aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-03-20 21:02:15 -0500
committerDavid S. Miller <davem@davemloft.net>2006-03-20 21:02:15 -0500
commit1c524830d0b39472f0278989bf1119750a5e234d (patch)
tree9c60dd1717ddf458f66c4a71cb41c3ef7186cdd3
parent5d04bff096180f032de8b9b12153a8a1b4009b8d (diff)
[NETFILTER]: x_tables: pass registered match/target data to match/target functions
This allows to make decisions based on the revision (and address family with a follow-up patch) at runtime. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat
-rw-r--r--include/linux/netfilter/x_tables.h10
-rw-r--r--net/ipv4/netfilter/arp_tables.c5
-rw-r--r--net/ipv4/netfilter/ip_tables.c13
-rw-r--r--net/ipv6/netfilter/ip6_tables.c11
-rw-r--r--net/sched/act_ipt.c10
5 files changed, 30 insertions, 19 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b9c37e1e6730..2fdbc4a446bf 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -100,6 +100,7 @@ struct xt_match
100 int (*match)(const struct sk_buff *skb, 100 int (*match)(const struct sk_buff *skb,
101 const struct net_device *in, 101 const struct net_device *in,
102 const struct net_device *out, 102 const struct net_device *out,
103 const struct xt_match *match,
103 const void *matchinfo, 104 const void *matchinfo,
104 int offset, 105 int offset,
105 unsigned int protoff, 106 unsigned int protoff,
@@ -109,12 +110,14 @@ struct xt_match
109 /* Should return true or false. */ 110 /* Should return true or false. */
110 int (*checkentry)(const char *tablename, 111 int (*checkentry)(const char *tablename,
111 const void *ip, 112 const void *ip,
113 const struct xt_match *match,
112 void *matchinfo, 114 void *matchinfo,
113 unsigned int matchinfosize, 115 unsigned int matchinfosize,
114 unsigned int hook_mask); 116 unsigned int hook_mask);
115 117
116 /* Called when entry of this type deleted. */ 118 /* Called when entry of this type deleted. */
117 void (*destroy)(void *matchinfo, unsigned int matchinfosize); 119 void (*destroy)(const struct xt_match *match, void *matchinfo,
120 unsigned int matchinfosize);
118 121
119 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 122 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
120 struct module *me; 123 struct module *me;
@@ -140,6 +143,7 @@ struct xt_target
140 const struct net_device *in, 143 const struct net_device *in,
141 const struct net_device *out, 144 const struct net_device *out,
142 unsigned int hooknum, 145 unsigned int hooknum,
146 const struct xt_target *target,
143 const void *targinfo, 147 const void *targinfo,
144 void *userdata); 148 void *userdata);
145 149
@@ -149,12 +153,14 @@ struct xt_target
149 /* Should return true or false. */ 153 /* Should return true or false. */
150 int (*checkentry)(const char *tablename, 154 int (*checkentry)(const char *tablename,
151 const void *entry, 155 const void *entry,
156 const struct xt_target *target,
152 void *targinfo, 157 void *targinfo,
153 unsigned int targinfosize, 158 unsigned int targinfosize,
154 unsigned int hook_mask); 159 unsigned int hook_mask);
155 160
156 /* Called when entry of this type deleted. */ 161 /* Called when entry of this type deleted. */
157 void (*destroy)(void *targinfo, unsigned int targinfosize); 162 void (*destroy)(const struct xt_target *target, void *targinfo,
163 unsigned int targinfosize);
158 164
159 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 165 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
160 struct module *me; 166 struct module *me;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 6162d0e328ec..87b3b7920101 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -300,6 +300,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
300 verdict = t->u.kernel.target->target(pskb, 300 verdict = t->u.kernel.target->target(pskb,
301 in, out, 301 in, out,
302 hook, 302 hook,
303 t->u.kernel.target,
303 t->data, 304 t->data,
304 userdata); 305 userdata);
305 306
@@ -491,7 +492,7 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
491 goto out; 492 goto out;
492 } 493 }
493 } else if (t->u.kernel.target->checkentry 494 } else if (t->u.kernel.target->checkentry
494 && !t->u.kernel.target->checkentry(name, e, t->data, 495 && !t->u.kernel.target->checkentry(name, e, target, t->data,
495 t->u.target_size 496 t->u.target_size
496 - sizeof(*t), 497 - sizeof(*t),
497 e->comefrom)) { 498 e->comefrom)) {
@@ -560,7 +561,7 @@ static inline int cleanup_entry(struct arpt_entry *e, unsigned int *i)
560 561
561 t = arpt_get_target(e); 562 t = arpt_get_target(e);
562 if (t->u.kernel.target->destroy) 563 if (t->u.kernel.target->destroy)
563 t->u.kernel.target->destroy(t->data, 564 t->u.kernel.target->destroy(t->u.kernel.target, t->data,
564 t->u.target_size - sizeof(*t)); 565 t->u.target_size - sizeof(*t));
565 module_put(t->u.kernel.target->me); 566 module_put(t->u.kernel.target->me);
566 return 0; 567 return 0;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 62f8d639ab9c..2381a4aa71d0 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -197,8 +197,8 @@ int do_match(struct ipt_entry_match *m,
197 int *hotdrop) 197 int *hotdrop)
198{ 198{
199 /* Stop iteration if it doesn't match */ 199 /* Stop iteration if it doesn't match */
200 if (!m->u.kernel.match->match(skb, in, out, m->data, offset, 200 if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
201 skb->nh.iph->ihl*4, hotdrop)) 201 offset, skb->nh.iph->ihl*4, hotdrop))
202 return 1; 202 return 1;
203 else 203 else
204 return 0; 204 return 0;
@@ -305,6 +305,7 @@ ipt_do_table(struct sk_buff **pskb,
305 verdict = t->u.kernel.target->target(pskb, 305 verdict = t->u.kernel.target->target(pskb,
306 in, out, 306 in, out,
307 hook, 307 hook,
308 t->u.kernel.target,
308 t->data, 309 t->data,
309 userdata); 310 userdata);
310 311
@@ -464,7 +465,7 @@ cleanup_match(struct ipt_entry_match *m, unsigned int *i)
464 return 1; 465 return 1;
465 466
466 if (m->u.kernel.match->destroy) 467 if (m->u.kernel.match->destroy)
467 m->u.kernel.match->destroy(m->data, 468 m->u.kernel.match->destroy(m->u.kernel.match, m->data,
468 m->u.match_size - sizeof(*m)); 469 m->u.match_size - sizeof(*m));
469 module_put(m->u.kernel.match->me); 470 module_put(m->u.kernel.match->me);
470 return 0; 471 return 0;
@@ -517,7 +518,7 @@ check_match(struct ipt_entry_match *m,
517 goto err; 518 goto err;
518 519
519 if (m->u.kernel.match->checkentry 520 if (m->u.kernel.match->checkentry
520 && !m->u.kernel.match->checkentry(name, ip, m->data, 521 && !m->u.kernel.match->checkentry(name, ip, match, m->data,
521 m->u.match_size - sizeof(*m), 522 m->u.match_size - sizeof(*m),
522 hookmask)) { 523 hookmask)) {
523 duprintf("ip_tables: check failed for `%s'.\n", 524 duprintf("ip_tables: check failed for `%s'.\n",
@@ -578,7 +579,7 @@ check_entry(struct ipt_entry *e, const char *name, unsigned int size,
578 goto cleanup_matches; 579 goto cleanup_matches;
579 } 580 }
580 } else if (t->u.kernel.target->checkentry 581 } else if (t->u.kernel.target->checkentry
581 && !t->u.kernel.target->checkentry(name, e, t->data, 582 && !t->u.kernel.target->checkentry(name, e, target, t->data,
582 t->u.target_size 583 t->u.target_size
583 - sizeof(*t), 584 - sizeof(*t),
584 e->comefrom)) { 585 e->comefrom)) {
@@ -652,7 +653,7 @@ cleanup_entry(struct ipt_entry *e, unsigned int *i)
652 IPT_MATCH_ITERATE(e, cleanup_match, NULL); 653 IPT_MATCH_ITERATE(e, cleanup_match, NULL);
653 t = ipt_get_target(e); 654 t = ipt_get_target(e);
654 if (t->u.kernel.target->destroy) 655 if (t->u.kernel.target->destroy)
655 t->u.kernel.target->destroy(t->data, 656 t->u.kernel.target->destroy(t->u.kernel.target, t->data,
656 t->u.target_size - sizeof(*t)); 657 t->u.target_size - sizeof(*t));
657 module_put(t->u.kernel.target->me); 658 module_put(t->u.kernel.target->me);
658 return 0; 659 return 0;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index e2e8d0140d7b..1b32a2d1e9e0 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -251,7 +251,7 @@ int do_match(struct ip6t_entry_match *m,
251 int *hotdrop) 251 int *hotdrop)
252{ 252{
253 /* Stop iteration if it doesn't match */ 253 /* Stop iteration if it doesn't match */
254 if (!m->u.kernel.match->match(skb, in, out, m->data, 254 if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
255 offset, protoff, hotdrop)) 255 offset, protoff, hotdrop))
256 return 1; 256 return 1;
257 else 257 else
@@ -373,6 +373,7 @@ ip6t_do_table(struct sk_buff **pskb,
373 verdict = t->u.kernel.target->target(pskb, 373 verdict = t->u.kernel.target->target(pskb,
