diff options
| author | Florian Westphal <fw@strlen.de> | 2018-04-16 13:15:53 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-04-24 04:29:22 -0400 |
| commit | bd2bbdb497dba24b9ca7f6257c83e496c64b6e9d (patch) | |
| tree | 495278eb26d1521c5a14eccc5d8c371e9626df78 /net/bridge | |
| parent | 99a0efbeeb83482893f7d5df343a2d2eb591933d (diff) | |
netfilter: merge meta_bridge into nft_meta
It overcomplicates things for no reason.
nft_meta_bridge only offers retrieval of bridge port interface name.
Because of this being its own module, we had to export all nft_meta
functions, which we can then make static again (which even reduces
the size of nft_meta -- including bridge port retrieval...):
before:
text data bss dec hex filename
1838 832 0 2670 a6e net/bridge/netfilter/nft_meta_bridge.ko
6147 936 1 7084 1bac net/netfilter/nft_meta.ko
after:
5826 936 1 6763 1a6b net/netfilter/nft_meta.ko
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/bridge')
| -rw-r--r-- | net/bridge/netfilter/Kconfig | 7 | ||||
| -rw-r--r-- | net/bridge/netfilter/Makefile | 1 | ||||
| -rw-r--r-- | net/bridge/netfilter/nft_meta_bridge.c | 135 |
3 files changed, 0 insertions, 143 deletions
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig index f212447794bd..9a0159aebe1a 100644 --- a/net/bridge/netfilter/Kconfig +++ b/net/bridge/netfilter/Kconfig | |||
| @@ -8,13 +8,6 @@ menuconfig NF_TABLES_BRIDGE | |||
| 8 | bool "Ethernet Bridge nf_tables support" | 8 | bool "Ethernet Bridge nf_tables support" |
| 9 | 9 | ||
| 10 | if NF_TABLES_BRIDGE | 10 | if NF_TABLES_BRIDGE |
| 11 | |||
| 12 | config NFT_BRIDGE_META | ||
| 13 | tristate "Netfilter nf_table bridge meta support" | ||
| 14 | depends on NFT_META | ||
| 15 | help | ||
| 16 | Add support for bridge dedicated meta key. | ||
| 17 | |||
| 18 | config NFT_BRIDGE_REJECT | 11 | config NFT_BRIDGE_REJECT |
| 19 | tristate "Netfilter nf_tables bridge reject support" | 12 | tristate "Netfilter nf_tables bridge reject support" |
| 20 | depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6 | 13 | depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6 |
diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile index 4bc758dd4a8c..9b868861f21a 100644 --- a/net/bridge/netfilter/Makefile +++ b/net/bridge/netfilter/Makefile | |||
| @@ -3,7 +3,6 @@ | |||
| 3 | # Makefile for the netfilter modules for Link Layer filtering on a bridge. | 3 | # Makefile for the netfilter modules for Link Layer filtering on a bridge. |
| 4 | # | 4 | # |
| 5 | 5 | ||
| 6 | obj-$(CONFIG_NFT_BRIDGE_META) += nft_meta_bridge.o | ||
| 7 | obj-$(CONFIG_NFT_BRIDGE_REJECT) += nft_reject_bridge.o | 6 | obj-$(CONFIG_NFT_BRIDGE_REJECT) += nft_reject_bridge.o |
| 8 | 7 | ||
| 9 | # packet logging | 8 | # packet logging |
diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c deleted file mode 100644 index bb63c9aed55d..000000000000 --- a/net/bridge/netfilter/nft_meta_bridge.c +++ /dev/null | |||
| @@ -1,135 +0,0 @@ | |||
| 1 | /* | ||
| 2 | * Copyright (c) 2014 Intel Corporation | ||
| 3 | * | ||
| 4 | * This program is free software; you can redistribute it and/or modify | ||
| 5 | * it under the terms of the GNU General Public License version 2 as | ||
| 6 | * published by the Free Software Foundation. | ||
| 7 | * | ||
| 8 | */ | ||
| 9 | |||
| 10 | #include <linux/kernel.h> | ||
| 11 | #include <linux/init.h> | ||
| 12 | #include <linux/module.h> | ||
| 13 | #include <linux/netlink.h> | ||
| 14 | #include <linux/netfilter.h> | ||
| 15 | #include <linux/netfilter/nf_tables.h> | ||
| 16 | #include <net/netfilter/nf_tables.h> | ||
| 17 | #include <net/netfilter/nft_meta.h> | ||
| 18 | |||
| 19 | #include "../br_private.h" | ||
| 20 | |||
| 21 | static void nft_meta_bridge_get_eval(const struct nft_expr *expr, | ||
| 22 | struct nft_regs *regs, | ||
| 23 | const struct nft_pktinfo *pkt) | ||
| 24 | { | ||
| 25 | const struct nft_meta *priv = nft_expr_priv(expr); | ||
| 26 | const struct net_device *in = nft_in(pkt), *out = nft_out(pkt); | ||
