- From: Pablo Neira Ayuso <pablo@netfilter.org>
- Date: Tue, 19 Dec 2017 13:53:45 +0100
- Subject: [PATCH] netfilter: nf_tables: remove nhooks field from struct
- nft_af_info
- We already validate the hook through bitmask, so this check is
- superfluous. When removing this, this patch is also fixing a bug in the
- new flowtable codebase, since ctx->afi points to the table family
- instead of the netdev family which is where the flowtable is really
- hooked in.
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
- ---
- --- a/include/net/netfilter/nf_tables.h
- +++ b/include/net/netfilter/nf_tables.h
- @@ -971,7 +971,6 @@ enum nft_af_flags {
- *
- * @list: used internally
- * @family: address family
- - * @nhooks: number of hooks in this family
- * @owner: module owner
- * @tables: used internally
- * @flags: family flags
- @@ -979,7 +978,6 @@ enum nft_af_flags {
- struct nft_af_info {
- struct list_head list;
- int family;
- - unsigned int nhooks;
- struct module *owner;
- struct list_head tables;
- u32 flags;
- --- a/net/bridge/netfilter/nf_tables_bridge.c
- +++ b/net/bridge/netfilter/nf_tables_bridge.c
- @@ -44,7 +44,6 @@ nft_do_chain_bridge(void *priv,
-
- static struct nft_af_info nft_af_bridge __read_mostly = {
- .family = NFPROTO_BRIDGE,
- - .nhooks = NF_BR_NUMHOOKS,
- .owner = THIS_MODULE,
- };
-
- --- a/net/ipv4/netfilter/nf_tables_arp.c
- +++ b/net/ipv4/netfilter/nf_tables_arp.c
- @@ -29,7 +29,6 @@ nft_do_chain_arp(void *priv,
-
- static struct nft_af_info nft_af_arp __read_mostly = {
- .family = NFPROTO_ARP,
- - .nhooks = NF_ARP_NUMHOOKS,
- .owner = THIS_MODULE,
- };
-
- --- a/net/ipv4/netfilter/nf_tables_ipv4.c
- +++ b/net/ipv4/netfilter/nf_tables_ipv4.c
- @@ -32,7 +32,6 @@ static unsigned int nft_do_chain_ipv4(vo
-
- static struct nft_af_info nft_af_ipv4 __read_mostly = {
- .family = NFPROTO_IPV4,
- - .nhooks = NF_INET_NUMHOOKS,
- .owner = THIS_MODULE,
- };
-
- --- a/net/ipv6/netfilter/nf_tables_ipv6.c
- +++ b/net/ipv6/netfilter/nf_tables_ipv6.c
- @@ -30,7 +30,6 @@ static unsigned int nft_do_chain_ipv6(vo
-
- static struct nft_af_info nft_af_ipv6 __read_mostly = {
- .family = NFPROTO_IPV6,
- - .nhooks = NF_INET_NUMHOOKS,
- .owner = THIS_MODULE,
- };
-
- --- a/net/netfilter/nf_tables_api.c
- +++ b/net/netfilter/nf_tables_api.c
- @@ -1374,9 +1374,6 @@ static int nft_chain_parse_hook(struct n
- return -EINVAL;
-
- hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
- - if (hook->num >= afi->nhooks)
- - return -EINVAL;
- -
- hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
-
- type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
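Review bot: With the `hook->num >= afi->nhooks` test removed, `hook->num` is an unbounded 32-bit value taken from the NFTA_HOOK_HOOKNUM netlink attribute when it reaches the bitmask validation the commit message relies on, which lies outside this hunk. If that validation has the form `type->hook_mask & (1 << hook->num)`, a value of 32 or more makes the shift undefined, so the mask test no longer reliably rejects it, and the number may then be used as an array index further down. A family-independent bound would keep the field removal and still reject such input: `if (hook->num >= NF_MAX_HOOKS) return -EINVAL;` placed directly after the ntohl() assignment. nft_chain_parse_hook starts and ends outside the hunk, so the later uses should be confirmed there.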
- @@ -5015,7 +5012,7 @@ static int nf_tables_flowtable_parse_hoo
- return -EINVAL;
-
- hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
- - if (hooknum >= ctx->afi->nhooks)
- + if (hooknum != NF_NETDEV_INGRESS)
- return -EINVAL;
-
- priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
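Review bot: The new `hooknum != NF_NETDEV_INGRESS` test deliberately ignores `ctx->afi`, but nothing in the code records why, so a later cleanup could plausibly reintroduce a per-family lookup and bring back the bug described in the commit message. A one-line comment above the check would preserve the reasoning: `/* flowtables hook into the netdev family at ingress, whatever the table family is */`. The body of the flowtable hook parser continues outside this hunk.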
- --- a/net/netfilter/nf_tables_inet.c
- +++ b/net/netfilter/nf_tables_inet.c
- @@ -40,7 +40,6 @@ static unsigned int nft_do_chain_inet(vo
-
- static struct nft_af_info nft_af_inet __read_mostly = {
- .family = NFPROTO_INET,
- - .nhooks = NF_INET_NUMHOOKS,
- .owner = THIS_MODULE,
- };
-
- --- a/net/netfilter/nf_tables_netdev.c
- +++ b/net/netfilter/nf_tables_netdev.c
- @@ -40,7 +40,6 @@ nft_do_chain_netdev(void *priv, struct s
-
- static struct nft_af_info nft_af_netdev __read_mostly = {
- .family = NFPROTO_NETDEV,
- - .nhooks = NF_NETDEV_NUMHOOKS,
- .owner = THIS_MODULE,
- .flags = NFT_AF_NEEDS_DEV,
- };