]> granicus.if.org Git - ipset/commitdiff
netfilter: bridge: add helpers for fetching physin/outdev pablo
authorFlorian Westphal <fw@strlen.de>
Mon, 27 Apr 2015 19:48:33 +0000 (21:48 +0200)
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Mon, 27 Apr 2015 19:49:25 +0000 (21:49 +0200)
right now we store this in the nf_bridge_info struct, accessible
via skb->nf_bridge.  This patch prepares removal of this pointer from skb:

Instead of using skb->nf_bridge->x, we use helpers to obtain the in/out
device (or ifindexes).

Followup patches to netfilter will then allow nf_bridge_info to be
obtained by a call into the br_netfilter core, rather than keeping a
pointer to it in sk_buff.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
configure.ac
kernel/include/linux/netfilter/ipset/ip_set_compat.h.in
kernel/net/netfilter/ipset/ip_set_hash_netiface.c

index a6b86a95321e3000b1a747caf4e2401d1ed9c128..c032bf609879c277c2f3acd42a4e0b263bf9f8a4 100644 (file)
@@ -406,6 +406,16 @@ else
        AC_SUBST(HAVE_ETHER_ADDR_COPY, undef)
 fi
 
+AC_MSG_CHECKING([kernel source for nf_bridge_get_physindev])
+if test -f $ksourcedir/include/linux/netfilter_bridge.h && \
+   $GREP -q 'nf_bridge_get_physindev' $ksourcedir/include/linux/netfilter_bridge.h; then
+       AC_MSG_RESULT(yes)
+       AC_SUBST(HAVE_NF_BRIDGE_GET_PHYSDEV, define)
+else
+       AC_MSG_RESULT(no)
+       AC_SUBST(HAVE_NF_BRIDGE_GET_PHYSDEV, undef)
+fi
+
 AC_MSG_CHECKING([kernel source for struct net_generic])
 if test -f $ksourcedir/include/net/netns/generic.h && \
    $GREP -q 'struct net_generic' $ksourcedir/include/net/netns/generic.h; then
index 5938d8f5b5aa8269491b581cf81eaa07a61885e2..02c2a37188b4be82bbeff701494344b4ddf57407 100644 (file)
@@ -43,6 +43,7 @@
 #@HAVE_LIST_LAST_ENTRY@ HAVE_LIST_LAST_ENTRY
 #@HAVE_LIST_NEXT_ENTRY@ HAVE_LIST_NEXT_ENTRY
 #@HAVE_ETHER_ADDR_COPY@ HAVE_ETHER_ADDR_COPY
+#@HAVE_NF_BRIDGE_GET_PHYSDEV@ HAVE_NF_BRIDGE_GET_PHYSDEV
 
 /* Not everything could be moved here. Compatibility stuffs can be found in
  * xt_set.c, ip_set_core.c, ip_set_getport.c, pfxlen.c too.
@@ -209,6 +210,22 @@ static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value)
 #define ether_addr_copy(dst, src)      memcpy(dst, src, ETH_ALEN)
 #endif
 
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+#ifndef HAVE_NF_BRIDGE_GET_PHYSDEV
+static inline struct net_device *
+nf_bridge_get_physindev(const struct sk_buff *skb)
+{
+       return skb->nf_bridge ? skb->nf_bridge->physindev : NULL;
+}
+
+static inline struct net_device *
+nf_bridge_get_physoutdev(const struct sk_buff *skb)
+{
+       return skb->nf_bridge ? skb->nf_bridge->physoutdev : NULL;
+}
+#endif
+#endif
+
 #ifndef smp_mb__before_atomic
 #define smp_mb__before_atomic()        smp_mb()
 #define smp_mb__after_atomic() smp_mb()
index 646c9f5cd313047bd5d24cd764b81cb5711c0c9c..136af7cd746a1c1d5595b19fc2e6925391382733 100644 (file)
@@ -18,6 +18,7 @@
 #include <net/netlink.h>
 
 #include <linux/netfilter.h>
+#include <linux/netfilter_bridge.h>
 #include <linux/netfilter/ipset/pfxlen.h>
 #include <linux/netfilter/ipset/ip_set.h>
 #include <linux/netfilter/ipset/ip_set_hash.h>
@@ -134,6 +135,22 @@ hash_netiface4_data_next(struct hash_netiface4_elem *next,
 #define HKEY_DATALEN   sizeof(struct hash_netiface4_elem_hashed)
 #include "ip_set_hash_gen.h"
 
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+static const char *get_physindev_name(const struct sk_buff *skb)
+{
+       struct net_device *dev = nf_bridge_get_physindev(skb);
+
+       return dev ? dev->name : NULL;
+}
+
+static const char *get_physoutdev_name(const struct sk_buff *skb)
+{
+       struct net_device *dev = nf_bridge_get_physoutdev(skb);
+
+       return dev ? dev->name : NULL;
+}
+#endif
+
 static int
 hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
                    const struct xt_action_param *par,
@@ -156,17 +173,16 @@ hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
        e.ip &= ip_set_netmask(e.cidr);
 
 #define IFACE(dir)     (par->dir ? par->dir->name : "")
-#define PHYSDEV(dir)   (nf_bridge->dir ? nf_bridge->dir->name : "")
 #define SRCDIR         (opt->flags & IPSET_DIM_TWO_SRC)
 
        if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
-               const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
+               const char *eiface = SRCDIR ? get_physindev_name(skb) :
+                                             get_phyoutdev_name(skb);
 
-               if (!nf_bridge)
+               if (!eiface)
                        return -EINVAL;
-               STRLCPY(e.iface,
-                       SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev));
+               STRLCPY(e.iface, eiface);
                e.physdev = 1;
 #endif
        } else {
@@ -371,12 +387,12 @@ hash_netiface6_kadt(struct ip_set *set, const struct sk_buff *skb,
 
        if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
-               const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
+               const char *eiface = SRCDIR ? get_physindev_name(skb) :
+                                             get_phyoutdev_name(skb);
 
-               if (!nf_bridge)
+               if (!eiface)
                        return -EINVAL;
-               STRLCPY(e.iface,
-                       SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev));
+               STRLCPY(e.iface, eiface);
                e.physdev = 1;
 #endif
        } else {