tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
netfilter: x_tables: move hook state into xt_action_param structure
Place pointer to hook state in xt_action_param structure instead of
copying the fields that we need. After this change xt_action_param fits
into one cacheline.
This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+196
-169
+38
-10
include/linux/netfilter/x_tables.h
+38
-10
include/linux/netfilter/x_tables.h
···
4
4
5
5
#include <linux/netdevice.h>
6
6
#include <linux/static_key.h>
7
+
#include <linux/netfilter.h>
7
8
#include <uapi/linux/netfilter/x_tables.h>
8
9
9
10
/* Test a struct->invflags and a boolean for inequality */
···
18
17
* @target: the target extension
19
18
* @matchinfo: per-match data
20
19
* @targetinfo: per-target data
21
-
* @net network namespace through which the action was invoked
22
-
* @in: input netdevice
23
-
* @out: output netdevice
20
+
* @state: pointer to hook state this packet came from
24
21
* @fragoff: packet is a fragment, this is the data offset
25
22
* @thoff: position of transport header relative to skb->data
26
-
* @hook: hook number given packet came from
27
-
* @family: Actual NFPROTO_* through which the function is invoked
28
-
* (helpful when match->family == NFPROTO_UNSPEC)
29
23
*
30
24
* Fields written to by extensions:
31
25
*
···
34
38
union {
35
39
const void *matchinfo, *targinfo;
36
40
};
37
-
struct net *net;
38
-
const struct net_device *in, *out;
41
+
const struct nf_hook_state *state;
39
42
int fragoff;
40
43
unsigned int thoff;
41
-
unsigned int hooknum;
42
-
u_int8_t family;
43
44
bool hotdrop;
44
45
};
46
+
47
+
static inline struct net *xt_net(const struct xt_action_param *par)
48
+
{
49
+
return par->state->net;
50
+
}
51
+
52
+
static inline struct net_device *xt_in(const struct xt_action_param *par)
53
+
{
54
+
return par->state->in;
55
+
}
56
+
57
+
static inline const char *xt_inname(const struct xt_action_param *par)
58
+
{
59
+
return par->state->in->name;
60
+
}
61
+
62
+
static inline struct net_device *xt_out(const struct xt_action_param *par)
63
+
{
64
+
return par->state->out;
65
+
}
66
+
67
+
static inline const char *xt_outname(const struct xt_action_param *par)
68
+
{
69
+
return par->state->out->name;
70
+
}
71
+
72
+
static inline unsigned int xt_hooknum(const struct xt_action_param *par)
73
+
{
74
+
return par->state->hook;
75
+
}
76
+
77
+
static inline u_int8_t xt_family(const struct xt_action_param *par)
78
+
{
79
+
return par->state->pf;
80
+
}
45
81
46
82
/**
47
83
* struct xt_mtchk_param - parameters for match extensions'
+6
-5
include/net/netfilter/nf_tables.h
+6
-5
include/net/netfilter/nf_tables.h
···
30
30
const struct nf_hook_state *state)
31
31
{
32
32
pkt->skb = skb;
33
-
pkt->net = pkt->xt.net = state->net;
34
-
pkt->in = pkt->xt.in = state->in;
35
-
pkt->out = pkt->xt.out = state->out;
36
-
pkt->hook = pkt->xt.hooknum = state->hook;
37
-
pkt->pf = pkt->xt.family = state->pf;
33
+
pkt->net = state->net;
34
+
pkt->in = state->in;
35
+
pkt->out = state->out;
36
+
pkt->hook = state->hook;
37
+
pkt->pf = state->pf;
38
+
pkt->xt.state = state;
38
39
}
39
40
40
41
static inline void nft_set_pktinfo_proto_unspec(struct nft_pktinfo *pkt,
+2
-1
net/bridge/netfilter/ebt_arpreply.c
+2
-1
net/bridge/netfilter/ebt_arpreply.c
+6
-5
net/bridge/netfilter/ebt_log.c
+6
-5
net/bridge/netfilter/ebt_log.c
···
179
179
{
180
180
const struct ebt_log_info *info = par->targinfo;
181
181
struct nf_loginfo li;
182
-
struct net *net = par->net;
182
+
struct net *net = xt_net(par);
183
183
184
184
li.type = NF_LOG_TYPE_LOG;
185
185
li.u.log.level = info->loglevel;
···
190
190
* nf_log_packet() with NFT_LOG_TYPE_LOG here. --Pablo
191
191
*/
192
192
if (info->bitmask & EBT_LOG_NFLOG)
193
-
nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb,
194
-
par->in, par->out, &li, "%s", info->prefix);
193
+
nf_log_packet(net, NFPROTO_BRIDGE, xt_hooknum(par), skb,
194
+
xt_in(par), xt_out(par), &li, "%s",
195
+
info->prefix);
195
196
else
196
-
ebt_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb, par->in,
197
-
par->out, &li, info->prefix);
197
+
ebt_log_packet(net, NFPROTO_BRIDGE, xt_hooknum(par), skb,
198
+
xt_in(par), xt_out(par), &li, info->prefix);
198
199
return EBT_CONTINUE;
199
200
}
200
201
+3
-3
net/bridge/netfilter/ebt_nflog.c
+3
-3
net/bridge/netfilter/ebt_nflog.c
···
23
23
ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
24
24
{
25
25
const struct ebt_nflog_info *info = par->targinfo;
26
+
struct net *net = xt_net(par);
26
27
struct nf_loginfo li;
27
-
struct net *net = par->net;
28
28
29
29
li.type = NF_LOG_TYPE_ULOG;
30
30
li.u.ulog.copy_len = info->len;
31
31
li.u.ulog.group = info->group;
32
32
li.u.ulog.qthreshold = info->threshold;
33
33
34
-
nf_log_packet(net, PF_BRIDGE, par->hooknum, skb, par->in,
35
-
par->out, &li, "%s", info->prefix);
34
+
nf_log_packet(net, PF_BRIDGE, xt_hooknum(par), skb, xt_in(par),
35
+
xt_out(par), &li, "%s", info->prefix);
36
36
return EBT_CONTINUE;
37
37
}
38
38
+3
-3
net/bridge/netfilter/ebt_redirect.c
