aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-03-20 21:01:58 -0500
committerDavid S. Miller <davem@davemloft.net>2006-03-20 21:01:58 -0500
commit5d04bff096180f032de8b9b12153a8a1b4009b8d (patch)
tree58aa8a8177b6d07cbce8b0c0bedeb23ecbde74d8
parent7f9397138e297904bf1c717651183e785a01ff13 (diff)
[NETFILTER]: Convert x_tables matches/targets to centralized error checking
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat
-rw-r--r--net/netfilter/xt_CLASSIFY.c41
-rw-r--r--net/netfilter/xt_CONNMARK.c25
-rw-r--r--net/netfilter/xt_MARK.c33
-rw-r--r--net/netfilter/xt_NFQUEUE.c23
-rw-r--r--net/netfilter/xt_NOTRACK.c44
-rw-r--r--net/netfilter/xt_comment.c17
-rw-r--r--net/netfilter/xt_connbytes.c13
-rw-r--r--net/netfilter/xt_connmark.c26
-rw-r--r--net/netfilter/xt_conntrack.c16
-rw-r--r--net/netfilter/xt_dccp.c43
-rw-r--r--net/netfilter/xt_helper.c15
-rw-r--r--net/netfilter/xt_length.c22
-rw-r--r--net/netfilter/xt_limit.c5
-rw-r--r--net/netfilter/xt_mac.c33
-rw-r--r--net/netfilter/xt_mark.c14
-rw-r--r--net/netfilter/xt_physdev.c12
-rw-r--r--net/netfilter/xt_pkttype.c22
-rw-r--r--net/netfilter/xt_realm.c26
-rw-r--r--net/netfilter/xt_sctp.c64
-rw-r--r--net/netfilter/xt_state.c20
-rw-r--r--net/netfilter/xt_string.c5
-rw-r--r--net/netfilter/xt_tcpmss.c51
-rw-r--r--net/netfilter/xt_tcpudp.c108
23 files changed, 167 insertions, 511 deletions
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 78ee266a12ee..6b36e8475657 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -39,47 +39,22 @@ target(struct sk_buff **pskb,
39 return XT_CONTINUE; 39 return XT_CONTINUE;
40} 40}
41 41
42static int
43checkentry(const char *tablename,
44 const void *e,
45 void *targinfo,
46 unsigned int targinfosize,
47 unsigned int hook_mask)
48{
49 if (targinfosize != XT_ALIGN(sizeof(struct xt_classify_target_info))){
50 printk(KERN_ERR "CLASSIFY: invalid size (%u != %Zu).\n",
51 targinfosize,
52 XT_ALIGN(sizeof(struct xt_classify_target_info)));
53 return 0;
54 }
55
56 if (hook_mask & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
57 (1 << NF_IP_POST_ROUTING))) {
58 printk(KERN_ERR "CLASSIFY: only valid in LOCAL_OUT, FORWARD "
59 "and POST_ROUTING.\n");
60 return 0;
61 }
62
63 if (strcmp(tablename, "mangle") != 0) {
64 printk(KERN_ERR "CLASSIFY: can only be called from "
65 "\"mangle\" table, not \"%s\".\n",
66 tablename);
67 return 0;
68 }
69
70 return 1;
71}
72
73static struct xt_target classify_reg = { 42static struct xt_target classify_reg = {
74 .name = "CLASSIFY", 43 .name = "CLASSIFY",
75 .target = target, 44 .target = target,
76 .checkentry = checkentry, 45 .targetsize = sizeof(struct xt_classify_target_info),
46 .table = "mangle",
47 .hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
48 (1 << NF_IP_POST_ROUTING),
77 .me = THIS_MODULE, 49 .me = THIS_MODULE,
78}; 50};
79static struct xt_target classify6_reg = { 51static struct xt_target classify6_reg = {
80 .name = "CLASSIFY", 52 .name = "CLASSIFY",
81 .target = target, 53 .target = target,
82 .checkentry = checkentry, 54 .targetsize = sizeof(struct xt_classify_target_info),
55 .table = "mangle",
56 .hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
57 (1 << NF_IP_POST_ROUTING),
83 .me = THIS_MODULE, 58 .me = THIS_MODULE,
84}; 59};
85 60
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index 22506e376be5..b269ba9f2934 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -79,12 +79,6 @@ checkentry(const char *tablename,
79 unsigned int hook_mask) 79 unsigned int hook_mask)
80{ 80{
81 struct xt_connmark_target_info *matchinfo = targinfo; 81 struct xt_connmark_target_info *matchinfo = targinfo;
82 if (targinfosize != XT_ALIGN(sizeof(struct xt_connmark_target_info))) {
83 printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
84 targinfosize,
85 XT_ALIGN(sizeof(struct xt_connmark_target_info)));
86 return 0;
87 }
88 82
89 if (matchinfo->mode == XT_CONNMARK_RESTORE) { 83 if (matchinfo->mode == XT_CONNMARK_RESTORE) {
90 if (strcmp(tablename, "mangle") != 0) { 84 if (strcmp(tablename, "mangle") != 0) {
@@ -102,16 +96,19 @@ checkentry(const char *tablename,
102} 96}
103 97
104static struct xt_target connmark_reg = { 98static struct xt_target connmark_reg = {
105 .name = "CONNMARK", 99 .name = "CONNMARK",
106 .target = &target, 100 .target = target,
107 .checkentry = &checkentry, 101 .targetsize = sizeof(struct xt_connmark_target_info),
108 .me = THIS_MODULE 102 .checkentry = checkentry,
103 .me = THIS_MODULE
109}; 104};
105
110static struct xt_target connmark6_reg = { 106static struct xt_target connmark6_reg = {
111 .name = "CONNMARK", 107 .name = "CONNMARK",
112 .target = &target, 108 .target = target,
113 .checkentry = &checkentry, 109 .targetsize = sizeof(struct xt_connmark_target_info),
114 .me = THIS_MODULE 110 .checkentry = checkentry,
111 .me = THIS_MODULE
115}; 112};
116 113
117static int __init init(void) 114static int __init init(void)
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 0c11ee9550f3..1bc968b519d8 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -78,23 +78,10 @@ checkentry_v0(const char *tablename,
78{ 78{
