netfilter: Make nf_hookfn use nf_hook_state.
authorDavid S. Miller <davem@davemloft.net>
Sat, 4 Apr 2015 00:32:56 +0000 (20:32 -0400)
committerDavid S. Miller <davem@davemloft.net>
Sat, 4 Apr 2015 16:31:38 +0000 (12:31 -0400)
Pass the nf_hook_state all the way down into the hook
functions themselves.

Signed-off-by: David S. Miller <davem@davemloft.net>
35 files changed:
include/linux/netfilter.h
net/bridge/br_netfilter.c
net/bridge/netfilter/ebtable_filter.c
net/bridge/netfilter/ebtable_nat.c
net/bridge/netfilter/nf_tables_bridge.c
net/decnet/netfilter/dn_rtmsg.c
net/ipv4/netfilter/arptable_filter.c
net/ipv4/netfilter/ipt_CLUSTERIP.c
net/ipv4/netfilter/ipt_SYNPROXY.c
net/ipv4/netfilter/iptable_filter.c
net/ipv4/netfilter/iptable_mangle.c
net/ipv4/netfilter/iptable_nat.c
net/ipv4/netfilter/iptable_raw.c
net/ipv4/netfilter/iptable_security.c
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
net/ipv4/netfilter/nf_defrag_ipv4.c
net/ipv4/netfilter/nf_tables_arp.c
net/ipv4/netfilter/nf_tables_ipv4.c
net/ipv4/netfilter/nft_chain_nat_ipv4.c
net/ipv4/netfilter/nft_chain_route_ipv4.c
net/ipv6/netfilter/ip6t_SYNPROXY.c
net/ipv6/netfilter/ip6table_filter.c
net/ipv6/netfilter/ip6table_mangle.c
net/ipv6/netfilter/ip6table_nat.c
net/ipv6/netfilter/ip6table_raw.c
net/ipv6/netfilter/ip6table_security.c
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
net/ipv6/netfilter/nf_tables_ipv6.c
net/ipv6/netfilter/nft_chain_nat_ipv6.c
net/ipv6/netfilter/nft_chain_route_ipv6.c
net/netfilter/core.c
net/netfilter/ipvs/ip_vs_core.c
security/selinux/hooks.c
security/smack/smack_netfilter.c

index aee7ef1e23edd24ad789e6723c6bbc29b26fbde5..c480c43ad8f7a59538c3bc71fd971744e6f0246c 100644 (file)
@@ -56,9 +56,7 @@ struct nf_hook_state {
 
 typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops,
                               struct sk_buff *skb,
-                              const struct net_device *in,
-                              const struct net_device *out,
-                              int (*okfn)(struct sk_buff *));
+                              const struct nf_hook_state *state);
 
 struct nf_hook_ops {
        struct list_head list;
index f3884a1b942f7ae788dc19ff6131f44ea0c809eb..7527e94dd5dce327064fe045506458d1a42f3c0c 100644 (file)
@@ -562,9 +562,7 @@ bad:
  * to ip6tables, which doesn't support NAT, so things are fairly simple. */
 static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
                                           struct sk_buff *skb,
-                                          const struct net_device *in,
-                                          const struct net_device *out,
-                                          int (*okfn)(struct sk_buff *))
+                                          const struct nf_hook_state *state)
 {
        const struct ipv6hdr *hdr;
        u32 pkt_len;
@@ -612,9 +610,7 @@ static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
  * address to be able to detect DNAT afterwards. */
 static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
                                      struct sk_buff *skb,
-                                     const struct net_device *in,
-                                     const struct net_device *out,
-                                     int (*okfn)(struct sk_buff *))
+                                     const struct nf_hook_state *state)
 {
        struct net_bridge_port *p;
        struct net_bridge *br;
@@ -623,7 +619,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
        if (unlikely(!pskb_may_pull(skb, len)))
                return NF_DROP;
 
-       p = br_port_get_rcu(in);
+       p = br_port_get_rcu(state->in);
        if (p == NULL)
                return NF_DROP;
        br = p->br;
@@ -633,7 +629,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
                        return NF_ACCEPT;
 
                nf_bridge_pull_encap_header_rcsum(skb);
-               return br_nf_pre_routing_ipv6(ops, skb, in, out, okfn);
+               return br_nf_pre_routing_ipv6(ops, skb, state);
        }
 
        if (!brnf_call_iptables && !br->nf_call_iptables)
@@ -671,9 +667,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
  * prevent this from happening. */
 static unsigned int br_nf_local_in(const struct nf_hook_ops *ops,
                                   struct sk_buff *skb,
-                                  const struct net_device *in,
-                                  const struct net_device *out,
-                                  int (*okfn)(struct sk_buff *))
+                                  const struct nf_hook_state *state)
 {
        br_drop_fake_rtable(skb);
        return NF_ACCEPT;
@@ -710,9 +704,7 @@ static int br_nf_forward_finish(struct sk_buff *skb)
  * bridge ports. */
 static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
                                     struct sk_buff *skb,
-                                    const struct net_device *in,
-                                    const struct net_device *out,
-                                    int (*okfn)(struct sk_buff *))
+                                    const struct nf_hook_state *state)
 {
        struct nf_bridge_info *nf_bridge;
        struct net_device *parent;
@@ -726,7 +718,7 @@ static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
        if (!nf_bridge_unshare(skb))
                return NF_DROP;
 
-       parent = bridge_parent(out);
+       parent = bridge_parent(state->out);
        if (!parent)
                return NF_DROP;
 
@@ -754,23 +746,21 @@ static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops,
        else
                skb->protocol = htons(ETH_P_IPV6);
 
-       NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, in), parent,
-               br_nf_forward_finish);
+       NF_HOOK(pf, NF_INET_FORWARD, skb, brnf_get_logical_dev(skb, state->in),
+               parent, br_nf_forward_finish);
 
        return NF_STOLEN;
 }
 
 static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
                                      struct sk_buff *skb,
-                                     const struct net_device *in,
-                                     const struct net_device *out,
-                                     int (*okfn)(struct sk_buff *))
+                                     const struct nf_hook_state *state)
 {
        struct net_bridge_port *p;
        struct net_bridge *br;
        struct net_device **d = (struct net_device **)(skb->cb);
 
