
netfilter: ebtables: Simplify the arguments to ebt_do_table

Nearly everything of interest to ebt_do_table is already present
in nf_hook_state. Simplify ebt_do_table by just passing in the skb,
nf_hook_state, and the table. This makes the code easier to read and
maintain.

To support this create an nf_hook_state on the stack in ebt_broute
(the only caller without a nf_hook_state already available). This new
nf_hook_state adds no new computations to ebt_broute, but does use a
few more bytes of stack.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Eric W. Biederman and committed by
Pablo Neira Ayuso
97b59c3a 36aea585

+20 -19
+3 -3
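--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -111,9 +111,9 @@
 extern struct ebt_table *ebt_register_table(struct net *net,
 const struct ebt_table *table);
 extern void ebt_unregister_table(struct net *net, struct ebt_table *table);
-extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
-const struct net_device *in, const struct net_device *out,
-struct ebt_table *table);
+extern unsigned int ebt_do_table(struct sk_buff *skb,
+const struct nf_hook_state *state,
+struct ebt_table *table);
 
 /* Used in the kernel match() functions */
 #define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg))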
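Review bot: The new prototype carries no comment saying which parts of nf_hook_state ebt_do_table relies on, which matters now that ebt_broute builds the state by hand instead of receiving one from the hook core. In the ebtables.c hunks of this commit the function reads state->hook, state->in and state->out; its body continues beyond those hunks, so other fields may be read as well. A one-line comment above the declaration such as `/* state: at least ->hook, ->in and ->out must be valid (see ebt_broute) */` would pin the contract for future callers.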
+6 -2
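--- a/net/bridge/netfilter/ebtable_broute.c
+++ b/net/bridge/netfilter/ebtable_broute.c
@@ -50,10 +50,14 @@
 
 static int ebt_broute(struct sk_buff *skb)
 {
+struct nf_hook_state state;
 int ret;
 
-ret = ebt_do_table(NF_BR_BROUTING, skb, skb->dev, NULL,
-dev_net(skb->dev)->xt.broute_table);
+nf_hook_state_init(&state, NULL, NF_BR_BROUTING, INT_MIN,
+NFPROTO_BRIDGE, skb->dev, NULL, NULL,
+dev_net(skb->dev), NULL);
+
+ret = ebt_do_table(skb, &state, state.net->xt.broute_table);
 if (ret == NF_DROP)
 return 1; /* route it */
 return 0; /* bridge it */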
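Review bot: The nf_hook_state built on the stack in ebt_broute passes NULL for the hook list, sk and okfn (assuming nf_hook_state_init takes hook_list, hook, thresh, pf, in, out, sk, net, okfn in that order), so only hook, pf, in and net carry real values, and nothing in the code marks the state as partial. Any match or target reached through ebt_do_table that inspects the NULL fields would dereference them, so a comment above the nf_hook_state_init() call, e.g. `/* Partial state: only hook/pf/in/net are meaningful; sk, okfn and hook_list are NULL */`, would make the limitation explicit. The INT_MIN threshold is presumably irrelevant because this state never goes through the hook core, which the commit message could say.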
+2 -4
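--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -60,16 +60,14 @@
 ebt_in_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return ebt_do_table(ops->hooknum, skb, state->in, state->out,
-state->net->xt.frame_filter);
+return ebt_do_table(skb, state, state->net->xt.frame_filter);
 }
 
 static unsigned int
 ebt_out_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return ebt_do_table(ops->hooknum, skb, state->in, state->out,
-state->net->xt.frame_filter);
+return ebt_do_table(skb, state, state->net->xt.frame_filter);
 }
 
 static struct nf_hook_ops ebt_ops_filter[] __read_mostly = {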
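Review bot: After this change `ops` is no longer referenced in ebt_in_hook or ebt_out_hook (it remains only to satisfy the nf_hookfn signature), and the hook number is now taken from state->hook inside ebt_do_table rather than from ops->hooknum. The two values are presumably identical for hooks registered through the netfilter core, but that equivalence is now implicit; a short comment above the first return, such as `/* hook number comes from state->hook inside ebt_do_table; ops is unused */`, would record it. The same applies to ebt_nat_in and ebt_nat_out in net/bridge/netfilter/ebtable_nat.c.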
+2 -4
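--- a/net/bridge/netfilter/ebtable_nat.c
+++ b/net/bridge/netfilter/ebtable_nat.c
@@ -60,16 +60,14 @@
 ebt_nat_in(const struct nf_hook_ops *ops, struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return ebt_do_table(ops->hooknum, skb, state->in, state->out,
-state->net->xt.frame_nat);
+return ebt_do_table(skb, state, state->net->xt.frame_nat);
 }
 
 static unsigned int
 ebt_nat_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return ebt_do_table(ops->hooknum, skb, state->in, state->out,
-state->net->xt.frame_nat);
+return ebt_do_table(skb, state, state->net->xt.frame_nat);
 }
 
 static struct nf_hook_ops ebt_ops_nat[] __read_mostly = {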
+7 -6
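--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -183,10 +183,11 @@
 }
 
 /* Do some firewalling */
-unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
-const struct net_device *in, const struct net_device *out,
-struct ebt_table *table)
+unsigned int ebt_do_table(struct sk_buff *skb,
+const struct nf_hook_state *state,
+struct ebt_table *table)
 {
+unsigned int hook = state->hook;
 int i, nentries;
 struct ebt_entry *point;
 struct ebt_counter *counter_base, *cb_base;
@@ -200,8 +199,8 @@
 struct xt_action_param acpar;
 
 acpar.family = NFPROTO_BRIDGE;
-acpar.in = in;
-acpar.out = out;
+acpar.in = state->in;
+acpar.out = state->out;
 acpar.hotdrop = false;
 acpar.hooknum = hook;
 
@@ -221,7 +220,7 @@
 base = private->entries;
 i = 0;
 while (i < nentries) {
-if (ebt_basic_match(point, skb, in, out))
+if (ebt_basic_match(point, skb, state->in, state->out))
 goto letscontinue;
 
 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)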
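Review bot: `unsigned int hook = state->hook;` in the first hunk dereferences state unconditionally, yet the header comment `/* Do some firewalling */` says nothing about the new parameter or what it must contain. Replacing it with a kernel-doc block that names skb, state (non-NULL; hook, in and out are read in these hunks) and table, and states that an NF_* verdict is returned, would document the contract that the hand-built state in ebt_broute has to satisfy. The body of ebt_do_table extends beyond the visible hunks, so further fields of state may be read there.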