* [PATCH nf-next,v2 1/7] netfilter: remove checksum indirection in struct nf_afinfo
@ 2017-12-18 23:46 Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 2/7] netfilter: remove checksum_partial " Pablo Neira Ayuso
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2017-12-18 23:46 UTC (permalink / raw)
To: netfilter-devel
Simplify this infrastructure by replacing it by direction call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: remove .checksum from nf_tables_bridge. Reported by kbuild robot.
include/linux/netfilter.h | 19 +++----------------
include/linux/netfilter_ipv6.h | 13 +++++++++++--
net/bridge/netfilter/nf_tables_bridge.c | 7 -------
net/ipv4/netfilter.c | 1 -
net/ipv6/netfilter.c | 1 -
net/netfilter/Makefile | 2 +-
net/netfilter/utils.c | 23 +++++++++++++++++++++++
7 files changed, 38 insertions(+), 28 deletions(-)
create mode 100644 net/netfilter/utils.c
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index fcb391a0fbd9..3ae4cfb92b54 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -311,8 +311,6 @@ struct nf_queue_entry;
struct nf_afinfo {
unsigned short family;
- __sum16 (*checksum)(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, u_int8_t protocol);
__sum16 (*checksum_partial)(struct sk_buff *skb,
unsigned int hook,
unsigned int dataoff,
@@ -333,20 +331,9 @@ static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family)
return rcu_dereference(nf_afinfo[family]);
}
-static inline __sum16
-nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff,
- u_int8_t protocol, unsigned short family)
-{
- const struct nf_afinfo *afinfo;
- __sum16 csum = 0;
-
- rcu_read_lock();
- afinfo = nf_get_afinfo(family);
- if (afinfo)
- csum = afinfo->checksum(skb, hook, dataoff, protocol);
- rcu_read_unlock();
- return csum;
-}
+__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, u_int8_t protocol,
+ unsigned short family);
static inline __sum16
nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 47c6b04c28c0..ea8c99e5112a 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -21,10 +21,19 @@ struct nf_ipv6_ops {
int (*output)(struct net *, struct sock *, struct sk_buff *));
};
-#ifdef CONFIG_NETFILTER
-int ip6_route_me_harder(struct net *net, struct sk_buff *skb);
+#if defined(CONFIG_IPV6)
__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol);
+#else
+static inline __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, u_int8_t protocol)
+{
+ return 0;
+}
+#endif
+
+#ifdef CONFIG_NETFILTER
+int ip6_route_me_harder(struct net *net, struct sk_buff *skb);
int ipv6_netfilter_init(void);
void ipv6_netfilter_fini(void);
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index 74260ffec74d..b850c17f02f5 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -106,12 +106,6 @@ static int nf_br_reroute(struct net *net, struct sk_buff *skb,
return 0;
}
-static __sum16 nf_br_checksum(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, u_int8_t protocol)
-{
- return 0;
-}
-
static __sum16 nf_br_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol)
@@ -127,7 +121,6 @@ static int nf_br_route(struct net *net, struct dst_entry **dst,
static const struct nf_afinfo nf_br_afinfo = {
.family = AF_BRIDGE,
- .checksum = nf_br_checksum,
.checksum_partial = nf_br_checksum_partial,
.route = nf_br_route,
.saveroute = nf_br_saveroute,
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index c0cc6aa8cfaa..2f7ffefd2732 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -188,7 +188,6 @@ static int nf_ip_route(struct net *net, struct dst_entry **dst,
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
- .checksum = nf_ip_checksum,
.checksum_partial = nf_ip_checksum_partial,
.route = nf_ip_route,
.saveroute = nf_ip_saveroute,
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 39970e212ad5..a24810ecc432 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -197,7 +197,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
- .checksum = nf_ip6_checksum,
.checksum_partial = nf_ip6_checksum_partial,
.route = nf_ip6_route,
.saveroute = nf_ip6_saveroute,
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 490a55e7166d..eec0c3b72926 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -1,5 +1,5 @@
# SPDX-License-Identifier: GPL-2.0
-netfilter-objs := core.o nf_log.o nf_queue.o nf_sockopt.o
+netfilter-objs := core.o nf_log.o nf_queue.o nf_sockopt.o utils.o
nf_conntrack-y := nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_expect.o nf_conntrack_helper.o nf_conntrack_proto.o nf_conntrack_l3proto_generic.o nf_conntrack_proto_generic.o nf_conntrack_proto_tcp.o nf_conntrack_proto_udp.o nf_conntrack_extend.o nf_conntrack_acct.o nf_conntrack_seqadj.o
nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMEOUT) += nf_conntrack_timeout.o
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
new file mode 100644
index 000000000000..92a51e507fab
--- /dev/null
+++ b/net/netfilter/utils.c
@@ -0,0 +1,23 @@
+#include <linux/kernel.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
+
+__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, u_int8_t protocol,
+ unsigned short family)
+{
+ __sum16 csum = 0;
+
+ switch (family) {
+ case AF_INET:
+ csum = nf_ip_checksum(skb, hook, dataoff, protocol);
+ break;
+ case AF_INET6:
+ csum = nf_ip6_checksum(skb, hook, dataoff, protocol);
+ break;
+ }
+
+ return csum;
+}
+EXPORT_SYMBOL_GPL(nf_checksum);
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH nf-next,v2 2/7] netfilter: remove checksum_partial indirection in struct nf_afinfo
2017-12-18 23:46 [PATCH nf-next,v2 1/7] netfilter: remove checksum indirection in struct nf_afinfo Pablo Neira Ayuso
@ 2017-12-18 23:46 ` Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 3/7] netfilter: remove saveroute " Pablo Neira Ayuso
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2017-12-18 23:46 UTC (permalink / raw)
To: netfilter-devel
Simplify this infrastructure by replacing it by direction call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: remove .checksum_partial from nf_tables_bridge. Reported by kbuild robot.
