1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Sat, 9 Dec 2017 15:43:17 +0100
3 Subject: [PATCH] netfilter: nf_tables: remove hooks from family definition
4
5 They don't belong to the family definition, move them to the filter
6 chain type definition instead.
7
8 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 ---
10
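--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -875,7 +875,7 @@ enum nft_chain_type {
 * @family: address family
 * @owner: module owner
 * @hook_mask: mask of valid hooks
- * @hooks: hookfn overrides
+ * @hooks: array of hook functions
 */
 struct nf_chain_type {
 const char *name;
@@ -969,7 +969,6 @@ enum nft_af_flags {
 * @owner: module owner
 * @tables: used internally
 * @flags: family flags
- * @hooks: hookfn overrides for packet validation
 */
 struct nft_af_info {
 struct list_head list;
@@ -978,7 +977,6 @@ struct nft_af_info {
 struct module *owner;
 struct list_head tables;
 u32 flags;
- nf_hookfn *hooks[NF_MAX_HOOKS];
 };
 
 int nft_register_afinfo(struct net *, struct nft_af_info *);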
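Review bot: The new `@hooks` description on struct nf_chain_type ("array of hook functions") leaves out the invariant the rest of this patch now relies on: with the family-level table gone, nf_tables_addchain takes `ops->hook` straight from `hook.type->hooks[ops->hooknum]` with no fallback, so every hook number allowed by `@hook_mask` must have a non-NULL entry here. I would state that in the kerneldoc so chain-type authors outside this patch see the contract, e.g. `@hooks: hook functions indexed by hook number; every hook set in @hook_mask must have an entry`. The enclosing struct definitions continue outside the hunks.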
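--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge
 .family = NFPROTO_BRIDGE,
 .nhooks = NF_BR_NUMHOOKS,
 .owner = THIS_MODULE,
- .hooks = {
- [NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
- [NF_BR_LOCAL_IN] = nft_do_chain_bridge,
- [NF_BR_FORWARD] = nft_do_chain_bridge,
- [NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
- [NF_BR_POST_ROUTING] = nft_do_chain_bridge,
- },
 };
 
 static int nf_tables_bridge_init_net(struct net *net)
@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
 (1 << NF_BR_FORWARD) |
 (1 << NF_BR_LOCAL_OUT) |
 (1 << NF_BR_POST_ROUTING),
+ .hooks = {
+ [NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
+ [NF_BR_LOCAL_IN] = nft_do_chain_bridge,
+ [NF_BR_FORWARD] = nft_do_chain_bridge,
+ [NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
+ [NF_BR_POST_ROUTING] = nft_do_chain_bridge,
+ },
 };
 
 static int __init nf_tables_bridge_init(void)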
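--- a/net/ipv4/netfilter/nf_tables_arp.c
+++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __r
 .family = NFPROTO_ARP,
 .nhooks = NF_ARP_NUMHOOKS,
 .owner = THIS_MODULE,
- .hooks = {
- [NF_ARP_IN] = nft_do_chain_arp,
- [NF_ARP_OUT] = nft_do_chain_arp,
- },
 };
 
 static int nf_tables_arp_init_net(struct net *net)
@@ -72,6 +68,10 @@ static const struct nf_chain_type filter
 .owner = THIS_MODULE,
 .hook_mask = (1 << NF_ARP_IN) |
 (1 << NF_ARP_OUT),
+ .hooks = {
+ [NF_ARP_IN] = nft_do_chain_arp,
+ [NF_ARP_OUT] = nft_do_chain_arp,
+ },
 };
 
 static int __init nf_tables_arp_init(void)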
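--- a/net/ipv4/netfilter/nf_tables_ipv4.c
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __
 .family = NFPROTO_IPV4,
 .nhooks = NF_INET_NUMHOOKS,
 .owner = THIS_MODULE,
- .hooks = {
- [NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
- [NF_INET_LOCAL_OUT] = nft_ipv4_output,
- [NF_INET_FORWARD] = nft_do_chain_ipv4,
- [NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
- [NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
- },
 };
 
 static int nf_tables_ipv4_init_net(struct net *net)
@@ -96,6 +89,13 @@ static const struct nf_chain_type filter
 (1 << NF_INET_FORWARD) |
 (1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_POST_ROUTING),
+ .hooks = {
+ [NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
+ [NF_INET_LOCAL_OUT] = nft_ipv4_output,
+ [NF_INET_FORWARD] = nft_do_chain_ipv4,
+ [NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
+ [NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
+ },
 };
 
 static int __init nf_tables_ipv4_init(void)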
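--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __
 .family = NFPROTO_IPV6,
 .nhooks = NF_INET_NUMHOOKS,
 .owner = THIS_MODULE,
- .hooks = {
- [NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
- [NF_INET_LOCAL_OUT] = nft_ipv6_output,
- [NF_INET_FORWARD] = nft_do_chain_ipv6,
- [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
- [NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
- },
 };
 
 static int nf_tables_ipv6_init_net(struct net *net)
@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
 (1 << NF_INET_FORWARD) |
 (1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_POST_ROUTING),
+ .hooks = {
+ [NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
+ [NF_INET_LOCAL_OUT] = nft_ipv6_output,
+ [NF_INET_FORWARD] = nft_do_chain_ipv6,
+ [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
+ [NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
+ },
 };
 
 static int __init nf_tables_ipv6_init(void)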
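--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1398,7 +1398,6 @@ static int nf_tables_addchain(struct nft
 if (nla[NFTA_CHAIN_HOOK]) {
 struct nft_chain_hook hook;
 struct nf_hook_ops *ops;
- nf_hookfn *hookfn;
 
 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
 if (err < 0)
@@ -1424,7 +1423,6 @@ static int nf_tables_addchain(struct nft
 static_branch_inc(&nft_counters_enabled);
 }
 
- hookfn = hook.type->hooks[hook.num];
 basechain->type = hook.type;
 chain = &basechain->chain;
 
@@ -1433,10 +1431,8 @@ static int nf_tables_addchain(struct nft
 ops->hooknum = hook.num;
 ops->priority = hook.priority;
 ops->priv = chain;
- ops->hook = afi->hooks[ops->hooknum];
+ ops->hook = hook.type->hooks[ops->hooknum];
 ops->dev = hook.dev;
- if (hookfn)
- ops->hook = hookfn;
 
 if (basechain->type->type == NFT_CHAIN_T_NAT)
 ops->nat_hook = true;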
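Review bot: `ops->hook = hook.type->hooks[ops->hooknum];` in the third hunk is assigned with nothing checking for a NULL entry, whereas the removed code fell back to the family table and only applied the chain-type value under `if (hookfn)`. A chain type whose `.hooks` leaves a slot unset for a hook number that its `hook_mask` admits would now have a NULL function registered as a netfilter hook, which the kernel would dereference on the first matching packet. The filter chain types in this patch fill every masked slot, but chain types not touched here (the nat and route types, as far as I can tell) are not visible, so I cannot confirm them from this page. A defensive guard right after the assignment, `if (WARN_ON_ONCE(!ops->hook)) return -EOPNOTSUPP;` (unwinding the basechain allocated above via the function's existing error path), would turn a mis-declared chain type into a clean, loggable failure. nf_tables_addchain begins and ends outside these hunks.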
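--- a/net/netfilter/nf_tables_inet.c
+++ b/net/netfilter/nf_tables_inet.c
@@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __
 .family = NFPROTO_INET,
 .nhooks = NF_INET_NUMHOOKS,
 .owner = THIS_MODULE,
- .hooks = {
- [NF_INET_LOCAL_IN] = nft_do_chain_inet,
- [NF_INET_LOCAL_OUT] = nft_inet_output,
- [NF_INET_FORWARD] = nft_do_chain_inet,
- [NF_INET_PRE_ROUTING] = nft_do_chain_inet,
- [NF_INET_POST_ROUTING] = nft_do_chain_inet,
- },
 };
 
 static int __net_init nf_tables_inet_init_net(struct net *net)
@@ -121,6 +114,13 @@ static const struct nf_chain_type filter
 (1 << NF_INET_FORWARD) |
 (1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_POST_ROUTING),
+ .hooks = {
+ [NF_INET_LOCAL_IN] = nft_do_chain_inet,
+ [NF_INET_LOCAL_OUT] = nft_inet_output,
+ [NF_INET_FORWARD] = nft_do_chain_inet,
+ [NF_INET_PRE_ROUTING] = nft_do_chain_inet,
+ [NF_INET_POST_ROUTING] = nft_do_chain_inet,
+ },
 };
 
 static int __init nf_tables_inet_init(void)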
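--- a/net/netfilter/nf_tables_netdev.c
+++ b/net/netfilter/nf_tables_netdev.c
@@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev
 .nhooks = NF_NETDEV_NUMHOOKS,
 .owner = THIS_MODULE,
 .flags = NFT_AF_NEEDS_DEV,
- .hooks = {
- [NF_NETDEV_INGRESS] = nft_do_chain_netdev,
- },
 };
 
 static int nf_tables_netdev_init_net(struct net *net)
@@ -82,6 +79,9 @@ static const struct nf_chain_type nft_fi
 .family = NFPROTO_NETDEV,
 .owner = THIS_MODULE,
 .hook_mask = (1 << NF_NETDEV_INGRESS),
+ .hooks = {
+ [NF_NETDEV_INGRESS] = nft_do_chain_netdev,
+ },
 };
 
 static void nft_netdev_event(unsigned long event, struct net_device *dev,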