[NETFILTER]: Avoid skb_copy/pskb_copy/skb_realloc_headroom
authorHerbert Xu <herbert@gondor.apana.org.au>
Sun, 14 Oct 2007 07:39:55 +0000 (00:39 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Mon, 15 Oct 2007 19:26:28 +0000 (12:26 -0700)
This patch replaces unnecessary uses of skb_copy, pskb_copy and
skb_realloc_headroom by functions such as skb_make_writable and
pskb_expand_head.

This allows us to remove the double pointers later.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/bridge/netfilter/ebt_dnat.c
net/bridge/netfilter/ebt_redirect.c
net/bridge/netfilter/ebt_snat.c
net/ipv4/netfilter.c
net/ipv4/netfilter/arpt_mangle.c
net/ipv4/netfilter/ip_queue.c
net/ipv4/netfilter/nf_nat_helper.c
net/ipv6/netfilter/ip6_queue.c
net/netfilter/nfnetlink_queue.c
net/netfilter/xt_TCPMSS.c

index 4582659dff0e1e535b51551003ed45a1af92ebea..9d74dee20ab0ef5e883cce35a513b50033e2a987 100644 (file)
@@ -8,6 +8,7 @@
  *
  */
 
+#include <linux/netfilter.h>
 #include <linux/netfilter_bridge/ebtables.h>
 #include <linux/netfilter_bridge/ebt_nat.h>
 #include <linux/module.h>
@@ -19,17 +20,9 @@ static int ebt_target_dnat(struct sk_buff **pskb, unsigned int hooknr,
 {
        struct ebt_nat_info *info = (struct ebt_nat_info *)data;
 
-       if (skb_shared(*pskb) || skb_cloned(*pskb)) {
-               struct sk_buff *nskb;
+       if (skb_make_writable(*pskb, 0))
+               return NF_DROP;
 
-               nskb = skb_copy(*pskb, GFP_ATOMIC);
-               if (!nskb)
-                       return NF_DROP;
-               if ((*pskb)->sk)
-                       skb_set_owner_w(nskb, (*pskb)->sk);
-               kfree_skb(*pskb);
-               *pskb = nskb;
-       }
        memcpy(eth_hdr(*pskb)->h_dest, info->mac, ETH_ALEN);
        return info->target;
 }
index 9f378eab72d06bba7caff7f60fdc147aadc8ca9e..81371cd01bd0bf76390dd80f8b076cdeccf6cc23 100644 (file)
@@ -8,6 +8,7 @@
  *
  */
 
+#include <linux/netfilter.h>
 #include <linux/netfilter_bridge/ebtables.h>
 #include <linux/netfilter_bridge/ebt_redirect.h>
 #include <linux/module.h>
@@ -20,17 +21,9 @@ static int ebt_target_redirect(struct sk_buff **pskb, unsigned int hooknr,
 {
        struct ebt_redirect_info *info = (struct ebt_redirect_info *)data;
 
-       if (skb_shared(*pskb) || skb_cloned(*pskb)) {
-               struct sk_buff *nskb;
+       if (skb_make_writable(*pskb, 0))
+               return NF_DROP;
 
-               nskb = skb_copy(*pskb, GFP_ATOMIC);
-               if (!nskb)
-                       return NF_DROP;
-               if ((*pskb)->sk)
-                       skb_set_owner_w(nskb, (*pskb)->sk);
-               kfree_skb(*pskb);
-               *pskb = nskb;
-       }
        if (hooknr != NF_BR_BROUTING)
                memcpy(eth_hdr(*pskb)->h_dest,
                       in->br_port->br->dev->dev_addr, ETH_ALEN);
index a50722182bfe401c62727d5b768c02de794c709c..b0c63684e2f58994b18657037e1449aba1e5e5ec 100644 (file)
@@ -8,6 +8,7 @@
  *
  */
 
+#include <linux/netfilter.h>
 #include <linux/netfilter_bridge/ebtables.h>
 #include <linux/netfilter_bridge/ebt_nat.h>
 #include <linux/module.h>
@@ -21,17 +22,9 @@ static int ebt_target_snat(struct sk_buff **pskb, unsigned int hooknr,
 {
        struct ebt_nat_info *info = (struct ebt_nat_info *) data;
 
-       if (skb_shared(*pskb) || skb_cloned(*pskb)) {
-               struct sk_buff *nskb;
+       if (skb_make_writable(*pskb, 0))
+               return NF_DROP;
 
