Home Explore Help
Register Sign In
libreCMC
/
libreCMC
17
18
Fork 12
Files Issues 59 Pull Requests 3 Wiki
Tree: 9003a2e19e
Branches Tags
libreCMC
/
target
/
linux
/
generic
/
backport-4.14
/
312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch

312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch 7.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233 
  1. From: Pablo Neira Ayuso <pablo@netfilter.org>
    2. 

  2. Date: Sat, 9 Dec 2017 15:43:17 +0100
    3. 

  3. Subject: [PATCH] netfilter: nf_tables: remove hooks from family definition
    4. 

  4. 

  5. They don't belong to the family definition, move them to the filter
    6. 

  6. chain type definition instead.
    7. 

  7. 

  8. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    9. 

  9. ---
    10. 

  10. 

  11. --- a/include/net/netfilter/nf_tables.h
    12. 

  12. +++ b/include/net/netfilter/nf_tables.h
    13. 

  13. @@ -878,7 +878,7 @@ enum nft_chain_type {
    14. 

  14.   * 	@family: address family
    15. 

  15.   * 	@owner: module owner
    16. 

  16.   * 	@hook_mask: mask of valid hooks
    17. 

  17. - * 	@hooks: hookfn overrides
    18. 

  18. + * 	@hooks: array of hook functions
    19. 

  19.   */
    20. 

  20.  struct nf_chain_type {
    21. 

  21.  	const char			*name;
    22. 

  22. @@ -972,7 +972,6 @@ enum nft_af_flags {
    23. 

  23.   *	@owner: module owner
    24. 

  24.   *	@tables: used internally
    25. 

  25.   *	@flags: family flags
    26. 

  26. - *	@hooks: hookfn overrides for packet validation
    27. 

  27.   */
    28. 

  28.  struct nft_af_info {
    29. 

  29.  	struct list_head		list;
    30. 

  30. @@ -981,7 +980,6 @@ struct nft_af_info {
    31. 

  31.  	struct module			*owner;
    32. 

  32.  	struct list_head		tables;
    33. 

  33.  	u32				flags;
    34. 

  34. -	nf_hookfn			*hooks[NF_MAX_HOOKS];
    35. 

  35.  };
    36. 

  36.  
    37. 

  37.  int nft_register_afinfo(struct net *, struct nft_af_info *);
    38. 

  38. --- a/net/bridge/netfilter/nf_tables_bridge.c
    39. 

  39. +++ b/net/bridge/netfilter/nf_tables_bridge.c
    40. 

  40. @@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge
    41. 

  41.  	.family		= NFPROTO_BRIDGE,
    42. 

  42.  	.nhooks		= NF_BR_NUMHOOKS,
    43. 

  43.  	.owner		= THIS_MODULE,
    44. 

  44. -	.hooks		= {
    45. 

  45. -		[NF_BR_PRE_ROUTING]	= nft_do_chain_bridge,
    46. 

  46. -		[NF_BR_LOCAL_IN]	= nft_do_chain_bridge,
    47. 

  47. -		[NF_BR_FORWARD]		= nft_do_chain_bridge,
    48. 

  48. -		[NF_BR_LOCAL_OUT]	= nft_do_chain_bridge,
    49. 

  49. -		[NF_BR_POST_ROUTING]	= nft_do_chain_bridge,
    50. 

  50. -	},
    51. 

  51.  };
    52. 

  52.  
    53. 

  53.  static int nf_tables_bridge_init_net(struct net *net)
    54. 

  54. @@ -93,6 +86,13 @@ static const struct nf_chain_type filter
    55. 

  55.  			  (1 << NF_BR_FORWARD) |
    56. 

  56.  			  (1 << NF_BR_LOCAL_OUT) |
    57. 

  57.  			  (1 << NF_BR_POST_ROUTING),
    58. 

  58. +	.hooks		= {
    59. 

  59. +		[NF_BR_PRE_ROUTING]	= nft_do_chain_bridge,
    60. 

  60. +		[NF_BR_LOCAL_IN]	= nft_do_chain_bridge,
    61. 

  61. +		[NF_BR_FORWARD]		= nft_do_chain_bridge,
    62. 

  62. +		[NF_BR_LOCAL_OUT]	= nft_do_chain_bridge,
    63. 

  63. +		[NF_BR_POST_ROUTING]	= nft_do_chain_bridge,
    64. 

  64. +	},
    65. 

  65.  };
    66. 

  66.  
    67. 

  67.  static int __init nf_tables_bridge_init(void)
    68. 

  68. --- a/net/ipv4/netfilter/nf_tables_arp.c
    69. 

  69. +++ b/net/ipv4/netfilter/nf_tables_arp.c
    70. 

  70. @@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __r
    71. 

  71.  	.family		= NFPROTO_ARP,
    72. 

  72.  	.nhooks		= NF_ARP_NUMHOOKS,
    73. 

  73.  	.owner		= THIS_MODULE,
    74. 

  74. -	.hooks		= {
    75. 

