netfilter: iptables: unregister the tables by name

xtables stores the xt_table structs in the struct net.  This isn't
needed anymore, the structures could be passed via the netfilter hook
'private' pointer to the hook functions, which would allow us to remove
those pointers from struct net.

As a first step, reduce the number of accesses to the
net->ipv4.ip6table_{raw,filter,...} pointers.
This allows the tables to get unregistered by name instead of having to
pass the raw address.

The xt_table structure cane looked up by name+address family instead.

This patch is useless as-is (the backends still have the raw pointer
address), but it lowers the bar to remove those.

It also allows to put the 'was table registered in the first place' check
into ip_tables.c rather than have it in each table sub module.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal 2021-04-21 09:51:02 +02:00 committed by Pablo Neira Ayuso
parent 1ef4d6d1af
commit 20a9df3359
7 changed files with 23 additions and 35 deletions

View File

@ -26,10 +26,10 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
const struct ipt_replace *repl,
const struct nf_hook_ops *ops, struct xt_table **res);
void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
void ipt_unregister_table_pre_exit(struct net *net, const char *name,
const struct nf_hook_ops *ops);
void ipt_unregister_table_exit(struct net *net, struct xt_table *table);
void ipt_unregister_table_exit(struct net *net, const char *name);
/* Standard entry. */
struct ipt_standard {

View File

@ -1759,14 +1759,20 @@ out_free:
return ret;
}
void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
void ipt_unregister_table_pre_exit(struct net *net, const char *name,
const struct nf_hook_ops *ops)
{
struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
if (table)
nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
}
void ipt_unregister_table_exit(struct net *net, struct xt_table *table)
void ipt_unregister_table_exit(struct net *net, const char *name)
{
struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
if (table)
__ipt_unregister_table(net, table);
}

View File

@ -74,16 +74,12 @@ static int __net_init iptable_filter_net_init(struct net *net)
static void __net_exit iptable_filter_net_pre_exit(struct net *net)
{
if (net->ipv4.iptable_filter)
ipt_unregister_table_pre_exit(net, net->ipv4.iptable_filter,
filter_ops);
ipt_unregister_table_pre_exit(net, "filter", filter_ops);
}
static void __net_exit iptable_filter_net_exit(struct net *net)
{
if (!net->ipv4.iptable_filter)
return;
ipt_unregister_table_exit(net, net->ipv4.iptable_filter);
ipt_unregister_table_exit(net, "filter");
net->ipv4.iptable_filter = NULL;
}

View File

@ -102,16 +102,12 @@ static int __net_init iptable_mangle_table_init(struct net *net)
static void __net_exit iptable_mangle_net_pre_exit(struct net *net)
{
if (net->ipv4.iptable_mangle)
ipt_unregister_table_pre_exit(net, net->ipv4.iptable_mangle,
mangle_ops);
ipt_unregister_table_pre_exit(net, "mangle", mangle_ops);
}
static void __net_exit iptable_mangle_net_exit(struct net *net)
{
if (!net->ipv4.iptable_mangle)
return;
ipt_unregister_table_exit(net, net->ipv4.iptable_mangle);
ipt_unregister_table_exit(net, "mangle");
net->ipv4.iptable_mangle = NULL;
}

View File

@ -105,7 +105,7 @@ static int __net_init iptable_nat_table_init(struct net *net)
ret = ipt_nat_register_lookups(net);
if (ret < 0) {
ipt_unregister_table_exit(net, net->ipv4.nat_table);
ipt_unregister_table_exit(net, "nat");
net->ipv4.nat_table = NULL;
}
@ -121,9 +121,7 @@ static void __net_exit iptable_nat_net_pre_exit(struct net *net)
static void __net_exit iptable_nat_net_exit(struct net *net)
{
if (!net->ipv4.nat_table)
return;
ipt_unregister_table_exit(net, net->ipv4.nat_table);
ipt_unregister_table_exit(net, "nat");
net->ipv4.nat_table = NULL;
}

View File

@ -69,16 +69,12 @@ static int __net_init iptable_raw_table_init(struct net *net)
static void __net_exit iptable_raw_net_pre_exit(struct net *net)
{
if (net->ipv4.iptable_raw)
ipt_unregister_table_pre_exit(net, net->ipv4.iptable_raw,
rawtable_ops);
ipt_unregister_table_pre_exit(net, "raw", rawtable_ops);
}
static void __net_exit iptable_raw_net_exit(struct net *net)
{
if (!net->ipv4.iptable_raw)
return;
ipt_unregister_table_exit(net, net->ipv4.iptable_raw);
ipt_unregister_table_exit(net, "raw");
net->ipv4.iptable_raw = NULL;
}

View File

@ -64,16 +64,12 @@ static int __net_init iptable_security_table_init(struct net *net)
static void __net_exit iptable_security_net_pre_exit(struct net *net)
{
if (net->ipv4.iptable_security)
ipt_unregister_table_pre_exit(net, net->ipv4.iptable_security,
sectbl_ops);
ipt_unregister_table_pre_exit(net, "security", sectbl_ops);
}
static void __net_exit iptable_security_net_exit(struct net *net)
{
if (!net->ipv4.iptable_security)
return;
ipt_unregister_table_exit(net, net->ipv4.iptable_security);
ipt_unregister_table_exit(net, "security");
net->ipv4.iptable_security = NULL;
}