* [1/13] [NETFILTER]: annotate xtables targets with const and remove casts
From: Jan Engelhardt @ 2008-01-31 23:19 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit b8b4c357f472df2796bb3e2c885c2da7cf852ed8
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Jan 25 20:52:56 2008 +0100
[NETFILTER]: annotate xtables targets with const and remove casts
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 12 ++++++------
net/ipv4/netfilter/ipt_ECN.c | 2 +-
net/ipv4/netfilter/ipt_LOG.c | 3 ++-
net/ipv4/netfilter/ipt_REJECT.c | 6 ++++--
net/ipv4/netfilter/ipt_recent.c | 6 +++---
net/ipv4/netfilter/nf_nat_rule.c | 4 ++--
net/ipv6/netfilter/ip6t_REJECT.c | 3 ++-
net/ipv6/netfilter/ip6t_ipv6header.c | 3 ++-
net/ipv6/netfilter/ip6t_rt.c | 3 ++-
net/netfilter/xt_CONNSECMARK.c | 2 +-
net/netfilter/xt_RATEEST.c | 2 +-
net/netfilter/xt_connlimit.c | 6 +++---
net/netfilter/xt_dccp.c | 3 ++-
net/netfilter/xt_esp.c | 3 ++-
net/netfilter/xt_multiport.c | 6 ++++--
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_rateest.c | 4 ++--
net/netfilter/xt_sctp.c | 6 ++++--
net/netfilter/xt_tcpmss.c | 6 ++++--
net/netfilter/xt_tcpudp.c | 9 ++++++---
net/netfilter/xt_time.c | 2 +-
21 files changed, 55 insertions(+), 38 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index c6cf84c..b8c793c 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -142,7 +142,7 @@ clusterip_config_init_nodelist(struct clusterip_config *c,
}
static struct clusterip_config *
-clusterip_config_init(struct ipt_clusterip_tgt_info *i, __be32 ip,
+clusterip_config_init(const struct ipt_clusterip_tgt_info *i, __be32 ip,
struct net_device *dev)
{
struct clusterip_config *c;
@@ -417,7 +417,7 @@ clusterip_tg_check(const char *tablename, const void *e_void,
/* drop reference count of cluster config when rule is deleted */
static void clusterip_tg_destroy(const struct xt_target *target, void *targinfo)
{
- struct ipt_clusterip_tgt_info *cipinfo = targinfo;
+ const struct ipt_clusterip_tgt_info *cipinfo = targinfo;
/* if no more entries are referencing the config, remove it
* from the list and destroy the proc entry */
@@ -566,7 +566,7 @@ struct clusterip_seq_position {
static void *clusterip_seq_start(struct seq_file *s, loff_t *pos)
{
- struct proc_dir_entry *pde = s->private;
+ const struct proc_dir_entry *pde = s->private;
struct clusterip_config *c = pde->data;
unsigned int weight;
u_int32_t local_nodes;
@@ -593,7 +593,7 @@ static void *clusterip_seq_start(struct seq_file *s, loff_t *pos)
static void *clusterip_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct clusterip_seq_position *idx = (struct clusterip_seq_position *)v;
+ struct clusterip_seq_position *idx = v;
*pos = ++idx->pos;
if (*pos >= idx->weight) {
@@ -612,7 +612,7 @@ static void clusterip_seq_stop(struct seq_file *s, void *v)
static int clusterip_seq_show(struct seq_file *s, void *v)
{
- struct clusterip_seq_position *idx = (struct clusterip_seq_position *)v;
+ struct clusterip_seq_position *idx = v;
if (idx->pos != 0)
seq_putc(s, ',');
@@ -668,7 +668,7 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
{
#define PROC_WRITELEN 10
char buffer[PROC_WRITELEN+1];
- struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
+ const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct clusterip_config *c = pde->data;
unsigned long nodenum;
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 21395bc..d60139c 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -100,7 +100,7 @@ ecn_tg_check(const char *tablename, const void *e_void,
const struct xt_target *target, void *targinfo,
unsigned int hook_mask)
{
- const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
+ const struct ipt_ECN_info *einfo = targinfo;
const struct ipt_entry *e = e_void;
if (einfo->operation & IPT_ECN_OP_MASK) {
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index b38d785..77300e9 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -76,7 +76,8 @@ static void dump_packet(const struct nf_loginfo *info,
if ((logflags & IPT_LOG_IPOPT)
&& ih->ihl * 4 > sizeof(struct iphdr)) {
- unsigned char _opt[4 * 15 - sizeof(struct iphdr)], *op;
+ const unsigned char *op;
+ unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
unsigned int i, optsize;
optsize = ih->ihl * 4 - sizeof(struct iphdr);
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 22606e2..2639872 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -35,8 +35,10 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4");
static void send_reset(struct sk_buff *oldskb, int hook)
{
struct sk_buff *nskb;
- struct iphdr *oiph, *niph;
- struct tcphdr _otcph, *oth, *tcph;
+ const struct iphdr *oiph;
+ struct iphdr *niph;
+ const struct tcphdr *oth;
+ struct tcphdr _otcph, *tcph;
unsigned int addr_type;
/* IP header checks: fragment. */
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 68cbe3c..f2142b7 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -339,7 +339,7 @@ static void *recent_seq_start(struct seq_file *seq, loff_t *pos)
static void *recent_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
struct recent_iter_state *st = seq->private;
- struct recent_table *t = st->table;
+ const struct recent_table *t = st->table;
struct recent_entry *e = v;
struct list_head *head = e->list.next;
@@ -360,7 +360,7 @@ static void recent_seq_stop(struct seq_file *s, void *v)
static int recent_seq_show(struct seq_file *seq, void *v)
{
- struct recent_entry *e = v;
+ const struct recent_entry *e = v;
unsigned int i;
i = (e->index - 1) % ip_pkt_list_tot;
@@ -395,7 +395,7 @@ static int recent_seq_open(struct inode *inode, struct file *file)
static ssize_t recent_proc_write(struct file *file, const char __user *input,
size_t size, loff_t *loff)
{
- struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
+ const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct recent_table *t = pde->data;
struct recent_entry *e;
char buf[sizeof("+255.255.255.255")], *c = buf;
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index f8fda57..600f6d7 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -143,7 +143,7 @@ static bool ipt_snat_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct nf_nat_multi_range_compat *mr = targinfo;
+ const struct nf_nat_multi_range_compat *mr = targinfo;
/* Must be a valid range */
if (mr->rangesize != 1) {
@@ -159,7 +159,7 @@ static bool ipt_dnat_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct nf_nat_multi_range_compat *mr = targinfo;
+ const struct nf_nat_multi_range_compat *mr = targinfo;
/* Must be a valid range */
if (mr->rangesize != 1) {
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index b23baa6..c779d76 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -41,7 +41,8 @@ static void send_reset(struct sk_buff *oldskb)
struct tcphdr otcph, *tcph;
unsigned int otcplen, hh_len;
int tcphoff, needs_ack;
- struct ipv6hdr *oip6h = ipv6_hdr(oldskb), *ip6h;
+ const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
+ struct ipv6hdr *ip6h;
struct dst_entry *dst = NULL;
u8 proto;
struct flowi fl;
--git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 3a94017..317a896 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -49,7 +49,8 @@ ipv6header_mt6(const struct sk_buff *skb, const struct net_device *in,
temp = 0;
while (ip6t_ext_hdr(nexthdr)) {
- struct ipv6_opt_hdr _hdr, *hp;
+ const struct ipv6_opt_hdr *hp;
+ struct ipv6_opt_hdr _hdr;
int hdrlen;
/* Is there enough space for the next ext header? */
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 12a9efe..81aaf7a 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -110,7 +110,8 @@ rt_mt6(const struct sk_buff *skb, const struct net_device *in,
!!(rtinfo->invflags & IP6T_RT_INV_TYP)));
if (ret && (rtinfo->flags & IP6T_RT_RES)) {
- u_int32_t *rp, _reserved;
+ const u_int32_t *rp;
+ u_int32_t _reserved;
rp = skb_header_pointer(skb,
ptr + offsetof(struct rt0_hdr,
reserved),
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 1faa913..211189e 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -55,7 +55,7 @@ static void secmark_save(const struct sk_buff *skb)
static void secmark_restore(struct sk_buff *skb)
{
if (!skb->secmark) {
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
ct = nf_ct_get(skb, &ctinfo);
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 24c73ba..64d6ad3 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -96,7 +96,7 @@ xt_rateest_tg_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct xt_rateest_target_info *info = (void *)targinfo;
+ struct xt_rateest_target_info *info = targinfo;
struct xt_rateest *est;
struct {
struct nlattr opt;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 3b01119..0ca9fe9 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -106,10 +106,10 @@ static int count_them(struct xt_connlimit_data *data,
const union nf_inet_addr *mask,
const struct xt_match *match)
{
- struct nf_conntrack_tuple_hash *found;
+ const struct nf_conntrack_tuple_hash *found;
struct xt_connlimit_conn *conn;
struct xt_connlimit_conn *tmp;
- struct nf_conn *found_ct;
+ const struct nf_conn *found_ct;
struct list_head *hash;
bool addit = true;
int matches = 0;
@@ -256,7 +256,7 @@ connlimit_mt_check(const char *tablename, const void *ip,
static void
connlimit_mt_destroy(const struct xt_match *match, void *matchinfo)
{
- struct xt_connlimit_info *info = matchinfo;
+ const struct xt_connlimit_info *info = matchinfo;
struct xt_connlimit_conn *conn;
struct xt_connlimit_conn *tmp;
struct list_head *hash = info->data->iphash;
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 667f45e..8b65221 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -98,7 +98,8 @@ dccp_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
const struct xt_dccp_info *info = matchinfo;
- struct dccp_hdr _dh, *dh;
+ const struct dccp_hdr *dh;
+ struct dccp_hdr _dh;
if (offset)
return false;
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 71c7c37..a133eb9 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -47,7 +47,8 @@ esp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct ip_esp_hdr _esp, *eh;
+ const struct ip_esp_hdr *eh;
+ struct ip_esp_hdr _esp;
const struct xt_esp *espinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 31daa81..fd88c48 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -100,7 +100,8 @@ multiport_mt_v0(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- __be16 _ports[2], *pptr;
+ const __be16 *pptr;
+ __be16 _ports[2];
const struct xt_multiport *multiinfo = matchinfo;
if (offset)
@@ -126,7 +127,8 @@ multiport_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- __be16 _ports[2], *pptr;
+ const __be16 *pptr;
+ __be16 _ports[2];
const struct xt_multiport_v1 *multiinfo = matchinfo;
if (offset)
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 9e918ad..d351582 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -136,7 +136,7 @@ policy_mt_check(const char *tablename, const void *ip_void,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
- struct xt_policy_info *info = matchinfo;
+ const struct xt_policy_info *info = matchinfo;
if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
printk(KERN_ERR "xt_policy: neither incoming nor "
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index fdb86a5..ebd84f1 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -86,7 +86,7 @@ static bool xt_rateest_mt_checkentry(const char *tablename,
void *matchinfo,
unsigned int hook_mask)
{
- struct xt_rateest_match_info *info = (void *)matchinfo;
+ struct xt_rateest_match_info *info = matchinfo;
struct xt_rateest *est1, *est2;
if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
@@ -130,7 +130,7 @@ err1:
static void xt_rateest_mt_destroy(const struct xt_match *match,
void *matchinfo)
{
- struct xt_rateest_match_info *info = (void *)matchinfo;
+ struct xt_rateest_match_info *info = matchinfo;
xt_rateest_put(info->est1);
if (info->est2)
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index b718ec6..e6e4681 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -46,7 +46,8 @@ match_packet(const struct sk_buff *skb,
bool *hotdrop)
{
u_int32_t chunkmapcopy[256 / sizeof (u_int32_t)];
- sctp_chunkhdr_t _sch, *sch;
+ const sctp_chunkhdr_t *sch;
+ sctp_chunkhdr_t _sch;
int chunk_match_type = info->chunk_match_type;
const struct xt_sctp_flag_info *flag_info = info->flag_info;
int flag_count = info->flag_count;
@@ -121,7 +122,8 @@ sctp_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
const struct xt_sctp_info *info = matchinfo;
- sctp_sctphdr_t _sh, *sh;
+ const sctp_sctphdr_t *sh;
+ sctp_sctphdr_t _sh;
if (offset) {
duprintf("Dropping non-first fragment.. FIXME\n");
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index d7a5b27..6771bf0 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -31,9 +31,11 @@ tcpmss_mt(const struct sk_buff *skb, const struct net_device *in,
bool *hotdrop)
{
const struct xt_tcpmss_match_info *info = matchinfo;
- struct tcphdr _tcph, *th;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
- u8 _opt[15 * 4 - sizeof(_tcph)], *op;
+ const u_int8_t *op;
+ u8 _opt[15 * 4 - sizeof(_tcph)];
unsigned int i, optlen;
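Review bot: The new declaration `const u_int8_t *op;` spells the byte type differently from the `u8 _opt[15 * 4 - sizeof(_tcph)];` it is paired with on the next line and from the `u8` the replaced line used, while the xt_tcpudp hunk in this same patch keeps `u_int8_t` for both halves. Using one spelling per pair, `const u8 *op;`, avoids making a reader check whether the two names denote the same type. tcpmss_mt's body continues outside the hunk.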
/* If we don't have the whole header, drop packet. */
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 4fa3b66..951b06b 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -42,7 +42,8 @@ tcp_find_option(u_int8_t option,
bool *hotdrop)
{
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
- u_int8_t _opt[60 - sizeof(struct tcphdr)], *op;
+ const u_int8_t *op;
+ u_int8_t _opt[60 - sizeof(struct tcphdr)];
unsigned int i;
duprintf("tcp_match: finding option\n");
@@ -72,7 +73,8 @@ tcp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct tcphdr _tcph, *th;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
const struct xt_tcp *tcpinfo = matchinfo;
if (offset) {
@@ -144,7 +146,8 @@ udp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct udphdr _udph, *uh;
+ const struct udphdr *uh;
+ struct udphdr _udph;
const struct xt_udp *udpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index e9a8794..41297d0 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -220,7 +220,7 @@ time_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
- struct xt_time_info *info = matchinfo;
+ const struct xt_time_info *info = matchinfo;
if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
info->daytime_stop > XT_TIME_MAX_DAYTIME) {
^ permalink raw reply related [flat|nested] 27+ messages in thread* [02/13] [NETFILTER]: annotate {arp,ip,ip6,x}tables with const
From: Jan Engelhardt @ 2008-01-31 23:19 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 2bab432aba178b45b2b1f344077e8b0fb892066a
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Jan 25 20:52:56 2008 +0100
[NETFILTER]: annotate {arp,ip,ip6,x}tables with const
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/x_tables.h | 4 +-
net/ipv4/netfilter/arp_tables.c | 33 ++++++++++++++-------------
net/ipv4/netfilter/arpt_mangle.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 31 +++++++++++++------------
net/ipv6/netfilter/ip6_tables.c | 29 ++++++++++++-----------
net/netfilter/x_tables.c | 18 +++++++-------
6 files changed, 60 insertions(+), 57 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b2c62cc..2326296 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -430,13 +430,13 @@ extern int xt_compat_add_offset(int af, unsigned int offset, short delta);
extern void xt_compat_flush_offsets(int af);
extern short xt_compat_calc_jump(int af, unsigned int offset);
-extern int xt_compat_match_offset(struct xt_match *match);
+extern int xt_compat_match_offset(const struct xt_match *match);
extern int xt_compat_match_from_user(struct xt_entry_match *m,
void **dstptr, unsigned int *size);
extern int xt_compat_match_to_user(struct xt_entry_match *m,
void __user **dstptr, unsigned int *size);
-extern int xt_compat_target_offset(struct xt_target *target);
+extern int xt_compat_target_offset(const struct xt_target *target);
extern void xt_compat_target_from_user(struct xt_entry_target *t,
void **dstptr, unsigned int *size);
extern int xt_compat_target_to_user(struct xt_entry_target *t,
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index a7591ce..4191588 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -59,7 +59,7 @@ do { \
#endif
static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
- char *hdr_addr, int len)
+ const char *hdr_addr, int len)
{
int i, ret;
@@ -80,8 +80,8 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
const char *outdev,
const struct arpt_arp *arpinfo)
{
- char *arpptr = (char *)(arphdr + 1);
- char *src_devaddr, *tgt_devaddr;
+ const char *arpptr = (char *)(arphdr + 1);
+ const char *src_devaddr, *tgt_devaddr;
__be32 src_ipaddr, tgt_ipaddr;
int i, ret;
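Review bot: The cast in `const char *arpptr = (char *)(arphdr + 1);` strips the const that the `const struct arphdr *arphdr` parameter carries and then silently puts it back on assignment, which is the kind of const-discarding cast this series is otherwise removing and will trip -Wcast-qual. Write `const char *arpptr = (const char *)(arphdr + 1);` so the qualifier is preserved end to end. arp_packet_match's body continues past the hunk.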
@@ -226,12 +226,12 @@ unsigned int arpt_do_table(struct sk_buff *skb,
{
static const char nulldevname[IFNAMSIZ];
unsigned int verdict = NF_DROP;
- struct arphdr *arp;
+ const struct arphdr *arp;
bool hotdrop = false;
struct arpt_entry *e, *back;
- const char *indev, *outdev;
+ const const char *indev, *outdev;
void *table_base;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
/* ARP header, plus 2 device addresses, plus 2 IP addresses. */
if (!pskb_may_pull(skb, (sizeof(struct arphdr) +
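Review bot: `const const char *indev, *outdev;` repeats the qualifier; the removed line already had a single const, so this change is a typo rather than an annotation. C99 treats a duplicated qualifier as if it appeared once, so it compiles, but several compilers warn about it and it reads as an error to the next maintainer. Restore `const char *indev, *outdev;` or drop the pair of lines from the hunk, since nothing else about them changed. arpt_do_table's body runs past the hunk.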
@@ -355,7 +355,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
e->counters.pcnt = pos;
for (;;) {
- struct arpt_standard_target *t
+ const struct arpt_standard_target *t
= (void *)arpt_get_target(e);
int visited = e->comefrom & (1 << hook);
@@ -440,7 +440,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
static inline int check_entry(struct arpt_entry *e, const char *name)
{
- struct arpt_entry_target *t;
+ const struct arpt_entry_target *t;
if (!arp_checkentry(&e->arp)) {
duprintf("arp_tables: arp check failed %p %s.\n", e, name);
@@ -713,7 +713,7 @@ static inline struct xt_counters *alloc_counters(struct arpt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
* (other than comefrom, which userspace doesn't care
@@ -740,7 +740,7 @@ static int copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct arpt_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
void *loc_cpu_entry;
@@ -875,7 +875,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"arptable_%s", name);
if (t && !IS_ERR(t)) {
struct arpt_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -930,7 +930,8 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
t = xt_find_table_lock(net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
+
duprintf("t->private->number = %u\n",
private->number);
if (get.size == private->size)
@@ -1090,11 +1091,11 @@ static int do_add_counters(struct net *net, void __user *user, unsigned int len,
struct xt_counters_info tmp;
struct xt_counters *paddc;
unsigned int num_counters;
- char *name;
+ const char *name;
int size;
void *ptmp;
struct arpt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
@@ -1561,7 +1562,7 @@ static int compat_copy_entries_to_user(unsigned int total_size,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
@@ -1612,7 +1613,7 @@ static int compat_get_entries(struct net *net,
xt_compat_lock(NF_ARP);
t = xt_find_table_lock(net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 45fa4e2..10517d6 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -15,7 +15,7 @@ target(struct sk_buff *skb,
const void *targinfo)
{
const struct arpt_mangle *mangle = targinfo;
- struct arphdr *arp;
+ const struct arphdr *arp;
unsigned char *arpptr;
int pln, hln;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 600737f..eb3ec74 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -296,7 +296,7 @@ static void trace_packet(struct sk_buff *skb,
struct ipt_entry *e)
{
void *table_base;
- struct ipt_entry *root;
+ const struct ipt_entry *root;
char *hookname, *chainname, *comment;
unsigned int rulenum = 0;
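Review bot: `char *hookname, *chainname, *comment;` is left non-const while the neighbouring `root` gains it; if, as the names suggest, these three are only ever filled from static string tables and handed to a format string, `const char *hookname, *chainname, *comment;` would let the compiler enforce that and would remove any casts needed to store const strings into them. The assignments are not visible in this hunk, so confirm nothing writes through them before changing the declaration. trace_packet's body continues outside the hunk.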
@@ -327,7 +327,7 @@ ipt_do_table(struct sk_buff *skb,
{
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
u_int16_t offset;
- struct iphdr *ip;
+ const struct iphdr *ip;
u_int16_t datalen;
bool hotdrop = false;
/* Initializing verdict to NF_DROP keeps gcc happy. */
@@ -926,7 +926,7 @@ static struct xt_counters * alloc_counters(struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
(other than comefrom, which userspace doesn't care
@@ -953,9 +953,9 @@ copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct ipt_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
counters = alloc_counters(table);
if (IS_ERR(counters))
@@ -975,8 +975,8 @@ copy_entries_to_user(unsigned int total_size,
/* ... then go back and fix counters and names */
for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
unsigned int i;
- struct ipt_entry_match *m;
- struct ipt_entry_target *t;
+ const struct ipt_entry_match *m;
+ const struct ipt_entry_target *t;
e = (struct ipt_entry *)(loc_cpu_entry + off);
if (copy_to_user(userptr + off
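Review bot: `e = (struct ipt_entry *)(loc_cpu_entry + off);` casts away the const that this commit adds to `loc_cpu_entry` in the previous hunk, so the new qualifier protects nothing inside this loop. `e` is declared `struct ipt_entry *e;` above and, as far as this hunk shows, is only read from (the match and target pointers derived from it are themselves const now); if ipt_get_target and the remaining uses accept a const entry, declare `const struct ipt_entry *e;` and drop the cast, otherwise leave a one-line comment stating why const is discarded here. copy_entries_to_user continues outside the hunk.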
@@ -1116,7 +1116,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"iptable_%s", name);
if (t && !IS_ERR(t)) {
struct ipt_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -1172,7 +1172,7 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len)
t = xt_find_table_lock(net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
duprintf("t->private->number = %u\n", private->number);
if (get.size == private->size)
ret = copy_entries_to_user(private->size,
@@ -1337,11 +1337,11 @@ do_add_counters(struct net *net, void __user *user, unsigned int len, int compat
struct xt_counters_info tmp;
struct xt_counters *paddc;
unsigned int num_counters;
- char *name;
+ const char *name;
int size;
void *ptmp;
struct xt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
@@ -1878,11 +1878,11 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
unsigned int i = 0;
counters = alloc_counters(table);
@@ -1929,7 +1929,7 @@ compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
xt_compat_lock(AF_INET);
t = xt_find_table_lock(net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
ret = compat_table_info(private, &info);
@@ -2130,7 +2130,8 @@ icmp_match(const struct sk_buff *skb,
unsigned int protoff,
bool *hotdrop)
{
- struct icmphdr _icmph, *ic;
+ const struct icmphdr *ic;
+ struct icmphdr _icmph;
const struct ipt_icmp *icmpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index bf9bb6e..743b108 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -325,7 +325,7 @@ static void trace_packet(struct sk_buff *skb,
struct ip6t_entry *e)
{
void *table_base;
- struct ip6t_entry *root;
+ const struct ip6t_entry *root;
char *hookname, *chainname, *comment;
unsigned int rulenum = 0;
@@ -952,7 +952,7 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
(other than comefrom, which userspace doesn't care
@@ -979,9 +979,9 @@ copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct ip6t_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
counters = alloc_counters(table);
if (IS_ERR(counters))
@@ -1001,8 +1001,8 @@ copy_entries_to_user(unsigned int total_size,
/* ... then go back and fix counters and names */
for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
unsigned int i;
- struct ip6t_entry_match *m;
- struct ip6t_entry_target *t;
+ const struct ip6t_entry_match *m;
+ const struct ip6t_entry_target *t;
e = (struct ip6t_entry *)(loc_cpu_entry + off);
if (copy_to_user(userptr + off
@@ -1142,7 +1142,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"ip6table_%s", name);
if (t && !IS_ERR(t)) {
struct ip6t_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -1225,7 +1225,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
struct xt_table *t;
struct xt_table_info *oldinfo;
struct xt_counters *counters;
- void *loc_cpu_old_entry;
+ const void *loc_cpu_old_entry;
ret = 0;
counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
@@ -1369,9 +1369,9 @@ do_add_counters(struct net *net, void __user *user, unsigned int len,
int size;
void *ptmp;
struct xt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
struct compat_xt_counters_info compat_tmp;
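Review bot: `const void *loc_cpu_entry;` here disagrees with the ip_tables do_add_counters hunk in this same patch, which deliberately leaves `void *loc_cpu_entry;` non-const. This function presumably adds the user-supplied counters into the entries reached through that pointer, so if the entry-iterate macro casts the const away to perform the write, the qualifier is misleading rather than protective; either drop it to match ip_tables, or make both files const and route the counter update through an explicitly non-const pointer. The rest of the function is outside the hunk.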
@@ -1905,11 +1905,11 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
unsigned int i = 0;
counters = alloc_counters(table);
@@ -1956,7 +1956,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
xt_compat_lock(AF_INET6);
t = xt_find_table_lock(net, AF_INET6, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
ret = compat_table_info(private, &info);
@@ -2155,7 +2155,8 @@ icmp6_match(const struct sk_buff *skb,
unsigned int protoff,
bool *hotdrop)
{
- struct icmp6hdr _icmph, *ic;
+ const struct icmp6hdr *ic;
+ struct icmp6hdr _icmph;
const struct ip6t_icmp *icmpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index a679208..4d74dff 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -58,7 +58,7 @@ static struct xt_af *xt;
#define duprintf(format, args...)
#endif
-static const char *xt_prefix[NPROTO] = {
+static const char *const xt_prefix[NPROTO] = {
[AF_INET] = "ip",
[AF_INET6] = "ip6",
[NF_ARP] = "arp",
@@ -248,7 +248,7 @@ EXPORT_SYMBOL_GPL(xt_request_find_target);
static int match_revfn(int af, const char *name, u8 revision, int *bestp)
{
- struct xt_match *m;
+ const struct xt_match *m;
int have_rev = 0;
list_for_each_entry(m, &xt[af].match, list) {
@@ -264,7 +264,7 @@ static int match_revfn(int af, const char *name, u8 revision, int *bestp)
static int target_revfn(int af, const char *name, u8 revision, int *bestp)
{
- struct xt_target *t;
+ const struct xt_target *t;
int have_rev = 0;
list_for_each_entry(t, &xt[af].target, list) {
@@ -385,7 +385,7 @@ short xt_compat_calc_jump(int af, unsigned int offset)
}
EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
-int xt_compat_match_offset(struct xt_match *match)
+int xt_compat_match_offset(const struct xt_match *match)
{
u_int16_t csize = match->compatsize ? : match->matchsize;
return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
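Review bot: xt_compat_match_offset() is an exported symbol whose prototype is declared in include/linux/netfilter/x_tables.h, so the const added to its parameter here (and to xt_compat_target_offset() in the hunk at -479) has to be mirrored in that header or the definition and declaration will have conflicting types. The header change is not visible in this chunk, so it may well be part of the same patch; this is only a request to confirm. With the declaration in sync the change is both source- and ABI-compatible, since a const qualifier on the pointee does not alter the calling convention.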
@@ -395,7 +395,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_offset);
int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
unsigned int *size)
{
- struct xt_match *match = m->u.kernel.match;
+ const struct xt_match *match = m->u.kernel.match;
struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
int pad, off = xt_compat_match_offset(match);
u_int16_t msize = cm->u.user.match_size;
@@ -422,7 +422,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr,
unsigned int *size)
{
- struct xt_match *match = m->u.kernel.match;
+ const struct xt_match *match = m->u.kernel.match;
struct compat_xt_entry_match __user *cm = *dstptr;
int off = xt_compat_match_offset(match);
u_int16_t msize = m->u.user.match_size - off;
@@ -479,7 +479,7 @@ int xt_check_target(const struct xt_target *target, unsigned short family,
EXPORT_SYMBOL_GPL(xt_check_target);
#ifdef CONFIG_COMPAT
-int xt_compat_target_offset(struct xt_target *target)
+int xt_compat_target_offset(const struct xt_target *target)
{
u_int16_t csize = target->compatsize ? : target->targetsize;
return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
@@ -489,7 +489,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_offset);
void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
unsigned int *size)
{
- struct xt_target *target = t->u.kernel.target;
+ const struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
int pad, off = xt_compat_target_offset(target);
u_int16_t tsize = ct->u.user.target_size;
@@ -515,7 +515,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr,
unsigned int *size)
{
- struct xt_target *target = t->u.kernel.target;
+ const struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target __user *ct = *dstptr;
int off = xt_compat_target_offset(target);
u_int16_t tsize = t->u.user.target_size - off;
* [03/13] [NETFILTER]: annotate rest of nf_conntrack_* with const
From: Jan Engelhardt @ 2008-01-31 23:19 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 0f1f1daf9bfb59d0412512c1cea04a7cee5aa154
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Jan 25 20:52:56 2008 +0100
[NETFILTER]: annotate rest of nf_conntrack_* with const
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 8 ++++----
net/netfilter/nf_conntrack_amanda.c | 2 +-
net/netfilter/nf_conntrack_ftp.c | 5 +++--
net/netfilter/nf_conntrack_helper.c | 2 +-
net/netfilter/nf_conntrack_irc.c | 14 ++++++++------
5 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 2a0d698..d4a42f0 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -103,8 +103,8 @@ struct ctl_table nf_ct_ipv6_sysctl_table[] = {
};
#endif
-static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
- struct in6_addr *daddr)
+static unsigned int ip6qhashfn(__be32 id, const struct in6_addr *saddr,
+ const struct in6_addr *daddr)
{
u32 a, b, c;
@@ -132,7 +132,7 @@ static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
static unsigned int nf_hashfn(struct inet_frag_queue *q)
{
- struct nf_ct_frag6_queue *nq;
+ const struct nf_ct_frag6_queue *nq;
nq = container_of(q, struct nf_ct_frag6_queue, q);
return ip6qhashfn(nq->id, &nq->saddr, &nq->daddr);
@@ -220,7 +220,7 @@ oom:
static int nf_ct_frag6_queue(struct nf_ct_frag6_queue *fq, struct sk_buff *skb,
- struct frag_hdr *fhdr, int nhoff)
+ const struct frag_hdr *fhdr, int nhoff)
{
struct sk_buff *prev, *next;
int offset, end;
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index 7b8239c..572eedf 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -53,7 +53,7 @@ enum amanda_strings {
};
static struct {
- char *string;
+ const char *string;
size_t len;
struct ts_config *ts;
} search[] __read_mostly = {
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 6770baf..e0a2877 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -350,8 +350,9 @@ static int help(struct sk_buff *skb,
enum ip_conntrack_info ctinfo)
{
unsigned int dataoff, datalen;
- struct tcphdr _tcph, *th;
- char *fb_ptr;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
+ const char *fb_ptr;
int ret;
u32 seq;
int dir = CTINFO2DIR(ctinfo);
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index b1fd21c..367e23c 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -125,7 +125,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
{
struct nf_conntrack_tuple_hash *h;
struct nf_conntrack_expect *exp;
- struct hlist_node *n, *next;
+ const struct hlist_node *n, *next;
unsigned int i;
mutex_lock(&nf_ct_helper_mutex);
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index c336b07..37a5ae5 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -50,7 +50,7 @@ MODULE_PARM_DESC(max_dcc_channels, "max number of expected DCC channels per "
module_param(dcc_timeout, uint, 0400);
MODULE_PARM_DESC(dcc_timeout, "timeout on for unestablished DCC channels");
-static const char *dccprotos[] = {
+static const char *const dccprotos[] = {
"SEND ", "CHAT ", "MOVE ", "TSEND ", "SCHAT "
};
@@ -65,7 +65,7 @@ static const char *dccprotos[] = {
* ad_beg_p returns pointer to first byte of addr data
* ad_end_p returns pointer to last byte of addr data
*/
-static int parse_dcc(char *data, char *data_end, u_int32_t *ip,
+static int parse_dcc(char *data, const char *data_end, u_int32_t *ip,
u_int16_t *port, char **ad_beg_p, char **ad_end_p)
{
/* at least 12: "AAAAAAAA P\1\n" */
@@ -93,9 +93,11 @@ static int help(struct sk_buff *skb, unsigned int protoff,
struct nf_conn *ct, enum ip_conntrack_info ctinfo)
{
unsigned int dataoff;
- struct iphdr *iph;
- struct tcphdr _tcph, *th;
- char *data, *data_limit, *ib_ptr;
+ const struct iphdr *iph;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
+ const char *data_limit;
+ char *data, *ib_ptr;
int dir = CTINFO2DIR(ctinfo);
struct nf_conntrack_expect *exp;
struct nf_conntrack_tuple *tuple;
@@ -159,7 +161,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
/* we have at least
* (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
* data left (== 14/13 bytes) */
- if (parse_dcc((char *)data, data_limit, &dcc_ip,
+ if (parse_dcc(data, data_limit, &dcc_ip,
&dcc_port, &addr_beg_p, &addr_end_p)) {
pr_debug("unable to parse dcc command\n");
continue;
* [04/13] [NETFILTER]: annotate rest of nf_nat_* with const
From: Jan Engelhardt @ 2008-01-31 23:19 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 4952444d97d7789f5a15051a62636f57ae41a302
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Jan 25 20:52:56 2008 +0100
[NETFILTER]: annotate rest of nf_nat_* with const
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/ipv4/netfilter/nf_nat_core.c | 8 ++++----
net/ipv4/netfilter/nf_nat_snmp_basic.c | 17 ++++++++---------
net/ipv4/netfilter/nf_nat_standalone.c | 8 ++++----
3 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index dd07362..afdcd8d 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -150,9 +150,9 @@ find_appropriate_src(const struct nf_conntrack_tuple *tuple,
const struct nf_nat_range *range)
{
unsigned int h = hash_by_src(tuple);
- struct nf_conn_nat *nat;
- struct nf_conn *ct;
- struct hlist_node *n;
+ const struct nf_conn_nat *nat;
+ const struct nf_conn *ct;
+ const struct hlist_node *n;
rcu_read_lock();
hlist_for_each_entry_rcu(nat, n, &bysource[h], bysource) {
@@ -426,7 +426,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
struct icmphdr icmp;
struct iphdr ip;
} *inside;
- struct nf_conntrack_l4proto *l4proto;
+ const struct nf_conntrack_l4proto *l4proto;
struct nf_conntrack_tuple inner, target;
int hdrlen = ip_hdrlen(skb);
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 540ce6a..0c695c0 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -219,7 +219,7 @@ static unsigned char asn1_length_decode(struct asn1_ctx *ctx,
if (ch < 0x80)
*len = ch;
else {
- cnt = (unsigned char) (ch & 0x7F);
+ cnt = ch & 0x7F;
*len = 0;
while (cnt > 0) {
@@ -617,8 +617,7 @@ struct snmp_cnv
int syntax;
};
-static struct snmp_cnv snmp_conv [] =
-{
+static const struct snmp_cnv snmp_conv[] = {
{ASN1_UNI, ASN1_NUL, SNMP_NULL},
{ASN1_UNI, ASN1_INT, SNMP_INTEGER},
{ASN1_UNI, ASN1_OTS, SNMP_OCTETSTR},
@@ -643,7 +642,7 @@ static unsigned char snmp_tag_cls2syntax(unsigned int tag,
unsigned int cls,
unsigned short *syntax)
{
- struct snmp_cnv *cnv;
+ const struct snmp_cnv *cnv;
cnv = snmp_conv;
@@ -903,7 +902,7 @@ static inline void mangle_address(unsigned char *begin,
u_int32_t old;
if (debug)
- memcpy(&old, (unsigned char *)addr, sizeof(old));
+ memcpy(&old, addr, sizeof(old));
*addr = map->to;
@@ -998,7 +997,7 @@ err_id_free:
*
*****************************************************************************/
-static void hex_dump(unsigned char *buf, size_t len)
+static void hex_dump(const unsigned char *buf, size_t len)
{
size_t i;
@@ -1079,7 +1078,7 @@ static int snmp_parse_mangle(unsigned char *msg,
if (cls != ASN1_CTX || con != ASN1_CON)
return 0;
if (debug > 1) {
- unsigned char *pdus[] = {
+ static const unsigned char *const pdus[] = {
[SNMP_PDU_GET] = "get",
[SNMP_PDU_NEXT] = "get-next",
[SNMP_PDU_RESPONSE] = "response",
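Review bot: The new `pdus` table is declared as `const unsigned char *const` but every initializer is a string literal of type `char[]`, so each element is a pointer-signedness mismatch that gcc reports under -Wpointer-sign; the old `unsigned char *pdus[]` had the same problem, but since this patch rewrites the declaration it is the moment to fix it. Unless something further down needs the unsigned view, `static const unsigned char *const pdus[] = {` should become `static const char *const pdus[] = {`, which keeps the welcome move from stack to read-only storage. The enclosing function continues outside the hunk.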
@@ -1231,8 +1230,8 @@ static int help(struct sk_buff *skb, unsigned int protoff,
{
int dir = CTINFO2DIR(ctinfo);
unsigned int ret;
- struct iphdr *iph = ip_hdr(skb);
- struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl);
+ const struct iphdr *iph = ip_hdr(skb);
+ const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
/* SNMP replies and originating SNMP traps get mangled */
if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
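Review bot: The new initializer for `udph` still goes through `(__be32 *)iph`, which strips the const that `iph` gains on the line above and is exactly what -Wcast-qual flags; the outer `(struct udphdr *)` cast then gets const back only by assignment. Keeping the qualifier through the arithmetic is one line: `const struct udphdr *udph = (const struct udphdr *)((const __be32 *)iph + iph->ihl);`. If the remainder of help(), which is outside the hunk, needs to write through udph (for example to fix up the checksum after mangling), the pointer should not be const in the first place.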
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 99b2c78..9fba42d 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -30,8 +30,8 @@
#ifdef CONFIG_XFRM
static void nat_decode_session(struct sk_buff *skb, struct flowi *fl)
{
- struct nf_conn *ct;
- struct nf_conntrack_tuple *t;
+ const struct nf_conn *ct;
+ const struct nf_conntrack_tuple *t;
enum ip_conntrack_info ctinfo;
enum ip_conntrack_dir dir;
unsigned long statusbit;
@@ -189,7 +189,7 @@ nf_nat_out(unsigned int hooknum,
int (*okfn)(struct sk_buff *))
{
#ifdef CONFIG_XFRM
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
#endif
unsigned int ret;
@@ -223,7 +223,7 @@ nf_nat_local_fn(unsigned int hooknum,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
unsigned int ret;
* [05/13] [NETFILTER]: xt_sctp: simplify xt_sctp.h
From: Jan Engelhardt @ 2008-01-31 23:19 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit b54fa78b8cc5543b28affd229c0ecb76383c63f1
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Tue Jan 29 16:53:31 2008 +0100
[NETFILTER]: xt_sctp: simplify xt_sctp.h
The use of xt_sctp.h flagged up -Wshadow warnings in userspace, which
prompted me to look at it and clean it up. Basic operations have been
directly replaced by library calls (memcpy and memset are both available
in the kernel and userspace, and usually faster than a self-made
loop). The is_set and is_clear functions now use a processing time
shortcut, too.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/xt_sctp.h | 84 ++++++++++++-----------------
1 files changed, 35 insertions(+), 49 deletions(-)
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
index dd5a4fd..32000ba 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/linux/netfilter/xt_sctp.h
@@ -37,68 +37,54 @@ struct xt_sctp_info {
#define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \
- chunkmap[type / bytes(u_int32_t)] |= \
+ (chunkmap)[type / bytes(u_int32_t)] |= \
1 << (type % bytes(u_int32_t)); \
} while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \
- chunkmap[type / bytes(u_int32_t)] &= \
+ (chunkmap)[type / bytes(u_int32_t)] &= \
~(1 << (type % bytes(u_int32_t))); \
} while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \
- (chunkmap[type / bytes (u_int32_t)] & \
+ ((chunkmap)[type / bytes (u_int32_t)] & \
(1 << (type % bytes (u_int32_t)))) ? 1: 0; \
})
-#define SCTP_CHUNKMAP_RESET(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \
- chunkmap[i] = 0; \
- } while (0)
-
-#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \
- chunkmap[i] = ~0; \
- } while (0)
-
-#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
- do { \
- int i; \
- for (i = 0; i < ARRAY_SIZE(srcmap); i++) \
- destmap[i] = srcmap[i]; \
- } while (0)
-
-#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \
- if (chunkmap[i]) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
-
-#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \
- if (chunkmap[i] != ~0) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
+#define SCTP_CHUNKMAP_RESET(chunkmap) \
+ memset((chunkmap), 0, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
+ memset((chunkmap), ~0U, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
+ memcpy((destmap), (srcmap), sizeof(srcmap))
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
+ __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_clear(const u_int32_t *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i])
+ return false;
+ return true;
+}
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
+ __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_all_set(const u_int32_t *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i] != ~0U)
+ return false;
+ return true;
+}
#endif /* _XT_SCTP_H_ */
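Review bot: SCTP_CHUNKMAP_SET, SCTP_CHUNKMAP_CLEAR and SCTP_CHUNKMAP_IS_SET now parenthesize `chunkmap` but still use `type` bare in `type / bytes(u_int32_t)` and `type % bytes(u_int32_t)`, so an argument such as `i + 1` is mis-grouped; while these lines are being touched it is worth writing `(type)` there and using `1U <<` in the three shift expressions, since `1 << 31` on an int is a signed left-shift overflow. In SCTP_CHUNKMAP_SET_ALL the fill value `~0U` is truncated by memset to 0xff, which gives the intended all-ones map, but `0xff` states that directly. The two new `static inline bool` helpers, `true`/`false` and the `__`-prefixed names sit in a header the description says userspace also compiles, so if this region is exported a stdbool.h include (or an `int` return) is needed and the double-underscore names are reserved identifiers outside the kernel. Finally, replacing ARRAY_SIZE() with `sizeof(chunkmap)`/`sizeof(srcmap)` drops the compile-time check that the argument is an array, so passing a pointer now silently sets or copies only sizeof(pointer) bytes instead of failing to build.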
* [06/13] [NETFILTER]: xt_hashlimit: remove unneeded struct member
From: Jan Engelhardt @ 2008-01-31 23:20 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 85607a1a0c8007872b68ec08e2f3b6a0e2998eef
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Tue Jan 29 16:30:58 2008 +0100
[NETFILTER]: xt_hashlimit: remove unneeded struct member
By allocating ->hinfo, we already have the needed indirection to cope
with the per-cpu xtables struct match_entry.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/xt_hashlimit.h | 1 -
net/netfilter/xt_hashlimit.c | 3 ---
2 files changed, 0 insertions(+), 4 deletions(-)
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index 58b818e..51b18d8 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -61,7 +61,6 @@ struct xt_hashlimit_mtinfo1 {
/* Used internally by the kernel */
struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
- struct xt_hashlimit_mtinfo1 *master __attribute__((aligned(8)));
};
#endif /*_XT_HASHLIMIT_H*/
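Review bot: Dropping `master` from struct xt_hashlimit_mtinfo1 shrinks the structure that iptables passes to the kernel as match data, and the kernel compares that size against the match's registered matchsize; if revision 1 of this match has already shipped in a released kernel or iptables, binaries built against the previous header will be rejected with a size mismatch. If revision 1 is still unreleased the change is fine, but one sentence saying so in the description would save the next reader that check. Presumably the `__attribute__((aligned(8)))` on `hinfo` is what keeps the layout identical between 32-bit and 64-bit userspace, so nothing else in the struct should move.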
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 54aaf5b..c860a17 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -772,9 +772,6 @@ hashlimit_mt_check(const char *tablename, const void *inf,
return false;
}
mutex_unlock(&hlimit_mutex);
-
- /* Ugly hack: For SMP, we only want to use one set */
- info->master = info;
return true;
}
* [07/13] [NETFILTER]: Use unsigned types for hooknum and pf vars
From: Jan Engelhardt @ 2008-01-31 23:20 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 444bdc9c80a05b24e8293e96b08d53d93d344029
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sat Jan 26 21:41:28 2008 +0100
[NETFILTER]: Use unsigned types for hooknum and pf vars
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter.h | 54 ++++++++-------
include/linux/netfilter/x_tables.h | 2 +-
include/net/netfilter/nf_conntrack_core.h | 2 +-
include/net/netfilter/nf_conntrack_expect.h | 2 +-
include/net/netfilter/nf_conntrack_l4proto.h | 4 +-
include/net/netfilter/nf_log.h | 6 +-
include/net/netfilter/nf_queue.h | 6 +-
net/bridge/br_netfilter.c | 4 +-
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 5 +-
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 5 +-
net/netfilter/core.c | 4 +-
net/netfilter/nf_conntrack_amanda.c | 2 +-
net/netfilter/nf_conntrack_core.c | 2 +-
net/netfilter/nf_conntrack_expect.c | 2 +-
net/netfilter/nf_conntrack_h323_main.c | 7 +-
net/netfilter/nf_conntrack_proto_generic.c | 2 +-
net/netfilter/nf_conntrack_proto_gre.c | 2 +-
net/netfilter/nf_conntrack_proto_sctp.c | 2 +-
net/netfilter/nf_conntrack_proto_tcp.c | 6 +-
net/netfilter/nf_conntrack_proto_udp.c | 4 +-
net/netfilter/nf_conntrack_proto_udplite.c | 4 +-
net/netfilter/nf_conntrack_sane.c | 2 +-
net/netfilter/nf_conntrack_sip.c | 6 +-
net/netfilter/nf_conntrack_tftp.c | 2 +-
net/netfilter/nf_internals.h | 4 +-
net/netfilter/nf_log.c | 6 +-
net/netfilter/nf_queue.c | 12 ++--
net/netfilter/nf_sockopt.c | 15 ++--
net/netfilter/x_tables.c | 10 ++-
29 files changed, 98 insertions(+), 86 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index d74e79b..51bac95 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -82,8 +82,8 @@ struct nf_hook_ops
/* User fills in from here down. */
nf_hookfn *hook;
struct module *owner;
- int pf;
- int hooknum;
+ unsigned int pf;
+ unsigned int hooknum;
/* Hooks are ordered in ascending priority. */
int priority;
};
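Review bot: Making `pf` and `hooknum` unsigned here (and in nf_sockopt_ops, nf_queue_entry, xt_table and the function prototypes in the following hunks) turns any existing lower-bound check such as `pf < 0` on these values into an always-false comparison that gcc reports under -Wtype-limits, so the upper-bound check against NPROTO or NF_MAX_HOOKS becomes the only guard wherever they index nf_hooks[]. Those checks live in the .c files and are largely outside this chunk, so they deserve a pass in the same series. A caller that previously passed -1 or an error code as a family through one of these parameters would now produce a very large index rather than a negative one, so it is worth confirming none exist.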
@@ -92,7 +92,7 @@ struct nf_sockopt_ops
{
struct list_head list;
- int pf;
+ unsigned int pf;
/* Non-inclusive ranges: use 0/0/NULL to never get called. */
int set_optmin;
@@ -130,7 +130,7 @@ extern struct ctl_path nf_net_ipv4_netfilter_sysctl_path[];
extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
-int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
+int nf_hook_slow(unsigned int pf, unsigned int hook, struct sk_buff *skb,
struct net_device *indev, struct net_device *outdev,
int (*okfn)(struct sk_buff *), int thresh);
@@ -141,12 +141,10 @@ int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
* okfn must be invoked by the caller in this case. Any other return
* value indicates the packet has been consumed by the hook.
*/
-static inline int nf_hook_thresh(int pf, unsigned int hook,
- struct sk_buff *skb,
- struct net_device *indev,
- struct net_device *outdev,
- int (*okfn)(struct sk_buff *), int thresh,
- int cond)
+static inline int
+nf_hook_thresh(unsigned int pf, unsigned int hook, struct sk_buff *skb,
+ struct net_device *indev, struct net_device *outdev,
+ int (*okfn)(struct sk_buff *), int thresh, int cond)
{
if (!cond)
return 1;
@@ -157,9 +155,10 @@ static inline int nf_hook_thresh(int pf, unsigned int hook,
return nf_hook_slow(pf, hook, skb, indev, outdev, okfn, thresh);
}
-static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb,
- struct net_device *indev, struct net_device *outdev,
- int (*okfn)(struct sk_buff *))
+static inline int
+nf_hook(unsigned int pf, unsigned int hook, struct sk_buff *skb,
+ struct net_device *indev, struct net_device *outdev,
+ int (*okfn)(struct sk_buff *))
{
return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN, 1);
}
@@ -202,14 +201,14 @@ __ret;})
NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN)
/* Call setsockopt() */
-int nf_setsockopt(struct sock *sk, int pf, int optval, char __user *opt,
- int len);
-int nf_getsockopt(struct sock *sk, int pf, int optval, char __user *opt,
- int *len);
+int nf_setsockopt(struct sock *sk, unsigned int pf, int optval,
+ char __user *opt, int len);
+int nf_getsockopt(struct sock *sk, unsigned int pf, int optval,
+ char __user *opt, int *len);
-int compat_nf_setsockopt(struct sock *sk, int pf, int optval,
+int compat_nf_setsockopt(struct sock *sk, unsigned int pf, int optval,
char __user *opt, int len);
-int compat_nf_getsockopt(struct sock *sk, int pf, int optval,
+int compat_nf_getsockopt(struct sock *sk, unsigned int pf, int optval,
char __user *opt, int *len);
/* Call this before modifying an existing packet: ensures it is
@@ -260,7 +259,8 @@ extern void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
static inline void
-nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family)
+nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl,
+ unsigned int family)
{
#ifdef CONFIG_NF_NAT_NEEDED
void (*decodefn)(struct sk_buff *, struct flowi *);
@@ -283,7 +283,7 @@ extern struct proc_dir_entry *proc_net_netfilter;
#else /* !CONFIG_NETFILTER */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
-static inline int nf_hook_thresh(int pf, unsigned int hook,
+static inline int nf_hook_thresh(unsigned int pf, unsigned int hook,
struct sk_buff *skb,
struct net_device *indev,
struct net_device *outdev,
@@ -292,15 +292,19 @@ static inline int nf_hook_thresh(int pf, unsigned int hook,
{
return okfn(skb);
}
-static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb,
- struct net_device *indev, struct net_device *outdev,
- int (*okfn)(struct sk_buff *))
+static inline int
+nf_hook(unsigned int pf, unsigned int hook, struct sk_buff *skb,
+ struct net_device *indev, struct net_device *outdev,
+ int (*okfn)(struct sk_buff *))
{
return 1;
}
struct flowi;
static inline void
-nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family) {}
+nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl,
+ unsigned int family)
+{
+}
#endif /*CONFIG_NETFILTER*/
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 2326296..f0aecd7 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -292,7 +292,7 @@ struct xt_table
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
- int af; /* address/protocol family */
+ unsigned int af; /* address/protocol family */
};
#include <linux/netfilter_ipv4.h>
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 9ee2646..74d7a01 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -20,7 +20,7 @@
/* This header is used to share core functionality between the
standalone connection tracking module, and the compatibility layer's use
of connection tracking. */
-extern unsigned int nf_conntrack_in(int pf,
+extern unsigned int nf_conntrack_in(unsigned int pf,
unsigned int hooknum,
struct sk_buff *skb);
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index cb608a1..aaf20c0 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -74,7 +74,7 @@ void nf_ct_unexpect_related(struct nf_conntrack_expect *exp);
/* Allocate space for an expectation: this is mandatory before calling
nf_ct_expect_related. You will have to call put afterwards. */
struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me);
-void nf_ct_expect_init(struct nf_conntrack_expect *, int,
+void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int,
union nf_inet_addr *,
union nf_inet_addr *,
u_int8_t, __be16 *, __be16 *);
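Review bot: The prototype of nf_ct_expect_init() is rewritten without parameter names, so a reader of the header cannot tell what the new `unsigned int` is (presumably the address family); since this line is being changed anyway, naming the parameters, e.g. `unsigned int family`, would make the declaration self-documenting and let it match the definition. The definition and its callers are outside this chunk.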
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index efc16ec..1d2f8fd 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -40,7 +40,7 @@ struct nf_conntrack_l4proto
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum);
/* Called when a new connection for this protocol found;
@@ -53,7 +53,7 @@ struct nf_conntrack_l4proto
int (*error)(struct sk_buff *skb, unsigned int dataoff,
enum ip_conntrack_info *ctinfo,
- int pf, unsigned int hooknum);
+ unsigned int pf, unsigned int hooknum);
/* Print out the per-protocol part of the tuple. Return like seq_* */
int (*print_tuple)(struct seq_file *s,
diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 8c6b5ae..0c910de 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -43,12 +43,12 @@ struct nf_logger {
};
/* Function to register/unregister log function. */
-int nf_log_register(int pf, const struct nf_logger *logger);
+int nf_log_register(unsigned int pf, const struct nf_logger *logger);
void nf_log_unregister(const struct nf_logger *logger);
-void nf_log_unregister_pf(int pf);
+void nf_log_unregister_pf(unsigned int pf);
/* Calls the registered backend logging function */
-void nf_log_packet(int pf,
+void nf_log_packet(unsigned int pf,
unsigned int hooknum,
const struct sk_buff *skb,
const struct net_device *in,
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index d030044..00497f0 100644
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -8,7 +8,7 @@ struct nf_queue_entry {
unsigned int id;
struct nf_hook_ops *elem;
- int pf;
+ unsigned int pf;
unsigned int hook;
struct net_device *indev;
struct net_device *outdev;
@@ -24,9 +24,9 @@ struct nf_queue_handler {
char *name;
};
-extern int nf_register_queue_handler(int pf,
+extern int nf_register_queue_handler(unsigned int pf,
const struct nf_queue_handler *qh);
-extern int nf_unregister_queue_handler(int pf,
+extern int nf_unregister_queue_handler(unsigned int pf,
const struct nf_queue_handler *qh);
extern void nf_unregister_queue_handlers(const struct nf_queue_handler *qh);
extern void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict);
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 1c0efd8..b36b294 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -649,7 +649,7 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
{
struct nf_bridge_info *nf_bridge;
struct net_device *parent;
- int pf;
+ unsigned int pf;
if (!skb->nf_bridge)
return NF_ACCEPT;
@@ -783,7 +783,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
{
struct nf_bridge_info *nf_bridge = skb->nf_bridge;
struct net_device *realoutdev = bridge_parent(skb->dev);
- int pf;
+ unsigned int pf;
#ifdef CONFIG_NETFILTER_DEBUG
/* Be very paranoid. This probably won't happen anymore, but let's
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 6873fdd..999f305 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -80,7 +80,7 @@ static int icmp_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
/* Try to delete connection immediately after all replies:
@@ -175,7 +175,8 @@ icmp_error_message(struct sk_buff *skb,
/* Small and modified version of icmp_rcv */
static int
icmp_error(struct sk_buff *skb, unsigned int dataoff,
- enum ip_conntrack_info *ctinfo, int pf, unsigned int hooknum)
+ enum ip_conntrack_info *ctinfo, unsigned int pf,
+ unsigned int hooknum)
{
const struct icmphdr *icmph;
struct icmphdr _ih;
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 0897d0f..a7551ad 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -81,7 +81,7 @@ static int icmpv6_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
/* Try to delete connection immediately after all replies:
@@ -175,7 +175,8 @@ icmpv6_error_message(struct sk_buff *skb,
static int
icmpv6_error(struct sk_buff *skb, unsigned int dataoff,
- enum ip_conntrack_info *ctinfo, int pf, unsigned int hooknum)
+ enum ip_conntrack_info *ctinfo, unsigned int pf,
+ unsigned int hooknum)
{
const struct icmp6hdr *icmp6h;
struct icmp6hdr _ih;
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index c4065b8..9a77bf0 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -113,7 +113,7 @@ EXPORT_SYMBOL(nf_unregister_hooks);
unsigned int nf_iterate(struct list_head *head,
struct sk_buff *skb,
- int hook,
+ unsigned int hook,
const struct net_device *indev,
const struct net_device *outdev,
struct list_head **i,
@@ -155,7 +155,7 @@ unsigned int nf_iterate(struct list_head *head,
/* Returns 1 if okfn() needs to be executed by the caller,
* -EPERM for NF_DROP, 0 otherwise. */
-int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
+int nf_hook_slow(unsigned int pf, unsigned int hook, struct sk_buff *skb,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index 572eedf..2118330 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -91,7 +91,7 @@ static int amanda_help(struct sk_buff *skb,
char pbuf[sizeof("65535")], *tmp;
u_int16_t len;
__be16 port;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
int ret = NF_ACCEPT;
typeof(nf_nat_amanda_hook) nf_nat_amanda;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 327e847..3d45e18 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -656,7 +656,7 @@ resolve_normal_ct(struct sk_buff *skb,
}
unsigned int
-nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff *skb)
+nf_conntrack_in(unsigned int pf, unsigned int hooknum, struct sk_buff *skb)
{
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index e06bf00..1d09ca3 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -228,7 +228,7 @@ struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me)
}
EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
-void nf_ct_expect_init(struct nf_conntrack_expect *exp, int family,
+void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int family,
union nf_inet_addr *saddr,
union nf_inet_addr *daddr,
u_int8_t proto, __be16 *src, __be16 *dst)
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 6213787..293826a 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -218,7 +218,7 @@ static int get_h245_addr(struct nf_conn *ct, const unsigned char *data,
union nf_inet_addr *addr, __be16 *port)
{
const unsigned char *p;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
int len;
if (taddr->choice != eH245_TransportAddress_unicastAddress)
@@ -627,7 +627,7 @@ int get_h225_addr(struct nf_conn *ct, unsigned char *data,
union nf_inet_addr *addr, __be16 *port)
{
const unsigned char *p;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
int len;
switch (taddr->choice) {
@@ -706,7 +706,8 @@ static int expect_h245(struct sk_buff *skb, struct nf_conn *ct,
/* If the calling party is on the same side of the forward-to party,
* we don't need to track the second call */
static int callforward_do_filter(const union nf_inet_addr *src,
- const union nf_inet_addr *dst, int family)
+ const union nf_inet_addr *dst,
+ unsigned int family)
{
const struct nf_afinfo *afinfo;
struct flowi fl1, fl2;
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 5545891..6470194 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -45,7 +45,7 @@ static int packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_generic_timeout);
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index e10024a..e85096e 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -216,7 +216,7 @@ static int gre_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
/* If we've seen traffic both ways, this is a GRE connection.
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index f9a0837..d61f83e 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -287,7 +287,7 @@ static int sctp_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
enum sctp_conntrack new_state, old_state;
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 3e0ccca..db9e7fa 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -485,7 +485,7 @@ static int tcp_in_window(const struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
const struct tcphdr *tcph,
- int pf)
+ unsigned int pf)
{
struct ip_ct_tcp_state *sender = &state->seen[dir];
struct ip_ct_tcp_state *receiver = &state->seen[!dir];
@@ -744,7 +744,7 @@ static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] =
static int tcp_error(struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info *ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
const struct tcphdr *th;
@@ -799,7 +799,7 @@ static int tcp_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
struct nf_conntrack_tuple *tuple;
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index b8a35cc..f86aba3 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -66,7 +66,7 @@ static int udp_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
/* If we've seen traffic both ways, this is some kind of UDP
@@ -91,7 +91,7 @@ static int udp_new(struct nf_conn *ct, const struct sk_buff *skb,
static int udp_error(struct sk_buff *skb, unsigned int dataoff,
enum ip_conntrack_info *ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
unsigned int udplen = skb->len - dataoff;
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 9dd03c7..2bf4cf0 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -65,7 +65,7 @@ static int udplite_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
/* If we've seen traffic both ways, this is some kind of UDP
@@ -91,7 +91,7 @@ static int udplite_new(struct nf_conn *ct, const struct sk_buff *skb,
static int udplite_error(struct sk_buff *skb, unsigned int dataoff,
enum ip_conntrack_info *ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
unsigned int udplen = skb->len - dataoff;
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c
index a70051d..1e7e8a1 100644
--- a/net/netfilter/nf_conntrack_sane.c
+++ b/net/netfilter/nf_conntrack_sane.c
@@ -72,7 +72,7 @@ static int help(struct sk_buff *skb,
struct nf_conntrack_tuple *tuple;
struct sane_request *req;
struct sane_reply_net_start *reply;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
ct_sane_info = &nfct_help(ct)->help.ct_sane_info;
/* Until there's been traffic both ways, don't look in packets. */
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index c521c89..402fb77 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -251,7 +251,7 @@ static int parse_addr(const struct nf_conn *ct, const char *cp,
const char *limit)
{
const char *end;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
int ret = 0;
switch (family) {
@@ -373,7 +373,7 @@ static int set_expected_rtp(struct sk_buff *skb,
{
struct nf_conntrack_expect *exp;
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
- int family = ct->tuplehash[!dir].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[!dir].tuple.src.l3num;
int ret;
typeof(nf_nat_sdp_hook) nf_nat_sdp;
@@ -403,7 +403,7 @@ static int sip_help(struct sk_buff *skb,
struct nf_conn *ct,
enum ip_conntrack_info ctinfo)
{
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
union nf_inet_addr addr;
unsigned int dataoff, datalen;
const char *dptr;
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index bd2e800..572c0f9 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -44,7 +44,7 @@ static int tftp_help(struct sk_buff *skb,
struct nf_conntrack_expect *exp;
struct nf_conntrack_tuple *tuple;
unsigned int ret = NF_ACCEPT;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
typeof(nf_nat_tftp_hook) nf_nat_tftp;
tfh = skb_header_pointer(skb, protoff + sizeof(struct udphdr),
diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h
index 196269c..0c3fcd6 100644
--- a/net/netfilter/nf_internals.h
+++ b/net/netfilter/nf_internals.h
@@ -15,7 +15,7 @@
/* core.c */
extern unsigned int nf_iterate(struct list_head *head,
struct sk_buff *skb,
- int hook,
+ unsigned int hook,
const struct net_device *indev,
const struct net_device *outdev,
struct list_head **i,
@@ -25,7 +25,7 @@ extern unsigned int nf_iterate(struct list_head *head,
/* nf_queue.c */
extern int nf_queue(struct sk_buff *skb,
struct list_head *elem,
- int pf, unsigned int hook,
+ unsigned int pf, unsigned int hook,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index cec9976..f1e858b 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -20,7 +20,7 @@ static DEFINE_MUTEX(nf_log_mutex);
/* return EBUSY if somebody else is registered, EEXIST if the same logger
* is registred, 0 on success. */
-int nf_log_register(int pf, const struct nf_logger *logger)
+int nf_log_register(unsigned int pf, const struct nf_logger *logger)
{
int ret;
@@ -45,7 +45,7 @@ int nf_log_register(int pf, const struct nf_logger *logger)
}
EXPORT_SYMBOL(nf_log_register);
-void nf_log_unregister_pf(int pf)
+void nf_log_unregister_pf(unsigned int pf)
{
if (pf >= NPROTO)
return;
@@ -73,7 +73,7 @@ void nf_log_unregister(const struct nf_logger *logger)
}
EXPORT_SYMBOL(nf_log_unregister);
-void nf_log_packet(int pf,
+void nf_log_packet(unsigned int pf,
unsigned int hooknum,
const struct sk_buff *skb,
const struct net_device *in,
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index bfc2928..1be152e 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -22,7 +22,8 @@ static DEFINE_MUTEX(queue_handler_mutex);
/* return EBUSY when somebody else is registered, return EEXIST if the
* same handler is registered, return 0 in case of success. */
-int nf_register_queue_handler(int pf, const struct nf_queue_handler *qh)
+int nf_register_queue_handler(unsigned int pf,
+ const struct nf_queue_handler *qh)
{
int ret;
@@ -45,7 +46,8 @@ int nf_register_queue_handler(int pf, const struct nf_queue_handler *qh)
EXPORT_SYMBOL(nf_register_queue_handler);
/* The caller must flush their queue before this */
-int nf_unregister_queue_handler(int pf, const struct nf_queue_handler *qh)
+int nf_unregister_queue_handler(unsigned int pf,
+ const struct nf_queue_handler *qh)
{
if (pf >= NPROTO)
return -EINVAL;
@@ -67,7 +69,7 @@ EXPORT_SYMBOL(nf_unregister_queue_handler);
void nf_unregister_queue_handlers(const struct nf_queue_handler *qh)
{
- int pf;
+ unsigned int pf;
mutex_lock(&queue_handler_mutex);
for (pf = 0; pf < NPROTO; pf++) {
@@ -107,7 +109,7 @@ static void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
*/
static int __nf_queue(struct sk_buff *skb,
struct list_head *elem,
- int pf, unsigned int hook,
+ unsigned int pf, unsigned int hook,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
@@ -191,7 +193,7 @@ err:
int nf_queue(struct sk_buff *skb,
struct list_head *elem,
- int pf, unsigned int hook,
+ unsigned int pf, unsigned int hook,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index 3dd4b3c..170521d 100644
--- a/net/netfilter/nf_sockopt.c
+++ b/net/netfilter/nf_sockopt.c
@@ -60,7 +60,7 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg)
}
EXPORT_SYMBOL(nf_unregister_sockopt);
-static struct nf_sockopt_ops *nf_sockopt_find(struct sock *sk, int pf,
+static struct nf_sockopt_ops *nf_sockopt_find(struct sock *sk, unsigned int pf,
int val, int get)
{
struct nf_sockopt_ops *ops;
@@ -96,7 +96,7 @@ out:
}
/* Call get/setsockopt() */
-static int nf_sockopt(struct sock *sk, int pf, int val,
+static int nf_sockopt(struct sock *sk, unsigned int pf, int val,
char __user *opt, int *len, int get)
{
struct nf_sockopt_ops *ops;
@@ -115,21 +115,22 @@ static int nf_sockopt(struct sock *sk, int pf, int val,
return ret;
}
-int nf_setsockopt(struct sock *sk, int pf, int val, char __user *opt,
+int nf_setsockopt(struct sock *sk, unsigned int pf, int val, char __user *opt,
int len)
{
return nf_sockopt(sk, pf, val, opt, &len, 0);
}
EXPORT_SYMBOL(nf_setsockopt);
-int nf_getsockopt(struct sock *sk, int pf, int val, char __user *opt, int *len)
+int nf_getsockopt(struct sock *sk, unsigned int pf, int val,
+ char __user *opt, int *len)
{
return nf_sockopt(sk, pf, val, opt, len, 1);
}
EXPORT_SYMBOL(nf_getsockopt);
#ifdef CONFIG_COMPAT
-static int compat_nf_sockopt(struct sock *sk, int pf, int val,
+static int compat_nf_sockopt(struct sock *sk, unsigned int pf, int val,
char __user *opt, int *len, int get)
{
struct nf_sockopt_ops *ops;
@@ -155,14 +156,14 @@ static int compat_nf_sockopt(struct sock *sk, int pf, int val,
return ret;
}
-int compat_nf_setsockopt(struct sock *sk, int pf,
+int compat_nf_setsockopt(struct sock *sk, unsigned int pf,
int val, char __user *opt, int len)
{
return compat_nf_sockopt(sk, pf, val, opt, &len, 0);
}
EXPORT_SYMBOL(compat_nf_setsockopt);
-int compat_nf_getsockopt(struct sock *sk, int pf,
+int compat_nf_getsockopt(struct sock *sk, unsigned int pf,
int val, char __user *opt, int *len)
{
return compat_nf_sockopt(sk, pf, val, opt, len, 1);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 4d74dff..763db11 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -68,7 +68,8 @@ static const char *const xt_prefix[NPROTO] = {
int
xt_register_target(struct xt_target *target)
{
- int ret, af = target->family;
+ unsigned int af = target->family;
+ int ret;
ret = mutex_lock_interruptible(&xt[af].mutex);
if (ret != 0)
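Review bot: `af` is now unsigned but still indexes `xt[af]` on the following line with no bound against NPROTO, so the type change by itself does not turn an out-of-range family into a rejected registration. A guard such as `if (af >= NPROTO) return -EINVAL;` before the `mutex_lock_interruptible()` would make the intent of the unsigned conversion explicit for one compare. The family value comes from in-kernel `xt_target` definitions rather than from userspace, so this is defensive hardening rather than a reachable bug; xt_register_target's body continues outside the hunk.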
@@ -82,7 +83,7 @@ EXPORT_SYMBOL(xt_register_target);
void
xt_unregister_target(struct xt_target *target)
{
- int af = target->family;
+ unsigned int af = target->family;
mutex_lock(&xt[af].mutex);
list_del(&target->list);
@@ -123,7 +124,8 @@ EXPORT_SYMBOL(xt_unregister_targets);
int
xt_register_match(struct xt_match *match)
{
- int ret, af = match->family;
+ unsigned int af = match->family;
+ int ret;
ret = mutex_lock_interruptible(&xt[af].mutex);
if (ret != 0)
@@ -139,7 +141,7 @@ EXPORT_SYMBOL(xt_register_match);
void
xt_unregister_match(struct xt_match *match)
{
- int af = match->family;
+ unsigned int af = match->family;
mutex_lock(&xt[af].mutex);
list_del(&match->list);
* [08/13] [NETFILTER]: ebtables: add ebt_ip6 match
From: Jan Engelhardt @ 2008-01-31 23:20 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 860c9b7d78d73515e4c3b938e7fc1f78ca21edf8
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sun Jan 27 18:17:55 2008 +0100
[NETFILTER]: ebtables: add ebt_ip6 match
Allows to match the basic IPv6 header from within ebtables, much like
there is ebt_ip for IPv4.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter_bridge/ebt_ip6.h | 21 ++++++
net/bridge/netfilter/Kconfig | 7 ++
net/bridge/netfilter/Makefile | 1 +
net/bridge/netfilter/ebt_ip6.c | 79 ++++++++++++++++++++++
4 files changed, 108 insertions(+), 0 deletions(-)
create mode 100644 include/linux/netfilter_bridge/ebt_ip6.h
create mode 100644 net/bridge/netfilter/ebt_ip6.c
diff --git a/include/linux/netfilter_bridge/ebt_ip6.h b/include/linux/netfilter_bridge/ebt_ip6.h
new file mode 100644
index 0000000..76afe72
--- /dev/null
+++ b/include/linux/netfilter_bridge/ebt_ip6.h
@@ -0,0 +1,21 @@
+#ifndef _LINUX_NETFILTER_BRIDGE_EBT_IP6_H
+#define _LINUX_NETFILTER_BRIDGE_EBT_IP6_H 1
+
+enum {
+ EBT_IP6_SRCADDR = 1 << 0,
+ EBT_IP6_DSTADDR = 1 << 1,
+ EBT_IP6_TFCLASS = 1 << 2,
+ EBT_IP6_FLOWLBL = 1 << 3,
+ EBT_IP6_NEXTHDR = 1 << 4,
+ EBT_IP6_HOPLIMIT = 1 << 5,
+};
+
+struct ebt_ip6_mtinfo {
+ struct in6_addr src, dst;
+ uint32_t flow_label;
+ uint8_t tf_class, nexthdr, hop_limit;
+
+ uint8_t match_flags, invert_flags;
+};
+
+#endif /* _LINUX_NETFILTER_BRIDGE_EBT_IP6ADDR_H */
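Review bot: The closing guard comment on the last line of the hunk names `_LINUX_NETFILTER_BRIDGE_EBT_IP6ADDR_H`, while the guard actually defined on the first line is `_LINUX_NETFILTER_BRIDGE_EBT_IP6_H`; it should read `#endif /* _LINUX_NETFILTER_BRIDGE_EBT_IP6_H */`. The header also uses `struct in6_addr` and `uint32_t`/`uint8_t` without including anything, so it only compiles when the includer has already pulled those types in; if this is meant to be consumed by userspace ebtables as well, `#include <linux/types.h>` and `<linux/in6.h>` would make it self-contained, worth confirming against how ebt_ip.h in this tree handles it.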
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 4a3e2bf..f42db30 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -83,6 +83,13 @@ config BRIDGE_EBT_IP
To compile it as a module, choose M here. If unsure, say N.
+config BRIDGE_EBT_IP6
+ tristate 'ebt: "ip6" IPv6 match support'
+ depends on BRIDGE_NF_EBTABLES
+ ---help---
+ This option adds the "ip6" match which allows basic IPv6 header
+ field examination.
+
config BRIDGE_EBT_LIMIT
tristate "ebt: limit match support"
depends on BRIDGE_NF_EBTABLES
diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
index 905087e..0d8fb54 100644
--- a/net/bridge/netfilter/Makefile
+++ b/net/bridge/netfilter/Makefile
@@ -14,6 +14,7 @@ obj-$(CONFIG_BRIDGE_EBT_802_3) += ebt_802_3.o
obj-$(CONFIG_BRIDGE_EBT_AMONG) += ebt_among.o
obj-$(CONFIG_BRIDGE_EBT_ARP) += ebt_arp.o
obj-$(CONFIG_BRIDGE_EBT_IP) += ebt_ip.o
+obj-$(CONFIG_BRIDGE_EBT_IP6) += ebt_ip6.o
obj-$(CONFIG_BRIDGE_EBT_LIMIT) += ebt_limit.o
obj-$(CONFIG_BRIDGE_EBT_MARK) += ebt_mark_m.o
obj-$(CONFIG_BRIDGE_EBT_PKTTYPE) += ebt_pkttype.o
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
new file mode 100644
index 0000000..5d6065c
--- /dev/null
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -0,0 +1,79 @@
+#include <linux/ipv6.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/types.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_bridge/ebtables.h>
+#include <linux/netfilter_bridge/ebt_ip6.h>
+#include <net/dsfield.h>
+#include <net/ipv6.h>
+
+static inline uint32_t ipv6_get_flowlbl(const struct ipv6hdr *iph)
+{
+ return ((iph->flow_lbl[0] << 16) | (iph->flow_lbl[2] << 8) |
+ iph->flow_lbl[2]) & 0xFFFFF;
+}
+
+static int ebt_ip6_mt(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const void *matchinfo, unsigned int data_len)
+{
+ const struct ebt_ip6_mtinfo *info = matchinfo;
+ const struct ipv6hdr *iph;
+ struct ipv6hdr iphbuf;
+
+ iph = skb_header_pointer(skb, 0, sizeof(iphbuf), &iphbuf);
+ if (iph == NULL)
+ return EBT_NOMATCH;
+
+ if ((info->match_flags & EBT_IP6_TFCLASS) &&
+ (ipv6_get_dsfield(iph) != info->tf_class) ^
+ !!(info->invert_flags & EBT_IP6_TFCLASS))
+ return EBT_NOMATCH;
+
+ if ((info->match_flags & EBT_IP6_FLOWLBL) &&
+ (ipv6_get_flowlbl(iph) != info->flow_label) ^
+ !!(info->invert_flags & EBT_IP6_FLOWLBL))
+ return EBT_NOMATCH;
+
+ if ((info->match_flags & EBT_IP6_NEXTHDR) &&
+ (iph->nexthdr != info->nexthdr) ^
+ !!(info->invert_flags & EBT_IP6_NEXTHDR))
+ return EBT_NOMATCH;
+
+ if ((info->match_flags & EBT_IP6_HOPLIMIT) &&
+ (iph->hop_limit != info->hop_limit) ^
+ !!(info->invert_flags & EBT_IP6_HOPLIMIT))
+ return EBT_NOMATCH;
+
+ if ((info->match_flags & EBT_IP6_SRCADDR) &&
+ (ipv6_addr_cmp(&iph->saddr, &info->src) != 0) ^
+ !!(info->invert_flags & EBT_IP6_SRCADDR))
+ return EBT_NOMATCH;
+
+ if ((info->match_flags & EBT_IP6_DSTADDR) &&
+ (ipv6_addr_cmp(&iph->daddr, &info->dst) != 0) ^
+ !!(info->invert_flags & EBT_IP6_DSTADDR))
+ return EBT_NOMATCH;
+
+ return EBT_MATCH;
+}
+
+static struct ebt_match ebt_ip6_mt_reg = {
+ .name = "ip6",
+ .match = ebt_ip6_mt,
+ .me = THIS_MODULE,
+};
+
+static int __init ebt_ip6_mt_init(void)
+{
+ return ebt_register_match(&ebt_ip6_mt_reg);
+}
+
+static void __exit ebt_ip6_mt_exit(void)
+{
+ ebt_unregister_match(&ebt_ip6_mt_reg);
+}
+
+module_init(ebt_ip6_mt_init);
+module_exit(ebt_ip6_mt_exit);
+MODULE_LICENSE("GPL");
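Review bot: `ebt_ip6_mt_reg` registers no `.check` callback, so unlike ebt_ip nothing validates the user-supplied match at table-load time: `data_len` is never compared against `EBT_ALIGN(sizeof(struct ebt_ip6_mtinfo))`, so a rule with a short match_size lets `ebt_ip6_mt` read `info->` fields past the end of the copied-in entry, and nothing ties the rule to `ETH_P_IPV6`, so the match runs on arbitrary frames whose first 40 bytes are then interpreted as an IPv6 header. Unknown bits in `match_flags`/`invert_flags` are likewise accepted silently. Separately, `ipv6_get_flowlbl` reads `flow_lbl[2]` twice and never `flow_lbl[1]`, so the flow-label comparison is wrong; the middle term should be `(iph->flow_lbl[1] << 8)`. A check modelled on ebt_ip's, registered as `.check`, closes the validation gap; the exact callback signature should be taken from the `ebt_match` definition in this tree, and `ETH_P_IPV6` needs `linux/if_ether.h`.
```c
static int ebt_ip6_mt_check(const char *table, unsigned int hook_mask,
    const struct ebt_entry *e, void *data, unsigned int data_len)
{
	const struct ebt_ip6_mtinfo *info = data;
	const uint8_t known = EBT_IP6_SRCADDR | EBT_IP6_DSTADDR |
	    EBT_IP6_TFCLASS | EBT_IP6_FLOWLBL | EBT_IP6_NEXTHDR |
	    EBT_IP6_HOPLIMIT;

	/* Reject a truncated or oversized matchinfo before ebt_ip6_mt reads it. */
	if (data_len != EBT_ALIGN(sizeof(*info)))
		return -EINVAL;
	/* Only meaningful on frames the rule already pins to IPv6. */
	if (e->ethproto != htons(ETH_P_IPV6) || (e->invflags & EBT_IPROTO))
		return -EINVAL;
	if ((info->match_flags & ~known) || (info->invert_flags & ~known))
		return -EINVAL;
	return 0;
}

/* … unchanged: ebt_ip6_mt … */

static struct ebt_match ebt_ip6_mt_reg = {
	.name  = "ip6",
	.match = ebt_ip6_mt,
	.check = ebt_ip6_mt_check,
	.me    = THIS_MODULE,
};
```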
* [09/13] [NETFILTER]: Rename ipt_recent to xt_recent
From: Jan Engelhardt @ 2008-01-31 23:21 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 9a1711d2e53d3168edb3a019beef9348024d9f78
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Jan 31 02:17:07 2008 +0100
[NETFILTER]: Rename ipt_recent to xt_recent
Like with other modules (such as ipt_state), ipt_recent.h is changed
to forward definitions to (IOW include) xt_recent.h, and xt_recent.c
is changed to use the new constant names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/xt_recent.h | 26 ++++++++
include/linux/netfilter_ipv4/ipt_recent.h | 28 ++++-----
net/ipv4/netfilter/Kconfig | 13 ----
net/ipv4/netfilter/Makefile | 1 -
net/netfilter/Kconfig | 11 ++++
net/netfilter/Makefile | 1 +
.../ipt_recent.c => netfilter/xt_recent.c} | 37 ++++++------
7 files changed, 68 insertions(+), 49 deletions(-)
create mode 100644 include/linux/netfilter/xt_recent.h
rename net/{ipv4/netfilter/ipt_recent.c => netfilter/xt_recent.c} (92%)
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
new file mode 100644
index 0000000..5cfeb81
--- /dev/null
+++ b/include/linux/netfilter/xt_recent.h
@@ -0,0 +1,26 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+enum {
+ XT_RECENT_CHECK = 1 << 0,
+ XT_RECENT_SET = 1 << 1,
+ XT_RECENT_UPDATE = 1 << 2,
+ XT_RECENT_REMOVE = 1 << 3,
+ XT_RECENT_TTL = 1 << 4,
+
+ XT_RECENT_SOURCE = 0,
+ XT_RECENT_DEST = 1,
+
+ XT_RECENT_NAME_LEN = 200,
+};
+
+struct xt_recent_mtinfo {
+ u_int32_t seconds;
+ u_int32_t hit_count;
+ u_int8_t check_set;
+ u_int8_t invert;
+ char name[XT_RECENT_NAME_LEN];
+ u_int8_t side;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */
diff --git a/include/linux/netfilter_ipv4/ipt_recent.h b/include/linux/netfilter_ipv4/ipt_recent.h
index 6508a45..d636cca 100644
--- a/include/linux/netfilter_ipv4/ipt_recent.h
+++ b/include/linux/netfilter_ipv4/ipt_recent.h
@@ -1,27 +1,21 @@
#ifndef _IPT_RECENT_H
#define _IPT_RECENT_H
-#define RECENT_NAME "ipt_recent"
-#define RECENT_VER "v0.3.1"
+#include <linux/netfilter/xt_recent.h>
-#define IPT_RECENT_CHECK 1
-#define IPT_RECENT_SET 2
-#define IPT_RECENT_UPDATE 4
-#define IPT_RECENT_REMOVE 8
-#define IPT_RECENT_TTL 16
+#define ipt_recent_info xt_recent_mtinfo
-#define IPT_RECENT_SOURCE 0
-#define IPT_RECENT_DEST 1
+enum {
+ IPT_RECENT_CHECK = XT_RECENT_CHECK,
+ IPT_RECENT_SET = XT_RECENT_SET,
+ IPT_RECENT_UPDATE = XT_RECENT_UPDATE,
+ IPT_RECENT_REMOVE = XT_RECENT_REMOVE,
+ IPT_RECENT_TTL = XT_RECENT_TTL,
-#define IPT_RECENT_NAME_LEN 200
+ IPT_RECENT_SOURCE = XT_RECENT_SOURCE,
+ IPT_RECENT_DEST = XT_RECENT_DEST,
-struct ipt_recent_info {
- u_int32_t seconds;
- u_int32_t hit_count;
- u_int8_t check_set;
- u_int8_t invert;
- char name[IPT_RECENT_NAME_LEN];
- u_int8_t side;
+ IPT_RECENT_NAME_LEN = XT_RECENT_NAME_LEN,
};
#endif /*_IPT_RECENT_H*/
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 9a077cb..eeaab13 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -57,19 +57,6 @@ config IP_NF_IPTABLES
To compile it as a module, choose M here. If unsure, say N.
# The matches.
-config IP_NF_MATCH_RECENT
- tristate '"recent" match support'
- depends on IP_NF_IPTABLES
- depends on NETFILTER_ADVANCED
- help
- This match is used for creating one or many lists of recently
- used addresses and then matching against that/those list(s).
-
- Short options are available by using 'iptables -m recent -h'
- Official Website: <http://snowman.net/projects/ipt_recent/>
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP_NF_MATCH_ECN
tristate '"ecn" match support'
depends on IP_NF_IPTABLES
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 0c7dc78..7b1b4e5 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -44,7 +44,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
-obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
# targets
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index daf5b88..222aa07 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -711,6 +711,17 @@ config NETFILTER_XT_MATCH_REALM
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+config NETFILTER_XT_MATCH_RECENT
+ tristate '"recent" match support'
+ depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This match is used for creating one or many lists of recently
+ used addresses and then matching against that/those list(s).
+
+ Short options are available by using 'iptables -m recent -h'
+ Official Website: <http://snowman.net/projects/ipt_recent/>
+
config NETFILTER_XT_MATCH_SCTP
tristate '"sctp" protocol match support (EXPERIMENTAL)'
depends on NETFILTER_XTABLES && EXPERIMENTAL
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index ea75083..9599083 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -75,6 +75,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST) += xt_rateest.o
obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) += xt_recent.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/netfilter/xt_recent.c
similarity index 92%
rename from net/ipv4/netfilter/ipt_recent.c
rename to net/netfilter/xt_recent.c
index f2142b7..c7af6a8 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -27,11 +27,12 @@
#include <net/net_namespace.h>
#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv4/ipt_recent.h>
+#include <linux/netfilter/xt_recent.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching for IPv4");
MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_recent");
static unsigned int ip_list_tot = 100;
static unsigned int ip_pkt_list_tot = 20;
@@ -64,7 +65,7 @@ struct recent_entry {
struct recent_table {
struct list_head list;
- char name[IPT_RECENT_NAME_LEN];
+ char name[XT_RECENT_NAME_LEN];
#ifdef CONFIG_PROC_FS
struct proc_dir_entry *proc;
#endif
@@ -175,14 +176,14 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- const struct ipt_recent_info *info = matchinfo;
+ const struct xt_recent_mtinfo *info = matchinfo;
struct recent_table *t;
struct recent_entry *e;
__be32 addr;
u_int8_t ttl;
bool ret = info->invert;
- if (info->side == IPT_RECENT_DEST)
+ if (info->side == XT_RECENT_DEST)
addr = ip_hdr(skb)->daddr;
else
addr = ip_hdr(skb)->saddr;
@@ -195,9 +196,9 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
spin_lock_bh(&recent_lock);
t = recent_table_lookup(info->name);
e = recent_entry_lookup(t, addr,
- info->check_set & IPT_RECENT_TTL ? ttl : 0);
+ info->check_set & XT_RECENT_TTL ? ttl : 0);
if (e == NULL) {
- if (!(info->check_set & IPT_RECENT_SET))
+ if (!(info->check_set & XT_RECENT_SET))
goto out;
e = recent_entry_init(t, addr, ttl);
if (e == NULL)
@@ -206,12 +207,12 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
goto out;
}
- if (info->check_set & IPT_RECENT_SET)
+ if (info->check_set & XT_RECENT_SET)
ret = !ret;
- else if (info->check_set & IPT_RECENT_REMOVE) {
+ else if (info->check_set & XT_RECENT_REMOVE) {
recent_entry_remove(t, e);
ret = !ret;
- } else if (info->check_set & (IPT_RECENT_CHECK | IPT_RECENT_UPDATE)) {
+ } else if (info->check_set & (XT_RECENT_CHECK | XT_RECENT_UPDATE)) {
unsigned long time = jiffies - info->seconds * HZ;
unsigned int i, hits = 0;
@@ -225,8 +226,8 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
}
}
- if (info->check_set & IPT_RECENT_SET ||
- (info->check_set & IPT_RECENT_UPDATE && ret)) {
+ if (info->check_set & XT_RECENT_SET ||
+ (info->check_set & XT_RECENT_UPDATE && ret)) {
recent_entry_update(t, e);
e->ttl = ttl;
}
@@ -240,20 +241,20 @@ recent_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
- const struct ipt_recent_info *info = matchinfo;
+ const struct xt_recent_mtinfo *info = matchinfo;
struct recent_table *t;
unsigned i;
bool ret = false;
if (hweight8(info->check_set &
- (IPT_RECENT_SET | IPT_RECENT_REMOVE |
- IPT_RECENT_CHECK | IPT_RECENT_UPDATE)) != 1)
+ (XT_RECENT_SET | XT_RECENT_REMOVE |
+ XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1)
return false;
- if ((info->check_set & (IPT_RECENT_SET | IPT_RECENT_REMOVE)) &&
+ if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) &&
(info->seconds || info->hit_count))
return false;
if (info->name[0] == '\0' ||
- strnlen(info->name, IPT_RECENT_NAME_LEN) == IPT_RECENT_NAME_LEN)
+ strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
return false;
mutex_lock(&recent_mutex);
@@ -295,7 +296,7 @@ out:
static void recent_mt_destroy(const struct xt_match *match, void *matchinfo)
{
- const struct ipt_recent_info *info = matchinfo;
+ const struct xt_recent_mtinfo *info = matchinfo;
struct recent_table *t;
mutex_lock(&recent_mutex);
@@ -460,7 +461,7 @@ static struct xt_match recent_mt_reg __read_mostly = {
.name = "recent",
.family = AF_INET,
.match = recent_mt,
- .matchsize = sizeof(struct ipt_recent_info),
+ .matchsize = sizeof(struct xt_recent_mtinfo),
.checkentry = recent_mt_check,
.destroy = recent_mt_destroy,
.me = THIS_MODULE,
[10/13] [NETFILTER]: xt_recent: add IPv6 support
From: Jan Engelhardt @ 2008-01-31 23:21 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit c39c7713512e9b7e56c06b3d3efa7c456081e4d6
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Jan 31 04:36:12 2008 +0100
[NETFILTER]: xt_recent: add IPv6 support
This updates xt_recent to support IPv6 handling. It is sort of a flag
day, as the new control directory is /proc/net/xt_recent with a new,
more strict protocol (the string you ought to write into
/proc/net/xt_recent/LIST). But on the other hand, I kept the binary
interface towards iptables (which is quite memory consuming I must
say) to keep the patch small.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/netfilter/xt_recent.c | 207 +++++++++++++++++++++++++------------
1 files changed, 143 insertions(+), 64 deletions(-)
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index c7af6a8..74caea8 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2006 Patrick McHardy <kaber@trash.net>
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -13,6 +14,8 @@
*/
#include <linux/init.h>
#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
@@ -30,9 +33,11 @@
#include <linux/netfilter/xt_recent.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching for IPv4");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_recent");
+MODULE_ALIAS("ip6t_recent");
static unsigned int ip_list_tot = 100;
static unsigned int ip_pkt_list_tot = 20;
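Review bot: MODULE_DESCRIPTION still reads `"Xtables: \"recently-seen\" host matching for IPv4"` even though this patch adds the ip6t_recent alias right below it and an AF_INET6 entry to recent_mt_reg further down; the string should drop the family, e.g. `MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching");`. The ip_list_* MODULE_PARM_DESC strings in the next hunk were updated for the /proc rename, so this line looks like an oversight rather than intent.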
@@ -49,14 +54,15 @@ module_param(ip_list_gid, uint, 0400);
MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP to remember (max. 255)");
MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
-MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/ipt_recent/* files");
-MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/ipt_recent/* files");
-MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/ipt_recent/* files");
+MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
+MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files");
+MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files");
struct recent_entry {
struct list_head list;
struct list_head lru_list;
- __be32 addr;
+ union nf_inet_addr addr;
+ u_int16_t family;
u_int8_t ttl;
u_int8_t index;
u_int16_t nstamps;
@@ -87,24 +93,43 @@ static const struct file_operations recent_fops;
static u_int32_t hash_rnd;
static int hash_rnd_initted;
-static unsigned int recent_entry_hash(__be32 addr)
+static unsigned int recent_entry_hash4(const union nf_inet_addr *addr)
{
if (!hash_rnd_initted) {
- get_random_bytes(&hash_rnd, 4);
+ get_random_bytes(&hash_rnd, sizeof(hash_rnd));
hash_rnd_initted = 1;
}
- return jhash_1word((__force u32)addr, hash_rnd) & (ip_list_hash_size - 1);
+ return jhash_1word((__force u32)addr->ip, hash_rnd) &
+ (ip_list_hash_size - 1);
+}
+
+static unsigned int recent_entry_hash6(const union nf_inet_addr *addr)
+{
+ if (!hash_rnd_initted) {
+ get_random_bytes(&hash_rnd, sizeof(hash_rnd));
+ hash_rnd_initted = 1;
+ }
+ return jhash2((u32 *)addr->ip6, ARRAY_SIZE(addr->ip6), hash_rnd) &
+ (ip_list_hash_size - 1);
}
static struct recent_entry *
-recent_entry_lookup(const struct recent_table *table, __be32 addr, u_int8_t ttl)
+recent_entry_lookup(const struct recent_table *table,
+ const union nf_inet_addr *addrp, u_int16_t family,
+ u_int8_t ttl)
{
struct recent_entry *e;
unsigned int h;
- h = recent_entry_hash(addr);
+ if (family == AF_INET)
+ h = recent_entry_hash4(addrp);
+ else
+ h = recent_entry_hash6(addrp);
+
list_for_each_entry(e, &table->iphash[h], list)
- if (e->addr == addr && (ttl == e->ttl || !ttl || !e->ttl))
+ if (e->family == family &&
+ memcmp(&e->addr, addrp, sizeof(e->addr)) == 0 &&
+ (ttl == e->ttl || ttl == 0 || e->ttl == 0))
return e;
return NULL;
}
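Review bot: `memcmp(&e->addr, addrp, sizeof(e->addr))` compares all 16 bytes of the union for both families, so an AF_INET caller must pass an address whose bytes beyond `.ip` are zero and must have stored it that way through recent_entry_init, yet nothing in the lookup enforces or documents that. Either state the precondition above the loop, `/* full-union compare: IPv4 callers must zero the unused bytes of *addrp */`, or compare per family (`addrp->ip` for AF_INET, the whole union otherwise) so callers cannot get it wrong. Minor: the `hash_rnd_initted` lazy init is now duplicated verbatim in recent_entry_hash4 and recent_entry_hash6 and could move to one small static helper, and the `(u32 *)addr->ip6` cast drops const from a const parameter; a `(const u32 *)` cast should do if jhash2 takes a const key pointer, which I cannot confirm from here.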
@@ -118,7 +143,8 @@ static void recent_entry_remove(struct recent_table *t, struct recent_entry *e)
}
static struct recent_entry *
-recent_entry_init(struct recent_table *t, __be32 addr, u_int8_t ttl)
+recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr,
+ u_int16_t family, u_int8_t ttl)
{
struct recent_entry *e;
@@ -130,12 +156,16 @@ recent_entry_init(struct recent_table *t, __be32 addr, u_int8_t ttl)
GFP_ATOMIC);
if (e == NULL)
return NULL;
- e->addr = addr;
+ memcpy(&e->addr, addr, sizeof(e->addr));
e->ttl = ttl;
e->stamps[0] = jiffies;
e->nstamps = 1;
e->index = 1;
- list_add_tail(&e->list, &t->iphash[recent_entry_hash(addr)]);
+ e->family = family;
+ if (family == AF_INET)
+ list_add_tail(&e->list, &t->iphash[recent_entry_hash4(addr)]);
+ else
+ list_add_tail(&e->list, &t->iphash[recent_entry_hash6(addr)]);
list_add_tail(&e->lru_list, &t->lru_list);
t->entries++;
return e;
@@ -179,28 +209,42 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
const struct xt_recent_mtinfo *info = matchinfo;
struct recent_table *t;
struct recent_entry *e;
- __be32 addr;
+ union nf_inet_addr addr;
u_int8_t ttl;
bool ret = info->invert;
- if (info->side == XT_RECENT_DEST)
- addr = ip_hdr(skb)->daddr;
- else
- addr = ip_hdr(skb)->saddr;
+ if (match->family == AF_INET) {
+ const struct iphdr *iph = ip_hdr(skb);
+
+ if (info->side == XT_RECENT_DEST)
+ addr.ip = iph->daddr;
+ else
+ addr.ip = iph->saddr;
+
+ ttl = iph->ttl;
+ } else {
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+
+ if (info->side == XT_RECENT_DEST)
+ memcpy(&addr.in6, &iph->daddr, sizeof(addr.in6));
+ else
+ memcpy(&addr.in6, &iph->saddr, sizeof(addr.in6));
+
+ ttl = iph->hop_limit;
+ }
- ttl = ip_hdr(skb)->ttl;
/* use TTL as seen before forwarding */
if (out && !skb->sk)
ttl++;
spin_lock_bh(&recent_lock);
t = recent_table_lookup(info->name);
- e = recent_entry_lookup(t, addr,
+ e = recent_entry_lookup(t, &addr, match->family,
info->check_set & XT_RECENT_TTL ? ttl : 0);
if (e == NULL) {
if (!(info->check_set & XT_RECENT_SET))
goto out;
- e = recent_entry_init(t, addr, ttl);
+ e = recent_entry_init(t, &addr, match->family, ttl);
if (e == NULL)
*hotdrop = true;
ret = !ret;
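Review bot: `union nf_inet_addr addr;` is left uninitialized and the AF_INET branch stores only `addr.ip`, so the remaining 12 bytes are stack garbage; recent_entry_init then memcpys the whole union into the table and recent_entry_lookup memcmps the whole union, so a later lookup of the same IPv4 address compares fresh garbage against stored garbage and will hit or miss at random. Declare it as `union nf_inet_addr addr = {};` (or `memset(&addr, 0, sizeof(addr));` before the family switch). `ttl` is likewise only assigned on the two family branches, which is fine as long as only AF_INET and AF_INET6 are registered, as recent_mt_reg in this patch does. recent_mt begins and ends outside this hunk.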
@@ -316,7 +360,7 @@ static void recent_mt_destroy(const struct xt_match *match, void *matchinfo)
#ifdef CONFIG_PROC_FS
struct recent_iter_state {
- struct recent_table *table;
+ const struct recent_table *table;
unsigned int bucket;
};
@@ -341,8 +385,8 @@ static void *recent_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
struct recent_iter_state *st = seq->private;
const struct recent_table *t = st->table;
- struct recent_entry *e = v;
- struct list_head *head = e->list.next;
+ const struct recent_entry *e = v;
+ const struct list_head *head = e->list.next;
while (head == &t->iphash[st->bucket]) {
if (++st->bucket >= ip_list_hash_size)
@@ -365,8 +409,14 @@ static int recent_seq_show(struct seq_file *seq, void *v)
unsigned int i;
i = (e->index - 1) % ip_pkt_list_tot;
- seq_printf(seq, "src=%u.%u.%u.%u ttl: %u last_seen: %lu oldest_pkt: %u",
- NIPQUAD(e->addr), e->ttl, e->stamps[i], e->index);
+ if (e->family == AF_INET)
+ seq_printf(seq, "src=" NIPQUAD_FMT " ttl: %u last_seen: %lu "
+ "oldest_pkt: %u", NIPQUAD(e->addr.ip), e->ttl,
+ e->stamps[i], e->index);
+ else
+ seq_printf(seq, "src=" NIP6_FMT " ttl: %u last_seen: %lu "
+ "oldest_pkt: %u", NIP6(e->addr.in6), e->ttl,
+ e->stamps[i], e->index);
for (i = 0; i < e->nstamps; i++)
seq_printf(seq, "%s %lu", i ? "," : "", e->stamps[i]);
seq_printf(seq, "\n");
@@ -399,45 +449,59 @@ static ssize_t recent_proc_write(struct file *file, const char __user *input,
const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct recent_table *t = pde->data;
struct recent_entry *e;
- char buf[sizeof("+255.255.255.255")], *c = buf;
- __be32 addr;
- int add;
+ char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:5afe:c0de")], *c = buf;
+ union nf_inet_addr addr;
+ u_int16_t family;
+ bool add, succ;
+ if (size == 0)
+ return 0;
if (size > sizeof(buf))
size = sizeof(buf);
- if (copy_from_user(buf, input, size))
+ if (copy_from_user(buf, input, size) != 0)
return -EFAULT;
- while (isspace(*c))
- c++;
- if (size - (c - buf) < 5)
- return c - buf;
- if (!strncmp(c, "clear", 5)) {
- c += 5;
+ /* Strict protocol! */
+ if (*loff != 0)
+ return -ESPIPE;
+ switch (*c) {
+ case '/': /* flush table */
spin_lock_bh(&recent_lock);
recent_table_flush(t);
spin_unlock_bh(&recent_lock);
- return c - buf;
- }
-
- switch (*c) {
- case '-':
- add = 0;
- c++;
+ return size;
+ case '-': /* remove address */
+ add = false;
break;
- case '+':
- c++;
- default:
- add = 1;
+ case '+': /* add address */
+ add = true;
break;
+ default:
+ printk(KERN_INFO KBUILD_MODNAME ": Need +ip, -ip or /\n");
+ return -EINVAL;
+ }
+
+ ++c;
+ --size;
+ if (strnchr(c, size, ':') != NULL) {
+ family = AF_INET6;
+ succ = in6_pton(c, size, (void *)&addr, '\n', NULL);
+ } else {
+ family = AF_INET;
+ succ = in4_pton(c, size, (void *)&addr, '\n', NULL);
+ }
+
+ if (!succ) {
+ printk(KERN_INFO KBUILD_MODNAME ": illegal address written "
+ "to procfs\n");
+ return -EINVAL;
}
- addr = in_aton(c);
spin_lock_bh(&recent_lock);
- e = recent_entry_lookup(t, addr, 0);
+ e = recent_entry_lookup(t, &addr, family, 0);
if (e == NULL) {
if (add)
- recent_entry_init(t, addr, 0);
+ recent_entry_init(t, &addr, family, 0);
} else {
if (add)
recent_entry_update(t, e);
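Review bot: `union nf_inet_addr addr;` is never zeroed before `in4_pton()` fills only its first four bytes, so the IPv4 lookup and insert below compare and store 12 bytes of uninitialized stack, which defeats the full-union memcmp in recent_entry_lookup; declare it as `union nf_inet_addr addr = {};`. The two `printk(KERN_INFO ...)` calls are reachable by anyone granted write access via ip_list_perms/ip_list_uid/ip_list_gid, so a non-root writer can fill the kernel log at will; wrapping them in `if (printk_ratelimit())`, or simply returning -EINVAL without a message, would be safer. recent_proc_write continues past this hunk.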
@@ -445,7 +509,9 @@ static ssize_t recent_proc_write(struct file *file, const char __user *input,
recent_entry_remove(t, e);
}
spin_unlock_bh(&recent_lock);
- return size;
+ /* Note we removed one above */
+ *loff += size + 1;
+ return size + 1;
}
static const struct file_operations recent_fops = {
@@ -457,14 +523,27 @@ static const struct file_operations recent_fops = {
};
#endif /* CONFIG_PROC_FS */
-static struct xt_match recent_mt_reg __read_mostly = {
- .name = "recent",
- .family = AF_INET,
- .match = recent_mt,
- .matchsize = sizeof(struct xt_recent_mtinfo),
- .checkentry = recent_mt_check,
- .destroy = recent_mt_destroy,
- .me = THIS_MODULE,
+static struct xt_match recent_mt_reg[] __read_mostly = {
+ {
+ .name = "recent",
+ .revision = 0,
+ .family = AF_INET,
+ .match = recent_mt,
+ .matchsize = sizeof(struct xt_recent_mtinfo),
+ .checkentry = recent_mt_check,
+ .destroy = recent_mt_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "recent",
+ .revision = 0,
+ .family = AF_INET6,
+ .match = recent_mt,
+ .matchsize = sizeof(struct xt_recent_mtinfo),
+ .checkentry = recent_mt_check,
+ .destroy = recent_mt_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init recent_mt_init(void)
@@ -475,13 +554,13 @@ static int __init recent_mt_init(void)
return -EINVAL;
ip_list_hash_size = 1 << fls(ip_list_tot);
- err = xt_register_match(&recent_mt_reg);
+ err = xt_register_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
#ifdef CONFIG_PROC_FS
if (err)
return err;
- proc_dir = proc_mkdir("ipt_recent", init_net.proc_net);
+ proc_dir = proc_mkdir("xt_recent", init_net.proc_net);
if (proc_dir == NULL) {
- xt_unregister_match(&recent_mt_reg);
+ xt_unregister_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
err = -ENOMEM;
}
#endif
@@ -491,9 +570,9 @@ static int __init recent_mt_init(void)
static void __exit recent_mt_exit(void)
{
BUG_ON(!list_empty(&tables));
- xt_unregister_match(&recent_mt_reg);
+ xt_unregister_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
#ifdef CONFIG_PROC_FS
- remove_proc_entry("ipt_recent", init_net.proc_net);
+ remove_proc_entry("xt_recent", init_net.proc_net);
#endif
}
-
[11/13] [NETFILTER]: xt_iprange: fix subtraction-based comparison
From: Jan Engelhardt @ 2008-01-31 23:21 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 88da1439625fdc5214ced15df282ed7388acb601
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Jan 31 23:12:07 2008 +0100
[NETFILTER]: xt_iprange: fix subtraction-based comparison
The host address parts need to be converted to host-endian first
before arithmetic makes any sense on them.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/netfilter/xt_iprange.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index 01035fc..624eeda 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -101,7 +101,7 @@ iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
int r;
for (i = 0; i < 4; ++i) {
- r = (__force u32)a->s6_addr32[i] - (__force u32)b->s6_addr32[i];
+ r = ntohl(a->s6_addr32[i]) - ntohl(b->s6_addr32[i]);
if (r != 0)
return r;
}
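Review bot: converting to host order fixes the endianness, but `r = ntohl(a) - ntohl(b)` still stores an unsigned 32-bit difference into `int r`, so whenever the two words differ by 2^31 or more the sign of `r` is the opposite of the true ordering (a = 0xffffffff, b = 0 yields r == -1). Since only the sign is meaningful, compare instead of subtracting: `if (a->s6_addr32[i] != b->s6_addr32[i])` / `return ntohl(a->s6_addr32[i]) < ntohl(b->s6_addr32[i]) ? -1 : 1;`, after which `r` is unused and can go. iprange_ipv6_sub begins before this hunk and its callers are not visible here, so I am assuming they only test the sign of the result.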
[12/13] [NETFILTER]: xt_realm: enable for IPv6
From: Jan Engelhardt @ 2008-01-31 23:23 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Dunno why xt_realm was not registered for AF_INET6 before. iproute2
does not seem to display IPv6 realms - leaves me wondering.
===
commit 05ec5f1b7e9d1497dd4738210df137722038d6b5
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Jan 31 23:36:04 2008 +0100
[NETFILTER]: xt_realm: enable for IPv6
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/netfilter/xt_realm.c | 38 ++++++++++++++++++++++++++++----------
1 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 7df1627..f18b6e9 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -20,6 +20,7 @@ MODULE_AUTHOR("Sampsa Ranta <sampsa@netsonic.fi>");
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Xtables: Routing realm match");
MODULE_ALIAS("ipt_realm");
+MODULE_ALIAS("ip6t_realm");
static bool
realm_mt(const struct sk_buff *skb, const struct net_device *in,
@@ -33,24 +34,41 @@ realm_mt(const struct sk_buff *skb, const struct net_device *in,
return (info->id == (dst->tclassid & info->mask)) ^ info->invert;
}
-static struct xt_match realm_mt_reg __read_mostly = {
- .name = "realm",
- .match = realm_mt,
- .matchsize = sizeof(struct xt_realm_info),
- .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |
- (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),
- .family = AF_INET,
- .me = THIS_MODULE
+static struct xt_match realm_mt_reg[] __read_mostly = {
+ {
+ .name = "realm",
+ .revision = 0,
+ .family = AF_INET,
+ .match = realm_mt,
+ .matchsize = sizeof(struct xt_realm_info),
+ .hooks = (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD) |
+ (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "realm",
+ .revision = 0,
+ .family = AF_INET6,
+ .match = realm_mt,
+ .matchsize = sizeof(struct xt_realm_info),
+ .hooks = (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD) |
+ (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ },
};
static int __init realm_mt_init(void)
{
- return xt_register_match(&realm_mt_reg);
+ return xt_register_matches(realm_mt_reg, ARRAY_SIZE(realm_mt_reg));
}
static void __exit realm_mt_exit(void)
{
- xt_unregister_match(&realm_mt_reg);
+ xt_unregister_matches(realm_mt_reg, ARRAY_SIZE(realm_mt_reg));
}
module_init(realm_mt_init);
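Review bot: nothing in this hunk or the description shows that IPv6 dst entries ever get `dst->tclassid` populated, and the cover note itself says iproute2 does not display IPv6 realms. If the IPv6 routing code never sets tclassid, the new AF_INET6 registration loads fine but only ever matches `--realm 0`, which would surprise users more than the previous "unsupported" failure. Worth confirming against the IPv6 route code before merging, or at least stating the limitation in the commit message and in the Kconfig help for NETFILTER_XT_MATCH_REALM.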
[13/13] [NETFILTER]: split off next-gen owner match into xt_socket
From: Jan Engelhardt @ 2008-01-31 23:24 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
I would not be me if I did not try pushing this. Please consider!
===
commit 2fa078781b60ab577e9b59db38a77f52e35b3518
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Feb 1 00:10:00 2008 +0100
[NETFILTER]: split off next-gen owner match into xt_socket
The "owner" match seems ripe for moving it to xt_socket, not only
because ownership is actually a socket feature, but because once
tproxy gets merged, xt_socket can easily be extended by anticipated
(it comes up every now and then on IRC) input path processing. The
reason the rename is done now is that once the module is in a Linus's
tarball release, it is set in stone, so I would rather start using
the name xt_socket now, because the ABI already changed, and I want
to avoid another flag day later.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/xt_owner.h | 16 -------
include/linux/netfilter/xt_socket.h | 16 +++++++
net/netfilter/Kconfig | 18 ++++----
net/netfilter/Makefile | 2 +-
net/netfilter/{xt_owner.c => xt_socket.c} | 48 +++++++++++----------
5 files changed, 51 insertions(+), 49 deletions(-)
delete mode 100644 include/linux/netfilter/xt_owner.h
create mode 100644 include/linux/netfilter/xt_socket.h
rename net/netfilter/{xt_owner.c => xt_socket.c} (82%)
diff --git a/include/linux/netfilter/xt_owner.h b/include/linux/netfilter/xt_owner.h
deleted file mode 100644
index c84e52c..0000000
--- a/include/linux/netfilter/xt_owner.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef _XT_OWNER_MATCH_H
-#define _XT_OWNER_MATCH_H
-
-enum {
- XT_OWNER_UID = 1 << 0,
- XT_OWNER_GID = 1 << 1,
- XT_OWNER_SOCKET = 1 << 2,
-};
-
-struct xt_owner_match_info {
- u_int32_t uid_min, uid_max;
- u_int32_t gid_min, gid_max;
- u_int8_t match, invert;
-};
-
-#endif /* _XT_OWNER_MATCH_H */
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 0000000..8393a47
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,16 @@
+#ifndef _XT_SOCKET_MATCH_H
+#define _XT_SOCKET_MATCH_H
+
+enum {
+ XT_SOCKET_UID = 1 << 0,
+ XT_SOCKET_GID = 1 << 1,
+ XT_SOCKET_EXISTS = 1 << 2,
+};
+
+struct xt_socket_mtinfo {
+ u_int32_t uid_min, uid_max;
+ u_int32_t gid_min, gid_max;
+ u_int8_t match, invert;
+};
+
+#endif /* _XT_SOCKET_MATCH_H */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 222aa07..ac4b24e 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -620,15 +620,6 @@ config NETFILTER_XT_MATCH_MARK
To compile it as a module, choose M here. If unsure, say N.
-config NETFILTER_XT_MATCH_OWNER
- tristate '"owner" match support'
- depends on NETFILTER_XTABLES
- depends on NETFILTER_ADVANCED
- ---help---
- Socket owner matching allows you to match locally-generated packets
- based on who created the socket: the user or group. It is also
- possible to check whether a socket actually exists.
-
config NETFILTER_XT_MATCH_POLICY
tristate 'IPsec "policy" match support'
depends on NETFILTER_XTABLES && XFRM
@@ -734,6 +725,15 @@ config NETFILTER_XT_MATCH_SCTP
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+config NETFILTER_XT_MATCH_SOCKET
+ tristate '"socket" match support'
+ depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
+ ---help---
+ Socket owner matching allows you to match locally-generated packets
+ based on who created the socket: the user or group. It is also
+ possible to check whether a socket actually exists.
+
config NETFILTER_XT_MATCH_STATE
tristate '"state" match support'
depends on NETFILTER_XTABLES
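Review bot: the help text for NETFILTER_XT_MATCH_SOCKET lacks the "To compile it as a module, choose M here. If unsure, say N." closing line that the neighbouring entries carry (visible on the MARK entry above), and it does not say that this option now also builds the legacy "owner" match, which xt_socket.c keeps registering under `.name = "owner"` with the ipt_owner/ip6t_owner aliases. Without that, someone searching Kconfig for the owner match after NETFILTER_XT_MATCH_OWNER disappears will not find it; I would append `This option also provides the older "owner" match for iptables and ip6tables.` followed by the standard module line.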
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 9599083..702a5df 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -68,7 +68,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
-obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
@@ -77,6 +76,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST) += xt_rateest.o
obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) += xt_recent.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_socket.c
similarity index 82%
rename from net/netfilter/xt_owner.c
rename to net/netfilter/xt_socket.c
index 9059c16..9d37d13 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_socket.c
@@ -16,7 +16,7 @@
#include <linux/file.h>
#include <net/sock.h>
#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter/xt_owner.h>
+#include <linux/netfilter/xt_socket.h>
#include <linux/netfilter_ipv4/ipt_owner.h>
#include <linux/netfilter_ipv6/ip6t_owner.h>
@@ -79,17 +79,17 @@ owner_mt6_v0(const struct sk_buff *skb, const struct net_device *in,
}
static bool
-owner_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+socket_mt(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
{
- const struct xt_owner_match_info *info = matchinfo;
+ const struct xt_socket_mtinfo *info = matchinfo;
const struct file *filp;
if (skb->sk == NULL || skb->sk->sk_socket == NULL)
return (info->match ^ info->invert) == 0;
- else if (info->match & info->invert & XT_OWNER_SOCKET)
+ else if (info->match & info->invert & XT_SOCKET_EXISTS)
/*
* Socket exists but user wanted ! --socket-exists.
* (Single ampersands intended.)
@@ -99,18 +99,18 @@ owner_mt(const struct sk_buff *skb, const struct net_device *in,
filp = skb->sk->sk_socket->file;
if (filp == NULL)
return ((info->match ^ info->invert) &
- (XT_OWNER_UID | XT_OWNER_GID)) == 0;
+ (XT_SOCKET_UID | XT_SOCKET_GID)) == 0;
- if (info->match & XT_OWNER_UID)
+ if (info->match & XT_SOCKET_UID)
if ((filp->f_uid >= info->uid_min &&
filp->f_uid <= info->uid_max) ^
- !(info->invert & XT_OWNER_UID))
+ !(info->invert & XT_SOCKET_UID))
return false;
- if (info->match & XT_OWNER_GID)
+ if (info->match & XT_SOCKET_GID)
if ((filp->f_gid >= info->gid_min &&
filp->f_gid <= info->gid_max) ^
- !(info->invert & XT_OWNER_GID))
+ !(info->invert & XT_SOCKET_GID))
return false;
return true;
@@ -149,7 +149,7 @@ owner_mt6_check_v0(const char *tablename, const void *ip,
return true;
}
-static struct xt_match owner_mt_reg[] __read_mostly = {
+static struct xt_match socket_mt_reg[] __read_mostly = {
{
.name = "owner",
.revision = 0,
@@ -173,21 +173,21 @@ static struct xt_match owner_mt_reg[] __read_mostly = {
.me = THIS_MODULE,
},
{
- .name = "owner",
- .revision = 1,
+ .name = "socket",
+ .revision = 0,
.family = AF_INET,
- .match = owner_mt,
- .matchsize = sizeof(struct xt_owner_match_info),
+ .match = socket_mt,
+ .matchsize = sizeof(struct xt_socket_mtinfo),
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING),
.me = THIS_MODULE,
},
{
- .name = "owner",
- .revision = 1,
+ .name = "socket",
+ .revision = 0,
.family = AF_INET6,
- .match = owner_mt,
- .matchsize = sizeof(struct xt_owner_match_info),
+ .match = socket_mt,
+ .matchsize = sizeof(struct xt_socket_mtinfo),
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING),
.me = THIS_MODULE,
@@ -196,12 +196,12 @@ static struct xt_match owner_mt_reg[] __read_mostly = {
static int __init owner_mt_init(void)
{
- return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+ return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
}
static void __exit owner_mt_exit(void)
{
- xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+ xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
}
module_init(owner_mt_init);
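Review bot: the init/exit functions keep their old names while registering the renamed array, so `owner_mt_init`/`owner_mt_exit` now sit in a file whose every other identifier says socket; for consistency rename them to `static int __init socket_mt_init(void)` and `static void __exit socket_mt_exit(void)` and update `module_init(socket_mt_init);` (the matching module_exit line is just outside this hunk). MODULE_DESCRIPTION, visible as context in the last hunk as "socket owner matching", could likewise mention that the module now serves both the socket match and the legacy owner match.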
@@ -211,3 +211,5 @@ MODULE_DESCRIPTION("Xtables: socket owner matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_owner");
MODULE_ALIAS("ip6t_owner");
+MODULE_ALIAS("ipt_socket");
+MODULE_ALIAS("ip6t_socket");
^ permalink raw reply related [flat|nested] 27+ messages in thread* [01/10] [IPTABLES]: Fix static build
From: Jan Engelhardt @ 2008-02-01 0:28 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Fix static build
Adjust the _INIT macro and thus fix the build/linking procedure
of the monolithic do-it-all binary (iptables-static).
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/GNUmakefile.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: iptables/extensions/GNUmakefile.in
===================================================================
--- iptables.orig/extensions/GNUmakefile.in
+++ iptables/extensions/GNUmakefile.in
@@ -104,7 +104,7 @@ lib%.so: lib%.oo
${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
lib%.oo: ${srcdir}/lib%.c
- ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+ ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
#
@@ -115,7 +115,7 @@ lib%.oo: ${srcdir}/lib%.c
# handling code in the Makefiles.
#
lib%.o: ${srcdir}/lib%.c
- ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
+ ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
libext4.a: initext4.o ${libext4_objs}
${AM_VERBOSE_AR} ${AR} crs $@ $^;
[02/10] [IPTABLES]: revert r7306
From: Jan Engelhardt @ 2008-02-01 0:28 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
- Revert part of svn r7306, as some gcc warnings are truly unhelpful.
To me, "{}" clearly means "I want an empty (zero-initialized) thing", i.e. {0};
{.something = NULL} expresses the same thing, only more verbosely.
- Change "unsigned" to explicit "unsigned int".
- Remove a few casts I have stumbled upon in the process.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
configure.ac | 2 +-
extensions/dscp_helper.c | 2 +-
extensions/libip6t_HL.c | 2 +-
extensions/libip6t_LOG.c | 2 +-
extensions/libip6t_REJECT.c | 2 +-
extensions/libip6t_ah.c | 2 +-
extensions/libip6t_dst.c | 4 ++--
extensions/libip6t_hbh.c | 4 ++--
extensions/libip6t_hl.c | 2 +-
extensions/libip6t_icmp6.c | 2 +-
| 2 +-
extensions/libip6t_mh.c | 2 +-
extensions/libip6t_policy.c | 2 +-
extensions/libip6t_rt.c | 4 ++--
extensions/libipt_CLUSTERIP.c | 2 +-
extensions/libipt_DNAT.c | 2 +-
extensions/libipt_ECN.c | 2 +-
extensions/libipt_LOG.c | 2 +-
extensions/libipt_MASQUERADE.c | 2 +-
extensions/libipt_NETMAP.c | 2 +-
extensions/libipt_REDIRECT.c | 2 +-
extensions/libipt_REJECT.c | 2 +-
extensions/libipt_SAME.c | 8 ++++----
extensions/libipt_SNAT.c | 2 +-
extensions/libipt_TTL.c | 2 +-
extensions/libipt_ULOG.c | 2 +-
extensions/libipt_addrtype.c | 2 +-
extensions/libipt_ah.c | 2 +-
extensions/libipt_ecn.c | 2 +-
extensions/libipt_icmp.c | 2 +-
extensions/libipt_policy.c | 2 +-
extensions/libipt_realm.c | 2 +-
extensions/libipt_recent.c | 2 +-
extensions/libipt_ttl.c | 2 +-
extensions/libxt_CLASSIFY.c | 2 +-
extensions/libxt_CONNMARK.c | 4 ++--
extensions/libxt_CONNSECMARK.c | 2 +-
extensions/libxt_DSCP.c | 2 +-
extensions/libxt_MARK.c | 4 ++--
extensions/libxt_NFLOG.c | 2 +-
extensions/libxt_NFQUEUE.c | 2 +-
extensions/libxt_RATEEST.c | 2 +-
extensions/libxt_SECMARK.c | 2 +-
extensions/libxt_TCPMSS.c | 2 +-
extensions/libxt_TCPOPTSTRIP.c | 6 +++---
extensions/libxt_TOS.c | 4 ++--
| 2 +-
extensions/libxt_connbytes.c | 2 +-
extensions/libxt_connlimit.c | 2 +-
extensions/libxt_connmark.c | 2 +-
extensions/libxt_conntrack.c | 8 +++-----
extensions/libxt_dccp.c | 2 +-
extensions/libxt_dscp.c | 2 +-
extensions/libxt_esp.c | 2 +-
extensions/libxt_hashlimit.c | 2 +-
extensions/libxt_helper.c | 2 +-
extensions/libxt_iprange.c | 2 +-
extensions/libxt_length.c | 2 +-
extensions/libxt_limit.c | 2 +-
extensions/libxt_mac.c | 2 +-
extensions/libxt_mark.c | 2 +-
extensions/libxt_multiport.c | 2 +-
extensions/libxt_owner.c | 6 +++---
extensions/libxt_physdev.c | 2 +-
extensions/libxt_pkttype.c | 2 +-
extensions/libxt_quota.c | 6 +++---
extensions/libxt_rateest.c | 4 ++--
extensions/libxt_sctp.c | 2 +-
extensions/libxt_state.c | 2 +-
extensions/libxt_statistic.c | 2 +-
extensions/libxt_string.c | 2 +-
extensions/libxt_tcp.c | 2 +-
extensions/libxt_tcpmss.c | 2 +-
extensions/libxt_time.c | 2 +-
extensions/libxt_tos.c | 2 +-
extensions/libxt_u32.c | 2 +-
extensions/libxt_udp.c | 2 +-
extensions/tos_values.c | 2 +-
iptables-xml.c | 24 ++++++++++++------------
xtables.c | 6 +++---
80 files changed, 111 insertions(+), 113 deletions(-)
Index: iptables/configure.ac
===================================================================
--- iptables.orig/configure.ac
+++ iptables/configure.ac
@@ -37,7 +37,7 @@ AM_CONDITIONAL([ENABLE_SHARED], [test "$
AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" == "yes"])
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
- -D_REENTRANT -W -Wall -Waggregate-return -Wmissing-declarations \
+ -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
-DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
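Review bot: Dropping `-W` on the + line also drops every diagnostic it enables beyond `-Wall`, in particular `-Wsign-compare` and `-Wmissing-field-initializers` for C, so signed/unsigned mixing around the `unsigned int` counters this patch introduces will no longer be reported. If the intent is only to quiet missing-initializer noise from the option tables, `-W -Wno-missing-field-initializers` keeps the remaining checks. `-W` is the older spelling of `-Wextra`, which may be worth using explicitly for readability.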
Index: iptables/extensions/dscp_helper.c
===================================================================
--- iptables.orig/extensions/dscp_helper.c
+++ iptables/extensions/dscp_helper.c
@@ -49,7 +49,7 @@ static const struct ds_class
static unsigned int
class_to_dscp(const char *name)
{
- unsigned i;
+ unsigned int i;
for (i = 0; i < sizeof(ds_classes) / sizeof(struct ds_class); i++) {
if (!strncasecmp(name, ds_classes[i].name,
Index: iptables/extensions/libip6t_HL.c
===================================================================
--- iptables.orig/extensions/libip6t_HL.c
+++ iptables/extensions/libip6t_HL.c
@@ -136,7 +136,7 @@ static const struct option HL_opts[] = {
{ "hl-set", 1, NULL, '1' },
{ "hl-dec", 1, NULL, '2' },
{ "hl-inc", 1, NULL, '3' },
- { .name = NULL }
+ {},
};
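Review bot: `{}` as an aggregate initializer on the + line is a GNU extension in C before C23; the portable spelling of the all-zero sentinel is `{ 0 }` (or the designated `{ .name = NULL }` it replaces), and `{}` draws a diagnostic under `-pedantic`. The same applies to every other `{ .name = NULL }` → `{}` replacement in this patch, from libip6t_LOG.c through libxt_time.c, including the `tcp_optionmap` and `rate_suffix` tables. Both forms zero-initialize the whole element, so this is a portability/style point, not a behaviour change.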
static struct ip6tables_target hl_target6 = {
Index: iptables/extensions/libip6t_LOG.c
===================================================================
--- iptables.orig/extensions/libip6t_LOG.c
+++ iptables/extensions/libip6t_LOG.c
@@ -38,7 +38,7 @@ static const struct option LOG_opts[] =
{ .name = "log-tcp-options", .has_arg = 0, .val = '2' },
{ .name = "log-ip-options", .has_arg = 0, .val = '3' },
{ .name = "log-uid", .has_arg = 0, .val = '4' },
- { .name = NULL }
+ {},
};
/* Initialize the target. */
Index: iptables/extensions/libip6t_REJECT.c
===================================================================
--- iptables.orig/extensions/libip6t_REJECT.c
+++ iptables/extensions/libip6t_REJECT.c
@@ -66,7 +66,7 @@ static void REJECT_help(void)
static const struct option REJECT_opts[] = {
{ "reject-with", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
/* Allocate and initialize the target. */
Index: iptables/extensions/libip6t_ah.c
===================================================================
--- iptables.orig/extensions/libip6t_ah.c
+++ iptables/extensions/libip6t_ah.c
@@ -23,7 +23,7 @@ static const struct option ah_opts[] = {
{ .name = "ahspi", .has_arg = 1, .val = '1' },
{ .name = "ahlen", .has_arg = 1, .val = '2' },
{ .name = "ahres", .has_arg = 0, .val = '3' },
- { .name = NULL }
+ {},
};
static u_int32_t
Index: iptables/extensions/libip6t_dst.c
===================================================================
--- iptables.orig/extensions/libip6t_dst.c
+++ iptables/extensions/libip6t_dst.c
@@ -26,7 +26,7 @@ static const struct option dst_opts[] =
{ .name = "dst-len", .has_arg = 1, .val = '1' },
{ .name = "dst-opts", .has_arg = 1, .val = '2' },
{ .name = "dst-not-strict", .has_arg = 1, .val = '3' },
- { .name = NULL }
+ {},
};
static u_int32_t
@@ -168,7 +168,7 @@ static int dst_parse(int c, char **argv,
}
static void
-print_options(unsigned optsnr, u_int16_t *optsp)
+print_options(unsigned int optsnr, u_int16_t *optsp)
{
unsigned int i;
Index: iptables/extensions/libip6t_hbh.c
===================================================================
--- iptables.orig/extensions/libip6t_hbh.c
+++ iptables/extensions/libip6t_hbh.c
@@ -29,7 +29,7 @@ static const struct option hbh_opts[] =
{ "hbh-len", 1, NULL, '1' },
{ "hbh-opts", 1, NULL, '2' },
{ "hbh-not-strict", 1, NULL, '3' },
- { .name = NULL }
+ {},
};
static u_int32_t
@@ -162,7 +162,7 @@ static int hbh_parse(int c, char **argv,
}
static void
-print_options(unsigned optsnr, u_int16_t *optsp)
+print_options(unsigned int optsnr, u_int16_t *optsp)
{
unsigned int i;
Index: iptables/extensions/libip6t_hl.c
===================================================================
--- iptables.orig/extensions/libip6t_hl.c
+++ iptables/extensions/libip6t_hl.c
@@ -122,7 +122,7 @@ static const struct option hl_opts[] = {
{ .name = "hl-eq", .has_arg = 1, .val = '2' },
{ .name = "hl-lt", .has_arg = 1, .val = '3' },
{ .name = "hl-gt", .has_arg = 1, .val = '4' },
- { .name = NULL }
+ {},
};
static struct ip6tables_match hl_match6 = {
Index: iptables/extensions/libip6t_icmp6.c
===================================================================
--- iptables.orig/extensions/libip6t_icmp6.c
+++ iptables/extensions/libip6t_icmp6.c
@@ -86,7 +86,7 @@ static void icmp6_help(void)
static const struct option icmp6_opts[] = {
{ "icmpv6-type", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libip6t_ipv6header.c
===================================================================
--- iptables.orig/extensions/libip6t_ipv6header.c
+++ iptables/extensions/libip6t_ipv6header.c
@@ -150,7 +150,7 @@ static void ipv6header_help(void)
static const struct option ipv6header_opts[] = {
{ "header", 1, NULL, '1' },
{ "soft", 0, NULL, '2' },
- { .name = NULL }
+ {},
};
static void ipv6header_init(struct xt_entry_match *m)
Index: iptables/extensions/libip6t_mh.c
===================================================================
--- iptables.orig/extensions/libip6t_mh.c
+++ iptables/extensions/libip6t_mh.c
@@ -220,7 +220,7 @@ static void mh_save(const void *ip, cons
static const struct option mh_opts[] = {
{ "mh-type", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
static struct ip6tables_match mh_match6 = {
Index: iptables/extensions/libip6t_policy.c
===================================================================
--- iptables.orig/extensions/libip6t_policy.c
+++ iptables/extensions/libip6t_policy.c
@@ -91,7 +91,7 @@ static const struct option policy_opts[]
.name = "next",
.val = 'a'
},
- { .name = NULL }
+ {},
};
/* FIXME - Duplicated code from ip6tables.c */
Index: iptables/extensions/libip6t_rt.c
===================================================================
--- iptables.orig/extensions/libip6t_rt.c
+++ iptables/extensions/libip6t_rt.c
@@ -35,7 +35,7 @@ static const struct option rt_opts[] = {
{ "rt-0-res", 0, NULL, '4' },
{ "rt-0-addrs", 1, NULL, '5' },
{ "rt-0-not-strict", 0, NULL, '6' },
- { .name = NULL }
+ {},
};
static u_int32_t
@@ -255,7 +255,7 @@ print_nums(const char *name, u_int32_t m
}
static void
-print_addresses(unsigned addrnr, struct in6_addr *addrp)
+print_addresses(unsigned int addrnr, struct in6_addr *addrp)
{
unsigned int i;
Index: iptables/extensions/libipt_CLUSTERIP.c
===================================================================
--- iptables.orig/extensions/libipt_CLUSTERIP.c
+++ iptables/extensions/libipt_CLUSTERIP.c
@@ -50,7 +50,7 @@ static const struct option CLUSTERIP_opt
{ "total-nodes", 1, NULL, '4' },
{ "local-node", 1, NULL, '5' },
{ "hash-init", 1, NULL, '6' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libipt_DNAT.c
===================================================================
--- iptables.orig/extensions/libipt_DNAT.c
+++ iptables/extensions/libipt_DNAT.c
@@ -34,7 +34,7 @@ IPTABLES_VERSION);
static const struct option DNAT_opts[] = {
{ "to-destination", 1, NULL, '1' },
{ "random", 0, NULL, '2' },
- { .name = NULL }
+ {},
};
static struct ipt_natinfo *
Index: iptables/extensions/libipt_ECN.c
===================================================================
--- iptables.orig/extensions/libipt_ECN.c
+++ iptables/extensions/libipt_ECN.c
@@ -38,7 +38,7 @@ static const struct option ECN_opts[] =
{ "ecn-tcp-cwr", 1, NULL, 'G' },
{ "ecn-tcp-ece", 1, NULL, 'H' },
{ "ecn-ip-ect", 1, NULL, '9' },
- { .name = NULL }
+ {},
};
static int ECN_parse(int c, char **argv, int invert, unsigned int *flags,
Index: iptables/extensions/libipt_LOG.c
===================================================================
--- iptables.orig/extensions/libipt_LOG.c
+++ iptables/extensions/libipt_LOG.c
@@ -38,7 +38,7 @@ static const struct option LOG_opts[] =
{ .name = "log-tcp-options", .has_arg = 0, .val = '2' },
{ .name = "log-ip-options", .has_arg = 0, .val = '3' },
{ .name = "log-uid", .has_arg = 0, .val = '4' },
- { .name = NULL }
+ {},
};
/* Initialize the target. */
Index: iptables/extensions/libipt_MASQUERADE.c
===================================================================
--- iptables.orig/extensions/libipt_MASQUERADE.c
+++ iptables/extensions/libipt_MASQUERADE.c
@@ -25,7 +25,7 @@ IPTABLES_VERSION);
static const struct option MASQUERADE_opts[] = {
{ "to-ports", 1, NULL, '1' },
{ "random", 0, NULL, '2' },
- { .name = NULL }
+ {},
};
/* Initialize the target. */
Index: iptables/extensions/libipt_NETMAP.c
===================================================================
--- iptables.orig/extensions/libipt_NETMAP.c
+++ iptables/extensions/libipt_NETMAP.c
@@ -15,7 +15,7 @@
static const struct option NETMAP_opts[] = {
{ "to", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
/* Function which prints out usage message. */
Index: iptables/extensions/libipt_REDIRECT.c
===================================================================
--- iptables.orig/extensions/libipt_REDIRECT.c
+++ iptables/extensions/libipt_REDIRECT.c
@@ -24,7 +24,7 @@ IPTABLES_VERSION);
static const struct option REDIRECT_opts[] = {
{ "to-ports", 1, NULL, '1' },
{ "random", 0, NULL, '2' },
- { .name = NULL }
+ {},
};
/* Initialize the target. */
Index: iptables/extensions/libipt_REJECT.c
===================================================================
--- iptables.orig/extensions/libipt_REJECT.c
+++ iptables/extensions/libipt_REJECT.c
@@ -81,7 +81,7 @@ static void REJECT_help(void)
static const struct option REJECT_opts[] = {
{ "reject-with", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
/* Allocate and initialize the target. */
Index: iptables/extensions/libipt_SAME.c
===================================================================
--- iptables.orig/extensions/libipt_SAME.c
+++ iptables/extensions/libipt_SAME.c
@@ -32,7 +32,7 @@ static const struct option SAME_opts[] =
{ "to", 1, NULL, '1' },
{ "nodst", 0, NULL, '2'},
{ "random", 0, NULL, '3' },
- { .name = NULL }
+ {},
};
/* Initialize the target. */
@@ -90,7 +90,7 @@ static int SAME_parse(int c, char **argv
{
struct ipt_same_info *mr
= (struct ipt_same_info *)(*target)->data;
- unsigned count;
+ unsigned int count;
switch (c) {
case '1':
@@ -146,7 +146,7 @@ static void SAME_check(unsigned int flag
static void SAME_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
- unsigned count;
+ unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
int random = 0;
@@ -180,7 +180,7 @@ static void SAME_print(const void *ip, c
/* Saves the union ipt_targinfo in parsable form to stdout. */
static void SAME_save(const void *ip, const struct xt_entry_target *target)
{
- unsigned count;
+ unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
int random = 0;
Index: iptables/extensions/libipt_SNAT.c
===================================================================
--- iptables.orig/extensions/libipt_SNAT.c
+++ iptables/extensions/libipt_SNAT.c
@@ -34,7 +34,7 @@ IPTABLES_VERSION);
static const struct option SNAT_opts[] = {
{ "to-source", 1, NULL, '1' },
{ "random", 0, NULL, '2' },
- { .name = NULL }
+ {},
};
static struct ipt_natinfo *
Index: iptables/extensions/libipt_TTL.c
===================================================================
--- iptables.orig/extensions/libipt_TTL.c
+++ iptables/extensions/libipt_TTL.c
@@ -136,7 +136,7 @@ static const struct option TTL_opts[] =
{ "ttl-set", 1, NULL, '1' },
{ "ttl-dec", 1, NULL, '2' },
{ "ttl-inc", 1, NULL, '3' },
- { .name = NULL }
+ {},
};
static struct iptables_target ttl_target = {
Index: iptables/extensions/libipt_ULOG.c
===================================================================
--- iptables.orig/extensions/libipt_ULOG.c
+++ iptables/extensions/libipt_ULOG.c
@@ -49,7 +49,7 @@ static const struct option ULOG_opts[] =
{"ulog-prefix", 1, NULL, '#'},
{"ulog-cprange", 1, NULL, 'A'},
{"ulog-qthreshold", 1, NULL, 'B'},
- { .name = NULL }
+ {},
};
/* Initialize the target. */
Index: iptables/extensions/libipt_addrtype.c
===================================================================
--- iptables.orig/extensions/libipt_addrtype.c
+++ iptables/extensions/libipt_addrtype.c
@@ -180,7 +180,7 @@ static void addrtype_save(const void *ip
static const struct option addrtype_opts[] = {
{ "src-type", 1, NULL, '1' },
{ "dst-type", 1, NULL, '2' },
- { .name = NULL }
+ {},
};
static struct iptables_match addrtype_match = {
Index: iptables/extensions/libipt_ah.c
===================================================================
--- iptables.orig/extensions/libipt_ah.c
+++ iptables/extensions/libipt_ah.c
@@ -20,7 +20,7 @@ IPTABLES_VERSION);
static const struct option ah_opts[] = {
{ "ahspi", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
static u_int32_t
Index: iptables/extensions/libipt_ecn.c
===================================================================
--- iptables.orig/extensions/libipt_ecn.c
+++ iptables/extensions/libipt_ecn.c
@@ -30,7 +30,7 @@ static const struct option ecn_opts[] =
{ .name = "ecn-tcp-cwr", .has_arg = 0, .val = 'F' },
{ .name = "ecn-tcp-ece", .has_arg = 0, .val = 'G' },
{ .name = "ecn-ip-ect", .has_arg = 1, .val = 'H' },
- { .name = NULL }
+ {},
};
static int ecn_parse(int c, char **argv, int invert, unsigned int *flags,
Index: iptables/extensions/libipt_icmp.c
===================================================================
--- iptables.orig/extensions/libipt_icmp.c
+++ iptables/extensions/libipt_icmp.c
@@ -110,7 +110,7 @@ static void icmp_help(void)
static const struct option icmp_opts[] = {
{ "icmp-type", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libipt_policy.c
===================================================================
--- iptables.orig/extensions/libipt_policy.c
+++ iptables/extensions/libipt_policy.c
@@ -90,7 +90,7 @@ static const struct option policy_opts[]
.name = "next",
.val = 'a'
},
- { .name = NULL }
+ {},
};
static int parse_direction(char *s)
Index: iptables/extensions/libipt_realm.c
===================================================================
--- iptables.orig/extensions/libipt_realm.c
+++ iptables/extensions/libipt_realm.c
@@ -26,7 +26,7 @@ static void realm_help(void)
static const struct option realm_opts[] = {
{ "realm", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
struct realmname {
Index: iptables/extensions/libipt_recent.c
===================================================================
--- iptables.orig/extensions/libipt_recent.c
+++ iptables/extensions/libipt_recent.c
@@ -33,7 +33,7 @@ static const struct option recent_opts[]
{ .name = "name", .has_arg = 1, .val = 208 },
{ .name = "rsource", .has_arg = 0, .val = 209 },
{ .name = "rdest", .has_arg = 0, .val = 210 },
- { .name = NULL }
+ {},
};
/* Function which prints out usage message. */
Index: iptables/extensions/libipt_ttl.c
===================================================================
--- iptables.orig/extensions/libipt_ttl.c
+++ iptables/extensions/libipt_ttl.c
@@ -145,7 +145,7 @@ static const struct option ttl_opts[] =
{ "ttl-eq", 1, NULL, '2'},
{ "ttl-lt", 1, NULL, '3'},
{ "ttl-gt", 1, NULL, '4'},
- { .name = NULL }
+ {},
};
static struct iptables_match ttl_match = {
Index: iptables/extensions/libxt_CLASSIFY.c
===================================================================
--- iptables.orig/extensions/libxt_CLASSIFY.c
+++ iptables/extensions/libxt_CLASSIFY.c
@@ -23,7 +23,7 @@ IPTABLES_VERSION);
static const struct option CLASSIFY_opts[] = {
{ "set-class", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
static int CLASSIFY_string_to_priority(const char *s, unsigned int *p)
Index: iptables/extensions/libxt_CONNMARK.c
===================================================================
--- iptables.orig/extensions/libxt_CONNMARK.c
+++ iptables/extensions/libxt_CONNMARK.c
@@ -50,7 +50,7 @@ static const struct option CONNMARK_opts
{ "save-mark", 0, NULL, '2' },
{ "restore-mark", 0, NULL, '3' },
{ "mask", 1, NULL, '4' },
- { .name = NULL }
+ {},
};
static const struct option connmark_tg_opts[] = {
@@ -64,7 +64,7 @@ static const struct option connmark_tg_o
{.name = "ctmask", .has_arg = true, .val = 'c'},
{.name = "nfmask", .has_arg = true, .val = 'n'},
{.name = "mask", .has_arg = true, .val = 'm'},
- {.name = NULL},
+ {},
};
static void connmark_tg_help(void)
Index: iptables/extensions/libxt_CONNSECMARK.c
===================================================================
--- iptables.orig/extensions/libxt_CONNSECMARK.c
+++ iptables/extensions/libxt_CONNSECMARK.c
@@ -27,7 +27,7 @@ IPTABLES_VERSION);
static const struct option CONNSECMARK_opts[] = {
{ "save", 0, 0, '1' },
{ "restore", 0, 0, '2' },
- { .name = NULL }
+ {},
};
static int
Index: iptables/extensions/libxt_DSCP.c
===================================================================
--- iptables.orig/extensions/libxt_DSCP.c
+++ iptables/extensions/libxt_DSCP.c
@@ -40,7 +40,7 @@ static void DSCP_help(void)
static const struct option DSCP_opts[] = {
{ "set-dscp", 1, NULL, 'F' },
{ "set-dscp-class", 1, NULL, 'G' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libxt_MARK.c
===================================================================
--- iptables.orig/extensions/libxt_MARK.c
+++ iptables/extensions/libxt_MARK.c
@@ -29,7 +29,7 @@ static const struct option MARK_opts[] =
{ "set-mark", 1, NULL, '1' },
{ "and-mark", 1, NULL, '2' },
{ "or-mark", 1, NULL, '3' },
- { .name = NULL }
+ {},
};
static const struct option mark_tg_opts[] = {
@@ -38,7 +38,7 @@ static const struct option mark_tg_opts[
{.name = "and-mark", .has_arg = true, .val = '&'},
{.name = "or-mark", .has_arg = true, .val = '|'},
{.name = "xor-mark", .has_arg = true, .val = '^'},
- { .name = NULL }
+ {},
};
static void mark_tg_help(void)
Index: iptables/extensions/libxt_NFLOG.c
===================================================================
--- iptables.orig/extensions/libxt_NFLOG.c
+++ iptables/extensions/libxt_NFLOG.c
@@ -19,7 +19,7 @@ static const struct option NFLOG_opts[]
{ "nflog-prefix", 1, NULL, NFLOG_PREFIX },
{ "nflog-range", 1, NULL, NFLOG_RANGE },
{ "nflog-threshold", 1, NULL, NFLOG_THRESHOLD },
- { .name = NULL }
+ {},
};
static void NFLOG_help(void)
Index: iptables/extensions/libxt_NFQUEUE.c
===================================================================
--- iptables.orig/extensions/libxt_NFQUEUE.c
+++ iptables/extensions/libxt_NFQUEUE.c
@@ -25,7 +25,7 @@ static void NFQUEUE_help(void)
static const struct option NFQUEUE_opts[] = {
{ "queue-num", 1, NULL, 'F' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libxt_RATEEST.c
===================================================================
--- iptables.orig/extensions/libxt_RATEEST.c
+++ iptables/extensions/libxt_RATEEST.c
@@ -36,7 +36,7 @@ static const struct option RATEEST_opts[
{ "rateest-name", 1, NULL, RATEEST_OPT_NAME },
{ "rateest-interval", 1, NULL, RATEEST_OPT_INTERVAL },
{ "rateest-ewmalog", 1, NULL, RATEEST_OPT_EWMALOG },
- { .name = NULL },
+ {},
};
/* Copied from iproute */
Index: iptables/extensions/libxt_SECMARK.c
===================================================================
--- iptables.orig/extensions/libxt_SECMARK.c
+++ iptables/extensions/libxt_SECMARK.c
@@ -25,7 +25,7 @@ IPTABLES_VERSION);
static const struct option SECMARK_opts[] = {
{ "selctx", 1, 0, '1' },
- { .name = NULL }
+ {},
};
/*
Index: iptables/extensions/libxt_TCPMSS.c
===================================================================
--- iptables.orig/extensions/libxt_TCPMSS.c
+++ iptables/extensions/libxt_TCPMSS.c
@@ -39,7 +39,7 @@ static void TCPMSS_help6(void)
static const struct option TCPMSS_opts[] = {
{ "set-mss", 1, NULL, '1' },
{ "clamp-mss-to-pmtu", 0, NULL, '2' },
- { .name = NULL }
+ {},
};
/* Function which parses command options; returns true if it
Index: iptables/extensions/libxt_TCPOPTSTRIP.c
===================================================================
--- iptables.orig/extensions/libxt_TCPOPTSTRIP.c
+++ iptables/extensions/libxt_TCPOPTSTRIP.c
@@ -22,12 +22,12 @@ enum {
struct tcp_optionmap {
const char *name, *desc;
- const unsigned option;
+ const unsigned int option;
};
static const struct option tcpoptstrip_tg_opts[] = {
{.name = "strip-options", .has_arg = true, .val = 's'},
- { .name = NULL }
+ {},
};
static const struct tcp_optionmap tcp_optionmap[] = {
@@ -37,7 +37,7 @@ static const struct tcp_optionmap tcp_op
{"sack", "Selective ACK", TCPOPT_SACK},
{"timestamp", "Timestamp", TCPOPT_TIMESTAMP},
{"md5", "MD5 signature", TCPOPT_MD5SIG},
- { .name = NULL }
+ {},
};
static void tcpoptstrip_tg_help(void)
Index: iptables/extensions/libxt_TOS.c
===================================================================
--- iptables.orig/extensions/libxt_TOS.c
+++ iptables/extensions/libxt_TOS.c
@@ -20,7 +20,7 @@ enum {
static const struct option tos_tg_opts_v0[] = {
{.name = "set-tos", .has_arg = true, .val = '='},
- { .name = NULL }
+ {},
};
static const struct option tos_tg_opts[] = {
@@ -28,7 +28,7 @@ static const struct option tos_tg_opts[]
{.name = "and-tos", .has_arg = true, .val = '&'},
{.name = "or-tos", .has_arg = true, .val = '|'},
{.name = "xor-tos", .has_arg = true, .val = '^'},
- { .name = NULL }
+ {},
};
static void tos_tg_help_v0(void)
Index: iptables/extensions/libxt_comment.c
===================================================================
--- iptables.orig/extensions/libxt_comment.c
+++ iptables/extensions/libxt_comment.c
@@ -25,7 +25,7 @@ static void comment_help(void)
static const struct option comment_opts[] = {
{ "comment", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libxt_connbytes.c
===================================================================
--- iptables.orig/extensions/libxt_connbytes.c
+++ iptables/extensions/libxt_connbytes.c
@@ -23,7 +23,7 @@ static const struct option connbytes_opt
{ "connbytes", 1, NULL, '1' },
{ "connbytes-dir", 1, NULL, '2' },
{ "connbytes-mode", 1, NULL, '3' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libxt_connlimit.c
===================================================================
--- iptables.orig/extensions/libxt_connlimit.c
+++ iptables/extensions/libxt_connlimit.c
@@ -21,7 +21,7 @@ static void connlimit_help(void)
static const struct option connlimit_opts[] = {
{"connlimit-above", 1, NULL, 'A'},
{"connlimit-mask", 1, NULL, 'M'},
- { .name = NULL }
+ {},
};
static void connlimit_init(struct xt_entry_match *match)
Index: iptables/extensions/libxt_connmark.c
===================================================================
--- iptables.orig/extensions/libxt_connmark.c
+++ iptables/extensions/libxt_connmark.c
@@ -42,7 +42,7 @@ static void connmark_mt_help(void)
static const struct option connmark_mt_opts[] = {
{.name = "mark", .has_arg = true, .val = '1'},
- { .name = NULL }
+ {},
};
static int
Index: iptables/extensions/libxt_conntrack.c
===================================================================
--- iptables.orig/extensions/libxt_conntrack.c
+++ iptables/extensions/libxt_conntrack.c
@@ -57,7 +57,7 @@ static const struct option conntrack_mt_
{.name = "ctrepldst", .has_arg = true, .val = '6'},
{.name = "ctstatus", .has_arg = true, .val = '7'},
{.name = "ctexpire", .has_arg = true, .val = '8'},
- { .name = NULL }
+ {},
};
static const struct option conntrack_mt_opts[] = {
@@ -74,7 +74,7 @@ static const struct option conntrack_mt_
{.name = "ctreplsrcport", .has_arg = true, .val = 'c'},
{.name = "ctrepldstport", .has_arg = true, .val = 'd'},
{.name = "ctdir", .has_arg = true, .val = 'e'},
- {.name = NULL},
+ {},
};
static int
@@ -250,9 +250,7 @@ parse_expires(const char *s, struct xt_c
cp++;
sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
- sinfo->expires_max = cp[0]
- ? parse_expire(cp)
- : (unsigned long)-1;
+ sinfo->expires_max = cp[0] ? parse_expire(cp) : -1;
}
free(buffer);
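Review bot: Removing the `(unsigned long)` cast on the + line makes the width of the "no upper bound" sentinel depend on parse_expire's return type, which is not visible in this hunk: if it returns something narrower than expires_max (say `unsigned int`), the conditional expression yields `UINT_MAX`, which then widens to 0xffffffff rather than `ULONG_MAX`, silently changing the value stored in the rule. Keeping the cast, or writing the sentinel as `ULONG_MAX` from <limits.h>, pins the intended value independently of that type: `sinfo->expires_max = cp[0] ? parse_expire(cp) : ULONG_MAX;`. The enclosing parse_expires starts and ends outside the hunk.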
Index: iptables/extensions/libxt_dccp.c
===================================================================
--- iptables.orig/extensions/libxt_dccp.c
+++ iptables/extensions/libxt_dccp.c
@@ -51,7 +51,7 @@ static const struct option dccp_opts[] =
{ .name = "dport", .has_arg = 1, .val = '2' },
{ .name = "dccp-types", .has_arg = 1, .val = '3' },
{ .name = "dccp-option", .has_arg = 1, .val = '4' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libxt_dscp.c
===================================================================
--- iptables.orig/extensions/libxt_dscp.c
+++ iptables/extensions/libxt_dscp.c
@@ -42,7 +42,7 @@ static void dscp_help(void)
static const struct option dscp_opts[] = {
{ "dscp", 1, NULL, 'F' },
{ "dscp-class", 1, NULL, 'G' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libxt_esp.c
===================================================================
--- iptables.orig/extensions/libxt_esp.c
+++ iptables/extensions/libxt_esp.c
@@ -20,7 +20,7 @@ IPTABLES_VERSION);
static const struct option esp_opts[] = {
{ "espspi", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
static u_int32_t
Index: iptables/extensions/libxt_hashlimit.c
===================================================================
--- iptables.orig/extensions/libxt_hashlimit.c
+++ iptables/extensions/libxt_hashlimit.c
@@ -54,7 +54,7 @@ static const struct option hashlimit_opt
{ "hashlimit-htable-expire", 1, NULL, ')' },
{ "hashlimit-mode", 1, NULL, '_' },
{ "hashlimit-name", 1, NULL, '"' },
- { .name = NULL }
+ {},
};
static
Index: iptables/extensions/libxt_helper.c
===================================================================
--- iptables.orig/extensions/libxt_helper.c
+++ iptables/extensions/libxt_helper.c
@@ -20,7 +20,7 @@ IPTABLES_VERSION);
static const struct option helper_opts[] = {
{ "helper", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
/* Function which parses command options; returns true if it
Index: iptables/extensions/libxt_iprange.c
===================================================================
--- iptables.orig/extensions/libxt_iprange.c
+++ iptables/extensions/libxt_iprange.c
@@ -27,7 +27,7 @@ static void iprange_mt_help(void)
static const struct option iprange_mt_opts[] = {
{.name = "src-range", .has_arg = true, .val = '1'},
{.name = "dst-range", .has_arg = true, .val = '2'},
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libxt_length.c
===================================================================
--- iptables.orig/extensions/libxt_length.c
+++ iptables/extensions/libxt_length.c
@@ -21,7 +21,7 @@ IPTABLES_VERSION);
static const struct option length_opts[] = {
{ "length", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
static u_int16_t
Index: iptables/extensions/libxt_limit.c
===================================================================
--- iptables.orig/extensions/libxt_limit.c
+++ iptables/extensions/libxt_limit.c
@@ -32,7 +32,7 @@ static void limit_help(void)
static const struct option limit_opts[] = {
{ "limit", 1, NULL, '%' },
{ "limit-burst", 1, NULL, '$' },
- { .name = NULL }
+ {},
};
static
Index: iptables/extensions/libxt_mac.c
===================================================================
--- iptables.orig/extensions/libxt_mac.c
+++ iptables/extensions/libxt_mac.c
@@ -24,7 +24,7 @@ static void mac_help(void)
static const struct option mac_opts[] = {
{ "mac-source", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libxt_mark.c
===================================================================
--- iptables.orig/extensions/libxt_mark.c
+++ iptables/extensions/libxt_mark.c
@@ -23,7 +23,7 @@ static void mark_mt_help(void)
static const struct option mark_mt_opts[] = {
{.name = "mark", .has_arg = true, .val = '1'},
- { .name = NULL }
+ {},
};
static int mark_mt_parse(int c, char **argv, int invert, unsigned int *flags,
Index: iptables/extensions/libxt_multiport.c
===================================================================
--- iptables.orig/extensions/libxt_multiport.c
+++ iptables/extensions/libxt_multiport.c
@@ -49,7 +49,7 @@ static const struct option multiport_opt
{ "destination-ports", 1, NULL, '2' },
{ "dports", 1, NULL, '2' }, /* synonym */
{ "ports", 1, NULL, '3' },
- { .name = NULL }
+ {},
};
static char *
Index: iptables/extensions/libxt_owner.c
===================================================================
--- iptables.orig/extensions/libxt_owner.c
+++ iptables/extensions/libxt_owner.c
@@ -81,7 +81,7 @@ static const struct option owner_mt_opts
#ifdef IPT_OWNER_COMM
{.name = "cmd-owner", .has_arg = true, .val = 'c'},
#endif
- { .name = NULL }
+ {},
};
static const struct option owner_mt6_opts_v0[] = {
@@ -89,14 +89,14 @@ static const struct option owner_mt6_opt
{.name = "gid-owner", .has_arg = true, .val = 'g'},
{.name = "pid-owner", .has_arg = true, .val = 'p'},
{.name = "sid-owner", .has_arg = true, .val = 's'},
- { .name = NULL }
+ {},
};
static const struct option owner_mt_opts[] = {
{.name = "uid-owner", .has_arg = true, .val = 'u'},
{.name = "gid-owner", .has_arg = true, .val = 'g'},
{.name = "socket-exists", .has_arg = false, .val = 'k'},
- { .name = NULL }
+ {},
};
static int
Index: iptables/extensions/libxt_physdev.c
===================================================================
--- iptables.orig/extensions/libxt_physdev.c
+++ iptables/extensions/libxt_physdev.c
@@ -30,7 +30,7 @@ static const struct option physdev_opts[
{ "physdev-is-in", 0, NULL, '3' },
{ "physdev-is-out", 0, NULL, '4' },
{ "physdev-is-bridged", 0, NULL, '5' },
- { .name = NULL }
+ {},
};
static int
Index: iptables/extensions/libxt_pkttype.c
===================================================================
--- iptables.orig/extensions/libxt_pkttype.c
+++ iptables/extensions/libxt_pkttype.c
@@ -66,7 +66,7 @@ static void pkttype_help(void)
static const struct option pkttype_opts[] = {
{"pkt-type", 1, NULL, '1'},
- { .name = NULL }
+ {},
};
static void parse_pkttype(const char *pkttype, struct xt_pkttype_info *info)
Index: iptables/extensions/libxt_quota.c
===================================================================
--- iptables.orig/extensions/libxt_quota.c
+++ iptables/extensions/libxt_quota.c
@@ -13,7 +13,7 @@
static const struct option quota_opts[] = {
{"quota", 1, NULL, '1'},
- { .name = NULL }
+ {},
};
/* print usage */
@@ -43,13 +43,13 @@ quota_save(const void *ip, const struct
static int
parse_quota(const char *s, u_int64_t * quota)
{
- *quota = strtoull(s, (char **) NULL, 10);
+ *quota = strtoull(s, NULL, 10);
#ifdef DEBUG_XT_QUOTA
printf("Quota: %llu\n", *quota);
#endif
- if (*quota == (u_int64_t)-1)
+ if (*quota == -1)
exit_error(PARAMETER_PROBLEM, "quota invalid: '%s'\n", s);
else
return 1;
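Review bot: `strtoull(s, NULL, 10)` on the first + line still accepts trailing garbage, silently turns non-numeric input into 0 and, because strtoull negates a leading '-', accepts `-2` as `ULLONG_MAX - 1`; the `*quota == -1` test on the second + line only catches an exact `ULLONG_MAX`, which it cannot tell apart from an overflowed value without errno. The comparison itself is sound (an int `-1` converts to `u_int64_t` under the usual arithmetic conversions), so the cast removal is harmless. A stricter parse uses the end pointer and errno as below; it needs <errno.h> if the file does not already include it. parse_quota's closing brace is outside the hunk.
```c
static int
parse_quota(const char *s, u_int64_t * quota)
{
	char *end;

	errno = 0;
	*quota = strtoull(s, &end, 10);
	/* strtoull negates "-N" instead of rejecting it, so check the sign explicitly */
	if (*s == '-' || end == s || *end != '\0' || errno == ERANGE)
		exit_error(PARAMETER_PROBLEM, "quota invalid: '%s'\n", s);
	/* … unchanged: DEBUG_XT_QUOTA printf and return 1 … */
```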
Index: iptables/extensions/libxt_rateest.c
===================================================================
--- iptables.orig/extensions/libxt_rateest.c
+++ iptables/extensions/libxt_rateest.c
@@ -55,7 +55,7 @@ static const struct option rateest_opts[
{ "rateest-lt", 0, NULL, OPT_RATEEST_LT },
{ "rateest-gt", 0, NULL, OPT_RATEEST_GT },
{ "rateest-eq", 0, NULL, OPT_RATEEST_EQ },
- { .name = NULL }
+ {},
};
/* Copied from iproute. See http://physics.nist.gov/cuu/Units/binary.html */
@@ -81,7 +81,7 @@ static const struct rate_suffix {
{ "GBps", 8000000000. },
{ "TiBps", 8.*1024.*1024.*1024.*1024. },
{ "TBps", 8000000000000. },
- { .name = NULL }
+ {},
};
static int
Index: iptables/extensions/libxt_sctp.c
===================================================================
--- iptables.orig/extensions/libxt_sctp.c
+++ iptables/extensions/libxt_sctp.c
@@ -73,7 +73,7 @@ static const struct option sctp_opts[] =
{ .name = "destination-port", .has_arg = 1, .val = '2' },
{ .name = "dport", .has_arg = 1, .val = '2' },
{ .name = "chunk-types", .has_arg = 1, .val = '3' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libxt_state.c
===================================================================
--- iptables.orig/extensions/libxt_state.c
+++ iptables/extensions/libxt_state.c
@@ -25,7 +25,7 @@ state_help(void)
static const struct option state_opts[] = {
{ "state", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
static int
Index: iptables/extensions/libxt_statistic.c
===================================================================
--- iptables.orig/extensions/libxt_statistic.c
+++ iptables/extensions/libxt_statistic.c
@@ -27,7 +27,7 @@ static const struct option statistic_opt
{ "probability", 1, NULL, '2' },
{ "every", 1, NULL, '3' },
{ "packet", 1, NULL, '4' },
- { .name = NULL }
+ {},
};
static struct xt_statistic_info *info;
Index: iptables/extensions/libxt_string.c
===================================================================
--- iptables.orig/extensions/libxt_string.c
+++ iptables/extensions/libxt_string.c
@@ -49,7 +49,7 @@ static const struct option string_opts[]
{ "algo", 1, NULL, '3' },
{ "string", 1, NULL, '4' },
{ "hex-string", 1, NULL, '5' },
- { .name = NULL }
+ {},
};
static void string_init(struct xt_entry_match *m)
Index: iptables/extensions/libxt_tcp.c
===================================================================
--- iptables.orig/extensions/libxt_tcp.c
+++ iptables/extensions/libxt_tcp.c
@@ -34,7 +34,7 @@ static const struct option tcp_opts[] =
{ "syn", 0, NULL, '3' },
{ "tcp-flags", 1, NULL, '4' },
{ "tcp-option", 1, NULL, '5' },
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/libxt_tcpmss.c
===================================================================
--- iptables.orig/extensions/libxt_tcpmss.c
+++ iptables/extensions/libxt_tcpmss.c
@@ -20,7 +20,7 @@ IPTABLES_VERSION);
static const struct option tcpmss_opts[] = {
{ "mss", 1, NULL, '1' },
- { .name = NULL }
+ {},
};
static u_int16_t
Index: iptables/extensions/libxt_time.c
===================================================================
--- iptables.orig/extensions/libxt_time.c
+++ iptables/extensions/libxt_time.c
@@ -44,7 +44,7 @@ static const struct option time_opts[] =
{"monthdays", true, NULL, 'm'},
{"localtz", false, NULL, 'l'},
{"utc", false, NULL, 'u'},
- { .name = NULL }
+ {},
};
static void time_help(void)
Index: iptables/extensions/libxt_tos.c
===================================================================
--- iptables.orig/extensions/libxt_tos.c
+++ iptables/extensions/libxt_tos.c
@@ -22,7 +22,7 @@ enum {
static const struct option tos_mt_opts[] = {
{.name = "tos", .has_arg = true, .val = 't'},
- { .name = NULL }
+ {},
};
static void tos_mt_help(void)
Index: iptables/extensions/libxt_u32.c
===================================================================
--- iptables.orig/extensions/libxt_u32.c
+++ iptables/extensions/libxt_u32.c
@@ -24,7 +24,7 @@
static const struct option u32_opts[] = {
{"u32", 1, NULL, 'u'},
- { .name = NULL }
+ {},
};
static void u32_help(void)
Index: iptables/extensions/libxt_udp.c
===================================================================
--- iptables.orig/extensions/libxt_udp.c
+++ iptables/extensions/libxt_udp.c
@@ -26,7 +26,7 @@ static const struct option udp_opts[] =
{ "sport", 1, NULL, '1' }, /* synonym */
{ "destination-port", 1, NULL, '2' },
{ "dport", 1, NULL, '2' }, /* synonym */
- { .name = NULL }
+ {},
};
static void
Index: iptables/extensions/tos_values.c
===================================================================
--- iptables.orig/extensions/tos_values.c
+++ iptables/extensions/tos_values.c
@@ -15,7 +15,7 @@ static const struct tos_symbol_info {
{IPTOS_RELIABILITY, "Maximize-Reliability"},
{IPTOS_MINCOST, "Minimize-Cost"},
{IPTOS_NORMALSVC, "Normal-Service"},
- { .name = NULL }
+ {},
};
/*
Index: iptables/iptables-xml.c
===================================================================
--- iptables.orig/iptables-xml.c
+++ iptables/iptables-xml.c
@@ -50,11 +50,11 @@ static int verbose = 0;
/* Whether to combine actions of sequential rules with identical conditions */
static int combine = 0;
/* Keeping track of external matches and targets. */
-static struct option options[] = {
- {"verbose", 0, 0, 'v'},
- {"combine", 0, 0, 'c'},
- {"help", 0, 0, 'h'},
- { .name = NULL }
+static const struct option options[] = {
+ {.name = "verbose", .has_arg = false, .val = 'v'},
+ {.name = "combine", .has_arg = false, .val = 'c'},
+ {.name = "help", .has_arg = false, .val = 'h'},
+ {},
};
static void
@@ -85,10 +85,10 @@ parse_counters(char *string, struct ipt_
/* global new argv and argc */
static char *newargv[255];
-static unsigned newargc = 0;
+static unsigned int newargc = 0;
static char *oldargv[255];
-static unsigned oldargc = 0;
+static unsigned int oldargc = 0;
/* arg meta data, were they quoted, frinstance */
static int newargvattr[255];
@@ -129,7 +129,7 @@ add_argv(char *what, int quoted)
static void
free_argv(void)
{
- unsigned i;
+ unsigned int i;
for (i = 0; i < newargc; i++) {
free(newargv[i]);
@@ -149,7 +149,7 @@ free_argv(void)
static void
save_argv(void)
{
- unsigned i;
+ unsigned int i;
for (i = 0; i < oldargc; i++)
free(oldargv[i]);
@@ -545,8 +545,8 @@ compareRules(void)
is the case when processing the ACTUAL output of actual iptables-save
rather than a file merely in a compatable format */
- unsigned old = 0;
- unsigned new = 0;
+ unsigned int old = 0;
+ unsigned int new = 0;
int compare = 0;
@@ -748,7 +748,7 @@ main(int argc, char *argv[])
ret = 1;
} else if (curTable[0]) {
- unsigned a;
+ unsigned int a;
char *ptr = buffer;
char *pcnt = NULL;
char *bcnt = NULL;
Index: iptables/xtables.c
===================================================================
--- iptables.orig/xtables.c
+++ iptables/xtables.c
@@ -257,11 +257,11 @@ int service_to_port(const char *name, co
u_int16_t parse_port(const char *port, const char *proto)
{
- unsigned portnum;
+ unsigned int portnum;
if ((string_to_number(port, 0, 65535, &portnum)) != -1 ||
- (portnum = service_to_port(port, proto)) != (unsigned)-1)
- return (u_int16_t)portnum;
+ (portnum = service_to_port(port, proto)) != -1)
+ return portnum;
exit_error(PARAMETER_PROBLEM,
"invalid port/service `%s' specified", port);
^ permalink raw reply [flat|nested] 27+ messages in thread* [03/10] [IPTABLES]: Fix -Wshadow warnings
From: Jan Engelhardt @ 2008-02-01 0:28 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Fix -Wshadow warnings.
Update deshadowed xt_sctp.h from kernel.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
configure.ac | 3 -
extensions/libipt_SAME.c | 12 ++---
extensions/libipt_addrtype.c | 4 -
extensions/libxt_RATEEST.c | 12 ++---
extensions/libxt_conntrack.c | 28 ++++++-------
extensions/libxt_hashlimit.c | 4 -
extensions/libxt_state.c | 12 ++---
extensions/libxt_statistic.c | 23 +++++++---
include/linux/netfilter/xt_sctp.h | 81 +++++++++++++++-----------------------
include/xtables.h | 2
ip6tables-save.c | 10 ++--
ip6tables.c | 12 ++---
iptables-save.c | 10 ++--
iptables-xml.c | 7 +--
iptables.c | 12 ++---
libiptc/libiptc.c | 49 ++++++++++------------
xtables.c | 4 -
17 files changed, 136 insertions(+), 149 deletions(-)
Index: iptables/configure.ac
===================================================================
--- iptables.orig/configure.ac
+++ iptables/configure.ac
@@ -46,8 +46,7 @@ kinclude_CFLAGS="-I\"$kbuilddir/include\
# Remove workarounds soon
regular_CFLAGS="$regular_CFLAGS -Wno-aggregate-return \
-Wno-missing-declarations -Wno-missing-prototypes \
- -Wno-unused-parameter \
- -Wno-shadow -Wno-inline"
+ -Wno-unused-parameter"
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
Index: iptables/extensions/libipt_SAME.c
===================================================================
--- iptables.orig/extensions/libipt_SAME.c
+++ iptables/extensions/libipt_SAME.c
@@ -149,7 +149,7 @@ static void SAME_print(const void *ip, c
unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
- int random = 0;
+ int random_selection = 0;
printf("same:");
@@ -167,13 +167,13 @@ static void SAME_print(const void *ip, c
else
printf("-%s ", ipaddr_to_numeric(&a));
if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
- random = 1;
+ random_selection = 1;
}
if (mr->info & IPT_SAME_NODST)
printf("nodst ");
- if (random)
+ if (random_selection)
printf("random ");
}
@@ -183,7 +183,7 @@ static void SAME_save(const void *ip, co
unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
- int random = 0;
+ int random_selection = 0;
for (count = 0; count < mr->rangesize; count++) {
struct ip_nat_range *r = &mr->range[count];
@@ -198,13 +198,13 @@ static void SAME_save(const void *ip, co
else
printf("-%s ", ipaddr_to_numeric(&a));
if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
- random = 1;
+ random_selection = 1;
}
if (mr->info & IPT_SAME_NODST)
printf("--nodst ");
- if (random)
+ if (random_selection)
printf("--random ");
}
Index: iptables/extensions/libipt_addrtype.c
===================================================================
--- iptables.orig/extensions/libipt_addrtype.c
+++ iptables/extensions/libipt_addrtype.c
@@ -49,12 +49,12 @@ static void addrtype_help(void)
}
static int
-parse_type(const char *name, size_t strlen, u_int16_t *mask)
+parse_type(const char *name, size_t len, u_int16_t *mask)
{
int i;
for (i = 0; rtn_names[i]; i++)
- if (strncasecmp(name, rtn_names[i], strlen) == 0) {
+ if (strncasecmp(name, rtn_names[i], len) == 0) {
/* build up bitmask for kernel module */
*mask |= (1 << i);
return 1;
Index: iptables/extensions/libxt_RATEEST.c
===================================================================
--- iptables.orig/extensions/libxt_RATEEST.c
+++ iptables/extensions/libxt_RATEEST.c
@@ -177,17 +177,17 @@ static void
__RATEEST_print(const struct xt_entry_target *target, const char *prefix)
{
struct xt_rateest_target_info *info = (void *)target->data;
- unsigned int interval;
- unsigned int ewma_log;
+ unsigned int local_interval;
+ unsigned int local_ewma_log;
- interval = (TIME_UNITS_PER_SEC << (info->interval + 2)) / 4;
- ewma_log = interval * (1 << (info->ewma_log));
+ local_interval = (TIME_UNITS_PER_SEC << (info->interval + 2)) / 4;
+ local_ewma_log = local_interval * (1 << (info->ewma_log));
printf("%sname %s ", prefix, info->name);
printf("%sinterval ", prefix);
- RATEEST_print_time(interval);
+ RATEEST_print_time(local_interval);
printf("%sewmalog ", prefix);
- RATEEST_print_time(ewma_log);
+ RATEEST_print_time(local_ewma_log);
}
static void
Index: iptables/extensions/libxt_conntrack.c
===================================================================
--- iptables.orig/extensions/libxt_conntrack.c
+++ iptables/extensions/libxt_conntrack.c
@@ -78,21 +78,21 @@ static const struct option conntrack_mt_
};
static int
-parse_state(const char *state, size_t strlen, struct xt_conntrack_info *sinfo)
+parse_state(const char *state, size_t len, struct xt_conntrack_info *sinfo)
{
- if (strncasecmp(state, "INVALID", strlen) == 0)
+ if (strncasecmp(state, "INVALID", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
+ else if (strncasecmp(state, "NEW", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
+ else if (strncasecmp(state, "ESTABLISHED", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
+ else if (strncasecmp(state, "RELATED", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
+ else if (strncasecmp(state, "UNTRACKED", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED;
- else if (strncasecmp(state, "SNAT", strlen) == 0)
+ else if (strncasecmp(state, "SNAT", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_SNAT;
- else if (strncasecmp(state, "DNAT", strlen) == 0)
+ else if (strncasecmp(state, "DNAT", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_DNAT;
else
return 0;
@@ -154,18 +154,18 @@ conntrack_ps_states(struct xt_conntrack_
}
static int
-parse_status(const char *status, size_t strlen, struct xt_conntrack_info *sinfo)
+parse_status(const char *status, size_t len, struct xt_conntrack_info *sinfo)
{
- if (strncasecmp(status, "NONE", strlen) == 0)
+ if (strncasecmp(status, "NONE", len) == 0)
sinfo->statusmask |= 0;
- else if (strncasecmp(status, "EXPECTED", strlen) == 0)
+ else if (strncasecmp(status, "EXPECTED", len) == 0)
sinfo->statusmask |= IPS_EXPECTED;
- else if (strncasecmp(status, "SEEN_REPLY", strlen) == 0)
+ else if (strncasecmp(status, "SEEN_REPLY", len) == 0)
sinfo->statusmask |= IPS_SEEN_REPLY;
- else if (strncasecmp(status, "ASSURED", strlen) == 0)
+ else if (strncasecmp(status, "ASSURED", len) == 0)
sinfo->statusmask |= IPS_ASSURED;
#ifdef IPS_CONFIRMED
- else if (strncasecmp(status, "CONFIRMED", strlen) == 0)
+ else if (strncasecmp(status, "CONFIRMED", len) == 0)
sinfo->statusmask |= IPS_CONFIRMED;
#endif
else
Index: iptables/extensions/libxt_hashlimit.c
===================================================================
--- iptables.orig/extensions/libxt_hashlimit.c
+++ iptables/extensions/libxt_hashlimit.c
@@ -106,10 +106,10 @@ static void hashlimit_init(struct xt_ent
/* Parse a 'mode' parameter into the required bitmask */
-static int parse_mode(struct xt_hashlimit_info *r, char *optarg)
+static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
{
char *tok;
- char *arg = strdup(optarg);
+ char *arg = strdup(option_arg);
if (!arg)
return -1;
Index: iptables/extensions/libxt_state.c
===================================================================
--- iptables.orig/extensions/libxt_state.c
+++ iptables/extensions/libxt_state.c
@@ -29,17 +29,17 @@ static const struct option state_opts[]
};
static int
-state_parse_state(const char *state, size_t strlen, struct xt_state_info *sinfo)
+state_parse_state(const char *state, size_t len, struct xt_state_info *sinfo)
{
- if (strncasecmp(state, "INVALID", strlen) == 0)
+ if (strncasecmp(state, "INVALID", len) == 0)
sinfo->statemask |= XT_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
+ else if (strncasecmp(state, "NEW", len) == 0)
sinfo->statemask |= XT_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
+ else if (strncasecmp(state, "ESTABLISHED", len) == 0)
sinfo->statemask |= XT_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
+ else if (strncasecmp(state, "RELATED", len) == 0)
sinfo->statemask |= XT_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
+ else if (strncasecmp(state, "UNTRACKED", len) == 0)
sinfo->statemask |= XT_STATE_UNTRACKED;
else
return 0;
Index: iptables/extensions/libxt_statistic.c
===================================================================
--- iptables.orig/extensions/libxt_statistic.c
+++ iptables/extensions/libxt_statistic.c
@@ -30,16 +30,20 @@ static const struct option statistic_opt
{},
};
-static struct xt_statistic_info *info;
+static struct xt_statistic_info *global_info;
+
+static void statistic_mt_init(struct xt_entry_match *match)
+{
+ global_info = (void *)match->data;
+}
static int
statistic_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
+ struct xt_statistic_info *info = (void *)(*match)->data;
double prob;
- info = (void *)(*match)->data;
-
if (invert)
info->flags |= XT_STATISTIC_INVERT;
@@ -100,25 +104,26 @@ static void statistic_check(unsigned int
if ((flags & 0x2) && (flags & (0x4 | 0x8)))
exit_error(PARAMETER_PROBLEM,
"both nth and random parameters given");
- if (flags & 0x2 && info->mode != XT_STATISTIC_MODE_RANDOM)
+ if (flags & 0x2 && global_info->mode != XT_STATISTIC_MODE_RANDOM)
exit_error(PARAMETER_PROBLEM,
"--probability can only be used in random mode");
- if (flags & 0x4 && info->mode != XT_STATISTIC_MODE_NTH)
+ if (flags & 0x4 && global_info->mode != XT_STATISTIC_MODE_NTH)
exit_error(PARAMETER_PROBLEM,
"--every can only be used in nth mode");
- if (flags & 0x8 && info->mode != XT_STATISTIC_MODE_NTH)
+ if (flags & 0x8 && global_info->mode != XT_STATISTIC_MODE_NTH)
exit_error(PARAMETER_PROBLEM,
"--packet can only be used in nth mode");
if ((flags & 0x8) && !(flags & 0x4))
exit_error(PARAMETER_PROBLEM,
"--packet can only be used with --every");
/* at this point, info->u.nth.every have been decreased. */
- if (info->u.nth.packet > info->u.nth.every)
+ if (global_info->u.nth.packet > global_info->u.nth.every)
exit_error(PARAMETER_PROBLEM,
"the --packet p must be 0 <= p <= n-1");
- info->u.nth.count = info->u.nth.every - info->u.nth.packet;
+ global_info->u.nth.count = global_info->u.nth.every -
+ global_info->u.nth.packet;
}
/* Prints out the matchinfo. */
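Review bot: The comment `/* at this point, info->u.nth.every have been decreased. */` still names `info`, which the surrounding lines of this hunk rename to `global_info`; it should read `/* at this point, global_info->u.nth.every has been decreased (see statistic_parse). */`. More substantively, `global_info` is assigned only in `statistic_mt_init` (first libxt_statistic hunk) and is dereferenced here with no NULL guard, and because it is a single file-scope pointer it tracks only the most recently initialised match, so the nth/packet consistency check presumably reads the wrong match's data when `-m statistic` appears more than once in a rule. A comment on the `global_info` declaration stating that limitation, and `if (global_info == NULL) return;` at the top of the check if init is not guaranteed to have run, would make the contract visible. statistic_check's signature is outside the hunk.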
@@ -164,6 +169,7 @@ static struct xtables_match statistic_ma
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_statistic_info)),
.userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
+ .init = statistic_mt_init,
.help = statistic_help,
.parse = statistic_parse,
.final_check = statistic_check,
@@ -178,6 +184,7 @@ static struct xtables_match statistic_ma
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_statistic_info)),
.userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
+ .init = statistic_mt_init,
.help = statistic_help,
.parse = statistic_parse,
.final_check = statistic_check,
Index: iptables/include/linux/netfilter/xt_sctp.h
===================================================================
--- iptables.orig/include/linux/netfilter/xt_sctp.h
+++ iptables/include/linux/netfilter/xt_sctp.h
@@ -7,7 +7,8 @@
#define XT_SCTP_VALID_FLAGS 0x07
-#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
+/* temporary */
+#define SCTP_ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
struct xt_sctp_flag_info {
@@ -40,68 +41,54 @@ struct xt_sctp_info {
#define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \
- chunkmap[type / bytes(u_int32_t)] |= \
+ (chunkmap)[type / bytes(u_int32_t)] |= \
1 << (type % bytes(u_int32_t)); \
} while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \
- chunkmap[type / bytes(u_int32_t)] &= \
+ (chunkmap)[type / bytes(u_int32_t)] &= \
~(1 << (type % bytes(u_int32_t))); \
} while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \
- (chunkmap[type / bytes (u_int32_t)] & \
+ ((chunkmap)[type / bytes (u_int32_t)] & \
(1 << (type % bytes (u_int32_t)))) ? 1: 0; \
})
-#define SCTP_CHUNKMAP_RESET(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
- chunkmap[i] = 0; \
- } while (0)
+#define SCTP_CHUNKMAP_RESET(chunkmap) \
+ memset((chunkmap), 0, sizeof(chunkmap))
-#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
- chunkmap[i] = ~0; \
- } while (0)
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
+ memset((chunkmap), ~0U, sizeof(chunkmap))
-#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
- do { \
- int i; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
- destmap[i] = srcmap[i]; \
- } while (0)
-
-#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
- if (chunkmap[i]) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
+ memcpy((destmap), (srcmap), sizeof(srcmap))
-#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
- if (chunkmap[i] != ~0) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
+ __sctp_chunkmap_is_clear((chunkmap), SCTP_ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_clear(const u_int32_t *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i])
+ return false;
+ return true;
+}
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
+ __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_all_set(const u_int32_t *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i] != ~0U)
+ return false;
+ return true;
+}
#endif /* _XT_SCTP_H_ */
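Review bot: `SCTP_CHUNKMAP_IS_ALL_SET` expands to `ARRAY_SIZE(chunkmap)` while its sibling `SCTP_CHUNKMAP_IS_CLEAR` uses the `SCTP_ARRAY_SIZE` macro the first xt_sctp.h hunk introduces; nothing in this header defines `ARRAY_SIZE`, so any user of `SCTP_CHUNKMAP_IS_ALL_SET` fails to compile unless the including file happens to define it. The line should be `__sctp_chunkmap_is_all_set((chunkmap), SCTP_ARRAY_SIZE(chunkmap))`. Two further points: `__sctp_chunkmap_is_clear` and `__sctp_chunkmap_is_all_set` begin with a double underscore, which C reserves for the implementation, and the `memset`/`memcpy`-based RESET, SET_ALL and COPY take `sizeof` of their argument, so they are only correct when that argument is an actual array rather than a pointer — the `/* temporary */` comment on `SCTP_ARRAY_SIZE` should be replaced by one stating that requirement, e.g. `/* chunkmap arguments must be arrays, not pointers: sizeof is used for their length */`.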
Index: iptables/include/xtables.h
===================================================================
--- iptables.orig/include/xtables.h
+++ iptables/include/xtables.h
@@ -176,7 +176,7 @@ extern char *lib_dir;
extern void *fw_calloc(size_t count, size_t size);
extern void *fw_malloc(size_t size);
-extern const char *modprobe;
+extern const char *modprobe_program;
extern int xtables_insmod(const char *modname, const char *modprobe, int quiet);
extern int load_xtables_ko(const char *modprobe, int quiet);
Index: iptables/ip6tables-save.c
===================================================================
--- iptables.orig/ip6tables-save.c
+++ iptables/ip6tables-save.c
@@ -21,7 +21,7 @@
#include <dlfcn.h>
#endif
-static int binary = 0, counters = 0;
+static int show_binary = 0, show_counters = 0;
static struct option options[] = {
{ "binary", 0, 0, 'b' },
@@ -264,7 +264,7 @@ static int do_output(const char *tablena
exit_error(OTHER_PROBLEM, "Can't initialize: %s\n",
ip6tc_strerror(errno));
- if (!binary) {
+ if (!show_binary) {
time_t now = time(NULL);
printf("# Generated by ip6tables-save v%s on %s",
@@ -297,7 +297,7 @@ static int do_output(const char *tablena
/* Dump out rules */
e = ip6tc_first_rule(chain, &h);
while(e) {
- print_rule(e, &h, chain, counters);
+ print_rule(e, &h, chain, show_counters);
e = ip6tc_next_rule(e, &h);
}
}
@@ -342,11 +342,11 @@ int main(int argc, char *argv[])
while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
switch (c) {
case 'b':
- binary = 1;
+ show_binary = 1;
break;
case 'c':
- counters = 1;
+ show_counters = 1;
break;
case 't':
Index: iptables/ip6tables.c
===================================================================
--- iptables.orig/ip6tables.c
+++ iptables/ip6tables.c
@@ -440,16 +440,16 @@ add_command(unsigned int *cmd, const int
}
int
-check_inverse(const char option[], int *invert, int *optind, int argc)
+check_inverse(const char option[], int *invert, int *my_optind, int argc)
{
if (option && strcmp(option, "!") == 0) {
if (*invert)
exit_error(PARAMETER_PROBLEM,
"Multiple `!' flags not allowed");
*invert = TRUE;
- if (optind) {
- *optind = *optind+1;
- if (argc && *optind > argc)
+ if (my_optind != NULL) {
+ ++*my_optind;
+ if (argc && *my_optind > argc)
exit_error(PARAMETER_PROBLEM,
"no argument following `!'");
}
@@ -1492,7 +1492,7 @@ int do_command6(int argc, char *argv[],
break;
case 'M':
- modprobe = optarg;
+ modprobe_program = optarg;
break;
case 'c':
@@ -1673,7 +1673,7 @@ int do_command6(int argc, char *argv[],
*handle = ip6tc_init(*table);
/* try to insmod the module if iptc_init failed */
- if (!*handle && load_xtables_ko(modprobe, 0) != -1)
+ if (!*handle && load_xtables_ko(modprobe_program, 0) != -1)
*handle = ip6tc_init(*table);
if (!*handle)
Index: iptables/iptables-save.c
===================================================================
--- iptables.orig/iptables-save.c
+++ iptables/iptables-save.c
@@ -20,7 +20,7 @@
#include <dlfcn.h>
#endif
-static int binary = 0, counters = 0;
+static int show_binary = 0, show_counters = 0;
static struct option options[] = {
{ "binary", 0, 0, 'b' },
@@ -287,7 +287,7 @@ static int do_output(const char *tablena
exit_error(OTHER_PROBLEM, "Can't initialize: %s\n",
iptc_strerror(errno));
- if (!binary) {
+ if (!show_binary) {
time_t now = time(NULL);
printf("# Generated by iptables-save v%s on %s",
@@ -320,7 +320,7 @@ static int do_output(const char *tablena
/* Dump out rules */
e = iptc_first_rule(chain, &h);
while(e) {
- print_rule(e, &h, chain, counters);
+ print_rule(e, &h, chain, show_counters);
e = iptc_next_rule(e, &h);
}
}
@@ -367,11 +367,11 @@ main(int argc, char *argv[])
while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
switch (c) {
case 'b':
- binary = 1;
+ show_binary = 1;
break;
case 'c':
- counters = 1;
+ show_counters = 1;
break;
case 't':
Index: iptables/iptables-xml.c
===================================================================
--- iptables.orig/iptables-xml.c
+++ iptables/iptables-xml.c
@@ -99,16 +99,15 @@ char closeRuleTag[IPT_TABLE_MAXNAMELEN +
char curTable[IPT_TABLE_MAXNAMELEN + 1];
char curChain[IPT_CHAIN_MAXNAMELEN + 1];
-typedef struct chain
-{
+struct chain {
char *chain;
char *policy;
struct ipt_counters count;
int created;
-} chain;
+};
#define maxChains 10240 /* max chains per table */
-static chain chains[maxChains];
+static struct chain chains[maxChains];
static int nextChain = 0;
/* funCtion adding one argument to newargv, updating newargc
Index: iptables/iptables.c
===================================================================
--- iptables.orig/iptables.c
+++ iptables/iptables.c
@@ -447,16 +447,16 @@ add_command(unsigned int *cmd, const int
}
int
-check_inverse(const char option[], int *invert, int *optind, int argc)
+check_inverse(const char option[], int *invert, int *my_optind, int argc)
{
if (option && strcmp(option, "!") == 0) {
if (*invert)
exit_error(PARAMETER_PROBLEM,
"Multiple `!' flags not allowed");
*invert = TRUE;
- if (optind) {
- *optind = *optind+1;
- if (argc && *optind > argc)
+ if (my_optind != NULL) {
+ ++*my_optind;
+ if (argc && *my_optind > argc)
exit_error(PARAMETER_PROBLEM,
"no argument following `!'");
}
@@ -1529,7 +1529,7 @@ int do_command(int argc, char *argv[], c
break;
case 'M':
- modprobe = optarg;
+ modprobe_program = optarg;
break;
case 'c':
@@ -1712,7 +1712,7 @@ int do_command(int argc, char *argv[], c
*handle = iptc_init(*table);
/* try to insmod the module if iptc_init failed */
- if (!*handle && load_xtables_ko(modprobe, 0) != -1)
+ if (!*handle && load_xtables_ko(modprobe_program, 0) != -1)
*handle = iptc_init(*table);
if (!*handle)
Index: iptables/libiptc/libiptc.c
===================================================================
--- iptables.orig/libiptc/libiptc.c
+++ iptables/libiptc/libiptc.c
@@ -317,7 +317,7 @@ static inline unsigned int iptcc_is_buil
* is sorted by name.
*/
static struct list_head *
-iptcc_bsearch_chain_index(const char *name, unsigned int *index, TC_HANDLE_T handle)
+iptcc_bsearch_chain_index(const char *name, unsigned int *idx, TC_HANDLE_T handle)
{
unsigned int pos, end;
int res;
@@ -346,7 +346,7 @@ iptcc_bsearch_chain_index(const char *na
res = strcmp(name, handle->chain_index[pos]->name);
list_pos = &handle->chain_index[pos]->list;
- (*index)=pos;
+ *idx = pos;
debug("bsearch Index[%d] name:%s res:%d ",
pos, handle->chain_index[pos]->name, res);
@@ -536,9 +536,9 @@ static int iptcc_chain_index_delete_chai
{
struct list_head *index_ptr, *index_ptr2, *next;
struct chain_head *c2;
- unsigned int index, index2;
+ unsigned int idx, idx2;
- index_ptr = iptcc_bsearch_chain_index(c->name, &index, h);
+ index_ptr = iptcc_bsearch_chain_index(c->name, &idx, h);
debug("Del chain[%s] c->list:%p index_ptr:%p\n",
c->name, &c->list, index_ptr);
@@ -554,15 +554,15 @@ static int iptcc_chain_index_delete_chai
* is located in the same index bucket.
*/
c2 = list_entry(next, struct chain_head, list);
- index_ptr2 = iptcc_bsearch_chain_index(c2->name, &index2, h);
- if (index != index2) {
+ index_ptr2 = iptcc_bsearch_chain_index(c2->name, &idx2, h);
+ if (idx != idx2) {
/* Rebuild needed */
return iptcc_chain_index_rebuild(h);
} else {
/* Avoiding rebuild */
debug("Update cindex[%d] with next ptr name:[%s]\n",
- index, c2->name);
- h->chain_index[index]=c2;
+ idx, c2->name);
+ h->chain_index[idx]=c2;
return 0;
}
}
@@ -962,18 +962,18 @@ static int parse_table(TC_HANDLE_T h)
list_for_each_entry(c, &h->chains, list) {
struct rule_head *r;
list_for_each_entry(r, &c->rules, list) {
- struct chain_head *c;
+ struct chain_head *lc;
STRUCT_STANDARD_TARGET *t;
if (r->type != IPTCC_R_JUMP)
continue;
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
- c = iptcc_find_chain_by_offset(h, t->verdict);
- if (!c)
+ lc = iptcc_find_chain_by_offset(h, t->verdict);
+ if (!lc)
return -1;
- r->jump = c;
- c->references++;
+ r->jump = lc;
+ lc->references++;
}
}
@@ -2395,16 +2395,14 @@ subtract_counters(STRUCT_COUNTERS *answe
}
-static void counters_nomap(STRUCT_COUNTERS_INFO *newcounters,
- unsigned int index)
+static void counters_nomap(STRUCT_COUNTERS_INFO *newcounters, unsigned int idx)
{
- newcounters->counters[index] = ((STRUCT_COUNTERS) { 0, 0});
+ newcounters->counters[idx] = ((STRUCT_COUNTERS) { 0, 0});
DEBUGP_C("NOMAP => zero\n");
}
static void counters_normal_map(STRUCT_COUNTERS_INFO *newcounters,
- STRUCT_REPLACE *repl,
- unsigned int index,
+ STRUCT_REPLACE *repl, unsigned int idx,
unsigned int mappos)
{
/* Original read: X.
@@ -2414,15 +2412,13 @@ static void counters_normal_map(STRUCT_C
* => Add in X + Y
* => Add in replacement read.
*/
- newcounters->counters[index] = repl->counters[mappos];
+ newcounters->counters[idx] = repl->counters[mappos];
DEBUGP_C("NORMAL_MAP => mappos %u \n", mappos);
}
static void counters_map_zeroed(STRUCT_COUNTERS_INFO *newcounters,
- STRUCT_REPLACE *repl,
- unsigned int index,
- unsigned int mappos,
- STRUCT_COUNTERS *counters)
+ STRUCT_REPLACE *repl, unsigned int idx,
+ unsigned int mappos, STRUCT_COUNTERS *counters)
{
/* Original read: X.
* Atomic read on replacement: X + Y.
@@ -2431,19 +2427,18 @@ static void counters_map_zeroed(STRUCT_C
* => Add in Y.
* => Add in (replacement read - original read).
*/
- subtract_counters(&newcounters->counters[index],
+ subtract_counters(&newcounters->counters[idx],
&repl->counters[mappos],
counters);
DEBUGP_C("ZEROED => mappos %u\n", mappos);
}
static void counters_map_set(STRUCT_COUNTERS_INFO *newcounters,
- unsigned int index,
- STRUCT_COUNTERS *counters)
+ unsigned int idx, STRUCT_COUNTERS *counters)
{
/* Want to set counter (iptables-restore) */
- memcpy(&newcounters->counters[index], counters,
+ memcpy(&newcounters->counters[idx], counters,
sizeof(STRUCT_COUNTERS));
DEBUGP_C("SET\n");
Index: iptables/xtables.c
===================================================================
--- iptables.orig/xtables.c
+++ iptables/xtables.c
@@ -46,7 +46,7 @@
char *lib_dir;
/* the path to command to load kernel module */
-const char *modprobe = NULL;
+const char *modprobe_program = NULL;
/* Keeping track of external matches and targets: linked lists. */
struct xtables_match *xtables_matches;
@@ -488,7 +488,7 @@ static int compatible_revision(const cha
exit(1);
}
- load_xtables_ko(modprobe, 1);
+ load_xtables_ko(modprobe_program, 1);
strcpy(rev.name, name);
rev.revision = revision;
^ permalink raw reply [flat|nested] 27+ messages in thread* [04/10] [IPTABLES]: Fix all remaining warnings
From: Jan Engelhardt @ 2008-02-01 0:28 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Fix all remaining warnings (missing declarations, missing prototypes).
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
configure.ac | 5 -----
extensions/GNUmakefile.in | 2 ++
extensions/libip6t_HL.c | 1 +
extensions/libip6t_LOG.c | 1 +
extensions/libip6t_REJECT.c | 1 +
extensions/libip6t_ah.c | 4 ++--
extensions/libip6t_condition.c | 5 ++---
extensions/libip6t_dst.c | 4 ++--
extensions/libip6t_eui64.c | 1 +
extensions/libip6t_frag.c | 4 ++--
extensions/libip6t_hbh.c | 4 ++--
extensions/libip6t_hl.c | 2 +-
extensions/libip6t_icmp6.c | 1 +
extensions/libip6t_ipv6header.c | 1 +
extensions/libip6t_mh.c | 1 +
extensions/libip6t_policy.c | 6 +-----
extensions/libip6t_rt.c | 4 ++--
extensions/libipt_CLUSTERIP.c | 1 +
extensions/libipt_DNAT.c | 1 +
extensions/libipt_ECN.c | 1 +
extensions/libipt_LOG.c | 1 +
extensions/libipt_MASQUERADE.c | 1 +
extensions/libipt_MIRROR.c | 1 +
extensions/libipt_NETMAP.c | 1 +
extensions/libipt_REDIRECT.c | 1 +
extensions/libipt_REJECT.c | 1 +
extensions/libipt_SAME.c | 1 +
extensions/libipt_SET.c | 1 +
extensions/libipt_SNAT.c | 1 +
extensions/libipt_TTL.c | 1 +
extensions/libipt_ULOG.c | 3 ++-
extensions/libipt_addrtype.c | 2 +-
extensions/libipt_ah.c | 4 ++--
extensions/libipt_condition.c | 5 ++---
extensions/libipt_ecn.c | 1 +
extensions/libipt_icmp.c | 1 +
extensions/libipt_policy.c | 1 +
extensions/libipt_realm.c | 1 +
extensions/libipt_recent.c | 1 +
extensions/libipt_set.c | 1 +
extensions/libipt_ttl.c | 2 +-
extensions/libipt_unclean.c | 1 +
extensions/libxt_CLASSIFY.c | 1 +
extensions/libxt_CONNMARK.c | 1 +
extensions/libxt_CONNSECMARK.c | 1 +
extensions/libxt_DSCP.c | 1 +
extensions/libxt_MARK.c | 1 +
extensions/libxt_NFLOG.c | 1 +
extensions/libxt_NFQUEUE.c | 1 +
extensions/libxt_NOTRACK.c | 1 +
extensions/libxt_RATEEST.c | 1 +
extensions/libxt_SECMARK.c | 1 +
extensions/libxt_TCPMSS.c | 1 +
extensions/libxt_TCPOPTSTRIP.c | 1 +
extensions/libxt_TOS.c | 1 +
extensions/libxt_TRACE.c | 1 +
extensions/libxt_comment.c | 1 +
extensions/libxt_connbytes.c | 1 +
extensions/libxt_connlimit.c | 1 +
extensions/libxt_connmark.c | 1 +
extensions/libxt_conntrack.c | 1 +
extensions/libxt_dccp.c | 1 +
extensions/libxt_dscp.c | 1 +
extensions/libxt_esp.c | 4 ++--
extensions/libxt_hashlimit.c | 1 +
extensions/libxt_helper.c | 1 +
extensions/libxt_iprange.c | 1 +
extensions/libxt_length.c | 1 +
extensions/libxt_limit.c | 1 +
extensions/libxt_mac.c | 1 +
extensions/libxt_mark.c | 1 +
extensions/libxt_multiport.c | 4 ++--
extensions/libxt_owner.c | 1 +
extensions/libxt_physdev.c | 1 +
extensions/libxt_pkttype.c | 1 +
extensions/libxt_quota.c | 4 ++--
extensions/libxt_rateest.c | 1 +
extensions/libxt_sctp.c | 1 +
extensions/libxt_standard.c | 1 +
extensions/libxt_state.c | 1 +
extensions/libxt_statistic.c | 1 +
extensions/libxt_string.c | 1 +
extensions/libxt_tcp.c | 4 ++--
extensions/libxt_tcpmss.c | 1 +
extensions/libxt_time.c | 1 +
extensions/libxt_tos.c | 1 +
extensions/libxt_u32.c | 1 +
extensions/libxt_udp.c | 4 ++--
include/iptables.h | 2 --
include/libiptc/libip6tc.h | 2 ++
include/libiptc/libiptc.h | 2 ++
include/xtables.h | 3 +++
ip6tables-multi.h | 8 ++++++++
ip6tables-restore.c | 4 +++-
ip6tables-save.c | 1 +
ip6tables-standalone.c | 1 +
ip6tables.c | 6 ++----
iptables-multi.h | 9 +++++++++
iptables-restore.c | 3 ++-
iptables-save.c | 1 +
iptables-standalone.c | 1 +
iptables-xml.c | 1 +
iptables.c | 4 +---
libiptc/libiptc.c | 9 ++++-----
104 files changed, 143 insertions(+), 58 deletions(-)
Index: iptables/configure.ac
===================================================================
--- iptables.orig/configure.ac
+++ iptables/configure.ac
@@ -43,11 +43,6 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D
-DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
-# Remove workarounds soon
-regular_CFLAGS="$regular_CFLAGS -Wno-aggregate-return \
- -Wno-missing-declarations -Wno-missing-prototypes \
- -Wno-unused-parameter"
-
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
Index: iptables/extensions/GNUmakefile.in
===================================================================
--- iptables.orig/extensions/GNUmakefile.in
+++ iptables/extensions/GNUmakefile.in
@@ -143,6 +143,7 @@ initext4.c: .initext4.dd
for i in ${initext_func}; do \
echo "extern void lib$${i}_init(void);" >>$@; \
done; \
+ echo -en "void init_extensions(void);\n" >>$@; \
echo -en "void init_extensions(void)\n""{\n" >>$@; \
for i in ${initext_func}; do \
echo -e "\t""lib$${i}_init();" >>$@; \
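Review bot: Generating `void init_extensions(void);` directly ahead of the definition in initext4.c silences -Wmissing-prototypes but gives the compiler nothing independent to check the definition against, because the same echo recipe writes both the declaration and the definition. If this series places the declaration in a shared header (the diffstat lists include/xtables.h and the *-multi.h headers, which may be where it lands), the generated file could instead `#include` that header so callers and definition are checked against one prototype. The second hunk in this file (initext6.c) has the same shape and the same remark applies. The recipe already depends on `echo -en` being bash's echo rather than POSIX echo, so the new line is at least consistent with its neighbours.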
@@ -157,6 +158,7 @@ initext6.c: .initext6.dd
for i in ${initext6_func}; do \
echo "extern void lib$${i}_init(void);" >>$@; \
done; \
+ echo -en "void init_extensions(void);\n" >>$@; \
echo -en "void init_extensions(void)\n""{\n" >>$@; \
for i in ${initext6_func}; do \
echo -e "\t""lib$${i}_init();" >>$@; \
Index: iptables/extensions/libip6t_HL.c
===================================================================
--- iptables.orig/extensions/libip6t_HL.c
+++ iptables/extensions/libip6t_HL.c
@@ -152,6 +152,7 @@ static struct ip6tables_target hl_target
.extra_opts = HL_opts,
};
+void _init(void);
void _init(void)
{
register_target6(&hl_target6);
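Review bot: Writing `void _init(void);` on the line before each `_init` definition silences -Wmissing-prototypes but checks nothing, since declaration and definition are adjacent and can never disagree; one declaration in the shared extension header (include/xtables.h appears in the diffstat and may already be the intended home) would cover every extension at once. This hunk is the first of the pattern; the same one-line addition recurs in every libip6t_*, libipt_* and libxt_* hunk below, so the remark applies to all of them. Separately, `_init` begins with an underscore and is a reserved file-scope identifier in C99 7.1.3, and the mechanism presumably relies on the ELF convention that `_init` is the shared object's DT_INIT entry; a `__attribute__((constructor))` function with an unreserved name would be a more robust hook, though that is a larger change than this warning cleanup. The body of `_init` continues past the end of the hunk.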
Index: iptables/extensions/libip6t_LOG.c
===================================================================
--- iptables.orig/extensions/libip6t_LOG.c
+++ iptables/extensions/libip6t_LOG.c
@@ -269,6 +269,7 @@ static struct ip6tables_target log_targe
.extra_opts = LOG_opts,
};
+void _init(void);
void _init(void)
{
register_target6(&log_target6);
Index: iptables/extensions/libip6t_REJECT.c
===================================================================
--- iptables.orig/extensions/libip6t_REJECT.c
+++ iptables/extensions/libip6t_REJECT.c
@@ -151,6 +151,7 @@ static struct ip6tables_target reject_ta
.extra_opts = REJECT_opts,
};
+void _init(void);
void _init(void)
{
register_target6(&reject_target6);
Index: iptables/extensions/libip6t_ah.c
===================================================================
--- iptables.orig/extensions/libip6t_ah.c
+++ iptables/extensions/libip6t_ah.c
@@ -206,8 +206,8 @@ static struct ip6tables_match ah_match6
.extra_opts = ah_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&ah_match6);
}
Index: iptables/extensions/libip6t_condition.c
===================================================================
--- iptables.orig/extensions/libip6t_condition.c
+++ iptables/extensions/libip6t_condition.c
@@ -87,9 +87,8 @@ static struct ip6tables_match condition_
.extra_opts = condition_opts,
};
-
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&condition_match6);
}
Index: iptables/extensions/libip6t_dst.c
===================================================================
--- iptables.orig/extensions/libip6t_dst.c
+++ iptables/extensions/libip6t_dst.c
@@ -240,8 +240,8 @@ static struct ip6tables_match dst_match6
.extra_opts = dst_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&dst_match6);
}
Index: iptables/extensions/libip6t_eui64.c
===================================================================
--- iptables.orig/extensions/libip6t_eui64.c
+++ iptables/extensions/libip6t_eui64.c
@@ -38,6 +38,7 @@ static struct ip6tables_match eui64_targ
.parse = eui64_parse,
};
+void _init(void);
void _init(void)
{
register_match6(&eui64_target6);
Index: iptables/extensions/libip6t_frag.c
===================================================================
--- iptables.orig/extensions/libip6t_frag.c
+++ iptables/extensions/libip6t_frag.c
@@ -251,8 +251,8 @@ static struct ip6tables_match frag_match
.extra_opts = frag_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&frag_match6);
}
Index: iptables/extensions/libip6t_hbh.c
===================================================================
--- iptables.orig/extensions/libip6t_hbh.c
+++ iptables/extensions/libip6t_hbh.c
@@ -227,8 +227,8 @@ static struct ip6tables_match hbh_match6
.extra_opts = hbh_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&hbh_match6);
}
Index: iptables/extensions/libip6t_hl.c
===================================================================
--- iptables.orig/extensions/libip6t_hl.c
+++ iptables/extensions/libip6t_hl.c
@@ -138,7 +138,7 @@ static struct ip6tables_match hl_match6
.extra_opts = hl_opts,
};
-
+void _init(void);
void _init(void)
{
register_match6(&hl_match6);
Index: iptables/extensions/libip6t_icmp6.c
===================================================================
--- iptables.orig/extensions/libip6t_icmp6.c
+++ iptables/extensions/libip6t_icmp6.c
@@ -265,6 +265,7 @@ static struct ip6tables_match icmp6_matc
.extra_opts = icmp6_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&icmp6_match6);
Index: iptables/extensions/libip6t_ipv6header.c
===================================================================
--- iptables.orig/extensions/libip6t_ipv6header.c
+++ iptables/extensions/libip6t_ipv6header.c
@@ -300,6 +300,7 @@ static struct ip6tables_match ipv6header
.extra_opts = ipv6header_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&ipv6header_match6);
Index: iptables/extensions/libip6t_mh.c
===================================================================
--- iptables.orig/extensions/libip6t_mh.c
+++ iptables/extensions/libip6t_mh.c
@@ -236,6 +236,7 @@ static struct ip6tables_match mh_match6
.extra_opts = mh_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&mh_match6);
Index: iptables/extensions/libip6t_policy.c
===================================================================
--- iptables.orig/extensions/libip6t_policy.c
+++ iptables/extensions/libip6t_policy.c
@@ -126,11 +126,6 @@ mask_to_numeric(const struct in6_addr *a
return buf;
}
-/* These should be in include/ip6tables.h... */
-extern u_int16_t parse_protocol(const char *s);
-
-/* End duplicated code from ip6tables.c */
-
static int parse_direction(char *s)
{
if (strcmp(s, "in") == 0)
@@ -461,6 +456,7 @@ static struct ip6tables_match policy_mat
.extra_opts = policy_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&policy_match6);
Index: iptables/extensions/libip6t_rt.c
===================================================================
--- iptables.orig/extensions/libip6t_rt.c
+++ iptables/extensions/libip6t_rt.c
@@ -342,8 +342,8 @@ static struct ip6tables_match rt_match6
.extra_opts = rt_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&rt_match6);
}
Index: iptables/extensions/libipt_CLUSTERIP.c
===================================================================
--- iptables.orig/extensions/libipt_CLUSTERIP.c
+++ iptables/extensions/libipt_CLUSTERIP.c
@@ -248,6 +248,7 @@ static struct iptables_target clusterip_
.extra_opts = CLUSTERIP_opts,
};
+void _init(void);
void _init(void)
{
register_target(&clusterip_target);
Index: iptables/extensions/libipt_DNAT.c
===================================================================
--- iptables.orig/extensions/libipt_DNAT.c
+++ iptables/extensions/libipt_DNAT.c
@@ -256,6 +256,7 @@ static struct iptables_target dnat_targe
.extra_opts = DNAT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&dnat_target);
Index: iptables/extensions/libipt_ECN.c
===================================================================
--- iptables.orig/extensions/libipt_ECN.c
+++ iptables/extensions/libipt_ECN.c
@@ -166,6 +166,7 @@ static struct iptables_target ecn_target
.extra_opts = ECN_opts,
};
+void _init(void);
void _init(void)
{
register_target(&ecn_target);
Index: iptables/extensions/libipt_LOG.c
===================================================================
--- iptables.orig/extensions/libipt_LOG.c
+++ iptables/extensions/libipt_LOG.c
@@ -271,6 +271,7 @@ static struct iptables_target log_target
.extra_opts = LOG_opts,
};
+void _init(void);
void _init(void)
{
register_target(&log_target);
Index: iptables/extensions/libipt_MASQUERADE.c
===================================================================
--- iptables.orig/extensions/libipt_MASQUERADE.c
+++ iptables/extensions/libipt_MASQUERADE.c
@@ -164,6 +164,7 @@ static struct iptables_target masquerade
.extra_opts = MASQUERADE_opts,
};
+void _init(void);
void _init(void)
{
register_target(&masquerade_target);
Index: iptables/extensions/libipt_MIRROR.c
===================================================================
--- iptables.orig/extensions/libipt_MIRROR.c
+++ iptables/extensions/libipt_MIRROR.c
@@ -34,6 +34,7 @@ static struct iptables_target mirror_tar
.save = NULL,
};
+void _init(void);
void _init(void)
{
register_target(&mirror_target);
Index: iptables/extensions/libipt_NETMAP.c
===================================================================
--- iptables.orig/extensions/libipt_NETMAP.c
+++ iptables/extensions/libipt_NETMAP.c
@@ -184,6 +184,7 @@ static struct iptables_target netmap_tar
.extra_opts = NETMAP_opts,
};
+void _init(void);
void _init(void)
{
register_target(&netmap_target);
Index: iptables/extensions/libipt_REDIRECT.c
===================================================================
--- iptables.orig/extensions/libipt_REDIRECT.c
+++ iptables/extensions/libipt_REDIRECT.c
@@ -170,6 +170,7 @@ static struct iptables_target redirect_t
.extra_opts = REDIRECT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&redirect_target);
Index: iptables/extensions/libipt_REJECT.c
===================================================================
--- iptables.orig/extensions/libipt_REJECT.c
+++ iptables/extensions/libipt_REJECT.c
@@ -170,6 +170,7 @@ static struct iptables_target reject_tar
.extra_opts = REJECT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&reject_target);
Index: iptables/extensions/libipt_SAME.c
===================================================================
--- iptables.orig/extensions/libipt_SAME.c
+++ iptables/extensions/libipt_SAME.c
@@ -222,6 +222,7 @@ static struct iptables_target same_targe
.extra_opts = SAME_opts,
};
+void _init(void);
void _init(void)
{
register_target(&same_target);
Index: iptables/extensions/libipt_SET.c
===================================================================
--- iptables.orig/extensions/libipt_SET.c
+++ iptables/extensions/libipt_SET.c
@@ -168,6 +168,7 @@ static struct iptables_target set_target
.extra_opts = SET_opts,
};
+void _init(void);
void _init(void)
{
register_target(&set_target);
Index: iptables/extensions/libipt_SNAT.c
===================================================================
--- iptables.orig/extensions/libipt_SNAT.c
+++ iptables/extensions/libipt_SNAT.c
@@ -257,6 +257,7 @@ static struct iptables_target snat_targe
.extra_opts = SNAT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&snat_target);
Index: iptables/extensions/libipt_TTL.c
===================================================================
--- iptables.orig/extensions/libipt_TTL.c
+++ iptables/extensions/libipt_TTL.c
@@ -153,6 +153,7 @@ static struct iptables_target ttl_target
.extra_opts = TTL_opts,
};
+void _init(void);
void _init(void)
{
register_target(&ttl_target);
Index: iptables/extensions/libipt_ULOG.c
===================================================================
--- iptables.orig/extensions/libipt_ULOG.c
+++ iptables/extensions/libipt_ULOG.c
@@ -21,7 +21,7 @@
#include "../include/linux/netfilter_ipv4/ipt_ULOG.h"
-void print_groups(unsigned int gmask)
+static void print_groups(unsigned int gmask)
{
int b;
unsigned int test;
@@ -199,6 +199,7 @@ static struct iptables_target ulog_targe
.extra_opts = ULOG_opts,
};
+void _init(void);
void _init(void)
{
register_target(&ulog_target);
Index: iptables/extensions/libipt_addrtype.c
===================================================================
--- iptables.orig/extensions/libipt_addrtype.c
+++ iptables/extensions/libipt_addrtype.c
@@ -196,7 +196,7 @@ static struct iptables_match addrtype_ma
.extra_opts = addrtype_opts,
};
-
+void _init(void);
void _init(void)
{
register_match(&addrtype_match);
Index: iptables/extensions/libipt_ah.c
===================================================================
--- iptables.orig/extensions/libipt_ah.c
+++ iptables/extensions/libipt_ah.c
@@ -169,8 +169,8 @@ static struct iptables_match ah_match =
.extra_opts = ah_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match(&ah_match);
}
Index: iptables/extensions/libipt_condition.c
===================================================================
--- iptables.orig/extensions/libipt_condition.c
+++ iptables/extensions/libipt_condition.c
@@ -86,9 +86,8 @@ static struct iptables_match condition_m
.extra_opts = condition_opts,
};
-
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match(&condition_match);
}
Index: iptables/extensions/libipt_ecn.c
===================================================================
--- iptables.orig/extensions/libipt_ecn.c
+++ iptables/extensions/libipt_ecn.c
@@ -157,6 +157,7 @@ static struct iptables_match ecn_match =
.extra_opts = ecn_opts,
};
+void _init(void);
void _init(void)
{
register_match(&ecn_match);
Index: iptables/extensions/libipt_icmp.c
===================================================================
--- iptables.orig/extensions/libipt_icmp.c
+++ iptables/extensions/libipt_icmp.c
@@ -287,6 +287,7 @@ static struct iptables_match icmp_match
.extra_opts = icmp_opts,
};
+void _init(void);
void _init(void)
{
register_match(&icmp_match);
Index: iptables/extensions/libipt_policy.c
===================================================================
--- iptables.orig/extensions/libipt_policy.c
+++ iptables/extensions/libipt_policy.c
@@ -421,6 +421,7 @@ static struct iptables_match policy_matc
.extra_opts = policy_opts,
};
+void _init(void);
void _init(void)
{
register_match(&policy_match);
Index: iptables/extensions/libipt_realm.c
===================================================================
--- iptables.orig/extensions/libipt_realm.c
+++ iptables/extensions/libipt_realm.c
@@ -256,6 +256,7 @@ static struct iptables_match realm_match
.extra_opts = realm_opts,
};
+void _init(void);
void _init(void)
{
register_match(&realm_match);
Index: iptables/extensions/libipt_recent.c
===================================================================
--- iptables.orig/extensions/libipt_recent.c
+++ iptables/extensions/libipt_recent.c
@@ -224,6 +224,7 @@ static struct iptables_match recent_matc
.extra_opts = recent_opts,
};
+void _init(void);
void _init(void)
{
register_match(&recent_match);
Index: iptables/extensions/libipt_set.c
===================================================================
--- iptables.orig/extensions/libipt_set.c
+++ iptables/extensions/libipt_set.c
@@ -155,6 +155,7 @@ static struct iptables_match set_match =
.extra_opts = set_opts,
};
+void _init(void);
void _init(void)
{
register_match(&set_match);
Index: iptables/extensions/libipt_ttl.c
===================================================================
--- iptables.orig/extensions/libipt_ttl.c
+++ iptables/extensions/libipt_ttl.c
@@ -161,7 +161,7 @@ static struct iptables_match ttl_match =
.extra_opts = ttl_opts,
};
-
+void _init(void);
void _init(void)
{
register_match(&ttl_match);
Index: iptables/extensions/libipt_unclean.c
===================================================================
--- iptables.orig/extensions/libipt_unclean.c
+++ iptables/extensions/libipt_unclean.c
@@ -29,6 +29,7 @@ static struct iptables_match unclean_mat
.parse = unclean_parse,
};
+void _init(void);
void _init(void)
{
register_match(&unclean_match);
Index: iptables/extensions/libxt_CLASSIFY.c
===================================================================
--- iptables.orig/extensions/libxt_CLASSIFY.c
+++ iptables/extensions/libxt_CLASSIFY.c
@@ -130,6 +130,7 @@ static struct xtables_target classify_ta
.extra_opts = CLASSIFY_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&classify_target);
Index: iptables/extensions/libxt_CONNMARK.c
===================================================================
--- iptables.orig/extensions/libxt_CONNMARK.c
+++ iptables/extensions/libxt_CONNMARK.c
@@ -470,6 +470,7 @@ static struct xtables_target connmark_tg
.extra_opts = connmark_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&connmark_target);
Index: iptables/extensions/libxt_CONNSECMARK.c
===================================================================
--- iptables.orig/extensions/libxt_CONNSECMARK.c
+++ iptables/extensions/libxt_CONNSECMARK.c
@@ -138,6 +138,7 @@ static struct xtables_target connsecmark
.extra_opts = CONNSECMARK_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&connsecmark_target);
Index: iptables/extensions/libxt_DSCP.c
===================================================================
--- iptables.orig/extensions/libxt_DSCP.c
+++ iptables/extensions/libxt_DSCP.c
@@ -160,6 +160,7 @@ static struct xtables_target dscp_target
.extra_opts = DSCP_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&dscp_target);
Index: iptables/extensions/libxt_MARK.c
===================================================================
--- iptables.orig/extensions/libxt_MARK.c
+++ iptables/extensions/libxt_MARK.c
@@ -359,6 +359,7 @@ static struct xtables_target mark_tg6_re
.extra_opts = mark_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&mark_target_v0);
Index: iptables/extensions/libxt_NFLOG.c
===================================================================
--- iptables.orig/extensions/libxt_NFLOG.c
+++ iptables/extensions/libxt_NFLOG.c
@@ -167,6 +167,7 @@ static struct xtables_target nflog_targe
.extra_opts = NFLOG_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&nflog_target);
Index: iptables/extensions/libxt_NFQUEUE.c
===================================================================
--- iptables.orig/extensions/libxt_NFQUEUE.c
+++ iptables/extensions/libxt_NFQUEUE.c
@@ -106,6 +106,7 @@ static struct xtables_target nfqueue_tar
.extra_opts = NFQUEUE_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&nfqueue_target);
Index: iptables/extensions/libxt_NOTRACK.c
===================================================================
--- iptables.orig/extensions/libxt_NOTRACK.c
+++ iptables/extensions/libxt_NOTRACK.c
@@ -44,6 +44,7 @@ static struct xtables_target notrack_tar
.parse = NOTRACK_parse,
};
+void _init(void);
void _init(void)
{
xtables_register_target(¬rack_target);
Index: iptables/extensions/libxt_RATEEST.c
===================================================================
--- iptables.orig/extensions/libxt_RATEEST.c
+++ iptables/extensions/libxt_RATEEST.c
@@ -233,6 +233,7 @@ static struct xtables_target rateest_tar
.extra_opts = RATEEST_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&rateest_target4);
Index: iptables/extensions/libxt_SECMARK.c
===================================================================
--- iptables.orig/extensions/libxt_SECMARK.c
+++ iptables/extensions/libxt_SECMARK.c
@@ -129,6 +129,7 @@ static struct xtables_target secmark_tar
.extra_opts = SECMARK_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&secmark_target);
Index: iptables/extensions/libxt_TCPMSS.c
===================================================================
--- iptables.orig/extensions/libxt_TCPMSS.c
+++ iptables/extensions/libxt_TCPMSS.c
@@ -151,6 +151,7 @@ static struct xtables_target tcpmss_targ
.extra_opts = TCPMSS_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&tcpmss_target);
Index: iptables/extensions/libxt_TCPOPTSTRIP.c
===================================================================
--- iptables.orig/extensions/libxt_TCPOPTSTRIP.c
+++ iptables/extensions/libxt_TCPOPTSTRIP.c
@@ -205,6 +205,7 @@ static struct xtables_target tcpoptstrip
.extra_opts = tcpoptstrip_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&tcpoptstrip_tg_reg);
Index: iptables/extensions/libxt_TOS.c
===================================================================
--- iptables.orig/extensions/libxt_TOS.c
+++ iptables/extensions/libxt_TOS.c
@@ -249,6 +249,7 @@ static struct xtables_target tos_tg6_reg
.extra_opts = tos_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&tos_tg_reg_v0);
Index: iptables/extensions/libxt_TRACE.c
===================================================================
--- iptables.orig/extensions/libxt_TRACE.c
+++ iptables/extensions/libxt_TRACE.c
@@ -43,6 +43,7 @@ static struct xtables_target trace_targe
.parse = TRACE_parse,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&trace_target);
Index: iptables/extensions/libxt_comment.c
===================================================================
--- iptables.orig/extensions/libxt_comment.c
+++ iptables/extensions/libxt_comment.c
@@ -121,6 +121,7 @@ static struct xtables_match comment_matc
.extra_opts = comment_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&comment_match);
Index: iptables/extensions/libxt_connbytes.c
===================================================================
--- iptables.orig/extensions/libxt_connbytes.c
+++ iptables/extensions/libxt_connbytes.c
@@ -213,6 +213,7 @@ static struct xtables_match connbytes_ma
.extra_opts = connbytes_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&connbytes_match);
Index: iptables/extensions/libxt_connlimit.c
===================================================================
--- iptables.orig/extensions/libxt_connlimit.c
+++ iptables/extensions/libxt_connlimit.c
@@ -208,6 +208,7 @@ static struct xtables_match connlimit_ma
.extra_opts = connlimit_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&connlimit_match);
Index: iptables/extensions/libxt_connmark.c
===================================================================
--- iptables.orig/extensions/libxt_connmark.c
+++ iptables/extensions/libxt_connmark.c
@@ -228,6 +228,7 @@ static struct xtables_match connmark_mt6
.extra_opts = connmark_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&connmark_mt_reg_v0);
Index: iptables/extensions/libxt_conntrack.c
===================================================================
--- iptables.orig/extensions/libxt_conntrack.c
+++ iptables/extensions/libxt_conntrack.c
@@ -1059,6 +1059,7 @@ static struct xtables_match conntrack_mt
.extra_opts = conntrack_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&conntrack_match);
Index: iptables/extensions/libxt_dccp.c
===================================================================
--- iptables.orig/extensions/libxt_dccp.c
+++ iptables/extensions/libxt_dccp.c
@@ -367,6 +367,7 @@ static struct xtables_match dccp_match6
.extra_opts = dccp_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&dccp_match);
Index: iptables/extensions/libxt_dscp.c
===================================================================
--- iptables.orig/extensions/libxt_dscp.c
+++ iptables/extensions/libxt_dscp.c
@@ -174,6 +174,7 @@ static struct xtables_match dscp_match6
.extra_opts = dscp_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&dscp_match);
Index: iptables/extensions/libxt_esp.c
===================================================================
--- iptables.orig/extensions/libxt_esp.c
+++ iptables/extensions/libxt_esp.c
@@ -181,8 +181,8 @@ static struct xtables_match esp_match6 =
.extra_opts = esp_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&esp_match);
xtables_register_match(&esp_match6);
Index: iptables/extensions/libxt_hashlimit.c
===================================================================
--- iptables.orig/extensions/libxt_hashlimit.c
+++ iptables/extensions/libxt_hashlimit.c
@@ -390,6 +390,7 @@ static struct xtables_match hashlimit_ma
.extra_opts = hashlimit_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&hashlimit_match);
Index: iptables/extensions/libxt_helper.c
===================================================================
--- iptables.orig/extensions/libxt_helper.c
+++ iptables/extensions/libxt_helper.c
@@ -102,6 +102,7 @@ static struct xtables_match helper_match
.extra_opts = helper_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&helper_match);
Index: iptables/extensions/libxt_iprange.c
===================================================================
--- iptables.orig/extensions/libxt_iprange.c
+++ iptables/extensions/libxt_iprange.c
@@ -383,6 +383,7 @@ static struct xtables_match iprange_mt6_
.extra_opts = iprange_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&iprange_match);
Index: iptables/extensions/libxt_length.c
===================================================================
--- iptables.orig/extensions/libxt_length.c
+++ iptables/extensions/libxt_length.c
@@ -152,6 +152,7 @@ static struct xtables_match length_match
.extra_opts = length_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&length_match);
Index: iptables/extensions/libxt_limit.c
===================================================================
--- iptables.orig/extensions/libxt_limit.c
+++ iptables/extensions/libxt_limit.c
@@ -192,6 +192,7 @@ static struct xtables_match limit_match6
.extra_opts = limit_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&limit_match);
Index: iptables/extensions/libxt_mac.c
===================================================================
--- iptables.orig/extensions/libxt_mac.c
+++ iptables/extensions/libxt_mac.c
@@ -143,6 +143,7 @@ static struct xtables_match mac_match6 =
.extra_opts = mac_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&mac_match);
Index: iptables/extensions/libxt_mark.c
===================================================================
--- iptables.orig/extensions/libxt_mark.c
+++ iptables/extensions/libxt_mark.c
@@ -208,6 +208,7 @@ static struct xtables_match mark_mt6_reg
.extra_opts = mark_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&mark_match);
Index: iptables/extensions/libxt_multiport.c
===================================================================
--- iptables.orig/extensions/libxt_multiport.c
+++ iptables/extensions/libxt_multiport.c
@@ -569,8 +569,8 @@ static struct xtables_match multiport_ma
.extra_opts = multiport_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&multiport_match);
xtables_register_match(&multiport_match6);
Index: iptables/extensions/libxt_owner.c
===================================================================
--- iptables.orig/extensions/libxt_owner.c
+++ iptables/extensions/libxt_owner.c
@@ -591,6 +591,7 @@ static struct xtables_match owner_mt6_re
.extra_opts = owner_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&owner_mt_reg_v0);
Index: iptables/extensions/libxt_physdev.c
===================================================================
--- iptables.orig/extensions/libxt_physdev.c
+++ iptables/extensions/libxt_physdev.c
@@ -190,6 +190,7 @@ static struct xtables_match physdev_matc
.extra_opts = physdev_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&physdev_match);
Index: iptables/extensions/libxt_pkttype.c
===================================================================
--- iptables.orig/extensions/libxt_pkttype.c
+++ iptables/extensions/libxt_pkttype.c
@@ -174,6 +174,7 @@ static struct xtables_match pkttype_matc
.extra_opts = pkttype_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&pkttype_match);
Index: iptables/extensions/libxt_quota.c
===================================================================
--- iptables.orig/extensions/libxt_quota.c
+++ iptables/extensions/libxt_quota.c
@@ -103,8 +103,8 @@ struct xtables_match quota_match6 = {
.extra_opts = quota_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match("a_match);
xtables_register_match("a_match6);
Index: iptables/extensions/libxt_rateest.c
===================================================================
--- iptables.orig/extensions/libxt_rateest.c
+++ iptables/extensions/libxt_rateest.c
@@ -454,6 +454,7 @@ static struct xtables_match rateest_matc
.extra_opts = rateest_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&rateest_match4);
Index: iptables/extensions/libxt_sctp.c
===================================================================
--- iptables.orig/extensions/libxt_sctp.c
+++ iptables/extensions/libxt_sctp.c
@@ -539,6 +539,7 @@ static struct xtables_match sctp_match6
.extra_opts = sctp_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&sctp_match);
Index: iptables/extensions/libxt_standard.c
===================================================================
--- iptables.orig/extensions/libxt_standard.c
+++ iptables/extensions/libxt_standard.c
@@ -43,6 +43,7 @@ static struct xtables_target standard_ta
.parse = standard_parse,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&standard_target);
Index: iptables/extensions/libxt_state.c
===================================================================
--- iptables.orig/extensions/libxt_state.c
+++ iptables/extensions/libxt_state.c
@@ -170,6 +170,7 @@ static struct xtables_match state_match6
.extra_opts = state_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&state_match);
Index: iptables/extensions/libxt_statistic.c
===================================================================
--- iptables.orig/extensions/libxt_statistic.c
+++ iptables/extensions/libxt_statistic.c
@@ -193,6 +193,7 @@ static struct xtables_match statistic_ma
.extra_opts = statistic_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&statistic_match);
Index: iptables/extensions/libxt_string.c
===================================================================
--- iptables.orig/extensions/libxt_string.c
+++ iptables/extensions/libxt_string.c
@@ -356,6 +356,7 @@ static struct xtables_match string_match
.extra_opts = string_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&string_match);
Index: iptables/extensions/libxt_tcp.c
===================================================================
--- iptables.orig/extensions/libxt_tcp.c
+++ iptables/extensions/libxt_tcp.c
@@ -411,8 +411,8 @@ static struct xtables_match tcp_match6 =
.extra_opts = tcp_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&tcp_match);
xtables_register_match(&tcp_match6);
Index: iptables/extensions/libxt_tcpmss.c
===================================================================
--- iptables.orig/extensions/libxt_tcpmss.c
+++ iptables/extensions/libxt_tcpmss.c
@@ -153,6 +153,7 @@ static struct xtables_match tcpmss_match
.extra_opts = tcpmss_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&tcpmss_match);
Index: iptables/extensions/libxt_time.c
===================================================================
--- iptables.orig/extensions/libxt_time.c
+++ iptables/extensions/libxt_time.c
@@ -492,6 +492,7 @@ static struct xtables_match time_match6
.extra_opts = time_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&time_match);
Index: iptables/extensions/libxt_tos.c
===================================================================
--- iptables.orig/extensions/libxt_tos.c
+++ iptables/extensions/libxt_tos.c
@@ -182,6 +182,7 @@ static struct xtables_match tos_mt6_reg
.extra_opts = tos_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&tos_mt_reg_v0);
Index: iptables/extensions/libxt_u32.c
===================================================================
--- iptables.orig/extensions/libxt_u32.c
+++ iptables/extensions/libxt_u32.c
@@ -296,6 +296,7 @@ static struct xtables_match u32_match6 =
.extra_opts = u32_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&u32_match);
Index: iptables/extensions/libxt_udp.c
===================================================================
--- iptables.orig/extensions/libxt_udp.c
+++ iptables/extensions/libxt_udp.c
@@ -224,8 +224,8 @@ static struct xtables_match udp_match6 =
.extra_opts = udp_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&udp_match);
xtables_register_match(&udp_match6);
Index: iptables/include/iptables.h
===================================================================
--- iptables.orig/include/iptables.h
+++ iptables/include/iptables.h
@@ -24,8 +24,6 @@ extern int line;
extern void register_match(struct iptables_match *me);
extern void register_target(struct iptables_target *me);
-extern u_int16_t parse_protocol(const char *s);
-
extern int do_command(int argc, char *argv[], char **table,
iptc_handle_t *handle);
extern int delete_chain(const ipt_chainlabel chain, int verbose,
Index: iptables/include/libiptc/libip6tc.h
===================================================================
--- iptables.orig/include/libiptc/libip6tc.h
+++ iptables/include/libiptc/libip6tc.h
@@ -152,4 +152,6 @@ const char *ip6tc_strerror(int err);
/* Return prefix length, or -1 if not contiguous */
int ipv6_prefix_length(const struct in6_addr *a);
+extern void dump_entries6(const ip6tc_handle_t);
+
#endif /* _LIBIP6TC_H */
Index: iptables/include/libiptc/libiptc.h
===================================================================
--- iptables.orig/include/libiptc/libiptc.h
+++ iptables/include/libiptc/libiptc.h
@@ -159,6 +159,8 @@ int iptc_get_raw_socket(void);
/* Translates errno numbers into more human-readable form than strerror. */
const char *iptc_strerror(int err);
+extern void dump_entries(const iptc_handle_t);
+
#ifdef __cplusplus
}
#endif
Index: iptables/include/xtables.h
===================================================================
--- iptables.orig/include/xtables.h
+++ iptables/include/xtables.h
@@ -267,4 +267,7 @@ extern void save_string(const char *valu
# define _init __attribute__((constructor)) _INIT
#endif
+/* Present in both iptables.c and ip6tables.c */
+extern u_int16_t parse_protocol(const char *s);
+
#endif /* _XTABLES_H */
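Review bot: The comment on the moved prototype, `/* Present in both iptables.c and ip6tables.c */`, documents two external definitions of the same symbol, and this series also adds the IPTABLES_MULTI headers that suggest both files can be linked into one binary; if they ever are, two non-static `parse_protocol` definitions would clash at link time. Unless the build guarantees they never share a link unit (I cannot see the Makefile here), a single shared definition in xtables.c, or a per-file `static` with this prototype dropped, would be the safer shape for a declaration placed in the common header.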
Index: iptables/ip6tables-multi.h
===================================================================
--- /dev/null
+++ iptables/ip6tables-multi.h
@@ -0,0 +1,8 @@
+#ifndef _IP6TABLES_MULTI_H
+#define _IP6TABLES_MULTI_H 1
+
+extern int ip6tables_main(int, char **);
+extern int ip6tables_save_main(int, char **);
+extern int ip6tables_restore_main(int, char **);
+
+#endif /* _IP6TABLES_MULTI_H */
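Review bot: The prototypes in the new header drop the parameter names, `extern int ip6tables_main(int, char **);`, which is where a reader looks for the calling contract; `extern int ip6tables_main(int argc, char **argv);` costs nothing and keeps the header self-explanatory. The same applies to the four prototypes in the new iptables-multi.h.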
Index: iptables/ip6tables-restore.c
===================================================================
--- iptables.orig/ip6tables-restore.c
+++ iptables/ip6tables-restore.c
@@ -18,6 +18,7 @@
#include "ip6tables.h"
#include "xtables.h"
#include "libiptc/libip6tc.h"
+#include "ip6tables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
@@ -55,7 +56,8 @@ static void print_usage(const char *name
exit(1);
}
-ip6tc_handle_t create_handle(const char *tablename, const char* modprobe)
+static ip6tc_handle_t create_handle(const char *tablename,
+ const char *modprobe)
{
ip6tc_handle_t handle;
Index: iptables/ip6tables-save.c
===================================================================
--- iptables.orig/ip6tables-save.c
+++ iptables/ip6tables-save.c
@@ -16,6 +16,7 @@
#include <arpa/inet.h>
#include "libiptc/libip6tc.h"
#include "ip6tables.h"
+#include "ip6tables-multi.h"
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
Index: iptables/ip6tables-standalone.c
===================================================================
--- iptables.orig/ip6tables-standalone.c
+++ iptables/ip6tables-standalone.c
@@ -35,6 +35,7 @@
#include <stdlib.h>
#include <errno.h>
#include <ip6tables.h>
+#include "ip6tables-multi.h"
#ifdef IPTABLES_MULTI
int
Index: iptables/ip6tables.c
===================================================================
--- iptables.orig/ip6tables.c
+++ iptables/ip6tables.c
@@ -41,6 +41,7 @@
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
+#include "ip6tables-multi.h"
#ifndef TRUE
#define TRUE 1
@@ -186,9 +187,6 @@ static int inverse_for_options[NUMBER_OF
const char *program_version;
const char *program_name;
-/* Extra debugging from libiptc */
-extern void dump_entries6(const ip6tc_handle_t handle);
-
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct pprot {
@@ -1140,7 +1138,7 @@ generate_entry(const struct ip6t_entry *
return e;
}
-void clear_rule_matches(struct ip6tables_rule_match **matches)
+static void clear_rule_matches(struct ip6tables_rule_match **matches)
{
struct ip6tables_rule_match *matchp, *tmp;
Index: iptables/iptables-multi.h
===================================================================
--- /dev/null
+++ iptables/iptables-multi.h
@@ -0,0 +1,9 @@
+#ifndef _IPTABLES_MULTI_H
+#define _IPTABLES_MULTI_H 1
+
+extern int iptables_main(int, char **);
+extern int iptables_save_main(int, char **);
+extern int iptables_restore_main(int, char **);
+extern int iptables_xml_main(int, char **);
+
+#endif /* _IPTABLES_MULTI_H */
Index: iptables/iptables-restore.c
===================================================================
--- iptables.orig/iptables-restore.c
+++ iptables/iptables-restore.c
@@ -15,6 +15,7 @@
#include "iptables.h"
#include "xtables.h"
#include "libiptc/libiptc.h"
+#include "iptables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
@@ -54,7 +55,7 @@ static void print_usage(const char *name
exit(1);
}
-iptc_handle_t create_handle(const char *tablename, const char* modprobe )
+static iptc_handle_t create_handle(const char *tablename, const char *modprobe)
{
iptc_handle_t handle;
Index: iptables/iptables-save.c
===================================================================
--- iptables.orig/iptables-save.c
+++ iptables/iptables-save.c
@@ -15,6 +15,7 @@
#include <netdb.h>
#include "libiptc/libiptc.h"
#include "iptables.h"
+#include "iptables-multi.h"
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
Index: iptables/iptables-standalone.c
===================================================================
--- iptables.orig/iptables-standalone.c
+++ iptables/iptables-standalone.c
@@ -36,6 +36,7 @@
#include <errno.h>
#include <string.h>
#include <iptables.h>
+#include "iptables-multi.h"
#ifdef IPTABLES_MULTI
int
Index: iptables/iptables-xml.c
===================================================================
--- iptables.orig/iptables-xml.c
+++ iptables/iptables-xml.c
@@ -16,6 +16,7 @@
#include <stdarg.h>
#include "iptables.h"
#include "libiptc/libiptc.h"
+#include "iptables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
Index: iptables/iptables.c
===================================================================
--- iptables.orig/iptables.c
+++ iptables/iptables.c
@@ -190,8 +190,6 @@ const char *program_name;
int kernel_version;
-extern void dump_entries(const iptc_handle_t handle);
-
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct pprot {
@@ -1143,7 +1141,7 @@ generate_entry(const struct ipt_entry *f
return e;
}
-void clear_rule_matches(struct iptables_rule_match **matches)
+static void clear_rule_matches(struct iptables_rule_match **matches)
{
struct iptables_rule_match *matchp, *tmp;
Index: iptables/libiptc/libiptc.c
===================================================================
--- iptables.orig/libiptc/libiptc.c
+++ iptables/libiptc/libiptc.c
@@ -1471,7 +1471,7 @@ TC_NEXT_RULE(const STRUCT_ENTRY *prev, T
}
/* How many rules in this chain? */
-unsigned int
+static unsigned int
TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
{
struct chain_head *c;
@@ -1487,9 +1487,8 @@ TC_NUM_RULES(const char *chain, TC_HANDL
return c->num_rules;
}
-const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
- unsigned int n,
- TC_HANDLE_T *handle)
+static const STRUCT_ENTRY *
+TC_GET_RULE(const char *chain, unsigned int n, TC_HANDLE_T *handle)
{
struct chain_head *c;
struct rule_head *r;
@@ -1511,7 +1510,7 @@ const STRUCT_ENTRY *TC_GET_RULE(const ch
}
/* Returns a pointer to the target name of this position. */
-const char *standard_target_map(int verdict)
+static const char *standard_target_map(int verdict)
{
switch (verdict) {
case RETURN:
[05/10] [IPTABLES]: xt_hashlimit revision 1
@ 2008-02-01 0:28 ` Jan Engelhardt
From: Jan Engelhardt @ 2008-02-01 0:28 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Add support for xt_hashlimit match revision 1
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libxt_hashlimit.c | 398 ++++++++++++++++++++++++++++++---
extensions/libxt_hashlimit.man | 80 ++++--
include/linux/netfilter/xt_hashlimit.h | 38 ++-
3 files changed, 455 insertions(+), 61 deletions(-)
Index: iptables/extensions/libxt_hashlimit.c
===================================================================
--- iptables.orig/extensions/libxt_hashlimit.c
+++ iptables/extensions/libxt_hashlimit.c
@@ -10,7 +10,7 @@
*
* Error corections by nmalykh@bilim.com (22.01.2005)
*/
-
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -45,6 +45,27 @@ static void hashlimit_help(void)
"\n", IPTABLES_VERSION, XT_HASHLIMIT_BURST);
}
+static void hashlimit_mt_help(void)
+{
+ printf(
+"hashlimit match options:\n"
+" --hashlimit-upto <avg> max average match rate\n"
+" [Packets per second unless followed by \n"
+" /sec /minute /hour /day postfixes]\n"
+" --hashlimit-above <avg> min average match rate\n"
+" --hashlimit-mode <mode> mode is a comma-separated list of\n"
+" dstip,srcip,dstport,srcport (or none)\n"
+" --hashlimit-srcmask <length> source address grouping prefix length\n"
+" --hashlimit-dstmask <length> destination address grouping prefix length\n"
+" --hashlimit-name <name> name for /proc/net/ipt_hashlimit\n"
+" --hashlimit-burst <num> number to match in a burst, default %u\n"
+" --hashlimit-htable-size <num> number of hashtable buckets\n"
+" --hashlimit-htable-max <num> number of hashtable entries\n"
+" --hashlimit-htable-gcinterval interval between garbage collection runs\n"
+" --hashlimit-htable-expire after which time are idle entries expired?\n"
+"\n", XT_HASHLIMIT_BURST);
+}
+
static const struct option hashlimit_opts[] = {
{ "hashlimit", 1, NULL, '%' },
{ "hashlimit-burst", 1, NULL, '$' },
@@ -57,6 +78,22 @@ static const struct option hashlimit_opt
{},
};
+static const struct option hashlimit_mt_opts[] = {
+ {.name = "hashlimit-upto", .has_arg = true, .val = '%'},
+ {.name = "hashlimit-above", .has_arg = true, .val = '^'},
+ {.name = "hashlimit", .has_arg = true, .val = '%'},
+ {.name = "hashlimit-srcmask", .has_arg = true, .val = '<'},
+ {.name = "hashlimit-dstmask", .has_arg = true, .val = '>'},
+ {.name = "hashlimit-burst", .has_arg = true, .val = '$'},
+ {.name = "hashlimit-htable-size", .has_arg = true, .val = '&'},
+ {.name = "hashlimit-htable-max", .has_arg = true, .val = '*'},
+ {.name = "hashlimit-htable-gcinterval", .has_arg = true, .val = '('},
+ {.name = "hashlimit-htable-expire", .has_arg = true, .val = ')'},
+ {.name = "hashlimit-mode", .has_arg = true, .val = '_'},
+ {.name = "hashlimit-name", .has_arg = true, .val = '"'},
+ {},
+};
+
static
int parse_rate(const char *rate, u_int32_t *val)
{
@@ -98,15 +135,39 @@ static void hashlimit_init(struct xt_ent
{
struct xt_hashlimit_info *r = (struct xt_hashlimit_info *)m->data;
+ r->cfg.mode = 0;
r->cfg.burst = XT_HASHLIMIT_BURST;
r->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
r->cfg.expire = XT_HASHLIMIT_EXPIRE;
}
+static void hashlimit_mt4_init(struct xt_entry_match *match)
+{
+ struct xt_hashlimit_mtinfo1 *info = (void *)match->data;
+
+ info->cfg.mode = 0;
+ info->cfg.burst = XT_HASHLIMIT_BURST;
+ info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
+ info->cfg.expire = XT_HASHLIMIT_EXPIRE;
+ info->cfg.srcmask = 32;
+ info->cfg.dstmask = 32;
+}
+
+static void hashlimit_mt6_init(struct xt_entry_match *match)
+{
+ struct xt_hashlimit_mtinfo1 *info = (void *)match->data;
+
+ info->cfg.mode = 0;
+ info->cfg.burst = XT_HASHLIMIT_BURST;
+ info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
+ info->cfg.expire = XT_HASHLIMIT_EXPIRE;
+ info->cfg.srcmask = 128;
+ info->cfg.dstmask = 128;
+}
/* Parse a 'mode' parameter into the required bitmask */
-static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
+static int parse_mode(uint32_t *mode, char *option_arg)
{
char *tok;
char *arg = strdup(option_arg);
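Review bot: hashlimit_mt4_init and hashlimit_mt6_init repeat the same five assignments and differ only in the 32/128 mask constants, whereas the parse, print and save paths added by this same patch route the family-specific value through one shared helper with a mask argument. A `hashlimit_mt_init(info, mask)` helper with the two wrappers passing 32 and 128 would make the init path consistent with the rest of the revision-1 code and leave one place to update when defaults change.

```c
static void hashlimit_mt_init(struct xt_hashlimit_mtinfo1 *info,
                              unsigned int mask)
{
	info->cfg.mode = 0;
	info->cfg.burst = XT_HASHLIMIT_BURST;
	info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
	info->cfg.expire = XT_HASHLIMIT_EXPIRE;
	info->cfg.srcmask = mask;
	info->cfg.dstmask = mask;
}

static void hashlimit_mt4_init(struct xt_entry_match *match)
{
	hashlimit_mt_init((void *)match->data, 32);
}

static void hashlimit_mt6_init(struct xt_entry_match *match)
{
	hashlimit_mt_init((void *)match->data, 128);
}
```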
@@ -114,19 +175,17 @@ static int parse_mode(struct xt_hashlimi
if (!arg)
return -1;
- r->cfg.mode = 0;
-
for (tok = strtok(arg, ",|");
tok;
tok = strtok(NULL, ",|")) {
if (!strcmp(tok, "dstip"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_DIP;
+ *mode |= XT_HASHLIMIT_HASH_DIP;
else if (!strcmp(tok, "srcip"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_SIP;
+ *mode |= XT_HASHLIMIT_HASH_SIP;
else if (!strcmp(tok, "srcport"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_SPT;
+ *mode |= XT_HASHLIMIT_HASH_SPT;
else if (!strcmp(tok, "dstport"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_DPT;
+ *mode |= XT_HASHLIMIT_HASH_DPT;
else {
free(arg);
return -1;
@@ -136,14 +195,18 @@ static int parse_mode(struct xt_hashlimi
return 0;
}
-#define PARAM_LIMIT 0x00000001
-#define PARAM_BURST 0x00000002
-#define PARAM_MODE 0x00000004
-#define PARAM_NAME 0x00000008
-#define PARAM_SIZE 0x00000010
-#define PARAM_MAX 0x00000020
-#define PARAM_GCINTERVAL 0x00000040
-#define PARAM_EXPIRE 0x00000080
+enum {
+ PARAM_LIMIT = 1 << 0,
+ PARAM_BURST = 1 << 1,
+ PARAM_MODE = 1 << 2,
+ PARAM_NAME = 1 << 3,
+ PARAM_SIZE = 1 << 4,
+ PARAM_MAX = 1 << 5,
+ PARAM_GCINTERVAL = 1 << 6,
+ PARAM_EXPIRE = 1 << 7,
+ PARAM_SRCMASK = 1 << 8,
+ PARAM_DSTMASK = 1 << 9,
+};
/* Function which parses command options; returns true if it
ate an option */
@@ -224,7 +287,7 @@ hashlimit_parse(int c, char **argv, int
param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-mode",
*flags & PARAM_MODE);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (parse_mode(r, optarg) < 0)
+ if (parse_mode(&r->cfg.mode, optarg) < 0)
exit_error(PARAMETER_PROBLEM,
"bad --hashlimit-mode: `%s'\n", optarg);
*flags |= PARAM_MODE;
@@ -249,6 +312,146 @@ hashlimit_parse(int c, char **argv, int
return 1;
}
+static int
+hashlimit_mt_parse(struct xt_hashlimit_mtinfo1 *info, unsigned int *flags,
+ int c, int invert, unsigned int maxmask)
+{
+ unsigned int num;
+
+ switch(c) {
+ case '%': /* --hashlimit / --hashlimit-below */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-upto",
+ *flags & PARAM_LIMIT);
+ if (invert)
+ info->cfg.mode |= XT_HASHLIMIT_INVERT;
+ if (!parse_rate(optarg, &info->cfg.avg))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-upto", optarg);
+ *flags |= PARAM_LIMIT;
+ return true;
+
+ case '^': /* --hashlimit-above == !--hashlimit-below */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-above",
+ *flags & PARAM_LIMIT);
+ if (!invert)
+ info->cfg.mode |= XT_HASHLIMIT_INVERT;
+ if (!parse_rate(optarg, &info->cfg.avg))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-above", optarg);
+ *flags |= PARAM_LIMIT;
+ return true;
+
+ case '$': /* --hashlimit-burst */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-burst",
+ *flags & PARAM_BURST);
+ if (!strtonum(optarg, NULL, &num, 0, 10000))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-burst", optarg);
+ info->cfg.burst = num;
+ *flags |= PARAM_BURST;
+ return true;
+
+ case '&': /* --hashlimit-htable-size */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-htable-size",
+ *flags & PARAM_SIZE);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-size", optarg);
+ info->cfg.size = num;
+ *flags |= PARAM_SIZE;
+ return true;
+
+ case '*': /* --hashlimit-htable-max */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-htable-max",
+ *flags & PARAM_MAX);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-max", optarg);
+ info->cfg.max = num;
+ *flags |= PARAM_MAX;
+ return true;
+
+ case '(': /* --hashlimit-htable-gcinterval */
+ param_act(P_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-gcinterval",
+ *flags & PARAM_GCINTERVAL);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-gcinterval", optarg);
+ /* FIXME: not HZ dependent!! */
+ info->cfg.gc_interval = num;
+ *flags |= PARAM_GCINTERVAL;
+ return true;
+
+ case ')': /* --hashlimit-htable-expire */
+ param_act(P_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-expire", *flags & PARAM_EXPIRE);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-expire", optarg);
+ /* FIXME: not HZ dependent */
+ info->cfg.expire = num;
+ *flags |= PARAM_EXPIRE;
+ return true;
+
+ case '_':
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-mode",
+ *flags & PARAM_MODE);
+ if (parse_mode(&info->cfg.mode, optarg) < 0)
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-mode", optarg);
+ *flags |= PARAM_MODE;
+ return true;
+
+ case '"': /* --hashlimit-name */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-name",
+ *flags & PARAM_NAME);
+ if (strlen(optarg) == 0)
+ exit_error(PARAMETER_PROBLEM, "Zero-length name?");
+ strncpy(info->name, optarg, sizeof(info->name));
+ info->name[sizeof(info->name)-1] = '\0';
+ *flags |= PARAM_NAME;
+ return true;
+
+ case '<': /* --hashlimit-srcmask */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-srcmask",
+ *flags & PARAM_SRCMASK);
+ if (!strtonum(optarg, NULL, &num, 0, maxmask))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-srcmask", optarg);
+ info->cfg.srcmask = num;
+ *flags |= PARAM_SRCMASK;
+ return true;
+
+ case '>': /* --hashlimit-dstmask */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-dstmask",
+ *flags & PARAM_DSTMASK);
+ if (!strtonum(optarg, NULL, &num, 0, maxmask))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-dstmask", optarg);
+ info->cfg.dstmask = num;
+ *flags |= PARAM_DSTMASK;
+ return true;
+ }
+ return false;
+}
+
+static int
+hashlimit_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return hashlimit_mt_parse((void *)(*match)->data,
+ flags, c, invert, 32);
+}
+
+static int
+hashlimit_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return hashlimit_mt_parse((void *)(*match)->data,
+ flags, c, invert, 128);
+}
+
/* Final check; nothing. */
static void hashlimit_check(unsigned int flags)
{
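Review bot: The case comments in hashlimit_mt_parse name an option the table does not define: `/* --hashlimit / --hashlimit-below */` on '%' and `/* --hashlimit-above == !--hashlimit-below */` on '^', while hashlimit_mt_opts registers `--hashlimit-upto` (with `--hashlimit` as an alias); `/* --hashlimit-upto / --hashlimit (alias) */` and `/* --hashlimit-above == !--hashlimit-upto */` would match, and the '_' case is the only one with no comment at all (`/* --hashlimit-mode */`). Separately, the '"' case silently truncates a name longer than `info->name` via strncpy; since the name is what identifies the hash table (presumably shared between rules using the same name), two rules whose names differ only past the cutoff would silently end up sharing one table and one rate-limit state. Rejecting over-long names up front, `if (strlen(optarg) >= sizeof(info->name)) exit_error(PARAMETER_PROBLEM, "--hashlimit-name too long");`, makes the mistake visible instead of changing the rule's meaning.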
@@ -263,6 +466,16 @@ static void hashlimit_check(unsigned int
"You have to specify --hashlimit-name");
}
+static void hashlimit_mt_check(unsigned int flags)
+{
+ if (!(flags & PARAM_LIMIT))
+ exit_error(PARAMETER_PROBLEM, "You have to specify "
+ "--hashlimit-upto or --hashlimit-above");
+ if (!(flags & PARAM_NAME))
+ exit_error(PARAMETER_PROBLEM,
+ "You have to specify --hashlimit-name");
+}
+
static const struct rates
{
const char *name;
@@ -285,29 +498,27 @@ static void print_rate(u_int32_t period)
printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
}
-static void print_mode(const struct xt_hashlimit_info *r, char separator)
+static void print_mode(unsigned int mode, char separator)
{
- int prevmode = 0;
+ bool prevmode = false;
- if (r->cfg.mode & XT_HASHLIMIT_HASH_SIP) {
- if (prevmode)
- putchar(separator);
+ if (mode & XT_HASHLIMIT_HASH_SIP) {
fputs("srcip", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_SPT) {
+ if (mode & XT_HASHLIMIT_HASH_SPT) {
if (prevmode)
putchar(separator);
fputs("srcport", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_DIP) {
+ if (mode & XT_HASHLIMIT_HASH_DIP) {
if (prevmode)
putchar(separator);
fputs("dstip", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_DPT) {
+ if (mode & XT_HASHLIMIT_HASH_DPT) {
if (prevmode)
putchar(separator);
fputs("dstport", stdout);
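Review bot: print_mode now declares `bool prevmode = false;` but the branches still assign `prevmode = 1;`, so the type change is only half applied; `prevmode = true;` in each branch keeps the bool idiom the patch introduced with the new <stdbool.h> include. The function's last branch continues past the end of this hunk.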
@@ -324,7 +535,7 @@ static void hashlimit_print(const void *
fputs("limit: avg ", stdout); print_rate(r->cfg.avg);
printf("burst %u ", r->cfg.burst);
fputs("mode ", stdout);
- print_mode(r, '-');
+ print_mode(r->cfg.mode, '-');
if (r->cfg.size)
printf("htable-size %u ", r->cfg.size);
if (r->cfg.max)
@@ -335,6 +546,53 @@ static void hashlimit_print(const void *
printf("htable-expire %u ", r->cfg.expire);
}
+static void
+hashlimit_mt_print(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
+{
+ if (info->cfg.mode & XT_HASHLIMIT_INVERT)
+ fputs("limit: above ", stdout);
+ else
+ fputs("limit: up to ", stdout);
+ print_rate(info->cfg.avg);
+ printf("burst %u ", info->cfg.burst);
+ if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
+ XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
+ fputs("mode ", stdout);
+ print_mode(info->cfg.mode, '-');
+ }
+ if (info->cfg.size != 0)
+ printf("htable-size %u ", info->cfg.size);
+ if (info->cfg.max != 0)
+ printf("htable-max %u ", info->cfg.max);
+ if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("htable-gcinterval %u ", info->cfg.gc_interval);
+ if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("htable-expire %u ", info->cfg.expire);
+
+ if (info->cfg.srcmask != dmask)
+ printf("srcmask %u ", info->cfg.srcmask);
+ if (info->cfg.dstmask != dmask)
+ printf("dstmask %u ", info->cfg.dstmask);
+}
+
+static void
+hashlimit_mt4_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_print(info, 32);
+}
+
+static void
+hashlimit_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_print(info, 128);
+}
+
/* FIXME: Make minimalist: only print rate if not default --RR */
static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
{
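Review bot: hashlimit_mt_print never prints `info->name`, while hashlimit_mt_save does, so rule listings cannot show which hash table a revision-1 rule uses even though two rules with different names behave differently; unless the revision-0 printer deliberately omits it too (its body is only partly visible here), adding `printf("name %s ", info->name);` after the burst line would make the listing complete. The `dmask` suppression of default srcmask/dstmask is a nice touch and worth a one-line comment on the helper, e.g. `/* dmask: family's full prefix length; masks equal to it are defaults and not shown */`.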
@@ -346,7 +604,7 @@ static void hashlimit_save(const void *i
printf("--hashlimit-burst %u ", r->cfg.burst);
fputs("--hashlimit-mode ", stdout);
- print_mode(r, ',');
+ print_mode(r->cfg.mode, ',');
printf("--hashlimit-name %s ", r->name);
@@ -360,10 +618,61 @@ static void hashlimit_save(const void *i
printf("--hashlimit-htable-expire %u ", r->cfg.expire);
}
+static void
+hashlimit_mt_save(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
+{
+ if (info->cfg.mode & XT_HASHLIMIT_INVERT)
+ fputs("--hashlimit-above ", stdout);
+ else
+ fputs("--hashlimit-upto ", stdout);
+ print_rate(info->cfg.avg);
+ if (info->cfg.burst != XT_HASHLIMIT_BURST)
+ printf("--hashlimit-burst %u ", info->cfg.burst);
+
+ if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
+ XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
+ fputs("--hashlimit-mode ", stdout);
+ print_mode(info->cfg.mode, ',');
+ }
+
+ printf("--hashlimit-name %s ", info->name);
+
+ if (info->cfg.size != 0)
+ printf("--hashlimit-htable-size %u ", info->cfg.size);
+ if (info->cfg.max != 0)
+ printf("--hashlimit-htable-max %u ", info->cfg.max);
+ if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("--hashlimit-htable-gcinterval %u", info->cfg.gc_interval);
+ if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("--hashlimit-htable-expire %u ", info->cfg.expire);
+
+ if (info->cfg.srcmask != dmask)
+ printf("--hashlimit-srcmask %u ", info->cfg.srcmask);
+ if (info->cfg.dstmask != dmask)
+ printf("--hashlimit-dstmask %u ", info->cfg.dstmask);
+}
+
+static void
+hashlimit_mt4_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_save(info, 32);
+}
+
+static void
+hashlimit_mt6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_save(info, 128);
+}
+
static struct xtables_match hashlimit_match = {
.family = AF_INET,
.name = "hashlimit",
.version = IPTABLES_VERSION,
+ .revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
.help = hashlimit_help,
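Review bot: The gcinterval line in hashlimit_mt_save is missing the trailing space that every other option in the function has, `printf("--hashlimit-htable-gcinterval %u", info->cfg.gc_interval);`, so when a non-default expire, srcmask or dstmask follows it the saved rule reads `--hashlimit-htable-gcinterval 1000--hashlimit-htable-expire ...` and iptables-restore cannot parse what iptables-save wrote. The fix is `printf("--hashlimit-htable-gcinterval %u ", info->cfg.gc_interval);`. A round-trip test of a rule with both gcinterval and expire set would catch regressions of this kind.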
@@ -379,6 +688,7 @@ static struct xtables_match hashlimit_ma
.family = AF_INET6,
.name = "hashlimit",
.version = IPTABLES_VERSION,
+ .revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
.help = hashlimit_help,
@@ -390,9 +700,43 @@ static struct xtables_match hashlimit_ma
.extra_opts = hashlimit_opts,
};
+static struct xtables_match hashlimit_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "hashlimit",
+ .revision = 1,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)),
+ .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
+ .help = hashlimit_mt_help,
+ .init = hashlimit_mt4_init,
+ .parse = hashlimit_mt4_parse,
+ .final_check = hashlimit_mt_check,
+ .print = hashlimit_mt4_print,
+ .save = hashlimit_mt4_save,
+ .extra_opts = hashlimit_mt_opts,
+};
+
+static struct xtables_match hashlimit_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "hashlimit",
+ .revision = 1,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)),
+ .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
+ .help = hashlimit_mt_help,
+ .init = hashlimit_mt6_init,
+ .parse = hashlimit_mt6_parse,
+ .final_check = hashlimit_mt_check,
+ .print = hashlimit_mt6_print,
+ .save = hashlimit_mt6_save,
+ .extra_opts = hashlimit_mt_opts,
+};
+
void _init(void);
void _init(void)
{
xtables_register_match(&hashlimit_match);
xtables_register_match(&hashlimit_match6);
+ xtables_register_match(&hashlimit_mt_reg);
+ xtables_register_match(&hashlimit_mt6_reg);
}
Index: iptables/extensions/libxt_hashlimit.man
===================================================================
--- iptables.orig/extensions/libxt_hashlimit.man
+++ iptables/extensions/libxt_hashlimit.man
@@ -1,35 +1,59 @@
-This patch adds a new match called 'hashlimit'.
-The idea is to have something like 'limit', but either per
-destination-ip or per (destip,destport) tuple.
-
-It gives you the ability to express
-.IP
- '1000 packets per second for every host in 192.168.0.0/16'
-.IP
- '100 packets per second for every service of 192.168.1.1'
-.P
-with a single iptables rule.
-.TP
-.BI "--hashlimit " "rate"
-A rate just like the limit match
-.TP
-.BI "--hashlimit-burst " "num"
-Burst value, just like limit match
+\fBhashlimit\fR uses hash buckets to express a rate limiting match (like the
+\fBlimit\fR match) for a group of connections using a \fBsingle\fR iptables
+rule. Grouping can be done per-hostgroup (source and/or destination address)
+and/or per-port. It gives you the ability to express "\fIN\fR packets per time
+quantum per group":
+.TP
+matching on source host
+"1000 packets per second for every host in 192.168.0.0/16"
+.TP
+matching on source prot
+"100 packets per second for every service of 192.168.1.1"
+.TP
+matching on subnet
+"10000 packets per minute for every /28 subnet in 10.0.0.0/8"
+.PP
+A hash limit option (\fB--hashlimit-upto\fR, \fB--hashlimit-above\fR) and
+\fB--hashlimit-name\fR are required.
+.TP
+\fB--hashlimit-upto\fR \fIamount\fR[\fB/second\fR|\fB/minute\fR|\fB/hour\fR|\fB/day\fR]
+Match if the rate is below or equal to \fIamount\fR/quantum. It is specified as
+a number, with an optional time quantum suffix; the default is 3/hour.
+.TP
+\fB--hashlimit-above\fR \fIamount\fR[\fB/second\fR|\fB/minute\fR|\fB/hour\fR|\fB/day\fR]
+Match if the rate is above \fIamount\fR/quantum.
+.TP
+\fB--hashlimit-burst\fR \fIamount\fR
+Maximum initial number of packets to match: this number gets recharged by one
+every time the limit specified above is not reached, up to this number; the
+default is 5.
+.TP
+\fB--hashlimit-mode\fR [\fBsrcip\fR|\fBsrcport\fR|\fBdstip\fR|\fBdstport\fR[\fB,\fR...]]
+A comma-separated list of objects to take into consideration. If no
+--hashlimit-mode option is given, hashlimit acts like limit, but at the
+expensive of doing the hash housekeeping.
+.TP
+\fB--hashlimit-srcmask\fR \fIprefix\fR
+When --hashlimit-mode srcip is used, all source addresses encountered will be
+grouped according to the given prefix length and the so-created subnet will be
+subject to hashlimit. \fIprefix\fR must be between (inclusive) 0 and 32. Note
+that --hashlimit-srcmask 0 is basically doing the same thing as not specifying
+srcip for --hashlimit-mode, but is technically more expensive.
.TP
-.BI "--hashlimit-mode " "dstip,srcip,dstport,srcport"
-A comma-separated list of objects to take into consideration
+\fB--hashlimit-dstmask\fR \fIprefix\fR
+Like --hashlimit-srcmask, but for destination addresses.
.TP
-.BI "--hashlimit-name " "foo"
-The name for the /proc/net/ipt_hashlimit/foo entry
+\fB--hashlimit-name\fR \fIfoo\fR
+The name for the /proc/net/ipt_hashlimit/foo entry.
.TP
-.BI "--hashlimit-htable-size " "num"
+\fB--hashlimit-htable-size\fR \fIbuckets\fR
The number of buckets of the hash table
.TP
-.BI "--hashlimit-htable-max " "num"
-Maximum entries in the hash
+\fB--hashlimit-htable-max\fR \fIentries\fR
+Maximum entries in the hash.
.TP
-.BI "--hashlimit-htable-expire " "num"
-After how many miliseconds do hash entries expire
+\fB--hashlimit-htable-expire\fR \fImsec\fR
+After how many miliseconds do hash entries expire.
.TP
-.BI "--hashlimit-htable-gcinterval " "num"
-How many miliseconds between garbage collection intervals
+\fB--hashlimit-htable-gcinterval\fR \fImsec\fR
+How many miliseconds between garbage collection intervals.
Index: iptables/include/linux/netfilter/xt_hashlimit.h
===================================================================
--- iptables.orig/include/linux/netfilter/xt_hashlimit.h
+++ iptables/include/linux/netfilter/xt_hashlimit.h
@@ -9,13 +9,16 @@
/* details of this structure hidden by the implementation */
struct xt_hashlimit_htable;
-#define XT_HASHLIMIT_HASH_DIP 0x0001
-#define XT_HASHLIMIT_HASH_DPT 0x0002
-#define XT_HASHLIMIT_HASH_SIP 0x0004
-#define XT_HASHLIMIT_HASH_SPT 0x0008
+enum {
+ XT_HASHLIMIT_HASH_DIP = 1 << 0,
+ XT_HASHLIMIT_HASH_DPT = 1 << 1,
+ XT_HASHLIMIT_HASH_SIP = 1 << 2,
+ XT_HASHLIMIT_HASH_SPT = 1 << 3,
+ XT_HASHLIMIT_INVERT = 1 << 4,
+};
struct hashlimit_cfg {
- u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */
+ u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
@@ -29,12 +32,35 @@ struct hashlimit_cfg {
struct xt_hashlimit_info {
char name [IFNAMSIZ]; /* name */
struct hashlimit_cfg cfg;
- struct xt_hashlimit_htable *hinfo;
/* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo;
union {
void *ptr;
struct xt_hashlimit_info *master;
} u;
};
+
+struct hashlimit_cfg1 {
+ u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
+ u_int32_t avg; /* Average secs between packets * scale */
+ u_int32_t burst; /* Period multiplier for upper limit. */
+
+ /* user specified */
+ u_int32_t size; /* how many buckets */
+ u_int32_t max; /* max number of entries */
+ u_int32_t gc_interval; /* gc interval */
+ u_int32_t expire; /* when do entries expire? */
+
+ u_int8_t srcmask, dstmask;
+};
+
+struct xt_hashlimit_mtinfo1 {
+ char name[IFNAMSIZ];
+ struct hashlimit_cfg1 cfg;
+
+ /* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
+};
+
#endif /*_XT_HASHLIMIT_H*/
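Review bot: The `/* bitmask of XT_HASHLIMIT_HASH_* */` comment on `hashlimit_cfg1.mode` names only the four hashing selectors, although `XT_HASHLIMIT_INVERT` was added to the same enum in the previous hunk; if revision 1 stores the inversion in `mode`, as the new `--hashlimit-upto`/`--hashlimit-above` pair in the manpage suggests, the comment should read `/* bitmask of XT_HASHLIMIT_HASH_* | XT_HASHLIMIT_INVERT */`. The `__attribute__((aligned(8)))` on `hinfo` carries no explanation either; a why-comment such as `/* keep the kernel-only pointer at a fixed offset for 32-bit userspace on a 64-bit kernel -- confirm */` would stop the next maintainer from dropping it. `srcmask`/`dstmask` are `u_int8_t` with no documented range: the manpage in this patch says 0..32, but the same struct is registered for AF_INET6, so the header should state the valid range per family once that is settled.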
[06/10] [IPTABLES]: Update libxt_owner manpage (so far)
From: Jan Engelhardt @ 2008-02-01 0:29 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Update the libxt_owner manpage with the UID/GID-range feature
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libxt_owner.man | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
Index: iptables/extensions/libxt_owner.man
===================================================================
--- iptables.orig/extensions/libxt_owner.man
+++ iptables/extensions/libxt_owner.man
@@ -3,14 +3,17 @@ for locally generated packets. This matc
POSTROUTING chains. Forwarded packets do not have any socket associated with
them. Packets from kernel threads do have a socket, but usually no owner.
.TP
-\fB--uid-owner\fR \fIuserid\fR
+\fB--uid-owner\fR \fIusername\fR
+.TP
+\fB--uid-owner\fR \fIuserid\fR[\fB-\fR\fIuserid\fR]
Matches if the packet socket's file structure (if it has one) is owned by the
-given user ID. A user name may be specified in place of \fIuserid\fR, in which
-case iptables will try to look it up.
+given user. You may also specify a numerical UID, or an UID range.
+.TP
+\fB--gid-owner\fR \fIgroupname\fR
.TP
-\fB--gid-owner\fR \fIgroupid\fR
-Matches if the packet socket's file structure is owned by the given group ID.
-A group name may be specified in place of \fIgroupid\fR.
+\fB--gid-owner\fR \fIgroupid\fR[\fB-\fR\fIgroupid\fR]
+Matches if the packet socket's file structure is owned by the given group.
+You may also specify a numerical GID, or a GID range.
.TP
\fB--socket-exists\fR
Matches if the packet is associated with a socket.
[07/10] [NETFILTER]: Combine IP[6]T_LIB_DIR into XTABLES_LIBDIR.
From: Jan Engelhardt @ 2008-02-01 0:29 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Combine IP[6]T_LIB_DIR into XTABLES_LIBDIR.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
configure.ac | 12 ++++++------
extensions/GNUmakefile.in | 6 +++---
include/ip6tables.h | 4 ----
include/iptables.h | 4 ----
include/xtables.h | 4 ----
ip6tables-restore.c | 8 +++++---
ip6tables-save.c | 8 +++++---
ip6tables-standalone.c | 8 +++++---
iptables-restore.c | 8 +++++---
iptables-save.c | 8 +++++---
iptables-standalone.c | 8 +++++---
libiptc/libiptc.c | 4 ----
12 files changed, 39 insertions(+), 43 deletions(-)
Index: iptables/configure.ac
===================================================================
--- iptables.orig/configure.ac
+++ iptables/configure.ac
@@ -22,11 +22,11 @@ AC_ARG_WITH([ksource],
AS_HELP_STRING([--with-ksource=PATH],
[Path to kernel source directory [[/lib/modules/CURRENT/source]]]),
[ksourcedir="$withval"])
-AC_ARG_WITH([iptdir],
- AS_HELP_STRING([--with-iptdir=PATH],
+AC_ARG_WITH([xtlibdir],
+ AS_HELP_STRING([--with-xtlibdir=PATH],
[Path to iptables modules [[LIBEXECDIR/iptables]]]),
- [iptdir="$withval"],
- [iptdir="${libexecdir}/iptables"])
+ [xtlibdir="$withval"],
+ [xtlibdir="${libexecdir}/iptables"])
AC_ARG_ENABLE([devel],
AS_HELP_STRING([--enable-devel],
[Build and install development files (libipq, libipq-devel, iptables-devel)]))
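Review bot: `--with-iptdir` is renamed to `--with-xtlibdir` with no compatibility alias, so a build script still passing the old option gets only autoconf's unrecognized-option warning and silently falls back to the default directory. If that is intended, the help string `[Path to iptables modules [[LIBEXECDIR/iptables]]]` should at least follow the rename, e.g. `[Path to xtables extension modules [[LIBEXECDIR/iptables]]]`, and the dropped option should be called out in the commit message.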
@@ -40,11 +40,11 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
- -DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
+ -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
-AC_SUBST([iptdir])
+AC_SUBST([xtlibdir])
AC_OUTPUT([Makefile extensions/GNUmakefile libipq/Makefile])
Index: iptables/extensions/GNUmakefile.in
===================================================================
--- iptables.orig/extensions/GNUmakefile.in
+++ iptables/extensions/GNUmakefile.in
@@ -7,7 +7,7 @@ prefix := @prefix@
exec_prefix := @exec_prefix@
libdir := @libdir@
libexecdir := @libexecdir@
-iptdir := @iptdir@
+xtlibdir := @xtlibdir@
CC := @CC@
CCLD := ${CC}
@@ -82,8 +82,8 @@ targets_install :=
all: ${targets}
install: ${targets_install}
- @mkdir -p "${DESTDIR}${iptdir}";
- install -pm0755 $^ "${DESTDIR}${iptdir}/";
+ @mkdir -p "${DESTDIR}${xtlibdir}";
+ install -pm0755 $^ "${DESTDIR}${xtlibdir}/";
clean:
rm -f *.o *.oo *.so *.a {matches,targets}[46].man initext4.c initext6.c;
Index: iptables/include/ip6tables.h
===================================================================
--- iptables.orig/include/ip6tables.h
+++ iptables/include/ip6tables.h
@@ -5,10 +5,6 @@
#include "libiptc/libip6tc.h"
-#ifndef IP6T_LIB_DIR
-#define IP6T_LIB_DIR XT_LIB_DIR
-#endif
-
#ifndef IP6T_SO_GET_REVISION_MATCH /* Old kernel source. */
#define IP6T_SO_GET_REVISION_MATCH 68
#define IP6T_SO_GET_REVISION_TARGET 69
Index: iptables/include/iptables.h
===================================================================
--- iptables.orig/include/iptables.h
+++ iptables/include/iptables.h
@@ -4,10 +4,6 @@
#include "xtables.h"
#include "libiptc/libiptc.h"
-#ifndef IPT_LIB_DIR
-#define IPT_LIB_DIR XT_LIB_DIR
-#endif
-
#ifndef IPT_SO_GET_REVISION_MATCH /* Old kernel source. */
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
Index: iptables/include/xtables.h
===================================================================
--- iptables.orig/include/xtables.h
+++ iptables/include/xtables.h
@@ -7,10 +7,6 @@
#include <libiptc/libxtc.h>
#include <stdbool.h>
-#ifndef XT_LIB_DIR
-#define XT_LIB_DIR "/usr/local/lib/iptables"
-#endif
-
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
Index: iptables/ip6tables-restore.c
===================================================================
--- iptables.orig/ip6tables-restore.c
+++ iptables/ip6tables-restore.c
@@ -131,9 +131,11 @@ int main(int argc, char *argv[])
program_version = IPTABLES_VERSION;
line = 0;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL)
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
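Review bot: The three-step lookup `XTABLES_LIBDIR` → `IP6TABLES_LIB_DIR` (or `IPTABLES_LIB_DIR`) → compiled-in `XTABLES_LIBDIR` is now copy-pasted into six `main()` functions (this hunk and the ones in ip6tables-save.c, ip6tables-standalone.c, iptables-restore.c, iptables-save.c and iptables-standalone.c); a single shared helper in the common xtables code would keep the precedence in one place and make a later change to it a one-line edit. That value is presumably the directory the GNUmakefile hunk installs the extension modules into, i.e. where shared objects are loaded from, so the helper is also the one place to decide how the environment is treated when the binary is not running with its caller's full privileges (glibc's `secure_getenv()` returns NULL for setuid/setgid processes). A one-line comment stating the precedence, `/* XTABLES_LIBDIR env, then legacy IP6TABLES_LIB_DIR env, then build-time default */`, would help as well. The surrounding `main()` begins and ends outside the hunk.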
Index: iptables/ip6tables-save.c
===================================================================
--- iptables.orig/ip6tables-save.c
+++ iptables/ip6tables-save.c
@@ -332,9 +332,11 @@ int main(int argc, char *argv[])
program_name = "ip6tables-save";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL)
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
Index: iptables/ip6tables-standalone.c
===================================================================
--- iptables.orig/ip6tables-standalone.c
+++ iptables/ip6tables-standalone.c
@@ -52,9 +52,11 @@ main(int argc, char *argv[])
program_name = "ip6tables";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL)
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
Index: iptables/iptables-restore.c
===================================================================
--- iptables.orig/iptables-restore.c
+++ iptables/iptables-restore.c
@@ -132,9 +132,11 @@ main(int argc, char *argv[])
program_version = IPTABLES_VERSION;
line = 0;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL)
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
Index: iptables/iptables-save.c
===================================================================
--- iptables.orig/iptables-save.c
+++ iptables/iptables-save.c
@@ -357,9 +357,11 @@ main(int argc, char *argv[])
program_name = "iptables-save";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL)
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
Index: iptables/iptables-standalone.c
===================================================================
--- iptables.orig/iptables-standalone.c
+++ iptables/iptables-standalone.c
@@ -53,9 +53,11 @@ main(int argc, char *argv[])
program_name = "iptables";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL)
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
Index: iptables/libiptc/libiptc.c
===================================================================
--- iptables.orig/libiptc/libiptc.c
+++ iptables/libiptc/libiptc.c
@@ -46,10 +46,6 @@
#define debug(x, args...)
#endif
-#ifndef IPT_LIB_DIR
-#define IPT_LIB_DIR "/usr/local/lib/iptables"
-#endif
-
static int sockfd = -1;
static int sockfd_use = 0;
static void *iptc_fn = NULL;
[08/10] [IPTABLES]: Move libipt_recent to libxt_recent
From: Jan Engelhardt @ 2008-02-01 0:29 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Move libipt_recent to libxt_recent
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libipt_recent.c | 231 ------------------------------
extensions/libipt_recent.man | 93 ------------
extensions/libxt_recent.c | 217 ++++++++++++++++++++++++++++
extensions/libxt_recent.man | 93 ++++++++++++
include/linux/netfilter/xt_recent.h | 26 +++
include/linux/netfilter_ipv4/ipt_recent.h | 27 ---
6 files changed, 336 insertions(+), 351 deletions(-)
Index: iptables/extensions/libipt_recent.c
===================================================================
--- iptables.orig/extensions/libipt_recent.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/* Shared library add-on to iptables to add recent matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_recent.h>
-
-/* Need these in order to not fail when compiling against an older kernel. */
-#ifndef RECENT_NAME
-#define RECENT_NAME "ipt_recent"
-#endif /* RECENT_NAME */
-
-#ifndef RECENT_VER
-#define RECENT_VER "unknown"
-#endif /* RECENT_VER */
-
-#ifndef IPT_RECENT_NAME_LEN
-#define IPT_RECENT_NAME_LEN 200
-#endif /* IPT_RECENT_NAME_LEN */
-
-/* Options for this module */
-static const struct option recent_opts[] = {
- { .name = "set", .has_arg = 0, .val = 201 },
- { .name = "rcheck", .has_arg = 0, .val = 202 },
- { .name = "update", .has_arg = 0, .val = 203 },
- { .name = "seconds", .has_arg = 1, .val = 204 },
- { .name = "hitcount", .has_arg = 1, .val = 205 },
- { .name = "remove", .has_arg = 0, .val = 206 },
- { .name = "rttl", .has_arg = 0, .val = 207 },
- { .name = "name", .has_arg = 1, .val = 208 },
- { .name = "rsource", .has_arg = 0, .val = 209 },
- { .name = "rdest", .has_arg = 0, .val = 210 },
- {},
-};
-
-/* Function which prints out usage message. */
-static void recent_help(void)
-{
- printf(
-"recent v%s options:\n"
-"[!] --set Add source address to list, always matches.\n"
-"[!] --rcheck Match if source address in list.\n"
-"[!] --update Match if source address in list, also update last-seen time.\n"
-"[!] --remove Match if source address in list, also removes that address from list.\n"
-" --seconds seconds For check and update commands above.\n"
-" Specifies that the match will only occur if source address last seen within\n"
-" the last 'seconds' seconds.\n"
-" --hitcount hits For check and update commands above.\n"
-" Specifies that the match will only occur if source address seen hits times.\n"
-" May be used in conjunction with the seconds option.\n"
-" --rttl For check and update commands above.\n"
-" Specifies that the match will only occur if the source address and the TTL\n"
-" match between this packet and the one which was set.\n"
-" Useful if you have problems with people spoofing their source address in order\n"
-" to DoS you via this module.\n"
-" --name name Name of the recent list to be used. DEFAULT used if none given.\n"
-" --rsource Match/Save the source address of each packet in the recent list table (default).\n"
-" --rdest Match/Save the destination address of each packet in the recent list table.\n"
-RECENT_NAME " " RECENT_VER ": Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"
-,
-IPTABLES_VERSION);
-
-}
-
-/* Initialize the match. */
-static void recent_init(struct xt_entry_match *match)
-{
- struct ipt_recent_info *info = (struct ipt_recent_info *)(match)->data;
-
-
- strncpy(info->name,"DEFAULT",IPT_RECENT_NAME_LEN);
- /* eventhough IPT_RECENT_NAME_LEN is currently defined as 200,
- * better be safe, than sorry */
- info->name[IPT_RECENT_NAME_LEN-1] = '\0';
- info->side = IPT_RECENT_SOURCE;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ipt_recent_info *info = (struct ipt_recent_info *)(*match)->data;
- switch (c) {
- case 201:
- if (*flags) exit_error(PARAMETER_PROBLEM,
- "recent: only one of `--set', `--rcheck' "
- "`--update' or `--remove' may be set");
- check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_SET;
- if (invert) info->invert = 1;
- *flags = 1;
- break;
-
- case 202:
- if (*flags) exit_error(PARAMETER_PROBLEM,
- "recent: only one of `--set', `--rcheck' "
- "`--update' or `--remove' may be set");
- check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_CHECK;
- if(invert) info->invert = 1;
- *flags = 1;
- break;
-
- case 203:
- if (*flags) exit_error(PARAMETER_PROBLEM,
- "recent: only one of `--set', `--rcheck' "
- "`--update' or `--remove' may be set");
- check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_UPDATE;
- if (invert) info->invert = 1;
- *flags = 1;
- break;
-
- case 206:
- if (*flags) exit_error(PARAMETER_PROBLEM,
- "recent: only one of `--set', `--rcheck' "
- "`--update' or `--remove' may be set");
- check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_REMOVE;
- if (invert) info->invert = 1;
- *flags = 1;
- break;
-
- case 204:
- info->seconds = atoi(optarg);
- break;
-
- case 205:
- info->hit_count = atoi(optarg);
- break;
-
- case 207:
- info->check_set |= IPT_RECENT_TTL;
- break;
-
- case 208:
- strncpy(info->name,optarg,IPT_RECENT_NAME_LEN);
- info->name[IPT_RECENT_NAME_LEN-1] = '\0';
- break;
-
- case 209:
- info->side = IPT_RECENT_SOURCE;
- break;
-
- case 210:
- info->side = IPT_RECENT_DEST;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified a specific option. */
-static void recent_check(unsigned int flags)
-{
-
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "recent: you must specify one of `--set', `--rcheck' "
- "`--update' or `--remove'");
-}
-
-/* Prints out the matchinfo. */
-static void recent_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
-
- if (info->invert)
- fputc('!', stdout);
-
- printf("recent: ");
- if(info->check_set & IPT_RECENT_SET) printf("SET ");
- if(info->check_set & IPT_RECENT_CHECK) printf("CHECK ");
- if(info->check_set & IPT_RECENT_UPDATE) printf("UPDATE ");
- if(info->check_set & IPT_RECENT_REMOVE) printf("REMOVE ");
- if(info->seconds) printf("seconds: %d ",info->seconds);
- if(info->hit_count) printf("hit_count: %d ",info->hit_count);
- if(info->check_set & IPT_RECENT_TTL) printf("TTL-Match ");
- if(info->name) printf("name: %s ",info->name);
- if(info->side == IPT_RECENT_SOURCE) printf("side: source ");
- if(info->side == IPT_RECENT_DEST) printf("side: dest");
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void recent_save(const void *ip, const struct xt_entry_match *match)
-{
- struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
-
- if (info->invert)
- printf("! ");
-
- if(info->check_set & IPT_RECENT_SET) printf("--set ");
- if(info->check_set & IPT_RECENT_CHECK) printf("--rcheck ");
- if(info->check_set & IPT_RECENT_UPDATE) printf("--update ");
- if(info->check_set & IPT_RECENT_REMOVE) printf("--remove ");
- if(info->seconds) printf("--seconds %d ",info->seconds);
- if(info->hit_count) printf("--hitcount %d ",info->hit_count);
- if(info->check_set & IPT_RECENT_TTL) printf("--rttl ");
- if(info->name) printf("--name %s ",info->name);
- if(info->side == IPT_RECENT_SOURCE) printf("--rsource ");
- if(info->side == IPT_RECENT_DEST) printf("--rdest ");
-}
-
-/* Structure for iptables to use to communicate with module */
-static struct iptables_match recent_match = {
- .name = "recent",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_recent_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_recent_info)),
- .help = recent_help,
- .init = recent_init,
- .parse = recent_parse,
- .final_check = recent_check,
- .print = recent_print,
- .save = recent_save,
- .extra_opts = recent_opts,
-};
-
-void _init(void);
-void _init(void)
-{
- register_match(&recent_match);
-}
Index: iptables/extensions/libipt_recent.man
===================================================================
--- iptables.orig/extensions/libipt_recent.man
+++ /dev/null
@@ -1,93 +0,0 @@
-Allows you to dynamically create a list of IP addresses and then match
-against that list in a few different ways.
-
-For example, you can create a `badguy' list out of people attempting
-to connect to port 139 on your firewall and then DROP all future
-packets from them without considering them.
-.TP
-.BI "--name " "name"
-Specify the list to use for the commands. If no name is given then 'DEFAULT'
-will be used.
-.TP
-[\fB!\fR] \fB--set\fR
-This will add the source address of the packet to the list. If the
-source address is already in the list, this will update the existing
-entry. This will always return success (or failure if `!' is passed
-in).
-.TP
-[\fB!\fR] \fB--rcheck\fR
-Check if the source address of the packet is currently in
-the list.
-.TP
-[\fB!\fR] \fB--update\fR
-Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
-matches.
-.TP
-[\fB!\fR] \fB--remove\fR
-Check if the source address of the packet is currently in the list and
-if so that address will be removed from the list and the rule will
-return true. If the address is not found, false is returned.
-.TP
-[\fB!\fR] \fB--seconds \fIseconds\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and was seen within the last given
-number of seconds.
-.TP
-[\fB!\fR] \fB--hitcount \fIhits\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and packets had been received greater
-than or equal to the given value. This option may be used along with
-\fB--seconds\fR to create an even narrower match requiring a certain
-number of hits within a specific time frame.
-.TP
-\fB--rttl\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and the TTL of the current packet
-matches that of the packet which hit the \fB--set\fR rule. This may be
-useful if you have problems with people faking their source address in
-order to DoS you via this module by disallowing others access to your
-site by sending bogus packets to you.
-.P
-Examples:
-.IP
-# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
-
-# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
-.P
-Official website (http://snowman.net/projects/ipt_recent/) also has
-some examples of usage.
-
-/proc/net/ipt_recent/* are the current lists of addresses and information
-about each entry of each list.
-
-Each file in /proc/net/ipt_recent/ can be read from to see the current list
-or written two using the following commands to modify the list:
-.TP
-echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Add to the DEFAULT list
-.TP
-echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Remove from the DEFAULT list
-.TP
-echo clear > /proc/net/ipt_recent/DEFAULT
-to empty the DEFAULT list.
-.P
-The module itself accepts parameters, defaults shown:
-.TP
-.BI "ip_list_tot=" "100"
-Number of addresses remembered per table
-.TP
-.BI "ip_pkt_list_tot=" "20"
-Number of packets per address remembered
-.TP
-.BI "ip_list_hash_size=" "0"
-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
-.TP
-.BI "ip_list_perms=" "0644"
-Permissions for /proc/net/ipt_recent/* files
-.TP
-.BI "debug=" "0"
-Set to 1 to get lots of debugging info
Index: iptables/extensions/libxt_recent.c
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_recent.c
@@ -0,0 +1,217 @@
+/* Shared library add-on to iptables to add recent matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_recent.h>
+
+/* Options for this module */
+static const struct option recent_opts[] = {
+ { .name = "set", .has_arg = 0, .val = 201 },
+ { .name = "rcheck", .has_arg = 0, .val = 202 },
+ { .name = "update", .has_arg = 0, .val = 203 },
+ { .name = "seconds", .has_arg = 1, .val = 204 },
+ { .name = "hitcount", .has_arg = 1, .val = 205 },
+ { .name = "remove", .has_arg = 0, .val = 206 },
+ { .name = "rttl", .has_arg = 0, .val = 207 },
+ { .name = "name", .has_arg = 1, .val = 208 },
+ { .name = "rsource", .has_arg = 0, .val = 209 },
+ { .name = "rdest", .has_arg = 0, .val = 210 },
+ {},
+};
+
+/* Function which prints out usage message. */
+static void recent_help(void)
+{
+ printf(
+"\"recent\" match options:\n"
+"[!] --set Add source address to list, always matches.\n"
+"[!] --rcheck Match if source address in list.\n"
+"[!] --update Match if source address in list, also update last-seen time.\n"
+"[!] --remove Match if source address in list, also removes that address from list.\n"
+" --seconds seconds For check and update commands above.\n"
+" Specifies that the match will only occur if source address last seen within\n"
+" the last 'seconds' seconds.\n"
+" --hitcount hits For check and update commands above.\n"
+" Specifies that the match will only occur if source address seen hits times.\n"
+" May be used in conjunction with the seconds option.\n"
+" --rttl For check and update commands above.\n"
+" Specifies that the match will only occur if the source address and the TTL\n"
+" match between this packet and the one which was set.\n"
+" Useful if you have problems with people spoofing their source address in order\n"
+" to DoS you via this module.\n"
+" --name name Name of the recent list to be used. DEFAULT used if none given.\n"
+" --rsource Match/Save the source address of each packet in the recent list table (default).\n"
+" --rdest Match/Save the destination address of each packet in the recent list table.\n"
+"ipt_recent by: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"
+);
+}
+
+/* Initialize the match. */
+static void recent_init(struct xt_entry_match *match)
+{
+ struct xt_recent_mtinfo *info = (void *)(match)->data;
+
+ strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN);
+ /* even though XT_RECENT_NAME_LEN is currently defined as 200,
+ * better be safe, than sorry */
+ info->name[XT_RECENT_NAME_LEN-1] = '\0';
+ info->side = XT_RECENT_SOURCE;
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_recent_mtinfo *info = (void *)(*match)->data;
+
+ switch (c) {
+ case 201:
+ if (*flags) exit_error(PARAMETER_PROBLEM,
+ "recent: only one of `--set', `--rcheck' "
+ "`--update' or `--remove' may be set");
+ check_inverse(optarg, &invert, &optind, 0);
+ info->check_set |= XT_RECENT_SET;
+ if (invert) info->invert = 1;
+ *flags = 1;
+ break;
+
+ case 202:
+ if (*flags) exit_error(PARAMETER_PROBLEM,
+ "recent: only one of `--set', `--rcheck' "
+ "`--update' or `--remove' may be set");
+ check_inverse(optarg, &invert, &optind, 0);
+ info->check_set |= XT_RECENT_CHECK;
+ if(invert) info->invert = 1;
+ *flags = 1;
+ break;
+
+ case 203:
+ if (*flags) exit_error(PARAMETER_PROBLEM,
+ "recent: only one of `--set', `--rcheck' "
+ "`--update' or `--remove' may be set");
+ check_inverse(optarg, &invert, &optind, 0);
+ info->check_set |= XT_RECENT_UPDATE;
+ if (invert) info->invert = 1;
+ *flags = 1;
+ break;
+
+ case 206:
+ if (*flags) exit_error(PARAMETER_PROBLEM,
+ "recent: only one of `--set', `--rcheck' "
+ "`--update' or `--remove' may be set");
+ check_inverse(optarg, &invert, &optind, 0);
+ info->check_set |= XT_RECENT_REMOVE;
+ if (invert) info->invert = 1;
+ *flags = 1;
+ break;
+
+ case 204:
+ info->seconds = atoi(optarg);
+ break;
+
+ case 205:
+ info->hit_count = atoi(optarg);
+ break;
+
+ case 207:
+ info->check_set |= XT_RECENT_TTL;
+ break;
+
+ case 208:
+ strncpy(info->name,optarg, XT_RECENT_NAME_LEN);
+ info->name[XT_RECENT_NAME_LEN-1] = '\0';
+ break;
+
+ case 209:
+ info->side = XT_RECENT_SOURCE;
+ break;
+
+ case 210:
+ info->side = XT_RECENT_DEST;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Final check; must have specified a specific option. */
+static void recent_check(unsigned int flags)
+{
+
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "recent: you must specify one of `--set', `--rcheck' "
+ "`--update' or `--remove'");
+}
+
+/* Prints out the matchinfo. */
+static void recent_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_recent_mtinfo *info = (const void *)match->data;
+
+ if (info->invert)
+ fputc('!', stdout);
+
+ printf("recent: ");
+ if(info->check_set & XT_RECENT_SET) printf("SET ");
+ if(info->check_set & XT_RECENT_CHECK) printf("CHECK ");
+ if(info->check_set & XT_RECENT_UPDATE) printf("UPDATE ");
+ if(info->check_set & XT_RECENT_REMOVE) printf("REMOVE ");
+ if(info->seconds) printf("seconds: %d ",info->seconds);
+ if(info->hit_count) printf("hit_count: %d ",info->hit_count);
+ if(info->check_set & XT_RECENT_TTL) printf("TTL-Match ");
+ if(info->name) printf("name: %s ",info->name);
+ if(info->side == XT_RECENT_SOURCE) printf("side: source ");
+ if(info->side == XT_RECENT_DEST) printf("side: dest");
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void recent_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_recent_mtinfo *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+
+ if(info->check_set & XT_RECENT_SET) printf("--set ");
+ if(info->check_set & XT_RECENT_CHECK) printf("--rcheck ");
+ if(info->check_set & XT_RECENT_UPDATE) printf("--update ");
+ if(info->check_set & XT_RECENT_REMOVE) printf("--remove ");
+ if(info->seconds) printf("--seconds %d ",info->seconds);
+ if(info->hit_count) printf("--hitcount %d ",info->hit_count);
+ if(info->check_set & XT_RECENT_TTL) printf("--rttl ");
+ if(info->name) printf("--name %s ",info->name);
+ if(info->side == XT_RECENT_SOURCE) printf("--rsource ");
+ if(info->side == XT_RECENT_DEST) printf("--rdest ");
+}
+
+/* Structure for iptables to use to communicate with module */
+static struct xtables_match recent_match = {
+ .name = "recent",
+ .version = IPTABLES_VERSION,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .help = recent_help,
+ .init = recent_init,
+ .parse = recent_parse,
+ .final_check = recent_check,
+ .print = recent_print,
+ .save = recent_save,
+ .extra_opts = recent_opts,
+};
+
+void _init(void);
+void _init(void)
+{
+ xtables_register_match(&recent_match);
+}
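Review bot: `--seconds` and `--hitcount` are parsed with `atoi(optarg)` (cases 204 and 205 in recent_parse) and stored into u_int32_t fields with no syntax or range check, so `--seconds -1` or `--seconds 60x` is accepted silently and a negative value wraps to a very large unsigned count, installing a rule that does not do what the administrator typed. libxt_socket.c on this page already uses xtables' `strtonum()` with an end-pointer check for the same job; the equivalent here is `unsigned int v; char *end; if (!strtonum(optarg, &end, &v, 0, UINT32_MAX) || *end != '\0') exit_error(PARAMETER_PROBLEM, "recent: bad value for --seconds"); info->seconds = v;` (and the same for --hitcount), which rejects the input at rule-load time. Two smaller points in the same hunk: `if(info->name)` in recent_print and recent_save tests the address of an array and is always true (use `info->name[0] != '\0'` or drop the test), and `printf("seconds: %d ", info->seconds)` passes a u_int32_t to `%d`, where `%u` matches the field type. The man page hunk below advertises `[!]` for --seconds and --hitcount, but cases 204/205 never call check_inverse, so the documented negation is silently ignored rather than rejected.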
Index: iptables/extensions/libxt_recent.man
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_recent.man
@@ -0,0 +1,93 @@
+Allows you to dynamically create a list of IP addresses and then match
+against that list in a few different ways.
+
+For example, you can create a `badguy' list out of people attempting
+to connect to port 139 on your firewall and then DROP all future
+packets from them without considering them.
+.TP
+.BI "--name " "name"
+Specify the list to use for the commands. If no name is given then 'DEFAULT'
+will be used.
+.TP
+[\fB!\fR] \fB--set\fR
+This will add the source address of the packet to the list. If the
+source address is already in the list, this will update the existing
+entry. This will always return success (or failure if `!' is passed
+in).
+.TP
+[\fB!\fR] \fB--rcheck\fR
+Check if the source address of the packet is currently in
+the list.
+.TP
+[\fB!\fR] \fB--update\fR
+Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
+matches.
+.TP
+[\fB!\fR] \fB--remove\fR
+Check if the source address of the packet is currently in the list and
+if so that address will be removed from the list and the rule will
+return true. If the address is not found, false is returned.
+.TP
+[\fB!\fR] \fB--seconds \fIseconds\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and was seen within the last given
+number of seconds.
+.TP
+[\fB!\fR] \fB--hitcount \fIhits\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and packets had been received greater
+than or equal to the given value. This option may be used along with
+\fB--seconds\fR to create an even narrower match requiring a certain
+number of hits within a specific time frame.
+.TP
+\fB--rttl\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and the TTL of the current packet
+matches that of the packet which hit the \fB--set\fR rule. This may be
+useful if you have problems with people faking their source address in
+order to DoS you via this module by disallowing others access to your
+site by sending bogus packets to you.
+.P
+Examples:
+.IP
+# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
+
+# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
+.P
+Official website (http://snowman.net/projects/ipt_recent/) also has
+some examples of usage.
+
+/proc/net/ipt_recent/* are the current lists of addresses and information
+about each entry of each list.
+
+Each file in /proc/net/ipt_recent/ can be read from to see the current list
+or written two using the following commands to modify the list:
+.TP
+echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
+to Add to the DEFAULT list
+.TP
+echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
+to Remove from the DEFAULT list
+.TP
+echo clear > /proc/net/ipt_recent/DEFAULT
+to empty the DEFAULT list.
+.P
+The module itself accepts parameters, defaults shown:
+.TP
+.BI "ip_list_tot=" "100"
+Number of addresses remembered per table
+.TP
+.BI "ip_pkt_list_tot=" "20"
+Number of packets per address remembered
+.TP
+.BI "ip_list_hash_size=" "0"
+Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
+.TP
+.BI "ip_list_perms=" "0644"
+Permissions for /proc/net/ipt_recent/* files
+.TP
+.BI "debug=" "0"
+Set to 1 to get lots of debugging info
Index: iptables/include/linux/netfilter/xt_recent.h
===================================================================
--- /dev/null
+++ iptables/include/linux/netfilter/xt_recent.h
@@ -0,0 +1,26 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+enum {
+ XT_RECENT_CHECK = 1 << 0,
+ XT_RECENT_SET = 1 << 1,
+ XT_RECENT_UPDATE = 1 << 2,
+ XT_RECENT_REMOVE = 1 << 3,
+ XT_RECENT_TTL = 1 << 4,
+
+ XT_RECENT_SOURCE = 0,
+ XT_RECENT_DEST = 1,
+
+ XT_RECENT_NAME_LEN = 200,
+};
+
+struct xt_recent_mtinfo {
+ u_int32_t seconds;
+ u_int32_t hit_count;
+ u_int8_t check_set;
+ u_int8_t invert;
+ char name[XT_RECENT_NAME_LEN];
+ u_int8_t side;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */
Index: iptables/include/linux/netfilter_ipv4/ipt_recent.h
===================================================================
--- iptables.orig/include/linux/netfilter_ipv4/ipt_recent.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef _IPT_RECENT_H
-#define _IPT_RECENT_H
-
-#define RECENT_NAME "ipt_recent"
-#define RECENT_VER "v0.3.1"
-
-#define IPT_RECENT_CHECK 1
-#define IPT_RECENT_SET 2
-#define IPT_RECENT_UPDATE 4
-#define IPT_RECENT_REMOVE 8
-#define IPT_RECENT_TTL 16
-
-#define IPT_RECENT_SOURCE 0
-#define IPT_RECENT_DEST 1
-
-#define IPT_RECENT_NAME_LEN 200
-
-struct ipt_recent_info {
- u_int32_t seconds;
- u_int32_t hit_count;
- u_int8_t check_set;
- u_int8_t invert;
- char name[IPT_RECENT_NAME_LEN];
- u_int8_t side;
-};
-
-#endif /*_IPT_RECENT_H*/
^ permalink raw reply [flat|nested] 27+ messages in thread* [09/10] [IPTABLES]: Add IPv6 support to libxt_recent
From: Jan Engelhardt @ 2008-02-01 0:29 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Add IPv6 support to libxt_recent
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libxt_recent.c | 17 +++++
extensions/libxt_recent.man | 127 +++++++++++++++++++++-----------------------
2 files changed, 80 insertions(+), 64 deletions(-)
Index: iptables/extensions/libxt_recent.c
===================================================================
--- iptables.orig/extensions/libxt_recent.c
+++ iptables/extensions/libxt_recent.c
@@ -210,8 +210,25 @@ static struct xtables_match recent_match
.extra_opts = recent_opts,
};
+static struct xtables_match recent_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "recent",
+ .revision = 0,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .help = recent_help,
+ .init = recent_init,
+ .parse = recent_parse,
+ .final_check = recent_check,
+ .print = recent_print,
+ .save = recent_save,
+ .extra_opts = recent_opts,
+};
+
void _init(void);
void _init(void)
{
xtables_register_match(&recent_match);
+ xtables_register_match(&recent_mt6_reg);
}
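Review bot: `recent_mt6_reg` repeats every initializer of `recent_match` with only `.family` changed, and as a point of style it spells out `.revision = 0` while the AF_INET registration (whose definition starts outside this hunk; see lines 8204-8217 in the earlier patch on this page) leaves it implicit, and it swaps the `.version`/`.name` order — a reader comparing the two has to check whether the revisions actually differ. Either both registrations should name `.revision` explicitly or neither, and keeping the field order identical makes the diff between them a one-line `.family` change. Both entries share `recent_help`, whose text still closes with the ipt_recent attribution line and describes only the IPv4 usage; a short addition there would tell ip6tables users that the match now applies to them as well.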
Index: iptables/extensions/libxt_recent.man
===================================================================
--- iptables.orig/extensions/libxt_recent.man
+++ iptables/extensions/libxt_recent.man
@@ -1,93 +1,92 @@
-Allows you to dynamically create a list of IP addresses and then match
-against that list in a few different ways.
-
-For example, you can create a `badguy' list out of people attempting
-to connect to port 139 on your firewall and then DROP all future
-packets from them without considering them.
-.TP
-.BI "--name " "name"
-Specify the list to use for the commands. If no name is given then 'DEFAULT'
-will be used.
+Allows you to dynamically create a list of IP addresses and then match against
+that list in a few different ways.
+.PP
+For example, you can create a "badguy" list out of people attempting to connect
+to port 139 on your firewall and then DROP all future packets from them without
+considering them.
+.TP
+\fB--name\fR \fIname\fR
+Specify the list to use for the commands. If no name is given then
+\fBDEFAULT\fR will be used.
.TP
[\fB!\fR] \fB--set\fR
-This will add the source address of the packet to the list. If the
-source address is already in the list, this will update the existing
-entry. This will always return success (or failure if `!' is passed
-in).
+This will add the source address of the packet to the list. If the source
+address is already in the list, this will update the existing entry. This will
+always return success (or failure if \fB!\fR is passed in).
.TP
[\fB!\fR] \fB--rcheck\fR
-Check if the source address of the packet is currently in
-the list.
+Check if the source address of the packet is currently in the list.
.TP
[\fB!\fR] \fB--update\fR
Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
matches.
.TP
[\fB!\fR] \fB--remove\fR
-Check if the source address of the packet is currently in the list and
-if so that address will be removed from the list and the rule will
-return true. If the address is not found, false is returned.
+Check if the source address of the packet is currently in the list and if so
+that address will be removed from the list and the rule will return true. If
+the address is not found, false is returned.
.TP
[\fB!\fR] \fB--seconds \fIseconds\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and was seen within the last given
-number of seconds.
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and was seen within the last given number of seconds.
.TP
[\fB!\fR] \fB--hitcount \fIhits\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and packets had been received greater
-than or equal to the given value. This option may be used along with
-\fB--seconds\fR to create an even narrower match requiring a certain
-number of hits within a specific time frame.
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and packets had been received greater than or equal to
+the given value. This option may be used along with \fB--seconds\fR to create
+an even narrower match requiring a certain number of hits within a specific
+time frame.
.TP
\fB--rttl\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and the TTL of the current packet
-matches that of the packet which hit the \fB--set\fR rule. This may be
-useful if you have problems with people faking their source address in
-order to DoS you via this module by disallowing others access to your
-site by sending bogus packets to you.
-.P
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and the TTL of the current packet matches that of the
+packet which hit the \fB--set\fR rule. This may be useful if you have problems
+with people faking their source address in order to DoS you via this module by
+disallowing others access to your site by sending bogus packets to you.
+.PP
Examples:
.IP
-# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
-
-# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
-.P
-Official website (http://snowman.net/projects/ipt_recent/) also has
+iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
+.IP
+iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
+.PP
+Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
some examples of usage.
-
-/proc/net/ipt_recent/* are the current lists of addresses and information
+.PP
+\fB/proc/net/xt_recent/*\fR are the current lists of addresses and information
about each entry of each list.
-
-Each file in /proc/net/ipt_recent/ can be read from to see the current list
-or written two using the following commands to modify the list:
-.TP
-echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Add to the DEFAULT list
-.TP
-echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Remove from the DEFAULT list
-.TP
-echo clear > /proc/net/ipt_recent/DEFAULT
-to empty the DEFAULT list.
-.P
+.PP
+Each file in \fB/proc/net/xt_recent/\fR can be read from to see the current
+list or written two using the following commands to modify the list:
+.TP
+\fBecho +\fR\fIaddr\fR\fB >/proc/net/xt_recent/DEFAULT\fR
+to add \fIaddr\fR to the DEFAULT list
+.TP
+\fBecho -\fR\fIaddr\fR\fB >/proc/net/xt_recent/DEFAULT\fR
+to remove \fIaddr\fR from the DEFAULT list
+.TP
+\fBecho / >/proc/net/xt_recent/DEFAULT\fR
+to flush the DEFAULT list (remove all entries).
+.PP
The module itself accepts parameters, defaults shown:
.TP
-.BI "ip_list_tot=" "100"
-Number of addresses remembered per table
+\fBip_list_tot\fR=\fI100\fR
+Number of addresses remembered per table.
+.TP
+\fBip_pkt_list_tot\fR=\fI20\fR
+Number of packets per address remembered.
.TP
-.BI "ip_pkt_list_tot=" "20"
-Number of packets per address remembered
+\fBip_list_hash_size\fR=\fI0\fR
+Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
.TP
-.BI "ip_list_hash_size=" "0"
-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
+\fBip_list_perms\fR=\fI0644\fR
+Permissions for /proc/net/xt_recent/* files.
.TP
-.BI "ip_list_perms=" "0644"
-Permissions for /proc/net/ipt_recent/* files
+\fBip_list_uid\fR=\fI0\fR
+Numerical UID for ownership of /proc/net/xt_recent/* files.
.TP
-.BI "debug=" "0"
-Set to 1 to get lots of debugging info
+\fBip_list_gid\fR=\fI0\fR
+Numerical GID for ownership of /proc/net/xt_recent/* files.
^ permalink raw reply [flat|nested] 27+ messages in thread* [10/10] [IPTABLES]: Split code into libxt_socket
From: Jan Engelhardt @ 2008-02-01 0:30 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Split out the new code into libxt_socket.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libxt_owner.c | 182 -----------------------------
extensions/libxt_owner.man | 19 ---
extensions/libxt_socket.c | 220 ++++++++++++++++++++++++++++++++++++
extensions/libxt_socket.man | 19 +++
include/linux/netfilter/xt_owner.h | 16 --
include/linux/netfilter/xt_socket.h | 16 ++
6 files changed, 255 insertions(+), 217 deletions(-)
Index: iptables/extensions/libxt_owner.c
===================================================================
--- iptables.orig/extensions/libxt_owner.c
+++ iptables/extensions/libxt_owner.c
@@ -14,7 +14,6 @@
#include <string.h>
#include <xtables.h>
-#include <linux/netfilter/xt_owner.h>
#include <linux/netfilter_ipv4/ipt_owner.h>
#include <linux/netfilter_ipv6/ip6t_owner.h>
@@ -63,16 +62,6 @@ static void owner_mt6_help_v0(void)
"\n");
}
-static void owner_mt_help(void)
-{
- printf(
-"owner match options:\n"
-"[!] --uid-owner userid[-userid] Match local UID\n"
-"[!] --gid-owner groupid[-groupid] Match local GID\n"
-"[!] --socket-exists Match if socket exists\n"
-"\n");
-}
-
static const struct option owner_mt_opts_v0[] = {
{.name = "uid-owner", .has_arg = true, .val = 'u'},
{.name = "gid-owner", .has_arg = true, .val = 'g'},
@@ -92,13 +81,6 @@ static const struct option owner_mt6_opt
{},
};
-static const struct option owner_mt_opts[] = {
- {.name = "uid-owner", .has_arg = true, .val = 'u'},
- {.name = "gid-owner", .has_arg = true, .val = 'g'},
- {.name = "socket-exists", .has_arg = false, .val = 'k'},
- {},
-};
-
static int
owner_mt_parse_v0(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
@@ -243,74 +225,6 @@ owner_mt6_parse_v0(int c, char **argv, i
return false;
}
-static void owner_parse_range(const char *s, unsigned int *from,
- unsigned int *to, const char *opt)
-{
- char *end;
-
- /* 4294967295 is reserved, so subtract one from ~0 */
- if (!strtonum(s, &end, from, 0, (~(uid_t)0) - 1))
- param_act(P_BAD_VALUE, "owner", opt, s);
- *to = *from;
- if (*end == '-' || *end == ':')
- if (!strtonum(end + 1, &end, to, 0, (~(uid_t)0) - 1))
- param_act(P_BAD_VALUE, "owner", opt, s);
- if (*end != '\0')
- param_act(P_BAD_VALUE, "owner", opt, s);
-}
-
-static int owner_mt_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct xt_owner_match_info *info = (void *)(*match)->data;
- struct passwd *pwd;
- struct group *grp;
- unsigned int from, to;
-
- switch (c) {
- case 'u':
- param_act(P_ONLY_ONCE, "owner", "--uid-owner",
- *flags & FLAG_UID_OWNER);
- if ((pwd = getpwnam(optarg)) != NULL)
- from = to = pwd->pw_uid;
- else
- owner_parse_range(optarg, &from, &to, "--uid-owner");
- if (invert)
- info->invert |= XT_OWNER_UID;
- info->match |= XT_OWNER_UID;
- info->uid_min = from;
- info->uid_max = to;
- *flags |= FLAG_UID_OWNER;
- return true;
-
- case 'g':
- param_act(P_ONLY_ONCE, "owner", "--gid-owner",
- *flags & FLAG_GID_OWNER);
- if ((grp = getgrnam(optarg)) != NULL)
- from = to = grp->gr_gid;
- else
- owner_parse_range(optarg, &from, &to, "--gid-owner");
- if (invert)
- info->invert |= XT_OWNER_GID;
- info->match |= XT_OWNER_GID;
- info->gid_min = from;
- info->gid_max = to;
- *flags |= FLAG_GID_OWNER;
- return true;
-
- case 'k':
- param_act(P_ONLY_ONCE, "owner", "--socket-exists",
- *flags & FLAG_SOCKET_EXISTS);
- if (invert)
- info->invert |= XT_OWNER_SOCKET;
- info->match |= XT_OWNER_SOCKET;
- *flags |= FLAG_SOCKET_EXISTS;
- return true;
-
- }
- return false;
-}
-
static void owner_mt_check(unsigned int flags)
{
if (flags == 0)
@@ -416,51 +330,6 @@ owner_mt6_print_item_v0(const struct ip6
}
static void
-owner_mt_print_item(const struct xt_owner_match_info *info, const char *label,
- u_int8_t flag, bool numeric)
-{
- if (!(info->match & flag))
- return;
- if (info->invert & flag)
- printf("! ");
- printf(label);
-
- switch (info->match & flag) {
- case XT_OWNER_UID:
- if (info->uid_min != info->uid_max) {
- printf("%u-%u ", (unsigned int)info->uid_min,
- (unsigned int)info->uid_max);
- break;
- } else if (!numeric) {
- const struct passwd *pwd = getpwuid(info->uid_min);
-
- if (pwd != NULL && pwd->pw_name != NULL) {
- printf("%s ", pwd->pw_name);
- break;
- }
- }
- printf("%u ", (unsigned int)info->uid_min);
- break;
-
- case XT_OWNER_GID:
- if (info->gid_min != info->gid_max) {
- printf("%u-%u ", (unsigned int)info->gid_min,
- (unsigned int)info->gid_max);
- break;
- } else if (!numeric) {
- const struct group *grp = getgrgid(info->gid_min);
-
- if (grp != NULL && grp->gr_name != NULL) {
- printf("%s ", grp->gr_name);
- break;
- }
- }
- printf("%u ", (unsigned int)info->gid_min);
- break;
- }
-}
-
-static void
owner_mt_print_v0(const void *ip, const struct xt_entry_match *match,
int numeric)
{
@@ -487,16 +356,6 @@ owner_mt6_print_v0(const void *ip, const
owner_mt6_print_item_v0(info, "owner SID match ", IPT_OWNER_SID, numeric);
}
-static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- const struct xt_owner_match_info *info = (void *)match->data;
-
- owner_mt_print_item(info, "owner socket exists ", XT_OWNER_SOCKET, numeric);
- owner_mt_print_item(info, "owner UID match ", XT_OWNER_UID, numeric);
- owner_mt_print_item(info, "owner GID match ", XT_OWNER_GID, numeric);
-}
-
static void
owner_mt_save_v0(const void *ip, const struct xt_entry_match *match)
{
@@ -522,15 +381,6 @@ owner_mt6_save_v0(const void *ip, const
owner_mt6_print_item_v0(info, "owner SID match ", IPT_OWNER_SID, true);
}
-static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
-{
- const struct xt_owner_match_info *info = (void *)match->data;
-
- owner_mt_print_item(info, "--socket-exists ", XT_OWNER_SOCKET, false);
- owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, false);
- owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, false);
-}
-
static struct xtables_match owner_mt_reg_v0 = {
.version = IPTABLES_VERSION,
.name = "owner",
@@ -561,41 +411,9 @@ static struct xtables_match owner_mt6_re
.extra_opts = owner_mt6_opts_v0,
};
-static struct xtables_match owner_mt_reg = {
- .version = IPTABLES_VERSION,
- .name = "owner",
- .revision = 1,
- .family = AF_INET,
- .size = XT_ALIGN(sizeof(struct xt_owner_match_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
- .help = owner_mt_help,
- .parse = owner_mt_parse,
- .final_check = owner_mt_check,
- .print = owner_mt_print,
- .save = owner_mt_save,
- .extra_opts = owner_mt_opts,
-};
-
-static struct xtables_match owner_mt6_reg = {
- .version = IPTABLES_VERSION,
- .name = "owner",
- .revision = 1,
- .family = AF_INET6,
- .size = XT_ALIGN(sizeof(struct xt_owner_match_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
- .help = owner_mt_help,
- .parse = owner_mt_parse,
- .final_check = owner_mt_check,
- .print = owner_mt_print,
- .save = owner_mt_save,
- .extra_opts = owner_mt_opts,
-};
-
void _init(void);
void _init(void)
{
xtables_register_match(&owner_mt_reg_v0);
xtables_register_match(&owner_mt6_reg_v0);
- xtables_register_match(&owner_mt_reg);
- xtables_register_match(&owner_mt6_reg);
}
Index: iptables/extensions/libxt_owner.man
===================================================================
--- iptables.orig/extensions/libxt_owner.man
+++ /dev/null
@@ -1,19 +0,0 @@
-This module attempts to match various characteristics of the packet creator,
-for locally generated packets. This match is only valid in the OUTPUT and
-POSTROUTING chains. Forwarded packets do not have any socket associated with
-them. Packets from kernel threads do have a socket, but usually no owner.
-.TP
-\fB--uid-owner\fR \fIusername\fR
-.TP
-\fB--uid-owner\fR \fIuserid\fR[\fB-\fR\fIuserid\fR]
-Matches if the packet socket's file structure (if it has one) is owned by the
-given user. You may also specify a numerical UID, or an UID range.
-.TP
-\fB--gid-owner\fR \fIgroupname\fR
-.TP
-\fB--gid-owner\fR \fIgroupid\fR[\fB-\fR\fIgroupid\fR]
-Matches if the packet socket's file structure is owned by the given group.
-You may also specify a numerical GID, or a GID range.
-.TP
-\fB--socket-exists\fR
-Matches if the packet is associated with a socket.
Index: iptables/extensions/libxt_socket.c
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_socket.c
@@ -0,0 +1,220 @@
+/*
+ * libxt_socket - iptables addon for xt_socket
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <grp.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_socket.h>
+
+enum {
+ FLAG_UID_OWNER = 1 << 0,
+ FLAG_GID_OWNER = 1 << 1,
+ FLAG_SOCKET_EXISTS = 1 << 2,
+};
+
+static void socket_mt_help(void)
+{
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid[-userid] Match local UID\n"
+"[!] --gid-owner groupid[-groupid] Match local GID\n"
+"[!] --socket-exists Match if socket exists\n"
+"\n");
+}
+
+static const struct option socket_mt_opts[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "socket-exists", .has_arg = false, .val = 'k'},
+ {},
+};
+
+static void owner_parse_range(const char *s, unsigned int *from,
+ unsigned int *to, const char *opt)
+{
+ char *end;
+
+ /* 4294967295 is reserved, so subtract one from ~0 */
+ if (!strtonum(s, &end, from, 0, (~(uid_t)0) - 1))
+ param_act(P_BAD_VALUE, "owner", opt, s);
+ *to = *from;
+ if (*end == '-' || *end == ':')
+ if (!strtonum(end + 1, &end, to, 0, (~(uid_t)0) - 1))
+ param_act(P_BAD_VALUE, "owner", opt, s);
+ if (*end != '\0')
+ param_act(P_BAD_VALUE, "owner", opt, s);
+}
+
+static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_socket_mtinfo *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int from, to;
+
+ switch (c) {
+ case 'u':
+ param_act(P_ONLY_ONCE, "owner", "--uid-owner",
+ *flags & FLAG_UID_OWNER);
+ if ((pwd = getpwnam(optarg)) != NULL)
+ from = to = pwd->pw_uid;
+ else
+ owner_parse_range(optarg, &from, &to, "--uid-owner");
+ if (invert)
+ info->invert |= XT_SOCKET_UID;
+ info->match |= XT_SOCKET_UID;
+ info->uid_min = from;
+ info->uid_max = to;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ param_act(P_ONLY_ONCE, "owner", "--gid-owner",
+ *flags & FLAG_GID_OWNER);
+ if ((grp = getgrnam(optarg)) != NULL)
+ from = to = grp->gr_gid;
+ else
+ owner_parse_range(optarg, &from, &to, "--gid-owner");
+ if (invert)
+ info->invert |= XT_SOCKET_GID;
+ info->match |= XT_SOCKET_GID;
+ info->gid_min = from;
+ info->gid_max = to;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+
+ case 'k':
+ param_act(P_ONLY_ONCE, "owner", "--socket-exists",
+ *flags & FLAG_SOCKET_EXISTS);
+ if (invert)
+ info->invert |= XT_SOCKET_EXISTS;
+ info->match |= XT_SOCKET_EXISTS;
+ *flags |= FLAG_SOCKET_EXISTS;
+ return true;
+
+ }
+ return false;
+}
+
+static void socket_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM, "owner: At least one of "
+ "--uid-owner, --gid-owner or --socket-exists "
+ "is required");
+}
+
+static void
+socket_mt_print_item(const struct xt_socket_mtinfo *info, const char *label,
+ u_int8_t flag, bool numeric)
+{
+ if (!(info->match & flag))
+ return;
+ if (info->invert & flag)
+ printf("! ");
+ printf(label);
+
+ switch (info->match & flag) {
+ case XT_SOCKET_UID:
+ if (info->uid_min != info->uid_max) {
+ printf("%u-%u ", (unsigned int)info->uid_min,
+ (unsigned int)info->uid_max);
+ break;
+ } else if (!numeric) {
+ const struct passwd *pwd = getpwuid(info->uid_min);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid_min);
+ break;
+
+ case XT_SOCKET_GID:
+ if (info->gid_min != info->gid_max) {
+ printf("%u-%u ", (unsigned int)info->gid_min,
+ (unsigned int)info->gid_max);
+ break;
+ } else if (!numeric) {
+ const struct group *grp = getgrgid(info->gid_min);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid_min);
+ break;
+ }
+}
+
+static void socket_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_socket_mtinfo *info = (void *)match->data;
+
+ socket_mt_print_item(info, "owner socket exists ",
+ XT_SOCKET_EXISTS, numeric);
+ socket_mt_print_item(info, "owner UID match ",
+ XT_SOCKET_UID, numeric);
+ socket_mt_print_item(info, "owner GID match ",
+ XT_SOCKET_GID, numeric);
+}
+
+static void socket_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_socket_mtinfo *info = (void *)match->data;
+
+ socket_mt_print_item(info, "--socket-exists ", XT_SOCKET_EXISTS, false);
+ socket_mt_print_item(info, "--uid-owner", XT_SOCKET_UID, false);
+ socket_mt_print_item(info, "--gid-owner", XT_SOCKET_GID, false);
+}
+
+static struct xtables_match socket_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "socket",
+ .revision = 0,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo)),
+ .help = socket_mt_help,
+ .parse = socket_mt_parse,
+ .final_check = socket_mt_check,
+ .print = socket_mt_print,
+ .save = socket_mt_save,
+ .extra_opts = socket_mt_opts,
+};
+
+static struct xtables_match socket_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "socket",
+ .revision = 0,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo)),
+ .help = socket_mt_help,
+ .parse = socket_mt_parse,
+ .final_check = socket_mt_check,
+ .print = socket_mt_print,
+ .save = socket_mt_save,
+ .extra_opts = socket_mt_opts,
+};
+
+void _init(void);
+void _init(void)
+{
+ xtables_register_match(&socket_mt_reg);
+ xtables_register_match(&socket_mt6_reg);
+}
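Review bot: In socket_mt_save the last two labels, `"--uid-owner"` and `"--gid-owner"`, have no trailing space while `"--socket-exists "` does, and socket_mt_print_item prints the value right after the label, so the save output becomes e.g. `--uid-owner1000 ` and cannot be fed back through iptables-restore; change them to `socket_mt_print_item(info, "--uid-owner ", XT_SOCKET_UID, false);` and `socket_mt_print_item(info, "--gid-owner ", XT_SOCKET_GID, false);`. Separately, `printf(label);` in socket_mt_print_item passes a non-literal format string; the labels are compile-time constants here, but `fputs(label, stdout);` keeps the function correct if a label containing `%` is ever added. Finally, the help text, the `param_act`/`exit_error` messages and the range helper still say "owner" although the match is registered with `.name = "socket"`, so a user of `-m socket` gets diagnostics naming a different module; presumably these strings were carried over from libxt_owner.c and should be updated together.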
Index: iptables/extensions/libxt_socket.man
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_socket.man
@@ -0,0 +1,19 @@
+This module attempts to match various characteristics of the packet creator,
+for locally generated packets. This match is currently only valid in the OUTPUT
+and POSTROUTING chains. Forwarded packets do not have any socket associated
+with them. Packets from kernel threads do have a socket, but usually no owner.
+.TP
+\fB--uid-owner\fR \fIusername\fR
+.TP
+\fB--uid-owner\fR \fIuserid\fR[\fB-\fR\fIuserid\fR]
+Matches if the packet socket's file structure (if it has one) is owned by the
+given user. You may also specify a numerical UID, or an UID range.
+.TP
+\fB--gid-owner\fR \fIgroupname\fR
+.TP
+\fB--gid-owner\fR \fIgroupid\fR[\fB-\fR\fIgroupid\fR]
+Matches if the packet socket's file structure is owned by the given group.
+You may also specify a numerical GID, or a GID range.
+.TP
+\fB--socket-exists\fR
+Matches if the packet is associated with a socket.
Index: iptables/include/linux/netfilter/xt_owner.h
===================================================================
--- iptables.orig/include/linux/netfilter/xt_owner.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef _XT_OWNER_MATCH_H
-#define _XT_OWNER_MATCH_H
-
-enum {
- XT_OWNER_UID = 1 << 0,
- XT_OWNER_GID = 1 << 1,
- XT_OWNER_SOCKET = 1 << 2,
-};
-
-struct xt_owner_match_info {
- u_int32_t uid_min, uid_max;
- u_int32_t gid_min, gid_max;
- u_int8_t match, invert;
-};
-
-#endif /* _XT_OWNER_MATCH_H */
Index: iptables/include/linux/netfilter/xt_socket.h
===================================================================
--- /dev/null
+++ iptables/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,16 @@
+#ifndef _XT_SOCKET_MATCH_H
+#define _XT_SOCKET_MATCH_H
+
+enum {
+ XT_SOCKET_UID = 1 << 0,
+ XT_SOCKET_GID = 1 << 1,
+ XT_SOCKET_EXISTS = 1 << 2,
+};
+
+struct xt_socket_mtinfo {
+ u_int32_t uid_min, uid_max;
+ u_int32_t gid_min, gid_max;
+ u_int8_t match, invert;
+};
+
+#endif /* _XT_SOCKET_MATCH_H */
-
* Re: [00/!@#%] patches patches!
From: Patrick McHardy @ 2008-02-01 10:05 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Hi :)
>
>
> to make this evening still interesting, I have:
>
> - 13 kernel patches, as replies to this thread.
>
> The way it looks from a quick grep is that all non-IPv4/v6-centric
> matches are now IPv6 capable - yay!
>
> - 9 iptables patches, as replies to this thread.
> making way for a final tarball (I think it's time)
>
> All previously posted patches are hereby obsoleted.
Great :) Dave declared that only non-features should be merged
from now on. The constifying is no big deal I guess, but could
you combine all of these in one big patch please? The remaining
fixes are obviously fine, also the patches fixing non-released
features. Everything else will have to wait for 2.6.26, but I
can queue it for you.
* Re: [00/..] patches patches!
From: Jan Engelhardt @ 2008-02-01 12:49 UTC (permalink / raw)
To: davem; +Cc: Netfilter Developer Mailing List, kaber
On Feb 1 2008 11:05, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> Hi :)
>>
>>
>> to make this evening still interesting, I have:
>>
>> - 13 kernel patches, as replies to this thread.
>>
>> The way it looks from a quick grep is that all non-IPv4/v6-centric matches
>> are now IPv6 capable - yay!
>
> Great :) Dave declared that only non-features should be merged
> from now on.
That's real sad - because it would have wrapped up the package
perfectly. Please reconsider these small improvements (7-10,13).
Categories:
01-04 constifying
05 fix
06 fix non-released feature
07 'feature'?
08 ebt_ip6, feature.
09 rename - belongs to what category?
10 xt_recent/AF_INET6, feature.
11 fix non-released feature
12 fix?
13 I'd call it both a feature and fix, it avoids
a(nother) [user-visible] flagday later.
> The constifying is no big deal I guess, but could
> you combine all of these in one big patch please? The remaining
> fixes are obviously fine, also the patches fixing non-released
> features. Everything else will have to wait for 2.6.26, but I
> can queue it for you.
01-04 combo below.
===
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Jan 25 20:52:56 2008 +0100
[NETFILTER]: Annotate a few more places with const and remove casts
- xtables targets
- {arp,ip,ip6,x}tables
- rest of nf_conntrack_* files
- rest of nf_nat_* files
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b2c62cc..2326296 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -430,13 +430,13 @@ extern int xt_compat_add_offset(int af, unsigned int offset, short delta);
extern void xt_compat_flush_offsets(int af);
extern short xt_compat_calc_jump(int af, unsigned int offset);
-extern int xt_compat_match_offset(struct xt_match *match);
+extern int xt_compat_match_offset(const struct xt_match *match);
extern int xt_compat_match_from_user(struct xt_entry_match *m,
void **dstptr, unsigned int *size);
extern int xt_compat_match_to_user(struct xt_entry_match *m,
void __user **dstptr, unsigned int *size);
-extern int xt_compat_target_offset(struct xt_target *target);
+extern int xt_compat_target_offset(const struct xt_target *target);
extern void xt_compat_target_from_user(struct xt_entry_target *t,
void **dstptr, unsigned int *size);
extern int xt_compat_target_to_user(struct xt_entry_target *t,
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index a7591ce..4191588 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -59,7 +59,7 @@ do { \
#endif
static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
- char *hdr_addr, int len)
+ const char *hdr_addr, int len)
{
int i, ret;
@@ -80,8 +80,8 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
const char *outdev,
const struct arpt_arp *arpinfo)
{
- char *arpptr = (char *)(arphdr + 1);
- char *src_devaddr, *tgt_devaddr;
+ const char *arpptr = (char *)(arphdr + 1);
+ const char *src_devaddr, *tgt_devaddr;
__be32 src_ipaddr, tgt_ipaddr;
int i, ret;
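Review bot: The cast in `const char *arpptr = (char *)(arphdr + 1);` strips the const of `arphdr` only for the declaration to add it back; since the commit's purpose is to remove such casts, `const char *arpptr = (const char *)(arphdr + 1);` is the matching form. The same pattern recurs in nf_nat_snmp_basic.c help(), where `(struct udphdr *)((__be32 *)iph + iph->ihl)` casts away the const just given to `iph`, and in copy_entries_to_user in ip_tables.c and ip6_tables.c, where the unchanged `(struct ipt_entry *)` / `(struct ip6t_entry *)` casts on `loc_cpu_entry + off` now silently discard the const added to `loc_cpu_entry`. arp_packet_match's body continues outside the hunk.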
@@ -226,12 +226,12 @@ unsigned int arpt_do_table(struct sk_buff *skb,
{
static const char nulldevname[IFNAMSIZ];
unsigned int verdict = NF_DROP;
- struct arphdr *arp;
+ const struct arphdr *arp;
bool hotdrop = false;
struct arpt_entry *e, *back;
- const char *indev, *outdev;
+ const const char *indev, *outdev;
void *table_base;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
/* ARP header, plus 2 device addresses, plus 2 IP addresses. */
if (!pskb_may_pull(skb, (sizeof(struct arphdr) +
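Review bot: `+ const const char *indev, *outdev;` carries a duplicated qualifier; C99 (6.7.3) treats a repeated qualifier as if it appeared once, so it compiles, but it is a typo and the line was already `const char *indev, *outdev;` before the change, so the hunk adds nothing but the stray keyword. Restore the original declaration. arpt_do_table's body continues outside the hunk.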
@@ -355,7 +355,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
e->counters.pcnt = pos;
for (;;) {
- struct arpt_standard_target *t
+ const struct arpt_standard_target *t
= (void *)arpt_get_target(e);
int visited = e->comefrom & (1 << hook);
@@ -440,7 +440,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
static inline int check_entry(struct arpt_entry *e, const char *name)
{
- struct arpt_entry_target *t;
+ const struct arpt_entry_target *t;
if (!arp_checkentry(&e->arp)) {
duprintf("arp_tables: arp check failed %p %s.\n", e, name);
@@ -713,7 +713,7 @@ static inline struct xt_counters *alloc_counters(struct arpt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
* (other than comefrom, which userspace doesn't care
@@ -740,7 +740,7 @@ static int copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct arpt_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
void *loc_cpu_entry;
@@ -875,7 +875,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"arptable_%s", name);
if (t && !IS_ERR(t)) {
struct arpt_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -930,7 +930,8 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
t = xt_find_table_lock(net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
+
duprintf("t->private->number = %u\n",
private->number);
if (get.size == private->size)
@@ -1090,11 +1091,11 @@ static int do_add_counters(struct net *net, void __user *user, unsigned int len,
struct xt_counters_info tmp;
struct xt_counters *paddc;
unsigned int num_counters;
- char *name;
+ const char *name;
int size;
void *ptmp;
struct arpt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
@@ -1561,7 +1562,7 @@ static int compat_copy_entries_to_user(unsigned int total_size,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
@@ -1612,7 +1613,7 @@ static int compat_get_entries(struct net *net,
xt_compat_lock(NF_ARP);
t = xt_find_table_lock(net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 45fa4e2..10517d6 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -15,7 +15,7 @@ target(struct sk_buff *skb,
const void *targinfo)
{
const struct arpt_mangle *mangle = targinfo;
- struct arphdr *arp;
+ const struct arphdr *arp;
unsigned char *arpptr;
int pln, hln;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 600737f..eb3ec74 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -296,7 +296,7 @@ static void trace_packet(struct sk_buff *skb,
struct ipt_entry *e)
{
void *table_base;
- struct ipt_entry *root;
+ const struct ipt_entry *root;
char *hookname, *chainname, *comment;
unsigned int rulenum = 0;
@@ -327,7 +327,7 @@ ipt_do_table(struct sk_buff *skb,
{
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
u_int16_t offset;
- struct iphdr *ip;
+ const struct iphdr *ip;
u_int16_t datalen;
bool hotdrop = false;
/* Initializing verdict to NF_DROP keeps gcc happy. */
@@ -926,7 +926,7 @@ static struct xt_counters * alloc_counters(struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
(other than comefrom, which userspace doesn't care
@@ -953,9 +953,9 @@ copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct ipt_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
counters = alloc_counters(table);
if (IS_ERR(counters))
@@ -975,8 +975,8 @@ copy_entries_to_user(unsigned int total_size,
/* ... then go back and fix counters and names */
for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
unsigned int i;
- struct ipt_entry_match *m;
- struct ipt_entry_target *t;
+ const struct ipt_entry_match *m;
+ const struct ipt_entry_target *t;
e = (struct ipt_entry *)(loc_cpu_entry + off);
if (copy_to_user(userptr + off
@@ -1116,7 +1116,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"iptable_%s", name);
if (t && !IS_ERR(t)) {
struct ipt_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -1172,7 +1172,7 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len)
t = xt_find_table_lock(net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
duprintf("t->private->number = %u\n", private->number);
if (get.size == private->size)
ret = copy_entries_to_user(private->size,
@@ -1337,11 +1337,11 @@ do_add_counters(struct net *net, void __user *user, unsigned int len, int compat
struct xt_counters_info tmp;
struct xt_counters *paddc;
unsigned int num_counters;
- char *name;
+ const char *name;
int size;
void *ptmp;
struct xt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
@@ -1878,11 +1878,11 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
unsigned int i = 0;
counters = alloc_counters(table);
@@ -1929,7 +1929,7 @@ compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
xt_compat_lock(AF_INET);
t = xt_find_table_lock(net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
ret = compat_table_info(private, &info);
@@ -2130,7 +2130,8 @@ icmp_match(const struct sk_buff *skb,
unsigned int protoff,
bool *hotdrop)
{
- struct icmphdr _icmph, *ic;
+ const struct icmphdr *ic;
+ struct icmphdr _icmph;
const struct ipt_icmp *icmpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index c6cf84c..b8c793c 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -142,7 +142,7 @@ clusterip_config_init_nodelist(struct clusterip_config *c,
}
static struct clusterip_config *
-clusterip_config_init(struct ipt_clusterip_tgt_info *i, __be32 ip,
+clusterip_config_init(const struct ipt_clusterip_tgt_info *i, __be32 ip,
struct net_device *dev)
{
struct clusterip_config *c;
@@ -417,7 +417,7 @@ clusterip_tg_check(const char *tablename, const void *e_void,
/* drop reference count of cluster config when rule is deleted */
static void clusterip_tg_destroy(const struct xt_target *target, void *targinfo)
{
- struct ipt_clusterip_tgt_info *cipinfo = targinfo;
+ const struct ipt_clusterip_tgt_info *cipinfo = targinfo;
/* if no more entries are referencing the config, remove it
* from the list and destroy the proc entry */
@@ -566,7 +566,7 @@ struct clusterip_seq_position {
static void *clusterip_seq_start(struct seq_file *s, loff_t *pos)
{
- struct proc_dir_entry *pde = s->private;
+ const struct proc_dir_entry *pde = s->private;
struct clusterip_config *c = pde->data;
unsigned int weight;
u_int32_t local_nodes;
@@ -593,7 +593,7 @@ static void *clusterip_seq_start(struct seq_file *s, loff_t *pos)
static void *clusterip_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct clusterip_seq_position *idx = (struct clusterip_seq_position *)v;
+ struct clusterip_seq_position *idx = v;
*pos = ++idx->pos;
if (*pos >= idx->weight) {
@@ -612,7 +612,7 @@ static void clusterip_seq_stop(struct seq_file *s, void *v)
static int clusterip_seq_show(struct seq_file *s, void *v)
{
- struct clusterip_seq_position *idx = (struct clusterip_seq_position *)v;
+ struct clusterip_seq_position *idx = v;
if (idx->pos != 0)
seq_putc(s, ',');
@@ -668,7 +668,7 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
{
#define PROC_WRITELEN 10
char buffer[PROC_WRITELEN+1];
- struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
+ const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct clusterip_config *c = pde->data;
unsigned long nodenum;
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 21395bc..d60139c 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -100,7 +100,7 @@ ecn_tg_check(const char *tablename, const void *e_void,
const struct xt_target *target, void *targinfo,
unsigned int hook_mask)
{
- const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
+ const struct ipt_ECN_info *einfo = targinfo;
const struct ipt_entry *e = e_void;
if (einfo->operation & IPT_ECN_OP_MASK) {
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index b38d785..77300e9 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -76,7 +76,8 @@ static void dump_packet(const struct nf_loginfo *info,
if ((logflags & IPT_LOG_IPOPT)
&& ih->ihl * 4 > sizeof(struct iphdr)) {
- unsigned char _opt[4 * 15 - sizeof(struct iphdr)], *op;
+ const unsigned char *op;
+ unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
unsigned int i, optsize;
optsize = ih->ihl * 4 - sizeof(struct iphdr);
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 22606e2..2639872 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -35,8 +35,10 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4");
static void send_reset(struct sk_buff *oldskb, int hook)
{
struct sk_buff *nskb;
- struct iphdr *oiph, *niph;
- struct tcphdr _otcph, *oth, *tcph;
+ const struct iphdr *oiph;
+ struct iphdr *niph;
+ const struct tcphdr *oth;
+ struct tcphdr _otcph, *tcph;
unsigned int addr_type;
/* IP header checks: fragment. */
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 68cbe3c..f2142b7 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -339,7 +339,7 @@ static void *recent_seq_start(struct seq_file *seq, loff_t *pos)
static void *recent_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
struct recent_iter_state *st = seq->private;
- struct recent_table *t = st->table;
+ const struct recent_table *t = st->table;
struct recent_entry *e = v;
struct list_head *head = e->list.next;
@@ -360,7 +360,7 @@ static void recent_seq_stop(struct seq_file *s, void *v)
static int recent_seq_show(struct seq_file *seq, void *v)
{
- struct recent_entry *e = v;
+ const struct recent_entry *e = v;
unsigned int i;
i = (e->index - 1) % ip_pkt_list_tot;
@@ -395,7 +395,7 @@ static int recent_seq_open(struct inode *inode, struct file *file)
static ssize_t recent_proc_write(struct file *file, const char __user *input,
size_t size, loff_t *loff)
{
- struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
+ const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct recent_table *t = pde->data;
struct recent_entry *e;
char buf[sizeof("+255.255.255.255")], *c = buf;
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index dd07362..afdcd8d 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -150,9 +150,9 @@ find_appropriate_src(const struct nf_conntrack_tuple *tuple,
const struct nf_nat_range *range)
{
unsigned int h = hash_by_src(tuple);
- struct nf_conn_nat *nat;
- struct nf_conn *ct;
- struct hlist_node *n;
+ const struct nf_conn_nat *nat;
+ const struct nf_conn *ct;
+ const struct hlist_node *n;
rcu_read_lock();
hlist_for_each_entry_rcu(nat, n, &bysource[h], bysource) {
@@ -426,7 +426,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
struct icmphdr icmp;
struct iphdr ip;
} *inside;
- struct nf_conntrack_l4proto *l4proto;
+ const struct nf_conntrack_l4proto *l4proto;
struct nf_conntrack_tuple inner, target;
int hdrlen = ip_hdrlen(skb);
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index f8fda57..600f6d7 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -143,7 +143,7 @@ static bool ipt_snat_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct nf_nat_multi_range_compat *mr = targinfo;
+ const struct nf_nat_multi_range_compat *mr = targinfo;
/* Must be a valid range */
if (mr->rangesize != 1) {
@@ -159,7 +159,7 @@ static bool ipt_dnat_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct nf_nat_multi_range_compat *mr = targinfo;
+ const struct nf_nat_multi_range_compat *mr = targinfo;
/* Must be a valid range */
if (mr->rangesize != 1) {
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 540ce6a..0c695c0 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -219,7 +219,7 @@ static unsigned char asn1_length_decode(struct asn1_ctx *ctx,
if (ch < 0x80)
*len = ch;
else {
- cnt = (unsigned char) (ch & 0x7F);
+ cnt = ch & 0x7F;
*len = 0;
while (cnt > 0) {
@@ -617,8 +617,7 @@ struct snmp_cnv
int syntax;
};
-static struct snmp_cnv snmp_conv [] =
-{
+static const struct snmp_cnv snmp_conv[] = {
{ASN1_UNI, ASN1_NUL, SNMP_NULL},
{ASN1_UNI, ASN1_INT, SNMP_INTEGER},
{ASN1_UNI, ASN1_OTS, SNMP_OCTETSTR},
@@ -643,7 +642,7 @@ static unsigned char snmp_tag_cls2syntax(unsigned int tag,
unsigned int cls,
unsigned short *syntax)
{
- struct snmp_cnv *cnv;
+ const struct snmp_cnv *cnv;
cnv = snmp_conv;
@@ -903,7 +902,7 @@ static inline void mangle_address(unsigned char *begin,
u_int32_t old;
if (debug)
- memcpy(&old, (unsigned char *)addr, sizeof(old));
+ memcpy(&old, addr, sizeof(old));
*addr = map->to;
@@ -998,7 +997,7 @@ err_id_free:
*
*****************************************************************************/
-static void hex_dump(unsigned char *buf, size_t len)
+static void hex_dump(const unsigned char *buf, size_t len)
{
size_t i;
@@ -1079,7 +1078,7 @@ static int snmp_parse_mangle(unsigned char *msg,
if (cls != ASN1_CTX || con != ASN1_CON)
return 0;
if (debug > 1) {
- unsigned char *pdus[] = {
+ static const unsigned char *const pdus[] = {
[SNMP_PDU_GET] = "get",
[SNMP_PDU_NEXT] = "get-next",
[SNMP_PDU_RESPONSE] = "response",
@@ -1231,8 +1230,8 @@ static int help(struct sk_buff *skb, unsigned int protoff,
{
int dir = CTINFO2DIR(ctinfo);
unsigned int ret;
- struct iphdr *iph = ip_hdr(skb);
- struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl);
+ const struct iphdr *iph = ip_hdr(skb);
+ const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
/* SNMP replies and originating SNMP traps get mangled */
if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 99b2c78..9fba42d 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -30,8 +30,8 @@
#ifdef CONFIG_XFRM
static void nat_decode_session(struct sk_buff *skb, struct flowi *fl)
{
- struct nf_conn *ct;
- struct nf_conntrack_tuple *t;
+ const struct nf_conn *ct;
+ const struct nf_conntrack_tuple *t;
enum ip_conntrack_info ctinfo;
enum ip_conntrack_dir dir;
unsigned long statusbit;
@@ -189,7 +189,7 @@ nf_nat_out(unsigned int hooknum,
int (*okfn)(struct sk_buff *))
{
#ifdef CONFIG_XFRM
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
#endif
unsigned int ret;
@@ -223,7 +223,7 @@ nf_nat_local_fn(unsigned int hooknum,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
unsigned int ret;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index bf9bb6e..743b108 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -325,7 +325,7 @@ static void trace_packet(struct sk_buff *skb,
struct ip6t_entry *e)
{
void *table_base;
- struct ip6t_entry *root;
+ const struct ip6t_entry *root;
char *hookname, *chainname, *comment;
unsigned int rulenum = 0;
@@ -952,7 +952,7 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
(other than comefrom, which userspace doesn't care
@@ -979,9 +979,9 @@ copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct ip6t_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
counters = alloc_counters(table);
if (IS_ERR(counters))
@@ -1001,8 +1001,8 @@ copy_entries_to_user(unsigned int total_size,
/* ... then go back and fix counters and names */
for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
unsigned int i;
- struct ip6t_entry_match *m;
- struct ip6t_entry_target *t;
+ const struct ip6t_entry_match *m;
+ const struct ip6t_entry_target *t;
e = (struct ip6t_entry *)(loc_cpu_entry + off);
if (copy_to_user(userptr + off
@@ -1142,7 +1142,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"ip6table_%s", name);
if (t && !IS_ERR(t)) {
struct ip6t_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -1225,7 +1225,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
struct xt_table *t;
struct xt_table_info *oldinfo;
struct xt_counters *counters;
- void *loc_cpu_old_entry;
+ const void *loc_cpu_old_entry;
ret = 0;
counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
@@ -1369,9 +1369,9 @@ do_add_counters(struct net *net, void __user *user, unsigned int len,
int size;
void *ptmp;
struct xt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
struct compat_xt_counters_info compat_tmp;
@@ -1905,11 +1905,11 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
unsigned int i = 0;
counters = alloc_counters(table);
@@ -1956,7 +1956,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
xt_compat_lock(AF_INET6);
t = xt_find_table_lock(net, AF_INET6, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
ret = compat_table_info(private, &info);
@@ -2155,7 +2155,8 @@ icmp6_match(const struct sk_buff *skb,
unsigned int protoff,
bool *hotdrop)
{
- struct icmp6hdr _icmph, *ic;
+ const struct icmp6hdr *ic;
+ struct icmp6hdr _icmph;
const struct ip6t_icmp *icmpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index b23baa6..c779d76 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -41,7 +41,8 @@ static void send_reset(struct sk_buff *oldskb)
struct tcphdr otcph, *tcph;
unsigned int otcplen, hh_len;
int tcphoff, needs_ack;
- struct ipv6hdr *oip6h = ipv6_hdr(oldskb), *ip6h;
+ const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
+ struct ipv6hdr *ip6h;
struct dst_entry *dst = NULL;
u8 proto;
struct flowi fl;
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 3a94017..317a896 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -49,7 +49,8 @@ ipv6header_mt6(const struct sk_buff *skb, const struct net_device *in,
temp = 0;
while (ip6t_ext_hdr(nexthdr)) {
- struct ipv6_opt_hdr _hdr, *hp;
+ const struct ipv6_opt_hdr *hp;
+ struct ipv6_opt_hdr _hdr;
int hdrlen;
/* Is there enough space for the next ext header? */
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 12a9efe..81aaf7a 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -110,7 +110,8 @@ rt_mt6(const struct sk_buff *skb, const struct net_device *in,
!!(rtinfo->invflags & IP6T_RT_INV_TYP)));
if (ret && (rtinfo->flags & IP6T_RT_RES)) {
- u_int32_t *rp, _reserved;
+ const u_int32_t *rp;
+ u_int32_t _reserved;
rp = skb_header_pointer(skb,
ptr + offsetof(struct rt0_hdr,
reserved),
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 2a0d698..d4a42f0 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -103,8 +103,8 @@ struct ctl_table nf_ct_ipv6_sysctl_table[] = {
};
#endif
-static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
- struct in6_addr *daddr)
+static unsigned int ip6qhashfn(__be32 id, const struct in6_addr *saddr,
+ const struct in6_addr *daddr)
{
u32 a, b, c;
@@ -132,7 +132,7 @@ static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
static unsigned int nf_hashfn(struct inet_frag_queue *q)
{
- struct nf_ct_frag6_queue *nq;
+ const struct nf_ct_frag6_queue *nq;
nq = container_of(q, struct nf_ct_frag6_queue, q);
return ip6qhashfn(nq->id, &nq->saddr, &nq->daddr);
@@ -220,7 +220,7 @@ oom:
static int nf_ct_frag6_queue(struct nf_ct_frag6_queue *fq, struct sk_buff *skb,
- struct frag_hdr *fhdr, int nhoff)
+ const struct frag_hdr *fhdr, int nhoff)
{
struct sk_buff *prev, *next;
int offset, end;
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index 7b8239c..572eedf 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -53,7 +53,7 @@ enum amanda_strings {
};
static struct {
- char *string;
+ const char *string;
size_t len;
struct ts_config *ts;
} search[] __read_mostly = {
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 6770baf..e0a2877 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -350,8 +350,9 @@ static int help(struct sk_buff *skb,
enum ip_conntrack_info ctinfo)
{
unsigned int dataoff, datalen;
- struct tcphdr _tcph, *th;
- char *fb_ptr;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
+ const char *fb_ptr;
int ret;
u32 seq;
int dir = CTINFO2DIR(ctinfo);
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index b1fd21c..367e23c 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -125,7 +125,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
{
struct nf_conntrack_tuple_hash *h;
struct nf_conntrack_expect *exp;
- struct hlist_node *n, *next;
+ const struct hlist_node *n, *next;
unsigned int i;
mutex_lock(&nf_ct_helper_mutex);
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index c336b07..37a5ae5 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -50,7 +50,7 @@ MODULE_PARM_DESC(max_dcc_channels, "max number of expected DCC channels per "
module_param(dcc_timeout, uint, 0400);
MODULE_PARM_DESC(dcc_timeout, "timeout on for unestablished DCC channels");
-static const char *dccprotos[] = {
+static const char *const dccprotos[] = {
"SEND ", "CHAT ", "MOVE ", "TSEND ", "SCHAT "
};
@@ -65,7 +65,7 @@ static const char *dccprotos[] = {
* ad_beg_p returns pointer to first byte of addr data
* ad_end_p returns pointer to last byte of addr data
*/
-static int parse_dcc(char *data, char *data_end, u_int32_t *ip,
+static int parse_dcc(char *data, const char *data_end, u_int32_t *ip,
u_int16_t *port, char **ad_beg_p, char **ad_end_p)
{
/* at least 12: "AAAAAAAA P\1\n" */
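Review bot: `parse_dcc(char *data, const char *data_end, ...)` constifies `data_end` but leaves `data` non-const, presumably because `ad_beg_p`/`ad_end_p` are `char **` out-parameters that end up pointing into `data`; the comment block above only documents what those parameters return and not this constraint. A one-line addition to that comment, `* data is not const because ad_beg_p/ad_end_p point into it`, would stop the next constification pass from re-trying it. The function body continues outside the hunk.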
@@ -93,9 +93,11 @@ static int help(struct sk_buff *skb, unsigned int protoff,
struct nf_conn *ct, enum ip_conntrack_info ctinfo)
{
unsigned int dataoff;
- struct iphdr *iph;
- struct tcphdr _tcph, *th;
- char *data, *data_limit, *ib_ptr;
+ const struct iphdr *iph;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
+ const char *data_limit;
+ char *data, *ib_ptr;
int dir = CTINFO2DIR(ctinfo);
struct nf_conntrack_expect *exp;
struct nf_conntrack_tuple *tuple;
@@ -159,7 +161,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
/* we have at least
* (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
* data left (== 14/13 bytes) */
- if (parse_dcc((char *)data, data_limit, &dcc_ip,
+ if (parse_dcc(data, data_limit, &dcc_ip,
&dcc_port, &addr_beg_p, &addr_end_p)) {
pr_debug("unable to parse dcc command\n");
continue;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index a679208..4d74dff 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -58,7 +58,7 @@ static struct xt_af *xt;
#define duprintf(format, args...)
#endif
-static const char *xt_prefix[NPROTO] = {
+static const char *const xt_prefix[NPROTO] = {
[AF_INET] = "ip",
[AF_INET6] = "ip6",
[NF_ARP] = "arp",
@@ -248,7 +248,7 @@ EXPORT_SYMBOL_GPL(xt_request_find_target);
static int match_revfn(int af, const char *name, u8 revision, int *bestp)
{
- struct xt_match *m;
+ const struct xt_match *m;
int have_rev = 0;
list_for_each_entry(m, &xt[af].match, list) {
@@ -264,7 +264,7 @@ static int match_revfn(int af, const char *name, u8 revision, int *bestp)
static int target_revfn(int af, const char *name, u8 revision, int *bestp)
{
- struct xt_target *t;
+ const struct xt_target *t;
int have_rev = 0;
list_for_each_entry(t, &xt[af].target, list) {
@@ -385,7 +385,7 @@ short xt_compat_calc_jump(int af, unsigned int offset)
}
EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
-int xt_compat_match_offset(struct xt_match *match)
+int xt_compat_match_offset(const struct xt_match *match)
{
u_int16_t csize = match->compatsize ? : match->matchsize;
return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
@@ -395,7 +395,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_offset);
int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
unsigned int *size)
{
- struct xt_match *match = m->u.kernel.match;
+ const struct xt_match *match = m->u.kernel.match;
struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
int pad, off = xt_compat_match_offset(match);
u_int16_t msize = cm->u.user.match_size;
@@ -422,7 +422,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr,
unsigned int *size)
{
- struct xt_match *match = m->u.kernel.match;
+ const struct xt_match *match = m->u.kernel.match;
struct compat_xt_entry_match __user *cm = *dstptr;
int off = xt_compat_match_offset(match);
u_int16_t msize = m->u.user.match_size - off;
@@ -479,7 +479,7 @@ int xt_check_target(const struct xt_target *target, unsigned short family,
EXPORT_SYMBOL_GPL(xt_check_target);
#ifdef CONFIG_COMPAT
-int xt_compat_target_offset(struct xt_target *target)
+int xt_compat_target_offset(const struct xt_target *target)
{
u_int16_t csize = target->compatsize ? : target->targetsize;
return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
@@ -489,7 +489,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_offset);
void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
unsigned int *size)
{
- struct xt_target *target = t->u.kernel.target;
+ const struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
int pad, off = xt_compat_target_offset(target);
u_int16_t tsize = ct->u.user.target_size;
@@ -515,7 +515,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr,
unsigned int *size)
{
- struct xt_target *target = t->u.kernel.target;
+ const struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target __user *ct = *dstptr;
int off = xt_compat_target_offset(target);
u_int16_t tsize = t->u.user.target_size - off;
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 1faa913..211189e 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -55,7 +55,7 @@ static void secmark_save(const struct sk_buff *skb)
static void secmark_restore(struct sk_buff *skb)
{
if (!skb->secmark) {
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
ct = nf_ct_get(skb, &ctinfo);
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 24c73ba..64d6ad3 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -96,7 +96,7 @@ xt_rateest_tg_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct xt_rateest_target_info *info = (void *)targinfo;
+ struct xt_rateest_target_info *info = targinfo;
struct xt_rateest *est;
struct {
struct nlattr opt;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 3b01119..0ca9fe9 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -106,10 +106,10 @@ static int count_them(struct xt_connlimit_data *data,
const union nf_inet_addr *mask,
const struct xt_match *match)
{
- struct nf_conntrack_tuple_hash *found;
+ const struct nf_conntrack_tuple_hash *found;
struct xt_connlimit_conn *conn;
struct xt_connlimit_conn *tmp;
- struct nf_conn *found_ct;
+ const struct nf_conn *found_ct;
struct list_head *hash;
bool addit = true;
int matches = 0;
@@ -256,7 +256,7 @@ connlimit_mt_check(const char *tablename, const void *ip,
static void
connlimit_mt_destroy(const struct xt_match *match, void *matchinfo)
{
- struct xt_connlimit_info *info = matchinfo;
+ const struct xt_connlimit_info *info = matchinfo;
struct xt_connlimit_conn *conn;
struct xt_connlimit_conn *tmp;
struct list_head *hash = info->data->iphash;
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 667f45e..8b65221 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -98,7 +98,8 @@ dccp_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
const struct xt_dccp_info *info = matchinfo;
- struct dccp_hdr _dh, *dh;
+ const struct dccp_hdr *dh;
+ struct dccp_hdr _dh;
if (offset)
return false;
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 71c7c37..a133eb9 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -47,7 +47,8 @@ esp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct ip_esp_hdr _esp, *eh;
+ const struct ip_esp_hdr *eh;
+ struct ip_esp_hdr _esp;
const struct xt_esp *espinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 31daa81..fd88c48 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -100,7 +100,8 @@ multiport_mt_v0(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- __be16 _ports[2], *pptr;
+ const __be16 *pptr;
+ __be16 _ports[2];
const struct xt_multiport *multiinfo = matchinfo;
if (offset)
@@ -126,7 +127,8 @@ multiport_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- __be16 _ports[2], *pptr;
+ const __be16 *pptr;
+ __be16 _ports[2];
const struct xt_multiport_v1 *multiinfo = matchinfo;
if (offset)
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 9e918ad..d351582 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -136,7 +136,7 @@ policy_mt_check(const char *tablename, const void *ip_void,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
- struct xt_policy_info *info = matchinfo;
+ const struct xt_policy_info *info = matchinfo;
if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
printk(KERN_ERR "xt_policy: neither incoming nor "
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index fdb86a5..ebd84f1 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -86,7 +86,7 @@ static bool xt_rateest_mt_checkentry(const char *tablename,
void *matchinfo,
unsigned int hook_mask)
{
- struct xt_rateest_match_info *info = (void *)matchinfo;
+ struct xt_rateest_match_info *info = matchinfo;
struct xt_rateest *est1, *est2;
if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
@@ -130,7 +130,7 @@ err1:
static void xt_rateest_mt_destroy(const struct xt_match *match,
void *matchinfo)
{
- struct xt_rateest_match_info *info = (void *)matchinfo;
+ struct xt_rateest_match_info *info = matchinfo;
xt_rateest_put(info->est1);
if (info->est2)
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index b718ec6..e6e4681 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -46,7 +46,8 @@ match_packet(const struct sk_buff *skb,
bool *hotdrop)
{
u_int32_t chunkmapcopy[256 / sizeof (u_int32_t)];
- sctp_chunkhdr_t _sch, *sch;
+ const sctp_chunkhdr_t *sch;
+ sctp_chunkhdr_t _sch;
int chunk_match_type = info->chunk_match_type;
const struct xt_sctp_flag_info *flag_info = info->flag_info;
int flag_count = info->flag_count;
@@ -121,7 +122,8 @@ sctp_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
const struct xt_sctp_info *info = matchinfo;
- sctp_sctphdr_t _sh, *sh;
+ const sctp_sctphdr_t *sh;
+ sctp_sctphdr_t _sh;
if (offset) {
duprintf("Dropping non-first fragment.. FIXME\n");
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index d7a5b27..6771bf0 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -31,9 +31,11 @@ tcpmss_mt(const struct sk_buff *skb, const struct net_device *in,
bool *hotdrop)
{
const struct xt_tcpmss_match_info *info = matchinfo;
- struct tcphdr _tcph, *th;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
- u8 _opt[15 * 4 - sizeof(_tcph)], *op;
+ const u_int8_t *op;
+ u8 _opt[15 * 4 - sizeof(_tcph)];
unsigned int i, optlen;
/* If we don't have the whole header, drop packet. */
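Review bot: `const u_int8_t *op;` introduces a different spelling of the byte type than the adjacent `u8 _opt[15 * 4 - sizeof(_tcph)];` it points into, and than the `u8` the removed line used for both. Keep the kernel spelling in this declaration block, `const u8 *op;`. tcpmss_mt's body continues outside the hunk.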
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 4fa3b66..951b06b 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -42,7 +42,8 @@ tcp_find_option(u_int8_t option,
bool *hotdrop)
{
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
- u_int8_t _opt[60 - sizeof(struct tcphdr)], *op;
+ const u_int8_t *op;
+ u_int8_t _opt[60 - sizeof(struct tcphdr)];
unsigned int i;
duprintf("tcp_match: finding option\n");
@@ -72,7 +73,8 @@ tcp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct tcphdr _tcph, *th;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
const struct xt_tcp *tcpinfo = matchinfo;
if (offset) {
@@ -144,7 +146,8 @@ udp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct udphdr _udph, *uh;
+ const struct udphdr *uh;
+ struct udphdr _udph;
const struct xt_udp *udpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index e9a8794..41297d0 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -220,7 +220,7 @@ time_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
- struct xt_time_info *info = matchinfo;
+ const struct xt_time_info *info = matchinfo;
if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
info->daytime_stop > XT_TIME_MAX_DAYTIME) {
^ permalink raw reply related [flat|nested] 27+ messages in thread* Re: [00/..] patches patches!
2008-02-01 12:49 ` [00/..] " Jan Engelhardt
@ 2008-02-02 11:42 ` Jan Engelhardt
From: Jan Engelhardt @ 2008-02-02 11:42 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
On Feb 1 2008 13:49, Jan Engelhardt wrote:
>
>> The constifying is no big deal I guess, but could
>> you combine all of these in one big patch please? The remaining
>> fixes are obviously fine, also the patches fixing non-released
>> features. Everything else will have to wait for 2.6.26, but I
>> can queue it for you.
>
>01-04 combo below.
Ok so?
===
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Jan 25 20:52:56 2008 +0100
[NETFILTER]: Annotate a few more places with const and remove casts
- xtables targets
- {arp,ip,ip6,x}tables
- rest of nf_conntrack_* files
- rest of nf_nat_* files
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b2c62cc..2326296 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -430,13 +430,13 @@ extern int xt_compat_add_offset(int af, unsigned int offset, short delta);
extern void xt_compat_flush_offsets(int af);
extern short xt_compat_calc_jump(int af, unsigned int offset);
-extern int xt_compat_match_offset(struct xt_match *match);
+extern int xt_compat_match_offset(const struct xt_match *match);
extern int xt_compat_match_from_user(struct xt_entry_match *m,
void **dstptr, unsigned int *size);
extern int xt_compat_match_to_user(struct xt_entry_match *m,
void __user **dstptr, unsigned int *size);
-extern int xt_compat_target_offset(struct xt_target *target);
+extern int xt_compat_target_offset(const struct xt_target *target);
extern void xt_compat_target_from_user(struct xt_entry_target *t,
void **dstptr, unsigned int *size);
extern int xt_compat_target_to_user(struct xt_entry_target *t,
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index a7591ce..4191588 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -59,7 +59,7 @@ do { \
#endif
static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
- char *hdr_addr, int len)
+ const char *hdr_addr, int len)
{
int i, ret;
@@ -80,8 +80,8 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
const char *outdev,
const struct arpt_arp *arpinfo)
{
- char *arpptr = (char *)(arphdr + 1);
- char *src_devaddr, *tgt_devaddr;
+ const char *arpptr = (char *)(arphdr + 1);
+ const char *src_devaddr, *tgt_devaddr;
__be32 src_ipaddr, tgt_ipaddr;
int i, ret;
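Review bot: `const char *arpptr = (char *)(arphdr + 1);` still casts to a non-const `char *` although `arphdr` is `const struct arphdr *` and the result is stored in a `const char *`, so the cast strips a qualifier only for it to be re-added implicitly. Since this series is about removing needless casts and casts away from const, spell it `const char *arpptr = (const char *)(arphdr + 1);`. arp_packet_match's body continues outside the hunk.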
@@ -226,12 +226,12 @@ unsigned int arpt_do_table(struct sk_buff *skb,
{
static const char nulldevname[IFNAMSIZ];
unsigned int verdict = NF_DROP;
- struct arphdr *arp;
+ const struct arphdr *arp;
bool hotdrop = false;
struct arpt_entry *e, *back;
- const char *indev, *outdev;
+ const const char *indev, *outdev;
void *table_base;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
/* ARP header, plus 2 device addresses, plus 2 IP addresses. */
if (!pskb_may_pull(skb, (sizeof(struct arphdr) +
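Review bot: `const const char *indev, *outdev;` carries a duplicated qualifier; C99 tolerates repeated qualifiers, but it reads as a typo and GCC's -Wduplicate-decl-specifier flags it. The removed line already had a single `const`, so this hunk should leave it as `const char *indev, *outdev;`. arpt_do_table's body continues outside the hunk.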
@@ -355,7 +355,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
e->counters.pcnt = pos;
for (;;) {
- struct arpt_standard_target *t
+ const struct arpt_standard_target *t
= (void *)arpt_get_target(e);
int visited = e->comefrom & (1 << hook);
@@ -440,7 +440,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
static inline int check_entry(struct arpt_entry *e, const char *name)
{
- struct arpt_entry_target *t;
+ const struct arpt_entry_target *t;
if (!arp_checkentry(&e->arp)) {
duprintf("arp_tables: arp check failed %p %s.\n", e, name);
@@ -713,7 +713,7 @@ static inline struct xt_counters *alloc_counters(struct arpt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
* (other than comefrom, which userspace doesn't care
@@ -740,7 +740,7 @@ static int copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct arpt_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
void *loc_cpu_entry;
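Review bot: `void *loc_cpu_entry;` stays non-const here while the corresponding copy_entries_to_user hunks in ip_tables.c and ip6_tables.c in this same series change it to `const void *loc_cpu_entry;`. If the arp_tables loop only reads entries through it, as the ip/ip6 versions apparently do, the declaration should match them, `const void *loc_cpu_entry;`. The function body continues outside the hunk, so I cannot confirm the read-only use from here.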
@@ -875,7 +875,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"arptable_%s", name);
if (t && !IS_ERR(t)) {
struct arpt_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -930,7 +930,8 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
t = xt_find_table_lock(net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
+
duprintf("t->private->number = %u\n",
private->number);
if (get.size == private->size)
@@ -1090,11 +1091,11 @@ static int do_add_counters(struct net *net, void __user *user, unsigned int len,
struct xt_counters_info tmp;
struct xt_counters *paddc;
unsigned int num_counters;
- char *name;
+ const char *name;
int size;
void *ptmp;
struct arpt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
@@ -1561,7 +1562,7 @@ static int compat_copy_entries_to_user(unsigned int total_size,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
@@ -1612,7 +1613,7 @@ static int compat_get_entries(struct net *net,
xt_compat_lock(NF_ARP);
t = xt_find_table_lock(net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 45fa4e2..10517d6 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -15,7 +15,7 @@ target(struct sk_buff *skb,
const void *targinfo)
{
const struct arpt_mangle *mangle = targinfo;
- struct arphdr *arp;
+ const struct arphdr *arp;
unsigned char *arpptr;
int pln, hln;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 600737f..eb3ec74 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -296,7 +296,7 @@ static void trace_packet(struct sk_buff *skb,
struct ipt_entry *e)
{
void *table_base;
- struct ipt_entry *root;
+ const struct ipt_entry *root;
char *hookname, *chainname, *comment;
unsigned int rulenum = 0;
@@ -327,7 +327,7 @@ ipt_do_table(struct sk_buff *skb,
{
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
u_int16_t offset;
- struct iphdr *ip;
+ const struct iphdr *ip;
u_int16_t datalen;
bool hotdrop = false;
/* Initializing verdict to NF_DROP keeps gcc happy. */
@@ -926,7 +926,7 @@ static struct xt_counters * alloc_counters(struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
(other than comefrom, which userspace doesn't care
@@ -953,9 +953,9 @@ copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct ipt_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
counters = alloc_counters(table);
if (IS_ERR(counters))
@@ -975,8 +975,8 @@ copy_entries_to_user(unsigned int total_size,
/* ... then go back and fix counters and names */
for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
unsigned int i;
- struct ipt_entry_match *m;
- struct ipt_entry_target *t;
+ const struct ipt_entry_match *m;
+ const struct ipt_entry_target *t;
e = (struct ipt_entry *)(loc_cpu_entry + off);
if (copy_to_user(userptr + off
@@ -1116,7 +1116,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"iptable_%s", name);
if (t && !IS_ERR(t)) {
struct ipt_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -1172,7 +1172,7 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len)
t = xt_find_table_lock(net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
duprintf("t->private->number = %u\n", private->number);
if (get.size == private->size)
ret = copy_entries_to_user(private->size,
@@ -1337,11 +1337,11 @@ do_add_counters(struct net *net, void __user *user, unsigned int len, int compat
struct xt_counters_info tmp;
struct xt_counters *paddc;
unsigned int num_counters;
- char *name;
+ const char *name;
int size;
void *ptmp;
struct xt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
@@ -1878,11 +1878,11 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
unsigned int i = 0;
counters = alloc_counters(table);
@@ -1929,7 +1929,7 @@ compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
xt_compat_lock(AF_INET);
t = xt_find_table_lock(net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
ret = compat_table_info(private, &info);
@@ -2130,7 +2130,8 @@ icmp_match(const struct sk_buff *skb,
unsigned int protoff,
bool *hotdrop)
{
- struct icmphdr _icmph, *ic;
+ const struct icmphdr *ic;
+ struct icmphdr _icmph;
const struct ipt_icmp *icmpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index c6cf84c..b8c793c 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -142,7 +142,7 @@ clusterip_config_init_nodelist(struct clusterip_config *c,
}
static struct clusterip_config *
-clusterip_config_init(struct ipt_clusterip_tgt_info *i, __be32 ip,
+clusterip_config_init(const struct ipt_clusterip_tgt_info *i, __be32 ip,
struct net_device *dev)
{
struct clusterip_config *c;
@@ -417,7 +417,7 @@ clusterip_tg_check(const char *tablename, const void *e_void,
/* drop reference count of cluster config when rule is deleted */
static void clusterip_tg_destroy(const struct xt_target *target, void *targinfo)
{
- struct ipt_clusterip_tgt_info *cipinfo = targinfo;
+ const struct ipt_clusterip_tgt_info *cipinfo = targinfo;
/* if no more entries are referencing the config, remove it
* from the list and destroy the proc entry */
@@ -566,7 +566,7 @@ struct clusterip_seq_position {
static void *clusterip_seq_start(struct seq_file *s, loff_t *pos)
{
- struct proc_dir_entry *pde = s->private;
+ const struct proc_dir_entry *pde = s->private;
struct clusterip_config *c = pde->data;
unsigned int weight;
u_int32_t local_nodes;
@@ -593,7 +593,7 @@ static void *clusterip_seq_start(struct seq_file *s, loff_t *pos)
static void *clusterip_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct clusterip_seq_position *idx = (struct clusterip_seq_position *)v;
+ struct clusterip_seq_position *idx = v;
*pos = ++idx->pos;
if (*pos >= idx->weight) {
@@ -612,7 +612,7 @@ static void clusterip_seq_stop(struct seq_file *s, void *v)
static int clusterip_seq_show(struct seq_file *s, void *v)
{
- struct clusterip_seq_position *idx = (struct clusterip_seq_position *)v;
+ struct clusterip_seq_position *idx = v;
if (idx->pos != 0)
seq_putc(s, ',');
@@ -668,7 +668,7 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
{
#define PROC_WRITELEN 10
char buffer[PROC_WRITELEN+1];
- struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
+ const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct clusterip_config *c = pde->data;
unsigned long nodenum;
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 21395bc..d60139c 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -100,7 +100,7 @@ ecn_tg_check(const char *tablename, const void *e_void,
const struct xt_target *target, void *targinfo,
unsigned int hook_mask)
{
- const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
+ const struct ipt_ECN_info *einfo = targinfo;
const struct ipt_entry *e = e_void;
if (einfo->operation & IPT_ECN_OP_MASK) {
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index b38d785..77300e9 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -76,7 +76,8 @@ static void dump_packet(const struct nf_loginfo *info,
if ((logflags & IPT_LOG_IPOPT)
&& ih->ihl * 4 > sizeof(struct iphdr)) {
- unsigned char _opt[4 * 15 - sizeof(struct iphdr)], *op;
+ const unsigned char *op;
+ unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
unsigned int i, optsize;
optsize = ih->ihl * 4 - sizeof(struct iphdr);
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 22606e2..2639872 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -35,8 +35,10 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4");
static void send_reset(struct sk_buff *oldskb, int hook)
{
struct sk_buff *nskb;
- struct iphdr *oiph, *niph;
- struct tcphdr _otcph, *oth, *tcph;
+ const struct iphdr *oiph;
+ struct iphdr *niph;
+ const struct tcphdr *oth;
+ struct tcphdr _otcph, *tcph;
unsigned int addr_type;
/* IP header checks: fragment. */
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 68cbe3c..f2142b7 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -339,7 +339,7 @@ static void *recent_seq_start(struct seq_file *seq, loff_t *pos)
static void *recent_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
struct recent_iter_state *st = seq->private;
- struct recent_table *t = st->table;
+ const struct recent_table *t = st->table;
struct recent_entry *e = v;
struct list_head *head = e->list.next;
@@ -360,7 +360,7 @@ static void recent_seq_stop(struct seq_file *s, void *v)
static int recent_seq_show(struct seq_file *seq, void *v)
{
- struct recent_entry *e = v;
+ const struct recent_entry *e = v;
unsigned int i;
i = (e->index - 1) % ip_pkt_list_tot;
@@ -395,7 +395,7 @@ static int recent_seq_open(struct inode *inode, struct file *file)
static ssize_t recent_proc_write(struct file *file, const char __user *input,
size_t size, loff_t *loff)
{
- struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
+ const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct recent_table *t = pde->data;
struct recent_entry *e;
char buf[sizeof("+255.255.255.255")], *c = buf;
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index dd07362..afdcd8d 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -150,9 +150,9 @@ find_appropriate_src(const struct nf_conntrack_tuple *tuple,
const struct nf_nat_range *range)
{
unsigned int h = hash_by_src(tuple);
- struct nf_conn_nat *nat;
- struct nf_conn *ct;
- struct hlist_node *n;
+ const struct nf_conn_nat *nat;
+ const struct nf_conn *ct;
+ const struct hlist_node *n;
rcu_read_lock();
hlist_for_each_entry_rcu(nat, n, &bysource[h], bysource) {
@@ -426,7 +426,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
struct icmphdr icmp;
struct iphdr ip;
} *inside;
- struct nf_conntrack_l4proto *l4proto;
+ const struct nf_conntrack_l4proto *l4proto;
struct nf_conntrack_tuple inner, target;
int hdrlen = ip_hdrlen(skb);
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index f8fda57..600f6d7 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -143,7 +143,7 @@ static bool ipt_snat_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct nf_nat_multi_range_compat *mr = targinfo;
+ const struct nf_nat_multi_range_compat *mr = targinfo;
/* Must be a valid range */
if (mr->rangesize != 1) {
@@ -159,7 +159,7 @@ static bool ipt_dnat_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct nf_nat_multi_range_compat *mr = targinfo;
+ const struct nf_nat_multi_range_compat *mr = targinfo;
/* Must be a valid range */
if (mr->rangesize != 1) {
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 540ce6a..0c695c0 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -219,7 +219,7 @@ static unsigned char asn1_length_decode(struct asn1_ctx *ctx,
if (ch < 0x80)
*len = ch;
else {
- cnt = (unsigned char) (ch & 0x7F);
+ cnt = ch & 0x7F;
*len = 0;
while (cnt > 0) {
@@ -617,8 +617,7 @@ struct snmp_cnv
int syntax;
};
-static struct snmp_cnv snmp_conv [] =
-{
+static const struct snmp_cnv snmp_conv[] = {
{ASN1_UNI, ASN1_NUL, SNMP_NULL},
{ASN1_UNI, ASN1_INT, SNMP_INTEGER},
{ASN1_UNI, ASN1_OTS, SNMP_OCTETSTR},
@@ -643,7 +642,7 @@ static unsigned char snmp_tag_cls2syntax(unsigned int tag,
unsigned int cls,
unsigned short *syntax)
{
- struct snmp_cnv *cnv;
+ const struct snmp_cnv *cnv;
cnv = snmp_conv;
@@ -903,7 +902,7 @@ static inline void mangle_address(unsigned char *begin,
u_int32_t old;
if (debug)
- memcpy(&old, (unsigned char *)addr, sizeof(old));
+ memcpy(&old, addr, sizeof(old));
*addr = map->to;
@@ -998,7 +997,7 @@ err_id_free:
*
*****************************************************************************/
-static void hex_dump(unsigned char *buf, size_t len)
+static void hex_dump(const unsigned char *buf, size_t len)
{
size_t i;
@@ -1079,7 +1078,7 @@ static int snmp_parse_mangle(unsigned char *msg,
if (cls != ASN1_CTX || con != ASN1_CON)
return 0;
if (debug > 1) {
- unsigned char *pdus[] = {
+ static const unsigned char *const pdus[] = {
[SNMP_PDU_GET] = "get",
[SNMP_PDU_NEXT] = "get-next",
[SNMP_PDU_RESPONSE] = "response",
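Review bot: `static const unsigned char *const pdus[]` is initialized from string literals, whose type is `char[]`, so every element initializer is a pointer-sign mismatch that the kernel's `-Wno-pointer-sign` merely hides. Since the commit already rewrites this line, `static const char *const pdus[] = {` matches the initializers with no other change needed, assuming the consumers (outside the hunk) print it as a string. Making the table `static const` is a good move on its own: the original automatic array was rebuilt on the stack on every call that reached the `debug > 1` branch.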
@@ -1231,8 +1230,8 @@ static int help(struct sk_buff *skb, unsigned int protoff,
{
int dir = CTINFO2DIR(ctinfo);
unsigned int ret;
- struct iphdr *iph = ip_hdr(skb);
- struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl);
+ const struct iphdr *iph = ip_hdr(skb);
+ const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
/* SNMP replies and originating SNMP traps get mangled */
if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
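Review bot: The new `udph` initializer still casts through `(__be32 *)` and `(struct udphdr *)`, which strips the const that `iph` gains on the line above, so the qualifier is decorative on the only access path that derives from it. Explicit casts may drop qualifiers, so the compiler is silent, but the read-only intent is carried through cleanly as `const struct udphdr *udph = (const struct udphdr *)((const __be32 *)iph + iph->ihl);`. The ihl-based offset itself is pre-existing and help()'s body continues outside the hunk.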
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 99b2c78..9fba42d 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -30,8 +30,8 @@
#ifdef CONFIG_XFRM
static void nat_decode_session(struct sk_buff *skb, struct flowi *fl)
{
- struct nf_conn *ct;
- struct nf_conntrack_tuple *t;
+ const struct nf_conn *ct;
+ const struct nf_conntrack_tuple *t;
enum ip_conntrack_info ctinfo;
enum ip_conntrack_dir dir;
unsigned long statusbit;
@@ -189,7 +189,7 @@ nf_nat_out(unsigned int hooknum,
int (*okfn)(struct sk_buff *))
{
#ifdef CONFIG_XFRM
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
#endif
unsigned int ret;
@@ -223,7 +223,7 @@ nf_nat_local_fn(unsigned int hooknum,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
unsigned int ret;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index bf9bb6e..743b108 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -325,7 +325,7 @@ static void trace_packet(struct sk_buff *skb,
struct ip6t_entry *e)
{
void *table_base;
- struct ip6t_entry *root;
+ const struct ip6t_entry *root;
char *hookname, *chainname, *comment;
unsigned int rulenum = 0;
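Review bot: `root` gains const, but `char *hookname, *chainname, *comment;` on the next line stay writable pointers, which reads inconsistently in a commit whose whole point is const annotation. If these are only ever assigned from string tables (their assignments are outside the hunk), `const char *hookname, *chainname, *comment;` belongs in the same change; if one of them is written through, a short comment saying so would explain the asymmetry. trace_packet's body continues past the hunk.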
@@ -952,7 +952,7 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
(other than comefrom, which userspace doesn't care
@@ -979,9 +979,9 @@ copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct ip6t_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
counters = alloc_counters(table);
if (IS_ERR(counters))
@@ -1001,8 +1001,8 @@ copy_entries_to_user(unsigned int total_size,
/* ... then go back and fix counters and names */
for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
unsigned int i;
- struct ip6t_entry_match *m;
- struct ip6t_entry_target *t;
+ const struct ip6t_entry_match *m;
+ const struct ip6t_entry_target *t;
e = (struct ip6t_entry *)(loc_cpu_entry + off);
if (copy_to_user(userptr + off
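Review bot: `e = (struct ip6t_entry *)(loc_cpu_entry + off);` casts away the const that the -979 hunk adds to `loc_cpu_entry`, so the qualifier documents nothing on the path that actually dereferences the buffer. If `e` is only read in this loop (its uses after `copy_to_user` are outside the hunk), declare it `const struct ip6t_entry *e;` and cast to `(const struct ip6t_entry *)` instead; if it is written through, the `const void *` on loc_cpu_entry is misleading and should not be added. The same `const void *loc_cpu_entry` / `loc_cpu_old_entry` declarations appear in the -1225, -1369 and -1905 hunks, where the matching casts are not visible here; the same check applies wherever they are cast back to entry pointers.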
@@ -1142,7 +1142,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"ip6table_%s", name);
if (t && !IS_ERR(t)) {
struct ip6t_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -1225,7 +1225,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
struct xt_table *t;
struct xt_table_info *oldinfo;
struct xt_counters *counters;
- void *loc_cpu_old_entry;
+ const void *loc_cpu_old_entry;
ret = 0;
counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
@@ -1369,9 +1369,9 @@ do_add_counters(struct net *net, void __user *user, unsigned int len,
int size;
void *ptmp;
struct xt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
struct compat_xt_counters_info compat_tmp;
@@ -1905,11 +1905,11 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
unsigned int i = 0;
counters = alloc_counters(table);
@@ -1956,7 +1956,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
xt_compat_lock(AF_INET6);
t = xt_find_table_lock(net, AF_INET6, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
ret = compat_table_info(private, &info);
@@ -2155,7 +2155,8 @@ icmp6_match(const struct sk_buff *skb,
unsigned int protoff,
bool *hotdrop)
{
- struct icmp6hdr _icmph, *ic;
+ const struct icmp6hdr *ic;
+ struct icmp6hdr _icmph;
const struct ip6t_icmp *icmpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index b23baa6..c779d76 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -41,7 +41,8 @@ static void send_reset(struct sk_buff *oldskb)
struct tcphdr otcph, *tcph;
unsigned int otcplen, hh_len;
int tcphoff, needs_ack;
- struct ipv6hdr *oip6h = ipv6_hdr(oldskb), *ip6h;
+ const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
+ struct ipv6hdr *ip6h;
struct dst_entry *dst = NULL;
u8 proto;
struct flowi fl;
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 3a94017..317a896 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -49,7 +49,8 @@ ipv6header_mt6(const struct sk_buff *skb, const struct net_device *in,
temp = 0;
while (ip6t_ext_hdr(nexthdr)) {
- struct ipv6_opt_hdr _hdr, *hp;
+ const struct ipv6_opt_hdr *hp;
+ struct ipv6_opt_hdr _hdr;
int hdrlen;
/* Is there enough space for the next ext header? */
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 12a9efe..81aaf7a 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -110,7 +110,8 @@ rt_mt6(const struct sk_buff *skb, const struct net_device *in,
!!(rtinfo->invflags & IP6T_RT_INV_TYP)));
if (ret && (rtinfo->flags & IP6T_RT_RES)) {
- u_int32_t *rp, _reserved;
+ const u_int32_t *rp;
+ u_int32_t _reserved;
rp = skb_header_pointer(skb,
ptr + offsetof(struct rt0_hdr,
reserved),
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 2a0d698..d4a42f0 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -103,8 +103,8 @@ struct ctl_table nf_ct_ipv6_sysctl_table[] = {
};
#endif
-static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
- struct in6_addr *daddr)
+static unsigned int ip6qhashfn(__be32 id, const struct in6_addr *saddr,
+ const struct in6_addr *daddr)
{
u32 a, b, c;
@@ -132,7 +132,7 @@ static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
static unsigned int nf_hashfn(struct inet_frag_queue *q)
{
- struct nf_ct_frag6_queue *nq;
+ const struct nf_ct_frag6_queue *nq;
nq = container_of(q, struct nf_ct_frag6_queue, q);
return ip6qhashfn(nq->id, &nq->saddr, &nq->daddr);
@@ -220,7 +220,7 @@ oom:
static int nf_ct_frag6_queue(struct nf_ct_frag6_queue *fq, struct sk_buff *skb,
- struct frag_hdr *fhdr, int nhoff)
+ const struct frag_hdr *fhdr, int nhoff)
{
struct sk_buff *prev, *next;
int offset, end;
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index 7b8239c..572eedf 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -53,7 +53,7 @@ enum amanda_strings {
};
static struct {
- char *string;
+ const char *string;
size_t len;
struct ts_config *ts;
} search[] __read_mostly = {
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 6770baf..e0a2877 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -350,8 +350,9 @@ static int help(struct sk_buff *skb,
enum ip_conntrack_info ctinfo)
{
unsigned int dataoff, datalen;
- struct tcphdr _tcph, *th;
- char *fb_ptr;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
+ const char *fb_ptr;
int ret;
u32 seq;
int dir = CTINFO2DIR(ctinfo);
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index b1fd21c..367e23c 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -125,7 +125,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
{
struct nf_conntrack_tuple_hash *h;
struct nf_conntrack_expect *exp;
- struct hlist_node *n, *next;
+ const struct hlist_node *n, *next;
unsigned int i;
mutex_lock(&nf_ct_helper_mutex);
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index c336b07..37a5ae5 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -50,7 +50,7 @@ MODULE_PARM_DESC(max_dcc_channels, "max number of expected DCC channels per "
module_param(dcc_timeout, uint, 0400);
MODULE_PARM_DESC(dcc_timeout, "timeout on for unestablished DCC channels");
-static const char *dccprotos[] = {
+static const char *const dccprotos[] = {
"SEND ", "CHAT ", "MOVE ", "TSEND ", "SCHAT "
};
@@ -65,7 +65,7 @@ static const char *dccprotos[] = {
* ad_beg_p returns pointer to first byte of addr data
* ad_end_p returns pointer to last byte of addr data
*/
-static int parse_dcc(char *data, char *data_end, u_int32_t *ip,
+static int parse_dcc(char *data, const char *data_end, u_int32_t *ip,
u_int16_t *port, char **ad_beg_p, char **ad_end_p)
{
/* at least 12: "AAAAAAAA P\1\n" */
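Review bot: The new prototype leaves `data` non-const while `data_end` becomes `const char *`, and nothing says why the two ends of the same buffer differ in qualification. The reason is visible in the comment just above: `ad_beg_p`/`ad_end_p` hand back pointers into `data`, so `data` cannot be `const char *` unless those out-parameters become `const char **`. A one-line comment on the prototype, `/* data stays non-const only because ad_beg_p/ad_end_p point back into it */`, would stop the next reader from "fixing" the asymmetry. The body of parse_dcc continues outside the hunk.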
@@ -93,9 +93,11 @@ static int help(struct sk_buff *skb, unsigned int protoff,
struct nf_conn *ct, enum ip_conntrack_info ctinfo)
{
unsigned int dataoff;
- struct iphdr *iph;
- struct tcphdr _tcph, *th;
- char *data, *data_limit, *ib_ptr;
+ const struct iphdr *iph;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
+ const char *data_limit;
+ char *data, *ib_ptr;
int dir = CTINFO2DIR(ctinfo);
struct nf_conntrack_expect *exp;
struct nf_conntrack_tuple *tuple;
@@ -159,7 +161,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
/* we have at least
* (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
* data left (== 14/13 bytes) */
- if (parse_dcc((char *)data, data_limit, &dcc_ip,
+ if (parse_dcc(data, data_limit, &dcc_ip,
&dcc_port, &addr_beg_p, &addr_end_p)) {
pr_debug("unable to parse dcc command\n");
continue;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index a679208..4d74dff 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -58,7 +58,7 @@ static struct xt_af *xt;
#define duprintf(format, args...)
#endif
-static const char *xt_prefix[NPROTO] = {
+static const char *const xt_prefix[NPROTO] = {
[AF_INET] = "ip",
[AF_INET6] = "ip6",
[NF_ARP] = "arp",
@@ -248,7 +248,7 @@ EXPORT_SYMBOL_GPL(xt_request_find_target);
static int match_revfn(int af, const char *name, u8 revision, int *bestp)
{
- struct xt_match *m;
+ const struct xt_match *m;
int have_rev = 0;
list_for_each_entry(m, &xt[af].match, list) {
@@ -264,7 +264,7 @@ static int match_revfn(int af, const char *name, u8 revision, int *bestp)
static int target_revfn(int af, const char *name, u8 revision, int *bestp)
{
- struct xt_target *t;
+ const struct xt_target *t;
int have_rev = 0;
list_for_each_entry(t, &xt[af].target, list) {
@@ -385,7 +385,7 @@ short xt_compat_calc_jump(int af, unsigned int offset)
}
EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
-int xt_compat_match_offset(struct xt_match *match)
+int xt_compat_match_offset(const struct xt_match *match)
{
u_int16_t csize = match->compatsize ? : match->matchsize;
return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
@@ -395,7 +395,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_offset);
int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
unsigned int *size)
{
- struct xt_match *match = m->u.kernel.match;
+ const struct xt_match *match = m->u.kernel.match;
struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
int pad, off = xt_compat_match_offset(match);
u_int16_t msize = cm->u.user.match_size;
@@ -422,7 +422,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr,
unsigned int *size)
{
- struct xt_match *match = m->u.kernel.match;
+ const struct xt_match *match = m->u.kernel.match;
struct compat_xt_entry_match __user *cm = *dstptr;
int off = xt_compat_match_offset(match);
u_int16_t msize = m->u.user.match_size - off;
@@ -479,7 +479,7 @@ int xt_check_target(const struct xt_target *target, unsigned short family,
EXPORT_SYMBOL_GPL(xt_check_target);
#ifdef CONFIG_COMPAT
-int xt_compat_target_offset(struct xt_target *target)
+int xt_compat_target_offset(const struct xt_target *target)
{
u_int16_t csize = target->compatsize ? : target->targetsize;
return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
@@ -489,7 +489,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_offset);
void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
unsigned int *size)
{
- struct xt_target *target = t->u.kernel.target;
+ const struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
int pad, off = xt_compat_target_offset(target);
u_int16_t tsize = ct->u.user.target_size;
@@ -515,7 +515,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr,
unsigned int *size)
{
- struct xt_target *target = t->u.kernel.target;
+ const struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target __user *ct = *dstptr;
int off = xt_compat_target_offset(target);
u_int16_t tsize = t->u.user.target_size - off;
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 1faa913..211189e 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -55,7 +55,7 @@ static void secmark_save(const struct sk_buff *skb)
static void secmark_restore(struct sk_buff *skb)
{
if (!skb->secmark) {
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
ct = nf_ct_get(skb, &ctinfo);
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 24c73ba..64d6ad3 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -96,7 +96,7 @@ xt_rateest_tg_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct xt_rateest_target_info *info = (void *)targinfo;
+ struct xt_rateest_target_info *info = targinfo;
struct xt_rateest *est;
struct {
struct nlattr opt;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 3b01119..0ca9fe9 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -106,10 +106,10 @@ static int count_them(struct xt_connlimit_data *data,
const union nf_inet_addr *mask,
const struct xt_match *match)
{
- struct nf_conntrack_tuple_hash *found;
+ const struct nf_conntrack_tuple_hash *found;
struct xt_connlimit_conn *conn;
struct xt_connlimit_conn *tmp;
- struct nf_conn *found_ct;
+ const struct nf_conn *found_ct;
struct list_head *hash;
bool addit = true;
int matches = 0;
@@ -256,7 +256,7 @@ connlimit_mt_check(const char *tablename, const void *ip,
static void
connlimit_mt_destroy(const struct xt_match *match, void *matchinfo)
{
- struct xt_connlimit_info *info = matchinfo;
+ const struct xt_connlimit_info *info = matchinfo;
struct xt_connlimit_conn *conn;
struct xt_connlimit_conn *tmp;
struct list_head *hash = info->data->iphash;
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 667f45e..8b65221 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -98,7 +98,8 @@ dccp_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
const struct xt_dccp_info *info = matchinfo;
- struct dccp_hdr _dh, *dh;
+ const struct dccp_hdr *dh;
+ struct dccp_hdr _dh;
if (offset)
return false;
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 71c7c37..a133eb9 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -47,7 +47,8 @@ esp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct ip_esp_hdr _esp, *eh;
+ const struct ip_esp_hdr *eh;
+ struct ip_esp_hdr _esp;
const struct xt_esp *espinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 31daa81..fd88c48 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -100,7 +100,8 @@ multiport_mt_v0(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- __be16 _ports[2], *pptr;
+ const __be16 *pptr;
+ __be16 _ports[2];
const struct xt_multiport *multiinfo = matchinfo;
if (offset)
@@ -126,7 +127,8 @@ multiport_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- __be16 _ports[2], *pptr;
+ const __be16 *pptr;
+ __be16 _ports[2];
const struct xt_multiport_v1 *multiinfo = matchinfo;
if (offset)
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 9e918ad..d351582 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -136,7 +136,7 @@ policy_mt_check(const char *tablename, const void *ip_void,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
- struct xt_policy_info *info = matchinfo;
+ const struct xt_policy_info *info = matchinfo;
if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
printk(KERN_ERR "xt_policy: neither incoming nor "
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index fdb86a5..ebd84f1 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -86,7 +86,7 @@ static bool xt_rateest_mt_checkentry(const char *tablename,
void *matchinfo,
unsigned int hook_mask)
{
- struct xt_rateest_match_info *info = (void *)matchinfo;
+ struct xt_rateest_match_info *info = matchinfo;
struct xt_rateest *est1, *est2;
if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
@@ -130,7 +130,7 @@ err1:
static void xt_rateest_mt_destroy(const struct xt_match *match,
void *matchinfo)
{
- struct xt_rateest_match_info *info = (void *)matchinfo;
+ struct xt_rateest_match_info *info = matchinfo;
xt_rateest_put(info->est1);
if (info->est2)
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index b718ec6..e6e4681 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -46,7 +46,8 @@ match_packet(const struct sk_buff *skb,
bool *hotdrop)
{
u_int32_t chunkmapcopy[256 / sizeof (u_int32_t)];
- sctp_chunkhdr_t _sch, *sch;
+ const sctp_chunkhdr_t *sch;
+ sctp_chunkhdr_t _sch;
int chunk_match_type = info->chunk_match_type;
const struct xt_sctp_flag_info *flag_info = info->flag_info;
int flag_count = info->flag_count;
@@ -121,7 +122,8 @@ sctp_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
const struct xt_sctp_info *info = matchinfo;
- sctp_sctphdr_t _sh, *sh;
+ const sctp_sctphdr_t *sh;
+ sctp_sctphdr_t _sh;
if (offset) {
duprintf("Dropping non-first fragment.. FIXME\n");
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index d7a5b27..6771bf0 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -31,9 +31,11 @@ tcpmss_mt(const struct sk_buff *skb, const struct net_device *in,
bool *hotdrop)
{
const struct xt_tcpmss_match_info *info = matchinfo;
- struct tcphdr _tcph, *th;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
- u8 _opt[15 * 4 - sizeof(_tcph)], *op;
+ const u_int8_t *op;
+ u8 _opt[15 * 4 - sizeof(_tcph)];
unsigned int i, optlen;
/* If we don't have the whole header, drop packet. */
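Review bot: `const u_int8_t *op;` sits directly above `u8 _opt[...]`, the array it is assigned from, yet spells the same type differently; the original line used `u8` for both. Prefer `const u8 *op;` so the pair reads as one type, matching the `_opt` line this file keeps (the neighbouring xt_tcpudp.c hunk uses `u_int8_t` for both, which is equally consistent). The rest of tcpmss_mt, including the loop that walks `op`, is outside the hunk.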
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 4fa3b66..951b06b 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -42,7 +42,8 @@ tcp_find_option(u_int8_t option,
bool *hotdrop)
{
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
- u_int8_t _opt[60 - sizeof(struct tcphdr)], *op;
+ const u_int8_t *op;
+ u_int8_t _opt[60 - sizeof(struct tcphdr)];
unsigned int i;
duprintf("tcp_match: finding option\n");
@@ -72,7 +73,8 @@ tcp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct tcphdr _tcph, *th;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
const struct xt_tcp *tcpinfo = matchinfo;
if (offset) {
@@ -144,7 +146,8 @@ udp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct udphdr _udph, *uh;
+ const struct udphdr *uh;
+ struct udphdr _udph;
const struct xt_udp *udpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index e9a8794..41297d0 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -220,7 +220,7 @@ time_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
- struct xt_time_info *info = matchinfo;
+ const struct xt_time_info *info = matchinfo;
if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
info->daytime_stop > XT_TIME_MAX_DAYTIME) {