From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org
Subject: [PATCH net-next 07/22] netfilter: iptables: unregister the tables by name
Date: Mon, 26 Apr 2021 19:10:41 +0200 [thread overview]
Message-ID: <20210426171056.345271-8-pablo@netfilter.org> (raw)
In-Reply-To: <20210426171056.345271-1-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
xtables stores the xt_table structs in the struct net. This isn't
needed anymore, the structures could be passed via the netfilter hook
'private' pointer to the hook functions, which would allow us to remove
those pointers from struct net.
As a first step, reduce the number of accesses to the
net->ipv4.ip6table_{raw,filter,...} pointers.
This allows the tables to get unregistered by name instead of having to
pass the raw address.
The xt_table structure cane looked up by name+address family instead.
This patch is useless as-is (the backends still have the raw pointer
address), but it lowers the bar to remove those.
It also allows to put the 'was table registered in the first place' check
into ip_tables.c rather than have it in each table sub module.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter_ipv4/ip_tables.h | 6 +++---
net/ipv4/netfilter/ip_tables.c | 14 ++++++++++----
net/ipv4/netfilter/iptable_filter.c | 8 ++------
net/ipv4/netfilter/iptable_mangle.c | 8 ++------
net/ipv4/netfilter/iptable_nat.c | 6 ++----
net/ipv4/netfilter/iptable_raw.c | 8 ++------
net/ipv4/netfilter/iptable_security.c | 8 ++------
7 files changed, 23 insertions(+), 35 deletions(-)
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 9f440eb6cf6c..73bcf7f261d2 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -26,10 +26,10 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
const struct ipt_replace *repl,
const struct nf_hook_ops *ops, struct xt_table **res);
-void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
- const struct nf_hook_ops *ops);
+void ipt_unregister_table_pre_exit(struct net *net, const char *name,
+ const struct nf_hook_ops *ops);
-void ipt_unregister_table_exit(struct net *net, struct xt_table *table);
+void ipt_unregister_table_exit(struct net *net, const char *name);
/* Standard entry. */
struct ipt_standard {
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 2fa7f28b88e3..0b859ec2d3f8 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1759,15 +1759,21 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
return ret;
}
-void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
+void ipt_unregister_table_pre_exit(struct net *net, const char *name,
const struct nf_hook_ops *ops)
{
- nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+ struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
+
+ if (table)
+ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
}
-void ipt_unregister_table_exit(struct net *net, struct xt_table *table)
+void ipt_unregister_table_exit(struct net *net, const char *name)
{
- __ipt_unregister_table(net, table);
+ struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
+
+ if (table)
+ __ipt_unregister_table(net, table);
}
/* Returns 1 if the type and code is matched by the range, 0 otherwise */
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 8f7bc1ee7453..a39998c7977f 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -74,16 +74,12 @@ static int __net_init iptable_filter_net_init(struct net *net)
static void __net_exit iptable_filter_net_pre_exit(struct net *net)
{
- if (net->ipv4.iptable_filter)
- ipt_unregister_table_pre_exit(net, net->ipv4.iptable_filter,
- filter_ops);
+ ipt_unregister_table_pre_exit(net, "filter", filter_ops);
}
static void __net_exit iptable_filter_net_exit(struct net *net)
{
- if (!net->ipv4.iptable_filter)
- return;
- ipt_unregister_table_exit(net, net->ipv4.iptable_filter);
+ ipt_unregister_table_exit(net, "filter");
net->ipv4.iptable_filter = NULL;
}
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 833079589273..7d1713e22553 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -102,16 +102,12 @@ static int __net_init iptable_mangle_table_init(struct net *net)
static void __net_exit iptable_mangle_net_pre_exit(struct net *net)
{
- if (net->ipv4.iptable_mangle)
- ipt_unregister_table_pre_exit(net, net->ipv4.iptable_mangle,
- mangle_ops);
+ ipt_unregister_table_pre_exit(net, "mangle", mangle_ops);
}
static void __net_exit iptable_mangle_net_exit(struct net *net)
{
- if (!net->ipv4.iptable_mangle)
- return;
- ipt_unregister_table_exit(net, net->ipv4.iptable_mangle);
+ ipt_unregister_table_exit(net, "mangle");
net->ipv4.iptable_mangle = NULL;
}
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index a89c1b9f94c2..16bf3009642e 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -105,7 +105,7 @@ static int __net_init iptable_nat_table_init(struct net *net)