-       p = br_port_get_rcu(out);
+       p = br_port_get_rcu(state->out);
        if (p == NULL)
                return NF_ACCEPT;
        br = p->br;
@@ -789,9 +779,9 @@ static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
                        nf_bridge_push_encap_header(skb);
                return NF_ACCEPT;
        }
-       *d = (struct net_device *)in;
-       NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
-               (struct net_device *)out, br_nf_forward_finish);
+       *d = state->in;
+       NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, state->in,
+               state->out, br_nf_forward_finish);
 
        return NF_STOLEN;
 }
@@ -859,9 +849,7 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
 /* PF_BRIDGE/POST_ROUTING ********************************************/
 static unsigned int br_nf_post_routing(const struct nf_hook_ops *ops,
                                       struct sk_buff *skb,
-                                      const struct net_device *in,
-                                      const struct net_device *out,
-                                      int (*okfn)(struct sk_buff *))
+                                      const struct nf_hook_state *state)
 {
        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
        struct net_device *realoutdev = bridge_parent(skb->dev);
@@ -910,9 +898,7 @@ static unsigned int br_nf_post_routing(const struct nf_hook_ops *ops,
  * for the second time. */
 static unsigned int ip_sabotage_in(const struct nf_hook_ops *ops,
                                   struct sk_buff *skb,
-                                  const struct net_device *in,
-                                  const struct net_device *out,
-                                  int (*okfn)(struct sk_buff *))
+                                  const struct nf_hook_state *state)
 {
        if (skb->nf_bridge &&
            !(skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)) {
index ce205aabf9c5333e2ea5286ef93a4d5a1d977cd9..8a3f63b2e8073d8081df5fbaac3bf63c348c0447 100644 (file)
@@ -58,20 +58,18 @@ static const struct ebt_table frame_filter = {
 
 static unsigned int
 ebt_in_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
-           const struct net_device *in, const struct net_device *out,
-           int (*okfn)(struct sk_buff *))
+           const struct nf_hook_state *state)
 {
-       return ebt_do_table(ops->hooknum, skb, in, out,
-                           dev_net(in)->xt.frame_filter);
+       return ebt_do_table(ops->hooknum, skb, state->in, state->out,
+                           dev_net(state->in)->xt.frame_filter);
 }
 
 static unsigned int
 ebt_out_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
-            const struct net_device *in, const struct net_device *out,
-            int (*okfn)(struct sk_buff *))
+            const struct nf_hook_state *state)
 {
-       return ebt_do_table(ops->hooknum, skb, in, out,
-                           dev_net(out)->xt.frame_filter);
+       return ebt_do_table(ops->hooknum, skb, state->in, state->out,
+                           dev_net(state->out)->xt.frame_filter);
 }
 
 static struct nf_hook_ops ebt_ops_filter[] __read_mostly = {
index a0ac2984fb6c1e1864efdb4bb05150acbf57ba16..c5ef5b1ab6786814830983d76ef46c6fd0051f51 100644 (file)
@@ -58,20 +58,18 @@ static struct ebt_table frame_nat = {
 
 static unsigned int
 ebt_nat_in(const struct nf_hook_ops *ops, struct sk_buff *skb,
-          const struct net_device *in, const struct net_device *out,
-          int (*okfn)(struct sk_buff *))
+          const struct nf_hook_state *state)
 {
-       return ebt_do_table(ops->hooknum, skb, in, out,
-                           dev_net(in)->xt.frame_nat);
+       return ebt_do_table(ops->hooknum, skb, state->in, state->out,
+                           dev_net(state->in)->xt.frame_nat);
 }
 
 static unsigned int
 ebt_nat_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
-           const struct net_device *in, const struct net_device *out,
-           int (*okfn)(struct sk_buff *))
+           const struct nf_hook_state *state)
 {
-       return ebt_do_table(ops->hooknum, skb, in, out,
-                           dev_net(out)->xt.frame_nat);
+       return ebt_do_table(ops->hooknum, skb, state->in, state->out,
+                           dev_net(state->out)->xt.frame_nat);
 }
 
 static struct nf_hook_ops ebt_ops_nat[] __read_mostly = {
index 19473a9371b8a65ed6b1e8727a5c2b321862886b..2c46a47160a8c1dc59b7ac4bbaeb687dd0cb4d09 100644 (file)
@@ -93,21 +93,19 @@ static inline void nft_bridge_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
 static unsigned int
 nft_do_chain_bridge(const struct nf_hook_ops *ops,
                    struct sk_buff *skb,
-                   const struct net_device *in,
-                   const struct net_device *out,
-                   int (*okfn)(struct sk_buff *))
+                   const struct nf_hook_state *state)
 {
        struct nft_pktinfo pkt;
 
        switch (eth_hdr(skb)->h_proto) {
        case htons(ETH_P_IP):
-               nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
+               nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, state->in, state->out);
                break;
        case htons(ETH_P_IPV6):
-               nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, in, out);
+               nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, state->in, state->out);
                break;
        default:
-               nft_set_pktinfo(&pkt, ops, skb, in, out);
+               nft_set_pktinfo(&pkt, ops, skb, state->in, state->out);
                break;
        }
 
index e4d9560a910b0eb96ed3a4ad59d63771f865de3c..af34fc9bdf69768e45e3e772929410fa0eeee41c 100644 (file)
@@ -89,9 +89,7 @@ static void dnrmg_send_peer(struct sk_buff *skb)
 
 static unsigned int dnrmg_hook(const struct nf_hook_ops *ops,
                        struct sk_buff *skb,
-                       const struct net_device *in,
-                       const struct net_device *out,
-                       int (*okfn)(struct sk_buff *))
+                       const struct nf_hook_state *state)
 {
        dnrmg_send_peer(skb);
        return NF_ACCEPT;
index 802ddecb30b8110474da0e0a34c134aceaece43b..6a641cb41062f907f73708a78e8d473815e07e84 100644 (file)
@@ -28,12 +28,11 @@ static const struct xt_table packet_filter = {
 /* The work comes in here from netfilter.c */
 static unsigned int
 arptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                    const struct net_device *in, const struct net_device *out,
-                    int (*okfn)(struct sk_buff *))
+                    const struct nf_hook_state *state)
 {
-       const struct net *net = dev_net((in != NULL) ? in : out);
+       const struct net *net = dev_net(state->in ? state->in : state->out);
 
-       return arpt_do_table(skb, ops->hooknum, in, out,
+       return arpt_do_table(skb, ops->hooknum, state->in, state->out,
                             net->ipv4.arptable_filter);
 }
 
index f75e9df5e0179d3f8a40640dee61b355a3077784..771ab3d01ad3dc303ac999e539a9c8ab5845baf2 100644 (file)
@@ -504,14 +504,12 @@ static void arp_print(struct arp_payload *payload)
 static unsigned int
 arp_mangle(const struct nf_hook_ops *ops,
           struct sk_buff *skb,
-          const struct net_device *in,
-          const struct net_device *out,
-          int (*okfn)(struct sk_buff *))
+          const struct nf_hook_state *state)
 {
        struct arphdr *arp = arp_hdr(skb);
        struct arp_payload *payload;
        struct clusterip_config *c;
-       struct net *net = dev_net(in ? in : out);
+       struct net *net = dev_net(state->in ? state->in : state->out);
 
