kernel: remove support for kernel 4.14
diff --git a/target/linux/generic/backport-4.14/312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch b/target/linux/generic/backport-4.14/312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch
deleted file mode 100644 (file)
index a12679d..0000000
+++ /dev/null
@@ -1,233 +0,0 @@
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Sat, 9 Dec 2017 15:43:17 +0100
-Subject: [PATCH] netfilter: nf_tables: remove hooks from family definition
-
-They don't belong to the family definition, move them to the filter
-chain type definition instead.
-
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
-
---- a/include/net/netfilter/nf_tables.h
-+++ b/include/net/netfilter/nf_tables.h
-@@ -876,7 +876,7 @@ enum nft_chain_type {
-  *    @family: address family
-  *    @owner: module owner
-  *    @hook_mask: mask of valid hooks
-- *    @hooks: hookfn overrides
-+ *    @hooks: array of hook functions
-  */
- struct nf_chain_type {
-       const char                      *name;
-@@ -970,7 +970,6 @@ enum nft_af_flags {
-  *    @owner: module owner
-  *    @tables: used internally
-  *    @flags: family flags
-- *    @hooks: hookfn overrides for packet validation
-  */
- struct nft_af_info {
-       struct list_head                list;
-@@ -979,7 +978,6 @@ struct nft_af_info {
-       struct module                   *owner;
-       struct list_head                tables;
-       u32                             flags;
--      nf_hookfn                       *hooks[NF_MAX_HOOKS];
- };
- int nft_register_afinfo(struct net *, struct nft_af_info *);
---- a/net/bridge/netfilter/nf_tables_bridge.c
-+++ b/net/bridge/netfilter/nf_tables_bridge.c
-@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge
-       .family         = NFPROTO_BRIDGE,
-       .nhooks         = NF_BR_NUMHOOKS,
-       .owner          = THIS_MODULE,
--      .hooks          = {
--              [NF_BR_PRE_ROUTING]     = nft_do_chain_bridge,
--              [NF_BR_LOCAL_IN]        = nft_do_chain_bridge,
--              [NF_BR_FORWARD]         = nft_do_chain_bridge,
--              [NF_BR_LOCAL_OUT]       = nft_do_chain_bridge,
--              [NF_BR_POST_ROUTING]    = nft_do_chain_bridge,
--      },
- };
- static int nf_tables_bridge_init_net(struct net *net)
-@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
-                         (1 << NF_BR_FORWARD) |
-                         (1 << NF_BR_LOCAL_OUT) |
-                         (1 << NF_BR_POST_ROUTING),
-+      .hooks          = {
-+              [NF_BR_PRE_ROUTING]     = nft_do_chain_bridge,
-+              [NF_BR_LOCAL_IN]        = nft_do_chain_bridge,
-+              [NF_BR_FORWARD]         = nft_do_chain_bridge,
-+              [NF_BR_LOCAL_OUT]       = nft_do_chain_bridge,
-+              [NF_BR_POST_ROUTING]    = nft_do_chain_bridge,
-+      },
- };
- static int __init nf_tables_bridge_init(void)
---- a/net/ipv4/netfilter/nf_tables_arp.c
-+++ b/net/ipv4/netfilter/nf_tables_arp.c
-@@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __r
-       .family         = NFPROTO_ARP,
-       .nhooks         = NF_ARP_NUMHOOKS,
-       .owner          = THIS_MODULE,
--      .hooks          = {
--              [NF_ARP_IN]             = nft_do_chain_arp,
--              [NF_ARP_OUT]            = nft_do_chain_arp,
--      },
- };
- static int nf_tables_arp_init_net(struct net *net)
-@@ -72,6 +68,10 @@ static const struct nf_chain_type filter
-       .owner          = THIS_MODULE,
-       .hook_mask      = (1 << NF_ARP_IN) |
-                         (1 << NF_ARP_OUT),
-+      .hooks          = {
-+              [NF_ARP_IN]             = nft_do_chain_arp,
-+              [NF_ARP_OUT]            = nft_do_chain_arp,
-+      },
- };
- static int __init nf_tables_arp_init(void)
---- a/net/ipv4/netfilter/nf_tables_ipv4.c
-+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
-@@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __
-       .family         = NFPROTO_IPV4,
-       .nhooks         = NF_INET_NUMHOOKS,
-       .owner          = THIS_MODULE,
--      .hooks          = {
--              [NF_INET_LOCAL_IN]      = nft_do_chain_ipv4,
--              [NF_INET_LOCAL_OUT]     = nft_ipv4_output,
--              [NF_INET_FORWARD]       = nft_do_chain_ipv4,
--              [NF_INET_PRE_ROUTING]   = nft_do_chain_ipv4,
--              [NF_INET_POST_ROUTING]  = nft_do_chain_ipv4,
--      },
- };
- static int nf_tables_ipv4_init_net(struct net *net)
-@@ -96,6 +89,13 @@ static const struct nf_chain_type filter
-                         (1 << NF_INET_FORWARD) |
-                         (1 << NF_INET_PRE_ROUTING) |
-                         (1 << NF_INET_POST_ROUTING),
-+      .hooks          = {
-+              [NF_INET_LOCAL_IN]      = nft_do_chain_ipv4,
-+              [NF_INET_LOCAL_OUT]     = nft_ipv4_output,
