[NETFILTER]: Supress some sparse warnings

CHECK net/netfilter/nf_conntrack_expect.c
net/netfilter/nf_conntrack_expect.c:429:13: warning: context imbalance in 'exp_seq_start' - wrong count at exit
net/netfilter/nf_conntrack_expect.c:441:13: warning: context imbalance in 'exp_seq_stop' - unexpected unlock
CHECK net/netfilter/nf_log.c
net/netfilter/nf_log.c:105:13: warning: context imbalance in 'seq_start' - wrong count at exit
net/netfilter/nf_log.c:125:13: warning: context imbalance in 'seq_stop' - unexpected unlock
CHECK net/netfilter/nfnetlink_queue.c
net/netfilter/nfnetlink_queue.c:363:7: warning: symbol 'size' shadows an earlier one
net/netfilter/nfnetlink_queue.c:217:9: originally declared here
net/netfilter/nfnetlink_queue.c:847:13: warning: context imbalance in 'seq_start' - wrong count at exit
net/netfilter/nfnetlink_queue.c:859:13: warning: context imbalance in 'seq_stop' - unexpected unlock

Signed-off-by: Eric Dumazet <***@cosmosbay.com>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 529b54d47425038bf231b8ce446447e957b3c89d
tree 939739c042fb1ec1423af3794e14dc9304b5c3fe
parent dd430ca20c40ecccd6954a7efd13d4398f507728
author Eric Dumazet <***@cosmosbay.com> Tue, 29 Jan 2008 16:21:48 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:11 +0100

net/netfilter/nf_conntrack_expect.c | 2 ++
net/netfilter/nf_log.c | 2 ++
net/netfilter/nfnetlink_queue.c | 6 ++++--
3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index e0cd9d0..e405079 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -427,6 +427,7 @@ static struct hlist_node *ct_expect_get_idx(struct seq_file *seq, loff_t pos)
}

static void *exp_seq_start(struct seq_file *seq, loff_t *pos)
+ __acquires(nf_conntrack_lock)
{
read_lock_bh(&nf_conntrack_lock);
return ct_expect_get_idx(seq, *pos);
@@ -439,6 +440,7 @@ static void *exp_seq_next(struct seq_file *seq, void *v, loff_t *pos)
}

static void exp_seq_stop(struct seq_file *seq, void *v)
+ __releases(nf_conntrack_lock)
{
read_unlock_bh(&nf_conntrack_lock);
}
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 4f5f288..cec9976 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -103,6 +103,7 @@ EXPORT_SYMBOL(nf_log_packet);

#ifdef CONFIG_PROC_FS
static void *seq_start(struct seq_file *seq, loff_t *pos)
+ __acquires(RCU)
{
rcu_read_lock();

@@ -123,6 +124,7 @@ static void *seq_next(struct seq_file *s, void *v, loff_t *pos)
}

static void seq_stop(struct seq_file *s, void *v)
+ __releases(RCU)
{
rcu_read_unlock();
}
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 51476f8..a48b20f 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -360,7 +360,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,

if (data_len) {
struct nlattr *nla;
- int size = nla_attr_size(data_len);
+ int sz = nla_attr_size(data_len);

if (skb_tailroom(skb) < nla_total_size(data_len)) {
printk(KERN_WARNING "nf_queue: no tailroom!\n");
@@ -369,7 +369,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,

nla = (struct nlattr *)skb_put(skb, nla_total_size(data_len));
nla->nla_type = NFQA_PAYLOAD;
- nla->nla_len = size;
+ nla->nla_len = sz;

if (skb_copy_bits(entskb, 0, nla_data(nla), data_len))
BUG();
@@ -845,6 +845,7 @@ static struct hlist_node *get_idx(struct seq_file *seq, loff_t pos)
}

static void *seq_start(struct seq_file *seq, loff_t *pos)
+ __acquires(instances_lock)
{
spin_lock(&instances_lock);
return get_idx(seq, *pos);
@@ -857,6 +858,7 @@ static void *seq_next(struct seq_file *s, void *v, loff_t *pos)
}

static void seq_stop(struct seq_file *s, void *v)
+ __releases(instances_lock)
{
spin_unlock(&instances_lock);
}
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_nat: remove double bysource hash initialization

The hash table is already initialized by nf_ct_alloc_hashtable().

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 4639b794086800b0bef00c06c880a47be1517853
tree 70dd7a1fda33819c1b1715722ca5b77f491a7c8f
parent 6276f9ebe13419b94f58dd9ef713c1c56c74e4ca
author Patrick McHardy <***@trash.net> Tue, 29 Jan 2008 16:21:50 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:12 +0100

net/ipv4/netfilter/nf_nat_core.c | 4 ----
1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index e53ae1e..c07575d 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -654,10 +654,6 @@ static int __init nf_nat_init(void)
rcu_assign_pointer(nf_nat_protos[IPPROTO_ICMP], &nf_nat_protocol_icmp);
write_unlock_bh(&nf_nat_lock);

- for (i = 0; i < nf_nat_htable_size; i++) {
- INIT_HLIST_HEAD(&bysource[i]);
- }
-
/* Initialize fake conntrack so that NAT will skip it */
nf_conntrack_untracked.status |= IPS_NAT_DONE_MASK;

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: Use const in struct xt_match, xt_target, xt_table

Signed-off-by: Jan Engelhardt <***@computergmbh.de>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit a2a8ddee99386b740ec6242b2a185617ba59edac
tree cd3566e5dd481ca08cb0c4e9baeb424c354895cf
parent 529b54d47425038bf231b8ce446447e957b3c89d
author Jan Engelhardt <***@computergmbh.de> Tue, 29 Jan 2008 16:21:49 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:12 +0100

include/linux/netfilter/x_tables.h | 6 +++---
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b99ede5..90dc6ea 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -214,7 +214,7 @@ struct xt_match
/* Free to use by each match */
unsigned long data;

- char *table;
+ const char *table;
unsigned int matchsize;
unsigned int compatsize;
unsigned int hooks;
@@ -261,7 +261,7 @@ struct xt_target
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;

- char *table;
+ const char *table;
unsigned int targetsize;
unsigned int compatsize;
unsigned int hooks;
@@ -277,7 +277,7 @@ struct xt_table
struct list_head list;

/* A unique name... */
- char name[XT_TABLE_MAXNAMELEN];
+ const char name[XT_TABLE_MAXNAMELEN];

/* What hooks you will enter on */
unsigned int valid_hooks;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 982b7f9..628a6b5 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -291,7 +291,7 @@ static void trace_packet(struct sk_buff *skb,
unsigned int hook,
const struct net_device *in,
const struct net_device *out,
- char *tablename,
+ const char *tablename,
struct xt_table_info *private,
struct ipt_entry *e)
{
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index dd7860f..92b4898 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -320,7 +320,7 @@ static void trace_packet(struct sk_buff *skb,
unsigned int hook,
const struct net_device *in,
const struct net_device *out,
- char *tablename,
+ const char *tablename,
struct xt_table_info *private,
struct ip6t_entry *e)
{
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nfnetlink_log: fix typo

It should use htonl for the GID, not htons.

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit b64a07de84c00708be436ec05a75c093430e262d
tree 0bfbb96d69717d2146e0f9683d8b0a22a3216910
parent 55a3ad929c35527e0ac6ccdb5535779ed1523be5
author Patrick McHardy <***@trash.net> Tue, 29 Jan 2008 16:21:52 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:13 +0100

net/netfilter/nfnetlink_log.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 5013cb9..2348fcb 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -467,7 +467,7 @@ __build_packet_message(struct nfulnl_instance *inst,
read_lock_bh(&skb->sk->sk_callback_lock);
if (skb->sk->sk_socket && skb->sk->sk_socket->file) {
__be32 uid = htonl(skb->sk->sk_socket->file->f_uid);
- __be32 gid = htons(skb->sk->sk_socket->file->f_gid);
+ __be32 gid = htonl(skb->sk->sk_socket->file->f_gid);
/* need to unlock here since NLA_PUT may goto */
read_unlock_bh(&skb->sk->sk_callback_lock);
NLA_PUT_BE32(inst->skb, NFULA_UID, uid);
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

linux/types.h: Use __u64 for aligned_u64

Signed-off-by: Jan Engelhardt <***@computergmbh.de>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 6276f9ebe13419b94f58dd9ef713c1c56c74e4ca
tree 359d6748c8f98414b144ba3cac969c7bccc0f311
parent a2a8ddee99386b740ec6242b2a185617ba59edac
author Jan Engelhardt <***@computergmbh.de> Tue, 29 Jan 2008 16:21:49 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:12 +0100

include/linux/types.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/include/linux/types.h b/include/linux/types.h
index f4f8d19..b94c0e4 100644
--- a/include/linux/types.h
+++ b/include/linux/types.h
@@ -126,7 +126,7 @@ typedef __s64 int64_t;
#endif

/* this is a special 64bit data type that is 8-byte aligned */
-#define aligned_u64 unsigned long long __attribute__((aligned(8)))
+#define aligned_u64 __u64 __attribute__((aligned(8)))
#define aligned_be64 __be64 __attribute__((aligned(8)))
#define aligned_le64 __le64 __attribute__((aligned(8)))

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: bridge netfilter: remove nf_bridge_info read-only netoutdev member

Before the removal of the deferred output hooks, netoutdev was used in case
of VLANs on top of a bridge to store the VLAN device, so the deferred hooks
would see the correct output device. This isn't necessary anymore since we're
calling the output hooks for the correct device directly in the IP stack.

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 55a3ad929c35527e0ac6ccdb5535779ed1523be5
tree 3db79be7f7c220b1bbfbac83b4040e67ad65c127
parent 4639b794086800b0bef00c06c880a47be1517853
author Patrick McHardy <***@trash.net> Tue, 29 Jan 2008 16:21:51 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:12 +0100

include/linux/skbuff.h | 3 ---
net/bridge/br_netfilter.c | 4 ----
2 files changed, 0 insertions(+), 7 deletions(-)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index c618fbf..dfe975a 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -108,9 +108,6 @@ struct nf_bridge_info {
atomic_t use;
struct net_device *physindev;
struct net_device *physoutdev;
-#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
- struct net_device *netoutdev;
-#endif
unsigned int mask;
unsigned long data[32 / sizeof(unsigned long)];
};
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 80014ba..1c0efd8 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -828,10 +828,6 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
nf_bridge_pull_encap_header(skb);
nf_bridge_save_header(skb);

-#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
- if (nf_bridge->netoutdev)
- realoutdev = nf_bridge->netoutdev;
-#endif
NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
br_nf_dev_queue_xmit);

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: xt_conntrack: add port and direction matching

Extend the xt_conntrack match revision 1 by port matching (all four
{orig,repl}{src,dst}) and by packet direction matching.

Signed-off-by: Jan Engelhardt <***@computergmbh.de>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 62069912fa544382934395362fb73205475474d4
tree fb265d4b459d2eb956f4f79102d60b6fcebcc9fd
parent b64a07de84c00708be436ec05a75c093430e262d
author Jan Engelhardt <***@computergmbh.de> Tue, 29 Jan 2008 16:21:=
53 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:13 +=
0100

include/linux/netfilter/xt_conntrack.h | 30 ++++++++++++-------
net/netfilter/xt_conntrack.c | 50 ++++++++++++++++++++++++=
+++++---
2 files changed, 63 insertions(+), 17 deletions(-)

diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/net=
filter/xt_conntrack.h
index d2492a3..f3fd83e 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -6,9 +6,6 @@
#define _XT_CONNTRACK_H
=20
#include <linux/netfilter/nf_conntrack_tuple_common.h>
-#ifdef __KERNEL__
-# include <linux/in.h>
-#endif
=20
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+=
1))
#define XT_CONNTRACK_STATE_INVALID (1 << 0)
@@ -18,14 +15,21 @@
#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
=20
/* flags, invflags: */
-#define XT_CONNTRACK_STATE 0x01
-#define XT_CONNTRACK_PROTO 0x02
-#define XT_CONNTRACK_ORIGSRC 0x04
-#define XT_CONNTRACK_ORIGDST 0x08
-#define XT_CONNTRACK_REPLSRC 0x10
-#define XT_CONNTRACK_REPLDST 0x20
-#define XT_CONNTRACK_STATUS 0x40
-#define XT_CONNTRACK_EXPIRES 0x80
+enum {
+ XT_CONNTRACK_STATE =3D 1 << 0,
+ XT_CONNTRACK_PROTO =3D 1 << 1,
+ XT_CONNTRACK_ORIGSRC =3D 1 << 2,
+ XT_CONNTRACK_ORIGDST =3D 1 << 3,
+ XT_CONNTRACK_REPLSRC =3D 1 << 4,
+ XT_CONNTRACK_REPLDST =3D 1 << 5,
+ XT_CONNTRACK_STATUS =3D 1 << 6,
+ XT_CONNTRACK_EXPIRES =3D 1 << 7,
+ XT_CONNTRACK_ORIGSRC_PORT =3D 1 << 8,
+ XT_CONNTRACK_ORIGDST_PORT =3D 1 << 9,
+ XT_CONNTRACK_REPLSRC_PORT =3D 1 << 10,
+ XT_CONNTRACK_REPLDST_PORT =3D 1 << 11,
+ XT_CONNTRACK_DIRECTION =3D 1 << 12,
+};
=20
/* This is exposed to userspace, so remains frozen in time. */
struct ip_conntrack_old_tuple
@@ -70,8 +74,10 @@ struct xt_conntrack_mtinfo1 {
union nf_inet_addr repldst_addr, repldst_mask;
u_int32_t expires_min, expires_max;
u_int16_t l4proto;
+ __be16 origsrc_port, origdst_port;
+ __be16 replsrc_port, repldst_port;
+ u_int16_t match_flags, invert_flags;
u_int8_t state_mask, status_mask;
- u_int8_t match_flags, invert_flags;
};
=20
#endif /*_XT_CONNTRACK_H*/
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.=
c
index e92190e..8533085 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -4,7 +4,6 @@
*
* (C) 2001 Marc Boucher (***@mbsi.ca).
* Copyright =C2=A9 CC Computer Consultants GmbH, 2007 - 2008
- * Jan Engelhardt <***@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modif=
y
* it under the terms of the GNU General Public License version 2 as
@@ -20,6 +19,7 @@
=20
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <***@mbsi.ca>");
+MODULE_AUTHOR("Jan Engelhardt <***@computergmbh.de>");
MODULE_DESCRIPTION("Xtables: connection tracking state match");
MODULE_ALIAS("ipt_conntrack");
MODULE_ALIAS("ip6t_conntrack");
@@ -166,6 +166,44 @@ conntrack_mt_repldst(const struct nf_conn *ct,
&info->repldst_addr, &info->repldst_mask, family);
}
=20
+static inline bool
+ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
+ const struct nf_conn *ct)
+{
+ const struct nf_conntrack_tuple *tuple;
+
+ tuple =3D &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+ if ((info->match_flags & XT_CONNTRACK_PROTO) &&
+ (tuple->dst.protonum =3D=3D info->l4proto) ^
+ !(info->invert_flags & XT_CONNTRACK_PROTO))
+ return false;
+
+ /* Shortcut to match all recognized protocols by using ->src.all. */
+ if ((info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) &&
+ (tuple->src.u.all =3D=3D info->origsrc_port) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT))
+ return false;
+
+ if ((info->match_flags & XT_CONNTRACK_ORIGDST_PORT) &&
+ (tuple->dst.u.all =3D=3D info->origdst_port) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGDST_PORT))
+ return false;
+
+ tuple =3D &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
+
+ if ((info->match_flags & XT_CONNTRACK_REPLSRC_PORT) &&
+ (tuple->src.u.all =3D=3D info->replsrc_port) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLSRC_PORT))
+ return false;
+
+ if ((info->match_flags & XT_CONNTRACK_REPLDST_PORT) &&
+ (tuple->dst.u.all =3D=3D info->repldst_port) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLDST_PORT))
+ return false;
+
+ return true;
+}
+
static bool
conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *matc=
h,
@@ -200,10 +238,9 @@ conntrack_mt(const struct sk_buff *skb, const stru=
ct net_device *in,
=20
if (ct =3D=3D NULL)
return info->match_flags & XT_CONNTRACK_STATE;
-
- if ((info->match_flags & XT_CONNTRACK_PROTO) &&
- ((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum =3D=3D
- info->l4proto) ^ !(info->invert_flags & XT_CONNTRACK_PROTO)))
+ if ((info->match_flags & XT_CONNTRACK_DIRECTION) &&
+ (CTINFO2DIR(ctinfo) =3D=3D IP_CT_DIR_ORIGINAL) ^
+ !!(info->invert_flags & XT_CONNTRACK_DIRECTION))
return false;
=20
if (info->match_flags & XT_CONNTRACK_ORIGSRC)
@@ -226,6 +263,9 @@ conntrack_mt(const struct sk_buff *skb, const struc=
t net_device *in,
!(info->invert_flags & XT_CONNTRACK_REPLDST))
return false;
=20
+ if (!ct_proto_port_check(info, ct))
+ return false;
+
if ((info->match_flags & XT_CONNTRACK_STATUS) &&
(!!(info->status_mask & ct->status) ^
!(info->invert_flags & XT_CONNTRACK_STATUS)))
-
To unsubscribe from this list: send the line "unsubscribe netfilter-dev=
el" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: ip6_tables: per-netns IPv6 FILTER, MANGLE, RAW

Now it's possible to list and manipulate per-netns ip6tables rules.
Filtering decisions are based on init_net's table so far.

P.S.: remove init_net check in inet6_create() to see the effect

Signed-off-by: Alexey Dobriyan <***@sw.ru>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 084d68b97043319020232289b1f63c8c7afa2e97
tree c7eccef90b4c867d5c7ded7b65824f2d80ac4c69
parent 9b50679c5240114dfca105cd2f7e9df0d187eded
author Alexey Dobriyan <***@sw.ru> Tue, 29 Jan 2008 16:22:00 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:17 +0100

include/net/netns/ipv6.h | 5 ++++
net/ipv6/netfilter/ip6table_filter.c | 40 +++++++++++++++++++++++++---------
net/ipv6/netfilter/ip6table_mangle.c | 40 +++++++++++++++++++++++++---------
net/ipv6/netfilter/ip6table_raw.c | 38 ++++++++++++++++++++++++--------
4 files changed, 91 insertions(+), 32 deletions(-)

diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index 187c424..1dd7de4 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -31,5 +31,10 @@ struct netns_ipv6 {
struct ipv6_devconf *devconf_all;
struct ipv6_devconf *devconf_dflt;
struct netns_frags frags;
+#ifdef CONFIG_NETFILTER
+ struct xt_table *ip6table_filter;
+ struct xt_table *ip6table_mangle;
+ struct xt_table *ip6table_raw;
+#endif
};
#endif
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index d0bf71d..2d9cd09 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -26,7 +26,7 @@ static struct
struct ip6t_replace repl;
struct ip6t_standard entries[3];
struct ip6t_error term;
-} initial_table __initdata = {
+} initial_table __net_initdata = {
.repl = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
@@ -51,14 +51,13 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};

-static struct xt_table __packet_filter = {
+static struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET6,
};
-static struct xt_table *packet_filter;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -68,7 +67,7 @@ ip6t_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out, packet_filter);
+ return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_filter);
}

static unsigned int
@@ -88,7 +87,7 @@ ip6t_local_out_hook(unsigned int hook,
}
#endif

- return ip6t_do_table(skb, hook, in, out, packet_filter);
+ return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_filter);
}

static struct nf_hook_ops ip6t_ops[] __read_mostly = {
@@ -119,6 +118,26 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
static int forward = NF_ACCEPT;
module_param(forward, bool, 0000);

+static int __net_init ip6table_filter_net_init(struct net *net)
+{
+ /* Register table */
+ net->ipv6.ip6table_filter =
+ ip6t_register_table(net, &packet_filter, &initial_table.repl);
+ if (IS_ERR(net->ipv6.ip6table_filter))
+ return PTR_ERR(net->ipv6.ip6table_filter);
+ return 0;
+}
+
+static void __net_exit ip6table_filter_net_exit(struct net *net)
+{
+ ip6t_unregister_table(net->ipv6.ip6table_filter);
+}
+
+static struct pernet_operations ip6table_filter_net_ops = {
+ .init = ip6table_filter_net_init,
+ .exit = ip6table_filter_net_exit,
+};
+
static int __init ip6table_filter_init(void)
{
int ret;
@@ -131,10 +150,9 @@ static int __init ip6table_filter_init(void)
/* Entry 1 is the FORWARD hook */
initial_table.entries[1].target.verdict = -forward - 1;

- /* Register table */
- packet_filter = ip6t_register_table(&init_net, &__packet_filter, &initial_table.repl);
- if (IS_ERR(packet_filter))
- return PTR_ERR(packet_filter);
+ ret = register_pernet_subsys(&ip6table_filter_net_ops);
+ if (ret < 0)
+ return ret;

/* Register hooks */
ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
@@ -144,14 +162,14 @@ static int __init ip6table_filter_init(void)
return ret;

cleanup_table:
- ip6t_unregister_table(packet_filter);
+ unregister_pernet_subsys(&ip6table_filter_net_ops);
return ret;
}

static void __exit ip6table_filter_fini(void)
{
nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- ip6t_unregister_table(packet_filter);
+ unregister_pernet_subsys(&ip6table_filter_net_ops);
}

module_init(ip6table_filter_init);
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index abdfece..035343a 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -26,7 +26,7 @@ static struct
struct ip6t_replace repl;
struct ip6t_standard entries[5];
struct ip6t_error term;
-} initial_table __initdata = {
+} initial_table __net_initdata = {
.repl = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
@@ -57,14 +57,13 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};

-static struct xt_table __packet_mangler = {
+static struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET6,
};
-static struct xt_table *packet_mangler;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -74,7 +73,7 @@ ip6t_route_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out, packet_mangler);
+ return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_mangle);
}

static unsigned int
@@ -109,7 +108,7 @@ ip6t_local_hook(unsigned int hook,
/* flowlabel and prio (includes version, which shouldn't change either */
flowlabel = *((u_int32_t *)ipv6_hdr(skb));

- ret = ip6t_do_table(skb, hook, in, out, packet_mangler);
+ ret = ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_mangle);

if (ret != NF_DROP && ret != NF_STOLEN
&& (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))
@@ -159,14 +158,33 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
},
};

+static int __net_init ip6table_mangle_net_init(struct net *net)
+{
+ /* Register table */
+ net->ipv6.ip6table_mangle =
+ ip6t_register_table(net, &packet_mangler, &initial_table.repl);
+ if (IS_ERR(net->ipv6.ip6table_mangle))
+ return PTR_ERR(net->ipv6.ip6table_mangle);
+ return 0;
+}
+
+static void __net_exit ip6table_mangle_net_exit(struct net *net)
+{
+ ip6t_unregister_table(net->ipv6.ip6table_mangle);
+}
+
+static struct pernet_operations ip6table_mangle_net_ops = {
+ .init = ip6table_mangle_net_init,
+ .exit = ip6table_mangle_net_exit,
+};
+
static int __init ip6table_mangle_init(void)
{
int ret;

- /* Register table */
- packet_mangler = ip6t_register_table(&init_net, &__packet_mangler, &initial_table.repl);
- if (IS_ERR(packet_mangler))
- return PTR_ERR(packet_mangler);
+ ret = register_pernet_subsys(&ip6table_mangle_net_ops);
+ if (ret < 0)
+ return ret;

/* Register hooks */
ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
@@ -176,14 +194,14 @@ static int __init ip6table_mangle_init(void)
return ret;

cleanup_table:
- ip6t_unregister_table(packet_mangler);
+ unregister_pernet_subsys(&ip6table_mangle_net_ops);
return ret;
}

static void __exit ip6table_mangle_fini(void)
{
nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- ip6t_unregister_table(packet_mangler);
+ unregister_pernet_subsys(&ip6table_mangle_net_ops);
}

module_init(ip6table_mangle_init);
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 12acd63..5cd8420 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -13,7 +13,7 @@ static struct
struct ip6t_replace repl;
struct ip6t_standard entries[2];
struct ip6t_error term;
-} initial_table __initdata = {
+} initial_table __net_initdata = {
.repl = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
@@ -35,14 +35,13 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};

-static struct xt_table __packet_raw = {
+static struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET6,
};
-static struct xt_table *packet_raw;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -52,7 +51,7 @@ ip6t_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out, packet_raw);
+ return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_raw);
}

static struct nf_hook_ops ip6t_ops[] __read_mostly = {
@@ -72,14 +71,33 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
},
};

+static int __net_init ip6table_raw_net_init(struct net *net)
+{
+ /* Register table */
+ net->ipv6.ip6table_raw =
+ ip6t_register_table(net, &packet_raw, &initial_table.repl);
+ if (IS_ERR(net->ipv6.ip6table_raw))
+ return PTR_ERR(net->ipv6.ip6table_raw);
+ return 0;
+}
+
+static void __net_exit ip6table_raw_net_exit(struct net *net)
+{
+ ip6t_unregister_table(net->ipv6.ip6table_raw);
+}
+
+static struct pernet_operations ip6table_raw_net_ops = {
+ .init = ip6table_raw_net_init,
+ .exit = ip6table_raw_net_exit,
+};
+
static int __init ip6table_raw_init(void)
{
int ret;

- /* Register table */
- packet_raw = ip6t_register_table(&init_net, &__packet_raw, &initial_table.repl);
- if (IS_ERR(packet_raw))
- return PTR_ERR(packet_raw);
+ ret = register_pernet_subsys(&ip6table_raw_net_ops);
+ if (ret < 0)
+ return ret;

/* Register hooks */
ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
@@ -89,14 +107,14 @@ static int __init ip6table_raw_init(void)
return ret;

cleanup_table:
- ip6t_unregister_table(packet_raw);
+ unregister_pernet_subsys(&ip6table_raw_net_ops);
return ret;
}

static void __exit ip6table_raw_fini(void)
{
nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- ip6t_unregister_table(packet_raw);
+ unregister_pernet_subsys(&ip6table_raw_net_ops);
}

module_init(ip6table_raw_init);
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_nat_snmp: sparse warning

Signed-off-by: Stephen Hemminger <***@vyatta.com>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 1ba99fa44b76ee7a7dddffc965a296d46c70fd40
tree 8d6c2f8042f36119de85fdba76d46dfca177ac80
parent c1e9e8f11d30d54eb79e53ca02f0fd17a60407ef
author Stephen Hemminger <***@vyatta.com> Tue, 29 Jan 2008 16:22:04 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:18 +0100

net/ipv4/netfilter/nf_nat_snmp_basic.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 07f2a49..540ce6a 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -260,7 +260,7 @@ static unsigned char asn1_eoc_decode(struct asn1_ctx *ctx, unsigned char *eoc)
{
unsigned char ch;

- if (eoc == 0) {
+ if (eoc == NULL) {
if (!asn1_octet_decode(ctx, &ch))
return 0;

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_log: add netfilter gcc printf format checking

Signed-off-by: Helge Deller <***@gmx.de>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 1b8b1c29feb7a42aceb8f62ea9378d492437acbe
tree b56dae8df90443115cb7eff3199a160be17b9631
parent 62069912fa544382934395362fb73205475474d4
author Helge Deller <***@gmx.de> Tue, 29 Jan 2008 16:21:53 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:13 +0100

include/net/netfilter/nf_log.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 037e824..8c6b5ae 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -54,6 +54,6 @@ void nf_log_packet(int pf,
const struct net_device *in,
const struct net_device *out,
const struct nf_loginfo *li,
- const char *fmt, ...);
+ const char *fmt, ...) __attribute__ ((format(printf,7,8)));

#endif /* _NF_LOG_H */
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: netns: put table module on netns stop

When number of entries exceeds number of initial entries, foo-tables code
will pin table module. But during table unregister on netns stop,
that additional pin was forgotten.

