diff options
| author | David S. Miller <davem@davemloft.net> | 2015-04-03 20:32:56 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-04-04 12:31:38 -0400 |
| commit | 238e54c9cb9385a1ba99e92801f3615a2fb398b6 (patch) | |
| tree | 4efeb9b5c92f87028a6d321c7088b9d1e270360a /net/ipv4 | |
| parent | 1d1de89b9a4746f1dd055a3b8d073dd2f962a3b6 (diff) | |
netfilter: Make nf_hookfn use nf_hook_state.
Pass the nf_hook_state all the way down into the hook
functions themselves.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/arptable_filter.c | 7 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ipt_CLUSTERIP.c | 10 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ipt_SYNPROXY.c | 6 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_filter.c | 7 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_mangle.c | 14 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_nat.c | 28 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_raw.c | 8 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_security.c | 8 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 20 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_defrag_ipv4.c | 4 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_tables_arp.c | 6 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_tables_ipv4.c | 12 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nft_chain_nat_ipv4.c | 25 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nft_chain_route_ipv4.c | 6 |
14 files changed, 61 insertions, 100 deletions
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c index 802ddecb30b8..6a641cb41062 100644 --- a/net/ipv4/netfilter/arptable_filter.c +++ b/net/ipv4/netfilter/arptable_filter.c | |||
| @@ -28,12 +28,11 @@ static const struct xt_table packet_filter = { | |||
| 28 | /* The work comes in here from netfilter.c */ | 28 | /* The work comes in here from netfilter.c */ |
| 29 | static unsigned int | 29 | static unsigned int |
| 30 | arptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, | 30 | arptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, |
| 31 | const struct net_device *in, const struct net_device *out, | 31 | const struct nf_hook_state *state) |
| 32 | int (*okfn)(struct sk_buff *)) | ||
| 33 | { | 32 | { |
| 34 | const struct net *net = dev_net((in != NULL) ? in : out); | 33 | const struct net *net = dev_net(state->in ? state->in : state->out); |
| 35 | 34 | ||
| 36 | return arpt_do_table(skb, ops->hooknum, in, out, | 35 | return arpt_do_table(skb, ops->hooknum, state->in, state->out, |
| 37 | net->ipv4.arptable_filter); | 36 | net->ipv4.arptable_filter); |
| 38 | } | 37 | } |
| 39 | 38 | ||
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index f75e9df5e017..771ab3d01ad3 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c | |||
| @@ -504,14 +504,12 @@ static void arp_print(struct arp_payload *payload) | |||
| 504 | static unsigned int | 504 | static unsigned int |
| 505 | arp_mangle(const struct nf_hook_ops *ops, | 505 | arp_mangle(const struct nf_hook_ops *ops, |
| 506 | struct sk_buff *skb, | 506 | struct sk_buff *skb, |
| 507 | const struct net_device *in, | 507 | const struct nf_hook_state *state) |
| 508 | const struct net_device *out, | ||
