diff options
| author | Jan Engelhardt <jengelh@medozas.de> | 2009-06-17 07:57:48 -0400 |
|---|---|---|
| committer | Jan Engelhardt <jengelh@medozas.de> | 2010-02-10 11:13:33 -0500 |
| commit | 2b95efe7f6bb750256a702cc32d33b0cb2cd8223 (patch) | |
| tree | 49ab6f0eb13fe524211f94db29c19827529f49a5 /net/ipv4 | |
| parent | 2b21e051472fdb4680076278b2ccf63ebc1cc3bc (diff) | |
netfilter: xtables: use xt_table for hook instantiation
The respective xt_table structures already have most of the metadata
needed for hook setup. Add a 'priority' field to struct xt_table so
that xt_hook_link() can be called with a reduced number of arguments.
So should we be having more tables in the future, it comes at no
static cost (only runtime, as before) - space saved:
6807373->6806555.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/arptable_filter.c | 33 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_filter.c | 33 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_mangle.c | 47 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_raw.c | 27 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_security.c | 33 |
5 files changed, 35 insertions, 138 deletions
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c index deeda9b2cf05..b361de0dac4c 100644 --- a/net/ipv4/netfilter/arptable_filter.c +++ b/net/ipv4/netfilter/arptable_filter.c | |||
| @@ -50,6 +50,7 @@ static const struct xt_table packet_filter = { | |||
| 50 | .valid_hooks = FILTER_VALID_HOOKS, | 50 | .valid_hooks = FILTER_VALID_HOOKS, |
| 51 | .me = THIS_MODULE, | 51 | .me = THIS_MODULE, |
| 52 | .af = NFPROTO_ARP, | 52 | .af = NFPROTO_ARP, |
| 53 | .priority = NF_IP_PRI_FILTER, | ||
| 53 | }; | 54 | }; |
| 54 | 55 | ||
| 55 | /* The work comes in here from netfilter.c */ | 56 | /* The work comes in here from netfilter.c */ |
| @@ -63,29 +64,7 @@ arptable_filter_hook(unsigned int hook, struct sk_buff *skb, | |||
| 63 | return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter); | 64 | return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter); |
| 64 | } | 65 | } |
| 65 | 66 | ||
| 66 | static struct nf_hook_ops arpt_ops[] __read_mostly = { | 67 | static struct nf_hook_ops *arpfilter_ops __read_mostly; |
| 67 | { | ||
| 68 | .hook = arptable_filter_hook, | ||
| 69 | .owner = THIS_MODULE, | ||
| 70 | .pf = NFPROTO_ARP, | ||
| 71 | .hooknum = NF_ARP_IN, | ||
| 72 | .priority = NF_IP_PRI_FILTER, | ||
| 73 | }, | ||
| 74 | { | ||
| 75 | .hook = arptable_filter_hook, | ||
| 76 | .owner = THIS_MODULE, | ||
| 77 | .pf = NFPROTO_ARP, | ||
| 78 | .hooknum = NF_ARP_OUT, | ||
| 79 | .priority = NF_IP_PRI_FILTER, | ||
| 80 | }, | ||
| 81 | { | ||
| 82 | .hook = arptable_filter_hook, | ||
| 83 | .owner = THIS_MODULE, | ||
| 84 | .pf = NFPROTO_ARP, | ||
| 85 | .hooknum = NF_ARP_FORWARD, | ||
| 86 | .priority = NF_IP_PRI_FILTER, | ||
| 87 | }, | ||
| 88 | }; | ||
| 89 | 68 | ||
| 90 | static int __net_init arptable_filter_net_init(struct net *net) | 69 | static int __net_init arptable_filter_net_init(struct net *net) |
| 91 | { | 70 | { |
| @@ -115,9 +94,11 @@ static int __init arptable_filter_init(void) | |||
| 115 | if (ret < 0) | 94 | if (ret < 0) |
| 116 | return ret; | 95 | return ret; |
