Unknown flag bits set: %08X\n",
arp->flags & ~ARPT_F_MASK);
- return 0;
+ return false;
}
if (arp->invflags & ~ARPT_INV_MASK) {
duprintf("Unknown invflag bits set: %08X\n",
arp->invflags & ~ARPT_INV_MASK);
- return 0;
+ return false;
}
- return 1;
+ return true;
}
#ifdef CONFIG_COMPAT
@@ -265,6 +267,15 @@ static struct xt_target arpt_builtin_tg[] __read_mostly = {
},
};
+static struct xt_match arpt_builtin_mt __read_mostly = {
+ .name = "arp",
+ .revision = 0,
+ .family = NFPROTO_ARP,
+ .matchsize = sizeof(struct arpt_arp),
+ .match = arp_packet_match,
+ .checkentry = arp_checkentry,
+};
+
static inline const struct arpt_entry_target *
arpt_get_target_c(const struct arpt_entry *e)
{
@@ -289,11 +300,9 @@ unsigned int arpt_do_table(struct sk_buff *skb,
const struct net_device *out,
struct xt_table *table)
{
- static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
unsigned int verdict = NF_DROP;
const struct arphdr *arp;
struct arpt_entry *e, *back;
- const char *indev, *outdev;
void *table_base;
const struct xt_table_info *private;
struct xt_action_param acpar;
@@ -301,9 +310,6 @@ unsigned int arpt_do_table(struct sk_buff *skb,
if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
return NF_DROP;
- indev = in ? in->name : nulldevname;
- outdev = out ? out->name : nulldevname;
-
xt_info_rdlock_bh();
private = table->private;
table_base = private->entries[smp_processor_id()];
@@ -317,12 +323,19 @@ unsigned int arpt_do_table(struct sk_buff *skb,
acpar.family = NFPROTO_ARP;
acpar.hotdrop = false;
+ /*
+ * For arptables, do these two outside the loop because arp_tables
+ * does not support other matches anyway.
+ */
+ acpar.match = &arpt_builtin_mt;
+ acpar.matchinfo = &e->arp;
+
arp = arp_hdr(skb);
do {
const struct arpt_entry_target *t;
int hdr_len;
- if (!arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) {
+ if (!arp_packet_match(skb, &acpar)) {
e = arpt_next_entry(e);
continue;
}
@@ -502,11 +515,14 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
return 1;
}
-static inline int check_entry(const struct arpt_entry *e, const char *name)
+static inline int
+check_entry(struct arpt_entry *e, struct xt_mtchk_param *par)
{
const struct arpt_entry_target *t;
- if (!arp_checkentry(&e->arp)) {
+ par->match = &arpt_builtin_mt;
+ par->matchinfo = &e->arp;
+ if (!arp_checkentry(par)) {
duprintf("arp_tables: arp check failed %p %s.\n", e, name);
return -EINVAL;
}
@@ -548,9 +564,14 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
{
struct arpt_entry_target *t;
struct xt_target *target;
+ struct xt_mtchk_param mtpar;
int ret;
- ret = check_entry(e, name);
+ mtpar.table = name;
+ mtpar.entryinfo = &e->arp;
+ mtpar.hook_mask = e->comefrom;
+ mtpar.family = NFPROTO_ARP;
+ ret = check_entry(e, &mtpar);
if (ret)
return ret;
@@ -1242,6 +1263,7 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
struct xt_target *target;
unsigned int entry_offset;
int ret, off, h;
+ struct xt_mtchk_param mtpar;
duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0
@@ -1258,7 +1280,13 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
}
/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct arpt_entry *)e, name);
+ mtpar.table = name;
+ mtpar.entryinfo = &e->arp;
+ mtpar.hook_mask = e->comefrom;
+ mtpar.family = NFPROTO_ARP;
+ mtpar.match = &arpt_builtin_mt;
+ mtpar.matchinfo = &e->arp;
+ ret = check_entry((struct arpt_entry *)e, &mtpar);
if (ret)
return ret;
@@ -1881,6 +1909,9 @@ static int __init arp_tables_init(void)
ret = xt_register_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
if (ret < 0)
goto err2;
+ ret = xt_register_match(&arpt_builtin_mt);
+ if (ret < 0)
+ goto err3;
/* Register setsockopt */
ret = nf_register_sockopt(&arpt_sockopts);
@@ -1891,6 +1922,8 @@ static int __init arp_tables_init(void)
return 0;
err4:
+ xt_unregister_match(&arpt_builtin_mt);
+err3:
xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
err2:
unregister_pernet_subsys(&arp_tables_net_ops);
@@ -1901,6 +1934,7 @@ err1:
static void __exit arp_tables_fini(void)
{
nf_unregister_sockopt(&arpt_sockopts);
+ xt_unregister_match(&arpt_builtin_mt);
xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
unregister_pernet_subsys(&arp_tables_net_ops);
}
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 4a8d6ab..7761470 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -77,13 +77,12 @@ do { \
/* Returns whether matches rule or not. */
/* Performance critical - called for every packet */
-static inline bool
-ip_packet_match(const struct iphdr *ip,
- const char *indev,
- const char *outdev,
- const struct ipt_ip *ipinfo,
- int isfrag)
+static bool
+ip_packet_match(const struct sk_buff *skb, struct xt_action_param *par)
{
+ static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
+ const struct iphdr *ip = ip_hdr(skb);
+ const struct ipt_ip *ipinfo = par->matchinfo;
unsigned long ret;
#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
@@ -103,20 +102,20 @@ ip_packet_match(const struct iphdr *ip,
return false;
}
- ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask);
-
+ ret = ifname_compare_aligned((par->in == NULL) ? nulldevname :
+ par->in->name, ipinfo->iniface, ipinfo->iniface_mask);
if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
dprintf("VIA in mismatch (%s vs %s).%s\n",
- indev, ipinfo->iniface,
+ par->in->name, ipinfo->iniface,
ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
return false;
}
- ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask);
-
+ ret = ifname_compare_aligned((par->out == NULL) ? nulldevname :
+ par->out->name, ipinfo->outiface, ipinfo->outiface_mask);
if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
dprintf("VIA out mismatch (%s vs %s).%s\n",
- outdev, ipinfo->outiface,
+ par->out->name, ipinfo->outiface,
ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
return false;
}
@@ -132,7 +131,8 @@ ip_packet_match(const struct iphdr *ip,
/* If we have a fragment rule but the packet is not a fragment
* then we return zero */
- if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
+ if (FWINV((ipinfo->flags&IPT_F_FRAG) &&
+ par->fragoff == 0, IPT_INV_FRAG)) {
dprintf("Fragment rule but not fragment.%s\n",
ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
return false;
@@ -141,9 +141,10 @@ ip_packet_match(const struct iphdr *ip,
return true;
}
-static bool
-ip_checkentry(const struct ipt_ip *ip)
+static bool ip_checkentry(const struct xt_mtchk_param *par)
{
+ const struct ipt_ip *ip = par->matchinfo;
+
if (ip->flags & ~IPT_F_MASK) {
duprintf("Unknown flag bits set: %08X\n",
ip->flags & ~IPT_F_MASK);
@@ -255,6 +256,14 @@ static struct xt_target ipt_builtin_tg[] __read_mostly = {
static struct xt_match ipt_builtin_mt[] __read_mostly = {
{
+ .name = "ipv4",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .matchsize = sizeof(struct ipt_ip),
+ .match = ip_packet_match,
+ .checkentry = ip_checkentry,
+ },
+ {
.name = "icmp",
.match = icmp_match,
.matchsize = sizeof(struct ipt_icmp),
@@ -397,11 +406,9 @@ ipt_do_table(struct sk_buff *skb,
const struct net_device *out,
struct xt_table *table)
{
- static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
const struct iphdr *ip;
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
- const char *indev, *outdev;
const void *table_base;
struct ipt_entry *e, **jumpstack;
unsigned int *stackptr, origptr, cpu;
@@ -410,8 +417,6 @@ ipt_do_table(struct sk_buff *skb,
/* Initialization */
ip = ip_hdr(skb);
- indev = in ? in->name : nulldevname;
- outdev = out ? out->name : nulldevname;
/* We handle fragments by dealing with the first fragment as
* if it was a normal packet. All other fragments are treated
* normally, except that they will NEVER match rules that ask
@@ -446,8 +451,9 @@ ipt_do_table(struct sk_buff *skb,
const struct xt_entry_match *ematch;
IP_NF_ASSERT(e);
- if (!ip_packet_match(ip, indev, outdev,
- &e->ip, acpar.fragoff)) {
+ acpar.match = &ipt_builtin_mt[0]; /* "ipv4" itself */
+ acpar.matchinfo = &e->ip;
+ if (!ip_packet_match(skb, &acpar)) {
no_match:
e = ipt_next_entry(e);
continue;
@@ -663,11 +669,13 @@ static void cleanup_match(struct ipt_entry_match *m)
}
static int
-check_entry(const struct ipt_entry *e, const char *name)
+check_entry(struct ipt_entry *e, struct xt_mtchk_param *par)
{
const struct ipt_entry_target *t;
- if (!ip_checkentry(&e->ip)) {
+ par->match = &ipt_builtin_mt[0]; /* ipv4 */
+ par->matchinfo = &e->ip;
+ if (!ip_checkentry(par)) {
duprintf("ip_tables: ip check failed %p %s.\n", e, name);
return -EINVAL;
}
@@ -759,15 +767,14 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size)
struct xt_mtchk_param mtpar;
struct xt_entry_match *ematch;
- ret = check_entry(e, name);
- if (ret)
- return ret;
-
- j = 0;
mtpar.table = name;
mtpar.entryinfo = &e->ip;
mtpar.hook_mask = e->comefrom;
mtpar.family = NFPROTO_IPV4;
+ ret = check_entry(e, &mtpar);
+ if (ret)
+ return ret;
+ j = 0;
xt_ematch_foreach(ematch, e) {
ret = find_check_match(ematch, &mtpar);
if (ret != 0)
@@ -1570,6 +1577,7 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
unsigned int entry_offset;
unsigned int j;
int ret, off, h;
+ struct xt_mtchk_param mtpar;
duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
@@ -1586,7 +1594,13 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
}
/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct ipt_entry *)e, name);
+ mtpar.table = name;
+ mtpar.entryinfo = &e->ip;
+ mtpar.hook_mask = e->comefrom;
+ mtpar.family = NFPROTO_IPV4;
+ mtpar.match = &ipt_builtin_mt[0]; /* ipv4 */
+ mtpar.matchinfo = &e->ip;
+ ret = check_entry((struct ipt_entry *)e, &mtpar);
if (ret)
return ret;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 0911681..f00ecc0 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -78,16 +78,13 @@ do { \
/* Returns whether matches rule or not. */
/* Performance critical - called for every packet */
-static inline bool
-ip6_packet_match(const struct sk_buff *skb,
- const char *indev,
- const char *outdev,
- const struct ip6t_ip6 *ip6info,
- unsigned int *protoff,
- int *fragoff, bool *hotdrop)
+static bool
+ip6_packet_match(const struct sk_buff *skb, struct xt_action_param *par)
{
+ static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
unsigned long ret;
const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
+ const struct ip6t_ip6 *ip6info = par->matchinfo;
#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
@@ -106,20 +103,20 @@ ip6_packet_match(const struct sk_buff *skb,
return false;
}
- ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
-
+ ret = ifname_compare_aligned((par->in == NULL) ? nulldevname :
+ par->in->name, ip6info->iniface, ip6info->iniface_mask);
if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
dprintf("VIA in mismatch (%s vs %s).%s\n",
- indev, ip6info->iniface,
+ par->in->name, ip6info->iniface,
ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
return false;
}
- ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
-
+ ret = ifname_compare_aligned((par->out == NULL) ? nulldevname :
+ par->out->name, ip6info->outiface, ip6info->outiface_mask);
if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
dprintf("VIA out mismatch (%s vs %s).%s\n",
- outdev, ip6info->outiface,
+ par->out->name, ip6info->outiface,
ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
return false;
}
@@ -131,13 +128,13 @@ ip6_packet_match(const struct sk_buff *skb,
int protohdr;
unsigned short _frag_off;
- protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
+ protohdr = ipv6_find_hdr(skb, &par->thoff, -1, &_frag_off);
if (protohdr < 0) {
if (_frag_off == 0)
- *hotdrop = true;
+ par->hotdrop = true;
return false;
}
- *fragoff = _frag_off;
+ par->fragoff = _frag_off;
dprintf("Packet protocol %hi ?= %s%hi.\n",
protohdr,
@@ -160,9 +157,10 @@ ip6_packet_match(const struct sk_buff *skb,
}
/* should be ip6 safe */
-static bool
-ip6_checkentry(const struct ip6t_ip6 *ipv6)
+static bool ip6_checkentry(const struct xt_mtchk_param *par)
{
+ const struct ip6t_ip6 *ipv6 = par->matchinfo;
+
if (ipv6->flags & ~IP6T_F_MASK) {
duprintf("Unknown flag bits set: %08X\n",
ipv6->flags & ~IP6T_F_MASK);
@@ -274,6 +272,14 @@ static struct xt_target ip6t_builtin_tg[] __read_mostly = {
static struct xt_match ip6t_builtin_mt[] __read_mostly = {
{
+ .name = "ipv6",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .matchsize = sizeof(struct ip6t_ip6),
+ .match = ip6_packet_match,
+ .checkentry = ip6_checkentry,
+ },
+ {
.name = "icmp6",
.match = icmp6_match,
.matchsize = sizeof(struct ip6t_icmp),
@@ -414,19 +420,14 @@ ip6t_do_table(struct sk_buff *skb,
const struct net_device *out,
struct xt_table *table)
{
- static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
- const char *indev, *outdev;
const void *table_base;
struct ip6t_entry *e, **jumpstack;
unsigned int *stackptr, origptr, cpu;
const struct xt_table_info *private;
struct xt_action_param acpar;
- /* Initialization */
- indev = in ? in->name : nulldevname;
- outdev = out ? out->name : nulldevname;
/* We handle fragments by dealing with the first fragment as
* if it was a normal packet. All other fragments are treated
* normally, except that they will NEVER match rules that ask
@@ -456,8 +457,9 @@ ip6t_do_table(struct sk_buff *skb,
const struct xt_entry_match *ematch;
IP_NF_ASSERT(e);
- if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
- &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
+ acpar.match = &ip6t_builtin_mt[0];
+ acpar.matchinfo = &e->ipv6;
+ if (!ip6_packet_match(skb, &acpar)) {
no_match:
e = ip6t_next_entry(e);
continue;
@@ -665,12 +667,14 @@ static void cleanup_match(struct ip6t_entry_match *m)
}
static int
-check_entry(const struct ip6t_entry *e, const char *name)
+check_entry(struct ip6t_entry *e, struct xt_mtchk_param *par)
{
const struct ip6t_entry_target *t;
- if (!ip6_checkentry(&e->ipv6)) {
- duprintf("ip_tables: ip check failed %p %s.\n", e, name);
+ par->match = &ip6t_builtin_mt[0];
+ par->matchinfo = &e->ipv6;
+ if (!ip6_checkentry(par)) {
+ duprintf("ip6_tables: ip check failed %p %s.\n", e, name);
return -EINVAL;
}
@@ -761,15 +765,14 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size)
struct xt_mtchk_param mtpar;
struct xt_entry_match *ematch;
- ret = check_entry(e, name);
- if (ret)
- return ret;
-
- j = 0;
mtpar.table = name;
mtpar.entryinfo = &e->ipv6;
mtpar.hook_mask = e->comefrom;
mtpar.family = NFPROTO_IPV6;
+ ret = check_entry(e, &mtpar);
+ if (ret)
+ return ret;
+ j = 0;
xt_ematch_foreach(ematch, e) {
ret = find_check_match(ematch, &mtpar);
if (ret != 0)
@@ -1574,6 +1577,7 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
unsigned int entry_offset;
unsigned int j;
int ret, off, h;
+ struct xt_mtchk_param mtpar;
duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0
@@ -1590,7 +1594,13 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
}
/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct ip6t_entry *)e, name);
+ mtpar.table = name;
+ mtpar.entryinfo = &e->ipv6;
+ mtpar.hook_mask = e->comefrom;
+ mtpar.family = NFPROTO_IPV6;
+ mtpar.match = &ip6t_builtin_mt[0]; /* ipv6 */
+ mtpar.matchinfo = &e->ipv6;
+ ret = check_entry((struct ip6t_entry *)e, &mtpar);
if (ret)
return ret;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 050/103] netfilter: xtables2: initial table skeletal functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (48 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 049/103] netfilter: xtables: convert basic nfproto match functions into xt matches Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 051/103] netfilter: xtables2: initial chain " Jan Engelhardt
` (54 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
This patch adds the xt2 table functions. Of course this does not do
anything useful yet, chain and rule support directly follow.
Locking is currently only done at the table level, and that should be
at this point given I seek to get it running with the iptables
interfaces first, which do not manipulate rules while a table is
live.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 50 ++++++++++++
include/net/net_namespace.h | 1 +
include/net/netns/x_tables.h | 6 ++
net/netfilter/x_tables.c | 145 +++++++++++++++++++++++++++++++++++-
4 files changed, 201 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 62cce82..35d137b 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -407,6 +407,39 @@ struct xt_table_info
void *entries[1];
};
+/**
+ * For xt2_tlink_lookup/xt2_table_lookup:
+ *
+ * %XT2_NO_RCULOCK: Drop the RCU read lock after search. This is used for
+ * when the mutex is already held, or for basic
+ * presence-only checks.
+ * %XT2_TAKE_RCULOCK: Just a mnemonic for !XT2_NO_RCULOCK.
+ */
+enum {
+ XT2_NO_RCULOCK = 1 << 0,
+ XT2_TAKE_RCULOCK = 0,
+};
+
+/**
+ * @name: name of this table
+ * @nfproto: nfproto the table is used exclusively with
+ * @owner: encompassing module
+ */
+struct xt2_table {
+ char name[11];
+ uint8_t nfproto;
+ struct module *owner;
+};
+
+/**
+ * We need this as a permanent anchor point for external pointers, e.g.
+ * netns->xt2.ipv6_filter, or whatever else holds a pointer to a table.
+ */
+struct xt2_table_link {
+ struct list_head anchor;
+ struct xt2_table *table;
+};
+
#define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
+ nr_cpu_ids * sizeof(char *))
extern int xt_register_target(struct xt_target *target);
@@ -548,6 +581,23 @@ extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
extern void *xt_repldata_create(const struct xt_table *);
+extern struct xt2_table *xt2_table_new(void);
+extern struct xt2_table_link *xt2_tlink_lookup(struct net *, const char *,
+ uint8_t, unsigned int);
+extern int xt2_table_register(struct net *, struct xt2_table *);
+extern struct xt2_table *xt2_table_replace(struct net *, struct xt2_table *);
+extern void xt2_table_destroy(struct net *, struct xt2_table *);
+
+static inline struct xt2_table *
+xt2_table_lookup(struct net *net, const char *name, uint8_t nfproto,
+ unsigned int lock_mask)
+{
+ struct xt2_table_link *link;
+
+ link = xt2_tlink_lookup(net, name, nfproto, lock_mask);
+ return (link != NULL) ? link->table : NULL;
+}
+
#ifdef CONFIG_COMPAT
#include <net/compat.h>
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index ded434b..dc15df8 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -71,6 +71,7 @@ struct net {
#endif
#ifdef CONFIG_NETFILTER
struct netns_xt xt;
+ struct netns_xt2 xt2;
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
struct netns_ct ct;
#endif
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index 9554a64..f2edc37 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -12,4 +12,10 @@ struct netns_xt {
struct ebt_table *frame_filter;
struct ebt_table *frame_nat;
};
+
+struct netns_xt2 {
+ struct mutex table_lock;
+ struct list_head table_list[NFPROTO_NUMPROTO];
+};
+
#endif
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 9ee6770..247285b 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -17,6 +17,7 @@
#include <linux/socket.h>
#include <linux/net.h>
#include <linux/proc_fs.h>
+#include <linux/rcupdate.h>
#include <linux/seq_file.h>
#include <linux/string.h>
#include <linux/vmalloc.h>
@@ -1294,6 +1295,144 @@ void *xt_repldata_create(const struct xt_table *info)
}
EXPORT_SYMBOL_GPL(xt_repldata_create);
+struct xt2_table *xt2_table_new(void)
+{
+ struct xt2_table *table;
+
+ table = kzalloc(sizeof(*table), GFP_KERNEL);
+ if (table == NULL)
+ return NULL;
+
+ return table;
+}
+EXPORT_SYMBOL_GPL(xt2_table_new);
+
+/**
+ * @net: Netspace to search in
+ * @name:
+ * @table: Name/nfproto to search for
+ * @lock_mask: Locking instructions (%XT2_GET_MODULE, %XT2_NO_RCULOCK)
+ */
+struct xt2_table_link *
+xt2_tlink_lookup(struct net *net, const char *name, uint8_t nfproto,
+ unsigned int lock_mask)
+{
+ struct xt2_table_link *link;
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(link, &net->xt2.table_list[nfproto], anchor) {
+ if (strcmp(link->table->name, name) != 0)
+ continue;
+ if (lock_mask & XT2_NO_RCULOCK)
+ rcu_read_unlock();
+ return link;
+ }
+ rcu_read_unlock();
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(xt2_tlink_lookup);
+
+int xt2_table_register(struct net *net, struct xt2_table *table)
+{
+ struct xt2_table_link *link;
+ int ret = 0;
+
+ if (*table->name == '\0')
+ /* Empty names don't fly with our strcmp. */
+ return -EINVAL;
+
+ mutex_lock(&net->xt2.table_lock);
+ if (xt2_table_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK) != NULL) {
+ ret = -EEXIST;
+ goto out;
+ }
+
+ link = kmalloc(sizeof(*link), GFP_KERNEL);
+ if (link == NULL) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ INIT_LIST_HEAD(&link->anchor);
+ link->table = table;
+ list_add_tail_rcu(&link->anchor, &net->xt2.table_list[table->nfproto]);
+ out:
+ mutex_unlock(&net->xt2.table_lock);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(xt2_table_register);
+
+/**
+ * @net: accompanying net namespace
+ * @table: new table
+ *
+ * Replace existing table by a new one. The old one is found by scanning the
+ * list for a table with the same name as the new one.
+ * The old table is disconnected from its net namespace and hence, one must
+ * pass %NULL for the first argument to xt2_table_destroy for tables returned
+ * by xt2_table_replace.
+ */
+struct xt2_table *xt2_table_replace(struct net *net, struct xt2_table *table)
+{
+ struct xt2_table_link *link;
+ struct xt2_table *old_table;
+
+ if (*table->name == '\0')
+ return ERR_PTR(-EINVAL);
+
+ link = xt2_tlink_lookup(net, table->name, table->nfproto,
+ XT2_TAKE_RCULOCK);
+ if (link == NULL)
+ return ERR_PTR(-ENOENT);
+
+ mutex_lock(&net->xt2.table_lock);
+ old_table = rcu_dereference(link->table);
+ rcu_assign_pointer(link->table, table);
+ mutex_unlock(&net->xt2.table_lock);
+ rcu_read_unlock();
+ synchronize_rcu();
+ return old_table;
+}
+EXPORT_SYMBOL_GPL(xt2_table_replace);
+
+/**
+ * Unlink a table from the list of known tables. Synchronize RCU so that when
+ * execution in the caller xt2_table_destroy continues, it can free the table
+ * without worry.
+ */
+static void xt2_table_unregister(struct net *net, struct xt2_table *table)
+{
+ struct xt2_table_link *link;
+
+ if (*table->name == '\0')
+ return;
+
+ mutex_lock(&net->xt2.table_lock);
+ link = xt2_tlink_lookup(net, table->name, table->nfproto,
+ XT2_NO_RCULOCK);
+ if (link == NULL) {
+ pr_warning("%s: table %s not found in netns?!\n",
+ __func__, table->name);
+ mutex_unlock(&net->xt2.table_lock);
+ return;
+ }
+ list_del_rcu(&link->anchor);
+ mutex_unlock(&net->xt2.table_lock);
+ synchronize_rcu();
+ link->table = (void *)NETFILTER_LINK_POISON;
+ kfree(link);
+}
+
+void xt2_table_destroy(struct net *net, struct xt2_table *table)
+{
+ if (net != NULL)
+ xt2_table_unregister(net, table);
+
+ kfree(table);
+}
+EXPORT_SYMBOL_GPL(xt2_table_destroy);
+
int xt_proto_init(struct net *net, u_int8_t af)
{
#ifdef CONFIG_PROC_FS
@@ -1370,8 +1509,12 @@ static int __net_init xt_net_init(struct net *net)
{
int i;
- for (i = 0; i < NFPROTO_NUMPROTO; i++)
+ for (i = 0; i < NFPROTO_NUMPROTO; i++) {
INIT_LIST_HEAD(&net->xt.tables[i]);
+ INIT_LIST_HEAD(&net->xt2.table_list[i]);
+ }
+
+ mutex_init(&net->xt2.table_lock);
return 0;
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 051/103] netfilter: xtables2: initial chain skeletal functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (49 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 050/103] netfilter: xtables2: initial table skeletal functions Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 052/103] netfilter: xtables2: initial rule " Jan Engelhardt
` (53 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 19 +++++++++++++++++++
net/netfilter/x_tables.c | 31 +++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+), 0 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 35d137b..5c9a034 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -407,6 +407,19 @@ struct xt_table_info
void *entries[1];
};
+struct xt2_table;
+
+/**
+ * @anchor: list anchor for parent (xt2_table.chain_list)
+ * @name: name of chain
+ * @table: back link to table chain is contained in
+ */
+struct xt2_chain {
+ struct list_head anchor;
+ char name[31];
+ struct xt2_table *table;
+};
+
/**
* For xt2_tlink_lookup/xt2_table_lookup:
*
@@ -421,13 +434,17 @@ enum {
};
/**
+ * @chain_list: list of chains (struct xt2_chain)
* @name: name of this table
* @nfproto: nfproto the table is used exclusively with
+ * @entrypoint: start chains for hooks
* @owner: encompassing module
*/
struct xt2_table {
+ struct list_head chain_list;
char name[11];
uint8_t nfproto;
+ const struct xt2_chain *entrypoint[NF_INET_NUMHOOKS];
struct module *owner;
};
@@ -581,6 +598,8 @@ extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
extern void *xt_repldata_create(const struct xt_table *);
+extern struct xt2_chain *xt2_chain_new(struct xt2_table *, const char *);
+
extern struct xt2_table *xt2_table_new(void);
extern struct xt2_table_link *xt2_tlink_lookup(struct net *, const char *,
uint8_t, unsigned int);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 247285b..f2b0bc2 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1295,6 +1295,32 @@ void *xt_repldata_create(const struct xt_table *info)
}
EXPORT_SYMBOL_GPL(xt_repldata_create);
+struct xt2_chain *xt2_chain_new(struct xt2_table *table, const char *name)
+{
+ struct xt2_chain *chain;
+
+ chain = kmalloc(sizeof(*chain), GFP_KERNEL);
+ if (chain == NULL)
+ return NULL;
+
+ chain->table = table;
+ INIT_LIST_HEAD(&chain->anchor);
+ if (name != NULL)
+ strncpy(chain->name, name, sizeof(chain->name));
+ else
+ chain->name[0] = '\0';
+ chain->name[sizeof(chain->name)-1] = '\0';
+ list_add_tail(&chain->anchor, &table->chain_list);
+ return chain;
+}
+EXPORT_SYMBOL_GPL(xt2_chain_new);
+
+static void xt2_chain_free(struct xt2_chain *chain)
+{
+ list_del(&chain->anchor);
+ kfree(chain);
+}
+
struct xt2_table *xt2_table_new(void)
{
struct xt2_table *table;
@@ -1303,6 +1329,7 @@ struct xt2_table *xt2_table_new(void)
if (table == NULL)
return NULL;
+ INIT_LIST_HEAD(&table->chain_list);
return table;
}
EXPORT_SYMBOL_GPL(xt2_table_new);
@@ -1426,9 +1453,13 @@ static void xt2_table_unregister(struct net *net, struct xt2_table *table)
void xt2_table_destroy(struct net *net, struct xt2_table *table)
{
+ struct xt2_chain *chain, *next_chain;
+
if (net != NULL)
xt2_table_unregister(net, table);
+ list_for_each_entry_safe(chain, next_chain, &table->chain_list, anchor)
+ xt2_chain_free(chain);
kfree(table);
}
EXPORT_SYMBOL_GPL(xt2_table_destroy);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 052/103] netfilter: xtables2: initial rule skeletal functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (50 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 051/103] netfilter: xtables2: initial chain " Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 053/103] netfilter: xtables: alternate size checking in xt_check_match Jan Engelhardt
` (52 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Whereas iptables and its derivates (collectively, Xtables1) used a
serialized binary blob, Xtables2's internal layout will be linked
lists. This makes it possible to easily edit single rules later on
without userspace having to upload an entire table if it does not
want to.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 15 +++++++++++++++
net/netfilter/x_tables.c | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+), 0 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 5c9a034..5119768 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -410,12 +410,22 @@ struct xt_table_info
struct xt2_table;
/**
+ * @anchor: list anchor for parent (xt2_chain.rule_list)
+ */
+struct xt2_rule {
+ struct list_head anchor;
+ struct xt2_chain *chain;
+};
+
+/**
* @anchor: list anchor for parent (xt2_table.chain_list)
+ * @rule_list: list of struct xt2_rule
* @name: name of chain
* @table: back link to table chain is contained in
*/
struct xt2_chain {
struct list_head anchor;
+ struct list_head rule_list;
char name[31];
struct xt2_table *table;
};
@@ -438,6 +448,7 @@ enum {
* @name: name of this table
* @nfproto: nfproto the table is used exclusively with
* @entrypoint: start chains for hooks
+ * @underflow: base chain policy (rule)
* @owner: encompassing module
*/
struct xt2_table {
@@ -445,6 +456,7 @@ struct xt2_table {
char name[11];
uint8_t nfproto;
const struct xt2_chain *entrypoint[NF_INET_NUMHOOKS];
+ const struct xt2_rule *underflow[NF_INET_NUMHOOKS];
struct module *owner;
};
@@ -598,7 +610,10 @@ extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
extern void *xt_repldata_create(const struct xt_table *);
+extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
+
extern struct xt2_chain *xt2_chain_new(struct xt2_table *, const char *);
+extern void xt2_chain_append(struct xt2_rule *);
extern struct xt2_table *xt2_table_new(void);
extern struct xt2_table_link *xt2_tlink_lookup(struct net *, const char *,
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index f2b0bc2..9e001c7 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1295,6 +1295,26 @@ void *xt_repldata_create(const struct xt_table *info)
}
EXPORT_SYMBOL_GPL(xt_repldata_create);
+struct xt2_rule *xt2_rule_new(struct xt2_chain *chain)
+{
+ struct xt2_rule *rule;
+
+ rule = kmalloc(sizeof(*rule), GFP_KERNEL);
+ if (rule == NULL)
+ return NULL;
+
+ rule->chain = chain;
+ INIT_LIST_HEAD(&rule->anchor);
+ return rule;
+}
+EXPORT_SYMBOL_GPL(xt2_rule_new);
+
+static void xt2_rule_free(struct xt2_rule *rule)
+{
+ list_del(&rule->anchor);
+ kfree(rule);
+}
+
struct xt2_chain *xt2_chain_new(struct xt2_table *table, const char *name)
{
struct xt2_chain *chain;
@@ -1305,6 +1325,7 @@ struct xt2_chain *xt2_chain_new(struct xt2_table *table, const char *name)
chain->table = table;
INIT_LIST_HEAD(&chain->anchor);
+ INIT_LIST_HEAD(&chain->rule_list);
if (name != NULL)
strncpy(chain->name, name, sizeof(chain->name));
else
@@ -1315,9 +1336,23 @@ struct xt2_chain *xt2_chain_new(struct xt2_table *table, const char *name)
}
EXPORT_SYMBOL_GPL(xt2_chain_new);
+/**
+ * Rules are completely constructed first before appending to the chain,
+ * to avoid incomplete rules being run through in xt2_do_action.
+ */
+void xt2_chain_append(struct xt2_rule *rule)
+{
+ list_add_tail(&rule->anchor, &rule->chain->rule_list);
+}
+EXPORT_SYMBOL_GPL(xt2_chain_append);
+
static void xt2_chain_free(struct xt2_chain *chain)
{
+ struct xt2_rule *rule, *next_rule;
+
list_del(&chain->anchor);
+ list_for_each_entry_safe(rule, next_rule, &chain->rule_list, anchor)
+ xt2_rule_free(rule);
kfree(chain);
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 053/103] netfilter: xtables: alternate size checking in xt_check_match
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (51 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 052/103] netfilter: xtables2: initial rule " Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 054/103] netfilter: xtables: alternate size checking in xt_check_target Jan Engelhardt
` (51 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
xt2 allows for unpadded data, but needs a way to tell xt_check_match.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 3 ++-
net/bridge/netfilter/ebtables.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 3 ++-
net/netfilter/x_tables.c | 14 ++++++++------
5 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 5119768..956ff8a 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -482,7 +482,8 @@ extern int xt_register_matches(struct xt_match *match, unsigned int n);
extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
extern int xt_check_match(struct xt_mtchk_param *,
- unsigned int size, u_int8_t proto, bool inv_proto);
+ unsigned int size, u_int8_t proto, bool inv_proto,
+ bool check_pad);
extern int xt_check_target(struct xt_tgchk_param *,
unsigned int size, u_int8_t proto, bool inv_proto);
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 8b8cf09..2a13e53 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -381,7 +381,7 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
par->match = match;
par->matchinfo = m->data;
ret = xt_check_match(par, m->match_size,
- e->ethproto, e->invflags & EBT_IPROTO);
+ e->ethproto, e->invflags & EBT_IPROTO, true);
if (ret < 0) {
module_put(match->me);
return ret;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 7761470..77cef82 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -701,7 +701,7 @@ check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
par->matchinfo = m->data;
ret = xt_check_match(par, m->u.match_size - sizeof(*m),
- ip->proto, ip->invflags & IPT_INV_PROTO);
+ ip->proto, ip->invflags & IPT_INV_PROTO, true);
if (ret < 0) {
duprintf("ip_tables: check failed for `%s'.\n",
par.match->name);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index f00ecc0..63ea701 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -698,7 +698,8 @@ static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
par->matchinfo = m->data;
ret = xt_check_match(par, m->u.match_size - sizeof(*m),
- ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
+ ipv6->proto, ipv6->invflags & IP6T_INV_PROTO,
+ true);
if (ret < 0) {
duprintf("ip_tables: check failed for `%s'.\n",
par.match->name);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 9e001c7..1cdc982 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -373,19 +373,21 @@ static char *textify_hooks(char *buf, size_t size, unsigned int mask)
}
int xt_check_match(struct xt_mtchk_param *par,
- unsigned int size, u_int8_t proto, bool inv_proto)
+ unsigned int size, u_int8_t proto, bool inv_proto,
+ bool check_pad)
{
- if (XT_ALIGN(par->match->matchsize) != size &&
- par->match->matchsize != -1) {
+ unsigned int required = check_pad ? XT_ALIGN(par->match->matchsize) :
+ par->match->matchsize;
+
+ if (par->match->matchsize != -1 && required != size) {
/*
* ebt_among is exempt from centralized matchsize checking
* because it uses a dynamic-size data set.
*/
pr_err("%s_tables: %s.%u match: invalid size "
- "(kernel) %zu != (user) %u\n",
+ "(kernel) %u != (user) %u\n",
xt_prefix[par->family], par->match->name,
- par->match->revision,
- XT_ALIGN(par->match->matchsize), size);
+ par->match->revision, required, size);
return -EINVAL;
}
if (par->match->table != NULL &&
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 054/103] netfilter: xtables: alternate size checking in xt_check_target
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (52 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 053/103] netfilter: xtables: alternate size checking in xt_check_match Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 055/103] netfilter: xtables2: per-rule match skeletal functions Jan Engelhardt
` (50 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 3 ++-
net/bridge/netfilter/ebtables.c | 4 ++--
net/ipv4/netfilter/arp_tables.c | 3 ++-
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 2 +-
net/netfilter/x_tables.c | 13 ++++++++-----
net/sched/act_ipt.c | 3 ++-
7 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 956ff8a..8addd6f 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -485,7 +485,8 @@ extern int xt_check_match(struct xt_mtchk_param *,
unsigned int size, u_int8_t proto, bool inv_proto,
bool check_pad);
extern int xt_check_target(struct xt_tgchk_param *,
- unsigned int size, u_int8_t proto, bool inv_proto);
+ unsigned int size, u_int8_t proto, bool inv_proto,
+ bool check_pad);
extern struct xt_table *xt_register_table(struct net *net,
const struct xt_table *table,
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 2a13e53..06fd8f1 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -412,7 +412,7 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
par->target = watcher;
par->targinfo = w->data;
ret = xt_check_target(par, w->watcher_size,
- e->ethproto, e->invflags & EBT_IPROTO);
+ e->ethproto, e->invflags & EBT_IPROTO, true);
if (ret < 0) {
module_put(watcher->me);
return ret;
@@ -734,7 +734,7 @@ ebt_check_entry(struct ebt_entry *e, const struct ebt_table_info *newinfo,
tgpar.target = target;
tgpar.targinfo = t->data;
ret = xt_check_target(&tgpar, t->target_size,
- e->ethproto, e->invflags & EBT_IPROTO);
+ e->ethproto, e->invflags & EBT_IPROTO, true);
if (ret < 0) {
module_put(target->me);
goto cleanup_watchers;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index f38444c..95cddc8 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -550,7 +550,8 @@ static inline int check_target(struct arpt_entry *e, const char *name)
.family = NFPROTO_ARP,
};
- ret = xt_check_target(&par, t->u.target_size - sizeof(*t), 0, false);
+ ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
+ 0, false, true);
if (ret < 0) {
duprintf("arp_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 77cef82..043b620 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -748,7 +748,7 @@ static int check_target(struct ipt_entry *e, const char *name)
int ret;
ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
- e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
+ e->ip.proto, e->ip.invflags & IPT_INV_PROTO, true);
if (ret < 0) {
duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 63ea701..fa1d289 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -747,7 +747,7 @@ static int check_target(struct ip6t_entry *e, const char *name)
t = ip6t_get_target(e);
ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
- e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
+ e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO, true);
if (ret < 0) {
duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 1cdc982..3906dfb 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -532,14 +532,17 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
#endif /* CONFIG_COMPAT */
int xt_check_target(struct xt_tgchk_param *par,
- unsigned int size, u_int8_t proto, bool inv_proto)
+ unsigned int size, u_int8_t proto, bool inv_proto,
+ bool check_pad)
{
- if (XT_ALIGN(par->target->targetsize) != size) {
+ unsigned int required = check_pad ? XT_ALIGN(par->target->targetsize) :
+ par->target->targetsize;
+
+ if (required != size) {
pr_err("%s_tables: %s.%u target: invalid size "
- "(kernel) %zu != (user) %u\n",
+ "(kernel) %u != (user) %u\n",
xt_prefix[par->family], par->target->name,
- par->target->revision,
- XT_ALIGN(par->target->targetsize), size);
+ par->target->revision, required, size);
return -EINVAL;
}
if (par->target->table != NULL &&
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index e4b4224..23d3ea2 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -57,7 +57,8 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int
par.hook_mask = hook;
par.family = NFPROTO_IPV4;
- ret = xt_check_target(&par, t->u.target_size - sizeof(*t), 0, false);
+ ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
+ 0, false, true);
if (ret < 0) {
module_put(t->u.kernel.target->me);
return ret;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 055/103] netfilter: xtables2: per-rule match skeletal functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (53 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 054/103] netfilter: xtables: alternate size checking in xt_check_target Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 056/103] netfilter: xtables2: per-rule target " Jan Engelhardt
` (49 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Notes: In xt2 rules, the layer-2/3 match structure (e.g. struct
ip6t_ip6) is now a standalone entry_match, together with the
recently-transformed layer-2/3 matches.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 34 +++++++++++
net/netfilter/x_tables.c | 116 ++++++++++++++++++++++++++++++++++++
2 files changed, 150 insertions(+), 0 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 8addd6f..fbea89c 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -409,12 +409,34 @@ struct xt_table_info
struct xt2_table;
+enum {
+ XT2_INV_L4PROTO = 1 << 0,
+};
+
/**
* @anchor: list anchor for parent (xt2_chain.rule_list)
+ * @match_list: list of called match extensions (xt2_entry_match)
+ * @l4proto: layer-4 protocol used (needed for xt_check_*)
+ * @flags: extra flags (see above)
*/
struct xt2_rule {
struct list_head anchor;
+ struct list_head match_list;
struct xt2_chain *chain;
+ uint8_t l4proto, flags;
+};
+
+/**
+ * @anchor: list anchor for parent (xt2_rule.match_list)
+ * @ext: pointer to extension
+ * @data: parameter block for extension (aka. "matchinfo")
+ * @dsize: size of @data (since @ext->matchsize may be -1)
+ */
+struct xt2_entry_match {
+ struct list_head anchor;
+ const struct xt_match *ext;
+ void *data;
+ unsigned int dsize;
};
/**
@@ -422,12 +444,15 @@ struct xt2_rule {
* @rule_list: list of struct xt2_rule
* @name: name of chain
* @table: back link to table chain is contained in
+ * @comefrom: bitmask from which hooks the chain is entered
+ * (currently needed for xt_check_*)
*/
struct xt2_chain {
struct list_head anchor;
struct list_head rule_list;
char name[31];
struct xt2_table *table;
+ unsigned int comefrom;
};
/**
@@ -613,6 +638,8 @@ extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
extern void *xt_repldata_create(const struct xt_table *);
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
+extern int xt2_rule_add_match(struct xt2_rule *, const char *, uint8_t,
+ const void *, unsigned int, bool);
extern struct xt2_chain *xt2_chain_new(struct xt2_table *, const char *);
extern void xt2_chain_append(struct xt2_rule *);
@@ -624,6 +651,13 @@ extern int xt2_table_register(struct net *, struct xt2_table *);
extern struct xt2_table *xt2_table_replace(struct net *, struct xt2_table *);
extern void xt2_table_destroy(struct net *, struct xt2_table *);
+static inline int
+xt2_rule_add_oldmatch(struct xt2_rule *rule, const struct xt_entry_match *m)
+{
+ return xt2_rule_add_match(rule, m->u.user.name, m->u.user.revision,
+ m->data, m->u.match_size - sizeof(*m), true);
+}
+
static inline struct xt2_table *
xt2_table_lookup(struct net *net, const char *name, uint8_t nfproto,
unsigned int lock_mask)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 3906dfb..0d50942 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1308,15 +1308,131 @@ struct xt2_rule *xt2_rule_new(struct xt2_chain *chain)
if (rule == NULL)
return NULL;
+ rule->l4proto = 0;
+ rule->flags = 0;
rule->chain = chain;
INIT_LIST_HEAD(&rule->anchor);
+ INIT_LIST_HEAD(&rule->match_list);
return rule;
}
EXPORT_SYMBOL_GPL(xt2_rule_new);
+/**
+ * Find the struct ip6t_ip6 from an xt2 rule. Compat needs this, for now.
+ * Returns %NULL if not found.
+ */
+static void *xt2_entryinfo_mt_get(const struct xt2_rule *rule)
+{
+ const struct xt2_entry_match *ematch;
+
+ if (list_empty(&rule->match_list))
+ return NULL;
+ ematch = list_first_entry(&rule->match_list, typeof(*ematch), anchor);
+
+ /* The entryinfo is always in first place in xt1-compat mode. */
+ switch (rule->chain->table->nfproto) {
+ case NFPROTO_IPV4:
+ if (strcmp(ematch->ext->name, "ipv4") != 0)
+ return NULL;
+ break;
+ case NFPROTO_IPV6:
+ if (strcmp(ematch->ext->name, "ipv6") != 0)
+ return NULL;
+ break;
+ case NFPROTO_ARP:
+ if (strcmp(ematch->ext->name, "arp") != 0)
+ return NULL;
+ break;
+ case NFPROTO_BRIDGE:
+ if (strcmp(ematch->ext->name, "eth") != 0)
+ return NULL;
+ break;
+ default:
+ return NULL;
+ }
+
+ return ematch->data;
+}
+
+/**
+ * @ext_name: name of extension
+ * @ext_rev: requested revision
+ * @data: private extension data block (parameters, etc.)
+ * @dsize: size of supplied data
+ */
+int xt2_rule_add_match(struct xt2_rule *rule, const char *ext_name,
+ uint8_t ext_rev, const void *data, unsigned int dsize,
+ bool check_pad)
+{
+ const uint8_t nfproto = rule->chain->table->nfproto;
+ struct xt2_entry_match *ematch;
+ struct xt_mtchk_param mtpar;
+ const struct xt_match *ext;
+ int ret;
+
+ ext = try_then_request_module(xt_find_match(nfproto,
+ ext_name, ext_rev), "%st_%s", xt_prefix[nfproto], ext_name);
+ if (ext == NULL)
+ return -ENOENT;
+ if (IS_ERR(ext))
+ return PTR_ERR(ext);
+
+ ret = -ENOMEM;
+ ematch = kmalloc(sizeof(*ematch), GFP_KERNEL);
+ if (ematch == NULL)
+ goto put_module;
+ ematch->ext = ext;
+ ematch->data = kmemdup(data, dsize, GFP_KERNEL);
+ ematch->dsize = dsize;
+ if (ematch->data == NULL)
+ goto free_ematch;
+
+ mtpar.table = rule->chain->table->name;
+ mtpar.match = ext;
+ mtpar.matchinfo = ematch->data;
+ mtpar.hook_mask = rule->chain->comefrom;
+ mtpar.family = rule->chain->table->nfproto;
+ mtpar.entryinfo = xt2_entryinfo_mt_get(rule);
+ ret = xt_check_match(&mtpar, dsize, rule->l4proto,
+ rule->flags & XT2_INV_L4PROTO, check_pad);
+ if (ret < 0)
+ goto free_edata;
+
+ INIT_LIST_HEAD(&ematch->anchor);
+ list_add_tail(&ematch->anchor, &rule->match_list);
+ return 0;
+
+ free_edata:
+ kfree(ematch->data);
+ free_ematch:
+ kfree(ematch);
+ put_module:
+ module_put(ext->me);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(xt2_rule_add_match);
+
static void xt2_rule_free(struct xt2_rule *rule)
{
+ struct xt2_entry_match *ematch, *next_ematch;
+ struct xt_mtdtor_param mtpar;
+
+ mtpar.family = rule->chain->table->nfproto;
list_del(&rule->anchor);
+
+ list_for_each_entry_safe(ematch, next_ematch,
+ &rule->match_list, anchor) {
+ list_del(&ematch->anchor);
+ /* Note: ematch->ext is never NULL. */
+ if (ematch->ext->destroy != NULL) {
+ mtpar.match = ematch->ext;
+ mtpar.matchinfo = ematch->data;
+ ematch->ext->destroy(&mtpar);
+ }
+ module_put(ematch->ext->me);
+ kfree(ematch->data);
+ kfree(ematch);
+ }
kfree(rule);
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 056/103] netfilter: xtables2: per-rule target skeletal functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (54 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 055/103] netfilter: xtables2: per-rule match skeletal functions Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 057/103] netfilter: xtables2: xt_check_target in combination with xt2 contexts Jan Engelhardt
` (48 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
This patch also introduces the possibly to use multiple targets
in a rule, an often-wanted feature (such as -j LOG -j DROP).
Loop detection and Origin Tracing is not included here yet. xt1
modules, e.g. ip6_tables, will (continue to) do the loop checking and
"comefrom" marking for the time being.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 43 ++++++++++++++++++++++
net/netfilter/x_tables.c | 69 +++++++++++++++++++++++++++++++++++-
2 files changed, 111 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index fbea89c..e71a84e 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -407,6 +407,14 @@ struct xt_table_info
void *entries[1];
};
+/*
+ * The use of low negative numbers means we can use IS_ERR()
+ * (See xt2_special_target below.)
+ */
+#define XT2_ACTION_JUMP ((const struct xt_target *)(-2))
+#define XT2_ACTION_GOTO ((const struct xt_target *)(-3))
+#define XT2_FINAL_VERDICT ((const struct xt_target *)(-4))
+
struct xt2_table;
enum {
@@ -416,12 +424,14 @@ enum {
/**
* @anchor: list anchor for parent (xt2_chain.rule_list)
* @match_list: list of called match extensions (xt2_entry_match)
+ * @target_list: list of called target extensions (xt2_entry_targets)
* @l4proto: layer-4 protocol used (needed for xt_check_*)
* @flags: extra flags (see above)
*/
struct xt2_rule {
struct list_head anchor;
struct list_head match_list;
+ struct list_head target_list;
struct xt2_chain *chain;
uint8_t l4proto, flags;
};
@@ -440,6 +450,25 @@ struct xt2_entry_match {
};
/**
+ * @anchor: list anchor for parent (xt2_rule.target_list)
+ * @ext: pointer to extension
+ * @data: parameter block for extension (aka. "targetinfo")
+ * @r_jump: jump target; requires that @ext is %XT2_ACTION_JUMP
+ * @r_goto: goto target; requires that @ext is %XT2_ACTION_GOTO
+ * @verdict: final verdict (%XT_* or %NF_*);
+ * requires that @ext is %XT2_FINAL_VERDICT
+ */
+struct xt2_entry_target {
+ struct list_head anchor;
+ const struct xt_target *ext;
+ union {
+ void *data;
+ const struct xt2_chain *r_jump, *r_goto;
+ unsigned int verdict;
+ };
+};
+
+/**
* @anchor: list anchor for parent (xt2_table.chain_list)
* @rule_list: list of struct xt2_rule
* @name: name of chain
@@ -640,6 +669,8 @@ extern void *xt_repldata_create(const struct xt_table *);
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
extern int xt2_rule_add_match(struct xt2_rule *, const char *, uint8_t,
const void *, unsigned int, bool);
+extern int xt2_rule_add_target(struct xt2_rule *, const char *, uint8_t,
+ const void *, unsigned int, bool);
extern struct xt2_chain *xt2_chain_new(struct xt2_table *, const char *);
extern void xt2_chain_append(struct xt2_rule *);
@@ -651,6 +682,11 @@ extern int xt2_table_register(struct net *, struct xt2_table *);
extern struct xt2_table *xt2_table_replace(struct net *, struct xt2_table *);
extern void xt2_table_destroy(struct net *, struct xt2_table *);
+static inline bool xt2_special_target(const struct xt_target *t)
+{
+ return IS_ERR(t);
+}
+
static inline int
xt2_rule_add_oldmatch(struct xt2_rule *rule, const struct xt_entry_match *m)
{
@@ -658,6 +694,13 @@ xt2_rule_add_oldmatch(struct xt2_rule *rule, const struct xt_entry_match *m)
m->data, m->u.match_size - sizeof(*m), true);
}
+static inline int
+xt2_rule_add_oldtarget(struct xt2_rule *rule, const struct xt_entry_target *t)
+{
+ return xt2_rule_add_target(rule, t->u.user.name, t->u.user.revision,
+ t->data, t->u.target_size - sizeof(*t), true);
+}
+
static inline struct xt2_table *
xt2_table_lookup(struct net *net, const char *name, uint8_t nfproto,
unsigned int lock_mask)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 0d50942..1e57517 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1313,6 +1313,7 @@ struct xt2_rule *xt2_rule_new(struct xt2_chain *chain)
rule->chain = chain;
INIT_LIST_HEAD(&rule->anchor);
INIT_LIST_HEAD(&rule->match_list);
+ INIT_LIST_HEAD(&rule->target_list);
return rule;
}
EXPORT_SYMBOL_GPL(xt2_rule_new);
@@ -1412,14 +1413,80 @@ int xt2_rule_add_match(struct xt2_rule *rule, const char *ext_name,
}
EXPORT_SYMBOL_GPL(xt2_rule_add_match);
+int xt2_rule_add_target(struct xt2_rule *rule, const char *ext_name,
+ uint8_t ext_rev, const void *data, unsigned int dsize,
+ bool check_pad)
+{
+ const uint8_t nfproto = rule->chain->table->nfproto;
+ struct xt2_entry_target *etarget;
+ const struct xt_target *ext;
+ struct xt_tgchk_param tgpar;
+ int ret;
+
+ ext = try_then_request_module(xt_find_target(nfproto,
+ ext_name, ext_rev), "%st_%s", xt_prefix[nfproto], ext_name);
+ if (ext == NULL)
+ return -ENOENT;
+ if (IS_ERR(ext))
+ return PTR_ERR(ext);
+
+ ret = -ENOMEM;
+ etarget = kmalloc(sizeof(*etarget), GFP_KERNEL);
+ if (etarget == NULL)
+ goto put_module;
+ etarget->ext = ext;
+ etarget->data = kmemdup(data, dsize, GFP_KERNEL);
+ if (etarget->data == NULL)
+ goto free_etarget;
+
+ tgpar.table = rule->chain->table->name;
+ tgpar.target = ext;
+ tgpar.targinfo = etarget->data;
+ tgpar.hook_mask = rule->chain->comefrom;
+ tgpar.family = rule->chain->table->nfproto;
+ ret = xt_check_target(&tgpar, dsize, rule->l4proto,
+ rule->flags & XT2_INV_L4PROTO, check_pad);
+ if (ret < 0)
+ goto free_edata;
+
+ INIT_LIST_HEAD(&etarget->anchor);
+ list_add_tail(&etarget->anchor, &rule->target_list);
+ return 0;
+
+ free_edata:
+ kfree(etarget->data);
+ free_etarget:
+ kfree(etarget);
+ put_module:
+ module_put(ext->me);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(xt2_rule_add_target);
+
static void xt2_rule_free(struct xt2_rule *rule)
{
+ struct xt2_entry_target *etarget, *next_etarget;
struct xt2_entry_match *ematch, *next_ematch;
struct xt_mtdtor_param mtpar;
+ struct xt_tgdtor_param tgpar;
- mtpar.family = rule->chain->table->nfproto;
+ mtpar.family = tgpar.family = rule->chain->table->nfproto;
list_del(&rule->anchor);
+ list_for_each_entry_safe(etarget, next_etarget,
+ &rule->target_list, anchor) {
+ list_del(&etarget->anchor);
+ if (!xt2_special_target(etarget->ext)) {
+ if (etarget->ext->destroy != NULL) {
+ tgpar.target = etarget->ext;
+ tgpar.targinfo = etarget->data;
+ etarget->ext->destroy(&tgpar);
+ }
+ module_put(etarget->ext->me);
+ kfree(etarget->data);
+ }
+ kfree(etarget);
+ }
list_for_each_entry_safe(ematch, next_ematch,
&rule->match_list, anchor) {
list_del(&ematch->anchor);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 057/103] netfilter: xtables2: xt_check_target in combination with xt2 contexts
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (55 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 056/103] netfilter: xtables2: per-rule target " Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 058/103] netfilter: xtables2: jumpstack (de)allocation functions Jan Engelhardt
` (47 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
The xt1 entryinfo (e.g. struct ip6t_entry) is not available in xt2
tables. Most targets only use it to get at struct ip6t_ip6 anyway,
but TCPMSS does an ematch traversal in order to look for xt_tcp.
So TCPMSS needs to learn about xt2 ematch traversal, while the other
modules are henceforth adjusted to not depend on entryinfo anymore,
but use the supplied nfp_info set from both xt1 and xt2 contexts.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 7 +++++
net/bridge/netfilter/ebt_arpreply.c | 2 +-
net/bridge/netfilter/ebtables.c | 2 +-
net/ipv4/netfilter/arp_tables.c | 1 +
net/ipv4/netfilter/ip_tables.c | 1 +
net/ipv4/netfilter/ipt_CLUSTERIP.c | 17 ++++++-------
net/ipv4/netfilter/ipt_ECN.c | 4 +-
net/ipv4/netfilter/ipt_REJECT.c | 6 ++--
net/ipv6/netfilter/ip6_tables.c | 1 +
net/ipv6/netfilter/ip6t_REJECT.c | 6 ++--
net/netfilter/x_tables.c | 2 +
net/netfilter/xt_TCPMSS.c | 42 +++++++++++++++++++++-------------
net/netfilter/xt_TPROXY.c | 2 +-
net/sched/act_ipt.c | 3 ++
14 files changed, 60 insertions(+), 36 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index e71a84e..bba75b2 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -192,6 +192,8 @@ struct xt_counters_info
#include <linux/netdevice.h>
+struct xt2_rule;
+
/**
* struct xt_action_param - parameters for matches/targets
*
@@ -260,12 +262,17 @@ struct xt_mtdtor_param {
*
* @entryinfo: the family-specific rule data
* (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
+ * @nfproto_info: xt2 layer-2/3 data block (struct ipt_ip, ip6t_ip6,
+ * arpt_arp/ebt_entry). Always valid.
