aboutsummaryrefslogtreecommitdiffstats
path: root/target/linux/generic/backport-4.14/312-netfilter-nf_tables-remove-hooks-from-family-definit.patch
diff options
context:
space:
mode:
Diffstat (limited to 'target/linux/generic/backport-4.14/312-netfilter-nf_tables-remove-hooks-from-family-definit.patch')
-rw-r--r--target/linux/generic/backport-4.14/312-netfilter-nf_tables-remove-hooks-from-family-definit.patch233
1 files changed, 233 insertions, 0 deletions
diff --git a/target/linux/generic/backport-4.14/312-netfilter-nf_tables-remove-hooks-from-family-definit.patch b/target/linux/generic/backport-4.14/312-netfilter-nf_tables-remove-hooks-from-family-definit.patch
new file mode 100644
index 0000000000..dd969c12a6
--- /dev/null
+++ b/target/linux/generic/backport-4.14/312-netfilter-nf_tables-remove-hooks-from-family-definit.patch
@@ -0,0 +1,233 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 9 Dec 2017 15:43:17 +0100
+Subject: [PATCH] netfilter: nf_tables: remove hooks from family definition
+
+They don't belong to the family definition, move them to the filter
+chain type definition instead.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -870,7 +870,7 @@ enum nft_chain_type {
+ * @family: address family
+ * @owner: module owner
+ * @hook_mask: mask of valid hooks
+- * @hooks: hookfn overrides
++ * @hooks: array of hook functions
+ */
+ struct nf_chain_type {
+ const char *name;
+@@ -964,7 +964,6 @@ enum nft_af_flags {
+ * @owner: module owner
+ * @tables: used internally
+ * @flags: family flags
+- * @hooks: hookfn overrides for packet validation
+ */
+ struct nft_af_info {
+ struct list_head list;
+@@ -973,7 +972,6 @@ struct nft_af_info {
+ struct module *owner;
+ struct list_head tables;
+ u32 flags;
+- nf_hookfn *hooks[NF_MAX_HOOKS];
+ };
+
+ int nft_register_afinfo(struct net *, struct nft_af_info *);
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge
+ .family = NFPROTO_BRIDGE,
+ .nhooks = NF_BR_NUMHOOKS,
+ .owner = THIS_MODULE,
+- .hooks = {
+- [NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
+- [NF_BR_LOCAL_IN] = nft_do_chain_bridge,
+- [NF_BR_FORWARD] = nft_do_chain_bridge,
+- [NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
+- [NF_BR_POST_ROUTING] = nft_do_chain_bridge,
+- },
+ };
+
+ static int nf_tables_bridge_init_net(struct net *net)
+@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
+ (1 << NF_BR_FORWARD) |
+ (1 << NF_BR_LOCAL_OUT) |
+ (1 << NF_BR_POST_ROUTING),
++ .hooks = {
++ [NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
++ [NF_BR_LOCAL_IN] = nft_do_chain_bridge,
++ [NF_BR_FORWARD] = nft_do_chain_bridge,
++ [NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
++ [NF_BR_POST_ROUTING] = nft_do_chain_bridge,
++ },
+ };
+
+ static int __init nf_tables_bridge_init(void)
+--- a/net/ipv4/netfilter/nf_tables_arp.c
++++ b/net/ipv4/netfilter/nf_tables_arp.c
+@@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __r
+ .family = NFPROTO_ARP,
+ .nhooks = NF_ARP_NUMHOOKS,
+ .owner = THIS_MODULE,
+- .hooks = {
+- [NF_ARP_IN] = nft_do_chain_arp,
+- [NF_ARP_OUT] = nft_do_chain_arp,
+- },
+ };
+
+ static int nf_tables_arp_init_net(struct net *net)
+@@ -72,6 +68,10 @@ static const struct nf_chain_type filter
+ .owner = THIS_MODULE,
+ .hook_mask = (1 << NF_ARP_IN) |
+ (1 << NF_ARP_OUT),
++ .hooks = {
++ [NF_ARP_IN] = nft_do_chain_arp,
++ [NF_ARP_OUT] = nft_do_chain_arp,
++ },
+ };
+
+ static int __init nf_tables_arp_init(void)
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __
+ .family = NFPROTO_IPV4,
+ .nhooks = NF_INET_NUMHOOKS,
+ .owner = THIS_MODULE,
+- .hooks = {
+- [NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
+- [NF_INET_LOCAL_OUT] = nft_ipv4_output,
+- [NF_INET_FORWARD] = nft_do_chain_ipv4,
+- [NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
+- [NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
+- },
+ };
+
+ static int nf_tables_ipv4_init_net(struct net *net)
+@@ -96,6 +89,13 @@ static const struct nf_chain_type filter
