* [PATCH 1/4][data-condition]: instance data support in matches' prototypes and structures
From: Massimiliano Hofer @ 2006-12-05 22:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: Patrick McHardy
From 5cd5ac8bf04d15de1a3b370eedac4d7d3b7946d3 Mon Sep 17 00:00:00 2001
From: Massimiliano Hofer <max@nucleus.it>
Date: Tue, 5 Dec 2006 22:48:10 +0100
Subject: [PATCH] [NETFILTER]: instance data support in matches' prototypes and structures
This patch adds support for instance-specific data in matches.
Only prototype and structure changes are included here.
The real code will come in a separate patch.
Signed-off-by: Massimiliano Hofer <max@nucleus.it>
---
include/linux/netfilter/x_tables.h | 23 +++++++++-----
net/ipv4/netfilter/ip_tables.c | 50 +++++++++++++++++--------------
net/ipv4/netfilter/ipt_addrtype.c | 2 +-
net/ipv4/netfilter/ipt_ah.c | 14 +++++----
net/ipv4/netfilter/ipt_ecn.c | 10 +++---
net/ipv4/netfilter/ipt_iprange.c | 1 +
net/ipv4/netfilter/ipt_owner.c | 14 +++++----
net/ipv4/netfilter/ipt_recent.c | 21 +++++++------
net/ipv4/netfilter/ipt_tos.c | 1 +
net/ipv4/netfilter/ipt_ttl.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 23 +++++++++-----
net/ipv6/netfilter/ip6t_ah.c | 14 +++++----
net/ipv6/netfilter/ip6t_eui64.c | 1 +
net/ipv6/netfilter/ip6t_frag.c | 14 +++++----
net/ipv6/netfilter/ip6t_hbh.c | 16 +++++----
net/ipv6/netfilter/ip6t_hl.c | 2 +-
net/ipv6/netfilter/ip6t_ipv6header.c | 22 +++++++------
net/ipv6/netfilter/ip6t_owner.c | 14 +++++----
net/ipv6/netfilter/ip6t_rt.c | 14 +++++----
net/netfilter/x_tables.c | 8 ++--
net/netfilter/xt_comment.c | 1 +
net/netfilter/xt_connbytes.c | 16 +++++----
net/netfilter/xt_connmark.c | 18 ++++++-----
net/netfilter/xt_conntrack.c | 18 +++++++----
net/netfilter/xt_dccp.c | 16 +++++----
net/netfilter/xt_dscp.c | 17 ++++++----
net/netfilter/xt_esp.c | 16 +++++----
net/netfilter/xt_hashlimit.c | 18 ++++++-----
net/netfilter/xt_helper.c | 19 +++++++-----
net/netfilter/xt_length.c | 2 +
net/netfilter/xt_limit.c | 20 +++++++-----
net/netfilter/xt_mac.c | 1 +
net/netfilter/xt_mark.c | 16 +++++----
net/netfilter/xt_multiport.c | 54 +++++++++++++++++++---------------
net/netfilter/xt_physdev.c | 16 +++++----
net/netfilter/xt_pkttype.c | 1 +
net/netfilter/xt_policy.c | 19 ++++++-----
net/netfilter/xt_quota.c | 12 ++++----
net/netfilter/xt_realm.c | 1 +
net/netfilter/xt_sctp.c | 16 +++++----
net/netfilter/xt_state.c | 18 ++++++-----
net/netfilter/xt_statistic.c | 12 ++++----
net/netfilter/xt_string.c | 21 +++++++-----
net/netfilter/xt_tcpmss.c | 1 +
net/netfilter/xt_tcpudp.c | 44 +++++++++++++++------------
45 files changed, 373 insertions(+), 286 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 022edfa..73147b4 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -20,6 +20,7 @@ struct xt_entry_match
/* Used inside the kernel */
struct xt_match *match;
+ void *data;
} kernel;
/* Total length */
@@ -138,20 +139,23 @@ struct xt_match
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop);
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
- int (*checkentry)(const char *tablename,
- const void *ip,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask);
+ int (*init)(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask);
/* Called when entry of this type deleted. */
- void (*destroy)(const struct xt_match *match, void *matchinfo);
+ void (*destroy)(const struct xt_match *match, void *matchinfo,
+ void *data);
/* Called when userspace align differs from kernel space one */
void (*compat_from_user)(void *dst, void *src);
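Review bot: `init` receives the instance pointer by value (`void *data`), so a match can never hand a freshly allocated instance back to the core; every caller in this series sets `m->u.kernel.data` to NULL and then passes that NULL, which leaves the new field permanently empty. Either the core allocates `datasize` bytes before calling `init` and the callback only fills them in, or the parameter needs to be `void **data`; whichever is intended, the comment above the prototype should say so, e.g. `/* data points to datasize bytes of per-instance storage (NULL if datasize == 0); init may populate but not replace it. */`. The name `data` also collides with the existing `unsigned long data` member of `struct xt_match` that holds per-match constants (net/ipv6/netfilter/ip6t_hbh.c sets `.data = NEXTHDR_HOP` in the same initializer that now sets `.init`); a distinct name such as `priv` on both `init` and `destroy` would keep the two from being confused.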
@@ -164,6 +168,7 @@ struct xt_match
unsigned long data;
char *table;
+ unsigned int datasize;
unsigned int matchsize;
unsigned int compatsize;
unsigned int hooks;
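Review bot: `datasize` is added without a comment saying who consumes it, and `xt_init_match` in net/netfilter/x_tables.c still validates only `matchsize`, so nothing in this patch bounds, allocates or frees it. Since the description defers the real code to a later patch, a one-line comment here would pin the contract now, e.g. `/* Bytes of per-instance data the core allocates before ->init, 0 if none */`, and the registration path should reject an unreasonable `datasize` when that code lands so a module cannot request an oversized per-rule allocation.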
@@ -274,9 +279,9 @@ extern void xt_unregister_match(struct x
extern int xt_register_matches(struct xt_match *match, unsigned int n);
extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
-extern int xt_check_match(const struct xt_match *match, unsigned short family,
- unsigned int size, const char *table, unsigned int hook,
- unsigned short proto, int inv_proto);
+extern int xt_init_match(const struct xt_match *match, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook,
+ unsigned short proto, int inv_proto);
extern int xt_check_target(const struct xt_target *target, unsigned short family,
unsigned int size, const char *table, unsigned int hook,
unsigned short proto, int inv_proto);
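Review bot: `xt_check_match` is renamed to `xt_init_match` here and in net/netfilter/x_tables.c, but the function body is unchanged and still only validates size, table, hook and protocol constraints, so the new name promises initialization it does not perform. Renaming an `EXPORT_SYMBOL_GPL` symbol also breaks every external caller with no transition alias. Keeping `xt_check_match` until the patch that actually allocates instance data, or adding `xt_init_match` as a new function that calls the existing check, would keep the series bisectable and the name honest.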
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 8a45543..75fae96 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -198,7 +198,8 @@ int do_match(struct ipt_entry_match *m,
{
/* Stop iteration if it doesn't match */
if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
- offset, skb->nh.iph->ihl*4, hotdrop))
+ m->u.kernel.data, offset,
+ skb->nh.iph->ihl*4, hotdrop))
return 1;
else
return 0;
@@ -464,7 +465,8 @@ cleanup_match(struct ipt_entry_match *m,
return 1;
if (m->u.kernel.match->destroy)
- m->u.kernel.match->destroy(m->u.kernel.match, m->data);
+ m->u.kernel.match->destroy(m->u.kernel.match, m->data,
+ m->u.kernel.data);
module_put(m->u.kernel.match->me);
return 0;
}
@@ -491,7 +493,7 @@ standard_check(const struct ipt_entry_ta
}
static inline int
-check_match(struct ipt_entry_match *m,
+init_match(struct ipt_entry_match *m,
const char *name,
const struct ipt_ip *ip,
unsigned int hookmask,
@@ -509,15 +511,16 @@ check_match(struct ipt_entry_match *m,
}
m->u.kernel.match = match;
- ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
- name, hookmask, ip->proto,
- ip->invflags & IPT_INV_PROTO);
+ ret = xt_init_match(match, AF_INET, m->u.match_size - sizeof(*m),
+ name, hookmask, ip->proto,
+ ip->invflags & IPT_INV_PROTO);
if (ret)
goto err;
- if (m->u.kernel.match->checkentry
- && !m->u.kernel.match->checkentry(name, ip, match, m->data,
- hookmask)) {
+ m->u.kernel.data = NULL;
+ if (m->u.kernel.match->init
+ && !m->u.kernel.match->init(name, ip, match, m->data,
+ m->u.kernel.data, hookmask)) {
duprintf("ip_tables: check failed for `%s'.\n",
m->u.kernel.match->name);
ret = -EINVAL;
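Review bot: `m->u.kernel.data = NULL;` followed by passing `m->u.kernel.data` by value to `init` means the callback cannot store anything into the entry, so after this hunk the instance pointer is always NULL when `match` and `destroy` later read it; the same pattern appears in the compat path below (compat_copy_match_from_user) and in net/ipv6/netfilter/ip6_tables.c. If the core is meant to own the allocation, the NULL assignment should become an allocation sized by `match->datasize` with a failure check before `init` runs, and it must be released on the `err` path so a rejected ruleset does not leak; if the match is meant to own it, pass `&m->u.kernel.data` instead. init_match continues outside the hunk.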
@@ -551,7 +554,7 @@ check_entry(struct ipt_entry *e, const c
return -EINVAL;
j = 0;
- ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom, &j);
+ ret = IPT_MATCH_ITERATE(e, init_match, name, &e->ip, e->comefrom, &j);
if (ret != 0)
goto cleanup_matches;
@@ -1537,12 +1540,13 @@ static inline int compat_copy_match_from
match = m->u.kernel.match;
xt_compat_match_from_user(m, dstptr, size);
- ret = xt_check_match(match, AF_INET, dm->u.match_size - sizeof(*dm),
- name, hookmask, ip->proto,
- ip->invflags & IPT_INV_PROTO);
- if (!ret && m->u.kernel.match->checkentry
- && !m->u.kernel.match->checkentry(name, ip, match, dm->data,
- hookmask)) {
+ ret = xt_init_match(match, AF_INET, dm->u.match_size - sizeof(*dm),
+ name, hookmask, ip->proto,
+ ip->invflags & IPT_INV_PROTO);
+ m->u.kernel.data = NULL;
+ if (!ret && m->u.kernel.match->init
+ && !m->u.kernel.match->init(name, ip, match, dm->data,
+ m->u.kernel.data, hookmask)) {
duprintf("ip_tables: check failed for `%s'.\n",
m->u.kernel.match->name);
ret = -EINVAL;
@@ -2092,6 +2096,7 @@ icmp_match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -2122,11 +2127,12 @@ icmp_match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */
static int
-icmp_checkentry(const char *tablename,
- const void *info,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+icmp_init(const char *tablename,
+ const void *info,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ipt_icmp *icmpinfo = matchinfo;
@@ -2175,7 +2181,7 @@ static struct ipt_match icmp_matchstruct
.matchsize = sizeof(struct ipt_icmp),
.proto = IPPROTO_ICMP,
.family = AF_INET,
- .checkentry = icmp_checkentry,
+ .init = icmp_init,
};
static int __init ip_tables_init(void)
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 7b60eb7..de3c961 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -30,7 +30,7 @@ static inline int match_type(__be32 addr
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ void *data, int offset, unsigned int protoff, int *hotdrop)
{
const struct ipt_addrtype_info *info = matchinfo;
const struct iphdr *iph = skb->nh.iph;
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 1798f86..0cee597 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -41,6 +41,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -70,11 +71,12 @@ match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */
static int
-checkentry(const char *tablename,
- const void *ip_void,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *ip_void,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ipt_ah *ahinfo = matchinfo;
@@ -91,7 +93,7 @@ static struct ipt_match ah_match = {
.match = match,
.matchsize = sizeof(struct ipt_ah),
.proto = IPPROTO_AH,
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index dafbdec..e9e7241 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -68,7 +68,7 @@ static inline int match_tcp(const struct
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ void *data, int offset, unsigned int protoff, int *hotdrop)
{
const struct ipt_ecn_info *info = matchinfo;
@@ -86,9 +86,9 @@ static int match(const struct sk_buff *s
return 1;
}
-static int checkentry(const char *tablename, const void *ip_void,
- const struct xt_match *match,
- void *matchinfo, unsigned int hook_mask)
+static int init(const char *tablename, const void *ip_void,
+ const struct xt_match *match,
+ void *matchinfo, void *data, unsigned int hook_mask)
{
const struct ipt_ecn_info *info = matchinfo;
const struct ipt_ip *ip = ip_void;
@@ -113,7 +113,7 @@ static struct ipt_match ecn_match = {
.name = "ecn",
.match = match,
.matchsize = sizeof(struct ipt_ecn_info),
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/ipv4/netfilter/ipt_iprange.c
index 5202edd..2b2439b 100644
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ b/net/ipv4/netfilter/ipt_iprange.c
@@ -29,6 +29,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset, unsigned int protoff, int *hotdrop)
{
const struct ipt_iprange_info *info = matchinfo;
diff --git a/net/ipv4/netfilter/ipt_owner.c b/net/ipv4/netfilter/ipt_owner.c
index 78c336f..c154360 100644
--- a/net/ipv4/netfilter/ipt_owner.c
+++ b/net/ipv4/netfilter/ipt_owner.c
@@ -27,6 +27,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -52,11 +53,12 @@ match(const struct sk_buff *skb,
}
static int
-checkentry(const char *tablename,
- const void *ip,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ipt_owner_info *info = matchinfo;
@@ -73,7 +75,7 @@ static struct ipt_match owner_match = {
.match = match,
.matchsize = sizeof(struct ipt_owner_info),
.hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 126db44..278bdb3 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -172,7 +172,7 @@ static int
ipt_recent_match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ void *data, int offset, unsigned int protoff, int *hotdrop)
{
const struct ipt_recent_info *info = matchinfo;
struct recent_table *t;
@@ -235,9 +235,9 @@ out:
}
static int
-ipt_recent_checkentry(const char *tablename, const void *ip,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+ipt_recent_init(const char *tablename, const void *ip,
+ const struct xt_match *match, void *matchinfo,
+ void *data, unsigned int hook_mask)
{
const struct ipt_recent_info *info = matchinfo;
struct recent_table *t;
@@ -293,7 +293,8 @@ out:
}
static void
-ipt_recent_destroy(const struct xt_match *match, void *matchinfo)
+ipt_recent_destroy(const struct xt_match *match, void *matchinfo,
+ void *data)
{
const struct ipt_recent_info *info = matchinfo;
struct recent_table *t;
@@ -466,12 +467,12 @@ static struct ipt_match recent_match = {
.name = "recent",
.match = ipt_recent_match,
.matchsize = sizeof(struct ipt_recent_info),
- .checkentry = ipt_recent_checkentry,
+ .init = ipt_recent_init,
.destroy = ipt_recent_destroy,
.me = THIS_MODULE,
};
-static int __init ipt_recent_init(void)
+static int __init ipt_recent_module_init(void)
{
int err;
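Review bot: Naming the per-entry callback `ipt_recent_init` collides with the module's existing `__init ipt_recent_init`, which this hunk works around by renaming the module entry points to `ipt_recent_module_init`/`ipt_recent_module_exit` (and likewise in net/ipv6/netfilter/ip6t_ipv6header.c). Every other match in the series can hit the same collision as soon as it grows a module init function, so a callback name that does not shadow the module-init convention, e.g. `ipt_recent_init_entry`, would avoid repeating this churn; the module-level rename is otherwise fine.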
@@ -492,7 +493,7 @@ static int __init ipt_recent_init(void)
return err;
}
-static void __exit ipt_recent_exit(void)
+static void __exit ipt_recent_module_exit(void)
{
BUG_ON(!list_empty(&tables));
ipt_unregister_match(&recent_match);
@@ -501,5 +502,5 @@ static void __exit ipt_recent_exit(void)
#endif
}
-module_init(ipt_recent_init);
-module_exit(ipt_recent_exit);
+module_init(ipt_recent_module_init);
+module_exit(ipt_recent_module_exit);
diff --git a/net/ipv4/netfilter/ipt_tos.c b/net/ipv4/netfilter/ipt_tos.c
index 5549c39..f3433cd 100644
--- a/net/ipv4/netfilter/ipt_tos.c
+++ b/net/ipv4/netfilter/ipt_tos.c
@@ -23,6 +23,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
diff --git a/net/ipv4/netfilter/ipt_ttl.c b/net/ipv4/netfilter/ipt_ttl.c
index a5243bd..de69ea6 100644
--- a/net/ipv4/netfilter/ipt_ttl.c
+++ b/net/ipv4/netfilter/ipt_ttl.c
@@ -22,7 +22,7 @@ MODULE_LICENSE("GPL");
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ void *data, int offset, unsigned int protoff, int *hotdrop)
{
const struct ipt_ttl_info *info = matchinfo;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index f63fb86..dc5e1ad 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -238,6 +238,7 @@ int do_match(struct ip6t_entry_match *m,
{
/* Stop iteration if it doesn't match */
if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
+ m->u.kernel.data,
offset, protoff, hotdrop))
return 1;
else
@@ -503,7 +504,8 @@ cleanup_match(struct ip6t_entry_match *m
return 1;
if (m->u.kernel.match->destroy)
- m->u.kernel.match->destroy(m->u.kernel.match, m->data);
+ m->u.kernel.match->destroy(m->u.kernel.match, m->data,
+ m->u.kernel.data);
module_put(m->u.kernel.match->me);
return 0;
}
@@ -548,15 +550,16 @@ check_match(struct ip6t_entry_match *m,
}
m->u.kernel.match = match;
- ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
- name, hookmask, ipv6->proto,
- ipv6->invflags & IP6T_INV_PROTO);
+ ret = xt_init_match(match, AF_INET6, m->u.match_size - sizeof(*m),
+ name, hookmask, ipv6->proto,
+ ipv6->invflags & IP6T_INV_PROTO);
if (ret)
goto err;
- if (m->u.kernel.match->checkentry
- && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
- hookmask)) {
+ m->u.kernel.data=NULL;
+ if (m->u.kernel.match->init
+ && !m->u.kernel.match->init(name, ipv6, match, m->data,
+ m->u.kernel.data, hookmask)) {
duprintf("ip_tables: check failed for `%s'.\n",
m->u.kernel.match->name);
ret = -EINVAL;
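Review bot: The IPv6 side keeps the helper name `check_match` (see the hunk header) while the IPv4 side in net/ipv4/netfilter/ip_tables.c renames the same helper to `init_match`, so the two tables now use different names for the same step; pick one for both. `m->u.kernel.data=NULL;` also drops the spaces around `=` that the surrounding code uses, `m->u.kernel.data = NULL;`. check_match continues outside the hunk.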
@@ -1318,6 +1321,7 @@ icmp6_match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -1347,10 +1351,11 @@ icmp6_match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */
static int
-icmp6_checkentry(const char *tablename,
+icmp6_init(const char *tablename,
const void *entry,
const struct xt_match *match,
void *matchinfo,
+ void *data,
unsigned int hook_mask)
{
const struct ip6t_icmp *icmpinfo = matchinfo;
@@ -1387,7 +1392,7 @@ static struct ip6t_match icmp6_matchstru
.name = "icmp6",
.match = &icmp6_match,
.matchsize = sizeof(struct ip6t_icmp),
- .checkentry = icmp6_checkentry,
+ .init = icmp6_init,
.proto = IPPROTO_ICMPV6,
.family = AF_INET6,
};
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index 4648664..616d250 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -46,6 +46,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -103,11 +104,12 @@ match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */
static int
-checkentry(const char *tablename,
- const void *entry,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *entry,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip6t_ah *ahinfo = matchinfo;
@@ -122,7 +124,7 @@ static struct ip6t_match ah_match = {
.name = "ah",
.match = match,
.matchsize = sizeof(struct ip6t_ah),
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index 4f6b84c..c4842e3 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -24,6 +24,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index cd22eaa..d272157 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -45,6 +45,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -120,11 +121,12 @@ match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */
static int
-checkentry(const char *tablename,
- const void *ip,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip6t_frag *fraginfo = matchinfo;
@@ -139,7 +141,7 @@ static struct ip6t_match frag_match = {
.name = "frag",
.match = match,
.matchsize = sizeof(struct ip6t_frag),
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index 3f25bab..0402cdc 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -52,6 +52,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -174,11 +175,12 @@ match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */
static int
-checkentry(const char *tablename,
- const void *entry,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *entry,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip6t_opts *optsinfo = matchinfo;
@@ -195,7 +197,7 @@ static struct xt_match opts_match[] = {
.family = AF_INET6,
.match = match,
.matchsize = sizeof(struct ip6t_opts),
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
.data = NEXTHDR_HOP,
},
@@ -204,7 +206,7 @@ static struct xt_match opts_match[] = {
.family = AF_INET6,
.match = match,
.matchsize = sizeof(struct ip6t_opts),
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
.data = NEXTHDR_DEST,
},
diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c
index 44a729e..e4a0a5f 100644
--- a/net/ipv6/netfilter/ip6t_hl.c
+++ b/net/ipv6/netfilter/ip6t_hl.c
@@ -21,7 +21,7 @@ MODULE_LICENSE("GPL");
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ void *data, int offset, unsigned int protoff, int *hotdrop)
{
const struct ip6t_hl_info *info = matchinfo;
const struct ipv6hdr *ip6h = skb->nh.ipv6h;
--git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 3093c39..cadf1dc 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -31,6 +31,7 @@ ipv6header_match(const struct sk_buff *s
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -124,11 +125,12 @@ ipv6header_match(const struct sk_buff *s
}
static int
-ipv6header_checkentry(const char *tablename,
- const void *ip,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+ipv6header_init(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip6t_ipv6header_info *info = matchinfo;
@@ -144,20 +146,20 @@ static struct ip6t_match ip6t_ipv6header
.name = "ipv6header",
.match = &ipv6header_match,
.matchsize = sizeof(struct ip6t_ipv6header_info),
- .checkentry = &ipv6header_checkentry,
+ .init = &ipv6header_init,
.destroy = NULL,
.me = THIS_MODULE,
};
-static int __init ipv6header_init(void)
+static int __init ipv6header_module_init(void)
{
return ip6t_register_match(&ip6t_ipv6header_match);
}
-static void __exit ipv6header_exit(void)
+static void __exit ipv6header_module_exit(void)
{
ip6t_unregister_match(&ip6t_ipv6header_match);
}
-module_init(ipv6header_init);
-module_exit(ipv6header_exit);
+module_init(ipv6header_module_init);
+module_exit(ipv6header_module_exit);
diff --git a/net/ipv6/netfilter/ip6t_owner.c b/net/ipv6/netfilter/ip6t_owner.c
index 4eb9bbc..2e86bfe 100644
--- a/net/ipv6/netfilter/ip6t_owner.c
+++ b/net/ipv6/netfilter/ip6t_owner.c
@@ -28,6 +28,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -53,11 +54,12 @@ match(const struct sk_buff *skb,
}
static int
-checkentry(const char *tablename,
- const void *ip,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip6t_owner_info *info = matchinfo;
@@ -74,7 +76,7 @@ static struct ip6t_match owner_match = {
.match = match,
.matchsize = sizeof(struct ip6t_owner_info),
.hooks = (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
};
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 54d7d14..53dc9f0 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -47,6 +47,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -198,11 +199,12 @@ match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */
static int
-checkentry(const char *tablename,
- const void *entry,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *entry,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip6t_rt *rtinfo = matchinfo;
@@ -225,7 +227,7 @@ static struct ip6t_match rt_match = {
.name = "rt",
.match = match,
.matchsize = sizeof(struct ip6t_rt),
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
};
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 8996584..d2ffe98 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -304,9 +304,9 @@ int xt_find_revision(int af, const char
}
EXPORT_SYMBOL_GPL(xt_find_revision);
-int xt_check_match(const struct xt_match *match, unsigned short family,
- unsigned int size, const char *table, unsigned int hook_mask,
- unsigned short proto, int inv_proto)
+int xt_init_match(const struct xt_match *match, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook_mask,
+ unsigned short proto, int inv_proto)
{
if (XT_ALIGN(match->matchsize) != size) {
printk("%s_tables: %s match: invalid size %Zu != %u\n",
@@ -331,7 +331,7 @@ int xt_check_match(const struct xt_match
}
return 0;
}
-EXPORT_SYMBOL_GPL(xt_check_match);
+EXPORT_SYMBOL_GPL(xt_init_match);
#ifdef CONFIG_COMPAT
int xt_compat_match_offset(struct xt_match *match)
--git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index 7db492d..047f499 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -21,6 +21,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protooff,
int *hotdrop)
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index dcc497e..759d8f3 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -46,6 +46,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -121,11 +122,12 @@ match(const struct sk_buff *skb,
return (what >= sinfo->count.from);
}
-static int check(const char *tablename,
- const void *ip,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+static int init(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct xt_connbytes_info *sinfo = matchinfo;
@@ -146,7 +148,7 @@ static struct xt_match xt_connbytes_matc
{
.name = "connbytes",
.family = AF_INET,
- .checkentry = check,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_connbytes_info),
.me = THIS_MODULE
@@ -154,7 +156,7 @@ static struct xt_match xt_connbytes_matc
{
.name = "connbytes",
.family = AF_INET6,
- .checkentry = check,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_connbytes_info),
.me = THIS_MODULE
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index a8f0305..5cd94a3 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -37,6 +37,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -51,11 +52,12 @@ match(const struct sk_buff *skb,
}
static int
-checkentry(const char *tablename,
- const void *ip,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct xt_connmark_info *cm = matchinfo;
@@ -74,7 +76,7 @@ checkentry(const char *tablename,
}
static void
-destroy(const struct xt_match *match, void *matchinfo)
+destroy(const struct xt_match *match, void *matchinfo, void *data)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
nf_ct_l3proto_module_put(match->family);
@@ -116,7 +118,7 @@ static struct xt_match xt_connmark_match
{
.name = "connmark",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.destroy = destroy,
.matchsize = sizeof(struct xt_connmark_info),
@@ -130,7 +132,7 @@ static struct xt_match xt_connmark_match
{
.name = "connmark",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.destroy = destroy,
.matchsize = sizeof(struct xt_connmark_info),
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 0ea501a..d06ce02 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -34,6 +34,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -130,6 +131,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -222,11 +224,12 @@ match(const struct sk_buff *skb,
#endif /* CONFIG_NF_IP_CONNTRACK */
static int
-checkentry(const char *tablename,
- const void *ip,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
if (nf_ct_l3proto_try_module_get(match->family) < 0) {
@@ -238,7 +241,8 @@ checkentry(const char *tablename,
return 1;
}
-static void destroy(const struct xt_match *match, void *matchinfo)
+static void destroy(const struct xt_match *match, void *matchinfo,
+ void *data)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
nf_ct_l3proto_module_put(match->family);
@@ -248,7 +252,7 @@ static void destroy(const struct xt_matc
static struct xt_match conntrack_match = {
.name = "conntrack",
.match = match,
- .checkentry = checkentry,
+ .init = init,
.destroy = destroy,
.matchsize = sizeof(struct xt_conntrack_info),
.family = AF_INET,
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 3e6cf43..27e0a2f 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -97,6 +97,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -127,11 +128,12 @@ match(const struct sk_buff *skb,
}
static int
-checkentry(const char *tablename,
- const void *inf,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *inf,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct xt_dccp_info *info = matchinfo;
@@ -144,7 +146,7 @@ static struct xt_match xt_dccp_match[] =
{
.name = "dccp",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_dccp_info),
.proto = IPPROTO_DCCP,
@@ -153,7 +155,7 @@ static struct xt_match xt_dccp_match[] =
{
.name = "dccp",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_dccp_info),
.proto = IPPROTO_DCCP,
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 26c7f4a..9a43d98 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -29,6 +29,7 @@ static int match(const struct sk_buff *s
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -44,6 +45,7 @@ static int match6(const struct sk_buff *
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -54,11 +56,12 @@ static int match6(const struct sk_buff *
return (dscp == info->dscp) ^ !!info->invert;
}
-static int checkentry(const char *tablename,
- const void *info,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+static int init(const char *tablename,
+ const void *info,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const u_int8_t dscp = ((struct xt_dscp_info *)matchinfo)->dscp;
@@ -74,7 +77,7 @@ static struct xt_match xt_dscp_match[] =
{
.name = "dscp",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_dscp_info),
.me = THIS_MODULE,
@@ -82,7 +85,7 @@ static struct xt_match xt_dscp_match[] =
{
.name = "dscp",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.match = match6,
.matchsize = sizeof(struct xt_dscp_info),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 7c95f14..dd3ebc8 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -48,6 +48,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -75,11 +76,12 @@ match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */
static int
-checkentry(const char *tablename,
- const void *ip_void,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *ip_void,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct xt_esp *espinfo = matchinfo;
@@ -95,7 +97,7 @@ static struct xt_match xt_esp_match[] =
{
.name = "esp",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_esp),
.proto = IPPROTO_ESP,
@@ -104,7 +106,7 @@ static struct xt_match xt_esp_match[] =
{
.name = "esp",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_esp),
.proto = IPPROTO_ESP,
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index a98de0b..100808e 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -439,6 +439,7 @@ hashlimit_match(const struct sk_buff *sk
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -493,11 +494,12 @@ hotdrop:
}
static int
-hashlimit_checkentry(const char *tablename,
- const void *inf,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+hashlimit_init(const char *tablename,
+ const void *inf,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct xt_hashlimit_info *r = matchinfo;
@@ -541,7 +543,7 @@ hashlimit_checkentry(const char *tablena
}
static void
-hashlimit_destroy(const struct xt_match *match, void *matchinfo)
+hashlimit_destroy(const struct xt_match *match, void *matchinfo, void *data)
{
struct xt_hashlimit_info *r = matchinfo;
@@ -583,7 +585,7 @@ static struct xt_match xt_hashlimit[] =
.compat_from_user = compat_from_user,
.compat_to_user = compat_to_user,
#endif
- .checkentry = hashlimit_checkentry,
+ .init = hashlimit_init,
.destroy = hashlimit_destroy,
.me = THIS_MODULE
},
@@ -597,7 +599,7 @@ static struct xt_match xt_hashlimit[] =
.compat_from_user = compat_from_user,
.compat_to_user = compat_to_user,
#endif
- .checkentry = hashlimit_checkentry,
+ .init = hashlimit_init,
.destroy = hashlimit_destroy,
.me = THIS_MODULE
},
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 5d7818b..de437e5 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -44,6 +44,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -92,6 +93,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -135,11 +137,12 @@ out_unlock:
}
#endif
-static int check(const char *tablename,
- const void *inf,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+static int init(const char *tablename,
+ const void *inf,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct xt_helper_info *info = matchinfo;
@@ -155,7 +158,7 @@ static int check(const char *tablename,
}
static void
-destroy(const struct xt_match *match, void *matchinfo)
+destroy(const struct xt_match *match, void *matchinfo, void *data)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
nf_ct_l3proto_module_put(match->family);
@@ -166,7 +169,7 @@ static struct xt_match xt_helper_match[]
{
.name = "helper",
.family = AF_INET,
- .checkentry = check,
+ .init = init,
.match = match,
.destroy = destroy,
.matchsize = sizeof(struct xt_helper_info),
@@ -175,7 +178,7 @@ static struct xt_match xt_helper_match[]
{
.name = "helper",
.family = AF_INET6,
- .checkentry = check,
+ .init = init,
.match = match,
.destroy = destroy,
.matchsize = sizeof(struct xt_helper_info),
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index 67fd30d..74053bc 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -26,6 +26,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -42,6 +43,7 @@ match6(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index fda7b7d..a073df7 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -5,8 +5,8 @@
* Alexey is a fucking genius?
* Rusty Russell (rusty@rustcorp.com.au). */
-/* (C) 1999 Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
- * (C) 1999 Hervé Eychenne <eychenne@info.enserb.u-bordeaux.fr>
+/* (C) 1999 J��e de Vivie <devivie@info.enserb.u-bordeaux.fr>
+ * (C) 1999 Herv�Eychenne <eychenne@info.enserb.u-bordeaux.fr>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
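Review bot: This hunk rewrites the 1999 copyright lines into mojibake (`J��e de Vivie`, `Herv�Eychenne`) and has nothing to do with the instance-data change; it should be dropped so the names stay `Jérôme de Vivie` and `Hervé Eychenne`. It looks like the file was re-saved under a different encoding before the diff was taken, so the other touched files are worth checking for the same corruption.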
@@ -70,6 +70,7 @@ ipt_limit_match(const struct sk_buff *sk
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -106,11 +107,12 @@ user2credits(u_int32_t user)
}
static int
-ipt_limit_checkentry(const char *tablename,
- const void *inf,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+ipt_limit_init(const char *tablename,
+ const void *inf,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct xt_rateinfo *r = matchinfo;
@@ -183,7 +185,7 @@ static struct xt_match xt_limit_match[]
{
.name = "limit",
.family = AF_INET,
- .checkentry = ipt_limit_checkentry,
+ .init = ipt_limit_init,
.match = ipt_limit_match,
.matchsize = sizeof(struct xt_rateinfo),
#ifdef CONFIG_COMPAT
@@ -196,7 +198,7 @@ static struct xt_match xt_limit_match[]
{
.name = "limit",
.family = AF_INET6,
- .checkentry = ipt_limit_checkentry,
+ .init = ipt_limit_init,
.match = ipt_limit_match,
.matchsize = sizeof(struct xt_rateinfo),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 425fc21..4b5eef2 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -29,6 +29,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index dfa1ee6..733e049 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -25,6 +25,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -35,11 +36,12 @@ match(const struct sk_buff *skb,
}
static int
-checkentry(const char *tablename,
- const void *entry,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *entry,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct xt_mark_info *minfo = matchinfo;
@@ -85,7 +87,7 @@ static struct xt_match xt_mark_match[] =
{
.name = "mark",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_mark_info),
#ifdef CONFIG_COMPAT
@@ -98,7 +100,7 @@ static struct xt_match xt_mark_match[] =
{
.name = "mark",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_mark_info),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 1602086..2619dfc 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -100,6 +100,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -131,6 +132,7 @@ match_v1(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -173,11 +175,12 @@ check(u_int16_t proto,
/* Called when user tries to insert an entry of this type. */
static int
-checkentry(const char *tablename,
- const void *info,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *info,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ipt_ip *ip = info;
const struct xt_multiport *multiinfo = matchinfo;
@@ -187,11 +190,12 @@ checkentry(const char *tablename,
}
static int
-checkentry_v1(const char *tablename,
- const void *info,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init_v1(const char *tablename,
+ const void *info,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ipt_ip *ip = info;
const struct xt_multiport_v1 *multiinfo = matchinfo;
@@ -201,11 +205,12 @@ checkentry_v1(const char *tablename,
}
static int
-checkentry6(const char *tablename,
- const void *info,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init6(const char *tablename,
+ const void *info,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip6t_ip6 *ip = info;
const struct xt_multiport *multiinfo = matchinfo;
@@ -215,11 +220,12 @@ checkentry6(const char *tablename,
}
static int
-checkentry6_v1(const char *tablename,
- const void *info,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init6_v1(const char *tablename,
+ const void *info,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip6t_ip6 *ip = info;
const struct xt_multiport_v1 *multiinfo = matchinfo;
@@ -233,7 +239,7 @@ static struct xt_match xt_multiport_matc
.name = "multiport",
.family = AF_INET,
.revision = 0,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_multiport),
.me = THIS_MODULE,
@@ -242,7 +248,7 @@ static struct xt_match xt_multiport_matc
.name = "multiport",
.family = AF_INET,
.revision = 1,
- .checkentry = checkentry_v1,
+ .init = init_v1,
.match = match_v1,
.matchsize = sizeof(struct xt_multiport_v1),
.me = THIS_MODULE,
@@ -251,7 +257,7 @@ static struct xt_match xt_multiport_matc
.name = "multiport",
.family = AF_INET6,
.revision = 0,
- .checkentry = checkentry6,
+ .init = init6,
.match = match,
.matchsize = sizeof(struct xt_multiport),
.me = THIS_MODULE,
@@ -260,7 +266,7 @@ static struct xt_match xt_multiport_matc
.name = "multiport",
.family = AF_INET6,
.revision = 1,
- .checkentry = checkentry6_v1,
+ .init = init6_v1,
.match = match_v1,
.matchsize = sizeof(struct xt_multiport_v1),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index fd8f954..9fb445c 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -29,6 +29,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -102,11 +103,12 @@ match_outdev:
}
static int
-checkentry(const char *tablename,
- const void *ip,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct xt_physdev_info *info = matchinfo;
@@ -135,7 +137,7 @@ static struct xt_match xt_physdev_match[
{
.name = "physdev",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_physdev_info),
.me = THIS_MODULE,
@@ -143,7 +145,7 @@ static struct xt_match xt_physdev_match[
{
.name = "physdev",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_physdev_info),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 16e7b08..1445de5 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -26,6 +26,7 @@ static int match(const struct sk_buff *s
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 46bde2b..b7c5020 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -113,6 +113,7 @@ static int match(const struct sk_buff *s
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -133,9 +134,9 @@ static int match(const struct sk_buff *s
return ret;
}
-static int checkentry(const char *tablename, const void *ip_void,
- const struct xt_match *match,
- void *matchinfo, unsigned int hook_mask)
+static int init(const char *tablename, const void *ip_void,
+ const struct xt_match *match,
+ void *matchinfo, void *data, unsigned int hook_mask)
{
struct xt_policy_info *info = matchinfo;
@@ -168,7 +169,7 @@ static struct xt_match xt_policy_match[]
{
.name = "policy",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_policy_info),
.me = THIS_MODULE,
@@ -176,25 +177,25 @@ static struct xt_match xt_policy_match[]
{
.name = "policy",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_policy_info),
.me = THIS_MODULE,
},
};
-static int __init init(void)
+static int __init xt_policy_init(void)
{
return xt_register_matches(xt_policy_match,
ARRAY_SIZE(xt_policy_match));
}
-static void __exit fini(void)
+static void __exit xt_policy_fini(void)
{
xt_unregister_matches(xt_policy_match, ARRAY_SIZE(xt_policy_match));
}
-module_init(init);
-module_exit(fini);
+module_init(xt_policy_init);
+module_exit(xt_policy_fini);
MODULE_ALIAS("ipt_policy");
MODULE_ALIAS("ip6t_policy");
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index b75fa2c..a715b83 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -20,7 +20,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ void *data, int offset, unsigned int protoff, int *hotdrop)
{
struct xt_quota_info *q = ((struct xt_quota_info *)matchinfo)->master;
int ret = q->flags & XT_QUOTA_INVERT ? 1 : 0;
@@ -39,9 +39,9 @@ match(const struct sk_buff *skb,
}
static int
-checkentry(const char *tablename, const void *entry,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename, const void *entry,
+ const struct xt_match *match, void *matchinfo,
+ void *data, unsigned int hook_mask)
{
struct xt_quota_info *q = (struct xt_quota_info *)matchinfo;
@@ -56,7 +56,7 @@ static struct xt_match xt_quota_match[]
{
.name = "quota",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_quota_info),
.me = THIS_MODULE
@@ -64,7 +64,7 @@ static struct xt_match xt_quota_match[]
{
.name = "quota",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_quota_info),
.me = THIS_MODULE
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index a80b7d1..32df3d9 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -29,6 +29,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 71bf036..ab57309 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -125,6 +125,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -159,11 +160,12 @@ match(const struct sk_buff *skb,
}
static int
-checkentry(const char *tablename,
- const void *inf,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *inf,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct xt_sctp_info *info = matchinfo;
@@ -181,7 +183,7 @@ static struct xt_match xt_sctp_match[] =
{
.name = "sctp",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_sctp_info),
.proto = IPPROTO_SCTP,
@@ -190,7 +192,7 @@ static struct xt_match xt_sctp_match[] =
{
.name = "sctp",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_sctp_info),
.proto = IPPROTO_SCTP,
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index d9010b1..2269cbf 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -26,6 +26,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -44,11 +45,12 @@ match(const struct sk_buff *skb,
return (sinfo->statemask & statebit);
}
-static int check(const char *tablename,
- const void *inf,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+static int init(const char *tablename,
+ const void *inf,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
if (nf_ct_l3proto_try_module_get(match->family) < 0) {
@@ -61,7 +63,7 @@ static int check(const char *tablename,
}
static void
-destroy(const struct xt_match *match, void *matchinfo)
+destroy(const struct xt_match *match, void *matchinfo, void *data)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
nf_ct_l3proto_module_put(match->family);
@@ -72,7 +74,7 @@ static struct xt_match xt_state_match[]
{
.name = "state",
.family = AF_INET,
- .checkentry = check,
+ .init = init,
.match = match,
.destroy = destroy,
.matchsize = sizeof(struct xt_state_info),
@@ -81,7 +83,7 @@ static struct xt_match xt_state_match[]
{
.name = "state",
.family = AF_INET6,
- .checkentry = check,
+ .init = init,
.match = match,
.destroy = destroy,
.matchsize = sizeof(struct xt_state_info),
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 091a9f8..ed3a303 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -28,7 +28,7 @@ static int
match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ void *data, int offset, unsigned int protoff, int *hotdrop)
{
struct xt_statistic_info *info = (struct xt_statistic_info *)matchinfo;
int ret = info->flags & XT_STATISTIC_INVERT ? 1 : 0;
@@ -53,9 +53,9 @@ match(const struct sk_buff *skb,
}
static int
-checkentry(const char *tablename, const void *entry,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+init(const char *tablename, const void *entry,
+ const struct xt_match *match, void *matchinfo,
+ void *data, unsigned int hook_mask)
{
struct xt_statistic_info *info = (struct xt_statistic_info *)matchinfo;
@@ -70,7 +70,7 @@ static struct xt_match xt_statistic_matc
{
.name = "statistic",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_statistic_info),
.me = THIS_MODULE,
@@ -78,7 +78,7 @@ static struct xt_match xt_statistic_matc
{
.name = "statistic",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.matchsize = sizeof(struct xt_statistic_info),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 4453252..253012e 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -26,6 +26,7 @@ static int match(const struct sk_buff *s
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -42,11 +43,12 @@ static int match(const struct sk_buff *s
#define STRING_TEXT_PRIV(m) ((struct xt_string_info *) m)
-static int checkentry(const char *tablename,
- const void *ip,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+static int init(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct xt_string_info *conf = matchinfo;
struct ts_config *ts_conf;
@@ -68,7 +70,8 @@ static int checkentry(const char *tablen
return 1;
}
-static void destroy(const struct xt_match *match, void *matchinfo)
+static void destroy(const struct xt_match *match, void *matchinfo,
+ void *data)
{
textsearch_destroy(STRING_TEXT_PRIV(matchinfo)->config);
}
@@ -77,7 +80,7 @@ static struct xt_match xt_string_match[]
{
.name = "string",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.match = match,
.destroy = destroy,
.matchsize = sizeof(struct xt_string_info),
@@ -86,8 +89,8 @@ static struct xt_match xt_string_match[]
{
.name = "string",
.family = AF_INET6,
- .checkentry = checkentry,
- .match = match,
+ .init = init,
+ .match = match,
.destroy = destroy,
.matchsize = sizeof(struct xt_string_info),
.me = THIS_MODULE
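Review bot: The `.match = match,` line is removed and re-added with no visible difference, which is presumably an indentation-only change to a line the patch does not otherwise touch; dropping it keeps the hunk limited to the `.checkentry` to `.init` swap. If the alignment fix is intended, it belongs in a separate whitespace cleanup.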
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index a3682fe..c5c5e77 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -29,6 +29,7 @@ match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 46414b5..090ae2f 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -76,6 +76,7 @@ tcp_match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -137,11 +138,12 @@ tcp_match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */
static int
-tcp_checkentry(const char *tablename,
- const void *info,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+xt_tcp_init(const char *tablename,
+ const void *info,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct xt_tcp *tcpinfo = matchinfo;
@@ -155,6 +157,7 @@ udp_match(const struct sk_buff *skb,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
+ void *data,
int offset,
unsigned int protoff,
int *hotdrop)
@@ -185,11 +188,12 @@ udp_match(const struct sk_buff *skb,
/* Called when user tries to insert an entry of this type. */
static int
-udp_checkentry(const char *tablename,
- const void *info,
- const struct xt_match *match,
- void *matchinfo,
- unsigned int hook_mask)
+xt_udp_init(const char *tablename,
+ const void *info,
+ const struct xt_match *match,
+ void *matchinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct xt_tcp *udpinfo = matchinfo;
@@ -201,7 +205,7 @@ static struct xt_match xt_tcpudp_match[]
{
.name = "tcp",
.family = AF_INET,
- .checkentry = tcp_checkentry,
+ .init = xt_tcp_init,
.match = tcp_match,
.matchsize = sizeof(struct xt_tcp),
.proto = IPPROTO_TCP,
@@ -210,7 +214,7 @@ static struct xt_match xt_tcpudp_match[]
{
.name = "tcp",
.family = AF_INET6,
- .checkentry = tcp_checkentry,
+ .init = xt_tcp_init,
.match = tcp_match,
.matchsize = sizeof(struct xt_tcp),
.proto = IPPROTO_TCP,
@@ -219,7 +223,7 @@ static struct xt_match xt_tcpudp_match[]
{
.name = "udp",
.family = AF_INET,
- .checkentry = udp_checkentry,
+ .init = xt_udp_init,
.match = udp_match,
.matchsize = sizeof(struct xt_udp),
.proto = IPPROTO_UDP,
@@ -228,7 +232,7 @@ static struct xt_match xt_tcpudp_match[]
{
.name = "udp",
.family = AF_INET6,
- .checkentry = udp_checkentry,
+ .init = xt_udp_init,
.match = udp_match,
.matchsize = sizeof(struct xt_udp),
.proto = IPPROTO_UDP,
@@ -237,7 +241,7 @@ static struct xt_match xt_tcpudp_match[]
{
.name = "udplite",
.family = AF_INET,
- .checkentry = udp_checkentry,
+ .init = xt_udp_init,
.match = udp_match,
.matchsize = sizeof(struct xt_udp),
.proto = IPPROTO_UDPLITE,
@@ -246,7 +250,7 @@ static struct xt_match xt_tcpudp_match[]
{
.name = "udplite",
.family = AF_INET6,
- .checkentry = udp_checkentry,
+ .init = xt_udp_init,
.match = udp_match,
.matchsize = sizeof(struct xt_udp),
.proto = IPPROTO_UDPLITE,
@@ -254,16 +258,16 @@ static struct xt_match xt_tcpudp_match[]
},
};
-static int __init xt_tcpudp_init(void)
+static int __init xt_tcpudp_module_init(void)
{
return xt_register_matches(xt_tcpudp_match,
ARRAY_SIZE(xt_tcpudp_match));
}
-static void __exit xt_tcpudp_fini(void)
+static void __exit xt_tcpudp_module_fini(void)
{
xt_unregister_matches(xt_tcpudp_match, ARRAY_SIZE(xt_tcpudp_match));
}
-module_init(xt_tcpudp_init);
-module_exit(xt_tcpudp_fini);
+module_init(xt_tcpudp_module_init);
+module_exit(xt_tcpudp_module_fini);
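Review bot: The rename of the module entry points to `xt_tcpudp_module_init`/`xt_tcpudp_module_fini` looks unnecessary: the new per-protocol hooks are `xt_tcp_init` and `xt_udp_init`, which do not collide with `xt_tcpudp_init`, unlike xt_policy.c where the plain `init` callback did clash with `static int __init init(void)`. Keeping the original names would reduce the churn in an already large patch; if the rename is deliberate, a line in the description saying why would help.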
--
1.4.3.3
* [PATCH 2/4][data-condition]: instance data support in targets' prototypes and structures
From: Massimiliano Hofer @ 2006-12-05 22:16 UTC (permalink / raw)
To: netfilter-devel; +Cc: Patrick McHardy
From cb9bace80424e5835778634778047806ac104710 Mon Sep 17 00:00:00 2001
From: Massimiliano Hofer <max@nucleus.it>
Date: Tue, 5 Dec 2006 22:51:12 +0100
Subject: [PATCH] [NETFILTER]: instance data support in targets' prototypes and structures
This patch adds support for instance specific data in targets.
Only prototype and structure changes are included here.
The real code will come in a separate patch.
Signed-off-by: Massimiliano Hofer <max@nucleus.it>
---
include/linux/netfilter/x_tables.h | 25 ++++++++++++++---------
net/ipv4/netfilter/arp_tables.c | 21 ++++++++++++-------
net/ipv4/netfilter/arpt_mangle.c | 8 +++---
net/ipv4/netfilter/ip_nat_rule.c | 32 +++++++++++++++++-------------
net/ipv4/netfilter/ip_tables.c | 37 ++++++++++++++++++++--------------
net/ipv4/netfilter/ipt_CLUSTERIP.c | 19 ++++++++++-------
net/ipv4/netfilter/ipt_ECN.c | 16 ++++++++------
net/ipv4/netfilter/ipt_LOG.c | 24 ++++++++++++----------
net/ipv4/netfilter/ipt_MASQUERADE.c | 16 ++++++++------
net/ipv4/netfilter/ipt_NETMAP.c | 16 ++++++++------
net/ipv4/netfilter/ipt_REDIRECT.c | 16 ++++++++------
net/ipv4/netfilter/ipt_REJECT.c | 16 ++++++++------
net/ipv4/netfilter/ipt_SAME.c | 18 +++++++++-------
net/ipv4/netfilter/ipt_TCPMSS.c | 24 ++++++++++++----------
net/ipv4/netfilter/ipt_TOS.c | 16 ++++++++------
net/ipv4/netfilter/ipt_TTL.c | 23 +++++++++++----------
net/ipv4/netfilter/ipt_ULOG.c | 24 ++++++++++++----------
net/ipv4/netfilter/nf_nat_rule.c | 32 +++++++++++++++++-------------
net/ipv6/netfilter/ip6_tables.c | 23 +++++++++++++--------
net/ipv6/netfilter/ip6t_HL.c | 24 ++++++++++++----------
net/ipv6/netfilter/ip6t_LOG.c | 24 ++++++++++++----------
net/ipv6/netfilter/ip6t_REJECT.c | 24 ++++++++++++----------
net/netfilter/x_tables.c | 8 +++---
net/netfilter/xt_CLASSIFY.c | 3 +-
net/netfilter/xt_CONNMARK.c | 18 +++++++++-------
net/netfilter/xt_CONNSECMARK.c | 12 +++++-----
net/netfilter/xt_DSCP.c | 21 +++++++++++--------
net/netfilter/xt_MARK.c | 34 ++++++++++++++++++--------------
net/netfilter/xt_NFLOG.c | 12 +++++-----
net/netfilter/xt_NFQUEUE.c | 3 +-
net/netfilter/xt_NOTRACK.c | 3 +-
net/netfilter/xt_SECMARK.c | 12 +++++-----
32 files changed, 338 insertions(+), 266 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 73147b4..17aa03b 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -46,6 +46,7 @@ struct xt_entry_target
/* Used inside the kernel */
struct xt_target *target;
+ void *data;
} kernel;
/* Total length */
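Review bot: The new `kernel.data` pointer lives in the same union as the userspace-visible `user` view of the entry, so it sits in the blob that the table dump paths copy back to userspace; unless every table's copy-out path scrubs it the way it already overwrites `kernel.target` with the target name, a kernel heap address becomes readable by any caller allowed to dump the table. The copy-out paths are not in view here, so this is inferred from the union layout; it applies equally to the match-side entry structure changed in patch 1/4. A comment on the field such as `/* kernel-only: must be overwritten before entries are copied to userspace */` plus an explicit clear in each copy-out path would close it.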
@@ -193,20 +194,23 @@ struct xt_target
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo);
+ const void *targinfo,
+ void *data);
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
/* Should return true or false. */
- int (*checkentry)(const char *tablename,
- const void *entry,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask);
+ int (*init)(const char *tablename,
+ const void *entry,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask);
/* Called when entry of this type deleted. */
- void (*destroy)(const struct xt_target *target, void *targinfo);
+ void (*destroy)(const struct xt_target *target, void *targinfo,
+ void *data);
/* Called when userspace align differs from kernel space one */
void (*compat_from_user)(void *dst, void *src);
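Review bot: The comment above the renamed `init` hook still only explains `hook_mask` and the true/false return, so the new `data` argument is undocumented in the one place every module author reads; the hunks in arp_tables.c, ip_tables.c and ip6_tables.c show the same `u.kernel.data` pointer is handed to `target()`, `init()` and `destroy()`, which is worth stating here. Suggest extending that comment with `/* data: per-entry instance storage (see datasize); the same pointer is passed to target() and destroy(). In this patch callers still pass NULL. */`. Naming the hook `init` also collides with the `*_init` names modules already use for their module_init entry points, which is why ipt_LOG.c, ipt_TCPMSS.c, ipt_TTL.c, ipt_ULOG.c, ip6t_HL.c and ip6t_LOG.c all have to rename those functions in this same patch; a name such as `init_entry` would keep that churn out of otherwise untouched modules.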
@@ -216,6 +220,7 @@ struct xt_target
struct module *me;
char *table;
+ unsigned int datasize;
unsigned int targetsize;
unsigned int compatsize;
unsigned int hooks;
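Review bot: `datasize` is added to struct xt_target with no comment, and nothing in the visible hunks reads it, so a reader cannot tell whether it counts bytes, whether 0 means "no instance data", or which side allocates and frees the buffer it sizes. Suggest `unsigned int datasize; /* bytes of per-entry instance data (u.kernel.data); 0 = none */` next to the field, with the allocation/ownership rule spelled out once the follow-up patch that uses it lands. Until then the field is dead weight that every `.datasize`-less initializer silently zeroes.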
@@ -282,9 +287,9 @@ extern void xt_unregister_matches(struct
extern int xt_init_match(const struct xt_match *match, unsigned short family,
unsigned int size, const char *table, unsigned int hook,
unsigned short proto, int inv_proto);
-extern int xt_check_target(const struct xt_target *target, unsigned short family,
- unsigned int size, const char *table, unsigned int hook,
- unsigned short proto, int inv_proto);
+extern int xt_init_target(const struct xt_target *target, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook,
+ unsigned short proto, int inv_proto);
extern int xt_register_table(struct xt_table *table,
struct xt_table_info *bootstrap,
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 413c2d0..683179f 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -206,7 +206,8 @@ static unsigned int arpt_error(struct sk
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
if (net_ratelimit())
printk("arp_tables: error: '%s'\n", (char *)targinfo);
@@ -298,7 +299,8 @@ unsigned int arpt_do_table(struct sk_buf
in, out,
hook,
t->u.kernel.target,
- t->data);
+ t->data,
+ t->u.kernel.data);
/* Target might have changed stuff. */
arp = (*pskb)->nh.arph;
@@ -483,19 +485,21 @@ static inline int check_entry(struct arp
}
t->u.kernel.target = target;
- ret = xt_check_target(target, NF_ARP, t->u.target_size - sizeof(*t),
- name, e->comefrom, 0, 0);
+ ret = xt_init_target(target, NF_ARP, t->u.target_size - sizeof(*t),
+ name, e->comefrom, 0, 0);
if (ret)
goto err;
+ t->u.kernel.data=NULL;
if (t->u.kernel.target == &arpt_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
goto err;
}
- } else if (t->u.kernel.target->checkentry
- && !t->u.kernel.target->checkentry(name, e, target, t->data,
- e->comefrom)) {
+ } else if (t->u.kernel.target->init
+ && !t->u.kernel.target->init(name, e, target, t->data,
+ t->u.kernel.data,
+ e->comefrom)) {
duprintf("arp_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
ret = -EINVAL;
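Review bot: `t->u.kernel.data=NULL;` is assigned only after `xt_init_target()` has succeeded, so on the `goto err` path the field keeps whatever bytes were copied in from userspace — if, as the existing layout suggests, `kernel` shares a union with the user-supplied `user` arm of struct xt_entry_target, that is attacker-chosen content sitting in a pointer field; moving the assignment above the `xt_init_target()` call (`t->u.kernel.data = NULL;` right after `t->u.kernel.target = target;`) closes that window at no cost and also stops the assignment from clobbering anything `xt_init_target()` may later allocate, which its new name implies. The same ordering appears in ip_tables.c check_entry and compat_copy_entry_from_user and in ip6_tables.c check_entry. As a style point, this hunk and the ip6_tables.c one write `data=NULL` without spaces while ip_tables.c writes `data = NULL`; the kernel style is the spaced form. The rest of check_entry, including the `err:` label, lies outside the hunk.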
@@ -561,7 +565,8 @@ static inline int cleanup_entry(struct a
t = arpt_get_target(e);
if (t->u.kernel.target->destroy)
- t->u.kernel.target->destroy(t->u.kernel.target, t->data);
+ t->u.kernel.target->destroy(t->u.kernel.target, t->data,
+ t->u.kernel.data);
module_put(t->u.kernel.target->me);
return 0;
}
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index d12b1df..49ae77a 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -11,7 +11,7 @@ static unsigned int
target(struct sk_buff **pskb,
const struct net_device *in, const struct net_device *out,
unsigned int hooknum, const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo, void *data)
{
const struct arpt_mangle *mangle = targinfo;
struct arphdr *arp;
@@ -66,8 +66,8 @@ target(struct sk_buff **pskb,
}
static int
-checkentry(const char *tablename, const void *e, const struct xt_target *target,
- void *targinfo, unsigned int hook_mask)
+init(const char *tablename, const void *e, const struct xt_target *target,
+ void *targinfo, void *data, unsigned int hook_mask)
{
const struct arpt_mangle *mangle = targinfo;
@@ -85,7 +85,7 @@ static struct arpt_target arpt_mangle_re
.name = "mangle",
.target = target,
.targetsize = sizeof(struct arpt_mangle),
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ip_nat_rule.c b/net/ipv4/netfilter/ip_nat_rule.c
index a176aa3..8c24c1d 100644
--- a/net/ipv4/netfilter/ip_nat_rule.c
+++ b/net/ipv4/netfilter/ip_nat_rule.c
@@ -100,7 +100,8 @@ static unsigned int ipt_snat_target(stru
const struct net_device *out,
unsigned int hooknum,
const struct ipt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
struct ip_conntrack *ct;
enum ip_conntrack_info ctinfo;
@@ -142,7 +143,8 @@ static unsigned int ipt_dnat_target(stru
const struct net_device *out,
unsigned int hooknum,
const struct ipt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
struct ip_conntrack *ct;
enum ip_conntrack_info ctinfo;
@@ -164,11 +166,12 @@ static unsigned int ipt_dnat_target(stru
return ip_nat_setup_info(ct, &mr->range[0], hooknum);
}
-static int ipt_snat_checkentry(const char *tablename,
- const void *entry,
- const struct ipt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+static int ipt_snat_init(const char *tablename,
+ const void *entry,
+ const struct ipt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct ip_nat_multi_range_compat *mr = targinfo;
@@ -180,11 +183,12 @@ static int ipt_snat_checkentry(const cha
return 1;
}
-static int ipt_dnat_checkentry(const char *tablename,
- const void *entry,
- const struct ipt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+static int ipt_dnat_init(const char *tablename,
+ const void *entry,
+ const struct ipt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct ip_nat_multi_range_compat *mr = targinfo;
@@ -263,7 +267,7 @@ static struct ipt_target ipt_snat_reg =
.targetsize = sizeof(struct ip_nat_multi_range_compat),
.table = "nat",
.hooks = 1 << NF_IP_POST_ROUTING,
- .checkentry = ipt_snat_checkentry,
+ .init = ipt_snat_init,
};
static struct ipt_target ipt_dnat_reg = {
@@ -272,7 +276,7 @@ static struct ipt_target ipt_dnat_reg =
.targetsize = sizeof(struct ip_nat_multi_range_compat),
.table = "nat",
.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT),
- .checkentry = ipt_dnat_checkentry,
+ .init = ipt_dnat_init,
};
int __init ip_nat_rule_init(void)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 75fae96..4077577 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -180,7 +180,8 @@ ipt_error(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
if (net_ratelimit())
printk("ip_tables: error: `%s'\n", (char *)targinfo);
@@ -307,7 +308,8 @@ ipt_do_table(struct sk_buff **pskb,
in, out,
hook,
t->u.kernel.target,
- t->data);
+ t->data,
+ t->u.kernel.data);
#ifdef CONFIG_NETFILTER_DEBUG
if (((struct ipt_entry *)table_base)->comefrom
@@ -573,20 +575,22 @@ check_entry(struct ipt_entry *e, const c
}
t->u.kernel.target = target;
- ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
- name, e->comefrom, e->ip.proto,
- e->ip.invflags & IPT_INV_PROTO);
+ ret = xt_init_target(target, AF_INET, t->u.target_size - sizeof(*t),
+ name, e->comefrom, e->ip.proto,
+ e->ip.invflags & IPT_INV_PROTO);
if (ret)
goto err;
+ t->u.kernel.data = NULL;
if (t->u.kernel.target == &ipt_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
goto err;
}
- } else if (t->u.kernel.target->checkentry
- && !t->u.kernel.target->checkentry(name, e, target, t->data,
- e->comefrom)) {
+ } else if (t->u.kernel.target->init
+ && !t->u.kernel.target->init(name, e, target, t->data,
+ t->u.kernel.data,
+ e->comefrom)) {
duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
ret = -EINVAL;
@@ -657,7 +661,8 @@ cleanup_entry(struct ipt_entry *e, unsig
IPT_MATCH_ITERATE(e, cleanup_match, NULL);
t = ipt_get_target(e);
if (t->u.kernel.target->destroy)
- t->u.kernel.target->destroy(t->u.kernel.target, t->data);
+ t->u.kernel.target->destroy(t->u.kernel.target, t->data,
+ t->u.kernel.data);
module_put(t->u.kernel.target->me);
return 0;
}
@@ -1589,19 +1594,21 @@ static int compat_copy_entry_from_user(s
t = ipt_get_target(de);
target = t->u.kernel.target;
- ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
- name, e->comefrom, e->ip.proto,
- e->ip.invflags & IPT_INV_PROTO);
+ ret = xt_init_target(target, AF_INET, t->u.target_size - sizeof(*t),
+ name, e->comefrom, e->ip.proto,
+ e->ip.invflags & IPT_INV_PROTO);
if (ret)
goto err;
ret = -EINVAL;
+ t->u.kernel.data = NULL;
if (t->u.kernel.target == &ipt_standard_target) {
if (!standard_check(t, *size))
goto err;
- } else if (t->u.kernel.target->checkentry
- && !t->u.kernel.target->checkentry(name, de, target,
- t->data, de->comefrom)) {
+ } else if (t->u.kernel.target->init
+ && !t->u.kernel.target->init(name, de, target,
+ t->data, t->u.kernel.data,
+ de->comefrom)) {
duprintf("ip_tables: compat: check failed for `%s'.\n",
t->u.kernel.target->name);
goto err;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 0983650..4e9817d 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -305,7 +305,8 @@ target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct ipt_clusterip_tgt_info *cipinfo = targinfo;
enum ip_conntrack_info ctinfo;
@@ -371,11 +372,12 @@ target(struct sk_buff **pskb,
}
static int
-checkentry(const char *tablename,
- const void *e_void,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *e_void,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct ipt_clusterip_tgt_info *cipinfo = targinfo;
const struct ipt_entry *e = e_void;
@@ -451,7 +453,8 @@ checkentry(const char *tablename,
}
/* drop reference count of cluster config when rule is deleted */
-static void destroy(const struct xt_target *target, void *targinfo)
+static void destroy(const struct xt_target *target, void *targinfo,
+ void *data)
{
struct ipt_clusterip_tgt_info *cipinfo = targinfo;
@@ -466,7 +469,7 @@ static struct ipt_target clusterip_tgt =
.name = "CLUSTERIP",
.target = target,
.targetsize = sizeof(struct ipt_clusterip_tgt_info),
- .checkentry = checkentry,
+ .init = init,
.destroy = destroy,
.me = THIS_MODULE
};
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index b55d670..7cd17f9 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -82,7 +82,8 @@ target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct ipt_ECN_info *einfo = targinfo;
@@ -99,11 +100,12 @@ target(struct sk_buff **pskb,
}
static int
-checkentry(const char *tablename,
- const void *e_void,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *e_void,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
const struct ipt_entry *e = e_void;
@@ -132,7 +134,7 @@ static struct ipt_target ipt_ecn_reg = {
.target = target,
.targetsize = sizeof(struct ipt_ECN_info),
.table = "mangle",
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index c96de16..14e7801 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -421,7 +421,8 @@ ipt_log_target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct ipt_log_info *loginfo = targinfo;
struct nf_loginfo li;
@@ -435,11 +436,12 @@ ipt_log_target(struct sk_buff **pskb,
return IPT_CONTINUE;
}
-static int ipt_log_checkentry(const char *tablename,
- const void *e,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+static int ipt_log_init(const char *tablename,
+ const void *e,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ipt_log_info *loginfo = targinfo;
@@ -459,7 +461,7 @@ static struct ipt_target ipt_log_reg = {
.name = "LOG",
.target = ipt_log_target,
.targetsize = sizeof(struct ipt_log_info),
- .checkentry = ipt_log_checkentry,
+ .init = ipt_log_init,
.me = THIS_MODULE,
};
@@ -469,7 +471,7 @@ static struct nf_logger ipt_log_logger =
.me = THIS_MODULE,
};
-static int __init ipt_log_init(void)
+static int __init ipt_log_module_init(void)
{
if (ipt_register_target(&ipt_log_reg))
return -EINVAL;
@@ -483,11 +485,11 @@ static int __init ipt_log_init(void)
return 0;
}
-static void __exit ipt_log_fini(void)
+static void __exit ipt_log_module_fini(void)
{
nf_log_unregister_logger(&ipt_log_logger);
ipt_unregister_target(&ipt_log_reg);
}
-module_init(ipt_log_init);
-module_exit(ipt_log_fini);
+module_init(ipt_log_module_init);
+module_exit(ipt_log_module_fini);
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 28b9233..51fed4c 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -42,11 +42,12 @@ static DEFINE_RWLOCK(masq_lock);
/* FIXME: Multiple targets. --RR */
static int
-masquerade_check(const char *tablename,
- const void *e,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+masquerade_init(const char *tablename,
+ const void *e,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip_nat_multi_range_compat *mr = targinfo;
@@ -67,7 +68,8 @@ masquerade_target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
#ifdef CONFIG_NF_NAT_NEEDED
struct nf_conn_nat *nat;
@@ -193,7 +195,7 @@ static struct ipt_target masquerade = {
.targetsize = sizeof(struct ip_nat_multi_range_compat),
.table = "nat",
.hooks = 1 << NF_IP_POST_ROUTING,
- .checkentry = masquerade_check,
+ .init = masquerade_init,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 9390e90..9cb56ea 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -33,11 +33,12 @@ MODULE_DESCRIPTION("iptables 1:1 NAT map
#endif
static int
-check(const char *tablename,
- const void *e,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *e,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip_nat_multi_range_compat *mr = targinfo;
@@ -58,7 +59,8 @@ target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
struct ip_conntrack *ct;
enum ip_conntrack_info ctinfo;
@@ -95,7 +97,7 @@ static struct ipt_target target_module =
.table = "nat",
.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) |
(1 << NF_IP_LOCAL_OUT),
- .checkentry = check,
+ .init = init,
.me = THIS_MODULE
};
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 462eceb..74b6116 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -36,11 +36,12 @@ MODULE_DESCRIPTION("iptables REDIRECT ta
/* FIXME: Take multiple ranges --RR */
static int
-redirect_check(const char *tablename,
- const void *e,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+redirect_init(const char *tablename,
+ const void *e,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip_nat_multi_range_compat *mr = targinfo;
@@ -61,7 +62,8 @@ redirect_target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
struct ip_conntrack *ct;
enum ip_conntrack_info ctinfo;
@@ -110,7 +112,7 @@ static struct ipt_target redirect_reg =
.targetsize = sizeof(struct ip_nat_multi_range_compat),
.table = "nat",
.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT),
- .checkentry = redirect_check,
+ .init = redirect_init,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index f0319e5..64d6198 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -171,7 +171,8 @@ static unsigned int reject(struct sk_buf
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct ipt_reject_info *reject = targinfo;
@@ -215,11 +216,12 @@ static unsigned int reject(struct sk_buf
return NF_DROP;
}
-static int check(const char *tablename,
- const void *e_void,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+static int init(const char *tablename,
+ const void *e_void,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ipt_reject_info *rejinfo = targinfo;
const struct ipt_entry *e = e_void;
@@ -245,7 +247,7 @@ static struct ipt_target ipt_reject_reg
.table = "filter",
.hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
(1 << NF_IP_LOCAL_OUT),
- .checkentry = check,
+ .init = init,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_SAME.c b/net/ipv4/netfilter/ipt_SAME.c
index 3dcf294..938e954 100644
--- a/net/ipv4/netfilter/ipt_SAME.c
+++ b/net/ipv4/netfilter/ipt_SAME.c
@@ -52,11 +52,12 @@ MODULE_DESCRIPTION("iptables special SNA
#endif
static int
-same_check(const char *tablename,
- const void *e,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+same_init(const char *tablename,
+ const void *e,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
unsigned int count, countess, rangeip, index = 0;
struct ipt_same_info *mr = targinfo;
@@ -119,7 +120,7 @@ same_check(const char *tablename,
}
static void
-same_destroy(const struct xt_target *target, void *targinfo)
+same_destroy(const struct xt_target *target, void *targinfo, void *data)
{
struct ipt_same_info *mr = targinfo;
@@ -135,7 +136,8 @@ same_target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
struct ip_conntrack *ct;
enum ip_conntrack_info ctinfo;
@@ -192,7 +194,7 @@ static struct ipt_target same_reg = {
.targetsize = sizeof(struct ipt_same_info),
.table = "nat",
.hooks = (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_POST_ROUTING),
- .checkentry = same_check,
+ .init = same_init,
.destroy = same_destroy,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_TCPMSS.c b/net/ipv4/netfilter/ipt_TCPMSS.c
index 93eb5c3..70f70ac 100644
--- a/net/ipv4/netfilter/ipt_TCPMSS.c
+++ b/net/ipv4/netfilter/ipt_TCPMSS.c
@@ -37,7 +37,8 @@ ipt_tcpmss_target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
struct tcphdr *tcph;
@@ -160,11 +161,12 @@ static inline int find_syn_match(const s
/* Must specify -p tcp --syn/--tcp-flags SYN */
static int
-ipt_tcpmss_checkentry(const char *tablename,
- const void *e_void,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+ipt_tcpmss_init(const char *tablename,
+ const void *e_void,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
const struct ipt_entry *e = e_void;
@@ -189,19 +191,19 @@ static struct ipt_target ipt_tcpmss_reg
.target = ipt_tcpmss_target,
.targetsize = sizeof(struct ipt_tcpmss_info),
.proto = IPPROTO_TCP,
- .checkentry = ipt_tcpmss_checkentry,
+ .init = ipt_tcpmss_init,
.me = THIS_MODULE,
};
-static int __init ipt_tcpmss_init(void)
+static int __init ipt_tcpmss_module_init(void)
{
return ipt_register_target(&ipt_tcpmss_reg);
}
-static void __exit ipt_tcpmss_fini(void)
+static void __exit ipt_tcpmss_module_fini(void)
{
ipt_unregister_target(&ipt_tcpmss_reg);
}
-module_init(ipt_tcpmss_init);
-module_exit(ipt_tcpmss_fini);
+module_init(ipt_tcpmss_module_init);
+module_exit(ipt_tcpmss_module_fini);
diff --git a/net/ipv4/netfilter/ipt_TOS.c b/net/ipv4/netfilter/ipt_TOS.c
index 18e74ac..cb54627 100644
--- a/net/ipv4/netfilter/ipt_TOS.c
+++ b/net/ipv4/netfilter/ipt_TOS.c
@@ -26,7 +26,8 @@ target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct ipt_tos_target_info *tosinfo = targinfo;
struct iphdr *iph = (*pskb)->nh.iph;
@@ -44,11 +45,12 @@ target(struct sk_buff **pskb,
}
static int
-checkentry(const char *tablename,
- const void *e_void,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *e_void,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos;
@@ -68,7 +70,7 @@ static struct ipt_target ipt_tos_reg = {
.target = target,
.targetsize = sizeof(struct ipt_tos_target_info),
.table = "mangle",
- .checkentry = checkentry,
+ .init = init,
.me = THIS_MODULE,
};
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
index fffe5ca..ff8dd4b 100644
--- a/net/ipv4/netfilter/ipt_TTL.c
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -23,7 +23,7 @@ static unsigned int
ipt_ttl_target(struct sk_buff **pskb,
const struct net_device *in, const struct net_device *out,
unsigned int hooknum, const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo, void *data)
{
struct iphdr *iph;
const struct ipt_TTL_info *info = targinfo;
@@ -62,11 +62,12 @@ ipt_ttl_target(struct sk_buff **pskb,
return IPT_CONTINUE;
}
-static int ipt_ttl_checkentry(const char *tablename,
- const void *e,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+static int ipt_ttl_init(const char *tablename,
+ const void *e,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct ipt_TTL_info *info = targinfo;
@@ -85,19 +86,19 @@ static struct ipt_target ipt_TTL = {
.target = ipt_ttl_target,
.targetsize = sizeof(struct ipt_TTL_info),
.table = "mangle",
- .checkentry = ipt_ttl_checkentry,
+ .init = ipt_ttl_init,
.me = THIS_MODULE,
};
-static int __init ipt_ttl_init(void)
+static int __init ipt_ttl_module_init(void)
{
return ipt_register_target(&ipt_TTL);
}
-static void __exit ipt_ttl_fini(void)
+static void __exit ipt_ttl_module_fini(void)
{
ipt_unregister_target(&ipt_TTL);
}
-module_init(ipt_ttl_init);
-module_exit(ipt_ttl_fini);
+module_init(ipt_ttl_module_init);
+module_exit(ipt_ttl_module_fini);
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index dbd3478..fc9bae1 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -308,7 +308,8 @@ static unsigned int ipt_ulog_target(stru
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
@@ -342,11 +343,12 @@ static void ipt_logfn(unsigned int pf,
ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
}
-static int ipt_ulog_checkentry(const char *tablename,
- const void *e,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hookmask)
+static int ipt_ulog_init(const char *tablename,
+ const void *e,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hookmask)
{
struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
@@ -367,7 +369,7 @@ static struct ipt_target ipt_ulog_reg =
.name = "ULOG",
.target = ipt_ulog_target,
.targetsize = sizeof(struct ipt_ulog_info),
- .checkentry = ipt_ulog_checkentry,
+ .init = ipt_ulog_init,
.me = THIS_MODULE,
};
@@ -377,7 +379,7 @@ static struct nf_logger ipt_ulog_logger
.me = THIS_MODULE,
};
-static int __init ipt_ulog_init(void)
+static int __init ipt_ulog_module_init(void)
{
int i;
@@ -410,7 +412,7 @@ static int __init ipt_ulog_init(void)
return 0;
}
-static void __exit ipt_ulog_fini(void)
+static void __exit ipt_ulog_module_fini(void)
{
ulog_buff_t *ub;
int i;
@@ -438,5 +440,5 @@ static void __exit ipt_ulog_fini(void)
}
-module_init(ipt_ulog_init);
-module_exit(ipt_ulog_fini);
+module_init(ipt_ulog_module_init);
+module_exit(ipt_ulog_module_fini);
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index b868ee0..08c5006 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -133,7 +133,8 @@ static unsigned int ipt_snat_target(stru
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
@@ -175,7 +176,8 @@ static unsigned int ipt_dnat_target(stru
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
@@ -197,11 +199,12 @@ static unsigned int ipt_dnat_target(stru
return nf_nat_setup_info(ct, &mr->range[0], hooknum);
}
-static int ipt_snat_checkentry(const char *tablename,
- const void *entry,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+static int ipt_snat_init(const char *tablename,
+ const void *entry,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct nf_nat_multi_range_compat *mr = targinfo;
@@ -213,11 +216,12 @@ static int ipt_snat_checkentry(const cha
return 1;
}
-static int ipt_dnat_checkentry(const char *tablename,
- const void *entry,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+static int ipt_dnat_init(const char *tablename,
+ const void *entry,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct nf_nat_multi_range_compat *mr = targinfo;
@@ -296,7 +300,7 @@ static struct ipt_target ipt_snat_reg =
.targetsize = sizeof(struct nf_nat_multi_range_compat),
.table = "nat",
.hooks = 1 << NF_IP_POST_ROUTING,
- .checkentry = ipt_snat_checkentry,
+ .init = ipt_snat_init,
.family = AF_INET,
};
@@ -306,7 +310,7 @@ static struct xt_target ipt_dnat_reg = {
.targetsize = sizeof(struct nf_nat_multi_range_compat),
.table = "nat",
.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT),
- .checkentry = ipt_dnat_checkentry,
+ .init = ipt_dnat_init,
.family = AF_INET,
};
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index dc5e1ad..f14fe12 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -219,7 +219,8 @@ ip6t_error(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
if (net_ratelimit())
printk("ip6_tables: error: `%s'\n", (char *)targinfo);
@@ -347,7 +348,8 @@ ip6t_do_table(struct sk_buff **pskb,
in, out,
hook,
t->u.kernel.target,
- t->data);
+ t->data,
+ t->u.kernel.data);
#ifdef CONFIG_NETFILTER_DEBUG
if (((struct ip6t_entry *)table_base)->comefrom
@@ -613,20 +615,22 @@ check_entry(struct ip6t_entry *e, const
}
t->u.kernel.target = target;
- ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
- name, e->comefrom, e->ipv6.proto,
- e->ipv6.invflags & IP6T_INV_PROTO);
+ ret = xt_init_target(target, AF_INET6, t->u.target_size - sizeof(*t),
+ name, e->comefrom, e->ipv6.proto,
+ e->ipv6.invflags & IP6T_INV_PROTO);
if (ret)
goto err;
+ t->u.kernel.data=NULL;
if (t->u.kernel.target == &ip6t_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
goto err;
}
- } else if (t->u.kernel.target->checkentry
- && !t->u.kernel.target->checkentry(name, e, target, t->data,
- e->comefrom)) {
+ } else if (t->u.kernel.target->init
+ && !t->u.kernel.target->init(name, e, target, t->data,
+ t->u.kernel.data,
+ e->comefrom)) {
duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
ret = -EINVAL;
@@ -697,7 +701,8 @@ cleanup_entry(struct ip6t_entry *e, unsi
IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
t = ip6t_get_target(e);
if (t->u.kernel.target->destroy)
- t->u.kernel.target->destroy(t->u.kernel.target, t->data);
+ t->u.kernel.target->destroy(t->u.kernel.target, t->data,
+ t->u.kernel.data);
module_put(t->u.kernel.target->me);
return 0;
}
diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c
index 435750f..796c0d1 100644
--- a/net/ipv6/netfilter/ip6t_HL.c
+++ b/net/ipv6/netfilter/ip6t_HL.c
@@ -22,7 +22,8 @@ static unsigned int ip6t_hl_target(struc
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
struct ipv6hdr *ip6h;
const struct ip6t_HL_info *info = targinfo;
@@ -58,11 +59,12 @@ static unsigned int ip6t_hl_target(struc
return IP6T_CONTINUE;
}
-static int ip6t_hl_checkentry(const char *tablename,
- const void *entry,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+static int ip6t_hl_init(const char *tablename,
+ const void *entry,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct ip6t_HL_info *info = targinfo;
@@ -84,19 +86,19 @@ static struct ip6t_target ip6t_HL = {
.target = ip6t_hl_target,
.targetsize = sizeof(struct ip6t_HL_info),
.table = "mangle",
- .checkentry = ip6t_hl_checkentry,
+ .init = ip6t_hl_init,
.me = THIS_MODULE
};
-static int __init ip6t_hl_init(void)
+static int __init ip6t_hl_module_init(void)
{
return ip6t_register_target(&ip6t_HL);
}
-static void __exit ip6t_hl_fini(void)
+static void __exit ip6t_hl_module_fini(void)
{
ip6t_unregister_target(&ip6t_HL);
}
-module_init(ip6t_hl_init);
-module_exit(ip6t_hl_fini);
+module_init(ip6t_hl_module_init);
+module_exit(ip6t_hl_module_fini);
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 33b1faa..d50f666 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -431,7 +431,8 @@ ip6t_log_target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct ip6t_log_info *loginfo = targinfo;
struct nf_loginfo li;
@@ -446,11 +447,12 @@ ip6t_log_target(struct sk_buff **pskb,
}
-static int ip6t_log_checkentry(const char *tablename,
- const void *entry,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+static int ip6t_log_init(const char *tablename,
+ const void *entry,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip6t_log_info *loginfo = targinfo;
@@ -470,7 +472,7 @@ static struct ip6t_target ip6t_log_reg =
.name = "LOG",
.target = ip6t_log_target,
.targetsize = sizeof(struct ip6t_log_info),
- .checkentry = ip6t_log_checkentry,
+ .init = ip6t_log_init,
.me = THIS_MODULE,
};
@@ -480,7 +482,7 @@ static struct nf_logger ip6t_logger = {
.me = THIS_MODULE,
};
-static int __init ip6t_log_init(void)
+static int __init ip6t_log_module_init(void)
{
if (ip6t_register_target(&ip6t_log_reg))
return -EINVAL;
@@ -494,11 +496,11 @@ static int __init ip6t_log_init(void)
return 0;
}
-static void __exit ip6t_log_fini(void)
+static void __exit ip6t_log_module_fini(void)
{
nf_log_unregister_logger(&ip6t_logger);
ip6t_unregister_target(&ip6t_log_reg);
}
-module_init(ip6t_log_init);
-module_exit(ip6t_log_fini);
+module_init(ip6t_log_module_init);
+module_exit(ip6t_log_module_fini);
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 311eae8..9c3b209 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -176,11 +176,12 @@ send_unreach(struct sk_buff *skb_in, uns
}
static unsigned int reject6_target(struct sk_buff **pskb,
- const struct net_device *in,
- const struct net_device *out,
- unsigned int hooknum,
- const struct xt_target *target,
- const void *targinfo)
+ const struct net_device *in,
+ const struct net_device *out,
+ unsigned int hooknum,
+ const struct xt_target *target,
+ const void *targinfo,
+ void *data)
{
const struct ip6t_reject_info *reject = targinfo;
@@ -219,11 +220,12 @@ static unsigned int reject6_target(struc
return NF_DROP;
}
-static int check(const char *tablename,
- const void *entry,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+static int init(const char *tablename,
+ const void *entry,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
const struct ip6t_reject_info *rejinfo = targinfo;
const struct ip6t_entry *e = entry;
@@ -249,7 +251,7 @@ static struct ip6t_target ip6t_reject_re
.table = "filter",
.hooks = (1 << NF_IP6_LOCAL_IN) | (1 << NF_IP6_FORWARD) |
(1 << NF_IP6_LOCAL_OUT),
- .checkentry = check,
+ .init = init,
.me = THIS_MODULE
};
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index d2ffe98..679c430 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -394,9 +394,9 @@ int xt_compat_match_to_user(struct xt_en
EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
#endif /* CONFIG_COMPAT */
-int xt_check_target(const struct xt_target *target, unsigned short family,
- unsigned int size, const char *table, unsigned int hook_mask,
- unsigned short proto, int inv_proto)
+int xt_init_target(const struct xt_target *target, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook_mask,
+ unsigned short proto, int inv_proto)
{
if (XT_ALIGN(target->targetsize) != size) {
printk("%s_tables: %s target: invalid size %Zu != %u\n",
@@ -421,7 +421,7 @@ int xt_check_target(const struct xt_targ
}
return 0;
}
-EXPORT_SYMBOL_GPL(xt_check_target);
+EXPORT_SYMBOL_GPL(xt_init_target);
#ifdef CONFIG_COMPAT
int xt_compat_target_offset(struct xt_target *target)
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 50de965..62fac2e 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -29,7 +29,8 @@ target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct xt_classify_target_info *clinfo = targinfo;
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index b554823..d869fd8 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -41,7 +41,8 @@ target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct xt_connmark_target_info *markinfo = targinfo;
u_int32_t diff;
@@ -88,11 +89,12 @@ target(struct sk_buff **pskb,
}
static int
-checkentry(const char *tablename,
- const void *entry,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+init(const char *tablename,
+ const void *entry,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct xt_connmark_target_info *matchinfo = targinfo;
@@ -146,7 +148,7 @@ static struct xt_target xt_connmark_targ
{
.name = "CONNMARK",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.target = target,
.targetsize = sizeof(struct xt_connmark_target_info),
#ifdef CONFIG_COMPAT
@@ -159,7 +161,7 @@ static struct xt_target xt_connmark_targ
{
.name = "CONNMARK",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.target = target,
.targetsize = sizeof(struct xt_connmark_target_info),
.me = THIS_MODULE
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 4673862..f598fdc 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -66,7 +66,7 @@ static void secmark_restore(struct sk_bu
static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
const struct net_device *out, unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo, void *data)
{
struct sk_buff *skb = *pskb;
const struct xt_connsecmark_target_info *info = targinfo;
@@ -87,9 +87,9 @@ static unsigned int target(struct sk_buf
return XT_CONTINUE;
}
-static int checkentry(const char *tablename, const void *entry,
- const struct xt_target *target, void *targinfo,
- unsigned int hook_mask)
+static int init(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ void *data, unsigned int hook_mask)
{
struct xt_connsecmark_target_info *info = targinfo;
@@ -110,7 +110,7 @@ static struct xt_target xt_connsecmark_t
{
.name = "CONNSECMARK",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.target = target,
.targetsize = sizeof(struct xt_connsecmark_target_info),
.table = "mangle",
@@ -119,7 +119,7 @@ static struct xt_target xt_connsecmark_t
{
.name = "CONNSECMARK",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.target = target,
.targetsize = sizeof(struct xt_connsecmark_target_info),
.table = "mangle",
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index a7cc75a..8525c9e 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -32,7 +32,8 @@ static unsigned int target(struct sk_buf
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct xt_DSCP_info *dinfo = targinfo;
u_int8_t dscp = ipv4_get_dsfield((*pskb)->nh.iph) >> XT_DSCP_SHIFT;
@@ -53,7 +54,8 @@ static unsigned int target6(struct sk_bu
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct xt_DSCP_info *dinfo = targinfo;
u_int8_t dscp = ipv6_get_dsfield((*pskb)->nh.ipv6h) >> XT_DSCP_SHIFT;
@@ -68,11 +70,12 @@ static unsigned int target6(struct sk_bu
return XT_CONTINUE;
}
-static int checkentry(const char *tablename,
- const void *e_void,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+static int init(const char *tablename,
+ const void *e_void,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
const u_int8_t dscp = ((struct xt_DSCP_info *)targinfo)->dscp;
@@ -87,7 +90,7 @@ static struct xt_target xt_dscp_target[]
{
.name = "DSCP",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.target = target,
.targetsize = sizeof(struct xt_DSCP_info),
.table = "mangle",
@@ -96,7 +99,7 @@ static struct xt_target xt_dscp_target[]
{
.name = "DSCP",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.target = target6,
.targetsize = sizeof(struct xt_DSCP_info),
.table = "mangle",
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 0b48547..c2a7775 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -27,7 +27,8 @@ target_v0(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct xt_mark_target_info *markinfo = targinfo;
@@ -43,7 +44,8 @@ target_v1(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct xt_mark_target_info_v1 *markinfo = targinfo;
int mark = 0;
@@ -70,11 +72,12 @@ target_v1(struct sk_buff **pskb,
static int
-checkentry_v0(const char *tablename,
- const void *entry,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+init_v0(const char *tablename,
+ const void *entry,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct xt_mark_target_info *markinfo = targinfo;
@@ -86,11 +89,12 @@ checkentry_v0(const char *tablename,
}
static int
-checkentry_v1(const char *tablename,
- const void *entry,
- const struct xt_target *target,
- void *targinfo,
- unsigned int hook_mask)
+init_v1(const char *tablename,
+ const void *entry,
+ const struct xt_target *target,
+ void *targinfo,
+ void *data,
+ unsigned int hook_mask)
{
struct xt_mark_target_info_v1 *markinfo = targinfo;
@@ -142,7 +146,7 @@ static struct xt_target xt_mark_target[]
.name = "MARK",
.family = AF_INET,
.revision = 0,
- .checkentry = checkentry_v0,
+ .init = init_v0,
.target = target_v0,
.targetsize = sizeof(struct xt_mark_target_info),
.table = "mangle",
@@ -152,7 +156,7 @@ static struct xt_target xt_mark_target[]
.name = "MARK",
.family = AF_INET,
.revision = 1,
- .checkentry = checkentry_v1,
+ .init = init_v1,
.target = target_v1,
.targetsize = sizeof(struct xt_mark_target_info_v1),
#ifdef CONFIG_COMPAT
@@ -167,7 +171,7 @@ static struct xt_target xt_mark_target[]
.name = "MARK",
.family = AF_INET6,
.revision = 0,
- .checkentry = checkentry_v0,
+ .init = init_v0,
.target = target_v0,
.targetsize = sizeof(struct xt_mark_target_info),
.table = "mangle",
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index 901ed7a..9aafb39 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -23,7 +23,7 @@ static unsigned int
nflog_target(struct sk_buff **pskb,
const struct net_device *in, const struct net_device *out,
unsigned int hooknum, const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo, void *data)
{
const struct xt_nflog_info *info = targinfo;
struct nf_loginfo li;
@@ -39,9 +39,9 @@ nflog_target(struct sk_buff **pskb,
}
static int
-nflog_checkentry(const char *tablename, const void *entry,
- const struct xt_target *target, void *targetinfo,
- unsigned int hookmask)
+nflog_init(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targetinfo,
+ void *data, unsigned int hookmask)
{
struct xt_nflog_info *info = targetinfo;
@@ -56,7 +56,7 @@ static struct xt_target xt_nflog_target[
{
.name = "NFLOG",
.family = AF_INET,
- .checkentry = nflog_checkentry,
+ .init = nflog_init,
.target = nflog_target,
.targetsize = sizeof(struct xt_nflog_info),
.me = THIS_MODULE,
@@ -64,7 +64,7 @@ static struct xt_target xt_nflog_target[
{
.name = "NFLOG",
.family = AF_INET6,
- .checkentry = nflog_checkentry,
+ .init = nflog_init,
.target = nflog_target,
.targetsize = sizeof(struct xt_nflog_info),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 39e1175..efd7d95 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -29,7 +29,8 @@ target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
const struct xt_NFQ_info *tinfo = targinfo;
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index 6d00dca..c6274d7 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -16,7 +16,8 @@ target(struct sk_buff **pskb,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo,
+ void *data)
{
/* Previously seen (loopback)? Ignore. */
if ((*pskb)->nfct != NULL)
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index add7521..f7f698b 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -31,7 +31,7 @@ static u8 mode;
static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
const struct net_device *out, unsigned int hooknum,
const struct xt_target *target,
- const void *targinfo)
+ const void *targinfo, void *data)
{
u32 secmark = 0;
const struct xt_secmark_target_info *info = targinfo;
@@ -83,9 +83,9 @@ static int checkentry_selinux(struct xt_
return 1;
}
-static int checkentry(const char *tablename, const void *entry,
- const struct xt_target *target, void *targinfo,
- unsigned int hook_mask)
+static int init(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ void *data, unsigned int hook_mask)
{
struct xt_secmark_target_info *info = targinfo;
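Review bot: Renaming `checkentry` to `init` leaves the helper `checkentry_selinux`, visible in this hunk's header, on the old naming, so xt_SECMARK.c now mixes both conventions in adjacent functions. If the rename is meant to track the new `.init` callback name, `checkentry_selinux` should become `init_selinux` in the same patch; the body of `init` continues past the hunk.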
@@ -115,7 +115,7 @@ static struct xt_target xt_secmark_targe
{
.name = "SECMARK",
.family = AF_INET,
- .checkentry = checkentry,
+ .init = init,
.target = target,
.targetsize = sizeof(struct xt_secmark_target_info),
.table = "mangle",
@@ -124,7 +124,7 @@ static struct xt_target xt_secmark_targe
{
.name = "SECMARK",
.family = AF_INET6,
- .checkentry = checkentry,
+ .init = init,
.target = target,
.targetsize = sizeof(struct xt_secmark_target_info),
.table = "mangle",
--
1.4.3.3
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH 3/4][data-condition]: instance data support in netfilter core code
From: Massimiliano Hofer @ 2006-12-05 22:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: Patrick McHardy
From b0ff8190113c29f440ee420c238836492c7e23ff Mon Sep 17 00:00:00 2001
From: Massimiliano Hofer <max@nucleus.it>
Date: Tue, 5 Dec 2006 22:57:21 +0100
Subject: [PATCH] [NETFILTER]: instance data support in netfilter core code
This patch adds the relevant code to support instance specific data in matches and targets.
Some code shuffling happened and I used the opportunity to move some common code
from ip_tables.c, arp_tables.c and ip6_tables.c to x_tables.c.
Signed-off-by: Massimiliano Hofer <max@nucleus.it>
---
include/linux/netfilter/x_tables.h | 16 +++--
net/ipv4/netfilter/arp_tables.c | 30 +++-------
net/ipv4/netfilter/ip_tables.c | 84 ++++++++------------------
net/ipv6/netfilter/ip6_tables.c | 75 ++++++------------------
net/netfilter/x_tables.c | 113 +++++++++++++++++++++++++++++++++---
5 files changed, 168 insertions(+), 150 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 17aa03b..8903d35 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -284,12 +284,16 @@ extern void xt_unregister_match(struct x
extern int xt_register_matches(struct xt_match *match, unsigned int n);
extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
-extern int xt_init_match(const struct xt_match *match, unsigned short family,
- unsigned int size, const char *table, unsigned int hook,
- unsigned short proto, int inv_proto);
-extern int xt_init_target(const struct xt_target *target, unsigned short family,
- unsigned int size, const char *table, unsigned int hook,
- unsigned short proto, int inv_proto);
+extern int xt_init_match(struct xt_entry_match *m,
+ unsigned short family, const char *table,
+ unsigned int hook_mask, const void *ip,
+ unsigned short proto, int inv_proto);
+extern void xt_destroy_match(struct xt_entry_match *m);
+extern int xt_init_target(struct xt_entry_target *t,
+ unsigned short family, const char *table,
+ unsigned int hook_mask, unsigned short proto,
+ int inv_proto);
+extern void xt_destroy_target(struct xt_entry_target *m);
extern int xt_register_table(struct xt_table *table,
struct xt_table_info *bootstrap,
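Review bot: The new `xt_destroy_target` prototype names its parameter `m`, while the definition in x_tables.c and the sibling `xt_destroy_match` use `t` for a target and `m` for a match; write `extern void xt_destroy_target(struct xt_entry_target *t);`. This header is also where the ownership contract the two init helpers introduce should be stated — which of them releases the module reference and instance data on failure, and whether `xt_destroy_*` may safely be called on an entry more than once — because the callers in ip_tables.c, ip6_tables.c and arp_tables.c now depend on that and, as far as the .c side of this patch shows, the two functions do not behave the same way.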
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 683179f..dce28d9 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -456,11 +456,10 @@ static inline int standard_check(const s
static struct arpt_target arpt_standard_target;
-static inline int check_entry(struct arpt_entry *e, const char *name, unsigned int size,
- unsigned int *i)
+static inline int init_entry(struct arpt_entry *e, const char *name, unsigned int size,
+ unsigned int *i)
{
struct arpt_entry_target *t;
- struct arpt_target *target;
int ret;
if (!arp_checkentry(&e->arp)) {
@@ -475,30 +474,20 @@ static inline int check_entry(struct arp
if (e->target_offset + t->u.target_size > e->next_offset)
return -EINVAL;
- target = try_then_request_module(xt_find_target(NF_ARP, t->u.user.name,
- t->u.user.revision),
- "arpt_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
- duprintf("check_entry: `%s' not found\n", t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
- goto out;
- }
- t->u.kernel.target = target;
-
- ret = xt_init_target(target, NF_ARP, t->u.target_size - sizeof(*t),
+ ret = xt_init_target(t, NF_ARP,
name, e->comefrom, 0, 0);
+
if (ret)
goto err;
- t->u.kernel.data=NULL;
if (t->u.kernel.target == &arpt_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
goto err;
}
} else if (t->u.kernel.target->init
- && !t->u.kernel.target->init(name, e, target, t->data,
- t->u.kernel.data,
+ && !t->u.kernel.target->init(name, e, t->u.kernel.target,
+ t->data, t->u.kernel.data,
e->comefrom)) {
duprintf("arp_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
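Review bot: The added empty `+` line between the `xt_init_target(t, NF_ARP, ...)` call and its `if (ret)` check is a stray blank that the ip_tables.c and ip6_tables.c counterparts in this patch do not have; drop it. Otherwise the hunk matches the other two table files; init_entry's body continues past the hunk.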
@@ -509,8 +498,7 @@ static inline int check_entry(struct arp
(*i)++;
return 0;
err:
- module_put(t->u.kernel.target->me);
-out:
+ xt_destroy_target(t);
return ret;
}
@@ -567,7 +555,7 @@ static inline int cleanup_entry(struct a
if (t->u.kernel.target->destroy)
t->u.kernel.target->destroy(t->u.kernel.target, t->data,
t->u.kernel.data);
- module_put(t->u.kernel.target->me);
+ xt_destroy_target(t);
return 0;
}
@@ -635,7 +623,7 @@ static int translate_table(const char *n
/* Finally, each sanity check must pass */
i = 0;
ret = ARPT_ENTRY_ITERATE(entry0, newinfo->size,
- check_entry, name, size, &i);
+ init_entry, name, size, &i);
if (ret != 0)
goto cleanup;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 4077577..98a2e28 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -469,7 +469,7 @@ cleanup_match(struct ipt_entry_match *m,
if (m->u.kernel.match->destroy)
m->u.kernel.match->destroy(m->u.kernel.match, m->data,
m->u.kernel.data);
- module_put(m->u.kernel.match->me);
+ xt_destroy_match(m);
return 0;
}
@@ -501,49 +501,24 @@ init_match(struct ipt_entry_match *m,
unsigned int hookmask,
unsigned int *i)
{
- struct ipt_match *match;
int ret;
- match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
- m->u.user.revision),
- "ipt_%s", m->u.user.name);
- if (IS_ERR(match) || !match) {
- duprintf("check_match: `%s' not found\n", m->u.user.name);
- return match ? PTR_ERR(match) : -ENOENT;
- }
- m->u.kernel.match = match;
-
- ret = xt_init_match(match, AF_INET, m->u.match_size - sizeof(*m),
- name, hookmask, ip->proto,
+ ret = xt_init_match(m, AF_INET,
+ name, hookmask, ip, ip->proto,
ip->invflags & IPT_INV_PROTO);
- if (ret)
- goto err;
- m->u.kernel.data = NULL;
- if (m->u.kernel.match->init
- && !m->u.kernel.match->init(name, ip, match, m->data,
- m->u.kernel.data, hookmask)) {
- duprintf("ip_tables: check failed for `%s'.\n",
- m->u.kernel.match->name);
- ret = -EINVAL;
- goto err;
- }
-
- (*i)++;
- return 0;
-err:
- module_put(m->u.kernel.match->me);
+ if(!ret)
+ (*i)++;
return ret;
}
static struct ipt_target ipt_standard_target;
static inline int
-check_entry(struct ipt_entry *e, const char *name, unsigned int size,
- unsigned int *i)
+init_entry(struct ipt_entry *e, const char *name, unsigned int size,
+ unsigned int *i)
{
struct ipt_entry_target *t;
- struct ipt_target *target;
int ret;
unsigned int j;
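Review bot: `if(!ret)` in the rewritten init_match body is missing the space after `if` that kernel style requires; write `if (!ret)`. The same spacing slip appears in `if(!ret)` in ip6_tables.c init_match, `if(ret)` in compat_copy_match_from_user and `int ret=0;` in x_tables.c xt_init_match within this patch, so fix them together.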
@@ -564,32 +539,20 @@ check_entry(struct ipt_entry *e, const c
ret = -EINVAL;
if (e->target_offset + t->u.target_size > e->next_offset)
goto cleanup_matches;
- target = try_then_request_module(xt_find_target(AF_INET,
- t->u.user.name,
- t->u.user.revision),
- "ipt_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
- duprintf("check_entry: `%s' not found\n", t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
- goto cleanup_matches;
- }
- t->u.kernel.target = target;
-
- ret = xt_init_target(target, AF_INET, t->u.target_size - sizeof(*t),
+ ret = xt_init_target(t, AF_INET,
name, e->comefrom, e->ip.proto,
e->ip.invflags & IPT_INV_PROTO);
if (ret)
goto err;
- t->u.kernel.data = NULL;
if (t->u.kernel.target == &ipt_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
goto err;
}
} else if (t->u.kernel.target->init
- && !t->u.kernel.target->init(name, e, target, t->data,
- t->u.kernel.data,
+ && !t->u.kernel.target->init(name, e, t->u.kernel.target,
+ t->data, t->u.kernel.data,
e->comefrom)) {
duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
@@ -600,7 +563,7 @@ check_entry(struct ipt_entry *e, const c
(*i)++;
return 0;
err:
- module_put(t->u.kernel.target->me);
+ xt_destroy_target(t);
cleanup_matches:
IPT_MATCH_ITERATE(e, cleanup_match, &j);
return ret;
@@ -663,7 +626,7 @@ cleanup_entry(struct ipt_entry *e, unsig
if (t->u.kernel.target->destroy)
t->u.kernel.target->destroy(t->u.kernel.target, t->data,
t->u.kernel.data);
- module_put(t->u.kernel.target->me);
+ xt_destroy_target(t);
return 0;
}
@@ -729,7 +692,7 @@ translate_table(const char *name,
/* Finally, each sanity check must pass */
i = 0;
ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
- check_entry, name, size, &i);
+ init_entry, name, size, &i);
if (ret != 0)
goto cleanup;
@@ -1499,7 +1462,7 @@ check_compat_entry_size_and_hooks(struct
t->u.user.revision),
"ipt_%s", t->u.user.name);
if (IS_ERR(target) || !target) {
- duprintf("check_entry: `%s' not found\n", t->u.user.name);
+ duprintf("init_entry: `%s' not found\n", t->u.user.name);
ret = target ? PTR_ERR(target) : -ENOENT;
goto cleanup_matches;
}
@@ -1545,17 +1508,22 @@ static inline int compat_copy_match_from
match = m->u.kernel.match;
xt_compat_match_from_user(m, dstptr, size);
- ret = xt_init_match(match, AF_INET, dm->u.match_size - sizeof(*dm),
- name, hookmask, ip->proto,
+ ret = xt_init_match(m, AF_INET, name, hookmask,
+ ip, ip->proto,
ip->invflags & IPT_INV_PROTO);
- m->u.kernel.data = NULL;
- if (!ret && m->u.kernel.match->init
+ if(ret)
+ goto err;
+ if (m->u.kernel.match->init
&& !m->u.kernel.match->init(name, ip, match, dm->data,
m->u.kernel.data, hookmask)) {
duprintf("ip_tables: check failed for `%s'.\n",
m->u.kernel.match->name);
ret = -EINVAL;
+ goto err;
}
+ return 0;
+err:
+ xt_destroy_match(m);
return ret;
}
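Review bot: compat_copy_match_from_user still calls `m->u.kernel.match->init` itself right after `xt_init_match`, but in this patch xt_init_match already invokes the match's init callback, so a compat entry's match is initialised twice and any match that takes a reference or allocates in its init will leak or double-register. The added `goto err` / `xt_destroy_match(m)` path is also unsafe: xt_init_match already calls xt_destroy_match on every failure after the lookup, and because xt_destroy_match does not clear `u.kernel.data`, the second call here frees that buffer again and drops an extra module reference. Everything after the xt_init_match call can be reduced to `return ret;`. Separately, if the compat size check still resolves the match with try_then_request_module the way check_compat_entry_size_and_hooks still does for the target in this file, the lookup that xt_init_match now performs takes a second module reference that nothing releases; that should be resolved at the lookup rather than in the cleanup path.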
@@ -1578,7 +1546,7 @@ static int compat_copy_entry_from_user(s
ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size,
name, &de->ip, de->comefrom);
if (ret)
- goto err;
+ return ret;
de->target_offset = e->target_offset - (origsize - *size);
t = ipt_get_target(e);
target = t->u.kernel.target;
@@ -1594,14 +1562,13 @@ static int compat_copy_entry_from_user(s
t = ipt_get_target(de);
target = t->u.kernel.target;
- ret = xt_init_target(target, AF_INET, t->u.target_size - sizeof(*t),
+ ret = xt_init_target(t, AF_INET,
name, e->comefrom, e->ip.proto,
e->ip.invflags & IPT_INV_PROTO);
if (ret)
goto err;
ret = -EINVAL;
- t->u.kernel.data = NULL;
if (t->u.kernel.target == &ipt_standard_target) {
if (!standard_check(t, *size))
goto err;
@@ -1615,6 +1582,7 @@ static int compat_copy_entry_from_user(s
}
ret = 0;
err:
+ xt_destroy_target(t);
return ret;
}
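Review bot: The `xt_destroy_target(t)` added under the `err:` label also runs on the success path, because `ret = 0;` falls straight into the label, so every compat target has its freshly kzalloc'd `u.kernel.data` freed and its module reference dropped while the installed entry still points at both — the target callback would later run with a dangling `data` pointer for any target with a non-zero datasize. Replace `ret = 0;` with `return 0;` so the destroy only executes on failure. The unconditional put may have been meant to balance the second module reference that the lookup inside xt_init_target now takes (check_compat_entry_size_and_hooks still resolves the target itself earlier in this file), but that needs fixing at the lookup, not by freeing the instance data.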
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index f14fe12..055fec0 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -508,7 +508,7 @@ cleanup_match(struct ip6t_entry_match *m
if (m->u.kernel.match->destroy)
m->u.kernel.match->destroy(m->u.kernel.match, m->data,
m->u.kernel.data);
- module_put(m->u.kernel.match->me);
+ xt_destroy_match(m);
return 0;
}
@@ -534,55 +534,30 @@ standard_check(const struct ip6t_entry_t
}
static inline int
-check_match(struct ip6t_entry_match *m,
- const char *name,
- const struct ip6t_ip6 *ipv6,
- unsigned int hookmask,
- unsigned int *i)
+init_match(struct ip6t_entry_match *m,
+ const char *name,
+ const struct ip6t_ip6 *ipv6,
+ unsigned int hookmask,
+ unsigned int *i)
{
- struct ip6t_match *match;
int ret;
- match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
- m->u.user.revision),
- "ip6t_%s", m->u.user.name);
- if (IS_ERR(match) || !match) {
- duprintf("check_match: `%s' not found\n", m->u.user.name);
- return match ? PTR_ERR(match) : -ENOENT;
- }
- m->u.kernel.match = match;
-
- ret = xt_init_match(match, AF_INET6, m->u.match_size - sizeof(*m),
- name, hookmask, ipv6->proto,
+ ret = xt_init_match(m, AF_INET6,
+ name, hookmask, ipv6, ipv6->proto,
ipv6->invflags & IP6T_INV_PROTO);
- if (ret)
- goto err;
-
- m->u.kernel.data=NULL;
- if (m->u.kernel.match->init
- && !m->u.kernel.match->init(name, ipv6, match, m->data,
- m->u.kernel.data, hookmask)) {
- duprintf("ip_tables: check failed for `%s'.\n",
- m->u.kernel.match->name);
- ret = -EINVAL;
- goto err;
- }
- (*i)++;
+ if(!ret)
+ (*i)++;
return 0;
-err:
- module_put(m->u.kernel.match->me);
- return ret;
}
static struct ip6t_target ip6t_standard_target;
static inline int
-check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
- unsigned int *i)
+init_entry(struct ip6t_entry *e, const char *name, unsigned int size,
+ unsigned int *i)
{
struct ip6t_entry_target *t;
- struct ip6t_target *target;
int ret;
unsigned int j;
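Review bot: The rewritten init_match in ip6_tables.c ends with `return 0;` regardless of `ret`, so a match that fails lookup, size/table/hook validation or its own init callback is silently accepted and the table is loaded with an entry whose `u.kernel.match` is NULL (the not-found path in xt_init_match sets it so) or whose module reference xt_init_match's error path has already dropped; the next packet through that rule dereferences it. The ip_tables.c version of this function in the same patch correctly ends with `return ret;` — do the same here. Because `(*i)++` is skipped on failure, the failed match would also never be visited by cleanup_match, so nothing downstream catches the mistake.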
@@ -596,7 +571,7 @@ check_entry(struct ip6t_entry *e, const
return -EINVAL;
j = 0;
- ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6, e->comefrom, &j);
+ ret = IP6T_MATCH_ITERATE(e, init_match, name, &e->ipv6, e->comefrom, &j);
if (ret != 0)
goto cleanup_matches;
@@ -604,32 +579,20 @@ check_entry(struct ip6t_entry *e, const
ret = -EINVAL;
if (e->target_offset + t->u.target_size > e->next_offset)
goto cleanup_matches;
- target = try_then_request_module(xt_find_target(AF_INET6,
- t->u.user.name,
- t->u.user.revision),
- "ip6t_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
- duprintf("check_entry: `%s' not found\n", t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
- goto cleanup_matches;
- }
- t->u.kernel.target = target;
-
- ret = xt_init_target(target, AF_INET6, t->u.target_size - sizeof(*t),
+ ret = xt_init_target(t, AF_INET6,
name, e->comefrom, e->ipv6.proto,
e->ipv6.invflags & IP6T_INV_PROTO);
if (ret)
goto err;
- t->u.kernel.data=NULL;
if (t->u.kernel.target == &ip6t_standard_target) {
if (!standard_check(t, size)) {
ret = -EINVAL;
goto err;
}
} else if (t->u.kernel.target->init
- && !t->u.kernel.target->init(name, e, target, t->data,
- t->u.kernel.data,
+ && !t->u.kernel.target->init(name, e, t->u.kernel.target,
+ t->data, t->u.kernel.data,
e->comefrom)) {
duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name);
@@ -640,7 +603,7 @@ check_entry(struct ip6t_entry *e, const
(*i)++;
return 0;
err:
- module_put(t->u.kernel.target->me);
+ xt_destroy_target(t);
cleanup_matches:
IP6T_MATCH_ITERATE(e, cleanup_match, &j);
return ret;
@@ -703,7 +666,7 @@ cleanup_entry(struct ip6t_entry *e, unsi
if (t->u.kernel.target->destroy)
t->u.kernel.target->destroy(t->u.kernel.target, t->data,
t->u.kernel.data);
- module_put(t->u.kernel.target->me);
+ xt_destroy_target(t);
return 0;
}
@@ -769,7 +732,7 @@ translate_table(const char *name,
/* Finally, each sanity check must pass */
i = 0;
ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
- check_entry, name, size, &i);
+ init_entry, name, size, &i);
if (ret != 0)
goto cleanup;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 679c430..7f2b16c 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -304,35 +304,91 @@ int xt_find_revision(int af, const char
}
EXPORT_SYMBOL_GPL(xt_find_revision);
-int xt_init_match(const struct xt_match *match, unsigned short family,
- unsigned int size, const char *table, unsigned int hook_mask,
+int xt_init_match(struct xt_entry_match *m,
+ unsigned short family, const char *table,
+ unsigned int hook_mask, const void *ip,
unsigned short proto, int inv_proto)
{
+ struct xt_match *match;
+ unsigned int size = (m->u.match_size - sizeof(*m));
+ int ret=0;
+
+ match = try_then_request_module(xt_find_match(family, m->u.user.name,
+ m->u.user.revision),
+ "%st_%s",
+ xt_prefix[family], m->u.user.name);
+ if (IS_ERR(match) || !match) {
+ duprintf("init_match: `%s' not found\n", m->u.user.name);
+ m->u.kernel.match = NULL;
+ m->u.kernel.data = NULL;
+ return match ? PTR_ERR(match) : -ENOENT;
+ }
+ m->u.kernel.match = match;
+ m->u.kernel.data = NULL;
+
if (XT_ALIGN(match->matchsize) != size) {
printk("%s_tables: %s match: invalid size %Zu != %u\n",
xt_prefix[family], match->name,
XT_ALIGN(match->matchsize), size);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err;
}
if (match->table && strcmp(match->table, table)) {
printk("%s_tables: %s match: only valid in %s table, not %s\n",
xt_prefix[family], match->name, match->table, table);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err;
}
if (match->hooks && (hook_mask & ~match->hooks) != 0) {
printk("%s_tables: %s match: bad hook_mask %u\n",
xt_prefix[family], match->name, hook_mask);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err;
}
if (match->proto && (match->proto != proto || inv_proto)) {
printk("%s_tables: %s match: only valid for protocol %u\n",
xt_prefix[family], match->name, match->proto);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err;
}
+
+ if (match->datasize) {
+ m->u.kernel.data = kzalloc(match->datasize,
+ GFP_KERNEL);
+ if (!m->u.kernel.data) {
+ printk("%s_tables: %s match: "
+ "unable to allocate memory\n",
+ xt_prefix[family], match->name);
+ ret = -ENOMEM;
+ goto err;
+ }
+ }
+
+ if (m->u.kernel.match->init
+ && !m->u.kernel.match->init(table, ip, m->u.kernel.match, m->data,
+ m->u.kernel.data, hook_mask)) {
+ duprintf("ip_tables: check failed for `%s'.\n",
+ m->u.kernel.match->name);
+ ret = -EINVAL;
+ goto err;
+ }
+
return 0;
+err:
+ xt_destroy_match(m);
+ return ret;
}
EXPORT_SYMBOL_GPL(xt_init_match);
+void xt_destroy_match(struct xt_entry_match *m)
+{
+ BUG_ON(!m);
+ kfree(m->u.kernel.data);
+ if (m->u.kernel.match)
+ module_put(m->u.kernel.match->me);
+}
+EXPORT_SYMBOL_GPL(xt_destroy_match);
+
#ifdef CONFIG_COMPAT
int xt_compat_match_offset(struct xt_match *match)
{
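Review bot: xt_destroy_match frees `u.kernel.data` and drops the module reference but leaves both pointers in place, so a second call on the same entry — which xt_init_match's own `goto err` path combined with a caller's cleanup produces in the compat path of this patch — double-frees and double-puts; add `m->u.kernel.data = NULL;` after the kfree and `m->u.kernel.match = NULL;` after the module_put so the helper is idempotent, and mirror that in xt_destroy_target. The duprintf in the new init-callback check still says `ip_tables:` although this function is now family-generic; use `xt_prefix[family]` as the surrounding printk calls do. Since the function now resolves the match by name and takes the module reference itself, and releases it on every failure after the lookup, that contract deserves a comment above the definition — callers that already hold a reference would otherwise end up with two.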
@@ -394,10 +450,28 @@ int xt_compat_match_to_user(struct xt_en
EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
#endif /* CONFIG_COMPAT */
-int xt_init_target(const struct xt_target *target, unsigned short family,
- unsigned int size, const char *table, unsigned int hook_mask,
- unsigned short proto, int inv_proto)
+int xt_init_target(struct xt_entry_target *t,
+ unsigned short family, const char *table,
+ unsigned int hook_mask, unsigned short proto,
+ int inv_proto)
{
+ struct xt_target *target;
+ unsigned int size = t->u.target_size - sizeof(*t);
+
+ target = try_then_request_module(xt_find_target(family,
+ t->u.user.name,
+ t->u.user.revision),
+ "%st_%s",
+ xt_prefix[family], t->u.user.name);
+ if (IS_ERR(target) || !target) {
+ duprintf("init_target: `%s' not found\n", t->u.user.name);
+ t->u.kernel.target = NULL;
+ t->u.kernel.data = NULL;
+ return target ? PTR_ERR(target) : -ENOENT;
+ }
+ t->u.kernel.target = target;
+ t->u.kernel.data = NULL;
+
if (XT_ALIGN(target->targetsize) != size) {
printk("%s_tables: %s target: invalid size %Zu != %u\n",
xt_prefix[family], target->name,
@@ -419,10 +493,31 @@ int xt_init_target(const struct xt_targe
xt_prefix[family], target->name, target->proto);
return -EINVAL;
}
+
+ if (target->datasize) {
+ t->u.kernel.data = kzalloc(target->datasize,
+ GFP_KERNEL);
+ if (!t->u.kernel.data) {
+ printk("%s_tables: %s target: "
+ "unable to allocate memory\n",
+ xt_prefix[family], target->name);
+ return -ENOMEM;
+ }
+ }
+
return 0;
}
EXPORT_SYMBOL_GPL(xt_init_target);
+void xt_destroy_target(struct xt_entry_target *t)
+{
+ BUG_ON(!t);
+ kfree(t->u.kernel.data);
+ if (t->u.kernel.target)
+ module_put(t->u.kernel.target->me);
+}
+EXPORT_SYMBOL_GPL(xt_destroy_target);
+
#ifdef CONFIG_COMPAT
int xt_compat_target_offset(struct xt_target *target)
{
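Review bot: The error paths of xt_init_target still return directly (`return -EINVAL;` after the protocol check, `return -ENOMEM;` after the failed kzalloc) while xt_init_match in the same patch routes every post-lookup failure through `goto err` to xt_destroy_match; here the module reference taken by the lookup in the preceding hunk stays held and t->u.kernel.target stays set, so a failed rule load leaks the target module. Unless callers are meant to call xt_destroy_target themselves after a failed xt_init_target (xt_init_match's callers cannot be, since it cleans up internally), the target path should mirror the match path: add `int ret;` to the declarations in the preceding hunk, turn each direct error return into `ret = -E...; goto err;`, and finish with an `err:` label that calls xt_destroy_target. The size/table/hook checks of this function lie between the two hunks and need the same treatment.
```c
	if (target->datasize) {
		t->u.kernel.data = kzalloc(target->datasize, GFP_KERNEL);
		if (!t->u.kernel.data) {
			printk("%s_tables: %s target: "
			       "unable to allocate memory\n",
			       xt_prefix[family], target->name);
			ret = -ENOMEM;
			goto err;
		}
	}

	return 0;
err:
	/* releases t->u.kernel.data and the module reference taken by the lookup */
	xt_destroy_target(t);
	return ret;
}
```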
--
1.4.3.3
* [PATCH 4/4][data-condition]: condition match
From: Massimiliano Hofer @ 2006-12-05 22:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: Patrick McHardy
On Tuesday 5 December 2006 11:12 pm, Massimiliano Hofer wrote:
From 51ca538c78b5748a3521a6868cd4239231984bf0 Mon Sep 17 00:00:00 2001
From: Massimiliano Hofer <max@nucleus.it>
Date: Tue, 5 Dec 2006 23:02:29 +0100
Subject: [PATCH] [NETFILTER]: condition match
This patch adds the first match that makes use of the new instance-specific data in netfilter.
This module allows you to match firewall rules against condition
variables stored in the /proc/net/nf_condition directory.
Signed-off-by: Massimiliano Hofer <max@nucleus.it>
---
include/linux/netfilter/xt_condition.h | 11 ++
net/netfilter/Kconfig | 10 +
net/netfilter/Makefile | 1 +
net/netfilter/xt_condition.c | 292 ++++++++++++++++++++++++++++++++
4 files changed, 314 insertions(+), 0 deletions(-)
diff --git a/include/linux/netfilter/xt_condition.h b/include/linux/netfilter/xt_condition.h
new file mode 100644
index 0000000..f0706d0
--- /dev/null
+++ b/include/linux/netfilter/xt_condition.h
@@ -0,0 +1,11 @@
+#ifndef _XT_CONDITION_H
+#define _XT_CONDITION_H
+
+#define CONDITION_NAME_LEN 32
+
+struct condition_info {
+ char name[CONDITION_NAME_LEN];
+ int invert;
+};
+
+#endif /* _XT_CONDITION_H */
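Review bot: The header is the userspace/kernel interface of the match but records none of its contract: `name` has to be NUL-terminated within CONDITION_NAME_LEN and must not contain a '/', and `invert` is used as a boolean flag, all of which the kernel's init() and match() rely on. Comments such as `/* /proc/net/nf_condition entry; NUL-terminated, no '/' */` on `name` and `/* boolean: match when the variable is 0 rather than 1 */` on `invert` would make the validation in xt_condition.c and the two iptables extensions traceable to this definition.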
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 3a66878..fb4f07b 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -393,6 +393,16 @@ config NETFILTER_XT_MATCH_COMMENT
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
+config NETFILTER_XT_MATCH_CONDITION
+ tristate '"condition" match support'
+ depends on NETFILTER_XTABLES && PROC_FS
+ help
+ This option allows you to match firewall rules against condition
+ variables stored in the /proc/net/nf_condition directory.
+
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+
config NETFILTER_XT_MATCH_CONNBYTES
tristate '"connbytes" per-connection counter match support'
depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 5dc5574..36840e0 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -71,3 +71,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING)
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_condition.o
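Review bot: The new object is keyed on the wrong config symbol: `obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_condition.o` ties xt_condition.o to the length match's option, so enabling NETFILTER_XT_MATCH_CONDITION from the Kconfig hunk above builds nothing and enabling the length match builds this module instead. The line should read `obj-$(CONFIG_NETFILTER_XT_MATCH_CONDITION) += xt_condition.o`.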
diff --git a/net/netfilter/xt_condition.c b/net/netfilter/xt_condition.c
new file mode 100644
index 0000000..91ec4d5
--- /dev/null
+++ b/net/netfilter/xt_condition.c
@@ -0,0 +1,292 @@
+/*-------------------------------------------*\
+| Netfilter Condition Module |
+| |
+| Description: This module allows firewall |
+| rules to match using condition variables |
+| stored in /proc files. |
+| |
+| Author: Stephane Ouellette 2002-10-22 |
+| <ouellettes@videotron.ca> |
+| Massimiliano Hofer 2006-05-15 |
+| <max@nucleus.it> |
+| |
+| History: |
+| 2003-02-10 Second version with improved |
+| locking and simplified code. |
+| 2006-05-15 2.6.16 adaptations. |
+| Locking overhaul. |
+| Various bug fixes. |
+| |
+| This software is distributed under the |
+| terms of the GNU GPL. |
+\*-------------------------------------------*/
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/proc_fs.h>
+#include <linux/spinlock.h>
+#include <asm/semaphore.h>
+#include <linux/string.h>
+#include <linux/list.h>
+#include <asm/atomic.h>
+#include <asm/uaccess.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_condition.h>
+
+/* Defaults, these can be overridden on the module command-line. */
+static unsigned int condition_list_perms = 0600;
+static unsigned int condition_uid_perms = 0;
+static unsigned int condition_gid_perms = 0;
+
+MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca> and Massimiliano Hofer <max@nucleus.it>");
+MODULE_DESCRIPTION("Allows rules to match against condition variables");
+MODULE_LICENSE("GPL");
+module_param(condition_list_perms, uint, 0600);
+MODULE_PARM_DESC(condition_list_perms,"permissions on /proc/net/nf_condition/* files");
+module_param(condition_uid_perms, uint, 0600);
+MODULE_PARM_DESC(condition_uid_perms,"user owner of /proc/net/nf_condition/* files");
+module_param(condition_gid_perms, uint, 0600);
+MODULE_PARM_DESC(condition_gid_perms,"group owner of /proc/net/nf_condition/* files");
+MODULE_ALIAS("ipt_condition");
+MODULE_ALIAS("ip6t_condition");
+
+static const char dir_name[]="nf_condition";
+
+struct condition_variable {
+ struct list_head list;
+ struct proc_dir_entry *status_proc;
+ unsigned int refcount;
+ int enabled; /* TRUE == 1, FALSE == 0 */
+};
+
+/* proc_lock is a user context only semaphore used for write access */
+/* to the conditions' list. */
+static DECLARE_MUTEX(proc_lock);
+
+static LIST_HEAD(conditions_list);
+static struct proc_dir_entry *proc_net_condition = NULL;
+
+static int
+xt_condition_read_info(char __user *buffer, char **start, off_t offset,
+ int length, int *eof, void *data)
+{
+ struct condition_variable *var =
+ (struct condition_variable *) data;
+
+ buffer[0] = (var->enabled) ? '1' : '0';
+ buffer[1] = '\n';
+ if (length>=2)
+ *eof = 1;
+
+ return 2;
+}
+
+
+static int
+xt_condition_write_info(struct file *file, const char __user *buffer,
+ unsigned long length, void *data)
+{
+ struct condition_variable *var =
+ (struct condition_variable *) data;
+ char newval;
+
+ if (length>0) {
+ if (get_user(newval, buffer))
+ return -EFAULT;
+ /* Match only on the first character */
+ switch (newval) {
+ case '0':
+ var->enabled = 0;
+ break;
+ case '1':
+ var->enabled = 1;
+ break;
+ }
+ }
+
+ return (int) length;
+}
+
+
+static int
+match(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, void *data, int offset,
+ unsigned int protoff, int *hotdrop)
+{
+ const struct condition_info *info =
+ (const struct condition_info *)matchinfo;
+ struct condition_variable *var=
+ *(struct condition_variable **)data;
+
+ return var->enabled ^ info->invert;
+}
+
+
+static int
+init(const char *tablename, const void *ip,
+ const struct xt_match *match,
+ void *matchinfo, void *data,
+ unsigned int hook_mask)
+{
+ static const char * const forbidden_names[]={ "", ".", ".." };
+ struct condition_info *info = (struct condition_info *) matchinfo;
+ struct list_head *pos;
+ struct condition_variable *var, *newvar;
+
+ int i;
+
+ /* We don't want a '/' in a proc file name. */
+ for (i=0; i < CONDITION_NAME_LEN && info->name[i] != '\0'; i++)
+ if (info->name[i] == '/')
+ return 0;
+ /* We can't handle file names longer than CONDITION_NAME_LEN and */
+ /* we want a NULL terminated string. */
+ if (i == CONDITION_NAME_LEN)
+ return 0;
+
+ /* We don't want certain reserved names. */
+ for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+ if(strcmp(info->name, forbidden_names[i])==0)
+ return 0;
+
+ /* Let's acquire the lock, check for the condition and add it */
+ /* or increase the reference counter. */
+ if (down_interruptible(&proc_lock))
+ return -EINTR;
+
+ list_for_each(pos, &conditions_list) {
+ var = list_entry(pos, struct condition_variable, list);
+ if (strcmp(info->name, var->status_proc->name) == 0) {
+ var->refcount++;
+ up(&proc_lock);
+ *(struct condition_variable **)data=var;
+ return 1;
+ }
+ }
+
+ /* At this point, we need to allocate a new condition variable. */
+ newvar = kmalloc(sizeof(struct condition_variable), GFP_KERNEL);
+
+ if (!newvar) {
+ up(&proc_lock);
+ return -ENOMEM;
+ }
+
+ /* Create the condition variable's proc file entry. */
+ newvar->status_proc = create_proc_entry(info->name, condition_list_perms, proc_net_condition);
+
+ if (!newvar->status_proc) {
+ kfree(newvar);
+ up(&proc_lock);
+ return -ENOMEM;
+ }
+
+ newvar->refcount = 1;
+ newvar->enabled = 0;
+ newvar->status_proc->owner = THIS_MODULE;
+ newvar->status_proc->data = newvar;
+ wmb();
+ newvar->status_proc->read_proc = xt_condition_read_info;
+ newvar->status_proc->write_proc = xt_condition_write_info;
+
+ list_add_rcu(&newvar->list, &conditions_list);
+
+ newvar->status_proc->uid = condition_uid_perms;
+ newvar->status_proc->gid = condition_gid_perms;
+
+ up(&proc_lock);
+
+ *(struct condition_variable **)data=newvar;
+
+ return 1;
+}
+
+
+static void
+destroy(const struct xt_match *match, void *matchinfo, void *data)
+{
+ struct condition_variable *var=
+ *(struct condition_variable **)data;
+
+ BUG_ON(data==NULL);
+ BUG_ON(var==NULL);
+
+ down(&proc_lock);
+
+ if (--var->refcount == 0) {
+ list_del_rcu(&var->list);
+ remove_proc_entry(var->status_proc->name, proc_net_condition);
+ up(&proc_lock);
+ /* synchronize_rcu() would be goog enough, but */
+ /* synchronize_net() guarantees that no packet will go */
+ /* out with the old rule after succesful removal. */
+ synchronize_net();
+ kfree(var);
+ return;
+ }
+
+ up(&proc_lock);
+}
+
+
+static struct xt_match condition_match = {
+ .name = "condition",
+ .family = AF_INET,
+ .matchsize = sizeof(struct condition_info),
+ .datasize = sizeof(struct condition_variable *),
+ .match = match,
+ .init = init,
+ .destroy = destroy,
+ .me = THIS_MODULE
+};
+
+static struct xt_match condition6_match = {
+ .name = "condition",
+ .family = AF_INET6,
+ .matchsize = sizeof(struct condition_info),
+ .datasize = sizeof(struct condition_variable *),
+ .match = match,
+ .init = init,
+ .destroy = destroy,
+ .me = THIS_MODULE
+};
+
+static int __init xt_condition_init(void)
+{
+ int errorcode;
+
+ proc_net_condition = proc_mkdir(dir_name, proc_net);
+ if (!proc_net_condition) {
+ remove_proc_entry(dir_name, proc_net);
+ return -EACCES;
+ }
+
+ errorcode = xt_register_match(&condition_match);
+ if (errorcode) {
+ xt_unregister_match(&condition_match);
+ remove_proc_entry(dir_name, proc_net);
+ return errorcode;
+ }
+
+ errorcode = xt_register_match(&condition6_match);
+ if (errorcode) {
+ xt_unregister_match(&condition6_match);
+ xt_unregister_match(&condition_match);
+ remove_proc_entry(dir_name, proc_net);
+ return errorcode;
+ }
+
+ return 0;
+}
+
+
+static void __exit xt_condition_fini(void)
+{
+ xt_unregister_match(&condition6_match);
+ xt_unregister_match(&condition_match);
+ remove_proc_entry(dir_name, proc_net);
+}
+
+module_init(xt_condition_init);
+module_exit(xt_condition_fini);
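Review bot: init() returns negative errno values (`return -EINTR;` after down_interruptible, `return -ENOMEM;` after the failed kmalloc and after the failed create_proc_entry) but the core in patch 1 treats any non-zero init() result as success (`!m->u.kernel.match->init(...)`), so on those paths the rule is accepted with the per-instance slot still at the kzalloc'd NULL; the next packet then dereferences `var->enabled` in match() and rule removal hits `BUG_ON(var==NULL)` in destroy(). Either return 0 on those three paths as the name checks do, or keep the errno values and have the core distinguish them, but the two halves of the series must agree. xt_condition_init also calls xt_unregister_match() on the match whose registration has just failed, which presumably removes a list entry that was never added; only unwind what actually succeeded. Lastly, `info->invert` comes straight from userspace, so `return var->enabled ^ info->invert;` yields a non-boolean for any value other than 0 or 1; use `!!info->invert` here or reject other values in init().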
--
1.4.3.3
* [PATCH -/4][data-condition]: userspace code
From: Massimiliano Hofer @ 2006-12-05 22:22 UTC (permalink / raw)
To: netfilter-devel; +Cc: Patrick McHardy
Hi,
the condition patch is most useful if you apply the attached patch to the
userspace utility.
Without this patch iptables can't be compiled with condition and recent
kernels.
--
Saluti,
Massimiliano Hofer
diff -Nru iptables-1.3.5-20060922.orig/extensions/.condition-test iptables-1.3.5-20060922.new/extensions/.condition-test
--- iptables-1.3.5-20060922.orig/extensions/.condition-test 2002-11-02 16:00:15.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/.condition-test 2006-09-26 12:56:01.000000000 +0200
@@ -1,3 +1,5 @@
#!/bin/sh
# True if condition is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] && echo condition
+( [ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] ||
+ [ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] ) &&
+ echo condition
diff -Nru iptables-1.3.5-20060922.orig/extensions/.condition-test6 iptables-1.3.5-20060922.new/extensions/.condition-test6
--- iptables-1.3.5-20060922.orig/extensions/.condition-test6 2003-02-25 12:54:56.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/.condition-test6 2006-09-26 12:55:23.000000000 +0200
@@ -1,3 +1,5 @@
#!/bin/sh
# True if condition6 is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] && echo condition
+( [ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] ||
+ [ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] ) &&
+ echo condition
diff -Nru iptables-1.3.5-20060922.orig/extensions/libip6t_condition.c iptables-1.3.5-20060922.new/extensions/libip6t_condition.c
--- iptables-1.3.5-20060922.orig/extensions/libip6t_condition.c 2005-02-14 14:13:04.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libip6t_condition.c 2006-09-26 13:04:09.000000000 +0200
@@ -6,7 +6,14 @@
#include <ip6tables.h>
#include<linux/netfilter_ipv6/ip6_tables.h>
+
+#ifndef _X_TABLES_H
#include<linux/netfilter_ipv6/ip6t_condition.h>
+#define condition_info condition6_info
+#define CONDITION_NAME_LEN CONDITION6_NAME_LEN
+#else
+#include<linux/netfilter/xt_condition.h>
+#endif
static void
@@ -29,8 +36,12 @@
const struct ip6t_entry *entry, unsigned int *nfcache,
struct ip6t_entry_match **match)
{
- struct condition6_info *info =
- (struct condition6_info *) (*match)->data;
+ static const char * const forbidden_names[]={ "", ".", ".." };
+ const char *name;
+ int i;
+
+ struct condition_info *info =
+ (struct condition_info *) (*match)->data;
if (c == 'X') {
if (*flags)
@@ -39,12 +50,26 @@
check_inverse(optarg, &invert, &optind, 0);
- if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
+ name = argv[optind - 1];
+ /* We don't want a '/' in a proc file name. */
+ for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+ if (name[i] == '/')
+ exit_error(PARAMETER_PROBLEM,
+ "Can't have a '/' in a condition name");
+
+ /* We can't handle file names longer than CONDITION_NAME_LEN and */
+ /* we want a NULL terminated string. */
+ if (i == CONDITION_NAME_LEN)
exit_error(PARAMETER_PROBLEM,
"File name too long");
+ /* We don't want certain reserved names. */
+ for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+ if(strcmp(name, forbidden_names[i])==0)
+ exit_error(PARAMETER_PROBLEM,
+ "Forbidden condition name");
+
+ strcpy(info->name, name);
info->invert = invert;
*flags = 1;
return 1;
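Review bot: The reserved-name loop compares the `int i` declared in the previous hunk against `sizeof(forbidden_names)/sizeof(char *)`, a size_t, which draws a signed/unsigned comparison warning; declaring `unsigned int i;` (or a separate size_t index for that loop) avoids it. The same validation block is copied verbatim into libipt_condition.c's parse() further down and into the kernel's init(); the two userspace copies could share one helper so their rules and error messages cannot drift apart. `strcpy(info->name, name)` is safe only because the first loop guarantees a NUL within CONDITION_NAME_LEN bytes, and a comment such as `/* length already bounded by the loop above */` on that line would record why strcpy is acceptable here.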
@@ -67,8 +92,8 @@
print(const struct ip6t_ip6 *ip,
const struct ip6t_entry_match *match, int numeric)
{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
+ const struct condition_info *info =
+ (const struct condition_info *) match->data;
printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
}
@@ -78,8 +103,8 @@
save(const struct ip6t_ip6 *ip,
const struct ip6t_entry_match *match)
{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
+ const struct condition_info *info =
+ (const struct condition_info *) match->data;
printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
}
@@ -88,8 +113,8 @@
static struct ip6tables_match condition = {
.name = "condition",
.version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct condition6_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
+ .size = IP6T_ALIGN(sizeof(struct condition_info)),
+ .userspacesize = IP6T_ALIGN(sizeof(struct condition_info)),
.help = &help,
.parse = &parse,
.final_check = &final_check,
diff -Nru iptables-1.3.5-20060922.orig/extensions/libip6t_condition.man iptables-1.3.5-20060922.new/extensions/libip6t_condition.man
--- iptables-1.3.5-20060922.orig/extensions/libip6t_condition.man 2006-01-30 09:50:09.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libip6t_condition.man 2006-09-26 09:31:40.000000000 +0200
@@ -1,4 +1,4 @@
This matches if a specific /proc filename is '0' or '1'.
.TP
.BR "--condition " "[!] \fIfilename"
-Match on boolean value stored in /proc/net/ip6t_condition/filename file
+Match on boolean value stored in /proc/net/nf_condition/filename file
diff -Nru iptables-1.3.5-20060922.orig/extensions/libipt_condition.c iptables-1.3.5-20060922.new/extensions/libipt_condition.c
--- iptables-1.3.5-20060922.orig/extensions/libipt_condition.c 2005-02-14 14:13:04.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libipt_condition.c 2006-09-26 12:01:57.000000000 +0200
@@ -6,7 +6,12 @@
#include <iptables.h>
#include<linux/netfilter_ipv4/ip_tables.h>
+
+#ifndef _X_TABLES_H
#include<linux/netfilter_ipv4/ipt_condition.h>
+#else
+#include<linux/netfilter/xt_condition.h>
+#endif
static void
@@ -29,6 +34,10 @@
const struct ipt_entry *entry, unsigned int *nfcache,
struct ipt_entry_match **match)
{
+ static const char * const forbidden_names[]={ "", ".", ".." };
+ const char *name;
+ int i;
+
struct condition_info *info =
(struct condition_info *) (*match)->data;
@@ -39,12 +48,26 @@
check_inverse(optarg, &invert, &optind, 0);
- if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
+ name = argv[optind - 1];
+ /* We don't want a '/' in a proc file name. */
+ for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+ if (name[i] == '/')
+ exit_error(PARAMETER_PROBLEM,
+ "Can't have a '/' in a condition name");
+
+ /* We can't handle file names longer than CONDITION_NAME_LEN and */
+ /* we want a NULL terminated string. */
+ if (i == CONDITION_NAME_LEN)
exit_error(PARAMETER_PROBLEM,
"File name too long");
+ /* We don't want certain reserved names. */
+ for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+ if(strcmp(name, forbidden_names[i])==0)
+ exit_error(PARAMETER_PROBLEM,
+ "Forbidden condition name");
+
+ strcpy(info->name, name);
info->invert = invert;
*flags = 1;
return 1;
diff -Nru iptables-1.3.5-20060922.orig/extensions/libipt_condition.man iptables-1.3.5-20060922.new/extensions/libipt_condition.man
--- iptables-1.3.5-20060922.orig/extensions/libipt_condition.man 2006-01-30 09:50:09.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libipt_condition.man 2006-09-26 09:31:42.000000000 +0200
@@ -1,4 +1,4 @@
This matches if a specific /proc filename is '0' or '1'.
.TP
.BI "--condition " "[!] \fIfilename\fP"
-Match on boolean value stored in /proc/net/ipt_condition/filename file
+Match on boolean value stored in /proc/net/nf_condition/filename file