korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-27 22:24:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

netfilter: nf_tables: kill nft_pktinfo.ops

Browse Source 
- Add nft_pktinfo.pf to replace ops->pf
- Add nft_pktinfo.hook to replace ops->hooknum

This simplifies the code, makes it more readable, and likely reduces
cache line misses.  Maintainability is enhanced as the details of
nft_hook_ops are of no concern to the recpients of nft_pktinfo.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Eric W. Biederman 2015-09-18 14:32:57 -05:00 committed by Pablo Neira Ayuso
parent 082a758f04
commit 6aa187f21c
25 changed files with 54 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
include/net/netfilter/nf_tables.h
View File

@ -16,7 +16,8 @@ struct nft_pktinfo {
struct sk_buff *skb;
const struct net_device *in;
const struct net_device *out;
const struct nf_hook_ops *ops;
u8 pf;
u8 hook;
u8 nhoff;
u8 thoff;
u8 tprot;
@ -25,16 +26,14 @@ struct nft_pktinfo {
};
static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
pkt->skb = skb;
pkt->in = pkt->xt.in = state->in;
pkt->out = pkt->xt.out = state->out;
pkt->ops = ops;
pkt->xt.hooknum = ops->hooknum;
pkt->xt.family = ops->pf;
pkt->hook = pkt->xt.hooknum = state->hook;
pkt->pf = pkt->xt.family = state->pf;
}
/**

3
include/net/netfilter/nf_tables_ipv4.h
View File

@ -6,13 +6,12 @@
static inline void
nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
struct iphdr *ip;
nft_set_pktinfo(pkt, ops, skb, state);
nft_set_pktinfo(pkt, skb, state);
ip = ip_hdr(pkt->skb);
pkt->tprot = ip->protocol;

3
include/net/netfilter/nf_tables_ipv6.h
View File

@ -6,14 +6,13 @@
static inline int
nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
int protohdr, thoff = 0;
unsigned short frag_off;
nft_set_pktinfo(pkt, ops, skb, state);
nft_set_pktinfo(pkt, skb, state);
protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, NULL);
/* If malformed, drop it */

16
net/bridge/netfilter/nf_tables_bridge.c
View File

@ -65,27 +65,25 @@ int nft_bridge_ip6hdr_validate(struct sk_buff *skb)
EXPORT_SYMBOL_GPL(nft_bridge_ip6hdr_validate);
static inline void nft_bridge_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
if (nft_bridge_iphdr_validate(skb))
nft_set_pktinfo_ipv4(pkt, ops, skb, state);
nft_set_pktinfo_ipv4(pkt, skb, state);
else
nft_set_pktinfo(pkt, ops, skb, state);
nft_set_pktinfo(pkt, skb, state);
}
static inline void nft_bridge_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
#if IS_ENABLED(CONFIG_IPV6)
if (nft_bridge_ip6hdr_validate(skb) &&
nft_set_pktinfo_ipv6(pkt, ops, skb, state) == 0)
nft_set_pktinfo_ipv6(pkt, skb, state) == 0)
return;
#endif
nft_set_pktinfo(pkt, ops, skb, state);
nft_set_pktinfo(pkt, skb, state);
}
static unsigned int
@ -97,13 +95,13 @@ nft_do_chain_bridge(const struct nf_hook_ops *ops,
switch (eth_hdr(skb)->h_proto) {
case htons(ETH_P_IP):
nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, state);
nft_bridge_set_pktinfo_ipv4(&pkt, skb, state);
break;
case htons(ETH_P_IPV6):
nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, state);
nft_bridge_set_pktinfo_ipv6(&pkt, skb, state);
break;
default:
nft_set_pktinfo(&pkt, ops, skb, state);
nft_set_pktinfo(&pkt, skb, state);
break;
}