        /* we don't care about non-ethernet and non-ipv4 ARP */
        if (arp->ar_hrd != htons(ARPHRD_ETHER) ||
@@ -536,10 +534,10 @@ arp_mangle(const struct nf_hook_ops *ops,
         * addresses on different interfacs.  However, in the CLUSTERIP case
         * this wouldn't work, since we didn't subscribe the mcast group on
         * other interfaces */
-       if (c->dev != out) {
+       if (c->dev != state->out) {
                pr_debug("not mangling arp reply on different "
                         "interface: cip'%s'-skb'%s'\n",
-                        c->dev->name, out->name);
+                        c->dev->name, state->out->name);
                clusterip_config_put(c);
                return NF_ACCEPT;
        }
index a313c3fbeb469e0594b2f7bccd788d687184bc61..e9e67793055fce9b20ee836275a3eb4a9437592a 100644 (file)
@@ -300,11 +300,9 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 
 static unsigned int ipv4_synproxy_hook(const struct nf_hook_ops *ops,
                                       struct sk_buff *skb,
-                                      const struct net_device *in,
-                                      const struct net_device *out,
-                                      int (*okfn)(struct sk_buff *))
+                                      const struct nf_hook_state *nhs)
 {
-       struct synproxy_net *snet = synproxy_pernet(dev_net(in ? : out));
+       struct synproxy_net *snet = synproxy_pernet(dev_net(nhs->in ? : nhs->out));
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct;
        struct nf_conn_synproxy *synproxy;
index e08a74a243a85d125ccbd043314f06c6b528b368..1df0d42bfd39e9cd723432d742614bb4dfafa72e 100644 (file)
@@ -34,8 +34,7 @@ static const struct xt_table packet_filter = {
 
 static unsigned int
 iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                   const struct net_device *in, const struct net_device *out,
-                   int (*okfn)(struct sk_buff *))
+                   const struct nf_hook_state *state)
 {
        const struct net *net;
 
@@ -45,8 +44,8 @@ iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
                /* root is playing with raw sockets. */
                return NF_ACCEPT;
 
-       net = dev_net((in != NULL) ? in : out);
-       return ipt_do_table(skb, ops->hooknum, in, out,
+       net = dev_net(state->in ? state->in : state->out);
+       return ipt_do_table(skb, ops->hooknum, state->in, state->out,
                            net->ipv4.iptable_filter);
 }
 
index 6a5079c34bb363c34135e9bed5700a645f15b249..7a825e7400459311641a167c738e623ae2ad5faa 100644 (file)
@@ -81,18 +81,16 @@ ipt_mangle_out(struct sk_buff *skb, const struct net_device *out)
 static unsigned int
 iptable_mangle_hook(const struct nf_hook_ops *ops,
                     struct sk_buff *skb,
-                    const struct net_device *in,
-                    const struct net_device *out,
-                    int (*okfn)(struct sk_buff *))
+                    const struct nf_hook_state *state)
 {
        if (ops->hooknum == NF_INET_LOCAL_OUT)
-               return ipt_mangle_out(skb, out);
+               return ipt_mangle_out(skb, state->out);
        if (ops->hooknum == NF_INET_POST_ROUTING)
-               return ipt_do_table(skb, ops->hooknum, in, out,
-                                   dev_net(out)->ipv4.iptable_mangle);
+               return ipt_do_table(skb, ops->hooknum, state->in, state->out,
+                                   dev_net(state->out)->ipv4.iptable_mangle);
        /* PREROUTING/INPUT/FORWARD: */
-       return ipt_do_table(skb, ops->hooknum, in, out,
-                           dev_net(in)->ipv4.iptable_mangle);
+       return ipt_do_table(skb, ops->hooknum, state->in, state->out,
+                           dev_net(state->in)->ipv4.iptable_mangle);
 }
 
 static struct nf_hook_ops *mangle_ops __read_mostly;
index 6b67d7e9a75d69e95d9d25f9b8524bc58d9ef607..7a7fea4711e5441d77b76aa81d3156f37b7e518e 100644 (file)
@@ -41,38 +41,34 @@ static unsigned int iptable_nat_do_chain(const struct nf_hook_ops *ops,
 
 static unsigned int iptable_nat_ipv4_fn(const struct nf_hook_ops *ops,
                                        struct sk_buff *skb,
-                                       const struct net_device *in,
-                                       const struct net_device *out,
-                                       int (*okfn)(struct sk_buff *))
+                                       const struct nf_hook_state *state)
 {
-       return nf_nat_ipv4_fn(ops, skb, in, out, iptable_nat_do_chain);
+       return nf_nat_ipv4_fn(ops, skb, state->in, state->out,
+                             iptable_nat_do_chain);
 }
 
 static unsigned int iptable_nat_ipv4_in(const struct nf_hook_ops *ops,
                                        struct sk_buff *skb,
-                                       const struct net_device *in,
-                                       const struct net_device *out,
-                                       int (*okfn)(struct sk_buff *))
+                                       const struct nf_hook_state *state)
 {
-       return nf_nat_ipv4_in(ops, skb, in, out, iptable_nat_do_chain);
+       return nf_nat_ipv4_in(ops, skb, state->in, state->out,
+                             iptable_nat_do_chain);
 }
 
 static unsigned int iptable_nat_ipv4_out(const struct nf_hook_ops *ops,
                                         struct sk_buff *skb,
-                                        const struct net_device *in,
-                                        const struct net_device *out,
-                                        int (*okfn)(struct sk_buff *))
+                                        const struct nf_hook_state *state)
 {
-       return nf_nat_ipv4_out(ops, skb, in, out, iptable_nat_do_chain);
+       return nf_nat_ipv4_out(ops, skb, state->in, state->out,
+                              iptable_nat_do_chain);
 }
 
 static unsigned int iptable_nat_ipv4_local_fn(const struct nf_hook_ops *ops,
                                              struct sk_buff *skb,
-                                             const struct net_device *in,
-                                             const struct net_device *out,
-                                             int (*okfn)(struct sk_buff *))
+                                             const struct nf_hook_state *state)
 {
-       return nf_nat_ipv4_local_fn(ops, skb, in, out, iptable_nat_do_chain);
+       return nf_nat_ipv4_local_fn(ops, skb, state->in, state->out,
+                                   iptable_nat_do_chain);
 }
 
 static struct nf_hook_ops nf_nat_ipv4_ops[] __read_mostly = {
index b2f7e8f98316d2733e3936ead8dec20da2978f73..fac8f607c70be0bf8dd2a603aeb268ca216a7281 100644 (file)
@@ -21,8 +21,7 @@ static const struct xt_table packet_raw = {
 /* The work comes in here from netfilter.c. */
 static unsigned int
 iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                const struct net_device *in, const struct net_device *out,
-                int (*okfn)(struct sk_buff *))
+                const struct nf_hook_state *state)
 {
        const struct net *net;
 