| 509 | int (*okfn)(struct sk_buff *)) | ||
| 510 | { | 508 | { |
| 511 | struct arphdr *arp = arp_hdr(skb); | 509 | struct arphdr *arp = arp_hdr(skb); |
| 512 | struct arp_payload *payload; | 510 | struct arp_payload *payload; |
| 513 | struct clusterip_config *c; | 511 | struct clusterip_config *c; |
| 514 | struct net *net = dev_net(in ? in : out); | 512 | struct net *net = dev_net(state->in ? state->in : state->out); |
| 515 | 513 | ||
| 516 | /* we don't care about non-ethernet and non-ipv4 ARP */ | 514 | /* we don't care about non-ethernet and non-ipv4 ARP */ |
| 517 | if (arp->ar_hrd != htons(ARPHRD_ETHER) || | 515 | if (arp->ar_hrd != htons(ARPHRD_ETHER) || |
| @@ -536,10 +534,10 @@ arp_mangle(const struct nf_hook_ops *ops, | |||
| 536 | * addresses on different interfacs. However, in the CLUSTERIP case | 534 | * addresses on different interfacs. However, in the CLUSTERIP case |
| 537 | * this wouldn't work, since we didn't subscribe the mcast group on | 535 | * this wouldn't work, since we didn't subscribe the mcast group on |
| 538 | * other interfaces */ | 536 | * other interfaces */ |
| 539 | if (c->dev != out) { | 537 | if (c->dev != state->out) { |
| 540 | pr_debug("not mangling arp reply on different " | 538 | pr_debug("not mangling arp reply on different " |
| 541 | "interface: cip'%s'-skb'%s'\n", | 539 | "interface: cip'%s'-skb'%s'\n", |
| 542 | c->dev->name, out->name); | 540 | c->dev->name, state->out->name); |
| 543 | clusterip_config_put(c); | 541 | clusterip_config_put(c); |
| 544 | return NF_ACCEPT; | 542 | return NF_ACCEPT; |
| 545 | } | 543 | } |
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c index a313c3fbeb46..e9e67793055f 100644 --- a/net/ipv4/netfilter/ipt_SYNPROXY.c +++ b/net/ipv4/netfilter/ipt_SYNPROXY.c | |||
| @@ -300,11 +300,9 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 300 | 300 | ||
| 301 | static unsigned int ipv4_synproxy_hook(const struct nf_hook_ops *ops, | 301 | static unsigned int ipv4_synproxy_hook(const struct nf_hook_ops *ops, |
| 302 | struct sk_buff *skb, | 302 | struct sk_buff *skb, |
| 303 | const struct net_device *in, | 303 | const struct nf_hook_state *nhs) |
| 304 | const struct net_device *out, | ||
| 305 | int (*okfn)(struct sk_buff *)) | ||
| 306 | { | 304 | { |
| 307 | struct synproxy_net *snet = synproxy_pernet(dev_net(in ? : out)); | 305 | struct synproxy_net *snet = synproxy_pernet(dev_net(nhs->in ? : nhs->out)); |
| 308 | enum ip_conntrack_info ctinfo; | 306 | enum ip_conntrack_info ctinfo; |
| 309 | struct nf_conn *ct; | 307 | struct nf_conn *ct; |
| 310 | struct nf_conn_synproxy *synproxy; | 308 | struct nf_conn_synproxy *synproxy; |
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c index e08a74a243a8..1df0d42bfd39 100644 --- a/net/ipv4/netfilter/iptable_filter.c +++ b/net/ipv4/netfilter/iptable_filter.c | |||
| @@ -34,8 +34,7 @@ static const struct xt_table packet_filter = { | |||
| 34 | 34 | ||
| 35 | static unsigned int | 35 | static unsigned int |
| 36 | iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, | 36 | iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, |
| 37 | const struct net_device *in, const struct net_device *out, | 37 | const struct nf_hook_state *state) |
