diff options
| author | Jan Engelhardt <jengelh@medozas.de> | 2009-06-13 00:46:36 -0400 |
|---|---|---|
| committer | Jan Engelhardt <jengelh@medozas.de> | 2010-02-10 10:44:58 -0500 |
| commit | 737535c5cf3524e4bfaa91e22edefd52eccabbce (patch) | |
| tree | 4c6918a8fb0b7568f30310947043320a03d10328 /net/ipv6 | |
| parent | 9ab99d5a43e9f283738fd9fd365539306d13eaac (diff) | |
netfilter: xtables: compact table hook functions (1/2)
This patch combines all the per-hook functions in a given table into
a single function. Together with the 2nd patch, further
simplifications are possible up to the point of output code reduction.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/ip6table_filter.c | 40 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_mangle.c | 50 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_raw.c | 26 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_security.c | 41 |
4 files changed, 51 insertions, 106 deletions
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c index 33ddfe53e18d..38074e933f67 100644 --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c | |||
| @@ -60,54 +60,36 @@ static const struct xt_table packet_filter = { | |||
| 60 | 60 | ||
| 61 | /* The work comes in here from netfilter.c. */ | 61 | /* The work comes in here from netfilter.c. */ |
| 62 | static unsigned int | 62 | static unsigned int |
| 63 | ip6t_in_hook(unsigned int hook, | 63 | ip6table_filter_hook(unsigned int hook, struct sk_buff *skb, |
| 64 | struct sk_buff *skb, | 64 | const struct net_device *in, const struct net_device *out, |
| 65 | const struct net_device *in, | 65 | int (*okfn)(struct sk_buff *)) |
| 66 | const struct net_device *out, | ||
| 67 | int (*okfn)(struct sk_buff *)) | ||
| 68 | { | 66 | { |
| 69 | return ip6t_do_table(skb, hook, in, out, | 67 | if (hook == NF_INET_LOCAL_OUT) |
| 70 | dev_net(in)->ipv6.ip6table_filter); | 68 | return ip6t_do_table(skb, hook, in, out, |
| 71 | } | 69 | dev_net(out)->ipv6.ip6table_filter); |
| 72 | |||
| 73 | static unsigned int | ||
| 74 | ip6t_local_out_hook(unsigned int hook, | ||
| 75 | struct sk_buff *skb, | ||
| 76 | const struct net_device *in, | ||
| 77 | const struct net_device *out, | ||
| 78 | int (*okfn)(struct sk_buff *)) | ||
| 79 | { | ||
| 80 | #if 0 | ||
| 81 | /* root is playing with raw sockets. */ | ||
| 82 | if (skb->len < sizeof(struct iphdr) || | ||
| 83 | ip_hdrlen(skb) < sizeof(struct iphdr)) { | ||
| 84 | if (net_ratelimit()) | ||
| 85 | printk("ip6t_hook: happy cracking.\n"); | ||
| 86 | return NF_ACCEPT; | ||
| 87 | } | ||
| 88 | #endif | ||
| 89 | 70 | ||
| 71 | /* INPUT/FORWARD: */ | ||
| 90 | return ip6t_do_table(skb, hook, in, out, | 72 | return ip6t_do_table(skb, hook, in, out, |
| 91 | dev_net(out)->ipv6.ip6table_filter); | 73 | dev_net(in)->ipv6.ip6table_filter); |
| 92 | } | 74 | } |
| 93 | 75 | ||
