OpenWrt – Blame information for rev 2
Rev | Author | Line No. | Line |
---|---|---|---|
1 | office | 1 | From: Pablo Neira Ayuso <pablo@netfilter.org> |
2 | Date: Sat, 9 Dec 2017 15:43:17 +0100 |
||
3 | Subject: [PATCH] netfilter: nf_tables: remove hooks from family definition |
||
4 | |||
5 | They don't belong to the family definition, move them to the filter |
||
6 | chain type definition instead. |
||
7 | |||
8 | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
9 | --- |
||
10 | |||
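--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -875,7 +875,7 @@ enum nft_chain_type {
 * @family: address family
 * @owner: module owner
 * @hook_mask: mask of valid hooks
- * @hooks: hookfn overrides
+ * @hooks: array of hook functions
 */
 struct nf_chain_type {
 const char *name;
@@ -969,7 +969,6 @@ enum nft_af_flags {
 * @owner: module owner
 * @tables: used internally
 * @flags: family flags
- * @hooks: hookfn overrides for packet validation
 */
 struct nft_af_info {
 struct list_head list;
@@ -978,7 +977,6 @@ struct nft_af_info {
 struct module *owner;
 struct list_head tables;
 u32 flags;
- nf_hookfn *hooks[NF_MAX_HOOKS];
 };
 
 int nft_register_afinfo(struct net *, struct nft_af_info *);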
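--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge
 .family = NFPROTO_BRIDGE,
 .nhooks = NF_BR_NUMHOOKS,
 .owner = THIS_MODULE,
- .hooks = {
- [NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
- [NF_BR_LOCAL_IN] = nft_do_chain_bridge,
- [NF_BR_FORWARD] = nft_do_chain_bridge,
- [NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
- [NF_BR_POST_ROUTING] = nft_do_chain_bridge,
- },
 };
 
 static int nf_tables_bridge_init_net(struct net *net)
@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
 (1 << NF_BR_FORWARD) |
 (1 << NF_BR_LOCAL_OUT) |
 (1 << NF_BR_POST_ROUTING),
+ .hooks = {
+ [NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
+ [NF_BR_LOCAL_IN] = nft_do_chain_bridge,
+ [NF_BR_FORWARD] = nft_do_chain_bridge,
+ [NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
+ [NF_BR_POST_ROUTING] = nft_do_chain_bridge,
+ },
 };
 
 static int __init nf_tables_bridge_init(void)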
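Review bot: The `.hooks` table added to the filter chain type has to carry a handler for every bit set in `.hook_mask`, and nothing in the second hunk says so. With the family-level table removed, a hook bit left without an entry is no longer backed by a default, since the lookup in nf_tables_api.c now reads only the chain type's table. A one-line comment above `.hooks`, for example `/* one entry per bit in .hook_mask; there is no family-level fallback */`, would keep the two in step. The same applies to the filter chain types in nf_tables_arp.c, nf_tables_ipv4.c, nf_tables_ipv6.c, nf_tables_inet.c and nf_tables_netdev.c. The initializer starts outside the hunk, so the first lines of `.hook_mask` are not visible here.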
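--- a/net/ipv4/netfilter/nf_tables_arp.c
+++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __r
 .family = NFPROTO_ARP,
 .nhooks = NF_ARP_NUMHOOKS,
 .owner = THIS_MODULE,
- .hooks = {
- [NF_ARP_IN] = nft_do_chain_arp,
- [NF_ARP_OUT] = nft_do_chain_arp,
- },
 };
 
 static int nf_tables_arp_init_net(struct net *net)
@@ -72,6 +68,10 @@ static const struct nf_chain_type filter
 .owner = THIS_MODULE,
 .hook_mask = (1 << NF_ARP_IN) |
 (1 << NF_ARP_OUT),
+ .hooks = {
+ [NF_ARP_IN] = nft_do_chain_arp,
+ [NF_ARP_OUT] = nft_do_chain_arp,
+ },
 };
 
 static int __init nf_tables_arp_init(void)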
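--- a/net/ipv4/netfilter/nf_tables_ipv4.c
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __
 .family = NFPROTO_IPV4,
 .nhooks = NF_INET_NUMHOOKS,
 .owner = THIS_MODULE,
- .hooks = {
- [NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
- [NF_INET_LOCAL_OUT] = nft_ipv4_output,
- [NF_INET_FORWARD] = nft_do_chain_ipv4,
- [NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
- [NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
- },
 };
 
 static int nf_tables_ipv4_init_net(struct net *net)
@@ -96,6 +89,13 @@ static const struct nf_chain_type filter
 (1 << NF_INET_FORWARD) |
 (1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_POST_ROUTING),
+ .hooks = {
+ [NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
+ [NF_INET_LOCAL_OUT] = nft_ipv4_output,
+ [NF_INET_FORWARD] = nft_do_chain_ipv4,
+ [NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
+ [NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
+ },
 };
 
 static int __init nf_tables_ipv4_init(void)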
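--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __
 .family = NFPROTO_IPV6,
 .nhooks = NF_INET_NUMHOOKS,
 .owner = THIS_MODULE,
- .hooks = {
- [NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
- [NF_INET_LOCAL_OUT] = nft_ipv6_output,
- [NF_INET_FORWARD] = nft_do_chain_ipv6,
- [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
- [NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
- },
 };
 
 static int nf_tables_ipv6_init_net(struct net *net)
@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
 (1 << NF_INET_FORWARD) |
 (1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_POST_ROUTING),
+ .hooks = {
+ [NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
+ [NF_INET_LOCAL_OUT] = nft_ipv6_output,
+ [NF_INET_FORWARD] = nft_do_chain_ipv6,
+ [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
+ [NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
+ },
 };
 
 static int __init nf_tables_ipv6_init(void)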
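--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1383,7 +1383,6 @@ static int nf_tables_addchain(struct nft
 if (nla[NFTA_CHAIN_HOOK]) {
 struct nft_chain_hook hook;
 struct nf_hook_ops *ops;
- nf_hookfn *hookfn;
 
 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
 if (err < 0)
@@ -1409,7 +1408,6 @@ static int nf_tables_addchain(struct nft
 static_branch_inc(&nft_counters_enabled);
 }
 
- hookfn = hook.type->hooks[hook.num];
 basechain->type = hook.type;
 chain = &basechain->chain;
 
@@ -1418,10 +1416,8 @@ static int nf_tables_addchain(struct nft
 ops->hooknum = hook.num;
 ops->priority = hook.priority;
 ops->priv = chain;
- ops->hook = afi->hooks[ops->hooknum];
+ ops->hook = hook.type->hooks[ops->hooknum];
 ops->dev = hook.dev;
- if (hookfn)
- ops->hook = hookfn;
 
 if (basechain->type->type == NFT_CHAIN_T_NAT)
 ops->nat_hook = true;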
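Review bot: `ops->hook = hook.type->hooks[ops->hooknum];` in the third hunk has no fallback, so a chain type whose `hooks[]` lacks an entry for the requested hook number would leave a NULL function pointer in the hook ops. Before this change the family table supplied the default and the chain type only overrode it when non-NULL. The new form is safe only if `nft_chain_parse_hook()` rejects every hook number outside the type's `hook_mask` and each type's `hooks[]` covers its whole mask; neither is visible in these hunks. I would make the invariant explicit with a guard such as `if (WARN_ON_ONCE(!ops->hook))` that fails chain creation with an error. It would need to go through the existing error unwinding of nf_tables_addchain, which lies outside the hunk.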
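--- a/net/netfilter/nf_tables_inet.c
+++ b/net/netfilter/nf_tables_inet.c
@@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __
 .family = NFPROTO_INET,
 .nhooks = NF_INET_NUMHOOKS,
 .owner = THIS_MODULE,
- .hooks = {
- [NF_INET_LOCAL_IN] = nft_do_chain_inet,
- [NF_INET_LOCAL_OUT] = nft_inet_output,
- [NF_INET_FORWARD] = nft_do_chain_inet,
- [NF_INET_PRE_ROUTING] = nft_do_chain_inet,
- [NF_INET_POST_ROUTING] = nft_do_chain_inet,
- },
 };
 
 static int __net_init nf_tables_inet_init_net(struct net *net)
@@ -121,6 +114,13 @@ static const struct nf_chain_type filter
 (1 << NF_INET_FORWARD) |
 (1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_POST_ROUTING),
+ .hooks = {
+ [NF_INET_LOCAL_IN] = nft_do_chain_inet,
+ [NF_INET_LOCAL_OUT] = nft_inet_output,
+ [NF_INET_FORWARD] = nft_do_chain_inet,
+ [NF_INET_PRE_ROUTING] = nft_do_chain_inet,
+ [NF_INET_POST_ROUTING] = nft_do_chain_inet,
+ },
 };
 
 static int __init nf_tables_inet_init(void)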
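--- a/net/netfilter/nf_tables_netdev.c
+++ b/net/netfilter/nf_tables_netdev.c
@@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev
 .nhooks = NF_NETDEV_NUMHOOKS,
 .owner = THIS_MODULE,
 .flags = NFT_AF_NEEDS_DEV,
- .hooks = {
- [NF_NETDEV_INGRESS] = nft_do_chain_netdev,
- },
 };
 
 static int nf_tables_netdev_init_net(struct net *net)
@@ -82,6 +79,9 @@ static const struct nf_chain_type nft_fi
 .family = NFPROTO_NETDEV,
 .owner = THIS_MODULE,
 .hook_mask = (1 << NF_NETDEV_INGRESS),
+ .hooks = {
+ [NF_NETDEV_INGRESS] = nft_do_chain_netdev,
+ },
 };
 
 static void nft_netdev_event(unsigned long event, struct net_device *dev,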