Signed-off-by: Alexey Dobriyan <***@sw.ru>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 5925cf9534dffe7165056399a6911609bd1fb44b
tree f3085e7975b409f6ea2f5d6c56adc9abdd13aadc
parent e612deed898a9b2984bd7c2f4fef1a5a93f8160b
author Alexey Dobriyan <***@sw.ru> Tue, 29 Jan 2008 16:22:02 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:17 +0100

net/ipv4/netfilter/arp_tables.c | 3 +++
net/ipv4/netfilter/ip_tables.c | 3 +++
net/ipv6/netfilter/ip6_tables.c | 3 +++
3 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index ec64b67..3608675 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1773,6 +1773,7 @@ void arpt_unregister_table(struct arpt_table *table)
{
struct xt_table_info *private;
void *loc_cpu_entry;
+ struct module *table_owner = table->me;

private = xt_unregister_table(table);

@@ -1780,6 +1781,8 @@ void arpt_unregister_table(struct arpt_table *table)
loc_cpu_entry = private->entries[raw_smp_processor_id()];
ARPT_ENTRY_ITERATE(loc_cpu_entry, private->size,
cleanup_entry, NULL);
+ if (private->number > private->initial_entries)
+ module_put(table_owner);
xt_free_table_info(private);
}

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index c1b80f4..427bc9b 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2095,12 +2095,15 @@ void ipt_unregister_table(struct xt_table *table)
{
struct xt_table_info *private;
void *loc_cpu_entry;
+ struct module *table_owner = table->me;

private = xt_unregister_table(table);

/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries[raw_smp_processor_id()];
IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
+ if (private->number > private->initial_entries)
+ module_put(table_owner);
xt_free_table_info(private);
}

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 2453dfd..6fabb73 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2121,12 +2121,15 @@ void ip6t_unregister_table(struct xt_table *table)
{
struct xt_table_info *private;
void *loc_cpu_entry;
+ struct module *table_owner = table->me;

private = xt_unregister_table(table);

/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries[raw_smp_processor_id()];
IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
+ if (private->number > private->initial_entries)
+ module_put(table_owner);
xt_free_table_info(private);
}

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: ebtables: Update modules' descriptions

Update the MODULES_DESCRIPTION() tags for all Ebtables modules.

Reference to previous related commit: 3e53176b24b94f660ba61bfab5bcaf5c135bbcf2.

Signed-off-by: Jan Engelhardt <***@computergmbh.de>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit ddc4e00ab9447d62118a6a0506369726065d1df5
tree b5ed55dca07bd2bdb9e9a082ba05c9e1aba71c5b
parent b98625021b5c086ec97c2121eaf9f06873339d3e
author Jan Engelhardt <***@computergmbh.de> Tue, 29 Jan 2008 16:21:55 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:14 +0100

net/bridge/netfilter/ebt_802_3.c | 1 +
net/bridge/netfilter/ebt_among.c | 1 +
net/bridge/netfilter/ebt_arp.c | 1 +
net/bridge/netfilter/ebt_arpreply.c | 1 +
net/bridge/netfilter/ebt_dnat.c | 1 +
net/bridge/netfilter/ebt_ip.c | 1 +
net/bridge/netfilter/ebt_limit.c | 1 +
net/bridge/netfilter/ebt_log.c | 1 +
net/bridge/netfilter/ebt_mark.c | 1 +
net/bridge/netfilter/ebt_mark_m.c | 1 +
net/bridge/netfilter/ebt_pkttype.c | 1 +
net/bridge/netfilter/ebt_redirect.c | 1 +
net/bridge/netfilter/ebt_snat.c | 1 +
net/bridge/netfilter/ebt_stp.c | 1 +
net/bridge/netfilter/ebt_ulog.c | 3 +--
net/bridge/netfilter/ebt_vlan.c | 3 +--
16 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index ac1730b..ef73592 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -70,4 +70,5 @@ static void __exit ebt_802_3_fini(void)

module_init(ebt_802_3_init);
module_exit(ebt_802_3_fini);
+MODULE_DESCRIPTION("Ebtables: DSAP/SSAP field and SNAP type matching");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 318157e..bf0d1d9 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -231,4 +231,5 @@ static void __exit ebt_among_fini(void)

module_init(ebt_among_init);
module_exit(ebt_among_fini);
+MODULE_DESCRIPTION("Ebtables: Combined MAC/IP address list matching");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index 933433e..8d6ab64 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -136,4 +136,5 @@ static void __exit ebt_arp_fini(void)

module_init(ebt_arp_init);
module_exit(ebt_arp_fini);
+MODULE_DESCRIPTION("Ebtables: ARP protocol packet match");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index 7b6a8c1..9f25423 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -96,4 +96,5 @@ static void __exit ebt_arpreply_fini(void)

module_init(ebt_arpreply_init);
module_exit(ebt_arpreply_fini);
+MODULE_DESCRIPTION("Ebtables: ARP reply target");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 6ad9160..285378d 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -66,4 +66,5 @@ static void __exit ebt_dnat_fini(void)

module_init(ebt_dnat_init);
module_exit(ebt_dnat_fini);
+MODULE_DESCRIPTION("Ebtables: Destination MAC address translation");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index 82934f9..78efe9b 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -127,4 +127,5 @@ static void __exit ebt_ip_fini(void)

module_init(ebt_ip_init);
module_exit(ebt_ip_fini);
+MODULE_DESCRIPTION("Ebtables: IPv4 protocol packet match");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 2eb5cb7..3c44bd6 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -110,4 +110,5 @@ static void __exit ebt_limit_fini(void)

module_init(ebt_limit_init);
module_exit(ebt_limit_fini);
+MODULE_DESCRIPTION("Ebtables: Rate-limit match");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index 40560d6..0b209e4 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -212,4 +212,5 @@ static void __exit ebt_log_fini(void)

module_init(ebt_log_init);
module_exit(ebt_log_fini);
+MODULE_DESCRIPTION("Ebtables: Packet logging to syslog");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 6fe93df..93ea763 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -77,4 +77,5 @@ static void __exit ebt_mark_fini(void)

module_init(ebt_mark_init);
module_exit(ebt_mark_fini);
+MODULE_DESCRIPTION("Ebtables: Packet mark modification");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index 0acab09..914c244 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -59,4 +59,5 @@ static void __exit ebt_mark_m_fini(void)

module_init(ebt_mark_m_init);
module_exit(ebt_mark_m_fini);
+MODULE_DESCRIPTION("Ebtables: Packet mark match");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index a15cf06..19a69ea 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -56,4 +56,5 @@ static void __exit ebt_pkttype_fini(void)

module_init(ebt_pkttype_init);
module_exit(ebt_pkttype_fini);
+MODULE_DESCRIPTION("Ebtables: Link layer packet type match");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index c1f9ca2..f206a27 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -71,4 +71,5 @@ static void __exit ebt_redirect_fini(void)

module_init(ebt_redirect_init);
module_exit(ebt_redirect_fini);
+MODULE_DESCRIPTION("Ebtables: Packet redirection to localhost");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 6bc263c..ed85858 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -88,4 +88,5 @@ static void __exit ebt_snat_fini(void)

module_init(ebt_snat_init);
module_exit(ebt_snat_fini);
+MODULE_DESCRIPTION("Ebtables: Source MAC address translation");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index fe323c4..c264797 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -194,4 +194,5 @@ static void __exit ebt_stp_fini(void)

module_init(ebt_stp_init);
module_exit(ebt_stp_fini);
+MODULE_DESCRIPTION("Ebtables: Spanning Tree Protocol packet match");
MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 2015711..748eecd 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -340,5 +340,4 @@ module_init(ebt_ulog_init);
module_exit(ebt_ulog_fini);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <***@pandora.be>");
-MODULE_DESCRIPTION("ebtables userspace logging module for bridged Ethernet"
- " frames");
+MODULE_DESCRIPTION("Ebtables: Packet logging to netlink using ULOG");
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index 097d067..96897e2 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -31,8 +31,7 @@ static int debug;
module_param(debug, int, 0);
MODULE_PARM_DESC(debug, "debug=1 is turn on debug messages");
MODULE_AUTHOR("Nick Fedchik <***@fedchik.org.ua>");
-MODULE_DESCRIPTION("802.1Q match module (ebtables extension), v"
- MODULE_VERS);
+MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match");
MODULE_LICENSE("GPL");


-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: more sparse fixes

Some lock annotations, and make initializers static.

Signed-off-by: Stephen Hemminger <***@vyatta.com>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit cba4c67b58eee186ca8ff3e4588a01406d96a886
tree ed40d2d70fccb6aa1cb3c520ffc39b5a517b0018
parent a56984be5dde4c3ab631f9c66e15c1fa7a12f17e
author Stephen Hemminger <***@vyatta.com> Tue, 29 Jan 2008 16:22:06 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:19 +0100

net/ipv4/netfilter/nf_nat_proto_gre.c | 4 ++--
net/netfilter/xt_hashlimit.c | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_proto_gre.c b/net/ipv4/netfilter/nf_nat_proto_gre.c
index 9fa272e..c9dbd55 100644
--- a/net/ipv4/netfilter/nf_nat_proto_gre.c
+++ b/net/ipv4/netfilter/nf_nat_proto_gre.c
@@ -148,12 +148,12 @@ static const struct nf_nat_protocol gre = {
#endif
};

-int __init nf_nat_proto_gre_init(void)
+static int __init nf_nat_proto_gre_init(void)
{
return nf_nat_protocol_register(&gre);
}

-void __exit nf_nat_proto_gre_fini(void)
+static void __exit nf_nat_proto_gre_fini(void)
{
nf_nat_protocol_unregister(&gre);
}
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index d479ca9..b224b8f 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -624,6 +624,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {

/* PROC stuff */
static void *dl_seq_start(struct seq_file *s, loff_t *pos)
+ __acquires(htable->lock)
{
struct proc_dir_entry *pde = s->private;
struct xt_hashlimit_htable *htable = pde->data;
@@ -656,6 +657,7 @@ static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos)
}

static void dl_seq_stop(struct seq_file *s, void *v)
+ __releases(htable->lock)
{
struct proc_dir_entry *pde = s->private;
struct xt_hashlimit_htable *htable = pde->data;
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: ip6_tables: netns preparation

* Propagate netns from userspace down to xt_find_table_lock()
* Register ip6 tables in netns (modules still use init_net)

Signed-off-by: Alexey Dobriyan <***@sw.ru>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 9b50679c5240114dfca105cd2f7e9df0d187eded
tree ba5e0ad150b5efffa8cc57c44e45f435682d9ea3
parent 4885531d4b5ac7058b8d2414d6f6404eba84d0e8
author Alexey Dobriyan <***@sw.ru> Tue, 29 Jan 2008 16:21:59 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:16 +0100

include/linux/netfilter_ipv6/ip6_tables.h | 3 +-
net/ipv6/netfilter/ip6_tables.c | 51 +++++++++++++++--------------
net/ipv6/netfilter/ip6table_filter.c | 2 +
net/ipv6/netfilter/ip6table_mangle.c | 2 +
net/ipv6/netfilter/ip6table_raw.c | 2 +
5 files changed, 32 insertions(+), 28 deletions(-)

diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index f716c75..f2507dc 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -305,7 +305,8 @@ ip6t_get_target(struct ip6t_entry *e)
#include <linux/init.h>
extern void ip6t_init(void) __init;

-extern struct xt_table *ip6t_register_table(struct xt_table *table,
+extern struct xt_table *ip6t_register_table(struct net *net,
+ struct xt_table *table,
const struct ip6t_replace *repl);
extern void ip6t_unregister_table(struct xt_table *table);
extern unsigned int ip6t_do_table(struct sk_buff *skb,
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index b89f133..2453dfd 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1118,7 +1118,7 @@ static int compat_table_info(const struct xt_table_info *info,
}
#endif

-static int get_info(void __user *user, int *len, int compat)
+static int get_info(struct net *net, void __user *user, int *len, int compat)
{
char name[IP6T_TABLE_MAXNAMELEN];
struct xt_table *t;
@@ -1138,7 +1138,7 @@ static int get_info(void __user *user, int *len, int compat)
if (compat)
xt_compat_lock(AF_INET6);
#endif
- t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET6, name),
+ t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
"ip6table_%s", name);
if (t && !IS_ERR(t)) {
struct ip6t_getinfo info;
@@ -1178,7 +1178,7 @@ static int get_info(void __user *user, int *len, int compat)
}

static int
-get_entries(struct ip6t_get_entries __user *uptr, int *len)
+get_entries(struct net *net, struct ip6t_get_entries __user *uptr, int *len)
{
int ret;
struct ip6t_get_entries get;
@@ -1196,7 +1196,7 @@ get_entries(struct ip6t_get_entries __user *uptr, int *len)
return -EINVAL;
}

- t = xt_find_table_lock(&init_net, AF_INET6, get.name);
+ t = xt_find_table_lock(net, AF_INET6, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
duprintf("t->private->number = %u\n", private->number);
@@ -1217,7 +1217,7 @@ get_entries(struct ip6t_get_entries __user *uptr, int *len)
}

static int
-__do_replace(const char *name, unsigned int valid_hooks,
+__do_replace(struct net *net, const char *name, unsigned int valid_hooks,
struct xt_table_info *newinfo, unsigned int num_counters,
void __user *counters_ptr)
{
@@ -1235,7 +1235,7 @@ __do_replace(const char *name, unsigned int valid_hooks,
goto out;
}

- t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET6, name),
+ t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
"ip6table_%s", name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
@@ -1288,7 +1288,7 @@ __do_replace(const char *name, unsigned int valid_hooks,
}

static int
-do_replace(void __user *user, unsigned int len)
+do_replace(struct net *net, void __user *user, unsigned int len)
{
int ret;
struct ip6t_replace tmp;
@@ -1322,7 +1322,7 @@ do_replace(void __user *user, unsigned int len)

duprintf("ip_tables: Translated table\n");

- ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo,
+ ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
tmp.num_counters, tmp.counters);
if (ret)
goto free_newinfo_untrans;
@@ -1358,7 +1358,8 @@ add_counter_to_entry(struct ip6t_entry *e,
}

static int
-do_add_counters(void __user *user, unsigned int len, int compat)
+do_add_counters(struct net *net, void __user *user, unsigned int len,
+ int compat)
{
unsigned int i;
struct xt_counters_info tmp;
@@ -1410,7 +1411,7 @@ do_add_counters(void __user *user, unsigned int len, int compat)
goto free;
}

- t = xt_find_table_lock(&init_net, AF_INET6, name);
+ t = xt_find_table_lock(net, AF_INET6, name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
goto free;
@@ -1815,7 +1816,7 @@ out_unlock:
}

static int
-compat_do_replace(void __user *user, unsigned int len)
+compat_do_replace(struct net *net, void __user *user, unsigned int len)
{
int ret;
struct compat_ip6t_replace tmp;
@@ -1852,7 +1853,7 @@ compat_do_replace(void __user *user, unsigned int len)

duprintf("compat_do_replace: Translated table\n");

- ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo,
+ ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
tmp.num_counters, compat_ptr(tmp.counters));
if (ret)
goto free_newinfo_untrans;
@@ -1876,11 +1877,11 @@ compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,

switch (cmd) {
case IP6T_SO_SET_REPLACE:
- ret = compat_do_replace(user, len);
+ ret = compat_do_replace(sk->sk_net, user, len);
break;

case IP6T_SO_SET_ADD_COUNTERS:
- ret = do_add_counters(user, len, 1);
+ ret = do_add_counters(sk->sk_net, user, len, 1);
break;

default:
@@ -1929,7 +1930,8 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
}

static int
-compat_get_entries(struct compat_ip6t_get_entries __user *uptr, int *len)
+compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
+ int *len)
{
int ret;
struct compat_ip6t_get_entries get;
@@ -1950,7 +1952,7 @@ compat_get_entries(struct compat_ip6t_get_entries __user *uptr, int *len)
}

xt_compat_lock(AF_INET6);
- t = xt_find_table_lock(&init_net, AF_INET6, get.name);
+ t = xt_find_table_lock(net, AF_INET6, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
struct xt_table_info info;
@@ -1986,10 +1988,10 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)

switch (cmd) {
case IP6T_SO_GET_INFO:
- ret = get_info(user, len, 1);
+ ret = get_info(sk->sk_net, user, len, 1);
break;
case IP6T_SO_GET_ENTRIES:
- ret = compat_get_entries(user, len);
+ ret = compat_get_entries(sk->sk_net, user, len);
break;
default:
ret = do_ip6t_get_ctl(sk, cmd, user, len);
@@ -2008,11 +2010,11 @@ do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)

switch (cmd) {
case IP6T_SO_SET_REPLACE:
- ret = do_replace(user, len);
+ ret = do_replace(sk->sk_net, user, len);
break;

case IP6T_SO_SET_ADD_COUNTERS:
- ret = do_add_counters(user, len, 0);
+ ret = do_add_counters(sk->sk_net, user, len, 0);
break;

default:
@@ -2033,11 +2035,11 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)

switch (cmd) {
case IP6T_SO_GET_INFO:
- ret = get_info(user, len, 0);
+ ret = get_info(sk->sk_net, user, len, 0);
break;

case IP6T_SO_GET_ENTRIES:
- ret = get_entries(user, len);
+ ret = get_entries(sk->sk_net, user, len);
break;

case IP6T_SO_GET_REVISION_MATCH:
@@ -2074,7 +2076,8 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
return ret;
}

-struct xt_table *ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
+struct xt_table *ip6t_register_table(struct net *net, struct xt_table *table,
+ const struct ip6t_replace *repl)
{
int ret;
struct xt_table_info *newinfo;
@@ -2101,7 +2104,7 @@ struct xt_table *ip6t_register_table(struct xt_table *table, const struct ip6t_r
if (ret != 0)
goto out_free;

- new_table = xt_register_table(&init_net, table, &bootstrap, newinfo);
+ new_table = xt_register_table(net, table, &bootstrap, newinfo);
if (IS_ERR(new_table)) {
ret = PTR_ERR(new_table);
goto out_free;
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index bffd67f..d0bf71d 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -132,7 +132,7 @@ static int __init ip6table_filter_init(void)
initial_table.entries[1].target.verdict = -forward - 1;

/* Register table */
- packet_filter = ip6t_register_table(&__packet_filter, &initial_table.repl);
+ packet_filter = ip6t_register_table(&init_net, &__packet_filter, &initial_table.repl);
if (IS_ERR(packet_filter))
return PTR_ERR(packet_filter);

diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 63d334d..abdfece 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -164,7 +164,7 @@ static int __init ip6table_mangle_init(void)
int ret;

/* Register table */
- packet_mangler = ip6t_register_table(&__packet_mangler, &initial_table.repl);
+ packet_mangler = ip6t_register_table(&init_net, &__packet_mangler, &initial_table.repl);
if (IS_ERR(packet_mangler))
return PTR_ERR(packet_mangler);

diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 7f55b23..12acd63 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -77,7 +77,7 @@ static int __init ip6table_raw_init(void)
int ret;

/* Register table */
- packet_raw = ip6t_register_table(&__packet_raw, &initial_table.repl);
+ packet_raw = ip6t_register_table(&init_net, &__packet_raw, &initial_table.repl);
if (IS_ERR(packet_raw))
return PTR_ERR(packet_raw);

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: x_tables: return new table from {arp,ip,ip6}t_register_table()

Typical table module registers xt_table structure (i.e. packet_filter)
and link it to list during it. We can't use one template for it because
corresponding list_head will become corrupted. We also can't unregister
with template because it wasn't changed at all and thus doesn't know in
which list it is.

So, we duplicate template at the very first step of table registration.
Table modules will save it for use during unregistration time and actual
filtering.

Do it at once to not screw bisection.

P.S.: renaming i.e. packet_filter => __packet_filter is temporary until
full netnsization of table modules is done.

Signed-off-by: Alexey Dobriyan <***@sw.ru>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit f4b4da65588dd50d6be047d9159315ba2909a944
tree 5ececddb8fbebe223455663ea9a3dcdf80ed44e5
parent bba40bde2fa36b10ecdca675e0cea782e562735b
author Alexey Dobriyan <***@sw.ru> Tue, 29 Jan 2008 16:21:57 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:15 +0100

include/linux/netfilter_arp/arp_tables.h | 4 ++--
include/linux/netfilter_ipv4/ip_tables.h | 5 +++--
include/linux/netfilter_ipv6/ip6_tables.h | 4 ++--
net/ipv4/netfilter/arp_tables.c | 22 ++++++++++++----------
net/ipv4/netfilter/arptable_filter.c | 15 ++++++++-------
net/ipv4/netfilter/ip_tables.c | 28 +++++++++++++++++-----------
net/ipv4/netfilter/iptable_filter.c | 18 ++++++++++--------
net/ipv4/netfilter/iptable_mangle.c | 18 ++++++++++--------
net/ipv4/netfilter/iptable_raw.c | 18 ++++++++++--------
net/ipv4/netfilter/nf_nat_rule.c | 16 +++++++++-------
net/ipv6/netfilter/ip6_tables.c | 24 ++++++++++++++----------
net/ipv6/netfilter/ip6table_filter.c | 17 +++++++++--------
net/ipv6/netfilter/ip6table_mangle.c | 17 +++++++++--------
net/ipv6/netfilter/ip6table_raw.c | 15 ++++++++-------
net/netfilter/x_tables.c | 12 +++++++++++-
15 files changed, 134 insertions(+), 99 deletions(-)

diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 53dd4df..f35486b 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -271,8 +271,8 @@ struct arpt_error
xt_register_target(tgt); })
#define arpt_unregister_target(tgt) xt_unregister_target(tgt)

-extern int arpt_register_table(struct arpt_table *table,
- const struct arpt_replace *repl);
+extern struct arpt_table *arpt_register_table(struct arpt_table *table,
+ const struct arpt_replace *repl);
extern void arpt_unregister_table(struct arpt_table *table);
extern unsigned int arpt_do_table(struct sk_buff *skb,
unsigned int hook,
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 45fcad9..bfc889f 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -244,8 +244,9 @@ ipt_get_target(struct ipt_entry *e)
#include <linux/init.h>
extern void ipt_init(void) __init;

-extern int ipt_register_table(struct xt_table *table,
- const struct ipt_replace *repl);
+extern struct xt_table *ipt_register_table(struct net *net,
+ struct xt_table *table,
+ const struct ipt_replace *repl);
extern void ipt_unregister_table(struct xt_table *table);

/* Standard entry. */
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 110801d..f716c75 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -305,8 +305,8 @@ ip6t_get_target(struct ip6t_entry *e)
#include <linux/init.h>
extern void ip6t_init(void) __init;

-extern int ip6t_register_table(struct xt_table *table,
- const struct ip6t_replace *repl);
+extern struct xt_table *ip6t_register_table(struct xt_table *table,
+ const struct ip6t_replace *repl);
extern void ip6t_unregister_table(struct xt_table *table);
extern unsigned int ip6t_do_table(struct sk_buff *skb,
unsigned int hook,
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 0da50a4..3a5afb8 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1719,8 +1719,8 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
return ret;
}

-int arpt_register_table(struct arpt_table *table,
- const struct arpt_replace *repl)
+struct arpt_table *arpt_register_table(struct arpt_table *table,
+ const struct arpt_replace *repl)
{
int ret;
struct xt_table_info *newinfo;
@@ -1732,7 +1732,7 @@ int arpt_register_table(struct arpt_table *table,
newinfo = xt_alloc_table_info(repl->size);
if (!newinfo) {
ret = -ENOMEM;
- return ret;
+ goto out;
}

/* choose the copy on our node/cpu */
@@ -1746,18 +1746,20 @@ int arpt_register_table(struct arpt_table *table,
repl->underflow);

duprintf("arpt_register_table: translate table gives %d\n", ret);
- if (ret != 0) {
- xt_free_table_info(newinfo);
- return ret;
- }
+ if (ret != 0)
+ goto out_free;

new_table = xt_register_table(&init_net, table, &bootstrap, newinfo);
if (IS_ERR(new_table)) {
- xt_free_table_info(newinfo);
- return PTR_ERR(new_table);
+ ret = PTR_ERR(new_table);
+ goto out_free;
}
+ return new_table;

- return 0;
+out_free:
+ xt_free_table_info(newinfo);
+out:
+ return ERR_PTR(ret);
}

void arpt_unregister_table(struct arpt_table *table)
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 7201511..b003215 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -45,7 +45,7 @@ static struct
.term = ARPT_ERROR_INIT,
};

-static struct arpt_table packet_filter = {
+static struct arpt_table __packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
@@ -53,6 +53,7 @@ static struct arpt_table packet_filter = {
.me = THIS_MODULE,
.af = NF_ARP,
};
+static struct arpt_table *packet_filter;

/* The work comes in here from netfilter.c */
static unsigned int arpt_hook(unsigned int hook,
@@ -61,7 +62,7 @@ static unsigned int arpt_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return arpt_do_table(skb, hook, in, out, &packet_filter);
+ return arpt_do_table(skb, hook, in, out, packet_filter);
}

static struct nf_hook_ops arpt_ops[] __read_mostly = {
@@ -90,9 +91,9 @@ static int __init arptable_filter_init(void)
int ret;

/* Register table */
- ret = arpt_register_table(&packet_filter, &initial_table.repl);
- if (ret < 0)
- return ret;
+ packet_filter = arpt_register_table(&__packet_filter, &initial_table.repl);
+ if (IS_ERR(packet_filter))
+ return PTR_ERR(packet_filter);

ret = nf_register_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
if (ret < 0)
@@ -100,14 +101,14 @@ static int __init arptable_filter_init(void)
return ret;

cleanup_table:
- arpt_unregister_table(&packet_filter);
+ arpt_unregister_table(packet_filter);
return ret;
}

static void __exit arptable_filter_fini(void)
{
nf_unregister_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
- arpt_unregister_table(&packet_filter);
+ arpt_unregister_table(packet_filter);
}

module_init(arptable_filter_init);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index bc22ea4..99dd62d 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2048,7 +2048,8 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
return ret;
}

