dd969c12a6182ec768d8449395b6eeca69054105
1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Sat, 9 Dec 2017 15:43:17 +0100
3 Subject: [PATCH] netfilter: nf_tables: remove hooks from family definition
4
5 They don't belong to the family definition, move them to the filter
6 chain type definition instead.
7
8 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 ---
10
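--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -870,7 +870,7 @@ enum nft_chain_type {
  *     @family: address family
  *     @owner: module owner
  *     @hook_mask: mask of valid hooks
- *     @hooks: hookfn overrides
+ *     @hooks: array of hook functions
  */
 struct nf_chain_type {
        const char                      *name;
@@ -964,7 +964,6 @@ enum nft_af_flags {
  *     @owner: module owner
  *     @tables: used internally
  *     @flags: family flags
- *     @hooks: hookfn overrides for packet validation
  */
 struct nft_af_info {
        struct list_head                list;
@@ -973,7 +972,6 @@ struct nft_af_info {
        struct module                   *owner;
        struct list_head                tables;
        u32                             flags;
-       nf_hookfn                       *hooks[NF_MAX_HOOKS];
 };
 
 int nft_register_afinfo(struct net *, struct nft_af_info *);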
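Review bot: The reworded kernel-doc line `@hooks: array of hook functions` in the first hunk does not state the invariant this patch creates. With `hooks[]` removed from `struct nft_af_info`, the chain type's array is the only place a hook function can come from. I would word it as `@hooks: array of hook functions, one non-NULL entry per hook set in @hook_mask`, so authors of new chain types know there is no family-level default to fall back on. Both struct definitions continue outside the hunks shown.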
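--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge
        .family         = NFPROTO_BRIDGE,
        .nhooks         = NF_BR_NUMHOOKS,
        .owner          = THIS_MODULE,
-       .hooks          = {
-               [NF_BR_PRE_ROUTING]     = nft_do_chain_bridge,
-               [NF_BR_LOCAL_IN]        = nft_do_chain_bridge,
-               [NF_BR_FORWARD]         = nft_do_chain_bridge,
-               [NF_BR_LOCAL_OUT]       = nft_do_chain_bridge,
-               [NF_BR_POST_ROUTING]    = nft_do_chain_bridge,
-       },
 };
 
 static int nf_tables_bridge_init_net(struct net *net)
@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
                          (1 << NF_BR_FORWARD) |
                          (1 << NF_BR_LOCAL_OUT) |
                          (1 << NF_BR_POST_ROUTING),
+       .hooks          = {
+               [NF_BR_PRE_ROUTING]     = nft_do_chain_bridge,
+               [NF_BR_LOCAL_IN]        = nft_do_chain_bridge,
+               [NF_BR_FORWARD]         = nft_do_chain_bridge,
+               [NF_BR_LOCAL_OUT]       = nft_do_chain_bridge,
+               [NF_BR_POST_ROUTING]    = nft_do_chain_bridge,
+       },
 };
 
 static int __init nf_tables_bridge_init(void)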
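--- a/net/ipv4/netfilter/nf_tables_arp.c
+++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __r
        .family         = NFPROTO_ARP,
        .nhooks         = NF_ARP_NUMHOOKS,
        .owner          = THIS_MODULE,
-       .hooks          = {
-               [NF_ARP_IN]             = nft_do_chain_arp,
-               [NF_ARP_OUT]            = nft_do_chain_arp,
-       },
 };
 
 static int nf_tables_arp_init_net(struct net *net)
@@ -72,6 +68,10 @@ static const struct nf_chain_type filter
        .owner          = THIS_MODULE,
        .hook_mask      = (1 << NF_ARP_IN) |
                          (1 << NF_ARP_OUT),
+       .hooks          = {
+               [NF_ARP_IN]             = nft_do_chain_arp,
+               [NF_ARP_OUT]            = nft_do_chain_arp,
+       },
 };
 
 static int __init nf_tables_arp_init(void)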
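--- a/net/ipv4/netfilter/nf_tables_ipv4.c
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __
        .family         = NFPROTO_IPV4,
        .nhooks         = NF_INET_NUMHOOKS,
        .owner          = THIS_MODULE,
-       .hooks          = {
-               [NF_INET_LOCAL_IN]      = nft_do_chain_ipv4,
-               [NF_INET_LOCAL_OUT]     = nft_ipv4_output,
-               [NF_INET_FORWARD]       = nft_do_chain_ipv4,
-               [NF_INET_PRE_ROUTING]   = nft_do_chain_ipv4,
-               [NF_INET_POST_ROUTING]  = nft_do_chain_ipv4,
-       },
 };
 
 static int nf_tables_ipv4_init_net(struct net *net)
@@ -96,6 +89,13 @@ static const struct nf_chain_type filter
                          (1 << NF_INET_FORWARD) |
                          (1 << NF_INET_PRE_ROUTING) |
                          (1 << NF_INET_POST_ROUTING),
+       .hooks          = {
+               [NF_INET_LOCAL_IN]      = nft_do_chain_ipv4,
+               [NF_INET_LOCAL_OUT]     = nft_ipv4_output,
+               [NF_INET_FORWARD]       = nft_do_chain_ipv4,
+               [NF_INET_PRE_ROUTING]   = nft_do_chain_ipv4,
+               [NF_INET_POST_ROUTING]  = nft_do_chain_ipv4,
+       },
 };
 
 static int __init nf_tables_ipv4_init(void)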
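--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __
        .family         = NFPROTO_IPV6,
        .nhooks         = NF_INET_NUMHOOKS,
        .owner          = THIS_MODULE,
-       .hooks          = {
-               [NF_INET_LOCAL_IN]      = nft_do_chain_ipv6,
-               [NF_INET_LOCAL_OUT]     = nft_ipv6_output,
-               [NF_INET_FORWARD]       = nft_do_chain_ipv6,
-               [NF_INET_PRE_ROUTING]   = nft_do_chain_ipv6,
-               [NF_INET_POST_ROUTING]  = nft_do_chain_ipv6,
-       },
 };
 
 static int nf_tables_ipv6_init_net(struct net *net)
@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
                          (1 << NF_INET_FORWARD) |
                          (1 << NF_INET_PRE_ROUTING) |
                          (1 << NF_INET_POST_ROUTING),
+       .hooks          = {
+               [NF_INET_LOCAL_IN]      = nft_do_chain_ipv6,
+               [NF_INET_LOCAL_OUT]     = nft_ipv6_output,
+               [NF_INET_FORWARD]       = nft_do_chain_ipv6,
+               [NF_INET_PRE_ROUTING]   = nft_do_chain_ipv6,
+               [NF_INET_POST_ROUTING]  = nft_do_chain_ipv6,
+       },
 };
 
 static int __init nf_tables_ipv6_init(void)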
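--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1352,7 +1352,6 @@ static int nf_tables_addchain(struct nft
        if (nla[NFTA_CHAIN_HOOK]) {
                struct nft_chain_hook hook;
                struct nf_hook_ops *ops;
-               nf_hookfn *hookfn;
 
                err = nft_chain_parse_hook(net, nla, afi, &hook, create);
                if (err < 0)
@@ -1378,7 +1377,6 @@ static int nf_tables_addchain(struct nft
                        static_branch_inc(&nft_counters_enabled);
                }
 
-               hookfn = hook.type->hooks[hook.num];
                basechain->type = hook.type;
                chain = &basechain->chain;
 
@@ -1387,10 +1385,8 @@ static int nf_tables_addchain(struct nft
                ops->hooknum    = hook.num;
                ops->priority   = hook.priority;
                ops->priv       = chain;
-               ops->hook       = afi->hooks[ops->hooknum];
+               ops->hook       = hook.type->hooks[ops->hooknum];
                ops->dev        = hook.dev;
-               if (hookfn)
-                       ops->hook = hookfn;
 
                if (basechain->type->type == NFT_CHAIN_T_NAT)
                        ops->nat_hook = true;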
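Review bot: `ops->hook = hook.type->hooks[ops->hooknum];` in the third hunk is assigned with no fallback and no NULL check, whereas the old code started from `afi->hooks[...]` and overrode it only when the type's entry was non-NULL. A chain type that sets a bit in `hook_mask` but leaves the matching `hooks[]` slot empty would now register an `nf_hook_ops` whose `hook` is NULL, which the packet path would presumably then call. Whether `nft_chain_parse_hook()` or chain-type registration already rules this out is not visible in these hunks. If not, I would enforce it once where chain types are registered, e.g. `if ((ctype->hook_mask & (1 << i)) && !ctype->hooks[i]) return -EINVAL;` for each hook index `i` (identifier names constructed for illustration). The body of `nf_tables_addchain` continues outside the hunks shown.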
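--- a/net/netfilter/nf_tables_inet.c
+++ b/net/netfilter/nf_tables_inet.c
@@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __
        .family         = NFPROTO_INET,
        .nhooks         = NF_INET_NUMHOOKS,
        .owner          = THIS_MODULE,
-       .hooks          = {
-               [NF_INET_LOCAL_IN]      = nft_do_chain_inet,
-               [NF_INET_LOCAL_OUT]     = nft_inet_output,
-               [NF_INET_FORWARD]       = nft_do_chain_inet,
-               [NF_INET_PRE_ROUTING]   = nft_do_chain_inet,
-               [NF_INET_POST_ROUTING]  = nft_do_chain_inet,
-        },
 };
 
 static int __net_init nf_tables_inet_init_net(struct net *net)
@@ -121,6 +114,13 @@ static const struct nf_chain_type filter
                          (1 << NF_INET_FORWARD) |
                          (1 << NF_INET_PRE_ROUTING) |
                          (1 << NF_INET_POST_ROUTING),
+       .hooks          = {
+               [NF_INET_LOCAL_IN]      = nft_do_chain_inet,
+               [NF_INET_LOCAL_OUT]     = nft_inet_output,
+               [NF_INET_FORWARD]       = nft_do_chain_inet,
+               [NF_INET_PRE_ROUTING]   = nft_do_chain_inet,
+               [NF_INET_POST_ROUTING]  = nft_do_chain_inet,
+        },
 };
 
 static int __init nf_tables_inet_init(void)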
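Review bot: The closing `},` of the re-added `.hooks` initializer in the second hunk sits one column further right than in every other family file in this patch, which suggests it is indented with spaces rather than a tab. The removed block in the first hunk has the same offset, so it looks carried over verbatim. Since the lines are being re-added anyway, indent the brace with a single tab so it lines up with `.hooks` and matches kernel coding style. The enclosing `nf_chain_type` initializer starts outside the hunk.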
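--- a/net/netfilter/nf_tables_netdev.c
+++ b/net/netfilter/nf_tables_netdev.c
@@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev
        .nhooks         = NF_NETDEV_NUMHOOKS,
        .owner          = THIS_MODULE,
        .flags          = NFT_AF_NEEDS_DEV,
-       .hooks          = {
-               [NF_NETDEV_INGRESS]     = nft_do_chain_netdev,
-       },
 };
 
 static int nf_tables_netdev_init_net(struct net *net)
@@ -82,6 +79,9 @@ static const struct nf_chain_type nft_fi
        .family         = NFPROTO_NETDEV,
        .owner          = THIS_MODULE,
        .hook_mask      = (1 << NF_NETDEV_INGRESS),
+       .hooks          = {
+               [NF_NETDEV_INGRESS]     = nft_do_chain_netdev,
+       },
 };
 
 static void nft_netdev_event(unsigned long event, struct net_device *dev,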