| 38 | int (*okfn)(struct sk_buff *)) | ||
| 39 | { | 38 | { |
| 40 | const struct net *net; | 39 | const struct net *net; |
| 41 | 40 | ||
| @@ -45,8 +44,8 @@ iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, | |||
| 45 | /* root is playing with raw sockets. */ | 44 | /* root is playing with raw sockets. */ |
| 46 | return NF_ACCEPT; | 45 | return NF_ACCEPT; |
| 47 | 46 | ||
| 48 | net = dev_net((in != NULL) ? in : out); | 47 | net = dev_net(state->in ? state->in : state->out); |
| 49 | return ipt_do_table(skb, ops->hooknum, in, out, | 48 | return ipt_do_table(skb, ops->hooknum, state->in, state->out, |
| 50 | net->ipv4.iptable_filter); | 49 | net->ipv4.iptable_filter); |
| 51 | } | 50 | } |
| 52 | 51 | ||
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c index 6a5079c34bb3..7a825e740045 100644 --- a/net/ipv4/netfilter/iptable_mangle.c +++ b/net/ipv4/netfilter/iptable_mangle.c | |||
| @@ -81,18 +81,16 @@ ipt_mangle_out(struct sk_buff *skb, const struct net_device *out) | |||
| 81 | static unsigned int | 81 | static unsigned int |
| 82 | iptable_mangle_hook(const struct nf_hook_ops *ops, | 82 | iptable_mangle_hook(const struct nf_hook_ops *ops, |
| 83 | struct sk_buff *skb, | 83 | struct sk_buff *skb, |
| 84 | const struct net_device *in, | 84 | const struct nf_hook_state *state) |
| 85 | const struct net_device *out, | ||
| 86 | int (*okfn)(struct sk_buff *)) | ||
| 87 | { | 85 | { |
| 88 | if (ops->hooknum == NF_INET_LOCAL_OUT) | 86 | if (ops->hooknum == NF_INET_LOCAL_OUT) |
| 89 | return ipt_mangle_out(skb, out); | 87 | return ipt_mangle_out(skb, state->out); |
| 90 | if (ops->hooknum == NF_INET_POST_ROUTING) | 88 | if (ops->hooknum == NF_INET_POST_ROUTING) |
| 91 | return ipt_do_table(skb, ops->hooknum, in, out, | 89 | return ipt_do_table(skb, ops->hooknum, state->in, state->out, |
| 92 | dev_net(out)->ipv4.iptable_mangle); | 90 | dev_net(state->out)->ipv4.iptable_mangle); |
| 93 | /* PREROUTING/INPUT/FORWARD: */ | 91 | /* PREROUTING/INPUT/FORWARD: */ |
| 94 | return ipt_do_table(skb, ops->hooknum, in, out, | 92 | return ipt_do_table(skb, ops->hooknum, state->in, state->out, |
| 95 | dev_net(in)->ipv4.iptable_mangle); | 93 | dev_net(state->in)->ipv4.iptable_mangle); |
| 96 | } | 94 | } |
| 97 | 95 | ||
| 98 | static struct nf_hook_ops *mangle_ops __read_mostly; | 96 | static struct nf_hook_ops *mangle_ops __read_mostly; |
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c index 6b67d7e9a75d..7a7fea4711e5 100644 --- a/net/ipv4/netfilter/iptable_nat.c +++ b/net/ipv4/netfilter/iptable_nat.c | |||
| @@ -41,38 +41,34 @@ static unsigned int iptable_nat_do_chain(const struct nf_hook_ops *ops, | |||
| 41 | 41 | ||
| 42 | static unsigned int iptable_nat_ipv4_fn(const struct nf_hook_ops *ops, | 42 | static unsigned int iptable_nat_ipv4_fn(const struct nf_hook_ops *ops, |
| 43 | struct sk_buff *skb, | 43 | struct sk_buff *skb, |
| 44 | const struct net_device *in, | 44 | const struct nf_hook_state *state) |
| 45 | const struct net_device *out, | ||
| 46 | int (*okfn)(struct sk_buff *)) | ||
| 47 | { | 45 | { |
| 48 | return nf_nat_ipv4_fn(ops, skb, in, out, iptable_nat_do_chain); | 46 | return nf_nat_ipv4_fn(ops, skb, state->in, state->out, |