@@ -32,8 +31,9 @@ iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
                /* root is playing with raw sockets. */
                return NF_ACCEPT;
 
-       net = dev_net((in != NULL) ? in : out);
-       return ipt_do_table(skb, ops->hooknum, in, out, net->ipv4.iptable_raw);
+       net = dev_net(state->in ? state->in : state->out);
+       return ipt_do_table(skb, ops->hooknum, state->in, state->out,
+                           net->ipv4.iptable_raw);
 }
 
 static struct nf_hook_ops *rawtable_ops __read_mostly;
index c86647ed2078f660cf0e9f8b69957a6f4c79b1f6..d9ad60a57413e84a2dde1c83c3f478ee24bdcdf1 100644 (file)
@@ -38,9 +38,7 @@ static const struct xt_table security_table = {
 
 static unsigned int
 iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                     const struct net_device *in,
-                     const struct net_device *out,
-                     int (*okfn)(struct sk_buff *))
+                     const struct nf_hook_state *state)
 {
        const struct net *net;
 
@@ -50,8 +48,8 @@ iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
                /* Somebody is playing with raw sockets. */
                return NF_ACCEPT;
 
-       net = dev_net((in != NULL) ? in : out);
-       return ipt_do_table(skb, ops->hooknum, in, out,
+       net = dev_net(state->in ? state->in : state->out);
+       return ipt_do_table(skb, ops->hooknum, state->in, state->out,
                            net->ipv4.iptable_security);
 }
 
index 8c8d6642cbb0211f2a14252d95158233b485c256..30ad9554b5e9931ad37329f0ffda6a8aacdf55d1 100644 (file)
@@ -94,9 +94,7 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
 
 static unsigned int ipv4_helper(const struct nf_hook_ops *ops,
                                struct sk_buff *skb,
-                               const struct net_device *in,
-                               const struct net_device *out,
-                               int (*okfn)(struct sk_buff *))
+                               const struct nf_hook_state *state)
 {
        struct nf_conn *ct;
        enum ip_conntrack_info ctinfo;
@@ -123,9 +121,7 @@ static unsigned int ipv4_helper(const struct nf_hook_ops *ops,
 
 static unsigned int ipv4_confirm(const struct nf_hook_ops *ops,
                                 struct sk_buff *skb,
-                                const struct net_device *in,
-                                const struct net_device *out,
-                                int (*okfn)(struct sk_buff *))
+                                const struct nf_hook_state *state)
 {
        struct nf_conn *ct;
        enum ip_conntrack_info ctinfo;
@@ -149,24 +145,20 @@ out:
 
 static unsigned int ipv4_conntrack_in(const struct nf_hook_ops *ops,
                                      struct sk_buff *skb,
-                                     const struct net_device *in,
-                                     const struct net_device *out,
-                                     int (*okfn)(struct sk_buff *))
+                                     const struct nf_hook_state *state)
 {
-       return nf_conntrack_in(dev_net(in), PF_INET, ops->hooknum, skb);
+       return nf_conntrack_in(dev_net(state->in), PF_INET, ops->hooknum, skb);
 }
 
 static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops,
                                         struct sk_buff *skb,
-                                        const struct net_device *in,
-                                        const struct net_device *out,
-                                        int (*okfn)(struct sk_buff *))
+                                        const struct nf_hook_state *state)
 {
        /* root is playing with raw sockets. */
        if (skb->len < sizeof(struct iphdr) ||
            ip_hdrlen(skb) < sizeof(struct iphdr))
                return NF_ACCEPT;
-       return nf_conntrack_in(dev_net(out), PF_INET, ops->hooknum, skb);
+       return nf_conntrack_in(dev_net(state->out), PF_INET, ops->hooknum, skb);
 }
 
 /* Connection tracking may drop packets, but never alters them, so
index 7e5ca6f2d0cd57a7084cd9cd7386c9cdd40ac076..c88b7d4347187260e789612c44f34059092dc41d 100644 (file)
@@ -63,9 +63,7 @@ static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
 
 static unsigned int ipv4_conntrack_defrag(const struct nf_hook_ops *ops,
                                          struct sk_buff *skb,
-                                         const struct net_device *in,
-                                         const struct net_device *out,
-                                         int (*okfn)(struct sk_buff *))
+                                         const struct nf_hook_state *state)
 {
        struct sock *sk = skb->sk;
        struct inet_sock *inet = inet_sk(skb->sk);
index 19412a4063fbe27de956f4d7c380b8e774d61aae..fceb50e1e87dc86f3011f3a4ac2fe7e806d620a4 100644 (file)
 static unsigned int
 nft_do_chain_arp(const struct nf_hook_ops *ops,
                  struct sk_buff *skb,
-                 const struct net_device *in,
-                 const struct net_device *out,
-                 int (*okfn)(struct sk_buff *))
+                 const struct nf_hook_state *state)
 {
        struct nft_pktinfo pkt;
 
-       nft_set_pktinfo(&pkt, ops, skb, in, out);
+       nft_set_pktinfo(&pkt, ops, skb, state->in, state->out);
 
        return nft_do_chain(&pkt, ops);
 }
index 6820c8c40842170039cfad8645ca72d88508daa1..708e388e3dbeb7220f7a8ca0782cbe93d7f0a036 100644 (file)
 
 static unsigned int nft_do_chain_ipv4(const struct nf_hook_ops *ops,
                                      struct sk_buff *skb,
-                                     const struct net_device *in,
-                                     const struct net_device *out,
-                                     int (*okfn)(struct sk_buff *))
+                                     const struct nf_hook_state *state)
 {
        struct nft_pktinfo pkt;
 
