mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	netfilter: replace list_head with single linked list
The netfilter hook list never uses the prev pointer, and so can be trimmed to be a simple singly-linked list. In addition to having a more light weight structure for hook traversal, struct net becomes 5568 bytes (down from 6400) and struct net_device becomes 2176 bytes (down from 2240). Signed-off-by: Aaron Conole <aconole@bytheb.org> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
		
							parent
							
								
									54f17bbc52
								
							
						
					
					
						commit
						e3b37f11e6
					
				| @ -1783,7 +1783,7 @@ struct net_device { | ||||
| #endif | ||||
| 	struct netdev_queue __rcu *ingress_queue; | ||||
| #ifdef CONFIG_NETFILTER_INGRESS | ||||
| 	struct list_head	nf_hooks_ingress; | ||||
| 	struct nf_hook_entry __rcu *nf_hooks_ingress; | ||||
| #endif | ||||
| 
 | ||||
| 	unsigned char		broadcast[MAX_ADDR_LEN]; | ||||
|  | ||||
| @ -55,12 +55,34 @@ struct nf_hook_state { | ||||
| 	struct net_device *out; | ||||
| 	struct sock *sk; | ||||
| 	struct net *net; | ||||
| 	struct list_head *hook_list; | ||||
| 	struct nf_hook_entry __rcu *hook_entries; | ||||
| 	int (*okfn)(struct net *, struct sock *, struct sk_buff *); | ||||
| }; | ||||
| 
 | ||||
| typedef unsigned int nf_hookfn(void *priv, | ||||
| 			       struct sk_buff *skb, | ||||
| 			       const struct nf_hook_state *state); | ||||
| struct nf_hook_ops { | ||||
| 	struct list_head	list; | ||||
| 
 | ||||
| 	/* User fills in from here down. */ | ||||
| 	nf_hookfn		*hook; | ||||
| 	struct net_device	*dev; | ||||
| 	void			*priv; | ||||
| 	u_int8_t		pf; | ||||
| 	unsigned int		hooknum; | ||||
| 	/* Hooks are ordered in ascending priority. */ | ||||
| 	int			priority; | ||||
| }; | ||||
| 
 | ||||
| struct nf_hook_entry { | ||||
| 	struct nf_hook_entry __rcu	*next; | ||||
| 	struct nf_hook_ops		ops; | ||||
| 	const struct nf_hook_ops	*orig_ops; | ||||
| }; | ||||
| 
 | ||||
| static inline void nf_hook_state_init(struct nf_hook_state *p, | ||||
| 				      struct list_head *hook_list, | ||||
| 				      struct nf_hook_entry *hook_entry, | ||||
| 				      unsigned int hook, | ||||
| 				      int thresh, u_int8_t pf, | ||||
| 				      struct net_device *indev, | ||||
| @ -76,26 +98,11 @@ static inline void nf_hook_state_init(struct nf_hook_state *p, | ||||
| 	p->out = outdev; | ||||
| 	p->sk = sk; | ||||
| 	p->net = net; | ||||
| 	p->hook_list = hook_list; | ||||
| 	RCU_INIT_POINTER(p->hook_entries, hook_entry); | ||||
| 	p->okfn = okfn; | ||||
| } | ||||
| 
 | ||||
| typedef unsigned int nf_hookfn(void *priv, | ||||
| 			       struct sk_buff *skb, | ||||
| 			       const struct nf_hook_state *state); | ||||
| 
 | ||||
| struct nf_hook_ops { | ||||
| 	struct list_head 	list; | ||||
| 
 | ||||
| 	/* User fills in from here down. */ | ||||
| 	nf_hookfn		*hook; | ||||
| 	struct net_device	*dev; | ||||
| 	void			*priv; | ||||
| 	u_int8_t		pf; | ||||
| 	unsigned int		hooknum; | ||||
| 	/* Hooks are ordered in ascending priority. */ | ||||
| 	int			priority; | ||||
| }; | ||||
| 
 | ||||
| struct nf_sockopt_ops { | ||||
| 	struct list_head list; | ||||
| @ -161,7 +168,8 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, | ||||
