|
|
@@ -34,50 +34,61 @@
|
|
|
/* Returns one of the generic firewall policies, like NF_ACCEPT. */
|
|
|
unsigned int
|
|
|
ipt_do_table(struct sk_buff *skb,
|
|
|
-@@ -334,19 +361,6 @@ ipt_do_table(struct sk_buff *skb,
|
|
|
- ip = ip_hdr(skb);
|
|
|
- indev = in ? in->name : nulldevname;
|
|
|
- outdev = out ? out->name : nulldevname;
|
|
|
-- /* We handle fragments by dealing with the first fragment as
|
|
|
-- * if it was a normal packet. All other fragments are treated
|
|
|
-- * normally, except that they will NEVER match rules that ask
|
|
|
-- * things we don't know, ie. tcp syn flag or ports). If the
|
|
|
-- * rule is also a fragment-specific rule, non-fragments won't
|
|
|
-- * match it. */
|
|
|
-- acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
|
|
|
-- acpar.thoff = ip_hdrlen(skb);
|
|
|
-- acpar.hotdrop = false;
|
|
|
-- acpar.in = in;
|
|
|
-- acpar.out = out;
|
|
|
-- acpar.family = NFPROTO_IPV4;
|
|
|
-- acpar.hooknum = hook;
|
|
|
+@@ -331,9 +358,33 @@ ipt_do_table(struct sk_buff *skb,
|
|
|
+ unsigned int addend;
|
|
|
|
|
|
- IP_NF_ASSERT(table->valid_hooks & (1 << hook));
|
|
|
- local_bh_disable();
|
|
|
-@@ -364,6 +378,26 @@ ipt_do_table(struct sk_buff *skb,
|
|
|
- origptr = *stackptr;
|
|
|
-
|
|
|
- e = get_entry(table_base, private->hook_entry[hook]);
|
|
|
+ /* Initialization */
|
|
|
++ IP_NF_ASSERT(table->valid_hooks & (1 << hook));
|
|
|
++ local_bh_disable();
|
|
|
++ private = table->private;
|
|
|
++ cpu = smp_processor_id();
|
|
|
++ /*
|
|
|
++ * Ensure we load private-> members after we've fetched the base
|
|
|
++ * pointer.
|
|
|
++ */
|
|
|
++ smp_read_barrier_depends();
|
|
|
++ table_base = private->entries[cpu];
|
|
|
++
|
|
|
++ e = get_entry(table_base, private->hook_entry[hook]);
|
|
|
+ if (ipt_handle_default_rule(e, &verdict)) {
|
|
|
+ ADD_COUNTER(e->counters, skb->len, 1);
|
|
|
-+ xt_write_recseq_end(addend);
|
|
|
+ local_bh_enable();
|
|
|
+ return verdict;
|
|
|
+ }
|
|
|
+
|
|
|
-+ /* We handle fragments by dealing with the first fragment as
|
|
|
-+ * if it was a normal packet. All other fragments are treated
|
|
|
-+ * normally, except that they will NEVER match rules that ask
|
|
|
-+ * things we don't know, ie. tcp syn flag or ports). If the
|
|
|
-+ * rule is also a fragment-specific rule, non-fragments won't
|
|
|
-+ * match it. */
|
|
|
-+ acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
|
|
|
-+ acpar.thoff = ip_hdrlen(skb);
|
|
|
-+ acpar.hotdrop = false;
|
|
|
-+ acpar.in = in;
|
|
|
-+ acpar.out = out;
|
|
|
-+ acpar.family = NFPROTO_IPV4;
|
|
|
-+ acpar.hooknum = hook;
|
|
|
+ ip = ip_hdr(skb);
|
|
|
+ indev = in ? in->name : nulldevname;
|
|
|
+ outdev = out ? out->name : nulldevname;
|
|
|
++
|
|
|
++ addend = xt_write_recseq_begin();
|
|
|
++ jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
|
|
|
++ stackptr = per_cpu_ptr(private->stackptr, cpu);
|
|
|
++ origptr = *stackptr;
|
|
|
++
|
|
|
+ /* We handle fragments by dealing with the first fragment as
|
|
|
+ * if it was a normal packet. All other fragments are treated
|
|
|
+ * normally, except that they will NEVER match rules that ask
|
|
|
+@@ -348,23 +399,6 @@ ipt_do_table(struct sk_buff *skb,
|
|
|
+ acpar.family = NFPROTO_IPV4;
|
|
|
+ acpar.hooknum = hook;
|
|
|
|
|
|
+- IP_NF_ASSERT(table->valid_hooks & (1 << hook));
|
|
|
+- local_bh_disable();
|
|
|
+- addend = xt_write_recseq_begin();
|
|
|
+- private = table->private;
|
|
|
+- cpu = smp_processor_id();
|
|
|
+- /*
|
|
|
+- * Ensure we load private-> members after we've fetched the base
|
|
|
+- * pointer.
|
|
|
+- */
|
|
|
+- smp_read_barrier_depends();
|
|
|
+- table_base = private->entries[cpu];
|
|
|
+- jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
|
|
|
+- stackptr = per_cpu_ptr(private->stackptr, cpu);
|
|
|
+- origptr = *stackptr;
|
|
|
+-
|
|
|
+- e = get_entry(table_base, private->hook_entry[hook]);
|
|
|
+-
|
|
|
pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n",
|
|
|
table->name, hook, origptr,
|
|
|
+ get_entry(table_base, private->underflow[hook]));
|
Felix Fietkau