3 files changed, 63 insertions, 66 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index ecba246dc2a..7505dff4ffd 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -313,23 +313,24 @@ unsigned int arpt_do_table(struct sk_buff *skb,
                        }
                        e = get_entry(table_base, v);
-                } else {
+                        continue;
-                        /* Targets which reenter must return
-                         * abs. verdicts
-                         */
-                        tgpar.target   = t->u.kernel.target;
-                        tgpar.targinfo = t->data;
-                        verdict = t->u.kernel.target->target(skb, &tgpar);
-                        /* Target might have changed stuff. */
-                        arp = arp_hdr(skb);
-                        if (verdict == ARPT_CONTINUE)
-                                e = arpt_next_entry(e);
-                        else
-                                /* Verdict */
-                                break;
                }
+                /* Targets which reenter must return
+                 * abs. verdicts
+                 */
+                tgpar.target   = t->u.kernel.target;
+                tgpar.targinfo = t->data;
+                verdict = t->u.kernel.target->target(skb, &tgpar);
+                /* Target might have changed stuff. */
+                arp = arp_hdr(skb);
+                if (verdict == ARPT_CONTINUE)
+                        e = arpt_next_entry(e);
+                else
+                        /* Verdict */
+                        break;
        } while (!hotdrop);
        xt_info_rdunlock_bh();
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index cfcb7af9172..d91ecd4c264 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -402,37 +402,35 @@ ipt_do_table(struct sk_buff *skb,
                        }
                        e = get_entry(table_base, v);
-                } else {
+                        continue;
-                        /* Targets which reenter must return
+                }
-                           abs. verdicts */
-                        tgpar.target   = t->u.kernel.target;
+                /* Targets which reenter must return
-                        tgpar.targinfo = t->data;
+                   abs. verdicts */
+                tgpar.target   = t->u.kernel.target;
+                tgpar.targinfo = t->data;
 #ifdef CONFIG_NETFILTER_DEBUG
-                        ((struct ipt_entry *)table_base)->comefrom
+                ((struct ipt_entry *)table_base)->comefrom = 0xeeeeeeec;
-                                = 0xeeeeeeec;
 #endif
-                        verdict = t->u.kernel.target->target(skb, &tgpar);
+                verdict = t->u.kernel.target->target(skb, &tgpar);
 #ifdef CONFIG_NETFILTER_DEBUG
-                        if (((struct ipt_entry *)table_base)->comefrom
+                if (((struct ipt_entry *)table_base)->comefrom != 0xeeeeeeec &&
-                            != 0xeeeeeeec
+                    verdict == IPT_CONTINUE) {
-                            && verdict == IPT_CONTINUE) {
+                        printk("Target %s reentered!\n",
-                                printk("Target %s reentered!\n",
+                               t->u.kernel.target->name);
-                                       t->u.kernel.target->name);
+                        verdict = NF_DROP;
-                                verdict = NF_DROP;
-                        }
-                        ((struct ipt_entry *)table_base)->comefrom
-                                = 0x57acc001;
-#endif
-                        /* Target might have changed stuff. */
-                        ip = ip_hdr(skb);
-                        datalen = skb->len - ip->ihl * 4;
-                        if (verdict == IPT_CONTINUE)
-                                e = ipt_next_entry(e);
-                        else
-                                /* Verdict */
-                                break;
                }
+                ((struct ipt_entry *)table_base)->comefrom = 0x57acc001;
