
Commit 238e54c9 authored by David S. Miller

netfilter: Make nf_hookfn use nf_hook_state.



Pass the nf_hook_state all the way down into the hook
functions themselves.

Signed-off-by: David S. Miller <davem@davemloft.net>
parent 1d1de89b
+1 −3
@@ -56,9 +56,7 @@ struct nf_hook_state {

typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops,
			       struct sk_buff *skb,
			       const struct net_device *in,
			       const struct net_device *out,
			       int (*okfn)(struct sk_buff *));
			       const struct nf_hook_state *state);

struct nf_hook_ops {
	struct list_head list;
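Review bot: The nf_hookfn typedef carries no comment telling hook authors what they may assume about `state`, and with this prototype every hook now reads the devices through it. Other sections of this commit dereference `state->in` or `state->out` directly, so a short comment above the typedef should state the contract, for example `/* state->in / state->out may be NULL depending on the hook point; check before dereferencing */`. It would also help to say where the former `okfn` argument now lives. It is presumably a field of nf_hook_state, whose body is outside this hunk.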
+16 −30
@@ -562,9 +562,7 @@ static int check_hbh_len(struct sk_buff *skb)
 * to ip6tables, which doesn't support NAT, so things are fairly simple. */
static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
					   struct sk_buff *skb,
					   const struct net_device *in,
					   const struct net_device *out,
					   int (*okfn)(struct sk_buff *))
					   const struct nf_hook_state *state)
{
	const struct ipv6hdr *hdr;
	u32 pkt_len;
@@ -612,9 +610,7 @@ static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
 * address to be able to detect DNAT afterwards. */
static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
				      struct sk_buff *skb,
				      const struct net_device *in,
				      const struct net_device *out,
				      int (*okfn)(struct sk_buff *))
				      const struct nf_hook_state *state)
{
	struct net_bridge_port *p;
	struct net_bridge *br;
@@ -623,7 +619,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
	if (unlikely(!pskb_may_pull(skb, len)))
		return NF_DROP;

	p = br_port_get_rcu(in);
	p = br_port_get_rcu(state->in);
	if (p == NULL)
		return NF_DROP;
	br = p->br;
@@ -633,7 +629,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
			return NF_ACCEPT;

		nf_bridge_pull_encap_header_rcsum(skb);
		return br_nf_pre_routing_ipv6(ops, skb, in, out, okfn);
		return br_nf_pre_routing_ipv6(ops, skb, state);
	}

	if (!brnf_call_iptables && !br->nf_call_iptables)
@@ -671,9 +667,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
 * prevent this from happening. */
static unsigned int br_nf_local_in(const struct nf_hook_ops *ops,
				   struct sk_buff *skb,
				   const struct net_device *in,
				   const struct net_device *out,
				   int (*okfn)(struct sk_buff *))
				   const struct nf_hook_state *state)
{
	br_drop_fake_rtable(skb);
	return NF_ACCEPT;
@@ -710,9 +704,7 @@ static int br_nf_forward_finish(struct sk_buff *skb)
 * bridge ports. */
static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
				     struct sk_buff *skb,
				     const struct net_device *in,
				     const struct net_device *out,
				     int (*okfn)(struct sk_buff *))
				     const struct nf_hook_state *state)
{
	struct nf_bridge_info *nf_bridge;
	struct net_device *parent;
@@ -726,7 +718,7 @@ static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
	if (!nf_bridge_unshare(skb))
		return NF_DROP;

	parent = bridge_parent(out);
	parent = bridge_parent(state->out);
	if (!parent)
		return NF_DROP;

@@ -754,23 +746,21 @@ static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
	else
		skb->protocol = htons(ETH_P_IPV6);

	NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, in), parent,
		br_nf_forward_finish);
	NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, state->in),
		parent,	br_nf_forward_finish);

	return NF_STOLEN;
}

static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
				      struct sk_buff *skb,
				      const struct net_device *in,
				      const struct net_device *out,
				      int (*okfn)(struct sk_buff *))
				      const struct nf_hook_state *state)
{
	struct net_bridge_port *p;
	struct net_bridge *br;
	struct net_device **d = (struct net_device **)(skb->cb);

	p = br_port_get_rcu(out);
	p = br_port_get_rcu(state->out);
	if (p == NULL)
		return NF_ACCEPT;
	br = p->br;
@@ -789,9 +779,9 @@ static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
			nf_bridge_push_encap_header(skb);
		return NF_ACCEPT;
	}
	*d = (struct net_device *)in;
	NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
		(struct net_device *)out, br_nf_forward_finish);
	*d = state->in;
	NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, state->in,
		state->out, br_nf_forward_finish);

	return NF_STOLEN;
}
@@ -859,9 +849,7 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
/* PF_BRIDGE/POST_ROUTING ********************************************/
static unsigned int br_nf_post_routing(const struct nf_hook_ops *ops,
				       struct sk_buff *skb,
				       const struct net_device *in,
				       const struct net_device *out,
				       int (*okfn)(struct sk_buff *))
				       const struct nf_hook_state *state)
{
	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
	struct net_device *realoutdev = bridge_parent(skb->dev);
@@ -910,9 +898,7 @@ static unsigned int br_nf_post_routing(const struct nf_hook_ops *ops,
 * for the second time. */
static unsigned int ip_sabotage_in(const struct nf_hook_ops *ops,
				   struct sk_buff *skb,
				   const struct net_device *in,
				   const struct net_device *out,
				   int (*okfn)(struct sk_buff *))
				   const struct nf_hook_state *state)
{
	if (skb->nf_bridge &&
	    !(skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)) {
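Review bot: In br_nf_forward_arp the new `*d = state->in;` and the NF_HOOK arguments no longer need the `(struct net_device *)` casts the old lines had. That suggests nf_hook_state declares `in`/`out` as non-const pointers, though the struct body is not on this page. If so, hooks lose the const protection the old prototype gave them on the devices, and a one-line comment at the struct or typedef saying hooks must treat the devices as read-only would keep that intent visible. Separately, the rewrapped NF_HOOK call in br_nf_forward_ip has a tab after the comma; `parent, br_nf_forward_finish);` with a single space matches the surrounding style. Part of br_nf_forward_arp's body lies between the two hunks and is not shown.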
+6 −8
@@ -58,20 +58,18 @@ static const struct ebt_table frame_filter = {

static unsigned int
ebt_in_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
	    const struct net_device *in, const struct net_device *out,
	    int (*okfn)(struct sk_buff *))
	    const struct nf_hook_state *state)
{
	return ebt_do_table(ops->hooknum, skb, in, out,
			    dev_net(in)->xt.frame_filter);
	return ebt_do_table(ops->hooknum, skb, state->in, state->out,
			    dev_net(state->in)->xt.frame_filter);
}

static unsigned int
ebt_out_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
	     const struct net_device *in, const struct net_device *out,
	     int (*okfn)(struct sk_buff *))
	     const struct nf_hook_state *state)
{
	return ebt_do_table(ops->hooknum, skb, in, out,
			    dev_net(out)->xt.frame_filter);
	return ebt_do_table(ops->hooknum, skb, state->in, state->out,
			    dev_net(state->out)->xt.frame_filter);
}

static struct nf_hook_ops ebt_ops_filter[] __read_mostly = {
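Review bot: ebt_in_hook passes `state->in` straight to dev_net() and ebt_out_hook does the same with `state->out`, neither with a NULL check. This is only safe if each function is registered solely on hooks where that device is set. The ebt_ops_filter table that decides this starts on the last line of the hunk and its entries are not shown. A comment on each function would record the dependency, e.g. `/* registered only on hooks where state->in is non-NULL */`, so a later change to the table does not introduce a NULL dereference. ebt_nat_in and ebt_nat_out in the next file section follow the same pattern and need the same comment.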
+6 −8
@@ -58,20 +58,18 @@ static struct ebt_table frame_nat = {

static unsigned int
ebt_nat_in(const struct nf_hook_ops *ops, struct sk_buff *skb,
	   const struct net_device *in, const struct net_device *out,
	   int (*okfn)(struct sk_buff *))
	   const struct nf_hook_state *state)
{
	return ebt_do_table(ops->hooknum, skb, in, out,
			    dev_net(in)->xt.frame_nat);
	return ebt_do_table(ops->hooknum, skb, state->in, state->out,
			    dev_net(state->in)->xt.frame_nat);
}

static unsigned int
ebt_nat_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
	    const struct net_device *in, const struct net_device *out,
	    int (*okfn)(struct sk_buff *))
	    const struct nf_hook_state *state)
{
	return ebt_do_table(ops->hooknum, skb, in, out,
			    dev_net(out)->xt.frame_nat);
	return ebt_do_table(ops->hooknum, skb, state->in, state->out,
			    dev_net(state->out)->xt.frame_nat);
}

static struct nf_hook_ops ebt_ops_nat[] __read_mostly = {
+4 −6
@@ -93,21 +93,19 @@ static inline void nft_bridge_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
static unsigned int
nft_do_chain_bridge(const struct nf_hook_ops *ops,
		    struct sk_buff *skb,
		    const struct net_device *in,
		    const struct net_device *out,
		    int (*okfn)(struct sk_buff *))
		    const struct nf_hook_state *state)
{
	struct nft_pktinfo pkt;

	switch (eth_hdr(skb)->h_proto) {
	case htons(ETH_P_IP):
		nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
		nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, state->in, state->out);
		break;
	case htons(ETH_P_IPV6):
		nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, in, out);
		nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, state->in, state->out);
		break;
	default:
		nft_set_pktinfo(&pkt, ops, skb, in, out);
		nft_set_pktinfo(&pkt, ops, skb, state->in, state->out);
		break;
	}
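Review bot: The two new nft_bridge_set_pktinfo_ipv4/ipv6 calls in the switch run past 80 columns once `state->in, state->out` replaces `in, out`. Wrap them the way the rest of the file wraps argument lists: `nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb,` followed by an aligned `state->in, state->out);`, and the same for the ipv6 case. nft_do_chain_bridge continues past the end of this hunk, so how `pkt` is used afterwards is not visible here.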