-int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
+struct xt_table *ipt_register_table(struct net *net, struct xt_table *table,
+ const struct ipt_replace *repl)
{
int ret;
struct xt_table_info *newinfo;
@@ -2058,8 +2059,10 @@ int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
struct xt_table *new_table;

newinfo = xt_alloc_table_info(repl->size);
- if (!newinfo)
- return -ENOMEM;
+ if (!newinfo) {
+ ret = -ENOMEM;
+ goto out;
+ }

/* choose the copy on our node/cpu, but dont care about preemption */
loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
@@ -2070,18 +2073,21 @@ int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
repl->num_entries,
repl->hook_entry,
repl->underflow);
- if (ret != 0) {
- xt_free_table_info(newinfo);
- return ret;
- }
+ if (ret != 0)
+ goto out_free;

- new_table = xt_register_table(&init_net, table, &bootstrap, newinfo);
+ new_table = xt_register_table(net, table, &bootstrap, newinfo);
if (IS_ERR(new_table)) {
- xt_free_table_info(newinfo);
- return PTR_ERR(new_table);
+ ret = PTR_ERR(new_table);
+ goto out_free;
}

- return 0;
+ return new_table;
+
+out_free:
+ xt_free_table_info(newinfo);
+out:
+ return ERR_PTR(ret);
}

void ipt_unregister_table(struct xt_table *table)
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 29bb4f9..3b43ca0 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -53,13 +53,14 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};

-static struct xt_table packet_filter = {
+static struct xt_table __packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET,
};
+static struct xt_table *packet_filter;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -69,7 +70,7 @@ ipt_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out, &packet_filter);
+ return ipt_do_table(skb, hook, in, out, packet_filter);
}

static unsigned int
@@ -88,7 +89,7 @@ ipt_local_out_hook(unsigned int hook,
return NF_ACCEPT;
}

- return ipt_do_table(skb, hook, in, out, &packet_filter);
+ return ipt_do_table(skb, hook, in, out, packet_filter);
}

static struct nf_hook_ops ipt_ops[] __read_mostly = {
@@ -132,9 +133,10 @@ static int __init iptable_filter_init(void)
initial_table.entries[1].target.verdict = -forward - 1;

/* Register table */
- ret = ipt_register_table(&packet_filter, &initial_table.repl);
- if (ret < 0)
- return ret;
+ packet_filter = ipt_register_table(&init_net, &__packet_filter,
+ &initial_table.repl);
+ if (IS_ERR(packet_filter))
+ return PTR_ERR(packet_filter);

/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
@@ -144,14 +146,14 @@ static int __init iptable_filter_init(void)
return ret;

cleanup_table:
- ipt_unregister_table(&packet_filter);
+ ipt_unregister_table(packet_filter);
return ret;
}

static void __exit iptable_filter_fini(void)
{
nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- ipt_unregister_table(&packet_filter);
+ ipt_unregister_table(packet_filter);
}

module_init(iptable_filter_init);
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 5c4be20..292f2ed 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -64,13 +64,14 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};

-static struct xt_table packet_mangler = {
+static struct xt_table __packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET,
};
+static struct xt_table *packet_mangler;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -80,7 +81,7 @@ ipt_route_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out, &packet_mangler);
+ return ipt_do_table(skb, hook, in, out, packet_mangler);
}

static unsigned int
@@ -112,7 +113,7 @@ ipt_local_hook(unsigned int hook,
daddr = iph->daddr;
tos = iph->tos;

- ret = ipt_do_table(skb, hook, in, out, &packet_mangler);
+ ret = ipt_do_table(skb, hook, in, out, packet_mangler);
/* Reroute for ANY change. */
if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE) {
iph = ip_hdr(skb);
@@ -171,9 +172,10 @@ static int __init iptable_mangle_init(void)
int ret;

/* Register table */
- ret = ipt_register_table(&packet_mangler, &initial_table.repl);
- if (ret < 0)
- return ret;
+ packet_mangler = ipt_register_table(&init_net, &__packet_mangler,
+ &initial_table.repl);
+ if (IS_ERR(packet_mangler))
+ return PTR_ERR(packet_mangler);

/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
@@ -183,14 +185,14 @@ static int __init iptable_mangle_init(void)
return ret;

cleanup_table:
- ipt_unregister_table(&packet_mangler);
+ ipt_unregister_table(packet_mangler);
return ret;
}

static void __exit iptable_mangle_fini(void)
{
nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- ipt_unregister_table(&packet_mangler);
+ ipt_unregister_table(packet_mangler);
}

module_init(iptable_mangle_init);
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index dc34aa2..dab863d 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -36,13 +36,14 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};

-static struct xt_table packet_raw = {
+static struct xt_table __packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET,
};
+static struct xt_table *packet_raw;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -52,7 +53,7 @@ ipt_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out, &packet_raw);
+ return ipt_do_table(skb, hook, in, out, packet_raw);
}

static unsigned int
@@ -70,7 +71,7 @@ ipt_local_hook(unsigned int hook,
"packet.\n");
return NF_ACCEPT;
}
- return ipt_do_table(skb, hook, in, out, &packet_raw);
+ return ipt_do_table(skb, hook, in, out, packet_raw);
}

/* 'raw' is the very first table. */
@@ -96,9 +97,10 @@ static int __init iptable_raw_init(void)
int ret;

/* Register table */
- ret = ipt_register_table(&packet_raw, &initial_table.repl);
- if (ret < 0)
- return ret;
+ packet_raw = ipt_register_table(&init_net, &__packet_raw,
+ &initial_table.repl);
+ if (IS_ERR(packet_raw))
+ return PTR_ERR(packet_raw);

/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
@@ -108,14 +110,14 @@ static int __init iptable_raw_init(void)
return ret;

cleanup_table:
- ipt_unregister_table(&packet_raw);
+ ipt_unregister_table(packet_raw);
return ret;
}

static void __exit iptable_raw_fini(void)
{
nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- ipt_unregister_table(&packet_raw);
+ ipt_unregister_table(packet_raw);
}

module_init(iptable_raw_init);
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 5191822..f8fda57 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -58,13 +58,14 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};

-static struct xt_table nat_table = {
+static struct xt_table __nat_table = {
.name = "nat",
.valid_hooks = NAT_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET,
};
+static struct xt_table *nat_table;

/* Source NAT */
static unsigned int ipt_snat_target(struct sk_buff *skb,
@@ -214,7 +215,7 @@ int nf_nat_rule_find(struct sk_buff *skb,
{
int ret;

- ret = ipt_do_table(skb, hooknum, in, out, &nat_table);
+ ret = ipt_do_table(skb, hooknum, in, out, nat_table);

if (ret == NF_ACCEPT) {
if (!nf_nat_initialized(ct, HOOK2MANIP(hooknum)))
@@ -248,9 +249,10 @@ int __init nf_nat_rule_init(void)
{
int ret;

- ret = ipt_register_table(&nat_table, &nat_initial_table.repl);
- if (ret != 0)
- return ret;
+ nat_table = ipt_register_table(&init_net, &__nat_table,
+ &nat_initial_table.repl);
+ if (IS_ERR(nat_table))
+ return PTR_ERR(nat_table);
ret = xt_register_target(&ipt_snat_reg);
if (ret != 0)
goto unregister_table;
@@ -264,7 +266,7 @@ int __init nf_nat_rule_init(void)
unregister_snat:
xt_unregister_target(&ipt_snat_reg);
unregister_table:
- ipt_unregister_table(&nat_table);
+ ipt_unregister_table(nat_table);

return ret;
}
@@ -273,5 +275,5 @@ void nf_nat_rule_cleanup(void)
{
xt_unregister_target(&ipt_dnat_reg);
xt_unregister_target(&ipt_snat_reg);
- ipt_unregister_table(&nat_table);
+ ipt_unregister_table(nat_table);
}
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1aac3ef..b89f133 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2074,7 +2074,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
return ret;
}

-int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
+struct xt_table *ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
{
int ret;
struct xt_table_info *newinfo;
@@ -2084,8 +2084,10 @@ int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
struct xt_table *new_table;

newinfo = xt_alloc_table_info(repl->size);
- if (!newinfo)
- return -ENOMEM;
+ if (!newinfo) {
+ ret = -ENOMEM;
+ goto out;
+ }

/* choose the copy on our node/cpu, but dont care about preemption */
loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
@@ -2096,18 +2098,20 @@ int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
repl->num_entries,
repl->hook_entry,
repl->underflow);
- if (ret != 0) {
- xt_free_table_info(newinfo);
- return ret;
- }
+ if (ret != 0)
+ goto out_free;

new_table = xt_register_table(&init_net, table, &bootstrap, newinfo);
if (IS_ERR(new_table)) {
- xt_free_table_info(newinfo);
- return PTR_ERR(new_table);
+ ret = PTR_ERR(new_table);
+ goto out_free;
}
+ return new_table;

- return 0;
+out_free:
+ xt_free_table_info(newinfo);
+out:
+ return ERR_PTR(ret);
}

void ip6t_unregister_table(struct xt_table *table)
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 87d38d0..bffd67f 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -51,13 +51,14 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};

-static struct xt_table packet_filter = {
+static struct xt_table __packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET6,
};
+static struct xt_table *packet_filter;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -67,7 +68,7 @@ ip6t_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out, &packet_filter);
+ return ip6t_do_table(skb, hook, in, out, packet_filter);
}

static unsigned int
@@ -87,7 +88,7 @@ ip6t_local_out_hook(unsigned int hook,
}
#endif

- return ip6t_do_table(skb, hook, in, out, &packet_filter);
+ return ip6t_do_table(skb, hook, in, out, packet_filter);
}

static struct nf_hook_ops ip6t_ops[] __read_mostly = {
@@ -131,9 +132,9 @@ static int __init ip6table_filter_init(void)
initial_table.entries[1].target.verdict = -forward - 1;

/* Register table */
- ret = ip6t_register_table(&packet_filter, &initial_table.repl);
- if (ret < 0)
- return ret;
+ packet_filter = ip6t_register_table(&__packet_filter, &initial_table.repl);
+ if (IS_ERR(packet_filter))
+ return PTR_ERR(packet_filter);

/* Register hooks */
ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
@@ -143,14 +144,14 @@ static int __init ip6table_filter_init(void)
return ret;

cleanup_table:
- ip6t_unregister_table(&packet_filter);
+ ip6t_unregister_table(packet_filter);
return ret;
}

static void __exit ip6table_filter_fini(void)
{
nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- ip6t_unregister_table(&packet_filter);
+ ip6t_unregister_table(packet_filter);
}

module_init(ip6table_filter_init);
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index d608260..63d334d 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -57,13 +57,14 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};

-static struct xt_table packet_mangler = {
+static struct xt_table __packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET6,
};
+static struct xt_table *packet_mangler;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -73,7 +74,7 @@ ip6t_route_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out, &packet_mangler);
+ return ip6t_do_table(skb, hook, in, out, packet_mangler);
}

static unsigned int
@@ -108,7 +109,7 @@ ip6t_local_hook(unsigned int hook,
/* flowlabel and prio (includes version, which shouldn't change either */
flowlabel = *((u_int32_t *)ipv6_hdr(skb));

- ret = ip6t_do_table(skb, hook, in, out, &packet_mangler);
+ ret = ip6t_do_table(skb, hook, in, out, packet_mangler);

if (ret != NF_DROP && ret != NF_STOLEN
&& (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))
@@ -163,9 +164,9 @@ static int __init ip6table_mangle_init(void)
int ret;

/* Register table */
- ret = ip6t_register_table(&packet_mangler, &initial_table.repl);
- if (ret < 0)
- return ret;
+ packet_mangler = ip6t_register_table(&__packet_mangler, &initial_table.repl);
+ if (IS_ERR(packet_mangler))
+ return PTR_ERR(packet_mangler);

/* Register hooks */
ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
@@ -175,14 +176,14 @@ static int __init ip6table_mangle_init(void)
return ret;

cleanup_table:
- ip6t_unregister_table(&packet_mangler);
+ ip6t_unregister_table(packet_mangler);
return ret;
}

static void __exit ip6table_mangle_fini(void)
{
nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- ip6t_unregister_table(&packet_mangler);
+ ip6t_unregister_table(packet_mangler);
}

module_init(ip6table_mangle_init);
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index eccbaaa..7f55b23 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -35,13 +35,14 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};

-static struct xt_table packet_raw = {
+static struct xt_table __packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET6,
};
+static struct xt_table *packet_raw;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -51,7 +52,7 @@ ip6t_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ip6t_do_table(skb, hook, in, out, &packet_raw);
+ return ip6t_do_table(skb, hook, in, out, packet_raw);
}

static struct nf_hook_ops ip6t_ops[] __read_mostly = {
@@ -76,9 +77,9 @@ static int __init ip6table_raw_init(void)
int ret;

/* Register table */
- ret = ip6t_register_table(&packet_raw, &initial_table.repl);
- if (ret < 0)
- return ret;
+ packet_raw = ip6t_register_table(&__packet_raw, &initial_table.repl);
+ if (IS_ERR(packet_raw))
+ return PTR_ERR(packet_raw);

/* Register hooks */
ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
@@ -88,14 +89,14 @@ static int __init ip6table_raw_init(void)
return ret;

cleanup_table:
- ip6t_unregister_table(&packet_raw);
+ ip6t_unregister_table(packet_raw);
return ret;
}

static void __exit ip6table_raw_fini(void)
{
nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
- ip6t_unregister_table(&packet_raw);
+ ip6t_unregister_table(packet_raw);
}

module_init(ip6table_raw_init);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index d62f722..d7fbb1b 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -667,9 +667,16 @@ struct xt_table *xt_register_table(struct net *net, struct xt_table *table,
struct xt_table_info *private;
struct xt_table *t;

+ /* Don't add one object to multiple lists. */
+ table = kmemdup(table, sizeof(struct xt_table), GFP_KERNEL);
+ if (!table) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
ret = mutex_lock_interruptible(&xt[table->af].mutex);
if (ret != 0)
- goto out;
+ goto out_free;

/* Don't autoload: we'd eat our tail... */
list_for_each_entry(t, &net->xt.tables[table->af], list) {
@@ -697,6 +704,8 @@ struct xt_table *xt_register_table(struct net *net, struct xt_table *table,

unlock:
mutex_unlock(&xt[table->af].mutex);
+out_free:
+ kfree(table);
out:
return ERR_PTR(ret);
}
@@ -710,6 +719,7 @@ void *xt_unregister_table(struct xt_table *table)
private = table->private;
list_del(&table->list);
mutex_unlock(&xt[table->af].mutex);
+ kfree(table);

return private;
}
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: x_tables: per-netns xt_tables

In fact all we want is per-netns set of rules, however doing that will
unnecessary complicate routines such as ipt_hook()/ipt_do_table, so
make full xt_table array per-netns.

Every user stubbed with init_net for a while.

Signed-off-by: Alexey Dobriyan <***@sw.ru>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit bba40bde2fa36b10ecdca675e0cea782e562735b
tree a8c25f8bab188f8c0a02cb3bd52fc02a19247f8f
parent cb3634bafebc5decaaaa94c6b31885cfcc573712
author Alexey Dobriyan <***@sw.ru> Tue, 29 Jan 2008 16:21:57 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:14 +0100

include/linux/netfilter/x_tables.h | 6 ++++--
include/net/net_namespace.h | 4 ++++
include/net/netns/x_tables.h | 10 ++++++++++
net/ipv4/netfilter/arp_tables.c | 12 ++++++------
net/ipv4/netfilter/ip_tables.c | 12 ++++++------
net/ipv6/netfilter/ip6_tables.c | 12 ++++++------
net/netfilter/x_tables.c | 34 ++++++++++++++++++++++++----------
7 files changed, 60 insertions(+), 30 deletions(-)

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 937cebb..91a1dd5 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -335,7 +335,8 @@ extern int xt_check_target(const struct xt_target *target, unsigned short family
unsigned int size, const char *table, unsigned int hook,
unsigned short proto, int inv_proto);

-extern struct xt_table *xt_register_table(struct xt_table *table,
+extern struct xt_table *xt_register_table(struct net *net,
+ struct xt_table *table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
extern void *xt_unregister_table(struct xt_table *table);
@@ -352,7 +353,8 @@ extern struct xt_target *xt_request_find_target(int af, const char *name,
extern int xt_find_revision(int af, const char *name, u8 revision, int target,
int *err);

-extern struct xt_table *xt_find_table_lock(int af, const char *name);
+extern struct xt_table *xt_find_table_lock(struct net *net, int af,
+ const char *name);
extern void xt_table_unlock(struct xt_table *t);

extern int xt_proto_init(int af);
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index b8c1d60..28738b7 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -12,6 +12,7 @@
#include <net/netns/packet.h>
#include <net/netns/ipv4.h>
#include <net/netns/ipv6.h>
+#include <net/netns/x_tables.h>

struct proc_dir_entry;
struct net_device;
@@ -56,6 +57,9 @@ struct net {
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
struct netns_ipv6 ipv6;
#endif
+#ifdef CONFIG_NETFILTER
+ struct netns_xt xt;
+#endif
};

#ifdef CONFIG_NET
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
new file mode 100644
index 0000000..0cb63ed
--- /dev/null
+++ b/include/net/netns/x_tables.h
@@ -0,0 +1,10 @@
+#ifndef __NETNS_X_TABLES_H
+#define __NETNS_X_TABLES_H
+
+#include <linux/list.h>
+#include <linux/net.h>
+
+struct netns_xt {
+ struct list_head tables[NPROTO];
+};
+#endif
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 060de95..0da50a4 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -870,7 +870,7 @@ static int get_info(void __user *user, int *len, int compat)
if (compat)
xt_compat_lock(NF_ARP);
#endif
- t = try_then_request_module(xt_find_table_lock(NF_ARP, name),
+ t = try_then_request_module(xt_find_table_lock(&init_net, NF_ARP, name),
"arptable_%s", name);
if (t && !IS_ERR(t)) {
struct arpt_getinfo info;
@@ -926,7 +926,7 @@ static int get_entries(struct arpt_get_entries __user *uptr, int *len)
return -EINVAL;
}

- t = xt_find_table_lock(NF_ARP, get.name);
+ t = xt_find_table_lock(&init_net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
duprintf("t->private->number = %u\n",
@@ -966,7 +966,7 @@ static int __do_replace(const char *name, unsigned int valid_hooks,
goto out;
}

- t = try_then_request_module(xt_find_table_lock(NF_ARP, name),
+ t = try_then_request_module(xt_find_table_lock(&init_net, NF_ARP, name),
"arptable_%s", name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
@@ -1132,7 +1132,7 @@ static int do_add_counters(void __user *user, unsigned int len, int compat)
goto free;
}

- t = xt_find_table_lock(NF_ARP, name);
+ t = xt_find_table_lock(&init_net, NF_ARP, name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
goto free;
@@ -1604,7 +1604,7 @@ static int compat_get_entries(struct compat_arpt_get_entries __user *uptr,
}

xt_compat_lock(NF_ARP);
- t = xt_find_table_lock(NF_ARP, get.name);
+ t = xt_find_table_lock(&init_net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
struct xt_table_info info;
@@ -1751,7 +1751,7 @@ int arpt_register_table(struct arpt_table *table,
return ret;
}

- new_table = xt_register_table(table, &bootstrap, newinfo);
+ new_table = xt_register_table(&init_net, table, &bootstrap, newinfo);
if (IS_ERR(new_table)) {
xt_free_table_info(newinfo);
return PTR_ERR(new_table);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 1b7c09e..bc22ea4 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1112,7 +1112,7 @@ static int get_info(void __user *user, int *len, int compat)
if (compat)
xt_compat_lock(AF_INET);
#endif
- t = try_then_request_module(xt_find_table_lock(AF_INET, name),
+ t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET, name),
"iptable_%s", name);
if (t && !IS_ERR(t)) {
struct ipt_getinfo info;
@@ -1170,7 +1170,7 @@ get_entries(struct ipt_get_entries __user *uptr, int *len)
return -EINVAL;
}

- t = xt_find_table_lock(AF_INET, get.name);
+ t = xt_find_table_lock(&init_net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
duprintf("t->private->number = %u\n", private->number);
@@ -1208,7 +1208,7 @@ __do_replace(const char *name, unsigned int valid_hooks,
goto out;
}

- t = try_then_request_module(xt_find_table_lock(AF_INET, name),
+ t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET, name),
"iptable_%s", name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
@@ -1383,7 +1383,7 @@ do_add_counters(void __user *user, unsigned int len, int compat)
goto free;
}

- t = xt_find_table_lock(AF_INET, name);
+ t = xt_find_table_lock(&init_net, AF_INET, name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
goto free;
@@ -1924,7 +1924,7 @@ compat_get_entries(struct compat_ipt_get_entries __user *uptr, int *len)
}

xt_compat_lock(AF_INET);
- t = xt_find_table_lock(AF_INET, get.name);
+ t = xt_find_table_lock(&init_net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
struct xt_table_info info;
@@ -2075,7 +2075,7 @@ int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
return ret;
}

- new_table = xt_register_table(table, &bootstrap, newinfo);
+ new_table = xt_register_table(&init_net, table, &bootstrap, newinfo);
if (IS_ERR(new_table)) {
xt_free_table_info(newinfo);
return PTR_ERR(new_table);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index f7a6239..1aac3ef 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1138,7 +1138,7 @@ static int get_info(void __user *user, int *len, int compat)
if (compat)
xt_compat_lock(AF_INET6);
#endif
- t = try_then_request_module(xt_find_table_lock(AF_INET6, name),
+ t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET6, name),
"ip6table_%s", name);
if (t && !IS_ERR(t)) {
struct ip6t_getinfo info;
@@ -1196,7 +1196,7 @@ get_entries(struct ip6t_get_entries __user *uptr, int *len)
return -EINVAL;
}

- t = xt_find_table_lock(AF_INET6, get.name);
+ t = xt_find_table_lock(&init_net, AF_INET6, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
duprintf("t->private->number = %u\n", private->number);
@@ -1235,7 +1235,7 @@ __do_replace(const char *name, unsigned int valid_hooks,
goto out;
}

- t = try_then_request_module(xt_find_table_lock(AF_INET6, name),
+ t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET6, name),
"ip6table_%s", name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
@@ -1410,7 +1410,7 @@ do_add_counters(void __user *user, unsigned int len, int compat)
goto free;
}

- t = xt_find_table_lock(AF_INET6, name);
+ t = xt_find_table_lock(&init_net, AF_INET6, name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
goto free;
@@ -1950,7 +1950,7 @@ compat_get_entries(struct compat_ip6t_get_entries __user *uptr, int *len)
}

xt_compat_lock(AF_INET6);
- t = xt_find_table_lock(AF_INET6, get.name);
+ t = xt_find_table_lock(&init_net, AF_INET6, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
struct xt_table_info info;
@@ -2101,7 +2101,7 @@ int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
return ret;
}

- new_table = xt_register_table(table, &bootstrap, newinfo);
+ new_table = xt_register_table(&init_net, table, &bootstrap, newinfo);
if (IS_ERR(new_table)) {
xt_free_table_info(newinfo);
return PTR_ERR(new_table);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index d8d8637..d62f722 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -44,7 +44,6 @@ struct xt_af {
struct mutex mutex;
struct list_head match;
struct list_head target;
- struct list_head tables;
#ifdef CONFIG_COMPAT
struct mutex compat_mutex;
struct compat_delta *compat_offsets;
@@ -597,14 +596,14 @@ void xt_free_table_info(struct xt_table_info *info)
EXPORT_SYMBOL(xt_free_table_info);

/* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */
-struct xt_table *xt_find_table_lock(int af, const char *name)
+struct xt_table *xt_find_table_lock(struct net *net, int af, const char *name)
{
struct xt_table *t;

if (mutex_lock_interruptible(&xt[af].mutex) != 0)
return ERR_PTR(-EINTR);

- list_for_each_entry(t, &xt[af].tables, list)
+ list_for_each_entry(t, &net->xt.tables[af], list)
if (strcmp(t->name, name) == 0 && try_module_get(t->me))
return t;
mutex_unlock(&xt[af].mutex);
@@ -660,7 +659,7 @@ xt_replace_table(struct xt_table *table,
}
EXPORT_SYMBOL_GPL(xt_replace_table);

-struct xt_table *xt_register_table(struct xt_table *table,
+struct xt_table *xt_register_table(struct net *net, struct xt_table *table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo)
{
@@ -673,7 +672,7 @@ struct xt_table *xt_register_table(struct xt_table *table,
goto out;

/* Don't autoload: we'd eat our tail... */
- list_for_each_entry(t, &xt[table->af].tables, list) {
+ list_for_each_entry(t, &net->xt.tables[table->af], list) {
if (strcmp(t->name, table->name) == 0) {
ret = -EEXIST;
goto unlock;
@@ -692,7 +691,7 @@ struct xt_table *xt_register_table(struct xt_table *table,
/* save number of initial entries */
private->initial_entries = private->number;

- list_add(&table->list, &xt[table->af].tables);
+ list_add(&table->list, &net->xt.tables[table->af]);
mutex_unlock(&xt[table->af].mutex);
return table;

@@ -744,7 +743,7 @@ static struct list_head *type2list(u_int16_t af, u_int16_t type)
list = &xt[af].match;
break;
case TABLE:
- list = &xt[af].tables;
+ list = &init_net.xt.tables[af];
break;
default:
list = NULL;
@@ -919,10 +918,22 @@ void xt_proto_fini(int af)
}
EXPORT_SYMBOL_GPL(xt_proto_fini);

+static int __net_init xt_net_init(struct net *net)
+{
+ int i;
+
+ for (i = 0; i < NPROTO; i++)
+ INIT_LIST_HEAD(&net->xt.tables[i]);
+ return 0;
+}
+
+static struct pernet_operations xt_net_ops = {
+ .init = xt_net_init,
+};

static int __init xt_init(void)
{
- int i;
+ int i, rv;

xt = kmalloc(sizeof(struct xt_af) * NPROTO, GFP_KERNEL);
if (!xt)
@@ -936,13 +947,16 @@ static int __init xt_init(void)
#endif
INIT_LIST_HEAD(&xt[i].target);
INIT_LIST_HEAD(&xt[i].match);
- INIT_LIST_HEAD(&xt[i].tables);
}
- return 0;
+ rv = register_pernet_subsys(&xt_net_ops);
+ if (rv < 0)
+ kfree(xt);
+ return rv;
}

static void __exit xt_fini(void)
{
+ unregister_pernet_subsys(&xt_net_ops);
kfree(xt);
}

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_conntrack_h3223: sparse fixes

Sparse complains when a function is not really static. Putting static
on the function prototype is not enough.

