提交 b069b37a 编写于 作者: A Arnd Bergmann 提交者: Pablo Neira Ayuso

netfilter: nf_defrag: mark xt_table structures 'const' again

As a side-effect of adding the module option, we now get a section
mismatch warning:

WARNING: net/ipv4/netfilter/iptable_raw.o(.data+0x1c): Section mismatch in reference from the variable packet_raw to the function .init.text:iptable_raw_table_init()
The variable packet_raw references
the function __init iptable_raw_table_init()
If the reference is valid then annotate the
variable with __init* or __refdata (see linux/init.h) or name the variable:
*_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console

Apparently it's ok to link to a __net_init function from .rodata but not
from .data. We can address this by rearranging the logic so that the
structure is read-only again. Instead of writing to the .priority field
later, we have an extra copy of the structure with that flag. An added
advantage is that we don't have writable function pointers with this
approach.

Fixes: 902d6a4c ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
Signed-off-by: NArnd Bergmann <arnd@arndb.de>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
上级 83f1999c
...@@ -17,7 +17,7 @@ static bool raw_before_defrag __read_mostly; ...@@ -17,7 +17,7 @@ static bool raw_before_defrag __read_mostly;
MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag"); MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag");
module_param(raw_before_defrag, bool, 0000); module_param(raw_before_defrag, bool, 0000);
static struct xt_table packet_raw = { static const struct xt_table packet_raw = {
.name = "raw", .name = "raw",
.valid_hooks = RAW_VALID_HOOKS, .valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE, .me = THIS_MODULE,
...@@ -26,6 +26,15 @@ static struct xt_table packet_raw = { ...@@ -26,6 +26,15 @@ static struct xt_table packet_raw = {
.table_init = iptable_raw_table_init, .table_init = iptable_raw_table_init,
}; };
static const struct xt_table packet_raw_before_defrag = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV4,
.priority = NF_IP_PRI_RAW_BEFORE_DEFRAG,
.table_init = iptable_raw_table_init,
};
/* The work comes in here from netfilter.c. */ /* The work comes in here from netfilter.c. */
static unsigned int static unsigned int
iptable_raw_hook(void *priv, struct sk_buff *skb, iptable_raw_hook(void *priv, struct sk_buff *skb,
...@@ -39,15 +48,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly; ...@@ -39,15 +48,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
static int __net_init iptable_raw_table_init(struct net *net) static int __net_init iptable_raw_table_init(struct net *net)
{ {
struct ipt_replace *repl; struct ipt_replace *repl;
const struct xt_table *table = &packet_raw;
int ret; int ret;
if (raw_before_defrag)
table = &packet_raw_before_defrag;
if (net->ipv4.iptable_raw) if (net->ipv4.iptable_raw)
return 0; return 0;
repl = ipt_alloc_initial_table(&packet_raw); repl = ipt_alloc_initial_table(table);
if (repl == NULL) if (repl == NULL)
return -ENOMEM; return -ENOMEM;
ret = ipt_register_table(net, &packet_raw, repl, rawtable_ops, ret = ipt_register_table(net, table, repl, rawtable_ops,
&net->ipv4.iptable_raw); &net->ipv4.iptable_raw);
kfree(repl); kfree(repl);
return ret; return ret;
...@@ -68,14 +81,15 @@ static struct pernet_operations iptable_raw_net_ops = { ...@@ -68,14 +81,15 @@ static struct pernet_operations iptable_raw_net_ops = {
static int __init iptable_raw_init(void) static int __init iptable_raw_init(void)
{ {
int ret; int ret;
const struct xt_table *table = &packet_raw;
if (raw_before_defrag) { if (raw_before_defrag) {
packet_raw.priority = NF_IP_PRI_RAW_BEFORE_DEFRAG; table = &packet_raw_before_defrag;
pr_info("Enabling raw table before defrag\n"); pr_info("Enabling raw table before defrag\n");
} }
rawtable_ops = xt_hook_ops_alloc(&packet_raw, iptable_raw_hook); rawtable_ops = xt_hook_ops_alloc(table, iptable_raw_hook);
if (IS_ERR(rawtable_ops)) if (IS_ERR(rawtable_ops))
return PTR_ERR(rawtable_ops); return PTR_ERR(rawtable_ops);
......
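Review bot: The table chosen in iptable_raw_table_init (`table = &packet_raw_before_defrag;` near the top of the per-net init hunk) is selected independently of the one iptable_raw_init passes to xt_hook_ops_alloc, so the hook ops and the table handed to ipt_register_table presumably agree only because `raw_before_defrag` is a `module_param` with 0000 permissions and cannot change between the two calls. That invariant is implicit in the new code; a comment at the second selection would save the next reader the lookup, e.g. `/* Must select the same table as iptable_raw_init(); raw_before_defrag is load-time only (perms 0000). */`. The closing brace of iptable_raw_table_init lies outside the hunk. The ip6table_raw.c section has the same two-way selection and would take the same comment.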
...@@ -16,7 +16,7 @@ static bool raw_before_defrag __read_mostly; ...@@ -16,7 +16,7 @@ static bool raw_before_defrag __read_mostly;
MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag"); MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag");
module_param(raw_before_defrag, bool, 0000); module_param(raw_before_defrag, bool, 0000);
static struct xt_table packet_raw = { static const struct xt_table packet_raw = {
.name = "raw", .name = "raw",
.valid_hooks = RAW_VALID_HOOKS, .valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE, .me = THIS_MODULE,
...@@ -25,6 +25,15 @@ static struct xt_table packet_raw = { ...@@ -25,6 +25,15 @@ static struct xt_table packet_raw = {
.table_init = ip6table_raw_table_init, .table_init = ip6table_raw_table_init,
}; };
static const struct xt_table packet_raw_before_defrag = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV6,
.priority = NF_IP6_PRI_RAW_BEFORE_DEFRAG,
.table_init = ip6table_raw_table_init,
};
/* The work comes in here from netfilter.c. */ /* The work comes in here from netfilter.c. */
static unsigned int static unsigned int
ip6table_raw_hook(void *priv, struct sk_buff *skb, ip6table_raw_hook(void *priv, struct sk_buff *skb,
...@@ -38,15 +47,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly; ...@@ -38,15 +47,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
static int __net_init ip6table_raw_table_init(struct net *net) static int __net_init ip6table_raw_table_init(struct net *net)
{ {
struct ip6t_replace *repl; struct ip6t_replace *repl;
const struct xt_table *table = &packet_raw;
int ret; int ret;
if (raw_before_defrag)
table = &packet_raw_before_defrag;
if (net->ipv6.ip6table_raw) if (net->ipv6.ip6table_raw)
return 0; return 0;
repl = ip6t_alloc_initial_table(&packet_raw); repl = ip6t_alloc_initial_table(table);
if (repl == NULL) if (repl == NULL)
return -ENOMEM; return -ENOMEM;
ret = ip6t_register_table(net, &packet_raw, repl, rawtable_ops, ret = ip6t_register_table(net, table, repl, rawtable_ops,
&net->ipv6.ip6table_raw); &net->ipv6.ip6table_raw);
kfree(repl); kfree(repl);
return ret; return ret;
...@@ -67,15 +80,16 @@ static struct pernet_operations ip6table_raw_net_ops = { ...@@ -67,15 +80,16 @@ static struct pernet_operations ip6table_raw_net_ops = {
static int __init ip6table_raw_init(void) static int __init ip6table_raw_init(void)
{ {
int ret; int ret;
const struct xt_table *table = &packet_raw;
if (raw_before_defrag) { if (raw_before_defrag) {
packet_raw.priority = NF_IP6_PRI_RAW_BEFORE_DEFRAG; table = &packet_raw_before_defrag;
pr_info("Enabling raw table before defrag\n"); pr_info("Enabling raw table before defrag\n");
} }
/* Register hooks */ /* Register hooks */
rawtable_ops = xt_hook_ops_alloc(&packet_raw, ip6table_raw_hook); rawtable_ops = xt_hook_ops_alloc(table, ip6table_raw_hook);
if (IS_ERR(rawtable_ops)) if (IS_ERR(rawtable_ops))
return PTR_ERR(rawtable_ops); return PTR_ERR(rawtable_ops);
......
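Review bot: In ip6table_raw_init the new `const struct xt_table *table = &packet_raw;` is declared after `int ret;`, whereas the identical variable added to ip6table_raw_table_init in the previous hunk is placed before `ret`; the two functions in one file should order their declarations the same way, so move the `table` line above `int ret;` in ip6table_raw_init. The same inconsistency exists between iptable_raw_init and iptable_raw_table_init in the ipv4 section. ip6table_raw_init continues past the end of the hunk.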