-       nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
+       nft_set_pktinfo_ipv4(&pkt, ops, skb, state->in, state->out);
 
        return nft_do_chain(&pkt, ops);
 }
 
 static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,
                                    struct sk_buff *skb,
-                                   const struct net_device *in,
-                                   const struct net_device *out,
-                                   int (*okfn)(struct sk_buff *))
+                                   const struct nf_hook_state *state)
 {
        if (unlikely(skb->len < sizeof(struct iphdr) ||
                     ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) {
@@ -45,7 +41,7 @@ static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,
                return NF_ACCEPT;
        }
 
-       return nft_do_chain_ipv4(ops, skb, in, out, okfn);
+       return nft_do_chain_ipv4(ops, skb, state);
 }
 
 struct nft_af_info nft_af_ipv4 __read_mostly = {
index df547bf50078c4016c0e1924da77315cb1e6127a..d08db6b0fcc3c1632dbd8355eeb558cd1d26286a 100644 (file)
@@ -41,38 +41,31 @@ static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops,
 
 static unsigned int nft_nat_ipv4_fn(const struct nf_hook_ops *ops,
                                    struct sk_buff *skb,
-                                   const struct net_device *in,
-                                   const struct net_device *out,
-                                   int (*okfn)(struct sk_buff *))
+                                   const struct nf_hook_state *state)
 {
-       return nf_nat_ipv4_fn(ops, skb, in, out, nft_nat_do_chain);
+       return nf_nat_ipv4_fn(ops, skb, state->in, state->out, nft_nat_do_chain);
 }
 
 static unsigned int nft_nat_ipv4_in(const struct nf_hook_ops *ops,
                                    struct sk_buff *skb,
-                                   const struct net_device *in,
-                                   const struct net_device *out,
-                                   int (*okfn)(struct sk_buff *))
+                                   const struct nf_hook_state *state)
 {
-       return nf_nat_ipv4_in(ops, skb, in, out, nft_nat_do_chain);
+       return nf_nat_ipv4_in(ops, skb, state->in, state->out, nft_nat_do_chain);
 }
 
 static unsigned int nft_nat_ipv4_out(const struct nf_hook_ops *ops,
                                     struct sk_buff *skb,
-                                    const struct net_device *in,
-                                    const struct net_device *out,
-                                    int (*okfn)(struct sk_buff *))
+                                    const struct nf_hook_state *state)
 {
-       return nf_nat_ipv4_out(ops, skb, in, out, nft_nat_do_chain);
+       return nf_nat_ipv4_out(ops, skb, state->in, state->out, nft_nat_do_chain);
 }
 
 static unsigned int nft_nat_ipv4_local_fn(const struct nf_hook_ops *ops,
                                          struct sk_buff *skb,
-                                         const struct net_device *in,
-                                         const struct net_device *out,
-                                         int (*okfn)(struct sk_buff *))
+                                         const struct nf_hook_state *state)
 {
-       return nf_nat_ipv4_local_fn(ops, skb, in, out, nft_nat_do_chain);
+       return nf_nat_ipv4_local_fn(ops, skb, state->in, state->out,
+                                   nft_nat_do_chain);
 }
 
 static const struct nf_chain_type nft_chain_nat_ipv4 = {
index 125b66766c0a8799f0137b12352ab2448a0f9979..073d0776ae7ff5069721b471ce273da70e06e939 100644 (file)
@@ -23,9 +23,7 @@
 
 static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
                                        struct sk_buff *skb,
-                                       const struct net_device *in,
-                                       const struct net_device *out,
-                                       int (*okfn)(struct sk_buff *))
+                                       const struct nf_hook_state *state)
 {
        unsigned int ret;
        struct nft_pktinfo pkt;
@@ -39,7 +37,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
            ip_hdrlen(skb) < sizeof(struct iphdr))
                return NF_ACCEPT;
 
-       nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
+       nft_set_pktinfo_ipv4(&pkt, ops, skb, state->in, state->out);
 
        mark = skb->mark;
        iph = ip_hdr(skb);
index a0d17270117c37793be3cb61c4d767cd57f70611..6edb7b106de769728357174d0657c644f83e41e8 100644 (file)
@@ -315,11 +315,9 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 
 static unsigned int ipv6_synproxy_hook(const struct nf_hook_ops *ops,
                                       struct sk_buff *skb,
-                                      const struct net_device *in,
-                                      const struct net_device *out,
-                                      int (*okfn)(struct sk_buff *))
+                                      const struct nf_hook_state *nhs)
 {
-       struct synproxy_net *snet = synproxy_pernet(dev_net(in ? : out));
+       struct synproxy_net *snet = synproxy_pernet(dev_net(nhs->in ? : nhs->out));
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct;
        struct nf_conn_synproxy *synproxy;
index ca7f6c1280861b2977dce643fdea349eb3ec5078..eb9ef093454ff221503fd18526e2ba99a2f6bf43 100644 (file)
@@ -33,12 +33,11 @@ static const struct xt_table packet_filter = {
 /* The work comes in here from netfilter.c. */
 static unsigned int
 ip6table_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                    const struct net_device *in, const struct net_device *out,
-                    int (*okfn)(struct sk_buff *))
+                    const struct nf_hook_state *state)
 {
-       const struct net *net = dev_net((in != NULL) ? in : out);
+       const struct net *net = dev_net(state->in ? state->in : state->out);
 
-       return ip6t_do_table(skb, ops->hooknum, in, out,
+       return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
                             net->ipv6.ip6table_filter);
 }
 
index 307bbb782d147011d689f04c92e0ba5ac7c13074..e713b8d3dbbcd9d85f7cecd4b4ec373dee84f1d0 100644 (file)
@@ -77,17 +77,16 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
 /* The work comes in here from netfilter.c. */
 static unsigned int
 ip6table_mangle_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                    const struct net_device *in, const struct net_device *out,
-                    int (*okfn)(struct sk_buff *))
+                    const struct nf_hook_state *state)
 {
        if (ops->hooknum == NF_INET_LOCAL_OUT)
-               return ip6t_mangle_out(skb, out);
+               return ip6t_mangle_out(skb, state->out);
        if (ops->hooknum == NF_INET_POST_ROUTING)
-               return ip6t_do_table(skb, ops->hooknum, in, out,
-                                    dev_net(out)->ipv6.ip6table_mangle);
+               return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
+                                    dev_net(state->out)->ipv6.ip6table_mangle);
        /* INPUT/FORWARD */
-       return ip6t_do_table(skb, ops->hooknum, in, out,
-                            dev_net(in)->ipv6.ip6table_mangle);
+       return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
+                            dev_net(state->in)->ipv6.ip6table_mangle);
 }
 