include/linux/netfilter.h | 25 +++----------------------
include/linux/netfilter_ipv4.h | 3 +++
include/linux/netfilter_ipv6.h | 11 +++++++++++
net/bridge/netfilter/nf_tables_bridge.c | 8 --------
net/ipv4/netfilter.c | 7 +++----
net/ipv6/netfilter.c | 7 +++----
net/netfilter/utils.c | 21 +++++++++++++++++++++
7 files changed, 44 insertions(+), 38 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 3ae4cfb92b54..a2bb6fefde13 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -311,11 +311,6 @@ struct nf_queue_entry;
struct nf_afinfo {
unsigned short family;
- __sum16 (*checksum_partial)(struct sk_buff *skb,
- unsigned int hook,
- unsigned int dataoff,
- unsigned int len,
- u_int8_t protocol);
int (*route)(struct net *net, struct dst_entry **dst,
struct flowi *fl, bool strict);
void (*saveroute)(const struct sk_buff *skb,
@@ -334,23 +329,9 @@ static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family)
__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol,
unsigned short family);
-
-static inline __sum16
-nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, unsigned int len,
- u_int8_t protocol, unsigned short family)
-{
- const struct nf_afinfo *afinfo;
- __sum16 csum = 0;
-
- rcu_read_lock();
- afinfo = nf_get_afinfo(family);
- if (afinfo)
- csum = afinfo->checksum_partial(skb, hook, dataoff, len,
- protocol);
- rcu_read_unlock();
- return csum;
-}
+__sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol, unsigned short family);
int nf_register_afinfo(const struct nf_afinfo *afinfo);
void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 98c03b2462b5..6d61ec0a7695 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -9,4 +9,7 @@
int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type);
__sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol);
+__sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol);
#endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index ea8c99e5112a..729cc76cb3db 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -24,12 +24,23 @@ struct nf_ipv6_ops {
#if defined(CONFIG_IPV6)
__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol);
+__sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol);
#else
static inline __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol)
{
return 0;
}
+static inline__sum16 nf_ip6_checksum_partial(struct sk_buff *skb,
+ unsigned int hook,
+ unsigned int dataoff,
+ unsigned int len,
+ u_int8_t protocol)
+{
+ return 0;
+}
#endif
#ifdef CONFIG_NETFILTER
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index b850c17f02f5..b24ac11cacc9 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -106,13 +106,6 @@ static int nf_br_reroute(struct net *net, struct sk_buff *skb,
return 0;
}
-static __sum16 nf_br_checksum_partial(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, unsigned int len,
- u_int8_t protocol)
-{
- return 0;
-}
-
static int nf_br_route(struct net *net, struct dst_entry **dst,
struct flowi *fl, bool strict __always_unused)
{
@@ -121,7 +114,6 @@ static int nf_br_route(struct net *net, struct dst_entry **dst,
static const struct nf_afinfo nf_br_afinfo = {
.family = AF_BRIDGE,
- .checksum_partial = nf_br_checksum_partial,
.route = nf_br_route,
.saveroute = nf_br_saveroute,
.reroute = nf_br_reroute,
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 2f7ffefd2732..050b614662f8 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -155,9 +155,9 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
}
EXPORT_SYMBOL(nf_ip_checksum);
-static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, unsigned int len,
- u_int8_t protocol)
+__sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol)
{
const struct iphdr *iph = ip_hdr(skb);
__sum16 csum = 0;
@@ -188,7 +188,6 @@ static int nf_ip_route(struct net *net, struct dst_entry **dst,
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
- .checksum_partial = nf_ip_checksum_partial,
.route = nf_ip_route,
.saveroute = nf_ip_saveroute,
.reroute = nf_ip_reroute,
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index a24810ecc432..6e39b721136e 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -163,9 +163,9 @@ __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
}
EXPORT_SYMBOL(nf_ip6_checksum);
-static __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, unsigned int len,
- u_int8_t protocol)
+__sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol)
{
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
__wsum hsum;
@@ -197,7 +197,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
- .checksum_partial = nf_ip6_checksum_partial,
.route = nf_ip6_route,
.saveroute = nf_ip6_saveroute,
.reroute = nf_ip6_reroute,
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
index 92a51e507fab..3fdad0c7b189 100644
--- a/net/netfilter/utils.c
+++ b/net/netfilter/utils.c
@@ -21,3 +21,24 @@ __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
return csum;
}
EXPORT_SYMBOL_GPL(nf_checksum);
+
+__sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ unsigned int dataoff, unsigned int len,
+ u_int8_t protocol, unsigned short family)
+{
+ __sum16 csum = 0;
+
+ switch (family) {
+ case AF_INET:
+ csum = nf_ip_checksum_partial(skb, hook, dataoff, len,
+ protocol);
+ break;
+ case AF_INET6:
+ csum = nf_ip6_checksum_partial(skb, hook, dataoff, len,
+ protocol);
+ break;
+ }
+
+ return csum;
+}
+EXPORT_SYMBOL_GPL(nf_checksum_partial);
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH nf-next,v2 3/7] netfilter: remove saveroute indirection in struct nf_afinfo
2017-12-18 23:46 [PATCH nf-next,v2 1/7] netfilter: remove checksum indirection in struct nf_afinfo Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 2/7] netfilter: remove checksum_partial " Pablo Neira Ayuso
@ 2017-12-18 23:46 ` Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 4/7] netfilter: remove route " Pablo Neira Ayuso
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2017-12-18 23:46 UTC (permalink / raw)
To: netfilter-devel
This is only used by nf_queue.c, and there we can replace it by a direct
function call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: fix warning: 'struct nf_queue_entry' declared inside parameter list
remove .saveroute from nf_tables_bridge. Reported by kbuild robot.
