diff options
| author | Jan Engelhardt <jengelh@medozas.de> | 2009-06-17 07:57:48 -0400 |
|---|---|---|
| committer | Jan Engelhardt <jengelh@medozas.de> | 2010-02-10 11:13:33 -0500 |
| commit | 2b95efe7f6bb750256a702cc32d33b0cb2cd8223 (patch) | |
| tree | 49ab6f0eb13fe524211f94db29c19827529f49a5 /net/ipv6 | |
| parent | 2b21e051472fdb4680076278b2ccf63ebc1cc3bc (diff) | |
netfilter: xtables: use xt_table for hook instantiation
The respective xt_table structures already have most of the metadata
needed for hook setup. Add a 'priority' field to struct xt_table so
that xt_hook_link() can be called with a reduced number of arguments.
So should we be having more tables in the future, it comes at no
static cost (only runtime, as before) - space saved:
6807373->6806555.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/ip6table_filter.c | 33 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_mangle.c | 48 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_raw.c | 26 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_security.c | 33 |
4 files changed, 28 insertions, 112 deletions
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c index 866f34ae236..6e95d0614ca 100644 --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c | |||
| @@ -56,6 +56,7 @@ static const struct xt_table packet_filter = { | |||
| 56 | .valid_hooks = FILTER_VALID_HOOKS, | 56 | .valid_hooks = FILTER_VALID_HOOKS, |
| 57 | .me = THIS_MODULE, | 57 | .me = THIS_MODULE, |
| 58 | .af = NFPROTO_IPV6, | 58 | .af = NFPROTO_IPV6, |
| 59 | .priority = NF_IP6_PRI_FILTER, | ||
| 59 | }; | 60 | }; |
| 60 | 61 | ||
| 61 | /* The work comes in here from netfilter.c. */ | 62 | /* The work comes in here from netfilter.c. */ |
| @@ -69,29 +70,7 @@ ip6table_filter_hook(unsigned int hook, struct sk_buff *skb, | |||
| 69 | return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter); | 70 | return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter); |
| 70 | } | 71 | } |
| 71 | 72 | ||
| 72 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 73 | static struct nf_hook_ops *filter_ops __read_mostly; |
| 73 | { | ||
| 74 | .hook = ip6table_filter_hook, | ||
| 75 | .owner = THIS_MODULE, | ||
| 76 | .pf = NFPROTO_IPV6, | ||
| 77 | .hooknum = NF_INET_LOCAL_IN, | ||
| 78 | .priority = NF_IP6_PRI_FILTER, | ||
| 79 | }, | ||
| 80 | { | ||
| 81 | .hook = ip6table_filter_hook, | ||
| 82 | .owner = THIS_MODULE, | ||
| 83 | .pf = NFPROTO_IPV6, | ||
| 84 | .hooknum = NF_INET_FORWARD, | ||
| 85 | .priority = NF_IP6_PRI_FILTER, | ||
| 86 | }, | ||
| 87 | { | ||
| 88 | .hook = ip6table_filter_hook, | ||
| 89 | .owner = THIS_MODULE, | ||
| 90 | .pf = NFPROTO_IPV6, | ||
| 91 | .hooknum = NF_INET_LOCAL_OUT, | ||
| 92 | .priority = NF_IP6_PRI_FILTER, | ||
| 93 | }, | ||
| 94 | }; | ||
| 95 | 74 | ||
| 96 | /* Default to forward because I got too much mail already. */ | 75 | /* Default to forward because I got too much mail already. */ |
| 97 | static int forward = NF_ACCEPT; | 76 | static int forward = NF_ACCEPT; |
| @@ -134,9 +113,11 @@ static int __init ip6table_filter_init(void) | |||
| 134 | return ret; | 113 | return ret; |
| 135 | 114 | ||
| 136 | /* Register hooks */ | 115 | /* Register hooks */ |