 static struct nf_hook_ops *mangle_ops __read_mostly;
index b0634ac996b706a9108b2f1369e4c2be9c1188c4..e32b0d0315e6276ae479b7f8dd158d213d62bad7 100644 (file)
@@ -43,38 +43,34 @@ static unsigned int ip6table_nat_do_chain(const struct nf_hook_ops *ops,
 
 static unsigned int ip6table_nat_fn(const struct nf_hook_ops *ops,
                                    struct sk_buff *skb,
-                                   const struct net_device *in,
-                                   const struct net_device *out,
-                                   int (*okfn)(struct sk_buff *))
+                                   const struct nf_hook_state *state)
 {
-       return nf_nat_ipv6_fn(ops, skb, in, out, ip6table_nat_do_chain);
+       return nf_nat_ipv6_fn(ops, skb, state->in, state->out,
+                             ip6table_nat_do_chain);
 }
 
 static unsigned int ip6table_nat_in(const struct nf_hook_ops *ops,
                                    struct sk_buff *skb,
-                                   const struct net_device *in,
-                                   const struct net_device *out,
-                                   int (*okfn)(struct sk_buff *))
+                                   const struct nf_hook_state *state)
 {
-       return nf_nat_ipv6_in(ops, skb, in, out, ip6table_nat_do_chain);
+       return nf_nat_ipv6_in(ops, skb, state->in, state->out,
+                             ip6table_nat_do_chain);
 }
 
 static unsigned int ip6table_nat_out(const struct nf_hook_ops *ops,
                                     struct sk_buff *skb,
-                                    const struct net_device *in,
-                                    const struct net_device *out,
-                                    int (*okfn)(struct sk_buff *))
+                                    const struct nf_hook_state *state)
 {
-       return nf_nat_ipv6_out(ops, skb, in, out, ip6table_nat_do_chain);
+       return nf_nat_ipv6_out(ops, skb, state->in, state->out,
+                              ip6table_nat_do_chain);
 }
 
 static unsigned int ip6table_nat_local_fn(const struct nf_hook_ops *ops,
                                          struct sk_buff *skb,
-                                         const struct net_device *in,
-                                         const struct net_device *out,
-                                         int (*okfn)(struct sk_buff *))
+                                         const struct nf_hook_state *state)
 {
-       return nf_nat_ipv6_local_fn(ops, skb, in, out, ip6table_nat_do_chain);
+       return nf_nat_ipv6_local_fn(ops, skb, state->in, state->out,
+                                   ip6table_nat_do_chain);
 }
 
 static struct nf_hook_ops nf_nat_ipv6_ops[] __read_mostly = {
index 5274740acecc93b4550dabdd7f48fac3c04f67ac..937908e258628768f742aefbaf29d4f23e07486f 100644 (file)
@@ -20,12 +20,11 @@ static const struct xt_table packet_raw = {
 /* The work comes in here from netfilter.c. */
 static unsigned int
 ip6table_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                 const struct net_device *in, const struct net_device *out,
-                 int (*okfn)(struct sk_buff *))
+                 const struct nf_hook_state *state)
 {
-       const struct net *net = dev_net((in != NULL) ? in : out);
+       const struct net *net = dev_net(state->in ? state->in : state->out);
 
-       return ip6t_do_table(skb, ops->hooknum, in, out,
+       return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
                             net->ipv6.ip6table_raw);
 }
 
index ab3b0219ecfa436c07eb5cb86af36bd04efbdfb7..f33b41e8e294dde298c4a618cb37071d059e93f7 100644 (file)
@@ -37,13 +37,11 @@ static const struct xt_table security_table = {
 
 static unsigned int
 ip6table_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                      const struct net_device *in,
-                      const struct net_device *out,
-                      int (*okfn)(struct sk_buff *))
+                      const struct nf_hook_state *state)
 {
-       const struct net *net = dev_net((in != NULL) ? in : out);
+       const struct net *net = dev_net(state->in ? state->in : state->out);
 
-       return ip6t_do_table(skb, ops->hooknum, in, out,
+       return ip6t_do_table(skb, ops->hooknum, state->in, state->out,
                             net->ipv6.ip6table_security);
 }
 
index fba91c6fc7ca38f1a282da09b7323519ddf3b1aa..4ba0c34c627b0e88d3a06fda6532c83a3936315e 100644 (file)
@@ -97,9 +97,7 @@ static int ipv6_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
 
 static unsigned int ipv6_helper(const struct nf_hook_ops *ops,
                                struct sk_buff *skb,
-                               const struct net_device *in,
-                               const struct net_device *out,
-                               int (*okfn)(struct sk_buff *))
+                               const struct nf_hook_state *state)
 {
        struct nf_conn *ct;
        const struct nf_conn_help *help;
@@ -135,9 +133,7 @@ static unsigned int ipv6_helper(const struct nf_hook_ops *ops,
 
 static unsigned int ipv6_confirm(const struct nf_hook_ops *ops,
                                 struct sk_buff *skb,
-                                const struct net_device *in,
-                                const struct net_device *out,
-                                int (*okfn)(struct sk_buff *))
+                                const struct nf_hook_state *state)
 {
        struct nf_conn *ct;
        enum ip_conntrack_info ctinfo;
@@ -171,25 +167,21 @@ out:
 
 static unsigned int ipv6_conntrack_in(const struct nf_hook_ops *ops,
                                      struct sk_buff *skb,
-                                     const struct net_device *in,
-                                     const struct net_device *out,
-                                     int (*okfn)(struct sk_buff *))
+                                     const struct nf_hook_state *state)
 {
-       return nf_conntrack_in(dev_net(in), PF_INET6, ops->hooknum, skb);
+       return nf_conntrack_in(dev_net(state->in), PF_INET6, ops->hooknum, skb);
 }
 
 static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,
                                         struct sk_buff *skb,
-                                        const struct net_device *in,
-                                        const struct net_device *out,
-                                        int (*okfn)(struct sk_buff *))
+                                        const struct nf_hook_state *state)
 {
        /* root is playing with raw sockets. */
        if (skb->len < sizeof(struct ipv6hdr)) {
                net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");
                return NF_ACCEPT;
        }
-       return nf_conntrack_in(dev_net(out), PF_INET6, ops->hooknum, skb);
+       return nf_conntrack_in(dev_net(state->out), PF_INET6, ops->hooknum, skb);
 }
 
 static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
index e70382e4dfb5d05d91d9dad132d04baabd2b48d5..e2b88205675152fd229ca4a4c15f4d7212f14956 100644 (file)
@@ -54,9 +54,7 @@ static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum,
 
 static unsigned int ipv6_defrag(const struct nf_hook_ops *ops,
                                struct sk_buff *skb,
-                               const struct net_device *in,
-                               const struct net_device *out,
-                               int (*okfn)(struct sk_buff *))
+                               const struct nf_hook_state *state)
 {
        struct sk_buff *reasm;
 