+3
-3
net/bridge/netfilter/ebt_redirect.c
···
23
23
if (!skb_make_writable(skb, 0))
24
24
return EBT_DROP;
25
25
26
-
if (par->hooknum != NF_BR_BROUTING)
26
+
if (xt_hooknum(par) != NF_BR_BROUTING)
27
27
/* rcu_read_lock()ed by nf_hook_thresh */
28
28
ether_addr_copy(eth_hdr(skb)->h_dest,
29
-
br_port_get_rcu(par->in)->br->dev->dev_addr);
29
+
br_port_get_rcu(xt_in(par))->br->dev->dev_addr);
30
30
else
31
-
ether_addr_copy(eth_hdr(skb)->h_dest, par->in->dev_addr);
31
+
ether_addr_copy(eth_hdr(skb)->h_dest, xt_in(par)->dev_addr);
32
32
skb->pkt_type = PACKET_HOST;
33
33
return info->target;
34
34
}
+1
-5
net/bridge/netfilter/ebtables.c
+1
-5
net/bridge/netfilter/ebtables.c
···
194
194
const struct ebt_table_info *private;
195
195
struct xt_action_param acpar;
196
196
197
-
acpar.family = NFPROTO_BRIDGE;
198
-
acpar.net = state->net;
199
-
acpar.in = state->in;
200
-
acpar.out = state->out;
197
+
acpar.state = state;
201
198
acpar.hotdrop = false;
202
-
acpar.hooknum = hook;
203
199
204
200
read_lock_bh(&table->lock);
205
201
private = table->private;
+1
-5
net/ipv4/netfilter/arp_tables.c
+1
-5
net/ipv4/netfilter/arp_tables.c
···
217
217
*/
218
218
e = get_entry(table_base, private->hook_entry[hook]);
219
219
220
-
acpar.net = state->net;
221
-
acpar.in = state->in;
222
-
acpar.out = state->out;
223
-
acpar.hooknum = hook;
224
-
acpar.family = NFPROTO_ARP;
220
+
acpar.state = state;
225
221
acpar.hotdrop = false;
226
222
227
223
arp = arp_hdr(skb);
+1
-5
net/ipv4/netfilter/ip_tables.c
+1
-5
net/ipv4/netfilter/ip_tables.c
···
261
261
acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
262
262
acpar.thoff = ip_hdrlen(skb);
263
263
acpar.hotdrop = false;
264
-
acpar.net = state->net;
265
-
acpar.in = state->in;
266
-
acpar.out = state->out;
267
-
acpar.family = NFPROTO_IPV4;
268
-
acpar.hooknum = hook;
264
+
acpar.state = state;
269
265
270
266
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
271
267
local_bh_disable();
+2
-1
net/ipv4/netfilter/ipt_MASQUERADE.c
+2
-1
net/ipv4/netfilter/ipt_MASQUERADE.c
···
55
55
range.min_proto = mr->range[0].min;
56
56
range.max_proto = mr->range[0].max;
57
57
58
-
return nf_nat_masquerade_ipv4(skb, par->hooknum, &range, par->out);
58
+
return nf_nat_masquerade_ipv4(skb, xt_hooknum(par), &range,
59
+
xt_out(par));
59
60
}
60
61
61
62
static struct xt_target masquerade_tg_reg __read_mostly = {
+2
-2
net/ipv4/netfilter/ipt_REJECT.c
+2
-2
net/ipv4/netfilter/ipt_REJECT.c
···
34
34
reject_tg(struct sk_buff *skb, const struct xt_action_param *par)
35
35
{
36
36
const struct ipt_reject_info *reject = par->targinfo;
37
-
int hook = par->hooknum;
37
+
int hook = xt_hooknum(par);
38
38
39
39
switch (reject->with) {
40
40
case IPT_ICMP_NET_UNREACHABLE:
···
59
59
nf_send_unreach(skb, ICMP_PKT_FILTERED, hook);
60
60
break;
61
61
case IPT_TCP_RESET:
62
-
nf_send_reset(par->net, skb, hook);
62
+
nf_send_reset(xt_net(par), skb, hook);
63
63
case IPT_ICMP_ECHOREPLY:
64
64
/* Doesn't happen. */
65
65
break;
+2
-2
net/ipv4/netfilter/ipt_SYNPROXY.c
+2
-2
net/ipv4/netfilter/ipt_SYNPROXY.c
···
263
263
synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
264
264
{
265
265
const struct xt_synproxy_info *info = par->targinfo;
266
-
struct net *net = par->net;
266
+
struct net *net = xt_net(par);
267
267
struct synproxy_net *snet = synproxy_pernet(net);
268
268
struct synproxy_options opts = {};
269
269
struct tcphdr *th, _th;
270
270
271
-
if (nf_ip_checksum(skb, par->hooknum, par->thoff, IPPROTO_TCP))
271
+
if (nf_ip_checksum(skb, xt_hooknum(par), par->thoff, IPPROTO_TCP))
272
272
return NF_DROP;
273
273
274
274
th = skb_header_pointer(skb, par->thoff, sizeof(_th), &_th);
+1
-1
net/ipv4/netfilter/ipt_rpfilter.c
+1
-1
net/ipv4/netfilter/ipt_rpfilter.c
···
95
95
flow.flowi4_tos = RT_TOS(iph->tos);
96
96
flow.flowi4_scope = RT_SCOPE_UNIVERSE;
97
97
98
-
return rpfilter_lookup_reverse(par->net, &flow, par->in, info->flags) ^ invert;
98
+
return rpfilter_lookup_reverse(xt_net(par), &flow, xt_in(par), info->flags) ^ invert;
99
99
}
100
100
101
101
static int rpfilter_check(const struct xt_mtchk_param *par)
+1
-5
net/ipv6/netfilter/ip6_tables.c
+1
-5
net/ipv6/netfilter/ip6_tables.c
···
291
291
* rule is also a fragment-specific rule, non-fragments won't
292
292
* match it. */
293
293
acpar.hotdrop = false;
294
-
acpar.net = state->net;
295
-
acpar.in = state->in;
296
-
acpar.out = state->out;
297
-
acpar.family = NFPROTO_IPV6;
298
-
acpar.hooknum = hook;
294
+
acpar.state = state;
299
295
300
296
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
301
297
+1
-1
net/ipv6/netfilter/ip6t_MASQUERADE.c
+1
-1
net/ipv6/netfilter/ip6t_MASQUERADE.c
···
24
24
static unsigned int
25
25
masquerade_tg6(struct sk_buff *skb, const struct xt_action_param *par)
26
26
{
27
-
return nf_nat_masquerade_ipv6(skb, par->targinfo, par->out);
27
+
return nf_nat_masquerade_ipv6(skb, par->targinfo, xt_out(par));
28
28
}
29
29
30
30
static int masquerade_tg6_checkentry(const struct xt_tgchk_param *par)
+14
-9
net/ipv6/netfilter/ip6t_REJECT.c
