netfilter: iptables: unregister the tables by name

xtables stores the xt_table structs in the struct net.  This isn't
needed anymore, the structures could be passed via the netfilter hook
'private' pointer to the hook functions, which would allow us to remove
those pointers from struct net.

As a first step, reduce the number of accesses to the
net->ipv4.ip6table_{raw,filter,...} pointers.
This allows the tables to get unregistered by name instead of having to
pass the raw address.

The xt_table structure cane looked up by name+address family instead.

This patch is useless as-is (the backends still have the raw pointer
address), but it lowers the bar to remove those.

It also allows to put the 'was table registered in the first place' check
into ip_tables.c rather than have it in each table sub module.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 9f440eb6cf6c9310137efbd9c49ff8a0757aef55..73bcf7f261d2c7ad51605350a70764b58122e80e 100644 (file)
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -26,10 +26,10 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
                       const struct ipt_replace *repl,
                       const struct nf_hook_ops *ops, struct xt_table **res);
 
-void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
-                      const struct nf_hook_ops *ops);
+void ipt_unregister_table_pre_exit(struct net *net, const char *name,
+                                  const struct nf_hook_ops *ops);
 
-void ipt_unregister_table_exit(struct net *net, struct xt_table *table);
+void ipt_unregister_table_exit(struct net *net, const char *name);
 
 /* Standard entry. */
 struct ipt_standard {

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 2fa7f28b88e38d27a3c12b93a93d761f8c267ae5..0b859ec2d3f893663f0f207b29200112c044889a 100644 (file)
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1759,15 +1759,21 @@ out_free:
        return ret;
 }
 
-void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
+void ipt_unregister_table_pre_exit(struct net *net, const char *name,
                                   const struct nf_hook_ops *ops)
 {
-       nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+       struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
+
+       if (table)
+               nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
 }
 
-void ipt_unregister_table_exit(struct net *net, struct xt_table *table)
+void ipt_unregister_table_exit(struct net *net, const char *name)
 {
-       __ipt_unregister_table(net, table);
+       struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);
+
+       if (table)
+               __ipt_unregister_table(net, table);
 }
 
 /* Returns 1 if the type and code is matched by the range, 0 otherwise */

diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 8f7bc1ee74532898b5a95af818a985ba17a3666d..a39998c7977f17d7944747140dd20457d47f3fbf 100644 (file)
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -74,16 +74,12 @@ static int __net_init iptable_filter_net_init(struct net *net)
 
 static void __net_exit iptable_filter_net_pre_exit(struct net *net)
 {
-       if (net->ipv4.iptable_filter)
-               ipt_unregister_table_pre_exit(net, net->ipv4.iptable_filter,
-                                             filter_ops);
+       ipt_unregister_table_pre_exit(net, "filter", filter_ops);
 }
 
 static void __net_exit iptable_filter_net_exit(struct net *net)
 {
-       if (!net->ipv4.iptable_filter)
-               return;
-       ipt_unregister_table_exit(net, net->ipv4.iptable_filter);
+       ipt_unregister_table_exit(net, "filter");
        net->ipv4.iptable_filter = NULL;
 }
 

diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 83307958927307845951ef5cb2682f05e7b2024b..7d1713e22553377f8e53cb4d3dffb18925c866e6 100644 (file)
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -102,16 +102,12 @@ static int __net_init iptable_mangle_table_init(struct net *net)
 
 static void __net_exit iptable_mangle_net_pre_exit(struct net *net)
 {
-       if (net->ipv4.iptable_mangle)
-               ipt_unregister_table_pre_exit(net, net->ipv4.iptable_mangle,
-                                             mangle_ops);
+       ipt_unregister_table_pre_exit(net, "mangle", mangle_ops);
 }
 
 static void __net_exit iptable_mangle_net_exit(struct net *net)
 {
-       if (!net->ipv4.iptable_mangle)
-               return;
-       ipt_unregister_table_exit(net, net->ipv4.iptable_mangle);
+       ipt_unregister_table_exit(net, "mangle");
        net->ipv4.iptable_mangle = NULL;
 }
 

diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index a89c1b9f94c28e4de3846cfabcb68be938380aec..16bf3009642e84a71ef722341290c312345631b5 100644 (file)
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -105,7 +105,7 @@ static int __net_init iptable_nat_table_init(struct net *net)
 
        ret = ipt_nat_register_lookups(net);
        if (ret < 0) {
-               ipt_unregister_table_exit(net, net->ipv4.nat_table);
+               ipt_unregister_table_exit(net, "nat");
                net->ipv4.nat_table = NULL;
        }
 
@@ -121,9 +121,7 @@ static void __net_exit iptable_nat_net_pre_exit(struct net *net)
 
 static void __net_exit iptable_nat_net_exit(struct net *net)
 {
-       if (!net->ipv4.nat_table)
-               return;
-       ipt_unregister_table_exit(net, net->ipv4.nat_table);
+       ipt_unregister_table_exit(net, "nat");
        net->ipv4.nat_table = NULL;
 }
 

diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 9abfe6bf2cb9c300d923c1ec6dfab24822ddd6e3..a1f556464b93b89dadada5a0ba2e62cdf3215d47 100644 (file)
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -69,16 +69,12 @@ static int __net_init iptable_raw_table_init(struct net *net)
 
 static void __net_exit iptable_raw_net_pre_exit(struct net *net)
 {
-       if (net->ipv4.iptable_raw)
-               ipt_unregister_table_pre_exit(net, net->ipv4.iptable_raw,
-                                             rawtable_ops);
+       ipt_unregister_table_pre_exit(net, "raw", rawtable_ops);
 }
 
 static void __net_exit iptable_raw_net_exit(struct net *net)
 {
-       if (!net->ipv4.iptable_raw)
-               return;
-       ipt_unregister_table_exit(net, net->ipv4.iptable_raw);
+       ipt_unregister_table_exit(net, "raw");
        net->ipv4.iptable_raw = NULL;
 }
 

diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 415c1975d770e8665fd8d1775de287d18fa2a4a8..33eded4f90805cbcfe40708f6cc56b824b0752f8 100644 (file)
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -64,16 +64,12 @@ static int __net_init iptable_security_table_init(struct net *net)
 
 static void __net_exit iptable_security_net_pre_exit(struct net *net)
 {
-       if (net->ipv4.iptable_security)
-               ipt_unregister_table_pre_exit(net, net->ipv4.iptable_security,
-                                             sectbl_ops);
+       ipt_unregister_table_pre_exit(net, "security", sectbl_ops);
 }
 
 static void __net_exit iptable_security_net_exit(struct net *net)
 {
-       if (!net->ipv4.iptable_security)
-               return;
-       ipt_unregister_table_exit(net, net->ipv4.iptable_security);
+       ipt_unregister_table_exit(net, "security");
        net->ipv4.iptable_security = NULL;
 }