netfilter: nf_tables: get rid of NFT_BASECHAIN_DISABLED

This flag was introduced to restore rulesets from the new netdev family, but since 5ebe0b0eec9d6f7 ("netfilter: nf_tables: destroy basechain and rules on netdevice removal") the ruleset is released once the netdev is gone. This also removes nft_register_basechain() and nft_unregister_basechain() since they have no clients anymore after this rework. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2016-06-22 08:26:33 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-06-24 05:03:28 -0400
commit: 82bec71d46b83f39860e2838ff8394e4fcd6efab (patch)
tree: f06e8722069d5ae0758b2dbc41b1fdafa70e53bc
parent: 3183ab8997a477c8d9ad175a1cef70dff77c6dbc (diff)
2 files changed, 25 insertions, 38 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 07a5ba47cbda..1ea19a6e72e6 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -798,7 +798,6 @@ struct nft_stats {
 };
 #define NFT_HOOK_OPS_MAX                2
-#define NFT_BASECHAIN_DISABLED          (1 << 0)
 /**
 *      struct nft_base_chain - nf_tables base chain
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 3316bce0a878..92c9faeb2bf8 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -131,29 +131,8 @@ static void nft_trans_destroy(struct nft_trans *trans)
        kfree(trans);
 }
-static int nft_register_basechain(struct nft_base_chain *basechain,
+static int nf_tables_register_hooks(struct net *net,
-                                  unsigned int hook_nops)
+                                    const struct nft_table *table,
-{
-        struct net *net = read_pnet(&basechain->pnet);
-        if (basechain->flags & NFT_BASECHAIN_DISABLED)
-                return 0;
-        return nf_register_net_hooks(net, basechain->ops, hook_nops);
-}
-static void nft_unregister_basechain(struct nft_base_chain *basechain,
-                                     unsigned int hook_nops)
-{
-        struct net *net = read_pnet(&basechain->pnet);
-        if (basechain->flags & NFT_BASECHAIN_DISABLED)
-                return;
-        nf_unregister_net_hooks(net, basechain->ops, hook_nops);
-}
-static int nf_tables_register_hooks(const struct nft_table *table,
                                    struct nft_chain *chain,
                                    unsigned int hook_nops)
 {
@@ -161,10 +140,12 @@ static int nf_tables_register_hooks(const struct nft_table *table,
            !(chain->flags & NFT_BASE_CHAIN))
                return 0;
-        return nft_register_basechain(nft_base_chain(chain), hook_nops);
+        return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
+                                     hook_nops);
 }
-static void nf_tables_unregister_hooks(const struct nft_table *table,
+static void nf_tables_unregister_hooks(struct net *net,
+                                       const struct nft_table *table,
                                       struct nft_chain *chain,
                                       unsigned int hook_nops)
 {
@@ -172,7 +153,7 @@ static void nf_tables_unregister_hooks(const struct nft_table *table,
            !(chain->flags & NFT_BASE_CHAIN))
                return;
-        nft_unregister_basechain(nft_base_chain(chain), hook_nops);
+        nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
 }
 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
@@ -569,7 +550,8 @@ static int nf_tables_table_enable(struct net *net,
                if (!(chain->flags & NFT_BASE_CHAIN))
                        continue;
-                err = nft_register_basechain(nft_base_chain(chain), afi->nops);
+                err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
+                                            afi->nops);
                if (err < 0)
                        goto err;
@@ -586,7 +568,8 @@ err:
                if (i-- <= 0)
                        break;
-                nft_unregister_basechain(nft_base_chain(chain), afi->nops);
+                nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
+                                        afi->nops);
        }
        return err;
 }
@@ -600,9 +583,11 @@ static void nf_tables_table_disable(struct net *net,
        list_for_each_entry(chain, &table->chains, list) {
                if (!nft_is_active_next(net, chain))
                        continue;
-                if (chain->flags & NFT_BASE_CHAIN)
+                if (!(chain->flags & NFT_BASE_CHAIN))
-                        nft_unregister_basechain(nft_base_chain(chain),
+                        continue;
-                                                 afi->nops);
+                nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
+                                        afi->nops);
        }
 }
@@ -1451,7 +1436,7 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
        chain->table = table;
        nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
-        err = nf_tables_register_hooks(table, chain, afi->nops);
+        err = nf_tables_register_hooks(net, table, chain, afi->nops);
        if (err < 0)
                goto err1;
@@ -1464,7 +1449,7 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
