From: Jan Engelhardt <jengelh@medozas.de>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net
Subject: [PATCH 07/56] netfilter: xtables2: initial rule skeletal functions
Date: Tue, 29 Jun 2010 10:42:47 +0200 [thread overview]
Message-ID: <1277801017-30600-8-git-send-email-jengelh@medozas.de> (raw)
In-Reply-To: <1277801017-30600-1-git-send-email-jengelh@medozas.de>
Whereas iptables and its derivatives (collectively, Xtables1) used a
serialized binary blob, Xtables2's internal layout will be linked
lists. This makes it possible to easily edit single rules later on
without userspace having to upload an entire table if it does not
want to.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 15 +++++++++++++++
net/netfilter/x_tables.c | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+), 0 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index a55d4a4..2d21185 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -407,12 +407,22 @@ struct xt_table_info {
struct xt2_table;
/**
+ * @anchor: list anchor for parent (xt2_chain.rule_list)
+ */
+struct xt2_rule {
+ struct list_head anchor;
+ struct xt2_chain *chain;
+};
+
+/**
* @anchor: list anchor for parent (xt2_table.chain_list)
+ * @rule_list: list of struct xt2_rule
* @name: name of chain
* @table: back link to table chain is contained in
*/
struct xt2_chain {
struct list_head anchor;
+ struct list_head rule_list;
char name[XT_EXTENSION_MAXNAMELEN];
struct xt2_table *table;
};
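Review bot: The new kerneldoc block for struct xt2_rule documents @anchor only; the @chain member added in the same hunk is undocumented, whereas the sibling struct xt2_chain documents its @table back link. Adding `* @chain: back link to chain the rule is contained in` above struct xt2_rule keeps the two structs described the same way. This is the only place in the header hunks where a new member lacks its kerneldoc line.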
@@ -439,6 +449,7 @@ enum {
* @name: name of this table
* @nfproto: nfproto the table is used exclusively with
* @entrypoint: start chains for hooks
+ * @underflow: base chain policy (rule)
* @owner: encompassing module
*/
struct xt2_table {
@@ -446,6 +457,7 @@ struct xt2_table {
char name[11];
uint8_t nfproto;
const struct xt2_chain *entrypoint[NF_INET_NUMHOOKS];
+ const struct xt2_rule *underflow[NF_INET_NUMHOOKS];
struct module *owner;
};
@@ -599,7 +611,10 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
+extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
+
extern struct xt2_chain *xt2_chain_new(struct xt2_table *, const char *);
+extern void xt2_chain_append(struct xt2_rule *);
extern struct xt2_table *xt2_table_new(void);
extern struct xt2_table_link *xt2_tlink_lookup(struct net *, const char *,
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index e807312..f23195e 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1238,6 +1238,26 @@ void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops)
}
EXPORT_SYMBOL_GPL(xt_hook_unlink);
+struct xt2_rule *xt2_rule_new(struct xt2_chain *chain)
+{
+ struct xt2_rule *rule;
+
+ rule = kmalloc(sizeof(*rule), GFP_KERNEL);
+ if (rule == NULL)
+ return NULL;
+
+ rule->chain = chain;
+ INIT_LIST_HEAD(&rule->anchor);
+ return rule;
+}
+EXPORT_SYMBOL_GPL(xt2_rule_new);
+
+static void xt2_rule_free(struct xt2_rule *rule)
+{
+ list_del(&rule->anchor);
+ kfree(rule);
+}
+
struct xt2_chain *xt2_chain_new(struct xt2_table *table, const char *name)
{
struct xt2_chain *chain;
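Review bot: xt2_rule_new is exported, but the only release routine, xt2_rule_free, is static, so a caller that fails between xt2_rule_new and xt2_chain_append has no matching function and must kfree() the rule itself; that becomes a leak or a double-free as soon as a rule owns anything beyond itself. Since INIT_LIST_HEAD in xt2_rule_new already makes the list_del() in xt2_rule_free safe on a never-appended rule, exporting xt2_rule_free and declaring it next to xt2_rule_new in x_tables.h is sufficient. xt2_rule_new also has no kerneldoc; a header such as `/** xt2_rule_new - allocate a rule bound to @chain; the rule is not linked into the chain until xt2_chain_append */` would state the ownership hand-off. xt2_chain_new's body continues past the end of this hunk.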
@@ -1248,6 +1268,7 @@ struct xt2_chain *xt2_chain_new(struct xt2_table *table, const char *name)
chain->table = table;
INIT_LIST_HEAD(&chain->anchor);
+ INIT_LIST_HEAD(&chain->rule_list);
if (name != NULL)
strncpy(chain->name, name, sizeof(chain->name));
else
@@ -1258,9 +1279,23 @@ struct xt2_chain *xt2_chain_new(struct xt2_table *table, const char *name)
}
EXPORT_SYMBOL_GPL(xt2_chain_new);
+/**
+ * Rules are completely constructed first before appending to the chain,
+ * to avoid incomplete rules being run through in xt2_do_action.
+ */
+void xt2_chain_append(struct xt2_rule *rule)
+{
+ list_add_tail(&rule->anchor, &rule->chain->rule_list);
+}
+EXPORT_SYMBOL_GPL(xt2_chain_append);
+
static void xt2_chain_free(struct xt2_chain *chain)
{
+ struct xt2_rule *rule, *next_rule;
+
list_del(&chain->anchor);
+ list_for_each_entry_safe(rule, next_rule, &chain->rule_list, anchor)
+ xt2_rule_free(rule);
kfree(chain);
}
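Review bot: The comment above xt2_chain_append says rules are appended only once complete so that xt2_do_action never sees a partial rule, which implies rule_list is read concurrently with modification; a plain list_add_tail() is only safe for that if every reader takes the same lock as the writer. If xt2_do_action (not part of this patch) is meant to walk rule_list under RCU, the append should be `list_add_tail_rcu(&rule->anchor, &rule->chain->rule_list);` and xt2_rule_free would then have to defer its kfree() past a grace period; if a table-wide lock is intended instead, the comment should say so. xt2_chain_append also dereferences rule->chain unconditionally while xt2_rule_new accepts a NULL chain, so either reject NULL in xt2_rule_new or document that a chain is mandatory. The existing comment would be clearer as kerneldoc, e.g. `/** xt2_chain_append - link a fully constructed @rule onto the tail of its chain's rule_list */`.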
--
1.7.1