Signed-off-by: Stephen Hemminger <***@vyatta.com>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit a0b8676ce8423a544c283c59ac3d0c97e2e64b21
tree db319ec2ba9e665323bb671638ebfcbc36dcc8d8
parent cba4c67b58eee186ca8ff3e4588a01406d96a886
author Stephen Hemminger <***@vyatta.com> Tue, 29 Jan 2008 16:22:07 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:19 +0100

net/netfilter/nf_conntrack_h323_asn1.c | 36 ++++++++++++++++----------------
1 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index ff66fba..f73e130 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -126,7 +126,7 @@ static int decode_choice(bitstr_t * bs, field_t * f, char *base, int level);

/* Decoder Functions Vector */
typedef int (*decoder_t) (bitstr_t *, field_t *, char *, int);
-static decoder_t Decoders[] = {
+static const decoder_t Decoders[] = {
decode_nul,
decode_bool,
decode_oid,
@@ -150,7 +150,7 @@ static decoder_t Decoders[] = {
* Functions
****************************************************************************/
/* Assume bs is aligned && v < 16384 */
-unsigned get_len(bitstr_t * bs)
+static unsigned get_len(bitstr_t * bs)
{
unsigned v;

@@ -166,7 +166,7 @@ unsigned get_len(bitstr_t * bs)
}

/****************************************************************************/
-unsigned get_bit(bitstr_t * bs)
+static unsigned get_bit(bitstr_t * bs)
{
unsigned b = (*bs->cur) & (0x80 >> bs->bit);

@@ -177,7 +177,7 @@ unsigned get_bit(bitstr_t * bs)

/****************************************************************************/
/* Assume b <= 8 */
-unsigned get_bits(bitstr_t * bs, unsigned b)
+static unsigned get_bits(bitstr_t * bs, unsigned b)
{
unsigned v, l;

@@ -203,7 +203,7 @@ unsigned get_bits(bitstr_t * bs, unsigned b)

/****************************************************************************/
/* Assume b <= 32 */
-unsigned get_bitmap(bitstr_t * bs, unsigned b)
+static unsigned get_bitmap(bitstr_t * bs, unsigned b)
{
unsigned v, l, shift, bytes;

@@ -242,7 +242,7 @@ unsigned get_bitmap(bitstr_t * bs, unsigned b)
/****************************************************************************
* Assume bs is aligned and sizeof(unsigned int) == 4
****************************************************************************/
-unsigned get_uint(bitstr_t * bs, int b)
+static unsigned get_uint(bitstr_t * bs, int b)
{
unsigned v = 0;

@@ -264,7 +264,7 @@ unsigned get_uint(bitstr_t * bs, int b)
}

/****************************************************************************/
-int decode_nul(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_nul(bitstr_t * bs, field_t * f, char *base, int level)
{
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);

@@ -272,7 +272,7 @@ int decode_nul(bitstr_t * bs, field_t * f, char *base, int level)
}

/****************************************************************************/
-int decode_bool(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_bool(bitstr_t * bs, field_t * f, char *base, int level)
{
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);

@@ -283,7 +283,7 @@ int decode_bool(bitstr_t * bs, field_t * f, char *base, int level)
}

/****************************************************************************/
-int decode_oid(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_oid(bitstr_t * bs, field_t * f, char *base, int level)
{
int len;

@@ -299,7 +299,7 @@ int decode_oid(bitstr_t * bs, field_t * f, char *base, int level)
}

/****************************************************************************/
-int decode_int(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_int(bitstr_t * bs, field_t * f, char *base, int level)
{
unsigned len;

@@ -342,7 +342,7 @@ int decode_int(bitstr_t * bs, field_t * f, char *base, int level)
}

/****************************************************************************/
-int decode_enum(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_enum(bitstr_t * bs, field_t * f, char *base, int level)
{
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);

@@ -357,7 +357,7 @@ int decode_enum(bitstr_t * bs, field_t * f, char *base, int level)
}

/****************************************************************************/
-int decode_bitstr(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_bitstr(bitstr_t * bs, field_t * f, char *base, int level)
{
unsigned len;

@@ -390,7 +390,7 @@ int decode_bitstr(bitstr_t * bs, field_t * f, char *base, int level)
}

/****************************************************************************/
-int decode_numstr(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_numstr(bitstr_t * bs, field_t * f, char *base, int level)
{
unsigned len;

@@ -407,7 +407,7 @@ int decode_numstr(bitstr_t * bs, field_t * f, char *base, int level)
}

/****************************************************************************/
-int decode_octstr(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_octstr(bitstr_t * bs, field_t * f, char *base, int level)
{
unsigned len;

@@ -455,7 +455,7 @@ int decode_octstr(bitstr_t * bs, field_t * f, char *base, int level)
}

/****************************************************************************/
-int decode_bmpstr(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_bmpstr(bitstr_t * bs, field_t * f, char *base, int level)
{
unsigned len;

@@ -480,7 +480,7 @@ int decode_bmpstr(bitstr_t * bs, field_t * f, char *base, int level)
}

/****************************************************************************/
-int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
{
unsigned ext, bmp, i, opt, len = 0, bmp2, bmp2_len;
int err;
@@ -596,7 +596,7 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
}

/****************************************************************************/
-int decode_seqof(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_seqof(bitstr_t * bs, field_t * f, char *base, int level)
{
unsigned count, effective_count = 0, i, len = 0;
int err;
@@ -685,7 +685,7 @@ int decode_seqof(bitstr_t * bs, field_t * f, char *base, int level)


/****************************************************************************/
-int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
+static int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
{
unsigned type, ext, len = 0;
int err;
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: x_tables: change xt_table_register() return value convention

Switch from 0/-E to ptr/PTR_ERR convention.

Signed-off-by: Alexey Dobriyan <***@sw.ru>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit cb3634bafebc5decaaaa94c6b31885cfcc573712
tree 9ef47e68b1d6306b8893cc48539af00f097202e4
parent 343530ff0e7ba8c4efd3ebac683f9a9b7295b73d
author Alexey Dobriyan <***@sw.ru> Tue, 29 Jan 2008 16:21:56 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:14 +0100

include/linux/netfilter/x_tables.h | 6 +++---
net/ipv4/netfilter/arp_tables.c | 7 ++++---
net/ipv4/netfilter/ip_tables.c | 7 ++++---
net/ipv6/netfilter/ip6_tables.c | 7 ++++---
net/netfilter/x_tables.c | 14 ++++++++------
5 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 90dc6ea..937cebb 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -335,9 +335,9 @@ extern int xt_check_target(const struct xt_target *target, unsigned short family
unsigned int size, const char *table, unsigned int hook,
unsigned short proto, int inv_proto);

-extern int xt_register_table(struct xt_table *table,
- struct xt_table_info *bootstrap,
- struct xt_table_info *newinfo);
+extern struct xt_table *xt_register_table(struct xt_table *table,
+ struct xt_table_info *bootstrap,
+ struct xt_table_info *newinfo);
extern void *xt_unregister_table(struct xt_table *table);

extern struct xt_table_info *xt_replace_table(struct xt_table *table,
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index b4a810c..060de95 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1727,6 +1727,7 @@ int arpt_register_table(struct arpt_table *table,
struct xt_table_info bootstrap
= { 0, 0, 0, { 0 }, { 0 }, { } };
void *loc_cpu_entry;
+ struct xt_table *new_table;

newinfo = xt_alloc_table_info(repl->size);
if (!newinfo) {
@@ -1750,10 +1751,10 @@ int arpt_register_table(struct arpt_table *table,
return ret;
}

- ret = xt_register_table(table, &bootstrap, newinfo);
- if (ret != 0) {
+ new_table = xt_register_table(table, &bootstrap, newinfo);
+ if (IS_ERR(new_table)) {
xt_free_table_info(newinfo);
- return ret;
+ return PTR_ERR(new_table);
}

return 0;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 628a6b5..1b7c09e 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2055,6 +2055,7 @@ int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
struct xt_table_info bootstrap
= { 0, 0, 0, { 0 }, { 0 }, { } };
void *loc_cpu_entry;
+ struct xt_table *new_table;

newinfo = xt_alloc_table_info(repl->size);
if (!newinfo)
@@ -2074,10 +2075,10 @@ int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
return ret;
}

- ret = xt_register_table(table, &bootstrap, newinfo);
- if (ret != 0) {
+ new_table = xt_register_table(table, &bootstrap, newinfo);
+ if (IS_ERR(new_table)) {
xt_free_table_info(newinfo);
- return ret;
+ return PTR_ERR(new_table);
}

return 0;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 92b4898..f7a6239 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2081,6 +2081,7 @@ int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
struct xt_table_info bootstrap
= { 0, 0, 0, { 0 }, { 0 }, { } };
void *loc_cpu_entry;
+ struct xt_table *new_table;

newinfo = xt_alloc_table_info(repl->size);
if (!newinfo)
@@ -2100,10 +2101,10 @@ int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
return ret;
}

- ret = xt_register_table(table, &bootstrap, newinfo);
- if (ret != 0) {
+ new_table = xt_register_table(table, &bootstrap, newinfo);
+ if (IS_ERR(new_table)) {
xt_free_table_info(newinfo);
- return ret;
+ return PTR_ERR(new_table);
}

return 0;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 8d4fca9..d8d8637 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -660,9 +660,9 @@ xt_replace_table(struct xt_table *table,
}
EXPORT_SYMBOL_GPL(xt_replace_table);

-int xt_register_table(struct xt_table *table,
- struct xt_table_info *bootstrap,
- struct xt_table_info *newinfo)
+struct xt_table *xt_register_table(struct xt_table *table,
+ struct xt_table_info *bootstrap,
+ struct xt_table_info *newinfo)
{
int ret;
struct xt_table_info *private;
@@ -670,7 +670,7 @@ int xt_register_table(struct xt_table *table,

ret = mutex_lock_interruptible(&xt[table->af].mutex);
if (ret != 0)
- return ret;
+ goto out;

/* Don't autoload: we'd eat our tail... */
list_for_each_entry(t, &xt[table->af].tables, list) {
@@ -693,11 +693,13 @@ int xt_register_table(struct xt_table *table,
private->initial_entries = private->number;

list_add(&table->list, &xt[table->af].tables);
+ mutex_unlock(&xt[table->af].mutex);
+ return table;

- ret = 0;
unlock:
mutex_unlock(&xt[table->af].mutex);
- return ret;
+out:
+ return ERR_PTR(ret);
}
EXPORT_SYMBOL_GPL(xt_register_table);

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: ebtables: mark matches, targets and watchers __read_mostly

Reference to previous related commit: 9f15c5302de4e8b0aac7ca24c36bf26a7fe1a513.

Signed-off-by: Jan Engelhardt <***@computergmbh.de>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 343530ff0e7ba8c4efd3ebac683f9a9b7295b73d
tree 5eb23713f2427f996cc477c40506440eeeedb256
parent ddc4e00ab9447d62118a6a0506369726065d1df5
author Jan Engelhardt <***@computergmbh.de> Tue, 29 Jan 2008 16:21:55 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:14 +0100

net/bridge/netfilter/ebt_802_3.c | 3 +--
net/bridge/netfilter/ebt_among.c | 2 +-
net/bridge/netfilter/ebt_arp.c | 3 +--
net/bridge/netfilter/ebt_arpreply.c | 3 +--
net/bridge/netfilter/ebt_dnat.c | 3 +--
net/bridge/netfilter/ebt_ip.c | 3 +--
net/bridge/netfilter/ebt_limit.c | 3 +--
net/bridge/netfilter/ebt_mark.c | 3 +--
net/bridge/netfilter/ebt_mark_m.c | 3 +--
net/bridge/netfilter/ebt_pkttype.c | 3 +--
net/bridge/netfilter/ebt_redirect.c | 3 +--
net/bridge/netfilter/ebt_snat.c | 3 +--
net/bridge/netfilter/ebt_stp.c | 3 +--
net/bridge/netfilter/ebt_ulog.c | 2 +-
net/bridge/netfilter/ebt_vlan.c | 2 +-
15 files changed, 15 insertions(+), 27 deletions(-)

diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index ef73592..9853402 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -50,8 +50,7 @@ static int ebt_802_3_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_match filter_802_3 =
-{
+static struct ebt_match filter_802_3 __read_mostly = {
.name = EBT_802_3_MATCH,
.match = ebt_filter_802_3,
.check = ebt_802_3_check,
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index bf0d1d9..70b6dca 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -212,7 +212,7 @@ static int ebt_among_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_match filter_among = {
+static struct ebt_match filter_among __read_mostly = {
.name = EBT_AMONG_MATCH,
.match = ebt_filter_among,
.check = ebt_among_check,
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index 8d6ab64..7c535be 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -116,8 +116,7 @@ static int ebt_arp_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_match filter_arp =
-{
+static struct ebt_match filter_arp __read_mostly = {
.name = EBT_ARP_MATCH,
.match = ebt_filter_arp,
.check = ebt_arp_check,
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index 9f25423..0c42795 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -76,8 +76,7 @@ static int ebt_target_reply_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_target reply_target =
-{
+static struct ebt_target reply_target __read_mostly = {
.name = EBT_ARPREPLY_TARGET,
.target = ebt_target_reply,
.check = ebt_target_reply_check,
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 285378d..e700cbf 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -46,8 +46,7 @@ static int ebt_target_dnat_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_target dnat =
-{
+static struct ebt_target dnat __read_mostly = {
.name = EBT_DNAT_TARGET,
.target = ebt_target_dnat,
.check = ebt_target_dnat_check,
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index 78efe9b..65caa00 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -107,8 +107,7 @@ static int ebt_ip_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_match filter_ip =
-{
+static struct ebt_match filter_ip __read_mostly = {
.name = EBT_IP_MATCH,
.match = ebt_filter_ip,
.check = ebt_ip_check,
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 3c44bd6..8cbdc01 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -90,8 +90,7 @@ static int ebt_limit_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_match ebt_limit_reg =
-{
+static struct ebt_match ebt_limit_reg __read_mostly = {
.name = EBT_LIMIT_MATCH,
.match = ebt_limit_match,
.check = ebt_limit_check,
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 93ea763..36723f4 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -57,8 +57,7 @@ static int ebt_target_mark_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_target mark_target =
-{
+static struct ebt_target mark_target __read_mostly = {
.name = EBT_MARK_TARGET,
.target = ebt_target_mark,
.check = ebt_target_mark_check,
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index 914c244..9b0a454 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -39,8 +39,7 @@ static int ebt_mark_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_match filter_mark =
-{
+static struct ebt_match filter_mark __read_mostly = {
.name = EBT_MARK_MATCH,
.match = ebt_filter_mark,
.check = ebt_mark_check,
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index 19a69ea..676db32 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -36,8 +36,7 @@ static int ebt_pkttype_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_match filter_pkttype =
-{
+static struct ebt_match filter_pkttype __read_mostly = {
.name = EBT_PKTTYPE_MATCH,
.match = ebt_filter_pkttype,
.check = ebt_pkttype_check,
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index f206a27..bfdf2fb 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -51,8 +51,7 @@ static int ebt_target_redirect_check(const char *tablename, unsigned int hookmas
return 0;
}

-static struct ebt_target redirect_target =
-{
+static struct ebt_target redirect_target __read_mostly = {
.name = EBT_REDIRECT_TARGET,
.target = ebt_target_redirect,
.check = ebt_target_redirect_check,
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index ed85858..e252dab 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -68,8 +68,7 @@ static int ebt_target_snat_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_target snat =
-{
+static struct ebt_target snat __read_mostly = {
.name = EBT_SNAT_TARGET,
.target = ebt_target_snat,
.check = ebt_target_snat_check,
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index c264797..40f36d3 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -174,8 +174,7 @@ static int ebt_stp_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_match filter_stp =
-{
+static struct ebt_match filter_stp __read_mostly = {
.name = EBT_STP_MATCH,
.match = ebt_filter_stp,
.check = ebt_stp_check,
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 748eecd..2d4c9ef 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -272,7 +272,7 @@ static int ebt_ulog_check(const char *tablename, unsigned int hookmask,
return 0;
}

-static struct ebt_watcher ulog = {
+static struct ebt_watcher ulog __read_mostly = {
.name = EBT_ULOG_WATCHER,
.watcher = ebt_ulog,
.check = ebt_ulog_check,
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index 96897e2..ab60b0d 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -169,7 +169,7 @@ ebt_check_vlan(const char *tablename,
return 0;
}

-static struct ebt_match filter_vlan = {
+static struct ebt_match filter_vlan __read_mostly = {
.name = EBT_VLAN_MATCH,
.match = ebt_filter_vlan,
.check = ebt_check_vlan,
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: xt_TCPMSS: consider reverse route's MTU in clamp-to-pmtu

The TCPMSS target in Xtables should consider the MTU of the reverse
route on forwarded packets as part of the path MTU.

Point in case: IN=ppp0, OUT=eth0. MSS set to 1460 in spite of MTU of
ppp0 being 1392.

Signed-off-by: Jan Engelhardt <***@computergmbh.de>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 09a855c601cbbf240e7f127705dea74317658c45
tree ee82dc3cf0ff1e97e3bfa126678b4625d3a6d7b1
parent 5925cf9534dffe7165056399a6911609bd1fb44b
author Jan Engelhardt <***@computergmbh.de> Tue, 29 Jan 2008 16:22:03 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:18 +0100

net/netfilter/xt_TCPMSS.c | 62 +++++++++++++++++++++++++++++++++++++++++++--
1 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 60e3767..217e2b6 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -13,7 +13,10 @@
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/tcp.h>
+#include <net/dst.h>
+#include <net/flow.h>
#include <net/ipv6.h>
+#include <net/route.h>
#include <net/tcp.h>

#include <linux/netfilter_ipv4/ip_tables.h>
@@ -41,6 +44,7 @@ optlen(const u_int8_t *opt, unsigned int offset)
static int
tcpmss_mangle_packet(struct sk_buff *skb,
const struct xt_tcpmss_info *info,
+ unsigned int in_mtu,
unsigned int tcphoff,
unsigned int minlen)
{
@@ -76,7 +80,13 @@ tcpmss_mangle_packet(struct sk_buff *skb,
dst_mtu(skb->dst));
return -1;
}
- newmss = dst_mtu(skb->dst) - minlen;
+ if (in_mtu <= minlen) {
+ if (net_ratelimit())
+ printk(KERN_ERR "xt_TCPMSS: unknown or "
+ "invalid path-MTU (%u)\n", in_mtu);
+ return -1;
+ }
+ newmss = min(dst_mtu(skb->dst), in_mtu) - minlen;
} else
newmss = info->mss;

@@ -137,6 +147,28 @@ tcpmss_mangle_packet(struct sk_buff *skb,
return TCPOLEN_MSS;
}

+static u_int32_t tcpmss_reverse_mtu4(const struct iphdr *iph)
+{
+ struct flowi fl = {
+ .fl4_dst = iph->saddr,
+ };
+ const struct nf_afinfo *ai;
+ struct rtable *rt = NULL;
+ u_int32_t mtu = ~0U;
+
+ rcu_read_lock();
+ ai = nf_get_afinfo(AF_INET);
+ if (ai != NULL)
+ ai->route((struct dst_entry **)&rt, &fl);
+ rcu_read_unlock();
+
+ if (rt != NULL) {
+ mtu = dst_mtu(&rt->u.dst);
+ dst_release(&rt->u.dst);
+ }
+ return mtu;
+}
+
static unsigned int
tcpmss_tg4(struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, unsigned int hooknum,
@@ -146,7 +178,8 @@ tcpmss_tg4(struct sk_buff *skb, const struct net_device *in,
__be16 newlen;
int ret;

- ret = tcpmss_mangle_packet(skb, targinfo, iph->ihl * 4,
+ ret = tcpmss_mangle_packet(skb, targinfo, tcpmss_reverse_mtu4(iph),
+ iph->ihl * 4,
sizeof(*iph) + sizeof(struct tcphdr));
if (ret < 0)
return NF_DROP;
@@ -160,6 +193,28 @@ tcpmss_tg4(struct sk_buff *skb, const struct net_device *in,
}

#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+static u_int32_t tcpmss_reverse_mtu6(const struct ipv6hdr *iph)
+{
+ struct flowi fl = {
+ .fl6_dst = iph->saddr,
+ };
+ const struct nf_afinfo *ai;
+ struct rtable *rt = NULL;
+ u_int32_t mtu = ~0U;
+
+ rcu_read_lock();
+ ai = nf_get_afinfo(AF_INET6);
+ if (ai != NULL)
+ ai->route((struct dst_entry **)&rt, &fl);
+ rcu_read_unlock();
+
+ if (rt != NULL) {
+ mtu = dst_mtu(&rt->u.dst);
+ dst_release(&rt->u.dst);
+ }
+ return mtu;
+}
+
static unsigned int
tcpmss_tg6(struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, unsigned int hooknum,
@@ -174,7 +229,8 @@ tcpmss_tg6(struct sk_buff *skb, const struct net_device *in,
tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr);
if (tcphoff < 0)
return NF_DROP;
- ret = tcpmss_mangle_packet(skb, targinfo, tcphoff,
+ ret = tcpmss_mangle_packet(skb, targinfo, tcpmss_reverse_mtu6(ipv6h),
+ tcphoff,
sizeof(*ipv6h) + sizeof(struct tcphdr));
if (ret < 0)
return NF_DROP;
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: arp_tables: per-netns arp_tables FILTER

Signed-off-by: Alexey Dobriyan <***@sw.ru>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit e612deed898a9b2984bd7c2f4fef1a5a93f8160b
tree 044a732a14be924f70a60258ac8424de575ac8f4
parent 5f826e6f0ca7a6d45279d1c4ed6860a4bf7bbf26
author Alexey Dobriyan <***@sw.ru> Tue, 29 Jan 2008 16:22:01 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:17 +0100

include/net/netns/ipv4.h | 1 +
net/ipv4/netfilter/arptable_filter.c | 38 +++++++++++++++++++++++++---------
2 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index aeb0c3b..a9b4f60 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -31,6 +31,7 @@ struct netns_ipv4 {
struct xt_table *iptable_filter;
struct xt_table *iptable_mangle;
struct xt_table *iptable_raw;
+ struct xt_table *arptable_filter;
#endif
};
#endif
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 1a68860..4e9c496 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -20,7 +20,7 @@ static struct
struct arpt_replace repl;
struct arpt_standard entries[3];
struct arpt_error term;
-} initial_table __initdata = {
+} initial_table __net_initdata = {
.repl = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
@@ -45,7 +45,7 @@ static struct
.term = ARPT_ERROR_INIT,
};

-static struct arpt_table __packet_filter = {
+static struct arpt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
@@ -53,7 +53,6 @@ static struct arpt_table __packet_filter = {
.me = THIS_MODULE,
.af = NF_ARP,
};
-static struct arpt_table *packet_filter;

/* The work comes in here from netfilter.c */
static unsigned int arpt_hook(unsigned int hook,
@@ -62,7 +61,7 @@ static unsigned int arpt_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return arpt_do_table(skb, hook, in, out, packet_filter);
+ return arpt_do_table(skb, hook, in, out, init_net.ipv4.arptable_filter);
}

static struct nf_hook_ops arpt_ops[] __read_mostly = {
@@ -86,14 +85,33 @@ static struct nf_hook_ops arpt_ops[] __read_mostly = {
},
};

+static int __net_init arptable_filter_net_init(struct net *net)
+{
+ /* Register table */
+ net->ipv4.arptable_filter =
+ arpt_register_table(net, &packet_filter, &initial_table.repl);
+ if (IS_ERR(net->ipv4.arptable_filter))
+ return PTR_ERR(net->ipv4.arptable_filter);
+ return 0;
+}
+
+static void __net_exit arptable_filter_net_exit(struct net *net)
+{
+ arpt_unregister_table(net->ipv4.arptable_filter);
+}
+
+static struct pernet_operations arptable_filter_net_ops = {
+ .init = arptable_filter_net_init,
+ .exit = arptable_filter_net_exit,
+};
+
static int __init arptable_filter_init(void)
{
int ret;

- /* Register table */
- packet_filter = arpt_register_table(&init_net, &__packet_filter, &initial_table.repl);
- if (IS_ERR(packet_filter))
- return PTR_ERR(packet_filter);
+ ret = register_pernet_subsys(&arptable_filter_net_ops);
+ if (ret < 0)
+ return ret;

ret = nf_register_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
if (ret < 0)
@@ -101,14 +119,14 @@ static int __init arptable_filter_init(void)
return ret;

cleanup_table:
- arpt_unregister_table(packet_filter);
+ unregister_pernet_subsys(&arptable_filter_net_ops);
return ret;
}

static void __exit arptable_filter_fini(void)
{
nf_unregister_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
- arpt_unregister_table(packet_filter);
+ unregister_pernet_subsys(&arptable_filter_net_ops);
}

module_init(arptable_filter_init);
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nfnetlink_log: sparse warning fixes

Signed-off-by: Stephen Hemminger <***@vyatta.com>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 7f16025ab2a78e16a58f5c4d655d568945ecc9dc
tree 64cf943b261f105fbfe0c076e78d71a5c414d1ba
parent 70d4a3d143164c03c11ad8d14a646e46453f4c76
author Stephen Hemminger <***@vyatta.com> Tue, 29 Jan 2008 16:22:05 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:18 +0100

net/netfilter/nfnetlink_log.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 2348fcb..7efa40d 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -866,6 +866,7 @@ static struct hlist_node *get_idx(struct iter_state *st, loff_t pos)
}

static void *seq_start(struct seq_file *seq, loff_t *pos)
+ __acquires(instances_lock)
{
read_lock_bh(&instances_lock);
return get_idx(seq->private, *pos);
@@ -878,6 +879,7 @@ static void *seq_next(struct seq_file *s, void *v, loff_t *pos)
}

static void seq_stop(struct seq_file *s, void *v)
+ __releases(instances_lock)
{
read_unlock_bh(&instances_lock);
}
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: ebtables: remove casts, use consts

