netfilter: xtables: generate initial table on-demand

The static initial tables are pretty large, and after the net namespace has been instantiated, they just hang around for nothing. This commit removes them and creates tables on-demand at runtime when needed. Size shrinks by 7735 bytes (x86_64). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
author: Jan Engelhardt <jengelh@medozas.de> 2009-06-17 16:14:54 -0400
committer: Jan Engelhardt <jengelh@medozas.de> 2010-02-10 11:50:47 -0500
commit: e3eaa9910b380530cfd2c0670fcd3f627674da8a (patch)
tree: 309e522e78f78149ec3cb99ffc386d1b72415a96 /net/ipv6
parent: 2b95efe7f6bb750256a702cc32d33b0cb2cd8223 (diff)
5 files changed, 39 insertions, 134 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 4332f4591482..dcd7825fe7b6 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -29,6 +29,7 @@
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter/x_tables.h>
 #include <net/netfilter/nf_log.h>
+#include "../../netfilter/xt_repldata.h"
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
@@ -67,6 +68,12 @@ do {								\
 #define inline
 #endif
+void *ip6t_alloc_initial_table(const struct xt_table *info)
+{
+        return xt_alloc_initial_table(ip6t, IP6T);
+}
+EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
 /*
   We keep a set of rules for each CPU, so we can avoid write-locking
   them in the softirq when updating the counters and therefore
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 6e95d0614ca9..36b72cafc227 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -21,36 +21,6 @@ MODULE_DESCRIPTION("ip6tables filter table");
                            (1 << NF_INET_FORWARD) | \
                            (1 << NF_INET_LOCAL_OUT))
-static struct
-{
-        struct ip6t_replace repl;
-        struct ip6t_standard entries[3];
-        struct ip6t_error term;
-} initial_table __net_initdata = {
-        .repl = {
-                .name = "filter",
-                .valid_hooks = FILTER_VALID_HOOKS,
-                .num_entries = 4,
-                .size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error),
-                .hook_entry = {
-                        [NF_INET_LOCAL_IN] = 0,
-                        [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
-                        [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
-                },
-                .underflow = {
-                        [NF_INET_LOCAL_IN] = 0,
-                        [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
-                        [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
-                },
-        },
-        .entries = {
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* LOCAL_IN */
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* FORWARD */
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* LOCAL_OUT */
-        },
-        .term = IP6T_ERROR_INIT,                /* ERROR */
-};
 static const struct xt_table packet_filter = {
        .name           = "filter",
        .valid_hooks    = FILTER_VALID_HOOKS,
@@ -78,9 +48,18 @@ module_param(forward, bool, 0000);
 static int __net_init ip6table_filter_net_init(struct net *net)
 {
-        /* Register table */
+        struct ip6t_replace *repl;
+        repl = ip6t_alloc_initial_table(&packet_filter);
+        if (repl == NULL)
+                return -ENOMEM;
+        /* Entry 1 is the FORWARD hook */
+        ((struct ip6t_standard *)repl->entries)[1].target.verdict =
+                -forward - 1;
        net->ipv6.ip6table_filter =
-                ip6t_register_table(net, &packet_filter, &initial_table.repl);
+                ip6t_register_table(net, &packet_filter, repl);
+        kfree(repl);
        if (IS_ERR(net->ipv6.ip6table_filter))
