Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a67dd266 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: xtables: prepare for on-demand hook register 



This change prepares for upcoming on-demand xtables hook registration.

We change the protoypes of the register/unregister functions.
A followup patch will then add nf_hook_register/unregister calls
to the iptables one.

Once a hook is registered packets will be picked up, so all assignments
of the form

net->ipv4.iptable_$table = new_table

have to be moved to ip(6)t_register_table, else we can see NULL
net->ipv4.iptable_$table later.

This patch doesn't change functionality; without this the actual change
simply gets too big.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 5f547391

include/linux/netfilter_arp/arp_tables.h

+5 −4
Original line number Diff line number Diff line
@@ -48,10 +48,11 @@ struct arpt_error { 
}



extern void *arpt_alloc_initial_table(const struct xt_table *);

extern struct xt_table *arpt_register_table(struct net *net,

					    const struct xt_table *table,

					    const struct arpt_replace *repl);

extern void arpt_unregister_table(struct xt_table *table);

int arpt_register_table(struct net *net, const struct xt_table *table,

			const struct arpt_replace *repl,

			const struct nf_hook_ops *ops, struct xt_table **res);

void arpt_unregister_table(struct net *net, struct xt_table *table,

			   const struct nf_hook_ops *ops);

extern unsigned int arpt_do_table(struct sk_buff *skb,

				  const struct nf_hook_state *state,

				  struct xt_table *table);

include/linux/netfilter_ipv4/ip_tables.h

+5 −4
Original line number Diff line number Diff line
@@ -24,10 +24,11 @@ 


extern void ipt_init(void) __init;



extern struct xt_table *ipt_register_table(struct net *net,

					   const struct xt_table *table,

					   const struct ipt_replace *repl);

extern void ipt_unregister_table(struct net *net, struct xt_table *table);

int ipt_register_table(struct net *net, const struct xt_table *table,

		       const struct ipt_replace *repl,

		       const struct nf_hook_ops *ops, struct xt_table **res);

void ipt_unregister_table(struct net *net, struct xt_table *table,

			  const struct nf_hook_ops *ops);



/* Standard entry. */

struct ipt_standard {

include/linux/netfilter_ipv6/ip6_tables.h

+5 −4
Original line number Diff line number Diff line
@@ -25,10 +25,11 @@ 
extern void ip6t_init(void) __init;



extern void *ip6t_alloc_initial_table(const struct xt_table *);

extern struct xt_table *ip6t_register_table(struct net *net,

					    const struct xt_table *table,

					    const struct ip6t_replace *repl);

extern void ip6t_unregister_table(struct net *net, struct xt_table *table);

int ip6t_register_table(struct net *net, const struct xt_table *table,

			const struct ip6t_replace *repl,

			const struct nf_hook_ops *ops, struct xt_table **res);

void ip6t_unregister_table(struct net *net, struct xt_table *table,

			   const struct nf_hook_ops *ops);

extern unsigned int ip6t_do_table(struct sk_buff *skb,

				  const struct nf_hook_state *state,

				  struct xt_table *table);

net/ipv4/netfilter/arp_tables.c

+14 −11
Original line number Diff line number Diff line
@@ -1780,9 +1780,11 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len 
	return ret;

}



struct xt_table *arpt_register_table(struct net *net,

int arpt_register_table(struct net *net,

			const struct xt_table *table,

				     const struct arpt_replace *repl)

			const struct arpt_replace *repl,

			const struct nf_hook_ops *ops,

			struct xt_table **res)

{

	int ret;

	struct xt_table_info *newinfo;
@@ -1791,10 +1793,8 @@ struct xt_table *arpt_register_table(struct net *net, 
	struct xt_table *new_table;



	newinfo = xt_alloc_table_info(repl->size);

	if (!newinfo) {

		ret = -ENOMEM;

		goto out;

	}

	if (!newinfo)

		return -ENOMEM;



	loc_cpu_entry = newinfo->entries;

	memcpy(loc_cpu_entry, repl->entries, repl->size);
@@ -1809,15 +1809,18 @@ struct xt_table *arpt_register_table(struct net *net, 
		ret = PTR_ERR(new_table);

		goto out_free;

	}

	return new_table;



	WRITE_ONCE(*res, new_table);



	return ret;



out_free:

	xt_free_table_info(newinfo);

out:

	return ERR_PTR(ret);

	return ret;

}



void arpt_unregister_table(struct xt_table *table)

void arpt_unregister_table(struct net *net, struct xt_table *table,

			   const struct nf_hook_ops *ops)

{

	struct xt_table_info *private;

	void *loc_cpu_entry;

net/ipv4/netfilter/arptable_filter.c

+6 −5
Original line number Diff line number Diff line
@@ -38,19 +38,20 @@ static struct nf_hook_ops *arpfilter_ops __read_mostly; 
static int __net_init arptable_filter_net_init(struct net *net)

{

	struct arpt_replace *repl;

	int err;



	repl = arpt_alloc_initial_table(&packet_filter);

	if (repl == NULL)

		return -ENOMEM;

	net->ipv4.arptable_filter =

		arpt_register_table(net, &packet_filter, repl);

	err = arpt_register_table(net, &packet_filter, repl, arpfilter_ops,

				  &net->ipv4.arptable_filter);

	kfree(repl);

	return PTR_ERR_OR_ZERO(net->ipv4.arptable_filter);

	return err;

}



static void __net_exit arptable_filter_net_exit(struct net *net)

{

	arpt_unregister_table(net->ipv4.arptable_filter);

	arpt_unregister_table(net, net->ipv4.arptable_filter, arpfilter_ops);

}



static struct pernet_operations arptable_filter_net_ops = {