From patchwork Tue Dec 18 14:07:01 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: netfilter: xtables: remove table restrictions from some modules
Date: Tue, 18 Dec 2012 04:07:01 -0000
From: Jan Engelhardt <jengelh@inai.de>
X-Patchwork-Id: 207126
Message-Id: <1355839621-14206-1-git-send-email-jengelh@inai.de>
To: pablo@netfilter.org
Cc: jhs@mojatatu.com, netfilter-devel@vger.kernel.org

I cannot think of a reason to limit the use of these modules to the
"mangle" table or their hooks. TOS/DSCP is not only used to influence
a routing decision, for example.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>

---
Are there any pitfalls I am not aware of?
Could conntrack be upset if TCPOPTSTRIP/CHECKSUM can execute
at different places?


 net/ipv4/netfilter/ipt_ECN.c   |    1 -
 net/netfilter/xt_CHECKSUM.c    |    1 -
 net/netfilter/xt_CLASSIFY.c    |    3 ---
 net/netfilter/xt_DSCP.c        |    4 ----
 net/netfilter/xt_HL.c          |    2 --
 net/netfilter/xt_TCPOPTSTRIP.c |    2 --
 6 files changed, 13 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 4bf3dc4..5508113 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -119,7 +119,6 @@ static struct xt_target ecn_tg_reg __read_mostly = {
 	.family		= NFPROTO_IPV4,
 	.target		= ecn_tg,
 	.targetsize	= sizeof(struct ipt_ECN_info),
-	.table		= "mangle",
 	.checkentry	= ecn_tg_check,
 	.me		= THIS_MODULE,
 };
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index 0f642ef..153d5c3 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -51,7 +51,6 @@ static struct xt_target checksum_tg_reg __read_mostly = {
 	.family		= NFPROTO_UNSPEC,
 	.target		= checksum_tg,
 	.targetsize	= sizeof(struct xt_CHECKSUM_info),
-	.table		= "mangle",
 	.checkentry	= checksum_tg_check,
 	.me		= THIS_MODULE,
 };
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index af9c4da..c988093 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -42,8 +42,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
 		.name       = "CLASSIFY",
 		.revision   = 0,
 		.family     = NFPROTO_UNSPEC,
-		.hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
-		              (1 << NF_INET_POST_ROUTING),
 		.target     = classify_tg,
 		.targetsize = sizeof(struct xt_classify_target_info),
 		.me         = THIS_MODULE,
@@ -52,7 +50,6 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
 		.name       = "CLASSIFY",
 		.revision   = 0,
 		.family     = NFPROTO_ARP,
-		.hooks      = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD),
 		.target     = classify_tg,
 		.targetsize = sizeof(struct xt_classify_target_info),
 		.me         = THIS_MODULE,
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index ae82716..0a9ff64 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -118,7 +118,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
 		.checkentry	= dscp_tg_check,
 		.target		= dscp_tg,
 		.targetsize	= sizeof(struct xt_DSCP_info),
-		.table		= "mangle",
 		.me		= THIS_MODULE,
 	},
 	{
@@ -127,14 +126,12 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
 		.checkentry	= dscp_tg_check,
 		.target		= dscp_tg6,
 		.targetsize	= sizeof(struct xt_DSCP_info),
-		.table		= "mangle",
 		.me		= THIS_MODULE,
 	},
 	{
 		.name		= "TOS",
 		.revision	= 1,
 		.family		= NFPROTO_IPV4,
-		.table		= "mangle",
 		.target		= tos_tg,
 		.targetsize	= sizeof(struct xt_tos_target_info),
 		.me		= THIS_MODULE,
@@ -143,7 +140,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
 		.name		= "TOS",
 		.revision	= 1,
 		.family		= NFPROTO_IPV6,
-		.table		= "mangle",
 		.target		= tos_tg6,
 		.targetsize	= sizeof(struct xt_tos_target_info),
 		.me		= THIS_MODULE,
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 1535e87..4da5db3 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -137,7 +137,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV4,
 		.target     = ttl_tg,
 		.targetsize = sizeof(struct ipt_TTL_info),
-		.table      = "mangle",
 		.checkentry = ttl_tg_check,
 		.me         = THIS_MODULE,
 	},
@@ -147,7 +146,6 @@ static struct xt_target hl_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV6,
 		.target     = hl_tg6,
 		.targetsize = sizeof(struct ip6t_HL_info),
-		.table      = "mangle",
 		.checkentry = hl_tg6_check,
 		.me         = THIS_MODULE,
 	},
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 25fd1c4..b42c02e 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -103,7 +103,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
 	{
 		.name       = "TCPOPTSTRIP",
 		.family     = NFPROTO_IPV4,
-		.table      = "mangle",
 		.proto      = IPPROTO_TCP,
 		.target     = tcpoptstrip_tg4,
 		.targetsize = sizeof(struct xt_tcpoptstrip_target_info),
@@ -113,7 +112,6 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = {
 	{
 		.name       = "TCPOPTSTRIP",
 		.family     = NFPROTO_IPV6,
-		.table      = "mangle",
 		.proto      = IPPROTO_TCP,
 		.target     = tcpoptstrip_tg6,
 		.targetsize = sizeof(struct xt_tcpoptstrip_target_info),