From: Pablo Neira Ayuso Date: Tue, 9 Jan 2018 02:48:47 +0100 Subject: [PATCH] netfilter: nf_tables: get rid of struct nft_af_info abstraction Remove the infrastructure to register/unregister nft_af_info structure, this structure stores no useful information anymore. Signed-off-by: Pablo Neira Ayuso --- --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -956,28 +956,12 @@ struct nft_table { struct list_head flowtables; u64 hgenerator; u32 use; - u16 flags:14, + u16 family:6, + flags:8, genmask:2; - struct nft_af_info *afi; char *name; }; -/** - * struct nft_af_info - nf_tables address family info - * - * @list: used internally - * @family: address family - * @owner: module owner - */ -struct nft_af_info { - struct list_head list; - int family; - struct module *owner; -}; - -int nft_register_afinfo(struct nft_af_info *); -void nft_unregister_afinfo(struct nft_af_info *); - int nft_register_chain_type(const struct nf_chain_type *); void nft_unregister_chain_type(const struct nf_chain_type *); @@ -1145,9 +1129,6 @@ void nft_trace_notify(struct nft_tracein #define nft_dereference(p) \ nfnl_dereference(p, NFNL_SUBSYS_NFTABLES) -#define MODULE_ALIAS_NFT_FAMILY(family) \ - MODULE_ALIAS("nft-afinfo-" __stringify(family)) - #define MODULE_ALIAS_NFT_CHAIN(family, name) \ MODULE_ALIAS("nft-chain-" __stringify(family) "-" name) --- a/net/bridge/netfilter/nf_tables_bridge.c +++ b/net/bridge/netfilter/nf_tables_bridge.c @@ -42,11 +42,6 @@ nft_do_chain_bridge(void *priv, return nft_do_chain(&pkt, priv); } -static struct nft_af_info nft_af_bridge __read_mostly = { - .family = NFPROTO_BRIDGE, - .owner = THIS_MODULE, -}; - static const struct nf_chain_type filter_bridge = { .name = "filter", .type = NFT_CHAIN_T_DEFAULT, @@ -68,28 +63,12 @@ static const struct nf_chain_type filter static int __init nf_tables_bridge_init(void) { - int ret; - - ret = nft_register_afinfo(&nft_af_bridge); - if (ret < 0) - return ret; - - ret = nft_register_chain_type(&filter_bridge); - if (ret < 0) - goto err_register_chain; - - return ret; - -err_register_chain: - nft_unregister_chain_type(&filter_bridge); - - return ret; + return nft_register_chain_type(&filter_bridge); } static void __exit nf_tables_bridge_exit(void) { nft_unregister_chain_type(&filter_bridge); - nft_unregister_afinfo(&nft_af_bridge); } module_init(nf_tables_bridge_init); @@ -97,4 +76,4 @@ module_exit(nf_tables_bridge_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Patrick McHardy "); -MODULE_ALIAS_NFT_FAMILY(AF_BRIDGE); +MODULE_ALIAS_NFT_CHAIN(AF_BRIDGE, "filter"); --- a/net/ipv4/netfilter/nf_tables_arp.c +++ b/net/ipv4/netfilter/nf_tables_arp.c @@ -27,11 +27,6 @@ nft_do_chain_arp(void *priv, return nft_do_chain(&pkt, priv); } -static struct nft_af_info nft_af_arp __read_mostly = { - .family = NFPROTO_ARP, - .owner = THIS_MODULE, -}; - static const struct nf_chain_type filter_arp = { .name = "filter", .type = NFT_CHAIN_T_DEFAULT, @@ -47,28 +42,12 @@ static const struct nf_chain_type filter static int __init nf_tables_arp_init(void) { - int ret; - - ret = nft_register_afinfo(&nft_af_arp); - if (ret < 0) - return ret; - - ret = nft_register_chain_type(&filter_arp); - if (ret < 0) - goto err_register_chain; - - return 0; - -err_register_chain: - nft_unregister_chain_type(&filter_arp); - - return ret; + return nft_register_chain_type(&filter_arp); } static void __exit nf_tables_arp_exit(void) { nft_unregister_chain_type(&filter_arp); - nft_unregister_afinfo(&nft_af_arp); } module_init(nf_tables_arp_init); @@ -76,4 +55,4 @@ module_exit(nf_tables_arp_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Patrick McHardy "); -MODULE_ALIAS_NFT_FAMILY(3); /* NFPROTO_ARP */ +MODULE_ALIAS_NFT_CHAIN(3, "filter"); /* NFPROTO_ARP */ --- a/net/ipv4/netfilter/nf_tables_ipv4.c +++ b/net/ipv4/netfilter/nf_tables_ipv4.c @@ -30,11 +30,6 @@ static unsigned int nft_do_chain_ipv4(vo return nft_do_chain(&pkt, priv); } -static struct nft_af_info nft_af_ipv4 __read_mostly = { - .family = NFPROTO_IPV4, - .owner = THIS_MODULE, -}; - static const struct nf_chain_type filter_ipv4 = { .name = "filter", .type = NFT_CHAIN_T_DEFAULT, @@ -56,27 +51,12 @@ static const struct nf_chain_type filter static int __init nf_tables_ipv4_init(void) { - int ret; - - ret = nft_register_afinfo(&nft_af_ipv4); - if (ret < 0) - return ret; - - ret = nft_register_chain_type(&filter_ipv4); - if (ret < 0) - goto err_register_chain; - - return 0; - -err_register_chain: - nft_unregister_afinfo(&nft_af_ipv4); - return ret; + return nft_register_chain_type(&filter_ipv4); } static void __exit nf_tables_ipv4_exit(void) { nft_unregister_chain_type(&filter_ipv4); - nft_unregister_afinfo(&nft_af_ipv4); } module_init(nf_tables_ipv4_init); @@ -84,4 +64,4 @@ module_exit(nf_tables_ipv4_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Patrick McHardy "); -MODULE_ALIAS_NFT_FAMILY(AF_INET); +MODULE_ALIAS_NFT_CHAIN(AF_INET, "filter"); --- a/net/ipv6/netfilter/nf_tables_ipv6.c +++ b/net/ipv6/netfilter/nf_tables_ipv6.c @@ -28,11 +28,6 @@ static unsigned int nft_do_chain_ipv6(vo return nft_do_chain(&pkt, priv); } -static struct nft_af_info nft_af_ipv6 __read_mostly = { - .family = NFPROTO_IPV6, - .owner = THIS_MODULE, -}; - static const struct nf_chain_type filter_ipv6 = { .name = "filter", .type = NFT_CHAIN_T_DEFAULT, @@ -54,26 +49,11 @@ static const struct nf_chain_type filter static int __init nf_tables_ipv6_init(void) { - int ret; - - ret = nft_register_afinfo(&nft_af_ipv6); - if (ret < 0) - return ret; - - ret = nft_register_chain_type(&filter_ipv6); - if (ret < 0) - goto err_register_chain; - - return 0; - -err_register_chain: - nft_unregister_afinfo(&nft_af_ipv6); - return ret; + return nft_register_chain_type(&filter_ipv6); } static void __exit nf_tables_ipv6_exit(void) { - nft_unregister_afinfo(&nft_af_ipv6); nft_unregister_chain_type(&filter_ipv6); } @@ -82,4 +62,4 @@ module_exit(nf_tables_ipv6_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Patrick McHardy "); -MODULE_ALIAS_NFT_FAMILY(AF_INET6); +MODULE_ALIAS_NFT_CHAIN(AF_INET6, "filter"); --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -26,71 +26,6 @@ static LIST_HEAD(nf_tables_expressions); static LIST_HEAD(nf_tables_objects); static LIST_HEAD(nf_tables_flowtables); -static LIST_HEAD(nf_tables_af_info); - -/** - * nft_register_afinfo - register nf_tables address family info - * - * @afi: address family info to register - * - * Register the address family for use with nf_tables. Returns zero on - * success or a negative errno code otherwise. - */ -int nft_register_afinfo(struct nft_af_info *afi) -{ - nfnl_lock(NFNL_SUBSYS_NFTABLES); - list_add_tail_rcu(&afi->list, &nf_tables_af_info); - nfnl_unlock(NFNL_SUBSYS_NFTABLES); - return 0; -} -EXPORT_SYMBOL_GPL(nft_register_afinfo); - -/** - * nft_unregister_afinfo - unregister nf_tables address family info - * - * @afi: address family info to unregister - * - * Unregister the address family for use with nf_tables. - */ -void nft_unregister_afinfo(struct nft_af_info *afi) -{ - nfnl_lock(NFNL_SUBSYS_NFTABLES); - list_del_rcu(&afi->list); - nfnl_unlock(NFNL_SUBSYS_NFTABLES); -} -EXPORT_SYMBOL_GPL(nft_unregister_afinfo); - -static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family) -{ - struct nft_af_info *afi; - - list_for_each_entry(afi, &nf_tables_af_info, list) { - if (afi->family == family) - return afi; - } - return NULL; -} - -static struct nft_af_info * -nf_tables_afinfo_lookup(struct net *net, int family, bool autoload) -{ - struct nft_af_info *afi; - - afi = nft_afinfo_lookup(net, family); - if (afi != NULL) - return afi; -#ifdef CONFIG_MODULES - if (autoload) { - nfnl_unlock(NFNL_SUBSYS_NFTABLES); - request_module("nft-afinfo-%u", family); - nfnl_lock(NFNL_SUBSYS_NFTABLES); - afi = nft_afinfo_lookup(net, family); - if (afi != NULL) - return ERR_PTR(-EAGAIN); - } -#endif - return ERR_PTR(-EAFNOSUPPORT); -} static void nft_ctx_init(struct nft_ctx *ctx, struct net *net, @@ -434,7 +369,7 @@ static struct nft_table *nft_table_looku list_for_each_entry(table, &net->nft.tables, list) { if (!nla_strcmp(nla, table->name) && - table->afi->family == family && + table->family == family && nft_active_genmask(table, genmask)) return table; } @@ -575,7 +510,7 @@ static int nf_tables_dump_tables(struct cb->seq = net->nft.base_seq; list_for_each_entry_rcu(table, &net->nft.tables, list) { - if (family != NFPROTO_UNSPEC && family != table->afi->family) + if (family != NFPROTO_UNSPEC && family != table->family) continue; if (idx < s_idx) @@ -589,7 +524,7 @@ static int nf_tables_dump_tables(struct NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq, NFT_MSG_NEWTABLE, NLM_F_MULTI, - table->afi->family, table) < 0) + table->family, table) < 0) goto done; nl_dump_check_consistent(cb, nlmsg_hdr(skb)); @@ -609,7 +544,6 @@ static int nf_tables_gettable(struct net { const struct nfgenmsg *nfmsg = nlmsg_data(nlh); u8 genmask = nft_genmask_cur(net); - const struct nft_af_info *afi; const struct nft_table *table; struct sk_buff *skb2; int family = nfmsg->nfgen_family; @@ -622,11 +556,7 @@ static int nf_tables_gettable(struct net return netlink_dump_start(nlsk, skb, nlh, &c); } - afi = nf_tables_afinfo_lookup(net, family, false); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -746,19 +676,14 @@ static int nf_tables_newtable(struct net const struct nfgenmsg *nfmsg = nlmsg_data(nlh); u8 genmask = nft_genmask_next(net); const struct nlattr *name; - struct nft_af_info *afi; struct nft_table *table; int family = nfmsg->nfgen_family; u32 flags = 0; struct nft_ctx ctx; int err; - afi = nf_tables_afinfo_lookup(net, family, true); - if (IS_ERR(afi)) - return PTR_ERR(afi); - name = nla[NFTA_TABLE_NAME]; - table = nf_tables_table_lookup(net, name, afi->family, genmask); + table = nf_tables_table_lookup(net, name, family, genmask); if (IS_ERR(table)) { if (PTR_ERR(table) != -ENOENT) return PTR_ERR(table); @@ -768,7 +693,7 @@ static int nf_tables_newtable(struct net if (nlh->nlmsg_flags & NLM_F_REPLACE) return -EOPNOTSUPP; - nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); return nf_tables_updtable(&ctx); } @@ -778,40 +703,34 @@ static int nf_tables_newtable(struct net return -EINVAL; } - err = -EAFNOSUPPORT; - if (!try_module_get(afi->owner)) - goto err1; - err = -ENOMEM; table = kzalloc(sizeof(*table), GFP_KERNEL); if (table == NULL) - goto err2; + goto err_kzalloc; table->name = nla_strdup(name, GFP_KERNEL); if (table->name == NULL) - goto err3; + goto err_strdup; INIT_LIST_HEAD(&table->chains); INIT_LIST_HEAD(&table->sets); INIT_LIST_HEAD(&table->objects); INIT_LIST_HEAD(&table->flowtables); - table->afi = afi; + table->family = family; table->flags = flags; - nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); if (err < 0) - goto err4; + goto err_trans; list_add_tail_rcu(&table->list, &net->nft.tables); return 0; -err4: +err_trans: kfree(table->name); -err3: +err_strdup: kfree(table); -err2: - module_put(afi->owner); -err1: +err_kzalloc: return err; } @@ -882,10 +801,10 @@ static int nft_flush(struct nft_ctx *ctx int err = 0; list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { - if (family != AF_UNSPEC && table->afi->family != family) + if (family != AF_UNSPEC && table->family != family) continue; - ctx->family = table->afi->family; + ctx->family = table->family; if (!nft_is_active_next(ctx->net, table)) continue; @@ -911,7 +830,6 @@ static int nf_tables_deltable(struct net { const struct nfgenmsg *nfmsg = nlmsg_data(nlh); u8 genmask = nft_genmask_next(net); - struct nft_af_info *afi; struct nft_table *table; int family = nfmsg->nfgen_family; struct nft_ctx ctx; @@ -920,11 +838,7 @@ static int nf_tables_deltable(struct net if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL) return nft_flush(&ctx, family); - afi = nf_tables_afinfo_lookup(net, family, false); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -933,7 +847,7 @@ static int nf_tables_deltable(struct net table->use > 0) return -EBUSY; - ctx.family = afi->family; + ctx.family = family; ctx.table = table; return nft_flush_table(&ctx); @@ -945,7 +859,6 @@ static void nf_tables_table_destroy(stru kfree(ctx->table->name); kfree(ctx->table); - module_put(ctx->table->afi->owner); } int nft_register_chain_type(const struct nf_chain_type *ctype) @@ -1174,7 +1087,7 @@ static int nf_tables_dump_chains(struct cb->seq = net->nft.base_seq; list_for_each_entry_rcu(table, &net->nft.tables, list) { - if (family != NFPROTO_UNSPEC && family != table->afi->family) + if (family != NFPROTO_UNSPEC && family != table->family) continue; list_for_each_entry_rcu(chain, &table->chains, list) { @@ -1190,7 +1103,7 @@ static int nf_tables_dump_chains(struct cb->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, NLM_F_MULTI, - table->afi->family, table, + table->family, table, chain) < 0) goto done; @@ -1212,7 +1125,6 @@ static int nf_tables_getchain(struct net { const struct nfgenmsg *nfmsg = nlmsg_data(nlh); u8 genmask = nft_genmask_cur(net); - const struct nft_af_info *afi; const struct nft_table *table; const struct nft_chain *chain; struct sk_buff *skb2; @@ -1226,11 +1138,7 @@ static int nf_tables_getchain(struct net return netlink_dump_start(nlsk, skb, nlh, &c); } - afi = nf_tables_afinfo_lookup(net, family, false); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -1612,7 +1520,6 @@ static int nf_tables_newchain(struct net const struct nlattr * uninitialized_var(name); u8 genmask = nft_genmask_next(net); int family = nfmsg->nfgen_family; - struct nft_af_info *afi; struct nft_table *table; struct nft_chain *chain; u8 policy = NF_ACCEPT; @@ -1622,11 +1529,7 @@ static int nf_tables_newchain(struct net create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false; - afi = nf_tables_afinfo_lookup(net, family, true); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -1667,7 +1570,7 @@ static int nf_tables_newchain(struct net } } - nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); + nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); if (chain != NULL) { if (nlh->nlmsg_flags & NLM_F_EXCL) @@ -1688,7 +1591,6 @@ static int nf_tables_delchain(struct net { const struct nfgenmsg *nfmsg = nlmsg_data(nlh); u8 genmask = nft_genmask_next(net); - struct nft_af_info *afi; struct nft_table *table; struct nft_chain *chain; struct nft_rule *rule; @@ -1697,11 +1599,7 @@ static int nf_tables_delchain(struct net u32 use; int err; - afi = nf_tables_afinfo_lookup(net, family, false); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -1714,7 +1612,7 @@ static int nf_tables_delchain(struct net chain->use > 0) return -EBUSY; - nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); + nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); use = chain->use; list_for_each_entry(rule, &chain->rules, list) { @@ -2145,7 +2043,7 @@ static int nf_tables_dump_rules(struct s cb->seq = net->nft.base_seq; list_for_each_entry_rcu(table, &net->nft.tables, list) { - if (family != NFPROTO_UNSPEC && family != table->afi->family) + if (family != NFPROTO_UNSPEC && family != table->family) continue; if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) @@ -2168,7 +2066,7 @@ static int nf_tables_dump_rules(struct s cb->nlh->nlmsg_seq, NFT_MSG_NEWRULE, NLM_F_MULTI | NLM_F_APPEND, - table->afi->family, + table->family, table, chain, rule) < 0) goto done; @@ -2204,7 +2102,6 @@ static int nf_tables_getrule(struct net { const struct nfgenmsg *nfmsg = nlmsg_data(nlh); u8 genmask = nft_genmask_cur(net); - const struct nft_af_info *afi; const struct nft_table *table; const struct nft_chain *chain; const struct nft_rule *rule; @@ -2248,11 +2145,7 @@ static int nf_tables_getrule(struct net return netlink_dump_start(nlsk, skb, nlh, &c); } - afi = nf_tables_afinfo_lookup(net, family, false); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -2318,7 +2211,7 @@ static int nf_tables_newrule(struct net { const struct nfgenmsg *nfmsg = nlmsg_data(nlh); u8 genmask = nft_genmask_next(net); - struct nft_af_info *afi; + int family = nfmsg->nfgen_family; struct nft_table *table; struct nft_chain *chain; struct nft_rule *rule, *old_rule = NULL; @@ -2334,11 +2227,7 @@ static int nf_tables_newrule(struct net create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false; - afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -2378,7 +2267,7 @@ static int nf_tables_newrule(struct net return PTR_ERR(old_rule); } - nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); + nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); n = 0; size = 0; @@ -2500,18 +2389,13 @@ static int nf_tables_delrule(struct net { const struct nfgenmsg *nfmsg = nlmsg_data(nlh); u8 genmask = nft_genmask_next(net); - struct nft_af_info *afi; struct nft_table *table; struct nft_chain *chain = NULL; struct nft_rule *rule; int family = nfmsg->nfgen_family, err = 0; struct nft_ctx ctx; - afi = nf_tables_afinfo_lookup(net, family, false); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -2523,7 +2407,7 @@ static int nf_tables_delrule(struct net return PTR_ERR(chain); } - nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, chain, nla); + nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); if (chain) { if (nla[NFTA_RULE_HANDLE]) { @@ -2708,26 +2592,17 @@ static int nft_ctx_init_from_setattr(str u8 genmask) { const struct nfgenmsg *nfmsg = nlmsg_data(nlh); - struct nft_af_info *afi = NULL; + int family = nfmsg->nfgen_family; struct nft_table *table = NULL; - if (nfmsg->nfgen_family != NFPROTO_UNSPEC) { - afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false); - if (IS_ERR(afi)) - return PTR_ERR(afi); - } - if (nla[NFTA_SET_TABLE] != NULL) { - if (afi == NULL) - return -EAFNOSUPPORT; - table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], - afi->family, genmask); + family, genmask); if (IS_ERR(table)) return PTR_ERR(table); } - nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla); + nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla); return 0; } @@ -2959,7 +2834,7 @@ static int nf_tables_dump_sets(struct sk list_for_each_entry_rcu(table, &net->nft.tables, list) { if (ctx->family != NFPROTO_UNSPEC && - ctx->family != table->afi->family) + ctx->family != table->family) continue; if (ctx->table && ctx->table != table) @@ -2980,7 +2855,7 @@ static int nf_tables_dump_sets(struct sk ctx_set = *ctx; ctx_set.table = table; - ctx_set.family = table->afi->family; + ctx_set.family = table->family; if (nf_tables_fill_set(skb, &ctx_set, set, NFT_MSG_NEWSET, @@ -3092,8 +2967,8 @@ static int nf_tables_newset(struct net * { const struct nfgenmsg *nfmsg = nlmsg_data(nlh); u8 genmask = nft_genmask_next(net); + int family = nfmsg->nfgen_family; const struct nft_set_ops *ops; - struct nft_af_info *afi; struct nft_table *table; struct nft_set *set; struct nft_ctx ctx; @@ -3203,16 +3078,12 @@ static int nf_tables_newset(struct net * create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false; - afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); - nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask); if (IS_ERR(set)) { @@ -3474,19 +3345,15 @@ static int nft_ctx_init_from_elemattr(st u8 genmask) { const struct nfgenmsg *nfmsg = nlmsg_data(nlh); - struct nft_af_info *afi; + int family = nfmsg->nfgen_family; struct nft_table *table; - afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false); - if (IS_ERR(afi)) - return PTR_ERR(afi); - table = nf_tables_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], - afi->family, genmask); + family, genmask); if (IS_ERR(table)) return PTR_ERR(table); - nft_ctx_init(ctx, net, skb, nlh, afi->family, table, NULL, nla); + nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla); return 0; } @@ -3604,7 +3471,7 @@ static int nf_tables_dump_set(struct sk_ rcu_read_lock(); list_for_each_entry_rcu(table, &net->nft.tables, list) { if (dump_ctx->ctx.family != NFPROTO_UNSPEC && - dump_ctx->ctx.family != table->afi->family) + dump_ctx->ctx.family != table->family) continue; if (table != dump_ctx->ctx.table) @@ -3634,7 +3501,7 @@ static int nf_tables_dump_set(struct sk_ goto nla_put_failure; nfmsg = nlmsg_data(nlh); - nfmsg->nfgen_family = table->afi->family; + nfmsg->nfgen_family = table->family; nfmsg->version = NFNETLINK_V0; nfmsg->res_id = htons(net->nft.base_seq & 0xffff); @@ -4516,7 +4383,6 @@ static int nf_tables_newobj(struct net * const struct nft_object_type *type; u8 genmask = nft_genmask_next(net); int family = nfmsg->nfgen_family; - struct nft_af_info *afi; struct nft_table *table; struct nft_object *obj; struct nft_ctx ctx; @@ -4528,11 +4394,7 @@ static int nf_tables_newobj(struct net * !nla[NFTA_OBJ_DATA]) return -EINVAL; - afi = nf_tables_afinfo_lookup(net, family, true); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -4551,7 +4413,7 @@ static int nf_tables_newobj(struct net * return 0; } - nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); type = nft_obj_type_get(objtype); if (IS_ERR(type)) @@ -4643,7 +4505,7 @@ static int nf_tables_dump_obj(struct sk_ cb->seq = net->nft.base_seq; list_for_each_entry_rcu(table, &net->nft.tables, list) { - if (family != NFPROTO_UNSPEC && family != table->afi->family) + if (family != NFPROTO_UNSPEC && family != table->family) continue; list_for_each_entry_rcu(obj, &table->objects, list) { @@ -4666,7 +4528,7 @@ static int nf_tables_dump_obj(struct sk_ cb->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, NLM_F_MULTI | NLM_F_APPEND, - table->afi->family, table, + table->family, table, obj, reset) < 0) goto done; @@ -4724,7 +4586,6 @@ static int nf_tables_getobj(struct net * const struct nfgenmsg *nfmsg = nlmsg_data(nlh); u8 genmask = nft_genmask_cur(net); int family = nfmsg->nfgen_family; - const struct nft_af_info *afi; const struct nft_table *table; struct nft_object *obj; struct sk_buff *skb2; @@ -4755,11 +4616,7 @@ static int nf_tables_getobj(struct net * !nla[NFTA_OBJ_TYPE]) return -EINVAL; - afi = nf_tables_afinfo_lookup(net, family, false); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -4806,7 +4663,6 @@ static int nf_tables_delobj(struct net * const struct nfgenmsg *nfmsg = nlmsg_data(nlh); u8 genmask = nft_genmask_next(net); int family = nfmsg->nfgen_family; - struct nft_af_info *afi; struct nft_table *table; struct nft_object *obj; struct nft_ctx ctx; @@ -4816,11 +4672,7 @@ static int nf_tables_delobj(struct net * !nla[NFTA_OBJ_NAME]) return -EINVAL; - afi = nf_tables_afinfo_lookup(net, family, true); - if (IS_ERR(afi)) - return PTR_ERR(afi); - - table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], afi->family, + table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -4832,7 +4684,7 @@ static int nf_tables_delobj(struct net * if (obj->use > 0) return -EBUSY; - nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); return nft_delobj(&ctx, obj); } @@ -5017,33 +4869,31 @@ err1: return err; } -static const struct nf_flowtable_type * -__nft_flowtable_type_get(const struct nft_af_info *afi) +static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) { const