authorDavid S. Miller <davem@davemloft.net>2015-04-03 20:32:56 -0400
committerDavid S. Miller <davem@davemloft.net>2015-04-04 12:31:38 -0400
commit238e54c9cb9385a1ba99e92801f3615a2fb398b6 (patch)
tree4efeb9b5c92f87028a6d321c7088b9d1e270360a /net/ipv6
parent1d1de89b9a4746f1dd055a3b8d073dd2f962a3b6 (diff)
netfilter: Make nf_hookfn use nf_hook_state.
Pass the nf_hook_state all the way down into the hook functions themselves. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/netfilter/ip6t_SYNPROXY.c6
-rw-r--r--net/ipv6/netfilter/ip6table_filter.c7
-rw-r--r--net/ipv6/netfilter/ip6table_mangle.c13
-rw-r--r--net/ipv6/netfilter/ip6table_nat.c28
-rw-r--r--net/ipv6/netfilter/ip6table_raw.c7
-rw-r--r--net/ipv6/netfilter/ip6table_security.c8
-rw-r--r--net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c20
-rw-r--r--net/ipv6/netfilter/nf_defrag_ipv6_hooks.c8
-rw-r--r--net/ipv6/netfilter/nf_tables_ipv6.c12
-rw-r--r--net/ipv6/netfilter/nft_chain_nat_ipv6.c24
-rw-r--r--net/ipv6/netfilter/nft_chain_route_ipv6.c6
11 files changed, 52 insertions, 87 deletions
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index a0d17270117c..6edb7b106de7 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -315,11 +315,9 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
315 315
316static unsigned int ipv6_synproxy_hook(const struct nf_hook_ops *ops, 316static unsigned int ipv6_synproxy_hook(const struct nf_hook_ops *ops,
317 struct sk_buff *skb, 317 struct sk_buff *skb,
318 const struct net_device *in, 318 const struct nf_hook_state *nhs)
319 const struct net_device *out,
320 int (*okfn)(struct sk_buff *))
321{ 319{
322 struct synproxy_net *snet = synproxy_pernet(dev_net(in ? : out)); 320 struct synproxy_net *snet = synproxy_pernet(dev_net(nhs->in ? : nhs->out));
323 enum ip_conntrack_info ctinfo; 321 enum ip_conntrack_info ctinfo;
324 struct nf_conn *ct; 322 struct nf_conn *ct;
325 struct nf_conn_synproxy *synproxy; 323 struct nf_conn_synproxy *synproxy;
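Review bot: The new parameter of ipv6_synproxy_hook is named `nhs`, while every other hook converted in this commit names it `state`; writing `const struct nf_hook_state *state` and `dev_net(state->in ? : state->out)` here would let the whole family of hooks be grepped and audited with one pattern. The same line keeps the GNU `?:` shorthand where ip6table_filter.c, ip6table_raw.c and ip6table_security.c spell out `state->in ? state->in : state->out`; either form works, but a single form across the directory is easier to review. The body of ipv6_synproxy_hook continues past the end of this hunk, so later uses of the device pointers are not visible here.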
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index ca7f6c128086..eb9ef093454f 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -33,12 +33,11 @@ static const struct xt_table packet_filter = {
33/* The work comes in here from netfilter.c. */ 33/* The work comes in here from netfilter.c. */
34static unsigned int 34static unsigned int
35ip6table_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 35ip6table_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
36 const struct net_device *in, const struct net_device *out, 36 const struct nf_hook_state *state)
37 int (*okfn)(struct sk_buff *))
38{ 37{
39 const struct net *net = dev_net((in != NULL) ? in : out); 38 const struct net *net = dev_net(state->in ? state->in : state->out);
40 39
41 return ip6t_do_table(skb, ops->hooknum, in, out, 40 return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
42 net->ipv6.ip6table_filter); 41 net->ipv6.ip6table_filter);
43} 42}
44 43
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 307bbb782d14..e713b8d3dbbc 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -77,17 +77,16 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
77/* The work comes in here from netfilter.c. */ 77/* The work comes in here from netfilter.c. */
78static unsigned int 78static unsigned int
79ip6table_mangle_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 79ip6table_mangle_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
80 const struct net_device *in, const struct net_device *out, 80 const struct nf_hook_state *state)
81 int (*okfn)(struct sk_buff *))
82{ 81{
83 if (ops->hooknum == NF_INET_LOCAL_OUT) 82 if (ops->hooknum == NF_INET_LOCAL_OUT)
84 return ip6t_mangle_out(skb, out); 83 return ip6t_mangle_out(skb, state->out);
85 if (ops->hooknum == NF_INET_POST_ROUTING) 84 if (ops->hooknum == NF_INET_POST_ROUTING)
86 return ip6t_do_table(skb, ops->hooknum, in, out, 85 return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
87 dev_net(out)->ipv6.ip6table_mangle); 86 dev_net(state->out)->ipv6.ip6table_mangle);
88 /* INPUT/FORWARD */ 87 /* INPUT/FORWARD */
89 return ip6t_do_table(skb, ops->hooknum, in, out, 88 return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
90 dev_net(in)->ipv6.ip6table_mangle); 89 dev_net(state->in)->ipv6.ip6table_mangle);
91} 90}
92 91
93static struct nf_hook_ops *mangle_ops __read_mostly; 92static struct nf_hook_ops *mangle_ops __read_mostly;
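Review bot: ip6table_mangle_hook passes `state->out` and `state->in` straight into dev_net() with no NULL test, unlike the filter, raw and security hooks in this commit, which pick whichever of the two pointers is set. That is safe only while the hook number guarantees the device, presumably an output device on POST_ROUTING and an input device on the remaining branch; the old in/out parameters relied on the same assumption, but it is stated nowhere. I would add a comment above the two branches, for example `/* POST_ROUTING always has state->out; the remaining hooks always have state->in */`, so that a later change to the registered hooks does not turn into a NULL dereference in the packet path.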
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index b0634ac996b7..e32b0d0315e6 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -43,38 +43,34 @@ static unsigned int ip6table_nat_do_chain(const struct nf_hook_ops *ops,
43 43
44static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops, 44static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops,
45 struct sk_buff *skb, 45 struct sk_buff *skb,
46 const struct net_device *in, 46 const struct nf_hook_state *state)
47 const struct net_device *out,
48 int (*okfn)(struct sk_buff *))
49{ 47{
50 return nf_nat_ipv6_fn(ops, skb, in, out, ip6table_nat_do_chain); 48 return nf_nat_ipv6_fn(ops, skb, state->in, state->out,
49 ip6table_nat_do_chain);
51} 50}
52 51
53static unsigned int ip6table_nat_in(const struct nf_hook_ops *ops, 52static unsigned int ip6table_nat_in(const struct nf_hook_ops *ops,
54 struct sk_buff *skb, 53 struct sk_buff *skb,
55 const struct net_device *in, 54 const struct nf_hook_state *state)
56 const struct net_device *out,
57 int (*okfn)(struct sk_buff *))
58{ 55{
59 return nf_nat_ipv6_in(ops, skb, in, out, ip6table_nat_do_chain); 56 return nf_nat_ipv6_in(ops, skb, state->in, state->out,
57 ip6table_nat_do_chain);
60} 58}
61 59
62static unsigned int ip6table_nat_out(const struct nf_hook_ops *ops, 60static unsigned int ip6table_nat_out(const struct nf_hook_ops *ops,
63 struct sk_buff *skb, 61 struct sk_buff *skb,
64 const struct net_device *in, 62 const struct nf_hook_state *state)
65 const struct net_device *out,
66 int (*okfn)(struct sk_buff *))
67{ 63{
68 return nf_nat_ipv6_out(ops, skb, in, out, ip6table_nat_do_chain); 64 return nf_nat_ipv6_out(ops, skb, state->in, state->out,
65 ip6table_nat_do_chain);
69} 66}
70 67
71static unsigned int ip6table_nat_local_fn(const struct nf_hook_ops *ops, 68static unsigned int ip6table_nat_local_fn(const struct nf_hook_ops *ops,
72 struct sk_buff *skb, 69 struct sk_buff *skb,
73 const struct net_device *in, 70 const struct nf_hook_state *state)
74 const struct net_device *out,
75 int (*okfn)(struct sk_buff *))
76{ 71{
77 return nf_nat_ipv6_local_fn(ops, skb, in, out, ip6table_nat_do_chain); 72 return nf_nat_ipv6_local_fn(ops, skb, state->in, state->out,
73 ip6table_nat_do_chain);
78} 74}
79 75
80static struct nf_hook_ops nf_nat_ipv6_ops[] __read_mostly = { 76static struct nf_hook_ops nf_nat_ipv6_ops[] __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 5274740acecc..937908e25862 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -20,12 +20,11 @@ static const struct xt_table packet_raw = {
20/* The work comes in here from netfilter.c. */ 20/* The work comes in here from netfilter.c. */
21static unsigned int 21static unsigned int
22ip6table_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 22ip6table_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
23 const struct net_device *in, const struct net_device *out, 23 const struct nf_hook_state *state)
24 int (*okfn)(struct sk_buff *))
25{ 24{
26 const struct net *net = dev_net((in != NULL) ? in : out); 25 const struct net *net = dev_net(state->in ? state->in : state->out);
27 26
28 return ip6t_do_table(skb, ops->hooknum, in, out, 27 return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
29 net->ipv6.ip6table_raw); 28 net->ipv6.ip6table_raw);
30} 29}
31 30
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index ab3b0219ecfa..f33b41e8e294 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -37,13 +37,11 @@ static const struct xt_table security_table = {
37 37
38static unsigned int 38static unsigned int
39ip6table_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 39ip6table_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
40 const struct net_device *in, 40 const struct nf_hook_state *state)
41 const struct net_device *out,
42 int (*okfn)(struct sk_buff *))
43{ 41{
44 const struct net *net = dev_net((in != NULL) ? in : out); 42 const struct net *net = dev_net(state->in ? state->in : state->out);
45 43
46 return ip6t_do_table(skb, ops->hooknum, in, out, 44 return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
47 net->ipv6.ip6table_security); 45 net->ipv6.ip6table_security);
48} 46}
49 47
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index fba91c6fc7ca..4ba0c34c627b 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -97,9 +97,7 @@ static int ipv6_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
97 97
98static unsigned int ipv6_helper(const struct nf_hook_ops *ops, 98static unsigned int ipv6_helper(const struct nf_hook_ops *ops,
99 struct sk_buff *skb, 99 struct sk_buff *skb,
100 const struct net_device *in, 100 const struct nf_hook_state *state)
101 const struct net_device *out,
102 int (*okfn)(struct sk_buff *))
103{ 101{
104 struct nf_conn *ct; 102 struct nf_conn *ct;
105 const struct nf_conn_help *help; 103 const struct nf_conn_help *help;
@@ -135,9 +133,7 @@ static unsigned int ipv6_helper(const struct nf_hook_ops *ops,
135 133
136static unsigned int ipv6_confirm(const struct nf_hook_ops *ops, 134static unsigned int ipv6_confirm(const struct nf_hook_ops *ops,
137 struct sk_buff *skb, 135 struct sk_buff *skb,
138 const struct net_device *in, 136 const struct nf_hook_state *state)
139 const struct net_device *out,
140 int (*okfn)(struct sk_buff *))
141{ 137{
142 struct nf_conn *ct; 138 struct nf_conn *ct;
143 enum ip_conntrack_info ctinfo; 139 enum ip_conntrack_info ctinfo;
@@ -171,25 +167,21 @@ out:
171 167
172static unsigned int ipv6_conntrack_in(const struct nf_hook_ops *ops, 168static unsigned int ipv6_conntrack_in(const struct nf_hook_ops *ops,
173 struct sk_buff *skb, 169 struct sk_buff *skb,
174 const struct net_device *in, 170 const struct nf_hook_state *state)
175 const struct net_device *out,
176 int (*okfn)(struct sk_buff *))
177{ 171{
178 return nf_conntrack_in(dev_net(in), PF_INET6, ops->hooknum, skb); 172 return nf_conntrack_in(dev_net(state->in), PF_INET6, ops->hooknum, skb);
179} 173}
180 174
181static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops, 175static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,
182 struct sk_buff *skb, 176 struct sk_buff *skb,
183 const struct net_device *in, 177 const struct nf_hook_state *state)
184 const struct net_device *out,
185 int (*okfn)(struct sk_buff *))
186{ 178{
187 /* root is playing with raw sockets. */ 179 /* root is playing with raw sockets. */
188 if (skb->len < sizeof(struct ipv6hdr)) { 180 if (skb->len < sizeof(struct ipv6hdr)) {
189 net_notice_ratelimited("ipv6_conntrack_local: packet too short\n"); 181 net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");
190 return NF_ACCEPT; 182 return NF_ACCEPT;
191 } 183 }
192 return nf_conntrack_in(dev_net(out), PF_INET6, ops->hooknum, skb); 184 return nf_conntrack_in(dev_net(state->out), PF_INET6, ops->hooknum, skb);
193} 185}
194 186
195static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = { 187static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
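Review bot: In ipv6_conntrack_local the short-packet branch returns NF_ACCEPT, so a locally generated skb shorter than an IPv6 header continues without ever reaching nf_conntrack_in(), and the only explanation is `/* root is playing with raw sockets. */`. A comment that says this outright would help anyone reasoning about what stateful rules can and cannot see, for example `/* Too short to hold an IPv6 header: pass it on untracked rather than parse it. */`. nft_ipv6_output in nf_tables_ipv6.c has the same length test and NF_ACCEPT return, although part of that function is elided between its hunks. The bodies of ipv6_helper and ipv6_confirm also run beyond the hunks shown, so whether they use `state` cannot be judged from this page.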
diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
index e70382e4dfb5..e2b882056751 100644
--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
@@ -54,9 +54,7 @@ static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum,
54 54
55static unsigned int ipv6_defrag(const struct nf_hook_ops *ops, 55static unsigned int ipv6_defrag(const struct nf_hook_ops *ops,
56 struct sk_buff *skb, 56 struct sk_buff *skb,
57 const struct net_device *in, 57 const struct nf_hook_state *state)
58 const struct net_device *out,
59 int (*okfn)(struct sk_buff *))
60{ 58{
61 struct sk_buff *reasm; 59 struct sk_buff *reasm;
62 60
@@ -78,8 +76,8 @@ static unsigned int ipv6_defrag(const struct nf_hook_ops *ops,
78 nf_ct_frag6_consume_orig(reasm); 76 nf_ct_frag6_consume_orig(reasm);
79 77
80 NF_HOOK_THRESH(NFPROTO_IPV6, ops->hooknum, reasm, 78 NF_HOOK_THRESH(NFPROTO_IPV6, ops->hooknum, reasm,
81 (struct net_device *) in, (struct net_device *) out, 79 state->in, state->out,
82 okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1); 80 state->okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
83 81
84 return NF_STOLEN; 82 return NF_STOLEN;
85} 83}
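Review bot: The re-injection at the end of ipv6_defrag now takes the devices and okfn from `state` but still takes the hook number from `ops->hooknum`, and nothing explains the `NF_IP6_PRI_CONNTRACK_DEFRAG + 1` threshold. A short comment above the NF_HOOK_THRESH call would make the intent reviewable, for example `/* Resume traversal just after this hook so the reassembled skb is not defragmented again. */`. Dropping the old `(struct net_device *)` casts is welcome, since the call no longer has to cast away const. The middle of ipv6_defrag lies between the two hunks and is not shown.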
diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c
index 0d812b31277d..224bc8971a0b 100644
--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -18,14 +18,12 @@
18 18
19static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops, 19static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops,
20 struct sk_buff *skb, 20 struct sk_buff *skb,
21 const struct net_device *in, 21 const struct nf_hook_state *state)
22 const struct net_device *out,
23 int (*okfn)(struct sk_buff *))
24{ 22{
25 struct nft_pktinfo pkt; 23 struct nft_pktinfo pkt;
26 24
27 /* malformed packet, drop it */ 25 /* malformed packet, drop it */
28 if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0) 26 if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state->in, state->out) < 0)
29 return NF_DROP; 27 return NF_DROP;
30 28
31 return nft_do_chain(&pkt, ops); 29 return nft_do_chain(&pkt, ops);
@@ -33,9 +31,7 @@ static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops,
33 31
34static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops, 32static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops,
35 struct sk_buff *skb, 33 struct sk_buff *skb,
36 const struct net_device *in, 34 const struct nf_hook_state *state)
37 const struct net_device *out,
38 int (*okfn)(struct sk_buff *))
39{ 35{
40 if (unlikely(skb->len < sizeof(struct ipv6hdr))) { 36 if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
41 if (net_ratelimit()) 37 if (net_ratelimit())
@@ -44,7 +40,7 @@ static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops,
44 return NF_ACCEPT; 40 return NF_ACCEPT;
45 } 41 }
46 42
47 return nft_do_chain_ipv6(ops, skb, in, out, okfn); 43 return nft_do_chain_ipv6(ops, skb, state);
48} 44}
49 45
50struct nft_af_info nft_af_ipv6 __read_mostly = { 46struct nft_af_info nft_af_ipv6 __read_mostly = {
diff --git a/net/ipv6/netfilter/nft_chain_nat_ipv6.c b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
index 1c4b75dd425b..f73f4ae25bc2 100644
--- a/net/ipv6/netfilter/nft_chain_nat_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
@@ -39,38 +39,30 @@ static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops,
39 39
40static unsigned int nft_nat_ipv6_fn(const struct nf_hook_ops *ops, 40static unsigned int nft_nat_ipv6_fn(const struct nf_hook_ops *ops,
41 struct sk_buff *skb, 41 struct sk_buff *skb,
42 const struct net_device *in, 42 const struct nf_hook_state *state)
43 const struct net_device *out,
44 int (*okfn)(struct sk_buff *))
45{ 43{
46 return nf_nat_ipv6_fn(ops, skb, in, out, nft_nat_do_chain); 44 return nf_nat_ipv6_fn(ops, skb, state->in, state->out, nft_nat_do_chain);
47} 45}
48 46
49static unsigned int nft_nat_ipv6_in(const struct nf_hook_ops *ops, 47static unsigned int nft_nat_ipv6_in(const struct nf_hook_ops *ops,
50 struct sk_buff *skb, 48 struct sk_buff *skb,
51 const struct net_device *in, 49 const struct nf_hook_state *state)
52 const struct net_device *out,
53 int (*okfn)(struct sk_buff *))
54{ 50{
55 return nf_nat_ipv6_in(ops, skb, in, out, nft_nat_do_chain); 51 return nf_nat_ipv6_in(ops, skb, state->in, state->out, nft_nat_do_chain);
56} 52}
57 53
58static unsigned int nft_nat_ipv6_out(const struct nf_hook_ops *ops, 54static unsigned int nft_nat_ipv6_out(const struct nf_hook_ops *ops,
59 struct sk_buff *skb, 55 struct sk_buff *skb,
60 const struct net_device *in, 56 const struct nf_hook_state *state)
61 const struct net_device *out,
62 int (*okfn)(struct sk_buff *))
63{ 57{
64 return nf_nat_ipv6_out(ops, skb, in, out, nft_nat_do_chain); 58 return nf_nat_ipv6_out(ops, skb, state->in, state->out, nft_nat_do_chain);
65} 59}
66 60
67static unsigned int nft_nat_ipv6_local_fn(const struct nf_hook_ops *ops, 61static unsigned int nft_nat_ipv6_local_fn(const struct nf_hook_ops *ops,
68 struct sk_buff *skb, 62 struct sk_buff *skb,
69 const struct net_device *in, 63 const struct nf_hook_state *state)
70 const struct net_device *out,
71 int (*okfn)(struct sk_buff *))
72{ 64{
73 return nf_nat_ipv6_local_fn(ops, skb, in, out, nft_nat_do_chain); 65 return nf_nat_ipv6_local_fn(ops, skb, state->in, state->out, nft_nat_do_chain);
74} 66}
75 67
76static const struct nf_chain_type nft_chain_nat_ipv6 = { 68static const struct nf_chain_type nft_chain_nat_ipv6 = {
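Review bot: The four rewritten return statements in nft_chain_nat_ipv6.c run past 80 columns once indentation is counted (the page has lost the leading whitespace, so this assumes the usual one-tab indent), e.g. `return nf_nat_ipv6_local_fn(ops, skb, state->in, state->out, nft_nat_do_chain);`. ip6table_nat.c makes the same calls in this commit and wraps the last argument onto a continuation line. Wrapping `nft_nat_do_chain);` the same way here would keep the two NAT front ends visually parallel, which makes later side-by-side review of them easier.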
diff --git a/net/ipv6/netfilter/nft_chain_route_ipv6.c b/net/ipv6/netfilter/nft_chain_route_ipv6.c
index 42031299585e..c826c3c854b2 100644
--- a/net/ipv6/netfilter/nft_chain_route_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_route_ipv6.c
@@ -24,9 +24,7 @@
24 24
25static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops, 25static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
26 struct sk_buff *skb, 26 struct sk_buff *skb,
27 const struct net_device *in, 27 const struct nf_hook_state *state)
28 const struct net_device *out,
29 int (*okfn)(struct sk_buff *))
30{ 28{
31 unsigned int ret; 29 unsigned int ret;
32 struct nft_pktinfo pkt; 30 struct nft_pktinfo pkt;
@@ -35,7 +33,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
35 u32 mark, flowlabel; 33 u32 mark, flowlabel;
36 34
37 /* malformed packet, drop it */ 35 /* malformed packet, drop it */
38 if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0) 36 if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state->in, state->out) < 0)
39 return NF_DROP; 37 return NF_DROP;
40 38
41 /* save source/dest address, mark, hoplimit, flowlabel, priority */ 39 /* save source/dest address, mark, hoplimit, flowlabel, priority */