Commit 1610a73c authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: kill NF_HOOK_THRESH() and state->tresh

Patch c5136b15 ("netfilter: bridge: add and use br_nf_hook_thresh")
introduced br_nf_hook_thresh().

Replace NF_HOOK_THRESH() by br_nf_hook_thresh from
br_nf_forward_finish(), so we have no more callers for this macro.

As a result, state->thresh and the explicit thresh parameter in the hook
state structure are not required anymore. We can also get rid of the
skip-hook-under-thresh loop in nf_iterate() in the core path, which is
only used by br_netfilter to search for the filter hook.
Suggested-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent d2be66f6
...@@ -49,7 +49,6 @@ struct sock; ...@@ -49,7 +49,6 @@ struct sock;
struct nf_hook_state { struct nf_hook_state {
unsigned int hook; unsigned int hook;
int thresh;
u_int8_t pf; u_int8_t pf;
struct net_device *in; struct net_device *in;
struct net_device *out; struct net_device *out;
...@@ -84,7 +83,7 @@ struct nf_hook_entry { ...@@ -84,7 +83,7 @@ struct nf_hook_entry {
static inline void nf_hook_state_init(struct nf_hook_state *p, static inline void nf_hook_state_init(struct nf_hook_state *p,
struct nf_hook_entry *hook_entry, struct nf_hook_entry *hook_entry,
unsigned int hook, unsigned int hook,
int thresh, u_int8_t pf, u_int8_t pf,
struct net_device *indev, struct net_device *indev,
struct net_device *outdev, struct net_device *outdev,
struct sock *sk, struct sock *sk,
...@@ -92,7 +91,6 @@ static inline void nf_hook_state_init(struct nf_hook_state *p, ...@@ -92,7 +91,6 @@ static inline void nf_hook_state_init(struct nf_hook_state *p,
int (*okfn)(struct net *, struct sock *, struct sk_buff *)) int (*okfn)(struct net *, struct sock *, struct sk_buff *))
{ {
p->hook = hook; p->hook = hook;
p->thresh = thresh;
p->pf = pf; p->pf = pf;
p->in = indev; p->in = indev;
p->out = outdev; p->out = outdev;
...@@ -155,20 +153,16 @@ extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; ...@@ -155,20 +153,16 @@ extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state); int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state);
/** /**
* nf_hook_thresh - call a netfilter hook * nf_hook - call a netfilter hook
* *
* Returns 1 if the hook has allowed the packet to pass. The function * Returns 1 if the hook has allowed the packet to pass. The function
* okfn must be invoked by the caller in this case. Any other return * okfn must be invoked by the caller in this case. Any other return
* value indicates the packet has been consumed by the hook. * value indicates the packet has been consumed by the hook.
*/ */
static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
struct net *net, struct sock *sk, struct sk_buff *skb,
struct sock *sk, struct net_device *indev, struct net_device *outdev,
struct sk_buff *skb, int (*okfn)(struct net *, struct sock *, struct sk_buff *))
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct net *, struct sock *, struct sk_buff *),
int thresh)
{ {
struct nf_hook_entry *hook_head; struct nf_hook_entry *hook_head;
int ret = 1; int ret = 1;
...@@ -185,8 +179,8 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, ...@@ -185,8 +179,8 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
if (hook_head) { if (hook_head) {
struct nf_hook_state state; struct nf_hook_state state;
nf_hook_state_init(&state, hook_head, hook, thresh, nf_hook_state_init(&state, hook_head, hook, pf, indev, outdev,
pf, indev, outdev, sk, net, okfn); sk, net, okfn);
ret = nf_hook_slow(skb, &state); ret = nf_hook_slow(skb, &state);
} }
...@@ -195,14 +189,6 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, ...@@ -195,14 +189,6 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
return ret; return ret;
} }
static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
struct sock *sk, struct sk_buff *skb,
struct net_device *indev, struct net_device *outdev,
int (*okfn)(struct net *, struct sock *, struct sk_buff *))
{
return nf_hook_thresh(pf, hook, net, sk, skb, indev, outdev, okfn, INT_MIN);
}
/* Activate hook; either okfn or kfree_skb called, unless a hook /* Activate hook; either okfn or kfree_skb called, unless a hook
returns NF_STOLEN (in which case, it's up to the hook to deal with returns NF_STOLEN (in which case, it's up to the hook to deal with
the consequences). the consequences).
...@@ -220,19 +206,6 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net, ...@@ -220,19 +206,6 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
coders :) coders :)
*/ */
static inline int
NF_HOOK_THRESH(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
struct sk_buff *skb, struct net_device *in,
struct net_device *out,
int (*okfn)(struct net *, struct sock *, struct sk_buff *),
int thresh)
{
int ret = nf_hook_thresh(pf, hook, net, sk, skb, in, out, okfn, thresh);
if (ret == 1)
ret = okfn(net, sk, skb);
return ret;
}
static inline int static inline int
NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
struct sk_buff *skb, struct net_device *in, struct net_device *out, struct sk_buff *skb, struct net_device *in, struct net_device *out,
...@@ -242,7 +215,7 @@ NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, ...@@ -242,7 +215,7 @@ NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
int ret; int ret;
if (!cond || if (!cond ||
((ret = nf_hook_thresh(pf, hook, net, sk, skb, in, out, okfn, INT_MIN)) == 1)) ((ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn)) == 1))
ret = okfn(net, sk, skb); ret = okfn(net, sk, skb);
return ret; return ret;
} }
...@@ -252,7 +225,10 @@ NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct ...@@ -252,7 +225,10 @@ NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct
struct net_device *in, struct net_device *out, struct net_device *in, struct net_device *out,
int (*okfn)(struct net *, struct sock *, struct sk_buff *)) int (*okfn)(struct net *, struct sock *, struct sk_buff *))
{ {
return NF_HOOK_THRESH(pf, hook, net, sk, skb, in, out, okfn, INT_MIN); int ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn);
if (ret == 1)
ret = okfn(net, sk, skb);
return ret;
} }
/* Call setsockopt() */ /* Call setsockopt() */
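Review bot: NF_HOOK() now open-codes the same `if (ret == 1) ret = okfn(net, sk, skb);` tail that NF_HOOK_COND() has a few lines above, so the rule "1 means the caller runs okfn, anything else means the skb is already consumed" lives in two places. Keeping it in one place lowers the chance that the copies drift apart and a consumed skb gets passed to okfn. Assuming cond is the trailing parameter of NF_HOOK_COND() (its full signature is cut off by the hunk boundary), the body could be `return NF_HOOK_COND(pf, hook, net, sk, skb, in, out, okfn, true);`. If the duplication is deliberate, a one-line comment on NF_HOOK() saying so would help.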
......
...@@ -26,7 +26,7 @@ static inline int nf_hook_ingress(struct sk_buff *skb) ...@@ -26,7 +26,7 @@ static inline int nf_hook_ingress(struct sk_buff *skb)
if (unlikely(!e)) if (unlikely(!e))
return 0; return 0;
nf_hook_state_init(&state, e, NF_NETDEV_INGRESS, INT_MIN, nf_hook_state_init(&state, e, NF_NETDEV_INGRESS,
NFPROTO_NETDEV, skb->dev, NULL, NULL, NFPROTO_NETDEV, skb->dev, NULL, NULL,
dev_net(skb->dev), NULL); dev_net(skb->dev), NULL);
return nf_hook_slow(skb, &state); return nf_hook_slow(skb, &state);
......
...@@ -561,8 +561,8 @@ static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff ...@@ -561,8 +561,8 @@ static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff
} }
nf_bridge_push_encap_header(skb); nf_bridge_push_encap_header(skb);
NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, net, sk, skb, br_nf_hook_thresh(NF_BR_FORWARD, net, sk, skb, in, skb->dev,
in, skb->dev, br_forward_finish, 1); br_forward_finish);
return 0; return 0;
} }
...@@ -1016,8 +1016,8 @@ int br_nf_hook_thresh(unsigned int hook, struct net *net, ...@@ -1016,8 +1016,8 @@ int br_nf_hook_thresh(unsigned int hook, struct net *net,
/* We may already have this, but read-locks nest anyway */ /* We may already have this, but read-locks nest anyway */
rcu_read_lock(); rcu_read_lock();
nf_hook_state_init(&state, elem, hook, NF_BR_PRI_BRNF + 1, nf_hook_state_init(&state, elem, hook, NFPROTO_BRIDGE, indev, outdev,
NFPROTO_BRIDGE, indev, outdev, sk, net, okfn); sk, net, okfn);
ret = nf_hook_slow(skb, &state); ret = nf_hook_slow(skb, &state);
rcu_read_unlock(); rcu_read_unlock();
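Review bot: In br_nf_hook_thresh() the state no longer carries `NF_BR_PRI_BRNF + 1`, so skipping br_netfilter's own hook now depends entirely on how `elem` was chosen before the `rcu_read_lock()` line, which is outside this hunk. A comment above nf_hook_state_init() would make that dependency explicit, for example `/* elem must already point past NF_BR_PRI_BRNF: nf_iterate() no longer skips by priority */`. Without it, a later caller that passes the list head would presumably re-enter the br_netfilter hook unnoticed. The br_nf_forward_finish() call site also moves from a literal threshold of 1 to whatever br_nf_hook_thresh() selects, which is equivalent only if NF_BR_PRI_BRNF is 0, so that is worth confirming.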
......
...@@ -53,7 +53,7 @@ static int ebt_broute(struct sk_buff *skb) ...@@ -53,7 +53,7 @@ static int ebt_broute(struct sk_buff *skb)
struct nf_hook_state state; struct nf_hook_state state;
int ret; int ret;
nf_hook_state_init(&state, NULL, NF_BR_BROUTING, INT_MIN, nf_hook_state_init(&state, NULL, NF_BR_BROUTING,
NFPROTO_BRIDGE, skb->dev, NULL, NULL, NFPROTO_BRIDGE, skb->dev, NULL, NULL,
dev_net(skb->dev), NULL); dev_net(skb->dev), NULL);
......
...@@ -309,10 +309,6 @@ unsigned int nf_iterate(struct sk_buff *skb, ...@@ -309,10 +309,6 @@ unsigned int nf_iterate(struct sk_buff *skb,
unsigned int verdict; unsigned int verdict;
while (*entryp) { while (*entryp) {
if (state->thresh > (*entryp)->ops.priority) {
*entryp = rcu_dereference((*entryp)->next);
continue;
}
repeat: repeat:
verdict = (*entryp)->ops.hook((*entryp)->ops.priv, skb, state); verdict = (*entryp)->ops.hook((*entryp)->ops.priv, skb, state);
if (verdict != NF_ACCEPT) { if (verdict != NF_ACCEPT) {
......
...@@ -200,8 +200,6 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict) ...@@ -200,8 +200,6 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
verdict = NF_DROP; verdict = NF_DROP;
} }
entry->state.thresh = INT_MIN;
if (verdict == NF_ACCEPT) { if (verdict == NF_ACCEPT) {
hook_entry = rcu_dereference(hook_entry->next); hook_entry = rcu_dereference(hook_entry->next);
if (hook_entry) if (hook_entry)
......