netfilter: xtables: move extension arguments into compound structure (2/6)

This patch does this for match extensions' checkentry functions. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Jan Engelhardt <jengelh@medozas.de> 2008-10-08 05:35:18 -0400
committer: Patrick McHardy <kaber@trash.net> 2008-10-08 05:35:18 -0400
commit: 9b4fce7a3508a9776534188b6065b206a9608ccf (patch)
tree: 7df90f099a72738900deb93124ad86724a2df207 /net/netfilter
parent: f7108a20dee44e5bb037f9e48f6a207b42e6ae1c (diff)
25 files changed, 110 insertions, 209 deletions
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index d1f2fb3e8f2d..817ab14f7cd6 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -321,39 +321,39 @@ int xt_find_revision(u8 af, const char *name, u8 revision, int target,
 }
 EXPORT_SYMBOL_GPL(xt_find_revision);
-int xt_check_match(const struct xt_match *match, unsigned short family,
+int xt_check_match(struct xt_mtchk_param *par, u_int8_t family,
-                   unsigned int size, const char *table, unsigned int hook_mask,
+                   unsigned int size, u_int8_t proto, bool inv_proto)
-                   unsigned short proto, int inv_proto, const void *entry,
-                   void *matchinfo)
 {
-        if (XT_ALIGN(match->matchsize) != size &&
+        if (XT_ALIGN(par->match->matchsize) != size &&
-            match->matchsize != -1) {
+            par->match->matchsize != -1) {
                /*
                 * ebt_among is exempt from centralized matchsize checking
                 * because it uses a dynamic-size data set.
                 */
                printk("%s_tables: %s match: invalid size %Zu != %u\n",
-                       xt_prefix[family], match->name,
+                       xt_prefix[family], par->match->name,
-                       XT_ALIGN(match->matchsize), size);
+                       XT_ALIGN(par->match->matchsize), size);
                return -EINVAL;
        }
-        if (match->table && strcmp(match->table, table)) {
+        if (par->match->table != NULL &&
+            strcmp(par->match->table, par->table) != 0) {
                printk("%s_tables: %s match: only valid in %s table, not %s\n",
-                       xt_prefix[family], match->name, match->table, table);
+                       xt_prefix[family], par->match->name,
+                       par->match->table, par->table);
                return -EINVAL;
        }
-        if (match->hooks && (hook_mask & ~match->hooks) != 0) {
+        if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
                printk("%s_tables: %s match: bad hook_mask %#x/%#x\n",
-                       xt_prefix[family], match->name, hook_mask, match->hooks);
+                       xt_prefix[family], par->match->name,
+                       par->hook_mask, par->match->hooks);
                return -EINVAL;
        }
-        if (match->proto && (match->proto != proto || inv_proto)) {
+        if (par->match->proto && (par->match->proto != proto || inv_proto)) {
                printk("%s_tables: %s match: only valid for protocol %u\n",
-                       xt_prefix[family], match->name, match->proto);
+                       xt_prefix[family], par->match->name, par->match->proto);
                return -EINVAL;
        }
-        if (match->checkentry != NULL &&
+        if (par->match->checkentry != NULL && !par->match->checkentry(par))
-            !match->checkentry(table, entry, match, matchinfo, hook_mask))
                return -EINVAL;
        return 0;
 }
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 30c19b5fe908..43a36c728e56 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -92,12 +92,9 @@ connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                return what >= sinfo->count.from;
 }
-static bool
+static bool connbytes_mt_check(const struct xt_mtchk_param *par)
-connbytes_mt_check(const char *tablename, const void *ip,
-                   const struct xt_match *match, void *matchinfo,
-                   unsigned int hook_mask)
 {
-        const struct xt_connbytes_info *sinfo = matchinfo;
+        const struct xt_connbytes_info *sinfo = par->matchinfo;
        if (sinfo->what != XT_CONNBYTES_PKTS &&
            sinfo->what != XT_CONNBYTES_BYTES &&
@@ -109,17 +106,16 @@ connbytes_mt_check(const char *tablename, const void *ip,
            sinfo->direction != XT_CONNBYTES_DIR_BOTH)
                return false;
-        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
                printk(KERN_WARNING "can't load conntrack support for "
-                                    "proto=%u\n", match->family);
+                                    "proto=%u\n", par->match->family);
                return false;
        }
        return true;
 }
-static void
+static void connbytes_mt_destroy(const struct xt_match *match, void *matchinfo)
-connbytes_mt_destroy(const struct xt_match *match, void *matchinfo)
 {
        nf_ct_l3proto_module_put(match->family);
 }
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 8b8f70e76646..1361e9919cf2 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -221,24 +221,21 @@ connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return false;
 }
-static bool
+static bool connlimit_mt_check(const struct xt_mtchk_param *par)
-connlimit_mt_check(const char *tablename, const void *ip,
-                   const struct xt_match *match, void *matchinfo,
-                   unsigned int hook_mask)
 {
-        struct xt_connlimit_info *info = matchinfo;
+        struct xt_connlimit_info *info = par->matchinfo;
        unsigned int i;
-        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
                printk(KERN_WARNING "cannot load conntrack support for "
-                       "address family %u\n", match->family);
+                       "address family %u\n", par->match->family);
                return false;
        }
        /* init private data */
        info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);
        if (info->data == NULL) {
-                nf_ct_l3proto_module_put(match->family);
+                nf_ct_l3proto_module_put(par->match->family);
                return false;
        }
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index df4f4a865a5e..b935b7888a90 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -61,33 +61,27 @@ connmark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
        return ((ct->mark & info->mask) == info->mark) ^ info->invert;
 }
-static bool
+static bool connmark_mt_check_v0(const struct xt_mtchk_param *par)
-connmark_mt_check_v0(const char *tablename, const void *ip,
-                     const struct xt_match *match, void *matchinfo,
-                     unsigned int hook_mask)
 {
-        const struct xt_connmark_info *cm = matchinfo;
+        const struct xt_connmark_info *cm = par->matchinfo;
        if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
                printk(KERN_WARNING "connmark: only support 32bit mark\n");
                return false;
        }
-        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
                printk(KERN_WARNING "can't load conntrack support for "
-                                    "proto=%u\n", match->family);
+                                    "proto=%u\n", par->match->family);
                return false;
        }
        return true;
 }
-static bool
+static bool connmark_mt_check(const struct xt_mtchk_param *par)
-connmark_mt_check(const char *tablename, const void *ip,
-                  const struct xt_match *match, void *matchinfo,
-                  unsigned int hook_mask)
 {
-        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
                printk(KERN_WARNING "cannot load conntrack support for "
-                       "proto=%u\n", match->family);
+                       "proto=%u\n", par->match->family);
                return false;
        }
        return true;
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 13a7e4eacdfd..f04c46a02ce0 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -278,14 +278,11 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool
+static bool conntrack_mt_check(const struct xt_mtchk_param *par)
-conntrack_mt_check(const char *tablename, const void *ip,
-                   const struct xt_match *match, void *matchinfo,
-                   unsigned int hook_mask)
 {
-        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
                printk(KERN_WARNING "can't load conntrack support for "
-                                    "proto=%u\n", match->family);
+                                    "proto=%u\n", par->match->family);
                return false;
        }
        return true;
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 7aa30bb91050..e5d3e8673287 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -121,12 +121,9 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                           XT_DCCP_OPTION, info->flags, info->invflags);
 }
-static bool
+static bool dccp_mt_check(const struct xt_mtchk_param *par)
-dccp_mt_check(const char *tablename, const void *inf,
-              const struct xt_match *match, void *matchinfo,
-              unsigned int hook_mask)
 {
-        const struct xt_dccp_info *info = matchinfo;
+        const struct xt_dccp_info *info = par->matchinfo;
        return !(info->flags & ~XT_DCCP_VALID_FLAGS)
                && !(info->invflags & ~XT_DCCP_VALID_FLAGS)
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 57d612061358..c3f8085460d7 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -43,15 +43,12 @@ dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        return (dscp == info->dscp) ^ !!info->invert;
 }
-static bool
+static bool dscp_mt_check(const struct xt_mtchk_param *par)
-dscp_mt_check(const char *tablename, const void *info,
-              const struct xt_match *match, void *matchinfo,
-              unsigned int hook_mask)
 {
-        const u_int8_t dscp = ((struct xt_dscp_info *)matchinfo)->dscp;
+        const struct xt_dscp_info *info = par->matchinfo;
-        if (dscp > XT_DSCP_MAX) {
+        if (info->dscp > XT_DSCP_MAX) {
-                printk(KERN_ERR "xt_dscp: dscp %x out of range\n", dscp);
+                printk(KERN_ERR "xt_dscp: dscp %x out of range\n", info->dscp);
                return false;
        }
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 6d59f2e7c1c1..609439967c2c 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -66,13 +66,9 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                         !!(espinfo->invflags & XT_ESP_INV_SPI));
 }
-/* Called when user tries to insert an entry of this type. */
+static bool esp_mt_check(const struct xt_mtchk_param *par)
-static bool
-esp_mt_check(const char *tablename, const void *ip_void,
-             const struct xt_match *match, void *matchinfo,
-             unsigned int hook_mask)
 {
-        const struct xt_esp *espinfo = matchinfo;
+        const struct xt_esp *espinfo = par->matchinfo;
        if (espinfo->invflags & ~XT_ESP_INV_MASK) {
                duprintf("xt_esp: unknown flags %X\n", espinfo->invflags);
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 22a60a728cf1..2f73820e46d7 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -664,12 +664,9 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return false;
 }
-static bool
+static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
-hashlimit_mt_check_v0(const char *tablename, const void *inf,
-                      const struct xt_match *match, void *matchinfo,
-                      unsigned int hook_mask)
 {
-        struct xt_hashlimit_info *r = matchinfo;
+        struct xt_hashlimit_info *r = par->matchinfo;
        /* Check for overflow. */
        if (r->cfg.burst == 0 ||
@@ -698,8 +695,8 @@ hashlimit_mt_check_v0(const char *tablename, const void *inf,
         * the list of htable's in htable_create(), since then we would
         * create duplicate proc files. -HW */
        mutex_lock(&hlimit_mutex);
-        r->hinfo = htable_find_get(r->name, match->family);
+        r->hinfo = htable_find_get(r->name, par->match->family);
-        if (!r->hinfo && htable_create_v0(r, match->family) != 0) {
+        if (!r->hinfo && htable_create_v0(r, par->match->family) != 0) {
                mutex_unlock(&hlimit_mutex);
                return false;
        }
@@ -710,12 +707,9 @@ hashlimit_mt_check_v0(const char *tablename, const void *inf,
        return true;
 }
-static bool
+static bool hashlimit_mt_check(const struct xt_mtchk_param *par)
-hashlimit_mt_check(const char *tablename, const void *inf,
-                   const struct xt_match *match, void *matchinfo,
-                   unsigned int hook_mask)
 {
-        struct xt_hashlimit_mtinfo1 *info = matchinfo;
+        struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
        /* Check for overflow. */
        if (info->cfg.burst == 0 ||
@@ -729,7 +723,7 @@ hashlimit_mt_check(const char *tablename, const void *inf,
                return false;
        if (info->name[sizeof(info->name)-1] != '\0')
                return false;
-        if (match->family == NFPROTO_IPV4) {
+        if (par->match->family == NFPROTO_IPV4) {
                if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32)
                        return false;
        } else {
@@ -744,8 +738,8 @@ hashlimit_mt_check(const char *tablename, const void *inf,
         * the list of htable's in htable_create(), since then we would
         * create duplicate proc files. -HW */
        mutex_lock(&hlimit_mutex);
-        info->hinfo = htable_find_get(info->name, match->family);
+        info->hinfo = htable_find_get(info->name, par->match->family);
-        if (!info->hinfo && htable_create(info, match->family) != 0) {
+        if (!info->hinfo && htable_create(info, par->match->family) != 0) {
                mutex_unlock(&hlimit_mutex);
                return false;
        }
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 73bdc3ba13fc..86d3c332fcb8 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -54,16 +54,13 @@ helper_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool
+static bool helper_mt_check(const struct xt_mtchk_param *par)
-helper_mt_check(const char *tablename, const void *inf,
-                const struct xt_match *match, void *matchinfo,
-                unsigned int hook_mask)
 {
-        struct xt_helper_info *info = matchinfo;
+        struct xt_helper_info *info = par->matchinfo;
-        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
                printk(KERN_WARNING "can't load conntrack support for "
-                                    "proto=%u\n", match->family);
+                                    "proto=%u\n", par->match->family);
                return false;
        }
        info->name[29] = '\0';
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index c475eac5dbec..c908d69a5595 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -92,12 +92,9 @@ user2credits(u_int32_t user)
        return (user * HZ * CREDITS_PER_JIFFY) / XT_LIMIT_SCALE;
 }
-static bool
+static bool limit_mt_check(const struct xt_mtchk_param *par)
-limit_mt_check(const char *tablename, const void *inf,
-               const struct xt_match *match, void *matchinfo,
-               unsigned int hook_mask)
 {
-        struct xt_rateinfo *r = matchinfo;
+        struct xt_rateinfo *r = par->matchinfo;
        /* Check for overflow. */
        if (r->burst == 0
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 885476146531..10b9e34bbc5b 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -38,12 +38,9 @@ mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ((skb->mark & info->mask) == info->mark) ^ info->invert;
 }
-static bool
+static bool mark_mt_check_v0(const struct xt_mtchk_param *par)
-mark_mt_check_v0(const char *tablename, const void *entry,
-                 const struct xt_match *match, void *matchinfo,
-                 unsigned int hook_mask)
 {
-        const struct xt_mark_info *minfo = matchinfo;
+        const struct xt_mark_info *minfo = par->matchinfo;
        if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) {
                printk(KERN_WARNING "mark: only supports 32bit mark\n");
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 7087e291528d..d06bb2dd3900 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -158,50 +158,37 @@ check(u_int16_t proto,
                && count <= XT_MULTI_PORTS;
 }
-/* Called when user tries to insert an entry of this type. */
+static bool multiport_mt_check_v0(const struct xt_mtchk_param *par)
-static bool
-multiport_mt_check_v0(const char *tablename, const void *info,
-                      const struct xt_match *match, void *matchinfo,
-                      unsigned int hook_mask)
 {
-        const struct ipt_ip *ip = info;
+        const struct ipt_ip *ip = par->entryinfo;
-        const struct xt_multiport *multiinfo = matchinfo;
+        const struct xt_multiport *multiinfo = par->matchinfo;
        return check(ip->proto, ip->invflags, multiinfo->flags,
                     multiinfo->count);
 }
-static bool
+static bool multiport_mt_check(const struct xt_mtchk_param *par)
-multiport_mt_check(const char *tablename, const void *info,
-                   const struct xt_match *match, void *matchinfo,
-                   unsigned int hook_mask)
 {
-        const struct ipt_ip *ip = info;
+        const struct ipt_ip *ip = par->entryinfo;
-        const struct xt_multiport_v1 *multiinfo = matchinfo;
+        const struct xt_multiport_v1 *multiinfo = par->matchinfo;
        return check(ip->proto, ip->invflags, multiinfo->flags,
                     multiinfo->count);
 }
-static bool
+static bool multiport_mt6_check_v0(const struct xt_mtchk_param *par)
-multiport_mt6_check_v0(const char *tablename, const void *info,
-                       const struct xt_match *match, void *matchinfo,
-                       unsigned int hook_mask)
 {
-        const struct ip6t_ip6 *ip = info;
+        const struct ip6t_ip6 *ip = par->entryinfo;
-        const struct xt_multiport *multiinfo = matchinfo;
+        const struct xt_multiport *multiinfo = par->matchinfo;
        return check(ip->proto, ip->invflags, multiinfo->flags,
                     multiinfo->count);
 }
-static bool
+static bool multiport_mt6_check(const struct xt_mtchk_param *par)
-multiport_mt6_check(const char *tablename, const void *info,
-                    const struct xt_match *match, void *matchinfo,
-                    unsigned int hook_mask)
 {
-        const struct ip6t_ip6 *ip = info;
+        const struct ip6t_ip6 *ip = par->entryinfo;
-        const struct xt_multiport_v1 *multiinfo = matchinfo;
+        const struct xt_multiport_v1 *multiinfo = par->matchinfo;
        return check(ip->proto, ip->invflags, multiinfo->flags,
                     multiinfo->count);
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 493b5eb8d148..32f84e84d9e6 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -107,12 +107,9 @@ owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool
+static bool owner_mt_check_v0(const struct xt_mtchk_param *par)
-owner_mt_check_v0(const char *tablename, const void *ip,
-                  const struct xt_match *match, void *matchinfo,
-                  unsigned int hook_mask)
 {
-        const struct ipt_owner_info *info = matchinfo;
+        const struct ipt_owner_info *info = par->matchinfo;
        if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
                printk(KERN_WARNING KBUILD_MODNAME
@@ -124,12 +121,9 @@ owner_mt_check_v0(const char *tablename, const void *ip,
        return true;
 }
-static bool
+static bool owner_mt6_check_v0(const struct xt_mtchk_param *par)
-owner_mt6_check_v0(const char *tablename, const void *ip,
-                   const struct xt_match *match, void *matchinfo,
-                   unsigned int hook_mask)
 {
-        const struct ip6t_owner_info *info = matchinfo;
+        const struct ip6t_owner_info *info = par->matchinfo;
        if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
                printk(KERN_WARNING KBUILD_MODNAME
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index e980e179d4f1..b01786d2dd91 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -91,12 +91,9 @@ match_outdev:
        return ret ^ !(info->invert & XT_PHYSDEV_OP_OUT);
 }
-static bool
+static bool physdev_mt_check(const struct xt_mtchk_param *par)
-physdev_mt_check(const char *tablename, const void *ip,
-                 const struct xt_match *match, void *matchinfo,
-                 unsigned int hook_mask)
 {
-        const struct xt_physdev_info *info = matchinfo;
+        const struct xt_physdev_info *info = par->matchinfo;
        if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
            info->bitmask & ~XT_PHYSDEV_OP_MASK)
@@ -104,12 +101,12 @@ physdev_mt_check(const char *tablename, const void *ip,
        if (info->bitmask & XT_PHYSDEV_OP_OUT &&
            (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
             info->invert & XT_PHYSDEV_OP_BRIDGED) &&
-            hook_mask & ((1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
+            par->hook_mask & ((1 << NF_INET_LOCAL_OUT) |
-                         (1 << NF_INET_POST_ROUTING))) {
+            (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) {
                printk(KERN_WARNING "physdev match: using --physdev-out in the "
                       "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
                       "traffic is not supported anymore.\n");
-                if (hook_mask & (1 << NF_INET_LOCAL_OUT))
+                if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
                        return false;
        }
        return true;
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index b0a00fb0511b..328bd20ddd25 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -128,26 +128,23 @@ policy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool
+static bool policy_mt_check(const struct xt_mtchk_param *par)
-policy_mt_check(const char *tablename, const void *ip_void,
-                const struct xt_match *match, void *matchinfo,
-                unsigned int hook_mask)
 {
-        const struct xt_policy_info *info = matchinfo;
+        const struct xt_policy_info *info = par->matchinfo;
        if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
                printk(KERN_ERR "xt_policy: neither incoming nor "
                                "outgoing policy selected\n");
                return false;
        }
-        if (hook_mask & (1 << NF_INET_PRE_ROUTING | 1 << NF_INET_LOCAL_IN)
+        if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
-            && info->flags & XT_POLICY_MATCH_OUT) {
+            (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
                printk(KERN_ERR "xt_policy: output policy not valid in "
                                "PRE_ROUTING and INPUT\n");
                return false;
        }
-        if (hook_mask & (1 << NF_INET_POST_ROUTING | 1 << NF_INET_LOCAL_OUT)
+        if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
-            && info->flags & XT_POLICY_MATCH_IN) {
+            (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
                printk(KERN_ERR "xt_policy: input policy not valid in "
                                "POST_ROUTING and OUTPUT\n");
                return false;
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 3ab92666c149..c84fce5e0f3e 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -37,12 +37,9 @@ quota_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool
+static bool quota_mt_check(const struct xt_mtchk_param *par)
-quota_mt_check(const char *tablename, const void *entry,
-               const struct xt_match *match, void *matchinfo,
-               unsigned int hook_mask)
 {
-        struct xt_quota_info *q = matchinfo;
+        struct xt_quota_info *q = par->matchinfo;
        if (q->flags & ~XT_QUOTA_MASK)
                return false;
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index e9f64ef45655..4b05ce168a78 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -74,13 +74,9 @@ xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool xt_rateest_mt_checkentry(const char *tablename,
+static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
-                                     const void *ip,
-                                     const struct xt_match *match,
-                                     void *matchinfo,
-                                     unsigned int hook_mask)
 {
-        struct xt_rateest_match_info *info = matchinfo;
+        struct xt_rateest_match_info *info = par->matchinfo;
        struct xt_rateest *est1, *est2;
        if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index baeb90a56231..a512b49f3fe4 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -280,12 +280,9 @@ out:
        return ret;
 }
-static bool
+static bool recent_mt_check(const struct xt_mtchk_param *par)
-recent_mt_check(const char *tablename, const void *ip,
-                const struct xt_match *match, void *matchinfo,
-                unsigned int hook_mask)
 {
-        const struct xt_recent_mtinfo *info = matchinfo;
+        const struct xt_recent_mtinfo *info = par->matchinfo;
        struct recent_table *t;
        unsigned i;
        bool ret = false;
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index b0014ab65da7..e223cb43ae8e 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -147,12 +147,9 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                           XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
 }
-static bool
+static bool sctp_mt_check(const struct xt_mtchk_param *par)
-sctp_mt_check(const char *tablename, const void *inf,
-              const struct xt_match *match, void *matchinfo,
-              unsigned int hook_mask)
 {
-        const struct xt_sctp_info *info = matchinfo;
+        const struct xt_sctp_info *info = par->matchinfo;
        return !(info->flags & ~XT_SCTP_VALID_FLAGS)
                && !(info->invflags & ~XT_SCTP_VALID_FLAGS)
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 29f5a8a1b024..88b1235519d7 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -37,14 +37,11 @@ state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return (sinfo->statemask & statebit);
 }
-static bool
+static bool state_mt_check(const struct xt_mtchk_param *par)
-state_mt_check(const char *tablename, const void *inf,
-               const struct xt_match *match, void *matchinfo,
-               unsigned int hook_mask)
 {
-        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
                printk(KERN_WARNING "can't load conntrack support for "
-                                    "proto=%u\n", match->family);
+                                    "proto=%u\n", par->match->family);
                return false;
        }
        return true;
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index dcadc491db21..0d75141139d5 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -49,12 +49,9 @@ statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool
+static bool statistic_mt_check(const struct xt_mtchk_param *par)
-statistic_mt_check(const char *tablename, const void *entry,
-                   const struct xt_match *match, void *matchinfo,
-                   unsigned int hook_mask)
 {
-        struct xt_statistic_info *info = matchinfo;
+        struct xt_statistic_info *info = par->matchinfo;
        if (info->mode > XT_STATISTIC_MODE_MAX ||
            info->flags & ~XT_STATISTIC_MASK)
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 33f2d29ca4f7..c9407aa78f73 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -40,12 +40,9 @@ string_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 #define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m))
-static bool
+static bool string_mt_check(const struct xt_mtchk_param *par)
-string_mt_check(const char *tablename, const void *ip,
-                const struct xt_match *match, void *matchinfo,
-                unsigned int hook_mask)
 {
-        struct xt_string_info *conf = matchinfo;
+        struct xt_string_info *conf = par->matchinfo;
        struct ts_config *ts_conf;
        int flags = TS_AUTOLOAD;
@@ -56,7 +53,7 @@ string_mt_check(const char *tablename, const void *ip,
                return false;
        if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
                return false;
-        if (match->revision == 1) {
+        if (par->match->revision == 1) {
                if (conf->u.v1.flags &
                    ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT))
                        return false;
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 66cf71b1d59c..1ebdc4934eed 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -126,13 +126,9 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-/* Called when user tries to insert an entry of this type. */
+static bool tcp_mt_check(const struct xt_mtchk_param *par)
-static bool
-tcp_mt_check(const char *tablename, const void *info,
-             const struct xt_match *match, void *matchinfo,
-             unsigned int hook_mask)
 {
-        const struct xt_tcp *tcpinfo = matchinfo;
+        const struct xt_tcp *tcpinfo = par->matchinfo;
        /* Must specify no unknown invflags */
        return !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
@@ -165,13 +161,9 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                              !!(udpinfo->invflags & XT_UDP_INV_DSTPT));
 }
-/* Called when user tries to insert an entry of this type. */
+static bool udp_mt_check(const struct xt_mtchk_param *par)
-static bool
-udp_mt_check(const char *tablename, const void *info,
-             const struct xt_match *match, void *matchinfo,
-             unsigned int hook_mask)
 {
-        const struct xt_udp *udpinfo = matchinfo;
+        const struct xt_udp *udpinfo = par->matchinfo;
        /* Must specify no unknown invflags */
        return !(udpinfo->invflags & ~XT_UDP_INV_MASK);
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 28599d3979c4..29375ba8db73 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -218,12 +218,9 @@ time_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool
+static bool time_mt_check(const struct xt_mtchk_param *par)
-time_mt_check(const char *tablename, const void *ip,
-              const struct xt_match *match, void *matchinfo,
-              unsigned int hook_mask)
 {
-        const struct xt_time_info *info = matchinfo;
+        const struct xt_time_info *info = par->matchinfo;
        if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
            info->daytime_stop > XT_TIME_MAX_DAYTIME) {
author	Jan Engelhardt <jengelh@medozas.de>	2008-10-08 05:35:18 -0400
committer	Patrick McHardy <kaber@trash.net>	2008-10-08 05:35:18 -0400
commit	9b4fce7a3508a9776534188b6065b206a9608ccf (patch)
tree	7df90f099a72738900deb93124ad86724a2df207 /net/netfilter
parent	f7108a20dee44e5bb037f9e48f6a207b42e6ae1c (diff)