                return PTR_ERR(net->ipv6.ip6table_filter);
        return 0;
@@ -105,9 +84,6 @@ static int __init ip6table_filter_init(void)
                return -EINVAL;
        }
-        /* Entry 1 is the FORWARD hook */
-        initial_table.entries[1].target.verdict = -forward - 1;
        ret = register_pernet_subsys(&ip6table_filter_net_ops);
        if (ret < 0)
                return ret;
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 5023ac52ffec..dc803b7e8e54 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -21,42 +21,6 @@ MODULE_DESCRIPTION("ip6tables mangle table");
                            (1 << NF_INET_LOCAL_OUT) | \
                            (1 << NF_INET_POST_ROUTING))
-static const struct
-{
-        struct ip6t_replace repl;
-        struct ip6t_standard entries[5];
-        struct ip6t_error term;
-} initial_table __net_initdata = {
-        .repl = {
-                .name = "mangle",
-                .valid_hooks = MANGLE_VALID_HOOKS,
-                .num_entries = 6,
-                .size = sizeof(struct ip6t_standard) * 5 + sizeof(struct ip6t_error),
-                .hook_entry = {
-                        [NF_INET_PRE_ROUTING]   = 0,
-                        [NF_INET_LOCAL_IN]      = sizeof(struct ip6t_standard),
-                        [NF_INET_FORWARD]       = sizeof(struct ip6t_standard) * 2,
-                        [NF_INET_LOCAL_OUT]     = sizeof(struct ip6t_standard) * 3,
-                        [NF_INET_POST_ROUTING]  = sizeof(struct ip6t_standard) * 4,
-                },
-                .underflow = {
-                        [NF_INET_PRE_ROUTING]   = 0,
-                        [NF_INET_LOCAL_IN]      = sizeof(struct ip6t_standard),
-                        [NF_INET_FORWARD]       = sizeof(struct ip6t_standard) * 2,
-                        [NF_INET_LOCAL_OUT]     = sizeof(struct ip6t_standard) * 3,
-                        [NF_INET_POST_ROUTING]  = sizeof(struct ip6t_standard) * 4,
-                },
-        },
-        .entries = {
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* PRE_ROUTING */
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* LOCAL_IN */
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* FORWARD */
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* LOCAL_OUT */
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* POST_ROUTING */
-        },
-        .term = IP6T_ERROR_INIT,                /* ERROR */
-};
 static const struct xt_table packet_mangler = {
        .name           = "mangle",
        .valid_hooks    = MANGLE_VALID_HOOKS,
@@ -126,9 +90,14 @@ ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb,
 static struct nf_hook_ops *mangle_ops __read_mostly;
 static int __net_init ip6table_mangle_net_init(struct net *net)
 {
-        /* Register table */
+        struct ip6t_replace *repl;
+        repl = ip6t_alloc_initial_table(&packet_mangler);
+        if (repl == NULL)
+                return -ENOMEM;
        net->ipv6.ip6table_mangle =
-                ip6t_register_table(net, &packet_mangler, &initial_table.repl);
+                ip6t_register_table(net, &packet_mangler, repl);
+        kfree(repl);
        if (IS_ERR(net->ipv6.ip6table_mangle))
                return PTR_ERR(net->ipv6.ip6table_mangle);
        return 0;
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 3bfa69511641..aef31a29de9e 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -8,33 +8,6 @@
 #define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
-static const struct
-{
-        struct ip6t_replace repl;
-        struct ip6t_standard entries[2];
-        struct ip6t_error term;
-} initial_table __net_initdata = {
-        .repl = {
-                .name = "raw",
-                .valid_hooks = RAW_VALID_HOOKS,
-                .num_entries = 3,