| 117 | 96 | ||
| 118 | ret = nf_register_hooks(arpt_ops, ARRAY_SIZE(arpt_ops)); | 97 | arpfilter_ops = xt_hook_link(&packet_filter, arptable_filter_hook); |
| 119 | if (ret < 0) | 98 | if (IS_ERR(arpfilter_ops)) { |
| 99 | ret = PTR_ERR(arpfilter_ops); | ||
| 120 | goto cleanup_table; | 100 | goto cleanup_table; |
| 101 | } | ||
| 121 | return ret; | 102 | return ret; |
| 122 | 103 | ||
| 123 | cleanup_table: | 104 | cleanup_table: |
| @@ -127,7 +108,7 @@ cleanup_table: | |||
| 127 | 108 | ||
| 128 | static void __exit arptable_filter_fini(void) | 109 | static void __exit arptable_filter_fini(void) |
| 129 | { | 110 | { |
| 130 | nf_unregister_hooks(arpt_ops, ARRAY_SIZE(arpt_ops)); | 111 | xt_hook_unlink(&packet_filter, arpfilter_ops); |
| 131 | unregister_pernet_subsys(&arptable_filter_net_ops); | 112 | unregister_pernet_subsys(&arptable_filter_net_ops); |
| 132 | } | 113 | } |
| 133 | 114 | ||
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c index 1bfeaae6f624..c14bb85db1d9 100644 --- a/net/ipv4/netfilter/iptable_filter.c +++ b/net/ipv4/netfilter/iptable_filter.c | |||
| @@ -58,6 +58,7 @@ static const struct xt_table packet_filter = { | |||
| 58 | .valid_hooks = FILTER_VALID_HOOKS, | 58 | .valid_hooks = FILTER_VALID_HOOKS, |
| 59 | .me = THIS_MODULE, | 59 | .me = THIS_MODULE, |
| 60 | .af = NFPROTO_IPV4, | 60 | .af = NFPROTO_IPV4, |
| 61 | .priority = NF_IP_PRI_FILTER, | ||
| 61 | }; | 62 | }; |
| 62 | 63 | ||
| 63 | static unsigned int | 64 | static unsigned int |
| @@ -77,29 +78,7 @@ iptable_filter_hook(unsigned int hook, struct sk_buff *skb, | |||
| 77 | return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter); | 78 | return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter); |
| 78 | } | 79 | } |
| 79 | 80 | ||
| 80 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 81 | static struct nf_hook_ops *filter_ops __read_mostly; |
| 81 | { | ||
| 82 | .hook = iptable_filter_hook, | ||
| 83 | .owner = THIS_MODULE, | ||
| 84 | .pf = NFPROTO_IPV4, | ||
| 85 | .hooknum = NF_INET_LOCAL_IN, | ||
| 86 | .priority = NF_IP_PRI_FILTER, | ||
| 87 | }, | ||
| 88 | { | ||
| 89 | .hook = iptable_filter_hook, | ||
| 90 | .owner = THIS_MODULE, | ||
| 91 | .pf = NFPROTO_IPV4, | ||
| 92 | .hooknum = NF_INET_FORWARD, | ||
| 93 | .priority = NF_IP_PRI_FILTER, | ||
| 94 | }, | ||
| 95 | { | ||
| 96 | .hook = iptable_filter_hook, | ||
| 97 | .owner = THIS_MODULE, | ||
| 98 | .pf = NFPROTO_IPV4, | ||
| 99 | .hooknum = NF_INET_LOCAL_OUT, | ||
| 100 | .priority = NF_IP_PRI_FILTER, | ||
| 101 | }, | ||
| 102 | }; | ||
| 103 | 82 | ||
| 104 | /* Default to forward because I got too much mail already. */ | 83 | /* Default to forward because I got too much mail already. */ |
| 105 | static int forward = NF_ACCEPT; | 84 | static int forward = NF_ACCEPT; |
| @@ -142,9 +121,11 @@ static int __init iptable_filter_init(void) | |||
| 142 | return ret; | 121 | return ret; |
| 143 | 122 | ||
| 144 | /* Register hooks */ | 123 | /* Register hooks */ |
| 145 | ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 124 | filter_ops = xt_hook_link(&packet_filter, iptable_filter_hook); |
| 146 | if (ret < 0) | 125 | if (IS_ERR(filter_ops)) { |