79 struct xt_mark_target_info *markinfo = targinfo; 79 struct xt_mark_target_info *markinfo = targinfo;
80 80
81 if (targinfosize != XT_ALIGN(sizeof(struct xt_mark_target_info))) {
82 printk(KERN_WARNING "MARK: targinfosize %u != %Zu\n",
83 targinfosize,
84 XT_ALIGN(sizeof(struct xt_mark_target_info)));
85 return 0;
86 }
87
88 if (strcmp(tablename, "mangle") != 0) {
89 printk(KERN_WARNING "MARK: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
90 return 0;
91 }
92
93 if (markinfo->mark > 0xffffffff) { 81 if (markinfo->mark > 0xffffffff) {
94 printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); 82 printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
95 return 0; 83 return 0;
96 } 84 }
97
98 return 1; 85 return 1;
99} 86}
100 87
@@ -107,18 +94,6 @@ checkentry_v1(const char *tablename,
107{ 94{
108 struct xt_mark_target_info_v1 *markinfo = targinfo; 95 struct xt_mark_target_info_v1 *markinfo = targinfo;
109 96
110 if (targinfosize != XT_ALIGN(sizeof(struct xt_mark_target_info_v1))){
111 printk(KERN_WARNING "MARK: targinfosize %u != %Zu\n",
112 targinfosize,
113 XT_ALIGN(sizeof(struct xt_mark_target_info_v1)));
114 return 0;
115 }
116
117 if (strcmp(tablename, "mangle") != 0) {
118 printk(KERN_WARNING "MARK: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
119 return 0;
120 }
121
122 if (markinfo->mode != XT_MARK_SET 97 if (markinfo->mode != XT_MARK_SET
123 && markinfo->mode != XT_MARK_AND 98 && markinfo->mode != XT_MARK_AND
124 && markinfo->mode != XT_MARK_OR) { 99 && markinfo->mode != XT_MARK_OR) {
@@ -126,18 +101,18 @@ checkentry_v1(const char *tablename,
126 markinfo->mode); 101 markinfo->mode);
127 return 0; 102 return 0;
128 } 103 }
129
130 if (markinfo->mark > 0xffffffff) { 104 if (markinfo->mark > 0xffffffff) {
131 printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); 105 printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
132 return 0; 106 return 0;
133 } 107 }
134
135 return 1; 108 return 1;
136} 109}
137 110
138static struct xt_target ipt_mark_reg_v0 = { 111static struct xt_target ipt_mark_reg_v0 = {
139 .name = "MARK", 112 .name = "MARK",
140 .target = target_v0, 113 .target = target_v0,
114 .targetsize = sizeof(struct xt_mark_target_info),
115 .table = "mangle",
141 .checkentry = checkentry_v0, 116 .checkentry = checkentry_v0,
142 .me = THIS_MODULE, 117 .me = THIS_MODULE,
143 .revision = 0, 118 .revision = 0,
@@ -146,6 +121,8 @@ static struct xt_target ipt_mark_reg_v0 = {
146static struct xt_target ipt_mark_reg_v1 = { 121static struct xt_target ipt_mark_reg_v1 = {
147 .name = "MARK", 122 .name = "MARK",
148 .target = target_v1, 123 .target = target_v1,
124 .targetsize = sizeof(struct xt_mark_target_info_v1),
125 .table = "mangle",
149 .checkentry = checkentry_v1, 126 .checkentry = checkentry_v1,
150 .me = THIS_MODULE, 127 .me = THIS_MODULE,
151 .revision = 1, 128 .revision = 1,
@@ -154,6 +131,8 @@ static struct xt_target ipt_mark_reg_v1 = {
154static struct xt_target ip6t_mark_reg_v0 = { 131static struct xt_target ip6t_mark_reg_v0 = {
155 .name = "MARK", 132 .name = "MARK",
156 .target = target_v0, 133 .target = target_v0,
134 .targetsize = sizeof(struct xt_mark_target_info),
135 .table = "mangle",
157 .checkentry = checkentry_v0, 136 .checkentry = checkentry_v0,
158 .me = THIS_MODULE, 137 .me = THIS_MODULE,
159 .revision = 0, 138 .revision = 0,
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 8b76b6f8d1e4..b1da0ad10a6c 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -36,41 +36,24 @@ target(struct sk_buff **pskb,
36 return NF_QUEUE_NR(tinfo->queuenum); 36 return NF_QUEUE_NR(tinfo->queuenum);
37} 37}
38 38
39static int
40checkentry(const char *tablename,
41 const void *entry,
42 void *targinfo,
43 unsigned int targinfosize,
44 unsigned int hook_mask)
45{
46 if (targinfosize != XT_ALIGN(sizeof(struct xt_NFQ_info))) {
47 printk(KERN_WARNING "NFQUEUE: targinfosize %u != %Zu\n",
48 targinfosize,
49 XT_ALIGN(sizeof(struct xt_NFQ_info)));
50 return 0;
51 }
52
53 return 1;
54}
55
56static struct xt_target ipt_NFQ_reg = { 39static struct xt_target ipt_NFQ_reg = {
57 .name = "NFQUEUE", 40 .name = "NFQUEUE",
58 .target = target, 41 .target = target,
59 .checkentry = checkentry, 42 .targetsize = sizeof(struct xt_NFQ_info),
60 .me = THIS_MODULE, 43 .me = THIS_MODULE,
61}; 44};
62 45
63static struct xt_target ip6t_NFQ_reg = { 46static struct xt_target ip6t_NFQ_reg = {
64 .name = "NFQUEUE", 47 .name = "NFQUEUE",
65 .target = target, 48 .target = target,
66 .checkentry = checkentry, 49 .targetsize = sizeof(struct xt_NFQ_info),
67 .me = THIS_MODULE, 50 .me = THIS_MODULE,
68}; 51};
69 52
70static struct xt_target arpt_NFQ_reg = { 53static struct xt_target arpt_NFQ_reg = {
71 .name = "NFQUEUE", 54 .name = "NFQUEUE",
72 .target = target, 55 .target = target,
73 .checkentry = checkentry, 56 .targetsize = sizeof(struct xt_NFQ_info),
74 .me = THIS_MODULE, 57 .me = THIS_MODULE,
75}; 58};
76 59
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index 24d477afa939..8bacbe14afb5 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -33,38 +33,20 @@ target(struct sk_buff **pskb,
