Commit 4c38cd61aef20fce34c669caa901634ca5f88bf8
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says: ==================== Netfilter/IPVS updates for net-next The following patchset contains Netfilter updates for your net-next tree, they are: 1) Remove useless debug message when deleting IPVS service, from Yannick Brosseau. 2) Get rid of compilation warning when CONFIG_PROC_FS is unset in several spots of the IPVS code, from Arnd Bergmann. 3) Add prandom_u32 support to nft_meta, from Florian Westphal. 4) Remove unused variable in xt_osf, from Sudip Mukherjee. 5) Don't calculate IP checksum twice from netfilter ipv4 defrag hook since fixing af_packet defragmentation issues, from Joe Stringer. 6) On-demand hook registration for iptables from netns. Instead of registering the hooks for every available netns whenever we need one of the support tables, we register this on the specific netns that needs it, patchset from Florian Westphal. 7) Add missing port range selection to nf_tables masquerading support. BTW, just for the record, there is a typo in the description of 5f6c253ebe93b0 ("netfilter: bridge: register hooks only when bridge interface is added") that refers to the cluster match as deprecated, but it is actually the CLUSTERIP target (which registers hooks inconditionally) the one that is scheduled for removal. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 32 changed files Side-by-side Diff
- include/linux/netfilter.h
- include/linux/netfilter/x_tables.h
- include/linux/netfilter_arp/arp_tables.h
- include/linux/netfilter_ipv4/ip_tables.h
- include/linux/netfilter_ipv6/ip6_tables.h
- include/net/netfilter/nft_masq.h
- include/uapi/linux/netfilter/nf_tables.h
- lib/random32.c
- net/bridge/br_netfilter_hooks.c
- net/ipv4/netfilter/arp_tables.c
- net/ipv4/netfilter/arptable_filter.c
- net/ipv4/netfilter/ip_tables.c
- net/ipv4/netfilter/iptable_filter.c
- net/ipv4/netfilter/iptable_mangle.c
- net/ipv4/netfilter/iptable_nat.c
- net/ipv4/netfilter/iptable_raw.c
- net/ipv4/netfilter/iptable_security.c
- net/ipv4/netfilter/nf_defrag_ipv4.c
- net/ipv4/netfilter/nft_masq_ipv4.c
- net/ipv6/netfilter/ip6_tables.c
- net/ipv6/netfilter/ip6table_filter.c
- net/ipv6/netfilter/ip6table_mangle.c
- net/ipv6/netfilter/ip6table_nat.c
- net/ipv6/netfilter/ip6table_raw.c
- net/ipv6/netfilter/ip6table_security.c
- net/ipv6/netfilter/nft_masq_ipv6.c
- net/netfilter/ipvs/ip_vs_app.c
- net/netfilter/ipvs/ip_vs_ctl.c
- net/netfilter/nft_masq.c
- net/netfilter/nft_meta.c
- net/netfilter/x_tables.c
- net/netfilter/xt_osf.c
include/linux/netfilter.h
... | ... | @@ -141,22 +141,6 @@ |
141 | 141 | |
142 | 142 | #ifdef HAVE_JUMP_LABEL |
143 | 143 | extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; |
144 | - | |
145 | -static inline bool nf_hook_list_active(struct list_head *hook_list, | |
146 | - u_int8_t pf, unsigned int hook) | |
147 | -{ | |
148 | - if (__builtin_constant_p(pf) && | |
149 | - __builtin_constant_p(hook)) | |
150 | - return static_key_false(&nf_hooks_needed[pf][hook]); | |
151 | - | |
152 | - return !list_empty(hook_list); | |
153 | -} | |
154 | -#else | |
155 | -static inline bool nf_hook_list_active(struct list_head *hook_list, | |
156 | - u_int8_t pf, unsigned int hook) | |
157 | -{ | |
158 | - return !list_empty(hook_list); | |
159 | -} | |
160 | 144 | #endif |
161 | 145 | |
162 | 146 | int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state); |
163 | 147 | |
... | ... | @@ -177,9 +161,18 @@ |
177 | 161 | int (*okfn)(struct net *, struct sock *, struct sk_buff *), |
178 | 162 | int thresh) |
179 | 163 | { |
180 | - struct list_head *hook_list = &net->nf.hooks[pf][hook]; | |
164 | + struct list_head *hook_list; | |
181 | 165 | |
182 | - if (nf_hook_list_active(hook_list, pf, hook)) { | |
166 | +#ifdef HAVE_JUMP_LABEL | |
167 | + if (__builtin_constant_p(pf) && | |
168 | + __builtin_constant_p(hook) && | |
169 | + !static_key_false(&nf_hooks_needed[pf][hook])) | |
170 | + return 1; | |
171 | +#endif | |
172 | + | |
173 | + hook_list = &net->nf.hooks[pf][hook]; | |
174 | + | |
175 | + if (!list_empty(hook_list)) { | |
183 | 176 | struct nf_hook_state state; |
184 | 177 | |
185 | 178 | nf_hook_state_init(&state, hook_list, hook, thresh, |
include/linux/netfilter/x_tables.h
... | ... | @@ -200,6 +200,9 @@ |
200 | 200 | u_int8_t af; /* address/protocol family */ |
201 | 201 | int priority; /* hook order */ |
202 | 202 | |
203 | + /* called when table is needed in the given netns */ | |
204 | + int (*table_init)(struct net *net); | |
205 | + | |
203 | 206 | /* A unique name... */ |
204 | 207 | const char name[XT_TABLE_MAXNAMELEN]; |
205 | 208 | }; |
... | ... | @@ -408,8 +411,7 @@ |
408 | 411 | return cnt; |
409 | 412 | } |
410 | 413 | |
411 | -struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *); | |
412 | -void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *); | |
414 | +struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *); | |
413 | 415 | |
414 | 416 | #ifdef CONFIG_COMPAT |
415 | 417 | #include <net/compat.h> |
include/linux/netfilter_arp/arp_tables.h
... | ... | @@ -48,10 +48,11 @@ |
48 | 48 | } |
49 | 49 | |
50 | 50 | extern void *arpt_alloc_initial_table(const struct xt_table *); |
51 | -extern struct xt_table *arpt_register_table(struct net *net, | |
52 | - const struct xt_table *table, | |
53 | - const struct arpt_replace *repl); | |
54 | -extern void arpt_unregister_table(struct xt_table *table); | |
51 | +int arpt_register_table(struct net *net, const struct xt_table *table, | |
52 | + const struct arpt_replace *repl, | |
53 | + const struct nf_hook_ops *ops, struct xt_table **res); | |
54 | +void arpt_unregister_table(struct net *net, struct xt_table *table, | |
55 | + const struct nf_hook_ops *ops); | |
55 | 56 | extern unsigned int arpt_do_table(struct sk_buff *skb, |
56 | 57 | const struct nf_hook_state *state, |
57 | 58 | struct xt_table *table); |
include/linux/netfilter_ipv4/ip_tables.h
... | ... | @@ -24,10 +24,11 @@ |
24 | 24 | |
25 | 25 | extern void ipt_init(void) __init; |
26 | 26 | |
27 | -extern struct xt_table *ipt_register_table(struct net *net, | |
28 | - const struct xt_table *table, | |
29 | - const struct ipt_replace *repl); | |
30 | -extern void ipt_unregister_table(struct net *net, struct xt_table *table); | |
27 | +int ipt_register_table(struct net *net, const struct xt_table *table, | |
28 | + const struct ipt_replace *repl, | |
29 | + const struct nf_hook_ops *ops, struct xt_table **res); | |
30 | +void ipt_unregister_table(struct net *net, struct xt_table *table, | |
31 | + const struct nf_hook_ops *ops); | |
31 | 32 | |
32 | 33 | /* Standard entry. */ |
33 | 34 | struct ipt_standard { |
include/linux/netfilter_ipv6/ip6_tables.h
... | ... | @@ -25,10 +25,11 @@ |
25 | 25 | extern void ip6t_init(void) __init; |
26 | 26 | |
27 | 27 | extern void *ip6t_alloc_initial_table(const struct xt_table *); |
28 | -extern struct xt_table *ip6t_register_table(struct net *net, | |
29 | - const struct xt_table *table, | |
30 | - const struct ip6t_replace *repl); | |
31 | -extern void ip6t_unregister_table(struct net *net, struct xt_table *table); | |
28 | +int ip6t_register_table(struct net *net, const struct xt_table *table, | |
29 | + const struct ip6t_replace *repl, | |
30 | + const struct nf_hook_ops *ops, struct xt_table **res); | |
31 | +void ip6t_unregister_table(struct net *net, struct xt_table *table, | |
32 | + const struct nf_hook_ops *ops); | |
32 | 33 | extern unsigned int ip6t_do_table(struct sk_buff *skb, |
33 | 34 | const struct nf_hook_state *state, |
34 | 35 | struct xt_table *table); |
include/net/netfilter/nft_masq.h
include/uapi/linux/netfilter/nf_tables.h
... | ... | @@ -681,6 +681,7 @@ |
681 | 681 | * @NFT_META_IIFGROUP: packet input interface group |
682 | 682 | * @NFT_META_OIFGROUP: packet output interface group |
683 | 683 | * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) |
684 | + * @NFT_META_PRANDOM: a 32bit pseudo-random number | |
684 | 685 | */ |
685 | 686 | enum nft_meta_keys { |
686 | 687 | NFT_META_LEN, |
... | ... | @@ -707,6 +708,7 @@ |
707 | 708 | NFT_META_IIFGROUP, |
708 | 709 | NFT_META_OIFGROUP, |
709 | 710 | NFT_META_CGROUP, |
711 | + NFT_META_PRANDOM, | |
710 | 712 | }; |
711 | 713 | |
712 | 714 | /** |
713 | 715 | |
... | ... | @@ -949,10 +951,14 @@ |
949 | 951 | * enum nft_masq_attributes - nf_tables masquerade expression attributes |
950 | 952 | * |
951 | 953 | * @NFTA_MASQ_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32) |
954 | + * @NFTA_MASQ_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) | |
955 | + * @NFTA_MASQ_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) | |
952 | 956 | */ |
953 | 957 | enum nft_masq_attributes { |
954 | 958 | NFTA_MASQ_UNSPEC, |
955 | 959 | NFTA_MASQ_FLAGS, |
960 | + NFTA_MASQ_REG_PROTO_MIN, | |
961 | + NFTA_MASQ_REG_PROTO_MAX, | |
956 | 962 | __NFTA_MASQ_MAX |
957 | 963 | }; |
958 | 964 | #define NFTA_MASQ_MAX (__NFTA_MASQ_MAX - 1) |
lib/random32.c
net/bridge/br_netfilter_hooks.c
... | ... | @@ -37,6 +37,7 @@ |
37 | 37 | #include <net/addrconf.h> |
38 | 38 | #include <net/route.h> |
39 | 39 | #include <net/netfilter/br_netfilter.h> |
40 | +#include <net/netns/generic.h> | |
40 | 41 | |
41 | 42 | #include <asm/uaccess.h> |
42 | 43 | #include "br_private.h" |
... | ... | @@ -44,6 +45,12 @@ |