+ * @rule: Pointer to rule target is contained within.
*
* Other fields see above.
*/
struct xt_tgchk_param {
const char *table;
const void *entryinfo;
+ const void *nfproto_info;
+ const struct xt2_rule *rule;
const struct xt_target *target;
void *targinfo;
unsigned int hook_mask;
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index c4b186c..507a255 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -60,7 +60,7 @@ ebt_arpreply_tg(struct sk_buff *skb, const struct xt_action_param *par)
static bool ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
{
const struct ebt_arpreply_info *info = par->targinfo;
- const struct ebt_entry *e = par->entryinfo;
+ const struct ebt_entry *e = par->nfproto_info;
if (BASE_CHAIN && info->target == EBT_RETURN)
return false;
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 06fd8f1..154f4f5 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -663,7 +663,7 @@ ebt_check_entry(struct ebt_entry *e, const struct ebt_table_info *newinfo,
return 0;
mtpar.table = tgpar.table = name;
- mtpar.entryinfo = tgpar.entryinfo = e;
+ mtpar.entryinfo = tgpar.entryinfo = tgpar.nfproto_info = e;
mtpar.hook_mask = tgpar.hook_mask = hookmask;
mtpar.family = tgpar.family = NFPROTO_BRIDGE;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 95cddc8..e3911a0 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -544,6 +544,7 @@ static inline int check_target(struct arpt_entry *e, const char *name)
struct xt_tgchk_param par = {
.table = name,
.entryinfo = e,
+ .nfproto_info = &e->arp,
.target = t->u.kernel.target,
.targinfo = t->data,
.hook_mask = e->comefrom,
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 043b620..f409fcd 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -740,6 +740,7 @@ static int check_target(struct ipt_entry *e, const char *name)
struct xt_tgchk_param par = {
.table = name,
.entryinfo = e,
+ .nfproto_info = &e->ip,
.target = t->u.kernel.target,
.targinfo = t->data,
.hook_mask = e->comefrom,
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 11a7f74..6785c0f 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -350,7 +350,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
static bool clusterip_tg_check(const struct xt_tgchk_param *par)
{
struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
- const struct ipt_entry *e = par->entryinfo;
+ const struct ipt_ip *eip = par->nfproto_info;
struct clusterip_config *config;
@@ -362,35 +362,34 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
return false;
}
- if (e->ip.dmsk.s_addr != htonl(0xffffffff)
- || e->ip.dst.s_addr == 0) {
+ if (eip->dmsk.s_addr != htonl(0xffffffff) || eip->dst.s_addr == 0) {
printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n");
return false;
}
/* FIXME: further sanity checks */
- config = clusterip_config_find_get(e->ip.dst.s_addr, 1);
+ config = clusterip_config_find_get(eip->dst.s_addr, 1);
if (!config) {
if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
- printk(KERN_WARNING "CLUSTERIP: no config found for %pI4, need 'new'\n", &e->ip.dst.s_addr);
+ printk(KERN_WARNING "CLUSTERIP: no config found for %pI4, need 'new'\n", &eip->dst.s_addr);
return false;
} else {
struct net_device *dev;
- if (e->ip.iniface[0] == '\0') {
+ if (eip->iniface[0] == '\0') {
printk(KERN_WARNING "CLUSTERIP: Please specify an interface name\n");
return false;
}
- dev = dev_get_by_name(&init_net, e->ip.iniface);
+ dev = dev_get_by_name(&init_net, eip->iniface);
if (!dev) {
- printk(KERN_WARNING "CLUSTERIP: no such interface %s\n", e->ip.iniface);
+ printk(KERN_WARNING "CLUSTERIP: no such interface %s\n", eip->iniface);
return false;
}
config = clusterip_config_init(cipinfo,
- e->ip.dst.s_addr, dev);
+ eip->dst.s_addr, dev);
if (!config) {
printk(KERN_WARNING "CLUSTERIP: cannot allocate config\n");
dev_put(dev);
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 5d2b678..29571c9 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -96,7 +96,7 @@ ecn_tg(struct sk_buff *skb, const struct xt_action_param *par)
static bool ecn_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_ECN_info *einfo = par->targinfo;
- const struct ipt_entry *e = par->entryinfo;
+ const struct ipt_ip *eip = par->nfproto_info;
if (einfo->operation & IPT_ECN_OP_MASK) {
printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
@@ -109,7 +109,7 @@ static bool ecn_tg_check(const struct xt_tgchk_param *par)
return false;
}
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
- && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
+ && (eip->proto != IPPROTO_TCP || (eip->invflags & XT_INV_PROTO))) {
printk(KERN_WARNING "ECN: cannot use TCP operations on a "
"non-tcp rule\n");
return false;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 628373a..4f73782 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -177,15 +177,15 @@ reject_tg(struct sk_buff *skb, const struct xt_action_param *par)
static bool reject_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_reject_info *rejinfo = par->targinfo;
- const struct ipt_entry *e = par->entryinfo;
+ const struct ipt_ip *eip = par->nfproto_info;
if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
printk("ipt_REJECT: ECHOREPLY no longer supported.\n");
return false;
} else if (rejinfo->with == IPT_TCP_RESET) {
/* Must specify that it's a TCP packet */
- if (e->ip.proto != IPPROTO_TCP
- || (e->ip.invflags & XT_INV_PROTO)) {
+ if (eip->proto != IPPROTO_TCP ||
+ (eip->invflags & XT_INV_PROTO)) {
printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n");
return false;
}
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index fa1d289..7eb9a57 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -738,6 +738,7 @@ static int check_target(struct ip6t_entry *e, const char *name)
struct xt_tgchk_param par = {
.table = name,
.entryinfo = e,
+ .nfproto_info = &e->ipv6,
.target = t->u.kernel.target,
.targinfo = t->data,
.hook_mask = e->comefrom,
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 16bb432..0ab8ea9 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -216,15 +216,15 @@ reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
static bool reject_tg6_check(const struct xt_tgchk_param *par)
{
const struct ip6t_reject_info *rejinfo = par->targinfo;
- const struct ip6t_entry *e = par->entryinfo;
+ const struct ip6t_ip6 *eip = par->nfproto_info;
if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
printk("ip6t_REJECT: ECHOREPLY is not supported.\n");
return false;
} else if (rejinfo->with == IP6T_TCP_RESET) {
/* Must specify that it's a TCP packet */
- if (e->ipv6.proto != IPPROTO_TCP
- || (e->ipv6.invflags & XT_INV_PROTO)) {
+ if (eip->proto != IPPROTO_TCP ||
+ (eip->invflags & XT_INV_PROTO)) {
printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
return false;
}
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 1e57517..6e6ff1c 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1439,6 +1439,8 @@ int xt2_rule_add_target(struct xt2_rule *rule, const char *ext_name,
if (etarget->data == NULL)
goto free_etarget;
+ tgpar.nfproto_info = xt2_entryinfo_mt_get(rule);
+ tgpar.rule = rule;
tgpar.table = rule->chain->table->name;
tgpar.target = ext;
tgpar.targinfo = etarget->data;
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index e757ce9..100037f 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -225,14 +225,30 @@ tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
#define TH_SYN 0x02
/* Must specify -p tcp --syn */
-static inline bool find_syn_match(const struct xt_entry_match *m)
+static inline bool find_syn_match(const struct xt_tgchk_param *par)
{
- const struct xt_tcp *tcpinfo = (const struct xt_tcp *)m->data;
+ const struct xt_tcp *tcpinfo;
- if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
- tcpinfo->flg_cmp & TH_SYN &&
- !(tcpinfo->invflags & XT_TCP_INV_FLAGS))
- return true;
+ if (par->rule != NULL) {
+ const struct xt2_entry_match *ematch;
+
+ list_for_each_entry(ematch, &par->rule->match_list, anchor) {
+ tcpinfo = ematch->data;
+ if (strcmp(ematch->ext->name, "tcp") == 0 &&
+ (tcpinfo->flg_cmp & TH_SYN) &&
+ !(tcpinfo->invflags & XT_TCP_INV_FLAGS))
+ return true;
+ }
+ } else {
+ const struct xt_entry_match *ematch;
+ const struct ip6t_entry *e = par->entryinfo;
+
+ xt_ematch_foreach(ematch, e)
+ if (strcmp(ematch->u.kernel.match->name, "tcp") == 0 &&
+ (tcpinfo->flg_cmp & TH_SYN) &&
+ !(tcpinfo->invflags & XT_TCP_INV_FLAGS))
+ return true;
+ }
return false;
}
@@ -240,8 +256,6 @@ static inline bool find_syn_match(const struct xt_entry_match *m)
static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
{
const struct xt_tcpmss_info *info = par->targinfo;
- const struct ipt_entry *e = par->entryinfo;
- const struct xt_entry_match *ematch;
if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
(par->hook_mask & ~((1 << NF_INET_FORWARD) |
@@ -251,9 +265,8 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
"FORWARD, OUTPUT and POSTROUTING hooks\n");
return false;
}
- xt_ematch_foreach(ematch, e)
- if (find_syn_match(ematch))
- return true;
+ if (find_syn_match(par))
+ return true;
printk("xt_TCPMSS: Only works on TCP SYN packets\n");
return false;
}
@@ -262,8 +275,6 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
{
const struct xt_tcpmss_info *info = par->targinfo;
- const struct ip6t_entry *e = par->entryinfo;
- const struct xt_entry_match *ematch;
if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
(par->hook_mask & ~((1 << NF_INET_FORWARD) |
@@ -273,9 +284,8 @@ static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
"FORWARD, OUTPUT and POSTROUTING hooks\n");
return false;
}
- xt_ematch_foreach(ematch, e)
- if (find_syn_match(ematch))
- return true;
+ if (find_syn_match(par))
+ return true;
printk("xt_TCPMSS: Only works on TCP SYN packets\n");
return false;
}
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index d806b7b..fefba3f 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -61,7 +61,7 @@ tproxy_tg(struct sk_buff *skb, const struct xt_action_param *par)
static bool tproxy_tg_check(const struct xt_tgchk_param *par)
{
- const struct ipt_ip *i = par->entryinfo;
+ const struct ipt_ip *i = par->nfproto_info;
if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
&& !(i->invflags & IPT_INV_PROTO))
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 23d3ea2..54aa858 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -40,6 +40,7 @@ static struct tcf_hashinfo ipt_hash_info = {
static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook)
{
+ struct ipt_ip l3info = {};
struct xt_tgchk_param par;
struct xt_target *target;
int ret = 0;
@@ -50,6 +51,8 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int
return PTR_ERR(target);
t->u.kernel.target = target;
+ par.nfproto_info = &l3info;
+ par.rule = NULL;
par.table = table;
par.entryinfo = NULL;
par.target = target;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 058/103] netfilter: xtables2: jumpstack (de)allocation functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (56 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 057/103] netfilter: xtables2: xt_check_target in combination with xt2 contexts Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 059/103] netfilter: xtables2: table traversal Jan Engelhardt
` (46 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 13 ++++++
net/netfilter/x_tables.c | 76 +++++++++++++++++++++++++++++++++++-
2 files changed, 88 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index bba75b2..f94820c 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -508,6 +508,14 @@ enum {
* @chain_list: list of chains (struct xt2_chain)
* @name: name of this table
* @nfproto: nfproto the table is used exclusively with
+ * @rq_stacksize: Size of the jumpstack. This is usually set to the
+ * number of user chains -- since tables cannot have
+ * loops, at most that many jumps can possibly be made --
+ * or a value dependent thereof, such as when it is
+ * multiplied to allow for reentry.
+ * @stacksize: current size of the stack (@stackptr, @jumpstack)
+ * @stackptr: current stack pointer, one per CPU
+ * @jumpstack: our stack, also one per CPU
* @entrypoint: start chains for hooks
* @underflow: base chain policy (rule)
* @owner: encompassing module
@@ -516,6 +524,11 @@ struct xt2_table {
struct list_head chain_list;
char name[11];
uint8_t nfproto;
+
+ unsigned int rq_stacksize, stacksize;
+ unsigned int *stackptr;
+ const struct xt2_rule ***jumpstack;
+
const struct xt2_chain *entrypoint[NF_INET_NUMHOOKS];
const struct xt2_rule *underflow[NF_INET_NUMHOOKS];
struct module *owner;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 6e6ff1c..574d562 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1513,6 +1513,7 @@ struct xt2_chain *xt2_chain_new(struct xt2_table *table, const char *name)
if (chain == NULL)
return NULL;
+ ++table->rq_stacksize;
chain->table = table;
INIT_LIST_HEAD(&chain->anchor);
INIT_LIST_HEAD(&chain->rule_list);
@@ -1541,11 +1542,79 @@ static void xt2_chain_free(struct xt2_chain *chain)
struct xt2_rule *rule, *next_rule;
list_del(&chain->anchor);
+ --chain->table->rq_stacksize;
list_for_each_entry_safe(rule, next_rule, &chain->rule_list, anchor)
xt2_rule_free(rule);
kfree(chain);
}
+/**
+ * Allocate jumpstacks. This is normally called sometime after the chain
+ * have all been added to the table.
+ */
+static int xt2_jumpstack_alloc(struct xt2_table *table)
+{
+ unsigned int size;
+ int cpu;
+
+ size = sizeof(unsigned int) * nr_cpu_ids;
+ if (size > PAGE_SIZE)
+ table->stackptr = vmalloc(size);
+ else
+ table->stackptr = kmalloc(size, GFP_KERNEL);
+ if (table->stackptr == NULL)
+ return -ENOMEM;
+ memset(table->stackptr, 0, size);
+
+ size = sizeof(struct xt2_rule **) * nr_cpu_ids;
+ if (size > PAGE_SIZE)
+ table->jumpstack = vmalloc(size);
+ else
+ table->jumpstack = kmalloc(size, GFP_KERNEL);
+ if (table->jumpstack == NULL)
+ return -ENOMEM;
+ memset(table->jumpstack, 0, size);
+
+ table->stacksize = table->rq_stacksize * xt_jumpstack_multiplier;
+ size = sizeof(struct xt2_rule *) * table->stacksize;
+ for_each_possible_cpu(cpu) {
+ if (size > PAGE_SIZE)
+ table->jumpstack[cpu] = vmalloc_node(size,
+ cpu_to_node(cpu));
+ else
+ table->jumpstack[cpu] = kmalloc_node(size,
+ GFP_KERNEL, cpu_to_node(cpu));
+ if (table->jumpstack[cpu] == NULL)
+ return -ENOMEM;
+ }
+
+ return 0;
+}
+
+static void xt2_jumpstack_free(struct xt2_table *table)
+{
+ int cpu;
+
+ if (table->jumpstack != NULL) {
+ if (sizeof(struct xt2_rule *) * table->stacksize > PAGE_SIZE) {
+ for_each_possible_cpu(cpu)
+ vfree(table->jumpstack[cpu]);
+ } else {
+ for_each_possible_cpu(cpu)
+ kfree(table->jumpstack[cpu]);
+ }
+ if (sizeof(struct xt2_rule **) * nr_cpu_ids > PAGE_SIZE)
+ vfree(table->jumpstack);
+ else
+ kfree(table->jumpstack);
+ }
+
+ if (sizeof(unsigned int) * nr_cpu_ids > PAGE_SIZE)
+ vfree(table->stackptr);
+ else
+ kfree(table->stackptr);
+}
+
struct xt2_table *xt2_table_new(void)
{
struct xt2_table *table;
@@ -1587,7 +1656,7 @@ EXPORT_SYMBOL_GPL(xt2_tlink_lookup);
int xt2_table_register(struct net *net, struct xt2_table *table)
{
struct xt2_table_link *link;
- int ret = 0;
+ int ret;
if (*table->name == '\0')
/* Empty names don't fly with our strcmp. */
@@ -1600,6 +1669,10 @@ int xt2_table_register(struct net *net, struct xt2_table *table)
goto out;
}
+ ret = xt2_jumpstack_alloc(table);
+ if (ret < 0)
+ goto out;
+
link = kmalloc(sizeof(*link), GFP_KERNEL);
if (link == NULL) {
ret = -ENOMEM;
@@ -1683,6 +1756,7 @@ void xt2_table_destroy(struct net *net, struct xt2_table *table)
if (net != NULL)
xt2_table_unregister(net, table);
+ xt2_jumpstack_free(table);
list_for_each_entry_safe(chain, next_chain, &table->chain_list, anchor)
xt2_chain_free(chain);
kfree(table);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 059/103] netfilter: xtables2: table traversal
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (57 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 058/103] netfilter: xtables2: jumpstack (de)allocation functions Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 060/103] netfilter: xt_quota: fix wrong return value (error case) Jan Engelhardt
` (45 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 4 +
net/netfilter/x_tables.c | 115 ++++++++++++++++++++++++++++++++++++
2 files changed, 119 insertions(+), 0 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index f94820c..0608e64 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -702,6 +702,10 @@ extern int xt2_table_register(struct net *, struct xt2_table *);
extern struct xt2_table *xt2_table_replace(struct net *, struct xt2_table *);
extern void xt2_table_destroy(struct net *, struct xt2_table *);
+extern unsigned int xt2_do_table(struct sk_buff *, unsigned int,
+ const struct net_device *, const struct net_device *,
+ const struct xt2_table *);
+
static inline bool xt2_special_target(const struct xt_target *t)
{
return IS_ERR(t);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 574d562..105039a 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -61,6 +61,17 @@ static struct xt_af *xt;
#define duprintf(format, args...)
#endif
+/***
+ * xt2 internal decisions -
+ *
+ * %XT_START_CHAIN: used to implement jump/goto after chain got switched
+ */
+enum {
+ XT_START_CHAIN = 0xFFFFFFF9,
+ /* XT_RETURN = 0xFFFFFFFB, */ /* reminder (x_tables.h) */
+ /* XT_CONTINUE = 0xFFFFFFFF, */ /* reminder (x_tables.h) */
+};
+
static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
[NFPROTO_UNSPEC] = "x",
[NFPROTO_IPV4] = "ip",
@@ -1702,6 +1713,7 @@ struct xt2_table *xt2_table_replace(struct net *net, struct xt2_table *table)
{
struct xt2_table_link *link;
struct xt2_table *old_table;
+ int ret;
if (*table->name == '\0')
return ERR_PTR(-EINVAL);
@@ -1710,6 +1722,11 @@ struct xt2_table *xt2_table_replace(struct net *net, struct xt2_table *table)
XT2_TAKE_RCULOCK);
if (link == NULL)
return ERR_PTR(-ENOENT);
+ ret = xt2_jumpstack_alloc(table);
+ if (ret < 0) {
+ rcu_read_unlock();
+ return ERR_PTR(ret);
+ }
mutex_lock(&net->xt2.table_lock);
old_table = rcu_dereference(link->table);
@@ -1763,6 +1780,104 @@ void xt2_table_destroy(struct net *net, struct xt2_table *table)
}
EXPORT_SYMBOL_GPL(xt2_table_destroy);
+static unsigned int
+xt2_do_actions(struct sk_buff *skb, struct xt_action_param *acpar,
+ const struct xt2_rule *rule, const struct xt2_chain **chain_ptr,
+ unsigned int *stackptr, unsigned int stacksize,
+ const struct xt2_rule **jumpstack)
+{
+ const struct xt2_entry_target *etarget;
+ const struct xt2_entry_match *ematch;
+ /* For rules without targets: */
+ unsigned int verdict = XT_CONTINUE;
+ bool ret;
+
+ list_for_each_entry(ematch, &rule->match_list, anchor) {
+ acpar->match = ematch->ext;
+ acpar->matchinfo = ematch->data;
+ ret = ematch->ext->match(skb, acpar);
+ if (acpar->hotdrop)
+ return NF_DROP;
+ else if (!ret)
+ return XT_CONTINUE;
+ }
+
+ list_for_each_entry(etarget, &rule->target_list, anchor) {
+ if (etarget->ext == XT2_ACTION_GOTO) {
+ *chain_ptr = etarget->r_goto;
+ return XT_START_CHAIN;
+ } else if (etarget->ext == XT2_ACTION_JUMP) {
+ if (*stackptr >= stacksize)
+ return NF_DROP;
+ jumpstack[(*stackptr)++] = rule;
+ *chain_ptr = etarget->r_jump;
+ return XT_START_CHAIN;
+ } else if (etarget->ext == XT2_FINAL_VERDICT) {
+ verdict = etarget->verdict;
+ } else {
+ acpar->target = etarget->ext;
+ acpar->targinfo = etarget->data;
+ verdict = etarget->ext->target(skb, acpar);
+ }
+ if (verdict != XT_CONTINUE)
+ break;
+ }
+
+ return verdict;
+}
+
+unsigned int
+xt2_do_table(struct sk_buff *skb, unsigned int hook,
+ const struct net_device *in, const struct net_device *out,
+ const struct xt2_table *table)
+{
+ int cpu = smp_processor_id();
+ const struct xt2_rule **jumpstack = table->jumpstack[cpu];
+ unsigned int *stackptr = &table->stackptr[cpu];
+ unsigned int verdict = NF_DROP;
+ const struct xt2_chain *chain;
+ const struct xt2_rule *rule;
+ struct xt_action_param acpar = {
+ .family = table->nfproto,
+ .in = in,
+ .out = out,
+ .hooknum = hook,
+ };
+
+ chain = table->entrypoint[hook];
+ do_chain:
+ rule = list_first_entry(&chain->rule_list, typeof(*rule), anchor);
+ do_rule:
+ if (&rule->anchor == &chain->rule_list)
+ /* End of chain */
+ verdict = XT_RETURN;
+ else
+ verdict = xt2_do_actions(skb, &acpar, rule, &chain,
+ stackptr, table->stacksize, jumpstack);
+
+ switch (verdict) {
+ case XT_START_CHAIN:
+ goto do_chain;
+ case XT_RETURN:
+ if (*stackptr == 0) {
+ rule = table->underflow[hook];
+ chain = rule->chain;
+ goto do_rule;
+ }
+ /* What was on the stack was where we left... */
+ --*stackptr;
+ rule = jumpstack[*stackptr];
+ chain = rule->chain;
+ /* ...fallthru to advance */
+ case XT_CONTINUE:
+ rule = list_entry(rule->anchor.next, typeof(*rule), anchor);
+ goto do_rule;
+ }
+
+ return verdict;
+}
+EXPORT_SYMBOL_GPL(xt2_do_table);
+
int xt_proto_init(struct net *net, u_int8_t af)
{
#ifdef CONFIG_PROC_FS
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 060/103] netfilter: xt_quota: fix wrong return value (error case)
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (58 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 059/103] netfilter: xtables2: table traversal Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 061/103] netfilter: xtables: add xt_quota revision 3 Jan Engelhardt
` (44 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Success was indicated on a memory allocation failure, thereby causing
a crash due to a later NULL deref.
(Affects v2.6.30-rc1 up to here.)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/xt_quota.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index ad0ed79..0de9fcf 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -52,7 +52,7 @@ static bool quota_mt_check(const struct xt_mtchk_param *par)
q->master = kmalloc(sizeof(*q->master), GFP_KERNEL);
if (q->master == NULL)
- return -ENOMEM;
+ return false;
q->master->quota = q->quota;
return true;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 061/103] netfilter: xtables: add xt_quota revision 3
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (59 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 060/103] netfilter: xt_quota: fix wrong return value (error case) Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 062/103] netfilter: xtables2: make a copy of the ipv6_filter table Jan Engelhardt
` (43 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
The quota match has been extended in an out-of-tree project, whereby
it gained packet counting, upcounting support and procfs-based
read/write support.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/xt_quota.h | 19 +++-
net/netfilter/xt_quota.c | 231 ++++++++++++++++++++++++++++++++++--
2 files changed, 236 insertions(+), 14 deletions(-)
diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h
index 8dc89df..f14e36d 100644
--- a/include/linux/netfilter/xt_quota.h
+++ b/include/linux/netfilter/xt_quota.h
@@ -2,9 +2,11 @@
#define _XT_QUOTA_H
enum xt_quota_flags {
- XT_QUOTA_INVERT = 0x1,
+ XT_QUOTA_INVERT = 1 << 0,
+ XT_QUOTA_GROW = 1 << 1,
+ XT_QUOTA_PACKET = 1 << 2,
+ XT_QUOTA_MASK = 0x7,
};
-#define XT_QUOTA_MASK 0x1
struct xt_quota_priv;
@@ -17,4 +19,17 @@ struct xt_quota_info {
struct xt_quota_priv *master;
};
+struct xt_quota_counter;
+
+struct xt_quota_mtinfo3 {
+ char name[15];
+ u_int8_t flags;
+
+ /* Comparison-invariant */
+ aligned_u64 quota;
+
+ /* Used internally by the kernel */
+ struct xt_quota_counter *master __attribute__((aligned(8)));
+};
+
#endif /* _XT_QUOTA_H */
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 0de9fcf..33ce76a 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -3,8 +3,11 @@
*
* Sam Johnston <samj@samj.net>
*/
+#include <linux/list.h>
+#include <linux/proc_fs.h>
#include <linux/skbuff.h>
#include <linux/spinlock.h>
+#include <asm/atomic.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_quota.h>
@@ -13,14 +16,206 @@ struct xt_quota_priv {
uint64_t quota;
};
+struct xt_quota_counter {
+ u_int64_t quota;
+ spinlock_t lock;
+ struct list_head list;
+ atomic_t ref;
+ char name[sizeof(((struct xt_quota_mtinfo3 *)NULL)->name)];
+ struct proc_dir_entry *procfs_entry;
+};
+
MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Sam Johnston <samj@samj.net>");
-MODULE_DESCRIPTION("Xtables: countdown quota match");
+MODULE_DESCRIPTION("Xtables: counter match");
MODULE_ALIAS("ipt_quota");
MODULE_ALIAS("ip6t_quota");
static DEFINE_SPINLOCK(quota_lock);
+static LIST_HEAD(counter_list);
+static DEFINE_SPINLOCK(counter_list_lock);
+
+static struct proc_dir_entry *proc_xt_quota;
+static unsigned int quota_list_perms = S_IRUGO | S_IWUSR;
+static unsigned int quota_list_uid;
+static unsigned int quota_list_gid;
+module_param_named(perms, quota_list_perms, uint, S_IRUGO | S_IWUSR);
+module_param_named(uid, quota_list_uid, uint, S_IRUGO | S_IWUSR);
+module_param_named(gid, quota_list_gid, uint, S_IRUGO | S_IWUSR);
+
+static int quota_proc_read(char *page, char **start, off_t offset,
+ int count, int *eof, void *data)
+{
+ struct xt_quota_counter *e = data;
+ int ret;
+
+ spin_lock_bh(&e->lock);
+ ret = snprintf(page, PAGE_SIZE, "%llu\n", e->quota);
+ spin_unlock_bh(&e->lock);
+ return ret;
+}
+
+static int quota_proc_write(struct file *file, const char __user *input,
+ unsigned long size, void *data)
+{
+ struct xt_quota_counter *e = data;
+ char buf[sizeof("18446744073709551616")];
+
+ if (size > sizeof(buf))
+ size = sizeof(buf);
+ if (copy_from_user(buf, input, size) != 0)
+ return -EFAULT;
+ buf[sizeof(buf)-1] = '\0';
+
+ spin_lock_bh(&e->lock);
+ e->quota = simple_strtoull(buf, NULL, 0);
+ spin_unlock_bh(&e->lock);
+ return size;
+}
+
+static struct xt_quota_counter *
+q3_new_counter(const struct xt_quota_mtinfo3 *q, bool anon)
+{
+ struct xt_quota_counter *e;
+ unsigned int size;
+
+ /* Do not need all the procfs things for anonymous counters. */
+ size = anon ? offsetof(typeof(*e), list) : sizeof(*e);
+ e = kmalloc(size, GFP_KERNEL);
+ if (e == NULL)
+ return NULL;
+
+ e->quota = q->quota;
+ spin_lock_init(&e->lock);
+ if (!anon) {
+ INIT_LIST_HEAD(&e->list);
+ atomic_set(&e->ref, 1);
+ strncpy(e->name, q->name, sizeof(e->name));
+ }
+ return e;
+}
+
+/**
+ * q3_get_counter - get ref to counter or create new
+ * @name: name of counter
+ */
+static struct xt_quota_counter *
+q3_get_counter(const struct xt_quota_mtinfo3 *q)
+{
+ struct proc_dir_entry *p;
+ struct xt_quota_counter *e;
+
+ if (*q->name == '\0')
+ return q3_new_counter(q, true);
+
+ spin_lock_bh(&counter_list_lock);
+ list_for_each_entry(e, &counter_list, list)
+ if (strcmp(e->name, q->name) == 0) {
+ atomic_inc(&e->ref);
+ spin_unlock_bh(&counter_list_lock);
+ return e;
+ }
+
+ e = q3_new_counter(q, false);
+ if (e == NULL)
+ goto out;
+
+ p = e->procfs_entry = create_proc_entry(e->name, quota_list_perms,
+ proc_xt_quota);
+ if (p == NULL || IS_ERR(p))
+ goto out;
+
+ p->data = e;
+ p->read_proc = quota_proc_read;
+ p->write_proc = quota_proc_write;
+ p->uid = quota_list_uid;
+ p->gid = quota_list_gid;
+ list_add_tail(&e->list, &counter_list);
+ spin_unlock_bh(&counter_list_lock);
+ return e;
+
+ out:
+ spin_unlock_bh(&counter_list_lock);
+ kfree(e);
+ return NULL;
+}
+
+static bool quota_mt3_check(const struct xt_mtchk_param *par)
+{
+ struct xt_quota_mtinfo3 *q = par->matchinfo;
+
+ if (q->flags & ~XT_QUOTA_MASK)
+ return false;
+
+ q->name[sizeof(q->name)-1] = '\0';
+ if (*q->name == '.' || strchr(q->name, '/') != NULL) {
+ printk(KERN_ERR "xt_quota<%u>: illegal name\n",
+ par->match->revision);
+ return false;
+ }
+
+ q->master = q3_get_counter(q);
+ if (q->master == NULL) {
+ printk(KERN_ERR "xt_quota<%u>: memory alloc failure\n",
+ par->match->revision);
+ return false;
+ }
+
+ return true;
+}
+
+static void quota_mt3_destroy(const struct xt_mtdtor_param *par)
+{
+ struct xt_quota_mtinfo3 *q = par->matchinfo;
+ struct xt_quota_counter *e = q->master;
+
+ if (*q->name == '\0') {
+ /* anon counter */
+ kfree(e);
+ return;
+ }
+
+ spin_lock_bh(&counter_list_lock);
+ if (!atomic_dec_and_test(&e->ref)) {
+ spin_unlock_bh(&counter_list_lock);
+ return;
+ }
+
+ list_del(&e->list);
+ remove_proc_entry(e->name, proc_xt_quota);
+ spin_unlock_bh(&counter_list_lock);
+ kfree(e);
+}
+
+static bool
+quota_mt3(const struct sk_buff *skb, struct xt_action_param *par)
+{
+ struct xt_quota_mtinfo3 *q = (void *)par->matchinfo;
+ struct xt_quota_counter *e = q->master;
+ bool ret = q->flags & XT_QUOTA_INVERT;
+
+ spin_lock_bh(&e->lock);
+ if (q->flags & XT_QUOTA_GROW) {
+ e->quota += (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+ q->quota = e->quota;
+ ret = true;
+ } else {
+ if (e->quota >= skb->len) {
+ e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+ ret = !ret;
+ } else {
+ /* we do not allow even small packets from now on */
+ e->quota = 0;
+ }
+ q->quota = e->quota;
+ }
+ spin_unlock_bh(&e->lock);
+ return ret;
+}
+
+
static bool
quota_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
@@ -65,25 +260,37 @@ static void quota_mt_destroy(const struct xt_mtdtor_param *par)
kfree(q->master);
}
-static struct xt_match quota_mt_reg __read_mostly = {
- .name = "quota",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .match = quota_mt,
- .checkentry = quota_mt_check,
- .destroy = quota_mt_destroy,
- .matchsize = sizeof(struct xt_quota_info),
- .me = THIS_MODULE,
+static struct xt_match quota_mt_reg[] __read_mostly = {
+ {
+ .name = "quota",
+ .revision = 0,
+ .family = NFPROTO_UNSPEC,
+ .match = quota_mt,
+ .checkentry = quota_mt_check,
+ .destroy = quota_mt_destroy,
+ .matchsize = sizeof(struct xt_quota_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "quota",
+ .revision = 3,
+ .family = NFPROTO_UNSPEC,
+ .checkentry = quota_mt3_check,
+ .match = quota_mt3,
+ .destroy = quota_mt3_destroy,
+ .matchsize = sizeof(struct xt_quota_mtinfo3),
+ .me = THIS_MODULE,
+ },
};
static int __init quota_mt_init(void)
{
- return xt_register_match("a_mt_reg);
+ return xt_register_matches(quota_mt_reg, ARRAY_SIZE(quota_mt_reg));
}
static void __exit quota_mt_exit(void)
{
- xt_unregister_match("a_mt_reg);
+ xt_unregister_matches(quota_mt_reg, ARRAY_SIZE(quota_mt_reg));
}
module_init(quota_mt_init);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 062/103] netfilter: xtables2: make a copy of the ipv6_filter table
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (60 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 061/103] netfilter: xtables: add xt_quota revision 3 Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 063/103] netfilter: xtables2: initial xt1->xt2 translation for tables Jan Engelhardt
` (42 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
A "filter2" table is temporarily added for testing and patching, so
as to not break bisection operations where ip6table_filter needs to
remain fully functional. It is compiled unconditionally alongside
"filter" for simplicity, only developers see it anyhow while it lives.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/net/netns/x_tables.h | 1 +
net/ipv6/netfilter/Makefile | 2 +-
net/ipv6/netfilter/ip6table_filter2.c | 108 +++++++++++++++++++++++++++++++++
3 files changed, 110 insertions(+), 1 deletions(-)
create mode 100644 net/ipv6/netfilter/ip6table_filter2.c
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index f2edc37..c4abab8 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -16,6 +16,7 @@ struct netns_xt {
struct netns_xt2 {
struct mutex table_lock;
struct list_head table_list[NFPROTO_NUMPROTO];
+ struct xt_table *ipv6_filter;
};
#endif
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index aafbba3..35fa80f 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -4,7 +4,7 @@
# Link order matters here.
obj-$(CONFIG_IP6_NF_IPTABLES) += ip6_tables.o
-obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
+obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o ip6table_filter2.o
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
diff --git a/net/ipv6/netfilter/ip6table_filter2.c b/net/ipv6/netfilter/ip6table_filter2.c
new file mode 100644
index 0000000..790552b
--- /dev/null
+++ b/net/ipv6/netfilter/ip6table_filter2.c
@@ -0,0 +1,108 @@
+/*
+ * This is the 1999 rewrite of IP Firewalling, aiming for kernel 2.3.x.
+ *
+ * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
+ * Copyright (C) 2000-2004 Netfilter Core Team <coreteam@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
+MODULE_DESCRIPTION("ip6tables filter table");
+
+#define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | \
+ (1 << NF_INET_FORWARD) | \
+ (1 << NF_INET_LOCAL_OUT))
+
+static const struct xt_table packet_filter = {
+ .name = "filter2",
+ .valid_hooks = FILTER_VALID_HOOKS,
+ .me = THIS_MODULE,
+ .af = NFPROTO_IPV6,
+ .priority = NF_IP6_PRI_FILTER,
+};
+
+/* The work comes in here from netfilter.c. */
+static unsigned int
+ip6table_filter_hook(unsigned int hook,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ const struct net *net = dev_net((in != NULL) ? in : out);
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
+}
+
+/* Default to forward because I got too much mail already. */
+static int forward = NF_ACCEPT;
+module_param(forward, bool, 0000);
+
+static int __net_init ip6table_filter_net_init(struct net *net)
+{
+ struct ip6t_replace *repl = xt_repldata_create(&packet_filter);
+
+ if (repl == NULL)
+ return -ENOMEM;
+ /* Entry 1 is the FORWARD hook */
+ ((struct ip6t_standard *)repl->entries)[1].target.verdict =
+ -forward - 1;
+
+ net->xt2.ipv6_filter =
+ ip6t_register_table(net, &packet_filter, repl);
+ kfree(repl);
+ if (IS_ERR(net->xt2.ipv6_filter))
+ return PTR_ERR(net->xt2.ipv6_filter);
+ return 0;
+}
+
+static void __net_exit ip6table_filter_net_exit(struct net *net)
+{
+ ip6t_unregister_table(net->xt2.ipv6_filter);
+}
+
+static struct pernet_operations ip6table_filter_net_ops = {
+ .init = ip6table_filter_net_init,
+ .exit = ip6table_filter_net_exit,
+};
+
+static struct nf_hook_ops *filter_ops;
+
+static int __init ip6table_filter_init(void)
+{
+ int ret;
+
+ if (forward < 0 || forward > NF_MAX_VERDICT) {
+ printk("iptables forward must be 0 or 1\n");
+ return -EINVAL;
+ }
+
+ ret = register_pernet_subsys(&ip6table_filter_net_ops);
+ if (ret < 0)
+ return ret;
+
+ /* Register hooks */
+ filter_ops = xt_hook_link(&packet_filter, ip6table_filter_hook);
+ if (IS_ERR(filter_ops)) {
+ unregister_pernet_subsys(&ip6table_filter_net_ops);
+ return PTR_ERR(filter_ops);
+ }
+
+ return ret;
+}
+
+static void __exit ip6table_filter_fini(void)
+{
+ xt_hook_unlink(&packet_filter, filter_ops);
+ unregister_pernet_subsys(&ip6table_filter_net_ops);
+}
+
+module_init(ip6table_filter_init);
+module_exit(ip6table_filter_fini);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 063/103] netfilter: xtables2: initial xt1->xt2 translation for tables
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (61 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 062/103] netfilter: xtables2: make a copy of the ipv6_filter table Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 064/103] netfilter: xtables2: xt2->xt1 translation - GET_INFO support Jan Engelhardt
` (41 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
This commit adds enough logic to translate the initial table, as
provided by ip6table modules, to an xt2 table. The translation code
goes into a file xt1_compat.c that is planned to be shared with the
other *_tables too, hence the little #define/#include hack. I deem
this is the better evil -- at least when done right, and it looks
promising -- compared to the real code duplication that is currently
in place.
The "filter2" table can be used for testing: modprobing it/rmmod, and
that packets flow through xt2_do_table(). /usr/sbin/ip6tables cannot
interact with it yet as of this commit.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 9 +
include/linux/netfilter_ipv6/ip6_tables.h | 3 +
include/net/netns/x_tables.h | 2 +-
net/ipv6/netfilter/Kconfig | 1 +
net/ipv6/netfilter/ip6_tables.c | 30 ++--
net/ipv6/netfilter/ip6table_filter2.c | 21 ++-
net/netfilter/Kconfig | 6 +
net/netfilter/Makefile | 1 +
net/netfilter/x_tables.c | 3 +-
net/netfilter/xt1_postshared.c | 51 +++++
net/netfilter/xt1_support.c | 37 ++++
net/netfilter/xt1_translat.c | 292 +++++++++++++++++++++++++++++
12 files changed, 432 insertions(+), 24 deletions(-)
create mode 100644 net/netfilter/xt1_postshared.c
create mode 100644 net/netfilter/xt1_support.c
create mode 100644 net/netfilter/xt1_translat.c
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 0608e64..cf8e65e 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -482,6 +482,8 @@ struct xt2_entry_target {
* @table: back link to table chain is contained in
* @comefrom: bitmask from which hooks the chain is entered
* (currently needed for xt_check_*)
+ * @xt1_offset: temporary field to hold the chain offset
+ * used during xt2->xt1 conversion (xt1_compat.c)
*/
struct xt2_chain {
struct list_head anchor;
@@ -489,6 +491,7 @@ struct xt2_chain {
char name[31];
struct xt2_table *table;
unsigned int comefrom;
+ unsigned int xt1_offset;
};
/**
@@ -508,6 +511,7 @@ enum {
* @chain_list: list of chains (struct xt2_chain)
* @name: name of this table
* @nfproto: nfproto the table is used exclusively with
+ * @valid_hooks: hooks the table can be entered on
* @rq_stacksize: Size of the jumpstack. This is usually set to the
* number of user chains -- since tables cannot have
* loops, at most that many jumps can possibly be made --
@@ -524,6 +528,7 @@ struct xt2_table {
struct list_head chain_list;
char name[11];
uint8_t nfproto;
+ unsigned int valid_hooks;
unsigned int rq_stacksize, stacksize;
unsigned int *stackptr;
@@ -686,11 +691,15 @@ extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
extern void *xt_repldata_create(const struct xt_table *);
+extern struct xt2_chain *xts_lookup_chain(const struct xt2_table *,
+ unsigned int);
+
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
extern int xt2_rule_add_match(struct xt2_rule *, const char *, uint8_t,
const void *, unsigned int, bool);
extern int xt2_rule_add_target(struct xt2_rule *, const char *, uint8_t,
const void *, unsigned int, bool);
+extern void xt2_rule_free(struct xt2_rule *);
extern struct xt2_chain *xt2_chain_new(struct xt2_table *, const char *);
extern void xt2_chain_append(struct xt2_rule *);
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 89e0ab1..421c2d5 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -317,6 +317,9 @@ extern unsigned int ip6t_do_table(struct sk_buff *skb,
const struct net_device *out,
struct xt_table *table);
+extern struct xt2_table *ip6t2_register_table(struct net *,
+ const struct xt_table *, const struct ip6t_replace *);
+
/* Check for an extension */
extern int ip6t_ext_hdr(u8 nexthdr);
/* find specified header and get offset to it */
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index c4abab8..a63aa04 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -16,7 +16,7 @@ struct netns_xt {
struct netns_xt2 {
struct mutex table_lock;
struct list_head table_list[NFPROTO_NUMPROTO];
- struct xt_table *ipv6_filter;
+ struct xt2_table_link *ipv6_filter;
};
#endif
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 29d643b..46163b1 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -46,6 +46,7 @@ config IP6_NF_IPTABLES
tristate "IP6 tables support (required for filtering)"
depends on INET && IPV6
select NETFILTER_XTABLES
+ select NETFILTER_XT1_SUPPORT
default m if NETFILTER_ADVANCED=n
help
ip6tables is a general, extensible packet identification framework.
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 7eb9a57..edb00ad 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -67,6 +67,19 @@ do { \
#define inline
#endif
+static int mark_source_chains(const struct xt_table_info *,
+ unsigned int, void *);
+
+#define xtsub_entry ip6t_entry
+#define xtsub_replace ip6t_replace
+#define xtsub_error_target ip6t_error_target
+#define XTSUB_NFPROTO_IPV6 1
+#define XTSUB(x) ip6t_ ## x
+#define XTSUB2(x) ip6t2_ ## x
+
+#include "../../netfilter/xt1_translat.c"
+#include "../../netfilter/xt1_postshared.c"
+
/*
We keep a set of rules for each CPU, so we can avoid write-locking
them in the softirq when updating the counters and therefore
@@ -807,21 +820,6 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size)
return ret;
}
-static bool check_underflow(const struct ip6t_entry *e)
-{
- const struct ip6t_entry_target *t;
- unsigned int verdict;
-
- if (!unconditional(&e->ipv6))
- return false;
- t = ip6t_get_target_c(e);
- if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
- return false;
- verdict = ((struct ip6t_standard_target *)t)->verdict;
- verdict = -verdict - 1;
- return verdict == NF_DROP || verdict == NF_ACCEPT;
-}
-
static int
check_entry_size_and_hooks(struct ip6t_entry *e,
struct xt_table_info *newinfo,
@@ -853,7 +851,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h]) {
- if (!check_underflow(e)) {
+ if (!ip6t2_check_underflow(e)) {
pr_err("Underflows must be unconditional and "
"use the STANDARD target with "
"ACCEPT/DROP\n");
diff --git a/net/ipv6/netfilter/ip6table_filter2.c b/net/ipv6/netfilter/ip6table_filter2.c
index 790552b..7456686 100644
--- a/net/ipv6/netfilter/ip6table_filter2.c
+++ b/net/ipv6/netfilter/ip6table_filter2.c
@@ -38,7 +38,14 @@ ip6table_filter_hook(unsigned int hook,
int (*okfn)(struct sk_buff *))
{
const struct net *net = dev_net((in != NULL) ? in : out);
- return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
+ const struct xt2_table_link *link;
+ unsigned int verdict;
+
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv6_filter);
+ verdict = xt2_do_table(skb, hook, in, out, link->table);
+ rcu_read_unlock();
+ return verdict;
}
/* Default to forward because I got too much mail already. */
@@ -48,6 +55,7 @@ module_param(forward, bool, 0000);
static int __net_init ip6table_filter_net_init(struct net *net)
{
struct ip6t_replace *repl = xt_repldata_create(&packet_filter);
+ struct xt2_table *table;
if (repl == NULL)
return -ENOMEM;
@@ -55,17 +63,18 @@ static int __net_init ip6table_filter_net_init(struct net *net)
((struct ip6t_standard *)repl->entries)[1].target.verdict =
-forward - 1;
- net->xt2.ipv6_filter =
- ip6t_register_table(net, &packet_filter, repl);
+ table = ip6t2_register_table(net, &packet_filter, repl);
kfree(repl);
- if (IS_ERR(net->xt2.ipv6_filter))
- return PTR_ERR(net->xt2.ipv6_filter);
+ if (IS_ERR(table))
+ return PTR_ERR(table);
+ net->xt2.ipv6_filter = xt2_tlink_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK);
return 0;
}
static void __net_exit ip6table_filter_net_exit(struct net *net)
{
- ip6t_unregister_table(net->xt2.ipv6_filter);
+ xt2_table_destroy(net, net->xt2.ipv6_filter->table);
}
static struct pernet_operations ip6table_filter_net_ops = {
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 773c360..0f18528 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -301,6 +301,12 @@ config NETFILTER_XTABLES
if NETFILTER_XTABLES
+config NETFILTER_XT1_SUPPORT
+ tristate
+ select NETFILTER_XT_MATCH_QUOTA
+ ---help---
+ Protocol-agnostic part of the xt1 <-> xt2 translation layer.
+
# alphabetically ordered list of targets
config NETFILTER_XT_TARGET_CLASSIFY
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 49f62ee..fead6b4 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -39,6 +39,7 @@ obj-$(CONFIG_NETFILTER_TPROXY) += nf_tproxy_core.o
# generic X tables
obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
+obj-$(CONFIG_NETFILTER_XT1_SUPPORT) += xt1_support.o
# targets
obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 105039a..f8ff821 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1476,7 +1476,7 @@ int xt2_rule_add_target(struct xt2_rule *rule, const char *ext_name,
}
EXPORT_SYMBOL_GPL(xt2_rule_add_target);
-static void xt2_rule_free(struct xt2_rule *rule)
+void xt2_rule_free(struct xt2_rule *rule)
{
struct xt2_entry_target *etarget, *next_etarget;
struct xt2_entry_match *ematch, *next_ematch;
@@ -1515,6 +1515,7 @@ static void xt2_rule_free(struct xt2_rule *rule)
}
kfree(rule);
}
+EXPORT_SYMBOL_GPL(xt2_rule_free);
struct xt2_chain *xt2_chain_new(struct xt2_table *table, const char *name)
{
diff --git a/net/netfilter/xt1_postshared.c b/net/netfilter/xt1_postshared.c
new file mode 100644
index 0000000..9dcbac1
--- /dev/null
+++ b/net/netfilter/xt1_postshared.c
@@ -0,0 +1,51 @@
+/*
+ * xt1 <-> xt2 translation layer, per-nfproto specific part
+ * Copyright © Jan Engelhardt, 2009
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ */
+#include <linux/kernel.h>
+#include <linux/netfilter.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+
+struct xt2_table *
+XTSUB2(register_table)(struct net *net, const struct xt_table *classic_table,
+ const struct xtsub_replace *repl)
+{
+ struct xt2_table *table;
+ void *blob;
+ int ret;
+
+ table = xt2_table_new();
+ if (table == NULL)
+ return ERR_PTR(-ENOMEM);
+ /* Need a writable copy for check_entry_and_size_hooks. */
+ ret = -ENOMEM;
+ blob = vmalloc(repl->size);
+ if (blob == NULL)
+ goto out;
+ memcpy(blob, repl->entries, repl->size);
+ strncpy(table->name, classic_table->name, sizeof(table->name));
+ table->name[sizeof(table->name)-1] = '\0';
+ table->valid_hooks = classic_table->valid_hooks;
+ table->nfproto = classic_table->af;
+
+ ret = XTSUB2(table_to_xt2)(table, blob, repl);
+ vfree(blob);
+ if (ret < 0)
+ goto out;
+ ret = xt2_table_register(net, table);
+ if (ret < 0)
+ goto out;
+ return table;
+
+ out:
+ xt2_table_destroy(NULL, table);
+ return ERR_PTR(ret);
+}
+EXPORT_SYMBOL_GPL(XTSUB2(register_table));
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
new file mode 100644
index 0000000..d15bfb7
--- /dev/null
+++ b/net/netfilter/xt1_support.c
@@ -0,0 +1,37 @@
+/*
+ * xt1 <-> xt2 translation layer, protocol independent parts
+ * Copyright © Jan Engelhardt, 2009
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ */
+#include <linux/module.h>
+#include <linux/netfilter/x_tables.h>
+
+/**
+ * @table: table to search in
+ * @needle: rule offset in the xt1 blob
+ *
+ * Find the xt2 chain for a given xt1 offset. This assumes the chains are
+ * sorted by xt1_offset, which they should be given our linear translation
+ * mechanism in xt1_compat.c.
+ */
+struct xt2_chain *
+xts_lookup_chain(const struct xt2_table *table, unsigned int needle)
+{
+ struct xt2_chain *chain, *ret = NULL;
+
+ list_for_each_entry(chain, &table->chain_list, anchor) {
+ if (chain->xt1_offset <= needle)
+ ret = chain;
+ else
+ return ret;
+ }
+
+ return ret;
+}
+EXPORT_SYMBOL_GPL(xts_lookup_chain);
+
+MODULE_LICENSE("GPL");
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
new file mode 100644
index 0000000..a1663ba
--- /dev/null
+++ b/net/netfilter/xt1_translat.c
@@ -0,0 +1,292 @@
+/*
+ * xt1 <-> xt2 translation layer, proto-format specific part
+ * Copyright © Jan Engelhardt, 2009
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ */
+#include <linux/kernel.h>
+#include <linux/netfilter.h>
+#include <linux/slab.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_quota.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#if !defined(XTSUB_NFPROTO_IPV6)
+# error Need to define XTSUB_NFPROTO_xxx.
+#endif
+
+#ifdef XTSUB_NFPROTO_IPV6
+static const struct ip6t_ip6 xtsub_uncond;
+
+static inline bool XTSUB2(unconditional)(const struct xtsub_entry *e)
+{
+ return memcmp(&e->ipv6, &xtsub_uncond, sizeof(xtsub_uncond)) == 0;
+}
+#endif
+
+static inline struct xt_entry_target *
+XTSUB2(get_target)(const struct xtsub_entry *e)
+{
+ return (void *)e + e->target_offset;
+}
+
+static bool XTSUB2(check_underflow)(const struct xtsub_entry *e)
+{
+ const struct xt_entry_target *t;
+ unsigned int verdict;
+
+ if (!XTSUB2(unconditional)(e))
+ return false;
+ t = XTSUB2(get_target)(e);
+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+ return false;
+ verdict = ((struct xt_standard_target *)t)->verdict;
+ verdict = -verdict - 1;
+ return verdict == NF_DROP || verdict == NF_ACCEPT;
+}
+
+/**
+ * Check an xt1 entry for sanity and create chains as we find them.
+ */
+static int
+XTSUB2(rule_check)(struct xtsub_entry *e, struct xt2_table *table,
+ const void *base, const struct xtsub_replace *repl)
+{
+ const void *limit = (void *)base + repl->size;
+ unsigned int delta = (void *)e - base;
+ struct xtsub_error_target *t;
+ struct xt2_chain *chain;
+ unsigned int hook;
+
+ if ((unsigned long)e % __alignof__(struct xtsub_entry) != 0 ||
+ (void *)e + sizeof(struct xtsub_entry) >= limit ||
+ e->next_offset < sizeof(struct xtsub_entry) +
+ sizeof(struct xt_entry_target))
+ return -EINVAL;
+
+ /* Check hooks & underflows */
+ for (hook = 0; hook < ARRAY_SIZE(repl->hook_entry); ++hook) {
+ if (!(repl->valid_hooks & (1 << hook)))
+ continue;
+ if (delta == repl->hook_entry[hook]) {
+ chain = xt2_chain_new(table, NULL);
+ if (chain == NULL)
+ return -ENOMEM;
+
+ table->entrypoint[hook] = chain;
+ chain->comefrom = e->comefrom;
+ /* Aid for finding chains for a given delta. */
+ chain->xt1_offset = delta;
+ }
+ if (delta == repl->underflow[hook])
+ if (!XTSUB2(check_underflow)(e)) {
+ pr_err("Underflows must be unconditional and "
+ "use the STANDARD target with "
+ "ACCEPT/DROP\n");
+ return -EINVAL;
+ }
+ }
+
+ /* Clear counters and comefrom */
+ memset(&e->counters, 0, sizeof(e->counters));
+ e->comefrom = 0;
+
+ t = (void *)XTSUB2(get_target)(e);
+ if (strcmp(t->target.u.user.name, XT_ERROR_TARGET) == 0) {
+ t->errorname[sizeof(t->errorname)-1] = '\0';
+ if (strcmp(t->errorname, XT_ERROR_TARGET) == 0)
+ /* End of ruleset */
+ return 0;
+ chain = xt2_chain_new(table, t->errorname);
+ if (chain == NULL)
+ return -ENOMEM;
+ chain->xt1_offset = delta;
+ /* Chain marker translated. */
+ return 0;
+ }
+
+ return 1;
+}
+
+static int
+XTSUB2(target_to_xt2)(struct xt2_rule *rule, const struct xtsub_entry *entry,
+ unsigned int entry_offset)
+{
+ const struct xt_entry_target *etarget = XTSUB2(get_target)(entry);
+ const struct xt_standard_target *st;
+ struct xt2_entry_target *ntarget;
+
+ if (strcmp(etarget->u.user.name, XT_STANDARD_TARGET) != 0)
+ return xt2_rule_add_oldtarget(rule, etarget);
+
+ ntarget = kmalloc(sizeof(*ntarget), GFP_KERNEL);
+ if (ntarget == NULL)
+ return -ENOMEM;
+ INIT_LIST_HEAD(&ntarget->anchor);
+
+ st = (void *)etarget;
+ if (st->verdict == XT_RETURN) {
+ ntarget->ext = XT2_FINAL_VERDICT;
+ ntarget->verdict = XT_RETURN;
+ } else if (st->verdict < 0) {
+ ntarget->ext = XT2_FINAL_VERDICT;
+ ntarget->verdict = -st->verdict - 1;
+ } else if (st->verdict == entry_offset + entry->next_offset) {
+ ntarget->ext = XT2_FINAL_VERDICT;
+ ntarget->verdict = XT_CONTINUE;
+#ifdef XTSUB_NFPROTO_IPV6
+ } else if (entry->ipv6.flags & IP6T_F_GOTO) {
+ ntarget->ext = XT2_ACTION_GOTO;
+ ntarget->r_goto = xts_lookup_chain(rule->chain->table,
+ st->verdict);
+ /* debug: (we already checked loopfreeness before) */
+ if (ntarget->r_goto == rule->chain)
+ return -ELOOP;
+#endif
+ } else {
+ ntarget->ext = XT2_ACTION_JUMP;
+ ntarget->r_jump = xts_lookup_chain(rule->chain->table,
+ st->verdict);
+ if (ntarget->r_jump == rule->chain)
+ return -ELOOP;
+ }
+
+ list_add_tail(&ntarget->anchor, &rule->target_list);
+ return 0;
+}
+
+/**
+ * Translate a single ip6t_entry into a xt2 rule.