33 return XT_CONTINUE; 33 return XT_CONTINUE;
34} 34}
35 35
36static int 36static struct xt_target notrack_reg = {
37checkentry(const char *tablename, 37 .name = "NOTRACK",
38 const void *entry, 38 .target = target,
39 void *targinfo, 39 .targetsize = 0,
40 unsigned int targinfosize, 40 .table = "raw",
41 unsigned int hook_mask) 41 .me = THIS_MODULE,
42{
43 if (targinfosize != 0) {
44 printk(KERN_WARNING "NOTRACK: targinfosize %u != 0\n",
45 targinfosize);
46 return 0;
47 }
48
49 if (strcmp(tablename, "raw") != 0) {
50 printk(KERN_WARNING "NOTRACK: can only be called from \"raw\" table, not \"%s\"\n", tablename);
51 return 0;
52 }
53
54 return 1;
55}
56
57static struct xt_target notrack_reg = {
58 .name = "NOTRACK",
59 .target = target,
60 .checkentry = checkentry,
61 .me = THIS_MODULE,
62}; 42};
63static struct xt_target notrack6_reg = { 43
64 .name = "NOTRACK", 44static struct xt_target notrack6_reg = {
65 .target = target, 45 .name = "NOTRACK",
66 .checkentry = checkentry, 46 .target = target,
67 .me = THIS_MODULE, 47 .targetsize = 0,
48 .table = "raw",
49 .me = THIS_MODULE,
68}; 50};
69 51
70static int __init init(void) 52static int __init init(void)
diff --git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index 4ba6fd65c6e9..b3f07aa593f4 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -28,30 +28,17 @@ match(const struct sk_buff *skb,
28 return 1; 28 return 1;
29} 29}
30 30
31static int
32checkentry(const char *tablename,
33 const void *ip,
34 void *matchinfo,
35 unsigned int matchsize,
36 unsigned int hook_mask)
37{
38 /* Check the size */
39 if (matchsize != XT_ALIGN(sizeof(struct xt_comment_info)))
40 return 0;
41 return 1;
42}
43
44static struct xt_match comment_match = { 31static struct xt_match comment_match = {
45 .name = "comment", 32 .name = "comment",
46 .match = match, 33 .match = match,
47 .checkentry = checkentry, 34 .matchsize = sizeof(struct xt_comment_info),
48 .me = THIS_MODULE 35 .me = THIS_MODULE
49}; 36};
50 37
51static struct xt_match comment6_match = { 38static struct xt_match comment6_match = {
52 .name = "comment", 39 .name = "comment",
53 .match = match, 40 .match = match,
54 .checkentry = checkentry, 41 .matchsize = sizeof(struct xt_comment_info),
55 .me = THIS_MODULE 42 .me = THIS_MODULE
56}; 43};
57 44
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 150d2a4b0f71..d9851358ff49 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -128,9 +128,6 @@ static int check(const char *tablename,
128{ 128{
129 const struct xt_connbytes_info *sinfo = matchinfo; 129 const struct xt_connbytes_info *sinfo = matchinfo;
130 130
131 if (matchsize != XT_ALIGN(sizeof(struct xt_connbytes_info)))
132 return 0;
133
134 if (sinfo->what != XT_CONNBYTES_PKTS && 131 if (sinfo->what != XT_CONNBYTES_PKTS &&
135 sinfo->what != XT_CONNBYTES_BYTES && 132 sinfo->what != XT_CONNBYTES_BYTES &&
136 sinfo->what != XT_CONNBYTES_AVGPKT) 133 sinfo->what != XT_CONNBYTES_AVGPKT)
@@ -146,14 +143,16 @@ static int check(const char *tablename,
146 143
147static struct xt_match connbytes_match = { 144static struct xt_match connbytes_match = {
148 .name = "connbytes", 145 .name = "connbytes",
149 .match = &match, 146 .match = match,
150 .checkentry = &check, 147 .checkentry = check,
148 .matchsize = sizeof(struct xt_connbytes_info),
151 .me = THIS_MODULE 149 .me = THIS_MODULE
152}; 150};
153static struct xt_match connbytes6_match = { 151static struct xt_match connbytes6_match = {
154 .name = "connbytes", 152 .name = "connbytes",
155 .match = &match, 153 .match = match,
156 .checkentry = &check, 154 .checkentry = check,
155 .matchsize = sizeof(struct xt_connbytes_info),
157 .me = THIS_MODULE 156 .me = THIS_MODULE
158}; 157};
159 158
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index d06e925032da..2bb987f7bdd9 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -56,33 +56,31 @@ checkentry(const char *tablename,
56 unsigned int matchsize, 56 unsigned int matchsize,
57 unsigned int hook_mask) 57 unsigned int hook_mask)
58{ 58{
59 struct xt_connmark_info *cm = 59 struct xt_connmark_info *cm = (struct xt_connmark_info *)matchinfo;
60 (struct xt_connmark_info *)matchinfo;
61 if (matchsize != XT_ALIGN(sizeof(struct xt_connmark_info)))
62 return 0;
63 60
64 if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) { 61 if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
65 printk(KERN_WARNING "connmark: only support 32bit mark\n"); 62 printk(KERN_WARNING "connmark: only support 32bit mark\n");
66 return 0; 63 return 0;
67 } 64 }
68
69 return 1; 65 return 1;
70} 66}
71 67
72static struct xt_match connmark_match = { 68static struct xt_match connmark_match = {
73 .name = "connmark", 69 .name = "connmark",
74 .match = &match, 70 .match = match,
75 .checkentry = &checkentry, 71 .matchsize = sizeof(struct xt_connmark_info),
76 .me = THIS_MODULE 72 .checkentry = checkentry,
73 .me = THIS_MODULE
77}; 74};
75
78static struct xt_match connmark6_match = { 76static struct xt_match connmark6_match = {
79 .name = "connmark", 77 .name = "connmark",
80 .match = &match, 78 .match = match,
