Commit b4ba26119b06052888696491f614201817491a0d
1 parent
62fc805108
Exists in
master
and in
39 other branches
netfilter: xtables: change hotdrop pointer to direct modification
Since xt_action_param is writable, let's use it. The pointer to 'bool hotdrop' always worried (8 bytes (64-bit) to write 1 byte!). Surprisingly results in a reduction in size: text data bss filename 5457066 692730 357892 vmlinux.o-prev 5456554 692730 357892 vmlinux.o Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Showing 22 changed files with 47 additions and 47 deletions Side-by-side Diff
- include/linux/netfilter/x_tables.h
- net/bridge/netfilter/ebtables.c
- net/ipv4/netfilter/arp_tables.c
- net/ipv4/netfilter/ip_tables.c
- net/ipv4/netfilter/ipt_ah.c
- net/ipv4/netfilter/ipt_ecn.c
- net/ipv6/netfilter/ip6_tables.c
- net/ipv6/netfilter/ip6t_ah.c
- net/ipv6/netfilter/ip6t_eui64.c
- net/ipv6/netfilter/ip6t_frag.c
- net/ipv6/netfilter/ip6t_hbh.c
- net/ipv6/netfilter/ip6t_mh.c
- net/ipv6/netfilter/ip6t_rt.c
- net/netfilter/xt_connlimit.c
- net/netfilter/xt_dccp.c
- net/netfilter/xt_esp.c
- net/netfilter/xt_hashlimit.c
- net/netfilter/xt_multiport.c
- net/netfilter/xt_recent.c
- net/netfilter/xt_sctp.c
- net/netfilter/xt_tcpmss.c
- net/netfilter/xt_tcpudp.c
include/linux/netfilter/x_tables.h
| ... | ... | @@ -196,6 +196,9 @@ |
| 196 | 196 | * @hook: hook number given packet came from |
| 197 | 197 | * @family: Actual NFPROTO_* through which the function is invoked |
| 198 | 198 | * (helpful when match->family == NFPROTO_UNSPEC) |
| 199 | + * | |
| 200 | + * Fields written to by extensions: | |
| 201 | + * | |
| 199 | 202 | * @hotdrop: drop packet if we had inspection problems |
| 200 | 203 | * Network namespace obtainable using dev_net(in/out) |
| 201 | 204 | */ |
| ... | ... | @@ -212,7 +215,7 @@ |
| 212 | 215 | unsigned int thoff; |
| 213 | 216 | unsigned int hooknum; |
| 214 | 217 | u_int8_t family; |
| 215 | - bool *hotdrop; | |
| 218 | + bool hotdrop; | |
| 216 | 219 | }; |
| 217 | 220 | |
| 218 | 221 | /** |
net/bridge/netfilter/ebtables.c
| ... | ... | @@ -186,13 +186,12 @@ |
| 186 | 186 | struct ebt_entries *chaininfo; |
| 187 | 187 | const char *base; |
| 188 | 188 | const struct ebt_table_info *private; |
| 189 | - bool hotdrop = false; | |
| 190 | 189 | struct xt_action_param acpar; |
| 191 | 190 | |
| 192 | 191 | acpar.family = NFPROTO_BRIDGE; |
| 193 | 192 | acpar.in = in; |
| 194 | 193 | acpar.out = out; |
| 195 | - acpar.hotdrop = &hotdrop; | |
| 194 | + acpar.hotdrop = false; | |
| 196 | 195 | acpar.hooknum = hook; |
| 197 | 196 | |
| 198 | 197 | read_lock_bh(&table->lock); |
| ... | ... | @@ -216,7 +215,7 @@ |
| 216 | 215 | |
| 217 | 216 | if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0) |
| 218 | 217 | goto letscontinue; |
| 219 | - if (hotdrop) { | |
| 218 | + if (acpar.hotdrop) { | |
| 220 | 219 | read_unlock_bh(&table->lock); |
| 221 | 220 | return NF_DROP; |