+ */
+static struct xt2_rule *
+XTSUB2(rule_to_xt2)(struct xt2_chain *chain, const struct xtsub_entry *entry,
+ unsigned int entry_offset)
+{
+ const struct xt_entry_match *ematch;
+ struct xt_quota_mtinfo3 byte_counter = {.flags = XT_QUOTA_GROW};
+ struct xt_quota_mtinfo3 packet_counter =
+ {.flags = XT_QUOTA_GROW | XT_QUOTA_PACKET};
+ struct xt2_rule *rule;
+ int ret;
+
+ rule = xt2_rule_new(chain);
+ if (rule == NULL)
+ return ERR_PTR(-ENOMEM);
+
+ rule->chain->comefrom = entry->comefrom;
+#ifdef XTSUB_NFPROTO_IPV6
+ rule->l4proto = entry->ipv6.proto;
+ if (entry->ipv6.flags & IP6T_INV_PROTO)
+ rule->flags |= XT2_INV_L4PROTO;
+ ret = xt2_rule_add_match(rule, "ipv6", 0, &entry->ipv6,
+ sizeof(entry->ipv6), false);
+#endif
+ if (ret < 0)
+ goto out;
+
+ xt_ematch_foreach(ematch, entry) {
+ ret = xt2_rule_add_oldmatch(rule, ematch);
+ if (ret < 0)
+ goto out;
+ }
+
+ ret = xt2_rule_add_match(rule, "quota", 3, &byte_counter,
+ sizeof(byte_counter), false);
+ if (ret < 0)
+ goto out;
+ ret = xt2_rule_add_match(rule, "quota", 3, &packet_counter,
+ sizeof(packet_counter), false);
+ if (ret < 0)
+ goto out;
+ ret = XTSUB2(target_to_xt2)(rule, entry, entry_offset);
+ if (ret < 0)
+ goto out;
+ return rule;
+
+ out:
+ xt2_rule_free(rule);
+ return ERR_PTR(ret);
+}
+
+/**
+ * @table: new table
+ * @entry0: blob of <struct ip6t_entry>s
+ * @repl: blob metadata
+ *
+ * Convert a blob table into a xt2 table.
+ */
+static int XTSUB2(table_to_xt2)(struct xt2_table *table, void *entry0,
+ const struct xtsub_replace *repl)
+{
+ struct xt_table_info mark_param;
+ struct xtsub_entry *iter;
+ unsigned int i;
+ int ret = 0;
+
+ i = 0;
+ /* Walk through entries, checking offsets, creating chains. */
+ xt_entry_foreach(iter, entry0, repl->size) {
+ ret = XTSUB2(rule_check)(iter, table, entry0, repl);
+ ++i;
+ if (ret < 0)
+ return ret;
+ else if (ret == 0)
+ continue;
+ }
+
+ if (i != repl->num_entries)
+ return -EINVAL;
+
+ /* Check hooks all assigned */
+ for (i = 0; i < ARRAY_SIZE(repl->hook_entry); ++i) {
+ /* Only hooks which are valid */
+ if (!(repl->valid_hooks & (1 << i)))
+ continue;
+ if (table->entrypoint[i] == NULL)
+ return -EINVAL;
+ }
+
+ memcpy(mark_param.hook_entry, repl->hook_entry,
+ sizeof(repl->hook_entry));
+ mark_param.size = repl->size;
+ if (!mark_source_chains(&mark_param, repl->valid_hooks, entry0))
+ return -ELOOP;
+
+ /* Now process rules. */
+ xt_entry_foreach(iter, entry0, repl->size) {
+ unsigned int hook, delta = (void *)iter - (void *)entry0;
+ const struct xt_entry_target *t;
+ struct xt2_chain *chain;
+ struct xt2_rule *rule;
+
+ t = XTSUB2(get_target)(iter);
+ if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0)
+ /* already translated */
+ continue;
+
+ /*
+ * Do not ignore base chain policies (which are rules), though.
+ * We need these for the counters.
+ */
+ chain = xts_lookup_chain(table, delta);
+ if (chain == NULL)
+ return -EINVAL;
+ rule = XTSUB2(rule_to_xt2)(chain, iter, delta);
+ if (IS_ERR(rule))
+ return PTR_ERR(rule);
+ xt2_chain_append(rule);
+
+ for (hook = 0; hook < ARRAY_SIZE(repl->underflow); ++hook) {
+ if (!(table->valid_hooks & (1 << hook)))
+ continue;
+ if (delta == repl->underflow[hook]) {
+ table->underflow[hook] = rule;
+ break;
+ }
+ }
+ }
+
+ return 0;
+}
--
1.6.3.3
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 064/103] netfilter: xtables2: xt2->xt1 translation - GET_INFO support
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (62 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 063/103] netfilter: xtables2: initial xt1->xt2 translation for tables Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 065/103] netfilter: xtables2: xt2->xt1 translation - GET_ENTRIES support Jan Engelhardt
` (40 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Part 1 of the backwards translation. Calculates size and
hook_entry/underflow points.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 28 ++++++++
net/ipv6/netfilter/ip6_tables.c | 41 +++++++++++-
net/netfilter/xt1_support.c | 123 ++++++++++++++++++++++++++++++++++++
3 files changed, 190 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index cf8e65e..0c9d64f 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -414,6 +414,26 @@ struct xt_table_info
void *entries[1];
};
+/**
+ * xt1 size definitions
+ *
+ * @marker_size: size of a user-chain and end-of-ruleset marker
+ * @entry_hdr_size: size of struct ip6t_entry
+ * @pmatch_size: size of struct ip6t_ip6
+ * @first_match: required name of the first match
+ * @ematch_size: size of the ematch header
+ * @etarget_size: size of the etarget header
+ * @standard_tgsize: size of the complete standard target, includes
+ * etarget_size and alignment padding
+ */
+struct xt1_xlat_info {
+ unsigned int marker_size;
+ unsigned int entry_hdr_size, pmatch_size;
+ unsigned int ematch_size, etarget_size;
+ unsigned int standard_tgsize;
+ const char *first_match;
+};
+
/*
* The use of low negative numbers means we can use IS_ERR()
* (See xt2_special_target below.)
@@ -693,6 +713,9 @@ extern void *xt_repldata_create(const struct xt_table *);
extern struct xt2_chain *xts_lookup_chain(const struct xt2_table *,
unsigned int);
+extern unsigned int xts_blob_prep_table(const struct xt2_table *,
+ const struct xt1_xlat_info *, unsigned int *, unsigned int *,
+ unsigned int *);
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
extern int xt2_rule_add_match(struct xt2_rule *, const char *, uint8_t,
@@ -715,6 +738,11 @@ extern unsigned int xt2_do_table(struct sk_buff *, unsigned int,
const struct net_device *, const struct net_device *,
const struct xt2_table *);
+static inline bool xt2_builtin_chain(const struct xt2_chain *c)
+{
+ return *c->name == '\0';
+}
+
static inline bool xt2_special_target(const struct xt_target *t)
{
return IS_ERR(t);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index edb00ad..8dc507d 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1164,10 +1164,36 @@ static int compat_table_info(const struct xt_table_info *info,
}
#endif
+static const struct xt1_xlat_info ip6t_xlat_info = {
+ .marker_size = sizeof(struct ip6t_error_target),
+ .entry_hdr_size = sizeof(struct ip6t_entry),
+ .pmatch_size = sizeof(struct ip6t_ip6),
+ .first_match = "ipv6",
+ .ematch_size = sizeof(struct xt_entry_match),
+ .etarget_size = sizeof(struct xt_entry_target),
+ .standard_tgsize = XT_ALIGN(sizeof(struct xt_entry_target) +
+ sizeof(int)),
+};
+
+static int ip6t2_get_info(void __user *uptr, int len,
+ const struct xt2_table *table)
+{
+ struct ip6t_getinfo info = {
+ .valid_hooks = table->valid_hooks,
+ };
+
+ strncpy(info.name, table->name,
+ min(sizeof(info.name), sizeof(table->name)));
+ info.size = xts_blob_prep_table(table, &ip6t_xlat_info,
+ info.hook_entry, info.underflow, &info.num_entries);
+ return (copy_to_user(uptr, &info, sizeof(info)) != 0) ? -EFAULT : 0;
+}
+
static int get_info(struct net *net, void __user *user,
const int *len, int compat)
{
char name[IP6T_TABLE_MAXNAMELEN];
+ struct xt2_table *xt2_table;
struct xt_table *t;
int ret;
@@ -1181,12 +1207,23 @@ static int get_info(struct net *net, void __user *user,
return -EFAULT;
name[IP6T_TABLE_MAXNAMELEN-1] = '\0';
+ t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
+ "ip6table_%s", name);
+ xt2_table = xt2_table_lookup(net, name, NFPROTO_IPV6,
+ XT2_TAKE_RCULOCK);
+ if (xt2_table != NULL) {
+ ret = ip6t2_get_info(user, *len, xt2_table);
+ rcu_read_unlock();
+ if (t != NULL)
+ module_put(t->me);
+ return ret;
+ }
+ rcu_read_unlock();
+
#ifdef CONFIG_COMPAT
if (compat)
xt_compat_lock(AF_INET6);
#endif
- t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
- "ip6table_%s", name);
if (t && !IS_ERR(t)) {
struct ip6t_getinfo info;
const struct xt_table_info *private = t->private;
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
index d15bfb7..5900880 100644
--- a/net/netfilter/xt1_support.c
+++ b/net/netfilter/xt1_support.c
@@ -7,7 +7,9 @@
* the Free Software Foundation, either version 2 of the License, or
* (at your option) any later version.
*/
+#include <linux/list.h>
#include <linux/module.h>
+#include <linux/rcupdate.h>
#include <linux/netfilter/x_tables.h>
/**
@@ -34,4 +36,125 @@ xts_lookup_chain(const struct xt2_table *table, unsigned int needle)
}
EXPORT_SYMBOL_GPL(xts_lookup_chain);
+/**
+ * get pointer to quota ematches
+ *
+ * Also used for the xt2->xt1 converter. Generalized matches run until the two
+ * last quota matches.
+ */
+static const struct xt2_entry_match *
+xts_rule_quota_ptr(const struct xt2_rule *rule)
+{
+ const struct xt2_entry_match *ematch;
+
+ /* Need at least two ematches */
+ if (list_empty(&rule->match_list) ||
+ rule->match_list.next->next == &rule->match_list)
+ return NULL;
+
+ /* Now need exactly two trailing quota matches */
+ ematch = list_entry(rule->match_list.prev, typeof(*ematch), anchor);
+ if (strcmp(ematch->ext->name, "quota") != 0 &&
+ ematch->ext->revision != 3)
+ return NULL;
+ ematch = list_entry(ematch->anchor.prev, typeof(*ematch), anchor);
+ if (strcmp(ematch->ext->name, "quota") != 0 &&
+ ematch->ext->revision != 3)
+ return NULL;
+ return ematch;
+}
+
+static int
+xts_blob_prep_rule(const struct xt2_rule *rule, const struct xt1_xlat_info *io,
+ unsigned int *underflow, unsigned int z)
+{
+ const struct xt2_table *table = rule->chain->table;
+ const struct xt2_entry_match *ematch, *quota_stop;
+ const struct xt2_entry_target *etarget;
+ unsigned int h;
+
+ /* Quota check implies ematch list empty check. */
+ quota_stop = xts_rule_quota_ptr(rule);
+ if (quota_stop == NULL)
+ return -EIO;
+
+ /* Must have exactly one target */
+ if (list_empty(&rule->target_list) ||
+ rule->target_list.next->next != &rule->target_list)
+ return -EIO;
+
+ ematch = list_first_entry(&rule->match_list,
+ typeof(*ematch), anchor);
+ if (strcmp(ematch->ext->name, io->first_match) != 0)
+ return -EIO;
+
+ /* Do underflow assign first before @z is increased. */
+ for (h = 0; h < ARRAY_SIZE(table->underflow); ++h)
+ if (rule == table->underflow[h])
+ underflow[h] = z;
+
+ /* Subtracting, because it will already be added in the loop. */
+ z += io->entry_hdr_size - io->ematch_size - io->pmatch_size;
+
+ list_for_each_entry(ematch, &rule->match_list, anchor) {
+ if (ematch == quota_stop)
+ /* quotas included in entry_hdr */
+ break;
+ z += io->ematch_size + ematch->dsize;
+ }
+
+ etarget = list_first_entry(&rule->target_list,
+ typeof(*etarget), anchor);
+ z += xt2_special_target(etarget->ext) ? io->standard_tgsize :
+ io->etarget_size + XT_ALIGN(etarget->ext->targetsize);
+ return z;
+}
+
+/**
+ * - calculate details for GETINFO ioctl from xt2 table
+ * @table: the xt2 table
+ * @io: info block on blob's field sizes
+ *
+ * Calculate the details for a GETINFO ioctl from the supplied xt2 table.
+ * Returns -1 if the table cannot be converted to an xt1 blob without
+ * loss of information.
+ */
+unsigned int
+xts_blob_prep_table(const struct xt2_table *table,
+ const struct xt1_xlat_info *io,
+ unsigned int *hook_entry, unsigned int *underflow,
+ unsigned int *entries_ptr)
+{
+ const struct xt2_chain *chain;
+ const struct xt2_rule *rule;
+ unsigned int hook, entries = 0;
+ int z = 0;
+
+ rcu_read_lock();
+ list_for_each_entry(chain, &table->chain_list, anchor) {
+ for (hook = 0; hook < ARRAY_SIZE(table->entrypoint); ++hook)
+ if (table->entrypoint[hook] == chain)
+ hook_entry[hook] = z;
+
+ if (!xt2_builtin_chain(chain)) {
+ z += io->entry_hdr_size + io->marker_size;
+ ++entries;
+ }
+
+ list_for_each_entry(rule, &chain->rule_list, anchor) {
+ ++entries;
+ z = xts_blob_prep_rule(rule, io, underflow, z);
+ if (z < 0)
+ return z;
+ }
+ }
+ rcu_read_unlock();
+
+ /* Table terminator */
+ z += io->entry_hdr_size + io->marker_size;
+ *entries_ptr = ++entries;
+ return z;
+}
+EXPORT_SYMBOL_GPL(xts_blob_prep_table);
+
MODULE_LICENSE("GPL");
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 065/103] netfilter: xtables2: xt2->xt1 translation - GET_ENTRIES support
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (63 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 064/103] netfilter: xtables2: xt2->xt1 translation - GET_INFO support Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 066/103] netfilter: xtables2: xt1->xt2 translation - SET_REPLACE support Jan Engelhardt
` (39 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
With this, `ip6tables -L` can display xt2 tables (if they are
representable in the old format, otherwise returns -EIO).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 37 +++++++++-
include/linux/netfilter/xt_quota.h | 11 +++
net/ipv6/netfilter/ip6_tables.c | 13 +++-
net/netfilter/x_tables.c | 1 +
net/netfilter/xt1_support.c | 106 +++++++++++++++++++++++---
net/netfilter/xt1_translat.c | 146 ++++++++++++++++++++++++++++++++++++
net/netfilter/xt_quota.c | 9 --
7 files changed, 300 insertions(+), 23 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 0c9d64f..589e0dc 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -543,6 +543,7 @@ enum {
* @entrypoint: start chains for hooks
* @underflow: base chain policy (rule)
* @owner: encompassing module
+ * @xt1_lock: lock for updating chains' xt1_offset
*/
struct xt2_table {
struct list_head chain_list;
@@ -557,6 +558,8 @@ struct xt2_table {
const struct xt2_chain *entrypoint[NF_INET_NUMHOOKS];
const struct xt2_rule *underflow[NF_INET_NUMHOOKS];
struct module *owner;
+
+ struct mutex xt1_lock;
};
/**
@@ -713,9 +716,17 @@ extern void *xt_repldata_create(const struct xt_table *);
extern struct xt2_chain *xts_lookup_chain(const struct xt2_table *,
unsigned int);
-extern unsigned int xts_blob_prep_table(const struct xt2_table *,
+extern const struct xt2_entry_match *
+ xts_rule_quota_ptr(const struct xt2_rule *);
+extern void xts_rule_get_quota(const struct xt2_entry_match *,
+ uint64_t *, uint64_t *);
+extern unsigned int xts_blob_prep_table(struct xt2_table *,
const struct xt1_xlat_info *, unsigned int *, unsigned int *,
unsigned int *);
+extern int xts_starget_to_xt1(void __user **, int *, unsigned int *,
+ const struct xt2_entry_target *, const struct xt1_xlat_info *);
+extern int xts_target_to_xt1(void __user **, int *, unsigned int *,
+ const struct xt2_entry_target *);
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
extern int xt2_rule_add_match(struct xt2_rule *, const char *, uint8_t,
@@ -738,6 +749,30 @@ extern unsigned int xt2_do_table(struct sk_buff *, unsigned int,
const struct net_device *, const struct net_device *,
const struct xt2_table *);
+/**
+ * @pptr: user pointer
+ * @rem: remaining bytes in user area
+ * @data: source data
+ * @dsize: size of @data
+ * @z: bytes written so far
+ *
+ * Copy @data to userspace, advance pointer and offset,
+ * reduce remaining counter.
+ */
+static inline int
+xts_copy_to_user(void __user **pptr, int *rem, const void *data,
+ unsigned int dsize, unsigned int *z)
+{
+ if (*rem < dsize)
+ return -ENOSPC;
+ if (copy_to_user(*pptr, data, dsize) != 0)
+ return -EFAULT;
+ *pptr += dsize;
+ *z += dsize;
+ *rem -= dsize;
+ return 0;
+}
+
static inline bool xt2_builtin_chain(const struct xt2_chain *c)
{
return *c->name == '\0';
diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h
index f14e36d..7538cd2 100644
--- a/include/linux/netfilter/xt_quota.h
+++ b/include/linux/netfilter/xt_quota.h
@@ -32,4 +32,15 @@ struct xt_quota_mtinfo3 {
struct xt_quota_counter *master __attribute__((aligned(8)));
};
+#ifdef __KERNEL__
+struct xt_quota_counter {
+ u_int64_t quota;
+ spinlock_t lock;
+ struct list_head list;
+ atomic_t ref;
+ char name[sizeof(((struct xt_quota_mtinfo3 *)NULL)->name)];
+ struct proc_dir_entry *procfs_entry;
+};
+#endif
+
#endif /* _XT_QUOTA_H */
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 8dc507d..7f722a8 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1176,7 +1176,7 @@ static const struct xt1_xlat_info ip6t_xlat_info = {
};
static int ip6t2_get_info(void __user *uptr, int len,
- const struct xt2_table *table)
+ struct xt2_table *table)
{
struct ip6t_getinfo info = {
.valid_hooks = table->valid_hooks,
@@ -1267,6 +1267,7 @@ get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
{
int ret;
struct ip6t_get_entries get;
+ struct xt2_table *xt2_table;
struct xt_table *t;
if (*len < sizeof(get)) {
@@ -1281,6 +1282,16 @@ get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
return -EINVAL;
}
+ xt2_table = xt2_table_lookup(net, get.name, NFPROTO_IPV6,
+ XT2_TAKE_RCULOCK);
+ if (xt2_table != NULL) {
+ ret = ip6t2_table_to_xt1(uptr->entrytable, get.size,
+ xt2_table, &ip6t_xlat_info);
+ rcu_read_unlock();
+ return ret;
+ }
+ rcu_read_unlock();
+
t = xt_find_table_lock(net, AF_INET6, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index f8ff821..d19eb56 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1636,6 +1636,7 @@ struct xt2_table *xt2_table_new(void)
return NULL;
INIT_LIST_HEAD(&table->chain_list);
+ mutex_init(&table->xt1_lock);
return table;
}
EXPORT_SYMBOL_GPL(xt2_table_new);
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
index 5900880..d2124a3 100644
--- a/net/netfilter/xt1_support.c
+++ b/net/netfilter/xt1_support.c
@@ -11,6 +11,7 @@
#include <linux/module.h>
#include <linux/rcupdate.h>
#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_quota.h>
/**
* @table: table to search in
@@ -42,7 +43,7 @@ EXPORT_SYMBOL_GPL(xts_lookup_chain);
* Also used for the xt2->xt1 converter. Generalized matches run until the two
* last quota matches.
*/
-static const struct xt2_entry_match *
+const struct xt2_entry_match *
xts_rule_quota_ptr(const struct xt2_rule *rule)
{
const struct xt2_entry_match *ematch;
@@ -63,6 +64,29 @@ xts_rule_quota_ptr(const struct xt2_rule *rule)
return NULL;
return ematch;
}
+EXPORT_SYMBOL_GPL(xts_rule_quota_ptr);
+
+/**
+ * @ematch: pointer to appropriate quota ematch (obtained from
+ * xt1_rule_quota_ptr)
+ */
+void xts_rule_get_quota(const struct xt2_entry_match *ematch,
+ uint64_t *bytes, uint64_t *pkts)
+{
+ const struct xt_quota_mtinfo3 *q;
+
+ /* Bytes */
+ q = ematch->data;
+ spin_lock_bh(&q->master->lock);
+ *bytes = q->master->quota;
+ spin_unlock_bh(&q->master->lock);
+ /* Packets */
+ q = list_entry(ematch->anchor.next, typeof(*ematch), anchor)->data;
+ spin_lock_bh(&q->master->lock);
+ *pkts = q->master->quota;
+ spin_unlock_bh(&q->master->lock);
+}
+EXPORT_SYMBOL_GPL(xts_rule_get_quota);
static int
xts_blob_prep_rule(const struct xt2_rule *rule, const struct xt1_xlat_info *io,
@@ -89,9 +113,10 @@ xts_blob_prep_rule(const struct xt2_rule *rule, const struct xt1_xlat_info *io,
return -EIO;
/* Do underflow assign first before @z is increased. */
- for (h = 0; h < ARRAY_SIZE(table->underflow); ++h)
- if (rule == table->underflow[h])
- underflow[h] = z;
+ if (underflow != NULL)
+ for (h = 0; h < ARRAY_SIZE(table->underflow); ++h)
+ if (rule == table->underflow[h])
+ underflow[h] = z;
/* Subtracting, because it will already be added in the loop. */
z += io->entry_hdr_size - io->ematch_size - io->pmatch_size;
@@ -120,22 +145,25 @@ xts_blob_prep_rule(const struct xt2_rule *rule, const struct xt1_xlat_info *io,
* loss of information.
*/
unsigned int
-xts_blob_prep_table(const struct xt2_table *table,
- const struct xt1_xlat_info *io,
+xts_blob_prep_table(struct xt2_table *table, const struct xt1_xlat_info *io,
unsigned int *hook_entry, unsigned int *underflow,
unsigned int *entries_ptr)
{
- const struct xt2_chain *chain;
+ struct xt2_chain *chain;
const struct xt2_rule *rule;
unsigned int hook, entries = 0;
int z = 0;
rcu_read_lock();
list_for_each_entry(chain, &table->chain_list, anchor) {
- for (hook = 0; hook < ARRAY_SIZE(table->entrypoint); ++hook)
- if (table->entrypoint[hook] == chain)
- hook_entry[hook] = z;
-
+ if (hook_entry != NULL)
+ for (hook = 0; hook < ARRAY_SIZE(table->entrypoint);
+ ++hook)
+ if (table->entrypoint[hook] == chain)
+ hook_entry[hook] = z;
+
+ /* Caller needs to take xt1_lock if xt1_offset is needed. */
+ chain->xt1_offset = z;
if (!xt2_builtin_chain(chain)) {
z += io->entry_hdr_size + io->marker_size;
++entries;
@@ -152,9 +180,63 @@ xts_blob_prep_table(const struct xt2_table *table,
/* Table terminator */
z += io->entry_hdr_size + io->marker_size;
- *entries_ptr = ++entries;
+ if (entries_ptr != NULL)
+ *entries_ptr = ++entries;
return z;
}
EXPORT_SYMBOL_GPL(xts_blob_prep_table);
+int xts_starget_to_xt1(void __user **user_ptr, int *len, unsigned int *z,
+ const struct xt2_entry_target *etarget,
+ const struct xt1_xlat_info *io)
+{
+ struct xt_standard_target blob = {
+ .target.u.user = {
+ .target_size = io->standard_tgsize,
+ .revision = 0,
+ },
+ };
+
+ strncpy(blob.target.u.user.name, XT_STANDARD_TARGET,
+ sizeof(blob.target.u.user.name));
+ if (etarget->ext == XT2_FINAL_VERDICT) {
+ if (etarget->verdict == XT_CONTINUE)
+ blob.verdict = *z + io->standard_tgsize;
+ else if (etarget->verdict == XT_RETURN)
+ blob.verdict = XT_RETURN;
+ else
+ blob.verdict = -etarget->verdict - 1;
+ } else if (etarget->ext == XT2_ACTION_GOTO) {
+ blob.verdict = etarget->r_goto->xt1_offset;
+ } else if (etarget->ext == XT2_ACTION_JUMP) {
+ blob.verdict = etarget->r_jump->xt1_offset;
+ } else {
+ return -EIO;
+ }
+ return xts_copy_to_user(user_ptr, len, &blob, io->standard_tgsize, z);
+}
+EXPORT_SYMBOL_GPL(xts_starget_to_xt1);
+
+int xts_target_to_xt1(void __user **user_ptr, int *len, unsigned int *z,
+ const struct xt2_entry_target *etarget)
+{
+ int ret;
+ struct xt_entry_target blob = {
+ .u.user = {
+ .target_size = sizeof(blob) +
+ XT_ALIGN(etarget->ext->targetsize),
+ .revision = etarget->ext->revision,
+ },
+ };
+
+ strncpy(blob.u.user.name, etarget->ext->name,
+ sizeof(blob.u.user.name));
+ ret = xts_copy_to_user(user_ptr, len, &blob, sizeof(blob), z);
+ if (ret < 0)
+ return ret;
+ return xts_copy_to_user(user_ptr, len, etarget->data,
+ XT_ALIGN(etarget->ext->targetsize), z);
+}
+EXPORT_SYMBOL_GPL(xts_target_to_xt1);
+
MODULE_LICENSE("GPL");
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index a1663ba..f0a9c4d 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -290,3 +290,149 @@ static int XTSUB2(table_to_xt2)(struct xt2_table *table, void *entry0,
return 0;
}
+
+static int
+XTSUB2(marker_to_xt1)(void __user **user_pptr, int *len,
+ const struct xt2_chain *chain, unsigned int *z)
+{
+ /*
+ * Must write structs separately, or otherwise there is padding between
+ * (compat_)xtsub_entry and xtsub_error_target.
+ */
+ struct xtsub_error_target target = {
+ .target.u.user = {
+ .target_size = sizeof(target),
+ .name = "ERROR",
+ .revision = 0,
+ },
+ };
+ struct xtsub_entry entry = {
+ .target_offset = sizeof(entry),
+ .next_offset = sizeof(entry) + sizeof(target),
+ };
+ int ret;
+
+ strncpy(target.errorname, chain->name,
+ min(sizeof(target.errorname), sizeof(chain->name)));
+ ret = xts_copy_to_user(user_pptr, len, &entry, sizeof(entry), z);
+ if (ret < 0)
+ return ret;
+ return xts_copy_to_user(user_pptr, len, &target, sizeof(target), z);
+}
+
+static int
+XTSUB2(rule_to_xt1)(void __user **user_ptr, int *len, unsigned int *z,
+ const struct xt2_rule *rule,
+ const struct xt1_xlat_info *io)
+{
+ const struct xt2_entry_match *ematch, *quota_ematch;
+ const struct xt2_entry_target *etarget;
+ struct xtsub_entry entry;
+ void __user *entry_uptr;
+ unsigned int z_start;
+ int ret;
+
+ quota_ematch = xts_rule_quota_ptr(rule);
+ if (quota_ematch == NULL)
+ return -EIO;
+
+ /* Must have exactly one target */
+ if (list_empty(&rule->target_list) ||
+ rule->target_list.next->next != &rule->target_list)
+ return -EIO;
+
+ /* Entry master */
+ z_start = *z;
+ ematch = list_first_entry(&rule->match_list,
+ typeof(*ematch), anchor);
+#ifdef XTSUB_NFPROTO_IPV6
+ if (strcmp(ematch->ext->name, "ipv6") != 0)
+ return -EIO;
+ memcpy(&entry.ipv6, ematch->data, sizeof(entry.ipv6));
+#endif
+ entry.comefrom = rule->chain->comefrom;
+ entry.nfcache = 0;
+ xts_rule_get_quota(quota_ematch, &entry.counters.bcnt,
+ &entry.counters.pcnt);
+
+ /* Remember offset for entry header for later update of offsets. */
+ entry_uptr = *user_ptr;
+ ret = xts_copy_to_user(user_ptr, len, &entry, sizeof(entry), z);
+ if (ret < 0)
+ return ret;
+
+ list_for_each_entry_continue(ematch, &rule->match_list, anchor) {
+ struct xt_entry_match blob;
+
+ if (ematch == quota_ematch)
+ break;
+
+ blob.u.match_size = sizeof(blob) + ematch->dsize;
+ blob.u.user.revision = ematch->ext->revision;
+ strncpy(blob.u.user.name, ematch->ext->name,
+ sizeof(blob.u.user.name));
+ ret = xts_copy_to_user(user_ptr, len, &blob, sizeof(blob), z);
+ if (ret < 0)
+ return ret;
+ ret = xts_copy_to_user(user_ptr, len, ematch->data,
+ ematch->dsize, z);
+ if (ret < 0)
+ return ret;
+ }
+
+ /* target and next offsets are relative to the start of the entry. */
+ entry.target_offset = *z - z_start;
+
+ list_for_each_entry(etarget, &rule->target_list, anchor) {
+ ret = xt2_special_target(etarget->ext) ?
+ xts_starget_to_xt1(user_ptr, len, z, etarget, io) :
+ xts_target_to_xt1(user_ptr, len, z, etarget);
+ if (ret < 0)
+ return ret;
+ }
+
+ entry.next_offset = *z - z_start;
+ return copy_to_user(entry_uptr, &entry, sizeof(entry));
+}
+
+static int
+XTSUB2(table_to_xt1)(void __user *user_ptr, int len, struct xt2_table *table,
+ const struct xt1_xlat_info *io)
+{
+ static const struct xt2_chain terminator = {.name = "ERROR"};
+ static const uint32_t filler = ~0U;
+ const struct xt2_rule *rule;
+ struct xt2_chain *chain;
+ unsigned int z = 0;
+ int i, ret;
+
+ for (i = 0; i <= len - sizeof(filler); i += sizeof(filler))
+ copy_to_user(user_ptr + i, &filler, sizeof(filler));
+
+ ret = mutex_lock_interruptible(&table->xt1_lock);
+ if (ret < 0)
+ return ret;
+
+ /* Calculate chain offsets. */
+ xts_blob_prep_table(table, io, NULL, NULL, NULL);
+
+ list_for_each_entry(chain, &table->chain_list, anchor) {
+ if (!xt2_builtin_chain(chain)) {
+ ret = XTSUB2(marker_to_xt1)(&user_ptr,
+ &len, chain, &z);
+ if (ret < 0)
+ goto out;
+ }
+ list_for_each_entry(rule, &chain->rule_list, anchor) {
+ ret = XTSUB2(rule_to_xt1)(&user_ptr, &len, &z,
+ rule, io);
+ if (ret < 0)
+ goto out;
+ }
+ }
+
+ ret = XTSUB2(marker_to_xt1)(&user_ptr, &len, &terminator, &z);
+ out:
+ mutex_unlock(&table->xt1_lock);
+ return ret;
+}
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 33ce76a..69c8659 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -16,15 +16,6 @@ struct xt_quota_priv {
uint64_t quota;
};
-struct xt_quota_counter {
- u_int64_t quota;
- spinlock_t lock;
- struct list_head list;
- atomic_t ref;
- char name[sizeof(((struct xt_quota_mtinfo3 *)NULL)->name)];
- struct proc_dir_entry *procfs_entry;
-};
-
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Sam Johnston <samj@samj.net>");
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 066/103] netfilter: xtables2: xt1->xt2 translation - SET_REPLACE support
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (64 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 065/103] netfilter: xtables2: xt2->xt1 translation - GET_ENTRIES support Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 067/103] netfilter: xtables2: return counters after SET_REPLACE Jan Engelhardt
` (38 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Support table replacement from userspace. Currently without
returning counters.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 3 ++
net/ipv6/netfilter/ip6_tables.c | 9 ++++++
net/netfilter/x_tables.c | 3 +-
net/netfilter/xt1_support.c | 28 +++++++++++++++++++
net/netfilter/xt1_translat.c | 52 ++++++++++++++++++++++++++++++++++++
5 files changed, 94 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 589e0dc..9514002 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -571,6 +571,8 @@ struct xt2_table_link {
struct xt2_table *table;
};
+extern const char *const xt_prefix[NFPROTO_NUMPROTO];
+
#define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
+ nr_cpu_ids * sizeof(char *))
extern int xt_register_target(struct xt_target *target);
@@ -727,6 +729,7 @@ extern int xts_starget_to_xt1(void __user **, int *, unsigned int *,
const struct xt2_entry_target *, const struct xt1_xlat_info *);
extern int xts_target_to_xt1(void __user **, int *, unsigned int *,
const struct xt2_entry_target *);
+extern int xts_table_replace(struct net *, struct xt2_table *);
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
extern int xt2_rule_add_match(struct xt2_rule *, const char *, uint8_t,
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 7f722a8..f6d4030 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -73,6 +73,7 @@ static int mark_source_chains(const struct xt_table_info *,
#define xtsub_entry ip6t_entry
#define xtsub_replace ip6t_replace
#define xtsub_error_target ip6t_error_target
+#define XTSUB_NFPROTO NFPROTO_IPV6
#define XTSUB_NFPROTO_IPV6 1
#define XTSUB(x) ip6t_ ## x
#define XTSUB2(x) ip6t2_ ## x
@@ -1398,6 +1399,14 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
return -EFAULT;
+ /*
+ * If the table goes away just moments later, no problem.
+ * Just dispatching here.
+ */
+ if (xt2_table_lookup(net, tmp.name,
+ NFPROTO_IPV6, XT2_NO_RCULOCK) != NULL)
+ return ip6t2_do_replace(net, user, len);
+
/* overflow check */
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index d19eb56..0895016 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -72,13 +72,14 @@ enum {
/* XT_CONTINUE = 0xFFFFFFFF, */ /* reminder (x_tables.h) */
};
-static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
+const char *const xt_prefix[NFPROTO_NUMPROTO] = {
[NFPROTO_UNSPEC] = "x",
[NFPROTO_IPV4] = "ip",
[NFPROTO_ARP] = "arp",
[NFPROTO_BRIDGE] = "eb",
[NFPROTO_IPV6] = "ip6",
};
+EXPORT_SYMBOL_GPL(xt_prefix);
/* Allow this many total entries. */
static unsigned int xt_jumpstack_multiplier = 2;
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
index d2124a3..d7270dc 100644
--- a/net/netfilter/xt1_support.c
+++ b/net/netfilter/xt1_support.c
@@ -239,4 +239,32 @@ int xts_target_to_xt1(void __user **user_ptr, int *len, unsigned int *z,
}
EXPORT_SYMBOL_GPL(xts_target_to_xt1);
+/**
+ * Load table module, check hook masks, replace table.
+ */
+int xts_table_replace(struct net *net, struct xt2_table *table)
+{
+ struct xt2_table *old_table;
+
+ old_table = try_then_request_module(xt2_table_lookup(net,
+ table->name, table->nfproto, XT2_TAKE_RCULOCK),
+ "%stable_%s", xt_prefix[table->nfproto], table->name);
+ if (old_table == NULL)
+ return -ENOENT;
+ if (table->valid_hooks != old_table->valid_hooks) {
+ pr_err("Invalid hook mix: 0x%x (old) vs 0x%x (new)\n",
+ old_table->valid_hooks, table->valid_hooks);
+ rcu_read_unlock();
+ return -EINVAL;
+ }
+ rcu_read_unlock();
+
+ old_table = xt2_table_replace(net, table);
+ if (IS_ERR(old_table))
+ return PTR_ERR(old_table);
+ xt2_table_destroy(NULL, old_table);
+ return 0;
+}
+EXPORT_SYMBOL_GPL(xts_table_replace);
+
MODULE_LICENSE("GPL");
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index f0a9c4d..af413f5 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -436,3 +436,55 @@ XTSUB2(table_to_xt1)(void __user *user_ptr, int len, struct xt2_table *table,
mutex_unlock(&table->xt1_lock);
return ret;
}
+
+static int
+XTSUB2(do_replace)(struct net *net, const void __user *user, unsigned int len)
+{
+ struct xtsub_replace repl;
+ struct xt2_table *table;
+ void *blob;
+ int ret;
+
+ if (copy_from_user(&repl, user, sizeof(repl)) != 0)
+ return -EFAULT;
+
+ /* overflow check */
+ if (repl.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
+
+#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
+ /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
+ if ((SMP_ALIGN(repl.size) >> PAGE_SHIFT) + 2 > num_physpages)
+ return -ENOMEM;
+#undef SMP_ALIGN
+
+ table = xt2_table_new();
+ if (table == NULL)
+ return -ENOMEM;
+ /* Need a writable copy for check_entry_and_size_hooks. */
+ ret = -ENOMEM;
+ blob = vmalloc(repl.size);
+ if (blob == NULL)
+ goto out;
+ if (copy_from_user(blob, user + sizeof(repl), repl.size) != 0) {
+ ret = -EFAULT;
+ goto out;
+ }
+ strncpy(table->name, repl.name, sizeof(table->name));
+ table->name[sizeof(table->name)-1] = '\0';
+ table->valid_hooks = repl.valid_hooks;
+ table->nfproto = XTSUB_NFPROTO;
+
+ ret = XTSUB2(table_to_xt2)(table, blob, &repl);
+ vfree(blob);
+ if (ret < 0)
+ goto out;
+ ret = xts_table_replace(net, table);
+ if (ret < 0)
+ goto out;
+ return 0;
+
+ out:
+ xt2_table_destroy(NULL, table);
+ return ret;
+}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 067/103] netfilter: xtables2: return counters after SET_REPLACE
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (65 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 066/103] netfilter: xtables2: xt1->xt2 translation - SET_REPLACE support Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 068/103] netfilter: xtables2: xt1->xt2 translation - ADD_COUNTERS support Jan Engelhardt
` (37 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 3 +-
net/netfilter/xt1_support.c | 58 ++++++++++++++++++++++++++++++++++-
net/netfilter/xt1_translat.c | 2 +-
3 files changed, 59 insertions(+), 4 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 9514002..a65a848 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -729,7 +729,8 @@ extern int xts_starget_to_xt1(void __user **, int *, unsigned int *,
const struct xt2_entry_target *, const struct xt1_xlat_info *);
extern int xts_target_to_xt1(void __user **, int *, unsigned int *,
const struct xt2_entry_target *);
-extern int xts_table_replace(struct net *, struct xt2_table *);
+extern int xts_table_replace(void __user *, unsigned int, struct net *,
+ struct xt2_table *);
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
extern int xt2_rule_add_match(struct xt2_rule *, const char *, uint8_t,
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
index d7270dc..9e66e25 100644
--- a/net/netfilter/xt1_support.c
+++ b/net/netfilter/xt1_support.c
@@ -240,11 +240,64 @@ int xts_target_to_xt1(void __user **user_ptr, int *len, unsigned int *z,
EXPORT_SYMBOL_GPL(xts_target_to_xt1);
/**
+ * @ptr: room for counters
+ * @cnum: maximum number of counters to copy
+ * @table: input xt2 table
+ */
+static int xts_put_counters(struct xt_counters __user *ptr, unsigned int cnum,
+ const struct xt2_table *table)
+{
+ const struct xt2_entry_match *ematch;
+ const struct xt2_chain *chain;
+ const struct xt2_rule *rule;
+ struct xt_counters ctinfo;
+ unsigned int i = 0;
+ int ret = 0;
+
+ rcu_read_lock();
+ list_for_each_entry(chain, &table->chain_list, anchor) {
+ if (i == cnum)
+ break;
+ if (!xt2_builtin_chain(chain)) {
+ ctinfo.bcnt = ctinfo.pcnt = 0;
+ ret = copy_to_user(&ptr[i++], &ctinfo, sizeof(ctinfo));
+ if (ret < 0)
+ goto out;
+ }
+
+ list_for_each_entry(rule, &chain->rule_list, anchor) {
+ if (i == cnum)
+ break;
+ ematch = xts_rule_quota_ptr(rule);
+ if (ematch == NULL) {
+ ret = -EIO;
+ goto out;
+ }
+ xts_rule_get_quota(ematch, &ctinfo.bcnt, &ctinfo.pcnt);
+ ret = copy_to_user(&ptr[i++], &ctinfo, sizeof(ctinfo));
+ if (ret < 0)
+ goto out;
+ }
+ }
+
+ if (i < cnum) {
+ /* end of ruleset marker: */
+ ctinfo.bcnt = ctinfo.pcnt = 0;
+ ret = copy_to_user(&ptr[i], &ctinfo, sizeof(ctinfo));
+ }
+ out:
+ rcu_read_unlock();
+ return ret;
+}
+
+/**
* Load table module, check hook masks, replace table.
*/
-int xts_table_replace(struct net *net, struct xt2_table *table)
+int xts_table_replace(void __user *counters_ptr, unsigned int num_counters,
+ struct net *net, struct xt2_table *table)
{
struct xt2_table *old_table;
+ int ret;
old_table = try_then_request_module(xt2_table_lookup(net,
table->name, table->nfproto, XT2_TAKE_RCULOCK),
@@ -262,8 +315,9 @@ int xts_table_replace(struct net *net, struct xt2_table *table)
old_table = xt2_table_replace(net, table);
if (IS_ERR(old_table))
return PTR_ERR(old_table);
+ ret = xts_put_counters(counters_ptr, num_counters, old_table);
xt2_table_destroy(NULL, old_table);
- return 0;
+ return ret;
}
EXPORT_SYMBOL_GPL(xts_table_replace);
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index af413f5..f88a72b 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -479,7 +479,7 @@ XTSUB2(do_replace)(struct net *net, const void __user *user, unsigned int len)
vfree(blob);
if (ret < 0)
goto out;
- ret = xts_table_replace(net, table);
+ ret = xts_table_replace(repl.counters, repl.num_counters, net, table);
if (ret < 0)
goto out;
return 0;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 068/103] netfilter: xtables2: xt1->xt2 translation - ADD_COUNTERS support
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (66 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 067/103] netfilter: xtables2: return counters after SET_REPLACE Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 069/103] netfilter: xtables2: xt2->xt1 translation - compat GET_INFO support Jan Engelhardt
` (36 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 2 +
net/ipv6/netfilter/ip6_tables.c | 11 ++++++
net/netfilter/xt1_support.c | 63 ++++++++++++++++++++++++++++++++++++
3 files changed, 76 insertions(+), 0 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index a65a848..dda97db 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -731,6 +731,8 @@ extern int xts_target_to_xt1(void __user **, int *, unsigned int *,
const struct xt2_entry_target *);
extern int xts_table_replace(void __user *, unsigned int, struct net *,
struct xt2_table *);
+extern int xts_get_counters(struct xt2_table *,
+ const struct xt_counters __user *, unsigned int);
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
extern int xt2_rule_add_match(struct xt2_rule *, const char *, uint8_t,
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index f6d4030..c4bcea6 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1215,6 +1215,7 @@ static int get_info(struct net *net, void __user *user,
if (xt2_table != NULL) {
ret = ip6t2_get_info(user, *len, xt2_table);
rcu_read_unlock();
+ module_put(xt2_table->owner);
if (t != NULL)
module_put(t->me);
return ret;
@@ -1459,6 +1460,7 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
int ret = 0;
const void *loc_cpu_entry;
struct ip6t_entry *iter;
+ struct xt2_table *xt2_table;
#ifdef CONFIG_COMPAT
struct compat_xt_counters_info compat_tmp;
@@ -1489,6 +1491,15 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
if (len != size + num_counters * sizeof(struct xt_counters))
return -EINVAL;
+ xt2_table = xt2_table_lookup(net, name, NFPROTO_IPV6,
+ XT2_TAKE_RCULOCK);
+ if (xt2_table != NULL) {
+ ret = xts_get_counters(xt2_table, user + size, num_counters);
+ rcu_read_unlock();
+ return ret;
+ }
+ rcu_read_unlock();
+
paddc = vmalloc_node(len - size, numa_node_id());
if (!paddc)
return -ENOMEM;
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
index 9e66e25..380c3da 100644
--- a/net/netfilter/xt1_support.c
+++ b/net/netfilter/xt1_support.c
@@ -88,6 +88,23 @@ void xts_rule_get_quota(const struct xt2_entry_match *ematch,
}
EXPORT_SYMBOL_GPL(xts_rule_get_quota);
+static void xts_rule_set_quota(const struct xt2_entry_match *ematch,
+ uint64_t bytes, uint64_t pkts)
+{
+ const struct xt_quota_mtinfo3 *q;
+
+ /* Bytes */
+ q = ematch->data;
+ spin_lock_bh(&q->master->lock);
+ q->master->quota = bytes;
+ spin_unlock_bh(&q->master->lock);
+ /* Packets */
+ q = list_entry(ematch->anchor.next, typeof(*ematch), anchor)->data;
+ spin_lock_bh(&q->master->lock);
+ q->master->quota = pkts;
+ spin_unlock_bh(&q->master->lock);
+}
+
static int
xts_blob_prep_rule(const struct xt2_rule *rule, const struct xt1_xlat_info *io,
unsigned int *underflow, unsigned int z)
@@ -321,4 +338,50 @@ int xts_table_replace(void __user *counters_ptr, unsigned int num_counters,
}
EXPORT_SYMBOL_GPL(xts_table_replace);
+/**
+ * @table: xt2 table with rules to modify
+ * @ptr: source counter array
+ * @cnum: maximum number of counters to read
+ */
+int xts_get_counters(struct xt2_table *table,
+ const struct xt_counters __user *ptr, unsigned int cnum)
+{
+ const struct xt2_entry_match *ematch;
+ const struct xt2_chain *chain;
+ const struct xt2_rule *rule;
+ struct xt_counters ctinfo;
+ unsigned int i = 0;
+ int ret = 0;
+
+ rcu_read_lock();
+ list_for_each_entry(chain, &table->chain_list, anchor) {
+ if (i == cnum)
+ break;
+ if (!xt2_builtin_chain(chain))
+ /* Skip counters for start-of-chain marker */
+ ++i;
+
+ list_for_each_entry(rule, &chain->rule_list, anchor) {
+ if (i == cnum)
+ break;
+ ematch = xts_rule_quota_ptr(rule);
+ if (ematch == NULL) {
+ ret = -EIO;
+ goto out;
+ }
+ ret = copy_from_user(&ctinfo, &ptr[i++],
+ sizeof(ctinfo));
+ if (ret < 0)
+ goto out;
+ xts_rule_set_quota(ematch, ctinfo.bcnt, ctinfo.pcnt);
+ }
+ }
+
+ /* Ignore EOR marker or additional counters. */
+ out:
+ rcu_read_unlock();
+ return ret;
+}
+EXPORT_SYMBOL_GPL(xts_get_counters);
+
MODULE_LICENSE("GPL");
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 069/103] netfilter: xtables2: xt2->xt1 translation - compat GET_INFO support
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (67 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 068/103] netfilter: xtables2: xt1->xt2 translation - ADD_COUNTERS support Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 070/103] netfilter: xtables: use compat_u64 inside struct compat_xt_counters Jan Engelhardt
` (35 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv6/netfilter/ip6_tables.c | 22 ++++++++++++++++++----
1 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index c4bcea6..2f14ef4 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1165,8 +1165,21 @@ static int compat_table_info(const struct xt_table_info *info,
}
#endif
+static const struct xt1_xlat_info ip6t_compat_xlat_info = {
+#ifdef CONFIG_COMPAT
+ .marker_size = COMPAT_XT_ALIGN(sizeof(struct ip6t_error_target)),
+ .entry_hdr_size = sizeof(struct compat_ip6t_entry),
+ .pmatch_size = sizeof(struct ip6t_ip6),
+ .first_match = "ipv6",
+ .ematch_size = sizeof(struct xt_entry_match),
+ .etarget_size = sizeof(struct xt_entry_target),
+ .standard_tgsize = COMPAT_XT_ALIGN(sizeof(struct xt_entry_target) +
+ sizeof(compat_uint_t)),
+#endif
+};
+
static const struct xt1_xlat_info ip6t_xlat_info = {
- .marker_size = sizeof(struct ip6t_error_target),
+ .marker_size = XT_ALIGN(sizeof(struct ip6t_error_target)),
.entry_hdr_size = sizeof(struct ip6t_entry),
.pmatch_size = sizeof(struct ip6t_ip6),
.first_match = "ipv6",
@@ -1177,7 +1190,7 @@ static const struct xt1_xlat_info ip6t_xlat_info = {
};
static int ip6t2_get_info(void __user *uptr, int len,
- struct xt2_table *table)
+ struct xt2_table *table, bool compat)
{
struct ip6t_getinfo info = {
.valid_hooks = table->valid_hooks,
@@ -1185,7 +1198,8 @@ static int ip6t2_get_info(void __user *uptr, int len,
strncpy(info.name, table->name,
min(sizeof(info.name), sizeof(table->name)));
- info.size = xts_blob_prep_table(table, &ip6t_xlat_info,
+ info.size = xts_blob_prep_table(table,
+ compat ? &ip6t_compat_xlat_info : &ip6t_xlat_info,
info.hook_entry, info.underflow, &info.num_entries);
return (copy_to_user(uptr, &info, sizeof(info)) != 0) ? -EFAULT : 0;
}
@@ -1213,7 +1227,7 @@ static int get_info(struct net *net, void __user *user,
xt2_table = xt2_table_lookup(net, name, NFPROTO_IPV6,
XT2_TAKE_RCULOCK);
if (xt2_table != NULL) {
- ret = ip6t2_get_info(user, *len, xt2_table);
+ ret = ip6t2_get_info(user, *len, xt2_table, compat);
rcu_read_unlock();
module_put(xt2_table->owner);
if (t != NULL)
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 070/103] netfilter: xtables: use compat_u64 inside struct compat_xt_counters
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (68 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 069/103] netfilter: xtables2: xt2->xt1 translation - compat GET_INFO support Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 071/103] netfilter: ip6tables: move mark_chains to xt1_perproto.c Jan Engelhardt
` (34 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
It is better for the xt1_perproto.c "template" code when the fields
have the same name as struct xt_counters. To that end, we can just
use compat_u64 instead of having to hack with uint32_t.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 6 +-----
1 files changed, 1 insertions(+), 5 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index dda97db..7e88120 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -856,11 +856,7 @@ struct compat_xt_entry_target
struct compat_xt_counters
{
-#if defined(CONFIG_X86_64) || defined(CONFIG_IA64)
- u_int32_t cnt[4];
-#else
- u_int64_t cnt[2];
-#endif
+ compat_u64 bcnt, pcnt;
};
struct compat_xt_counters_info
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 071/103] netfilter: ip6tables: move mark_chains to xt1_perproto.c
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (69 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 070/103] netfilter: xtables: use compat_u64 inside struct compat_xt_counters Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 072/103] netfilter: xtables2: xt2<->xt1 translation - compat GET_ENTRIES/SET_REPLACE support Jan Engelhardt
` (33 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
In xt2, the xt1compat blob is not translated into xt1 anymore, but
directly to xt2. So we need a mark_chains that handles struct
compat_ip6t_entry.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv6/netfilter/ip6_tables.c | 119 +--------------------------------------
net/netfilter/xt1_translat.c | 111 ++++++++++++++++++++++++++++++++++++-
2 files changed, 112 insertions(+), 118 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 2f14ef4..464930a 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -67,9 +67,6 @@ do { \
#define inline
#endif
-static int mark_source_chains(const struct xt_table_info *,
- unsigned int, void *);
-
#define xtsub_entry ip6t_entry
#define xtsub_replace ip6t_replace
#define xtsub_error_target ip6t_error_target
@@ -556,118 +553,6 @@ ip6t_do_table(struct sk_buff *skb,
#endif
}
-/* Figures out from what hook each rule can be called: returns 0 if
- there are loops. Puts hook bitmask in comefrom. */
-static int
-mark_source_chains(const struct xt_table_info *newinfo,
- unsigned int valid_hooks, void *entry0)
-{
- unsigned int hook;
-
- /* No recursion; use packet counter to save back ptrs (reset
- to 0 as we leave), and comefrom to save source hook bitmask */
- for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
- unsigned int pos = newinfo->hook_entry[hook];
- struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
-
- if (!(valid_hooks & (1 << hook)))
- continue;
-
- /* Set initial back pointer. */
- e->counters.pcnt = pos;
-
- for (;;) {
- const struct ip6t_standard_target *t
- = (void *)ip6t_get_target_c(e);
- int visited = e->comefrom & (1 << hook);
-
- if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
- printk("iptables: loop hook %u pos %u %08X.\n",
- hook, pos, e->comefrom);
- return 0;
- }
- e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
-
- /* Unconditional return/END. */
- if ((e->target_offset == sizeof(struct ip6t_entry)
- && (strcmp(t->target.u.user.name,
- IP6T_STANDARD_TARGET) == 0)
- && t->verdict < 0
- && unconditional(&e->ipv6)) || visited) {
- unsigned int oldpos, size;
-
- if ((strcmp(t->target.u.user.name,
- IP6T_STANDARD_TARGET) == 0) &&
- t->verdict < -NF_MAX_VERDICT - 1) {
- duprintf("mark_source_chains: bad "
- "negative verdict (%i)\n",
- t->verdict);
- return 0;
- }
-
- /* Return: backtrack through the last
- big jump. */
- do {
- e->comefrom ^= (1<<NF_INET_NUMHOOKS);
-#ifdef DEBUG_IP_FIREWALL_USER
- if (e->comefrom
- & (1 << NF_INET_NUMHOOKS)) {
- duprintf("Back unset "
- "on hook %u "
- "rule %u\n",
- hook, pos);
- }
-#endif
- oldpos = pos;
- pos = e->counters.pcnt;
- e->counters.pcnt = 0;
-
- /* We're at the start. */
- if (pos == oldpos)
- goto next;
-
- e = (struct ip6t_entry *)
- (entry0 + pos);
- } while (oldpos == pos + e->next_offset);
-
- /* Move along one */
- size = e->next_offset;
- e = (struct ip6t_entry *)
- (entry0 + pos + size);
- e->counters.pcnt = pos;
- pos += size;
- } else {
- int newpos = t->verdict;
-
- if (strcmp(t->target.u.user.name,
- IP6T_STANDARD_TARGET) == 0
- && newpos >= 0) {
- if (newpos > newinfo->size -
- sizeof(struct ip6t_entry)) {
- duprintf("mark_source_chains: "
- "bad verdict (%i)\n",
- newpos);
- return 0;
- }
- /* This a jump; chase it. */
- duprintf("Jump rule %u -> %u\n",
- pos, newpos);
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
- }
- e = (struct ip6t_entry *)
- (entry0 + newpos);
- e->counters.pcnt = pos;
- pos = newpos;
- }
- }
- next:
- duprintf("Finished chain %u\n", hook);
- }
- return 1;
-}
-
static void cleanup_match(struct ip6t_entry_match *m)
{
struct xt_mtdtor_param par;
@@ -944,7 +829,7 @@ translate_table(struct xt_table_info *newinfo, void *entry0,
}
}
- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
+ if (!ip6t2_mark_chains(newinfo, repl->valid_hooks, entry0))
return -ELOOP;
/* Finally, each sanity check must pass */
@@ -1903,7 +1788,7 @@ translate_compat_table(const char *name,
goto free_newinfo;
ret = -ELOOP;
- if (!mark_source_chains(newinfo, valid_hooks, entry1))
+ if (!ip6t2_mark_chains(newinfo, valid_hooks, entry1))
goto free_newinfo;
i = 0;
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index f88a72b..a975a41 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -210,6 +210,115 @@ XTSUB2(rule_to_xt2)(struct xt2_chain *chain, const struct xtsub_entry *entry,
return ERR_PTR(ret);
}
+/* Figures out from what hook each rule can be called: returns 0 if
+ there are loops. Puts hook bitmask in comefrom. */
+static int
+XTSUB2(mark_chains)(const struct xt_table_info *newinfo,
+ unsigned int valid_hooks, void *entry0)
+{
+ unsigned int hook;
+
+ /* No recursion; use packet counter to save back ptrs (reset
+ to 0 as we leave), and comefrom to save source hook bitmask */
+ for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
+ unsigned int pos = newinfo->hook_entry[hook];
+ struct xtsub_entry *e = (void *)(entry0 + pos);
+
+ if (!(valid_hooks & (1 << hook)))
+ continue;
+
+ /* Set initial back pointer. */
+ e->counters.pcnt = pos;
+
+ for (;;) {
+ const struct xt_standard_target *t
+ = (void *)XTSUB2(get_target)(e);
+ int visited = e->comefrom & (1 << hook);
+
+ if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
+ printk("iptables: loop hook %u pos %u %08X.\n",
+ hook, pos, e->comefrom);
+ return false;
+ }
+ e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
+
+ /* Unconditional return/END. */
+ if ((e->target_offset == sizeof(struct xtsub_entry) &&
+ strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0 &&
+ t->verdict < 0 &&
+ XTSUB2(unconditional)(e)) || visited) {
+ unsigned int oldpos, size;
+
+ if (strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0 &&
+ t->verdict < -NF_MAX_VERDICT - 1) {
+ pr_devel("mark_chains: bad "
+ "negative verdict (%i)\n",
+ t->verdict);
+ return false;
+ }
+
+ /* Return: backtrack through the last
+ big jump. */
+ do {
+ e->comefrom ^= (1<<NF_INET_NUMHOOKS);
+#ifdef DEBUG_IP_FIREWALL_USER
+ if (e->comefrom
+ & (1 << NF_INET_NUMHOOKS)) {
+ pr_devel("Back unset "
+ "on hook %u "
+ "rule %u\n",
+ hook, pos);
+ }
+#endif
+ oldpos = pos;
+ pos = e->counters.pcnt;
+ e->counters.pcnt = 0;
+
+ /* We're at the start. */
+ if (pos == oldpos)
+ goto next;
+
+ e = (void *)(entry0 + pos);
+ } while (oldpos == pos + e->next_offset);
+
+ /* Move along one */
+ size = e->next_offset;
+ e = (void *)(entry0 + pos + size);
+ e->counters.pcnt = pos;
+ pos += size;
+ } else {
+ int newpos = t->verdict;
+
+ if (strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0
+ && newpos >= 0) {
+ if (newpos > newinfo->size -
+ sizeof(struct xtsub_entry)) {
+ pr_devel("mark_chains: "
+ "bad verdict (%i)\n",
+ newpos);
+ return false;
+ }
+ /* This a jump; chase it. */
+ pr_devel("Jump rule %u -> %u\n",
+ pos, newpos);
+ } else {
+ /* ... this is a fallthru */
+ newpos = pos + e->next_offset;
+ }
+ e = (void *)(entry0 + newpos);
+ e->counters.pcnt = pos;
+ pos = newpos;
+ }
+ }
+ next:
+ pr_devel("Finished chain %u\n", hook);
+ }
+ return true;
+}
+
/**
* @table: new table
* @entry0: blob of <struct ip6t_entry>s
@@ -251,7 +360,7 @@ static int XTSUB2(table_to_xt2)(struct xt2_table *table, void *entry0,
memcpy(mark_param.hook_entry, repl->hook_entry,
sizeof(repl->hook_entry));
mark_param.size = repl->size;
- if (!mark_source_chains(&mark_param, repl->valid_hooks, entry0))
+ if (!XTSUB2(mark_chains)(&mark_param, repl->valid_hooks, entry0))
return -ELOOP;
/* Now process rules. */
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 072/103] netfilter: xtables2: xt2<->xt1 translation - compat GET_ENTRIES/SET_REPLACE support
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (70 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 071/103] netfilter: ip6tables: move mark_chains to xt1_perproto.c Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 073/103] netfilter: xtables2: compat->normal match data translation Jan Engelhardt
` (32 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
This commit wires up the compat path to the translator. The
translator currently deals with the base entry, e.g. ip6t_entry.
