From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>
Subject: [NETFILTER 04/13]: Change {ip, ip6, arp}_tables to use centralized error checking
Date: Thu, 16 Feb 2006 22:32:13 +0100 (MET) [thread overview]
Message-ID: <20060216213213.6933.32188.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20060216213207.6933.99672.sendpatchset@localhost.localdomain>
[NETFILTER]: Change {ip,ip6,arp}_tables to use centralized error checking
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 21596d6b3f1a5d828a9dbe4e3db8430898a97f17
tree d4f3cd7a721c4260e614939bdfe8db92b1d5548b
parent ef8e3f5ae821c8023c72faf255f2256a5326d723
author Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:02 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 16 Feb 2006 14:17:02 +0100
net/ipv4/netfilter/arp_tables.c | 11 ++++++++---
net/ipv4/netfilter/ip_tables.c | 26 +++++++++++++++++++++-----
net/ipv6/netfilter/ip6_tables.c | 26 +++++++++++++++++++++-----
3 files changed, 50 insertions(+), 13 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index dd1048b..f68eb67 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -480,6 +480,11 @@ static inline int check_entry(struct arp
}
t->u.kernel.target = target;
+ ret = xt_check_target(target, NF_ARP, t->u.target_size - sizeof(*t),
+ name, e->comefrom, 0, 0);
+ if (ret)
+ goto err;
+
if (t->u.kernel.target == &arpt_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
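Review bot: The standard_check() failure branch directly below the new xt_check_target() call still skips the module_put() that the rest of the function now funnels through `err:`; it sets `ret = -EINVAL` and then jumps, on the line just past this hunk (which the hunk ranges show the commit does not touch), presumably to the old `out:` label. Now that `err:` exists, that jump should become `goto err;` so the reference taken when the target was looked up is dropped on every failure after `t->u.kernel.target` is assigned; as written, a rejected standard-target rule would likely leave the owning module's refcount elevated. The same pattern appears in the ip_tables check_entry hunk (`@@ -565,6 +575,12 @@`, where the jump presumably still goes to `cleanup_matches:`) and the ip6_tables check_entry hunk (`@@ -632,6 +642,12 @@`). check_entry() starts before this hunk and ends after it.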
@@ -490,16 +495,16 @@ static inline int check_entry(struct arp
t->u.target_size
- sizeof(*t),
e->comefrom)) {
- module_put(t->u.kernel.target->me);
duprintf("arp_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
ret = -EINVAL;
- goto out;
+ goto err;
}
(*i)++;
return 0;
-
+err:
+ module_put(t->u.kernel.target->me);
out:
return ret;
}
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 16f47c6..f884ca2 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -508,6 +508,7 @@ check_match(struct ipt_entry_match *m,
unsigned int *i)
{
struct ipt_match *match;
+ int ret;
match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
m->u.user.revision),
@@ -518,18 +519,27 @@ check_match(struct ipt_entry_match *m,
}
m->u.kernel.match = match;
+ ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
+ name, hookmask, ip->proto,
+ ip->invflags & IPT_INV_PROTO);
+ if (ret)
+ goto err;
+
if (m->u.kernel.match->checkentry
&& !m->u.kernel.match->checkentry(name, ip, m->data,
m->u.match_size - sizeof(*m),
hookmask)) {
- module_put(m->u.kernel.match->me);
duprintf("ip_tables: check failed for `%s'.\n",
m->u.kernel.match->name);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err;
}
(*i)++;
return 0;
+err:
+ module_put(m->u.kernel.match->me);
+ return ret;
}
static struct ipt_target ipt_standard_target;
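Review bot: The new `err:` label in check_match is now the single release point for the reference taken by the match lookup at the top of the function, and nothing at the label says so; someone adding another failure branch after `m->u.kernel.match = match` has to work out that a plain `return -EINVAL` would leak it. A one-line comment at the label would make the invariant explicit: `err:	/* undo the reference taken by xt_find_match() above */`. The ip6_tables check_match hunk (`@@ -585,18 +586,27 @@`) would benefit from the same comment.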
@@ -565,6 +575,12 @@ check_entry(struct ipt_entry *e, const c
}
t->u.kernel.target = target;
+ ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
+ name, e->comefrom, e->ip.proto,
+ e->ip.invflags & IPT_INV_PROTO);
+ if (ret)
+ goto err;
+
if (t->u.kernel.target == &ipt_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
@@ -575,16 +591,16 @@ check_entry(struct ipt_entry *e, const c
t->u.target_size
- sizeof(*t),
e->comefrom)) {
- module_put(t->u.kernel.target->me);
duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
ret = -EINVAL;
- goto cleanup_matches;
+ goto err;
}
(*i)++;
return 0;
-
+ err:
+ module_put(t->u.kernel.target->me);
cleanup_matches:
IPT_MATCH_ITERATE(e, cleanup_match, &j);
return ret;
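Review bot: The label added to check_entry is written ` err:` with leading whitespace, while the sibling `cleanup_matches:` two lines below and the `err:` added to check_match earlier in this same file sit at column 0; every other label visible in this diff is flush left, so the mismatch stands out. Suggest `err:` at column 0 here and in the ip6_tables check_entry hunk (`@@ -642,16 +658,16 @@`). check_entry() continues past the end of this hunk.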
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 74ff56c..3d2fefe 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -575,6 +575,7 @@ check_match(struct ip6t_entry_match *m,
unsigned int *i)
{
struct ip6t_match *match;
+ int ret;
match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
m->u.user.revision),
@@ -585,18 +586,27 @@ check_match(struct ip6t_entry_match *m,
}
m->u.kernel.match = match;
+ ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
+ name, hookmask, ipv6->proto,
+ ipv6->invflags & IP6T_INV_PROTO);
+ if (ret)
+ goto err;
+
if (m->u.kernel.match->checkentry
&& !m->u.kernel.match->checkentry(name, ipv6, m->data,
m->u.match_size - sizeof(*m),
hookmask)) {
- module_put(m->u.kernel.match->me);
duprintf("ip_tables: check failed for `%s'.\n",
m->u.kernel.match->name);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err;
}
(*i)++;
return 0;
+err:
+ module_put(m->u.kernel.match->me);
+ return ret;
}
static struct ip6t_target ip6t_standard_target;
@@ -632,6 +642,12 @@ check_entry(struct ip6t_entry *e, const
}
t->u.kernel.target = target;
+ ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
+ name, e->comefrom, e->ipv6.proto,
+ e->ipv6.invflags & IP6T_INV_PROTO);
+ if (ret)
+ goto err;
+
if (t->u.kernel.target == &ip6t_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
@@ -642,16 +658,16 @@ check_entry(struct ip6t_entry *e, const
t->u.target_size
- sizeof(*t),
e->comefrom)) {
- module_put(t->u.kernel.target->me);
duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
ret = -EINVAL;
- goto cleanup_matches;
+ goto err;
}
(*i)++;
return 0;
-
+ err:
+ module_put(t->u.kernel.target->me);
cleanup_matches:
IP6T_MATCH_ITERATE(e, cleanup_match, &j);
return ret;