-               nskb = skb_copy(*pskb, GFP_ATOMIC);
-               if (!nskb)
-                       return NF_DROP;
-               if ((*pskb)->sk)
-                       skb_set_owner_w(nskb, (*pskb)->sk);
-               kfree_skb(*pskb);
-               *pskb = nskb;
-       }
        memcpy(eth_hdr(*pskb)->h_source, info->mac, ETH_ALEN);
        if (!(info->target & NAT_ARP_BIT) &&
            eth_hdr(*pskb)->h_proto == htons(ETH_P_ARP)) {
index b44192924f95fed17389482bb8ef47ed6275c2ab..d1e3012d891f98fc44d2c88265a4f723b7b5a3aa 100644 (file)
@@ -3,6 +3,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/ip.h>
+#include <linux/skbuff.h>
 #include <net/route.h>
 #include <net/xfrm.h>
 #include <net/ip.h>
@@ -66,17 +67,10 @@ int ip_route_me_harder(struct sk_buff **pskb, unsigned addr_type)
 
        /* Change in oif may mean change in hh_len. */
        hh_len = (*pskb)->dst->dev->hard_header_len;
-       if (skb_headroom(*pskb) < hh_len) {
-               struct sk_buff *nskb;
-
-               nskb = skb_realloc_headroom(*pskb, hh_len);
-               if (!nskb)
-                       return -1;
-               if ((*pskb)->sk)
-                       skb_set_owner_w(nskb, (*pskb)->sk);
-               kfree_skb(*pskb);
-               *pskb = nskb;
-       }
+       if (skb_headroom(*pskb) < hh_len &&
+           pskb_expand_head(*pskb, hh_len - skb_headroom(*pskb), 0,
+                            GFP_ATOMIC))
+               return -1;
 
        return 0;
 }
@@ -107,17 +101,10 @@ int ip_xfrm_me_harder(struct sk_buff **pskb)
 
        /* Change in oif may mean change in hh_len. */
        hh_len = (*pskb)->dst->dev->hard_header_len;
-       if (skb_headroom(*pskb) < hh_len) {
-               struct sk_buff *nskb;
-
-               nskb = skb_realloc_headroom(*pskb, hh_len);
-               if (!nskb)
-                       return -1;
-               if ((*pskb)->sk)
-                       skb_set_owner_w(nskb, (*pskb)->sk);
-               kfree_skb(*pskb);
-               *pskb = nskb;
-       }
+       if (skb_headroom(*pskb) < hh_len &&
+           pskb_expand_head(*pskb, hh_len - skb_headroom(*pskb), 0,
+                            GFP_ATOMIC))
+               return -1;
        return 0;
 }
 EXPORT_SYMBOL(ip_xfrm_me_harder);
index c4bdab47597f071c35cb73f45570552777c8ad48..0181f919a79c01f0fd88ed768c5d7767af51f2a2 100644 (file)
@@ -1,5 +1,6 @@
 /* module that allows mangling of the arp payload */
 #include <linux/module.h>
+#include <linux/netfilter.h>
 #include <linux/netfilter_arp/arpt_mangle.h>
 #include <net/sock.h>
 
@@ -18,17 +19,8 @@ target(struct sk_buff **pskb,
        unsigned char *arpptr;
        int pln, hln;
 
-       if (skb_shared(*pskb) || skb_cloned(*pskb)) {
-               struct sk_buff *nskb;
-
-               nskb = skb_copy(*pskb, GFP_ATOMIC);
-               if (!nskb)
-                       return NF_DROP;
-               if ((*pskb)->sk)
-                       skb_set_owner_w(nskb, (*pskb)->sk);
-               kfree_skb(*pskb);
-               *pskb = nskb;
-       }
+       if (skb_make_writable(*pskb, (*pskb)->len))
+               return NF_DROP;
 
        arp = arp_hdr(*pskb);
        arpptr = skb_network_header(*pskb) + sizeof(*arp);
index 62d8867ca7d01068297400bc733916e21b622f8b..10a2ce09fd8e9e88065250c2ed4f96225e15d646 100644 (file)
@@ -335,6 +335,7 @@ static int
 ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
 {
        int diff;
+       int err;
        struct iphdr *user_iph = (struct iphdr *)v->payload;
 
        if (v->data_len < sizeof(*user_iph))
@@ -347,21 +348,14 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
                if (v->data_len > 0xFFFF)
                        return -EINVAL;
                if (diff > skb_tailroom(e->skb)) {
-                       struct sk_buff *newskb;
-
-                       newskb = skb_copy_expand(e->skb,
-                                                skb_headroom(e->skb),
-                                                diff,
-                                                GFP_ATOMIC);
-                       if (newskb == NULL) {
-                               printk(KERN_WARNING "ip_queue: OOM "
-                                     "in mangle, dropping packet\n");
-                               return -ENOMEM;
+                       err = pskb_expand_head(e->skb, 0,
+                                              diff - skb_tailroom(e->skb),
+                                              GFP_ATOMIC);
+                       if (err) {
+                               printk(KERN_WARNING "ip_queue: error "
+                                     "in mangle, dropping packet: %d\n", -err);
+                               return err;
                        }
-                       if (e->skb->sk)
-                               skb_set_owner_w(newskb, e->skb->sk);
-                       kfree_skb(e->skb);
-                       e->skb = newskb;
                }
                skb_put(e->skb, diff);
        }
index 6e81f7612b71c37e36c7f2cbf36f087ce97ce4ac..40b429e4540da672d1356e281d1681219272ccb4 100644 (file)
@@ -113,20 +113,12 @@ static void mangle_contents(struct sk_buff *skb,
 /* Unusual, but possible case. */
 static int enlarge_skb(struct sk_buff **pskb, unsigned int extra)
 {
-       struct sk_buff *nskb;
-
        if ((*pskb)->len + extra > 65535)
                return 0;
 
