From 8d870052079d255917ec4f8431f5ec102707b7af Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Thu, 31 Jan 2008 04:02:13 -0800 Subject: [NETFILTER]: x_tables: per-netns xt_tables In fact all we want is per-netns set of rules, however doing that will unnecessary complicate routines such as ipt_hook()/ipt_do_table, so make full xt_table array per-netns. Every user stubbed with init_net for a while. Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/netfilter/x_tables.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) (limited to 'net/netfilter/x_tables.c') diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index d8d8637739b..d62f722cccc 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -44,7 +44,6 @@ struct xt_af { struct mutex mutex; struct list_head match; struct list_head target; - struct list_head tables; #ifdef CONFIG_COMPAT struct mutex compat_mutex; struct compat_delta *compat_offsets; @@ -597,14 +596,14 @@ void xt_free_table_info(struct xt_table_info *info) EXPORT_SYMBOL(xt_free_table_info); /* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */ -struct xt_table *xt_find_table_lock(int af, const char *name) +struct xt_table *xt_find_table_lock(struct net *net, int af, const char *name) { struct xt_table *t; if (mutex_lock_interruptible(&xt[af].mutex) != 0) return ERR_PTR(-EINTR); - list_for_each_entry(t, &xt[af].tables, list) + list_for_each_entry(t, &net->xt.tables[af], list) if (strcmp(t->name, name) == 0 && try_module_get(t->me)) return t; mutex_unlock(&xt[af].mutex); @@ -660,7 +659,7 @@ xt_replace_table(struct xt_table *table, } EXPORT_SYMBOL_GPL(xt_replace_table); -struct xt_table *xt_register_table(struct xt_table *table, +struct xt_table *xt_register_table(struct net *net, struct xt_table *table, struct xt_table_info *bootstrap, struct xt_table_info *newinfo) { @@ -673,7 +672,7 @@ struct xt_table *xt_register_table(struct xt_table *table, goto out; /* Don't autoload: we'd eat our tail... */ - list_for_each_entry(t, &xt[table->af].tables, list) { + list_for_each_entry(t, &net->xt.tables[table->af], list) { if (strcmp(t->name, table->name) == 0) { ret = -EEXIST; goto unlock; @@ -692,7 +691,7 @@ struct xt_table *xt_register_table(struct xt_table *table, /* save number of initial entries */ private->initial_entries = private->number; - list_add(&table->list, &xt[table->af].tables); + list_add(&table->list, &net->xt.tables[table->af]); mutex_unlock(&xt[table->af].mutex); return table; @@ -744,7 +743,7 @@ static struct list_head *type2list(u_int16_t af, u_int16_t type) list = &xt[af].match; break; case TABLE: - list = &xt[af].tables; + list = &init_net.xt.tables[af]; break; default: list = NULL; @@ -919,10 +918,22 @@ void xt_proto_fini(int af) } EXPORT_SYMBOL_GPL(xt_proto_fini); +static int __net_init xt_net_init(struct net *net) +{ + int i; + + for (i = 0; i < NPROTO; i++) + INIT_LIST_HEAD(&net->xt.tables[i]); + return 0; +} + +static struct pernet_operations xt_net_ops = { + .init = xt_net_init, +}; static int __init xt_init(void) { - int i; + int i, rv; xt = kmalloc(sizeof(struct xt_af) * NPROTO, GFP_KERNEL); if (!xt) @@ -936,13 +947,16 @@ static int __init xt_init(void) #endif INIT_LIST_HEAD(&xt[i].target); INIT_LIST_HEAD(&xt[i].match); - INIT_LIST_HEAD(&xt[i].tables); } - return 0; + rv = register_pernet_subsys(&xt_net_ops); + if (rv < 0) + kfree(xt); + return rv; } static void __exit xt_fini(void) { + unregister_pernet_subsys(&xt_net_ops); kfree(xt); } -- cgit v1.2.3