diff options
| author | Daniel Borkmann <daniel@iogearbox.net> | 2020-03-18 12:33:22 +0300 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2020-03-19 02:35:48 +0300 |
| commit | 357b6cc5834eabc1be7c28a9faae7da061df097d (patch) | |
| tree | 115ada0d38fbd89d8be6ffc03c27c22e3bcdb4b5 /net/netfilter | |
| parent | ce7964bdc414b1ab6a7d3678ba064548c0bee973 (diff) | |
| download | linux-357b6cc5834eabc1be7c28a9faae7da061df097d.tar.xz | |
netfilter: revert introduction of egress hook
This reverts the following commits:
8537f78647c0 ("netfilter: Introduce egress hook")
5418d3881e1f ("netfilter: Generalize ingress hook")
b030f194aed2 ("netfilter: Rename ingress hook include file")
>From the discussion in [0], the author's main motivation to add a hook
in fast path is for an out of tree kernel module, which is a red flag
to begin with. Other mentioned potential use cases like NAT{64,46}
is on future extensions w/o concrete code in the tree yet. Revert as
suggested [1] given the weak justification to add more hooks to critical
fast-path.
[0] https://lore.kernel.org/netdev/cover.1583927267.git.lukas@wunner.de/
[1] https://lore.kernel.org/netdev/20200318.011152.72770718915606186.davem@davemloft.net/
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: David Miller <davem@davemloft.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Alexei Starovoitov <ast@kernel.org>
Nacked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/Kconfig | 8 | ||||
| -rw-r--r-- | net/netfilter/core.c | 24 | ||||
| -rw-r--r-- | net/netfilter/nft_chain_filter.c | 4 |
3 files changed, 5 insertions, 31 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index f4c68f60f241..468fea1aebba 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -10,14 +10,6 @@ config NETFILTER_INGRESS This allows you to classify packets from ingress using the Netfilter infrastructure. -config NETFILTER_EGRESS - bool "Netfilter egress support" - default y - select NET_EGRESS - help - This allows you to classify packets before transmission using the - Netfilter infrastructure. - config NETFILTER_NETLINK tristate diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 85e9c959aba7..78f046ec506f 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -307,12 +307,6 @@ nf_hook_entry_head(struct net *net, int pf, unsigned int hooknum, return &dev->nf_hooks_ingress; } #endif -#ifdef CONFIG_NETFILTER_EGRESS - if (hooknum == NF_NETDEV_EGRESS) { - if (dev && dev_net(dev) == net) - return &dev->nf_hooks_egress; - } -#endif WARN_ON_ONCE(1); return NULL; } @@ -324,13 +318,11 @@ static int __nf_register_net_hook(struct net *net, int pf, struct nf_hook_entries __rcu **pp; if (pf == NFPROTO_NETDEV) { - if ((!IS_ENABLED(CONFIG_NETFILTER_INGRESS) && - reg->hooknum == NF_NETDEV_INGRESS) || - (!IS_ENABLED(CONFIG_NETFILTER_EGRESS) && - reg->hooknum == NF_NETDEV_EGRESS)) +#ifndef CONFIG_NETFILTER_INGRESS + if (reg->hooknum == NF_NETDEV_INGRESS) return -EOPNOTSUPP; - if ((reg->hooknum != NF_NETDEV_INGRESS && - reg->hooknum != NF_NETDEV_EGRESS) || +#endif + if (reg->hooknum != NF_NETDEV_INGRESS || !reg->dev || dev_net(reg->dev) != net) return -EINVAL; } @@ -356,10 +348,6 @@ static int __nf_register_net_hook(struct net *net, int pf, if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) net_inc_ingress_queue(); #endif -#ifdef CONFIG_NETFILTER_EGRESS - if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_EGRESS) - net_inc_egress_queue(); -#endif #ifdef CONFIG_JUMP_LABEL static_key_slow_inc(&nf_hooks_needed[pf][reg->hooknum]); #endif @@ -418,10 +406,6 @@ static void __nf_unregister_net_hook(struct net *net, int pf, if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) net_dec_ingress_queue(); #endif -#ifdef CONFIG_NETFILTER_EGRESS - if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_EGRESS) - net_dec_egress_queue(); -#endif #ifdef CONFIG_JUMP_LABEL static_key_slow_dec(&nf_hooks_needed[pf][reg->hooknum]); #endif diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index 67ce6dbb5496..c78d01bc02e9 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c @@ -277,11 +277,9 @@ static const struct nft_chain_type nft_chain_filter_netdev = { .name = "filter", .type = NFT_CHAIN_T_DEFAULT, .family = NFPROTO_NETDEV, - .hook_mask = (1 << NF_NETDEV_INGRESS) | - (1 << NF_NETDEV_EGRESS), + .hook_mask = (1 << NF_NETDEV_INGRESS), .hooks = { [NF_NETDEV_INGRESS] = nft_do_chain_netdev, - [NF_NETDEV_EGRESS] = nft_do_chain_netdev, }, }; |