projects / deliverable / linux.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
netfilter: xtables: don't hook tables by default
[deliverable/linux.git] / net / ipv4 / netfilter / arp_tables.c
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 00eed0852dfcf070f406ef689d6d771dbb734a0d..bf081927e06bed507d2ee798eb5bdd21d4d8d761 100644 (file)
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1780,6 +1780,24 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
        return ret;
 }
 
+static void __arpt_unregister_table(struct xt_table *table)
+{
+       struct xt_table_info *private;
+       void *loc_cpu_entry;
+       struct module *table_owner = table->me;
+       struct arpt_entry *iter;
+
+       private = xt_unregister_table(table);
+
+       /* Decrease module usage counts and free resources */
+       loc_cpu_entry = private->entries;
+       xt_entry_foreach(iter, loc_cpu_entry, private->size)
+               cleanup_entry(iter);
+       if (private->number > private->initial_entries)
+               module_put(table_owner);
+       xt_free_table_info(private);
+}
+
 int arpt_register_table(struct net *net,
                        const struct xt_table *table,
                        const struct arpt_replace *repl,
@@ -1810,8 +1828,15 @@ int arpt_register_table(struct net *net,
                goto out_free;
        }
 
+       /* set res now, will see skbs right after nf_register_net_hooks */
        WRITE_ONCE(*res, new_table);
 
+       ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
+       if (ret != 0) {
+               __arpt_unregister_table(new_table);
+               *res = NULL;
+       }
+
        return ret;
 
 out_free:
@@ -1822,20 +1847,8 @@ out_free:
 void arpt_unregister_table(struct net *net, struct xt_table *table,
                           const struct nf_hook_ops *ops)
 {
-       struct xt_table_info *private;
-       void *loc_cpu_entry;
-       struct module *table_owner = table->me;
-       struct arpt_entry *iter;
-
-       private = xt_unregister_table(table);
-
-       /* Decrease module usage counts and free resources */
-       loc_cpu_entry = private->entries;
-       xt_entry_foreach(iter, loc_cpu_entry, private->size)
-               cleanup_entry(iter);
-       if (private->number > private->initial_entries)
-               module_put(table_owner);
-       xt_free_table_info(private);
+       nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+       __arpt_unregister_table(table);
 }
 
 /* The built-in targets: standard (NULL) and error. */
Linux kernel - Deliverables
This page took 0.024968 seconds and 5 git commands to generate.