| 				 int (*okfn)(struct net *, struct sock *, struct sk_buff *), | ||||
| 				 int thresh) | ||||
| { | ||||
| 	struct list_head *hook_list; | ||||
| 	struct nf_hook_entry *hook_head; | ||||
| 	int ret = 1; | ||||
| 
 | ||||
| #ifdef HAVE_JUMP_LABEL | ||||
| 	if (__builtin_constant_p(pf) && | ||||
| @ -170,22 +178,19 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, | ||||
| 		return 1; | ||||
| #endif | ||||
| 
 | ||||
| 	hook_list = &net->nf.hooks[pf][hook]; | ||||
| 
 | ||||
| 	if (!list_empty(hook_list)) { | ||||
| 	rcu_read_lock(); | ||||
| 	hook_head = rcu_dereference(net->nf.hooks[pf][hook]); | ||||
| 	if (hook_head) { | ||||
| 		struct nf_hook_state state; | ||||
| 		int ret; | ||||
| 
 | ||||
| 		/* We may already have this, but read-locks nest anyway */ | ||||
| 		rcu_read_lock(); | ||||
| 		nf_hook_state_init(&state, hook_list, hook, thresh, | ||||
| 		nf_hook_state_init(&state, hook_head, hook, thresh, | ||||
| 				   pf, indev, outdev, sk, net, okfn); | ||||
| 
 | ||||
| 		ret = nf_hook_slow(skb, &state); | ||||
| 		rcu_read_unlock(); | ||||
| 		return ret; | ||||
| 	} | ||||
| 	return 1; | ||||
| 	rcu_read_unlock(); | ||||
| 
 | ||||
| 	return ret; | ||||
| } | ||||
| 
 | ||||
| static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net, | ||||
|  | ||||
| @ -11,23 +11,30 @@ static inline bool nf_hook_ingress_active(const struct sk_buff *skb) | ||||
| 	if (!static_key_false(&nf_hooks_needed[NFPROTO_NETDEV][NF_NETDEV_INGRESS])) | ||||
| 		return false; | ||||
| #endif | ||||
| 	return !list_empty(&skb->dev->nf_hooks_ingress); | ||||
| 	return rcu_access_pointer(skb->dev->nf_hooks_ingress); | ||||
| } | ||||
| 
 | ||||
| /* caller must hold rcu_read_lock */ | ||||
| static inline int nf_hook_ingress(struct sk_buff *skb) | ||||
| { | ||||
| 	struct nf_hook_entry *e = rcu_dereference(skb->dev->nf_hooks_ingress); | ||||
| 	struct nf_hook_state state; | ||||
| 
 | ||||
| 	nf_hook_state_init(&state, &skb->dev->nf_hooks_ingress, | ||||
| 			   NF_NETDEV_INGRESS, INT_MIN, NFPROTO_NETDEV, | ||||
| 			   skb->dev, NULL, NULL, dev_net(skb->dev), NULL); | ||||
| 	/* Must recheck the ingress hook head, in the event it became NULL
 | ||||
| 	 * after the check in nf_hook_ingress_active evaluated to true. | ||||
| 	 */ | ||||
| 	if (unlikely(!e)) | ||||
| 		return 0; | ||||
| 
 | ||||
| 	nf_hook_state_init(&state, e, NF_NETDEV_INGRESS, INT_MIN, | ||||
| 			   NFPROTO_NETDEV, skb->dev, NULL, NULL, | ||||
| 			   dev_net(skb->dev), NULL); | ||||
| 	return nf_hook_slow(skb, &state); | ||||
| } | ||||
| 
 | ||||
| static inline void nf_hook_ingress_init(struct net_device *dev) | ||||
| { | ||||
| 	INIT_LIST_HEAD(&dev->nf_hooks_ingress); | ||||
| 	RCU_INIT_POINTER(dev->nf_hooks_ingress, NULL); | ||||
| } | ||||
| #else /* CONFIG_NETFILTER_INGRESS */ | ||||
| static inline int nf_hook_ingress_active(struct sk_buff *skb) | ||||
|  | ||||
| @ -11,7 +11,6 @@ struct nf_queue_entry { | ||||
| 	struct sk_buff		*skb; | ||||
| 	unsigned int		id; | ||||
| 
 | ||||
| 	struct nf_hook_ops	*elem; | ||||
| 	struct nf_hook_state	state; | ||||
| 	u16			size; /* sizeof(entry) + saved route keys */ | ||||
| 
 | ||||
| @ -25,7 +24,7 @@ struct nf_queue_handler { | ||||
| 	int		(*outfn)(struct nf_queue_entry *entry, | ||||