+ (1 << NF_INET_FORWARD) |
+ (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_POST_ROUTING),
++ .hooks = {
++ [NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
++ [NF_INET_LOCAL_OUT] = nft_ipv4_output,
++ [NF_INET_FORWARD] = nft_do_chain_ipv4,
++ [NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
++ [NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
++ },
+ };
+
+ static int __init nf_tables_ipv4_init(void)
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __
+ .family = NFPROTO_IPV6,
+ .nhooks = NF_INET_NUMHOOKS,
+ .owner = THIS_MODULE,
+- .hooks = {
+- [NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
+- [NF_INET_LOCAL_OUT] = nft_ipv6_output,
+- [NF_INET_FORWARD] = nft_do_chain_ipv6,
+- [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
+- [NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
+- },
+ };
+
+ static int nf_tables_ipv6_init_net(struct net *net)
+@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
+ (1 << NF_INET_FORWARD) |
+ (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_POST_ROUTING),
++ .hooks = {
++ [NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
++ [NF_INET_LOCAL_OUT] = nft_ipv6_output,
++ [NF_INET_FORWARD] = nft_do_chain_ipv6,
++ [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
++ [NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
++ },
+ };
+
+ static int __init nf_tables_ipv6_init(void)
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1352,7 +1352,6 @@ static int nf_tables_addchain(struct nft
+ if (nla[NFTA_CHAIN_HOOK]) {
+ struct nft_chain_hook hook;
+ struct nf_hook_ops *ops;
+- nf_hookfn *hookfn;
+
+ err = nft_chain_parse_hook(net, nla, afi, &hook, create);
+ if (err < 0)
+@@ -1378,7 +1377,6 @@ static int nf_tables_addchain(struct nft
+ static_branch_inc(&nft_counters_enabled);
+ }
+
+- hookfn = hook.type->hooks[hook.num];
+ basechain->type = hook.type;
+ chain = &basechain->chain;
+
+@@ -1387,10 +1385,8 @@ static int nf_tables_addchain(struct nft
+ ops->hooknum = hook.num;
+ ops->priority = hook.priority;
+ ops->priv = chain;
+- ops->hook = afi->hooks[ops->hooknum];
++ ops->hook = hook.type->hooks[ops->hooknum];
+ ops->dev = hook.dev;
+- if (hookfn)
+- ops->hook = hookfn;
+
+ if (basechain->type->type == NFT_CHAIN_T_NAT)
+ ops->nat_hook = true;
+--- a/net/netfilter/nf_tables_inet.c
++++ b/net/netfilter/nf_tables_inet.c
+@@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __
+ .family = NFPROTO_INET,
+ .nhooks = NF_INET_NUMHOOKS,
+ .owner = THIS_MODULE,
+- .hooks = {
+- [NF_INET_LOCAL_IN] = nft_do_chain_inet,
+- [NF_INET_LOCAL_OUT] = nft_inet_output,
+- [NF_INET_FORWARD] = nft_do_chain_inet,
+- [NF_INET_PRE_ROUTING] = nft_do_chain_inet,
+- [NF_INET_POST_ROUTING] = nft_do_chain_inet,
+- },
+ };
+
+ static int __net_init nf_tables_inet_init_net(struct net *net)
+@@ -121,6 +114,13 @@ static const struct nf_chain_type filter
+ (1 << NF_INET_FORWARD) |
+ (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_POST_ROUTING),
++ .hooks = {
++ [NF_INET_LOCAL_IN] = nft_do_chain_inet,
++ [NF_INET_LOCAL_OUT] = nft_inet_output,
++ [NF_INET_FORWARD] = nft_do_chain_inet,
++ [NF_INET_PRE_ROUTING] = nft_do_chain_inet,
++ [NF_INET_POST_ROUTING] = nft_do_chain_inet,
++ },
+ };
+
+ static int __init nf_tables_inet_init(void)
+--- a/net/netfilter/nf_tables_netdev.c
++++ b/net/netfilter/nf_tables_netdev.c
+@@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev
+ .nhooks = NF_NETDEV_NUMHOOKS,
+ .owner = THIS_MODULE,
+ .flags = NFT_AF_NEEDS_DEV,
+- .hooks = {
+- [NF_NETDEV_INGRESS] = nft_do_chain_netdev,
+- },
+ };
+
+ static int nf_tables_netdev_init_net(struct net *net)
+@@ -82,6 +79,9 @@ static const struct nf_chain_type nft_fi
+ .family = NFPROTO_NETDEV,
+ .owner = THIS_MODULE,
+ .hook_mask = (1 << NF_NETDEV_INGRESS),
++ .hooks = {
++ [NF_NETDEV_INGRESS] = nft_do_chain_netdev,
++ },
+ };
+
+ static void nft_netdev_event(unsigned long event, struct net_device *dev,
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-12 20:18:42 +0000