SAFE public projects git trees. - safe/jmp/linux-2.6/commit

author	Jan Engelhardt <jengelh@medozas.de>
	Mon, 19 Apr 2010 14:05:10 +0000 (16:05 +0200)
committer	Patrick McHardy <kaber@trash.net>
	Mon, 19 Apr 2010 14:05:10 +0000 (16:05 +0200)
commit	f3c5c1bfd430858d3a05436f82c51e53104feb6b
tree	ada5b570b66e141e79fdb256f69e2541a3d30c04	tree \| snapshot
parent	e281b19897dc21c1071802808d461627d747a877	commit \| diff

netfilter: xtables: make ip_tables reentrant

Currently, the table traverser stores return addresses in the ruleset
itself (struct ip6t_entry->comefrom). This has a well-known drawback:
the jumpstack is overwritten on reentry, making it necessary for
targets to return absolute verdicts. Also, the ruleset (which might
be heavy memory-wise) needs to be replicated for each CPU that can
possibly invoke ip6t_do_table.

This patch decouples the jumpstack from struct ip6t_entry and instead
puts it into xt_table_info. Not being restricted by 'comefrom'
anymore, we can set up a stack as needed. By default, there is room
allocated for two entries into the traverser.

arp_tables is not touched though, because there is just one/two
modules and further patches seek to collapse the table traverser
anyhow.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

include/linux/netfilter/x_tables.h		diff \| blob \| history
net/ipv4/netfilter/arp_tables.c		diff \| blob \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history
net/netfilter/x_tables.c		diff \| blob \| history