include/linux/netfilter.h | 3 +--
include/linux/netfilter_ipv4.h | 3 +++
include/linux/netfilter_ipv6.h | 5 +++++
net/bridge/netfilter/nf_tables_bridge.c | 6 ------
net/ipv4/netfilter.c | 4 +---
net/ipv6/netfilter.c | 5 ++---
net/netfilter/nf_queue.c | 2 +-
net/netfilter/utils.c | 13 +++++++++++++
8 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index a2bb6fefde13..b3a46a374a89 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -313,8 +313,6 @@ struct nf_afinfo {
unsigned short family;
int (*route)(struct net *net, struct dst_entry **dst,
struct flowi *fl, bool strict);
- void (*saveroute)(const struct sk_buff *skb,
- struct nf_queue_entry *entry);
int (*reroute)(struct net *net, struct sk_buff *skb,
const struct nf_queue_entry *entry);
int route_key_size;
@@ -332,6 +330,7 @@ __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
__sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol, unsigned short family);
+void nf_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
int nf_register_afinfo(const struct nf_afinfo *afinfo);
void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 6d61ec0a7695..f47e657f32ef 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -6,10 +6,13 @@
#include <uapi/linux/netfilter_ipv4.h>
+struct nf_queue_entry;
+
int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type);
__sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol);
__sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol);
+void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 729cc76cb3db..d359ee1f3e37 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -21,12 +21,15 @@ struct nf_ipv6_ops {
int (*output)(struct net *, struct sock *, struct sk_buff *));
};
+struct nf_queue_entry;
+
#if defined(CONFIG_IPV6)
__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol);
__sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol);
+void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#else
static inline __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol)
@@ -41,6 +44,8 @@ static inline__sum16 nf_ip6_checksum_partial(struct sk_buff *skb,
{
return 0;
}
+static inline void nf_ip6_saveroute(const struct sk_buff *skb,
+ struct nf_queue_entry *entry) {}
#endif
#ifdef CONFIG_NETFILTER
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index b24ac11cacc9..f38350c6bc29 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -95,11 +95,6 @@ static const struct nf_chain_type filter_bridge = {
},
};
-static void nf_br_saveroute(const struct sk_buff *skb,
- struct nf_queue_entry *entry)
-{
-}
-
static int nf_br_reroute(struct net *net, struct sk_buff *skb,
const struct nf_queue_entry *entry)
{
@@ -115,7 +110,6 @@ static int nf_br_route(struct net *net, struct dst_entry **dst,
static const struct nf_afinfo nf_br_afinfo = {
.family = AF_BRIDGE,
.route = nf_br_route,
- .saveroute = nf_br_saveroute,
.reroute = nf_br_reroute,
.route_key_size = 0,
};
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 050b614662f8..dc2021aaf885 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -92,8 +92,7 @@ struct ip_rt_info {
u_int32_t mark;
};
-static void nf_ip_saveroute(const struct sk_buff *skb,
- struct nf_queue_entry *entry)
+void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
{
struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -189,7 +188,6 @@ static int nf_ip_route(struct net *net, struct dst_entry **dst,
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
.route = nf_ip_route,
- .saveroute = nf_ip_saveroute,
.reroute = nf_ip_reroute,
.route_key_size = sizeof(struct ip_rt_info),
};
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 6e39b721136e..4894f030511e 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -79,8 +79,7 @@ struct ip6_rt_info {
u_int32_t mark;
};
-static void nf_ip6_saveroute(const struct sk_buff *skb,
- struct nf_queue_entry *entry)
+void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
{
struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -92,6 +91,7 @@ static void nf_ip6_saveroute(const struct sk_buff *skb,
rt_info->mark = skb->mark;
}
}
+EXPORT_SYMBOL_GPL(nf_ip6_saveroute);
static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
const struct nf_queue_entry *entry)
@@ -198,7 +198,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
.route = nf_ip6_route,
- .saveroute = nf_ip6_saveroute,
.reroute = nf_ip6_reroute,
.route_key_size = sizeof(struct ip6_rt_info),
};
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 0c02fdb7efc9..833710ee7654 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -144,7 +144,7 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
nf_queue_entry_get_refs(entry);
skb_dst_force(skb);
- afinfo->saveroute(skb, entry);
+ nf_saveroute(skb, entry);
status = qh->outfn(entry, queuenum);
if (status < 0) {
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
index 3fdad0c7b189..7d8c0fd283ee 100644
--- a/net/netfilter/utils.c
+++ b/net/netfilter/utils.c
@@ -2,6 +2,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
+#include <net/netfilter/nf_queue.h>
__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol,
@@ -42,3 +43,15 @@ __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
return csum;
}
EXPORT_SYMBOL_GPL(nf_checksum_partial);
+
+void nf_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
+{
+ switch (entry->state.pf) {
+ case AF_INET:
+ nf_ip_saveroute(skb, entry);
+ break;
+ case AF_INET6:
+ nf_ip6_saveroute(skb, entry);
+ break;
+ }
+}
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH nf-next,v2 4/7] netfilter: remove route indirection in struct nf_afinfo
2017-12-18 23:46 [PATCH nf-next,v2 1/7] netfilter: remove checksum indirection in struct nf_afinfo Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 2/7] netfilter: remove checksum_partial " Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 3/7] netfilter: remove saveroute " Pablo Neira Ayuso
@ 2017-12-18 23:46 ` Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 5/7] netfilter: remove reroute " Pablo Neira Ayuso
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2017-12-18 23:46 UTC (permalink / raw)
To: netfilter-devel
This is not needed, we call the afinfo->route indirection for cases
where we just checked for family a few lines before. This patch also
adapts existing clients of this to use the direct call invocation.
