netfilter: pass hook ops to hookfn · tjh.dev/kernel@795aa6e

tjh.dev / kernel

fork atom

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

fork atom

netfilter: pass hook ops to hookfn

Pass the hook ops to the hookfn to allow for generic hook
functions. This change is required by nf_tables.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Patrick McHardy and committed by

Pablo Neira Ayuso 12 years ago 795aa6ef ccdbb6e9

+148 -122

26 changed files

expand all collapse all

include

linux

netfilter.h

net

bridge

br_netfilter.c

netfilter

ebtable_filter.c

ebtable_nat.c

decnet

netfilter

dn_rtmsg.c

ipv4

netfilter

arptable_filter.c

ipt_CLUSTERIP.c

ipt_SYNPROXY.c

iptable_filter.c

iptable_mangle.c

iptable_nat.c

iptable_raw.c

iptable_security.c

nf_conntrack_l3proto_ipv4.c

nf_defrag_ipv4.c

ipv6

netfilter

ip6t_SYNPROXY.c

ip6table_filter.c

ip6table_mangle.c

ip6table_nat.c

ip6table_raw.c

ip6table_security.c

nf_conntrack_l3proto_ipv6.c

nf_defrag_ipv6_hooks.c

netfilter

core.c

ipvs

ip_vs_core.c

security

selinux

hooks.c

+2 -1

include/linux/netfilter.h

reviewed

··· 42 42 43 43 struct sk_buff; 44 44 45 45 - typedef unsigned int nf_hookfn(unsigned int hooknum, 45 45 + struct nf_hook_ops; 46 46 + typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops, 46 47 struct sk_buff *skb, 47 48 const struct net_device *in, 48 49 const struct net_device *out,

+14 -8

net/bridge/br_netfilter.c

reviewed

··· 619 619 620 620 /* Replicate the checks that IPv6 does on packet reception and pass the packet 621 621 * to ip6tables, which doesn't support NAT, so things are fairly simple. */ 622 622 - static unsigned int br_nf_pre_routing_ipv6(unsigned int hook, 622 622 + static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops, 623 623 struct sk_buff *skb, 624 624 const struct net_device *in, 625 625 const struct net_device *out, ··· 669 669 * receiving device) to make netfilter happy, the REDIRECT 670 670 * target in particular. Save the original destination IP 671 671 * address to be able to detect DNAT afterwards. */ 672 672 - static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb, 672 672 + static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops, 673 673 + struct sk_buff *skb, 673 674 const struct net_device *in, 674 675 const struct net_device *out, 675 676 int (*okfn)(struct sk_buff *)) ··· 692 691 return NF_ACCEPT; 693 692 694 693 nf_bridge_pull_encap_header_rcsum(skb); 695 695 - return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn); 694 694 + return br_nf_pre_routing_ipv6(ops, skb, in, out, okfn); 696 695 } 697 696 698 697 if (!brnf_call_iptables && !br->nf_call_iptables) ··· 728 727 * took place when the packet entered the bridge), but we 729 728 * register an IPv4 PRE_ROUTING 'sabotage' hook that will 730 729 * prevent this from happening. */ 731 731 - static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff *skb, 730 730 + static unsigned int br_nf_local_in(const struct nf_hook_ops *ops, 731 731 + struct sk_buff *skb, 732 732 const struct net_device *in, 733 733 const struct net_device *out, 734 734 int (*okfn)(struct sk_buff *)) ··· 767 765 * but we are still able to filter on the 'real' indev/outdev 768 766 * because of the physdev module. For ARP, indev and outdev are the 769 767 * bridge ports. */ 770 770 - static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb, 768 768 + static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops, 769 769 + struct sk_buff *skb, 771 770 const struct net_device *in, 772 771 const struct net_device *out, 773 772 int (*okfn)(struct sk_buff *)) ··· 821 818 return NF_STOLEN; 822 819 } 823 820 824 824 - static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb, 821 821 + static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops, 822 822 + struct sk_buff *skb, 825 823 const struct net_device *in, 826 824 const struct net_device *out, 827 825 int (*okfn)(struct sk_buff *)) ··· 882 878 #endif 883 879 884 880 /* PF_BRIDGE/POST_ROUTING ********************************************/ 885 885 - static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb, 881 881 + static unsigned int br_nf_post_routing(const struct nf_hook_ops *ops, 882 882 + struct sk_buff *skb, 886 883 const struct net_device *in, 887 884 const struct net_device *out, 888 885 int (*okfn)(struct sk_buff *)) ··· 928 923 /* IP/SABOTAGE *****************************************************/ 929 924 /* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING 930 925 * for the second time. */ 931 931 - static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb, 926 926 + static unsigned int ip_sabotage_in(const struct nf_hook_ops *ops, 927 927 + struct sk_buff *skb, 932 928 const struct net_device *in, 933 929 const struct net_device *out, 934 930 int (*okfn)(struct sk_buff *))

