netfilter: nf_tables: minor nf_chain_type cleanups
Minor nf_chain_type cleanups: - reorder struct to plug a hole - rename struct module member to "owner" for consistency - rename nf_hookfn array to "hooks" for consistency - reorder initializers for better readability Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
2a37d755b8
commit
fa2c1de0bb
|
@ -498,13 +498,23 @@ struct nft_af_info {
|
||||||
int nft_register_afinfo(struct net *, struct nft_af_info *);
|
int nft_register_afinfo(struct net *, struct nft_af_info *);
|
||||||
void nft_unregister_afinfo(struct nft_af_info *);
|
void nft_unregister_afinfo(struct nft_af_info *);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* struct nf_chain_type - nf_tables chain type info
|
||||||
|
*
|
||||||
|
* @name: name of the type
|
||||||
|
* @type: numeric identifier
|
||||||
|
* @family: address family
|
||||||
|
* @owner: module owner
|
||||||
|
* @hook_mask: mask of valid hooks
|
||||||
|
* @hooks: hookfn overrides
|
||||||
|
*/
|
||||||
struct nf_chain_type {
|
struct nf_chain_type {
|
||||||
unsigned int hook_mask;
|
const char *name;
|
||||||
const char *name;
|
enum nft_chain_type type;
|
||||||
enum nft_chain_type type;
|
int family;
|
||||||
nf_hookfn *fn[NF_MAX_HOOKS];
|
struct module *owner;
|
||||||
struct module *me;
|
unsigned int hook_mask;
|
||||||
int family;
|
nf_hookfn *hooks[NF_MAX_HOOKS];
|
||||||
};
|
};
|
||||||
|
|
||||||
int nft_register_chain_type(const struct nf_chain_type *);
|
int nft_register_chain_type(const struct nf_chain_type *);
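Review bot: The new kernel-doc block on struct nf_chain_type does not say how `hook_mask` and `hooks` relate, although the nf_tables_newchain hunk on this page depends on that relationship. That hunk tests `type->hook_mask & (1 << hooknum)` and then reads `type->hooks[hooknum]`, so both members are keyed by the same hook number. I would spell that out, e.g. `@hook_mask: bitmask of hook numbers this type may attach to (bit n = hook n)` and `@hooks: optional per-hook hookfn overrides, indexed by hook number`. What an unset `hooks` entry means is not visible in this section, so that part of the comment should be added once it is confirmed against the caller.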
|
||||||
|
|
|
@ -69,10 +69,10 @@ static struct pernet_operations nf_tables_bridge_net_ops = {
|
||||||
};
|
};
|
||||||
|
|
||||||
static const struct nf_chain_type filter_bridge = {
|
static const struct nf_chain_type filter_bridge = {
|
||||||
.family = NFPROTO_BRIDGE,
|
|
||||||
.name = "filter",
|
.name = "filter",
|
||||||
.type = NFT_CHAIN_T_DEFAULT,
|
.type = NFT_CHAIN_T_DEFAULT,
|
||||||
.me = THIS_MODULE,
|
.family = NFPROTO_BRIDGE,
|
||||||
|
.owner = THIS_MODULE,
|
||||||
.hook_mask = (1 << NF_BR_LOCAL_IN) |
|
.hook_mask = (1 << NF_BR_LOCAL_IN) |
|
||||||
(1 << NF_BR_FORWARD) |
|
(1 << NF_BR_FORWARD) |
|
||||||
(1 << NF_BR_LOCAL_OUT),
|
(1 << NF_BR_LOCAL_OUT),
|
||||||
|
|
|
@ -69,10 +69,10 @@ static struct pernet_operations nf_tables_arp_net_ops = {
|
||||||
};
|
};
|
||||||
|
|
||||||
static const struct nf_chain_type filter_arp = {
|
static const struct nf_chain_type filter_arp = {
|
||||||
.family = NFPROTO_ARP,
|
|
||||||
.name = "filter",
|
.name = "filter",
|
||||||
.type = NFT_CHAIN_T_DEFAULT,
|
.type = NFT_CHAIN_T_DEFAULT,
|
||||||
.me = THIS_MODULE,
|
.family = NFPROTO_ARP,
|
||||||
|
.owner = THIS_MODULE,
|
||||||
.hook_mask = (1 << NF_ARP_IN) |
|
.hook_mask = (1 << NF_ARP_IN) |
|
||||||
(1 << NF_ARP_OUT) |
|
(1 << NF_ARP_OUT) |
|
||||||
(1 << NF_ARP_FORWARD),
|
(1 << NF_ARP_FORWARD),
|
||||||
|
|
|
@ -92,10 +92,10 @@ static struct pernet_operations nf_tables_ipv4_net_ops = {
|
||||||
};
|
};
|
||||||
|
|
||||||
static const struct nf_chain_type filter_ipv4 = {
|
static const struct nf_chain_type filter_ipv4 = {
|
||||||
.family = NFPROTO_IPV4,
|
|
||||||
.name = "filter",
|
.name = "filter",
|
||||||
.type = NFT_CHAIN_T_DEFAULT,
|
.type = NFT_CHAIN_T_DEFAULT,
|
||||||
.me = THIS_MODULE,
|
.family = NFPROTO_IPV4,
|
||||||
|
.owner = THIS_MODULE,
|
||||||
.hook_mask = (1 << NF_INET_LOCAL_IN) |
|
.hook_mask = (1 << NF_INET_LOCAL_IN) |
|
||||||
(1 << NF_INET_LOCAL_OUT) |
|
(1 << NF_INET_LOCAL_OUT) |
|
||||||
(1 << NF_INET_FORWARD) |
|
(1 << NF_INET_FORWARD) |
|
||||||
|
|
|
@ -165,20 +165,20 @@ static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
|
||||||
}
|
}
|
||||||
|
|
||||||
static const struct nf_chain_type nft_chain_nat_ipv4 = {
|
static const struct nf_chain_type nft_chain_nat_ipv4 = {
|
||||||
.family = NFPROTO_IPV4,
|
|
||||||
.name = "nat",
|
.name = "nat",
|
||||||
.type = NFT_CHAIN_T_NAT,
|
.type = NFT_CHAIN_T_NAT,
|
||||||
|
.family = NFPROTO_IPV4,
|
||||||
|
.owner = THIS_MODULE,
|
||||||
.hook_mask = (1 << NF_INET_PRE_ROUTING) |
|
.hook_mask = (1 << NF_INET_PRE_ROUTING) |
|
||||||
(1 << NF_INET_POST_ROUTING) |
|
(1 << NF_INET_POST_ROUTING) |
|
||||||
(1 << NF_INET_LOCAL_OUT) |
|
(1 << NF_INET_LOCAL_OUT) |
|
||||||
(1 << NF_INET_LOCAL_IN),
|
(1 << NF_INET_LOCAL_IN),
|
||||||
.fn = {
|
.hooks = {
|
||||||
[NF_INET_PRE_ROUTING] = nf_nat_prerouting,
|
[NF_INET_PRE_ROUTING] = nf_nat_prerouting,
|
||||||
[NF_INET_POST_ROUTING] = nf_nat_postrouting,
|
[NF_INET_POST_ROUTING] = nf_nat_postrouting,
|
||||||
[NF_INET_LOCAL_OUT] = nf_nat_output,
|
[NF_INET_LOCAL_OUT] = nf_nat_output,
|
||||||
[NF_INET_LOCAL_IN] = nf_nat_fn,
|
[NF_INET_LOCAL_IN] = nf_nat_fn,
|
||||||
},
|
},
|
||||||
.me = THIS_MODULE,
|
|
||||||
};
|
};
|
||||||
|
|
||||||
static int __init nft_chain_nat_init(void)
|
static int __init nft_chain_nat_init(void)
|
||||||
|
|
|
@ -62,14 +62,14 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
|
||||||
}
|
}
|
||||||
|
|
||||||
static const struct nf_chain_type nft_chain_route_ipv4 = {
|
static const struct nf_chain_type nft_chain_route_ipv4 = {
|
||||||
.family = NFPROTO_IPV4,
|
|
||||||
.name = "route",
|
.name = "route",
|
||||||
.type = NFT_CHAIN_T_ROUTE,
|
.type = NFT_CHAIN_T_ROUTE,
|
||||||
|
.family = NFPROTO_IPV4,
|
||||||
|
.owner = THIS_MODULE,
|
||||||
.hook_mask = (1 << NF_INET_LOCAL_OUT),
|
.hook_mask = (1 << NF_INET_LOCAL_OUT),
|
||||||
.fn = {
|
.hooks = {
|
||||||
[NF_INET_LOCAL_OUT] = nf_route_table_hook,
|
[NF_INET_LOCAL_OUT] = nf_route_table_hook,
|
||||||
},
|
},
|
||||||
.me = THIS_MODULE,
|
|
||||||
};
|
};
|
||||||
|
|
||||||
static int __init nft_chain_route_init(void)
|
static int __init nft_chain_route_init(void)
|
||||||
|
|
|
@ -91,10 +91,10 @@ static struct pernet_operations nf_tables_ipv6_net_ops = {
|
||||||
};
|
};
|
||||||
|
|
||||||
static const struct nf_chain_type filter_ipv6 = {
|
static const struct nf_chain_type filter_ipv6 = {
|
||||||
.family = NFPROTO_IPV6,
|
|
||||||
.name = "filter",
|
.name = "filter",
|
||||||
.type = NFT_CHAIN_T_DEFAULT,
|
.type = NFT_CHAIN_T_DEFAULT,
|
||||||
.me = THIS_MODULE,
|
.family = NFPROTO_IPV6,
|
||||||
|
.owner = THIS_MODULE,
|
||||||
.hook_mask = (1 << NF_INET_LOCAL_IN) |
|
.hook_mask = (1 << NF_INET_LOCAL_IN) |
|
||||||
(1 << NF_INET_LOCAL_OUT) |
|
(1 << NF_INET_LOCAL_OUT) |
|
||||||
(1 << NF_INET_FORWARD) |
|
(1 << NF_INET_FORWARD) |
|
||||||
|
|
|
@ -171,20 +171,20 @@ static unsigned int nf_nat_ipv6_output(const struct nf_hook_ops *ops,
|
||||||
}
|
}
|
||||||
|
|
||||||
static const struct nf_chain_type nft_chain_nat_ipv6 = {
|
static const struct nf_chain_type nft_chain_nat_ipv6 = {
|
||||||
.family = NFPROTO_IPV6,
|
|
||||||
.name = "nat",
|
.name = "nat",
|
||||||
.type = NFT_CHAIN_T_NAT,
|
.type = NFT_CHAIN_T_NAT,
|
||||||
|
.family = NFPROTO_IPV6,
|
||||||
|
.owner = THIS_MODULE,
|
||||||
.hook_mask = (1 << NF_INET_PRE_ROUTING) |
|
.hook_mask = (1 << NF_INET_PRE_ROUTING) |
|
||||||
(1 << NF_INET_POST_ROUTING) |
|
(1 << NF_INET_POST_ROUTING) |
|
||||||
(1 << NF_INET_LOCAL_OUT) |
|
(1 << NF_INET_LOCAL_OUT) |
|
||||||
(1 << NF_INET_LOCAL_IN),
|
(1 << NF_INET_LOCAL_IN),
|
||||||
.fn = {
|
.hooks = {
|
||||||
[NF_INET_PRE_ROUTING] = nf_nat_ipv6_prerouting,
|
[NF_INET_PRE_ROUTING] = nf_nat_ipv6_prerouting,
|
||||||
[NF_INET_POST_ROUTING] = nf_nat_ipv6_postrouting,
|
[NF_INET_POST_ROUTING] = nf_nat_ipv6_postrouting,
|
||||||
[NF_INET_LOCAL_OUT] = nf_nat_ipv6_output,
|
[NF_INET_LOCAL_OUT] = nf_nat_ipv6_output,
|
||||||
[NF_INET_LOCAL_IN] = nf_nat_ipv6_fn,
|
[NF_INET_LOCAL_IN] = nf_nat_ipv6_fn,
|
||||||
},
|
},
|
||||||
.me = THIS_MODULE,
|
|
||||||
};
|
};
|
||||||
|
|
||||||
static int __init nft_chain_nat_ipv6_init(void)
|
static int __init nft_chain_nat_ipv6_init(void)
|
||||||
|
|
|
@ -60,14 +60,14 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
|
||||||
}
|
}
|
||||||
|
|
||||||
static const struct nf_chain_type nft_chain_route_ipv6 = {
|
static const struct nf_chain_type nft_chain_route_ipv6 = {
|
||||||
.family = NFPROTO_IPV6,
|
|
||||||
.name = "route",
|
.name = "route",
|
||||||
.type = NFT_CHAIN_T_ROUTE,
|
.type = NFT_CHAIN_T_ROUTE,
|
||||||
|
.family = NFPROTO_IPV6,
|
||||||
|
.owner = THIS_MODULE,
|
||||||
.hook_mask = (1 << NF_INET_LOCAL_OUT),
|
.hook_mask = (1 << NF_INET_LOCAL_OUT),
|
||||||
.fn = {
|
.hooks = {
|
||||||
[NF_INET_LOCAL_OUT] = nf_route_table_hook,
|
[NF_INET_LOCAL_OUT] = nf_route_table_hook,
|
||||||
},
|
},
|
||||||
.me = THIS_MODULE,
|
|
||||||
};
|
};
|
||||||
|
|
||||||
static int __init nft_chain_route_init(void)
|
static int __init nft_chain_route_init(void)
|
||||||
|
|
|
@ -929,9 +929,9 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
|
||||||
|
|
||||||
if (!(type->hook_mask & (1 << hooknum)))
|
if (!(type->hook_mask & (1 << hooknum)))
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
if (!try_module_get(type->me))
|
if (!try_module_get(type->owner))
|
||||||
return -ENOENT;
|
return -ENOENT;
|
||||||
hookfn = type->fn[hooknum];
|
hookfn = type->hooks[hooknum];
|
||||||
|
|
||||||
basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
|
basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
|
||||||
if (basechain == NULL)
|
if (basechain == NULL)
|
||||||
|
@ -941,7 +941,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
|
||||||
err = nf_tables_counters(basechain,
|
err = nf_tables_counters(basechain,
|
||||||
nla[NFTA_CHAIN_COUNTERS]);
|
nla[NFTA_CHAIN_COUNTERS]);
|
||||||
if (err < 0) {
|
if (err < 0) {
|
||||||
module_put(type->me);
|
module_put(type->owner);
|
||||||
kfree(basechain);
|
kfree(basechain);
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
@ -950,7 +950,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
|
||||||
|
|
||||||
newstats = alloc_percpu(struct nft_stats);
|
newstats = alloc_percpu(struct nft_stats);
|
||||||
if (newstats == NULL) {
|
if (newstats == NULL) {
|
||||||
module_put(type->me);
|
module_put(type->owner);
|
||||||
kfree(basechain);
|
kfree(basechain);
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
}
|
}
|
||||||
|
@ -992,7 +992,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
|
||||||
chain->flags & NFT_BASE_CHAIN) {
|
chain->flags & NFT_BASE_CHAIN) {
|
||||||
err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
|
err = nf_register_hooks(nft_base_chain(chain)->ops, afi->nops);
|
||||||
if (err < 0) {
|
if (err < 0) {
|
||||||
module_put(basechain->type->me);
|
module_put(basechain->type->owner);
|
||||||
free_percpu(basechain->stats);
|
free_percpu(basechain->stats);
|
||||||
kfree(basechain);
|
kfree(basechain);
|
||||||
return err;
|
return err;
|
||||||
|
@ -1013,7 +1013,7 @@ static void nf_tables_rcu_chain_destroy(struct rcu_head *head)
|
||||||
BUG_ON(chain->use > 0);
|
BUG_ON(chain->use > 0);
|
||||||
|
|
||||||
if (chain->flags & NFT_BASE_CHAIN) {
|
if (chain->flags & NFT_BASE_CHAIN) {
|
||||||
module_put(nft_base_chain(chain)->type->me);
|
module_put(nft_base_chain(chain)->type->owner);
|
||||||
free_percpu(nft_base_chain(chain)->stats);
|
free_percpu(nft_base_chain(chain)->stats);
|
||||||
kfree(nft_base_chain(chain));
|
kfree(nft_base_chain(chain));
|
||||||
} else
|
} else
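Review bot: In the first nf_tables_newchain hunk, the reference taken by `try_module_get(type->owner)` must be dropped on every later failure, but the `if (basechain == NULL)` branch after `kzalloc()` is cut off by the hunk, so its body cannot be checked here. The later error paths in this section call `module_put(type->owner)` before `kfree(basechain)`. If the allocation-failure branch is a bare `return -ENOMEM;`, it should become `{ module_put(type->owner); return -ENOMEM; }`. Separately, `1 << hooknum` and `type->hooks[hooknum]` both rely on `hooknum` having been range-checked before the hunk starts. A short comment above the mask test naming that check would make the bound visible to the next reader.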
|
||||||
|
|
|
@ -67,10 +67,10 @@ static struct pernet_operations nf_tables_inet_net_ops = {
|
||||||
};
|
};
|
||||||
|
|
||||||
static const struct nf_chain_type filter_inet = {
|
static const struct nf_chain_type filter_inet = {
|
||||||
.family = NFPROTO_INET,
|
|
||||||
.name = "filter",
|
.name = "filter",
|
||||||
.type = NFT_CHAIN_T_DEFAULT,
|
.type = NFT_CHAIN_T_DEFAULT,
|
||||||
.me = THIS_MODULE,
|
.family = NFPROTO_INET,
|
||||||
|
.owner = THIS_MODULE,
|
||||||
.hook_mask = (1 << NF_INET_LOCAL_IN) |
|
.hook_mask = (1 << NF_INET_LOCAL_IN) |
|
||||||
(1 << NF_INET_LOCAL_OUT) |
|
(1 << NF_INET_LOCAL_OUT) |
|
||||||
(1 << NF_INET_FORWARD) |
|
(1 << NF_INET_FORWARD) |
|
||||||
|
|