diff options
| author | Patrick McHardy <kaber@trash.net> | 2014-01-03 07:16:13 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-01-07 17:50:43 -0500 |
| commit | 3b088c4bc0035da662faa81818ba217e34c4bba4 (patch) | |
| tree | 1d43e3ff229e464491a5764efae37ed030d11bd7 /net/ipv6 | |
| parent | 688d18636f77e360ae9078d7cd78a2556a1f35c1 (diff) | |
netfilter: nf_tables: make chain types override the default AF functions
Currently the AF-specific hook functions override the chain-type specific
hook functions. That doesn't make too much sense since the chain types
are a special case of the AF-specific hooks.
Make the AF-specific hook functions the default and make the optional
chain type hooks override them.
As a side effect, the necessary code restructuring reduces the code size,
f.i. in case of nf_tables_ipv4.o:
nf_tables_ipv4_init_net | -24
nft_do_chain_ipv4 | -113
2 functions changed, 137 bytes removed, diff: -137
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/nf_tables_ipv6.c | 48 |
1 files changed, 20 insertions, 28 deletions
diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c index d77db8a13505..54a2bcdc8a17 100644 --- a/net/ipv6/netfilter/nf_tables_ipv6.c +++ b/net/ipv6/netfilter/nf_tables_ipv6.c | |||
| @@ -16,24 +16,35 @@ | |||
| 16 | #include <net/netfilter/nf_tables.h> | 16 | #include <net/netfilter/nf_tables.h> |
| 17 | #include <net/netfilter/nf_tables_ipv6.h> | 17 | #include <net/netfilter/nf_tables_ipv6.h> |
| 18 | 18 | ||
| 19 | static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops, | ||
| 20 | struct sk_buff *skb, | ||
| 21 | const struct net_device *in, | ||
| 22 | const struct net_device *out, | ||
| 23 | int (*okfn)(struct sk_buff *)) | ||
| 24 | { | ||
| 25 | struct nft_pktinfo pkt; | ||
| 26 | |||
| 27 | /* malformed packet, drop it */ | ||
| 28 | if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0) | ||
| 29 | return NF_DROP; | ||
| 30 | |||
| 31 | return nft_do_chain_pktinfo(&pkt, ops); | ||
| 32 | } | ||
| 33 | |||
| 19 | static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops, | 34 | static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops, |
| 20 | struct sk_buff *skb, | 35 | struct sk_buff *skb, |
| 21 | const struct net_device *in, | 36 | const struct net_device *in, |
| 22 | const struct net_device *out, | 37 | const struct net_device *out, |
| 23 | int (*okfn)(struct sk_buff *)) | 38 | int (*okfn)(struct sk_buff *)) |
| 24 | { | 39 | { |
| 25 | struct nft_pktinfo pkt; | ||
| 26 | |||
| 27 | if (unlikely(skb->len < sizeof(struct ipv6hdr))) { | 40 | if (unlikely(skb->len < sizeof(struct ipv6hdr))) { |
| 28 | if (net_ratelimit()) | 41 | if (net_ratelimit()) |
| 29 | pr_info("nf_tables_ipv6: ignoring short SOCK_RAW " | 42 | pr_info("nf_tables_ipv6: ignoring short SOCK_RAW " |
| 30 | "packet\n"); | 43 | "packet\n"); |
| 31 | return NF_ACCEPT; | 44 | return NF_ACCEPT; |
| 32 | } | 45 | } |
| 33 | if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0) | ||
| 34 | return NF_DROP; | ||
| 35 | 46 | ||
| 36 | return nft_do_chain_pktinfo(&pkt, ops); | 47 | return nft_do_chain_ipv6(ops, skb, in, out, okfn); |
| 37 | } | 48 | } |
| 38 | 49 | ||
| 39 | static struct nft_af_info nft_af_ipv6 __read_mostly = { | 50 | static struct nft_af_info nft_af_ipv6 __read_mostly = { |
| @@ -41,7 +52,11 @@ static struct nft_af_info nft_af_ipv6 __read_mostly = { | |||
| 41 | .nhooks = NF_INET_NUMHOOKS, | 52 | .nhooks = NF_INET_NUMHOOKS, |
| 42 | .owner = THIS_MODULE, | 53 | .owner = THIS_MODULE, |
| 43 | .hooks = { | 54 | .hooks = { |
| 55 | [NF_INET_LOCAL_IN] = nft_do_chain_ipv6, | ||
| 44 | [NF_INET_LOCAL_OUT] = nft_ipv6_output, | 56 | [NF_INET_LOCAL_OUT] = nft_ipv6_output, |
| 57 | [NF_INET_FORWARD] = nft_do_chain_ipv6, | ||
| 58 | [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6, | ||
| 59 | [NF_INET_POST_ROUTING] = nft_do_chain_ipv6, | ||
| 45 | }, | 60 | }, |
| 46 | }; | 61 | }; |
| 47 | 62 | ||
| @@ -73,22 +88,6 @@ static struct pernet_operations nf_tables_ipv6_net_ops = { | |||
| 73 | .exit = nf_tables_ipv6_exit_net, | 88 | .exit = nf_tables_ipv6_exit_net, |
| 74 | }; | 89 | }; |
| 75 | 90 | ||
| 76 | static unsigned int | ||
| 77 | nft_do_chain_ipv6(const struct nf_hook_ops *ops, | ||
| 78 | struct sk_buff *skb, | ||
| 79 | const struct net_device *in, | ||
| 80 | const struct net_device *out, | ||
| 81 | int (*okfn)(struct sk_buff *)) | ||
| 82 | { | ||
| 83 | struct nft_pktinfo pkt; | ||
| 84 | |||
| 85 | /* malformed packet, drop it */ | ||
| 86 | if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0) | ||
| 87 | return NF_DROP; | ||
| 88 | |||
| 89 | return nft_do_chain_pktinfo(&pkt, ops); | ||
| 90 | } | ||
| 91 | |||
| 92 | static struct nf_chain_type filter_ipv6 = { | 91 | static struct nf_chain_type filter_ipv6 = { |
| 93 | .family = NFPROTO_IPV6, | 92 | .family = NFPROTO_IPV6, |
| 94 | .name = "filter", | 93 | .name = "filter", |
| @@ -98,13 +97,6 @@ static struct nf_chain_type filter_ipv6 = { | |||
| 98 | (1 << NF_INET_FORWARD) | | 97 | (1 << NF_INET_FORWARD) | |
| 99 | (1 << NF_INET_PRE_ROUTING) | | 98 | (1 << NF_INET_PRE_ROUTING) | |
| 100 | (1 << NF_INET_POST_ROUTING), | 99 | (1 << NF_INET_POST_ROUTING), |
| 101 | .fn = { | ||
| 102 | [NF_INET_LOCAL_IN] = nft_do_chain_ipv6, | ||
| 103 | [NF_INET_LOCAL_OUT] = nft_ipv6_output, | ||
| 104 | [NF_INET_FORWARD] = nft_do_chain_ipv6, | ||
| 105 | [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6, | ||
| 106 | [NF_INET_POST_ROUTING] = nft_do_chain_ipv6, | ||
| 107 | }, | ||
| 108 | }; | 100 | }; |
| 109 | 101 | ||
| 110 | static int __init nf_tables_ipv6_init(void) | 102 | static int __init nf_tables_ipv6_init(void) |