| 47 | iptable_nat_do_chain); | ||
| 49 | } | 48 | } |
| 50 | 49 | ||
| 51 | static unsigned int iptable_nat_ipv4_in(const struct nf_hook_ops *ops, | 50 | static unsigned int iptable_nat_ipv4_in(const struct nf_hook_ops *ops, |
| 52 | struct sk_buff *skb, | 51 | struct sk_buff *skb, |
| 53 | const struct net_device *in, | 52 | const struct nf_hook_state *state) |
| 54 | const struct net_device *out, | ||
| 55 | int (*okfn)(struct sk_buff *)) | ||
| 56 | { | 53 | { |
| 57 | return nf_nat_ipv4_in(ops, skb, in, out, iptable_nat_do_chain); | 54 | return nf_nat_ipv4_in(ops, skb, state->in, state->out, |
| 55 | iptable_nat_do_chain); | ||
| 58 | } | 56 | } |
| 59 | 57 | ||
| 60 | static unsigned int iptable_nat_ipv4_out(const struct nf_hook_ops *ops, | 58 | static unsigned int iptable_nat_ipv4_out(const struct nf_hook_ops *ops, |
| 61 | struct sk_buff *skb, | 59 | struct sk_buff *skb, |
| 62 | const struct net_device *in, | 60 | const struct nf_hook_state *state) |
| 63 | const struct net_device *out, | ||
| 64 | int (*okfn)(struct sk_buff *)) | ||
| 65 | { | 61 | { |
| 66 | return nf_nat_ipv4_out(ops, skb, in, out, iptable_nat_do_chain); | 62 | return nf_nat_ipv4_out(ops, skb, state->in, state->out, |
| 63 | iptable_nat_do_chain); | ||
| 67 | } | 64 | } |
| 68 | 65 | ||
| 69 | static unsigned int iptable_nat_ipv4_local_fn(const struct nf_hook_ops *ops, | 66 | static unsigned int iptable_nat_ipv4_local_fn(const struct nf_hook_ops *ops, |
| 70 | struct sk_buff *skb, | 67 | struct sk_buff *skb, |
| 71 | const struct net_device *in, | 68 | const struct nf_hook_state *state) |
| 72 | const struct net_device *out, | ||
| 73 | int (*okfn)(struct sk_buff *)) | ||
| 74 | { | 69 | { |
| 75 | return nf_nat_ipv4_local_fn(ops, skb, in, out, iptable_nat_do_chain); | 70 | return nf_nat_ipv4_local_fn(ops, skb, state->in, state->out, |
| 71 | iptable_nat_do_chain); | ||
| 76 | } | 72 | } |
| 77 | 73 | ||
| 78 | static struct nf_hook_ops nf_nat_ipv4_ops[] __read_mostly = { | 74 | static struct nf_hook_ops nf_nat_ipv4_ops[] __read_mostly = { |
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index b2f7e8f98316..fac8f607c70b 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c | |||
| @@ -21,8 +21,7 @@ static const struct xt_table packet_raw = { | |||
| 21 | /* The work comes in here from netfilter.c. */ | 21 | /* The work comes in here from netfilter.c. */ |
| 22 | static unsigned int | 22 | static unsigned int |
| 23 | iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, | 23 | iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, |
| 24 | const struct net_device *in, const struct net_device *out, | 24 | const struct nf_hook_state *state) |
| 25 | int (*okfn)(struct sk_buff *)) | ||
| 26 | { | 25 | { |
| 27 | const struct net *net; | 26 | const struct net *net; |
| 28 | 27 | ||
| @@ -32,8 +31,9 @@ iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, | |||
| 32 | /* root is playing with raw sockets. */ | 31 | /* root is playing with raw sockets. */ |
| 33 | return NF_ACCEPT; | 32 | return NF_ACCEPT; |
| 34 | 33 | ||
| 35 | net = dev_net((in != NULL) ? in : out); | 34 | net = dev_net(state->in ? state->in : state->out); |
