You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
116 lines
3.4 KiB
116 lines
3.4 KiB
From 26888dfd7e7454686b8d3ea9ba5045d5f236e4d7 Mon Sep 17 00:00:00 2001
|
|
From: Florian Westphal <fw@strlen.de>
|
|
Date: Fri, 1 Dec 2017 00:21:03 +0100
|
|
Subject: [PATCH 03/11] netfilter: core: remove synchronize_net call if nfqueue
|
|
is used
|
|
|
|
since commit 960632ece6949b ("netfilter: convert hook list to an array")
|
|
nfqueue no longer stores a pointer to the hook that caused the packet
|
|
to be queued. Therefore no extra synchronize_net() call is needed after
|
|
dropping the packets enqueued by the old rule blob.
|
|
|
|
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
---
|
|
include/net/netfilter/nf_queue.h | 2 +-
|
|
net/netfilter/core.c | 6 +-----
|
|
net/netfilter/nf_internals.h | 2 +-
|
|
net/netfilter/nf_queue.c | 7 ++-----
|
|
net/netfilter/nfnetlink_queue.c | 9 ++-------
|
|
5 files changed, 7 insertions(+), 19 deletions(-)
|
|
|
|
--- a/include/net/netfilter/nf_queue.h
|
|
+++ b/include/net/netfilter/nf_queue.h
|
|
@@ -25,7 +25,7 @@ struct nf_queue_entry {
|
|
struct nf_queue_handler {
|
|
int (*outfn)(struct nf_queue_entry *entry,
|
|
unsigned int queuenum);
|
|
- unsigned int (*nf_hook_drop)(struct net *net);
|
|
+ void (*nf_hook_drop)(struct net *net);
|
|
};
|
|
|
|
void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh);
|
|
--- a/net/netfilter/core.c
|
|
+++ b/net/netfilter/core.c
|
|
@@ -341,7 +341,6 @@ void nf_unregister_net_hook(struct net *
|
|
{
|
|
struct nf_hook_entries __rcu **pp;
|
|
struct nf_hook_entries *p;
|
|
- unsigned int nfq;
|
|
|
|
pp = nf_hook_entry_head(net, reg);
|
|
if (!pp)
|
|
@@ -364,10 +363,7 @@ void nf_unregister_net_hook(struct net *
|
|
|
|
synchronize_net();
|
|
|
|
- /* other cpu might still process nfqueue verdict that used reg */
|
|
- nfq = nf_queue_nf_hook_drop(net);
|
|
- if (nfq)
|
|
- synchronize_net();
|
|
+ nf_queue_nf_hook_drop(net);
|
|
kvfree(p);
|
|
}
|
|
EXPORT_SYMBOL(nf_unregister_net_hook);
|
|
--- a/net/netfilter/nf_internals.h
|
|
+++ b/net/netfilter/nf_internals.h
|
|
@@ -10,7 +10,7 @@
|
|
int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
|
|
const struct nf_hook_entries *entries, unsigned int index,
|
|
unsigned int verdict);
|
|
-unsigned int nf_queue_nf_hook_drop(struct net *net);
|
|
+void nf_queue_nf_hook_drop(struct net *net);
|
|
|
|
/* nf_log.c */
|
|
int __init netfilter_log_init(void);
|
|
--- a/net/netfilter/nf_queue.c
|
|
+++ b/net/netfilter/nf_queue.c
|
|
@@ -96,18 +96,15 @@ void nf_queue_entry_get_refs(struct nf_q
|
|
}
|
|
EXPORT_SYMBOL_GPL(nf_queue_entry_get_refs);
|
|
|
|
-unsigned int nf_queue_nf_hook_drop(struct net *net)
|
|
+void nf_queue_nf_hook_drop(struct net *net)
|
|
{
|
|
const struct nf_queue_handler *qh;
|
|
- unsigned int count = 0;
|
|
|
|
rcu_read_lock();
|
|
qh = rcu_dereference(net->nf.queue_handler);
|
|
if (qh)
|
|
- count = qh->nf_hook_drop(net);
|
|
+ qh->nf_hook_drop(net);
|
|
rcu_read_unlock();
|
|
-
|
|
- return count;
|
|
}
|
|
EXPORT_SYMBOL_GPL(nf_queue_nf_hook_drop);
|
|
|
|
--- a/net/netfilter/nfnetlink_queue.c
|
|
+++ b/net/netfilter/nfnetlink_queue.c
|
|
@@ -941,23 +941,18 @@ static struct notifier_block nfqnl_dev_n
|
|
.notifier_call = nfqnl_rcv_dev_event,
|
|
};
|
|
|
|
-static unsigned int nfqnl_nf_hook_drop(struct net *net)
|
|
+static void nfqnl_nf_hook_drop(struct net *net)
|
|
{
|
|
struct nfnl_queue_net *q = nfnl_queue_pernet(net);
|
|
- unsigned int instances = 0;
|
|
int i;
|
|
|
|
for (i = 0; i < INSTANCE_BUCKETS; i++) {
|
|
struct nfqnl_instance *inst;
|
|
struct hlist_head *head = &q->instance_table[i];
|
|
|
|
- hlist_for_each_entry_rcu(inst, head, hlist) {
|
|
+ hlist_for_each_entry_rcu(inst, head, hlist)
|
|
nfqnl_flush(inst, NULL, 0);
|
|
- instances++;
|
|
- }
|
|
}
|
|
-
|
|
- return instances;
|
|
}
|
|
|
|
static int
|
|
|