-                .size = sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error),
-                .hook_entry = {
-                        [NF_INET_PRE_ROUTING] = 0,
-                        [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
-                },
-                .underflow = {
-                        [NF_INET_PRE_ROUTING] = 0,
-                        [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
-                },
-        },
-        .entries = {
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* PRE_ROUTING */
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* LOCAL_OUT */
-        },
-        .term = IP6T_ERROR_INIT,                /* ERROR */
-};
 static const struct xt_table packet_raw = {
        .name = "raw",
        .valid_hooks = RAW_VALID_HOOKS,
@@ -58,9 +31,14 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
 static int __net_init ip6table_raw_net_init(struct net *net)
 {
-        /* Register table */
+        struct ip6t_replace *repl;
+        repl = ip6t_alloc_initial_table(&packet_raw);
+        if (repl == NULL)
+                return -ENOMEM;
        net->ipv6.ip6table_raw =
-                ip6t_register_table(net, &packet_raw, &initial_table.repl);
+                ip6t_register_table(net, &packet_raw, repl);
+        kfree(repl);
        if (IS_ERR(net->ipv6.ip6table_raw))
                return PTR_ERR(net->ipv6.ip6table_raw);
        return 0;
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index dd2200f17a6c..0824d865aa9b 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -26,36 +26,6 @@ MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
                                (1 << NF_INET_FORWARD) | \
                                (1 << NF_INET_LOCAL_OUT)
-static const struct
-{
-        struct ip6t_replace repl;
-        struct ip6t_standard entries[3];
-        struct ip6t_error term;
-} initial_table __net_initdata = {
-        .repl = {
-                .name = "security",
-                .valid_hooks = SECURITY_VALID_HOOKS,
-                .num_entries = 4,
-                .size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error),
-                .hook_entry = {
-                        [NF_INET_LOCAL_IN]      = 0,
-                        [NF_INET_FORWARD]       = sizeof(struct ip6t_standard),
-                        [NF_INET_LOCAL_OUT]     = sizeof(struct ip6t_standard) * 2,
-                },
-                .underflow = {
-                        [NF_INET_LOCAL_IN]      = 0,
-                        [NF_INET_FORWARD]       = sizeof(struct ip6t_standard),
-                        [NF_INET_LOCAL_OUT]     = sizeof(struct ip6t_standard) * 2,
-                },
-        },
-        .entries = {
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* LOCAL_IN */
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* FORWARD */
-                IP6T_STANDARD_INIT(NF_ACCEPT),  /* LOCAL_OUT */
-        },
-        .term = IP6T_ERROR_INIT,                /* ERROR */
-};
 static const struct xt_table security_table = {
        .name           = "security",
        .valid_hooks    = SECURITY_VALID_HOOKS,
@@ -79,9 +49,14 @@ static struct nf_hook_ops *sectbl_ops __read_mostly;
 static int __net_init ip6table_security_net_init(struct net *net)
 {
-        net->ipv6.ip6table_security =
+        struct ip6t_replace *repl;
-                ip6t_register_table(net, &security_table, &initial_table.repl);
+        repl = ip6t_alloc_initial_table(&security_table);
+        if (repl == NULL)
+                return -ENOMEM;
+        net->ipv6.ip6table_security =
+                ip6t_register_table(net, &security_table, repl);
+        kfree(repl);
        if (IS_ERR(net->ipv6.ip6table_security))
                return PTR_ERR(net->ipv6.ip6table_security);
