netfilter: Make nf_hookfn use nf_hook_state.
Pass the nf_hook_state all the way down into the hook functions themselves. Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
1d1de89b9a
commit
238e54c9cb
35 changed files with 169 additions and 294 deletions
|
@ -56,9 +56,7 @@ struct nf_hook_state {
|
||||||
|
|
||||||
typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops,
|
typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state);
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *));
|
|
||||||
|
|
||||||
struct nf_hook_ops {
|
struct nf_hook_ops {
|
||||||
struct list_head list;
|
struct list_head list;
|
||||||
|
|
|
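Review bot: The new `nf_hookfn` typedef carries no comment saying who owns the `nf_hook_state` a hook receives or how long it stays valid; the struct body sits above this hunk, so I cannot see whether it is built on the caller's stack, but if it is (as passing it by `const` pointer suggests) hooks must not stash the pointer in `skb->cb`, a conntrack extension or any other place that outlives the call. A one-line comment above the typedef would pin that down, e.g. `/* @state is owned by the caller and valid only for the duration of the hook call; hooks must not retain it. */`. Separately, most hooks in this commit derive the netns with the same `state->in ? state->in : state->out` ternary (iptable_filter, iptable_raw, iptable_security, arptable_filter, ipt_CLUSTERIP and both SYNPROXY hunks); a helper next to the typedef such as `static inline struct net *nf_hook_state_net(const struct nf_hook_state *s) { return dev_net(s->in ? s->in : s->out); }` would remove that repetition, assuming `dev_net()` is visible from this header.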
@ -562,9 +562,7 @@ bad:
|
||||||
* to ip6tables, which doesn't support NAT, so things are fairly simple. */
|
* to ip6tables, which doesn't support NAT, so things are fairly simple. */
|
||||||
static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
|
static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
const struct ipv6hdr *hdr;
|
const struct ipv6hdr *hdr;
|
||||||
u32 pkt_len;
|
u32 pkt_len;
|
||||||
|
@ -612,9 +610,7 @@ static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
|
||||||
* address to be able to detect DNAT afterwards. */
|
* address to be able to detect DNAT afterwards. */
|
||||||
static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
|
static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct net_bridge_port *p;
|
struct net_bridge_port *p;
|
||||||
struct net_bridge *br;
|
struct net_bridge *br;
|
||||||
|
@ -623,7 +619,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
|
||||||
if (unlikely(!pskb_may_pull(skb, len)))
|
if (unlikely(!pskb_may_pull(skb, len)))
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
p = br_port_get_rcu(in);
|
p = br_port_get_rcu(state->in);
|
||||||
if (p == NULL)
|
if (p == NULL)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
br = p->br;
|
br = p->br;
|
||||||
|
@ -633,7 +629,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
nf_bridge_pull_encap_header_rcsum(skb);
|
nf_bridge_pull_encap_header_rcsum(skb);
|
||||||
return br_nf_pre_routing_ipv6(ops, skb, in, out, okfn);
|
return br_nf_pre_routing_ipv6(ops, skb, state);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!brnf_call_iptables && !br->nf_call_iptables)
|
if (!brnf_call_iptables && !br->nf_call_iptables)
|
||||||
|
@ -671,9 +667,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
|
||||||
* prevent this from happening. */
|
* prevent this from happening. */
|
||||||
static unsigned int br_nf_local_in(const struct nf_hook_ops *ops,
|
static unsigned int br_nf_local_in(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
br_drop_fake_rtable(skb);
|
br_drop_fake_rtable(skb);
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
@ -710,9 +704,7 @@ static int br_nf_forward_finish(struct sk_buff *skb)
|
||||||
* bridge ports. */
|
* bridge ports. */
|
||||||
static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
|
static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct nf_bridge_info *nf_bridge;
|
struct nf_bridge_info *nf_bridge;
|
||||||
struct net_device *parent;
|
struct net_device *parent;
|
||||||
|
@ -726,7 +718,7 @@ static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
|
||||||
if (!nf_bridge_unshare(skb))
|
if (!nf_bridge_unshare(skb))
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
parent = bridge_parent(out);
|
parent = bridge_parent(state->out);
|
||||||
if (!parent)
|
if (!parent)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
|
@ -754,23 +746,21 @@ static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
|
||||||
else
|
else
|
||||||
skb->protocol = htons(ETH_P_IPV6);
|
skb->protocol = htons(ETH_P_IPV6);
|
||||||
|
|
||||||
NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, in), parent,
|
NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, state->in),
|
||||||
br_nf_forward_finish);
|
parent, br_nf_forward_finish);
|
||||||
|
|
||||||
return NF_STOLEN;
|
return NF_STOLEN;
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
|
static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct net_bridge_port *p;
|
struct net_bridge_port *p;
|
||||||
struct net_bridge *br;
|
struct net_bridge *br;
|
||||||
struct net_device **d = (struct net_device **)(skb->cb);
|
struct net_device **d = (struct net_device **)(skb->cb);
|
||||||
|
|
||||||
p = br_port_get_rcu(out);
|
p = br_port_get_rcu(state->out);
|
||||||
if (p == NULL)
|
if (p == NULL)
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
br = p->br;
|
br = p->br;
|
||||||
|
@ -789,9 +779,9 @@ static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
|
||||||
nf_bridge_push_encap_header(skb);
|
nf_bridge_push_encap_header(skb);
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
}
|
}
|
||||||
*d = (struct net_device *)in;
|
*d = state->in;
|
||||||
NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
|
NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, state->in,
|
||||||
(struct net_device *)out, br_nf_forward_finish);
|
state->out, br_nf_forward_finish);
|
||||||
|
|
||||||
return NF_STOLEN;
|
return NF_STOLEN;
|
||||||
}
|
}
|
||||||
|
@ -859,9 +849,7 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
|
||||||
/* PF_BRIDGE/POST_ROUTING ********************************************/
|
/* PF_BRIDGE/POST_ROUTING ********************************************/
|
||||||
static unsigned int br_nf_post_routing(const struct nf_hook_ops *ops,
|
static unsigned int br_nf_post_routing(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct nf_bridge_info *nf_bridge = skb->nf_bridge;
|
struct nf_bridge_info *nf_bridge = skb->nf_bridge;
|
||||||
struct net_device *realoutdev = bridge_parent(skb->dev);
|
struct net_device *realoutdev = bridge_parent(skb->dev);
|
||||||
|
@ -910,9 +898,7 @@ static unsigned int br_nf_post_routing(const struct nf_hook_ops *ops,
|
||||||
* for the second time. */
|
* for the second time. */
|
||||||
static unsigned int ip_sabotage_in(const struct nf_hook_ops *ops,
|
static unsigned int ip_sabotage_in(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
if (skb->nf_bridge &&
|
if (skb->nf_bridge &&
|
||||||
!(skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)) {
|
!(skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)) {
|
||||||
|
|
|
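Review bot: In br_nf_forward_arp the assignment `*d = state->in;` and the `NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, state->in, state->out, ...)` call now compile without the `(struct net_device *)` casts the old code needed, which implies the `in`/`out` members of `nf_hook_state` are non-const `struct net_device *` even though the hook receives the state itself as `const`; hooks that were previously handed `const struct net_device *` can now modify the device through `state->in`/`state->out`. The struct definition is outside this page, so this is inferred from the dropped casts rather than seen. If that relaxation is intentional it deserves a comment on the struct; otherwise declaring the members `const struct net_device *` and keeping a single cast at `*d = (struct net_device *)state->in;` preserves the guarantee the old signature gave. br_nf_forward_arp begins inside the hunk but its tail, like the bodies of the other hooks in this file, runs outside the shown hunks.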
@ -58,20 +58,18 @@ static const struct ebt_table frame_filter = {
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_in_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ebt_in_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ebt_do_table(ops->hooknum, skb, in, out,
|
return ebt_do_table(ops->hooknum, skb, state->in, state->out,
|
||||||
dev_net(in)->xt.frame_filter);
|
dev_net(state->in)->xt.frame_filter);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_out_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ebt_out_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ebt_do_table(ops->hooknum, skb, in, out,
|
return ebt_do_table(ops->hooknum, skb, state->in, state->out,
|
||||||
dev_net(out)->xt.frame_filter);
|
dev_net(state->out)->xt.frame_filter);
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops ebt_ops_filter[] __read_mostly = {
|
static struct nf_hook_ops ebt_ops_filter[] __read_mostly = {
|
||||||
|
|
|
@ -58,20 +58,18 @@ static struct ebt_table frame_nat = {
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_nat_in(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ebt_nat_in(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ebt_do_table(ops->hooknum, skb, in, out,
|
return ebt_do_table(ops->hooknum, skb, state->in, state->out,
|
||||||
dev_net(in)->xt.frame_nat);
|
dev_net(state->in)->xt.frame_nat);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_nat_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ebt_nat_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ebt_do_table(ops->hooknum, skb, in, out,
|
return ebt_do_table(ops->hooknum, skb, state->in, state->out,
|
||||||
dev_net(out)->xt.frame_nat);
|
dev_net(state->out)->xt.frame_nat);
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops ebt_ops_nat[] __read_mostly = {
|
static struct nf_hook_ops ebt_ops_nat[] __read_mostly = {
|
||||||
|
|
|
@ -93,21 +93,19 @@ static inline void nft_bridge_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
|
||||||
static unsigned int
|
static unsigned int
|
||||||
nft_do_chain_bridge(const struct nf_hook_ops *ops,
|
nft_do_chain_bridge(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct nft_pktinfo pkt;
|
struct nft_pktinfo pkt;
|
||||||
|
|
||||||
switch (eth_hdr(skb)->h_proto) {
|
switch (eth_hdr(skb)->h_proto) {
|
||||||
case htons(ETH_P_IP):
|
case htons(ETH_P_IP):
|
||||||
nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
|
nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, state->in, state->out);
|
||||||
break;
|
break;
|
||||||
case htons(ETH_P_IPV6):
|
case htons(ETH_P_IPV6):
|
||||||
nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, in, out);
|
nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, state->in, state->out);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
nft_set_pktinfo(&pkt, ops, skb, in, out);
|
nft_set_pktinfo(&pkt, ops, skb, state->in, state->out);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -89,9 +89,7 @@ static void dnrmg_send_peer(struct sk_buff *skb)
|
||||||
|
|
||||||
static unsigned int dnrmg_hook(const struct nf_hook_ops *ops,
|
static unsigned int dnrmg_hook(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
dnrmg_send_peer(skb);
|
dnrmg_send_peer(skb);
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
|
@ -28,12 +28,11 @@ static const struct xt_table packet_filter = {
|
||||||
/* The work comes in here from netfilter.c */
|
/* The work comes in here from netfilter.c */
|
||||||
static unsigned int
|
static unsigned int
|
||||||
arptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
arptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
const struct net *net = dev_net((in != NULL) ? in : out);
|
const struct net *net = dev_net(state->in ? state->in : state->out);
|
||||||
|
|
||||||
return arpt_do_table(skb, ops->hooknum, in, out,
|
return arpt_do_table(skb, ops->hooknum, state->in, state->out,
|
||||||
net->ipv4.arptable_filter);
|
net->ipv4.arptable_filter);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -504,14 +504,12 @@ static void arp_print(struct arp_payload *payload)
|
||||||
static unsigned int
|
static unsigned int
|
||||||
arp_mangle(const struct nf_hook_ops *ops,
|
arp_mangle(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct arphdr *arp = arp_hdr(skb);
|
struct arphdr *arp = arp_hdr(skb);
|
||||||
struct arp_payload *payload;
|
struct arp_payload *payload;
|
||||||
struct clusterip_config *c;
|
struct clusterip_config *c;
|
||||||
struct net *net = dev_net(in ? in : out);
|
struct net *net = dev_net(state->in ? state->in : state->out);
|
||||||
|
|
||||||
/* we don't care about non-ethernet and non-ipv4 ARP */
|
/* we don't care about non-ethernet and non-ipv4 ARP */
|
||||||
if (arp->ar_hrd != htons(ARPHRD_ETHER) ||
|
if (arp->ar_hrd != htons(ARPHRD_ETHER) ||
|
||||||
|
@ -536,10 +534,10 @@ arp_mangle(const struct nf_hook_ops *ops,
|
||||||
* addresses on different interfacs. However, in the CLUSTERIP case
|
* addresses on different interfacs. However, in the CLUSTERIP case
|
||||||
* this wouldn't work, since we didn't subscribe the mcast group on
|
* this wouldn't work, since we didn't subscribe the mcast group on
|
||||||
* other interfaces */
|
* other interfaces */
|
||||||
if (c->dev != out) {
|
if (c->dev != state->out) {
|
||||||
pr_debug("not mangling arp reply on different "
|
pr_debug("not mangling arp reply on different "
|
||||||
"interface: cip'%s'-skb'%s'\n",
|
"interface: cip'%s'-skb'%s'\n",
|
||||||
c->dev->name, out->name);
|
c->dev->name, state->out->name);
|
||||||
clusterip_config_put(c);
|
clusterip_config_put(c);
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
}
|
}
|
||||||
|
|
|
@ -300,11 +300,9 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
|
|
||||||
static unsigned int ipv4_synproxy_hook(const struct nf_hook_ops *ops,
|
static unsigned int ipv4_synproxy_hook(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *nhs)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct synproxy_net *snet = synproxy_pernet(dev_net(in ? : out));
|
struct synproxy_net *snet = synproxy_pernet(dev_net(nhs->in ? : nhs->out));
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
struct nf_conn_synproxy *synproxy;
|
struct nf_conn_synproxy *synproxy;
|
||||||
|
|
|
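Review bot: ipv4_synproxy_hook names its new parameter `nhs` where every other hook in this commit uses `state`, and nothing in the hunk explains the deviation; presumably it avoids a clash with a local already named `state` further down the body, which lies outside the hunk, but a reader comparing hooks across files will not see that. Either rename that local to something more specific so the parameter can be `state` like its siblings, or add a one-line comment at the signature: `/* "nhs", not "state": the body already has a local of that name */`. The function body continues past the end of this hunk.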
@ -34,8 +34,7 @@ static const struct xt_table packet_filter = {
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
const struct net *net;
|
const struct net *net;
|
||||||
|
|
||||||
|
@ -45,8 +44,8 @@ iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
/* root is playing with raw sockets. */
|
/* root is playing with raw sockets. */
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
net = dev_net((in != NULL) ? in : out);
|
net = dev_net(state->in ? state->in : state->out);
|
||||||
return ipt_do_table(skb, ops->hooknum, in, out,
|
return ipt_do_table(skb, ops->hooknum, state->in, state->out,
|
||||||
net->ipv4.iptable_filter);
|
net->ipv4.iptable_filter);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -81,18 +81,16 @@ ipt_mangle_out(struct sk_buff *skb, const struct net_device *out)
|
||||||
static unsigned int
|
static unsigned int
|
||||||
iptable_mangle_hook(const struct nf_hook_ops *ops,
|
iptable_mangle_hook(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
if (ops->hooknum == NF_INET_LOCAL_OUT)
|
if (ops->hooknum == NF_INET_LOCAL_OUT)
|
||||||
return ipt_mangle_out(skb, out);
|
return ipt_mangle_out(skb, state->out);
|
||||||
if (ops->hooknum == NF_INET_POST_ROUTING)
|
if (ops->hooknum == NF_INET_POST_ROUTING)
|
||||||
return ipt_do_table(skb, ops->hooknum, in, out,
|
return ipt_do_table(skb, ops->hooknum, state->in, state->out,
|
||||||
dev_net(out)->ipv4.iptable_mangle);
|
dev_net(state->out)->ipv4.iptable_mangle);
|
||||||
/* PREROUTING/INPUT/FORWARD: */
|
/* PREROUTING/INPUT/FORWARD: */
|
||||||
return ipt_do_table(skb, ops->hooknum, in, out,
|
return ipt_do_table(skb, ops->hooknum, state->in, state->out,
|
||||||
dev_net(in)->ipv4.iptable_mangle);
|
dev_net(state->in)->ipv4.iptable_mangle);
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *mangle_ops __read_mostly;
|
static struct nf_hook_ops *mangle_ops __read_mostly;
|
||||||
|
|
|
@ -41,38 +41,34 @@ static unsigned int iptable_nat_do_chain(const struct nf_hook_ops *ops,
|
||||||
|
|
||||||
static unsigned int iptable_nat_ipv4_fn(const struct nf_hook_ops *ops,
|
static unsigned int iptable_nat_ipv4_fn(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv4_fn(ops, skb, in, out, iptable_nat_do_chain);
|
return nf_nat_ipv4_fn(ops, skb, state->in, state->out,
|
||||||
|
iptable_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int iptable_nat_ipv4_in(const struct nf_hook_ops *ops,
|
static unsigned int iptable_nat_ipv4_in(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv4_in(ops, skb, in, out, iptable_nat_do_chain);
|
return nf_nat_ipv4_in(ops, skb, state->in, state->out,
|
||||||
|
iptable_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int iptable_nat_ipv4_out(const struct nf_hook_ops *ops,
|
static unsigned int iptable_nat_ipv4_out(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv4_out(ops, skb, in, out, iptable_nat_do_chain);
|
return nf_nat_ipv4_out(ops, skb, state->in, state->out,
|
||||||
|
iptable_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int iptable_nat_ipv4_local_fn(const struct nf_hook_ops *ops,
|
static unsigned int iptable_nat_ipv4_local_fn(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv4_local_fn(ops, skb, in, out, iptable_nat_do_chain);
|
return nf_nat_ipv4_local_fn(ops, skb, state->in, state->out,
|
||||||
|
iptable_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops nf_nat_ipv4_ops[] __read_mostly = {
|
static struct nf_hook_ops nf_nat_ipv4_ops[] __read_mostly = {
|
||||||
|
|
|
@ -21,8 +21,7 @@ static const struct xt_table packet_raw = {
|
||||||
/* The work comes in here from netfilter.c. */
|
/* The work comes in here from netfilter.c. */
|
||||||
static unsigned int
|
static unsigned int
|
||||||
iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
const struct net *net;
|
const struct net *net;
|
||||||
|
|
||||||
|
@ -32,8 +31,9 @@ iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
/* root is playing with raw sockets. */
|
/* root is playing with raw sockets. */
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
net = dev_net((in != NULL) ? in : out);
|
net = dev_net(state->in ? state->in : state->out);
|
||||||
return ipt_do_table(skb, ops->hooknum, in, out, net->ipv4.iptable_raw);
|
return ipt_do_table(skb, ops->hooknum, state->in, state->out,
|
||||||
|
net->ipv4.iptable_raw);
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *rawtable_ops __read_mostly;
|
static struct nf_hook_ops *rawtable_ops __read_mostly;
|
||||||
|
|
|
@ -38,9 +38,7 @@ static const struct xt_table security_table = {
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
const struct net *net;
|
const struct net *net;
|
||||||
|
|
||||||
|
@ -50,8 +48,8 @@ iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
/* Somebody is playing with raw sockets. */
|
/* Somebody is playing with raw sockets. */
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
net = dev_net((in != NULL) ? in : out);
|
net = dev_net(state->in ? state->in : state->out);
|
||||||
return ipt_do_table(skb, ops->hooknum, in, out,
|
return ipt_do_table(skb, ops->hooknum, state->in, state->out,
|
||||||
net->ipv4.iptable_security);
|
net->ipv4.iptable_security);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -94,9 +94,7 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
|
||||||
|
|
||||||
static unsigned int ipv4_helper(const struct nf_hook_ops *ops,
|
static unsigned int ipv4_helper(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
|
@ -123,9 +121,7 @@ static unsigned int ipv4_helper(const struct nf_hook_ops *ops,
|
||||||
|
|
||||||
static unsigned int ipv4_confirm(const struct nf_hook_ops *ops,
|
static unsigned int ipv4_confirm(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
|
@ -149,24 +145,20 @@ out:
|
||||||
|
|
||||||
static unsigned int ipv4_conntrack_in(const struct nf_hook_ops *ops,
|
static unsigned int ipv4_conntrack_in(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_conntrack_in(dev_net(in), PF_INET, ops->hooknum, skb);
|
return nf_conntrack_in(dev_net(state->in), PF_INET, ops->hooknum, skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops,
|
static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
/* root is playing with raw sockets. */
|
/* root is playing with raw sockets. */
|
||||||
if (skb->len < sizeof(struct iphdr) ||
|
if (skb->len < sizeof(struct iphdr) ||
|
||||||
ip_hdrlen(skb) < sizeof(struct iphdr))
|
ip_hdrlen(skb) < sizeof(struct iphdr))
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
return nf_conntrack_in(dev_net(out), PF_INET, ops->hooknum, skb);
|
return nf_conntrack_in(dev_net(state->out), PF_INET, ops->hooknum, skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Connection tracking may drop packets, but never alters them, so
|
/* Connection tracking may drop packets, but never alters them, so
|
||||||
|
|
|
@ -63,9 +63,7 @@ static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
|
||||||
|
|
||||||
static unsigned int ipv4_conntrack_defrag(const struct nf_hook_ops *ops,
|
static unsigned int ipv4_conntrack_defrag(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct sock *sk = skb->sk;
|
struct sock *sk = skb->sk;
|
||||||
struct inet_sock *inet = inet_sk(skb->sk);
|
struct inet_sock *inet = inet_sk(skb->sk);
|
||||||
|
|
|
@ -17,13 +17,11 @@
|
||||||
static unsigned int
|
static unsigned int
|
||||||
nft_do_chain_arp(const struct nf_hook_ops *ops,
|
nft_do_chain_arp(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct nft_pktinfo pkt;
|
struct nft_pktinfo pkt;
|
||||||
|
|
||||||
nft_set_pktinfo(&pkt, ops, skb, in, out);
|
nft_set_pktinfo(&pkt, ops, skb, state->in, state->out);
|
||||||
|
|
||||||
return nft_do_chain(&pkt, ops);
|
return nft_do_chain(&pkt, ops);
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,22 +20,18 @@
|
||||||
|
|
||||||
static unsigned int nft_do_chain_ipv4(const struct nf_hook_ops *ops,
|
static unsigned int nft_do_chain_ipv4(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct nft_pktinfo pkt;
|
struct nft_pktinfo pkt;
|
||||||
|
|
||||||
nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
|
nft_set_pktinfo_ipv4(&pkt, ops, skb, state->in, state->out);
|
||||||
|
|
||||||
return nft_do_chain(&pkt, ops);
|
return nft_do_chain(&pkt, ops);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,
|
static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
if (unlikely(skb->len < sizeof(struct iphdr) ||
|
if (unlikely(skb->len < sizeof(struct iphdr) ||
|
||||||
ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) {
|
ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) {
|
||||||
|
@ -45,7 +41,7 @@ static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
}
|
}
|
||||||
|
|
||||||
return nft_do_chain_ipv4(ops, skb, in, out, okfn);
|
return nft_do_chain_ipv4(ops, skb, state);
|
||||||
}
|
}
|
||||||
|
|
||||||
struct nft_af_info nft_af_ipv4 __read_mostly = {
|
struct nft_af_info nft_af_ipv4 __read_mostly = {
|
||||||
|
|
|
@ -41,38 +41,31 @@ static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops,
|
||||||
|
|
||||||
static unsigned int nft_nat_ipv4_fn(const struct nf_hook_ops *ops,
|
static unsigned int nft_nat_ipv4_fn(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv4_fn(ops, skb, in, out, nft_nat_do_chain);
|
return nf_nat_ipv4_fn(ops, skb, state->in, state->out, nft_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int nft_nat_ipv4_in(const struct nf_hook_ops *ops,
|
static unsigned int nft_nat_ipv4_in(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv4_in(ops, skb, in, out, nft_nat_do_chain);
|
return nf_nat_ipv4_in(ops, skb, state->in, state->out, nft_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int nft_nat_ipv4_out(const struct nf_hook_ops *ops,
|
static unsigned int nft_nat_ipv4_out(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv4_out(ops, skb, in, out, nft_nat_do_chain);
|
return nf_nat_ipv4_out(ops, skb, state->in, state->out, nft_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int nft_nat_ipv4_local_fn(const struct nf_hook_ops *ops,
|
static unsigned int nft_nat_ipv4_local_fn(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv4_local_fn(ops, skb, in, out, nft_nat_do_chain);
|
return nf_nat_ipv4_local_fn(ops, skb, state->in, state->out,
|
||||||
|
nft_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static const struct nf_chain_type nft_chain_nat_ipv4 = {
|
static const struct nf_chain_type nft_chain_nat_ipv4 = {
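Review bot: The four nft_nat_ipv4_* wrappers still unpack `state->in` and `state->out` for nf_nat_ipv4_fn/in/out/local_fn, so the state struct this series introduces is split back into loose arguments one call later; the same pattern repeats in the ip6table_nat_* hunk and the nft_nat_ipv6_* hunk further down. Since nft_ipv6_output already forwards `state` whole to nft_do_chain_ipv6, the nf_nat_ipv4/ipv6 helpers are the obvious next place to take `const struct nf_hook_state *`, after which each wrapper collapses to `return nf_nat_ipv4_fn(ops, skb, state, nft_nat_do_chain);` and the NAT core can reach `state->okfn` without another signature round-trip. Whether those helper signatures are changed elsewhere in this commit is not visible from these hunks.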
@ -23,9 +23,7 @@
static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
|
static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
unsigned int ret;
|
unsigned int ret;
|
||||||
struct nft_pktinfo pkt;
|
struct nft_pktinfo pkt;
@ -39,7 +37,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
ip_hdrlen(skb) < sizeof(struct iphdr))
|
ip_hdrlen(skb) < sizeof(struct iphdr))
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
|
nft_set_pktinfo_ipv4(&pkt, ops, skb, state->in, state->out);
|
||||||
|
|
||||||
mark = skb->mark;
|
mark = skb->mark;
|
||||||
iph = ip_hdr(skb);
|
iph = ip_hdr(skb);
@ -315,11 +315,9 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
static unsigned int ipv6_synproxy_hook(const struct nf_hook_ops *ops,
|
static unsigned int ipv6_synproxy_hook(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *nhs)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct synproxy_net *snet = synproxy_pernet(dev_net(in ? : out));
|
struct synproxy_net *snet = synproxy_pernet(dev_net(nhs->in ? : nhs->out));
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
struct nf_conn_synproxy *synproxy;
|
struct nf_conn_synproxy *synproxy;
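Review bot: The parameter is named `nhs` here while every other hook converted in this commit calls it `state`; unless a local named `state` in the part of the body outside this hunk forces the choice, `const struct nf_hook_state *state)` keeps the hooks grep-able as one family. The `nhs->in ? : nhs->out` elvis form is a GNU extension the kernel accepts, but the sibling ip6table hooks in this series spell the same fallback out as `state->in ? state->in : state->out`, so one spelling across the commit would read better. The function body continues beyond the hunk.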
@ -33,12 +33,11 @@ static const struct xt_table packet_filter = {
/* The work comes in here from netfilter.c. */
|
/* The work comes in here from netfilter.c. */
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip6table_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip6table_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
const struct net *net = dev_net((in != NULL) ? in : out);
|
const struct net *net = dev_net(state->in ? state->in : state->out);
|
||||||
|
|
||||||
return ip6t_do_table(skb, ops->hooknum, in, out,
|
return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
|
||||||
net->ipv6.ip6table_filter);
|
net->ipv6.ip6table_filter);
|
||||||
}
|
}
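Review bot: `dev_net(state->in ? state->in : state->out)` is now repeated verbatim in ip6table_filter_hook, ip6table_raw_hook and ip6table_security_hook (this hunk and the two hunks after the mangle hunk); a small static inline helper that resolves the net from the state would keep the three in sync and give the "prefer in, fall back to out" rule a single name. Something like `static inline struct net *nf_hook_state_net(const struct nf_hook_state *s) { return dev_net(s->in ? s->in : s->out); }` (name constructed here) in the netfilter header would do, though whether such a helper already lands elsewhere in this 35-file commit is not visible from these hunks.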
@ -77,17 +77,16 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
/* The work comes in here from netfilter.c. */
|
/* The work comes in here from netfilter.c. */
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip6table_mangle_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip6table_mangle_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
if (ops->hooknum == NF_INET_LOCAL_OUT)
|
if (ops->hooknum == NF_INET_LOCAL_OUT)
|
||||||
return ip6t_mangle_out(skb, out);
|
return ip6t_mangle_out(skb, state->out);
|
||||||
if (ops->hooknum == NF_INET_POST_ROUTING)
|
if (ops->hooknum == NF_INET_POST_ROUTING)
|
||||||
return ip6t_do_table(skb, ops->hooknum, in, out,
|
return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
|
||||||
dev_net(out)->ipv6.ip6table_mangle);
|
dev_net(state->out)->ipv6.ip6table_mangle);
|
||||||
/* INPUT/FORWARD */
|
/* INPUT/FORWARD */
|
||||||
return ip6t_do_table(skb, ops->hooknum, in, out,
|
return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
|
||||||
dev_net(in)->ipv6.ip6table_mangle);
|
dev_net(state->in)->ipv6.ip6table_mangle);
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops *mangle_ops __read_mostly;
|
static struct nf_hook_ops *mangle_ops __read_mostly;
@ -43,38 +43,34 @@ static unsigned int ip6table_nat_do_chain(const struct nf_hook_ops *ops,
static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops,
|
static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv6_fn(ops, skb, in, out, ip6table_nat_do_chain);
|
return nf_nat_ipv6_fn(ops, skb, state->in, state->out,
|
||||||
|
ip6table_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int ip6table_nat_in(const struct nf_hook_ops *ops,
|
static unsigned int ip6table_nat_in(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv6_in(ops, skb, in, out, ip6table_nat_do_chain);
|
return nf_nat_ipv6_in(ops, skb, state->in, state->out,
|
||||||
|
ip6table_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int ip6table_nat_out(const struct nf_hook_ops *ops,
|
static unsigned int ip6table_nat_out(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv6_out(ops, skb, in, out, ip6table_nat_do_chain);
|
return nf_nat_ipv6_out(ops, skb, state->in, state->out,
|
||||||
|
ip6table_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int ip6table_nat_local_fn(const struct nf_hook_ops *ops,
|
static unsigned int ip6table_nat_local_fn(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv6_local_fn(ops, skb, in, out, ip6table_nat_do_chain);
|
return nf_nat_ipv6_local_fn(ops, skb, state->in, state->out,
|
||||||
|
ip6table_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops nf_nat_ipv6_ops[] __read_mostly = {
|
static struct nf_hook_ops nf_nat_ipv6_ops[] __read_mostly = {
@ -20,12 +20,11 @@ static const struct xt_table packet_raw = {
/* The work comes in here from netfilter.c. */
|
/* The work comes in here from netfilter.c. */
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip6table_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip6table_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
const struct net *net = dev_net((in != NULL) ? in : out);
|
const struct net *net = dev_net(state->in ? state->in : state->out);
|
||||||
|
|
||||||
return ip6t_do_table(skb, ops->hooknum, in, out,
|
return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
|
||||||
net->ipv6.ip6table_raw);
|
net->ipv6.ip6table_raw);
|
||||||
}
|
}
@ -37,13 +37,11 @@ static const struct xt_table security_table = {
static unsigned int
|
static unsigned int
|
||||||
ip6table_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip6table_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
const struct net *net = dev_net((in != NULL) ? in : out);
|
const struct net *net = dev_net(state->in ? state->in : state->out);
|
||||||
|
|
||||||
return ip6t_do_table(skb, ops->hooknum, in, out,
|
return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
|
||||||
net->ipv6.ip6table_security);
|
net->ipv6.ip6table_security);
|
||||||
}
|
}
@ -97,9 +97,7 @@ static int ipv6_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
static unsigned int ipv6_helper(const struct nf_hook_ops *ops,
|
static unsigned int ipv6_helper(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
const struct nf_conn_help *help;
|
const struct nf_conn_help *help;
@ -135,9 +133,7 @@ static unsigned int ipv6_helper(const struct nf_hook_ops *ops,
static unsigned int ipv6_confirm(const struct nf_hook_ops *ops,
|
static unsigned int ipv6_confirm(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
@ -171,25 +167,21 @@ out:
static unsigned int ipv6_conntrack_in(const struct nf_hook_ops *ops,
|
static unsigned int ipv6_conntrack_in(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_conntrack_in(dev_net(in), PF_INET6, ops->hooknum, skb);
|
return nf_conntrack_in(dev_net(state->in), PF_INET6, ops->hooknum, skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,
|
static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
/* root is playing with raw sockets. */
|
/* root is playing with raw sockets. */
|
||||||
if (skb->len < sizeof(struct ipv6hdr)) {
|
if (skb->len < sizeof(struct ipv6hdr)) {
|
||||||
net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");
|
net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
}
|
}
|
||||||
return nf_conntrack_in(dev_net(out), PF_INET6, ops->hooknum, skb);
|
return nf_conntrack_in(dev_net(state->out), PF_INET6, ops->hooknum, skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
|
static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
@ -54,9 +54,7 @@ static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum,
static unsigned int ipv6_defrag(const struct nf_hook_ops *ops,
|
static unsigned int ipv6_defrag(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct sk_buff *reasm;
|
struct sk_buff *reasm;
@ -78,8 +76,8 @@ static unsigned int ipv6_defrag(const struct nf_hook_ops *ops,
nf_ct_frag6_consume_orig(reasm);
|
nf_ct_frag6_consume_orig(reasm);
|
||||||
|
|
||||||
NF_HOOK_THRESH(NFPROTO_IPV6, ops->hooknum, reasm,
|
NF_HOOK_THRESH(NFPROTO_IPV6, ops->hooknum, reasm,
|
||||||
(struct net_device *) in, (struct net_device *) out,
|
state->in, state->out,
|
||||||
okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
|
state->okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
|
||||||
|
|
||||||
return NF_STOLEN;
|
return NF_STOLEN;
|
||||||
}
|
}
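Review bot: The reinjection via NF_HOOK_THRESH now hands `state->in`, `state->out` and `state->okfn` straight out of the caller's nf_hook_state, dropping the explicit `(struct net_device *)` casts the old code needed; that is only sound because the reinjection runs synchronously inside this hook call and `state` is borrowed for exactly that long. A short comment above the call would pin the invariant, e.g. `/* state belongs to the caller; this reinjection must stay synchronous */`, so a later change that queues reasm for deferred processing does not end up holding a pointer into a stack frame that has returned. That the dropped casts imply nf_hook_state stores non-const device pointers is inferred, not visible in this hunk; the start of ipv6_defrag is in an earlier hunk.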
@ -18,14 +18,12 @@
static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops,
|
static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct nft_pktinfo pkt;
|
struct nft_pktinfo pkt;
|
||||||
|
|
||||||
/* malformed packet, drop it */
|
/* malformed packet, drop it */
|
||||||
if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0)
|
if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state->in, state->out) < 0)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
return nft_do_chain(&pkt, ops);
|
return nft_do_chain(&pkt, ops);
@ -33,9 +31,7 @@ static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops,
static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops,
|
static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
|
if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
|
||||||
if (net_ratelimit())
|
if (net_ratelimit())
@ -44,7 +40,7 @@ static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops,
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
}
|
}
|
||||||
|
|
||||||
return nft_do_chain_ipv6(ops, skb, in, out, okfn);
|
return nft_do_chain_ipv6(ops, skb, state);
|
||||||
}
|
}
|
||||||
|
|
||||||
struct nft_af_info nft_af_ipv6 __read_mostly = {
|
struct nft_af_info nft_af_ipv6 __read_mostly = {
@ -39,38 +39,30 @@ static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops,
static unsigned int nft_nat_ipv6_fn(const struct nf_hook_ops *ops,
|
static unsigned int nft_nat_ipv6_fn(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv6_fn(ops, skb, in, out, nft_nat_do_chain);
|
return nf_nat_ipv6_fn(ops, skb, state->in, state->out, nft_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int nft_nat_ipv6_in(const struct nf_hook_ops *ops,
|
static unsigned int nft_nat_ipv6_in(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv6_in(ops, skb, in, out, nft_nat_do_chain);
|
return nf_nat_ipv6_in(ops, skb, state->in, state->out, nft_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int nft_nat_ipv6_out(const struct nf_hook_ops *ops,
|
static unsigned int nft_nat_ipv6_out(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv6_out(ops, skb, in, out, nft_nat_do_chain);
|
return nf_nat_ipv6_out(ops, skb, state->in, state->out, nft_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int nft_nat_ipv6_local_fn(const struct nf_hook_ops *ops,
|
static unsigned int nft_nat_ipv6_local_fn(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return nf_nat_ipv6_local_fn(ops, skb, in, out, nft_nat_do_chain);
|
return nf_nat_ipv6_local_fn(ops, skb, state->in, state->out, nft_nat_do_chain);
|
||||||
}
|
}
|
||||||
|
|
||||||
static const struct nf_chain_type nft_chain_nat_ipv6 = {
|
static const struct nf_chain_type nft_chain_nat_ipv6 = {
@ -24,9 +24,7 @@
static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
|
static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
unsigned int ret;
|
unsigned int ret;
|
||||||
struct nft_pktinfo pkt;
|
struct nft_pktinfo pkt;
@ -35,7 +33,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
u32 mark, flowlabel;
|
u32 mark, flowlabel;
|
||||||
|
|
||||||
/* malformed packet, drop it */
|
/* malformed packet, drop it */
|
||||||
if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0)
|
if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state->in, state->out) < 0)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
/* save source/dest address, mark, hoplimit, flowlabel, priority */
|
/* save source/dest address, mark, hoplimit, flowlabel, priority */
@ -136,8 +136,7 @@ unsigned int nf_iterate(struct list_head *head,
/* Optimization: we don't need to hold module
|
/* Optimization: we don't need to hold module
|
||||||
reference here, since function can't sleep. --RR */
|
reference here, since function can't sleep. --RR */
|
||||||
repeat:
|
repeat:
|
||||||
verdict = (*elemp)->hook(*elemp, skb, state->in, state->out,
|
verdict = (*elemp)->hook(*elemp, skb, state);
|
||||||
state->okfn);
|
|
||||||
if (verdict != NF_ACCEPT) {
|
if (verdict != NF_ACCEPT) {
|
||||||
#ifdef CONFIG_NETFILTER_DEBUG
|
#ifdef CONFIG_NETFILTER_DEBUG
|
||||||
if (unlikely((verdict & NF_VERDICT_MASK)
|
if (unlikely((verdict & NF_VERDICT_MASK)
@ -1272,8 +1272,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
*/
|
*/
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip_vs_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip_vs_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ip_vs_out(ops->hooknum, skb, AF_INET);
|
return ip_vs_out(ops->hooknum, skb, AF_INET);
|
||||||
}
|
}
|
||||||
|
@ -1284,8 +1283,7 @@ ip_vs_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
*/
|
*/
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip_vs_local_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip_vs_local_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ip_vs_out(ops->hooknum, skb, AF_INET);
|
return ip_vs_out(ops->hooknum, skb, AF_INET);
|
||||||
}
|
}
|
||||||
|
@ -1299,8 +1297,7 @@ ip_vs_local_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
*/
|
*/
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip_vs_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip_vs_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ip_vs_out(ops->hooknum, skb, AF_INET6);
|
return ip_vs_out(ops->hooknum, skb, AF_INET6);
|
||||||
}
|
}
|
||||||
|
@ -1311,8 +1308,7 @@ ip_vs_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb,
*/
|
*/
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip_vs_local_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip_vs_local_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ip_vs_out(ops->hooknum, skb, AF_INET6);
|
return ip_vs_out(ops->hooknum, skb, AF_INET6);
|
||||||
}
|
}
|
||||||
|
@ -1769,9 +1765,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
*/
|
*/
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip_vs_remote_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip_vs_remote_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ip_vs_in(ops->hooknum, skb, AF_INET);
|
return ip_vs_in(ops->hooknum, skb, AF_INET);
|
||||||
}
|
}
|
||||||
|
@ -1782,8 +1776,7 @@ ip_vs_remote_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
*/
|
*/
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip_vs_local_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip_vs_local_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ip_vs_in(ops->hooknum, skb, AF_INET);
|
return ip_vs_in(ops->hooknum, skb, AF_INET);
|
||||||
}
|
}
|
||||||
|
@ -1796,9 +1789,7 @@ ip_vs_local_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
*/
|
*/
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip_vs_remote_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip_vs_remote_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ip_vs_in(ops->hooknum, skb, AF_INET6);
|
return ip_vs_in(ops->hooknum, skb, AF_INET6);
|
||||||
}
|
}
|
||||||
|
@ -1809,8 +1800,7 @@ ip_vs_remote_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
*/
|
*/
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip_vs_local_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip_vs_local_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return ip_vs_in(ops->hooknum, skb, AF_INET6);
|
return ip_vs_in(ops->hooknum, skb, AF_INET6);
|
||||||
}
|
}
|
||||||
|
@ -1829,8 +1819,7 @@ ip_vs_local_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
*/
|
*/
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip_vs_forward_icmp(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip_vs_forward_icmp(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
int r;
|
int r;
|
||||||
struct net *net;
|
struct net *net;
|
||||||
|
@ -1851,8 +1840,7 @@ ip_vs_forward_icmp(const struct nf_hook_ops *ops, struct sk_buff *skb,
#ifdef CONFIG_IP_VS_IPV6
|
#ifdef CONFIG_IP_VS_IPV6
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip_vs_forward_icmp_v6(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
ip_vs_forward_icmp_v6(const struct nf_hook_ops *ops, struct sk_buff *skb,
|
||||||
const struct net_device *in, const struct net_device *out,
|
const struct nf_hook_state *state)
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
int r;
|
int r;
|
||||||
struct net *net;
|
struct net *net;
@ -4852,21 +4852,17 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
|
static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return selinux_ip_forward(skb, in, PF_INET);
|
return selinux_ip_forward(skb, state->in, PF_INET);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
||||||
static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
|
static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return selinux_ip_forward(skb, in, PF_INET6);
|
return selinux_ip_forward(skb, state->in, PF_INET6);
|
||||||
}
|
}
|
||||||
#endif /* IPV6 */
|
#endif /* IPV6 */
@ -4914,9 +4910,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
|
static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return selinux_ip_output(skb, PF_INET);
|
return selinux_ip_output(skb, PF_INET);
|
||||||
}
|
}
@ -5091,21 +5085,17 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
|
static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return selinux_ip_postroute(skb, out, PF_INET);
|
return selinux_ip_postroute(skb, state->out, PF_INET);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
||||||
static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
|
static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
return selinux_ip_postroute(skb, out, PF_INET6);
|
return selinux_ip_postroute(skb, state->out, PF_INET6);
|
||||||
}
|
}
|
||||||
#endif /* IPV6 */
|
#endif /* IPV6 */
@ -23,9 +23,7 @@
static unsigned int smack_ipv6_output(const struct nf_hook_ops *ops,
|
static unsigned int smack_ipv6_output(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct socket_smack *ssp;
|
struct socket_smack *ssp;
|
||||||
struct smack_known *skp;
|
struct smack_known *skp;
@ -42,9 +40,7 @@ static unsigned int smack_ipv6_output(const struct nf_hook_ops *ops,
static unsigned int smack_ipv4_output(const struct nf_hook_ops *ops,
|
static unsigned int smack_ipv4_output(const struct nf_hook_ops *ops,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
const struct net_device *in,
|
const struct nf_hook_state *state)
|
||||||
const struct net_device *out,
|
|
||||||
int (*okfn)(struct sk_buff *))
|
|
||||||
{
|
{
|
||||||
struct socket_smack *ssp;
|
struct socket_smack *ssp;
|
||||||
struct smack_known *skp;
|
struct smack_known *skp;