diff options
| author | Jan Engelhardt <jengelh@medozas.de> | 2009-06-13 00:46:36 -0400 |
|---|---|---|
| committer | Jan Engelhardt <jengelh@medozas.de> | 2010-02-10 10:44:58 -0500 |
| commit | 737535c5cf3524e4bfaa91e22edefd52eccabbce (patch) | |
| tree | 4c6918a8fb0b7568f30310947043320a03d10328 | |
| parent | 9ab99d5a43e9f283738fd9fd365539306d13eaac (diff) | |
netfilter: xtables: compact table hook functions (1/2)
This patch combines all the per-hook functions in a given table into
a single function. Together with the 2nd patch, further
simplifications are possible up to the point of output code reduction.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| -rw-r--r-- | net/ipv4/netfilter/arptable_filter.c | 30 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_filter.c | 50 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_mangle.c | 71 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_raw.c | 26 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_security.c | 50 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_filter.c | 40 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_mangle.c | 50 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_raw.c | 26 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_security.c | 41 |
9 files changed, 126 insertions, 258 deletions
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c index 97337601827a..e9d823b149cd 100644 --- a/net/ipv4/netfilter/arptable_filter.c +++ b/net/ipv4/netfilter/arptable_filter.c | |||
| @@ -53,43 +53,37 @@ static const struct xt_table packet_filter = { | |||
| 53 | }; | 53 | }; |
| 54 | 54 | ||
| 55 | /* The work comes in here from netfilter.c */ | 55 | /* The work comes in here from netfilter.c */ |
| 56 | static unsigned int arpt_in_hook(unsigned int hook, | 56 | static unsigned int |
| 57 | struct sk_buff *skb, | 57 | arptable_filter_hook(unsigned int hook, struct sk_buff *skb, |
| 58 | const struct net_device *in, | 58 | const struct net_device *in, const struct net_device *out, |
| 59 | const struct net_device *out, | 59 | int (*okfn)(struct sk_buff *)) |
| 60 | int (*okfn)(struct sk_buff *)) | ||
| 61 | { | 60 | { |
| 62 | return arpt_do_table(skb, hook, in, out, | 61 | if (hook == NF_ARP_OUT) |
| 63 | dev_net(in)->ipv4.arptable_filter); | 62 | return arpt_do_table(skb, hook, in, out, |
| 64 | } | 63 | dev_net(out)->ipv4.arptable_filter); |
| 65 | 64 | ||
| 66 | static unsigned int arpt_out_hook(unsigned int hook, | 65 | /* INPUT/FORWARD: */ |
| 67 | struct sk_buff *skb, | ||
| 68 | const struct net_device *in, | ||
| 69 | const struct net_device *out, | ||
| 70 | int (*okfn)(struct sk_buff *)) | ||
| 71 | { | ||
| 72 | return arpt_do_table(skb, hook, in, out, | 66 | return arpt_do_table(skb, hook, in, out, |
| 73 | dev_net(out)->ipv4.arptable_filter); | 67 | dev_net(in)->ipv4.arptable_filter); |
| 74 | } | 68 | } |
| 75 | 69 | ||
| 76 | static struct nf_hook_ops arpt_ops[] __read_mostly = { | 70 | static struct nf_hook_ops arpt_ops[] __read_mostly = { |
| 77 | { | 71 | { |
| 78 | .hook = arpt_in_hook, | 72 | .hook = arptable_filter_hook, |
| 79 | .owner = THIS_MODULE, | 73 | .owner = THIS_MODULE, |
| 80 | .pf = NFPROTO_ARP, | 74 | .pf = NFPROTO_ARP, |
| 81 | .hooknum = NF_ARP_IN, | 75 | .hooknum = NF_ARP_IN, |
| 82 | .priority = NF_IP_PRI_FILTER, | 76 | .priority = NF_IP_PRI_FILTER, |
| 83 | }, | 77 | }, |
| 84 | { | 78 | { |
| 85 | .hook = arpt_out_hook, | 79 | .hook = arptable_filter_hook, |
| 86 | .owner = THIS_MODULE, | 80 | .owner = THIS_MODULE, |
| 87 | .pf = NFPROTO_ARP, | 81 | .pf = NFPROTO_ARP, |
| 88 | .hooknum = NF_ARP_OUT, | 82 | .hooknum = NF_ARP_OUT, |
| 89 | .priority = NF_IP_PRI_FILTER, | 83 | .priority = NF_IP_PRI_FILTER, |
| 90 | }, | 84 | }, |
| 91 | { | 85 | { |
| 92 | .hook = arpt_in_hook, | 86 | .hook = arptable_filter_hook, |
| 93 | .owner = THIS_MODULE, | 87 | .owner = THIS_MODULE, |
| 94 | .pf = NFPROTO_ARP, | 88 | .pf = NFPROTO_ARP, |
| 95 | .hooknum = NF_ARP_FORWARD, | 89 | .hooknum = NF_ARP_FORWARD, |
