
Commit 06198b34 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Pablo Neira Ayuso

netfilter: Pass priv instead of nf_hook_ops to netfilter hooks



Only pass the void *priv parameter out of the nf_hook_ops.  That is
all any of the functions are interested in now, and by limiting what is
passed it becomes simpler to change implementation details.

Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 176971b3
+1 −1
@@ -80,7 +80,7 @@ static inline void nf_hook_state_init(struct nf_hook_state *p,
	p->okfn = okfn;
}

typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops,
typedef unsigned int nf_hookfn(void *priv,
			       struct sk_buff *skb,
			       const struct nf_hook_state *state);
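Review bot: The new first parameter of `nf_hookfn` is an untyped `void *priv`, and nothing at the typedef says what it points to or that it is no longer the `nf_hook_ops` itself. Because any object pointer converts to `void *` without a diagnostic, a helper called from a hook that still treats the argument as `struct nf_hook_ops *` compiles cleanly and then reads the wrong object at run time. I would add a comment above the typedef such as `/* priv: the priv member of the nf_hook_ops the hook was registered with; its pointee type is private to the registering module */`. If no hook writes through the pointer, `const void *priv` would keep the read-only guarantee the old `const struct nf_hook_ops *` gave; that cannot be judged from this hunk.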

+1 −1
@@ -46,7 +46,7 @@ void br_netfilter_enable(void);

#if IS_ENABLED(CONFIG_IPV6)
int br_validate_ipv6(struct sk_buff *skb);
unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
unsigned int br_nf_pre_routing_ipv6(void *priv,
				    struct sk_buff *skb,
				    const struct nf_hook_state *state);
#else
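Review bot: Only the `IS_ENABLED(CONFIG_IPV6)` prototype of `br_nf_pre_routing_ipv6` changes here, and the section counts (+1 −1) show that nothing after the `#else` was touched. If the `#else` branch, which lies outside this hunk, carries a fallback definition with the old `const struct nf_hook_ops *ops` parameter, the two configurations now disagree. The compiler will not flag that, because the caller in `br_nf_pre_routing` passes a `void *`, which converts silently. I would update that fallback in the same commit so its first parameter is also `void *priv`.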
+16 −16
@@ -43,31 +43,31 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
				  enum ip_conntrack_info ctinfo,
				  unsigned int hooknum);

unsigned int nf_nat_ipv4_in(const struct nf_hook_ops *ops, struct sk_buff *skb,
unsigned int nf_nat_ipv4_in(void *priv, struct sk_buff *skb,
			    const struct nf_hook_state *state,
			    unsigned int (*do_chain)(const struct nf_hook_ops *ops,
			    unsigned int (*do_chain)(void *priv,
						     struct sk_buff *skb,
						     const struct nf_hook_state *state,
						     struct nf_conn *ct));

unsigned int nf_nat_ipv4_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
unsigned int nf_nat_ipv4_out(void *priv, struct sk_buff *skb,
			     const struct nf_hook_state *state,
			     unsigned int (*do_chain)(const struct nf_hook_ops *ops,
			     unsigned int (*do_chain)(void *priv,
						      struct sk_buff *skb,
						      const struct nf_hook_state *state,
						      struct nf_conn *ct));

unsigned int nf_nat_ipv4_local_fn(const struct nf_hook_ops *ops,
unsigned int nf_nat_ipv4_local_fn(void *priv,
				  struct sk_buff *skb,
				  const struct nf_hook_state *state,
				  unsigned int (*do_chain)(const struct nf_hook_ops *ops,
				  unsigned int (*do_chain)(void *priv,
							   struct sk_buff *skb,
							   const struct nf_hook_state *state,
							   struct nf_conn *ct));

unsigned int nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
unsigned int nf_nat_ipv4_fn(void *priv, struct sk_buff *skb,
			    const struct nf_hook_state *state,
			    unsigned int (*do_chain)(const struct nf_hook_ops *ops,
			    unsigned int (*do_chain)(void *priv,
						     struct sk_buff *skb,
						     const struct nf_hook_state *state,
						     struct nf_conn *ct));
@@ -76,31 +76,31 @@ int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
				    enum ip_conntrack_info ctinfo,
				    unsigned int hooknum, unsigned int hdrlen);

unsigned int nf_nat_ipv6_in(const struct nf_hook_ops *ops, struct sk_buff *skb,
unsigned int nf_nat_ipv6_in(void *priv, struct sk_buff *skb,
			    const struct nf_hook_state *state,
			    unsigned int (*do_chain)(const struct nf_hook_ops *ops,
			    unsigned int (*do_chain)(void *priv,
						     struct sk_buff *skb,
						     const struct nf_hook_state *state,
						     struct nf_conn *ct));

unsigned int nf_nat_ipv6_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
unsigned int nf_nat_ipv6_out(void *priv, struct sk_buff *skb,
			     const struct nf_hook_state *state,
			     unsigned int (*do_chain)(const struct nf_hook_ops *ops,
			     unsigned int (*do_chain)(void *priv,
						      struct sk_buff *skb,
						      const struct nf_hook_state *state,
						      struct nf_conn *ct));

unsigned int nf_nat_ipv6_local_fn(const struct nf_hook_ops *ops,
unsigned int nf_nat_ipv6_local_fn(void *priv,
				  struct sk_buff *skb,
				  const struct nf_hook_state *state,
				  unsigned int (*do_chain)(const struct nf_hook_ops *ops,
				  unsigned int (*do_chain)(void *priv,
							   struct sk_buff *skb,
							   const struct nf_hook_state *state,
							   struct nf_conn *ct));

unsigned int nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
unsigned int nf_nat_ipv6_fn(void *priv, struct sk_buff *skb,
			    const struct nf_hook_state *state,
			    unsigned int (*do_chain)(const struct nf_hook_ops *ops,
			    unsigned int (*do_chain)(void *priv,
						     struct sk_buff *skb,
						     const struct nf_hook_state *state,
						     struct nf_conn *ct));
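Review bot: The `do_chain` callback type is written out in full in all eight prototypes (`nf_nat_ipv4_in` through `nf_nat_ipv6_fn`), so the callback signature alone had to be edited eight times in this header. A single function typedef, for example `typedef unsigned int nf_nat_do_chain_fn(void *priv, struct sk_buff *skb, const struct nf_hook_state *state, struct nf_conn *ct);` (the name is only a suggestion), with each prototype taking `nf_nat_do_chain_fn *do_chain`, would make the next signature change a one-line edit. It would also give one place to document what `priv` points to for NAT chains, which the untyped `void *` no longer conveys.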
+1 −2
@@ -816,8 +816,7 @@ int nft_register_basechain(struct nft_base_chain *basechain,
void nft_unregister_basechain(struct nft_base_chain *basechain,
			      unsigned int hook_nops);

unsigned int nft_do_chain(struct nft_pktinfo *pkt,
			  const struct nf_hook_ops *ops);
unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);

/**
 *	struct nft_table - nf_tables table
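Review bot: `nft_do_chain()` now takes `void *priv` where it used to take a typed `const struct nf_hook_ops *ops`, so the compiler can no longer tell a caller that passes the ops pointer from one that passes the private data. The definition is not in this hunk; presumably it interprets `priv` as the chain that registered the hook, and a caller left unconverted would hand it an object of the wrong type with no warning. I would either declare the parameter with the concrete type the function expects or document it at the prototype, e.g. `/* priv: the nf_hook_ops priv value of the base chain being evaluated */`.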
+7 −7
@@ -464,7 +464,7 @@ struct net_device *setup_pre_routing(struct sk_buff *skb)
 * receiving device) to make netfilter happy, the REDIRECT
 * target in particular.  Save the original destination IP
 * address to be able to detect DNAT afterwards. */
static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
static unsigned int br_nf_pre_routing(void *priv,
				      struct sk_buff *skb,
				      const struct nf_hook_state *state)
{
@@ -486,7 +486,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
			return NF_ACCEPT;

		nf_bridge_pull_encap_header_rcsum(skb);
		return br_nf_pre_routing_ipv6(ops, skb, state);
		return br_nf_pre_routing_ipv6(priv, skb, state);
	}

	if (!brnf_call_iptables && !br->nf_call_iptables)
@@ -526,7 +526,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
 * took place when the packet entered the bridge), but we
 * register an IPv4 PRE_ROUTING 'sabotage' hook that will
 * prevent this from happening. */
static unsigned int br_nf_local_in(const struct nf_hook_ops *ops,
static unsigned int br_nf_local_in(void *priv,
				   struct sk_buff *skb,
				   const struct nf_hook_state *state)
{
@@ -570,7 +570,7 @@ static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff
 * but we are still able to filter on the 'real' indev/outdev
 * because of the physdev module. For ARP, indev and outdev are the
 * bridge ports. */
static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
static unsigned int br_nf_forward_ip(void *priv,
				     struct sk_buff *skb,
				     const struct nf_hook_state *state)
{
@@ -633,7 +633,7 @@ static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
	return NF_STOLEN;
}

static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
static unsigned int br_nf_forward_arp(void *priv,
				      struct sk_buff *skb,
				      const struct nf_hook_state *state)
{
@@ -801,7 +801,7 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
}

/* PF_BRIDGE/POST_ROUTING ********************************************/
static unsigned int br_nf_post_routing(const struct nf_hook_ops *ops,
static unsigned int br_nf_post_routing(void *priv,
				       struct sk_buff *skb,
				       const struct nf_hook_state *state)
{
@@ -850,7 +850,7 @@ static unsigned int br_nf_post_routing(const struct nf_hook_ops *ops,
/* IP/SABOTAGE *****************************************************/
/* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING
 * for the second time. */
static unsigned int ip_sabotage_in(const struct nf_hook_ops *ops,
static unsigned int ip_sabotage_in(void *priv,
				   struct sk_buff *skb,
				   const struct nf_hook_state *state)
{