Signed-off-by: Jan Engelhardt <***@computergmbh.de>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit b98625021b5c086ec97c2121eaf9f06873339d3e
tree d6d438e305b31a69c641d6461c30688ed2174501
parent 1b8b1c29feb7a42aceb8f62ea9378d492437acbe
author Jan Engelhardt <***@computergmbh.de> Tue, 29 Jan 2008 16:21:54 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:13 +0100

include/net/arp.h | 8 +++++---
net/bridge/netfilter/ebt_802_3.c | 6 +++---
net/bridge/netfilter/ebt_among.c | 24 +++++++++++++++---------
net/bridge/netfilter/ebt_arp.c | 13 ++++++++-----
net/bridge/netfilter/ebt_arpreply.c | 13 ++++++++-----
net/bridge/netfilter/ebt_dnat.c | 4 ++--
net/bridge/netfilter/ebt_ip.c | 10 ++++++----
net/bridge/netfilter/ebt_limit.c | 2 +-
net/bridge/netfilter/ebt_log.c | 18 +++++++++++-------
net/bridge/netfilter/ebt_mark.c | 4 ++--
net/bridge/netfilter/ebt_mark_m.c | 4 ++--
net/bridge/netfilter/ebt_pkttype.c | 4 ++--
net/bridge/netfilter/ebt_redirect.c | 4 ++--
net/bridge/netfilter/ebt_snat.c | 7 ++++---
net/bridge/netfilter/ebt_stp.c | 24 +++++++++++++-----------
net/bridge/netfilter/ebt_ulog.c | 4 ++--
net/bridge/netfilter/ebt_vlan.c | 7 ++++---
net/ipv4/arp.c | 9 +++++----
18 files changed, 95 insertions(+), 70 deletions(-)

diff --git a/include/net/arp.h b/include/net/arp.h
index 752eb47..c236270 100644
--- a/include/net/arp.h
+++ b/include/net/arp.h
@@ -13,15 +13,17 @@ extern int arp_find(unsigned char *haddr, struct sk_buff *skb);
extern int arp_ioctl(struct net *net, unsigned int cmd, void __user *arg);
extern void arp_send(int type, int ptype, __be32 dest_ip,
struct net_device *dev, __be32 src_ip,
- unsigned char *dest_hw, unsigned char *src_hw, unsigned char *th);
+ const unsigned char *dest_hw,
+ const unsigned char *src_hw, const unsigned char *th);
extern int arp_bind_neighbour(struct dst_entry *dst);
extern int arp_mc_map(__be32 addr, u8 *haddr, struct net_device *dev, int dir);
extern void arp_ifdown(struct net_device *dev);

extern struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
struct net_device *dev, __be32 src_ip,
- unsigned char *dest_hw, unsigned char *src_hw,
- unsigned char *target_hw);
+ const unsigned char *dest_hw,
+ const unsigned char *src_hw,
+ const unsigned char *target_hw);
extern void arp_xmit(struct sk_buff *skb);

extern struct neigh_ops arp_broken_ops;
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 41a7807..ac1730b 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -15,8 +15,8 @@
static int ebt_filter_802_3(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *data, unsigned int datalen)
{
- struct ebt_802_3_info *info = (struct ebt_802_3_info *)data;
- struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
+ const struct ebt_802_3_info *info = data;
+ const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
__be16 type = hdr->llc.ui.ctrl & IS_UI ? hdr->llc.ui.type : hdr->llc.ni.type;

if (info->bitmask & EBT_802_3_SAP) {
@@ -40,7 +40,7 @@ static struct ebt_match filter_802_3;
static int ebt_802_3_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_802_3_info *info = (struct ebt_802_3_info *)data;
+ const struct ebt_802_3_info *info = data;

if (datalen < sizeof(struct ebt_802_3_info))
return -EINVAL;
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 6436d30..318157e 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -25,7 +25,7 @@ static int ebt_mac_wormhash_contains(const struct ebt_mac_wormhash *wh,
const struct ebt_mac_wormhash_tuple *p;
int start, limit, i;
uint32_t cmp[2] = { 0, 0 };
- int key = (const unsigned char) mac[5];
+ int key = ((const unsigned char *)mac)[5];

memcpy(((char *) cmp) + 2, mac, 6);
start = wh->table[key];
@@ -73,15 +73,18 @@ static int ebt_mac_wormhash_check_integrity(const struct ebt_mac_wormhash
static int get_ip_dst(const struct sk_buff *skb, __be32 *addr)
{
if (eth_hdr(skb)->h_proto == htons(ETH_P_IP)) {
- struct iphdr _iph, *ih;
+ const struct iphdr *ih;
+ struct iphdr _iph;

ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
if (ih == NULL)
return -1;
*addr = ih->daddr;
} else if (eth_hdr(skb)->h_proto == htons(ETH_P_ARP)) {
- struct arphdr _arph, *ah;
- __be32 buf, *bp;
+ const struct arphdr *ah;
+ struct arphdr _arph;
+ const __be32 *bp;
+ __be32 buf;

ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
if (ah == NULL ||
@@ -101,15 +104,18 @@ static int get_ip_dst(const struct sk_buff *skb, __be32 *addr)
static int get_ip_src(const struct sk_buff *skb, __be32 *addr)
{
if (eth_hdr(skb)->h_proto == htons(ETH_P_IP)) {
- struct iphdr _iph, *ih;
+ const struct iphdr *ih;
+ struct iphdr _iph;

ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
if (ih == NULL)
return -1;
*addr = ih->saddr;
} else if (eth_hdr(skb)->h_proto == htons(ETH_P_ARP)) {
- struct arphdr _arph, *ah;
- __be32 buf, *bp;
+ const struct arphdr *ah;
+ struct arphdr _arph;
+ const __be32 *bp;
+ __be32 buf;

ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
if (ah == NULL ||
@@ -130,7 +136,7 @@ static int ebt_filter_among(const struct sk_buff *skb,
const struct net_device *out, const void *data,
unsigned int datalen)
{
- struct ebt_among_info *info = (struct ebt_among_info *) data;
+ const struct ebt_among_info *info = data;
const char *dmac, *smac;
const struct ebt_mac_wormhash *wh_dst, *wh_src;
__be32 dip = 0, sip = 0;
@@ -175,7 +181,7 @@ static int ebt_among_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data,
unsigned int datalen)
{
- struct ebt_among_info *info = (struct ebt_among_info *) data;
+ const struct ebt_among_info *info = data;
int expected_length = sizeof(struct ebt_among_info);
const struct ebt_mac_wormhash *wh_dst, *wh_src;
int err;
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index 1814139..933433e 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -18,8 +18,9 @@
static int ebt_filter_arp(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *data, unsigned int datalen)
{
- struct ebt_arp_info *info = (struct ebt_arp_info *)data;
- struct arphdr _arph, *ah;
+ const struct ebt_arp_info *info = data;
+ const struct arphdr *ah;
+ struct arphdr _arph;

ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
if (ah == NULL)
@@ -35,7 +36,8 @@ static int ebt_filter_arp(const struct sk_buff *skb, const struct net_device *in
return EBT_NOMATCH;

if (info->bitmask & (EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_GRAT)) {
- __be32 saddr, daddr, *sap, *dap;
+ const __be32 *sap, *dap;
+ __be32 saddr, daddr;

if (ah->ar_pln != sizeof(__be32) || ah->ar_pro != htons(ETH_P_IP))
return EBT_NOMATCH;
@@ -61,7 +63,8 @@ static int ebt_filter_arp(const struct sk_buff *skb, const struct net_device *in
}

if (info->bitmask & (EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC)) {
- unsigned char _mac[ETH_ALEN], *mp;
+ const unsigned char *mp;
+ unsigned char _mac[ETH_ALEN];
uint8_t verdict, i;

if (ah->ar_hln != ETH_ALEN || ah->ar_hrd != htons(ARPHRD_ETHER))
@@ -100,7 +103,7 @@ static int ebt_filter_arp(const struct sk_buff *skb, const struct net_device *in
static int ebt_arp_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_arp_info *info = (struct ebt_arp_info *)data;
+ const struct ebt_arp_info *info = data;

if (datalen != EBT_ALIGN(sizeof(struct ebt_arp_info)))
return -EINVAL;
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index 48a80e4..7b6a8c1 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -19,10 +19,13 @@ static int ebt_target_reply(struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out,
const void *data, unsigned int datalen)
{
- struct ebt_arpreply_info *info = (struct ebt_arpreply_info *)data;
- __be32 _sip, *siptr, _dip, *diptr;
- struct arphdr _ah, *ap;
- unsigned char _sha[ETH_ALEN], *shp;
+ struct ebt_arpreply_info *info = (void *)data;
+ const __be32 *siptr, *diptr;
+ __be32 _sip, _dip;
+ const struct arphdr *ap;
+ struct arphdr _ah;
+ const unsigned char *shp;
+ unsigned char _sha[ETH_ALEN];

ap = skb_header_pointer(skb, 0, sizeof(_ah), &_ah);
if (ap == NULL)
@@ -58,7 +61,7 @@ static int ebt_target_reply(struct sk_buff *skb, unsigned int hooknr,
static int ebt_target_reply_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_arpreply_info *info = (struct ebt_arpreply_info *)data;
+ const struct ebt_arpreply_info *info = data;

if (datalen != EBT_ALIGN(sizeof(struct ebt_arpreply_info)))
return -EINVAL;
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 74262e9..6ad9160 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -18,7 +18,7 @@ static int ebt_target_dnat(struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out,
const void *data, unsigned int datalen)
{
- struct ebt_nat_info *info = (struct ebt_nat_info *)data;
+ const struct ebt_nat_info *info = data;

if (skb_make_writable(skb, 0))
return NF_DROP;
@@ -30,7 +30,7 @@ static int ebt_target_dnat(struct sk_buff *skb, unsigned int hooknr,
static int ebt_target_dnat_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_nat_info *info = (struct ebt_nat_info *)data;
+ const struct ebt_nat_info *info = data;

if (BASE_CHAIN && info->target == EBT_RETURN)
return -EINVAL;
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index 69f7f0a..82934f9 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -28,9 +28,11 @@ static int ebt_filter_ip(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *data,
unsigned int datalen)
{
- struct ebt_ip_info *info = (struct ebt_ip_info *)data;
- struct iphdr _iph, *ih;
- struct tcpudphdr _ports, *pptr;
+ const struct ebt_ip_info *info = data;
+ const struct iphdr *ih;
+ struct iphdr _iph;
+ const struct tcpudphdr *pptr;
+ struct tcpudphdr _ports;

ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
if (ih == NULL)
@@ -79,7 +81,7 @@ static int ebt_filter_ip(const struct sk_buff *skb, const struct net_device *in,
static int ebt_ip_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_ip_info *info = (struct ebt_ip_info *)data;
+ const struct ebt_ip_info *info = data;

if (datalen != EBT_ALIGN(sizeof(struct ebt_ip_info)))
return -EINVAL;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index d48fa5c..2eb5cb7 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -69,7 +69,7 @@ user2credits(u_int32_t user)
static int ebt_limit_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_limit_info *info = (struct ebt_limit_info *)data;
+ struct ebt_limit_info *info = data;

if (datalen != EBT_ALIGN(sizeof(struct ebt_limit_info)))
return -EINVAL;
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index 3be9e98..40560d6 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -24,7 +24,7 @@ static DEFINE_SPINLOCK(ebt_log_lock);
static int ebt_log_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_log_info *info = (struct ebt_log_info *)data;
+ struct ebt_log_info *info = data;

if (datalen != EBT_ALIGN(sizeof(struct ebt_log_info)))
return -EINVAL;
@@ -50,7 +50,7 @@ struct arppayload
unsigned char ip_dst[4];
};

-static void print_MAC(unsigned char *p)
+static void print_MAC(const unsigned char *p)
{
int i;

@@ -84,7 +84,8 @@ ebt_log_packet(unsigned int pf, unsigned int hooknum,

if ((bitmask & EBT_LOG_IP) && eth_hdr(skb)->h_proto ==
htons(ETH_P_IP)){
- struct iphdr _iph, *ih;
+ const struct iphdr *ih;
+ struct iphdr _iph;

ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
if (ih == NULL) {
@@ -99,7 +100,8 @@ ebt_log_packet(unsigned int pf, unsigned int hooknum,
ih->protocol == IPPROTO_UDPLITE ||
ih->protocol == IPPROTO_SCTP ||
ih->protocol == IPPROTO_DCCP) {
- struct tcpudphdr _ports, *pptr;
+ const struct tcpudphdr *pptr;
+ struct tcpudphdr _ports;

pptr = skb_header_pointer(skb, ih->ihl*4,
sizeof(_ports), &_ports);
@@ -116,7 +118,8 @@ ebt_log_packet(unsigned int pf, unsigned int hooknum,
if ((bitmask & EBT_LOG_ARP) &&
((eth_hdr(skb)->h_proto == htons(ETH_P_ARP)) ||
(eth_hdr(skb)->h_proto == htons(ETH_P_RARP)))) {
- struct arphdr _arph, *ah;
+ const struct arphdr *ah;
+ struct arphdr _arph;

ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
if (ah == NULL) {
@@ -132,7 +135,8 @@ ebt_log_packet(unsigned int pf, unsigned int hooknum,
if (ah->ar_hrd == htons(1) &&
ah->ar_hln == ETH_ALEN &&
ah->ar_pln == sizeof(__be32)) {
- struct arppayload _arpp, *ap;
+ const struct arppayload *ap;
+ struct arppayload _arpp;

ap = skb_header_pointer(skb, sizeof(_arph),
sizeof(_arpp), &_arpp);
@@ -160,7 +164,7 @@ static void ebt_log(const struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out,
const void *data, unsigned int datalen)
{
- struct ebt_log_info *info = (struct ebt_log_info *)data;
+ const struct ebt_log_info *info = data;
struct nf_loginfo li;

li.type = NF_LOG_TYPE_LOG;
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 6cba543..6fe93df 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -21,7 +21,7 @@ static int ebt_target_mark(struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out,
const void *data, unsigned int datalen)
{
- struct ebt_mark_t_info *info = (struct ebt_mark_t_info *)data;
+ const struct ebt_mark_t_info *info = data;
int action = info->target & -16;

if (action == MARK_SET_VALUE)
@@ -39,7 +39,7 @@ static int ebt_target_mark(struct sk_buff *skb, unsigned int hooknr,
static int ebt_target_mark_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_mark_t_info *info = (struct ebt_mark_t_info *)data;
+ const struct ebt_mark_t_info *info = data;
int tmp;

if (datalen != EBT_ALIGN(sizeof(struct ebt_mark_t_info)))
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index 6b0d216..0acab09 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -16,7 +16,7 @@ static int ebt_filter_mark(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out, const void *data,
unsigned int datalen)
{
- struct ebt_mark_m_info *info = (struct ebt_mark_m_info *) data;
+ const struct ebt_mark_m_info *info = data;

if (info->bitmask & EBT_MARK_OR)
return !(!!(skb->mark & info->mask) ^ info->invert);
@@ -26,7 +26,7 @@ static int ebt_filter_mark(const struct sk_buff *skb,
static int ebt_mark_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_mark_m_info *info = (struct ebt_mark_m_info *) data;
+ const struct ebt_mark_m_info *info = data;

if (datalen != EBT_ALIGN(sizeof(struct ebt_mark_m_info)))
return -EINVAL;
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index 4fffd70..a15cf06 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -18,7 +18,7 @@ static int ebt_filter_pkttype(const struct sk_buff *skb,
const void *data,
unsigned int datalen)
{
- struct ebt_pkttype_info *info = (struct ebt_pkttype_info *)data;
+ const struct ebt_pkttype_info *info = data;

return (skb->pkt_type != info->pkt_type) ^ info->invert;
}
@@ -26,7 +26,7 @@ static int ebt_filter_pkttype(const struct sk_buff *skb,
static int ebt_pkttype_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_pkttype_info *info = (struct ebt_pkttype_info *)data;
+ const struct ebt_pkttype_info *info = data;

if (datalen != EBT_ALIGN(sizeof(struct ebt_pkttype_info)))
return -EINVAL;
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index 422cb83..c1f9ca2 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -19,7 +19,7 @@ static int ebt_target_redirect(struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out,
const void *data, unsigned int datalen)
{
- struct ebt_redirect_info *info = (struct ebt_redirect_info *)data;
+ const struct ebt_redirect_info *info = data;

if (skb_make_writable(skb, 0))
return NF_DROP;
@@ -36,7 +36,7 @@ static int ebt_target_redirect(struct sk_buff *skb, unsigned int hooknr,
static int ebt_target_redirect_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_redirect_info *info = (struct ebt_redirect_info *)data;
+ const struct ebt_redirect_info *info = data;

if (datalen != EBT_ALIGN(sizeof(struct ebt_redirect_info)))
return -EINVAL;
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 425ac92..6bc263c 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -20,7 +20,7 @@ static int ebt_target_snat(struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out,
const void *data, unsigned int datalen)
{
- struct ebt_nat_info *info = (struct ebt_nat_info *) data;
+ const struct ebt_nat_info *info = data;

if (skb_make_writable(skb, 0))
return NF_DROP;
@@ -28,7 +28,8 @@ static int ebt_target_snat(struct sk_buff *skb, unsigned int hooknr,
memcpy(eth_hdr(skb)->h_source, info->mac, ETH_ALEN);
if (!(info->target & NAT_ARP_BIT) &&
eth_hdr(skb)->h_proto == htons(ETH_P_ARP)) {
- struct arphdr _ah, *ap;
+ const struct arphdr *ap;
+ struct arphdr _ah;

ap = skb_header_pointer(skb, 0, sizeof(_ah), &_ah);
if (ap == NULL)
@@ -45,7 +46,7 @@ out:
static int ebt_target_snat_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_nat_info *info = (struct ebt_nat_info *) data;
+ const struct ebt_nat_info *info = data;
int tmp;

if (datalen != EBT_ALIGN(sizeof(struct ebt_nat_info)))
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 31b7736..fe323c4 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -40,10 +40,10 @@ struct stp_config_pdu {
#define NR16(p) (p[0] << 8 | p[1])
#define NR32(p) ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3])

-static int ebt_filter_config(struct ebt_stp_info *info,
- struct stp_config_pdu *stpc)
+static int ebt_filter_config(const struct ebt_stp_info *info,
+ const struct stp_config_pdu *stpc)
{
- struct ebt_stp_config_info *c;
+ const struct ebt_stp_config_info *c;
uint16_t v16;
uint32_t v32;
int verdict, i;
@@ -122,9 +122,10 @@ static int ebt_filter_config(struct ebt_stp_info *info,
static int ebt_filter_stp(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *data, unsigned int datalen)
{
- struct ebt_stp_info *info = (struct ebt_stp_info *)data;
- struct stp_header _stph, *sp;
- uint8_t header[6] = {0x42, 0x42, 0x03, 0x00, 0x00, 0x00};
+ const struct ebt_stp_info *info = data;
+ const struct stp_header *sp;
+ struct stp_header _stph;
+ const uint8_t header[6] = {0x42, 0x42, 0x03, 0x00, 0x00, 0x00};

sp = skb_header_pointer(skb, 0, sizeof(_stph), &_stph);
if (sp == NULL)
@@ -140,7 +141,8 @@ static int ebt_filter_stp(const struct sk_buff *skb, const struct net_device *in

if (sp->type == BPDU_TYPE_CONFIG &&
info->bitmask & EBT_STP_CONFIG_MASK) {
- struct stp_config_pdu _stpc, *st;
+ const struct stp_config_pdu *st;
+ struct stp_config_pdu _stpc;

st = skb_header_pointer(skb, sizeof(_stph),
sizeof(_stpc), &_stpc);
@@ -154,10 +156,10 @@ static int ebt_filter_stp(const struct sk_buff *skb, const struct net_device *in
static int ebt_stp_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_stp_info *info = (struct ebt_stp_info *)data;
- int len = EBT_ALIGN(sizeof(struct ebt_stp_info));
- uint8_t bridge_ula[6] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x00 };
- uint8_t msk[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+ const struct ebt_stp_info *info = data;
+ const unsigned int len = EBT_ALIGN(sizeof(struct ebt_stp_info));
+ const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
+ const uint8_t msk[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
!(info->bitmask & EBT_STP_MASK))
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 8e7b00b..2015711 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -249,7 +249,7 @@ static void ebt_ulog(const struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out,
const void *data, unsigned int datalen)
{
- struct ebt_ulog_info *uloginfo = (struct ebt_ulog_info *)data;
+ const struct ebt_ulog_info *uloginfo = data;

ebt_ulog_packet(hooknr, skb, in, out, uloginfo, NULL);
}
@@ -258,7 +258,7 @@ static void ebt_ulog(const struct sk_buff *skb, unsigned int hooknr,
static int ebt_ulog_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_ulog_info *uloginfo = (struct ebt_ulog_info *)data;
+ struct ebt_ulog_info *uloginfo = data;

if (datalen != EBT_ALIGN(sizeof(struct ebt_ulog_info)) ||
uloginfo->nlgroup > 31)
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index 0ddf749..097d067 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -46,8 +46,9 @@ ebt_filter_vlan(const struct sk_buff *skb,
const struct net_device *out,
const void *data, unsigned int datalen)
{
- struct ebt_vlan_info *info = (struct ebt_vlan_info *) data;
- struct vlan_hdr _frame, *fp;
+ const struct ebt_vlan_info *info = data;
+ const struct vlan_hdr *fp;
+ struct vlan_hdr _frame;

unsigned short TCI; /* Whole TCI, given from parsed frame */
unsigned short id; /* VLAN ID, given from frame TCI */
@@ -91,7 +92,7 @@ ebt_check_vlan(const char *tablename,
unsigned int hooknr,
const struct ebt_entry *e, void *data, unsigned int datalen)
{
- struct ebt_vlan_info *info = (struct ebt_vlan_info *) data;
+ struct ebt_vlan_info *info = data;

/* Parameters buffer overflow check */
if (datalen != EBT_ALIGN(sizeof(struct ebt_vlan_info))) {
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 5976c59..8e17f65 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -558,8 +558,9 @@ static inline int arp_fwd_proxy(struct in_device *in_dev, struct rtable *rt)
*/
struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
struct net_device *dev, __be32 src_ip,
- unsigned char *dest_hw, unsigned char *src_hw,
- unsigned char *target_hw)
+ const unsigned char *dest_hw,
+ const unsigned char *src_hw,
+ const unsigned char *target_hw)
{
struct sk_buff *skb;
struct arphdr *arp;
@@ -672,8 +673,8 @@ void arp_xmit(struct sk_buff *skb)
*/
void arp_send(int type, int ptype, __be32 dest_ip,
struct net_device *dev, __be32 src_ip,
- unsigned char *dest_hw, unsigned char *src_hw,
- unsigned char *target_hw)
+ const unsigned char *dest_hw, const unsigned char *src_hw,
+ const unsigned char *target_hw)
{
struct sk_buff *skb;

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: conntrack: get rid of sparse warnings

Teach sparse about locking here, and fix signed/unsigned warnings.

Signed-off-by: Stephen Hemminger <***@vyatta.com>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit a56984be5dde4c3ab631f9c66e15c1fa7a12f17e
tree 686c306b6e89f19951950a971d69785256387b2d
parent 7f16025ab2a78e16a58f5c4d655d568945ecc9dc
author Stephen Hemminger <***@vyatta.com> Tue, 29 Jan 2008 16:22:06 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:19 +0100

net/netfilter/nf_conntrack_irc.c | 2 +-
net/netfilter/nf_conntrack_proto_sctp.c | 4 ++--
net/netfilter/nf_conntrack_proto_tcp.c | 6 +++---
net/netfilter/nf_conntrack_sip.c | 4 ++--
net/netfilter/nf_conntrack_standalone.c | 2 ++
net/netfilter/nf_conntrack_tftp.c | 2 +-
6 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index dfaed4b..c336b07 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -23,7 +23,7 @@

#define MAX_PORTS 8
static unsigned short ports[MAX_PORTS];
-static int ports_c;
+static unsigned int ports_c;
static unsigned int max_dcc_channels = 8;
static unsigned int dcc_timeout __read_mostly = 300;
/* This is slow, but it's simple. --RR */
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 21d29e7..7017b16 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -624,7 +624,7 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
#endif
};

-int __init nf_conntrack_proto_sctp_init(void)
+static int __init nf_conntrack_proto_sctp_init(void)
{
int ret;

@@ -647,7 +647,7 @@ int __init nf_conntrack_proto_sctp_init(void)
return ret;
}

-void __exit nf_conntrack_proto_sctp_fini(void)
+static void __exit nf_conntrack_proto_sctp_fini(void)
{
nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 64c9b91..8e22075 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1098,16 +1098,16 @@ static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = {

static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
{
- struct nlattr *attr = cda[CTA_PROTOINFO_TCP];
+ struct nlattr *pattr = cda[CTA_PROTOINFO_TCP];
struct nlattr *tb[CTA_PROTOINFO_TCP_MAX+1];
int err;

/* updates could not contain anything about the private
* protocol info, in that case skip the parsing */
- if (!attr)
+ if (!pattr)
return 0;

- err = nla_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr, tcp_nla_policy);
+ err = nla_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, pattr, tcp_nla_policy);
if (err < 0)
return err;

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 47d8947..775f7d4 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -28,7 +28,7 @@ MODULE_ALIAS("ip_conntrack_sip");

#define MAX_PORTS 8
static unsigned short ports[MAX_PORTS];
-static int ports_c;
+static unsigned int ports_c;
module_param_array(ports, ushort, &ports_c, 0400);
MODULE_PARM_DESC(ports, "port numbers of SIP servers");

@@ -407,7 +407,7 @@ static int sip_help(struct sk_buff *skb,
unsigned int dataoff, datalen;
const char *dptr;
int ret = NF_ACCEPT;
- int matchoff, matchlen;
+ unsigned int matchoff, matchlen;
u_int16_t port;
enum sip_header_pos pos;
typeof(nf_nat_sip_hook) nf_nat_sip;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 696074a..28c5ae8 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -93,6 +93,7 @@ static struct hlist_node *ct_get_idx(struct seq_file *seq, loff_t pos)
}

static void *ct_seq_start(struct seq_file *seq, loff_t *pos)
+ __acquires(nf_conntrack_lock)
{
read_lock_bh(&nf_conntrack_lock);
return ct_get_idx(seq, *pos);
@@ -105,6 +106,7 @@ static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos)
}

static void ct_seq_stop(struct seq_file *s, void *v)
+ __releases(nf_conntrack_lock)
{
read_unlock_bh(&nf_conntrack_lock);
}
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index e894aa1..176f769 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ip_conntrack_tftp");

#define MAX_PORTS 8
static unsigned short ports[MAX_PORTS];
-static int ports_c;
+static unsigned int ports_c;
module_param_array(ports, ushort, &ports_c, 0400);
MODULE_PARM_DESC(ports, "Port numbers of TFTP servers");

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_conntrack: sparse warnings

The hashtable size is really unsigned so sparse complains when you pass
a signed integer. Change all uses to make it consistent.

