author | Jan Engelhardt <jengelh@medozas.de> | 2009-07-07 14:54:30 -0400 |
---|---|---|
committer | Jan Engelhardt <jengelh@medozas.de> | 2010-05-11 12:35:27 -0400 |
commit | b4ba26119b06052888696491f614201817491a0d (patch) | |
tree | d6dc2a4e0f78641b5b64a1728322c81cbad09974 /net/ipv4 | |
parent | 62fc8051083a334578c3f4b3488808f210b4565f (diff) |
netfilter: xtables: change hotdrop pointer to direct modification
Since xt_action_param is writable, let's use it. The pointer to
'bool hotdrop' always worried (8 bytes (64-bit) to write 1 byte!).
Surprisingly results in a reduction in size:
text data bss filename
5457066 692730 357892 vmlinux.o-prev
5456554 692730 357892 vmlinux.o
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 6 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 9 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_ah.c | 2 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_ecn.c | 2 |
4 files changed, 9 insertions, 10 deletions
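--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -260,7 +260,6 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
 unsigned int verdict = NF_DROP;
 const struct arphdr *arp;
-bool hotdrop = false;
 struct arpt_entry *e, *back;
 const char *indev, *outdev;
 void *table_base;
@@ -284,6 +283,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 acpar.out = out;
 acpar.hooknum = hook;
 acpar.family = NFPROTO_ARP;
+acpar.hotdrop = false;
 
 arp = arp_hdr(skb);
 do {
@@ -345,10 +345,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 else
 /* Verdict */
 break;
-} while (!hotdrop);
+} while (!acpar.hotdrop);
 xt_info_rdunlock_bh();
 
-if (hotdrop)
+if (acpar.hotdrop)
 return NF_DROP;
 else
 return verdict;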
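Review bot: Nothing marks `acpar.hotdrop = false;` (new line 286 here, and new line 332 in ipt_do_table) as required, although the loop condition and the final `if (acpar.hotdrop)` now depend on it, where the removed local `bool hotdrop = false;` was initialised at its declaration. The declaration of `acpar` is outside the hunk; if it is a stack struct without an initialiser, dropping or reordering this one assignment would leave the drop decision reading an indeterminate value. A comment on the assignment would pin the requirement, for example `/* must be cleared before the first rule is evaluated; a match sets it to force NF_DROP */`.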
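--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -308,7 +308,6 @@ ipt_do_table(struct sk_buff *skb,
 {
 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
 const struct iphdr *ip;
-bool hotdrop = false;
 /* Initializing verdict to NF_DROP keeps gcc happy. */
 unsigned int verdict = NF_DROP;
 const char *indev, *outdev;
@@ -330,7 +329,7 @@ ipt_do_table(struct sk_buff *skb,
 * match it. */
 acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
 acpar.thoff = ip_hdrlen(skb);
-acpar.hotdrop = &hotdrop;
+acpar.hotdrop = false;
 acpar.in = in;
 acpar.out = out;
 acpar.family = NFPROTO_IPV4;
@@ -432,7 +431,7 @@ ipt_do_table(struct sk_buff *skb,
 else
 /* Verdict */
 break;
-} while (!hotdrop);
+} while (!acpar.hotdrop);
 xt_info_rdunlock_bh();
 pr_debug("Exiting %s; resetting sp from %u to %u\n",
 __func__, *stackptr, origptr);
@@ -440,7 +439,7 @@ ipt_do_table(struct sk_buff *skb,
 #ifdef DEBUG_ALLOW_ALL
 return NF_ACCEPT;
 #else
-if (hotdrop)
+if (acpar.hotdrop)
 return NF_DROP;
 else return verdict;
 #endif
@@ -2154,7 +2153,7 @@ icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
 * can't. Hence, no choice but to drop.
 */
 duprintf("Dropping evil ICMP tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 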
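Review bot: With `DEBUG_ALLOW_ALL` defined, the `if (acpar.hotdrop)` check at new line 442 is compiled out and ipt_do_table returns `NF_ACCEPT` regardless, so a packet that icmp_match flagged with `par->hotdrop = true;` is still accepted. That behaviour predates this commit, but since the branch is being edited the `#ifdef` deserves a comment saying so, for example `/* debugging only: also overrides hotdrop, so packets a match wanted dropped are accepted */`. The body of ipt_do_table starts and continues outside these hunks, and where the macro is defined is not visible here.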
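--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -46,7 +46,7 @@ static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
 * can't. Hence, no choice but to drop.
 */
 pr_debug("Dropping evil AH tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return 0;
 }
 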
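Review bot: ah_mt is declared `static bool`, but the tinygram path at new line 50 still ends in `return 0;`, while the equivalent path in icmp_match returns `false`. Since the line directly above is being changed, make it `return false;` so the two hotdrop paths read the same. The rest of ah_mt lies outside the hunk.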
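--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -78,7 +78,7 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
 if (ip_hdr(skb)->protocol != IPPROTO_TCP)
 return false;
-if (!match_tcp(skb, info, par->hotdrop))
+if (!match_tcp(skb, info, &par->hotdrop))
 return false;
 }
 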
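Review bot: The call at new line 81 still hands match_tcp a pointer, `&par->hotdrop`, so this helper keeps the indirection that the commit removes everywhere else. match_tcp is defined outside the hunk; assuming its third parameter is a `bool *`, it would be more consistent to pass the action parameter itself, `if (!match_tcp(skb, info, par))`, and let the helper write `par->hotdrop = true;`. If the pointer is kept deliberately to keep the patch small, a one-line comment at the call saying so would help the next reader.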