81 .checkentry = &checkentry, 79 .matchsize = sizeof(struct xt_connmark_info),
82 .me = THIS_MODULE 80 .checkentry = checkentry,
81 .me = THIS_MODULE
83}; 82};
84 83
85
86static int __init init(void) 84static int __init init(void)
87{ 85{
88 int ret; 86 int ret;
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index ffdebc95eb95..45a5a7d1939a 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -201,22 +201,10 @@ match(const struct sk_buff *skb,
201 201
202#endif /* CONFIG_NF_IP_CONNTRACK */ 202#endif /* CONFIG_NF_IP_CONNTRACK */
203 203
204static int check(const char *tablename,
205 const void *ip,
206 void *matchinfo,
207 unsigned int matchsize,
208 unsigned int hook_mask)
209{
210 if (matchsize != XT_ALIGN(sizeof(struct xt_conntrack_info)))
211 return 0;
212
213 return 1;
214}
215
216static struct xt_match conntrack_match = { 204static struct xt_match conntrack_match = {
217 .name = "conntrack", 205 .name = "conntrack",
218 .match = &match, 206 .match = match,
219 .checkentry = &check, 207 .matchsize = sizeof(struct xt_conntrack_info),
220 .me = THIS_MODULE, 208 .me = THIS_MODULE,
221}; 209};
222 210
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 779f42fc9524..06e9ef2b1d4c 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -133,52 +133,29 @@ checkentry(const char *tablename,
133 unsigned int matchsize, 133 unsigned int matchsize,
134 unsigned int hook_mask) 134 unsigned int hook_mask)
135{ 135{
136 const struct ipt_ip *ip = inf; 136 const struct xt_dccp_info *info = matchinfo;
137 const struct xt_dccp_info *info;
138 137
139 info = (const struct xt_dccp_info *)matchinfo; 138 return !(info->flags & ~XT_DCCP_VALID_FLAGS)
140
141 return ip->proto == IPPROTO_DCCP
142 && !(ip->invflags & XT_INV_PROTO)
143 && matchsize == XT_ALIGN(sizeof(struct xt_dccp_info))
144 && !(info->flags & ~XT_DCCP_VALID_FLAGS)
145 && !(info->invflags & ~XT_DCCP_VALID_FLAGS)
146 && !(info->invflags & ~info->flags);
147}
148
149static int
150checkentry6(const char *tablename,
151 const void *inf,
152 void *matchinfo,
153 unsigned int matchsize,
154 unsigned int hook_mask)
155{
156 const struct ip6t_ip6 *ip = inf;
157 const struct xt_dccp_info *info;
158
159 info = (const struct xt_dccp_info *)matchinfo;
160
161 return ip->proto == IPPROTO_DCCP
162 && !(ip->invflags & XT_INV_PROTO)
163 && matchsize == XT_ALIGN(sizeof(struct xt_dccp_info))
164 && !(info->flags & ~XT_DCCP_VALID_FLAGS)
165 && !(info->invflags & ~XT_DCCP_VALID_FLAGS) 139 && !(info->invflags & ~XT_DCCP_VALID_FLAGS)
166 && !(info->invflags & ~info->flags); 140 && !(info->invflags & ~info->flags);
167} 141}
168 142
169
170static struct xt_match dccp_match = 143static struct xt_match dccp_match =
171{ 144{
172 .name = "dccp", 145 .name = "dccp",
173 .match = &match, 146 .match = match,
174 .checkentry = &checkentry, 147 .matchsize = sizeof(struct xt_dccp_info),
148 .proto = IPPROTO_DCCP,
149 .checkentry = checkentry,
175 .me = THIS_MODULE, 150 .me = THIS_MODULE,
176}; 151};
177static struct xt_match dccp6_match = 152static struct xt_match dccp6_match =
178{ 153{
179 .name = "dccp", 154 .name = "dccp",
180 .match = &match, 155 .match = match,
181 .checkentry = &checkentry6, 156 .matchsize = sizeof(struct xt_dccp_info),
157 .proto = IPPROTO_DCCP,
158 .checkentry = checkentry,
182 .me = THIS_MODULE, 159 .me = THIS_MODULE,
183}; 160};
184 161
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 0ddb32363d06..dc28f49c484b 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -142,24 +142,21 @@ static int check(const char *tablename,
142 struct xt_helper_info *info = matchinfo; 142 struct xt_helper_info *info = matchinfo;
143 143
144 info->name[29] = '\0'; 144 info->name[29] = '\0';
145
146 /* verify size */
147 if (matchsize != XT_ALIGN(sizeof(struct xt_helper_info)))
148 return 0;
149
150 return 1; 145 return 1;
151} 146}
152 147
153static struct xt_match helper_match = { 148static struct xt_match helper_match = {
154 .name = "helper", 149 .name = "helper",
155 .match = &match, 150 .match = match,
156 .checkentry = &check, 151 .matchsize = sizeof(struct xt_helper_info),
152 .checkentry = check,
157 .me = THIS_MODULE, 153 .me = THIS_MODULE,
158}; 154};
159static struct xt_match helper6_match = { 155static struct xt_match helper6_match = {
160 .name = "helper", 156 .name = "helper",
161 .match = &match, 157 .match = match,
162 .checkentry = &check, 158 .matchsize = sizeof(struct xt_helper_info),
159 .checkentry = check,
163 .me = THIS_MODULE, 160 .me = THIS_MODULE,
164}; 161};
165 162
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index 39c8faea63de..11a2812a99b1 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -50,29 +50,17 @@ match6(const struct sk_buff *skb,
50 return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; 50 return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
51} 51}
52 52
53static int
54checkentry(const char *tablename,
55 const void *ip,
56 void *matchinfo,
57 unsigned int matchsize,
58 unsigned int hook_mask)
59{
60 if (matchsize != XT_ALIGN(sizeof(struct xt_length_info)))
61 return 0;
62
63 return 1;
64}
65
66static struct xt_match length_match = { 53static struct xt_match length_match = {
67 .name = "length", 54 .name = "length",
68 .match = &match, 55 .match = match,
69 .checkentry = &checkentry, 56 .matchsize = sizeof(struct xt_length_info),
70 .me = THIS_MODULE, 57 .me = THIS_MODULE,
71}; 58};
59
72static struct xt_match length6_match = { 60static struct xt_match length6_match = {
73 .name = "length", 61 .name = "length",
74 .match = &match6, 62 .match = match6,
75 .checkentry = &checkentry, 63 .matchsize = sizeof(struct xt_length_info),
76 .me = THIS_MODULE, 64 .me = THIS_MODULE,
77}; 65};
78 66
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 15e40506bc3a..dec3f02a9834 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -113,9 +113,6 @@ ipt_limit_checkentry(const char *tablename,
113{ 113{
114 struct xt_rateinfo *r = matchinfo; 114 struct xt_rateinfo *r = matchinfo;
115 115
116 if (matchsize != XT_ALIGN(sizeof(struct xt_rateinfo)))
117 return 0;
118
119 /* Check for overflow. */ 116 /* Check for overflow. */
120 if (r->burst == 0 117 if (r->burst == 0
121 || user2credits(r->avg * r->burst) < user2credits(r->avg)) { 118 || user2credits(r->avg * r->burst) < user2credits(r->avg)) {
@@ -140,12 +137,14 @@ ipt_limit_checkentry(const char *tablename,
140static struct xt_match ipt_limit_reg = { 137static struct xt_match ipt_limit_reg = {
141 .name = "limit", 138 .name = "limit",
142 .match = ipt_limit_match, 139 .match = ipt_limit_match,
140 .matchsize = sizeof(struct xt_rateinfo),
143 .checkentry = ipt_limit_checkentry, 141 .checkentry = ipt_limit_checkentry,
144 .me = THIS_MODULE, 142 .me = THIS_MODULE,
145}; 143};
146static struct xt_match limit6_reg = { 144static struct xt_match limit6_reg = {
147 .name = "limit", 145 .name = "limit",
148 .match = ipt_limit_match, 146 .match = ipt_limit_match,
147 .matchsize = sizeof(struct xt_rateinfo),
149 .checkentry = ipt_limit_checkentry, 148 .checkentry = ipt_limit_checkentry,
150 .me = THIS_MODULE, 149 .me = THIS_MODULE,
151}; 150};
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 0461dcb5fc7a..e20772616f55 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -42,37 +42,20 @@ match(const struct sk_buff *skb,
42 ^ info->invert)); 42 ^ info->invert));
43} 43}
44 44
45static int
46ipt_mac_checkentry(const char *tablename,
47 const void *inf,
48 void *matchinfo,
49 unsigned int matchsize,
50 unsigned int hook_mask)
51{
52 /* FORWARD isn't always valid, but it's nice to be able to do --RR */
53 if (hook_mask
54 & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN)
55 | (1 << NF_IP_FORWARD))) {
56 printk("xt_mac: only valid for PRE_ROUTING, LOCAL_IN or FORWARD.\n");
57 return 0;
58 }
59
60 if (matchsize != XT_ALIGN(sizeof(struct xt_mac_info)))
61 return 0;
62
63 return 1;
64}
65
66static struct xt_match mac_match = { 45static struct xt_match mac_match = {
67 .name = "mac", 46 .name = "mac",
68 .match = &match, 47 .match = match,
69 .checkentry = &ipt_mac_checkentry, 48 .matchsize = sizeof(struct xt_mac_info),
49 .hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) |
50 (1 << NF_IP_FORWARD),
70 .me = THIS_MODULE, 51 .me = THIS_MODULE,
71}; 52};
72static struct xt_match mac6_match = { 53static struct xt_match mac6_match = {
73 .name = "mac", 54 .name = "mac",
74 .match = &match, 55 .match = match,
75 .checkentry = &ipt_mac_checkentry, 56 .matchsize = sizeof(struct xt_mac_info),
57 .hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) |
58 (1 << NF_IP_FORWARD),
76 .me = THIS_MODULE, 59 .me = THIS_MODULE,
77}; 60};
78 61
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 2a0ac62b72c8..b21b94a4684f 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -42,28 +42,26 @@ checkentry(const char *tablename,
42{ 42{
43 struct xt_mark_info *minfo = (struct xt_mark_info *) matchinfo; 43 struct xt_mark_info *minfo = (struct xt_mark_info *) matchinfo;
44 44
45 if (matchsize != XT_ALIGN(sizeof(struct xt_mark_info)))
46 return 0;
47
48 if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) { 45 if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) {
49 printk(KERN_WARNING "mark: only supports 32bit mark\n"); 46 printk(KERN_WARNING "mark: only supports 32bit mark\n");
50 return 0; 47 return 0;
51 } 48 }
52
53 return 1; 49 return 1;
54} 50}
55 51
56static struct xt_match mark_match = { 52static struct xt_match mark_match = {
57 .name = "mark", 53 .name = "mark",
58 .match = &match, 54 .match = match,
59 .checkentry = &checkentry, 55 .matchsize = sizeof(struct xt_mark_info),
56 .checkentry = checkentry,
60 .me = THIS_MODULE, 57 .me = THIS_MODULE,
61}; 58};
62 59
63static struct xt_match mark6_match = { 60static struct xt_match mark6_match = {
64 .name = "mark", 61 .name = "mark",
65 .match = &match, 62 .match = match,
66 .checkentry = &checkentry, 63 .matchsize = sizeof(struct xt_mark_info),
64 .checkentry = checkentry,
67 .me = THIS_MODULE, 65 .me = THIS_MODULE,
68}; 66};
69 67
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 19bb57c14dfe..5afc41734d51 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -108,8 +108,6 @@ checkentry(const char *tablename,
108{ 108{
109 const struct xt_physdev_info *info = matchinfo; 109 const struct xt_physdev_info *info = matchinfo;
110 110
111 if (matchsize != XT_ALIGN(sizeof(struct xt_physdev_info)))
112 return 0;
113 if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || 111 if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
114 info->bitmask & ~XT_PHYSDEV_OP_MASK) 112 info->bitmask & ~XT_PHYSDEV_OP_MASK)
115 return 0; 113 return 0;
@@ -118,15 +116,17 @@ checkentry(const char *tablename,
118 116
119static struct xt_match physdev_match = { 117static struct xt_match physdev_match = {
120 .name = "physdev", 118 .name = "physdev",
121 .match = &match, 119 .match = match,
122 .checkentry = &checkentry, 120 .matchsize = sizeof(struct xt_physdev_info),
121 .checkentry = checkentry,
123 .me = THIS_MODULE, 122 .me = THIS_MODULE,
124}; 123};
125 124
126static struct xt_match physdev6_match = { 125static struct xt_match physdev6_match = {
127 .name = "physdev", 126 .name = "physdev",
128 .match = &match, 127 .match = match,
129 .checkentry = &checkentry, 128 .matchsize = sizeof(struct xt_physdev_info),
129 .checkentry = checkentry,
130 .me = THIS_MODULE, 130 .me = THIS_MODULE,
131}; 131};
132 132
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index ab1b2630f97d..872bb2a7d5b8 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -32,32 +32,20 @@ static int match(const struct sk_buff *skb,
32 return (skb->pkt_type == info->pkttype) ^ info->invert; 32 return (skb->pkt_type == info->pkttype) ^ info->invert;
33} 33}
34 34
35static int checkentry(const char *tablename,
36 const void *ip,
37 void *matchinfo,
38 unsigned int matchsize,
39 unsigned int hook_mask)
40{
41 if (matchsize != XT_ALIGN(sizeof(struct xt_pkttype_info)))
42 return 0;
43
44 return 1;
45}
46
47static struct xt_match pkttype_match = { 35static struct xt_match pkttype_match = {
48 .name = "pkttype", 36 .name = "pkttype",
49 .match = &match, 37 .match = match,
50 .checkentry = &checkentry, 38 .matchsize = sizeof(struct xt_pkttype_info),
51 .me = THIS_MODULE, 39 .me = THIS_MODULE,
52}; 40};
41
53static struct xt_match pkttype6_match = { 42static struct xt_match pkttype6_match = {
54 .name = "pkttype", 43 .name = "pkttype",
55 .match = &match, 44 .match = match,
56 .checkentry = &checkentry, 45 .matchsize = sizeof(struct xt_pkttype_info),
57 .me = THIS_MODULE, 46 .me = THIS_MODULE,
58}; 47};
59 48
60
61static int __init init(void) 49static int __init init(void)
62{ 50{
63 int ret; 51 int ret;
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 2b7e1781d34d..249e0a3e156b 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -38,30 +38,12 @@ match(const struct sk_buff *skb,
38 return (info->id == (dst->tclassid & info->mask)) ^ info->invert; 38 return (info->id == (dst->tclassid & info->mask)) ^ info->invert;
39} 39}
40 40
41static int check(const char *tablename,
42 const void *ip,
43 void *matchinfo,
44 unsigned int matchsize,
45 unsigned int hook_mask)
46{
47 if (hook_mask
48 & ~((1 << NF_IP_POST_ROUTING) | (1 << NF_IP_FORWARD) |
49 (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_LOCAL_IN))) {
50 printk("xt_realm: only valid for POST_ROUTING, LOCAL_OUT, "
51 "LOCAL_IN or FORWARD.\n");
52 return 0;
53 }
54 if (matchsize != XT_ALIGN(sizeof(struct xt_realm_info))) {
55 printk("xt_realm: invalid matchsize.\n");
56 return 0;
57 }
58 return 1;
59}
60
61static struct xt_match realm_match = { 41static struct xt_match realm_match = {
62 .name = "realm", 42 .name = "realm",
63 .match = match, 43 .match = match,
64 .checkentry = check, 44 .matchsize = sizeof(struct xt_realm_info),
45 .hooks = (1 << NF_IP_POST_ROUTING) | (1 << NF_IP_FORWARD) |
46 (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_LOCAL_IN),
65 .me = THIS_MODULE 47 .me = THIS_MODULE
66}; 48};
67 49
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 10fbfc5ba758..f0a25e5a5306 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -166,15 +166,9 @@ checkentry(const char *tablename,
166 unsigned int matchsize, 166 unsigned int matchsize,
167 unsigned int hook_mask) 167 unsigned int hook_mask)
168{ 168{
169 const struct xt_sctp_info *info; 169 const struct xt_sctp_info *info = matchinfo;
170 const struct ipt_ip *ip = inf;
171
172 info = (const struct xt_sctp_info *)matchinfo;
173 170
174 return ip->proto == IPPROTO_SCTP 171 return !(info->flags & ~XT_SCTP_VALID_FLAGS)
175 && !(ip->invflags & XT_INV_PROTO)
176 && matchsize == XT_ALIGN(sizeof(struct xt_sctp_info))
177 && !(info->flags & ~XT_SCTP_VALID_FLAGS)
178 && !(info->invflags & ~XT_SCTP_VALID_FLAGS) 172 && !(info->invflags & ~XT_SCTP_VALID_FLAGS)
179 && !(info->invflags & ~info->flags) 173 && !(info->invflags & ~info->flags)
180 && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) || 174 && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) ||
@@ -184,47 +178,23 @@ checkentry(const char *tablename,
184 | SCTP_CHUNK_MATCH_ONLY))); 178 | SCTP_CHUNK_MATCH_ONLY)));
185} 179}
186 180
187static int 181static struct xt_match sctp_match = {
188checkentry6(const char *tablename, 182 .name = "sctp",
189 const void *inf, 183 .match = match,