compat<->normal translation of matchinfo data of arbitrary extensions
is done in an upcoming commit.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter_ipv6/ip6_tables.h | 12 +++++++++
net/ipv6/netfilter/ip6_tables.c | 38 +++++++++++++++++++---------
net/netfilter/xt1_translat.c | 3 +-
3 files changed, 40 insertions(+), 13 deletions(-)
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 421c2d5..bad5135 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -346,6 +346,18 @@ struct compat_ip6t_entry
unsigned char elems[0];
};
+struct compat_ip6t_replace {
+ char name[IP6T_TABLE_MAXNAMELEN];
+ u32 valid_hooks;
+ u32 num_entries;
+ u32 size;
+ u32 hook_entry[NF_INET_NUMHOOKS];
+ u32 underflow[NF_INET_NUMHOOKS];
+ u32 num_counters;
+ compat_uptr_t counters; /* struct ip6t_counters * */
+ struct compat_ip6t_entry entries[0];
+};
+
static inline struct ip6t_entry_target *
compat_ip6t_get_target(struct compat_ip6t_entry *e)
{
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 464930a..b7901e3 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -68,6 +68,7 @@ do { \
#endif
#define xtsub_entry ip6t_entry
+#define xtsub_entry_nocompat ip6t_entry
#define xtsub_replace ip6t_replace
#define xtsub_error_target ip6t_error_target
#define XTSUB_NFPROTO NFPROTO_IPV6
@@ -77,6 +78,16 @@ do { \
#include "../../netfilter/xt1_translat.c"
#include "../../netfilter/xt1_postshared.c"
+#undef XTSUB2
+#undef xtsub_entry
+#undef xtsub_replace
+
+#ifdef CONFIG_COMPAT
+#define xtsub_entry compat_ip6t_entry
+#define xtsub_replace compat_ip6t_replace
+#define XTSUB2(x) ip6t2_compat_ ## x
+#include "../../netfilter/xt1_translat.c"
+#endif
/*
We keep a set of rules for each CPU, so we can avoid write-locking
@@ -1444,18 +1455,6 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
}
#ifdef CONFIG_COMPAT
-struct compat_ip6t_replace {
- char name[IP6T_TABLE_MAXNAMELEN];
- u32 valid_hooks;
- u32 num_entries;
- u32 size;
- u32 hook_entry[NF_INET_NUMHOOKS];
- u32 underflow[NF_INET_NUMHOOKS];
- u32 num_counters;
- compat_uptr_t counters; /* struct ip6t_counters * */
- struct compat_ip6t_entry entries[0];
-};
-
static int
compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
unsigned int *size, struct xt_counters *counters,
@@ -1859,6 +1858,10 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
return -EFAULT;
+ if (xt2_table_lookup(net, tmp.name, NFPROTO_IPV6,
+ XT2_NO_RCULOCK) != NULL)
+ return ip6t2_compat_do_replace(net, user, len);
+
/* overflow check */
if (tmp.size >= INT_MAX / num_possible_cpus())
return -ENOMEM;
@@ -1973,6 +1976,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
{
int ret;
struct compat_ip6t_get_entries get;
+ struct xt2_table *xt2_table;
struct xt_table *t;
if (*len < sizeof(get)) {
@@ -1989,6 +1993,16 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
return -EINVAL;
}
+ xt2_table = xt2_table_lookup(net, get.name, NFPROTO_IPV6,
+ XT2_TAKE_RCULOCK);
+ if (xt2_table != NULL) {
+ ret = ip6t2_compat_table_to_xt1(uptr->entrytable, get.size,
+ xt2_table, &ip6t_compat_xlat_info);
+ rcu_read_unlock();
+ return ret;
+ }
+ rcu_read_unlock();
+
xt_compat_lock(AF_INET6);
t = xt_find_table_lock(net, AF_INET6, get.name);
if (t && !IS_ERR(t)) {
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index a975a41..7719d8b 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -588,7 +588,8 @@ XTSUB2(do_replace)(struct net *net, const void __user *user, unsigned int len)
vfree(blob);
if (ret < 0)
goto out;
- ret = xts_table_replace(repl.counters, repl.num_counters, net, table);
+ ret = xts_table_replace((void __user *)(unsigned long)repl.counters,
+ repl.num_counters, net, table);
if (ret < 0)
goto out;
return 0;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 073/103] netfilter: xtables2: compat->normal match data translation
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (71 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 072/103] netfilter: xtables2: xt2<->xt1 translation - compat GET_ENTRIES/SET_REPLACE support Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 074/103] netfilter: xtables2: compat->normal target " Jan Engelhardt
` (31 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
This patch will translate userspace requests in compat format
to the normalized format. Testable with e.g. `ip6tables -t filter2
-A INPUT -m limit --limit 1/s`, which will submit a struct
xt_entry_match with size 0x3C, and retrieving the ruleset will show
that it has been translated into a struct xt_entry_match with the
size field containing 0x48.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 4 ++
net/ipv6/netfilter/ip6_tables.c | 1 +
net/netfilter/xt1_support.c | 57 ++++++++++++++++++++++++++++++++++++
net/netfilter/xt1_translat.c | 9 +++++-
4 files changed, 70 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 7e88120..7695750 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -733,6 +733,10 @@ extern int xts_table_replace(void __user *, unsigned int, struct net *,
struct xt2_table *);
extern int xts_get_counters(struct xt2_table *,
const struct xt_counters __user *, unsigned int);
+#ifdef CONFIG_COMPAT
+extern int xts_rule_add_cmatch(struct xt2_rule *,
+ const struct xt_entry_match *);
+#endif
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
extern int xt2_rule_add_match(struct xt2_rule *, const char *, uint8_t,
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index b7901e3..b0f04c7 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -83,6 +83,7 @@ do { \
#undef xtsub_replace
#ifdef CONFIG_COMPAT
+#define XTSUB_DO_COMPAT
#define xtsub_entry compat_ip6t_entry
#define xtsub_replace compat_ip6t_replace
#define XTSUB2(x) ip6t2_compat_ ## x
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
index 380c3da..4508f7d 100644
--- a/net/netfilter/xt1_support.c
+++ b/net/netfilter/xt1_support.c
@@ -384,4 +384,61 @@ int xts_get_counters(struct xt2_table *table,
}
EXPORT_SYMBOL_GPL(xts_get_counters);
+#ifdef CONFIG_COMPAT
+int xts_rule_add_cmatch(struct xt2_rule *rule, const struct xt_entry_match *m)
+{
+ const uint8_t nfproto = rule->chain->table->nfproto;
+ const struct xt_match *ext;
+ unsigned int dsize, required;
+ void *data;
+ int ret;
+
+ ext = try_then_request_module(xt_find_match(nfproto,
+ m->u.user.name, m->u.user.revision),
+ "%st_%s", xt_prefix[nfproto], m->u.user.name);
+ if (ext == NULL)
+ return -ENOENT;
+ if (IS_ERR(ext))
+ return PTR_ERR(ext);
+
+ dsize = m->u.match_size - sizeof(*m);
+ if ((ext->compatsize == 0 && dsize == XT_ALIGN(ext->matchsize)) ||
+ ext->matchsize == -1) {
+ /*
+ * If extension does not have special ->compat_* functions and
+ * is already padded, proceed.
+ * ebt_among uses the -1 special case.
+ */
+ ret = xt2_rule_add_oldmatch(rule, m);
+ goto put_module;
+ }
+ required = (ext->compatsize == 0) ? ext->matchsize : ext->compatsize;
+ if (dsize != COMPAT_XT_ALIGN(required)) {
+ pr_err("%s_tables: %s.%u match: invalid size "
+ "(expected) %u != (given by user) %u\n",
+ xt_prefix[rule->chain->table->nfproto],
+ ext->name, ext->revision, required, dsize);
+ ret = -EINVAL;
+ goto put_module;
+ }
+
+ data = kzalloc(XT_ALIGN(ext->matchsize), GFP_KERNEL);
+ if (data == NULL) {
+ ret = -ENOMEM;
+ goto put_module;
+ }
+ if (ext->compat_from_user == NULL)
+ memcpy(data, m->data, dsize);
+ else
+ ext->compat_from_user(data, m->data);
+ ret = xt2_rule_add_match(rule, m->u.user.name, m->u.user.revision,
+ data, XT_ALIGN(ext->matchsize), true);
+ kfree(data);
+ put_module:
+ module_put(ext->me);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(xts_rule_add_cmatch);
+#endif
+
MODULE_LICENSE("GPL");
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index 7719d8b..c7c570e 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -16,6 +16,11 @@
#if !defined(XTSUB_NFPROTO_IPV6)
# error Need to define XTSUB_NFPROTO_xxx.
#endif
+#ifdef XTSUB_DO_COMPAT
+# define xtsub_rule_add_match xts_rule_add_cmatch
+#else
+# define xtsub_rule_add_match xt2_rule_add_oldmatch
+#endif
#ifdef XTSUB_NFPROTO_IPV6
static const struct ip6t_ip6 xtsub_uncond;
@@ -187,7 +192,7 @@ XTSUB2(rule_to_xt2)(struct xt2_chain *chain, const struct xtsub_entry *entry,
goto out;
xt_ematch_foreach(ematch, entry) {
- ret = xt2_rule_add_oldmatch(rule, ematch);
+ ret = xtsub_rule_add_match(rule, ematch);
if (ret < 0)
goto out;
}
@@ -598,3 +603,5 @@ XTSUB2(do_replace)(struct net *net, const void __user *user, unsigned int len)
xt2_table_destroy(NULL, table);
return ret;
}
+
+#undef xtsub_rule_add_match
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 074/103] netfilter: xtables2: compat->normal target data translation
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (72 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 073/103] netfilter: xtables2: compat->normal match data translation Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:25 ` [PATCH 075/103] netfilter: xtables2: outsource code into xts_match_to_xt1 function Jan Engelhardt
` (30 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
By this, `ip6tables -S` will now correctly receive 0x3C for xt_limit too.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 2 +
net/netfilter/xt1_support.c | 50 ++++++++++++++++++++++++++++++++++++
net/netfilter/xt1_translat.c | 5 +++-
3 files changed, 56 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 7695750..bab5b38 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -736,6 +736,8 @@ extern int xts_get_counters(struct xt2_table *,
#ifdef CONFIG_COMPAT
extern int xts_rule_add_cmatch(struct xt2_rule *,
const struct xt_entry_match *);
+extern int xts_rule_add_ctarget(struct xt2_rule *,
+ const struct xt_entry_target *);
#endif
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
index 4508f7d..09bbed9 100644
--- a/net/netfilter/xt1_support.c
+++ b/net/netfilter/xt1_support.c
@@ -439,6 +439,56 @@ int xts_rule_add_cmatch(struct xt2_rule *rule, const struct xt_entry_match *m)
return ret;
}
EXPORT_SYMBOL_GPL(xts_rule_add_cmatch);
+
+int xts_rule_add_ctarget(struct xt2_rule *rule,
+ const struct xt_entry_target *t)
+{
+ const uint8_t nfproto = rule->chain->table->nfproto;
+ const struct xt_target *ext;
+ unsigned int dsize, required;
+ void *data;
+ int ret;
+
+ ext = try_then_request_module(xt_find_target(nfproto,
+ t->u.user.name, t->u.user.revision),
+ "%st_%s", xt_prefix[nfproto], t->u.user.name);
+ if (ext == NULL)
+ return -ENOENT;
+ if (IS_ERR(ext))
+ return PTR_ERR(ext);
+
+ dsize = t->u.target_size - sizeof(*t);
+ if (ext->compatsize == 0 && dsize == XT_ALIGN(ext->targetsize)) {
+ ret = xt2_rule_add_oldtarget(rule, t);
+ goto put_module;
+ }
+ required = (ext->compatsize == 0) ? ext->targetsize : ext->compatsize;
+ if (dsize != COMPAT_XT_ALIGN(required)) {
+ pr_err("%s_tables: %s.%u target: invalid size "
+ "(expected) %u != (given by user) %u\n",
+ xt_prefix[rule->chain->table->nfproto],
+ ext->name, ext->revision, required, dsize);
+ ret = -EINVAL;
+ goto put_module;
+ }
+
+ data = kzalloc(XT_ALIGN(ext->targetsize), GFP_KERNEL);
+ if (data == NULL) {
+ ret = -ENOMEM;
+ goto put_module;
+ }
+ if (ext->compat_from_user == NULL)
+ memcpy(data, t->data, dsize);
+ else
+ ext->compat_from_user(data, t->data);
+ ret = xt2_rule_add_target(rule, t->u.user.name, t->u.user.revision,
+ data, XT_ALIGN(ext->targetsize), true);
+ kfree(data);
+ put_module:
+ module_put(ext->me);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(xts_rule_add_ctarget);
#endif
MODULE_LICENSE("GPL");
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index c7c570e..515cc91 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -18,8 +18,10 @@
#endif
#ifdef XTSUB_DO_COMPAT
# define xtsub_rule_add_match xts_rule_add_cmatch
+# define xtsub_rule_add_target xts_rule_add_ctarget
#else
# define xtsub_rule_add_match xt2_rule_add_oldmatch
+# define xtsub_rule_add_target xt2_rule_add_oldtarget
#endif
#ifdef XTSUB_NFPROTO_IPV6
@@ -124,7 +126,7 @@ XTSUB2(target_to_xt2)(struct xt2_rule *rule, const struct xtsub_entry *entry,
struct xt2_entry_target *ntarget;
if (strcmp(etarget->u.user.name, XT_STANDARD_TARGET) != 0)
- return xt2_rule_add_oldtarget(rule, etarget);
+ return xtsub_rule_add_target(rule, etarget);
ntarget = kmalloc(sizeof(*ntarget), GFP_KERNEL);
if (ntarget == NULL)
@@ -605,3 +607,4 @@ XTSUB2(do_replace)(struct net *net, const void __user *user, unsigned int len)
}
#undef xtsub_rule_add_match
+#undef xtsub_rule_add_target
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 075/103] netfilter: xtables2: outsource code into xts_match_to_xt1 function
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (73 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 074/103] netfilter: xtables2: compat->normal target " Jan Engelhardt
@ 2009-08-04 7:25 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 076/103] netfilter: xtables2: normal->compat match data translation Jan Engelhardt
` (29 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:25 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 2 ++
net/netfilter/xt1_support.c | 17 +++++++++++++++++
net/netfilter/xt1_translat.c | 13 +------------
3 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index bab5b38..0531f0d 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -725,6 +725,8 @@ extern void xts_rule_get_quota(const struct xt2_entry_match *,
extern unsigned int xts_blob_prep_table(struct xt2_table *,
const struct xt1_xlat_info *, unsigned int *, unsigned int *,
unsigned int *);
+extern int xts_match_to_xt1(void __user **, int *, unsigned int *,
+ const struct xt2_entry_match *);
extern int xts_starget_to_xt1(void __user **, int *, unsigned int *,
const struct xt2_entry_target *, const struct xt1_xlat_info *);
extern int xts_target_to_xt1(void __user **, int *, unsigned int *,
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
index 09bbed9..be87e75 100644
--- a/net/netfilter/xt1_support.c
+++ b/net/netfilter/xt1_support.c
@@ -203,6 +203,23 @@ xts_blob_prep_table(struct xt2_table *table, const struct xt1_xlat_info *io,
}
EXPORT_SYMBOL_GPL(xts_blob_prep_table);
+int xts_match_to_xt1(void __user **user_ptr, int *len, unsigned int *z,
+ const struct xt2_entry_match *ematch)
+{
+ struct xt_entry_match blob;
+ int ret;
+
+ blob.u.match_size = sizeof(blob) + ematch->dsize;
+ blob.u.user.revision = ematch->ext->revision;
+ strncpy(blob.u.user.name, ematch->ext->name, sizeof(blob.u.user.name));
+ ret = xts_copy_to_user(user_ptr, len, &blob, sizeof(blob), z);
+ if (ret < 0)
+ return ret;
+ return xts_copy_to_user(user_ptr, len, ematch->data,
+ ematch->dsize, z);
+}
+EXPORT_SYMBOL_GPL(xts_match_to_xt1);
+
int xts_starget_to_xt1(void __user **user_ptr, int *len, unsigned int *z,
const struct xt2_entry_target *etarget,
const struct xt1_xlat_info *io)
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index 515cc91..469490d 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -478,20 +478,9 @@ XTSUB2(rule_to_xt1)(void __user **user_ptr, int *len, unsigned int *z,
return ret;
list_for_each_entry_continue(ematch, &rule->match_list, anchor) {
- struct xt_entry_match blob;
-
if (ematch == quota_ematch)
break;
-
- blob.u.match_size = sizeof(blob) + ematch->dsize;
- blob.u.user.revision = ematch->ext->revision;
- strncpy(blob.u.user.name, ematch->ext->name,
- sizeof(blob.u.user.name));
- ret = xts_copy_to_user(user_ptr, len, &blob, sizeof(blob), z);
- if (ret < 0)
- return ret;
- ret = xts_copy_to_user(user_ptr, len, ematch->data,
- ematch->dsize, z);
+ ret = xts_match_to_xt1(user_ptr, len, z, ematch);
if (ret < 0)
return ret;
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 076/103] netfilter: xtables2: normal->compat match data translation
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (74 preceding siblings ...)
2009-08-04 7:25 ` [PATCH 075/103] netfilter: xtables2: outsource code into xts_match_to_xt1 function Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 077/103] netfilter: xtables2: normal->compat target " Jan Engelhardt
` (28 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 5 ++++
net/ipv6/netfilter/ip6_tables.c | 1 +
net/netfilter/xt1_support.c | 43 +++++++++++++++++++++++++++++++++++-
net/netfilter/xt1_translat.c | 5 +++-
4 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 0531f0d..ccd012a 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -425,6 +425,8 @@ struct xt_table_info
* @etarget_size: size of the etarget header
* @standard_tgsize: size of the complete standard target, includes
* etarget_size and alignment padding
+ * @compat: whether requestor is in normal or compat mode
+ * affects selection of ematch->dsize vs compatsize
*/
struct xt1_xlat_info {
unsigned int marker_size;
@@ -432,6 +434,7 @@ struct xt1_xlat_info {
unsigned int ematch_size, etarget_size;
unsigned int standard_tgsize;
const char *first_match;
+ bool compat;
};
/*
@@ -740,6 +743,8 @@ extern int xts_rule_add_cmatch(struct xt2_rule *,
const struct xt_entry_match *);
extern int xts_rule_add_ctarget(struct xt2_rule *,
const struct xt_entry_target *);
+extern int xts_cmatch_to_xt1(void __user **, int *, unsigned int *,
+ const struct xt2_entry_match *);
#endif
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index b0f04c7..53186a2 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1072,6 +1072,7 @@ static const struct xt1_xlat_info ip6t_compat_xlat_info = {
.etarget_size = sizeof(struct xt_entry_target),
.standard_tgsize = COMPAT_XT_ALIGN(sizeof(struct xt_entry_target) +
sizeof(compat_uint_t)),
+ .compat = true,
#endif
};
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
index be87e75..48cfaba 100644
--- a/net/netfilter/xt1_support.c
+++ b/net/netfilter/xt1_support.c
@@ -142,7 +142,14 @@ xts_blob_prep_rule(const struct xt2_rule *rule, const struct xt1_xlat_info *io,
if (ematch == quota_stop)
/* quotas included in entry_hdr */
break;
- z += io->ematch_size + ematch->dsize;
+ z += io->ematch_size;
+#ifdef CONFIG_COMPAT
+ if (ematch->ext->matchsize != -1 && io->compat &&
+ ematch->ext->compatsize != 0)
+ z += COMPAT_XT_ALIGN(ematch->ext->compatsize);
+ else
+#endif
+ z += ematch->dsize;
}
etarget = list_first_entry(&rule->target_list,
@@ -506,6 +513,40 @@ int xts_rule_add_ctarget(struct xt2_rule *rule,
return ret;
}
EXPORT_SYMBOL_GPL(xts_rule_add_ctarget);
+
+int xts_cmatch_to_xt1(void __user **user_ptr, int *len, unsigned int *z,
+ const struct xt2_entry_match *ematch)
+{
+ struct xt_entry_match blob;
+ unsigned int dsize;
+ int ret;
+
+ if (ematch->ext->compatsize == 0)
+ return xts_match_to_xt1(user_ptr, len, z, ematch);
+
+ dsize = COMPAT_XT_ALIGN(ematch->ext->compatsize);
+ blob.u.match_size = sizeof(blob) + dsize;
+ blob.u.user.revision = ematch->ext->revision;
+ strncpy(blob.u.user.name, ematch->ext->name, sizeof(blob.u.user.name));
+ ret = xts_copy_to_user(user_ptr, len, &blob, sizeof(blob), z);
+ if (ret < 0)
+ return ret;
+
+ /*
+ * The awkward semantics of compat_to_user means we cannot
+ * use xts_copy_to_user.
+ */
+ if (*len < dsize)
+ return -ENOSPC;
+ ret = ematch->ext->compat_to_user(*user_ptr, ematch->data);
+ if (ret < 0)
+ return ret;
+ *user_ptr += dsize;
+ *z += dsize;
+ *len -= dsize;
+ return 0;
+}
+EXPORT_SYMBOL_GPL(xts_cmatch_to_xt1);
#endif
MODULE_LICENSE("GPL");
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index 469490d..ebcc3df 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -19,9 +19,11 @@
#ifdef XTSUB_DO_COMPAT
# define xtsub_rule_add_match xts_rule_add_cmatch
# define xtsub_rule_add_target xts_rule_add_ctarget
+# define xtsub_match_to_xt1 xts_cmatch_to_xt1
#else
# define xtsub_rule_add_match xt2_rule_add_oldmatch
# define xtsub_rule_add_target xt2_rule_add_oldtarget
+# define xtsub_match_to_xt1 xts_match_to_xt1
#endif
#ifdef XTSUB_NFPROTO_IPV6
@@ -480,7 +482,7 @@ XTSUB2(rule_to_xt1)(void __user **user_ptr, int *len, unsigned int *z,
list_for_each_entry_continue(ematch, &rule->match_list, anchor) {
if (ematch == quota_ematch)
break;
- ret = xts_match_to_xt1(user_ptr, len, z, ematch);
+ ret = xtsub_match_to_xt1(user_ptr, len, z, ematch);
if (ret < 0)
return ret;
}
@@ -597,3 +599,4 @@ XTSUB2(do_replace)(struct net *net, const void __user *user, unsigned int len)
#undef xtsub_rule_add_match
#undef xtsub_rule_add_target
+#undef xtsub_match_to_xt1
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 077/103] netfilter: xtables2: normal->compat target data translation
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (75 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 076/103] netfilter: xtables2: normal->compat match data translation Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 078/103] netfilter: xtables2: packet tracing Jan Engelhardt
` (27 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 2 +
net/netfilter/xt1_support.c | 42 ++++++++++++++++++++++++++++++++++-
net/netfilter/xt1_translat.c | 5 +++-
3 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index ccd012a..77573a5 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -745,6 +745,8 @@ extern int xts_rule_add_ctarget(struct xt2_rule *,
const struct xt_entry_target *);
extern int xts_cmatch_to_xt1(void __user **, int *, unsigned int *,
const struct xt2_entry_match *);
+extern int xts_ctarget_to_xt1(void __user **, int *, unsigned int *,
+ const struct xt2_entry_target *);
#endif
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
index 48cfaba..f02eff8 100644
--- a/net/netfilter/xt1_support.c
+++ b/net/netfilter/xt1_support.c
@@ -154,8 +154,15 @@ xts_blob_prep_rule(const struct xt2_rule *rule, const struct xt1_xlat_info *io,
etarget = list_first_entry(&rule->target_list,
typeof(*etarget), anchor);
- z += xt2_special_target(etarget->ext) ? io->standard_tgsize :
- io->etarget_size + XT_ALIGN(etarget->ext->targetsize);
+ if (xt2_special_target(etarget->ext))
+ z += io->standard_tgsize;
+#ifdef CONFIG_COMPAT
+ else if (io->compat && etarget->ext->compatsize != 0)
+ z += io->etarget_size +
+ COMPAT_XT_ALIGN(etarget->ext->compatsize);
+#endif
+ else
+ z += io->etarget_size + XT_ALIGN(etarget->ext->targetsize);
return z;
}
@@ -547,6 +554,37 @@ int xts_cmatch_to_xt1(void __user **user_ptr, int *len, unsigned int *z,
return 0;
}
EXPORT_SYMBOL_GPL(xts_cmatch_to_xt1);
+
+int xts_ctarget_to_xt1(void __user **user_ptr, int *len, unsigned int *z,
+ const struct xt2_entry_target *etarget)
+{
+ struct xt_entry_target blob;
+ unsigned int dsize;
+ int ret;
+
+ if (etarget->ext->compatsize == 0)
+ return xts_target_to_xt1(user_ptr, len, z, etarget);
+
+ dsize = COMPAT_XT_ALIGN(etarget->ext->compatsize);
+ blob.u.target_size = sizeof(blob) + dsize;
+ blob.u.user.revision = etarget->ext->revision;
+ strncpy(blob.u.user.name, etarget->ext->name,
+ sizeof(blob.u.user.name));
+ ret = xts_copy_to_user(user_ptr, len, &blob, sizeof(blob), z);
+ if (ret < 0)
+ return ret;
+
+ if (*len < dsize)
+ return -ENOSPC;
+ ret = etarget->ext->compat_to_user(*user_ptr, etarget->data);
+ if (ret < 0)
+ return ret;
+ *user_ptr += dsize;
+ *z += dsize;
+ *len -= dsize;
+ return 0;
+}
+EXPORT_SYMBOL_GPL(xts_ctarget_to_xt1);
#endif
MODULE_LICENSE("GPL");
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index ebcc3df..994fcc5 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -20,10 +20,12 @@
# define xtsub_rule_add_match xts_rule_add_cmatch
# define xtsub_rule_add_target xts_rule_add_ctarget
# define xtsub_match_to_xt1 xts_cmatch_to_xt1
+# define xtsub_target_to_xt1 xts_ctarget_to_xt1
#else
# define xtsub_rule_add_match xt2_rule_add_oldmatch
# define xtsub_rule_add_target xt2_rule_add_oldtarget
# define xtsub_match_to_xt1 xts_match_to_xt1
+# define xtsub_target_to_xt1 xts_target_to_xt1
#endif
#ifdef XTSUB_NFPROTO_IPV6
@@ -493,7 +495,7 @@ XTSUB2(rule_to_xt1)(void __user **user_ptr, int *len, unsigned int *z,
list_for_each_entry(etarget, &rule->target_list, anchor) {
ret = xt2_special_target(etarget->ext) ?
xts_starget_to_xt1(user_ptr, len, z, etarget, io) :
- xts_target_to_xt1(user_ptr, len, z, etarget);
+ xtsub_target_to_xt1(user_ptr, len, z, etarget);
if (ret < 0)
return ret;
}
@@ -600,3 +602,4 @@ XTSUB2(do_replace)(struct net *net, const void __user *user, unsigned int len)
#undef xtsub_rule_add_match
#undef xtsub_rule_add_target
#undef xtsub_match_to_xt1
+#undef xtsub_target_to_xt1
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 078/103] netfilter: xtables2: packet tracing
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (76 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 077/103] netfilter: xtables2: normal->compat target " Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 079/103] netfilter: xtables: turn procfs entries to walk xt2 table list Jan Engelhardt
` (26 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/x_tables.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 76 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 0895016..6fb47b5 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -30,6 +30,7 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
+#include <net/netfilter/nf_log.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
@@ -1783,6 +1784,73 @@ void xt2_table_destroy(struct net *net, struct xt2_table *table)
}
EXPORT_SYMBOL_GPL(xt2_table_destroy);
+#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
+ defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
+static struct nf_loginfo xt2_trace_loginfo __read_mostly = {
+ .type = NF_LOG_TYPE_LOG,
+ .u.log = {
+ .level = 4,
+ .logflags = NF_LOG_MASK,
+ },
+};
+
+static const char *xt2_verdict_string(unsigned int verdict)
+{
+ switch (verdict) {
+ case XT_RETURN: return "RETURN"; break;
+ case XT_START_CHAIN: return "GOTO/JUMP"; break;
+ case XT_CONTINUE: return "CONTINUE"; break;
+ }
+ switch (verdict & NF_VERDICT_MASK) {
+ case NF_ACCEPT: return "ACCEPT"; break;
+ case NF_DROP: return "DROP"; break;
+ case NF_STOLEN: return "STOLEN"; break;
+ case NF_QUEUE: return "QUEUE"; break;
+ case NF_STOP: return "STOP"; break;
+ default: return "?"; break;
+ }
+}
+
+static void
+xt2_trace_packet(const struct sk_buff *skb, unsigned int hook,
+ const struct net_device *in, const struct net_device *out,
+ const struct xt2_chain *chain, const struct xt2_rule *rule,
+ unsigned int verdict)
+{
+ static const char *const builtin_chain_names[] = {
+ [NF_INET_PRE_ROUTING] = "PREROUTING",
+ [NF_INET_LOCAL_IN] = "INPUT",
+ [NF_INET_FORWARD] = "FORWARD",
+ [NF_INET_LOCAL_OUT] = "OUTPUT",
+ [NF_INET_POST_ROUTING] = "POSTROUTING",
+ };
+ const struct xt2_table *table = chain->table;
+ const struct xt2_rule *zrule;
+ unsigned int rule_index = 0;
+ const char *chain_name, *comment;
+
+ chain_name = xt2_builtin_chain(chain) ?
+ builtin_chain_names[hook] : chain->name;
+ if (rule != NULL)
+ list_for_each_entry(zrule, &chain->rule_list, anchor) {
+ ++rule_index;
+ if (zrule == rule)
+ break;
+ }
+
+ if (rule == NULL)
+ comment = "return"; /* end-of-chain */
+ else if (rule == chain->table->underflow[hook])
+ comment = "policy";
+ else
+ comment = "rule";
+
+ nf_log_packet(table->nfproto, hook, skb, in, out, &xt2_trace_loginfo,
+ "TRACE: %s:%s:%s:%u:%s ", table->name, chain_name,
+ comment, rule_index, xt2_verdict_string(verdict));
+}
+#endif
+
static unsigned int
xt2_do_actions(struct sk_buff *skb, struct xt_action_param *acpar,
const struct xt2_rule *rule, const struct xt2_chain **chain_ptr,
@@ -1858,6 +1926,14 @@ xt2_do_table(struct sk_buff *skb, unsigned int hook,
verdict = xt2_do_actions(skb, &acpar, rule, &chain,
stackptr, table->stacksize, jumpstack);
+#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
+ defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
+ if (unlikely(skb->nf_trace))
+ xt2_trace_packet(skb, hook, in, out, rule->chain,
+ (&rule->anchor == &chain->rule_list) ? NULL : rule,
+ verdict);
+#endif
+
switch (verdict) {
case XT_START_CHAIN:
goto do_chain;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 079/103] netfilter: xtables: turn procfs entries to walk xt2 table list
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (77 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 078/103] netfilter: xtables2: packet tracing Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 080/103] netfilter: xtables2: switch ip6's tables to the xt2 table format Jan Engelhardt
` (25 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
This commit makes /proc/net/ip6_tables_names traverse the xt2 table
list instead of the xt1 one. Developer note: Until the remaining xt1
tables are changed to xt2 (a few commits ahead), they will not show
up momentarily.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/x_tables.c | 24 ++++++++++--------------
1 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 6fb47b5..29d9ea8 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -918,39 +918,35 @@ struct xt_names_priv {
};
static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos)
{
- struct xt_names_priv *priv = seq->private;
+ const struct xt_names_priv *priv = seq->private;
struct net *net = seq_file_net(seq);
u_int8_t af = priv->af;
- mutex_lock(&xt[af].mutex);
- return seq_list_start(&net->xt.tables[af], *pos);
+ rcu_read_lock();
+ return seq_list_start(&net->xt2.table_list[af], *pos);
}
static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
- struct xt_names_priv *priv = seq->private;
+ const struct xt_names_priv *priv = seq->private;
struct net *net = seq_file_net(seq);
u_int8_t af = priv->af;
- return seq_list_next(v, &net->xt.tables[af], pos);
+ return seq_list_next(v, &net->xt2.table_list[af], pos);
}
static void xt_table_seq_stop(struct seq_file *seq, void *v)
{
- struct xt_names_priv *priv = seq->private;
- u_int8_t af = priv->af;
-
- mutex_unlock(&xt[af].mutex);
+ rcu_read_unlock();
}
static int xt_table_seq_show(struct seq_file *seq, void *v)
{
- struct xt_table *table = list_entry(v, struct xt_table, list);
+ const struct xt2_table_link *link =
+ list_entry_rcu(v, typeof(*link), anchor);
+ const struct xt2_table *table = rcu_dereference(link->table);
- if (strlen(table->name))
- return seq_printf(seq, "%s\n", table->name);
- else
- return 0;
+ return seq_printf(seq, "%s\n", table->name);
}
static const struct seq_operations xt_table_seq_ops = {
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 080/103] netfilter: xtables2: switch ip6's tables to the xt2 table format
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (78 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 079/103] netfilter: xtables: turn procfs entries to walk xt2 table list Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 081/103] netfilter: ip6tables: remove obsolete packet tracing Jan Engelhardt
` (24 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/net/netns/x_tables.h | 3 +-
net/ipv6/netfilter/Makefile | 2 +-
net/ipv6/netfilter/ip6table_filter.c | 22 +++++--
net/ipv6/netfilter/ip6table_filter2.c | 117 --------------------------------
net/ipv6/netfilter/ip6table_mangle.c | 30 ++++++---
net/ipv6/netfilter/ip6table_raw.c | 22 +++++--
net/ipv6/netfilter/ip6table_security.c | 22 ++++--
7 files changed, 71 insertions(+), 147 deletions(-)
delete mode 100644 net/ipv6/netfilter/ip6table_filter2.c
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index a63aa04..5e38fcd 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -16,7 +16,8 @@ struct netns_xt {
struct netns_xt2 {
struct mutex table_lock;
struct list_head table_list[NFPROTO_NUMPROTO];
- struct xt2_table_link *ipv6_filter;
+ struct xt2_table_link
+ *ipv6_filter, *ipv6_mangle, *ipv6_raw, *ipv6_security;
};
#endif
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index 35fa80f..aafbba3 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -4,7 +4,7 @@
# Link order matters here.
obj-$(CONFIG_IP6_NF_IPTABLES) += ip6_tables.o
-obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o ip6table_filter2.o
+obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 5b8e67e..d670ff4 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -11,6 +11,7 @@
#include <linux/module.h>
#include <linux/moduleparam.h>
+#include <linux/rcupdate.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
MODULE_LICENSE("GPL");
@@ -38,7 +39,14 @@ ip6table_filter_hook(unsigned int hook,
int (*okfn)(struct sk_buff *))
{
const struct net *net = dev_net((in != NULL) ? in : out);
- return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
+ const struct xt2_table_link *link;
+ unsigned int verdict;
+
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv6_filter);
+ verdict = xt2_do_table(skb, hook, in, out, link->table);
+ rcu_read_unlock();
+ return verdict;
}
/* Default to forward because I got too much mail already. */
@@ -48,6 +56,7 @@ module_param(forward, bool, 0000);
static int __net_init ip6table_filter_net_init(struct net *net)
{
struct ip6t_replace *repl = xt_repldata_create(&packet_filter);
+ struct xt2_table *table;
if (repl == NULL)
return -ENOMEM;
@@ -55,17 +64,18 @@ static int __net_init ip6table_filter_net_init(struct net *net)
((struct ip6t_standard *)repl->entries)[1].target.verdict =
-forward - 1;
- net->ipv6.ip6table_filter =
- ip6t_register_table(net, &packet_filter, repl);
+ table = ip6t2_register_table(net, &packet_filter, repl);
kfree(repl);
- if (IS_ERR(net->ipv6.ip6table_filter))
- return PTR_ERR(net->ipv6.ip6table_filter);
+ if (IS_ERR(table))
+ return PTR_ERR(table);
+ net->xt2.ipv6_filter = xt2_tlink_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK);
return 0;
}
static void __net_exit ip6table_filter_net_exit(struct net *net)
{
- ip6t_unregister_table(net->ipv6.ip6table_filter);
+ xt2_table_destroy(net, net->xt2.ipv6_filter->table);
}
static struct pernet_operations ip6table_filter_net_ops = {
diff --git a/net/ipv6/netfilter/ip6table_filter2.c b/net/ipv6/netfilter/ip6table_filter2.c
deleted file mode 100644
index 7456686..0000000
--- a/net/ipv6/netfilter/ip6table_filter2.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * This is the 1999 rewrite of IP Firewalling, aiming for kernel 2.3.x.
- *
- * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
- * Copyright (C) 2000-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/moduleparam.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("ip6tables filter table");
-
-#define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | \
- (1 << NF_INET_FORWARD) | \
- (1 << NF_INET_LOCAL_OUT))
-
-static const struct xt_table packet_filter = {
- .name = "filter2",
- .valid_hooks = FILTER_VALID_HOOKS,
- .me = THIS_MODULE,
- .af = NFPROTO_IPV6,
- .priority = NF_IP6_PRI_FILTER,
-};
-
-/* The work comes in here from netfilter.c. */
-static unsigned int
-ip6table_filter_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- const struct net *net = dev_net((in != NULL) ? in : out);
- const struct xt2_table_link *link;
- unsigned int verdict;
-
- rcu_read_lock();
- link = rcu_dereference(net->xt2.ipv6_filter);
- verdict = xt2_do_table(skb, hook, in, out, link->table);
- rcu_read_unlock();
- return verdict;
-}
-
-/* Default to forward because I got too much mail already. */
-static int forward = NF_ACCEPT;
-module_param(forward, bool, 0000);
-
-static int __net_init ip6table_filter_net_init(struct net *net)
-{
- struct ip6t_replace *repl = xt_repldata_create(&packet_filter);
- struct xt2_table *table;
-
- if (repl == NULL)
- return -ENOMEM;
- /* Entry 1 is the FORWARD hook */
- ((struct ip6t_standard *)repl->entries)[1].target.verdict =
- -forward - 1;
-
- table = ip6t2_register_table(net, &packet_filter, repl);
- kfree(repl);
- if (IS_ERR(table))
- return PTR_ERR(table);
- net->xt2.ipv6_filter = xt2_tlink_lookup(net, table->name,
- table->nfproto, XT2_NO_RCULOCK);
- return 0;
-}
-
-static void __net_exit ip6table_filter_net_exit(struct net *net)
-{
- xt2_table_destroy(net, net->xt2.ipv6_filter->table);
-}
-
-static struct pernet_operations ip6table_filter_net_ops = {
- .init = ip6table_filter_net_init,
- .exit = ip6table_filter_net_exit,
-};
-
-static struct nf_hook_ops *filter_ops;
-
-static int __init ip6table_filter_init(void)
-{
- int ret;
-
- if (forward < 0 || forward > NF_MAX_VERDICT) {
- printk("iptables forward must be 0 or 1\n");
- return -EINVAL;
- }
-
- ret = register_pernet_subsys(&ip6table_filter_net_ops);
- if (ret < 0)
- return ret;
-
- /* Register hooks */
- filter_ops = xt_hook_link(&packet_filter, ip6table_filter_hook);
- if (IS_ERR(filter_ops)) {
- unregister_pernet_subsys(&ip6table_filter_net_ops);
- return PTR_ERR(filter_ops);
- }
-
- return ret;
-}
-
-static void __exit ip6table_filter_fini(void)
-{
- xt_hook_unlink(&packet_filter, filter_ops);
- unregister_pernet_subsys(&ip6table_filter_net_ops);
-}
-
-module_init(ip6table_filter_init);
-module_exit(ip6table_filter_fini);
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 5d841e6..984f860 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -9,6 +9,7 @@
* published by the Free Software Foundation.
*/
#include <linux/module.h>
+#include <linux/rcupdate.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
MODULE_LICENSE("GPL");
@@ -34,7 +35,7 @@ static unsigned int
ip6table_mangle_out(struct sk_buff *skb, const struct net_device *out,
const struct net *net)
{
-
+ const struct xt2_table_link *link;
unsigned int ret;
struct in6_addr saddr, daddr;
u_int8_t hop_limit;
@@ -59,8 +60,10 @@ ip6table_mangle_out(struct sk_buff *skb, const struct net_device *out,
/* flowlabel and prio (includes version, which shouldn't change either */
flowlabel = *((u_int32_t *)ipv6_hdr(skb));
- ret = ip6t_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
- net->ipv6.ip6table_mangle);
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv6_mangle);
+ ret = xt2_do_table(skb, NF_INET_LOCAL_OUT, NULL, out, link->table);
+ rcu_read_unlock();
if (ret != NF_DROP && ret != NF_STOLEN
&& (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))
@@ -79,29 +82,38 @@ ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb,
int (*okfn)(struct sk_buff *))
{
const struct net *net = dev_net((in != NULL) ? in : out);
+ const struct xt2_table_link *link;
+ unsigned int verdict;
if (hook == NF_INET_LOCAL_OUT)
return ip6table_mangle_out(skb, out, net);
- return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_mangle);
+
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv6_mangle);
+ verdict = xt2_do_table(skb, hook, in, out, link->table);
+ rcu_read_unlock();
+ return verdict;
}
static int __net_init ip6table_mangle_net_init(struct net *net)
{
struct ip6t_replace *repl = xt_repldata_create(&packet_mangler);
+ struct xt2_table *table;
if (repl == NULL)
return -ENOMEM;
- net->ipv6.ip6table_mangle =
- ip6t_register_table(net, &packet_mangler, repl);
+ table = ip6t2_register_table(net, &packet_mangler, repl);
kfree(repl);
- if (IS_ERR(net->ipv6.ip6table_mangle))
- return PTR_ERR(net->ipv6.ip6table_mangle);
+ if (IS_ERR(table))
+ return PTR_ERR(table);
+ net->xt2.ipv6_mangle = xt2_tlink_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK);
return 0;
}
static void __net_exit ip6table_mangle_net_exit(struct net *net)
{
- ip6t_unregister_table(net->ipv6.ip6table_mangle);
+ xt2_table_destroy(net, net->xt2.ipv6_mangle->table);
}
static struct pernet_operations ip6table_mangle_net_ops = {
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index b24b14a..32cd376 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -4,6 +4,7 @@
* Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*/
#include <linux/module.h>
+#include <linux/rcupdate.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
@@ -25,26 +26,35 @@ ip6table_raw_hook(unsigned int hook,
int (*okfn)(struct sk_buff *))
{
const struct net *net = dev_net((in != NULL) ? in : out);
- return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_raw);
+ const struct xt2_table_link *link;
+ unsigned int verdict;
+
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv6_raw);
+ verdict = xt2_do_table(skb, hook, in, out, link->table);
+ rcu_read_unlock();
+ return verdict;
}
static int __net_init ip6table_raw_net_init(struct net *net)
{
struct ip6t_replace *repl = xt_repldata_create(&packet_raw);
+ struct xt2_table *table;
if (repl == NULL)
return -ENOMEM;
- net->ipv6.ip6table_raw =
- ip6t_register_table(net, &packet_raw, repl);
+ table = ip6t2_register_table(net, &packet_raw, repl);
kfree(repl);
- if (IS_ERR(net->ipv6.ip6table_raw))
- return PTR_ERR(net->ipv6.ip6table_raw);
+ if (IS_ERR(table))
+ return PTR_ERR(table);
+ net->xt2.ipv6_raw = xt2_tlink_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK);
return 0;
}
static void __net_exit ip6table_raw_net_exit(struct net *net)
{
- ip6t_unregister_table(net->ipv6.ip6table_raw);
+ xt2_table_destroy(net, net->xt2.ipv6_raw->table);
}
static struct pernet_operations ip6table_raw_net_ops = {
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index c039db8..e50b7a6 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -42,27 +42,35 @@ ip6table_security_hook(unsigned int hook,
int (*okfn)(struct sk_buff *))
{
const struct net *net = dev_net((in != NULL) ? in : out);
- return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_security);
+ const struct xt2_table_link *link;
+ unsigned int verdict;
+
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv6_security);
+ verdict = xt2_do_table(skb, hook, in, out, link->table);
+ rcu_read_unlock();
+ return verdict;
}
static int __net_init ip6table_security_net_init(struct net *net)
{
struct ip6t_replace *repl = xt_repldata_create(&security_table);
+ struct xt2_table *table;
if (repl == NULL)
return -ENOMEM;
- net->ipv6.ip6table_security =
- ip6t_register_table(net, &security_table, repl);
+ table = ip6t2_register_table(net, &security_table, repl);
kfree(repl);
- if (IS_ERR(net->ipv6.ip6table_security))
- return PTR_ERR(net->ipv6.ip6table_security);
-
+ if (IS_ERR(table))
+ return PTR_ERR(table);
+ net->xt2.ipv6_security = xt2_tlink_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK);
return 0;
}
static void __net_exit ip6table_security_net_exit(struct net *net)
{
- ip6t_unregister_table(net->ipv6.ip6table_security);
+ xt2_table_destroy(net, net->xt2.ipv6_security->table);
}
static struct pernet_operations ip6table_security_net_ops = {
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 081/103] netfilter: ip6tables: remove obsolete packet tracing
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (79 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 080/103] netfilter: xtables2: switch ip6's tables to the xt2 table format Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 082/103] netfilter: ip6tables: remove xt1 GET_INFO code Jan Engelhardt
` (23 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Packet tracking is now done by xt2_trace_packet.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv6/netfilter/ip6_tables.c | 103 ---------------------------------------
1 files changed, 0 insertions(+), 103 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 53186a2..67f676f 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -333,102 +333,6 @@ ip6t_get_target_c(const struct ip6t_entry *e)
return ip6t_get_target((struct ip6t_entry *)e);
}
-#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
- defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
-/* This cries for unification! */
-static const char *const hooknames[] = {
- [NF_INET_PRE_ROUTING] = "PREROUTING",
- [NF_INET_LOCAL_IN] = "INPUT",
- [NF_INET_FORWARD] = "FORWARD",
- [NF_INET_LOCAL_OUT] = "OUTPUT",
- [NF_INET_POST_ROUTING] = "POSTROUTING",
-};
-
-enum nf_ip_trace_comments {
- NF_IP6_TRACE_COMMENT_RULE,
- NF_IP6_TRACE_COMMENT_RETURN,
- NF_IP6_TRACE_COMMENT_POLICY,
-};
-
-static const char *const comments[] = {
- [NF_IP6_TRACE_COMMENT_RULE] = "rule",
- [NF_IP6_TRACE_COMMENT_RETURN] = "return",
- [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
-};
-
-static struct nf_loginfo trace_loginfo = {
- .type = NF_LOG_TYPE_LOG,
- .u = {
- .log = {
- .level = 4,
- .logflags = NF_LOG_MASK,
- },
- },
-};
-
-/* Mildly perf critical (only if packet tracing is on) */
-static inline int
-get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
- const char *hookname, const char **chainname,
- const char **comment, unsigned int *rulenum)
-{
- const struct ip6t_standard_target *t = (void *)ip6t_get_target_c(s);
-
- if (strcmp(t->target.u.kernel.target->name, IP6T_ERROR_TARGET) == 0) {
- /* Head of user chain: ERROR target with chainname */
- *chainname = t->target.data;
- (*rulenum) = 0;
- } else if (s == e) {
- (*rulenum)++;
-
- if (s->target_offset == sizeof(struct ip6t_entry)
- && strcmp(t->target.u.kernel.target->name,
- IP6T_STANDARD_TARGET) == 0
- && t->verdict < 0
- && unconditional(&s->ipv6)) {
- /* Tail of chains: STANDARD target (return/policy) */
- *comment = *chainname == hookname
- ? comments[NF_IP6_TRACE_COMMENT_POLICY]
- : comments[NF_IP6_TRACE_COMMENT_RETURN];
- }
- return 1;
- } else
- (*rulenum)++;
-
- return 0;
-}
-
-static void trace_packet(const struct sk_buff *skb,
- unsigned int hook,
- const struct net_device *in,
- const struct net_device *out,
- const char *tablename,
- const struct xt_table_info *private,
- const struct ip6t_entry *e)
-{
- const void *table_base;
- const struct ip6t_entry *root;
- const char *hookname, *chainname, *comment;
- const struct ip6t_entry *iter;
- unsigned int rulenum = 0;
-
- table_base = private->entries[smp_processor_id()];
- root = get_entry(table_base, private->hook_entry[hook]);
-
- hookname = chainname = hooknames[hook];
- comment = comments[NF_IP6_TRACE_COMMENT_RULE];
-
- xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
- if (get_chainname_rulenum(iter, e, hookname,
- &chainname, &comment, &rulenum) != 0)
- break;
-
- nf_log_packet(AF_INET6, hook, skb, in, out, &trace_loginfo,
- "TRACE: %s:%s:%s:%u ",
- tablename, chainname, comment, rulenum);
-}
-#endif
-
static inline __pure struct ip6t_entry *
ip6t_next_entry(const struct ip6t_entry *entry)
{
@@ -502,13 +406,6 @@ ip6t_do_table(struct sk_buff *skb,
t = ip6t_get_target_c(e);
IP_NF_ASSERT(t->u.kernel.target);
-#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
- defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
- /* The packet is traced: log it */
- if (unlikely(skb->nf_trace))
- trace_packet(skb, hook, in, out,
- table->name, private, e);
-#endif
/* Standard target? */
if (!t->u.kernel.target->target) {
int v;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 082/103] netfilter: ip6tables: remove xt1 GET_INFO code
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (80 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 081/103] netfilter: ip6tables: remove obsolete packet tracing Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 083/103] netfilter: ip6tables: remove xt1 GET_ENTRIES code Jan Engelhardt
` (22 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv6/netfilter/ip6_tables.c | 60 ++++----------------------------------
1 files changed, 7 insertions(+), 53 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 67f676f..fe420fb 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1003,8 +1003,7 @@ static int get_info(struct net *net, void __user *user,
const int *len, int compat)
{
char name[IP6T_TABLE_MAXNAMELEN];
- struct xt2_table *xt2_table;
- struct xt_table *t;
+ struct xt2_table *table;
int ret;
if (*len != sizeof(struct ip6t_getinfo)) {
@@ -1017,58 +1016,13 @@ static int get_info(struct net *net, void __user *user,
return -EFAULT;
name[IP6T_TABLE_MAXNAMELEN-1] = '\0';
- t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
- "ip6table_%s", name);
- xt2_table = xt2_table_lookup(net, name, NFPROTO_IPV6,
- XT2_TAKE_RCULOCK);
- if (xt2_table != NULL) {
- ret = ip6t2_get_info(user, *len, xt2_table, compat);
- rcu_read_unlock();
- module_put(xt2_table->owner);
- if (t != NULL)
- module_put(t->me);
- return ret;
- }
+ table = try_then_request_module(xt2_table_lookup(net,
+ name, NFPROTO_IPV6, XT2_TAKE_RCULOCK),
+ "ip6table_%s", name);
+ if (table == NULL)
+ return -ENOENT;
+ ret = ip6t2_get_info(user, *len, table, compat);
rcu_read_unlock();
-
-#ifdef CONFIG_COMPAT
- if (compat)
- xt_compat_lock(AF_INET6);
-#endif
- if (t && !IS_ERR(t)) {
- struct ip6t_getinfo info;
- const struct xt_table_info *private = t->private;
-
-#ifdef CONFIG_COMPAT
- if (compat) {
- struct xt_table_info tmp;
- ret = compat_table_info(private, &tmp);
- xt_compat_flush_offsets(AF_INET6);
- private = &tmp;
- }
-#endif
- info.valid_hooks = t->valid_hooks;
- memcpy(info.hook_entry, private->hook_entry,
- sizeof(info.hook_entry));
- memcpy(info.underflow, private->underflow,
- sizeof(info.underflow));
- info.num_entries = private->number;
- info.size = private->size;
- strcpy(info.name, name);
-
- if (copy_to_user(user, &info, *len) != 0)
- ret = -EFAULT;
- else
- ret = 0;
-
- xt_table_unlock(t);
- module_put(t->me);
- } else
- ret = t ? PTR_ERR(t) : -ENOENT;
-#ifdef CONFIG_COMPAT
- if (compat)
- xt_compat_unlock(AF_INET6);
-#endif
return ret;
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 083/103] netfilter: ip6tables: remove xt1 GET_ENTRIES code
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (81 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 082/103] netfilter: ip6tables: remove xt1 GET_INFO code Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 084/103] netfilter: ip6tables: remove unused functions (GET_ENTRIES) Jan Engelhardt
` (21 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv6/netfilter/ip6_tables.c | 75 +++++++-------------------------------
1 files changed, 14 insertions(+), 61 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index fe420fb..8535995 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1032,8 +1032,7 @@ get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
{
int ret;
struct ip6t_get_entries get;
- struct xt2_table *xt2_table;
- struct xt_table *t;
+ struct xt2_table *table;
if (*len < sizeof(get)) {
duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
@@ -1047,33 +1046,13 @@ get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
return -EINVAL;
}
- xt2_table = xt2_table_lookup(net, get.name, NFPROTO_IPV6,
- XT2_TAKE_RCULOCK);
- if (xt2_table != NULL) {
- ret = ip6t2_table_to_xt1(uptr->entrytable, get.size,
- xt2_table, &ip6t_xlat_info);
- rcu_read_unlock();
- return ret;
- }
+ table = xt2_table_lookup(net, get.name, NFPROTO_IPV6,
+ XT2_TAKE_RCULOCK);
+ if (table == NULL)
+ return -ENOENT;
+ ret = ip6t2_table_to_xt1(uptr->entrytable, get.size,
+ table, &ip6t_xlat_info);
rcu_read_unlock();
-
- t = xt_find_table_lock(net, AF_INET6, get.name);
- if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
- duprintf("t->private->number = %u\n", private->number);
- if (get.size == private->size)
- ret = copy_entries_to_user(private->size,
- t, uptr->entrytable);
- else {
- duprintf("get_entries: I've got %u not %u!\n",
- private->size, get.size);
- ret = -EAGAIN;
- }
- module_put(t->me);
- xt_table_unlock(t);
- } else
- ret = t ? PTR_ERR(t) : -ENOENT;
-
return ret;
}
@@ -1829,8 +1808,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
{
int ret;
struct compat_ip6t_get_entries get;
- struct xt2_table *xt2_table;
- struct xt_table *t;
+ struct xt2_table *table;
if (*len < sizeof(get)) {
duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
@@ -1846,38 +1824,13 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
return -EINVAL;
}
- xt2_table = xt2_table_lookup(net, get.name, NFPROTO_IPV6,
- XT2_TAKE_RCULOCK);
- if (xt2_table != NULL) {
- ret = ip6t2_compat_table_to_xt1(uptr->entrytable, get.size,
- xt2_table, &ip6t_compat_xlat_info);
- rcu_read_unlock();
- return ret;
- }
+ table = xt2_table_lookup(net, get.name, NFPROTO_IPV6,
+ XT2_TAKE_RCULOCK);
+ if (table == NULL)
+ return -ENOENT;
+ ret = ip6t2_compat_table_to_xt1(uptr->entrytable, get.size,
+ table, &ip6t_compat_xlat_info);
rcu_read_unlock();
-
- xt_compat_lock(AF_INET6);
- t = xt_find_table_lock(net, AF_INET6, get.name);
- if (t && !IS_ERR(t)) {
- const struct xt_table_info *private = t->private;
- struct xt_table_info info;
- duprintf("t->private->number = %u\n", private->number);
- ret = compat_table_info(private, &info);
- if (!ret && get.size == info.size) {
- ret = compat_copy_entries_to_user(private->size,
- t, uptr->entrytable);
- } else if (!ret) {
- duprintf("compat_get_entries: I've got %u not %u!\n",
- private->size, get.size);
- ret = -EAGAIN;
- }
- xt_compat_flush_offsets(AF_INET6);
- module_put(t->me);
- xt_table_unlock(t);
- } else
- ret = t ? PTR_ERR(t) : -ENOENT;
-
- xt_compat_unlock(AF_INET6);
return ret;
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 084/103] netfilter: ip6tables: remove unused functions (GET_ENTRIES)
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (82 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 083/103] netfilter: ip6tables: remove xt1 GET_ENTRIES code Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 085/103] netfilter: ip6tables: remove xt1 SET_REPLACE code Jan Engelhardt
` (20 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv6/netfilter/ip6_tables.c | 224 ---------------------------------------
1 files changed, 0 insertions(+), 224 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 8535995..deb63f9 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -809,156 +809,6 @@ get_counters(const struct xt_table_info *t,
local_bh_enable();
}
-static struct xt_counters *alloc_counters(const struct xt_table *table)
-{
- unsigned int countersize;
- struct xt_counters *counters;
- const struct xt_table_info *private = table->private;
-
- /* We need atomic snapshot of counters: rest doesn't change
- (other than comefrom, which userspace doesn't care
- about). */
- countersize = sizeof(struct xt_counters) * private->number;
- counters = vmalloc_node(countersize, numa_node_id());
-
- if (counters == NULL)
- return ERR_PTR(-ENOMEM);
-
- get_counters(private, counters);
-
- return counters;
-}
-
-static int
-copy_entries_to_user(unsigned int total_size,
- const struct xt_table *table,
- void __user *userptr)
-{
- unsigned int off, num;
- const struct ip6t_entry *e;
- struct xt_counters *counters;
- const struct xt_table_info *private = table->private;
- int ret = 0;
- const void *loc_cpu_entry;
-
- counters = alloc_counters(table);
- if (IS_ERR(counters))
- return PTR_ERR(counters);
-
- /* choose the copy that is on our node/cpu, ...
