author | Jan Engelhardt <jengelh@medozas.de> | 2010-03-25 11:34:45 -0400 |
---|---|---|
committer | Jan Engelhardt <jengelh@medozas.de> | 2010-03-25 11:55:49 -0400 |
commit | d6b00a5345ce4e86e8b00a88bb84a2c0c1f69ddc (patch) | |
tree | 11d68bb08584fbbae02a7bf22599bdd67da4408e | |
parent | bd414ee605ff3ac5fcd79f57269a897879ee4cde (diff) |
netfilter: xtables: change targets to return error code
Part of the transition, done by this semantic patch:
// <smpl>
@ rule1 @
struct xt_target ops;
identifier check;
@@
ops.checkentry = check;
@@
identifier rule1.check;
@@
check(...) { <...
-return true;
+return 0;
...> }
@@
identifier rule1.check;
@@
check(...) { <...
-return false;
+return -EINVAL;
...> }
// </smpl>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
31 files changed, 116 insertions, 111 deletions
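--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -63,11 +63,11 @@ static int ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
 const struct ebt_entry *e = par->entryinfo;
 
 if (BASE_CHAIN && info->target == EBT_RETURN)
-return false;
+return -EINVAL;
 if (e->ethproto != htons(ETH_P_ARP) ||
 e->invflags & EBT_IPROTO)
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_target ebt_arpreply_tg_reg __read_mostly = {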
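--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -32,7 +32,7 @@ static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
 unsigned int hook_mask;
 
 if (BASE_CHAIN && info->target == EBT_RETURN)
-return false;
+return -EINVAL;
 
 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
 if ((strcmp(par->table, "nat") != 0 ||
@@ -40,10 +40,10 @@ static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
 (1 << NF_BR_LOCAL_OUT)))) &&
 (strcmp(par->table, "broute") != 0 ||
 hook_mask & ~(1 << NF_BR_BROUTING)))
-return false;
+return -EINVAL;
 if (INVALID_TARGET)
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_target ebt_dnat_tg_reg __read_mostly = {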
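--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -29,11 +29,11 @@ static int ebt_log_tg_check(const struct xt_tgchk_param *par)
 struct ebt_log_info *info = par->targinfo;
 
 if (info->bitmask & ~EBT_LOG_MASK)
-return false;
+return -EINVAL;
 if (info->loglevel >= 8)
-return false;
+return -EINVAL;
 info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0';
-return true;
+return 0;
 }
 
 struct tcpudphdr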
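--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -43,14 +43,14 @@ static int ebt_mark_tg_check(const struct xt_tgchk_param *par)
 
 tmp = info->target | ~EBT_VERDICT_BITS;
 if (BASE_CHAIN && tmp == EBT_RETURN)
-return false;
+return -EINVAL;
 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
-return false;
+return -EINVAL;
 tmp = info->target & ~EBT_VERDICT_BITS;
 if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE &&
 tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE)
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 #ifdef CONFIG_COMPAT
 struct compat_ebt_mark_t_info {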
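--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -40,9 +40,9 @@ static int ebt_nflog_tg_check(const struct xt_tgchk_param *par)
 struct ebt_nflog_info *info = par->targinfo;
 
 if (info->flags & ~EBT_NFLOG_MASK)
-return false;
+return -EINVAL;
 info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
-return true;
+return 0;
 }
 
 static struct xt_target ebt_nflog_tg_reg __read_mostly = {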
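--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -38,17 +38,17 @@ static int ebt_redirect_tg_check(const struct xt_tgchk_param *par)
 unsigned int hook_mask;
 
 if (BASE_CHAIN && info->target == EBT_RETURN)
-return false;
+return -EINVAL;
 
 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
 if ((strcmp(par->table, "nat") != 0 ||
 hook_mask & ~(1 << NF_BR_PRE_ROUTING)) &&
 (strcmp(par->table, "broute") != 0 ||
 hook_mask & ~(1 << NF_BR_BROUTING)))
-return false;
+return -EINVAL;
 if (INVALID_TARGET)
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_target ebt_redirect_tg_reg __read_mostly = {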
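--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -49,14 +49,14 @@ static int ebt_snat_tg_check(const struct xt_tgchk_param *par)
 
 tmp = info->target | ~EBT_VERDICT_BITS;
 if (BASE_CHAIN && tmp == EBT_RETURN)
-return false;
+return -EINVAL;
 
 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
-return false;
+return -EINVAL;
 tmp = info->target | EBT_VERDICT_BITS;
 if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT)
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_target ebt_snat_tg_reg __read_mostly = {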
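--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -254,14 +254,14 @@ static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
 struct ebt_ulog_info *uloginfo = par->targinfo;
 
 if (uloginfo->nlgroup > 31)
-return false;
+return -EINVAL;
 
 uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0';
 
 if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
 uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
 
-return true;
+return 0;
 }
 
 static struct xt_target ebt_ulog_tg_reg __read_mostly = {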
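--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -358,13 +358,13 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
 cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
 cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
 pr_info("unknown mode %u\n", cipinfo->hash_mode);
-return false;
+return -EINVAL;
 
 }
 if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
 e->ip.dst.s_addr == 0) {
 pr_info("Please specify destination IP\n");
-return false;
+return -EINVAL;
 }
 
 /* FIXME: further sanity checks */
@@ -374,20 +374,20 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
 if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
 pr_info("no config found for %pI4, need 'new'\n",
 &e->ip.dst.s_addr);
-return false;
+return -EINVAL;
 } else {
 struct net_device *dev;
 
 if (e->ip.iniface[0] == '\0') {
 pr_info("Please specify an interface name\n");
-return false;
+return -EINVAL;
 }
 
 dev = dev_get_by_name(&init_net, e->ip.iniface);
 if (!dev) {
 pr_info("no such interface %s\n",
 e->ip.iniface);
-return false;
+return -EINVAL;
 }
 
 config = clusterip_config_init(cipinfo,
@@ -395,7 +395,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
 if (!config) {
 pr_info("cannot allocate config\n");
 dev_put(dev);
-return false;
+return -EINVAL;
 }
 dev_mc_add(config->dev,config->clustermac, ETH_ALEN, 0);
 }
@@ -405,10 +405,10 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 /* drop reference count of cluster config when rule is deleted */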
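Review bot: Several failure paths in clusterip_tg_check return -EINVAL for conditions that are not invalid arguments: the `!config` branch, logged as "cannot allocate config", would more accurately be `return -ENOMEM;`, and the final `nf_ct_l3proto_try_module_get()` check discards the callee's error code where `ret = nf_ct_l3proto_try_module_get(par->family);` followed by `return ret;` would keep it. The same applies to the `kzalloc()` failure in led_tg_check (xt_LED.c), the module-get check in connsecmark_tg_check (xt_CONNSECMARK.c) and the shared `err1` exit in xt_ct_tg_check (xt_CT.c). Whether clusterip_config_init() can fail for reasons other than allocation is inferred from the log message only, and the function body extends beyond the visible hunks.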
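--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -100,18 +100,18 @@ static int ecn_tg_check(const struct xt_tgchk_param *par)
 
 if (einfo->operation & IPT_ECN_OP_MASK) {
 pr_info("unsupported ECN operation %x\n", einfo->operation);
-return false;
+return -EINVAL;
 }
 if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
 pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect);
-return false;
+return -EINVAL;
 }
 if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
 (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
 pr_info("cannot use TCP operations on a non-tcp rule\n");
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_target ecn_tg_reg __read_mostly = {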
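--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -445,13 +445,13 @@ static int log_tg_check(const struct xt_tgchk_param *par)
 
 if (loginfo->level >= 8) {
 pr_debug("level %u >= 8\n", loginfo->level);
-return false;
+return -EINVAL;
 }
 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
 pr_debug("prefix is not null-terminated\n");
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_target log_tg_reg __read_mostly = {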
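--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -34,13 +34,13 @@ static int masquerade_tg_check(const struct xt_tgchk_param *par)
 
 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
 pr_debug("bad MAP_IPS.\n");
-return false;
+return -EINVAL;
 }
 if (mr->rangesize != 1) {
 pr_debug("bad rangesize %u\n", mr->rangesize);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static unsigned int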
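--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -28,13 +28,13 @@ static int netmap_tg_check(const struct xt_tgchk_param *par)
 
 if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) {
 pr_debug("bad MAP_IPS.\n");
-return false;
+return -EINVAL;
 }
 if (mr->rangesize != 1) {
 pr_debug("bad rangesize %u.\n", mr->rangesize);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static unsigned int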
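--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -32,13 +32,13 @@ static int redirect_tg_check(const struct xt_tgchk_param *par)
 
 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
 pr_debug("bad MAP_IPS.\n");
-return false;
+return -EINVAL;
 }
 if (mr->rangesize != 1) {
 pr_debug("bad rangesize %u.\n", mr->rangesize);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static unsigned int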
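--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -181,16 +181,16 @@ static int reject_tg_check(const struct xt_tgchk_param *par)
 
 if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
 pr_info("ECHOREPLY no longer supported.\n");
-return false;
+return -EINVAL;
 } else if (rejinfo->with == IPT_TCP_RESET) {
 /* Must specify that it's a TCP packet */
 if (e->ip.proto != IPPROTO_TCP ||
 (e->ip.invflags & XT_INV_PROTO)) {
 pr_info("TCP_RESET invalid for non-tcp\n");
-return false;
+return -EINVAL;
 }
 }
-return true;
+return 0;
 }
 
 static struct xt_target reject_tg_reg __read_mostly = {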
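--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -313,14 +313,14 @@ static int ulog_tg_check(const struct xt_tgchk_param *par)
 
 if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
 pr_debug("prefix not null-terminated\n");
-return false;
+return -EINVAL;
 }
 if (loginfo->qthreshold > ULOG_MAX_QLEN) {
 pr_debug("queue threshold %Zu > MAX_QLEN\n",
 loginfo->qthreshold);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 #ifdef CONFIG_COMPAT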
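--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -81,9 +81,9 @@ static int ipt_snat_checkentry(const struct xt_tgchk_param *par)
 /* Must be a valid range */
 if (mr->rangesize != 1) {
 pr_info("SNAT: multiple ranges no longer supported\n");
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
@@ -93,9 +93,9 @@ static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
 /* Must be a valid range */
 if (mr->rangesize != 1) {
 pr_info("DNAT: multiple ranges no longer supported\n");
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 unsigned int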
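--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -457,13 +457,13 @@ static int log_tg6_check(const struct xt_tgchk_param *par)
 
 if (loginfo->level >= 8) {
 pr_debug("level %u >= 8\n", loginfo->level);
-return false;
+return -EINVAL;
 }
 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
 pr_debug("prefix not null-terminated\n");
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_target log_tg6_reg __read_mostly = {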
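--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -220,16 +220,16 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
 
 if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
 pr_info("ECHOREPLY is not supported.\n");
-return false;
+return -EINVAL;
 } else if (rejinfo->with == IP6T_TCP_RESET) {
 /* Must specify that it's a TCP packet */
 if (e->ipv6.proto != IPPROTO_TCP ||
 (e->ipv6.invflags & XT_INV_PROTO)) {
 pr_info("TCP_RESET illegal for non-tcp\n");
-return false;
+return -EINVAL;
 }
 }
-return true;
+return 0;
 }
 
 static struct xt_target reject_tg6_reg __read_mostly = {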
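--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -528,6 +528,8 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
 int xt_check_target(struct xt_tgchk_param *par,
 unsigned int size, u_int8_t proto, bool inv_proto)
 {
+int ret;
+
 if (XT_ALIGN(par->target->targetsize) != size) {
 pr_err("%s_tables: %s.%u target: invalid size "
 "%u (kernel) != (user) %u\n",
@@ -559,8 +561,14 @@ int xt_check_target(struct xt_tgchk_param *par,
 par->target->proto);
 return -EINVAL;
 }
-if (par->target->checkentry != NULL && !par->target->checkentry(par))
-return -EINVAL;
+if (par->target->checkentry != NULL) {
+ret = par->target->checkentry(par);
+if (ret < 0)
+return ret;
+else if (ret > 0)
+/* Flag up potential errors. */
+return -EIO;
+}
 return 0;
 }
 EXPORT_SYMBOL_GPL(xt_check_target);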
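Review bot: The new `ret > 0` branch in xt_check_target catches a checkentry that still returns `true`, but a checkentry that still returns `false` yields 0 and is now treated as success, so an unconverted rejection path fails open and cannot be detected at this call site. The comment `/* Flag up potential errors. */` does not say this; something like `/* Positive: unconverted bool checkentry returned true. A leftover 'return false' reads as success and must be found by audit. */` would tell the next reader what the guard does and does not cover. The multi-line `if`/`else if` bodies would also read more safely with braces. The middle of the function lies outside both hunks.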
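--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -92,7 +92,7 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
 strcmp(par->table, "security") != 0) {
 pr_info("target only valid in the \'mangle\' "
 "or \'security\' tables, not \'%s\'.\n", par->table);
-return false;
+return -EINVAL;
 }
 
 switch (info->mode) {
@@ -108,9 +108,9 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)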
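--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -62,7 +62,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
 u8 proto;
 
 if (info->flags & ~XT_CT_NOTRACK)
-return false;
+return -EINVAL;
 
 if (info->flags & XT_CT_NOTRACK) {
 ct = &nf_conntrack_untracked;
@@ -108,14 +108,14 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
 __set_bit(IPS_CONFIRMED_BIT, &ct->status);
 out:
 info->ct = ct;
-return true;
+return 0;
 
 err3:
 nf_conntrack_free(ct);
 err2:
 nf_ct_l3proto_module_put(par->family);
 err1:
-return false;
+return -EINVAL;
 }
 
 static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)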
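--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -66,9 +66,9 @@ static int dscp_tg_check(const struct xt_tgchk_param *par)
 
 if (info->dscp > XT_DSCP_MAX) {
 pr_info("dscp %x out of range\n", info->dscp);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static unsigned int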
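--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -110,8 +110,8 @@ static int ttl_tg_check(const struct xt_tgchk_param *par)
 return false;
 }
 if (info->mode != IPT_TTL_SET && info->ttl == 0)
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static int hl_tg6_check(const struct xt_tgchk_param *par)
@@ -120,14 +120,14 @@ static int hl_tg6_check(const struct xt_tgchk_param *par)
 
 if (info->mode > IP6T_HL_MAXMODE) {
 pr_info("invalid or unknown mode %u\n", info->mode);
-return false;
+return -EINVAL;
 }
 if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
 pr_info("increment/decrement does not "
 "make sense with value 0\n");
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_target hl_tg_reg[] __read_mostly = {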
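Review bot: ttl_tg_check still contains an unconverted `return false;` on the unchanged line 110, in the branch just above the converted lines; under the new convention that value is 0, so the rule is accepted instead of rejected. Judging by the parallel hl_tg6_check below, this is probably the invalid-mode check, which would let an out-of-range mode pass validation and reach the target function. It should read `return -EINVAL;` like the other failure paths. The condition guarding that branch starts outside the hunk, so confirm which check it belongs to.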
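--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -88,12 +88,12 @@ static int led_tg_check(const struct xt_tgchk_param *par)
 
 if (ledinfo->id[0] == '\0') {
 pr_info("No 'id' parameter given.\n");
-return false;
+return -EINVAL;
 }
 
 ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
 if (!ledinternal)
-return false;
+return -EINVAL;
 
 ledinternal->netfilter_led_trigger.name = ledinfo->id;
 
@@ -111,13 +111,11 @@ static int led_tg_check(const struct xt_tgchk_param *par)
 (unsigned long)ledinfo);
 
 ledinfo->internal_data = ledinternal;
-
-return true;
+return 0;
 
 exit_alloc:
 kfree(ledinternal);
-
-return false;
+return -EINVAL;
 }
 
 static void led_tg_destroy(const struct xt_tgdtor_param *par)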
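Review bot: The `kzalloc` failure branch in the first hunk of `led_tg_check` returns `-EINVAL`, so an out-of-memory condition is reported as a bad argument; now that the hook returns an error code it should read `if (!ledinternal) return -ENOMEM;`. The `exit_alloc:` path in the second hunk also returns a fixed `-EINVAL`; the call that jumps there lies between the two hunks and is not visible, but if it yields an errno, that value should be kept in a local and returned after the `kfree`. The same flattening appears at `err2:`/`err1:` in `xt_rateest_tg_checkentry` (xt_RATEEST.c), where a `kzalloc` call is visible but its failure branch is outside the hunks.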
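--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -42,10 +42,10 @@ static int nflog_tg_check(const struct xt_tgchk_param *par)
 const struct xt_nflog_info *info = par->targinfo;
 
 if (info->flags & ~XT_NFLOG_MASK)
-return false;
+return -EINVAL;
 if (info->prefix[sizeof(info->prefix) - 1] != '\0')
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_target nflog_tg_reg __read_mostly = {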
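--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -92,15 +92,15 @@ static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
 }
 if (info->queues_total == 0) {
 pr_err("NFQUEUE: number of total queues is 0\n");
-return false;
+return -EINVAL;
 }
 maxid = info->queues_total - 1 + info->queuenum;
 if (maxid > 0xffff) {
 pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n",
 info->queues_total, maxid);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_target nfqueue_tg_reg[] __read_mostly = {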
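Review bot: The `maxid > 0xffff` branch of `nfqueue_tg_v1_check` returns the same `-EINVAL` as the `queues_total == 0` branch, although it is a range violation rather than a malformed argument; `return -ERANGE;` there would let a caller tell the two apart without reading the kernel log. The declaration of `maxid` is above the hunk, so it is worth confirming that it is wide enough for `info->queues_total - 1 + info->queuenum` not to wrap before the comparison. The function starts outside the hunk.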
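--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -109,10 +109,10 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
 (info->interval != est->params.interval ||
 info->ewma_log != est->params.ewma_log)) {
 xt_rateest_put(est);
-return false;
+return -EINVAL;
 }
 info->est = est;
-return true;
+return 0;
 }
 
 est = kzalloc(sizeof(*est), GFP_KERNEL);
@@ -136,13 +136,12 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
 
 info->est = est;
 xt_rateest_hash_insert(est);
-
-return true;
+return 0;
 
 err2:
 kfree(est);
 err1:
-return false;
+return -EINVAL;
 }
 
 static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par)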
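--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -88,29 +88,29 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
 strcmp(par->table, "security") != 0) {
 pr_info("target only valid in the \'mangle\' "
 "or \'security\' tables, not \'%s\'.\n", par->table);
-return false;
+return -EINVAL;
 }
 
 if (mode && mode != info->mode) {
 pr_info("mode already set to %hu cannot mix with "
 "rules for mode %hu\n", mode, info->mode);
-return false;
+return -EINVAL;
 }
 
 switch (info->mode) {
 case SECMARK_MODE_SEL:
 if (!checkentry_selinux(info))
-return false;
+return -EINVAL;
 break;
 
 default:
 pr_info("invalid mode: %hu\n", info->mode);
-return false;
+return -EINVAL;
 }
 
 if (!mode)
 mode = info->mode;
-return true;
+return 0;
 }
 
 static void secmark_tg_destroy(const struct xt_tgdtor_param *par)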
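Review bot: `if (!checkentry_selinux(info)) return -EINVAL;` leaves the helper on the old boolean convention while its caller `secmark_tg_check` now returns an errno, so whatever made the helper fail is flattened to `-EINVAL`. The helper's body is not in this hunk; if it can fail for more than one reason, converting it to return `int` and propagating with `err = checkentry_selinux(info); if (err) return err;` would preserve the cause for the rule loader. `mode` is also read and assigned here (`if (!mode) mode = info->mode;`) with its declaration outside the hunk, so a comment at that declaration saying what serialises concurrent check calls would help. The function starts outside the hunk.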
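--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -246,13 +246,13 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
 (1 << NF_INET_POST_ROUTING))) != 0) {
 pr_info("path-MTU clamping only supported in "
 "FORWARD, OUTPUT and POSTROUTING hooks\n");
-return false;
+return -EINVAL;
 }
 xt_ematch_foreach(ematch, e)
 if (find_syn_match(ematch))
-return true;
+return 0;
 pr_info("Only works on TCP SYN packets\n");
-return false;
+return -EINVAL;
 }
 
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
@@ -268,13 +268,13 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
 (1 << NF_INET_POST_ROUTING))) != 0) {
 pr_info("path-MTU clamping only supported in "
 "FORWARD, OUTPUT and POSTROUTING hooks\n");
-return false;
+return -EINVAL;
 }
 xt_ematch_foreach(ematch, e)
 if (find_syn_match(ematch))
-return true;
+return 0;
 pr_info("Only works on TCP SYN packets\n");
-return false;
+return -EINVAL;
 }
 #endif
 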
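Review bot: In `tcpmss_tg4_check` and `tcpmss_tg6_check` the un-braced `xt_ematch_foreach(ematch, e)` body now returns `0` when `find_syn_match()` is true, so a truthy helper result maps to a zero return and the accept path is easy to misread as the failure path. Bracing the loop body and putting a comment such as `/* a SYN match is present: rule accepted */` above `return 0;` would make the polarity explicit in both functions. Both functions start outside their hunks.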
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c index 189df9af4de..4f246ddc5c4 100644 --- a/net/netfilter/xt_TPROXY.c +++ b/net/netfilter/xt_TPROXY.c | |||
@@ -65,11 +65,11 @@ static int tproxy_tg_check(const struct xt_tgchk_param *par) | |||
65 | 65 | ||
66 | if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) | 66 | if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) |
67 | && !(i->invflags & IPT_INV_PROTO)) | 67 | && !(i->invflags & IPT_INV_PROTO)) |
68 | return true; | 68 | return 0; |
69 | 69 | ||
70 | pr_info("Can be used only in combination with " | 70 | pr_info("Can be used only in combination with " |
71 | "either -p tcp or -p udp\n"); | 71 | "either -p tcp or -p udp\n"); |
72 | return false; | 72 | return -EINVAL; |
73 | } | 73 | } |
74 | 74 | ||
75 | static struct xt_target tproxy_tg_reg __read_mostly = { | 75 | static struct xt_target tproxy_tg_reg __read_mostly = { |