+10 -6

net/bridge/netfilter/ebtable_filter.c

reviewed

··· 60 60 }; 61 61 62 62 static unsigned int 63 63 - ebt_in_hook(unsigned int hook, struct sk_buff *skb, const struct net_device *in, 64 64 - const struct net_device *out, int (*okfn)(struct sk_buff *)) 63 63 + ebt_in_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 64 64 + const struct net_device *in, const struct net_device *out, 65 65 + int (*okfn)(struct sk_buff *)) 65 66 { 66 66 - return ebt_do_table(hook, skb, in, out, dev_net(in)->xt.frame_filter); 67 67 + return ebt_do_table(ops->hooknum, skb, in, out, 68 68 + dev_net(in)->xt.frame_filter); 67 69 } 68 70 69 71 static unsigned int 70 70 - ebt_out_hook(unsigned int hook, struct sk_buff *skb, const struct net_device *in, 71 71 - const struct net_device *out, int (*okfn)(struct sk_buff *)) 72 72 + ebt_out_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 73 73 + const struct net_device *in, const struct net_device *out, 74 74 + int (*okfn)(struct sk_buff *)) 72 75 { 73 73 - return ebt_do_table(hook, skb, in, out, dev_net(out)->xt.frame_filter); 76 76 + return ebt_do_table(ops->hooknum, skb, in, out, 77 77 + dev_net(out)->xt.frame_filter); 74 78 } 75 79 76 80 static struct nf_hook_ops ebt_ops_filter[] __read_mostly = {

+10 -6

net/bridge/netfilter/ebtable_nat.c

reviewed

··· 60 60 }; 61 61 62 62 static unsigned int 63 63 - ebt_nat_in(unsigned int hook, struct sk_buff *skb, const struct net_device *in 64 64 - , const struct net_device *out, int (*okfn)(struct sk_buff *)) 63 63 + ebt_nat_in(const struct nf_hook_ops *ops, struct sk_buff *skb, 64 64 + const struct net_device *in, const struct net_device *out, 65 65 + int (*okfn)(struct sk_buff *)) 65 66 { 66 66 - return ebt_do_table(hook, skb, in, out, dev_net(in)->xt.frame_nat); 67 67 + return ebt_do_table(ops->hooknum, skb, in, out, 68 68 + dev_net(in)->xt.frame_nat); 67 69 } 68 70 69 71 static unsigned int 70 70 - ebt_nat_out(unsigned int hook, struct sk_buff *skb, const struct net_device *in 71 71 - , const struct net_device *out, int (*okfn)(struct sk_buff *)) 72 72 + ebt_nat_out(const struct nf_hook_ops *ops, struct sk_buff *skb, 73 73 + const struct net_device *in, const struct net_device *out, 74 74 + int (*okfn)(struct sk_buff *)) 72 75 { 73 73 - return ebt_do_table(hook, skb, in, out, dev_net(out)->xt.frame_nat); 76 76 + return ebt_do_table(ops->hooknum, skb, in, out, 77 77 + dev_net(out)->xt.frame_nat); 74 78 } 75 79 76 80 static struct nf_hook_ops ebt_ops_nat[] __read_mostly = {

+1 -1

net/decnet/netfilter/dn_rtmsg.c

reviewed

··· 87 87 } 88 88 89 89 90 90 - static unsigned int dnrmg_hook(unsigned int hook, 90 90 + static unsigned int dnrmg_hook(const struct nf_hook_ops *ops, 91 91 struct sk_buff *skb, 92 92 const struct net_device *in, 93 93 const struct net_device *out,

+3 -2

net/ipv4/netfilter/arptable_filter.c

reviewed

··· 27 27 28 28 /* The work comes in here from netfilter.c */ 29 29 static unsigned int 30 30 - arptable_filter_hook(unsigned int hook, struct sk_buff *skb, 30 30 + arptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 31 31 const struct net_device *in, const struct net_device *out, 32 32 int (*okfn)(struct sk_buff *)) 33 33 { 34 34 const struct net *net = dev_net((in != NULL) ? in : out); 35 35 36 36 - return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter); 36 36 + return arpt_do_table(skb, ops->hooknum, in, out, 37 37 + net->ipv4.arptable_filter); 37 38 } 38 39 39 40 static struct nf_hook_ops *arpfilter_ops __read_mostly;

+1 -1

net/ipv4/netfilter/ipt_CLUSTERIP.c

reviewed

··· 483 483 #endif 484 484 485 485 static unsigned int 486 486 - arp_mangle(unsigned int hook, 486 486 + arp_mangle(const struct nf_hook_ops *ops, 487 487 struct sk_buff *skb, 488 488 const struct net_device *in, 489 489 const struct net_device *out,

+1 -1

net/ipv4/netfilter/ipt_SYNPROXY.c

reviewed

··· 297 297 return XT_CONTINUE; 298 298 } 299 299 300 300 - static unsigned int ipv4_synproxy_hook(unsigned int hooknum, 300 300 + static unsigned int ipv4_synproxy_hook(const struct nf_hook_ops *ops, 301 301 struct sk_buff *skb, 302 302 const struct net_device *in, 303 303 const struct net_device *out,

+4 -3

net/ipv4/netfilter/iptable_filter.c

reviewed

··· 33 33 }; 34 34 35 35 static unsigned int 36 36 - iptable_filter_hook(unsigned int hook, struct sk_buff *skb, 36 36 + iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 37 37 const struct net_device *in, const struct net_device *out, 38 38 int (*okfn)(struct sk_buff *)) 39 39 { 40 40 const struct net *net; 41 41 42 42 - if (hook == NF_INET_LOCAL_OUT && 42 42 + if (ops->hooknum == NF_INET_LOCAL_OUT && 43 43 (skb->len < sizeof(struct iphdr) || 44 44 ip_hdrlen(skb) < sizeof(struct iphdr))) 45 45 /* root is playing with raw sockets. */ 46 46 return NF_ACCEPT; 47 47 48 48 net = dev_net((in != NULL) ? in : out); 49 49 - return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter); 49 49 + return ipt_do_table(skb, ops->hooknum, in, out, 50 50 + net->ipv4.iptable_filter); 50 51 } 51 52 52 53 static struct nf_hook_ops *filter_ops __read_mostly;

