Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

[NETFILTER]: Clean up hook registration

Browse source 
Clean up hook registration by makeing use of the new mass registration and
unregistration helpers.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy 2006-04-06 14:09:49 -07:00 committed by David S. Miller
parent 972d1cb142
commit 964ddaa10d
11 changed files with 253 additions and 579 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
net/ipv4/netfilter/arptable_filter.c
View file

@ -181,33 +181,26 @@ static struct nf_hook_ops arpt_ops[] = {
static int __init arptable_filter_init(void) static int __init arptable_filter_init(void)
{ {
int ret, i; int ret;
/* Register table */ /* Register table */
ret = arpt_register_table(&packet_filter, &initial_table.repl); ret = arpt_register_table(&packet_filter, &initial_table.repl);
if (ret < 0) if (ret < 0)
return ret; return ret;
for (i = 0; i < ARRAY_SIZE(arpt_ops); i++) ret = nf_register_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
if ((ret = nf_register_hook(&arpt_ops[i])) < 0) if (ret < 0)
goto cleanup_hooks; goto cleanup_table;
return ret; return ret;
cleanup_hooks: cleanup_table:
while (--i >= 0)
nf_unregister_hook(&arpt_ops[i]);
arpt_unregister_table(&packet_filter); arpt_unregister_table(&packet_filter);
return ret; return ret;
} }
static void __exit arptable_filter_fini(void) static void __exit arptable_filter_fini(void)
{ {
unsigned int i; nf_unregister_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
for (i = 0; i < ARRAY_SIZE(arpt_ops); i++)
nf_unregister_hook(&arpt_ops[i]);
arpt_unregister_table(&packet_filter); arpt_unregister_table(&packet_filter);
} }