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c index dee90eb8aa47..5369833ad56a 100644 --- a/net/ipv4/netfilter/iptable_filter.c +++ b/net/ipv4/netfilter/iptable_filter.c | |||
| @@ -60,61 +60,43 @@ static const struct xt_table packet_filter = { | |||
| 60 | .af = NFPROTO_IPV4, | 60 | .af = NFPROTO_IPV4, |
| 61 | }; | 61 | }; |
| 62 | 62 | ||
| 63 | /* The work comes in here from netfilter.c. */ | ||
| 64 | static unsigned int | 63 | static unsigned int |
| 65 | ipt_local_in_hook(unsigned int hook, | 64 | iptable_filter_hook(unsigned int hook, struct sk_buff *skb, |
| 66 | struct sk_buff *skb, | 65 | const struct net_device *in, const struct net_device *out, |
| 67 | const struct net_device *in, | 66 | int (*okfn)(struct sk_buff *)) |
| 68 | const struct net_device *out, | ||
| 69 | int (*okfn)(struct sk_buff *)) | ||
| 70 | { | 67 | { |
| 71 | return ipt_do_table(skb, hook, in, out, | 68 | if (hook == NF_INET_LOCAL_OUT) { |
| 72 | dev_net(in)->ipv4.iptable_filter); | 69 | if (skb->len < sizeof(struct iphdr) || |
| 73 | } | 70 | ip_hdrlen(skb) < sizeof(struct iphdr)) |
| 71 | /* root is playing with raw sockets. */ | ||
| 72 | return NF_ACCEPT; | ||
| 73 | |||
| 74 | return ipt_do_table(skb, hook, in, out, | ||
| 75 | dev_net(out)->ipv4.iptable_filter); | ||
| 76 | } | ||
| 74 | 77 | ||
| 75 | static unsigned int | 78 | /* LOCAL_IN/FORWARD: */ |
| 76 | ipt_hook(unsigned int hook, | ||
| 77 | struct sk_buff *skb, | ||
| 78 | const struct net_device *in, | ||
| 79 | const struct net_device *out, | ||
| 80 | int (*okfn)(struct sk_buff *)) | ||
| 81 | { | ||
| 82 | return ipt_do_table(skb, hook, in, out, | 79 | return ipt_do_table(skb, hook, in, out, |
| 83 | dev_net(in)->ipv4.iptable_filter); | 80 | dev_net(in)->ipv4.iptable_filter); |
| 84 | } | 81 | } |
| 85 | 82 | ||
| 86 | static unsigned int | ||
| 87 | ipt_local_out_hook(unsigned int hook, | ||
| 88 | struct sk_buff *skb, | ||
| 89 | const struct net_device *in, | ||
| 90 | const struct net_device *out, | ||
| 91 | int (*okfn)(struct sk_buff *)) | ||
| 92 | { | ||
| 93 | /* root is playing with raw sockets. */ | ||
| 94 | if (skb->len < sizeof(struct iphdr) || | ||
| 95 | ip_hdrlen(skb) < sizeof(struct iphdr)) | ||
| 96 | return NF_ACCEPT; | ||
| 97 | return ipt_do_table(skb, hook, in, out, | ||
| 98 | dev_net(out)->ipv4.iptable_filter); | ||
| 99 | } | ||
| 100 | |||
| 101 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 83 | static struct nf_hook_ops ipt_ops[] __read_mostly = { |
| 102 | { | 84 | { |
| 103 | .hook = ipt_local_in_hook, | 85 | .hook = iptable_filter_hook, |
| 104 | .owner = THIS_MODULE, | 86 | .owner = THIS_MODULE, |
| 105 | .pf = NFPROTO_IPV4, | 87 | .pf = NFPROTO_IPV4, |
| 106 | .hooknum = NF_INET_LOCAL_IN, | 88 | .hooknum = NF_INET_LOCAL_IN, |
| 107 | .priority = NF_IP_PRI_FILTER, | 89 | .priority = NF_IP_PRI_FILTER, |
| 108 | }, | 90 | }, |
| 109 | { | 91 | { |
| 110 | .hook = ipt_hook, | 92 | .hook = iptable_filter_hook, |
| 111 | .owner = THIS_MODULE, | 93 | .owner = THIS_MODULE, |
| 112 | .pf = NFPROTO_IPV4, | 94 | .pf = NFPROTO_IPV4, |
| 113 | .hooknum = NF_INET_FORWARD, | 95 | .hooknum = NF_INET_FORWARD, |
| 114 | .priority = NF_IP_PRI_FILTER, | 96 | .priority = NF_IP_PRI_FILTER, |
| 115 | }, | 97 | }, |
| 116 | { | 98 | { |
| 117 | .hook = ipt_local_out_hook, | 99 | .hook = iptable_filter_hook, |
| 118 | .owner = THIS_MODULE, | 100 | .owner = THIS_MODULE, |
| 119 | .pf = NFPROTO_IPV4, | 101 | .pf = NFPROTO_IPV4, |
| 120 | .hooknum = NF_INET_LOCAL_OUT, | 102 | .hooknum = NF_INET_LOCAL_OUT, |
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c index e07bf242343a..4e699cd275c6 100644 --- a/net/ipv4/netfilter/iptable_mangle.c +++ b/net/ipv4/netfilter/iptable_mangle.c | |||
| @@ -71,51 +71,6 @@ static const struct xt_table packet_mangler = { | |||
| 71 | .af = NFPROTO_IPV4, | 71 | .af = NFPROTO_IPV4, |
| 72 | }; | 72 | }; |
| 73 | 73 | ||
| 74 | /* The work comes in here from netfilter.c. */ | ||
| 75 | static unsigned int | ||
