* Pull request for Stomping Static Data
@ 2009-08-10 19:19 Jan Engelhardt
From: Jan Engelhardt @ 2009-08-10 19:19 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Summary:
In this 6-patch set, large quantities of static data are
eliminated and replaced by generate-at-runtime structures
(memory savings outside of the initialization phase).
The following changes since commit e2fe35c17fed62d4ab5038fa9bc489e967ff8416:
Jan Engelhardt (1):
netfilter: xtables: check for standard verdicts in policies
are available in the git repository at:
git://dev.medozas.de/linux master
Jan Engelhardt (6):
netfilter: xtables: consolidate table hook functions
netfilter: xtables: compact table hook functions
netfilter: xtables: generate nf_hook_ops on-demand
netfilter: xtables: mark initial tables constant
netfilter: xtables: use xt_table for hook instantiation
netfilter: xtables: generate initial table on-demand
include/linux/netfilter/x_tables.h | 7 +-
include/linux/netfilter_arp/arp_tables.h | 2 +-
include/linux/netfilter_bridge/ebtables.h | 2 +-
include/linux/netfilter_ipv4/ip_tables.h | 2 +-
include/linux/netfilter_ipv6/ip6_tables.h | 2 +-
net/bridge/netfilter/ebtable_broute.c | 2 +-
net/bridge/netfilter/ebtable_filter.c | 2 +-
net/bridge/netfilter/ebtables.c | 13 ++-
net/ipv4/netfilter/arp_tables.c | 3 +-
net/ipv4/netfilter/arptable_filter.c | 91 ++++-------------
net/ipv4/netfilter/ip_tables.c | 3 +-
net/ipv4/netfilter/iptable_filter.c | 118 +++++-----------------
net/ipv4/netfilter/iptable_mangle.c | 157 ++++++-----------------------
net/ipv4/netfilter/iptable_raw.c | 90 ++++------------
net/ipv4/netfilter/iptable_security.c | 110 ++++----------------
net/ipv4/netfilter/nf_nat_rule.c | 40 ++------
net/ipv6/netfilter/ip6_tables.c | 3 +-
net/ipv6/netfilter/ip6table_filter.c | 108 ++++----------------
net/ipv6/netfilter/ip6table_mangle.c | 134 ++++++-------------------
net/ipv6/netfilter/ip6table_raw.c | 81 ++++------------
net/ipv6/netfilter/ip6table_security.c | 103 ++++----------------
net/netfilter/x_tables.c | 125 ++++++++++++++++++++++-
22 files changed, 365 insertions(+), 833 deletions(-)
* [PATCH 1/6] netfilter: xtables: consolidate table hook functions
From: Jan Engelhardt @ 2009-08-10 19:19 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
For a following patch in this series ("generate nf hook ops on
demand"), we will be requiring that a single hook entry function per
table does the processing. Were this not done, I would need to
pass multiple hook functions as arguments in that later patch, which
would not be so nice.
This also removes exact duplicates of some hook functions —
ipt_pre_routing_hook, ipt_local_in_hook and ipt_forward_hook in
iptable_mangle.c all did the same.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arptable_filter.c | 23 ++++------
net/ipv4/netfilter/iptable_filter.c | 46 +++++++--------------
net/ipv4/netfilter/iptable_mangle.c | 71 +++++++++----------------------
net/ipv4/netfilter/iptable_raw.c | 20 +++------
net/ipv4/netfilter/iptable_security.c | 43 ++++++-------------
net/ipv6/netfilter/ip6table_filter.c | 34 ++++-----------
net/ipv6/netfilter/ip6table_mangle.c | 49 +++++++++------------
net/ipv6/netfilter/ip6table_raw.c | 20 +++------
net/ipv6/netfilter/ip6table_security.c | 34 ++++------------
9 files changed, 111 insertions(+), 229 deletions(-)
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 6ecfdae..c9b3b71 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -53,43 +53,38 @@ static struct xt_table packet_filter = {
};
/* The work comes in here from netfilter.c */
-static unsigned int arpt_in_hook(unsigned int hook,
+static unsigned int arptable_filter_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return arpt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.arptable_filter);
-}
+ if (hook == NF_ARP_OUT)
+ return arpt_do_table(skb, hook, in, out,
+ dev_net(out)->ipv4.arptable_filter);
-static unsigned int arpt_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
+ /* INPUT/FORWARD: */
return arpt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.arptable_filter);
+ dev_net(in)->ipv4.arptable_filter);
}
static struct nf_hook_ops arpt_ops[] __read_mostly = {
{
- .hook = arpt_in_hook,
+ .hook = arptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_ARP,
.hooknum = NF_ARP_IN,
.priority = NF_IP_PRI_FILTER,
},
{
- .hook = arpt_out_hook,
+ .hook = arptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_ARP,
.hooknum = NF_ARP_OUT,
.priority = NF_IP_PRI_FILTER,
},
{
- .hook = arpt_in_hook,
+ .hook = arptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_ARP,
.hooknum = NF_ARP_FORWARD,
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 97dbd94..84f197a 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -60,61 +60,45 @@ static struct xt_table packet_filter = {
.af = NFPROTO_IPV4,
};
-/* The work comes in here from netfilter.c. */
static unsigned int
-ipt_local_in_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_filter);
-}
-
-static unsigned int
-ipt_hook(unsigned int hook,
+iptable_filter_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_filter);
-}
+ if (hook == NF_INET_LOCAL_OUT) {
+ if (skb->len < sizeof(struct iphdr) ||
+ ip_hdrlen(skb) < sizeof(struct iphdr))
+ /* root is playing with raw sockets. */
+ return NF_ACCEPT;
+
+ return ipt_do_table(skb, hook, in, out,
+ dev_net(out)->ipv4.iptable_filter);
+ }
-static unsigned int
-ipt_local_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- /* root is playing with raw sockets. */
- if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr))
- return NF_ACCEPT;
+ /* LOCAL_IN/FORWARD: */
return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_filter);
+ dev_net(in)->ipv4.iptable_filter);
}
static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
- .hook = ipt_local_in_hook,
+ .hook = iptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_FILTER,
},
{
- .hook = ipt_hook,
+ .hook = iptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_FILTER,
},
{
- .hook = ipt_local_out_hook,
+ .hook = iptable_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 28647f1..0dd4c67 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -71,51 +71,6 @@ static struct xt_table packet_mangler = {
.af = NFPROTO_IPV4,
};
-/* The work comes in here from netfilter.c. */
-static unsigned int
-ipt_pre_routing_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_mangle);
-}
-
-static unsigned int
-ipt_post_routing_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_mangle);
-}
-
-static unsigned int
-ipt_local_in_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_mangle);
-}
-
-static unsigned int
-ipt_forward_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_mangle);
-}
-
static unsigned int
ipt_local_hook(unsigned int hook,
struct sk_buff *skb,
@@ -158,37 +113,53 @@ ipt_local_hook(unsigned int hook,
return ret;
}
+/* The work comes in here from netfilter.c. */
+static unsigned int
+iptable_mangle_hook(unsigned int hook,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ if (hook == NF_INET_LOCAL_OUT)
+ return ipt_local_hook(hook, skb, in, out, okfn);
+
+ /* PREROUTING/INPUT/FORWARD: */
+ return ipt_do_table(skb, hook, in, out,
+ dev_net(in)->ipv4.iptable_mangle);
+}
+
static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
- .hook = ipt_pre_routing_hook,
+ .hook = iptable_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_MANGLE,
},
{
- .hook = ipt_local_in_hook,
+ .hook = iptable_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_MANGLE,
},
{
- .hook = ipt_forward_hook,
+ .hook = iptable_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_MANGLE,
},
{
- .hook = ipt_local_hook,
+ .hook = iptable_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_MANGLE,
},
{
- .hook = ipt_post_routing_hook,
+ .hook = iptable_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
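Review bot: the NF_INET_POST_ROUTING case of iptable_mangle_hook is wrong. The removed ipt_post_routing_hook looked the table up through dev_net(out), but the new function sends POST_ROUTING down the `/* PREROUTING/INPUT/FORWARD: */` path and uses dev_net(in); the original kept the two apart because `in` is not set for locally generated packets at POST_ROUTING, so this becomes a NULL dereference as soon as the ops entry at the end of this hunk is registered. Add `if (hook == NF_INET_POST_ROUTING) return ipt_do_table(skb, hook, in, out, dev_net(out)->ipv4.iptable_mangle);` before the fallthrough and list POST_ROUTING in the comment if it is meant to stay there.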
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 494784c..c6733c8 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -45,23 +45,17 @@ static struct xt_table packet_raw = {
/* The work comes in here from netfilter.c. */
static unsigned int
-ipt_hook(unsigned int hook,
+iptable_raw_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_raw);
-}
+ if (hook == NF_INET_PRE_ROUTING)
+ return ipt_do_table(skb, hook, in, out,
+ dev_net(in)->ipv4.iptable_raw);
-static unsigned int
-ipt_local_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
+ /* OUTPUT: */
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) ||
ip_hdrlen(skb) < sizeof(struct iphdr))
@@ -73,14 +67,14 @@ ipt_local_hook(unsigned int hook,
/* 'raw' is the very first table. */
static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
- .hook = ipt_hook,
+ .hook = iptable_raw_hook,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_RAW,
.owner = THIS_MODULE,
},
{
- .hook = ipt_local_hook,
+ .hook = iptable_raw_hook,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_RAW,
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 8804e1a..aef8ba9 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -65,59 +65,44 @@ static struct xt_table security_table = {
};
static unsigned int
-ipt_local_in_hook(unsigned int hook,
+iptable_security_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_security);
-}
+ if (hook == NF_INET_LOCAL_OUT) {
+ if (skb->len < sizeof(struct iphdr) ||
+ ip_hdrlen(skb) < sizeof(struct iphdr))
+ /* Somebody is playing with raw sockets. */
+ return NF_ACCEPT;
-static unsigned int
-ipt_forward_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_security);
-}
+ return ipt_do_table(skb, hook, in, out,
+ dev_net(out)->ipv4.iptable_security);
+ }
-static unsigned int
-ipt_local_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- /* Somebody is playing with raw sockets. */
- if (skb->len < sizeof(struct iphdr)
- || ip_hdrlen(skb) < sizeof(struct iphdr))
- return NF_ACCEPT;
+ /* INPUT/FORWARD: */
return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_security);
+ dev_net(in)->ipv4.iptable_security);
}
static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
- .hook = ipt_local_in_hook,
+ .hook = iptable_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_SECURITY,
},
{
- .hook = ipt_forward_hook,
+ .hook = iptable_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_SECURITY,
},
{
- .hook = ipt_local_out_hook,
+ .hook = iptable_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 0a3ae48..175e408 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -60,54 +60,38 @@ static struct xt_table packet_filter = {
/* The work comes in here from netfilter.c. */
static unsigned int
-ip6t_in_hook(unsigned int hook,
+ip6table_filter_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_filter);
-}
-
-static unsigned int
-ip6t_local_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
-#if 0
- /* root is playing with raw sockets. */
- if (skb->len < sizeof(struct iphdr)
- || ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk("ip6t_hook: happy cracking.\n");
- return NF_ACCEPT;
- }
-#endif
+ if (hook == NF_INET_LOCAL_OUT)
+ return ip6t_do_table(skb, hook, in, out,
+ dev_net(out)->ipv6.ip6table_filter);
+ /* INPUT/FORWARD: */
return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_filter);
+ dev_net(in)->ipv6.ip6table_filter);
}
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
- .hook = ip6t_in_hook,
+ .hook = ip6table_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_FILTER,
},
{
- .hook = ip6t_in_hook,
+ .hook = ip6table_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_FILTER,
},
{
- .hook = ip6t_local_out_hook,
+ .hook = ip6table_filter_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 0f49e00..63abcec 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -64,29 +64,6 @@ static struct xt_table packet_mangler = {
.af = NFPROTO_IPV6,
};
-/* The work comes in here from netfilter.c. */
-static unsigned int
-ip6t_in_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_mangle);
-}
-
-static unsigned int
-ip6t_post_routing_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_mangle);
-}
-
static unsigned int
ip6t_local_out_hook(unsigned int hook,
struct sk_buff *skb,
@@ -132,37 +109,53 @@ ip6t_local_out_hook(unsigned int hook,
return ret;
}
+/* The work comes in here from netfilter.c. */
+static unsigned int
+ip6table_mangle_hook(unsigned int hook,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ if (hook == NF_INET_LOCAL_OUT)
+ return ip6t_loacl_out_hook(hook, skb, hook, in, okfn);
+
+ /* INPUT/FORWARD */
+ return ip6t_do_table(skb, hook, in, out,
+ dev_net(in)->ipv6.ip6table_mangle);
+}
+
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
- .hook = ip6t_in_hook,
+ .hook = ip6table_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_MANGLE,
},
{
- .hook = ip6t_in_hook,
+ .hook = ip6table_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_MANGLE,
},
{
- .hook = ip6t_in_hook,
+ .hook = ip6table_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_MANGLE,
},
{
- .hook = ip6t_local_out_hook,
+ .hook = ip6table_mangle_out_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_MANGLE,
},
{
- .hook = ip6t_post_routing_hook,
+ .hook = ip6table_mangle_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_POST_ROUTING,
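Review bot: this hunk does not compile as posted. `ip6t_loacl_out_hook` is a typo for `ip6t_local_out_hook`, and its arguments are passed as `(hook, skb, hook, in, okfn)` instead of `(hook, skb, in, out, okfn)`. The NF_INET_LOCAL_OUT ops entry is also set to `ip6table_mangle_out_hook`, which is not defined anywhere in the patch; it should be `ip6table_mangle_hook` like the other four entries, which is the point of the consolidation. The same POST_ROUTING problem as in the IPv4 mangle table applies here: the removed ip6t_post_routing_hook used dev_net(out), but the new fallthrough uses dev_net(in) for NF_INET_POST_ROUTING as well, and the `/* INPUT/FORWARD */` comment omits PREROUTING and POSTROUTING although both land in that branch.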
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 679865e..4bef7a1 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -44,37 +44,31 @@ static struct xt_table packet_raw = {
/* The work comes in here from netfilter.c. */
static unsigned int
-ip6t_pre_routing_hook(unsigned int hook,
+ip6table_raw_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_raw);
-}
+ if (hook == NF_INET_PRE_ROUTING)
+ return ip6t_do_table(skb, hook, in, out,
+ dev_net(in)->ipv6.ip6table_raw);
-static unsigned int
-ip6t_local_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
+ /* OUTPUT: */
return ip6t_do_table(skb, hook, in, out,
dev_net(out)->ipv6.ip6table_raw);
}
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
- .hook = ip6t_pre_routing_hook,
+ .hook = ip6table_raw_hook,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_FIRST,
.owner = THIS_MODULE,
},
{
- .hook = ip6t_local_out_hook,
+ .hook = ip6table_raw_hook,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_FIRST,
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 822afab..a01c3c0 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -64,56 +64,38 @@ static struct xt_table security_table = {
};
static unsigned int
-ip6t_local_in_hook(unsigned int hook,
+ip6table_security_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_security);
-}
+ if (hook == NF_INET_LOCAL_OUT)
+ return ip6t_do_table(skb, hook, in, out,
+ dev_net(out)->ipv6.ip6table_security);
-static unsigned int
-ip6t_forward_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
+ /* INPUT/FORWARD: */
return ip6t_do_table(skb, hook, in, out,
dev_net(in)->ipv6.ip6table_security);
}
-static unsigned int
-ip6t_local_out_hook(unsigned int hook,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- /* TBD: handle short packets via raw socket */
- return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_security);
-}
-
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
- .hook = ip6t_local_in_hook,
+ .hook = ip6table_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_SECURITY,
},
{
- .hook = ip6t_forward_hook,
+ .hook = ip6table_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_SECURITY,
},
{
- .hook = ip6t_local_out_hook,
+ .hook = ip6table_security_hook,
.owner = THIS_MODULE,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
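Review bot: the `/* TBD: handle short packets via raw socket */` comment on the removed ip6t_local_out_hook is dropped without the TBD being addressed; the IPv4 counterpart keeps its `skb->len < sizeof(struct iphdr)` check on the LOCAL_OUT path while the IPv6 LOCAL_OUT branch of ip6table_security_hook has none. Either carry the comment over into the NF_INET_LOCAL_OUT branch or state in the changelog that it was removed deliberately.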
--
1.6.4
* [PATCH 2/6] netfilter: xtables: compact table hook functions
From: Jan Engelhardt @ 2009-08-10 19:19 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
The calls to ip6t_do_table only show minimal differences, so it seems
like a good cleanup to merge them into a single one too.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/arptable_filter.c | 8 ++------
net/ipv4/netfilter/iptable_filter.c | 18 +++++++-----------
net/ipv4/netfilter/iptable_raw.c | 16 +++++++---------
net/ipv4/netfilter/iptable_security.c | 18 +++++++-----------
net/ipv6/netfilter/ip6table_filter.c | 8 ++------
net/ipv6/netfilter/ip6table_raw.c | 8 ++------
net/ipv6/netfilter/ip6table_security.c | 8 ++------
7 files changed, 29 insertions(+), 55 deletions(-)
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index c9b3b71..b48ac6f 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -59,13 +59,9 @@ static unsigned int arptable_filter_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_ARP_OUT)
- return arpt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.arptable_filter);
+ const struct net *net = dev_net((in != NULL) ? in : out);
- /* INPUT/FORWARD: */
- return arpt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.arptable_filter);
+ return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter);
}
static struct nf_hook_ops arpt_ops[] __read_mostly = {
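Review bot: `dev_net((in != NULL) ? in : out)` is repeated verbatim in all seven tables touched by this patch; a small inline helper in x_tables.h (something like `xt_hook_net(in, out)`, name only a suggestion) would keep the rule in one place. The expression also relies on `in` being set at every hook that is not an output hook, which the removed `if (hook == NF_ARP_OUT)` branch made explicit; a one-line comment stating that invariant would help the next reader.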
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 84f197a..73bda90 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -67,19 +67,15 @@ iptable_filter_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_LOCAL_OUT) {
- if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr))
- /* root is playing with raw sockets. */
- return NF_ACCEPT;
-
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_filter);
- }
+ const struct net *net;
+
+ if (hook == NF_INET_LOCAL_OUT && (skb->len < sizeof(struct iphdr) ||
+ ip_hdrlen(skb) < sizeof(struct iphdr)))
+ /* root is playing with raw sockets. */
+ return NF_ACCEPT;
- /* LOCAL_IN/FORWARD: */
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_filter);
+ net = dev_net((in != NULL) ? in : out);
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
}
static struct nf_hook_ops ipt_ops[] __read_mostly = {
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index c6733c8..5fe83b2 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -51,17 +51,15 @@ iptable_raw_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_PRE_ROUTING)
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_raw);
-
- /* OUTPUT: */
- /* root is playing with raw sockets. */
- if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr))
+ const struct net *net;
+
+ if (hook == NF_INET_LOCAL_OUT && (skb->len < sizeof(struct iphdr) ||
+ ip_hdrlen(skb) < sizeof(struct iphdr)))
+ /* root is playing with raw sockets. */
return NF_ACCEPT;
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_raw);
+
+ net = dev_net((in != NULL) ? in : out);
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw);
}
/* 'raw' is the very first table. */
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index aef8ba9..a308219 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -71,19 +71,15 @@ iptable_security_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_LOCAL_OUT) {
- if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr))
- /* Somebody is playing with raw sockets. */
- return NF_ACCEPT;
-
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_security);
- }
-
- /* INPUT/FORWARD: */
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_security);
+ const struct net *net;
+
+ if (hook == NF_INET_LOCAL_OUT && (skb->len < sizeof(struct iphdr) ||
+ ip_hdrlen(skb) < sizeof(struct iphdr)))
+ /* Somebody is playing with raw sockets. */
+ return NF_ACCEPT;
+
+ net = dev_net((in != NULL) ? in : out);
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security);
}
static struct nf_hook_ops ipt_ops[] __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 175e408..c6ad7cd 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -66,13 +66,9 @@ ip6table_filter_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_LOCAL_OUT)
- return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_filter);
+ const struct net *net = dev_net((in != NULL) ? in : out);
- /* INPUT/FORWARD: */
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_filter);
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
}
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 4bef7a1..f7eaf54 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -50,13 +50,9 @@ ip6table_raw_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_PRE_ROUTING)
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_raw);
+ const struct net *net = dev_net((in != NULL) ? in : out);
- /* OUTPUT: */
- return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_raw);
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_raw);
}
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index a01c3c0..9c9fe7e 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -70,13 +70,9 @@ ip6table_security_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_LOCAL_OUT)
- return ip6t_do_table(skb, hook, in, out,
- dev_net(out)->ipv6.ip6table_security);
+ const struct net *net = dev_net((in != NULL) ? in : out);
- /* INPUT/FORWARD: */
- return ip6t_do_table(skb, hook, in, out,
- dev_net(in)->ipv6.ip6table_security);
+ return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_security);
}
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
--
1.6.4
* [PATCH 3/6] netfilter: xtables: generate nf_hook_ops on-demand
From: Jan Engelhardt @ 2009-08-10 19:19 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Nuking lots of repeated and only slightly deviating data definitions.
This should manifest itself in a few memory savings.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 4 ++
net/ipv4/netfilter/arptable_filter.c | 35 ++++-------------
net/ipv4/netfilter/iptable_filter.c | 35 ++++-------------
net/ipv4/netfilter/iptable_mangle.c | 51 ++++--------------------
net/ipv4/netfilter/iptable_raw.c | 29 ++++----------
net/ipv4/netfilter/iptable_security.c | 35 ++++-------------
net/ipv6/netfilter/ip6table_filter.c | 35 ++++-------------
net/ipv6/netfilter/ip6table_mangle.c | 53 +++++---------------------
net/ipv6/netfilter/ip6table_raw.c | 28 ++++----------
net/ipv6/netfilter/ip6table_security.c | 35 ++++-------------
net/netfilter/x_tables.c | 66 ++++++++++++++++++++++++++++++++
11 files changed, 145 insertions(+), 261 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 4fa6e4c..1a1e4d2 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -525,6 +525,10 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
return ret;
}
+extern struct nf_hook_ops *xt_hook_link(nf_hookfn *, uint8_t, int,
+ unsigned int, struct module *);
+extern void xt_hook_unlink(struct nf_hook_ops *, unsigned int);
+
#ifdef CONFIG_COMPAT
#include <net/compat.h>
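Review bot: the new prototypes have unnamed parameters, so a caller cannot tell from the header what the `uint8_t`, `int` and `unsigned int` arguments are; from the arptable_filter call site below they are the protocol family, the hook priority and the valid-hooks mask. Name them (`nf_hookfn *fn, uint8_t pf, int priority, unsigned int hook_mask, struct module *owner`) and add a kerneldoc comment saying that xt_hook_link returns an ERR_PTR on failure, since the callers use IS_ERR/PTR_ERR on the result and xt_hook_unlink must be passed the same mask.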
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index b48ac6f..e07045b 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -64,30 +64,6 @@ static unsigned int arptable_filter_hook(unsigned int hook,
return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter);
}
-static struct nf_hook_ops arpt_ops[] __read_mostly = {
- {
- .hook = arptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_ARP,
- .hooknum = NF_ARP_IN,
- .priority = NF_IP_PRI_FILTER,
- },
- {
- .hook = arptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_ARP,
- .hooknum = NF_ARP_OUT,
- .priority = NF_IP_PRI_FILTER,
- },
- {
- .hook = arptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_ARP,
- .hooknum = NF_ARP_FORWARD,
- .priority = NF_IP_PRI_FILTER,
- },
-};
-
static int __net_init arptable_filter_net_init(struct net *net)
{
/* Register table */
@@ -108,6 +84,8 @@ static struct pernet_operations arptable_filter_net_ops = {
.exit = arptable_filter_net_exit,
};
+static struct nf_hook_ops *arpfilter_ops;
+
static int __init arptable_filter_init(void)
{
int ret;
@@ -116,9 +94,12 @@ static int __init arptable_filter_init(void)
if (ret < 0)
return ret;
- ret = nf_register_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
- if (ret < 0)
+ arpfilter_ops = xt_hook_link(arptable_filter_hook, NFPROTO_ARP,
+ NF_IP_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(arpfilter_ops)) {
+ ret = PTR_ERR(arpfilter_ops);
goto cleanup_table;
+ }
return ret;
cleanup_table:
@@ -128,7 +109,7 @@ cleanup_table:
static void __exit arptable_filter_fini(void)
{
- nf_unregister_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
+ xt_hook_unlink(arpfilter_ops, FILTER_VALID_HOOKS);
unregister_pernet_subsys(&arptable_filter_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 73bda90..edfa552 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -78,30 +78,6 @@ iptable_filter_hook(unsigned int hook,
return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
}
-static struct nf_hook_ops ipt_ops[] __read_mostly = {
- {
- .hook = iptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP_PRI_FILTER,
- },
- {
- .hook = iptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP_PRI_FILTER,
- },
- {
- .hook = iptable_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP_PRI_FILTER,
- },
-};
-
/* Default to forward because I got too much mail already. */
static int forward = NF_ACCEPT;
module_param(forward, bool, 0000);
@@ -126,6 +102,8 @@ static struct pernet_operations iptable_filter_net_ops = {
.exit = iptable_filter_net_exit,
};
+static struct nf_hook_ops *filter_ops;
+
static int __init iptable_filter_init(void)
{
int ret;
@@ -143,9 +121,12 @@ static int __init iptable_filter_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- if (ret < 0)
+ filter_ops = xt_hook_link(iptable_filter_hook, NFPROTO_IPV4,
+ NF_IP_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(filter_ops)) {
+ ret = PTR_ERR(filter_ops);
goto cleanup_table;
+ }
return ret;
@@ -156,7 +137,7 @@ static int __init iptable_filter_init(void)
static void __exit iptable_filter_fini(void)
{
- nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ xt_hook_unlink(filter_ops, FILTER_VALID_HOOKS);
unregister_pernet_subsys(&iptable_filter_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 0dd4c67..a6840f6 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -96,7 +96,7 @@ ipt_local_hook(unsigned int hook,
daddr = iph->daddr;
tos = iph->tos;
- ret = ipt_do_table(skb, hook, in, out,
+ ret = ipt_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
dev_net(out)->ipv4.iptable_mangle);
/* Reroute for ANY change. */
if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE) {
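Review bot: this hunk changes behaviour beyond the patch subject: in the ipt_do_table() call, `hook` becomes the NF_INET_LOCAL_OUT constant and `in` becomes NULL. Passing NULL for the input device is only correct because ipt_local_hook is reached solely from the LOCAL_OUT hook, where there is no input device; that reasoning belongs in the changelog, or the change belongs in its own patch, since nothing in "generate nf_hook_ops on-demand" explains it. The same comment applies to the matching ip6t_local_out_hook hunk in ip6table_mangle.c.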
@@ -129,44 +129,6 @@ iptable_mangle_hook(unsigned int hook,
dev_net(in)->ipv4.iptable_mangle);
}
-static struct nf_hook_ops ipt_ops[] __read_mostly = {
- {
- .hook = iptable_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_PRE_ROUTING,
- .priority = NF_IP_PRI_MANGLE,
- },
- {
- .hook = iptable_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP_PRI_MANGLE,
- },
- {
- .hook = iptable_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP_PRI_MANGLE,
- },
- {
- .hook = iptable_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP_PRI_MANGLE,
- },
- {
- .hook = iptable_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_POST_ROUTING,
- .priority = NF_IP_PRI_MANGLE,
- },
-};
-
static int __net_init iptable_mangle_net_init(struct net *net)
{
/* Register table */
@@ -187,6 +149,8 @@ static struct pernet_operations iptable_mangle_net_ops = {
.exit = iptable_mangle_net_exit,
};
+static struct nf_hook_ops *mangle_ops;
+
static int __init iptable_mangle_init(void)
{
int ret;
@@ -196,9 +160,12 @@ static int __init iptable_mangle_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- if (ret < 0)
+ mangle_ops = xt_hook_link(iptable_mangle_hook, NFPROTO_IPV4,
+ NF_IP_PRI_MANGLE, MANGLE_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(mangle_ops)) {
+ ret = PTR_ERR(mangle_ops);
goto cleanup_table;
+ }
return ret;
@@ -209,7 +176,7 @@ static int __init iptable_mangle_init(void)
static void __exit iptable_mangle_fini(void)
{
- nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ xt_hook_unlink(mangle_ops, MANGLE_VALID_HOOKS);
unregister_pernet_subsys(&iptable_mangle_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 5fe83b2..9f85c9a 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -62,24 +62,6 @@ iptable_raw_hook(unsigned int hook,
return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw);
}
-/* 'raw' is the very first table. */
-static struct nf_hook_ops ipt_ops[] __read_mostly = {
- {
- .hook = iptable_raw_hook,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_PRE_ROUTING,
- .priority = NF_IP_PRI_RAW,
- .owner = THIS_MODULE,
- },
- {
- .hook = iptable_raw_hook,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP_PRI_RAW,
- .owner = THIS_MODULE,
- },
-};
-
static int __net_init iptable_raw_net_init(struct net *net)
{
/* Register table */
@@ -100,6 +82,8 @@ static struct pernet_operations iptable_raw_net_ops = {
.exit = iptable_raw_net_exit,
};
+static struct nf_hook_ops *rawtable_ops;
+
static int __init iptable_raw_init(void)
{
int ret;
@@ -109,9 +93,12 @@ static int __init iptable_raw_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- if (ret < 0)
+ rawtable_ops = xt_hook_link(iptable_raw_hook, NFPROTO_IPV4,
+ NF_IP_PRI_FIRST, RAW_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(rawtable_ops)) {
+ ret = PTR_ERR(rawtable_ops);
goto cleanup_table;
+ }
return ret;
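Review bot: the priority passed to xt_hook_link() here is NF_IP_PRI_FIRST, but the ipt_ops array this patch removes registered the raw table at NF_IP_PRI_RAW; the hunk therefore silently moves the IPv4 raw hooks to the very front of the chain, ahead of anything registered between NF_IP_PRI_FIRST and NF_IP_PRI_RAW. Keep `NF_IP_PRI_RAW` unless the reordering is intended, in which case the changelog should say so and explain why. The ip6table_raw.c hunk is consistent with its removed array (NF_IP6_PRI_FIRST before and after), so the two families now also differ in where "raw" sits.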
@@ -122,7 +109,7 @@ static int __init iptable_raw_init(void)
static void __exit iptable_raw_fini(void)
{
- nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ xt_hook_unlink(rawtable_ops, RAW_VALID_HOOKS);
unregister_pernet_subsys(&iptable_raw_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index a308219..ccb527e 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -82,30 +82,6 @@ iptable_security_hook(unsigned int hook,
return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security);
}
-static struct nf_hook_ops ipt_ops[] __read_mostly = {
- {
- .hook = iptable_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP_PRI_SECURITY,
- },
- {
- .hook = iptable_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP_PRI_SECURITY,
- },
- {
- .hook = iptable_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV4,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP_PRI_SECURITY,
- },
-};
-
static int __net_init iptable_security_net_init(struct net *net)
{
net->ipv4.iptable_security =
@@ -127,6 +103,8 @@ static struct pernet_operations iptable_security_net_ops = {
.exit = iptable_security_net_exit,
};
+static struct nf_hook_ops *sectbl_ops;
+
static int __init iptable_security_init(void)
{
int ret;
@@ -135,9 +113,12 @@ static int __init iptable_security_init(void)
if (ret < 0)
return ret;
- ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- if (ret < 0)
+ sectbl_ops = xt_hook_link(iptable_security_hook, NFPROTO_IPV4,
+ NF_IP_PRI_SECURITY, SECURITY_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(sectbl_ops)) {
+ ret = PTR_ERR(sectbl_ops);
goto cleanup_table;
+ }
return ret;
@@ -148,7 +129,7 @@ cleanup_table:
static void __exit iptable_security_fini(void)
{
- nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ xt_hook_unlink(sectbl_ops, SECURITY_VALID_HOOKS);
unregister_pernet_subsys(&iptable_security_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index c6ad7cd..2be11ee 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -71,30 +71,6 @@ ip6table_filter_hook(unsigned int hook,
return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
}
-static struct nf_hook_ops ip6t_ops[] __read_mostly = {
- {
- .hook = ip6table_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP6_PRI_FILTER,
- },
- {
- .hook = ip6table_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP6_PRI_FILTER,
- },
- {
- .hook = ip6table_filter_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP6_PRI_FILTER,
- },
-};
-
/* Default to forward because I got too much mail already. */
static int forward = NF_ACCEPT;
module_param(forward, bool, 0000);
@@ -119,6 +95,8 @@ static struct pernet_operations ip6table_filter_net_ops = {
.exit = ip6table_filter_net_exit,
};
+static struct nf_hook_ops *filter_ops;
+
static int __init ip6table_filter_init(void)
{
int ret;
@@ -136,9 +114,12 @@ static int __init ip6table_filter_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- if (ret < 0)
+ filter_ops = xt_hook_link(ip6table_filter_hook, NFPROTO_IPV6,
+ NF_IP6_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(filter_ops)) {
+ ret = PTR_ERR(filter_ops);
goto cleanup_table;
+ }
return ret;
@@ -149,7 +130,7 @@ static int __init ip6table_filter_init(void)
static void __exit ip6table_filter_fini(void)
{
- nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
+ xt_hook_unlink(filter_ops, FILTER_VALID_HOOKS);
unregister_pernet_subsys(&ip6table_filter_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 63abcec..500bfbe 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -96,7 +96,7 @@ ip6t_local_out_hook(unsigned int hook,
/* flowlabel and prio (includes version, which shouldn't change either */
flowlabel = *((u_int32_t *)ipv6_hdr(skb));
- ret = ip6t_do_table(skb, hook, in, out,
+ ret = ip6t_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
dev_net(out)->ipv6.ip6table_mangle);
if (ret != NF_DROP && ret != NF_STOLEN
@@ -118,51 +118,13 @@ ip6table_mangle_hook(unsigned int hook,
int (*okfn)(struct sk_buff *))
{
if (hook == NF_INET_LOCAL_OUT)
- return ip6t_loacl_out_hook(hook, skb, hook, in, okfn);
+ return ip6t_local_out_hook(hook, skb, in, out, okfn);
/* INPUT/FORWARD */
return ip6t_do_table(skb, hook, in, out,
dev_net(in)->ipv6.ip6table_mangle);
}
-static struct nf_hook_ops ip6t_ops[] __read_mostly = {
- {
- .hook = ip6table_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_PRE_ROUTING,
- .priority = NF_IP6_PRI_MANGLE,
- },
- {
- .hook = ip6table_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP6_PRI_MANGLE,
- },
- {
- .hook = ip6table_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP6_PRI_MANGLE,
- },
- {
- .hook = ip6table_mangle_out_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP6_PRI_MANGLE,
- },
- {
- .hook = ip6table_mangle_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_POST_ROUTING,
- .priority = NF_IP6_PRI_MANGLE,
- },
-};
-
static int __net_init ip6table_mangle_net_init(struct net *net)
{
/* Register table */
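Review bot: the line this hunk replaces, `ip6t_loacl_out_hook(hook, skb, hook, in, okfn)`, is a misspelled symbol with shifted arguments (`hook` where `in` belongs, `in` where `out` belongs), and the ops array removed in the same hunk still names `ip6table_mangle_out_hook`; neither matches the functions defined in this file, so the tree as left by the earlier patches of this series presumably does not build. Fold the corrected call `ip6t_local_out_hook(hook, skb, in, out, okfn)` into the patch that introduced the consolidated ip6table_mangle_hook so the series stays bisectable, and leave this patch to the nf_hook_ops change only.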
@@ -183,6 +145,8 @@ static struct pernet_operations ip6table_mangle_net_ops = {
.exit = ip6table_mangle_net_exit,
};
+static struct nf_hook_ops *mangle_ops;
+
static int __init ip6table_mangle_init(void)
{
int ret;
@@ -192,9 +156,12 @@ static int __init ip6table_mangle_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- if (ret < 0)
+ mangle_ops = xt_hook_link(ip6table_mangle_hook, NFPROTO_IPV6,
+ NF_IP6_PRI_MANGLE, MANGLE_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(mangle_ops)) {
+ ret = PTR_ERR(mangle_ops);
goto cleanup_table;
+ }
return ret;
@@ -205,7 +172,7 @@ static int __init ip6table_mangle_init(void)
static void __exit ip6table_mangle_fini(void)
{
- nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
+ xt_hook_unlink(mangle_ops, MANGLE_VALID_HOOKS);
unregister_pernet_subsys(&ip6table_mangle_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index f7eaf54..b8f9b41 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -55,23 +55,6 @@ ip6table_raw_hook(unsigned int hook,
return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_raw);
}
-static struct nf_hook_ops ip6t_ops[] __read_mostly = {
- {
- .hook = ip6table_raw_hook,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_PRE_ROUTING,
- .priority = NF_IP6_PRI_FIRST,
- .owner = THIS_MODULE,
- },
- {
- .hook = ip6table_raw_hook,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP6_PRI_FIRST,
- .owner = THIS_MODULE,
- },
-};
-
static int __net_init ip6table_raw_net_init(struct net *net)
{
/* Register table */
@@ -92,6 +75,8 @@ static struct pernet_operations ip6table_raw_net_ops = {
.exit = ip6table_raw_net_exit,
};
+static struct nf_hook_ops *rawtable_ops;
+
static int __init ip6table_raw_init(void)
{
int ret;
@@ -101,9 +86,12 @@ static int __init ip6table_raw_init(void)
return ret;
/* Register hooks */
- ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- if (ret < 0)
+ rawtable_ops = xt_hook_link(ip6table_raw_hook, NFPROTO_IPV6,
+ NF_IP6_PRI_FIRST, RAW_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(rawtable_ops)) {
+ ret = PTR_ERR(rawtable_ops);
goto cleanup_table;
+ }
return ret;
@@ -114,7 +102,7 @@ static int __init ip6table_raw_init(void)
static void __exit ip6table_raw_fini(void)
{
- nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
+ xt_hook_unlink(rawtable_ops, RAW_VALID_HOOKS);
unregister_pernet_subsys(&ip6table_raw_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 9c9fe7e..6eab20d 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -75,30 +75,6 @@ ip6table_security_hook(unsigned int hook,
return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_security);
}
-static struct nf_hook_ops ip6t_ops[] __read_mostly = {
- {
- .hook = ip6table_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_IN,
- .priority = NF_IP6_PRI_SECURITY,
- },
- {
- .hook = ip6table_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_FORWARD,
- .priority = NF_IP6_PRI_SECURITY,
- },
- {
- .hook = ip6table_security_hook,
- .owner = THIS_MODULE,
- .pf = NFPROTO_IPV6,
- .hooknum = NF_INET_LOCAL_OUT,
- .priority = NF_IP6_PRI_SECURITY,
- },
-};
-
static int __net_init ip6table_security_net_init(struct net *net)
{
net->ipv6.ip6table_security =
@@ -120,6 +96,8 @@ static struct pernet_operations ip6table_security_net_ops = {
.exit = ip6table_security_net_exit,
};
+static struct nf_hook_ops *sectbl_ops;
+
static int __init ip6table_security_init(void)
{
int ret;
@@ -128,9 +106,12 @@ static int __init ip6table_security_init(void)
if (ret < 0)
return ret;
- ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- if (ret < 0)
+ sectbl_ops = xt_hook_link(ip6table_security_hook, NFPROTO_IPV6,
+ NF_IP6_PRI_SECURITY, SECURITY_VALID_HOOKS, THIS_MODULE);
+ if (IS_ERR(sectbl_ops)) {
+ ret = PTR_ERR(sectbl_ops);
goto cleanup_table;
+ }
return ret;
@@ -141,7 +122,7 @@ cleanup_table:
static void __exit ip6table_security_fini(void)
{
- nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
+ xt_hook_unlink(sectbl_ops, SECURITY_VALID_HOOKS);
unregister_pernet_subsys(&ip6table_security_net_ops);
}
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 025d1a0..7e3f51d 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1090,6 +1090,72 @@ static const struct file_operations xt_target_ops = {
#endif /* CONFIG_PROC_FS */
+static unsigned int xt_hookmask_bitcount(unsigned int mask)
+{
+ unsigned int bits = 0;
+
+ for (; mask != 0; mask >>= 1)
+ if (mask & 1)
+ ++bits;
+ return bits;
+}
+
+/**
+ * xt_hook_link - set up hooks for a new table
+ * @fn: Hook function
+ * @nfproto: %NFPROTO_*
+ * @prio: n'th place within @nfproto's hook list (%NF_IP_PRI_*, etc.)
+ * @hook_mask: Requested hooks
+ *
+ * This function will take care of creating and registering the necessary
+ * Netfilter hooks for XT tables.
+ */
+struct nf_hook_ops *xt_hook_link(nf_hookfn *fn, uint8_t nfproto, int prio,
+ unsigned int hook_mask, struct module *owner)
+{
+ uint8_t i, num_hooks = xt_hookmask_bitcount(hook_mask);
+ uint8_t hooknum;
+ struct nf_hook_ops *ops;
+ int ret;
+
+ ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL);
+ if (ops == NULL)
+ return ERR_PTR(-ENOMEM);
+
+ for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0;
+ hook_mask >>= 1, ++hooknum) {
+ if (!(hook_mask & 1))
+ continue;
+ ops[i].hook = fn;
+ ops[i].owner = owner;
+ ops[i].pf = nfproto;
+ ops[i].hooknum = hooknum;
+ ops[i].priority = prio;
+ ++i;
+ }
+
+ ret = nf_register_hooks(ops, num_hooks);
+ if (ret < 0) {
+ kfree(ops);
+ return ERR_PTR(ret);
+ }
+
+ return ops;
+}
+EXPORT_SYMBOL_GPL(xt_hook_link);
+
+/**
+ * xt_hook_unlink - remove hooks for a table
+ * @ops: nf_hook_ops array as returned by nf_hook_link
+ * @hook_mask: the very same mask that was passed to nf_hook_link
+ */
+void xt_hook_unlink(struct nf_hook_ops *ops, unsigned int hook_mask)
+{
+ nf_unregister_hooks(ops, xt_hookmask_bitcount(hook_mask));
+ kfree(ops);
+}
+EXPORT_SYMBOL_GPL(xt_hook_unlink);
+
int xt_proto_init(struct net *net, u_int8_t af)
{
#ifdef CONFIG_PROC_FS
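Review bot: xt_hook_link() allocates the ops array with kmalloc() and then assigns only five fields, leaving the remaining members of each struct nf_hook_ops (the list head, and any field added later) uninitialised; `kcalloc(num_hooks, sizeof(*ops), GFP_KERNEL)` is the safer choice and costs nothing on this path. A hook_mask of 0 gives num_hooks == 0, a zero-length allocation, and a registration of an empty array that reports success; an early `return ERR_PTR(-EINVAL)` would turn a misconfigured table into an obvious error instead. In the kerneldoc, @owner is undocumented, and the xt_hook_unlink comment says "nf_hook_link" twice where xt_hook_link is meant.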
--
1.6.4

* [PATCH 4/6] netfilter: xtables: mark initial tables constant
From: Jan Engelhardt @ 2009-08-10 19:19 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
The inputted table is never modified, so should be considered const.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 2 +-
include/linux/netfilter_arp/arp_tables.h | 2 +-
include/linux/netfilter_bridge/ebtables.h | 2 +-
include/linux/netfilter_ipv4/ip_tables.h | 2 +-
include/linux/netfilter_ipv6/ip6_tables.h | 2 +-
net/bridge/netfilter/ebtable_broute.c | 2 +-
net/bridge/netfilter/ebtable_filter.c | 2 +-
net/bridge/netfilter/ebtables.c | 13 +++++++------
net/ipv4/netfilter/arp_tables.c | 3 ++-
net/ipv4/netfilter/arptable_filter.c | 4 ++--
net/ipv4/netfilter/ip_tables.c | 3 ++-
net/ipv4/netfilter/iptable_filter.c | 2 +-
net/ipv4/netfilter/iptable_mangle.c | 4 ++--
net/ipv4/netfilter/iptable_raw.c | 4 ++--
net/ipv4/netfilter/iptable_security.c | 4 ++--
net/ipv4/netfilter/nf_nat_rule.c | 4 ++--
net/ipv6/netfilter/ip6_tables.c | 3 ++-
net/ipv6/netfilter/ip6table_filter.c | 2 +-
net/ipv6/netfilter/ip6table_mangle.c | 4 ++--
net/ipv6/netfilter/ip6table_raw.c | 4 ++--
net/ipv6/netfilter/ip6table_security.c | 4 ++--
net/netfilter/x_tables.c | 7 ++++---
22 files changed, 42 insertions(+), 37 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 1a1e4d2..b71d9fa 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -407,7 +407,7 @@ extern int xt_check_target(struct xt_tgchk_param *,
unsigned int size, u_int8_t proto, bool inv_proto);
extern struct xt_table *xt_register_table(struct net *net,
- struct xt_table *table,
+ const struct xt_table *table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
extern void *xt_unregister_table(struct xt_table *table);
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 590ac3d..6fe3e6a 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -265,7 +265,7 @@ struct arpt_error
}
extern struct xt_table *arpt_register_table(struct net *net,
- struct xt_table *table,
+ const struct xt_table *table,
const struct arpt_replace *repl);
extern void arpt_unregister_table(struct xt_table *table);
extern unsigned int arpt_do_table(struct sk_buff *skb,
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index e40ddb9..ea281e6 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -301,7 +301,7 @@ struct ebt_table
#define EBT_ALIGN(s) (((s) + (__alignof__(struct ebt_replace)-1)) & \
~(__alignof__(struct ebt_replace)-1))
extern struct ebt_table *ebt_register_table(struct net *net,
- struct ebt_table *table);
+ const struct ebt_table *table);
extern void ebt_unregister_table(struct ebt_table *table);
extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 092bd50..61fafc8 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -245,7 +245,7 @@ ipt_get_target(struct ipt_entry *e)
extern void ipt_init(void) __init;
extern struct xt_table *ipt_register_table(struct net *net,
- struct xt_table *table,
+ const struct xt_table *table,
const struct ipt_replace *repl);
extern void ipt_unregister_table(struct xt_table *table);
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 1089e33..a64e145 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -306,7 +306,7 @@ ip6t_get_target(struct ip6t_entry *e)
extern void ip6t_init(void) __init;
extern struct xt_table *ip6t_register_table(struct net *net,
- struct xt_table *table,
+ const struct xt_table *table,
const struct ip6t_replace *repl);
extern void ip6t_unregister_table(struct xt_table *table);
extern unsigned int ip6t_do_table(struct sk_buff *skb,
diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c
index c751111..d32ab13 100644
--- a/net/bridge/netfilter/ebtable_broute.c
+++ b/net/bridge/netfilter/ebtable_broute.c
@@ -41,7 +41,7 @@ static int check(const struct ebt_table_info *info, unsigned int valid_hooks)
return 0;
}
-static struct ebt_table broute_table =
+static const struct ebt_table broute_table =
{
.name = "broute",
.table = &initial_table,
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c
index 4b988db..60b1a6c 100644
--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -50,7 +50,7 @@ static int check(const struct ebt_table_info *info, unsigned int valid_hooks)
return 0;
}
-static struct ebt_table frame_filter =
+static const struct ebt_table frame_filter =
{
.name = "filter",
.table = &initial_table,
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 37928d5..bd1c654 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1103,23 +1103,24 @@ free_newinfo:
return ret;
}
-struct ebt_table *ebt_register_table(struct net *net, struct ebt_table *table)
+struct ebt_table *
+ebt_register_table(struct net *net, const struct ebt_table *input_table)
{
struct ebt_table_info *newinfo;
- struct ebt_table *t;
+ struct ebt_table *t, *table;
struct ebt_replace_kernel *repl;
int ret, i, countersize;
void *p;
- if (!table || !(repl = table->table) || !repl->entries ||
- repl->entries_size == 0 ||
- repl->counters || table->private) {
+ if (input_table == NULL || (repl = input_table->table) == NULL ||
+ repl->entries == 0 || repl->entries_size == 0 ||
+ repl->counters != NULL || input_table->private != NULL) {
BUGPRINT("Bad table data for ebt_register_table!!!\n");
return ERR_PTR(-EINVAL);
}
/* Don't add one table to multiple lists. */
- table = kmemdup(table, sizeof(struct ebt_table), GFP_KERNEL);
+ table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
if (!table) {
ret = -ENOMEM;
goto out;
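Review bot: `repl->entries == 0` compares a pointer against the integer 0 while the neighbouring tests in the same condition use `== NULL`; write `repl->entries == NULL` for consistency (behaviour is identical). Otherwise the const conversion holds: input_table is only read in the validation block and copied with kmemdup() into the mutable local `table`, which is the one that gets linked into the list.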
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 7bc11ff..27774c9 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1778,7 +1778,8 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
return ret;
}
-struct xt_table *arpt_register_table(struct net *net, struct xt_table *table,
+struct xt_table *arpt_register_table(struct net *net,
+ const struct xt_table *table,
const struct arpt_replace *repl)
{
int ret;
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index e07045b..1828a77 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -15,7 +15,7 @@ MODULE_DESCRIPTION("arptables filter table");
#define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \
(1 << NF_ARP_FORWARD))
-static struct
+static const struct
{
struct arpt_replace repl;
struct arpt_standard entries[3];
@@ -45,7 +45,7 @@ static struct
.term = ARPT_ERROR_INIT,
};
-static struct xt_table packet_filter = {
+static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 0b43fd7..cde755d 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2065,7 +2065,8 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
return ret;
}
-struct xt_table *ipt_register_table(struct net *net, struct xt_table *table,
+struct xt_table *ipt_register_table(struct net *net,
+ const struct xt_table *table,
const struct ipt_replace *repl)
{
int ret;
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index edfa552..18bd254 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -53,7 +53,7 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_filter = {
+static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index a6840f6..a217de4 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -28,7 +28,7 @@ MODULE_DESCRIPTION("iptables mangle table");
(1 << NF_INET_POST_ROUTING))
/* Ouch - five different hooks? Maybe this should be a config option..... -- BC */
-static struct
+static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[5];
@@ -64,7 +64,7 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_mangler = {
+static const struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 9f85c9a..7767253 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -9,7 +9,7 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
-static struct
+static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[2];
@@ -36,7 +36,7 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_raw = {
+static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index ccb527e..118e514 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -27,7 +27,7 @@ MODULE_DESCRIPTION("iptables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
-static struct
+static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[3];
@@ -57,7 +57,7 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
-static struct xt_table security_table = {
+static const struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 6448a9b..9e81e0d 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -28,7 +28,7 @@
(1 << NF_INET_POST_ROUTING) | \
(1 << NF_INET_LOCAL_OUT))
-static struct
+static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[3];
@@ -58,7 +58,7 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
-static struct xt_table nat_table = {
+static const struct xt_table nat_table = {
.name = "nat",
.valid_hooks = NAT_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index a5d0c27..cc9f8ef 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2100,7 +2100,8 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
return ret;
}
-struct xt_table *ip6t_register_table(struct net *net, struct xt_table *table,
+struct xt_table *ip6t_register_table(struct net *net,
+ const struct xt_table *table,
const struct ip6t_replace *repl)
{
int ret;
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 2be11ee..c01d7c2 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -51,7 +51,7 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_filter = {
+static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 500bfbe..8765824 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -21,7 +21,7 @@ MODULE_DESCRIPTION("ip6tables mangle table");
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_POST_ROUTING))
-static struct
+static const struct
{
struct ip6t_replace repl;
struct ip6t_standard entries[5];
@@ -57,7 +57,7 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_mangler = {
+static const struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index b8f9b41..228a665 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -8,7 +8,7 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
-static struct
+static const struct
{
struct ip6t_replace repl;
struct ip6t_standard entries[2];
@@ -35,7 +35,7 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
-static struct xt_table packet_raw = {
+static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 6eab20d..7928087 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
-static struct
+static const struct
{
struct ip6t_replace repl;
struct ip6t_standard entries[3];
@@ -56,7 +56,7 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
-static struct xt_table security_table = {
+static const struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 7e3f51d..f7c4c39 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -736,16 +736,17 @@ xt_replace_table(struct xt_table *table,
}
EXPORT_SYMBOL_GPL(xt_replace_table);
-struct xt_table *xt_register_table(struct net *net, struct xt_table *table,
+struct xt_table *xt_register_table(struct net *net,
+ const struct xt_table *input_table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo)
{
int ret;
struct xt_table_info *private;
- struct xt_table *t;
+ struct xt_table *t, *table;
/* Don't add one object to multiple lists. */
- table = kmemdup(table, sizeof(struct xt_table), GFP_KERNEL);
+ table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
if (!table) {
ret = -ENOMEM;
goto out;
--
1.6.4
* [PATCH 5/6] netfilter: xtables: use xt_table for hook instantiation
From: Jan Engelhardt @ 2009-08-10 19:19 UTC
To: kaber; +Cc: netfilter-devel
The respective xt_table structures already have most of the metadata
needed for hook setup. Add a 'priority' field to struct xt_table so
that xt_hook_link() can be called with a reduced number of arguments.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 6 +++---
net/ipv4/netfilter/arptable_filter.c | 6 +++---
net/ipv4/netfilter/iptable_filter.c | 6 +++---
net/ipv4/netfilter/iptable_mangle.c | 6 +++---
net/ipv4/netfilter/iptable_raw.c | 6 +++---
net/ipv4/netfilter/iptable_security.c | 6 +++---
net/ipv6/netfilter/ip6table_filter.c | 6 +++---
net/ipv6/netfilter/ip6table_mangle.c | 6 +++---
net/ipv6/netfilter/ip6table_raw.c | 6 +++---
net/ipv6/netfilter/ip6table_security.c | 6 +++---
net/netfilter/x_tables.c | 18 ++++++++----------
11 files changed, 38 insertions(+), 40 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b71d9fa..2a47a01 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -363,6 +363,7 @@ struct xt_table
struct module *me;
u_int8_t af; /* address/protocol family */
+ int priority; /* hook order */
/* A unique name... */
const char name[XT_TABLE_MAXNAMELEN];
@@ -525,9 +526,8 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
return ret;
}
-extern struct nf_hook_ops *xt_hook_link(nf_hookfn *, uint8_t, int,
- unsigned int, struct module *);
-extern void xt_hook_unlink(struct nf_hook_ops *, unsigned int);
+extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
+extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
#ifdef CONFIG_COMPAT
#include <net/compat.h>
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 1828a77..d5e822a 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -50,6 +50,7 @@ static const struct xt_table packet_filter = {
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_ARP,
+ .priority = NF_IP_PRI_FILTER,
};
/* The work comes in here from netfilter.c */
@@ -94,8 +95,7 @@ static int __init arptable_filter_init(void)
if (ret < 0)
return ret;
- arpfilter_ops = xt_hook_link(arptable_filter_hook, NFPROTO_ARP,
- NF_IP_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ arpfilter_ops = xt_hook_link(&packet_filter, arptable_filter_hook);
if (IS_ERR(arpfilter_ops)) {
ret = PTR_ERR(arpfilter_ops);
goto cleanup_table;
@@ -109,7 +109,7 @@ cleanup_table:
static void __exit arptable_filter_fini(void)
{
- xt_hook_unlink(arpfilter_ops, FILTER_VALID_HOOKS);
+ xt_hook_unlink(&packet_filter, arpfilter_ops);
unregister_pernet_subsys(&arptable_filter_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 18bd254..7f631a3 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -58,6 +58,7 @@ static const struct xt_table packet_filter = {
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV4,
+ .priority = NF_IP_PRI_FILTER,
};
static unsigned int
@@ -121,8 +122,7 @@ static int __init iptable_filter_init(void)
return ret;
/* Register hooks */
- filter_ops = xt_hook_link(iptable_filter_hook, NFPROTO_IPV4,
- NF_IP_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ filter_ops = xt_hook_link(&packet_filter, iptable_filter_hook);
if (IS_ERR(filter_ops)) {
ret = PTR_ERR(filter_ops);
goto cleanup_table;
@@ -137,7 +137,7 @@ static int __init iptable_filter_init(void)
static void __exit iptable_filter_fini(void)
{
- xt_hook_unlink(filter_ops, FILTER_VALID_HOOKS);
+ xt_hook_unlink(&packet_filter, filter_ops);
unregister_pernet_subsys(&iptable_filter_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index a217de4..02be0d9 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -69,6 +69,7 @@ static const struct xt_table packet_mangler = {
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV4,
+ .priority = NF_IP_PRI_MANGLE,
};
static unsigned int
@@ -160,8 +161,7 @@ static int __init iptable_mangle_init(void)
return ret;
/* Register hooks */
- mangle_ops = xt_hook_link(iptable_mangle_hook, NFPROTO_IPV4,
- NF_IP_PRI_MANGLE, MANGLE_VALID_HOOKS, THIS_MODULE);
+ mangle_ops = xt_hook_link(&packet_mangler, iptable_mangle_hook);
if (IS_ERR(mangle_ops)) {
ret = PTR_ERR(mangle_ops);
goto cleanup_table;
@@ -176,7 +176,7 @@ static int __init iptable_mangle_init(void)
static void __exit iptable_mangle_fini(void)
{
- xt_hook_unlink(mangle_ops, MANGLE_VALID_HOOKS);
+ xt_hook_unlink(&packet_mangler, mangle_ops);
unregister_pernet_subsys(&iptable_mangle_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 7767253..8828ba5 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -41,6 +41,7 @@ static const struct xt_table packet_raw = {
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV4,
+ .priority = NF_IP_PRI_FIRST,
};
/* The work comes in here from netfilter.c. */
@@ -93,8 +94,7 @@ static int __init iptable_raw_init(void)
return ret;
/* Register hooks */
- rawtable_ops = xt_hook_link(iptable_raw_hook, NFPROTO_IPV4,
- NF_IP_PRI_FIRST, RAW_VALID_HOOKS, THIS_MODULE);
+ rawtable_ops = xt_hook_link(&packet_raw, iptable_raw_hook);
if (IS_ERR(rawtable_ops)) {
ret = PTR_ERR(rawtable_ops);
goto cleanup_table;
@@ -109,7 +109,7 @@ static int __init iptable_raw_init(void)
static void __exit iptable_raw_fini(void)
{
- xt_hook_unlink(rawtable_ops, RAW_VALID_HOOKS);
+ xt_hook_unlink(&packet_raw, rawtable_ops);
unregister_pernet_subsys(&iptable_raw_net_ops);
}
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 118e514..175cf0f 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -62,6 +62,7 @@ static const struct xt_table security_table = {
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV4,
+ .priority = NF_IP_PRI_SECURITY,
};
static unsigned int
@@ -113,8 +114,7 @@ static int __init iptable_security_init(void)
if (ret < 0)
return ret;
- sectbl_ops = xt_hook_link(iptable_security_hook, NFPROTO_IPV4,
- NF_IP_PRI_SECURITY, SECURITY_VALID_HOOKS, THIS_MODULE);
+ sectbl_ops = xt_hook_link(&security_table, iptable_security_hook);
if (IS_ERR(sectbl_ops)) {
ret = PTR_ERR(sectbl_ops);
goto cleanup_table;
@@ -129,7 +129,7 @@ cleanup_table:
static void __exit iptable_security_fini(void)
{
- xt_hook_unlink(sectbl_ops, SECURITY_VALID_HOOKS);
+ xt_hook_unlink(&security_table, sectbl_ops);
unregister_pernet_subsys(&iptable_security_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index c01d7c2..90cf866 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -56,6 +56,7 @@ static const struct xt_table packet_filter = {
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV6,
+ .priority = NF_IP6_PRI_FILTER,
};
/* The work comes in here from netfilter.c. */
@@ -114,8 +115,7 @@ static int __init ip6table_filter_init(void)
return ret;
/* Register hooks */
- filter_ops = xt_hook_link(ip6table_filter_hook, NFPROTO_IPV6,
- NF_IP6_PRI_FILTER, FILTER_VALID_HOOKS, THIS_MODULE);
+ filter_ops = xt_hook_link(&packet_filter, ip6table_filter_hook);
if (IS_ERR(filter_ops)) {
ret = PTR_ERR(filter_ops);
goto cleanup_table;
@@ -130,7 +130,7 @@ static int __init ip6table_filter_init(void)
static void __exit ip6table_filter_fini(void)
{
- xt_hook_unlink(filter_ops, FILTER_VALID_HOOKS);
+ xt_hook_unlink(&packet_filter, filter_ops);
unregister_pernet_subsys(&ip6table_filter_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 8765824..f6ca1b7 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -62,6 +62,7 @@ static const struct xt_table packet_mangler = {
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV6,
+ .priority = NF_IP6_PRI_MANGLE,
};
static unsigned int
@@ -156,8 +157,7 @@ static int __init ip6table_mangle_init(void)
return ret;
/* Register hooks */
- mangle_ops = xt_hook_link(ip6table_mangle_hook, NFPROTO_IPV6,
- NF_IP6_PRI_MANGLE, MANGLE_VALID_HOOKS, THIS_MODULE);
+ mangle_ops = xt_hook_link(&packet_mangler, ip6table_mangle_hook);
if (IS_ERR(mangle_ops)) {
ret = PTR_ERR(mangle_ops);
goto cleanup_table;
@@ -172,7 +172,7 @@ static int __init ip6table_mangle_init(void)
static void __exit ip6table_mangle_fini(void)
{
- xt_hook_unlink(mangle_ops, MANGLE_VALID_HOOKS);
+ xt_hook_unlink(&packet_mangler, mangle_ops);
unregister_pernet_subsys(&ip6table_mangle_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 228a665..4ddc1ff 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -40,6 +40,7 @@ static const struct xt_table packet_raw = {
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV6,
+ .priority = NF_IP6_PRI_FIRST,
};
/* The work comes in here from netfilter.c. */
@@ -86,8 +87,7 @@ static int __init ip6table_raw_init(void)
return ret;
/* Register hooks */
- rawtable_ops = xt_hook_link(ip6table_raw_hook, NFPROTO_IPV6,
- NF_IP6_PRI_FIRST, RAW_VALID_HOOKS, THIS_MODULE);
+ rawtable_ops = xt_hook_link(&packet_raw, ip6table_raw_hook);
if (IS_ERR(rawtable_ops)) {
ret = PTR_ERR(rawtable_ops);
goto cleanup_table;
@@ -102,7 +102,7 @@ static int __init ip6table_raw_init(void)
static void __exit ip6table_raw_fini(void)
{
- xt_hook_unlink(rawtable_ops, RAW_VALID_HOOKS);
+ xt_hook_unlink(&packet_raw, rawtable_ops);
unregister_pernet_subsys(&ip6table_raw_net_ops);
}
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 7928087..82f56a0 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -61,6 +61,7 @@ static const struct xt_table security_table = {
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV6,
+ .priority = NF_IP6_PRI_SECURITY,
};
static unsigned int
@@ -106,8 +107,7 @@ static int __init ip6table_security_init(void)
if (ret < 0)
return ret;
- sectbl_ops = xt_hook_link(ip6table_security_hook, NFPROTO_IPV6,
- NF_IP6_PRI_SECURITY, SECURITY_VALID_HOOKS, THIS_MODULE);
+ sectbl_ops = xt_hook_link(&security_table, ip6table_security_hook);
if (IS_ERR(sectbl_ops)) {
ret = PTR_ERR(sectbl_ops);
goto cleanup_table;
@@ -122,7 +122,7 @@ cleanup_table:
static void __exit ip6table_security_fini(void)
{
- xt_hook_unlink(sectbl_ops, SECURITY_VALID_HOOKS);
+ xt_hook_unlink(&security_table, sectbl_ops);
unregister_pernet_subsys(&ip6table_security_net_ops);
}
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index f7c4c39..46e0120 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1103,17 +1103,15 @@ static unsigned int xt_hookmask_bitcount(unsigned int mask)
/**
* xt_hook_link - set up hooks for a new table
+ * @table: table with metadata needed to set up hooks
* @fn: Hook function
- * @nfproto: %NFPROTO_*
- * @prio: n'th place within @nfproto's hook list (%NF_IP_PRI_*, etc.)
- * @hook_mask: Requested hooks
*
* This function will take care of creating and registering the necessary
* Netfilter hooks for XT tables.
*/
-struct nf_hook_ops *xt_hook_link(nf_hookfn *fn, uint8_t nfproto, int prio,
- unsigned int hook_mask, struct module *owner)
+struct nf_hook_ops *xt_hook_link(const struct xt_table *table, nf_hookfn *fn)
{
+ unsigned int hook_mask = table->valid_hooks;
uint8_t i, num_hooks = xt_hookmask_bitcount(hook_mask);
uint8_t hooknum;
struct nf_hook_ops *ops;
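Review bot: xt_hook_link() now derives the hook mask from table->valid_hooks instead of taking it as an argument, so a caller can no longer register a subset of the table's valid hooks; every converted caller in this patch previously passed the same *_VALID_HOOKS macro that its xt_table uses for .valid_hooks, so behaviour is unchanged, but the @table kerneldoc line should say that valid_hooks, me, af and priority are all consumed here, because a table that forgets to set .priority now silently registers its hooks at priority 0.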
@@ -1128,10 +1126,10 @@ struct nf_hook_ops *xt_hook_link(nf_hookfn *fn, uint8_t nfproto, int prio,
if (!(hook_mask & 1))
continue;
ops[i].hook = fn;
- ops[i].owner = owner;
- ops[i].pf = nfproto;
+ ops[i].owner = table->me;
+ ops[i].pf = table->af;
ops[i].hooknum = hooknum;
- ops[i].priority = prio;
+ ops[i].priority = table->priority;
++i;
}
@@ -1150,9 +1148,9 @@ EXPORT_SYMBOL_GPL(xt_hook_link);
* @ops: nf_hook_ops array as returned by nf_hook_link
* @hook_mask: the very same mask that was passed to nf_hook_link
*/
-void xt_hook_unlink(struct nf_hook_ops *ops, unsigned int hook_mask)
+void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops)
{
- nf_unregister_hooks(ops, xt_hookmask_bitcount(hook_mask));
+ nf_unregister_hooks(ops, xt_hookmask_bitcount(table->valid_hooks));
kfree(ops);
}
EXPORT_SYMBOL_GPL(xt_hook_unlink);
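Review bot: the kerneldoc directly above this hunk is now stale: @hook_mask is no longer a parameter, the new @table argument is undocumented, and both lines refer to nf_hook_link where the function is xt_hook_link. Suggest replacing the two @-lines with
 * @table: table whose ->valid_hooks selected the hooks
 * @ops: nf_hook_ops array as returned by xt_hook_link
so the comment matches the new signature.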
--
1.6.4
* [PATCH 6/6] netfilter: xtables: generate initial table on-demand
From: Jan Engelhardt @ 2009-08-10 19:19 UTC
To: kaber; +Cc: netfilter-devel
The static initial tables are pretty large, and after the net
namespace has been instantiated, they just hang around for nothing.
This commit removes them and creates tables on-demand at runtime when
needed.
Some numbers:
      text    data    bss      dec    hex filename
-  4043674  563169 512000  5118843 4e1b7b ./vmlinux[x86_64](before)
+  4045071  550177 512000  5107248 4dee30 ./vmlinux[x86_64](after)
=    +1397  -12992
===                        -11595
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 1 +
net/ipv4/netfilter/arptable_filter.c | 39 ++++-------------------
net/ipv4/netfilter/iptable_filter.c | 45 ++++++--------------------
net/ipv4/netfilter/iptable_mangle.c | 45 +++-----------------------
net/ipv4/netfilter/iptable_raw.c | 35 +++-----------------
net/ipv4/netfilter/iptable_security.c | 38 +++-------------------
net/ipv4/netfilter/nf_nat_rule.c | 38 +++-------------------
net/ipv6/netfilter/ip6table_filter.c | 45 ++++++--------------------
net/ipv6/netfilter/ip6table_mangle.c | 44 +++----------------------
net/ipv6/netfilter/ip6table_raw.c | 35 +++-----------------
net/ipv6/netfilter/ip6table_security.c | 38 +++-------------------
net/netfilter/x_tables.c | 54 +++++++++++++++++++++++++++++++-
12 files changed, 123 insertions(+), 334 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 2a47a01..bdcb2f6 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -528,6 +528,7 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
+extern void *xt_repldata_create(const struct xt_table *);
#ifdef CONFIG_COMPAT
#include <net/compat.h>
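Review bot: xt_repldata_create() is declared as returning void *, so callers assign the result to struct arpt_replace *, struct ipt_replace * or struct ip6t_replace * with no compile-time check that the pointee matches table->af. Document in its kerneldoc which replace structure is produced for each address family, and make sure the unsupported-af path returns NULL, since every caller in this series tests `repl == NULL` and would happily dereference anything else.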
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index d5e822a..c68a65e 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -6,6 +6,7 @@
*/
#include <linux/module.h>
+#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
MODULE_LICENSE("GPL");
@@ -15,36 +16,6 @@ MODULE_DESCRIPTION("arptables filter table");
#define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \
(1 << NF_ARP_FORWARD))
-static const struct
-{
- struct arpt_replace repl;
- struct arpt_standard entries[3];
- struct arpt_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "filter",
- .valid_hooks = FILTER_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct arpt_standard) * 3 + sizeof(struct arpt_error),
- .hook_entry = {
- [NF_ARP_IN] = 0,
- [NF_ARP_OUT] = sizeof(struct arpt_standard),
- [NF_ARP_FORWARD] = 2 * sizeof(struct arpt_standard),
- },
- .underflow = {
- [NF_ARP_IN] = 0,
- [NF_ARP_OUT] = sizeof(struct arpt_standard),
- [NF_ARP_FORWARD] = 2 * sizeof(struct arpt_standard),
- },
- },
- .entries = {
- ARPT_STANDARD_INIT(NF_ACCEPT), /* ARP_IN */
- ARPT_STANDARD_INIT(NF_ACCEPT), /* ARP_OUT */
- ARPT_STANDARD_INIT(NF_ACCEPT), /* ARP_FORWARD */
- },
- .term = ARPT_ERROR_INIT,
-};
-
static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
@@ -67,9 +38,13 @@ static unsigned int arptable_filter_hook(unsigned int hook,
static int __net_init arptable_filter_net_init(struct net *net)
{
- /* Register table */
+ struct arpt_replace *repl = xt_repldata_create(&packet_filter);
+
+ if (repl == NULL)
+ return -ENOMEM;
net->ipv4.arptable_filter =
- arpt_register_table(net, &packet_filter, &initial_table.repl);
+ arpt_register_table(net, &packet_filter, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.arptable_filter))
return PTR_ERR(net->ipv4.arptable_filter);
return 0;
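Review bot: kfree(repl) is issued before the IS_ERR() check on the value returned by arpt_register_table(), which is only safe if arpt_register_table() copies everything it needs out of repl and keeps no pointer into it. The same pattern is repeated in every converted *_net_init() in this patch, so a one-line comment at this first instance (or in the xt_repldata_create() kerneldoc) stating that the replace buffer is only needed for the duration of the register call would spare the next reader from verifying it.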
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 7f631a3..aac6d18 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -23,36 +23,6 @@ MODULE_DESCRIPTION("iptables filter table");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT))
-static struct
-{
- struct ipt_replace repl;
- struct ipt_standard entries[3];
- struct ipt_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "filter",
- .valid_hooks = FILTER_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
- .hook_entry = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
- },
- .underflow = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
- },
- },
- .entries = {
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IPT_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
@@ -85,9 +55,17 @@ module_param(forward, bool, 0000);
static int __net_init iptable_filter_net_init(struct net *net)
{
- /* Register table */
+ struct ipt_replace *repl = xt_repldata_create(&packet_filter);
+
+ if (repl == NULL)
+ return -ENOMEM;
+ /* Entry 1 is the FORWARD hook */
+ ((struct ipt_standard *)repl->entries)[1].target.verdict =
+ -forward - 1;
+
net->ipv4.iptable_filter =
- ipt_register_table(net, &packet_filter, &initial_table.repl);
+ ipt_register_table(net, &packet_filter, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.iptable_filter))
return PTR_ERR(net->ipv4.iptable_filter);
return 0;
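Review bot: the verdict patch `((struct ipt_standard *)repl->entries)[1].target.verdict = -forward - 1;` hard-codes the layout that xt_repldata_create() produces: standard entries in ascending hook order, so index 1 is FORWARD only because this table's hooks are LOCAL_IN, FORWARD and LOCAL_OUT (the removed initializer above encodes the same order in hook_entry). Consider locating the entry through repl->hook_entry[NF_INET_FORWARD], e.g. `(struct ipt_standard *)((char *)repl->entries + repl->hook_entry[NF_INET_FORWARD])`, or at least tie the comment to the hook order, so a change in how xt_repldata_create() lays out entries cannot silently set the policy of the wrong chain. Moving the assignment from module init into the per-namespace init is fine: `forward` is a module parameter with permissions 0000, so it is read-only after load and every namespace sees the same value.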
@@ -114,9 +92,6 @@ static int __init iptable_filter_init(void)
return -EINVAL;
}
- /* Entry 1 is the FORWARD hook */
- initial_table.entries[1].target.verdict = -forward - 1;
-
ret = register_pernet_subsys(&iptable_filter_net_ops);
if (ret < 0)
return ret;
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 02be0d9..86f38d9 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -27,43 +27,6 @@ MODULE_DESCRIPTION("iptables mangle table");
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_POST_ROUTING))
-/* Ouch - five different hooks? Maybe this should be a config option..... -- BC */
-static const struct
-{
- struct ipt_replace repl;
- struct ipt_standard entries[5];
- struct ipt_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "mangle",
- .valid_hooks = MANGLE_VALID_HOOKS,
- .num_entries = 6,
- .size = sizeof(struct ipt_standard) * 5 + sizeof(struct ipt_error),
- .hook_entry = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_IN] = sizeof(struct ipt_standard),
- [NF_INET_FORWARD] = sizeof(struct ipt_standard) * 2,
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 3,
- [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard) * 4,
- },
- .underflow = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_IN] = sizeof(struct ipt_standard),
- [NF_INET_FORWARD] = sizeof(struct ipt_standard) * 2,
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 3,
- [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard) * 4,
- },
- },
- .entries = {
- IPT_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
- },
- .term = IPT_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
@@ -132,9 +95,13 @@ iptable_mangle_hook(unsigned int hook,
static int __net_init iptable_mangle_net_init(struct net *net)
{
- /* Register table */
+ struct ipt_replace *repl = xt_repldata_create(&packet_mangler);
+
+ if (repl == NULL)
+ return -ENOMEM;
net->ipv4.iptable_mangle =
- ipt_register_table(net, &packet_mangler, &initial_table.repl);
+ ipt_register_table(net, &packet_mangler, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.iptable_mangle))
return PTR_ERR(net->ipv4.iptable_mangle);
return 0;
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 8828ba5..76d00bf 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -9,33 +9,6 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
-static const struct
-{
- struct ipt_replace repl;
- struct ipt_standard entries[2];
- struct ipt_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "raw",
- .valid_hooks = RAW_VALID_HOOKS,
- .num_entries = 3,
- .size = sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error),
- .hook_entry = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard)
- },
- .underflow = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard)
- },
- },
- .entries = {
- IPT_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IPT_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
@@ -65,9 +38,13 @@ iptable_raw_hook(unsigned int hook,
static int __net_init iptable_raw_net_init(struct net *net)
{
- /* Register table */
+ struct ipt_replace *repl = xt_repldata_create(&packet_raw);
+
+ if (repl == NULL)
+ return -ENOMEM;
net->ipv4.iptable_raw =
- ipt_register_table(net, &packet_raw, &initial_table.repl);
+ ipt_register_table(net, &packet_raw, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.iptable_raw))
return PTR_ERR(net->ipv4.iptable_raw);
return 0;
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 175cf0f..40c7e53 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -27,36 +27,6 @@ MODULE_DESCRIPTION("iptables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
-static const struct
-{
- struct ipt_replace repl;
- struct ipt_standard entries[3];
- struct ipt_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "security",
- .valid_hooks = SECURITY_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
- .hook_entry = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
- },
- .underflow = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
- },
- },
- .entries = {
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IPT_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
@@ -85,9 +55,13 @@ iptable_security_hook(unsigned int hook,
static int __net_init iptable_security_net_init(struct net *net)
{
- net->ipv4.iptable_security =
- ipt_register_table(net, &security_table, &initial_table.repl);
+ struct ipt_replace *repl = xt_repldata_create(&security_table);
+ if (repl == NULL)
+ return -ENOMEM;
+ net->ipv4.iptable_security =
+ ipt_register_table(net, &security_table, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.iptable_security))
return PTR_ERR(net->ipv4.iptable_security);
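Review bot: style: this is the only converted *_net_init() in the patch without a blank line between the `struct ipt_replace *repl = xt_repldata_create(&security_table);` declaration and the following `if (repl == NULL)`; the arptable_filter.c, iptable_mangle.c and iptable_raw.c hunks all have one, so add it here for consistency.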
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 9e81e0d..57f9d1d 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -28,36 +28,6 @@
(1 << NF_INET_POST_ROUTING) | \
(1 << NF_INET_LOCAL_OUT))
-static const struct
-{
- struct ipt_replace repl;
- struct ipt_standard entries[3];
- struct ipt_error term;
-} nat_initial_table __net_initdata = {
- .repl = {
- .name = "nat",
- .valid_hooks = NAT_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
- .hook_entry = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2
- },
- .underflow = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2
- },
- },
- .entries = {
- IPT_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
- IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
- IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IPT_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table nat_table = {
.name = "nat",
.valid_hooks = NAT_VALID_HOOKS,
@@ -186,8 +156,12 @@ static struct xt_target ipt_dnat_reg __read_mostly = {
static int __net_init nf_nat_rule_net_init(struct net *net)
{
- net->ipv4.nat_table = ipt_register_table(net, &nat_table,
- &nat_initial_table.repl);
+ struct ipt_replace *repl = xt_repldata_create(&nat_table);
+
+ if (repl == NULL)
+ return -ENOMEM;
+ net->ipv4.nat_table = ipt_register_table(net, &nat_table, repl);
+ kfree(repl);
if (IS_ERR(net->ipv4.nat_table))
return PTR_ERR(net->ipv4.nat_table);
return 0;
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 90cf866..dec2f7a 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -21,36 +21,6 @@ MODULE_DESCRIPTION("ip6tables filter table");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT))
-static struct
-{
- struct ip6t_replace repl;
- struct ip6t_standard entries[3];
- struct ip6t_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "filter",
- .valid_hooks = FILTER_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error),
- .hook_entry = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
- },
- .underflow = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
- },
- },
- .entries = {
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IP6T_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
@@ -78,9 +48,17 @@ module_param(forward, bool, 0000);
static int __net_init ip6table_filter_net_init(struct net *net)
{
- /* Register table */
+ struct ip6t_replace *repl = xt_repldata_create(&packet_filter);
+
+ if (repl == NULL)
+ return -ENOMEM;
+ /* Entry 1 is the FORWARD hook */
+ ((struct ip6t_standard *)repl->entries)[1].target.verdict =
+ -forward - 1;
+
net->ipv6.ip6table_filter =
- ip6t_register_table(net, &packet_filter, &initial_table.repl);
+ ip6t_register_table(net, &packet_filter, repl);
+ kfree(repl);
if (IS_ERR(net->ipv6.ip6table_filter))
return PTR_ERR(net->ipv6.ip6table_filter);
return 0;
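Review bot: as in the iptable_filter.c hunk, the cast `((struct ip6t_standard *)repl->entries)[1]` relies on xt_repldata_create() laying out standard entries in ascending hook order (LOCAL_IN, FORWARD, LOCAL_OUT) so that index 1 is FORWARD. Computing the entry from repl->hook_entry[NF_INET_FORWARD] instead, or factoring the "set the FORWARD policy from the forward parameter" step into a helper shared by the IPv4 and IPv6 filter tables, would remove the duplicated magic index.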
@@ -107,9 +85,6 @@ static int __init ip6table_filter_init(void)
return -EINVAL;
}
- /* Entry 1 is the FORWARD hook */
- initial_table.entries[1].target.verdict = -forward - 1;
-
ret = register_pernet_subsys(&ip6table_filter_net_ops);
if (ret < 0)
return ret;
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index f6ca1b7..33ea3f5 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -21,42 +21,6 @@ MODULE_DESCRIPTION("ip6tables mangle table");
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_POST_ROUTING))
-static const struct
-{
- struct ip6t_replace repl;
- struct ip6t_standard entries[5];
- struct ip6t_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "mangle",
- .valid_hooks = MANGLE_VALID_HOOKS,
- .num_entries = 6,
- .size = sizeof(struct ip6t_standard) * 5 + sizeof(struct ip6t_error),
- .hook_entry = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_IN] = sizeof(struct ip6t_standard),
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard) * 2,
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,
- [NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,
- },
- .underflow = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_IN] = sizeof(struct ip6t_standard),
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard) * 2,
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,
- [NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,
- },
- },
- .entries = {
- IP6T_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
- },
- .term = IP6T_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
@@ -128,9 +92,13 @@ ip6table_mangle_hook(unsigned int hook,
static int __net_init ip6table_mangle_net_init(struct net *net)
{
- /* Register table */
+ struct ip6t_replace *repl = xt_repldata_create(&packet_mangler);
+
+ if (repl == NULL)
+ return -ENOMEM;
net->ipv6.ip6table_mangle =
- ip6t_register_table(net, &packet_mangler, &initial_table.repl);
+ ip6t_register_table(net, &packet_mangler, repl);
+ kfree(repl);
if (IS_ERR(net->ipv6.ip6table_mangle))
return PTR_ERR(net->ipv6.ip6table_mangle);
return 0;
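Review bot: the unconditional `kfree(repl);` ahead of the IS_ERR() check is only correct because ip6t_register_table() copies the replace data instead of keeping the pointer (the const argument from 4/6 documents that); a one-line comment at the kfree would stop a later reader from taking it for a premature free. Separately, xt_repldata_create() returns void *, so the assignment to `struct ip6t_replace *repl` is unchecked; a typed per-family wrapper would let the compiler catch a mismatch.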
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 4ddc1ff..345bbe9 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -8,33 +8,6 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
-static const struct
-{
- struct ip6t_replace repl;
- struct ip6t_standard entries[2];
- struct ip6t_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "raw",
- .valid_hooks = RAW_VALID_HOOKS,
- .num_entries = 3,
- .size = sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error),
- .hook_entry = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
- },
- .underflow = {
- [NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
- },
- },
- .entries = {
- IP6T_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IP6T_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
@@ -58,9 +31,13 @@ ip6table_raw_hook(unsigned int hook,
static int __net_init ip6table_raw_net_init(struct net *net)
{
- /* Register table */
+ struct ip6t_replace *repl = xt_repldata_create(&packet_raw);
+
+ if (repl == NULL)
+ return -ENOMEM;
net->ipv6.ip6table_raw =
- ip6t_register_table(net, &packet_raw, &initial_table.repl);
+ ip6t_register_table(net, &packet_raw, repl);
+ kfree(repl);
if (IS_ERR(net->ipv6.ip6table_raw))
return PTR_ERR(net->ipv6.ip6table_raw);
return 0;
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 82f56a0..2fb2d4d 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -26,36 +26,6 @@ MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
-static const struct
-{
- struct ip6t_replace repl;
- struct ip6t_standard entries[3];
- struct ip6t_error term;
-} initial_table __net_initdata = {
- .repl = {
- .name = "security",
- .valid_hooks = SECURITY_VALID_HOOKS,
- .num_entries = 4,
- .size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error),
- .hook_entry = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2,
- },
- .underflow = {
- [NF_INET_LOCAL_IN] = 0,
- [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2,
- },
- },
- .entries = {
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
- IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
- },
- .term = IP6T_ERROR_INIT, /* ERROR */
-};
-
static const struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
@@ -78,9 +48,13 @@ ip6table_security_hook(unsigned int hook,
static int __net_init ip6table_security_net_init(struct net *net)
{
- net->ipv6.ip6table_security =
- ip6t_register_table(net, &security_table, &initial_table.repl);
+ struct ip6t_replace *repl = xt_repldata_create(&security_table);
+ if (repl == NULL)
+ return -ENOMEM;
+ net->ipv6.ip6table_security =
+ ip6t_register_table(net, &security_table, repl);
+ kfree(repl);
if (IS_ERR(net->ipv6.ip6table_security))
return PTR_ERR(net->ipv6.ip6table_security);
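Review bot: style: unlike the mangle and raw versions of this change, the new `struct ip6t_replace *repl = xt_repldata_create(&security_table);` declaration is not followed by a blank line before `if (repl == NULL)`; add one so the three files match and kernel style is kept.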
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 46e0120..eff972f 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -26,7 +26,9 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_arp.h>
-
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_arp/arp_tables.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
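Review bot: pulling ip_tables.h, ip6_tables.h and arp_tables.h into the family-independent x_tables.c inverts the existing layering (the family modules depend on x_tables, not the reverse), and the hunk also drops the blank line that separated the #include block from MODULE_LICENSE(); if the generator stays in this file, restore the blank line, otherwise moving the generator into the per-family files removes the need for these includes altogether.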
@@ -1155,6 +1157,56 @@ void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops)
}
EXPORT_SYMBOL_GPL(xt_hook_unlink);
+/*
+ * Today's hack: quantum tunneling in structs
+ *
+ * 'entries' and 'term' are never anywhere referenced by word in code. In fact,
+ * they serve as the hanging-off data accessed through repl.data[]!
+ */
+#define xt_repldata_mk(type, typ2) \
+ struct { \
+ struct type##_replace repl; \
+ struct type##_standard entries[nhooks]; \
+ struct type##_error term; \
+ } *tbl = kzalloc(sizeof(*tbl), GFP_KERNEL); \
+ if (tbl == NULL) \
+ return NULL; \
+ strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \
+ tbl->term = (struct type##_error)typ2##_ERROR_INIT; \
+ tbl->repl.valid_hooks = hook_mask; \
+ tbl->repl.num_entries = nhooks + 1; \
+ tbl->repl.size = nhooks * sizeof(struct type##_standard) + \
+ sizeof(struct type##_error); \
+ for (; hook_mask != 0; hook_mask >>= 1, ++hooknum) { \
+ if (!(hook_mask & 1)) \
+ continue; \
+ tbl->repl.hook_entry[hooknum] = bytes; \
+ tbl->repl.underflow[hooknum] = bytes; \
+ tbl->entries[i++] = (struct type##_standard) \
+ typ2##_STANDARD_INIT(NF_ACCEPT); \
+ bytes += sizeof(struct type##_standard); \
+ }
+
+void *xt_repldata_create(const struct xt_table *info)
+{
+ unsigned int hook_mask = info->valid_hooks;
+ unsigned int nhooks = xt_hookmask_bitcount(hook_mask);
+ unsigned int bytes = 0, hooknum = 0, i = 0;
+
+ if (info->af == NFPROTO_IPV6) {
+ xt_repldata_mk(ip6t, IP6T);
+ return tbl;
+ } else if (info->af == NFPROTO_IPV4) {
+ xt_repldata_mk(ipt, IPT);
+ return tbl;
+ } else if (info->af == NFPROTO_ARP) {
+ xt_repldata_mk(arpt, ARPT);
+ return tbl;
+ }
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(xt_repldata_create);
+
int xt_proto_init(struct net *net, u_int8_t af)
{
#ifdef CONFIG_PROC_FS
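Review bot: `strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name));` leaves repl.name unterminated when info->name fills the whole buffer; the kzalloc() zeroing only helps for shorter names, so use strlcpy() (or copy sizeof - 1 bytes) so the name handed to the register path is always NUL-terminated. Two smaller points on the same hunk: the macro declares `tbl`, contains a `return NULL` and relies on a variable-length array inside an anonymous struct (`entries[nhooks]`), all invisible at the call site; and because the `for` loop shifts hook_mask to zero, `tbl->repl.valid_hooks = hook_mask;` only works because it precedes the loop, which deserves a comment.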
--
1.6.4
* Re: [PATCH 1/6] netfilter: xtables: consolidate table hook functions
From: Jan Engelhardt @ 2009-08-10 20:12 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
On Monday 2009-08-10 21:19, Jan Engelhardt wrote:
>+/* The work comes in here from netfilter.c. */
>+static unsigned int
>+iptable_mangle_hook(unsigned int hook,
>+ struct sk_buff *skb,
>+ const struct net_device *in,
>+ const struct net_device *out,
>+ int (*okfn)(struct sk_buff *))
>+{
>+ if (hook == NF_INET_LOCAL_OUT)
>+ return ipt_local_hook(hook, skb, in, out, okfn);
>+
>+ /* PREROUTING/INPUT/FORWARD: */
>+ return ipt_do_table(skb, hook, in, out,
>+ dev_net(in)->ipv4.iptable_mangle);
>+}
And the little style nuances are already resolved in the git repo
(diffstat does not change, so I went for a quick repush before
anyone saw it) before we start arguing about the shade of pink
the bikeshed is supposed to have.
* Re: Pull request for Stomping Static Data
From: Jan Engelhardt @ 2009-08-16 10:19 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
On Monday 2009-08-10 21:19, Jan Engelhardt wrote:
>
>Summary:
> In this 6-patch set, large quantities of static data are
> eliminated and replaced by generate-at-runtime structures
> (memory savings outside of the initialization phase).
>
>
>The following changes since commit e2fe35c17fed62d4ab5038fa9bc489e967ff8416:
> Jan Engelhardt (1):
> netfilter: xtables: check for standard verdicts in policies
>
>are available in the git repository at:
>
> git://dev.medozas.de/linux master
So what's with it now? If there is no interest then at least say so.
* Re: [PATCH 1/6] netfilter: xtables: consolidate table hook functions
From: Patrick McHardy @ 2009-08-24 12:53 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> For a following patch in this series ("generate nf hook ops on
> demand"), we will be requiring that a single hook entry function per
> table does the processing. Were this not done, I would need to
> pass multiple hook functions as arguments in that later patch, which
> would not have been so nice.
>
> This also removes exact duplicates of some hook functions —
> ipt_pre_routing_hook, ipt_local_in_hook and ipt_forward_hook in
> iptable_mangle.c all did the same.
Removing duplicates is fine of course, but I don't like the
"consolidation" of multiple different hook functions very much.
You're trading more runtime overhead (admittedly not that much,
but those functions are heavily used) for a small "unification",
which doesn't seem like a good trade to me.
The second problem is that your automatically generated hook ops
can't even represent all the cases we have since some tables
actually do use different priorities for the different hooks.
And I'm not sure where the memory savings you claim should come
from, the hook ops are still required at runtime.
So please explain the benefit of these patches (1-3) in more
detail.
* Re: [PATCH 4/6] netfilter: xtables: mark initial tables constant
From: Patrick McHardy @ 2009-08-24 12:57 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> The inputted table is never modified, so should be considered const.
Applied, thanks.
* Re: [PATCH 6/6] netfilter: xtables: generate initial table on-demand
From: Patrick McHardy @ 2009-08-24 13:12 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> The static initial tables are pretty large, and after the net
> namespace has been instantiated, they just hang around for nothing.
> This commit removes them and creates tables on-demand at runtime when
> needed.
>
> Some numbers:
> text data bss dec hex filename
> -4043674 563169 512000 5118843 4e1b7b ./vmlinux[x86_64](before)
> +4045071 550177 512000 5107248 4dee30 ./vmlinux[x86_64](after)
> = +1397 -12992
> === -11595
They are actually freed when no network namespaces are used.
But I agree that this makes sense since distributors are going
to enable them.
> +/*
> + * Today's hack: quantum tunneling in structs
> + *
> + * 'entries' and 'term' are never anywhere referenced by word in code. In fact,
> + * they serve as the hanging-off data accessed through repl.data[]!
> + */
> +#define xt_repldata_mk(type, typ2) \
> + struct { \
> + struct type##_replace repl; \
> + struct type##_standard entries[nhooks]; \
> + struct type##_error term; \
> + } *tbl = kzalloc(sizeof(*tbl), GFP_KERNEL); \
> + if (tbl == NULL) \
> + return NULL; \
> + strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \
> + tbl->term = (struct type##_error)typ2##_ERROR_INIT; \
> + tbl->repl.valid_hooks = hook_mask; \
> + tbl->repl.num_entries = nhooks + 1; \
> + tbl->repl.size = nhooks * sizeof(struct type##_standard) + \
> + sizeof(struct type##_error); \
> + for (; hook_mask != 0; hook_mask >>= 1, ++hooknum) { \
> + if (!(hook_mask & 1)) \
> + continue; \
> + tbl->repl.hook_entry[hooknum] = bytes; \
> + tbl->repl.underflow[hooknum] = bytes; \
> + tbl->entries[i++] = (struct type##_standard) \
> + typ2##_STANDARD_INIT(NF_ACCEPT); \
> + bytes += sizeof(struct type##_standard); \
> + }
> +
> +void *xt_repldata_create(const struct xt_table *info)
> +{
> + unsigned int hook_mask = info->valid_hooks;
> + unsigned int nhooks = xt_hookmask_bitcount(hook_mask);
> + unsigned int bytes = 0, hooknum = 0, i = 0;
> +
> + if (info->af == NFPROTO_IPV6) {
> + xt_repldata_mk(ip6t, IP6T);
> + return tbl;
Would look slightly nicer if the above macro would "return"
the table, then you could simply do "return xt_repldata_mk(..);"
without using variables declared within the macro.
> + } else if (info->af == NFPROTO_IPV4) {
> + xt_repldata_mk(ipt, IPT);
> + return tbl;
> + } else if (info->af == NFPROTO_ARP) {
> + xt_repldata_mk(arpt, ARPT);
> + return tbl;
> + }
> + return NULL;
> +}
> +EXPORT_SYMBOL_GPL(xt_repldata_create);
How about adding this beauty to the respective address-family
specific files (ip_tables.c etc)? That would avoid some of the
bloat of the new function (apparently almost 1300 bytes) when
only some of those modules are used.
I also would prefer a nicer name, something like
xt_alloc_initial_table().
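A user-space model of the layout xt_repldata_create() derives from a table's valid_hooks, written as the plain function asked for above (it returns the table rather than declaring it inside a macro) and with the name copy always terminated. This is an added example, not the kernel's code: struct model_replace and repl_build() are stand-ins for struct ip6t_replace and the generator, and the entry sizes 100/40 are assumed values.

```c
/* Added example: user-space model of the layout xt_repldata_create() derives
 * from valid_hooks. Not kernel code: struct model_replace is a simplified
 * stand-in for struct ip6t_replace; entry sizes are caller-supplied. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hook numbers as in the kernel's NF_INET_* enum. */
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_NUMHOOKS };
#define XT_TABLE_MAXNAMELEN 32 /* same value as the kernel constant */
struct model_replace {
	char name[XT_TABLE_MAXNAMELEN];
	unsigned int valid_hooks, num_entries, size;
	unsigned int hook_entry[NF_INET_NUMHOOKS], underflow[NF_INET_NUMHOOKS];
};

/* One ACCEPT policy per hook in valid_hooks, in ascending hook order, plus
 * the terminating ERROR entry (std_size/err_size: bytes per standard/error
 * entry). NULL on allocation failure or on a mask bit >= NF_INET_NUMHOOKS. */
struct model_replace *repl_build(const char *name, unsigned int valid_hooks,
				 unsigned int std_size, unsigned int err_size)
{
	struct model_replace *r = calloc(1, sizeof(*r));
	unsigned int mask = valid_hooks, hooknum = 0, bytes = 0, nhooks = 0;

	if (r == NULL)
		return NULL;
	/* snprintf always terminates, unlike strncpy with the full buffer size. */
	snprintf(r->name, sizeof(r->name), "%s", name);
	r->valid_hooks = valid_hooks;	/* the unshifted mask */
	for (; mask != 0; mask >>= 1, ++hooknum) {
		if (!(mask & 1))
			continue;
		if (hooknum >= NF_INET_NUMHOOKS) {	/* would index past hook_entry[] */
			free(r);
			return NULL;
		}
		/* A hook's chain starts at, and underflows to, its own policy. */
		r->hook_entry[hooknum] = r->underflow[hooknum] = bytes;
		bytes += std_size;
		nhooks++;
	}
	r->num_entries = nhooks + 1;	/* policies plus ERROR */
	r->size = nhooks * std_size + err_size;
	return r;
}

int main(void)
{
	/* Same mask as the removed static ip6table_raw initial_table. */
	struct model_replace *r = repl_build("raw",
		(1u << NF_INET_PRE_ROUTING) | (1u << NF_INET_LOCAL_OUT), 100, 40);
	if (r == NULL)
		return 1;
	printf("LOCAL_OUT at %u, %u entries, %u bytes\n",
	       r->underflow[NF_INET_LOCAL_OUT], r->num_entries, r->size);
	free(r);
	return 0;
}
```

Fed the masks of the removed ip6table_mangle, raw and security initial tables, it yields the same hook_entry/underflow offsets those static initializers spelled out by hand.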
* Re: [PATCH 1/6] netfilter: xtables: consolidate table hook functions
From: Jan Engelhardt @ 2009-08-25 15:50 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Monday 2009-08-24 14:53, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> For a following patch in this series ("generate nf hook ops on
>> demand"), we will be requiring that a single hook entry function per
>> table does the processing. Were this not done, I would need to
>> pass multiple hook functions as arguments in that later patch, which
>> would not have been so nice.
>
>Removing duplicates is fine of course, but I don't like the
>"consolidation" of multiple different hook functions very much.
>You're trading more runtime overhead (admittedly not that much,
>but those functions are heavily used)
Heavily? Most systems run the initialization exactly once.
>The second problem is that your automatically generated hook ops
>can't even represent all the cases we have since some tables
>actually do use different priorities for the different hooks.
I never claimed it was a fits-it-all solution. The nat table
still has its original scheme.
>And I'm not sure where the memory savings you claim should come
>from, the hook ops are still required at runtime.
Hm, true. That's why someone is supposed to look over them :>
* Re: [PATCH 1/6] netfilter: xtables: consolidate table hook functions
From: Patrick McHardy @ 2009-08-26 12:53 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Monday 2009-08-24 14:53, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> For a following patch in this series ("generate nf hook ops on
>>> demand"), we will be requiring that a single hook entry function per
>>> table does the processing. Were this not done, I would need to
>>> pass multiple hook functions as arguments in that later patch, which
>>> would not have been so nice.
>> Removing duplicates is fine of course, but I don't like the
>> "consolidation" of multiple different hook functions very much.
>> You're trading more runtime overhead (admittedly not that much,
>> but those functions are heavily used)
>
> Heavily? Most systems run the initialization exactly once.
I'm talking about the hook functions.
>> The second problem is that your automatically generated hook ops
>> can't even represent all the cases we have since some tables
>> actually do use different priorities for the different hooks.
>
> I never claimed it was a fits-it-all solution. The nat table
> still has its original scheme.
>
>> And I'm not sure where the memory savings you claim should come
>> from, the hook ops are still required at runtime.
>
> Hm, true. That's why someone is supposed to look over them :>