[NETFILTER]: x_tables: return new table from {arp,ip,ip6}t_register_table()

Typical table module registers xt_table structure (i.e. packet_filter) and link it to list during it. We can't use one template for it because corresponding list_head will become corrupted. We also can't unregister with template because it wasn't changed at all and thus doesn't know in which list it is. So, we duplicate template at the very first step of table registration. Table modules will save it for use during unregistration time and actual filtering. Do it at once to not screw bisection. P.S.: renaming i.e. packet_filter => __packet_filter is temporary until full netnsization of table modules is done. Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Alexey Dobriyan <adobriyan@sw.ru> 2008-01-31 07:02:44 -0500
committer: David S. Miller <davem@davemloft.net> 2008-01-31 22:27:36 -0500
commit: 44d34e721e2c81ccdfb13cf34996309247ae2981 (patch)
tree: fec2063c8573700fd01cb6c11875769751744603 /net/ipv6
parent: 8d870052079d255917ec4f8431f5ec102707b7af (diff)
4 files changed, 40 insertions, 33 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1aac3ef39414..b89f133f41d0 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2074,7 +2074,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
        return ret;
 }
-int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
+struct xt_table *ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
 {
        int ret;
        struct xt_table_info *newinfo;
@@ -2084,8 +2084,10 @@ int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
        struct xt_table *new_table;
        newinfo = xt_alloc_table_info(repl->size);
-        if (!newinfo)
+        if (!newinfo) {
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto out;
+        }
        /* choose the copy on our node/cpu, but dont care about preemption */
        loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
@@ -2096,18 +2098,20 @@ int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
                              repl->num_entries,
                              repl->hook_entry,
                              repl->underflow);
-        if (ret != 0) {
+        if (ret != 0)
-                xt_free_table_info(newinfo);
+                goto out_free;
-                return ret;
-        }
        new_table = xt_register_table(&init_net, table, &bootstrap, newinfo);
        if (IS_ERR(new_table)) {
-                xt_free_table_info(newinfo);
+                ret = PTR_ERR(new_table);
-                return PTR_ERR(new_table);
+                goto out_free;
        }
+        return new_table;
-        return 0;
+out_free:
+        xt_free_table_info(newinfo);
+out:
+        return ERR_PTR(ret);
 }
 void ip6t_unregister_table(struct xt_table *table)
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 87d38d08aad0..bffd67f32359 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -51,13 +51,14 @@ static struct
        .term = IP6T_ERROR_INIT,                /* ERROR */
 };
-static struct xt_table packet_filter = {
+static struct xt_table __packet_filter = {
        .name           = "filter",
        .valid_hooks    = FILTER_VALID_HOOKS,
        .lock           = RW_LOCK_UNLOCKED,
        .me             = THIS_MODULE,
        .af             = AF_INET6,
 };
+static struct xt_table *packet_filter;
 /* The work comes in here from netfilter.c. */
 static unsigned int
@@ -67,7 +68,7 @@ ip6t_hook(unsigned int hook,
         const struct net_device *out,
         int (*okfn)(struct sk_buff *))
 {
-        return ip6t_do_table(skb, hook, in, out, &packet_filter);
+        return ip6t_do_table(skb, hook, in, out, packet_filter);
 }
 static unsigned int
@@ -87,7 +88,7 @@ ip6t_local_out_hook(unsigned int hook,
        }
 #endif
-        return ip6t_do_table(skb, hook, in, out, &packet_filter);
+        return ip6t_do_table(skb, hook, in, out, packet_filter);
 }
 static struct nf_hook_ops ip6t_ops[] __read_mostly = {
@@ -131,9 +132,9 @@ static int __init ip6table_filter_init(void)
        initial_table.entries[1].target.verdict = -forward - 1;
        /* Register table */
-        ret = ip6t_register_table(&packet_filter, &initial_table.repl);
+        packet_filter = ip6t_register_table(&__packet_filter, &initial_table.repl);
-        if (ret < 0)
+        if (IS_ERR(packet_filter))
-                return ret;
+                return PTR_ERR(packet_filter);
        /* Register hooks */
        ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
@@ -143,14 +144,14 @@ static int __init ip6table_filter_init(void)
        return ret;
 cleanup_table:
-        ip6t_unregister_table(&packet_filter);
+        ip6t_unregister_table(packet_filter);