+14
-9
net/ipv6/netfilter/ip6t_REJECT.c
···
39
39
reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
40
40
{
41
41
const struct ip6t_reject_info *reject = par->targinfo;
42
-
struct net *net = par->net;
42
+
struct net *net = xt_net(par);
43
43
44
44
switch (reject->with) {
45
45
case IP6T_ICMP6_NO_ROUTE:
46
-
nf_send_unreach6(net, skb, ICMPV6_NOROUTE, par->hooknum);
46
+
nf_send_unreach6(net, skb, ICMPV6_NOROUTE, xt_hooknum(par));
47
47
break;
48
48
case IP6T_ICMP6_ADM_PROHIBITED:
49
-
nf_send_unreach6(net, skb, ICMPV6_ADM_PROHIBITED, par->hooknum);
49
+
nf_send_unreach6(net, skb, ICMPV6_ADM_PROHIBITED,
50
+
xt_hooknum(par));
50
51
break;
51
52
case IP6T_ICMP6_NOT_NEIGHBOUR:
52
-
nf_send_unreach6(net, skb, ICMPV6_NOT_NEIGHBOUR, par->hooknum);
53
+
nf_send_unreach6(net, skb, ICMPV6_NOT_NEIGHBOUR,
54
+
xt_hooknum(par));
53
55
break;
54
56
case IP6T_ICMP6_ADDR_UNREACH:
55
-
nf_send_unreach6(net, skb, ICMPV6_ADDR_UNREACH, par->hooknum);
57
+
nf_send_unreach6(net, skb, ICMPV6_ADDR_UNREACH,
58
+
xt_hooknum(par));
56
59
break;
57
60
case IP6T_ICMP6_PORT_UNREACH:
58
-
nf_send_unreach6(net, skb, ICMPV6_PORT_UNREACH, par->hooknum);
61
+
nf_send_unreach6(net, skb, ICMPV6_PORT_UNREACH,
62
+
xt_hooknum(par));
59
63
break;
60
64
case IP6T_ICMP6_ECHOREPLY:
61
65
/* Do nothing */
62
66
break;
63
67
case IP6T_TCP_RESET:
64
-
nf_send_reset6(net, skb, par->hooknum);
68
+
nf_send_reset6(net, skb, xt_hooknum(par));
65
69
break;
66
70
case IP6T_ICMP6_POLICY_FAIL:
67
-
nf_send_unreach6(net, skb, ICMPV6_POLICY_FAIL, par->hooknum);
71
+
nf_send_unreach6(net, skb, ICMPV6_POLICY_FAIL, xt_hooknum(par));
68
72
break;
69
73
case IP6T_ICMP6_REJECT_ROUTE:
70
-
nf_send_unreach6(net, skb, ICMPV6_REJECT_ROUTE, par->hooknum);
74
+
nf_send_unreach6(net, skb, ICMPV6_REJECT_ROUTE,
75
+
xt_hooknum(par));
71
76
break;
72
77
}
73
78
+2
-2
net/ipv6/netfilter/ip6t_SYNPROXY.c
+2
-2
net/ipv6/netfilter/ip6t_SYNPROXY.c
···
277
277
synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
278
278
{
279
279
const struct xt_synproxy_info *info = par->targinfo;
280
-
struct net *net = par->net;
280
+
struct net *net = xt_net(par);
281
281
struct synproxy_net *snet = synproxy_pernet(net);
282
282
struct synproxy_options opts = {};
283
283
struct tcphdr *th, _th;
284
284
285
-
if (nf_ip6_checksum(skb, par->hooknum, par->thoff, IPPROTO_TCP))
285
+
if (nf_ip6_checksum(skb, xt_hooknum(par), par->thoff, IPPROTO_TCP))
286
286
return NF_DROP;
287
287
288
288
th = skb_header_pointer(skb, par->thoff, sizeof(_th), &_th);
+2
-1
net/ipv6/netfilter/ip6t_rpfilter.c
+2
-1
net/ipv6/netfilter/ip6t_rpfilter.c
···
93
93
if (unlikely(saddrtype == IPV6_ADDR_ANY))
94
94
return true ^ invert; /* not routable: forward path will drop it */
95
95
96
-
return rpfilter_lookup_reverse6(par->net, skb, par->in, info->flags) ^ invert;
96
+
return rpfilter_lookup_reverse6(xt_net(par), skb, xt_in(par),
97
+
info->flags) ^ invert;
97
98
}
98
99
99
100
static int rpfilter_check(const struct xt_mtchk_param *par)
+3
-3
net/netfilter/ipset/ip_set_core.c
+3
-3
net/netfilter/ipset/ip_set_core.c
···
541
541
ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
542
542
const struct xt_action_param *par, struct ip_set_adt_opt *opt)
543
543
{
544
-
struct ip_set *set = ip_set_rcu_get(par->net, index);
544
+
struct ip_set *set = ip_set_rcu_get(xt_net(par), index);
545
545
int ret = 0;
546
546
547
547
BUG_ON(!set);
···
579
579
ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
580
580
const struct xt_action_param *par, struct ip_set_adt_opt *opt)
581
581
{
582
-
struct ip_set *set = ip_set_rcu_get(par->net, index);
582
+
struct ip_set *set = ip_set_rcu_get(xt_net(par), index);
583
583
int ret;
584
584
585
585
BUG_ON(!set);
···
601
601
ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
602
602
const struct xt_action_param *par, struct ip_set_adt_opt *opt)
603
603
{
604
-
struct ip_set *set = ip_set_rcu_get(par->net, index);
604
+
struct ip_set *set = ip_set_rcu_get(xt_net(par), index);
605
605
int ret = 0;
606
606
607
607
BUG_ON(!set);
+1
-1
net/netfilter/ipset/ip_set_hash_netiface.c
+1
-1
net/netfilter/ipset/ip_set_hash_netiface.c
···
170
170
ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip);
171
171
e.ip &= ip_set_netmask(e.cidr);
172
172
173
-
#define IFACE(dir) (par->dir ? par->dir->name : "")
173
+
#define IFACE(dir) (par->state->dir ? par->state->dir->name : "")
174
174
#define SRCDIR (opt->flags & IPSET_DIM_TWO_SRC)
175
175
176
176
if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
+5
-5
net/netfilter/xt_AUDIT.c
+5
-5
net/netfilter/xt_AUDIT.c
···
132
132
goto errout;
133
133
134
134
audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
135
-
info->type, par->hooknum, skb->len,
136
-
par->in ? par->in->name : "?",
137
-
par->out ? par->out->name : "?");
135
+
info->type, xt_hooknum(par), skb->len,
136
+
xt_in(par) ? xt_inname(par) : "?",
137
+
xt_out(par) ? xt_outname(par) : "?");
138
138
139
139
if (skb->mark)
140
140
audit_log_format(ab, " mark=%#x", skb->mark);
···
144
144
eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
145
145
ntohs(eth_hdr(skb)->h_proto));
146
146
147
-
if (par->family == NFPROTO_BRIDGE) {
147
+
if (xt_family(par) == NFPROTO_BRIDGE) {
148
148
switch (eth_hdr(skb)->h_proto) {
149
149
case htons(ETH_P_IP):
150
150
audit_ip4(ab, skb);
···
157
157
}
158
158
}
159
159
160
-
switch (par->family) {
160
+
switch (xt_family(par)) {
161
161
case NFPROTO_IPV4:
162
162
audit_ip4(ab, skb);
163
163
break;
+3
-3
net/netfilter/xt_LOG.c
+3
-3
net/netfilter/xt_LOG.c
···
32
32
log_tg(struct sk_buff *skb, const struct xt_action_param *par)
33
33
{
34
34
const struct xt_log_info *loginfo = par->targinfo;
35
+
struct net *net = xt_net(par);
35
36
struct nf_loginfo li;
36
-
struct net *net = par->net;
37
37
38
38
li.type = NF_LOG_TYPE_LOG;
39
39
li.u.log.level = loginfo->level;
40
40
li.u.log.logflags = loginfo->logflags;
41
41
42
-
nf_log_packet(net, par->family, par->hooknum, skb, par->in, par->out,
43
-
&li, "%s", loginfo->prefix);
42
+
nf_log_packet(net, xt_family(par), xt_hooknum(par), skb, xt_in(par),
43
+
xt_out(par), &li, "%s", loginfo->prefix);
44
44
return XT_CONTINUE;
45
45
}
46
46
+10
-10
net/netfilter/xt_NETMAP.c
+10
-10
net/netfilter/xt_NETMAP.c
···
33
33
netmask.ip6[i] = ~(range->min_addr.ip6[i] ^
34
34
range->max_addr.ip6[i]);
35
35
36
-
if (par->hooknum == NF_INET_PRE_ROUTING ||
37
-
par->hooknum == NF_INET_LOCAL_OUT)
36
+
if (xt_hooknum(par) == NF_INET_PRE_ROUTING ||
37
+
xt_hooknum(par) == NF_INET_LOCAL_OUT)
38
38
new_addr.in6 = ipv6_hdr(skb)->daddr;
39
39
else
40
40
new_addr.in6 = ipv6_hdr(skb)->saddr;
···
51
51
newrange.min_proto = range->min_proto;
52
52
newrange.max_proto = range->max_proto;
53
53
54
-
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
54
+
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(xt_hooknum(par)));
55
55
}
56
56
57
57
static int netmap_tg6_checkentry(const struct xt_tgchk_param *par)
···
72
72
const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
73
73
struct nf_nat_range newrange;
74
74
75
-
NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
76
-
par->hooknum == NF_INET_POST_ROUTING ||
77
-
par->hooknum == NF_INET_LOCAL_OUT ||
78
-
par->hooknum == NF_INET_LOCAL_IN);
75
+
NF_CT_ASSERT(xt_hooknum(par) == NF_INET_PRE_ROUTING ||
76
+
xt_hooknum(par) == NF_INET_POST_ROUTING ||
77
+
xt_hooknum(par) == NF_INET_LOCAL_OUT ||
78
+
xt_hooknum(par) == NF_INET_LOCAL_IN);
79
79
ct = nf_ct_get(skb, &ctinfo);
80
80
81
81
netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
82
82
83
-
if (par->hooknum == NF_INET_PRE_ROUTING ||
84
-
par->hooknum == NF_INET_LOCAL_OUT)
83
+
if (xt_hooknum(par) == NF_INET_PRE_ROUTING ||
84
+
xt_hooknum(par) == NF_INET_LOCAL_OUT)
85
85
new_ip = ip_hdr(skb)->daddr & ~netmask;
86
86
else
87
87
new_ip = ip_hdr(skb)->saddr & ~netmask;
···
96
96
newrange.max_proto = mr->range[0].max;
97
97
98
98
/* Hand modified range to generic setup. */
99
-
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
99
+
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(xt_hooknum(par)));
100
100
}
101
101
102
102
static int netmap_tg4_check(const struct xt_tgchk_param *par)
+3
-3
net/netfilter/xt_NFLOG.c
+3
-3
net/netfilter/xt_NFLOG.c
···
25
25
nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
26
26
{
27
27
const struct xt_nflog_info *info = par->targinfo;
28
+
struct net *net = xt_net(par);
28
29
struct nf_loginfo li;
29
-
struct net *net = par->net;
30
30
31
31
li.type = NF_LOG_TYPE_ULOG;
32
32
li.u.ulog.copy_len = info->len;
···
37
37
if (info->flags & XT_NFLOG_F_COPY_LEN)
38
38
li.u.ulog.flags |= NF_LOG_F_COPY_LEN;
39
39
40
-
nfulnl_log_packet(net, par->family, par->hooknum, skb, par->in,
41
-
par->out, &li, info->prefix);
40
+
nfulnl_log_packet(net, xt_family(par), xt_hooknum(par), skb,
41
+
xt_in(par), xt_out(par), &li, info->prefix);
42
42
return XT_CONTINUE;
43
43
}
44
44
+2
-2
net/netfilter/xt_NFQUEUE.c
+2
-2
net/netfilter/xt_NFQUEUE.c
···
43
43
44
44
if (info->queues_total > 1) {
45
45
queue = nfqueue_hash(skb, queue, info->queues_total,
46
-
par->family, jhash_initval);
46
+
xt_family(par), jhash_initval);
47
47
}
48
48
return NF_QUEUE_NR(queue);
49
49
}
···
98
98
queue = info->queuenum + cpu % info->queues_total;
99
99
} else {
100
100
queue = nfqueue_hash(skb, queue, info->queues_total,
101
-
par->family, jhash_initval);
101
+
xt_family(par), jhash_initval);
102
102
}
103
103
}
104
104
+2
-2
net/netfilter/xt_REDIRECT.c
+2
-2
net/netfilter/xt_REDIRECT.c
···
31
31
static unsigned int
32
32
redirect_tg6(struct sk_buff *skb, const struct xt_action_param *par)
33
33
{
34
-
return nf_nat_redirect_ipv6(skb, par->targinfo, par->hooknum);
34
+
return nf_nat_redirect_ipv6(skb, par->targinfo, xt_hooknum(par));
35
35
}
36
36
37
37
static int redirect_tg6_checkentry(const struct xt_tgchk_param *par)
···
62
62
static unsigned int
63
63
redirect_tg4(struct sk_buff *skb, const struct xt_action_param *par)
64
64
{
65
-
return nf_nat_redirect_ipv4(skb, par->targinfo, par->hooknum);
65
+
return nf_nat_redirect_ipv4(skb, par->targinfo, xt_hooknum(par));
66
66
}
67
67
68
68
static struct xt_target redirect_tg_reg[] __read_mostly = {
+2
-2
net/netfilter/xt_TCPMSS.c
+2
-2
net/netfilter/xt_TCPMSS.c
···
108
108
return -1;
109
109
110
110
if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
111
-
struct net *net = par->net;
111
+
struct net *net = xt_net(par);
112
112
unsigned int in_mtu = tcpmss_reverse_mtu(net, skb, family);
113
113
unsigned int min_mtu = min(dst_mtu(skb_dst(skb)), in_mtu);
114
114
···
172
172
* length IPv6 header of 60, ergo the default MSS value is 1220
173
173
* Since no MSS was provided, we must use the default values
174
174
*/
175
-
if (par->family == NFPROTO_IPV4)
175
+
if (xt_family(par) == NFPROTO_IPV4)
176
176
newmss = min(newmss, (u16)536);
177
177
else
178
178
newmss = min(newmss, (u16)1220);
+2
-2
net/netfilter/xt_TEE.c
+2
-2
net/netfilter/xt_TEE.c
···
33
33
const struct xt_tee_tginfo *info = par->targinfo;
34
34
int oif = info->priv ? info->priv->oif : 0;
35
35
36
-
nf_dup_ipv4(par->net, skb, par->hooknum, &info->gw.in, oif);
36
+
nf_dup_ipv4(xt_net(par), skb, xt_hooknum(par), &info->gw.in, oif);
37
37
38
38
return XT_CONTINUE;
39
39
}
···
45
45
const struct xt_tee_tginfo *info = par->targinfo;
46
46
int oif = info->priv ? info->priv->oif : 0;
47
47
48
-
nf_dup_ipv6(par->net, skb, par->hooknum, &info->gw.in6, oif);
48
+
nf_dup_ipv6(xt_net(par), skb, xt_hooknum(par), &info->gw.in6, oif);
49
49
50
50
return XT_CONTINUE;
51
51
}
+9
-7
net/netfilter/xt_TPROXY.c
+9
-7
net/netfilter/xt_TPROXY.c
···
364
364
{
365
365
const struct xt_tproxy_target_info *tgi = par->targinfo;
366
366
367
-
return tproxy_tg4(par->net, skb, tgi->laddr, tgi->lport, tgi->mark_mask, tgi->mark_value);
367
+
return tproxy_tg4(xt_net(par), skb, tgi->laddr, tgi->lport,
368
+
tgi->mark_mask, tgi->mark_value);
368
369
}
369
370
370
371
static unsigned int
···
373
372
{
374
373
const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
375
374
376
-
return tproxy_tg4(par->net, skb, tgi->laddr.ip, tgi->lport, tgi->mark_mask, tgi->mark_value);
375
+
return tproxy_tg4(xt_net(par), skb, tgi->laddr.ip, tgi->lport,
376
+
tgi->mark_mask, tgi->mark_value);
377
377
}
378
378
379
379
#ifdef XT_TPROXY_HAVE_IPV6
···
444
442
* to a listener socket if there's one */
445
443
struct sock *sk2;
446
444
447
-
sk2 = nf_tproxy_get_sock_v6(par->net, skb, thoff, hp, tproto,
445
+
sk2 = nf_tproxy_get_sock_v6(xt_net(par), skb, thoff, hp, tproto,
448
446
&iph->saddr,
449
447
tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr),
450
448
hp->source,
···
487
485
* addresses, this happens if the redirect already happened
488
486
* and the current packet belongs to an already established
489
487
* connection */
490
-
sk = nf_tproxy_get_sock_v6(par->net, skb, thoff, hp, tproto,
488
+
sk = nf_tproxy_get_sock_v6(xt_net(par), skb, thoff, hp, tproto,
491
489
&iph->saddr, &iph->daddr,
492
490
hp->source, hp->dest,
493
-
par->in, NFT_LOOKUP_ESTABLISHED);
491
+
xt_in(par), NFT_LOOKUP_ESTABLISHED);
494
492
495
493
laddr = tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr);
496
494
lport = tgi->lport ? tgi->lport : hp->dest;
···
502
500
else if (!sk)
503
501
/* no there's no established connection, check if
504
502
* there's a listener on the redirected addr/port */
505
-
sk = nf_tproxy_get_sock_v6(par->net, skb, thoff, hp,
503
+
sk = nf_tproxy_get_sock_v6(xt_net(par), skb, thoff, hp,
506
504
tproto, &iph->saddr, laddr,
507
505
hp->source, lport,
508
-
par->in, NFT_LOOKUP_LISTENER);
506
+
xt_in(par), NFT_LOOKUP_LISTENER);
509
507
510
508
/* NOTE: assign_sock consumes our sk reference */
511
509
if (sk && tproxy_sk_is_transparent(sk)) {
+5
-5
net/netfilter/xt_addrtype.c
+5
-5
net/netfilter/xt_addrtype.c
···
125
125
static bool
126
126
addrtype_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
127
127
{
128
-
struct net *net = par->net;
128
+
struct net *net = xt_net(par);
129
129
const struct xt_addrtype_info *info = par->matchinfo;
130
130
const struct iphdr *iph = ip_hdr(skb);
131
131
bool ret = true;
···
143
143
static bool
144
144
addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
145
145
{
146
-
struct net *net = par->net;
146
+
struct net *net = xt_net(par);
147
147
const struct xt_addrtype_info_v1 *info = par->matchinfo;
148
148
const struct iphdr *iph;
149
149
const struct net_device *dev = NULL;
150
150
bool ret = true;
151
151
152
152
if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
153
-
dev = par->in;
153
+
dev = xt_in(par);
154
154
else if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
155
-
dev = par->out;
155
+
dev = xt_out(par);
156
156
157
157
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
158
-
if (par->family == NFPROTO_IPV6)
158
+
if (xt_family(par) == NFPROTO_IPV6)
159
159
return addrtype_mt6(net, dev, skb, info);
160
160
#endif
161
161
iph = ip_hdr(skb);
+1
-1
net/netfilter/xt_cluster.c
+1
-1
net/netfilter/xt_cluster.c
···
112
112
* know, matches should not alter packets, but we are doing this here
113
113
* because we would need to add a PKTTYPE target for this sole purpose.
114
114
*/
115
-
if (!xt_cluster_is_multicast_addr(skb, par->family) &&
115
+
if (!xt_cluster_is_multicast_addr(skb, xt_family(par)) &&
116
116
skb->pkt_type == PACKET_MULTICAST) {
117
117
pskb->pkt_type = PACKET_HOST;
118
118
}
+4
-4
net/netfilter/xt_connlimit.c
+4
-4
net/netfilter/xt_connlimit.c
···
317
317
static bool
318
318
connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
319
319
{
320
-
struct net *net = par->net;
320
+
struct net *net = xt_net(par);
321
321
const struct xt_connlimit_info *info = par->matchinfo;
322
322
union nf_inet_addr addr;
323
323
struct nf_conntrack_tuple tuple;
···
332
332
tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
333
333
zone = nf_ct_zone(ct);
334
334
} else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
335
-
par->family, net, &tuple)) {
335
+
xt_family(par), net, &tuple)) {
336
336
goto hotdrop;
337
337
}
338
338
339
-
if (par->family == NFPROTO_IPV6) {
339
+
if (xt_family(par) == NFPROTO_IPV6) {
340
340
const struct ipv6hdr *iph = ipv6_hdr(skb);
341
341
memcpy(&addr.ip6, (info->flags & XT_CONNLIMIT_DADDR) ?
342
342
&iph->daddr : &iph->saddr, sizeof(addr.ip6));
···
347
347
}
348
348
349
349
connections = count_them(net, info->data, tuple_ptr, &addr,
350
-
&info->mask, par->family, zone);
350
+
&info->mask, xt_family(par), zone);
351
351
if (connections == 0)
352
352
/* kmalloc failed, drop it entirely */
353
353
goto hotdrop;
+4
-4
net/netfilter/xt_conntrack.c
+4
-4
net/netfilter/xt_conntrack.c
···
200
200
return false;
201
201
202
202
if (info->match_flags & XT_CONNTRACK_ORIGSRC)
203
-
if (conntrack_mt_origsrc(ct, info, par->family) ^
203
+
if (conntrack_mt_origsrc(ct, info, xt_family(par)) ^
204
204
!(info->invert_flags & XT_CONNTRACK_ORIGSRC))
205
205
return false;
206
206
207
207
if (info->match_flags & XT_CONNTRACK_ORIGDST)
208
-
if (conntrack_mt_origdst(ct, info, par->family) ^
208
+
if (conntrack_mt_origdst(ct, info, xt_family(par)) ^
209
209
!(info->invert_flags & XT_CONNTRACK_ORIGDST))
210
210
return false;
211
211
212
212
if (info->match_flags & XT_CONNTRACK_REPLSRC)
213
-
if (conntrack_mt_replsrc(ct, info, par->family) ^
213
+
if (conntrack_mt_replsrc(ct, info, xt_family(par)) ^
214
214
!(info->invert_flags & XT_CONNTRACK_REPLSRC))
215
215
return false;
216
216
217
217
if (info->match_flags & XT_CONNTRACK_REPLDST)
218
-
if (conntrack_mt_repldst(ct, info, par->family) ^
218
+
if (conntrack_mt_repldst(ct, info, xt_family(par)) ^
219
219
!(info->invert_flags & XT_CONNTRACK_REPLDST))
220
220
return false;
221
221
+2
-2
net/netfilter/xt_devgroup.c
+2
-2
net/netfilter/xt_devgroup.c
···
24
24
const struct xt_devgroup_info *info = par->matchinfo;
25
25
26
26
if (info->flags & XT_DEVGROUP_MATCH_SRC &&
27
-
(((info->src_group ^ par->in->group) & info->src_mask ? 1 : 0) ^
27
+
(((info->src_group ^ xt_in(par)->group) & info->src_mask ? 1 : 0) ^
28
28
((info->flags & XT_DEVGROUP_INVERT_SRC) ? 1 : 0)))
29
29
return false;
30
30
31
31
if (info->flags & XT_DEVGROUP_MATCH_DST &&
32
-
(((info->dst_group ^ par->out->group) & info->dst_mask ? 1 : 0) ^
32
+
(((info->dst_group ^ xt_out(par)->group) & info->dst_mask ? 1 : 0) ^
33
33
((info->flags & XT_DEVGROUP_INVERT_DST) ? 1 : 0)))
34
34
return false;
35
35
+1
-1
net/netfilter/xt_dscp.c
+1
-1
net/netfilter/xt_dscp.c
+2
-2
net/netfilter/xt_ipvs.c
+2
-2
net/netfilter/xt_ipvs.c
···
48
48
ipvs_mt(const struct sk_buff *skb, struct xt_action_param *par)
49
49
{
50
50
const struct xt_ipvs_mtinfo *data = par->matchinfo;
51
-
struct netns_ipvs *ipvs = net_ipvs(par->net);
51
+
struct netns_ipvs *ipvs = net_ipvs(xt_net(par));
52
52
/* ipvs_mt_check ensures that family is only NFPROTO_IPV[46]. */
53
-
const u_int8_t family = par->family;
53
+
const u_int8_t family = xt_family(par);
54
54
struct ip_vs_iphdr iph;
55
55
struct ip_vs_protocol *pp;
56
56
struct ip_vs_conn *cp;
+1
-1
net/netfilter/xt_nfacct.c
+1
-1
net/netfilter/xt_nfacct.c
+5
-5
net/netfilter/xt_osf.c
+5
-5
net/netfilter/xt_osf.c
···
201
201
unsigned char opts[MAX_IPOPTLEN];
202
202
const struct xt_osf_finger *kf;
203
203
const struct xt_osf_user_finger *f;
204
-
struct net *net = p->net;
204
+
struct net *net = xt_net(p);
205
205
206
206
if (!info)
207
207
return false;
···
326
326
fcount++;
327
327
328
328
if (info->flags & XT_OSF_LOG)
329
-
nf_log_packet(net, p->family, p->hooknum, skb,
330
-
p->in, p->out, NULL,
329
+
nf_log_packet(net, xt_family(p), xt_hooknum(p), skb,
330
+
xt_in(p), xt_out(p), NULL,
331
331
"%s [%s:%s] : %pI4:%d -> %pI4:%d hops=%d\n",
332
332
f->genre, f->version, f->subtype,
333
333
&ip->saddr, ntohs(tcp->source),
···
341
341
rcu_read_unlock();
342
342
343
343
if (!fcount && (info->flags & XT_OSF_LOG))
344
-
nf_log_packet(net, p->family, p->hooknum, skb, p->in,
345
-
p->out, NULL,
344
+
nf_log_packet(net, xt_family(p), xt_hooknum(p), skb, xt_in(p),
345
+
xt_out(p), NULL,
346
346
"Remote OS is not known: %pI4:%u -> %pI4:%u\n",
347
347
&ip->saddr, ntohs(tcp->source),
348
348
&ip->daddr, ntohs(tcp->dest));
+1
-1
net/netfilter/xt_owner.c
+1
-1
net/netfilter/xt_owner.c
···
63
63
const struct xt_owner_match_info *info = par->matchinfo;
64
64
const struct file *filp;
65
65
struct sock *sk = skb_to_full_sk(skb);
66
-
struct net *net = par->net;
66
+
struct net *net = xt_net(par);
67
67
68
68
if (sk == NULL || sk->sk_socket == NULL)
69
69
return (info->match ^ info->invert) == 0;
+2
-2
net/netfilter/xt_pkttype.c
+2
-2
net/netfilter/xt_pkttype.c
···
30
30
31
31
if (skb->pkt_type != PACKET_LOOPBACK)
32
32
type = skb->pkt_type;
33
-
else if (par->family == NFPROTO_IPV4 &&
33
+
else if (xt_family(par) == NFPROTO_IPV4 &&
34
34
ipv4_is_multicast(ip_hdr(skb)->daddr))
35
35
type = PACKET_MULTICAST;
36
-
else if (par->family == NFPROTO_IPV6 &&
36
+
else if (xt_family(par) == NFPROTO_IPV6 &&
37
37
ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF)
38
38
type = PACKET_MULTICAST;
39
39
else
+2
-2
net/netfilter/xt_policy.c
+2
-2
net/netfilter/xt_policy.c
···
116
116
int ret;
117
117
118
118
if (info->flags & XT_POLICY_MATCH_IN)
119
-
ret = match_policy_in(skb, info, par->family);
119
+
ret = match_policy_in(skb, info, xt_family(par));
120
120
else
121
-
ret = match_policy_out(skb, info, par->family);
121
+
ret = match_policy_out(skb, info, xt_family(par));
122
122
123
123
if (ret < 0)
124
124
ret = info->flags & XT_POLICY_MATCH_NONE ? true : false;
+5
-5
net/netfilter/xt_recent.c
+5
-5
net/netfilter/xt_recent.c
···
236
236
static bool
237
237
recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
238
238
{
239
-
struct net *net = par->net;
239
+
struct net *net = xt_net(par);
240
240
struct recent_net *recent_net = recent_pernet(net);
241
241
const struct xt_recent_mtinfo_v1 *info = par->matchinfo;
242
242
struct recent_table *t;
···
245
245
u_int8_t ttl;
246
246
bool ret = info->invert;
247
247
248
-
if (par->family == NFPROTO_IPV4) {
248
+
if (xt_family(par) == NFPROTO_IPV4) {
249
249
const struct iphdr *iph = ip_hdr(skb);
250
250
251
251
if (info->side == XT_RECENT_DEST)
···
266
266
}
267
267
268
268
/* use TTL as seen before forwarding */
269
-
if (par->out != NULL && skb->sk == NULL)
269
+
if (xt_out(par) != NULL && skb->sk == NULL)
270
270
ttl++;
271
271
272
272
spin_lock_bh(&recent_lock);
···
274
274
275
275
nf_inet_addr_mask(&addr, &addr_mask, &t->mask);
276
276
277
-
e = recent_entry_lookup(t, &addr_mask, par->family,
277
+
e = recent_entry_lookup(t, &addr_mask, xt_family(par),
278
278
(info->check_set & XT_RECENT_TTL) ? ttl : 0);
279
279
if (e == NULL) {
280
280
if (!(info->check_set & XT_RECENT_SET))
281
281
goto out;
282
-
e = recent_entry_init(t, &addr_mask, par->family, ttl);
282
+
e = recent_entry_init(t, &addr_mask, xt_family(par), ttl);
283
283
if (e == NULL)
284
284
par->hotdrop = true;
285
285
ret = !ret;
+13
-13
net/netfilter/xt_set.c
+13
-13
net/netfilter/xt_set.c
···
55
55
{
56
56
const struct xt_set_info_match_v0 *info = par->matchinfo;
57
57
58
-
ADT_OPT(opt, par->family, info->match_set.u.compat.dim,
58
+
ADT_OPT(opt, xt_family(par), info->match_set.u.compat.dim,
59
59
info->match_set.u.compat.flags, 0, UINT_MAX);
60
60
61
61
return match_set(info->match_set.index, skb, par, &opt,
···
118
118
{
119
119
const struct xt_set_info_match_v1 *info = par->matchinfo;
120
120
121
-
ADT_OPT(opt, par->family, info->match_set.dim,
121
+
ADT_OPT(opt, xt_family(par), info->match_set.dim,
122
122
info->match_set.flags, 0, UINT_MAX);
123
123
124
124
if (opt.flags & IPSET_RETURN_NOMATCH)
···
184
184
const struct xt_set_info_match_v3 *info = par->matchinfo;
185
185
int ret;
186
186
187
-
ADT_OPT(opt, par->family, info->match_set.dim,
187
+
ADT_OPT(opt, xt_family(par), info->match_set.dim,
188
188
info->match_set.flags, info->flags, UINT_MAX);
189
189
190
190
if (info->packets.op != IPSET_COUNTER_NONE ||
···
231
231
const struct xt_set_info_match_v4 *info = par->matchinfo;
232
232
int ret;
233
233
234
-
ADT_OPT(opt, par->family, info->match_set.dim,
234
+
ADT_OPT(opt, xt_family(par), info->match_set.dim,
235
235
info->match_set.flags, info->flags, UINT_MAX);
236
236
237
237
if (info->packets.op != IPSET_COUNTER_NONE ||
···
259
259
{
260
260
const struct xt_set_info_target_v0 *info = par->targinfo;
261
261
262
-
ADT_OPT(add_opt, par->family, info->add_set.u.compat.dim,
262
+
ADT_OPT(add_opt, xt_family(par), info->add_set.u.compat.dim,