44 | 45 | #include <linux/sysctl.h> |
45 | 46 | #endif |
46 | 47 | |
48 | +static int brnf_net_id __read_mostly; | |
49 | + | |
50 | +struct brnf_net { | |
51 | + bool enabled; | |
52 | +}; | |
53 | + | |
47 | 54 | #ifdef CONFIG_SYSCTL |
48 | 55 | static struct ctl_table_header *brnf_sysctl_header; |
49 | 56 | static int brnf_call_iptables __read_mostly = 1; |
... | ... | @@ -938,6 +945,53 @@ |
938 | 945 | }, |
939 | 946 | }; |
940 | 947 | |
948 | +static int brnf_device_event(struct notifier_block *unused, unsigned long event, | |
949 | + void *ptr) | |
950 | +{ | |
951 | + struct net_device *dev = netdev_notifier_info_to_dev(ptr); | |
952 | + struct brnf_net *brnet; | |
953 | + struct net *net; | |
954 | + int ret; | |
955 | + | |
956 | + if (event != NETDEV_REGISTER || !(dev->priv_flags & IFF_EBRIDGE)) | |
957 | + return NOTIFY_DONE; | |
958 | + | |
959 | + ASSERT_RTNL(); | |
960 | + | |
961 | + net = dev_net(dev); | |
962 | + brnet = net_generic(net, brnf_net_id); | |
963 | + if (brnet->enabled) | |
964 | + return NOTIFY_OK; | |
965 | + | |
966 | + ret = nf_register_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops)); | |
967 | + if (ret) | |
968 | + return NOTIFY_BAD; | |
969 | + | |
970 | + brnet->enabled = true; | |
971 | + return NOTIFY_OK; | |
972 | +} | |
973 | + | |
974 | +static void __net_exit brnf_exit_net(struct net *net) | |
975 | +{ | |
976 | + struct brnf_net *brnet = net_generic(net, brnf_net_id); | |
977 | + | |
978 | + if (!brnet->enabled) | |
979 | + return; | |
980 | + | |
981 | + nf_unregister_net_hooks(net, br_nf_ops, ARRAY_SIZE(br_nf_ops)); | |
982 | + brnet->enabled = false; | |
983 | +} | |
984 | + | |
985 | +static struct pernet_operations brnf_net_ops __read_mostly = { | |
986 | + .exit = brnf_exit_net, | |
987 | + .id = &brnf_net_id, | |
988 | + .size = sizeof(struct brnf_net), | |
989 | +}; | |
990 | + | |
991 | +static struct notifier_block brnf_notifier __read_mostly = { | |
992 | + .notifier_call = brnf_device_event, | |
993 | +}; | |
994 | + | |
941 | 995 | #ifdef CONFIG_SYSCTL |
942 | 996 | static |
943 | 997 | int brnf_sysctl_call_tables(struct ctl_table *ctl, int write, |
944 | 998 | |
945 | 999 | |
... | ... | @@ -1003,16 +1057,23 @@ |
1003 | 1057 | { |
1004 | 1058 | int ret; |
1005 | 1059 | |
1006 | - ret = nf_register_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops)); | |
1060 | + ret = register_pernet_subsys(&brnf_net_ops); | |
1007 | 1061 | if (ret < 0) |
1008 | 1062 | return ret; |
1009 | 1063 | |
1064 | + ret = register_netdevice_notifier(&brnf_notifier); | |
1065 | + if (ret < 0) { | |
1066 | + unregister_pernet_subsys(&brnf_net_ops); | |
1067 | + return ret; | |
1068 | + } | |
1069 | + | |
1010 | 1070 | #ifdef CONFIG_SYSCTL |
1011 | 1071 | brnf_sysctl_header = register_net_sysctl(&init_net, "net/bridge", brnf_table); |
1012 | 1072 | if (brnf_sysctl_header == NULL) { |
1013 | 1073 | printk(KERN_WARNING |
1014 | 1074 | "br_netfilter: can't register to sysctl.\n"); |
1015 | - nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops)); | |
1075 | + unregister_netdevice_notifier(&brnf_notifier); | |
1076 | + unregister_pernet_subsys(&brnf_net_ops); | |
1016 | 1077 | return -ENOMEM; |
1017 | 1078 | } |
1018 | 1079 | #endif |
... | ... | @@ -1024,7 +1085,8 @@ |
1024 | 1085 | static void __exit br_netfilter_fini(void) |
1025 | 1086 | { |
1026 | 1087 | RCU_INIT_POINTER(nf_br_ops, NULL); |
1027 | - nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops)); | |
1088 | + unregister_netdevice_notifier(&brnf_notifier); | |
1089 | + unregister_pernet_subsys(&brnf_net_ops); | |
1028 | 1090 | #ifdef CONFIG_SYSCTL |
1029 | 1091 | unregister_net_sysctl_table(brnf_sysctl_header); |
1030 | 1092 | #endif |
net/ipv4/netfilter/arp_tables.c
... | ... | @@ -1780,10 +1780,30 @@ |
1780 | 1780 | return ret; |
1781 | 1781 | } |
1782 | 1782 | |
1783 | -struct xt_table *arpt_register_table(struct net *net, | |
1784 | - const struct xt_table *table, | |
1785 | - const struct arpt_replace *repl) | |
1783 | +static void __arpt_unregister_table(struct xt_table *table) | |
1786 | 1784 | { |
1785 | + struct xt_table_info *private; | |
1786 | + void *loc_cpu_entry; | |
1787 | + struct module *table_owner = table->me; | |
1788 | + struct arpt_entry *iter; | |
1789 | + | |
1790 | + private = xt_unregister_table(table); | |
1791 | + | |
1792 | + /* Decrease module usage counts and free resources */ | |
1793 | + loc_cpu_entry = private->entries; | |
1794 | + xt_entry_foreach(iter, loc_cpu_entry, private->size) | |
1795 | + cleanup_entry(iter); | |
1796 | + if (private->number > private->initial_entries) | |
1797 | + module_put(table_owner); | |
1798 | + xt_free_table_info(private); | |
1799 | +} | |
1800 | + | |
1801 | +int arpt_register_table(struct net *net, | |
1802 | + const struct xt_table *table, | |
1803 | + const struct arpt_replace *repl, | |
1804 | + const struct nf_hook_ops *ops, | |
1805 | + struct xt_table **res) | |
1806 | +{ | |
1787 | 1807 | int ret; |
1788 | 1808 | struct xt_table_info *newinfo; |
1789 | 1809 | struct xt_table_info bootstrap = {0}; |
... | ... | @@ -1791,10 +1811,8 @@ |
1791 | 1811 | struct xt_table *new_table; |
1792 | 1812 | |
1793 | 1813 | newinfo = xt_alloc_table_info(repl->size); |
1794 | - if (!newinfo) { | |
1795 | - ret = -ENOMEM; | |
1796 | - goto out; | |
1797 | - } | |
1814 | + if (!newinfo) | |
1815 | + return -ENOMEM; | |
1798 | 1816 | |
1799 | 1817 | loc_cpu_entry = newinfo->entries; |
1800 | 1818 | memcpy(loc_cpu_entry, repl->entries, repl->size); |
1801 | 1819 | |
1802 | 1820 | |
1803 | 1821 | |
1804 | 1822 | |
... | ... | @@ -1809,30 +1827,28 @@ |
1809 | 1827 | ret = PTR_ERR(new_table); |
1810 | 1828 | goto out_free; |
1811 | 1829 | } |
1812 | - return new_table; | |
1813 | 1830 | |
1831 | + /* set res now, will see skbs right after nf_register_net_hooks */ | |
1832 | + WRITE_ONCE(*res, new_table); | |
1833 | + | |
1834 | + ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks)); | |
1835 | + if (ret != 0) { | |
1836 | + __arpt_unregister_table(new_table); | |
1837 | + *res = NULL; | |
1838 | + } | |
1839 | + | |
1840 | + return ret; | |
1841 | + | |
1814 | 1842 | out_free: |
1815 | 1843 | xt_free_table_info(newinfo); |
1816 | -out: | |
1817 | - return ERR_PTR(ret); | |
1844 | + return ret; | |
1818 | 1845 | } |
1819 | 1846 | |
1820 | -void arpt_unregister_table(struct xt_table *table) | |
1847 | +void arpt_unregister_table(struct net *net, struct xt_table *table, | |
1848 | + const struct nf_hook_ops *ops) | |
1821 | 1849 | { |
1822 | - struct xt_table_info *private; | |
1823 | - void *loc_cpu_entry; | |
1824 | - struct module *table_owner = table->me; | |
1825 | - struct arpt_entry *iter; | |
1826 | - | |
1827 | - private = xt_unregister_table(table); | |
1828 | - | |
1829 | - /* Decrease module usage counts and free resources */ | |
1830 | - loc_cpu_entry = private->entries; | |
1831 | - xt_entry_foreach(iter, loc_cpu_entry, private->size) | |
1832 | - cleanup_entry(iter); | |
1833 | - if (private->number > private->initial_entries) | |
1834 | - module_put(table_owner); | |
1835 | - xt_free_table_info(private); | |
1850 | + nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); | |
1851 | + __arpt_unregister_table(table); | |
1836 | 1852 | } |
1837 | 1853 | |
1838 | 1854 | /* The built-in targets: standard (NULL) and error. */ |
net/ipv4/netfilter/arptable_filter.c
... | ... | @@ -17,12 +17,15 @@ |
17 | 17 | #define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \ |
18 | 18 | (1 << NF_ARP_FORWARD)) |
19 | 19 | |
20 | +static int __net_init arptable_filter_table_init(struct net *net); | |
21 | + | |
20 | 22 | static const struct xt_table packet_filter = { |
21 | 23 | .name = "filter", |
22 | 24 | .valid_hooks = FILTER_VALID_HOOKS, |
23 | 25 | .me = THIS_MODULE, |
24 | 26 | .af = NFPROTO_ARP, |
25 | 27 | .priority = NF_IP_PRI_FILTER, |
28 | + .table_init = arptable_filter_table_init, | |
26 | 29 | }; |
27 | 30 | |
28 | 31 | /* The work comes in here from netfilter.c */ |
29 | 32 | |
30 | 33 | |
31 | 34 | |
32 | 35 | |
33 | 36 | |
... | ... | @@ -35,26 +38,32 @@ |
35 | 38 | |
36 | 39 | static struct nf_hook_ops *arpfilter_ops __read_mostly; |
37 | 40 | |
38 | -static int __net_init arptable_filter_net_init(struct net *net) | |
41 | +static int __net_init arptable_filter_table_init(struct net *net) | |
39 | 42 | { |
40 | 43 | struct arpt_replace *repl; |
41 | - | |
44 | + int err; | |
45 | + | |
46 | + if (net->ipv4.arptable_filter) | |
47 | + return 0; | |
48 | + | |
42 | 49 | repl = arpt_alloc_initial_table(&packet_filter); |
43 | 50 | if (repl == NULL) |
44 | 51 | return -ENOMEM; |
45 | - net->ipv4.arptable_filter = | |
46 | - arpt_register_table(net, &packet_filter, repl); | |
52 | + err = arpt_register_table(net, &packet_filter, repl, arpfilter_ops, | |
53 | + &net->ipv4.arptable_filter); | |
47 | 54 | kfree(repl); |
48 | - return PTR_ERR_OR_ZERO(net->ipv4.arptable_filter); | |
55 | + return err; | |
49 | 56 | } |
50 | 57 | |
51 | 58 | static void __net_exit arptable_filter_net_exit(struct net *net) |
52 | 59 | { |
53 | - arpt_unregister_table(net->ipv4.arptable_filter); | |
60 | + if (!net->ipv4.arptable_filter) | |
61 | + return; | |
62 | + arpt_unregister_table(net, net->ipv4.arptable_filter, arpfilter_ops); | |
63 | + net->ipv4.arptable_filter = NULL; | |
54 | 64 | } |
55 | 65 | |