        list_add_tail_rcu(&chain->list, &table->chains);
        return 0;
 err2:
-        nf_tables_unregister_hooks(table, chain, afi->nops);
+        nf_tables_unregister_hooks(net, table, chain, afi->nops);
 err1:
        nf_tables_chain_destroy(chain);
        return err;
@@ -3995,7 +3980,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
                case NFT_MSG_DELCHAIN:
                        list_del_rcu(&trans->ctx.chain->list);
                        nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
-                        nf_tables_unregister_hooks(trans->ctx.table,
+                        nf_tables_unregister_hooks(trans->ctx.net,
+                                                   trans->ctx.table,
                                                   trans->ctx.chain,
                                                   trans->ctx.afi->nops);
                        break;
@@ -4120,7 +4106,8 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb)
                        } else {
                                trans->ctx.table->use--;
                                list_del_rcu(&trans->ctx.chain->list);
-                                nf_tables_unregister_hooks(trans->ctx.table,
+                                nf_tables_unregister_hooks(trans->ctx.net,
+                                                           trans->ctx.table,
                                                           trans->ctx.chain,
                                                           trans->ctx.afi->nops);
                        }
@@ -4662,7 +4649,7 @@ int __nft_release_basechain(struct nft_ctx *ctx)
        BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));
-        nf_tables_unregister_hooks(ctx->chain->table, ctx->chain,
+        nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
                                   ctx->afi->nops);
        list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
                list_del(&rule->list);
@@ -4691,7 +4678,8 @@ static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
        list_for_each_entry_safe(table, nt, &afi->tables, list) {
                list_for_each_entry(chain, &table->chains, list)
-                        nf_tables_unregister_hooks(table, chain, afi->nops);
+                        nf_tables_unregister_hooks(net, table, chain,
+                                                   afi->nops);
                /* No packets are walking on these chains anymore. */
                ctx.table = table;
                list_for_each_entry(chain, &table->chains, list) {
author	Pablo Neira Ayuso <pablo@netfilter.org>	2016-06-22 08:26:33 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-06-24 05:03:28 -0400
commit	82bec71d46b83f39860e2838ff8394e4fcd6efab (patch)
tree	f06e8722069d5ae0758b2dbc41b1fdafa70e53bc
parent	3183ab8997a477c8d9ad175a1cef70dff77c6dbc (diff)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 07a5ba47cbda..1ea19a6e72e6 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h
@@ -798,7 +798,6 @@ struct nft_stats {
798	};	798	};
799		799
800	#define NFT_HOOK_OPS_MAX 2	800	#define NFT_HOOK_OPS_MAX 2
801	#define NFT_BASECHAIN_DISABLED (1 << 0)
802		801
803	/**	802	/**
804	* struct nft_base_chain - nf_tables base chain	803	* struct nft_base_chain - nf_tables base chain


diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 3316bce0a878..92c9faeb2bf8 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c
@@ -131,29 +131,8 @@ static void nft_trans_destroy(struct nft_trans *trans)
131	kfree(trans);	131	kfree(trans);
132	}	132	}
133		133
134	static int nft_register_basechain(struct nft_base_chain *basechain,	134	static int nf_tables_register_hooks(struct net *net,
135	unsigned int hook_nops)	135	const struct nft_table *table,
136	{
137	struct net *net = read_pnet(&basechain->pnet);
138
139	if (basechain->flags & NFT_BASECHAIN_DISABLED)
140	return 0;
141
142	return nf_register_net_hooks(net, basechain->ops, hook_nops);
143	}
144
145	static void nft_unregister_basechain(struct nft_base_chain *basechain,
146	unsigned int hook_nops)
147	{
148	struct net *net = read_pnet(&basechain->pnet);
149
150	if (basechain->flags & NFT_BASECHAIN_DISABLED)
151	return;
152
153	nf_unregister_net_hooks(net, basechain->ops, hook_nops);
154	}
155
156	static int nf_tables_register_hooks(const struct nft_table *table,
157	struct nft_chain *chain,	136	struct nft_chain *chain,
158	unsigned int hook_nops)	137	unsigned int hook_nops)
159	{	138	{
@@ -161,10 +140,12 @@ static int nf_tables_register_hooks(const struct nft_table *table,
161	!(chain->flags & NFT_BASE_CHAIN))	140	!(chain->flags & NFT_BASE_CHAIN))
162	return 0;	141	return 0;
163		142
164	return nft_register_basechain(nft_base_chain(chain), hook_nops);	143	return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
		144	hook_nops);
165	}	145	}
166		146
167	static void nf_tables_unregister_hooks(const struct nft_table *table,	147	static void nf_tables_unregister_hooks(struct net *net,
		148	const struct nft_table *table,
168	struct nft_chain *chain,	149	struct nft_chain *chain,
169	unsigned int hook_nops)	150	unsigned int hook_nops)