| 76 | ipt_pre_routing_hook(unsigned int hook, | ||
| 77 | struct sk_buff *skb, | ||
| 78 | const struct net_device *in, | ||
| 79 | const struct net_device *out, | ||
| 80 | int (*okfn)(struct sk_buff *)) | ||
| 81 | { | ||
| 82 | return ipt_do_table(skb, hook, in, out, | ||
| 83 | dev_net(in)->ipv4.iptable_mangle); | ||
| 84 | } | ||
| 85 | |||
| 86 | static unsigned int | ||
| 87 | ipt_post_routing_hook(unsigned int hook, | ||
| 88 | struct sk_buff *skb, | ||
| 89 | const struct net_device *in, | ||
| 90 | const struct net_device *out, | ||
| 91 | int (*okfn)(struct sk_buff *)) | ||
| 92 | { | ||
| 93 | return ipt_do_table(skb, hook, in, out, | ||
| 94 | dev_net(out)->ipv4.iptable_mangle); | ||
| 95 | } | ||
| 96 | |||
| 97 | static unsigned int | ||
| 98 | ipt_local_in_hook(unsigned int hook, | ||
| 99 | struct sk_buff *skb, | ||
| 100 | const struct net_device *in, | ||
| 101 | const struct net_device *out, | ||
| 102 | int (*okfn)(struct sk_buff *)) | ||
| 103 | { | ||
| 104 | return ipt_do_table(skb, hook, in, out, | ||
| 105 | dev_net(in)->ipv4.iptable_mangle); | ||
| 106 | } | ||
| 107 | |||
| 108 | static unsigned int | ||
| 109 | ipt_forward_hook(unsigned int hook, | ||
| 110 | struct sk_buff *skb, | ||
| 111 | const struct net_device *in, | ||
| 112 | const struct net_device *out, | ||
| 113 | int (*okfn)(struct sk_buff *)) | ||
| 114 | { | ||
| 115 | return ipt_do_table(skb, hook, in, out, | ||
| 116 | dev_net(in)->ipv4.iptable_mangle); | ||
| 117 | } | ||
| 118 | |||
| 119 | static unsigned int | 74 | static unsigned int |
| 120 | ipt_local_hook(unsigned int hook, | 75 | ipt_local_hook(unsigned int hook, |
| 121 | struct sk_buff *skb, | 76 | struct sk_buff *skb, |
| @@ -158,37 +113,53 @@ ipt_local_hook(unsigned int hook, | |||
| 158 | return ret; | 113 | return ret; |
| 159 | } | 114 | } |
| 160 | 115 | ||
| 116 | /* The work comes in here from netfilter.c. */ | ||
| 117 | static unsigned int | ||
| 118 | iptable_mangle_hook(unsigned int hook, | ||
| 119 | struct sk_buff *skb, | ||
| 120 | const struct net_device *in, | ||
| 121 | const struct net_device *out, | ||
| 122 | int (*okfn)(struct sk_buff *)) | ||
| 123 | { | ||
| 124 | if (hook == NF_INET_LOCAL_OUT) | ||
| 125 | return ipt_local_hook(hook, skb, in, out, okfn); | ||
| 126 | |||
| 127 | /* PREROUTING/INPUT/FORWARD: */ | ||
| 128 | return ipt_do_table(skb, hook, in, out, | ||
| 129 | dev_net(in)->ipv4.iptable_mangle); | ||
| 130 | } | ||
| 131 | |||
| 161 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 132 | static struct nf_hook_ops ipt_ops[] __read_mostly = { |
| 162 | { | 133 | { |
| 163 | .hook = ipt_pre_routing_hook, | 134 | .hook = iptable_mangle_hook, |
| 164 | .owner = THIS_MODULE, | 135 | .owner = THIS_MODULE, |
| 165 | .pf = NFPROTO_IPV4, | 136 | .pf = NFPROTO_IPV4, |
| 166 | .hooknum = NF_INET_PRE_ROUTING, | 137 | .hooknum = NF_INET_PRE_ROUTING, |
| 167 | .priority = NF_IP_PRI_MANGLE, | 138 | .priority = NF_IP_PRI_MANGLE, |
| 168 | }, | 139 | }, |
| 169 | { | 140 | { |
| 170 | .hook = ipt_local_in_hook, | 141 | .hook = iptable_mangle_hook, |
| 171 | .owner = THIS_MODULE, | 142 | .owner = THIS_MODULE, |
| 172 | .pf = NFPROTO_IPV4, | 143 | .pf = NFPROTO_IPV4, |
| 173 | .hooknum = NF_INET_LOCAL_IN, | 144 | .hooknum = NF_INET_LOCAL_IN, |
| 174 | .priority = NF_IP_PRI_MANGLE, | 145 | .priority = NF_IP_PRI_MANGLE, |
| 175 | }, | 146 | }, |
| 176 | { | 147 | { |
| 177 | .hook = ipt_forward_hook, | 148 | .hook = iptable_mangle_hook, |
| 178 | .owner = THIS_MODULE, | 149 | .owner = THIS_MODULE, |
| 179 | .pf = NFPROTO_IPV4, | 150 | .pf = NFPROTO_IPV4, |
| 180 | .hooknum = NF_INET_FORWARD, | 151 | .hooknum = NF_INET_FORWARD, |
| 181 | .priority = NF_IP_PRI_MANGLE, | 152 | .priority = NF_IP_PRI_MANGLE, |
| 182 | }, | 153 | }, |
| 183 | { | 154 | { |
| 184 | .hook = ipt_local_hook, | 155 | .hook = iptable_mangle_hook, |
| 185 | .owner = THIS_MODULE, | 156 | .owner = THIS_MODULE, |
| 186 | .pf = NFPROTO_IPV4, | 157 | .pf = NFPROTO_IPV4, |
