From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: Patrick McHardy <kaber@trash.net>, netfilter-devel@vger.kernel.org
Subject: [NETFILTER 09/64]: ip6_tables: move entry, match and target checks to seperate functions
Date: Tue, 18 Dec 2007 00:46:25 +0100 (MET) [thread overview]
Message-ID: <20071217234624.23601.23279.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20071217234612.23601.6979.sendpatchset@localhost.localdomain>
[NETFILTER]: ip6_tables: move entry, match and target checks to seperate functions
Resync with ip_tables.c as preparation for compat support.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit e3dd889d718409e2ebd6010d6db111c5ee304804
tree c654332f845415a4ce63e5fe7220c674ca3eb330
parent de6db21852632a229cad718da30eb526b6b46da9
author Patrick McHardy <kaber@trash.net> Mon, 17 Dec 2007 14:57:45 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 17 Dec 2007 16:05:28 +0100
net/ipv6/netfilter/ip6_tables.c | 129 +++++++++++++++++++++++++--------------
1 files changed, 82 insertions(+), 47 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index b73e6b6..655c221 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -607,11 +607,55 @@ cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
}
static inline int
-check_match(struct ip6t_entry_match *m,
- const char *name,
- const struct ip6t_ip6 *ipv6,
- unsigned int hookmask,
- unsigned int *i)
+check_entry(struct ip6t_entry *e, const char *name)
+{
+ struct ip6t_entry_target *t;
+
+ if (!ip6_checkentry(&e->ipv6)) {
+ duprintf("ip_tables: ip check failed %p %s.\n", e, name);
+ return -EINVAL;
+ }
+
+ if (e->target_offset + sizeof(struct ip6t_entry_target) >
+ e->next_offset)
+ return -EINVAL;
+
+ t = ip6t_get_target(e);
+ if (e->target_offset + t->u.target_size > e->next_offset)
+ return -EINVAL;
+
+ return 0;
+}
+
+static inline int check_match(struct ip6t_entry_match *m, const char *name,
+ const struct ip6t_ip6 *ipv6,
+ unsigned int hookmask, unsigned int *i)
+{
+ struct xt_match *match;
+ int ret;
+
+ match = m->u.kernel.match;
+ ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
+ name, hookmask, ipv6->proto,
+ ipv6->invflags & IP6T_INV_PROTO);
+ if (!ret && m->u.kernel.match->checkentry
+ && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
+ hookmask)) {
+ duprintf("ip_tables: check failed for `%s'.\n",
+ m->u.kernel.match->name);
+ ret = -EINVAL;
+ }
+ if (!ret)
+ (*i)++;
+ return ret;
+}
+
+static inline int
+find_check_match(struct ip6t_entry_match *m,
+ const char *name,
+ const struct ip6t_ip6 *ipv6,
+ unsigned int hookmask,
+ unsigned int *i)
{
struct xt_match *match;
int ret;
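Review bot: The new check_entry() bounds the target only from above: both comparisons test against `e->next_offset`, and nothing in this function rejects an `e->target_offset` smaller than `sizeof(struct ip6t_entry)` before `ip6t_get_target(e)` is dereferenced to read `t->u.target_size`. Because these offsets come from the ruleset blob being loaded, a lower-bound test such as `if (e->target_offset < sizeof(struct ip6t_entry)) return -EINVAL;` ahead of the first comparison would keep the target from overlapping the entry header. An earlier pass in translate_table() may already enforce this, but it is not visible in this patch. The `duprintf` strings in check_entry() and check_match() also still say `ip_tables:` although the file is ip6_tables.c. find_check_match() begins at the end of this hunk and its body continues in the next one.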
@@ -620,86 +664,77 @@ check_match(struct ip6t_entry_match *m,
m->u.user.revision),
"ip6t_%s", m->u.user.name);
if (IS_ERR(match) || !match) {
- duprintf("check_match: `%s' not found\n", m->u.user.name);
+ duprintf("find_check_match: `%s' not found\n", m->u.user.name);
return match ? PTR_ERR(match) : -ENOENT;
}
m->u.kernel.match = match;
- ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
- name, hookmask, ipv6->proto,
- ipv6->invflags & IP6T_INV_PROTO);
+ ret = check_match(m, name, ipv6, hookmask, i);
if (ret)
goto err;
- if (m->u.kernel.match->checkentry
- && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
- hookmask)) {
- duprintf("ip_tables: check failed for `%s'.\n",
- m->u.kernel.match->name);
- ret = -EINVAL;
- goto err;
- }
-
- (*i)++;
return 0;
err:
module_put(m->u.kernel.match->me);
return ret;
}
-static inline int
-check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
- unsigned int *i)
+static inline int check_target(struct ip6t_entry *e, const char *name)
{
struct ip6t_entry_target *t;
struct xt_target *target;
int ret;
- unsigned int j;
- if (!ip6_checkentry(&e->ipv6)) {
- duprintf("ip_tables: ip check failed %p %s.\n", e, name);
- return -EINVAL;
+ t = ip6t_get_target(e);
+ target = t->u.kernel.target;
+ ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
+ name, e->comefrom, e->ipv6.proto,
+ e->ipv6.invflags & IP6T_INV_PROTO);
+ if (!ret && t->u.kernel.target->checkentry
+ && !t->u.kernel.target->checkentry(name, e, target, t->data,
+ e->comefrom)) {
+ duprintf("ip_tables: check failed for `%s'.\n",
+ t->u.kernel.target->name);
+ ret = -EINVAL;
}
+ return ret;
+}
- if (e->target_offset + sizeof(struct ip6t_entry_target) >
- e->next_offset)
- return -EINVAL;
+static inline int
+find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
+ unsigned int *i)
+{
+ struct ip6t_entry_target *t;
+ struct xt_target *target;
+ int ret;
+ unsigned int j;
+
+ ret = check_entry(e, name);
+ if (ret)
+ return ret;
j = 0;
- ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6, e->comefrom, &j);
+ ret = IP6T_MATCH_ITERATE(e, find_check_match, name, &e->ipv6,
+ e->comefrom, &j);
if (ret != 0)
goto cleanup_matches;
t = ip6t_get_target(e);
- ret = -EINVAL;
- if (e->target_offset + t->u.target_size > e->next_offset)
- goto cleanup_matches;
target = try_then_request_module(xt_find_target(AF_INET6,
t->u.user.name,
t->u.user.revision),
"ip6t_%s", t->u.user.name);
if (IS_ERR(target) || !target) {
- duprintf("check_entry: `%s' not found\n", t->u.user.name);
+ duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
ret = target ? PTR_ERR(target) : -ENOENT;
goto cleanup_matches;
}
t->u.kernel.target = target;
- ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
- name, e->comefrom, e->ipv6.proto,
- e->ipv6.invflags & IP6T_INV_PROTO);
+ ret = check_target(e, name);
if (ret)
goto err;
- if (t->u.kernel.target->checkentry
- && !t->u.kernel.target->checkentry(name, e, target, t->data,
- e->comefrom)) {
- duprintf("ip_tables: check failed for `%s'.\n",
- t->u.kernel.target->name);
- ret = -EINVAL;
- goto err;
- }
-
(*i)++;
return 0;
err:
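Review bot: check_target() computes `t->u.target_size - sizeof(*t)` with no visible minimum on `target_size`, so a size smaller than the target header wraps to a very large unsigned value before it reaches xt_check_target(). check_match() in the first hunk does the same with `m->u.match_size - sizeof(*m)`. Whether xt_check_target()/xt_check_match() reject the wrapped value is not shown here, so failing early is safer: `if (t->u.target_size < sizeof(*t)) return -EINVAL;` in check_entry() next to the existing upper-bound test, plus the equivalent guard for each match. find_check_entry() continues past the `err:` label, outside this hunk.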
@@ -834,7 +869,7 @@ translate_table(const char *name,
/* Finally, each sanity check must pass */
i = 0;
ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
- check_entry, name, size, &i);
+ find_check_entry, name, size, &i);
if (ret != 0) {
IP6T_ENTRY_ITERATE(entry0, newinfo->size,