-+              [NF_INET_FORWARD]       = nft_do_chain_ipv4,
-+              [NF_INET_PRE_ROUTING]   = nft_do_chain_ipv4,
-+              [NF_INET_POST_ROUTING]  = nft_do_chain_ipv4,
-+      },
- };
- static int __init nf_tables_ipv4_init(void)
---- a/net/ipv6/netfilter/nf_tables_ipv6.c
-+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
-@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __
-       .family         = NFPROTO_IPV6,
-       .nhooks         = NF_INET_NUMHOOKS,
-       .owner          = THIS_MODULE,
--      .hooks          = {
--              [NF_INET_LOCAL_IN]      = nft_do_chain_ipv6,
--              [NF_INET_LOCAL_OUT]     = nft_ipv6_output,
--              [NF_INET_FORWARD]       = nft_do_chain_ipv6,
--              [NF_INET_PRE_ROUTING]   = nft_do_chain_ipv6,
--              [NF_INET_POST_ROUTING]  = nft_do_chain_ipv6,
--      },
- };
- static int nf_tables_ipv6_init_net(struct net *net)
-@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
-                         (1 << NF_INET_FORWARD) |
-                         (1 << NF_INET_PRE_ROUTING) |
-                         (1 << NF_INET_POST_ROUTING),
-+      .hooks          = {
-+              [NF_INET_LOCAL_IN]      = nft_do_chain_ipv6,
-+              [NF_INET_LOCAL_OUT]     = nft_ipv6_output,
-+              [NF_INET_FORWARD]       = nft_do_chain_ipv6,
-+              [NF_INET_PRE_ROUTING]   = nft_do_chain_ipv6,
-+              [NF_INET_POST_ROUTING]  = nft_do_chain_ipv6,
-+      },
- };
- static int __init nf_tables_ipv6_init(void)
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -1398,7 +1398,6 @@ static int nf_tables_addchain(struct nft
-       if (nla[NFTA_CHAIN_HOOK]) {
-               struct nft_chain_hook hook;
-               struct nf_hook_ops *ops;
--              nf_hookfn *hookfn;
-               err = nft_chain_parse_hook(net, nla, afi, &hook, create);
-               if (err < 0)
-@@ -1424,7 +1423,6 @@ static int nf_tables_addchain(struct nft
-                       static_branch_inc(&nft_counters_enabled);
-               }
--              hookfn = hook.type->hooks[hook.num];
-               basechain->type = hook.type;
-               chain = &basechain->chain;
-@@ -1433,10 +1431,8 @@ static int nf_tables_addchain(struct nft
-               ops->hooknum    = hook.num;
-               ops->priority   = hook.priority;
-               ops->priv       = chain;
--              ops->hook       = afi->hooks[ops->hooknum];
-+              ops->hook       = hook.type->hooks[ops->hooknum];
-               ops->dev        = hook.dev;
--              if (hookfn)
--                      ops->hook = hookfn;
-               if (basechain->type->type == NFT_CHAIN_T_NAT)
-                       ops->nat_hook = true;
---- a/net/netfilter/nf_tables_inet.c
-+++ b/net/netfilter/nf_tables_inet.c
-@@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __
-       .family         = NFPROTO_INET,
-       .nhooks         = NF_INET_NUMHOOKS,
-       .owner          = THIS_MODULE,
--      .hooks          = {
--              [NF_INET_LOCAL_IN]      = nft_do_chain_inet,
--              [NF_INET_LOCAL_OUT]     = nft_inet_output,
--              [NF_INET_FORWARD]       = nft_do_chain_inet,
--              [NF_INET_PRE_ROUTING]   = nft_do_chain_inet,
--              [NF_INET_POST_ROUTING]  = nft_do_chain_inet,
--        },
- };
- static int __net_init nf_tables_inet_init_net(struct net *net)
-@@ -121,6 +114,13 @@ static const struct nf_chain_type filter
-                         (1 << NF_INET_FORWARD) |
-                         (1 << NF_INET_PRE_ROUTING) |
-                         (1 << NF_INET_POST_ROUTING),
-+      .hooks          = {
-+              [NF_INET_LOCAL_IN]      = nft_do_chain_inet,
-+              [NF_INET_LOCAL_OUT]     = nft_inet_output,
-+              [NF_INET_FORWARD]       = nft_do_chain_inet,
-+              [NF_INET_PRE_ROUTING]   = nft_do_chain_inet,
-+              [NF_INET_POST_ROUTING]  = nft_do_chain_inet,
-+        },
- };
- static int __init nf_tables_inet_init(void)
---- a/net/netfilter/nf_tables_netdev.c
-+++ b/net/netfilter/nf_tables_netdev.c
-@@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev
-       .nhooks         = NF_NETDEV_NUMHOOKS,
-       .owner          = THIS_MODULE,
-       .flags          = NFT_AF_NEEDS_DEV,
--      .hooks          = {
--              [NF_NETDEV_INGRESS]     = nft_do_chain_netdev,
--      },
- };
- static int nf_tables_netdev_init_net(struct net *net)
-@@ -82,6 +79,9 @@ static const struct nf_chain_type nft_fi
-       .family         = NFPROTO_NETDEV,
-       .owner          = THIS_MODULE,
-       .hook_mask      = (1 << NF_NETDEV_INGRESS),
-+      .hooks          = {
-+              [NF_NETDEV_INGRESS]     = nft_do_chain_netdev,
-+      },
- };
- static void nft_netdev_event(unsigned long event, struct net_device *dev,