56 | 66 | static struct pernet_operations arptable_filter_net_ops = { |
57 | - .init = arptable_filter_net_init, | |
58 | 67 | .exit = arptable_filter_net_exit, |
59 | 68 | }; |
60 | 69 | |
61 | 70 | |
62 | 71 | |
63 | 72 | |
64 | 73 | |
65 | 74 | |
66 | 75 | |
... | ... | @@ -62,26 +71,23 @@ |
62 | 71 | { |
63 | 72 | int ret; |
64 | 73 | |
74 | + arpfilter_ops = xt_hook_ops_alloc(&packet_filter, arptable_filter_hook); | |
75 | + if (IS_ERR(arpfilter_ops)) | |
76 | + return PTR_ERR(arpfilter_ops); | |
77 | + | |
65 | 78 | ret = register_pernet_subsys(&arptable_filter_net_ops); |
66 | - if (ret < 0) | |
79 | + if (ret < 0) { | |
80 | + kfree(arpfilter_ops); | |
67 | 81 | return ret; |
68 | - | |
69 | - arpfilter_ops = xt_hook_link(&packet_filter, arptable_filter_hook); | |
70 | - if (IS_ERR(arpfilter_ops)) { | |
71 | - ret = PTR_ERR(arpfilter_ops); | |
72 | - goto cleanup_table; | |
73 | 82 | } |
74 | - return ret; | |
75 | 83 | |
76 | -cleanup_table: | |
77 | - unregister_pernet_subsys(&arptable_filter_net_ops); | |
78 | 84 | return ret; |
79 | 85 | } |
80 | 86 | |
81 | 87 | static void __exit arptable_filter_fini(void) |
82 | 88 | { |
83 | - xt_hook_unlink(&packet_filter, arpfilter_ops); | |
84 | 89 | unregister_pernet_subsys(&arptable_filter_net_ops); |
90 | + kfree(arpfilter_ops); | |
85 | 91 | } |
86 | 92 | |
87 | 93 | module_init(arptable_filter_init); |
net/ipv4/netfilter/ip_tables.c
... | ... | @@ -2062,10 +2062,28 @@ |
2062 | 2062 | return ret; |
2063 | 2063 | } |
2064 | 2064 | |
2065 | -struct xt_table *ipt_register_table(struct net *net, | |
2066 | - const struct xt_table *table, | |
2067 | - const struct ipt_replace *repl) | |
2065 | +static void __ipt_unregister_table(struct net *net, struct xt_table *table) | |
2068 | 2066 | { |
2067 | + struct xt_table_info *private; | |
2068 | + void *loc_cpu_entry; | |
2069 | + struct module *table_owner = table->me; | |
2070 | + struct ipt_entry *iter; | |
2071 | + | |
2072 | + private = xt_unregister_table(table); | |
2073 | + | |
2074 | + /* Decrease module usage counts and free resources */ | |
2075 | + loc_cpu_entry = private->entries; | |
2076 | + xt_entry_foreach(iter, loc_cpu_entry, private->size) | |
2077 | + cleanup_entry(iter, net); | |
2078 | + if (private->number > private->initial_entries) | |
2079 | + module_put(table_owner); | |
2080 | + xt_free_table_info(private); | |
2081 | +} | |
2082 | + | |
2083 | +int ipt_register_table(struct net *net, const struct xt_table *table, | |
2084 | + const struct ipt_replace *repl, | |
2085 | + const struct nf_hook_ops *ops, struct xt_table **res) | |
2086 | +{ | |
2069 | 2087 | int ret; |
2070 | 2088 | struct xt_table_info *newinfo; |
2071 | 2089 | struct xt_table_info bootstrap = {0}; |
... | ... | @@ -2073,10 +2091,8 @@ |
2073 | 2091 | struct xt_table *new_table; |
2074 | 2092 | |
2075 | 2093 | newinfo = xt_alloc_table_info(repl->size); |
2076 | - if (!newinfo) { | |
2077 | - ret = -ENOMEM; | |
2078 | - goto out; | |
2079 | - } | |
2094 | + if (!newinfo) | |
2095 | + return -ENOMEM; | |
2080 | 2096 | |
2081 | 2097 | loc_cpu_entry = newinfo->entries; |
2082 | 2098 | memcpy(loc_cpu_entry, repl->entries, repl->size); |
2083 | 2099 | |
2084 | 2100 | |
2085 | 2101 | |
2086 | 2102 | |
... | ... | @@ -2091,30 +2107,27 @@ |
2091 | 2107 | goto out_free; |
2092 | 2108 | } |
2093 | 2109 | |
2094 | - return new_table; | |
2110 | + /* set res now, will see skbs right after nf_register_net_hooks */ | |
2111 | + WRITE_ONCE(*res, new_table); | |
2095 | 2112 | |
2113 | + ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks)); | |
2114 | + if (ret != 0) { | |
2115 | + __ipt_unregister_table(net, new_table); | |
2116 | + *res = NULL; | |
2117 | + } | |
2118 | + | |
2119 | + return ret; | |
2120 | + | |
2096 | 2121 | out_free: |
2097 | 2122 | xt_free_table_info(newinfo); |
2098 | -out: | |
2099 | - return ERR_PTR(ret); | |
2123 | + return ret; | |
2100 | 2124 | } |
2101 | 2125 | |
2102 | -void ipt_unregister_table(struct net *net, struct xt_table *table) | |
2126 | +void ipt_unregister_table(struct net *net, struct xt_table *table, | |
2127 | + const struct nf_hook_ops *ops) | |
2103 | 2128 | { |
2104 | - struct xt_table_info *private; | |
2105 | - void *loc_cpu_entry; | |
2106 | - struct module *table_owner = table->me; | |
2107 | - struct ipt_entry *iter; | |
2108 | - | |
2109 | - private = xt_unregister_table(table); | |
2110 | - | |
2111 | - /* Decrease module usage counts and free resources */ | |
2112 | - loc_cpu_entry = private->entries; | |
2113 | - xt_entry_foreach(iter, loc_cpu_entry, private->size) | |
2114 | - cleanup_entry(iter, net); | |
2115 | - if (private->number > private->initial_entries) | |
2116 | - module_put(table_owner); | |
2117 | - xt_free_table_info(private); | |
2129 | + nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); | |
2130 | + __ipt_unregister_table(net, table); | |
2118 | 2131 | } |
2119 | 2132 | |
2120 | 2133 | /* Returns 1 if the type and code is matched by the range, 0 otherwise */ |
net/ipv4/netfilter/iptable_filter.c
... | ... | @@ -23,6 +23,7 @@ |
23 | 23 | #define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) | \ |
24 | 24 | (1 << NF_INET_FORWARD) | \ |
25 | 25 | (1 << NF_INET_LOCAL_OUT)) |
26 | +static int __net_init iptable_filter_table_init(struct net *net); | |
26 | 27 | |
27 | 28 | static const struct xt_table packet_filter = { |
28 | 29 | .name = "filter", |
... | ... | @@ -30,6 +31,7 @@ |
30 | 31 | .me = THIS_MODULE, |
31 | 32 | .af = NFPROTO_IPV4, |
32 | 33 | .priority = NF_IP_PRI_FILTER, |
34 | + .table_init = iptable_filter_table_init, | |
33 | 35 | }; |
34 | 36 | |
35 | 37 | static unsigned int |
36 | 38 | |
37 | 39 | |
38 | 40 | |
... | ... | @@ -48,13 +50,17 @@ |
48 | 50 | static struct nf_hook_ops *filter_ops __read_mostly; |
49 | 51 | |
50 | 52 | /* Default to forward because I got too much mail already. */ |
51 | -static bool forward = true; | |
53 | +static bool forward __read_mostly = true; | |
52 | 54 | module_param(forward, bool, 0000); |
53 | 55 | |
54 | -static int __net_init iptable_filter_net_init(struct net *net) | |
56 | +static int __net_init iptable_filter_table_init(struct net *net) | |
55 | 57 | { |
56 | 58 | struct ipt_replace *repl; |
59 | + int err; | |
57 | 60 | |
61 | + if (net->ipv4.iptable_filter) | |
62 | + return 0; | |
63 | + | |
58 | 64 | repl = ipt_alloc_initial_table(&packet_filter); |
59 | 65 | if (repl == NULL) |
60 | 66 | return -ENOMEM; |
61 | 67 | |
62 | 68 | |
63 | 69 | |
... | ... | @@ -62,15 +68,26 @@ |
62 | 68 | ((struct ipt_standard *)repl->entries)[1].target.verdict = |
63 | 69 | forward ? -NF_ACCEPT - 1 : -NF_DROP - 1; |
64 | 70 | |
65 | - net->ipv4.iptable_filter = | |
66 | - ipt_register_table(net, &packet_filter, repl); | |
71 | + err = ipt_register_table(net, &packet_filter, repl, filter_ops, | |
72 | + &net->ipv4.iptable_filter); | |
67 | 73 | kfree(repl); |
68 | - return PTR_ERR_OR_ZERO(net->ipv4.iptable_filter); | |
74 | + return err; | |
69 | 75 | } |
70 | 76 | |
77 | +static int __net_init iptable_filter_net_init(struct net *net) | |
78 | +{ | |
79 | + if (net == &init_net || !forward) | |
80 | + return iptable_filter_table_init(net); | |
81 | + | |
82 | + return 0; | |
83 | +} | |
84 | + | |
71 | 85 | static void __net_exit iptable_filter_net_exit(struct net *net) |
72 | 86 | { |
73 | - ipt_unregister_table(net, net->ipv4.iptable_filter); | |
87 | + if (!net->ipv4.iptable_filter) | |
88 | + return; | |
89 | + ipt_unregister_table(net, net->ipv4.iptable_filter, filter_ops); | |
90 | + net->ipv4.iptable_filter = NULL; | |
74 | 91 | } |
75 | 92 | |
76 | 93 | static struct pernet_operations iptable_filter_net_ops = { |
77 | 94 | |
78 | 95 | |
79 | 96 | |
80 | 97 | |
... | ... | @@ -82,24 +99,21 @@ |
82 | 99 | { |
83 | 100 | int ret; |
84 | 101 | |
102 | + filter_ops = xt_hook_ops_alloc(&packet_filter, iptable_filter_hook); | |
103 | + if (IS_ERR(filter_ops)) | |
104 | + return PTR_ERR(filter_ops); | |
105 | + | |
85 | 106 | ret = register_pernet_subsys(&iptable_filter_net_ops); |
86 | 107 | if (ret < 0) |
87 | - return ret; | |
108 | + kfree(filter_ops); | |
88 | 109 | |
89 | - /* Register hooks */ | |
90 | - filter_ops = xt_hook_link(&packet_filter, iptable_filter_hook); | |
91 | - if (IS_ERR(filter_ops)) { | |
92 | - ret = PTR_ERR(filter_ops); | |
93 | - unregister_pernet_subsys(&iptable_filter_net_ops); | |
94 | - } | |
95 | - | |
96 | 110 | return ret; |
97 | 111 | } |
98 | 112 | |
99 | 113 | static void __exit iptable_filter_fini(void) |
100 | 114 | { |
101 | - xt_hook_unlink(&packet_filter, filter_ops); | |
102 | 115 | unregister_pernet_subsys(&iptable_filter_net_ops); |
116 | + kfree(filter_ops); | |
103 | 117 | } |
104 | 118 | |
105 | 119 | module_init(iptable_filter_init); |
net/ipv4/netfilter/iptable_mangle.c
... | ... | @@ -28,12 +28,15 @@ |
28 | 28 | (1 << NF_INET_LOCAL_OUT) | \ |
29 | 29 | (1 << NF_INET_POST_ROUTING)) |
30 | 30 | |
31 | +static int __net_init iptable_mangle_table_init(struct net *net); | |
32 | + | |
31 | 33 | static const struct xt_table packet_mangler = { |
32 | 34 | .name = "mangle", |
33 | 35 | .valid_hooks = MANGLE_VALID_HOOKS, |
34 | 36 | .me = THIS_MODULE, |
35 | 37 | .af = NFPROTO_IPV4, |
36 | 38 | .priority = NF_IP_PRI_MANGLE, |
39 | + .table_init = iptable_mangle_table_init, | |
37 | 40 | }; |
38 | 41 | |
