source: trunk/target/linux/generic/patches-2.6.39/611-netfilter_match_bypass_default_table.patch @ 27840

Last change on this file since 27840 was 27840, checked in by nbd, 5 years ago

kernel: add a new version of my netfilter speedup patches for linux 2.6.39 and 3.0

File size: 2.3 KB
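--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -316,6 +316,33 @@ struct ipt_entry *ipt_next_entry(const s
         return (void *)entry + entry->next_offset;
 }
 
+static bool
+ipt_handle_default_rule(struct ipt_entry *e, unsigned int *verdict)
+{
+        struct xt_entry_target *t;
+        struct xt_standard_target *st;
+
+        if (e->target_offset != sizeof(struct ipt_entry))
+                return false;
+
+        if (!(e->ip.flags & IPT_F_NO_DEF_MATCH))
+                return false;
+
+        t = ipt_get_target(e);
+        if (t->u.kernel.target->target)
+                return false;
+
+        st = (struct xt_standard_target *) t;
+        if (st->verdict == XT_RETURN)
+                return false;
+
+        if (st->verdict >= 0)
+                return false;
+
+        *verdict = (unsigned)(-st->verdict) - 1;
+        return true;
+}
+
 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
 unsigned int
 ipt_do_table(struct sk_buff *skb,
@@ -339,6 +366,23 @@ ipt_do_table(struct sk_buff *skb,
         ip = ip_hdr(skb);
         indev = in ? in->name : nulldevname;
         outdev = out ? out->name : nulldevname;
+
+        IP_NF_ASSERT(table->valid_hooks & (1 << hook));
+        xt_info_rdlock_bh();
+        private = table->private;
+        cpu        = smp_processor_id();
+        table_base = private->entries[cpu];
+        jumpstack  = (struct ipt_entry **)private->jumpstack[cpu];
+        stackptr   = per_cpu_ptr(private->stackptr, cpu);
+        origptr    = *stackptr;
+
+        e = get_entry(table_base, private->hook_entry[hook]);
+        if (ipt_handle_default_rule(e, &verdict)) {
+                ADD_COUNTER(e->counters, skb->len, 1);
+                xt_info_rdunlock_bh();
+                return verdict;
+        }
+
         /* We handle fragments by dealing with the first fragment as
          * if it was a normal packet.  All other fragments are treated
          * normally, except that they will NEVER match rules that ask
@@ -353,17 +397,6 @@ ipt_do_table(struct sk_buff *skb,
         acpar.family  = NFPROTO_IPV4;
         acpar.hooknum = hook;
 
-        IP_NF_ASSERT(table->valid_hooks & (1 << hook));
-        xt_info_rdlock_bh();
-        private = table->private;
-        cpu        = smp_processor_id();
-        table_base = private->entries[cpu];
-        jumpstack  = (struct ipt_entry **)private->jumpstack[cpu];
-        stackptr   = per_cpu_ptr(private->stackptr, cpu);
-        origptr    = *stackptr;
-
-        e = get_entry(table_base, private->hook_entry[hook]);
-
         pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n",
                  table->name, hook, origptr,
                  get_entry(table_base, private->underflow[hook]));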
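Review bot: `ipt_handle_default_rule()` (new lines 319-344) has no comment stating its preconditions, and its verdict short-circuit rests entirely on `IPT_F_NO_DEF_MATCH` being set in `e->ip.flags`, a bit whose origin is not visible in this patch. If that bit could ever arrive in a user-supplied ruleset instead of being computed by the kernel at table load, a first rule carrying real address or interface criteria would be applied to every packet as if it were a match-all policy, so the entry-check code should be confirmed to reject or clear it on input. I would put the contract above the helper, for example `/* Fast path: true only for a match-less first rule with a standard, non-RETURN verdict; IPT_F_NO_DEF_MATCH must be kernel-computed, never accepted from userspace. */`. The early `return verdict` at new lines 380-384 also leaves `ipt_do_table()` before the rest of its body, which lies outside these hunks, so any per-packet debug or trace output done further down would presumably no longer cover packets decided here; that trade-off deserves a line in the commit message.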