- * This choice is lazy (because current thread is
- * allowed to migrate to another cpu)
- */
- loc_cpu_entry = private->entries[raw_smp_processor_id()];
- if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
- ret = -EFAULT;
- goto free_counters;
- }
-
- /* FIXME: use iterator macros --RR */
- /* ... then go back and fix counters and names */
- for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
- unsigned int i;
- const struct ip6t_entry_match *m;
- const struct ip6t_entry_target *t;
-
- e = (struct ip6t_entry *)(loc_cpu_entry + off);
- if (copy_to_user(userptr + off
- + offsetof(struct ip6t_entry, counters),
- &counters[num],
- sizeof(counters[num])) != 0) {
- ret = -EFAULT;
- goto free_counters;
- }
-
- for (i = sizeof(struct ip6t_entry);
- i < e->target_offset;
- i += m->u.match_size) {
- m = (void *)e + i;
-
- if (copy_to_user(userptr + off + i
- + offsetof(struct ip6t_entry_match,
- u.user.name),
- m->u.kernel.match->name,
- strlen(m->u.kernel.match->name)+1)
- != 0) {
- ret = -EFAULT;
- goto free_counters;
- }
- }
-
- t = ip6t_get_target_c(e);
- if (copy_to_user(userptr + off + e->target_offset
- + offsetof(struct ip6t_entry_target,
- u.user.name),
- t->u.kernel.target->name,
- strlen(t->u.kernel.target->name)+1) != 0) {
- ret = -EFAULT;
- goto free_counters;
- }
- }
-
- free_counters:
- vfree(counters);
- return ret;
-}
-
-#ifdef CONFIG_COMPAT
-static int compat_calc_entry(const struct ip6t_entry *e,
- const struct xt_table_info *info,
- const void *base, struct xt_table_info *newinfo)
-{
- const struct xt_entry_match *ematch;
- const struct ip6t_entry_target *t;
- unsigned int entry_offset;
- int off, i, ret;
-
- off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
- entry_offset = (void *)e - base;
- xt_ematch_foreach(ematch, e)
- off += xt_compat_match_offset(ematch->u.kernel.match);
-
- t = ip6t_get_target_c(e);
- off += xt_compat_target_offset(t->u.kernel.target);
- newinfo->size -= off;
- ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
- if (ret)
- return ret;
-
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- if (info->hook_entry[i] &&
- (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
- newinfo->hook_entry[i] -= off;
- if (info->underflow[i] &&
- (e < (struct ip6t_entry *)(base + info->underflow[i])))
- newinfo->underflow[i] -= off;
- }
- return 0;
-}
-
-static int compat_table_info(const struct xt_table_info *info,
- struct xt_table_info *newinfo)
-{
- struct ip6t_entry *iter;
- void *loc_cpu_entry;
- int ret;
-
- if (!newinfo || !info)
- return -EINVAL;
-
- /* we dont care about newinfo->entries[] */
- memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
- newinfo->initial_entries = 0;
- loc_cpu_entry = info->entries[raw_smp_processor_id()];
- xt_entry_foreach(iter, loc_cpu_entry, info->size) {
- ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
- if (ret != 0)
- return ret;
- }
- return 0;
-}
-#endif
-
static const struct xt1_xlat_info ip6t_compat_xlat_info = {
#ifdef CONFIG_COMPAT
.marker_size = COMPAT_XT_ALIGN(sizeof(struct ip6t_error_target)),
@@ -1288,45 +1138,6 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
#ifdef CONFIG_COMPAT
static int
-compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
- unsigned int *size, struct xt_counters *counters,
- unsigned int i)
-{
- struct ip6t_entry_target *t;
- struct compat_ip6t_entry __user *ce;
- u_int16_t target_offset, next_offset;
- compat_uint_t origsize;
- const struct xt_entry_match *ematch;
- int ret = 0;
-
- origsize = *size;
- ce = (struct compat_ip6t_entry __user *)*dstptr;
- if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
- copy_to_user(&ce->counters, &counters[i],
- sizeof(counters[i])) != 0)
- return -EFAULT;
-
- *dstptr += sizeof(struct compat_ip6t_entry);
- *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
-
- xt_ematch_foreach(ematch, e) {
- ret = xt_compat_match_to_user(ematch, dstptr, size);
- if (ret != 0)
- return ret;
- }
- target_offset = e->target_offset - (origsize - *size);
- t = ip6t_get_target(e);
- ret = xt_compat_target_to_user(t, dstptr, size);
- if (ret)
- return ret;
- next_offset = e->next_offset - (origsize - *size);
- if (put_user(target_offset, &ce->target_offset) != 0 ||
- put_user(next_offset, &ce->next_offset) != 0)
- return -EFAULT;
- return 0;
-}
-
-static int
compat_find_calc_match(struct ip6t_entry_match *m,
const char *name,
const struct ip6t_ip6 *ipv6,
@@ -1768,41 +1579,6 @@ struct compat_ip6t_get_entries {
};
static int
-compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
- void __user *userptr)
-{
- struct xt_counters *counters;
- const struct xt_table_info *private = table->private;
- void __user *pos;
- unsigned int size;
- int ret = 0;
- const void *loc_cpu_entry;
- unsigned int i = 0;
- struct ip6t_entry *iter;
-
- counters = alloc_counters(table);
- if (IS_ERR(counters))
- return PTR_ERR(counters);
-
- /* choose the copy that is on our node/cpu, ...
- * This choice is lazy (because current thread is
- * allowed to migrate to another cpu)
- */
- loc_cpu_entry = private->entries[raw_smp_processor_id()];
- pos = userptr;
- size = total_size;
- xt_entry_foreach(iter, loc_cpu_entry, total_size) {
- ret = compat_copy_entry_to_user(iter, &pos,
- &size, counters, i++);
- if (ret != 0)
- break;
- }
-
- vfree(counters);
- return ret;
-}
-
-static int
compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
int *len)
{
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 085/103] netfilter: ip6tables: remove xt1 SET_REPLACE code
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (83 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 084/103] netfilter: ip6tables: remove unused functions (GET_ENTRIES) Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 086/103] netfilter: ip6tables: remove unused functions (SET_REPLACE) Jan Engelhardt
` (19 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv6/netfilter/ip6_tables.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index deb63f9..846d15c 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1557,8 +1557,7 @@ compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
switch (cmd) {
case IP6T_SO_SET_REPLACE:
- ret = compat_do_replace(sock_net(sk), user, len);
- break;
+ return ip6t2_compat_do_replace(sock_net(sk), user, len);
case IP6T_SO_SET_ADD_COUNTERS:
ret = do_add_counters(sock_net(sk), user, len, 1);
@@ -1644,8 +1643,7 @@ do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
switch (cmd) {
case IP6T_SO_SET_REPLACE:
- ret = do_replace(sock_net(sk), user, len);
- break;
+ return ip6t2_do_replace(sock_net(sk), user, len);
case IP6T_SO_SET_ADD_COUNTERS:
ret = do_add_counters(sock_net(sk), user, len, 0);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 086/103] netfilter: ip6tables: remove unused functions (SET_REPLACE)
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (84 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 085/103] netfilter: ip6tables: remove xt1 SET_REPLACE code Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 087/103] netfilter: ip6tables: remove xt1 ADD_COUNTERS code Jan Engelhardt
` (18 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv6/netfilter/ip6_tables.c | 580 ---------------------------------------
1 files changed, 0 insertions(+), 580 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 846d15c..69fe30d 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -768,47 +768,6 @@ translate_table(struct xt_table_info *newinfo, void *entry0,
return ret;
}
-static void
-get_counters(const struct xt_table_info *t,
- struct xt_counters counters[])
-{
- struct ip6t_entry *iter;
- unsigned int cpu;
- unsigned int i;
- unsigned int curcpu;
-
- /* Instead of clearing (by a previous call to memset())
- * the counters and using adds, we set the counters
- * with data used by 'current' CPU
- *
- * Bottom half has to be disabled to prevent deadlock
- * if new softirq were to run and call ipt_do_table
- */
- local_bh_disable();
- curcpu = smp_processor_id();
-
- i = 0;
- xt_entry_foreach(iter, t->entries[curcpu], t->size) {
- SET_COUNTER(counters[i], iter->counters.bcnt,
- iter->counters.pcnt);
- ++i;
- }
-
- for_each_possible_cpu(cpu) {
- if (cpu == curcpu)
- continue;
- i = 0;
- xt_info_wrlock(cpu);
- xt_entry_foreach(iter, t->entries[cpu], t->size) {
- ADD_COUNTER(counters[i], iter->counters.bcnt,
- iter->counters.pcnt);
- ++i;
- }
- xt_info_wrunlock(cpu);
- }
- local_bh_enable();
-}
-
static const struct xt1_xlat_info ip6t_compat_xlat_info = {
#ifdef CONFIG_COMPAT
.marker_size = COMPAT_XT_ALIGN(sizeof(struct ip6t_error_target)),
@@ -907,136 +866,6 @@ get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
}
static int
-__do_replace(struct net *net, const char *name, unsigned int valid_hooks,
- struct xt_table_info *newinfo, unsigned int num_counters,
- void __user *counters_ptr)
-{
- int ret;
- struct xt_table *t;
- struct xt_table_info *oldinfo;
- struct xt_counters *counters;
- const void *loc_cpu_old_entry;
- struct ip6t_entry *iter;
-
- ret = 0;
- counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
- numa_node_id());
- if (!counters) {
- ret = -ENOMEM;
- goto out;
- }
-
- t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
- "ip6table_%s", name);
- if (!t || IS_ERR(t)) {
- ret = t ? PTR_ERR(t) : -ENOENT;
- goto free_newinfo_counters_untrans;
- }
-
- /* You lied! */
- if (valid_hooks != t->valid_hooks) {
- duprintf("Valid hook crap: %08X vs %08X\n",
- valid_hooks, t->valid_hooks);
- ret = -EINVAL;
- goto put_module;
- }
-
- oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
- if (!oldinfo)
- goto put_module;
-
- /* Update module usage count based on number of rules */
- duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
- oldinfo->number, oldinfo->initial_entries, newinfo->number);
- if ((oldinfo->number > oldinfo->initial_entries) ||
- (newinfo->number <= oldinfo->initial_entries))
- module_put(t->me);
- if ((oldinfo->number > oldinfo->initial_entries) &&
- (newinfo->number <= oldinfo->initial_entries))
- module_put(t->me);
-
- /* Get the old counters, and synchronize with replace */
- get_counters(oldinfo, counters);
-
- /* Decrease module usage counts and free resource */
- loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
- xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
- cleanup_entry(iter);
-
- xt_free_table_info(oldinfo);
- if (copy_to_user(counters_ptr, counters,
- sizeof(struct xt_counters) * num_counters) != 0)
- ret = -EFAULT;
- vfree(counters);
- xt_table_unlock(t);
- return ret;
-
- put_module:
- module_put(t->me);
- xt_table_unlock(t);
- free_newinfo_counters_untrans:
- vfree(counters);
- out:
- return ret;
-}
-
-static int
-do_replace(struct net *net, const void __user *user, unsigned int len)
-{
- int ret;
- struct ip6t_replace tmp;
- struct xt_table_info *newinfo;
- void *loc_cpu_entry;
- struct ip6t_entry *iter;
-
- if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
- return -EFAULT;
-
- /*
- * If the table goes away just moments later, no problem.
- * Just dispatching here.
- */
- if (xt2_table_lookup(net, tmp.name,
- NFPROTO_IPV6, XT2_NO_RCULOCK) != NULL)
- return ip6t2_do_replace(net, user, len);
-
- /* overflow check */
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-
- newinfo = xt_alloc_table_info(tmp.size);
- if (!newinfo)
- return -ENOMEM;
-
- /* choose the copy that is on our node/cpu */
- loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
- if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
- tmp.size) != 0) {
- ret = -EFAULT;
- goto free_newinfo;
- }
-
- ret = translate_table(newinfo, loc_cpu_entry, &tmp);
- if (ret != 0)
- goto free_newinfo;
-
- duprintf("ip_tables: Translated table\n");
-
- ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
- tmp.num_counters, tmp.counters);
- if (ret)
- goto free_newinfo_untrans;
- return 0;
-
- free_newinfo_untrans:
- xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- cleanup_entry(iter);
- free_newinfo:
- xt_free_table_info(newinfo);
- return ret;
-}
-
-static int
do_add_counters(struct net *net, const void __user *user, unsigned int len,
int compat)
{
@@ -1138,415 +967,6 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
#ifdef CONFIG_COMPAT
static int
-compat_find_calc_match(struct ip6t_entry_match *m,
- const char *name,
- const struct ip6t_ip6 *ipv6,
- unsigned int hookmask,
- int *size)
-{
- struct xt_match *match;
-
- match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
- m->u.user.revision);
- if (IS_ERR(match)) {
- duprintf("compat_check_calc_match: `%s' not found\n",
- m->u.user.name);
- return PTR_ERR(match);
- }
- m->u.kernel.match = match;
- *size += xt_compat_match_offset(match);
- return 0;
-}
-
-static void compat_release_entry(struct compat_ip6t_entry *e)
-{
- struct ip6t_entry_target *t;
- struct xt_entry_match *ematch;
-
- /* Cleanup all matches */
- xt_ematch_foreach(ematch, e)
- module_put(ematch->u.kernel.match->me);
- t = compat_ip6t_get_target(e);
- module_put(t->u.kernel.target->me);
-}
-
-static int
-check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
- struct xt_table_info *newinfo,
- unsigned int *size,
- const unsigned char *base,
- const unsigned char *limit,
- const unsigned int *hook_entries,
- const unsigned int *underflows,
- const char *name)
-{
- struct xt_entry_match *ematch;
- struct ip6t_entry_target *t;
- struct xt_target *target;
- unsigned int entry_offset;
- unsigned int j;
- int ret, off, h;
- struct xt_mtchk_param mtpar;
-
- duprintf("check_compat_entry_size_and_hooks %p\n", e);
- if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0
- || (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
- duprintf("Bad offset %p, limit = %p\n", e, limit);
- return -EINVAL;
- }
-
- if (e->next_offset < sizeof(struct compat_ip6t_entry) +
- sizeof(struct compat_xt_entry_target)) {
- duprintf("checking: element %p size %u\n",
- e, e->next_offset);
- return -EINVAL;
- }
-
- /* For purposes of check_entry casting the compat entry is fine */
- mtpar.table = name;
- mtpar.entryinfo = &e->ipv6;
- mtpar.hook_mask = e->comefrom;
- mtpar.family = NFPROTO_IPV6;
- mtpar.match = &ip6t_builtin_mt[0]; /* ipv6 */
- mtpar.matchinfo = &e->ipv6;
- ret = check_entry((struct ip6t_entry *)e, &mtpar);
- if (ret)
- return ret;
-
- off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
- entry_offset = (void *)e - (void *)base;
- j = 0;
- xt_ematch_foreach(ematch, e) {
- ret = compat_find_calc_match(ematch, name,
- &e->ipv6, e->comefrom, &off);
- if (ret != 0)
- goto release_matches;
- ++j;
- }
-
- t = compat_ip6t_get_target(e);
- target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
- t->u.user.revision);
- if (IS_ERR(target)) {
- duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
- t->u.user.name);
- ret = PTR_ERR(target);
- goto release_matches;
- }
- t->u.kernel.target = target;
-
- off += xt_compat_target_offset(target);
- *size += off;
- ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
- if (ret)
- goto out;
-
- /* Check hooks & underflows */
- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
- if ((unsigned char *)e - base == hook_entries[h])
- newinfo->hook_entry[h] = hook_entries[h];
- if ((unsigned char *)e - base == underflows[h])
- newinfo->underflow[h] = underflows[h];
- }
-
- /* Clear counters and comefrom */
- memset(&e->counters, 0, sizeof(e->counters));
- e->comefrom = 0;
- return 0;
-
-out:
- module_put(t->u.kernel.target->me);
-release_matches:
- xt_ematch_foreach(ematch, e) {
- if (j-- == 0)
- break;
- module_put(ematch->u.kernel.match->me);
- }
- return ret;
-}
-
-static int
-compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
- unsigned int *size, const char *name,
- struct xt_table_info *newinfo, unsigned char *base)
-{
- struct ip6t_entry_target *t;
- struct xt_target *target;
- struct ip6t_entry *de;
- unsigned int origsize;
- int ret, h;
- struct xt_entry_match *ematch;
-
- ret = 0;
- origsize = *size;
- de = (struct ip6t_entry *)*dstptr;
- memcpy(de, e, sizeof(struct ip6t_entry));
- memcpy(&de->counters, &e->counters, sizeof(e->counters));
-
- *dstptr += sizeof(struct ip6t_entry);
- *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
-
- xt_ematch_foreach(ematch, e) {
- ret = xt_compat_match_from_user(ematch, dstptr, size);
- if (ret != 0)
- return ret;
- }
- de->target_offset = e->target_offset - (origsize - *size);
- t = compat_ip6t_get_target(e);
- target = t->u.kernel.target;
- xt_compat_target_from_user(t, dstptr, size);
-
- de->next_offset = e->next_offset - (origsize - *size);
- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
- if ((unsigned char *)de - base < newinfo->hook_entry[h])
- newinfo->hook_entry[h] -= origsize - *size;
- if ((unsigned char *)de - base < newinfo->underflow[h])
- newinfo->underflow[h] -= origsize - *size;
- }
- return ret;
-}
-
-static int compat_check_entry(struct ip6t_entry *e, const char *name)
-{
- unsigned int j;
- int ret = 0;
- struct xt_mtchk_param mtpar;
- struct xt_entry_match *ematch;
-
- j = 0;
- mtpar.table = name;
- mtpar.entryinfo = &e->ipv6;
- mtpar.hook_mask = e->comefrom;
- mtpar.family = NFPROTO_IPV6;
- xt_ematch_foreach(ematch, e) {
- ret = check_match(ematch, &mtpar);
- if (ret != 0)
- goto cleanup_matches;
- ++j;
- }
-
- ret = check_target(e, name);
- if (ret)
- goto cleanup_matches;
- return 0;
-
- cleanup_matches:
- xt_ematch_foreach(ematch, e) {
- if (j-- == 0)
- break;
- cleanup_match(ematch);
- }
- return ret;
-}
-
-static int
-translate_compat_table(const char *name,
- unsigned int valid_hooks,
- struct xt_table_info **pinfo,
- void **pentry0,
- unsigned int total_size,
- unsigned int number,
- unsigned int *hook_entries,
- unsigned int *underflows)
-{
- unsigned int i, j;
- struct xt_table_info *newinfo, *info;
- void *pos, *entry0, *entry1;
- struct compat_ip6t_entry *iter0;
- struct ip6t_entry *iter1;
- unsigned int size;
- int ret = 0;
-
- info = *pinfo;
- entry0 = *pentry0;
- size = total_size;
- info->number = number;
-
- /* Init all hooks to impossible value. */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- info->hook_entry[i] = 0xFFFFFFFF;
- info->underflow[i] = 0xFFFFFFFF;
- }
-
- duprintf("translate_compat_table: size %u\n", info->size);
- j = 0;
- xt_compat_lock(AF_INET6);
- /* Walk through entries, checking offsets. */
- xt_entry_foreach(iter0, entry0, total_size) {
- ret = check_compat_entry_size_and_hooks(iter0, info, &size,
- entry0, entry0 + total_size, hook_entries, underflows,
- name);
- if (ret != 0)
- goto out_unlock;
- ++j;
- }
-
- ret = -EINVAL;
- if (j != number) {
- duprintf("translate_compat_table: %u not %u entries\n",
- j, number);
- goto out_unlock;
- }
-
- /* Check hooks all assigned */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- /* Only hooks which are valid */
- if (!(valid_hooks & (1 << i)))
- continue;
- if (info->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
- i, hook_entries[i]);
- goto out_unlock;
- }
- if (info->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
- i, underflows[i]);
- goto out_unlock;
- }
- }
-
- ret = -ENOMEM;
- newinfo = xt_alloc_table_info(size);
- if (!newinfo)
- goto out_unlock;
-
- newinfo->number = number;
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- newinfo->hook_entry[i] = info->hook_entry[i];
- newinfo->underflow[i] = info->underflow[i];
- }
- entry1 = newinfo->entries[raw_smp_processor_id()];
- pos = entry1;
- size = total_size;
- xt_entry_foreach(iter0, entry0, total_size) {
- ret = compat_copy_entry_from_user(iter0, &pos,
- &size, name, newinfo, entry1);
- if (ret != 0)
- break;
- }
- xt_compat_flush_offsets(AF_INET6);
- xt_compat_unlock(AF_INET6);
- if (ret)
- goto free_newinfo;
-
- ret = -ELOOP;
- if (!ip6t2_mark_chains(newinfo, valid_hooks, entry1))
- goto free_newinfo;
-
- i = 0;
- xt_entry_foreach(iter1, entry1, newinfo->size) {
- ret = compat_check_entry(iter1, name);
- if (ret != 0)
- break;
- ++i;
- }
- if (ret) {
- /*
- * The first i matches need cleanup_entry (calls ->destroy)
- * because they had called ->check already. The other j-i
- * entries need only release.
- */
- int skip = i;
- j -= i;
- xt_entry_foreach(iter0, entry0, newinfo->size) {
- if (skip-- > 0)
- continue;
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
- }
- xt_entry_foreach(iter1, entry1, newinfo->size) {
- if (i-- == 0)
- break;
- cleanup_entry(iter1);
- }
- xt_free_table_info(newinfo);
- return ret;
- }
-
- /* And one copy for every other CPU */
- for_each_possible_cpu(i)
- if (newinfo->entries[i] && newinfo->entries[i] != entry1)
- memcpy(newinfo->entries[i], entry1, newinfo->size);
-
- *pinfo = newinfo;
- *pentry0 = entry1;
- xt_free_table_info(info);
- return 0;
-
-free_newinfo:
- xt_free_table_info(newinfo);
-out:
- xt_entry_foreach(iter0, entry0, total_size) {
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
- }
- return ret;
-out_unlock:
- xt_compat_flush_offsets(AF_INET6);
- xt_compat_unlock(AF_INET6);
- goto out;
-}
-
-static int
-compat_do_replace(struct net *net, void __user *user, unsigned int len)
-{
- int ret;
- struct compat_ip6t_replace tmp;
- struct xt_table_info *newinfo;
- void *loc_cpu_entry;
- struct ip6t_entry *iter;
-
- if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
- return -EFAULT;
-
- if (xt2_table_lookup(net, tmp.name, NFPROTO_IPV6,
- XT2_NO_RCULOCK) != NULL)
- return ip6t2_compat_do_replace(net, user, len);
-
- /* overflow check */
- if (tmp.size >= INT_MAX / num_possible_cpus())
- return -ENOMEM;
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-
- newinfo = xt_alloc_table_info(tmp.size);
- if (!newinfo)
- return -ENOMEM;
-
- /* choose the copy that is on our node/cpu */
- loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
- if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
- tmp.size) != 0) {
- ret = -EFAULT;
- goto free_newinfo;
- }
-
- ret = translate_compat_table(tmp.name, tmp.valid_hooks,
- &newinfo, &loc_cpu_entry, tmp.size,
- tmp.num_entries, tmp.hook_entry,
- tmp.underflow);
- if (ret != 0)
- goto free_newinfo;
-
- duprintf("compat_do_replace: Translated table\n");
-
- ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
- tmp.num_counters, compat_ptr(tmp.counters));
- if (ret)
- goto free_newinfo_untrans;
- return 0;
-
- free_newinfo_untrans:
- xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- cleanup_entry(iter);
- free_newinfo:
- xt_free_table_info(newinfo);
- return ret;
-}
-
-static int
compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
unsigned int len)
{
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 087/103] netfilter: ip6tables: remove xt1 ADD_COUNTERS code
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (85 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 086/103] netfilter: ip6tables: remove unused functions (SET_REPLACE) Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 088/103] netfilter: ip6tables: remove xt1/ipv6 registration functions Jan Engelhardt
` (17 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv6/netfilter/ip6_tables.c | 61 +++-----------------------------------
1 files changed, 5 insertions(+), 56 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 69fe30d..0bd646d 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -869,19 +869,13 @@ static int
do_add_counters(struct net *net, const void __user *user, unsigned int len,
int compat)
{
- unsigned int i, curcpu;
struct xt_counters_info tmp;
- struct xt_counters *paddc;
unsigned int num_counters;
char *name;
int size;
void *ptmp;
- struct xt_table *t;
- const struct xt_table_info *private;
int ret = 0;
- const void *loc_cpu_entry;
- struct ip6t_entry *iter;
- struct xt2_table *xt2_table;
+ struct xt2_table *table;
#ifdef CONFIG_COMPAT
struct compat_xt_counters_info compat_tmp;
@@ -912,56 +906,11 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
if (len != size + num_counters * sizeof(struct xt_counters))
return -EINVAL;
- xt2_table = xt2_table_lookup(net, name, NFPROTO_IPV6,
- XT2_TAKE_RCULOCK);
- if (xt2_table != NULL) {
- ret = xts_get_counters(xt2_table, user + size, num_counters);
- rcu_read_unlock();
- return ret;
- }
+ table = xt2_table_lookup(net, name, NFPROTO_IPV6, XT2_TAKE_RCULOCK);
+ if (table == NULL)
+ return -ENOENT;
+ ret = xts_get_counters(table, user + size, num_counters);
rcu_read_unlock();
-
- paddc = vmalloc_node(len - size, numa_node_id());
- if (!paddc)
- return -ENOMEM;
-
- if (copy_from_user(paddc, user + size, len - size) != 0) {
- ret = -EFAULT;
- goto free;
- }
-
- t = xt_find_table_lock(net, AF_INET6, name);
- if (!t || IS_ERR(t)) {
- ret = t ? PTR_ERR(t) : -ENOENT;
- goto free;
- }
-
-
- local_bh_disable();
- private = t->private;
- if (private->number != num_counters) {
- ret = -EINVAL;
- goto unlock_up_free;
- }
-
- i = 0;
- /* Choose the copy that is on our node */
- curcpu = smp_processor_id();
- xt_info_wrlock(curcpu);
- loc_cpu_entry = private->entries[curcpu];
- xt_entry_foreach(iter, loc_cpu_entry, private->size) {
- ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
- ++i;
- }
- xt_info_wrunlock(curcpu);
-
- unlock_up_free:
- local_bh_enable();
- xt_table_unlock(t);
- module_put(t->me);
- free:
- vfree(paddc);
-
return ret;
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 088/103] netfilter: ip6tables: remove xt1/ipv6 registration functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (86 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 087/103] netfilter: ip6tables: remove xt1 ADD_COUNTERS code Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 089/103] netfilter: ip6tables: remove remaining xt1 code Jan Engelhardt
` (16 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter_ipv6/ip6_tables.h | 4 -
net/ipv6/netfilter/ip6_tables.c | 363 -----------------------------
2 files changed, 0 insertions(+), 367 deletions(-)
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index bad5135..63d5745 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -307,10 +307,6 @@ ip6t_get_target(struct ip6t_entry *e)
#include <linux/init.h>
extern void ip6t_init(void) __init;
-extern struct xt_table *ip6t_register_table(struct net *net,
- const struct xt_table *table,
- const struct ip6t_replace *repl);
-extern void ip6t_unregister_table(struct xt_table *table);
extern unsigned int ip6t_do_table(struct sk_buff *skb,
unsigned int hook,
const struct net_device *in,
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 0bd646d..a1c684b 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -462,312 +462,6 @@ ip6t_do_table(struct sk_buff *skb,
#endif
}
-static void cleanup_match(struct ip6t_entry_match *m)
-{
- struct xt_mtdtor_param par;
-
- par.match = m->u.kernel.match;
- par.matchinfo = m->data;
- par.family = NFPROTO_IPV6;
- if (par.match->destroy != NULL)
- par.match->destroy(&par);
- module_put(par.match->me);
-}
-
-static int
-check_entry(struct ip6t_entry *e, struct xt_mtchk_param *par)
-{
- const struct ip6t_entry_target *t;
-
- par->match = &ip6t_builtin_mt[0];
- par->matchinfo = &e->ipv6;
- if (!ip6_checkentry(par)) {
- duprintf("ip6_tables: ip check failed %p %s.\n", e, name);
- return -EINVAL;
- }
-
- if (e->target_offset + sizeof(struct ip6t_entry_target) >
- e->next_offset)
- return -EINVAL;
-
- t = ip6t_get_target_c(e);
- if (e->target_offset + t->u.target_size > e->next_offset)
- return -EINVAL;
-
- return 0;
-}
-
-static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
-{
- const struct ip6t_ip6 *ipv6 = par->entryinfo;
- int ret;
-
- par->match = m->u.kernel.match;
- par->matchinfo = m->data;
-
- ret = xt_check_match(par, m->u.match_size - sizeof(*m),
- ipv6->proto, ipv6->invflags & IP6T_INV_PROTO,
- true);
- if (ret < 0) {
- duprintf("ip_tables: check failed for `%s'.\n",
- par.match->name);
- return ret;
- }
- return 0;
-}
-
-static int
-find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
-{
- struct xt_match *match;
- int ret;
-
- match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
- m->u.user.revision);
- if (IS_ERR(match)) {
- duprintf("find_check_match: `%s' not found\n", m->u.user.name);
- return PTR_ERR(match);
- }
- m->u.kernel.match = match;
-
- ret = check_match(m, par);
- if (ret)
- goto err;
-
- return 0;
-err:
- module_put(m->u.kernel.match->me);
- return ret;
-}
-
-static int check_target(struct ip6t_entry *e, const char *name)
-{
- struct ip6t_entry_target *t = ip6t_get_target(e);
- struct xt_tgchk_param par = {
- .table = name,
- .entryinfo = e,
- .nfproto_info = &e->ipv6,
- .target = t->u.kernel.target,
- .targinfo = t->data,
- .hook_mask = e->comefrom,
- .family = NFPROTO_IPV6,
- };
- int ret;
-
- t = ip6t_get_target(e);
- ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
- e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO, true);
- if (ret < 0) {
- duprintf("ip_tables: check failed for `%s'.\n",
- t->u.kernel.target->name);
- return ret;
- }
- return 0;
-}
-
-static int
-find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size)
-{
- struct ip6t_entry_target *t;
- struct xt_target *target;
- int ret;
- unsigned int j;
- struct xt_mtchk_param mtpar;
- struct xt_entry_match *ematch;
-
- mtpar.table = name;
- mtpar.entryinfo = &e->ipv6;
- mtpar.hook_mask = e->comefrom;
- mtpar.family = NFPROTO_IPV6;
- ret = check_entry(e, &mtpar);
- if (ret)
- return ret;
- j = 0;
- xt_ematch_foreach(ematch, e) {
- ret = find_check_match(ematch, &mtpar);
- if (ret != 0)
- goto cleanup_matches;
- ++j;
- }
-
- t = ip6t_get_target(e);
- target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
- t->u.user.revision);
- if (IS_ERR(target)) {
- duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
- ret = PTR_ERR(target);
- goto cleanup_matches;
- }
- t->u.kernel.target = target;
-
- ret = check_target(e, name);
- if (ret)
- goto err;
- return 0;
- err:
- module_put(t->u.kernel.target->me);
- cleanup_matches:
- xt_ematch_foreach(ematch, e) {
- if (j-- == 0)
- break;
- cleanup_match(ematch);
- }
- return ret;
-}
-
-static int
-check_entry_size_and_hooks(struct ip6t_entry *e,
- struct xt_table_info *newinfo,
- const unsigned char *base,
- const unsigned char *limit,
- const unsigned int *hook_entries,
- const unsigned int *underflows,
- unsigned int valid_hooks)
-{
- unsigned int h;
-
- if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0
- || (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
- duprintf("Bad offset %p\n", e);
- return -EINVAL;
- }
-
- if (e->next_offset
- < sizeof(struct ip6t_entry) + sizeof(struct ip6t_entry_target)) {
- duprintf("checking: element %p size %u\n",
- e, e->next_offset);
- return -EINVAL;
- }
-
- /* Check hooks & underflows */
- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
- if (!(valid_hooks & (1 << h)))
- continue;
- if ((unsigned char *)e - base == hook_entries[h])
- newinfo->hook_entry[h] = hook_entries[h];
- if ((unsigned char *)e - base == underflows[h]) {
- if (!ip6t2_check_underflow(e)) {
- pr_err("Underflows must be unconditional and "
- "use the STANDARD target with "
- "ACCEPT/DROP\n");
- return -EINVAL;
- }
- newinfo->underflow[h] = underflows[h];
- }
- }
-
- /* Clear counters and comefrom */
- e->counters = ((struct xt_counters) { 0, 0 });
- e->comefrom = 0;
- return 0;
-}
-
-static void cleanup_entry(struct ip6t_entry *e)
-{
- struct xt_tgdtor_param par;
- struct ip6t_entry_target *t;
- struct xt_entry_match *ematch;
-
- /* Cleanup all matches */
- xt_ematch_foreach(ematch, e)
- cleanup_match(ematch);
- t = ip6t_get_target(e);
-
- par.target = t->u.kernel.target;
- par.targinfo = t->data;
- par.family = NFPROTO_IPV6;
- if (par.target->destroy != NULL)
- par.target->destroy(&par);
- module_put(par.target->me);
-}
-
-/* Checks and translates the user-supplied table segment (held in
- newinfo) */
-static int
-translate_table(struct xt_table_info *newinfo, void *entry0,
- const struct ip6t_replace *repl)
-{
- struct ip6t_entry *iter;
- unsigned int i;
- int ret = 0;
-
- newinfo->size = repl->size;
- newinfo->number = repl->num_entries;
-
- /* Init all hooks to impossible value. */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- newinfo->hook_entry[i] = 0xFFFFFFFF;
- newinfo->underflow[i] = 0xFFFFFFFF;
- }
-
- duprintf("translate_table: size %u\n", newinfo->size);
- i = 0;
- /* Walk through entries, checking offsets. */
- xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = check_entry_size_and_hooks(iter, newinfo, entry0,
- entry0 + repl->size, repl->hook_entry, repl->underflow,
- repl->valid_hooks);
- if (ret != 0)
- return ret;
- ++i;
- if (strcmp(ip6t_get_target(iter)->u.user.name,
- XT_ERROR_TARGET) == 0)
- ++newinfo->stacksize;
- }
-
- if (i != repl->num_entries) {
- duprintf("translate_table: %u not %u entries\n",
- i, repl->num_entries);
- return -EINVAL;
- }
-
- /* Check hooks all assigned */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- /* Only hooks which are valid */
- if (!(repl->valid_hooks & (1 << i)))
- continue;
- if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
- i, repl->hook_entry[i]);
- return -EINVAL;
- }
- if (newinfo->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
- i, repl->underflow[i]);
- return -EINVAL;
- }
- }
-
- if (!ip6t2_mark_chains(newinfo, repl->valid_hooks, entry0))
- return -ELOOP;
-
- /* Finally, each sanity check must pass */
- i = 0;
- xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = find_check_entry(iter, repl->name, repl->size);
- if (ret != 0)
- break;
- ++i;
- }
-
- if (ret != 0) {
- xt_entry_foreach(iter, entry0, newinfo->size) {
- if (i-- == 0)
- break;
- cleanup_entry(iter);
- }
- return ret;
- }
-
- /* And one copy for every other CPU */
- for_each_possible_cpu(i) {
- if (newinfo->entries[i] && newinfo->entries[i] != entry0)
- memcpy(newinfo->entries[i], entry0, newinfo->size);
- }
-
- return ret;
-}
-
static const struct xt1_xlat_info ip6t_compat_xlat_info = {
#ifdef CONFIG_COMPAT
.marker_size = COMPAT_XT_ALIGN(sizeof(struct ip6t_error_target)),
@@ -1077,61 +771,6 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
return ret;
}
-struct xt_table *ip6t_register_table(struct net *net,
- const struct xt_table *table,
- const struct ip6t_replace *repl)
-{
- int ret;
- struct xt_table_info *newinfo;
- struct xt_table_info bootstrap = {};
- void *loc_cpu_entry;
- struct xt_table *new_table;
-
- newinfo = xt_alloc_table_info(repl->size);
- if (!newinfo) {
- ret = -ENOMEM;
- goto out;
- }
-
- /* choose the copy on our node/cpu, but dont care about preemption */
- loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
- memcpy(loc_cpu_entry, repl->entries, repl->size);
-
- ret = translate_table(newinfo, loc_cpu_entry, repl);
- if (ret != 0)
- goto out_free;
-
- new_table = xt_register_table(net, table, &bootstrap, newinfo);
- if (IS_ERR(new_table)) {
- ret = PTR_ERR(new_table);
- goto out_free;
- }
- return new_table;
-
-out_free:
- xt_free_table_info(newinfo);
-out:
- return ERR_PTR(ret);
-}
-
-void ip6t_unregister_table(struct xt_table *table)
-{
- struct xt_table_info *private;
- void *loc_cpu_entry;
- struct module *table_owner = table->me;
- struct ip6t_entry *iter;
-
- private = xt_unregister_table(table);
-
- /* Decrease module usage counts and free resources */
- loc_cpu_entry = private->entries[raw_smp_processor_id()];
- xt_entry_foreach(iter, loc_cpu_entry, private->size)
- cleanup_entry(iter);
- if (private->number > private->initial_entries)
- module_put(table_owner);
- xt_free_table_info(private);
-}
-
static struct nf_sockopt_ops ip6t_sockopts = {
.pf = PF_INET6,
.set_optmin = IP6T_BASE_CTL,
@@ -1297,8 +936,6 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
return nexthdr;
}
-EXPORT_SYMBOL(ip6t_register_table);
-EXPORT_SYMBOL(ip6t_unregister_table);
EXPORT_SYMBOL(ip6t_do_table);
EXPORT_SYMBOL(ip6t_ext_hdr);
EXPORT_SYMBOL(ipv6_find_hdr);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 089/103] netfilter: ip6tables: remove remaining xt1 code
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (87 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 088/103] netfilter: ip6tables: remove xt1/ipv6 registration functions Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 090/103] netfilter: iptables: include xt1_perproto code in ip_tables Jan Engelhardt
` (15 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter_ipv6/ip6_tables.h | 19 ---
net/ipv6/netfilter/ip6_tables.c | 223 -----------------------------
2 files changed, 0 insertions(+), 242 deletions(-)
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 63d5745..9f2f76a 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -304,15 +304,6 @@ ip6t_get_target(struct ip6t_entry *e)
#ifdef __KERNEL__
-#include <linux/init.h>
-extern void ip6t_init(void) __init;
-
-extern unsigned int ip6t_do_table(struct sk_buff *skb,
- unsigned int hook,
- const struct net_device *in,
- const struct net_device *out,
- struct xt_table *table);
-
extern struct xt2_table *ip6t2_register_table(struct net *,
const struct xt_table *, const struct ip6t_replace *);
@@ -326,8 +317,6 @@ extern int ip6_masked_addrcmp(const struct in6_addr *addr1,
const struct in6_addr *mask,
const struct in6_addr *addr2);
-#define IP6T_ALIGN(s) XT_ALIGN(s)
-
#ifdef CONFIG_COMPAT
#include <net/compat.h>
@@ -354,14 +343,6 @@ struct compat_ip6t_replace {
struct compat_ip6t_entry entries[0];
};
-static inline struct ip6t_entry_target *
-compat_ip6t_get_target(struct compat_ip6t_entry *e)
-{
- return (void *)e + e->target_offset;
-}
-
-#define COMPAT_IP6T_ALIGN(s) COMPAT_XT_ALIGN(s)
-
#endif /* CONFIG_COMPAT */
#endif /*__KERNEL__*/
#endif /* _IP6_TABLES_H */
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index a1c684b..dd242ad 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -50,23 +50,6 @@ MODULE_DESCRIPTION("IPv6 packet filter");
#define duprintf(format, args...)
#endif
-#ifdef CONFIG_NETFILTER_DEBUG
-#define IP_NF_ASSERT(x) \
-do { \
- if (!(x)) \
- printk("IP_NF_ASSERT: %s:%s:%u\n", \
- __func__, __FILE__, __LINE__); \
-} while(0)
-#else
-#define IP_NF_ASSERT(x)
-#endif
-
-#if 0
-/* All the better to debug you with... */
-#define static
-#define inline
-#endif
-
#define xtsub_entry ip6t_entry
#define xtsub_entry_nocompat ip6t_entry
#define xtsub_replace ip6t_replace
@@ -244,55 +227,6 @@ static bool icmp6_checkentry(const struct xt_mtchk_param *par)
return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
}
-#ifdef CONFIG_COMPAT
-static void compat_standard_from_user(void *dst, const void *src)
-{
- int v = *(compat_int_t *)src;
-
- if (v > 0)
- v += xt_compat_calc_jump(AF_INET6, v);
- memcpy(dst, &v, sizeof(v));
-}
-
-static int compat_standard_to_user(void __user *dst, const void *src)
-{
- compat_int_t cv = *(int *)src;
-
- if (cv > 0)
- cv -= xt_compat_calc_jump(AF_INET6, cv);
- return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
-}
-#endif
-
-static unsigned int
-ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
-{
- if (net_ratelimit())
- printk("ip6_tables: error: `%s'\n",
- (const char *)par->targinfo);
-
- return NF_DROP;
-}
-
-static struct xt_target ip6t_builtin_tg[] __read_mostly = {
- {
- .name = IP6T_STANDARD_TARGET,
- .targetsize = sizeof(int),
- .family = NFPROTO_IPV6,
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(compat_int_t),
- .compat_from_user = compat_standard_from_user,
- .compat_to_user = compat_standard_to_user,
-#endif
- },
- {
- .name = IP6T_ERROR_TARGET,
- .target = ip6t_error,
- .targetsize = IP6T_FUNCTION_MAXNAMELEN,
- .family = NFPROTO_IPV6,
- },
-};
-
static struct xt_match ip6t_builtin_mt[] __read_mostly = {
{
.name = "ipv6",
@@ -312,156 +246,6 @@ static struct xt_match ip6t_builtin_mt[] __read_mostly = {
},
};
-static inline struct ip6t_entry *
-get_entry(const void *base, unsigned int offset)
-{
- return (struct ip6t_entry *)(base + offset);
-}
-
-/* All zeroes == unconditional rule. */
-/* Mildly perf critical (only if packet tracing is on) */
-static inline bool unconditional(const struct ip6t_ip6 *ipv6)
-{
- static const struct ip6t_ip6 uncond;
-
- return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
-}
-
-static inline const struct ip6t_entry_target *
-ip6t_get_target_c(const struct ip6t_entry *e)
-{
- return ip6t_get_target((struct ip6t_entry *)e);
-}
-
-static inline __pure struct ip6t_entry *
-ip6t_next_entry(const struct ip6t_entry *entry)
-{
- return (void *)entry + entry->next_offset;
-}
-
-/* Returns one of the generic firewall policies, like NF_ACCEPT. */
-unsigned int
-ip6t_do_table(struct sk_buff *skb,
- unsigned int hook,
- const struct net_device *in,
- const struct net_device *out,
- struct xt_table *table)
-{
- /* Initializing verdict to NF_DROP keeps gcc happy. */
- unsigned int verdict = NF_DROP;
- const void *table_base;
- struct ip6t_entry *e, **jumpstack;
- unsigned int *stackptr, origptr, cpu;
- const struct xt_table_info *private;
- struct xt_action_param acpar;
-
- /* We handle fragments by dealing with the first fragment as
- * if it was a normal packet. All other fragments are treated
- * normally, except that they will NEVER match rules that ask
- * things we don't know, ie. tcp syn flag or ports). If the
- * rule is also a fragment-specific rule, non-fragments won't
- * match it. */
- acpar.hotdrop = false;
- acpar.in = in;
- acpar.out = out;
- acpar.family = NFPROTO_IPV6;
- acpar.hooknum = hook;
-
- IP_NF_ASSERT(table->valid_hooks & (1 << hook));
-
- xt_info_rdlock_bh();
- private = table->private;
- cpu = smp_processor_id();
- table_base = private->entries[cpu];
- jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
- stackptr = &private->stackptr[cpu];
- origptr = *stackptr;
-
- e = get_entry(table_base, private->hook_entry[hook]);
-
- do {
- const struct ip6t_entry_target *t;
- const struct xt_entry_match *ematch;
-
- IP_NF_ASSERT(e);
- acpar.match = &ip6t_builtin_mt[0];
- acpar.matchinfo = &e->ipv6;
- if (!ip6_packet_match(skb, &acpar)) {
- no_match:
- e = ip6t_next_entry(e);
- continue;
- }
-
- xt_ematch_foreach(ematch, e) {
- acpar.match = ematch->u.kernel.match;
- acpar.matchinfo = ematch->data;
- if (!acpar.match->match(skb, &acpar))
- goto no_match;
- }
-
- ADD_COUNTER(e->counters,
- ntohs(ipv6_hdr(skb)->payload_len) +
- sizeof(struct ipv6hdr), 1);
-
- t = ip6t_get_target_c(e);
- IP_NF_ASSERT(t->u.kernel.target);
-
- /* Standard target? */
- if (!t->u.kernel.target->target) {
- int v;
-
- v = ((struct ip6t_standard_target *)t)->verdict;
- if (v < 0) {
- /* Pop from stack? */
- if (v != IP6T_RETURN) {
- verdict = (unsigned)(-v) - 1;
- break;
- }
- if (*stackptr == 0)
- e = get_entry(table_base,
- private->underflow[hook]);
- else
- e = ip6t_next_entry(jumpstack[--*stackptr]);
- continue;
- }
- if (table_base + v != ip6t_next_entry(e)
- && !(e->ipv6.flags & IP6T_F_GOTO)) {
- if (*stackptr >= private->stacksize) {
- verdict = NF_DROP;
- break;
- }
- jumpstack[(*stackptr)++] = e;
- }
-
- e = get_entry(table_base, v);
- continue;
- }
-
- /* Targets which reenter must return
- abs. verdicts */
- acpar.target = t->u.kernel.target;
- acpar.targinfo = t->data;
-
- verdict = t->u.kernel.target->target(skb, &acpar);
- if (verdict == IP6T_CONTINUE)
- e = ip6t_next_entry(e);
- else
- /* Verdict */
- break;
- } while (!acpar.hotdrop);
-
- xt_info_rdunlock_bh();
- *stackptr = origptr;
-
-#ifdef DEBUG_ALLOW_ALL
- return NF_ACCEPT;
-#else
- if (acpar.hotdrop)
- return NF_DROP;
- else return verdict;
-#endif
-}
-
static const struct xt1_xlat_info ip6t_compat_xlat_info = {
#ifdef CONFIG_COMPAT
.marker_size = COMPAT_XT_ALIGN(sizeof(struct ip6t_error_target)),
@@ -812,9 +596,6 @@ static int __init ip6_tables_init(void)
goto err1;
/* Noone else will be downing sem now, so we won't sleep */
- ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
- if (ret < 0)
- goto err2;
ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
if (ret < 0)
goto err4;
@@ -830,8 +611,6 @@ static int __init ip6_tables_init(void)
err5:
xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
err4:
- xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
-err2:
unregister_pernet_subsys(&ip6_tables_net_ops);
err1:
return ret;
@@ -842,7 +621,6 @@ static void __exit ip6_tables_fini(void)
nf_unregister_sockopt(&ip6t_sockopts);
xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
- xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
unregister_pernet_subsys(&ip6_tables_net_ops);
}
@@ -936,7 +714,6 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
return nexthdr;
}
-EXPORT_SYMBOL(ip6t_do_table);
EXPORT_SYMBOL(ip6t_ext_hdr);
EXPORT_SYMBOL(ipv6_find_hdr);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 090/103] netfilter: iptables: include xt1_perproto code in ip_tables
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (88 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 089/103] netfilter: ip6tables: remove remaining xt1 code Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 091/103] netfilter: iptables: switch to xt2 tables Jan Engelhardt
` (14 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter_ipv4/ip_tables.h | 15 ++++++++++++
net/ipv4/netfilter/Kconfig | 1 +
net/ipv4/netfilter/ip_tables.c | 35 +++++++++++++++++++----------
net/netfilter/xt1_translat.c | 35 +++++++++++++++++++++++++----
4 files changed, 69 insertions(+), 17 deletions(-)
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index f50c06f..ab81dbe 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -251,6 +251,9 @@ extern struct xt_table *ipt_register_table(struct net *net,
const struct ipt_replace *repl);
extern void ipt_unregister_table(struct xt_table *table);
+extern struct xt2_table *ipt2_register_table(struct net *,
+ const struct xt_table *, const struct ipt_replace *);
+
/* Standard entry. */
struct ipt_standard
{
@@ -314,6 +317,18 @@ struct compat_ipt_entry
unsigned char elems[0];
};
+struct compat_ipt_replace {
+ char name[IPT_TABLE_MAXNAMELEN];
+ u32 valid_hooks;
+ u32 num_entries;
+ u32 size;
+ u32 hook_entry[NF_INET_NUMHOOKS];
+ u32 underflow[NF_INET_NUMHOOKS];
+ u32 num_counters;
+ compat_uptr_t counters; /* struct ipt_counters * */
+ struct compat_ipt_entry entries[0];
+};
+
/* Helper functions */
static inline struct ipt_entry_target *
compat_ipt_get_target(struct compat_ipt_entry *e)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1833bdb..b960bbd 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -53,6 +53,7 @@ config IP_NF_IPTABLES
tristate "IP tables support (required for filtering/masq/NAT)"
default m if NETFILTER_ADVANCED=n
select NETFILTER_XTABLES
+ select NETFILTER_XT1_SUPPORT
help
iptables is a general, extensible packet identification framework.
The packet filtering and full NAT (masquerading, port forwarding,
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index f409fcd..7b7f1c3 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -66,6 +66,29 @@ do { \
#define inline
#endif
+#define xtsub_entry ipt_entry
+#define xtsub_entry_nocompat ipt_entry
+#define xtsub_replace ipt_replace
+#define xtsub_error_target ipt_error_target
+#define XTSUB_NFPROTO NFPROTO_IPV4
+#define XTSUB_NFPROTO_IPV4 1
+#define XTSUB(x) ipt_ ## x
+#define XTSUB2(x) ipt2_ ## x
+
+#include "../../netfilter/xt1_translat.c"
+#include "../../netfilter/xt1_postshared.c"
+#undef XTSUB2
+#undef xtsub_entry
+#undef xtsub_replace
+
+#ifdef CONFIG_COMPAT
+#define XTSUB_DO_COMPAT
+#define xtsub_entry compat_ipt_entry
+#define xtsub_replace compat_ipt_replace
+#define XTSUB2(x) ipt2_compat_ ## x
+#include "../../netfilter/xt1_translat.c"
+#endif
+
/*
We keep a set of rules for each CPU, so we can avoid write-locking
them in the softirq when updating the counters and therefore
@@ -1478,18 +1501,6 @@ do_add_counters(struct net *net, const void __user *user,
}
#ifdef CONFIG_COMPAT
-struct compat_ipt_replace {
- char name[IPT_TABLE_MAXNAMELEN];
- u32 valid_hooks;
- u32 num_entries;
- u32 size;
- u32 hook_entry[NF_INET_NUMHOOKS];
- u32 underflow[NF_INET_NUMHOOKS];
- u32 num_counters;
- compat_uptr_t counters; /* struct ipt_counters * */
- struct compat_ipt_entry entries[0];
-};
-
static int
compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
unsigned int *size, struct xt_counters *counters,
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index 994fcc5..d45e674 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -12,8 +12,9 @@
#include <linux/slab.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_quota.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
-#if !defined(XTSUB_NFPROTO_IPV6)
+#if !defined(XTSUB_NFPROTO_IPV4) && !defined(XTSUB_NFPROTO_IPV6)
# error Need to define XTSUB_NFPROTO_xxx.
#endif
#ifdef XTSUB_DO_COMPAT
@@ -28,7 +29,14 @@
# define xtsub_target_to_xt1 xts_target_to_xt1
#endif
-#ifdef XTSUB_NFPROTO_IPV6
+#ifdef XTSUB_NFPROTO_IPV4
+static const struct ipt_ip xtsub_uncond;
+
+static inline bool XTSUB2(unconditional)(const struct xtsub_entry *e)
+{
+ return memcmp(&e->ip, &xtsub_uncond, sizeof(xtsub_uncond)) == 0;
+}
+#elif defined(XTSUB_NFPROTO_IPV6)
static const struct ip6t_ip6 xtsub_uncond;
static inline bool XTSUB2(unconditional)(const struct xtsub_entry *e)
@@ -147,7 +155,14 @@ XTSUB2(target_to_xt2)(struct xt2_rule *rule, const struct xtsub_entry *entry,
} else if (st->verdict == entry_offset + entry->next_offset) {
ntarget->ext = XT2_FINAL_VERDICT;
ntarget->verdict = XT_CONTINUE;
-#ifdef XTSUB_NFPROTO_IPV6
+#if defined(XTSUB_NFPROTO_IPV4)
+ } else if (entry->ip.flags & IPT_F_GOTO) {
+ ntarget->ext = XT2_ACTION_GOTO;
+ ntarget->r_goto = xts_lookup_chain(rule->chain->table,
+ st->verdict);
+ if (ntarget->r_goto == rule->chain)
+ return -ELOOP;
+#elif defined(XTSUB_NFPROTO_IPV6)
} else if (entry->ipv6.flags & IP6T_F_GOTO) {
ntarget->ext = XT2_ACTION_GOTO;
ntarget->r_goto = xts_lookup_chain(rule->chain->table,
@@ -187,7 +202,13 @@ XTSUB2(rule_to_xt2)(struct xt2_chain *chain, const struct xtsub_entry *entry,
return ERR_PTR(-ENOMEM);
rule->chain->comefrom = entry->comefrom;
-#ifdef XTSUB_NFPROTO_IPV6
+#if defined(XTSUB_NFPROTO_IPV4)
+ rule->l4proto = entry->ip.proto;
+ if (entry->ip.flags & IPT_INV_PROTO)
+ rule->flags |= XT2_INV_L4PROTO;
+ ret = xt2_rule_add_match(rule, "ipv4", 0, &entry->ip,
+ sizeof(entry->ip), false);
+#elif defined(XTSUB_NFPROTO_IPV6)
rule->l4proto = entry->ipv6.proto;
if (entry->ipv6.flags & IP6T_INV_PROTO)
rule->flags |= XT2_INV_L4PROTO;
@@ -465,7 +486,11 @@ XTSUB2(rule_to_xt1)(void __user **user_ptr, int *len, unsigned int *z,
z_start = *z;
ematch = list_first_entry(&rule->match_list,
typeof(*ematch), anchor);
-#ifdef XTSUB_NFPROTO_IPV6
+#if defined(XTSUB_NFPROTO_IPV4)
+ if (strcmp(ematch->ext->name, "ipv4") != 0)
+ return -EIO;
+ memcpy(&entry.ip, ematch->data, sizeof(entry.ip));
+#elif defined(XTSUB_NFPROTO_IPV6)
if (strcmp(ematch->ext->name, "ipv6") != 0)
return -EIO;
memcpy(&entry.ipv6, ematch->data, sizeof(entry.ipv6));
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 091/103] netfilter: iptables: switch to xt2 tables
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (89 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 090/103] netfilter: iptables: include xt1_perproto code in ip_tables Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 092/103] netfilter: iptables: remove unused functions Jan Engelhardt
` (13 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/net/netns/x_tables.h | 3 +
net/ipv4/netfilter/ip_tables.c | 201 ++++++++++++---------------------
net/ipv4/netfilter/iptable_filter.c | 21 +++-
net/ipv4/netfilter/iptable_mangle.c | 29 ++++--
net/ipv4/netfilter/iptable_raw.c | 21 +++-
net/ipv4/netfilter/iptable_security.c | 22 +++-
net/ipv4/netfilter/nf_nat_rule.c | 18 ++-
7 files changed, 154 insertions(+), 161 deletions(-)
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index 5e38fcd..68b0b4f 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -17,6 +17,9 @@ struct netns_xt2 {
struct mutex table_lock;
struct list_head table_list[NFPROTO_NUMPROTO];
struct xt2_table_link
+ *ipv4_filter, *ipv4_mangle, *ipv4_raw, *ipv4_security,
+ *ipv4_nat;
+ struct xt2_table_link
*ipv6_filter, *ipv6_mangle, *ipv6_raw, *ipv6_security;
};
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 7b7f1c3..6a45da8 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1191,11 +1191,51 @@ static int compat_table_info(const struct xt_table_info *info,
}
#endif
+static const struct xt1_xlat_info ipt_compat_xlat_info = {
+#ifdef CONFIG_COMPAT
+ .marker_size = XT_ALIGN(sizeof(struct ipt_error_target)),
+ .entry_hdr_size = sizeof(struct compat_ipt_entry),
+ .pmatch_size = sizeof(struct ipt_ip),
+ .first_match = "ipv4",
+ .ematch_size = sizeof(struct xt_entry_match),
+ .etarget_size = sizeof(struct xt_entry_target),
+ .standard_tgsize = COMPAT_XT_ALIGN(sizeof(struct xt_entry_target) +
+ sizeof(compat_uint_t)),
+ .compat = true,
+#endif
+};
+
+static const struct xt1_xlat_info ipt_xlat_info = {
+ .marker_size = XT_ALIGN(sizeof(struct ipt_error_target)),
+ .entry_hdr_size = sizeof(struct ipt_entry),
+ .pmatch_size = sizeof(struct ipt_ip),
+ .first_match = "ipv4",
+ .ematch_size = sizeof(struct xt_entry_match),
+ .etarget_size = sizeof(struct xt_entry_target),
+ .standard_tgsize = XT_ALIGN(sizeof(struct xt_entry_target) +
+ sizeof(int)),
+};
+
+static int ipt2_get_info(void __user *uptr, int len,
+ struct xt2_table *table, bool compat)
+{
+ struct ipt_getinfo info = {
+ .valid_hooks = table->valid_hooks,
+ };
+
+ strncpy(info.name, table->name,
+ min(sizeof(info.name), sizeof(table->name)));
+ info.size = xts_blob_prep_table(table,
+ compat ? &ipt_compat_xlat_info : &ipt_xlat_info,
+ info.hook_entry, info.underflow, &info.num_entries);
+ return (copy_to_user(uptr, &info, sizeof(info)) != 0) ? -EFAULT : 0;
+}
+
static int get_info(struct net *net, void __user *user,
const int *len, int compat)
{
char name[IPT_TABLE_MAXNAMELEN];
- struct xt_table *t;
+ struct xt2_table *table;
int ret;
if (*len != sizeof(struct ipt_getinfo)) {
@@ -1208,46 +1248,13 @@ static int get_info(struct net *net, void __user *user,
return -EFAULT;
name[IPT_TABLE_MAXNAMELEN-1] = '\0';
-#ifdef CONFIG_COMPAT
- if (compat)
- xt_compat_lock(AF_INET);
-#endif
- t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
- "iptable_%s", name);
- if (t && !IS_ERR(t)) {
- struct ipt_getinfo info;
- const struct xt_table_info *private = t->private;
-
-#ifdef CONFIG_COMPAT
- if (compat) {
- struct xt_table_info tmp;
- ret = compat_table_info(private, &tmp);
- xt_compat_flush_offsets(AF_INET);
- private = &tmp;
- }
-#endif
- info.valid_hooks = t->valid_hooks;
- memcpy(info.hook_entry, private->hook_entry,
- sizeof(info.hook_entry));
- memcpy(info.underflow, private->underflow,
- sizeof(info.underflow));
- info.num_entries = private->number;
- info.size = private->size;
- strcpy(info.name, name);
-
- if (copy_to_user(user, &info, *len) != 0)
- ret = -EFAULT;
- else
- ret = 0;
-
- xt_table_unlock(t);
- module_put(t->me);
- } else
- ret = t ? PTR_ERR(t) : -ENOENT;
-#ifdef CONFIG_COMPAT
- if (compat)
- xt_compat_unlock(AF_INET);
-#endif
+ table = try_then_request_module(
+ xt2_table_lookup(net, name, NFPROTO_IPV4, XT2_TAKE_RCULOCK),
+ "iptable_%s", name);
+ if (table == NULL)
+ return -ENOENT;
+ ret = ipt2_get_info(user, *len, table, compat);
+ rcu_read_unlock();
return ret;
}
@@ -1257,7 +1264,7 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr,
{
int ret;
struct ipt_get_entries get;
- struct xt_table *t;
+ struct xt2_table *table;
if (*len < sizeof(get)) {
duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
@@ -1271,23 +1278,13 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr,
return -EINVAL;
}
- t = xt_find_table_lock(net, AF_INET, get.name);
- if (t && !IS_ERR(t)) {
- const struct xt_table_info *private = t->private;
- duprintf("t->private->number = %u\n", private->number);
- if (get.size == private->size)
- ret = copy_entries_to_user(private->size,
- t, uptr->entrytable);
- else {
- duprintf("get_entries: I've got %u not %u!\n",
- private->size, get.size);
- ret = -EAGAIN;
- }
- module_put(t->me);
- xt_table_unlock(t);
- } else
- ret = t ? PTR_ERR(t) : -ENOENT;
-
+ table = xt2_table_lookup(net, get.name, NFPROTO_IPV4,
+ XT2_TAKE_RCULOCK);
+ if (table == NULL)
+ return -ENOENT;
+ ret = ipt2_table_to_xt1(uptr->entrytable, get.size,
+ table, &ipt_xlat_info);
+ rcu_read_unlock();
return ret;
}
@@ -1416,18 +1413,13 @@ static int
do_add_counters(struct net *net, const void __user *user,
unsigned int len, int compat)
{
- unsigned int i, curcpu;
struct xt_counters_info tmp;
- struct xt_counters *paddc;
unsigned int num_counters;
const char *name;
int size;
void *ptmp;
- struct xt_table *t;
- const struct xt_table_info *private;
int ret = 0;
- void *loc_cpu_entry;
- struct ipt_entry *iter;
+ struct xt2_table *table;
#ifdef CONFIG_COMPAT
struct compat_xt_counters_info compat_tmp;
@@ -1458,45 +1450,11 @@ do_add_counters(struct net *net, const void __user *user,
if (len != size + num_counters * sizeof(struct xt_counters))
return -EINVAL;
- paddc = vmalloc_node(len - size, numa_node_id());
- if (!paddc)
- return -ENOMEM;
-
- if (copy_from_user(paddc, user + size, len - size) != 0) {
- ret = -EFAULT;
- goto free;
- }
-
- t = xt_find_table_lock(net, AF_INET, name);
- if (!t || IS_ERR(t)) {
- ret = t ? PTR_ERR(t) : -ENOENT;
- goto free;
- }
-
- local_bh_disable();
- private = t->private;
- if (private->number != num_counters) {
- ret = -EINVAL;
- goto unlock_up_free;
- }
-
- i = 0;
- /* Choose the copy that is on our node */
- curcpu = smp_processor_id();
- loc_cpu_entry = private->entries[curcpu];
- xt_info_wrlock(curcpu);
- xt_entry_foreach(iter, loc_cpu_entry, private->size) {
- ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
- ++i;
- }
- xt_info_wrunlock(curcpu);
- unlock_up_free:
- local_bh_enable();
- xt_table_unlock(t);
- module_put(t->me);
- free:
- vfree(paddc);
-
+ table = xt2_table_lookup(net, name, NFPROTO_IPV4, XT2_TAKE_RCULOCK);
+ if (table == NULL)
+ return -ENOENT;
+ ret = xts_get_counters(table, user + size, num_counters);
+ rcu_read_unlock();
return ret;
}
@@ -1957,7 +1915,7 @@ compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
switch (cmd) {
case IPT_SO_SET_REPLACE:
- ret = compat_do_replace(sock_net(sk), user, len);
+ ret = ipt2_compat_do_replace(sock_net(sk), user, len);
break;
case IPT_SO_SET_ADD_COUNTERS:
@@ -2019,7 +1977,7 @@ compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
{
int ret;
struct compat_ipt_get_entries get;
- struct xt_table *t;
+ struct xt2_table *table;
if (*len < sizeof(get)) {
duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
@@ -2035,28 +1993,13 @@ compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
return -EINVAL;
}
- xt_compat_lock(AF_INET);
- t = xt_find_table_lock(net, AF_INET, get.name);
- if (t && !IS_ERR(t)) {
- const struct xt_table_info *private = t->private;
- struct xt_table_info info;
- duprintf("t->private->number = %u\n", private->number);
- ret = compat_table_info(private, &info);
- if (!ret && get.size == info.size) {
- ret = compat_copy_entries_to_user(private->size,
- t, uptr->entrytable);
- } else if (!ret) {
- duprintf("compat_get_entries: I've got %u not %u!\n",
- private->size, get.size);
- ret = -EAGAIN;
- }
- xt_compat_flush_offsets(AF_INET);
- module_put(t->me);
- xt_table_unlock(t);
- } else
- ret = t ? PTR_ERR(t) : -ENOENT;
-
- xt_compat_unlock(AF_INET);
+ table = xt2_table_lookup(net, get.name, NFPROTO_IPV4,
+ XT2_TAKE_RCULOCK);
+ if (table == NULL)
+ return -ENOENT;
+ ret = ipt2_compat_table_to_xt1(uptr->entrytable, get.size,
+ table, &ipt_compat_xlat_info);
+ rcu_read_unlock();
return ret;
}
@@ -2094,7 +2037,7 @@ do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
switch (cmd) {
case IPT_SO_SET_REPLACE:
- ret = do_replace(sock_net(sk), user, len);
+ ret = ipt2_do_replace(sock_net(sk), user, len);
break;
case IPT_SO_SET_ADD_COUNTERS:
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 962d6f5..d79474d 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -12,6 +12,7 @@
#include <linux/module.h>
#include <linux/moduleparam.h>
+#include <linux/rcupdate.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <net/ip.h>
@@ -38,7 +39,9 @@ iptable_filter_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
+ const struct xt2_table_link *link;
const struct net *net;
+ unsigned int verdict;
if (hook == NF_INET_LOCAL_OUT)
/* root is playing with raw sockets. */
@@ -47,7 +50,11 @@ iptable_filter_hook(unsigned int hook,
return NF_ACCEPT;
net = dev_net((in != NULL) ? in : out);
- return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv4_filter);
+ verdict = xt2_do_table(skb, hook, in, out, link->table);
+ rcu_read_unlock();
+ return verdict;
}
/* Default to forward because I got too much mail already. */
@@ -57,6 +64,7 @@ module_param(forward, bool, 0000);
static int __net_init iptable_filter_net_init(struct net *net)
{
struct ipt_replace *repl = xt_repldata_create(&packet_filter);
+ struct xt2_table *table;
if (repl == NULL)
return -ENOMEM;
@@ -64,17 +72,18 @@ static int __net_init iptable_filter_net_init(struct net *net)
((struct ipt_standard *)repl->entries)[1].target.verdict =
-forward - 1;
- net->ipv4.iptable_filter =
- ipt_register_table(net, &packet_filter, repl);
+ table = ipt2_register_table(net, &packet_filter, repl);
kfree(repl);
- if (IS_ERR(net->ipv4.iptable_filter))
- return PTR_ERR(net->ipv4.iptable_filter);
+ if (IS_ERR(table))
+ return PTR_ERR(table);
+ net->xt2.ipv4_filter = xt2_tlink_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK);
return 0;
}
static void __net_exit iptable_filter_net_exit(struct net *net)
{
- ipt_unregister_table(net->ipv4.iptable_filter);
+ xt2_table_destroy(net, net->xt2.ipv4_filter->table);
}
static struct pernet_operations iptable_filter_net_ops = {
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 8434f57..5a931c9 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -11,6 +11,7 @@
#include <linux/module.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netdevice.h>
+#include <linux/rcupdate.h>
#include <linux/skbuff.h>
#include <net/sock.h>
#include <net/route.h>
@@ -40,6 +41,7 @@ static unsigned int
iptable_mangle_out_hook(struct sk_buff *skb, const struct net_device *out,
const struct net *net)
{
+ const struct xt2_table_link *link;
unsigned int ret;
const struct iphdr *iph;
u_int8_t tos;
@@ -58,8 +60,11 @@ iptable_mangle_out_hook(struct sk_buff *skb, const struct net_device *out,
daddr = iph->daddr;
tos = iph->tos;
- ret = ipt_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
- net->ipv4.iptable_mangle);
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv4_mangle);
+ ret = xt2_do_table(skb, NF_INET_LOCAL_OUT, NULL, out, link->table);
+ rcu_read_unlock();
+
/* Reroute for ANY change. */
if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE) {
iph = ip_hdr(skb);
@@ -82,30 +87,38 @@ iptable_mangle_hook(unsigned int hook, struct sk_buff *skb,
int (*okfn)(struct sk_buff *))
{
const struct net *net = dev_net((in != NULL) ? in : out);
+ const struct xt2_table_link *link;
+ unsigned int verdict;
if (hook == NF_INET_LOCAL_OUT)
return iptable_mangle_out_hook(skb, out, net);
- return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_mangle);
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv4_mangle);
+ verdict = xt2_do_table(skb, hook, in, out, link->table);
+ rcu_read_unlock();
+ return verdict;
}
static int __net_init iptable_mangle_net_init(struct net *net)
{
struct ipt_replace *repl = xt_repldata_create(&packet_mangler);
+ struct xt2_table *table;
if (repl == NULL)
return -ENOMEM;
- net->ipv4.iptable_mangle =
- ipt_register_table(net, &packet_mangler, repl);
+ table = ipt2_register_table(net, &packet_mangler, repl);
kfree(repl);
- if (IS_ERR(net->ipv4.iptable_mangle))
- return PTR_ERR(net->ipv4.iptable_mangle);
+ if (IS_ERR(table))
+ return PTR_ERR(table);
+ net->xt2.ipv4_mangle = xt2_tlink_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK);
return 0;
}
static void __net_exit iptable_mangle_net_exit(struct net *net)
{
- ipt_unregister_table(net->ipv4.iptable_mangle);
+ xt2_table_destroy(net, net->xt2.ipv4_mangle->table);
}
static struct pernet_operations iptable_mangle_net_ops = {
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 243329c..757da0f 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -4,6 +4,7 @@
* Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*/
#include <linux/module.h>
+#include <linux/rcupdate.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <net/ip.h>
@@ -25,7 +26,9 @@ iptable_raw_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
+ const struct xt2_table_link *link;
const struct net *net;
+ unsigned int verdict;
if (hook == NF_INET_LOCAL_OUT)
/* root is playing with raw sockets. */
@@ -34,26 +37,32 @@ iptable_raw_hook(unsigned int hook,
return NF_ACCEPT;
net = dev_net((in != NULL) ? in : out);
- return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw);
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv4_raw);
+ verdict = xt2_do_table(skb, hook, in, out, link->table);
+ rcu_read_unlock();
+ return verdict;
}
static int __net_init iptable_raw_net_init(struct net *net)
{
struct ipt_replace *repl = xt_repldata_create(&packet_raw);
+ struct xt2_table *table;
if (repl == NULL)
return -ENOMEM;
- net->ipv4.iptable_raw =
- ipt_register_table(net, &packet_raw, repl);
+ table = ipt2_register_table(net, &packet_raw, repl);
kfree(repl);
- if (IS_ERR(net->ipv4.iptable_raw))
- return PTR_ERR(net->ipv4.iptable_raw);
+ if (IS_ERR(table))
+ return PTR_ERR(table);
+ net->xt2.ipv4_raw = xt2_tlink_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK);
return 0;
}
static void __net_exit iptable_raw_net_exit(struct net *net)
{
- ipt_unregister_table(net->ipv4.iptable_raw);
+ xt2_table_destroy(net, net->xt2.ipv4_raw->table);
}
static struct pernet_operations iptable_raw_net_ops = {
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index d2aed39..a999c8a 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -16,6 +16,7 @@
* published by the Free Software Foundation.
*/
#include <linux/module.h>
+#include <linux/rcupdate.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <net/ip.h>
@@ -42,7 +43,9 @@ iptable_security_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
+ const struct xt2_table_link *link;
const struct net *net;
+ unsigned int verdict;
if (hook == NF_INET_LOCAL_OUT)
/* Somebody is playing with raw sockets. */
@@ -51,27 +54,32 @@ iptable_security_hook(unsigned int hook,
return NF_ACCEPT;
net = dev_net((in != NULL) ? in : out);
- return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security);
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv4_security);
+ verdict = xt2_do_table(skb, hook, in, out, link->table);
+ rcu_read_unlock();
+ return verdict;
}
static int __net_init iptable_security_net_init(struct net *net)
{
struct ipt_replace *repl = xt_repldata_create(&security_table);
+ struct xt2_table *table;
if (repl == NULL)
return -ENOMEM;
- net->ipv4.iptable_security =
- ipt_register_table(net, &security_table, repl);
+ table = ipt2_register_table(net, &security_table, repl);
kfree(repl);
- if (IS_ERR(net->ipv4.iptable_security))
- return PTR_ERR(net->ipv4.iptable_security);
-
+ if (IS_ERR(table))
+ return PTR_ERR(table);
+ net->xt2.ipv4_security = xt2_tlink_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK);
return 0;
}
static void __net_exit iptable_security_net_exit(struct net *net)
{
- ipt_unregister_table(net->ipv4.iptable_security);
+ xt2_table_destroy(net, net->xt2.ipv4_security->table);
}
static struct pernet_operations iptable_security_net_ops = {
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 8b44f1a..db1f1c0 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -13,6 +13,7 @@
#include <linux/netfilter_ipv4.h>
#include <linux/module.h>
#include <linux/kmod.h>
+#include <linux/rcupdate.h>
#include <linux/skbuff.h>
#include <linux/proc_fs.h>
#include <net/checksum.h>
@@ -121,10 +122,14 @@ int nf_nat_rule_find(struct sk_buff *skb,
const struct net_device *out,
struct nf_conn *ct)
{
+ const struct xt2_table_link *link;
struct net *net = nf_ct_net(ct);
int ret;
- ret = ipt_do_table(skb, hooknum, in, out, net->ipv4.nat_table);
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.ipv4_nat);
+ ret = xt2_do_table(skb, hooknum, in, out, link->table);
+ rcu_read_unlock();
if (ret == NF_ACCEPT) {
if (!nf_nat_initialized(ct, HOOK2MANIP(hooknum)))
@@ -157,19 +162,22 @@ static struct xt_target ipt_dnat_reg __read_mostly = {
static int __net_init nf_nat_rule_net_init(struct net *net)
{
struct ipt_replace *repl = xt_repldata_create(&nat_table);
+ struct xt2_table *table;
if (repl == NULL)
return -ENOMEM;
- net->ipv4.nat_table = ipt_register_table(net, &nat_table, repl);
+ table = ipt2_register_table(net, &nat_table, repl);
kfree(repl);
- if (IS_ERR(net->ipv4.nat_table))
- return PTR_ERR(net->ipv4.nat_table);
+ if (IS_ERR(table))
+ return PTR_ERR(table);
+ net->xt2.ipv4_nat = xt2_tlink_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK);
return 0;
}
static void __net_exit nf_nat_rule_net_exit(struct net *net)
{
- ipt_unregister_table(net->ipv4.nat_table);
+ xt2_table_destroy(net, net->xt2.ipv4_nat->table);
}
static struct pernet_operations nf_nat_rule_net_ops = {
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 092/103] netfilter: iptables: remove unused functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (90 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 091/103] netfilter: iptables: switch to xt2 tables Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 093/103] netfilter: iptables: remove xt1/ipv4 registration functions Jan Engelhardt
` (12 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/ip_tables.c | 792 ----------------------------------------
1 files changed, 0 insertions(+), 792 deletions(-)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 6a45da8..3c98c7d 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1000,197 +1000,6 @@ translate_table(struct xt_table_info *newinfo, void *entry0,
return ret;
}
-static void
-get_counters(const struct xt_table_info *t,
- struct xt_counters counters[])
-{
- struct ipt_entry *iter;
- unsigned int cpu;
- unsigned int i;
- unsigned int curcpu;
-
- /* Instead of clearing (by a previous call to memset())
- * the counters and using adds, we set the counters
- * with data used by 'current' CPU.
- *
- * Bottom half has to be disabled to prevent deadlock
- * if new softirq were to run and call ipt_do_table
- */
- local_bh_disable();
- curcpu = smp_processor_id();
-
- i = 0;
- xt_entry_foreach(iter, t->entries[curcpu], t->size) {
- SET_COUNTER(counters[i], iter->counters.bcnt,
- iter->counters.pcnt);
- ++i;
- }
-
- for_each_possible_cpu(cpu) {
- if (cpu == curcpu)
- continue;
- i = 0;
- xt_info_wrlock(cpu);
- xt_entry_foreach(iter, t->entries[cpu], t->size) {
- ADD_COUNTER(counters[i], iter->counters.bcnt,
- iter->counters.pcnt);
- ++i; /* macro does multi eval of i */
- }
- xt_info_wrunlock(cpu);
- }
- local_bh_enable();
-}
-
-static struct xt_counters *alloc_counters(const struct xt_table *table)
-{
- unsigned int countersize;
- struct xt_counters *counters;
- const struct xt_table_info *private = table->private;
-
- /* We need atomic snapshot of counters: rest doesn't change
- (other than comefrom, which userspace doesn't care
- about). */
- countersize = sizeof(struct xt_counters) * private->number;
- counters = vmalloc_node(countersize, numa_node_id());
-
- if (counters == NULL)
- return ERR_PTR(-ENOMEM);
-
- get_counters(private, counters);
-
- return counters;
-}
-
-static int
-copy_entries_to_user(unsigned int total_size,
- const struct xt_table *table,
- void __user *userptr)
-{
- unsigned int off, num;
- const struct ipt_entry *e;
- struct xt_counters *counters;
- const struct xt_table_info *private = table->private;
- int ret = 0;
- const void *loc_cpu_entry;
-
- counters = alloc_counters(table);
- if (IS_ERR(counters))
- return PTR_ERR(counters);
-
- /* choose the copy that is on our node/cpu, ...
- * This choice is lazy (because current thread is
- * allowed to migrate to another cpu)
- */
- loc_cpu_entry = private->entries[raw_smp_processor_id()];
- if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
- ret = -EFAULT;
- goto free_counters;
- }
-
- /* FIXME: use iterator macros --RR */
- /* ... then go back and fix counters and names */
- for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
- unsigned int i;
- const struct ipt_entry_match *m;
- const struct ipt_entry_target *t;
-
- e = (struct ipt_entry *)(loc_cpu_entry + off);
- if (copy_to_user(userptr + off
- + offsetof(struct ipt_entry, counters),
- &counters[num],
- sizeof(counters[num])) != 0) {
- ret = -EFAULT;
- goto free_counters;
- }
-
- for (i = sizeof(struct ipt_entry);
- i < e->target_offset;
- i += m->u.match_size) {
- m = (void *)e + i;
-
- if (copy_to_user(userptr + off + i
- + offsetof(struct ipt_entry_match,
- u.user.name),
- m->u.kernel.match->name,
- strlen(m->u.kernel.match->name)+1)
- != 0) {
- ret = -EFAULT;
- goto free_counters;
- }
- }
-
- t = ipt_get_target_c(e);
- if (copy_to_user(userptr + off + e->target_offset
- + offsetof(struct ipt_entry_target,
- u.user.name),
- t->u.kernel.target->name,
- strlen(t->u.kernel.target->name)+1) != 0) {
- ret = -EFAULT;
- goto free_counters;
- }
- }
-
- free_counters:
- vfree(counters);
- return ret;
-}
-
-#ifdef CONFIG_COMPAT
-static int compat_calc_entry(const struct ipt_entry *e,
- const struct xt_table_info *info,
- const void *base, struct xt_table_info *newinfo)
-{
- const struct xt_entry_match *ematch;
- const struct ipt_entry_target *t;
- unsigned int entry_offset;
- int off, i, ret;
-
- off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
- entry_offset = (void *)e - base;
- xt_ematch_foreach(ematch, e)
- off += xt_compat_match_offset(ematch->u.kernel.match);
-
- t = ipt_get_target_c(e);
- off += xt_compat_target_offset(t->u.kernel.target);
- newinfo->size -= off;
- ret = xt_compat_add_offset(AF_INET, entry_offset, off);
- if (ret)
- return ret;
-
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- if (info->hook_entry[i] &&
- (e < (struct ipt_entry *)(base + info->hook_entry[i])))
- newinfo->hook_entry[i] -= off;
- if (info->underflow[i] &&
- (e < (struct ipt_entry *)(base + info->underflow[i])))
- newinfo->underflow[i] -= off;
- }
- return 0;
-}
-
-static int compat_table_info(const struct xt_table_info *info,
- struct xt_table_info *newinfo)
-{
- struct ipt_entry *iter;
- void *loc_cpu_entry;
- int ret;
-
- if (!newinfo || !info)
- return -EINVAL;
-
- /* we dont care about newinfo->entries[] */
- memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
- newinfo->initial_entries = 0;
- loc_cpu_entry = info->entries[raw_smp_processor_id()];
- xt_entry_foreach(iter, loc_cpu_entry, info->size) {
- ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
- if (ret != 0)
- return ret;
- }
- return 0;
-}
-#endif
-
static const struct xt1_xlat_info ipt_compat_xlat_info = {
#ifdef CONFIG_COMPAT
.marker_size = XT_ALIGN(sizeof(struct ipt_error_target)),
@@ -1289,127 +1098,6 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr,
}
static int
-__do_replace(struct net *net, const char *name, unsigned int valid_hooks,
- struct xt_table_info *newinfo, unsigned int num_counters,
- void __user *counters_ptr)
-{
- int ret;
- struct xt_table *t;
- struct xt_table_info *oldinfo;
- struct xt_counters *counters;
- void *loc_cpu_old_entry;
- struct ipt_entry *iter;
-
- ret = 0;
- counters = vmalloc(num_counters * sizeof(struct xt_counters));
- if (!counters) {
- ret = -ENOMEM;
- goto out;
- }
-
- t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
- "iptable_%s", name);
- if (!t || IS_ERR(t)) {
- ret = t ? PTR_ERR(t) : -ENOENT;
- goto free_newinfo_counters_untrans;
- }
-
- /* You lied! */
- if (valid_hooks != t->valid_hooks) {
- duprintf("Valid hook crap: %08X vs %08X\n",
- valid_hooks, t->valid_hooks);
- ret = -EINVAL;
- goto put_module;
- }
-
- oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
- if (!oldinfo)
- goto put_module;
-
- /* Update module usage count based on number of rules */
- duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
- oldinfo->number, oldinfo->initial_entries, newinfo->number);
- if ((oldinfo->number > oldinfo->initial_entries) ||
- (newinfo->number <= oldinfo->initial_entries))
- module_put(t->me);
- if ((oldinfo->number > oldinfo->initial_entries) &&
- (newinfo->number <= oldinfo->initial_entries))
- module_put(t->me);
-
- /* Get the old counters, and synchronize with replace */
- get_counters(oldinfo, counters);
-
- /* Decrease module usage counts and free resource */
- loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
- xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
- cleanup_entry(iter);
-
- xt_free_table_info(oldinfo);
- if (copy_to_user(counters_ptr, counters,
- sizeof(struct xt_counters) * num_counters) != 0)
- ret = -EFAULT;
- vfree(counters);
- xt_table_unlock(t);
- return ret;
-
- put_module:
- module_put(t->me);
- xt_table_unlock(t);
- free_newinfo_counters_untrans:
- vfree(counters);
- out:
- return ret;
-}
-
-static int
-do_replace(struct net *net, const void __user *user, unsigned int len)
-{
- int ret;
- struct ipt_replace tmp;
- struct xt_table_info *newinfo;
- void *loc_cpu_entry;
- struct ipt_entry *iter;
-
- if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
- return -EFAULT;
-
- /* overflow check */
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-
- newinfo = xt_alloc_table_info(tmp.size);
- if (!newinfo)
- return -ENOMEM;
-
- /* choose the copy that is on our node/cpu */
- loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
- if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
- tmp.size) != 0) {
- ret = -EFAULT;
- goto free_newinfo;
- }
-
- ret = translate_table(newinfo, loc_cpu_entry, &tmp);
- if (ret != 0)
- goto free_newinfo;
-
- duprintf("ip_tables: Translated table\n");
-
- ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
- tmp.num_counters, tmp.counters);
- if (ret)
- goto free_newinfo_untrans;
- return 0;
-
- free_newinfo_untrans:
- xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- cleanup_entry(iter);
- free_newinfo:
- xt_free_table_info(newinfo);
- return ret;
-}
-
-static int
do_add_counters(struct net *net, const void __user *user,
unsigned int len, int compat)
{
@@ -1460,451 +1148,6 @@ do_add_counters(struct net *net, const void __user *user,
#ifdef CONFIG_COMPAT
static int
-compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
- unsigned int *size, struct xt_counters *counters,
- unsigned int i)
-{
- struct ipt_entry_target *t;
- struct compat_ipt_entry __user *ce;
- u_int16_t target_offset, next_offset;
- compat_uint_t origsize;
- const struct xt_entry_match *ematch;
- int ret = 0;
-
- origsize = *size;
- ce = (struct compat_ipt_entry __user *)*dstptr;
- if (copy_to_user(ce, e, sizeof(struct ipt_entry)) != 0 ||
- copy_to_user(&ce->counters, &counters[i],
- sizeof(counters[i])) != 0)
- return -EFAULT;
-
- *dstptr += sizeof(struct compat_ipt_entry);
- *size -= sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
-
- xt_ematch_foreach(ematch, e) {
- ret = xt_compat_match_to_user(ematch, dstptr, size);
- if (ret != 0)
- return ret;
- }
- target_offset = e->target_offset - (origsize - *size);
- t = ipt_get_target(e);
- ret = xt_compat_target_to_user(t, dstptr, size);
- if (ret)
- return ret;
- next_offset = e->next_offset - (origsize - *size);
- if (put_user(target_offset, &ce->target_offset) != 0 ||
- put_user(next_offset, &ce->next_offset) != 0)
- return -EFAULT;
- return 0;
-}
-
-static int
-compat_find_calc_match(struct ipt_entry_match *m,
- const char *name,
- const struct ipt_ip *ip,
- unsigned int hookmask,
- int *size)
-{
- struct xt_match *match;
-
- match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
- m->u.user.revision);
- if (IS_ERR(match)) {
- duprintf("compat_check_calc_match: `%s' not found\n",
- m->u.user.name);
- return PTR_ERR(match);
- }
- m->u.kernel.match = match;
- *size += xt_compat_match_offset(match);
- return 0;
-}
-
-static void compat_release_entry(struct compat_ipt_entry *e)
-{
- struct ipt_entry_target *t;
- struct xt_entry_match *ematch;
-
- /* Cleanup all matches */
- xt_ematch_foreach(ematch, e)
- module_put(ematch->u.kernel.match->me);
- t = compat_ipt_get_target(e);
- module_put(t->u.kernel.target->me);
-}
-
-static int
-check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
- struct xt_table_info *newinfo,
- unsigned int *size,
- const unsigned char *base,
- const unsigned char *limit,
- const unsigned int *hook_entries,
- const unsigned int *underflows,
- const char *name)
-{
- struct xt_entry_match *ematch;
- struct ipt_entry_target *t;
- struct xt_target *target;
- unsigned int entry_offset;
- unsigned int j;
- int ret, off, h;
- struct xt_mtchk_param mtpar;
-
- duprintf("check_compat_entry_size_and_hooks %p\n", e);
- if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
- || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
- duprintf("Bad offset %p, limit = %p\n", e, limit);
- return -EINVAL;
- }
-
- if (e->next_offset < sizeof(struct compat_ipt_entry) +
- sizeof(struct compat_xt_entry_target)) {
- duprintf("checking: element %p size %u\n",
- e, e->next_offset);
- return -EINVAL;
- }
-
- /* For purposes of check_entry casting the compat entry is fine */
- mtpar.table = name;
- mtpar.entryinfo = &e->ip;
- mtpar.hook_mask = e->comefrom;
- mtpar.family = NFPROTO_IPV4;
- mtpar.match = &ipt_builtin_mt[0]; /* ipv4 */
- mtpar.matchinfo = &e->ip;
- ret = check_entry((struct ipt_entry *)e, &mtpar);
- if (ret)
- return ret;
-
- off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
- entry_offset = (void *)e - (void *)base;
- j = 0;
- xt_ematch_foreach(ematch, e) {
- ret = compat_find_calc_match(ematch, name,
- &e->ip, e->comefrom, &off);
- if (ret != 0)
- goto release_matches;
- ++j;
- }
-
- t = compat_ipt_get_target(e);
- target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
- t->u.user.revision);
- if (IS_ERR(target)) {
- duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
- t->u.user.name);
- ret = PTR_ERR(target);
- goto release_matches;
- }
- t->u.kernel.target = target;
-
- off += xt_compat_target_offset(target);
- *size += off;
- ret = xt_compat_add_offset(AF_INET, entry_offset, off);
- if (ret)
- goto out;
-
- /* Check hooks & underflows */
- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
- if ((unsigned char *)e - base == hook_entries[h])
- newinfo->hook_entry[h] = hook_entries[h];
- if ((unsigned char *)e - base == underflows[h])
- newinfo->underflow[h] = underflows[h];
- }
-
- /* Clear counters and comefrom */
- memset(&e->counters, 0, sizeof(e->counters));
- e->comefrom = 0;
- return 0;
-
-out:
- module_put(t->u.kernel.target->me);
-release_matches:
- xt_ematch_foreach(ematch, e) {
- if (j-- == 0)
- break;
- module_put(ematch->u.kernel.match->me);
- }
- return ret;
-}
-
-static int
-compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
- unsigned int *size, const char *name,
- struct xt_table_info *newinfo, unsigned char *base)
-{
- struct ipt_entry_target *t;
- struct xt_target *target;
- struct ipt_entry *de;
- unsigned int origsize;
- int ret, h;
- struct xt_entry_match *ematch;
-
- ret = 0;
- origsize = *size;
- de = (struct ipt_entry *)*dstptr;
- memcpy(de, e, sizeof(struct ipt_entry));
- memcpy(&de->counters, &e->counters, sizeof(e->counters));
-
- *dstptr += sizeof(struct ipt_entry);
- *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
-
- xt_ematch_foreach(ematch, e) {
- ret = xt_compat_match_from_user(ematch, dstptr, size);
- if (ret != 0)
- return ret;
- }
- de->target_offset = e->target_offset - (origsize - *size);
- t = compat_ipt_get_target(e);
- target = t->u.kernel.target;
- xt_compat_target_from_user(t, dstptr, size);
-
- de->next_offset = e->next_offset - (origsize - *size);
- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
- if ((unsigned char *)de - base < newinfo->hook_entry[h])
- newinfo->hook_entry[h] -= origsize - *size;
- if ((unsigned char *)de - base < newinfo->underflow[h])
- newinfo->underflow[h] -= origsize - *size;
- }
- return ret;
-}
-
-static int
-compat_check_entry(struct ipt_entry *e, const char *name)
-{
- struct xt_entry_match *ematch;
- struct xt_mtchk_param mtpar;
- unsigned int j;
- int ret = 0;
-
- j = 0;
- mtpar.table = name;
- mtpar.entryinfo = &e->ip;
- mtpar.hook_mask = e->comefrom;
- mtpar.family = NFPROTO_IPV4;
- xt_ematch_foreach(ematch, e) {
- ret = check_match(ematch, &mtpar);
- if (ret != 0)
- goto cleanup_matches;
- ++j;
- }
-
- ret = check_target(e, name);
- if (ret)
- goto cleanup_matches;
- return 0;
-
- cleanup_matches:
- xt_ematch_foreach(ematch, e) {
- if (j-- == 0)
- break;
- cleanup_match(ematch);
- }
- return ret;
-}
-
-static int
-translate_compat_table(const char *name,
- unsigned int valid_hooks,
- struct xt_table_info **pinfo,
- void **pentry0,
- unsigned int total_size,
- unsigned int number,
- unsigned int *hook_entries,
- unsigned int *underflows)
-{
- unsigned int i, j;
- struct xt_table_info *newinfo, *info;
- void *pos, *entry0, *entry1;
- struct compat_ipt_entry *iter0;
- struct ipt_entry *iter1;
- unsigned int size;
- int ret;
-
- info = *pinfo;
- entry0 = *pentry0;
- size = total_size;
- info->number = number;
-
- /* Init all hooks to impossible value. */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- info->hook_entry[i] = 0xFFFFFFFF;
- info->underflow[i] = 0xFFFFFFFF;
- }
-
- duprintf("translate_compat_table: size %u\n", info->size);
- j = 0;
- xt_compat_lock(AF_INET);
- /* Walk through entries, checking offsets. */
- xt_entry_foreach(iter0, entry0, total_size) {
- ret = check_compat_entry_size_and_hooks(iter0, info, &size,
- entry0, entry0 + total_size, hook_entries, underflows,
- name);
- if (ret != 0)
- goto out_unlock;
- ++j;
- }
-
- ret = -EINVAL;
- if (j != number) {
- duprintf("translate_compat_table: %u not %u entries\n",
- j, number);
- goto out_unlock;
- }
-
- /* Check hooks all assigned */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- /* Only hooks which are valid */
- if (!(valid_hooks & (1 << i)))
- continue;
- if (info->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
- i, hook_entries[i]);
- goto out_unlock;
- }
- if (info->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
- i, underflows[i]);
- goto out_unlock;
- }
- }
-
- ret = -ENOMEM;
- newinfo = xt_alloc_table_info(size);
- if (!newinfo)
- goto out_unlock;
-
- newinfo->number = number;
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- newinfo->hook_entry[i] = info->hook_entry[i];
- newinfo->underflow[i] = info->underflow[i];
- }
- entry1 = newinfo->entries[raw_smp_processor_id()];
- pos = entry1;
- size = total_size;
- xt_entry_foreach(iter0, entry0, total_size) {
- ret = compat_copy_entry_from_user(iter0, &pos,
- &size, name, newinfo, entry1);
- if (ret != 0)
- break;
- }
- xt_compat_flush_offsets(AF_INET);
- xt_compat_unlock(AF_INET);
- if (ret)
- goto free_newinfo;
-
- ret = -ELOOP;
- if (!mark_source_chains(newinfo, valid_hooks, entry1))
- goto free_newinfo;
-
- i = 0;
- xt_entry_foreach(iter1, entry1, newinfo->size) {
- ret = compat_check_entry(iter1, name);
- if (ret != 0)
- break;
- ++i;
- }
- if (ret) {
- /*
- * The first i matches need cleanup_entry (calls ->destroy)
- * because they had called ->check already. The other j-i
- * entries need only release.
- */
- int skip = i;
- j -= i;
- xt_entry_foreach(iter0, entry0, newinfo->size) {
- if (skip-- > 0)
- continue;
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
- }
- xt_entry_foreach(iter1, entry1, newinfo->size) {
- if (i-- == 0)
- break;
- cleanup_entry(iter1);
- }
- xt_free_table_info(newinfo);
- return ret;
- }
-
- /* And one copy for every other CPU */
- for_each_possible_cpu(i)
- if (newinfo->entries[i] && newinfo->entries[i] != entry1)
- memcpy(newinfo->entries[i], entry1, newinfo->size);
-
- *pinfo = newinfo;
- *pentry0 = entry1;
- xt_free_table_info(info);
- return 0;
-
-free_newinfo:
- xt_free_table_info(newinfo);
-out:
- xt_entry_foreach(iter0, entry0, total_size) {
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
- }
- return ret;
-out_unlock:
- xt_compat_flush_offsets(AF_INET);
- xt_compat_unlock(AF_INET);
- goto out;
-}
-
-static int
-compat_do_replace(struct net *net, void __user *user, unsigned int len)
-{
- int ret;
- struct compat_ipt_replace tmp;
- struct xt_table_info *newinfo;
- void *loc_cpu_entry;
- struct ipt_entry *iter;
-
- if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
- return -EFAULT;
-
- /* overflow check */
- if (tmp.size >= INT_MAX / num_possible_cpus())
- return -ENOMEM;
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-
- newinfo = xt_alloc_table_info(tmp.size);
- if (!newinfo)
- return -ENOMEM;
-
- /* choose the copy that is on our node/cpu */
- loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
- if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
- tmp.size) != 0) {
- ret = -EFAULT;
- goto free_newinfo;
- }
-
- ret = translate_compat_table(tmp.name, tmp.valid_hooks,
- &newinfo, &loc_cpu_entry, tmp.size,
- tmp.num_entries, tmp.hook_entry,
- tmp.underflow);
- if (ret != 0)
- goto free_newinfo;
-
- duprintf("compat_do_replace: Translated table\n");
-
- ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
- tmp.num_counters, compat_ptr(tmp.counters));
- if (ret)
- goto free_newinfo_untrans;
- return 0;
-
- free_newinfo_untrans:
- xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- cleanup_entry(iter);
- free_newinfo:
- xt_free_table_info(newinfo);
- return ret;
-}
-
-static int
compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
unsigned int len)
{
@@ -1937,41 +1180,6 @@ struct compat_ipt_get_entries {
};
static int
-compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
- void __user *userptr)
-{
- struct xt_counters *counters;
- const struct xt_table_info *private = table->private;
- void __user *pos;
- unsigned int size;
- int ret = 0;
- const void *loc_cpu_entry;
- unsigned int i = 0;
- struct ipt_entry *iter;
-
- counters = alloc_counters(table);
- if (IS_ERR(counters))
- return PTR_ERR(counters);
-
- /* choose the copy that is on our node/cpu, ...
- * This choice is lazy (because current thread is
- * allowed to migrate to another cpu)
- */
- loc_cpu_entry = private->entries[raw_smp_processor_id()];
- pos = userptr;
- size = total_size;
- xt_entry_foreach(iter, loc_cpu_entry, total_size) {
- ret = compat_copy_entry_to_user(iter, &pos,
- &size, counters, i++);
- if (ret != 0)
- break;
- }
-
- vfree(counters);
- return ret;
-}
-
-static int
compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
int *len)
{
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 093/103] netfilter: iptables: remove xt1/ipv4 registration functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (91 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 092/103] netfilter: iptables: remove unused functions Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 094/103] netfilter: iptables: remove remaining xt1 code Jan Engelhardt
` (11 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter_ipv4/ip_tables.h | 5 -
net/ipv4/netfilter/ip_tables.c | 491 ------------------------------
2 files changed, 0 insertions(+), 496 deletions(-)
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index ab81dbe..73a8f55 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -246,11 +246,6 @@ ipt_get_target(struct ipt_entry *e)
#include <linux/init.h>
extern void ipt_init(void) __init;
-extern struct xt_table *ipt_register_table(struct net *net,
- const struct xt_table *table,
- const struct ipt_replace *repl);
-extern void ipt_unregister_table(struct xt_table *table);
-
extern struct xt2_table *ipt2_register_table(struct net *,
const struct xt_table *, const struct ipt_replace *);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3c98c7d..ed3056b 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -567,439 +567,6 @@ ipt_do_table(struct sk_buff *skb,
#endif
}
-/* Figures out from what hook each rule can be called: returns 0 if
- there are loops. Puts hook bitmask in comefrom. */
-static int
-mark_source_chains(const struct xt_table_info *newinfo,
- unsigned int valid_hooks, void *entry0)
-{
- unsigned int hook;
-
- /* No recursion; use packet counter to save back ptrs (reset
- to 0 as we leave), and comefrom to save source hook bitmask */
- for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
- unsigned int pos = newinfo->hook_entry[hook];
- struct ipt_entry *e = (struct ipt_entry *)(entry0 + pos);
-
- if (!(valid_hooks & (1 << hook)))
- continue;
-
- /* Set initial back pointer. */
- e->counters.pcnt = pos;
-
- for (;;) {
- const struct ipt_standard_target *t
- = (void *)ipt_get_target_c(e);
- int visited = e->comefrom & (1 << hook);
-
- if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
- printk("iptables: loop hook %u pos %u %08X.\n",
- hook, pos, e->comefrom);
- return 0;
- }
- e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
-
- /* Unconditional return/END. */
- if ((e->target_offset == sizeof(struct ipt_entry)
- && (strcmp(t->target.u.user.name,
- IPT_STANDARD_TARGET) == 0)
- && t->verdict < 0
- && unconditional(&e->ip)) || visited) {
- unsigned int oldpos, size;
-
- if ((strcmp(t->target.u.user.name,
- IPT_STANDARD_TARGET) == 0) &&
- t->verdict < -NF_MAX_VERDICT - 1) {
- duprintf("mark_source_chains: bad "
- "negative verdict (%i)\n",
- t->verdict);
- return 0;
- }
-
- /* Return: backtrack through the last
- big jump. */
- do {
- e->comefrom ^= (1<<NF_INET_NUMHOOKS);
-#ifdef DEBUG_IP_FIREWALL_USER
- if (e->comefrom
- & (1 << NF_INET_NUMHOOKS)) {
- duprintf("Back unset "
- "on hook %u "
- "rule %u\n",
- hook, pos);
- }
-#endif
- oldpos = pos;
- pos = e->counters.pcnt;
- e->counters.pcnt = 0;
-
- /* We're at the start. */
- if (pos == oldpos)
- goto next;
-
- e = (struct ipt_entry *)
- (entry0 + pos);
- } while (oldpos == pos + e->next_offset);
-
- /* Move along one */
- size = e->next_offset;
- e = (struct ipt_entry *)
- (entry0 + pos + size);
- e->counters.pcnt = pos;
- pos += size;
- } else {
- int newpos = t->verdict;
-
- if (strcmp(t->target.u.user.name,
- IPT_STANDARD_TARGET) == 0
- && newpos >= 0) {
- if (newpos > newinfo->size -
- sizeof(struct ipt_entry)) {
- duprintf("mark_source_chains: "
- "bad verdict (%i)\n",
- newpos);
- return 0;
- }
- /* This a jump; chase it. */
- duprintf("Jump rule %u -> %u\n",
- pos, newpos);
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
- }
- e = (struct ipt_entry *)
- (entry0 + newpos);
- e->counters.pcnt = pos;
- pos = newpos;
- }
- }
- next:
- duprintf("Finished chain %u\n", hook);
- }
- return 1;
-}
-
-static void cleanup_match(struct ipt_entry_match *m)
-{
- struct xt_mtdtor_param par;
-
- par.match = m->u.kernel.match;
- par.matchinfo = m->data;
- par.family = NFPROTO_IPV4;
- if (par.match->destroy != NULL)
- par.match->destroy(&par);
- module_put(par.match->me);
-}
-
-static int
-check_entry(struct ipt_entry *e, struct xt_mtchk_param *par)
-{
- const struct ipt_entry_target *t;
-
- par->match = &ipt_builtin_mt[0]; /* ipv4 */
- par->matchinfo = &e->ip;
- if (!ip_checkentry(par)) {
- duprintf("ip_tables: ip check failed %p %s.\n", e, name);
- return -EINVAL;
- }
-
- if (e->target_offset + sizeof(struct ipt_entry_target) >
- e->next_offset)
- return -EINVAL;
-
- t = ipt_get_target_c(e);
- if (e->target_offset + t->u.target_size > e->next_offset)
- return -EINVAL;
-
- return 0;
-}
-
-static int
-check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
-{
- const struct ipt_ip *ip = par->entryinfo;
- int ret;
-
- par->match = m->u.kernel.match;
- par->matchinfo = m->data;
-
- ret = xt_check_match(par, m->u.match_size - sizeof(*m),
- ip->proto, ip->invflags & IPT_INV_PROTO, true);
- if (ret < 0) {
- duprintf("ip_tables: check failed for `%s'.\n",
- par.match->name);
- return ret;
- }
- return 0;
-}
-
-static int
-find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
-{
- struct xt_match *match;
- int ret;
-
- match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
- m->u.user.revision);
- if (IS_ERR(match)) {
- duprintf("find_check_match: `%s' not found\n", m->u.user.name);
- return PTR_ERR(match);
- }
- m->u.kernel.match = match;
-
- ret = check_match(m, par);
- if (ret)
- goto err;
-
- return 0;
-err:
- module_put(m->u.kernel.match->me);
- return ret;
-}
-
-static int check_target(struct ipt_entry *e, const char *name)
-{
- struct ipt_entry_target *t = ipt_get_target(e);
- struct xt_tgchk_param par = {
- .table = name,
- .entryinfo = e,
- .nfproto_info = &e->ip,
- .target = t->u.kernel.target,
- .targinfo = t->data,
- .hook_mask = e->comefrom,
- .family = NFPROTO_IPV4,
- };
- int ret;
-
- ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
- e->ip.proto, e->ip.invflags & IPT_INV_PROTO, true);
- if (ret < 0) {
- duprintf("ip_tables: check failed for `%s'.\n",
- t->u.kernel.target->name);
- return ret;
- }
- return 0;
-}
-
-static int
-find_check_entry(struct ipt_entry *e, const char *name, unsigned int size)
-{
- struct ipt_entry_target *t;
- struct xt_target *target;
- int ret;
- unsigned int j;
- struct xt_mtchk_param mtpar;
- struct xt_entry_match *ematch;
-
- mtpar.table = name;
- mtpar.entryinfo = &e->ip;
- mtpar.hook_mask = e->comefrom;
- mtpar.family = NFPROTO_IPV4;
- ret = check_entry(e, &mtpar);
- if (ret)
- return ret;
- j = 0;
- xt_ematch_foreach(ematch, e) {
- ret = find_check_match(ematch, &mtpar);
- if (ret != 0)
- goto cleanup_matches;
- ++j;
- }
-
- t = ipt_get_target(e);
- target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
- t->u.user.revision);
- if (IS_ERR(target)) {
- duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
- ret = PTR_ERR(target);
- goto cleanup_matches;
- }
- t->u.kernel.target = target;
-
- ret = check_target(e, name);
- if (ret)
- goto err;
- return 0;
- err:
- module_put(t->u.kernel.target->me);
- cleanup_matches:
- xt_ematch_foreach(ematch, e) {
- if (j-- == 0)
- break;
- cleanup_match(ematch);
- }
- return ret;
-}
-
-static bool check_underflow(const struct ipt_entry *e)
-{
- const struct ipt_entry_target *t;
- unsigned int verdict;
-
- if (!unconditional(&e->ip))
- return false;
- t = ipt_get_target_c(e);
- if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
- return false;
- verdict = ((struct ipt_standard_target *)t)->verdict;
- verdict = -verdict - 1;
- return verdict == NF_DROP || verdict == NF_ACCEPT;
-}
-
-static int
-check_entry_size_and_hooks(struct ipt_entry *e,
- struct xt_table_info *newinfo,
- const unsigned char *base,
- const unsigned char *limit,
- const unsigned int *hook_entries,
- const unsigned int *underflows,
- unsigned int valid_hooks)
-{
- unsigned int h;
-
- if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
- || (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
- duprintf("Bad offset %p\n", e);
- return -EINVAL;
- }
-
- if (e->next_offset
- < sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
- duprintf("checking: element %p size %u\n",
- e, e->next_offset);
- return -EINVAL;
- }
-
- /* Check hooks & underflows */
- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
- if (!(valid_hooks & (1 << h)))
- continue;
- if ((unsigned char *)e - base == hook_entries[h])
- newinfo->hook_entry[h] = hook_entries[h];
- if ((unsigned char *)e - base == underflows[h]) {
- if (!check_underflow(e)) {
- pr_err("Underflows must be unconditional and "
- "use the STANDARD target with "
- "ACCEPT/DROP\n");
- return -EINVAL;
- }
- newinfo->underflow[h] = underflows[h];
- }
- }
-
- /* Clear counters and comefrom */
- e->counters = ((struct xt_counters) { 0, 0 });
- e->comefrom = 0;
- return 0;
-}
-
-static void
-cleanup_entry(struct ipt_entry *e)
-{
- struct xt_tgdtor_param par;
- struct ipt_entry_target *t;
- struct xt_entry_match *ematch;
-
- /* Cleanup all matches */
- xt_ematch_foreach(ematch, e)
- cleanup_match(ematch);
- t = ipt_get_target(e);
-
- par.target = t->u.kernel.target;
- par.targinfo = t->data;
- par.family = NFPROTO_IPV4;
- if (par.target->destroy != NULL)
- par.target->destroy(&par);
- module_put(par.target->me);
-}
-
-/* Checks and translates the user-supplied table segment (held in
- newinfo) */
-static int
-translate_table(struct xt_table_info *newinfo, void *entry0,
- const struct ipt_replace *repl)
-{
- struct ipt_entry *iter;
- unsigned int i;
- int ret = 0;
-
- newinfo->size = repl->size;
- newinfo->number = repl->num_entries;
-
- /* Init all hooks to impossible value. */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- newinfo->hook_entry[i] = 0xFFFFFFFF;
- newinfo->underflow[i] = 0xFFFFFFFF;
- }
-
- duprintf("translate_table: size %u\n", newinfo->size);
- i = 0;
- /* Walk through entries, checking offsets. */
- xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = check_entry_size_and_hooks(iter, newinfo, entry0,
- entry0 + repl->size, repl->hook_entry, repl->underflow,
- repl->valid_hooks);
- if (ret != 0)
- return ret;
- ++i;
- if (strcmp(ipt_get_target(iter)->u.user.name,
- XT_ERROR_TARGET) == 0)
- ++newinfo->stacksize;
- }
-
- if (i != repl->num_entries) {
- duprintf("translate_table: %u not %u entries\n",
- i, repl->num_entries);
- return -EINVAL;
- }
-
- /* Check hooks all assigned */
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- /* Only hooks which are valid */
- if (!(repl->valid_hooks & (1 << i)))
- continue;
- if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
- i, repl->hook_entry[i]);
- return -EINVAL;
- }
- if (newinfo->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
- i, repl->underflow[i]);
- return -EINVAL;
- }
- }
-
- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
- return -ELOOP;
-
- /* Finally, each sanity check must pass */
- i = 0;
- xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = find_check_entry(iter, repl->name, repl->size);
- if (ret != 0)
- break;
- ++i;
- }
-
- if (ret != 0) {
- xt_entry_foreach(iter, entry0, newinfo->size) {
- if (i-- == 0)
- break;
- cleanup_entry(iter);
- }
- return ret;
- }
-
- /* And one copy for every other CPU */
- for_each_possible_cpu(i) {
- if (newinfo->entries[i] && newinfo->entries[i] != entry0)
- memcpy(newinfo->entries[i], entry0, newinfo->size);
- }
-
- return ret;
-}
-
static const struct xt1_xlat_info ipt_compat_xlat_info = {
#ifdef CONFIG_COMPAT
.marker_size = XT_ALIGN(sizeof(struct ipt_error_target)),
@@ -1311,62 +878,6 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
return ret;
}
-struct xt_table *ipt_register_table(struct net *net,
- const struct xt_table *table,
- const struct ipt_replace *repl)
-{
- int ret;
- struct xt_table_info *newinfo;
- struct xt_table_info bootstrap = {};
- void *loc_cpu_entry;
- struct xt_table *new_table;
-
- newinfo = xt_alloc_table_info(repl->size);
- if (!newinfo) {
- ret = -ENOMEM;
- goto out;
- }
-
- /* choose the copy on our node/cpu, but dont care about preemption */
- loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
- memcpy(loc_cpu_entry, repl->entries, repl->size);
-
- ret = translate_table(newinfo, loc_cpu_entry, repl);
- if (ret != 0)
- goto out_free;
-
- new_table = xt_register_table(net, table, &bootstrap, newinfo);
- if (IS_ERR(new_table)) {
- ret = PTR_ERR(new_table);
- goto out_free;
- }
-
- return new_table;
-
-out_free:
- xt_free_table_info(newinfo);
-out:
- return ERR_PTR(ret);
-}
-
-void ipt_unregister_table(struct xt_table *table)
-{
- struct xt_table_info *private;
- void *loc_cpu_entry;
- struct module *table_owner = table->me;
- struct ipt_entry *iter;
-
- private = xt_unregister_table(table);
-
- /* Decrease module usage counts and free resources */
- loc_cpu_entry = private->entries[raw_smp_processor_id()];
- xt_entry_foreach(iter, loc_cpu_entry, private->size)
- cleanup_entry(iter);
- if (private->number > private->initial_entries)
- module_put(table_owner);
- xt_free_table_info(private);
-}
-
static struct nf_sockopt_ops ipt_sockopts = {
.pf = PF_INET,
.set_optmin = IPT_BASE_CTL,
@@ -1442,8 +953,6 @@ static void __exit ip_tables_fini(void)
unregister_pernet_subsys(&ip_tables_net_ops);
}
-EXPORT_SYMBOL(ipt_register_table);
-EXPORT_SYMBOL(ipt_unregister_table);
EXPORT_SYMBOL(ipt_do_table);
module_init(ip_tables_init);
module_exit(ip_tables_fini);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 094/103] netfilter: iptables: remove remaining xt1 code
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (92 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 093/103] netfilter: iptables: remove xt1/ipv4 registration functions Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 095/103] netfilter: xt_quota: enable module lookup via arpt Jan Engelhardt
` (10 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter_ipv4/ip_tables.h | 17 --
net/ipv4/netfilter/ip_tables.c | 344 ------------------------------
2 files changed, 0 insertions(+), 361 deletions(-)
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 73a8f55..fdc7e4e 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -290,14 +290,6 @@ struct ipt_error
.target.errorname = "ERROR", \
}
-extern unsigned int ipt_do_table(struct sk_buff *skb,
- unsigned int hook,
- const struct net_device *in,
- const struct net_device *out,
- struct xt_table *table);
-
-#define IPT_ALIGN(s) XT_ALIGN(s)
-
#ifdef CONFIG_COMPAT
#include <net/compat.h>
@@ -324,15 +316,6 @@ struct compat_ipt_replace {
struct compat_ipt_entry entries[0];
};
-/* Helper functions */
-static inline struct ipt_entry_target *
-compat_ipt_get_target(struct compat_ipt_entry *e)
-{
- return (void *)e + e->target_offset;
-}
-
-#define COMPAT_IPT_ALIGN(s) COMPAT_XT_ALIGN(s)
-
#endif /* CONFIG_COMPAT */
#endif /*__KERNEL__*/
#endif /* _IPTABLES_H */
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index ed3056b..c58b5a1 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -49,23 +49,6 @@ MODULE_DESCRIPTION("IPv4 packet filter");
#define duprintf(format, args...)
