[PATCH next 0/15] netfilter: Stop guessing net (take 2)

This is the next installment of my work to pass struct net through the
output path so the code does not need to guess how to figure out which
network namespace it is in, and ultimately routes can have output
devices in another network namespace.

This round the changes focus on using nf_hook_state->net in the
netfilter functions, and not passing nf_hook_ops to the functions on the
netfilter chains.

Given the way per network namespace operations are implemented, callers
cannot rely on addresses or games with container_of.  None of the
netfilter hooks do, but we should remove the temptation.  Plus, removing
the extra parameter and the extra jump to get at values should reduce
the number of cache line misses.

As a practical matter, this is the bulk of the work that other pieces of
code in the netfilter stack will depend on.

Since the last round I have fixed my test config to build act_connmark
and added the patch that modifies act_connmark to track which network
namespace it was in.

The changes are also available against net-next at:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/net-next.git master

My entire pending set of changes for those who want to look ahead is at:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/net-next.git for-testing

Eric

Eric W. Biederman (15):
      ebtables: Simplify the arguments to ebt_do_table
      inet netfilter: Remove hook from ip6t_do_table, arp_do_table, ipt_do_table
      inet netfilter: Prefer state->hook to ops->hooknum
      nftables: kill nft_pktinfo.ops
      x_tables: Pass struct net in xt_action_param
      x_tables: Use par->net instead of computing from the passed net devices
      nftables: Pass struct net in nft_pktinfo
      nftables: Use pkt->net instead of computing net from the passed net_devices
      net: Pass net to nf_dup_ipv4 and nf_dup_ipv6
      act_connmark: Remember the struct net instead of guessing it.
      nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple
      ipvs: Read hooknum from state rather than ops->hooknum
      netfilter: Pass priv instead of nf_hook_ops to netfilter hooks
      netfilter: Pass net into nf_xfrm_me_harder
      netfilter: Use nf_ct_net instead of dev_net(out) in nf_nat_masquerade_ipv6

 include/linux/netfilter.h                      |  2 +-
 include/linux/netfilter/x_tables.h             |  3 +-
 include/linux/netfilter_arp/arp_tables.h       |  1 -
 include/linux/netfilter_bridge/ebtables.h      |  6 ++--
 include/linux/netfilter_ipv4/ip_tables.h       |  1 -
 include/linux/netfilter_ipv6/ip6_tables.h      |  1 -
 include/net/netfilter/br_netfilter.h           |  2 +-
 include/net/netfilter/ipv4/nf_dup_ipv4.h       |  2 +-
 include/net/netfilter/ipv6/nf_dup_ipv6.h       |  2 +-
 include/net/netfilter/nf_conntrack.h           |  3 +-
 include/net/netfilter/nf_conntrack_core.h      |  1 +
 include/net/netfilter/nf_conntrack_l4proto.h   |  2 +-
 include/net/netfilter/nf_nat_core.h            |  2 +-
 include/net/netfilter/nf_nat_l3proto.h         | 32 ++++++++++----------
 include/net/netfilter/nf_tables.h              | 14 ++++-----
 include/net/netfilter/nf_tables_ipv4.h         |  3 +-
 include/net/netfilter/nf_tables_ipv6.h         |  3 +-
 include/net/tc_act/tc_connmark.h               |  1 +
 net/bridge/br_netfilter_hooks.c                | 14 ++++-----
 net/bridge/br_netfilter_ipv6.c                 |  2 +-
 net/bridge/netfilter/ebt_log.c                 |  2 +-
 net/bridge/netfilter/ebt_nflog.c               |  2 +-
 net/bridge/netfilter/ebtable_broute.c          |  8 +++--
 net/bridge/netfilter/ebtable_filter.c          | 10 +++---
 net/bridge/netfilter/ebtable_nat.c             | 10 +++---
 net/bridge/netfilter/ebtables.c                | 14 +++++----
 net/bridge/netfilter/nf_tables_bridge.c        | 20 ++++++------
 net/bridge/netfilter/nft_reject_bridge.c       | 19 ++++++------
 net/decnet/netfilter/dn_rtmsg.c                |  2 +-
 net/ipv4/netfilter/arp_tables.c                |  3 +-
 net/ipv4/netfilter/arptable_filter.c           |  5 ++-
 net/ipv4/netfilter/ip_tables.c                 |  3 +-
 net/ipv4/netfilter/ipt_CLUSTERIP.c             |  2 +-
 net/ipv4/netfilter/ipt_SYNPROXY.c              |  4 +--
 net/ipv4/netfilter/ipt_rpfilter.c              |  5 ++-
 net/ipv4/netfilter/iptable_filter.c            |  7 ++---
 net/ipv4/netfilter/iptable_mangle.c            | 14 ++++-----
 net/ipv4/netfilter/iptable_nat.c               | 21 ++++++-------
 net/ipv4/netfilter/iptable_raw.c               |  7 ++---
 net/ipv4/netfilter/iptable_security.c          |  7 ++---
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 12 ++++----
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |  4 +--
 net/ipv4/netfilter/nf_defrag_ipv4.c            |  4 +--
 net/ipv4/netfilter/nf_dup_ipv4.c               | 23 +++-----------
 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c       | 42 +++++++++++++-------------
 net/ipv4/netfilter/nf_tables_arp.c             |  6 ++--
 net/ipv4/netfilter/nf_tables_ipv4.c            | 10 +++---
 net/ipv4/netfilter/nft_chain_nat_ipv4.c        | 22 +++++++-------
 net/ipv4/netfilter/nft_chain_route_ipv4.c      |  6 ++--
 net/ipv4/netfilter/nft_dup_ipv4.c              |  2 +-
 net/ipv4/netfilter/nft_masq_ipv4.c             |  2 +-
 net/ipv4/netfilter/nft_redir_ipv4.c            |  2 +-
 net/ipv4/netfilter/nft_reject_ipv4.c           |  5 ++-
 net/ipv6/netfilter/ip6_tables.c                |  3 +-
 net/ipv6/netfilter/ip6t_REJECT.c               |  2 +-
 net/ipv6/netfilter/ip6t_SYNPROXY.c             |  4 +--
 net/ipv6/netfilter/ip6t_rpfilter.c             |  6 ++--
 net/ipv6/netfilter/ip6table_filter.c           |  5 ++-
 net/ipv6/netfilter/ip6table_mangle.c           | 14 ++++-----
 net/ipv6/netfilter/ip6table_nat.c              | 21 ++++++-------
 net/ipv6/netfilter/ip6table_raw.c              |  5 ++-
 net/ipv6/netfilter/ip6table_security.c         |  5 ++-
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 12 ++++----
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |  3 +-
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c      |  6 ++--
 net/ipv6/netfilter/nf_dup_ipv6.c               | 23 +++-----------
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c       | 42 +++++++++++++-------------
 net/ipv6/netfilter/nf_nat_masquerade_ipv6.c    |  2 +-
 net/ipv6/netfilter/nf_tables_ipv6.c            | 10 +++---
 net/ipv6/netfilter/nft_chain_nat_ipv6.c        | 22 +++++++-------
 net/ipv6/netfilter/nft_chain_route_ipv6.c      |  6 ++--
 net/ipv6/netfilter/nft_dup_ipv6.c              |  2 +-
 net/ipv6/netfilter/nft_redir_ipv6.c            |  3 +-
 net/ipv6/netfilter/nft_reject_ipv6.c           |  7 ++---
 net/netfilter/core.c                           |  2 +-
 net/netfilter/ipset/ip_set_core.c              |  9 ++----
 net/netfilter/ipvs/ip_vs_core.c                | 40 ++++++++++++------------
 net/netfilter/nf_conntrack_core.c              | 10 +++---
 net/netfilter/nf_conntrack_proto_dccp.c        |  2 +-
 net/netfilter/nf_conntrack_proto_generic.c     |  2 +-
 net/netfilter/nf_conntrack_proto_gre.c         |  3 +-
 net/netfilter/nf_conntrack_proto_sctp.c        |  2 +-
 net/netfilter/nf_conntrack_proto_tcp.c         |  2 +-
 net/netfilter/nf_conntrack_proto_udp.c         |  1 +
 net/netfilter/nf_conntrack_proto_udplite.c     |  1 +
 net/netfilter/nf_nat_core.c                    |  4 +--
 net/netfilter/nf_tables_core.c                 | 10 +++---
 net/netfilter/nf_tables_netdev.c               | 20 ++++++------
 net/netfilter/nft_log.c                        |  3 +-
 net/netfilter/nft_meta.c                       |  4 +--
 net/netfilter/nft_queue.c                      |  2 +-
 net/netfilter/nft_reject_inet.c                | 19 ++++++------
 net/netfilter/xt_LOG.c                         |  2 +-
 net/netfilter/xt_NFLOG.c                       |  2 +-
 net/netfilter/xt_TCPMSS.c                      |  2 +-
 net/netfilter/xt_TEE.c                         |  4 +--
 net/netfilter/xt_TPROXY.c                      | 24 +++++++--------
 net/netfilter/xt_addrtype.c                    |  4 +--
 net/netfilter/xt_connlimit.c                   |  4 +--
 net/netfilter/xt_osf.c                         |  2 +-
 net/netfilter/xt_recent.c                      |  2 +-
 net/netfilter/xt_socket.c                      | 14 +++++----
 net/openvswitch/conntrack.c                    |  2 +-
 net/sched/act_connmark.c                       |  5 +--
 net/sched/act_ipt.c                            |  1 +
 net/sched/em_ipset.c                           |  1 +
 security/selinux/hooks.c                       | 10 +++---
 security/smack/smack_netfilter.c               |  4 +--
 108 files changed, 389 insertions(+), 435 deletions(-)
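To make the namespace-guessing problem described in the cover letter concrete, here is an added C example that is not code from the series or from the kernel. It uses constructed stand-ins for struct net, net_device and nf_hook_state, and the device, namespace and function names (guess_net, hook_net, example_hook, the cross-namespace scenario) are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed stand-ins for the kernel types; only the fields used here. */
struct net { int id; };
struct net_device { const char *name; struct net *nd_net; };
struct sk_buff { int len; };
struct nf_hook_state {
	unsigned int hook;        /* e.g. NF_INET_LOCAL_OUT */
	struct net_device *in;    /* NULL for locally generated packets */
	struct net_device *out;
	struct net *net;          /* namespace the packet is processed in */
};

/* Old pattern: derive the namespace from whichever device is present. */
static struct net *guess_net(const struct nf_hook_state *state)
{
	return state->in ? state->in->nd_net : state->out->nd_net;
}

/* New pattern: take the namespace the hook state already carries. */
static struct net *hook_net(const struct nf_hook_state *state)
{
	return state->net;
}

/* New-style hook: per-hook data arrives as priv, not as nf_hook_ops. */
struct table_priv { struct net *table_net; int matched; };

static unsigned int example_hook(void *priv, struct sk_buff *skb,
				 const struct nf_hook_state *state)
{
	struct table_priv *tp = priv;
	(void)skb;
	/* The table belongs to one namespace; only act when processing there. */
	if (hook_net(state) == tp->table_net)
		tp->matched++;
	return 1; /* NF_ACCEPT */
}

/* Constructed scenario: packet generated in netns A, leaving via a device
 * that lives in netns B (a route whose output device is in another netns). */
static struct net netns_a = { 1 }, netns_b = { 2 };
static struct net_device veth_b = { "veth0", &netns_b };
static struct nf_hook_state cross_ns_output(void)
{
	struct nf_hook_state st = { .hook = 3, .in = NULL, .out = &veth_b, .net = &netns_a };
	return st;
}

int guessed_id(void) { struct nf_hook_state st = cross_ns_output(); return guess_net(&st)->id; }
int actual_id(void)  { struct nf_hook_state st = cross_ns_output(); return hook_net(&st)->id; }
int hook_matches(void)
{
	struct table_priv tp = { &netns_a, 0 }; struct sk_buff skb = { 0 };
	struct nf_hook_state st = cross_ns_output();
	example_hook(&tp, &skb, &st);
	return tp.matched;
}
```

In the cross-namespace case the device-based guess names netns B while the packet is actually being processed in netns A, which is why the series threads state->net through instead.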