Signed-off-by: Stephen Hemminger <***@vyatta.com>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 70d4a3d143164c03c11ad8d14a646e46453f4c76
tree f2d2e1053d51c51dfdc934d0713a6bbec711b4c1
parent 1ba99fa44b76ee7a7dddffc965a296d46c70fd40
author Stephen Hemminger <***@vyatta.com> Tue, 29 Jan 2008 16:22:05 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:18 +0100

include/net/netfilter/nf_conntrack.h | 4 ++--
net/netfilter/nf_conntrack_core.c | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 857d899..dada041 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -171,9 +171,9 @@ static inline void nf_ct_put(struct nf_conn *ct)
extern int nf_ct_l3proto_try_module_get(unsigned short l3proto);
extern void nf_ct_l3proto_module_put(unsigned short l3proto);

-extern struct hlist_head *nf_ct_alloc_hashtable(int *sizep, int *vmalloced);
+extern struct hlist_head *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced);
extern void nf_ct_free_hashtable(struct hlist_head *hash, int vmalloced,
- int size);
+ unsigned int size);

extern struct nf_conntrack_tuple_hash *
__nf_conntrack_find(const struct nf_conntrack_tuple *tuple,
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 078fff0..7b1f7e8 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -939,7 +939,7 @@ static int kill_all(struct nf_conn *i, void *data)
return 1;
}

-void nf_ct_free_hashtable(struct hlist_head *hash, int vmalloced, int size)
+void nf_ct_free_hashtable(struct hlist_head *hash, int vmalloced, unsigned int size)
{
if (vmalloced)
vfree(hash);
@@ -988,7 +988,7 @@ void nf_conntrack_cleanup(void)
nf_conntrack_expect_fini();
}

-struct hlist_head *nf_ct_alloc_hashtable(int *sizep, int *vmalloced)
+struct hlist_head *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced)
{
struct hlist_head *hash;
unsigned int size, i;
@@ -1015,8 +1015,8 @@ EXPORT_SYMBOL_GPL(nf_ct_alloc_hashtable);

int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
{
- int i, bucket, hashsize, vmalloced;
- int old_vmalloced, old_size;
+ int i, bucket, vmalloced, old_vmalloced;
+ unsigned int hashsize, old_size;
int rnd;
struct hlist_head *hash, *old_hash;
struct nf_conntrack_tuple_hash *h;
@@ -1025,7 +1025,7 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
if (!nf_conntrack_htable_size)
return param_set_uint(val, kp);

- hashsize = simple_strtol(val, NULL, 0);
+ hashsize = simple_strtoul(val, NULL, 0);
if (!hashsize)
return -EINVAL;

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: ip_tables: per-netns FILTER, MANGLE, RAW

Now, iptables show and configure different set of rules in different
netnss'. Filtering decisions are still made by consulting only
init_net's set.

Changes are identical except naming so no splitting.

P.S.: one need to remove init_net checks in nf_sockopt.c and inet_create()
to see the effect.

Signed-off-by: Alexey Dobriyan <***@sw.ru>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 4885531d4b5ac7058b8d2414d6f6404eba84d0e8
tree 66ed2423ba98c9a6a61d63310f5f4ecbe755427c
parent 5420d0d7491f2c9bf23ad1895c48438d9a09b9e2
author Alexey Dobriyan <***@sw.ru> Tue, 29 Jan 2008 16:21:59 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:16 +0100

include/net/netns/ipv4.h | 5 ++++
net/ipv4/netfilter/iptable_filter.c | 41 +++++++++++++++++++++++++----------
net/ipv4/netfilter/iptable_mangle.c | 41 +++++++++++++++++++++++++----------
net/ipv4/netfilter/iptable_raw.c | 41 +++++++++++++++++++++++++----------
4 files changed, 92 insertions(+), 36 deletions(-)

diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 15a0b05..aeb0c3b 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -27,5 +27,10 @@ struct netns_ipv4 {
struct sock *fibnl;

struct netns_frags frags;
+#ifdef CONFIG_NETFILTER
+ struct xt_table *iptable_filter;
+ struct xt_table *iptable_mangle;
+ struct xt_table *iptable_raw;
+#endif
};
#endif
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 3b43ca0..69f3d7e 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -28,7 +28,7 @@ static struct
struct ipt_replace repl;
struct ipt_standard entries[3];
struct ipt_error term;
-} initial_table __initdata = {
+} initial_table __net_initdata = {
.repl = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
@@ -53,14 +53,13 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};

-static struct xt_table __packet_filter = {
+static struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET,
};
-static struct xt_table *packet_filter;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -70,7 +69,7 @@ ipt_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out, packet_filter);
+ return ipt_do_table(skb, hook, in, out, init_net.ipv4.iptable_filter);
}

static unsigned int
@@ -89,7 +88,7 @@ ipt_local_out_hook(unsigned int hook,
return NF_ACCEPT;
}

- return ipt_do_table(skb, hook, in, out, packet_filter);
+ return ipt_do_table(skb, hook, in, out, init_net.ipv4.iptable_filter);
}

static struct nf_hook_ops ipt_ops[] __read_mostly = {
@@ -120,6 +119,26 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
static int forward = NF_ACCEPT;
module_param(forward, bool, 0000);

+static int __net_init iptable_filter_net_init(struct net *net)
+{
+ /* Register table */
+ net->ipv4.iptable_filter =
+ ipt_register_table(net, &packet_filter, &initial_table.repl);
+ if (IS_ERR(net->ipv4.iptable_filter))
+ return PTR_ERR(net->ipv4.iptable_filter);
+ return 0;
+}
+
+static void __net_exit iptable_filter_net_exit(struct net *net)
+{
+ ipt_unregister_table(net->ipv4.iptable_filter);
+}
+
+static struct pernet_operations iptable_filter_net_ops = {
+ .init = iptable_filter_net_init,
+ .exit = iptable_filter_net_exit,
+};
+
static int __init iptable_filter_init(void)
{
int ret;
@@ -132,11 +151,9 @@ static int __init iptable_filter_init(void)
/* Entry 1 is the FORWARD hook */
initial_table.entries[1].target.verdict = -forward - 1;

- /* Register table */
- packet_filter = ipt_register_table(&init_net, &__packet_filter,
- &initial_table.repl);
- if (IS_ERR(packet_filter))
- return PTR_ERR(packet_filter);
+ ret = register_pernet_subsys(&iptable_filter_net_ops);
+ if (ret < 0)
+ return ret;

/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
@@ -146,14 +163,14 @@ static int __init iptable_filter_init(void)
return ret;

cleanup_table:
- ipt_unregister_table(packet_filter);
+ unregister_pernet_subsys(&iptable_filter_net_ops);
return ret;
}

static void __exit iptable_filter_fini(void)
{
nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- ipt_unregister_table(packet_filter);
+ unregister_pernet_subsys(&iptable_filter_net_ops);
}

module_init(iptable_filter_init);
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 292f2ed..c55a210 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -33,7 +33,7 @@ static struct
struct ipt_replace repl;
struct ipt_standard entries[5];
struct ipt_error term;
-} initial_table __initdata = {
+} initial_table __net_initdata = {
.repl = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
@@ -64,14 +64,13 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};

-static struct xt_table __packet_mangler = {
+static struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET,
};
-static struct xt_table *packet_mangler;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -81,7 +80,7 @@ ipt_route_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out, packet_mangler);
+ return ipt_do_table(skb, hook, in, out, init_net.ipv4.iptable_mangle);
}

static unsigned int
@@ -113,7 +112,7 @@ ipt_local_hook(unsigned int hook,
daddr = iph->daddr;
tos = iph->tos;

- ret = ipt_do_table(skb, hook, in, out, packet_mangler);
+ ret = ipt_do_table(skb, hook, in, out, init_net.ipv4.iptable_mangle);
/* Reroute for ANY change. */
if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE) {
iph = ip_hdr(skb);
@@ -167,15 +166,33 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
},
};

+static int __net_init iptable_mangle_net_init(struct net *net)
+{
+ /* Register table */
+ net->ipv4.iptable_mangle =
+ ipt_register_table(net, &packet_mangler, &initial_table.repl);
+ if (IS_ERR(net->ipv4.iptable_mangle))
+ return PTR_ERR(net->ipv4.iptable_mangle);
+ return 0;
+}
+
+static void __net_exit iptable_mangle_net_exit(struct net *net)
+{
+ ipt_unregister_table(net->ipv4.iptable_mangle);
+}
+
+static struct pernet_operations iptable_mangle_net_ops = {
+ .init = iptable_mangle_net_init,
+ .exit = iptable_mangle_net_exit,
+};
+
static int __init iptable_mangle_init(void)
{
int ret;

- /* Register table */
- packet_mangler = ipt_register_table(&init_net, &__packet_mangler,
- &initial_table.repl);
- if (IS_ERR(packet_mangler))
- return PTR_ERR(packet_mangler);
+ ret = register_pernet_subsys(&iptable_mangle_net_ops);
+ if (ret < 0)
+ return ret;

/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
@@ -185,14 +202,14 @@ static int __init iptable_mangle_init(void)
return ret;

cleanup_table:
- ipt_unregister_table(packet_mangler);
+ unregister_pernet_subsys(&iptable_mangle_net_ops);
return ret;
}

static void __exit iptable_mangle_fini(void)
{
nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- ipt_unregister_table(packet_mangler);
+ unregister_pernet_subsys(&iptable_mangle_net_ops);
}

module_init(iptable_mangle_init);
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index dab863d..e41fe8c 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -14,7 +14,7 @@ static struct
struct ipt_replace repl;
struct ipt_standard entries[2];
struct ipt_error term;
-} initial_table __initdata = {
+} initial_table __net_initdata = {
.repl = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
@@ -36,14 +36,13 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};

-static struct xt_table __packet_raw = {
+static struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
.me = THIS_MODULE,
.af = AF_INET,
};
-static struct xt_table *packet_raw;

/* The work comes in here from netfilter.c. */
static unsigned int
@@ -53,7 +52,7 @@ ipt_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- return ipt_do_table(skb, hook, in, out, packet_raw);
+ return ipt_do_table(skb, hook, in, out, init_net.ipv4.iptable_raw);
}

static unsigned int
@@ -71,7 +70,7 @@ ipt_local_hook(unsigned int hook,
"packet.\n");
return NF_ACCEPT;
}
- return ipt_do_table(skb, hook, in, out, packet_raw);
+ return ipt_do_table(skb, hook, in, out, init_net.ipv4.iptable_raw);
}

/* 'raw' is the very first table. */
@@ -92,15 +91,33 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
},
};

+static int __net_init iptable_raw_net_init(struct net *net)
+{
+ /* Register table */
+ net->ipv4.iptable_raw =
+ ipt_register_table(net, &packet_raw, &initial_table.repl);
+ if (IS_ERR(net->ipv4.iptable_raw))
+ return PTR_ERR(net->ipv4.iptable_raw);
+ return 0;
+}
+
+static void __net_exit iptable_raw_net_exit(struct net *net)
+{
+ ipt_unregister_table(net->ipv4.iptable_raw);
+}
+
+static struct pernet_operations iptable_raw_net_ops = {
+ .init = iptable_raw_net_init,
+ .exit = iptable_raw_net_exit,
+};
+
static int __init iptable_raw_init(void)
{
int ret;

- /* Register table */
- packet_raw = ipt_register_table(&init_net, &__packet_raw,
- &initial_table.repl);
- if (IS_ERR(packet_raw))
- return PTR_ERR(packet_raw);
+ ret = register_pernet_subsys(&iptable_raw_net_ops);
+ if (ret < 0)
+ return ret;

/* Register hooks */
ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
@@ -110,14 +127,14 @@ static int __init iptable_raw_init(void)
return ret;

cleanup_table:
- ipt_unregister_table(packet_raw);
+ unregister_pernet_subsys(&iptable_raw_net_ops);
return ret;
}

static void __exit iptable_raw_fini(void)
{
nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
- ipt_unregister_table(packet_raw);
+ unregister_pernet_subsys(&iptable_raw_net_ops);
}

module_init(iptable_raw_init);
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: arp_tables: netns preparation

* Propagate netns from userspace.
* arpt_register_table() registers table in supplied netns.

Signed-off-by: Alexey Dobriyan <***@sw.ru>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 5f826e6f0ca7a6d45279d1c4ed6860a4bf7bbf26
tree a679f8f22cd3df21b5a13648dfa59ed6c8ec78e5
parent 084d68b97043319020232289b1f63c8c7afa2e97
author Alexey Dobriyan <***@sw.ru> Tue, 29 Jan 2008 16:22:01 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:17 +0100

include/linux/netfilter_arp/arp_tables.h | 3 +-
net/ipv4/netfilter/arp_tables.c | 55 +++++++++++++++++-------------
net/ipv4/netfilter/arptable_filter.c | 2 +
3 files changed, 34 insertions(+), 26 deletions(-)

diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index f35486b..db223ca 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -271,7 +271,8 @@ struct arpt_error
xt_register_target(tgt); })
#define arpt_unregister_target(tgt) xt_unregister_target(tgt)

-extern struct arpt_table *arpt_register_table(struct arpt_table *table,
+extern struct arpt_table *arpt_register_table(struct net *net,
+ struct arpt_table *table,
const struct arpt_replace *repl);
extern void arpt_unregister_table(struct arpt_table *table);
extern unsigned int arpt_do_table(struct sk_buff *skb,
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 3a5afb8..ec64b67 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -22,6 +22,7 @@
#include <linux/mutex.h>
#include <linux/err.h>
#include <net/compat.h>
+#include <net/sock.h>
#include <asm/uaccess.h>

#include <linux/netfilter/x_tables.h>
@@ -850,7 +851,7 @@ static int compat_table_info(const struct xt_table_info *info,
}
#endif

-static int get_info(void __user *user, int *len, int compat)
+static int get_info(struct net *net, void __user *user, int *len, int compat)
{
char name[ARPT_TABLE_MAXNAMELEN];
struct arpt_table *t;
@@ -870,7 +871,7 @@ static int get_info(void __user *user, int *len, int compat)
if (compat)
xt_compat_lock(NF_ARP);
#endif
- t = try_then_request_module(xt_find_table_lock(&init_net, NF_ARP, name),
+ t = try_then_request_module(xt_find_table_lock(net, NF_ARP, name),
"arptable_%s", name);
if (t && !IS_ERR(t)) {
struct arpt_getinfo info;
@@ -908,7 +909,8 @@ static int get_info(void __user *user, int *len, int compat)
return ret;
}

-static int get_entries(struct arpt_get_entries __user *uptr, int *len)
+static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
+ int *len)
{
int ret;
struct arpt_get_entries get;
@@ -926,7 +928,7 @@ static int get_entries(struct arpt_get_entries __user *uptr, int *len)
return -EINVAL;
}

- t = xt_find_table_lock(&init_net, NF_ARP, get.name);
+ t = xt_find_table_lock(net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
duprintf("t->private->number = %u\n",
@@ -947,7 +949,8 @@ static int get_entries(struct arpt_get_entries __user *uptr, int *len)
return ret;
}

-static int __do_replace(const char *name, unsigned int valid_hooks,
+static int __do_replace(struct net *net, const char *name,
+ unsigned int valid_hooks,
struct xt_table_info *newinfo,
unsigned int num_counters,
void __user *counters_ptr)
@@ -966,7 +969,7 @@ static int __do_replace(const char *name, unsigned int valid_hooks,
goto out;
}

- t = try_then_request_module(xt_find_table_lock(&init_net, NF_ARP, name),
+ t = try_then_request_module(xt_find_table_lock(net, NF_ARP, name),
"arptable_%s", name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
@@ -1019,7 +1022,7 @@ static int __do_replace(const char *name, unsigned int valid_hooks,
return ret;
}

-static int do_replace(void __user *user, unsigned int len)
+static int do_replace(struct net *net, void __user *user, unsigned int len)
{
int ret;
struct arpt_replace tmp;
@@ -1053,7 +1056,7 @@ static int do_replace(void __user *user, unsigned int len)

duprintf("arp_tables: Translated table\n");

- ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo,
+ ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
tmp.num_counters, tmp.counters);
if (ret)
goto free_newinfo_untrans;
@@ -1080,7 +1083,8 @@ static inline int add_counter_to_entry(struct arpt_entry *e,
return 0;
}

-static int do_add_counters(void __user *user, unsigned int len, int compat)
+static int do_add_counters(struct net *net, void __user *user, unsigned int len,
+ int compat)
{
unsigned int i;
struct xt_counters_info tmp;
@@ -1132,7 +1136,7 @@ static int do_add_counters(void __user *user, unsigned int len, int compat)
goto free;
}

- t = xt_find_table_lock(&init_net, NF_ARP, name);
+ t = xt_find_table_lock(net, NF_ARP, name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
goto free;
@@ -1435,7 +1439,8 @@ struct compat_arpt_replace {
struct compat_arpt_entry entries[0];
};

-static int compat_do_replace(void __user *user, unsigned int len)
+static int compat_do_replace(struct net *net, void __user *user,
+ unsigned int len)
{
int ret;
struct compat_arpt_replace tmp;
@@ -1471,7 +1476,7 @@ static int compat_do_replace(void __user *user, unsigned int len)

duprintf("compat_do_replace: Translated table\n");

- ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo,
+ ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
tmp.num_counters, compat_ptr(tmp.counters));
if (ret)
goto free_newinfo_untrans;
@@ -1494,11 +1499,11 @@ static int compat_do_arpt_set_ctl(struct sock *sk, int cmd, void __user *user,

switch (cmd) {
case ARPT_SO_SET_REPLACE:
- ret = compat_do_replace(user, len);
+ ret = compat_do_replace(sk->sk_net, user, len);
break;

case ARPT_SO_SET_ADD_COUNTERS:
- ret = do_add_counters(user, len, 1);
+ ret = do_add_counters(sk->sk_net, user, len, 1);
break;

default:
@@ -1584,7 +1589,8 @@ struct compat_arpt_get_entries {
struct compat_arpt_entry entrytable[0];
};

-static int compat_get_entries(struct compat_arpt_get_entries __user *uptr,
+static int compat_get_entries(struct net *net,
+ struct compat_arpt_get_entries __user *uptr,
int *len)
{
int ret;
@@ -1604,7 +1610,7 @@ static int compat_get_entries(struct compat_arpt_get_entries __user *uptr,
}

xt_compat_lock(NF_ARP);
- t = xt_find_table_lock(&init_net, NF_ARP, get.name);
+ t = xt_find_table_lock(net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
struct xt_table_info info;
@@ -1641,10 +1647,10 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user,

switch (cmd) {
case ARPT_SO_GET_INFO:
- ret = get_info(user, len, 1);
+ ret = get_info(sk->sk_net, user, len, 1);
break;
case ARPT_SO_GET_ENTRIES:
- ret = compat_get_entries(user, len);
+ ret = compat_get_entries(sk->sk_net, user, len);
break;
default:
ret = do_arpt_get_ctl(sk, cmd, user, len);
@@ -1662,11 +1668,11 @@ static int do_arpt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned

switch (cmd) {
case ARPT_SO_SET_REPLACE:
- ret = do_replace(user, len);
+ ret = do_replace(sk->sk_net, user, len);
break;

case ARPT_SO_SET_ADD_COUNTERS:
- ret = do_add_counters(user, len, 0);
+ ret = do_add_counters(sk->sk_net, user, len, 0);
break;

default:
@@ -1686,11 +1692,11 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len

switch (cmd) {
case ARPT_SO_GET_INFO:
- ret = get_info(user, len, 0);
+ ret = get_info(sk->sk_net, user, len, 0);
break;

case ARPT_SO_GET_ENTRIES:
- ret = get_entries(user, len);
+ ret = get_entries(sk->sk_net, user, len);
break;

case ARPT_SO_GET_REVISION_TARGET: {
@@ -1719,7 +1725,8 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
return ret;
}

-struct arpt_table *arpt_register_table(struct arpt_table *table,
+struct arpt_table *arpt_register_table(struct net *net,
+ struct arpt_table *table,
const struct arpt_replace *repl)
{
int ret;
@@ -1749,7 +1756,7 @@ struct arpt_table *arpt_register_table(struct arpt_table *table,
if (ret != 0)
goto out_free;

- new_table = xt_register_table(&init_net, table, &bootstrap, newinfo);
+ new_table = xt_register_table(net, table, &bootstrap, newinfo);
if (IS_ERR(new_table)) {
ret = PTR_ERR(new_table);
goto out_free;
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index b003215..1a68860 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -91,7 +91,7 @@ static int __init arptable_filter_init(void)
int ret;

/* Register table */
- packet_filter = arpt_register_table(&__packet_filter, &initial_table.repl);
+ packet_filter = arpt_register_table(&init_net, &__packet_filter, &initial_table.repl);
if (IS_ERR(packet_filter))
return PTR_ERR(packet_filter);

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: ip_tables: propagate netns from userspace

.. all the way down to table searching functions.

Signed-off-by: Alexey Dobriyan <***@sw.ru>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 5420d0d7491f2c9bf23ad1895c48438d9a09b9e2
tree 17e3b2e308a6c16662bf7d567706cc787b9ed380
parent f4b4da65588dd50d6be047d9159315ba2909a944
author Alexey Dobriyan <***@sw.ru> Tue, 29 Jan 2008 16:21:58 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:16 +0100

net/ipv4/netfilter/ip_tables.c | 45 ++++++++++++++++++++--------------------
1 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 99dd62d..c1b80f4 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1092,7 +1092,7 @@ static int compat_table_info(const struct xt_table_info *info,
}
#endif

-static int get_info(void __user *user, int *len, int compat)
+static int get_info(struct net *net, void __user *user, int *len, int compat)
{
char name[IPT_TABLE_MAXNAMELEN];
struct xt_table *t;
@@ -1112,7 +1112,7 @@ static int get_info(void __user *user, int *len, int compat)
if (compat)
xt_compat_lock(AF_INET);
#endif
- t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET, name),
+ t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
"iptable_%s", name);
if (t && !IS_ERR(t)) {
struct ipt_getinfo info;
@@ -1152,7 +1152,7 @@ static int get_info(void __user *user, int *len, int compat)
}

static int
-get_entries(struct ipt_get_entries __user *uptr, int *len)
+get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len)
{
int ret;
struct ipt_get_entries get;
@@ -1170,7 +1170,7 @@ get_entries(struct ipt_get_entries __user *uptr, int *len)
return -EINVAL;
}

- t = xt_find_table_lock(&init_net, AF_INET, get.name);
+ t = xt_find_table_lock(net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
duprintf("t->private->number = %u\n", private->number);
@@ -1191,7 +1191,7 @@ get_entries(struct ipt_get_entries __user *uptr, int *len)
}

static int
-__do_replace(const char *name, unsigned int valid_hooks,
+__do_replace(struct net *net, const char *name, unsigned int valid_hooks,
struct xt_table_info *newinfo, unsigned int num_counters,
void __user *counters_ptr)
{
@@ -1208,7 +1208,7 @@ __do_replace(const char *name, unsigned int valid_hooks,
goto out;
}

- t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET, name),
+ t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
"iptable_%s", name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
@@ -1261,7 +1261,7 @@ __do_replace(const char *name, unsigned int valid_hooks,
}

static int
-do_replace(void __user *user, unsigned int len)
+do_replace(struct net *net, void __user *user, unsigned int len)
{
int ret;
struct ipt_replace tmp;
@@ -1295,7 +1295,7 @@ do_replace(void __user *user, unsigned int len)

duprintf("ip_tables: Translated table\n");

- ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo,
+ ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
tmp.num_counters, tmp.counters);
if (ret)
goto free_newinfo_untrans;
@@ -1331,7 +1331,7 @@ add_counter_to_entry(struct ipt_entry *e,
}

static int
-do_add_counters(void __user *user, unsigned int len, int compat)
+do_add_counters(struct net *net, void __user *user, unsigned int len, int compat)
{
unsigned int i;
struct xt_counters_info tmp;
@@ -1383,7 +1383,7 @@ do_add_counters(void __user *user, unsigned int len, int compat)
goto free;
}

- t = xt_find_table_lock(&init_net, AF_INET, name);
+ t = xt_find_table_lock(net, AF_INET, name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
goto free;
@@ -1789,7 +1789,7 @@ out_unlock:
}

static int
-compat_do_replace(void __user *user, unsigned int len)
+compat_do_replace(struct net *net, void __user *user, unsigned int len)
{
int ret;
struct compat_ipt_replace tmp;
@@ -1826,7 +1826,7 @@ compat_do_replace(void __user *user, unsigned int len)

duprintf("compat_do_replace: Translated table\n");

- ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo,
+ ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
tmp.num_counters, compat_ptr(tmp.counters));
if (ret)
goto free_newinfo_untrans;
@@ -1850,11 +1850,11 @@ compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,

switch (cmd) {
case IPT_SO_SET_REPLACE:
- ret = compat_do_replace(user, len);
+ ret = compat_do_replace(sk->sk_net, user, len);
break;

case IPT_SO_SET_ADD_COUNTERS:
- ret = do_add_counters(user, len, 1);
+ ret = do_add_counters(sk->sk_net, user, len, 1);
break;

default:
@@ -1903,7 +1903,8 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
}

static int
-compat_get_entries(struct compat_ipt_get_entries __user *uptr, int *len)
+compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
+ int *len)
{
int ret;
struct compat_ipt_get_entries get;
@@ -1924,7 +1925,7 @@ compat_get_entries(struct compat_ipt_get_entries __user *uptr, int *len)
}

xt_compat_lock(AF_INET);
- t = xt_find_table_lock(&init_net, AF_INET, get.name);
+ t = xt_find_table_lock(net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
struct xt_table_info *private = t->private;
struct xt_table_info info;
@@ -1960,10 +1961,10 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)

switch (cmd) {
case IPT_SO_GET_INFO:
- ret = get_info(user, len, 1);
+ ret = get_info(sk->sk_net, user, len, 1);
break;
case IPT_SO_GET_ENTRIES:
- ret = compat_get_entries(user, len);
+ ret = compat_get_entries(sk->sk_net, user, len);
break;
default:
ret = do_ipt_get_ctl(sk, cmd, user, len);
@@ -1982,11 +1983,11 @@ do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)

switch (cmd) {
case IPT_SO_SET_REPLACE:
- ret = do_replace(user, len);
+ ret = do_replace(sk->sk_net, user, len);
break;

case IPT_SO_SET_ADD_COUNTERS:
- ret = do_add_counters(user, len, 0);
+ ret = do_add_counters(sk->sk_net, user, len, 0);
break;

default:
@@ -2007,11 +2008,11 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)

switch (cmd) {
case IPT_SO_GET_INFO:
- ret = get_info(user, len, 0);
+ ret = get_info(sk->sk_net, user, len, 0);
break;

case IPT_SO_GET_ENTRIES:
- ret = get_entries(user, len);
+ ret = get_entries(sk->sk_net, user, len);
break;

case IPT_SO_GET_REVISION_MATCH:
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: ipt_recent: fix sparse warnings

net/ipv4/netfilter/ipt_recent.c:215:17: warning: symbol 't' shadows an earlier one
net/ipv4/netfilter/ipt_recent.c:179:22: originally declared here
net/ipv4/netfilter/ipt_recent.c:322:13: warning: context imbalance in 'recent_seq_start' - wrong count at exit
net/ipv4/netfilter/ipt_recent.c:354:13: warning: context imbalance in 'recent_seq_stop' - unexpected unlock

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 15a3018c4c11086b7dc5310aae4d1f13640fe844
tree b053ffabbb0186460955dafe935653aaf2e83e4a
parent a0b8676ce8423a544c283c59ac3d0c97e2e64b21
author Patrick McHardy <***@trash.net> Tue, 29 Jan 2008 16:22:08 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:19 +0100

net/ipv4/netfilter/ipt_recent.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index e3154a9..68cbe3c 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -212,11 +212,11 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
recent_entry_remove(t, e);
ret = !ret;
} else if (info->check_set & (IPT_RECENT_CHECK | IPT_RECENT_UPDATE)) {
- unsigned long t = jiffies - info->seconds * HZ;
+ unsigned long time = jiffies - info->seconds * HZ;
unsigned int i, hits = 0;

for (i = 0; i < e->nstamps; i++) {
- if (info->seconds && time_after(t, e->stamps[i]))
+ if (info->seconds && time_after(time, e->stamps[i]))
continue;
if (++hits >= info->hit_count) {
ret = !ret;
@@ -320,6 +320,7 @@ struct recent_iter_state {
};

static void *recent_seq_start(struct seq_file *seq, loff_t *pos)
+ __acquires(recent_lock)
{
struct recent_iter_state *st = seq->private;
const struct recent_table *t = st->table;
@@ -352,6 +353,7 @@ static void *recent_seq_next(struct seq_file *seq, void *v, loff_t *pos)
}

static void recent_seq_stop(struct seq_file *s, void *v)
+ __releases(recent_lock)
{
spin_unlock_bh(&recent_lock);
}
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_conntrack_ipv6: fix sparse warnings

CHECK net/ipv6/netfilter/nf_conntrack_reasm.c
net/ipv6/netfilter/nf_conntrack_reasm.c:77:18: warning: symbol 'nf_ct_ipv6_sysctl_table' was not declared. Should it be static?
net/ipv6/netfilter/nf_conntrack_reasm.c:586:16: warning: symbol 'nf_ct_frag6_gather' was not declared. Should it be static?
net/ipv6/netfilter/nf_conntrack_reasm.c:662:6: warning: symbol 'nf_ct_frag6_output' was not declared. Should it be static?
net/ipv6/netfilter/nf_conntrack_reasm.c:683:5: warning: symbol 'nf_ct_frag6_kfree_frags' was not declared. Should it be static?
net/ipv6/netfilter/nf_conntrack_reasm.c:698:5: warning: symbol 'nf_ct_frag6_init' was not declared. Should it be static?
net/ipv6/netfilter/nf_conntrack_reasm.c:717:6: warning: symbol 'nf_ct_frag6_cleanup' was not declared. Should it be static?

