-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c11
-rw-r--r--net/ipv4/netfilter/ipt_ECN.c4
-rw-r--r--net/ipv4/netfilter/ipt_TTL.c2
-rw-r--r--net/ipv4/netfilter/ipt_ULOG.c9
-rw-r--r--net/ipv4/netfilter/ipt_iprange.c8
-rw-r--r--net/ipv4/netfilter/ipt_recent.c9
-rw-r--r--net/ipv4/netfilter/ipt_ttl.c12
-rw-r--r--net/ipv6/netfilter/ip6t_HL.c2
-rw-r--r--net/ipv6/netfilter/ip6t_REJECT.c2
-rw-r--r--net/ipv6/netfilter/ip6t_ah.c12
-rw-r--r--net/ipv6/netfilter/ip6t_eui64.c6
-rw-r--r--net/ipv6/netfilter/ip6t_frag.c18
-rw-r--r--net/ipv6/netfilter/ip6t_hbh.c2
-rw-r--r--net/ipv6/netfilter/ip6t_hl.c8
-rw-r--r--net/ipv6/netfilter/ip6t_ipv6header.c6
-rw-r--r--net/ipv6/netfilter/ip6t_owner.c6
-rw-r--r--net/ipv6/netfilter/ip6t_rt.c16
-rw-r--r--net/netfilter/xt_DSCP.c2
-rw-r--r--net/netfilter/xt_TCPMSS.c4
-rw-r--r--net/netfilter/xt_connbytes.c4
-rw-r--r--net/netfilter/xt_connmark.c2
-rw-r--r--net/netfilter/xt_dccp.c10
-rw-r--r--net/netfilter/xt_hashlimit.c2
-rw-r--r--net/netfilter/xt_length.c4
-rw-r--r--net/netfilter/xt_mac.c10
-rw-r--r--net/netfilter/xt_pkttype.c4
-rw-r--r--net/netfilter/xt_sctp.c23
-rw-r--r--net/netfilter/xt_tcpudp.c2
28 files changed, 90 insertions, 110 deletions
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 2de7ae0180a..5de13b44b1c 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -122,9 +122,8 @@ __clusterip_config_find(__be32 clusterip)
122 list_for_each(pos, &clusterip_configs) { 122 list_for_each(pos, &clusterip_configs) {
123 struct clusterip_config *c = list_entry(pos, 123 struct clusterip_config *c = list_entry(pos,
124 struct clusterip_config, list); 124 struct clusterip_config, list);
125 if (c->clusterip == clusterip) { 125 if (c->clusterip == clusterip)
126 return c; 126 return c;
127 }
128 } 127 }
129 128
130 return NULL; 129 return NULL;
@@ -155,9 +154,8 @@ clusterip_config_init_nodelist(struct clusterip_config *c,
155{ 154{
156 int n; 155 int n;
157 156
158 for (n = 0; n < i->num_local_nodes; n++) { 157 for (n = 0; n < i->num_local_nodes; n++)
159 set_bit(i->local_nodes[n] - 1, &c->local_nodes); 158 set_bit(i->local_nodes[n] - 1, &c->local_nodes);
160 }
161} 159}
162 160
163static struct clusterip_config * 161static struct clusterip_config *
@@ -255,10 +253,9 @@ clusterip_hashfn(const struct sk_buff *skb,
255 dport = ports[1]; 253 dport = ports[1];
256 break; 254 break;
257 default: 255 default:
258 if (net_ratelimit()) { 256 if (net_ratelimit())
259 printk(KERN_NOTICE "CLUSTERIP: unknown protocol `%u'\n", 257 printk(KERN_NOTICE "CLUSTERIP: unknown protocol `%u'\n",
260 iph->protocol); 258 iph->protocol);
261 }
262 sport = dport = 0; 259 sport = dport = 0;
263 } 260 }
264 261
@@ -286,7 +283,7 @@ clusterip_hashfn(const struct sk_buff *skb,
286 } 283 }
287 284
288 /* node numbers are 1..n, not 0..n */ 285 /* node numbers are 1..n, not 0..n */
289 return ((hashval % config->num_total_nodes)+1); 286 return (hashval % config->num_total_nodes) + 1;
290} 287}
291 288
292static inline int 289static inline int
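Review bot: In clusterip_config_init_nodelist (new line 158) `i->local_nodes[n] - 1` is passed to set_bit() with no range check visible in the hunk, so an entry of 0 gives bit index -1 and an oversized entry addresses memory beyond `c->local_nodes`. `i` appears to be the rule's target info, so these values originate from userspace. If the checkentry path (outside this hunk) already rejects entries outside 1..num_total_nodes, say so in a comment here, e.g. `/* entries validated to 1..num_total_nodes in checkentry */`; otherwise add that validation before the loop runs. The same applies to `hashval % config->num_total_nodes` at new line 286, which needs num_total_nodes to be non-zero.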
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 02367012fc7..a647c1db86d 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -58,8 +58,8 @@ set_ect_tcp(struct sk_buff **pskb, const struct ipt_ECN_info *einfo)
58 58
59 if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) || 59 if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) ||
60 tcph->ece == einfo->proto.tcp.ece) && 60 tcph->ece == einfo->proto.tcp.ece) &&
61 ((!(einfo->operation & IPT_ECN_OP_SET_CWR) || 61 (!(einfo->operation & IPT_ECN_OP_SET_CWR) ||
62 tcph->cwr == einfo->proto.tcp.cwr))) 62 tcph->cwr == einfo->proto.tcp.cwr))
63 return true; 63 return true;
64 64
65 if (!skb_make_writable(pskb, ip_hdrlen(*pskb) + sizeof(*tcph))) 65 if (!skb_make_writable(pskb, ip_hdrlen(*pskb) + sizeof(*tcph)))
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
index f53f2c4ca4a..737830b68ad 100644
--- a/net/ipv4/netfilter/ipt_TTL.c
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -75,7 +75,7 @@ static bool ipt_ttl_checkentry(const char *tablename,
75 info->mode); 75 info->mode);
76 return false; 76 return false;
77 } 77 }
78 if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) 78 if (info->mode != IPT_TTL_SET && info->ttl == 0)
79 return false; 79 return false;
80 return true; 80 return true;
81} 81}
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 282eb00fc47..5b25ca68878 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -179,12 +179,10 @@ static void ipt_ulog_packet(unsigned int hooknum,
179 unsigned int groupnum = ffs(loginfo->nl_group) - 1; 179 unsigned int groupnum = ffs(loginfo->nl_group) - 1;
180 180
181 /* calculate the size of the skb needed */ 181 /* calculate the size of the skb needed */
182 if ((loginfo->copy_range == 0) || 182 if (loginfo->copy_range == 0 || loginfo->copy_range > skb->len)
183 (loginfo->copy_range > skb->len)) {
184 copy_len = skb->len; 183 copy_len = skb->len;
185 } else { 184 else
186 copy_len = loginfo->copy_range; 185 copy_len = loginfo->copy_range;
187 }
188 186
189 size = NLMSG_SPACE(sizeof(*pm) + copy_len); 187 size = NLMSG_SPACE(sizeof(*pm) + copy_len);
190 188
@@ -257,9 +255,8 @@ static void ipt_ulog_packet(unsigned int hooknum,
257 BUG(); 255 BUG();
258 256
259 /* check if we are building multi-part messages */ 257 /* check if we are building multi-part messages */
260 if (ub->qlen > 1) { 258 if (ub->qlen > 1)
261 ub->lastnlh->nlmsg_flags |= NLM_F_MULTI; 259 ub->lastnlh->nlmsg_flags |= NLM_F_MULTI;
262 }
263 260
264 ub->lastnlh = nlh; 261 ub->lastnlh = nlh;
265 262
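Review bot: `unsigned int groupnum = ffs(loginfo->nl_group) - 1;` at line 179 wraps to the maximum unsigned value when `nl_group` is 0, because ffs(0) returns 0. If groupnum is then used to select the per-group buffer `ub` (that use is outside the hunk), the index is far out of range. Either reject `nl_group == 0` when the rule is checked, or guard it here with `if (!loginfo->nl_group) return;` after the declarations. ipt_ulog_packet starts and ends outside both hunks, so an existing check may simply not be visible.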
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/ipv4/netfilter/ipt_iprange.c
index b266d98aac8..854281c6200 100644
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ b/net/ipv4/netfilter/ipt_iprange.c
@@ -35,8 +35,8 @@ match(const struct sk_buff *skb,
35 const struct iphdr *iph = ip_hdr(skb); 35 const struct iphdr *iph = ip_hdr(skb);
36 36
37 if (info->flags & IPRANGE_SRC) { 37 if (info->flags & IPRANGE_SRC) {
38 if (((ntohl(iph->saddr) < ntohl(info->src.min_ip)) 38 if ((ntohl(iph->saddr) < ntohl(info->src.min_ip)
39 || (ntohl(iph->saddr) > ntohl(info->src.max_ip))) 39 || ntohl(iph->saddr) > ntohl(info->src.max_ip))
40 ^ !!(info->flags & IPRANGE_SRC_INV)) { 40 ^ !!(info->flags & IPRANGE_SRC_INV)) {
41 DEBUGP("src IP %u.%u.%u.%u NOT in range %s" 41 DEBUGP("src IP %u.%u.%u.%u NOT in range %s"
42 "%u.%u.%u.%u-%u.%u.%u.%u\n", 42 "%u.%u.%u.%u-%u.%u.%u.%u\n",
@@ -48,8 +48,8 @@ match(const struct sk_buff *skb,
48 } 48 }
49 } 49 }
50 if (info->flags & IPRANGE_DST) { 50 if (info->flags & IPRANGE_DST) {
51 if (((ntohl(iph->daddr) < ntohl(info->dst.min_ip)) 51 if ((ntohl(iph->daddr) < ntohl(info->dst.min_ip)
52 || (ntohl(iph->daddr) > ntohl(info->dst.max_ip))) 52 || ntohl(iph->daddr) > ntohl(info->dst.max_ip))
53 ^ !!(info->flags & IPRANGE_DST_INV)) { 53 ^ !!(info->flags & IPRANGE_DST_INV)) {
54 DEBUGP("dst IP %u.%u.%u.%u NOT in range %s" 54 DEBUGP("dst IP %u.%u.%u.%u NOT in range %s"
55 "%u.%u.%u.%u-%u.%u.%u.%u\n", 55 "%u.%u.%u.%u-%u.%u.%u.%u\n",
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index d03e6a6eb76..68f7181e412 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -163,10 +163,9 @@ static void recent_table_flush(struct recent_table *t)
163 struct recent_entry *e, *next; 163 struct recent_entry *e, *next;
164 unsigned int i; 164 unsigned int i;
165 165
166 for (i = 0; i < ip_list_hash_size; i++) { 166 for (i = 0; i < ip_list_hash_size; i++)
167 list_for_each_entry_safe(e, next, &t->iphash[i], list) 167 list_for_each_entry_safe(e, next, &t->iphash[i], list)
168 recent_entry_remove(t, e); 168 recent_entry_remove(t, e);
169 }
170} 169}
171 170
172static bool 171static bool
@@ -329,12 +328,10 @@ static void *recent_seq_start(struct seq_file *seq, loff_t *pos)
329 328
330 spin_lock_bh(&recent_lock); 329 spin_lock_bh(&recent_lock);
331 330
332 for (st->bucket = 0; st->bucket < ip_list_hash_size; st->bucket++) { 331 for (st->bucket = 0; st->bucket < ip_list_hash_size; st->bucket++)
333 list_for_each_entry(e, &t->iphash[st->bucket], list) { 332 list_for_each_entry(e, &t->iphash[st->bucket], list)
334 if (p-- == 0) 333 if (p-- == 0)
335 return e; 334 return e;
336 }
337 }
338 return NULL; 335 return NULL;
339} 336}
340 337
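Review bot: In recent_seq_start (new lines 331-334) the outer `for` now has an unbraced body that is itself a `list_for_each_entry` macro loop containing an unbraced `if`, giving three nested levels without a brace. That is legal, but a statement or `else` added later will silently bind to the wrong level, and the macro hides that the middle level is a loop. I would keep the braces on the two loops, `for (...) {` and `list_for_each_entry(e, &t->iphash[st->bucket], list) {`, and drop them only on the innermost single statement. The same shape is introduced in recent_table_flush in this file, in match() of ip6t_owner.c (an `if` nested under an unbraced `if`) and in match_flags() of xt_sctp.c.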
diff --git a/net/ipv4/netfilter/ipt_ttl.c b/net/ipv4/netfilter/ipt_ttl.c
index 82fe4ea8ab7..59a644db4d7 100644
--- a/net/ipv4/netfilter/ipt_ttl.c
+++ b/net/ipv4/netfilter/ipt_ttl.c
@@ -28,17 +28,13 @@ static bool match(const struct sk_buff *skb,
28 28
29 switch (info->mode) { 29 switch (info->mode) {
30 case IPT_TTL_EQ: 30 case IPT_TTL_EQ:
31 return (ttl == info->ttl); 31 return ttl == info->ttl;
32 break;
33 case IPT_TTL_NE: 32 case IPT_TTL_NE:
34 return (!(ttl == info->ttl)); 33 return ttl != info->ttl;
35 break;
36 case IPT_TTL_LT: 34 case IPT_TTL_LT:
37 return (ttl < info->ttl); 35 return ttl < info->ttl;
38 break;
39 case IPT_TTL_GT: 36 case IPT_TTL_GT:
40 return (ttl > info->ttl); 37 return ttl > info->ttl;
41 break;
42 default: 38 default:
43 printk(KERN_WARNING "ipt_ttl: unknown mode %d\n", 39 printk(KERN_WARNING "ipt_ttl: unknown mode %d\n",
44 info->mode); 40 info->mode);
diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c
index 20047ff5492..33c4cb8a5c4 100644
--- a/net/ipv6/netfilter/ip6t_HL.c
+++ b/net/ipv6/netfilter/ip6t_HL.c
@@ -71,7 +71,7 @@ static bool ip6t_hl_checkentry(const char *tablename,
71 info->mode); 71 info->mode);
72 return false; 72 return false;
73 } 73 }
74 if ((info->mode != IP6T_HL_SET) && (info->hop_limit == 0)) { 74 if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
75 printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't " 75 printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't "
76 "make sense with value 0\n"); 76 "make sense with value 0\n");
77 return false; 77 return false;
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 4df07f0adf1..0fa1f2cf9fb 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -69,7 +69,7 @@ static void send_reset(struct sk_buff *oldskb)
69 otcplen = oldskb->len - tcphoff; 69 otcplen = oldskb->len - tcphoff;
70 70
71 /* IP header checks: fragment, too short. */ 71 /* IP header checks: fragment, too short. */
72 if ((proto != IPPROTO_TCP) || (otcplen < sizeof(struct tcphdr))) { 72 if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) {
73 DEBUGP("ip6t_REJECT: proto(%d) != IPPROTO_TCP, or too short. otcplen = %d\n", 73 DEBUGP("ip6t_REJECT: proto(%d) != IPPROTO_TCP, or too short. otcplen = %d\n",
74 proto, otcplen); 74 proto, otcplen);
75 return; 75 return;
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index b4b1d282761..fbf3d7748dc 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -78,9 +78,9 @@ match(const struct sk_buff *skb,
78 DEBUGP("SPI %u %08X\n", ntohl(ah->spi), ntohl(ah->spi)); 78 DEBUGP("SPI %u %08X\n", ntohl(ah->spi), ntohl(ah->spi));
79 79
80 DEBUGP("IPv6 AH spi %02X ", 80 DEBUGP("IPv6 AH spi %02X ",
81 (spi_match(ahinfo->spis[0], ahinfo->spis[1], 81 spi_match(ahinfo->spis[0], ahinfo->spis[1],
82 ntohl(ah->spi), 82 ntohl(ah->spi),
83 !!(ahinfo->invflags & IP6T_AH_INV_SPI)))); 83 !!(ahinfo->invflags & IP6T_AH_INV_SPI)));
84 DEBUGP("len %02X %04X %02X ", 84 DEBUGP("len %02X %04X %02X ",
85 ahinfo->hdrlen, hdrlen, 85 ahinfo->hdrlen, hdrlen,
86 (!ahinfo->hdrlen || 86 (!ahinfo->hdrlen ||
@@ -92,9 +92,9 @@ match(const struct sk_buff *skb,
92 92
93 return (ah != NULL) 93 return (ah != NULL)
94 && 94 &&
95 (spi_match(ahinfo->spis[0], ahinfo->spis[1], 95 spi_match(ahinfo->spis[0], ahinfo->spis[1],
96 ntohl(ah->spi), 96 ntohl(ah->spi),
97 !!(ahinfo->invflags & IP6T_AH_INV_SPI))) 97 !!(ahinfo->invflags & IP6T_AH_INV_SPI))
98 && 98 &&
99 (!ahinfo->hdrlen || 99 (!ahinfo->hdrlen ||
100 (ahinfo->hdrlen == hdrlen) ^ 100 (ahinfo->hdrlen == hdrlen) ^
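Review bot: The `(ah != NULL)` term that opens the return expression at line 93 is evaluated only after `ah->spi` has already been read by the DEBUGP call at line 78, so it is either dead code or too late whenever DEBUGP is compiled in. Presumably the skb_header_pointer() result is checked earlier in match(), outside this hunk; if so, this cleanup could drop `(ah != NULL) &&` or add `/* ah checked non-NULL above */`. ip6t_frag.c has the same pattern with `(fh != NULL)` at line 104 after DEBUGP reads `fh->identification`.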
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index bebb12a1d0e..2af99fc6bdc 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -33,7 +33,7 @@ match(const struct sk_buff *skb,
33 int i = 0; 33 int i = 0;
34 34
35 if (!(skb_mac_header(skb) >= skb->head && 35 if (!(skb_mac_header(skb) >= skb->head &&
36 (skb_mac_header(skb) + ETH_HLEN) <= skb->data) && 36 skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
37 offset != 0) { 37 offset != 0) {
38 *hotdrop = true; 38 *hotdrop = true;
39 return false; 39 return false;
@@ -50,8 +50,8 @@ match(const struct sk_buff *skb,
50 eui64[0] |= 0x02; 50 eui64[0] |= 0x02;
51 51
52 i = 0; 52 i = 0;
53 while ((ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i]) 53 while (ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i]
54 && (i < 8)) 54 && i < 8)
55 i++; 55 i++;
56 56
57 if (i == 8) 57 if (i == 8)
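Review bot: The loop condition at new lines 53-54 reads `s6_addr[8 + i]` and `eui64[i]` before it tests `i < 8`, so when all eight bytes match, the final evaluation indexes `s6_addr[16]` and `eui64[8]`, one element past each array. Put the bound first so that short-circuit evaluation protects the reads: `while (i < 8 && ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i])`. The declaration of `eui64` is outside the hunk; I am assuming it is an 8-byte array, as the `i == 8` test suggests.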
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index e0e416bb284..65482af711d 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -77,35 +77,35 @@ match(const struct sk_buff *skb,
77 ntohl(fh->identification)); 77 ntohl(fh->identification));
78 78
79 DEBUGP("IPv6 FRAG id %02X ", 79 DEBUGP("IPv6 FRAG id %02X ",
80 (id_match(fraginfo->ids[0], fraginfo->ids[1], 80 id_match(fraginfo->ids[0], fraginfo->ids[1],
81 ntohl(fh->identification), 81 ntohl(fh->identification),
82 !!(fraginfo->invflags & IP6T_FRAG_INV_IDS)))); 82 !!(fraginfo->invflags & IP6T_FRAG_INV_IDS)));
83 DEBUGP("res %02X %02X%04X %02X ", 83 DEBUGP("res %02X %02X%04X %02X ",
84 (fraginfo->flags & IP6T_FRAG_RES), fh->reserved, 84 fraginfo->flags & IP6T_FRAG_RES, fh->reserved,
85 ntohs(fh->frag_off) & 0x6, 85 ntohs(fh->frag_off) & 0x6,
86 !((fraginfo->flags & IP6T_FRAG_RES) 86 !((fraginfo->flags & IP6T_FRAG_RES)
87 && (fh->reserved || (ntohs(fh->frag_off) & 0x06)))); 87 && (fh->reserved || (ntohs(fh->frag_off) & 0x06))));
88 DEBUGP("first %02X %02X %02X ", 88 DEBUGP("first %02X %02X %02X ",
89 (fraginfo->flags & IP6T_FRAG_FST), 89 fraginfo->flags & IP6T_FRAG_FST,
90 ntohs(fh->frag_off) & ~0x7, 90 ntohs(fh->frag_off) & ~0x7,
91 !((fraginfo->flags & IP6T_FRAG_FST) 91 !((fraginfo->flags & IP6T_FRAG_FST)
92 && (ntohs(fh->frag_off) & ~0x7))); 92 && (ntohs(fh->frag_off) & ~0x7)));
93 DEBUGP("mf %02X %02X %02X ", 93 DEBUGP("mf %02X %02X %02X ",
94 (fraginfo->flags & IP6T_FRAG_MF), 94 fraginfo->flags & IP6T_FRAG_MF,
95 ntohs(fh->frag_off) & IP6_MF, 95 ntohs(fh->frag_off) & IP6_MF,
96 !((fraginfo->flags & IP6T_FRAG_MF) 96 !((fraginfo->flags & IP6T_FRAG_MF)
97 && !((ntohs(fh->frag_off) & IP6_MF)))); 97 && !((ntohs(fh->frag_off) & IP6_MF))));
98 DEBUGP("last %02X %02X %02X\n", 98 DEBUGP("last %02X %02X %02X\n",
99 (fraginfo->flags & IP6T_FRAG_NMF), 99 fraginfo->flags & IP6T_FRAG_NMF,
100 ntohs(fh->frag_off) & IP6_MF, 100 ntohs(fh->frag_off) & IP6_MF,
101 !((fraginfo->flags & IP6T_FRAG_NMF) 101 !((fraginfo->flags & IP6T_FRAG_NMF)
102 && (ntohs(fh->frag_off) & IP6_MF))); 102 && (ntohs(fh->frag_off) & IP6_MF)));
103 103
104 return (fh != NULL) 104 return (fh != NULL)
105 && 105 &&
106 (id_match(fraginfo->ids[0], fraginfo->ids[1], 106 id_match(fraginfo->ids[0], fraginfo->ids[1],
107 ntohl(fh->identification), 107 ntohl(fh->identification),
108 !!(fraginfo->invflags & IP6T_FRAG_INV_IDS))) 108 !!(fraginfo->invflags & IP6T_FRAG_INV_IDS))
109 && 109 &&
110 !((fraginfo->flags & IP6T_FRAG_RES) 110 !((fraginfo->flags & IP6T_FRAG_RES)
111 && (fh->reserved || (ntohs(fh->frag_off) & 0x6))) 111 && (fh->reserved || (ntohs(fh->frag_off) & 0x6)))
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index bbd2615ad2e..8eecac14dda 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -160,7 +160,7 @@ match(const struct sk_buff *skb,
160 DEBUGP("len%04X \n", optlen); 160 DEBUGP("len%04X \n", optlen);
161 161
162 if ((ptr > skb->len - optlen || hdrlen < optlen) && 162 if ((ptr > skb->len - optlen || hdrlen < optlen) &&
163 (temp < optinfo->optsnr - 1)) { 163 temp < optinfo->optsnr - 1) {
164 DEBUGP("new pointer is too large! \n"); 164 DEBUGP("new pointer is too large! \n");
165 break; 165 break;
166 } 166 }
diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c
index b933e84a06a..ddee088f5f1 100644
--- a/net/ipv6/netfilter/ip6t_hl.c
+++ b/net/ipv6/netfilter/ip6t_hl.c
@@ -29,16 +29,16 @@ static bool match(const struct sk_buff *skb,
29 29
30 switch (info->mode) { 30 switch (info->mode) {
31 case IP6T_HL_EQ: 31 case IP6T_HL_EQ:
32 return (ip6h->hop_limit == info->hop_limit); 32 return ip6h->hop_limit == info->hop_limit;
33 break; 33 break;
34 case IP6T_HL_NE: 34 case IP6T_HL_NE:
35 return (!(ip6h->hop_limit == info->hop_limit)); 35 return ip6h->hop_limit != info->hop_limit;
36 break; 36 break;
37 case IP6T_HL_LT: 37 case IP6T_HL_LT:
38 return (ip6h->hop_limit < info->hop_limit); 38 return ip6h->hop_limit < info->hop_limit;
39 break; 39 break;
40 case IP6T_HL_GT: 40 case IP6T_HL_GT:
41 return (ip6h->hop_limit > info->hop_limit); 41 return ip6h->hop_limit > info->hop_limit;
42 break; 42 break;
43 default: 43 default:
44 printk(KERN_WARNING "ip6t_hl: unknown mode %d\n", 44 printk(KERN_WARNING "ip6t_hl: unknown mode %d\n",
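Review bot: The `break;` after each `return` in this switch (lines 33, 36, 39 and 42) is unreachable, yet it is kept here although this same commit deletes the identical statements from match() in ipt_ttl.c. For consistency, drop the four `break;` lines so each case reads `case IP6T_HL_EQ:` followed by `return ip6h->hop_limit == info->hop_limit;` and so on. The switch continues past the end of the hunk.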
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 5ba6ef0f1b1..ca020ce1c4a 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -74,9 +74,9 @@ ipv6header_match(const struct sk_buff *skb,
74 BUG_ON(hp == NULL); 74 BUG_ON(hp == NULL);
75 75
76 /* Calculate the header length */ 76 /* Calculate the header length */
77 if (nexthdr == NEXTHDR_FRAGMENT) { 77 if (nexthdr == NEXTHDR_FRAGMENT)
78 hdrlen = 8; 78 hdrlen = 8;
79 } else if (nexthdr == NEXTHDR_AUTH) 79 else if (nexthdr == NEXTHDR_AUTH)
80 hdrlen = (hp->hdrlen + 2) << 2; 80 hdrlen = (hp->hdrlen + 2) << 2;
81 else 81 else
82 hdrlen = ipv6_optlen(hp); 82 hdrlen = ipv6_optlen(hp);
@@ -110,7 +110,7 @@ ipv6header_match(const struct sk_buff *skb,
110 break; 110 break;
111 } 111 }
112 112
113 if ((nexthdr != NEXTHDR_NONE) && (nexthdr != NEXTHDR_ESP)) 113 if (nexthdr != NEXTHDR_NONE && nexthdr != NEXTHDR_ESP)
114 temp |= MASK_PROTO; 114 temp |= MASK_PROTO;
115 115
116 if (info->modeflag) 116 if (info->modeflag)
diff --git a/net/ipv6/netfilter/ip6t_owner.c b/net/ipv6/netfilter/ip6t_owner.c
index 8cb6c94b4a2..d2bf3204aea 100644
--- a/net/ipv6/netfilter/ip6t_owner.c
+++ b/net/ipv6/netfilter/ip6t_owner.c
@@ -38,17 +38,15 @@ match(const struct sk_buff *skb,
38 if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file) 38 if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
39 return false; 39 return false;
40 40
41 if (info->match & IP6T_OWNER_UID) { 41 if (info->match & IP6T_OWNER_UID)
42 if ((skb->sk->sk_socket->file->f_uid != info->uid) ^ 42 if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
43 !!(info->invert & IP6T_OWNER_UID)) 43 !!(info->invert & IP6T_OWNER_UID))
44 return false; 44 return false;
45 }
46 45
47 if (info->match & IP6T_OWNER_GID) { 46 if (info->match & IP6T_OWNER_GID)
48 if ((skb->sk->sk_socket->file->f_gid != info->gid) ^ 47 if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
49 !!(info->invert & IP6T_OWNER_GID)) 48 !!(info->invert & IP6T_OWNER_GID))
50 return false; 49 return false;
51 }
52 50
53 return true; 51 return true;
54} 52}
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index bc5ff4b1af3..f86fdcdd8cb 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -87,9 +87,9 @@ match(const struct sk_buff *skb,
87 DEBUGP("SGS_LEFT %u %02X\n", rh->segments_left, rh->segments_left); 87 DEBUGP("SGS_LEFT %u %02X\n", rh->segments_left, rh->segments_left);
88 88
89 DEBUGP("IPv6 RT segsleft %02X ", 89 DEBUGP("IPv6 RT segsleft %02X ",
90 (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], 90 segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
91 rh->segments_left, 91 rh->segments_left,
92 !!(rtinfo->invflags & IP6T_RT_INV_SGS)))); 92 !!(rtinfo->invflags & IP6T_RT_INV_SGS)));
93 DEBUGP("type %02X %02X %02X ", 93 DEBUGP("type %02X %02X %02X ",
94 rtinfo->rt_type, rh->type, 94 rtinfo->rt_type, rh->type,
95 (!(rtinfo->flags & IP6T_RT_TYP) || 95 (!(rtinfo->flags & IP6T_RT_TYP) ||
@@ -97,11 +97,11 @@ match(const struct sk_buff *skb,
97 !!(rtinfo->invflags & IP6T_RT_INV_TYP)))); 97 !!(rtinfo->invflags & IP6T_RT_INV_TYP))));
98 DEBUGP("len %02X %04X %02X ", 98 DEBUGP("len %02X %04X %02X ",
99 rtinfo->hdrlen, hdrlen, 99 rtinfo->hdrlen, hdrlen,
100 (!(rtinfo->flags & IP6T_RT_LEN) || 100 !(rtinfo->flags & IP6T_RT_LEN) ||
101 ((rtinfo->hdrlen == hdrlen) ^ 101 ((rtinfo->hdrlen == hdrlen) ^
102 !!(rtinfo->invflags & IP6T_RT_INV_LEN)))); 102 !!(rtinfo->invflags & IP6T_RT_INV_LEN)));
103 DEBUGP("res %02X %02X %02X ", 103 DEBUGP("res %02X %02X %02X ",
104 (rtinfo->flags & IP6T_RT_RES), 104 rtinfo->flags & IP6T_RT_RES,
105 ((const struct rt0_hdr *)rh)->reserved, 105 ((const struct rt0_hdr *)rh)->reserved,
106 !((rtinfo->flags & IP6T_RT_RES) && 106 !((rtinfo->flags & IP6T_RT_RES) &&
107 (((const struct rt0_hdr *)rh)->reserved))); 107 (((const struct rt0_hdr *)rh)->reserved)));
@@ -188,8 +188,8 @@ match(const struct sk_buff *skb,
188 break; 188 break;
189 } 189 }
190 DEBUGP("temp=%d #%d\n", temp, rtinfo->addrnr); 190 DEBUGP("temp=%d #%d\n", temp, rtinfo->addrnr);
191 if ((temp == rtinfo->addrnr) && 191 if (temp == rtinfo->addrnr &&
192 (temp == (unsigned int)((hdrlen - 8) / 16))) 192 temp == (unsigned int)((hdrlen - 8) / 16))
193 return ret; 193 return ret;
194 else 194 else
195 return false; 195 return false;
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 2d779f6902d..ed6b524064f 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -74,7 +74,7 @@ static bool checkentry(const char *tablename,
74{ 74{
75 const u_int8_t dscp = ((struct xt_DSCP_info *)targinfo)->dscp; 75 const u_int8_t dscp = ((struct xt_DSCP_info *)targinfo)->dscp;
76 76
77 if ((dscp > XT_DSCP_MAX)) { 77 if (dscp > XT_DSCP_MAX) {
78 printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp); 78 printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp);
79 return false; 79 return false;
80 } 80 }
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 075051acb55..6ae6df993aa 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -93,7 +93,7 @@ tcpmss_mangle_packet(struct sk_buff **pskb,
93 return 0; 93 return 0;
94 94
95 opt[i+2] = (newmss & 0xff00) >> 8; 95 opt[i+2] = (newmss & 0xff00) >> 8;
96 opt[i+3] = (newmss & 0x00ff); 96 opt[i+3] = newmss & 0x00ff;
97 97
98 nf_proto_csum_replace2(&tcph->check, *pskb, 98 nf_proto_csum_replace2(&tcph->check, *pskb,
99 htons(oldmss), htons(newmss), 0); 99 htons(oldmss), htons(newmss), 0);
@@ -126,7 +126,7 @@ tcpmss_mangle_packet(struct sk_buff **pskb,
126 opt[0] = TCPOPT_MSS; 126 opt[0] = TCPOPT_MSS;
127 opt[1] = TCPOLEN_MSS; 127 opt[1] = TCPOLEN_MSS;
128 opt[2] = (newmss & 0xff00) >> 8; 128 opt[2] = (newmss & 0xff00) >> 8;
129 opt[3] = (newmss & 0x00ff); 129 opt[3] = newmss & 0x00ff;
130 130
131 nf_proto_csum_replace4(&tcph->check, *pskb, 0, *((__be32 *)opt), 0); 131 nf_proto_csum_replace4(&tcph->check, *pskb, 0, *((__be32 *)opt), 0);
132 132
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 99c246e45c4..d9b2e75fbab 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -90,9 +90,9 @@ match(const struct sk_buff *skb,
90 } 90 }
91 91
92 if (sinfo->count.to) 92 if (sinfo->count.to)
93 return (what <= sinfo->count.to && what >= sinfo->count.from); 93 return what <= sinfo->count.to && what >= sinfo->count.from;
94 else 94 else
95 return (what >= sinfo->count.from); 95 return what >= sinfo->count.from;
96} 96}
97 97
98static bool check(const char *tablename, 98static bool check(const char *tablename,
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 71f3c1a5d5e..3a6e16d4edc 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -48,7 +48,7 @@ match(const struct sk_buff *skb,
48 if (!ct) 48 if (!ct)
49 return false; 49 return false;
50 50
51 return (((ct->mark) & info->mask) == info->mark) ^ info->invert; 51 return ((ct->mark & info->mask) == info->mark) ^ info->invert;
52} 52}
53 53
54static bool 54static bool
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 1b77c5bcb34..f07a68d445c 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -81,7 +81,7 @@ dccp_find_option(u_int8_t option,
81static inline bool 81static inline bool
82match_types(const struct dccp_hdr *dh, u_int16_t typemask) 82match_types(const struct dccp_hdr *dh, u_int16_t typemask)
83{ 83{
84 return (typemask & (1 << dh->dccph_type)); 84 return typemask & (1 << dh->dccph_type);
85} 85}
86 86
87static inline bool 87static inline bool
@@ -113,11 +113,11 @@ match(const struct sk_buff *skb,
113 return false; 113 return false;
114 } 114 }
115 115
116 return DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0]) 116 return DCCHECK(ntohs(dh->dccph_sport) >= info->spts[0]
117 && (ntohs(dh->dccph_sport) <= info->spts[1])), 117 && ntohs(dh->dccph_sport) <= info->spts[1],
118 XT_DCCP_SRC_PORTS, info->flags, info->invflags) 118 XT_DCCP_SRC_PORTS, info->flags, info->invflags)
119 && DCCHECK(((ntohs(dh->dccph_dport) >= info->dpts[0]) 119 && DCCHECK(ntohs(dh->dccph_dport) >= info->dpts[0]
120 && (ntohs(dh->dccph_dport) <= info->dpts[1])), 120 && ntohs(dh->dccph_dport) <= info->dpts[1],
121 XT_DCCP_DEST_PORTS, info->flags, info->invflags) 121 XT_DCCP_DEST_PORTS, info->flags, info->invflags)
122 && DCCHECK(match_types(dh, info->typemask), 122 && DCCHECK(match_types(dh, info->typemask),
123 XT_DCCP_TYPE, info->flags, info->invflags) 123 XT_DCCP_TYPE, info->flags, info->invflags)
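Review bot: The first argument of DCCHECK at new lines 116-117 and 119-120 is now a bare `a >= b && c <= d` expression, which is correct only if the macro wraps its condition parameter in parentheses where it expands it. The definition of DCCHECK is outside the hunk, so confirm it uses `(cond)` before relying on this. Otherwise keep one pair of parentheses at the call site, `DCCHECK((ntohs(dh->dccph_sport) >= info->spts[0] && ntohs(dh->dccph_sport) <= info->spts[1]), ...)`. The same applies to the SCCHECK calls changed in match() of xt_sctp.c.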
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index deb5890aa3a..094da6e066b 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -239,7 +239,7 @@ static bool select_all(const struct xt_hashlimit_htable *ht,
239static bool select_gc(const struct xt_hashlimit_htable *ht, 239static bool select_gc(const struct xt_hashlimit_htable *ht,
240 const struct dsthash_ent *he) 240 const struct dsthash_ent *he)
241{ 241{
242 return (jiffies >= he->expires); 242 return jiffies >= he->expires;
243} 243}
244 244
245static void htable_selective_cleanup(struct xt_hashlimit_htable *ht, 245static void htable_selective_cleanup(struct xt_hashlimit_htable *ht,
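Review bot: `return jiffies >= he->expires;` in select_gc is a plain integer comparison and gives the wrong answer across a jiffies wrap-around. An entry whose expiry was computed before the wrap then stays "not expired" for a very long time and is never garbage-collected. Since the line is being touched anyway, use the wrap-safe helper: `return time_after_eq(jiffies, he->expires);`. This assumes `expires` is an `unsigned long`, as its declaration is outside the hunk.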
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index 57bcfacde59..ea4880bd31e 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -47,8 +47,8 @@ match6(const struct sk_buff *skb,
47 bool *hotdrop) 47 bool *hotdrop)
48{ 48{
49 const struct xt_length_info *info = matchinfo; 49 const struct xt_length_info *info = matchinfo;
50 const u_int16_t pktlen = (ntohs(ipv6_hdr(skb)->payload_len) + 50 const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
51 sizeof(struct ipv6hdr)); 51 sizeof(struct ipv6hdr);
52 52
53 return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; 53 return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
54} 54}
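Review bot: `pktlen` in match6 is declared `u_int16_t`, so `ntohs(ipv6_hdr(skb)->payload_len) + sizeof(struct ipv6hdr)` is truncated on assignment. Any payload length above 65495 therefore wraps to a small value and is compared against `info->min`/`info->max` as if the packet were short. Widening the local avoids the wrap without changing the match for in-range packets: `const unsigned int pktlen = ntohs(ipv6_hdr(skb)->payload_len) + sizeof(struct ipv6hdr);`. A payload_len of 0 (jumbogram) is a separate case this code does not distinguish and deserves a comment.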
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 86022027dd6..28ec08e7511 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -37,11 +37,11 @@ match(const struct sk_buff *skb,
37 const struct xt_mac_info *info = matchinfo; 37 const struct xt_mac_info *info = matchinfo;
38 38
39 /* Is mac pointer valid? */ 39 /* Is mac pointer valid? */
40 return (skb_mac_header(skb) >= skb->head && 40 return skb_mac_header(skb) >= skb->head &&
41 (skb_mac_header(skb) + ETH_HLEN) <= skb->data 41 skb_mac_header(skb) + ETH_HLEN <= skb->data
42 /* If so, compare... */ 42 /* If so, compare... */
43 && ((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr)) 43 && ((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr))
44 ^ info->invert)); 44 ^ info->invert);
45} 45}
46 46
47static struct xt_match xt_mac_match[] = { 47static struct xt_match xt_mac_match[] = {
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 63239727bc2..e4c420b5713 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -34,9 +34,9 @@ static bool match(const struct sk_buff *skb,
34 const struct xt_pkttype_info *info = matchinfo; 34 const struct xt_pkttype_info *info = matchinfo;
35 35
36 if (skb->pkt_type == PACKET_LOOPBACK) 36 if (skb->pkt_type == PACKET_LOOPBACK)
37 type = (MULTICAST(ip_hdr(skb)->daddr) 37 type = MULTICAST(ip_hdr(skb)->daddr)
38 ? PACKET_MULTICAST 38 ? PACKET_MULTICAST
39 : PACKET_BROADCAST); 39 : PACKET_BROADCAST;
40 else 40 else
41 type = skb->pkt_type; 41 type = skb->pkt_type;
42 42
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 22df338b393..fefc846188f 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -31,11 +31,9 @@ match_flags(const struct xt_sctp_flag_info *flag_info,
31{ 31{
32 int i; 32 int i;
33 33
34 for (i = 0; i < flag_count; i++) { 34 for (i = 0; i < flag_count; i++)
35 if (flag_info[i].chunktype == chunktype) { 35 if (flag_info[i].chunktype == chunktype)
36 return (chunkflags & flag_info[i].flag_mask) == flag_info[i].flag; 36 return (chunkflags & flag_info[i].flag_mask) == flag_info[i].flag;
37 }
38 }
39 37
40 return true; 38 return true;
41} 39}
@@ -56,9 +54,8 @@ match_packet(const struct sk_buff *skb,
56 int i = 0; 54 int i = 0;
57#endif 55#endif
58 56
59 if (chunk_match_type == SCTP_CHUNK_MATCH_ALL) { 57 if (chunk_match_type == SCTP_CHUNK_MATCH_ALL)
60 SCTP_CHUNKMAP_COPY(chunkmapcopy, chunkmap); 58 SCTP_CHUNKMAP_COPY(chunkmapcopy, chunkmap);
61 }
62 59
63 do { 60 do {
64 sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); 61 sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
@@ -86,16 +83,14 @@ match_packet(const struct sk_buff *skb,
86 83
87 case SCTP_CHUNK_MATCH_ALL: 84 case SCTP_CHUNK_MATCH_ALL:
88 if (match_flags(flag_info, flag_count, 85 if (match_flags(flag_info, flag_count,
89 sch->type, sch->flags)) { 86 sch->type, sch->flags))
90 SCTP_CHUNKMAP_CLEAR(chunkmapcopy, sch->type); 87 SCTP_CHUNKMAP_CLEAR(chunkmapcopy, sch->type);
91 }
92 break; 88 break;
93 89
94 case SCTP_CHUNK_MATCH_ONLY: 90 case SCTP_CHUNK_MATCH_ONLY:
95 if (!match_flags(flag_info, flag_count, 91 if (!match_flags(flag_info, flag_count,
96 sch->type, sch->flags)) { 92 sch->type, sch->flags))
97 return false; 93 return false;
98 }
99 break; 94 break;
100 } 95 }
101 } else { 96 } else {
@@ -145,11 +140,11 @@ match(const struct sk_buff *skb,
145 } 140 }
146 duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); 141 duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
147 142
148 return SCCHECK(((ntohs(sh->source) >= info->spts[0]) 143 return SCCHECK(ntohs(sh->source) >= info->spts[0]
149 && (ntohs(sh->source) <= info->spts[1])), 144 && ntohs(sh->source) <= info->spts[1],
150 XT_SCTP_SRC_PORTS, info->flags, info->invflags) 145 XT_SCTP_SRC_PORTS, info->flags, info->invflags)
151 && SCCHECK(((ntohs(sh->dest) >= info->dpts[0]) 146 && SCCHECK(ntohs(sh->dest) >= info->dpts[0]
152 && (ntohs(sh->dest) <= info->dpts[1])), 147 && ntohs(sh->dest) <= info->dpts[1],
153 XT_SCTP_DEST_PORTS, info->flags, info->invflags) 148 XT_SCTP_DEST_PORTS, info->flags, info->invflags)
154 && SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t), 149 && SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t),
155 info->chunkmap, info->chunk_match_type, 150 info->chunkmap, info->chunk_match_type,
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 0dd3022cc79..5cb345aeeca 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -95,7 +95,7 @@ tcp_match(const struct sk_buff *skb,
95 return false; 95 return false;
96 } 96 }
97 97
98#define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg)) 98#define FWINVTCP(bool, invflg) ((bool) ^ !!(tcpinfo->invflags & (invflg)))
99 99
100 th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph); 100 th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
101 if (th == NULL) { 101 if (th == NULL) {
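Review bot: The first parameter of FWINVTCP is named `bool`, which is also the type name this function uses for its return value, so inside the macro the identifier means something different from everywhere else in the file. As the line is being rewritten anyway, rename it: `#define FWINVTCP(cond, invflg) ((cond) ^ !!(tcpinfo->invflags & (invflg)))`. The macro is defined in the middle of tcp_match and captures the local `tcpinfo`; whether it is `#undef`'d after use is outside the hunk and worth checking.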