| 137 | ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 116 | filter_ops = xt_hook_link(&packet_filter, ip6table_filter_hook); |
| 138 | if (ret < 0) | 117 | if (IS_ERR(filter_ops)) { |
| 118 | ret = PTR_ERR(filter_ops); | ||
| 139 | goto cleanup_table; | 119 | goto cleanup_table; |
| 120 | } | ||
| 140 | 121 | ||
| 141 | return ret; | 122 | return ret; |
| 142 | 123 | ||
| @@ -147,7 +128,7 @@ static int __init ip6table_filter_init(void) | |||
| 147 | 128 | ||
| 148 | static void __exit ip6table_filter_fini(void) | 129 | static void __exit ip6table_filter_fini(void) |
| 149 | { | 130 | { |
| 150 | nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 131 | xt_hook_unlink(&packet_filter, filter_ops); |
| 151 | unregister_pernet_subsys(&ip6table_filter_net_ops); | 132 | unregister_pernet_subsys(&ip6table_filter_net_ops); |
| 152 | } | 133 | } |
| 153 | 134 | ||
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c index 405ac1f7639..5023ac52ffe 100644 --- a/net/ipv6/netfilter/ip6table_mangle.c +++ b/net/ipv6/netfilter/ip6table_mangle.c | |||
| @@ -62,6 +62,7 @@ static const struct xt_table packet_mangler = { | |||
| 62 | .valid_hooks = MANGLE_VALID_HOOKS, | 62 | .valid_hooks = MANGLE_VALID_HOOKS, |
| 63 | .me = THIS_MODULE, | 63 | .me = THIS_MODULE, |
| 64 | .af = NFPROTO_IPV6, | 64 | .af = NFPROTO_IPV6, |
| 65 | .priority = NF_IP6_PRI_MANGLE, | ||
| 65 | }; | 66 | }; |
| 66 | 67 | ||
| 67 | static unsigned int | 68 | static unsigned int |
| @@ -122,44 +123,7 @@ ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb, | |||
| 122 | dev_net(in)->ipv6.ip6table_mangle); | 123 | dev_net(in)->ipv6.ip6table_mangle); |
| 123 | } | 124 | } |
| 124 | 125 | ||
| 125 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 126 | static struct nf_hook_ops *mangle_ops __read_mostly; |
| 126 | { | ||
| 127 | .hook = ip6table_mangle_hook, | ||
| 128 | .owner = THIS_MODULE, | ||
| 129 | .pf = NFPROTO_IPV6, | ||
| 130 | .hooknum = NF_INET_PRE_ROUTING, | ||
| 131 | .priority = NF_IP6_PRI_MANGLE, | ||
| 132 | }, | ||
| 133 | { | ||
| 134 | .hook = ip6table_mangle_hook, | ||
| 135 | .owner = THIS_MODULE, | ||
| 136 | .pf = NFPROTO_IPV6, | ||
| 137 | .hooknum = NF_INET_LOCAL_IN, | ||
| 138 | .priority = NF_IP6_PRI_MANGLE, | ||
| 139 | }, | ||
| 140 | { | ||
| 141 | .hook = ip6table_mangle_hook, | ||
| 142 | .owner = THIS_MODULE, | ||
| 143 | .pf = NFPROTO_IPV6, | ||
| 144 | .hooknum = NF_INET_FORWARD, | ||
| 145 | .priority = NF_IP6_PRI_MANGLE, | ||
| 146 | }, | ||
| 147 | { | ||
| 148 | .hook = ip6table_mangle_hook, | ||
| 149 | .owner = THIS_MODULE, | ||
| 150 | .pf = NFPROTO_IPV6, | ||
| 151 | .hooknum = NF_INET_LOCAL_OUT, | ||
| 152 | .priority = NF_IP6_PRI_MANGLE, | ||
| 153 | }, | ||
| 154 | { | ||
| 155 | .hook = ip6table_mangle_hook, | ||
| 156 | .owner = THIS_MODULE, | ||
| 157 | .pf = NFPROTO_IPV6, | ||
| 158 | .hooknum = NF_INET_POST_ROUTING, | ||
| 159 | .priority = NF_IP6_PRI_MANGLE, | ||
| 160 | }, | ||
| 161 | }; | ||
| 162 | |||
| 163 | static int __net_init ip6table_mangle_net_init(struct net *net) | 127 | static int __net_init ip6table_mangle_net_init(struct net *net) |
| 164 | { | 128 | { |
| 165 | /* Register table */ | 129 | /* Register table */ |
| @@ -189,9 +153,11 @@ static int __init ip6table_mangle_init(void) | |||
| 189 | return ret; | 153 | return ret; |