| 94 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 76 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { |
| 95 | { | 77 | { |
| 96 | .hook = ip6t_in_hook, | 78 | .hook = ip6table_filter_hook, |
| 97 | .owner = THIS_MODULE, | 79 | .owner = THIS_MODULE, |
| 98 | .pf = NFPROTO_IPV6, | 80 | .pf = NFPROTO_IPV6, |
| 99 | .hooknum = NF_INET_LOCAL_IN, | 81 | .hooknum = NF_INET_LOCAL_IN, |
| 100 | .priority = NF_IP6_PRI_FILTER, | 82 | .priority = NF_IP6_PRI_FILTER, |
| 101 | }, | 83 | }, |
| 102 | { | 84 | { |
| 103 | .hook = ip6t_in_hook, | 85 | .hook = ip6table_filter_hook, |
| 104 | .owner = THIS_MODULE, | 86 | .owner = THIS_MODULE, |
| 105 | .pf = NFPROTO_IPV6, | 87 | .pf = NFPROTO_IPV6, |
| 106 | .hooknum = NF_INET_FORWARD, | 88 | .hooknum = NF_INET_FORWARD, |
| 107 | .priority = NF_IP6_PRI_FILTER, | 89 | .priority = NF_IP6_PRI_FILTER, |
| 108 | }, | 90 | }, |
| 109 | { | 91 | { |
| 110 | .hook = ip6t_local_out_hook, | 92 | .hook = ip6table_filter_hook, |
| 111 | .owner = THIS_MODULE, | 93 | .owner = THIS_MODULE, |
| 112 | .pf = NFPROTO_IPV6, | 94 | .pf = NFPROTO_IPV6, |
| 113 | .hooknum = NF_INET_LOCAL_OUT, | 95 | .hooknum = NF_INET_LOCAL_OUT, |
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c index 9bc483f000e5..405ac1f76390 100644 --- a/net/ipv6/netfilter/ip6table_mangle.c +++ b/net/ipv6/netfilter/ip6table_mangle.c | |||
| @@ -64,33 +64,9 @@ static const struct xt_table packet_mangler = { | |||
| 64 | .af = NFPROTO_IPV6, | 64 | .af = NFPROTO_IPV6, |
| 65 | }; | 65 | }; |
| 66 | 66 | ||
| 67 | /* The work comes in here from netfilter.c. */ | ||
| 68 | static unsigned int | ||
| 69 | ip6t_in_hook(unsigned int hook, | ||
| 70 | struct sk_buff *skb, | ||
| 71 | const struct net_device *in, | ||
| 72 | const struct net_device *out, | ||
| 73 | int (*okfn)(struct sk_buff *)) | ||
| 74 | { | ||
| 75 | return ip6t_do_table(skb, hook, in, out, | ||
| 76 | dev_net(in)->ipv6.ip6table_mangle); | ||
| 77 | } | ||
| 78 | |||
| 79 | static unsigned int | ||
| 80 | ip6t_post_routing_hook(unsigned int hook, | ||
| 81 | struct sk_buff *skb, | ||
| 82 | const struct net_device *in, | ||
| 83 | const struct net_device *out, | ||
| 84 | int (*okfn)(struct sk_buff *)) | ||
| 85 | { | ||
| 86 | return ip6t_do_table(skb, hook, in, out, | ||
| 87 | dev_net(out)->ipv6.ip6table_mangle); | ||
| 88 | } | ||
| 89 | |||
| 90 | static unsigned int | 67 | static unsigned int |
| 91 | ip6t_local_out_hook(unsigned int hook, | 68 | ip6t_local_out_hook(unsigned int hook, |
| 92 | struct sk_buff *skb, | 69 | struct sk_buff *skb, |
| 93 | const struct net_device *in, | ||
| 94 | const struct net_device *out, | 70 | const struct net_device *out, |
| 95 | int (*okfn)(struct sk_buff *)) | 71 | int (*okfn)(struct sk_buff *)) |
| 96 | { | 72 | { |
| @@ -119,7 +95,7 @@ ip6t_local_out_hook(unsigned int hook, | |||
| 119 | /* flowlabel and prio (includes version, which shouldn't change either */ | 95 | /* flowlabel and prio (includes version, which shouldn't change either */ |