39 | 42 | static unsigned int |
40 | 43 | |
41 | 44 | |
42 | 45 | |
43 | 46 | |
44 | 47 | |
45 | 48 | |
... | ... | @@ -92,27 +95,32 @@ |
92 | 95 | } |
93 | 96 | |
94 | 97 | static struct nf_hook_ops *mangle_ops __read_mostly; |
95 | - | |
96 | -static int __net_init iptable_mangle_net_init(struct net *net) | |
98 | +static int __net_init iptable_mangle_table_init(struct net *net) | |
97 | 99 | { |
98 | 100 | struct ipt_replace *repl; |
101 | + int ret; | |
99 | 102 | |
103 | + if (net->ipv4.iptable_mangle) | |
104 | + return 0; | |
105 | + | |
100 | 106 | repl = ipt_alloc_initial_table(&packet_mangler); |
101 | 107 | if (repl == NULL) |
102 | 108 | return -ENOMEM; |
103 | - net->ipv4.iptable_mangle = | |
104 | - ipt_register_table(net, &packet_mangler, repl); | |
109 | + ret = ipt_register_table(net, &packet_mangler, repl, mangle_ops, | |
110 | + &net->ipv4.iptable_mangle); | |
105 | 111 | kfree(repl); |
106 | - return PTR_ERR_OR_ZERO(net->ipv4.iptable_mangle); | |
112 | + return ret; | |
107 | 113 | } |
108 | 114 | |
109 | 115 | static void __net_exit iptable_mangle_net_exit(struct net *net) |
110 | 116 | { |
111 | - ipt_unregister_table(net, net->ipv4.iptable_mangle); | |
117 | + if (!net->ipv4.iptable_mangle) | |
118 | + return; | |
119 | + ipt_unregister_table(net, net->ipv4.iptable_mangle, mangle_ops); | |
120 | + net->ipv4.iptable_mangle = NULL; | |
112 | 121 | } |
113 | 122 | |
114 | 123 | static struct pernet_operations iptable_mangle_net_ops = { |
115 | - .init = iptable_mangle_net_init, | |
116 | 124 | .exit = iptable_mangle_net_exit, |
117 | 125 | }; |
118 | 126 | |
119 | 127 | |
120 | 128 | |
121 | 129 | |
122 | 130 | |
... | ... | @@ -120,15 +128,22 @@ |
120 | 128 | { |
121 | 129 | int ret; |
122 | 130 | |
131 | + mangle_ops = xt_hook_ops_alloc(&packet_mangler, iptable_mangle_hook); | |
132 | + if (IS_ERR(mangle_ops)) { | |
133 | + ret = PTR_ERR(mangle_ops); | |
134 | + return ret; | |
135 | + } | |
136 | + | |
123 | 137 | ret = register_pernet_subsys(&iptable_mangle_net_ops); |
124 | - if (ret < 0) | |
138 | + if (ret < 0) { | |
139 | + kfree(mangle_ops); | |
125 | 140 | return ret; |
141 | + } | |
126 | 142 | |
127 | - /* Register hooks */ | |
128 | - mangle_ops = xt_hook_link(&packet_mangler, iptable_mangle_hook); | |
129 | - if (IS_ERR(mangle_ops)) { | |
130 | - ret = PTR_ERR(mangle_ops); | |
143 | + ret = iptable_mangle_table_init(&init_net); | |
144 | + if (ret) { | |
131 | 145 | unregister_pernet_subsys(&iptable_mangle_net_ops); |
146 | + kfree(mangle_ops); | |
132 | 147 | } |
133 | 148 | |
134 | 149 | return ret; |
135 | 150 | |
... | ... | @@ -136,8 +151,8 @@ |
136 | 151 | |
137 | 152 | static void __exit iptable_mangle_fini(void) |
138 | 153 | { |
139 | - xt_hook_unlink(&packet_mangler, mangle_ops); | |
140 | 154 | unregister_pernet_subsys(&iptable_mangle_net_ops); |
155 | + kfree(mangle_ops); | |
141 | 156 | } |
142 | 157 | |
143 | 158 | module_init(iptable_mangle_init); |
net/ipv4/netfilter/iptable_nat.c
... | ... | @@ -18,6 +18,8 @@ |
18 | 18 | #include <net/netfilter/nf_nat_core.h> |
19 | 19 | #include <net/netfilter/nf_nat_l3proto.h> |
20 | 20 | |
21 | +static int __net_init iptable_nat_table_init(struct net *net); | |
22 | + | |
21 | 23 | static const struct xt_table nf_nat_ipv4_table = { |
22 | 24 | .name = "nat", |
23 | 25 | .valid_hooks = (1 << NF_INET_PRE_ROUTING) | |
... | ... | @@ -26,6 +28,7 @@ |
26 | 28 | (1 << NF_INET_LOCAL_IN), |
27 | 29 | .me = THIS_MODULE, |
28 | 30 | .af = NFPROTO_IPV4, |
31 | + .table_init = iptable_nat_table_init, | |
29 | 32 | }; |
30 | 33 | |
31 | 34 | static unsigned int iptable_nat_do_chain(void *priv, |
32 | 35 | |
33 | 36 | |
34 | 37 | |
35 | 38 | |
36 | 39 | |
37 | 40 | |
38 | 41 | |
39 | 42 | |
40 | 43 | |
41 | 44 | |
... | ... | @@ -95,50 +98,50 @@ |
95 | 98 | }, |
96 | 99 | }; |
97 | 100 | |
98 | -static int __net_init iptable_nat_net_init(struct net *net) | |
101 | +static int __net_init iptable_nat_table_init(struct net *net) | |
99 | 102 | { |
100 | 103 | struct ipt_replace *repl; |
104 | + int ret; | |
101 | 105 | |
106 | + if (net->ipv4.nat_table) | |
107 | + return 0; | |
108 | + | |
102 | 109 | repl = ipt_alloc_initial_table(&nf_nat_ipv4_table); |
103 | 110 | if (repl == NULL) |
104 | 111 | return -ENOMEM; |
105 | - net->ipv4.nat_table = ipt_register_table(net, &nf_nat_ipv4_table, repl); | |
112 | + ret = ipt_register_table(net, &nf_nat_ipv4_table, repl, | |
113 | + nf_nat_ipv4_ops, &net->ipv4.nat_table); | |
106 | 114 | kfree(repl); |
107 | - return PTR_ERR_OR_ZERO(net->ipv4.nat_table); | |
115 | + return ret; | |
108 | 116 | } |
109 | 117 | |
110 | 118 | static void __net_exit iptable_nat_net_exit(struct net *net) |
111 | 119 | { |
112 | - ipt_unregister_table(net, net->ipv4.nat_table); | |
120 | + if (!net->ipv4.nat_table) | |
121 | + return; | |
122 | + ipt_unregister_table(net, net->ipv4.nat_table, nf_nat_ipv4_ops); | |
123 | + net->ipv4.nat_table = NULL; | |
113 | 124 | } |
114 | 125 | |
115 | 126 | static struct pernet_operations iptable_nat_net_ops = { |
116 | - .init = iptable_nat_net_init, | |
117 | 127 | .exit = iptable_nat_net_exit, |
118 | 128 | }; |
119 | 129 | |
120 | 130 | static int __init iptable_nat_init(void) |
121 | 131 | { |
122 | - int err; | |
132 | + int ret = register_pernet_subsys(&iptable_nat_net_ops); | |
123 | 133 | |
124 | - err = register_pernet_subsys(&iptable_nat_net_ops); | |
125 | - if (err < 0) | |
126 | - goto err1; | |
134 | + if (ret) | |
135 | + return ret; | |
127 | 136 | |
128 | - err = nf_register_hooks(nf_nat_ipv4_ops, ARRAY_SIZE(nf_nat_ipv4_ops)); | |
129 | - if (err < 0) | |
130 | - goto err2; | |
131 | - return 0; | |
132 | - | |
133 | -err2: | |
134 | - unregister_pernet_subsys(&iptable_nat_net_ops); | |
135 | -err1: | |
136 | - return err; | |
137 | + ret = iptable_nat_table_init(&init_net); | |
138 | + if (ret) | |
139 | + unregister_pernet_subsys(&iptable_nat_net_ops); | |
140 | + return ret; | |
137 | 141 | } |
138 | 142 | |
139 | 143 | static void __exit iptable_nat_exit(void) |
140 | 144 | { |
141 | - nf_unregister_hooks(nf_nat_ipv4_ops, ARRAY_SIZE(nf_nat_ipv4_ops)); | |
142 | 145 | unregister_pernet_subsys(&iptable_nat_net_ops); |
143 | 146 | } |
144 | 147 |
net/ipv4/netfilter/iptable_raw.c
... | ... | @@ -10,12 +10,15 @@ |
10 | 10 | |
11 | 11 | #define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT)) |
12 | 12 | |
13 | +static int __net_init iptable_raw_table_init(struct net *net); | |
14 | + | |
13 | 15 | static const struct xt_table packet_raw = { |
14 | 16 | .name = "raw", |
15 | 17 | .valid_hooks = RAW_VALID_HOOKS, |
16 | 18 | .me = THIS_MODULE, |
17 | 19 | .af = NFPROTO_IPV4, |
18 | 20 | .priority = NF_IP_PRI_RAW, |
21 | + .table_init = iptable_raw_table_init, | |
19 | 22 | }; |
20 | 23 | |
21 | 24 | /* The work comes in here from netfilter.c. */ |
22 | 25 | |
23 | 26 | |
24 | 27 | |
25 | 28 | |
26 | 29 | |
27 | 30 | |
... | ... | @@ -34,26 +37,32 @@ |
34 | 37 | |
35 | 38 | static struct nf_hook_ops *rawtable_ops __read_mostly; |
36 | 39 | |
37 | -static int __net_init iptable_raw_net_init(struct net *net) | |
40 | +static int __net_init iptable_raw_table_init(struct net *net) | |
38 | 41 | { |
39 | 42 | struct ipt_replace *repl; |
43 | + int ret; | |
40 | 44 | |
45 | + if (net->ipv4.iptable_raw) | |
46 | + return 0; | |
47 | + | |
41 | 48 | repl = ipt_alloc_initial_table(&packet_raw); |
42 | 49 | if (repl == NULL) |
43 | 50 | return -ENOMEM; |
44 | - net->ipv4.iptable_raw = | |
45 | - ipt_register_table(net, &packet_raw, repl); | |
51 | + ret = ipt_register_table(net, &packet_raw, repl, rawtable_ops, | |
52 | + &net->ipv4.iptable_raw); | |
46 | 53 | kfree(repl); |
47 | - return PTR_ERR_OR_ZERO(net->ipv4.iptable_raw); | |
54 | + return ret; | |
48 | 55 | } |
49 | 56 | |
50 | 57 | static void __net_exit iptable_raw_net_exit(struct net *net) |
51 | 58 | { |
52 | - ipt_unregister_table(net, net->ipv4.iptable_raw); | |
59 | + if (!net->ipv4.iptable_raw) | |
60 | + return; | |
61 | + ipt_unregister_table(net, net->ipv4.iptable_raw, rawtable_ops); | |
62 | + net->ipv4.iptable_raw = NULL; | |
53 | 63 | } |
54 | 64 | |
55 | 65 | static struct pernet_operations iptable_raw_net_ops = { |
56 | - .init = iptable_raw_net_init, | |
57 | 66 | .exit = iptable_raw_net_exit, |
58 | 67 | }; |
59 | 68 | |
60 | 69 | |
61 | 70 | |
62 | 71 | |
63 | 72 | |
... | ... | @@ -61,15 +70,20 @@ |
61 | 70 | { |
62 | 71 | int ret; |
63 | 72 | |
73 | + rawtable_ops = xt_hook_ops_alloc(&packet_raw, iptable_raw_hook); | |
74 | + if (IS_ERR(rawtable_ops)) | |
75 | + return PTR_ERR(rawtable_ops); | |
76 | + | |
64 | 77 | ret = register_pernet_subsys(&iptable_raw_net_ops); |
65 | - if (ret < 0) | |
78 | + if (ret < 0) { | |
79 | + kfree(rawtable_ops); | |
66 | 80 | return ret; |
81 | + } | |
67 | 82 | |
68 | - /* Register hooks */ | |
69 | - rawtable_ops = xt_hook_link(&packet_raw, iptable_raw_hook); | |
70 | - if (IS_ERR(rawtable_ops)) { | |
71 | - ret = PTR_ERR(rawtable_ops); | |
83 | + ret = iptable_raw_table_init(&init_net); | |
84 | + if (ret) { | |
72 | 85 | unregister_pernet_subsys(&iptable_raw_net_ops); |
86 | + kfree(rawtable_ops); | |
73 | 87 | } |
74 | 88 | |
75 | 89 | return ret; |
76 | 90 | |
... | ... | @@ -77,8 +91,8 @@ |
77 | 91 | |
78 | 92 | static void __exit iptable_raw_fini(void) |
79 | 93 | { |
80 | - xt_hook_unlink(&packet_raw, rawtable_ops); | |
