netfilter: xtables: change hotdrop pointer to direct modification
Since xt_action_param is writable, let's use it. The pointer to 'bool hotdrop' always worried me (8 bytes (64-bit) to write 1 byte!). Surprisingly, this results in a reduction in size: text data bss filename 5457066 692730 357892 vmlinux.o-prev 5456554 692730 357892 vmlinux.o Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
parent
62fc805108
commit
b4ba26119b
@ -196,6 +196,9 @@ struct xt_counters_info {
|
||||
* @hook: hook number given packet came from
|
||||
* @family: Actual NFPROTO_* through which the function is invoked
|
||||
* (helpful when match->family == NFPROTO_UNSPEC)
|
||||
*
|
||||
* Fields written to by extensions:
|
||||
*
|
||||
* @hotdrop: drop packet if we had inspection problems
|
||||
* Network namespace obtainable using dev_net(in/out)
|
||||
*/
|
||||
@ -212,7 +215,7 @@ struct xt_action_param {
|
||||
unsigned int thoff;
|
||||
unsigned int hooknum;
|
||||
u_int8_t family;
|
||||
bool *hotdrop;
|
||||
bool hotdrop;
|
||||
};
|
||||
|
||||
/**
|
||||
|
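Review bot: The kernel-doc for @hotdrop in the first hunk should say that the caller owns its initial value: now that the flag is stored by value, an `xt_action_param` built on the stack without an explicit `acpar.hotdrop = false` reads an uninitialized bool, which drops or passes packets at random instead of faulting on a NULL pointer as the old `bool *hotdrop` would have. Suggest `* @hotdrop: drop packet if we had inspection problems; the caller must set it to false before invoking any extension`. The four table walkers in this commit do initialize it, but any other code that constructs an xt_action_param and is not in this diff would silently inherit the new failure mode — I cannot tell from here whether such a caller exists.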
@ -186,13 +186,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
|
||||
struct ebt_entries *chaininfo;
|
||||
const char *base;
|
||||
const struct ebt_table_info *private;
|
||||
bool hotdrop = false;
|
||||
struct xt_action_param acpar;
|
||||
|
||||
acpar.family = NFPROTO_BRIDGE;
|
||||
acpar.in = in;
|
||||
acpar.out = out;
|
||||
acpar.hotdrop = &hotdrop;
|
||||
acpar.hotdrop = false;
|
||||
acpar.hooknum = hook;
|
||||
|
||||
read_lock_bh(&table->lock);
|
||||
@ -216,7 +215,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
|
||||
|
||||
if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
|
||||
goto letscontinue;
|
||||
if (hotdrop) {
|
||||
if (acpar.hotdrop) {
|
||||
read_unlock_bh(&table->lock);
|
||||
return NF_DROP;
|
||||
}
|
||||
|
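Review bot: In ebt_do_table the new `acpar.hotdrop = false;` is one more field assigned one at a time into an otherwise uninitialized `struct xt_action_param acpar;`, so a field added to the struct later, or a dropped assignment, leaves garbage that no compiler warning catches. A designated initializer expresses the same setup and zeroes whatever is not named, at the cost of clearing the remaining fields per packet: `struct xt_action_param acpar = { .family = NFPROTO_BRIDGE, .in = in, .out = out, .hooknum = hook };` (`.hotdrop` is then false without a separate line). arpt_do_table, ipt_do_table and ip6t_do_table assign `acpar.hotdrop = false` the same way; their `acpar` declarations are outside the hunks shown, so I cannot see whether the same rewrite fits there. ebt_do_table starts and ends outside these hunks.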
@ -260,7 +260,6 @@ unsigned int arpt_do_table(struct sk_buff *skb,
|
||||
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
||||
unsigned int verdict = NF_DROP;
|
||||
const struct arphdr *arp;
|
||||
bool hotdrop = false;
|
||||
struct arpt_entry *e, *back;
|
||||
const char *indev, *outdev;
|
||||
void *table_base;
|
||||
@ -284,6 +283,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
|
||||
acpar.out = out;
|
||||
acpar.hooknum = hook;
|
||||
acpar.family = NFPROTO_ARP;
|
||||
acpar.hotdrop = false;
|
||||
|
||||
arp = arp_hdr(skb);
|
||||
do {
|
||||
@ -345,10 +345,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
|
||||
else
|
||||
/* Verdict */
|
||||
break;
|
||||
} while (!hotdrop);
|
||||
} while (!acpar.hotdrop);
|
||||
xt_info_rdunlock_bh();
|
||||
|
||||
if (hotdrop)
|
||||
if (acpar.hotdrop)
|
||||
return NF_DROP;
|
||||
else
|
||||
return verdict;
|
||||
|
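Review bot: The tail of arpt_do_table now reads `if (acpar.hotdrop) return NF_DROP; else return verdict;` — the `else` after a `return` is dead syntax, and the two-branch form hides that this is a single value selection. `return acpar.hotdrop ? NF_DROP : verdict;` says the same in one line. ipt_do_table and ip6t_do_table carry the same shape under `#else`, written as `else return verdict;` on one line, which is the harder-to-read variant. arpt_do_table continues outside the hunk.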
@ -308,7 +308,6 @@ ipt_do_table(struct sk_buff *skb,
|
||||
{
|
||||
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
||||
const struct iphdr *ip;
|
||||
bool hotdrop = false;
|
||||
/* Initializing verdict to NF_DROP keeps gcc happy. */
|
||||
unsigned int verdict = NF_DROP;
|
||||
const char *indev, *outdev;
|
||||
@ -330,7 +329,7 @@ ipt_do_table(struct sk_buff *skb,
|
||||
* match it. */
|
||||
acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
|
||||
acpar.thoff = ip_hdrlen(skb);
|
||||
acpar.hotdrop = &hotdrop;
|
||||
acpar.hotdrop = false;
|
||||
acpar.in = in;
|
||||
acpar.out = out;
|
||||
acpar.family = NFPROTO_IPV4;
|
||||
@ -432,7 +431,7 @@ ipt_do_table(struct sk_buff *skb,
|
||||
else
|
||||
/* Verdict */
|
||||
break;
|
||||
} while (!hotdrop);
|
||||
} while (!acpar.hotdrop);
|
||||
xt_info_rdunlock_bh();
|
||||
pr_debug("Exiting %s; resetting sp from %u to %u\n",
|
||||
__func__, *stackptr, origptr);
|
||||
@ -440,7 +439,7 @@ ipt_do_table(struct sk_buff *skb,
|
||||
#ifdef DEBUG_ALLOW_ALL
|
||||
return NF_ACCEPT;
|
||||
#else
|
||||
if (hotdrop)
|
||||
if (acpar.hotdrop)
|
||||
return NF_DROP;
|
||||
else return verdict;
|
||||
#endif
|
||||
@ -2154,7 +2153,7 @@ icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
* can't. Hence, no choice but to drop.
|
||||
*/
|
||||
duprintf("Dropping evil ICMP tinygram.\n");
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -46,7 +46,7 @@ static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
* can't. Hence, no choice but to drop.
|
||||
*/
|
||||
pr_debug("Dropping evil AH tinygram.\n");
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -78,7 +78,7 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
|
||||
if (ip_hdr(skb)->protocol != IPPROTO_TCP)
|
||||
return false;
|
||||
if (!match_tcp(skb, info, par->hotdrop))
|
||||
if (!match_tcp(skb, info, &par->hotdrop))
|
||||
return false;
|
||||
}
|
||||
|
||||
|
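Review bot: ecn_mt still hands `&par->hotdrop` to match_tcp, so the helper keeps a `bool *` parameter that now points into a struct the caller holds by value; that is correct, but it keeps a second convention for the same flag next to the direct `par->hotdrop = true` used by every other extension in this commit. Passing `par` itself (`match_tcp(skb, info, par)` with the helper writing `par->hotdrop = true`) would make every writer of the flag look the same. dccp_mt (match_option), sctp_mt (match_packet) and tcp_mt (tcp_find_option) take `&par->hotdrop` the same way; match_tcp's definition is outside the hunk, so I cannot see what else it would need from par.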
@ -337,7 +337,6 @@ ip6t_do_table(struct sk_buff *skb,
|
||||
struct xt_table *table)
|
||||
{
|
||||
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
||||
bool hotdrop = false;
|
||||
/* Initializing verdict to NF_DROP keeps gcc happy. */
|
||||
unsigned int verdict = NF_DROP;
|
||||
const char *indev, *outdev;
|
||||
@ -356,7 +355,7 @@ ip6t_do_table(struct sk_buff *skb,
|
||||
* things we don't know, ie. tcp syn flag or ports). If the
|
||||
* rule is also a fragment-specific rule, non-fragments won't
|
||||
* match it. */
|
||||
acpar.hotdrop = &hotdrop;
|
||||
acpar.hotdrop = false;
|
||||
acpar.in = in;
|
||||
acpar.out = out;
|
||||
acpar.family = NFPROTO_IPV6;
|
||||
@ -380,7 +379,7 @@ ip6t_do_table(struct sk_buff *skb,
|
||||
|
||||
IP_NF_ASSERT(e);
|
||||
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
|
||||
&acpar.thoff, &acpar.fragoff, &hotdrop)) {
|
||||
&acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
|
||||
no_match:
|
||||
e = ip6t_next_entry(e);
|
||||
continue;
|
||||
@ -447,7 +446,7 @@ ip6t_do_table(struct sk_buff *skb,
|
||||
else
|
||||
/* Verdict */
|
||||
break;
|
||||
} while (!hotdrop);
|
||||
} while (!acpar.hotdrop);
|
||||
|
||||
xt_info_rdunlock_bh();
|
||||
*stackptr = origptr;
|
||||
@ -455,7 +454,7 @@ ip6t_do_table(struct sk_buff *skb,
|
||||
#ifdef DEBUG_ALLOW_ALL
|
||||
return NF_ACCEPT;
|
||||
#else
|
||||
if (hotdrop)
|
||||
if (acpar.hotdrop)
|
||||
return NF_DROP;
|
||||
else return verdict;
|
||||
#endif
|
||||
@ -2170,7 +2169,7 @@ icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
* can't. Hence, no choice but to drop.
|
||||
*/
|
||||
duprintf("Dropping evil ICMP tinygram.\n");
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -48,13 +48,13 @@ static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
|
||||
if (err < 0) {
|
||||
if (err != -ENOENT)
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
|
||||
if (ah == NULL) {
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -27,7 +27,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
if (!(skb_mac_header(skb) >= skb->head &&
|
||||
skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
|
||||
par->fragoff != 0) {
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -46,13 +46,13 @@ frag_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
|
||||
if (err < 0) {
|
||||
if (err != -ENOENT)
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
|
||||
if (fh == NULL) {
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -65,13 +65,13 @@ hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
NEXTHDR_HOP : NEXTHDR_DEST, NULL);
|
||||
if (err < 0) {
|
||||
if (err != -ENOENT)
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
|
||||
if (oh == NULL) {
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -47,14 +47,14 @@ static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
/* We've been asked to examine this packet, and we
|
||||
can't. Hence, no choice but to drop. */
|
||||
pr_debug("Dropping evil MH tinygram.\n");
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
if (mh->ip6mh_proto != IPPROTO_NONE) {
|
||||
pr_debug("Dropping invalid MH Payload Proto: %u\n",
|
||||
mh->ip6mh_proto);
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -52,13 +52,13 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
|
||||
if (err < 0) {
|
||||
if (err != -ENOENT)
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
|
||||
if (rh == NULL) {
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -206,14 +206,14 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
|
||||
if (connections < 0) {
|
||||
/* kmalloc failed, drop it entirely */
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
return (connections > info->limit) ^ info->inverse;
|
||||
|
||||
hotdrop:
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -107,7 +107,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
|
||||
dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
|
||||
if (dh == NULL) {
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -120,7 +120,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
&& DCCHECK(match_types(dh, info->typemask),
|
||||
XT_DCCP_TYPE, info->flags, info->invflags)
|
||||
&& DCCHECK(match_option(info->option, skb, par->thoff, dh,
|
||||
par->hotdrop),
|
||||
&par->hotdrop),
|
||||
XT_DCCP_OPTION, info->flags, info->invflags);
|
||||
}
|
||||
|
||||
|
@ -52,7 +52,7 @@ static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
* can't. Hence, no choice but to drop.
|
||||
*/
|
||||
pr_debug("Dropping evil ESP tinygram.\n");
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -562,7 +562,7 @@ hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
return info->cfg.mode & XT_HASHLIMIT_INVERT;
|
||||
|
||||
hotdrop:
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -87,7 +87,7 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
* can't. Hence, no choice but to drop.
|
||||
*/
|
||||
pr_debug("Dropping evil offset=0 tinygram.\n");
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -268,7 +268,7 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
goto out;
|
||||
e = recent_entry_init(t, &addr, par->family, ttl);
|
||||
if (e == NULL)
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
ret = !ret;
|
||||
goto out;
|
||||
}
|
||||
|
@ -128,7 +128,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
|
||||
if (sh == NULL) {
|
||||
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
|
||||
@ -140,7 +140,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
&& ntohs(sh->dest) <= info->dpts[1],
|
||||
XT_SCTP_DEST_PORTS, info->flags, info->invflags)
|
||||
&& SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
|
||||
info, par->hotdrop),
|
||||
info, &par->hotdrop),
|
||||
XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
|
||||
}
|
||||
|
||||
|
@ -73,7 +73,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
return info->invert;
|
||||
|
||||
dropit:
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -77,7 +77,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
*/
|
||||
if (par->fragoff == 1) {
|
||||
pr_debug("Dropping evil TCP offset=1 frag.\n");
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
}
|
||||
/* Must not be a fragment. */
|
||||
return false;
|
||||
@ -90,7 +90,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
/* We've been asked to examine this packet, and we
|
||||
can't. Hence, no choice but to drop. */
|
||||
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -108,13 +108,13 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
return false;
|
||||
if (tcpinfo->option) {
|
||||
if (th->doff * 4 < sizeof(_tcph)) {
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
|
||||
th->doff*4 - sizeof(_tcph),
|
||||
tcpinfo->invflags & XT_TCP_INV_OPTION,
|
||||
par->hotdrop))
|
||||
&par->hotdrop))
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
@ -143,7 +143,7 @@ static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
/* We've been asked to examine this packet, and we
|
||||
can't. Hence, no choice but to drop. */
|
||||
pr_debug("Dropping evil UDP tinygram.\n");
|
||||
*par->hotdrop = true;
|
||||
par->hotdrop = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
|