| 120 | flowlabel = *((u_int32_t *)ipv6_hdr(skb)); | 96 | flowlabel = *((u_int32_t *)ipv6_hdr(skb)); |
| 121 | 97 | ||
| 122 | ret = ip6t_do_table(skb, hook, in, out, | 98 | ret = ip6t_do_table(skb, hook, NULL, out, |
| 123 | dev_net(out)->ipv6.ip6table_mangle); | 99 | dev_net(out)->ipv6.ip6table_mangle); |
| 124 | 100 | ||
| 125 | if (ret != NF_DROP && ret != NF_STOLEN && | 101 | if (ret != NF_DROP && ret != NF_STOLEN && |
| @@ -132,37 +108,51 @@ ip6t_local_out_hook(unsigned int hook, | |||
| 132 | return ret; | 108 | return ret; |
| 133 | } | 109 | } |
| 134 | 110 | ||
| 111 | /* The work comes in here from netfilter.c. */ | ||
| 112 | static unsigned int | ||
| 113 | ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb, | ||
| 114 | const struct net_device *in, const struct net_device *out, | ||
| 115 | int (*okfn)(struct sk_buff *)) | ||
| 116 | { | ||
| 117 | if (hook == NF_INET_LOCAL_OUT) | ||
| 118 | return ip6t_local_out_hook(hook, skb, out, okfn); | ||
| 119 | |||
| 120 | /* INPUT/FORWARD */ | ||
| 121 | return ip6t_do_table(skb, hook, in, out, | ||
| 122 | dev_net(in)->ipv6.ip6table_mangle); | ||
| 123 | } | ||
| 124 | |||
| 135 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 125 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { |
| 136 | { | 126 | { |
| 137 | .hook = ip6t_in_hook, | 127 | .hook = ip6table_mangle_hook, |
| 138 | .owner = THIS_MODULE, | 128 | .owner = THIS_MODULE, |
| 139 | .pf = NFPROTO_IPV6, | 129 | .pf = NFPROTO_IPV6, |
| 140 | .hooknum = NF_INET_PRE_ROUTING, | 130 | .hooknum = NF_INET_PRE_ROUTING, |
| 141 | .priority = NF_IP6_PRI_MANGLE, | 131 | .priority = NF_IP6_PRI_MANGLE, |
| 142 | }, | 132 | }, |
| 143 | { | 133 | { |
| 144 | .hook = ip6t_in_hook, | 134 | .hook = ip6table_mangle_hook, |
| 145 | .owner = THIS_MODULE, | 135 | .owner = THIS_MODULE, |
| 146 | .pf = NFPROTO_IPV6, | 136 | .pf = NFPROTO_IPV6, |
| 147 | .hooknum = NF_INET_LOCAL_IN, | 137 | .hooknum = NF_INET_LOCAL_IN, |
| 148 | .priority = NF_IP6_PRI_MANGLE, | 138 | .priority = NF_IP6_PRI_MANGLE, |
| 149 | }, | 139 | }, |
| 150 | { | 140 | { |
| 151 | .hook = ip6t_in_hook, | 141 | .hook = ip6table_mangle_hook, |
| 152 | .owner = THIS_MODULE, | 142 | .owner = THIS_MODULE, |
| 153 | .pf = NFPROTO_IPV6, | 143 | .pf = NFPROTO_IPV6, |
| 154 | .hooknum = NF_INET_FORWARD, | 144 | .hooknum = NF_INET_FORWARD, |
| 155 | .priority = NF_IP6_PRI_MANGLE, | 145 | .priority = NF_IP6_PRI_MANGLE, |
| 156 | }, | 146 | }, |
| 157 | { | 147 | { |
| 158 | .hook = ip6t_local_out_hook, | 148 | .hook = ip6table_mangle_hook, |
| 159 | .owner = THIS_MODULE, | 149 | .owner = THIS_MODULE, |
| 160 | .pf = NFPROTO_IPV6, | 150 | .pf = NFPROTO_IPV6, |
| 161 | .hooknum = NF_INET_LOCAL_OUT, | 151 | .hooknum = NF_INET_LOCAL_OUT, |
| 162 | .priority = NF_IP6_PRI_MANGLE, | 152 | .priority = NF_IP6_PRI_MANGLE, |
| 163 | }, | 153 | }, |