-       nskb = skb_copy_expand(*pskb, skb_headroom(*pskb), extra, GFP_ATOMIC);
-       if (!nskb)
+       if (pskb_expand_head(*pskb, 0, extra - skb_tailroom(*pskb), GFP_ATOMIC))
                return 0;
 
-       /* Transfer socket to new skb. */
-       if ((*pskb)->sk)
-               skb_set_owner_w(nskb, (*pskb)->sk);
-       kfree_skb(*pskb);
-       *pskb = nskb;
        return 1;
 }
 
index d7080dd475ac4acf8af10eadaf2d96829144bd73..6413a30d9f68858cea06a0f6bac64233bdfd8aa0 100644 (file)
@@ -332,6 +332,7 @@ static int
 ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
 {
        int diff;
+       int err;
        struct ipv6hdr *user_iph = (struct ipv6hdr *)v->payload;
 
        if (v->data_len < sizeof(*user_iph))
@@ -344,21 +345,14 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
                if (v->data_len > 0xFFFF)
                        return -EINVAL;
                if (diff > skb_tailroom(e->skb)) {
-                       struct sk_buff *newskb;
-
-                       newskb = skb_copy_expand(e->skb,
-                                                skb_headroom(e->skb),
-                                                diff,
-                                                GFP_ATOMIC);
-                       if (newskb == NULL) {
+                       err = pskb_expand_head(e->skb, 0,
+                                              diff - skb_tailroom(e->skb),
+                                              GFP_ATOMIC);
+                       if (err) {
                                printk(KERN_WARNING "ip6_queue: OOM "
                                      "in mangle, dropping packet\n");
-                               return -ENOMEM;
+                               return err;
                        }
-                       if (e->skb->sk)
-                               skb_set_owner_w(newskb, e->skb->sk);
-                       kfree_skb(e->skb);
-                       e->skb = newskb;
                }
                skb_put(e->skb, diff);
        }
index 6ba98acdd7a225eb9be401040b0dd3c570fcdac2..3ceeffcf6f9de65cd5386d0a7e9d73d11cdacdc6 100644 (file)
@@ -617,6 +617,7 @@ static int
 nfqnl_mangle(void *data, int data_len, struct nfqnl_queue_entry *e)
 {
        int diff;
+       int err;
 
        diff = data_len - e->skb->len;
        if (diff < 0) {
@@ -626,21 +627,14 @@ nfqnl_mangle(void *data, int data_len, struct nfqnl_queue_entry *e)
                if (data_len > 0xFFFF)
                        return -EINVAL;
                if (diff > skb_tailroom(e->skb)) {
-                       struct sk_buff *newskb;
-
-                       newskb = skb_copy_expand(e->skb,
-                                                skb_headroom(e->skb),
-                                                diff,
-                                                GFP_ATOMIC);
-                       if (newskb == NULL) {
+                       err = pskb_expand_head(e->skb, 0,
+                                              diff - skb_tailroom(e->skb),
+                                              GFP_ATOMIC);
+                       if (err) {
                                printk(KERN_WARNING "nf_queue: OOM "
                                      "in mangle, dropping packet\n");
-                               return -ENOMEM;
+                               return err;
                        }
-                       if (e->skb->sk)
-                               skb_set_owner_w(newskb, e->skb->sk);
-                       kfree_skb(e->skb);
-                       e->skb = newskb;
                }
                skb_put(e->skb, diff);
        }
index 31b6f9d0982277826393248e28f1265ae5476c7a..f111edf5f7754516a7743bae3064958ad0010d65 100644 (file)
@@ -105,14 +105,10 @@ tcpmss_mangle_packet(struct sk_buff **pskb,
         * MSS Option not found ?! add it..
         */
        if (skb_tailroom((*pskb)) < TCPOLEN_MSS) {
-               struct sk_buff *newskb;
-
-               newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
-                                        TCPOLEN_MSS, GFP_ATOMIC);
-               if (!newskb)
+               if (pskb_expand_head(*pskb, 0,
+                                    TCPOLEN_MSS - skb_tailroom(*pskb),
+                                    GFP_ATOMIC))
                        return -1;
-               kfree_skb(*pskb);
-               *pskb = newskb;
                tcph = (struct tcphdr *)(skb_network_header(*pskb) + tcphoff);
        }