#endif
-#ifdef CONFIG_NETFILTER_DEBUG
-#define IP_NF_ASSERT(x) \
-do { \
- if (!(x)) \
- printk("IP_NF_ASSERT: %s:%s:%u\n", \
- __func__, __FILE__, __LINE__); \
-} while(0)
-#else
-#define IP_NF_ASSERT(x)
-#endif
-
-#if 0
-/* All the better to debug you with... */
-#define static
-#define inline
-#endif
-
#define xtsub_entry ipt_entry
#define xtsub_entry_nocompat ipt_entry
#define xtsub_replace ipt_replace
@@ -228,55 +211,6 @@ static bool icmp_checkentry(const struct xt_mtchk_param *par)
return !(icmpinfo->invflags & ~IPT_ICMP_INV);
}
-#ifdef CONFIG_COMPAT
-static void compat_standard_from_user(void *dst, const void *src)
-{
- int v = *(compat_int_t *)src;
-
- if (v > 0)
- v += xt_compat_calc_jump(AF_INET, v);
- memcpy(dst, &v, sizeof(v));
-}
-
-static int compat_standard_to_user(void __user *dst, const void *src)
-{
- compat_int_t cv = *(int *)src;
-
- if (cv > 0)
- cv -= xt_compat_calc_jump(AF_INET, cv);
- return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
-}
-#endif
-
-static unsigned int
-ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
-{
- if (net_ratelimit())
- printk("ip_tables: error: `%s'\n",
- (const char *)par->targinfo);
-
- return NF_DROP;
-}
-
-static struct xt_target ipt_builtin_tg[] __read_mostly = {
- {
- .name = IPT_STANDARD_TARGET,
- .targetsize = sizeof(int),
- .family = NFPROTO_IPV4,
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(compat_int_t),
- .compat_from_user = compat_standard_from_user,
- .compat_to_user = compat_standard_to_user,
-#endif
- },
- {
- .name = IPT_ERROR_TARGET,
- .target = ipt_error,
- .targetsize = IPT_FUNCTION_MAXNAMELEN,
- .family = NFPROTO_IPV4,
- },
-};
-
static struct xt_match ipt_builtin_mt[] __read_mostly = {
{
.name = "ipv4",
@@ -296,277 +230,6 @@ static struct xt_match ipt_builtin_mt[] __read_mostly = {
},
};
-/* Performance critical */
-static inline struct ipt_entry *
-get_entry(const void *base, unsigned int offset)
-{
- return (struct ipt_entry *)(base + offset);
-}
-
-/* All zeroes == unconditional rule. */
-/* Mildly perf critical (only if packet tracing is on) */
-static inline bool unconditional(const struct ipt_ip *ip)
-{
- static const struct ipt_ip uncond;
-
- return memcmp(ip, &uncond, sizeof(uncond)) == 0;
-#undef FWINV
-}
-
-/* for const-correctness */
-static inline const struct ipt_entry_target *
-ipt_get_target_c(const struct ipt_entry *e)
-{
- return ipt_get_target((struct ipt_entry *)e);
-}
-
-#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
- defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
-static const char *const hooknames[] = {
- [NF_INET_PRE_ROUTING] = "PREROUTING",
- [NF_INET_LOCAL_IN] = "INPUT",
- [NF_INET_FORWARD] = "FORWARD",
- [NF_INET_LOCAL_OUT] = "OUTPUT",
- [NF_INET_POST_ROUTING] = "POSTROUTING",
-};
-
-enum nf_ip_trace_comments {
- NF_IP_TRACE_COMMENT_RULE,
- NF_IP_TRACE_COMMENT_RETURN,
- NF_IP_TRACE_COMMENT_POLICY,
-};
-
-static const char *const comments[] = {
- [NF_IP_TRACE_COMMENT_RULE] = "rule",
- [NF_IP_TRACE_COMMENT_RETURN] = "return",
- [NF_IP_TRACE_COMMENT_POLICY] = "policy",
-};
-
-static struct nf_loginfo trace_loginfo = {
- .type = NF_LOG_TYPE_LOG,
- .u = {
- .log = {
- .level = 4,
- .logflags = NF_LOG_MASK,
- },
- },
-};
-
-/* Mildly perf critical (only if packet tracing is on) */
-static inline int
-get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e,
- const char *hookname, const char **chainname,
- const char **comment, unsigned int *rulenum)
-{
- const struct ipt_standard_target *t = (void *)ipt_get_target_c(s);
-
- if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) {
- /* Head of user chain: ERROR target with chainname */
- *chainname = t->target.data;
- (*rulenum) = 0;
- } else if (s == e) {
- (*rulenum)++;
-
- if (s->target_offset == sizeof(struct ipt_entry)
- && strcmp(t->target.u.kernel.target->name,
- IPT_STANDARD_TARGET) == 0
- && t->verdict < 0
- && unconditional(&s->ip)) {
- /* Tail of chains: STANDARD target (return/policy) */
- *comment = *chainname == hookname
- ? comments[NF_IP_TRACE_COMMENT_POLICY]
- : comments[NF_IP_TRACE_COMMENT_RETURN];
- }
- return 1;
- } else
- (*rulenum)++;
-
- return 0;
-}
-
-static void trace_packet(const struct sk_buff *skb,
- unsigned int hook,
- const struct net_device *in,
- const struct net_device *out,
- const char *tablename,
- const struct xt_table_info *private,
- const struct ipt_entry *e)
-{
- const void *table_base;
- const struct ipt_entry *root;
- const char *hookname, *chainname, *comment;
- const struct ipt_entry *iter;
- unsigned int rulenum = 0;
-
- table_base = private->entries[smp_processor_id()];
- root = get_entry(table_base, private->hook_entry[hook]);
-
- hookname = chainname = hooknames[hook];
- comment = comments[NF_IP_TRACE_COMMENT_RULE];
-
- xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
- if (get_chainname_rulenum(iter, e, hookname,
- &chainname, &comment, &rulenum) != 0)
- break;
-
- nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
- "TRACE: %s:%s:%s:%u ",
- tablename, chainname, comment, rulenum);
-}
-#endif
-
-static inline __pure
-struct ipt_entry *ipt_next_entry(const struct ipt_entry *entry)
-{
- return (void *)entry + entry->next_offset;
-}
-
-/* Returns one of the generic firewall policies, like NF_ACCEPT. */
-unsigned int
-ipt_do_table(struct sk_buff *skb,
- unsigned int hook,
- const struct net_device *in,
- const struct net_device *out,
- struct xt_table *table)
-{
- const struct iphdr *ip;
- /* Initializing verdict to NF_DROP keeps gcc happy. */
- unsigned int verdict = NF_DROP;
- const void *table_base;
- struct ipt_entry *e, **jumpstack;
- unsigned int *stackptr, origptr, cpu;
- const struct xt_table_info *private;
- struct xt_action_param acpar;
-
- /* Initialization */
- ip = ip_hdr(skb);
- /* We handle fragments by dealing with the first fragment as
- * if it was a normal packet. All other fragments are treated
- * normally, except that they will NEVER match rules that ask
- * things we don't know, ie. tcp syn flag or ports). If the
- * rule is also a fragment-specific rule, non-fragments won't
- * match it. */
- acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
- acpar.thoff = ip_hdrlen(skb);
- acpar.hotdrop = false;
- acpar.in = in;
- acpar.out = out;
- acpar.family = NFPROTO_IPV4;
- acpar.hooknum = hook;
-
- IP_NF_ASSERT(table->valid_hooks & (1 << hook));
- xt_info_rdlock_bh();
- private = table->private;
- cpu = smp_processor_id();
- table_base = private->entries[cpu];
- jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
- stackptr = &private->stackptr[cpu];
- origptr = *stackptr;
-
- e = get_entry(table_base, private->hook_entry[hook]);
-
- pr_devel("Entering %s(hook %u); sp at %u (UF %p)\n", table->name,
- hook, origptr,
- get_entry(table_base, private->underflow[hook]));
-
- do {
- const struct ipt_entry_target *t;
- const struct xt_entry_match *ematch;
-
- IP_NF_ASSERT(e);
- acpar.match = &ipt_builtin_mt[0]; /* "ipv4" itself */
- acpar.matchinfo = &e->ip;
- if (!ip_packet_match(skb, &acpar)) {
- no_match:
- e = ipt_next_entry(e);
- continue;
- }
-
- xt_ematch_foreach(ematch, e) {
- acpar.match = ematch->u.kernel.match;
- acpar.matchinfo = ematch->data;
- if (!acpar.match->match(skb, &acpar))
- goto no_match;
- }
-
- ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
-
- t = ipt_get_target(e);
- IP_NF_ASSERT(t->u.kernel.target);
-
-#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
- defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
- /* The packet is traced: log it */
- if (unlikely(skb->nf_trace))
- trace_packet(skb, hook, in, out,
- table->name, private, e);
-#endif
- /* Standard target? */
- if (!t->u.kernel.target->target) {
- int v;
-
- v = ((struct ipt_standard_target *)t)->verdict;
- if (v < 0) {
- /* Pop from stack? */
- if (v != IPT_RETURN) {
- verdict = (unsigned)(-v) - 1;
- break;
- }
- if (*stackptr == 0) {
- e = get_entry(table_base,
- private->underflow[hook]);
- pr_devel("Underflow (this is normal) "
- "to %p\n", e);
- } else {
- e = jumpstack[--*stackptr];
- pr_devel("Pulled %p out from pos %u\n",
- e, *stackptr);
- e = ipt_next_entry(e);
- }
- continue;
- }
- if (table_base + v != ipt_next_entry(e)
- && !(e->ip.flags & IPT_F_GOTO)) {
- if (*stackptr >= private->stacksize) {
- verdict = NF_DROP;
- break;
- }
- jumpstack[(*stackptr)++] = e;
- pr_devel("Pushed %p into pos %u\n",
- e, *stackptr - 1);
- }
-
- e = get_entry(table_base, v);
- continue;
- }
-
- /* Targets which reenter must return
- abs. verdicts */
- acpar.target = t->u.kernel.target;
- acpar.targinfo = t->data;
-
- verdict = t->u.kernel.target->target(skb, &acpar);
- /* Target might have changed stuff. */
- ip = ip_hdr(skb);
- if (verdict == IPT_CONTINUE)
- e = ipt_next_entry(e);
- else
- /* Verdict */
- break;
- } while (!acpar.hotdrop);
- xt_info_rdunlock_bh();
- pr_devel("Exiting %s; resetting sp from %u to %u\n",
- __func__, *stackptr, origptr);
- *stackptr = origptr;
-#ifdef DEBUG_ALLOW_ALL
- return NF_ACCEPT;
-#else
- if (acpar.hotdrop)
- return NF_DROP;
- else return verdict;
-#endif
-}
-
static const struct xt1_xlat_info ipt_compat_xlat_info = {
#ifdef CONFIG_COMPAT
.marker_size = XT_ALIGN(sizeof(struct ipt_error_target)),
@@ -919,9 +582,6 @@ static int __init ip_tables_init(void)
goto err1;
/* Noone else will be downing sem now, so we won't sleep */
- ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
- if (ret < 0)
- goto err2;
ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
if (ret < 0)
goto err4;
@@ -937,8 +597,6 @@ static int __init ip_tables_init(void)
err5:
xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
err4:
- xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
-err2:
unregister_pernet_subsys(&ip_tables_net_ops);
err1:
return ret;
@@ -949,10 +607,8 @@ static void __exit ip_tables_fini(void)
nf_unregister_sockopt(&ipt_sockopts);
xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
- xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
unregister_pernet_subsys(&ip_tables_net_ops);
}
-EXPORT_SYMBOL(ipt_do_table);
module_init(ip_tables_init);
module_exit(ip_tables_fini);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 095/103] netfilter: xt_quota: enable module lookup via arpt
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (93 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 094/103] netfilter: iptables: remove remaining xt1 code Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 096/103] netfilter: arptables: include xt1_perproto in arp_tables Jan Engelhardt
` (9 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/xt_quota.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 69c8659..81062ec 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -22,6 +22,7 @@ MODULE_AUTHOR("Sam Johnston <samj@samj.net>");
MODULE_DESCRIPTION("Xtables: counter match");
MODULE_ALIAS("ipt_quota");
MODULE_ALIAS("ip6t_quota");
+MODULE_ALIAS("arpt_quota");
static DEFINE_SPINLOCK(quota_lock);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 096/103] netfilter: arptables: include xt1_perproto in arp_tables
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (94 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 095/103] netfilter: xt_quota: enable module lookup via arpt Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 097/103] netfilter: arptables: switch to xt2 tables Jan Engelhardt
` (8 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter_arp/arp_tables.h | 15 ++++++++++++
net/ipv4/netfilter/Kconfig | 1 +
net/ipv4/netfilter/arp_tables.c | 35 +++++++++++++++++++----------
net/netfilter/xt1_translat.c | 23 ++++++++++++++++++-
4 files changed, 60 insertions(+), 14 deletions(-)
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 16313df..8140700 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -276,6 +276,9 @@ extern unsigned int arpt_do_table(struct sk_buff *skb,
const struct net_device *out,
struct xt_table *table);
+extern struct xt2_table *arpt2_register_table(struct net *,
+ const struct xt_table *, const struct arpt_replace *);
+
#define ARPT_ALIGN(s) XT_ALIGN(s)
#ifdef CONFIG_COMPAT
@@ -291,6 +294,18 @@ struct compat_arpt_entry
unsigned char elems[0];
};
+struct compat_arpt_replace {
+ char name[ARPT_TABLE_MAXNAMELEN];
+ u32 valid_hooks;
+ u32 num_entries;
+ u32 size;
+ u32 hook_entry[NF_ARP_NUMHOOKS];
+ u32 underflow[NF_ARP_NUMHOOKS];
+ u32 num_counters;
+ compat_uptr_t counters;
+ struct compat_arpt_entry entries[0];
+};
+
static inline struct arpt_entry_target *
compat_arpt_get_target(struct compat_arpt_entry *e)
{
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index b960bbd..2019153 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -361,6 +361,7 @@ endif # IP_NF_IPTABLES
config IP_NF_ARPTABLES
tristate "ARP tables support"
select NETFILTER_XTABLES
+ select NETFILTER_XT1_SUPPORT
depends on NETFILTER_ADVANCED
help
arptables is a general, extensible packet identification framework.
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index e3911a0..850b248 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -58,6 +58,29 @@ do { \
#define ARP_NF_ASSERT(x)
#endif
+#define xtsub_entry arpt_entry
+#define xtsub_entry_nocompat arpt_entry
+#define xtsub_replace arpt_replace
+#define xtsub_error_target arpt_error_target
+#define XTSUB_NFPROTO NFPROTO_ARP
+#define XTSUB_NFPROTO_ARP 1
+#define XTSUB(x) arpt_ ## x
+#define XTSUB2(x) arpt2_ ## x
+
+#include "../../netfilter/xt1_translat.c"
+#include "../../netfilter/xt1_postshared.c"
+#undef XTSUB2
+#undef xtsub_entry
+#undef xtsub_replace
+
+#ifdef CONFIG_COMPAT
+#define XTSUB_DO_COMPAT
+#define xtsub_entry compat_arpt_entry
+#define xtsub_replace compat_arpt_replace
+#define XTSUB2(x) arpt2_compat_ ## x
+#include "../../netfilter/xt1_translat.c"
+#endif
+
static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
const char *hdr_addr, int len)
{
@@ -1515,18 +1538,6 @@ out_unlock:
goto out;
}
-struct compat_arpt_replace {
- char name[ARPT_TABLE_MAXNAMELEN];
- u32 valid_hooks;
- u32 num_entries;
- u32 size;
- u32 hook_entry[NF_ARP_NUMHOOKS];
- u32 underflow[NF_ARP_NUMHOOKS];
- u32 num_counters;
- compat_uptr_t counters;
- struct compat_arpt_entry entries[0];
-};
-
static int compat_do_replace(struct net *net, void __user *user,
unsigned int len)
{
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index d45e674..20a4217 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -12,9 +12,11 @@
#include <linux/slab.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_quota.h>
+#include <linux/netfilter_arp/arp_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
-#if !defined(XTSUB_NFPROTO_IPV4) && !defined(XTSUB_NFPROTO_IPV6)
+#if !defined(XTSUB_NFPROTO_IPV4) && !defined(XTSUB_NFPROTO_IPV6) && \
+ !defined(XTSUB_NFPROTO_ARP)
# error Need to define XTSUB_NFPROTO_xxx.
#endif
#ifdef XTSUB_DO_COMPAT
@@ -43,6 +45,13 @@ static inline bool XTSUB2(unconditional)(const struct xtsub_entry *e)
{
return memcmp(&e->ipv6, &xtsub_uncond, sizeof(xtsub_uncond)) == 0;
}
+#elif defined(XTSUB_NFPROTO_ARP)
+static const struct arpt_arp xtsub_uncond;
+
+static inline bool XTSUB2(unconditional)(const struct xtsub_entry *e)
+{
+ return memcmp(&e->arp, &xtsub_uncond, sizeof(xtsub_uncond)) == 0;
+}
#endif
static inline struct xt_entry_target *
@@ -170,6 +179,8 @@ XTSUB2(target_to_xt2)(struct xt2_rule *rule, const struct xtsub_entry *entry,
/* debug: (we already checked loopfreeness before) */
if (ntarget->r_goto == rule->chain)
return -ELOOP;
+#elif defined(XTSUB_NFPROTO_ARP)
+ /* arptables does not support goto */
#endif
} else {
ntarget->ext = XT2_ACTION_JUMP;
@@ -214,6 +225,9 @@ XTSUB2(rule_to_xt2)(struct xt2_chain *chain, const struct xtsub_entry *entry,
rule->flags |= XT2_INV_L4PROTO;
ret = xt2_rule_add_match(rule, "ipv6", 0, &entry->ipv6,
sizeof(entry->ipv6), false);
+#elif defined(XTSUB_NFPROTO_ARP)
+ ret = xt2_rule_add_match(rule, "arp", 0, &entry->arp,
+ sizeof(entry->arp), false);
#endif
if (ret < 0)
goto out;
@@ -490,13 +504,18 @@ XTSUB2(rule_to_xt1)(void __user **user_ptr, int *len, unsigned int *z,
if (strcmp(ematch->ext->name, "ipv4") != 0)
return -EIO;
memcpy(&entry.ip, ematch->data, sizeof(entry.ip));
+ entry.nfcache = 0;
#elif defined(XTSUB_NFPROTO_IPV6)
if (strcmp(ematch->ext->name, "ipv6") != 0)
return -EIO;
memcpy(&entry.ipv6, ematch->data, sizeof(entry.ipv6));
+ entry.nfcache = 0;
+#elif defined(XTSUB_NFPROTO_ARP)
+ if (strcmp(ematch->ext->name, "arp") != 0)
+ return -EIO;
+ memcpy(&entry.arp, ematch->data, sizeof(entry.arp));
#endif
entry.comefrom = rule->chain->comefrom;
- entry.nfcache = 0;
xts_rule_get_quota(quota_ematch, &entry.counters.bcnt,
&entry.counters.pcnt);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 097/103] netfilter: arptables: switch to xt2 tables
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (95 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 096/103] netfilter: arptables: include xt1_perproto in arp_tables Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 098/103] netfilter: arptables: remove unused functions Jan Engelhardt
` (7 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/net/netns/x_tables.h | 1 +
net/ipv4/netfilter/arp_tables.c | 201 ++++++++++++----------------------
net/ipv4/netfilter/arptable_filter.c | 22 +++-
3 files changed, 87 insertions(+), 137 deletions(-)
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index 68b0b4f..f472744 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -21,6 +21,7 @@ struct netns_xt2 {
*ipv4_nat;
struct xt2_table_link
*ipv6_filter, *ipv6_mangle, *ipv6_raw, *ipv6_security;
+ struct xt2_table_link *arp_filter;
};
#endif
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 850b248..8d59b2a 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -955,11 +955,51 @@ static int compat_table_info(const struct xt_table_info *info,
}
#endif
+static const struct xt1_xlat_info arpt_compat_xlat_info = {
+#ifdef CONFIG_COMPAT
+ .marker_size = XT_ALIGN(sizeof(struct arpt_error_target)),
+ .entry_hdr_size = sizeof(struct compat_arpt_entry),
+ .pmatch_size = sizeof(struct arpt_arp),
+ .first_match = "arp",
+ .ematch_size = sizeof(struct xt_entry_match),
+ .etarget_size = sizeof(struct xt_entry_target),
+ .standard_tgsize = COMPAT_XT_ALIGN(sizeof(struct xt_entry_target) +
+ sizeof(compat_uint_t)),
+ .compat = true,
+#endif
+};
+
+static const struct xt1_xlat_info arpt_xlat_info = {
+ .marker_size = XT_ALIGN(sizeof(struct arpt_error_target)),
+ .entry_hdr_size = sizeof(struct arpt_entry),
+ .pmatch_size = sizeof(struct arpt_arp),
+ .first_match = "arp",
+ .ematch_size = sizeof(struct xt_entry_match),
+ .etarget_size = sizeof(struct xt_entry_target),
+ .standard_tgsize = XT_ALIGN(sizeof(struct xt_entry_target) +
+ sizeof(int)),
+};
+
+static int arpt2_get_info(void __user *uptr, int len,
+ struct xt2_table *table, bool compat)
+{
+ struct arpt_getinfo info = {
+ .valid_hooks = table->valid_hooks,
+ };
+
+ strncpy(info.name, table->name,
+ min(sizeof(info.name), sizeof(table->name)));
+ info.size = xts_blob_prep_table(table,
+ compat ? &arpt_compat_xlat_info : &arpt_xlat_info,
+ info.hook_entry, info.underflow, &info.num_entries);
+ return (copy_to_user(uptr, &info, sizeof(info)) != 0) ? -EFAULT : 0;
+}
+
static int get_info(struct net *net, void __user *user,
const int *len, int compat)
{
char name[ARPT_TABLE_MAXNAMELEN];
- struct xt_table *t;
+ struct xt2_table *table;
int ret;
if (*len != sizeof(struct arpt_getinfo)) {
@@ -972,45 +1012,13 @@ static int get_info(struct net *net, void __user *user,
return -EFAULT;
name[ARPT_TABLE_MAXNAMELEN-1] = '\0';
-#ifdef CONFIG_COMPAT
- if (compat)
- xt_compat_lock(NFPROTO_ARP);
-#endif
- t = try_then_request_module(xt_find_table_lock(net, NFPROTO_ARP, name),
- "arptable_%s", name);
- if (t && !IS_ERR(t)) {
- struct arpt_getinfo info;
- const struct xt_table_info *private = t->private;
-
-#ifdef CONFIG_COMPAT
- if (compat) {
- struct xt_table_info tmp;
- ret = compat_table_info(private, &tmp);
- xt_compat_flush_offsets(NFPROTO_ARP);
- private = &tmp;
- }
-#endif
- info.valid_hooks = t->valid_hooks;
- memcpy(info.hook_entry, private->hook_entry,
- sizeof(info.hook_entry));
- memcpy(info.underflow, private->underflow,
- sizeof(info.underflow));
- info.num_entries = private->number;
- info.size = private->size;
- strcpy(info.name, name);
-
- if (copy_to_user(user, &info, *len) != 0)
- ret = -EFAULT;
- else
- ret = 0;
- xt_table_unlock(t);
- module_put(t->me);
- } else
- ret = t ? PTR_ERR(t) : -ENOENT;
-#ifdef CONFIG_COMPAT
- if (compat)
- xt_compat_unlock(NFPROTO_ARP);
-#endif
+ table = try_then_request_module(
+ xt2_table_lookup(net, name, NFPROTO_ARP, XT2_TAKE_RCULOCK),
+ "arptable_%s", name);
+ if (table == NULL)
+ return -ENOENT;
+ ret = arpt2_get_info(user, *len, table, compat);
+ rcu_read_unlock();
return ret;
}
@@ -1019,7 +1027,7 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
{
int ret;
struct arpt_get_entries get;
- struct xt_table *t;
+ struct xt2_table *table;
if (*len < sizeof(get)) {
duprintf("get_entries: %u < %Zu\n", *len, sizeof(get));
@@ -1033,25 +1041,12 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
return -EINVAL;
}
- t = xt_find_table_lock(net, NFPROTO_ARP, get.name);
- if (t && !IS_ERR(t)) {
- const struct xt_table_info *private = t->private;
-
- duprintf("t->private->number = %u\n",
- private->number);
- if (get.size == private->size)
- ret = copy_entries_to_user(private->size,
- t, uptr->entrytable);
- else {
- duprintf("get_entries: I've got %u not %u!\n",
- private->size, get.size);
- ret = -EAGAIN;
- }
- module_put(t->me);
- xt_table_unlock(t);
- } else
- ret = t ? PTR_ERR(t) : -ENOENT;
-
+ table = xt2_table_lookup(net, get.name, NFPROTO_ARP, XT2_TAKE_RCULOCK);
+ if (table == NULL)
+ return -ENOENT;
+ ret = arpt2_table_to_xt1(uptr->entrytable, get.size,
+ table, &arpt_xlat_info);
+ rcu_read_unlock();
return ret;
}
@@ -1181,18 +1176,13 @@ static int do_replace(struct net *net, const void __user *user,
static int do_add_counters(struct net *net, const void __user *user,
unsigned int len, int compat)
{
- unsigned int i, curcpu;
struct xt_counters_info tmp;
- struct xt_counters *paddc;
unsigned int num_counters;
const char *name;
int size;
void *ptmp;
- struct xt_table *t;
- const struct xt_table_info *private;
int ret = 0;
- void *loc_cpu_entry;
- struct arpt_entry *iter;
+ struct xt2_table *table;
#ifdef CONFIG_COMPAT
struct compat_xt_counters_info compat_tmp;
@@ -1223,45 +1213,11 @@ static int do_add_counters(struct net *net, const void __user *user,
if (len != size + num_counters * sizeof(struct xt_counters))
return -EINVAL;
- paddc = vmalloc_node(len - size, numa_node_id());
- if (!paddc)
- return -ENOMEM;
-
- if (copy_from_user(paddc, user + size, len - size) != 0) {
- ret = -EFAULT;
- goto free;
- }
-
- t = xt_find_table_lock(net, NFPROTO_ARP, name);
- if (!t || IS_ERR(t)) {
- ret = t ? PTR_ERR(t) : -ENOENT;
- goto free;
- }
-
- local_bh_disable();
- private = t->private;
- if (private->number != num_counters) {
- ret = -EINVAL;
- goto unlock_up_free;
- }
-
- i = 0;
- /* Choose the copy that is on our node */
- curcpu = smp_processor_id();
- loc_cpu_entry = private->entries[curcpu];
- xt_info_wrlock(curcpu);
- xt_entry_foreach(iter, loc_cpu_entry, private->size) {
- ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
- ++i;
- }
- xt_info_wrunlock(curcpu);
- unlock_up_free:
- local_bh_enable();
- xt_table_unlock(t);
- module_put(t->me);
- free:
- vfree(paddc);
-
+ table = xt2_table_lookup(net, name, NFPROTO_ARP, XT2_TAKE_RCULOCK);
+ if (table == NULL)
+ return -ENOENT;
+ ret = xts_get_counters(table, user + size, num_counters);
+ rcu_read_unlock();
return ret;
}
@@ -1600,7 +1556,7 @@ static int compat_do_arpt_set_ctl(struct sock *sk, int cmd, void __user *user,
switch (cmd) {
case ARPT_SO_SET_REPLACE:
- ret = compat_do_replace(sock_net(sk), user, len);
+ ret = arpt2_compat_do_replace(sock_net(sk), user, len);
break;
case ARPT_SO_SET_ADD_COUNTERS:
@@ -1692,7 +1648,7 @@ static int compat_get_entries(struct net *net,
{
int ret;
struct compat_arpt_get_entries get;
- struct xt_table *t;
+ struct xt2_table *table;
if (*len < sizeof(get)) {
duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
@@ -1706,29 +1662,12 @@ static int compat_get_entries(struct net *net,
return -EINVAL;
}
- xt_compat_lock(NFPROTO_ARP);
- t = xt_find_table_lock(net, NFPROTO_ARP, get.name);
- if (t && !IS_ERR(t)) {
- const struct xt_table_info *private = t->private;
- struct xt_table_info info;
-
- duprintf("t->private->number = %u\n", private->number);
- ret = compat_table_info(private, &info);
- if (!ret && get.size == info.size) {
- ret = compat_copy_entries_to_user(private->size,
- t, uptr->entrytable);
- } else if (!ret) {
- duprintf("compat_get_entries: I've got %u not %u!\n",
- private->size, get.size);
- ret = -EAGAIN;
- }
- xt_compat_flush_offsets(NFPROTO_ARP);
- module_put(t->me);
- xt_table_unlock(t);
- } else
- ret = t ? PTR_ERR(t) : -ENOENT;
-
- xt_compat_unlock(NFPROTO_ARP);
+ table = xt2_table_lookup(net, get.name, NFPROTO_ARP, XT2_TAKE_RCULOCK);
+ if (table == NULL)
+ return -ENOENT;
+ ret = arpt2_compat_table_to_xt1(uptr->entrytable, get.size,
+ table, &arpt_compat_xlat_info);
+ rcu_read_unlock();
return ret;
}
@@ -1765,7 +1704,7 @@ static int do_arpt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned
switch (cmd) {
case ARPT_SO_SET_REPLACE:
- ret = do_replace(sock_net(sk), user, len);
+ ret = arpt2_do_replace(sock_net(sk), user, len);
break;
case ARPT_SO_SET_ADD_COUNTERS:
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 1299f08..341c0c8 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -6,6 +6,7 @@
*/
#include <linux/module.h>
+#include <linux/rcupdate.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
@@ -32,26 +33,35 @@ static unsigned int arptable_filter_hook(unsigned int hook,
int (*okfn)(struct sk_buff *))
{
const struct net *net = dev_net((in != NULL) ? in : out);
- return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter);
+ const struct xt2_table_link *link;
+ unsigned int verdict;
+
+ rcu_read_lock();
+ link = rcu_dereference(net->xt2.arp_filter);
+ verdict = xt2_do_table(skb, hook, in, out, link->table);
+ rcu_read_unlock();
+ return verdict;
}
static int __net_init arptable_filter_net_init(struct net *net)
{
struct arpt_replace *repl = xt_repldata_create(&packet_filter);
+ struct xt2_table *table;
if (repl == NULL)
return -ENOMEM;
- net->ipv4.arptable_filter =
- arpt_register_table(net, &packet_filter, repl);
+ table = arpt2_register_table(net, &packet_filter, repl);
kfree(repl);
- if (IS_ERR(net->ipv4.arptable_filter))
- return PTR_ERR(net->ipv4.arptable_filter);
+ if (IS_ERR(table))
+ return PTR_ERR(table);
+ net->xt2.arp_filter = xt2_tlink_lookup(net, table->name,
+ table->nfproto, XT2_NO_RCULOCK);
return 0;
}
static void __net_exit arptable_filter_net_exit(struct net *net)
{
- arpt_unregister_table(net->ipv4.arptable_filter);
+ xt2_table_destroy(net, net->xt2.arp_filter->table);
}
static struct pernet_operations arptable_filter_net_ops = {
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 098/103] netfilter: arptables: remove unused functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (96 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 097/103] netfilter: arptables: switch to xt2 tables Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 099/103] netfilter: arptables: remove xt1/arp registration functions Jan Engelhardt
` (6 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arp_tables.c | 678 ---------------------------------------
1 files changed, 0 insertions(+), 678 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 8d59b2a..d134f71 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -789,172 +789,6 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
return ret;
}
-static void get_counters(const struct xt_table_info *t,
- struct xt_counters counters[])
-{
- struct arpt_entry *iter;
- unsigned int cpu;
- unsigned int i;
- unsigned int curcpu;
-
- /* Instead of clearing (by a previous call to memset())
- * the counters and using adds, we set the counters
- * with data used by 'current' CPU
- *
- * Bottom half has to be disabled to prevent deadlock
- * if new softirq were to run and call ipt_do_table
- */
- local_bh_disable();
- curcpu = smp_processor_id();
-
- i = 0;
- xt_entry_foreach(iter, t->entries[curcpu], t->size) {
- SET_COUNTER(counters[i], iter->counters.bcnt,
- iter->counters.pcnt);
- ++i;
- }
-
- for_each_possible_cpu(cpu) {
- if (cpu == curcpu)
- continue;
- i = 0;
- xt_info_wrlock(cpu);
- xt_entry_foreach(iter, t->entries[cpu], t->size) {
- ADD_COUNTER(counters[i], iter->counters.bcnt,
- iter->counters.pcnt);
- ++i;
- }
- xt_info_wrunlock(cpu);
- }
- local_bh_enable();
-}
-
-static struct xt_counters *alloc_counters(const struct xt_table *table)
-{
- unsigned int countersize;
- struct xt_counters *counters;
- const struct xt_table_info *private = table->private;
-
- /* We need atomic snapshot of counters: rest doesn't change
- * (other than comefrom, which userspace doesn't care
- * about).
- */
- countersize = sizeof(struct xt_counters) * private->number;
- counters = vmalloc_node(countersize, numa_node_id());
-
- if (counters == NULL)
- return ERR_PTR(-ENOMEM);
-
- get_counters(private, counters);
-
- return counters;
-}
-
-static int copy_entries_to_user(unsigned int total_size,
- const struct xt_table *table,
- void __user *userptr)
-{
- unsigned int off, num;
- const struct arpt_entry *e;
- struct xt_counters *counters;
- struct xt_table_info *private = table->private;
- int ret = 0;
- void *loc_cpu_entry;
-
- counters = alloc_counters(table);
- if (IS_ERR(counters))
- return PTR_ERR(counters);
-
- loc_cpu_entry = private->entries[raw_smp_processor_id()];
- /* ... then copy entire thing ... */
- if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
- ret = -EFAULT;
- goto free_counters;
- }
-
- /* FIXME: use iterator macros --RR */
- /* ... then go back and fix counters and names */
- for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
- const struct arpt_entry_target *t;
-
- e = (struct arpt_entry *)(loc_cpu_entry + off);
- if (copy_to_user(userptr + off
- + offsetof(struct arpt_entry, counters),
- &counters[num],
- sizeof(counters[num])) != 0) {
- ret = -EFAULT;
- goto free_counters;
- }
-
- t = arpt_get_target_c(e);
- if (copy_to_user(userptr + off + e->target_offset
- + offsetof(struct arpt_entry_target,
- u.user.name),
- t->u.kernel.target->name,
- strlen(t->u.kernel.target->name)+1) != 0) {
- ret = -EFAULT;
- goto free_counters;
- }
- }
-
- free_counters:
- vfree(counters);
- return ret;
-}
-
-#ifdef CONFIG_COMPAT
-static int compat_calc_entry(const struct arpt_entry *e,
- const struct xt_table_info *info,
- const void *base, struct xt_table_info *newinfo)
-{
- const struct arpt_entry_target *t;
- unsigned int entry_offset;
- int off, i, ret;
-
- off = sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry);
- entry_offset = (void *)e - base;
-
- t = arpt_get_target_c(e);
- off += xt_compat_target_offset(t->u.kernel.target);
- newinfo->size -= off;
- ret = xt_compat_add_offset(NFPROTO_ARP, entry_offset, off);
- if (ret)
- return ret;
-
- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
- if (info->hook_entry[i] &&
- (e < (struct arpt_entry *)(base + info->hook_entry[i])))
- newinfo->hook_entry[i] -= off;
- if (info->underflow[i] &&
- (e < (struct arpt_entry *)(base + info->underflow[i])))
- newinfo->underflow[i] -= off;
- }
- return 0;
-}
-
-static int compat_table_info(const struct xt_table_info *info,
- struct xt_table_info *newinfo)
-{
- struct arpt_entry *iter;
- void *loc_cpu_entry;
- int ret;
-
- if (!newinfo || !info)
- return -EINVAL;
-
- /* we dont care about newinfo->entries[] */
- memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
- newinfo->initial_entries = 0;
- loc_cpu_entry = info->entries[raw_smp_processor_id()];
- xt_entry_foreach(iter, loc_cpu_entry, info->size) {
- ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
- if (ret != 0)
- return ret;
- }
- return 0;
-}
-#endif
-
static const struct xt1_xlat_info arpt_compat_xlat_info = {
#ifdef CONFIG_COMPAT
.marker_size = XT_ALIGN(sizeof(struct arpt_error_target)),
@@ -1050,129 +884,6 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
return ret;
}
-static int __do_replace(struct net *net, const char *name,
- unsigned int valid_hooks,
- struct xt_table_info *newinfo,
- unsigned int num_counters,
- void __user *counters_ptr)
-{
- int ret;
- struct xt_table *t;
- struct xt_table_info *oldinfo;
- struct xt_counters *counters;
- void *loc_cpu_old_entry;
- struct arpt_entry *iter;
-
- ret = 0;
- counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
- numa_node_id());
- if (!counters) {
- ret = -ENOMEM;
- goto out;
- }
-
- t = try_then_request_module(xt_find_table_lock(net, NFPROTO_ARP, name),
- "arptable_%s", name);
- if (!t || IS_ERR(t)) {
- ret = t ? PTR_ERR(t) : -ENOENT;
- goto free_newinfo_counters_untrans;
- }
-
- /* You lied! */
- if (valid_hooks != t->valid_hooks) {
- duprintf("Valid hook crap: %08X vs %08X\n",
- valid_hooks, t->valid_hooks);
- ret = -EINVAL;
- goto put_module;
- }
-
- oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
- if (!oldinfo)
- goto put_module;
-
- /* Update module usage count based on number of rules */
- duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
- oldinfo->number, oldinfo->initial_entries, newinfo->number);
- if ((oldinfo->number > oldinfo->initial_entries) ||
- (newinfo->number <= oldinfo->initial_entries))
- module_put(t->me);
- if ((oldinfo->number > oldinfo->initial_entries) &&
- (newinfo->number <= oldinfo->initial_entries))
- module_put(t->me);
-
- /* Get the old counters, and synchronize with replace */
- get_counters(oldinfo, counters);
-
- /* Decrease module usage counts and free resource */
- loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
- xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
- cleanup_entry(iter);
-
- xt_free_table_info(oldinfo);
- if (copy_to_user(counters_ptr, counters,
- sizeof(struct xt_counters) * num_counters) != 0)
- ret = -EFAULT;
- vfree(counters);
- xt_table_unlock(t);
- return ret;
-
- put_module:
- module_put(t->me);
- xt_table_unlock(t);
- free_newinfo_counters_untrans:
- vfree(counters);
- out:
- return ret;
-}
-
-static int do_replace(struct net *net, const void __user *user,
- unsigned int len)
-{
- int ret;
- struct arpt_replace tmp;
- struct xt_table_info *newinfo;
- void *loc_cpu_entry;
- struct arpt_entry *iter;
-
- if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
- return -EFAULT;
-
- /* overflow check */
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-
- newinfo = xt_alloc_table_info(tmp.size);
- if (!newinfo)
- return -ENOMEM;
-
- /* choose the copy that is on our node/cpu */
- loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
- if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
- tmp.size) != 0) {
- ret = -EFAULT;
- goto free_newinfo;
- }
-
- ret = translate_table(newinfo, loc_cpu_entry, &tmp);
- if (ret != 0)
- goto free_newinfo;
-
- duprintf("arp_tables: Translated table\n");
-
- ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
- tmp.num_counters, tmp.counters);
- if (ret)
- goto free_newinfo_untrans;
- return 0;
-
- free_newinfo_untrans:
- xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- cleanup_entry(iter);
- free_newinfo:
- xt_free_table_info(newinfo);
- return ret;
-}
-
static int do_add_counters(struct net *net, const void __user *user,
unsigned int len, int compat)
{
@@ -1222,330 +933,6 @@ static int do_add_counters(struct net *net, const void __user *user,
}
#ifdef CONFIG_COMPAT
-static inline void compat_release_entry(struct compat_arpt_entry *e)
-{
- struct arpt_entry_target *t;
-
- t = compat_arpt_get_target(e);
- module_put(t->u.kernel.target->me);
-}
-
-static inline int
-check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
- struct xt_table_info *newinfo,
- unsigned int *size,
- const unsigned char *base,
- const unsigned char *limit,
- const unsigned int *hook_entries,
- const unsigned int *underflows,
- const char *name)
-{
- struct arpt_entry_target *t;
- struct xt_target *target;
- unsigned int entry_offset;
- int ret, off, h;
- struct xt_mtchk_param mtpar;
-
- duprintf("check_compat_entry_size_and_hooks %p\n", e);
- if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0
- || (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
- duprintf("Bad offset %p, limit = %p\n", e, limit);
- return -EINVAL;
- }
-
- if (e->next_offset < sizeof(struct compat_arpt_entry) +
- sizeof(struct compat_xt_entry_target)) {
- duprintf("checking: element %p size %u\n",
- e, e->next_offset);
- return -EINVAL;
- }
-
- /* For purposes of check_entry casting the compat entry is fine */
- mtpar.table = name;
- mtpar.entryinfo = &e->arp;
- mtpar.hook_mask = e->comefrom;
- mtpar.family = NFPROTO_ARP;
- mtpar.match = &arpt_builtin_mt;
- mtpar.matchinfo = &e->arp;
- ret = check_entry((struct arpt_entry *)e, &mtpar);
- if (ret)
- return ret;
-
- off = sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry);
- entry_offset = (void *)e - (void *)base;
-
- t = compat_arpt_get_target(e);
- target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
- t->u.user.revision);
- if (IS_ERR(target)) {
- duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
- t->u.user.name);
- ret = PTR_ERR(target);
- goto out;
- }
- t->u.kernel.target = target;
-
- off += xt_compat_target_offset(target);
- *size += off;
- ret = xt_compat_add_offset(NFPROTO_ARP, entry_offset, off);
- if (ret)
- goto release_target;
-
- /* Check hooks & underflows */
- for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
- if ((unsigned char *)e - base == hook_entries[h])
- newinfo->hook_entry[h] = hook_entries[h];
- if ((unsigned char *)e - base == underflows[h])
- newinfo->underflow[h] = underflows[h];
- }
-
- /* Clear counters and comefrom */
- memset(&e->counters, 0, sizeof(e->counters));
- e->comefrom = 0;
- return 0;
-
-release_target:
- module_put(t->u.kernel.target->me);
-out:
- return ret;
-}
-
-static int
-compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
- unsigned int *size, const char *name,
- struct xt_table_info *newinfo, unsigned char *base)
-{
- struct arpt_entry_target *t;
- struct xt_target *target;
- struct arpt_entry *de;
- unsigned int origsize;
- int ret, h;
-
- ret = 0;
- origsize = *size;
- de = (struct arpt_entry *)*dstptr;
- memcpy(de, e, sizeof(struct arpt_entry));
- memcpy(&de->counters, &e->counters, sizeof(e->counters));
-
- *dstptr += sizeof(struct arpt_entry);
- *size += sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry);
-
- de->target_offset = e->target_offset - (origsize - *size);
- t = compat_arpt_get_target(e);
- target = t->u.kernel.target;
- xt_compat_target_from_user(t, dstptr, size);
-
- de->next_offset = e->next_offset - (origsize - *size);
- for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
- if ((unsigned char *)de - base < newinfo->hook_entry[h])
- newinfo->hook_entry[h] -= origsize - *size;
- if ((unsigned char *)de - base < newinfo->underflow[h])
- newinfo->underflow[h] -= origsize - *size;
- }
- return ret;
-}
-
-static int translate_compat_table(const char *name,
- unsigned int valid_hooks,
- struct xt_table_info **pinfo,
- void **pentry0,
- unsigned int total_size,
- unsigned int number,
- unsigned int *hook_entries,
- unsigned int *underflows)
-{
- unsigned int i, j;
- struct xt_table_info *newinfo, *info;
- void *pos, *entry0, *entry1;
- struct compat_arpt_entry *iter0;
- struct arpt_entry *iter1;
- unsigned int size;
- int ret = 0;
-
- info = *pinfo;
- entry0 = *pentry0;
- size = total_size;
- info->number = number;
-
- /* Init all hooks to impossible value. */
- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
- info->hook_entry[i] = 0xFFFFFFFF;
- info->underflow[i] = 0xFFFFFFFF;
- }
-
- duprintf("translate_compat_table: size %u\n", info->size);
- j = 0;
- xt_compat_lock(NFPROTO_ARP);
- /* Walk through entries, checking offsets. */
- xt_entry_foreach(iter0, entry0, total_size) {
- ret = check_compat_entry_size_and_hooks(iter0, info, &size,
- entry0, entry0 + total_size, hook_entries, underflows,
- name);
- if (ret != 0)
- goto out_unlock;
- ++j;
- }
-
- ret = -EINVAL;
- if (j != number) {
- duprintf("translate_compat_table: %u not %u entries\n",
- j, number);
- goto out_unlock;
- }
-
- /* Check hooks all assigned */
- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
- /* Only hooks which are valid */
- if (!(valid_hooks & (1 << i)))
- continue;
- if (info->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
- i, hook_entries[i]);
- goto out_unlock;
- }
- if (info->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
- i, underflows[i]);
- goto out_unlock;
- }
- }
-
- ret = -ENOMEM;
- newinfo = xt_alloc_table_info(size);
- if (!newinfo)
- goto out_unlock;
-
- newinfo->number = number;
- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
- newinfo->hook_entry[i] = info->hook_entry[i];
- newinfo->underflow[i] = info->underflow[i];
- }
- entry1 = newinfo->entries[raw_smp_processor_id()];
- pos = entry1;
- size = total_size;
- xt_entry_foreach(iter0, entry0, total_size) {
- ret = compat_copy_entry_from_user(iter0, &pos,
- &size, name, newinfo, entry1);
- if (ret != 0)
- break;
- }
- xt_compat_flush_offsets(NFPROTO_ARP);
- xt_compat_unlock(NFPROTO_ARP);
- if (ret)
- goto free_newinfo;
-
- ret = -ELOOP;
- if (!mark_source_chains(newinfo, valid_hooks, entry1))
- goto free_newinfo;
-
- i = 0;
- xt_entry_foreach(iter1, entry1, newinfo->size) {
- ret = check_target(iter1, name);
- if (ret != 0)
- break;
- ++i;
- }
- if (ret) {
- /*
- * The first i matches need cleanup_entry (calls ->destroy)
- * because they had called ->check already. The other j-i
- * entries need only release.
- */
- int skip = i;
- j -= i;
- xt_entry_foreach(iter0, entry0, newinfo->size) {
- if (skip-- > 0)
- continue;
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
- }
- xt_entry_foreach(iter1, entry1, newinfo->size) {
- if (i-- == 0)
- break;
- cleanup_entry(iter1);
- }
- xt_free_table_info(newinfo);
- return ret;
- }
-
- /* And one copy for every other CPU */
- for_each_possible_cpu(i)
- if (newinfo->entries[i] && newinfo->entries[i] != entry1)
- memcpy(newinfo->entries[i], entry1, newinfo->size);
-
- *pinfo = newinfo;
- *pentry0 = entry1;
- xt_free_table_info(info);
- return 0;
-
-free_newinfo:
- xt_free_table_info(newinfo);
-out:
- xt_entry_foreach(iter0, entry0, total_size) {
- if (j-- == 0)
- break;
- compat_release_entry(iter0);
- }
- return ret;
-out_unlock:
- xt_compat_flush_offsets(NFPROTO_ARP);
- xt_compat_unlock(NFPROTO_ARP);
- goto out;
-}
-
-static int compat_do_replace(struct net *net, void __user *user,
- unsigned int len)
-{
- int ret;
- struct compat_arpt_replace tmp;
- struct xt_table_info *newinfo;
- void *loc_cpu_entry;
- struct arpt_entry *iter;
-
- if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
- return -EFAULT;
-
- /* overflow check */
- if (tmp.size >= INT_MAX / num_possible_cpus())
- return -ENOMEM;
- if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
- return -ENOMEM;
-
- newinfo = xt_alloc_table_info(tmp.size);
- if (!newinfo)
- return -ENOMEM;
-
- /* choose the copy that is on our node/cpu */
- loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
- if (copy_from_user(loc_cpu_entry, user + sizeof(tmp), tmp.size) != 0) {
- ret = -EFAULT;
- goto free_newinfo;
- }
-
- ret = translate_compat_table(tmp.name, tmp.valid_hooks,
- &newinfo, &loc_cpu_entry, tmp.size,
- tmp.num_entries, tmp.hook_entry,
- tmp.underflow);
- if (ret != 0)
- goto free_newinfo;
-
- duprintf("compat_do_replace: Translated table\n");
-
- ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
- tmp.num_counters, compat_ptr(tmp.counters));
- if (ret)
- goto free_newinfo_untrans;
- return 0;
-
- free_newinfo_untrans:
- xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- cleanup_entry(iter);
- free_newinfo:
- xt_free_table_info(newinfo);
- return ret;
-}
-
static int compat_do_arpt_set_ctl(struct sock *sk, int cmd, void __user *user,
unsigned int len)
{
@@ -1571,71 +958,6 @@ static int compat_do_arpt_set_ctl(struct sock *sk, int cmd, void __user *user,
return ret;
}
-static int compat_copy_entry_to_user(struct arpt_entry *e, void __user **dstptr,
- compat_uint_t *size,
- struct xt_counters *counters,
- unsigned int i)
-{
- struct arpt_entry_target *t;
- struct compat_arpt_entry __user *ce;
- u_int16_t target_offset, next_offset;
- compat_uint_t origsize;
- int ret;
-
- origsize = *size;
- ce = (struct compat_arpt_entry __user *)*dstptr;
- if (copy_to_user(ce, e, sizeof(struct arpt_entry)) != 0 ||
- copy_to_user(&ce->counters, &counters[i],
- sizeof(counters[i])) != 0)
- return -EFAULT;
-
- *dstptr += sizeof(struct compat_arpt_entry);
- *size -= sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry);
-
- target_offset = e->target_offset - (origsize - *size);
-
- t = arpt_get_target(e);
- ret = xt_compat_target_to_user(t, dstptr, size);
- if (ret)
- return ret;
- next_offset = e->next_offset - (origsize - *size);
- if (put_user(target_offset, &ce->target_offset) != 0 ||
- put_user(next_offset, &ce->next_offset) != 0)
- return -EFAULT;
- return 0;
-}
-
-static int compat_copy_entries_to_user(unsigned int total_size,
- struct xt_table *table,
- void __user *userptr)
-{
- struct xt_counters *counters;
- const struct xt_table_info *private = table->private;
- void __user *pos;
- unsigned int size;
- int ret = 0;
- void *loc_cpu_entry;
- unsigned int i = 0;
- struct arpt_entry *iter;
-
- counters = alloc_counters(table);
- if (IS_ERR(counters))
- return PTR_ERR(counters);
-
- /* choose the copy on our node/cpu */
- loc_cpu_entry = private->entries[raw_smp_processor_id()];
- pos = userptr;
- size = total_size;
- xt_entry_foreach(iter, loc_cpu_entry, total_size) {
- ret = compat_copy_entry_to_user(iter, &pos,
- &size, counters, i++);
- if (ret != 0)
- break;
- }
- vfree(counters);
- return ret;
-}
-
struct compat_arpt_get_entries {
char name[ARPT_TABLE_MAXNAMELEN];
compat_uint_t size;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 099/103] netfilter: arptables: remove xt1/arp registration functions
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (97 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 098/103] netfilter: arptables: remove unused functions Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 100/103] netfilter: arptables: remove remaining xt1 code Jan Engelhardt
` (5 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter_arp/arp_tables.h | 4 -
net/ipv4/netfilter/arp_tables.c | 425 ------------------------------
2 files changed, 0 insertions(+), 429 deletions(-)
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 8140700..b480fa6 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -266,10 +266,6 @@ struct arpt_error
.target.errorname = "ERROR", \
}
-extern struct xt_table *arpt_register_table(struct net *net,
- const struct xt_table *table,
- const struct arpt_replace *repl);
-extern void arpt_unregister_table(struct xt_table *table);
extern unsigned int arpt_do_table(struct sk_buff *skb,
unsigned int hook,
const struct net_device *in,
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index d134f71..b82a831 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -422,373 +422,6 @@ unsigned int arpt_do_table(struct sk_buff *skb,
return verdict;
}
-/* All zeroes == unconditional rule. */
-static inline bool unconditional(const struct arpt_arp *arp)
-{
- static const struct arpt_arp uncond;
-
- return memcmp(arp, &uncond, sizeof(uncond)) == 0;
-}
-
-/* Figures out from what hook each rule can be called: returns 0 if
- * there are loops. Puts hook bitmask in comefrom.
- */
-static int mark_source_chains(const struct xt_table_info *newinfo,
- unsigned int valid_hooks, void *entry0)
-{
- unsigned int hook;
-
- /* No recursion; use packet counter to save back ptrs (reset
- * to 0 as we leave), and comefrom to save source hook bitmask.