| 36 | return ipt_do_table(skb, ops->hooknum, in, out, net->ipv4.iptable_raw); | 35 | return ipt_do_table(skb, ops->hooknum, state->in, state->out, |
| 36 | net->ipv4.iptable_raw); | ||
| 37 | } | 37 | } |
| 38 | 38 | ||
| 39 | static struct nf_hook_ops *rawtable_ops __read_mostly; | 39 | static struct nf_hook_ops *rawtable_ops __read_mostly; |
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c index c86647ed2078..d9ad60a57413 100644 --- a/net/ipv4/netfilter/iptable_security.c +++ b/net/ipv4/netfilter/iptable_security.c | |||
| @@ -38,9 +38,7 @@ static const struct xt_table security_table = { | |||
| 38 | 38 | ||
| 39 | static unsigned int | 39 | static unsigned int |
| 40 | iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, | 40 | iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, |
| 41 | const struct net_device *in, | 41 | const struct nf_hook_state *state) |
| 42 | const struct net_device *out, | ||
| 43 | int (*okfn)(struct sk_buff *)) | ||
| 44 | { | 42 | { |
| 45 | const struct net *net; | 43 | const struct net *net; |
| 46 | 44 | ||
| @@ -50,8 +48,8 @@ iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, | |||
| 50 | /* Somebody is playing with raw sockets. */ | 48 | /* Somebody is playing with raw sockets. */ |
| 51 | return NF_ACCEPT; | 49 | return NF_ACCEPT; |
| 52 | 50 | ||
| 53 | net = dev_net((in != NULL) ? in : out); | 51 | net = dev_net(state->in ? state->in : state->out); |
| 54 | return ipt_do_table(skb, ops->hooknum, in, out, | 52 | return ipt_do_table(skb, ops->hooknum, state->in, state->out, |
| 55 | net->ipv4.iptable_security); | 53 | net->ipv4.iptable_security); |
| 56 | } | 54 | } |
| 57 | 55 | ||
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 8c8d6642cbb0..30ad9554b5e9 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | |||
| @@ -94,9 +94,7 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff, | |||
| 94 | 94 | ||
| 95 | static unsigned int ipv4_helper(const struct nf_hook_ops *ops, | 95 | static unsigned int ipv4_helper(const struct nf_hook_ops *ops, |
| 96 | struct sk_buff *skb, | 96 | struct sk_buff *skb, |
| 97 | const struct net_device *in, | 97 | const struct nf_hook_state *state) |
| 98 | const struct net_device *out, | ||
| 99 | int (*okfn)(struct sk_buff *)) | ||
| 100 | { | 98 | { |
| 101 | struct nf_conn *ct; | 99 | struct nf_conn *ct; |
| 102 | enum ip_conntrack_info ctinfo; | 100 | enum ip_conntrack_info ctinfo; |
| @@ -123,9 +121,7 @@ static unsigned int ipv4_helper(const struct nf_hook_ops *ops, | |||
| 123 | 121 | ||
| 124 | static unsigned int ipv4_confirm(const struct nf_hook_ops *ops, | 122 | static unsigned int ipv4_confirm(const struct nf_hook_ops *ops, |
| 125 | struct sk_buff *skb, | 123 | struct sk_buff *skb, |
| 126 | const struct net_device *in, | 124 | const struct nf_hook_state *state) |
| 127 | const struct net_device *out, | ||
| 128 | int (*okfn)(struct sk_buff *)) | ||
| 129 | { | 125 | { |
| 130 | struct nf_conn *ct; | 126 | struct nf_conn *ct; |
| 131 | enum ip_conntrack_info ctinfo; | 127 | enum ip_conntrack_info ctinfo; |
| @@ -149,24 +145,20 @@ out: | |||
| 149 | 145 | ||
| 150 | static unsigned int ipv4_conntrack_in(const struct nf_hook_ops *ops, | 146 | static unsigned int ipv4_conntrack_in(const struct nf_hook_ops *ops, |