  75. -		[NF_ARP_IN]		= nft_do_chain_arp,
    76. 

  76. -		[NF_ARP_OUT]		= nft_do_chain_arp,
    77. 

  77. -	},
    78. 

  78.  };
    79. 

  79.  
    80. 

  80.  static int nf_tables_arp_init_net(struct net *net)
    81. 

  81. @@ -72,6 +68,10 @@ static const struct nf_chain_type filter
    82. 

  82.  	.owner		= THIS_MODULE,
    83. 

  83.  	.hook_mask	= (1 << NF_ARP_IN) |
    84. 

  84.  			  (1 << NF_ARP_OUT),
    85. 

  85. +	.hooks		= {
    86. 

  86. +		[NF_ARP_IN]		= nft_do_chain_arp,
    87. 

  87. +		[NF_ARP_OUT]		= nft_do_chain_arp,
    88. 

  88. +	},
    89. 

  89.  };
    90. 

  90.  
    91. 

  91.  static int __init nf_tables_arp_init(void)
    92. 

  92. --- a/net/ipv4/netfilter/nf_tables_ipv4.c
    93. 

  93. +++ b/net/ipv4/netfilter/nf_tables_ipv4.c
    94. 

  94. @@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __
    95. 

  95.  	.family		= NFPROTO_IPV4,
    96. 

  96.  	.nhooks		= NF_INET_NUMHOOKS,
    97. 

  97.  	.owner		= THIS_MODULE,
    98. 

  98. -	.hooks		= {
    99. 

  99. -		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv4,
    100. 

  100. -		[NF_INET_LOCAL_OUT]	= nft_ipv4_output,
    101. 

  101. -		[NF_INET_FORWARD]	= nft_do_chain_ipv4,
    102. 

  102. -		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv4,
    103. 

  103. -		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv4,
    104. 

  104. -	},
    105. 

  105.  };
    106. 

  106.  
    107. 

  107.  static int nf_tables_ipv4_init_net(struct net *net)
    108. 

  108. @@ -96,6 +89,13 @@ static const struct nf_chain_type filter
    109. 

  109.  			  (1 << NF_INET_FORWARD) |
    110. 

  110.  			  (1 << NF_INET_PRE_ROUTING) |
    111. 

  111.  			  (1 << NF_INET_POST_ROUTING),
    112. 

  112. +	.hooks		= {
    113. 

  113. +		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv4,
    114. 

  114. +		[NF_INET_LOCAL_OUT]	= nft_ipv4_output,
    115. 

  115. +		[NF_INET_FORWARD]	= nft_do_chain_ipv4,
    116. 

  116. +		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv4,
    117. 

  117. +		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv4,
    118. 

  118. +	},
    119. 

  119.  };
    120. 

  120.  
    121. 

  121.  static int __init nf_tables_ipv4_init(void)
    122. 

  122. --- a/net/ipv6/netfilter/nf_tables_ipv6.c
    123. 

  123. +++ b/net/ipv6/netfilter/nf_tables_ipv6.c
    124. 

  124. @@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __
    125. 

  125.  	.family		= NFPROTO_IPV6,
    126. 

  126.  	.nhooks		= NF_INET_NUMHOOKS,
    127. 

  127.  	.owner		= THIS_MODULE,
    128. 

  128. -	.hooks		= {
    129. 

  129. -		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv6,
    130. 

  130. -		[NF_INET_LOCAL_OUT]	= nft_ipv6_output,
    131. 

  131. -		[NF_INET_FORWARD]	= nft_do_chain_ipv6,
    132. 

  132. -		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv6,
    133. 

  133. -		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv6,
    134. 

  134. -	},
    135. 

  135.  };
    136. 

  136.  
    137. 

  137.  static int nf_tables_ipv6_init_net(struct net *net)
    138. 

  138. @@ -93,6 +86,13 @@ static const struct nf_chain_type filter
    139. 

  139.  			  (1 << NF_INET_FORWARD) |
    140. 

  140.  			  (1 << NF_INET_PRE_ROUTING) |
    141. 

  141.  			  (1 << NF_INET_POST_ROUTING),
    142. 

  142. +	.hooks		= {
    143. 

  143. +		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv6,
    144. 

  144. +		[NF_INET_LOCAL_OUT]	= nft_ipv6_output,
    145. 

  145. +		[NF_INET_FORWARD]	= nft_do_chain_ipv6,
    146. 

  146. +		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv6,
    147. 

  147. +		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv6,
    148. 

  148. +	},
    149. 

  149.  };
    150. 

  150.  
    151. 

  151.  static int __init nf_tables_ipv6_init(void)
    152. 

  152. --- a/net/netfilter/nf_tables_api.c
    153. 

  153. +++ b/net/netfilter/nf_tables_api.c
    154. 

  154. @@ -1398,7 +1398,6 @@ static int nf_tables_addchain(struct nft
    155. 

  155.  	if (nla[NFTA_CHAIN_HOOK]) {
    156. 

  156.  		struct nft_chain_hook hook;
    157. 

