Commit
8f8a3715
authored
Apr 03, 2015
by
David S. Miller
netfilter: Pass nf_hook_state through ip6t_do_table().
Signed-off-by:
David S. Miller
<
davem@davemloft.net
>
parent
8fe22382
Showing
7 changed files
with
17 additions
and
22 deletions
+17
-22
include/linux/netfilter_ipv6/ip6_tables.h
include/linux/netfilter_ipv6/ip6_tables.h
+1
-2
net/ipv6/netfilter/ip6_tables.c
net/ipv6/netfilter/ip6_tables.c
+6
-7
net/ipv6/netfilter/ip6table_filter.c
net/ipv6/netfilter/ip6table_filter.c
+1
-2
net/ipv6/netfilter/ip6table_mangle.c
net/ipv6/netfilter/ip6table_mangle.c
+6
-6
net/ipv6/netfilter/ip6table_nat.c
net/ipv6/netfilter/ip6table_nat.c
+1
-2
net/ipv6/netfilter/ip6table_raw.c
net/ipv6/netfilter/ip6table_raw.c
+1
-2
net/ipv6/netfilter/ip6table_security.c
net/ipv6/netfilter/ip6table_security.c
+1
-1
include/linux/netfilter_ipv6/ip6_tables.h
...
@@ -31,8 +31,7 @@ extern struct xt_table *ip6t_register_table(struct net *net,
...
@@ -31,8 +31,7 @@ extern struct xt_table *ip6t_register_table(struct net *net,
extern
void
ip6t_unregister_table
(
struct
net
*
net
,
struct
xt_table
*
table
);
extern
void
ip6t_unregister_table
(
struct
net
*
net
,
struct
xt_table
*
table
);
extern
unsigned
int
ip6t_do_table
(
struct
sk_buff
*
skb
,
extern
unsigned
int
ip6t_do_table
(
struct
sk_buff
*
skb
,
unsigned
int
hook
,
unsigned
int
hook
,
const
struct
net_device
*
in
,
const
struct
nf_hook_state
*
state
,
const
struct
net_device
*
out
,
struct
xt_table
*
table
);
struct
xt_table
*
table
);
/* Check for an extension */
/* Check for an extension */
...
...
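Review bot: The new `ip6t_do_table()` prototype keeps the separate `unsigned int hook` argument next to `const struct nf_hook_state *state`, so the hook number and the in/out devices now reach the function through two independent arguments. If `struct nf_hook_state` also carries the hook number (its definition is not shown on this page), a caller could pass a `hook` that disagrees with the state, and rules would then be evaluated for one hook against the devices of another. Either read the hook from the state in a follow-up and drop the parameter, or add a comment above the declaration such as `/* hook must be the hook that state was built for; state must not be NULL */`.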
net/ipv6/netfilter/ip6_tables.c
...
@@ -317,8 +317,7 @@ ip6t_next_entry(const struct ip6t_entry *entry)
...
@@ -317,8 +317,7 @@ ip6t_next_entry(const struct ip6t_entry *entry)
unsigned
int
unsigned
int
ip6t_do_table
(
struct
sk_buff
*
skb
,
ip6t_do_table
(
struct
sk_buff
*
skb
,
unsigned
int
hook
,
unsigned
int
hook
,
const
struct
net_device
*
in
,
const
struct
nf_hook_state
*
state
,
const
struct
net_device
*
out
,
struct
xt_table
*
table
)
struct
xt_table
*
table
)
{
{
static
const
char
nulldevname
[
IFNAMSIZ
]
__attribute__
((
aligned
(
sizeof
(
long
))));
static
const
char
nulldevname
[
IFNAMSIZ
]
__attribute__
((
aligned
(
sizeof
(
long
))));
...
@@ -333,8 +332,8 @@ ip6t_do_table(struct sk_buff *skb,
...
@@ -333,8 +332,8 @@ ip6t_do_table(struct sk_buff *skb,
unsigned
int
addend
;
unsigned
int
addend
;
/* Initialization */
/* Initialization */
indev
=
in
?
in
->
name
:
nulldevname
;
indev
=
state
->
in
?
state
->
in
->
name
:
nulldevname
;
outdev
=
out
?
out
->
name
:
nulldevname
;
outdev
=
state
->
out
?
state
->
out
->
name
:
nulldevname
;
/* We handle fragments by dealing with the first fragment as
/* We handle fragments by dealing with the first fragment as
* if it was a normal packet. All other fragments are treated
* if it was a normal packet. All other fragments are treated
* normally, except that they will NEVER match rules that ask
* normally, except that they will NEVER match rules that ask
...
@@ -342,8 +341,8 @@ ip6t_do_table(struct sk_buff *skb,
...
@@ -342,8 +341,8 @@ ip6t_do_table(struct sk_buff *skb,
* rule is also a fragment-specific rule, non-fragments won't
* rule is also a fragment-specific rule, non-fragments won't
* match it. */
* match it. */
acpar
.
hotdrop
=
false
;
acpar
.
hotdrop
=
false
;
acpar
.
in
=
in
;
acpar
.
in
=
state
->
in
;
acpar
.
out
=
out
;
acpar
.
out
=
state
->
out
;
acpar
.
family
=
NFPROTO_IPV6
;
acpar
.
family
=
NFPROTO_IPV6
;
acpar
.
hooknum
=
hook
;
acpar
.
hooknum
=
hook
;
...
@@ -393,7 +392,7 @@ ip6t_do_table(struct sk_buff *skb,
...
@@ -393,7 +392,7 @@ ip6t_do_table(struct sk_buff *skb,
#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
/* The packet is traced: log it */
/* The packet is traced: log it */
if
(
unlikely
(
skb
->
nf_trace
))
if
(
unlikely
(
skb
->
nf_trace
))
trace_packet
(
skb
,
hook
,
in
,
out
,
trace_packet
(
skb
,
hook
,
state
->
in
,
state
->
out
,
table
->
name
,
private
,
e
);
table
->
name
,
private
,
e
);
#endif
#endif
/* Standard target? */
/* Standard target? */
...
...
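Review bot: In the `@@ -333,8 +332,8 @@` hunk `state` is dereferenced unconditionally (`indev = state->in ? state->in->name : nulldevname;`), whereas the old code accepted a NULL `in` or `out` argument directly; `state` is now a mandatory non-NULL argument and nothing in the function says so. Every caller visible in this commit forwards the state it received from its own hook, so this is probably safe as merged, but any other caller that used to pass `NULL, out` would now fault while processing a packet. I would record the contract at the top of the function, e.g. `/* state must be non-NULL; state->in and state->out may each be NULL */`. The body of ip6t_do_table() continues outside the hunks shown.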
net/ipv6/netfilter/ip6table_filter.c
...
@@ -37,8 +37,7 @@ ip6table_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
...
@@ -37,8 +37,7 @@ ip6table_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
{
{
const
struct
net
*
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
const
struct
net
*
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
,
net
->
ipv6
.
ip6table_filter
);
net
->
ipv6
.
ip6table_filter
);
}
}
static
struct
nf_hook_ops
*
filter_ops
__read_mostly
;
static
struct
nf_hook_ops
*
filter_ops
__read_mostly
;
...
...
net/ipv6/netfilter/ip6table_mangle.c
...
@@ -32,7 +32,7 @@ static const struct xt_table packet_mangler = {
...
@@ -32,7 +32,7 @@ static const struct xt_table packet_mangler = {
};
};
static
unsigned
int
static
unsigned
int
ip6t_mangle_out
(
struct
sk_buff
*
skb
,
const
struct
n
et_device
*
out
)
ip6t_mangle_out
(
struct
sk_buff
*
skb
,
const
struct
n
f_hook_state
*
state
)
{
{
unsigned
int
ret
;
unsigned
int
ret
;
struct
in6_addr
saddr
,
daddr
;
struct
in6_addr
saddr
,
daddr
;
...
@@ -57,8 +57,8 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
...
@@ -57,8 +57,8 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
/* flowlabel and prio (includes version, which shouldn't change either */
/* flowlabel and prio (includes version, which shouldn't change either */
flowlabel
=
*
((
u_int32_t
*
)
ipv6_hdr
(
skb
));
flowlabel
=
*
((
u_int32_t
*
)
ipv6_hdr
(
skb
));
ret
=
ip6t_do_table
(
skb
,
NF_INET_LOCAL_OUT
,
NULL
,
out
,
ret
=
ip6t_do_table
(
skb
,
NF_INET_LOCAL_OUT
,
state
,
dev_net
(
out
)
->
ipv6
.
ip6table_mangle
);
dev_net
(
state
->
out
)
->
ipv6
.
ip6table_mangle
);
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
&&
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
&&
(
!
ipv6_addr_equal
(
&
ipv6_hdr
(
skb
)
->
saddr
,
&
saddr
)
||
(
!
ipv6_addr_equal
(
&
ipv6_hdr
(
skb
)
->
saddr
,
&
saddr
)
||
...
@@ -80,12 +80,12 @@ ip6table_mangle_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
...
@@ -80,12 +80,12 @@ ip6table_mangle_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
const
struct
nf_hook_state
*
state
)
const
struct
nf_hook_state
*
state
)
{
{
if
(
ops
->
hooknum
==
NF_INET_LOCAL_OUT
)
if
(
ops
->
hooknum
==
NF_INET_LOCAL_OUT
)
return
ip6t_mangle_out
(
skb
,
state
->
out
);
return
ip6t_mangle_out
(
skb
,
state
);
if
(
ops
->
hooknum
==
NF_INET_POST_ROUTING
)
if
(
ops
->
hooknum
==
NF_INET_POST_ROUTING
)
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
,
dev_net
(
state
->
out
)
->
ipv6
.
ip6table_mangle
);
dev_net
(
state
->
out
)
->
ipv6
.
ip6table_mangle
);
/* INPUT/FORWARD */
/* INPUT/FORWARD */
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
,
dev_net
(
state
->
in
)
->
ipv6
.
ip6table_mangle
);
dev_net
(
state
->
in
)
->
ipv6
.
ip6table_mangle
);
}
}
...
...
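Review bot: `ip6t_mangle_out()` used to pass an explicit `NULL` as the input device to `ip6t_do_table()`; with this change the input device is whatever `state->in` holds, so input-interface matching on LOCAL_OUT now depends on the hook caller leaving `state->in` NULL. That is presumably always the case for NF_INET_LOCAL_OUT, but the guarantee has moved out of this file and is no longer visible here. A short comment before the call would record the assumption, e.g. `/* LOCAL_OUT: state->in is expected to be NULL, matching the NULL passed before */`. The same call still passes the literal `NF_INET_LOCAL_OUT` while the state travels separately, so the two have to stay in agreement. The function body runs beyond the hunks shown.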
net/ipv6/netfilter/ip6table_nat.c
...
@@ -37,8 +37,7 @@ static unsigned int ip6table_nat_do_chain(const struct nf_hook_ops *ops,
...
@@ -37,8 +37,7 @@ static unsigned int ip6table_nat_do_chain(const struct nf_hook_ops *ops,
{
{
struct
net
*
net
=
nf_ct_net
(
ct
);
struct
net
*
net
=
nf_ct_net
(
ct
);
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
,
net
->
ipv6
.
ip6table_nat
);
net
->
ipv6
.
ip6table_nat
);
}
}
static
unsigned
int
ip6table_nat_fn
(
const
struct
nf_hook_ops
*
ops
,
static
unsigned
int
ip6table_nat_fn
(
const
struct
nf_hook_ops
*
ops
,
...
...
net/ipv6/netfilter/ip6table_raw.c
...
@@ -24,8 +24,7 @@ ip6table_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
...
@@ -24,8 +24,7 @@ ip6table_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
{
{
const
struct
net
*
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
const
struct
net
*
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
,
net
->
ipv6
.
ip6table_raw
);
net
->
ipv6
.
ip6table_raw
);
}
}
static
struct
nf_hook_ops
*
rawtable_ops
__read_mostly
;
static
struct
nf_hook_ops
*
rawtable_ops
__read_mostly
;
...
...
net/ipv6/netfilter/ip6table_security.c
...
@@ -41,7 +41,7 @@ ip6table_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
...
@@ -41,7 +41,7 @@ ip6table_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
{
{
const
struct
net
*
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
const
struct
net
*
net
=
dev_net
(
state
->
in
?
state
->
in
:
state
->
out
);
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
->
in
,
state
->
out
,
return
ip6t_do_table
(
skb
,
ops
->
hooknum
,
state
,
net
->
ipv6
.
ip6table_security
);
net
->
ipv6
.
ip6table_security
);
}
}
...
...