180
net/ipv4/netfilter/ip_conntrack_standalone.c
View file

@ -469,70 +469,63 @@ static unsigned int ip_conntrack_local(unsigned int hooknum,
/* Connection tracking may drop packets, but never alters them, so /* Connection tracking may drop packets, but never alters them, so
make it the first hook. */ make it the first hook. */
static struct nf_hook_ops ip_conntrack_defrag_ops = { static struct nf_hook_ops ip_conntrack_ops[] = {
.hook = ip_conntrack_defrag, {
.owner = THIS_MODULE, .hook = ip_conntrack_defrag,
.pf = PF_INET, .owner = THIS_MODULE,
.hooknum = NF_IP_PRE_ROUTING, .pf = PF_INET,
.priority = NF_IP_PRI_CONNTRACK_DEFRAG, .hooknum = NF_IP_PRE_ROUTING,
}; .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
},
static struct nf_hook_ops ip_conntrack_in_ops = { {
.hook = ip_conntrack_in, .hook = ip_conntrack_in,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.pf = PF_INET, .pf = PF_INET,
.hooknum = NF_IP_PRE_ROUTING, .hooknum = NF_IP_PRE_ROUTING,
.priority = NF_IP_PRI_CONNTRACK, .priority = NF_IP_PRI_CONNTRACK,
}; },
{
static struct nf_hook_ops ip_conntrack_defrag_local_out_ops = { .hook = ip_conntrack_defrag,
.hook = ip_conntrack_defrag, .owner = THIS_MODULE,
.owner = THIS_MODULE, .pf = PF_INET,
.pf = PF_INET, .hooknum = NF_IP_LOCAL_OUT,
.hooknum = NF_IP_LOCAL_OUT, .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
.priority = NF_IP_PRI_CONNTRACK_DEFRAG, },
}; {
.hook = ip_conntrack_local,
static struct nf_hook_ops ip_conntrack_local_out_ops = { .owner = THIS_MODULE,
.hook = ip_conntrack_local, .pf = PF_INET,
.owner = THIS_MODULE, .hooknum = NF_IP_LOCAL_OUT,
.pf = PF_INET, .priority = NF_IP_PRI_CONNTRACK,
.hooknum = NF_IP_LOCAL_OUT, },
.priority = NF_IP_PRI_CONNTRACK, {
}; .hook = ip_conntrack_help,
.owner = THIS_MODULE,
/* helpers */ .pf = PF_INET,
static struct nf_hook_ops ip_conntrack_helper_out_ops = { .hooknum = NF_IP_POST_ROUTING,
.hook = ip_conntrack_help, .priority = NF_IP_PRI_CONNTRACK_HELPER,
.owner = THIS_MODULE, },
.pf = PF_INET, {
.hooknum = NF_IP_POST_ROUTING, .hook = ip_conntrack_help,
.priority = NF_IP_PRI_CONNTRACK_HELPER, .owner = THIS_MODULE,
}; .pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
static struct nf_hook_ops ip_conntrack_helper_in_ops = { .priority = NF_IP_PRI_CONNTRACK_HELPER,
.hook = ip_conntrack_help, },
.owner = THIS_MODULE, {
.pf = PF_INET, .hook = ip_confirm,
.hooknum = NF_IP_LOCAL_IN, .owner = THIS_MODULE,
.priority = NF_IP_PRI_CONNTRACK_HELPER, .pf = PF_INET,
}; .hooknum = NF_IP_POST_ROUTING,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
/* Refragmenter; last chance. */ },
static struct nf_hook_ops ip_conntrack_out_ops = { {
.hook = ip_confirm, .hook = ip_confirm,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.pf = PF_INET, .pf = PF_INET,
.hooknum = NF_IP_POST_ROUTING, .hooknum = NF_IP_LOCAL_IN,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM, .priority = NF_IP_PRI_CONNTRACK_CONFIRM,
}; },
static struct nf_hook_ops ip_conntrack_local_in_ops = {
.hook = ip_confirm,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
}; };
/* Sysctl support */ /* Sysctl support */
@ -813,52 +806,17 @@ static int init_or_cleanup(int init)
proc_stat->owner = THIS_MODULE; proc_stat->owner = THIS_MODULE;
#endif #endif
ret = nf_register_hook(&ip_conntrack_defrag_ops); ret = nf_register_hooks(ip_conntrack_ops, ARRAY_SIZE(ip_conntrack_ops));
if (ret < 0) { if (ret < 0) {
printk("ip_conntrack: can't register pre-routing defrag hook.\n"); printk("ip_conntrack: can't register hooks.\n");
goto cleanup_proc_stat; goto cleanup_proc_stat;
} }
ret = nf_register_hook(&ip_conntrack_defrag_local_out_ops);
if (ret < 0) {
printk("ip_conntrack: can't register local_out defrag hook.\n");
goto cleanup_defragops;
}
ret = nf_register_hook(&ip_conntrack_in_ops);
if (ret < 0) {
printk("ip_conntrack: can't register pre-routing hook.\n");
goto cleanup_defraglocalops;
}
ret = nf_register_hook(&ip_conntrack_local_out_ops);
if (ret < 0) {
printk("ip_conntrack: can't register local out hook.\n");
goto cleanup_inops;
}
ret = nf_register_hook(&ip_conntrack_helper_in_ops);
if (ret < 0) {
printk("ip_conntrack: can't register local in helper hook.\n");
goto cleanup_inandlocalops;
}
ret = nf_register_hook(&ip_conntrack_helper_out_ops);
if (ret < 0) {
printk("ip_conntrack: can't register postrouting helper hook.\n");
goto cleanup_helperinops;
}
ret = nf_register_hook(&ip_conntrack_out_ops);
if (ret < 0) {
printk("ip_conntrack: can't register post-routing hook.\n");
goto cleanup_helperoutops;
}
ret = nf_register_hook(&ip_conntrack_local_in_ops);
if (ret < 0) {
printk("ip_conntrack: can't register local in hook.\n");
goto cleanup_inoutandlocalops;
}
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
ip_ct_sysctl_header = register_sysctl_table(ip_ct_net_table, 0); ip_ct_sysctl_header = register_sysctl_table(ip_ct_net_table, 0);
if (ip_ct_sysctl_header == NULL) { if (ip_ct_sysctl_header == NULL) {
printk("ip_conntrack: can't register to sysctl.\n"); printk("ip_conntrack: can't register to sysctl.\n");
ret = -ENOMEM; ret = -ENOMEM;
goto cleanup_localinops; goto cleanup_hooks;
} }
#endif #endif
@ -868,23 +826,9 @@ static int init_or_cleanup(int init)
synchronize_net(); synchronize_net();
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
unregister_sysctl_table(ip_ct_sysctl_header); unregister_sysctl_table(ip_ct_sysctl_header);
cleanup_localinops: cleanup_hooks:
#endif #endif
nf_unregister_hook(&ip_conntrack_local_in_ops); nf_unregister_hooks(ip_conntrack_ops, ARRAY_SIZE(ip_conntrack_ops));
cleanup_inoutandlocalops:
nf_unregister_hook(&ip_conntrack_out_ops);
cleanup_helperoutops:
nf_unregister_hook(&ip_conntrack_helper_out_ops);
cleanup_helperinops:
nf_unregister_hook(&ip_conntrack_helper_in_ops);
cleanup_inandlocalops:
nf_unregister_hook(&ip_conntrack_local_out_ops);
cleanup_inops:
nf_unregister_hook(&ip_conntrack_in_ops);
cleanup_defraglocalops:
nf_unregister_hook(&ip_conntrack_defrag_local_out_ops);
cleanup_defragops:
nf_unregister_hook(&ip_conntrack_defrag_ops);
cleanup_proc_stat: cleanup_proc_stat:
#ifdef CONFIG_PROC_FS #ifdef CONFIG_PROC_FS
remove_proc_entry("ip_conntrack", proc_net_stat); remove_proc_entry("ip_conntrack", proc_net_stat);