81 | 94 | unregister_pernet_subsys(&iptable_raw_net_ops); |
95 | + kfree(rawtable_ops); | |
82 | 96 | } |
83 | 97 | |
84 | 98 | module_init(iptable_raw_init); |
net/ipv4/netfilter/iptable_security.c
... | ... | @@ -28,12 +28,15 @@ |
28 | 28 | (1 << NF_INET_FORWARD) | \ |
29 | 29 | (1 << NF_INET_LOCAL_OUT) |
30 | 30 | |
31 | +static int __net_init iptable_security_table_init(struct net *net); | |
32 | + | |
31 | 33 | static const struct xt_table security_table = { |
32 | 34 | .name = "security", |
33 | 35 | .valid_hooks = SECURITY_VALID_HOOKS, |
34 | 36 | .me = THIS_MODULE, |
35 | 37 | .af = NFPROTO_IPV4, |
36 | 38 | .priority = NF_IP_PRI_SECURITY, |
39 | + .table_init = iptable_security_table_init, | |
37 | 40 | }; |
38 | 41 | |
39 | 42 | static unsigned int |
40 | 43 | |
41 | 44 | |
42 | 45 | |
43 | 46 | |
44 | 47 | |
45 | 48 | |
... | ... | @@ -51,26 +54,33 @@ |
51 | 54 | |
52 | 55 | static struct nf_hook_ops *sectbl_ops __read_mostly; |
53 | 56 | |
54 | -static int __net_init iptable_security_net_init(struct net *net) | |
57 | +static int __net_init iptable_security_table_init(struct net *net) | |
55 | 58 | { |
56 | 59 | struct ipt_replace *repl; |
60 | + int ret; | |
57 | 61 | |
62 | + if (net->ipv4.iptable_security) | |
63 | + return 0; | |
64 | + | |
58 | 65 | repl = ipt_alloc_initial_table(&security_table); |
59 | 66 | if (repl == NULL) |
60 | 67 | return -ENOMEM; |
61 | - net->ipv4.iptable_security = | |
62 | - ipt_register_table(net, &security_table, repl); | |
68 | + ret = ipt_register_table(net, &security_table, repl, sectbl_ops, | |
69 | + &net->ipv4.iptable_security); | |
63 | 70 | kfree(repl); |
64 | - return PTR_ERR_OR_ZERO(net->ipv4.iptable_security); | |
71 | + return ret; | |
65 | 72 | } |
66 | 73 | |
67 | 74 | static void __net_exit iptable_security_net_exit(struct net *net) |
68 | 75 | { |
69 | - ipt_unregister_table(net, net->ipv4.iptable_security); | |
76 | + if (!net->ipv4.iptable_security) | |
77 | + return; | |
78 | + | |
79 | + ipt_unregister_table(net, net->ipv4.iptable_security, sectbl_ops); | |
80 | + net->ipv4.iptable_security = NULL; | |
70 | 81 | } |
71 | 82 | |
72 | 83 | static struct pernet_operations iptable_security_net_ops = { |
73 | - .init = iptable_security_net_init, | |
74 | 84 | .exit = iptable_security_net_exit, |
75 | 85 | }; |
76 | 86 | |
77 | 87 | |
78 | 88 | |
79 | 89 | |
80 | 90 | |
81 | 91 | |
82 | 92 | |
... | ... | @@ -78,27 +88,29 @@ |
78 | 88 | { |
79 | 89 | int ret; |
80 | 90 | |
91 | + sectbl_ops = xt_hook_ops_alloc(&security_table, iptable_security_hook); | |
92 | + if (IS_ERR(sectbl_ops)) | |
93 | + return PTR_ERR(sectbl_ops); | |
94 | + | |
81 | 95 | ret = register_pernet_subsys(&iptable_security_net_ops); |
82 | - if (ret < 0) | |
96 | + if (ret < 0) { | |
97 | + kfree(sectbl_ops); | |
83 | 98 | return ret; |
99 | + } | |
84 | 100 | |
85 | - sectbl_ops = xt_hook_link(&security_table, iptable_security_hook); | |
86 | - if (IS_ERR(sectbl_ops)) { | |
87 | - ret = PTR_ERR(sectbl_ops); | |
88 | - goto cleanup_table; | |
101 | + ret = iptable_security_table_init(&init_net); | |
102 | + if (ret) { | |
103 | + unregister_pernet_subsys(&iptable_security_net_ops); | |
104 | + kfree(sectbl_ops); | |
89 | 105 | } |
90 | 106 | |
91 | 107 | return ret; |
92 | - | |
93 | -cleanup_table: | |
94 | - unregister_pernet_subsys(&iptable_security_net_ops); | |
95 | - return ret; | |
96 | 108 | } |
97 | 109 | |
98 | 110 | static void __exit iptable_security_fini(void) |
99 | 111 | { |
100 | - xt_hook_unlink(&security_table, sectbl_ops); | |
101 | 112 | unregister_pernet_subsys(&iptable_security_net_ops); |
113 | + kfree(sectbl_ops); | |
102 | 114 | } |
103 | 115 | |
104 | 116 | module_init(iptable_security_init); |
net/ipv4/netfilter/nf_defrag_ipv4.c
net/ipv4/netfilter/nft_masq_ipv4.c
... | ... | @@ -25,7 +25,12 @@ |
25 | 25 | |
26 | 26 | memset(&range, 0, sizeof(range)); |
27 | 27 | range.flags = priv->flags; |
28 | - | |
28 | + if (priv->sreg_proto_min) { | |
29 | + range.min_proto.all = | |
30 | + *(__be16 *)®s->data[priv->sreg_proto_min]; | |
31 | + range.max_proto.all = | |
32 | + *(__be16 *)®s->data[priv->sreg_proto_max]; | |
33 | + } | |
29 | 34 | regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, pkt->hook, |
30 | 35 | &range, pkt->out); |
31 | 36 | } |
net/ipv6/netfilter/ip6_tables.c
... | ... | @@ -2071,10 +2071,29 @@ |
2071 | 2071 | return ret; |
2072 | 2072 | } |
2073 | 2073 | |
2074 | -struct xt_table *ip6t_register_table(struct net *net, | |
2075 | - const struct xt_table *table, | |
2076 | - const struct ip6t_replace *repl) | |
2074 | +static void __ip6t_unregister_table(struct net *net, struct xt_table *table) | |
2077 | 2075 | { |
2076 | + struct xt_table_info *private; | |
2077 | + void *loc_cpu_entry; | |
2078 | + struct module *table_owner = table->me; | |
2079 | + struct ip6t_entry *iter; | |
2080 | + | |
2081 | + private = xt_unregister_table(table); | |
2082 | + | |
2083 | + /* Decrease module usage counts and free resources */ | |
2084 | + loc_cpu_entry = private->entries; | |
2085 | + xt_entry_foreach(iter, loc_cpu_entry, private->size) | |
2086 | + cleanup_entry(iter, net); | |
2087 | + if (private->number > private->initial_entries) | |
2088 | + module_put(table_owner); | |
2089 | + xt_free_table_info(private); | |
2090 | +} | |
2091 | + | |
2092 | +int ip6t_register_table(struct net *net, const struct xt_table *table, | |
2093 | + const struct ip6t_replace *repl, | |
2094 | + const struct nf_hook_ops *ops, | |
2095 | + struct xt_table **res) | |
2096 | +{ | |
2078 | 2097 | int ret; |
2079 | 2098 | struct xt_table_info *newinfo; |
2080 | 2099 | struct xt_table_info bootstrap = {0}; |
... | ... | @@ -2082,10 +2101,8 @@ |
2082 | 2101 | struct xt_table *new_table; |
2083 | 2102 | |
2084 | 2103 | newinfo = xt_alloc_table_info(repl->size); |
2085 | - if (!newinfo) { | |
2086 | - ret = -ENOMEM; | |
2087 | - goto out; | |
2088 | - } | |
2104 | + if (!newinfo) | |
2105 | + return -ENOMEM; | |
2089 | 2106 | |
2090 | 2107 | loc_cpu_entry = newinfo->entries; |
2091 | 2108 | memcpy(loc_cpu_entry, repl->entries, repl->size); |
2092 | 2109 | |
2093 | 2110 | |
2094 | 2111 | |
2095 | 2112 | |
... | ... | @@ -2099,30 +2116,28 @@ |
2099 | 2116 | ret = PTR_ERR(new_table); |
2100 | 2117 | goto out_free; |
2101 | 2118 | } |
2102 | - return new_table; | |
2103 | 2119 | |
2120 | + /* set res now, will see skbs right after nf_register_net_hooks */ | |
2121 | + WRITE_ONCE(*res, new_table); | |
2122 | + | |
2123 | + ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks)); | |
2124 | + if (ret != 0) { | |
2125 | + __ip6t_unregister_table(net, new_table); | |
2126 | + *res = NULL; | |
2127 | + } | |
2128 | + | |
2129 | + return ret; | |
2130 | + | |
2104 | 2131 | out_free: |
2105 | 2132 | xt_free_table_info(newinfo); |
2106 | -out: | |
2107 | - return ERR_PTR(ret); | |
2133 | + return ret; | |
2108 | 2134 | } |
2109 | 2135 | |
2110 | -void ip6t_unregister_table(struct net *net, struct xt_table *table) | |
2136 | +void ip6t_unregister_table(struct net *net, struct xt_table *table, | |
2137 | + const struct nf_hook_ops *ops) | |
2111 | 2138 | { |
2112 | - struct xt_table_info *private; | |
2113 | - void *loc_cpu_entry; | |
2114 | - struct module *table_owner = table->me; | |
2115 | - struct ip6t_entry *iter; | |
2116 | - | |
2117 | - private = xt_unregister_table(table); | |
2118 | - | |
2119 | - /* Decrease module usage counts and free resources */ | |
2120 | - loc_cpu_entry = private->entries; | |
2121 | - xt_entry_foreach(iter, loc_cpu_entry, private->size) | |
2122 | - cleanup_entry(iter, net); | |
2123 | - if (private->number > private->initial_entries) | |
2124 | - module_put(table_owner); | |
2125 | - xt_free_table_info(private); | |
2139 | + nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); | |
2140 | + __ip6t_unregister_table(net, table); | |
2126 | 2141 | } |
2127 | 2142 | |
2128 | 2143 | /* Returns 1 if the type and code is matched by the range, 0 otherwise */ |
net/ipv6/netfilter/ip6table_filter.c
... | ... | @@ -22,12 +22,15 @@ |
22 | 22 | (1 << NF_INET_FORWARD) | \ |
23 | 23 | (1 << NF_INET_LOCAL_OUT)) |
24 | 24 | |
25 | +static int __net_init ip6table_filter_table_init(struct net *net); | |
26 | + | |
25 | 27 | static const struct xt_table packet_filter = { |
26 | 28 | .name = "filter", |
27 | 29 | .valid_hooks = FILTER_VALID_HOOKS, |
28 | 30 | .me = THIS_MODULE, |
29 | 31 | .af = NFPROTO_IPV6, |
30 | 32 | .priority = NF_IP6_PRI_FILTER, |
33 | + .table_init = ip6table_filter_table_init, | |
31 | 34 | }; |
32 | 35 | |
33 | 36 | /* The work comes in here from netfilter.c. */ |
34 | 37 | |
35 | 38 | |
... | ... | @@ -44,10 +47,14 @@ |
44 | 47 | static bool forward = true; |
45 | 48 | module_param(forward, bool, 0000); |
46 | 49 | |
47 | -static int __net_init ip6table_filter_net_init(struct net *net) | |
50 | +static int __net_init ip6table_filter_table_init(struct net *net) | |
48 | 51 | { |
49 | 52 | struct ip6t_replace *repl; |
53 | + int err; | |
50 | 54 | |
55 | + if (net->ipv6.ip6table_filter) | |
56 | + return 0; | |
57 | + | |
51 | 58 | repl = ip6t_alloc_initial_table(&packet_filter); |
52 | 59 | if (repl == NULL) |
53 | 60 | return -ENOMEM; |
54 | 61 | |
55 | 62 | |
56 | 63 | |
... | ... | @@ -55,15 +62,26 @@ |
55 | 62 | ((struct ip6t_standard *)repl->entries)[1].target.verdict = |