author	Jan Engelhardt <jengelh@medozas.de>	2009-06-17 16:14:54 -0400
committer	Jan Engelhardt <jengelh@medozas.de>	2010-02-10 11:50:47 -0500
commit	e3eaa9910b380530cfd2c0670fcd3f627674da8a (patch)
tree	309e522e78f78149ec3cb99ffc386d1b72415a96 /net/ipv6
parent	2b95efe7f6bb750256a702cc32d33b0cb2cd8223 (diff)

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 4332f4591482..dcd7825fe7b6 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c
@@ -29,6 +29,7 @@
29	#include <linux/netfilter_ipv6/ip6_tables.h>	29	#include <linux/netfilter_ipv6/ip6_tables.h>
30	#include <linux/netfilter/x_tables.h>	30	#include <linux/netfilter/x_tables.h>
31	#include <net/netfilter/nf_log.h>	31	#include <net/netfilter/nf_log.h>
		32	#include "../../netfilter/xt_repldata.h"
32		33
33	MODULE_LICENSE("GPL");	34	MODULE_LICENSE("GPL");
34	MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");	35	MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
@@ -67,6 +68,12 @@ do { \
67	#define inline	68	#define inline
68	#endif	69	#endif
69		70
		71	void ip6t_alloc_initial_table(const struct xt_table info)
		72	{
		73	return xt_alloc_initial_table(ip6t, IP6T);
		74	}
		75	EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
		76
70	/*	77	/*
71	We keep a set of rules for each CPU, so we can avoid write-locking	78	We keep a set of rules for each CPU, so we can avoid write-locking
72	them in the softirq when updating the counters and therefore	79	them in the softirq when updating the counters and therefore


diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c index 6e95d0614ca9..36b72cafc227 100644 --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -21,36 +21,6 @@ MODULE_DESCRIPTION("ip6tables filter table");
21	(1 << NF_INET_FORWARD) \| \	21	(1 << NF_INET_FORWARD) \| \
22	(1 << NF_INET_LOCAL_OUT))	22	(1 << NF_INET_LOCAL_OUT))
23		23
24	static struct
25	{
26	struct ip6t_replace repl;
27	struct ip6t_standard entries[3];
28	struct ip6t_error term;
29	} initial_table __net_initdata = {
30	.repl = {
31	.name = "filter",
32	.valid_hooks = FILTER_VALID_HOOKS,
33	.num_entries = 4,
34	.size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error),
35	.hook_entry = {
36	[NF_INET_LOCAL_IN] = 0,
37	[NF_INET_FORWARD] = sizeof(struct ip6t_standard),
38	[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
39	},
40	.underflow = {
41	[NF_INET_LOCAL_IN] = 0,
42	[NF_INET_FORWARD] = sizeof(struct ip6t_standard),
43	[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2
44	},
45	},
46	.entries = {
47	IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
48	IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
49	IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
50	},
51	.term = IP6T_ERROR_INIT, /* ERROR */
52	};
53
54	static const struct xt_table packet_filter = {	24	static const struct xt_table packet_filter = {
55	.name = "filter",	25	.name = "filter",
56	.valid_hooks = FILTER_VALID_HOOKS,	26	.valid_hooks = FILTER_VALID_HOOKS,
@@ -78,9 +48,18 @@ module_param(forward, bool, 0000);
78		48
79	static int __net_init ip6table_filter_net_init(struct net *net)	49	static int __net_init ip6table_filter_net_init(struct net *net)
80	{	50	{
81	/* Register table */	51	struct ip6t_replace *repl;
		52
		53	repl = ip6t_alloc_initial_table(&packet_filter);
		54	if (repl == NULL)
		55	return -ENOMEM;
		56	/* Entry 1 is the FORWARD hook */
		57	((struct ip6t_standard *)repl->entries)[1].target.verdict =
		58	-forward - 1;
		59
82	net->ipv6.ip6table_filter =	60	net->ipv6.ip6table_filter =
83	ip6t_register_table(net, &packet_filter, &initial_table.repl);	61	ip6t_register_table(net, &packet_filter, repl);
		62	kfree(repl);
84	if (IS_ERR(net->ipv6.ip6table_filter))	63	if (IS_ERR(net->ipv6.ip6table_filter))