| 222 | 221 | } |
net/ipv4/netfilter/arp_tables.c
| ... | ... | @@ -260,7 +260,6 @@ |
| 260 | 260 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); |
| 261 | 261 | unsigned int verdict = NF_DROP; |
| 262 | 262 | const struct arphdr *arp; |
| 263 | - bool hotdrop = false; | |
| 264 | 263 | struct arpt_entry *e, *back; |
| 265 | 264 | const char *indev, *outdev; |
| 266 | 265 | void *table_base; |
| ... | ... | @@ -284,6 +283,7 @@ |
| 284 | 283 | acpar.out = out; |
| 285 | 284 | acpar.hooknum = hook; |
| 286 | 285 | acpar.family = NFPROTO_ARP; |
| 286 | + acpar.hotdrop = false; | |
| 287 | 287 | |
| 288 | 288 | arp = arp_hdr(skb); |
| 289 | 289 | do { |
| 290 | 290 | |
| ... | ... | @@ -345,10 +345,10 @@ |
| 345 | 345 | else |
| 346 | 346 | /* Verdict */ |
| 347 | 347 | break; |
| 348 | - } while (!hotdrop); | |
| 348 | + } while (!acpar.hotdrop); | |
| 349 | 349 | xt_info_rdunlock_bh(); |
| 350 | 350 | |
| 351 | - if (hotdrop) | |
| 351 | + if (acpar.hotdrop) | |
| 352 | 352 | return NF_DROP; |
| 353 | 353 | else |
| 354 | 354 | return verdict; |
net/ipv4/netfilter/ip_tables.c
| ... | ... | @@ -308,7 +308,6 @@ |
| 308 | 308 | { |
| 309 | 309 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); |
| 310 | 310 | const struct iphdr *ip; |
| 311 | - bool hotdrop = false; | |
| 312 | 311 | /* Initializing verdict to NF_DROP keeps gcc happy. */ |
| 313 | 312 | unsigned int verdict = NF_DROP; |
| 314 | 313 | const char *indev, *outdev; |
| ... | ... | @@ -330,7 +329,7 @@ |
| 330 | 329 | * match it. */ |
| 331 | 330 | acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET; |
| 332 | 331 | acpar.thoff = ip_hdrlen(skb); |
| 333 | - acpar.hotdrop = &hotdrop; | |
| 332 | + acpar.hotdrop = false; | |
| 334 | 333 | acpar.in = in; |
| 335 | 334 | acpar.out = out; |
| 336 | 335 | acpar.family = NFPROTO_IPV4; |
| ... | ... | @@ -432,7 +431,7 @@ |
| 432 | 431 | else |
| 433 | 432 | /* Verdict */ |
| 434 | 433 | break; |
| 435 | - } while (!hotdrop); | |
| 434 | + } while (!acpar.hotdrop); | |
| 436 | 435 | xt_info_rdunlock_bh(); |
| 437 | 436 | pr_debug("Exiting %s; resetting sp from %u to %u\n", |
| 438 | 437 | __func__, *stackptr, origptr); |
| ... | ... | @@ -440,7 +439,7 @@ |
| 440 | 439 | #ifdef DEBUG_ALLOW_ALL |
| 441 | 440 | return NF_ACCEPT; |
| 442 | 441 | #else |
| 443 | - if (hotdrop) | |
| 442 | + if (acpar.hotdrop) | |
| 444 | 443 | return NF_DROP; |
| 445 | 444 | else return verdict; |
| 446 | 445 | #endif |
| ... | ... | @@ -2154,7 +2153,7 @@ |
| 2154 | 2153 | * can't. Hence, no choice but to drop. |
| 2155 | 2154 | */ |
| 2156 | 2155 | duprintf("Dropping evil ICMP tinygram.\n"); |
| 2157 | - *par->hotdrop = true; | |
| 2156 | + par->hotdrop = true; | |
| 2158 | 2157 | return false; |
| 2159 | 2158 | } |
| 2160 | 2159 |
net/ipv4/netfilter/ipt_ah.c
net/ipv4/netfilter/ipt_ecn.c
net/ipv6/netfilter/ip6_tables.c
| ... | ... | @@ -337,7 +337,6 @@ |