56 | 63 | forward ? -NF_ACCEPT - 1 : -NF_DROP - 1; |
57 | 64 | |
58 | - net->ipv6.ip6table_filter = | |
59 | - ip6t_register_table(net, &packet_filter, repl); | |
65 | + err = ip6t_register_table(net, &packet_filter, repl, filter_ops, | |
66 | + &net->ipv6.ip6table_filter); | |
60 | 67 | kfree(repl); |
61 | - return PTR_ERR_OR_ZERO(net->ipv6.ip6table_filter); | |
68 | + return err; | |
62 | 69 | } |
63 | 70 | |
71 | +static int __net_init ip6table_filter_net_init(struct net *net) | |
72 | +{ | |
73 | + if (net == &init_net || !forward) | |
74 | + return ip6table_filter_table_init(net); | |
75 | + | |
76 | + return 0; | |
77 | +} | |
78 | + | |
64 | 79 | static void __net_exit ip6table_filter_net_exit(struct net *net) |
65 | 80 | { |
66 | - ip6t_unregister_table(net, net->ipv6.ip6table_filter); | |
81 | + if (!net->ipv6.ip6table_filter) | |
82 | + return; | |
83 | + ip6t_unregister_table(net, net->ipv6.ip6table_filter, filter_ops); | |
84 | + net->ipv6.ip6table_filter = NULL; | |
67 | 85 | } |
68 | 86 | |
69 | 87 | static struct pernet_operations ip6table_filter_net_ops = { |
70 | 88 | |
71 | 89 | |
72 | 90 | |
73 | 91 | |
74 | 92 | |
... | ... | @@ -75,28 +93,21 @@ |
75 | 93 | { |
76 | 94 | int ret; |
77 | 95 | |
96 | + filter_ops = xt_hook_ops_alloc(&packet_filter, ip6table_filter_hook); | |
97 | + if (IS_ERR(filter_ops)) | |
98 | + return PTR_ERR(filter_ops); | |
99 | + | |
78 | 100 | ret = register_pernet_subsys(&ip6table_filter_net_ops); |
79 | 101 | if (ret < 0) |
80 | - return ret; | |
102 | + kfree(filter_ops); | |
81 | 103 | |
82 | - /* Register hooks */ | |
83 | - filter_ops = xt_hook_link(&packet_filter, ip6table_filter_hook); | |
84 | - if (IS_ERR(filter_ops)) { | |
85 | - ret = PTR_ERR(filter_ops); | |
86 | - goto cleanup_table; | |
87 | - } | |
88 | - | |
89 | 104 | return ret; |
90 | - | |
91 | - cleanup_table: | |
92 | - unregister_pernet_subsys(&ip6table_filter_net_ops); | |
93 | - return ret; | |
94 | 105 | } |
95 | 106 | |
96 | 107 | static void __exit ip6table_filter_fini(void) |
97 | 108 | { |
98 | - xt_hook_unlink(&packet_filter, filter_ops); | |
99 | 109 | unregister_pernet_subsys(&ip6table_filter_net_ops); |
110 | + kfree(filter_ops); | |
100 | 111 | } |
101 | 112 | |
102 | 113 | module_init(ip6table_filter_init); |
net/ipv6/netfilter/ip6table_mangle.c
... | ... | @@ -23,12 +23,15 @@ |
23 | 23 | (1 << NF_INET_LOCAL_OUT) | \ |
24 | 24 | (1 << NF_INET_POST_ROUTING)) |
25 | 25 | |
26 | +static int __net_init ip6table_mangle_table_init(struct net *net); | |
27 | + | |
26 | 28 | static const struct xt_table packet_mangler = { |
27 | 29 | .name = "mangle", |
28 | 30 | .valid_hooks = MANGLE_VALID_HOOKS, |
29 | 31 | .me = THIS_MODULE, |
30 | 32 | .af = NFPROTO_IPV6, |
31 | 33 | .priority = NF_IP6_PRI_MANGLE, |
34 | + .table_init = ip6table_mangle_table_init, | |
32 | 35 | }; |
33 | 36 | |
34 | 37 | static unsigned int |
35 | 38 | |
36 | 39 | |
37 | 40 | |
38 | 41 | |
39 | 42 | |
40 | 43 | |
... | ... | @@ -88,26 +91,33 @@ |
88 | 91 | } |
89 | 92 | |
90 | 93 | static struct nf_hook_ops *mangle_ops __read_mostly; |
91 | -static int __net_init ip6table_mangle_net_init(struct net *net) | |
94 | +static int __net_init ip6table_mangle_table_init(struct net *net) | |
92 | 95 | { |
93 | 96 | struct ip6t_replace *repl; |
97 | + int ret; | |
94 | 98 | |
99 | + if (net->ipv6.ip6table_mangle) | |
100 | + return 0; | |
101 | + | |
95 | 102 | repl = ip6t_alloc_initial_table(&packet_mangler); |
96 | 103 | if (repl == NULL) |
97 | 104 | return -ENOMEM; |
98 | - net->ipv6.ip6table_mangle = | |
99 | - ip6t_register_table(net, &packet_mangler, repl); | |
105 | + ret = ip6t_register_table(net, &packet_mangler, repl, mangle_ops, | |
106 | + &net->ipv6.ip6table_mangle); | |
100 | 107 | kfree(repl); |
101 | - return PTR_ERR_OR_ZERO(net->ipv6.ip6table_mangle); | |
108 | + return ret; | |
102 | 109 | } |
103 | 110 | |
104 | 111 | static void __net_exit ip6table_mangle_net_exit(struct net *net) |
105 | 112 | { |
106 | - ip6t_unregister_table(net, net->ipv6.ip6table_mangle); | |
113 | + if (!net->ipv6.ip6table_mangle) | |
114 | + return; | |
115 | + | |
116 | + ip6t_unregister_table(net, net->ipv6.ip6table_mangle, mangle_ops); | |
117 | + net->ipv6.ip6table_mangle = NULL; | |
107 | 118 | } |
108 | 119 | |
109 | 120 | static struct pernet_operations ip6table_mangle_net_ops = { |
110 | - .init = ip6table_mangle_net_init, | |
111 | 121 | .exit = ip6table_mangle_net_exit, |
112 | 122 | }; |
113 | 123 | |
114 | 124 | |
115 | 125 | |
116 | 126 | |
117 | 127 | |
118 | 128 | |
119 | 129 | |
... | ... | @@ -115,28 +125,28 @@ |
115 | 125 | { |
116 | 126 | int ret; |
117 | 127 | |
128 | + mangle_ops = xt_hook_ops_alloc(&packet_mangler, ip6table_mangle_hook); | |
129 | + if (IS_ERR(mangle_ops)) | |
130 | + return PTR_ERR(mangle_ops); | |
131 | + | |
118 | 132 | ret = register_pernet_subsys(&ip6table_mangle_net_ops); |
119 | - if (ret < 0) | |
133 | + if (ret < 0) { | |
134 | + kfree(mangle_ops); | |
120 | 135 | return ret; |
121 | - | |
122 | - /* Register hooks */ | |
123 | - mangle_ops = xt_hook_link(&packet_mangler, ip6table_mangle_hook); | |
124 | - if (IS_ERR(mangle_ops)) { | |
125 | - ret = PTR_ERR(mangle_ops); | |
126 | - goto cleanup_table; | |
127 | 136 | } |
128 | 137 | |
138 | + ret = ip6table_mangle_table_init(&init_net); | |
139 | + if (ret) { | |
140 | + unregister_pernet_subsys(&ip6table_mangle_net_ops); | |
141 | + kfree(mangle_ops); | |
142 | + } | |
129 | 143 | return ret; |
130 | - | |
131 | - cleanup_table: | |
132 | - unregister_pernet_subsys(&ip6table_mangle_net_ops); | |
133 | - return ret; | |
134 | 144 | } |
135 | 145 | |
136 | 146 | static void __exit ip6table_mangle_fini(void) |
137 | 147 | { |
138 | - xt_hook_unlink(&packet_mangler, mangle_ops); | |
139 | 148 | unregister_pernet_subsys(&ip6table_mangle_net_ops); |
149 | + kfree(mangle_ops); | |
140 | 150 | } |
141 | 151 | |
142 | 152 | module_init(ip6table_mangle_init); |
net/ipv6/netfilter/ip6table_nat.c
... | ... | @@ -20,6 +20,8 @@ |
20 | 20 | #include <net/netfilter/nf_nat_core.h> |
21 | 21 | #include <net/netfilter/nf_nat_l3proto.h> |
22 | 22 | |
23 | +static int __net_init ip6table_nat_table_init(struct net *net); | |
24 | + | |
23 | 25 | static const struct xt_table nf_nat_ipv6_table = { |
24 | 26 | .name = "nat", |
25 | 27 | .valid_hooks = (1 << NF_INET_PRE_ROUTING) | |
... | ... | @@ -28,6 +30,7 @@ |
28 | 30 | (1 << NF_INET_LOCAL_IN), |
29 | 31 | .me = THIS_MODULE, |
30 | 32 | .af = NFPROTO_IPV6, |
33 | + .table_init = ip6table_nat_table_init, | |
31 | 34 | }; |
32 | 35 | |
33 | 36 | static unsigned int ip6table_nat_do_chain(void *priv, |
34 | 37 | |
35 | 38 | |
36 | 39 | |
37 | 40 | |
38 | 41 | |
39 | 42 | |
40 | 43 | |
41 | 44 | |
42 | 45 | |
43 | 46 | |
... | ... | @@ -97,50 +100,50 @@ |
97 | 100 | }, |
98 | 101 | }; |
99 | 102 | |
100 | -static int __net_init ip6table_nat_net_init(struct net *net) | |
103 | +static int __net_init ip6table_nat_table_init(struct net *net) | |
101 | 104 | { |
102 | 105 | struct ip6t_replace *repl; |
106 | + int ret; | |
103 | 107 | |
108 | + if (net->ipv6.ip6table_nat) | |
109 | + return 0; | |
110 | + | |
104 | 111 | repl = ip6t_alloc_initial_table(&nf_nat_ipv6_table); |
105 | 112 | if (repl == NULL) |
106 | 113 | return -ENOMEM; |
107 | - net->ipv6.ip6table_nat = ip6t_register_table(net, &nf_nat_ipv6_table, repl); | |
114 | + ret = ip6t_register_table(net, &nf_nat_ipv6_table, repl, | |
115 | + nf_nat_ipv6_ops, &net->ipv6.ip6table_nat); | |
108 | 116 | kfree(repl); |
109 | - return PTR_ERR_OR_ZERO(net->ipv6.ip6table_nat); | |
117 | + return ret; | |
110 | 118 | } |
111 | 119 | |
112 | 120 | static void __net_exit ip6table_nat_net_exit(struct net *net) |
113 | 121 | { |
114 | - ip6t_unregister_table(net, net->ipv6.ip6table_nat); | |
122 | + if (!net->ipv6.ip6table_nat) | |
123 | + return; | |
124 | + ip6t_unregister_table(net, net->ipv6.ip6table_nat, nf_nat_ipv6_ops); | |
125 | + net->ipv6.ip6table_nat = NULL; | |
115 | 126 | } |
116 | 127 | |
117 | 128 | static struct pernet_operations ip6table_nat_net_ops = { |
118 | - .init = ip6table_nat_net_init, | |
119 | 129 | .exit = ip6table_nat_net_exit, |
120 | 130 | }; |
121 | 131 | |
122 | 132 | static int __init ip6table_nat_init(void) |
123 | 133 | { |
124 | - int err; | |
134 | + int ret = register_pernet_subsys(&ip6table_nat_net_ops); | |
125 | 135 | |
126 | - err = register_pernet_subsys(&ip6table_nat_net_ops); | |
127 | - if (err < 0) | |
128 | - goto err1; | |
136 | + if (ret) | |
137 | + return ret; | |
129 | 138 | |
130 | - err = nf_register_hooks(nf_nat_ipv6_ops, ARRAY_SIZE(nf_nat_ipv6_ops)); | |
131 | - if (err < 0) | |
132 | - goto err2; | |
133 | - return 0; | |
134 | - | |
135 | -err2: | |
136 | - unregister_pernet_subsys(&ip6table_nat_net_ops); | |
137 | -err1: | |
138 | - return err; | |
139 | + ret = ip6table_nat_table_init(&init_net); | |
140 | + if (ret) | |
141 | + unregister_pernet_subsys(&ip6table_nat_net_ops); | |
142 | + return ret; | |
139 | 143 | } |
140 | 144 | |
141 | 145 | static void __exit ip6table_nat_exit(void) |
142 | 146 | { |
143 | - nf_unregister_hooks(nf_nat_ipv6_ops, ARRAY_SIZE(nf_nat_ipv6_ops)); | |
144 | 147 | unregister_pernet_subsys(&ip6table_nat_net_ops); |
145 | 148 | } |
146 | 149 |
net/ipv6/netfilter/ip6table_raw.c
... | ... | @@ -9,12 +9,15 @@ |
9 | 9 | |
10 | 10 | #define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT)) |
11 | 11 | |
12 | +static int __net_init ip6table_raw_table_init(struct net *net); | |
13 | + | |
12 | 14 | static const struct xt_table packet_raw = { |
13 | 15 | .name = "raw", |
14 | 16 | .valid_hooks = RAW_VALID_HOOKS, |
15 | 17 | .me = THIS_MODULE, |
16 | 18 | .af = NFPROTO_IPV6, |
17 | 19 | .priority = NF_IP6_PRI_RAW, |
20 | + .table_init = ip6table_raw_table_init, | |
18 | 21 | }; |
19 | 22 | |
20 | 23 | /* The work comes in here from netfilter.c. */ |
21 | 24 | |
22 | 25 | |
23 | 26 | |
24 | 27 | |
25 | 28 | |
26 | 29 | |
... | ... | @@ -27,26 +30,32 @@ |
27 | 30 | |
28 | 31 | static struct nf_hook_ops *rawtable_ops __read_mostly; |
29 | 32 | |
30 | -static int __net_init ip6table_raw_net_init(struct net *net) | |
33 | +static int __net_init ip6table_raw_table_init(struct net *net) | |
31 | 34 | { |
32 | 35 | struct ip6t_replace *repl; |
36 | + int ret; | |
33 | 37 | |
38 | + if (net->ipv6.ip6table_raw) | |
39 | + return 0; | |
40 | + | |
34 | 41 | repl = ip6t_alloc_initial_table(&packet_raw); |
35 | 42 | if (repl == NULL) |
36 | 43 | return -ENOMEM; |
37 | - net->ipv6.ip6table_raw = | |
38 | - ip6t_register_table(net, &packet_raw, repl); | |
44 | + ret = ip6t_register_table(net, &packet_raw, repl, rawtable_ops, | |
45 | + &net->ipv6.ip6table_raw); | |
39 | 46 | kfree(repl); |
40 | - return PTR_ERR_OR_ZERO(net->ipv6.ip6table_raw); | |
47 | + return ret; | |
41 | 48 | } |
42 | 49 | |
43 | 50 | static void __net_exit ip6table_raw_net_exit(struct net *net) |
44 | 51 | { |
45 | - ip6t_unregister_table(net, net->ipv6.ip6table_raw); | |
52 | + if (!net->ipv6.ip6table_raw) | |
53 | + return; | |
54 | + ip6t_unregister_table(net, net->ipv6.ip6table_raw, rawtable_ops); | |
55 | + net->ipv6.ip6table_raw = NULL; | |
46 | 56 | } |
47 | 57 | |
48 | 58 | static struct pernet_operations ip6table_raw_net_ops = { |
49 | - .init = ip6table_raw_net_init, | |
50 | 59 | .exit = ip6table_raw_net_exit, |
51 | 60 | }; |
52 | 61 | |
53 | 62 | |
54 | 63 | |
55 | 64 | |
56 | 65 | |
57 | 66 | |
58 | 67 | |
... | ... | @@ -54,28 +63,29 @@ |
54 | 63 | { |
55 | 64 | int ret; |
56 | 65 | |
66 | + /* Register hooks */ | |
67 | + rawtable_ops = xt_hook_ops_alloc(&packet_raw, ip6table_raw_hook); | |
68 | + if (IS_ERR(rawtable_ops)) | |
69 | + return PTR_ERR(rawtable_ops); | |
70 | + | |
57 | 71 | ret = register_pernet_subsys(&ip6table_raw_net_ops); |
58 | - if (ret < 0) | |
72 | + if (ret < 0) { | |
73 | + kfree(rawtable_ops); | |
59 | 74 | return ret; |
60 | - | |
61 | - /* Register hooks */ | |
62 | - rawtable_ops = xt_hook_link(&packet_raw, ip6table_raw_hook); | |
63 | - if (IS_ERR(rawtable_ops)) { | |
64 | - ret = PTR_ERR(rawtable_ops); | |
65 | - goto cleanup_table; | |
66 | 75 | } |
67 | 76 | |
77 | + ret = ip6table_raw_table_init(&init_net); | |
78 | + if (ret) { | |
79 | + unregister_pernet_subsys(&ip6table_raw_net_ops); | |
80 | + kfree(rawtable_ops); | |
81 | + } | |
68 | 82 | return ret; |
69 | - | |
70 | - cleanup_table: | |
71 | - unregister_pernet_subsys(&ip6table_raw_net_ops); | |
72 | - return ret; | |
73 | 83 | } |
74 | 84 | |
75 | 85 | static void __exit ip6table_raw_fini(void) |
76 | 86 | { |
77 | - xt_hook_unlink(&packet_raw, rawtable_ops); | |
78 | 87 | unregister_pernet_subsys(&ip6table_raw_net_ops); |
88 | + kfree(rawtable_ops); | |
79 | 89 | } |
80 | 90 | |
81 | 91 | module_init(ip6table_raw_init); |
net/ipv6/netfilter/ip6table_security.c
... | ... | @@ -27,12 +27,15 @@ |
27 | 27 | (1 << NF_INET_FORWARD) | \ |
28 | 28 | (1 << NF_INET_LOCAL_OUT) |
29 | 29 | |
30 | +static int __net_init ip6table_security_table_init(struct net *net); | |
31 | + | |
30 | 32 | static const struct xt_table security_table = { |
31 | 33 | .name = "security", |
32 | 34 | .valid_hooks = SECURITY_VALID_HOOKS, |
33 | 35 | .me = THIS_MODULE, |
34 | 36 | .af = NFPROTO_IPV6, |
35 | 37 | .priority = NF_IP6_PRI_SECURITY, |
38 | + .table_init = ip6table_security_table_init, | |
36 | 39 | }; |
37 | 40 | |
38 | 41 | static unsigned int |
39 | 42 | |
40 | 43 | |
41 | 44 | |
42 | 45 | |
43 | 46 | |
44 | 47 | |
... | ... | @@ -44,26 +47,32 @@ |
44 | 47 | |
45 | 48 | static struct nf_hook_ops *sectbl_ops __read_mostly; |
46 | 49 | |
47 | -static int __net_init ip6table_security_net_init(struct net *net) | |
50 | +static int __net_init ip6table_security_table_init(struct net *net) | |
48 | 51 | { |
49 | 52 | struct ip6t_replace *repl; |
53 | + int ret; | |
50 | 54 | |
55 | + if (net->ipv6.ip6table_security) | |
56 | + return 0; | |
57 | + | |
51 | 58 | repl = ip6t_alloc_initial_table(&security_table); |
52 | 59 | if (repl == NULL) |
53 | 60 | return -ENOMEM; |
54 | - net->ipv6.ip6table_security = | |
55 | - ip6t_register_table(net, &security_table, repl); | |
61 | + ret = ip6t_register_table(net, &security_table, repl, sectbl_ops, | |
62 | + &net->ipv6.ip6table_security); | |
56 | 63 | kfree(repl); |
57 | - return PTR_ERR_OR_ZERO(net->ipv6.ip6table_security); | |
64 | + return ret; | |
58 | 65 | } |
59 | 66 | |
60 | 67 | static void __net_exit ip6table_security_net_exit(struct net *net) |
61 | 68 | { |
62 | - ip6t_unregister_table(net, net->ipv6.ip6table_security); | |
69 | + if (!net->ipv6.ip6table_security) | |
70 | + return; | |
71 | + ip6t_unregister_table(net, net->ipv6.ip6table_security, sectbl_ops); | |
72 | + net->ipv6.ip6table_security = NULL; | |
63 | 73 | } |
64 | 74 | |
65 | 75 | static struct pernet_operations ip6table_security_net_ops = { |
66 | - .init = ip6table_security_net_init, | |
67 | 76 | .exit = ip6table_security_net_exit, |
68 | 77 | }; |
69 | 78 | |
70 | 79 | |
71 | 80 | |
72 | 81 | |
73 | 82 | |
74 | 83 | |
75 | 84 | |
... | ... | @@ -71,27 +80,28 @@ |
71 | 80 | { |
72 | 81 | int ret; |
73 | 82 | |
83 | + sectbl_ops = xt_hook_ops_alloc(&security_table, ip6table_security_hook); | |
84 | + if (IS_ERR(sectbl_ops)) | |
85 | + return PTR_ERR(sectbl_ops); | |
86 | + | |
74 | 87 | ret = register_pernet_subsys(&ip6table_security_net_ops); |
75 | - if (ret < 0) | |
88 | + if (ret < 0) { | |
89 | + kfree(sectbl_ops); | |
76 | 90 | return ret; |
77 | - | |
78 | - sectbl_ops = xt_hook_link(&security_table, ip6table_security_hook); | |
79 | - if (IS_ERR(sectbl_ops)) { | |
80 | - ret = PTR_ERR(sectbl_ops); | |
81 | - goto cleanup_table; | |
82 | 91 | } |
83 | 92 | |
93 | + ret = ip6table_security_table_init(&init_net); | |
94 | + if (ret) { | |
95 | + unregister_pernet_subsys(&ip6table_security_net_ops); | |
96 | + kfree(sectbl_ops); | |
97 | + } | |
84 | 98 | return ret; |
85 | - | |
86 | -cleanup_table: | |
87 | - unregister_pernet_subsys(&ip6table_security_net_ops); | |
88 | - return ret; | |
89 | 99 | } |
90 | 100 | |
91 | 101 | static void __exit ip6table_security_fini(void) |
92 | 102 | { |
93 | - xt_hook_unlink(&security_table, sectbl_ops); | |
94 | 103 | unregister_pernet_subsys(&ip6table_security_net_ops); |
104 | + kfree(sectbl_ops); | |
95 | 105 | } |
96 | 106 | |
97 | 107 | module_init(ip6table_security_init); |
net/ipv6/netfilter/nft_masq_ipv6.c
... | ... | @@ -26,7 +26,12 @@ |
26 | 26 | |
27 | 27 | memset(&range, 0, sizeof(range)); |
28 | 28 | range.flags = priv->flags; |
29 | - | |
29 | + if (priv->sreg_proto_min) { | |
30 | + range.min_proto.all = | |
31 | + *(__be16 *)®s->data[priv->sreg_proto_min]; | |
32 | + range.max_proto.all = | |
33 | + *(__be16 *)®s->data[priv->sreg_proto_max]; | |
34 | + } | |
30 | 35 | regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range, pkt->out); |
31 | 36 | } |
32 | 37 |
net/netfilter/ipvs/ip_vs_app.c
... | ... | @@ -605,18 +605,14 @@ |
605 | 605 | |
606 | 606 | int __net_init ip_vs_app_net_init(struct netns_ipvs *ipvs) |
607 | 607 | { |
608 | - struct net *net = ipvs->net; | |
609 | - | |
610 | 608 | INIT_LIST_HEAD(&ipvs->app_list); |
611 | - proc_create("ip_vs_app", 0, net->proc_net, &ip_vs_app_fops); | |
609 | + proc_create("ip_vs_app", 0, ipvs->net->proc_net, &ip_vs_app_fops); | |
612 | 610 | return 0; |
613 | 611 | } |
614 | 612 | |
615 | 613 | void __net_exit ip_vs_app_net_cleanup(struct netns_ipvs *ipvs) |
616 | 614 | { |
617 | - struct net *net = ipvs->net; | |
618 | - | |
619 | 615 | unregister_ip_vs_app(ipvs, NULL /* all */); |
620 | - remove_proc_entry("ip_vs_app", net->proc_net); | |
616 | + remove_proc_entry("ip_vs_app", ipvs->net->proc_net); | |
621 | 617 | } |
net/netfilter/ipvs/ip_vs_ctl.c
... | ... | @@ -1376,8 +1376,6 @@ |
1376 | 1376 | struct ip_vs_pe *old_pe; |
1377 | 1377 | struct netns_ipvs *ipvs = svc->ipvs; |
1378 | 1378 | |
1379 | - pr_info("%s: enter\n", __func__); | |
1380 | - | |
1381 | 1379 | /* Count only IPv4 services for old get/setsockopt interface */ |
1382 | 1380 | if (svc->af == AF_INET) |
1383 | 1381 | ipvs->num_services--; |
... | ... | @@ -3947,7 +3945,6 @@ |
3947 | 3945 | |
3948 | 3946 | int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs) |
3949 | 3947 | { |
3950 | - struct net *net = ipvs->net; | |
3951 | 3948 | int i, idx; |
3952 | 3949 | |
3953 | 3950 | /* Initialize rs_table */ |
... | ... | @@ -3974,9 +3971,9 @@ |
3974 | 3971 | |
3975 | 3972 | spin_lock_init(&ipvs->tot_stats.lock); |
3976 | 3973 | |
3977 | - proc_create("ip_vs", 0, net->proc_net, &ip_vs_info_fops); | |
3978 | - proc_create("ip_vs_stats", 0, net->proc_net, &ip_vs_stats_fops); | |
3979 | - proc_create("ip_vs_stats_percpu", 0, net->proc_net, | |
3974 | + proc_create("ip_vs", 0, ipvs->net->proc_net, &ip_vs_info_fops); | |
3975 | + proc_create("ip_vs_stats", 0, ipvs->net->proc_net, &ip_vs_stats_fops); | |
3976 | + proc_create("ip_vs_stats_percpu", 0, ipvs->net->proc_net, | |
3980 | 3977 | &ip_vs_stats_percpu_fops); |
3981 | 3978 | |
3982 | 3979 | if (ip_vs_control_net_init_sysctl(ipvs)) |
3983 | 3980 | |
... | ... | @@ -3991,13 +3988,11 @@ |
3991 | 3988 | |
3992 | 3989 | void __net_exit ip_vs_control_net_cleanup(struct netns_ipvs *ipvs) |
3993 | 3990 | { |
3994 | - struct net *net = ipvs->net; | |
3995 | - | |
3996 | 3991 | ip_vs_trash_cleanup(ipvs); |
3997 | 3992 | ip_vs_control_net_cleanup_sysctl(ipvs); |
3998 | - remove_proc_entry("ip_vs_stats_percpu", net->proc_net); | |
3999 | - remove_proc_entry("ip_vs_stats", net->proc_net); | |
4000 | - remove_proc_entry("ip_vs", net->proc_net); | |
3993 | + remove_proc_entry("ip_vs_stats_percpu", ipvs->net->proc_net); | |
3994 | + remove_proc_entry("ip_vs_stats", ipvs->net->proc_net); | |
3995 | + remove_proc_entry("ip_vs", ipvs->net->proc_net); | |
4001 | 3996 | free_percpu(ipvs->tot_stats.cpustats); |
4002 | 3997 | } |
4003 | 3998 |
net/netfilter/nft_masq.c
... | ... | @@ -17,7 +17,9 @@ |
17 | 17 | #include <net/netfilter/nft_masq.h> |
18 | 18 | |
19 | 19 | const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = { |
20 | - [NFTA_MASQ_FLAGS] = { .type = NLA_U32 }, | |
20 | + [NFTA_MASQ_FLAGS] = { .type = NLA_U32 }, | |
21 | + [NFTA_MASQ_REG_PROTO_MIN] = { .type = NLA_U32 }, | |
22 | + [NFTA_MASQ_REG_PROTO_MAX] = { .type = NLA_U32 }, | |
21 | 23 | }; |
22 | 24 | EXPORT_SYMBOL_GPL(nft_masq_policy); |
23 | 25 | |
... | ... | @@ -40,6 +42,7 @@ |
40 | 42 | const struct nft_expr *expr, |
41 | 43 | const struct nlattr * const tb[]) |
42 | 44 | { |
45 | + u32 plen = FIELD_SIZEOF(struct nf_nat_range, min_addr.all); | |
43 | 46 | struct nft_masq *priv = nft_expr_priv(expr); |
44 | 47 | int err; |
45 | 48 | |
46 | 49 | |
47 | 50 | |
... | ... | @@ -47,13 +50,33 @@ |
47 | 50 | if (err) |
48 | 51 | return err; |
49 | 52 | |
50 | - if (tb[NFTA_MASQ_FLAGS] == NULL) | |
51 | - return 0; | |
53 | + if (tb[NFTA_MASQ_FLAGS]) { | |
54 | + priv->flags = ntohl(nla_get_be32(tb[NFTA_MASQ_FLAGS])); | |
55 | + if (priv->flags & ~NF_NAT_RANGE_MASK) | |
56 | + return -EINVAL; | |
57 | + } | |
52 | 58 | |
53 | - priv->flags = ntohl(nla_get_be32(tb[NFTA_MASQ_FLAGS])); | |
54 | - if (priv->flags & ~NF_NAT_RANGE_MASK) | |
55 | - return -EINVAL; | |
59 | + if (tb[NFTA_MASQ_REG_PROTO_MIN]) { | |
60 | + priv->sreg_proto_min = | |
61 | + nft_parse_register(tb[NFTA_MASQ_REG_PROTO_MIN]); | |
56 | 62 | |
63 | + err = nft_validate_register_load(priv->sreg_proto_min, plen); | |
64 | + if (err < 0) | |
65 | + return err; | |
66 | + | |
67 | + if (tb[NFTA_MASQ_REG_PROTO_MAX]) { | |
68 | + priv->sreg_proto_max = | |
69 | + nft_parse_register(tb[NFTA_MASQ_REG_PROTO_MAX]); | |
70 | + | |
71 | + err = nft_validate_register_load(priv->sreg_proto_max, | |
72 | + plen); | |
73 | + if (err < 0) | |
74 | + return err; | |
75 | + } else { | |
76 | + priv->sreg_proto_max = priv->sreg_proto_min; | |
77 | + } | |
78 | + } | |
79 | + | |
57 | 80 | return 0; |
58 | 81 | } |
59 | 82 | EXPORT_SYMBOL_GPL(nft_masq_init); |
60 | 83 | |
... | ... | @@ -62,11 +85,17 @@ |
62 | 85 | { |
63 | 86 | const struct nft_masq *priv = nft_expr_priv(expr); |
64 | 87 | |
65 | - if (priv->flags == 0) | |
66 | - return 0; | |
67 | - | |
68 | - if (nla_put_be32(skb, NFTA_MASQ_FLAGS, htonl(priv->flags))) | |
88 | + if (priv->flags != 0 && | |
89 | + nla_put_be32(skb, NFTA_MASQ_FLAGS, htonl(priv->flags))) | |
69 | 90 | goto nla_put_failure; |
91 | + | |
92 | + if (priv->sreg_proto_min) { | |
93 | + if (nft_dump_register(skb, NFTA_MASQ_REG_PROTO_MIN, | |
94 | + priv->sreg_proto_min) || | |
95 | + nft_dump_register(skb, NFTA_MASQ_REG_PROTO_MAX, | |
96 | + priv->sreg_proto_max)) | |
97 | + goto nla_put_failure; | |
98 | + } | |
70 | 99 | |
71 | 100 | return 0; |
72 | 101 |
net/netfilter/nft_meta.c
... | ... | @@ -28,6 +28,8 @@ |
28 | 28 | |
29 | 29 | #include <uapi/linux/netfilter_bridge.h> /* NF_BR_PRE_ROUTING */ |
30 | 30 | |
31 | +static DEFINE_PER_CPU(struct rnd_state, nft_prandom_state); | |
32 | + | |
31 | 33 | void nft_meta_get_eval(const struct nft_expr *expr, |
32 | 34 | struct nft_regs *regs, |
33 | 35 | const struct nft_pktinfo *pkt) |
... | ... | @@ -181,6 +183,11 @@ |
181 | 183 | *dest = sock_cgroup_classid(&sk->sk_cgrp_data); |
182 | 184 | break; |
183 | 185 | #endif |
186 | + case NFT_META_PRANDOM: { | |
187 | + struct rnd_state *state = this_cpu_ptr(&nft_prandom_state); | |
188 | + *dest = prandom_u32_state(state); | |
189 | + break; | |
190 | + } | |
184 | 191 | default: |
185 | 192 | WARN_ON(1); |
186 | 193 | goto err; |
... | ... | @@ -276,6 +283,10 @@ |
276 | 283 | case NFT_META_IIFNAME: |
277 | 284 | case NFT_META_OIFNAME: |
278 | 285 | len = IFNAMSIZ; |
286 | + break; | |
287 | + case NFT_META_PRANDOM: | |
288 | + prandom_init_once(&nft_prandom_state); | |
289 | + len = sizeof(u32); | |
279 | 290 | break; |
280 | 291 | default: |
281 | 292 | return -EOPNOTSUPP; |
net/netfilter/x_tables.c
... | ... | @@ -694,12 +694,45 @@ |
694 | 694 | struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af, |
695 | 695 | const char *name) |
696 | 696 | { |
697 | - struct xt_table *t; | |
697 | + struct xt_table *t, *found = NULL; | |
698 | 698 | |
699 | 699 | mutex_lock(&xt[af].mutex); |
700 | 700 | list_for_each_entry(t, &net->xt.tables[af], list) |
701 | 701 | if (strcmp(t->name, name) == 0 && try_module_get(t->me)) |
702 | 702 | return t; |
703 | + | |
704 | + if (net == &init_net) | |
705 | + goto out; | |
706 | + | |
707 | + /* Table doesn't exist in this netns, re-try init */ | |
708 | + list_for_each_entry(t, &init_net.xt.tables[af], list) { | |
709 | + if (strcmp(t->name, name)) | |
710 | + continue; | |
711 | + if (!try_module_get(t->me)) | |
712 | + return NULL; | |
713 | + | |
714 | + mutex_unlock(&xt[af].mutex); | |
715 | + if (t->table_init(net) != 0) { | |
716 | + module_put(t->me); | |
717 | + return NULL; | |
718 | + } | |
719 | + | |
720 | + found = t; | |
721 | + | |
722 | + mutex_lock(&xt[af].mutex); | |
723 | + break; | |
724 | + } | |
725 | + | |
726 | + if (!found) | |
727 | + goto out; | |
728 | + | |
729 | + /* and once again: */ | |
730 | + list_for_each_entry(t, &net->xt.tables[af], list) | |
731 | + if (strcmp(t->name, name) == 0) | |
732 | + return t; | |
733 | + | |
734 | + module_put(found->me); | |
735 | + out: | |
703 | 736 | mutex_unlock(&xt[af].mutex); |
704 | 737 | return NULL; |
705 | 738 | } |
706 | 739 | |
707 | 740 | |
708 | 741 | |
... | ... | @@ -1170,20 +1203,20 @@ |
1170 | 1203 | #endif /* CONFIG_PROC_FS */ |
1171 | 1204 | |
1172 | 1205 | /** |
1173 | - * xt_hook_link - set up hooks for a new table | |
1206 | + * xt_hook_ops_alloc - set up hooks for a new table | |
1174 | 1207 | * @table: table with metadata needed to set up hooks |
1175 | 1208 | * @fn: Hook function |
1176 | 1209 | * |
1177 | - * This function will take care of creating and registering the necessary | |
1178 | - * Netfilter hooks for XT tables. | |
1210 | + * This function will create the nf_hook_ops that the x_table needs | |
1211 | + * to hand to xt_hook_link_net(). | |
1179 | 1212 | */ |
1180 | -struct nf_hook_ops *xt_hook_link(const struct xt_table *table, nf_hookfn *fn) | |
1213 | +struct nf_hook_ops * | |
1214 | +xt_hook_ops_alloc(const struct xt_table *table, nf_hookfn *fn) | |
1181 | 1215 | { |
1182 | 1216 | unsigned int hook_mask = table->valid_hooks; |
1183 | 1217 | uint8_t i, num_hooks = hweight32(hook_mask); |
1184 | 1218 | uint8_t hooknum; |
1185 | 1219 | struct nf_hook_ops *ops; |
1186 | - int ret; | |
1187 | 1220 | |
1188 | 1221 | ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL); |
1189 | 1222 | if (ops == NULL) |
1190 | 1223 | |
... | ... | @@ -1200,27 +1233,9 @@ |
1200 | 1233 | ++i; |
1201 | 1234 | } |
1202 | 1235 | |
1203 | - ret = nf_register_hooks(ops, num_hooks); | |
1204 | - if (ret < 0) { | |
1205 | - kfree(ops); | |
1206 | - return ERR_PTR(ret); | |
1207 | - } | |
1208 | - | |
1209 | 1236 | return ops; |
1210 | 1237 | } |
1211 | -EXPORT_SYMBOL_GPL(xt_hook_link); | |
1212 | - | |
1213 | -/** | |
1214 | - * xt_hook_unlink - remove hooks for a table | |
1215 | - * @ops: nf_hook_ops array as returned by nf_hook_link | |
1216 | - * @hook_mask: the very same mask that was passed to nf_hook_link | |
1217 | - */ | |
1218 | -void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops) | |
1219 | -{ | |
1220 | - nf_unregister_hooks(ops, hweight32(table->valid_hooks)); | |
1221 | - kfree(ops); | |
1222 | -} | |
1223 | -EXPORT_SYMBOL_GPL(xt_hook_unlink); | |
1238 | +EXPORT_SYMBOL_GPL(xt_hook_ops_alloc); | |
1224 | 1239 | |
1225 | 1240 | int xt_proto_init(struct net *net, u_int8_t af) |
1226 | 1241 | { |
net/netfilter/xt_osf.c
... | ... | @@ -262,7 +262,6 @@ |
262 | 262 | if (f->opt[optnum].kind == (*optp)) { |
263 | 263 | __u32 len = f->opt[optnum].length; |
264 | 264 | const __u8 *optend = optp + len; |
265 | - int loop_cont = 0; | |
266 | 265 | |
267 | 266 | fmatch = FMATCH_OK; |
268 | 267 | |
... | ... | @@ -275,7 +274,6 @@ |
275 | 274 | mss = ntohs((__force __be16)mss); |
276 | 275 | break; |
277 | 276 | case OSFOPT_TS: |
278 | - loop_cont = 1; | |
279 | 277 | break; |
280 | 278 | } |
281 | 279 |