[PATCH 33/56] netfilter: xtables2: switch ip6's tables to the xt2 table format

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx>
---
 include/net/netns/x_tables.h           |    3 +-
 net/ipv6/netfilter/Makefile            |    2 +-
 net/ipv6/netfilter/ip6table_filter.c   |   24 +++++--
 net/ipv6/netfilter/ip6table_filter2.c  |  122 --------------------------------
 net/ipv6/netfilter/ip6table_mangle.c   |   37 ++++++----
 net/ipv6/netfilter/ip6table_raw.c      |   23 ++++--
 net/ipv6/netfilter/ip6table_security.c |   24 ++++--
 7 files changed, 76 insertions(+), 159 deletions(-)
 delete mode 100644 net/ipv6/netfilter/ip6table_filter2.c

diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index 9365569..580f27b 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -19,7 +19,8 @@ struct netns_xt {
 struct netns_xt2 {
 	struct mutex table_lock;
 	struct list_head table_list[NFPROTO_NUMPROTO];
-	struct xt2_table_link *ipv6_filter;
+	struct xt2_table_link
+		*ipv6_filter, *ipv6_mangle, *ipv6_raw, *ipv6_security;
 };
 
 #endif
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index 35fa80f..aafbba3 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -4,7 +4,7 @@
 
 # Link order matters here.
 obj-$(CONFIG_IP6_NF_IPTABLES) += ip6_tables.o
-obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o ip6table_filter2.o
+obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
 obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
 obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
 obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index c9e37c8..99d0340 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -11,6 +11,7 @@
 
 #include <linux/module.h>
 #include <linux/moduleparam.h>
+#include <linux/rcupdate.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/slab.h>
 
@@ -37,8 +38,14 @@ ip6table_filter_hook(unsigned int hook, struct sk_buff *skb,
 		     int (*okfn)(struct sk_buff *))
 {
 	const struct net *net = dev_net((in != NULL) ? in : out);
-
-	return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter);
+	const struct xt2_table_link *link;
+	unsigned int verdict;
+
+	rcu_read_lock();
+	link    = rcu_dereference(net->xt2.ipv6_filter);
+	verdict = xt2_do_table(skb, hook, in, out, link->table);
+	rcu_read_unlock();
+	return verdict;
 }
 
 static struct nf_hook_ops *filter_ops __read_mostly;
@@ -50,6 +57,7 @@ module_param(forward, bool, 0000);
 static int __net_init ip6table_filter_net_init(struct net *net)
 {
 	struct ip6t_replace *repl;
+	struct xt2_table *table;
 
 	repl = ip6t_alloc_initial_table(&packet_filter);
 	if (repl == NULL)
@@ -58,17 +66,19 @@ static int __net_init ip6table_filter_net_init(struct net *net)
 	((struct ip6t_standard *)repl->entries)[1].target.verdict =
 		-forward - 1;
 
-	net->ipv6.ip6table_filter =
-		ip6t_register_table(net, &packet_filter, repl);
+	table = ip6t2_register_table(net, &packet_filter, repl);
 	kfree(repl);
-	if (IS_ERR(net->ipv6.ip6table_filter))
-		return PTR_ERR(net->ipv6.ip6table_filter);
+	if (IS_ERR(table))
+		return PTR_ERR(table);
+	net->xt2.ipv6_filter = xt2_tlink_lookup(net, table->name,
+						table->nfproto,
+						XT2_STD_RCULOCK);
 	return 0;
 }
 
 static void __net_exit ip6table_filter_net_exit(struct net *net)
 {
-	ip6t_unregister_table(net, net->ipv6.ip6table_filter);
+	xt2_table_destroy(net, net->xt2.ipv6_filter->table);
 }
 
 static struct pernet_operations ip6table_filter_net_ops = {
diff --git a/net/ipv6/netfilter/ip6table_filter2.c b/net/ipv6/netfilter/ip6table_filter2.c
deleted file mode 100644
index f81f98b..0000000
--- a/net/ipv6/netfilter/ip6table_filter2.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * This is the 1999 rewrite of IP Firewalling, aiming for kernel 2.3.x.
- *
- * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
- * Copyright (C) 2000-2004 Netfilter Core Team <coreteam@xxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/moduleparam.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/slab.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Netfilter Core Team <coreteam@xxxxxxxxxxxxx>");
-MODULE_DESCRIPTION("ip6tables filter table");
-
-#define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | \
-			    (1 << NF_INET_FORWARD) | \
-			    (1 << NF_INET_LOCAL_OUT))
-
-static const struct xt_table packet_filter = {
-	.name		= "filter2",
-	.valid_hooks	= FILTER_VALID_HOOKS,
-	.me		= THIS_MODULE,
-	.af		= NFPROTO_IPV6,
-	.priority	= NF_IP6_PRI_FILTER,
-};
-
-/* The work comes in here from netfilter.c. */
-static unsigned int
-ip6table_filter_hook(unsigned int hook, struct sk_buff *skb,
-		     const struct net_device *in, const struct net_device *out,
-		     int (*okfn)(struct sk_buff *))
-{
-	const struct net *net = dev_net((in != NULL) ? in : out);
-	const struct xt2_table_link *link;
-	unsigned int verdict;
-
-	rcu_read_lock();
-	link = rcu_dereference(net->xt2.ipv6_filter);
-	verdict = xt2_do_table(skb, hook, in, out, link->table);
-	rcu_read_unlock();
-	return verdict;
-}
-
-static struct nf_hook_ops *filter_ops __read_mostly;
-
-/* Default to forward because I got too much mail already. */
-static int forward = NF_ACCEPT;
-module_param(forward, bool, 0000);
-
-static int __net_init ip6table_filter_net_init(struct net *net)
-{
-	struct ip6t_replace *repl;
-	struct xt2_table *table;
-
-	repl = ip6t_alloc_initial_table(&packet_filter);
-	if (repl == NULL)
-		return -ENOMEM;
-	/* Entry 1 is the FORWARD hook */
-	((struct ip6t_standard *)repl->entries)[1].target.verdict =
-		-forward - 1;
-
-	table = ip6t2_register_table(net, &packet_filter, repl);
-	kfree(repl);
-	if (IS_ERR(table))
-		return PTR_ERR(table);
-	net->xt2.ipv6_filter = xt2_tlink_lookup(net, table->name,
-						table->nfproto,
-						XT2_STD_RCULOCK);
-	return 0;
-}
-
-static void __net_exit ip6table_filter_net_exit(struct net *net)
-{
-	xt2_table_destroy(net, net->xt2.ipv6_filter->table);
-}
-
-static struct pernet_operations ip6table_filter_net_ops = {
-	.init = ip6table_filter_net_init,
-	.exit = ip6table_filter_net_exit,
-};
-
-static int __init ip6table_filter_init(void)
-{
-	int ret;
-
-	if (forward < 0 || forward > NF_MAX_VERDICT) {
-		pr_err("iptables forward must be 0 or 1\n");
-		return -EINVAL;
-	}
-
-	ret = register_pernet_subsys(&ip6table_filter_net_ops);
-	if (ret < 0)
-		return ret;
-
-	/* Register hooks */
-	filter_ops = xt_hook_link(&packet_filter, ip6table_filter_hook);
-	if (IS_ERR(filter_ops)) {
-		ret = PTR_ERR(filter_ops);
-		goto cleanup_table;
-	}
-
-	return ret;
-
- cleanup_table:
-	unregister_pernet_subsys(&ip6table_filter_net_ops);
-	return ret;
-}
-
-static void __exit ip6table_filter_fini(void)
-{
-	xt_hook_unlink(&packet_filter, filter_ops);
-	unregister_pernet_subsys(&ip6table_filter_net_ops);
-}
-
-module_init(ip6table_filter_init);
-module_exit(ip6table_filter_fini);
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 679a0a3..f348782 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -9,6 +9,7 @@
  * published by the Free Software Foundation.
  */
 #include <linux/module.h>
+#include <linux/rcupdate.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/slab.h>
 
@@ -33,6 +34,7 @@ static const struct xt_table packet_mangler = {
 static unsigned int
 ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
 {
+	const struct xt2_table_link *link;
 	unsigned int ret;
 	struct in6_addr saddr, daddr;
 	u_int8_t hop_limit;
@@ -57,8 +59,10 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
 	/* flowlabel and prio (includes version, which shouldn't change either */
 	flowlabel = *((u_int32_t *)ipv6_hdr(skb));
 
-	ret = ip6t_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
-			    dev_net(out)->ipv6.ip6table_mangle);
+	rcu_read_lock();
+	link = rcu_dereference(dev_net(out)->xt2.ipv6_mangle);
+	ret  = xt2_do_table(skb, NF_INET_LOCAL_OUT, NULL, out, link->table);
+	rcu_read_unlock();
 
 	if (ret != NF_DROP && ret != NF_STOLEN &&
 	    (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
@@ -76,35 +80,42 @@ ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb,
 		     const struct net_device *in, const struct net_device *out,
 		     int (*okfn)(struct sk_buff *))
 {
+	const struct net *net = dev_net((in != NULL) ? in : out);
+	const struct xt2_table_link *link;
+	unsigned int verdict;
+
 	if (hook == NF_INET_LOCAL_OUT)
 		return ip6t_mangle_out(skb, out);
-	if (hook == NF_INET_POST_ROUTING)
-		return ip6t_do_table(skb, hook, in, out,
-				     dev_net(out)->ipv6.ip6table_mangle);
-	/* INPUT/FORWARD */
-	return ip6t_do_table(skb, hook, in, out,
-			     dev_net(in)->ipv6.ip6table_mangle);
+
+	rcu_read_lock();
+	link    = rcu_dereference(net->xt2.ipv6_mangle);
+	verdict = xt2_do_table(skb, hook, in, out, link->table);
+	rcu_read_unlock();
+	return verdict;
 }
 
 static struct nf_hook_ops *mangle_ops __read_mostly;
 static int __net_init ip6table_mangle_net_init(struct net *net)
 {
 	struct ip6t_replace *repl;
+	struct xt2_table *table;
 
 	repl = ip6t_alloc_initial_table(&packet_mangler);
 	if (repl == NULL)
 		return -ENOMEM;
-	net->ipv6.ip6table_mangle =
-		ip6t_register_table(net, &packet_mangler, repl);
+	table = ip6t2_register_table(net, &packet_mangler, repl);
 	kfree(repl);
-	if (IS_ERR(net->ipv6.ip6table_mangle))
-		return PTR_ERR(net->ipv6.ip6table_mangle);
+	if (IS_ERR(table))
+		return PTR_ERR(table);
+	net->xt2.ipv6_mangle = xt2_tlink_lookup(net, table->name,
+						table->nfproto,
+						XT2_STD_RCULOCK);
 	return 0;
 }
 
 static void __net_exit ip6table_mangle_net_exit(struct net *net)
 {
-	ip6t_unregister_table(net, net->ipv6.ip6table_mangle);
+	xt2_table_destroy(net, net->xt2.ipv6_mangle->table);
 }
 
 static struct pernet_operations ip6table_mangle_net_ops = {
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 5b9926a..a1f1741 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -4,6 +4,7 @@
  * Copyright (C) 2003 Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
  */
 #include <linux/module.h>
+#include <linux/rcupdate.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/slab.h>
 
@@ -24,8 +25,14 @@ ip6table_raw_hook(unsigned int hook, struct sk_buff *skb,
 		  int (*okfn)(struct sk_buff *))
 {
 	const struct net *net = dev_net((in != NULL) ? in : out);
-
-	return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_raw);
+	const struct xt2_table_link *link;
+	unsigned int verdict;
+
+	rcu_read_lock();
+	link    = rcu_dereference(net->xt2.ipv6_raw);
+	verdict = xt2_do_table(skb, hook, in, out, link->table);
+	rcu_read_unlock();
+	return verdict;
 }
 
 static struct nf_hook_ops *rawtable_ops __read_mostly;
@@ -33,21 +40,23 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
 static int __net_init ip6table_raw_net_init(struct net *net)
 {
 	struct ip6t_replace *repl;
+	struct xt2_table *table;
 
 	repl = ip6t_alloc_initial_table(&packet_raw);
 	if (repl == NULL)
 		return -ENOMEM;
-	net->ipv6.ip6table_raw =
-		ip6t_register_table(net, &packet_raw, repl);
+	table = ip6t2_register_table(net, &packet_raw, repl);
 	kfree(repl);
-	if (IS_ERR(net->ipv6.ip6table_raw))
-		return PTR_ERR(net->ipv6.ip6table_raw);
+	if (IS_ERR(table))
+		return PTR_ERR(table);
+	net->xt2.ipv6_raw = xt2_tlink_lookup(net, table->name,
+					     table->nfproto, XT2_STD_RCULOCK);
 	return 0;
 }
 
 static void __net_exit ip6table_raw_net_exit(struct net *net)
 {
-	ip6t_unregister_table(net, net->ipv6.ip6table_raw);
+	xt2_table_destroy(net, net->xt2.ipv6_raw->table);
 }
 
 static struct pernet_operations ip6table_raw_net_ops = {
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 91aa2b4..8746620 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -42,8 +42,14 @@ ip6table_security_hook(unsigned int hook, struct sk_buff *skb,
 		       int (*okfn)(struct sk_buff *))
 {
 	const struct net *net = dev_net((in != NULL) ? in : out);
-
-	return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_security);
+	const struct xt2_table_link *link;
+	unsigned int verdict;
+
+	rcu_read_lock();
+	link    = rcu_dereference(net->xt2.ipv6_security);
+	verdict = xt2_do_table(skb, hook, in, out, link->table);
+	rcu_read_unlock();
+	return verdict;
 }
 
 static struct nf_hook_ops *sectbl_ops __read_mostly;
@@ -51,22 +57,24 @@ static struct nf_hook_ops *sectbl_ops __read_mostly;
 static int __net_init ip6table_security_net_init(struct net *net)
 {
 	struct ip6t_replace *repl;
+	struct xt2_table *table;
 
 	repl = ip6t_alloc_initial_table(&security_table);
 	if (repl == NULL)
 		return -ENOMEM;
-	net->ipv6.ip6table_security =
-		ip6t_register_table(net, &security_table, repl);
+	table = ip6t2_register_table(net, &security_table, repl);
 	kfree(repl);
-	if (IS_ERR(net->ipv6.ip6table_security))
-		return PTR_ERR(net->ipv6.ip6table_security);
-
+	if (IS_ERR(table))
+		return PTR_ERR(table);
+	net->xt2.ipv6_security = xt2_tlink_lookup(net, table->name,
+						  table->nfproto,
+						  XT2_STD_RCULOCK);
 	return 0;
 }
 
 static void __net_exit ip6table_security_net_exit(struct net *net)
 {
-	ip6t_unregister_table(net, net->ipv6.ip6table_security);
+	xt2_table_destroy(net, net->xt2.ipv6_security->table);
 }
 
 static struct pernet_operations ip6table_security_net_ops = {
-- 
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux