author | Patrick McHardy <kaber@trash.net> | 2006-01-07 02:01:48 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-01-07 15:57:28 -0500 |
commit | 16a6677fdf1d1194f688f8291b06fbaff248c353 (patch) | |
tree | 61badedc44ed88eb8f39e082d1abf114252cc686 /include/linux | |
parent | ee2e6841b934d76cb944a3390bbea84da777d4fa (diff) |
[XFRM]: Netfilter IPsec output hooks
Call netfilter hooks before IPsec transforms. Packets visit the
FORWARD/LOCAL_OUT and POST_ROUTING hook before the first encapsulation
and the LOCAL_OUT and POST_ROUTING hook before each following tunnel mode
transform.
Patch from Herbert Xu <herbert@gondor.apana.org.au>:
Move the loop from dst_output into xfrm4_output/xfrm6_output since they're
the only ones who need it. xfrm{4,6}_output_one() processes the first SA
and all subsequent transport mode SAs and is called in a loop that calls the
netfilter hooks between each two calls.
In order to avoid the tail call issue, I've added the inline function
nf_hook which is nf_hook_slow plus the empty list check.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/netfilter.h | 61 |
1 files changed, 37 insertions, 24 deletions
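--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -168,6 +168,37 @@ void nf_log_packet(int pf,
 const struct net_device *out,
 struct nf_loginfo *li,
 const char *fmt, ...);
+
+int nf_hook_slow(int pf, unsigned int hook, struct sk_buff **pskb,
+struct net_device *indev, struct net_device *outdev,
+int (*okfn)(struct sk_buff *), int thresh);
+
+/**
+* nf_hook_thresh - call a netfilter hook
+*
+* Returns 1 if the hook has allowed the packet to pass. The function
+* okfn must be invoked by the caller in this case. Any other return
+* value indicates the packet has been consumed by the hook.
+*/
+static inline int nf_hook_thresh(int pf, unsigned int hook,
+struct sk_buff **pskb,
+struct net_device *indev,
+struct net_device *outdev,
+int (*okfn)(struct sk_buff *), int thresh)
+{
+#ifndef CONFIG_NETFILTER_DEBUG
+if (list_empty(&nf_hooks[pf][hook]))
+return 1;
+#endif
+return nf_hook_slow(pf, hook, pskb, indev, outdev, okfn, thresh);
+}
+
+static inline int nf_hook(int pf, unsigned int hook, struct sk_buff **pskb,
+struct net_device *indev, struct net_device *outdev,
+int (*okfn)(struct sk_buff *))
+{
+return nf_hook_thresh(pf, hook, pskb, indev, outdev, okfn, INT_MIN);
+}
 
 /* Activate hook; either okfn or kfree_skb called, unless a hook
 returns NF_STOLEN (in which case, it's up to the hook to deal with
@@ -188,35 +219,17 @@ void nf_log_packet(int pf,
 
 /* This is gross, but inline doesn't cut it for avoiding the function
 call in fast path: gcc doesn't inline (needs value tracking?). --RR */
-#ifdef CONFIG_NETFILTER_DEBUG
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
-({int __ret; \
-if ((__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \
-__ret = (okfn)(skb); \
-__ret;})
-#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
-({int __ret; \
-if ((__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1) \
-__ret = (okfn)(skb); \
-__ret;})
-#else
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
-({int __ret; \
-if (list_empty(&nf_hooks[pf][hook]) || \
-(__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \
-__ret = (okfn)(skb); \
-__ret;})
+
+/* HX: It's slightly less gross now. */
+
 #define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
 ({int __ret; \
-if (list_empty(&nf_hooks[pf][hook]) || \
-(__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1) \
+if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1)\
 __ret = (okfn)(skb); \
 __ret;})
-#endif
 
-int nf_hook_slow(int pf, unsigned int hook, struct sk_buff **pskb,
-struct net_device *indev, struct net_device *outdev,
-int (*okfn)(struct sk_buff *), int thresh);
+#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
+NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN)
 
 /* Call setsockopt() */
 int nf_setsockopt(struct sock *sk, int pf, int optval, char __user *opt,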
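Review bot: The comment kept at new lines 220-221 ("inline doesn't cut it ... gcc doesn't inline") is now stale, because NF_HOOK_THRESH at new line 225 wraps the freshly added inline nf_hook_thresh(), and the "HX: It's slightly less gross now." line at 223 only hints at that. Replace the three comment lines with one that states why the macro still exists, which the commit message attributes to the tail-call issue: `/* Kept as a macro so that okfn() is invoked directly from the caller rather than tail-called from nf_hook_thresh(); see the commit adding nf_hook_thresh(). */`. The kerneldoc on nf_hook_thresh() at new lines 176-182 should also say what `thresh` means — presumably the minimum hook priority that is run, with nf_hook() passing INT_MIN to run every hook; confirm against nf_hook_slow() — and make explicit that on any return other than 1 the caller must not touch *pskb again, since the hook has consumed it. Note that both macros still evaluate `skb` and `okfn` twice (`&(skb)` and `(okfn)(skb)`), which the old macros also did, so a side-effecting argument remains unsafe; a one-line comment on NF_HOOK_THRESH saying so would save future callers.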