| 126 | ret = PTR_ERR(filter_ops); | ||
| 147 | goto cleanup_table; | 127 | goto cleanup_table; |
| 128 | } | ||
| 148 | 129 | ||
| 149 | return ret; | 130 | return ret; |
| 150 | 131 | ||
| @@ -155,7 +136,7 @@ static int __init iptable_filter_init(void) | |||
| 155 | 136 | ||
| 156 | static void __exit iptable_filter_fini(void) | 137 | static void __exit iptable_filter_fini(void) |
| 157 | { | 138 | { |
| 158 | nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 139 | xt_hook_unlink(&packet_filter, filter_ops); |
| 159 | unregister_pernet_subsys(&iptable_filter_net_ops); | 140 | unregister_pernet_subsys(&iptable_filter_net_ops); |
| 160 | } | 141 | } |
| 161 | 142 | ||
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c index 4e699cd275c6..2355a229f8ee 100644 --- a/net/ipv4/netfilter/iptable_mangle.c +++ b/net/ipv4/netfilter/iptable_mangle.c | |||
| @@ -69,6 +69,7 @@ static const struct xt_table packet_mangler = { | |||
| 69 | .valid_hooks = MANGLE_VALID_HOOKS, | 69 | .valid_hooks = MANGLE_VALID_HOOKS, |
| 70 | .me = THIS_MODULE, | 70 | .me = THIS_MODULE, |
| 71 | .af = NFPROTO_IPV4, | 71 | .af = NFPROTO_IPV4, |
| 72 | .priority = NF_IP_PRI_MANGLE, | ||
| 72 | }; | 73 | }; |
| 73 | 74 | ||
| 74 | static unsigned int | 75 | static unsigned int |
| @@ -129,43 +130,7 @@ iptable_mangle_hook(unsigned int hook, | |||
| 129 | dev_net(in)->ipv4.iptable_mangle); | 130 | dev_net(in)->ipv4.iptable_mangle); |
| 130 | } | 131 | } |
| 131 | 132 | ||
| 132 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 133 | static struct nf_hook_ops *mangle_ops __read_mostly; |
| 133 | { | ||
| 134 | .hook = iptable_mangle_hook, | ||
| 135 | .owner = THIS_MODULE, | ||
| 136 | .pf = NFPROTO_IPV4, | ||
| 137 | .hooknum = NF_INET_PRE_ROUTING, | ||
| 138 | .priority = NF_IP_PRI_MANGLE, | ||
| 139 | }, | ||
| 140 | { | ||
| 141 | .hook = iptable_mangle_hook, | ||
| 142 | .owner = THIS_MODULE, | ||
| 143 | .pf = NFPROTO_IPV4, | ||
| 144 | .hooknum = NF_INET_LOCAL_IN, | ||
| 145 | .priority = NF_IP_PRI_MANGLE, | ||
| 146 | }, | ||
| 147 | { | ||
| 148 | .hook = iptable_mangle_hook, | ||
| 149 | .owner = THIS_MODULE, | ||
| 150 | .pf = NFPROTO_IPV4, | ||
| 151 | .hooknum = NF_INET_FORWARD, | ||
| 152 | .priority = NF_IP_PRI_MANGLE, | ||
| 153 | }, | ||
| 154 | { | ||
| 155 | .hook = iptable_mangle_hook, | ||
| 156 | .owner = THIS_MODULE, | ||
| 157 | .pf = NFPROTO_IPV4, | ||
| 158 | .hooknum = NF_INET_LOCAL_OUT, | ||
| 159 | .priority = NF_IP_PRI_MANGLE, | ||
| 160 | }, | ||
| 161 | { | ||
| 162 | .hook = iptable_mangle_hook, | ||
| 163 | .owner = THIS_MODULE, | ||
| 164 | .pf = NFPROTO_IPV4, | ||
| 165 | .hooknum = NF_INET_POST_ROUTING, | ||
| 166 | .priority = NF_IP_PRI_MANGLE, | ||
| 167 | }, | ||
| 168 | }; | ||
| 169 | 134 | ||
| 170 | static int __net_init iptable_mangle_net_init(struct net *net) | 135 | static int __net_init iptable_mangle_net_init(struct net *net) |
| 171 | { | 136 | { |
| @@ -196,9 +161,11 @@ static int __init iptable_mangle_init(void) | |||
| 196 | return ret; | 161 | return ret; |
| 197 | 162 | ||
| 198 | /* Register hooks */ | 163 | /* Register hooks */ |
| 199 | ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 164 | mangle_ops = xt_hook_link(&packet_mangler, iptable_mangle_hook); |