| 164 | { | 154 | { |
| 165 | .hook = ip6t_post_routing_hook, | 155 | .hook = ip6table_mangle_hook, |
| 166 | .owner = THIS_MODULE, | 156 | .owner = THIS_MODULE, |
| 167 | .pf = NFPROTO_IPV6, | 157 | .pf = NFPROTO_IPV6, |
| 168 | .hooknum = NF_INET_POST_ROUTING, | 158 | .hooknum = NF_INET_POST_ROUTING, |
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index 4c90b552e433..985e27cf1e0c 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c | |||
| @@ -44,37 +44,29 @@ static const struct xt_table packet_raw = { | |||
| 44 | 44 | ||
| 45 | /* The work comes in here from netfilter.c. */ | 45 | /* The work comes in here from netfilter.c. */ |
| 46 | static unsigned int | 46 | static unsigned int |
| 47 | ip6t_pre_routing_hook(unsigned int hook, | 47 | ip6table_raw_hook(unsigned int hook, struct sk_buff *skb, |
| 48 | struct sk_buff *skb, | 48 | const struct net_device *in, const struct net_device *out, |
| 49 | const struct net_device *in, | 49 | int (*okfn)(struct sk_buff *)) |
| 50 | const struct net_device *out, | ||
| 51 | int (*okfn)(struct sk_buff *)) | ||
| 52 | { | 50 | { |
| 53 | return ip6t_do_table(skb, hook, in, out, | 51 | if (hook == NF_INET_PRE_ROUTING) |
| 54 | dev_net(in)->ipv6.ip6table_raw); | 52 | return ip6t_do_table(skb, hook, in, out, |
| 55 | } | 53 | dev_net(in)->ipv6.ip6table_raw); |
| 56 | 54 | ||
| 57 | static unsigned int | 55 | /* OUTPUT: */ |
| 58 | ip6t_local_out_hook(unsigned int hook, | ||
| 59 | struct sk_buff *skb, | ||
| 60 | const struct net_device *in, | ||
| 61 | const struct net_device *out, | ||
| 62 | int (*okfn)(struct sk_buff *)) | ||
| 63 | { | ||
| 64 | return ip6t_do_table(skb, hook, in, out, | 56 | return ip6t_do_table(skb, hook, in, out, |
| 65 | dev_net(out)->ipv6.ip6table_raw); | 57 | dev_net(out)->ipv6.ip6table_raw); |
| 66 | } | 58 | } |
| 67 | 59 | ||
| 68 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 60 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { |
| 69 | { | 61 | { |
| 70 | .hook = ip6t_pre_routing_hook, | 62 | .hook = ip6table_raw_hook, |
| 71 | .pf = NFPROTO_IPV6, | 63 | .pf = NFPROTO_IPV6, |
| 72 | .hooknum = NF_INET_PRE_ROUTING, | 64 | .hooknum = NF_INET_PRE_ROUTING, |
| 73 | .priority = NF_IP6_PRI_FIRST, | 65 | .priority = NF_IP6_PRI_FIRST, |
| 74 | .owner = THIS_MODULE, | 66 | .owner = THIS_MODULE, |
| 75 | }, | 67 | }, |
| 76 | { | 68 | { |
| 77 | .hook = ip6t_local_out_hook, | 69 | .hook = ip6table_raw_hook, |
| 78 | .pf = NFPROTO_IPV6, | 70 | .pf = NFPROTO_IPV6, |
| 79 | .hooknum = NF_INET_LOCAL_OUT, | 71 | .hooknum = NF_INET_LOCAL_OUT, |
| 80 | .priority = NF_IP6_PRI_FIRST, | 72 | .priority = NF_IP6_PRI_FIRST, |
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c index baa8d4ef3b0a..835858929358 100644 --- a/net/ipv6/netfilter/ip6table_security.c +++ b/net/ipv6/netfilter/ip6table_security.c | |||
| @@ -64,56 +64,37 @@ static const struct xt_table security_table = { | |||