Update clients of this indirection to use nf_ip_route() and
nf_ip6_route() where needed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: remove .route from nf_tables_bridge. Reported by kbuild robot.
include/linux/netfilter.h | 2 --
include/linux/netfilter_ipv4.h | 2 ++
include/linux/netfilter_ipv6.h | 7 +++++++
net/bridge/netfilter/nf_tables_bridge.c | 7 -------
net/ipv4/netfilter.c | 6 +++---
net/ipv6/netfilter.c | 6 +++---
net/ipv6/netfilter/nft_fib_ipv6.c | 9 ++-------
net/netfilter/nf_conntrack_h323_main.c | 23 +++++++++--------------
net/netfilter/nft_rt.c | 17 +++++++----------
net/netfilter/xt_TCPMSS.c | 6 ++----
net/netfilter/xt_addrtype.c | 22 +++++++---------------
11 files changed, 42 insertions(+), 65 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index b3a46a374a89..e703b26025ec 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -311,8 +311,6 @@ struct nf_queue_entry;
struct nf_afinfo {
unsigned short family;
- int (*route)(struct net *net, struct dst_entry **dst,
- struct flowi *fl, bool strict);
int (*reroute)(struct net *net, struct sk_buff *skb,
const struct nf_queue_entry *entry);
int route_key_size;
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index f47e657f32ef..97e8131f92d6 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -14,5 +14,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
__sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol);
+int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
+ bool strict);
void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index d359ee1f3e37..e681738c8591 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -29,6 +29,8 @@ __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
__sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol);
+int nf_ip6_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
+ bool strict);
void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#else
static inline __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
@@ -44,6 +46,11 @@ static inline__sum16 nf_ip6_checksum_partial(struct sk_buff *skb,
{
return 0;
}
+static inline int nf_ip6_route(struct net *net, struct dst_entry **dst,
+ struct flowi *fl, bool strict)
+{
+ return -EOPNOTSUPP;
+}
static inline void nf_ip6_saveroute(const struct sk_buff *skb,
struct nf_queue_entry *entry) {}
#endif
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index f38350c6bc29..014b6571f2ac 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -101,15 +101,8 @@ static int nf_br_reroute(struct net *net, struct sk_buff *skb,
return 0;
}
-static int nf_br_route(struct net *net, struct dst_entry **dst,
- struct flowi *fl, bool strict __always_unused)
-{
- return 0;
-}
-
static const struct nf_afinfo nf_br_afinfo = {
.family = AF_BRIDGE,
- .route = nf_br_route,
.reroute = nf_br_reroute,
.route_key_size = 0,
};
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index dc2021aaf885..c6ba5770af0a 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -175,8 +175,8 @@ __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
return csum;
}
-static int nf_ip_route(struct net *net, struct dst_entry **dst,
- struct flowi *fl, bool strict __always_unused)
+int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
+ bool strict __always_unused)
{
struct rtable *rt = ip_route_output_key(net, &fl->u.ip4);
if (IS_ERR(rt))
@@ -184,10 +184,10 @@ static int nf_ip_route(struct net *net, struct dst_entry **dst,
*dst = &rt->dst;
return 0;
}
+EXPORT_SYMBOL(nf_ip_route);
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
- .route = nf_ip_route,
.reroute = nf_ip_reroute,
.route_key_size = sizeof(struct ip_rt_info),
};
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 4894f030511e..72364f09253a 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -108,8 +108,8 @@ static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
return 0;
}
-static int nf_ip6_route(struct net *net, struct dst_entry **dst,
- struct flowi *fl, bool strict)
+int nf_ip6_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
+ bool strict)
{
static const struct ipv6_pinfo fake_pinfo;
static const struct inet_sock fake_sk = {
@@ -129,6 +129,7 @@ static int nf_ip6_route(struct net *net, struct dst_entry **dst,
*dst = result;
return err;
}
+EXPORT_SYMBOL_GPL(nf_ip6_route);
__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol)
@@ -197,7 +198,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
- .route = nf_ip6_route,
.reroute = nf_ip6_reroute,
.route_key_size = sizeof(struct ip6_rt_info),
};
diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
index 54b5899543ef..7fb4651957f1 100644
--- a/net/ipv6/netfilter/nft_fib_ipv6.c
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c
@@ -60,7 +60,6 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
{
const struct net_device *dev = NULL;
const struct nf_ipv6_ops *v6ops;
- const struct nf_afinfo *afinfo;
int route_err, addrtype;
struct rt6_info *rt;
struct flowi6 fl6 = {
@@ -69,10 +68,6 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
};
u32 ret = 0;
- afinfo = nf_get_afinfo(NFPROTO_IPV6);
- if (!afinfo)
- return RTN_UNREACHABLE;
-
if (priv->flags & NFTA_FIB_F_IIF)
dev = nft_in(pkt);
else if (priv->flags & NFTA_FIB_F_OIF)
@@ -84,8 +79,8 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
if (dev && v6ops && v6ops->chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
ret = RTN_LOCAL;
- route_err = afinfo->route(nft_net(pkt), (struct dst_entry **)&rt,
- flowi6_to_flowi(&fl6), false);
+ route_err = nf_ip6_route(nft_net(pkt), (struct dst_entry **)&rt,
+ flowi6_to_flowi(&fl6), false);
