1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Tue, 19 Dec 2017 13:53:45 +0100
3 Subject: [PATCH] netfilter: nf_tables: remove nhooks field from struct
6 We already validate the hook through bitmask, so this check is
7 superfluous. When removing this, this patch is also fixing a bug in the
8 new flowtable codebase, since ctx->afi points to the table family
9 instead of the netdev family which is where the flowtable is really
12 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
15 --- a/include/net/netfilter/nf_tables.h
16 +++ b/include/net/netfilter/nf_tables.h
17 @@ -971,7 +971,6 @@ enum nft_af_flags {
19 * @list: used internally
20 * @family: address family
21 - * @nhooks: number of hooks in this family
22 * @owner: module owner
23 * @tables: used internally
24 * @flags: family flags
25 @@ -979,7 +978,6 @@ enum nft_af_flags {
27 struct list_head list;
29 - unsigned int nhooks;
31 struct list_head tables;
33 --- a/net/bridge/netfilter/nf_tables_bridge.c
34 +++ b/net/bridge/netfilter/nf_tables_bridge.c
35 @@ -44,7 +44,6 @@ nft_do_chain_bridge(void *priv,
37 static struct nft_af_info nft_af_bridge __read_mostly = {
38 .family = NFPROTO_BRIDGE,
39 - .nhooks = NF_BR_NUMHOOKS,
43 --- a/net/ipv4/netfilter/nf_tables_arp.c
44 +++ b/net/ipv4/netfilter/nf_tables_arp.c
45 @@ -29,7 +29,6 @@ nft_do_chain_arp(void *priv,
47 static struct nft_af_info nft_af_arp __read_mostly = {
48 .family = NFPROTO_ARP,
49 - .nhooks = NF_ARP_NUMHOOKS,
53 --- a/net/ipv4/netfilter/nf_tables_ipv4.c
54 +++ b/net/ipv4/netfilter/nf_tables_ipv4.c
55 @@ -32,7 +32,6 @@ static unsigned int nft_do_chain_ipv4(vo
57 static struct nft_af_info nft_af_ipv4 __read_mostly = {
58 .family = NFPROTO_IPV4,
59 - .nhooks = NF_INET_NUMHOOKS,
63 --- a/net/ipv6/netfilter/nf_tables_ipv6.c
64 +++ b/net/ipv6/netfilter/nf_tables_ipv6.c
65 @@ -30,7 +30,6 @@ static unsigned int nft_do_chain_ipv6(vo
67 static struct nft_af_info nft_af_ipv6 __read_mostly = {
68 .family = NFPROTO_IPV6,
69 - .nhooks = NF_INET_NUMHOOKS,
73 --- a/net/netfilter/nf_tables_api.c
74 +++ b/net/netfilter/nf_tables_api.c
75 @@ -1374,9 +1374,6 @@ static int nft_chain_parse_hook(struct n
78 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
79 - if (hook->num >= afi->nhooks)
82 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
84 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
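Review bot: With the `hook->num >= afi->nhooks` test removed, nothing visible in this hunk bounds `hook->num`, which is a 32-bit value read straight from the `NFTA_HOOK_HOOKNUM` netlink attribute. The commit message relies on the bitmask validation, which lies outside the hunk; if that test has the form `hook_mask & (1 << hook->num)`, a value of 32 or more makes the shift undefined, so on some architectures an out-of-range number could pass the mask test and be used later as a hook number. I would keep a family-independent upper bound ahead of the mask test, for example `if (hook->num >= NF_MAX_HOOKS) return -EINVAL;`, with a comment that the mask test alone does not range-check the value. nft_chain_parse_hook starts and ends outside this hunk.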
85 @@ -5019,7 +5016,7 @@ static int nf_tables_flowtable_parse_hoo
88 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
89 - if (hooknum >= ctx->afi->nhooks)
90 + if (hooknum != NF_NETDEV_INGRESS)
93 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
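Review bot: The new `hooknum != NF_NETDEV_INGRESS` test has no comment explaining why a netdev constant is compared here when `ctx->afi` describes the table's family. That reasoning exists only in the commit message, so a later reader could reintroduce a family-based bound and bring back the bug this line fixes. I would add above the test `/* flowtables attach at the netdev ingress hook only; ctx->afi is the table family, not netdev */`. The statement guarded by this test and the rest of the function lie outside the visible lines.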
94 --- a/net/netfilter/nf_tables_inet.c
95 +++ b/net/netfilter/nf_tables_inet.c
96 @@ -40,7 +40,6 @@ static unsigned int nft_do_chain_inet(vo
98 static struct nft_af_info nft_af_inet __read_mostly = {
99 .family = NFPROTO_INET,
100 - .nhooks = NF_INET_NUMHOOKS,
101 .owner = THIS_MODULE,
104 --- a/net/netfilter/nf_tables_netdev.c
105 +++ b/net/netfilter/nf_tables_netdev.c
106 @@ -40,7 +40,6 @@ nft_do_chain_netdev(void *priv, struct s
108 static struct nft_af_info nft_af_netdev __read_mostly = {
109 .family = NFPROTO_NETDEV,
110 - .nhooks = NF_NETDEV_NUMHOOKS,
111 .owner = THIS_MODULE,
112 .flags = NFT_AF_NEEDS_DEV,