| 				 unsigned int queuenum); | ||||
| 	void		(*nf_hook_drop)(struct net *net, | ||||
| 					struct nf_hook_ops *ops); | ||||
| 					const struct nf_hook_entry *hooks); | ||||
| }; | ||||
| 
 | ||||
| void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh); | ||||
|  | ||||
| @ -16,6 +16,6 @@ struct netns_nf { | ||||
| #ifdef CONFIG_SYSCTL | ||||
| 	struct ctl_table_header *nf_log_dir_header; | ||||
| #endif | ||||
| 	struct list_head hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; | ||||
| 	struct nf_hook_entry __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; | ||||
| }; | ||||
| #endif | ||||
|  | ||||
| @ -1002,28 +1002,21 @@ int br_nf_hook_thresh(unsigned int hook, struct net *net, | ||||
| 		      int (*okfn)(struct net *, struct sock *, | ||||
| 				  struct sk_buff *)) | ||||
| { | ||||
| 	struct nf_hook_ops *elem; | ||||
| 	struct nf_hook_entry *elem; | ||||
| 	struct nf_hook_state state; | ||||
| 	struct list_head *head; | ||||
| 	int ret; | ||||
| 
 | ||||
| 	head = &net->nf.hooks[NFPROTO_BRIDGE][hook]; | ||||
| 	elem = rcu_dereference(net->nf.hooks[NFPROTO_BRIDGE][hook]); | ||||
| 
 | ||||
| 	list_for_each_entry_rcu(elem, head, list) { | ||||
| 		struct nf_hook_ops *next; | ||||
| 	while (elem && (elem->ops.priority <= NF_BR_PRI_BRNF)) | ||||
| 		elem = rcu_dereference(elem->next); | ||||
| 
 | ||||
| 		next = list_entry_rcu(list_next_rcu(&elem->list), | ||||
| 				      struct nf_hook_ops, list); | ||||
| 		if (next->priority <= NF_BR_PRI_BRNF) | ||||
| 			continue; | ||||
| 	} | ||||
| 
 | ||||
| 	if (&elem->list == head) | ||||
| 	if (!elem) | ||||
| 		return okfn(net, sk, skb); | ||||
| 
 | ||||
| 	/* We may already have this, but read-locks nest anyway */ | ||||
| 	rcu_read_lock(); | ||||
| 	nf_hook_state_init(&state, head, hook, NF_BR_PRI_BRNF + 1, | ||||
| 	nf_hook_state_init(&state, elem, hook, NF_BR_PRI_BRNF + 1, | ||||
| 			   NFPROTO_BRIDGE, indev, outdev, sk, net, okfn); | ||||
| 
 | ||||
| 	ret = nf_hook_slow(skb, &state); | ||||
|  | ||||
| @ -22,6 +22,7 @@ | ||||
| #include <linux/proc_fs.h> | ||||
| #include <linux/mutex.h> | ||||
| #include <linux/slab.h> | ||||
| #include <linux/rcupdate.h> | ||||
| #include <net/net_namespace.h> | ||||
| #include <net/sock.h> | ||||
| 
 | ||||
| @ -61,33 +62,50 @@ EXPORT_SYMBOL(nf_hooks_needed); | ||||
| #endif | ||||
| 
 | ||||
| static DEFINE_MUTEX(nf_hook_mutex); | ||||
| #define nf_entry_dereference(e) \ | ||||
| 	rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex)) | ||||
| 
 | ||||
| static struct list_head *nf_find_hook_list(struct net *net, | ||||
| 					   const struct nf_hook_ops *reg) | ||||
| static struct nf_hook_entry *nf_hook_entry_head(struct net *net, | ||||
| 						const struct nf_hook_ops *reg) | ||||
| { | ||||
| 	struct list_head *hook_list = NULL; | ||||
| 	struct nf_hook_entry *hook_head = NULL; | ||||
| 
 | ||||
| 	if (reg->pf != NFPROTO_NETDEV) | ||||
| 		hook_list = &net->nf.hooks[reg->pf][reg->hooknum]; | ||||
| 		hook_head = nf_entry_dereference(net->nf.hooks[reg->pf] | ||||
| 						 [reg->hooknum]); | ||||
| 	else if (reg->hooknum == NF_NETDEV_INGRESS) { | ||||
| #ifdef CONFIG_NETFILTER_INGRESS | ||||
| 		if (reg->dev && dev_net(reg->dev) == net) | ||||