Based on patch by Stephen Hemminger with suggestions by Yasuyuki KOZAKAI.

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit ec8971e984194b97af037d06dc40a23f9581276b
tree 12aa4bdb71e3226153aa2a47d90ae168757f4e8c
parent e31ab9c086cec05ec66429e4d60a12cb60615c0e
author Patrick McHardy <***@trash.net> Tue, 29 Jan 2008 16:22:09 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:05 +0100

net/ipv6/netfilter/nf_conntrack_reasm.c | 16 +---------------
1 files changed, 1 insertions(+), 15 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 022da6c..2a0d698 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -39,6 +39,7 @@
#include <net/rawv6.h>
#include <net/ndisc.h>
#include <net/addrconf.h>
+#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
#include <linux/sysctl.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv6.h>
@@ -680,21 +681,6 @@ void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
nf_conntrack_put_reasm(skb);
}

-int nf_ct_frag6_kfree_frags(struct sk_buff *skb)
-{
- struct sk_buff *s, *s2;
-
- for (s = NFCT_FRAG6_CB(skb)->orig; s; s = s2) {
-
- s2 = s->next;
- kfree_skb(s);
- }
-
- kfree_skb(skb);
-
- return 0;
-}
-
int nf_ct_frag6_init(void)
{
nf_frags.hashfn = nf_hashfn;
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: xt_owner: allow matching UID/GID ranges

Add support for ranges to the new revision. This doesn't affect
compatibility since the new revision was not released yet.

Signed-off-by: Jan Engelhardt <***@computergmbh.de>

---
commit c1e9e8f11d30d54eb79e53ca02f0fd17a60407ef
tree 8ad98d01d79a033fd2014a2de8fbc03a00a4f2cd
parent 09a855c601cbbf240e7f127705dea74317658c45
author Jan Engelhardt <***@computergmbh.de> Tue, 29 Jan 2008 16:22:=
03 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 15:04:18 +=
0100

include/linux/netfilter/xt_owner.h | 4 ++--
net/netfilter/xt_owner.c | 14 ++++++++------
2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/include/linux/netfilter/xt_owner.h b/include/linux/netfilt=
er/xt_owner.h
index eacd34e..c84e52c 100644
--- a/include/linux/netfilter/xt_owner.h
+++ b/include/linux/netfilter/xt_owner.h
@@ -8,8 +8,8 @@ enum {
};
=20
struct xt_owner_match_info {
- u_int32_t uid;
- u_int32_t gid;
+ u_int32_t uid_min, uid_max;
+ u_int32_t gid_min, gid_max;
u_int8_t match, invert;
};
=20
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index d382f9c..9059c16 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -4,8 +4,8 @@
*
* (C) 2000 Marc Boucher <***@mbsi.ca>
*
- * Copyright =C2=A9 CC Computer Consultants GmbH, 2007
- * Contact: <***@computergmbh.de>
+ * Copyright =C2=A9 CC Computer Consultants GmbH, 2007 - 2008
+ * <***@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modif=
y
* it under the terms of the GNU General Public License version 2 as
@@ -102,13 +102,15 @@ owner_mt(const struct sk_buff *skb, const struct =
net_device *in,
(XT_OWNER_UID | XT_OWNER_GID)) =3D=3D 0;
=20
if (info->match & XT_OWNER_UID)
- if ((filp->f_uid !=3D info->uid) ^
- !!(info->invert & XT_OWNER_UID))
+ if ((filp->f_uid >=3D info->uid_min &&
+ filp->f_uid <=3D info->uid_max) ^
+ !(info->invert & XT_OWNER_UID))
return false;
=20
if (info->match & XT_OWNER_GID)
- if ((filp->f_gid !=3D info->gid) ^
- !!(info->invert & XT_OWNER_GID))
+ if ((filp->f_gid >=3D info->gid_min &&
+ filp->f_gid <=3D info->gid_max) ^
+ !(info->invert & XT_OWNER_GID))
return false;
=20
return true;
-
To unsubscribe from this list: send the line "unsubscribe netfilter-dev=
el" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: {ip,arp,ip6}_tables: fix sparse warnings in compat code

CHECK net/ipv4/netfilter/ip_tables.c
net/ipv4/netfilter/ip_tables.c:1453:8: warning: incorrect type in argument 3 (different signedness)
net/ipv4/netfilter/ip_tables.c:1453:8: expected int *size
net/ipv4/netfilter/ip_tables.c:1453:8: got unsigned int [usertype] *size
net/ipv4/netfilter/ip_tables.c:1458:44: warning: incorrect type in argument 3 (different signedness)
net/ipv4/netfilter/ip_tables.c:1458:44: expected int *size
net/ipv4/netfilter/ip_tables.c:1458:44: got unsigned int [usertype] *size
net/ipv4/netfilter/ip_tables.c:1603:2: warning: incorrect type in argument 2 (different signedness)
net/ipv4/netfilter/ip_tables.c:1603:2: expected unsigned int *i
net/ipv4/netfilter/ip_tables.c:1603:2: got int *<noident>
net/ipv4/netfilter/ip_tables.c:1627:8: warning: incorrect type in argument 3 (different signedness)
net/ipv4/netfilter/ip_tables.c:1627:8: expected int *size
net/ipv4/netfilter/ip_tables.c:1627:8: got unsigned int *size
net/ipv4/netfilter/ip_tables.c:1634:40: warning: incorrect type in argument 3 (different signedness)
net/ipv4/netfilter/ip_tables.c:1634:40: expected int *size
net/ipv4/netfilter/ip_tables.c:1634:40: got unsigned int *size
net/ipv4/netfilter/ip_tables.c:1653:8: warning: incorrect type in argument 5 (different signedness)
net/ipv4/netfilter/ip_tables.c:1653:8: expected unsigned int *i
net/ipv4/netfilter/ip_tables.c:1653:8: got int *<noident>
net/ipv4/netfilter/ip_tables.c:1666:2: warning: incorrect type in argument 2 (different signedness)
net/ipv4/netfilter/ip_tables.c:1666:2: expected unsigned int *i
net/ipv4/netfilter/ip_tables.c:1666:2: got int *<noident>
CHECK net/ipv4/netfilter/arp_tables.c
net/ipv4/netfilter/arp_tables.c:1285:40: warning: incorrect type in argument 3 (different signedness)
net/ipv4/netfilter/arp_tables.c:1285:40: expected int *size
net/ipv4/netfilter/arp_tables.c:1285:40: got unsigned int *size
net/ipv4/netfilter/arp_tables.c:1543:44: warning: incorrect type in argument 3 (different signedness)
net/ipv4/netfilter/arp_tables.c:1543:44: expected int *size
net/ipv4/netfilter/arp_tables.c:1543:44: got unsigned int [usertype] *size
CHECK net/ipv6/netfilter/ip6_tables.c
net/ipv6/netfilter/ip6_tables.c:1481:8: warning: incorrect type in argument 3 (different signedness)
net/ipv6/netfilter/ip6_tables.c:1481:8: expected int *size
net/ipv6/netfilter/ip6_tables.c:1481:8: got unsigned int [usertype] *size
net/ipv6/netfilter/ip6_tables.c:1486:44: warning: incorrect type in argument 3 (different signedness)
net/ipv6/netfilter/ip6_tables.c:1486:44: expected int *size
net/ipv6/netfilter/ip6_tables.c:1486:44: got unsigned int [usertype] *size
net/ipv6/netfilter/ip6_tables.c:1631:2: warning: incorrect type in argument 2 (different signedness)
net/ipv6/netfilter/ip6_tables.c:1631:2: expected unsigned int *i
net/ipv6/netfilter/ip6_tables.c:1631:2: got int *<noident>
net/ipv6/netfilter/ip6_tables.c:1655:8: warning: incorrect type in argument 3 (different signedness)
net/ipv6/netfilter/ip6_tables.c:1655:8: expected int *size
net/ipv6/netfilter/ip6_tables.c:1655:8: got unsigned int *size
net/ipv6/netfilter/ip6_tables.c:1662:40: warning: incorrect type in argument 3 (different signedness)
net/ipv6/netfilter/ip6_tables.c:1662:40: expected int *size
net/ipv6/netfilter/ip6_tables.c:1662:40: got unsigned int *size
net/ipv6/netfilter/ip6_tables.c:1680:8: warning: incorrect type in argument 5 (different signedness)
net/ipv6/netfilter/ip6_tables.c:1680:8: expected unsigned int *i
net/ipv6/netfilter/ip6_tables.c:1680:8: got int *<noident>
net/ipv6/netfilter/ip6_tables.c:1693:2: warning: incorrect type in argument 2 (different signedness)
net/ipv6/netfilter/ip6_tables.c:1693:2: expected unsigned int *i
net/ipv6/netfilter/ip6_tables.c:1693:2: got int *<noident>

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit e31ab9c086cec05ec66429e4d60a12cb60615c0e
tree 7d55247673a73a6c25d1264ce4974a71012361af
parent 15a3018c4c11086b7dc5310aae4d1f13640fe844
author Patrick McHardy <***@trash.net> Tue, 29 Jan 2008 16:22:08 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:02 +0100

include/linux/netfilter/x_tables.h | 8 ++++----
net/ipv4/netfilter/ip_tables.c | 10 ++++++----
net/ipv6/netfilter/ip6_tables.c | 10 ++++++----
net/netfilter/x_tables.c | 8 ++++----
4 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 91a1dd5..11eea39 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -432,15 +432,15 @@ extern short xt_compat_calc_jump(int af, unsigned int offset);

extern int xt_compat_match_offset(struct xt_match *match);
extern int xt_compat_match_from_user(struct xt_entry_match *m,
- void **dstptr, int *size);
+ void **dstptr, unsigned int *size);
extern int xt_compat_match_to_user(struct xt_entry_match *m,
- void __user **dstptr, int *size);
+ void __user **dstptr, unsigned int *size);

extern int xt_compat_target_offset(struct xt_target *target);
extern void xt_compat_target_from_user(struct xt_entry_target *t,
- void **dstptr, int *size);
+ void **dstptr, unsigned int *size);
extern int xt_compat_target_to_user(struct xt_entry_target *t,
- void __user **dstptr, int *size);
+ void __user **dstptr, unsigned int *size);

#endif /* CONFIG_COMPAT */
#endif /* __KERNEL__ */
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 427bc9b..a73afa1 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1429,7 +1429,7 @@ struct compat_ipt_replace {

static int
compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
- compat_uint_t *size, struct xt_counters *counters,
+ unsigned int *size, struct xt_counters *counters,
unsigned int *i)
{
struct ipt_entry_target *t;
@@ -1476,7 +1476,7 @@ compat_find_calc_match(struct ipt_entry_match *m,
const char *name,
const struct ipt_ip *ip,
unsigned int hookmask,
- int *size, int *i)
+ int *size, unsigned int *i)
{
struct xt_match *match;

@@ -1534,7 +1534,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
struct ipt_entry_target *t;
struct xt_target *target;
unsigned int entry_offset;
- int ret, off, h, j;
+ unsigned int j;
+ int ret, off, h;

duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
@@ -1647,7 +1648,8 @@ static int
compat_check_entry(struct ipt_entry *e, const char *name,
unsigned int *i)
{
- int j, ret;
+ unsigned int j;
+ int ret;

j = 0;
ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip,
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 6fabb73..b91738a 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1457,7 +1457,7 @@ struct compat_ip6t_replace {

static int
compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
- compat_uint_t *size, struct xt_counters *counters,
+ unsigned int *size, struct xt_counters *counters,
unsigned int *i)
{
struct ip6t_entry_target *t;
@@ -1504,7 +1504,7 @@ compat_find_calc_match(struct ip6t_entry_match *m,
const char *name,
const struct ip6t_ip6 *ipv6,
unsigned int hookmask,
- int *size, int *i)
+ int *size, unsigned int *i)
{
struct xt_match *match;

@@ -1562,7 +1562,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
struct ip6t_entry_target *t;
struct xt_target *target;
unsigned int entry_offset;
- int ret, off, h, j;
+ unsigned int j;
+ int ret, off, h;

duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0
@@ -1674,7 +1675,8 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
static int compat_check_entry(struct ip6t_entry *e, const char *name,
unsigned int *i)
{
- int j, ret;
+ unsigned int j;
+ int ret;

j = 0;
ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6,
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index d7fbb1b..cd78fc8 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -399,7 +399,7 @@ int xt_compat_match_offset(struct xt_match *match)
EXPORT_SYMBOL_GPL(xt_compat_match_offset);

int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
- int *size)
+ unsigned int *size)
{
struct xt_match *match = m->u.kernel.match;
struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
@@ -426,7 +426,7 @@ int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
EXPORT_SYMBOL_GPL(xt_compat_match_from_user);

int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr,
- int *size)
+ unsigned int *size)
{
struct xt_match *match = m->u.kernel.match;
struct compat_xt_entry_match __user *cm = *dstptr;
@@ -493,7 +493,7 @@ int xt_compat_target_offset(struct xt_target *target)
EXPORT_SYMBOL_GPL(xt_compat_target_offset);

void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
- int *size)
+ unsigned int *size)
{
struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
@@ -519,7 +519,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
EXPORT_SYMBOL_GPL(xt_compat_target_from_user);

int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr,
- int *size)
+ unsigned int *size)
{
struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target __user *ct = *dstptr;
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_nat: switch rwlock to spinlock

Since we're using RCU, all users of nf_nat_lock take a write_lock.
Switch it to a spinlock.

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 5cf331a51d8fed16e2e12142d8dc66eef5cb7bca
tree bd9226e5403ac965a26f9aa792a5951126d4c197
parent 9a797e6248868e23d468f801ec67b98a44ef689b
author Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:10 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:10 +0100

net/ipv4/netfilter/nf_nat_core.c | 26 +++++++++++++-------------
1 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index c7a985f..dd07362 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -31,7 +31,7 @@
#include <net/netfilter/nf_conntrack_l3proto.h>
#include <net/netfilter/nf_conntrack_l4proto.h>

-static DEFINE_RWLOCK(nf_nat_lock);
+static DEFINE_SPINLOCK(nf_nat_lock);

static struct nf_conntrack_l3proto *l3proto __read_mostly;

@@ -330,12 +330,12 @@ nf_nat_setup_info(struct nf_conn *ct,
unsigned int srchash;

srchash = hash_by_src(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
- write_lock_bh(&nf_nat_lock);
+ spin_lock_bh(&nf_nat_lock);
/* nf_conntrack_alter_reply might re-allocate exntension aera */
nat = nfct_nat(ct);
nat->ct = ct;
hlist_add_head_rcu(&nat->bysource, &bysource[srchash]);
- write_unlock_bh(&nf_nat_lock);
+ spin_unlock_bh(&nf_nat_lock);
}

/* It's done. */
@@ -521,14 +521,14 @@ int nf_nat_protocol_register(const struct nf_nat_protocol *proto)
{
int ret = 0;

- write_lock_bh(&nf_nat_lock);
+ spin_lock_bh(&nf_nat_lock);
if (nf_nat_protos[proto->protonum] != &nf_nat_unknown_protocol) {
ret = -EBUSY;
goto out;
}
rcu_assign_pointer(nf_nat_protos[proto->protonum], proto);
out:
- write_unlock_bh(&nf_nat_lock);
+ spin_unlock_bh(&nf_nat_lock);
return ret;
}
EXPORT_SYMBOL(nf_nat_protocol_register);
@@ -536,10 +536,10 @@ EXPORT_SYMBOL(nf_nat_protocol_register);
/* Noone stores the protocol anywhere; simply delete it. */
void nf_nat_protocol_unregister(const struct nf_nat_protocol *proto)
{
- write_lock_bh(&nf_nat_lock);
+ spin_lock_bh(&nf_nat_lock);
rcu_assign_pointer(nf_nat_protos[proto->protonum],
&nf_nat_unknown_protocol);
- write_unlock_bh(&nf_nat_lock);
+ spin_unlock_bh(&nf_nat_lock);
synchronize_rcu();
}
EXPORT_SYMBOL(nf_nat_protocol_unregister);
@@ -594,10 +594,10 @@ static void nf_nat_cleanup_conntrack(struct nf_conn *ct)

NF_CT_ASSERT(nat->ct->status & IPS_NAT_DONE_MASK);

- write_lock_bh(&nf_nat_lock);
+ spin_lock_bh(&nf_nat_lock);
hlist_del_rcu(&nat->bysource);
nat->ct = NULL;
- write_unlock_bh(&nf_nat_lock);
+ spin_unlock_bh(&nf_nat_lock);
}

static void nf_nat_move_storage(struct nf_conn *conntrack, void *old)
@@ -609,10 +609,10 @@ static void nf_nat_move_storage(struct nf_conn *conntrack, void *old)
if (!ct || !(ct->status & IPS_NAT_DONE_MASK))
return;

- write_lock_bh(&nf_nat_lock);
+ spin_lock_bh(&nf_nat_lock);
hlist_replace_rcu(&old_nat->bysource, &new_nat->bysource);
new_nat->ct = ct;
- write_unlock_bh(&nf_nat_lock);
+ spin_unlock_bh(&nf_nat_lock);
}

static struct nf_ct_ext_type nat_extend __read_mostly = {
@@ -646,13 +646,13 @@ static int __init nf_nat_init(void)
}

/* Sew in builtin protocols. */
- write_lock_bh(&nf_nat_lock);
+ spin_lock_bh(&nf_nat_lock);
for (i = 0; i < MAX_IP_NAT_PROTO; i++)
rcu_assign_pointer(nf_nat_protos[i], &nf_nat_unknown_protocol);
rcu_assign_pointer(nf_nat_protos[IPPROTO_TCP], &nf_nat_protocol_tcp);
rcu_assign_pointer(nf_nat_protos[IPPROTO_UDP], &nf_nat_protocol_udp);
rcu_assign_pointer(nf_nat_protos[IPPROTO_ICMP], &nf_nat_protocol_icmp);
- write_unlock_bh(&nf_nat_lock);
+ spin_unlock_bh(&nf_nat_lock);

/* Initialize fake conntrack so that NAT will skip it */
nf_conntrack_untracked.status |= IPS_NAT_DONE_MASK;
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_conntrack: reorder struct nf_conntrack_l4proto

Reorder struct nf_conntrack_l4proto so all members used during packet
processing are in the same cacheline.

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 7b2624034f45ce13ecfdf13847cbf7ad67bb7137
tree b723a4d976afb8853e3b619922b24004ab2bb6f7
parent 2f75544ea729329074f86020b4524179cc82c219
author Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:08 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:08 +0100

include/net/netfilter/nf_conntrack_l4proto.h | 19 +++++++++----------
1 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index fb50c21..84892cc 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -23,9 +23,6 @@ struct nf_conntrack_l4proto
/* L4 Protocol number. */
u_int8_t l4proto;

- /* Protocol name */
- const char *name;
-
/* Try to fill in the third arg: dataoff is offset past network protocol
hdr. Return true if possible. */
int (*pkt_to_tuple)(const struct sk_buff *skb,
@@ -38,13 +35,6 @@ struct nf_conntrack_l4proto
int (*invert_tuple)(struct nf_conntrack_tuple *inverse,
const struct nf_conntrack_tuple *orig);

- /* Print out the per-protocol part of the tuple. Return like seq_* */
- int (*print_tuple)(struct seq_file *s,
- const struct nf_conntrack_tuple *);
-
- /* Print out the private part of the conntrack. */
- int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
-
/* Returns verdict for packet, or -1 for invalid. */
int (*packet)(struct nf_conn *conntrack,
const struct sk_buff *skb,
@@ -65,6 +55,13 @@ struct nf_conntrack_l4proto
enum ip_conntrack_info *ctinfo,
int pf, unsigned int hooknum);

+ /* Print out the per-protocol part of the tuple. Return like seq_* */
+ int (*print_tuple)(struct seq_file *s,
+ const struct nf_conntrack_tuple *);
+
+ /* Print out the private part of the conntrack. */
+ int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
+
/* convert protoinfo to nfnetink attributes */
int (*to_nlattr)(struct sk_buff *skb, struct nlattr *nla,
const struct nf_conn *ct);
@@ -87,6 +84,8 @@ struct nf_conntrack_l4proto
struct ctl_table *ctl_compat_table;
#endif
#endif
+ /* Protocol name */
+ const char *name;

/* Module (if any) which this is connected to. */
struct module *me;
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_conntrack: avoid duplicate protocol comparison in nf_ct_tuple_equal()

nf_ct_tuple_src_equal() and nf_ct_tuple_dst_equal() both compare the protocol
numbers. Unfortunately gcc doesn't optimize out the second comparison, so
remove it and prefix both functions with __ to indicate that they should not
be used directly.