| 187 | .hooknum = NF_INET_LOCAL_OUT, | 158 | .hooknum = NF_INET_LOCAL_OUT, |
| 188 | .priority = NF_IP_PRI_MANGLE, | 159 | .priority = NF_IP_PRI_MANGLE, |
| 189 | }, | 160 | }, |
| 190 | { | 161 | { |
| 191 | .hook = ipt_post_routing_hook, | 162 | .hook = iptable_mangle_hook, |
| 192 | .owner = THIS_MODULE, | 163 | .owner = THIS_MODULE, |
| 193 | .pf = NFPROTO_IPV4, | 164 | .pf = NFPROTO_IPV4, |
| 194 | .hooknum = NF_INET_POST_ROUTING, | 165 | .hooknum = NF_INET_POST_ROUTING, |
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index 40f2b9f611a2..2c55575e89f5 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c | |||
| @@ -45,23 +45,15 @@ static const struct xt_table packet_raw = { | |||
| 45 | 45 | ||
| 46 | /* The work comes in here from netfilter.c. */ | 46 | /* The work comes in here from netfilter.c. */ |
| 47 | static unsigned int | 47 | static unsigned int |
| 48 | ipt_hook(unsigned int hook, | 48 | iptable_raw_hook(unsigned int hook, struct sk_buff *skb, |
| 49 | struct sk_buff *skb, | 49 | const struct net_device *in, const struct net_device *out, |
| 50 | const struct net_device *in, | 50 | int (*okfn)(struct sk_buff *)) |
| 51 | const struct net_device *out, | ||
| 52 | int (*okfn)(struct sk_buff *)) | ||
| 53 | { | 51 | { |
| 54 | return ipt_do_table(skb, hook, in, out, | 52 | if (hook == NF_INET_PRE_ROUTING) |
| 55 | dev_net(in)->ipv4.iptable_raw); | 53 | return ipt_do_table(skb, hook, in, out, |
| 56 | } | 54 | dev_net(in)->ipv4.iptable_raw); |
| 57 | 55 | ||
| 58 | static unsigned int | 56 | /* OUTPUT: */ |
| 59 | ipt_local_hook(unsigned int hook, | ||
| 60 | struct sk_buff *skb, | ||
| 61 | const struct net_device *in, | ||
| 62 | const struct net_device *out, | ||
| 63 | int (*okfn)(struct sk_buff *)) | ||
| 64 | { | ||
| 65 | /* root is playing with raw sockets. */ | 57 | /* root is playing with raw sockets. */ |
| 66 | if (skb->len < sizeof(struct iphdr) || | 58 | if (skb->len < sizeof(struct iphdr) || |
| 67 | ip_hdrlen(skb) < sizeof(struct iphdr)) | 59 | ip_hdrlen(skb) < sizeof(struct iphdr)) |
| @@ -73,14 +65,14 @@ ipt_local_hook(unsigned int hook, | |||
| 73 | /* 'raw' is the very first table. */ | 65 | /* 'raw' is the very first table. */ |
| 74 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 66 | static struct nf_hook_ops ipt_ops[] __read_mostly = { |
| 75 | { | 67 | { |
| 76 | .hook = ipt_hook, | 68 | .hook = iptable_raw_hook, |
| 77 | .pf = NFPROTO_IPV4, | 69 | .pf = NFPROTO_IPV4, |
| 78 | .hooknum = NF_INET_PRE_ROUTING, | 70 | .hooknum = NF_INET_PRE_ROUTING, |
| 79 | .priority = NF_IP_PRI_RAW, | 71 | .priority = NF_IP_PRI_RAW, |
| 80 | .owner = THIS_MODULE, | 72 | .owner = THIS_MODULE, |
| 81 | }, | 73 | }, |
| 82 | { | 74 | { |
| 83 | .hook = ipt_local_hook, | 75 | .hook = iptable_raw_hook, |
| 84 | .pf = NFPROTO_IPV4, | 76 | .pf = NFPROTO_IPV4, |
| 85 | .hooknum = NF_INET_LOCAL_OUT, | 77 | .hooknum = NF_INET_LOCAL_OUT, |
| 86 | .priority = NF_IP_PRI_RAW, | 78 | .priority = NF_IP_PRI_RAW, |
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c index 7ce2366e4305..1c666bab3269 100644 --- a/net/ipv4/netfilter/iptable_security.c +++ b/net/ipv4/netfilter/iptable_security.c | |||
| @@ -65,59 +65,43 @@ static const struct xt_table security_table = { | |||
| 65 | }; | 65 | }; |
| 66 | 66 | ||
| 67 | static unsigned int | 67 | static unsigned int |
| 68 | ipt_local_in_hook(unsigned int hook, | 68 | iptable_security_hook(unsigned int hook, struct sk_buff *skb, |
| 69 | struct sk_buff *skb, | 69 | const struct net_device *in, |
| 70 | const struct net_device *in, | 70 | const struct net_device *out, |
| 71 | const struct net_device *out, | 71 | int (*okfn)(struct sk_buff *)) |
| 72 | int (*okfn)(struct sk_buff *)) | ||
| 73 | { | 72 | { |
| 74 | return ipt_do_table(skb, hook, in, out, | 73 | if (hook == NF_INET_LOCAL_OUT) { |
| 75 | dev_net(in)->ipv4.iptable_security); | 74 | if (skb->len < sizeof(struct iphdr) || |
| 76 | } | 75 | ip_hdrlen(skb) < sizeof(struct iphdr)) |
| 76 | /* Somebody is playing with raw sockets. */ | ||
| 77 | return NF_ACCEPT; | ||
| 77 | 78 | ||
| 78 | static unsigned int | 79 | return ipt_do_table(skb, hook, in, out, |
| 79 | ipt_forward_hook(unsigned int hook, | 80 | dev_net(out)->ipv4.iptable_security); |
| 80 | struct sk_buff *skb, | 81 | } |
| 81 | const struct net_device *in, | ||
| 82 | const struct net_device *out, | ||
| 83 | int (*okfn)(struct sk_buff *)) | ||
| 84 | { | ||
| 85 | return ipt_do_table(skb, hook, in, out, | ||
| 86 | dev_net(in)->ipv4.iptable_security); | ||
| 87 | } | ||
| 88 | 82 | ||
| 89 | static unsigned int | 83 | /* INPUT/FORWARD: */ |
| 90 | ipt_local_out_hook(unsigned int hook, | ||
| 91 | struct sk_buff *skb, | ||
| 92 | const struct net_device *in, | ||
| 93 | const struct net_device *out, | ||
| 94 | int (*okfn)(struct sk_buff *)) | ||
| 95 | { | ||
| 96 | /* Somebody is playing with raw sockets. */ | ||
| 97 | if (skb->len < sizeof(struct iphdr) || | ||
| 98 | ip_hdrlen(skb) < sizeof(struct iphdr)) | ||
| 99 | return NF_ACCEPT; | ||
| 100 | return ipt_do_table(skb, hook, in, out, | 84 | return ipt_do_table(skb, hook, in, out, |
| 101 | dev_net(out)->ipv4.iptable_security); | 85 | dev_net(in)->ipv4.iptable_security); |
| 102 | } | 86 | } |
| 103 | 87 | ||
| 104 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 88 | static struct nf_hook_ops ipt_ops[] __read_mostly = { |
| 105 | { | 89 | { |
| 106 | .hook = ipt_local_in_hook, | 90 | .hook = iptable_security_hook, |
| 107 | .owner = THIS_MODULE, | 91 | .owner = THIS_MODULE, |
| 108 | .pf = NFPROTO_IPV4, | 92 | .pf = NFPROTO_IPV4, |
| 109 | .hooknum = NF_INET_LOCAL_IN, | 93 | .hooknum = NF_INET_LOCAL_IN, |
| 110 | .priority = NF_IP_PRI_SECURITY, | 94 | .priority = NF_IP_PRI_SECURITY, |
| 111 | }, | 95 | }, |
| 112 | { | 96 | { |
| 113 | .hook = ipt_forward_hook, | 97 | .hook = iptable_security_hook, |
| 114 | .owner = THIS_MODULE, | 98 | .owner = THIS_MODULE, |
| 115 | .pf = NFPROTO_IPV4, | 99 | .pf = NFPROTO_IPV4, |
| 116 | .hooknum = NF_INET_FORWARD, | 100 | .hooknum = NF_INET_FORWARD, |
| 117 | .priority = NF_IP_PRI_SECURITY, | 101 | .priority = NF_IP_PRI_SECURITY, |
| 118 | }, | 102 | }, |
| 119 | { | 103 | { |
| 120 | .hook = ipt_local_out_hook, | 104 | .hook = iptable_security_hook, |
| 121 | .owner = THIS_MODULE, | 105 | .owner = THIS_MODULE, |
| 122 | .pf = NFPROTO_IPV4, | 106 | .pf = NFPROTO_IPV4, |
| 123 | .hooknum = NF_INET_LOCAL_OUT, | 107 | .hooknum = NF_INET_LOCAL_OUT, |
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c index 33ddfe53e18d..38074e933f67 100644 --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c | |||
| @@ -60,54 +60,36 @@ static const struct xt_table packet_filter = { | |||
| 60 | 60 | ||
| 61 | /* The work comes in here from netfilter.c. */ | 61 | /* The work comes in here from netfilter.c. */ |
| 62 | static unsigned int | 62 | static unsigned int |
| 63 | ip6t_in_hook(unsigned int hook, | 63 | ip6table_filter_hook(unsigned int hook, struct sk_buff *skb, |
| 64 | struct sk_buff *skb, | 64 | const struct net_device *in, const struct net_device *out, |
| 65 | const struct net_device *in, | 65 | int (*okfn)(struct sk_buff *)) |
| 66 | const struct net_device *out, | ||
| 67 | int (*okfn)(struct sk_buff *)) | ||
| 68 | { | 66 | { |
| 69 | return ip6t_do_table(skb, hook, in, out, | 67 | if (hook == NF_INET_LOCAL_OUT) |
| 70 | dev_net(in)->ipv6.ip6table_filter); | 68 | return ip6t_do_table(skb, hook, in, out, |
| 71 | } | 69 | dev_net(out)->ipv6.ip6table_filter); |
| 72 | |||
| 73 | static unsigned int | ||
| 74 | ip6t_local_out_hook(unsigned int hook, | ||
| 75 | struct sk_buff *skb, | ||
| 76 | const struct net_device *in, | ||
| 77 | const struct net_device *out, | ||
| 78 | int (*okfn)(struct sk_buff *)) | ||
| 79 | { | ||
| 80 | #if 0 | ||
| 81 | /* root is playing with raw sockets. */ | ||
| 82 | if (skb->len < sizeof(struct iphdr) || | ||
| 83 | ip_hdrlen(skb) < sizeof(struct iphdr)) { | ||
| 84 | if (net_ratelimit()) | ||
| 85 | printk("ip6t_hook: happy cracking.\n"); | ||
| 86 | return NF_ACCEPT; | ||
| 87 | } | ||
| 88 | #endif | ||
| 89 | 70 | ||
| 71 | /* INPUT/FORWARD: */ | ||
| 90 | return ip6t_do_table(skb, hook, in, out, | 72 | return ip6t_do_table(skb, hook, in, out, |
| 91 | dev_net(out)->ipv6.ip6table_filter); | 73 | dev_net(in)->ipv6.ip6table_filter); |
| 92 | } | 74 | } |
| 93 | 75 | ||
| 94 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 76 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { |
| 95 | { | 77 | { |
| 96 | .hook = ip6t_in_hook, | 78 | .hook = ip6table_filter_hook, |
| 97 | .owner = THIS_MODULE, | 79 | .owner = THIS_MODULE, |
| 98 | .pf = NFPROTO_IPV6, | 80 | .pf = NFPROTO_IPV6, |
| 99 | .hooknum = NF_INET_LOCAL_IN, | 81 | .hooknum = NF_INET_LOCAL_IN, |
| 100 | .priority = NF_IP6_PRI_FILTER, | 82 | .priority = NF_IP6_PRI_FILTER, |
| 101 | }, | 83 | }, |
| 102 | { | 84 | { |
| 103 | .hook = ip6t_in_hook, | 85 | .hook = ip6table_filter_hook, |
| 104 | .owner = THIS_MODULE, | 86 | .owner = THIS_MODULE, |
| 105 | .pf = NFPROTO_IPV6, | 87 | .pf = NFPROTO_IPV6, |
| 106 | .hooknum = NF_INET_FORWARD, | 88 | .hooknum = NF_INET_FORWARD, |
| 107 | .priority = NF_IP6_PRI_FILTER, | 89 | .priority = NF_IP6_PRI_FILTER, |
| 108 | }, | 90 | }, |
| 109 | { | 91 | { |
| 110 | .hook = ip6t_local_out_hook, | 92 | .hook = ip6table_filter_hook, |
| 111 | .owner = THIS_MODULE, | 93 | .owner = THIS_MODULE, |
| 112 | .pf = NFPROTO_IPV6, | 94 | .pf = NFPROTO_IPV6, |
| 113 | .hooknum = NF_INET_LOCAL_OUT, | 95 | .hooknum = NF_INET_LOCAL_OUT, |
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c index 9bc483f000e5..405ac1f76390 100644 --- a/net/ipv6/netfilter/ip6table_mangle.c +++ b/net/ipv6/netfilter/ip6table_mangle.c | |||
| @@ -64,33 +64,9 @@ static const struct xt_table packet_mangler = { | |||
| 64 | .af = NFPROTO_IPV6, | 64 | .af = NFPROTO_IPV6, |
| 65 | }; | 65 | }; |
| 66 | 66 | ||
| 67 | /* The work comes in here from netfilter.c. */ | ||
| 68 | static unsigned int | ||
| 69 | ip6t_in_hook(unsigned int hook, | ||
| 70 | struct sk_buff *skb, | ||
| 71 | const struct net_device *in, | ||
| 72 | const struct net_device *out, | ||
| 73 | int (*okfn)(struct sk_buff *)) | ||
| 74 | { | ||
| 75 | return ip6t_do_table(skb, hook, in, out, | ||
| 76 | dev_net(in)->ipv6.ip6table_mangle); | ||
| 77 | } | ||
| 78 | |||
| 79 | static unsigned int | ||
| 80 | ip6t_post_routing_hook(unsigned int hook, | ||
| 81 | struct sk_buff *skb, | ||
| 82 | const struct net_device *in, | ||
| 83 | const struct net_device *out, | ||
| 84 | int (*okfn)(struct sk_buff *)) | ||
| 85 | { | ||
| 86 | return ip6t_do_table(skb, hook, in, out, | ||
| 87 | dev_net(out)->ipv6.ip6table_mangle); | ||
| 88 | } | ||
| 89 | |||
| 90 | static unsigned int | 67 | static unsigned int |
| 91 | ip6t_local_out_hook(unsigned int hook, | 68 | ip6t_local_out_hook(unsigned int hook, |
| 92 | struct sk_buff *skb, | 69 | struct sk_buff *skb, |
| 93 | const struct net_device *in, | ||
| 94 | const struct net_device *out, | 70 | const struct net_device *out, |
| 95 | int (*okfn)(struct sk_buff *)) | 71 | int (*okfn)(struct sk_buff *)) |
| 96 | { | 72 | { |
| @@ -119,7 +95,7 @@ ip6t_local_out_hook(unsigned int hook, | |||
| 119 | /* flowlabel and prio (includes version, which shouldn't change either */ | 95 | /* flowlabel and prio (includes version, which shouldn't change either */ |
| 120 | flowlabel = *((u_int32_t *)ipv6_hdr(skb)); | 96 | flowlabel = *((u_int32_t *)ipv6_hdr(skb)); |
| 121 | 97 | ||
| 122 | ret = ip6t_do_table(skb, hook, in, out, | 98 | ret = ip6t_do_table(skb, hook, NULL, out, |
| 123 | dev_net(out)->ipv6.ip6table_mangle); | 99 | dev_net(out)->ipv6.ip6table_mangle); |
| 124 | 100 | ||
| 125 | if (ret != NF_DROP && ret != NF_STOLEN && | 101 | if (ret != NF_DROP && ret != NF_STOLEN && |
| @@ -132,37 +108,51 @@ ip6t_local_out_hook(unsigned int hook, | |||
| 132 | return ret; | 108 | return ret; |
| 133 | } | 109 | } |
| 134 | 110 | ||
| 111 | /* The work comes in here from netfilter.c. */ | ||
| 112 | static unsigned int | ||
| 113 | ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb, | ||
| 114 | const struct net_device *in, const struct net_device *out, | ||
| 115 | int (*okfn)(struct sk_buff *)) | ||
| 116 | { | ||
| 117 | if (hook == NF_INET_LOCAL_OUT) | ||
| 118 | return ip6t_local_out_hook(hook, skb, out, okfn); | ||
| 119 | |||
| 120 | /* INPUT/FORWARD */ | ||
| 121 | return ip6t_do_table(skb, hook, in, out, | ||
| 122 | dev_net(in)->ipv6.ip6table_mangle); | ||
| 123 | } | ||
| 124 | |||
| 135 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 125 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { |
| 136 | { | 126 | { |
| 137 | .hook = ip6t_in_hook, | 127 | .hook = ip6table_mangle_hook, |
| 138 | .owner = THIS_MODULE, | 128 | .owner = THIS_MODULE, |
| 139 | .pf = NFPROTO_IPV6, | 129 | .pf = NFPROTO_IPV6, |
| 140 | .hooknum = NF_INET_PRE_ROUTING, | 130 | .hooknum = NF_INET_PRE_ROUTING, |
| 141 | .priority = NF_IP6_PRI_MANGLE, | 131 | .priority = NF_IP6_PRI_MANGLE, |
| 142 | }, | 132 | }, |
| 143 | { | 133 | { |
| 144 | .hook = ip6t_in_hook, | 134 | .hook = ip6table_mangle_hook, |
| 145 | .owner = THIS_MODULE, | 135 | .owner = THIS_MODULE, |
| 146 | .pf = NFPROTO_IPV6, | 136 | .pf = NFPROTO_IPV6, |
| 147 | .hooknum = NF_INET_LOCAL_IN, | 137 | .hooknum = NF_INET_LOCAL_IN, |
| 148 | .priority = NF_IP6_PRI_MANGLE, | 138 | .priority = NF_IP6_PRI_MANGLE, |
| 149 | }, | 139 | }, |
| 150 | { | 140 | { |
| 151 | .hook = ip6t_in_hook, | 141 | .hook = ip6table_mangle_hook, |
| 152 | .owner = THIS_MODULE, | 142 | .owner = THIS_MODULE, |
| 153 | .pf = NFPROTO_IPV6, | 143 | .pf = NFPROTO_IPV6, |
| 154 | .hooknum = NF_INET_FORWARD, | 144 | .hooknum = NF_INET_FORWARD, |
| 155 | .priority = NF_IP6_PRI_MANGLE, | 145 | .priority = NF_IP6_PRI_MANGLE, |
| 156 | }, | 146 | }, |
| 157 | { | 147 | { |
| 158 | .hook = ip6t_local_out_hook, | 148 | .hook = ip6table_mangle_hook, |
| 159 | .owner = THIS_MODULE, | 149 | .owner = THIS_MODULE, |
| 160 | .pf = NFPROTO_IPV6, | 150 | .pf = NFPROTO_IPV6, |
| 161 | .hooknum = NF_INET_LOCAL_OUT, | 151 | .hooknum = NF_INET_LOCAL_OUT, |
| 162 | .priority = NF_IP6_PRI_MANGLE, | 152 | .priority = NF_IP6_PRI_MANGLE, |
| 163 | }, | 153 | }, |
| 164 | { | 154 | { |
| 165 | .hook = ip6t_post_routing_hook, | 155 | .hook = ip6table_mangle_hook, |
| 166 | .owner = THIS_MODULE, | 156 | .owner = THIS_MODULE, |
| 167 | .pf = NFPROTO_IPV6, | 157 | .pf = NFPROTO_IPV6, |
| 168 | .hooknum = NF_INET_POST_ROUTING, | 158 | .hooknum = NF_INET_POST_ROUTING, |
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index 4c90b552e433..985e27cf1e0c 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c | |||
| @@ -44,37 +44,29 @@ static const struct xt_table packet_raw = { | |||
| 44 | 44 | ||
| 45 | /* The work comes in here from netfilter.c. */ | 45 | /* The work comes in here from netfilter.c. */ |
| 46 | static unsigned int | 46 | static unsigned int |
| 47 | ip6t_pre_routing_hook(unsigned int hook, | 47 | ip6table_raw_hook(unsigned int hook, struct sk_buff *skb, |
| 48 | struct sk_buff *skb, | 48 | const struct net_device *in, const struct net_device *out, |
| 49 | const struct net_device *in, | 49 | int (*okfn)(struct sk_buff *)) |
| 50 | const struct net_device *out, | ||
| 51 | int (*okfn)(struct sk_buff *)) | ||
| 52 | { | 50 | { |
| 53 | return ip6t_do_table(skb, hook, in, out, | 51 | if (hook == NF_INET_PRE_ROUTING) |
| 54 | dev_net(in)->ipv6.ip6table_raw); | 52 | return ip6t_do_table(skb, hook, in, out, |
| 55 | } | 53 | dev_net(in)->ipv6.ip6table_raw); |
| 56 | 54 | ||
| 57 | static unsigned int | 55 | /* OUTPUT: */ |
| 58 | ip6t_local_out_hook(unsigned int hook, | ||
| 59 | struct sk_buff *skb, | ||
| 60 | const struct net_device *in, | ||
| 61 | const struct net_device *out, | ||
| 62 | int (*okfn)(struct sk_buff *)) | ||
| 63 | { | ||
| 64 | return ip6t_do_table(skb, hook, in, out, | 56 | return ip6t_do_table(skb, hook, in, out, |
| 65 | dev_net(out)->ipv6.ip6table_raw); | 57 | dev_net(out)->ipv6.ip6table_raw); |
| 66 | } | 58 | } |
| 67 | 59 | ||
| 68 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 60 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { |
| 69 | { | 61 | { |
| 70 | .hook = ip6t_pre_routing_hook, | 62 | .hook = ip6table_raw_hook, |
| 71 | .pf = NFPROTO_IPV6, | 63 | .pf = NFPROTO_IPV6, |
| 72 | .hooknum = NF_INET_PRE_ROUTING, | 64 | .hooknum = NF_INET_PRE_ROUTING, |
| 73 | .priority = NF_IP6_PRI_FIRST, | 65 | .priority = NF_IP6_PRI_FIRST, |
| 74 | .owner = THIS_MODULE, | 66 | .owner = THIS_MODULE, |
| 75 | }, | 67 | }, |
| 76 | { | 68 | { |
| 77 | .hook = ip6t_local_out_hook, | 69 | .hook = ip6table_raw_hook, |
| 78 | .pf = NFPROTO_IPV6, | 70 | .pf = NFPROTO_IPV6, |
| 79 | .hooknum = NF_INET_LOCAL_OUT, | 71 | .hooknum = NF_INET_LOCAL_OUT, |
| 80 | .priority = NF_IP6_PRI_FIRST, | 72 | .priority = NF_IP6_PRI_FIRST, |
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c index baa8d4ef3b0a..835858929358 100644 --- a/net/ipv6/netfilter/ip6table_security.c +++ b/net/ipv6/netfilter/ip6table_security.c | |||
| @@ -64,56 +64,37 @@ static const struct xt_table security_table = { | |||
| 64 | }; | 64 | }; |
| 65 | 65 | ||
| 66 | static unsigned int | 66 | static unsigned int |
| 67 | ip6t_local_in_hook(unsigned int hook, | 67 | ip6table_security_hook(unsigned int hook, struct sk_buff *skb, |
| 68 | struct sk_buff *skb, | 68 | const struct net_device *in, |
| 69 | const struct net_device *in, | 69 | const struct net_device *out, |
| 70 | const struct net_device *out, | 70 | int (*okfn)(struct sk_buff *)) |
| 71 | int (*okfn)(struct sk_buff *)) | ||
| 72 | { | 71 | { |
| 73 | return ip6t_do_table(skb, hook, in, out, | 72 | if (hook == NF_INET_LOCAL_OUT) |
| 74 | dev_net(in)->ipv6.ip6table_security); | 73 | return ip6t_do_table(skb, hook, in, out, |
| 75 | } | 74 | dev_net(out)->ipv6.ip6table_security); |
| 76 | 75 | ||
| 77 | static unsigned int | 76 | /* INPUT/FORWARD: */ |
| 78 | ip6t_forward_hook(unsigned int hook, | ||
| 79 | struct sk_buff *skb, | ||
| 80 | const struct net_device *in, | ||
| 81 | const struct net_device *out, | ||
| 82 | int (*okfn)(struct sk_buff *)) | ||
| 83 | { | ||
| 84 | return ip6t_do_table(skb, hook, in, out, | 77 | return ip6t_do_table(skb, hook, in, out, |
| 85 | dev_net(in)->ipv6.ip6table_security); | 78 | dev_net(in)->ipv6.ip6table_security); |
| 86 | } | 79 | } |
| 87 | 80 | ||
| 88 | static unsigned int | ||
| 89 | ip6t_local_out_hook(unsigned int hook, | ||
| 90 | struct sk_buff *skb, | ||
| 91 | const struct net_device *in, | ||
| 92 | const struct net_device *out, | ||
| 93 | int (*okfn)(struct sk_buff *)) | ||
| 94 | { | ||
| 95 | /* TBD: handle short packets via raw socket */ | ||
| 96 | return ip6t_do_table(skb, hook, in, out, | ||
| 97 | dev_net(out)->ipv6.ip6table_security); | ||
| 98 | } | ||
| 99 | |||
| 100 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 81 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { |
| 101 | { | 82 | { |
| 102 | .hook = ip6t_local_in_hook, | 83 | .hook = ip6table_security_hook, |
| 103 | .owner = THIS_MODULE, | 84 | .owner = THIS_MODULE, |
| 104 | .pf = NFPROTO_IPV6, | 85 | .pf = NFPROTO_IPV6, |
| 105 | .hooknum = NF_INET_LOCAL_IN, | 86 | .hooknum = NF_INET_LOCAL_IN, |
| 106 | .priority = NF_IP6_PRI_SECURITY, | 87 | .priority = NF_IP6_PRI_SECURITY, |
| 107 | }, | 88 | }, |
| 108 | { | 89 | { |
| 109 | .hook = ip6t_forward_hook, | 90 | .hook = ip6table_security_hook, |
| 110 | .owner = THIS_MODULE, | 91 | .owner = THIS_MODULE, |
| 111 | .pf = NFPROTO_IPV6, | 92 | .pf = NFPROTO_IPV6, |
| 112 | .hooknum = NF_INET_FORWARD, | 93 | .hooknum = NF_INET_FORWARD, |
| 113 | .priority = NF_IP6_PRI_SECURITY, | 94 | .priority = NF_IP6_PRI_SECURITY, |
| 114 | }, | 95 | }, |
| 115 | { | 96 | { |
| 116 | .hook = ip6t_local_out_hook, | 97 | .hook = ip6table_security_hook, |
| 117 | .owner = THIS_MODULE, | 98 | .owner = THIS_MODULE, |
| 118 | .pf = NFPROTO_IPV6, | 99 | .pf = NFPROTO_IPV6, |
| 119 | .hooknum = NF_INET_LOCAL_OUT, | 100 | .hooknum = NF_INET_LOCAL_OUT, |