| 			hook_list = ®->dev->nf_hooks_ingress; | ||||
| 			hook_head = | ||||
| 				nf_entry_dereference( | ||||
| 					reg->dev->nf_hooks_ingress); | ||||
| #endif | ||||
| 	} | ||||
| 	return hook_list; | ||||
| 	return hook_head; | ||||
| } | ||||
| 
 | ||||
| struct nf_hook_entry { | ||||
| 	const struct nf_hook_ops	*orig_ops; | ||||
| 	struct nf_hook_ops		ops; | ||||
| }; | ||||
| /* must hold nf_hook_mutex */ | ||||
| static void nf_set_hooks_head(struct net *net, const struct nf_hook_ops *reg, | ||||
| 			      struct nf_hook_entry *entry) | ||||
| { | ||||
| 	switch (reg->pf) { | ||||
| 	case NFPROTO_NETDEV: | ||||
| 		/* We already checked in nf_register_net_hook() that this is
 | ||||
| 		 * used from ingress. | ||||
| 		 */ | ||||
| 		rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry); | ||||
| 		break; | ||||
| 	default: | ||||
| 		rcu_assign_pointer(net->nf.hooks[reg->pf][reg->hooknum], | ||||
| 				   entry); | ||||
| 		break; | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) | ||||
| { | ||||
| 	struct list_head *hook_list; | ||||
| 	struct nf_hook_entry *hooks_entry; | ||||
| 	struct nf_hook_entry *entry; | ||||
| 	struct nf_hook_ops *elem; | ||||
| 
 | ||||
| 	if (reg->pf == NFPROTO_NETDEV && | ||||
| 	    (reg->hooknum != NF_NETDEV_INGRESS || | ||||
| @ -100,19 +118,30 @@ int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) | ||||
| 
 | ||||
| 	entry->orig_ops	= reg; | ||||
| 	entry->ops	= *reg; | ||||
| 
 | ||||
| 	hook_list = nf_find_hook_list(net, reg); | ||||
| 	if (!hook_list) { | ||||
| 		kfree(entry); | ||||
| 		return -ENOENT; | ||||
| 	} | ||||
| 	entry->next	= NULL; | ||||
| 
 | ||||
| 	mutex_lock(&nf_hook_mutex); | ||||
| 	list_for_each_entry(elem, hook_list, list) { | ||||
| 		if (reg->priority < elem->priority) | ||||
| 			break; | ||||
| 	hooks_entry = nf_hook_entry_head(net, reg); | ||||
| 
 | ||||
| 	if (hooks_entry && hooks_entry->orig_ops->priority > reg->priority) { | ||||
| 		/* This is the case where we need to insert at the head */ | ||||
| 		entry->next = hooks_entry; | ||||
| 		hooks_entry = NULL; | ||||
| 	} | ||||
| 	list_add_rcu(&entry->ops.list, elem->list.prev); | ||||
| 
 | ||||
| 	while (hooks_entry && | ||||
| 		reg->priority >= hooks_entry->orig_ops->priority && | ||||
| 		nf_entry_dereference(hooks_entry->next)) { | ||||
| 		hooks_entry = nf_entry_dereference(hooks_entry->next); | ||||
| 	} | ||||
| 
 | ||||
| 	if (hooks_entry) { | ||||
| 		entry->next = nf_entry_dereference(hooks_entry->next); | ||||
| 		rcu_assign_pointer(hooks_entry->next, entry); | ||||
| 	} else { | ||||
| 		nf_set_hooks_head(net, reg, entry); | ||||
| 	} | ||||
| 
 | ||||
| 	mutex_unlock(&nf_hook_mutex); | ||||
| #ifdef CONFIG_NETFILTER_INGRESS | ||||
| 	if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) | ||||
| @ -127,24 +156,33 @@ EXPORT_SYMBOL(nf_register_net_hook); | ||||
| 
 | ||||
| void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) | ||||
| { | ||||
| 	struct list_head *hook_list; | ||||
| 	struct nf_hook_entry *entry; | ||||
| 	struct nf_hook_ops *elem; | ||||
| 
 | ||||
| 	hook_list = nf_find_hook_list(net, reg); | ||||
| 	if (!hook_list) | ||||
| 		return; | ||||
| 	struct nf_hook_entry *hooks_entry; | ||||
| 
 | ||||
| 	mutex_lock(&nf_hook_mutex); | ||||
