Commit c2f9eafe authored by Pablo Neira Ayuso

netfilter: nf_tables: remove hooks from family definition

They don't belong to the family definition, move them to the filter
chain type definition instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent c974a3a3
...@@ -880,7 +880,7 @@ enum nft_chain_type { ...@@ -880,7 +880,7 @@ enum nft_chain_type {
* @family: address family * @family: address family
* @owner: module owner * @owner: module owner
* @hook_mask: mask of valid hooks * @hook_mask: mask of valid hooks
* @hooks: hookfn overrides * @hooks: array of hook functions
*/ */
struct nf_chain_type { struct nf_chain_type {
const char *name; const char *name;
...@@ -974,7 +974,6 @@ enum nft_af_flags { ...@@ -974,7 +974,6 @@ enum nft_af_flags {
* @owner: module owner * @owner: module owner
* @tables: used internally * @tables: used internally
* @flags: family flags * @flags: family flags
* @hooks: hookfn overrides for packet validation
*/ */
struct nft_af_info { struct nft_af_info {
struct list_head list; struct list_head list;
...@@ -983,7 +982,6 @@ struct nft_af_info { ...@@ -983,7 +982,6 @@ struct nft_af_info {
struct module *owner; struct module *owner;
struct list_head tables; struct list_head tables;
u32 flags; u32 flags;
nf_hookfn *hooks[NF_MAX_HOOKS];
}; };
int nft_register_afinfo(struct net *, struct nft_af_info *); int nft_register_afinfo(struct net *, struct nft_af_info *);
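Review bot: The reworded kernel-doc line for `@hooks` in struct nf_chain_type does not say that this array is now the only source of the hook function. With `hooks` removed from struct nft_af_info there is no per-family fallback, so each chain type has to supply an entry for every hook it permits through `@hook_mask`. I would document that invariant directly, e.g. `@hooks: array of hook functions, one non-NULL entry per hook set in @hook_mask`. Both struct bodies continue outside these hunks.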
......
...@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge __read_mostly = { ...@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge __read_mostly = {
.family = NFPROTO_BRIDGE, .family = NFPROTO_BRIDGE,
.nhooks = NF_BR_NUMHOOKS, .nhooks = NF_BR_NUMHOOKS,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.hooks = {
[NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
[NF_BR_LOCAL_IN] = nft_do_chain_bridge,
[NF_BR_FORWARD] = nft_do_chain_bridge,
[NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
[NF_BR_POST_ROUTING] = nft_do_chain_bridge,
},
}; };
static int nf_tables_bridge_init_net(struct net *net) static int nf_tables_bridge_init_net(struct net *net)
...@@ -93,6 +86,13 @@ static const struct nf_chain_type filter_bridge = { ...@@ -93,6 +86,13 @@ static const struct nf_chain_type filter_bridge = {
(1 << NF_BR_FORWARD) | (1 << NF_BR_FORWARD) |
(1 << NF_BR_LOCAL_OUT) | (1 << NF_BR_LOCAL_OUT) |
(1 << NF_BR_POST_ROUTING), (1 << NF_BR_POST_ROUTING),
.hooks = {
[NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
[NF_BR_LOCAL_IN] = nft_do_chain_bridge,
[NF_BR_FORWARD] = nft_do_chain_bridge,
[NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
[NF_BR_POST_ROUTING] = nft_do_chain_bridge,
},
}; };
static void nf_br_saveroute(const struct sk_buff *skb, static void nf_br_saveroute(const struct sk_buff *skb,
......
...@@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __read_mostly = { ...@@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __read_mostly = {
.family = NFPROTO_ARP, .family = NFPROTO_ARP,
.nhooks = NF_ARP_NUMHOOKS, .nhooks = NF_ARP_NUMHOOKS,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.hooks = {
[NF_ARP_IN] = nft_do_chain_arp,
[NF_ARP_OUT] = nft_do_chain_arp,
},
}; };
static int nf_tables_arp_init_net(struct net *net) static int nf_tables_arp_init_net(struct net *net)
...@@ -72,6 +68,10 @@ static const struct nf_chain_type filter_arp = { ...@@ -72,6 +68,10 @@ static const struct nf_chain_type filter_arp = {
.owner = THIS_MODULE, .owner = THIS_MODULE,
.hook_mask = (1 << NF_ARP_IN) | .hook_mask = (1 << NF_ARP_IN) |
(1 << NF_ARP_OUT), (1 << NF_ARP_OUT),
.hooks = {
[NF_ARP_IN] = nft_do_chain_arp,
[NF_ARP_OUT] = nft_do_chain_arp,
},
}; };
static int __init nf_tables_arp_init(void) static int __init nf_tables_arp_init(void)
......
...@@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __read_mostly = { ...@@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __read_mostly = {
.family = NFPROTO_IPV4, .family = NFPROTO_IPV4,
.nhooks = NF_INET_NUMHOOKS, .nhooks = NF_INET_NUMHOOKS,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.hooks = {
[NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
[NF_INET_LOCAL_OUT] = nft_ipv4_output,
[NF_INET_FORWARD] = nft_do_chain_ipv4,
[NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
[NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
},
}; };
static int nf_tables_ipv4_init_net(struct net *net) static int nf_tables_ipv4_init_net(struct net *net)
...@@ -96,6 +89,13 @@ static const struct nf_chain_type filter_ipv4 = { ...@@ -96,6 +89,13 @@ static const struct nf_chain_type filter_ipv4 = {
(1 << NF_INET_FORWARD) | (1 << NF_INET_FORWARD) |
(1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_POST_ROUTING), (1 << NF_INET_POST_ROUTING),
.hooks = {
[NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
[NF_INET_LOCAL_OUT] = nft_ipv4_output,
[NF_INET_FORWARD] = nft_do_chain_ipv4,
[NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
[NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
},
}; };
static int __init nf_tables_ipv4_init(void) static int __init nf_tables_ipv4_init(void)
......
...@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __read_mostly = { ...@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __read_mostly = {
.family = NFPROTO_IPV6, .family = NFPROTO_IPV6,
.nhooks = NF_INET_NUMHOOKS, .nhooks = NF_INET_NUMHOOKS,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.hooks = {
[NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
[NF_INET_LOCAL_OUT] = nft_ipv6_output,
[NF_INET_FORWARD] = nft_do_chain_ipv6,
[NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
[NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
},
}; };
static int nf_tables_ipv6_init_net(struct net *net) static int nf_tables_ipv6_init_net(struct net *net)
...@@ -93,6 +86,13 @@ static const struct nf_chain_type filter_ipv6 = { ...@@ -93,6 +86,13 @@ static const struct nf_chain_type filter_ipv6 = {
(1 << NF_INET_FORWARD) | (1 << NF_INET_FORWARD) |
(1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_POST_ROUTING), (1 << NF_INET_POST_ROUTING),
.hooks = {
[NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
[NF_INET_LOCAL_OUT] = nft_ipv6_output,
[NF_INET_FORWARD] = nft_do_chain_ipv6,
[NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
[NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
},
}; };
static int __init nf_tables_ipv6_init(void) static int __init nf_tables_ipv6_init(void)
......
...@@ -1357,7 +1357,6 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, ...@@ -1357,7 +1357,6 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
if (nla[NFTA_CHAIN_HOOK]) { if (nla[NFTA_CHAIN_HOOK]) {
struct nft_chain_hook hook; struct nft_chain_hook hook;
struct nf_hook_ops *ops; struct nf_hook_ops *ops;
nf_hookfn *hookfn;
err = nft_chain_parse_hook(net, nla, afi, &hook, create); err = nft_chain_parse_hook(net, nla, afi, &hook, create);
if (err < 0) if (err < 0)
...@@ -1383,7 +1382,6 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, ...@@ -1383,7 +1382,6 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
static_branch_inc(&nft_counters_enabled); static_branch_inc(&nft_counters_enabled);
} }
hookfn = hook.type->hooks[hook.num];
basechain->type = hook.type; basechain->type = hook.type;
chain = &basechain->chain; chain = &basechain->chain;
...@@ -1392,10 +1390,8 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, ...@@ -1392,10 +1390,8 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
ops->hooknum = hook.num; ops->hooknum = hook.num;
ops->priority = hook.priority; ops->priority = hook.priority;
ops->priv = chain; ops->priv = chain;
ops->hook = afi->hooks[ops->hooknum]; ops->hook = hook.type->hooks[ops->hooknum];
ops->dev = hook.dev; ops->dev = hook.dev;
if (hookfn)
ops->hook = hookfn;
if (basechain->type->type == NFT_CHAIN_T_NAT) if (basechain->type->type == NFT_CHAIN_T_NAT)
ops->nat_hook = true; ops->nat_hook = true;
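Review bot: `ops->hook = hook.type->hooks[ops->hooknum];` takes the function pointer from the chain type with no fallback and no NULL check, whereas the old code started from `afi->hooks[...]` and only overrode it when the type supplied a function. The filter chain types touched by this commit populate every hook they advertise, but the other chain types are not visible here. A type that sets a bit in `hook_mask` without a matching `hooks[]` entry would presumably register a NULL hook and fault on the packet path. Rejecting that case where the hook is validated, before the basechain is allocated, would turn it into a clean error, e.g. `if (!hook.type->hooks[hook.num]) return -EOPNOTSUPP;` with whatever release the surrounding error path needs. nf_tables_addchain starts and ends outside these hunks.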
......
...@@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __read_mostly = { ...@@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __read_mostly = {
.family = NFPROTO_INET, .family = NFPROTO_INET,
.nhooks = NF_INET_NUMHOOKS, .nhooks = NF_INET_NUMHOOKS,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.hooks = {
[NF_INET_LOCAL_IN] = nft_do_chain_inet,
[NF_INET_LOCAL_OUT] = nft_inet_output,
[NF_INET_FORWARD] = nft_do_chain_inet,
[NF_INET_PRE_ROUTING] = nft_do_chain_inet,
[NF_INET_POST_ROUTING] = nft_do_chain_inet,
},
}; };
static int __net_init nf_tables_inet_init_net(struct net *net) static int __net_init nf_tables_inet_init_net(struct net *net)
...@@ -121,6 +114,13 @@ static const struct nf_chain_type filter_inet = { ...@@ -121,6 +114,13 @@ static const struct nf_chain_type filter_inet = {
(1 << NF_INET_FORWARD) | (1 << NF_INET_FORWARD) |
(1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_POST_ROUTING), (1 << NF_INET_POST_ROUTING),
.hooks = {
[NF_INET_LOCAL_IN] = nft_do_chain_inet,
[NF_INET_LOCAL_OUT] = nft_inet_output,
[NF_INET_FORWARD] = nft_do_chain_inet,
[NF_INET_PRE_ROUTING] = nft_do_chain_inet,
[NF_INET_POST_ROUTING] = nft_do_chain_inet,
},
}; };
static int __init nf_tables_inet_init(void) static int __init nf_tables_inet_init(void)
......
...@@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev __read_mostly = { ...@@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev __read_mostly = {
.nhooks = NF_NETDEV_NUMHOOKS, .nhooks = NF_NETDEV_NUMHOOKS,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.flags = NFT_AF_NEEDS_DEV, .flags = NFT_AF_NEEDS_DEV,
.hooks = {
[NF_NETDEV_INGRESS] = nft_do_chain_netdev,
},
}; };
static int nf_tables_netdev_init_net(struct net *net) static int nf_tables_netdev_init_net(struct net *net)
...@@ -82,6 +79,9 @@ static const struct nf_chain_type nft_filter_chain_netdev = { ...@@ -82,6 +79,9 @@ static const struct nf_chain_type nft_filter_chain_netdev = {
.family = NFPROTO_NETDEV, .family = NFPROTO_NETDEV,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.hook_mask = (1 << NF_NETDEV_INGRESS), .hook_mask = (1 << NF_NETDEV_INGRESS),
.hooks = {
[NF_NETDEV_INGRESS] = nft_do_chain_netdev,
},
}; };
static void nft_netdev_event(unsigned long event, struct net_device *dev, static void nft_netdev_event(unsigned long event, struct net_device *dev,
......