author | Daniel Borkmann <daniel@iogearbox.net> | 2020-03-18 10:33:22 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2020-03-18 16:35:48 -0700 |
commit | 357b6cc5834eabc1be7c28a9faae7da061df097d (patch) | |
tree | 115ada0d38fbd89d8be6ffc03c27c22e3bcdb4b5 /net/core | |
parent | ce7964bdc414b1ab6a7d3678ba064548c0bee973 (diff) |
netfilter: revert introduction of egress hook
This reverts the following commits:
8537f78647c0 ("netfilter: Introduce egress hook")
5418d3881e1f ("netfilter: Generalize ingress hook")
b030f194aed2 ("netfilter: Rename ingress hook include file")
From the discussion in [0], the author's main motivation to add a hook
in fast path is for an out of tree kernel module, which is a red flag
to begin with. Other mentioned potential use cases like NAT{64,46}
is on future extensions w/o concrete code in the tree yet. Revert as
suggested [1] given the weak justification to add more hooks to critical
fast-path.
[0] https://lore.kernel.org/netdev/cover.1583927267.git.lukas@wunner.de/
[1] https://lore.kernel.org/netdev/20200318.011152.72770718915606186.davem@davemloft.net/
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: David Miller <davem@davemloft.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Alexei Starovoitov <ast@kernel.org>
Nacked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
-rw-r--r-- | net/core/dev.c | 27 |
1 files changed, 5 insertions, 22 deletions
diff --git a/net/core/dev.c b/net/core/dev.c
index aeb8ccbbe93b..021e18251465 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -135,7 +135,7 @@
 #include <linux/if_macvlan.h>
 #include <linux/errqueue.h>
 #include <linux/hrtimer.h>
-#include <linux/netfilter_netdev.h>
+#include <linux/netfilter_ingress.h>
 #include <linux/crash_dump.h>
 #include <linux/sctp.h>
 #include <net/udp_tunnel.h>
@@ -3773,7 +3773,6 @@ EXPORT_SYMBOL(dev_loopback_xmit); static struct sk_buff * sch_handle_egress(struct sk_buff *skb, int *ret, struct net_device *dev) { -#ifdef CONFIG_NET_CLS_ACT struct mini_Qdisc *miniq = rcu_dereference_bh(dev->miniq_egress); struct tcf_result cl_res;
@@ -3807,24 +3806,11 @@ sch_handle_egress(struct sk_buff *skb, int *ret, struct net_device *dev) default: break; } -#endif /* CONFIG_NET_CLS_ACT */ + return skb; } #endif /* CONFIG_NET_EGRESS */ -static inline int nf_egress(struct sk_buff *skb) -{ - if (nf_hook_egress_active(skb)) { - int ret; - - rcu_read_lock(); - ret = nf_hook_egress(skb); - rcu_read_unlock(); - return ret; - } - return 0; -} - #ifdef CONFIG_XPS static int __get_xps_queue_idx(struct net_device *dev, struct sk_buff *skb, struct xps_dev_maps *dev_maps, unsigned int tci)
@@ -4011,16 +3997,13 @@ static int __dev_queue_xmit(struct sk_buff *skb, struct net_device *sb_dev) qdisc_pkt_len_init(skb); #ifdef CONFIG_NET_CLS_ACT skb->tc_at_ingress = 0; -#endif -#ifdef CONFIG_NET_EGRESS +# ifdef CONFIG_NET_EGRESS if (static_branch_unlikely(&egress_needed_key)) { - if (nf_egress(skb) < 0) - goto out; - skb = sch_handle_egress(skb, &rc, dev); if (!skb) goto out; } +# endif #endif /* If device/qdisc don't need skb->dst, release it right now while * its hot in this cpu cache.
@@ -9867,7 +9850,7 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name, if (!dev->ethtool_ops) dev->ethtool_ops = &default_ethtool_ops; - nf_hook_netdev_init(dev); + nf_hook_ingress_init(dev); return dev; |
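Review bot: The preprocessor guards around sch_handle_egress() are now asymmetric. In the __dev_queue_xmit hunk the call sits inside both `#ifdef CONFIG_NET_CLS_ACT` and `# ifdef CONFIG_NET_EGRESS`, while the sch_handle_egress hunks drop the function's inner CONFIG_NET_CLS_ACT guard and leave the definition under CONFIG_NET_EGRESS only. That holds only if CONFIG_NET_EGRESS cannot be enabled without CONFIG_NET_CLS_ACT; the Kconfig side is not in this diffstat, so it should be confirmed, since otherwise the static function is built but never called while referencing `dev->miniq_egress` and `struct tcf_result` unconditionally. The new closers are also bare where the file elsewhere annotates them, so `# endif /* CONFIG_NET_EGRESS */` and `#endif /* CONFIG_NET_CLS_ACT */` would keep the nesting readable. Both functions start and end outside their hunks.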