@@ -78,8 +76,8 @@ static unsigned int ipv6_defrag(const struct nf_hook_ops *ops,
        nf_ct_frag6_consume_orig(reasm);
 
        NF_HOOK_THRESH(NFPROTO_IPV6, ops->hooknum, reasm,
-                      (struct net_device *) in, (struct net_device *) out,
-                      okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
+                      state->in, state->out,
+                      state->okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
 
        return NF_STOLEN;
 }
index 0d812b31277d9eb04133dbc880e0e151e0f2cf1f..224bc8971a0bbb9d20752568184403fa922c9fae 100644 (file)
 
 static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops,
                                      struct sk_buff *skb,
-                                     const struct net_device *in,
-                                     const struct net_device *out,
-                                     int (*okfn)(struct sk_buff *))
+                                     const struct nf_hook_state *state)
 {
        struct nft_pktinfo pkt;
 
        /* malformed packet, drop it */
-       if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0)
+       if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state->in, state->out) < 0)
                return NF_DROP;
 
        return nft_do_chain(&pkt, ops);
@@ -33,9 +31,7 @@ static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops,
 
 static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops,
                                    struct sk_buff *skb,
-                                   const struct net_device *in,
-                                   const struct net_device *out,
-                                   int (*okfn)(struct sk_buff *))
+                                   const struct nf_hook_state *state)
 {
        if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
                if (net_ratelimit())
@@ -44,7 +40,7 @@ static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops,
                return NF_ACCEPT;
        }
 
-       return nft_do_chain_ipv6(ops, skb, in, out, okfn);
+       return nft_do_chain_ipv6(ops, skb, state);
 }
 
 struct nft_af_info nft_af_ipv6 __read_mostly = {
index 1c4b75dd425b8e7fe421df37e215534a6eb19584..f73f4ae25bc2cb074c8742600c65ab52e7dc14cd 100644 (file)
@@ -39,38 +39,30 @@ static unsigned int nft_nat_do_chain(const struct nf_hook_ops *ops,
 
 static unsigned int nft_nat_ipv6_fn(const struct nf_hook_ops *ops,
                                    struct sk_buff *skb,
-                                   const struct net_device *in,
-                                   const struct net_device *out,
-                                   int (*okfn)(struct sk_buff *))
+                                   const struct nf_hook_state *state)
 {
-       return nf_nat_ipv6_fn(ops, skb, in, out, nft_nat_do_chain);
+       return nf_nat_ipv6_fn(ops, skb, state->in, state->out, nft_nat_do_chain);
 }
 
 static unsigned int nft_nat_ipv6_in(const struct nf_hook_ops *ops,
                                    struct sk_buff *skb,
-                                   const struct net_device *in,
-                                   const struct net_device *out,
-                                   int (*okfn)(struct sk_buff *))
+                                   const struct nf_hook_state *state)
 {
-       return nf_nat_ipv6_in(ops, skb, in, out, nft_nat_do_chain);
+       return nf_nat_ipv6_in(ops, skb, state->in, state->out, nft_nat_do_chain);
 }
 
 static unsigned int nft_nat_ipv6_out(const struct nf_hook_ops *ops,
                                     struct sk_buff *skb,
-                                    const struct net_device *in,
-                                    const struct net_device *out,
-                                    int (*okfn)(struct sk_buff *))
+                                    const struct nf_hook_state *state)
 {
-       return nf_nat_ipv6_out(ops, skb, in, out, nft_nat_do_chain);
+       return nf_nat_ipv6_out(ops, skb, state->in, state->out, nft_nat_do_chain);
 }
 
 static unsigned int nft_nat_ipv6_local_fn(const struct nf_hook_ops *ops,
                                          struct sk_buff *skb,
-                                         const struct net_device *in,
-                                         const struct net_device *out,
-                                         int (*okfn)(struct sk_buff *))
+                                         const struct nf_hook_state *state)
 {
-       return nf_nat_ipv6_local_fn(ops, skb, in, out, nft_nat_do_chain);
+       return nf_nat_ipv6_local_fn(ops, skb, state->in, state->out, nft_nat_do_chain);
 }
 
 static const struct nf_chain_type nft_chain_nat_ipv6 = {
index 42031299585e1be0452b35a264ee010bb9d7f7fb..c826c3c854b2bd6fe0a12e47eeb61f929cb55813 100644 (file)
@@ -24,9 +24,7 @@
 
 static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
                                        struct sk_buff *skb,
-                                       const struct net_device *in,
-                                       const struct net_device *out,
-                                       int (*okfn)(struct sk_buff *))
+                                       const struct nf_hook_state *state)
 {
        unsigned int ret;
        struct nft_pktinfo pkt;
@@ -35,7 +33,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
        u32 mark, flowlabel;
 
        /* malformed packet, drop it */
-       if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0)
+       if (nft_set_pktinfo_ipv6(&pkt, ops, skb, state->in, state->out) < 0)
                return NF_DROP;
 