143
net/ipv4/netfilter/ip_nat_standalone.c
View file

@ -299,61 +299,57 @@ ip_nat_adjust(unsigned int hooknum,
/* We must be after connection tracking and before packet filtering. */ /* We must be after connection tracking and before packet filtering. */
/* Before packet filtering, change destination */ static struct nf_hook_ops ip_nat_ops[] = {
static struct nf_hook_ops ip_nat_in_ops = { /* Before packet filtering, change destination */
.hook = ip_nat_in, {
.owner = THIS_MODULE, .hook = ip_nat_in,
.pf = PF_INET, .owner = THIS_MODULE,
.hooknum = NF_IP_PRE_ROUTING, .pf = PF_INET,
.priority = NF_IP_PRI_NAT_DST, .hooknum = NF_IP_PRE_ROUTING,
.priority = NF_IP_PRI_NAT_DST,
},
/* After packet filtering, change source */
{
.hook = ip_nat_out,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_POST_ROUTING,
.priority = NF_IP_PRI_NAT_SRC,
},
/* After conntrack, adjust sequence number */
{
.hook = ip_nat_adjust,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_POST_ROUTING,
.priority = NF_IP_PRI_NAT_SEQ_ADJUST,
},
/* Before packet filtering, change destination */
{
.hook = ip_nat_local_fn,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_OUT,
.priority = NF_IP_PRI_NAT_DST,
},
/* After packet filtering, change source */
{
.hook = ip_nat_fn,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
.priority = NF_IP_PRI_NAT_SRC,
},
/* After conntrack, adjust sequence number */
{
.hook = ip_nat_adjust,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
.priority = NF_IP_PRI_NAT_SEQ_ADJUST,
},
}; };
/* After packet filtering, change source */
static struct nf_hook_ops ip_nat_out_ops = {
.hook = ip_nat_out,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_POST_ROUTING,
.priority = NF_IP_PRI_NAT_SRC,
};
/* After conntrack, adjust sequence number */
static struct nf_hook_ops ip_nat_adjust_out_ops = {
.hook = ip_nat_adjust,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_POST_ROUTING,
.priority = NF_IP_PRI_NAT_SEQ_ADJUST,
};
/* Before packet filtering, change destination */
static struct nf_hook_ops ip_nat_local_out_ops = {
.hook = ip_nat_local_fn,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_OUT,
.priority = NF_IP_PRI_NAT_DST,
};
/* After packet filtering, change source for reply packets of LOCAL_OUT DNAT */
static struct nf_hook_ops ip_nat_local_in_ops = {
.hook = ip_nat_fn,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
.priority = NF_IP_PRI_NAT_SRC,
};
/* After conntrack, adjust sequence number */
static struct nf_hook_ops ip_nat_adjust_in_ops = {
.hook = ip_nat_adjust,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
.priority = NF_IP_PRI_NAT_SEQ_ADJUST,
};
static int init_or_cleanup(int init) static int init_or_cleanup(int init)
{ {
int ret = 0; int ret = 0;
@ -371,50 +367,15 @@ static int init_or_cleanup(int init)
printk("ip_nat_init: can't setup rules.\n"); printk("ip_nat_init: can't setup rules.\n");
goto cleanup_decode_session; goto cleanup_decode_session;
} }
ret = nf_register_hook(&ip_nat_in_ops); ret = nf_register_hooks(ip_nat_ops, ARRAY_SIZE(ip_nat_ops));
if (ret < 0) { if (ret < 0) {
printk("ip_nat_init: can't register in hook.\n"); printk("ip_nat_init: can't register hooks.\n");
goto cleanup_rule_init; goto cleanup_rule_init;
} }
ret = nf_register_hook(&ip_nat_out_ops);
if (ret < 0) {
printk("ip_nat_init: can't register out hook.\n");
goto cleanup_inops;
}
ret = nf_register_hook(&ip_nat_adjust_in_ops);
if (ret < 0) {
printk("ip_nat_init: can't register adjust in hook.\n");
goto cleanup_outops;
}
ret = nf_register_hook(&ip_nat_adjust_out_ops);
if (ret < 0) {
printk("ip_nat_init: can't register adjust out hook.\n");
goto cleanup_adjustin_ops;
}
ret = nf_register_hook(&ip_nat_local_out_ops);
if (ret < 0) {
printk("ip_nat_init: can't register local out hook.\n");
goto cleanup_adjustout_ops;
}
ret = nf_register_hook(&ip_nat_local_in_ops);
if (ret < 0) {
printk("ip_nat_init: can't register local in hook.\n");
goto cleanup_localoutops;
}
return ret; return ret;
cleanup: cleanup:
nf_unregister_hook(&ip_nat_local_in_ops); nf_unregister_hooks(ip_nat_ops, ARRAY_SIZE(ip_nat_ops));
cleanup_localoutops:
nf_unregister_hook(&ip_nat_local_out_ops);
cleanup_adjustout_ops:
nf_unregister_hook(&ip_nat_adjust_out_ops);
cleanup_adjustin_ops:
nf_unregister_hook(&ip_nat_adjust_in_ops);
cleanup_outops:
nf_unregister_hook(&ip_nat_out_ops);
cleanup_inops:
nf_unregister_hook(&ip_nat_in_ops);
cleanup_rule_init: cleanup_rule_init:
ip_nat_rule_cleanup(); ip_nat_rule_cleanup();
cleanup_decode_session: cleanup_decode_session:

21
net/ipv4/netfilter/iptable_filter.c
View file

@ -157,37 +157,20 @@ static int __init iptable_filter_init(void)
return ret; return ret;
/* Register hooks */ /* Register hooks */
ret = nf_register_hook(&ipt_ops[0]); ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0) if (ret < 0)
goto cleanup_table; goto cleanup_table;
ret = nf_register_hook(&ipt_ops[1]);
if (ret < 0)
goto cleanup_hook0;
ret = nf_register_hook(&ipt_ops[2]);
if (ret < 0)
goto cleanup_hook1;
return ret; return ret;
cleanup_hook1:
nf_unregister_hook(&ipt_ops[1]);
cleanup_hook0:
nf_unregister_hook(&ipt_ops[0]);
cleanup_table: cleanup_table:
ipt_unregister_table(&packet_filter); ipt_unregister_table(&packet_filter);
return ret; return ret;
} }
static void __exit iptable_filter_fini(void) static void __exit iptable_filter_fini(void)
{ {
unsigned int i; nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
for (i = 0; i < sizeof(ipt_ops)/sizeof(struct nf_hook_ops); i++)
nf_unregister_hook(&ipt_ops[i]);
ipt_unregister_table(&packet_filter); ipt_unregister_table(&packet_filter);
} }

33
net/ipv4/netfilter/iptable_mangle.c
View file

@ -211,49 +211,20 @@ static int __init iptable_mangle_init(void)
return ret; return ret;
/* Register hooks */ /* Register hooks */
ret = nf_register_hook(&ipt_ops[0]); ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0) if (ret < 0)
goto cleanup_table; goto cleanup_table;
ret = nf_register_hook(&ipt_ops[1]);
if (ret < 0)
goto cleanup_hook0;
ret = nf_register_hook(&ipt_ops[2]);
if (ret < 0)
goto cleanup_hook1;
ret = nf_register_hook(&ipt_ops[3]);
if (ret < 0)
goto cleanup_hook2;
ret = nf_register_hook(&ipt_ops[4]);
if (ret < 0)
goto cleanup_hook3;
return ret; return ret;
cleanup_hook3:
nf_unregister_hook(&ipt_ops[3]);
cleanup_hook2:
nf_unregister_hook(&ipt_ops[2]);
cleanup_hook1:
nf_unregister_hook(&ipt_ops[1]);
cleanup_hook0:
nf_unregister_hook(&ipt_ops[0]);
cleanup_table: cleanup_table:
ipt_unregister_table(&packet_mangler); ipt_unregister_table(&packet_mangler);
return ret; return ret;
} }
static void __exit iptable_mangle_fini(void) static void __exit iptable_mangle_fini(void)
{ {
unsigned int i; nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
for (i = 0; i < sizeof(ipt_ops)/sizeof(struct nf_hook_ops); i++)
nf_unregister_hook(&ipt_ops[i]);
ipt_unregister_table(&packet_mangler); ipt_unregister_table(&packet_mangler);
} }

35
net/ipv4/netfilter/iptable_raw.c
View file

@ -101,18 +101,18 @@ ipt_hook(unsigned int hook,
/* 'raw' is the very first table. */ /* 'raw' is the very first table. */
static struct nf_hook_ops ipt_ops[] = { static struct nf_hook_ops ipt_ops[] = {
{ {
.hook = ipt_hook, .hook = ipt_hook,
.pf = PF_INET, .pf = PF_INET,
.hooknum = NF_IP_PRE_ROUTING, .hooknum = NF_IP_PRE_ROUTING,
.priority = NF_IP_PRI_RAW, .priority = NF_IP_PRI_RAW,
.owner = THIS_MODULE, .owner = THIS_MODULE,
}, },
{ {
.hook = ipt_hook, .hook = ipt_hook,
.pf = PF_INET, .pf = PF_INET,
.hooknum = NF_IP_LOCAL_OUT, .hooknum = NF_IP_LOCAL_OUT,
.priority = NF_IP_PRI_RAW, .priority = NF_IP_PRI_RAW,
.owner = THIS_MODULE, .owner = THIS_MODULE,
}, },
}; };
@ -126,31 +126,20 @@ static int __init iptable_raw_init(void)
return ret; return ret;
/* Register hooks */ /* Register hooks */
ret = nf_register_hook(&ipt_ops[0]); ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0) if (ret < 0)
goto cleanup_table; goto cleanup_table;
ret = nf_register_hook(&ipt_ops[1]);
if (ret < 0)
goto cleanup_hook0;
return ret; return ret;
cleanup_hook0:
nf_unregister_hook(&ipt_ops[0]);
cleanup_table: cleanup_table:
ipt_unregister_table(&packet_raw); ipt_unregister_table(&packet_raw);
return ret; return ret;
} }
static void __exit iptable_raw_fini(void) static void __exit iptable_raw_fini(void)
{ {
unsigned int i; nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
for (i = 0; i < sizeof(ipt_ops)/sizeof(struct nf_hook_ops); i++)
nf_unregister_hook(&ipt_ops[i]);
ipt_unregister_table(&packet_raw); ipt_unregister_table(&packet_raw);
} }