| 	list_for_each_entry(elem, hook_list, list) { | ||||
| 		entry = container_of(elem, struct nf_hook_entry, ops); | ||||
| 		if (entry->orig_ops == reg) { | ||||
| 			list_del_rcu(&entry->ops.list); | ||||
| 			break; | ||||
| 		} | ||||
| 	hooks_entry = nf_hook_entry_head(net, reg); | ||||
| 	if (hooks_entry->orig_ops == reg) { | ||||
| 		nf_set_hooks_head(net, reg, | ||||
| 				  nf_entry_dereference(hooks_entry->next)); | ||||
| 		goto unlock; | ||||
| 	} | ||||
| 	while (hooks_entry && nf_entry_dereference(hooks_entry->next)) { | ||||
| 		struct nf_hook_entry *next = | ||||
| 			nf_entry_dereference(hooks_entry->next); | ||||
| 		struct nf_hook_entry *nnext; | ||||
| 
 | ||||
| 		if (next->orig_ops != reg) { | ||||
| 			hooks_entry = next; | ||||
| 			continue; | ||||
| 		} | ||||
| 		nnext = nf_entry_dereference(next->next); | ||||
| 		rcu_assign_pointer(hooks_entry->next, nnext); | ||||
| 		hooks_entry = next; | ||||
| 		break; | ||||
| 	} | ||||
| 
 | ||||
| unlock: | ||||
| 	mutex_unlock(&nf_hook_mutex); | ||||
| 	if (&elem->list == hook_list) { | ||||
| 	if (!hooks_entry) { | ||||
| 		WARN(1, "nf_unregister_net_hook: hook not found!\n"); | ||||
| 		return; | ||||
| 	} | ||||
| @ -156,10 +194,10 @@ void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) | ||||
| 	static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]); | ||||
| #endif | ||||
| 	synchronize_net(); | ||||
| 	nf_queue_nf_hook_drop(net, &entry->ops); | ||||
| 	nf_queue_nf_hook_drop(net, hooks_entry); | ||||
| 	/* other cpu might still process nfqueue verdict that used reg */ | ||||
| 	synchronize_net(); | ||||
| 	kfree(entry); | ||||
| 	kfree(hooks_entry); | ||||
| } | ||||
| EXPORT_SYMBOL(nf_unregister_net_hook); | ||||
| 
 | ||||
| @ -258,10 +296,9 @@ void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n) | ||||
| } | ||||
| EXPORT_SYMBOL(nf_unregister_hooks); | ||||
| 
 | ||||
| unsigned int nf_iterate(struct list_head *head, | ||||
| 			struct sk_buff *skb, | ||||
| unsigned int nf_iterate(struct sk_buff *skb, | ||||
| 			struct nf_hook_state *state, | ||||
| 			struct nf_hook_ops **elemp) | ||||
| 			struct nf_hook_entry **entryp) | ||||
| { | ||||
| 	unsigned int verdict; | ||||
| 
 | ||||
| @ -269,20 +306,23 @@ unsigned int nf_iterate(struct list_head *head, | ||||
| 	 * The caller must not block between calls to this | ||||
| 	 * function because of risk of continuing from deleted element. | ||||
| 	 */ | ||||
| 	list_for_each_entry_continue_rcu((*elemp), head, list) { | ||||
| 		if (state->thresh > (*elemp)->priority) | ||||
| 	while (*entryp) { | ||||
| 		if (state->thresh > (*entryp)->ops.priority) { | ||||
| 			*entryp = rcu_dereference((*entryp)->next); | ||||
| 			continue; | ||||
| 		} | ||||
| 
 | ||||
| 		/* Optimization: we don't need to hold module
 | ||||
| 		   reference here, since function can't sleep. --RR */ | ||||
| repeat: | ||||
| 		verdict = (*elemp)->hook((*elemp)->priv, skb, state); | ||||
| 		verdict = (*entryp)->ops.hook((*entryp)->ops.priv, skb, state); | ||||
| 		if (verdict != NF_ACCEPT) { | ||||
| #ifdef CONFIG_NETFILTER_DEBUG | ||||
| 			if (unlikely((verdict & NF_VERDICT_MASK) | ||||
| 							> NF_MAX_VERDICT)) { | ||||
| 				NFDEBUG("Evil return from %p(%u).\n", | ||||