        /* save source/dest address, mark, hoplimit, flowlabel, priority */
index 11d04ebfc5e37bf042fb1e190a87d88ce458fb6b..e6163017c42db2a1d553bc7b8ac812e5c401fcba 100644 (file)
@@ -136,8 +136,7 @@ unsigned int nf_iterate(struct list_head *head,
                /* Optimization: we don't need to hold module
                   reference here, since function can't sleep. --RR */
 repeat:
-               verdict = (*elemp)->hook(*elemp, skb, state->in, state->out,
-                                        state->okfn);
+               verdict = (*elemp)->hook(*elemp, skb, state);
                if (verdict != NF_ACCEPT) {
 #ifdef CONFIG_NETFILTER_DEBUG
                        if (unlikely((verdict & NF_VERDICT_MASK)
index 04dbd9c7213fe86e1993e009372b6838127e4688..5d2b806a862e6834ff6c61aee5c0e0a899bbe4b8 100644 (file)
@@ -1272,8 +1272,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
  */
 static unsigned int
 ip_vs_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
-            const struct net_device *in, const struct net_device *out,
-            int (*okfn)(struct sk_buff *))
+            const struct nf_hook_state *state)
 {
        return ip_vs_out(ops->hooknum, skb, AF_INET);
 }
@@ -1284,8 +1283,7 @@ ip_vs_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
  */
 static unsigned int
 ip_vs_local_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                  const struct net_device *in, const struct net_device *out,
-                  int (*okfn)(struct sk_buff *))
+                  const struct nf_hook_state *state)
 {
        return ip_vs_out(ops->hooknum, skb, AF_INET);
 }
@@ -1299,8 +1297,7 @@ ip_vs_local_reply4(const struct nf_hook_ops *ops, struct sk_buff *skb,
  */
 static unsigned int
 ip_vs_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb,
-            const struct net_device *in, const struct net_device *out,
-            int (*okfn)(struct sk_buff *))
+            const struct nf_hook_state *state)
 {
        return ip_vs_out(ops->hooknum, skb, AF_INET6);
 }
@@ -1311,8 +1308,7 @@ ip_vs_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb,
  */
 static unsigned int
 ip_vs_local_reply6(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                  const struct net_device *in, const struct net_device *out,
-                  int (*okfn)(struct sk_buff *))
+                  const struct nf_hook_state *state)
 {
        return ip_vs_out(ops->hooknum, skb, AF_INET6);
 }
@@ -1769,9 +1765,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
  */
 static unsigned int
 ip_vs_remote_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                     const struct net_device *in,
-                     const struct net_device *out,
-                     int (*okfn)(struct sk_buff *))
+                     const struct nf_hook_state *state)
 {
        return ip_vs_in(ops->hooknum, skb, AF_INET);
 }
@@ -1782,8 +1776,7 @@ ip_vs_remote_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
  */
 static unsigned int
 ip_vs_local_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                    const struct net_device *in, const struct net_device *out,
-                    int (*okfn)(struct sk_buff *))
+                    const struct nf_hook_state *state)
 {
        return ip_vs_in(ops->hooknum, skb, AF_INET);
 }
@@ -1796,9 +1789,7 @@ ip_vs_local_request4(const struct nf_hook_ops *ops, struct sk_buff *skb,
  */
 static unsigned int
 ip_vs_remote_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                     const struct net_device *in,
-                     const struct net_device *out,
-                     int (*okfn)(struct sk_buff *))
+                     const struct nf_hook_state *state)
 {
        return ip_vs_in(ops->hooknum, skb, AF_INET6);
 }
@@ -1809,8 +1800,7 @@ ip_vs_remote_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
  */
 static unsigned int
 ip_vs_local_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                    const struct net_device *in, const struct net_device *out,
-                    int (*okfn)(struct sk_buff *))
+                    const struct nf_hook_state *state)
 {
        return ip_vs_in(ops->hooknum, skb, AF_INET6);
 }
@@ -1829,8 +1819,7 @@ ip_vs_local_request6(const struct nf_hook_ops *ops, struct sk_buff *skb,
  */
 static unsigned int
 ip_vs_forward_icmp(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                  const struct net_device *in, const struct net_device *out,
-                  int (*okfn)(struct sk_buff *))
+                  const struct nf_hook_state *state)
 {
        int r;
        struct net *net;
@@ -1851,8 +1840,7 @@ ip_vs_forward_icmp(const struct nf_hook_ops *ops, struct sk_buff *skb,
 #ifdef CONFIG_IP_VS_IPV6
 static unsigned int
 ip_vs_forward_icmp_v6(const struct nf_hook_ops *ops, struct sk_buff *skb,
-                     const struct net_device *in, const struct net_device *out,
-                     int (*okfn)(struct sk_buff *))
+                     const struct nf_hook_state *state)
 {
        int r;
        struct net *net;
index edc66de39f2e2f665becf1028c9f1b85f4ea7af0..7e392edaab97bee0f66825b195562c3aa879c05a 100644 (file)
@@ -4852,21 +4852,17 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
 
 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
                                         struct sk_buff *skb,
-                                        const struct net_device *in,
-                                        const struct net_device *out,
-                                        int (*okfn)(struct sk_buff *))
+                                        const struct nf_hook_state *state)
 {
-       return selinux_ip_forward(skb, in, PF_INET);
+       return selinux_ip_forward(skb, state->in, PF_INET);
 }
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
                                         struct sk_buff *skb,
-                                        const struct net_device *in,
-                                        const struct net_device *out,
-                                        int (*okfn)(struct sk_buff *))
+                                        const struct nf_hook_state *state)
 {
-       return selinux_ip_forward(skb, in, PF_INET6);
+       return selinux_ip_forward(skb, state->in, PF_INET6);
 }
 #endif /* IPV6 */
 
@@ -4914,9 +4910,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
 
 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
                                        struct sk_buff *skb,
-                                       const struct net_device *in,
-                                       const struct net_device *out,
-                                       int (*okfn)(struct sk_buff *))
+                                       const struct nf_hook_state *state)
 {
        return selinux_ip_output(skb, PF_INET);
 }
@@ -5091,21 +5085,17 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
 
 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
                                           struct sk_buff *skb,
-                                          const struct net_device *in,
-                                          const struct net_device *out,
-                                          int (*okfn)(struct sk_buff *))
+                                          const struct nf_hook_state *state)
 {
-       return selinux_ip_postroute(skb, out, PF_INET);
+       return selinux_ip_postroute(skb, state->out, PF_INET);
 }
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
                                           struct sk_buff *skb,
-                                          const struct net_device *in,
-                                          const struct net_device *out,
-                                          int (*okfn)(struct sk_buff *))
+                                          const struct nf_hook_state *state)
 {
-       return selinux_ip_postroute(skb, out, PF_INET6);
+       return selinux_ip_postroute(skb, state->out, PF_INET6);
 }
 #endif /* IPV6 */
 
index c952632afb0d4ac8e44e35209e56a9b30d083c51..a455cfc9ec1f614851aba10693800a6acd476049 100644 (file)
@@ -23,9 +23,7 @@
 
 static unsigned int smack_ipv6_output(const struct nf_hook_ops *ops,
                                        struct sk_buff *skb,
-                                       const struct net_device *in,
-                                       const struct net_device *out,
-                                       int (*okfn)(struct sk_buff *))
+                                       const struct nf_hook_state *state)
 {
        struct socket_smack *ssp;
        struct smack_known *skp;
@@ -42,9 +40,7 @@ static unsigned int smack_ipv6_output(const struct nf_hook_ops *ops,
 
 static unsigned int smack_ipv4_output(const struct nf_hook_ops *ops,
                                        struct sk_buff *skb,
-                                       const struct net_device *in,
-                                       const struct net_device *out,
-                                       int (*okfn)(struct sk_buff *))
+                                       const struct nf_hook_state *state)
 {
        struct socket_smack *ssp;
        struct smack_known *skp;