263
263
info->add_set.u.compat.flags, 0, UINT_MAX);
264
-
ADT_OPT(del_opt, par->family, info->del_set.u.compat.dim,
264
+
ADT_OPT(del_opt, xt_family(par), info->del_set.u.compat.dim,
265
265
info->del_set.u.compat.flags, 0, UINT_MAX);
266
266
267
267
if (info->add_set.index != IPSET_INVALID_ID)
···
332
332
{
333
333
const struct xt_set_info_target_v1 *info = par->targinfo;
334
334
335
-
ADT_OPT(add_opt, par->family, info->add_set.dim,
335
+
ADT_OPT(add_opt, xt_family(par), info->add_set.dim,
336
336
info->add_set.flags, 0, UINT_MAX);
337
-
ADT_OPT(del_opt, par->family, info->del_set.dim,
337
+
ADT_OPT(del_opt, xt_family(par), info->del_set.dim,
338
338
info->del_set.flags, 0, UINT_MAX);
339
339
340
340
if (info->add_set.index != IPSET_INVALID_ID)
···
401
401
{
402
402
const struct xt_set_info_target_v2 *info = par->targinfo;
403
403
404
-
ADT_OPT(add_opt, par->family, info->add_set.dim,
404
+
ADT_OPT(add_opt, xt_family(par), info->add_set.dim,
405
405
info->add_set.flags, info->flags, info->timeout);
406
-
ADT_OPT(del_opt, par->family, info->del_set.dim,
406
+
ADT_OPT(del_opt, xt_family(par), info->del_set.dim,
407
407
info->del_set.flags, 0, UINT_MAX);
408
408
409
409
/* Normalize to fit into jiffies */
···
429
429
const struct xt_set_info_target_v3 *info = par->targinfo;
430
430
int ret;
431
431
432
-
ADT_OPT(add_opt, par->family, info->add_set.dim,
432
+
ADT_OPT(add_opt, xt_family(par), info->add_set.dim,
433
433
info->add_set.flags, info->flags, info->timeout);
434
-
ADT_OPT(del_opt, par->family, info->del_set.dim,
434
+
ADT_OPT(del_opt, xt_family(par), info->del_set.dim,
435
435
info->del_set.flags, 0, UINT_MAX);
436
-
ADT_OPT(map_opt, par->family, info->map_set.dim,
436
+
ADT_OPT(map_opt, xt_family(par), info->map_set.dim,
437
437
info->map_set.flags, 0, UINT_MAX);
438
438
439
439
/* Normalize to fit into jiffies */
+2
-2
net/netfilter/xt_socket.c
+2
-2
net/netfilter/xt_socket.c
···
57
57
struct sock *sk = skb->sk;
58
58
59
59
if (!sk)
60
-
sk = nf_sk_lookup_slow_v4(par->net, skb, par->in);
60
+
sk = nf_sk_lookup_slow_v4(xt_net(par), skb, xt_in(par));
61
61
if (sk) {
62
62
bool wildcard;
63
63
bool transparent = true;
···
114
114
struct sock *sk = skb->sk;
115
115
116
116
if (!sk)
117
-
sk = nf_sk_lookup_slow_v6(par->net, skb, par->in);
117
+
sk = nf_sk_lookup_slow_v6(xt_net(par), skb, xt_in(par));
118
118
if (sk) {
119
119
bool wildcard;
120
120
bool transparent = true;
+7
-5
net/sched/act_ipt.c
+7
-5
net/sched/act_ipt.c
···
213
213
int ret = 0, result = 0;
214
214
struct tcf_ipt *ipt = to_ipt(a);
215
215
struct xt_action_param par;
216
+
struct nf_hook_state state = {
217
+
.net = dev_net(skb->dev),
218
+
.in = skb->dev,
219
+
.hook = ipt->tcfi_hook,
220
+
.pf = NFPROTO_IPV4,
221
+
};
216
222
217
223
if (skb_unclone(skb, GFP_ATOMIC))
218
224
return TC_ACT_UNSPEC;
···
232
226
* worry later - danger - this API seems to have changed
233
227
* from earlier kernels
234
228
*/
235
-
par.net = dev_net(skb->dev);
236
-
par.in = skb->dev;
237
-
par.out = NULL;
238
-
par.hooknum = ipt->tcfi_hook;
229
+
par.state = &state;
239
230
par.target = ipt->tcfi_t->u.kernel.target;
240
231
par.targinfo = ipt->tcfi_t->data;
241
-
par.family = NFPROTO_IPV4;
242
232
ret = par.target->target(skb, &par);
243
233
244
234
switch (ret) {
+9
-8
net/sched/em_ipset.c
+9
-8
net/sched/em_ipset.c
···
57
57
struct xt_action_param acpar;
58
58
const struct xt_set_info *set = (const void *) em->data;
59
59
struct net_device *dev, *indev = NULL;
60
+
struct nf_hook_state state = {
61
+
.net = em->net,
62
+
};
60
63
int ret, network_offset;
61
64
62
65
switch (tc_skb_protocol(skb)) {
63
66
case htons(ETH_P_IP):
64
-
acpar.family = NFPROTO_IPV4;
67
+
state.pf = NFPROTO_IPV4;
65
68
if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))
66
69
return 0;
67
70
acpar.thoff = ip_hdrlen(skb);
68
71
break;
69
72
case htons(ETH_P_IPV6):
70
-
acpar.family = NFPROTO_IPV6;
73
+
state.pf = NFPROTO_IPV6;
71
74
if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))
72
75
return 0;
73
76
/* doesn't call ipv6_find_hdr() because ipset doesn't use thoff, yet */
···
80
77
return 0;
81
78
}
82
79
83
-
acpar.hooknum = 0;
84
-
85
-
opt.family = acpar.family;
80
+
opt.family = state.pf;
86
81
opt.dim = set->dim;
87
82
opt.flags = set->flags;
88
83
opt.cmdflags = 0;
···
96
95
if (skb->skb_iif)
97
96
indev = dev_get_by_index_rcu(em->net, skb->skb_iif);
98
97
99
-
acpar.net = em->net;
100
-
acpar.in = indev ? indev : dev;
101
-
acpar.out = dev;
98
+
state.in = indev ? indev : dev;
99
+
state.out = dev;
100
+
acpar.state = &state;
102
101
103
102
ret = ip_set_test(set->index, skb, &acpar, &opt);
104
103