struct nf_flowtable_type *type; list_for_each_entry(type, &nf_tables_flowtables, list) { - if (afi->family == type->family) + if (family == type->family) return type; } return NULL; } -static const struct nf_flowtable_type * -nft_flowtable_type_get(const struct nft_af_info *afi) +static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family) { const struct nf_flowtable_type *type; - type = __nft_flowtable_type_get(afi); + type = __nft_flowtable_type_get(family); if (type != NULL && try_module_get(type->owner)) return type; #ifdef CONFIG_MODULES if (type == NULL) { nfnl_unlock(NFNL_SUBSYS_NFTABLES); - request_module("nf-flowtable-%u", afi->family); + request_module("nf-flowtable-%u", family); nfnl_lock(NFNL_SUBSYS_NFTABLES); - if (__nft_flowtable_type_get(afi)) + if (__nft_flowtable_type_get(family)) return ERR_PTR(-EAGAIN); } #endif @@ -5091,7 +4941,6 @@ static int nf_tables_newflowtable(struct u8 genmask = nft_genmask_next(net); int family = nfmsg->nfgen_family; struct nft_flowtable *flowtable; - struct nft_af_info *afi; struct nft_table *table; struct nft_ctx ctx; int err, i, k; @@ -5101,12 +4950,8 @@ static int nf_tables_newflowtable(struct !nla[NFTA_FLOWTABLE_HOOK]) return -EINVAL; - afi = nf_tables_afinfo_lookup(net, family, true); - if (IS_ERR(afi)) - return PTR_ERR(afi); - table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], - afi->family, genmask); + family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -5123,7 +4968,7 @@ static int nf_tables_newflowtable(struct return 0; } - nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL); if (!flowtable) @@ -5136,7 +4981,7 @@ static int nf_tables_newflowtable(struct goto err1; } - type = nft_flowtable_type_get(afi); + type = nft_flowtable_type_get(family); if (IS_ERR(type)) { err = PTR_ERR(type); goto err2; @@ -5196,16 +5041,11 @@ static int nf_tables_delflowtable(struct u8 genmask = nft_genmask_next(net); int family = nfmsg->nfgen_family; struct nft_flowtable *flowtable; - struct nft_af_info *afi; struct nft_table *table; struct nft_ctx ctx; - afi = nf_tables_afinfo_lookup(net, family, true); - if (IS_ERR(afi)) - return PTR_ERR(afi); - table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], - afi->family, genmask); + family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -5216,7 +5056,7 @@ static int nf_tables_delflowtable(struct if (flowtable->use > 0) return -EBUSY; - nft_ctx_init(&ctx, net, skb, nlh, afi->family, table, NULL, nla); + nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); return nft_delflowtable(&ctx, flowtable); } @@ -5291,7 +5131,7 @@ static int nf_tables_dump_flowtable(stru cb->seq = net->nft.base_seq; list_for_each_entry_rcu(table, &net->nft.tables, list) { - if (family != NFPROTO_UNSPEC && family != table->afi->family) + if (family != NFPROTO_UNSPEC && family != table->family) continue; list_for_each_entry_rcu(flowtable, &table->flowtables, list) { @@ -5310,7 +5150,7 @@ static int nf_tables_dump_flowtable(stru cb->nlh->nlmsg_seq, NFT_MSG_NEWFLOWTABLE, NLM_F_MULTI | NLM_F_APPEND, - table->afi->family, flowtable) < 0) + table->family, flowtable) < 0) goto done; nl_dump_check_consistent(cb, nlmsg_hdr(skb)); @@ -5370,7 +5210,6 @@ static int nf_tables_getflowtable(struct u8 genmask = nft_genmask_cur(net); int family = nfmsg->nfgen_family; struct nft_flowtable *flowtable; - const struct nft_af_info *afi; const struct nft_table *table; struct sk_buff *skb2; int err; @@ -5396,12 +5235,8 @@ static int nf_tables_getflowtable(struct if (!nla[NFTA_FLOWTABLE_NAME]) return -EINVAL; - afi = nf_tables_afinfo_lookup(net, family, false); - if (IS_ERR(afi)) - return PTR_ERR(afi); - table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], - afi->family, genmask); + family, genmask); if (IS_ERR(table)) return PTR_ERR(table); @@ -6572,7 +6407,7 @@ int __nft_release_basechain(struct nft_c } EXPORT_SYMBOL_GPL(__nft_release_basechain); -static void __nft_release_afinfo(struct net *net) +static void __nft_release_tables(struct net *net) { struct nft_flowtable *flowtable, *nf; struct nft_table *table, *nt; @@ -6585,7 +6420,7 @@ static void __nft_release_afinfo(struct }; list_for_each_entry_safe(table, nt, &net->nft.tables, list) { - ctx.family = table->afi->family; + ctx.family = table->family; list_for_each_entry(chain, &table->chains, list) nf_tables_unregister_hook(net, table, chain); @@ -6637,7 +6472,7 @@ static int __net_init nf_tables_init_net static void __net_exit nf_tables_exit_net(struct net *net) { - __nft_release_afinfo(net); + __nft_release_tables(net); WARN_ON_ONCE(!list_empty(&net->nft.tables)); WARN_ON_ONCE(!list_empty(&net->nft.commit_list)); } --- a/net/netfilter/nf_tables_inet.c +++ b/net/netfilter/nf_tables_inet.c @@ -38,11 +38,6 @@ static unsigned int nft_do_chain_inet(vo return nft_do_chain(&pkt, priv); } -static struct nft_af_info nft_af_inet __read_mostly = { - .family = NFPROTO_INET, - .owner = THIS_MODULE, -}; - static const struct nf_chain_type filter_inet = { .name = "filter", .type = NFT_CHAIN_T_DEFAULT, @@ -64,26 +59,12 @@ static const struct nf_chain_type filter static int __init nf_tables_inet_init(void) { - int ret; - - if (nft_register_afinfo(&nft_af_inet) < 0) - return ret; - - ret = nft_register_chain_type(&filter_inet); - if (ret < 0) - goto err_register_chain; - - return ret; - -err_register_chain: - nft_unregister_afinfo(&nft_af_inet); - return ret; + return nft_register_chain_type(&filter_inet); } static void __exit nf_tables_inet_exit(void) { nft_unregister_chain_type(&filter_inet); - nft_unregister_afinfo(&nft_af_inet); } module_init(nf_tables_inet_init); @@ -91,4 +72,4 @@ module_exit(nf_tables_inet_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Patrick McHardy "); -MODULE_ALIAS_NFT_FAMILY(1); +MODULE_ALIAS_NFT_CHAIN(1, "filter"); --- a/net/netfilter/nf_tables_netdev.c +++ b/net/netfilter/nf_tables_netdev.c @@ -38,11 +38,6 @@ nft_do_chain_netdev(void *priv, struct s return nft_do_chain(&pkt, priv); } -static struct nft_af_info nft_af_netdev __read_mostly = { - .family = NFPROTO_NETDEV, - .owner = THIS_MODULE, -}; - static const struct nf_chain_type nft_filter_chain_netdev = { .name = "filter", .type = NFT_CHAIN_T_DEFAULT, @@ -91,10 +86,10 @@ static int nf_tables_netdev_event(struct nfnl_lock(NFNL_SUBSYS_NFTABLES); list_for_each_entry(table, &ctx.net->nft.tables, list) { - if (table->afi->family != NFPROTO_NETDEV) + if (table->family != NFPROTO_NETDEV) continue; - ctx.family = table->afi->family; + ctx.family = table->family; ctx.table = table; list_for_each_entry_safe(chain, nr, &table->chains, list) { if (!nft_is_base_chain(chain)) @@ -117,12 +112,9 @@ static int __init nf_tables_netdev_init( { int ret; - if (nft_register_afinfo(&nft_af_netdev) < 0) - return ret; - ret = nft_register_chain_type(&nft_filter_chain_netdev); if (ret) - goto err_register_chain_type; + return ret; ret = register_netdevice_notifier(&nf_tables_netdev_notifier); if (ret) @@ -132,8 +124,6 @@ static int __init nf_tables_netdev_init( err_register_netdevice_notifier: nft_unregister_chain_type(&nft_filter_chain_netdev); -err_register_chain_type: - nft_unregister_afinfo(&nft_af_netdev); return ret; } @@ -142,7 +132,6 @@ static void __exit nf_tables_netdev_exit { unregister_netdevice_notifier(&nf_tables_netdev_notifier); nft_unregister_chain_type(&nft_filter_chain_netdev); - nft_unregister_afinfo(&nft_af_netdev); } module_init(nf_tables_netdev_init); @@ -150,4 +139,4 @@ module_exit(nf_tables_netdev_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Pablo Neira Ayuso "); -MODULE_ALIAS_NFT_FAMILY(5); /* NFPROTO_NETDEV */ +MODULE_ALIAS_NFT_CHAIN(5, "filter"); /* NFPROTO_NETDEV */