[NETFILTER]: Introduce infrastructure for address family specific operations
Change the queue rerouter intrastructure to a generic usable infrastructure for address family specific operations as a base for some cleanups. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
a0aed49bdb
commit
bce8032ef3
|
@ -283,16 +283,25 @@ extern void nf_invalidate_cache(int pf);
|
||||||
Returns true or false. */
|
Returns true or false. */
|
||||||
extern int skb_make_writable(struct sk_buff **pskb, unsigned int writable_len);
|
extern int skb_make_writable(struct sk_buff **pskb, unsigned int writable_len);
|
||||||
|
|
||||||
struct nf_queue_rerouter {
|
struct nf_afinfo {
|
||||||
void (*save)(const struct sk_buff *skb, struct nf_info *info);
|
unsigned short family;
|
||||||
int (*reroute)(struct sk_buff **skb, const struct nf_info *info);
|
void (*saveroute)(const struct sk_buff *skb,
|
||||||
int rer_size;
|
struct nf_info *info);
|
||||||
|
int (*reroute)(struct sk_buff **skb,
|
||||||
|
const struct nf_info *info);
|
||||||
|
int route_key_size;
|
||||||
};
|
};
|
||||||
|
|
||||||
#define nf_info_reroute(x) ((void *)x + sizeof(struct nf_info))
|
extern struct nf_afinfo *nf_afinfo[];
|
||||||
|
static inline struct nf_afinfo *nf_get_afinfo(unsigned short family)
|
||||||
|
{
|
||||||
|
return rcu_dereference(nf_afinfo[family]);
|
||||||
|
}
|
||||||
|
|
||||||
extern int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer);
|
extern int nf_register_afinfo(struct nf_afinfo *afinfo);
|
||||||
extern int nf_unregister_queue_rerouter(int pf);
|
extern void nf_unregister_afinfo(struct nf_afinfo *afinfo);
|
||||||
|
|
||||||
|
#define nf_info_reroute(x) ((void *)x + sizeof(struct nf_info))
|
||||||
|
|
||||||
#include <net/flow.h>
|
#include <net/flow.h>
|
||||||
extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
|
extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
|
||||||
|
|
|
@ -133,7 +133,7 @@ struct ip_rt_info {
|
||||||
u_int8_t tos;
|
u_int8_t tos;
|
||||||
};
|
};
|
||||||
|
|
||||||
static void queue_save(const struct sk_buff *skb, struct nf_info *info)
|
static void nf_ip_saveroute(const struct sk_buff *skb, struct nf_info *info)
|
||||||
{
|
{
|
||||||
struct ip_rt_info *rt_info = nf_info_reroute(info);
|
struct ip_rt_info *rt_info = nf_info_reroute(info);
|
||||||
|
|
||||||
|
@ -146,7 +146,7 @@ static void queue_save(const struct sk_buff *skb, struct nf_info *info)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static int queue_reroute(struct sk_buff **pskb, const struct nf_info *info)
|
static int nf_ip_reroute(struct sk_buff **pskb, const struct nf_info *info)
|
||||||
{
|
{
|
||||||
const struct ip_rt_info *rt_info = nf_info_reroute(info);
|
const struct ip_rt_info *rt_info = nf_info_reroute(info);
|
||||||
|
|
||||||
|
@ -161,20 +161,21 @@ static int queue_reroute(struct sk_buff **pskb, const struct nf_info *info)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_queue_rerouter ip_reroute = {
|
static struct nf_afinfo nf_ip_afinfo = {
|
||||||
.rer_size = sizeof(struct ip_rt_info),
|
.family = AF_INET,
|
||||||
.save = queue_save,
|
.saveroute = nf_ip_saveroute,
|
||||||
.reroute = queue_reroute,
|
.reroute = nf_ip_reroute,
|
||||||
|
.route_key_size = sizeof(struct ip_rt_info),
|
||||||
};
|
};
|
||||||
|
|
||||||
static int ipv4_netfilter_init(void)
|
static int ipv4_netfilter_init(void)
|
||||||
{
|
{
|
||||||
return nf_register_queue_rerouter(PF_INET, &ip_reroute);
|
return nf_register_afinfo(&nf_ip_afinfo);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void ipv4_netfilter_fini(void)
|
static void ipv4_netfilter_fini(void)
|
||||||
{
|
{
|
||||||
nf_unregister_queue_rerouter(PF_INET);
|
