authorJan Engelhardt <jengelh@medozas.de>2009-07-07 14:54:30 -0400
committerJan Engelhardt <jengelh@medozas.de>2010-05-11 12:35:27 -0400
commitb4ba26119b06052888696491f614201817491a0d (patch)
treed6dc2a4e0f78641b5b64a1728322c81cbad09974 /net/ipv4
parent62fc8051083a334578c3f4b3488808f210b4565f (diff)
netfilter: xtables: change hotdrop pointer to direct modification
Since xt_action_param is writable, let's use it. The pointer to 'bool hotdrop' always worried me (8 bytes (64-bit) to write 1 byte!). Surprisingly results in a reduction in size:

   text    data     bss filename
5457066  692730  357892 vmlinux.o-prev
5456554  692730  357892 vmlinux.o

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/netfilter/arp_tables.c6
-rw-r--r--net/ipv4/netfilter/ip_tables.c9
-rw-r--r--net/ipv4/netfilter/ipt_ah.c2
-rw-r--r--net/ipv4/netfilter/ipt_ecn.c2
4 files changed, 9 insertions, 10 deletions
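--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -260,7 +260,6 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
 unsigned int verdict = NF_DROP;
 const struct arphdr *arp;
-bool hotdrop = false;
 struct arpt_entry *e, *back;
 const char *indev, *outdev;
 void *table_base;
@@ -284,6 +283,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 acpar.out = out;
 acpar.hooknum = hook;
 acpar.family = NFPROTO_ARP;
+acpar.hotdrop = false;
 
 arp = arp_hdr(skb);
 do {
@@ -345,10 +345,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 else
 /* Verdict */
 break;
-} while (!hotdrop);
+} while (!acpar.hotdrop);
 xt_info_rdunlock_bh();
 
-if (hotdrop)
+if (acpar.hotdrop)
 return NF_DROP;
 else
 return verdict;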
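Review bot: The added `acpar.hotdrop = false;` is now the only thing that initializes the flag read by `} while (!acpar.hotdrop);` and by the final `if (acpar.hotdrop)`, whereas the removed local was initialized at its declaration. The declaration of `acpar` is outside these hunks, so it is not visible whether the struct is zero-initialized; if it is a plain stack struct, dropping or reordering this assignment would make the loop exit and the NF_DROP decision depend on stale stack contents. I would add a comment above it, `/* reset before traversal: a match sets this to force NF_DROP */`, and the same applies to the assignment in ipt_do_table in ip_tables.c. arpt_do_table starts and ends outside the hunks shown.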
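--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -308,7 +308,6 @@ ipt_do_table(struct sk_buff *skb,
 {
 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
 const struct iphdr *ip;
-bool hotdrop = false;
 /* Initializing verdict to NF_DROP keeps gcc happy. */
 unsigned int verdict = NF_DROP;
 const char *indev, *outdev;
@@ -330,7 +329,7 @@ ipt_do_table(struct sk_buff *skb,
 * match it. */
 acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
 acpar.thoff = ip_hdrlen(skb);
-acpar.hotdrop = &hotdrop;
+acpar.hotdrop = false;
 acpar.in = in;
 acpar.out = out;
 acpar.family = NFPROTO_IPV4;
@@ -432,7 +431,7 @@ ipt_do_table(struct sk_buff *skb,
 else
 /* Verdict */
 break;
-} while (!hotdrop);
+} while (!acpar.hotdrop);
 xt_info_rdunlock_bh();
 pr_debug("Exiting %s; resetting sp from %u to %u\n",
 __func__, *stackptr, origptr);
@@ -440,7 +439,7 @@ ipt_do_table(struct sk_buff *skb,
 #ifdef DEBUG_ALLOW_ALL
 return NF_ACCEPT;
 #else
-if (hotdrop)
+if (acpar.hotdrop)
 return NF_DROP;
 else return verdict;
 #endif
@@ -2154,7 +2153,7 @@ icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
 * can't. Hence, no choice but to drop.
 */
 duprintf("Dropping evil ICMP tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 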
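Review bot: In the last ipt_do_table hunk, a build with `DEBUG_ALLOW_ALL` defined returns `NF_ACCEPT` without looking at `acpar.hotdrop`, so a packet that a match flagged for hot-drop (presumably including the ICMP tinygram case in icmp_match) is accepted anyway. The commit rewrites the `#else` branch but leaves that asymmetry undocumented. I would at least add a comment on the debug branch, `/* DEBUG_ALLOW_ALL: verdict and acpar.hotdrop are both ignored; never define in production builds */`, so the macro is not enabled on a filtering host by accident. ipt_do_table and icmp_match both continue outside the hunks shown.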
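--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -46,7 +46,7 @@ static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
 * can't. Hence, no choice but to drop.
 */
 pr_debug("Dropping evil AH tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return 0;
 }
 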
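--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -78,7 +78,7 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
 if (ip_hdr(skb)->protocol != IPPROTO_TCP)
 return false;
-if (!match_tcp(skb, info, par->hotdrop))
+if (!match_tcp(skb, info, &par->hotdrop))
 return false;
 }
 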
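Review bot: `match_tcp(skb, info, &par->hotdrop)` keeps the pointer indirection that this commit removes everywhere else; match_tcp's definition is outside the hunk, but from the call it presumably still takes a `bool *`. Since ecn_mt already has `par`, passing it through, `if (!match_tcp(skb, info, par))`, and letting the helper write `par->hotdrop = true` would match ah_mt and icmp_match. Separately, this page is limited to net/ipv4: any caller elsewhere that still passes `par->hotdrop` to a `bool *` parameter would typically draw only an integer-to-pointer warning and then write through a near-NULL pointer, so the remaining xtables users are worth checking for that pattern.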