+#endif
+                /* Target might have changed stuff. */
+                ip = ip_hdr(skb);
+                datalen = skb->len - ip->ihl * 4;
+                if (verdict == IPT_CONTINUE)
+                        e = ipt_next_entry(e);
+                else
+                        /* Verdict */
+                        break;
        } while (!hotdrop);
        xt_info_rdunlock_bh();
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index d01b8a39fbd..5a178be6c8c 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -431,35 +431,33 @@ ip6t_do_table(struct sk_buff *skb,
                        }
                        e = get_entry(table_base, v);
-                } else {
+                        continue;
-                        /* Targets which reenter must return
+                }
-                           abs. verdicts */
-                        tgpar.target   = t->u.kernel.target;
+                /* Targets which reenter must return
-                        tgpar.targinfo = t->data;
+                   abs. verdicts */
+                tgpar.target   = t->u.kernel.target;
+                tgpar.targinfo = t->data;
 #ifdef CONFIG_NETFILTER_DEBUG
-                        ((struct ip6t_entry *)table_base)->comefrom
+                ((struct ip6t_entry *)table_base)->comefrom = 0xeeeeeeec;
-                                = 0xeeeeeeec;
 #endif
-                        verdict = t->u.kernel.target->target(skb, &tgpar);
+                verdict = t->u.kernel.target->target(skb, &tgpar);
 #ifdef CONFIG_NETFILTER_DEBUG
-                        if (((struct ip6t_entry *)table_base)->comefrom
+                if (((struct ip6t_entry *)table_base)->comefrom != 0xeeeeeeec &&
-                            != 0xeeeeeeec
+                    verdict == IP6T_CONTINUE) {
-                            && verdict == IP6T_CONTINUE) {
+                        printk("Target %s reentered!\n",
-                                printk("Target %s reentered!\n",
+                               t->u.kernel.target->name);
-                                       t->u.kernel.target->name);
+                        verdict = NF_DROP;
-                                verdict = NF_DROP;
-                        }
-                        ((struct ip6t_entry *)table_base)->comefrom
-                                = 0x57acc001;
-#endif
-                        if (verdict == IP6T_CONTINUE)
-                                e = ip6t_next_entry(e);
-                        else
-                                /* Verdict */
-                                break;
                }
+                ((struct ip6t_entry *)table_base)->comefrom = 0x57acc001;
+#endif
+                if (verdict == IP6T_CONTINUE)
+                        e = ip6t_next_entry(e);
+                else
+                        /* Verdict */
+                        break;
        } while (!hotdrop);
 #ifdef CONFIG_NETFILTER_DEBUG

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index ecba246dc2a..7505dff4ffd 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c
@@ -313,23 +313,24 @@ unsigned int arpt_do_table(struct sk_buff *skb,
313	}	313	}
314		314
315	e = get_entry(table_base, v);	315	e = get_entry(table_base, v);
316	} else {	316	continue;
317	/* Targets which reenter must return
318	* abs. verdicts
319	*/
320	tgpar.target = t->u.kernel.target;
321	tgpar.targinfo = t->data;
322	verdict = t->u.kernel.target->target(skb, &tgpar);
323
324	/* Target might have changed stuff. */
325	arp = arp_hdr(skb);
326
327	if (verdict == ARPT_CONTINUE)
328	e = arpt_next_entry(e);
329	else
330	/* Verdict */
331	break;
332	}	317	}
		318
		319	/* Targets which reenter must return
		320	* abs. verdicts
		321	*/
		322	tgpar.target = t->u.kernel.target;
		323	tgpar.targinfo = t->data;
		324	verdict = t->u.kernel.target->target(skb, &tgpar);
		325
		326	/* Target might have changed stuff. */
		327	arp = arp_hdr(skb);
		328
		329	if (verdict == ARPT_CONTINUE)
		330	e = arpt_next_entry(e);
		331	else
		332	/* Verdict */
		333	break;
