307749763a9117987910e55ad1b53c97fc6f14b6
1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Tue, 19 Dec 2017 13:53:45 +0100
3 Subject: [PATCH] netfilter: nf_tables: remove nhooks field from struct
4  nft_af_info
5
6 We already validate the hook through bitmask, so this check is
7 superfluous. When removing this, this patch is also fixing a bug in the
8 new flowtable codebase, since ctx->afi points to the table family
9 instead of the netdev family which is where the flowtable is really
10 hooked in.
11
12 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 ---
14
15 --- a/include/net/netfilter/nf_tables.h
16 +++ b/include/net/netfilter/nf_tables.h
17 @@ -968,7 +968,6 @@ enum nft_af_flags {
18   *
19   *     @list: used internally
20   *     @family: address family
21 - *     @nhooks: number of hooks in this family
22   *     @owner: module owner
23   *     @tables: used internally
24   *     @flags: family flags
25 @@ -976,7 +975,6 @@ enum nft_af_flags {
26  struct nft_af_info {
27         struct list_head                list;
28         int                             family;
29 -       unsigned int                    nhooks;
30         struct module                   *owner;
31         struct list_head                tables;
32         u32                             flags;
33 --- a/net/bridge/netfilter/nf_tables_bridge.c
34 +++ b/net/bridge/netfilter/nf_tables_bridge.c
35 @@ -44,7 +44,6 @@ nft_do_chain_bridge(void *priv,
36  
37  static struct nft_af_info nft_af_bridge __read_mostly = {
38         .family         = NFPROTO_BRIDGE,
39 -       .nhooks         = NF_BR_NUMHOOKS,
40         .owner          = THIS_MODULE,
41  };
42  
43 --- a/net/ipv4/netfilter/nf_tables_arp.c
44 +++ b/net/ipv4/netfilter/nf_tables_arp.c
45 @@ -29,7 +29,6 @@ nft_do_chain_arp(void *priv,
46  
47  static struct nft_af_info nft_af_arp __read_mostly = {
48         .family         = NFPROTO_ARP,
49 -       .nhooks         = NF_ARP_NUMHOOKS,
50         .owner          = THIS_MODULE,
51  };
52  
53 --- a/net/ipv4/netfilter/nf_tables_ipv4.c
54 +++ b/net/ipv4/netfilter/nf_tables_ipv4.c
55 @@ -32,7 +32,6 @@ static unsigned int nft_do_chain_ipv4(vo
56  
57  static struct nft_af_info nft_af_ipv4 __read_mostly = {
58         .family         = NFPROTO_IPV4,
59 -       .nhooks         = NF_INET_NUMHOOKS,
60         .owner          = THIS_MODULE,
61  };
62  
63 --- a/net/ipv6/netfilter/nf_tables_ipv6.c
64 +++ b/net/ipv6/netfilter/nf_tables_ipv6.c
65 @@ -30,7 +30,6 @@ static unsigned int nft_do_chain_ipv6(vo
66  
67  static struct nft_af_info nft_af_ipv6 __read_mostly = {
68         .family         = NFPROTO_IPV6,
69 -       .nhooks         = NF_INET_NUMHOOKS,
70         .owner          = THIS_MODULE,
71  };
72  
73 --- a/net/netfilter/nf_tables_api.c
74 +++ b/net/netfilter/nf_tables_api.c
75 @@ -1359,9 +1359,6 @@ static int nft_chain_parse_hook(struct n
76                 return -EINVAL;
77  
78         hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
79 -       if (hook->num >= afi->nhooks)
80 -               return -EINVAL;
81 -
82         hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
83  
84         type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
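Review bot: With the `hook->num >= afi->nhooks` test removed, `hook->num` flows from `nla_get_be32()` into the rest of nft_chain_parse_hook() with no upper bound visible in this hunk. The commit message relies on the hook bitmask validation, which sits further down in the function, outside the hunk. If that test has the form `1 << hook->num`, a netlink-supplied value of 32 or more makes the shift undefined before the mask can reject it. I would keep a family-independent bound ahead of it, for example `if (hook->num >= NF_MAX_HOOKS) return -EINVAL;`, so the mask test only ever sees an in-range shift count.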
85 @@ -4969,7 +4966,7 @@ static int nf_tables_flowtable_parse_hoo
86                 return -EINVAL;
87  
88         hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
89 -       if (hooknum >= ctx->afi->nhooks)
90 +       if (hooknum != NF_NETDEV_INGRESS)
91                 return -EINVAL;
92  
93         priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
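Review bot: The literal `NF_NETDEV_INGRESS` comparison deserves a one-line comment, since nothing at this site says why the table family is no longer consulted. Something like `/* flowtables always attach at netdev ingress, whatever family the table belongs to */` above the check would record the reasoning from the commit message and discourage restoring a `ctx->afi`-based bound later. nf_tables_flowtable_parse_hook() starts and ends outside the hunk.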
94 --- a/net/netfilter/nf_tables_inet.c
95 +++ b/net/netfilter/nf_tables_inet.c
96 @@ -40,7 +40,6 @@ static unsigned int nft_do_chain_inet(vo
97  
98  static struct nft_af_info nft_af_inet __read_mostly = {
99         .family         = NFPROTO_INET,
100 -       .nhooks         = NF_INET_NUMHOOKS,
101         .owner          = THIS_MODULE,
102  };
103  
104 --- a/net/netfilter/nf_tables_netdev.c
105 +++ b/net/netfilter/nf_tables_netdev.c
106 @@ -40,7 +40,6 @@ nft_do_chain_netdev(void *priv, struct s
107  
108  static struct nft_af_info nft_af_netdev __read_mostly = {
109         .family         = NFPROTO_NETDEV,
110 -       .nhooks         = NF_NETDEV_NUMHOOKS,
111         .owner          = THIS_MODULE,
112         .flags          = NFT_AF_NEEDS_DEV,
113  };