| 337 | 337 | struct xt_table *table) |
| 338 | 338 | { |
| 339 | 339 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); |
| 340 | - bool hotdrop = false; | |
| 341 | 340 | /* Initializing verdict to NF_DROP keeps gcc happy. */ |
| 342 | 341 | unsigned int verdict = NF_DROP; |
| 343 | 342 | const char *indev, *outdev; |
| ... | ... | @@ -356,7 +355,7 @@ |
| 356 | 355 | * things we don't know, ie. tcp syn flag or ports). If the |
| 357 | 356 | * rule is also a fragment-specific rule, non-fragments won't |
| 358 | 357 | * match it. */ |
| 359 | - acpar.hotdrop = &hotdrop; | |
| 358 | + acpar.hotdrop = false; | |
| 360 | 359 | acpar.in = in; |
| 361 | 360 | acpar.out = out; |
| 362 | 361 | acpar.family = NFPROTO_IPV6; |
| ... | ... | @@ -380,7 +379,7 @@ |
| 380 | 379 | |
| 381 | 380 | IP_NF_ASSERT(e); |
| 382 | 381 | if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, |
| 383 | - &acpar.thoff, &acpar.fragoff, &hotdrop)) { | |
| 382 | + &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) { | |
| 384 | 383 | no_match: |
| 385 | 384 | e = ip6t_next_entry(e); |
| 386 | 385 | continue; |
| ... | ... | @@ -447,7 +446,7 @@ |
| 447 | 446 | else |
| 448 | 447 | /* Verdict */ |
| 449 | 448 | break; |
| 450 | - } while (!hotdrop); | |
| 449 | + } while (!acpar.hotdrop); | |
| 451 | 450 | |
| 452 | 451 | xt_info_rdunlock_bh(); |
| 453 | 452 | *stackptr = origptr; |
| ... | ... | @@ -455,7 +454,7 @@ |
| 455 | 454 | #ifdef DEBUG_ALLOW_ALL |
| 456 | 455 | return NF_ACCEPT; |
| 457 | 456 | #else |
| 458 | - if (hotdrop) | |
| 457 | + if (acpar.hotdrop) | |
| 459 | 458 | return NF_DROP; |
| 460 | 459 | else return verdict; |
| 461 | 460 | #endif |
| ... | ... | @@ -2170,7 +2169,7 @@ |
| 2170 | 2169 | * can't. Hence, no choice but to drop. |
| 2171 | 2170 | */ |
| 2172 | 2171 | duprintf("Dropping evil ICMP tinygram.\n"); |
| 2173 | - *par->hotdrop = true; | |
| 2172 | + par->hotdrop = true; | |
| 2174 | 2173 | return false; |
| 2175 | 2174 | } |
| 2176 | 2175 |
net/ipv6/netfilter/ip6t_ah.c
| ... | ... | @@ -48,13 +48,13 @@ |
| 48 | 48 | err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL); |
| 49 | 49 | if (err < 0) { |
| 50 | 50 | if (err != -ENOENT) |
| 51 | - *par->hotdrop = true; | |
| 51 | + par->hotdrop = true; | |
| 52 | 52 | return false; |
| 53 | 53 | } |
| 54 | 54 | |
| 55 | 55 | ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah); |
| 56 | 56 | if (ah == NULL) { |
| 57 | - *par->hotdrop = true; | |
| 57 | + par->hotdrop = true; | |
| 58 | 58 | return false; |
| 59 | 59 | } |
| 60 | 60 |
net/ipv6/netfilter/ip6t_eui64.c
net/ipv6/netfilter/ip6t_frag.c
| ... | ... | @@ -46,13 +46,13 @@ |
| 46 | 46 | err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL); |
| 47 | 47 | if (err < 0) { |
| 48 | 48 | if (err != -ENOENT) |
| 49 | - *par->hotdrop = true; | |
| 49 | + par->hotdrop = true; | |
| 50 | 50 | return false; |
| 51 | 51 | } |
| 52 | 52 | |
