aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/net/netfilter/nf_tables.h22
-rw-r--r--net/bridge/netfilter/nf_tables_bridge.c4
-rw-r--r--net/ipv4/netfilter/nf_tables_arp.c4
-rw-r--r--net/ipv4/netfilter/nf_tables_ipv4.c4
-rw-r--r--net/ipv4/netfilter/nft_chain_nat_ipv4.c6
-rw-r--r--net/ipv4/netfilter/nft_chain_route_ipv4.c6
-rw-r--r--net/ipv6/netfilter/nf_tables_ipv6.c4
-rw-r--r--net/ipv6/netfilter/nft_chain_nat_ipv6.c6
-rw-r--r--net/ipv6/netfilter/nft_chain_route_ipv6.c6
-rw-r--r--net/netfilter/nf_tables_api.c12
-rw-r--r--net/netfilter/nf_tables_inet.c4
11 files changed, 44 insertions, 34 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index d3f70530a59a..342236550ef9 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -498,13 +498,23 @@ struct nft_af_info {
498int nft_register_afinfo(struct net *, struct nft_af_info *); 498int nft_register_afinfo(struct net *, struct nft_af_info *);
499void nft_unregister_afinfo(struct nft_af_info *); 499void nft_unregister_afinfo(struct nft_af_info *);
500 500
501/**
502 * struct nf_chain_type - nf_tables chain type info
503 *
504 * @name: name of the type
505 * @type: numeric identifier
506 * @family: address family
507 * @owner: module owner
508 * @hook_mask: mask of valid hooks
509 * @hooks: hookfn overrides
510 */
501struct nf_chain_type { 511struct nf_chain_type {
502 unsigned int hook_mask; 512 const char *name;
503 const char *name; 513 enum nft_chain_type type;
504 enum nft_chain_type type; 514 int family;
505 nf_hookfn *fn[NF_MAX_HOOKS]; 515 struct module *owner;
506 struct module *me; 516 unsigned int hook_mask;
507 int family; 517 nf_hookfn *hooks[NF_MAX_HOOKS];
508}; 518};
509 519
510int nft_register_chain_type(const struct nf_chain_type *); 520int nft_register_chain_type(const struct nf_chain_type *);
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index 283658d21825..c83fab5f8736 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -69,10 +69,10 @@ static struct pernet_operations nf_tables_bridge_net_ops = {
69}; 69};
70 70
71static const struct nf_chain_type filter_bridge = { 71static const struct nf_chain_type filter_bridge = {
72 .family = NFPROTO_BRIDGE,
73 .name = "filter", 72 .name = "filter",
74 .type = NFT_CHAIN_T_DEFAULT, 73 .type = NFT_CHAIN_T_DEFAULT,
75 .me = THIS_MODULE, 74 .family = NFPROTO_BRIDGE,
75 .owner = THIS_MODULE,
76 .hook_mask = (1 << NF_BR_LOCAL_IN) | 76 .hook_mask = (1 << NF_BR_LOCAL_IN) |
77 (1 << NF_BR_FORWARD) | 77 (1 << NF_BR_FORWARD) |
78 (1 << NF_BR_LOCAL_OUT), 78 (1 << NF_BR_LOCAL_OUT),
diff --git a/net/ipv4/netfilter/nf_tables_arp.c b/net/ipv4/netfilter/nf_tables_arp.c
index 8af01a5e8f98..b90d16c332ab 100644
--- a/net/ipv4/netfilter/nf_tables_arp.c
+++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -69,10 +69,10 @@ static struct pernet_operations nf_tables_arp_net_ops = {
69}; 69};
70 70
71static const struct nf_chain_type filter_arp = { 71static const struct nf_chain_type filter_arp = {
72 .family = NFPROTO_ARP,
73 .name = "filter", 72 .name = "filter",
74 .type = NFT_CHAIN_T_DEFAULT, 73 .type = NFT_CHAIN_T_DEFAULT,
75 .me = THIS_MODULE, 74 .family = NFPROTO_ARP,
75 .owner = THIS_MODULE,
76 .hook_mask = (1 << NF_ARP_IN) | 76 .hook_mask = (1 << NF_ARP_IN) |
77 (1 << NF_ARP_OUT) | 77 (1 << NF_ARP_OUT) |
78 (1 << NF_ARP_FORWARD), 78 (1 << NF_ARP_FORWARD),
