From: "Maciej Żenczykowski" <zenczykowski@gmail.com>
To: "Maciej Żenczykowski" <maze@google.com>
Cc: netfilter-devel@vger.kernel.org, "Maciej Żenczykowski" <maze@google.com>
Subject: [PATCH 04/17] Delay (statically built) match/target initialization
Date: Thu, 31 Mar 2011 21:27:20 -0700	[thread overview]
Message-ID: <1301632053-3694-4-git-send-email-zenczykowski@gmail.com> (raw)
In-Reply-To: <AANLkTika7Hgg=AUkkoDE0QroXKnJvA8fr23q-trk8Wbv@mail.gmail.com>

From: Maciej Żenczykowski <maze@google.com>

Matches and targets built into the iptables static binary are always
registered as the binary starts up; this may (as a result of kernel
version support checking) cause modules to be autoloaded.

This is undesirable (for example it may cause CONNMARK target to load
and thus cause the kernel to load the conntrack module, which isn't a no-op).

Transition to a system where matches and targets are registered into
a pending list, from whence they get fully registered only when required.

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 xtables.c |   58 +++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 files changed, 53 insertions(+), 5 deletions(-)

diff --git a/xtables.c b/xtables.c
index 7d36742..4c708b8 100644
--- a/xtables.c
+++ b/xtables.c
@@ -174,10 +174,18 @@ static const char *xtables_libdir;
 /* the path to command to load kernel module */
 const char *xtables_modprobe_program;
 
-/* Keeping track of external matches and targets: linked lists.  */
+/* Keep track of matches/targets pending full registration: linked lists. */
+struct xtables_match *xtables_pending_matches;
+struct xtables_target *xtables_pending_targets;
+
+/* Keep track of fully registered external matches/targets: linked lists. */
 struct xtables_match *xtables_matches;
 struct xtables_target *xtables_targets;
 
+/* Fully register a match/target which was previously partially registered. */
+static void xtables_fully_register_pending_match(struct xtables_match *me);
+static void xtables_fully_register_pending_target(struct xtables_target *me);
+
 void xtables_init(void)
 {
 	xtables_libdir = getenv("XTABLES_LIBDIR");
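Review bot: `xtables_pending_matches` and `xtables_pending_targets` are defined with external linkage, yet the diffstat shows only xtables.c changing, so nothing declares them in a header and no other translation unit can reach them. Unless they are meant to become part of the libxtables API, file-local definitions keep the exported symbol set unchanged: `static struct xtables_match *xtables_pending_matches;` and `static struct xtables_target *xtables_pending_targets;`. The existing `xtables_matches`/`xtables_targets` presumably are declared in xtables.h; the new lists should either follow that route with a header change or stay `static`.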
@@ -556,6 +564,7 @@ struct xtables_match *
 xtables_find_match(const char *name, enum xtables_tryload tryload,
 		   struct xtables_rule_match **matches)
 {
+	struct xtables_match **dptr;
 	struct xtables_match *ptr;
 	const char *icmp6 = "icmp6";
 
@@ -571,6 +580,18 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 	     (strcmp(name,"icmp6") == 0) )
 		name = icmp6;
 
+	/* Trigger delayed initialization */
+	for (dptr = &xtables_pending_matches; *dptr; ) {
+		if (strcmp(name, (*dptr)->name) == 0) {
+			ptr = *dptr;
+			*dptr = (*dptr)->next;
+			ptr->next = NULL;
+			xtables_fully_register_pending_match(ptr);
+		} else {
+			dptr = &((*dptr)->next);
+		}
+	}
+
 	for (ptr = xtables_matches; ptr; ptr = ptr->next) {
 		if (strcmp(name, ptr->name) == 0) {
 			struct xtables_match *clone;
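Review bot: The pending-list walk relies on a re-entrancy invariant that is not written down: `xtables_fully_register_pending_match(ptr)` calls back into `xtables_find_match()` with the same name (the `XTF_DURING_LOAD` lookup in the later hunk), which walks and may unlink further same-name entries from `xtables_pending_matches` while this loop still holds `dptr`. It stays valid only because the callee unlinks nothing but same-name nodes, and the node owning the slot `dptr` points at was just compared and did not match (or `dptr` is the list head). Suggest a comment above the loop: `/* Re-entrant: the callee re-enters xtables_find_match() and may unlink other same-name pending entries; dptr stays valid because the node owning *dptr never matches name. */`. The same pattern and comment apply to the target loop in the hunk at `@@ -646`.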
@@ -636,6 +657,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 struct xtables_target *
 xtables_find_target(const char *name, enum xtables_tryload tryload)
 {
+	struct xtables_target **dptr;
 	struct xtables_target *ptr;
 
 	/* Standard target? */
@@ -646,6 +668,18 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
 	    || strcmp(name, XTC_LABEL_RETURN) == 0)
 		name = "standard";
 
+	/* Trigger delayed initialization */
+	for (dptr = &xtables_pending_targets; *dptr; ) {
+		if (strcmp(name, (*dptr)->name) == 0) {
+			ptr = *dptr;
+			*dptr = (*dptr)->next;
+			ptr->next = NULL;
+			xtables_fully_register_pending_target(ptr);
+		} else {
+			dptr = &((*dptr)->next);
+		}
+	}
+
 	for (ptr = xtables_targets; ptr; ptr = ptr->next) {
 		if (strcmp(name, ptr->name) == 0)
 			break;
@@ -757,8 +791,6 @@ static void xtables_check_options(const char *name, const struct option *opt)
 
 void xtables_register_match(struct xtables_match *me)
 {
-	struct xtables_match **i, *old;
-
 	if (me->version == NULL) {
 		fprintf(stderr, "%s: match %s<%u> is missing a version\n",
 		        xt_params->program_name, me->name, me->revision);
@@ -792,6 +824,15 @@ void xtables_register_match(struct xtables_match *me)
 	if (me->family != afinfo->family && me->family != AF_UNSPEC)
 		return;
 
+	/* place on linked list of matches pending full registration */
+	me->next = xtables_pending_matches;
+	xtables_pending_matches = me;
+}
+
+static void xtables_fully_register_pending_match(struct xtables_match *me)
+{
+	struct xtables_match **i, *old;
+
 	old = xtables_find_match(me->name, XTF_DURING_LOAD, NULL);
 	if (old) {
 		if (old->revision == me->revision &&
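Review bot: `xtables_fully_register_pending_match()` now carries the revision-compatibility check that `xtables_register_match()` used to run at startup, so any conflict it reports surfaces lazily on the first `xtables_find_match()` for that name rather than when the binary starts; neither the forward declaration nor the definition says so. A comment above the definition, `/* Called lazily from xtables_find_match(); re-enters it with XTF_DURING_LOAD, so a same-name duplicate is diagnosed at first lookup, not at startup. */`, would make the new contract explicit. Because `xtables_register_match()` pushes at the head of the pending list, same-name entries are now fully registered in reverse registration order; if the selection logic below is order-sensitive (it is outside the hunk, so I cannot tell), that is worth confirming. The target counterpart in the hunk at `@@ -880` has the same shape and deserves the same comment. The body of `xtables_fully_register_pending_match` continues past the end of the hunk.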
@@ -845,8 +886,6 @@ void xtables_register_matches(struct xtables_match *match, unsigned int n)
 
 void xtables_register_target(struct xtables_target *me)
 {
-	struct xtables_target *old;
-
 	if (me->version == NULL) {
 		fprintf(stderr, "%s: target %s<%u> is missing a version\n",
 		        xt_params->program_name, me->name, me->revision);
@@ -880,6 +919,15 @@ void xtables_register_target(struct xtables_target *me)
 	if (me->family != afinfo->family && me->family != AF_UNSPEC)
 		return;
 
+	/* place on linked list of targets pending full registration */
+	me->next = xtables_pending_targets;
+	xtables_pending_targets = me;
+}
+
+static void xtables_fully_register_pending_target(struct xtables_target *me)
+{
+	struct xtables_target *old;
+
 	old = xtables_find_target(me->name, XTF_DURING_LOAD);
 	if (old) {
 		struct xtables_target **i;
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