ret = ipt_nat_register_lookups(net);
if (ret < 0) {
- ipt_unregister_table_exit(net, net->ipv4.nat_table);
+ ipt_unregister_table_exit(net, "nat");
net->ipv4.nat_table = NULL;
}
@@ -121,9 +121,7 @@ static void __net_exit iptable_nat_net_pre_exit(struct net *net)
static void __net_exit iptable_nat_net_exit(struct net *net)
{
- if (!net->ipv4.nat_table)
- return;
- ipt_unregister_table_exit(net, net->ipv4.nat_table);
+ ipt_unregister_table_exit(net, "nat");
net->ipv4.nat_table = NULL;
}
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 9abfe6bf2cb9..a1f556464b93 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -69,16 +69,12 @@ static int __net_init iptable_raw_table_init(struct net *net)
static void __net_exit iptable_raw_net_pre_exit(struct net *net)
{
- if (net->ipv4.iptable_raw)
- ipt_unregister_table_pre_exit(net, net->ipv4.iptable_raw,
- rawtable_ops);
+ ipt_unregister_table_pre_exit(net, "raw", rawtable_ops);
}
static void __net_exit iptable_raw_net_exit(struct net *net)
{
- if (!net->ipv4.iptable_raw)
- return;
- ipt_unregister_table_exit(net, net->ipv4.iptable_raw);
+ ipt_unregister_table_exit(net, "raw");
net->ipv4.iptable_raw = NULL;
}
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 415c1975d770..33eded4f9080 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -64,16 +64,12 @@ static int __net_init iptable_security_table_init(struct net *net)
static void __net_exit iptable_security_net_pre_exit(struct net *net)
{
- if (net->ipv4.iptable_security)
- ipt_unregister_table_pre_exit(net, net->ipv4.iptable_security,
- sectbl_ops);
+ ipt_unregister_table_pre_exit(net, "security", sectbl_ops);
}
static void __net_exit iptable_security_net_exit(struct net *net)
{
- if (!net->ipv4.iptable_security)
- return;
- ipt_unregister_table_exit(net, net->ipv4.iptable_security);
+ ipt_unregister_table_exit(net, "security");
net->ipv4.iptable_security = NULL;
}
--
2.30.2
next prev parent reply other threads:[~2021-04-26 17:11 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-26 17:10 [PATCH net-next 00/22] Netfilter updates for net-next Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 01/22] netfilter: nat: move nf_xfrm_me_harder to where it is used Pablo Neira Ayuso
2021-04-26 19:53 ` patchwork-bot+netdevbpf
2021-04-26 17:10 ` [PATCH net-next 02/22] netfilter: nft_socket: add support for cgroupsv2 Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 03/22] netfilter: disable defrag once its no longer needed Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 04/22] netfilter: ebtables: remove the 3 ebtables pointers from struct net Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 05/22] netfilter: x_tables: remove ipt_unregister_table Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 06/22] netfilter: x_tables: add xt_find_table Pablo Neira Ayuso
2021-04-26 17:10 ` Pablo Neira Ayuso [this message]
2021-04-26 17:10 ` [PATCH net-next 08/22] netfilter: ip6tables: unregister the tables by name Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 09/22] netfilter: arptables: " Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 10/22] netfilter: x_tables: remove paranoia tests Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 11/22] netfilter: xt_nat: pass table to hookfn Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 12/22] netfilter: ip_tables: pass table pointer via nf_hook_ops Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 13/22] netfilter: arp_tables: " Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 14/22] netfilter: ip6_tables: " Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 15/22] netfilter: remove all xt_table anchors from struct net Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 16/22] netfilter: nf_log_syslog: Unset bridge logger in pernet exit Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 17/22] netfilter: nftables: add nft_pernet() helper function Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 18/22] netfilter: nfnetlink: add struct nfnl_info and pass it to callbacks Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 19/22] netfilter: nfnetlink: pass struct nfnl_info to rcu callbacks Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 20/22] netfilter: nfnetlink: pass struct nfnl_info to batch callbacks Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 21/22] netfilter: nfnetlink: consolidate callback types Pablo Neira Ayuso
2021-04-26 17:10 ` [PATCH net-next 22/22] netfilter: allow to turn off xtables compat layer Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210426171056.345271-8-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).