diff --git a/net/ipv4/netfilter/nf_tables_ipv4.c b/net/ipv4/netfilter/nf_tables_ipv4.c
index cec7805de3e3..66679fd4b022 100644
--- a/net/ipv4/netfilter/nf_tables_ipv4.c
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -92,10 +92,10 @@ static struct pernet_operations nf_tables_ipv4_net_ops = {
92}; 92};
93 93
94static const struct nf_chain_type filter_ipv4 = { 94static const struct nf_chain_type filter_ipv4 = {
95 .family = NFPROTO_IPV4,
96 .name = "filter", 95 .name = "filter",
97 .type = NFT_CHAIN_T_DEFAULT, 96 .type = NFT_CHAIN_T_DEFAULT,
98 .me = THIS_MODULE, 97 .family = NFPROTO_IPV4,
98 .owner = THIS_MODULE,
99 .hook_mask = (1 << NF_INET_LOCAL_IN) | 99 .hook_mask = (1 << NF_INET_LOCAL_IN) |
100 (1 << NF_INET_LOCAL_OUT) | 100 (1 << NF_INET_LOCAL_OUT) |
101 (1 << NF_INET_FORWARD) | 101 (1 << NF_INET_FORWARD) |
diff --git a/net/ipv4/netfilter/nft_chain_nat_ipv4.c b/net/ipv4/netfilter/nft_chain_nat_ipv4.c
index 9e535c2c2cd2..208d60afaaa0 100644
--- a/net/ipv4/netfilter/nft_chain_nat_ipv4.c
+++ b/net/ipv4/netfilter/nft_chain_nat_ipv4.c
@@ -165,20 +165,20 @@ static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
165} 165}
166 166
167static const struct nf_chain_type nft_chain_nat_ipv4 = { 167static const struct nf_chain_type nft_chain_nat_ipv4 = {
168 .family = NFPROTO_IPV4,
169 .name = "nat", 168 .name = "nat",
170 .type = NFT_CHAIN_T_NAT, 169 .type = NFT_CHAIN_T_NAT,
170 .family = NFPROTO_IPV4,
171 .owner = THIS_MODULE,
171 .hook_mask = (1 << NF_INET_PRE_ROUTING) | 172 .hook_mask = (1 << NF_INET_PRE_ROUTING) |
172 (1 << NF_INET_POST_ROUTING) | 173 (1 << NF_INET_POST_ROUTING) |
173 (1 << NF_INET_LOCAL_OUT) | 174 (1 << NF_INET_LOCAL_OUT) |
174 (1 << NF_INET_LOCAL_IN), 175 (1 << NF_INET_LOCAL_IN),
175 .fn = { 176 .hooks = {
176 [NF_INET_PRE_ROUTING] = nf_nat_prerouting, 177 [NF_INET_PRE_ROUTING] = nf_nat_prerouting,
177 [NF_INET_POST_ROUTING] = nf_nat_postrouting, 178 [NF_INET_POST_ROUTING] = nf_nat_postrouting,
178 [NF_INET_LOCAL_OUT] = nf_nat_output, 179 [NF_INET_LOCAL_OUT] = nf_nat_output,
179 [NF_INET_LOCAL_IN] = nf_nat_fn, 180 [NF_INET_LOCAL_IN] = nf_nat_fn,
180 }, 181 },
181 .me = THIS_MODULE,
182}; 182};
183 183
184static int __init nft_chain_nat_init(void) 184static int __init nft_chain_nat_init(void)
diff --git a/net/ipv4/netfilter/nft_chain_route_ipv4.c b/net/ipv4/netfilter/nft_chain_route_ipv4.c
index 2dd2eeaad15f..67db1bbde1c8 100644
--- a/net/ipv4/netfilter/nft_chain_route_ipv4.c
+++ b/net/ipv4/netfilter/nft_chain_route_ipv4.c
@@ -62,14 +62,14 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
62} 62}
63 63
64static const struct nf_chain_type nft_chain_route_ipv4 = { 64static const struct nf_chain_type nft_chain_route_ipv4 = {
65 .family = NFPROTO_IPV4,
66 .name = "route", 65 .name = "route",
67 .type = NFT_CHAIN_T_ROUTE, 66 .type = NFT_CHAIN_T_ROUTE,
67 .family = NFPROTO_IPV4,
68 .owner = THIS_MODULE,
68 .hook_mask = (1 << NF_INET_LOCAL_OUT), 69 .hook_mask = (1 << NF_INET_LOCAL_OUT),
69 .fn = { 70 .hooks = {
70 [NF_INET_LOCAL_OUT] = nf_route_table_hook, 71 [NF_INET_LOCAL_OUT] = nf_route_table_hook,
71 }, 72 },
72 .me = THIS_MODULE,
73}; 73};
74 74
75static int __init nft_chain_route_init(void) 75static int __init nft_chain_route_init(void)
diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c
