* [NETFILTER 00/13]: Netfilter patches for 2.6.17
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
Hi Dave,
these are my netfilter patches for 2.6.17. The last patch (ctnetlink:
avoid unneccessary event message generation) depends on the netlink
patch I sent yesterday. Please apply on top of that patch.
include/linux/netfilter/nfnetlink.h | 1
include/linux/netfilter/x_tables.h | 37 ++++-
include/linux/netfilter/xt_policy.h | 58 ++++++++
include/linux/netfilter_ipv4/ipt_policy.h | 67 ++-------
include/linux/netfilter_ipv6/ip6t_policy.h | 67 ++-------
include/net/ipv6.h | 12 +
net/ipv4/netfilter/Kconfig | 10 -
net/ipv4/netfilter/Makefile | 1
net/ipv4/netfilter/arp_tables.c | 19 +-
net/ipv4/netfilter/arpt_mangle.c | 23 +--
net/ipv4/netfilter/ip_conntrack_netlink.c | 7
net/ipv4/netfilter/ip_nat_helper_pptp.c | 8 -
net/ipv4/netfilter/ip_nat_rule.c | 45 +-----
net/ipv4/netfilter/ip_tables.c | 67 +++++----
net/ipv4/netfilter/ipt_CLUSTERIP.c | 27 +--
net/ipv4/netfilter/ipt_DSCP.c | 17 --
net/ipv4/netfilter/ipt_ECN.c | 18 --
net/ipv4/netfilter/ipt_LOG.c | 11 -
net/ipv4/netfilter/ipt_MASQUERADE.c | 18 --
net/ipv4/netfilter/ipt_NETMAP.c | 19 --
net/ipv4/netfilter/ipt_REDIRECT.c | 17 --
net/ipv4/netfilter/ipt_REJECT.c | 24 ---
net/ipv4/netfilter/ipt_SAME.c | 19 --
net/ipv4/netfilter/ipt_TCPMSS.c | 16 --
net/ipv4/netfilter/ipt_TOS.c | 17 --
net/ipv4/netfilter/ipt_TTL.c | 25 ---
net/ipv4/netfilter/ipt_ULOG.c | 12 -
net/ipv4/netfilter/ipt_addrtype.c | 20 --
net/ipv4/netfilter/ipt_ah.c | 25 +--
net/ipv4/netfilter/ipt_dscp.c | 19 --
net/ipv4/netfilter/ipt_ecn.c | 14 -
net/ipv4/netfilter/ipt_esp.c | 25 +--
net/ipv4/netfilter/ipt_hashlimit.c | 21 +-
net/ipv4/netfilter/ipt_iprange.c | 28 ---
net/ipv4/netfilter/ipt_multiport.c | 31 ----
net/ipv4/netfilter/ipt_owner.c | 21 --
net/ipv4/netfilter/ipt_policy.c | 182 -------------------------
net/ipv4/netfilter/ipt_recent.c | 22 +--
net/ipv4/netfilter/ipt_tos.c | 18 --
net/ipv4/netfilter/ipt_ttl.c | 19 --
net/ipv6/netfilter/Kconfig | 10 -
net/ipv6/netfilter/Makefile | 1
net/ipv6/netfilter/ip6_tables.c | 85 +++++------
net/ipv6/netfilter/ip6t_HL.c | 19 --
net/ipv6/netfilter/ip6t_LOG.c | 11 -
net/ipv6/netfilter/ip6t_REJECT.c | 25 ---
net/ipv6/netfilter/ip6t_ah.c | 12 -
net/ipv6/netfilter/ip6t_dst.c | 13 -
net/ipv6/netfilter/ip6t_esp.c | 12 -
net/ipv6/netfilter/ip6t_eui64.c | 27 ---
net/ipv6/netfilter/ip6t_frag.c | 13 -
net/ipv6/netfilter/ip6t_hbh.c | 13 -
net/ipv6/netfilter/ip6t_hl.c | 22 ---
net/ipv6/netfilter/ip6t_ipv6header.c | 8 -
net/ipv6/netfilter/ip6t_multiport.c | 11 -
net/ipv6/netfilter/ip6t_owner.c | 18 --
net/ipv6/netfilter/ip6t_policy.c | 188 --------------------------
net/ipv6/netfilter/ip6t_rt.c | 12 -
net/ipv6/netfilter/nf_conntrack_reasm.c | 8 -
net/netfilter/Kconfig | 10 +
net/netfilter/Makefile | 1
net/netfilter/nf_conntrack_netlink.c | 7
net/netfilter/nfnetlink.c | 6
net/netfilter/x_tables.c | 72 +++++++++
net/netfilter/xt_CLASSIFY.c | 42 +----
net/netfilter/xt_CONNMARK.c | 27 +--
net/netfilter/xt_MARK.c | 37 +----
net/netfilter/xt_NFQUEUE.c | 24 ---
net/netfilter/xt_NOTRACK.c | 45 +-----
net/netfilter/xt_comment.c | 18 --
net/netfilter/xt_connbytes.c | 15 +-
net/netfilter/xt_connmark.c | 28 +--
net/netfilter/xt_conntrack.c | 18 --
net/netfilter/xt_dccp.c | 45 +-----
net/netfilter/xt_helper.c | 18 +-
net/netfilter/xt_length.c | 24 ---
net/netfilter/xt_limit.c | 7
net/netfilter/xt_mac.c | 34 +---
net/netfilter/xt_mark.c | 16 +-
net/netfilter/xt_physdev.c | 14 +
net/netfilter/xt_pkttype.c | 23 ---
net/netfilter/xt_policy.c | 209 +++++++++++++++++++++++++++++
net/netfilter/xt_realm.c | 27 ---
net/netfilter/xt_sctp.c | 66 ++-------
net/netfilter/xt_state.c | 21 --
net/netfilter/xt_string.c | 10 -
net/netfilter/xt_tcpmss.c | 52 -------
net/netfilter/xt_tcpudp.c | 112 +++------------
net/sched/act_ipt.c | 10 -
89 files changed, 1003 insertions(+), 1650 deletions(-)
Holger Eitzenberger:
[NETFILTER]: Fix CID offset bug in PPTP NAT helper debug message
Patrick McHardy:
[NETFILTER]: xt_tables: add centralized error checking
[NETFILTER]: Change {ip,ip6,arp}_tables to use centralized error checking
[NETFILTER]: Convert ip_tables matches/targets to centralized error checking
[NETFILTER]: Convert arp_tables targets to centralized error checking
[NETFILTER]: Convert ip6_tables matches/targets to centralized error checking
[NETFILTER]: Convert x_tables matches/targets to centralized error checking
[NETFILTER]: x_tables: pass registered match/target data to match/target functions
[NETFILTER]: x_tables: add xt_{match,target} arguments to match/target functions
[NETFILTER]: Move ip6_masked_addrcmp to include/net/ipv6.h
[NETFILTER]: x_tables: replace IPv4/IPv6 policy match by address family independant version
[NETFILTER]: ctnetlink: avoid unneccessary event message generation
Yasuyuki Kozakai:
[NETFILTER]: nf_conntrack: use ipv6_addr_equal in nf_ct_reasm
* [NETFILTER 01/13]: Fix CID offset bug in PPTP NAT helper debug message
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: Fix CID offset bug in PPTP NAT helper debug message
The recent (kernel 2.6.15.1) fix for PPTP NAT helper introduced a
bug - which only appears if DEBUGP is enabled though.
The calculation of the CID offset into a PPTP request struct is
not correct, so that at least the correct CID is not displayed
if DEBUGP is enabled.
This patch corrects CID offset calculation and introduces a #define
for that.
Signed-off-by: Holger Eitzenberger <heitzenberger@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit d4f037506a5832b329930b927309e911fd42ee4d
tree c36fe915a018b64aa9db28c72a50ff53fa408e91
parent 43fa6235163124c797a94a4fc1703d38335309a7
author Holger Eitzenberger <heitzenberger@astaro.com> Thu, 16 Feb 2006 14:16:59 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:16:59 +0100
net/ipv4/netfilter/ip_nat_helper_pptp.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/ip_nat_helper_pptp.c b/net/ipv4/netfilter/ip_nat_helper_pptp.c
index ac00489..b9c016c 100644
--- a/net/ipv4/netfilter/ip_nat_helper_pptp.c
+++ b/net/ipv4/netfilter/ip_nat_helper_pptp.c
@@ -52,6 +52,8 @@
#define IP_NAT_PPTP_VERSION "3.0"
+#define REQ_CID(req, off) (*(u_int16_t *)((char *)(req) + (off)))
+
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
MODULE_DESCRIPTION("Netfilter NAT helper module for PPTP");
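Review bot: REQ_CID() forms a u_int16_t pointer from an arbitrary byte offset and dereferences it, so if cid_off is ever odd the DEBUGP path takes an unaligned load; harmless on x86, a trap on strict-alignment architectures. Since this is debug-only output, a memcpy() or get_unaligned() read would be cheaper than finding out the hard way. The cast through `char *` is the actual fix: the old `*(u_int16_t *)pptpReq + cid_off` dereferenced first and then added cid_off to the value, not to the pointer.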
@@ -198,7 +200,7 @@ pptp_outbound_pkt(struct sk_buff **pskb,
/* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass
* down to here */
DEBUGP("altering call id from 0x%04x to 0x%04x\n",
- ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_callid));
+ ntohs(REQ_CID(pptpReq, cid_off)), ntohs(new_callid));
/* mangle packet */
if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
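Review bot: scope check: only the DEBUGP argument changes in this hunk; the ip_nat_mangle_tcp_packet() call that follows computes its own offset from cid_off and the header sizes and is untouched, which backs the commit message's claim that the bug was confined to the debug message. Nit: the same `DEBUGP("altering call id from 0x%04x to 0x%04x\n", ntohs(REQ_CID(...)), ntohs(...))` pair now appears three times in this file; a tiny helper would keep them identical.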
@@ -342,7 +344,7 @@ pptp_inbound_pkt(struct sk_buff **pskb,
/* mangle packet */
DEBUGP("altering peer call id from 0x%04x to 0x%04x\n",
- ntohs(*(u_int16_t *)pptpReq + pcid_off), ntohs(new_pcid));
+ ntohs(REQ_CID(pptpReq, pcid_off)), ntohs(new_pcid));
if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
pcid_off + sizeof(struct pptp_pkt_hdr) +
@@ -353,7 +355,7 @@ pptp_inbound_pkt(struct sk_buff **pskb,
if (new_cid) {
DEBUGP("altering call id from 0x%04x to 0x%04x\n",
- ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_cid));
+ ntohs(REQ_CID(pptpReq, cid_off)), ntohs(new_cid));
if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
cid_off + sizeof(struct pptp_pkt_hdr) +
sizeof(struct PptpControlHeader),
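The precedence error that patch 01 corrects, shown as an added example that is not part of the patch or of the kernel's PPTP helper: a constructed 8-byte request buffer with the call ID at byte offset 4 (not the layout of the kernel's PptpOutCallRequest), the pre-patch expression, the patch's REQ_CID() macro, and a memcpy()-based read that also tolerates odd offsets. The names demo_req, DEMO_CID_OFF, buggy_cid, fixed_cid and safe_cid are this example's own.

```c
/* Added example, not from the patch: the operator-precedence bug fixed by
 * REQ_CID(), reproduced on a constructed buffer. demo_req is not the
 * kernel's PptpOutCallRequest layout; the call ID is placed at byte 4. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define DEMO_CID_OFF 4

/* Constructed request: a leading 16-bit field, 2 bytes of padding, then the
 * call ID 0xabcd in network byte order. Aligned so the casts below are
 * legal on the host. */
static const unsigned char demo_req[8] __attribute__((aligned(4))) = {
    0x00, 0x01,
    0x00, 0x00,
    0xab, 0xcd,
    0x00, 0x00,
};

/* The pre-patch expression: the cast binds tighter than '+', so this loads
 * the first 16-bit word and adds cid_off to its VALUE. */
static uint16_t buggy_cid(const void *req, size_t cid_off)
{
    return ntohs((uint16_t)(*(const uint16_t *)req + cid_off));
}

/* The patch's macro: advance the pointer by cid_off bytes, then load. */
#define REQ_CID(req, off) (*(const uint16_t *)((const char *)(req) + (off)))
static uint16_t fixed_cid(const void *req, size_t cid_off)
{
    return ntohs(REQ_CID(req, cid_off));
}

/* Hardened read: memcpy() never forms a misaligned uint16_t pointer, so an
 * odd cid_off is safe on strict-alignment CPUs as well. */
static uint16_t safe_cid(const void *req, size_t cid_off)
{
    uint16_t v;
    memcpy(&v, (const char *)req + cid_off, sizeof(v));
    return ntohs(v);
}

int main(void)
{
    printf("buggy 0x%04x  fixed 0x%04x  safe 0x%04x\n",
           buggy_cid(demo_req, DEMO_CID_OFF),
           fixed_cid(demo_req, DEMO_CID_OFF),
           safe_cid(demo_req, DEMO_CID_OFF));
    return 0;
}
```

buggy_cid() returns a value that depends on host byte order but is never the call ID, which is exactly why the bug only showed up as a wrong number in the debug output; the mangle path never used that expression.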
* [NETFILTER 02/13]: nf_conntrack: use ipv6_addr_equal in nf_ct_reasm
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: nf_conntrack: use ipv6_addr_equal in nf_ct_reasm
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit a99f01294a6531c0511ff84bc735e92e12e88c99
tree e0f40422971b69fa0780368c27934f557d12d820
parent d4f037506a5832b329930b927309e911fd42ee4d
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Thu, 16 Feb 2006 14:17:00 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:00 +0100
net/ipv6/netfilter/nf_conntrack_reasm.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 84ef9a1..3e31903 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -313,8 +313,8 @@ static struct nf_ct_frag6_queue *nf_ct_f
#ifdef CONFIG_SMP
hlist_for_each_entry(fq, n, &nf_ct_frag6_hash[hash], list) {
if (fq->id == fq_in->id &&
- !ipv6_addr_cmp(&fq_in->saddr, &fq->saddr) &&
- !ipv6_addr_cmp(&fq_in->daddr, &fq->daddr)) {
+ ipv6_addr_equal(&fq_in->saddr, &fq->saddr) &&
+ ipv6_addr_equal(&fq_in->daddr, &fq->daddr)) {
atomic_inc(&fq->refcnt);
write_unlock(&nf_ct_frag6_lock);
fq_in->last_in |= COMPLETE;
@@ -376,8 +376,8 @@ fq_find(u32 id, struct in6_addr *src, st
read_lock(&nf_ct_frag6_lock);
hlist_for_each_entry(fq, n, &nf_ct_frag6_hash[hash], list) {
if (fq->id == id &&
- !ipv6_addr_cmp(src, &fq->saddr) &&
- !ipv6_addr_cmp(dst, &fq->daddr)) {
+ ipv6_addr_equal(src, &fq->saddr) &&
+ ipv6_addr_equal(dst, &fq->daddr)) {
atomic_inc(&fq->refcnt);
read_unlock(&nf_ct_frag6_lock);
return fq;
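Review bot: no behaviour change here, ipv6_addr_equal() is the readable spelling of !ipv6_addr_cmp(); fine. The three-part condition (fq->id, saddr, daddr) is now written out twice, here under the read lock and in the CONFIG_SMP re-check under the write lock above, so a small static helper would keep the two lookups from drifting apart, which matters because the SMP re-check is what catches a queue inserted by another CPU in between.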
* [NETFILTER 03/13]: xt_tables: add centralized error checking
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: xt_tables: add centralized error checking
Introduce new functions for common match/target checks (private data
size, valid hooks, valid tables and valid protocols) to get more consistent
error reporting and to avoid each module duplicating them.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit ef8e3f5ae821c8023c72faf255f2256a5326d723
tree 1539653b16ea0d3c4cc7ec0ae1c5223807e575dc
parent a99f01294a6531c0511ff84bc735e92e12e88c99
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:01 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:01 +0100
include/linux/netfilter/x_tables.h | 23 ++++++++++--
net/netfilter/x_tables.c | 72 +++++++++++++++++++++++++++++++++---
2 files changed, 84 insertions(+), 11 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 6500d4e..b9c37e1 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -92,8 +92,6 @@ struct xt_match
const char name[XT_FUNCTION_MAXNAMELEN-1];
- u_int8_t revision;
-
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.6.9, as this must now handle
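Review bot: moving `revision` from just after `name` to the end of struct xt_match silently changes the structure layout; that is fine for registrations using designated initializers, as all the in-tree ones touched by this series do, but it is an ABI break for any out-of-tree match built against the old header, and the commit message does not mention it.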
@@ -120,6 +118,12 @@ struct xt_match
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
+
+ char *table;
+ unsigned int matchsize;
+ unsigned int hooks;
+ unsigned short proto;
+ u_int8_t revision;
};
/* Registration hooks for targets. */
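Review bot: `table` should be `const char *`: every registration later in the series points it at a string literal and xt_check_match() only hands it to strcmp(). The new fields also need a comment stating their sentinels: table == NULL, hooks == 0 and proto == 0 mean "no restriction", but matchsize == 0 is not a wildcard, it means exactly zero bytes of private data, so any match with private data that is not converted to set .matchsize will fail xt_check_match() with "invalid size" from now on.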
@@ -129,8 +133,6 @@ struct xt_target
const char name[XT_FUNCTION_MAXNAMELEN-1];
- u_int8_t revision;
-
/* Returns verdict. Argument order changed since 2.6.9, as this
must now handle non-linear skbs, using skb_copy_bits and
skb_ip_make_writable. */
@@ -156,6 +158,12 @@ struct xt_target
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
+
+ char *table;
+ unsigned int targetsize;
+ unsigned int hooks;
+ unsigned short proto;
+ u_int8_t revision;
};
/* Furniture shopping... */
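Review bot: same comments as for struct xt_match above: `table` wants to be `const char *`, and the zero/NULL sentinels for table, hooks and proto versus the always-enforced targetsize deserve a comment so that authors of new targets do not learn about it from the "invalid size" printk.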
@@ -207,6 +215,13 @@ extern void xt_unregister_target(int af,
extern int xt_register_match(int af, struct xt_match *target);
extern void xt_unregister_match(int af, struct xt_match *target);
+extern int xt_check_match(const struct xt_match *match, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook,
+ unsigned short proto, int inv_proto);
+extern int xt_check_target(const struct xt_target *target, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook,
+ unsigned short proto, int inv_proto);
+
extern int xt_register_table(struct xt_table *table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
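Review bot: the parameter is named `hook` in both prototypes but `hook_mask` in the definitions in x_tables.c, and it is a mask (the callers pass e->comefrom or hookmask); rename it hook_mask here so the header documents the contract. `size` could likewise be documented as the caller's already-computed private data size, i.e. u.match_size minus the header.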
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index d7817af..750b928 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -52,6 +52,12 @@ enum {
MATCH,
};
+static const char *xt_prefix[NPROTO] = {
+ [AF_INET] = "ip",
+ [AF_INET6] = "ip6",
+ [NF_ARP] = "arp",
+};
+
/* Registration hooks for targets. */
int
xt_register_target(int af, struct xt_target *target)
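Review bot: xt_prefix[] is now indexed by `family` in xt_check_match()/xt_check_target() with no range or NULL check, and only AF_INET, AF_INET6 and NF_ARP have entries; a caller passing any other family would hand a NULL pointer to printk's %s. The callers in this series only pass those three, but a BUG_ON(family >= NPROTO) or a fallback string in the printk would make the helpers safe for the next family to be added.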
@@ -158,18 +164,12 @@ struct xt_target *xt_find_target(int af,
}
EXPORT_SYMBOL(xt_find_target);
-static const char *xt_prefix[NPROTO] = {
- [AF_INET] = "ipt_%s",
- [AF_INET6] = "ip6t_%s",
- [NF_ARP] = "arpt_%s",
-};
-
struct xt_target *xt_request_find_target(int af, const char *name, u8 revision)
{
struct xt_target *target;
target = try_then_request_module(xt_find_target(af, name, revision),
- xt_prefix[af], name);
+ "%st_%s", xt_prefix[af], name);
if (IS_ERR(target) || !target)
return NULL;
return target;
@@ -237,6 +237,64 @@ int xt_find_revision(int af, const char
}
EXPORT_SYMBOL_GPL(xt_find_revision);
+int xt_check_match(const struct xt_match *match, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook_mask,
+ unsigned short proto, int inv_proto)
+{
+ if (XT_ALIGN(match->matchsize) != size) {
+ printk("%s_tables: %s match: invalid size %Zu != %u\n",
+ xt_prefix[family], match->name,
+ XT_ALIGN(match->matchsize), size);
+ return -EINVAL;
+ }
+ if (match->table && strcmp(match->table, table)) {
+ printk("%s_tables: %s match: only valid in %s table, not %s\n",
+ xt_prefix[family], match->name, match->table, table);
+ return -EINVAL;
+ }
+ if (match->hooks && (hook_mask & ~match->hooks) != 0) {
+ printk("%s_tables: %s match: bad hook_mask %u\n",
+ xt_prefix[family], match->name, hook_mask);
+ return -EINVAL;
+ }
+ if (match->proto && (match->proto != proto || inv_proto)) {
+ printk("%s_tables: %s match: only valid for protocol %u\n",
+ xt_prefix[family], match->name, match->proto);
+ return -EINVAL;
+ }
+ return 0;
+}
+EXPORT_SYMBOL_GPL(xt_check_match);
+
+int xt_check_target(const struct xt_target *target, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook_mask,
+ unsigned short proto, int inv_proto)
+{
+ if (XT_ALIGN(target->targetsize) != size) {
+ printk("%s_tables: %s target: invalid size %Zu != %u\n",
+ xt_prefix[family], target->name,
+ XT_ALIGN(target->targetsize), size);
+ return -EINVAL;
+ }
+ if (target->table && strcmp(target->table, table)) {
+ printk("%s_tables: %s target: only valid in %s table, not %s\n",
+ xt_prefix[family], target->name, target->table, table);
+ return -EINVAL;
+ }
+ if (target->hooks && (hook_mask & ~target->hooks) != 0) {
+ printk("%s_tables: %s target: bad hook_mask %u\n",
+ xt_prefix[family], target->name, hook_mask);
+ return -EINVAL;
+ }
+ if (target->proto && (target->proto != proto || inv_proto)) {
+ printk("%s_tables: %s target: only valid for protocol %u\n",
+ xt_prefix[family], target->name, target->proto);
+ return -EINVAL;
+ }
+ return 0;
+}
+EXPORT_SYMBOL_GPL(xt_check_target);
+
struct xt_table_info *xt_alloc_table_info(unsigned int size)
{
struct xt_table_info *newinfo;
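Review bot: the size test is the security-relevant part, and the ordering in the next patch is what makes it effective: xt_check_match()/xt_check_target() run before the module's checkentry(), so a userspace match_size/target_size smaller than the module's private struct is now rejected centrally rather than relying on each module to remember its IPT_ALIGN(sizeof(...)) comparison, which closes the out-of-bounds read of matchinfo/targinfo in any module that forgot it. Three nits: the printk()s carry no KERN_ level while the per-module checks they replace used KERN_WARNING or DEBUGP; xt_check_match() and xt_check_target() are textually identical apart from "match"/"target", so one static helper taking name, kind, size, table, hooks and proto would halve this; and `bad hook_mask %u` prints a bitmask in decimal, where %x is what a reader will compare against 1 << NF_IP_*.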
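A userspace model of the four checks centralized in xt_check_match()/xt_check_target(), as an added example that is not kernel code and not part of the patch: it reproduces the order and the sentinel semantics (NULL table, zero hooks and zero proto mean unrestricted, the data size is always compared) and exercises them with constructed registrations shaped like the converted icmp match and the SNAT/DNAT targets from patch 05, including a DNAT entry registered for PRE_ROUTING only to show what its OUTPUT-chain rules would get. The hook numbers are those of linux/netfilter_ipv4.h and IPPROTO_ICMP is 1; the demo_* names, struct layouts and sizes are this example's assumptions.

```c
/* Added example, not kernel code: userspace model of the checks that
 * xt_check_match()/xt_check_target() centralize. All demo_* names and the
 * sizes below are this example's own assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same rounding as the kernel's XT_ALIGN(): up to the alignment of u64. */
#define XT_ALIGN(s) (((s) + (__alignof__(uint64_t) - 1)) & ~(__alignof__(uint64_t) - 1))

/* IPv4 hook numbers as in linux/netfilter_ipv4.h. */
enum { NF_IP_PRE_ROUTING = 0, NF_IP_LOCAL_IN, NF_IP_FORWARD,
       NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING };
#define IPPROTO_ICMP_NUM 1

/* The registration fields the central checks look at; the same shape is
 * used here for matches and targets since the two checks are identical. */
struct demo_xt {
    const char *name;
    const char *table;      /* NULL: usable in any table */
    unsigned int datasize;  /* private data size, always enforced */
    unsigned int hooks;     /* 0: usable from any hook */
    unsigned short proto;   /* 0: any L4 protocol */
};

/* What userspace supplied for one rule entry. */
struct demo_rule {
    unsigned int size;      /* u.match_size minus the header, as the caller computes it */
    const char *table;
    unsigned int hook_mask; /* hooks this entry is reachable from (e->comefrom) */
    unsigned short proto;
    int inv_proto;          /* "! -p proto" */
};

enum demo_err { DEMO_OK = 0, DEMO_BAD_SIZE, DEMO_BAD_TABLE, DEMO_BAD_HOOK, DEMO_BAD_PROTO };

/* Same tests, same order as the kernel helper; reports which one failed. */
static enum demo_err demo_check(const struct demo_xt *x, const struct demo_rule *r)
{
    if (XT_ALIGN(x->datasize) != r->size)
        return DEMO_BAD_SIZE;  /* too small: checkentry() would read past the blob */
    if (x->table && strcmp(x->table, r->table))
        return DEMO_BAD_TABLE;
    if (x->hooks && (r->hook_mask & ~x->hooks) != 0)
        return DEMO_BAD_HOOK;  /* reachable from a hook the module does not allow */
    if (x->proto && (x->proto != r->proto || r->inv_proto))
        return DEMO_BAD_PROTO; /* wrong protocol, or protocol test inverted */
    return DEMO_OK;
}

/* Constructed registrations shaped like the converted modules. */
static const struct demo_xt demo_icmp = { "icmp", NULL, 4, 0, IPPROTO_ICMP_NUM };
static const struct demo_xt demo_snat = { "SNAT", "nat", 24, 1 << NF_IP_POST_ROUTING, 0 };
static const struct demo_xt demo_dnat = { "DNAT", "nat", 24,
    (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT), 0 };
/* DNAT as registered by patch 05 of this series: PRE_ROUTING only. */
static const struct demo_xt demo_dnat_patched = { "DNAT", "nat", 24, 1 << NF_IP_PRE_ROUTING, 0 };

/* An icmp match in the filter table's INPUT chain with the given blob size,
 * protocol and inversion flag. */
static enum demo_err demo_icmp_rule(unsigned int size, unsigned short proto, int inv)
{
    struct demo_rule r = { size, "filter", 1u << NF_IP_LOCAL_IN, proto, inv };
    return demo_check(&demo_icmp, &r);
}

/* A NAT target rule with a correctly sized blob in the given table and hook. */
static enum demo_err demo_nat_rule(const struct demo_xt *x, const char *table, unsigned int hook)
{
    struct demo_rule r = { (unsigned int)XT_ALIGN(x->datasize), table, 1u << hook, 0, 0 };
    return demo_check(x, &r);
}

int main(void)
{
    printf("icmp with 2-byte blob:       %d\n", demo_icmp_rule(2, IPPROTO_ICMP_NUM, 0));
    printf("icmp with '! -p icmp':       %d\n",
           demo_icmp_rule((unsigned int)XT_ALIGN(demo_icmp.datasize), IPPROTO_ICMP_NUM, 1));
    printf("DNAT in OUTPUT, both hooks:  %d\n", demo_nat_rule(&demo_dnat, "nat", NF_IP_LOCAL_OUT));
    printf("DNAT in OUTPUT, as patched:  %d\n", demo_nat_rule(&demo_dnat_patched, "nat", NF_IP_LOCAL_OUT));
    return 0;
}
```

The size test is the one a module author cannot opt out of: a rule whose blob is shorter than the registered struct is rejected before checkentry() ever dereferences it, which is the class of out-of-bounds read the per-module targinfosize/matchsize tests used to guard against one file at a time.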
* [NETFILTER 04/13]: Change {ip, ip6, arp}_tables to use centralized error checking
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: Change {ip,ip6,arp}_tables to use centralized error checking
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 21596d6b3f1a5d828a9dbe4e3db8430898a97f17
tree d4f3cd7a721c4260e614939bdfe8db92b1d5548b
parent ef8e3f5ae821c8023c72faf255f2256a5326d723
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:02 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:02 +0100
net/ipv4/netfilter/arp_tables.c | 11 ++++++++---
net/ipv4/netfilter/ip_tables.c | 26 +++++++++++++++++++++-----
net/ipv6/netfilter/ip6_tables.c | 26 +++++++++++++++++++++-----
3 files changed, 50 insertions(+), 13 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index dd1048b..f68eb67 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -480,6 +480,11 @@ static inline int check_entry(struct arp
}
t->u.kernel.target = target;
+ ret = xt_check_target(target, NF_ARP, t->u.target_size - sizeof(*t),
+ name, e->comefrom, 0, 0);
+ if (ret)
+ goto err;
+
if (t->u.kernel.target == &arpt_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
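Review bot: passing proto = 0 and inv_proto = 0 is right for arp_tables, which has no protocol field, but it means an ARP target that sets .proto would be rejected for every rule; worth a one-line comment here. The ordering is good: xt_check_target() now validates target_size before standard_check() reads targ->verdict.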
@@ -490,16 +495,16 @@ static inline int check_entry(struct arp
t->u.target_size
- sizeof(*t),
e->comefrom)) {
- module_put(t->u.kernel.target->me);
duprintf("arp_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
ret = -EINVAL;
- goto out;
+ goto err;
}
(*i)++;
return 0;
-
+err:
+ module_put(t->u.kernel.target->me);
out:
return ret;
}
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 16f47c6..f884ca2 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -508,6 +508,7 @@ check_match(struct ipt_entry_match *m,
unsigned int *i)
{
struct ipt_match *match;
+ int ret;
match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
m->u.user.revision),
@@ -518,18 +519,27 @@ check_match(struct ipt_entry_match *m,
}
m->u.kernel.match = match;
+ ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
+ name, hookmask, ip->proto,
+ ip->invflags & IPT_INV_PROTO);
+ if (ret)
+ goto err;
+
if (m->u.kernel.match->checkentry
&& !m->u.kernel.match->checkentry(name, ip, m->data,
m->u.match_size - sizeof(*m),
hookmask)) {
- module_put(m->u.kernel.match->me);
duprintf("ip_tables: check failed for `%s'.\n",
m->u.kernel.match->name);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err;
}
(*i)++;
return 0;
+err:
+ module_put(m->u.kernel.match->me);
+ return ret;
}
static struct ipt_target ipt_standard_target;
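Review bot: error reporting is now uneven: a failure in xt_check_match() produces an unconditional printk(), while a failure in the module's checkentry() on the lines below is only visible through duprintf(), so a user loading a bad rule gets a kernel message for one class of problem and silence for the other; the two paths should log at the same level. Passing `ip->invflags & IPT_INV_PROTO` for the `int inv_proto` argument is fine since the callee only tests it for non-zero, but a `!!` would make that explicit.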
@@ -565,6 +575,12 @@ check_entry(struct ipt_entry *e, const c
}
t->u.kernel.target = target;
+ ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
+ name, e->comefrom, e->ip.proto,
+ e->ip.invflags & IPT_INV_PROTO);
+ if (ret)
+ goto err;
+
if (t->u.kernel.target == &ipt_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
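Review bot: `goto err` on xt_check_target() failure falls through the err: label into cleanup_matches:, which is correct here because every match has already been checked and counted in j by this point; a short comment at the err: label would make the fall-through survive the next refactor (the arp_tables version has no matches and goes to out: instead, so the two functions are not interchangeable).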
@@ -575,16 +591,16 @@ check_entry(struct ipt_entry *e, const c
t->u.target_size
- sizeof(*t),
e->comefrom)) {
- module_put(t->u.kernel.target->me);
duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
ret = -EINVAL;
- goto cleanup_matches;
+ goto err;
}
(*i)++;
return 0;
-
+ err:
+ module_put(t->u.kernel.target->me);
cleanup_matches:
IPT_MATCH_ITERATE(e, cleanup_match, &j);
return ret;
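Review bot: style: the new label is written ` err:` with a leading space while `cleanup_matches:` directly below it starts in column one; make the two consistent.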
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 74ff56c..3d2fefe 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -575,6 +575,7 @@ check_match(struct ip6t_entry_match *m,
unsigned int *i)
{
struct ip6t_match *match;
+ int ret;
match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
m->u.user.revision),
@@ -585,18 +586,27 @@ check_match(struct ip6t_entry_match *m,
}
m->u.kernel.match = match;
+ ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
+ name, hookmask, ipv6->proto,
+ ipv6->invflags & IP6T_INV_PROTO);
+ if (ret)
+ goto err;
+
if (m->u.kernel.match->checkentry
&& !m->u.kernel.match->checkentry(name, ipv6, m->data,
m->u.match_size - sizeof(*m),
hookmask)) {
- module_put(m->u.kernel.match->me);
duprintf("ip_tables: check failed for `%s'.\n",
m->u.kernel.match->name);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err;
}
(*i)++;
return 0;
+err:
+ module_put(m->u.kernel.match->me);
+ return ret;
}
static struct ip6t_target ip6t_standard_target;
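Review bot: the context line `duprintf("ip_tables: check failed for `%s'.\n",` lives in ip6_tables.c; since the surrounding lines are being changed anyway, this is the moment to say ip6_tables so the message can be attributed to the right table. The err:/module_put() restructuring mirrors the IPv4 hunk exactly, including the printk-versus-duprintf imbalance noted there.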
@@ -632,6 +642,12 @@ check_entry(struct ip6t_entry *e, const
}
t->u.kernel.target = target;
+ ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
+ name, e->comefrom, e->ipv6.proto,
+ e->ipv6.invflags & IP6T_INV_PROTO);
+ if (ret)
+ goto err;
+
if (t->u.kernel.target == &ip6t_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
@@ -642,16 +658,16 @@ check_entry(struct ip6t_entry *e, const
t->u.target_size
- sizeof(*t),
e->comefrom)) {
- module_put(t->u.kernel.target->me);
duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
ret = -EINVAL;
- goto cleanup_matches;
+ goto err;
}
(*i)++;
return 0;
-
+ err:
+ module_put(t->u.kernel.target->me);
cleanup_matches:
IP6T_MATCH_ITERATE(e, cleanup_match, &j);
return ret;
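Review bot: same two nits as in ip_tables.c: the ` err:` label has a leading space that `cleanup_matches:` does not, and the duprintf() still names ip_tables inside ip6_tables.c.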
* [NETFILTER 05/13]: Convert ip_tables matches/targets to centralized error checking
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: Convert ip_tables matches/targets to centralized error checking
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 4f172068d4d24e663edc75a7679e887771a2d89e
tree 30a8183ee1887be4ba7ee86c4c3f2e46125a54d7
parent 21596d6b3f1a5d828a9dbe4e3db8430898a97f17
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:03 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:03 +0100
net/ipv4/netfilter/ip_nat_rule.c | 41 +++++------------------------------
net/ipv4/netfilter/ip_tables.c | 25 +++++++--------------
net/ipv4/netfilter/ipt_CLUSTERIP.c | 20 ++++++-----------
net/ipv4/netfilter/ipt_DSCP.c | 15 ++-----------
net/ipv4/netfilter/ipt_ECN.c | 16 ++------------
net/ipv4/netfilter/ipt_LOG.c | 9 +-------
net/ipv4/netfilter/ipt_MASQUERADE.c | 16 +++-----------
net/ipv4/netfilter/ipt_NETMAP.c | 17 +++------------
net/ipv4/netfilter/ipt_REDIRECT.c | 15 +++----------
net/ipv4/netfilter/ipt_REJECT.c | 22 +++----------------
net/ipv4/netfilter/ipt_SAME.c | 15 +++----------
net/ipv4/netfilter/ipt_TCPMSS.c | 14 +++---------
net/ipv4/netfilter/ipt_TOS.c | 15 ++-----------
net/ipv4/netfilter/ipt_TTL.c | 17 ++-------------
net/ipv4/netfilter/ipt_ULOG.c | 10 ++-------
net/ipv4/netfilter/ipt_addrtype.c | 15 +------------
net/ipv4/netfilter/ipt_ah.c | 23 +++++---------------
net/ipv4/netfilter/ipt_dscp.c | 14 ++----------
net/ipv4/netfilter/ipt_ecn.c | 8 +++----
net/ipv4/netfilter/ipt_esp.c | 23 +++++---------------
net/ipv4/netfilter/ipt_hashlimit.c | 16 ++++++--------
net/ipv4/netfilter/ipt_iprange.c | 27 +++++------------------
net/ipv4/netfilter/ipt_multiport.c | 29 +++----------------------
net/ipv4/netfilter/ipt_owner.c | 19 +++-------------
net/ipv4/netfilter/ipt_policy.c | 6 +----
net/ipv4/netfilter/ipt_recent.c | 15 ++++++-------
net/ipv4/netfilter/ipt_tos.c | 17 ++-------------
net/ipv4/netfilter/ipt_ttl.c | 14 ++----------
28 files changed, 103 insertions(+), 390 deletions(-)
diff --git a/net/ipv4/netfilter/ip_nat_rule.c b/net/ipv4/netfilter/ip_nat_rule.c
index 1de8628..ef4be3d 100644
--- a/net/ipv4/netfilter/ip_nat_rule.c
+++ b/net/ipv4/netfilter/ip_nat_rule.c
@@ -181,23 +181,6 @@ static int ipt_snat_checkentry(const cha
printk("SNAT: multiple ranges no longer supported\n");
return 0;
}
-
- if (targinfosize != IPT_ALIGN(sizeof(struct ip_nat_multi_range_compat))) {
- DEBUGP("SNAT: Target size %u wrong for %u ranges\n",
- targinfosize, mr->rangesize);
- return 0;
- }
-
- /* Only allow these for NAT. */
- if (strcmp(tablename, "nat") != 0) {
- DEBUGP("SNAT: wrong table %s\n", tablename);
- return 0;
- }
-
- if (hook_mask & ~(1 << NF_IP_POST_ROUTING)) {
- DEBUGP("SNAT: hook mask 0x%x bad\n", hook_mask);
- return 0;
- }
return 1;
}
@@ -214,24 +197,6 @@ static int ipt_dnat_checkentry(const cha
printk("DNAT: multiple ranges no longer supported\n");
return 0;
}
-
- if (targinfosize != IPT_ALIGN(sizeof(struct ip_nat_multi_range_compat))) {
- DEBUGP("DNAT: Target size %u wrong for %u ranges\n",
- targinfosize, mr->rangesize);
- return 0;
- }
-
- /* Only allow these for NAT. */
- if (strcmp(tablename, "nat") != 0) {
- DEBUGP("DNAT: wrong table %s\n", tablename);
- return 0;
- }
-
- if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))) {
- DEBUGP("DNAT: hook mask 0x%x bad\n", hook_mask);
- return 0;
- }
-
return 1;
}
@@ -299,12 +264,18 @@ int ip_nat_rule_find(struct sk_buff **ps
static struct ipt_target ipt_snat_reg = {
.name = "SNAT",
.target = ipt_snat_target,
+ .targetsize = sizeof(struct ip_nat_multi_range_compat),
+ .table = "nat",
+ .hooks = 1 << NF_IP_POST_ROUTING,
.checkentry = ipt_snat_checkentry,
};
static struct ipt_target ipt_dnat_reg = {
.name = "DNAT",
.target = ipt_dnat_target,
+ .targetsize = sizeof(struct ip_nat_multi_range_compat),
+ .table = "nat",
+ .hooks = 1 << NF_IP_PRE_ROUTING,
.checkentry = ipt_dnat_checkentry,
};
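Review bot: regression in the DNAT registration: `.hooks = 1 << NF_IP_PRE_ROUTING,` only allows PREROUTING, but the check removed from ipt_dnat_checkentry() above accepted `(1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT)`, so after this patch any DNAT rule in the nat table's OUTPUT chain, i.e. for locally generated traffic, fails xt_check_target() with "bad hook_mask" at insertion time. It should be `.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT),`. The SNAT registration is converted faithfully (POST_ROUTING only, table nat, targetsize of the multi_range_compat struct).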
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index f884ca2..62f8d63 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -477,21 +477,12 @@ standard_check(const struct ipt_entry_ta
struct ipt_standard_target *targ = (void *)t;
/* Check standard info. */
- if (t->u.target_size
- != IPT_ALIGN(sizeof(struct ipt_standard_target))) {
- duprintf("standard_check: target size %u != %u\n",
- t->u.target_size,
- IPT_ALIGN(sizeof(struct ipt_standard_target)));
- return 0;
- }
-
if (targ->verdict >= 0
&& targ->verdict > max_offset - sizeof(struct ipt_entry)) {
duprintf("ipt_standard_check: bad verdict (%i)\n",
targ->verdict);
return 0;
}
-
if (targ->verdict < -NF_MAX_VERDICT - 1) {
duprintf("ipt_standard_check: bad negative verdict (%i)\n",
targ->verdict);
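Review bot: removing the target_size test from standard_check() is safe only because the previous patch calls xt_check_target() before standard_check() and the built-in standard target now registers `.targetsize = sizeof(int)` below; the remaining verdict tests dereference targ->verdict and depend on that ordering. A one-line comment in standard_check() stating that xt_check_target() has already validated the size would protect against a later reordering.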
@@ -1330,24 +1321,22 @@ icmp_checkentry(const char *tablename,
unsigned int matchsize,
unsigned int hook_mask)
{
- const struct ipt_ip *ip = info;
const struct ipt_icmp *icmpinfo = matchinfo;
- /* Must specify proto == ICMP, and no unknown invflags */
- return ip->proto == IPPROTO_ICMP
- && !(ip->invflags & IPT_INV_PROTO)
- && matchsize == IPT_ALIGN(sizeof(struct ipt_icmp))
- && !(icmpinfo->invflags & ~IPT_ICMP_INV);
+ /* Must specify no unknown invflags */
+ return !(icmpinfo->invflags & ~IPT_ICMP_INV);
}
/* The built-in targets: standard (NULL) and error. */
static struct ipt_target ipt_standard_target = {
.name = IPT_STANDARD_TARGET,
+ .targetsize = sizeof(int),
};
static struct ipt_target ipt_error_target = {
.name = IPT_ERROR_TARGET,
.target = ipt_error,
+ .targetsize = IPT_FUNCTION_MAXNAMELEN,
};
static struct nf_sockopt_ops ipt_sockopts = {
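Review bot: icmp_checkentry() still declares `info` and `matchsize` but no longer uses them after dropping the protocol and size tests; the replacement `.proto = IPPROTO_ICMP` on the icmp match below is equivalent, including the refusal of `! -p icmp`, because xt_check_match() rejects inv_proto whenever .proto is set. The sizes chosen for the built-ins, sizeof(int) for the standard target's verdict and IPT_FUNCTION_MAXNAMELEN for the error target's name, must correspond to what standard_check() and ipt_error() read; a reader has to go to the header to confirm that, so a comment naming the two payload fields would help.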
@@ -1362,8 +1351,10 @@ static struct nf_sockopt_ops ipt_sockopt
static struct ipt_match icmp_matchstruct = {
.name = "icmp",
- .match = &icmp_match,
- .checkentry = &icmp_checkentry,
+ .match = icmp_match,
+ .matchsize = sizeof(struct ipt_icmp),
+ .proto = IPPROTO_ICMP,
+ .checkentry = icmp_checkentry,
};
static int __init init(void)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index d9bc971..24f88dd 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -389,13 +389,6 @@ checkentry(const char *tablename,
struct clusterip_config *config;
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info))) {
- printk(KERN_WARNING "CLUSTERIP: targinfosize %u != %Zu\n",
- targinfosize,
- IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info)));
- return 0;
- }
-
if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
@@ -476,12 +469,13 @@ static void destroy(void *matchinfo, uns
clusterip_config_put(cipinfo->config);
}
-static struct ipt_target clusterip_tgt = {
- .name = "CLUSTERIP",
- .target = &target,
- .checkentry = &checkentry,
- .destroy = &destroy,
- .me = THIS_MODULE
+static struct ipt_target clusterip_tgt = {
+ .name = "CLUSTERIP",
+ .target = target,
+ .targetsize = sizeof(struct ipt_clusterip_tgt_info),
+ .checkentry = checkentry,
+ .destroy = destroy,
+ .me = THIS_MODULE
};
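Review bot: the initializer is re-indented to align the `=` signs, which makes every line show as changed for a one-field addition (.targetsize) and buries the functional change in a whitespace diff; either keep the old layout or split the reformat out. Note also that no .table or .hooks value is set, so unlike DSCP and ECN below this target stays usable from any table and hook; if that is intended it is worth a word in the commit message.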
diff --git a/net/ipv4/netfilter/ipt_DSCP.c b/net/ipv4/netfilter/ipt_DSCP.c
index 898cdf7..a202467 100644
--- a/net/ipv4/netfilter/ipt_DSCP.c
+++ b/net/ipv4/netfilter/ipt_DSCP.c
@@ -64,29 +64,18 @@ checkentry(const char *tablename,
{
const u_int8_t dscp = ((struct ipt_DSCP_info *)targinfo)->dscp;
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_DSCP_info))) {
- printk(KERN_WARNING "DSCP: targinfosize %u != %Zu\n",
- targinfosize,
- IPT_ALIGN(sizeof(struct ipt_DSCP_info)));
- return 0;
- }
-
- if (strcmp(tablename, "mangle") != 0) {
- printk(KERN_WARNING "DSCP: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
- return 0;
- }
-
if ((dscp > IPT_DSCP_MAX)) {
printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp);
return 0;
}
-
return 1;
}
static struct ipt_target ipt_dscp_reg = {
.name = "DSCP",
.target = target,
+ .targetsize = sizeof(struct ipt_DSCP_info),
+ .table = "mangle",
.checkentry = checkentry,
.me = THIS_MODULE,
};
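Review bot: faithful conversion: `.table = "mangle"` and `.targetsize = sizeof(struct ipt_DSCP_info)` reproduce the two removed tests exactly, and the dscp range test is the only value-specific check left. The one observable difference is in logging: the removed messages were KERN_WARNING and quoted the offending table name, while the central one is an unleveled printk carrying the same information, so anyone grepping logs for "DSCP: can only be called" will need to update.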
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 7064454..1bf1a40 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -121,18 +121,6 @@ checkentry(const char *tablename,
const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
const struct ipt_entry *e = e_void;
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ECN_info))) {
- printk(KERN_WARNING "ECN: targinfosize %u != %Zu\n",
- targinfosize,
- IPT_ALIGN(sizeof(struct ipt_ECN_info)));
- return 0;
- }
-
- if (strcmp(tablename, "mangle") != 0) {
- printk(KERN_WARNING "ECN: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
- return 0;
- }
-
if (einfo->operation & IPT_ECN_OP_MASK) {
printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
einfo->operation);
@@ -143,20 +131,20 @@ checkentry(const char *tablename,
einfo->ip_ect);
return 0;
}
-
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
&& (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
printk(KERN_WARNING "ECN: cannot use TCP operations on a "
"non-tcp rule\n");
return 0;
}
-
return 1;
}
static struct ipt_target ipt_ecn_reg = {
.name = "ECN",
.target = target,
+ .targetsize = sizeof(struct ipt_ECN_info),
+ .table = "mangle",
.checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 6606ddb..24f1495 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -438,29 +438,22 @@ static int ipt_log_checkentry(const char
{
const struct ipt_log_info *loginfo = targinfo;
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_log_info))) {
- DEBUGP("LOG: targinfosize %u != %u\n",
- targinfosize, IPT_ALIGN(sizeof(struct ipt_log_info)));
- return 0;
- }
-
if (loginfo->level >= 8) {
DEBUGP("LOG: level %u >= 8\n", loginfo->level);
return 0;
}
-
if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
DEBUGP("LOG: prefix term %i\n",
loginfo->prefix[sizeof(loginfo->prefix)-1]);
return 0;
}
-
return 1;
}
static struct ipt_target ipt_log_reg = {
.name = "LOG",
.target = ipt_log_target,
+ .targetsize = sizeof(struct ipt_log_info),
.checkentry = ipt_log_checkentry,
.me = THIS_MODULE,
};
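Review bot: Correct to keep the `prefix[sizeof(loginfo->prefix)-1] != '\0'` test in `ipt_log_checkentry`: the centralized `.targetsize` check only proves the buffer has the right length, not that userspace NUL-terminated the string, which is what stops the prefix from being read past the struct when it is printed. The `level >= 8` check is the same kind of value-range constraint that cannot be expressed in the descriptor, so neither belongs in the core.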
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 12c56d3..df5ea08 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -47,19 +47,6 @@ masquerade_check(const char *tablename,
{
const struct ip_nat_multi_range_compat *mr = targinfo;
- if (strcmp(tablename, "nat") != 0) {
- DEBUGP("masquerade_check: bad table `%s'.\n", tablename);
- return 0;
- }
- if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
- DEBUGP("masquerade_check: size %u != %u.\n",
- targinfosize, sizeof(*mr));
- return 0;
- }
- if (hook_mask & ~(1 << NF_IP_POST_ROUTING)) {
- DEBUGP("masquerade_check: bad hooks %x.\n", hook_mask);
- return 0;
- }
if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
DEBUGP("masquerade_check: bad MAP_IPS.\n");
return 0;
@@ -179,6 +166,9 @@ static struct notifier_block masq_inet_n
static struct ipt_target masquerade = {
.name = "MASQUERADE",
.target = masquerade_target,
+ .targetsize = sizeof(struct ip_nat_multi_range_compat),
+ .table = "nat",
+ .hooks = 1 << NF_IP_POST_ROUTING,
.checkentry = masquerade_check,
.me = THIS_MODULE,
};
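Review bot: `.hooks = 1 << NF_IP_POST_ROUTING` only reproduces the removed `hook_mask & ~(1 << NF_IP_POST_ROUTING)` test if the core treats `.hooks` as the set of permitted hooks and rejects any bit outside it, and treats a zero `.hooks` (ipt_LOG above sets none) as unrestricted rather than as "no hook allowed". Both semantics have to hold for this conversion to be behaviour-preserving; a one-line comment on the `.hooks` field in x_tables.h stating them would help future readers.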
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index b074467..836d67e 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -38,19 +38,6 @@ check(const char *tablename,
{
const struct ip_nat_multi_range_compat *mr = targinfo;
- if (strcmp(tablename, "nat") != 0) {
- DEBUGP(MODULENAME":check: bad table `%s'.\n", tablename);
- return 0;
- }
- if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
- DEBUGP(MODULENAME":check: size %u.\n", targinfosize);
- return 0;
- }
- if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) |
- (1 << NF_IP_LOCAL_OUT))) {
- DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
- return 0;
- }
if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) {
DEBUGP(MODULENAME":check: bad MAP_IPS.\n");
return 0;
@@ -101,6 +88,10 @@ target(struct sk_buff **pskb,
static struct ipt_target target_module = {
.name = MODULENAME,
.target = target,
+ .targetsize = sizeof(struct ip_nat_multi_range_compat),
+ .table = "nat",
+ .hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) |
+ (1 << NF_IP_LOCAL_OUT),
.checkentry = check,
.me = THIS_MODULE
};
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 140be51..cc165e0 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -40,18 +40,6 @@ redirect_check(const char *tablename,
{
const struct ip_nat_multi_range_compat *mr = targinfo;
- if (strcmp(tablename, "nat") != 0) {
- DEBUGP("redirect_check: bad table `%s'.\n", table);
- return 0;
- }
- if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
- DEBUGP("redirect_check: size %u.\n", targinfosize);
- return 0;
- }
- if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))) {
- DEBUGP("redirect_check: bad hooks %x.\n", hook_mask);
- return 0;
- }
if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
DEBUGP("redirect_check: bad MAP_IPS.\n");
return 0;
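Review bot: The removed `DEBUGP("redirect_check: bad table `%s'.\n", table);` referenced `table` rather than the `tablename` parameter, so this file could not have compiled with DEBUG defined; dropping the check incidentally fixes a latent build break. Worth a sentence in the changelog, since it is a fix and not just a mechanical conversion.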
@@ -115,6 +103,9 @@ redirect_target(struct sk_buff **pskb,
static struct ipt_target redirect_reg = {
.name = "REDIRECT",
.target = redirect_target,
+ .targetsize = sizeof(struct ip_nat_multi_range_compat),
+ .table = "nat",
+ .hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT),
.checkentry = redirect_check,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 3eb47aa..ddd6bd1 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -290,23 +290,6 @@ static int check(const char *tablename,
const struct ipt_reject_info *rejinfo = targinfo;
const struct ipt_entry *e = e_void;
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_reject_info))) {
- DEBUGP("REJECT: targinfosize %u != 0\n", targinfosize);
- return 0;
- }
-
- /* Only allow these for packet filtering. */
- if (strcmp(tablename, "filter") != 0) {
- DEBUGP("REJECT: bad table `%s'.\n", tablename);
- return 0;
- }
- if ((hook_mask & ~((1 << NF_IP_LOCAL_IN)
- | (1 << NF_IP_FORWARD)
- | (1 << NF_IP_LOCAL_OUT))) != 0) {
- DEBUGP("REJECT: bad hook mask %X\n", hook_mask);
- return 0;
- }
-
if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
printk("REJECT: ECHOREPLY no longer supported.\n");
return 0;
@@ -318,13 +301,16 @@ static int check(const char *tablename,
return 0;
}
}
-
return 1;
}
static struct ipt_target ipt_reject_reg = {
.name = "REJECT",
.target = reject,
+ .targetsize = sizeof(struct ipt_reject_info),
+ .table = "filter",
+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
+ (1 << NF_IP_LOCAL_OUT),
.checkentry = check,
.me = THIS_MODULE,
};
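Review bot: `.table = "filter"` and the three-hook `.hooks` mask preserve the restriction, but the hunk also deletes the only rationale for it, the comment "Only allow these for packet filtering." Consider keeping that one line next to the descriptor: REJECT synthesises reply packets, and a bare string plus bitmask no longer explains why it must not run from the nat or mangle tables. The removed message `"REJECT: targinfosize %u != 0\n"` was misleading anyway (it never printed the expected size), so the generic size error is also an improvement in diagnostics.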
diff --git a/net/ipv4/netfilter/ipt_SAME.c b/net/ipv4/netfilter/ipt_SAME.c
index a22de59..8743c3a 100644
--- a/net/ipv4/netfilter/ipt_SAME.c
+++ b/net/ipv4/netfilter/ipt_SAME.c
@@ -59,18 +59,6 @@ same_check(const char *tablename,
mr->ipnum = 0;
- if (strcmp(tablename, "nat") != 0) {
- DEBUGP("same_check: bad table `%s'.\n", tablename);
- return 0;
- }
- if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
- DEBUGP("same_check: size %u.\n", targinfosize);
- return 0;
- }
- if (hook_mask & ~(1 << NF_IP_PRE_ROUTING | 1 << NF_IP_POST_ROUTING)) {
- DEBUGP("same_check: bad hooks %x.\n", hook_mask);
- return 0;
- }
if (mr->rangesize < 1) {
DEBUGP("same_check: need at least one dest range.\n");
return 0;
@@ -191,6 +179,9 @@ same_target(struct sk_buff **pskb,
static struct ipt_target same_reg = {
.name = "SAME",
.target = same_target,
+ .targetsize = sizeof(struct ipt_same_info),
+ .table = "nat",
+ .hooks = (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_POST_ROUTING),
.checkentry = same_check,
.destroy = same_destroy,
.me = THIS_MODULE,
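Review bot: `.hooks = (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_POST_ROUTING)` is correct, since `<<` binds tighter than `|`, but every other descriptor in this patch parenthesises each shift; write `(1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING)` for consistency. The removed check compared against `sizeof(*mr)` while the new field names `struct ipt_same_info` explicitly; the `mr->ipnum` and `mr->rangesize` uses above suggest that is the same type, but it deserves a glance.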
diff --git a/net/ipv4/netfilter/ipt_TCPMSS.c b/net/ipv4/netfilter/ipt_TCPMSS.c
index c122841..4be6e2b 100644
--- a/net/ipv4/netfilter/ipt_TCPMSS.c
+++ b/net/ipv4/netfilter/ipt_TCPMSS.c
@@ -218,13 +218,6 @@ ipt_tcpmss_checkentry(const char *tablen
const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
const struct ipt_entry *e = e_void;
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tcpmss_info))) {
- DEBUGP("ipt_tcpmss_checkentry: targinfosize %u != %u\n",
- targinfosize, IPT_ALIGN(sizeof(struct ipt_tcpmss_info)));
- return 0;
- }
-
-
if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) &&
((hook_mask & ~((1 << NF_IP_FORWARD)
| (1 << NF_IP_LOCAL_OUT)
@@ -233,11 +226,8 @@ ipt_tcpmss_checkentry(const char *tablen
return 0;
}
- if (e->ip.proto == IPPROTO_TCP
- && !(e->ip.invflags & IPT_INV_PROTO)
- && IPT_MATCH_ITERATE(e, find_syn_match))
+ if (IPT_MATCH_ITERATE(e, find_syn_match))
return 1;
-
printk("TCPMSS: Only works on TCP SYN packets\n");
return 0;
}
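Review bot: The dropped condition `e->ip.proto == IPPROTO_TCP && !(e->ip.invflags & IPT_INV_PROTO)` is only fully replaced by `.proto = IPPROTO_TCP` if the centralized protocol check also rejects an inverted protocol match; otherwise a rule written as `! -p tcp -j TCPMSS` would now pass this function and reach `find_syn_match` on a rule that matches non-TCP traffic. The hook_mask test for `IPT_TCPMSS_CLAMP_PMTU` in the previous hunk correctly stays local, because it is conditional on the option value and cannot be expressed as a static `.hooks` mask.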
@@ -245,6 +235,8 @@ ipt_tcpmss_checkentry(const char *tablen
static struct ipt_target ipt_tcpmss_reg = {
.name = "TCPMSS",
.target = ipt_tcpmss_target,
+ .targetsize = sizeof(struct ipt_tcpmss_info),
+ .proto = IPPROTO_TCP,
.checkentry = ipt_tcpmss_checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_TOS.c b/net/ipv4/netfilter/ipt_TOS.c
index 3a44a56..6568e3e 100644
--- a/net/ipv4/netfilter/ipt_TOS.c
+++ b/net/ipv4/netfilter/ipt_TOS.c
@@ -59,18 +59,6 @@ checkentry(const char *tablename,
{
const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos;
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tos_target_info))) {
- printk(KERN_WARNING "TOS: targinfosize %u != %Zu\n",
- targinfosize,
- IPT_ALIGN(sizeof(struct ipt_tos_target_info)));
- return 0;
- }
-
- if (strcmp(tablename, "mangle") != 0) {
- printk(KERN_WARNING "TOS: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
- return 0;
- }
-
if (tos != IPTOS_LOWDELAY
&& tos != IPTOS_THROUGHPUT
&& tos != IPTOS_RELIABILITY
@@ -79,13 +67,14 @@ checkentry(const char *tablename,
printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
return 0;
}
-
return 1;
}
static struct ipt_target ipt_tos_reg = {
.name = "TOS",
.target = target,
+ .targetsize = sizeof(struct ipt_tos_target_info),
+ .table = "mangle",
.checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
index b769eb2..61d94e0 100644
--- a/net/ipv4/netfilter/ipt_TTL.c
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -73,34 +73,21 @@ static int ipt_ttl_checkentry(const char
{
struct ipt_TTL_info *info = targinfo;
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_TTL_info))) {
- printk(KERN_WARNING "ipt_TTL: targinfosize %u != %Zu\n",
- targinfosize,
- IPT_ALIGN(sizeof(struct ipt_TTL_info)));
- return 0;
- }
-
- if (strcmp(tablename, "mangle")) {
- printk(KERN_WARNING "ipt_TTL: can only be called from "
- "\"mangle\" table, not \"%s\"\n", tablename);
- return 0;
- }
-
if (info->mode > IPT_TTL_MAXMODE) {
printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n",
info->mode);
return 0;
}
-
if ((info->mode != IPT_TTL_SET) && (info->ttl == 0))
return 0;
-
return 1;
}
static struct ipt_target ipt_TTL = {
.name = "TTL",
.target = ipt_ttl_target,
+ .targetsize = sizeof(struct ipt_TTL_info),
+ .table = "mangle",
.checkentry = ipt_ttl_checkentry,
.me = THIS_MODULE,
};
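Review bot: `if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) return 0;` is now the one failure path in this function without a `printk`, whereas every removed check explained why the rule was rejected; the ip6t_HL conversion later in this series prints "increment/decrement doesn't make sense with value 0" for the same case, so add the matching `KERN_WARNING` here. `info` can also become `const struct ipt_TTL_info *` since nothing writes through it.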
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 180a9ea..c95e7e9 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -345,36 +345,30 @@ static int ipt_ulog_checkentry(const cha
{
struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ulog_info))) {
- DEBUGP("ipt_ULOG: targinfosize %u != 0\n", targinfosize);
- return 0;
- }
-
if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
DEBUGP("ipt_ULOG: prefix term %i\n",
loginfo->prefix[sizeof(loginfo->prefix) - 1]);
return 0;
}
-
if (loginfo->qthreshold > ULOG_MAX_QLEN) {
DEBUGP("ipt_ULOG: queue threshold %i > MAX_QLEN\n",
loginfo->qthreshold);
return 0;
}
-
return 1;
}
static struct ipt_target ipt_ulog_reg = {
.name = "ULOG",
.target = ipt_ulog_target,
+ .targetsize = sizeof(struct ipt_ulog_info),
.checkentry = ipt_ulog_checkentry,
.me = THIS_MODULE,
};
static struct nf_logger ipt_ulog_logger = {
.name = "ipt_ULOG",
- .logfn = &ipt_logfn,
+ .logfn = ipt_logfn,
.me = THIS_MODULE,
};
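Review bot: The `.logfn = &ipt_logfn` to `.logfn = ipt_logfn` change in `ipt_ulog_logger` is unrelated to centralized error checking (`struct nf_logger` is not an x_tables target descriptor) and belongs in a separate cleanup; the `&`-dropping elsewhere in the series is at least on the structs being converted. The retained `prefix` terminator and `qthreshold > ULOG_MAX_QLEN` checks are the right ones to keep local.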
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index d6b83a9..ad5dc46 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -43,23 +43,10 @@ static int match(const struct sk_buff *s
return ret;
}
-static int checkentry(const char *tablename, const void *ip,
- void *matchinfo, unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (matchsize != IPT_ALIGN(sizeof(struct ipt_addrtype_info))) {
- printk(KERN_ERR "ipt_addrtype: invalid size (%u != %Zu)\n",
- matchsize, IPT_ALIGN(sizeof(struct ipt_addrtype_info)));
- return 0;
- }
-
- return 1;
-}
-
static struct ipt_match addrtype_match = {
.name = "addrtype",
.match = match,
- .checkentry = checkentry,
+ .matchsize = sizeof(struct ipt_addrtype_info),
.me = THIS_MODULE
};
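Review bot: `.checkentry` is removed entirely rather than replaced, so this descriptor now depends on the core tolerating a NULL `checkentry` (the same applies to ipt_dscp, ipt_iprange, ipt_multiport, ipt_tos and ipt_ttl below). Previously every match registered one, so confirm the centralized path guards the call before dereferencing it.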
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 144adfe..a33eeea 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -76,32 +76,21 @@ checkentry(const char *tablename,
unsigned int hook_mask)
{
const struct ipt_ah *ahinfo = matchinfo;
- const struct ipt_ip *ip = ip_void;
- /* Must specify proto == AH, and no unknown invflags */
- if (ip->proto != IPPROTO_AH || (ip->invflags & IPT_INV_PROTO)) {
- duprintf("ipt_ah: Protocol %u != %u\n", ip->proto,
- IPPROTO_AH);
- return 0;
- }
- if (matchinfosize != IPT_ALIGN(sizeof(struct ipt_ah))) {
- duprintf("ipt_ah: matchsize %u != %u\n",
- matchinfosize, IPT_ALIGN(sizeof(struct ipt_ah)));
- return 0;
- }
+ /* Must specify no unknown invflags */
if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
- duprintf("ipt_ah: unknown flags %X\n",
- ahinfo->invflags);
+ duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags);
return 0;
}
-
return 1;
}
static struct ipt_match ah_match = {
.name = "ah",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ipt_ah),
+ .proto = IPPROTO_AH,
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
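Review bot: The removed block also tested `ip->invflags & IPT_INV_PROTO`, so `.proto = IPPROTO_AH` only preserves the old behaviour if the centralized protocol check rejects an inverted `-p` as well. The comment rewrite to "Must specify no unknown invflags" is accurate for what remains; `checkentry` still takes the now-unused `ip_void` and `matchinfosize` parameters, which is acceptable given the fixed callback signature.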
diff --git a/net/ipv4/netfilter/ipt_dscp.c b/net/ipv4/netfilter/ipt_dscp.c
index 92063b4..e7889ba 100644
--- a/net/ipv4/netfilter/ipt_dscp.c
+++ b/net/ipv4/netfilter/ipt_dscp.c
@@ -31,20 +31,10 @@ static int match(const struct sk_buff *s
return ((iph->tos&IPT_DSCP_MASK) == sh_dscp) ^ info->invert;
}
-static int checkentry(const char *tablename, const void *ip,
- void *matchinfo, unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (matchsize != IPT_ALIGN(sizeof(struct ipt_dscp_info)))
- return 0;
-
- return 1;
-}
-
static struct ipt_match dscp_match = {
.name = "dscp",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ipt_dscp_info),
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index e68b0c7..723957f 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -92,9 +92,6 @@ static int checkentry(const char *tablen
const struct ipt_ecn_info *info = matchinfo;
const struct ipt_ip *ip = ip_void;
- if (matchsize != IPT_ALIGN(sizeof(struct ipt_ecn_info)))
- return 0;
-
if (info->operation & IPT_ECN_OP_MATCH_MASK)
return 0;
@@ -113,8 +110,9 @@ static int checkentry(const char *tablen
static struct ipt_match ecn_match = {
.name = "ecn",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ipt_ecn_info),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_esp.c b/net/ipv4/netfilter/ipt_esp.c
index 9de191a..984fa48 100644
--- a/net/ipv4/netfilter/ipt_esp.c
+++ b/net/ipv4/netfilter/ipt_esp.c
@@ -77,32 +77,21 @@ checkentry(const char *tablename,
unsigned int hook_mask)
{
const struct ipt_esp *espinfo = matchinfo;
- const struct ipt_ip *ip = ip_void;
- /* Must specify proto == ESP, and no unknown invflags */
- if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) {
- duprintf("ipt_esp: Protocol %u != %u\n", ip->proto,
- IPPROTO_ESP);
- return 0;
- }
- if (matchinfosize != IPT_ALIGN(sizeof(struct ipt_esp))) {
- duprintf("ipt_esp: matchsize %u != %u\n",
- matchinfosize, IPT_ALIGN(sizeof(struct ipt_esp)));
- return 0;
- }
+ /* Must specify no unknown invflags */
if (espinfo->invflags & ~IPT_ESP_INV_MASK) {
- duprintf("ipt_esp: unknown flags %X\n",
- espinfo->invflags);
+ duprintf("ipt_esp: unknown flags %X\n", espinfo->invflags);
return 0;
}
-
return 1;
}
static struct ipt_match esp_match = {
.name = "esp",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ipt_esp),
+ .proto = IPPROTO_ESP,
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_hashlimit.c b/net/ipv4/netfilter/ipt_hashlimit.c
index 4fe48c1..156d9c2 100644
--- a/net/ipv4/netfilter/ipt_hashlimit.c
+++ b/net/ipv4/netfilter/ipt_hashlimit.c
@@ -512,9 +512,6 @@ hashlimit_checkentry(const char *tablena
{
struct ipt_hashlimit_info *r = matchinfo;
- if (matchsize != IPT_ALIGN(sizeof(struct ipt_hashlimit_info)))
- return 0;
-
/* Check for overflow. */
if (r->cfg.burst == 0
|| user2credits(r->cfg.avg * r->cfg.burst) <
@@ -565,12 +562,13 @@ hashlimit_destroy(void *matchinfo, unsig
htable_put(r->hinfo);
}
-static struct ipt_match ipt_hashlimit = {
- .name = "hashlimit",
- .match = hashlimit_match,
- .checkentry = hashlimit_checkentry,
- .destroy = hashlimit_destroy,
- .me = THIS_MODULE
+static struct ipt_match ipt_hashlimit = {
+ .name = "hashlimit",
+ .match = hashlimit_match,
+ .matchsize = sizeof(struct ipt_hashlimit_info),
+ .checkentry = hashlimit_checkentry,
+ .destroy = hashlimit_destroy,
+ .me = THIS_MODULE
};
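Review bot: The whole `ipt_hashlimit` initializer is deleted and re-added only to change indentation around the new `.matchsize` line; that whitespace churn hides the single functional change (the same pattern appears in ipt_iprange and ipt_recent). Either keep the existing alignment or move the re-indentation into a separate patch.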
/* PROC stuff */
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/ipv4/netfilter/ipt_iprange.c
index 13fb16f..0885ff5 100644
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ b/net/ipv4/netfilter/ipt_iprange.c
@@ -62,27 +62,12 @@ match(const struct sk_buff *skb,
return 1;
}
-static int check(const char *tablename,
- const void *inf,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- /* verify size */
- if (matchsize != IPT_ALIGN(sizeof(struct ipt_iprange_info)))
- return 0;
-
- return 1;
-}
-
-static struct ipt_match iprange_match =
-{
- .list = { NULL, NULL },
- .name = "iprange",
- .match = &match,
- .checkentry = &check,
- .destroy = NULL,
- .me = THIS_MODULE
+static struct ipt_match iprange_match = {
+ .name = "iprange",
+ .match = match,
+ .matchsize = sizeof(struct ipt_iprange_info),
+ .destroy = NULL,
+ .me = THIS_MODULE
};
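Review bot: Dropping `.list = { NULL, NULL }` is right, since registration code owns the list head, but `.destroy = NULL` is kept even though a static initializer zeroes it and no other descriptor in this series spells it out; drop it too for consistency.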
static int __init init(void)
diff --git a/net/ipv4/netfilter/ipt_multiport.c b/net/ipv4/netfilter/ipt_multiport.c
index 2d52326..8f1684c 100644
--- a/net/ipv4/netfilter/ipt_multiport.c
+++ b/net/ipv4/netfilter/ipt_multiport.c
@@ -153,40 +153,19 @@ match_v1(const struct sk_buff *skb,
return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
}
-/* Called when user tries to insert an entry of this type. */
-static int
-checkentry(const char *tablename,
- const void *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- return (matchsize == IPT_ALIGN(sizeof(struct ipt_multiport)));
-}
-
-static int
-checkentry_v1(const char *tablename,
- const void *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- return (matchsize == IPT_ALIGN(sizeof(struct ipt_multiport_v1)));
-}
-
static struct ipt_match multiport_match = {
.name = "multiport",
.revision = 0,
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ipt_multiport),
.me = THIS_MODULE,
};
static struct ipt_match multiport_match_v1 = {
.name = "multiport",
.revision = 1,
- .match = &match_v1,
- .checkentry = &checkentry_v1,
+ .match = match_v1,
+ .matchsize = sizeof(struct ipt_multiport_v1),
.me = THIS_MODULE,
};
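Review bot: Both descriptors share `.name = "multiport"` but differ in `.matchsize` (`struct ipt_multiport` versus `struct ipt_multiport_v1`), so the centralized size check must be performed against the descriptor selected by `.revision`, not merely by name; otherwise a revision-1 rule would either be rejected or, worse, accepted against the smaller revision-0 size and let `match_v1` read past the userspace-supplied data.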
diff --git a/net/ipv4/netfilter/ipt_owner.c b/net/ipv4/netfilter/ipt_owner.c
index 4843d0c..18adc1d 100644
--- a/net/ipv4/netfilter/ipt_owner.c
+++ b/net/ipv4/netfilter/ipt_owner.c
@@ -59,31 +59,20 @@ checkentry(const char *tablename,
{
const struct ipt_owner_info *info = matchinfo;
- if (hook_mask
- & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING))) {
- printk("ipt_owner: only valid for LOCAL_OUT or POST_ROUTING.\n");
- return 0;
- }
-
- if (matchsize != IPT_ALIGN(sizeof(struct ipt_owner_info))) {
- printk("Matchsize %u != %Zu\n", matchsize,
- IPT_ALIGN(sizeof(struct ipt_owner_info)));
- return 0;
- }
-
if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) {
printk("ipt_owner: pid, sid and command matching "
"not supported anymore\n");
return 0;
}
-
return 1;
}
static struct ipt_match owner_match = {
.name = "owner",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ipt_owner_info),
+ .hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
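Review bot: The removed `printk("ipt_owner: only valid for LOCAL_OUT or POST_ROUTING.\n")` told the user exactly why an owner match in INPUT failed; that case is now handled by generic code via `.hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING)`. Make sure the core's hook error names the match and the offending hook, or a very common mistake turns into an opaque iptables error.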
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c
index 5a7a265..3fa6607 100644
--- a/net/ipv4/netfilter/ipt_policy.c
+++ b/net/ipv4/netfilter/ipt_policy.c
@@ -125,11 +125,6 @@ static int checkentry(const char *tablen
{
struct ipt_policy_info *info = matchinfo;
- if (matchsize != IPT_ALIGN(sizeof(*info))) {
- printk(KERN_ERR "ipt_policy: matchsize %u != %zu\n",
- matchsize, IPT_ALIGN(sizeof(*info)));
- return 0;
- }
if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))) {
printk(KERN_ERR "ipt_policy: neither incoming nor "
"outgoing policy selected\n");
@@ -158,6 +153,7 @@ static int checkentry(const char *tablen
static struct ipt_match policy_match = {
.name = "policy",
.match = match,
+ .matchsize = sizeof(struct ipt_policy_info),
.checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 44611d6..e2ccd42 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -670,8 +670,6 @@ checkentry(const char *tablename,
if(debug) printk(KERN_INFO RECENT_NAME ": checkentry() entered.\n");
#endif
- if (matchsize != IPT_ALIGN(sizeof(struct ipt_recent_info))) return 0;
-
/* seconds and hit_count only valid for CHECK/UPDATE */
if(info->check_set & IPT_RECENT_SET) { flag++; if(info->seconds || info->hit_count) return 0; }
if(info->check_set & IPT_RECENT_REMOVE) { flag++; if(info->seconds || info->hit_count) return 0; }
@@ -951,12 +949,13 @@ destroy(void *matchinfo, unsigned int ma
/* This is the structure we pass to ipt_register to register our
* module with iptables.
*/
-static struct ipt_match recent_match = {
- .name = "recent",
- .match = &match,
- .checkentry = &checkentry,
- .destroy = &destroy,
- .me = THIS_MODULE
+static struct ipt_match recent_match = {
+ .name = "recent",
+ .match = match,
+ .matchsize = sizeof(struct ipt_recent_info),
+ .checkentry = checkentry,
+ .destroy = destroy,
+ .me = THIS_MODULE
};
/* Kernel module initialization. */
diff --git a/net/ipv4/netfilter/ipt_tos.c b/net/ipv4/netfilter/ipt_tos.c
index 9ab765e..4675c78 100644
--- a/net/ipv4/netfilter/ipt_tos.c
+++ b/net/ipv4/netfilter/ipt_tos.c
@@ -31,23 +31,10 @@ match(const struct sk_buff *skb,
return (skb->nh.iph->tos == info->tos) ^ info->invert;
}
-static int
-checkentry(const char *tablename,
- const void *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (matchsize != IPT_ALIGN(sizeof(struct ipt_tos_info)))
- return 0;
-
- return 1;
-}
-
static struct ipt_match tos_match = {
.name = "tos",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ipt_tos_info),
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_ttl.c b/net/ipv4/netfilter/ipt_ttl.c
index 82da53f..bb694a0 100644
--- a/net/ipv4/netfilter/ipt_ttl.c
+++ b/net/ipv4/netfilter/ipt_ttl.c
@@ -47,20 +47,10 @@ static int match(const struct sk_buff *s
return 0;
}
-static int checkentry(const char *tablename, const void *ip,
- void *matchinfo, unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (matchsize != IPT_ALIGN(sizeof(struct ipt_ttl_info)))
- return 0;
-
- return 1;
-}
-
static struct ipt_match ttl_match = {
.name = "ttl",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ipt_ttl_info),
.me = THIS_MODULE,
};
* [NETFILTER 06/13]: Convert arp_tables targets to centralized error checking
2006-02-16 21:32 [NETFILTER 00/13]: Netfilter patches for 2.6.17 Patrick McHardy
` (4 preceding siblings ...)
2006-02-16 21:32 ` [NETFILTER 05/13]: Convert ip_tables matches/targets to " Patrick McHardy
@ 2006-02-16 21:32 ` Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 07/13]: Convert ip6_tables matches/targets " Patrick McHardy
` (7 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: Convert arp_tables targets to centralized error checking
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit b5b1850e58154ca2646ec8f759164a967779d42b
tree 968f37b8f9bf4ccc4855135f6c40a2729c75579a
parent 4f172068d4d24e663edc75a7679e887771a2d89e
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:04 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:04 +0100
net/ipv4/netfilter/arp_tables.c | 2 ++
net/ipv4/netfilter/arpt_mangle.c | 12 ++++++------
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index f68eb67..082b748 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1143,11 +1143,13 @@ void arpt_unregister_table(struct arpt_t
/* The built-in targets: standard (NULL) and error. */
static struct arpt_target arpt_standard_target = {
.name = ARPT_STANDARD_TARGET,
+ .targetsize = sizeof(int),
};
static struct arpt_target arpt_error_target = {
.name = ARPT_ERROR_TARGET,
.target = arpt_error,
+ .targetsize = ARPT_FUNCTION_MAXNAMELEN,
};
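Review bot: The diffstat lists arp_tables.c with two insertions and no deletions, so unlike ip6_tables.c there is no matching removal of a per-table `target_size` comparison here. Check that arp_tables' own standard-target check (not in this hunk) does not still compare against the aligned full-struct size and disagree with the new `.targetsize = sizeof(int)`, which covers the verdict payload only.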
static struct nf_sockopt_ops arpt_sockopts = {
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index c97650a..4715cf5 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -80,12 +80,12 @@ checkentry(const char *tablename, const
return 1;
}
-static struct arpt_target arpt_mangle_reg
-= {
- .name = "mangle",
- .target = target,
- .checkentry = checkentry,
- .me = THIS_MODULE,
+static struct arpt_target arpt_mangle_reg = {
+ .name = "mangle",
+ .target = target,
+ .targetsize = sizeof(struct arpt_mangle),
+ .checkentry = checkentry,
+ .me = THIS_MODULE,
};
static int __init init(void)
* [NETFILTER 07/13]: Convert ip6_tables matches/targets to centralized error checking
2006-02-16 21:32 [NETFILTER 00/13]: Netfilter patches for 2.6.17 Patrick McHardy
` (5 preceding siblings ...)
2006-02-16 21:32 ` [NETFILTER 06/13]: Convert arp_tables targets " Patrick McHardy
@ 2006-02-16 21:32 ` Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 08/13]: Convert x_tables " Patrick McHardy
` (6 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: Convert ip6_tables matches/targets to centralized error checking
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit dff18dfa6d3b6ad94a5c5b8d185cb37cb6d2af57
tree c3f4bea7849966a1152c4756f1d81a18da2bd3db
parent b5b1850e58154ca2646ec8f759164a967779d42b
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:05 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:05 +0100
net/ipv6/netfilter/ip6_tables.c | 23 +++++++----------------
net/ipv6/netfilter/ip6t_HL.c | 17 ++---------------
net/ipv6/netfilter/ip6t_LOG.c | 9 +--------
net/ipv6/netfilter/ip6t_REJECT.c | 23 ++++-------------------
net/ipv6/netfilter/ip6t_ah.c | 10 +++-------
net/ipv6/netfilter/ip6t_dst.c | 11 +++--------
net/ipv6/netfilter/ip6t_esp.c | 10 +++-------
net/ipv6/netfilter/ip6t_eui64.c | 26 ++++----------------------
net/ipv6/netfilter/ip6t_frag.c | 11 +++--------
net/ipv6/netfilter/ip6t_hbh.c | 11 +++--------
net/ipv6/netfilter/ip6t_hl.c | 14 ++------------
net/ipv6/netfilter/ip6t_ipv6header.c | 6 +-----
net/ipv6/netfilter/ip6t_multiport.c | 9 +++------
net/ipv6/netfilter/ip6t_owner.c | 16 ++++------------
net/ipv6/netfilter/ip6t_policy.c | 6 +-----
net/ipv6/netfilter/ip6t_rt.c | 10 +++-------
16 files changed, 47 insertions(+), 165 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 3d2fefe..88f5d29 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -544,21 +544,12 @@ standard_check(const struct ip6t_entry_t
struct ip6t_standard_target *targ = (void *)t;
/* Check standard info. */
- if (t->u.target_size
- != IP6T_ALIGN(sizeof(struct ip6t_standard_target))) {
- duprintf("standard_check: target size %u != %u\n",
- t->u.target_size,
- IP6T_ALIGN(sizeof(struct ip6t_standard_target)));
- return 0;
- }
-
if (targ->verdict >= 0
&& targ->verdict > max_offset - sizeof(struct ip6t_entry)) {
duprintf("ip6t_standard_check: bad verdict (%i)\n",
targ->verdict);
return 0;
}
-
if (targ->verdict < -NF_MAX_VERDICT - 1) {
duprintf("ip6t_standard_check: bad negative verdict (%i)\n",
targ->verdict);
@@ -1385,24 +1376,22 @@ icmp6_checkentry(const char *tablename,
unsigned int matchsize,
unsigned int hook_mask)
{
- const struct ip6t_ip6 *ipv6 = entry;
const struct ip6t_icmp *icmpinfo = matchinfo;
- /* Must specify proto == ICMP, and no unknown invflags */
- return ipv6->proto == IPPROTO_ICMPV6
- && !(ipv6->invflags & IP6T_INV_PROTO)
- && matchsize == IP6T_ALIGN(sizeof(struct ip6t_icmp))
- && !(icmpinfo->invflags & ~IP6T_ICMP_INV);
+ /* Must specify no unknown invflags */
+ return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
}
/* The built-in targets: standard (NULL) and error. */
static struct ip6t_target ip6t_standard_target = {
.name = IP6T_STANDARD_TARGET,
+ .targetsize = sizeof(int),
};
static struct ip6t_target ip6t_error_target = {
.name = IP6T_ERROR_TARGET,
.target = ip6t_error,
+ .targetsize = IP6T_FUNCTION_MAXNAMELEN,
};
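Review bot: `.targetsize = sizeof(int)` describes only the payload of `ip6t_standard_target`, whereas the check removed from `standard_check` above compared `t->u.target_size` against `IP6T_ALIGN(sizeof(struct ip6t_standard_target))`, i.e. header plus payload; the core must therefore compare `.targetsize` against `target_size - sizeof(struct ip6t_entry_target)`, not against the whole target. `icmp6_checkentry` also loses `!(ipv6->invflags & IP6T_INV_PROTO)`, which `.proto = IPPROTO_ICMPV6` only covers if the core rejects inverted protocol matches; the now-unused `entry` and `matchsize` parameters in its signature are fine to leave.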
static struct nf_sockopt_ops ip6t_sockopts = {
@@ -1418,7 +1407,9 @@ static struct nf_sockopt_ops ip6t_sockop
static struct ip6t_match icmp6_matchstruct = {
.name = "icmp6",
.match = &icmp6_match,
- .checkentry = &icmp6_checkentry,
+ .matchsize = sizeof(struct ip6t_icmp),
+ .checkentry = icmp6_checkentry,
+ .proto = IPPROTO_ICMPV6,
};
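Review bot: `.match = &icmp6_match` keeps the address-of operator while the line directly below drops it for `.checkentry = icmp6_checkentry`; pick one style within the initializer (the rest of the series drops `&`). `.proto` is also placed after `.checkentry` here but before it in ipt_ah and ipt_esp; trivial, but a consistent field order makes these descriptors easier to audit.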
static int __init init(void)
diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c
index 306200c..ab39ee9 100644
--- a/net/ipv6/netfilter/ip6t_HL.c
+++ b/net/ipv6/netfilter/ip6t_HL.c
@@ -69,37 +69,24 @@ static int ip6t_hl_checkentry(const char
{
struct ip6t_HL_info *info = targinfo;
- if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_HL_info))) {
- printk(KERN_WARNING "ip6t_HL: targinfosize %u != %Zu\n",
- targinfosize,
- IP6T_ALIGN(sizeof(struct ip6t_HL_info)));
- return 0;
- }
-
- if (strcmp(tablename, "mangle")) {
- printk(KERN_WARNING "ip6t_HL: can only be called from "
- "\"mangle\" table, not \"%s\"\n", tablename);
- return 0;
- }
-
if (info->mode > IP6T_HL_MAXMODE) {
printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n",
info->mode);
return 0;
}
-
if ((info->mode != IP6T_HL_SET) && (info->hop_limit == 0)) {
printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't "
"make sense with value 0\n");
return 0;
}
-
return 1;
}
static struct ip6t_target ip6t_HL = {
.name = "HL",
.target = ip6t_hl_target,
+ .targetsize = sizeof(struct ip6t_HL_info),
+ .table = "mangle",
.checkentry = ip6t_hl_checkentry,
.me = THIS_MODULE
};
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 77c7258..171c9ba 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -450,29 +450,22 @@ static int ip6t_log_checkentry(const cha
{
const struct ip6t_log_info *loginfo = targinfo;
- if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_log_info))) {
- DEBUGP("LOG: targinfosize %u != %u\n",
- targinfosize, IP6T_ALIGN(sizeof(struct ip6t_log_info)));
- return 0;
- }
-
if (loginfo->level >= 8) {
DEBUGP("LOG: level %u >= 8\n", loginfo->level);
return 0;
}
-
if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
DEBUGP("LOG: prefix term %i\n",
loginfo->prefix[sizeof(loginfo->prefix)-1]);
return 0;
}
-
return 1;
}
static struct ip6t_target ip6t_log_reg = {
.name = "LOG",
.target = ip6t_log_target,
+ .targetsize = sizeof(struct ip6t_log_info),
.checkentry = ip6t_log_checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 0e6d1d4..8640706 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -228,24 +228,6 @@ static int check(const char *tablename,
const struct ip6t_reject_info *rejinfo = targinfo;
const struct ip6t_entry *e = entry;
- if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_reject_info))) {
- DEBUGP("ip6t_REJECT: targinfosize %u != 0\n", targinfosize);
- return 0;
- }
-
- /* Only allow these for packet filtering. */
- if (strcmp(tablename, "filter") != 0) {
- DEBUGP("ip6t_REJECT: bad table `%s'.\n", tablename);
- return 0;
- }
-
- if ((hook_mask & ~((1 << NF_IP6_LOCAL_IN)
- | (1 << NF_IP6_FORWARD)
- | (1 << NF_IP6_LOCAL_OUT))) != 0) {
- DEBUGP("ip6t_REJECT: bad hook mask %X\n", hook_mask);
- return 0;
- }
-
if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
printk("ip6t_REJECT: ECHOREPLY is not supported.\n");
return 0;
@@ -257,13 +239,16 @@ static int check(const char *tablename,
return 0;
}
}
-
return 1;
}
static struct ip6t_target ip6t_reject_reg = {
.name = "REJECT",
.target = reject6_target,
+ .targetsize = sizeof(struct ip6t_reject_info),
+ .table = "filter",
+ .hooks = (1 << NF_IP6_LOCAL_IN) | (1 << NF_IP6_FORWARD) |
+ (1 << NF_IP6_LOCAL_OUT),
.checkentry = check,
.me = THIS_MODULE
};
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index 219a303..28710ed 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -105,11 +105,6 @@ checkentry(const char *tablename,
{
const struct ip6t_ah *ahinfo = matchinfo;
- if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_ah))) {
- DEBUGP("ip6t_ah: matchsize %u != %u\n",
- matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_ah)));
- return 0;
- }
if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
DEBUGP("ip6t_ah: unknown flags %X\n", ahinfo->invflags);
return 0;
@@ -119,8 +114,9 @@ checkentry(const char *tablename,
static struct ip6t_match ah_match = {
.name = "ah",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ip6t_ah),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_dst.c b/net/ipv6/netfilter/ip6t_dst.c
index b4c153a..2fbde59 100644
--- a/net/ipv6/netfilter/ip6t_dst.c
+++ b/net/ipv6/netfilter/ip6t_dst.c
@@ -185,16 +185,10 @@ checkentry(const char *tablename,
{
const struct ip6t_opts *optsinfo = matchinfo;
- if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_opts))) {
- DEBUGP("ip6t_opts: matchsize %u != %u\n",
- matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_opts)));
- return 0;
- }
if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
DEBUGP("ip6t_opts: unknown flags %X\n", optsinfo->invflags);
return 0;
}
-
return 1;
}
@@ -204,8 +198,9 @@ static struct ip6t_match opts_match = {
#else
.name = "dst",
#endif
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ip6t_opts),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_esp.c b/net/ipv6/netfilter/ip6t_esp.c
index 724285d..ede7223 100644
--- a/net/ipv6/netfilter/ip6t_esp.c
+++ b/net/ipv6/netfilter/ip6t_esp.c
@@ -83,11 +83,6 @@ checkentry(const char *tablename,
{
const struct ip6t_esp *espinfo = matchinfo;
- if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_esp))) {
- DEBUGP("ip6t_esp: matchsize %u != %u\n",
- matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_esp)));
- return 0;
- }
if (espinfo->invflags & ~IP6T_ESP_INV_MASK) {
DEBUGP("ip6t_esp: unknown flags %X\n",
espinfo->invflags);
@@ -98,8 +93,9 @@ checkentry(const char *tablename,
static struct ip6t_match esp_match = {
.name = "esp",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ip6t_esp),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index 27396ac..bfee5be 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -60,30 +60,12 @@ match(const struct sk_buff *skb,
return 0;
}
-static int
-ip6t_eui64_checkentry(const char *tablename,
- const void *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (hook_mask
- & ~((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) |
- (1 << NF_IP6_FORWARD))) {
- printk("ip6t_eui64: only valid for PRE_ROUTING, LOCAL_IN or FORWARD.\n");
- return 0;
- }
-
- if (matchsize != IP6T_ALIGN(sizeof(int)))
- return 0;
-
- return 1;
-}
-
static struct ip6t_match eui64_match = {
.name = "eui64",
- .match = &match,
- .checkentry = &ip6t_eui64_checkentry,
+ .match = match,
+ .matchsize = sizeof(int),
+ .hooks = (1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) |
+ (1 << NF_IP6_FORWARD),
.me = THIS_MODULE,
};
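Review bot: `.matchsize = sizeof(int)` in eui64_match reproduces the old `IP6T_ALIGN(sizeof(int))` comparison, but as a registration field it reads as a magic value; a one-line comment saying what that int is (eui64 has no real match options) would spare the next reader a trip through the userspace side. The removed printk also loses the explicit "only valid for PRE_ROUTING, LOCAL_IN or FORWARD" message, which now has to come from the central `.hooks` check.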
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index 4c14125..305de9b 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -122,23 +122,18 @@ checkentry(const char *tablename,
{
const struct ip6t_frag *fraginfo = matchinfo;
- if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_frag))) {
- DEBUGP("ip6t_frag: matchsize %u != %u\n",
- matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_frag)));
- return 0;
- }
if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
DEBUGP("ip6t_frag: unknown flags %X\n", fraginfo->invflags);
return 0;
}
-
return 1;
}
static struct ip6t_match frag_match = {
.name = "frag",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ip6t_frag),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index 37a8474..ac8d479 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -185,16 +185,10 @@ checkentry(const char *tablename,
{
const struct ip6t_opts *optsinfo = matchinfo;
- if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_opts))) {
- DEBUGP("ip6t_opts: matchsize %u != %u\n",
- matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_opts)));
- return 0;
- }
if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
DEBUGP("ip6t_opts: unknown flags %X\n", optsinfo->invflags);
return 0;
}
-
return 1;
}
@@ -204,8 +198,9 @@ static struct ip6t_match opts_match = {
#else
.name = "dst",
#endif
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ip6t_opts),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c
index c5d9079..1eabb65 100644
--- a/net/ipv6/netfilter/ip6t_hl.c
+++ b/net/ipv6/netfilter/ip6t_hl.c
@@ -48,20 +48,10 @@ static int match(const struct sk_buff *s
return 0;
}
-static int checkentry(const char *tablename, const void *entry,
- void *matchinfo, unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_hl_info)))
- return 0;
-
- return 1;
-}
-
static struct ip6t_match hl_match = {
.name = "hl",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ip6t_hl_info),
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 83ad6b2..063032a 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -131,11 +131,6 @@ ipv6header_checkentry(const char *tablen
{
const struct ip6t_ipv6header_info *info = matchinfo;
- /* Check for obvious errors */
- /* This match is valid in all hooks! */
- if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info)))
- return 0;
-
/* invflags is 0 or 0xff in hard mode */
if ((!info->modeflag) && info->invflags != 0x00 &&
info->invflags != 0xFF)
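Review bot: the removed comment `/* This match is valid in all hooks! */` is still true and is now the reason ip6t_ipv6header_match sets no `.hooks`; suggest keeping it next to the registration rather than dropping it together with the size check.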
@@ -147,6 +142,7 @@ ipv6header_checkentry(const char *tablen
static struct ip6t_match ip6t_ipv6header_match = {
.name = "ipv6header",
.match = &ipv6header_match,
+ .matchsize = sizeof(struct ip6t_ipv6header_info),
.checkentry = &ipv6header_checkentry,
.destroy = NULL,
.me = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6t_multiport.c b/net/ipv6/netfilter/ip6t_multiport.c
index 49f7829..b86774d 100644
--- a/net/ipv6/netfilter/ip6t_multiport.c
+++ b/net/ipv6/netfilter/ip6t_multiport.c
@@ -92,13 +92,9 @@ checkentry(const char *tablename,
const struct ip6t_ip6 *ip = info;
const struct ip6t_multiport *multiinfo = matchinfo;
- if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_multiport)))
- return 0;
-
/* Must specify proto == TCP/UDP, no unknown flags or bad count */
return (ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP)
&& !(ip->invflags & IP6T_INV_PROTO)
- && matchsize == IP6T_ALIGN(sizeof(struct ip6t_multiport))
&& (multiinfo->flags == IP6T_MULTIPORT_SOURCE
|| multiinfo->flags == IP6T_MULTIPORT_DESTINATION
|| multiinfo->flags == IP6T_MULTIPORT_EITHER)
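Review bot: the remaining `ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP` / `IP6T_INV_PROTO` test is correctly left in checkentry, because `.proto` can express only one protocol (unlike the dccp conversion in this series); a short comment there would stop someone later "completing" the conversion by moving it to `.proto`. With both matchsize comparisons gone, `matchsize` is now an unused parameter in this function.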
@@ -107,8 +103,9 @@ checkentry(const char *tablename,
static struct ip6t_match multiport_match = {
.name = "multiport",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ip6t_multiport),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_owner.c b/net/ipv6/netfilter/ip6t_owner.c
index 8c8a4c7..e26cd6d 100644
--- a/net/ipv6/netfilter/ip6t_owner.c
+++ b/net/ipv6/netfilter/ip6t_owner.c
@@ -60,28 +60,20 @@ checkentry(const char *tablename,
{
const struct ip6t_owner_info *info = matchinfo;
- if (hook_mask
- & ~((1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING))) {
- printk("ip6t_owner: only valid for LOCAL_OUT or POST_ROUTING.\n");
- return 0;
- }
-
- if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_owner_info)))
- return 0;
-
if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
printk("ipt_owner: pid and sid matching "
"not supported anymore\n");
return 0;
}
-
return 1;
}
static struct ip6t_match owner_match = {
.name = "owner",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ip6t_owner_info),
+ .hooks = (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
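Review bot: the surviving printk in the pid/sid check is prefixed `ipt_owner:` although this is the IPv6 module; since the function is being reworked anyway, change it to `ip6t_owner:` so log lines point at the right module.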
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
index 3d39ec9..ac8a544 100644
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ b/net/ipv6/netfilter/ip6t_policy.c
@@ -125,11 +125,6 @@ static int checkentry(const char *tablen
{
struct ip6t_policy_info *info = matchinfo;
- if (matchsize != IP6T_ALIGN(sizeof(*info))) {
- printk(KERN_ERR "ip6t_policy: matchsize %u != %zu\n",
- matchsize, IP6T_ALIGN(sizeof(*info)));
- return 0;
- }
if (!(info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT))) {
printk(KERN_ERR "ip6t_policy: neither incoming nor "
"outgoing policy selected\n");
@@ -158,6 +153,7 @@ static int checkentry(const char *tablen
static struct ip6t_match policy_match = {
.name = "policy",
.match = match,
+ .matchsize = sizeof(struct ip6t_policy_info),
.checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 8f82476..a381074 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -200,11 +200,6 @@ checkentry(const char *tablename,
{
const struct ip6t_rt *rtinfo = matchinfo;
- if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_rt))) {
- DEBUGP("ip6t_rt: matchsize %u != %u\n",
- matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_rt)));
- return 0;
- }
if (rtinfo->invflags & ~IP6T_RT_INV_MASK) {
DEBUGP("ip6t_rt: unknown flags %X\n", rtinfo->invflags);
return 0;
@@ -222,8 +217,9 @@ checkentry(const char *tablename,
static struct ip6t_match rt_match = {
.name = "rt",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct ip6t_rt),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
* [NETFILTER 08/13]: Convert x_tables matches/targets to centralized error checking
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: Convert x_tables matches/targets to centralized error checking
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 17605235f23efeda52fa086e6dfa6dccd9ab915e
tree 37e5c5cbcafe0563c9f8deafb425b23c94a61f87
parent dff18dfa6d3b6ad94a5c5b8d185cb37cb6d2af57
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:07 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:07 +0100
net/netfilter/xt_CLASSIFY.c | 41 +++-------------
net/netfilter/xt_CONNMARK.c | 25 ++++------
net/netfilter/xt_MARK.c | 33 ++-----------
net/netfilter/xt_NFQUEUE.c | 23 +--------
net/netfilter/xt_NOTRACK.c | 44 +++++------------
net/netfilter/xt_comment.c | 17 +------
net/netfilter/xt_connbytes.c | 13 ++---
net/netfilter/xt_connmark.c | 26 +++++-----
net/netfilter/xt_conntrack.c | 16 +-----
net/netfilter/xt_dccp.c | 43 ++++-------------
net/netfilter/xt_helper.c | 15 ++----
net/netfilter/xt_length.c | 22 ++-------
net/netfilter/xt_limit.c | 5 +-
net/netfilter/xt_mac.c | 33 +++----------
net/netfilter/xt_mark.c | 14 ++---
net/netfilter/xt_physdev.c | 12 ++---
net/netfilter/xt_pkttype.c | 22 ++-------
net/netfilter/xt_realm.c | 26 ++--------
net/netfilter/xt_sctp.c | 64 +++++++------------------
net/netfilter/xt_state.c | 20 ++------
net/netfilter/xt_string.c | 5 +-
net/netfilter/xt_tcpmss.c | 51 ++------------------
net/netfilter/xt_tcpudp.c | 108 +++++++++---------------------------------
23 files changed, 167 insertions(+), 511 deletions(-)
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 78ee266..6b36e84 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -39,47 +39,22 @@ target(struct sk_buff **pskb,
return XT_CONTINUE;
}
-static int
-checkentry(const char *tablename,
- const void *e,
- void *targinfo,
- unsigned int targinfosize,
- unsigned int hook_mask)
-{
- if (targinfosize != XT_ALIGN(sizeof(struct xt_classify_target_info))){
- printk(KERN_ERR "CLASSIFY: invalid size (%u != %Zu).\n",
- targinfosize,
- XT_ALIGN(sizeof(struct xt_classify_target_info)));
- return 0;
- }
-
- if (hook_mask & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
- (1 << NF_IP_POST_ROUTING))) {
- printk(KERN_ERR "CLASSIFY: only valid in LOCAL_OUT, FORWARD "
- "and POST_ROUTING.\n");
- return 0;
- }
-
- if (strcmp(tablename, "mangle") != 0) {
- printk(KERN_ERR "CLASSIFY: can only be called from "
- "\"mangle\" table, not \"%s\".\n",
- tablename);
- return 0;
- }
-
- return 1;
-}
-
static struct xt_target classify_reg = {
.name = "CLASSIFY",
.target = target,
- .checkentry = checkentry,
+ .targetsize = sizeof(struct xt_classify_target_info),
+ .table = "mangle",
+ .hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
+ (1 << NF_IP_POST_ROUTING),
.me = THIS_MODULE,
};
static struct xt_target classify6_reg = {
.name = "CLASSIFY",
.target = target,
- .checkentry = checkentry,
+ .targetsize = sizeof(struct xt_classify_target_info),
+ .table = "mangle",
+ .hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
+ (1 << NF_IP_POST_ROUTING),
.me = THIS_MODULE,
};
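Review bot: classify6_reg sets `.hooks` with the IPv4 names NF_IP_LOCAL_OUT / NF_IP_FORWARD / NF_IP_POST_ROUTING; the values coincide with NF_IP6_*, so it works, but the IPv6 registration should use the NF_IP6_* names to make that explicit. The identical `.hooks` expression and `.table` are now duplicated between classify_reg and classify6_reg; a shared `#define` for the hook mask would keep the two from drifting.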
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index 22506e3..b269ba9 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -79,12 +79,6 @@ checkentry(const char *tablename,
unsigned int hook_mask)
{
struct xt_connmark_target_info *matchinfo = targinfo;
- if (targinfosize != XT_ALIGN(sizeof(struct xt_connmark_target_info))) {
- printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
- targinfosize,
- XT_ALIGN(sizeof(struct xt_connmark_target_info)));
- return 0;
- }
if (matchinfo->mode == XT_CONNMARK_RESTORE) {
if (strcmp(tablename, "mangle") != 0) {
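Review bot: in this hunk the target's private data is held in a local called `matchinfo` (`struct xt_connmark_target_info *matchinfo = targinfo;`), which is confusing in a target; renaming it to `info` while the size check is being removed would help. The `strcmp(tablename, "mangle")` that remains is right to stay in checkentry, since it applies only to XT_CONNMARK_RESTORE and cannot be expressed with `.table`.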
@@ -102,16 +96,19 @@ checkentry(const char *tablename,
}
static struct xt_target connmark_reg = {
- .name = "CONNMARK",
- .target = &target,
- .checkentry = &checkentry,
- .me = THIS_MODULE
+ .name = "CONNMARK",
+ .target = target,
+ .targetsize = sizeof(struct xt_connmark_target_info),
+ .checkentry = checkentry,
+ .me = THIS_MODULE
};
+
static struct xt_target connmark6_reg = {
- .name = "CONNMARK",
- .target = &target,
- .checkentry = &checkentry,
- .me = THIS_MODULE
+ .name = "CONNMARK",
+ .target = target,
+ .targetsize = sizeof(struct xt_connmark_target_info),
+ .checkentry = checkentry,
+ .me = THIS_MODULE
};
static int __init init(void)
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 0c11ee9..1bc968b 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -78,23 +78,10 @@ checkentry_v0(const char *tablename,
{
struct xt_mark_target_info *markinfo = targinfo;
- if (targinfosize != XT_ALIGN(sizeof(struct xt_mark_target_info))) {
- printk(KERN_WARNING "MARK: targinfosize %u != %Zu\n",
- targinfosize,
- XT_ALIGN(sizeof(struct xt_mark_target_info)));
- return 0;
- }
-
- if (strcmp(tablename, "mangle") != 0) {
- printk(KERN_WARNING "MARK: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
- return 0;
- }
-
if (markinfo->mark > 0xffffffff) {
printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
return 0;
}
-
return 1;
}
@@ -107,18 +94,6 @@ checkentry_v1(const char *tablename,
{
struct xt_mark_target_info_v1 *markinfo = targinfo;
- if (targinfosize != XT_ALIGN(sizeof(struct xt_mark_target_info_v1))){
- printk(KERN_WARNING "MARK: targinfosize %u != %Zu\n",
- targinfosize,
- XT_ALIGN(sizeof(struct xt_mark_target_info_v1)));
- return 0;
- }
-
- if (strcmp(tablename, "mangle") != 0) {
- printk(KERN_WARNING "MARK: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
- return 0;
- }
-
if (markinfo->mode != XT_MARK_SET
&& markinfo->mode != XT_MARK_AND
&& markinfo->mode != XT_MARK_OR) {
@@ -126,18 +101,18 @@ checkentry_v1(const char *tablename,
markinfo->mode);
return 0;
}
-
if (markinfo->mark > 0xffffffff) {
printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
return 0;
}
-
return 1;
}
static struct xt_target ipt_mark_reg_v0 = {
.name = "MARK",
.target = target_v0,
+ .targetsize = sizeof(struct xt_mark_target_info),
+ .table = "mangle",
.checkentry = checkentry_v0,
.me = THIS_MODULE,
.revision = 0,
@@ -146,6 +121,8 @@ static struct xt_target ipt_mark_reg_v0
static struct xt_target ipt_mark_reg_v1 = {
.name = "MARK",
.target = target_v1,
+ .targetsize = sizeof(struct xt_mark_target_info_v1),
+ .table = "mangle",
.checkentry = checkentry_v1,
.me = THIS_MODULE,
.revision = 1,
@@ -154,6 +131,8 @@ static struct xt_target ipt_mark_reg_v1
static struct xt_target ip6t_mark_reg_v0 = {
.name = "MARK",
.target = target_v0,
+ .targetsize = sizeof(struct xt_mark_target_info),
+ .table = "mangle",
.checkentry = checkentry_v0,
.me = THIS_MODULE,
.revision = 0,
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 8b76b6f..b1da0ad 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -36,41 +36,24 @@ target(struct sk_buff **pskb,
return NF_QUEUE_NR(tinfo->queuenum);
}
-static int
-checkentry(const char *tablename,
- const void *entry,
- void *targinfo,
- unsigned int targinfosize,
- unsigned int hook_mask)
-{
- if (targinfosize != XT_ALIGN(sizeof(struct xt_NFQ_info))) {
- printk(KERN_WARNING "NFQUEUE: targinfosize %u != %Zu\n",
- targinfosize,
- XT_ALIGN(sizeof(struct xt_NFQ_info)));
- return 0;
- }
-
- return 1;
-}
-
static struct xt_target ipt_NFQ_reg = {
.name = "NFQUEUE",
.target = target,
- .checkentry = checkentry,
+ .targetsize = sizeof(struct xt_NFQ_info),
.me = THIS_MODULE,
};
static struct xt_target ip6t_NFQ_reg = {
.name = "NFQUEUE",
.target = target,
- .checkentry = checkentry,
+ .targetsize = sizeof(struct xt_NFQ_info),
.me = THIS_MODULE,
};
static struct xt_target arpt_NFQ_reg = {
.name = "NFQUEUE",
.target = target,
- .checkentry = checkentry,
+ .targetsize = sizeof(struct xt_NFQ_info),
.me = THIS_MODULE,
};
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index 24d477a..8bacbe1 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -33,38 +33,20 @@ target(struct sk_buff **pskb,
return XT_CONTINUE;
}
-static int
-checkentry(const char *tablename,
- const void *entry,
- void *targinfo,
- unsigned int targinfosize,
- unsigned int hook_mask)
-{
- if (targinfosize != 0) {
- printk(KERN_WARNING "NOTRACK: targinfosize %u != 0\n",
- targinfosize);
- return 0;
- }
-
- if (strcmp(tablename, "raw") != 0) {
- printk(KERN_WARNING "NOTRACK: can only be called from \"raw\" table, not \"%s\"\n", tablename);
- return 0;
- }
-
- return 1;
-}
-
-static struct xt_target notrack_reg = {
- .name = "NOTRACK",
- .target = target,
- .checkentry = checkentry,
- .me = THIS_MODULE,
+static struct xt_target notrack_reg = {
+ .name = "NOTRACK",
+ .target = target,
+ .targetsize = 0,
+ .table = "raw",
+ .me = THIS_MODULE,
};
-static struct xt_target notrack6_reg = {
- .name = "NOTRACK",
- .target = target,
- .checkentry = checkentry,
- .me = THIS_MODULE,
+
+static struct xt_target notrack6_reg = {
+ .name = "NOTRACK",
+ .target = target,
+ .targetsize = 0,
+ .table = "raw",
+ .me = THIS_MODULE,
};
static int __init init(void)
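Review bot: `.targetsize = 0` on notrack_reg and notrack6_reg replaces an explicit `targinfosize != 0` rejection; since 0 is also what an unset field reads as, the central checker must treat a zero `targetsize` as "must be exactly zero" rather than "not specified", otherwise NOTRACK now accepts target data of any size. Please confirm which semantics x_tables implements, and consider a comment on the field either way. The rest of the hunk is whitespace-only realignment of the two initialisers, which inflates the diff; splitting that out would make the functional change easier to read.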
diff --git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index 4ba6fd6..b3f07aa 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -28,30 +28,17 @@ match(const struct sk_buff *skb,
return 1;
}
-static int
-checkentry(const char *tablename,
- const void *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- /* Check the size */
- if (matchsize != XT_ALIGN(sizeof(struct xt_comment_info)))
- return 0;
- return 1;
-}
-
static struct xt_match comment_match = {
.name = "comment",
.match = match,
- .checkentry = checkentry,
+ .matchsize = sizeof(struct xt_comment_info),
.me = THIS_MODULE
};
static struct xt_match comment6_match = {
.name = "comment",
.match = match,
- .checkentry = checkentry,
+ .matchsize = sizeof(struct xt_comment_info),
.me = THIS_MODULE
};
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 150d2a4..d985135 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -128,9 +128,6 @@ static int check(const char *tablename,
{
const struct xt_connbytes_info *sinfo = matchinfo;
- if (matchsize != XT_ALIGN(sizeof(struct xt_connbytes_info)))
- return 0;
-
if (sinfo->what != XT_CONNBYTES_PKTS &&
sinfo->what != XT_CONNBYTES_BYTES &&
sinfo->what != XT_CONNBYTES_AVGPKT)
@@ -146,14 +143,16 @@ static int check(const char *tablename,
static struct xt_match connbytes_match = {
.name = "connbytes",
- .match = &match,
- .checkentry = &check,
+ .match = match,
+ .checkentry = check,
+ .matchsize = sizeof(struct xt_connbytes_info),
.me = THIS_MODULE
};
static struct xt_match connbytes6_match = {
.name = "connbytes",
- .match = &match,
- .checkentry = &check,
+ .match = match,
+ .checkentry = check,
+ .matchsize = sizeof(struct xt_connbytes_info),
.me = THIS_MODULE
};
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index d06e925..2bb987f 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -56,33 +56,31 @@ checkentry(const char *tablename,
unsigned int matchsize,
unsigned int hook_mask)
{
- struct xt_connmark_info *cm =
- (struct xt_connmark_info *)matchinfo;
- if (matchsize != XT_ALIGN(sizeof(struct xt_connmark_info)))
- return 0;
+ struct xt_connmark_info *cm = (struct xt_connmark_info *)matchinfo;
if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
printk(KERN_WARNING "connmark: only support 32bit mark\n");
return 0;
}
-
return 1;
}
static struct xt_match connmark_match = {
- .name = "connmark",
- .match = &match,
- .checkentry = &checkentry,
- .me = THIS_MODULE
+ .name = "connmark",
+ .match = match,
+ .matchsize = sizeof(struct xt_connmark_info),
+ .checkentry = checkentry,
+ .me = THIS_MODULE
};
+
static struct xt_match connmark6_match = {
- .name = "connmark",
- .match = &match,
- .checkentry = &checkentry,
- .me = THIS_MODULE
+ .name = "connmark",
+ .match = match,
+ .matchsize = sizeof(struct xt_connmark_info),
+ .checkentry = checkentry,
+ .me = THIS_MODULE
};
-
static int __init init(void)
{
int ret;
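Review bot: the rewritten line `struct xt_connmark_info *cm = (struct xt_connmark_info *)matchinfo;` keeps a cast that is unnecessary because `matchinfo` is `void *`; other files in this series drop it (e.g. `const struct xt_dccp_info *info = matchinfo;`), so drop it here too while the line is being touched. The re-indentation of connmark_match / connmark6_match is whitespace-only churn.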
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index ffdebc9..45a5a7d 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -201,22 +201,10 @@ match(const struct sk_buff *skb,
#endif /* CONFIG_NF_IP_CONNTRACK */
-static int check(const char *tablename,
- const void *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (matchsize != XT_ALIGN(sizeof(struct xt_conntrack_info)))
- return 0;
-
- return 1;
-}
-
static struct xt_match conntrack_match = {
.name = "conntrack",
- .match = &match,
- .checkentry = &check,
+ .match = match,
+ .matchsize = sizeof(struct xt_conntrack_info),
.me = THIS_MODULE,
};
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 779f42f..06e9ef2 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -133,52 +133,29 @@ checkentry(const char *tablename,
unsigned int matchsize,
unsigned int hook_mask)
{
- const struct ipt_ip *ip = inf;
- const struct xt_dccp_info *info;
+ const struct xt_dccp_info *info = matchinfo;
- info = (const struct xt_dccp_info *)matchinfo;
-
- return ip->proto == IPPROTO_DCCP
- && !(ip->invflags & XT_INV_PROTO)
- && matchsize == XT_ALIGN(sizeof(struct xt_dccp_info))
- && !(info->flags & ~XT_DCCP_VALID_FLAGS)
+ return !(info->flags & ~XT_DCCP_VALID_FLAGS)
&& !(info->invflags & ~XT_DCCP_VALID_FLAGS)
&& !(info->invflags & ~info->flags);
}
-static int
-checkentry6(const char *tablename,
- const void *inf,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- const struct ip6t_ip6 *ip = inf;
- const struct xt_dccp_info *info;
-
- info = (const struct xt_dccp_info *)matchinfo;
-
- return ip->proto == IPPROTO_DCCP
- && !(ip->invflags & XT_INV_PROTO)
- && matchsize == XT_ALIGN(sizeof(struct xt_dccp_info))
- && !(info->flags & ~XT_DCCP_VALID_FLAGS)
- && !(info->invflags & ~XT_DCCP_VALID_FLAGS)
- && !(info->invflags & ~info->flags);
-}
-
-
static struct xt_match dccp_match =
{
.name = "dccp",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct xt_dccp_info),
+ .proto = IPPROTO_DCCP,
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
static struct xt_match dccp6_match =
{
.name = "dccp",
- .match = &match,
- .checkentry = &checkentry6,
+ .match = match,
+ .matchsize = sizeof(struct xt_dccp_info),
+ .proto = IPPROTO_DCCP,
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
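Review bot: the removed checkentry/checkentry6 also rejected an inverted protocol match (`!(ip->invflags & XT_INV_PROTO)`); `.proto = IPPROTO_DCCP` covers the `ip->proto == IPPROTO_DCCP` half only if the central check also refuses entries whose protocol is inverted. Please confirm x_tables enforces that, since a `! -p dccp -m dccp` rule would otherwise now be accepted where it was rejected before.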
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index c451169..70bc00f 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -142,24 +142,21 @@ static int check(const char *tablename,
struct xt_helper_info *info = matchinfo;
info->name[29] = '\0';
-
- /* verify size */
- if (matchsize != XT_ALIGN(sizeof(struct xt_helper_info)))
- return 0;
-
return 1;
}
static struct xt_match helper_match = {
.name = "helper",
- .match = &match,
- .checkentry = &check,
+ .match = match,
+ .matchsize = sizeof(struct xt_helper_info),
+ .checkentry = check,
.me = THIS_MODULE,
};
static struct xt_match helper6_match = {
.name = "helper",
- .match = &match,
- .checkentry = &check,
+ .match = match,
+ .matchsize = sizeof(struct xt_helper_info),
+ .checkentry = check,
.me = THIS_MODULE,
};
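Review bot: `info->name[29] = '\0';` hardcodes the terminator index; with the size check now performed centrally before checkentry runs, the write is safe, but `info->name[sizeof(info->name) - 1] = '\0';` would keep it correct if the struct ever changes. The removed `/* verify size */` comment and blank lines are otherwise the only changes in the function.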
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index 39c8fae..11a2812 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -50,29 +50,17 @@ match6(const struct sk_buff *skb,
return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
}
-static int
-checkentry(const char *tablename,
- const void *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (matchsize != XT_ALIGN(sizeof(struct xt_length_info)))
- return 0;
-
- return 1;
-}
-
static struct xt_match length_match = {
.name = "length",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct xt_length_info),
.me = THIS_MODULE,
};
+
static struct xt_match length6_match = {
.name = "length",
- .match = &match6,
- .checkentry = &checkentry,
+ .match = match6,
+ .matchsize = sizeof(struct xt_length_info),
.me = THIS_MODULE,
};
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 15e4050..dec3f02 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -113,9 +113,6 @@ ipt_limit_checkentry(const char *tablena
{
struct xt_rateinfo *r = matchinfo;
- if (matchsize != XT_ALIGN(sizeof(struct xt_rateinfo)))
- return 0;
-
/* Check for overflow. */
if (r->burst == 0
|| user2credits(r->avg * r->burst) < user2credits(r->avg)) {
@@ -140,12 +137,14 @@ ipt_limit_checkentry(const char *tablena
static struct xt_match ipt_limit_reg = {
.name = "limit",
.match = ipt_limit_match,
+ .matchsize = sizeof(struct xt_rateinfo),
.checkentry = ipt_limit_checkentry,
.me = THIS_MODULE,
};
static struct xt_match limit6_reg = {
.name = "limit",
.match = ipt_limit_match,
+ .matchsize = sizeof(struct xt_rateinfo),
.checkentry = ipt_limit_checkentry,
.me = THIS_MODULE,
};
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 0461dcb..e207726 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -42,37 +42,20 @@ match(const struct sk_buff *skb,
^ info->invert));
}
-static int
-ipt_mac_checkentry(const char *tablename,
- const void *inf,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- /* FORWARD isn't always valid, but it's nice to be able to do --RR */
- if (hook_mask
- & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN)
- | (1 << NF_IP_FORWARD))) {
- printk("xt_mac: only valid for PRE_ROUTING, LOCAL_IN or FORWARD.\n");
- return 0;
- }
-
- if (matchsize != XT_ALIGN(sizeof(struct xt_mac_info)))
- return 0;
-
- return 1;
-}
-
static struct xt_match mac_match = {
.name = "mac",
- .match = &match,
- .checkentry = &ipt_mac_checkentry,
+ .match = match,
+ .matchsize = sizeof(struct xt_mac_info),
+ .hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) |
+ (1 << NF_IP_FORWARD),
.me = THIS_MODULE,
};
static struct xt_match mac6_match = {
.name = "mac",
- .match = &match,
- .checkentry = &ipt_mac_checkentry,
+ .match = match,
+ .matchsize = sizeof(struct xt_mac_info),
+ .hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) |
+ (1 << NF_IP_FORWARD),
.me = THIS_MODULE,
};
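Review bot: the removed comment `/* FORWARD isn't always valid, but it's nice to be able to do --RR */` documents a deliberate choice in the hook mask that is now encoded in `.hooks`; keep it next to the registration so the NF_IP_FORWARD bit is not "cleaned up" later. Also, mac6_match uses the NF_IP_* names for the IPv6 hook mask; the values match NF_IP6_*, but the IPv6 names would be clearer.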
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 2a0ac62..b21b94a 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -42,28 +42,26 @@ checkentry(const char *tablename,
{
struct xt_mark_info *minfo = (struct xt_mark_info *) matchinfo;
- if (matchsize != XT_ALIGN(sizeof(struct xt_mark_info)))
- return 0;
-
if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) {
printk(KERN_WARNING "mark: only supports 32bit mark\n");
return 0;
}
-
return 1;
}
static struct xt_match mark_match = {
.name = "mark",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct xt_mark_info),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
static struct xt_match mark6_match = {
.name = "mark",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct xt_mark_info),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 19bb57c..5afc417 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -108,8 +108,6 @@ checkentry(const char *tablename,
{
const struct xt_physdev_info *info = matchinfo;
- if (matchsize != XT_ALIGN(sizeof(struct xt_physdev_info)))
- return 0;
if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
info->bitmask & ~XT_PHYSDEV_OP_MASK)
return 0;
@@ -118,15 +116,17 @@ checkentry(const char *tablename,
static struct xt_match physdev_match = {
.name = "physdev",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct xt_physdev_info),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
static struct xt_match physdev6_match = {
.name = "physdev",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct xt_physdev_info),
+ .checkentry = checkentry,
.me = THIS_MODULE,
};
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index ab1b263..872bb2a 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -32,32 +32,20 @@ static int match(const struct sk_buff *s
return (skb->pkt_type == info->pkttype) ^ info->invert;
}
-static int checkentry(const char *tablename,
- const void *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (matchsize != XT_ALIGN(sizeof(struct xt_pkttype_info)))
- return 0;
-
- return 1;
-}
-
static struct xt_match pkttype_match = {
.name = "pkttype",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct xt_pkttype_info),
.me = THIS_MODULE,
};
+
static struct xt_match pkttype6_match = {
.name = "pkttype",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct xt_pkttype_info),
.me = THIS_MODULE,
};
-
static int __init init(void)
{
int ret;
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 2b7e178..249e0a3 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -38,30 +38,12 @@ match(const struct sk_buff *skb,
return (info->id == (dst->tclassid & info->mask)) ^ info->invert;
}
-static int check(const char *tablename,
- const void *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (hook_mask
- & ~((1 << NF_IP_POST_ROUTING) | (1 << NF_IP_FORWARD) |
- (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_LOCAL_IN))) {
- printk("xt_realm: only valid for POST_ROUTING, LOCAL_OUT, "
- "LOCAL_IN or FORWARD.\n");
- return 0;
- }
- if (matchsize != XT_ALIGN(sizeof(struct xt_realm_info))) {
- printk("xt_realm: invalid matchsize.\n");
- return 0;
- }
- return 1;
-}
-
static struct xt_match realm_match = {
.name = "realm",
- .match = match,
- .checkentry = check,
+ .match = match,
+ .matchsize = sizeof(struct xt_realm_info),
+ .hooks = (1 << NF_IP_POST_ROUTING) | (1 << NF_IP_FORWARD) |
+ (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_LOCAL_IN),
.me = THIS_MODULE
};
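Review bot: moving the hook restriction into `.hooks` silently drops the "xt_realm: only valid for POST_ROUTING, LOCAL_OUT, LOCAL_IN or FORWARD." message. The rule is still rejected by the generic x_tables check, but the user-facing hint about which hooks are allowed now depends entirely on that generic code logging the valid hook mask; please confirm it does, or the change costs diagnosability for realm users.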
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 10fbfc5..f0a25e5 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -166,40 +166,9 @@ checkentry(const char *tablename,
unsigned int matchsize,
unsigned int hook_mask)
{
- const struct xt_sctp_info *info;
- const struct ipt_ip *ip = inf;
+ const struct xt_sctp_info *info = matchinfo;
- info = (const struct xt_sctp_info *)matchinfo;
-
- return ip->proto == IPPROTO_SCTP
- && !(ip->invflags & XT_INV_PROTO)
- && matchsize == XT_ALIGN(sizeof(struct xt_sctp_info))
- && !(info->flags & ~XT_SCTP_VALID_FLAGS)
- && !(info->invflags & ~XT_SCTP_VALID_FLAGS)
- && !(info->invflags & ~info->flags)
- && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) ||
- (info->chunk_match_type &
- (SCTP_CHUNK_MATCH_ALL
- | SCTP_CHUNK_MATCH_ANY
- | SCTP_CHUNK_MATCH_ONLY)));
-}
-
-static int
-checkentry6(const char *tablename,
- const void *inf,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- const struct xt_sctp_info *info;
- const struct ip6t_ip6 *ip = inf;
-
- info = (const struct xt_sctp_info *)matchinfo;
-
- return ip->proto == IPPROTO_SCTP
- && !(ip->invflags & XT_INV_PROTO)
- && matchsize == XT_ALIGN(sizeof(struct xt_sctp_info))
- && !(info->flags & ~XT_SCTP_VALID_FLAGS)
+ return !(info->flags & ~XT_SCTP_VALID_FLAGS)
&& !(info->invflags & ~XT_SCTP_VALID_FLAGS)
&& !(info->invflags & ~info->flags)
&& ((!(info->flags & XT_SCTP_CHUNK_TYPES)) ||
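Review bot: the deleted checks tested two things, `ip->proto == IPPROTO_SCTP` and `!(ip->invflags & XT_INV_PROTO)`; `.proto = IPPROTO_SCTP` must cover both, i.e. the generic check has to reject an inverted protocol (`! -p sctp`) as well as a missing one, otherwise this hunk changes semantics. Also note that `inf` and `matchsize` are no longer used in the remaining checkentry (fine, the signature is dictated by the callback type, but the unified function now needs no per-family variant, which is the point).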
@@ -209,22 +178,23 @@ checkentry6(const char *tablename,
| SCTP_CHUNK_MATCH_ONLY)));
}
-
-static struct xt_match sctp_match =
-{
- .name = "sctp",
- .match = &match,
- .checkentry = &checkentry,
- .me = THIS_MODULE
-};
-static struct xt_match sctp6_match =
-{
- .name = "sctp",
- .match = &match,
- .checkentry = &checkentry6,
- .me = THIS_MODULE
+static struct xt_match sctp_match = {
+ .name = "sctp",
+ .match = match,
+ .matchsize = sizeof(struct xt_sctp_info),
+ .proto = IPPROTO_SCTP,
+ .checkentry = checkentry,
+ .me = THIS_MODULE
};
+static struct xt_match sctp6_match = {
+ .name = "sctp",
+ .match = match,
+ .matchsize = sizeof(struct xt_sctp_info),
+ .proto = IPPROTO_SCTP,
+ .checkentry = checkentry,
+ .me = THIS_MODULE
+};
static int __init init(void)
{
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 39ce808..9a7d6df 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -43,29 +43,17 @@ match(const struct sk_buff *skb,
return (sinfo->statemask & statebit);
}
-static int check(const char *tablename,
- const void *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (matchsize != XT_ALIGN(sizeof(struct xt_state_info)))
- return 0;
-
- return 1;
-}
-
static struct xt_match state_match = {
.name = "state",
- .match = &match,
- .checkentry = &check,
+ .match = match,
+ .matchsize = sizeof(struct xt_state_info),
.me = THIS_MODULE,
};
static struct xt_match state6_match = {
.name = "state",
- .match = &match,
- .checkentry = &check,
+ .match = match,
+ .matchsize = sizeof(struct xt_state_info),
.me = THIS_MODULE,
};
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 7c7d5c8..c3efd37 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -50,9 +50,6 @@ static int checkentry(const char *tablen
struct xt_string_info *conf = matchinfo;
struct ts_config *ts_conf;
- if (matchsize != XT_ALIGN(sizeof(struct xt_string_info)))
- return 0;
-
/* Damn, can't handle this case properly with iptables... */
if (conf->from_offset > conf->to_offset)
return 0;
@@ -75,6 +72,7 @@ static void destroy(void *matchinfo, uns
static struct xt_match string_match = {
.name = "string",
.match = match,
+ .matchsize = sizeof(struct xt_string_info),
.checkentry = checkentry,
.destroy = destroy,
.me = THIS_MODULE
@@ -82,6 +80,7 @@ static struct xt_match string_match = {
static struct xt_match string6_match = {
.name = "string",
.match = match,
+ .matchsize = sizeof(struct xt_string_info),
.checkentry = checkentry,
.destroy = destroy,
.me = THIS_MODULE
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index acf7f53..95d8611 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -92,58 +92,19 @@ match(const struct sk_buff *skb,
info->invert, hotdrop);
}
-static int
-checkentry(const char *tablename,
- const void *ipinfo,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- const struct ipt_ip *ip = ipinfo;
- if (matchsize != XT_ALIGN(sizeof(struct xt_tcpmss_match_info)))
- return 0;
-
- /* Must specify -p tcp */
- if (ip->proto != IPPROTO_TCP || (ip->invflags & IPT_INV_PROTO)) {
- printk("tcpmss: Only works on TCP packets\n");
- return 0;
- }
-
- return 1;
-}
-
-static int
-checkentry6(const char *tablename,
- const void *ipinfo,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- const struct ip6t_ip6 *ip = ipinfo;
-
- if (matchsize != XT_ALIGN(sizeof(struct xt_tcpmss_match_info)))
- return 0;
-
- /* Must specify -p tcp */
- if (ip->proto != IPPROTO_TCP || (ip->invflags & XT_INV_PROTO)) {
- printk("tcpmss: Only works on TCP packets\n");
- return 0;
- }
-
- return 1;
-}
-
static struct xt_match tcpmss_match = {
.name = "tcpmss",
- .match = &match,
- .checkentry = &checkentry,
+ .match = match,
+ .matchsize = sizeof(struct xt_tcpmss_match_info),
+ .proto = IPPROTO_TCP,
.me = THIS_MODULE,
};
static struct xt_match tcpmss6_match = {
.name = "tcpmss",
- .match = &match,
- .checkentry = &checkentry6,
+ .match = match,
+ .matchsize = sizeof(struct xt_tcpmss_match_info),
+ .proto = IPPROTO_TCP,
.me = THIS_MODULE,
};
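Review bot: as with the other `.proto` conversions, the explicit "tcpmss: Only works on TCP packets" message disappears, so a rule without `-p tcp` is now rejected with whatever the generic check prints. The collapsed IPv4/IPv6 variants differed only in testing IPT_INV_PROTO versus XT_INV_PROTO, which are the same flag, so merging them into one `.proto` field is behaviour-preserving apart from the message.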
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 669c811..9d01f07 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -142,35 +142,12 @@ tcp_checkentry(const char *tablename,
unsigned int matchsize,
unsigned int hook_mask)
{
- const struct ipt_ip *ip = info;
const struct xt_tcp *tcpinfo = matchinfo;
- /* Must specify proto == TCP, and no unknown invflags */
- return ip->proto == IPPROTO_TCP
- && !(ip->invflags & XT_INV_PROTO)
- && matchsize == XT_ALIGN(sizeof(struct xt_tcp))
- && !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
+ /* Must specify no unknown invflags */
+ return !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
}
-/* Called when user tries to insert an entry of this type. */
-static int
-tcp6_checkentry(const char *tablename,
- const void *entry,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- const struct ip6t_ip6 *ipv6 = entry;
- const struct xt_tcp *tcpinfo = matchinfo;
-
- /* Must specify proto == TCP, and no unknown invflags */
- return ipv6->proto == IPPROTO_TCP
- && !(ipv6->invflags & XT_INV_PROTO)
- && matchsize == XT_ALIGN(sizeof(struct xt_tcp))
- && !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
-}
-
-
static int
udp_match(const struct sk_buff *skb,
const struct net_device *in,
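Review bot: the replacement comment "Must specify no unknown invflags" reads awkwardly; "Reject unknown invflags" says what the remaining check does. With the protocol test moved to `.proto`, `info` is no longer dereferenced in tcp_checkentry, which is expected, but the old comment's "proto == TCP" half should not survive in any form that suggests the function still checks it.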
@@ -209,86 +186,47 @@ static int
udp_checkentry(const char *tablename,
const void *info,
void *matchinfo,
- unsigned int matchinfosize,
- unsigned int hook_mask)
-{
- const struct ipt_ip *ip = info;
- const struct xt_udp *udpinfo = matchinfo;
-
- /* Must specify proto == UDP, and no unknown invflags */
- if (ip->proto != IPPROTO_UDP || (ip->invflags & XT_INV_PROTO)) {
- duprintf("ipt_udp: Protocol %u != %u\n", ip->proto,
- IPPROTO_UDP);
- return 0;
- }
- if (matchinfosize != XT_ALIGN(sizeof(struct xt_udp))) {
- duprintf("ipt_udp: matchsize %u != %u\n",
- matchinfosize, XT_ALIGN(sizeof(struct xt_udp)));
- return 0;
- }
- if (udpinfo->invflags & ~XT_UDP_INV_MASK) {
- duprintf("ipt_udp: unknown flags %X\n",
- udpinfo->invflags);
- return 0;
- }
-
- return 1;
-}
-
-/* Called when user tries to insert an entry of this type. */
-static int
-udp6_checkentry(const char *tablename,
- const void *entry,
- void *matchinfo,
- unsigned int matchinfosize,
+ unsigned int matchsize,
unsigned int hook_mask)
{
- const struct ip6t_ip6 *ipv6 = entry;
- const struct xt_udp *udpinfo = matchinfo;
+ const struct xt_tcp *udpinfo = matchinfo;
- /* Must specify proto == UDP, and no unknown invflags */
- if (ipv6->proto != IPPROTO_UDP || (ipv6->invflags & XT_INV_PROTO)) {
- duprintf("ip6t_udp: Protocol %u != %u\n", ipv6->proto,
- IPPROTO_UDP);
- return 0;
- }
- if (matchinfosize != XT_ALIGN(sizeof(struct xt_udp))) {
- duprintf("ip6t_udp: matchsize %u != %u\n",
- matchinfosize, XT_ALIGN(sizeof(struct xt_udp)));
- return 0;
- }
- if (udpinfo->invflags & ~XT_UDP_INV_MASK) {
- duprintf("ip6t_udp: unknown flags %X\n",
- udpinfo->invflags);
- return 0;
- }
-
- return 1;
+ /* Must specify no unknown invflags */
+ return !(udpinfo->invflags & ~XT_UDP_INV_MASK);
}
static struct xt_match tcp_matchstruct = {
.name = "tcp",
- .match = &tcp_match,
- .checkentry = &tcp_checkentry,
+ .match = tcp_match,
+ .matchsize = sizeof(struct xt_tcp),
+ .proto = IPPROTO_TCP,
+ .checkentry = tcp_checkentry,
.me = THIS_MODULE,
};
+
static struct xt_match tcp6_matchstruct = {
.name = "tcp",
- .match = &tcp_match,
- .checkentry = &tcp6_checkentry,
+ .match = tcp_match,
+ .matchsize = sizeof(struct xt_tcp),
+ .proto = IPPROTO_TCP,
+ .checkentry = tcp_checkentry,
.me = THIS_MODULE,
};
static struct xt_match udp_matchstruct = {
.name = "udp",
- .match = &udp_match,
- .checkentry = &udp_checkentry,
+ .match = udp_match,
+ .matchsize = sizeof(struct xt_udp),
+ .proto = IPPROTO_UDP,
+ .checkentry = udp_checkentry,
.me = THIS_MODULE,
};
static struct xt_match udp6_matchstruct = {
.name = "udp",
- .match = &udp_match,
- .checkentry = &udp6_checkentry,
+ .match = udp_match,
+ .matchsize = sizeof(struct xt_udp),
+ .proto = IPPROTO_UDP,
+ .checkentry = udp_checkentry,
.me = THIS_MODULE,
};
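Review bot: `const struct xt_tcp *udpinfo = matchinfo;` in udp_checkentry uses the wrong type; the deleted code (and the `.matchsize = sizeof(struct xt_udp)` a few lines below) use `struct xt_udp`. Both structs have an `invflags` member, but in xt_tcp it sits after the option, flg_mask and flg_cmp bytes, so `!(udpinfo->invflags & ~XT_UDP_INV_MASK)` reads a byte past the udp match data instead of the real inverse flags and the "unknown flags" validation for `-m udp` no longer rejects anything reliably. Change it to `const struct xt_udp *udpinfo = matchinfo;`.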
* [NETFILTER 09/13]: x_tables: pass registered match/target data to match/target functions
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: x_tables: pass registered match/target data to match/target functions
This allows making decisions based on the revision (and address family
with a follow-up patch) at runtime.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit fa94db409d568fb96bc1e806ecd24506e2b1f4dd
tree ca00834de166904ae812808ae014ff2cb1eb4f09
parent 17605235f23efeda52fa086e6dfa6dccd9ab915e
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:28:20 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:28:20 +0100
include/linux/netfilter/x_tables.h | 10 ++++++++--
net/ipv4/netfilter/arp_tables.c | 5 +++--
net/ipv4/netfilter/ip_tables.c | 13 +++++++------
net/ipv6/netfilter/ip6_tables.c | 11 ++++++-----
net/sched/act_ipt.c | 10 ++++++----
5 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b9c37e1..2fdbc4a 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -100,6 +100,7 @@ struct xt_match
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
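Review bot: the new `match` parameter is undocumented in the struct definition; the commit message says it exists so callbacks can branch on revision (and later address family), so add a one-line comment above the callback, e.g. `/* the registered xt_match, for revision-specific behaviour */`, so module authors know it is the registered descriptor and not a copy.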
@@ -109,12 +110,14 @@ struct xt_match
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
- void (*destroy)(void *matchinfo, unsigned int matchinfosize);
+ void (*destroy)(const struct xt_match *match, void *matchinfo,
+ unsigned int matchinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
@@ -140,6 +143,7 @@ struct xt_target
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userdata);
@@ -149,12 +153,14 @@ struct xt_target
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const void *entry,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask);
/* Called when entry of this type deleted. */
- void (*destroy)(void *targinfo, unsigned int targinfosize);
+ void (*destroy)(const struct xt_target *target, void *targinfo,
+ unsigned int targinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 082b748..59f74b7 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -300,6 +300,7 @@ unsigned int arpt_do_table(struct sk_buf
verdict = t->u.kernel.target->target(pskb,
in, out,
hook,
+ t->u.kernel.target,
t->data,
userdata);
@@ -491,7 +492,7 @@ static inline int check_entry(struct arp
goto out;
}
} else if (t->u.kernel.target->checkentry
- && !t->u.kernel.target->checkentry(name, e, t->data,
+ && !t->u.kernel.target->checkentry(name, e, target, t->data,
t->u.target_size
- sizeof(*t),
e->comefrom)) {
@@ -560,7 +561,7 @@ static inline int cleanup_entry(struct a
t = arpt_get_target(e);
if (t->u.kernel.target->destroy)
- t->u.kernel.target->destroy(t->data,
+ t->u.kernel.target->destroy(t->u.kernel.target, t->data,
t->u.target_size - sizeof(*t));
module_put(t->u.kernel.target->me);
return 0;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 62f8d63..2381a4a 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -197,8 +197,8 @@ int do_match(struct ipt_entry_match *m,
int *hotdrop)
{
/* Stop iteration if it doesn't match */
- if (!m->u.kernel.match->match(skb, in, out, m->data, offset,
- skb->nh.iph->ihl*4, hotdrop))
+ if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
+ offset, skb->nh.iph->ihl*4, hotdrop))
return 1;
else
return 0;
@@ -305,6 +305,7 @@ ipt_do_table(struct sk_buff **pskb,
verdict = t->u.kernel.target->target(pskb,
in, out,
hook,
+ t->u.kernel.target,
t->data,
userdata);
@@ -464,7 +465,7 @@ cleanup_match(struct ipt_entry_match *m,
return 1;
if (m->u.kernel.match->destroy)
- m->u.kernel.match->destroy(m->data,
+ m->u.kernel.match->destroy(m->u.kernel.match, m->data,
m->u.match_size - sizeof(*m));
module_put(m->u.kernel.match->me);
return 0;
@@ -517,7 +518,7 @@ check_match(struct ipt_entry_match *m,
goto err;
if (m->u.kernel.match->checkentry
- && !m->u.kernel.match->checkentry(name, ip, m->data,
+ && !m->u.kernel.match->checkentry(name, ip, match, m->data,
m->u.match_size - sizeof(*m),
hookmask)) {
duprintf("ip_tables: check failed for `%s'.\n",
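Review bot: check_match passes the local `match` to checkentry while do_match and cleanup_match in this same file pass `m->u.kernel.match`. They are the same pointer once m->u.kernel.match has been assigned, but using the field consistently (as in the other two hunks) avoids a subtle breakage if someone later reorders the assignment; the same applies to `target` versus `t->u.kernel.target` in the check_entry hunk below.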
@@ -578,7 +579,7 @@ check_entry(struct ipt_entry *e, const c
goto cleanup_matches;
}
} else if (t->u.kernel.target->checkentry
- && !t->u.kernel.target->checkentry(name, e, t->data,
+ && !t->u.kernel.target->checkentry(name, e, target, t->data,
t->u.target_size
- sizeof(*t),
e->comefrom)) {
@@ -652,7 +653,7 @@ cleanup_entry(struct ipt_entry *e, unsig
IPT_MATCH_ITERATE(e, cleanup_match, NULL);
t = ipt_get_target(e);
if (t->u.kernel.target->destroy)
- t->u.kernel.target->destroy(t->data,
+ t->u.kernel.target->destroy(t->u.kernel.target, t->data,
t->u.target_size - sizeof(*t));
module_put(t->u.kernel.target->me);
return 0;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 88f5d29..2dc731a 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -251,7 +251,7 @@ int do_match(struct ip6t_entry_match *m,
int *hotdrop)
{
/* Stop iteration if it doesn't match */
- if (!m->u.kernel.match->match(skb, in, out, m->data,
+ if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
offset, protoff, hotdrop))
return 1;
else
@@ -373,6 +373,7 @@ ip6t_do_table(struct sk_buff **pskb,
verdict = t->u.kernel.target->target(pskb,
in, out,
hook,
+ t->u.kernel.target,
t->data,
userdata);
@@ -531,7 +532,7 @@ cleanup_match(struct ip6t_entry_match *m
return 1;
if (m->u.kernel.match->destroy)
- m->u.kernel.match->destroy(m->data,
+ m->u.kernel.match->destroy(m->u.kernel.match, m->data,
m->u.match_size - sizeof(*m));
module_put(m->u.kernel.match->me);
return 0;
@@ -584,7 +585,7 @@ check_match(struct ip6t_entry_match *m,
goto err;
if (m->u.kernel.match->checkentry
- && !m->u.kernel.match->checkentry(name, ipv6, m->data,
+ && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
m->u.match_size - sizeof(*m),
hookmask)) {
duprintf("ip_tables: check failed for `%s'.\n",
@@ -645,7 +646,7 @@ check_entry(struct ip6t_entry *e, const
goto cleanup_matches;
}
} else if (t->u.kernel.target->checkentry
- && !t->u.kernel.target->checkentry(name, e, t->data,
+ && !t->u.kernel.target->checkentry(name, e, target, t->data,
t->u.target_size
- sizeof(*t),
e->comefrom)) {
@@ -719,7 +720,7 @@ cleanup_entry(struct ip6t_entry *e, unsi
IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
t = ip6t_get_target(e);
if (t->u.kernel.target->destroy)
- t->u.kernel.target->destroy(t->data,
+ t->u.kernel.target->destroy(t->u.kernel.target, t->data,
t->u.target_size - sizeof(*t));
module_put(t->u.kernel.target->me);
return 0;
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 39a22a3..6056d20 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -70,7 +70,8 @@ ipt_init_target(struct ipt_entry_target
t->u.kernel.target = target;
if (t->u.kernel.target->checkentry
- && !t->u.kernel.target->checkentry(table, NULL, t->data,
+ && !t->u.kernel.target->checkentry(table, NULL,
+ t->u.kernel.target, t->data,
t->u.target_size - sizeof(*t),
hook)) {
DPRINTK("ipt_init_target: check failed for `%s'.\n",
@@ -86,7 +87,7 @@ static void
ipt_destroy_target(struct ipt_entry_target *t)
{
if (t->u.kernel.target->destroy)
- t->u.kernel.target->destroy(t->data,
+ t->u.kernel.target->destroy(t->u.kernel.target, t->data,
t->u.target_size - sizeof(*t));
module_put(t->u.kernel.target->me);
}
@@ -224,8 +225,9 @@ tcf_ipt(struct sk_buff *skb, struct tc_a
/* iptables targets take a double skb pointer in case the skb
* needs to be replaced. We don't own the skb, so this must not
* happen. The pskb_expand_head above should make sure of this */
- ret = p->t->u.kernel.target->target(&skb, skb->dev, NULL,
- p->hook, p->t->data, NULL);
+ ret = p->t->u.kernel.target->target(&skb, skb->dev, NULL, p->hook,
+ p->t->u.kernel.target, p->t->data,
+ NULL);
switch (ret) {
case NF_ACCEPT:
result = TC_ACT_OK;
* [NETFILTER 10/13]: x_tables: add xt_{match, target} arguments to match/target functions
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: x_tables: add xt_{match,target} arguments to match/target functions
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 58b6f4b041f8400857ac02cc5a5ddd9f442c05c7
tree aa715791023c3f5f8bca4ffa05ee541ce03dedcf
parent fa94db409d568fb96bc1e806ecd24506e2b1f4dd
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:35:19 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:35:19 +0100
net/ipv4/netfilter/arp_tables.c | 1 +
net/ipv4/netfilter/arpt_mangle.c | 11 ++++++-----
net/ipv4/netfilter/ip_nat_rule.c | 4 ++++
net/ipv4/netfilter/ip_tables.c | 3 +++
net/ipv4/netfilter/ipt_CLUSTERIP.c | 7 +++++--
net/ipv4/netfilter/ipt_DSCP.c | 2 ++
net/ipv4/netfilter/ipt_ECN.c | 2 ++
net/ipv4/netfilter/ipt_LOG.c | 2 ++
net/ipv4/netfilter/ipt_MASQUERADE.c | 2 ++
net/ipv4/netfilter/ipt_NETMAP.c | 2 ++
net/ipv4/netfilter/ipt_REDIRECT.c | 2 ++
net/ipv4/netfilter/ipt_REJECT.c | 2 ++
net/ipv4/netfilter/ipt_SAME.c | 4 +++-
net/ipv4/netfilter/ipt_TCPMSS.c | 2 ++
net/ipv4/netfilter/ipt_TOS.c | 2 ++
net/ipv4/netfilter/ipt_TTL.c | 8 +++++---
net/ipv4/netfilter/ipt_ULOG.c | 2 ++
net/ipv4/netfilter/ipt_addrtype.c | 5 +++--
net/ipv4/netfilter/ipt_ah.c | 2 ++
net/ipv4/netfilter/ipt_dscp.c | 5 +++--
net/ipv4/netfilter/ipt_ecn.c | 6 ++++--
net/ipv4/netfilter/ipt_esp.c | 2 ++
net/ipv4/netfilter/ipt_hashlimit.c | 5 ++++-
net/ipv4/netfilter/ipt_iprange.c | 1 +
net/ipv4/netfilter/ipt_multiport.c | 2 ++
net/ipv4/netfilter/ipt_owner.c | 2 ++
net/ipv4/netfilter/ipt_policy.c | 2 ++
net/ipv4/netfilter/ipt_recent.c | 7 +++++--
net/ipv4/netfilter/ipt_tos.c | 1 +
net/ipv4/netfilter/ipt_ttl.c | 5 +++--
net/ipv6/netfilter/ip6_tables.c | 3 +++
net/ipv6/netfilter/ip6t_HL.c | 2 ++
net/ipv6/netfilter/ip6t_LOG.c | 2 ++
net/ipv6/netfilter/ip6t_REJECT.c | 2 ++
net/ipv6/netfilter/ip6t_ah.c | 2 ++
net/ipv6/netfilter/ip6t_dst.c | 2 ++
net/ipv6/netfilter/ip6t_esp.c | 2 ++
net/ipv6/netfilter/ip6t_eui64.c | 1 +
net/ipv6/netfilter/ip6t_frag.c | 2 ++
net/ipv6/netfilter/ip6t_hbh.c | 2 ++
net/ipv6/netfilter/ip6t_hl.c | 8 ++++----
net/ipv6/netfilter/ip6t_ipv6header.c | 2 ++
net/ipv6/netfilter/ip6t_multiport.c | 2 ++
net/ipv6/netfilter/ip6t_owner.c | 2 ++
net/ipv6/netfilter/ip6t_policy.c | 5 +++--
net/ipv6/netfilter/ip6t_rt.c | 2 ++
net/netfilter/xt_CLASSIFY.c | 1 +
net/netfilter/xt_CONNMARK.c | 2 ++
net/netfilter/xt_MARK.c | 4 ++++
net/netfilter/xt_NFQUEUE.c | 1 +
net/netfilter/xt_NOTRACK.c | 1 +
net/netfilter/xt_comment.c | 1 +
net/netfilter/xt_connbytes.c | 2 ++
net/netfilter/xt_connmark.c | 2 ++
net/netfilter/xt_conntrack.c | 2 ++
net/netfilter/xt_dccp.c | 2 ++
net/netfilter/xt_helper.c | 3 +++
net/netfilter/xt_length.c | 2 ++
net/netfilter/xt_limit.c | 2 ++
net/netfilter/xt_mac.c | 1 +
net/netfilter/xt_mark.c | 2 ++
net/netfilter/xt_physdev.c | 2 ++
net/netfilter/xt_pkttype.c | 1 +
net/netfilter/xt_realm.c | 1 +
net/netfilter/xt_sctp.c | 2 ++
net/netfilter/xt_state.c | 1 +
net/netfilter/xt_string.c | 5 ++++-
net/netfilter/xt_tcpmss.c | 1 +
net/netfilter/xt_tcpudp.c | 4 ++++
69 files changed, 160 insertions(+), 29 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 59f74b7..6da92d2 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -208,6 +208,7 @@ static unsigned int arpt_error(struct sk
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 4715cf5..0f2a953 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -8,9 +8,10 @@ MODULE_AUTHOR("Bart De Schuymer <bdschuy
MODULE_DESCRIPTION("arptables arp payload mangle target");
static unsigned int
-target(struct sk_buff **pskb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum, const void *targinfo,
- void *userinfo)
+target(struct sk_buff **pskb,
+ const struct net_device *in, const struct net_device *out,
+ unsigned int hooknum, const struct xt_target *target,
+ const void *targinfo, void *userinfo)
{
const struct arpt_mangle *mangle = targinfo;
struct arphdr *arp;
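Review bot: the new parameter `const struct xt_target *target` in target() shadows the function target() itself; the body only uses targinfo so it compiles, but -Wshadow will complain and it reads confusingly. The same pattern recurs in the ipt_CLUSTERIP, ipt_DSCP, ipt_ECN and ipt_NETMAP target() hunks later in this patch; naming the parameter `tgt` (or renaming the callbacks) would avoid it.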
@@ -65,8 +66,8 @@ target(struct sk_buff **pskb, const stru
}
static int
-checkentry(const char *tablename, const void *e, void *targinfo,
- unsigned int targinfosize, unsigned int hook_mask)
+checkentry(const char *tablename, const void *e, const struct xt_target *target,
+ void *targinfo, unsigned int targinfosize, unsigned int hook_mask)
{
const struct arpt_mangle *mangle = targinfo;
diff --git a/net/ipv4/netfilter/ip_nat_rule.c b/net/ipv4/netfilter/ip_nat_rule.c
index ef4be3d..efba8c4 100644
--- a/net/ipv4/netfilter/ip_nat_rule.c
+++ b/net/ipv4/netfilter/ip_nat_rule.c
@@ -103,6 +103,7 @@ static unsigned int ipt_snat_target(stru
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct ipt_target *target,
const void *targinfo,
void *userinfo)
{
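Review bot: ipt_snat_target declares the new argument as `const struct ipt_target *target` whereas every other file in this patch uses `struct xt_target`; ipt_target is an alias for xt_target so this compiles, but given the series is moving everything to x_tables, use `struct xt_target` here and in the three following ip_nat_rule.c hunks (dnat target, snat and dnat checkentry) for consistency.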
@@ -145,6 +146,7 @@ static unsigned int ipt_dnat_target(stru
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct ipt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -170,6 +172,7 @@ static unsigned int ipt_dnat_target(stru
static int ipt_snat_checkentry(const char *tablename,
const void *entry,
+ const struct ipt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
@@ -186,6 +189,7 @@ static int ipt_snat_checkentry(const cha
static int ipt_dnat_checkentry(const char *tablename,
const void *entry,
+ const struct ipt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 2381a4a..cf5b9db 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -179,6 +179,7 @@ ipt_error(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -1285,6 +1286,7 @@ static int
icmp_match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -1318,6 +1320,7 @@ icmp_match(const struct sk_buff *skb,
static int
icmp_checkentry(const char *tablename,
const void *info,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 24f88dd..61e11ed 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -311,6 +311,7 @@ target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -380,6 +381,7 @@ target(struct sk_buff **pskb,
static int
checkentry(const char *tablename,
const void *e_void,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
@@ -458,9 +460,10 @@ checkentry(const char *tablename,
}
/* drop reference count of cluster config when rule is deleted */
-static void destroy(void *matchinfo, unsigned int matchinfosize)
+static void destroy(const struct xt_target *target, void *targinfo,
+ unsigned int targinfosize)
{
- struct ipt_clusterip_tgt_info *cipinfo = matchinfo;
+ struct ipt_clusterip_tgt_info *cipinfo = targinfo;
/* if no more entries are referencing the config, remove it
* from the list and destroy the proc entry */
diff --git a/net/ipv4/netfilter/ipt_DSCP.c b/net/ipv4/netfilter/ipt_DSCP.c
index a202467..cfb0b90 100644
--- a/net/ipv4/netfilter/ipt_DSCP.c
+++ b/net/ipv4/netfilter/ipt_DSCP.c
@@ -29,6 +29,7 @@ target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -58,6 +59,7 @@ target(struct sk_buff **pskb,
static int
checkentry(const char *tablename,
const void *e_void,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 1bf1a40..b9b80f9 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -94,6 +94,7 @@ target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -114,6 +115,7 @@ target(struct sk_buff **pskb,
static int
checkentry(const char *tablename,
const void *e_void,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 24f1495..ea92f1f 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -415,6 +415,7 @@ ipt_log_target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -432,6 +433,7 @@ ipt_log_target(struct sk_buff **pskb,
static int ipt_log_checkentry(const char *tablename,
const void *e,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index df5ea08..e0c321c 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -41,6 +41,7 @@ static DEFINE_RWLOCK(masq_lock);
static int
masquerade_check(const char *tablename,
const void *e,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
@@ -63,6 +64,7 @@ masquerade_target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 836d67e..fba181c 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -32,6 +32,7 @@ MODULE_DESCRIPTION("iptables 1:1 NAT map
static int
check(const char *tablename,
const void *e,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
@@ -54,6 +55,7 @@ target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index cc165e0..be3da7c 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -34,6 +34,7 @@ MODULE_DESCRIPTION("iptables REDIRECT ta
static int
redirect_check(const char *tablename,
const void *e,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
@@ -56,6 +57,7 @@ redirect_target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index ddd6bd1..26ea6c1 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -236,6 +236,7 @@ static unsigned int reject(struct sk_buf
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -283,6 +284,7 @@ static unsigned int reject(struct sk_buf
static int check(const char *tablename,
const void *e_void,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ipt_SAME.c b/net/ipv4/netfilter/ipt_SAME.c
index 8743c3a..7e2ebc9 100644
--- a/net/ipv4/netfilter/ipt_SAME.c
+++ b/net/ipv4/netfilter/ipt_SAME.c
@@ -50,6 +50,7 @@ MODULE_DESCRIPTION("iptables special SNA
static int
same_check(const char *tablename,
const void *e,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
@@ -115,7 +116,7 @@ same_check(const char *tablename,
}
static void
-same_destroy(void *targinfo,
+same_destroy(const struct xt_target *target, void *targinfo,
unsigned int targinfosize)
{
struct ipt_same_info *mr = targinfo;
@@ -131,6 +132,7 @@ same_target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
diff --git a/net/ipv4/netfilter/ipt_TCPMSS.c b/net/ipv4/netfilter/ipt_TCPMSS.c
index 4be6e2b..c4fc50e 100644
--- a/net/ipv4/netfilter/ipt_TCPMSS.c
+++ b/net/ipv4/netfilter/ipt_TCPMSS.c
@@ -48,6 +48,7 @@ ipt_tcpmss_target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -211,6 +212,7 @@ static inline int find_syn_match(const s
static int
ipt_tcpmss_checkentry(const char *tablename,
const void *e_void,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ipt_TOS.c b/net/ipv4/netfilter/ipt_TOS.c
index 6568e3e..9aa7817 100644
--- a/net/ipv4/netfilter/ipt_TOS.c
+++ b/net/ipv4/netfilter/ipt_TOS.c
@@ -25,6 +25,7 @@ target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -53,6 +54,7 @@ target(struct sk_buff **pskb,
static int
checkentry(const char *tablename,
const void *e_void,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
index 61d94e0..5009a00 100644
--- a/net/ipv4/netfilter/ipt_TTL.c
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -20,9 +20,10 @@ MODULE_DESCRIPTION("IP tables TTL modifi
MODULE_LICENSE("GPL");
static unsigned int
-ipt_ttl_target(struct sk_buff **pskb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const void *targinfo, void *userinfo)
+ipt_ttl_target(struct sk_buff **pskb,
+ const struct net_device *in, const struct net_device *out,
+ unsigned int hooknum, const struct xt_target *target,
+ const void *targinfo, void *userinfo)
{
struct iphdr *iph;
const struct ipt_TTL_info *info = targinfo;
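Review bot: this hunk removes and re-adds the entire `ipt_ttl_target()` signature to re-flow `in`, `out` and `hooknum` onto different lines, whereas the other files in the series insert the new parameter as a single `+` line. Mixing whitespace re-wrapping of unchanged parameters with the functional change makes the prototype change harder to verify by eye and bloats blame; consider the one-line insertion used elsewhere (the same applies to the ipt_addrtype, ipt_dscp, ipt_ecn, ipt_ttl and ip6t_hl hunks).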
@@ -67,6 +68,7 @@ ipt_ttl_target(struct sk_buff **pskb, co
static int ipt_ttl_checkentry(const char *tablename,
const void *e,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index c95e7e9..a82a32e 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -303,6 +303,7 @@ static unsigned int ipt_ulog_target(stru
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo, void *userinfo)
{
struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
@@ -339,6 +340,7 @@ static void ipt_logfn(unsigned int pf,
static int ipt_ulog_checkentry(const char *tablename,
const void *e,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hookmask)
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index ad5dc46..5fdf85d 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -27,8 +27,9 @@ static inline int match_type(u_int32_t a
return !!(mask & (1 << inet_addr_type(addr)));
}
-static int match(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const void *matchinfo,
+static int match(const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const struct xt_match *match, const void *matchinfo,
int offset, unsigned int protoff, int *hotdrop)
{
const struct ipt_addrtype_info *info = matchinfo;
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index a33eeea..35a21fb 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -39,6 +39,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -71,6 +72,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *ip_void,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ipt_dscp.c b/net/ipv4/netfilter/ipt_dscp.c
index e7889ba..11963c3 100644
--- a/net/ipv4/netfilter/ipt_dscp.c
+++ b/net/ipv4/netfilter/ipt_dscp.c
@@ -19,8 +19,9 @@ MODULE_AUTHOR("Harald Welte <laforge@net
MODULE_DESCRIPTION("iptables DSCP matching module");
MODULE_LICENSE("GPL");
-static int match(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const void *matchinfo,
+static int match(const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const struct xt_match *match, const void *matchinfo,
int offset, unsigned int protoff, int *hotdrop)
{
const struct ipt_dscp_info *info = matchinfo;
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 723957f..d7e29f6 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -65,8 +65,9 @@ static inline int match_tcp(const struct
return 1;
}
-static int match(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const void *matchinfo,
+static int match(const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const struct xt_match *match, const void *matchinfo,
int offset, unsigned int protoff, int *hotdrop)
{
const struct ipt_ecn_info *info = matchinfo;
@@ -86,6 +87,7 @@ static int match(const struct sk_buff *s
}
static int checkentry(const char *tablename, const void *ip_void,
+ const struct xt_match *match,
void *matchinfo, unsigned int matchsize,
unsigned int hook_mask)
{
diff --git a/net/ipv4/netfilter/ipt_esp.c b/net/ipv4/netfilter/ipt_esp.c
index 984fa48..af0d5ec 100644
--- a/net/ipv4/netfilter/ipt_esp.c
+++ b/net/ipv4/netfilter/ipt_esp.c
@@ -40,6 +40,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -72,6 +73,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *ip_void,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ipt_hashlimit.c b/net/ipv4/netfilter/ipt_hashlimit.c
index 156d9c2..dc1521c 100644
--- a/net/ipv4/netfilter/ipt_hashlimit.c
+++ b/net/ipv4/netfilter/ipt_hashlimit.c
@@ -427,6 +427,7 @@ static int
hashlimit_match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -506,6 +507,7 @@ hashlimit_match(const struct sk_buff *sk
static int
hashlimit_checkentry(const char *tablename,
const void *inf,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
@@ -555,7 +557,8 @@ hashlimit_checkentry(const char *tablena
}
static void
-hashlimit_destroy(void *matchinfo, unsigned int matchsize)
+hashlimit_destroy(const struct xt_match *match, void *matchinfo,
+ unsigned int matchsize)
{
struct ipt_hashlimit_info *r = (struct ipt_hashlimit_info *) matchinfo;
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/ipv4/netfilter/ipt_iprange.c
index 0885ff5..ae70112 100644
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ b/net/ipv4/netfilter/ipt_iprange.c
@@ -27,6 +27,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset, unsigned int protoff, int *hotdrop)
{
diff --git a/net/ipv4/netfilter/ipt_multiport.c b/net/ipv4/netfilter/ipt_multiport.c
index 8f1684c..bd07f7c 100644
--- a/net/ipv4/netfilter/ipt_multiport.c
+++ b/net/ipv4/netfilter/ipt_multiport.c
@@ -95,6 +95,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -127,6 +128,7 @@ static int
match_v1(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
diff --git a/net/ipv4/netfilter/ipt_owner.c b/net/ipv4/netfilter/ipt_owner.c
index 18adc1d..3900428 100644
--- a/net/ipv4/netfilter/ipt_owner.c
+++ b/net/ipv4/netfilter/ipt_owner.c
@@ -25,6 +25,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -53,6 +54,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c
index 3fa6607..b73f590 100644
--- a/net/ipv4/netfilter/ipt_policy.c
+++ b/net/ipv4/netfilter/ipt_policy.c
@@ -98,6 +98,7 @@ match_policy_out(const struct sk_buff *s
static int match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -120,6 +121,7 @@ static int match(const struct sk_buff *s
}
static int checkentry(const char *tablename, const void *ip_void,
+ const struct xt_match *match,
void *matchinfo, unsigned int matchsize,
unsigned int hook_mask)
{
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index e2ccd42..06792ea 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -102,6 +102,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -318,7 +319,7 @@ static int ip_recent_ctrl(struct file *f
skb->nh.iph->daddr = 0;
/* Clear ttl since we have no way of knowing it */
skb->nh.iph->ttl = 0;
- match(skb,NULL,NULL,info,0,0,NULL);
+ match(skb,NULL,NULL,NULL,info,0,0,NULL);
kfree(skb->nh.iph);
out_free_skb:
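Review bot: `ip_recent_ctrl()` calls `match()` directly from the proc control path and now passes `NULL` for the new `const struct xt_match *match` argument (`match(skb,NULL,NULL,NULL,info,0,0,NULL);`). This is safe only while `match()` never dereferences `match`; the moment the new pointer is actually used (for example to reach `match->name` or per-match private data), a write to the proc file becomes a user-triggerable NULL dereference. Either pass the module's own registered `struct ipt_match` here, or add a comment at the call site recording the invariant that `match()` must tolerate a NULL `match` (and, as before, NULL `in`, `out` and `hotdrop`).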
@@ -356,6 +357,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -657,6 +659,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
@@ -869,7 +872,7 @@ checkentry(const char *tablename,
* up its memory.
*/
static void
-destroy(void *matchinfo, unsigned int matchsize)
+destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
{
const struct ipt_recent_info *info = matchinfo;
struct recent_ip_tables *curr_table, *last_table;
diff --git a/net/ipv4/netfilter/ipt_tos.c b/net/ipv4/netfilter/ipt_tos.c
index 4675c78..e404e92 100644
--- a/net/ipv4/netfilter/ipt_tos.c
+++ b/net/ipv4/netfilter/ipt_tos.c
@@ -21,6 +21,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
diff --git a/net/ipv4/netfilter/ipt_ttl.c b/net/ipv4/netfilter/ipt_ttl.c
index bb694a0..ae7ce4d 100644
--- a/net/ipv4/netfilter/ipt_ttl.c
+++ b/net/ipv4/netfilter/ipt_ttl.c
@@ -19,8 +19,9 @@ MODULE_AUTHOR("Harald Welte <laforge@net
MODULE_DESCRIPTION("IP tables TTL matching module");
MODULE_LICENSE("GPL");
-static int match(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const void *matchinfo,
+static int match(const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const struct xt_match *match, const void *matchinfo,
int offset, unsigned int protoff, int *hotdrop)
{
const struct ipt_ttl_info *info = matchinfo;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 2dc731a..bb04852 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -232,6 +232,7 @@ ip6t_error(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -1341,6 +1342,7 @@ static int
icmp6_match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -1373,6 +1375,7 @@ icmp6_match(const struct sk_buff *skb,
static int
icmp6_checkentry(const char *tablename,
const void *entry,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c
index ab39ee9..da14c6d 100644
--- a/net/ipv6/netfilter/ip6t_HL.c
+++ b/net/ipv6/netfilter/ip6t_HL.c
@@ -21,6 +21,7 @@ static unsigned int ip6t_hl_target(struc
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo, void *userinfo)
{
struct ipv6hdr *ip6h;
@@ -63,6 +64,7 @@ static unsigned int ip6t_hl_target(struc
static int ip6t_hl_checkentry(const char *tablename,
const void *entry,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 171c9ba..f4963ad 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -426,6 +426,7 @@ ip6t_log_target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -444,6 +445,7 @@ ip6t_log_target(struct sk_buff **pskb,
static int ip6t_log_checkentry(const char *tablename,
const void *entry,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 8640706..ddfa385 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -179,6 +179,7 @@ static unsigned int reject6_target(struc
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -221,6 +222,7 @@ static unsigned int reject6_target(struc
static int check(const char *tablename,
const void *entry,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index 28710ed..178f6fb 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -44,6 +44,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -99,6 +100,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *entry,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_dst.c b/net/ipv6/netfilter/ip6t_dst.c
index 2fbde59..e97a702 100644
--- a/net/ipv6/netfilter/ip6t_dst.c
+++ b/net/ipv6/netfilter/ip6t_dst.c
@@ -55,6 +55,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -179,6 +180,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *info,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_esp.c b/net/ipv6/netfilter/ip6t_esp.c
index ede7223..540b8bf 100644
--- a/net/ipv6/netfilter/ip6t_esp.c
+++ b/net/ipv6/netfilter/ip6t_esp.c
@@ -44,6 +44,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -77,6 +78,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index bfee5be..d4b0bad 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -22,6 +22,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index 305de9b..4c41e14 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -43,6 +43,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -116,6 +117,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index ac8d479..b4a1fdf 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -55,6 +55,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -179,6 +180,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *entry,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c
index 1eabb65..3740557 100644
--- a/net/ipv6/netfilter/ip6t_hl.c
+++ b/net/ipv6/netfilter/ip6t_hl.c
@@ -18,10 +18,10 @@ MODULE_AUTHOR("Maciej Soltysiak <solt@dn
MODULE_DESCRIPTION("IP tables Hop Limit matching module");
MODULE_LICENSE("GPL");
-static int match(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const void *matchinfo,
- int offset, unsigned int protoff,
- int *hotdrop)
+static int match(const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const struct xt_match *match, const void *matchinfo,
+ int offset, unsigned int protoff, int *hotdrop)
{
const struct ip6t_hl_info *info = matchinfo;
const struct ipv6hdr *ip6h = skb->nh.ipv6h;
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 063032a..9375eeb 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -29,6 +29,7 @@ static int
ipv6header_match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -125,6 +126,7 @@ ipv6header_match(const struct sk_buff *s
static int
ipv6header_checkentry(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_multiport.c b/net/ipv6/netfilter/ip6t_multiport.c
index b86774d..752b65d 100644
--- a/net/ipv6/netfilter/ip6t_multiport.c
+++ b/net/ipv6/netfilter/ip6t_multiport.c
@@ -51,6 +51,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -85,6 +86,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *info,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_owner.c b/net/ipv6/netfilter/ip6t_owner.c
index e26cd6d..e2cee3b 100644
--- a/net/ipv6/netfilter/ip6t_owner.c
+++ b/net/ipv6/netfilter/ip6t_owner.c
@@ -26,6 +26,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -54,6 +55,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
index ac8a544..b2f3007 100644
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ b/net/ipv6/netfilter/ip6t_policy.c
@@ -98,6 +98,7 @@ match_policy_out(const struct sk_buff *s
static int match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -120,8 +121,8 @@ static int match(const struct sk_buff *s
}
static int checkentry(const char *tablename, const void *ip_void,
- void *matchinfo, unsigned int matchsize,
- unsigned int hook_mask)
+ const struct xt_match *match, void *matchinfo,
+ unsigned int matchsize, unsigned int hook_mask)
{
struct ip6t_policy_info *info = matchinfo;
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index a381074..4c6b55b 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -45,6 +45,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -194,6 +195,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *entry,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask)
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 6b36e84..3224ed8 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -28,6 +28,7 @@ target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index b269ba9..df2486a 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -37,6 +37,7 @@ target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -74,6 +75,7 @@ target(struct sk_buff **pskb,
static int
checkentry(const char *tablename,
const void *entry,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 1bc968b..dcb5266 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -26,6 +26,7 @@ target_v0(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -42,6 +43,7 @@ target_v1(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
@@ -72,6 +74,7 @@ target_v1(struct sk_buff **pskb,
static int
checkentry_v0(const char *tablename,
const void *entry,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
@@ -88,6 +91,7 @@ checkentry_v0(const char *tablename,
static int
checkentry_v1(const char *tablename,
const void *entry,
+ const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index b1da0ad..39a963e 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -28,6 +28,7 @@ target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index 8bacbe1..b8634e3 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -15,6 +15,7 @@ target(struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+ const struct xt_target *target,
const void *targinfo,
void *userinfo)
{
diff --git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index b3f07aa..03d9d74 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -19,6 +19,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protooff,
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index d985135..f34ecb9 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -44,6 +44,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -122,6 +123,7 @@ match(const struct sk_buff *skb,
static int check(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 2bb987f..5182247 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -35,6 +35,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -52,6 +53,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 45a5a7d..39fc294 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -32,6 +32,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -118,6 +119,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 06e9ef2..db6b70c 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -95,6 +95,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -129,6 +130,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *inf,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 70bc00f..79c3d2a 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -42,6 +42,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -89,6 +90,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -135,6 +137,7 @@ out_unlock:
static int check(const char *tablename,
const void *inf,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index 11a2812..b9e60f0 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -24,6 +24,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -39,6 +40,7 @@ static int
match6(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index dec3f02..3049e6f 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -68,6 +68,7 @@ static int
ipt_limit_match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -107,6 +108,7 @@ user2credits(u_int32_t user)
static int
ipt_limit_checkentry(const char *tablename,
const void *inf,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index e207726..b4559a4 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -27,6 +27,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index b21b94a..c1a8f0f 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -23,6 +23,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -36,6 +37,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *entry,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 5afc417..f788e8e 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -26,6 +26,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -102,6 +103,7 @@ match_outdev:
static int
checkentry(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 872bb2a..f38638d 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -22,6 +22,7 @@ MODULE_ALIAS("ip6t_pkttype");
static int match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 249e0a3..57815a0 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -27,6 +27,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index f0a25e5..f5d698b 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -123,6 +123,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -162,6 +163,7 @@ match(const struct sk_buff *skb,
static int
checkentry(const char *tablename,
const void *inf,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 9a7d6df..b8ec00c 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -24,6 +24,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index c3efd37..fccbad6 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -24,6 +24,7 @@ MODULE_ALIAS("ip6t_string");
static int match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -43,6 +44,7 @@ static int match(const struct sk_buff *s
static int checkentry(const char *tablename,
const void *ip,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
@@ -64,7 +66,8 @@ static int checkentry(const char *tablen
return 1;
}
-static void destroy(void *matchinfo, unsigned int matchsize)
+static void destroy(const struct xt_match *match, void *matchinfo,
+ unsigned int matchsize)
{
textsearch_destroy(STRING_TEXT_PRIV(matchinfo)->config);
}
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 95d8611..4925fc9 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -81,6 +81,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 9d01f07..b5cd0dd 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -74,6 +74,7 @@ static int
tcp_match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -138,6 +139,7 @@ tcp_match(const struct sk_buff *skb,
static int
tcp_checkentry(const char *tablename,
const void *info,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
@@ -152,6 +154,7 @@ static int
udp_match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+ const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
@@ -185,6 +188,7 @@ udp_match(const struct sk_buff *skb,
static int
udp_checkentry(const char *tablename,
const void *info,
+ const struct xt_match *match,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)

* [NETFILTER 11/13]: Move ip6_masked_addrcmp to include/net/ipv6.h
2006-02-16 21:32 [NETFILTER 00/13]: Netfilter patches for 2.6.17 Patrick McHardy
` (9 preceding siblings ...)
2006-02-16 21:32 ` [NETFILTER 10/13]: x_tables: add xt_{match, target} arguments " Patrick McHardy
@ 2006-02-16 21:32 ` Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 12/13]: x_tables: replace IPv4/IPv6 policy match by address family independent version Patrick McHardy
` (2 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: Move ip6_masked_addrcmp to include/net/ipv6.h
Replace netfilter's ip6_masked_addrcmp by a more efficient version
in include/net/ipv6.h to make it usable without module dependencies.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 27e960bc61180f1028acd05990c8bcba688fc87f
tree 92352857c92597419b23ef1621a6d8349e37a920
parent 58b6f4b041f8400857ac02cc5a5ddd9f442c05c7
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:35:56 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:35:56 +0100
include/net/ipv6.h | 12 ++++++++++++
net/ipv6/netfilter/ip6_tables.c | 22 ++++------------------
net/ipv6/netfilter/ip6t_policy.c | 3 ++-
3 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 3b1d963..c893a1c 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -282,6 +282,18 @@ static inline int ipv6_addr_cmp(const st
return memcmp((const void *) a1, (const void *) a2, sizeof(struct in6_addr));
}
+static inline int
+ipv6_masked_addr_cmp(const struct in6_addr *a1, const struct in6_addr *m,
+ const struct in6_addr *a2)
+{
+ unsigned int i;
+
+ for (i = 0; i < 4; i++)
+ if ((a1->s6_addr32[i] ^ a2->s6_addr32[i]) & m->s6_addr32[i])
+ return 1;
+ return 0;
+}
+
static inline void ipv6_addr_copy(struct in6_addr *a1, const struct in6_addr *a2)
{
memcpy((void *) a1, (const void *) a2, sizeof(struct in6_addr));
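Review bot: `ipv6_masked_addr_cmp()` lacks a comment stating its return convention. It returns 1 as soon as any 32-bit word of `a1` and `a2` differs under mask `m` and 0 when all four words agree, which is the same answer the removed byte-wise `ip6_masked_addrcmp()` gave, but both callers in this patch negate or invert it (`!ipv6_masked_addr_cmp(...)` in ip6t_policy.c, `FWINV(ipv6_masked_addr_cmp(...), ...)` in ip6_tables.c), so a one-line comment above the function ("returns 0 if a1 and a2 are equal under mask m, 1 otherwise"), matching the memcmp-style convention of `ipv6_addr_cmp()` directly above, would stop future callers from getting the sense wrong.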
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index bb04852..0d6fe15 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -94,19 +94,6 @@ do { \
#define up(x) do { printk("UP:%u:" #x "\n", __LINE__); up(x); } while(0)
#endif
-int
-ip6_masked_addrcmp(const struct in6_addr *addr1, const struct in6_addr *mask,
- const struct in6_addr *addr2)
-{
- int i;
- for( i = 0; i < 16; i++){
- if((addr1->s6_addr[i] & mask->s6_addr[i]) !=
- (addr2->s6_addr[i] & mask->s6_addr[i]))
- return 1;
- }
- return 0;
-}
-
/* Check for an extension */
int
ip6t_ext_hdr(u8 nexthdr)
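Review bot: this hunk deletes the out-of-line `ip6_masked_addrcmp()` definition, but the diffstat lists only include/net/ipv6.h, ip6_tables.c and ip6t_policy.c; if the old prototype is declared in the ip6_tables header, as an exported symbol's usually is, it is left dangling and should be dropped in the same patch so that a stale caller fails at compile time rather than at link or module-load time.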
@@ -135,10 +122,10 @@ ip6_packet_match(const struct sk_buff *s
#define FWINV(bool,invflg) ((bool) ^ !!(ip6info->invflags & invflg))
- if (FWINV(ip6_masked_addrcmp(&ipv6->saddr, &ip6info->smsk,
- &ip6info->src), IP6T_INV_SRCIP)
- || FWINV(ip6_masked_addrcmp(&ipv6->daddr, &ip6info->dmsk,
- &ip6info->dst), IP6T_INV_DSTIP)) {
+ if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
+ &ip6info->src), IP6T_INV_SRCIP)
+ || FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
+ &ip6info->dst), IP6T_INV_DSTIP)) {
dprintf("Source or dest mismatch.\n");
/*
dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
@@ -1526,7 +1513,6 @@ EXPORT_SYMBOL(ip6t_unregister_table);
EXPORT_SYMBOL(ip6t_do_table);
EXPORT_SYMBOL(ip6t_ext_hdr);
EXPORT_SYMBOL(ipv6_find_hdr);
-EXPORT_SYMBOL(ip6_masked_addrcmp);
module_init(init);
module_exit(fini);
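Review bot: removing `EXPORT_SYMBOL(ip6_masked_addrcmp);` is a kernel-module ABI change; the only caller converted in this patch is ip6t_policy.c, so please confirm with a tree-wide grep that no other in-tree module still calls the old helper, and mention the dropped export in the commit message so out-of-tree users know why their module no longer loads.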
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
index b2f3007..f2a5997 100644
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ b/net/ipv6/netfilter/ip6t_policy.c
@@ -27,7 +27,8 @@ static inline int
match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e)
{
#define MATCH_ADDR(x,y,z) (!e->match.x || \
- ((!ip6_masked_addrcmp(&e->x.a6, &e->y.a6, z)) \
+ ((!ipv6_masked_addr_cmp(&e->x.a6, &e->y.a6, \
+ z)) \
^ e->invert.x))
#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
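Review bot: this hunk is churn given that patch 12/13 deletes net/ipv6/netfilter/ip6t_policy.c outright; folding the rename into 12/13, or ordering the series so the deletion comes first, avoids touching a file that is about to be removed. If it stays, the continuation that leaves `z)) \` alone on a line reads worse than the original; breaking after `&e->x.a6,` keeps the call on two lines.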
* [NETFILTER 12/13]: x_tables: replace IPv4/IPv6 policy match by address family independent version
2006-02-16 21:32 [NETFILTER 00/13]: Netfilter patches for 2.6.17 Patrick McHardy
` (10 preceding siblings ...)
2006-02-16 21:32 ` [NETFILTER 11/13]: Move ip6_masked_addrcmp to include/net/ipv6.h Patrick McHardy
@ 2006-02-16 21:32 ` Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 13/13]: ctnetlink: avoid unnecessary event message generation Patrick McHardy
2006-02-19 8:31 ` [NETFILTER 00/13]: Netfilter patches for 2.6.17 David S. Miller
13 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: x_tables: replace IPv4/IPv6 policy match by address family independent version
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 3a3198cc233706dcead7c9642201cc747579a677
tree 90d54c7679930d5121938657ae15e8399e2b2e79
parent 27e960bc61180f1028acd05990c8bcba688fc87f
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:35:57 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:35:57 +0100
include/linux/netfilter/x_tables.h | 4 +
include/linux/netfilter/xt_policy.h | 58 ++++++++
include/linux/netfilter_ipv4/ipt_policy.h | 67 ++-------
include/linux/netfilter_ipv6/ip6t_policy.h | 67 ++-------
net/ipv4/netfilter/Kconfig | 10 -
net/ipv4/netfilter/Makefile | 1
net/ipv4/netfilter/ipt_policy.c | 174 -----------------------
net/ipv6/netfilter/Kconfig | 10 -
net/ipv6/netfilter/Makefile | 1
net/ipv6/netfilter/ip6t_policy.c | 174 -----------------------
net/netfilter/Kconfig | 10 +
net/netfilter/Makefile | 1
net/netfilter/xt_policy.c | 209 ++++++++++++++++++++++++++++
13 files changed, 312 insertions(+), 474 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 2fdbc4a..46a0f97 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -126,6 +126,8 @@ struct xt_match
unsigned int matchsize;
unsigned int hooks;
unsigned short proto;
+
+ unsigned short family;
u_int8_t revision;
};
@@ -169,6 +171,8 @@ struct xt_target
unsigned int targetsize;
unsigned int hooks;
unsigned short proto;
+
+ unsigned short family;
u_int8_t revision;
};
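Review bot: adding `unsigned short family` to `struct xt_match` and `struct xt_target` means every match and target that is registered without initialising `.family` now carries family 0, which is neither AF_INET nor AF_INET6; nothing in this hunk shows how the registration path treats that value, so please document the field (is 0 "any family", or must every module set it?) and state it in the commit message, which at present consists of the subject line only. Code keyed on `match->family`, such as the `switch (family)` in the new xt_policy.c, otherwise silently takes its `return 0` fallthrough for an unset family.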
diff --git a/include/linux/netfilter/xt_policy.h b/include/linux/netfilter/xt_policy.h
new file mode 100644
index 0000000..a8132ec
--- /dev/null
+++ b/include/linux/netfilter/xt_policy.h
@@ -0,0 +1,58 @@
+#ifndef _XT_POLICY_H
+#define _XT_POLICY_H
+
+#define XT_POLICY_MAX_ELEM 4
+
+enum xt_policy_flags
+{
+ XT_POLICY_MATCH_IN = 0x1,
+ XT_POLICY_MATCH_OUT = 0x2,
+ XT_POLICY_MATCH_NONE = 0x4,
+ XT_POLICY_MATCH_STRICT = 0x8,
+};
+
+enum xt_policy_modes
+{
+ XT_POLICY_MODE_TRANSPORT,
+ XT_POLICY_MODE_TUNNEL
+};
+
+struct xt_policy_spec
+{
+ u_int8_t saddr:1,
+ daddr:1,
+ proto:1,
+ mode:1,
+ spi:1,
+ reqid:1;
+};
+
+union xt_policy_addr
+{
+ struct in_addr a4;
+ struct in6_addr a6;
+};
+
+struct xt_policy_elem
+{
+ union xt_policy_addr saddr;
+ union xt_policy_addr smask;
+ union xt_policy_addr daddr;
+ union xt_policy_addr dmask;
+ u_int32_t spi;
+ u_int32_t reqid;
+ u_int8_t proto;
+ u_int8_t mode;
+
+ struct xt_policy_spec match;
+ struct xt_policy_spec invert;
+};
+
+struct xt_policy_info
+{
+ struct xt_policy_elem pol[XT_POLICY_MAX_ELEM];
+ u_int16_t flags;
+ u_int16_t len;
+};
+
+#endif /* _XT_POLICY_H */
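Review bot: the new header uses `struct in_addr`, `struct in6_addr`, `u_int8_t`, `u_int16_t` and `u_int32_t` but includes nothing, so it compiles only when the includer has already pulled in <linux/types.h>, <linux/in.h> and <linux/in6.h>; since this file is also the userspace ABI for the iptables and ip6tables policy extensions, add those includes so it stands alone. A short comment on `struct xt_policy_info` saying that `len` is the number of valid entries in `pol[]` and that `flags` takes `enum xt_policy_flags` values would also help, as neither is obvious from the declaration.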
diff --git a/include/linux/netfilter_ipv4/ipt_policy.h b/include/linux/netfilter_ipv4/ipt_policy.h
index a3f6eff..b9478a2 100644
--- a/include/linux/netfilter_ipv4/ipt_policy.h
+++ b/include/linux/netfilter_ipv4/ipt_policy.h
@@ -1,58 +1,21 @@
#ifndef _IPT_POLICY_H
#define _IPT_POLICY_H
-#define IPT_POLICY_MAX_ELEM 4
+#define IPT_POLICY_MAX_ELEM XT_POLICY_MAX_ELEM
-enum ipt_policy_flags
-{
- IPT_POLICY_MATCH_IN = 0x1,
- IPT_POLICY_MATCH_OUT = 0x2,
- IPT_POLICY_MATCH_NONE = 0x4,
- IPT_POLICY_MATCH_STRICT = 0x8,
-};
-
-enum ipt_policy_modes
-{
- IPT_POLICY_MODE_TRANSPORT,
- IPT_POLICY_MODE_TUNNEL
-};
-
-struct ipt_policy_spec
-{
- u_int8_t saddr:1,
- daddr:1,
- proto:1,
- mode:1,
- spi:1,
- reqid:1;
-};
-
-union ipt_policy_addr
-{
- struct in_addr a4;
- struct in6_addr a6;
-};
-
-struct ipt_policy_elem
-{
- union ipt_policy_addr saddr;
- union ipt_policy_addr smask;
- union ipt_policy_addr daddr;
- union ipt_policy_addr dmask;
- u_int32_t spi;
- u_int32_t reqid;
- u_int8_t proto;
- u_int8_t mode;
-
- struct ipt_policy_spec match;
- struct ipt_policy_spec invert;
-};
-
-struct ipt_policy_info
-{
- struct ipt_policy_elem pol[IPT_POLICY_MAX_ELEM];
- u_int16_t flags;
- u_int16_t len;
-};
+/* ipt_policy_flags */
+#define IPT_POLICY_MATCH_IN XT_POLICY_MATCH_IN
+#define IPT_POLICY_MATCH_OUT XT_POLICY_MATCH_OUT
+#define IPT_POLICY_MATCH_NONE XT_POLICY_MATCH_NONE
+#define IPT_POLICY_MATCH_STRICT XT_POLICY_MATCH_STRICT
+
+/* ipt_policy_modes */
+#define IPT_POLICY_MODE_TRANSPORT XT_POLICY_MODE_TRANSPORT
+#define IPT_POLICY_MODE_TUNNEL XT_POLICY_MODE_TUNNEL
+
+#define ipt_policy_spec xt_policy_spec
+#define ipt_policy_addr xt_policy_addr
+#define ipt_policy_elem xt_policy_elem
+#define ipt_policy_info xt_policy_info
#endif /* _IPT_POLICY_H */
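Review bot: the replacement body refers to `XT_POLICY_MAX_ELEM`, `XT_POLICY_MATCH_*`, `XT_POLICY_MODE_*` and the `xt_policy_*` tags, yet the hunk adds no `#include <linux/netfilter/xt_policy.h>`, so any translation unit that includes only <linux/netfilter_ipv4/ipt_policy.h> (the userspace extension being the obvious one) now fails with undeclared identifiers; add the include directly after the guard. Note also that `#define ipt_policy_spec xt_policy_spec` and the three lines after it alias struct tags through the preprocessor, which works for `struct ipt_policy_spec` but rewrites any other identifier with exactly that spelling in the includer as well.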
diff --git a/include/linux/netfilter_ipv6/ip6t_policy.h b/include/linux/netfilter_ipv6/ip6t_policy.h
index 671bd81..6bab316 100644
--- a/include/linux/netfilter_ipv6/ip6t_policy.h
+++ b/include/linux/netfilter_ipv6/ip6t_policy.h
@@ -1,58 +1,21 @@
#ifndef _IP6T_POLICY_H
#define _IP6T_POLICY_H
-#define IP6T_POLICY_MAX_ELEM 4
+#define IP6T_POLICY_MAX_ELEM XT_POLICY_MAX_ELEM
-enum ip6t_policy_flags
-{
- IP6T_POLICY_MATCH_IN = 0x1,
- IP6T_POLICY_MATCH_OUT = 0x2,
- IP6T_POLICY_MATCH_NONE = 0x4,
- IP6T_POLICY_MATCH_STRICT = 0x8,
-};
-
-enum ip6t_policy_modes
-{
- IP6T_POLICY_MODE_TRANSPORT,
- IP6T_POLICY_MODE_TUNNEL
-};
-
-struct ip6t_policy_spec
-{
- u_int8_t saddr:1,
- daddr:1,
- proto:1,
- mode:1,
- spi:1,
- reqid:1;
-};
-
-union ip6t_policy_addr
-{
- struct in_addr a4;
- struct in6_addr a6;
-};
-
-struct ip6t_policy_elem
-{
- union ip6t_policy_addr saddr;
- union ip6t_policy_addr smask;
- union ip6t_policy_addr daddr;
- union ip6t_policy_addr dmask;
- u_int32_t spi;
- u_int32_t reqid;
- u_int8_t proto;
- u_int8_t mode;
-
- struct ip6t_policy_spec match;
- struct ip6t_policy_spec invert;
-};
-
-struct ip6t_policy_info
-{
- struct ip6t_policy_elem pol[IP6T_POLICY_MAX_ELEM];
- u_int16_t flags;
- u_int16_t len;
-};
+/* ip6t_policy_flags */
+#define IP6T_POLICY_MATCH_IN XT_POLICY_MATCH_IN
+#define IP6T_POLICY_MATCH_OUT XT_POLICY_MATCH_OUT
+#define IP6T_POLICY_MATCH_NONE XT_POLICY_MATCH_NONE
+#define IP6T_POLICY_MATCH_STRICT XT_POLICY_MATCH_STRICT
+
+/* ip6t_policy_modes */
+#define IP6T_POLICY_MODE_TRANSPORT XT_POLICY_MODE_TRANSPORT
+#define IP6T_POLICY_MODE_TUNNEL XT_POLICY_MODE_TUNNEL
+
+#define ip6t_policy_spec xt_policy_spec
+#define ip6t_policy_addr xt_policy_addr
+#define ip6t_policy_elem xt_policy_elem
+#define ip6t_policy_info xt_policy_info
#endif /* _IP6T_POLICY_H */
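Review bot: same omission as in ipt_policy.h: the new body depends on `XT_POLICY_MAX_ELEM`, `XT_POLICY_MATCH_*`, `XT_POLICY_MODE_*` and the `xt_policy_*` tags but no `#include <linux/netfilter/xt_policy.h>` is added, so a file that includes only <linux/netfilter_ipv6/ip6t_policy.h> no longer compiles; add the include after the guard.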
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index db78303..933ee7a 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -303,16 +303,6 @@ config IP_NF_MATCH_HASHLIMIT
destination IP' or `500pps from any given source IP' with a single
IPtables rule.
-config IP_NF_MATCH_POLICY
- tristate "IPsec policy match support"
- depends on IP_NF_IPTABLES && XFRM
- help
- Policy matching allows you to match packets based on the
- IPsec policy that was used during decapsulation/will
- be used during encapsulation.
-
- To compile it as a module, choose M here. If unsure, say N.
-
# `filter', generic and specific targets
config IP_NF_FILTER
tristate "Packet filtering"
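Review bot: removing `config IP_NF_MATCH_POLICY` with no migration means an existing .config carrying CONFIG_IP_NF_MATCH_POLICY=m loses the policy match silently on the next oldconfig run, because the replacement NETFILTER_XT_MATCH_POLICY is a new symbol that defaults to off; the IP6_NF_MATCH_POLICY removal further down has the same effect. Either keep a transitional entry that selects NETFILTER_XT_MATCH_POLICY, or at least call out the rename in the commit message so distributions updating their configs are not surprised by IPsec rules that no longer load.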
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index e5c5b32..3fe8092 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -57,7 +57,6 @@ obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_ds
obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
-obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o
# targets
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c
deleted file mode 100644
index b73f590..0000000
--- a/net/ipv4/netfilter/ipt_policy.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/* IP tables module for matching IPsec policy
- *
- * Copyright (c) 2004,2005 Patrick McHardy, <kaber@trash.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/kernel.h>
-#include <linux/config.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/init.h>
-#include <net/xfrm.h>
-
-#include <linux/netfilter_ipv4.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_policy.h>
-
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("IPtables IPsec policy matching module");
-MODULE_LICENSE("GPL");
-
-
-static inline int
-match_xfrm_state(struct xfrm_state *x, const struct ipt_policy_elem *e)
-{
-#define MATCH_ADDR(x,y,z) (!e->match.x || \
- ((e->x.a4.s_addr == (e->y.a4.s_addr & (z))) \
- ^ e->invert.x))
-#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
-
- return MATCH_ADDR(saddr, smask, x->props.saddr.a4) &&
- MATCH_ADDR(daddr, dmask, x->id.daddr.a4) &&
- MATCH(proto, x->id.proto) &&
- MATCH(mode, x->props.mode) &&
- MATCH(spi, x->id.spi) &&
- MATCH(reqid, x->props.reqid);
-}
-
-static int
-match_policy_in(const struct sk_buff *skb, const struct ipt_policy_info *info)
-{
- const struct ipt_policy_elem *e;
- struct sec_path *sp = skb->sp;
- int strict = info->flags & IPT_POLICY_MATCH_STRICT;
- int i, pos;
-
- if (sp == NULL)
- return -1;
- if (strict && info->len != sp->len)
- return 0;
-
- for (i = sp->len - 1; i >= 0; i--) {
- pos = strict ? i - sp->len + 1 : 0;
- if (pos >= info->len)
- return 0;
- e = &info->pol[pos];
-
- if (match_xfrm_state(sp->x[i].xvec, e)) {
- if (!strict)
- return 1;
- } else if (strict)
- return 0;
- }
-
- return strict ? 1 : 0;
-}
-
-static int
-match_policy_out(const struct sk_buff *skb, const struct ipt_policy_info *info)
-{
- const struct ipt_policy_elem *e;
- struct dst_entry *dst = skb->dst;
- int strict = info->flags & IPT_POLICY_MATCH_STRICT;
- int i, pos;
-
- if (dst->xfrm == NULL)
- return -1;
-
- for (i = 0; dst && dst->xfrm; dst = dst->child, i++) {
- pos = strict ? i : 0;
- if (pos >= info->len)
- return 0;
- e = &info->pol[pos];
-
- if (match_xfrm_state(dst->xfrm, e)) {
- if (!strict)
- return 1;
- } else if (strict)
- return 0;
- }
-
- return strict ? i == info->len : 0;
-}
-
-static int match(const struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- const struct xt_match *match,
- const void *matchinfo,
- int offset,
- unsigned int protoff,
- int *hotdrop)
-{
- const struct ipt_policy_info *info = matchinfo;
- int ret;
-
- if (info->flags & IPT_POLICY_MATCH_IN)
- ret = match_policy_in(skb, info);
- else
- ret = match_policy_out(skb, info);
-
- if (ret < 0)
- ret = info->flags & IPT_POLICY_MATCH_NONE ? 1 : 0;
- else if (info->flags & IPT_POLICY_MATCH_NONE)
- ret = 0;
-
- return ret;
-}
-
-static int checkentry(const char *tablename, const void *ip_void,
- const struct xt_match *match,
- void *matchinfo, unsigned int matchsize,
- unsigned int hook_mask)
-{
- struct ipt_policy_info *info = matchinfo;
-
- if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))) {
- printk(KERN_ERR "ipt_policy: neither incoming nor "
- "outgoing policy selected\n");
- return 0;
- }
- if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN)
- && info->flags & IPT_POLICY_MATCH_OUT) {
- printk(KERN_ERR "ipt_policy: output policy not valid in "
- "PRE_ROUTING and INPUT\n");
- return 0;
- }
- if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT)
- && info->flags & IPT_POLICY_MATCH_IN) {
- printk(KERN_ERR "ipt_policy: input policy not valid in "
- "POST_ROUTING and OUTPUT\n");
- return 0;
- }
- if (info->len > IPT_POLICY_MAX_ELEM) {
- printk(KERN_ERR "ipt_policy: too many policy elements\n");
- return 0;
- }
-
- return 1;
-}
-
-static struct ipt_match policy_match = {
- .name = "policy",
- .match = match,
- .matchsize = sizeof(struct ipt_policy_info),
- .checkentry = checkentry,
- .me = THIS_MODULE,
-};
-
-static int __init init(void)
-{
- return ipt_register_match(&policy_match);
-}
-
-static void __exit fini(void)
-{
- ipt_unregister_match(&policy_match);
-}
-
-module_init(init);
-module_exit(fini);
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 2d6f8ec..98f7875 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -133,16 +133,6 @@ config IP6_NF_MATCH_EUI64
To compile it as a module, choose M here. If unsure, say N.
-config IP6_NF_MATCH_POLICY
- tristate "IPsec policy match support"
- depends on IP6_NF_IPTABLES && XFRM
- help
- Policy matching allows you to match packets based on the
- IPsec policy that was used during decapsulation/will
- be used during encapsulation.
-
- To compile it as a module, choose M here. If unsure, say N.
-
# The targets
config IP6_NF_FILTER
tristate "Packet filtering"
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index db6073c..8436a1a 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -9,7 +9,6 @@ obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_
obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
obj-$(CONFIG_IP6_NF_MATCH_AHESP) += ip6t_esp.o ip6t_ah.o
-obj-$(CONFIG_IP6_NF_MATCH_POLICY) += ip6t_policy.o
obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o
obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
deleted file mode 100644
index f2a5997..0000000
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/* IP tables module for matching IPsec policy
- *
- * Copyright (c) 2004,2005 Patrick McHardy, <kaber@trash.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/kernel.h>
-#include <linux/config.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/init.h>
-#include <net/xfrm.h>
-
-#include <linux/netfilter_ipv6.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_policy.h>
-
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("IPtables IPsec policy matching module");
-MODULE_LICENSE("GPL");
-
-
-static inline int
-match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e)
-{
-#define MATCH_ADDR(x,y,z) (!e->match.x || \
- ((!ipv6_masked_addr_cmp(&e->x.a6, &e->y.a6, \
- z)) \
- ^ e->invert.x))
-#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
-
- return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) &&
- MATCH_ADDR(daddr, dmask, (struct in6_addr *)&x->id.daddr.a6) &&
- MATCH(proto, x->id.proto) &&
- MATCH(mode, x->props.mode) &&
- MATCH(spi, x->id.spi) &&
- MATCH(reqid, x->props.reqid);
-}
-
-static int
-match_policy_in(const struct sk_buff *skb, const struct ip6t_policy_info *info)
-{
- const struct ip6t_policy_elem *e;
- struct sec_path *sp = skb->sp;
- int strict = info->flags & IP6T_POLICY_MATCH_STRICT;
- int i, pos;
-
- if (sp == NULL)
- return -1;
- if (strict && info->len != sp->len)
- return 0;
-
- for (i = sp->len - 1; i >= 0; i--) {
- pos = strict ? i - sp->len + 1 : 0;
- if (pos >= info->len)
- return 0;
- e = &info->pol[pos];
-
- if (match_xfrm_state(sp->x[i].xvec, e)) {
- if (!strict)
- return 1;
- } else if (strict)
- return 0;
- }
-
- return strict ? 1 : 0;
-}
-
-static int
-match_policy_out(const struct sk_buff *skb, const struct ip6t_policy_info *info)
-{
- const struct ip6t_policy_elem *e;
- struct dst_entry *dst = skb->dst;
- int strict = info->flags & IP6T_POLICY_MATCH_STRICT;
- int i, pos;
-
- if (dst->xfrm == NULL)
- return -1;
-
- for (i = 0; dst && dst->xfrm; dst = dst->child, i++) {
- pos = strict ? i : 0;
- if (pos >= info->len)
- return 0;
- e = &info->pol[pos];
-
- if (match_xfrm_state(dst->xfrm, e)) {
- if (!strict)
- return 1;
- } else if (strict)
- return 0;
- }
-
- return strict ? i == info->len : 0;
-}
-
-static int match(const struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- const struct xt_match *match,
- const void *matchinfo,
- int offset,
- unsigned int protoff,
- int *hotdrop)
-{
- const struct ip6t_policy_info *info = matchinfo;
- int ret;
-
- if (info->flags & IP6T_POLICY_MATCH_IN)
- ret = match_policy_in(skb, info);
- else
- ret = match_policy_out(skb, info);
-
- if (ret < 0)
- ret = info->flags & IP6T_POLICY_MATCH_NONE ? 1 : 0;
- else if (info->flags & IP6T_POLICY_MATCH_NONE)
- ret = 0;
-
- return ret;
-}
-
-static int checkentry(const char *tablename, const void *ip_void,
- const struct xt_match *match, void *matchinfo,
- unsigned int matchsize, unsigned int hook_mask)
-{
- struct ip6t_policy_info *info = matchinfo;
-
- if (!(info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT))) {
- printk(KERN_ERR "ip6t_policy: neither incoming nor "
- "outgoing policy selected\n");
- return 0;
- }
- if (hook_mask & (1 << NF_IP6_PRE_ROUTING | 1 << NF_IP6_LOCAL_IN)
- && info->flags & IP6T_POLICY_MATCH_OUT) {
- printk(KERN_ERR "ip6t_policy: output policy not valid in "
- "PRE_ROUTING and INPUT\n");
- return 0;
- }
- if (hook_mask & (1 << NF_IP6_POST_ROUTING | 1 << NF_IP6_LOCAL_OUT)
- && info->flags & IP6T_POLICY_MATCH_IN) {
- printk(KERN_ERR "ip6t_policy: input policy not valid in "
- "POST_ROUTING and OUTPUT\n");
- return 0;
- }
- if (info->len > IP6T_POLICY_MAX_ELEM) {
- printk(KERN_ERR "ip6t_policy: too many policy elements\n");
- return 0;
- }
-
- return 1;
-}
-
-static struct ip6t_match policy_match = {
- .name = "policy",
- .match = match,
- .matchsize = sizeof(struct ip6t_policy_info),
- .checkentry = checkentry,
- .me = THIS_MODULE,
-};
-
-static int __init init(void)
-{
- return ip6t_register_match(&policy_match);
-}
-
-static void __exit fini(void)
-{
- ip6t_unregister_match(&policy_match);
-}
-
-module_init(init);
-module_exit(fini);
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index a8e5544..1e6e311 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -279,6 +279,16 @@ config NETFILTER_XT_MATCH_MARK
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_POLICY
+ tristate 'IPsec "policy" match support'
+ depends on NETFILTER_XTABLES && XFRM
+ help
+ Policy matching allows you to match packets based on the
+ IPsec policy that was used during decapsulation/will
+ be used during encapsulation.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config NETFILTER_XT_MATCH_PHYSDEV
tristate '"physdev" match support'
depends on NETFILTER_XTABLES && BRIDGE_NETFILTER
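Review bot: ordering nit: the new `config NETFILTER_XT_MATCH_POLICY` is inserted between MARK and PHYSDEV, while the neighbouring entries are alphabetical (MARK, PHYSDEV, PKTTYPE, ...), so it belongs after PKTTYPE; the Makefile hunk that follows places `xt_policy.o` ahead of `xt_pkttype.o` in the same way.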
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 746172e..9558727 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -40,6 +40,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH)
obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
new file mode 100644
index 0000000..1ec2208
--- /dev/null
+++ b/net/netfilter/xt_policy.c
@@ -0,0 +1,209 @@
+/* IP tables module for matching IPsec policy
+ *
+ * Copyright (c) 2004,2005 Patrick McHardy, <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/kernel.h>
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/init.h>
+#include <net/xfrm.h>
+
+#include <linux/netfilter/xt_policy.h>
+#include <linux/netfilter/x_tables.h>
+
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("Xtables IPsec policy matching module");
+MODULE_LICENSE("GPL");
+
+static inline int
+xt_addr_cmp(const union xt_policy_addr *a1, const union xt_policy_addr *m,
+ const union xt_policy_addr *a2, unsigned short family)
+{
+ switch (family) {
+ case AF_INET:
+ return (a1->a4.s_addr ^ a2->a4.s_addr) & m->a4.s_addr;
+ case AF_INET6:
+ return ipv6_masked_addr_cmp(&a1->a6, &m->a6, &a2->a6);
+ }
+ return 0;
+}
+
+static inline int
+match_xfrm_state(struct xfrm_state *x, const struct xt_policy_elem *e,
+ unsigned short family)
+{
+#define MATCH_ADDR(x,y,z) (!e->match.x || \
+ (xt_addr_cmp(&e->x, &e->y, z, family) \
+ ^ e->invert.x))
+#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
+
+ return MATCH_ADDR(saddr, smask, (union xt_policy_addr *)&x->props.saddr) &&
+ MATCH_ADDR(daddr, dmask, (union xt_policy_addr *)&x->id.daddr.a4) &&
+ MATCH(proto, x->id.proto) &&
+ MATCH(mode, x->props.mode) &&
+ MATCH(spi, x->id.spi) &&
+ MATCH(reqid, x->props.reqid);
+}
+
+static int
+match_policy_in(const struct sk_buff *skb, const struct xt_policy_info *info,
+ unsigned short family)
+{
+ const struct xt_policy_elem *e;
+ struct sec_path *sp = skb->sp;
+ int strict = info->flags & XT_POLICY_MATCH_STRICT;
+ int i, pos;
+
+ if (sp == NULL)
+ return -1;
+ if (strict && info->len != sp->len)
+ return 0;
+
+ for (i = sp->len - 1; i >= 0; i--) {
+ pos = strict ? i - sp->len + 1 : 0;
+ if (pos >= info->len)
+ return 0;
+ e = &info->pol[pos];
+
+ if (match_xfrm_state(sp->x[i].xvec, e, family)) {
+ if (!strict)
+ return 1;
+ } else if (strict)
+ return 0;
+ }
+
+ return strict ? 1 : 0;
+}
+
+static int
+match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
+ unsigned short family)
+{
+ const struct xt_policy_elem *e;
+ struct dst_entry *dst = skb->dst;
+ int strict = info->flags & XT_POLICY_MATCH_STRICT;
+ int i, pos;
+
+ if (dst->xfrm == NULL)
+ return -1;
+
+ for (i = 0; dst && dst->xfrm; dst = dst->child, i++) {
+ pos = strict ? i : 0;
+ if (pos >= info->len)
+ return 0;
+ e = &info->pol[pos];
+
+ if (match_xfrm_state(dst->xfrm, e, family)) {
+ if (!strict)
+ return 1;
+ } else if (strict)
+ return 0;
+ }
+
+ return strict ? i == info->len : 0;
+}
+
+static int match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const struct xt_match *match,
+ const void *matchinfo,
+ int offset,
+ unsigned int protoff,
+ int *hotdrop)
+{
+ const struct xt_policy_info *info = matchinfo;
+ int ret;
+
+ if (info->flags & XT_POLICY_MATCH_IN)
+ ret = match_policy_in(skb, info, match->family);
+ else
+ ret = match_policy_out(skb, info, match->family);
+
+ if (ret < 0)
+ ret = info->flags & XT_POLICY_MATCH_NONE ? 1 : 0;
+ else if (info->flags & XT_POLICY_MATCH_NONE)
+ ret = 0;
+
+ return ret;
+}
+
+static int checkentry(const char *tablename, const void *ip_void,
+ const struct xt_match *match,
+ void *matchinfo, unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ struct xt_policy_info *info = matchinfo;
+
+ if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
+ printk(KERN_ERR "xt_policy: neither incoming nor "
+ "outgoing policy selected\n");
+ return 0;
+ }
+ /* hook values are equal for IPv4 and IPv6 */
+ if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN)
+ && info->flags & XT_POLICY_MATCH_OUT) {
+ printk(KERN_ERR "xt_policy: output policy not valid in "
+ "PRE_ROUTING and INPUT\n");
+ return 0;
+ }
+ if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT)
+ && info->flags & XT_POLICY_MATCH_IN) {
+ printk(KERN_ERR "xt_policy: input policy not valid in "
+ "POST_ROUTING and OUTPUT\n");
+ return 0;
+ }
+ if (info->len > XT_POLICY_MAX_ELEM) {
+ printk(KERN_ERR "xt_policy: too many policy elements\n");
+ return 0;
+ }
+ return 1;
+}
+
+static struct xt_match policy_match = {
+ .name = "policy",
+ .family = AF_INET,
+ .match = match,
+ .matchsize = sizeof(struct xt_policy_info),
+ .checkentry = checkentry,
+ .me = THIS_MODULE,
+};
+
+static struct xt_match policy6_match = {
+ .name = "policy",
+ .family = AF_INET6,
+ .match = match,
+ .matchsize = sizeof(struct xt_policy_info),
+ .checkentry = checkentry,
+ .me = THIS_MODULE,
+};
+
+static int __init init(void)
+{
+ int ret;
+
+ ret = xt_register_match(AF_INET, &policy_match);
+ if (ret)
+ return ret;
+ ret = xt_register_match(AF_INET6, &policy6_match);
+ if (ret)
+ xt_unregister_match(AF_INET, &policy_match);
+ return ret;
+}
+
+static void __exit fini(void)
+{
+ xt_unregister_match(AF_INET6, &policy6_match);
+ xt_unregister_match(AF_INET, &policy_match);
+}
+
+module_init(init);
+module_exit(fini);
+MODULE_ALIAS("ipt_policy");
+MODULE_ALIAS("ip6t_policy");
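Review bot: the address comparison in match_xfrm_state() is inverted relative to the scalar comparisons. xt_addr_cmp() returns the masked XOR, which is 0 when the two addresses agree under the mask (and, assuming ipv6_masked_addr_cmp() keeps the cmp convention its name implies, that branch is 0 on equality as well), yet MATCH_ADDR() treats a nonzero result XOR e->invert.x as a match, while MATCH() uses `e->x == (y)` and so yields 1 on equality. A rule with --src or --dst and no `!` therefore matches only when the SA address does not match the selector, and the inverted form matches when it does. Negating in xt_addr_cmp() puts both macros on the same footing:
return !((a1->a4.s_addr ^ a2->a4.s_addr) & m->a4.s_addr);
return !ipv6_masked_addr_cmp(&a1->a6, &m->a6, &a2->a6);
Separately, in match_policy_in() strict mode the element index `pos = strict ? i - sp->len + 1 : 0` is 0 on the first iteration (i == sp->len - 1) and negative on every later one, and the `pos >= info->len` guard does not catch negatives, so with more than one SA in the sec_path info->pol[] is read before its start; counting up as match_policy_out() does, `pos = strict ? sp->len - 1 - i : 0`, walks policy elements 0..len-1 in step with the reversed sec_path walk. Minor: `(union xt_policy_addr *)&x->id.daddr.a4` relies on a4 being the first member of xfrm_address_t; `&x->id.daddr`, written the way props.saddr is on the line above, says the same without that assumption.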
* [NETFILTER 13/13]: ctnetlink: avoid unnecessary event message generation
2006-02-16 21:32 [NETFILTER 00/13]: Netfilter patches for 2.6.17 Patrick McHardy
` (11 preceding siblings ...)
2006-02-16 21:32 ` [NETFILTER 12/13]: x_tables: replace IPv4/IPv6 policy match by address family independent version Patrick McHardy
@ 2006-02-16 21:32 ` Patrick McHardy
2006-02-19 8:31 ` [NETFILTER 00/13]: Netfilter patches for 2.6.17 David S. Miller
13 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2006-02-16 21:32 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: ctnetlink: avoid unnecessary event message generation
Avoid unnecessary event message generation by checking for netlink
listeners before building a message.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 0d101f9f648b51101f3c4ba4ba39b76b4a3e12c8
tree f3bf95231f93cf57d25e3239eebbe897a2927259
parent 3a3198cc233706dcead7c9642201cc747579a677
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:35:58 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:35:58 +0100
include/linux/netfilter/nfnetlink.h | 1 +
net/ipv4/netfilter/ip_conntrack_netlink.c | 7 ++++---
net/netfilter/nf_conntrack_netlink.c | 7 ++++---
net/netfilter/nfnetlink.c | 6 ++++++
4 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 934a247..9f5b12c 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -164,6 +164,7 @@ extern void nfattr_parse(struct nfattr *
__res; \
})
+extern int nfnetlink_has_listeners(unsigned int group);
extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group,
int echo);
extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags);
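Review bot: the new nfnetlink_has_listeners() prototype carries no comment on its contract. Since callers use it to decide whether to build an event message at all, a one-line note that it returns nonzero when at least one socket is subscribed to the nfnetlink multicast `group`, and that the answer is only a snapshot (a subscriber may appear right after the check), would save the next reader a trip into nfnetlink.c.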
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index e0b5926..5ce2e3f 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -327,9 +327,10 @@ static int ctnetlink_conntrack_event(str
group = NFNLGRP_CONNTRACK_UPDATE;
} else
return NOTIFY_DONE;
-
- /* FIXME: Check if there are any listeners before, don't hurt performance */
-
+
+ if (!nfnetlink_has_listeners(group))
+ return NOTIFY_DONE;
+
skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
if (!skb)
return NOTIFY_DONE;
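Review bot: the hunk deletes two blank lines and adds two blank lines around the new check (the `-`/`+` pairs at the top and bottom of the hunk), which usually means trailing whitespace is being introduced or removed; run the patch through `git diff --check` or `checkpatch.pl` before it goes in so the whitespace churn does not obscure the one-line change. The check itself sits in the right place, before alloc_skb(), so the GFP_ATOMIC allocation and the attribute fill are skipped entirely when nobody is subscribed.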
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index f0d6fc9..20db402 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -338,9 +338,10 @@ static int ctnetlink_conntrack_event(str
group = NFNLGRP_CONNTRACK_UPDATE;
} else
return NOTIFY_DONE;
-
- /* FIXME: Check if there are any listeners before, don't hurt performance */
-
+
+ if (!nfnetlink_has_listeners(group))
+ return NOTIFY_DONE;
+
skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
if (!skb)
return NOTIFY_DONE;
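Review bot: this is the identical change to ip_conntrack_netlink.c, and the same trailing-whitespace question applies to its blank-line `-`/`+` pairs. One caveat deserves a sentence in the commit message: the has-listeners test is a snapshot, so a listener that subscribes between this check and the eventual send misses this one event. That is acceptable here because ctnetlink events are already best-effort (the existing `if (!skb) return NOTIFY_DONE;` drops them on allocation failure), but it should be stated rather than left implicit.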
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index f6063e8..b88e82a 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -191,6 +191,12 @@ nfnetlink_check_attributes(struct nfnetl
return 0;
}
+int nfnetlink_has_listeners(unsigned int group)
+{
+ return netlink_has_listeners(nfnl, group);
+}
+EXPORT_SYMBOL_GPL(nfnetlink_has_listeners);
+
int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, int echo)
{
gfp_t allocation = in_interrupt() ? GFP_ATOMIC : GFP_KERNEL;
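Review bot: nfnetlink_has_listeners() is a thin wrapper over netlink_has_listeners(nfnl, group), and netlink_has_listeners() is not part of this series. The cover letter says this patch depends on the netlink patch sent the day before, but the commit message does not, so a tree that picks up this commit on its own fails to build; please repeat the dependency in the commit message. The wrapper also dereferences the module-global `nfnl` socket unconditionally, which matches how nfnetlink_send() below already uses it and is fine as long as nfnetlink registration guarantees the socket exists before any subsystem can emit events.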
* Re: [NETFILTER 00/13]: Netfilter patches for 2.6.17
2006-02-16 21:32 [NETFILTER 00/13]: Netfilter patches for 2.6.17 Patrick McHardy
` (12 preceding siblings ...)
2006-02-16 21:32 ` [NETFILTER 13/13]: ctnetlink: avoid unnecessary event message generation Patrick McHardy
@ 2006-02-19 8:31 ` David S. Miller
13 siblings, 0 replies; 15+ messages in thread
From: David S. Miller @ 2006-02-19 8:31 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Feb 2006 22:32:07 +0100 (MET)
> these are my netfilter patches for 2.6.17. The last patch (ctnetlink:
> avoid unnecessary event message generation) depends on the netlink
> patch I sent yesterday. Please apply on top of that patch.
All applied, thanks Patrick.
Thread overview: 15+ messages
2006-02-16 21:32 [NETFILTER 00/13]: Netfilter patches for 2.6.17 Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 01/13]: Fix CID offset bug in PPTP NAT helper debug message Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 02/13]: nf_conntrack: use ipv6_addr_equal in nf_ct_reasm Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 03/13]: xt_tables: add centralized error checking Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 04/13]: Change {ip, ip6, arp}_tables to use " Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 05/13]: Convert ip_tables matches/targets to " Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 06/13]: Convert arp_tables targets " Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 07/13]: Convert ip6_tables matches/targets " Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 08/13]: Convert x_tables " Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 09/13]: x_tables: pass registered match/target data to match/target functions Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 10/13]: x_tables: add xt_{match, target} arguments " Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 11/13]: Move ip6_masked_addrcmp to include/net/ipv6.h Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 12/13]: x_tables: replace IPv4/IPv6 policy match by address family independent version Patrick McHardy
2006-02-16 21:32 ` [NETFILTER 13/13]: ctnetlink: avoid unnecessary event message generation Patrick McHardy
2006-02-19 8:31 ` [NETFILTER 00/13]: Netfilter patches for 2.6.17 David S. Miller