Saves another 16 byte of text in __nf_conntrack_find() on x86_64:

nf_conntrack_tuple_taken | -20 # 320 -> 300, size inlines: 181 -> 161
__nf_conntrack_find | -16 # 267 -> 251, size inlines: 127 -> 115
__nf_conntrack_confirm | -40 # 875 -> 835, size inlines: 570 -> 537
3 functions changed, 76 bytes removed

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 18fd2bf273954b4fa527e5d630049f40acc29fca
tree f2b287d7b240777464be03524e99b18cd3e4e497
parent 419fd8e88eba9f4c35fd1bdc27aaa22578f202fb
author Patrick McHardy <***@trash.net> Tue, 29 Jan 2008 16:22:14 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:08 +0100

include/net/netfilter/nf_conntrack_tuple.h | 17 ++++++++---------
1 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index 45cb17c..e69ab2e 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -132,34 +132,33 @@ struct nf_conntrack_tuple_hash

#endif /* __KERNEL__ */

-static inline int nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
- const struct nf_conntrack_tuple *t2)
+static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
+ const struct nf_conntrack_tuple *t2)
{
return (t1->src.u3.all[0] == t2->src.u3.all[0] &&
t1->src.u3.all[1] == t2->src.u3.all[1] &&
t1->src.u3.all[2] == t2->src.u3.all[2] &&
t1->src.u3.all[3] == t2->src.u3.all[3] &&
t1->src.u.all == t2->src.u.all &&
- t1->src.l3num == t2->src.l3num &&
- t1->dst.protonum == t2->dst.protonum);
+ t1->src.l3num == t2->src.l3num);
}

-static inline int nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
- const struct nf_conntrack_tuple *t2)
+static inline int __nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
+ const struct nf_conntrack_tuple *t2)
{
return (t1->dst.u3.all[0] == t2->dst.u3.all[0] &&
t1->dst.u3.all[1] == t2->dst.u3.all[1] &&
t1->dst.u3.all[2] == t2->dst.u3.all[2] &&
t1->dst.u3.all[3] == t2->dst.u3.all[3] &&
t1->dst.u.all == t2->dst.u.all &&
- t1->src.l3num == t2->src.l3num &&
t1->dst.protonum == t2->dst.protonum);
}

static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
const struct nf_conntrack_tuple *t2)
{
- return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);
+ return __nf_ct_tuple_src_equal(t1, t2) &&
+ __nf_ct_tuple_dst_equal(t1, t2);
}

static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
@@ -199,7 +198,7 @@ static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
const struct nf_conntrack_tuple_mask *mask)
{
return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
- nf_ct_tuple_dst_equal(t, tuple);
+ __nf_ct_tuple_dst_equal(t, tuple);
}

#endif /* _NF_CONNTRACK_TUPLE_H */
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_conntrack: use RCU for conntrack hash

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit b3deb266341ef2957c9386657243bfdf3480cf84
tree a0f6f7efa7464a3fd81e5bbab659ee83b1362698
parent 504ca298fd3846f894b3979666df5bf5021707ff
author Patrick McHardy <***@trash.net> Tue, 29 Jan 2008 16:22:12 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:07 +0100

include/net/netfilter/nf_conntrack.h | 2 +
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 18 ++++---
net/netfilter/nf_conntrack_core.c | 63 +++++++++++++-------
net/netfilter/nf_conntrack_netlink.c | 11 ++-
net/netfilter/nf_conntrack_standalone.c | 18 +++---
net/netfilter/xt_connlimit.c | 4 +
6 files changed, 73 insertions(+), 43 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index dada041..561ae76 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -129,6 +129,8 @@ struct nf_conn

/* Extensions */
struct nf_ct_ext *ext;
+
+ struct rcu_head rcu;
};

static inline struct nf_conn *
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 2fdcd92..0ee87ed 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -39,12 +39,14 @@ struct ct_iter_state {
static struct hlist_node *ct_get_first(struct seq_file *seq)
{
struct ct_iter_state *st = seq->private;
+ struct hlist_node *n;

for (st->bucket = 0;
st->bucket < nf_conntrack_htable_size;
st->bucket++) {
- if (!hlist_empty(&nf_conntrack_hash[st->bucket]))
- return nf_conntrack_hash[st->bucket].first;
+ n = rcu_dereference(nf_conntrack_hash[st->bucket].first);
+ if (n)
+ return n;
}
return NULL;
}
@@ -54,11 +56,11 @@ static struct hlist_node *ct_get_next(struct seq_file *seq,
{
struct ct_iter_state *st = seq->private;

- head = head->next;
+ head = rcu_dereference(head->next);
while (head == NULL) {
if (++st->bucket >= nf_conntrack_htable_size)
return NULL;
- head = nf_conntrack_hash[st->bucket].first;
+ head = rcu_dereference(nf_conntrack_hash[st->bucket].first);
}
return head;
}
@@ -74,8 +76,9 @@ static struct hlist_node *ct_get_idx(struct seq_file *seq, loff_t pos)
}

static void *ct_seq_start(struct seq_file *seq, loff_t *pos)
+ __acquires(RCU)
{
- read_lock_bh(&nf_conntrack_lock);
+ rcu_read_lock();
return ct_get_idx(seq, *pos);
}

@@ -86,8 +89,9 @@ static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos)
}

static void ct_seq_stop(struct seq_file *s, void *v)
+ __releases(RCU)
{
- read_unlock_bh(&nf_conntrack_lock);
+ rcu_read_unlock();
}

static int ct_seq_show(struct seq_file *s, void *v)
@@ -226,6 +230,7 @@ static struct hlist_node *ct_expect_get_idx(struct seq_file *seq, loff_t pos)
}

static void *exp_seq_start(struct seq_file *seq, loff_t *pos)
+ __acquires(RCU)
{
rcu_read_lock();
return ct_expect_get_idx(seq, *pos);
@@ -238,6 +243,7 @@ static void *exp_seq_next(struct seq_file *seq, void *v, loff_t *pos)
}

static void exp_seq_stop(struct seq_file *seq, void *v)
+ __releases(RCU)
{
rcu_read_unlock();
}
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 1025607..a54bfec 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -166,8 +166,8 @@ static void
clean_from_lists(struct nf_conn *ct)
{
pr_debug("clean_from_lists(%p)\n", ct);
- hlist_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode);
- hlist_del(&ct->tuplehash[IP_CT_DIR_REPLY].hnode);
+ hlist_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode);
+ hlist_del_rcu(&ct->tuplehash[IP_CT_DIR_REPLY].hnode);

/* Destroy all pending expectations */
nf_ct_remove_expectations(ct);
@@ -253,7 +253,7 @@ __nf_conntrack_find(const struct nf_conntrack_tuple *tuple,
struct hlist_node *n;
unsigned int hash = hash_conntrack(tuple);

- hlist_for_each_entry(h, n, &nf_conntrack_hash[hash], hnode) {
+ hlist_for_each_entry_rcu(h, n, &nf_conntrack_hash[hash], hnode) {
if (nf_ct_tuplehash_to_ctrack(h) != ignored_conntrack &&
nf_ct_tuple_equal(tuple, &h->tuple)) {
NF_CT_STAT_INC(found);
@@ -271,12 +271,16 @@ struct nf_conntrack_tuple_hash *
nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple)
{
struct nf_conntrack_tuple_hash *h;
+ struct nf_conn *ct;

- read_lock_bh(&nf_conntrack_lock);
+ rcu_read_lock();
h = __nf_conntrack_find(tuple, NULL);
- if (h)
- atomic_inc(&nf_ct_tuplehash_to_ctrack(h)->ct_general.use);
- read_unlock_bh(&nf_conntrack_lock);
+ if (h) {
+ ct = nf_ct_tuplehash_to_ctrack(h);
+ if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
+ h = NULL;
+ }
+ rcu_read_unlock();

return h;
}
@@ -286,10 +290,10 @@ static void __nf_conntrack_hash_insert(struct nf_conn *ct,
unsigned int hash,
unsigned int repl_hash)
{
- hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode,
- &nf_conntrack_hash[hash]);
- hlist_add_head(&ct->tuplehash[IP_CT_DIR_REPLY].hnode,
- &nf_conntrack_hash[repl_hash]);
+ hlist_add_head_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode,
+ &nf_conntrack_hash[hash]);
+ hlist_add_head_rcu(&ct->tuplehash[IP_CT_DIR_REPLY].hnode,
+ &nf_conntrack_hash[repl_hash]);
}

void nf_conntrack_hash_insert(struct nf_conn *ct)
@@ -392,9 +396,9 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
{
struct nf_conntrack_tuple_hash *h;

- read_lock_bh(&nf_conntrack_lock);
+ rcu_read_lock();
h = __nf_conntrack_find(tuple, ignored_conntrack);
- read_unlock_bh(&nf_conntrack_lock);
+ rcu_read_unlock();

return h != NULL;
}
@@ -413,21 +417,23 @@ static int early_drop(unsigned int hash)
unsigned int i, cnt = 0;
int dropped = 0;

- read_lock_bh(&nf_conntrack_lock);
+ rcu_read_lock();
for (i = 0; i < nf_conntrack_htable_size; i++) {
- hlist_for_each_entry(h, n, &nf_conntrack_hash[hash], hnode) {
+ hlist_for_each_entry_rcu(h, n, &nf_conntrack_hash[hash],
+ hnode) {
tmp = nf_ct_tuplehash_to_ctrack(h);
if (!test_bit(IPS_ASSURED_BIT, &tmp->status))
ct = tmp;
cnt++;
}
+
+ if (ct && unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
+ ct = NULL;
if (ct || cnt >= NF_CT_EVICTION_RANGE)
break;
hash = (hash + 1) % nf_conntrack_htable_size;
}
- if (ct)
- atomic_inc(&ct->ct_general.use);
- read_unlock_bh(&nf_conntrack_lock);
+ rcu_read_unlock();

if (!ct)
return dropped;
@@ -480,17 +486,25 @@ struct nf_conn *nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
/* Don't set timer yet: wait for confirmation */
setup_timer(&conntrack->timeout, death_by_timeout,
(unsigned long)conntrack);
+ INIT_RCU_HEAD(&conntrack->rcu);

return conntrack;
}
EXPORT_SYMBOL_GPL(nf_conntrack_alloc);

-void nf_conntrack_free(struct nf_conn *conntrack)
+static void nf_conntrack_free_rcu(struct rcu_head *head)
{
- nf_ct_ext_free(conntrack);
- kmem_cache_free(nf_conntrack_cachep, conntrack);
+ struct nf_conn *ct = container_of(head, struct nf_conn, rcu);
+
+ nf_ct_ext_free(ct);
+ kmem_cache_free(nf_conntrack_cachep, ct);
atomic_dec(&nf_conntrack_count);
}
+
+void nf_conntrack_free(struct nf_conn *conntrack)
+{
+ call_rcu(&conntrack->rcu, nf_conntrack_free_rcu);
+}
EXPORT_SYMBOL_GPL(nf_conntrack_free);

/* Allocate a new conntrack: we return -ENOMEM if classification
@@ -1036,12 +1050,17 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
* use a newrandom seed */
get_random_bytes(&rnd, 4);

+ /* Lookups in the old hash might happen in parallel, which means we
+ * might get false negatives during connection lookup. New connections
+ * created because of a false negative won't make it into the hash
+ * though since that required taking the lock.
+ */
write_lock_bh(&nf_conntrack_lock);
for (i = 0; i < nf_conntrack_htable_size; i++) {
while (!hlist_empty(&nf_conntrack_hash[i])) {
h = hlist_entry(nf_conntrack_hash[i].first,
struct nf_conntrack_tuple_hash, hnode);
- hlist_del(&h->hnode);
+ hlist_del_rcu(&h->hnode);
bucket = __hash_conntrack(&h->tuple, hashsize, rnd);
hlist_add_head(&h->hnode, &hash[bucket]);
}
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 557f471..b701dcc 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -545,12 +545,12 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh);
u_int8_t l3proto = nfmsg->nfgen_family;

- read_lock_bh(&nf_conntrack_lock);
+ rcu_read_lock();
last = (struct nf_conn *)cb->args[1];
for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
restart:
- hlist_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
- hnode) {
+ hlist_for_each_entry_rcu(h, n, &nf_conntrack_hash[cb->args[0]],
+ hnode) {
if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
continue;
ct = nf_ct_tuplehash_to_ctrack(h);
@@ -568,7 +568,8 @@ restart:
cb->nlh->nlmsg_seq,
IPCTNL_MSG_CT_NEW,
1, ct) < 0) {
- nf_conntrack_get(&ct->ct_general);
+ if (!atomic_inc_not_zero(&ct->ct_general.use))
+ continue;
cb->args[1] = (unsigned long)ct;
goto out;
}
@@ -584,7 +585,7 @@ restart:
}
}
out:
- read_unlock_bh(&nf_conntrack_lock);
+ rcu_read_unlock();
if (last)
nf_ct_put(last);

diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 28c5ae8..98f0cd3 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -58,12 +58,14 @@ struct ct_iter_state {
static struct hlist_node *ct_get_first(struct seq_file *seq)
{
struct ct_iter_state *st = seq->private;
+ struct hlist_node *n;

for (st->bucket = 0;
st->bucket < nf_conntrack_htable_size;
st->bucket++) {
- if (!hlist_empty(&nf_conntrack_hash[st->bucket]))
- return nf_conntrack_hash[st->bucket].first;
+ n = rcu_dereference(nf_conntrack_hash[st->bucket].first);
+ if (n)
+ return n;
}
return NULL;
}
@@ -73,11 +75,11 @@ static struct hlist_node *ct_get_next(struct seq_file *seq,
{
struct ct_iter_state *st = seq->private;

- head = head->next;
+ head = rcu_dereference(head->next);
while (head == NULL) {
if (++st->bucket >= nf_conntrack_htable_size)
return NULL;
- head = nf_conntrack_hash[st->bucket].first;
+ head = rcu_dereference(nf_conntrack_hash[st->bucket].first);
}
return head;
}
@@ -93,9 +95,9 @@ static struct hlist_node *ct_get_idx(struct seq_file *seq, loff_t pos)
}

static void *ct_seq_start(struct seq_file *seq, loff_t *pos)
- __acquires(nf_conntrack_lock)
+ __acquires(RCU)
{
- read_lock_bh(&nf_conntrack_lock);
+ rcu_read_lock();
return ct_get_idx(seq, *pos);
}

@@ -106,9 +108,9 @@ static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos)
}

static void ct_seq_stop(struct seq_file *s, void *v)
- __releases(nf_conntrack_lock)
+ __releases(RCU)
{
- read_unlock_bh(&nf_conntrack_lock);
+ rcu_read_unlock();
}

/* return 0 on success, 1 in case of error */
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index e00ecd9..f9b59a6 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -120,7 +120,7 @@ static int count_them(struct xt_connlimit_data *data,
else
hash = &data->iphash[connlimit_iphash(addr->ip & mask->ip)];

- read_lock_bh(&nf_conntrack_lock);
+ rcu_read_lock();

/* check the saved connections */
list_for_each_entry_safe(conn, tmp, hash, list) {
@@ -163,7 +163,7 @@ static int count_them(struct xt_connlimit_data *data,
++matches;
}

- read_unlock_bh(&nf_conntrack_lock);
+ rcu_read_unlock();

if (addit) {
/* save the new connection in our list */
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_conntrack: optimize __nf_conntrack_find()

Ignoring specific entries in __nf_conntrack_find() is only needed by NAT
for nf_conntrack_tuple_taken(). Remove it from __nf_conntrack_find()
and make nf_conntrack_tuple_taken() search the hash itself.

Saves 54 bytes of text in the hotpath on x86_64:

__nf_conntrack_find | -54 # 321 -> 267, # inlines: 3 -> 2, size inlines: 181 -> 127
nf_conntrack_tuple_taken | +305 # 15 -> 320, lexblocks: 0 -> 3, # inlines: 0 -> 3, size inlines: 0 -> 181
nf_conntrack_find_get | -2 # 90 -> 88
3 functions changed, 305 bytes added, 56 bytes removed, diff: +249

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 419fd8e88eba9f4c35fd1bdc27aaa22578f202fb
tree a1a0c6ac4b3543a127ee27cad47d5b4aa77862ec
parent 0d9d7643b39dae81d0b16b54365d7985a278227f
author Patrick McHardy <***@trash.net> Tue, 29 Jan 2008 16:22:13 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:07 +0100

include/net/netfilter/nf_conntrack.h | 3 +--
net/netfilter/nf_conntrack_core.c | 22 +++++++++++++++-------
net/netfilter/nf_conntrack_netlink.c | 6 +++---
net/netfilter/xt_connlimit.c | 2 +-
4 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 561ae76..14e0cc8 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -178,8 +178,7 @@ extern void nf_ct_free_hashtable(struct hlist_head *hash, int vmalloced,
unsigned int size);

extern struct nf_conntrack_tuple_hash *
-__nf_conntrack_find(const struct nf_conntrack_tuple *tuple,
- const struct nf_conn *ignored_conntrack);
+__nf_conntrack_find(const struct nf_conntrack_tuple *tuple);

extern void nf_conntrack_hash_insert(struct nf_conn *ct);

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index f284ddd..ce4c4ba 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -246,16 +246,14 @@ static void death_by_timeout(unsigned long ul_conntrack)
}

struct nf_conntrack_tuple_hash *
-__nf_conntrack_find(const struct nf_conntrack_tuple *tuple,
- const struct nf_conn *ignored_conntrack)
+__nf_conntrack_find(const struct nf_conntrack_tuple *tuple)
{
struct nf_conntrack_tuple_hash *h;
struct hlist_node *n;
unsigned int hash = hash_conntrack(tuple);

hlist_for_each_entry_rcu(h, n, &nf_conntrack_hash[hash], hnode) {
- if (nf_ct_tuplehash_to_ctrack(h) != ignored_conntrack &&
- nf_ct_tuple_equal(tuple, &h->tuple)) {
+ if (nf_ct_tuple_equal(tuple, &h->tuple)) {
NF_CT_STAT_INC(found);
return h;
}
@@ -274,7 +272,7 @@ nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple)
struct nf_conn *ct;

rcu_read_lock();
- h = __nf_conntrack_find(tuple, NULL);
+ h = __nf_conntrack_find(tuple);
if (h) {
ct = nf_ct_tuplehash_to_ctrack(h);
if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
@@ -395,12 +393,22 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
const struct nf_conn *ignored_conntrack)
{
struct nf_conntrack_tuple_hash *h;
+ struct hlist_node *n;
+ unsigned int hash = hash_conntrack(tuple);

rcu_read_lock();
- h = __nf_conntrack_find(tuple, ignored_conntrack);
+ hlist_for_each_entry_rcu(h, n, &nf_conntrack_hash[hash], hnode) {
+ if (nf_ct_tuplehash_to_ctrack(h) != ignored_conntrack &&
+ nf_ct_tuple_equal(tuple, &h->tuple)) {
+ NF_CT_STAT_INC(found);
+ rcu_read_unlock();
+ return 1;
+ }
+ NF_CT_STAT_INC(searched);
+ }
rcu_read_unlock();

- return h != NULL;
+ return 0;
}
EXPORT_SYMBOL_GPL(nf_conntrack_tuple_taken);

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index b6a8c08..bf86fdd 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1222,9 +1222,9 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,

spin_lock_bh(&nf_conntrack_lock);
if (cda[CTA_TUPLE_ORIG])
- h = __nf_conntrack_find(&otuple, NULL);
+ h = __nf_conntrack_find(&otuple);
else if (cda[CTA_TUPLE_REPLY])
- h = __nf_conntrack_find(&rtuple, NULL);
+ h = __nf_conntrack_find(&rtuple);

if (h == NULL) {
struct nf_conntrack_tuple master;
@@ -1239,7 +1239,7 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
if (err < 0)
goto out_unlock;

- master_h = __nf_conntrack_find(&master, NULL);
+ master_h = __nf_conntrack_find(&master);
if (master_h == NULL) {
err = -ENOENT;
goto out_unlock;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index f9b59a6..3b01119 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -124,7 +124,7 @@ static int count_them(struct xt_connlimit_data *data,

/* check the saved connections */
list_for_each_entry_safe(conn, tmp, hash, list) {
- found = __nf_conntrack_find(&conn->tuple, NULL);
+ found = __nf_conntrack_find(&conn->tuple);
found_ct = NULL;

if (found != NULL)
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_conntrack_netlink: transmit mark during all events

The following feature was submitted some months ago. It forces the dump
of mark during the connection destruction event. The induced load is
quiet small and the patch is usefull to provide an easy way to filter
event on user side without having to keep an hash in userspace.

Signed-off-by: Eric Leblond <***@inl.fr>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 8bf50a16334291fa18d090ad11221e802327b26f
tree 41e125cf8230f6ffd0cc8f94679247e82c2c57c4
parent bc81193022f55c5cc719728b1bdf67648054bce6
author Eric Leblond <***@inl.fr> Tue, 29 Jan 2008 16:22:16 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:11 +0100

net/netfilter/nf_conntrack_netlink.c | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index bf86fdd..4a1b42b 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -491,11 +491,6 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
&& ctnetlink_dump_helpinfo(skb, ct) < 0)
goto nla_put_failure;

-#ifdef CONFIG_NF_CONNTRACK_MARK
- if ((events & IPCT_MARK || ct->mark)
- && ctnetlink_dump_mark(skb, ct) < 0)
- goto nla_put_failure;
-#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
if ((events & IPCT_SECMARK || ct->secmark)
&& ctnetlink_dump_secmark(skb, ct) < 0)
@@ -516,6 +511,12 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
goto nla_put_failure;
}

+#ifdef CONFIG_NF_CONNTRACK_MARK
+ if ((events & IPCT_MARK || ct->mark)
+ && ctnetlink_dump_mark(skb, ct) < 0)
+ goto nla_put_failure;
+#endif
+
nlh->nlmsg_len = skb->tail - b;
nfnetlink_send(skb, 0, group, 0);
return NOTIFY_DONE;
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_conntrack: kill unused static inline (do_iter)

Signed-off-by: Ilpo J=E4rvinen <***@helsinki.fi>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 589cbc737eef0c619fc75c099063861ec7540ec7
tree aec04a71a3720e1c37f8620f07b12e9e33e77ffa
parent da5a0452866ad6f4a4967f31d5d5854d9f481e33
author Ilpo J=E4rvinen <***@helsinki.fi> Tue, 29 Jan 2008 16:=
22:17 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:12 +=
0100

net/netfilter/nf_conntrack_core.c | 8 --------
1 files changed, 0 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_connt=
rack_core.c
index 0db7d1d..2392234 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -902,14 +902,6 @@ static void nf_conntrack_attach(struct sk_buff *ns=
kb, struct sk_buff *skb)
nf_conntrack_get(nskb->nfct);
}
=20
-static inline int
-do_iter(const struct nf_conntrack_tuple_hash *i,
- int (*iter)(struct nf_conn *i, void *data),
- void *data)
-{
- return iter(nf_ct_tuplehash_to_ctrack(i), data);
-}
-
/* Bring out ya dead! */
static struct nf_conn *
get_next_corpse(int (*iter)(struct nf_conn *i, void *data),
-
To unsubscribe from this list: send the line "unsubscribe netfilter-dev=
el" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: x_tables: netns propagation for /proc/net/*_tables_names

Propagate netns together with AF down to ->start/->next/->stop
iterators. Choose table based on netns and AF for showing.

Signed-off-by: Alexey Dobriyan <***@sw.ru>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 513f43dcb3326e0f5273191d368a17585e865afc
tree 33e9aa9f7a1a993512840fc84708167ac9d62cf6
parent 738a61f2bcd7ded174cdac25f330e7bb1e3fb2c5
author Alexey Dobriyan <***@sw.ru> Wed, 30 Jan 2008 21:03:13 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:13 +0100

net/netfilter/x_tables.c | 31 +++++++++++++++++++------------
1 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 89e322d..12ed64c 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -720,27 +720,33 @@ void *xt_unregister_table(struct xt_table *table)
EXPORT_SYMBOL_GPL(xt_unregister_table);

#ifdef CONFIG_PROC_FS
+struct xt_names_priv {
+ struct seq_net_private p;
+ int af;
+};
static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos)
{
- struct proc_dir_entry *pde = (struct proc_dir_entry *)seq->private;
- u_int16_t af = (unsigned long)pde->data;
+ struct xt_names_priv *priv = seq->private;
+ struct net *net = priv->p.net;
+ int af = priv->af;

mutex_lock(&xt[af].mutex);
- return seq_list_start(&init_net.xt.tables[af], *pos);
+ return seq_list_start(&net->xt.tables[af], *pos);
}

static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
- struct proc_dir_entry *pde = (struct proc_dir_entry *)seq->private;
- u_int16_t af = (unsigned long)pde->data;
+ struct xt_names_priv *priv = seq->private;
+ struct net *net = priv->p.net;
+ int af = priv->af;

- return seq_list_next(v, &init_net.xt.tables[af], pos);
+ return seq_list_next(v, &net->xt.tables[af], pos);
}

static void xt_table_seq_stop(struct seq_file *seq, void *v)
{
- struct proc_dir_entry *pde = seq->private;
- u_int16_t af = (unsigned long)pde->data;
+ struct xt_names_priv *priv = seq->private;
+ int af = priv->af;

mutex_unlock(&xt[af].mutex);
}
@@ -765,12 +771,13 @@ static const struct seq_operations xt_table_seq_ops = {
static int xt_table_open(struct inode *inode, struct file *file)
{
int ret;
+ struct xt_names_priv *priv;

- ret = seq_open(file, &xt_table_seq_ops);
+ ret = seq_open_net(inode, file, &xt_table_seq_ops,
+ sizeof(struct xt_names_priv));
if (!ret) {
- struct seq_file *seq = file->private_data;
-
- seq->private = PDE(inode);
+ priv = ((struct seq_file *)file->private_data)->private;
+ priv->af = (unsigned long)PDE(inode)->data;
}
return ret;
}
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_{conntrack,nat}_proto_gre: annotate with const

Signed-off-by: Jan Engelhardt <***@computergmbh.de>
Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 0d18e97268fb631100b6b7689ac1b75426463d0c
tree ed5370f3ae3ceb58b0963ffc83f9b17f3fa8ff78
parent 605ba346a8a54fc3c2a6d846a345d4d6c3cd5642
author Jan Engelhardt <***@computergmbh.de> Wed, 30 Jan 2008 21:03:17 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:17 +0100

net/ipv4/netfilter/nf_nat_proto_gre.c | 2 +-
net/netfilter/nf_conntrack_proto_gre.c | 6 ++++--
2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_proto_gre.c b/net/ipv4/netfilter/nf_nat_proto_gre.c
index b887ebb..a1e4da1 100644
--- a/net/ipv4/netfilter/nf_nat_proto_gre.c
+++ b/net/ipv4/netfilter/nf_nat_proto_gre.c
@@ -104,7 +104,7 @@ gre_manip_pkt(struct sk_buff *skb, unsigned int iphdroff,
{
struct gre_hdr *greh;
struct gre_hdr_pptp *pgreh;
- struct iphdr *iph = (struct iphdr *)(skb->data + iphdroff);
+ const struct iphdr *iph = (struct iphdr *)(skb->data + iphdroff);
unsigned int hdroff = iphdroff + iph->ihl * 4;

/* pgreh includes two optional 32bit fields which are not required
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index 4a185f6..e10024a 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -161,9 +161,11 @@ static int gre_pkt_to_tuple(const struct sk_buff *skb,
unsigned int dataoff,
struct nf_conntrack_tuple *tuple)
{
- struct gre_hdr_pptp _pgrehdr, *pgrehdr;
+ const struct gre_hdr_pptp *pgrehdr;
+ struct gre_hdr_pptp _pgrehdr;
__be16 srckey;
- struct gre_hdr _grehdr, *grehdr;
+ const struct gre_hdr *grehdr;
+ struct gre_hdr _grehdr;

/* first only delinearize old RFC1701 GRE header */
grehdr = skb_header_pointer(skb, dataoff, sizeof(_grehdr), &_grehdr);
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[NETFILTER]: nf_conntrack: optimize hash_conntrack()

Avoid calling jhash three times and hash the entire tuple in one go.

__hash_conntrack | -485 # 760 -> 275, # inlines: 3 -> 1, size inlines: 717 -> 252
1 function changed, 485 bytes removed

Signed-off-by: Patrick McHardy <***@trash.net>

---
commit 2f75544ea729329074f86020b4524179cc82c219
tree e4dc132f189625ad5bd28e043e348f0deb825c47
parent 18fd2bf273954b4fa527e5d630049f40acc29fca
author Patrick McHardy <***@trash.net> Tue, 29 Jan 2008 16:22:15 +0100
committer Patrick McHardy <***@trash.net> Wed, 30 Jan 2008 21:03:08 +0100

net/netfilter/nf_conntrack_core.c | 18 +++++++++++-------
1 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index ce4c4ba..24a0863 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -73,15 +73,19 @@ static unsigned int nf_conntrack_hash_rnd;
static u_int32_t __hash_conntrack(const struct nf_conntrack_tuple *tuple,
unsigned int size, unsigned int rnd)
{
- unsigned int a, b;
+ unsigned int n;
+ u_int32_t h;

- a = jhash2(tuple->src.u3.all, ARRAY_SIZE(tuple->src.u3.all),
- (tuple->src.l3num << 16) | tuple->dst.protonum);
- b = jhash2(tuple->dst.u3.all, ARRAY_SIZE(tuple->dst.u3.all),
- ((__force __u16)tuple->src.u.all << 16) |
- (__force __u16)tuple->dst.u.all);
+ /* The direction must be ignored, so we hash everything up to the
+ * destination ports (which is a multiple of 4) and treat the last
+ * three bytes manually.
+ */
+ n = (sizeof(tuple->src) + sizeof(tuple->dst.u3)) / sizeof(u32);
+ h = jhash2((u32 *)tuple, n,
+ rnd ^ (((__force __u16)tuple->dst.u.all << 16) |
+ tuple->dst.protonum));

- return ((u64)jhash_2words(a, b, rnd) * size) >> 32;
+ return ((u64)h * size) >> 32;
}

static inline u_int32_t hash_conntrack(const struct nf_conntrack_tuple *tuple)
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html