netfilter: x_tables: Pass struct net in xt_action_param

As xt_action_param lives on the stack this does not bloat any
persistent data structures.

This is a first step in making netfilter code that needs to know
which network namespace it is executing in simpler.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b006b719183fc40aef93d6eae1e90f302979a4dc..c5577410c25d3b6b3520811c994a1f3d20ed1488 100644 (file)
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -13,6 +13,7 @@
  * @target:    the target extension
  * @matchinfo: per-match data
  * @targetinfo:        per-target data
+ * @net                network namespace through which the action was invoked
  * @in:                input netdevice
  * @out:       output netdevice
  * @fragoff:   packet is a fragment, this is the data offset
@@ -24,7 +25,6 @@
  * Fields written to by extensions:
  *
  * @hotdrop:   drop packet if we had inspection problems
- * Network namespace obtainable using dev_net(in/out)
  */
 struct xt_action_param {
        union {
@@ -34,6 +34,7 @@ struct xt_action_param {
        union {
                const void *matchinfo, *targinfo;
        };
+       struct net *net;
        const struct net_device *in, *out;
        int fragoff;
        unsigned int thoff;

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index c0899f97ff8d62cbd05fb3147f7361615ca0101c..c0516529e8a0c9e2dde4e16b61343f41f1a6ce60 100644 (file)
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -30,6 +30,7 @@ static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
                                   const struct nf_hook_state *state)
 {
        pkt->skb = skb;
+       pkt->xt.net = state->net;
        pkt->in = pkt->xt.in = state->in;
        pkt->out = pkt->xt.out = state->out;
        pkt->hook = pkt->xt.hooknum = state->hook;

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 8d5a3975b96341f2e48c839dc6c0a29de28bd702..f46ca417bf2d147118f8d37c67d9bffbee59724f 100644 (file)
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -200,6 +200,7 @@ unsigned int ebt_do_table(struct sk_buff *skb,
        struct xt_action_param acpar;
 
        acpar.family  = NFPROTO_BRIDGE;
+       acpar.net     = state->net;
        acpar.in      = state->in;
        acpar.out     = state->out;
        acpar.hotdrop = false;

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 10eb2b297450d5204bac057292b2820e35e2b484..2dad3e1c5f11d850f2ef9d7ae19b4ebe731840d4 100644 (file)
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -285,6 +285,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
         */
        e = get_entry(table_base, private->hook_entry[hook]);
 
+       acpar.net     = state->net;
        acpar.in      = state->in;
        acpar.out     = state->out;
        acpar.hooknum = hook;

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 2b049e135de81f0686bfdff49bb70fc683cd6397..42d0946956db6b545305ac5f1b9a601ffad4c87c 100644 (file)
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -315,6 +315,7 @@ ipt_do_table(struct sk_buff *skb,
        acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
        acpar.thoff   = ip_hdrlen(skb);
        acpar.hotdrop = false;
+       acpar.net     = state->net;
        acpar.in      = state->in;
        acpar.out     = state->out;
        acpar.family  = NFPROTO_IPV4;

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index da6446b6e3f95cf046d0661629aa5f227233f4e0..80e3bd72b715fc628290298ef92ecf23b5ea818f 100644 (file)
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -340,6 +340,7 @@ ip6t_do_table(struct sk_buff *skb,
         * rule is also a fragment-specific rule, non-fragments won't
         * match it. */
        acpar.hotdrop = false;
+       acpar.net     = state->net;
        acpar.in      = state->in;
        acpar.out     = state->out;
        acpar.family  = NFPROTO_IPV6;

diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 99c9cc1c7af9240f9df444ae158df4fa7f7f8c73..d05869646515dbabeb352361c9d58b9ccfc687d5 100644 (file)
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -189,6 +189,7 @@ static int tcf_ipt(struct sk_buff *skb, const struct tc_action *a,
         * worry later - danger - this API seems to have changed
         * from earlier kernels
         */
+       par.net      = dev_net(skb->dev);
        par.in       = skb->dev;
        par.out      = NULL;
        par.hooknum  = ipt->tcfi_hook;

diff --git a/net/sched/em_ipset.c b/net/sched/em_ipset.c
index df0328ba6a48243056526fbc044f8c0e392f4f3c..c66ca9400ab4f03d96bc287381a935546abfe8fa 100644 (file)
--- a/net/sched/em_ipset.c
+++ b/net/sched/em_ipset.c
@@ -95,6 +95,7 @@ static int em_ipset_match(struct sk_buff *skb, struct tcf_ematch *em,
        if (skb->skb_iif)
                indev = dev_get_by_index_rcu(em->net, skb->skb_iif);
 
+       acpar.net     = em->net;
        acpar.in      = indev ? indev : dev;
        acpar.out     = dev;