
netfilter: remove hook owner refcounting

since commit 8405a8fff3f8 ("netfilter: nf_qeueue: Drop queue entries on
nf_unregister_hook") all pending queued entries are discarded.

So we can simply remove all of the owner handling -- when module is
removed it also needs to unregister all its hooks.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso
2ffbceb2 8cbc8708

-68
-1
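--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -90,7 +90,6 @@
 /* User fills in from here down. */
 nf_hookfn *hook;
 struct net_device *dev;
-struct module *owner;
 void *priv;
 u_int8_t pf;
 unsigned int hooknum;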
-7
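--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -901,49 +901,42 @@
 static struct nf_hook_ops br_nf_ops[] __read_mostly = {
 {
 .hook = br_nf_pre_routing,
-.owner = THIS_MODULE,
 .pf = NFPROTO_BRIDGE,
 .hooknum = NF_BR_PRE_ROUTING,
 .priority = NF_BR_PRI_BRNF,
 },
 {
 .hook = br_nf_local_in,
-.owner = THIS_MODULE,
 .pf = NFPROTO_BRIDGE,
 .hooknum = NF_BR_LOCAL_IN,
 .priority = NF_BR_PRI_BRNF,
 },
 {
 .hook = br_nf_forward_ip,
-.owner = THIS_MODULE,
 .pf = NFPROTO_BRIDGE,
 .hooknum = NF_BR_FORWARD,
 .priority = NF_BR_PRI_BRNF - 1,
 },
 {
 .hook = br_nf_forward_arp,
-.owner = THIS_MODULE,
 .pf = NFPROTO_BRIDGE,
 .hooknum = NF_BR_FORWARD,
 .priority = NF_BR_PRI_BRNF,
 },
 {
 .hook = br_nf_post_routing,
-.owner = THIS_MODULE,
 .pf = NFPROTO_BRIDGE,
 .hooknum = NF_BR_POST_ROUTING,
 .priority = NF_BR_PRI_LAST,
 },
 {
 .hook = ip_sabotage_in,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_PRE_ROUTING,
 .priority = NF_IP_PRI_FIRST,
 },
 {
 .hook = ip_sabotage_in,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_PRE_ROUTING,
 .priority = NF_IP6_PRI_FIRST,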
-3
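--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -73,21 +73,18 @@
 static struct nf_hook_ops ebt_ops_filter[] __read_mostly = {
 {
 .hook = ebt_in_hook,
-.owner = THIS_MODULE,
 .pf = NFPROTO_BRIDGE,
 .hooknum = NF_BR_LOCAL_IN,
 .priority = NF_BR_PRI_FILTER_BRIDGED,
 },
 {
 .hook = ebt_in_hook,
-.owner = THIS_MODULE,
 .pf = NFPROTO_BRIDGE,
 .hooknum = NF_BR_FORWARD,
 .priority = NF_BR_PRI_FILTER_BRIDGED,
 },
 {
 .hook = ebt_out_hook,
-.owner = THIS_MODULE,
 .pf = NFPROTO_BRIDGE,
 .hooknum = NF_BR_LOCAL_OUT,
 .priority = NF_BR_PRI_FILTER_OTHER,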
-3
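--- a/net/bridge/netfilter/ebtable_nat.c
+++ b/net/bridge/netfilter/ebtable_nat.c
@@ -73,21 +73,18 @@
 static struct nf_hook_ops ebt_ops_nat[] __read_mostly = {
 {
 .hook = ebt_nat_out,
-.owner = THIS_MODULE,
 .pf = NFPROTO_BRIDGE,
 .hooknum = NF_BR_LOCAL_OUT,
 .priority = NF_BR_PRI_NAT_DST_OTHER,
 },
 {
 .hook = ebt_nat_out,
-.owner = THIS_MODULE,
 .pf = NFPROTO_BRIDGE,
 .hooknum = NF_BR_POST_ROUTING,
 .priority = NF_BR_PRI_NAT_SRC,
 },
 {
 .hook = ebt_nat_in,
-.owner = THIS_MODULE,
 .pf = NFPROTO_BRIDGE,
 .hooknum = NF_BR_PRE_ROUTING,
 .priority = NF_BR_PRI_NAT_DST_BRIDGED,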
-2
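--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -437,14 +437,12 @@
 static struct nf_hook_ops ipv4_synproxy_ops[] __read_mostly = {
 {
 .hook = ipv4_synproxy_hook,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_LOCAL_IN,
 .priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1,
 },
 {
 .hook = ipv4_synproxy_hook,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1,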
-4
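--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -68,7 +68,6 @@
 /* Before packet filtering, change destination */
 {
 .hook = iptable_nat_ipv4_in,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_PRE_ROUTING,
 .priority = NF_IP_PRI_NAT_DST,
@@ -76,7 +75,6 @@
 /* After packet filtering, change source */
 {
 .hook = iptable_nat_ipv4_out,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP_PRI_NAT_SRC,
@@ -84,7 +82,6 @@
 /* Before packet filtering, change destination */
 {
 .hook = iptable_nat_ipv4_local_fn,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_LOCAL_OUT,
 .priority = NF_IP_PRI_NAT_DST,
@@ -92,7 +89,6 @@
 /* After packet filtering, change source */
 {
 .hook = iptable_nat_ipv4_fn,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_LOCAL_IN,
 .priority = NF_IP_PRI_NAT_SRC,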
-6
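--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -166,42 +166,36 @@
 static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = {
 {
 .hook = ipv4_conntrack_in,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_PRE_ROUTING,
 .priority = NF_IP_PRI_CONNTRACK,
 },
 {
 .hook = ipv4_conntrack_local,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_LOCAL_OUT,
 .priority = NF_IP_PRI_CONNTRACK,
 },
 {
 .hook = ipv4_helper,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP_PRI_CONNTRACK_HELPER,
 },
 {
 .hook = ipv4_confirm,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP_PRI_CONNTRACK_CONFIRM,
 },
 {
 .hook = ipv4_helper,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_LOCAL_IN,
 .priority = NF_IP_PRI_CONNTRACK_HELPER,
 },
 {
 .hook = ipv4_confirm,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_LOCAL_IN,
 .priority = NF_IP_PRI_CONNTRACK_CONFIRM,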
-2
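--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -94,14 +94,12 @@
 static struct nf_hook_ops ipv4_defrag_ops[] = {
 {
 .hook = ipv4_conntrack_defrag,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_PRE_ROUTING,
 .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
 },
 {
 .hook = ipv4_conntrack_defrag,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_LOCAL_OUT,
 .priority = NF_IP_PRI_CONNTRACK_DEFRAG,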
-2
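--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -458,14 +458,12 @@
 static struct nf_hook_ops ipv6_synproxy_ops[] __read_mostly = {
 {
 .hook = ipv6_synproxy_hook,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_LOCAL_IN,
 .priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1,
 },
 {
 .hook = ipv6_synproxy_hook,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1,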
-4
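--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -70,7 +70,6 @@
 /* Before packet filtering, change destination */
 {
 .hook = ip6table_nat_in,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_PRE_ROUTING,
 .priority = NF_IP6_PRI_NAT_DST,
@@ -78,7 +77,6 @@
 /* After packet filtering, change source */
 {
 .hook = ip6table_nat_out,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP6_PRI_NAT_SRC,
@@ -86,7 +84,6 @@
 /* Before packet filtering, change destination */
 {
 .hook = ip6table_nat_local_fn,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_LOCAL_OUT,
 .priority = NF_IP6_PRI_NAT_DST,
@@ -94,7 +91,6 @@
 /* After packet filtering, change source */
 {
 .hook = ip6table_nat_fn,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_LOCAL_IN,
 .priority = NF_IP6_PRI_NAT_SRC,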
-6
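--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -187,42 +187,36 @@
 static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
 {
 .hook = ipv6_conntrack_in,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_PRE_ROUTING,
 .priority = NF_IP6_PRI_CONNTRACK,
 },
 {
 .hook = ipv6_conntrack_local,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_LOCAL_OUT,
 .priority = NF_IP6_PRI_CONNTRACK,
 },
 {
 .hook = ipv6_helper,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP6_PRI_CONNTRACK_HELPER,
 },
 {
 .hook = ipv6_confirm,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP6_PRI_LAST,
 },
 {
 .hook = ipv6_helper,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_LOCAL_IN,
 .priority = NF_IP6_PRI_CONNTRACK_HELPER,
 },
 {
 .hook = ipv6_confirm,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_LOCAL_IN,
 .priority = NF_IP6_PRI_LAST-1,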
-2
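--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
@@ -84,14 +84,12 @@
 static struct nf_hook_ops ipv6_defrag_ops[] = {
 {
 .hook = ipv6_defrag,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_PRE_ROUTING,
 .priority = NF_IP6_PRI_CONNTRACK_DEFRAG,
 },
 {
 .hook = ipv6_defrag,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_LOCAL_OUT,
 .priority = NF_IP6_PRI_CONNTRACK_DEFRAG,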
-12
net/netfilter/ipvs/ip_vs_core.c
··· 1923 1923 /* After packet filtering, change source only for VS/NAT */ 1924 1924 { 1925 1925 .hook = ip_vs_reply4, 1926 - .owner = THIS_MODULE, 1927 1926 .pf = NFPROTO_IPV4, 1928 1927 .hooknum = NF_INET_LOCAL_IN, 1929 1928 .priority = NF_IP_PRI_NAT_SRC - 2, ··· 1932 1933 * applied to IPVS. */ 1933 1934 { 1934 1935 .hook = ip_vs_remote_request4, 1935 - .owner = THIS_MODULE, 1936 1936 .pf = NFPROTO_IPV4, 1937 1937 .hooknum = NF_INET_LOCAL_IN, 1938 1938 .priority = NF_IP_PRI_NAT_SRC - 1, ··· 1939 1941 /* Before ip_vs_in, change source only for VS/NAT */ 1940 1942 { 1941 1943 .hook = ip_vs_local_reply4, 1942 - .owner = THIS_MODULE, 1943 1944 .pf = NFPROTO_IPV4, 1944 1945 .hooknum = NF_INET_LOCAL_OUT, 1945 1946 .priority = NF_IP_PRI_NAT_DST + 1, ··· 1946 1949 /* After mangle, schedule and forward local requests */ 1947 1950 { 1948 1951 .hook = ip_vs_local_request4, 1949 - .owner = THIS_MODULE, 1950 1952 .pf = NFPROTO_IPV4, 1951 1953 .hooknum = NF_INET_LOCAL_OUT, 1952 1954 .priority = NF_IP_PRI_NAT_DST + 2, ··· 1954 1958 * destined for 0.0.0.0/0, which is for incoming IPVS connections */ 1955 1959 { 1956 1960 .hook = ip_vs_forward_icmp, 1957 - .owner = THIS_MODULE, 1958 1961 .pf = NFPROTO_IPV4, 1959 1962 .hooknum = NF_INET_FORWARD, 1960 1963 .priority = 99, ··· 1961 1966 /* After packet filtering, change source only for VS/NAT */ 1962 1967 { 1963 1968 .hook = ip_vs_reply4, 1964 - .owner = THIS_MODULE, 1965 1969 .pf = NFPROTO_IPV4, 1966 1970 .hooknum = NF_INET_FORWARD, 1967 1971 .priority = 100, ··· 1969 1975 /* After packet filtering, change source only for VS/NAT */ 1970 1976 { 1971 1977 .hook = ip_vs_reply6, 1972 - .owner = THIS_MODULE, 1973 1978 .pf = NFPROTO_IPV6, 1974 1979 .hooknum = NF_INET_LOCAL_IN, 1975 1980 .priority = NF_IP6_PRI_NAT_SRC - 2, ··· 1978 1985 * applied to IPVS. 
*/ 1979 1986 { 1980 1987 .hook = ip_vs_remote_request6, 1981 - .owner = THIS_MODULE, 1982 1988 .pf = NFPROTO_IPV6, 1983 1989 .hooknum = NF_INET_LOCAL_IN, 1984 1990 .priority = NF_IP6_PRI_NAT_SRC - 1, ··· 1985 1993 /* Before ip_vs_in, change source only for VS/NAT */ 1986 1994 { 1987 1995 .hook = ip_vs_local_reply6, 1988 - .owner = THIS_MODULE, 1989 1996 .pf = NFPROTO_IPV6, 1990 1997 .hooknum = NF_INET_LOCAL_OUT, 1991 1998 .priority = NF_IP6_PRI_NAT_DST + 1, ··· 1992 2001 /* After mangle, schedule and forward local requests */ 1993 2002 { 1994 2003 .hook = ip_vs_local_request6, 1995 - .owner = THIS_MODULE, 1996 2004 .pf = NFPROTO_IPV6, 1997 2005 .hooknum = NF_INET_LOCAL_OUT, 1998 2006 .priority = NF_IP6_PRI_NAT_DST + 2, ··· 2000 2010 * destined for 0.0.0.0/0, which is for incoming IPVS connections */ 2001 2011 { 2002 2012 .hook = ip_vs_forward_icmp_v6, 2003 - .owner = THIS_MODULE, 2004 2013 .pf = NFPROTO_IPV6, 2005 2014 .hooknum = NF_INET_FORWARD, 2006 2015 .priority = 99, ··· 2007 2018 /* After packet filtering, change source only for VS/NAT */ 2008 2019 { 2009 2020 .hook = ip_vs_reply6, 2010 - .owner = THIS_MODULE, 2011 2021 .pf = NFPROTO_IPV6, 2012 2022 .hooknum = NF_INET_FORWARD, 2013 2023 .priority = 100,
-5
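--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -69,8 +69,6 @@
 dev_put(physdev);
 }
 #endif
-/* Drop reference to owner of hook which queued us. */
-module_put(entry->elem->owner);
 }
 EXPORT_SYMBOL_GPL(nf_queue_entry_release_refs);
 
@@ -78,9 +76,6 @@
 bool nf_queue_entry_get_refs(struct nf_queue_entry *entry)
 {
 struct nf_hook_state *state = &entry->state;
-
-if (!try_module_get(entry->elem->owner))
-return false;
 
 if (state->in)
 dev_hold(state->in);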
-1
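--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1433,7 +1433,6 @@
 for (i = 0; i < afi->nops; i++) {
 ops = &basechain->ops[i];
 ops->pf = family;
-ops->owner = afi->owner;
 ops->hooknum = hooknum;
 ops->priority = priority;
 ops->priv = chain;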
-1
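--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1193,7 +1193,6 @@
 if (!(hook_mask & 1))
 continue;
 ops[i].hook = fn;
-ops[i].owner = table->me;
 ops[i].pf = table->af;
 ops[i].hooknum = hooknum;
 ops[i].priority = table->priority;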
-5
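--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6127,21 +6127,18 @@
 static struct nf_hook_ops selinux_nf_ops[] = {
 {
 .hook = selinux_ipv4_postroute,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP_PRI_SELINUX_LAST,
 },
 {
 .hook = selinux_ipv4_forward,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_FORWARD,
 .priority = NF_IP_PRI_SELINUX_FIRST,
 },
 {
 .hook = selinux_ipv4_output,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_LOCAL_OUT,
 .priority = NF_IP_PRI_SELINUX_FIRST,
@@ -6149,14 +6146,12 @@
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 {
 .hook = selinux_ipv6_postroute,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP6_PRI_SELINUX_LAST,
 },
 {
 .hook = selinux_ipv6_forward,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_FORWARD,
 .priority = NF_IP6_PRI_SELINUX_FIRST,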
-2
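--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -57,7 +57,6 @@
 static struct nf_hook_ops smack_nf_ops[] = {
 {
 .hook = smack_ipv4_output,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_LOCAL_OUT,
 .priority = NF_IP_PRI_SELINUX_FIRST,
@@ -65,7 +64,6 @@
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 {
 .hook = smack_ipv6_output,
-.owner = THIS_MODULE,
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_LOCAL_OUT,
 .priority = NF_IP6_PRI_SELINUX_FIRST,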