190 void *matchinfo, 184 .matchsize = sizeof(struct xt_sctp_info),
191 unsigned int matchsize, 185 .proto = IPPROTO_SCTP,
192 unsigned int hook_mask) 186 .checkentry = checkentry,
193{ 187 .me = THIS_MODULE
194 const struct xt_sctp_info *info;
195 const struct ip6t_ip6 *ip = inf;
196
197 info = (const struct xt_sctp_info *)matchinfo;
198
199 return ip->proto == IPPROTO_SCTP
200 && !(ip->invflags & XT_INV_PROTO)
201 && matchsize == XT_ALIGN(sizeof(struct xt_sctp_info))
202 && !(info->flags & ~XT_SCTP_VALID_FLAGS)
203 && !(info->invflags & ~XT_SCTP_VALID_FLAGS)
204 && !(info->invflags & ~info->flags)
205 && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) ||
206 (info->chunk_match_type &
207 (SCTP_CHUNK_MATCH_ALL
208 | SCTP_CHUNK_MATCH_ANY
209 | SCTP_CHUNK_MATCH_ONLY)));
210}
211
212
213static struct xt_match sctp_match =
214{
215 .name = "sctp",
216 .match = &match,
217 .checkentry = &checkentry,
218 .me = THIS_MODULE
219};
220static struct xt_match sctp6_match =
221{
222 .name = "sctp",
223 .match = &match,
224 .checkentry = &checkentry6,
225 .me = THIS_MODULE
226}; 188};
227 189
190static struct xt_match sctp6_match = {
191 .name = "sctp",
192 .match = match,
193 .matchsize = sizeof(struct xt_sctp_info),
194 .proto = IPPROTO_SCTP,
195 .checkentry = checkentry,
196 .me = THIS_MODULE
197};
228 198
229static int __init init(void) 199static int __init init(void)
230{ 200{
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 39ce808d40ef..9a7d6dfd7efb 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -43,29 +43,17 @@ match(const struct sk_buff *skb,
43 return (sinfo->statemask & statebit); 43 return (sinfo->statemask & statebit);
44} 44}
45 45
46static int check(const char *tablename,
47 const void *ip,
48 void *matchinfo,
49 unsigned int matchsize,
50 unsigned int hook_mask)
51{
52 if (matchsize != XT_ALIGN(sizeof(struct xt_state_info)))
53 return 0;
54
55 return 1;
56}
57
58static struct xt_match state_match = { 46static struct xt_match state_match = {
59 .name = "state", 47 .name = "state",
60 .match = &match, 48 .match = match,
61 .checkentry = &check, 49 .matchsize = sizeof(struct xt_state_info),
62 .me = THIS_MODULE, 50 .me = THIS_MODULE,
63}; 51};
64 52
65static struct xt_match state6_match = { 53static struct xt_match state6_match = {
66 .name = "state", 54 .name = "state",
67 .match = &match, 55 .match = match,
68 .checkentry = &check, 56 .matchsize = sizeof(struct xt_state_info),
69 .me = THIS_MODULE, 57 .me = THIS_MODULE,
70}; 58};
71 59
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 7c7d5c8807d6..c3efd3773d75 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -50,9 +50,6 @@ static int checkentry(const char *tablename,
50 struct xt_string_info *conf = matchinfo; 50 struct xt_string_info *conf = matchinfo;
51 struct ts_config *ts_conf; 51 struct ts_config *ts_conf;
52 52
53 if (matchsize != XT_ALIGN(sizeof(struct xt_string_info)))
54 return 0;
55
56 /* Damn, can't handle this case properly with iptables... */ 53 /* Damn, can't handle this case properly with iptables... */
57 if (conf->from_offset > conf->to_offset) 54 if (conf->from_offset > conf->to_offset)
58 return 0; 55 return 0;
@@ -75,6 +72,7 @@ static void destroy(void *matchinfo, unsigned int matchsize)
75static struct xt_match string_match = { 72static struct xt_match string_match = {
76 .name = "string", 73 .name = "string",
77 .match = match, 74 .match = match,
75 .matchsize = sizeof(struct xt_string_info),
78 .checkentry = checkentry, 76 .checkentry = checkentry,
79 .destroy = destroy, 77 .destroy = destroy,
80 .me = THIS_MODULE 78 .me = THIS_MODULE
@@ -82,6 +80,7 @@ static struct xt_match string_match = {
82static struct xt_match string6_match = { 80static struct xt_match string6_match = {
83 .name = "string", 81 .name = "string",
84 .match = match, 82 .match = match,
83 .matchsize = sizeof(struct xt_string_info),
85 .checkentry = checkentry, 84 .checkentry = checkentry,
86 .destroy = destroy, 85 .destroy = destroy,
87 .me = THIS_MODULE 86 .me = THIS_MODULE
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index acf7f533e9f1..95d8611eef23 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -92,58 +92,19 @@ match(const struct sk_buff *skb,
92 info->invert, hotdrop); 92 info->invert, hotdrop);
93} 93}
94 94
95static int
96checkentry(const char *tablename,
97 const void *ipinfo,
98 void *matchinfo,
99 unsigned int matchsize,
100 unsigned int hook_mask)
101{
102 const struct ipt_ip *ip = ipinfo;
103 if (matchsize != XT_ALIGN(sizeof(struct xt_tcpmss_match_info)))
104 return 0;
105
106 /* Must specify -p tcp */
107 if (ip->proto != IPPROTO_TCP || (ip->invflags & IPT_INV_PROTO)) {
108 printk("tcpmss: Only works on TCP packets\n");
109 return 0;
110 }
111
112 return 1;
113}
114
115static int
116checkentry6(const char *tablename,
117 const void *ipinfo,
118 void *matchinfo,
119 unsigned int matchsize,
120 unsigned int hook_mask)
121{
122 const struct ip6t_ip6 *ip = ipinfo;
123
124 if (matchsize != XT_ALIGN(sizeof(struct xt_tcpmss_match_info)))
125 return 0;
126
127 /* Must specify -p tcp */
