netfilter: x_tables: Pass struct net in xt_action_param
As xt_action_param lives on the stack, this does not bloat any persistent data structures. This is a first step towards simplifying netfilter code that needs to know which network namespace it is executing in. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
6aa187f21c
commit
156c196f60
|
@ -13,6 +13,7 @@
|
||||||
* @target: the target extension
|
* @target: the target extension
|
||||||
* @matchinfo: per-match data
|
* @matchinfo: per-match data
|
||||||
* @targetinfo: per-target data
|
* @targetinfo: per-target data
|
||||||
|
* @net network namespace through which the action was invoked
|
||||||
* @in: input netdevice
|
* @in: input netdevice
|
||||||
* @out: output netdevice
|
* @out: output netdevice
|
||||||
* @fragoff: packet is a fragment, this is the data offset
|
* @fragoff: packet is a fragment, this is the data offset
|
||||||
|
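Review bot: The new kerneldoc line `* @net network namespace through which the action was invoked` is missing the colon after the member name that every other entry in this comment uses (`@target:`, `@matchinfo:`, `@in:`, `@fragoff:`); kernel-doc keys member descriptions on the `@name:` form, so this line is at best ignored and at worst reported as malformed. It should read `* @net: network namespace through which the action was invoked`. Since the next hunk removes the old `Network namespace obtainable using dev_net(in/out)` remark, this line becomes the only documentation of how extensions are meant to obtain the namespace, so getting it parsed matters.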
@ -24,7 +25,6 @@
|
||||||
* Fields written to by extensions:
|
* Fields written to by extensions:
|
||||||
*
|
*
|
||||||
* @hotdrop: drop packet if we had inspection problems
|
* @hotdrop: drop packet if we had inspection problems
|
||||||
* Network namespace obtainable using dev_net(in/out)
|
|
||||||
*/
|
*/
|
||||||
struct xt_action_param {
|
struct xt_action_param {
|
||||||
union {
|
union {
|
||||||
|
@ -34,6 +34,7 @@ struct xt_action_param {
|
||||||
union {
|
union {
|
||||||
const void *matchinfo, *targinfo;
|
const void *matchinfo, *targinfo;
|
||||||
};
|
};
|
||||||
|
struct net *net;
|
||||||
const struct net_device *in, *out;
|
const struct net_device *in, *out;
|
||||||
int fragoff;
|
int fragoff;
|
||||||
unsigned int thoff;
|
unsigned int thoff;
|
||||||
|
|
|
@ -30,6 +30,7 @@ static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
|
||||||
const struct nf_hook_state *state)
|
const struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
pkt->skb = skb;
|
pkt->skb = skb;
|
||||||
|
pkt->xt.net = state->net;
|
||||||
pkt->in = pkt->xt.in = state->in;
|
pkt->in = pkt->xt.in = state->in;
|
||||||
pkt->out = pkt->xt.out = state->out;
|
pkt->out = pkt->xt.out = state->out;
|
||||||
pkt->hook = pkt->xt.hooknum = state->hook;
|
pkt->hook = pkt->xt.hooknum = state->hook;
|
||||||
|
|
|
@ -200,6 +200,7 @@ unsigned int ebt_do_table(struct sk_buff *skb,
|
||||||
struct xt_action_param acpar;
|
struct xt_action_param acpar;
|
||||||
|
|
||||||
acpar.family = NFPROTO_BRIDGE;
|
acpar.family = NFPROTO_BRIDGE;
|
||||||
|
acpar.net = state->net;
|
||||||
acpar.in = state->in;
|
acpar.in = state->in;
|
||||||
acpar.out = state->out;
|
acpar.out = state->out;
|
||||||
acpar.hotdrop = false;
|
acpar.hotdrop = false;
|
||||||
|
|
|
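Review bot: `acpar` is declared uninitialized on the stack (`struct xt_action_param acpar;`) and this hunk adds the `.net` assignment to one of several such construction sites, so the new field is only safe for an extension to read once every site that builds an xt_action_param sets it; the commit message frames this as a first step, which suggests extensions are not expected to dereference it yet. Any constructor not updated in this series (I cannot see the complete set from here) would hand extensions an indeterminate pointer as soon as one starts using `par->net`. A short comment at the struct definition, e.g. `/* every on-stack constructor of xt_action_param must set .net */`, would make that contract explicit for future callers. ebt_do_table's body continues outside the hunk.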
@ -285,6 +285,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
|
||||||
*/
|
*/
|
||||||
e = get_entry(table_base, private->hook_entry[hook]);
|
e = get_entry(table_base, private->hook_entry[hook]);
|
||||||
|
|
||||||
|
acpar.net = state->net;
|
||||||
acpar.in = state->in;
|
acpar.in = state->in;
|
||||||
acpar.out = state->out;
|
acpar.out = state->out;
|
||||||
acpar.hooknum = hook;
|
acpar.hooknum = hook;
|
||||||
|
|
|
@ -315,6 +315,7 @@ ipt_do_table(struct sk_buff *skb,
|
||||||
acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
|
acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
|
||||||
acpar.thoff = ip_hdrlen(skb);
|
acpar.thoff = ip_hdrlen(skb);
|
||||||
acpar.hotdrop = false;
|
acpar.hotdrop = false;
|
||||||
|
acpar.net = state->net;
|
||||||
acpar.in = state->in;
|
acpar.in = state->in;
|
||||||
acpar.out = state->out;
|
acpar.out = state->out;
|
||||||
acpar.family = NFPROTO_IPV4;
|
acpar.family = NFPROTO_IPV4;
|
||||||
|
|
|
@ -340,6 +340,7 @@ ip6t_do_table(struct sk_buff *skb,
|
||||||
* rule is also a fragment-specific rule, non-fragments won't
|
* rule is also a fragment-specific rule, non-fragments won't
|
||||||
* match it. */
|
* match it. */
|
||||||
acpar.hotdrop = false;
|
acpar.hotdrop = false;
|
||||||
|
acpar.net = state->net;
|
||||||
acpar.in = state->in;
|
acpar.in = state->in;
|
||||||
acpar.out = state->out;
|
acpar.out = state->out;
|
||||||
acpar.family = NFPROTO_IPV6;
|
acpar.family = NFPROTO_IPV6;
|
||||||
|
|
|
@ -189,6 +189,7 @@ static int tcf_ipt(struct sk_buff *skb, const struct tc_action *a,
|
||||||
* worry later - danger - this API seems to have changed
|
* worry later - danger - this API seems to have changed
|
||||||
* from earlier kernels
|
* from earlier kernels
|
||||||
*/
|
*/
|
||||||
|
par.net = dev_net(skb->dev);
|
||||||
par.in = skb->dev;
|
par.in = skb->dev;
|
||||||
par.out = NULL;
|
par.out = NULL;
|
||||||
par.hooknum = ipt->tcfi_hook;
|
par.hooknum = ipt->tcfi_hook;
|
||||||
|
|
|
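Review bot: `par.net = dev_net(skb->dev);` dereferences `skb->dev` unconditionally, whereas the neighbouring `par.in = skb->dev;` only stores the pointer and the xtables core tolerates a NULL `in` (targets already cope with a NULL input device on output hooks). On the tc action path skb->dev is, as far as I can tell, always set, so this is most likely fine, but it is the first hard dependency on it in this function and deserves a comment such as `/* skb->dev is always set on the tc action path; needed for the namespace */`. em_ipset in the same commit takes the namespace from its own state (`em->net`); if the ipt action ever carries a stored net pointer, using that would remove the dependency on skb->dev. tcf_ipt's body continues outside the hunk.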
@ -95,6 +95,7 @@ static int em_ipset_match(struct sk_buff *skb, struct tcf_ematch *em,
|
||||||
if (skb->skb_iif)
|
if (skb->skb_iif)
|
||||||
indev = dev_get_by_index_rcu(em->net, skb->skb_iif);
|
indev = dev_get_by_index_rcu(em->net, skb->skb_iif);
|
||||||
|
|
||||||
|
acpar.net = em->net;
|
||||||
acpar.in = indev ? indev : dev;
|
acpar.in = indev ? indev : dev;
|
||||||
acpar.out = dev;
|
acpar.out = dev;
|
||||||
|
|
||||||
|
|