tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: xtables: add struct xt_mtchk_param::net

Some complex match modules (like xt_hashlimit/xt_recent) want netns
information at constructor and destructor time. We propably can play
games at match destruction time, because netns can be passed in object,
but I think it's cleaner to explicitly pass netns.

Add ->net, make sure it's set from ebtables/iptables/ip6tables code.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

authored by

Alexey Dobriyan and committed by
Patrick McHardy a83d8e8d a1004d8e

+32 -21
+1
include/linux/netfilter/x_tables.h
··· 205 205 * @hook_mask: via which hooks the new rule is reachable 206 206 */ 207 207 struct xt_mtchk_param { 208 + struct net *net; 208 209 const char *table; 209 210 const void *entryinfo; 210 211 const struct xt_match *match;
+9 -5
net/bridge/netfilter/ebtables.c
··· 619 619 } 620 620 621 621 static inline int 622 - ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, 622 + ebt_check_entry(struct ebt_entry *e, 623 + struct net *net, 624 + struct ebt_table_info *newinfo, 623 625 const char *name, unsigned int *cnt, 624 626 struct ebt_cl_stack *cl_s, unsigned int udc_cnt) 625 627 { ··· 673 671 } 674 672 i = 0; 675 673 674 + mtpar.net = net; 676 675 mtpar.table = tgpar.table = name; 677 676 mtpar.entryinfo = tgpar.entryinfo = e; 678 677 mtpar.hook_mask = tgpar.hook_mask = hookmask; ··· 811 808 } 812 809 813 810 /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */ 814 - static int translate_table(char *name, struct ebt_table_info *newinfo) 811 + static int translate_table(struct net *net, char *name, 812 + struct ebt_table_info *newinfo) 815 813 { 816 814 unsigned int i, j, k, udc_cnt; 817 815 int ret; ··· 921 917 /* used to know what we need to clean up if something goes wrong */ 922 918 i = 0; 923 919 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, 924 - ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt); 920 + ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt); 925 921 if (ret != 0) { 926 922 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, 927 923 ebt_cleanup_entry, &i); ··· 1021 1017 if (ret != 0) 1022 1018 goto free_counterstmp; 1023 1019 1024 - ret = translate_table(tmp.name, newinfo); 1020 + ret = translate_table(net, tmp.name, newinfo); 1025 1021 1026 1022 if (ret != 0) 1027 1023 goto free_counterstmp; ··· 1158 1154 newinfo->hook_entry[i] = p + 1159 1155 ((char *)repl->hook_entry[i] - repl->entries); 1160 1156 } 1161 - ret = translate_table(repl->name, newinfo); 1157 + ret = translate_table(net, repl->name, newinfo); 1162 1158 if (ret != 0) { 1163 1159 BUGPRINT("Translate_table failed\n"); 1164 1160 goto free_chainstack;
+14 -10
net/ipv4/netfilter/ip_tables.c
··· 661 661 } 662 662 663 663 static int 664 - find_check_entry(struct ipt_entry *e, const char *name, unsigned int size, 665 - unsigned int *i) 664 + find_check_entry(struct ipt_entry *e, struct net *net, const char *name, 665 + unsigned int size, unsigned int *i) 666 666 { 667 667 struct ipt_entry_target *t; 668 668 struct xt_target *target; ··· 675 675 return ret; 676 676 677 677 j = 0; 678 + mtpar.net = net; 678 679 mtpar.table = name; 679 680 mtpar.entryinfo = &e->ip; 680 681 mtpar.hook_mask = e->comefrom; ··· 799 798 /* Checks and translates the user-supplied table segment (held in 800 799 newinfo) */ 801 800 static int 802 - translate_table(const char *name, 801 + translate_table(struct net *net, 802 + const char *name, 803 803 unsigned int valid_hooks, 804 804 struct xt_table_info *newinfo, 805 805 void *entry0, ··· 862 860 /* Finally, each sanity check must pass */ 863 861 i = 0; 864 862 ret = IPT_ENTRY_ITERATE(entry0, newinfo->size, 865 - find_check_entry, name, size, &i); 863 + find_check_entry, net, name, size, &i); 866 864 867 865 if (ret != 0) { 