
Commit 1610a73c authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: kill NF_HOOK_THRESH() and state->tresh



Patch c5136b15 ("netfilter: bridge: add and use br_nf_hook_thresh")
introduced br_nf_hook_thresh().

Replace NF_HOOK_THRESH() by br_nf_hook_thresh from
br_nf_forward_finish(), so we have no more callers for this macro.

As a result, state->thresh and the explicit thresh parameter in the hook
state structure are not required anymore. And we can get rid of the
skip-hook-under-thresh loop in nf_iterate() in the core path that is
only used by br_netfilter to search for the filter hook.

Suggested-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent d2be66f6
+13 −37
@@ -49,7 +49,6 @@ struct sock;

struct nf_hook_state {
	unsigned int hook;
	int thresh;
	u_int8_t pf;
	struct net_device *in;
	struct net_device *out;
@@ -84,7 +83,7 @@ struct nf_hook_entry {
static inline void nf_hook_state_init(struct nf_hook_state *p,
				      struct nf_hook_entry *hook_entry,
				      unsigned int hook,
				      int thresh, u_int8_t pf,
				      u_int8_t pf,
				      struct net_device *indev,
				      struct net_device *outdev,
				      struct sock *sk,
@@ -92,7 +91,6 @@ static inline void nf_hook_state_init(struct nf_hook_state *p,
				      int (*okfn)(struct net *, struct sock *, struct sk_buff *))
{
	p->hook = hook;
	p->thresh = thresh;
	p->pf = pf;
	p->in = indev;
	p->out = outdev;
@@ -155,20 +153,16 @@ extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state);

/**
 *	nf_hook_thresh - call a netfilter hook
 *	nf_hook - call a netfilter hook
 *
 *	Returns 1 if the hook has allowed the packet to pass.  The function
 *	okfn must be invoked by the caller in this case.  Any other return
 *	value indicates the packet has been consumed by the hook.
 */
static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
				 struct net *net,
				 struct sock *sk,
				 struct sk_buff *skb,
				 struct net_device *indev,
				 struct net_device *outdev,
				 int (*okfn)(struct net *, struct sock *, struct sk_buff *),
				 int thresh)
static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
			  struct sock *sk, struct sk_buff *skb,
			  struct net_device *indev, struct net_device *outdev,
			  int (*okfn)(struct net *, struct sock *, struct sk_buff *))
{
	struct nf_hook_entry *hook_head;
	int ret = 1;
@@ -185,8 +179,8 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
	if (hook_head) {
		struct nf_hook_state state;

		nf_hook_state_init(&state, hook_head, hook, thresh,
				   pf, indev, outdev, sk, net, okfn);
		nf_hook_state_init(&state, hook_head, hook, pf, indev, outdev,
				   sk, net, okfn);

		ret = nf_hook_slow(skb, &state);
	}
@@ -195,14 +189,6 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
	return ret;
}

static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
			  struct sock *sk, struct sk_buff *skb,
			  struct net_device *indev, struct net_device *outdev,
			  int (*okfn)(struct net *, struct sock *, struct sk_buff *))
{
	return nf_hook_thresh(pf, hook, net, sk, skb, indev, outdev, okfn, INT_MIN);
}
                   
/* Activate hook; either okfn or kfree_skb called, unless a hook
   returns NF_STOLEN (in which case, it's up to the hook to deal with
   the consequences).
@@ -220,19 +206,6 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
   coders :)
*/

static inline int
NF_HOOK_THRESH(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
	       struct sk_buff *skb, struct net_device *in,
	       struct net_device *out,
	       int (*okfn)(struct net *, struct sock *, struct sk_buff *),
	       int thresh)
{
	int ret = nf_hook_thresh(pf, hook, net, sk, skb, in, out, okfn, thresh);
	if (ret == 1)
		ret = okfn(net, sk, skb);
	return ret;
}

static inline int
NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
	     struct sk_buff *skb, struct net_device *in, struct net_device *out,
@@ -242,7 +215,7 @@ NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
	int ret;

	if (!cond ||
	    ((ret = nf_hook_thresh(pf, hook, net, sk, skb, in, out, okfn, INT_MIN)) == 1))
	    ((ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn)) == 1))
		ret = okfn(net, sk, skb);
	return ret;
}
@@ -252,7 +225,10 @@ NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct
	struct net_device *in, struct net_device *out,
	int (*okfn)(struct net *, struct sock *, struct sk_buff *))
{
	return NF_HOOK_THRESH(pf, hook, net, sk, skb, in, out, okfn, INT_MIN);
	int ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn);
	if (ret == 1)
		ret = okfn(net, sk, skb);
	return ret;
}

/* Call setsockopt() */
+1 −1
@@ -26,7 +26,7 @@ static inline int nf_hook_ingress(struct sk_buff *skb)
	if (unlikely(!e))
		return 0;

	nf_hook_state_init(&state, e, NF_NETDEV_INGRESS, INT_MIN,
	nf_hook_state_init(&state, e, NF_NETDEV_INGRESS,
			   NFPROTO_NETDEV, skb->dev, NULL, NULL,
			   dev_net(skb->dev), NULL);
	return nf_hook_slow(skb, &state);
+4 −4
@@ -561,8 +561,8 @@ static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff
	}
	nf_bridge_push_encap_header(skb);

	NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, net, sk, skb,
		       in, skb->dev, br_forward_finish, 1);
	br_nf_hook_thresh(NF_BR_FORWARD, net, sk, skb, in, skb->dev,
			  br_forward_finish);
	return 0;
}

@@ -1016,8 +1016,8 @@ int br_nf_hook_thresh(unsigned int hook, struct net *net,

	/* We may already have this, but read-locks nest anyway */
	rcu_read_lock();
	nf_hook_state_init(&state, elem, hook, NF_BR_PRI_BRNF + 1,
			   NFPROTO_BRIDGE, indev, outdev, sk, net, okfn);
	nf_hook_state_init(&state, elem, hook, NFPROTO_BRIDGE, indev, outdev,
			   sk, net, okfn);

	ret = nf_hook_slow(skb, &state);
	rcu_read_unlock();
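Review bot: In the br_nf_hook_thresh() hunk, nothing at the nf_hook_state_init() call now records that traversal is meant to begin above NF_BR_PRI_BRNF; the old `NF_BR_PRI_BRNF + 1` argument said so, and the priority skip in nf_iterate() that enforced it is deleted by this same commit. The starting point now rests entirely on `elem`, which is selected above this hunk and is not visible here, so if it can ever refer to an entry at or below that priority, the bridge filter hooks would presumably run a second time or br_netfilter's own hook would be re-entered. I would add a comment before the call, for example `/* elem must already be past NF_BR_PRI_BRNF: nf_iterate() no longer skips by priority */`. The function starts and ends outside the hunk.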
+1 −1
@@ -53,7 +53,7 @@ static int ebt_broute(struct sk_buff *skb)
	struct nf_hook_state state;
	int ret;

	nf_hook_state_init(&state, NULL, NF_BR_BROUTING, INT_MIN,
	nf_hook_state_init(&state, NULL, NF_BR_BROUTING,
			   NFPROTO_BRIDGE, skb->dev, NULL, NULL,
			   dev_net(skb->dev), NULL);

+0 −4
@@ -309,10 +309,6 @@ unsigned int nf_iterate(struct sk_buff *skb,
	unsigned int verdict;

	while (*entryp) {
		if (state->thresh > (*entryp)->ops.priority) {
			*entryp = rcu_dereference((*entryp)->next);
			continue;
		}
repeat:
		verdict = (*entryp)->ops.hook((*entryp)->ops.priv, skb, state);
		if (verdict != NF_ACCEPT) {