333	} while (!hotdrop);	334	} while (!hotdrop);
334	xt_info_rdunlock_bh();	335	xt_info_rdunlock_bh();
335		336


diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index cfcb7af9172..d91ecd4c264 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c
@@ -402,37 +402,35 @@ ipt_do_table(struct sk_buff *skb,
402	}	402	}
403		403
404	e = get_entry(table_base, v);	404	e = get_entry(table_base, v);
405	} else {	405	continue;
406	/* Targets which reenter must return	406	}
407	abs. verdicts */	407
408	tgpar.target = t->u.kernel.target;	408	/* Targets which reenter must return
409	tgpar.targinfo = t->data;	409	abs. verdicts */
		410	tgpar.target = t->u.kernel.target;
		411	tgpar.targinfo = t->data;
410	#ifdef CONFIG_NETFILTER_DEBUG	412	#ifdef CONFIG_NETFILTER_DEBUG
411	((struct ipt_entry *)table_base)->comefrom	413	((struct ipt_entry *)table_base)->comefrom = 0xeeeeeeec;
412	= 0xeeeeeeec;
413	#endif	414	#endif
414	verdict = t->u.kernel.target->target(skb, &tgpar);	415	verdict = t->u.kernel.target->target(skb, &tgpar);
415	#ifdef CONFIG_NETFILTER_DEBUG	416	#ifdef CONFIG_NETFILTER_DEBUG
416	if (((struct ipt_entry *)table_base)->comefrom	417	if (((struct ipt_entry *)table_base)->comefrom != 0xeeeeeeec &&
417	!= 0xeeeeeeec	418	verdict == IPT_CONTINUE) {
418	&& verdict == IPT_CONTINUE) {	419	printk("Target %s reentered!\n",
419	printk("Target %s reentered!\n",	420	t->u.kernel.target->name);
420	t->u.kernel.target->name);	421	verdict = NF_DROP;
421	verdict = NF_DROP;
422	}
423	((struct ipt_entry *)table_base)->comefrom
424	= 0x57acc001;
425	#endif
426	/* Target might have changed stuff. */
427	ip = ip_hdr(skb);
428	datalen = skb->len - ip->ihl * 4;
429
430	if (verdict == IPT_CONTINUE)
431	e = ipt_next_entry(e);
432	else
433	/* Verdict */
434	break;
435	}	422	}
		423	((struct ipt_entry *)table_base)->comefrom = 0x57acc001;
		424	#endif
		425	/* Target might have changed stuff. */
		426	ip = ip_hdr(skb);
		427	datalen = skb->len - ip->ihl * 4;
		428
		429	if (verdict == IPT_CONTINUE)
		430	e = ipt_next_entry(e);
		431	else
		432	/* Verdict */
		433	break;
436	} while (!hotdrop);	434	} while (!hotdrop);
437	xt_info_rdunlock_bh();	435	xt_info_rdunlock_bh();
438		436


diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index d01b8a39fbd..5a178be6c8c 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c
@@ -431,35 +431,33 @@ ip6t_do_table(struct sk_buff *skb,
431	}	431	}
432		432
433	e = get_entry(table_base, v);	433	e = get_entry(table_base, v);
434	} else {	434	continue;
435	/* Targets which reenter must return	435	}
436	abs. verdicts */	436
437	tgpar.target = t->u.kernel.target;	437	/* Targets which reenter must return
438	tgpar.targinfo = t->data;	438	abs. verdicts */
		439	tgpar.target = t->u.kernel.target;
		440	tgpar.targinfo = t->data;
439		441
440	#ifdef CONFIG_NETFILTER_DEBUG	442	#ifdef CONFIG_NETFILTER_DEBUG
441	((struct ip6t_entry *)table_base)->comefrom	443	((struct ip6t_entry *)table_base)->comefrom = 0xeeeeeeec;
442	= 0xeeeeeeec;
443	#endif	444	#endif
444	verdict = t->u.kernel.target->target(skb, &tgpar);	445	verdict = t->u.kernel.target->target(skb, &tgpar);
445		446
446	#ifdef CONFIG_NETFILTER_DEBUG	447	#ifdef CONFIG_NETFILTER_DEBUG
447	if (((struct ip6t_entry *)table_base)->comefrom	448	if (((struct ip6t_entry *)table_base)->comefrom != 0xeeeeeeec &&
448	!= 0xeeeeeeec	449	verdict == IP6T_CONTINUE) {
449	&& verdict == IP6T_CONTINUE) {	450	printk("Target %s reentered!\n",
450	printk("Target %s reentered!\n",	451	t->u.kernel.target->name);
451	t->u.kernel.target->name);	452	verdict = NF_DROP;
452	verdict = NF_DROP;
453	}
454	((struct ip6t_entry *)table_base)->comefrom
455	= 0x57acc001;
456	#endif
457	if (verdict == IP6T_CONTINUE)
458	e = ip6t_next_entry(e);
459	else
460	/* Verdict */
461	break;
462	}	453	}
		454	((struct ip6t_entry *)table_base)->comefrom = 0x57acc001;
		455	#endif
		456	if (verdict == IP6T_CONTINUE)
		457	e = ip6t_next_entry(e);
		458	else
		459	/* Verdict */
		460	break;
463	} while (!hotdrop);	461	} while (!hotdrop);
464		462
465	#ifdef CONFIG_NETFILTER_DEBUG	463	#ifdef CONFIG_NETFILTER_DEBUG