
netfilter: Pass nf_hook_state through nf_nat_ipv4_{in,out,fn,local_fn}().

Signed-off-by: David S. Miller <davem@davemloft.net>

+36 -53
+8 -16
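--- a/include/net/netfilter/nf_nat_l3proto.h
+++ b/include/net/netfilter/nf_nat_l3proto.h
@@ -44,40 +44,32 @@
 unsigned int hooknum);
 
 unsigned int nf_nat_ipv4_in(const struct nf_hook_ops *ops, struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct));
 
 unsigned int nf_nat_ipv4_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct));
 
 unsigned int nf_nat_ipv4_local_fn(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct));
 
 unsigned int nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 unsigned int (*do_chain)(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct));
 
 int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, struct nf_conn *ct,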
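Review bot: The `do_chain` callback type is still spelled out in full in each of the four prototypes here, so this commit has to edit every copy (and the matching definitions in nf_nat_l3proto_ipv4.c) to change one parameter. A single typedef, for example `typedef unsigned int nf_nat_do_chain_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, const struct nf_hook_state *state, struct nf_conn *ct);` (the name is only a suggestion), would let each prototype take `nf_nat_do_chain_fn *do_chain` and keep the callback signature from drifting between declaration, definition and the iptables/nftables implementations. The prototypes now also name `struct nf_hook_state`; the top of the header is outside this hunk, so it is worth confirming the type is declared or included before these declarations.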
+7 -11
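--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -30,45 +30,41 @@
 
 static unsigned int iptable_nat_do_chain(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
+const struct nf_hook_state *state,
 struct nf_conn *ct)
 {
 struct net *net = nf_ct_net(ct);
 
-return ipt_do_table(skb, ops->hooknum, in, out, net->ipv4.nat_table);
+return ipt_do_table(skb, ops->hooknum, state->in, state->out,
+net->ipv4.nat_table);
 }
 
 static unsigned int iptable_nat_ipv4_fn(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv4_fn(ops, skb, state->in, state->out,
-iptable_nat_do_chain);
+return nf_nat_ipv4_fn(ops, skb, state, iptable_nat_do_chain);
 }
 
 static unsigned int iptable_nat_ipv4_in(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv4_in(ops, skb, state->in, state->out,
-iptable_nat_do_chain);
+return nf_nat_ipv4_in(ops, skb, state, iptable_nat_do_chain);
 }
 
 static unsigned int iptable_nat_ipv4_out(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv4_out(ops, skb, state->in, state->out,
-iptable_nat_do_chain);
+return nf_nat_ipv4_out(ops, skb, state, iptable_nat_do_chain);
 }
 
 static unsigned int iptable_nat_ipv4_local_fn(const struct nf_hook_ops *ops,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
-return nf_nat_ipv4_local_fn(ops, skb, state->in, state->out,
-iptable_nat_do_chain);
+return nf_nat_ipv4_local_fn(ops, skb, state, iptable_nat_do_chain);
 }
 
 static struct nf_hook_ops nf_nat_ipv4_ops[] __read_mostly = {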
+15 -18
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
··· 256 256 257 257 unsigned int 258 258 nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, 259 - const struct net_device *in, const struct net_device *out, 259 + const struct nf_hook_state *state, 260 260 unsigned int (*do_chain)(const struct nf_hook_ops *ops, 261 261 struct sk_buff *skb, 262 - const struct net_device *in, 263 - const struct net_device *out, 262 + const struct nf_hook_state *state, 264 263 struct nf_conn *ct)) 265 264 { 266 265 struct nf_conn *ct; ··· 308 309 if (!nf_nat_initialized(ct, maniptype)) { 309 310 unsigned int ret; 310 311 311 - ret = do_chain(ops, skb, in, out, ct); 312 + ret = do_chain(ops, skb, state, ct); 312 313 if (ret != NF_ACCEPT) 313 314 return ret; 314 315 ··· 322 323 pr_debug("Already setup manip %s for ct %p\n", 323 324 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST", 324 325 ct); 325 - if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) 326 + if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, 327 + state->out)) 326 328 goto oif_changed; 327 329 } 328 330 break; ··· 332 332 /* ESTABLISHED */ 333 333 NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || 334 334 ctinfo == IP_CT_ESTABLISHED_REPLY); 335 - if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out)) 335 + if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, state->out)) 336 336 goto oif_changed; 337 337 } 338 338 ··· 346 346 347 347 unsigned int 348 348 nf_nat_ipv4_in(const struct nf_hook_ops *ops, struct sk_buff *skb, 349 - const struct net_device *in, const struct net_device *out, 349 + const struct nf_hook_state *state, 350 350 unsigned int (*do_chain)(const struct nf_hook_ops *ops, 351 351 struct sk_buff *skb, 352 - const struct net_device *in, 353 - const struct net_device *out, 352 + const struct nf_hook_state *state, 354 353 struct nf_conn *ct)) 355 354 { 356 355 unsigned int ret; 357 356 __be32 daddr = ip_hdr(skb)->daddr; 358 357 359 - ret = nf_nat_ipv4_fn(ops, skb, in, out, do_chain); 358 + ret = nf_nat_ipv4_fn(ops, skb, state, do_chain); 360 359 if (ret 
!= NF_DROP && ret != NF_STOLEN && 361 360 daddr != ip_hdr(skb)->daddr) 362 361 skb_dst_drop(skb); ··· 366 367 367 368 unsigned int 368 369 nf_nat_ipv4_out(const struct nf_hook_ops *ops, struct sk_buff *skb, 369 - const struct net_device *in, const struct net_device *out, 370 + const struct nf_hook_state *state, 370 371 unsigned int (*do_chain)(const struct nf_hook_ops *ops, 371 372 struct sk_buff *skb, 372 - const struct net_device *in, 373 - const struct net_device *out, 373 + const struct nf_hook_state *state, 374 374 struct nf_conn *ct)) 375 375 { 376 376 #ifdef CONFIG_XFRM ··· 384 386 ip_hdrlen(skb) < sizeof(struct iphdr)) 385 387 return NF_ACCEPT; 386 388 387 - ret = nf_nat_ipv4_fn(ops, skb, in, out, do_chain); 389 + ret = nf_nat_ipv4_fn(ops, skb, state, do_chain); 388 390 #ifdef CONFIG_XFRM 389 391 if (ret != NF_DROP && ret != NF_STOLEN && 390 392 !(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) && ··· 408 410 409 411 unsigned int 410 412 nf_nat_ipv4_local_fn(const struct nf_hook_ops *ops, struct sk_buff *skb, 411 - const struct net_device *in, const struct net_device *out, 413 + const struct nf_hook_state *state, 412 414 unsigned int (*do_chain)(const struct nf_hook_ops *ops, 413 415 struct sk_buff *skb, 414 - const struct net_device *in, 415 - const struct net_device *out, 416 + const struct nf_hook_state *state, 416 417 struct nf_conn *ct)) 417 418 { 418 419 const struct nf_conn *ct; ··· 424 427 ip_hdrlen(skb) < sizeof(struct iphdr)) 425 428 return NF_ACCEPT; 426 429 427 - ret = nf_nat_ipv4_fn(ops, skb, in, out, do_chain); 430 + ret = nf_nat_ipv4_fn(ops, skb, state, do_chain); 428 431 if (ret != NF_DROP && ret != NF_STOLEN && 429 432 (ct = nf_ct_get(skb, &ctinfo)) != NULL) { 430 433 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
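Review bot: nf_nat_ipv4_fn() now reads `state->out` directly in both nf_nat_oif_changed() calls and hands `state` on to `do_chain`, but the non-static entry points carry no comment stating what callers must guarantee about that pointer. No check on `state` appears in the visible lines; the function bodies extend beyond these hunks, so that is inferred rather than confirmed. I would add a short comment above nf_nat_ipv4_fn(), and refer to it from the _in/_out/_local_fn variants, such as `/* @state: hook state supplied by the netfilter core; must be non-NULL. Passed unchanged to do_chain(); state->out is read for the output-interface check. */`. That keeps the contract explicit for any caller that is not a registered hook function.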
+6 -8
net/ipv4/netfilter/nft_chain_nat_ipv4.c
··· 28 28 29 29 static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops, 30 30 struct sk_buff *skb, 31 - const struct net_device *in, 32 - const struct net_device *out, 31 + const struct nf_hook_state *state, 33 32 struct nf_conn *ct) 34 33 { 35 34 struct nft_pktinfo pkt; 36 35 37 - nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out); 36 + nft_set_pktinfo_ipv4(&pkt, ops, skb, state->in, state->out); 38 37 39 38 return nft_do_chain(&pkt, ops); 40 39 } ··· 42 43 struct sk_buff *skb, 43 44 const struct nf_hook_state *state) 44 45 { 45 - return nf_nat_ipv4_fn(ops, skb, state->in, state->out, nft_nat_do_chain); 46 + return nf_nat_ipv4_fn(ops, skb, state, nft_nat_do_chain); 46 47 } 47 48 48 49 static unsigned int nft_nat_ipv4_in(const struct nf_hook_ops *ops, 49 50 struct sk_buff *skb, 50 51 const struct nf_hook_state *state) 51 52 { 52 - return nf_nat_ipv4_in(ops, skb, state->in, state->out, nft_nat_do_chain); 53 + return nf_nat_ipv4_in(ops, skb, state, nft_nat_do_chain); 53 54 } 54 55 55 56 static unsigned int nft_nat_ipv4_out(const struct nf_hook_ops *ops, 56 57 struct sk_buff *skb, 57 58 const struct nf_hook_state *state) 58 59 { 59 - return nf_nat_ipv4_out(ops, skb, state->in, state->out, nft_nat_do_chain); 60 + return nf_nat_ipv4_out(ops, skb, state, nft_nat_do_chain); 60 61 } 61 62 62 63 static unsigned int nft_nat_ipv4_local_fn(const struct nf_hook_ops *ops, 63 64 struct sk_buff *skb, 64 65 const struct nf_hook_state *state) 65 66 { 66 - return nf_nat_ipv4_local_fn(ops, skb, state->in, state->out, 67 - nft_nat_do_chain); 67 + return nf_nat_ipv4_local_fn(ops, skb, state, nft_nat_do_chain); 68 68 } 69 69 70 70 static const struct nf_chain_type nft_chain_nat_ipv4 = {