tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
inet netfilter: Remove hook from ip6t_do_table, arp_do_table, ipt_do_table
The values of ops->hooknum and state->hook are guaraneted to be equal
making the hook argument to ip6t_do_table, arp_do_table, and
ipt_do_table is unnecessary. Remove the unnecessary hook argument.
In the callers use state->hook instead of ops->hooknum for clarity and
to reduce the number of cachelines the callers touch.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
authored by
Eric W. Biederman
and committed by
Pablo Neira Ayuso
6cb8ff3f
97b59c3a
+25
-41
-1
include/linux/netfilter_arp/arp_tables.h
-1
include/linux/netfilter_arp/arp_tables.h
-1
include/linux/netfilter_ipv4/ip_tables.h
-1
include/linux/netfilter_ipv4/ip_tables.h
-1
include/linux/netfilter_ipv6/ip6_tables.h
-1
include/linux/netfilter_ipv6/ip6_tables.h
+1
-1
net/ipv4/netfilter/arp_tables.c
+1
-1
net/ipv4/netfilter/arp_tables.c
···
247
247
}
248
248
249
249
unsigned int arpt_do_table(struct sk_buff *skb,
250
-
unsigned int hook,
251
250
const struct nf_hook_state *state,
252
251
struct xt_table *table)
253
252
{
253
+
unsigned int hook = state->hook;
254
254
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
255
255
unsigned int verdict = NF_DROP;
256
256
const struct arphdr *arp;
+1
-2
net/ipv4/netfilter/arptable_filter.c
+1
-2
net/ipv4/netfilter/arptable_filter.c
···
30
30
arptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
31
31
const struct nf_hook_state *state)
32
32
{
33
-
return arpt_do_table(skb, ops->hooknum, state,
34
-
state->net->ipv4.arptable_filter);
33
+
return arpt_do_table(skb, state, state->net->ipv4.arptable_filter);
35
34
}
36
35
37
36
static struct nf_hook_ops *arpfilter_ops __read_mostly;
+1
-1
net/ipv4/netfilter/ip_tables.c
+1
-1
net/ipv4/netfilter/ip_tables.c
···
285
285
/* Returns one of the generic firewall policies, like NF_ACCEPT. */
286
286
unsigned int
287
287
ipt_do_table(struct sk_buff *skb,
288
-
unsigned int hook,
289
288
const struct nf_hook_state *state,
290
289
struct xt_table *table)
291
290
{
291
+
unsigned int hook = state->hook;
292
292
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
293
293
const struct iphdr *ip;
294
294
/* Initializing verdict to NF_DROP keeps gcc happy. */
+2
-3
net/ipv4/netfilter/iptable_filter.c
+2
-3
net/ipv4/netfilter/iptable_filter.c
···
36
36
iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
37
37
const struct nf_hook_state *state)
38
38
{
39
-
if (ops->hooknum == NF_INET_LOCAL_OUT &&
39
+
if (state->hook == NF_INET_LOCAL_OUT &&
40
40
(skb->len < sizeof(struct iphdr) ||
41
41
ip_hdrlen(skb) < sizeof(struct iphdr)))
42
42
/* root is playing with raw sockets. */
43
43
return NF_ACCEPT;
44
44
45
-
return ipt_do_table(skb, ops->hooknum, state,
46
-
state->net->ipv4.iptable_filter);
45
+
return ipt_do_table(skb, state, state->net->ipv4.iptable_filter);
47
46
}
48
47
49
48
static struct nf_hook_ops *filter_ops __read_mostly;
+5
-7
net/ipv4/netfilter/iptable_mangle.c
+5
-7
net/ipv4/netfilter/iptable_mangle.c
···
58
58
daddr = iph->daddr;
59
59
tos = iph->tos;
60
60
61
-