| 151 | struct sk_buff *skb, | 147 | struct sk_buff *skb, |
| 152 | const struct net_device *in, | 148 | const struct nf_hook_state *state) |
| 153 | const struct net_device *out, | ||
| 154 | int (*okfn)(struct sk_buff *)) | ||
| 155 | { | 149 | { |
| 156 | return nf_conntrack_in(dev_net(in), PF_INET, ops->hooknum, skb); | 150 | return nf_conntrack_in(dev_net(state->in), PF_INET, ops->hooknum, skb); |
| 157 | } | 151 | } |
| 158 | 152 | ||
| 159 | static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops, | 153 | static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops, |
| 160 | struct sk_buff *skb, | 154 | struct sk_buff *skb, |
| 161 | const struct net_device *in, | 155 | const struct nf_hook_state *state) |
| 162 | const struct net_device *out, | ||
| 163 | int (*okfn)(struct sk_buff *)) | ||
| 164 | { | 156 | { |
| 165 | /* root is playing with raw sockets. */ | 157 | /* root is playing with raw sockets. */ |
| 166 | if (skb->len < sizeof(struct iphdr) || | 158 | if (skb->len < sizeof(struct iphdr) || |
| 167 | ip_hdrlen(skb) < sizeof(struct iphdr)) | 159 | ip_hdrlen(skb) < sizeof(struct iphdr)) |
| 168 | return NF_ACCEPT; | 160 | return NF_ACCEPT; |
| 169 | return nf_conntrack_in(dev_net(out), PF_INET, ops->hooknum, skb); | 161 | return nf_conntrack_in(dev_net(state->out), PF_INET, ops->hooknum, skb); |
| 170 | } | 162 | } |
| 171 | 163 | ||
| 172 | /* Connection tracking may drop packets, but never alters them, so | 164 | /* Connection tracking may drop packets, but never alters them, so |
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c index 7e5ca6f2d0cd..c88b7d434718 100644 --- a/net/ipv4/netfilter/nf_defrag_ipv4.c +++ b/net/ipv4/netfilter/nf_defrag_ipv4.c | |||
| @@ -63,9 +63,7 @@ static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum, | |||
| 63 | 63 | ||
| 64 | static unsigned int ipv4_conntrack_defrag(const struct nf_hook_ops *ops, | 64 | static unsigned int ipv4_conntrack_defrag(const struct nf_hook_ops *ops, |
| 65 | struct sk_buff *skb, | 65 | struct sk_buff *skb, |
| 66 | const struct net_device *in, | 66 | const struct nf_hook_state *state) |
| 67 | const struct net_device *out, | ||
| 68 | int (*okfn)(struct sk_buff *)) | ||
| 69 | { | 67 | { |
| 70 | struct sock *sk = skb->sk; | 68 | struct sock *sk = skb->sk; |
| 71 | struct inet_sock *inet = inet_sk(skb->sk); | 69 | struct inet_sock *inet = inet_sk(skb->sk); |
diff --git a/net/ipv4/netfilter/nf_tables_arp.c b/net/ipv4/netfilter/nf_tables_arp.c index 19412a4063fb..fceb50e1e87d 100644 --- a/net/ipv4/netfilter/nf_tables_arp.c +++ b/net/ipv4/netfilter/nf_tables_arp.c | |||
| @@ -17,13 +17,11 @@ | |||
| 17 | static unsigned int | 17 | static unsigned int |
| 18 | nft_do_chain_arp(const struct nf_hook_ops *ops, | 18 | nft_do_chain_arp(const struct nf_hook_ops *ops, |
| 19 | struct sk_buff *skb, | 19 | struct sk_buff *skb, |
| 20 | const struct net_device *in, | 20 | const struct nf_hook_state *state) |
| 21 | const struct net_device *out, | ||
| 22 | int (*okfn)(struct sk_buff *)) | ||
| 23 | { | 21 | { |
| 24 | struct nft_pktinfo pkt; | 22 | struct nft_pktinfo pkt; |
| 25 | 23 | ||
