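--- a/branches/18.06.1/target/linux/generic/backport-4.14/312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch
+++ b/branches/18.06.1/target/linux/generic/backport-4.14/312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch
@@ -0,0 +1,233 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 9 Dec 2017 15:43:17 +0100
+Subject: [PATCH] netfilter: nf_tables: remove hooks from family definition
+
+They don't belong to the family definition, move them to the filter
+chain type definition instead.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -875,7 +875,7 @@ enum nft_chain_type {
+* @family: address family
+* @owner: module owner
+* @hook_mask: mask of valid hooks
+- * @hooks: hookfn overrides
++ * @hooks: array of hook functions
+*/
+struct nf_chain_type {
+const char *name;
+@@ -969,7 +969,6 @@ enum nft_af_flags {
+* @owner: module owner
+* @tables: used internally
+* @flags: family flags
+- * @hooks: hookfn overrides for packet validation
+*/
+struct nft_af_info {
+struct list_head list;
+@@ -978,7 +977,6 @@ struct nft_af_info {
+struct module *owner;
+struct list_head tables;
+u32 flags;
+- nf_hookfn *hooks[NF_MAX_HOOKS];
+};
+
+int nft_register_afinfo(struct net *, struct nft_af_info *);
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge
+.family = NFPROTO_BRIDGE,
+.nhooks = NF_BR_NUMHOOKS,
+.owner = THIS_MODULE,
+- .hooks = {
+- [NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
+- [NF_BR_LOCAL_IN] = nft_do_chain_bridge,
+- [NF_BR_FORWARD] = nft_do_chain_bridge,
+- [NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
+- [NF_BR_POST_ROUTING] = nft_do_chain_bridge,
+- },
+};
+
+static int nf_tables_bridge_init_net(struct net *net)
+@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
+(1 << NF_BR_FORWARD) |
+(1 << NF_BR_LOCAL_OUT) |
+(1 << NF_BR_POST_ROUTING),
++ .hooks = {
++ [NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
++ [NF_BR_LOCAL_IN] = nft_do_chain_bridge,
++ [NF_BR_FORWARD] = nft_do_chain_bridge,
++ [NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
++ [NF_BR_POST_ROUTING] = nft_do_chain_bridge,
++ },
+};
+
+static int __init nf_tables_bridge_init(void)
+--- a/net/ipv4/netfilter/nf_tables_arp.c
++++ b/net/ipv4/netfilter/nf_tables_arp.c
+@@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __r
+.family = NFPROTO_ARP,
+.nhooks = NF_ARP_NUMHOOKS,
+.owner = THIS_MODULE,
+- .hooks = {
+- [NF_ARP_IN] = nft_do_chain_arp,
+- [NF_ARP_OUT] = nft_do_chain_arp,
+- },
+};
+
+static int nf_tables_arp_init_net(struct net *net)
+@@ -72,6 +68,10 @@ static const struct nf_chain_type filter
+.owner = THIS_MODULE,
+.hook_mask = (1 << NF_ARP_IN) |
+(1 << NF_ARP_OUT),
++ .hooks = {
++ [NF_ARP_IN] = nft_do_chain_arp,
++ [NF_ARP_OUT] = nft_do_chain_arp,
++ },
+};
+
+static int __init nf_tables_arp_init(void)
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __
+.family = NFPROTO_IPV4,
+.nhooks = NF_INET_NUMHOOKS,
+.owner = THIS_MODULE,
+- .hooks = {
+- [NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
+- [NF_INET_LOCAL_OUT] = nft_ipv4_output,
+- [NF_INET_FORWARD] = nft_do_chain_ipv4,
+- [NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
+- [NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
+- },
+};
+
+static int nf_tables_ipv4_init_net(struct net *net)
+@@ -96,6 +89,13 @@ static const struct nf_chain_type filter
+(1 << NF_INET_FORWARD) |
+(1 << NF_INET_PRE_ROUTING) |
+(1 << NF_INET_POST_ROUTING),
++ .hooks = {
++ [NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
++ [NF_INET_LOCAL_OUT] = nft_ipv4_output,
++ [NF_INET_FORWARD] = nft_do_chain_ipv4,
++ [NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
++ [NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
++ },
+};
+
+static int __init nf_tables_ipv4_init(void)
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __
+.family = NFPROTO_IPV6,
+.nhooks = NF_INET_NUMHOOKS,
+.owner = THIS_MODULE,
+- .hooks = {
+- [NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
+- [NF_INET_LOCAL_OUT] = nft_ipv6_output,
+- [NF_INET_FORWARD] = nft_do_chain_ipv6,
+- [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
+- [NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
+- },
+};
+
+static int nf_tables_ipv6_init_net(struct net *net)
+@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
+(1 << NF_INET_FORWARD) |
+(1 << NF_INET_PRE_ROUTING) |
+(1 << NF_INET_POST_ROUTING),
++ .hooks = {
++ [NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
++ [NF_INET_LOCAL_OUT] = nft_ipv6_output,
++ [NF_INET_FORWARD] = nft_do_chain_ipv6,
++ [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
++ [NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
++ },
+};
+
+static int __init nf_tables_ipv6_init(void)
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1383,7 +1383,6 @@ static int nf_tables_addchain(struct nft
+if (nla[NFTA_CHAIN_HOOK]) {
+struct nft_chain_hook hook;
+struct nf_hook_ops *ops;
+- nf_hookfn *hookfn;
+
+err = nft_chain_parse_hook(net, nla, afi, &hook, create);
+if (err < 0)
+@@ -1409,7 +1408,6 @@ static int nf_tables_addchain(struct nft
+static_branch_inc(&nft_counters_enabled);
+}
+
+- hookfn = hook.type->hooks[hook.num];
+basechain->type = hook.type;
+chain = &basechain->chain;
+
+@@ -1418,10 +1416,8 @@ static int nf_tables_addchain(struct nft
+ops->hooknum = hook.num;
+ops->priority = hook.priority;
+ops->priv = chain;
+- ops->hook = afi->hooks[ops->hooknum];
++ ops->hook = hook.type->hooks[ops->hooknum];
+ops->dev = hook.dev;
+- if (hookfn)
+- ops->hook = hookfn;
+
+if (basechain->type->type == NFT_CHAIN_T_NAT)
+ops->nat_hook = true;
+--- a/net/netfilter/nf_tables_inet.c
++++ b/net/netfilter/nf_tables_inet.c
+@@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __
+.family = NFPROTO_INET,
+.nhooks = NF_INET_NUMHOOKS,
+.owner = THIS_MODULE,
+- .hooks = {
+- [NF_INET_LOCAL_IN] = nft_do_chain_inet,
+- [NF_INET_LOCAL_OUT] = nft_inet_output,
+- [NF_INET_FORWARD] = nft_do_chain_inet,
+- [NF_INET_PRE_ROUTING] = nft_do_chain_inet,
+- [NF_INET_POST_ROUTING] = nft_do_chain_inet,
+- },
+};
+
+static int __net_init nf_tables_inet_init_net(struct net *net)
+@@ -121,6 +114,13 @@ static const struct nf_chain_type filter
+(1 << NF_INET_FORWARD) |
+(1 << NF_INET_PRE_ROUTING) |
+(1 << NF_INET_POST_ROUTING),
++ .hooks = {
++ [NF_INET_LOCAL_IN] = nft_do_chain_inet,
++ [NF_INET_LOCAL_OUT] = nft_inet_output,
++ [NF_INET_FORWARD] = nft_do_chain_inet,
++ [NF_INET_PRE_ROUTING] = nft_do_chain_inet,
++ [NF_INET_POST_ROUTING] = nft_do_chain_inet,
++ },
+};
+
+static int __init nf_tables_inet_init(void)
+--- a/net/netfilter/nf_tables_netdev.c
++++ b/net/netfilter/nf_tables_netdev.c
+@@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev
+.nhooks = NF_NETDEV_NUMHOOKS,
+.owner = THIS_MODULE,
+.flags = NFT_AF_NEEDS_DEV,
+- .hooks = {
+- [NF_NETDEV_INGRESS] = nft_do_chain_netdev,
+- },
+};
+
+static int nf_tables_netdev_init_net(struct net *net)
+@@ -82,6 +79,9 @@ static const struct nf_chain_type nft_fi
+.family = NFPROTO_NETDEV,
+.owner = THIS_MODULE,
+.hook_mask = (1 << NF_NETDEV_INGRESS),
++ .hooks = {
++ [NF_NETDEV_INGRESS] = nft_do_chain_netdev,
++ },
+};
+
+static void nft_netdev_event(unsigned long event, struct net_device *dev,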
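Review bot: In the nf_tables_api.c hunk, `ops->hook = hook.type->hooks[ops->hooknum];` drops the per-family fallback that `afi->hooks[]` used to provide, so a chain type whose `.hooks[]` initializer leaves a hook number unset now registers a NULL hook function where it previously got the family default. Whether that is reachable depends on `nft_chain_parse_hook()` rejecting any `hook.num` not set in `hook.type->hook_mask`, which is not visible in this patch; nf_tables_addchain starts and ends outside the hunk, and the assignment sits after the basechain allocation, so an inline early return here would need the function's cleanup path rather than a bare `return`. I would record the invariant above the assignment, e.g. `/* hook.num was validated against hook.type->hook_mask in nft_chain_parse_hook(), so hooks[] is never NULL here; every nf_chain_type must keep .hooks and .hook_mask in sync. */`, since the seven filter chain types touched in this patch now carry that responsibility and any out-of-tree chain type registered without a matching `.hooks` entry would fail at packet-dispatch time rather than at chain creation.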