* [PATCH nf-next 1/7] netfilter: remove checksum indirection in struct nf_afinfo
From: Pablo Neira Ayuso @ 2017-12-10 20:43 UTC (permalink / raw)
To: netfilter-devel
Simplify this infrastructure by replacing the indirection with a direct call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter.h | 19 +++----------------
include/linux/netfilter_ipv6.h | 13 +++++++++++--
net/ipv4/netfilter.c | 1 -
net/ipv6/netfilter.c | 1 -
net/netfilter/Makefile | 2 +-
net/netfilter/utils.c | 23 +++++++++++++++++++++++
6 files changed, 38 insertions(+), 21 deletions(-)
create mode 100644 net/netfilter/utils.c
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index fcb391a0fbd9..3ae4cfb92b54 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -311,8 +311,6 @@ struct nf_queue_entry;
struct nf_afinfo {
unsigned short family;
- __sum16 (*checksum)(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, u_int8_t protocol);
__sum16 (*checksum_partial)(struct sk_buff *skb,
unsigned int hook,
unsigned int dataoff,
@@ -333,20 +331,9 @@ static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family)
return rcu_dereference(nf_afinfo[family]);
}
-static inline __sum16
-nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff,
- u_int8_t protocol, unsigned short family)
-{
- const struct nf_afinfo *afinfo;
- __sum16 csum = 0;
-
- rcu_read_lock();
- afinfo = nf_get_afinfo(family);
- if (afinfo)
- csum = afinfo->checksum(skb, hook, dataoff, protocol);
- rcu_read_unlock();
- return csum;
-}
+__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, u_int8_t protocol,
+ unsigned short family);
static inline __sum16
nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 47c6b04c28c0..ea8c99e5112a 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -21,10 +21,19 @@ struct nf_ipv6_ops {
int (*output)(struct net *, struct sock *, struct sk_buff *));
};
-#ifdef CONFIG_NETFILTER
-int ip6_route_me_harder(struct net *net, struct sk_buff *skb);
+#if defined(CONFIG_IPV6)
__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol);
+#else
+static inline __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, u_int8_t protocol)
+{
+ return 0;
+}
+#endif
+
+#ifdef CONFIG_NETFILTER
+int ip6_route_me_harder(struct net *net, struct sk_buff *skb);
int ipv6_netfilter_init(void);
void ipv6_netfilter_fini(void);
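Review bot: The guard `#if defined(CONFIG_IPV6)` is false when IPv6 is built as a module, because kbuild then defines CONFIG_IPV6_MODULE instead, so the `static inline` stub is selected and nf_ip6_checksum() returns 0 without looking at the packet. Callers appear to treat 0 as "checksum valid" (not visible on this page), which would let unverified IPv6 packets through the checksum test; net/ipv6/netfilter.c would presumably also clash with the stub if it includes this header. `#if IS_ENABLED(CONFIG_IPV6)` covers both =y and =m. The same guard governs the stubs added to this header in patches 2/7 to 5/7.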
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index c0cc6aa8cfaa..2f7ffefd2732 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -188,7 +188,6 @@ static int nf_ip_route(struct net *net, struct dst_entry **dst,
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
- .checksum = nf_ip_checksum,
.checksum_partial = nf_ip_checksum_partial,
.route = nf_ip_route,
.saveroute = nf_ip_saveroute,
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 39970e212ad5..a24810ecc432 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -197,7 +197,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
- .checksum = nf_ip6_checksum,
.checksum_partial = nf_ip6_checksum_partial,
.route = nf_ip6_route,
.saveroute = nf_ip6_saveroute,
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index f78ed2470831..dea95fcb4e0a 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -1,5 +1,5 @@
# SPDX-License-Identifier: GPL-2.0
-netfilter-objs := core.o nf_log.o nf_queue.o nf_sockopt.o
+netfilter-objs := core.o nf_log.o nf_queue.o nf_sockopt.o utils.o
nf_conntrack-y := nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_expect.o nf_conntrack_helper.o nf_conntrack_proto.o nf_conntrack_l3proto_generic.o nf_conntrack_proto_generic.o nf_conntrack_proto_tcp.o nf_conntrack_proto_udp.o nf_conntrack_extend.o nf_conntrack_acct.o nf_conntrack_seqadj.o
nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMEOUT) += nf_conntrack_timeout.o
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
new file mode 100644
index 000000000000..92a51e507fab
--- /dev/null
+++ b/net/netfilter/utils.c
@@ -0,0 +1,23 @@
+#include <linux/kernel.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
+
+__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, u_int8_t protocol,
+ unsigned short family)
+{
+ __sum16 csum = 0;
+
+ switch (family) {
+ case AF_INET:
+ csum = nf_ip_checksum(skb, hook, dataoff, protocol);
+ break;
+ case AF_INET6:
+ csum = nf_ip6_checksum(skb, hook, dataoff, protocol);
+ break;
+ }
+
+ return csum;
+}
+EXPORT_SYMBOL_GPL(nf_checksum);
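Review bot: nf_checksum() now names nf_ip6_checksum directly, so utils.o, which the Makefile hunk adds to netfilter-objs, needs that symbol at link time, whereas the removed inline resolved it through nf_get_afinfo() and returned 0 when no IPv6 afinfo was registered. If IPv6 can be built as a module while this object is built in (Kconfig is not shown here), the link fails; where both are modules, the dependency would presumably load ipv6 on hosts that deliberately keep it out. The same applies to nf_checksum_partial() and nf_saveroute() in patches 2/7 and 3/7 and to the nf_ip6_route() callers converted in 4/7. Either constrain the users with `depends on IPV6 || IPV6=n` or keep the IPv6 side behind the existing `nf_get_ipv6_ops()` lookup. The new file also lacks the `// SPDX-License-Identifier: GPL-2.0` line that the Makefile carries.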
--
2.11.0
* [PATCH nf-next 2/7] netfilter: remove checksum_partial indirection in struct nf_afinfo
From: Pablo Neira Ayuso @ 2017-12-10 20:43 UTC (permalink / raw)
To: netfilter-devel
Simplify this infrastructure by replacing the indirection with a direct call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter.h | 25 +++----------------------
include/linux/netfilter_ipv4.h | 3 +++
include/linux/netfilter_ipv6.h | 11 +++++++++++
net/ipv4/netfilter.c | 7 +++----
net/ipv6/netfilter.c | 7 +++----
net/netfilter/utils.c | 21 +++++++++++++++++++++
6 files changed, 44 insertions(+), 30 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 3ae4cfb92b54..a2bb6fefde13 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -311,11 +311,6 @@ struct nf_queue_entry;
struct nf_afinfo {
unsigned short family;
- __sum16 (*checksum_partial)(struct sk_buff *skb,
- unsigned int hook,
- unsigned int dataoff,
- unsigned int len,
- u_int8_t protocol);
int (*route)(struct net *net, struct dst_entry **dst,
struct flowi *fl, bool strict);
void (*saveroute)(const struct sk_buff *skb,
@@ -334,23 +329,9 @@ static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family)
__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol,
unsigned short family);
-
-static inline __sum16
-nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, unsigned int len,
- u_int8_t protocol, unsigned short family)
-{
- const struct nf_afinfo *afinfo;
- __sum16 csum = 0;
-
- rcu_read_lock();
- afinfo = nf_get_afinfo(family);
- if (afinfo)
- csum = afinfo->checksum_partial(skb, hook, dataoff, len,
- protocol);
- rcu_read_unlock();
- return csum;
-}
+__sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol, unsigned short family);
int nf_register_afinfo(const struct nf_afinfo *afinfo);
void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 98c03b2462b5..6d61ec0a7695 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -9,4 +9,7 @@
int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type);
__sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol);
+__sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol);
#endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index ea8c99e5112a..729cc76cb3db 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -24,12 +24,23 @@ struct nf_ipv6_ops {
#if defined(CONFIG_IPV6)
__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol);
+__sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol);
#else
static inline __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol)
{
return 0;
}
+static inline__sum16 nf_ip6_checksum_partial(struct sk_buff *skb,
+ unsigned int hook,
+ unsigned int dataoff,
+ unsigned int len,
+ u_int8_t protocol)
+{
+ return 0;
+}
#endif
#ifdef CONFIG_NETFILTER
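Review bot: The stub added for the IPv6-disabled case reads `static inline__sum16 nf_ip6_checksum_partial(struct sk_buff *skb,` with no space between `inline` and `__sum16`, so the compiler sees a single unknown identifier and this header will not build when the `#else` branch is taken. It should read `static inline __sum16 nf_ip6_checksum_partial(struct sk_buff *skb,`. The hunk headers in patches 3/7 and 4/7 still show `static inline__sum16`, so the series does not correct it later.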
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 2f7ffefd2732..050b614662f8 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -155,9 +155,9 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
}
EXPORT_SYMBOL(nf_ip_checksum);
-static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, unsigned int len,
- u_int8_t protocol)
+__sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol)
{
const struct iphdr *iph = ip_hdr(skb);
__sum16 csum = 0;
@@ -188,7 +188,6 @@ static int nf_ip_route(struct net *net, struct dst_entry **dst,
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
- .checksum_partial = nf_ip_checksum_partial,
.route = nf_ip_route,
.saveroute = nf_ip_saveroute,
.reroute = nf_ip_reroute,
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index a24810ecc432..6e39b721136e 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -163,9 +163,9 @@ __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
}
EXPORT_SYMBOL(nf_ip6_checksum);
-static __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, unsigned int len,
- u_int8_t protocol)
+__sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol)
{
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
__wsum hsum;
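Review bot: nf_ip6_checksum_partial() loses `static` here, but no hunk in this patch adds an export for it, while nf_ip6_checksum directly above has `EXPORT_SYMBOL(nf_ip6_checksum);` and patch 3/7 adds `EXPORT_SYMBOL_GPL(nf_ip6_saveroute);`. If this file can be built into a module, the new caller in net/netfilter/utils.c cannot resolve the symbol. Add `EXPORT_SYMBOL_GPL(nf_ip6_checksum_partial);` after the function's closing brace, which lies outside this hunk.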
@@ -197,7 +197,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
- .checksum_partial = nf_ip6_checksum_partial,
.route = nf_ip6_route,
.saveroute = nf_ip6_saveroute,
.reroute = nf_ip6_reroute,
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
index 92a51e507fab..3fdad0c7b189 100644
--- a/net/netfilter/utils.c
+++ b/net/netfilter/utils.c
@@ -21,3 +21,24 @@ __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
return csum;
}
EXPORT_SYMBOL_GPL(nf_checksum);
+
+__sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol, unsigned short family)
+{
+ __sum16 csum = 0;
+
+ switch (family) {
+ case AF_INET:
+ csum = nf_ip_checksum_partial(skb, hook, dataoff, len,
+ protocol);
+ break;
+ case AF_INET6:
+ csum = nf_ip6_checksum_partial(skb, hook, dataoff, len,
+ protocol);
+ break;
+ }
+
+ return csum;
+}
+EXPORT_SYMBOL_GPL(nf_checksum_partial);
--
2.11.0
* [PATCH nf-next 3/7] netfilter: remove saveroute indirection in struct nf_afinfo
From: Pablo Neira Ayuso @ 2017-12-10 20:43 UTC (permalink / raw)
To: netfilter-devel
This is only used by nf_queue.c, and there we can replace it by a direct
function call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter.h | 3 +--
include/linux/netfilter_ipv4.h | 1 +
include/linux/netfilter_ipv6.h | 3 +++
net/ipv4/netfilter.c | 4 +---
net/ipv6/netfilter.c | 5 ++---
net/netfilter/nf_queue.c | 2 +-
net/netfilter/utils.c | 13 +++++++++++++
7 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index a2bb6fefde13..b3a46a374a89 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -313,8 +313,6 @@ struct nf_afinfo {
unsigned short family;
int (*route)(struct net *net, struct dst_entry **dst,
struct flowi *fl, bool strict);
- void (*saveroute)(const struct sk_buff *skb,
- struct nf_queue_entry *entry);
int (*reroute)(struct net *net, struct sk_buff *skb,
const struct nf_queue_entry *entry);
int route_key_size;
@@ -332,6 +330,7 @@ __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
__sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol, unsigned short family);
+void nf_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
int nf_register_afinfo(const struct nf_afinfo *afinfo);
void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 6d61ec0a7695..640337bfa4b9 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -12,4 +12,5 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
__sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol);
+void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 729cc76cb3db..d285181427a4 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -27,6 +27,7 @@ __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
__sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol);
+void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#else
static inline __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol)
@@ -41,6 +42,8 @@ static inline__sum16 nf_ip6_checksum_partial(struct sk_buff *skb,
{
return 0;
}
+static inline void nf_ip6_saveroute(const struct sk_buff *skb,
+ struct nf_queue_entry *entry) {}
#endif
#ifdef CONFIG_NETFILTER
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 050b614662f8..dc2021aaf885 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -92,8 +92,7 @@ struct ip_rt_info {
u_int32_t mark;
};
-static void nf_ip_saveroute(const struct sk_buff *skb,
- struct nf_queue_entry *entry)
+void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
{
struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -189,7 +188,6 @@ static int nf_ip_route(struct net *net, struct dst_entry **dst,
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
.route = nf_ip_route,
- .saveroute = nf_ip_saveroute,
.reroute = nf_ip_reroute,
.route_key_size = sizeof(struct ip_rt_info),
};
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 6e39b721136e..4894f030511e 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -79,8 +79,7 @@ struct ip6_rt_info {
u_int32_t mark;
};
-static void nf_ip6_saveroute(const struct sk_buff *skb,
- struct nf_queue_entry *entry)
+void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
{
struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -92,6 +91,7 @@ static void nf_ip6_saveroute(const struct sk_buff *skb,
rt_info->mark = skb->mark;
}
}
+EXPORT_SYMBOL_GPL(nf_ip6_saveroute);
static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
const struct nf_queue_entry *entry)
@@ -198,7 +198,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
.route = nf_ip6_route,
- .saveroute = nf_ip6_saveroute,
.reroute = nf_ip6_reroute,
.route_key_size = sizeof(struct ip6_rt_info),
};
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 0c02fdb7efc9..833710ee7654 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -144,7 +144,7 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
nf_queue_entry_get_refs(entry);
skb_dst_force(skb);
- afinfo->saveroute(skb, entry);
+ nf_saveroute(skb, entry);
status = qh->outfn(entry, queuenum);
if (status < 0) {
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
index 3fdad0c7b189..7d8c0fd283ee 100644
--- a/net/netfilter/utils.c
+++ b/net/netfilter/utils.c
@@ -2,6 +2,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
+#include <net/netfilter/nf_queue.h>
__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol,
@@ -42,3 +43,15 @@ __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
return csum;
}
EXPORT_SYMBOL_GPL(nf_checksum_partial);
+
+void nf_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
+{
+ switch (entry->state.pf) {
+ case AF_INET:
+ nf_ip_saveroute(skb, entry);
+ break;
+ case AF_INET6:
+ nf_ip6_saveroute(skb, entry);
+ break;
+ }
+}
--
2.11.0
* [PATCH nf-next 4/7] netfilter: remove route indirection in struct nf_afinfo
From: Pablo Neira Ayuso @ 2017-12-10 20:43 UTC (permalink / raw)
To: netfilter-devel
This is not needed, we call the afinfo->route indirection for cases
where we just checked for family a few lines before. This patch also
adapts existing clients of this to use the direct call invocation.
Update clients of this indirection to use nf_ip_route() and
nf_ip6_route() where needed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter.h | 2 --
include/linux/netfilter_ipv4.h | 2 ++
include/linux/netfilter_ipv6.h | 7 +++++++
net/ipv4/netfilter.c | 6 +++---
net/ipv6/netfilter.c | 6 +++---
net/ipv6/netfilter/nft_fib_ipv6.c | 9 ++-------
net/netfilter/nf_conntrack_h323_main.c | 23 +++++++++--------------
net/netfilter/nft_rt.c | 17 +++++++----------
net/netfilter/xt_TCPMSS.c | 6 ++----
net/netfilter/xt_addrtype.c | 22 +++++++---------------
10 files changed, 42 insertions(+), 58 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index b3a46a374a89..e703b26025ec 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -311,8 +311,6 @@ struct nf_queue_entry;
struct nf_afinfo {
unsigned short family;
- int (*route)(struct net *net, struct dst_entry **dst,
- struct flowi *fl, bool strict);
int (*reroute)(struct net *net, struct sk_buff *skb,
const struct nf_queue_entry *entry);
int route_key_size;
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 640337bfa4b9..d3a4c2d3f16b 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -12,5 +12,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
__sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol);
+int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
+ bool strict);
void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index d285181427a4..cf26146f4425 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -27,6 +27,8 @@ __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
__sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol);
+int nf_ip6_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
+ bool strict);
void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#else
static inline __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
@@ -42,6 +44,11 @@ static inline__sum16 nf_ip6_checksum_partial(struct sk_buff *skb,
{
return 0;
}
+static inline int nf_ip6_route(struct net *net, struct dst_entry **dst,
+ struct flowi *fl, bool strict)
+{
+ return -EOPNOTSUPP;
+}
static inline void nf_ip6_saveroute(const struct sk_buff *skb,
struct nf_queue_entry *entry) {}
#endif
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index dc2021aaf885..c6ba5770af0a 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -175,8 +175,8 @@ __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
return csum;
}
-static int nf_ip_route(struct net *net, struct dst_entry **dst,
- struct flowi *fl, bool strict __always_unused)
+int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
+ bool strict __always_unused)
{
struct rtable *rt = ip_route_output_key(net, &fl->u.ip4);
if (IS_ERR(rt))
@@ -184,10 +184,10 @@ static int nf_ip_route(struct net *net, struct dst_entry **dst,
*dst = &rt->dst;
return 0;
}
+EXPORT_SYMBOL(nf_ip_route);
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
- .route = nf_ip_route,
.reroute = nf_ip_reroute,
.route_key_size = sizeof(struct ip_rt_info),
};
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 4894f030511e..72364f09253a 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -108,8 +108,8 @@ static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
return 0;
}
-static int nf_ip6_route(struct net *net, struct dst_entry **dst,
- struct flowi *fl, bool strict)
+int nf_ip6_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
+ bool strict)
{
static const struct ipv6_pinfo fake_pinfo;
static const struct inet_sock fake_sk = {
@@ -129,6 +129,7 @@ static int nf_ip6_route(struct net *net, struct dst_entry **dst,
*dst = result;
return err;
}
+EXPORT_SYMBOL_GPL(nf_ip6_route);
__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol)
@@ -197,7 +198,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
- .route = nf_ip6_route,
.reroute = nf_ip6_reroute,
.route_key_size = sizeof(struct ip6_rt_info),
};
diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
index 54b5899543ef..7fb4651957f1 100644
--- a/net/ipv6/netfilter/nft_fib_ipv6.c
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c
@@ -60,7 +60,6 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
{
const struct net_device *dev = NULL;
const struct nf_ipv6_ops *v6ops;
- const struct nf_afinfo *afinfo;
int route_err, addrtype;
struct rt6_info *rt;
struct flowi6 fl6 = {
@@ -69,10 +68,6 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
};
u32 ret = 0;
- afinfo = nf_get_afinfo(NFPROTO_IPV6);
- if (!afinfo)
- return RTN_UNREACHABLE;
-
if (priv->flags & NFTA_FIB_F_IIF)
dev = nft_in(pkt);
else if (priv->flags & NFTA_FIB_F_OIF)
@@ -84,8 +79,8 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
if (dev && v6ops && v6ops->chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
ret = RTN_LOCAL;
- route_err = afinfo->route(nft_net(pkt), (struct dst_entry **)&rt,
- flowi6_to_flowi(&fl6), false);
+ route_err = nf_ip6_route(nft_net(pkt), (struct dst_entry **)&rt,
+ flowi6_to_flowi(&fl6), false);
if (route_err)
goto err;
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 7f0e0f66e488..3009af56e194 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -25,6 +25,7 @@
#include <net/route.h>
#include <net/ip6_route.h>
+#include <linux/netfilter_ipv6.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_tuple.h>
@@ -721,14 +722,8 @@ static int callforward_do_filter(struct net *net,
const union nf_inet_addr *dst,
u_int8_t family)
{
- const struct nf_afinfo *afinfo;
int ret = 0;
- /* rcu_read_lock()ed by nf_hook_thresh */
- afinfo = nf_get_afinfo(family);
- if (!afinfo)
- return 0;
-
switch (family) {
case AF_INET: {
struct flowi4 fl1, fl2;
@@ -739,10 +734,10 @@ static int callforward_do_filter(struct net *net,
memset(&fl2, 0, sizeof(fl2));
fl2.daddr = dst->ip;
- if (!afinfo->route(net, (struct dst_entry **)&rt1,
- flowi4_to_flowi(&fl1), false)) {
- if (!afinfo->route(net, (struct dst_entry **)&rt2,
- flowi4_to_flowi(&fl2), false)) {
+ if (!nf_ip_route(net, (struct dst_entry **)&rt1,
+ flowi4_to_flowi(&fl1), false)) {
+ if (!nf_ip_route(net, (struct dst_entry **)&rt2,
+ flowi4_to_flowi(&fl2), false)) {
if (rt_nexthop(rt1, fl1.daddr) ==
rt_nexthop(rt2, fl2.daddr) &&
rt1->dst.dev == rt2->dst.dev)
@@ -763,10 +758,10 @@ static int callforward_do_filter(struct net *net,
memset(&fl2, 0, sizeof(fl2));
fl2.daddr = dst->in6;
- if (!afinfo->route(net, (struct dst_entry **)&rt1,
- flowi6_to_flowi(&fl1), false)) {
- if (!afinfo->route(net, (struct dst_entry **)&rt2,
- flowi6_to_flowi(&fl2), false)) {
+ if (!nf_ip6_route(net, (struct dst_entry **)&rt1,
+ flowi6_to_flowi(&fl1), false)) {
+ if (!nf_ip6_route(net, (struct dst_entry **)&rt2,
+ flowi6_to_flowi(&fl2), false)) {
if (ipv6_addr_equal(rt6_nexthop(rt1, &fl1.daddr),
rt6_nexthop(rt2, &fl2.daddr)) &&
rt1->dst.dev == rt2->dst.dev)
diff --git a/net/netfilter/nft_rt.c b/net/netfilter/nft_rt.c
index a6b7d05aeacf..87ee16be033b 100644
--- a/net/netfilter/nft_rt.c
+++ b/net/netfilter/nft_rt.c
@@ -12,6 +12,7 @@
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
+#include <linux/netfilter_ipv6.h>
#include <net/dst.h>
#include <net/ip6_route.h>
#include <net/route.h>
@@ -27,7 +28,7 @@ static u16 get_tcpmss(const struct nft_pktinfo *pkt, const struct dst_entry *skb
{
u32 minlen = sizeof(struct ipv6hdr), mtu = dst_mtu(skbdst);
const struct sk_buff *skb = pkt->skb;
- const struct nf_afinfo *ai;
+ struct dst_entry *dst = NULL;
struct flowi fl;
memset(&fl, 0, sizeof(fl));
@@ -36,22 +37,18 @@ static u16 get_tcpmss(const struct nft_pktinfo *pkt, const struct dst_entry *skb
case NFPROTO_IPV4:
fl.u.ip4.daddr = ip_hdr(skb)->saddr;
minlen = sizeof(struct iphdr) + sizeof(struct tcphdr);
+ nf_ip_route(nft_net(pkt), &dst, &fl, false);
break;
case NFPROTO_IPV6:
fl.u.ip6.daddr = ipv6_hdr(skb)->saddr;
minlen = sizeof(struct ipv6hdr) + sizeof(struct tcphdr);
+ nf_ip6_route(nft_net(pkt), &dst, &fl, false);
break;
}
- ai = nf_get_afinfo(nft_pf(pkt));
- if (ai) {
- struct dst_entry *dst = NULL;
-
- ai->route(nft_net(pkt), &dst, &fl, false);
- if (dst) {
- mtu = min(mtu, dst_mtu(dst));
- dst_release(dst);
- }
+ if (dst) {
+ mtu = min(mtu, dst_mtu(dst));
+ dst_release(dst);
}
if (mtu <= minlen || mtu > 0xffff)
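Review bot: The results of `nf_ip_route()` and `nf_ip6_route()` are discarded in get_tcpmss(), and the following `if (dst)` is the only failure check, so correctness rests on both helpers leaving `*dst` untouched when they fail. The IPv4 helper's context lines in this patch show an early return before the store, but for nf_ip6_route only `*dst = result;` followed by `return err;` is visible, so that guarantee cannot be confirmed from here. Testing the return value before using `dst` would make the caller independent of it; at minimum add a comment on both helpers such as `/* On error, *dst is left unchanged. */` once that is verified. tcpmss_reverse_mtu() in xt_TCPMSS.c follows the same pattern, and get_tcpmss() begins and ends outside this hunk.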
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 9dae4d665965..f06b9c2697e9 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -48,7 +48,6 @@ static u_int32_t tcpmss_reverse_mtu(struct net *net,
unsigned int family)
{
struct flowi fl;
- const struct nf_afinfo *ai;
struct rtable *rt = NULL;
u_int32_t mtu = ~0U;
@@ -56,15 +55,14 @@ static u_int32_t tcpmss_reverse_mtu(struct net *net,
struct flowi4 *fl4 = &fl.u.ip4;
memset(fl4, 0, sizeof(*fl4));
fl4->daddr = ip_hdr(skb)->saddr;
+ nf_ip_route(net, (struct dst_entry **)&rt, &fl, false);
} else {
struct flowi6 *fl6 = &fl.u.ip6;
memset(fl6, 0, sizeof(*fl6));
fl6->daddr = ipv6_hdr(skb)->saddr;
+ nf_ip6_route(net, (struct dst_entry **)&rt, &fl, false);
}
- ai = nf_get_afinfo(family);
- if (ai != NULL)
- ai->route(net, (struct dst_entry **)&rt, &fl, false);
if (rt != NULL) {
mtu = dst_mtu(&rt->dst);
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
index 3b2be2ae6987..4b8ecd0d9ae8 100644
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -36,7 +36,7 @@ MODULE_ALIAS("ip6t_addrtype");
static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
const struct in6_addr *addr, u16 mask)
{
- const struct nf_afinfo *afinfo;
+ const struct nf_ipv6_ops *v6ops;
struct flowi6 flow;
struct rt6_info *rt;
u32 ret = 0;
@@ -47,21 +47,13 @@ static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
if (dev)
flow.flowi6_oif = dev->ifindex;
- afinfo = nf_get_afinfo(NFPROTO_IPV6);
- if (afinfo != NULL) {
- const struct nf_ipv6_ops *v6ops;
-
- if (dev && (mask & XT_ADDRTYPE_LOCAL)) {
- v6ops = nf_get_ipv6_ops();
- if (v6ops && v6ops->chk_addr(net, addr, dev, true))
- ret = XT_ADDRTYPE_LOCAL;
- }
- route_err = afinfo->route(net, (struct dst_entry **)&rt,
- flowi6_to_flowi(&flow), false);
- } else {
- route_err = 1;
+ if (dev && (mask & XT_ADDRTYPE_LOCAL)) {
+ v6ops = nf_get_ipv6_ops();
+ if (v6ops && v6ops->chk_addr(net, addr, dev, true))
+ ret = XT_ADDRTYPE_LOCAL;
}
-
+ route_err = nf_ip6_route(net, (struct dst_entry **)&rt,
+ flowi6_to_flowi(&flow), false);
if (route_err)
return XT_ADDRTYPE_UNREACHABLE;
--
2.11.0
* [PATCH nf-next 5/7] netfilter: remove reroute indirection in struct nf_afinfo
From: Pablo Neira Ayuso @ 2017-12-10 20:43 UTC (permalink / raw)
To: netfilter-devel
This is only used by nf_queue.c, and there we can replace it by a direct
function call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter.h | 3 +--
include/linux/netfilter_ipv4.h | 1 +
include/linux/netfilter_ipv6.h | 6 ++++++
net/ipv4/netfilter.c | 7 +++----
net/ipv6/netfilter.c | 6 ++----
net/netfilter/nf_queue.c | 4 +---
net/netfilter/utils.c | 16 ++++++++++++++++
7 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index e703b26025ec..6bdb0e5706a9 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -311,8 +311,6 @@ struct nf_queue_entry;
struct nf_afinfo {
unsigned short family;
- int (*reroute)(struct net *net, struct sk_buff *skb,
- const struct nf_queue_entry *entry);
int route_key_size;
};
@@ -328,6 +326,7 @@ __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
__sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol, unsigned short family);
+int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry);
void nf_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
int nf_register_afinfo(const struct nf_afinfo *afinfo);
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index d3a4c2d3f16b..43c217b861e7 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -14,5 +14,6 @@ __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
u_int8_t protocol);
int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
bool strict);
+int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry);
void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index cf26146f4425..c5d077d785ac 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -29,6 +29,7 @@ __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
u_int8_t protocol);
int nf_ip6_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
bool strict);
+int nf_ip6_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry);
void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#else
static inline __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
@@ -49,6 +50,11 @@ static inline int nf_ip6_route(struct net *net, struct dst_entry **dst,
{
return -EOPNOTSUPP;
}
+static inline int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
+ const struct nf_queue_entry *entry)
+{
+ return -EOPNOTSUPP;
+}
static inline void nf_ip6_saveroute(const struct sk_buff *skb,
struct nf_queue_entry *entry) {}
#endif
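Review bot: The `nf_ip6_reroute()` stub added in the `#else` branch still takes a leading `struct net *net`, but the real prototype added in the previous hunk of this file and the call in net/netfilter/utils.c use only `(skb, entry)`. A configuration that selects this branch would fail to build at that call. The stub should read `static inline int nf_ip6_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry)`. The `#if` condition guarding the branch is outside the hunk.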
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index c6ba5770af0a..57ed83687d35 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -106,8 +106,7 @@ void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
}
}
-static int nf_ip_reroute(struct net *net, struct sk_buff *skb,
- const struct nf_queue_entry *entry)
+int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry)
{
const struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -118,7 +117,8 @@ static int nf_ip_reroute(struct net *net, struct sk_buff *skb,
skb->mark == rt_info->mark &&
iph->daddr == rt_info->daddr &&
iph->saddr == rt_info->saddr))
- return ip_route_me_harder(net, skb, RTN_UNSPEC);
+ return ip_route_me_harder(entry->state.net, skb,
+ RTN_UNSPEC);
}
return 0;
}
@@ -188,7 +188,6 @@ EXPORT_SYMBOL(nf_ip_route);
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
- .reroute = nf_ip_reroute,
.route_key_size = sizeof(struct ip_rt_info),
};
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 72364f09253a..9a842c5e809f 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -93,8 +93,7 @@ void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
}
EXPORT_SYMBOL_GPL(nf_ip6_saveroute);
-static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
- const struct nf_queue_entry *entry)
+int nf_ip6_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry)
{
struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -103,7 +102,7 @@ static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
!ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
skb->mark != rt_info->mark)
- return ip6_route_me_harder(net, skb);
+ return ip6_route_me_harder(entry->state.net, skb);
}
return 0;
}
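Review bot: `nf_ip6_reroute()` loses `static` here and is now called directly from net/netfilter/utils.c, but the patch does not say how that reference resolves if the IPv6 code is built as a module while utils.c is built in. Whether that configuration is possible is not visible on this page. If it is, a direct call cannot link, and the call would have to go through the `nf_ipv6_ops` table this file already fills in, for example a `.reroute = nf_ip6_reroute,` member fetched with `rcu_dereference(nf_ipv6_ops)` in `nf_reroute()`. The function's signature line is in the previous hunk.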
@@ -198,7 +197,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
- .reroute = nf_ip6_reroute,
.route_key_size = sizeof(struct ip6_rt_info),
};
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 833710ee7654..db87dfd1318e 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -226,7 +226,6 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
const struct nf_hook_entry *hook_entry;
const struct nf_hook_entries *hooks;
struct sk_buff *skb = entry->skb;
- const struct nf_afinfo *afinfo;
const struct net *net;
unsigned int i;
int err;
@@ -253,8 +252,7 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
verdict = nf_hook_entry_hookfn(hook_entry, skb, &entry->state);
if (verdict == NF_ACCEPT) {
- afinfo = nf_get_afinfo(entry->state.pf);
- if (!afinfo || afinfo->reroute(entry->state.net, skb, entry) < 0)
+ if (nf_reroute(skb, entry) < 0)
verdict = NF_DROP;
}
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
index 7d8c0fd283ee..f967d0a4f007 100644
--- a/net/netfilter/utils.c
+++ b/net/netfilter/utils.c
@@ -44,6 +44,22 @@ __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
}
EXPORT_SYMBOL_GPL(nf_checksum_partial);
+int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry)
+{
+ int ret;
+
+ switch (entry->state.pf) {
+ case AF_INET:
+ ret = nf_ip_reroute(skb, entry);
+ break;
+ case AF_INET6:
+ ret = nf_ip6_reroute(skb, entry);
+ break;
+ }
+
+ return ret;
+}
+
void nf_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
{
switch (entry->state.pf) {
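Review bot: `ret` in `nf_reroute()` is returned uninitialized when `entry->state.pf` is neither `AF_INET` nor `AF_INET6`, because the switch has no `default` and `ret` has no initializer. The caller in `nf_reinject()` (nf_queue.c hunk of this patch) turns a negative result into `NF_DROP`, so for any other family the verdict of a reinjected packet would depend on stack contents. `int ret = 0;` keeps such packets accepted, which is what the bridge `nf_br_reroute()` stub removed in patch 7/7 returned. If unknown families should instead be dropped, as the removed `!afinfo` test did, add a `default:` case that sets a negative errno.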
--
2.11.0
* [PATCH nf-next 6/7] netfilter: remove route_key_size field in struct nf_afinfo
From: Pablo Neira Ayuso @ 2017-12-10 20:43 UTC (permalink / raw)
To: netfilter-devel
This is only needed by nf_queue, place this code where it belongs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter_ipv4.h | 11 +++++++++++
include/linux/netfilter_ipv6.h | 9 +++++++++
net/ipv4/netfilter.c | 13 -------------
net/ipv6/netfilter.c | 12 ------------
net/netfilter/nf_queue.c | 22 ++++++++++++++++------
5 files changed, 36 insertions(+), 31 deletions(-)
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 43c217b861e7..e7c81b78edd4 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -16,4 +16,15 @@ int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
bool strict);
int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry);
void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
+
+/* Extra routing may needed on local out, as the QUEUE target never
+ * returns control to the table.
+ */
+struct ip_rt_info {
+ __be32 daddr;
+ __be32 saddr;
+ u_int8_t tos;
+ u_int32_t mark;
+};
+
#endif /*__LINUX_IP_NETFILTER_H*/
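Review bot: The comment moved along with `struct ip_rt_info` reads "may needed" and does not say what the struct is for now that it lives in a shared header; the same applies to `struct ip6_rt_info` in the netfilter_ipv6.h hunk. Judging from `__nf_queue()`, which adds its size to the `nf_queue_entry` allocation, it appears to be the per-packet route key stored behind the queue entry. I would reword it to `/* Route key saved behind struct nf_queue_entry: extra routing may be needed on local out, as the QUEUE target never returns control to the table. */`.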
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index c5d077d785ac..dee7ce54fa5f 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -77,4 +77,13 @@ static inline void ipv6_netfilter_fini(void) { return; }
static inline const struct nf_ipv6_ops *nf_get_ipv6_ops(void) { return NULL; }
#endif /* CONFIG_NETFILTER */
+/* Extra routing may needed on local out, as the QUEUE target never
+ * returns control to the table.
+ */
+struct ip6_rt_info {
+ struct in6_addr daddr;
+ struct in6_addr saddr;
+ u_int32_t mark;
+};
+
#endif /*__LINUX_IP6_NETFILTER_H*/
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 57ed83687d35..9a27029038b5 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -80,18 +80,6 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t
}
EXPORT_SYMBOL(ip_route_me_harder);
-/*
- * Extra routing may needed on local out, as the QUEUE target never
- * returns control to the table.
- */
-
-struct ip_rt_info {
- __be32 daddr;
- __be32 saddr;
- u_int8_t tos;
- u_int32_t mark;
-};
-
void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
{
struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -188,7 +176,6 @@ EXPORT_SYMBOL(nf_ip_route);
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
- .route_key_size = sizeof(struct ip_rt_info),
};
static int __init ipv4_netfilter_init(void)
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 9a842c5e809f..319ff0655060 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -68,17 +68,6 @@ int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
}
EXPORT_SYMBOL(ip6_route_me_harder);
-/*
- * Extra routing may needed on local out, as the QUEUE target never
- * returns control to the table.
- */
-
-struct ip6_rt_info {
- struct in6_addr daddr;
- struct in6_addr saddr;
- u_int32_t mark;
-};
-
void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
{
struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -197,7 +186,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
- .route_key_size = sizeof(struct ip6_rt_info),
};
int __init ipv6_netfilter_init(void)
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index db87dfd1318e..325e2cafc832 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -13,6 +13,8 @@
#include <linux/netfilter_bridge.h>
#include <linux/seq_file.h>
#include <linux/rcupdate.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
#include <net/protocol.h>
#include <net/netfilter/nf_queue.h>
#include <net/dst.h>
@@ -114,9 +116,9 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
{
int status = -ENOENT;
struct nf_queue_entry *entry = NULL;
- const struct nf_afinfo *afinfo;
const struct nf_queue_handler *qh;
struct net *net = state->net;
+ unsigned int route_key_size;
/* QUEUE == DROP if no one is waiting, to be safe. */
qh = rcu_dereference(net->nf.queue_handler);
@@ -125,11 +127,19 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
goto err;
}
- afinfo = nf_get_afinfo(state->pf);
- if (!afinfo)
- goto err;
+ switch (state->pf) {
+ case AF_INET:
+ route_key_size = sizeof(struct ip_rt_info);
+ break;
+ case AF_INET6:
+ route_key_size = sizeof(struct ip6_rt_info);
+ break;
+ default:
+ route_key_size = 0;
+ break;
+ }
- entry = kmalloc(sizeof(*entry) + afinfo->route_key_size, GFP_ATOMIC);
+ entry = kmalloc(sizeof(*entry) + route_key_size, GFP_ATOMIC);
if (!entry) {
status = -ENOMEM;
goto err;
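Review bot: The `default:` branch makes `__nf_queue()` accept every protocol family, whereas the removed `if (!afinfo) goto err;` failed with `-ENOENT` for a family that had registered no afinfo. Only the IPv4, IPv6 and bridge registrations appear in this series. If the widening is intended, say so in the commit message and add a comment such as `/* bridge and other families carry no route key */`. Otherwise give bridge its own `case AF_BRIDGE:` with a zero size and make the fallback `default: goto err;`, which keeps the `-ENOENT` already held in `status`. `__nf_queue()` begins and ends outside this hunk.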
@@ -139,7 +149,7 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
.skb = skb,
.state = *state,
.hook_index = index,
- .size = sizeof(*entry) + afinfo->route_key_size,
+ .size = sizeof(*entry) + route_key_size,
};
nf_queue_entry_get_refs(entry);
--
2.11.0
* [PATCH nf-next 7/7] netfilter: core: remove struct nf_afinfo and its helper functions
From: Pablo Neira Ayuso @ 2017-12-10 20:43 UTC (permalink / raw)
To: netfilter-devel
This abstraction has no clients anymore after converting many of them to
direct function calls; now that it is useless, this patch removes it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter.h | 14 ---------
net/bridge/netfilter/nf_tables_bridge.c | 51 +++------------------------------
net/ipv4/netfilter.c | 10 -------
net/ipv6/netfilter.c | 7 +----
net/netfilter/core.c | 22 --------------
5 files changed, 5 insertions(+), 99 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 6bdb0e5706a9..ba1d2c5a37ae 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -309,17 +309,6 @@ int skb_make_writable(struct sk_buff *skb, unsigned int writable_len);
struct flowi;
struct nf_queue_entry;
-struct nf_afinfo {
- unsigned short family;
- int route_key_size;
-};
-
-extern const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO];
-static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family)
-{
- return rcu_dereference(nf_afinfo[family]);
-}
-
__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol,
unsigned short family);
@@ -329,9 +318,6 @@ __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry);
void nf_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
-int nf_register_afinfo(const struct nf_afinfo *afinfo);
-void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
-
#include <net/flow.h>
extern void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index 74260ffec74d..86774b5c3b73 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -95,65 +95,23 @@ static const struct nf_chain_type filter_bridge = {
},
};
-static void nf_br_saveroute(const struct sk_buff *skb,
- struct nf_queue_entry *entry)
-{
-}
-
-static int nf_br_reroute(struct net *net, struct sk_buff *skb,
- const struct nf_queue_entry *entry)
-{
- return 0;
-}
-
-static __sum16 nf_br_checksum(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, u_int8_t protocol)
-{
- return 0;
-}
-
-static __sum16 nf_br_checksum_partial(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, unsigned int len,
- u_int8_t protocol)
-{
- return 0;
-}
-
-static int nf_br_route(struct net *net, struct dst_entry **dst,
- struct flowi *fl, bool strict __always_unused)
-{
- return 0;
-}
-
-static const struct nf_afinfo nf_br_afinfo = {
- .family = AF_BRIDGE,
- .checksum = nf_br_checksum,
- .checksum_partial = nf_br_checksum_partial,
- .route = nf_br_route,
- .saveroute = nf_br_saveroute,
- .reroute = nf_br_reroute,
- .route_key_size = 0,
-};
-
static int __init nf_tables_bridge_init(void)
{
int ret;
- nf_register_afinfo(&nf_br_afinfo);
ret = nft_register_chain_type(&filter_bridge);
if (ret < 0)
- goto err1;
+ return ret;
ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
if (ret < 0)
- goto err2;
+ goto err_register_subsys;
return ret;
-err2:
+err_register_subsys:
nft_unregister_chain_type(&filter_bridge);
-err1:
- nf_unregister_afinfo(&nf_br_afinfo);
+
return ret;
}
@@ -161,7 +119,6 @@ static void __exit nf_tables_bridge_exit(void)
{
unregister_pernet_subsys(&nf_tables_bridge_net_ops);
nft_unregister_chain_type(&filter_bridge);
- nf_unregister_afinfo(&nf_br_afinfo);
}
module_init(nf_tables_bridge_init);
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 9a27029038b5..e42314b30809 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -173,13 +173,3 @@ int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
return 0;
}
EXPORT_SYMBOL(nf_ip_route);
-
-static const struct nf_afinfo nf_ip_afinfo = {
- .family = AF_INET,
-};
-
-static int __init ipv4_netfilter_init(void)
-{
- return nf_register_afinfo(&nf_ip_afinfo);
-}
-subsys_initcall(ipv4_netfilter_init);
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 319ff0655060..f32bf3aea423 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -184,14 +184,10 @@ static const struct nf_ipv6_ops ipv6ops = {
.fragment = ip6_fragment
};
-static const struct nf_afinfo nf_ip6_afinfo = {
- .family = AF_INET6,
-};
-
int __init ipv6_netfilter_init(void)
{
RCU_INIT_POINTER(nf_ipv6_ops, &ipv6ops);
- return nf_register_afinfo(&nf_ip6_afinfo);
+ return 0;
}
/* This can be called from inet6_init() on errors, so it cannot
@@ -200,5 +196,4 @@ int __init ipv6_netfilter_init(void)
void ipv6_netfilter_fini(void)
{
RCU_INIT_POINTER(nf_ipv6_ops, NULL);
- nf_unregister_afinfo(&nf_ip6_afinfo);
}
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 606efc9b14e1..3e25e7628fa2 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -28,34 +28,12 @@
#include "nf_internals.h"
-static DEFINE_MUTEX(afinfo_mutex);
-
-const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
-EXPORT_SYMBOL(nf_afinfo);
const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
EXPORT_SYMBOL_GPL(nf_ipv6_ops);
DEFINE_PER_CPU(bool, nf_skb_duplicated);
EXPORT_SYMBOL_GPL(nf_skb_duplicated);
-int nf_register_afinfo(const struct nf_afinfo *afinfo)
-{
- mutex_lock(&afinfo_mutex);
- RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
- mutex_unlock(&afinfo_mutex);
- return 0;
-}
-EXPORT_SYMBOL_GPL(nf_register_afinfo);
-
-void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
-{
- mutex_lock(&afinfo_mutex);
- RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
- mutex_unlock(&afinfo_mutex);
- synchronize_rcu();
-}
-EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
-
#ifdef HAVE_JUMP_LABEL
struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
EXPORT_SYMBOL(nf_hooks_needed);
--
2.11.0