netfilter: xtables: make ip_tables reentrant
Currently, the table traverser stores return addresses in the ruleset itself (struct ip6t_entry->comefrom). This has a well-known drawback: the jumpstack is overwritten on reentry, making it necessary for targets to return absolute verdicts. Also, the ruleset (which might be heavy memory-wise) needs to be replicated for each CPU that can possibly invoke ip6t_do_table.

This patch decouples the jumpstack from struct ip6t_entry and instead puts it into xt_table_info. Not being restricted by 'comefrom' anymore, we can set up a stack as needed. By default, there is room allocated for two entries into the traverser.

arp_tables is not touched though, because there is just one/two modules and further patches seek to collapse the table traverser anyhow.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Showing
- include/linux/netfilter/x_tables.h: 7 additions, 0 deletions
- net/ipv4/netfilter/arp_tables.c: 4 additions, 2 deletions
- net/ipv4/netfilter/ip_tables.c: 35 additions, 30 deletions
- net/ipv6/netfilter/ip6_tables.c: 22 additions, 34 deletions
- net/netfilter/x_tables.c: 77 additions, 0 deletions
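As an added illustration of the mechanism the commit message describes (not code from this patch or from the kernel): a small user-space C model in which the traverser keeps return addresses in a jumpstack owned by the table info rather than in the entries, so a target that re-enters the table gets its own stack slots and the outer traversal's return address survives. The names do_table, table_info, run_model and the op codes are assumed for the model, as is the choice of "two entries" meaning two usable stack slots.

```c
/* Constructed user-space model, not kernel code: return addresses live in a
 * jumpstack owned by the table info, so nested entry does not clobber them. */
#include <stddef.h>
enum op { OP_ACCEPT, OP_DROP, OP_JUMP, OP_RETURN, OP_REENTER };
enum verdict { V_DROP = 0, V_ACCEPT = 1 };
struct entry { enum op op; size_t target; };   /* target: index for JUMP/REENTER */
struct table_info {
    const struct entry *entries;
    size_t jumpstack[8];        /* one stack shared by nested traversals */
    size_t stacksize;           /* usable slots; "two entries" modelled as 2 */
    size_t stackptr;            /* top of stack, saved and restored per entry */
};
/* Walk from `start`. OP_REENTER models a target that re-invokes the
 * traverser on the same table, so the outer frame must survive it. */
static enum verdict do_table(struct table_info *ti, size_t start)
{
    size_t origptr = ti->stackptr;          /* our frames begin here */
    size_t i = start;
    enum verdict v = V_DROP;
    for (;;) {
        const struct entry *e = &ti->entries[i];
        if (e->op == OP_ACCEPT) { v = V_ACCEPT; break; }
        if (e->op == OP_DROP)   { v = V_DROP;   break; }
        if (e->op == OP_JUMP) {
            if (ti->stackptr == ti->stacksize) break;   /* exhausted: drop */
            ti->jumpstack[ti->stackptr++] = i + 1;      /* return address */
            i = e->target;
        } else if (e->op == OP_RETURN) {
            if (ti->stackptr == origptr) break;         /* not our frame: drop */
            i = ti->jumpstack[--ti->stackptr];
        } else {                                        /* OP_REENTER */
            if (do_table(ti, e->target) == V_DROP) break;
            i++;
        }
    }
    ti->stackptr = origptr;                 /* unwind our frames, even on early exit */
    return v;
}
/* Outer chain jumps; the jumped-to chain re-enters the table; the outer chain
 * must still return to the right place afterwards. Constructed ruleset. */
static enum verdict run_model(size_t stacksize)
{
    static const struct entry rules[] = {
        { OP_JUMP, 3 }, { OP_ACCEPT, 0 }, { OP_DROP, 0 },     /* 0..2 */
        { OP_REENTER, 5 }, { OP_RETURN, 0 },                  /* 3..4 */
        { OP_JUMP, 7 }, { OP_ACCEPT, 0 }, { OP_RETURN, 0 },   /* 5..7 */
    };
    struct table_info ti = { rules, {0}, stacksize, 0 };
    return do_table(&ti, 0);
}
```

With two slots the nested traversal uses the slot above the outer one and the packet is accepted; with a single slot the nested JUMP finds the stack exhausted and the packet is dropped rather than the outer return address being overwritten.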