index 758a32b0e2ff..859fca0432ff 100644
--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -91,10 +91,10 @@ static struct pernet_operations nf_tables_ipv6_net_ops = {
91}; 91};
92 92
93static const struct nf_chain_type filter_ipv6 = { 93static const struct nf_chain_type filter_ipv6 = {
94 .family = NFPROTO_IPV6,
95 .name = "filter", 94 .name = "filter",
96 .type = NFT_CHAIN_T_DEFAULT, 95 .type = NFT_CHAIN_T_DEFAULT,
97 .me = THIS_MODULE, 96 .family = NFPROTO_IPV6,
97 .owner = THIS_MODULE,
98 .hook_mask = (1 << NF_INET_LOCAL_IN) | 98 .hook_mask = (1 << NF_INET_LOCAL_IN) |
99 (1 << NF_INET_LOCAL_OUT) | 99 (1 << NF_INET_LOCAL_OUT) |
100 (1 << NF_INET_FORWARD) | 100 (1 << NF_INET_FORWARD) |
diff --git a/net/ipv6/netfilter/nft_chain_nat_ipv6.c b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
index efd1d57a610a..9ed60ab833f5 100644
--- a/net/ipv6/netfilter/nft_chain_nat_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
@@ -171,20 +171,20 @@ static unsigned int nf_nat_ipv6_output(const struct nf_hook_ops *ops,
171} 171}
172 172
173static const struct nf_chain_type nft_chain_nat_ipv6 = { 173static const struct nf_chain_type nft_chain_nat_ipv6 = {
174 .family = NFPROTO_IPV6,
175 .name = "nat", 174 .name = "nat",
176 .type = NFT_CHAIN_T_NAT, 175 .type = NFT_CHAIN_T_NAT,
176 .family = NFPROTO_IPV6,
177 .owner = THIS_MODULE,
177 .hook_mask = (1 << NF_INET_PRE_ROUTING) | 178 .hook_mask = (1 << NF_INET_PRE_ROUTING) |
178 (1 << NF_INET_POST_ROUTING) | 179 (1 << NF_INET_POST_ROUTING) |
179 (1 << NF_INET_LOCAL_OUT) | 180 (1 << NF_INET_LOCAL_OUT) |
180 (1 << NF_INET_LOCAL_IN), 181 (1 << NF_INET_LOCAL_IN),
181 .fn = { 182 .hooks = {
182 [NF_INET_PRE_ROUTING] = nf_nat_ipv6_prerouting, 183 [NF_INET_PRE_ROUTING] = nf_nat_ipv6_prerouting,
183 [NF_INET_POST_ROUTING] = nf_nat_ipv6_postrouting, 184 [NF_INET_POST_ROUTING] = nf_nat_ipv6_postrouting,
184 [NF_INET_LOCAL_OUT] = nf_nat_ipv6_output, 185 [NF_INET_LOCAL_OUT] = nf_nat_ipv6_output,
185 [NF_INET_LOCAL_IN] = nf_nat_ipv6_fn, 186 [NF_INET_LOCAL_IN] = nf_nat_ipv6_fn,
186 }, 187 },
187 .me = THIS_MODULE,
188}; 188};
189 189
190static int __init nft_chain_nat_ipv6_init(void) 190static int __init nft_chain_nat_ipv6_init(void)
diff --git a/net/ipv6/netfilter/nft_chain_route_ipv6.c b/net/ipv6/netfilter/nft_chain_route_ipv6.c
index 3620f8851eba..b2b7effa896b 100644
--- a/net/ipv6/netfilter/nft_chain_route_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_route_ipv6.c
@@ -60,14 +60,14 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
60} 60}
61 61
62static const struct nf_chain_type nft_chain_route_ipv6 = { 62static const struct nf_chain_type nft_chain_route_ipv6 = {
63 .family = NFPROTO_IPV6,
64 .name = "route", 63 .name = "route",
65 .type = NFT_CHAIN_T_ROUTE, 64 .type = NFT_CHAIN_T_ROUTE,
65 .family = NFPROTO_IPV6,
66 .owner = THIS_MODULE,
66 .hook_mask = (1 << NF_INET_LOCAL_OUT), 67 .hook_mask = (1 << NF_INET_LOCAL_OUT),
67 .fn = { 68 .hooks = {
68 [NF_INET_LOCAL_OUT] = nf_route_table_hook, 69 [NF_INET_LOCAL_OUT] = nf_route_table_hook,
69 }, 70 },
70 .me = THIS_MODULE,
71}; 71};
72 72
73static int __init nft_chain_route_init(void) 73static int __init nft_chain_route_init(void)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index acdd9d68d52f..c8ca3b8762b4 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -929,9 +929,9 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
