netfilter: nf_tables_inet: don't use multihook infrastructure anymore

Use new native NFPROTO_INET support in netfilter core, this gets rid of ad-hoc code in the nf_tables API codebase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2017-12-09 09:36:24 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-01-08 12:01:20 -0500
commit: 12355d3670dac0dde5aae3deefb59f8cc0a9ed2a (patch)
tree: e215f48aad6a2fba132bea70827fda64bc57fe81
parent: cb7ccd835ebb333669e400f99c650e4f3abf11c0 (diff)
5 files changed, 60 insertions, 20 deletions
diff --git a/include/net/netfilter/nf_tables_ipv4.h b/include/net/netfilter/nf_tables_ipv4.h
index b2deeb2755a4..ed7b511f0a59 100644
--- a/include/net/netfilter/nf_tables_ipv4.h
+++ b/include/net/netfilter/nf_tables_ipv4.h
@@ -53,6 +53,4 @@ static inline void nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
                nft_set_pktinfo_unspec(pkt, skb);
 }
-extern struct nft_af_info nft_af_ipv4;
 #endif
diff --git a/include/net/netfilter/nf_tables_ipv6.h b/include/net/netfilter/nf_tables_ipv6.h
index 1890c5bc3c3c..dabe6fdb553a 100644
--- a/include/net/netfilter/nf_tables_ipv6.h
+++ b/include/net/netfilter/nf_tables_ipv6.h
@@ -69,6 +69,4 @@ static inline void nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
                nft_set_pktinfo_unspec(pkt, skb);
 }
-extern struct nft_af_info nft_af_ipv6;
 #endif
diff --git a/net/ipv4/netfilter/nf_tables_ipv4.c b/net/ipv4/netfilter/nf_tables_ipv4.c
index 35fa265d1ce3..b6223f4b1315 100644
--- a/net/ipv4/netfilter/nf_tables_ipv4.c
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -45,7 +45,7 @@ static unsigned int nft_ipv4_output(void *priv,
        return nft_do_chain_ipv4(priv, skb, state);
 }
-struct nft_af_info nft_af_ipv4 __read_mostly = {
+static struct nft_af_info nft_af_ipv4 __read_mostly = {
        .family         = NFPROTO_IPV4,
        .nhooks         = NF_INET_NUMHOOKS,
        .owner          = THIS_MODULE,
@@ -58,7 +58,6 @@ struct nft_af_info nft_af_ipv4 __read_mostly = {
                [NF_INET_POST_ROUTING]  = nft_do_chain_ipv4,
        },
 };
-EXPORT_SYMBOL_GPL(nft_af_ipv4);
 static int nf_tables_ipv4_init_net(struct net *net)
 {
diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c
index 71bac94770dd..b1b5d3824fc1 100644
--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -42,7 +42,7 @@ static unsigned int nft_ipv6_output(void *priv,
        return nft_do_chain_ipv6(priv, skb, state);
 }
-struct nft_af_info nft_af_ipv6 __read_mostly = {
+static struct nft_af_info nft_af_ipv6 __read_mostly = {
        .family         = NFPROTO_IPV6,
        .nhooks         = NF_INET_NUMHOOKS,
        .owner          = THIS_MODULE,
@@ -55,7 +55,6 @@ struct nft_af_info nft_af_ipv6 __read_mostly = {
                [NF_INET_POST_ROUTING]  = nft_do_chain_ipv6,
        },
 };
-EXPORT_SYMBOL_GPL(nft_af_ipv6);
 static int nf_tables_ipv6_init_net(struct net *net)
 {
diff --git a/net/netfilter/nf_tables_inet.c b/net/netfilter/nf_tables_inet.c
index f713cc205669..c6194b3509aa 100644
--- a/net/netfilter/nf_tables_inet.c
+++ b/net/netfilter/nf_tables_inet.c
@@ -9,6 +9,7 @@
 #include <linux/init.h>
 #include <linux/module.h>
 #include <linux/ip.h>
+#include <linux/ipv6.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv6.h>
 #include <net/netfilter/nf_tables.h>
@@ -16,26 +17,71 @@
 #include <net/netfilter/nf_tables_ipv6.h>
 #include <net/ip.h>
-static void nft_inet_hook_ops_init(struct nf_hook_ops *ops, unsigned int n)
+static unsigned int nft_do_chain_inet(void *priv, struct sk_buff *skb,
+                                      const struct nf_hook_state *state)
 {
-        struct nft_af_info *afi;
+        struct nft_pktinfo pkt;
-        if (n == 1)
+        nft_set_pktinfo(&pkt, skb, state);
-                afi = &nft_af_ipv4;
-        else
+        switch (state->pf) {
-                afi = &nft_af_ipv6;
+        case NFPROTO_IPV4:
+                nft_set_pktinfo_ipv4(&pkt, skb);
+                break;
+        case NFPROTO_IPV6:
+                nft_set_pktinfo_ipv6(&pkt, skb);
+                break;
+        default:
+                break;
+        }
+        return nft_do_chain(&pkt, priv);
+}
-        ops->pf = afi->family;
+static unsigned int nft_inet_output(void *priv, struct sk_buff *skb,
-        if (afi->hooks[ops->hooknum])
+                                    const struct nf_hook_state *state)
-                ops->hook = afi->hooks[ops->hooknum];
+{
+        struct nft_pktinfo pkt;
+        nft_set_pktinfo(&pkt, skb, state);
+        switch (state->pf) {
+        case NFPROTO_IPV4:
+                if (unlikely(skb->len < sizeof(struct iphdr) ||
+                             ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) {
+                        if (net_ratelimit())
+                                pr_info("ignoring short SOCK_RAW packet\n");
+                        return NF_ACCEPT;
+                }
+                nft_set_pktinfo_ipv4(&pkt, skb);
+                break;
+        case NFPROTO_IPV6:
+                if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
+                        if (net_ratelimit())
+                                pr_info("ignoring short SOCK_RAW packet\n");
+                        return NF_ACCEPT;
+                }
+                nft_set_pktinfo_ipv6(&pkt, skb);
+                break;
+        default:
+                break;
+        }
+        return nft_do_chain(&pkt, priv);
 }
 static struct nft_af_info nft_af_inet __read_mostly = {
        .family         = NFPROTO_INET,
        .nhooks         = NF_INET_NUMHOOKS,
        .owner          = THIS_MODULE,
-        .nops           = 2,
+        .nops           = 1,
-        .hook_ops_init  = nft_inet_hook_ops_init,
+        .hooks          = {
+                [NF_INET_LOCAL_IN]      = nft_do_chain_inet,
+                [NF_INET_LOCAL_OUT]     = nft_inet_output,
+                [NF_INET_FORWARD]       = nft_do_chain_inet,
+                [NF_INET_PRE_ROUTING]   = nft_do_chain_inet,
+                [NF_INET_POST_ROUTING]  = nft_do_chain_inet,
+        },
 };
 static int __net_init nf_tables_inet_init_net(struct net *net)
author	Pablo Neira Ayuso <pablo@netfilter.org>	2017-12-09 09:36:24 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-01-08 12:01:20 -0500
commit	12355d3670dac0dde5aae3deefb59f8cc0a9ed2a (patch)
tree	e215f48aad6a2fba132bea70827fda64bc57fe81
parent	cb7ccd835ebb333669e400f99c650e4f3abf11c0 (diff)

diff --git a/include/net/netfilter/nf_tables_ipv4.h b/include/net/netfilter/nf_tables_ipv4.h index b2deeb2755a4..ed7b511f0a59 100644 --- a/include/net/netfilter/nf_tables_ipv4.h +++ b/include/net/netfilter/nf_tables_ipv4.h
@@ -53,6 +53,4 @@ static inline void nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
53	nft_set_pktinfo_unspec(pkt, skb);	53	nft_set_pktinfo_unspec(pkt, skb);
54	}	54	}
55		55
56	extern struct nft_af_info nft_af_ipv4;
57
58	#endif	56	#endif


diff --git a/include/net/netfilter/nf_tables_ipv6.h b/include/net/netfilter/nf_tables_ipv6.h index 1890c5bc3c3c..dabe6fdb553a 100644 --- a/include/net/netfilter/nf_tables_ipv6.h +++ b/include/net/netfilter/nf_tables_ipv6.h
@@ -69,6 +69,4 @@ static inline void nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
69	nft_set_pktinfo_unspec(pkt, skb);	69	nft_set_pktinfo_unspec(pkt, skb);
70	}	70	}
71		71
72	extern struct nft_af_info nft_af_ipv6;
73
74	#endif	72	#endif


diff --git a/net/ipv4/netfilter/nf_tables_ipv4.c b/net/ipv4/netfilter/nf_tables_ipv4.c index 35fa265d1ce3..b6223f4b1315 100644 --- a/net/ipv4/netfilter/nf_tables_ipv4.c +++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -45,7 +45,7 @@ static unsigned int nft_ipv4_output(void *priv,
45	return nft_do_chain_ipv4(priv, skb, state);	45	return nft_do_chain_ipv4(priv, skb, state);
46	}	46	}
47		47
48	struct nft_af_info nft_af_ipv4 __read_mostly = {	48	static struct nft_af_info nft_af_ipv4 __read_mostly = {
49	.family = NFPROTO_IPV4,	49	.family = NFPROTO_IPV4,
50	.nhooks = NF_INET_NUMHOOKS,	50	.nhooks = NF_INET_NUMHOOKS,
51	.owner = THIS_MODULE,	51	.owner = THIS_MODULE,
@@ -58,7 +58,6 @@ struct nft_af_info nft_af_ipv4 __read_mostly = {
58	[NF_INET_POST_ROUTING] = nft_do_chain_ipv4,	58	[NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
59	},	59	},
60	};	60	};
61	EXPORT_SYMBOL_GPL(nft_af_ipv4);
62		61
63	static int nf_tables_ipv4_init_net(struct net *net)	62	static int nf_tables_ipv4_init_net(struct net *net)
64	{	63	{


diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c index 71bac94770dd..b1b5d3824fc1 100644 --- a/net/ipv6/netfilter/nf_tables_ipv6.c +++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -42,7 +42,7 @@ static unsigned int nft_ipv6_output(void *priv,
42	return nft_do_chain_ipv6(priv, skb, state);	42	return nft_do_chain_ipv6(priv, skb, state);
43	}	43	}
44		44
45	struct nft_af_info nft_af_ipv6 __read_mostly = {	45	static struct nft_af_info nft_af_ipv6 __read_mostly = {
46	.family = NFPROTO_IPV6,	46	.family = NFPROTO_IPV6,
47	.nhooks = NF_INET_NUMHOOKS,	47	.nhooks = NF_INET_NUMHOOKS,
48	.owner = THIS_MODULE,	48	.owner = THIS_MODULE,
@@ -55,7 +55,6 @@ struct nft_af_info nft_af_ipv6 __read_mostly = {
55	[NF_INET_POST_ROUTING] = nft_do_chain_ipv6,	55	[NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
56	},	56	},
57	};	57	};
58	EXPORT_SYMBOL_GPL(nft_af_ipv6);
59		58
60	static int nf_tables_ipv6_init_net(struct net *net)	59	static int nf_tables_ipv6_init_net(struct net *net)