+5 -5

net/ipv4/netfilter/iptable_mangle.c

reviewed

··· 79 79 80 80 /* The work comes in here from netfilter.c. */ 81 81 static unsigned int 82 82 - iptable_mangle_hook(unsigned int hook, 82 82 + iptable_mangle_hook(const struct nf_hook_ops *ops, 83 83 struct sk_buff *skb, 84 84 const struct net_device *in, 85 85 const struct net_device *out, 86 86 int (*okfn)(struct sk_buff *)) 87 87 { 88 88 - if (hook == NF_INET_LOCAL_OUT) 88 88 + if (ops->hooknum == NF_INET_LOCAL_OUT) 89 89 return ipt_mangle_out(skb, out); 90 90 - if (hook == NF_INET_POST_ROUTING) 91 91 - return ipt_do_table(skb, hook, in, out, 90 90 + if (ops->hooknum == NF_INET_POST_ROUTING) 91 91 + return ipt_do_table(skb, ops->hooknum, in, out, 92 92 dev_net(out)->ipv4.iptable_mangle); 93 93 /* PREROUTING/INPUT/FORWARD: */ 94 94 - return ipt_do_table(skb, hook, in, out, 94 94 + return ipt_do_table(skb, ops->hooknum, in, out, 95 95 dev_net(in)->ipv4.iptable_mangle); 96 96 } 97 97

+13 -13

net/ipv4/netfilter/iptable_nat.c

reviewed

··· 61 61 } 62 62 63 63 static unsigned int 64 64 - nf_nat_ipv4_fn(unsigned int hooknum, 64 64 + nf_nat_ipv4_fn(const struct nf_hook_ops *ops, 65 65 struct sk_buff *skb, 66 66 const struct net_device *in, 67 67 const struct net_device *out, ··· 71 71 enum ip_conntrack_info ctinfo; 72 72 struct nf_conn_nat *nat; 73 73 /* maniptype == SRC for postrouting. */ 74 74 - enum nf_nat_manip_type maniptype = HOOK2MANIP(hooknum); 74 74 + enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum); 75 75 76 76 /* We never see fragments: conntrack defrags on pre-routing 77 77 * and local-out, and nf_nat_out protects post-routing. ··· 108 108 case IP_CT_RELATED_REPLY: 109 109 if (ip_hdr(skb)->protocol == IPPROTO_ICMP) { 110 110 if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, 111 111 - hooknum)) 111 111 + ops->hooknum)) 112 112 return NF_DROP; 113 113 else 114 114 return NF_ACCEPT; ··· 121 121 if (!nf_nat_initialized(ct, maniptype)) { 122 122 unsigned int ret; 123 123 124 124 - ret = nf_nat_rule_find(skb, hooknum, in, out, ct); 124 124 + ret = nf_nat_rule_find(skb, ops->hooknum, in, out, ct); 125 125 if (ret != NF_ACCEPT) 126 126 return ret; 127 127 } else { 128 128 pr_debug("Already setup manip %s for ct %p\n", 129 129 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", 130 130 ct); 131 131 - if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) 131 131 + if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) 132 132 goto oif_changed; 133 133 } 134 134 break; ··· 137 137 /* ESTABLISHED */ 138 138 NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || 139 139 ctinfo == IP_CT_ESTABLISHED_REPLY); 140 140 - if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) 140 140 + if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) 141 141 goto oif_changed; 142 142 } 143 143 144 144 - return nf_nat_packet(ct, ctinfo, hooknum, skb); 144 144 + return nf_nat_packet(ct, ctinfo, ops->hooknum, skb); 145 145 146 146 oif_changed: 147 147 nf_ct_kill_acct(ct, ctinfo, skb); ··· 149 149 } 150 150 151 151 static unsigned int 152 152 - nf_nat_ipv4_in(unsigned int hooknum, 152 152 + nf_nat_ipv4_in(const struct nf_hook_ops *ops, 153 153 struct sk_buff *skb, 154 154 const struct net_device *in, 155 155 const struct net_device *out, ··· 158 158 unsigned int ret; 159 159 __be32 daddr = ip_hdr(skb)->daddr; 160 160 161 161 - ret = nf_nat_ipv4_fn(hooknum, skb, in, out, okfn); 161 161 + ret = nf_nat_ipv4_fn(ops, skb, in, out, okfn); 162 162 if (ret != NF_DROP && ret != NF_STOLEN && 163 163 daddr != ip_hdr(skb)->daddr) 164 164 skb_dst_drop(skb); ··· 167 167 } 168 168 169 169 static unsigned int 170 170 - nf_nat_ipv4_out(unsigned int hooknum, 170 170 + nf_nat_ipv4_out(const struct nf_hook_ops *ops, 171 171 struct sk_buff *skb, 172 172 const struct net_device *in, 173 173 const struct net_device *out, ··· 185 185 ip_hdrlen(skb) < sizeof(struct iphdr)) 186 186 return NF_ACCEPT; 187 187 188 188 - ret = nf_nat_ipv4_fn(hooknum, skb, in, out, okfn); 188 188 + ret = nf_nat_ipv4_fn(ops, skb, in, out, okfn); 189 189 #ifdef CONFIG_XFRM 190 190 if (ret != NF_DROP && ret != NF_STOLEN && 191 191 !(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) && ··· 207 207 } 208 208 209 209 static unsigned int 210 210 - nf_nat_ipv4_local_fn(unsigned int hooknum, 210 210 + nf_nat_ipv4_local_fn(const struct nf_hook_ops *ops, 211 211 struct sk_buff *skb, 212 212 const struct net_device *in, 213 213 const struct net_device *out, ··· 223 223 ip_hdrlen(skb) < sizeof(struct iphdr)) 224 224 return NF_ACCEPT; 225 225 226 226 - ret = nf_nat_ipv4_fn(hooknum, skb, in, out, okfn); 226 226 + ret = nf_nat_ipv4_fn(ops, skb, in, out, okfn); 227 227 if (ret != NF_DROP && ret != NF_STOLEN && 228 228 (ct = nf_ct_get(skb, &ctinfo)) != NULL) { 229 229 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);