85	return PTR_ERR(net->ipv6.ip6table_filter);	64	return PTR_ERR(net->ipv6.ip6table_filter);
86	return 0;	65	return 0;
@@ -105,9 +84,6 @@ static int __init ip6table_filter_init(void)
105	return -EINVAL;	84	return -EINVAL;
106	}	85	}
107		86
108	/* Entry 1 is the FORWARD hook */
109	initial_table.entries[1].target.verdict = -forward - 1;
110
111	ret = register_pernet_subsys(&ip6table_filter_net_ops);	87	ret = register_pernet_subsys(&ip6table_filter_net_ops);
112	if (ret < 0)	88	if (ret < 0)
113	return ret;	89	return ret;


diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c index 5023ac52ffec..dc803b7e8e54 100644 --- a/net/ipv6/netfilter/ip6table_mangle.c +++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -21,42 +21,6 @@ MODULE_DESCRIPTION("ip6tables mangle table");
21	(1 << NF_INET_LOCAL_OUT) \| \	21	(1 << NF_INET_LOCAL_OUT) \| \
22	(1 << NF_INET_POST_ROUTING))	22	(1 << NF_INET_POST_ROUTING))
23		23
24	static const struct
25	{
26	struct ip6t_replace repl;
27	struct ip6t_standard entries[5];
28	struct ip6t_error term;
29	} initial_table __net_initdata = {
30	.repl = {
31	.name = "mangle",
32	.valid_hooks = MANGLE_VALID_HOOKS,
33	.num_entries = 6,
34	.size = sizeof(struct ip6t_standard) * 5 + sizeof(struct ip6t_error),
35	.hook_entry = {
36	[NF_INET_PRE_ROUTING] = 0,
37	[NF_INET_LOCAL_IN] = sizeof(struct ip6t_standard),
38	[NF_INET_FORWARD] = sizeof(struct ip6t_standard) * 2,
39	[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,
40	[NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,
41	},
42	.underflow = {
43	[NF_INET_PRE_ROUTING] = 0,
44	[NF_INET_LOCAL_IN] = sizeof(struct ip6t_standard),
45	[NF_INET_FORWARD] = sizeof(struct ip6t_standard) * 2,
46	[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3,
47	[NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 4,
48	},
49	},
50	.entries = {
51	IP6T_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
52	IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
53	IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
54	IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
55	IP6T_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
56	},
57	.term = IP6T_ERROR_INIT, /* ERROR */
58	};
59
60	static const struct xt_table packet_mangler = {	24	static const struct xt_table packet_mangler = {
61	.name = "mangle",	25	.name = "mangle",
62	.valid_hooks = MANGLE_VALID_HOOKS,	26	.valid_hooks = MANGLE_VALID_HOOKS,
@@ -126,9 +90,14 @@ ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb,
126	static struct nf_hook_ops *mangle_ops __read_mostly;	90	static struct nf_hook_ops *mangle_ops __read_mostly;
127	static int __net_init ip6table_mangle_net_init(struct net *net)	91	static int __net_init ip6table_mangle_net_init(struct net *net)
128	{	92	{
129	/* Register table */	93	struct ip6t_replace *repl;
		94
		95	repl = ip6t_alloc_initial_table(&packet_mangler);
		96	if (repl == NULL)
		97	return -ENOMEM;
130	net->ipv6.ip6table_mangle =	98	net->ipv6.ip6table_mangle =
131	ip6t_register_table(net, &packet_mangler, &initial_table.repl);	99	ip6t_register_table(net, &packet_mangler, repl);
		100	kfree(repl);
132	if (IS_ERR(net->ipv6.ip6table_mangle))	101	if (IS_ERR(net->ipv6.ip6table_mangle))
133	return PTR_ERR(net->ipv6.ip6table_mangle);	102	return PTR_ERR(net->ipv6.ip6table_mangle);
134	return 0;	103	return 0;


diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index 3bfa69511641..aef31a29de9e 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -8,33 +8,6 @@
8		8
9	#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) \| (1 << NF_INET_LOCAL_OUT))	9	#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) \| (1 << NF_INET_LOCAL_OUT))
10		10
11	static const struct
12	{
13	struct ip6t_replace repl;
14	struct ip6t_standard entries[2];
15	struct ip6t_error term;
16	} initial_table __net_initdata = {
17	.repl = {