| 190 | 154 | ||
| 191 | /* Register hooks */ | 155 | /* Register hooks */ |
| 192 | ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 156 | mangle_ops = xt_hook_link(&packet_mangler, ip6table_mangle_hook); |
| 193 | if (ret < 0) | 157 | if (IS_ERR(mangle_ops)) { |
| 158 | ret = PTR_ERR(mangle_ops); | ||
| 194 | goto cleanup_table; | 159 | goto cleanup_table; |
| 160 | } | ||
| 195 | 161 | ||
| 196 | return ret; | 162 | return ret; |
| 197 | 163 | ||
| @@ -202,7 +168,7 @@ static int __init ip6table_mangle_init(void) | |||
| 202 | 168 | ||
| 203 | static void __exit ip6table_mangle_fini(void) | 169 | static void __exit ip6table_mangle_fini(void) |
| 204 | { | 170 | { |
| 205 | nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 171 | xt_hook_unlink(&packet_mangler, mangle_ops); |
| 206 | unregister_pernet_subsys(&ip6table_mangle_net_ops); | 172 | unregister_pernet_subsys(&ip6table_mangle_net_ops); |
| 207 | } | 173 | } |
| 208 | 174 | ||
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index 5451a36fbc2..3bfa6951164 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c | |||
| @@ -40,6 +40,7 @@ static const struct xt_table packet_raw = { | |||
| 40 | .valid_hooks = RAW_VALID_HOOKS, | 40 | .valid_hooks = RAW_VALID_HOOKS, |
| 41 | .me = THIS_MODULE, | 41 | .me = THIS_MODULE, |
| 42 | .af = NFPROTO_IPV6, | 42 | .af = NFPROTO_IPV6, |
| 43 | .priority = NF_IP6_PRI_FIRST, | ||
| 43 | }; | 44 | }; |
| 44 | 45 | ||
| 45 | /* The work comes in here from netfilter.c. */ | 46 | /* The work comes in here from netfilter.c. */ |
| @@ -53,22 +54,7 @@ ip6table_raw_hook(unsigned int hook, struct sk_buff *skb, | |||
| 53 | return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_raw); | 54 | return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_raw); |
| 54 | } | 55 | } |
| 55 | 56 | ||
| 56 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 57 | static struct nf_hook_ops *rawtable_ops __read_mostly; |
| 57 | { | ||
| 58 | .hook = ip6table_raw_hook, | ||
| 59 | .pf = NFPROTO_IPV6, | ||
| 60 | .hooknum = NF_INET_PRE_ROUTING, | ||
| 61 | .priority = NF_IP6_PRI_FIRST, | ||
| 62 | .owner = THIS_MODULE, | ||
| 63 | }, | ||
| 64 | { | ||
| 65 | .hook = ip6table_raw_hook, | ||
| 66 | .pf = NFPROTO_IPV6, | ||
| 67 | .hooknum = NF_INET_LOCAL_OUT, | ||
| 68 | .priority = NF_IP6_PRI_FIRST, | ||
| 69 | .owner = THIS_MODULE, | ||
| 70 | }, | ||
| 71 | }; | ||
| 72 | 58 | ||
| 73 | static int __net_init ip6table_raw_net_init(struct net *net) | 59 | static int __net_init ip6table_raw_net_init(struct net *net) |
| 74 | { | 60 | { |
| @@ -99,9 +85,11 @@ static int __init ip6table_raw_init(void) | |||
| 99 | return ret; | 85 | return ret; |
| 100 | 86 | ||
| 101 | /* Register hooks */ | 87 | /* Register hooks */ |
| 102 | ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 88 | rawtable_ops = xt_hook_link(&packet_raw, ip6table_raw_hook); |
| 103 | if (ret < 0) | 89 | if (IS_ERR(rawtable_ops)) { |
| 90 | ret = PTR_ERR(rawtable_ops); | ||
| 104 | goto cleanup_table; | 91 | goto cleanup_table; |
| 92 | } | ||
| 105 | 93 | ||
| 106 | return ret; | 94 | return ret; |
| 107 | 95 | ||
| @@ -112,7 +100,7 @@ static int __init ip6table_raw_init(void) | |||
| 112 | 100 | ||