ret = ipt_do_table(skb, NF_INET_LOCAL_OUT, state,
62
-
state->net->ipv4.iptable_mangle);
61
+
ret = ipt_do_table(skb, state, state->net->ipv4.iptable_mangle);
63
62
/* Reroute for ANY change. */
64
63
if (ret != NF_DROP && ret != NF_STOLEN) {
65
64
iph = ip_hdr(skb);
···
82
83
struct sk_buff *skb,
83
84
const struct nf_hook_state *state)
84
85
{
85
-
if (ops->hooknum == NF_INET_LOCAL_OUT)
86
+
if (state->hook == NF_INET_LOCAL_OUT)
86
87
return ipt_mangle_out(skb, state);
87
-
if (ops->hooknum == NF_INET_POST_ROUTING)
88
-
return ipt_do_table(skb, ops->hooknum, state,
88
+
if (state->hook == NF_INET_POST_ROUTING)
89
+
return ipt_do_table(skb, state,
89
90
state->net->ipv4.iptable_mangle);
90
91
/* PREROUTING/INPUT/FORWARD: */
91
-
return ipt_do_table(skb, ops->hooknum, state,
92
-
state->net->ipv4.iptable_mangle);
92
+
return ipt_do_table(skb, state, state->net->ipv4.iptable_mangle);
93
93
}
94
94
95
95
static struct nf_hook_ops *mangle_ops __read_mostly;
+1
-2
net/ipv4/netfilter/iptable_nat.c
+1
-2
net/ipv4/netfilter/iptable_nat.c
···
33
33
const struct nf_hook_state *state,
34
34
struct nf_conn *ct)
35
35
{
36
-
return ipt_do_table(skb, ops->hooknum, state,
37
-
state->net->ipv4.nat_table);
36
+
return ipt_do_table(skb, state, state->net->ipv4.nat_table);
38
37
}
39
38
40
39
static unsigned int iptable_nat_ipv4_fn(const struct nf_hook_ops *ops,
+2
-3
net/ipv4/netfilter/iptable_raw.c
+2
-3
net/ipv4/netfilter/iptable_raw.c
···
23
23
iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
24
24
const struct nf_hook_state *state)
25
25
{
26
-
if (ops->hooknum == NF_INET_LOCAL_OUT &&
26
+
if (state->hook == NF_INET_LOCAL_OUT &&
27
27
(skb->len < sizeof(struct iphdr) ||
28
28
ip_hdrlen(skb) < sizeof(struct iphdr)))
29
29
/* root is playing with raw sockets. */
30
30
return NF_ACCEPT;
31
31
32
-
return ipt_do_table(skb, ops->hooknum, state,
33
-
state->net->ipv4.iptable_raw);
32
+
return ipt_do_table(skb, state, state->net->ipv4.iptable_raw);
34
33
}
35
34
36
35
static struct nf_hook_ops *rawtable_ops __read_mostly;
+2
-3
net/ipv4/netfilter/iptable_security.c
+2
-3
net/ipv4/netfilter/iptable_security.c
···
40
40
iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
41
41
const struct nf_hook_state *state)
42
42
{
43
-
if (ops->hooknum == NF_INET_LOCAL_OUT &&
43
+
if (state->hook == NF_INET_LOCAL_OUT &&
44
44
(skb->len < sizeof(struct iphdr) ||
45
45
ip_hdrlen(skb) < sizeof(struct iphdr)))
46
46
/* Somebody is playing with raw sockets. */
47
47
return NF_ACCEPT;
48
48
49
-
return ipt_do_table(skb, ops->hooknum, state,
50
-
state->net->ipv4.iptable_security);
49
+
return ipt_do_table(skb, state, state->net->ipv4.iptable_security);
51
50
}
52
51
53
52
static struct nf_hook_ops *sectbl_ops __read_mostly;
+1
-1
net/ipv6/netfilter/ip6_tables.c
+1
-1
net/ipv6/netfilter/ip6_tables.c
···
314
314
/* Returns one of the generic firewall policies, like NF_ACCEPT. */
315
315
unsigned int
316
316
ip6t_do_table(struct sk_buff *skb,
317
-
unsigned int hook,
318
317
const struct nf_hook_state *state,
319
318
struct xt_table *table)
320
319
{
320
+
unsigned int hook = state->hook;
321
321