374 in, out, 374 in, out,
375 hook, 375 hook,
376 t->u.kernel.target,
376 t->data, 377 t->data,
377 userdata); 378 userdata);
378 379
@@ -531,7 +532,7 @@ cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
531 return 1; 532 return 1;
532 533
533 if (m->u.kernel.match->destroy) 534 if (m->u.kernel.match->destroy)
534 m->u.kernel.match->destroy(m->data, 535 m->u.kernel.match->destroy(m->u.kernel.match, m->data,
535 m->u.match_size - sizeof(*m)); 536 m->u.match_size - sizeof(*m));
536 module_put(m->u.kernel.match->me); 537 module_put(m->u.kernel.match->me);
537 return 0; 538 return 0;
@@ -584,7 +585,7 @@ check_match(struct ip6t_entry_match *m,
584 goto err; 585 goto err;
585 586
586 if (m->u.kernel.match->checkentry 587 if (m->u.kernel.match->checkentry
587 && !m->u.kernel.match->checkentry(name, ipv6, m->data, 588 && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
588 m->u.match_size - sizeof(*m), 589 m->u.match_size - sizeof(*m),
589 hookmask)) { 590 hookmask)) {
590 duprintf("ip_tables: check failed for `%s'.\n", 591 duprintf("ip_tables: check failed for `%s'.\n",
@@ -645,7 +646,7 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
645 goto cleanup_matches; 646 goto cleanup_matches;
646 } 647 }
647 } else if (t->u.kernel.target->checkentry 648 } else if (t->u.kernel.target->checkentry
648 && !t->u.kernel.target->checkentry(name, e, t->data, 649 && !t->u.kernel.target->checkentry(name, e, target, t->data,
649 t->u.target_size 650 t->u.target_size
650 - sizeof(*t), 651 - sizeof(*t),
651 e->comefrom)) { 652 e->comefrom)) {
@@ -719,7 +720,7 @@ cleanup_entry(struct ip6t_entry *e, unsigned int *i)
719 IP6T_MATCH_ITERATE(e, cleanup_match, NULL); 720 IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
720 t = ip6t_get_target(e); 721 t = ip6t_get_target(e);
721 if (t->u.kernel.target->destroy) 722 if (t->u.kernel.target->destroy)
722 t->u.kernel.target->destroy(t->data, 723 t->u.kernel.target->destroy(t->u.kernel.target, t->data,
723 t->u.target_size - sizeof(*t)); 724 t->u.target_size - sizeof(*t));
724 module_put(t->u.kernel.target->me); 725 module_put(t->u.kernel.target->me);
725 return 0; 726 return 0;
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 39a22a3ffe78..6056d20ef429 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -70,7 +70,8 @@ ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook)
70 t->u.kernel.target = target; 70 t->u.kernel.target = target;
71 71
72 if (t->u.kernel.target->checkentry 72 if (t->u.kernel.target->checkentry
73 && !t->u.kernel.target->checkentry(table, NULL, t->data, 73 && !t->u.kernel.target->checkentry(table, NULL,
74 t->u.kernel.target, t->data,
74 t->u.target_size - sizeof(*t), 75 t->u.target_size - sizeof(*t),
75 hook)) { 76 hook)) {
76 DPRINTK("ipt_init_target: check failed for `%s'.\n", 77 DPRINTK("ipt_init_target: check failed for `%s'.\n",
@@ -86,7 +87,7 @@ static void
86ipt_destroy_target(struct ipt_entry_target *t) 87ipt_destroy_target(struct ipt_entry_target *t)
87{ 88{
88 if (t->u.kernel.target->destroy) 89 if (t->u.kernel.target->destroy)
89 t->u.kernel.target->destroy(t->data, 90 t->u.kernel.target->destroy(t->u.kernel.target, t->data,
90 t->u.target_size - sizeof(*t)); 91 t->u.target_size - sizeof(*t));
91 module_put(t->u.kernel.target->me); 92 module_put(t->u.kernel.target->me);
92} 93}
@@ -224,8 +225,9 @@ tcf_ipt(struct sk_buff *skb, struct tc_action *a, struct tcf_result *res)
224 /* iptables targets take a double skb pointer in case the skb 225 /* iptables targets take a double skb pointer in case the skb
225 * needs to be replaced. We don't own the skb, so this must not 226 * needs to be replaced. We don't own the skb, so this must not
226 * happen. The pskb_expand_head above should make sure of this */ 227 * happen. The pskb_expand_head above should make sure of this */
227 ret = p->t->u.kernel.target->target(&skb, skb->dev, NULL, 228 ret = p->t->u.kernel.target->target(&skb, skb->dev, NULL, p->hook,
228 p->hook, p->t->data, NULL); 229 p->t->u.kernel.target, p->t->data,
230 NULL);
229 switch (ret) { 231 switch (ret) {
230 case NF_ACCEPT: 232 case NF_ACCEPT:
231 result = TC_ACT_OK; 233 result = TC_ACT_OK;
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-17 14:31:02 -0500