| 26 | nft_set_pktinfo(&pkt, ops, skb, in, out); | 24 | nft_set_pktinfo(&pkt, ops, skb, state->in, state->out); |
| 27 | 25 | ||
| 28 | return nft_do_chain(&pkt, ops); | 26 | return nft_do_chain(&pkt, ops); |
| 29 | } | 27 | } |
diff --git a/net/ipv4/netfilter/nf_tables_ipv4.c b/net/ipv4/netfilter/nf_tables_ipv4.c index 6820c8c40842..708e388e3dbe 100644 --- a/net/ipv4/netfilter/nf_tables_ipv4.c +++ b/net/ipv4/netfilter/nf_tables_ipv4.c | |||
| @@ -20,22 +20,18 @@ | |||
| 20 | 20 | ||
| 21 | static unsigned int nft_do_chain_ipv4(const struct nf_hook_ops *ops, | 21 | static unsigned int nft_do_chain_ipv4(const struct nf_hook_ops *ops, |
| 22 | struct sk_buff *skb, | 22 | struct sk_buff *skb, |
| 23 | const struct net_device *in, | 23 | const struct nf_hook_state *state) |
| 24 | const struct net_device *out, | ||
| 25 | int (*okfn)(struct sk_buff *)) | ||
| 26 | { | 24 | { |
| 27 | struct nft_pktinfo pkt; | 25 | struct nft_pktinfo pkt; |
| 28 | 26 | ||
| 29 | nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out); | 27 | nft_set_pktinfo_ipv4(&pkt, ops, skb, state->in, state->out); |
| 30 | 28 | ||
| 31 | return nft_do_chain(&pkt, ops); | 29 | return nft_do_chain(&pkt, ops); |
| 32 | } | 30 | } |
| 33 | 31 | ||
| 34 | static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops, | 32 | static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops, |
| 35 | struct sk_buff *skb, | 33 | struct sk_buff *skb, |
| 36 | const struct net_device *in, | 34 | const struct nf_hook_state *state) |
| 37 | const struct net_device *out, | ||
| 38 | int (*okfn)(struct sk_buff *)) | ||
| 39 | { | 35 | { |
| 40 | if (unlikely(skb->len < sizeof(struct iphdr) || | 36 | if (unlikely(skb->len < sizeof(struct iphdr) || |
| 41 | ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) { | 37 | ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) { |
| @@ -45,7 +41,7 @@ static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops, | |||
| 45 | return NF_ACCEPT; | 41 | return NF_ACCEPT; |
| 46 | } | 42 | } |
| 47 | 43 | ||
| 48 | return nft_do_chain_ipv4(ops, skb, in, out, okfn); | 44 | return nft_do_chain_ipv4(ops, skb, state); |
| 49 | } | 45 | } |
| 50 | 46 | ||
| 51 | struct nft_af_info nft_af_ipv4 __read_mostly = { | 47 | struct nft_af_info nft_af_ipv4 __read_mostly = { |
diff --git a/net/ipv4/netfilter/nft_chain_nat_ipv4.c b/net/ipv4/netfilter/nft_chain_nat_ipv4.c index df547bf50078..d08db6b0fcc3 100644 --- a/net/ipv4/netfilter/nft_chain_nat_ipv4.c +++ b/net/ipv4/netfilter/nft_chain_nat_ipv4.c | |||
| @@ -41,38 +41,31 @@ static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops, | |||
| 41 | 41 | ||
| 42 | static unsigned int nft_nat_ipv4_fn(const struct nf_hook_ops *ops, | 42 | static unsigned int nft_nat_ipv4_fn(const struct nf_hook_ops *ops, |
| 43 | struct sk_buff *skb, | 43 | struct sk_buff *skb, |
| 44 | const struct net_device *in, | 44 | const struct nf_hook_state *state) |
| 45 | const struct net_device *out, | ||
| 46 | int (*okfn)(struct sk_buff *)) | ||
| 47 | { | 45 | { |
| 48 | return nf_nat_ipv4_fn(ops, skb, in, out, nft_nat_do_chain); | 46 | return nf_nat_ipv4_fn(ops, skb, state->in, state->out, nft_nat_do_chain); |
| 49 | } | 47 | } |