| 					(*elemp)->hook, state->hook); | ||||
| 					(*entryp)->ops.hook, state->hook); | ||||
| 				*entryp = rcu_dereference((*entryp)->next); | ||||
| 				continue; | ||||
| 			} | ||||
| #endif | ||||
| @ -290,6 +330,7 @@ repeat: | ||||
| 				return verdict; | ||||
| 			goto repeat; | ||||
| 		} | ||||
| 		*entryp = rcu_dereference((*entryp)->next); | ||||
| 	} | ||||
| 	return NF_ACCEPT; | ||||
| } | ||||
| @ -299,13 +340,13 @@ repeat: | ||||
|  * -EPERM for NF_DROP, 0 otherwise.  Caller must hold rcu_read_lock. */ | ||||
| int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state) | ||||
| { | ||||
| 	struct nf_hook_ops *elem; | ||||
| 	struct nf_hook_entry *entry; | ||||
| 	unsigned int verdict; | ||||
| 	int ret = 0; | ||||
| 
 | ||||
| 	elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list); | ||||
| 	entry = rcu_dereference(state->hook_entries); | ||||
| next_hook: | ||||
| 	verdict = nf_iterate(state->hook_list, skb, state, &elem); | ||||
| 	verdict = nf_iterate(skb, state, &entry); | ||||
| 	if (verdict == NF_ACCEPT || verdict == NF_STOP) { | ||||
| 		ret = 1; | ||||
| 	} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) { | ||||
| @ -314,8 +355,10 @@ next_hook: | ||||
| 		if (ret == 0) | ||||
| 			ret = -EPERM; | ||||
| 	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) { | ||||
| 		int err = nf_queue(skb, elem, state, | ||||
| 				   verdict >> NF_VERDICT_QBITS); | ||||
| 		int err; | ||||
| 
 | ||||
| 		RCU_INIT_POINTER(state->hook_entries, entry); | ||||
| 		err = nf_queue(skb, state, verdict >> NF_VERDICT_QBITS); | ||||
| 		if (err < 0) { | ||||
| 			if (err == -ESRCH && | ||||
| 			   (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS)) | ||||
| @ -442,7 +485,7 @@ static int __net_init netfilter_net_init(struct net *net) | ||||
| 
 | ||||
| 	for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) { | ||||
| 		for (h = 0; h < NF_MAX_HOOKS; h++) | ||||
| 			INIT_LIST_HEAD(&net->nf.hooks[i][h]); | ||||
| 			RCU_INIT_POINTER(net->nf.hooks[i][h], NULL); | ||||
| 	} | ||||
| 
 | ||||
| #ifdef CONFIG_PROC_FS | ||||
|  | ||||
| @ -13,13 +13,13 @@ | ||||
| 
 | ||||
| 
 | ||||
| /* core.c */ | ||||
| unsigned int nf_iterate(struct list_head *head, struct sk_buff *skb, | ||||
| 			struct nf_hook_state *state, struct nf_hook_ops **elemp); | ||||
| unsigned int nf_iterate(struct sk_buff *skb, struct nf_hook_state *state, | ||||
| 			struct nf_hook_entry **entryp); | ||||
| 
 | ||||
| /* nf_queue.c */ | ||||
| int nf_queue(struct sk_buff *skb, struct nf_hook_ops *elem, | ||||
| 	     struct nf_hook_state *state, unsigned int queuenum); | ||||
| void nf_queue_nf_hook_drop(struct net *net, struct nf_hook_ops *ops); | ||||
| int nf_queue(struct sk_buff *skb, struct nf_hook_state *state, | ||||
| 	     unsigned int queuenum); | ||||
| void nf_queue_nf_hook_drop(struct net *net, const struct nf_hook_entry *entry); | ||||
| int __init netfilter_queue_init(void); | ||||
| 
 | ||||
| /* nf_log.c */ | ||||
|  | ||||
| @ -96,14 +96,14 @@ void nf_queue_entry_get_refs(struct nf_queue_entry *entry) | ||||
| } | ||||
| EXPORT_SYMBOL_GPL(nf_queue_entry_get_refs); | ||||
| 
 | ||||
| void nf_queue_nf_hook_drop(struct net *net, struct nf_hook_ops *ops) | ||||
| void nf_queue_nf_hook_drop(struct net *net, const struct nf_hook_entry *entry) | ||||