        return ret;
 }
 static void __exit ip6table_filter_fini(void)
 {
        nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
-        ip6t_unregister_table(&packet_filter);
+        ip6t_unregister_table(packet_filter);
 }
 module_init(ip6table_filter_init);
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index d6082600bc5d..63d334df3b40 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -57,13 +57,14 @@ static struct
        .term = IP6T_ERROR_INIT,                /* ERROR */
 };
-static struct xt_table packet_mangler = {
+static struct xt_table __packet_mangler = {
        .name           = "mangle",
        .valid_hooks    = MANGLE_VALID_HOOKS,
        .lock           = RW_LOCK_UNLOCKED,
        .me             = THIS_MODULE,
        .af             = AF_INET6,
 };
+static struct xt_table *packet_mangler;
 /* The work comes in here from netfilter.c. */
 static unsigned int
@@ -73,7 +74,7 @@ ip6t_route_hook(unsigned int hook,
         const struct net_device *out,
         int (*okfn)(struct sk_buff *))
 {
-        return ip6t_do_table(skb, hook, in, out, &packet_mangler);
+        return ip6t_do_table(skb, hook, in, out, packet_mangler);
 }
 static unsigned int
@@ -108,7 +109,7 @@ ip6t_local_hook(unsigned int hook,
        /* flowlabel and prio (includes version, which shouldn't change either */
        flowlabel = *((u_int32_t *)ipv6_hdr(skb));
-        ret = ip6t_do_table(skb, hook, in, out, &packet_mangler);
+        ret = ip6t_do_table(skb, hook, in, out, packet_mangler);
        if (ret != NF_DROP && ret != NF_STOLEN
                && (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))
@@ -163,9 +164,9 @@ static int __init ip6table_mangle_init(void)
        int ret;
        /* Register table */
-        ret = ip6t_register_table(&packet_mangler, &initial_table.repl);
+        packet_mangler = ip6t_register_table(&__packet_mangler, &initial_table.repl);
-        if (ret < 0)
+        if (IS_ERR(packet_mangler))
-                return ret;
+                return PTR_ERR(packet_mangler);
        /* Register hooks */
        ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
@@ -175,14 +176,14 @@ static int __init ip6table_mangle_init(void)
        return ret;
 cleanup_table:
-        ip6t_unregister_table(&packet_mangler);
+        ip6t_unregister_table(packet_mangler);
        return ret;
 }
 static void __exit ip6table_mangle_fini(void)
 {
        nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
-        ip6t_unregister_table(&packet_mangler);
+        ip6t_unregister_table(packet_mangler);
 }
 module_init(ip6table_mangle_init);
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index eccbaaa104af..7f55b236440e 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -35,13 +35,14 @@ static struct
        .term = IP6T_ERROR_INIT,                /* ERROR */
 };
-static struct xt_table packet_raw = {
+static struct xt_table __packet_raw = {
        .name = "raw",
        .valid_hooks = RAW_VALID_HOOKS,
        .lock = RW_LOCK_UNLOCKED,
        .me = THIS_MODULE,
        .af = AF_INET6,
 };
+static struct xt_table *packet_raw;
 /* The work comes in here from netfilter.c. */
 static unsigned int
@@ -51,7 +52,7 @@ ip6t_hook(unsigned int hook,
         const struct net_device *out,
         int (*okfn)(struct sk_buff *))
 {
-        return ip6t_do_table(skb, hook, in, out, &packet_raw);
+        return ip6t_do_table(skb, hook, in, out, packet_raw);
 }
 static struct nf_hook_ops ip6t_ops[] __read_mostly = {
@@ -76,9 +77,9 @@ static int __init ip6table_raw_init(void)
        int ret;
        /* Register table */
-        ret = ip6t_register_table(&packet_raw, &initial_table.repl);
+        packet_raw = ip6t_register_table(&__packet_raw, &initial_table.repl);
-        if (ret < 0)
+        if (IS_ERR(packet_raw))
-                return ret;
+                return PTR_ERR(packet_raw);
        /* Register hooks */
        ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
@@ -88,14 +89,14 @@ static int __init ip6table_raw_init(void)
        return ret;
 cleanup_table:
-        ip6t_unregister_table(&packet_raw);
+        ip6t_unregister_table(packet_raw);
        return ret;
 }
 static void __exit ip6table_raw_fini(void)
 {
        nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
-        ip6t_unregister_table(&packet_raw);
+        ip6t_unregister_table(packet_raw);
 }
 module_init(ip6table_raw_init);
author	Alexey Dobriyan <adobriyan@sw.ru>	2008-01-31 07:02:44 -0500
committer	David S. Miller <davem@davemloft.net>	2008-01-31 22:27:36 -0500
commit	44d34e721e2c81ccdfb13cf34996309247ae2981 (patch)
tree	fec2063c8573700fd01cb6c11875769751744603 /net/ipv6
parent	8d870052079d255917ec4f8431f5ec102707b7af (diff)