netfilter: ebtables: Simplify the arguments to ebt_do_table
authorEric W. Biederman <ebiederm@xmission.com>
Fri, 18 Sep 2015 19:32:54 +0000 (14:32 -0500)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 18 Sep 2015 19:57:35 +0000 (21:57 +0200)
Nearly everything of interest to ebt_do_table is already present
in nf_hook_state.  Simplify ebt_do_table by just passing in the skb,
nf_hook_state, and the table.  This makes the code easier to read and
maintain.

To support this create an nf_hook_state on the stack in ebt_broute
(the only caller without a nf_hook_state already available).  This new
nf_hook_state adds no new computations to ebt_broute, but does use a
few more bytes of stack.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/linux/netfilter_bridge/ebtables.h
net/bridge/netfilter/ebtable_broute.c
net/bridge/netfilter/ebtable_filter.c
net/bridge/netfilter/ebtable_nat.c
net/bridge/netfilter/ebtables.c

index 8ca6d6464ea31fd7fa8c9faf53c9b5aa5c58980e..2ea517c7c6b945d7842633c7e20dc0c35ab8ffc2 100644 (file)
@@ -111,9 +111,9 @@ struct ebt_table {
 extern struct ebt_table *ebt_register_table(struct net *net,
                                            const struct ebt_table *table);
 extern void ebt_unregister_table(struct net *net, struct ebt_table *table);
-extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
-   const struct net_device *in, const struct net_device *out,
-   struct ebt_table *table);
+extern unsigned int ebt_do_table(struct sk_buff *skb,
+                                const struct nf_hook_state *state,
+                                struct ebt_table *table);
 
 /* Used in the kernel match() functions */
 #define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg))
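Review bot: The new ebt_do_table prototype takes `state` but nothing on the declaration states the contract the implementation now depends on: the ebtables.c hunks of this commit dereference state unconditionally for hook, in, out and net, and ebt_broute has to synthesize such a state by hand to satisfy it. A short comment on the declaration would pin that down, e.g. `/* state must be non-NULL with hook, in, out and net filled in; other fields are not read. out may be NULL (ebt_broute passes none). */`. Whether `in` may also be NULL is not visible in this diff, so that clause should be confirmed against the callers before it is written.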
index d2cdf5d6e98cee057ebc838c64a7a1e66d6869c6..ec94c6f1ae881461bb1c72fc7a8965c335de73fe 100644 (file)
@@ -50,10 +50,14 @@ static const struct ebt_table broute_table = {
 
 static int ebt_broute(struct sk_buff *skb)
 {
+       struct nf_hook_state state;
        int ret;
 
-       ret = ebt_do_table(NF_BR_BROUTING, skb, skb->dev, NULL,
-                          dev_net(skb->dev)->xt.broute_table);
+       nf_hook_state_init(&state, NULL, NF_BR_BROUTING, INT_MIN,
+                          NFPROTO_BRIDGE, skb->dev, NULL, NULL,
+                          dev_net(skb->dev), NULL);
+
+       ret = ebt_do_table(skb, &state, state.net->xt.broute_table);
        if (ret == NF_DROP)
                return 1; /* route it */
        return 0; /* bridge it */
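Review bot: The nf_hook_state_init() call added in ebt_broute is a run of positional NULLs with nothing saying which fields are deliberately left empty, so a maintainer cannot tell intent from the hunk alone. A comment above it would help, e.g. `/* BROUTING is not a regular netfilter hook: build a minimal state; ebt_do_table only reads hook, in, out and net, the rest stays NULL */`. Those four fields are exactly the ones the ebtables.c hunks of this commit dereference, so any field ebt_do_table starts reading later must also be filled in here; the second argument looks like the hook list and INT_MIN the threshold/priority slot, which the comment could name if that is confirmed. ebt_broute's closing brace lies outside the hunk.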
index ab20d6ed6e2f9a693cef4f1f017ad9d55637130c..118ce40ac1815f36182b8e9dac37dd6c56385358 100644 (file)
@@ -60,16 +60,14 @@ static unsigned int
 ebt_in_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
            const struct nf_hook_state *state)
 {
-       return ebt_do_table(ops->hooknum, skb, state->in, state->out,
-                           state->net->xt.frame_filter);
+       return ebt_do_table(skb, state, state->net->xt.frame_filter);
 }
 
 static unsigned int
 ebt_out_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
             const struct nf_hook_state *state)
 {
-       return ebt_do_table(ops->hooknum, skb, state->in, state->out,
-                           state->net->xt.frame_filter);
+       return ebt_do_table(skb, state, state->net->xt.frame_filter);
 }
 
 static struct nf_hook_ops ebt_ops_filter[] __read_mostly = {
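Review bot: ebt_in_hook and ebt_out_hook now have byte-identical bodies (both are `return ebt_do_table(skb, state, state->net->xt.frame_filter);`) and neither reads `ops` any more, so the pair could collapse into a single hook function referenced from both ebt_ops_filter entries; the same applies to ebt_nat_in/ebt_nat_out in the ebtable_nat.c hunk. If the two names are kept so the ops table stays self-describing, a one-line comment would explain the now-unused parameter, e.g. `/* ops is unused: the hook number is taken from state->hook inside ebt_do_table */`. The ebt_ops_filter initializer starts on the hunk's last line and continues outside it.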
index ad81a5a65644ef23af545d5375beae883b60c9c3..56c3329d6c37e59ff1d49494fb1e827863b2bd9a 100644 (file)
@@ -60,16 +60,14 @@ static unsigned int
 ebt_nat_in(const struct nf_hook_ops *ops, struct sk_buff *skb,
           const struct nf_hook_state *state)
 {
-       return ebt_do_table(ops->hooknum, skb, state->in, state->out,
-                           state->net->xt.frame_nat);
+       return ebt_do_table(skb, state, state->net->xt.frame_nat);
 }
 
 static unsigned int
 ebt_nat_out(const struct nf_hook_ops *ops, struct sk_buff *skb,
            const struct nf_hook_state *state)
 {
-       return ebt_do_table(ops->hooknum, skb, state->in, state->out,
-                           state->net->xt.frame_nat);
+       return ebt_do_table(skb, state, state->net->xt.frame_nat);
 }
 
 static struct nf_hook_ops ebt_ops_nat[] __read_mostly = {
index 48b6b01295de4d39987f82a39cfd4c6503155f5a..8d5a3975b96341f2e48c839dc6c0a29de28bd702 100644 (file)
@@ -183,10 +183,11 @@ struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
 }
 
 /* Do some firewalling */
-unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
-   const struct net_device *in, const struct net_device *out,
-   struct ebt_table *table)
+unsigned int ebt_do_table(struct sk_buff *skb,
+                         const struct nf_hook_state *state,
+                         struct ebt_table *table)
 {
+       unsigned int hook = state->hook;
        int i, nentries;
        struct ebt_entry *point;
        struct ebt_counter *counter_base, *cb_base;
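Review bot: `unsigned int hook = state->hook;` is hoisted into a local directly under the new signature, but `state->in` and `state->out` are not, so the two later hunks of this file rewrite `acpar.in`/`acpar.out` and the `ebt_basic_match()` call to dereference state at each use. Adding `const struct net_device *in = state->in, *out = state->out;` beside `hook` would leave those lines untouched, shrink the diff, and treat the three fields consistently. The `/* Do some firewalling */` header comment above the definition could also state that `state` is read-only here and which of its fields are consumed. The function body continues past the last hunk shown, so further uses of in/out may exist outside this view.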
@@ -199,8 +200,8 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
        struct xt_action_param acpar;
 
        acpar.family  = NFPROTO_BRIDGE;
-       acpar.in      = in;
-       acpar.out     = out;
+       acpar.in      = state->in;
+       acpar.out     = state->out;
        acpar.hotdrop = false;
        acpar.hooknum = hook;
 
@@ -220,7 +221,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
        base = private->entries;
        i = 0;
        while (i < nentries) {
-               if (ebt_basic_match(point, skb, in, out))
+               if (ebt_basic_match(point, skb, state->in, state->out))
                        goto letscontinue;
 
                if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)