+3 -3

net/ipv4/netfilter/iptable_raw.c

reviewed

··· 20 20 21 21 /* The work comes in here from netfilter.c. */ 22 22 static unsigned int 23 23 - iptable_raw_hook(unsigned int hook, struct sk_buff *skb, 23 23 + iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 24 24 const struct net_device *in, const struct net_device *out, 25 25 int (*okfn)(struct sk_buff *)) 26 26 { 27 27 const struct net *net; 28 28 29 29 - if (hook == NF_INET_LOCAL_OUT && 29 29 + if (ops->hooknum == NF_INET_LOCAL_OUT && 30 30 (skb->len < sizeof(struct iphdr) || 31 31 ip_hdrlen(skb) < sizeof(struct iphdr))) 32 32 /* root is playing with raw sockets. */ 33 33 return NF_ACCEPT; 34 34 35 35 net = dev_net((in != NULL) ? in : out); 36 36 - return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw); 36 36 + return ipt_do_table(skb, ops->hooknum, in, out, net->ipv4.iptable_raw); 37 37 } 38 38 39 39 static struct nf_hook_ops *rawtable_ops __read_mostly;

+4 -3

net/ipv4/netfilter/iptable_security.c

reviewed

··· 37 37 }; 38 38 39 39 static unsigned int 40 40 - iptable_security_hook(unsigned int hook, struct sk_buff *skb, 40 40 + iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 41 41 const struct net_device *in, 42 42 const struct net_device *out, 43 43 int (*okfn)(struct sk_buff *)) 44 44 { 45 45 const struct net *net; 46 46 47 47 - if (hook == NF_INET_LOCAL_OUT && 47 47 + if (ops->hooknum == NF_INET_LOCAL_OUT && 48 48 (skb->len < sizeof(struct iphdr) || 49 49 ip_hdrlen(skb) < sizeof(struct iphdr))) 50 50 /* Somebody is playing with raw sockets. */ 51 51 return NF_ACCEPT; 52 52 53 53 net = dev_net((in != NULL) ? in : out); 54 54 - return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security); 54 54 + return ipt_do_table(skb, ops->hooknum, in, out, 55 55 + net->ipv4.iptable_security); 55 56 } 56 57 57 58 static struct nf_hook_ops *sectbl_ops __read_mostly;

+6 -6

net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c

reviewed

··· 92 92 return NF_ACCEPT; 93 93 } 94 94 95 95 - static unsigned int ipv4_helper(unsigned int hooknum, 95 95 + static unsigned int ipv4_helper(const struct nf_hook_ops *ops, 96 96 struct sk_buff *skb, 97 97 const struct net_device *in, 98 98 const struct net_device *out, ··· 121 121 ct, ctinfo); 122 122 } 123 123 124 124 - static unsigned int ipv4_confirm(unsigned int hooknum, 124 124 + static unsigned int ipv4_confirm(const struct nf_hook_ops *ops, 125 125 struct sk_buff *skb, 126 126 const struct net_device *in, 127 127 const struct net_device *out, ··· 147 147 return nf_conntrack_confirm(skb); 148 148 } 149 149 150 150 - static unsigned int ipv4_conntrack_in(unsigned int hooknum, 150 150 + static unsigned int ipv4_conntrack_in(const struct nf_hook_ops *ops, 151 151 struct sk_buff *skb, 152 152 const struct net_device *in, 153 153 const struct net_device *out, 154 154 int (*okfn)(struct sk_buff *)) 155 155 { 156 156 - return nf_conntrack_in(dev_net(in), PF_INET, hooknum, skb); 156 156 + return nf_conntrack_in(dev_net(in), PF_INET, ops->hooknum, skb); 157 157 } 158 158 159 159 - static unsigned int ipv4_conntrack_local(unsigned int hooknum, 159 159 + static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops, 160 160 struct sk_buff *skb, 161 161 const struct net_device *in, 162 162 const struct net_device *out, ··· 166 166 if (skb->len < sizeof(struct iphdr) || 167 167 ip_hdrlen(skb) < sizeof(struct iphdr)) 168 168 return NF_ACCEPT; 169 169 - return nf_conntrack_in(dev_net(out), PF_INET, hooknum, skb); 169 169 + return nf_conntrack_in(dev_net(out), PF_INET, ops->hooknum, skb); 170 170 } 171 171 172 172 /* Connection tracking may drop packets, but never alters them, so

+4 -2

net/ipv4/netfilter/nf_defrag_ipv4.c

reviewed

··· 60 60 return IP_DEFRAG_CONNTRACK_OUT + zone; 61 61 } 62 62 63 63 - static unsigned int ipv4_conntrack_defrag(unsigned int hooknum, 63 63 + static unsigned int ipv4_conntrack_defrag(const struct nf_hook_ops *ops, 64 64 struct sk_buff *skb, 65 65 const struct net_device *in, 66 66 const struct net_device *out, ··· 83 83 #endif 84 84 /* Gather fragments. */ 85 85 if (ip_is_fragment(ip_hdr(skb))) { 86 86 - enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb); 86 86 + enum ip_defrag_users user = 87 87 + nf_ct_defrag_user(ops->hooknum, skb); 88 88 + 87 89 if (nf_ct_ipv4_gather_frags(skb, user)) 88 90 return NF_STOLEN; 89 91 }

+1 -1

net/ipv6/netfilter/ip6t_SYNPROXY.c

reviewed

··· 312 312 return XT_CONTINUE; 313 313 } 314 314 315 315 - static unsigned int ipv6_synproxy_hook(unsigned int hooknum, 315 315 + static unsigned int ipv6_synproxy_hook(const struct nf_hook_ops *ops, 316 316 struct sk_buff *skb, 317 317 const struct net_device *in, 318 318 const struct net_device *out,

+3 -2

net/ipv6/netfilter/ip6table_filter.c

reviewed

··· 32 32 33 33 /* The work comes in here from netfilter.c. */ 34 34 static unsigned int 35 35 - ip6table_filter_hook(unsigned int hook, struct sk_buff *skb, 35 35 + ip6table_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 36 36 const struct net_device *in, const struct net_device *out, 37 37 int (*okfn)(struct sk_buff *)) 38 38 { 39 39 const struct net *net = dev_net((in != NULL) ? in : out); 40 40 41 41 - return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter); 41 41 + return ip6t_do_table(skb, ops->hooknum, in, out, 42 42 + net->ipv6.ip6table_filter); 42 43 } 43 44 44 45 static struct nf_hook_ops *filter_ops __read_mostly;

+5 -5

net/ipv6/netfilter/ip6table_mangle.c

reviewed

··· 76 76 77 77 /* The work comes in here from netfilter.c. */ 78 78 static unsigned int 79 79 - ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb, 79 79 + ip6table_mangle_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 80 80 const struct net_device *in, const struct net_device *out, 81 81 int (*okfn)(struct sk_buff *)) 82 82 { 83 83 - if (hook == NF_INET_LOCAL_OUT) 83 83 + if (ops->hooknum == NF_INET_LOCAL_OUT) 84 84 return ip6t_mangle_out(skb, out); 85 85 - if (hook == NF_INET_POST_ROUTING) 86 86 - return ip6t_do_table(skb, hook, in, out, 85 85 + if (ops->hooknum == NF_INET_POST_ROUTING) 86 86 + return ip6t_do_table(skb, ops->hooknum, in, out, 87 87 dev_net(out)->ipv6.ip6table_mangle); 88 88 /* INPUT/FORWARD */ 89 89 - return ip6t_do_table(skb, hook, in, out, 89 89 + return ip6t_do_table(skb, ops->hooknum, in, out, 90 90 dev_net(in)->ipv6.ip6table_mangle); 91 91 } 92 92

+14 -13

net/ipv6/netfilter/ip6table_nat.c

reviewed

··· 63 63 } 64 64 65 65 static unsigned int 66 66 - nf_nat_ipv6_fn(unsigned int hooknum, 66 66 + nf_nat_ipv6_fn(const struct nf_hook_ops *ops, 67 67 struct sk_buff *skb, 68 68 const struct net_device *in, 69 69 const struct net_device *out, ··· 72 72 struct nf_conn *ct; 73 73 enum ip_conntrack_info ctinfo; 74 74 struct nf_conn_nat *nat; 75 75 - enum nf_nat_manip_type maniptype = HOOK2MANIP(hooknum); 75 75 + enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum); 76 76 __be16 frag_off; 77 77 int hdrlen; 78 78 u8 nexthdr; ··· 111 111 112 112 if (hdrlen >= 0 && nexthdr == IPPROTO_ICMPV6) { 113 113 if (!nf_nat_icmpv6_reply_translation(skb, ct, ctinfo, 114 114 - hooknum, hdrlen)) 114 114 + ops->hooknum, 115 115 + hdrlen)) 115 116 return NF_DROP; 116 117 else 117 118 return NF_ACCEPT; ··· 125 124 if (!nf_nat_initialized(ct, maniptype)) { 126 125 unsigned int ret; 127 126 128 128 - ret = nf_nat_rule_find(skb, hooknum, in, out, ct); 127 127 + ret = nf_nat_rule_find(skb, ops->hooknum, in, out, ct); 129 128 if (ret != NF_ACCEPT) 130 129 return ret; 131 130 } else { 132 131 pr_debug("Already setup manip %s for ct %p\n", 133 132 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", 134 133 ct); 135 135 - if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) 134 134 + if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) 136 135 goto oif_changed; 137 136 } 138 137 break; ··· 141 140 /* ESTABLISHED */ 142 141 NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || 143 142 ctinfo == IP_CT_ESTABLISHED_REPLY); 144 144 - if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) 143 143 + if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) 145 144 goto oif_changed; 146 145 } 147 146 148 148 - return nf_nat_packet(ct, ctinfo, hooknum, skb); 147 147 + return nf_nat_packet(ct, ctinfo, ops->hooknum, skb); 149 148 150 149 oif_changed: 151 150 nf_ct_kill_acct(ct, ctinfo, skb); ··· 153 152 } 154 153 155 154 static unsigned int 156 156 - nf_nat_ipv6_in(unsigned int hooknum, 155 155 + nf_nat_ipv6_in(const struct nf_hook_ops *ops, 157 156 struct sk_buff *skb, 158 157 const struct net_device *in, 159 158 const struct net_device *out, ··· 162 161 unsigned int ret; 163 162 struct in6_addr daddr = ipv6_hdr(skb)->daddr; 164 163 165 165 - ret = nf_nat_ipv6_fn(hooknum, skb, in, out, okfn); 164 164 + ret = nf_nat_ipv6_fn(ops, skb, in, out, okfn); 166 165 if (ret != NF_DROP && ret != NF_STOLEN && 167 166 ipv6_addr_cmp(&daddr, &ipv6_hdr(skb)->daddr)) 168 167 skb_dst_drop(skb); ··· 171 170 } 172 171 173 172 static unsigned int 174 174 - nf_nat_ipv6_out(unsigned int hooknum, 173 173 + nf_nat_ipv6_out(const struct nf_hook_ops *ops, 175 174 struct sk_buff *skb, 176 175 const struct net_device *in, 177 176 const struct net_device *out, ··· 188 187 if (skb->len < sizeof(struct ipv6hdr)) 189 188 return NF_ACCEPT; 190 189 191 191 - ret = nf_nat_ipv6_fn(hooknum, skb, in, out, okfn); 190 190 + ret = nf_nat_ipv6_fn(ops, skb, in, out, okfn); 192 191 #ifdef CONFIG_XFRM 193 192 if (ret != NF_DROP && ret != NF_STOLEN && 194 193 !(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && ··· 210 209 } 211 210 212 211 static unsigned int 213 213 - nf_nat_ipv6_local_fn(unsigned int hooknum, 212 212 + nf_nat_ipv6_local_fn(const struct nf_hook_ops *ops, 214 213 struct sk_buff *skb, 215 214 const struct net_device *in, 216 215 const struct net_device *out, ··· 225 224 if (skb->len < sizeof(struct ipv6hdr)) 226 225 return NF_ACCEPT; 227 226 228 228 - ret = nf_nat_ipv6_fn(hooknum, skb, in, out, okfn); 227 227 + ret = nf_nat_ipv6_fn(ops, skb, in, out, okfn); 229 228 if (ret != NF_DROP && ret != NF_STOLEN && 230 229 (ct = nf_ct_get(skb, &ctinfo)) != NULL) { 231 230 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);