| 50 | 48 | ||
| 51 | static unsigned int nft_nat_ipv4_in(const struct nf_hook_ops *ops, | 49 | static unsigned int nft_nat_ipv4_in(const struct nf_hook_ops *ops, |
| 52 | struct sk_buff *skb, | 50 | struct sk_buff *skb, |
| 53 | const struct net_device *in, | 51 | const struct nf_hook_state *state) |
| 54 | const struct net_device *out, | ||
| 55 | int (*okfn)(struct sk_buff *)) | ||
| 56 | { | 52 | { |
| 57 | return nf_nat_ipv4_in(ops, skb, in, out, nft_nat_do_chain); | 53 | return nf_nat_ipv4_in(ops, skb, state->in, state->out, nft_nat_do_chain); |
| 58 | } | 54 | } |
| 59 | 55 | ||
| 60 | static unsigned int nft_nat_ipv4_out(const struct nf_hook_ops *ops, | 56 | static unsigned int nft_nat_ipv4_out(const struct nf_hook_ops *ops, |
| 61 | struct sk_buff *skb, | 57 | struct sk_buff *skb, |
| 62 | const struct net_device *in, | 58 | const struct nf_hook_state *state) |
| 63 | const struct net_device *out, | ||
| 64 | int (*okfn)(struct sk_buff *)) | ||
| 65 | { | 59 | { |
| 66 | return nf_nat_ipv4_out(ops, skb, in, out, nft_nat_do_chain); | 60 | return nf_nat_ipv4_out(ops, skb, state->in, state->out, nft_nat_do_chain); |
| 67 | } | 61 | } |
| 68 | 62 | ||
| 69 | static unsigned int nft_nat_ipv4_local_fn(const struct nf_hook_ops *ops, | 63 | static unsigned int nft_nat_ipv4_local_fn(const struct nf_hook_ops *ops, |
| 70 | struct sk_buff *skb, | 64 | struct sk_buff *skb, |
| 71 | const struct net_device *in, | 65 | const struct nf_hook_state *state) |
| 72 | const struct net_device *out, | ||
| 73 | int (*okfn)(struct sk_buff *)) | ||
| 74 | { | 66 | { |
| 75 | return nf_nat_ipv4_local_fn(ops, skb, in, out, nft_nat_do_chain); | 67 | return nf_nat_ipv4_local_fn(ops, skb, state->in, state->out, |
| 68 | nft_nat_do_chain); | ||
| 76 | } | 69 | } |
| 77 | 70 | ||
| 78 | static const struct nf_chain_type nft_chain_nat_ipv4 = { | 71 | static const struct nf_chain_type nft_chain_nat_ipv4 = { |
diff --git a/net/ipv4/netfilter/nft_chain_route_ipv4.c b/net/ipv4/netfilter/nft_chain_route_ipv4.c index 125b66766c0a..073d0776ae7f 100644 --- a/net/ipv4/netfilter/nft_chain_route_ipv4.c +++ b/net/ipv4/netfilter/nft_chain_route_ipv4.c | |||
| @@ -23,9 +23,7 @@ | |||
| 23 | 23 | ||
| 24 | static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops, | 24 | static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops, |
| 25 | struct sk_buff *skb, | 25 | struct sk_buff *skb, |
| 26 | const struct net_device *in, | 26 | const struct nf_hook_state *state) |
| 27 | const struct net_device *out, | ||
| 28 | int (*okfn)(struct sk_buff *)) | ||
| 29 | { | 27 | { |
| 30 | unsigned int ret; | 28 | unsigned int ret; |
| 31 | struct nft_pktinfo pkt; | 29 | struct nft_pktinfo pkt; |
| @@ -39,7 +37,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops, | |||
| 39 | ip_hdrlen(skb) < sizeof(struct iphdr)) | 37 | ip_hdrlen(skb) < sizeof(struct iphdr)) |
| 40 | return NF_ACCEPT; | 38 | return NF_ACCEPT; |
| 41 | 39 | ||
| 42 | nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out); | 40 | nft_set_pktinfo_ipv4(&pkt, ops, skb, state->in, state->out); |
| 43 | 41 | ||
| 44 | mark = skb->mark; | 42 | mark = skb->mark; |
| 45 | iph = ip_hdr(skb); | 43 | iph = ip_hdr(skb); |