nf_unregister_afinfo(&nf_ip_afinfo);
|
||||||
}
|
}
|
||||||
|
|
||||||
module_init(ipv4_netfilter_init);
|
module_init(ipv4_netfilter_init);
|
||||||
|
|
|
@ -54,7 +54,7 @@ struct ip6_rt_info {
|
||||||
struct in6_addr saddr;
|
struct in6_addr saddr;
|
||||||
};
|
};
|
||||||
|
|
||||||
static void save(const struct sk_buff *skb, struct nf_info *info)
|
static void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_info *info)
|
||||||
{
|
{
|
||||||
struct ip6_rt_info *rt_info = nf_info_reroute(info);
|
struct ip6_rt_info *rt_info = nf_info_reroute(info);
|
||||||
|
|
||||||
|
@ -66,7 +66,7 @@ static void save(const struct sk_buff *skb, struct nf_info *info)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static int reroute(struct sk_buff **pskb, const struct nf_info *info)
|
static int nf_ip6_reroute(struct sk_buff **pskb, const struct nf_info *info)
|
||||||
{
|
{
|
||||||
struct ip6_rt_info *rt_info = nf_info_reroute(info);
|
struct ip6_rt_info *rt_info = nf_info_reroute(info);
|
||||||
|
|
||||||
|
@ -79,15 +79,16 @@ static int reroute(struct sk_buff **pskb, const struct nf_info *info)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nf_queue_rerouter ip6_reroute = {
|
static struct nf_afinfo nf_ip6_afinfo = {
|
||||||
.rer_size = sizeof(struct ip6_rt_info),
|
.family = AF_INET6,
|
||||||
.save = &save,
|
.saveroute = nf_ip6_saveroute,
|
||||||
.reroute = &reroute,
|
.reroute = nf_ip6_reroute,
|
||||||
|
.route_key_size = sizeof(struct ip6_rt_info),
|
||||||
};
|
};
|
||||||
|
|
||||||
int __init ipv6_netfilter_init(void)
|
int __init ipv6_netfilter_init(void)
|
||||||
{
|
{
|
||||||
return nf_register_queue_rerouter(PF_INET6, &ip6_reroute);
|
return nf_register_afinfo(&nf_ip6_afinfo);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* This can be called from inet6_init() on errors, so it cannot
|
/* This can be called from inet6_init() on errors, so it cannot
|
||||||
|
@ -95,5 +96,5 @@ int __init ipv6_netfilter_init(void)
|
||||||
*/
|
*/
|
||||||
void ipv6_netfilter_fini(void)
|
void ipv6_netfilter_fini(void)
|
||||||
{
|
{
|
||||||
nf_unregister_queue_rerouter(PF_INET6);
|
nf_unregister_afinfo(&nf_ip6_afinfo);
|
||||||
}
|
}
|
||||||
|
|
|
@ -27,6 +27,29 @@
|
||||||
|
|
||||||
#include "nf_internals.h"
|
#include "nf_internals.h"
|
||||||
|
|
||||||
|
static DEFINE_SPINLOCK(afinfo_lock);
|
||||||
|
|
||||||
|
struct nf_afinfo *nf_afinfo[NPROTO];
|
||||||
|
EXPORT_SYMBOL(nf_afinfo);
|
||||||
|
|
||||||
|
int nf_register_afinfo(struct nf_afinfo *afinfo)
|
||||||
|
{
|
||||||
|
spin_lock(&afinfo_lock);
|
||||||
|
rcu_assign_pointer(nf_afinfo[afinfo->family], afinfo);
|
||||||
|
spin_unlock(&afinfo_lock);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL_GPL(nf_register_afinfo);
|
||||||
|
|
||||||
|
void nf_unregister_afinfo(struct nf_afinfo *afinfo)
|
||||||
|
{
|
||||||
|
spin_lock(&afinfo_lock);
|
||||||
|
rcu_assign_pointer(nf_afinfo[afinfo->family], NULL);
|
||||||
|
spin_unlock(&afinfo_lock);
|
||||||
|
synchronize_rcu();
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
|
||||||
|
|
||||||
/* In this code, we can be waiting indefinitely for userspace to
|
/* In this code, we can be waiting indefinitely for userspace to
|
||||||
* service a packet if a hook returns NF_QUEUE. We could keep a count
|
* service a packet if a hook returns NF_QUEUE. We could keep a count
|
||||||
* of skbuffs queued for userspace, and not deregister a hook unless
|
* of skbuffs queued for userspace, and not deregister a hook unless
|
||||||
|
|
|
@ -17,7 +17,6 @@
|
||||||
* for queueing and must reinject all packets it receives, no matter what.
|
* for queueing and must reinject all packets it receives, no matter what.