170	{	151	{
@@ -172,7 +153,7 @@ static void nf_tables_unregister_hooks(const struct nft_table *table,
172	!(chain->flags & NFT_BASE_CHAIN))	153	!(chain->flags & NFT_BASE_CHAIN))
173	return;	154	return;
174		155
175	nft_unregister_basechain(nft_base_chain(chain), hook_nops);	156	nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
176	}	157	}
177		158
178	static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)	159	static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
@@ -569,7 +550,8 @@ static int nf_tables_table_enable(struct net *net,
569	if (!(chain->flags & NFT_BASE_CHAIN))	550	if (!(chain->flags & NFT_BASE_CHAIN))
570	continue;	551	continue;
571		552
572	err = nft_register_basechain(nft_base_chain(chain), afi->nops);	553	err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
		554	afi->nops);
573	if (err < 0)	555	if (err < 0)
574	goto err;	556	goto err;
575		557
@@ -586,7 +568,8 @@ err:
586	if (i-- <= 0)	568	if (i-- <= 0)
587	break;	569	break;
588		570
589	nft_unregister_basechain(nft_base_chain(chain), afi->nops);	571	nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
		572	afi->nops);
590	}	573	}
591	return err;	574	return err;
592	}	575	}
@@ -600,9 +583,11 @@ static void nf_tables_table_disable(struct net *net,
600	list_for_each_entry(chain, &table->chains, list) {	583	list_for_each_entry(chain, &table->chains, list) {
601	if (!nft_is_active_next(net, chain))	584	if (!nft_is_active_next(net, chain))
602	continue;	585	continue;
603	if (chain->flags & NFT_BASE_CHAIN)	586	if (!(chain->flags & NFT_BASE_CHAIN))
604	nft_unregister_basechain(nft_base_chain(chain),	587	continue;
605	afi->nops);	588
		589	nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
		590	afi->nops);
606	}	591	}
607	}	592	}
608		593
@@ -1451,7 +1436,7 @@ static int nf_tables_newchain(struct net net, struct sock nlsk,
1451	chain->table = table;	1436	chain->table = table;
1452	nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);	1437	nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1453		1438
1454	err = nf_tables_register_hooks(table, chain, afi->nops);	1439	err = nf_tables_register_hooks(net, table, chain, afi->nops);
1455	if (err < 0)	1440	if (err < 0)
1456	goto err1;	1441	goto err1;
1457		1442
@@ -1464,7 +1449,7 @@ static int nf_tables_newchain(struct net net, struct sock nlsk,
1464	list_add_tail_rcu(&chain->list, &table->chains);	1449	list_add_tail_rcu(&chain->list, &table->chains);
1465	return 0;	1450	return 0;
1466	err2:	1451	err2:
1467	nf_tables_unregister_hooks(table, chain, afi->nops);	1452	nf_tables_unregister_hooks(net, table, chain, afi->nops);
1468	err1:	1453	err1:
1469	nf_tables_chain_destroy(chain);	1454	nf_tables_chain_destroy(chain);
1470	return err;	1455	return err;
@@ -3995,7 +3980,8 @@ static int nf_tables_commit(struct net net, struct sk_buff skb)
3995	case NFT_MSG_DELCHAIN:	3980	case NFT_MSG_DELCHAIN:
3996	list_del_rcu(&trans->ctx.chain->list);	3981	list_del_rcu(&trans->ctx.chain->list);
3997	nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);	3982	nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
3998	nf_tables_unregister_hooks(trans->ctx.table,	3983	nf_tables_unregister_hooks(trans->ctx.net,
		3984	trans->ctx.table,
3999	trans->ctx.chain,	3985	trans->ctx.chain,
4000	trans->ctx.afi->nops);	3986	trans->ctx.afi->nops);
4001	break;	3987	break;
@@ -4120,7 +4106,8 @@ static int nf_tables_abort(struct net net, struct sk_buff skb)
4120	} else {	4106	} else {
4121	trans->ctx.table->use--;	4107	trans->ctx.table->use--;
4122	list_del_rcu(&trans->ctx.chain->list);	4108	list_del_rcu(&trans->ctx.chain->list);
4123	nf_tables_unregister_hooks(trans->ctx.table,	4109	nf_tables_unregister_hooks(trans->ctx.net,
		4110	trans->ctx.table,
4124	trans->ctx.chain,	4111	trans->ctx.chain,
4125	trans->ctx.afi->nops);	4112	trans->ctx.afi->nops);
4126	}	4113	}
@@ -4662,7 +4649,7 @@ int __nft_release_basechain(struct nft_ctx *ctx)
4662		4649
4663	BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));	4650	BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));
4664		4651
4665	nf_tables_unregister_hooks(ctx->chain->table, ctx->chain,	4652	nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
4666	ctx->afi->nops);	4653	ctx->afi->nops);
4667	list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {	4654	list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
4668	list_del(&rule->list);	4655	list_del(&rule->list);
@@ -4691,7 +4678,8 @@ static void __nft_release_afinfo(struct net net, struct nft_af_info afi)
4691		4678
4692	list_for_each_entry_safe(table, nt, &afi->tables, list) {	4679	list_for_each_entry_safe(table, nt, &afi->tables, list) {
4693	list_for_each_entry(chain, &table->chains, list)	4680	list_for_each_entry(chain, &table->chains, list)
4694	nf_tables_unregister_hooks(table, chain, afi->nops);	4681	nf_tables_unregister_hooks(net, table, chain,
		4682	afi->nops);
4695	/* No packets are walking on these chains anymore. */	4683	/* No packets are walking on these chains anymore. */
4696	ctx.table = table;	4684	ctx.table = table;
4697	list_for_each_entry(chain, &table->chains, list) {	4685	list_for_each_entry(chain, &table->chains, list) {