| 27 | u32 *dest = ®s->data[priv->dreg]; | ||
| 28 | const struct net_bridge_port *p; | ||
| 29 | |||
| 30 | switch (priv->key) { | ||
| 31 | case NFT_META_BRI_IIFNAME: | ||
| 32 | if (in == NULL || (p = br_port_get_rcu(in)) == NULL) | ||
| 33 | goto err; | ||
| 34 | break; | ||
| 35 | case NFT_META_BRI_OIFNAME: | ||
| 36 | if (out == NULL || (p = br_port_get_rcu(out)) == NULL) | ||
| 37 | goto err; | ||
| 38 | break; | ||
| 39 | default: | ||
| 40 | goto out; | ||
| 41 | } | ||
| 42 | |||
| 43 | strncpy((char *)dest, p->br->dev->name, IFNAMSIZ); | ||
| 44 | return; | ||
| 45 | out: | ||
| 46 | return nft_meta_get_eval(expr, regs, pkt); | ||
| 47 | err: | ||
| 48 | regs->verdict.code = NFT_BREAK; | ||
| 49 | } | ||
| 50 | |||
| 51 | static int nft_meta_bridge_get_init(const struct nft_ctx *ctx, | ||
| 52 | const struct nft_expr *expr, | ||
| 53 | const struct nlattr * const tb[]) | ||
| 54 | { | ||
| 55 | struct nft_meta *priv = nft_expr_priv(expr); | ||
| 56 | unsigned int len; | ||
| 57 | |||
| 58 | priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY])); | ||
| 59 | switch (priv->key) { | ||
| 60 | case NFT_META_BRI_IIFNAME: | ||
| 61 | case NFT_META_BRI_OIFNAME: | ||
| 62 | len = IFNAMSIZ; | ||
| 63 | break; | ||
| 64 | default: | ||
| 65 | return nft_meta_get_init(ctx, expr, tb); | ||
| 66 | } | ||
| 67 | |||
| 68 | priv->dreg = nft_parse_register(tb[NFTA_META_DREG]); | ||
| 69 | return nft_validate_register_store(ctx, priv->dreg, NULL, | ||
| 70 | NFT_DATA_VALUE, len); | ||
| 71 | } | ||
| 72 | |||
| 73 | static struct nft_expr_type nft_meta_bridge_type; | ||
| 74 | static const struct nft_expr_ops nft_meta_bridge_get_ops = { | ||
| 75 | .type = &nft_meta_bridge_type, | ||
| 76 | .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)), | ||
| 77 | .eval = nft_meta_bridge_get_eval, | ||
| 78 | .init = nft_meta_bridge_get_init, | ||
| 79 | .dump = nft_meta_get_dump, | ||
| 80 | }; | ||
| 81 | |||
| 82 | static const struct nft_expr_ops nft_meta_bridge_set_ops = { | ||
| 83 | .type = &nft_meta_bridge_type, | ||
| 84 | .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)), | ||
| 85 | .eval = nft_meta_set_eval, | ||
| 86 | .init = nft_meta_set_init, | ||
| 87 | .destroy = nft_meta_set_destroy, | ||
| 88 | .dump = nft_meta_set_dump, | ||
| 89 | .validate = nft_meta_set_validate, | ||
| 90 | }; | ||
| 91 | |||
| 92 | static const struct nft_expr_ops * | ||
| 93 | nft_meta_bridge_select_ops(const struct nft_ctx *ctx, | ||
| 94 | const struct nlattr * const tb[]) | ||
| 95 | { | ||
| 96 | if (tb[NFTA_META_KEY] == NULL) | ||
| 97 | return ERR_PTR(-EINVAL); | ||
| 98 | |||
| 99 | if (tb[NFTA_META_DREG] && tb[NFTA_META_SREG]) | ||
| 100 | return ERR_PTR(-EINVAL); | ||
| 101 | |||
| 102 | if (tb[NFTA_META_DREG]) | ||
| 103 | return &nft_meta_bridge_get_ops; | ||
| 104 | |||
| 105 | if (tb[NFTA_META_SREG]) | ||
| 106 | return &nft_meta_bridge_set_ops; | ||
| 107 | |||
| 108 | return ERR_PTR(-EINVAL); | ||
| 109 | } | ||
| 110 | |||
| 111 | static struct nft_expr_type nft_meta_bridge_type __read_mostly = { | ||
| 112 | .family = NFPROTO_BRIDGE, | ||
| 113 | .name = "meta", | ||
| 114 | .select_ops = nft_meta_bridge_select_ops, | ||
| 115 | .policy = nft_meta_policy, | ||
| 116 | .maxattr = NFTA_META_MAX, | ||
| 117 | .owner = THIS_MODULE, | ||
| 118 | }; | ||
| 119 | |||
| 120 | static int __init nft_meta_bridge_module_init(void) | ||
| 121 | { | ||
| 122 | return nft_register_expr(&nft_meta_bridge_type); | ||
| 123 | } | ||
| 124 | |||
| 125 | static void __exit nft_meta_bridge_module_exit(void) | ||
| 126 | { | ||
| 127 | nft_unregister_expr(&nft_meta_bridge_type); | ||
| 128 | } | ||
| 129 | |||
| 130 | module_init(nft_meta_bridge_module_init); | ||
| 131 | module_exit(nft_meta_bridge_module_exit); | ||
| 132 | |||
| 133 | MODULE_LICENSE("GPL"); | ||
| 134 | MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>"); | ||
| 135 | MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "meta"); | ||