|
||||||
*/
|
*/
|
||||||
static struct nf_queue_handler *queue_handler[NPROTO];
|
static struct nf_queue_handler *queue_handler[NPROTO];
|
||||||
static struct nf_queue_rerouter *queue_rerouter[NPROTO];
|
|
||||||
|
|
||||||
static DEFINE_RWLOCK(queue_handler_lock);
|
static DEFINE_RWLOCK(queue_handler_lock);
|
||||||
|
|
||||||
|
@ -59,32 +58,6 @@ int nf_unregister_queue_handler(int pf)
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(nf_unregister_queue_handler);
|
EXPORT_SYMBOL(nf_unregister_queue_handler);
|
||||||
|
|
||||||
int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer)
|
|
||||||
{
|
|
||||||
if (pf >= NPROTO)
|
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
write_lock_bh(&queue_handler_lock);
|
|
||||||
rcu_assign_pointer(queue_rerouter[pf], rer);
|
|
||||||
write_unlock_bh(&queue_handler_lock);
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(nf_register_queue_rerouter);
|
|
||||||
|
|
||||||
int nf_unregister_queue_rerouter(int pf)
|
|
||||||
{
|
|
||||||
if (pf >= NPROTO)
|
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
write_lock_bh(&queue_handler_lock);
|
|
||||||
rcu_assign_pointer(queue_rerouter[pf], NULL);
|
|
||||||
write_unlock_bh(&queue_handler_lock);
|
|
||||||
synchronize_rcu();
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(nf_unregister_queue_rerouter);
|
|
||||||
|
|
||||||
void nf_unregister_queue_handlers(struct nf_queue_handler *qh)
|
void nf_unregister_queue_handlers(struct nf_queue_handler *qh)
|
||||||
{
|
{
|
||||||
int pf;
|
int pf;
|
||||||
|
@ -116,7 +89,7 @@ int nf_queue(struct sk_buff **skb,
|
||||||
struct net_device *physindev = NULL;
|
struct net_device *physindev = NULL;
|
||||||
struct net_device *physoutdev = NULL;
|
struct net_device *physoutdev = NULL;
|
||||||
#endif
|
#endif
|
||||||
struct nf_queue_rerouter *rerouter;
|
struct nf_afinfo *afinfo;
|
||||||
|
|
||||||
/* QUEUE == DROP if noone is waiting, to be safe. */
|
/* QUEUE == DROP if noone is waiting, to be safe. */
|
||||||
read_lock(&queue_handler_lock);
|
read_lock(&queue_handler_lock);
|
||||||
|
@ -126,7 +99,14 @@ int nf_queue(struct sk_buff **skb,
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
info = kmalloc(sizeof(*info)+queue_rerouter[pf]->rer_size, GFP_ATOMIC);
|
afinfo = nf_get_afinfo(pf);
|
||||||
|
if (!afinfo) {
|
||||||
|
read_unlock(&queue_handler_lock);
|
||||||
|
kfree_skb(*skb);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
info = kmalloc(sizeof(*info) + afinfo->route_key_size, GFP_ATOMIC);
|
||||||
if (!info) {
|
if (!info) {
|
||||||
if (net_ratelimit())
|
if (net_ratelimit())
|
||||||
printk(KERN_ERR "OOM queueing packet %p\n",
|
printk(KERN_ERR "OOM queueing packet %p\n",
|
||||||
|
@ -158,10 +138,7 @@ int nf_queue(struct sk_buff **skb,
|
||||||
if (physoutdev) dev_hold(physoutdev);
|
if (physoutdev) dev_hold(physoutdev);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
rerouter = rcu_dereference(queue_rerouter[pf]);
|
afinfo->saveroute(*skb, info);
|
||||||
if (rerouter)
|
|
||||||
rerouter->save(*skb, info);
|
|
||||||
|
|
||||||
status = queue_handler[pf]->outfn(*skb, info, queuenum,
|
status = queue_handler[pf]->outfn(*skb, info, queuenum,
|
||||||
queue_handler[pf]->data);
|
queue_handler[pf]->data);
|
||||||
|
|
||||||
|
@ -190,7 +167,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
|
||||||
{
|
{
|
||||||
struct list_head *elem = &info->elem->list;
|
struct list_head *elem = &info->elem->list;
|
||||||
struct list_head *i;
|
struct list_head *i;
|
||||||
struct nf_queue_rerouter *rerouter;
|
struct nf_afinfo *afinfo;
|
||||||
|
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
|
|
||||||
|
@ -228,8 +205,8 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (verdict == NF_ACCEPT) {
|
if (verdict == NF_ACCEPT) {
|
||||||
rerouter = rcu_dereference(queue_rerouter[info->pf]);
|
afinfo = nf_get_afinfo(info->pf);
|
||||||
if (rerouter && rerouter->reroute(&skb, info) < 0)
|
if (!afinfo || afinfo->reroute(&skb, info) < 0)
|
||||||
verdict = NF_DROP;
|
verdict = NF_DROP;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue