diff options
| author | Jan Engelhardt <jengelh@medozas.de> | 2009-07-07 14:54:30 -0400 |
|---|---|---|
| committer | Jan Engelhardt <jengelh@medozas.de> | 2010-05-11 12:35:27 -0400 |
| commit | b4ba26119b06052888696491f614201817491a0d (patch) | |
| tree | d6dc2a4e0f78641b5b64a1728322c81cbad09974 /net/ipv6 | |
| parent | 62fc8051083a334578c3f4b3488808f210b4565f (diff) | |
netfilter: xtables: change hotdrop pointer to direct modification
Since xt_action_param is writable, let's use it. The pointer to
'bool hotdrop' always worried (8 bytes (64-bit) to write 1 byte!).
Surprisingly results in a reduction in size:
text data bss filename
5457066 692730 357892 vmlinux.o-prev
5456554 692730 357892 vmlinux.o
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 11 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_ah.c | 4 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_eui64.c | 2 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_frag.c | 4 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_hbh.c | 4 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_mh.c | 4 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_rt.c | 4 |
7 files changed, 16 insertions, 17 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 4549f8d6f88f..557fac9689c0 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
| @@ -337,7 +337,6 @@ ip6t_do_table(struct sk_buff *skb, | |||
| 337 | struct xt_table *table) | 337 | struct xt_table *table) |
| 338 | { | 338 | { |
| 339 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); | 339 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); |
| 340 | bool hotdrop = false; | ||
| 341 | /* Initializing verdict to NF_DROP keeps gcc happy. */ | 340 | /* Initializing verdict to NF_DROP keeps gcc happy. */ |
| 342 | unsigned int verdict = NF_DROP; | 341 | unsigned int verdict = NF_DROP; |
| 343 | const char *indev, *outdev; | 342 | const char *indev, *outdev; |
| @@ -356,7 +355,7 @@ ip6t_do_table(struct sk_buff *skb, | |||
| 356 | * things we don't know, ie. tcp syn flag or ports). If the | 355 | * things we don't know, ie. tcp syn flag or ports). If the |
| 357 | * rule is also a fragment-specific rule, non-fragments won't | 356 | * rule is also a fragment-specific rule, non-fragments won't |
| 358 | * match it. */ | 357 | * match it. */ |
| 359 | acpar.hotdrop = &hotdrop; | 358 | acpar.hotdrop = false; |
| 360 | acpar.in = in; | 359 | acpar.in = in; |
| 361 | acpar.out = out; | 360 | acpar.out = out; |
| 362 | acpar.family = NFPROTO_IPV6; | 361 | acpar.family = NFPROTO_IPV6; |
| @@ -380,7 +379,7 @@ ip6t_do_table(struct sk_buff *skb, | |||
| 380 | 379 | ||
| 381 | IP_NF_ASSERT(e); | 380 | IP_NF_ASSERT(e); |
| 382 | if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, | 381 | if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, |
| 383 | &acpar.thoff, &acpar.fragoff, &hotdrop)) { | 382 | &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) { |
| 384 | no_match: | 383 | no_match: |
| 385 | e = ip6t_next_entry(e); | 384 | e = ip6t_next_entry(e); |
| 386 | continue; | 385 | continue; |
| @@ -447,7 +446,7 @@ ip6t_do_table(struct sk_buff *skb, | |||
| 447 | else | 446 | else |
| 448 | /* Verdict */ | 447 | /* Verdict */ |
| 449 | break; | 448 | break; |
| 450 | } while (!hotdrop); | 449 | } while (!acpar.hotdrop); |
| 451 | 450 | ||
| 452 | xt_info_rdunlock_bh(); | 451 | xt_info_rdunlock_bh(); |
| 453 | *stackptr = origptr; | 452 | *stackptr = origptr; |
| @@ -455,7 +454,7 @@ ip6t_do_table(struct sk_buff *skb, | |||
| 455 | #ifdef DEBUG_ALLOW_ALL | 454 | #ifdef DEBUG_ALLOW_ALL |
| 456 | return NF_ACCEPT; | 455 | return NF_ACCEPT; |
| 457 | #else | 456 | #else |
| 458 | if (hotdrop) | 457 | if (acpar.hotdrop) |
| 459 | return NF_DROP; | 458 | return NF_DROP; |
| 460 | else return verdict; | 459 | else return verdict; |
| 461 | #endif | 460 | #endif |
| @@ -2170,7 +2169,7 @@ icmp6_match(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 2170 | * can't. Hence, no choice but to drop. | 2169 | * can't. Hence, no choice but to drop. |
| 2171 | */ | 2170 | */ |
| 2172 | duprintf("Dropping evil ICMP tinygram.\n"); | 2171 | duprintf("Dropping evil ICMP tinygram.\n"); |
| 2173 | *par->hotdrop = true; | 2172 | par->hotdrop = true; |
| 2174 | return false; | 2173 | return false; |
| 2175 | } | 2174 | } |
| 2176 | 2175 | ||
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c index c89887f35a46..89cccc5a9c92 100644 --- a/net/ipv6/netfilter/ip6t_ah.c +++ b/net/ipv6/netfilter/ip6t_ah.c | |||
| @@ -48,13 +48,13 @@ static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 48 | err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL); | 48 | err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL); |
| 49 | if (err < 0) { | 49 | if (err < 0) { |
| 50 | if (err != -ENOENT) | 50 | if (err != -ENOENT) |
| 51 | *par->hotdrop = true; | 51 | par->hotdrop = true; |
| 52 | return false; | 52 | return false; |
| 53 | } | 53 | } |
| 54 | 54 | ||
| 55 | ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah); | 55 | ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah); |
| 56 | if (ah == NULL) { | 56 | if (ah == NULL) { |
| 57 | *par->hotdrop = true; | 57 | par->hotdrop = true; |
| 58 | return false; | 58 | return false; |
| 59 | } | 59 | } |
| 60 | 60 | ||
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c index f32fce34145a..aab0706908c5 100644 --- a/net/ipv6/netfilter/ip6t_eui64.c +++ b/net/ipv6/netfilter/ip6t_eui64.c | |||
| @@ -27,7 +27,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 27 | if (!(skb_mac_header(skb) >= skb->head && | 27 | if (!(skb_mac_header(skb) >= skb->head && |
| 28 | skb_mac_header(skb) + ETH_HLEN <= skb->data) && | 28 | skb_mac_header(skb) + ETH_HLEN <= skb->data) && |
| 29 | par->fragoff != 0) { | 29 | par->fragoff != 0) { |
| 30 | *par->hotdrop = true; | 30 | par->hotdrop = true; |
| 31 | return false; | 31 | return false; |
| 32 | } | 32 | } |
| 33 | 33 | ||
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c index fcc8c72f218e..eda898fda6ca 100644 --- a/net/ipv6/netfilter/ip6t_frag.c +++ b/net/ipv6/netfilter/ip6t_frag.c | |||
| @@ -46,13 +46,13 @@ frag_mt6(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 46 | err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL); | 46 | err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL); |
| 47 | if (err < 0) { | 47 | if (err < 0) { |
| 48 | if (err != -ENOENT) | 48 | if (err != -ENOENT) |
| 49 | *par->hotdrop = true; | 49 | par->hotdrop = true; |
| 50 | return false; | 50 | return false; |
| 51 | } | 51 | } |
| 52 | 52 | ||
| 53 | fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag); | 53 | fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag); |
| 54 | if (fh == NULL) { | 54 | if (fh == NULL) { |
| 55 | *par->hotdrop = true; | 55 | par->hotdrop = true; |
| 56 | return false; | 56 | return false; |
| 57 | } | 57 | } |
| 58 | 58 | ||
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c index f8aebc098d71..59df051eaef6 100644 --- a/net/ipv6/netfilter/ip6t_hbh.c +++ b/net/ipv6/netfilter/ip6t_hbh.c | |||
| @@ -65,13 +65,13 @@ hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 65 | NEXTHDR_HOP : NEXTHDR_DEST, NULL); | 65 | NEXTHDR_HOP : NEXTHDR_DEST, NULL); |
| 66 | if (err < 0) { | 66 | if (err < 0) { |
| 67 | if (err != -ENOENT) | 67 | if (err != -ENOENT) |
| 68 | *par->hotdrop = true; | 68 | par->hotdrop = true; |
| 69 | return false; | 69 | return false; |
| 70 | } | 70 | } |
| 71 | 71 | ||
| 72 | oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); | 72 | oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); |
| 73 | if (oh == NULL) { | 73 | if (oh == NULL) { |
| 74 | *par->hotdrop = true; | 74 | par->hotdrop = true; |
| 75 | return false; | 75 | return false; |
| 76 | } | 76 | } |
| 77 | 77 | ||
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c index eb1c3d65271a..0c90c66b1992 100644 --- a/net/ipv6/netfilter/ip6t_mh.c +++ b/net/ipv6/netfilter/ip6t_mh.c | |||
| @@ -47,14 +47,14 @@ static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 47 | /* We've been asked to examine this packet, and we | 47 | /* We've been asked to examine this packet, and we |
| 48 | can't. Hence, no choice but to drop. */ | 48 | can't. Hence, no choice but to drop. */ |
| 49 | pr_debug("Dropping evil MH tinygram.\n"); | 49 | pr_debug("Dropping evil MH tinygram.\n"); |
| 50 | *par->hotdrop = true; | 50 | par->hotdrop = true; |
| 51 | return false; | 51 | return false; |
| 52 | } | 52 | } |
| 53 | 53 | ||
| 54 | if (mh->ip6mh_proto != IPPROTO_NONE) { | 54 | if (mh->ip6mh_proto != IPPROTO_NONE) { |
| 55 | pr_debug("Dropping invalid MH Payload Proto: %u\n", | 55 | pr_debug("Dropping invalid MH Payload Proto: %u\n", |
| 56 | mh->ip6mh_proto); | 56 | mh->ip6mh_proto); |
| 57 | *par->hotdrop = true; | 57 | par->hotdrop = true; |
| 58 | return false; | 58 | return false; |
| 59 | } | 59 | } |
| 60 | 60 | ||
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c index ee584693ee35..d8488c50a8e0 100644 --- a/net/ipv6/netfilter/ip6t_rt.c +++ b/net/ipv6/netfilter/ip6t_rt.c | |||
| @@ -52,13 +52,13 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 52 | err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL); | 52 | err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL); |
| 53 | if (err < 0) { | 53 | if (err < 0) { |
| 54 | if (err != -ENOENT) | 54 | if (err != -ENOENT) |
| 55 | *par->hotdrop = true; | 55 | par->hotdrop = true; |
| 56 | return false; | 56 | return false; |
| 57 | } | 57 | } |
| 58 | 58 | ||
| 59 | rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); | 59 | rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); |
| 60 | if (rh == NULL) { | 60 | if (rh == NULL) { |
| 61 | *par->hotdrop = true; | 61 | par->hotdrop = true; |
| 62 | return false; | 62 | return false; |
| 63 | } | 63 | } |
| 64 | 64 | ||