| 64 | }; | 64 | }; |
| 65 | 65 | ||
| 66 | static unsigned int | 66 | static unsigned int |
| 67 | ip6t_local_in_hook(unsigned int hook, | 67 | ip6table_security_hook(unsigned int hook, struct sk_buff *skb, |
| 68 | struct sk_buff *skb, | 68 | const struct net_device *in, |
| 69 | const struct net_device *in, | 69 | const struct net_device *out, |
| 70 | const struct net_device *out, | 70 | int (*okfn)(struct sk_buff *)) |
| 71 | int (*okfn)(struct sk_buff *)) | ||
| 72 | { | 71 | { |
| 73 | return ip6t_do_table(skb, hook, in, out, | 72 | if (hook == NF_INET_LOCAL_OUT) |
| 74 | dev_net(in)->ipv6.ip6table_security); | 73 | return ip6t_do_table(skb, hook, in, out, |
| 75 | } | 74 | dev_net(out)->ipv6.ip6table_security); |
| 76 | 75 | ||
| 77 | static unsigned int | 76 | /* INPUT/FORWARD: */ |
| 78 | ip6t_forward_hook(unsigned int hook, | ||
| 79 | struct sk_buff *skb, | ||
| 80 | const struct net_device *in, | ||
| 81 | const struct net_device *out, | ||
| 82 | int (*okfn)(struct sk_buff *)) | ||
| 83 | { | ||
| 84 | return ip6t_do_table(skb, hook, in, out, | 77 | return ip6t_do_table(skb, hook, in, out, |
| 85 | dev_net(in)->ipv6.ip6table_security); | 78 | dev_net(in)->ipv6.ip6table_security); |
| 86 | } | 79 | } |
| 87 | 80 | ||
| 88 | static unsigned int | ||
| 89 | ip6t_local_out_hook(unsigned int hook, | ||
| 90 | struct sk_buff *skb, | ||
| 91 | const struct net_device *in, | ||
| 92 | const struct net_device *out, | ||
| 93 | int (*okfn)(struct sk_buff *)) | ||
| 94 | { | ||
| 95 | /* TBD: handle short packets via raw socket */ | ||
| 96 | return ip6t_do_table(skb, hook, in, out, | ||
| 97 | dev_net(out)->ipv6.ip6table_security); | ||
| 98 | } | ||
| 99 | |||
| 100 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 81 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { |
| 101 | { | 82 | { |
| 102 | .hook = ip6t_local_in_hook, | 83 | .hook = ip6table_security_hook, |
| 103 | .owner = THIS_MODULE, | 84 | .owner = THIS_MODULE, |
| 104 | .pf = NFPROTO_IPV6, | 85 | .pf = NFPROTO_IPV6, |
| 105 | .hooknum = NF_INET_LOCAL_IN, | 86 | .hooknum = NF_INET_LOCAL_IN, |
| 106 | .priority = NF_IP6_PRI_SECURITY, | 87 | .priority = NF_IP6_PRI_SECURITY, |
| 107 | }, | 88 | }, |
| 108 | { | 89 | { |
| 109 | .hook = ip6t_forward_hook, | 90 | .hook = ip6table_security_hook, |
| 110 | .owner = THIS_MODULE, | 91 | .owner = THIS_MODULE, |
| 111 | .pf = NFPROTO_IPV6, | 92 | .pf = NFPROTO_IPV6, |
| 112 | .hooknum = NF_INET_FORWARD, | 93 | .hooknum = NF_INET_FORWARD, |
| 113 | .priority = NF_IP6_PRI_SECURITY, | 94 | .priority = NF_IP6_PRI_SECURITY, |
| 114 | }, | 95 | }, |
| 115 | { | 96 | { |
| 116 | .hook = ip6t_local_out_hook, | 97 | .hook = ip6table_security_hook, |
| 117 | .owner = THIS_MODULE, | 98 | .owner = THIS_MODULE, |
| 118 | .pf = NFPROTO_IPV6, | 99 | .pf = NFPROTO_IPV6, |
| 119 | .hooknum = NF_INET_LOCAL_OUT, | 100 | .hooknum = NF_INET_LOCAL_OUT, |