189
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
View file

@ -210,71 +210,63 @@ static unsigned int ipv4_conntrack_local(unsigned int hooknum,
/* Connection tracking may drop packets, but never alters them, so /* Connection tracking may drop packets, but never alters them, so
make it the first hook. */ make it the first hook. */
static struct nf_hook_ops ipv4_conntrack_defrag_ops = { static struct nf_hook_ops ipv4_conntrack_ops[] = {
.hook = ipv4_conntrack_defrag, {
.owner = THIS_MODULE, .hook = ipv4_conntrack_defrag,
.pf = PF_INET, .owner = THIS_MODULE,
.hooknum = NF_IP_PRE_ROUTING, .pf = PF_INET,
.priority = NF_IP_PRI_CONNTRACK_DEFRAG, .hooknum = NF_IP_PRE_ROUTING,
}; .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
},
static struct nf_hook_ops ipv4_conntrack_in_ops = { {
.hook = ipv4_conntrack_in, .hook = ipv4_conntrack_in,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.pf = PF_INET, .pf = PF_INET,
.hooknum = NF_IP_PRE_ROUTING, .hooknum = NF_IP_PRE_ROUTING,
.priority = NF_IP_PRI_CONNTRACK, .priority = NF_IP_PRI_CONNTRACK,
}; },
{
static struct nf_hook_ops ipv4_conntrack_defrag_local_out_ops = { .hook = ipv4_conntrack_defrag,
.hook = ipv4_conntrack_defrag, .owner = THIS_MODULE,
.owner = THIS_MODULE, .pf = PF_INET,
.pf = PF_INET, .hooknum = NF_IP_LOCAL_OUT,
.hooknum = NF_IP_LOCAL_OUT, .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
.priority = NF_IP_PRI_CONNTRACK_DEFRAG, },
}; {
.hook = ipv4_conntrack_local,
static struct nf_hook_ops ipv4_conntrack_local_out_ops = { .owner = THIS_MODULE,
.hook = ipv4_conntrack_local, .pf = PF_INET,
.owner = THIS_MODULE, .hooknum = NF_IP_LOCAL_OUT,
.pf = PF_INET, .priority = NF_IP_PRI_CONNTRACK,
.hooknum = NF_IP_LOCAL_OUT, },
.priority = NF_IP_PRI_CONNTRACK, {
}; .hook = ipv4_conntrack_help,
.owner = THIS_MODULE,
/* helpers */ .pf = PF_INET,
static struct nf_hook_ops ipv4_conntrack_helper_out_ops = { .hooknum = NF_IP_POST_ROUTING,
.hook = ipv4_conntrack_help, .priority = NF_IP_PRI_CONNTRACK_HELPER,
.owner = THIS_MODULE, },
.pf = PF_INET, {
.hooknum = NF_IP_POST_ROUTING, .hook = ipv4_conntrack_help,
.priority = NF_IP_PRI_CONNTRACK_HELPER, .owner = THIS_MODULE,
}; .pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
static struct nf_hook_ops ipv4_conntrack_helper_in_ops = { .priority = NF_IP_PRI_CONNTRACK_HELPER,
.hook = ipv4_conntrack_help, },
.owner = THIS_MODULE, {
.pf = PF_INET, .hook = ipv4_confirm,
.hooknum = NF_IP_LOCAL_IN, .owner = THIS_MODULE,
.priority = NF_IP_PRI_CONNTRACK_HELPER, .pf = PF_INET,
}; .hooknum = NF_IP_POST_ROUTING,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
},
/* Refragmenter; last chance. */ {
static struct nf_hook_ops ipv4_conntrack_out_ops = { .hook = ipv4_confirm,
.hook = ipv4_confirm, .owner = THIS_MODULE,
.owner = THIS_MODULE, .pf = PF_INET,
.pf = PF_INET, .hooknum = NF_IP_LOCAL_IN,
.hooknum = NF_IP_POST_ROUTING, .priority = NF_IP_PRI_CONNTRACK_CONFIRM,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM, },
};
static struct nf_hook_ops ipv4_conntrack_local_in_ops = {
.hook = ipv4_confirm,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
}; };
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
@ -476,59 +468,18 @@ static int init_or_cleanup(int init)
goto cleanup_icmp; goto cleanup_icmp;
} }
ret = nf_register_hook(&ipv4_conntrack_defrag_ops); ret = nf_register_hooks(ipv4_conntrack_ops,
ARRAY_SIZE(ipv4_conntrack_ops));
if (ret < 0) { if (ret < 0) {
printk("nf_conntrack_ipv4: can't register pre-routing defrag hook.\n"); printk("nf_conntrack_ipv4: can't register hooks.\n");
goto cleanup_ipv4; goto cleanup_ipv4;
} }
ret = nf_register_hook(&ipv4_conntrack_defrag_local_out_ops);
if (ret < 0) {
printk("nf_conntrack_ipv4: can't register local_out defrag hook.\n");
goto cleanup_defragops;
}
ret = nf_register_hook(&ipv4_conntrack_in_ops);
if (ret < 0) {
printk("nf_conntrack_ipv4: can't register pre-routing hook.\n");
goto cleanup_defraglocalops;
}
ret = nf_register_hook(&ipv4_conntrack_local_out_ops);
if (ret < 0) {
printk("nf_conntrack_ipv4: can't register local out hook.\n");
goto cleanup_inops;
}
ret = nf_register_hook(&ipv4_conntrack_helper_in_ops);
if (ret < 0) {
printk("nf_conntrack_ipv4: can't register local helper hook.\n");
goto cleanup_inandlocalops;
}
ret = nf_register_hook(&ipv4_conntrack_helper_out_ops);
if (ret < 0) {
printk("nf_conntrack_ipv4: can't register postrouting helper hook.\n");
goto cleanup_helperinops;
}
ret = nf_register_hook(&ipv4_conntrack_out_ops);
if (ret < 0) {
printk("nf_conntrack_ipv4: can't register post-routing hook.\n");
goto cleanup_helperoutops;
}
ret = nf_register_hook(&ipv4_conntrack_local_in_ops);
if (ret < 0) {
printk("nf_conntrack_ipv4: can't register local in hook.\n");
goto cleanup_inoutandlocalops;
}
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
nf_ct_ipv4_sysctl_header = register_sysctl_table(nf_ct_net_table, 0); nf_ct_ipv4_sysctl_header = register_sysctl_table(nf_ct_net_table, 0);
if (nf_ct_ipv4_sysctl_header == NULL) { if (nf_ct_ipv4_sysctl_header == NULL) {
printk("nf_conntrack: can't register to sysctl.\n"); printk("nf_conntrack: can't register to sysctl.\n");
ret = -ENOMEM; ret = -ENOMEM;
goto cleanup_localinops; goto cleanup_hooks;
} }
#endif #endif
return ret; return ret;
@ -537,23 +488,9 @@ static int init_or_cleanup(int init)
synchronize_net(); synchronize_net();
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
unregister_sysctl_table(nf_ct_ipv4_sysctl_header); unregister_sysctl_table(nf_ct_ipv4_sysctl_header);
cleanup_localinops: cleanup_hooks:
#endif #endif
nf_unregister_hook(&ipv4_conntrack_local_in_ops); nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
cleanup_inoutandlocalops:
nf_unregister_hook(&ipv4_conntrack_out_ops);
cleanup_helperoutops:
nf_unregister_hook(&ipv4_conntrack_helper_out_ops);
cleanup_helperinops:
nf_unregister_hook(&ipv4_conntrack_helper_in_ops);
cleanup_inandlocalops:
nf_unregister_hook(&ipv4_conntrack_local_out_ops);
cleanup_inops:
nf_unregister_hook(&ipv4_conntrack_in_ops);
cleanup_defraglocalops:
nf_unregister_hook(&ipv4_conntrack_defrag_local_out_ops);
cleanup_defragops:
nf_unregister_hook(&ipv4_conntrack_defrag_ops);
cleanup_ipv4: cleanup_ipv4:
nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4); nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
cleanup_icmp: cleanup_icmp:

21
net/ipv6/netfilter/ip6table_filter.c
View file

@ -177,37 +177,20 @@ static int __init ip6table_filter_init(void)
return ret; return ret;
/* Register hooks */ /* Register hooks */
ret = nf_register_hook(&ip6t_ops[0]); ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
if (ret < 0) if (ret < 0)
goto cleanup_table; goto cleanup_table;
ret = nf_register_hook(&ip6t_ops[1]);
if (ret < 0)
goto cleanup_hook0;
ret = nf_register_hook(&ip6t_ops[2]);
if (ret < 0)
goto cleanup_hook1;
return ret; return ret;
cleanup_hook1:
nf_unregister_hook(&ip6t_ops[1]);
cleanup_hook0:
nf_unregister_hook(&ip6t_ops[0]);
cleanup_table: cleanup_table:
ip6t_unregister_table(&packet_filter); ip6t_unregister_table(&packet_filter);
return ret; return ret;
} }
static void __exit ip6table_filter_fini(void) static void __exit ip6table_filter_fini(void)
{ {
unsigned int i; nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
for (i = 0; i < sizeof(ip6t_ops)/sizeof(struct nf_hook_ops); i++)
nf_unregister_hook(&ip6t_ops[i]);
ip6t_unregister_table(&packet_filter); ip6t_unregister_table(&packet_filter);
} }

33
net/ipv6/netfilter/ip6table_mangle.c
View file

@ -238,49 +238,20 @@ static int __init ip6table_mangle_init(void)
return ret; return ret;
/* Register hooks */ /* Register hooks */
ret = nf_register_hook(&ip6t_ops[0]); ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
if (ret < 0) if (ret < 0)
goto cleanup_table; goto cleanup_table;
ret = nf_register_hook(&ip6t_ops[1]);
if (ret < 0)
goto cleanup_hook0;
ret = nf_register_hook(&ip6t_ops[2]);
if (ret < 0)
goto cleanup_hook1;
ret = nf_register_hook(&ip6t_ops[3]);
if (ret < 0)
goto cleanup_hook2;
ret = nf_register_hook(&ip6t_ops[4]);
if (ret < 0)
goto cleanup_hook3;
return ret; return ret;
cleanup_hook3:
nf_unregister_hook(&ip6t_ops[3]);
cleanup_hook2:
nf_unregister_hook(&ip6t_ops[2]);
cleanup_hook1:
nf_unregister_hook(&ip6t_ops[1]);
cleanup_hook0:
nf_unregister_hook(&ip6t_ops[0]);
cleanup_table: cleanup_table:
ip6t_unregister_table(&packet_mangler); ip6t_unregister_table(&packet_mangler);
return ret; return ret;
} }
static void __exit ip6table_mangle_fini(void) static void __exit ip6table_mangle_fini(void)
{ {
unsigned int i; nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
for (i = 0; i < sizeof(ip6t_ops)/sizeof(struct nf_hook_ops); i++)
nf_unregister_hook(&ip6t_ops[i]);
ip6t_unregister_table(&packet_mangler); ip6t_unregister_table(&packet_mangler);
} }

15
net/ipv6/netfilter/ip6table_raw.c
View file

@ -152,31 +152,20 @@ static int __init ip6table_raw_init(void)
return ret; return ret;
/* Register hooks */ /* Register hooks */
ret = nf_register_hook(&ip6t_ops[0]); ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
if (ret < 0) if (ret < 0)
goto cleanup_table; goto cleanup_table;
ret = nf_register_hook(&ip6t_ops[1]);
if (ret < 0)
goto cleanup_hook0;
return ret; return ret;
cleanup_hook0:
nf_unregister_hook(&ip6t_ops[0]);
cleanup_table: cleanup_table:
ip6t_unregister_table(&packet_raw); ip6t_unregister_table(&packet_raw);
return ret; return ret;
} }
static void __exit ip6table_raw_fini(void) static void __exit ip6table_raw_fini(void)
{ {
unsigned int i; nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
for (i = 0; i < sizeof(ip6t_ops)/sizeof(struct nf_hook_ops); i++)
nf_unregister_hook(&ip6t_ops[i]);
ip6t_unregister_table(&packet_raw); ip6t_unregister_table(&packet_raw);
} }

