netfilter: core: remove synchronize_net call if nfqueue is used

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

since commit 960632ece6949b ("netfilter: convert hook list to an array")
nfqueue no longer stores a pointer to the hook that caused the packet
to be queued. Therefore no extra synchronize_net() call is needed after
dropping the packets enqueued by the old rule blob.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by

Pablo Neira Ayuso 8 years ago 26888dfd 4e645b47

+7 -19

5 changed files

expand all

include

net

netfilter

nf_queue.h

net

netfilter

core.c

nf_internals.h

nf_queue.c

nfnetlink_queue.c

+1 -1

include/net/netfilter/nf_queue.h

··· 25 25 struct nf_queue_handler { 26 26 int (*outfn)(struct nf_queue_entry *entry, 27 27 unsigned int queuenum); 28 - unsigned int (*nf_hook_drop)(struct net *net); 28 + void (*nf_hook_drop)(struct net *net); 29 29 }; 30 30 31 31 void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh);

+1 -5

net/netfilter/core.c

··· 341 341 { 342 342 struct nf_hook_entries __rcu **pp; 343 343 struct nf_hook_entries *p; 344 - unsigned int nfq; 345 344 346 345 pp = nf_hook_entry_head(net, reg); 347 346 if (!pp) ··· 363 364 364 365 synchronize_net(); 365 366 366 - /* other cpu might still process nfqueue verdict that used reg */ 367 - nfq = nf_queue_nf_hook_drop(net); 368 - if (nfq) 369 - synchronize_net(); 367 + nf_queue_nf_hook_drop(net); 370 368 kvfree(p); 371 369 } 372 370 EXPORT_SYMBOL(nf_unregister_net_hook);

+1 -1

net/netfilter/nf_internals.h

··· 10 10 int nf_queue(struct sk_buff *skb, struct nf_hook_state *state, 11 11 const struct nf_hook_entries *entries, unsigned int index, 12 12 unsigned int verdict); 13 - unsigned int nf_queue_nf_hook_drop(struct net *net); 13 + void nf_queue_nf_hook_drop(struct net *net); 14 14 15 15 /* nf_log.c */ 16 16 int __init netfilter_log_init(void);

+2 -5

net/netfilter/nf_queue.c

··· 96 96 } 97 97 EXPORT_SYMBOL_GPL(nf_queue_entry_get_refs); 98 98 99 - unsigned int nf_queue_nf_hook_drop(struct net *net) 99 + void nf_queue_nf_hook_drop(struct net *net) 100 100 { 101 101 const struct nf_queue_handler *qh; 102 - unsigned int count = 0; 103 102 104 103 rcu_read_lock(); 105 104 qh = rcu_dereference(net->nf.queue_handler); 106 105 if (qh) 107 - count = qh->nf_hook_drop(net); 106 + qh->nf_hook_drop(net); 108 107 rcu_read_unlock(); 109 - 110 - return count; 111 108 } 112 109 EXPORT_SYMBOL_GPL(nf_queue_nf_hook_drop); 113 110

+2 -7

net/netfilter/nfnetlink_queue.c

··· 941 941 .notifier_call = nfqnl_rcv_dev_event, 942 942 }; 943 943 944 - static unsigned int nfqnl_nf_hook_drop(struct net *net) 944 + static void nfqnl_nf_hook_drop(struct net *net) 945 945 { 946 946 struct nfnl_queue_net *q = nfnl_queue_pernet(net); 947 - unsigned int instances = 0; 948 947 int i; 949 948 950 949 for (i = 0; i < INSTANCE_BUCKETS; i++) { 951 950 struct nfqnl_instance *inst; 952 951 struct hlist_head *head = &q->instance_table[i]; 953 952 954 - hlist_for_each_entry_rcu(inst, head, hlist) { 953 + hlist_for_each_entry_rcu(inst, head, hlist) 955 954 nfqnl_flush(inst, NULL, 0); 956 - instances++; 957 - } 958 955 } 959 - 960 - return instances; 961 956 } 962 957 963 958 static int