| -rw-r--r-- | include/linux/netfilter.h | 23 | ||||
| -rw-r--r-- | net/ipv4/netfilter.c | 17 | ||||
| -rw-r--r-- | net/ipv6/netfilter.c | 17 | ||||
| -rw-r--r-- | net/netfilter/core.c | 23 | ||||
| -rw-r--r-- | net/netfilter/nf_queue.c | 49 |
5 files changed, 70 insertions, 59 deletions
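diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 5aa931607923..6ee168c4978a 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -283,16 +283,25 @@ extern void nf_invalidate_cache(int pf);
 Returns true or false. */
 extern int skb_make_writable(struct sk_buff **pskb, unsigned int writable_len);
 
-struct nf_queue_rerouter {
-void (*save)(const struct sk_buff *skb, struct nf_info *info);
-int (*reroute)(struct sk_buff **skb, const struct nf_info *info);
-int rer_size;
+struct nf_afinfo {
+unsigned short family;
+void (*saveroute)(const struct sk_buff *skb,
+struct nf_info *info);
+int (*reroute)(struct sk_buff **skb,
+const struct nf_info *info);
+int route_key_size;
 };
 
-#define nf_info_reroute(x) ((void *)x + sizeof(struct nf_info))
+extern struct nf_afinfo *nf_afinfo[];
+static inline struct nf_afinfo *nf_get_afinfo(unsigned short family)
+{
+return rcu_dereference(nf_afinfo[family]);
+}
 
-extern int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer);
-extern int nf_unregister_queue_rerouter(int pf);
+extern int nf_register_afinfo(struct nf_afinfo *afinfo);
+extern void nf_unregister_afinfo(struct nf_afinfo *afinfo);
+
+#define nf_info_reroute(x) ((void *)x + sizeof(struct nf_info))
 
 #include <net/flow.h>
 extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);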
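Review bot: `nf_get_afinfo()` at new lines 296-299 indexes `nf_afinfo[]` with an unchecked `unsigned short` and returns an `rcu_dereference()` result, yet nothing at the declaration says the caller must be inside an RCU read-side critical section or that `family` must be below NPROTO, and the array bound is not visible from the `extern` at line 295. The two callers this commit adds pass the `pf` nf_queue() was given or `info->pf`, so in-tree use looks fine, but the header is the contract a future caller reads. A comment above the inline such as `/* Caller must be in an RCU read-side section (rcu_read_lock(), or a preempt-disabling lock if that is what the RCU flavour guarantees) and pass family < NPROTO; the pointer is valid only within that section. */` would make this explicit. Since `saveroute` and `reroute` are called unconditionally by nf_queue() and nf_reinject(), the struct should also state that both callbacks are mandatory and that `route_key_size` bytes are allocated behind `struct nf_info` for `saveroute` to fill.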
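diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index b5ad9ac2fbcc..b25339c11ea0 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -133,7 +133,7 @@ struct ip_rt_info {
 u_int8_t tos;
 };
 
-static void queue_save(const struct sk_buff *skb, struct nf_info *info)
+static void nf_ip_saveroute(const struct sk_buff *skb, struct nf_info *info)
 {
 struct ip_rt_info *rt_info = nf_info_reroute(info);
 
@@ -146,7 +146,7 @@ static void queue_save(const struct sk_buff *skb, struct nf_info *info)
 }
 }
 
-static int queue_reroute(struct sk_buff **pskb, const struct nf_info *info)
+static int nf_ip_reroute(struct sk_buff **pskb, const struct nf_info *info)
 {
 const struct ip_rt_info *rt_info = nf_info_reroute(info);
 
@@ -161,20 +161,21 @@ static int queue_reroute(struct sk_buff **pskb, const struct nf_info *info)
 return 0;
 }
 
-static struct nf_queue_rerouter ip_reroute = {
-.rer_size = sizeof(struct ip_rt_info),
-.save = queue_save,
-.reroute = queue_reroute,
+static struct nf_afinfo nf_ip_afinfo = {
+.family = AF_INET,
+.saveroute = nf_ip_saveroute,
+.reroute = nf_ip_reroute,
+.route_key_size = sizeof(struct ip_rt_info),
 };
 
 static int ipv4_netfilter_init(void)
 {
-return nf_register_queue_rerouter(PF_INET, &ip_reroute);
+return nf_register_afinfo(&nf_ip_afinfo);
 }
 
 static void ipv4_netfilter_fini(void)
 {
-nf_unregister_queue_rerouter(PF_INET);
+nf_unregister_afinfo(&nf_ip_afinfo);
 }
 
 module_init(ipv4_netfilter_init);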
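diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index d750cfc019dc..f514a0113b9f 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -54,7 +54,7 @@ struct ip6_rt_info {
 struct in6_addr saddr;
 };
 
-static void save(const struct sk_buff *skb, struct nf_info *info)
+static void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_info *info)
 {
 struct ip6_rt_info *rt_info = nf_info_reroute(info);
 
@@ -66,7 +66,7 @@ static void save(const struct sk_buff *skb, struct nf_info *info)
 }
 }
 
-static int reroute(struct sk_buff **pskb, const struct nf_info *info)
+static int nf_ip6_reroute(struct sk_buff **pskb, const struct nf_info *info)
 {
 struct ip6_rt_info *rt_info = nf_info_reroute(info);
 
@@ -79,15 +79,16 @@ static int reroute(struct sk_buff **pskb, const struct nf_info *info)
 return 0;
 }
 
-static struct nf_queue_rerouter ip6_reroute = {
-.rer_size = sizeof(struct ip6_rt_info),
-.save = &save,
-.reroute = &reroute,
+static struct nf_afinfo nf_ip6_afinfo = {
+.family = AF_INET6,
+.saveroute = nf_ip6_saveroute,
+.reroute = nf_ip6_reroute,
+.route_key_size = sizeof(struct ip6_rt_info),
 };
 
 int __init ipv6_netfilter_init(void)
 {
-return nf_register_queue_rerouter(PF_INET6, &ip6_reroute);
+return nf_register_afinfo(&nf_ip6_afinfo);
 }
 
 /* This can be called from inet6_init() on errors, so it cannot
@@ -95,5 +96,5 @@ int __init ipv6_netfilter_init(void)
 */
 void ipv6_netfilter_fini(void)
 {
-nf_unregister_queue_rerouter(PF_INET6);
+nf_unregister_afinfo(&nf_ip6_afinfo);
 }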
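diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 645d62105571..8455a32ea5c4 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -27,6 +27,29 @@
 
 #include "nf_internals.h"
 
+static DEFINE_SPINLOCK(afinfo_lock);
+
+struct nf_afinfo *nf_afinfo[NPROTO];
+EXPORT_SYMBOL(nf_afinfo);
+
+int nf_register_afinfo(struct nf_afinfo *afinfo)
+{
+spin_lock(&afinfo_lock);
+rcu_assign_pointer(nf_afinfo[afinfo->family], afinfo);
+spin_unlock(&afinfo_lock);
+return 0;
+}
+EXPORT_SYMBOL_GPL(nf_register_afinfo);
+
+void nf_unregister_afinfo(struct nf_afinfo *afinfo)
+{
+spin_lock(&afinfo_lock);
+rcu_assign_pointer(nf_afinfo[afinfo->family], NULL);
+spin_unlock(&afinfo_lock);
+synchronize_rcu();
+}
+EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
+
 /* In this code, we can be waiting indefinitely for userspace to
 * service a packet if a hook returns NF_QUEUE. We could keep a count
 * of skbuffs queued for userspace, and not deregister a hook unless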
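Review bot: `nf_register_afinfo()` and `nf_unregister_afinfo()` (new lines 35-50) index `nf_afinfo[NPROTO]` with `afinfo->family` but drop the `pf >= NPROTO` guard that the removed `nf_register_queue_rerouter()` carried, so a mis-filled `family` would store a pointer past the end of the array while holding `afinfo_lock`. Adding `if (afinfo->family >= NPROTO) return -EINVAL;` at the top of the register function, and an early `return` on the same condition in the unregister function, restores that check at no cost. Registration also silently replaces any entry already present for the family and always returns 0; if that is intended, a one-line comment stating that each family has a single owner would stop a later reader from treating the return value as a conflict signal. The plain `spin_lock()` (no `_bh`) appears sufficient because readers go through RCU rather than this lock, but that reasoning is worth a comment next to the lock definition.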
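diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index d9f0d7ef103b..ee8f70889f47 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -17,7 +17,6 @@
 * for queueing and must reinject all packets it receives, no matter what.
 */
 static struct nf_queue_handler *queue_handler[NPROTO];
-static struct nf_queue_rerouter *queue_rerouter[NPROTO];
 
 static DEFINE_RWLOCK(queue_handler_lock);
 
@@ -59,32 +58,6 @@ int nf_unregister_queue_handler(int pf)
 }
 EXPORT_SYMBOL(nf_unregister_queue_handler);
 
-int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer)
-{
-if (pf >= NPROTO)
-return -EINVAL;
-
-write_lock_bh(&queue_handler_lock);
-rcu_assign_pointer(queue_rerouter[pf], rer);
-write_unlock_bh(&queue_handler_lock);
-
-return 0;
-}
-EXPORT_SYMBOL_GPL(nf_register_queue_rerouter);
-
-int nf_unregister_queue_rerouter(int pf)
-{
-if (pf >= NPROTO)
-return -EINVAL;
-
-write_lock_bh(&queue_handler_lock);
-rcu_assign_pointer(queue_rerouter[pf], NULL);
-write_unlock_bh(&queue_handler_lock);
-synchronize_rcu();
-return 0;
-}
-EXPORT_SYMBOL_GPL(nf_unregister_queue_rerouter);
-
 void nf_unregister_queue_handlers(struct nf_queue_handler *qh)
 {
 int pf;
@@ -116,7 +89,7 @@ int nf_queue(struct sk_buff **skb,
 struct net_device *physindev = NULL;
 struct net_device *physoutdev = NULL;
 #endif
-struct nf_queue_rerouter *rerouter;
+struct nf_afinfo *afinfo;
 
 /* QUEUE == DROP if noone is waiting, to be safe. */
 read_lock(&queue_handler_lock);
@@ -126,7 +99,14 @@ int nf_queue(struct sk_buff **skb,
 return 1;
 }
 
-info = kmalloc(sizeof(*info)+queue_rerouter[pf]->rer_size, GFP_ATOMIC);
+afinfo = nf_get_afinfo(pf);
+if (!afinfo) {
+read_unlock(&queue_handler_lock);
+kfree_skb(*skb);
+return 1;
+}
+
+info = kmalloc(sizeof(*info) + afinfo->route_key_size, GFP_ATOMIC);
 if (!info) {
 if (net_ratelimit())
 printk(KERN_ERR "OOM queueing packet %p\n",
@@ -158,10 +138,7 @@ int nf_queue(struct sk_buff **skb,
 if (physoutdev) dev_hold(physoutdev);
 }
 #endif
-rerouter = rcu_dereference(queue_rerouter[pf]);
-if (rerouter)
-rerouter->save(*skb, info);
-
+afinfo->saveroute(*skb, info);
 status = queue_handler[pf]->outfn(*skb, info, queuenum,
 queue_handler[pf]->data);
 
@@ -190,7 +167,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
 {
 struct list_head *elem = &info->elem->list;
 struct list_head *i;
-struct nf_queue_rerouter *rerouter;
+struct nf_afinfo *afinfo;
 
 rcu_read_lock();
 
@@ -228,8 +205,8 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
 }
 
 if (verdict == NF_ACCEPT) {
-rerouter = rcu_dereference(queue_rerouter[info->pf]);
-if (rerouter && rerouter->reroute(&skb, info) < 0)
+afinfo = nf_get_afinfo(info->pf);
+if (!afinfo || afinfo->reroute(&skb, info) < 0)
 verdict = NF_DROP;
 }
 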
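Review bot: The `nf_get_afinfo(pf)` call at new line 102 and the `afinfo->saveroute()` call at line 141 use an `rcu_dereference()` result while nf_queue() holds `read_lock(&queue_handler_lock)` rather than `rcu_read_lock()`; this is only safe against the `synchronize_rcu()` in nf_unregister_afinfo() if the read lock keeps the CPU inside an RCU read-side critical section for the RCU flavour this tree uses, and the code does not state that. A comment at line 102 such as `/* queue_handler_lock is held for read, which keeps us in an RCU read-side critical section for afinfo */` (or an explicit rcu_read_lock()/rcu_read_unlock() pair if that guarantee is not intended to be relied on) would pin the assumption down. Line 141 also turns the previous NULL-tolerant `if (rerouter)` into an unconditional `afinfo->saveroute()` call, and nf_reinject() does the same for `reroute()` at line 209, so a registration with a NULL callback now oopses; nf_register_afinfo() does not validate these members, so they should be documented as mandatory or checked at registration. nf_queue() begins before and ends after these hunks, as does nf_reinject().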