12
net/bridge/netfilter/nft_reject_bridge.c
View File

@ -273,16 +273,16 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr,
switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH:
nft_reject_br_send_v4_unreach(pkt->skb, pkt->in,
pkt->ops->hooknum,
pkt->hook,
priv->icmp_code);
break;
case NFT_REJECT_TCP_RST:
nft_reject_br_send_v4_tcp_reset(pkt->skb, pkt->in,
pkt->ops->hooknum);
pkt->hook);
break;
case NFT_REJECT_ICMPX_UNREACH:
nft_reject_br_send_v4_unreach(pkt->skb, pkt->in,
pkt->ops->hooknum,
pkt->hook,
nft_reject_icmp_code(priv->icmp_code));
break;
}
@ -291,16 +291,16 @@ static void nft_reject_bridge_eval(const struct nft_expr *expr,
switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH:
nft_reject_br_send_v6_unreach(net, pkt->skb, pkt->in,
pkt->ops->hooknum,
pkt->hook,
priv->icmp_code);
break;
case NFT_REJECT_TCP_RST:
nft_reject_br_send_v6_tcp_reset(net, pkt->skb, pkt->in,
pkt->ops->hooknum);
pkt->hook);
break;
case NFT_REJECT_ICMPX_UNREACH:
nft_reject_br_send_v6_unreach(net, pkt->skb, pkt->in,
pkt->ops->hooknum,
pkt->hook,
nft_reject_icmpv6_code(priv->icmp_code));
break;
}

2
net/ipv4/netfilter/nf_tables_arp.c
View File

@ -21,7 +21,7 @@ nft_do_chain_arp(const struct nf_hook_ops *ops,
{
struct nft_pktinfo pkt;
nft_set_pktinfo(&pkt, ops, skb, state);
nft_set_pktinfo(&pkt, skb, state);
return nft_do_chain(&pkt, ops);
}

2
net/ipv4/netfilter/nf_tables_ipv4.c
View File

@ -24,7 +24,7 @@ static unsigned int nft_do_chain_ipv4(const struct nf_hook_ops *ops,
{
struct nft_pktinfo pkt;
nft_set_pktinfo_ipv4(&pkt, ops, skb, state);
nft_set_pktinfo_ipv4(&pkt, skb, state);
return nft_do_chain(&pkt, ops);
}

2
net/ipv4/netfilter/nft_chain_nat_ipv4.c
View File

@ -33,7 +33,7 @@ static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops,
{
struct nft_pktinfo pkt;
nft_set_pktinfo_ipv4(&pkt, ops, skb, state);
nft_set_pktinfo_ipv4(&pkt, skb, state);
return nft_do_chain(&pkt, ops);
}

2
net/ipv4/netfilter/nft_chain_route_ipv4.c
View File

@ -37,7 +37,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
nft_set_pktinfo_ipv4(&pkt, ops, skb, state);
nft_set_pktinfo_ipv4(&pkt, skb, state);
mark = skb->mark;
iph = ip_hdr(skb);

2
net/ipv4/netfilter/nft_dup_ipv4.c
View File

@ -30,7 +30,7 @@ static void nft_dup_ipv4_eval(const struct nft_expr *expr,
};
int oif = regs->data[priv->sreg_dev];
nf_dup_ipv4(pkt->skb, pkt->ops->hooknum, &gw, oif);
nf_dup_ipv4(pkt->skb, pkt->hook, &gw, oif);
}
static int nft_dup_ipv4_init(const struct nft_ctx *ctx,

2
net/ipv4/netfilter/nft_masq_ipv4.c
View File

@ -26,7 +26,7 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr,
memset(&range, 0, sizeof(range));
range.flags = priv->flags;
regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, pkt->ops->hooknum,
regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, pkt->hook,
&range, pkt->out);
}

2
net/ipv4/netfilter/nft_redir_ipv4.c
View File

@ -36,7 +36,7 @@ static void nft_redir_ipv4_eval(const struct nft_expr *expr,
mr.range[0].flags |= priv->flags;
regs->verdict.code = nf_nat_redirect_ipv4(pkt->skb, &mr,
pkt->ops->hooknum);
pkt->hook);
}
static struct nft_expr_type nft_redir_ipv4_type;

