Commit 082a758f authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Pablo Neira Ayuso

inet netfilter: Prefer state->hook to ops->hooknum

The values of nf_hook_state.hook and nf_hook_ops.hooknum must be the
same by definition.

We are more likely to access the fields in nf_hook_state over the
fields in nf_hook_ops so with a little luck this results in
fewer cache line misses, and slightly more consistent code.
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 6cb8ff3f
...@@ -147,7 +147,7 @@ static unsigned int ipv4_conntrack_in(const struct nf_hook_ops *ops, ...@@ -147,7 +147,7 @@ static unsigned int ipv4_conntrack_in(const struct nf_hook_ops *ops,
struct sk_buff *skb, struct sk_buff *skb,
const struct nf_hook_state *state) const struct nf_hook_state *state)
{ {
return nf_conntrack_in(state->net, PF_INET, ops->hooknum, skb); return nf_conntrack_in(state->net, PF_INET, state->hook, skb);
} }
static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops, static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops,
...@@ -158,7 +158,7 @@ static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops, ...@@ -158,7 +158,7 @@ static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops,
if (skb->len < sizeof(struct iphdr) || if (skb->len < sizeof(struct iphdr) ||
ip_hdrlen(skb) < sizeof(struct iphdr)) ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT; return NF_ACCEPT;
return nf_conntrack_in(state->net, PF_INET, ops->hooknum, skb); return nf_conntrack_in(state->net, PF_INET, state->hook, skb);
} }
/* Connection tracking may drop packets, but never alters them, so /* Connection tracking may drop packets, but never alters them, so
......
...@@ -83,7 +83,7 @@ static unsigned int ipv4_conntrack_defrag(const struct nf_hook_ops *ops, ...@@ -83,7 +83,7 @@ static unsigned int ipv4_conntrack_defrag(const struct nf_hook_ops *ops,
/* Gather fragments. */ /* Gather fragments. */
if (ip_is_fragment(ip_hdr(skb))) { if (ip_is_fragment(ip_hdr(skb))) {
enum ip_defrag_users user = enum ip_defrag_users user =
nf_ct_defrag_user(ops->hooknum, skb); nf_ct_defrag_user(state->hook, skb);
if (nf_ct_ipv4_gather_frags(skb, user)) if (nf_ct_ipv4_gather_frags(skb, user))
return NF_STOLEN; return NF_STOLEN;
......
...@@ -266,7 +266,7 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, ...@@ -266,7 +266,7 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
struct nf_conn_nat *nat; struct nf_conn_nat *nat;
/* maniptype == SRC for postrouting. */ /* maniptype == SRC for postrouting. */
enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum); enum nf_nat_manip_type maniptype = HOOK2MANIP(state->hook);
/* We never see fragments: conntrack defrags on pre-routing /* We never see fragments: conntrack defrags on pre-routing
* and local-out, and nf_nat_out protects post-routing. * and local-out, and nf_nat_out protects post-routing.
...@@ -295,7 +295,7 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, ...@@ -295,7 +295,7 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
case IP_CT_RELATED_REPLY: case IP_CT_RELATED_REPLY:
if (ip_hdr(skb)->protocol == IPPROTO_ICMP) { if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
ops->hooknum)) state->hook))
return NF_DROP; return NF_DROP;
else else
return NF_ACCEPT; return NF_ACCEPT;
...@@ -312,17 +312,17 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, ...@@ -312,17 +312,17 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
if (ret != NF_ACCEPT) if (ret != NF_ACCEPT)
return ret; return ret;
if (nf_nat_initialized(ct, HOOK2MANIP(ops->hooknum))) if (nf_nat_initialized(ct, HOOK2MANIP(state->hook)))
break; break;
ret = nf_nat_alloc_null_binding(ct, ops->hooknum); ret = nf_nat_alloc_null_binding(ct, state->hook);
if (ret != NF_ACCEPT) if (ret != NF_ACCEPT)
return ret; return ret;
} else { } else {
pr_debug("Already setup manip %s for ct %p\n", pr_debug("Already setup manip %s for ct %p\n",
maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
ct); ct);
if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, if (nf_nat_oif_changed(state->hook, ctinfo, nat,
state->out)) state->out))
goto oif_changed; goto oif_changed;
} }
...@@ -332,11 +332,11 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, ...@@ -332,11 +332,11 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
/* ESTABLISHED */ /* ESTABLISHED */
NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
ctinfo == IP_CT_ESTABLISHED_REPLY); ctinfo == IP_CT_ESTABLISHED_REPLY);
if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, state->out)) if (nf_nat_oif_changed(state->hook, ctinfo, nat, state->out))
goto oif_changed; goto oif_changed;
} }
return nf_nat_packet(ct, ctinfo, ops->hooknum, skb); return nf_nat_packet(ct, ctinfo, state->hook, skb);
