Commit 156c196f authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Pablo Neira Ayuso

netfilter: x_tables: Pass struct net in xt_action_param

As xt_action_param lives on the stack this does not bloat any
persistent data structures.

This is a first step in making netfilter code that needs to know
which network namespace it is executing in simpler.
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 6aa187f2
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
* @target: the target extension * @target: the target extension
* @matchinfo: per-match data * @matchinfo: per-match data
* @targetinfo: per-target data * @targetinfo: per-target data
* @net network namespace through which the action was invoked
* @in: input netdevice * @in: input netdevice
* @out: output netdevice * @out: output netdevice
* @fragoff: packet is a fragment, this is the data offset * @fragoff: packet is a fragment, this is the data offset
...@@ -24,7 +25,6 @@ ...@@ -24,7 +25,6 @@
* Fields written to by extensions: * Fields written to by extensions:
* *
* @hotdrop: drop packet if we had inspection problems * @hotdrop: drop packet if we had inspection problems
* Network namespace obtainable using dev_net(in/out)
*/ */
struct xt_action_param { struct xt_action_param {
union { union {
...@@ -34,6 +34,7 @@ struct xt_action_param { ...@@ -34,6 +34,7 @@ struct xt_action_param {
union { union {
const void *matchinfo, *targinfo; const void *matchinfo, *targinfo;
}; };
struct net *net;
const struct net_device *in, *out; const struct net_device *in, *out;
int fragoff; int fragoff;
unsigned int thoff; unsigned int thoff;
......
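Review bot: The new kerneldoc line for the `net` member is missing the colon that every sibling line uses (`@in:`, `@out:`, `@fragoff:`), and the kernel-doc `@name:` member syntax is what the rest of this comment block follows; change it to `* @net: network namespace through which the action was invoked`. The struct member itself is added in the third hunk ahead of `in`/`out`, matching the order in the doc block, which is consistent. Dropping the old "obtainable using dev_net(in/out)" sentence is fine now that the namespace is carried explicitly, though a one-line hint that `net` is expected to be set by every caller that fills `in`/`out` would help extension authors who previously relied on `dev_net()`.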
...@@ -30,6 +30,7 @@ static inline void nft_set_pktinfo(struct nft_pktinfo *pkt, ...@@ -30,6 +30,7 @@ static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
const struct nf_hook_state *state) const struct nf_hook_state *state)
{ {
pkt->skb = skb; pkt->skb = skb;
pkt->xt.net = state->net;
pkt->in = pkt->xt.in = state->in; pkt->in = pkt->xt.in = state->in;
pkt->out = pkt->xt.out = state->out; pkt->out = pkt->xt.out = state->out;
pkt->hook = pkt->xt.hooknum = state->hook; pkt->hook = pkt->xt.hooknum = state->hook;
......
...@@ -200,6 +200,7 @@ unsigned int ebt_do_table(struct sk_buff *skb, ...@@ -200,6 +200,7 @@ unsigned int ebt_do_table(struct sk_buff *skb,
struct xt_action_param acpar; struct xt_action_param acpar;
acpar.family = NFPROTO_BRIDGE; acpar.family = NFPROTO_BRIDGE;
acpar.net = state->net;
acpar.in = state->in; acpar.in = state->in;
acpar.out = state->out; acpar.out = state->out;
acpar.hotdrop = false; acpar.hotdrop = false;
......
...@@ -285,6 +285,7 @@ unsigned int arpt_do_table(struct sk_buff *skb, ...@@ -285,6 +285,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
*/ */
e = get_entry(table_base, private->hook_entry[hook]); e = get_entry(table_base, private->hook_entry[hook]);
acpar.net = state->net;
acpar.in = state->in; acpar.in = state->in;
acpar.out = state->out; acpar.out = state->out;
acpar.hooknum = hook; acpar.hooknum = hook;
......
...@@ -315,6 +315,7 @@ ipt_do_table(struct sk_buff *skb, ...@@ -315,6 +315,7 @@ ipt_do_table(struct sk_buff *skb,
acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET; acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
acpar.thoff = ip_hdrlen(skb); acpar.thoff = ip_hdrlen(skb);
acpar.hotdrop = false; acpar.hotdrop = false;
acpar.net = state->net;
acpar.in = state->in; acpar.in = state->in;
acpar.out = state->out; acpar.out = state->out;
acpar.family = NFPROTO_IPV4; acpar.family = NFPROTO_IPV4;
......
...@@ -340,6 +340,7 @@ ip6t_do_table(struct sk_buff *skb, ...@@ -340,6 +340,7 @@ ip6t_do_table(struct sk_buff *skb,
* rule is also a fragment-specific rule, non-fragments won't * rule is also a fragment-specific rule, non-fragments won't
* match it. */ * match it. */
acpar.hotdrop = false; acpar.hotdrop = false;
acpar.net = state->net;
acpar.in = state->in; acpar.in = state->in;
acpar.out = state->out; acpar.out = state->out;
acpar.family = NFPROTO_IPV6; acpar.family = NFPROTO_IPV6;
......
...@@ -189,6 +189,7 @@ static int tcf_ipt(struct sk_buff *skb, const struct tc_action *a, ...@@ -189,6 +189,7 @@ static int tcf_ipt(struct sk_buff *skb, const struct tc_action *a,
* worry later - danger - this API seems to have changed * worry later - danger - this API seems to have changed
* from earlier kernels * from earlier kernels
*/ */
par.net = dev_net(skb->dev);
par.in = skb->dev; par.in = skb->dev;
par.out = NULL; par.out = NULL;
par.hooknum = ipt->tcfi_hook; par.hooknum = ipt->tcfi_hook;
......
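Review bot: Unlike the other callers in this commit, which copy a namespace pointer they already hold (`state->net`, `em->net`), this hunk derives it with `dev_net(skb->dev)`, which dereferences `skb->dev`; the existing code only stores that pointer in `par.in`, so if `skb->dev` can ever be NULL on this path the new line is the first dereference and would oops. If a non-NULL `skb->dev` is an invariant for tcf_ipt, a short comment stating that next to the assignment would make the dependency visible, e.g. `/* skb->dev is always set for a classified skb */`. tcf_ipt's body starts before this hunk, so whether an earlier check already guarantees this is not visible here.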
...@@ -95,6 +95,7 @@ static int em_ipset_match(struct sk_buff *skb, struct tcf_ematch *em, ...@@ -95,6 +95,7 @@ static int em_ipset_match(struct sk_buff *skb, struct tcf_ematch *em,
if (skb->skb_iif) if (skb->skb_iif)
indev = dev_get_by_index_rcu(em->net, skb->skb_iif); indev = dev_get_by_index_rcu(em->net, skb->skb_iif);
acpar.net = em->net;
acpar.in = indev ? indev : dev; acpar.in = indev ? indev : dev;
acpar.out = dev; acpar.out = dev;
......