inet netfilter: Remove hook from ip6t_do_table, arp_do_table, ipt_do_table
The values of ops->hooknum and state->hook are guaranteed to be equal, which makes the hook argument to ip6t_do_table, arp_do_table, and ipt_do_table unnecessary. Remove the unnecessary hook argument. In the callers use state->hook instead of ops->hooknum for clarity and to reduce the number of cachelines the callers touch. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
97b59c3a91
commit
6cb8ff3f1a
@ -53,7 +53,6 @@ extern struct xt_table *arpt_register_table(struct net *net,
|
|||||||
const struct arpt_replace *repl);
|
const struct arpt_replace *repl);
|
||||||
extern void arpt_unregister_table(struct xt_table *table);
|
extern void arpt_unregister_table(struct xt_table *table);
|
||||||
extern unsigned int arpt_do_table(struct sk_buff *skb,
|
extern unsigned int arpt_do_table(struct sk_buff *skb,
|
||||||
unsigned int hook,
|
|
||||||
const struct nf_hook_state *state,
|
const struct nf_hook_state *state,
|
||||||
struct xt_table *table);
|
struct xt_table *table);
|
||||||
|
|
||||||
|
@ -64,7 +64,6 @@ struct ipt_error {
|
|||||||
|
|
||||||
extern void *ipt_alloc_initial_table(const struct xt_table *);
|
extern void *ipt_alloc_initial_table(const struct xt_table *);
|
||||||
extern unsigned int ipt_do_table(struct sk_buff *skb,
|
extern unsigned int ipt_do_table(struct sk_buff *skb,
|
||||||
unsigned int hook,
|
|
||||||
const struct nf_hook_state *state,
|
const struct nf_hook_state *state,
|
||||||
struct xt_table *table);
|
struct xt_table *table);
|
||||||
|
|
||||||
|
@ -30,7 +30,6 @@ extern struct xt_table *ip6t_register_table(struct net *net,
|
|||||||
const struct ip6t_replace *repl);
|
const struct ip6t_replace *repl);
|
||||||
extern void ip6t_unregister_table(struct net *net, struct xt_table *table);
|
extern void ip6t_unregister_table(struct net *net, struct xt_table *table);
|
||||||
extern unsigned int ip6t_do_table(struct sk_buff *skb,
|
extern unsigned int ip6t_do_table(struct sk_buff *skb,
|
||||||
unsigned int hook,
|
|
||||||
const struct nf_hook_state *state,
|
const struct nf_hook_state *state,
|
||||||
struct xt_table *table);
|
struct xt_table *table);
|
||||||
|
|
||||||
|
@ -247,10 +247,10 @@ struct arpt_entry *arpt_next_entry(const struct arpt_entry *entry)
|
|||||||
}
|
}
|
||||||
|
|
||||||
unsigned int arpt_do_table(struct sk_buff *skb,
|
unsigned int arpt_do_table(struct sk_buff *skb,
|
||||||
unsigned int hook,
|
|
||||||
const struct nf_hook_state *state,
|
const struct nf_hook_state *state,
|
||||||
struct xt_table *table)
|
struct xt_table *table)
|
||||||
{
|
{
|
||||||
|
unsigned int hook = state->hook;
|
||||||
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
||||||
unsigned int verdict = NF_DROP;
|
unsigned int verdict = NF_DROP;
|
||||||
const struct arphdr *arp;
|
const struct arphdr *arp;
|
||||||
|
@ -30,8 +30,7 @@ static unsigned int
|
|||||||
arptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
arptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct nf_hook_state *state)
|
const struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
return arpt_do_table(skb, ops->hooknum, state,
|
return arpt_do_table(skb, state, state->net->ipv4.arptable_filter);
|
||||||
state->net->ipv4.arptable_filter);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *arpfilter_ops __read_mostly;
|
static struct nf_hook_ops *arpfilter_ops __read_mostly;
|
||||||
|
@ -285,10 +285,10 @@ struct ipt_entry *ipt_next_entry(const struct ipt_entry *entry)
|
|||||||
/* Returns one of the generic firewall policies, like NF_ACCEPT. */
|
/* Returns one of the generic firewall policies, like NF_ACCEPT. */
|
||||||
unsigned int
|
unsigned int
|
||||||
ipt_do_table(struct sk_buff *skb,
|
ipt_do_table(struct sk_buff *skb,
|
||||||
unsigned int hook,
|
|
||||||
const struct nf_hook_state *state,
|
const struct nf_hook_state *state,
|
||||||
struct xt_table *table)
|
struct xt_table *table)
|
||||||
{
|
{
|
||||||
|
unsigned int hook = state->hook;
|
||||||
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
||||||
const struct iphdr *ip;
|
const struct iphdr *ip;
|
||||||
/* Initializing verdict to NF_DROP keeps gcc happy. */
|
/* Initializing verdict to NF_DROP keeps gcc happy. */
|
||||||
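Review bot: The new local `hook` is initialised from state->hook, but nothing at the definition says that the table is now walked for the hook recorded in @state rather than one the caller chooses; the existing comment above ipt_do_table only describes the return value. I would extend it to `/* Walks @table for the hook in @state->hook. Returns one of the generic firewall policies, like NF_ACCEPT. */`. The same applies to arpt_do_table and ip6t_do_table in their hunks, and all three function bodies continue past the end of the hunk.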
|
@ -36,14 +36,13 @@ static unsigned int
|
|||||||
iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct nf_hook_state *state)
|
const struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
if (ops->hooknum == NF_INET_LOCAL_OUT &&
|
if (state->hook == NF_INET_LOCAL_OUT &&
|
||||||
(skb->len < sizeof(struct iphdr) ||
|
(skb->len < sizeof(struct iphdr) ||
|
||||||
ip_hdrlen(skb) < sizeof(struct iphdr)))
|
ip_hdrlen(skb) < sizeof(struct iphdr)))
|
||||||
/* root is playing with raw sockets. */
|
/* root is playing with raw sockets. */
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
return ipt_do_table(skb, ops->hooknum, state,
|
return ipt_do_table(skb, state, state->net->ipv4.iptable_filter);
|
||||||
state->net->ipv4.iptable_filter);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *filter_ops __read_mostly;
|
static struct nf_hook_ops *filter_ops __read_mostly;
|
||||||
|
@ -58,8 +58,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state)
|
|||||||
daddr = iph->daddr;
|
daddr = iph->daddr;
|
||||||
tos = iph->tos;
|
tos = iph->tos;
|
||||||
|
|
||||||
ret = ipt_do_table(skb, NF_INET_LOCAL_OUT, state,
|
ret = ipt_do_table(skb, state, state->net->ipv4.iptable_mangle);
|
||||||
state->net->ipv4.iptable_mangle);
|
|
||||||
/* Reroute for ANY change. */
|
/* Reroute for ANY change. */
|
||||||
if (ret != NF_DROP && ret != NF_STOLEN) {
|
if (ret != NF_DROP && ret != NF_STOLEN) {
|
||||||
iph = ip_hdr(skb);
|
iph = ip_hdr(skb);
|
||||||
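Review bot: ipt_mangle_out now traverses the mangle table at whatever hook state->hook carries, whereas the removed line pinned it to NF_INET_LOCAL_OUT; the result is unchanged only because its one caller visible on this page, iptable_mangle_hook, tests `state->hook == NF_INET_LOCAL_OUT` before calling it. That precondition is no longer visible from the function itself, so I would state it above the definition: `/* Only called for the NF_INET_LOCAL_OUT hook; ipt_do_table() reads the hook from state->hook. */`. ipt_mangle_out begins outside this hunk, and the same remark applies to ip6t_mangle_out in the ip6table_mangle hunk.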
@ -83,14 +82,13 @@ iptable_mangle_hook(const struct nf_hook_ops *ops,
|
|||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct nf_hook_state *state)
|
const struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
if (ops->hooknum == NF_INET_LOCAL_OUT)
|
if (state->hook == NF_INET_LOCAL_OUT)
|
||||||
return ipt_mangle_out(skb, state);
|
return ipt_mangle_out(skb, state);
|
||||||
if (ops->hooknum == NF_INET_POST_ROUTING)
|
if (state->hook == NF_INET_POST_ROUTING)
|
||||||
return ipt_do_table(skb, ops->hooknum, state,
|
return ipt_do_table(skb, state,
|
||||||
state->net->ipv4.iptable_mangle);
|
state->net->ipv4.iptable_mangle);
|
||||||
/* PREROUTING/INPUT/FORWARD: */
|
/* PREROUTING/INPUT/FORWARD: */
|
||||||
return ipt_do_table(skb, ops->hooknum, state,
|
return ipt_do_table(skb, state, state->net->ipv4.iptable_mangle);
|
||||||
state->net->ipv4.iptable_mangle);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *mangle_ops __read_mostly;
|
static struct nf_hook_ops *mangle_ops __read_mostly;
|
||||||
|
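Review bot: After the rewrite the NF_INET_POST_ROUTING branch and the fall-through below it both return `ipt_do_table(skb, state, state->net->ipv4.iptable_mangle)`, so the `if (state->hook == NF_INET_POST_ROUTING)` test selects nothing; this was already true before the change, but the hunk rewrites both calls, so it is the moment to either drop the branch or add a comment saying why POST_ROUTING is listed separately from the PREROUTING/INPUT/FORWARD case. The surviving branch also keeps the two-line call layout while the other calls in this hunk were collapsed onto one line. ip6table_mangle_hook in its hunk has the identical shape.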
@ -33,8 +33,7 @@ static unsigned int iptable_nat_do_chain(const struct nf_hook_ops *ops,
|
|||||||
const struct nf_hook_state *state,
|
const struct nf_hook_state *state,
|
||||||
struct nf_conn *ct)
|
struct nf_conn *ct)
|
||||||
{
|
{
|
||||||
return ipt_do_table(skb, ops->hooknum, state,
|
return ipt_do_table(skb, state, state->net->ipv4.nat_table);
|
||||||
state->net->ipv4.nat_table);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int iptable_nat_ipv4_fn(const struct nf_hook_ops *ops,
|
static unsigned int iptable_nat_ipv4_fn(const struct nf_hook_ops *ops,
|
||||||
|
@ -23,14 +23,13 @@ static unsigned int
|
|||||||
iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct nf_hook_state *state)
|
const struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
if (ops->hooknum == NF_INET_LOCAL_OUT &&
|
if (state->hook == NF_INET_LOCAL_OUT &&
|
||||||
(skb->len < sizeof(struct iphdr) ||
|
(skb->len < sizeof(struct iphdr) ||
|
||||||
ip_hdrlen(skb) < sizeof(struct iphdr)))
|
ip_hdrlen(skb) < sizeof(struct iphdr)))
|
||||||
/* root is playing with raw sockets. */
|
/* root is playing with raw sockets. */
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
return ipt_do_table(skb, ops->hooknum, state,
|
return ipt_do_table(skb, state, state->net->ipv4.iptable_raw);
|
||||||
state->net->ipv4.iptable_raw);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *rawtable_ops __read_mostly;
|
static struct nf_hook_ops *rawtable_ops __read_mostly;
|
||||||
|
@ -40,14 +40,13 @@ static unsigned int
|
|||||||
iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct nf_hook_state *state)
|
const struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
if (ops->hooknum == NF_INET_LOCAL_OUT &&
|
if (state->hook == NF_INET_LOCAL_OUT &&
|
||||||
(skb->len < sizeof(struct iphdr) ||
|
(skb->len < sizeof(struct iphdr) ||
|
||||||
ip_hdrlen(skb) < sizeof(struct iphdr)))
|
ip_hdrlen(skb) < sizeof(struct iphdr)))
|
||||||
/* Somebody is playing with raw sockets. */
|
/* Somebody is playing with raw sockets. */
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
return ipt_do_table(skb, ops->hooknum, state,
|
return ipt_do_table(skb, state, state->net->ipv4.iptable_security);
|
||||||
state->net->ipv4.iptable_security);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *sectbl_ops __read_mostly;
|
static struct nf_hook_ops *sectbl_ops __read_mostly;
|
||||||
|
@ -314,10 +314,10 @@ ip6t_next_entry(const struct ip6t_entry *entry)
|
|||||||
/* Returns one of the generic firewall policies, like NF_ACCEPT. */
|
/* Returns one of the generic firewall policies, like NF_ACCEPT. */
|
||||||
unsigned int
|
unsigned int
|
||||||
ip6t_do_table(struct sk_buff *skb,
|
ip6t_do_table(struct sk_buff *skb,
|
||||||
unsigned int hook,
|
|
||||||
const struct nf_hook_state *state,
|
const struct nf_hook_state *state,
|
||||||
struct xt_table *table)
|
struct xt_table *table)
|
||||||
{
|
{
|
||||||
|
unsigned int hook = state->hook;
|
||||||
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
||||||
/* Initializing verdict to NF_DROP keeps gcc happy. */
|
/* Initializing verdict to NF_DROP keeps gcc happy. */
|
||||||
unsigned int verdict = NF_DROP;
|
unsigned int verdict = NF_DROP;
|
||||||
|
@ -35,8 +35,7 @@ static unsigned int
|
|||||||
ip6table_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip6table_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct nf_hook_state *state)
|
const struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
return ip6t_do_table(skb, ops->hooknum, state,
|
return ip6t_do_table(skb, state, state->net->ipv6.ip6table_filter);
|
||||||
state->net->ipv6.ip6table_filter);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *filter_ops __read_mostly;
|
static struct nf_hook_ops *filter_ops __read_mostly;
|
||||||
|
@ -57,8 +57,7 @@ ip6t_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state)
|
|||||||
/* flowlabel and prio (includes version, which shouldn't change either */
|
/* flowlabel and prio (includes version, which shouldn't change either */
|
||||||
flowlabel = *((u_int32_t *)ipv6_hdr(skb));
|
flowlabel = *((u_int32_t *)ipv6_hdr(skb));
|
||||||
|
|
||||||
ret = ip6t_do_table(skb, NF_INET_LOCAL_OUT, state,
|
ret = ip6t_do_table(skb, state, state->net->ipv6.ip6table_mangle);
|
||||||
state->net->ipv6.ip6table_mangle);
|
|
||||||
|
|
||||||
if (ret != NF_DROP && ret != NF_STOLEN &&
|
if (ret != NF_DROP && ret != NF_STOLEN &&
|
||||||
(!ipv6_addr_equal(&ipv6_hdr(skb)->saddr, &saddr) ||
|
(!ipv6_addr_equal(&ipv6_hdr(skb)->saddr, &saddr) ||
|
||||||
@ -79,14 +78,13 @@ static unsigned int
|
|||||||
ip6table_mangle_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip6table_mangle_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct nf_hook_state *state)
|
const struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
if (ops->hooknum == NF_INET_LOCAL_OUT)
|
if (state->hook == NF_INET_LOCAL_OUT)
|
||||||
return ip6t_mangle_out(skb, state);
|
return ip6t_mangle_out(skb, state);
|
||||||
if (ops->hooknum == NF_INET_POST_ROUTING)
|
if (state->hook == NF_INET_POST_ROUTING)
|
||||||
return ip6t_do_table(skb, ops->hooknum, state,
|
return ip6t_do_table(skb, state,
|
||||||
state->net->ipv6.ip6table_mangle);
|
state->net->ipv6.ip6table_mangle);
|
||||||
/* INPUT/FORWARD */
|
/* INPUT/FORWARD */
|
||||||
return ip6t_do_table(skb, ops->hooknum, state,
|
return ip6t_do_table(skb, state, state->net->ipv6.ip6table_mangle);
|
||||||
state->net->ipv6.ip6table_mangle);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *mangle_ops __read_mostly;
|
static struct nf_hook_ops *mangle_ops __read_mostly;
|
||||||
|
@ -35,8 +35,7 @@ static unsigned int ip6table_nat_do_chain(const struct nf_hook_ops *ops,
|
|||||||
const struct nf_hook_state *state,
|
const struct nf_hook_state *state,
|
||||||
struct nf_conn *ct)
|
struct nf_conn *ct)
|
||||||
{
|
{
|
||||||
return ip6t_do_table(skb, ops->hooknum, state,
|
return ip6t_do_table(skb, state, state->net->ipv6.ip6table_nat);
|
||||||
state->net->ipv6.ip6table_nat);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops,
|
static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops,
|
||||||
|
@ -22,8 +22,7 @@ static unsigned int
|
|||||||
ip6table_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip6table_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct nf_hook_state *state)
|
const struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
return ip6t_do_table(skb, ops->hooknum, state,
|
return ip6t_do_table(skb, state, state->net->ipv6.ip6table_raw);
|
||||||
state->net->ipv6.ip6table_raw);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *rawtable_ops __read_mostly;
|
static struct nf_hook_ops *rawtable_ops __read_mostly;
|
||||||
|
@ -39,8 +39,7 @@ static unsigned int
|
|||||||
ip6table_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip6table_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct nf_hook_state *state)
|
const struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
return ip6t_do_table(skb, ops->hooknum, state,
|
return ip6t_do_table(skb, state, state->net->ipv6.ip6table_security);
|
||||||
state->net->ipv6.ip6table_security);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *sectbl_ops __read_mostly;
|
static struct nf_hook_ops *sectbl_ops __read_mostly;
|
||||||
|