| author | Jan Engelhardt | 2010-04-19 16:05:10 +0200 |
|---|---|---|
| committer | Patrick McHardy | 2010-04-19 16:05:10 +0200 |
| commit | f3c5c1bfd430858d3a05436f82c51e53104feb6b (patch) | |
| tree | ada5b570b66e141e79fdb256f69e2541a3d30c04 /include | |
| parent | netfilter: xtables: inclusion of xt_TEE (diff) | |
netfilter: xtables: make ip_tables reentrant
Currently, the table traverser stores return addresses in the ruleset
itself (struct ip6t_entry->comefrom). This has a well-known drawback:
the jumpstack is overwritten on reentry, making it necessary for
targets to return absolute verdicts. Also, the ruleset (which might
be heavy memory-wise) needs to be replicated for each CPU that can
possibly invoke ip6t_do_table.
This patch decouples the jumpstack from struct ip6t_entry and instead
puts it into xt_table_info. Not being restricted by 'comefrom'
anymore, we can set up a stack as needed. By default, there is room
allocated for two entries into the traverser.
arp_tables is not touched though, because there is just one/two
modules and further patches seek to collapse the table traverser
anyhow.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/netfilter/x_tables.h | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 26ced0c323a5..50c867256ca3 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -401,6 +401,13 @@ struct xt_table_info { unsigned int hook_entry[NF_INET_NUMHOOKS]; unsigned int underflow[NF_INET_NUMHOOKS]; + /* + * Number of user chains. Since tables cannot have loops, at most + * @stacksize jumps (number of user chains) can possibly be made. + */ + unsigned int stacksize; + unsigned int *stackptr; + void ***jumpstack; /* ipt_entry tables: one per CPU */ /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */ void *entries[1]; |
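Review bot: the new `stackptr` and `jumpstack` members carry no comment of their own, and because `void ***jumpstack;` now lands directly above the pre-existing `/* ipt_entry tables: one per CPU */` line, that comment reads as though it documents jumpstack rather than `entries[1]`. Suggest annotating them at the declaration, for instance `unsigned int *stackptr; /* per-CPU index into jumpstack */` and `void ***jumpstack; /* per-CPU array of return addresses */` (if that is indeed the layout the triple indirection encodes), so a reader does not have to reconstruct it from the commit message. Two follow-on points: the block comment bounds the stack by @stacksize "since tables cannot have loops", so the traverser's memory safety now rests on the loop check done when a ruleset is installed, and that dependency deserves an explicit sentence next to the bound. Also, the commit message says room is allocated for two entries into the traverser, but nothing in this header records that reentrancy factor; whoever sizes jumpstack from stacksize should state whether stacksize already accounts for it. Inserting the fields ahead of `entries[1]` does keep the XT_TABLE_INFO_SZ invariant from the context line intact.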