18	.name = "raw",
19	.valid_hooks = RAW_VALID_HOOKS,
20	.num_entries = 3,
21	.size = sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error),
22	.hook_entry = {
23	[NF_INET_PRE_ROUTING] = 0,
24	[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
25	},
26	.underflow = {
27	[NF_INET_PRE_ROUTING] = 0,
28	[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
29	},
30	},
31	.entries = {
32	IP6T_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
33	IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
34	},
35	.term = IP6T_ERROR_INIT, /* ERROR */
36	};
37
38	static const struct xt_table packet_raw = {	11	static const struct xt_table packet_raw = {
39	.name = "raw",	12	.name = "raw",
40	.valid_hooks = RAW_VALID_HOOKS,	13	.valid_hooks = RAW_VALID_HOOKS,
@@ -58,9 +31,14 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
58		31
59	static int __net_init ip6table_raw_net_init(struct net *net)	32	static int __net_init ip6table_raw_net_init(struct net *net)
60	{	33	{
61	/* Register table */	34	struct ip6t_replace *repl;
		35
		36	repl = ip6t_alloc_initial_table(&packet_raw);
		37	if (repl == NULL)
		38	return -ENOMEM;
62	net->ipv6.ip6table_raw =	39	net->ipv6.ip6table_raw =
63	ip6t_register_table(net, &packet_raw, &initial_table.repl);	40	ip6t_register_table(net, &packet_raw, repl);
		41	kfree(repl);
64	if (IS_ERR(net->ipv6.ip6table_raw))	42	if (IS_ERR(net->ipv6.ip6table_raw))
65	return PTR_ERR(net->ipv6.ip6table_raw);	43	return PTR_ERR(net->ipv6.ip6table_raw);
66	return 0;	44	return 0;


diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c index dd2200f17a6c..0824d865aa9b 100644 --- a/net/ipv6/netfilter/ip6table_security.c +++ b/net/ipv6/netfilter/ip6table_security.c
@@ -26,36 +26,6 @@ MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
26	(1 << NF_INET_FORWARD) \| \	26	(1 << NF_INET_FORWARD) \| \
27	(1 << NF_INET_LOCAL_OUT)	27	(1 << NF_INET_LOCAL_OUT)
28		28
29	static const struct
30	{
31	struct ip6t_replace repl;
32	struct ip6t_standard entries[3];
33	struct ip6t_error term;
34	} initial_table __net_initdata = {
35	.repl = {
36	.name = "security",
37	.valid_hooks = SECURITY_VALID_HOOKS,
38	.num_entries = 4,
39	.size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error),
40	.hook_entry = {
41	[NF_INET_LOCAL_IN] = 0,
42	[NF_INET_FORWARD] = sizeof(struct ip6t_standard),
43	[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2,
44	},
45	.underflow = {
46	[NF_INET_LOCAL_IN] = 0,
47	[NF_INET_FORWARD] = sizeof(struct ip6t_standard),
48	[NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2,
49	},
50	},
51	.entries = {
52	IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
53	IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
54	IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
55	},
56	.term = IP6T_ERROR_INIT, /* ERROR */
57	};
58
59	static const struct xt_table security_table = {	29	static const struct xt_table security_table = {
60	.name = "security",	30	.name = "security",
61	.valid_hooks = SECURITY_VALID_HOOKS,	31	.valid_hooks = SECURITY_VALID_HOOKS,
@@ -79,9 +49,14 @@ static struct nf_hook_ops *sectbl_ops __read_mostly;
79		49
80	static int __net_init ip6table_security_net_init(struct net *net)	50	static int __net_init ip6table_security_net_init(struct net *net)
81	{	51	{
82	net->ipv6.ip6table_security =	52	struct ip6t_replace *repl;
83	ip6t_register_table(net, &security_table, &initial_table.repl);
84		53
		54	repl = ip6t_alloc_initial_table(&security_table);
		55	if (repl == NULL)
		56	return -ENOMEM;
		57	net->ipv6.ip6table_security =
		58	ip6t_register_table(net, &security_table, repl);
		59	kfree(repl);
85	if (IS_ERR(net->ipv6.ip6table_security))	60	if (IS_ERR(net->ipv6.ip6table_security))
86	return PTR_ERR(net->ipv6.ip6table_security);	61	return PTR_ERR(net->ipv6.ip6table_security);
87		62