  157.  		struct nf_hook_ops *ops;
    158. 

  158. -		nf_hookfn *hookfn;
    159. 

  159.  
    160. 

  160.  		err = nft_chain_parse_hook(net, nla, afi, &hook, create);
    161. 

  161.  		if (err < 0)
    162. 

  162. @@ -1424,7 +1423,6 @@ static int nf_tables_addchain(struct nft
    163. 

  163.  			static_branch_inc(&nft_counters_enabled);
    164. 

  164.  		}
    165. 

  165.  
    166. 

  166. -		hookfn = hook.type->hooks[hook.num];
    167. 

  167.  		basechain->type = hook.type;
    168. 

  168.  		chain = &basechain->chain;
    169. 

  169.  
    170. 

  170. @@ -1433,10 +1431,8 @@ static int nf_tables_addchain(struct nft
    171. 

  171.  		ops->hooknum	= hook.num;
    172. 

  172.  		ops->priority	= hook.priority;
    173. 

  173.  		ops->priv	= chain;
    174. 

  174. -		ops->hook	= afi->hooks[ops->hooknum];
    175. 

  175. +		ops->hook	= hook.type->hooks[ops->hooknum];
    176. 

  176.  		ops->dev	= hook.dev;
    177. 

  177. -		if (hookfn)
    178. 

  178. -			ops->hook = hookfn;
    179. 

  179.  
    180. 

  180.  		if (basechain->type->type == NFT_CHAIN_T_NAT)
    181. 

  181.  			ops->nat_hook = true;
    182. 

  182. --- a/net/netfilter/nf_tables_inet.c
    183. 

  183. +++ b/net/netfilter/nf_tables_inet.c
    184. 

  184. @@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __
    185. 

  185.  	.family		= NFPROTO_INET,
    186. 

  186.  	.nhooks		= NF_INET_NUMHOOKS,
    187. 

  187.  	.owner		= THIS_MODULE,
    188. 

  188. -	.hooks		= {
    189. 

  189. -		[NF_INET_LOCAL_IN]	= nft_do_chain_inet,
    190. 

  190. -		[NF_INET_LOCAL_OUT]	= nft_inet_output,
    191. 

  191. -		[NF_INET_FORWARD]	= nft_do_chain_inet,
    192. 

  192. -		[NF_INET_PRE_ROUTING]	= nft_do_chain_inet,
    193. 

  193. -		[NF_INET_POST_ROUTING]	= nft_do_chain_inet,
    194. 

  194. -        },
    195. 

  195.  };
    196. 

  196.  
    197. 

  197.  static int __net_init nf_tables_inet_init_net(struct net *net)
    198. 

  198. @@ -121,6 +114,13 @@ static const struct nf_chain_type filter
    199. 

  199.  			  (1 << NF_INET_FORWARD) |
    200. 

  200.  			  (1 << NF_INET_PRE_ROUTING) |
    201. 

  201.  			  (1 << NF_INET_POST_ROUTING),
    202. 

  202. +	.hooks		= {
    203. 

  203. +		[NF_INET_LOCAL_IN]	= nft_do_chain_inet,
    204. 

  204. +		[NF_INET_LOCAL_OUT]	= nft_inet_output,
    205. 

  205. +		[NF_INET_FORWARD]	= nft_do_chain_inet,
    206. 

  206. +		[NF_INET_PRE_ROUTING]	= nft_do_chain_inet,
    207. 

  207. +		[NF_INET_POST_ROUTING]	= nft_do_chain_inet,
    208. 

  208. +        },
    209. 

  209.  };
    210. 

  210.  
    211. 

  211.  static int __init nf_tables_inet_init(void)
    212. 

  212. --- a/net/netfilter/nf_tables_netdev.c
    213. 

  213. +++ b/net/netfilter/nf_tables_netdev.c
    214. 

  214. @@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev
    215. 

  215.  	.nhooks		= NF_NETDEV_NUMHOOKS,
    216. 

  216.  	.owner		= THIS_MODULE,
    217. 

  217.  	.flags		= NFT_AF_NEEDS_DEV,
    218. 

  218. -	.hooks		= {
    219. 

  219. -		[NF_NETDEV_INGRESS]	= nft_do_chain_netdev,
    220. 

  220. -	},
    221. 

  221.  };
    222. 

  222.  
    223. 

  223.  static int nf_tables_netdev_init_net(struct net *net)
    224. 

  224. @@ -82,6 +79,9 @@ static const struct nf_chain_type nft_fi
    225. 

  225.  	.family		= NFPROTO_NETDEV,
    226. 

  226.  	.owner		= THIS_MODULE,
    227. 

  227.  	.hook_mask	= (1 << NF_NETDEV_INGRESS),
    228. 

  228. +	.hooks		= {
    229. 

  229. +		[NF_NETDEV_INGRESS]	= nft_do_chain_netdev,
    230. 

  230. +	},
    231. 

  231.  };
    232. 

  232.  
    233. 

  233.  static void nft_netdev_event(unsigned long event, struct net_device *dev,
    234.