5
net/ipv4/netfilter/nft_reject_ipv4.c
View File

@ -27,11 +27,10 @@ static void nft_reject_ipv4_eval(const struct nft_expr *expr,
switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH:
nf_send_unreach(pkt->skb, priv->icmp_code,
pkt->ops->hooknum);
nf_send_unreach(pkt->skb, priv->icmp_code, pkt->hook);
break;
case NFT_REJECT_TCP_RST:
nf_send_reset(pkt->skb, pkt->ops->hooknum);
nf_send_reset(pkt->skb, pkt->hook);
break;
default:
break;

2
net/ipv6/netfilter/nf_tables_ipv6.c
View File

@ -23,7 +23,7 @@ static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops,
struct nft_pktinfo pkt;
/* malformed packet, drop it */
if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state) < 0)
if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0)
return NF_DROP;
return nft_do_chain(&pkt, ops);

2
net/ipv6/netfilter/nft_chain_nat_ipv6.c
View File

@ -31,7 +31,7 @@ static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops,
{
struct nft_pktinfo pkt;
nft_set_pktinfo_ipv6(&pkt, ops, skb, state);
nft_set_pktinfo_ipv6(&pkt, skb, state);
return nft_do_chain(&pkt, ops);
}

2
net/ipv6/netfilter/nft_chain_route_ipv6.c
View File

@ -33,7 +33,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
u32 mark, flowlabel;
/* malformed packet, drop it */
if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state) < 0)
if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0)
return NF_DROP;
/* save source/dest address, mark, hoplimit, flowlabel, priority */

2
net/ipv6/netfilter/nft_dup_ipv6.c
View File

@ -28,7 +28,7 @@ static void nft_dup_ipv6_eval(const struct nft_expr *expr,
struct in6_addr *gw = (struct in6_addr *)&regs->data[priv->sreg_addr];
int oif = regs->data[priv->sreg_dev];
nf_dup_ipv6(pkt->skb, pkt->ops->hooknum, gw, oif);
nf_dup_ipv6(pkt->skb, pkt->hook, gw, oif);
}
static int nft_dup_ipv6_init(const struct nft_ctx *ctx,

3
net/ipv6/netfilter/nft_redir_ipv6.c
View File

@ -35,8 +35,7 @@ static void nft_redir_ipv6_eval(const struct nft_expr *expr,
range.flags |= priv->flags;
regs->verdict.code = nf_nat_redirect_ipv6(pkt->skb, &range,
pkt->ops->hooknum);
regs->verdict.code = nf_nat_redirect_ipv6(pkt->skb, &range, pkt->hook);
}
static struct nft_expr_type nft_redir_ipv6_type;

5
net/ipv6/netfilter/nft_reject_ipv6.c
View File

@ -28,11 +28,10 @@ static void nft_reject_ipv6_eval(const struct nft_expr *expr,
switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH:
nf_send_unreach6(net, pkt->skb, priv->icmp_code,
pkt->ops->hooknum);
nf_send_unreach6(net, pkt->skb, priv->icmp_code, pkt->hook);
break;
case NFT_REJECT_TCP_RST:
nf_send_reset6(net, pkt->skb, pkt->ops->hooknum);
nf_send_reset6(net, pkt->skb, pkt->hook);
break;
default:
break;

2
net/netfilter/nf_tables_core.c
View File

@ -50,7 +50,7 @@ static void __nft_trace_packet(const struct nft_pktinfo *pkt,
{
struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);
nf_log_trace(net, pkt->xt.family, pkt->ops->hooknum, pkt->skb, pkt->in,
nf_log_trace(net, pkt->pf, pkt->hook, pkt->skb, pkt->in,
pkt->out, &trace_loginfo, "TRACE: %s:%s:%s:%u ",
chain->table->name, chain->name, comments[type],
rulenum);