if (route_err)
goto err;
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 7f0e0f66e488..3009af56e194 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -25,6 +25,7 @@
#include <net/route.h>
#include <net/ip6_route.h>
+#include <linux/netfilter_ipv6.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_tuple.h>
@@ -721,14 +722,8 @@ static int callforward_do_filter(struct net *net,
const union nf_inet_addr *dst,
u_int8_t family)
{
- const struct nf_afinfo *afinfo;
int ret = 0;
- /* rcu_read_lock()ed by nf_hook_thresh */
- afinfo = nf_get_afinfo(family);
- if (!afinfo)
- return 0;
-
switch (family) {
case AF_INET: {
struct flowi4 fl1, fl2;
@@ -739,10 +734,10 @@ static int callforward_do_filter(struct net *net,
memset(&fl2, 0, sizeof(fl2));
fl2.daddr = dst->ip;
- if (!afinfo->route(net, (struct dst_entry **)&rt1,
- flowi4_to_flowi(&fl1), false)) {
- if (!afinfo->route(net, (struct dst_entry **)&rt2,
- flowi4_to_flowi(&fl2), false)) {
+ if (!nf_ip_route(net, (struct dst_entry **)&rt1,
+ flowi4_to_flowi(&fl1), false)) {
+ if (!nf_ip_route(net, (struct dst_entry **)&rt2,
+ flowi4_to_flowi(&fl2), false)) {
if (rt_nexthop(rt1, fl1.daddr) ==
rt_nexthop(rt2, fl2.daddr) &&
rt1->dst.dev == rt2->dst.dev)
@@ -763,10 +758,10 @@ static int callforward_do_filter(struct net *net,
memset(&fl2, 0, sizeof(fl2));
fl2.daddr = dst->in6;
- if (!afinfo->route(net, (struct dst_entry **)&rt1,
- flowi6_to_flowi(&fl1), false)) {
- if (!afinfo->route(net, (struct dst_entry **)&rt2,
- flowi6_to_flowi(&fl2), false)) {
+ if (!nf_ip6_route(net, (struct dst_entry **)&rt1,
+ flowi6_to_flowi(&fl1), false)) {
+ if (!nf_ip6_route(net, (struct dst_entry **)&rt2,
+ flowi6_to_flowi(&fl2), false)) {
if (ipv6_addr_equal(rt6_nexthop(rt1, &fl1.daddr),
rt6_nexthop(rt2, &fl2.daddr)) &&
rt1->dst.dev == rt2->dst.dev)
diff --git a/net/netfilter/nft_rt.c b/net/netfilter/nft_rt.c
index a6b7d05aeacf..87ee16be033b 100644
--- a/net/netfilter/nft_rt.c
+++ b/net/netfilter/nft_rt.c
@@ -12,6 +12,7 @@
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
+#include <linux/netfilter_ipv6.h>
#include <net/dst.h>
#include <net/ip6_route.h>
#include <net/route.h>
@@ -27,7 +28,7 @@ static u16 get_tcpmss(const struct nft_pktinfo *pkt, const struct dst_entry *skb
{
u32 minlen = sizeof(struct ipv6hdr), mtu = dst_mtu(skbdst);
const struct sk_buff *skb = pkt->skb;
- const struct nf_afinfo *ai;
+ struct dst_entry *dst = NULL;
struct flowi fl;
memset(&fl, 0, sizeof(fl));
@@ -36,22 +37,18 @@ static u16 get_tcpmss(const struct nft_pktinfo *pkt, const struct dst_entry *skb
case NFPROTO_IPV4:
fl.u.ip4.daddr = ip_hdr(skb)->saddr;
minlen = sizeof(struct iphdr) + sizeof(struct tcphdr);
+ nf_ip_route(nft_net(pkt), &dst, &fl, false);
break;
case NFPROTO_IPV6:
fl.u.ip6.daddr = ipv6_hdr(skb)->saddr;
minlen = sizeof(struct ipv6hdr) + sizeof(struct tcphdr);
+ nf_ip6_route(nft_net(pkt), &dst, &fl, false);
break;
}
- ai = nf_get_afinfo(nft_pf(pkt));
- if (ai) {
- struct dst_entry *dst = NULL;
-
- ai->route(nft_net(pkt), &dst, &fl, false);
- if (dst) {
- mtu = min(mtu, dst_mtu(dst));
- dst_release(dst);
- }
+ if (dst) {
+ mtu = min(mtu, dst_mtu(dst));
+ dst_release(dst);
}
if (mtu <= minlen || mtu > 0xffff)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 9dae4d665965..f06b9c2697e9 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -48,7 +48,6 @@ static u_int32_t tcpmss_reverse_mtu(struct net *net,
unsigned int family)
{
struct flowi fl;
- const struct nf_afinfo *ai;
struct rtable *rt = NULL;
u_int32_t mtu = ~0U;
@@ -56,15 +55,14 @@ static u_int32_t tcpmss_reverse_mtu(struct net *net,
struct flowi4 *fl4 = &fl.u.ip4;
memset(fl4, 0, sizeof(*fl4));
fl4->daddr = ip_hdr(skb)->saddr;
+ nf_ip_route(net, (struct dst_entry **)&rt, &fl, false);
} else {
struct flowi6 *fl6 = &fl.u.ip6;
memset(fl6, 0, sizeof(*fl6));
fl6->daddr = ipv6_hdr(skb)->saddr;
+ nf_ip6_route(net, (struct dst_entry **)&rt, &fl, false);
}
- ai = nf_get_afinfo(family);
- if (ai != NULL)
- ai->route(net, (struct dst_entry **)&rt, &fl, false);
if (rt != NULL) {
mtu = dst_mtu(&rt->dst);
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
index 3b2be2ae6987..4b8ecd0d9ae8 100644
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -36,7 +36,7 @@ MODULE_ALIAS("ip6t_addrtype");
static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
const struct in6_addr *addr, u16 mask)
{
- const struct nf_afinfo *afinfo;
+ const struct nf_ipv6_ops *v6ops;
struct flowi6 flow;
struct rt6_info *rt;
u32 ret = 0;
@@ -47,21 +47,13 @@ static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
if (dev)
flow.flowi6_oif = dev->ifindex;
- afinfo = nf_get_afinfo(NFPROTO_IPV6);
- if (afinfo != NULL) {
- const struct nf_ipv6_ops *v6ops;
-
- if (dev && (mask & XT_ADDRTYPE_LOCAL)) {
- v6ops = nf_get_ipv6_ops();
- if (v6ops && v6ops->chk_addr(net, addr, dev, true))
- ret = XT_ADDRTYPE_LOCAL;
- }
- route_err = afinfo->route(net, (struct dst_entry **)&rt,
- flowi6_to_flowi(&flow), false);
- } else {
- route_err = 1;
+ if (dev && (mask & XT_ADDRTYPE_LOCAL)) {
+ v6ops = nf_get_ipv6_ops();
+ if (v6ops && v6ops->chk_addr(net, addr, dev, true))
+ ret = XT_ADDRTYPE_LOCAL;
}
-
+ route_err = nf_ip6_route(net, (struct dst_entry **)&rt,
+ flowi6_to_flowi(&flow), false);
if (route_err)
return XT_ADDRTYPE_UNREACHABLE;
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH nf-next,v2 5/7] netfilter: remove reroute indirection in struct nf_afinfo
2017-12-18 23:46 [PATCH nf-next,v2 1/7] netfilter: remove checksum indirection in struct nf_afinfo Pablo Neira Ayuso
` (2 preceding siblings ...)
2017-12-18 23:46 ` [PATCH nf-next,v2 4/7] netfilter: remove route " Pablo Neira Ayuso
@ 2017-12-18 23:46 ` Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 6/7] netfilter: remove route_key_size field " Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 7/7] netfilter: core: remove struct nf_afinfo and its helper functions Pablo Neira Ayuso
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2017-12-18 23:46 UTC (permalink / raw)
To: netfilter-devel
This is only used by nf_queue.c, and there we can replace it by a direct
function call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: Fix 'ret' may be used uninitialized in this function.
remove .reroute from nf_tables_bridge. Reported by kbuild robot.
include/linux/netfilter.h | 3 +--
include/linux/netfilter_ipv4.h | 1 +
include/linux/netfilter_ipv6.h | 6 ++++++
net/bridge/netfilter/nf_tables_bridge.c | 7 -------
net/ipv4/netfilter.c | 7 +++----
net/ipv6/netfilter.c | 6 ++----
net/netfilter/nf_queue.c | 4 +---
net/netfilter/utils.c | 16 ++++++++++++++++
8 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index e703b26025ec..6bdb0e5706a9 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -311,8 +311,6 @@ struct nf_queue_entry;
struct nf_afinfo {
unsigned short family;
- int (*reroute)(struct net *net, struct sk_buff *skb,
- const struct nf_queue_entry *entry);
int route_key_size;
};
@@ -328,6 +326,7 @@ __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
__sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol, unsigned short family);
+int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry);
void nf_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
int nf_register_afinfo(const struct nf_afinfo *afinfo);
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 97e8131f92d6..5f0aa8ca4dc5 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -16,5 +16,6 @@ __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
u_int8_t protocol);
int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
bool strict);
+int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry);
void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index e681738c8591..00b017aa2f2a 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -31,6 +31,7 @@ __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
u_int8_t protocol);
int nf_ip6_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
bool strict);
+int nf_ip6_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry);
void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
#else
static inline __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
@@ -51,6 +52,11 @@ static inline int nf_ip6_route(struct net *net, struct dst_entry **dst,
{
return -EOPNOTSUPP;
}
+static inline int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
+ const struct nf_queue_entry *entry)
+{
+ return -EOPNOTSUPP;
+}
static inline void nf_ip6_saveroute(const struct sk_buff *skb,
struct nf_queue_entry *entry) {}
#endif
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index 014b6571f2ac..e7348b49bc0d 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -95,15 +95,8 @@ static const struct nf_chain_type filter_bridge = {
},
};
-static int nf_br_reroute(struct net *net, struct sk_buff *skb,
- const struct nf_queue_entry *entry)
-{
- return 0;
-}
-
static const struct nf_afinfo nf_br_afinfo = {
.family = AF_BRIDGE,
- .reroute = nf_br_reroute,
.route_key_size = 0,
};
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index c6ba5770af0a..57ed83687d35 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -106,8 +106,7 @@ void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
}
}
-static int nf_ip_reroute(struct net *net, struct sk_buff *skb,
- const struct nf_queue_entry *entry)
+int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry)
{
const struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -118,7 +117,8 @@ static int nf_ip_reroute(struct net *net, struct sk_buff *skb,
skb->mark == rt_info->mark &&
iph->daddr == rt_info->daddr &&
iph->saddr == rt_info->saddr))
- return ip_route_me_harder(net, skb, RTN_UNSPEC);
+ return ip_route_me_harder(entry->state.net, skb,
+ RTN_UNSPEC);
}
return 0;
}
@@ -188,7 +188,6 @@ EXPORT_SYMBOL(nf_ip_route);
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
- .reroute = nf_ip_reroute,
.route_key_size = sizeof(struct ip_rt_info),
};
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 72364f09253a..9a842c5e809f 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -93,8 +93,7 @@ void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
}
EXPORT_SYMBOL_GPL(nf_ip6_saveroute);
-static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
- const struct nf_queue_entry *entry)
+int nf_ip6_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry)
{
struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -103,7 +102,7 @@ static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
!ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
skb->mark != rt_info->mark)
- return ip6_route_me_harder(net, skb);
+ return ip6_route_me_harder(entry->state.net, skb);
}
return 0;
}
@@ -198,7 +197,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
- .reroute = nf_ip6_reroute,
.route_key_size = sizeof(struct ip6_rt_info),
};
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 833710ee7654..db87dfd1318e 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -226,7 +226,6 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
const struct nf_hook_entry *hook_entry;
const struct nf_hook_entries *hooks;
struct sk_buff *skb = entry->skb;
- const struct nf_afinfo *afinfo;
const struct net *net;
unsigned int i;
int err;
@@ -253,8 +252,7 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
verdict = nf_hook_entry_hookfn(hook_entry, skb, &entry->state);
if (verdict == NF_ACCEPT) {
- afinfo = nf_get_afinfo(entry->state.pf);
- if (!afinfo || afinfo->reroute(entry->state.net, skb, entry) < 0)
+ if (nf_reroute(skb, entry) < 0)
verdict = NF_DROP;
}
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
index 7d8c0fd283ee..27200a72e6c3 100644
--- a/net/netfilter/utils.c
+++ b/net/netfilter/utils.c
@@ -44,6 +44,22 @@ __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
}
EXPORT_SYMBOL_GPL(nf_checksum_partial);
+int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry)
+{
+ int ret = 0;
+
+ switch (entry->state.pf) {
+ case AF_INET:
+ ret = nf_ip_reroute(skb, entry);
+ break;
+ case AF_INET6:
+ ret = nf_ip6_reroute(skb, entry);
+ break;
+ }
+
+ return ret;
+}
+
void nf_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
{
switch (entry->state.pf) {
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH nf-next,v2 6/7] netfilter: remove route_key_size field in struct nf_afinfo
2017-12-18 23:46 [PATCH nf-next,v2 1/7] netfilter: remove checksum indirection in struct nf_afinfo Pablo Neira Ayuso
` (3 preceding siblings ...)
2017-12-18 23:46 ` [PATCH nf-next,v2 5/7] netfilter: remove reroute " Pablo Neira Ayuso
@ 2017-12-18 23:46 ` Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 7/7] netfilter: core: remove struct nf_afinfo and its helper functions Pablo Neira Ayuso
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2017-12-18 23:46 UTC (permalink / raw)
To: netfilter-devel
This is only needed by nf_queue, place this code where it belongs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: remove .route_key_size from nf_tables_bridge. Reported by kbuild robot.
include/linux/netfilter.h | 1 -
include/linux/netfilter_ipv4.h | 11 +++++++++++
include/linux/netfilter_ipv6.h | 9 +++++++++
net/bridge/netfilter/nf_tables_bridge.c | 1 -
net/ipv4/netfilter.c | 13 -------------
net/ipv6/netfilter.c | 12 ------------
net/netfilter/nf_queue.c | 22 ++++++++++++++++------
7 files changed, 36 insertions(+), 33 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 6bdb0e5706a9..be52fa8a96e1 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -311,7 +311,6 @@ struct nf_queue_entry;
struct nf_afinfo {
unsigned short family;
- int route_key_size;
};
extern const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO];
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 5f0aa8ca4dc5..806809e018df 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -18,4 +18,15 @@ int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
bool strict);
int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry);
void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
+
+/* Extra routing may needed on local out, as the QUEUE target never
+ * returns control to the table.
+ */
+struct ip_rt_info {
+ __be32 daddr;
+ __be32 saddr;
+ u_int8_t tos;
+ u_int32_t mark;
+};
+
#endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 00b017aa2f2a..614725f46313 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -79,4 +79,13 @@ static inline void ipv6_netfilter_fini(void) { return; }
static inline const struct nf_ipv6_ops *nf_get_ipv6_ops(void) { return NULL; }
#endif /* CONFIG_NETFILTER */
+/* Extra routing may needed on local out, as the QUEUE target never
+ * returns control to the table.
+ */
+struct ip6_rt_info {
+ struct in6_addr daddr;
+ struct in6_addr saddr;
+ u_int32_t mark;
+};
+
#endif /*__LINUX_IP6_NETFILTER_H*/
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index e7348b49bc0d..874b7e034f82 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -97,7 +97,6 @@ static const struct nf_chain_type filter_bridge = {
static const struct nf_afinfo nf_br_afinfo = {
.family = AF_BRIDGE,
- .route_key_size = 0,
};
static int __init nf_tables_bridge_init(void)
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 57ed83687d35..9a27029038b5 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -80,18 +80,6 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t
}
EXPORT_SYMBOL(ip_route_me_harder);
-/*
- * Extra routing may needed on local out, as the QUEUE target never
- * returns control to the table.
- */
-
-struct ip_rt_info {
- __be32 daddr;
- __be32 saddr;
- u_int8_t tos;
- u_int32_t mark;
-};
-
void nf_ip_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
{
struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -188,7 +176,6 @@ EXPORT_SYMBOL(nf_ip_route);
static const struct nf_afinfo nf_ip_afinfo = {
.family = AF_INET,
- .route_key_size = sizeof(struct ip_rt_info),
};
static int __init ipv4_netfilter_init(void)
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 9a842c5e809f..319ff0655060 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -68,17 +68,6 @@ int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
}
EXPORT_SYMBOL(ip6_route_me_harder);
-/*
- * Extra routing may needed on local out, as the QUEUE target never
- * returns control to the table.
- */
-
-struct ip6_rt_info {
- struct in6_addr daddr;
- struct in6_addr saddr;
- u_int32_t mark;
-};
-
void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry)
{
struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
@@ -197,7 +186,6 @@ static const struct nf_ipv6_ops ipv6ops = {
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
- .route_key_size = sizeof(struct ip6_rt_info),
};
int __init ipv6_netfilter_init(void)
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index db87dfd1318e..325e2cafc832 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -13,6 +13,8 @@
#include <linux/netfilter_bridge.h>
#include <linux/seq_file.h>
#include <linux/rcupdate.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
#include <net/protocol.h>
#include <net/netfilter/nf_queue.h>
#include <net/dst.h>
@@ -114,9 +116,9 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
{
int status = -ENOENT;
struct nf_queue_entry *entry = NULL;
- const struct nf_afinfo *afinfo;
const struct nf_queue_handler *qh;
struct net *net = state->net;
+ unsigned int route_key_size;
/* QUEUE == DROP if no one is waiting, to be safe. */
qh = rcu_dereference(net->nf.queue_handler);
@@ -125,11 +127,19 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
goto err;
}
- afinfo = nf_get_afinfo(state->pf);
- if (!afinfo)
- goto err;
+ switch (state->pf) {
+ case AF_INET:
+ route_key_size = sizeof(struct ip_rt_info);
+ break;
+ case AF_INET6:
+ route_key_size = sizeof(struct ip6_rt_info);
+ break;
+ default:
+ route_key_size = 0;
+ break;
+ }
- entry = kmalloc(sizeof(*entry) + afinfo->route_key_size, GFP_ATOMIC);
+ entry = kmalloc(sizeof(*entry) + route_key_size, GFP_ATOMIC);
if (!entry) {
status = -ENOMEM;
goto err;
@@ -139,7 +149,7 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
.skb = skb,
.state = *state,
.hook_index = index,
- .size = sizeof(*entry) + afinfo->route_key_size,
+ .size = sizeof(*entry) + route_key_size,
};
nf_queue_entry_get_refs(entry);
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH nf-next,v2 7/7] netfilter: core: remove struct nf_afinfo and its helper functions
2017-12-18 23:46 [PATCH nf-next,v2 1/7] netfilter: remove checksum indirection in struct nf_afinfo Pablo Neira Ayuso
` (4 preceding siblings ...)
2017-12-18 23:46 ` [PATCH nf-next,v2 6/7] netfilter: remove route_key_size field " Pablo Neira Ayuso
@ 2017-12-18 23:46 ` Pablo Neira Ayuso
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2017-12-18 23:46 UTC (permalink / raw)
To: netfilter-devel
This abstraction has no clients anymore after converting many of them to
direct function call, now that is useless this patch removes it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: rebase patch on top of previous 6 patches.
include/linux/netfilter.h | 13 -------------
net/bridge/netfilter/nf_tables_bridge.c | 15 ++++-----------
net/ipv4/netfilter.c | 10 ----------
net/ipv6/netfilter.c | 7 +------
net/netfilter/core.c | 22 ----------------------
5 files changed, 5 insertions(+), 62 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index be52fa8a96e1..ba1d2c5a37ae 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -309,16 +309,6 @@ int skb_make_writable(struct sk_buff *skb, unsigned int writable_len);
struct flowi;
struct nf_queue_entry;
-struct nf_afinfo {
- unsigned short family;
-};
-
-extern const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO];
-static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family)
-{
- return rcu_dereference(nf_afinfo[family]);
-}
-
__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol,
unsigned short family);
@@ -328,9 +318,6 @@ __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry);
void nf_saveroute(const struct sk_buff *skb, struct nf_queue_entry *entry);
-int nf_register_afinfo(const struct nf_afinfo *afinfo);
-void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
-
#include <net/flow.h>
extern void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index 874b7e034f82..86774b5c3b73 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -95,29 +95,23 @@ static const struct nf_chain_type filter_bridge = {
},
};
-static const struct nf_afinfo nf_br_afinfo = {
- .family = AF_BRIDGE,
-};
-
static int __init nf_tables_bridge_init(void)
{
int ret;
- nf_register_afinfo(&nf_br_afinfo);
ret = nft_register_chain_type(&filter_bridge);
if (ret < 0)
- goto err1;
+ return ret;
ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
if (ret < 0)
- goto err2;
+ goto err_register_subsys;
return ret;
-err2:
+err_register_subsys:
nft_unregister_chain_type(&filter_bridge);
-err1:
- nf_unregister_afinfo(&nf_br_afinfo);
+
return ret;
}
@@ -125,7 +119,6 @@ static void __exit nf_tables_bridge_exit(void)
{
unregister_pernet_subsys(&nf_tables_bridge_net_ops);
nft_unregister_chain_type(&filter_bridge);
- nf_unregister_afinfo(&nf_br_afinfo);
}
module_init(nf_tables_bridge_init);
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 9a27029038b5..e42314b30809 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -173,13 +173,3 @@ int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
return 0;
}
EXPORT_SYMBOL(nf_ip_route);
-
-static const struct nf_afinfo nf_ip_afinfo = {
- .family = AF_INET,
-};
-
-static int __init ipv4_netfilter_init(void)
-{
- return nf_register_afinfo(&nf_ip_afinfo);
-}
-subsys_initcall(ipv4_netfilter_init);
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 319ff0655060..f32bf3aea423 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -184,14 +184,10 @@ static const struct nf_ipv6_ops ipv6ops = {
.fragment = ip6_fragment
};
-static const struct nf_afinfo nf_ip6_afinfo = {
- .family = AF_INET6,
-};
-
int __init ipv6_netfilter_init(void)
{
RCU_INIT_POINTER(nf_ipv6_ops, &ipv6ops);
- return nf_register_afinfo(&nf_ip6_afinfo);
+ return 0;
}
/* This can be called from inet6_init() on errors, so it cannot
@@ -200,5 +196,4 @@ int __init ipv6_netfilter_init(void)
void ipv6_netfilter_fini(void)
{
RCU_INIT_POINTER(nf_ipv6_ops, NULL);
- nf_unregister_afinfo(&nf_ip6_afinfo);
}
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 606efc9b14e1..3e25e7628fa2 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -28,34 +28,12 @@
#include "nf_internals.h"
-static DEFINE_MUTEX(afinfo_mutex);
-
-const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
-EXPORT_SYMBOL(nf_afinfo);
const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
EXPORT_SYMBOL_GPL(nf_ipv6_ops);
DEFINE_PER_CPU(bool, nf_skb_duplicated);
EXPORT_SYMBOL_GPL(nf_skb_duplicated);
-int nf_register_afinfo(const struct nf_afinfo *afinfo)
-{
- mutex_lock(&afinfo_mutex);
- RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
- mutex_unlock(&afinfo_mutex);
- return 0;
-}
-EXPORT_SYMBOL_GPL(nf_register_afinfo);
-
-void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
-{
- mutex_lock(&afinfo_mutex);
- RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
- mutex_unlock(&afinfo_mutex);
- synchronize_rcu();
-}
-EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
-
#ifdef HAVE_JUMP_LABEL
struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
EXPORT_SYMBOL(nf_hooks_needed);
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-12-18 23:47 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-12-18 23:46 [PATCH nf-next,v2 1/7] netfilter: remove checksum indirection in struct nf_afinfo Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 2/7] netfilter: remove checksum_partial " Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 3/7] netfilter: remove saveroute " Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 4/7] netfilter: remove route " Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 5/7] netfilter: remove reroute " Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 6/7] netfilter: remove route_key_size field " Pablo Neira Ayuso
2017-12-18 23:46 ` [PATCH nf-next,v2 7/7] netfilter: core: remove struct nf_afinfo and its helper functions Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.