143
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
View file

@ -286,55 +286,49 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum,
return ipv6_conntrack_in(hooknum, pskb, in, out, okfn); return ipv6_conntrack_in(hooknum, pskb, in, out, okfn);
} }
/* Connection tracking may drop packets, but never alters them, so static struct nf_hook_ops ipv6_conntrack_ops[] = {
make it the first hook. */ {
static struct nf_hook_ops ipv6_conntrack_defrag_ops = { .hook = ipv6_defrag,
.hook = ipv6_defrag, .owner = THIS_MODULE,
.owner = THIS_MODULE, .pf = PF_INET6,
.pf = PF_INET6, .hooknum = NF_IP6_PRE_ROUTING,
.hooknum = NF_IP6_PRE_ROUTING, .priority = NF_IP6_PRI_CONNTRACK_DEFRAG,
.priority = NF_IP6_PRI_CONNTRACK_DEFRAG, },
}; {
.hook = ipv6_conntrack_in,
static struct nf_hook_ops ipv6_conntrack_in_ops = { .owner = THIS_MODULE,
.hook = ipv6_conntrack_in, .pf = PF_INET6,
.owner = THIS_MODULE, .hooknum = NF_IP6_PRE_ROUTING,
.pf = PF_INET6, .priority = NF_IP6_PRI_CONNTRACK,
.hooknum = NF_IP6_PRE_ROUTING, },
.priority = NF_IP6_PRI_CONNTRACK, {
}; .hook = ipv6_conntrack_local,
.owner = THIS_MODULE,
static struct nf_hook_ops ipv6_conntrack_local_out_ops = { .pf = PF_INET6,
.hook = ipv6_conntrack_local, .hooknum = NF_IP6_LOCAL_OUT,
.owner = THIS_MODULE, .priority = NF_IP6_PRI_CONNTRACK,
.pf = PF_INET6, },
.hooknum = NF_IP6_LOCAL_OUT, {
.priority = NF_IP6_PRI_CONNTRACK, .hook = ipv6_defrag,
}; .owner = THIS_MODULE,
.pf = PF_INET6,
static struct nf_hook_ops ipv6_conntrack_defrag_local_out_ops = { .hooknum = NF_IP6_LOCAL_OUT,
.hook = ipv6_defrag, .priority = NF_IP6_PRI_CONNTRACK_DEFRAG,
.owner = THIS_MODULE, },
.pf = PF_INET6, {
.hooknum = NF_IP6_LOCAL_OUT, .hook = ipv6_confirm,
.priority = NF_IP6_PRI_CONNTRACK_DEFRAG, .owner = THIS_MODULE,
}; .pf = PF_INET6,
.hooknum = NF_IP6_POST_ROUTING,
/* Refragmenter; last chance. */ .priority = NF_IP6_PRI_LAST,
static struct nf_hook_ops ipv6_conntrack_out_ops = { },
.hook = ipv6_confirm, {
.owner = THIS_MODULE, .hook = ipv6_confirm,
.pf = PF_INET6, .owner = THIS_MODULE,
.hooknum = NF_IP6_POST_ROUTING, .pf = PF_INET6,
.priority = NF_IP6_PRI_LAST, .hooknum = NF_IP6_LOCAL_IN,
}; .priority = NF_IP6_PRI_LAST-1,
},
static struct nf_hook_ops ipv6_conntrack_local_in_ops = {
.hook = ipv6_confirm,
.owner = THIS_MODULE,
.pf = PF_INET6,
.hooknum = NF_IP6_LOCAL_IN,
.priority = NF_IP6_PRI_LAST-1,
}; };
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
@ -505,50 +499,19 @@ static int init_or_cleanup(int init)
goto cleanup_icmpv6; goto cleanup_icmpv6;
} }
ret = nf_register_hook(&ipv6_conntrack_defrag_ops); ret = nf_register_hooks(ipv6_conntrack_ops,
ARRAY_SIZE(ipv6_conntrack_ops));
if (ret < 0) { if (ret < 0) {
printk("nf_conntrack_ipv6: can't register pre-routing defrag " printk("nf_conntrack_ipv6: can't register pre-routing defrag "
"hook.\n"); "hook.\n");
goto cleanup_ipv6; goto cleanup_ipv6;
} }
ret = nf_register_hook(&ipv6_conntrack_defrag_local_out_ops);
if (ret < 0) {
printk("nf_conntrack_ipv6: can't register local_out defrag "
"hook.\n");
goto cleanup_defragops;
}
ret = nf_register_hook(&ipv6_conntrack_in_ops);
if (ret < 0) {
printk("nf_conntrack_ipv6: can't register pre-routing hook.\n");
goto cleanup_defraglocalops;
}
ret = nf_register_hook(&ipv6_conntrack_local_out_ops);
if (ret < 0) {
printk("nf_conntrack_ipv6: can't register local out hook.\n");
goto cleanup_inops;
}
ret = nf_register_hook(&ipv6_conntrack_out_ops);
if (ret < 0) {
printk("nf_conntrack_ipv6: can't register post-routing hook.\n");
goto cleanup_inandlocalops;
}
ret = nf_register_hook(&ipv6_conntrack_local_in_ops);
if (ret < 0) {
printk("nf_conntrack_ipv6: can't register local in hook.\n");
goto cleanup_inoutandlocalops;
}
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
nf_ct_ipv6_sysctl_header = register_sysctl_table(nf_ct_net_table, 0); nf_ct_ipv6_sysctl_header = register_sysctl_table(nf_ct_net_table, 0);
if (nf_ct_ipv6_sysctl_header == NULL) { if (nf_ct_ipv6_sysctl_header == NULL) {
printk("nf_conntrack: can't register to sysctl.\n"); printk("nf_conntrack: can't register to sysctl.\n");
ret = -ENOMEM; ret = -ENOMEM;
goto cleanup_localinops; goto cleanup_hooks;
} }
#endif #endif
return ret; return ret;
@ -557,19 +520,9 @@ static int init_or_cleanup(int init)
synchronize_net(); synchronize_net();
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
unregister_sysctl_table(nf_ct_ipv6_sysctl_header); unregister_sysctl_table(nf_ct_ipv6_sysctl_header);
cleanup_localinops: cleanup_hooks:
#endif #endif
nf_unregister_hook(&ipv6_conntrack_local_in_ops); nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
cleanup_inoutandlocalops:
nf_unregister_hook(&ipv6_conntrack_out_ops);
cleanup_inandlocalops:
nf_unregister_hook(&ipv6_conntrack_local_out_ops);
cleanup_inops:
nf_unregister_hook(&ipv6_conntrack_in_ops);
cleanup_defraglocalops:
nf_unregister_hook(&ipv6_conntrack_defrag_local_out_ops);
cleanup_defragops:
nf_unregister_hook(&ipv6_conntrack_defrag_ops);
cleanup_ipv6: cleanup_ipv6:
nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6); nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
cleanup_icmpv6: cleanup_icmpv6: