ec149299926f4f83bca45e9353a83dd139bfb205
1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Tue, 19 Dec 2017 13:53:45 +0100
3 Subject: [PATCH] netfilter: nf_tables: remove nhooks field from struct
4 nft_af_info
5
6 We already validate the hook through bitmask, so this check is
7 superfluous. When removing this, this patch is also fixing a bug in the
8 new flowtable codebase, since ctx->afi points to the table family
9 instead of the netdev family which is where the flowtable is really
10 hooked in.
11
12 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 ---
14
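--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -969,7 +969,6 @@ enum nft_af_flags {
 *
 * @list: used internally
 * @family: address family
- * @nhooks: number of hooks in this family
 * @owner: module owner
 * @tables: used internally
 * @flags: family flags
@@ -977,7 +976,6 @@ enum nft_af_flags {
 struct nft_af_info {
 struct list_head list;
 int family;
- unsigned int nhooks;
 struct module *owner;
 struct list_head tables;
 u32 flags;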
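--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -44,7 +44,6 @@ nft_do_chain_bridge(void *priv,
 
 static struct nft_af_info nft_af_bridge __read_mostly = {
 .family = NFPROTO_BRIDGE,
- .nhooks = NF_BR_NUMHOOKS,
 .owner = THIS_MODULE,
 };
 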
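--- a/net/ipv4/netfilter/nf_tables_arp.c
+++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -29,7 +29,6 @@ nft_do_chain_arp(void *priv,
 
 static struct nft_af_info nft_af_arp __read_mostly = {
 .family = NFPROTO_ARP,
- .nhooks = NF_ARP_NUMHOOKS,
 .owner = THIS_MODULE,
 };
 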
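--- a/net/ipv4/netfilter/nf_tables_ipv4.c
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -32,7 +32,6 @@ static unsigned int nft_do_chain_ipv4(vo
 
 static struct nft_af_info nft_af_ipv4 __read_mostly = {
 .family = NFPROTO_IPV4,
- .nhooks = NF_INET_NUMHOOKS,
 .owner = THIS_MODULE,
 };
 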
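--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -30,7 +30,6 @@ static unsigned int nft_do_chain_ipv6(vo
 
 static struct nft_af_info nft_af_ipv6 __read_mostly = {
 .family = NFPROTO_IPV6,
- .nhooks = NF_INET_NUMHOOKS,
 .owner = THIS_MODULE,
 };
 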
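--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1374,9 +1374,6 @@ static int nft_chain_parse_hook(struct n
 return -EINVAL;
 
 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
- if (hook->num >= afi->nhooks)
- return -EINVAL;
-
 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
 
 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
@@ -5008,7 +5005,7 @@ static int nf_tables_flowtable_parse_hoo
 return -EINVAL;
 
 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
- if (hooknum >= ctx->afi->nhooks)
+ if (hooknum != NF_NETDEV_INGRESS)
 return -EINVAL;
 
 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));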
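Review bot: Dropping `if (hook->num >= afi->nhooks)` in the first hunk (nft_chain_parse_hook) leaves the netlink-supplied hook number with no visible upper bound, because the bitmask validation the commit message relies on lies outside this hunk. If that validation shifts by the hook number, for example `1 << hook->num`, a value of 32 or more makes the shift undefined, so the mask test cannot be trusted to reject it. I would keep a family-independent bound ahead of the mask test, `if (hook->num >= NF_MAX_HOOKS) return -EINVAL;`, with a short comment that it guards the shift. The second hunk's `hooknum != NF_NETDEV_INGRESS` test is already an exact bound and needs no extra guard. Both functions start and end outside their hunks, so the mask test should be confirmed against the full source.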
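--- a/net/netfilter/nf_tables_inet.c
+++ b/net/netfilter/nf_tables_inet.c
@@ -40,7 +40,6 @@ static unsigned int nft_do_chain_inet(vo
 
 static struct nft_af_info nft_af_inet __read_mostly = {
 .family = NFPROTO_INET,
- .nhooks = NF_INET_NUMHOOKS,
 .owner = THIS_MODULE,
 };
 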
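--- a/net/netfilter/nf_tables_netdev.c
+++ b/net/netfilter/nf_tables_netdev.c
@@ -40,7 +40,6 @@ nft_do_chain_netdev(void *priv, struct s
 
 static struct nft_af_info nft_af_netdev __read_mostly = {
 .family = NFPROTO_NETDEV,
- .nhooks = NF_NETDEV_NUMHOOKS,
 .owner = THIS_MODULE,
 .flags = NFT_AF_NEEDS_DEV,
 };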