868 866 IPT_ENTRY_ITERATE(entry0, newinfo->size, ··· 1305 1303 goto free_newinfo; 1306 1304 } 1307 1305 1308 - ret = translate_table(tmp.name, tmp.valid_hooks, 1306 + ret = translate_table(net, tmp.name, tmp.valid_hooks, 1309 1307 newinfo, loc_cpu_entry, tmp.size, tmp.num_entries, 1310 1308 tmp.hook_entry, tmp.underflow); 1311 1309 if (ret != 0) ··· 1657 1655 } 1658 1656 1659 1657 static int 1660 - compat_check_entry(struct ipt_entry *e, const char *name, 1658 + compat_check_entry(struct ipt_entry *e, struct net *net, const char *name, 1661 1659 unsigned int *i) 1662 1660 { 1663 1661 struct xt_mtchk_param mtpar; ··· 1665 1663 int ret; 1666 1664 1667 1665 j = 0; 1666 + mtpar.net = net; 1668 1667 mtpar.table = name; 1669 1668 mtpar.entryinfo = &e->ip; 1670 1669 mtpar.hook_mask = e->comefrom; ··· 1687 1684 } 1688 1685 1689 1686 static int 1690 - translate_compat_table(const char *name, 1687 + translate_compat_table(struct net *net, 1688 + const char *name, 1691 1689 unsigned int valid_hooks, 1692 1690 struct xt_table_info **pinfo, 1693 1691 void **pentry0, ··· 1777 1773 1778 1774 i = 0; 1779 1775 ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry, 1780 - name, &i); 1776 + net, name, &i); 1781 1777 if (ret) { 1782 1778 j -= i; 1783 1779 COMPAT_IPT_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i, ··· 1837 1833 goto free_newinfo; 1838 1834 } 1839 1835 1840 - ret = translate_compat_table(tmp.name, tmp.valid_hooks, 1836 + ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, 1841 1837 &newinfo, &loc_cpu_entry, tmp.size, 1842 1838 tmp.num_entries, tmp.hook_entry, 1843 1839 tmp.underflow); ··· 2090 2086 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()]; 2091 2087 memcpy(loc_cpu_entry, repl->entries, repl->size); 2092 2088 2093 - ret = translate_table(table->name, table->valid_hooks, 2089 + ret = translate_table(net, table->name, table->valid_hooks, 2094 2090 newinfo, loc_cpu_entry, repl->size, 2095 2091 repl->num_entries, 2096 2092 repl->hook_entry,
+8 -6
net/ipv6/netfilter/ip6_tables.c
··· 693 693 } 694 694 695 695 static int 696 - find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size, 697 - unsigned int *i) 696 + find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, 697 + unsigned int size, unsigned int *i) 698 698 { 699 699 struct ip6t_entry_target *t; 700 700 struct xt_target *target; ··· 707 707 return ret; 708 708 709 709 j = 0; 710 + mtpar.net = net; 710 711 mtpar.table = name; 711 712 mtpar.entryinfo = &e->ipv6; 712 713 mtpar.hook_mask = e->comefrom; ··· 831 830 /* Checks and translates the user-supplied table segment (held in 832 831 newinfo) */ 833 832 static int 834 - translate_table(const char *name, 833 + translate_table(struct net *net, 834 + const char *name, 835 835 unsigned int valid_hooks, 836 836 struct xt_table_info *newinfo, 837 837 void *entry0, ··· 894 892 /* Finally, each sanity check must pass */ 895 893 i = 0; 896 894 ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size, 897 - find_check_entry, name, size, &i); 895 + find_check_entry, net, name, size, &i); 898 896 899 897 if (ret != 0) { 900 898 IP6T_ENTRY_ITERATE(entry0, newinfo->size, ··· 1338 1336 goto free_newinfo; 1339 1337 } 1340 1338 1341 - ret = translate_table(tmp.name, tmp.valid_hooks, 1339 + ret = translate_table(net, tmp.name, tmp.valid_hooks, 1342 1340 newinfo, loc_cpu_entry, tmp.size, tmp.num_entries, 1343 1341 tmp.hook_entry, tmp.underflow); 1344 1342 if (ret != 0) ··· 2123 2121 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()]; 2124 2122 memcpy(loc_cpu_entry, repl->entries, repl->size); 2125 2123 2126 - ret = translate_table(table->name, table->valid_hooks, 2124 + ret = translate_table(net, table->name, table->valid_hooks, 2127 2125 newinfo, loc_cpu_entry, repl->size, 2128 2126 repl->num_entries, 2129 2127 repl->hook_entry,