From: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Date: Sat, 9 Dec 2017 15:43:17 +0100
|
|
Subject: [PATCH] netfilter: nf_tables: remove hooks from family definition
|
|
|
|
They don't belong to the family definition, move them to the filter
|
|
chain type definition instead.
|
|
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
---
|
|
|
|
--- a/include/net/netfilter/nf_tables.h
|
|
+++ b/include/net/netfilter/nf_tables.h
|
|
@@ -870,7 +870,7 @@ enum nft_chain_type {
|
|
* @family: address family
|
|
* @owner: module owner
|
|
* @hook_mask: mask of valid hooks
|
|
- * @hooks: hookfn overrides
|
|
+ * @hooks: array of hook functions
|
|
*/
|
|
struct nf_chain_type {
|
|
const char *name;
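Review bot: The rewritten `@hooks` comment on the `+` line describes the field's shape but not the invariant the rest of this series makes it carry: in nf_tables_addchain the entry `hooks[hooknum]` is now assigned directly to `ops->hook` with no family-level fallback, so any hook permitted by `@hook_mask` needs a non-NULL function here or a NULL hook gets registered. Since this header is where chain-type authors will look, suggest `* @hooks: array of hook functions, indexed by hook number; every hook set in @hook_mask needs a non-NULL entry`. The struct nf_chain_type definition continues past the end of this hunk.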
|
|
@@ -964,7 +964,6 @@ enum nft_af_flags {
|
|
* @owner: module owner
|
|
* @tables: used internally
|
|
* @flags: family flags
|
|
- * @hooks: hookfn overrides for packet validation
|
|
*/
|
|
struct nft_af_info {
|
|
struct list_head list;
|
|
@@ -973,7 +972,6 @@ struct nft_af_info {
|
|
struct module *owner;
|
|
struct list_head tables;
|
|
u32 flags;
|
|
- nf_hookfn *hooks[NF_MAX_HOOKS];
|
|
};
|
|
|
|
int nft_register_afinfo(struct net *, struct nft_af_info *);
|
|
--- a/net/bridge/netfilter/nf_tables_bridge.c
|
|
+++ b/net/bridge/netfilter/nf_tables_bridge.c
|
|
@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge
|
|
.family = NFPROTO_BRIDGE,
|
|
.nhooks = NF_BR_NUMHOOKS,
|
|
.owner = THIS_MODULE,
|
|
- .hooks = {
|
|
- [NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
|
|
- [NF_BR_LOCAL_IN] = nft_do_chain_bridge,
|
|
- [NF_BR_FORWARD] = nft_do_chain_bridge,
|
|
- [NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
|
|
- [NF_BR_POST_ROUTING] = nft_do_chain_bridge,
|
|
- },
|
|
};
|
|
|
|
static int nf_tables_bridge_init_net(struct net *net)
|
|
@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
|
|
(1 << NF_BR_FORWARD) |
|
|
(1 << NF_BR_LOCAL_OUT) |
|
|
(1 << NF_BR_POST_ROUTING),
|
|
+ .hooks = {
|
|
+ [NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
|
|
+ [NF_BR_LOCAL_IN] = nft_do_chain_bridge,
|
|
+ [NF_BR_FORWARD] = nft_do_chain_bridge,
|
|
+ [NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
|
|
+ [NF_BR_POST_ROUTING] = nft_do_chain_bridge,
|
|
+ },
|
|
};
|
|
|
|
static int __init nf_tables_bridge_init(void)
|
|
--- a/net/ipv4/netfilter/nf_tables_arp.c
|
|
+++ b/net/ipv4/netfilter/nf_tables_arp.c
|
|
@@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __r
|
|
.family = NFPROTO_ARP,
|
|
.nhooks = NF_ARP_NUMHOOKS,
|
|
.owner = THIS_MODULE,
|
|
- .hooks = {
|
|
- [NF_ARP_IN] = nft_do_chain_arp,
|
|
- [NF_ARP_OUT] = nft_do_chain_arp,
|
|
- },
|
|
};
|
|
|
|
static int nf_tables_arp_init_net(struct net *net)
|
|
@@ -72,6 +68,10 @@ static const struct nf_chain_type filter
|
|
.owner = THIS_MODULE,
|
|
.hook_mask = (1 << NF_ARP_IN) |
|
|
(1 << NF_ARP_OUT),
|
|
+ .hooks = {
|
|
+ [NF_ARP_IN] = nft_do_chain_arp,
|
|
+ [NF_ARP_OUT] = nft_do_chain_arp,
|
|
+ },
|
|
};
|
|
|
|
static int __init nf_tables_arp_init(void)
|
|
--- a/net/ipv4/netfilter/nf_tables_ipv4.c
|
|
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
|
|
@@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __
|
|
.family = NFPROTO_IPV4,
|
|
.nhooks = NF_INET_NUMHOOKS,
|
|
.owner = THIS_MODULE,
|
|
- .hooks = {
|
|
- [NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
|
|
- [NF_INET_LOCAL_OUT] = nft_ipv4_output,
|
|
- [NF_INET_FORWARD] = nft_do_chain_ipv4,
|
|
- [NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
|
|
- [NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
|
|
- },
|
|
};
|
|
|
|
static int nf_tables_ipv4_init_net(struct net *net)
|
|
@@ -96,6 +89,13 @@ static const struct nf_chain_type filter
|
|
(1 << NF_INET_FORWARD) |
|
|
(1 << NF_INET_PRE_ROUTING) |
|
|
(1 << NF_INET_POST_ROUTING),
|
|
+ .hooks = {
|
|
+ [NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
|
|
+ [NF_INET_LOCAL_OUT] = nft_ipv4_output,
|
|
+ [NF_INET_FORWARD] = nft_do_chain_ipv4,
|
|
+ [NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
|
|
+ [NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
|
|
+ },
|
|
};
|
|
|
|
static int __init nf_tables_ipv4_init(void)
|
|
--- a/net/ipv6/netfilter/nf_tables_ipv6.c
|
|
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
|
|
@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __
|
|
.family = NFPROTO_IPV6,
|
|
.nhooks = NF_INET_NUMHOOKS,
|
|
.owner = THIS_MODULE,
|
|
- .hooks = {
|
|
- [NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
|
|
- [NF_INET_LOCAL_OUT] = nft_ipv6_output,
|
|
- [NF_INET_FORWARD] = nft_do_chain_ipv6,
|
|
- [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
|
|
- [NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
|
|
- },
|
|
};
|
|
|
|
static int nf_tables_ipv6_init_net(struct net *net)
|
|
@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
|
|
(1 << NF_INET_FORWARD) |
|
|
(1 << NF_INET_PRE_ROUTING) |
|
|
(1 << NF_INET_POST_ROUTING),
|
|
+ .hooks = {
|
|
+ [NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
|
|
+ [NF_INET_LOCAL_OUT] = nft_ipv6_output,
|
|
+ [NF_INET_FORWARD] = nft_do_chain_ipv6,
|
|
+ [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
|
|
+ [NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
|
|
+ },
|
|
};
|
|
|
|
static int __init nf_tables_ipv6_init(void)
|
|
--- a/net/netfilter/nf_tables_api.c
|
|
+++ b/net/netfilter/nf_tables_api.c
|
|
@@ -1352,7 +1352,6 @@ static int nf_tables_addchain(struct nft
|
|
if (nla[NFTA_CHAIN_HOOK]) {
|
|
struct nft_chain_hook hook;
|
|
struct nf_hook_ops *ops;
|
|
- nf_hookfn *hookfn;
|
|
|
|
err = nft_chain_parse_hook(net, nla, afi, &hook, create);
|
|
if (err < 0)
|
|
@@ -1378,7 +1377,6 @@ static int nf_tables_addchain(struct nft
|
|
static_branch_inc(&nft_counters_enabled);
|
|
}
|
|
|
|
- hookfn = hook.type->hooks[hook.num];
|
|
basechain->type = hook.type;
|
|
chain = &basechain->chain;
|
|
|
|
@@ -1387,10 +1385,8 @@ static int nf_tables_addchain(struct nft
|
|
ops->hooknum = hook.num;
|
|
ops->priority = hook.priority;
|
|
ops->priv = chain;
|
|
- ops->hook = afi->hooks[ops->hooknum];
|
|
+ ops->hook = hook.type->hooks[ops->hooknum];
|
|
ops->dev = hook.dev;
|
|
- if (hookfn)
|
|
- ops->hook = hookfn;
|
|
|
|
if (basechain->type->type == NFT_CHAIN_T_NAT)
|
|
ops->nat_hook = true;
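Review bot: The new `ops->hook = hook.type->hooks[ops->hooknum];` line replaces the old family default plus optional override with a single unchecked lookup, so a chain type whose `.hooks[]` has no entry for a hook its `.hook_mask` allows would register a NULL hook function and crash on the first packet through that hook. The filter chain types converted in this patch populate every hook they permit, but a chain type not shown in this diff (NAT or route types, or out-of-tree modules) that previously relied on `afi->hooks[]` as the default now loses it silently rather than at registration time. Suggest refusing the chain before the hook is registered, e.g. `if (!ops->hook) { err = -EOPNOTSUPP; goto err; }` using whatever unwind label frees basechain in this function, which lies outside the hunk; checking the hook_mask/hooks[] consistency once in nft_register_chain_type() (not in this diff) would be an equally good place. nf_tables_addchain begins and ends outside the hunk, and whether nft_chain_parse_hook() already validates hook.num against hook_mask cannot be confirmed from what is visible here.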
|
|
--- a/net/netfilter/nf_tables_inet.c
|
|
+++ b/net/netfilter/nf_tables_inet.c
|
|
@@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __
|
|
.family = NFPROTO_INET,
|
|
.nhooks = NF_INET_NUMHOOKS,
|
|
.owner = THIS_MODULE,
|
|
- .hooks = {
|
|
- [NF_INET_LOCAL_IN] = nft_do_chain_inet,
|
|
- [NF_INET_LOCAL_OUT] = nft_inet_output,
|
|
- [NF_INET_FORWARD] = nft_do_chain_inet,
|
|
- [NF_INET_PRE_ROUTING] = nft_do_chain_inet,
|
|
- [NF_INET_POST_ROUTING] = nft_do_chain_inet,
|
|
- },
|
|
};
|
|
|
|
static int __net_init nf_tables_inet_init_net(struct net *net)
|
|
@@ -121,6 +114,13 @@ static const struct nf_chain_type filter
|
|
(1 << NF_INET_FORWARD) |
|
|
(1 << NF_INET_PRE_ROUTING) |
|
|
(1 << NF_INET_POST_ROUTING),
|
|
+ .hooks = {
|
|
+ [NF_INET_LOCAL_IN] = nft_do_chain_inet,
|
|
+ [NF_INET_LOCAL_OUT] = nft_inet_output,
|
|
+ [NF_INET_FORWARD] = nft_do_chain_inet,
|
|
+ [NF_INET_PRE_ROUTING] = nft_do_chain_inet,
|
|
+ [NF_INET_POST_ROUTING] = nft_do_chain_inet,
|
|
+ },
|
|
};
|
|
|
|
static int __init nf_tables_inet_init(void)
|
|
--- a/net/netfilter/nf_tables_netdev.c
|
|
+++ b/net/netfilter/nf_tables_netdev.c
|
|
@@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev
|
|
.nhooks = NF_NETDEV_NUMHOOKS,
|
|
.owner = THIS_MODULE,
|
|
.flags = NFT_AF_NEEDS_DEV,
|
|
- .hooks = {
|
|
- [NF_NETDEV_INGRESS] = nft_do_chain_netdev,
|
|
- },
|
|
};
|
|
|
|
static int nf_tables_netdev_init_net(struct net *net)
|
|
@@ -82,6 +79,9 @@ static const struct nf_chain_type nft_fi
|
|
.family = NFPROTO_NETDEV,
|
|
.owner = THIS_MODULE,
|
|
.hook_mask = (1 << NF_NETDEV_INGRESS),
|
|
+ .hooks = {
|
|
+ [NF_NETDEV_INGRESS] = nft_do_chain_netdev,
|
|
+ },
|
|
};
|
|
|
|
static void nft_netdev_event(unsigned long event, struct net_device *dev,
|
|
|