Commit 795aa6ef authored by Patrick McHardy's avatar Patrick McHardy Committed by Pablo Neira Ayuso
Browse files

netfilter: pass hook ops to hookfn 



Pass the hook ops to the hookfn to allow for generic hook
functions. This change is required by nf_tables.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent ccdbb6e9

include/linux/netfilter.h

+2 −1
Original line number Diff line number Diff line
@@ -42,7 +42,8 @@ int netfilter_init(void); 


struct sk_buff;



typedef unsigned int nf_hookfn(unsigned int hooknum,

struct nf_hook_ops;

typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops,

			       struct sk_buff *skb,

			       const struct net_device *in,

			       const struct net_device *out,

net/bridge/br_netfilter.c

+14 −8
Original line number Diff line number Diff line
@@ -619,7 +619,7 @@ static int check_hbh_len(struct sk_buff *skb) 


/* Replicate the checks that IPv6 does on packet reception and pass the packet

 * to ip6tables, which doesn't support NAT, so things are fairly simple. */

static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,

static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,

					   struct sk_buff *skb,

					   const struct net_device *in,

					   const struct net_device *out,
@@ -669,7 +669,8 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook, 
 * receiving device) to make netfilter happy, the REDIRECT

 * target in particular.  Save the original destination IP

 * address to be able to detect DNAT afterwards. */

static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,

static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,

				      struct sk_buff *skb,

				      const struct net_device *in,

				      const struct net_device *out,

				      int (*okfn)(struct sk_buff *))
@@ -691,7 +692,7 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb, 
			return NF_ACCEPT;



		nf_bridge_pull_encap_header_rcsum(skb);

		return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);

		return br_nf_pre_routing_ipv6(ops, skb, in, out, okfn);

	}



	if (!brnf_call_iptables && !br->nf_call_iptables)
@@ -727,7 +728,8 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb, 
 * took place when the packet entered the bridge), but we

 * register an IPv4 PRE_ROUTING 'sabotage' hook that will

 * prevent this from happening. */

static unsigned int br_nf_local_in(unsigned int hook, struct sk_buff *skb,

static unsigned int br_nf_local_in(const struct nf_hook_ops *ops,

				   struct sk_buff *skb,

				   const struct net_device *in,

				   const struct net_device *out,

				   int (*okfn)(struct sk_buff *))
@@ -765,7 +767,8 @@ static int br_nf_forward_finish(struct sk_buff *skb) 
 * but we are still able to filter on the 'real' indev/outdev

 * because of the physdev module. For ARP, indev and outdev are the

 * bridge ports. */

static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,

static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,

				     struct sk_buff *skb,

				     const struct net_device *in,

				     const struct net_device *out,

				     int (*okfn)(struct sk_buff *))
@@ -818,7 +821,8 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb, 
	return NF_STOLEN;

}



static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,

static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,

				      struct sk_buff *skb,

				      const struct net_device *in,

				      const struct net_device *out,

				      int (*okfn)(struct sk_buff *))
@@ -878,7 +882,8 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb) 
#endif



/* PF_BRIDGE/POST_ROUTING ********************************************/

static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,

static unsigned int br_nf_post_routing(const struct nf_hook_ops *ops,

				       struct sk_buff *skb,

				       const struct net_device *in,

				       const struct net_device *out,

				       int (*okfn)(struct sk_buff *))
@@ -923,7 +928,8 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb, 
/* IP/SABOTAGE *****************************************************/

/* Don't hand locally destined packets to PF_INET(6)/PRE_ROUTING

 * for the second time. */

static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb,

static unsigned int ip_sabotage_in(const struct nf_hook_ops *ops,

				   struct sk_buff *skb,

				   const struct net_device *in,

				   const struct net_device *out,

				   int (*okfn)(struct sk_buff *))

net/bridge/netfilter/ebtable_filter.c

+10 −6
Original line number Diff line number Diff line
@@ -60,17 +60,21 @@ static const struct ebt_table frame_filter = 
};



static unsigned int

ebt_in_hook(unsigned int hook, struct sk_buff *skb, const struct net_device *in,

   const struct net_device *out, int (*okfn)(struct sk_buff *))

ebt_in_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,

	    const struct net_device *in, const struct net_device *out,

	    int (*okfn)(struct sk_buff *))

{

	return ebt_do_table(hook, skb, in, out, dev_net(in)->xt.frame_filter);

	return ebt_do_table(ops->hooknum, skb, in, out,

			    dev_net(in)->xt.frame_filter);

}



static unsigned int

ebt_out_hook(unsigned int hook, struct sk_buff *skb, const struct net_device *in,

   const struct net_device *out, int (*okfn)(struct sk_buff *))

ebt_out_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,

	     const struct net_device *in, const struct net_device *out,

	     int (*okfn)(struct sk_buff *))

{

	return ebt_do_table(hook, skb, in, out, dev_net(out)->xt.frame_filter);

	return ebt_do_table(ops->hooknum, skb, in, out,

			    dev_net(out)->xt.frame_filter);

}



static struct nf_hook_ops ebt_ops_filter[] __read_mostly = {

net/bridge/netfilter/ebtable_nat.c

+10 −6
Original line number Diff line number Diff line
@@ -60,17 +60,21 @@ static struct ebt_table frame_nat = 
};



static unsigned int

ebt_nat_in(unsigned int hook, struct sk_buff *skb, const struct net_device *in

   , const struct net_device *out, int (*okfn)(struct sk_buff *))

ebt_nat_in(const struct nf_hook_ops *ops, struct sk_buff *skb,

	   const struct net_device *in, const struct net_device *out,

	   int (*okfn)(struct sk_buff *))

{

	return ebt_do_table(hook, skb, in, out, dev_net(in)->xt.frame_nat);

	return ebt_do_table(ops->hooknum, skb, in, out,

			    dev_net(in)->xt.frame_nat);

}



static unsigned int

ebt_nat_out(unsigned int hook, struct sk_buff *skb, const struct net_device *in

   , const struct net_device *out, int (*okfn)(struct sk_buff *))

ebt_nat_out(const struct nf_hook_ops *ops, struct sk_buff *skb,

	    const struct net_device *in, const struct net_device *out,

	    int (*okfn)(struct sk_buff *))

{

	return ebt_do_table(hook, skb, in, out, dev_net(out)->xt.frame_nat);

	return ebt_do_table(ops->hooknum, skb, in, out,

			    dev_net(out)->xt.frame_nat);

}



static struct nf_hook_ops ebt_ops_nat[] __read_mostly = {

net/decnet/netfilter/dn_rtmsg.c

+1 −1
Original line number Diff line number Diff line
@@ -87,7 +87,7 @@ static void dnrmg_send_peer(struct sk_buff *skb) 
}





static unsigned int dnrmg_hook(unsigned int hook,

static unsigned int dnrmg_hook(const struct nf_hook_ops *ops,

			struct sk_buff *skb,

			const struct net_device *in,

			const struct net_device *out,