+3 -2

net/ipv6/netfilter/ip6table_raw.c

reviewed

··· 19 19 20 20 /* The work comes in here from netfilter.c. */ 21 21 static unsigned int 22 22 - ip6table_raw_hook(unsigned int hook, struct sk_buff *skb, 22 22 + ip6table_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 23 23 const struct net_device *in, const struct net_device *out, 24 24 int (*okfn)(struct sk_buff *)) 25 25 { 26 26 const struct net *net = dev_net((in != NULL) ? in : out); 27 27 28 28 - return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_raw); 28 28 + return ip6t_do_table(skb, ops->hooknum, in, out, 29 29 + net->ipv6.ip6table_raw); 29 30 } 30 31 31 32 static struct nf_hook_ops *rawtable_ops __read_mostly;

+3 -2

net/ipv6/netfilter/ip6table_security.c

reviewed

··· 36 36 }; 37 37 38 38 static unsigned int 39 39 - ip6table_security_hook(unsigned int hook, struct sk_buff *skb, 39 39 + ip6table_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb, 40 40 const struct net_device *in, 41 41 const struct net_device *out, 42 42 int (*okfn)(struct sk_buff *)) 43 43 { 44 44 const struct net *net = dev_net((in != NULL) ? in : out); 45 45 46 46 - return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_security); 46 46 + return ip6t_do_table(skb, ops->hooknum, in, out, 47 47 + net->ipv6.ip6table_security); 47 48 } 48 49 49 50 static struct nf_hook_ops *sectbl_ops __read_mostly;

+8 -6

net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c

reviewed

··· 95 95 return NF_ACCEPT; 96 96 } 97 97 98 98 - static unsigned int ipv6_helper(unsigned int hooknum, 98 98 + static unsigned int ipv6_helper(const struct nf_hook_ops *ops, 99 99 struct sk_buff *skb, 100 100 const struct net_device *in, 101 101 const struct net_device *out, ··· 133 133 return helper->help(skb, protoff, ct, ctinfo); 134 134 } 135 135 136 136 - static unsigned int ipv6_confirm(unsigned int hooknum, 136 136 + static unsigned int ipv6_confirm(const struct nf_hook_ops *ops, 137 137 struct sk_buff *skb, 138 138 const struct net_device *in, 139 139 const struct net_device *out, ··· 219 219 return nf_conntrack_in(net, PF_INET6, hooknum, skb); 220 220 } 221 221 222 222 - static unsigned int ipv6_conntrack_in(unsigned int hooknum, 222 222 + static unsigned int ipv6_conntrack_in(const struct nf_hook_ops *ops, 223 223 struct sk_buff *skb, 224 224 const struct net_device *in, 225 225 const struct net_device *out, 226 226 int (*okfn)(struct sk_buff *)) 227 227 { 228 228 - return __ipv6_conntrack_in(dev_net(in), hooknum, skb, in, out, okfn); 228 228 + return __ipv6_conntrack_in(dev_net(in), ops->hooknum, skb, in, out, 229 229 + okfn); 229 230 } 230 231 231 231 - static unsigned int ipv6_conntrack_local(unsigned int hooknum, 232 232 + static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops, 232 233 struct sk_buff *skb, 233 234 const struct net_device *in, 234 235 const struct net_device *out, ··· 240 239 net_notice_ratelimited("ipv6_conntrack_local: packet too short\n"); 241 240 return NF_ACCEPT; 242 241 } 243 243 - return __ipv6_conntrack_in(dev_net(out), hooknum, skb, in, out, okfn); 242 242 + return __ipv6_conntrack_in(dev_net(out), ops->hooknum, skb, in, out, 243 243 + okfn); 244 244 } 245 245 246 246 static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {

+3 -3

net/ipv6/netfilter/nf_defrag_ipv6_hooks.c

reviewed

··· 52 52 53 53 } 54 54 55 55 - static unsigned int ipv6_defrag(unsigned int hooknum, 55 55 + static unsigned int ipv6_defrag(const struct nf_hook_ops *ops, 56 56 struct sk_buff *skb, 57 57 const struct net_device *in, 58 58 const struct net_device *out, ··· 66 66 return NF_ACCEPT; 67 67 #endif 68 68 69 69 - reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb)); 69 69 + reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(ops->hooknum, skb)); 70 70 /* queued */ 71 71 if (reasm == NULL) 72 72 return NF_STOLEN; ··· 75 75 if (reasm == skb) 76 76 return NF_ACCEPT; 77 77 78 78 - nf_ct_frag6_output(hooknum, reasm, (struct net_device *)in, 78 78 + nf_ct_frag6_output(ops->hooknum, reasm, (struct net_device *)in, 79 79 (struct net_device *)out, okfn); 80 80 81 81 return NF_STOLEN;

+1 -1

net/netfilter/core.c

reviewed

··· 146 146 /* Optimization: we don't need to hold module 147 147 reference here, since function can't sleep. --RR */ 148 148 repeat: 149 149 - verdict = (*elemp)->hook(hook, skb, indev, outdev, okfn); 149 149 + verdict = (*elemp)->hook(*elemp, skb, indev, outdev, okfn); 150 150 if (verdict != NF_ACCEPT) { 151 151 #ifdef CONFIG_NETFILTER_DEBUG 152 152 if (unlikely((verdict & NF_VERDICT_MASK)

