From 357b6cc5834eabc1be7c28a9faae7da061df097d Mon Sep 17 00:00:00 2001
From: Daniel Borkmann
Date: Wed, 18 Mar 2020 10:33:22 +0100
Subject: netfilter: revert introduction of egress hook

This reverts the following commits:

8537f78647c0 ("netfilter: Introduce egress hook")
5418d3881e1f ("netfilter: Generalize ingress hook")
b030f194aed2 ("netfilter: Rename ingress hook include file")

>From the discussion in [0], the author's main motivation to add a hook in fast path is for an out of tree kernel module, which is a red flag to begin with. Other mentioned potential use cases like NAT{64,46} is on future extensions w/o concrete code in the tree yet. Revert as suggested [1] given the weak justification to add more hooks to critical fast-path.

[0] https://lore.kernel.org/netdev/cover.1583927267.git.lukas@wunner.de/
[1] https://lore.kernel.org/netdev/20200318.011152.72770718915606186.davem@davemloft.net/

Signed-off-by: Daniel Borkmann
Cc: David Miller
Cc: Pablo Neira Ayuso
Cc: Alexei Starovoitov
Nacked-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
---
 net/netfilter/Kconfig | 8 --------
 net/netfilter/core.c | 24 ++++--------------------
 net/netfilter/nft_chain_filter.c | 4 +---
 3 files changed, 5 insertions(+), 31 deletions(-)
(limited to 'net/netfilter')

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index f4c68f60f241..468fea1aebba 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -10,14 +10,6 @@ config NETFILTER_INGRESS
 	  This allows you to classify packets from ingress using the
 	  Netfilter infrastructure.
 
-config NETFILTER_EGRESS
-	bool "Netfilter egress support"
-	default y
-	select NET_EGRESS
-	help
-	  This allows you to classify packets before transmission using the
-	  Netfilter infrastructure.
-
 
 config NETFILTER_NETLINK
 	tristate
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 85e9c959aba7..78f046ec506f 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -306,12 +306,6 @@ nf_hook_entry_head(struct net *net, int pf, unsigned int hooknum,
 		if (dev && dev_net(dev) == net)
 			return &dev->nf_hooks_ingress;
 	}
-#endif
-#ifdef CONFIG_NETFILTER_EGRESS
-	if (hooknum == NF_NETDEV_EGRESS) {
-		if (dev && dev_net(dev) == net)
-			return &dev->nf_hooks_egress;
-	}
 #endif
 	WARN_ON_ONCE(1);
 	return NULL;
@@ -324,13 +318,11 @@ static int __nf_register_net_hook(struct net *net, int pf,
 	struct nf_hook_entries __rcu **pp;
 
 	if (pf == NFPROTO_NETDEV) {
-		if ((!IS_ENABLED(CONFIG_NETFILTER_INGRESS) &&
-		     reg->hooknum == NF_NETDEV_INGRESS) ||
-		    (!IS_ENABLED(CONFIG_NETFILTER_EGRESS) &&
-		     reg->hooknum == NF_NETDEV_EGRESS))
+#ifndef CONFIG_NETFILTER_INGRESS
+		if (reg->hooknum == NF_NETDEV_INGRESS)
 			return -EOPNOTSUPP;
-		if ((reg->hooknum != NF_NETDEV_INGRESS &&
-		     reg->hooknum != NF_NETDEV_EGRESS) ||
+#endif
+		if (reg->hooknum != NF_NETDEV_INGRESS ||
 		    !reg->dev || dev_net(reg->dev) != net)
 			return -EINVAL;
 	}
@@ -356,10 +348,6 @@ static int __nf_register_net_hook(struct net *net, int pf,
 	if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
 		net_inc_ingress_queue();
 #endif
-#ifdef CONFIG_NETFILTER_EGRESS
-	if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_EGRESS)
-		net_inc_egress_queue();
-#endif
 #ifdef CONFIG_JUMP_LABEL
 	static_key_slow_inc(&nf_hooks_needed[pf][reg->hooknum]);
 #endif
@@ -418,10 +406,6 @@ static void __nf_unregister_net_hook(struct net *net, int pf,
 	if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
 		net_dec_ingress_queue();
 #endif
-#ifdef CONFIG_NETFILTER_EGRESS
-	if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_EGRESS)
-		net_dec_egress_queue();
-#endif
 #ifdef CONFIG_JUMP_LABEL
 	static_key_slow_dec(&nf_hooks_needed[pf][reg->hooknum]);
 #endif
diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index 67ce6dbb5496..c78d01bc02e9 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
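Review bot: In the `__nf_register_net_hook` hunk at -324,+318 the purpose of the two back-to-back checks on `reg->hooknum` is not obvious from the code: with CONFIG_NETFILTER_INGRESS unset, the `#ifndef` block exists only so that a request for the ingress hook fails with -EOPNOTSUPP while every other NETDEV hooknum still falls through to the -EINVAL path. A one-line comment above the `#ifndef` would make that explicit, e.g. `/* ingress is the only NETDEV hook; when not built in, report it as unsupported rather than invalid */`. The restored `reg->hooknum != NF_NETDEV_INGRESS` test is also what constrains the index used by `nf_hooks_needed[pf][reg->hooknum]` in the -356,+348 hunk, so it should stay ahead of that increment — assuming the array's hook dimension is sized for the NETDEV hook count, which I cannot confirm from this diff. The function body continues outside the hunk.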
@@ -277,11 +277,9 @@ static const struct nft_chain_type nft_chain_filter_netdev = {
 	.name = "filter",
 	.type = NFT_CHAIN_T_DEFAULT,
 	.family = NFPROTO_NETDEV,
-	.hook_mask = (1 << NF_NETDEV_INGRESS) |
-		     (1 << NF_NETDEV_EGRESS),
+	.hook_mask = (1 << NF_NETDEV_INGRESS),
 	.hooks = {
 		[NF_NETDEV_INGRESS] = nft_do_chain_netdev,
-		[NF_NETDEV_EGRESS] = nft_do_chain_netdev,
 	},
 };
 
--
cgit v1.2.3