| 113 | static void __exit ip6table_raw_fini(void) | 101 | static void __exit ip6table_raw_fini(void) |
| 114 | { | 102 | { |
| 115 | nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 103 | xt_hook_unlink(&packet_raw, rawtable_ops); |
| 116 | unregister_pernet_subsys(&ip6table_raw_net_ops); | 104 | unregister_pernet_subsys(&ip6table_raw_net_ops); |
| 117 | } | 105 | } |
| 118 | 106 | ||
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c index 841ea77f521..dd2200f17a6 100644 --- a/net/ipv6/netfilter/ip6table_security.c +++ b/net/ipv6/netfilter/ip6table_security.c | |||
| @@ -61,6 +61,7 @@ static const struct xt_table security_table = { | |||
| 61 | .valid_hooks = SECURITY_VALID_HOOKS, | 61 | .valid_hooks = SECURITY_VALID_HOOKS, |
| 62 | .me = THIS_MODULE, | 62 | .me = THIS_MODULE, |
| 63 | .af = NFPROTO_IPV6, | 63 | .af = NFPROTO_IPV6, |
| 64 | .priority = NF_IP6_PRI_SECURITY, | ||
| 64 | }; | 65 | }; |
| 65 | 66 | ||
| 66 | static unsigned int | 67 | static unsigned int |
| @@ -74,29 +75,7 @@ ip6table_security_hook(unsigned int hook, struct sk_buff *skb, | |||
| 74 | return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_security); | 75 | return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_security); |
| 75 | } | 76 | } |
| 76 | 77 | ||
| 77 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 78 | static struct nf_hook_ops *sectbl_ops __read_mostly; |
| 78 | { | ||
| 79 | .hook = ip6table_security_hook, | ||
| 80 | .owner = THIS_MODULE, | ||
| 81 | .pf = NFPROTO_IPV6, | ||
| 82 | .hooknum = NF_INET_LOCAL_IN, | ||
| 83 | .priority = NF_IP6_PRI_SECURITY, | ||
| 84 | }, | ||
| 85 | { | ||
| 86 | .hook = ip6table_security_hook, | ||
| 87 | .owner = THIS_MODULE, | ||
| 88 | .pf = NFPROTO_IPV6, | ||
| 89 | .hooknum = NF_INET_FORWARD, | ||
| 90 | .priority = NF_IP6_PRI_SECURITY, | ||
| 91 | }, | ||
| 92 | { | ||
| 93 | .hook = ip6table_security_hook, | ||
| 94 | .owner = THIS_MODULE, | ||
| 95 | .pf = NFPROTO_IPV6, | ||
| 96 | .hooknum = NF_INET_LOCAL_OUT, | ||
| 97 | .priority = NF_IP6_PRI_SECURITY, | ||
| 98 | }, | ||
| 99 | }; | ||
| 100 | 79 | ||
| 101 | static int __net_init ip6table_security_net_init(struct net *net) | 80 | static int __net_init ip6table_security_net_init(struct net *net) |
| 102 | { | 81 | { |
| @@ -127,9 +106,11 @@ static int __init ip6table_security_init(void) | |||
| 127 | if (ret < 0) | 106 | if (ret < 0) |
| 128 | return ret; | 107 | return ret; |
| 129 | 108 | ||
| 130 | ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 109 | sectbl_ops = xt_hook_link(&security_table, ip6table_security_hook); |
| 131 | if (ret < 0) | 110 | if (IS_ERR(sectbl_ops)) { |
| 111 | ret = PTR_ERR(sectbl_ops); | ||
| 132 | goto cleanup_table; | 112 | goto cleanup_table; |
| 113 | } | ||
| 133 | 114 | ||
| 134 | return ret; | 115 | return ret; |
| 135 | 116 | ||
| @@ -140,7 +121,7 @@ cleanup_table: | |||
| 140 | 121 | ||
| 141 | static void __exit ip6table_security_fini(void) | 122 | static void __exit ip6table_security_fini(void) |
| 142 | { | 123 | { |
| 143 | nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 124 | xt_hook_unlink(&security_table, sectbl_ops); |
| 144 | unregister_pernet_subsys(&ip6table_security_net_ops); | 125 | unregister_pernet_subsys(&ip6table_security_net_ops); |
| 145 | } | 126 | } |
| 146 | 127 | ||