Commit
1c491ba2
authored
Apr 03, 2015
by
David S. Miller
netfilter: Pass nf_hook_state through ipt_do_table().
Signed-off-by:
David S. Miller
<
davem@davemloft.net
>
parent
d7cf4081
Showing
7 changed files
with
17 additions
and
21 deletions
+17
-21
include/linux/netfilter_ipv4/ip_tables.h
include/linux/netfilter_ipv4/ip_tables.h
+1
-2
net/ipv4/netfilter/ip_tables.c
net/ipv4/netfilter/ip_tables.c
+6
-7
net/ipv4/netfilter/iptable_filter.c
net/ipv4/netfilter/iptable_filter.c
+1
-2
net/ipv4/netfilter/iptable_mangle.c
net/ipv4/netfilter/iptable_mangle.c
+6
-5
net/ipv4/netfilter/iptable_nat.c
net/ipv4/netfilter/iptable_nat.c
+1
-2
net/ipv4/netfilter/iptable_raw.c
net/ipv4/netfilter/iptable_raw.c
+1
-2
net/ipv4/netfilter/iptable_security.c
net/ipv4/netfilter/iptable_security.c
+1
-1
include/linux/netfilter_ipv4/ip_tables.h
...
@@ -65,8 +65,7 @@ struct ipt_error {
...
@@ -65,8 +65,7 @@ struct ipt_error {
extern
void
*
ipt_alloc_initial_table
(
const
struct
xt_table
*
);
extern
void
*
ipt_alloc_initial_table
(
const
struct
xt_table
*
);
extern
unsigned
int
ipt_do_table
(
struct
sk_buff
*
skb
,
extern
unsigned
int
ipt_do_table
(
struct
sk_buff
*
skb
,
unsigned
int
hook
,
unsigned
int
hook
,
const
struct
net_device
*
in
,
const
struct
nf_hook_state
*
state
,
const
struct
net_device
*
out
,
struct
xt_table
*
table
);
struct
xt_table
*
table
);
#ifdef CONFIG_COMPAT
#ifdef CONFIG_COMPAT
...
...
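Review bot: The new ipt_do_table() prototype still takes `unsigned int hook` alongside `const struct nf_hook_state *state`, so the hook number and the hook state travel as two independent arguments. If nf_hook_state also records the hook (its definition is not on this page), a caller can pass a pair that disagrees, and nothing in the prototype says which one is authoritative; ipt_mangle_out() in iptable_mangle.c, for instance, passes the literal `NF_INET_LOCAL_OUT` together with a forwarded state. Either drop `hook` and read it from state, or add a comment on the prototype such as `/* hook must be the hook that state was built for */`.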
net/ipv4/netfilter/ip_tables.c
...
@@ -288,8 +288,7 @@ struct ipt_entry *ipt_next_entry(const struct ipt_entry *entry)
...
@@ -288,8 +288,7 @@ struct ipt_entry *ipt_next_entry(const struct ipt_entry *entry)
unsigned
int
unsigned
int
ipt_do_table
(
struct
sk_buff
*
skb
,
ipt_do_table
(
struct
sk_buff
*
skb
,
unsigned
int
hook
,
unsigned
int
hook
,
const
struct
net_device
*
in
,
const
struct
nf_hook_state
*
state
,
const
struct
net_device
*
out
,
struct
xt_table
*
table
)
struct
xt_table
*
table
)
{
{
static
const
char
nulldevname
[
IFNAMSIZ
]
__attribute__
((
aligned
(
sizeof
(
long
))));
static
const
char
nulldevname
[
IFNAMSIZ
]
__attribute__
((
aligned
(
sizeof
(
long
))));
...
@@ -306,8 +305,8 @@ ipt_do_table(struct sk_buff *skb,
...
@@ -306,8 +305,8 @@ ipt_do_table(struct sk_buff *skb,
/* Initialization */
/* Initialization */
ip
=
ip_hdr
(
skb
);
ip
=
ip_hdr
(
skb
);
indev
=
in
?
in
->
name
:
nulldevname
;
indev
=
state
->
in
?
state
->
in
->
name
:
nulldevname
;
outdev
=
out
?
out
->
name
:
nulldevname
;
outdev
=
state
->
out
?
state
->
out
->
name
:
nulldevname
;
/* We handle fragments by dealing with the first fragment as
/* We handle fragments by dealing with the first fragment as
* if it was a normal packet. All other fragments are treated
* if it was a normal packet. All other fragments are treated
* normally, except that they will NEVER match rules that ask
* normally, except that they will NEVER match rules that ask
...
@@ -317,8 +316,8 @@ ipt_do_table(struct sk_buff *skb,
...
@@ -317,8 +316,8 @@ ipt_do_table(struct sk_buff *skb,
acpar
.
fragoff
=
ntohs
(
ip
->
frag_off
)
&
IP_OFFSET
;
acpar
.
fragoff
=
ntohs
(
ip
->
frag_off
)
&
IP_OFFSET
;
acpar
.
thoff
=
ip_hdrlen
(
skb
);
acpar
.
thoff
=
ip_hdrlen
(
skb
);
acpar
.
hotdrop
=
false
;
acpar
.
hotdrop
=
false
;
acpar
.
in
=
in
;
acpar
.
in
=
state
->
in
;
acpar
.
out
=
out
;
acpar
.
out
=
state
->
out
;
acpar
.
family
=
NFPROTO_IPV4
;
acpar
.
family
=
NFPROTO_IPV4
;
acpar
.
hooknum
=
hook
;
acpar
.
hooknum
=
hook
;
...
@@ -370,7 +369,7 @@ ipt_do_table(struct sk_buff *skb,
...
@@ -370,7 +369,7 @@ ipt_do_table(struct sk_buff *skb,
#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
/* The packet is traced: log it */
/* The packet is traced: log it */
if
(
unlikely
(
skb
->
nf_trace
))
if
(
unlikely
(
skb
->
nf_trace
))
trace_packet
(
skb
,
hook
,
in
,
out
,
trace_packet
(
skb
,
hook
,
state
->
in
,
state
->
out
,
table
->
name
,
private
,
e
);
table
->
name
,
private
,
e
);
#endif
#endif
/* Standard target? */
/* Standard target? */
...
...
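Review bot: In the initialization hunk of ipt_do_table(), `state` is now dereferenced unconditionally (`state->in ? state->in->name : nulldevname`, `acpar.in = state->in`, and again in the `trace_packet()` call), so a NULL state faults in the packet path. Before this change a caller could pass NULL for either device. The new contract is that state itself is never NULL while `state->in` and `state->out` may be. That requirement is not recorded anywhere visible, and a comment above the definition such as `/* state must be non-NULL; state->in and state->out may each be NULL */` would make it explicit for future callers. The function body continues outside the hunks shown, so any later use of state is not covered by this note.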
net/ipv4/netfilter/iptable_filter.c
...
@@ -45,8 +45,7 @@ iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
...
@@ -45,8 +45,7 @@ iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
return
NF_ACCEPT
;
return
NF_ACCEPT
;
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
,
net
->
ipv4
.
iptable_filter
);
net
->
ipv4
.
iptable_filter
);
}
}
static
struct
nf_hook_ops
*
filter_ops
__read_mostly
;
static
struct
nf_hook_ops
*
filter_ops
__read_mostly
;
...
...
net/ipv4/netfilter/iptable_mangle.c
...
@@ -37,8 +37,9 @@ static const struct xt_table packet_mangler = {
...
@@ -37,8 +37,9 @@ static const struct xt_table packet_mangler = {
};
};
static
unsigned
int
static
unsigned
int
ipt_mangle_out
(
struct
sk_buff
*
skb
,
const
struct
n
et_device
*
out
)
ipt_mangle_out
(
struct
sk_buff
*
skb
,
const
struct
n
f_hook_state
*
state
)
{
{
struct
net_device
*
out
=
state
->
out
;
unsigned
int
ret
;
unsigned
int
ret
;
const
struct
iphdr
*
iph
;
const
struct
iphdr
*
iph
;
u_int8_t
tos
;
u_int8_t
tos
;
...
@@ -58,7 +59,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct net_device *out)
...
@@ -58,7 +59,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct net_device *out)
daddr
=
iph
->
daddr
;
daddr
=
iph
->
daddr
;
tos
=
iph
->
tos
;
tos
=
iph
->
tos
;
ret
=
ipt_do_table
(
skb
,
NF_INET_LOCAL_OUT
,
NULL
,
out
,
ret
=
ipt_do_table
(
skb
,
NF_INET_LOCAL_OUT
,
state
,
dev_net
(
out
)
->
ipv4
.
iptable_mangle
);
dev_net
(
out
)
->
ipv4
.
iptable_mangle
);
/* Reroute for ANY change. */
/* Reroute for ANY change. */
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
)
{
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
)
{
...
@@ -84,12 +85,12 @@ iptable_mangle_hook(const struct nf_hook_ops *ops,
...
@@ -84,12 +85,12 @@ iptable_mangle_hook(const struct nf_hook_ops *ops,
const
struct
nf_hook_state
*
state
)
const
struct
nf_hook_state
*
state
)
{
{
if
(
ops
->
hooknum
==
NF_INET_LOCAL_OUT
)
if
(
ops
->
hooknum
==
NF_INET_LOCAL_OUT
)
return
ipt_mangle_out
(
skb
,
state
->
out
);
return
ipt_mangle_out
(
skb
,
state
);
if
(
ops
->
hooknum
==
NF_INET_POST_ROUTING
)
if
(
ops
->
hooknum
==
NF_INET_POST_ROUTING
)
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
,
dev_net
(
state
->
out
)
->
ipv4
.
iptable_mangle
);
dev_net
(
state
->
out
)
->
ipv4
.
iptable_mangle
);
/* PREROUTING/INPUT/FORWARD: */
/* PREROUTING/INPUT/FORWARD: */
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
,
dev_net
(
state
->
in
)
->
ipv4
.
iptable_mangle
);
dev_net
(
state
->
in
)
->
ipv4
.
iptable_mangle
);
}
}
...
...
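Review bot: The new local in ipt_mangle_out(), `struct net_device *out = state->out;`, drops the `const` that the removed parameter `const struct net_device *out` carried. The only use visible in these hunks is the read in `dev_net(out)`, so declaring it `const struct net_device *out = state->out;` keeps the read-only guarantee the old signature gave and stops later edits from writing through it unnoticed. The body of ipt_mangle_out() continues outside the hunks, so any other use of `out` should be checked before tightening the type.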
net/ipv4/netfilter/iptable_nat.c
...
@@ -35,8 +35,7 @@ static unsigned int iptable_nat_do_chain(const struct nf_hook_ops *ops,
...
@@ -35,8 +35,7 @@ static unsigned int iptable_nat_do_chain(const struct nf_hook_ops *ops,
{
{
struct
net
*
net
=
nf_ct_net
(
ct
);
struct
net
*
net
=
nf_ct_net
(
ct
);
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
,
net
->
ipv4
.
nat_table
);
net
->
ipv4
.
nat_table
);
}
}
static
unsigned
int
iptable_nat_ipv4_fn
(
const
struct
nf_hook_ops
*
ops
,
static
unsigned
int
iptable_nat_ipv4_fn
(
const
struct
nf_hook_ops
*
ops
,
...
...
net/ipv4/netfilter/iptable_raw.c
...
@@ -32,8 +32,7 @@ iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
...
@@ -32,8 +32,7 @@ iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
return
NF_ACCEPT
;
return
NF_ACCEPT
;
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
,
net
->
ipv4
.
iptable_raw
);
net
->
ipv4
.
iptable_raw
);
}
}
static
struct
nf_hook_ops
*
rawtable_ops
__read_mostly
;
static
struct
nf_hook_ops
*
rawtable_ops
__read_mostly
;
...
...
net/ipv4/netfilter/iptable_security.c
...
@@ -49,7 +49,7 @@ iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
...
@@ -49,7 +49,7 @@ iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
return
NF_ACCEPT
;
return
NF_ACCEPT
;
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ipt_do_table
(
skb
,
ops
->
hooknum
,
state
,
net
->
ipv4
.
iptable_security
);
net
->
ipv4
.
iptable_security
);
}
}
...
...