| { | ||||
| 	const struct nf_queue_handler *qh; | ||||
| 
 | ||||
| 	rcu_read_lock(); | ||||
| 	qh = rcu_dereference(net->nf.queue_handler); | ||||
| 	if (qh) | ||||
| 		qh->nf_hook_drop(net, ops); | ||||
| 		qh->nf_hook_drop(net, entry); | ||||
| 	rcu_read_unlock(); | ||||
| } | ||||
| 
 | ||||
| @ -112,7 +112,6 @@ void nf_queue_nf_hook_drop(struct net *net, struct nf_hook_ops *ops) | ||||
|  * through nf_reinject(). | ||||
|  */ | ||||
| int nf_queue(struct sk_buff *skb, | ||||
| 	     struct nf_hook_ops *elem, | ||||
| 	     struct nf_hook_state *state, | ||||
| 	     unsigned int queuenum) | ||||
| { | ||||
| @ -141,7 +140,6 @@ int nf_queue(struct sk_buff *skb, | ||||
| 
 | ||||
| 	*entry = (struct nf_queue_entry) { | ||||
| 		.skb	= skb, | ||||
| 		.elem	= elem, | ||||
| 		.state	= *state, | ||||
| 		.size	= sizeof(*entry) + afinfo->route_key_size, | ||||
| 	}; | ||||
| @ -165,11 +163,15 @@ err: | ||||
| 
 | ||||
| void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict) | ||||
| { | ||||
| 	struct nf_hook_entry *hook_entry; | ||||
| 	struct sk_buff *skb = entry->skb; | ||||
| 	struct nf_hook_ops *elem = entry->elem; | ||||
| 	const struct nf_afinfo *afinfo; | ||||
| 	struct nf_hook_ops *elem; | ||||
| 	int err; | ||||
| 
 | ||||
| 	hook_entry = rcu_dereference(entry->state.hook_entries); | ||||
| 	elem = &hook_entry->ops; | ||||
| 
 | ||||
| 	nf_queue_entry_release_refs(entry); | ||||
| 
 | ||||
| 	/* Continue traversal iff userspace said ok... */ | ||||
| @ -186,8 +188,7 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict) | ||||
| 
 | ||||
| 	if (verdict == NF_ACCEPT) { | ||||
| 	next_hook: | ||||
| 		verdict = nf_iterate(entry->state.hook_list, | ||||
| 				     skb, &entry->state, &elem); | ||||
| 		verdict = nf_iterate(skb, &entry->state, &hook_entry); | ||||
| 	} | ||||
| 
 | ||||
| 	switch (verdict & NF_VERDICT_MASK) { | ||||
| @ -198,7 +199,8 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict) | ||||
| 		local_bh_enable(); | ||||
| 		break; | ||||
| 	case NF_QUEUE: | ||||
| 		err = nf_queue(skb, elem, &entry->state, | ||||
| 		RCU_INIT_POINTER(entry->state.hook_entries, hook_entry); | ||||
| 		err = nf_queue(skb, &entry->state, | ||||
| 			       verdict >> NF_VERDICT_QBITS); | ||||
| 		if (err < 0) { | ||||
| 			if (err == -ESRCH && | ||||
|  | ||||
| @ -917,12 +917,14 @@ static struct notifier_block nfqnl_dev_notifier = { | ||||
| 	.notifier_call	= nfqnl_rcv_dev_event, | ||||
| }; | ||||
| 
 | ||||
| static int nf_hook_cmp(struct nf_queue_entry *entry, unsigned long ops_ptr) | ||||
| static int nf_hook_cmp(struct nf_queue_entry *entry, unsigned long entry_ptr) | ||||
| { | ||||
| 	return entry->elem == (struct nf_hook_ops *)ops_ptr; | ||||
| 	return rcu_access_pointer(entry->state.hook_entries) == | ||||
| 		(struct nf_hook_entry *)entry_ptr; | ||||
| } | ||||
| 
 | ||||
| static void nfqnl_nf_hook_drop(struct net *net, struct nf_hook_ops *hook) | ||||
| static void nfqnl_nf_hook_drop(struct net *net, | ||||
| 			       const struct nf_hook_entry *hook) | ||||
| { | ||||
| 	struct nfnl_queue_net *q = nfnl_queue_pernet(net); | ||||
| 	int i; | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user
	 Aaron Conole
						Aaron Conole