61	{	60	{


diff --git a/net/netfilter/nf_tables_inet.c b/net/netfilter/nf_tables_inet.c index f713cc205669..c6194b3509aa 100644 --- a/net/netfilter/nf_tables_inet.c +++ b/net/netfilter/nf_tables_inet.c
@@ -9,6 +9,7 @@
9	#include <linux/init.h>	9	#include <linux/init.h>
10	#include <linux/module.h>	10	#include <linux/module.h>
11	#include <linux/ip.h>	11	#include <linux/ip.h>
		12	#include <linux/ipv6.h>
12	#include <linux/netfilter_ipv4.h>	13	#include <linux/netfilter_ipv4.h>
13	#include <linux/netfilter_ipv6.h>	14	#include <linux/netfilter_ipv6.h>
14	#include <net/netfilter/nf_tables.h>	15	#include <net/netfilter/nf_tables.h>
@@ -16,26 +17,71 @@
16	#include <net/netfilter/nf_tables_ipv6.h>	17	#include <net/netfilter/nf_tables_ipv6.h>
17	#include <net/ip.h>	18	#include <net/ip.h>
18		19
19	static void nft_inet_hook_ops_init(struct nf_hook_ops *ops, unsigned int n)	20	static unsigned int nft_do_chain_inet(void priv, struct sk_buff skb,
		21	const struct nf_hook_state *state)
20	{	22	{
21	struct nft_af_info *afi;	23	struct nft_pktinfo pkt;
22		24
23	if (n == 1)	25	nft_set_pktinfo(&pkt, skb, state);
24	afi = &nft_af_ipv4;	26
25	else	27	switch (state->pf) {
26	afi = &nft_af_ipv6;	28	case NFPROTO_IPV4:
		29	nft_set_pktinfo_ipv4(&pkt, skb);
		30	break;
		31	case NFPROTO_IPV6:
		32	nft_set_pktinfo_ipv6(&pkt, skb);
		33	break;
		34	default:
		35	break;
		36	}
		37
		38	return nft_do_chain(&pkt, priv);
		39	}
27		40
28	ops->pf = afi->family;	41	static unsigned int nft_inet_output(void priv, struct sk_buff skb,
29	if (afi->hooks[ops->hooknum])	42	const struct nf_hook_state *state)
30	ops->hook = afi->hooks[ops->hooknum];	43	{
		44	struct nft_pktinfo pkt;
		45
		46	nft_set_pktinfo(&pkt, skb, state);
		47
		48	switch (state->pf) {
		49	case NFPROTO_IPV4:
		50	if (unlikely(skb->len < sizeof(struct iphdr) \|\|
		51	ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) {
		52	if (net_ratelimit())
		53	pr_info("ignoring short SOCK_RAW packet\n");
		54	return NF_ACCEPT;
		55	}
		56	nft_set_pktinfo_ipv4(&pkt, skb);
		57	break;
		58	case NFPROTO_IPV6:
		59	if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
		60	if (net_ratelimit())
		61	pr_info("ignoring short SOCK_RAW packet\n");
		62	return NF_ACCEPT;
		63	}
		64	nft_set_pktinfo_ipv6(&pkt, skb);
		65	break;
		66	default:
		67	break;
		68	}
		69
		70	return nft_do_chain(&pkt, priv);
31	}	71	}
32		72
33	static struct nft_af_info nft_af_inet __read_mostly = {	73	static struct nft_af_info nft_af_inet __read_mostly = {
34	.family = NFPROTO_INET,	74	.family = NFPROTO_INET,
35	.nhooks = NF_INET_NUMHOOKS,	75	.nhooks = NF_INET_NUMHOOKS,
36	.owner = THIS_MODULE,	76	.owner = THIS_MODULE,
37	.nops = 2,	77	.nops = 1,
38	.hook_ops_init = nft_inet_hook_ops_init,	78	.hooks = {
		79	[NF_INET_LOCAL_IN] = nft_do_chain_inet,
		80	[NF_INET_LOCAL_OUT] = nft_inet_output,
		81	[NF_INET_FORWARD] = nft_do_chain_inet,
		82	[NF_INET_PRE_ROUTING] = nft_do_chain_inet,
		83	[NF_INET_POST_ROUTING] = nft_do_chain_inet,
		84	},
39	};	85	};
40		86
41	static int __net_init nf_tables_inet_init_net(struct net *net)	87	static int __net_init nf_tables_inet_init_net(struct net *net)