929 929
930 if (!(type->hook_mask & (1 << hooknum))) 930 if (!(type->hook_mask & (1 << hooknum)))
931 return -EOPNOTSUPP; 931 return -EOPNOTSUPP;
932 if (!try_module_get(type->me)) 932 if (!try_module_get(type->owner))
933 return -ENOENT; 933 return -ENOENT;
934 hookfn = type->fn[hooknum]; 934 hookfn = type->hooks[hooknum];
935 935
936 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL); 936 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
937 if (basechain == NULL) 937 if (basechain == NULL)
@@ -941,7 +941,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
941 err = nf_tables_counters(basechain, 941 err = nf_tables_counters(basechain,
942 nla[NFTA_CHAIN_COUNTERS]); 942 nla[NFTA_CHAIN_COUNTERS]);
943 if (err < 0) { 943 if (err < 0) {
944 module_put(type->me); 944 module_put(type->owner);
945 kfree(basechain); 945 kfree(basechain);
946 return err; 946 return err;
947 } 947 }
@@ -950,7 +950,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
950 950
951 newstats = alloc_percpu(struct nft_stats); 951 newstats = alloc_percpu(struct nft_stats);
952 if (newstats == NULL) { 952 if (newstats == NULL) {
953 module_put(type->me); 953 module_put(type->owner);
954 kfree(basechain); 954 kfree(basechain);
955 return -ENOMEM; 955 return -ENOMEM;
956 } 956 }
@@ -992,7 +992,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
992 chain->flags & NFT_BASE_CHAIN) { 992 chain->flags & NFT_BASE_CHAIN) {
993 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops); 993 err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
994 if (err < 0) { 994 if (err < 0) {
995 module_put(basechain->type->me); 995 module_put(basechain->type->owner);
996 free_percpu(basechain->stats); 996 free_percpu(basechain->stats);
997 kfree(basechain); 997 kfree(basechain);
998 return err; 998 return err;
@@ -1013,7 +1013,7 @@ static void nf_tables_rcu_chain_destroy(struct rcu_head *head)
1013 BUG_ON(chain->use > 0); 1013 BUG_ON(chain->use > 0);
1014 1014
1015 if (chain->flags & NFT_BASE_CHAIN) { 1015 if (chain->flags & NFT_BASE_CHAIN) {
1016 module_put(nft_base_chain(chain)->type->me); 1016 module_put(nft_base_chain(chain)->type->owner);
1017 free_percpu(nft_base_chain(chain)->stats); 1017 free_percpu(nft_base_chain(chain)->stats);
1018 kfree(nft_base_chain(chain)); 1018 kfree(nft_base_chain(chain));
1019 } else 1019 } else
diff --git a/net/netfilter/nf_tables_inet.c b/net/netfilter/nf_tables_inet.c
index ee29ba2829d0..84478de179ea 100644
--- a/net/netfilter/nf_tables_inet.c
+++ b/net/netfilter/nf_tables_inet.c
@@ -67,10 +67,10 @@ static struct pernet_operations nf_tables_inet_net_ops = {
67}; 67};
68 68
69static const struct nf_chain_type filter_inet = { 69static const struct nf_chain_type filter_inet = {
70 .family = NFPROTO_INET,
71 .name = "filter", 70 .name = "filter",
72 .type = NFT_CHAIN_T_DEFAULT, 71 .type = NFT_CHAIN_T_DEFAULT,
73 .me = THIS_MODULE, 72 .family = NFPROTO_INET,
73 .owner = THIS_MODULE,
74 .hook_mask = (1 << NF_INET_LOCAL_IN) | 74 .hook_mask = (1 << NF_INET_LOCAL_IN) |
75 (1 << NF_INET_LOCAL_OUT) | 75 (1 << NF_INET_LOCAL_OUT) |
76 (1 << NF_INET_FORWARD) | 76 (1 << NF_INET_FORWARD) |
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-31 05:46:14 -0500