- */
- for (hook = 0; hook < NF_ARP_NUMHOOKS; hook++) {
- unsigned int pos = newinfo->hook_entry[hook];
- struct arpt_entry *e
- = (struct arpt_entry *)(entry0 + pos);
-
- if (!(valid_hooks & (1 << hook)))
- continue;
-
- /* Set initial back pointer. */
- e->counters.pcnt = pos;
-
- for (;;) {
- const struct arpt_standard_target *t
- = (void *)arpt_get_target_c(e);
- int visited = e->comefrom & (1 << hook);
-
- if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) {
- printk("arptables: loop hook %u pos %u %08X.\n",
- hook, pos, e->comefrom);
- return 0;
- }
- e->comefrom
- |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS));
-
- /* Unconditional return/END. */
- if ((e->target_offset == sizeof(struct arpt_entry)
- && (strcmp(t->target.u.user.name,
- ARPT_STANDARD_TARGET) == 0)
- && t->verdict < 0
- && unconditional(&e->arp)) || visited) {
- unsigned int oldpos, size;
-
- if ((strcmp(t->target.u.user.name,
- ARPT_STANDARD_TARGET) == 0) &&
- t->verdict < -NF_MAX_VERDICT - 1) {
- duprintf("mark_source_chains: bad "
- "negative verdict (%i)\n",
- t->verdict);
- return 0;
- }
-
- /* Return: backtrack through the last
- * big jump.
- */
- do {
- e->comefrom ^= (1<<NF_ARP_NUMHOOKS);
- oldpos = pos;
- pos = e->counters.pcnt;
- e->counters.pcnt = 0;
-
- /* We're at the start. */
- if (pos == oldpos)
- goto next;
-
- e = (struct arpt_entry *)
- (entry0 + pos);
- } while (oldpos == pos + e->next_offset);
-
- /* Move along one */
- size = e->next_offset;
- e = (struct arpt_entry *)
- (entry0 + pos + size);
- e->counters.pcnt = pos;
- pos += size;
- } else {
- int newpos = t->verdict;
-
- if (strcmp(t->target.u.user.name,
- ARPT_STANDARD_TARGET) == 0
- && newpos >= 0) {
- if (newpos > newinfo->size -
- sizeof(struct arpt_entry)) {
- duprintf("mark_source_chains: "
- "bad verdict (%i)\n",
- newpos);
- return 0;
- }
-
- /* This a jump; chase it. */
- duprintf("Jump rule %u -> %u\n",
- pos, newpos);
- } else {
- /* ... this is a fallthru */
- newpos = pos + e->next_offset;
- }
- e = (struct arpt_entry *)
- (entry0 + newpos);
- e->counters.pcnt = pos;
- pos = newpos;
- }
- }
- next:
- duprintf("Finished chain %u\n", hook);
- }
- return 1;
-}
-
-static inline int
-check_entry(struct arpt_entry *e, struct xt_mtchk_param *par)
-{
- const struct arpt_entry_target *t;
-
- par->match = &arpt_builtin_mt;
- par->matchinfo = &e->arp;
- if (!arp_checkentry(par)) {
- duprintf("arp_tables: arp check failed %p %s.\n", e, name);
- return -EINVAL;
- }
-
- if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset)
- return -EINVAL;
-
- t = arpt_get_target_c(e);
- if (e->target_offset + t->u.target_size > e->next_offset)
- return -EINVAL;
-
- return 0;
-}
-
-static inline int check_target(struct arpt_entry *e, const char *name)
-{
- struct arpt_entry_target *t = arpt_get_target(e);
- int ret;
- struct xt_tgchk_param par = {
- .table = name,
- .entryinfo = e,
- .nfproto_info = &e->arp,
- .target = t->u.kernel.target,
- .targinfo = t->data,
- .hook_mask = e->comefrom,
- .family = NFPROTO_ARP,
- };
-
- ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
- 0, false, true);
- if (ret < 0) {
- duprintf("arp_tables: check failed for `%s'.\n",
- t->u.kernel.target->name);
- return ret;
- }
- return 0;
-}
-
-static inline int
-find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
-{
- struct arpt_entry_target *t;
- struct xt_target *target;
- struct xt_mtchk_param mtpar;
- int ret;
-
- mtpar.table = name;
- mtpar.entryinfo = &e->arp;
- mtpar.hook_mask = e->comefrom;
- mtpar.family = NFPROTO_ARP;
- ret = check_entry(e, &mtpar);
- if (ret)
- return ret;
-
- t = arpt_get_target(e);
- target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
- t->u.user.revision);
- if (IS_ERR(target)) {
- duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
- ret = PTR_ERR(target);
- goto out;
- }
- t->u.kernel.target = target;
-
- ret = check_target(e, name);
- if (ret)
- goto err;
-
- return 0;
-err:
- module_put(t->u.kernel.target->me);
-out:
- return ret;
-}
-
-static bool check_underflow(const struct arpt_entry *e)
-{
- const struct arpt_entry_target *t;
- unsigned int verdict;
-
- if (!unconditional(&e->arp))
- return false;
- t = arpt_get_target_c(e);
- if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
- return false;
- verdict = ((struct arpt_standard_target *)t)->verdict;
- verdict = -verdict - 1;
- return verdict == NF_DROP || verdict == NF_ACCEPT;
-}
-
-static inline int check_entry_size_and_hooks(struct arpt_entry *e,
- struct xt_table_info *newinfo,
- const unsigned char *base,
- const unsigned char *limit,
- const unsigned int *hook_entries,
- const unsigned int *underflows,
- unsigned int valid_hooks)
-{
- unsigned int h;
-
- if ((unsigned long)e % __alignof__(struct arpt_entry) != 0
- || (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
- duprintf("Bad offset %p\n", e);
- return -EINVAL;
- }
-
- if (e->next_offset
- < sizeof(struct arpt_entry) + sizeof(struct arpt_entry_target)) {
- duprintf("checking: element %p size %u\n",
- e, e->next_offset);
- return -EINVAL;
- }
-
- /* Check hooks & underflows */
- for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
- if (!(valid_hooks & (1 << h)))
- continue;
- if ((unsigned char *)e - base == hook_entries[h])
- newinfo->hook_entry[h] = hook_entries[h];
- if ((unsigned char *)e - base == underflows[h]) {
- if (!check_underflow(e)) {
- pr_err("Underflows must be unconditional and "
- "use the STANDARD target with "
- "ACCEPT/DROP\n");
- return -EINVAL;
- }
- newinfo->underflow[h] = underflows[h];
- }
- }
-
- /* Clear counters and comefrom */
- e->counters = ((struct xt_counters) { 0, 0 });
- e->comefrom = 0;
- return 0;
-}
-
-static inline void cleanup_entry(struct arpt_entry *e)
-{
- struct xt_tgdtor_param par;
- struct arpt_entry_target *t;
-
- t = arpt_get_target(e);
- par.target = t->u.kernel.target;
- par.targinfo = t->data;
- par.family = NFPROTO_ARP;
- if (par.target->destroy != NULL)
- par.target->destroy(&par);
- module_put(par.target->me);
-}
-
-/* Checks and translates the user-supplied table segment (held in
- * newinfo).
- */
-static int translate_table(struct xt_table_info *newinfo, void *entry0,
- const struct arpt_replace *repl)
-{
- struct arpt_entry *iter;
- unsigned int i;
- int ret = 0;
-
- newinfo->size = repl->size;
- newinfo->number = repl->num_entries;
-
- /* Init all hooks to impossible value. */
- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
- newinfo->hook_entry[i] = 0xFFFFFFFF;
- newinfo->underflow[i] = 0xFFFFFFFF;
- }
-
- duprintf("translate_table: size %u\n", newinfo->size);
- i = 0;
-
- /* Walk through entries, checking offsets. */
- xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = check_entry_size_and_hooks(iter, newinfo, entry0,
- entry0 + repl->size, repl->hook_entry, repl->underflow,
- repl->valid_hooks);
- if (ret != 0)
- break;
- ++i;
- if (strcmp(arpt_get_target(iter)->u.user.name,
- XT_ERROR_TARGET) == 0)
- ++newinfo->stacksize;
- }
- duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
- if (ret != 0)
- return ret;
-
- if (i != repl->num_entries) {
- duprintf("translate_table: %u not %u entries\n",
- i, repl->num_entries);
- return -EINVAL;
- }
-
- /* Check hooks all assigned */
- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
- /* Only hooks which are valid */
- if (!(repl->valid_hooks & (1 << i)))
- continue;
- if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
- duprintf("Invalid hook entry %u %u\n",
- i, repl->hook_entry[i]);
- return -EINVAL;
- }
- if (newinfo->underflow[i] == 0xFFFFFFFF) {
- duprintf("Invalid underflow %u %u\n",
- i, repl->underflow[i]);
- return -EINVAL;
- }
- }
-
- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) {
- duprintf("Looping hook\n");
- return -ELOOP;
- }
-
- /* Finally, each sanity check must pass */
- i = 0;
- xt_entry_foreach(iter, entry0, newinfo->size) {
- ret = find_check_entry(iter, repl->name, repl->size);
- if (ret != 0)
- break;
- ++i;
- }
-
- if (ret != 0) {
- xt_entry_foreach(iter, entry0, newinfo->size) {
- if (i-- == 0)
- break;
- cleanup_entry(iter);
- }
- return ret;
- }
-
- /* And one copy for every other CPU */
- for_each_possible_cpu(i) {
- if (newinfo->entries[i] && newinfo->entries[i] != entry0)
- memcpy(newinfo->entries[i], entry0, newinfo->size);
- }
-
- return ret;
-}
-
static const struct xt1_xlat_info arpt_compat_xlat_info = {
#ifdef CONFIG_COMPAT
.marker_size = XT_ALIGN(sizeof(struct arpt_error_target)),
@@ -1083,62 +716,6 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
return ret;
}
-struct xt_table *arpt_register_table(struct net *net,
- const struct xt_table *table,
- const struct arpt_replace *repl)
-{
- int ret;
- struct xt_table_info *newinfo;
- struct xt_table_info bootstrap = {};
- void *loc_cpu_entry;
- struct xt_table *new_table;
-
- newinfo = xt_alloc_table_info(repl->size);
- if (!newinfo) {
- ret = -ENOMEM;
- goto out;
- }
-
- /* choose the copy on our node/cpu */
- loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
- memcpy(loc_cpu_entry, repl->entries, repl->size);
-
- ret = translate_table(newinfo, loc_cpu_entry, repl);
- duprintf("arpt_register_table: translate table gives %d\n", ret);
- if (ret != 0)
- goto out_free;
-
- new_table = xt_register_table(net, table, &bootstrap, newinfo);
- if (IS_ERR(new_table)) {
- ret = PTR_ERR(new_table);
- goto out_free;
- }
- return new_table;
-
-out_free:
- xt_free_table_info(newinfo);
-out:
- return ERR_PTR(ret);
-}
-
-void arpt_unregister_table(struct xt_table *table)
-{
- struct xt_table_info *private;
- void *loc_cpu_entry;
- struct module *table_owner = table->me;
- struct arpt_entry *iter;
-
- private = xt_unregister_table(table);
-
- /* Decrease module usage counts and free resources */
- loc_cpu_entry = private->entries[raw_smp_processor_id()];
- xt_entry_foreach(iter, loc_cpu_entry, private->size)
- cleanup_entry(iter);
- if (private->number > private->initial_entries)
- module_put(table_owner);
- xt_free_table_info(private);
-}
-
static struct nf_sockopt_ops arpt_sockopts = {
.pf = PF_INET,
.set_optmin = ARPT_BASE_CTL,
@@ -1213,8 +790,6 @@ static void __exit arp_tables_fini(void)
unregister_pernet_subsys(&arp_tables_net_ops);
}
-EXPORT_SYMBOL(arpt_register_table);
-EXPORT_SYMBOL(arpt_unregister_table);
EXPORT_SYMBOL(arpt_do_table);
module_init(arp_tables_init);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 100/103] netfilter: arptables: remove remaining xt1 code
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (98 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 099/103] netfilter: arptables: remove xt1/arp registration functions Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 101/103] netfilter: xtables1: remove xt1 table handling Jan Engelhardt
` (4 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter_arp/arp_tables.h | 16 ---
net/ipv4/netfilter/arp_tables.c | 191 ------------------------------
2 files changed, 0 insertions(+), 207 deletions(-)
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index b480fa6..6d896ff 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -266,17 +266,9 @@ struct arpt_error
.target.errorname = "ERROR", \
}
-extern unsigned int arpt_do_table(struct sk_buff *skb,
- unsigned int hook,
- const struct net_device *in,
- const struct net_device *out,
- struct xt_table *table);
-
extern struct xt2_table *arpt2_register_table(struct net *,
const struct xt_table *, const struct arpt_replace *);
-#define ARPT_ALIGN(s) XT_ALIGN(s)
-
#ifdef CONFIG_COMPAT
#include <net/compat.h>
@@ -302,14 +294,6 @@ struct compat_arpt_replace {
struct compat_arpt_entry entries[0];
};
-static inline struct arpt_entry_target *
-compat_arpt_get_target(struct compat_arpt_entry *e)
-{
- return (void *)e + e->target_offset;
-}
-
-#define COMPAT_ARPT_ALIGN(s) COMPAT_XT_ALIGN(s)
-
#endif /* CONFIG_COMPAT */
#endif /*__KERNEL__*/
#endif /* _ARPTABLES_H */
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index b82a831..200dcb6 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -47,17 +47,6 @@ MODULE_DESCRIPTION("arptables core");
#define duprintf(format, args...)
#endif
-#ifdef CONFIG_NETFILTER_DEBUG
-#define ARP_NF_ASSERT(x) \
-do { \
- if (!(x)) \
- printk("ARP_NF_ASSERT: %s:%s:%u\n", \
- __func__, __FILE__, __LINE__); \
-} while(0)
-#else
-#define ARP_NF_ASSERT(x)
-#endif
-
#define xtsub_entry arpt_entry
#define xtsub_entry_nocompat arpt_entry
#define xtsub_replace arpt_replace
@@ -241,55 +230,6 @@ static bool arp_checkentry(const struct xt_mtchk_param *par)
return true;
}
-#ifdef CONFIG_COMPAT
-static void compat_standard_from_user(void *dst, const void *src)
-{
- int v = *(compat_int_t *)src;
-
- if (v > 0)
- v += xt_compat_calc_jump(NFPROTO_ARP, v);
- memcpy(dst, &v, sizeof(v));
-}
-
-static int compat_standard_to_user(void __user *dst, const void *src)
-{
- compat_int_t cv = *(int *)src;
-
- if (cv > 0)
- cv -= xt_compat_calc_jump(NFPROTO_ARP, cv);
- return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
-}
-#endif
-
-static unsigned int
-arpt_error(struct sk_buff *skb, const struct xt_action_param *par)
-{
- if (net_ratelimit())
- printk("arp_tables: error: '%s'\n",
- (const char *)par->targinfo);
-
- return NF_DROP;
-}
-
-static struct xt_target arpt_builtin_tg[] __read_mostly = {
- {
- .name = ARPT_STANDARD_TARGET,
- .targetsize = sizeof(int),
- .family = NFPROTO_ARP,
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(compat_int_t),
- .compat_from_user = compat_standard_from_user,
- .compat_to_user = compat_standard_to_user,
-#endif
- },
- {
- .name = ARPT_ERROR_TARGET,
- .target = arpt_error,
- .targetsize = ARPT_FUNCTION_MAXNAMELEN,
- .family = NFPROTO_ARP,
- },
-};
-
static struct xt_match arpt_builtin_mt __read_mostly = {
.name = "arp",
.revision = 0,
@@ -299,129 +239,6 @@ static struct xt_match arpt_builtin_mt __read_mostly = {
.checkentry = arp_checkentry,
};
-static inline const struct arpt_entry_target *
-arpt_get_target_c(const struct arpt_entry *e)
-{
- return arpt_get_target((struct arpt_entry *)e);
-}
-
-static inline struct arpt_entry *
-get_entry(const void *base, unsigned int offset)
-{
- return (struct arpt_entry *)(base + offset);
-}
-
-static inline __pure
-struct arpt_entry *arpt_next_entry(const struct arpt_entry *entry)
-{
- return (void *)entry + entry->next_offset;
-}
-
-unsigned int arpt_do_table(struct sk_buff *skb,
- unsigned int hook,
- const struct net_device *in,
- const struct net_device *out,
- struct xt_table *table)
-{
- unsigned int verdict = NF_DROP;
- const struct arphdr *arp;
- struct arpt_entry *e, *back;
- void *table_base;
- const struct xt_table_info *private;
- struct xt_action_param acpar;
-
- if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
- return NF_DROP;
-
- xt_info_rdlock_bh();
- private = table->private;
- table_base = private->entries[smp_processor_id()];
-
- e = get_entry(table_base, private->hook_entry[hook]);
- back = get_entry(table_base, private->underflow[hook]);
-
- acpar.in = in;
- acpar.out = out;
- acpar.hooknum = hook;
- acpar.family = NFPROTO_ARP;
- acpar.hotdrop = false;
-
- /*
- * For arptables, do these two outside the loop because arp_tables
- * does not support other matches anyway.
- */
- acpar.match = &arpt_builtin_mt;
- acpar.matchinfo = &e->arp;
-
- arp = arp_hdr(skb);
- do {
- const struct arpt_entry_target *t;
- int hdr_len;
-
- if (!arp_packet_match(skb, &acpar)) {
- e = arpt_next_entry(e);
- continue;
- }
-
- hdr_len = sizeof(*arp) + (2 * sizeof(struct in_addr)) +
- (2 * skb->dev->addr_len);
- ADD_COUNTER(e->counters, hdr_len, 1);
-
- t = arpt_get_target_c(e);
-
- /* Standard target? */
- if (!t->u.kernel.target->target) {
- int v;
-
- v = ((struct arpt_standard_target *)t)->verdict;
- if (v < 0) {
- /* Pop from stack? */
- if (v != ARPT_RETURN) {
- verdict = (unsigned)(-v) - 1;
- break;
- }
- e = back;
- back = get_entry(table_base, back->comefrom);
- continue;
- }
- if (table_base + v
- != arpt_next_entry(e)) {
- /* Save old back ptr in next entry */
- struct arpt_entry *next = arpt_next_entry(e);
- next->comefrom = (void *)back - table_base;
-
- /* set back pointer to next entry */
- back = next;
- }
-
- e = get_entry(table_base, v);
- continue;
- }
-
- /* Targets which reenter must return
- * abs. verdicts
- */
- acpar.target = t->u.kernel.target;
- acpar.targinfo = t->data;
- verdict = t->u.kernel.target->target(skb, &acpar);
-
- /* Target might have changed stuff. */
- arp = arp_hdr(skb);
-
- if (verdict == ARPT_CONTINUE)
- e = arpt_next_entry(e);
- else
- /* Verdict */
- break;
- } while (!acpar.hotdrop);
- xt_info_rdunlock_bh();
-
- if (acpar.hotdrop)
- return NF_DROP;
- else
- return verdict;
-}
-
static const struct xt1_xlat_info arpt_compat_xlat_info = {
#ifdef CONFIG_COMPAT
.marker_size = XT_ALIGN(sizeof(struct arpt_error_target)),
@@ -757,9 +574,6 @@ static int __init arp_tables_init(void)
goto err1;
/* Noone else will be downing sem now, so we won't sleep */
- ret = xt_register_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
- if (ret < 0)
- goto err2;
ret = xt_register_match(&arpt_builtin_mt);
if (ret < 0)
goto err3;
@@ -775,8 +589,6 @@ static int __init arp_tables_init(void)
err4:
xt_unregister_match(&arpt_builtin_mt);
err3:
- xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
-err2:
unregister_pernet_subsys(&arp_tables_net_ops);
err1:
return ret;
@@ -786,11 +598,8 @@ static void __exit arp_tables_fini(void)
{
nf_unregister_sockopt(&arpt_sockopts);
xt_unregister_match(&arpt_builtin_mt);
- xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
unregister_pernet_subsys(&arp_tables_net_ops);
}
-EXPORT_SYMBOL(arpt_do_table);
-
module_init(arp_tables_init);
module_exit(arp_tables_fini);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 101/103] netfilter: xtables1: remove xt1 table handling
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (99 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 100/103] netfilter: arptables: remove remaining xt1 code Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 102/103] netfilter: xtables1: remove info lock Jan Engelhardt
` (3 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 18 ---
net/netfilter/x_tables.c | 244 ------------------------------------
2 files changed, 0 insertions(+), 262 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 77573a5..1c37428 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -595,17 +595,6 @@ extern int xt_check_target(struct xt_tgchk_param *,
unsigned int size, u_int8_t proto, bool inv_proto,
bool check_pad);
-extern struct xt_table *xt_register_table(struct net *net,
- const struct xt_table *table,
- struct xt_table_info *bootstrap,
- struct xt_table_info *newinfo);
-extern void *xt_unregister_table(struct xt_table *table);
-
-extern struct xt_table_info *xt_replace_table(struct xt_table *table,
- unsigned int num_counters,
- struct xt_table_info *newinfo,
- int *error);
-
extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
extern struct xt_match *xt_request_find_match(uint8_t, const char *, uint8_t);
@@ -614,16 +603,9 @@ extern struct xt_target *xt_request_find_target(u8 af, const char *name,
extern int xt_find_revision(u8 af, const char *name, u8 revision,
int target, int *err);
-extern struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
- const char *name);
-extern void xt_table_unlock(struct xt_table *t);
-
extern int xt_proto_init(struct net *net, u_int8_t af);
extern void xt_proto_fini(struct net *net, u_int8_t af);
-extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
-extern void xt_free_table_info(struct xt_table_info *info);
-
/*
* Per-CPU spinlock associated with per-cpu table entries, and
* with a counter for the "reading" side that allows a recursive
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 29d9ea8..167332c 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -650,97 +650,6 @@ int xt_compat_target_to_user(const struct xt_entry_target *t,
EXPORT_SYMBOL_GPL(xt_compat_target_to_user);
#endif
-struct xt_table_info *xt_alloc_table_info(unsigned int size)
-{
- struct xt_table_info *newinfo;
- int cpu;
-
- /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
- if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > num_physpages)
- return NULL;
-
- newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL);
- if (!newinfo)
- return NULL;
-
- newinfo->size = size;
-
- for_each_possible_cpu(cpu) {
- if (size <= PAGE_SIZE)
- newinfo->entries[cpu] = kmalloc_node(size,
- GFP_KERNEL,
- cpu_to_node(cpu));
- else
- newinfo->entries[cpu] = vmalloc_node(size,
- cpu_to_node(cpu));
-
- if (newinfo->entries[cpu] == NULL) {
- xt_free_table_info(newinfo);
- return NULL;
- }
- }
-
- return newinfo;
-}
-EXPORT_SYMBOL(xt_alloc_table_info);
-
-void xt_free_table_info(struct xt_table_info *info)
-{
- int cpu;
-
- for_each_possible_cpu(cpu) {
- if (info->size <= PAGE_SIZE)
- kfree(info->entries[cpu]);
- else
- vfree(info->entries[cpu]);
- }
-
- if (info->jumpstack != NULL) {
- if (sizeof(void *) * info->stacksize > PAGE_SIZE) {
- for_each_possible_cpu(cpu)
- vfree(info->jumpstack[cpu]);
- } else {
- for_each_possible_cpu(cpu)
- kfree(info->jumpstack[cpu]);
- }
- }
-
- if (sizeof(void **) * nr_cpu_ids > PAGE_SIZE)
- vfree(info->jumpstack);
- else
- kfree(info->jumpstack);
- if (sizeof(unsigned int) * nr_cpu_ids > PAGE_SIZE)
- vfree(info->stackptr);
- else
- kfree(info->stackptr);
-
- kfree(info);
-}
-EXPORT_SYMBOL(xt_free_table_info);
-
-/* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */
-struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
- const char *name)
-{
- struct xt_table *t;
-
- if (mutex_lock_interruptible(&xt[af].mutex) != 0)
- return ERR_PTR(-EINTR);
-
- list_for_each_entry(t, &net->xt.tables[af], list)
- if (strcmp(t->name, name) == 0 && try_module_get(t->me))
- return t;
- mutex_unlock(&xt[af].mutex);
- return NULL;
-}
-EXPORT_SYMBOL_GPL(xt_find_table_lock);
-
-void xt_table_unlock(struct xt_table *table)
-{
- mutex_unlock(&xt[table->af].mutex);
-}
-EXPORT_SYMBOL_GPL(xt_table_unlock);
-
#ifdef CONFIG_COMPAT
void xt_compat_lock(u_int8_t af)
{
@@ -758,159 +667,6 @@ EXPORT_SYMBOL_GPL(xt_compat_unlock);
DEFINE_PER_CPU(struct xt_info_lock, xt_info_locks);
EXPORT_PER_CPU_SYMBOL_GPL(xt_info_locks);
-static int xt_jumpstack_alloc(struct xt_table_info *i)
-{
- unsigned int size;
- int cpu;
-
- size = sizeof(unsigned int) * nr_cpu_ids;
- if (size > PAGE_SIZE)
- i->stackptr = vmalloc(size);
- else
- i->stackptr = kmalloc(size, GFP_KERNEL);
- if (i->stackptr == NULL)
- return -ENOMEM;
- memset(i->stackptr, 0, size);
-
- size = sizeof(void **) * nr_cpu_ids;
- if (size > PAGE_SIZE)
- i->jumpstack = vmalloc(size);
- else
- i->jumpstack = kmalloc(size, GFP_KERNEL);
- if (i->jumpstack == NULL)
- return -ENOMEM;
- memset(i->jumpstack, 0, size);
-
- i->stacksize *= xt_jumpstack_multiplier;
- size = sizeof(void *) * i->stacksize;
- for_each_possible_cpu(cpu) {
- if (size > PAGE_SIZE)
- i->jumpstack[cpu] = vmalloc_node(size,
- cpu_to_node(cpu));
- else
- i->jumpstack[cpu] = kmalloc_node(size,
- GFP_KERNEL, cpu_to_node(cpu));
- if (i->jumpstack[cpu] == NULL)
- return -ENOMEM;
- }
-
- return 0;
-}
-
-struct xt_table_info *
-xt_replace_table(struct xt_table *table,
- unsigned int num_counters,
- struct xt_table_info *newinfo,
- int *error)
-{
- struct xt_table_info *private;
- int ret;
-
- /* Do the substitution. */
- local_bh_disable();
- private = table->private;
-
- /* Check inside lock: is the old number correct? */
- if (num_counters != private->number) {
- duprintf("num_counters != table->private->number (%u/%u)\n",
- num_counters, private->number);
- local_bh_enable();
- *error = -EAGAIN;
- return NULL;
- }
-
- ret = xt_jumpstack_alloc(newinfo);
- if (ret < 0) {
- *error = ret;
- return NULL;
- }
-
- table->private = newinfo;
- newinfo->initial_entries = private->initial_entries;
-
- /*
- * Even though table entries have now been swapped, other CPU's
- * may still be using the old entries. This is okay, because
- * resynchronization happens because of the locking done
- * during the get_counters() routine.
- */
- local_bh_enable();
-
- return private;
-}
-EXPORT_SYMBOL_GPL(xt_replace_table);
-
-struct xt_table *xt_register_table(struct net *net,
- const struct xt_table *input_table,
- struct xt_table_info *bootstrap,
- struct xt_table_info *newinfo)
-{
- int ret;
- struct xt_table_info *private;
- struct xt_table *t, *table;
-
- ret = xt_jumpstack_alloc(newinfo);
- if (ret < 0)
- return ERR_PTR(ret);
-
- /* Don't add one object to multiple lists. */
- table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
- if (!table) {
- ret = -ENOMEM;
- goto out;
- }
-
- ret = mutex_lock_interruptible(&xt[table->af].mutex);
- if (ret != 0)
- goto out_free;
-
- /* Don't autoload: we'd eat our tail... */
- list_for_each_entry(t, &net->xt.tables[table->af], list) {
- if (strcmp(t->name, table->name) == 0) {
- ret = -EEXIST;
- goto unlock;
- }
- }
-
- /* Simplifies replace_table code. */
- table->private = bootstrap;
-
- if (!xt_replace_table(table, 0, newinfo, &ret))
- goto unlock;
-
- private = table->private;
- duprintf("table->private->number = %u\n", private->number);
-
- /* save number of initial entries */
- private->initial_entries = private->number;
-
- list_add(&table->list, &net->xt.tables[table->af]);
- mutex_unlock(&xt[table->af].mutex);
- return table;
-
- unlock:
- mutex_unlock(&xt[table->af].mutex);
-out_free:
- kfree(table);
-out:
- return ERR_PTR(ret);
-}
-EXPORT_SYMBOL_GPL(xt_register_table);
-
-void *xt_unregister_table(struct xt_table *table)
-{
- struct xt_table_info *private;
-
- mutex_lock(&xt[table->af].mutex);
- private = table->private;
- list_del(&table->list);
- mutex_unlock(&xt[table->af].mutex);
- kfree(table);
-
- return private;
-}
-EXPORT_SYMBOL_GPL(xt_unregister_table);
-
#ifdef CONFIG_PROC_FS
struct xt_names_priv {
struct seq_net_private p;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 102/103] netfilter: xtables1: remove info lock
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (100 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 101/103] netfilter: xtables1: remove xt1 table handling Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 7:26 ` [PATCH 103/103] netfilter: xtables1: remove compat-userspace code Jan Engelhardt
` (2 subsequent siblings)
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 68 ------------------------------------
net/netfilter/x_tables.c | 9 -----
2 files changed, 0 insertions(+), 77 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 1c37428..7befc66 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -607,74 +607,6 @@ extern int xt_proto_init(struct net *net, u_int8_t af);
extern void xt_proto_fini(struct net *net, u_int8_t af);
/*
- * Per-CPU spinlock associated with per-cpu table entries, and
- * with a counter for the "reading" side that allows a recursive
- * reader to avoid taking the lock and deadlocking.
- *
- * "reading" is used by ip/arp/ip6 tables rule processing which runs per-cpu.
- * It needs to ensure that the rules are not being changed while the packet
- * is being processed. In some cases, the read lock will be acquired
- * twice on the same CPU; this is okay because of the count.
- *
- * "writing" is used when reading counters.
- * During replace any readers that are using the old tables have to complete
- * before freeing the old table. This is handled by the write locking
- * necessary for reading the counters.
- */
-struct xt_info_lock {
- spinlock_t lock;
- unsigned char readers;
-};
-DECLARE_PER_CPU(struct xt_info_lock, xt_info_locks);
-
-/*
- * Note: we need to ensure that preemption is disabled before acquiring
- * the per-cpu-variable, so we do it as a two step process rather than
- * using "spin_lock_bh()".
- *
- * We _also_ need to disable bottom half processing before updating our
- * nesting count, to make sure that the only kind of re-entrancy is this
- * code being called by itself: since the count+lock is not an atomic
- * operation, we can allow no races.
- *
- * _Only_ that special combination of being per-cpu and never getting
- * re-entered asynchronously means that the count is safe.
- */
-static inline void xt_info_rdlock_bh(void)
-{
- struct xt_info_lock *lock;
-
- local_bh_disable();
- lock = &__get_cpu_var(xt_info_locks);
- if (likely(!lock->readers++))
- spin_lock(&lock->lock);
-}
-
-static inline void xt_info_rdunlock_bh(void)
-{
- struct xt_info_lock *lock = &__get_cpu_var(xt_info_locks);
-
- if (likely(!--lock->readers))
- spin_unlock(&lock->lock);
- local_bh_enable();
-}
-
-/*
- * The "writer" side needs to get exclusive access to the lock,
- * regardless of readers. This must be called with bottom half
- * processing (and thus also preemption) disabled.
- */
-static inline void xt_info_wrlock(unsigned int cpu)
-{
- spin_lock(&per_cpu(xt_info_locks, cpu).lock);
-}
-
-static inline void xt_info_wrunlock(unsigned int cpu)
-{
- spin_unlock(&per_cpu(xt_info_locks, cpu).lock);
-}
-
-/*
* This helper is performance critical and must be inlined
*/
static inline unsigned long ifname_compare_aligned(const char *_a,
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 167332c..1e43ab3 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -664,9 +664,6 @@ void xt_compat_unlock(u_int8_t af)
EXPORT_SYMBOL_GPL(xt_compat_unlock);
#endif
-DEFINE_PER_CPU(struct xt_info_lock, xt_info_locks);
-EXPORT_PER_CPU_SYMBOL_GPL(xt_info_locks);
-
#ifdef CONFIG_PROC_FS
struct xt_names_priv {
struct seq_net_private p;
@@ -1803,12 +1800,6 @@ static int __init xt_init(void)
unsigned int i;
int rv;
- for_each_possible_cpu(i) {
- struct xt_info_lock *lock = &per_cpu(xt_info_locks, i);
- spin_lock_init(&lock->lock);
- lock->readers = 0;
- }
-
xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL);
if (!xt)
return -ENOMEM;
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* [PATCH 103/103] netfilter: xtables1: remove compat-userspace code
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (101 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 102/103] netfilter: xtables1: remove info lock Jan Engelhardt
@ 2009-08-04 7:26 ` Jan Engelhardt
2009-08-04 12:47 ` Xtables2 snapshot 20090804 Patrick McHardy
2009-08-04 13:16 ` Jan Engelhardt
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 7:26 UTC (permalink / raw)
To: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 57 ----------
net/netfilter/x_tables.c | 203 ------------------------------------
2 files changed, 0 insertions(+), 260 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 7befc66..0a33c8f 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -745,44 +745,6 @@ xt2_table_lookup(struct net *net, const char *name, uint8_t nfproto,
#ifdef CONFIG_COMPAT
#include <net/compat.h>
-struct compat_xt_entry_match
-{
- union {
- struct {
- u_int16_t match_size;
- char name[XT_FUNCTION_MAXNAMELEN - 1];
- u_int8_t revision;
- } user;
- struct {
- u_int16_t match_size;
- compat_uptr_t match;
- } kernel;
- u_int16_t match_size;
- } u;
- unsigned char data[0];
-};
-
-struct compat_xt_entry_target
-{
- union {
- struct {
- u_int16_t target_size;
- char name[XT_FUNCTION_MAXNAMELEN - 1];
- u_int8_t revision;
- } user;
- struct {
- u_int16_t target_size;
- compat_uptr_t target;
- } kernel;
- u_int16_t target_size;
- } u;
- unsigned char data[0];
-};
-
-/* FIXME: this works only on 32 bit tasks
- * need to change whole approach in order to calculate align as function of
- * current task alignment */
-
struct compat_xt_counters
{
compat_u64 bcnt, pcnt;
@@ -798,25 +760,6 @@ struct compat_xt_counters_info
#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
& ~(__alignof__(struct compat_xt_counters)-1))
-extern void xt_compat_lock(u_int8_t af);
-extern void xt_compat_unlock(u_int8_t af);
-
-extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta);
-extern void xt_compat_flush_offsets(u_int8_t af);
-extern short xt_compat_calc_jump(u_int8_t af, unsigned int offset);
-
-extern int xt_compat_match_offset(const struct xt_match *match);
-extern int xt_compat_match_from_user(struct xt_entry_match *m,
- void **dstptr, unsigned int *size);
-extern int xt_compat_match_to_user(const struct xt_entry_match *m,
- void __user **dstptr, unsigned int *size);
-
-extern int xt_compat_target_offset(const struct xt_target *target);
-extern void xt_compat_target_from_user(struct xt_entry_target *t,
- void **dstptr, unsigned int *size);
-extern int xt_compat_target_to_user(const struct xt_entry_target *t,
- void __user **dstptr, unsigned int *size);
-
#endif /* CONFIG_COMPAT */
#endif /* __KERNEL__ */
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 1e43ab3..62297b7 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -38,20 +38,10 @@ MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
-struct compat_delta {
- struct compat_delta *next;
- unsigned int offset;
- short delta;
-};
-
struct xt_af {
struct mutex mutex;
struct list_head match;
struct list_head target;
-#ifdef CONFIG_COMPAT
- struct mutex compat_mutex;
- struct compat_delta *compat_offsets;
-#endif
};
static struct xt_af *xt;
@@ -432,118 +422,6 @@ int xt_check_match(struct xt_mtchk_param *par,
}
EXPORT_SYMBOL_GPL(xt_check_match);
-#ifdef CONFIG_COMPAT
-int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta)
-{
- struct compat_delta *tmp;
-
- tmp = kmalloc(sizeof(struct compat_delta), GFP_KERNEL);
- if (!tmp)
- return -ENOMEM;
-
- tmp->offset = offset;
- tmp->delta = delta;
-
- if (xt[af].compat_offsets) {
- tmp->next = xt[af].compat_offsets->next;
- xt[af].compat_offsets->next = tmp;
- } else {
- xt[af].compat_offsets = tmp;
- tmp->next = NULL;
- }
- return 0;
-}
-EXPORT_SYMBOL_GPL(xt_compat_add_offset);
-
-void xt_compat_flush_offsets(u_int8_t af)
-{
- struct compat_delta *tmp, *next;
-
- if (xt[af].compat_offsets) {
- for (tmp = xt[af].compat_offsets; tmp; tmp = next) {
- next = tmp->next;
- kfree(tmp);
- }
- xt[af].compat_offsets = NULL;
- }
-}
-EXPORT_SYMBOL_GPL(xt_compat_flush_offsets);
-
-short xt_compat_calc_jump(u_int8_t af, unsigned int offset)
-{
- struct compat_delta *tmp;
- short delta;
-
- for (tmp = xt[af].compat_offsets, delta = 0; tmp; tmp = tmp->next)
- if (tmp->offset < offset)
- delta += tmp->delta;
- return delta;
-}
-EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
-
-int xt_compat_match_offset(const struct xt_match *match)
-{
- u_int16_t csize = match->compatsize ? : match->matchsize;
- return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
-}
-EXPORT_SYMBOL_GPL(xt_compat_match_offset);
-
-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
- unsigned int *size)
-{
- const struct xt_match *match = m->u.kernel.match;
- struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
- int pad, off = xt_compat_match_offset(match);
- u_int16_t msize = cm->u.user.match_size;
-
- m = *dstptr;
- memcpy(m, cm, sizeof(*cm));
- if (match->compat_from_user)
- match->compat_from_user(m->data, cm->data);
- else
- memcpy(m->data, cm->data, msize - sizeof(*cm));
- pad = XT_ALIGN(match->matchsize) - match->matchsize;
- if (pad > 0)
- memset(m->data + match->matchsize, 0, pad);
-
- msize += off;
- m->u.user.match_size = msize;
-
- *size += off;
- *dstptr += msize;
- return 0;
-}
-EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
-
-int xt_compat_match_to_user(const struct xt_entry_match *m,
- void __user **dstptr, unsigned int *size)
-{
- const struct xt_match *match = m->u.kernel.match;
- struct compat_xt_entry_match __user *cm = *dstptr;
- int off = xt_compat_match_offset(match);
- u_int16_t msize = m->u.user.match_size - off;
-
- if (copy_to_user(cm, m, sizeof(*cm)) ||
- put_user(msize, &cm->u.user.match_size) ||
- copy_to_user(cm->u.user.name, m->u.kernel.match->name,
- strlen(m->u.kernel.match->name) + 1))
- return -EFAULT;
-
- if (match->compat_to_user) {
- if (match->compat_to_user((void __user *)cm->data, m->data))
- return -EFAULT;
- } else {
- if (copy_to_user(cm->data, m->data, msize - sizeof(*cm)))
- return -EFAULT;
- }
-
- *size -= off;
- *dstptr += msize;
- return 0;
-}
-EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
-#endif /* CONFIG_COMPAT */
-
int xt_check_target(struct xt_tgchk_param *par,
unsigned int size, u_int8_t proto, bool inv_proto,
bool check_pad)
@@ -587,83 +465,6 @@ int xt_check_target(struct xt_tgchk_param *par,
}
EXPORT_SYMBOL_GPL(xt_check_target);
-#ifdef CONFIG_COMPAT
-int xt_compat_target_offset(const struct xt_target *target)
-{
- u_int16_t csize = target->compatsize ? : target->targetsize;
- return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
-}
-EXPORT_SYMBOL_GPL(xt_compat_target_offset);
-
-void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
- unsigned int *size)
-{
- const struct xt_target *target = t->u.kernel.target;
- struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
- int pad, off = xt_compat_target_offset(target);
- u_int16_t tsize = ct->u.user.target_size;
-
- t = *dstptr;
- memcpy(t, ct, sizeof(*ct));
- if (target->compat_from_user)
- target->compat_from_user(t->data, ct->data);
- else
- memcpy(t->data, ct->data, tsize - sizeof(*ct));
- pad = XT_ALIGN(target->targetsize) - target->targetsize;
- if (pad > 0)
- memset(t->data + target->targetsize, 0, pad);
-
- tsize += off;
- t->u.user.target_size = tsize;
-
- *size += off;
- *dstptr += tsize;
-}
-EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
-
-int xt_compat_target_to_user(const struct xt_entry_target *t,
- void __user **dstptr, unsigned int *size)
-{
- const struct xt_target *target = t->u.kernel.target;
- struct compat_xt_entry_target __user *ct = *dstptr;
- int off = xt_compat_target_offset(target);
- u_int16_t tsize = t->u.user.target_size - off;
-
- if (copy_to_user(ct, t, sizeof(*ct)) ||
- put_user(tsize, &ct->u.user.target_size) ||
- copy_to_user(ct->u.user.name, t->u.kernel.target->name,
- strlen(t->u.kernel.target->name) + 1))
- return -EFAULT;
-
- if (target->compat_to_user) {
- if (target->compat_to_user((void __user *)ct->data, t->data))
- return -EFAULT;
- } else {
- if (copy_to_user(ct->data, t->data, tsize - sizeof(*ct)))
- return -EFAULT;
- }
-
- *size -= off;
- *dstptr += tsize;
- return 0;
-}
-EXPORT_SYMBOL_GPL(xt_compat_target_to_user);
-#endif
-
-#ifdef CONFIG_COMPAT
-void xt_compat_lock(u_int8_t af)
-{
- mutex_lock(&xt[af].compat_mutex);
-}
-EXPORT_SYMBOL_GPL(xt_compat_lock);
-
-void xt_compat_unlock(u_int8_t af)
-{
- mutex_unlock(&xt[af].compat_mutex);
-}
-EXPORT_SYMBOL_GPL(xt_compat_unlock);
-#endif
-
#ifdef CONFIG_PROC_FS
struct xt_names_priv {
struct seq_net_private p;
@@ -1806,10 +1607,6 @@ static int __init xt_init(void)
for (i = 0; i < NFPROTO_NUMPROTO; i++) {
mutex_init(&xt[i].mutex);
-#ifdef CONFIG_COMPAT
- mutex_init(&xt[i].compat_mutex);
- xt[i].compat_offsets = NULL;
-#endif
INIT_LIST_HEAD(&xt[i].target);
INIT_LIST_HEAD(&xt[i].match);
}
--
1.6.3.3
^ permalink raw reply related [flat|nested] 118+ messages in thread* Re: Xtables2 snapshot 20090804
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (102 preceding siblings ...)
2009-08-04 7:26 ` [PATCH 103/103] netfilter: xtables1: remove compat-userspace code Jan Engelhardt
@ 2009-08-04 12:47 ` Patrick McHardy
2009-08-04 13:26 ` Jan Engelhardt
2009-08-04 13:16 ` Jan Engelhardt
104 siblings, 1 reply; 118+ messages in thread
From: Patrick McHardy @ 2009-08-04 12:47 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> here is my prospected patch queue for 2.6.32. The important changes
> are the start of a patch-wise overhaul of the firewall(s), eventually
> leading to what I would bless as Xtables2 - a logical continuation of
> the x_tables consolidation work done by Patrick McHardy et al in
> 2006/2007. (Of course it does not yet have everything I wanted, so
> it's not a final v2. But it is usable.)
>
> The internal structure of the ruleset is switched from the serialized
> blob format (concatenated packed structs) to linked lists. Whereas
> classic iptables always exchanges complete tables with the kernel
> even if you just add a single rule from userspace, the linked-list
> preparatory spadework allows the manipulation of single rules in the
> future. Currently, only table-granularity swapping is supported;
> appropriate RCU for chains and rules is absent at this time.
>
> iptables compatibility is retained by means of a translation layer.
> ip_tables has shown itself to be very forkable, leading to 4 firewall
> subimplementations, supporting 7 data formats. The new translation
> layer was written in a template fashion (hopefully not too ugly),
> consolidating most of ip_tables, ip6_tables, arp_tables and their
> compat variants, leading to a drop of LOC by ~50%. Ebtables has not
> been touched yet.
>
>
> It can be retrieved from
>
> git://dev.medozas.de/linux xt2-20090804
>
> 181 files changed, 4060 insertions(+), 8823 deletions(-)
I suggest you begin by submitting the removal patches of old
revisions in a first series, then we can continue on with
cleanups and finally discuss your proposed functional changes.
But this is just too big to reasonably review in one go.
Thanks.
^ permalink raw reply [flat|nested] 118+ messages in thread* Re: Xtables2 snapshot 20090804
2009-08-04 12:47 ` Xtables2 snapshot 20090804 Patrick McHardy
@ 2009-08-04 13:26 ` Jan Engelhardt
0 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 13:26 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
Hi Patrick,
On Tuesday 2009-08-04 14:47, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>>
>> It can be retrieved from
>>
>> git://dev.medozas.de/linux xt2-20090804
>>
>> 181 files changed, 4060 insertions(+), 8823 deletions(-)
>
>I suggest you begin by submitting the removal patches of old
>revisions in a first series, then we can continue on with
>cleanups and finally discuss your proposed functional changes.
>But this is just too big to reasonably review in one go.
Well, true. I did not expect you to look at it all at once. But that
should not stop you from being able to piece-wise reply to the first,
say, 20-or-so patches.
The cleanups obviously come first because I assumed they are relatively
easy to gulp.
01-16 cleanups
\__ 01-10 removals
\__ 11-16 cosmetics
If there is overly large discussion potential in a patch (and there
probably is), just stop at the one, and we'll take it from there, ok?
I do not think resending the first group (01-16) makes much sense
given there is no discussion preceding it as there would be for
patches 20+.
thank you very much,
Jan
^ permalink raw reply [flat|nested] 118+ messages in thread
* Re: Xtables2 snapshot 20090804
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
` (103 preceding siblings ...)
2009-08-04 12:47 ` Xtables2 snapshot 20090804 Patrick McHardy
@ 2009-08-04 13:16 ` Jan Engelhardt
104 siblings, 0 replies; 118+ messages in thread
From: Jan Engelhardt @ 2009-08-04 13:16 UTC (permalink / raw)
To: Netfilter Developer Mailing List; +Cc: Fred Moyer
Re,
by user request, I'll go into detail.
>Could you break up the last 100+ patches into a couple of bullet
>points for the rest of us?
>
>Obviously something significant is happening, but I'm trying to track
>what that really is.
There are not too many user-visible features in this set, the larger
part is kernel-side code cleanups, polishing, waxing.
>Jan Engelhardt (103):
> netfilter: xtables: remove xt_TOS v0
> netfilter: xtables: remove xt_CONNMARK v0
> netfilter: xtables: remove xt_MARK v0, v1
> netfilter: xtables: remove xt_connmark v0
> netfilter: xtables: remove xt_conntrack v0
> netfilter: xtables: remove xt_iprange v0
> netfilter: xtables: remove xt_mark v0
> netfilter: xtables: remove obsolete /proc/net/ipt_recent
> netfilter: xtables: remove xt_owner v0
> netfilter: xtables: remove redirecting header files
I start off with a few cleanup patches. Here, old revisions of
extensions are removed. This is nothing the end user would
normally see, as iptables and the kernel side will pick a
revision (call it data format, or something) both have -
this would be, for example, TOS v1. By applying these kernel
patches, the minimal iptables version shifts upwards a bit,
to 1.4.1-rc1, which as released over a year ago.
> netfilter: conntrack: switch hook PFs to nfproto
> netfilter: xtables: switch hook PFs to nfproto
> netfilter: xtables: switch table AFs to nfproto
> netfilter: xtables: remove unneeded gotos in table error paths
> netfilter: xtables: realign struct xt_target_param
> netfilter: iptables: remove unused datalen variable
Cosmetic correctness.
> netfilter: xtables: use better unconditional check
> netfilter: xtables: ignore unassigned hooks in check_entry_size_and_hooks
> netfilter: xtables: check for unconditionality of policies
> netfilter: xtables: check for standard verdicts in policies
Fixes a missing checking feature R.Russell meant to have implemented
years ago. It is to catch someone sending gibberish "rulesets" to
the kernel, tho that probably does not happen often.
> netfilter: xtables: consolidate table hook functions
> netfilter: xtables: compact table hook functions
> netfilter: xtables: generate nf_hook_ops on-demand
> netfilter: xtables: mark table constant for registering functions
> netfilter: xtables: constify initial table data
> netfilter: xtables: use xt_table for hook instantiation
> netfilter: xtables: generate initial table on-demand
This is for a reduction in runtime memory footprint - about 12-14K of
unswappable kernel memory resting in the initial tables, which really
goes unused if you are not actually initializing a new table (which
is, undoubtly, not something done every second).
> netfilter: reduce NF_HOOK by one argument
> netfilter: get rid of the grossness in netfilter.h
I was itched by the comments in netfilter.h ("this is gross"),
so, I cleaned it a little.
> netfilter: xtables: print details on size mismatch
This is for users and developers alike. Know that dreaded
"ip_tables: foo match: invalid size 8 != 4" in dmesg? It's
pretty ambiguous even for developers (read: me). Which revision?
Was 8 the kernel size or the user size? Now these three questions
are answered by printing the relevant details.
> netfilter: xtables: constify args in compat copying functions
> netfilter: xtables: add const qualifiers
> netfilter: xtables: replace XT_ENTRY_ITERATE macro
> netfilter: xtables: optimize call flow around xt_entry_foreach
> netfilter: xtables: replace XT_MATCH_ITERATE macro
> netfilter: xtables: optimize call flow around xt_ematch_foreach
> netfilter: xtables: reduce arguments to translate_table
Code cleanup. The serialized blob data format was horrifying enough,
only for the API to put the nail in the coffin.
IPT_ENTRY_ITERATE(base, size, foo, bar, varargs)
I found myself too often having to open the header file to merely
look for what each argument did. Thus, I turned it into a loop
resembling list_for_each, basically helping myself (and indirectly,
others) to get a clearer understanding.
xt_entry_foreach(i, base, size)
foo(i, bar);
N.B.: I could have ignored all these modifications on xt1 and move
directly to the xt2 internal format, but it seemed a little smarter
to reduce the ip_tables.c codes first before removing them as a
whole.
> netfilter: xtables2: make ip_tables reentrant
This patch makes it possible to track/work on packets created from within
Xtables itself. As you know, iptables provides flow control by means
of jumping to chains (iptables -j foo). For that, a jumpstack needs
to be recorded, but the way it was stored in classic iptables meant
that jumpstack would be overwritten.
The REJECT target for example sends a reply packet itself (using
dst_output) hence something like this would ensue:
• NF_HOOK[INPUT] → ip6t_do_table → dst_output
→ NF_HOOK[OUTPUT] → ip6t_do_table (!boom!)
That would trash the jumpstack of the first ip6t_do_table entry,
meaning you cannot do further actions on the original packet. There
are not many targets that have this "problem", in the mainline kernel
it's just REJECT, and outside, what I only know of what I
co-authored: xt_TARPIT xt_DELUDE xt_TEE and xt_ECHO. Especially
xt_TEE users will be liking the new reentrancy feature, as they can
now mangle cloned packets (say, tag it with TOS).
> netfilter: xtables: dissolve do_match function
> netfilter: xtables: combine struct xt_match_param and xt_target_param
> netfilter: xtables: substitute temporary defines by final name
> netfilter: xtables: make use of xt_request_find_target
> netfilter: xtables: consolidate code into xt_request_find_match
More cleanups. The amout needed for it just shows how much dust
iptables collected :-)
> netfilter: xtables: deconstify struct xt_action_param for matches
> netfilter: xtables: change hotdrop pointer to direct modification
> netfilter: xtables: combine built-in extension structs
> netfilter: xtables: move functions around
...Preparation work, nicely split into pieces for tracking...
> netfilter: ebtables: change ebt_basic_match to xt convention
> netfilter: xtables: convert basic nfproto match functions into xt matches
The reason for ip_tables having been forked so much ofter the past
decade is its lack of modularity at the very core, struct
ip6t_entry/ip6t_ip6 for example is a hardcoded component of the
binary xt1 format userspace and kernelspace exchange. Modularizing
that, so I thought, would finally break the frontier that stopped
ip_tables/ip6_tables from further code unification.
So, the basic match structures hardcoded in each of the 4 firewalls
are distilled into regular matches, which can then freely be used in
the xt2 table format like any other match. This is a step towards a
single multiprotocol table for IPv4-IPv6-ARP-etc.
> netfilter: xtables2: initial table skeletal functions
> netfilter: xtables2: initial chain skeletal functions
> netfilter: xtables2: initial rule skeletal functions
> netfilter: xtables: alternate size checking in xt_check_match
> netfilter: xtables: alternate size checking in xt_check_target
> netfilter: xtables2: per-rule match skeletal functions
> netfilter: xtables2: per-rule target skeletal functions
> netfilter: xtables2: xt_check_target in combination with xt2 contexts
> netfilter: xtables2: jumpstack (de)allocation functions
> netfilter: xtables2: table traversal
The xt2 table format. Table/chain/rule setup/construction/teardown.
> netfilter: xt_quota: fix wrong return value (error case)
> netfilter: xtables: add xt_quota revision 3
struct ip6t_entry not only housed ip6t_ip6, but also counters.
Similar to how ip6t_ip6 was extruded, the counters of an ip6t_entry
will be modeled using the quota match in its upwards counting mode.
So strictly speaking, there are no implicit counters in xt2 mode -
you add them to your rule when you deem necessary. Of course there
will always be some counters if you use the xt1<->xt2 translation
layer, because classic ip_tables requiers these.
> netfilter: xtables2: make a copy of the ipv6_filter table
> netfilter: xtables2: initial xt1->xt2 translation for tables
> netfilter: xtables2: xt2->xt1 translation - GET_INFO support
> netfilter: xtables2: xt2->xt1 translation - GET_ENTRIES support
> netfilter: xtables2: xt1->xt2 translation - SET_REPLACE support
> netfilter: xtables2: return counters after SET_REPLACE
> netfilter: xtables2: xt1->xt2 translation - ADD_COUNTERS support
> netfilter: xtables2: xt2->xt1 translation - compat GET_INFO support
> netfilter: xtables: use compat_u64 inside struct compat_xt_counters
> netfilter: ip6tables: move mark_chains to xt1_perproto.c
> netfilter: xtables2: xt2<->xt1 translation - compat GET_ENTRIES/SET_REPLACE support
> netfilter: xtables2: compat->normal match data translation
> netfilter: xtables2: compat->normal target data translation
> netfilter: xtables2: outsource code into xts_match_to_xt1 function
> netfilter: xtables2: normal->compat match data translation
> netfilter: xtables2: normal->compat target data translation
> netfilter: xtables2: packet tracing
> netfilter: xtables: turn procfs entries to walk xt2 table list
Stepwise wiring up of ip6tables with the xt2 table format. This is
done in a fashion that both classic tables and xt2 tables work,
for the moment.
> netfilter: xtables2: switch ip6's tables to the xt2 table format
> netfilter: ip6tables: remove obsolete packet tracing
> netfilter: ip6tables: remove xt1 GET_INFO code
> netfilter: ip6tables: remove xt1 GET_ENTRIES code
> netfilter: ip6tables: remove unused functions (GET_ENTRIES)
> netfilter: ip6tables: remove xt1 SET_REPLACE code
> netfilter: ip6tables: remove unused functions (SET_REPLACE)
> netfilter: ip6tables: remove xt1 ADD_COUNTERS code
> netfilter: ip6tables: remove xt1/ipv6 registration functions
> netfilter: ip6tables: remove remaining xt1 code
And since all ip6's tables are using xt2 functions or functions
from the translation layer, the now-unused classic code that is so
duplicated over the kernel gets weeded out, as there are no more
in-tree users.
> netfilter: iptables: include xt1_perproto code in ip_tables
> netfilter: iptables: switch to xt2 tables
> netfilter: iptables: remove unused functions
> netfilter: iptables: remove xt1/ipv4 registration functions
> netfilter: iptables: remove remaining xt1 code
Wiring up iptables to xt2.
> netfilter: xt_quota: enable module lookup via arpt
> netfilter: arptables: include xt1_perproto in arp_tables
> netfilter: arptables: switch to xt2 tables
> netfilter: arptables: remove unused functions
> netfilter: arptables: remove xt1/arp registration functions
> netfilter: arptables: remove remaining xt1 code
Same for arptables.
> netfilter: xtables1: remove xt1 table handling
> netfilter: xtables1: remove info lock
> netfilter: xtables1: remove compat-userspace code
Removal of more now-unused functions from x_tables.c as there are no
more in-kernel users.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 118+ messages in thread