
Commit bbe8373

committed
Merge branch 'nf_hook_netns'
Eric W. Biederman says: ==================== Passing net through the netfilter hooks My primary goal with this patchset and its follow-ups is to clean up the network routing paths so that we do not look at the output device to derive the network namespace. My plan is to pass the network namespace of the transmitting socket through the output path, to replace code that looks at the output network device today. Once that is done we can have routes with output devices outside of the current network namespace. This should allow reception and transmission of packets in network namespaces to be as fast as normal packet reception and transmission with early demux disabled, because it will use the same code path. Once skb_dst(skb)->dev is a little better under control I think it will also be possible to use rcu to clean up the ancient hack that sets dst->dev to loopback_dev when a network device is removed. The work to get there is a series of code cleanups. I am starting with passing net into the netfilter hooks and into the functions that are called after the netfilter hooks. This removes from netfilter the need to guess which network namespace it is working on. To get there I perform a series of minor prep patches so the big changes at the end are possible to audit without getting lost in the noise. In particular I have a lot of patches computing net into a local variable and then using it throughout the function. So this patchset encompasses removing dead code, sorting out the _sk functions that were added last time someone pushed a prototype change through the post netfilter functions. Cleaning up individual functions' use of the network namespace. Passing net into the netfilter hooks. Passing net into the post netfilter functions. Using state->net in the netfilter code where it is available and trivially usable. Pablo, Dave I don't know whose tree this makes more sense to go through. I am assuming at least initially Pablo's as netfilter is involved. 
From what I have seen there will be a lot of back and forth between the netfilter code paths and the routing code paths. The patches are also available (against 4.3-rc1) at: git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/net-next.git master ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2 parents a2f23e0 + be10de0 commit bbe8373


67 files changed

+379
-358
lines changed

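--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -253,7 +253,7 @@ static netdev_tx_t vrf_xmit(struct sk_buff *skb, struct net_device *dev)
 }
 
 /* modelled after ip_finish_output2 */
-static int vrf_finish_output(struct sock *sk, struct sk_buff *skb)
+static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
 struct dst_entry *dst = skb_dst(skb);
 struct rtable *rt = (struct rtable *)dst;
@@ -298,14 +298,15 @@ static int vrf_finish_output(struct sock *sk, struct sk_buff *skb)
 static int vrf_output(struct sock *sk, struct sk_buff *skb)
 {
 struct net_device *dev = skb_dst(skb)->dev;
+struct net *net = dev_net(dev);
 
-IP_UPD_PO_STATS(dev_net(dev), IPSTATS_MIB_OUT, skb->len);
+IP_UPD_PO_STATS(net, IPSTATS_MIB_OUT, skb->len);
 
 skb->dev = dev;
 skb->protocol = htons(ETH_P_IP);
 
-return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, sk, skb,
-NULL, dev,
+return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
+net, sk, skb, NULL, dev,
 vrf_finish_output,
 !(IPCB(skb)->flags & IPSKB_REROUTED));
 }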
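Review bot: vrf_output still derives the namespace from the output device (`struct net *net = dev_net(dev);` on the new side) even though the series' stated goal is to stop doing exactly that; the reason is that the dst->output callback vrf_output implements still takes only (sk, skb), and a one-line comment would stop the next reader from "fixing" it either way: `/* dst->output() does not carry net yet; derive it from the output device */`. The `net` parameter added to vrf_finish_output is not referenced in the visible lines of that hunk and its body continues outside the hunk, so whether it still calls dev_net() internally cannot be judged from here.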

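--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -2212,12 +2212,8 @@ int dev_open(struct net_device *dev);
 int dev_close(struct net_device *dev);
 int dev_close_many(struct list_head *head, bool unlink);
 void dev_disable_lro(struct net_device *dev);
-int dev_loopback_xmit(struct sock *sk, struct sk_buff *newskb);
-int dev_queue_xmit_sk(struct sock *sk, struct sk_buff *skb);
-static inline int dev_queue_xmit(struct sk_buff *skb)
-{
-return dev_queue_xmit_sk(skb->sk, skb);
-}
+int dev_loopback_xmit(struct net *net, struct sock *sk, struct sk_buff *newskb);
+int dev_queue_xmit(struct sk_buff *skb);
 int dev_queue_xmit_accel(struct sk_buff *skb, void *accel_priv);
 int register_netdevice(struct net_device *dev);
 void unregister_netdevice_queue(struct net_device *dev, struct list_head *head);
@@ -2989,11 +2985,7 @@ static inline void dev_consume_skb_any(struct sk_buff *skb)
 
 int netif_rx(struct sk_buff *skb);
 int netif_rx_ni(struct sk_buff *skb);
-int netif_receive_skb_sk(struct sock *sk, struct sk_buff *skb);
-static inline int netif_receive_skb(struct sk_buff *skb)
-{
-return netif_receive_skb_sk(skb->sk, skb);
-}
+int netif_receive_skb(struct sk_buff *skb);
 gro_result_t napi_gro_receive(struct napi_struct *napi, struct sk_buff *skb);
 void napi_gro_flush(struct napi_struct *napi, bool flush_old);
 struct sk_buff *napi_get_frags(struct napi_struct *napi);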

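--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -54,8 +54,9 @@ struct nf_hook_state {
 struct net_device *in;
 struct net_device *out;
 struct sock *sk;
+struct net *net;
 struct list_head *hook_list;
-int (*okfn)(struct sock *, struct sk_buff *);
+int (*okfn)(struct net *, struct sock *, struct sk_buff *);
 };
 
 static inline void nf_hook_state_init(struct nf_hook_state *p,
@@ -65,14 +66,16 @@ static inline void nf_hook_state_init(struct nf_hook_state *p,
 struct net_device *indev,
 struct net_device *outdev,
 struct sock *sk,
-int (*okfn)(struct sock *, struct sk_buff *))
+struct net *net,
+int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 {
 p->hook = hook;
 p->thresh = thresh;
 p->pf = pf;
 p->in = indev;
 p->out = outdev;
 p->sk = sk;
+p->net = net;
 p->hook_list = hook_list;
 p->okfn = okfn;
 }
@@ -167,32 +170,32 @@ int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state);
 * value indicates the packet has been consumed by the hook.
 */
 static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
+struct net *net,
 struct sock *sk,
 struct sk_buff *skb,
 struct net_device *indev,
 struct net_device *outdev,
-int (*okfn)(struct sock *, struct sk_buff *),
+int (*okfn)(struct net *, struct sock *, struct sk_buff *),
 int thresh)
 {
-struct net *net = dev_net(indev ? indev : outdev);
 struct list_head *hook_list = &net->nf.hooks[pf][hook];
 
 if (nf_hook_list_active(hook_list, pf, hook)) {
 struct nf_hook_state state;
 
 nf_hook_state_init(&state, hook_list, hook, thresh,
-pf, indev, outdev, sk, okfn);
+pf, indev, outdev, sk, net, okfn);
 return nf_hook_slow(skb, &state);
 }
 return 1;
 }
 
-static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sock *sk,
-struct sk_buff *skb, struct net_device *indev,
-struct net_device *outdev,
-int (*okfn)(struct sock *, struct sk_buff *))
+static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
+struct sock *sk, struct sk_buff *skb,
+struct net_device *indev, struct net_device *outdev,
+int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 {
-return nf_hook_thresh(pf, hook, sk, skb, indev, outdev, okfn, INT_MIN);
+return nf_hook_thresh(pf, hook, net, sk, skb, indev, outdev, okfn, INT_MIN);
 }
 
 /* Activate hook; either okfn or kfree_skb called, unless a hook
@@ -213,36 +216,38 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sock *sk,
 */
 
 static inline int
-NF_HOOK_THRESH(uint8_t pf, unsigned int hook, struct sock *sk,
+NF_HOOK_THRESH(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
 struct sk_buff *skb, struct net_device *in,
 struct net_device *out,
-int (*okfn)(struct sock *, struct sk_buff *), int thresh)
+int (*okfn)(struct net *, struct sock *, struct sk_buff *),
+int thresh)
 {
-int ret = nf_hook_thresh(pf, hook, sk, skb, in, out, okfn, thresh);
+int ret = nf_hook_thresh(pf, hook, net, sk, skb, in, out, okfn, thresh);
 if (ret == 1)
-ret = okfn(sk, skb);
+ret = okfn(net, sk, skb);
 return ret;
 }
 
 static inline int
-NF_HOOK_COND(uint8_t pf, unsigned int hook, struct sock *sk,
+NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
 struct sk_buff *skb, struct net_device *in, struct net_device *out,
-int (*okfn)(struct sock *, struct sk_buff *), bool cond)
+int (*okfn)(struct net *, struct sock *, struct sk_buff *),
+bool cond)
 {
 int ret;
 
 if (!cond ||
-((ret = nf_hook_thresh(pf, hook, sk, skb, in, out, okfn, INT_MIN)) == 1))
-ret = okfn(sk, skb);
+((ret = nf_hook_thresh(pf, hook, net, sk, skb, in, out, okfn, INT_MIN)) == 1))
+ret = okfn(net, sk, skb);
 return ret;
 }
 
 static inline int
-NF_HOOK(uint8_t pf, unsigned int hook, struct sock *sk, struct sk_buff *skb,
+NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb,
 struct net_device *in, struct net_device *out,
-int (*okfn)(struct sock *, struct sk_buff *))
+int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 {
-return NF_HOOK_THRESH(pf, hook, sk, skb, in, out, okfn, INT_MIN);
+return NF_HOOK_THRESH(pf, hook, net, sk, skb, in, out, okfn, INT_MIN);
 }
 
 /* Call setsockopt() */
@@ -342,21 +347,12 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
 }
 
 #else /* !CONFIG_NETFILTER */
-#define NF_HOOK(pf, hook, sk, skb, indev, outdev, okfn) (okfn)(sk, skb)
-#define NF_HOOK_COND(pf, hook, sk, skb, indev, outdev, okfn, cond) (okfn)(sk, skb)
-static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
-struct sock *sk,
-struct sk_buff *skb,
-struct net_device *indev,
-struct net_device *outdev,
-int (*okfn)(struct sock *sk, struct sk_buff *), int thresh)
-{
-return okfn(sk, skb);
-}
-static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sock *sk,
-struct sk_buff *skb, struct net_device *indev,
-struct net_device *outdev,
-int (*okfn)(struct sock *, struct sk_buff *))
+#define NF_HOOK(pf, hook, net, sk, skb, indev, outdev, okfn) (okfn)(net, sk, skb)
+#define NF_HOOK_COND(pf, hook, net, sk, skb, indev, outdev, okfn, cond) (okfn)(net, sk, skb)
+static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
+struct sock *sk, struct sk_buff *skb,
+struct net_device *indev, struct net_device *outdev,
+int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 {
 return 1;
 }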
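Review bot: nf_hook_thresh now selects the rule set with `&net->nf.hooks[pf][hook]` from whatever `net` the caller passes, where it previously derived it from `indev`/`outdev`; a caller that hands in the wrong namespace no longer fails, it silently runs the packet through another namespace's netfilter policy, so the comment block above nf_hook_thresh (cut at the top of the hunk) should state the contract, e.g. `@net: namespace whose netfilter rules apply; the one the skb is received into or transmitted from`. If, at this stage of the series, callers are still expected to pass the device's namespace, a `WARN_ON_ONCE(indev && !net_eq(net, dev_net(indev)));` at the top of the body would catch a transposed argument in debug builds. The `#else /* !CONFIG_NETFILTER */` branch drops its `nf_hook_thresh` stub while the CONFIG_NETFILTER branch keeps the function, so any remaining caller outside this diff would only fail to build with netfilter disabled; one such build is worth running. Lastly, nf_hook_state_init now takes `..., sk, net, okfn` while every NF_HOOK variant takes `net, sk`; the distinct pointer types keep the compiler honest, but matching the order would make the call at `pf, indev, outdev, sk, net, okfn` read like the rest of the API.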

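--- a/include/linux/netfilter_bridge.h
+++ b/include/linux/netfilter_bridge.h
@@ -17,7 +17,7 @@ enum nf_br_hook_priorities {
 
 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
 
-int br_handle_frame_finish(struct sock *sk, struct sk_buff *skb);
+int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb);
 
 static inline void br_drop_fake_rtable(struct sk_buff *skb)
 {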

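--- a/include/linux/netfilter_ingress.h
+++ b/include/linux/netfilter_ingress.h
@@ -17,7 +17,7 @@ static inline int nf_hook_ingress(struct sk_buff *skb)
 
 nf_hook_state_init(&state, &skb->dev->nf_hooks_ingress,
 NF_NETDEV_INGRESS, INT_MIN, NFPROTO_NETDEV, NULL,
-skb->dev, NULL, NULL);
+skb->dev, NULL, dev_net(skb->dev), NULL);
 return nf_hook_slow(skb, &state);
 }
 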

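--- a/include/net/dn_neigh.h
+++ b/include/net/dn_neigh.h
@@ -18,11 +18,11 @@ struct dn_neigh {
 
 void dn_neigh_init(void);
 void dn_neigh_cleanup(void);
-int dn_neigh_router_hello(struct sock *sk, struct sk_buff *skb);
-int dn_neigh_endnode_hello(struct sock *sk, struct sk_buff *skb);
+int dn_neigh_router_hello(struct net *net, struct sock *sk, struct sk_buff *skb);
+int dn_neigh_endnode_hello(struct net *net, struct sock *sk, struct sk_buff *skb);
 void dn_neigh_pointopoint_hello(struct sk_buff *skb);
 int dn_neigh_elist(struct net_device *dev, unsigned char *ptr, int n);
-int dn_to_neigh_output(struct sock *sk, struct sk_buff *skb);
+int dn_to_neigh_output(struct net *net, struct sock *sk, struct sk_buff *skb);
 
 extern struct neigh_table dn_neigh_table;
 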

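--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -454,13 +454,13 @@ static inline void dst_set_expires(struct dst_entry *dst, int timeout)
 }
 
 /* Output packet to network from transport. */
-static inline int dst_output_sk(struct sock *sk, struct sk_buff *skb)
+static inline int dst_output(struct sock *sk, struct sk_buff *skb)
 {
 return skb_dst(skb)->output(sk, skb);
 }
-static inline int dst_output(struct sk_buff *skb)
+static inline int dst_output_okfn(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
-return dst_output_sk(skb->sk, skb);
+return dst_output(sk, skb);
 }
 
 /* Input packet from network to transport. */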
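Review bot: dst_output_okfn takes `net` only to drop it, because `dst_output()` still calls `skb_dst(skb)->output(sk, skb)` and the dst output callback has no namespace argument yet; without a comment the unused parameter looks like an oversight rather than the transitional adapter it is, so I would add `/* okfn adapter: dst->output() does not take net yet, so it is dropped here */` above it. Note also that the name `dst_output` changes meaning in this hunk, from the old one-argument `dst_output(skb)` that used `skb->sk` to the two-argument form that was `dst_output_sk`; in-tree callers not updated elsewhere in this series will fail to compile rather than misbehave, which is the safe outcome, but the commit message could say the rename is intentional.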

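--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -807,7 +807,7 @@ static inline u8 ip6_tclass(__be32 flowinfo)
 int ipv6_rcv(struct sk_buff *skb, struct net_device *dev,
 struct packet_type *pt, struct net_device *orig_dev);
 
-int ip6_rcv_finish(struct sock *sk, struct sk_buff *skb);
+int ip6_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb);
 
 /*
 * upper-layer output functions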

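--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -31,7 +31,7 @@ static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
 skb->network_header -= len;
 }
 
-int br_nf_pre_routing_finish_bridge(struct sock *sk, struct sk_buff *skb);
+int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_buff *skb);
 
 static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
 {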

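--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -296,8 +296,6 @@ struct xfrm_policy_afinfo {
 struct flowi *fl,
 int reverse);
 int (*get_tos)(const struct flowi *fl);
-void (*init_dst)(struct net *net,
-struct xfrm_dst *dst);
 int (*init_path)(struct xfrm_dst *path,
 struct dst_entry *dst,
 int nfheader_len);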

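--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -35,7 +35,7 @@ static inline int should_deliver(const struct net_bridge_port *p,
 p->state == BR_STATE_FORWARDING;
 }
 
-int br_dev_queue_push_xmit(struct sock *sk, struct sk_buff *skb)
+int br_dev_queue_push_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
 if (!is_skb_forwardable(skb->dev, skb))
 goto drop;
@@ -65,10 +65,10 @@ int br_dev_queue_push_xmit(struct sock *sk, struct sk_buff *skb)
 }
 EXPORT_SYMBOL_GPL(br_dev_queue_push_xmit);
 
-int br_forward_finish(struct sock *sk, struct sk_buff *skb)
+int br_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
-return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING, sk, skb,
-NULL, skb->dev,
+return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING,
+net, sk, skb, NULL, skb->dev,
 br_dev_queue_push_xmit);
 
 }
@@ -92,8 +92,8 @@ static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb)
 return;
 }
 
-NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, NULL, skb,
-NULL, skb->dev,
+NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT,
+dev_net(skb->dev), NULL, skb,NULL, skb->dev,
 br_forward_finish);
 }
 
@@ -114,8 +114,8 @@ static void __br_forward(const struct net_bridge_port *to, struct sk_buff *skb)
 skb->dev = to->dev;
 skb_forward_csum(skb);
 
-NF_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD, NULL, skb,
-indev, skb->dev,
+NF_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD,
+dev_net(indev), NULL, skb, indev, skb->dev,
 br_forward_finish);
 }
 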
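Review bot: the two bridge paths pick the namespace from different devices — `__br_deliver` passes `dev_net(skb->dev)` (the egress port) while `__br_forward` passes `dev_net(indev)` (the ingress port) — and both then reach br_forward_finish, which forwards that `net` to NF_BR_POST_ROUTING with `skb->dev` as the out device; the two only agree if every port of a bridge lives in the bridge's namespace, which I believe holds but is not visible here, so I would either use `dev_net(skb->dev)` in both or add `/* ports share the bridge's namespace, so indev and skb->dev agree */` at the __br_forward call. There is also a missing space in `dev_net(skb->dev), NULL, skb,NULL, skb->dev,` that checkpatch will flag. The `net` parameter added to br_dev_queue_push_xmit is unused in the visible lines and its body continues outside the hunk.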

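--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -26,6 +26,12 @@
 br_should_route_hook_t __rcu *br_should_route_hook __read_mostly;
 EXPORT_SYMBOL(br_should_route_hook);
 
+static int
+br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb)
+{
+return netif_receive_skb(skb);
+}
+
 static int br_pass_frame_up(struct sk_buff *skb)
 {
 struct net_device *indev, *brdev = BR_INPUT_SKB_CB(skb)->brdev;
@@ -55,9 +61,9 @@ static int br_pass_frame_up(struct sk_buff *skb)
 if (!skb)
 return NET_RX_DROP;
 
-return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, NULL, skb,
-indev, NULL,
-netif_receive_skb_sk);
+return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
+dev_net(indev), NULL, skb, indev, NULL,
+br_netif_receive_skb);
 }
 
 static void br_do_proxy_arp(struct sk_buff *skb, struct net_bridge *br,
@@ -120,7 +126,7 @@ static void br_do_proxy_arp(struct sk_buff *skb, struct net_bridge *br,
 }
 
 /* note: already called with rcu_read_lock */
-int br_handle_frame_finish(struct sock *sk, struct sk_buff *skb)
+int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
 const unsigned char *dest = eth_hdr(skb)->h_dest;
 struct net_bridge_port *p = br_port_get_rcu(skb->dev);
@@ -208,7 +214,7 @@ int br_handle_frame_finish(struct sock *sk, struct sk_buff *skb)
 EXPORT_SYMBOL_GPL(br_handle_frame_finish);
 
 /* note: already called with rcu_read_lock */
-static int br_handle_local_finish(struct sock *sk, struct sk_buff *skb)
+static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
 struct net_bridge_port *p = br_port_get_rcu(skb->dev);
 u16 vid = 0;
@@ -278,8 +284,9 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
 }
 
 /* Deliver packet to local host only */
-if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, NULL, skb,
-skb->dev, NULL, br_handle_local_finish)) {
+if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
+dev_net(skb->dev), NULL, skb, skb->dev, NULL,
+br_handle_local_finish)) {
 return RX_HANDLER_CONSUMED; /* consumed by filter */
 } else {
 *pskb = skb;
@@ -303,8 +310,8 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
 if (ether_addr_equal(p->br->dev->dev_addr, dest))
 skb->pkt_type = PACKET_HOST;
 
-NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, NULL, skb,
-skb->dev, NULL,
+NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING,
+dev_net(skb->dev), NULL, skb, skb->dev, NULL,
 br_handle_frame_finish);
 break;
 default: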
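Review bot: the new `br_netif_receive_skb` wrapper ignores both `net` and `sk` without saying why, which reads like a bug until one checks that `netif_receive_skb()` now takes only the skb; a one-line comment above it, `/* okfn adapter: netif_receive_skb() needs neither net nor sk */`, documents that the dropped arguments are intentional. In `br_pass_frame_up` the namespace is taken from `indev` while `skb->dev` at that point is presumably the bridge device (set outside the hunk), so the choice of the ingress port's namespace over the bridge's deserves a word too, unless the two are guaranteed equal. `br_handle_frame_finish` and `br_handle_local_finish` gain `net` but the visible lines do not use it; their bodies continue outside the hunks.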