+21 -21

net/netfilter/ipvs/ip_vs_core.c

reviewed

··· 1239 1239 * Check if packet is reply for established ip_vs_conn. 1240 1240 */ 1241 1241 static unsigned int 1242 1242 - ip_vs_reply4(unsigned int hooknum, struct sk_buff *skb, 1242 1242 + ip_vs_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb, 1243 1243 const struct net_device *in, const struct net_device *out, 1244 1244 int (*okfn)(struct sk_buff *)) 1245 1245 { 1246 1246 - return ip_vs_out(hooknum, skb, AF_INET); 1246 1246 + return ip_vs_out(ops->hooknum, skb, AF_INET); 1247 1247 } 1248 1248 1249 1249 /* ··· 1251 1251 * Check if packet is reply for established ip_vs_conn. 1252 1252 */ 1253 1253 static unsigned int 1254 1254 - ip_vs_local_reply4(unsigned int hooknum, struct sk_buff *skb, 1254 1254 + ip_vs_local_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb, 1255 1255 const struct net_device *in, const struct net_device *out, 1256 1256 int (*okfn)(struct sk_buff *)) 1257 1257 { 1258 1258 - return ip_vs_out(hooknum, skb, AF_INET); 1258 1258 + return ip_vs_out(ops->hooknum, skb, AF_INET); 1259 1259 } 1260 1260 1261 1261 #ifdef CONFIG_IP_VS_IPV6 ··· 1266 1266 * Check if packet is reply for established ip_vs_conn. 1267 1267 */ 1268 1268 static unsigned int 1269 1269 - ip_vs_reply6(unsigned int hooknum, struct sk_buff *skb, 1269 1269 + ip_vs_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb, 1270 1270 const struct net_device *in, const struct net_device *out, 1271 1271 int (*okfn)(struct sk_buff *)) 1272 1272 { 1273 1273 - return ip_vs_out(hooknum, skb, AF_INET6); 1273 1273 + return ip_vs_out(ops->hooknum, skb, AF_INET6); 1274 1274 } 1275 1275 1276 1276 /* ··· 1278 1278 * Check if packet is reply for established ip_vs_conn. 1279 1279 */ 1280 1280 static unsigned int 1281 1281 - ip_vs_local_reply6(unsigned int hooknum, struct sk_buff *skb, 1281 1281 + ip_vs_local_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb, 1282 1282 const struct net_device *in, const struct net_device *out, 1283 1283 int (*okfn)(struct sk_buff *)) 1284 1284 { 1285 1285 - return ip_vs_out(hooknum, skb, AF_INET6); 1285 1285 + return ip_vs_out(ops->hooknum, skb, AF_INET6); 1286 1286 } 1287 1287 1288 1288 #endif ··· 1733 1733 * Schedule and forward packets from remote clients 1734 1734 */ 1735 1735 static unsigned int 1736 1736 - ip_vs_remote_request4(unsigned int hooknum, struct sk_buff *skb, 1736 1736 + ip_vs_remote_request4(const struct nf_hook_ops *ops, struct sk_buff *skb, 1737 1737 const struct net_device *in, 1738 1738 const struct net_device *out, 1739 1739 int (*okfn)(struct sk_buff *)) 1740 1740 { 1741 1741 - return ip_vs_in(hooknum, skb, AF_INET); 1741 1741 + return ip_vs_in(ops->hooknum, skb, AF_INET); 1742 1742 } 1743 1743 1744 1744 /* ··· 1746 1746 * Schedule and forward packets from local clients 1747 1747 */ 1748 1748 static unsigned int 1749 1749 - ip_vs_local_request4(unsigned int hooknum, struct sk_buff *skb, 1749 1749 + ip_vs_local_request4(const struct nf_hook_ops *ops, struct sk_buff *skb, 1750 1750 const struct net_device *in, const struct net_device *out, 1751 1751 int (*okfn)(struct sk_buff *)) 1752 1752 { 1753 1753 - return ip_vs_in(hooknum, skb, AF_INET); 1753 1753 + return ip_vs_in(ops->hooknum, skb, AF_INET); 1754 1754 } 1755 1755 1756 1756 #ifdef CONFIG_IP_VS_IPV6 ··· 1760 1760 * Copy info from first fragment, to the rest of them. 1761 1761 */ 1762 1762 static unsigned int 1763 1763 - ip_vs_preroute_frag6(unsigned int hooknum, struct sk_buff *skb, 1763 1763 + ip_vs_preroute_frag6(const struct nf_hook_ops *ops, struct sk_buff *skb, 1764 1764 const struct net_device *in, 1765 1765 const struct net_device *out, 1766 1766 int (*okfn)(struct sk_buff *)) ··· 1792 1792 * Schedule and forward packets from remote clients 1793 1793 */ 1794 1794 static unsigned int 1795 1795 - ip_vs_remote_request6(unsigned int hooknum, struct sk_buff *skb, 1795 1795 + ip_vs_remote_request6(const struct nf_hook_ops *ops, struct sk_buff *skb, 1796 1796 const struct net_device *in, 1797 1797 const struct net_device *out, 1798 1798 int (*okfn)(struct sk_buff *)) 1799 1799 { 1800 1800 - return ip_vs_in(hooknum, skb, AF_INET6); 1800 1800 + return ip_vs_in(ops->hooknum, skb, AF_INET6); 1801 1801 } 1802 1802 1803 1803 /* ··· 1805 1805 * Schedule and forward packets from local clients 1806 1806 */ 1807 1807 static unsigned int 1808 1808 - ip_vs_local_request6(unsigned int hooknum, struct sk_buff *skb, 1808 1808 + ip_vs_local_request6(const struct nf_hook_ops *ops, struct sk_buff *skb, 1809 1809 const struct net_device *in, const struct net_device *out, 1810 1810 int (*okfn)(struct sk_buff *)) 1811 1811 { 1812 1812 - return ip_vs_in(hooknum, skb, AF_INET6); 1812 1812 + return ip_vs_in(ops->hooknum, skb, AF_INET6); 1813 1813 } 1814 1814 1815 1815 #endif ··· 1825 1825 * and send them to ip_vs_in_icmp. 1826 1826 */ 1827 1827 static unsigned int 1828 1828 - ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb, 1828 1828 + ip_vs_forward_icmp(const struct nf_hook_ops *ops, struct sk_buff *skb, 1829 1829 const struct net_device *in, const struct net_device *out, 1830 1830 int (*okfn)(struct sk_buff *)) 1831 1831 { ··· 1842 1842 if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable)) 1843 1843 return NF_ACCEPT; 1844 1844 1845 1845 - return ip_vs_in_icmp(skb, &r, hooknum); 1845 1845 + return ip_vs_in_icmp(skb, &r, ops->hooknum); 1846 1846 } 1847 1847 1848 1848 #ifdef CONFIG_IP_VS_IPV6 1849 1849 static unsigned int 1850 1850 - ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb, 1850 1850 + ip_vs_forward_icmp_v6(const struct nf_hook_ops *ops, struct sk_buff *skb, 1851 1851 const struct net_device *in, const struct net_device *out, 1852 1852 int (*okfn)(struct sk_buff *)) 1853 1853 { ··· 1866 1866 if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable)) 1867 1867 return NF_ACCEPT; 1868 1868 1869 1869 - return ip_vs_in_icmp_v6(skb, &r, hooknum, &iphdr); 1869 1869 + return ip_vs_in_icmp_v6(skb, &r, ops->hooknum, &iphdr); 1870 1870 } 1871 1871 #endif 1872 1872

+5 -5

security/selinux/hooks.c

reviewed

··· 4668 4668 return NF_ACCEPT; 4669 4669 } 4670 4670 4671 4671 - static unsigned int selinux_ipv4_forward(unsigned int hooknum, 4671 4671 + static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops, 4672 4672 struct sk_buff *skb, 4673 4673 const struct net_device *in, 4674 4674 const struct net_device *out, ··· 4678 4678 } 4679 4679 4680 4680 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4681 4681 - static unsigned int selinux_ipv6_forward(unsigned int hooknum, 4681 4681 + static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops, 4682 4682 struct sk_buff *skb, 4683 4683 const struct net_device *in, 4684 4684 const struct net_device *out, ··· 4710 4710 return NF_ACCEPT; 4711 4711 } 4712 4712 4713 4713 - static unsigned int selinux_ipv4_output(unsigned int hooknum, 4713 4713 + static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops, 4714 4714 struct sk_buff *skb, 4715 4715 const struct net_device *in, 4716 4716 const struct net_device *out, ··· 4837 4837 return NF_ACCEPT; 4838 4838 } 4839 4839 4840 4840 - static unsigned int selinux_ipv4_postroute(unsigned int hooknum, 4840 4840 + static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops, 4841 4841 struct sk_buff *skb, 4842 4842 const struct net_device *in, 4843 4843 const struct net_device *out, ··· 4847 4847 } 4848 4848 4849 4849 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 4850 4850 - static unsigned int selinux_ipv6_postroute(unsigned int hooknum, 4850 4850 + static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops, 4851 4851 struct sk_buff *skb, 4852 4852 const struct net_device *in, 4853 4853 const struct net_device *out,