44 files changed, 162 insertions, 156 deletions
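--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -41,9 +41,9 @@ static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
 const struct ebt_802_3_info *info = par->matchinfo;
 
 if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK)
-return false;
+return -EINVAL;
 
-return true;
+return 0;
 }
 
 static struct xt_match ebt_802_3_mt_reg __read_mostly = {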
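--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -190,17 +190,17 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par)
 pr_info("wrong size: %d against expected %d, rounded to %Zd\n",
 em->match_size, expected_length,
 EBT_ALIGN(expected_length));
-return false;
+return -EINVAL;
 }
 if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
 pr_info("dst integrity fail: %x\n", -err);
-return false;
+return -EINVAL;
 }
 if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
 pr_info("src integrity fail: %x\n", -err);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match ebt_among_mt_reg __read_mostly = {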
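--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -108,10 +108,10 @@ static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
 if ((e->ethproto != htons(ETH_P_ARP) &&
 e->ethproto != htons(ETH_P_RARP)) ||
 e->invflags & EBT_IPROTO)
-return false;
+return -EINVAL;
 if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK)
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_match ebt_arp_mt_reg __read_mostly = {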
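--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -84,24 +84,24 @@ static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
 
 if (e->ethproto != htons(ETH_P_IP) ||
 e->invflags & EBT_IPROTO)
-return false;
+return -EINVAL;
 if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
-return false;
+return -EINVAL;
 if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
 if (info->invflags & EBT_IP_PROTO)
-return false;
+return -EINVAL;
 if (info->protocol != IPPROTO_TCP &&
 info->protocol != IPPROTO_UDP &&
 info->protocol != IPPROTO_UDPLITE &&
 info->protocol != IPPROTO_SCTP &&
 info->protocol != IPPROTO_DCCP)
-return false;
+return -EINVAL;
 }
 if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
-return false;
+return -EINVAL;
 if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_match ebt_ip_mt_reg __read_mostly = {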
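--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -86,24 +86,24 @@ static int ebt_ip6_mt_check(const struct xt_mtchk_param *par)
 struct ebt_ip6_info *info = par->matchinfo;
 
 if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO)
-return false;
+return -EINVAL;
 if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK)
-return false;
+return -EINVAL;
 if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) {
 if (info->invflags & EBT_IP6_PROTO)
-return false;
+return -EINVAL;
 if (info->protocol != IPPROTO_TCP &&
 info->protocol != IPPROTO_UDP &&
 info->protocol != IPPROTO_UDPLITE &&
 info->protocol != IPPROTO_SCTP &&
 info->protocol != IPPROTO_DCCP)
-return false;
+return -EINVAL;
 }
 if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1])
-return false;
+return -EINVAL;
 if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1])
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_match ebt_ip6_mt_reg __read_mostly = {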
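--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -74,7 +74,7 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
 user2credits(info->avg * info->burst) < user2credits(info->avg)) {
 pr_info("overflow, try lower: %u/%u\n",
 info->avg, info->burst);
-return false;
+return -EINVAL;
 }
 
 /* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */
@@ -82,7 +82,7 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
 info->credit = user2credits(info->avg * info->burst);
 info->credit_cap = user2credits(info->avg * info->burst);
 info->cost = user2credits(info->avg);
-return true;
+return 0;
 }
 
 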
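--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -27,12 +27,12 @@ static int ebt_mark_mt_check(const struct xt_mtchk_param *par)
 const struct ebt_mark_m_info *info = par->matchinfo;
 
 if (info->bitmask & ~EBT_MARK_MASK)
-return false;
+return -EINVAL;
 if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND))
-return false;
+return -EINVAL;
 if (!info->bitmask)
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 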
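--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -25,9 +25,9 @@ static int ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
 const struct ebt_pkttype_info *info = par->matchinfo;
 
 if (info->invert != 0 && info->invert != 1)
-return false;
+return -EINVAL;
 /* Allow any pkt_type value */
-return true;
+return 0;
 }
 
 static struct xt_match ebt_pkttype_mt_reg __read_mostly = {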
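--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -162,13 +162,13 @@ static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
 
 if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
 !(info->bitmask & EBT_STP_MASK))
-return false;
+return -EINVAL;
 /* Make sure the match only receives stp frames */
 if (compare_ether_addr(e->destmac, bridge_ula) ||
 compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
-return false;
+return -EINVAL;
 
-return true;
+return 0;
 }
 
 static struct xt_match ebt_stp_mt_reg __read_mostly = {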
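--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -88,7 +88,7 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 if (e->ethproto != htons(ETH_P_8021Q)) {
 pr_debug("passed entry proto %2.4X is not 802.1Q (8100)\n",
 ntohs(e->ethproto));
-return false;
+return -EINVAL;
 }
 
 /* Check for bitmask range
@@ -96,14 +96,14 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 if (info->bitmask & ~EBT_VLAN_MASK) {
 pr_debug("bitmask %2X is out of mask (%2X)\n",
 info->bitmask, EBT_VLAN_MASK);
-return false;
+return -EINVAL;
 }
 
 /* Check for inversion flags range */
 if (info->invflags & ~EBT_VLAN_MASK) {
 pr_debug("inversion flags %2X is out of mask (%2X)\n",
 info->invflags, EBT_VLAN_MASK);
-return false;
+return -EINVAL;
 }
 
 /* Reserved VLAN ID (VID) values
@@ -117,7 +117,7 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 if (info->id > VLAN_GROUP_ARRAY_LEN) {
 pr_debug("id %d is out of range (1-4096)\n",
 info->id);
-return false;
+return -EINVAL;
 }
 /* Note: This is valid VLAN-tagged frame point.
 * Any value of user_priority are acceptable,
@@ -132,7 +132,7 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 if ((unsigned char) info->prio > 7) {
 pr_debug("prio %d is out of range (0-7)\n",
 info->prio);
-return false;
+return -EINVAL;
 }
 }
 /* Check for encapsulated proto range - it is possible to be
@@ -142,11 +142,11 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) {
 pr_debug("encap frame length %d is less than "
 "minimal\n", ntohs(info->encap));
-return false;
+return -EINVAL;
 }
 }
 
-return true;
+return 0;
 }
 
 static struct xt_match ebt_vlan_mt_reg __read_mostly = {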
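Review bot: In the hunk at line 117, `if (info->id > VLAN_GROUP_ARRAY_LEN)` and its message `(1-4096)` appear to accept an id equal to the limit. A VLAN ID is a 12-bit field, so if VLAN_GROUP_ARRAY_LEN is 4096 (its definition is not visible here) the value 4096 passes validation but can never match a frame, and the rule silently does nothing. If that reading is right, the test should be `>=` and the message should state the real range. This is not introduced by the commit, and the enclosing condition and the rest of ebt_vlan_mt_check lie outside the hunks.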
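--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2181,7 +2181,7 @@ static int icmp_checkentry(const struct xt_mtchk_param *par)
 const struct ipt_icmp *icmpinfo = par->matchinfo;
 
 /* Must specify no unknown invflags */
-return !(icmpinfo->invflags & ~IPT_ICMP_INV);
+return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
 }
 
 /* The built-in targets: standard (NULL) and error. */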
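--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -78,7 +78,7 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
 pr_info("both incoming and outgoing "
 "interface limitation cannot be selected\n");
-return false;
+return -EINVAL;
 }
 
 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
@@ -86,7 +86,7 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
 pr_info("output interface limitation "
 "not valid in PREROUTING and INPUT\n");
-return false;
+return -EINVAL;
 }
 
 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
@@ -94,10 +94,10 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
 pr_info("input interface limitation "
 "not valid in POSTROUTING and OUTPUT\n");
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static struct xt_match addrtype_mt_reg[] __read_mostly = {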
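--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -62,9 +62,9 @@ static int ah_mt_check(const struct xt_mtchk_param *par)
 /* Must specify no unknown invflags */
 if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
 pr_debug("unknown flags %X\n", ahinfo->invflags);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match ah_mt_reg __read_mostly = {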
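--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -91,18 +91,18 @@ static int ecn_mt_check(const struct xt_mtchk_param *par)
 const struct ipt_ip *ip = par->entryinfo;
 
 if (info->operation & IPT_ECN_OP_MATCH_MASK)
-return false;
+return -EINVAL;
 
 if (info->invert & IPT_ECN_OP_MATCH_MASK)
-return false;
+return -EINVAL;
 
 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
 ip->proto != IPPROTO_TCP) {
 pr_info("cannot match TCP bits in rule for non-tcp packets\n");
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static struct xt_match ecn_mt_reg __read_mostly = {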
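--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2214,7 +2214,7 @@ static int icmp6_checkentry(const struct xt_mtchk_param *par)
 const struct ip6t_icmp *icmpinfo = par->matchinfo;
 
 /* Must specify no unknown invflags */
-return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
+return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
 }
 
 /* The built-in targets: standard (NULL) and error. */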
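--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -93,9 +93,9 @@ static int ah_mt6_check(const struct xt_mtchk_param *par)
 
 if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
 pr_debug("unknown flags %X\n", ahinfo->invflags);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match ah_mt6_reg __read_mostly = {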
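--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -108,9 +108,9 @@ static int frag_mt6_check(const struct xt_mtchk_param *par)
 
 if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
 pr_debug("unknown flags %X\n", fraginfo->invflags);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match frag_mt6_reg __read_mostly = {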
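--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -170,15 +170,15 @@ static int hbh_mt6_check(const struct xt_mtchk_param *par)
 
 if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
 pr_debug("unknown flags %X\n", optsinfo->invflags);
-return false;
+return -EINVAL;
 }
 
 if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
 pr_debug("Not strict - not implemented");
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static struct xt_match hbh_mt6_reg[] __read_mostly = {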
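Review bot: `pr_debug("Not strict - not implemented");` in the IP6T_OPTS_NSTRICT branch has no trailing newline, so with debug output enabled the message can run into the next log line. It should end in `\n`, like the `unknown flags %X\n` message just above it. The `pr_debug` for the `--rt-type 0` requirement in rt_mt6_check (ip6t_rt.c) is missing its newline as well. The start of hbh_mt6_check is outside the hunk.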
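--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -125,9 +125,9 @@ static int ipv6header_mt6_check(const struct xt_mtchk_param *par)
 /* invflags is 0 or 0xff in hard mode */
 if ((!info->modeflag) && info->invflags != 0x00 &&
 info->invflags != 0xFF)
-return false;
+return -EINVAL;
 
-return true;
+return 0;
 }
 
 static struct xt_match ipv6header_mt6_reg __read_mostly = {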
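--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -67,7 +67,7 @@ static int mh_mt6_check(const struct xt_mtchk_param *par)
 const struct ip6t_mh *mhinfo = par->matchinfo;
 
 /* Must specify no unknown invflags */
-return !(mhinfo->invflags & ~IP6T_MH_INV_MASK);
+return (mhinfo->invflags & ~IP6T_MH_INV_MASK) ? -EINVAL : 0;
 }
 
 static struct xt_match mh_mt6_reg __read_mostly = {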
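--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -189,17 +189,17 @@ static int rt_mt6_check(const struct xt_mtchk_param *par)
 
 if (rtinfo->invflags & ~IP6T_RT_INV_MASK) {
 pr_debug("unknown flags %X\n", rtinfo->invflags);
-return false;
+return -EINVAL;
 }
 if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) &&
 (!(rtinfo->flags & IP6T_RT_TYP) ||
 (rtinfo->rt_type != 0) ||
 (rtinfo->invflags & IP6T_RT_INV_TYP))) {
 pr_debug("`--rt-type 0' required before `--rt-0-*'");
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static struct xt_match rt_mt6_reg __read_mostly = {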
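--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -363,6 +363,8 @@ static char *textify_hooks(char *buf, size_t size, unsigned int mask)
 int xt_check_match(struct xt_mtchk_param *par,
 unsigned int size, u_int8_t proto, bool inv_proto)
 {
+int ret;
+
 if (XT_ALIGN(par->match->matchsize) != size &&
 par->match->matchsize != -1) {
 /*
@@ -399,8 +401,14 @@ int xt_check_match(struct xt_mtchk_param *par,
 par->match->proto);
 return -EINVAL;
 }
-if (par->match->checkentry != NULL && !par->match->checkentry(par))
-return -EINVAL;
+if (par->match->checkentry != NULL) {
+ret = par->match->checkentry(par);
+if (ret < 0)
+return ret;
+else if (ret > 0)
+/* Flag up potential errors. */
+return -EIO;
+}
 return 0;
 }
 EXPORT_SYMBOL_GPL(xt_check_match);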
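Review bot: In the second hunk of xt_check_match, a positive return from `checkentry` is mapped to -EIO under the comment `/* Flag up potential errors. */`, which says neither what a positive value means nor why the rule is rejected. Presumably it catches a checkentry that still returns `true` under the old convention; if so the comment should say that, e.g. `/* > 0: checkentry not converted to 0/-errno; reject the rule */`. Logging `par->match->name` on that path would let the offending extension be identified instead of surfacing as a bare EIO. The `else` after `return ret;` is redundant, and the `else if` body spanning a comment plus a statement would read more safely with braces. The function body continues outside both hunks.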
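--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -140,14 +140,14 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
 pr_info("you have exceeded the maximum "
 "number of cluster nodes (%u > %u)\n",
 info->total_nodes, XT_CLUSTER_NODES_MAX);
-return false;
+return -EINVAL;
 }
 if (info->node_mask >= (1ULL << info->total_nodes)) {
 pr_info("this node mask cannot be "
 "higher than the total number of nodes\n");
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match xt_cluster_match __read_mostly = {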
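--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -100,20 +100,20 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
 if (sinfo->what != XT_CONNBYTES_PKTS &&
 sinfo->what != XT_CONNBYTES_BYTES &&
 sinfo->what != XT_CONNBYTES_AVGPKT)
-return false;
+return -EINVAL;
 
 if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL &&
 sinfo->direction != XT_CONNBYTES_DIR_REPLY &&
 sinfo->direction != XT_CONNBYTES_DIR_BOTH)
-return false;
+return -EINVAL;
 
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static void connbytes_mt_destroy(const struct xt_mtdtor_param *par)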
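Review bot: The failure branch for `nf_ct_l3proto_try_module_get(par->family) < 0` discards the callee's return value and reports -EINVAL, so a rule rejected because conntrack support could not be loaded looks the same to the caller as one rejected for bad parameters. The `< 0` test suggests the callee already returns a negative error code, and with checkentry now returning an errno that value could be kept in a local `int ret` and passed on with `return ret;`. The same pattern appears in connlimit_mt_check in xt_connlimit.c. The start of connbytes_mt_check is outside the hunk.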
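--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -228,21 +228,21 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for "
 "address family %u\n", par->family);
-return false;
+return -EINVAL;
 }
 
 /* init private data */
 info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);
 if (info->data == NULL) {
 nf_ct_l3proto_module_put(par->family);
-return false;
+return -EINVAL;
 }
 
 spin_lock_init(&info->data->lock);
 for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i)
 INIT_LIST_HEAD(&info->data->iphash[i]);
 
-return true;
+return 0;
 }
 
 static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)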
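Review bot: The `info->data == NULL` branch after `kmalloc()` returns `-EINVAL`, which tells userspace the rule was malformed when the kernel actually failed an allocation; `return -ENOMEM;` is the conventional code for that path. The same applies to the allocation-failure returns in the xt_limit (`priv == NULL`), xt_quota (`q->master == NULL`) and xt_statistic (`info->master == NULL`) sections. Since the check functions now return an int error code rather than a bool, the distinction costs one token per site and makes rule-load failures under memory pressure diagnosable. connlimit_mt_check begins above the hunk.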
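--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -79,9 +79,9 @@ static int connmark_tg_check(const struct xt_tgchk_param *par)
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
@@ -108,9 +108,9 @@ static int connmark_mt_check(const struct xt_mtchk_param *par)
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static void connmark_mt_destroy(const struct xt_mtdtor_param *par)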
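--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -211,9 +211,9 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)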
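--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -128,12 +128,12 @@ static int dccp_mt_check(const struct xt_mtchk_param *par)
 const struct xt_dccp_info *info = par->matchinfo;
 
 if (info->flags & ~XT_DCCP_VALID_FLAGS)
-return false;
+return -EINVAL;
 if (info->invflags & ~XT_DCCP_VALID_FLAGS)
-return false;
+return -EINVAL;
 if (info->invflags & ~info->flags)
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_match dccp_mt_reg[] __read_mostly = {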
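--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -48,10 +48,10 @@ static int dscp_mt_check(const struct xt_mtchk_param *par)
 
 if (info->dscp > XT_DSCP_MAX) {
 pr_info("dscp %x out of range\n", info->dscp);
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)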
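--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -66,10 +66,10 @@ static int esp_mt_check(const struct xt_mtchk_param *par)
 
 if (espinfo->invflags & ~XT_ESP_INV_MASK) {
 pr_debug("unknown flags %X\n", espinfo->invflags);
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static struct xt_match esp_mt_reg[] __read_mostly = {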
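--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -681,30 +681,29 @@ static int hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
 user2credits(r->cfg.avg * r->cfg.burst) < user2credits(r->cfg.avg)) {
 pr_info("overflow, try lower: %u/%u\n",
 r->cfg.avg, r->cfg.burst);
-return false;
+return -EINVAL;
 }
 if (r->cfg.mode == 0 ||
 r->cfg.mode > (XT_HASHLIMIT_HASH_DPT |
 XT_HASHLIMIT_HASH_DIP |
 XT_HASHLIMIT_HASH_SIP |
 XT_HASHLIMIT_HASH_SPT))
-return false;
+return -EINVAL;
 if (!r->cfg.gc_interval)
-return false;
+return -EINVAL;
 if (!r->cfg.expire)
-return false;
+return -EINVAL;
 if (r->name[sizeof(r->name) - 1] != '\0')
-return false;
+return -EINVAL;
 
 mutex_lock(&hashlimit_mutex);
 r->hinfo = htable_find_get(net, r->name, par->family);
 if (!r->hinfo && htable_create_v0(net, r, par->family) != 0) {
 mutex_unlock(&hashlimit_mutex);
-return false;
+return -EINVAL;
 }
 mutex_unlock(&hashlimit_mutex);
-
-return true;
+return 0;
 }
 
 static int hashlimit_mt_check(const struct xt_mtchk_param *par)
@@ -718,28 +717,28 @@ static int hashlimit_mt_check(const struct xt_mtchk_param *par)
 user2credits(info->cfg.avg)) {
 pr_info("overflow, try lower: %u/%u\n",
 info->cfg.avg, info->cfg.burst);
-return false;
+return -EINVAL;
 }
 if (info->cfg.gc_interval == 0 || info->cfg.expire == 0)
-return false;
+return -EINVAL;
 if (info->name[sizeof(info->name)-1] != '\0')
-return false;
+return -EINVAL;
 if (par->family == NFPROTO_IPV4) {
 if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32)
-return false;
+return -EINVAL;
 } else {
 if (info->cfg.srcmask > 128 || info->cfg.dstmask > 128)
-return false;
+return -EINVAL;
 }
 
 mutex_lock(&hashlimit_mutex);
 info->hinfo = htable_find_get(net, info->name, par->family);
 if (!info->hinfo && htable_create(net, info, par->family) != 0) {
 mutex_unlock(&hashlimit_mutex);
-return false;
+return -EINVAL;
 }
 mutex_unlock(&hashlimit_mutex);
-return true;
+return 0;
 }
 
 static void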
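Review bot: In hashlimit_mt_check_v0 the test `htable_create_v0(net, r, par->family) != 0` discards the helper's return value and reports `-EINVAL`, and hashlimit_mt_check does the same with `htable_create()`. A table-creation failure is more likely resource exhaustion than a bad rule, so it would be better to capture the result with `ret = htable_create_v0(net, r, par->family);` and `return ret;` after `mutex_unlock(&hashlimit_mutex)`. The helpers' bodies are not part of this diff, so confirm they return a negative errno rather than a bare -1 before propagating it. Both check functions start above their hunks.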
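--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -61,10 +61,10 @@ static int helper_mt_check(const struct xt_mtchk_param *par)
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
-return false;
+return -EINVAL;
 }
 info->name[29] = '\0';
-return true;
+return 0;
 }
 
 static void helper_mt_destroy(const struct xt_mtdtor_param *par)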
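--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -107,12 +107,12 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
 || user2credits(r->avg * r->burst) < user2credits(r->avg)) {
 pr_info("Overflow, try lower: %u/%u\n",
 r->avg, r->burst);
-return false;
+return -EINVAL;
 }
 
 priv = kmalloc(sizeof(*priv), GFP_KERNEL);
 if (priv == NULL)
-return false;
+return -EINVAL;
 
 /* For SMP, we only want to use one set of state. */
 r->master = priv;
@@ -124,7 +124,7 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
 r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */
 r->cost = user2credits(r->avg);
 }
-return true;
+return 0;
 }
 
 static void limit_mt_destroy(const struct xt_mtdtor_param *par)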
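--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -89,7 +89,7 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
 
 if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
 info->bitmask & ~XT_PHYSDEV_OP_MASK)
-return false;
+return -EINVAL;
 if (info->bitmask & XT_PHYSDEV_OP_OUT &&
 (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
 info->invert & XT_PHYSDEV_OP_BRIDGED) &&
@@ -99,9 +99,9 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
 "POSTROUTING chains for non-bridged traffic is not "
 "supported anymore.\n");
 if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match physdev_mt_reg __read_mostly = {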
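--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -134,23 +134,23 @@ static int policy_mt_check(const struct xt_mtchk_param *par)
 
 if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
 pr_info("neither incoming nor outgoing policy selected\n");
-return false;
+return -EINVAL;
 }
 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
 pr_info("output policy not valid in PREROUTING and INPUT\n");
-return false;
+return -EINVAL;
 }
 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
 (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
 pr_info("input policy not valid in POSTROUTING and OUTPUT\n");
-return false;
+return -EINVAL;
 }
 if (info->len > XT_POLICY_MAX_ELEM) {
 pr_info("too many policy elements\n");
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match policy_mt_reg[] __read_mostly = {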
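--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -48,14 +48,14 @@ static int quota_mt_check(const struct xt_mtchk_param *par)
 struct xt_quota_info *q = par->matchinfo;
 
 if (q->flags & ~XT_QUOTA_MASK)
-return false;
+return -EINVAL;
 
 q->master = kmalloc(sizeof(*q->master), GFP_KERNEL);
 if (q->master == NULL)
-return false;
+return -EINVAL;
 
 q->master->quota = q->quota;
-return true;
+return 0;
 }
 
 static void quota_mt_destroy(const struct xt_mtdtor_param *par)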
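--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -109,12 +109,12 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
 
 info->est1 = est1;
 info->est2 = est2;
-return true;
+return 0;
 
 err2:
 xt_rateest_put(est1);
 err1:
-return false;
+return -EINVAL;
 }
 
 static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par)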
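--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -314,7 +314,7 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
 struct proc_dir_entry *pde;
 #endif
 unsigned i;
-bool ret = false;
+int ret = -EINVAL;
 
 if (unlikely(!hash_rnd_inited)) {
 get_random_bytes(&hash_rnd, sizeof(hash_rnd));
@@ -323,33 +323,33 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
 if (info->check_set & ~XT_RECENT_VALID_FLAGS) {
 pr_info("Unsupported user space flags (%08x)\n",
 info->check_set);
-return false;
+return -EINVAL;
 }
 if (hweight8(info->check_set &
 (XT_RECENT_SET | XT_RECENT_REMOVE |
 XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1)
-return false;
+return -EINVAL;
 if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) &&
 (info->seconds || info->hit_count ||
 (info->check_set & XT_RECENT_MODIFIERS)))
-return false;
+return -EINVAL;
 if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
-return false;
+return -EINVAL;
 if (info->hit_count > ip_pkt_list_tot) {
 pr_info("hitcount (%u) is larger than "
 "packets to be remembered (%u)\n",
 info->hit_count, ip_pkt_list_tot);
-return false;
+return -EINVAL;
 }
 if (info->name[0] == '\0' ||
 strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
-return false;
+return -EINVAL;
 
 mutex_lock(&recent_mutex);
 t = recent_table_lookup(recent_net, info->name);
 if (t != NULL) {
 t->refcnt++;
-ret = true;
+ret = 0;
 goto out;
 }
 
@@ -375,7 +375,7 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
 spin_lock_bh(&recent_lock);
 list_add_tail(&t->list, &recent_net->tables);
 spin_unlock_bh(&recent_lock);
-ret = true;
+ret = 0;
 out:
 mutex_unlock(&recent_mutex);
 return ret;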
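Review bot: `int ret = -EINVAL;` in the first hunk becomes the result of every failure path that jumps to `out:`, including any in the stretch of recent_mt_check between the second and third hunks that this diff does not show. If that stretch allocates the table or registers the proc entry (the `pde` declaration suggests it does, but this is inferred), those failures are reported to userspace as an invalid argument. Setting `ret = -ENOMEM;` just before the allocation would separate resource failures from the flag and name validation above. Worth checking against the full function.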
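--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -149,17 +149,17 @@ static int sctp_mt_check(const struct xt_mtchk_param *par)
 const struct xt_sctp_info *info = par->matchinfo;
 
 if (info->flags & ~XT_SCTP_VALID_FLAGS)
-return false;
+return -EINVAL;
 if (info->invflags & ~XT_SCTP_VALID_FLAGS)
-return false;
+return -EINVAL;
 if (info->invflags & ~info->flags)
-return false;
+return -EINVAL;
 if (!(info->flags & XT_SCTP_CHUNK_TYPES))
-return true;
+return 0;
 if (info->chunk_match_type & (SCTP_CHUNK_MATCH_ALL |
 SCTP_CHUNK_MATCH_ANY | SCTP_CHUNK_MATCH_ONLY))
-return true;
-return false;
+return 0;
+return -EINVAL;
 }
 
 static struct xt_match sctp_mt_reg[] __read_mostly = {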
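--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -42,9 +42,9 @@ static int state_mt_check(const struct xt_mtchk_param *par)
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static void state_mt_destroy(const struct xt_mtdtor_param *par)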
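--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -58,14 +58,14 @@ static int statistic_mt_check(const struct xt_mtchk_param *par)
 
 if (info->mode > XT_STATISTIC_MODE_MAX ||
 info->flags & ~XT_STATISTIC_MASK)
-return false;
+return -EINVAL;
 
 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
 if (info->master == NULL)
-return false;
+return -EINVAL;
 info->master->count = info->u.nth.count;
 
-return true;
+return 0;
 }
 
 static void statistic_mt_destroy(const struct xt_mtdtor_param *par)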
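--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -48,26 +48,25 @@ static int string_mt_check(const struct xt_mtchk_param *par)
 
 /* Damn, can't handle this case properly with iptables... */
 if (conf->from_offset > conf->to_offset)
-return false;
+return -EINVAL;
 if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0')
-return false;
+return -EINVAL;
 if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
-return false;
+return -EINVAL;
 if (par->match->revision == 1) {
 if (conf->u.v1.flags &
 ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT))
-return false;
+return -EINVAL;
 if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
 flags |= TS_IGNORECASE;
 }
 ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
 GFP_KERNEL, flags);
 if (IS_ERR(ts_conf))
-return false;
+return -EINVAL;
 
 conf->config = ts_conf;
-
-return true;
+return 0;
 }
 
 static void string_mt_destroy(const struct xt_mtdtor_param *par)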
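Review bot: The `IS_ERR(ts_conf)` branch returns `-EINVAL` even though `textsearch_prepare()` hands back an error-encoded pointer, so the specific reason for the failure (for example an unknown algorithm name versus an allocation failure) is lost. `return PTR_ERR(ts_conf);` would pass the real code through to the rule loader. string_mt_check begins above the hunk, but the change is local to this branch.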
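--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -125,7 +125,7 @@ static int tcp_mt_check(const struct xt_mtchk_param *par)
 const struct xt_tcp *tcpinfo = par->matchinfo;
 
 /* Must specify no unknown invflags */
-return !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
+return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0;
 }
 
 static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
@@ -160,7 +160,7 @@ static int udp_mt_check(const struct xt_mtchk_param *par)
 const struct xt_udp *udpinfo = par->matchinfo;
 
 /* Must specify no unknown invflags */
-return !(udpinfo->invflags & ~XT_UDP_INV_MASK);
+return (udpinfo->invflags & ~XT_UDP_INV_MASK) ? -EINVAL : 0;
 }
 
 static struct xt_match tcpudp_mt_reg[] __read_mostly = {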
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c index db74f4fd57d..8dde5e51ff1 100644 --- a/net/netfilter/xt_time.c +++ b/net/netfilter/xt_time.c | |||
@@ -225,10 +225,10 @@ static int time_mt_check(const struct xt_mtchk_param *par) | |||
225 | info->daytime_stop > XT_TIME_MAX_DAYTIME) { | 225 | info->daytime_stop > XT_TIME_MAX_DAYTIME) { |
226 | pr_info("invalid argument - start or " | 226 | pr_info("invalid argument - start or " |
227 | "stop time greater than 23:59:59\n"); | 227 | "stop time greater than 23:59:59\n"); |
228 | return false; | 228 | return -EINVAL; |
229 | } | 229 | } |
230 | 230 | ||
231 | return true; | 231 | return 0; |
232 | } | 232 | } |
233 | 233 | ||
234 | static struct xt_match xt_time_mt_reg __read_mostly = { | 234 | static struct xt_match xt_time_mt_reg __read_mostly = { |