16
net/netfilter/nf_tables_netdev.c
View File

@ -17,13 +17,13 @@
static inline void
nft_netdev_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
const struct nf_hook_ops *ops, struct sk_buff *skb,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
struct iphdr *iph, _iph;
u32 len, thoff;
nft_set_pktinfo(pkt, ops, skb, state);
nft_set_pktinfo(pkt, skb, state);
iph = skb_header_pointer(skb, skb_network_offset(skb), sizeof(*iph),
&_iph);
@ -48,7 +48,6 @@ nft_netdev_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
static inline void
__nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
@ -82,12 +81,11 @@ __nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
}
static inline void nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
nft_set_pktinfo(pkt, ops, skb, state);
__nft_netdev_set_pktinfo_ipv6(pkt, ops, skb, state);
nft_set_pktinfo(pkt, skb, state);
__nft_netdev_set_pktinfo_ipv6(pkt, skb, state);
}
static unsigned int
@ -98,13 +96,13 @@ nft_do_chain_netdev(const struct nf_hook_ops *ops, struct sk_buff *skb,
switch (eth_hdr(skb)->h_proto) {
case htons(ETH_P_IP):
nft_netdev_set_pktinfo_ipv4(&pkt, ops, skb, state);
nft_netdev_set_pktinfo_ipv4(&pkt, skb, state);
break;
case htons(ETH_P_IPV6):
nft_netdev_set_pktinfo_ipv6(&pkt, ops, skb, state);
nft_netdev_set_pktinfo_ipv6(&pkt, skb, state);
break;
default:
nft_set_pktinfo(&pkt, ops, skb, state);
nft_set_pktinfo(&pkt, skb, state);
break;
}

2
net/netfilter/nft_log.c
View File

@ -33,7 +33,7 @@ static void nft_log_eval(const struct nft_expr *expr,
const struct nft_log *priv = nft_expr_priv(expr);
struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);
nf_log_packet(net, pkt->ops->pf, pkt->ops->hooknum, pkt->skb, pkt->in,
nf_log_packet(net, pkt->pf, pkt->hook, pkt->skb, pkt->in,
pkt->out, &priv->loginfo, "%s", priv->prefix);
}

4
net/netfilter/nft_meta.c
View File

@ -42,7 +42,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
*(__be16 *)dest = skb->protocol;
break;
case NFT_META_NFPROTO:
*dest = pkt->ops->pf;
*dest = pkt->pf;
break;
case NFT_META_L4PROTO:
*dest = pkt->tprot;
@ -135,7 +135,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
break;
}
switch (pkt->ops->pf) {
switch (pkt->pf) {
case NFPROTO_IPV4:
if (ipv4_is_multicast(ip_hdr(skb)->daddr))
*dest = PACKET_MULTICAST;

2
net/netfilter/nft_queue.c
View File

@ -42,7 +42,7 @@ static void nft_queue_eval(const struct nft_expr *expr,
queue = priv->queuenum + cpu % priv->queues_total;
} else {
queue = nfqueue_hash(pkt->skb, queue,
priv->queues_total, pkt->ops->pf,
priv->queues_total, pkt->pf,
jhash_initval);
}
}

14
net/netfilter/nft_reject_inet.c
View File

@ -24,20 +24,20 @@ static void nft_reject_inet_eval(const struct nft_expr *expr,
struct nft_reject *priv = nft_expr_priv(expr);
struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
switch (pkt->ops->pf) {
switch (pkt->pf) {
case NFPROTO_IPV4:
switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH:
nf_send_unreach(pkt->skb, priv->icmp_code,
pkt->ops->hooknum);
pkt->hook);
break;
case NFT_REJECT_TCP_RST:
nf_send_reset(pkt->skb, pkt->ops->hooknum);
nf_send_reset(pkt->skb, pkt->hook);
break;
case NFT_REJECT_ICMPX_UNREACH:
nf_send_unreach(pkt->skb,
nft_reject_icmp_code(priv->icmp_code),
pkt->ops->hooknum);
pkt->hook);
break;
}
break;
@ -45,15 +45,15 @@ static void nft_reject_inet_eval(const struct nft_expr *expr,
switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH:
nf_send_unreach6(net, pkt->skb, priv->icmp_code,
pkt->ops->hooknum);
pkt->hook);
break;
case NFT_REJECT_TCP_RST:
nf_send_reset6(net, pkt->skb, pkt->ops->hooknum);
nf_send_reset6(net, pkt->skb, pkt->hook);
break;
case NFT_REJECT_ICMPX_UNREACH:
nf_send_unreach6(net, pkt->skb,
nft_reject_icmpv6_code(priv->icmp_code),
pkt->ops->hooknum);
pkt->hook);
break;
}
break;