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
322
322
/* Initializing verdict to NF_DROP keeps gcc happy. */
323
323
unsigned int verdict = NF_DROP;
+1
-2
net/ipv6/netfilter/ip6table_filter.c
+1
-2
net/ipv6/netfilter/ip6table_filter.c
···
35
35
ip6table_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
36
36
const struct nf_hook_state *state)
37
37
{
38
-
return ip6t_do_table(skb, ops->hooknum, state,
39
-
state->net->ipv6.ip6table_filter);
38
+
return ip6t_do_table(skb, state, state->net->ipv6.ip6table_filter);
40
39
}
41
40
42
41
static struct nf_hook_ops *filter_ops __read_mostly;
+5
-7
net/ipv6/netfilter/ip6table_mangle.c
+5
-7
net/ipv6/netfilter/ip6table_mangle.c
···
57
57
/* flowlabel and prio (includes version, which shouldn't change either */
58
58
flowlabel = *((u_int32_t *)ipv6_hdr(skb));
59
59
60
-
ret = ip6t_do_table(skb, NF_INET_LOCAL_OUT, state,
61
-
state->net->ipv6.ip6table_mangle);
60
+
ret = ip6t_do_table(skb, state, state->net->ipv6.ip6table_mangle);
62
61
63
62
if (ret != NF_DROP && ret != NF_STOLEN &&
64
63
(!ipv6_addr_equal(&ipv6_hdr(skb)->saddr, &saddr) ||
···
78
79
ip6table_mangle_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
79
80
const struct nf_hook_state *state)
80
81
{
81
-
if (ops->hooknum == NF_INET_LOCAL_OUT)
82
+
if (state->hook == NF_INET_LOCAL_OUT)
82
83
return ip6t_mangle_out(skb, state);
83
-
if (ops->hooknum == NF_INET_POST_ROUTING)
84
-
return ip6t_do_table(skb, ops->hooknum, state,
84
+
if (state->hook == NF_INET_POST_ROUTING)
85
+
return ip6t_do_table(skb, state,
85
86
state->net->ipv6.ip6table_mangle);
86
87
/* INPUT/FORWARD */
87
-
return ip6t_do_table(skb, ops->hooknum, state,
88
-
state->net->ipv6.ip6table_mangle);
88
+
return ip6t_do_table(skb, state, state->net->ipv6.ip6table_mangle);
89
89
}
90
90
91
91
static struct nf_hook_ops *mangle_ops __read_mostly;
+1
-2
net/ipv6/netfilter/ip6table_nat.c
+1
-2
net/ipv6/netfilter/ip6table_nat.c
···
35
35
const struct nf_hook_state *state,
36
36
struct nf_conn *ct)
37
37
{
38
-
return ip6t_do_table(skb, ops->hooknum, state,
39
-
state->net->ipv6.ip6table_nat);
38
+
return ip6t_do_table(skb, state, state->net->ipv6.ip6table_nat);
40
39
}
41
40
42
41
static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops,
+1
-2
net/ipv6/netfilter/ip6table_raw.c
+1
-2
net/ipv6/netfilter/ip6table_raw.c
···
22
22
ip6table_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
23
23
const struct nf_hook_state *state)
24
24
{
25
-
return ip6t_do_table(skb, ops->hooknum, state,
26
-
state->net->ipv6.ip6table_raw);
25
+
return ip6t_do_table(skb, state, state->net->ipv6.ip6table_raw);
27
26
}
28
27
29
28
static struct nf_hook_ops *rawtable_ops __read_mostly;
+1
-2
net/ipv6/netfilter/ip6table_security.c
+1
-2
net/ipv6/netfilter/ip6table_security.c
···
39
39
ip6table_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
40
40
const struct nf_hook_state *state)
41
41
{
42
-
return ip6t_do_table(skb, ops->hooknum, state,
43
-
state->net->ipv6.ip6table_security);
42
+
return ip6t_do_table(skb, state, state->net->ipv6.ip6table_security);
44
43
}
45
44
46
45
static struct nf_hook_ops *sectbl_ops __read_mostly;