| 200 | if (ret < 0) | 165 | if (IS_ERR(mangle_ops)) { |
| 166 | ret = PTR_ERR(mangle_ops); | ||
| 201 | goto cleanup_table; | 167 | goto cleanup_table; |
| 168 | } | ||
| 202 | 169 | ||
| 203 | return ret; | 170 | return ret; |
| 204 | 171 | ||
| @@ -209,7 +176,7 @@ static int __init iptable_mangle_init(void) | |||
| 209 | 176 | ||
| 210 | static void __exit iptable_mangle_fini(void) | 177 | static void __exit iptable_mangle_fini(void) |
| 211 | { | 178 | { |
| 212 | nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 179 | xt_hook_unlink(&packet_mangler, mangle_ops); |
| 213 | unregister_pernet_subsys(&iptable_mangle_net_ops); | 180 | unregister_pernet_subsys(&iptable_mangle_net_ops); |
| 214 | } | 181 | } |
| 215 | 182 | ||
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index d16e43777c31..62a99154f14c 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c | |||
| @@ -41,6 +41,7 @@ static const struct xt_table packet_raw = { | |||
| 41 | .valid_hooks = RAW_VALID_HOOKS, | 41 | .valid_hooks = RAW_VALID_HOOKS, |
| 42 | .me = THIS_MODULE, | 42 | .me = THIS_MODULE, |
| 43 | .af = NFPROTO_IPV4, | 43 | .af = NFPROTO_IPV4, |
| 44 | .priority = NF_IP_PRI_RAW, | ||
| 44 | }; | 45 | }; |
| 45 | 46 | ||
| 46 | /* The work comes in here from netfilter.c. */ | 47 | /* The work comes in here from netfilter.c. */ |
| @@ -61,23 +62,7 @@ iptable_raw_hook(unsigned int hook, struct sk_buff *skb, | |||
| 61 | return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw); | 62 | return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw); |
| 62 | } | 63 | } |
| 63 | 64 | ||
| 64 | /* 'raw' is the very first table. */ | 65 | static struct nf_hook_ops *rawtable_ops __read_mostly; |
| 65 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | ||
| 66 | { | ||
| 67 | .hook = iptable_raw_hook, | ||
| 68 | .pf = NFPROTO_IPV4, | ||
| 69 | .hooknum = NF_INET_PRE_ROUTING, | ||
| 70 | .priority = NF_IP_PRI_RAW, | ||
| 71 | .owner = THIS_MODULE, | ||
| 72 | }, | ||
| 73 | { | ||
| 74 | .hook = iptable_raw_hook, | ||
| 75 | .pf = NFPROTO_IPV4, | ||
| 76 | .hooknum = NF_INET_LOCAL_OUT, | ||
| 77 | .priority = NF_IP_PRI_RAW, | ||
| 78 | .owner = THIS_MODULE, | ||
| 79 | }, | ||
| 80 | }; | ||
| 81 | 66 | ||
| 82 | static int __net_init iptable_raw_net_init(struct net *net) | 67 | static int __net_init iptable_raw_net_init(struct net *net) |
| 83 | { | 68 | { |
| @@ -108,9 +93,11 @@ static int __init iptable_raw_init(void) | |||
| 108 | return ret; | 93 | return ret; |
| 109 | 94 | ||
| 110 | /* Register hooks */ | 95 | /* Register hooks */ |
| 111 | ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 96 | rawtable_ops = xt_hook_link(&packet_raw, iptable_raw_hook); |
| 112 | if (ret < 0) | 97 | if (IS_ERR(rawtable_ops)) { |
| 98 | ret = PTR_ERR(rawtable_ops); | ||
| 113 | goto cleanup_table; | 99 | goto cleanup_table; |
| 100 | } | ||
| 114 | 101 | ||
| 115 | return ret; | 102 | return ret; |
| 116 | 103 | ||
| @@ -121,7 +108,7 @@ static int __init iptable_raw_init(void) | |||
| 121 | 108 | ||
| 122 | static void __exit iptable_raw_fini(void) | 109 | static void __exit iptable_raw_fini(void) |
