Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: Pass nf_hook_state through ip6t_do_table().

Signed-off-by: David S. Miller <davem@davemloft.net>

+17 -22
+1 -2
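--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -31,8 +31,7 @@
 extern void ip6t_unregister_table(struct net *net, struct xt_table *table);
 extern unsigned int ip6t_do_table(struct sk_buff *skb,
 unsigned int hook,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct xt_table *table);
 
 /* Check for an extension */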
+6 -7
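--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -317,8 +317,7 @@
 unsigned int
 ip6t_do_table(struct sk_buff *skb,
 unsigned int hook,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct xt_table *table)
 {
 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
@@ -333,8 +332,8 @@
 unsigned int addend;
 
 /* Initialization */
-indev = in ? in->name : nulldevname;
-outdev = out ? out->name : nulldevname;
+indev = state->in ? state->in->name : nulldevname;
+outdev = state->out ? state->out->name : nulldevname;
 /* We handle fragments by dealing with the first fragment as
 * if it was a normal packet. All other fragments are treated
 * normally, except that they will NEVER match rules that ask
@@ -342,8 +341,8 @@
 * rule is also a fragment-specific rule, non-fragments won't
 * match it. */
 acpar.hotdrop = false;
-acpar.in = in;
-acpar.out = out;
+acpar.in = state->in;
+acpar.out = state->out;
 acpar.family = NFPROTO_IPV6;
 acpar.hooknum = hook;
 
@@ -393,7 +392,7 @@
 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
 /* The packet is traced: log it */
 if (unlikely(skb->nf_trace))
-trace_packet(skb, hook, in, out,
+trace_packet(skb, hook, state->in, state->out,
 table->name, private, e);
 #endif
 /* Standard target? */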
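Review bot: `ip6t_do_table()` now dereferences `state` unconditionally in the initialization (`indev = state->in ? state->in->name : nulldevname;`), whereas the old `in` and `out` arguments could each be NULL; a NULL `state` here would be a NULL dereference on the packet path. Every caller changed in this commit passes the hook's own state, so the assumption holds for the visible call sites, but it is not written down. `hook` is still passed separately and copied into `acpar.hooknum`, so the hook number and the state can drift apart if a caller supplies mismatched values. I would document the contract above the definition, e.g. `/* state must be non-NULL; state->in and state->out may each be NULL. */`. The function body continues outside the hunks shown.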
+1 -2
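--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -37,8 +37,7 @@
 {
 const struct net *net = dev_net(state->in ? state->in : state->out);
 
-return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
-net->ipv6.ip6table_filter);
+return ip6t_do_table(skb, ops->hooknum, state, net->ipv6.ip6table_filter);
 }
 
 static struct nf_hook_ops *filter_ops __read_mostly;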
+6 -6
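--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -32,7 +32,7 @@
 };
 
 static unsigned int
-ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
+ip6t_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state)
 {
 unsigned int ret;
 struct in6_addr saddr, daddr;
@@ -57,8 +57,8 @@
 /* flowlabel and prio (includes version, which shouldn't change either */
 flowlabel = *((u_int32_t *)ipv6_hdr(skb));
 
-ret = ip6t_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
-dev_net(out)->ipv6.ip6table_mangle);
+ret = ip6t_do_table(skb, NF_INET_LOCAL_OUT, state,
+dev_net(state->out)->ipv6.ip6table_mangle);
 
 if (ret != NF_DROP && ret != NF_STOLEN &&
 (!ipv6_addr_equal(&ipv6_hdr(skb)->saddr, &saddr) ||
@@ -80,12 +80,12 @@
 const struct nf_hook_state *state)
 {
 if (ops->hooknum == NF_INET_LOCAL_OUT)
-return ip6t_mangle_out(skb, state->out);
+return ip6t_mangle_out(skb, state);
 if (ops->hooknum == NF_INET_POST_ROUTING)
-return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
+return ip6t_do_table(skb, ops->hooknum, state,
 dev_net(state->out)->ipv6.ip6table_mangle);
 /* INPUT/FORWARD */
-return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
+return ip6t_do_table(skb, ops->hooknum, state,
 dev_net(state->in)->ipv6.ip6table_mangle);
 }
 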
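Review bot: In `ip6t_mangle_out()` the old call forced the input device to NULL (`ip6t_do_table(skb, NF_INET_LOCAL_OUT, NULL, out, ...)`), while the new call passes `state`, so rule matching and `acpar.in` now use whatever `state->in` holds. At LOCAL_OUT that is presumably NULL, but nothing in this section checks or states it, and a non-NULL value would change which `-i` interface rules match. A one-line comment at the call, e.g. `/* state->in is expected to be NULL at LOCAL_OUT, as the old explicit NULL argument was */`, would record the assumption. The same call still dereferences `state->out` through `dev_net()` without a NULL check, as the old code did with `out`; the function body continues outside the hunk.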
+1 -2
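--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -37,8 +37,7 @@
 {
 struct net *net = nf_ct_net(ct);
 
-return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
-net->ipv6.ip6table_nat);
+return ip6t_do_table(skb, ops->hooknum, state, net->ipv6.ip6table_nat);
 }
 
 static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops,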
+1 -2
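--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -24,8 +24,7 @@
 {
 const struct net *net = dev_net(state->in ? state->in : state->out);
 
-return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
-net->ipv6.ip6table_raw);
+return ip6t_do_table(skb, ops->hooknum, state, net->ipv6.ip6table_raw);
 }
 
 static struct nf_hook_ops *rawtable_ops __read_mostly;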
+1 -1
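--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -41,7 +41,7 @@
 {
 const struct net *net = dev_net(state->in ? state->in : state->out);
 
-return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
+return ip6t_do_table(skb, ops->hooknum, state,
 net->ipv6.ip6table_security);
 }
 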