| 53 | 53 | fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag); |
| 54 | 54 | if (fh == NULL) { |
| 55 | - *par->hotdrop = true; | |
| 55 | + par->hotdrop = true; | |
| 56 | 56 | return false; |
| 57 | 57 | } |
| 58 | 58 |
net/ipv6/netfilter/ip6t_hbh.c
| ... | ... | @@ -65,13 +65,13 @@ |
| 65 | 65 | NEXTHDR_HOP : NEXTHDR_DEST, NULL); |
| 66 | 66 | if (err < 0) { |
| 67 | 67 | if (err != -ENOENT) |
| 68 | - *par->hotdrop = true; | |
| 68 | + par->hotdrop = true; | |
| 69 | 69 | return false; |
| 70 | 70 | } |
| 71 | 71 | |
| 72 | 72 | oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); |
| 73 | 73 | if (oh == NULL) { |
| 74 | - *par->hotdrop = true; | |
| 74 | + par->hotdrop = true; | |
| 75 | 75 | return false; |
| 76 | 76 | } |
| 77 | 77 |
net/ipv6/netfilter/ip6t_mh.c
| ... | ... | @@ -47,14 +47,14 @@ |
| 47 | 47 | /* We've been asked to examine this packet, and we |
| 48 | 48 | can't. Hence, no choice but to drop. */ |
| 49 | 49 | pr_debug("Dropping evil MH tinygram.\n"); |
| 50 | - *par->hotdrop = true; | |
| 50 | + par->hotdrop = true; | |
| 51 | 51 | return false; |
| 52 | 52 | } |
| 53 | 53 | |
| 54 | 54 | if (mh->ip6mh_proto != IPPROTO_NONE) { |
| 55 | 55 | pr_debug("Dropping invalid MH Payload Proto: %u\n", |
| 56 | 56 | mh->ip6mh_proto); |
| 57 | - *par->hotdrop = true; | |
| 57 | + par->hotdrop = true; | |
| 58 | 58 | return false; |
| 59 | 59 | } |
| 60 | 60 |
net/ipv6/netfilter/ip6t_rt.c
| ... | ... | @@ -52,13 +52,13 @@ |
| 52 | 52 | err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL); |
| 53 | 53 | if (err < 0) { |
| 54 | 54 | if (err != -ENOENT) |
| 55 | - *par->hotdrop = true; | |
| 55 | + par->hotdrop = true; | |
| 56 | 56 | return false; |
| 57 | 57 | } |
| 58 | 58 | |
| 59 | 59 | rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); |
| 60 | 60 | if (rh == NULL) { |
| 61 | - *par->hotdrop = true; | |
| 61 | + par->hotdrop = true; | |
| 62 | 62 | return false; |
| 63 | 63 | } |
| 64 | 64 |
net/netfilter/xt_connlimit.c
| ... | ... | @@ -206,14 +206,14 @@ |
| 206 | 206 | |
| 207 | 207 | if (connections < 0) { |
| 208 | 208 | /* kmalloc failed, drop it entirely */ |
| 209 | - *par->hotdrop = true; | |
| 209 | + par->hotdrop = true; | |
| 210 | 210 | return false; |
| 211 | 211 | } |
| 212 | 212 | |
| 213 | 213 | return (connections > info->limit) ^ info->inverse; |
| 214 | 214 | |
| 215 | 215 | hotdrop: |
| 216 | - *par->hotdrop = true; | |
| 216 | + par->hotdrop = true; | |
| 217 | 217 | return false; |
| 218 | 218 | } |
| 219 | 219 |
net/netfilter/xt_dccp.c
| ... | ... | @@ -107,7 +107,7 @@ |
| 107 | 107 | |
| 108 | 108 | dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh); |
| 109 | 109 | if (dh == NULL) { |
| 110 | - *par->hotdrop = true; | |
| 110 | + par->hotdrop = true; | |
| 111 | 111 | return false; |
| 112 | 112 | } |
| 113 | 113 | |
| ... | ... | @@ -120,7 +120,7 @@ |
| 120 | 120 | && DCCHECK(match_types(dh, info->typemask), |
| 121 | 121 | XT_DCCP_TYPE, info->flags, info->invflags) |
| 122 | 122 | && DCCHECK(match_option(info->option, skb, par->thoff, dh, |
| 123 | - par->hotdrop), | |
| 123 | + &par->hotdrop), | |
| 124 | 124 | XT_DCCP_OPTION, info->flags, info->invflags); |
| 125 | 125 | } |
| 126 | 126 |
net/netfilter/xt_esp.c
net/netfilter/xt_hashlimit.c
net/netfilter/xt_multiport.c
net/netfilter/xt_recent.c
net/netfilter/xt_sctp.c
| ... | ... | @@ -128,7 +128,7 @@ |
| 128 | 128 | sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh); |
| 129 | 129 | if (sh == NULL) { |
| 130 | 130 | pr_debug("Dropping evil TCP offset=0 tinygram.\n"); |
| 131 | - *par->hotdrop = true; | |
| 131 | + par->hotdrop = true; | |
| 132 | 132 | return false; |
| 133 | 133 | } |
| 134 | 134 | pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); |
| ... | ... | @@ -140,7 +140,7 @@ |
| 140 | 140 | && ntohs(sh->dest) <= info->dpts[1], |
| 141 | 141 | XT_SCTP_DEST_PORTS, info->flags, info->invflags) |
| 142 | 142 | && SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t), |
| 143 | - info, par->hotdrop), | |
| 143 | + info, &par->hotdrop), | |
| 144 | 144 | XT_SCTP_CHUNK_TYPES, info->flags, info->invflags); |
| 145 | 145 | } |
| 146 | 146 |
net/netfilter/xt_tcpmss.c
net/netfilter/xt_tcpudp.c
| ... | ... | @@ -77,7 +77,7 @@ |
| 77 | 77 | */ |
| 78 | 78 | if (par->fragoff == 1) { |
| 79 | 79 | pr_debug("Dropping evil TCP offset=1 frag.\n"); |
| 80 | - *par->hotdrop = true; | |
| 80 | + par->hotdrop = true; | |
| 81 | 81 | } |
| 82 | 82 | /* Must not be a fragment. */ |
| 83 | 83 | return false; |
| ... | ... | @@ -90,7 +90,7 @@ |
| 90 | 90 | /* We've been asked to examine this packet, and we |
| 91 | 91 | can't. Hence, no choice but to drop. */ |
| 92 | 92 | pr_debug("Dropping evil TCP offset=0 tinygram.\n"); |
| 93 | - *par->hotdrop = true; | |
| 93 | + par->hotdrop = true; | |
| 94 | 94 | return false; |
| 95 | 95 | } |
| 96 | 96 | |
| 97 | 97 | |
| ... | ... | @@ -108,13 +108,13 @@ |
| 108 | 108 | return false; |
| 109 | 109 | if (tcpinfo->option) { |
| 110 | 110 | if (th->doff * 4 < sizeof(_tcph)) { |
| 111 | - *par->hotdrop = true; | |
| 111 | + par->hotdrop = true; | |
| 112 | 112 | return false; |
| 113 | 113 | } |
| 114 | 114 | if (!tcp_find_option(tcpinfo->option, skb, par->thoff, |
| 115 | 115 | th->doff*4 - sizeof(_tcph), |
| 116 | 116 | tcpinfo->invflags & XT_TCP_INV_OPTION, |
| 117 | - par->hotdrop)) | |
| 117 | + &par->hotdrop)) | |
| 118 | 118 | return false; |
| 119 | 119 | } |
| 120 | 120 | return true; |
| ... | ... | @@ -143,7 +143,7 @@ |
| 143 | 143 | /* We've been asked to examine this packet, and we |
| 144 | 144 | can't. Hence, no choice but to drop. */ |
| 145 | 145 | pr_debug("Dropping evil UDP tinygram.\n"); |
| 146 | - *par->hotdrop = true; | |
| 146 | + par->hotdrop = true; | |
| 147 | 147 | return false; |
| 148 | 148 | } |
| 149 | 149 |