oif_changed: oif_changed:
nf_ct_kill_acct(ct, ctinfo, skb); nf_ct_kill_acct(ct, ctinfo, skb);
......
...@@ -169,7 +169,7 @@ static unsigned int ipv6_conntrack_in(const struct nf_hook_ops *ops, ...@@ -169,7 +169,7 @@ static unsigned int ipv6_conntrack_in(const struct nf_hook_ops *ops,
struct sk_buff *skb, struct sk_buff *skb,
const struct nf_hook_state *state) const struct nf_hook_state *state)
{ {
return nf_conntrack_in(state->net, PF_INET6, ops->hooknum, skb); return nf_conntrack_in(state->net, PF_INET6, state->hook, skb);
} }
static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops, static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,
...@@ -181,7 +181,7 @@ static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops, ...@@ -181,7 +181,7 @@ static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,
net_notice_ratelimited("ipv6_conntrack_local: packet too short\n"); net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");
return NF_ACCEPT; return NF_ACCEPT;
} }
return nf_conntrack_in(state->net, PF_INET6, ops->hooknum, skb); return nf_conntrack_in(state->net, PF_INET6, state->hook, skb);
} }
static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = { static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
......
...@@ -63,7 +63,7 @@ static unsigned int ipv6_defrag(const struct nf_hook_ops *ops, ...@@ -63,7 +63,7 @@ static unsigned int ipv6_defrag(const struct nf_hook_ops *ops,
return NF_ACCEPT; return NF_ACCEPT;
#endif #endif
reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(ops->hooknum, skb)); reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(state->hook, skb));
/* queued */ /* queued */
if (reasm == NULL) if (reasm == NULL)
return NF_STOLEN; return NF_STOLEN;
...@@ -74,7 +74,7 @@ static unsigned int ipv6_defrag(const struct nf_hook_ops *ops, ...@@ -74,7 +74,7 @@ static unsigned int ipv6_defrag(const struct nf_hook_ops *ops,
nf_ct_frag6_consume_orig(reasm); nf_ct_frag6_consume_orig(reasm);
NF_HOOK_THRESH(NFPROTO_IPV6, ops->hooknum, state->net, state->sk, reasm, NF_HOOK_THRESH(NFPROTO_IPV6, state->hook, state->net, state->sk, reasm,
state->in, state->out, state->in, state->out,
state->okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1); state->okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
......
...@@ -272,7 +272,7 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, ...@@ -272,7 +272,7 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
struct nf_conn *ct; struct nf_conn *ct;
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
struct nf_conn_nat *nat; struct nf_conn_nat *nat;
enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum); enum nf_nat_manip_type maniptype = HOOK2MANIP(state->hook);
__be16 frag_off; __be16 frag_off;
int hdrlen; int hdrlen;
u8 nexthdr; u8 nexthdr;
...@@ -303,7 +303,7 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, ...@@ -303,7 +303,7 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) {
if (!nf_nat_icmpv6_reply_translation(skb, ct, ctinfo, if (!nf_nat_icmpv6_reply_translation(skb, ct, ctinfo,
ops->hooknum, state->hook,
hdrlen)) hdrlen))
return NF_DROP; return NF_DROP;
else else
...@@ -321,17 +321,17 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, ...@@ -321,17 +321,17 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
if (ret != NF_ACCEPT) if (ret != NF_ACCEPT)
return ret; return ret;
if (nf_nat_initialized(ct, HOOK2MANIP(ops->hooknum))) if (nf_nat_initialized(ct, HOOK2MANIP(state->hook)))
break; break;
ret = nf_nat_alloc_null_binding(ct, ops->hooknum); ret = nf_nat_alloc_null_binding(ct, state->hook);
if (ret != NF_ACCEPT) if (ret != NF_ACCEPT)
return ret; return ret;
} else { } else {
pr_debug("Already setup manip %s for ct %p\n", pr_debug("Already setup manip %s for ct %p\n",
maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
ct); ct);
if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, state->out)) if (nf_nat_oif_changed(state->hook, ctinfo, nat, state->out))
goto oif_changed; goto oif_changed;
} }
break; break;
...@@ -340,11 +340,11 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, ...@@ -340,11 +340,11 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
/* ESTABLISHED */ /* ESTABLISHED */
NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
ctinfo == IP_CT_ESTABLISHED_REPLY); ctinfo == IP_CT_ESTABLISHED_REPLY);
if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, state->out)) if (nf_nat_oif_changed(state->hook, ctinfo, nat, state->out))
goto oif_changed; goto oif_changed;
} }
return nf_nat_packet(ct, ctinfo, ops->hooknum, skb); return nf_nat_packet(ct, ctinfo, state->hook, skb);
oif_changed: oif_changed:
nf_ct_kill_acct(ct, ctinfo, skb); nf_ct_kill_acct(ct, ctinfo, skb);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment