diff options
author | Jan Engelhardt <jengelh@medozas.de> | 2008-10-08 05:35:19 -0400 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2008-10-08 05:35:19 -0400 |
commit | af5d6dc200eb0fcc6fbd3df1ab4d8969004cb37f (patch) | |
tree | 06f5805d0a98a421f23380bdb044f93216204b9d /net | |
parent | 7eb3558655aaa87a3e71a0c065dfaddda521fa6d (diff) |
netfilter: xtables: move extension arguments into compound structure (5/6)
This patch does this for target extensions' checkentry functions.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
37 files changed, 186 insertions, 272 deletions
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c index fc94699f719e..76584cd72e57 100644 --- a/net/bridge/netfilter/ebt_arpreply.c +++ b/net/bridge/netfilter/ebt_arpreply.c | |||
@@ -57,20 +57,16 @@ ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
57 | return info->target; | 57 | return info->target; |
58 | } | 58 | } |
59 | 59 | ||
60 | static bool | 60 | static bool ebt_arpreply_tg_check(const struct xt_tgchk_param *par) |
61 | ebt_arpreply_tg_check(const char *tablename, const void *entry, | ||
62 | const struct xt_target *target, void *data, | ||
63 | unsigned int hookmask) | ||
64 | { | 61 | { |
65 | const struct ebt_arpreply_info *info = data; | 62 | const struct ebt_arpreply_info *info = par->targinfo; |
66 | const struct ebt_entry *e = entry; | 63 | const struct ebt_entry *e = par->entryinfo; |
67 | 64 | ||
68 | if (BASE_CHAIN && info->target == EBT_RETURN) | 65 | if (BASE_CHAIN && info->target == EBT_RETURN) |
69 | return false; | 66 | return false; |
70 | if (e->ethproto != htons(ETH_P_ARP) || | 67 | if (e->ethproto != htons(ETH_P_ARP) || |
71 | e->invflags & EBT_IPROTO) | 68 | e->invflags & EBT_IPROTO) |
72 | return false; | 69 | return false; |
73 | CLEAR_BASE_CHAIN_BIT; | ||
74 | return true; | 70 | return true; |
75 | } | 71 | } |
76 | 72 | ||
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c index bb5d79e0beea..6b49ea9e31fb 100644 --- a/net/bridge/netfilter/ebt_dnat.c +++ b/net/bridge/netfilter/ebt_dnat.c | |||
@@ -26,19 +26,20 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
26 | return info->target; | 26 | return info->target; |
27 | } | 27 | } |
28 | 28 | ||
29 | static bool | 29 | static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par) |
30 | ebt_dnat_tg_check(const char *tablename, const void *entry, | ||
31 | const struct xt_target *target, void *data, | ||
32 | unsigned int hookmask) | ||
33 | { | 30 | { |
34 | const struct ebt_nat_info *info = data; | 31 | const struct ebt_nat_info *info = par->targinfo; |
32 | unsigned int hook_mask; | ||
35 | 33 | ||
36 | if (BASE_CHAIN && info->target == EBT_RETURN) | 34 | if (BASE_CHAIN && info->target == EBT_RETURN) |
37 | return false; | 35 | return false; |
38 | CLEAR_BASE_CHAIN_BIT; | 36 | |
39 | if ( (strcmp(tablename, "nat") || | 37 | hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS); |
40 | (hookmask & ~((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT)))) && | 38 | if ((strcmp(par->table, "nat") != 0 || |
41 | (strcmp(tablename, "broute") || hookmask & ~(1 << NF_BR_BROUTING)) ) | 39 | (hook_mask & ~((1 << NF_BR_PRE_ROUTING) | |
40 | (1 << NF_BR_LOCAL_OUT)))) && | ||
41 | (strcmp(par->table, "broute") != 0 || | ||
42 | hook_mask & ~(1 << NF_BR_BROUTING))) | ||
42 | return false; | 43 | return false; |
43 | if (INVALID_TARGET) | 44 | if (INVALID_TARGET) |
44 | return false; | 45 | return false; |
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c index 87de5fccb2f1..3d33c608906a 100644 --- a/net/bridge/netfilter/ebt_log.c +++ b/net/bridge/netfilter/ebt_log.c | |||
@@ -24,12 +24,9 @@ | |||
24 | 24 | ||
25 | static DEFINE_SPINLOCK(ebt_log_lock); | 25 | static DEFINE_SPINLOCK(ebt_log_lock); |
26 | 26 | ||
27 | static bool | 27 | static bool ebt_log_tg_check(const struct xt_tgchk_param *par) |
28 | ebt_log_tg_check(const char *table, const void *entry, | ||
29 | const struct xt_target *target, void *data, | ||
30 | unsigned int hook_mask) | ||
31 | { | 28 | { |
32 | struct ebt_log_info *info = data; | 29 | struct ebt_log_info *info = par->targinfo; |
33 | 30 | ||
34 | if (info->bitmask & ~EBT_LOG_MASK) | 31 | if (info->bitmask & ~EBT_LOG_MASK) |
35 | return false; | 32 | return false; |
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c index aafc456c3c3b..2fee7e8e2e93 100644 --- a/net/bridge/netfilter/ebt_mark.c +++ b/net/bridge/netfilter/ebt_mark.c | |||
@@ -36,18 +36,14 @@ ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
36 | return info->target | ~EBT_VERDICT_BITS; | 36 | return info->target | ~EBT_VERDICT_BITS; |
37 | } | 37 | } |
38 | 38 | ||
39 | static bool | 39 | static bool ebt_mark_tg_check(const struct xt_tgchk_param *par) |
40 | ebt_mark_tg_check(const char *table, const void *e, | ||
41 | const struct xt_target *target, void *data, | ||
42 | unsigned int hookmask) | ||
43 | { | 40 | { |
44 | const struct ebt_mark_t_info *info = data; | 41 | const struct ebt_mark_t_info *info = par->targinfo; |
45 | int tmp; | 42 | int tmp; |
46 | 43 | ||
47 | tmp = info->target | ~EBT_VERDICT_BITS; | 44 | tmp = info->target | ~EBT_VERDICT_BITS; |
48 | if (BASE_CHAIN && tmp == EBT_RETURN) | 45 | if (BASE_CHAIN && tmp == EBT_RETURN) |
49 | return false; | 46 | return false; |
50 | CLEAR_BASE_CHAIN_BIT; | ||
51 | if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) | 47 | if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) |
52 | return false; | 48 | return false; |
53 | tmp = info->target & ~EBT_VERDICT_BITS; | 49 | tmp = info->target & ~EBT_VERDICT_BITS; |
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c index 6a28d994cf7d..2a63d996dd4e 100644 --- a/net/bridge/netfilter/ebt_nflog.c +++ b/net/bridge/netfilter/ebt_nflog.c | |||
@@ -35,12 +35,9 @@ ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
35 | return EBT_CONTINUE; | 35 | return EBT_CONTINUE; |
36 | } | 36 | } |
37 | 37 | ||
38 | static bool | 38 | static bool ebt_nflog_tg_check(const struct xt_tgchk_param *par) |
39 | ebt_nflog_tg_check(const char *table, const void *e, | ||
40 | const struct xt_target *target, void *data, | ||
41 | unsigned int hookmask) | ||
42 | { | 39 | { |
43 | struct ebt_nflog_info *info = data; | 40 | struct ebt_nflog_info *info = par->targinfo; |
44 | 41 | ||
45 | if (info->flags & ~EBT_NFLOG_MASK) | 42 | if (info->flags & ~EBT_NFLOG_MASK) |
46 | return false; | 43 | return false; |
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c index 0cfe2fad9404..c8a49f7a57ba 100644 --- a/net/bridge/netfilter/ebt_redirect.c +++ b/net/bridge/netfilter/ebt_redirect.c | |||
@@ -32,18 +32,19 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
32 | return info->target; | 32 | return info->target; |
33 | } | 33 | } |
34 | 34 | ||
35 | static bool | 35 | static bool ebt_redirect_tg_check(const struct xt_tgchk_param *par) |
36 | ebt_redirect_tg_check(const char *tablename, const void *e, | ||
37 | const struct xt_target *target, void *data, | ||
38 | unsigned int hookmask) | ||
39 | { | 36 | { |
40 | const struct ebt_redirect_info *info = data; | 37 | const struct ebt_redirect_info *info = par->targinfo; |
38 | unsigned int hook_mask; | ||
41 | 39 | ||
42 | if (BASE_CHAIN && info->target == EBT_RETURN) | 40 | if (BASE_CHAIN && info->target == EBT_RETURN) |
43 | return false; | 41 | return false; |
44 | CLEAR_BASE_CHAIN_BIT; | 42 | |
45 | if ( (strcmp(tablename, "nat") || hookmask & ~(1 << NF_BR_PRE_ROUTING)) && | 43 | hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS); |
46 | (strcmp(tablename, "broute") || hookmask & ~(1 << NF_BR_BROUTING)) ) | 44 | if ((strcmp(par->table, "nat") != 0 || |
45 | hook_mask & ~(1 << NF_BR_PRE_ROUTING)) && | ||
46 | (strcmp(par->table, "broute") != 0 || | ||
47 | hook_mask & ~(1 << NF_BR_BROUTING))) | ||
47 | return false; | 48 | return false; |
48 | if (INVALID_TARGET) | 49 | if (INVALID_TARGET) |
49 | return false; | 50 | return false; |
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c index f55960eee996..8d04d4c302bd 100644 --- a/net/bridge/netfilter/ebt_snat.c +++ b/net/bridge/netfilter/ebt_snat.c | |||
@@ -42,18 +42,14 @@ out: | |||
42 | return info->target | ~EBT_VERDICT_BITS; | 42 | return info->target | ~EBT_VERDICT_BITS; |
43 | } | 43 | } |
44 | 44 | ||
45 | static bool | 45 | static bool ebt_snat_tg_check(const struct xt_tgchk_param *par) |
46 | ebt_snat_tg_check(const char *tablename, const void *e, | ||
47 | const struct xt_target *target, void *data, | ||
48 | unsigned int hookmask) | ||
49 | { | 46 | { |
50 | const struct ebt_nat_info *info = data; | 47 | const struct ebt_nat_info *info = par->targinfo; |
51 | int tmp; | 48 | int tmp; |
52 | 49 | ||
53 | tmp = info->target | ~EBT_VERDICT_BITS; | 50 | tmp = info->target | ~EBT_VERDICT_BITS; |
54 | if (BASE_CHAIN && tmp == EBT_RETURN) | 51 | if (BASE_CHAIN && tmp == EBT_RETURN) |
55 | return false; | 52 | return false; |
56 | CLEAR_BASE_CHAIN_BIT; | ||
57 | 53 | ||
58 | if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) | 54 | if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) |
59 | return false; | 55 | return false; |
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c index bfedf12cbf41..2c6d6823e703 100644 --- a/net/bridge/netfilter/ebt_ulog.c +++ b/net/bridge/netfilter/ebt_ulog.c | |||
@@ -254,12 +254,9 @@ ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
254 | return EBT_CONTINUE; | 254 | return EBT_CONTINUE; |
255 | } | 255 | } |
256 | 256 | ||
257 | static bool | 257 | static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par) |
258 | ebt_ulog_tg_check(const char *table, const void *entry, | ||
259 | const struct xt_target *target, void *data, | ||
260 | unsigned int hookmask) | ||
261 | { | 258 | { |
262 | struct ebt_ulog_info *uloginfo = data; | 259 | struct ebt_ulog_info *uloginfo = par->targinfo; |
263 | 260 | ||
264 | if (uloginfo->nlgroup > 31) | 261 | if (uloginfo->nlgroup > 31) |
265 | return false; | 262 | return false; |
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index a1156bab4a03..cf823c21c166 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c | |||
@@ -363,9 +363,10 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par, | |||
363 | } | 363 | } |
364 | 364 | ||
365 | static inline int | 365 | static inline int |
366 | ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e, | 366 | ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par, |
367 | const char *name, unsigned int hookmask, unsigned int *cnt) | 367 | unsigned int *cnt) |
368 | { | 368 | { |
369 | const struct ebt_entry *e = par->entryinfo; | ||
369 | struct xt_target *watcher; | 370 | struct xt_target *watcher; |
370 | size_t left = ((char *)e + e->target_offset) - (char *)w; | 371 | size_t left = ((char *)e + e->target_offset) - (char *)w; |
371 | int ret; | 372 | int ret; |
@@ -383,9 +384,10 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e, | |||
383 | return -ENOENT; | 384 | return -ENOENT; |
384 | w->u.watcher = watcher; | 385 | w->u.watcher = watcher; |
385 | 386 | ||
386 | ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size, | 387 | par->target = watcher; |
387 | name, hookmask, e->ethproto, e->invflags & EBT_IPROTO, | 388 | par->targinfo = w->data; |
388 | e, w->data); | 389 | ret = xt_check_target(par, NFPROTO_BRIDGE, w->watcher_size, |
390 | e->ethproto, e->invflags & EBT_IPROTO); | ||
389 | if (ret < 0) { | 391 | if (ret < 0) { |
390 | module_put(watcher->me); | 392 | module_put(watcher->me); |
391 | return ret; | 393 | return ret; |
@@ -619,6 +621,7 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, | |||
619 | size_t gap; | 621 | size_t gap; |
620 | int ret; | 622 | int ret; |
621 | struct xt_mtchk_param mtpar; | 623 | struct xt_mtchk_param mtpar; |
624 | struct xt_tgchk_param tgpar; | ||
622 | 625 | ||
623 | /* don't mess with the struct ebt_entries */ | 626 | /* don't mess with the struct ebt_entries */ |
624 | if (e->bitmask == 0) | 627 | if (e->bitmask == 0) |
@@ -660,14 +663,14 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, | |||
660 | } | 663 | } |
661 | i = 0; | 664 | i = 0; |
662 | 665 | ||
663 | mtpar.table = name; | 666 | mtpar.table = tgpar.table = name; |
664 | mtpar.entryinfo = e; | 667 | mtpar.entryinfo = tgpar.entryinfo = e; |
665 | mtpar.hook_mask = hookmask; | 668 | mtpar.hook_mask = tgpar.hook_mask = hookmask; |
666 | ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i); | 669 | ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i); |
667 | if (ret != 0) | 670 | if (ret != 0) |
668 | goto cleanup_matches; | 671 | goto cleanup_matches; |
669 | j = 0; | 672 | j = 0; |
670 | ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j); | 673 | ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j); |
671 | if (ret != 0) | 674 | if (ret != 0) |
672 | goto cleanup_watchers; | 675 | goto cleanup_watchers; |
673 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); | 676 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); |
@@ -703,9 +706,10 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, | |||
703 | goto cleanup_watchers; | 706 | goto cleanup_watchers; |
704 | } | 707 | } |
705 | 708 | ||
706 | ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size, | 709 | tgpar.target = target; |
707 | name, hookmask, e->ethproto, e->invflags & EBT_IPROTO, | 710 | tgpar.targinfo = t->data; |
708 | e, t->data); | 711 | ret = xt_check_target(&tgpar, NFPROTO_BRIDGE, t->target_size, |
712 | e->ethproto, e->invflags & EBT_IPROTO); | ||
709 | if (ret < 0) { | 713 | if (ret < 0) { |
710 | module_put(target->me); | 714 | module_put(target->me); |
711 | goto cleanup_watchers; | 715 | goto cleanup_watchers; |
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 5b631ad74b5f..b3238d0101cc 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
@@ -457,16 +457,18 @@ static inline int check_entry(struct arpt_entry *e, const char *name) | |||
457 | 457 | ||
458 | static inline int check_target(struct arpt_entry *e, const char *name) | 458 | static inline int check_target(struct arpt_entry *e, const char *name) |
459 | { | 459 | { |
460 | struct arpt_entry_target *t; | 460 | struct arpt_entry_target *t = arpt_get_target(e); |
461 | struct xt_target *target; | ||
462 | int ret; | 461 | int ret; |
463 | 462 | struct xt_tgchk_param par = { | |
464 | t = arpt_get_target(e); | 463 | .table = name, |
465 | target = t->u.kernel.target; | 464 | .entryinfo = e, |
466 | 465 | .target = t->u.kernel.target, | |
467 | ret = xt_check_target(target, NFPROTO_ARP, | 466 | .targinfo = t->data, |
468 | t->u.target_size - sizeof(*t), | 467 | .hook_mask = e->comefrom, |
469 | name, e->comefrom, 0, 0, e, t->data); | 468 | }; |
469 | |||
470 | ret = xt_check_target(&par, NFPROTO_ARP, | ||
471 | t->u.target_size - sizeof(*t), 0, false); | ||
470 | if (ret < 0) { | 472 | if (ret < 0) { |
471 | duprintf("arp_tables: check failed for `%s'.\n", | 473 | duprintf("arp_tables: check failed for `%s'.\n", |
472 | t->u.kernel.target->name); | 474 | t->u.kernel.target->name); |
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c index 0bf81b353694..b0d5b1d0a769 100644 --- a/net/ipv4/netfilter/arpt_mangle.c +++ b/net/ipv4/netfilter/arpt_mangle.c | |||
@@ -54,11 +54,9 @@ target(struct sk_buff *skb, const struct xt_target_param *par) | |||
54 | return mangle->target; | 54 | return mangle->target; |
55 | } | 55 | } |
56 | 56 | ||
57 | static bool | 57 | static bool checkentry(const struct xt_tgchk_param *par) |
58 | checkentry(const char *tablename, const void *e, const struct xt_target *target, | ||
59 | void *targinfo, unsigned int hook_mask) | ||
60 | { | 58 | { |
61 | const struct arpt_mangle *mangle = targinfo; | 59 | const struct arpt_mangle *mangle = par->targinfo; |
62 | 60 | ||
63 | if (mangle->flags & ~ARPT_MANGLE_MASK || | 61 | if (mangle->flags & ~ARPT_MANGLE_MASK || |
64 | !(mangle->flags & ARPT_MANGLE_MASK)) | 62 | !(mangle->flags & ARPT_MANGLE_MASK)) |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 0f8ecf390229..e592c54d4992 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -655,15 +655,18 @@ err: | |||
655 | 655 | ||
656 | static int check_target(struct ipt_entry *e, const char *name) | 656 | static int check_target(struct ipt_entry *e, const char *name) |
657 | { | 657 | { |
658 | struct ipt_entry_target *t; | 658 | struct ipt_entry_target *t = ipt_get_target(e); |
659 | struct xt_target *target; | 659 | struct xt_tgchk_param par = { |
660 | .table = name, | ||
661 | .entryinfo = e, | ||
662 | .target = t->u.kernel.target, | ||
663 | .targinfo = t->data, | ||
664 | .hook_mask = e->comefrom, | ||
665 | }; | ||
660 | int ret; | 666 | int ret; |
661 | 667 | ||
662 | t = ipt_get_target(e); | 668 | ret = xt_check_target(&par, NFPROTO_IPV4, t->u.target_size - sizeof(*t), |
663 | target = t->u.kernel.target; | 669 | e->ip.proto, e->ip.invflags & IPT_INV_PROTO); |
664 | ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t), | ||
665 | name, e->comefrom, e->ip.proto, | ||
666 | e->ip.invflags & IPT_INV_PROTO, e, t->data); | ||
667 | if (ret < 0) { | 670 | if (ret < 0) { |
668 | duprintf("ip_tables: check failed for `%s'.\n", | 671 | duprintf("ip_tables: check failed for `%s'.\n", |
669 | t->u.kernel.target->name); | 672 | t->u.kernel.target->name); |
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 67e8aa8f34f2..6c7254e02561 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c | |||
@@ -347,13 +347,10 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
347 | return XT_CONTINUE; | 347 | return XT_CONTINUE; |
348 | } | 348 | } |
349 | 349 | ||
350 | static bool | 350 | static bool clusterip_tg_check(const struct xt_tgchk_param *par) |
351 | clusterip_tg_check(const char *tablename, const void *e_void, | ||
352 | const struct xt_target *target, void *targinfo, | ||
353 | unsigned int hook_mask) | ||
354 | { | 351 | { |
355 | struct ipt_clusterip_tgt_info *cipinfo = targinfo; | 352 | struct ipt_clusterip_tgt_info *cipinfo = par->targinfo; |
356 | const struct ipt_entry *e = e_void; | 353 | const struct ipt_entry *e = par->entryinfo; |
357 | 354 | ||
358 | struct clusterip_config *config; | 355 | struct clusterip_config *config; |
359 | 356 | ||
@@ -404,9 +401,9 @@ clusterip_tg_check(const char *tablename, const void *e_void, | |||
404 | } | 401 | } |
405 | cipinfo->config = config; | 402 | cipinfo->config = config; |
406 | 403 | ||
407 | if (nf_ct_l3proto_try_module_get(target->family) < 0) { | 404 | if (nf_ct_l3proto_try_module_get(par->target->family) < 0) { |
408 | printk(KERN_WARNING "can't load conntrack support for " | 405 | printk(KERN_WARNING "can't load conntrack support for " |
409 | "proto=%u\n", target->family); | 406 | "proto=%u\n", par->target->family); |
410 | return false; | 407 | return false; |
411 | } | 408 | } |
412 | 409 | ||
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c index e37f181e8298..f7e2fa0974dc 100644 --- a/net/ipv4/netfilter/ipt_ECN.c +++ b/net/ipv4/netfilter/ipt_ECN.c | |||
@@ -93,13 +93,10 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
93 | return XT_CONTINUE; | 93 | return XT_CONTINUE; |
94 | } | 94 | } |
95 | 95 | ||
96 | static bool | 96 | static bool ecn_tg_check(const struct xt_tgchk_param *par) |
97 | ecn_tg_check(const char *tablename, const void *e_void, | ||
98 | const struct xt_target *target, void *targinfo, | ||
99 | unsigned int hook_mask) | ||
100 | { | 97 | { |
101 | const struct ipt_ECN_info *einfo = targinfo; | 98 | const struct ipt_ECN_info *einfo = par->targinfo; |
102 | const struct ipt_entry *e = e_void; | 99 | const struct ipt_entry *e = par->entryinfo; |
103 | 100 | ||
104 | if (einfo->operation & IPT_ECN_OP_MASK) { | 101 | if (einfo->operation & IPT_ECN_OP_MASK) { |
105 | printk(KERN_WARNING "ECN: unsupported ECN operation %x\n", | 102 | printk(KERN_WARNING "ECN: unsupported ECN operation %x\n", |
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c index e9942aed35ae..fc6ce04a3e35 100644 --- a/net/ipv4/netfilter/ipt_LOG.c +++ b/net/ipv4/netfilter/ipt_LOG.c | |||
@@ -440,12 +440,9 @@ log_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
440 | return XT_CONTINUE; | 440 | return XT_CONTINUE; |
441 | } | 441 | } |
442 | 442 | ||
443 | static bool | 443 | static bool log_tg_check(const struct xt_tgchk_param *par) |
444 | log_tg_check(const char *tablename, const void *e, | ||
445 | const struct xt_target *target, void *targinfo, | ||
446 | unsigned int hook_mask) | ||
447 | { | 444 | { |
448 | const struct ipt_log_info *loginfo = targinfo; | 445 | const struct ipt_log_info *loginfo = par->targinfo; |
449 | 446 | ||
450 | if (loginfo->level >= 8) { | 447 | if (loginfo->level >= 8) { |
451 | pr_debug("LOG: level %u >= 8\n", loginfo->level); | 448 | pr_debug("LOG: level %u >= 8\n", loginfo->level); |
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c index e0d9d49b79ee..f389f60cb105 100644 --- a/net/ipv4/netfilter/ipt_MASQUERADE.c +++ b/net/ipv4/netfilter/ipt_MASQUERADE.c | |||
@@ -31,12 +31,9 @@ MODULE_DESCRIPTION("Xtables: automatic-address SNAT"); | |||
31 | static DEFINE_RWLOCK(masq_lock); | 31 | static DEFINE_RWLOCK(masq_lock); |
32 | 32 | ||
33 | /* FIXME: Multiple targets. --RR */ | 33 | /* FIXME: Multiple targets. --RR */ |
34 | static bool | 34 | static bool masquerade_tg_check(const struct xt_tgchk_param *par) |
35 | masquerade_tg_check(const char *tablename, const void *e, | ||
36 | const struct xt_target *target, void *targinfo, | ||
37 | unsigned int hook_mask) | ||
38 | { | 35 | { |
39 | const struct nf_nat_multi_range_compat *mr = targinfo; | 36 | const struct nf_nat_multi_range_compat *mr = par->targinfo; |
40 | 37 | ||
41 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { | 38 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { |
42 | pr_debug("masquerade_check: bad MAP_IPS.\n"); | 39 | pr_debug("masquerade_check: bad MAP_IPS.\n"); |
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c index cf18f23b3460..7c29582d4ec8 100644 --- a/net/ipv4/netfilter/ipt_NETMAP.c +++ b/net/ipv4/netfilter/ipt_NETMAP.c | |||
@@ -22,12 +22,9 @@ MODULE_LICENSE("GPL"); | |||
22 | MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>"); | 22 | MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>"); |
23 | MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets"); | 23 | MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets"); |
24 | 24 | ||
25 | static bool | 25 | static bool netmap_tg_check(const struct xt_tgchk_param *par) |
26 | netmap_tg_check(const char *tablename, const void *e, | ||
27 | const struct xt_target *target, void *targinfo, | ||
28 | unsigned int hook_mask) | ||
29 | { | 26 | { |
30 | const struct nf_nat_multi_range_compat *mr = targinfo; | 27 | const struct nf_nat_multi_range_compat *mr = par->targinfo; |
31 | 28 | ||
32 | if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { | 29 | if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { |
33 | pr_debug("NETMAP:check: bad MAP_IPS.\n"); | 30 | pr_debug("NETMAP:check: bad MAP_IPS.\n"); |
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c index 23adb09ddfb4..698e5e78685b 100644 --- a/net/ipv4/netfilter/ipt_REDIRECT.c +++ b/net/ipv4/netfilter/ipt_REDIRECT.c | |||
@@ -26,12 +26,9 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); | |||
26 | MODULE_DESCRIPTION("Xtables: Connection redirection to localhost"); | 26 | MODULE_DESCRIPTION("Xtables: Connection redirection to localhost"); |
27 | 27 | ||
28 | /* FIXME: Take multiple ranges --RR */ | 28 | /* FIXME: Take multiple ranges --RR */ |
29 | static bool | 29 | static bool redirect_tg_check(const struct xt_tgchk_param *par) |
30 | redirect_tg_check(const char *tablename, const void *e, | ||
31 | const struct xt_target *target, void *targinfo, | ||
32 | unsigned int hook_mask) | ||
33 | { | 30 | { |
34 | const struct nf_nat_multi_range_compat *mr = targinfo; | 31 | const struct nf_nat_multi_range_compat *mr = par->targinfo; |
35 | 32 | ||
36 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { | 33 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { |
37 | pr_debug("redirect_check: bad MAP_IPS.\n"); | 34 | pr_debug("redirect_check: bad MAP_IPS.\n"); |
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index b36071bb1077..0b4b6e0ff2b9 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c | |||
@@ -175,13 +175,10 @@ reject_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
175 | return NF_DROP; | 175 | return NF_DROP; |
176 | } | 176 | } |
177 | 177 | ||
178 | static bool | 178 | static bool reject_tg_check(const struct xt_tgchk_param *par) |
179 | reject_tg_check(const char *tablename, const void *e_void, | ||
180 | const struct xt_target *target, void *targinfo, | ||
181 | unsigned int hook_mask) | ||
182 | { | 179 | { |
183 | const struct ipt_reject_info *rejinfo = targinfo; | 180 | const struct ipt_reject_info *rejinfo = par->targinfo; |
184 | const struct ipt_entry *e = e_void; | 181 | const struct ipt_entry *e = par->entryinfo; |
185 | 182 | ||
186 | if (rejinfo->with == IPT_ICMP_ECHOREPLY) { | 183 | if (rejinfo->with == IPT_ICMP_ECHOREPLY) { |
187 | printk("ipt_REJECT: ECHOREPLY no longer supported.\n"); | 184 | printk("ipt_REJECT: ECHOREPLY no longer supported.\n"); |
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c index 05cbfd2f7470..6d76aae90cc0 100644 --- a/net/ipv4/netfilter/ipt_TTL.c +++ b/net/ipv4/netfilter/ipt_TTL.c | |||
@@ -59,12 +59,9 @@ ttl_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
59 | return XT_CONTINUE; | 59 | return XT_CONTINUE; |
60 | } | 60 | } |
61 | 61 | ||
62 | static bool | 62 | static bool ttl_tg_check(const struct xt_tgchk_param *par) |
63 | ttl_tg_check(const char *tablename, const void *e, | ||
64 | const struct xt_target *target, void *targinfo, | ||
65 | unsigned int hook_mask) | ||
66 | { | 63 | { |
67 | const struct ipt_TTL_info *info = targinfo; | 64 | const struct ipt_TTL_info *info = par->targinfo; |
68 | 65 | ||
69 | if (info->mode > IPT_TTL_MAXMODE) { | 66 | if (info->mode > IPT_TTL_MAXMODE) { |
70 | printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", | 67 | printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", |
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index 46c0df0dc2dc..18a2826b57c6 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c | |||
@@ -313,12 +313,9 @@ static void ipt_logfn(u_int8_t pf, | |||
313 | ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix); | 313 | ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix); |
314 | } | 314 | } |
315 | 315 | ||
316 | static bool | 316 | static bool ulog_tg_check(const struct xt_tgchk_param *par) |
317 | ulog_tg_check(const char *tablename, const void *e, | ||
318 | const struct xt_target *target, void *targinfo, | ||
319 | unsigned int hookmask) | ||
320 | { | 317 | { |
321 | const struct ipt_ulog_info *loginfo = targinfo; | 318 | const struct ipt_ulog_info *loginfo = par->targinfo; |
322 | 319 | ||
323 | if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { | 320 | if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { |
324 | pr_debug("ipt_ULOG: prefix term %i\n", | 321 | pr_debug("ipt_ULOG: prefix term %i\n", |
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c index 83170ff131f9..bea54a685109 100644 --- a/net/ipv4/netfilter/nf_nat_rule.c +++ b/net/ipv4/netfilter/nf_nat_rule.c | |||
@@ -128,13 +128,9 @@ ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par) | |||
128 | return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST); | 128 | return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST); |
129 | } | 129 | } |
130 | 130 | ||
131 | static bool ipt_snat_checkentry(const char *tablename, | 131 | static bool ipt_snat_checkentry(const struct xt_tgchk_param *par) |
132 | const void *entry, | ||
133 | const struct xt_target *target, | ||
134 | void *targinfo, | ||
135 | unsigned int hook_mask) | ||
136 | { | 132 | { |
137 | const struct nf_nat_multi_range_compat *mr = targinfo; | 133 | const struct nf_nat_multi_range_compat *mr = par->targinfo; |
138 | 134 | ||
139 | /* Must be a valid range */ | 135 | /* Must be a valid range */ |
140 | if (mr->rangesize != 1) { | 136 | if (mr->rangesize != 1) { |
@@ -144,13 +140,9 @@ static bool ipt_snat_checkentry(const char *tablename, | |||
144 | return true; | 140 | return true; |
145 | } | 141 | } |
146 | 142 | ||
147 | static bool ipt_dnat_checkentry(const char *tablename, | 143 | static bool ipt_dnat_checkentry(const struct xt_tgchk_param *par) |
148 | const void *entry, | ||
149 | const struct xt_target *target, | ||
150 | void *targinfo, | ||
151 | unsigned int hook_mask) | ||
152 | { | 144 | { |
153 | const struct nf_nat_multi_range_compat *mr = targinfo; | 145 | const struct nf_nat_multi_range_compat *mr = par->targinfo; |
154 | 146 | ||
155 | /* Must be a valid range */ | 147 | /* Must be a valid range */ |
156 | if (mr->rangesize != 1) { | 148 | if (mr->rangesize != 1) { |
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index ee0986cdbd66..ca14fb8bd362 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
@@ -679,15 +679,19 @@ err: | |||
679 | 679 | ||
680 | static int check_target(struct ip6t_entry *e, const char *name) | 680 | static int check_target(struct ip6t_entry *e, const char *name) |
681 | { | 681 | { |
682 | struct ip6t_entry_target *t; | 682 | struct ip6t_entry_target *t = ip6t_get_target(e); |
683 | struct xt_target *target; | 683 | struct xt_tgchk_param par = { |
684 | .table = name, | ||
685 | .entryinfo = e, | ||
686 | .target = t->u.kernel.target, | ||
687 | .targinfo = t->data, | ||
688 | .hook_mask = e->comefrom, | ||
689 | }; | ||
684 | int ret; | 690 | int ret; |
685 | 691 | ||
686 | t = ip6t_get_target(e); | 692 | t = ip6t_get_target(e); |
687 | target = t->u.kernel.target; | 693 | ret = xt_check_target(&par, NFPROTO_IPV6, t->u.target_size - sizeof(*t), |
688 | ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t), | 694 | e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO); |
689 | name, e->comefrom, e->ipv6.proto, | ||
690 | e->ipv6.invflags & IP6T_INV_PROTO, e, t->data); | ||
691 | if (ret < 0) { | 695 | if (ret < 0) { |
692 | duprintf("ip_tables: check failed for `%s'.\n", | 696 | duprintf("ip_tables: check failed for `%s'.\n", |
693 | t->u.kernel.target->name); | 697 | t->u.kernel.target->name); |
diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c index ac759a54f2c6..27b5adf670a2 100644 --- a/net/ipv6/netfilter/ip6t_HL.c +++ b/net/ipv6/netfilter/ip6t_HL.c | |||
@@ -54,12 +54,9 @@ hl_tg6(struct sk_buff *skb, const struct xt_target_param *par) | |||
54 | return XT_CONTINUE; | 54 | return XT_CONTINUE; |
55 | } | 55 | } |
56 | 56 | ||
57 | static bool | 57 | static bool hl_tg6_check(const struct xt_tgchk_param *par) |
58 | hl_tg6_check(const char *tablename, const void *entry, | ||
59 | const struct xt_target *target, void *targinfo, | ||
60 | unsigned int hook_mask) | ||
61 | { | 58 | { |
62 | const struct ip6t_HL_info *info = targinfo; | 59 | const struct ip6t_HL_info *info = par->targinfo; |
63 | 60 | ||
64 | if (info->mode > IP6T_HL_MAXMODE) { | 61 | if (info->mode > IP6T_HL_MAXMODE) { |
65 | printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", | 62 | printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", |
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c index a31d3ecd1fc9..caa441d09567 100644 --- a/net/ipv6/netfilter/ip6t_LOG.c +++ b/net/ipv6/netfilter/ip6t_LOG.c | |||
@@ -453,12 +453,9 @@ log_tg6(struct sk_buff *skb, const struct xt_target_param *par) | |||
453 | } | 453 | } |
454 | 454 | ||
455 | 455 | ||
456 | static bool | 456 | static bool log_tg6_check(const struct xt_tgchk_param *par) |
457 | log_tg6_check(const char *tablename, const void *entry, | ||
458 | const struct xt_target *target, void *targinfo, | ||
459 | unsigned int hook_mask) | ||
460 | { | 457 | { |
461 | const struct ip6t_log_info *loginfo = targinfo; | 458 | const struct ip6t_log_info *loginfo = par->targinfo; |
462 | 459 | ||
463 | if (loginfo->level >= 8) { | 460 | if (loginfo->level >= 8) { |
464 | pr_debug("LOG: level %u >= 8\n", loginfo->level); | 461 | pr_debug("LOG: level %u >= 8\n", loginfo->level); |
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c index 1d5f3a70ed09..0981b4ccb8b1 100644 --- a/net/ipv6/netfilter/ip6t_REJECT.c +++ b/net/ipv6/netfilter/ip6t_REJECT.c | |||
@@ -213,13 +213,10 @@ reject_tg6(struct sk_buff *skb, const struct xt_target_param *par) | |||
213 | return NF_DROP; | 213 | return NF_DROP; |
214 | } | 214 | } |
215 | 215 | ||
216 | static bool | 216 | static bool reject_tg6_check(const struct xt_tgchk_param *par) |
217 | reject_tg6_check(const char *tablename, const void *entry, | ||
218 | const struct xt_target *target, void *targinfo, | ||
219 | unsigned int hook_mask) | ||
220 | { | 217 | { |
221 | const struct ip6t_reject_info *rejinfo = targinfo; | 218 | const struct ip6t_reject_info *rejinfo = par->targinfo; |
222 | const struct ip6t_entry *e = entry; | 219 | const struct ip6t_entry *e = par->entryinfo; |
223 | 220 | ||
224 | if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { | 221 | if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { |
225 | printk("ip6t_REJECT: ECHOREPLY is not supported.\n"); | 222 | printk("ip6t_REJECT: ECHOREPLY is not supported.\n"); |
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 817ab14f7cd6..f29513cd1399 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c | |||
@@ -471,35 +471,35 @@ int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr, | |||
471 | EXPORT_SYMBOL_GPL(xt_compat_match_to_user); | 471 | EXPORT_SYMBOL_GPL(xt_compat_match_to_user); |
472 | #endif /* CONFIG_COMPAT */ | 472 | #endif /* CONFIG_COMPAT */ |
473 | 473 | ||
474 | int xt_check_target(const struct xt_target *target, unsigned short family, | 474 | int xt_check_target(struct xt_tgchk_param *par, u_int8_t family, |
475 | unsigned int size, const char *table, unsigned int hook_mask, | 475 | unsigned int size, u_int8_t proto, bool inv_proto) |
476 | unsigned short proto, int inv_proto, const void *entry, | ||
477 | void *targinfo) | ||
478 | { | 476 | { |
479 | if (XT_ALIGN(target->targetsize) != size) { | 477 | if (XT_ALIGN(par->target->targetsize) != size) { |
480 | printk("%s_tables: %s target: invalid size %Zu != %u\n", | 478 | printk("%s_tables: %s target: invalid size %Zu != %u\n", |
481 | xt_prefix[family], target->name, | 479 | xt_prefix[family], par->target->name, |
482 | XT_ALIGN(target->targetsize), size); | 480 | XT_ALIGN(par->target->targetsize), size); |
483 | return -EINVAL; | 481 | return -EINVAL; |
484 | } | 482 | } |
485 | if (target->table && strcmp(target->table, table)) { | 483 | if (par->target->table != NULL && |
484 | strcmp(par->target->table, par->table) != 0) { | ||
486 | printk("%s_tables: %s target: only valid in %s table, not %s\n", | 485 | printk("%s_tables: %s target: only valid in %s table, not %s\n", |
487 | xt_prefix[family], target->name, target->table, table); | 486 | xt_prefix[family], par->target->name, |
487 | par->target->table, par->table); | ||
488 | return -EINVAL; | 488 | return -EINVAL; |
489 | } | 489 | } |
490 | if (target->hooks && (hook_mask & ~target->hooks) != 0) { | 490 | if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) { |
491 | printk("%s_tables: %s target: bad hook_mask %#x/%#x\n", | 491 | printk("%s_tables: %s target: bad hook_mask %#x/%#x\n", |
492 | xt_prefix[family], target->name, hook_mask, | 492 | xt_prefix[family], par->target->name, par->hook_mask, |
493 | target->hooks); | 493 | par->target->hooks); |
494 | return -EINVAL; | 494 | return -EINVAL; |
495 | } | 495 | } |
496 | if (target->proto && (target->proto != proto || inv_proto)) { | 496 | if (par->target->proto && (par->target->proto != proto || inv_proto)) { |
497 | printk("%s_tables: %s target: only valid for protocol %u\n", | 497 | printk("%s_tables: %s target: only valid for protocol %u\n", |
498 | xt_prefix[family], target->name, target->proto); | 498 | xt_prefix[family], par->target->name, |
499 | par->target->proto); | ||
499 | return -EINVAL; | 500 | return -EINVAL; |
500 | } | 501 | } |
501 | if (target->checkentry != NULL && | 502 | if (par->target->checkentry != NULL && !par->target->checkentry(par)) |
502 | !target->checkentry(table, entry, target, targinfo, hook_mask)) | ||
503 | return -EINVAL; | 503 | return -EINVAL; |
504 | return 0; | 504 | return 0; |
505 | } | 505 | } |
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c index 95ed267328a7..8fc9f35e67df 100644 --- a/net/netfilter/xt_CONNMARK.c +++ b/net/netfilter/xt_CONNMARK.c | |||
@@ -112,18 +112,15 @@ connmark_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
112 | return XT_CONTINUE; | 112 | return XT_CONTINUE; |
113 | } | 113 | } |
114 | 114 | ||
115 | static bool | 115 | static bool connmark_tg_check_v0(const struct xt_tgchk_param *par) |
116 | connmark_tg_check_v0(const char *tablename, const void *entry, | ||
117 | const struct xt_target *target, void *targinfo, | ||
118 | unsigned int hook_mask) | ||
119 | { | 116 | { |
120 | const struct xt_connmark_target_info *matchinfo = targinfo; | 117 | const struct xt_connmark_target_info *matchinfo = par->targinfo; |
121 | 118 | ||
122 | if (matchinfo->mode == XT_CONNMARK_RESTORE) { | 119 | if (matchinfo->mode == XT_CONNMARK_RESTORE) { |
123 | if (strcmp(tablename, "mangle") != 0) { | 120 | if (strcmp(par->table, "mangle") != 0) { |
124 | printk(KERN_WARNING "CONNMARK: restore can only be " | 121 | printk(KERN_WARNING "CONNMARK: restore can only be " |
125 | "called from \"mangle\" table, not \"%s\"\n", | 122 | "called from \"mangle\" table, not \"%s\"\n", |
126 | tablename); | 123 | par->table); |
127 | return false; | 124 | return false; |
128 | } | 125 | } |
129 | } | 126 | } |
@@ -131,22 +128,19 @@ connmark_tg_check_v0(const char *tablename, const void *entry, | |||
131 | printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n"); | 128 | printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n"); |
132 | return false; | 129 | return false; |
133 | } | 130 | } |
134 | if (nf_ct_l3proto_try_module_get(target->family) < 0) { | 131 | if (nf_ct_l3proto_try_module_get(par->target->family) < 0) { |
135 | printk(KERN_WARNING "can't load conntrack support for " | 132 | printk(KERN_WARNING "can't load conntrack support for " |
136 | "proto=%u\n", target->family); | 133 | "proto=%u\n", par->target->family); |
137 | return false; | 134 | return false; |
138 | } | 135 | } |
139 | return true; | 136 | return true; |
140 | } | 137 | } |
141 | 138 | ||
142 | static bool | 139 | static bool connmark_tg_check(const struct xt_tgchk_param *par) |
143 | connmark_tg_check(const char *tablename, const void *entry, | ||
144 | const struct xt_target *target, void *targinfo, | ||
145 | unsigned int hook_mask) | ||
146 | { | 140 | { |
147 | if (nf_ct_l3proto_try_module_get(target->family) < 0) { | 141 | if (nf_ct_l3proto_try_module_get(par->target->family) < 0) { |
148 | printk(KERN_WARNING "cannot load conntrack support for " | 142 | printk(KERN_WARNING "cannot load conntrack support for " |
149 | "proto=%u\n", target->family); | 143 | "proto=%u\n", par->target->family); |
150 | return false; | 144 | return false; |
151 | } | 145 | } |
152 | return true; | 146 | return true; |
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c index 2211a2cef280..2041a3d4b4d8 100644 --- a/net/netfilter/xt_CONNSECMARK.c +++ b/net/netfilter/xt_CONNSECMARK.c | |||
@@ -85,16 +85,14 @@ connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
85 | return XT_CONTINUE; | 85 | return XT_CONTINUE; |
86 | } | 86 | } |
87 | 87 | ||
88 | static bool | 88 | static bool connsecmark_tg_check(const struct xt_tgchk_param *par) |
89 | connsecmark_tg_check(const char *tablename, const void *entry, | ||
90 | const struct xt_target *target, void *targinfo, | ||
91 | unsigned int hook_mask) | ||
92 | { | 89 | { |
93 | const struct xt_connsecmark_target_info *info = targinfo; | 90 | const struct xt_connsecmark_target_info *info = par->targinfo; |
94 | 91 | ||
95 | if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) { | 92 | if (strcmp(par->table, "mangle") != 0 && |
93 | strcmp(par->table, "security") != 0) { | ||
96 | printk(KERN_INFO PFX "target only valid in the \'mangle\' " | 94 | printk(KERN_INFO PFX "target only valid in the \'mangle\' " |
97 | "or \'security\' tables, not \'%s\'.\n", tablename); | 95 | "or \'security\' tables, not \'%s\'.\n", par->table); |
98 | return false; | 96 | return false; |
99 | } | 97 | } |
100 | 98 | ||
@@ -108,9 +106,9 @@ connsecmark_tg_check(const char *tablename, const void *entry, | |||
108 | return false; | 106 | return false; |
109 | } | 107 | } |
110 | 108 | ||
111 | if (nf_ct_l3proto_try_module_get(target->family) < 0) { | 109 | if (nf_ct_l3proto_try_module_get(par->target->family) < 0) { |
112 | printk(KERN_WARNING "can't load conntrack support for " | 110 | printk(KERN_WARNING "can't load conntrack support for " |
113 | "proto=%u\n", target->family); | 111 | "proto=%u\n", par->target->family); |
114 | return false; | 112 | return false; |
115 | } | 113 | } |
116 | return true; | 114 | return true; |
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c index c78e80afdf3d..6a347e768f86 100644 --- a/net/netfilter/xt_DSCP.c +++ b/net/netfilter/xt_DSCP.c | |||
@@ -61,15 +61,12 @@ dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par) | |||
61 | return XT_CONTINUE; | 61 | return XT_CONTINUE; |
62 | } | 62 | } |
63 | 63 | ||
64 | static bool | 64 | static bool dscp_tg_check(const struct xt_tgchk_param *par) |
65 | dscp_tg_check(const char *tablename, const void *e_void, | ||
66 | const struct xt_target *target, void *targinfo, | ||
67 | unsigned int hook_mask) | ||
68 | { | 65 | { |
69 | const u_int8_t dscp = ((struct xt_DSCP_info *)targinfo)->dscp; | 66 | const struct xt_DSCP_info *info = par->targinfo; |
70 | 67 | ||
71 | if (dscp > XT_DSCP_MAX) { | 68 | if (info->dscp > XT_DSCP_MAX) { |
72 | printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp); | 69 | printk(KERN_WARNING "DSCP: dscp %x out of range\n", info->dscp); |
73 | return false; | 70 | return false; |
74 | } | 71 | } |
75 | return true; | 72 | return true; |
@@ -95,12 +92,10 @@ tos_tg_v0(struct sk_buff *skb, const struct xt_target_param *par) | |||
95 | return XT_CONTINUE; | 92 | return XT_CONTINUE; |
96 | } | 93 | } |
97 | 94 | ||
98 | static bool | 95 | static bool tos_tg_check_v0(const struct xt_tgchk_param *par) |
99 | tos_tg_check_v0(const char *tablename, const void *e_void, | ||
100 | const struct xt_target *target, void *targinfo, | ||
101 | unsigned int hook_mask) | ||
102 | { | 96 | { |
103 | const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos; | 97 | const struct ipt_tos_target_info *info = par->targinfo; |
98 | const uint8_t tos = info->tos; | ||
104 | 99 | ||
105 | if (tos != IPTOS_LOWDELAY && tos != IPTOS_THROUGHPUT && | 100 | if (tos != IPTOS_LOWDELAY && tos != IPTOS_THROUGHPUT && |
106 | tos != IPTOS_RELIABILITY && tos != IPTOS_MINCOST && | 101 | tos != IPTOS_RELIABILITY && tos != IPTOS_MINCOST && |
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c index 27d03f396117..123ee0ba78c6 100644 --- a/net/netfilter/xt_MARK.c +++ b/net/netfilter/xt_MARK.c | |||
@@ -66,12 +66,9 @@ mark_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
66 | return XT_CONTINUE; | 66 | return XT_CONTINUE; |
67 | } | 67 | } |
68 | 68 | ||
69 | static bool | 69 | static bool mark_tg_check_v0(const struct xt_tgchk_param *par) |
70 | mark_tg_check_v0(const char *tablename, const void *entry, | ||
71 | const struct xt_target *target, void *targinfo, | ||
72 | unsigned int hook_mask) | ||
73 | { | 70 | { |
74 | const struct xt_mark_target_info *markinfo = targinfo; | 71 | const struct xt_mark_target_info *markinfo = par->targinfo; |
75 | 72 | ||
76 | if (markinfo->mark > 0xffffffff) { | 73 | if (markinfo->mark > 0xffffffff) { |
77 | printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); | 74 | printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); |
@@ -80,12 +77,9 @@ mark_tg_check_v0(const char *tablename, const void *entry, | |||
80 | return true; | 77 | return true; |
81 | } | 78 | } |
82 | 79 | ||
83 | static bool | 80 | static bool mark_tg_check_v1(const struct xt_tgchk_param *par) |
84 | mark_tg_check_v1(const char *tablename, const void *entry, | ||
85 | const struct xt_target *target, void *targinfo, | ||
86 | unsigned int hook_mask) | ||
87 | { | 81 | { |
88 | const struct xt_mark_target_info_v1 *markinfo = targinfo; | 82 | const struct xt_mark_target_info_v1 *markinfo = par->targinfo; |
89 | 83 | ||
90 | if (markinfo->mode != XT_MARK_SET | 84 | if (markinfo->mode != XT_MARK_SET |
91 | && markinfo->mode != XT_MARK_AND | 85 | && markinfo->mode != XT_MARK_AND |
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c index 3218ad63bd1d..56ee4f118b59 100644 --- a/net/netfilter/xt_NFLOG.c +++ b/net/netfilter/xt_NFLOG.c | |||
@@ -36,12 +36,9 @@ nflog_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
36 | return XT_CONTINUE; | 36 | return XT_CONTINUE; |
37 | } | 37 | } |
38 | 38 | ||
39 | static bool | 39 | static bool nflog_tg_check(const struct xt_tgchk_param *par) |
40 | nflog_tg_check(const char *tablename, const void *entry, | ||
41 | const struct xt_target *target, void *targetinfo, | ||
42 | unsigned int hookmask) | ||
43 | { | 40 | { |
44 | const struct xt_nflog_info *info = targetinfo; | 41 | const struct xt_nflog_info *info = par->targinfo; |
45 | 42 | ||
46 | if (info->flags & ~XT_NFLOG_MASK) | 43 | if (info->flags & ~XT_NFLOG_MASK) |
47 | return false; | 44 | return false; |
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c index 92e33524f784..edf4ab1f30ff 100644 --- a/net/netfilter/xt_RATEEST.c +++ b/net/netfilter/xt_RATEEST.c | |||
@@ -84,14 +84,9 @@ xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
84 | return XT_CONTINUE; | 84 | return XT_CONTINUE; |
85 | } | 85 | } |
86 | 86 | ||
87 | static bool | 87 | static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) |
88 | xt_rateest_tg_checkentry(const char *tablename, | ||
89 | const void *entry, | ||
90 | const struct xt_target *target, | ||
91 | void *targinfo, | ||
92 | unsigned int hook_mask) | ||
93 | { | 88 | { |
94 | struct xt_rateest_target_info *info = targinfo; | 89 | struct xt_rateest_target_info *info = par->targinfo; |
95 | struct xt_rateest *est; | 90 | struct xt_rateest *est; |
96 | struct { | 91 | struct { |
97 | struct nlattr opt; | 92 | struct nlattr opt; |
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index ad05214e3809..e5777227192c 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c | |||
@@ -80,16 +80,14 @@ static bool checkentry_selinux(struct xt_secmark_target_info *info) | |||
80 | return true; | 80 | return true; |
81 | } | 81 | } |
82 | 82 | ||
83 | static bool | 83 | static bool secmark_tg_check(const struct xt_tgchk_param *par) |
84 | secmark_tg_check(const char *tablename, const void *entry, | ||
85 | const struct xt_target *target, void *targinfo, | ||
86 | unsigned int hook_mask) | ||
87 | { | 84 | { |
88 | struct xt_secmark_target_info *info = targinfo; | 85 | struct xt_secmark_target_info *info = par->targinfo; |
89 | 86 | ||
90 | if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) { | 87 | if (strcmp(par->table, "mangle") != 0 && |
88 | strcmp(par->table, "security") != 0) { | ||
91 | printk(KERN_INFO PFX "target only valid in the \'mangle\' " | 89 | printk(KERN_INFO PFX "target only valid in the \'mangle\' " |
92 | "or \'security\' tables, not \'%s\'.\n", tablename); | 90 | "or \'security\' tables, not \'%s\'.\n", par->table); |
93 | return false; | 91 | return false; |
94 | } | 92 | } |
95 | 93 | ||
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index e08762d9b0ff..4f3b1f808795 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c | |||
@@ -237,16 +237,13 @@ static inline bool find_syn_match(const struct xt_entry_match *m) | |||
237 | return false; | 237 | return false; |
238 | } | 238 | } |
239 | 239 | ||
240 | static bool | 240 | static bool tcpmss_tg4_check(const struct xt_tgchk_param *par) |
241 | tcpmss_tg4_check(const char *tablename, const void *entry, | ||
242 | const struct xt_target *target, void *targinfo, | ||
243 | unsigned int hook_mask) | ||
244 | { | 241 | { |
245 | const struct xt_tcpmss_info *info = targinfo; | 242 | const struct xt_tcpmss_info *info = par->targinfo; |
246 | const struct ipt_entry *e = entry; | 243 | const struct ipt_entry *e = par->entryinfo; |
247 | 244 | ||
248 | if (info->mss == XT_TCPMSS_CLAMP_PMTU && | 245 | if (info->mss == XT_TCPMSS_CLAMP_PMTU && |
249 | (hook_mask & ~((1 << NF_INET_FORWARD) | | 246 | (par->hook_mask & ~((1 << NF_INET_FORWARD) | |
250 | (1 << NF_INET_LOCAL_OUT) | | 247 | (1 << NF_INET_LOCAL_OUT) | |
251 | (1 << NF_INET_POST_ROUTING))) != 0) { | 248 | (1 << NF_INET_POST_ROUTING))) != 0) { |
252 | printk("xt_TCPMSS: path-MTU clamping only supported in " | 249 | printk("xt_TCPMSS: path-MTU clamping only supported in " |
@@ -260,16 +257,13 @@ tcpmss_tg4_check(const char *tablename, const void *entry, | |||
260 | } | 257 | } |
261 | 258 | ||
262 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) | 259 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) |
263 | static bool | 260 | static bool tcpmss_tg6_check(const struct xt_tgchk_param *par) |
264 | tcpmss_tg6_check(const char *tablename, const void *entry, | ||
265 | const struct xt_target *target, void *targinfo, | ||
266 | unsigned int hook_mask) | ||
267 | { | 261 | { |
268 | const struct xt_tcpmss_info *info = targinfo; | 262 | const struct xt_tcpmss_info *info = par->targinfo; |
269 | const struct ip6t_entry *e = entry; | 263 | const struct ip6t_entry *e = par->entryinfo; |
270 | 264 | ||
271 | if (info->mss == XT_TCPMSS_CLAMP_PMTU && | 265 | if (info->mss == XT_TCPMSS_CLAMP_PMTU && |
272 | (hook_mask & ~((1 << NF_INET_FORWARD) | | 266 | (par->hook_mask & ~((1 << NF_INET_FORWARD) | |
273 | (1 << NF_INET_LOCAL_OUT) | | 267 | (1 << NF_INET_LOCAL_OUT) | |
274 | (1 << NF_INET_POST_ROUTING))) != 0) { | 268 | (1 << NF_INET_POST_ROUTING))) != 0) { |
275 | printk("xt_TCPMSS: path-MTU clamping only supported in " | 269 | printk("xt_TCPMSS: path-MTU clamping only supported in " |
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c index f08c49ea4bdc..1340c2fa3621 100644 --- a/net/netfilter/xt_TPROXY.c +++ b/net/netfilter/xt_TPROXY.c | |||
@@ -59,14 +59,9 @@ tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
59 | return NF_DROP; | 59 | return NF_DROP; |
60 | } | 60 | } |
61 | 61 | ||
62 | static bool | 62 | static bool tproxy_tg_check(const struct xt_tgchk_param *par) |
63 | tproxy_tg_check(const char *tablename, | ||
64 | const void *entry, | ||
65 | const struct xt_target *target, | ||
66 | void *targetinfo, | ||
67 | unsigned int hook_mask) | ||
68 | { | 63 | { |
69 | const struct ipt_ip *i = entry; | 64 | const struct ipt_ip *i = par->entryinfo; |
70 | 65 | ||
71 | if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) | 66 | if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) |
72 | && !(i->invflags & IPT_INV_PROTO)) | 67 | && !(i->invflags & IPT_INV_PROTO)) |
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c index 89791a56429a..a54dc3f8234f 100644 --- a/net/sched/act_ipt.c +++ b/net/sched/act_ipt.c | |||
@@ -40,6 +40,7 @@ static struct tcf_hashinfo ipt_hash_info = { | |||
40 | 40 | ||
41 | static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook) | 41 | static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook) |
42 | { | 42 | { |
43 | struct xt_tgchk_param par; | ||
43 | struct xt_target *target; | 44 | struct xt_target *target; |
44 | int ret = 0; | 45 | int ret = 0; |
45 | 46 | ||
@@ -49,9 +50,14 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int | |||
49 | return -ENOENT; | 50 | return -ENOENT; |
50 | 51 | ||
51 | t->u.kernel.target = target; | 52 | t->u.kernel.target = target; |
52 | 53 | par.table = table; | |
53 | ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t), | 54 | par.entryinfo = NULL; |
54 | table, hook, 0, 0, NULL, t->data); | 55 | par.target = target; |
56 | par.targinfo = t->data; | ||
57 | par.hook_mask = hook; | ||
58 | |||
59 | ret = xt_check_target(&par, NFPROTO_IPV4, | ||
60 | t->u.target_size - sizeof(*t), 0, false); | ||
55 | if (ret < 0) { | 61 | if (ret < 0) { |
56 | module_put(t->u.kernel.target->me); | 62 | module_put(t->u.kernel.target->me); |
57 | return ret; | 63 | return ret; |