Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/netfilter/arptable_filter.c30
-rw-r--r--net/ipv4/netfilter/iptable_filter.c50
-rw-r--r--net/ipv4/netfilter/iptable_mangle.c71
-rw-r--r--net/ipv4/netfilter/iptable_raw.c26
-rw-r--r--net/ipv4/netfilter/iptable_security.c50
5 files changed, 75 insertions, 152 deletions
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 97337601827a..e9d823b149cd 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -53,43 +53,37 @@ static const struct xt_table packet_filter = {
53}; 53};
54 54
55/* The work comes in here from netfilter.c */ 55/* The work comes in here from netfilter.c */
56static unsigned int arpt_in_hook(unsigned int hook, 56static unsigned int
57 struct sk_buff *skb, 57arptable_filter_hook(unsigned int hook, struct sk_buff *skb,
58 const struct net_device *in, 58 const struct net_device *in, const struct net_device *out,
59 const struct net_device *out, 59 int (*okfn)(struct sk_buff *))
60 int (*okfn)(struct sk_buff *))
61{ 60{
62 return arpt_do_table(skb, hook, in, out, 61 if (hook == NF_ARP_OUT)
63 dev_net(in)->ipv4.arptable_filter); 62 return arpt_do_table(skb, hook, in, out,
64} 63 dev_net(out)->ipv4.arptable_filter);
65 64
66static unsigned int arpt_out_hook(unsigned int hook, 65 /* INPUT/FORWARD: */
67 struct sk_buff *skb,
68 const struct net_device *in,
69 const struct net_device *out,
70 int (*okfn)(struct sk_buff *))
71{
72 return arpt_do_table(skb, hook, in, out, 66 return arpt_do_table(skb, hook, in, out,
73 dev_net(out)->ipv4.arptable_filter); 67 dev_net(in)->ipv4.arptable_filter);
74} 68}
75 69
76static struct nf_hook_ops arpt_ops[] __read_mostly = { 70static struct nf_hook_ops arpt_ops[] __read_mostly = {
77 { 71 {
78 .hook = arpt_in_hook, 72 .hook = arptable_filter_hook,
79 .owner = THIS_MODULE, 73 .owner = THIS_MODULE,
80 .pf = NFPROTO_ARP, 74 .pf = NFPROTO_ARP,
81 .hooknum = NF_ARP_IN, 75 .hooknum = NF_ARP_IN,
82 .priority = NF_IP_PRI_FILTER, 76 .priority = NF_IP_PRI_FILTER,
83 }, 77 },
84 { 78 {
85 .hook = arpt_out_hook, 79 .hook = arptable_filter_hook,
86 .owner = THIS_MODULE, 80 .owner = THIS_MODULE,
87 .pf = NFPROTO_ARP, 81 .pf = NFPROTO_ARP,
88 .hooknum = NF_ARP_OUT, 82 .hooknum = NF_ARP_OUT,
89 .priority = NF_IP_PRI_FILTER, 83 .priority = NF_IP_PRI_FILTER,
90 }, 84 },
91 { 85 {
92 .hook = arpt_in_hook, 86 .hook = arptable_filter_hook,
93 .owner = THIS_MODULE, 87 .owner = THIS_MODULE,
94 .pf = NFPROTO_ARP, 88 .pf = NFPROTO_ARP,
95 .hooknum = NF_ARP_FORWARD, 89 .hooknum = NF_ARP_FORWARD,
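Review bot: The merged arptable_filter_hook resolves the namespace through `out` only for NF_ARP_OUT and through `in` for everything else, which is safe only because arpt_ops registers it on exactly NF_ARP_IN, NF_ARP_OUT and NF_ARP_FORWARD; on the output path there is presumably no input device, so registering this hook on any other hooknum would hand dev_net() a NULL pointer. The `/* INPUT/FORWARD: */` comment should state that invariant so the coupling to arpt_ops is visible at the function, e.g. `/* INPUT/FORWARD: in is always set here; OUT above must use out because in is NULL on that path. */`. The dispatch itself is otherwise equivalent to the two hooks it replaces.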
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index dee90eb8aa47..5369833ad56a 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -60,61 +60,43 @@ static const struct xt_table packet_filter = {
60 .af = NFPROTO_IPV4, 60 .af = NFPROTO_IPV4,
61}; 61};
62 62
63/* The work comes in here from netfilter.c. */
64static unsigned int 63static unsigned int
65ipt_local_in_hook(unsigned int hook, 64iptable_filter_hook(unsigned int hook, struct sk_buff *skb,
66 struct sk_buff *skb, 65 const struct net_device *in, const struct net_device *out,
67 const struct net_device *in, 66 int (*okfn)(struct sk_buff *))
68 const struct net_device *out,
69 int (*okfn)(struct sk_buff *))
70{ 67{
71 return ipt_do_table(skb, hook, in, out, 68 if (hook == NF_INET_LOCAL_OUT) {
72 dev_net(in)->ipv4.iptable_filter); 69 if (skb->len < sizeof(struct iphdr) ||
73} 70 ip_hdrlen(skb) < sizeof(struct iphdr))
71 /* root is playing with raw sockets. */
72 return NF_ACCEPT;
73
74 return ipt_do_table(skb, hook, in, out,
75 dev_net(out)->ipv4.iptable_filter);
76 }
74 77
75static unsigned int 78 /* LOCAL_IN/FORWARD: */
76ipt_hook(unsigned int hook,
77 struct sk_buff *skb,
78 const struct net_device *in,
79 const struct net_device *out,
80 int (*okfn)(struct sk_buff *))
81{
82 return ipt_do_table(skb, hook, in, out, 79 return ipt_do_table(skb, hook, in, out,
83 dev_net(in)->ipv4.iptable_filter); 80 dev_net(in)->ipv4.iptable_filter);
84} 81}
85 82
86static unsigned int
87ipt_local_out_hook(unsigned int hook,
88 struct sk_buff *skb,
89 const struct net_device *in,
90 const struct net_device *out,
91 int (*okfn)(struct sk_buff *))
92{
93 /* root is playing with raw sockets. */
94 if (skb->len < sizeof(struct iphdr) ||
95 ip_hdrlen(skb) < sizeof(struct iphdr))
96 return NF_ACCEPT;
97 return ipt_do_table(skb, hook, in, out,
98 dev_net(out)->ipv4.iptable_filter);
99}
100
101static struct nf_hook_ops ipt_ops[] __read_mostly = { 83static struct nf_hook_ops ipt_ops[] __read_mostly = {
102 { 84 {
103 .hook = ipt_local_in_hook, 85 .hook = iptable_filter_hook,
104 .owner = THIS_MODULE, 86 .owner = THIS_MODULE,
105 .pf = NFPROTO_IPV4, 87 .pf = NFPROTO_IPV4,
106 .hooknum = NF_INET_LOCAL_IN, 88 .hooknum = NF_INET_LOCAL_IN,
107 .priority = NF_IP_PRI_FILTER, 89 .priority = NF_IP_PRI_FILTER,
108 }, 90 },
109 { 91 {
110 .hook = ipt_hook, 92 .hook = iptable_filter_hook,
111 .owner = THIS_MODULE, 93 .owner = THIS_MODULE,
112 .pf = NFPROTO_IPV4, 94 .pf = NFPROTO_IPV4,
113 .hooknum = NF_INET_FORWARD, 95 .hooknum = NF_INET_FORWARD,
114 .priority = NF_IP_PRI_FILTER, 96 .priority = NF_IP_PRI_FILTER,
115 }, 97 },
116 { 98 {
117 .hook = ipt_local_out_hook, 99 .hook = iptable_filter_hook,
118 .owner = THIS_MODULE, 100 .owner = THIS_MODULE,
119 .pf = NFPROTO_IPV4, 101 .pf = NFPROTO_IPV4,
120 .hooknum = NF_INET_LOCAL_OUT, 102 .hooknum = NF_INET_LOCAL_OUT,
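Review bot: The `/* root is playing with raw sockets. */` comment now sits between the `if` condition and its `return NF_ACCEPT;` body, so the single-statement body reads as if the comment were the statement; kernel style keeps it above the `if`, as iptable_raw.c in this same series does. That early accept means a locally generated packet whose IP header is shorter than `sizeof(struct iphdr)` never traverses the filter OUTPUT chain at all, and the comment does not say why that is tolerable; suggest `/* Header too short for ipt_do_table() to inspect: accept rather than misparse, so OUTPUT rules are not consulted for it. */` above the `if`. The INPUT/FORWARD path performs no such length check, presumably because the receive path already validated the header; a one-line note saying so would keep the asymmetry from looking accidental.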
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index e07bf242343a..4e699cd275c6 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -71,51 +71,6 @@ static const struct xt_table packet_mangler = {
71 .af = NFPROTO_IPV4, 71 .af = NFPROTO_IPV4,
72}; 72};
73 73
74/* The work comes in here from netfilter.c. */
75static unsigned int
76ipt_pre_routing_hook(unsigned int hook,
77 struct sk_buff *skb,
78 const struct net_device *in,
79 const struct net_device *out,
80 int (*okfn)(struct sk_buff *))
81{
82 return ipt_do_table(skb, hook, in, out,
83 dev_net(in)->ipv4.iptable_mangle);
84}
85
86static unsigned int
87ipt_post_routing_hook(unsigned int hook,
88 struct sk_buff *skb,
89 const struct net_device *in,
90 const struct net_device *out,
91 int (*okfn)(struct sk_buff *))
92{
93 return ipt_do_table(skb, hook, in, out,
94 dev_net(out)->ipv4.iptable_mangle);
95}
96
97static unsigned int
98ipt_local_in_hook(unsigned int hook,
99 struct sk_buff *skb,
100 const struct net_device *in,
101 const struct net_device *out,
102 int (*okfn)(struct sk_buff *))
103{
104 return ipt_do_table(skb, hook, in, out,
105 dev_net(in)->ipv4.iptable_mangle);
106}
107
108static unsigned int
109ipt_forward_hook(unsigned int hook,
110 struct sk_buff *skb,
111 const struct net_device *in,
112 const struct net_device *out,
113 int (*okfn)(struct sk_buff *))
114{
115 return ipt_do_table(skb, hook, in, out,
116 dev_net(in)->ipv4.iptable_mangle);
117}
118
119static unsigned int 74static unsigned int
120ipt_local_hook(unsigned int hook, 75ipt_local_hook(unsigned int hook,
121 struct sk_buff *skb, 76 struct sk_buff *skb,
@@ -158,37 +113,53 @@ ipt_local_hook(unsigned int hook,
158 return ret; 113 return ret;
159} 114}
160 115
116/* The work comes in here from netfilter.c. */
117static unsigned int
118iptable_mangle_hook(unsigned int hook,
119 struct sk_buff *skb,
120 const struct net_device *in,
121 const struct net_device *out,
122 int (*okfn)(struct sk_buff *))
123{
124 if (hook == NF_INET_LOCAL_OUT)
125 return ipt_local_hook(hook, skb, in, out, okfn);
126
127 /* PREROUTING/INPUT/FORWARD: */
128 return ipt_do_table(skb, hook, in, out,
129 dev_net(in)->ipv4.iptable_mangle);
130}
131
161static struct nf_hook_ops ipt_ops[] __read_mostly = { 132static struct nf_hook_ops ipt_ops[] __read_mostly = {
162 { 133 {
163 .hook = ipt_pre_routing_hook, 134 .hook = iptable_mangle_hook,
164 .owner = THIS_MODULE, 135 .owner = THIS_MODULE,
165 .pf = NFPROTO_IPV4, 136 .pf = NFPROTO_IPV4,
166 .hooknum = NF_INET_PRE_ROUTING, 137 .hooknum = NF_INET_PRE_ROUTING,
167 .priority = NF_IP_PRI_MANGLE, 138 .priority = NF_IP_PRI_MANGLE,
168 }, 139 },
169 { 140 {
170 .hook = ipt_local_in_hook, 141 .hook = iptable_mangle_hook,
171 .owner = THIS_MODULE, 142 .owner = THIS_MODULE,
172 .pf = NFPROTO_IPV4, 143 .pf = NFPROTO_IPV4,
173 .hooknum = NF_INET_LOCAL_IN, 144 .hooknum = NF_INET_LOCAL_IN,
174 .priority = NF_IP_PRI_MANGLE, 145 .priority = NF_IP_PRI_MANGLE,
175 }, 146 },
176 { 147 {
177 .hook = ipt_forward_hook, 148 .hook = iptable_mangle_hook,
178 .owner = THIS_MODULE, 149 .owner = THIS_MODULE,
179 .pf = NFPROTO_IPV4, 150 .pf = NFPROTO_IPV4,
180 .hooknum = NF_INET_FORWARD, 151 .hooknum = NF_INET_FORWARD,
181 .priority = NF_IP_PRI_MANGLE, 152 .priority = NF_IP_PRI_MANGLE,
182 }, 153 },
183 { 154 {
184 .hook = ipt_local_hook, 155 .hook = iptable_mangle_hook,
185 .owner = THIS_MODULE, 156 .owner = THIS_MODULE,
186 .pf = NFPROTO_IPV4, 157 .pf = NFPROTO_IPV4,
187 .hooknum = NF_INET_LOCAL_OUT, 158 .hooknum = NF_INET_LOCAL_OUT,
188 .priority = NF_IP_PRI_MANGLE, 159 .priority = NF_IP_PRI_MANGLE,
189 }, 160 },
190 { 161 {
191 .hook = ipt_post_routing_hook, 162 .hook = iptable_mangle_hook,
192 .owner = THIS_MODULE, 163 .owner = THIS_MODULE,
193 .pf = NFPROTO_IPV4, 164 .pf = NFPROTO_IPV4,
194 .hooknum = NF_INET_POST_ROUTING, 165 .hooknum = NF_INET_POST_ROUTING,
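Review bot: iptable_mangle_hook resolves the table through `dev_net(in)` for every hook other than NF_INET_LOCAL_OUT, yet ipt_ops still registers it on NF_INET_POST_ROUTING, where the removed ipt_post_routing_hook used `dev_net(out)`; for locally originated traffic there is no input device at POSTROUTING, so this path dereferences a NULL `in`. The comment `/* PREROUTING/INPUT/FORWARD: */` itself omits POSTROUTING, which suggests the case was simply lost in the consolidation. Add before the fallthrough: `if (hook == NF_INET_POST_ROUTING) return ipt_do_table(skb, hook, in, out, dev_net(out)->ipv4.iptable_mangle);` and mention POSTROUTING-via-out in the comment. ipt_local_hook, which the new function delegates to for LOCAL_OUT, has its body outside this hunk.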
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 40f2b9f611a2..2c55575e89f5 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -45,23 +45,15 @@ static const struct xt_table packet_raw = {
45 45
46/* The work comes in here from netfilter.c. */ 46/* The work comes in here from netfilter.c. */
47static unsigned int 47static unsigned int
48ipt_hook(unsigned int hook, 48iptable_raw_hook(unsigned int hook, struct sk_buff *skb,
49 struct sk_buff *skb, 49 const struct net_device *in, const struct net_device *out,
50 const struct net_device *in, 50 int (*okfn)(struct sk_buff *))
51 const struct net_device *out,
52 int (*okfn)(struct sk_buff *))
53{ 51{
54 return ipt_do_table(skb, hook, in, out, 52 if (hook == NF_INET_PRE_ROUTING)
55 dev_net(in)->ipv4.iptable_raw); 53 return ipt_do_table(skb, hook, in, out,
56} 54 dev_net(in)->ipv4.iptable_raw);
57 55
58static unsigned int 56 /* OUTPUT: */
59ipt_local_hook(unsigned int hook,
60 struct sk_buff *skb,
61 const struct net_device *in,
62 const struct net_device *out,
63 int (*okfn)(struct sk_buff *))
64{
65 /* root is playing with raw sockets. */ 57 /* root is playing with raw sockets. */
66 if (skb->len < sizeof(struct iphdr) || 58 if (skb->len < sizeof(struct iphdr) ||
67 ip_hdrlen(skb) < sizeof(struct iphdr)) 59 ip_hdrlen(skb) < sizeof(struct iphdr))
@@ -73,14 +65,14 @@ ipt_local_hook(unsigned int hook,
73/* 'raw' is the very first table. */ 65/* 'raw' is the very first table. */
74static struct nf_hook_ops ipt_ops[] __read_mostly = { 66static struct nf_hook_ops ipt_ops[] __read_mostly = {
75 { 67 {
76 .hook = ipt_hook, 68 .hook = iptable_raw_hook,
77 .pf = NFPROTO_IPV4, 69 .pf = NFPROTO_IPV4,
78 .hooknum = NF_INET_PRE_ROUTING, 70 .hooknum = NF_INET_PRE_ROUTING,
79 .priority = NF_IP_PRI_RAW, 71 .priority = NF_IP_PRI_RAW,
80 .owner = THIS_MODULE, 72 .owner = THIS_MODULE,
81 }, 73 },
82 { 74 {
83 .hook = ipt_local_hook, 75 .hook = iptable_raw_hook,
84 .pf = NFPROTO_IPV4, 76 .pf = NFPROTO_IPV4,
85 .hooknum = NF_INET_LOCAL_OUT, 77 .hooknum = NF_INET_LOCAL_OUT,
86 .priority = NF_IP_PRI_RAW, 78 .priority = NF_IP_PRI_RAW,
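Review bot: iptable_raw_hook's LOCAL_OUT tail (the lines after the raw-socket length check) falls outside the first hunk, so the table lookup it performs for locally generated packets cannot be confirmed here; what is visible is that only NF_INET_PRE_ROUTING resolves the namespace via `in`. Since the registration in the second hunk is what guarantees `out` is meaningful on the other path, the bare `/* OUTPUT: */` comment would be more useful as `/* LOCAL_OUT: no input device here, resolve the net namespace via out. */`. Unlike iptable_filter.c and iptable_security.c in this series, the raw-socket comment here stays above its `if`, which is the placement the other two files should adopt.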
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 7ce2366e4305..1c666bab3269 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -65,59 +65,43 @@ static const struct xt_table security_table = {
65}; 65};
66 66
67static unsigned int 67static unsigned int
68ipt_local_in_hook(unsigned int hook, 68iptable_security_hook(unsigned int hook, struct sk_buff *skb,
69 struct sk_buff *skb, 69 const struct net_device *in,
70 const struct net_device *in, 70 const struct net_device *out,
71 const struct net_device *out, 71 int (*okfn)(struct sk_buff *))
72 int (*okfn)(struct sk_buff *))
73{ 72{
74 return ipt_do_table(skb, hook, in, out, 73 if (hook == NF_INET_LOCAL_OUT) {
75 dev_net(in)->ipv4.iptable_security); 74 if (skb->len < sizeof(struct iphdr) ||
76} 75 ip_hdrlen(skb) < sizeof(struct iphdr))
76 /* Somebody is playing with raw sockets. */
77 return NF_ACCEPT;
77 78
78static unsigned int 79 return ipt_do_table(skb, hook, in, out,
79ipt_forward_hook(unsigned int hook, 80 dev_net(out)->ipv4.iptable_security);
80 struct sk_buff *skb, 81 }
81 const struct net_device *in,
82 const struct net_device *out,
83 int (*okfn)(struct sk_buff *))
84{
85 return ipt_do_table(skb, hook, in, out,
86 dev_net(in)->ipv4.iptable_security);
87}
88 82
89static unsigned int 83 /* INPUT/FORWARD: */
90ipt_local_out_hook(unsigned int hook,
91 struct sk_buff *skb,
92 const struct net_device *in,
93 const struct net_device *out,
94 int (*okfn)(struct sk_buff *))
95{
96 /* Somebody is playing with raw sockets. */
97 if (skb->len < sizeof(struct iphdr) ||
98 ip_hdrlen(skb) < sizeof(struct iphdr))
99 return NF_ACCEPT;
100 return ipt_do_table(skb, hook, in, out, 84 return ipt_do_table(skb, hook, in, out,
101 dev_net(out)->ipv4.iptable_security); 85 dev_net(in)->ipv4.iptable_security);
102} 86}
103 87
104static struct nf_hook_ops ipt_ops[] __read_mostly = { 88static struct nf_hook_ops ipt_ops[] __read_mostly = {
105 { 89 {
106 .hook = ipt_local_in_hook, 90 .hook = iptable_security_hook,
107 .owner = THIS_MODULE, 91 .owner = THIS_MODULE,
108 .pf = NFPROTO_IPV4, 92 .pf = NFPROTO_IPV4,
109 .hooknum = NF_INET_LOCAL_IN, 93 .hooknum = NF_INET_LOCAL_IN,
110 .priority = NF_IP_PRI_SECURITY, 94 .priority = NF_IP_PRI_SECURITY,
111 }, 95 },
112 { 96 {
113 .hook = ipt_forward_hook, 97 .hook = iptable_security_hook,
114 .owner = THIS_MODULE, 98 .owner = THIS_MODULE,
115 .pf = NFPROTO_IPV4, 99 .pf = NFPROTO_IPV4,
116 .hooknum = NF_INET_FORWARD, 100 .hooknum = NF_INET_FORWARD,
117 .priority = NF_IP_PRI_SECURITY, 101 .priority = NF_IP_PRI_SECURITY,
118 }, 102 },
119 { 103 {
120 .hook = ipt_local_out_hook, 104 .hook = iptable_security_hook,
121 .owner = THIS_MODULE, 105 .owner = THIS_MODULE,
122 .pf = NFPROTO_IPV4, 106 .pf = NFPROTO_IPV4,
123 .hooknum = NF_INET_LOCAL_OUT, 107 .hooknum = NF_INET_LOCAL_OUT,
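Review bot: As in iptable_filter.c, the `/* Somebody is playing with raw sockets. */` comment has been moved between the `if` condition and the `return NF_ACCEPT;` it guards, which makes the single-statement body easy to misread; put it above the `if`. The effect of that branch is that a locally generated packet with a truncated IP header bypasses the security table's OUTPUT chain entirely, and since this table is presumably the one reserved for mandatory-access-control style rules (its purpose is not visible here), the bypass deserves an explicit sentence such as `/* Too short for ipt_do_table() to parse: accept, i.e. security OUTPUT rules are skipped for this packet. */`. The ipt_ops array continues past the end of the hunk.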