| 123 | { | 110 | { |
| 124 | nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 111 | xt_hook_unlink(&packet_raw, rawtable_ops); |
| 125 | unregister_pernet_subsys(&iptable_raw_net_ops); | 112 | unregister_pernet_subsys(&iptable_raw_net_ops); |
| 126 | } | 113 | } |
| 127 | 114 | ||
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c index 324505aaaa73..b1bf3ca2c6c7 100644 --- a/net/ipv4/netfilter/iptable_security.c +++ b/net/ipv4/netfilter/iptable_security.c | |||
| @@ -62,6 +62,7 @@ static const struct xt_table security_table = { | |||
| 62 | .valid_hooks = SECURITY_VALID_HOOKS, | 62 | .valid_hooks = SECURITY_VALID_HOOKS, |
| 63 | .me = THIS_MODULE, | 63 | .me = THIS_MODULE, |
| 64 | .af = NFPROTO_IPV4, | 64 | .af = NFPROTO_IPV4, |
| 65 | .priority = NF_IP_PRI_SECURITY, | ||
| 65 | }; | 66 | }; |
| 66 | 67 | ||
| 67 | static unsigned int | 68 | static unsigned int |
| @@ -82,29 +83,7 @@ iptable_security_hook(unsigned int hook, struct sk_buff *skb, | |||
| 82 | return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security); | 83 | return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security); |
| 83 | } | 84 | } |
| 84 | 85 | ||
| 85 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 86 | static struct nf_hook_ops *sectbl_ops __read_mostly; |
| 86 | { | ||
| 87 | .hook = iptable_security_hook, | ||
| 88 | .owner = THIS_MODULE, | ||
| 89 | .pf = NFPROTO_IPV4, | ||
| 90 | .hooknum = NF_INET_LOCAL_IN, | ||
| 91 | .priority = NF_IP_PRI_SECURITY, | ||
| 92 | }, | ||
| 93 | { | ||
| 94 | .hook = iptable_security_hook, | ||
| 95 | .owner = THIS_MODULE, | ||
| 96 | .pf = NFPROTO_IPV4, | ||
| 97 | .hooknum = NF_INET_FORWARD, | ||
| 98 | .priority = NF_IP_PRI_SECURITY, | ||
| 99 | }, | ||
| 100 | { | ||
| 101 | .hook = iptable_security_hook, | ||
| 102 | .owner = THIS_MODULE, | ||
| 103 | .pf = NFPROTO_IPV4, | ||
| 104 | .hooknum = NF_INET_LOCAL_OUT, | ||
| 105 | .priority = NF_IP_PRI_SECURITY, | ||
| 106 | }, | ||
| 107 | }; | ||
| 108 | 87 | ||
| 109 | static int __net_init iptable_security_net_init(struct net *net) | 88 | static int __net_init iptable_security_net_init(struct net *net) |
| 110 | { | 89 | { |
| @@ -135,9 +114,11 @@ static int __init iptable_security_init(void) | |||
| 135 | if (ret < 0) | 114 | if (ret < 0) |
| 136 | return ret; | 115 | return ret; |
| 137 | 116 | ||
| 138 | ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 117 | sectbl_ops = xt_hook_link(&security_table, iptable_security_hook); |
| 139 | if (ret < 0) | 118 | if (IS_ERR(sectbl_ops)) { |
| 119 | ret = PTR_ERR(sectbl_ops); | ||
| 140 | goto cleanup_table; | 120 | goto cleanup_table; |
| 121 | } | ||
| 141 | 122 | ||
| 142 | return ret; | 123 | return ret; |
| 143 | 124 | ||
| @@ -148,7 +129,7 @@ cleanup_table: | |||
| 148 | 129 | ||
| 149 | static void __exit iptable_security_fini(void) | 130 | static void __exit iptable_security_fini(void) |
| 150 | { | 131 | { |
| 151 | nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 132 | xt_hook_unlink(&security_table, sectbl_ops); |
| 152 | unregister_pernet_subsys(&iptable_security_net_ops); | 133 | unregister_pernet_subsys(&iptable_security_net_ops); |
| 153 | } | 134 | } |
| 154 | 135 | ||