128 if (ip->proto != IPPROTO_TCP || (ip->invflags & XT_INV_PROTO)) {
129 printk("tcpmss: Only works on TCP packets\n");
130 return 0;
131 }
132
133 return 1;
134}
135
136static struct xt_match tcpmss_match = { 95static struct xt_match tcpmss_match = {
137 .name = "tcpmss", 96 .name = "tcpmss",
138 .match = &match, 97 .match = match,
139 .checkentry = &checkentry, 98 .matchsize = sizeof(struct xt_tcpmss_match_info),
99 .proto = IPPROTO_TCP,
140 .me = THIS_MODULE, 100 .me = THIS_MODULE,
141}; 101};
142 102
143static struct xt_match tcpmss6_match = { 103static struct xt_match tcpmss6_match = {
144 .name = "tcpmss", 104 .name = "tcpmss",
145 .match = &match, 105 .match = match,
146 .checkentry = &checkentry6, 106 .matchsize = sizeof(struct xt_tcpmss_match_info),
107 .proto = IPPROTO_TCP,
147 .me = THIS_MODULE, 108 .me = THIS_MODULE,
148}; 109};
149 110
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 669c8113cc60..9d01f07ceb65 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -142,35 +142,12 @@ tcp_checkentry(const char *tablename,
142 unsigned int matchsize, 142 unsigned int matchsize,
143 unsigned int hook_mask) 143 unsigned int hook_mask)
144{ 144{
145 const struct ipt_ip *ip = info;
146 const struct xt_tcp *tcpinfo = matchinfo; 145 const struct xt_tcp *tcpinfo = matchinfo;
147 146
148 /* Must specify proto == TCP, and no unknown invflags */ 147 /* Must specify no unknown invflags */
149 return ip->proto == IPPROTO_TCP 148 return !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
150 && !(ip->invflags & XT_INV_PROTO)
151 && matchsize == XT_ALIGN(sizeof(struct xt_tcp))
152 && !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
153} 149}
154 150
155/* Called when user tries to insert an entry of this type. */
156static int
157tcp6_checkentry(const char *tablename,
158 const void *entry,
159 void *matchinfo,
160 unsigned int matchsize,
161 unsigned int hook_mask)
162{
163 const struct ip6t_ip6 *ipv6 = entry;
164 const struct xt_tcp *tcpinfo = matchinfo;
165
166 /* Must specify proto == TCP, and no unknown invflags */
167 return ipv6->proto == IPPROTO_TCP
168 && !(ipv6->invflags & XT_INV_PROTO)
169 && matchsize == XT_ALIGN(sizeof(struct xt_tcp))
170 && !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
171}
172
173
174static int 151static int
175udp_match(const struct sk_buff *skb, 152udp_match(const struct sk_buff *skb,
176 const struct net_device *in, 153 const struct net_device *in,
@@ -209,86 +186,47 @@ static int
209udp_checkentry(const char *tablename, 186udp_checkentry(const char *tablename,
210 const void *info, 187 const void *info,
211 void *matchinfo, 188 void *matchinfo,
212 unsigned int matchinfosize, 189 unsigned int matchsize,
213 unsigned int hook_mask)
214{
215 const struct ipt_ip *ip = info;
216 const struct xt_udp *udpinfo = matchinfo;
217
218 /* Must specify proto == UDP, and no unknown invflags */
219 if (ip->proto != IPPROTO_UDP || (ip->invflags & XT_INV_PROTO)) {
220 duprintf("ipt_udp: Protocol %u != %u\n", ip->proto,
221 IPPROTO_UDP);
222 return 0;
223 }
224 if (matchinfosize != XT_ALIGN(sizeof(struct xt_udp))) {
225 duprintf("ipt_udp: matchsize %u != %u\n",
226 matchinfosize, XT_ALIGN(sizeof(struct xt_udp)));
227 return 0;
228 }
229 if (udpinfo->invflags & ~XT_UDP_INV_MASK) {
230 duprintf("ipt_udp: unknown flags %X\n",
231 udpinfo->invflags);
232 return 0;
233 }
234
235 return 1;
236}
237
238/* Called when user tries to insert an entry of this type. */
239static int
240udp6_checkentry(const char *tablename,
241 const void *entry,
242 void *matchinfo,
243 unsigned int matchinfosize,
244 unsigned int hook_mask) 190 unsigned int hook_mask)
245{ 191{
246 const struct ip6t_ip6 *ipv6 = entry; 192 const struct xt_tcp *udpinfo = matchinfo;
247 const struct xt_udp *udpinfo = matchinfo;
248 193
249 /* Must specify proto == UDP, and no unknown invflags */ 194 /* Must specify no unknown invflags */
250 if (ipv6->proto != IPPROTO_UDP || (ipv6->invflags & XT_INV_PROTO)) { 195 return !(udpinfo->invflags & ~XT_UDP_INV_MASK);
251 duprintf("ip6t_udp: Protocol %u != %u\n", ipv6->proto,
252 IPPROTO_UDP);
253 return 0;
254 }
255 if (matchinfosize != XT_ALIGN(sizeof(struct xt_udp))) {
256 duprintf("ip6t_udp: matchsize %u != %u\n",
257 matchinfosize, XT_ALIGN(sizeof(struct xt_udp)));
258 return 0;
259 }
260 if (udpinfo->invflags & ~XT_UDP_INV_MASK) {
261 duprintf("ip6t_udp: unknown flags %X\n",
262 udpinfo->invflags);
263 return 0;
264 }
265
266 return 1;
267} 196}
268 197
269static struct xt_match tcp_matchstruct = { 198static struct xt_match tcp_matchstruct = {
270 .name = "tcp", 199 .name = "tcp",
271 .match = &tcp_match, 200 .match = tcp_match,
272 .checkentry = &tcp_checkentry, 201 .matchsize = sizeof(struct xt_tcp),
202 .proto = IPPROTO_TCP,
203 .checkentry = tcp_checkentry,
273 .me = THIS_MODULE, 204 .me = THIS_MODULE,
274}; 205};
206
275static struct xt_match tcp6_matchstruct = { 207static struct xt_match tcp6_matchstruct = {
276 .name = "tcp", 208 .name = "tcp",
277 .match = &tcp_match, 209 .match = tcp_match,
278 .checkentry = &tcp6_checkentry, 210 .matchsize = sizeof(struct xt_tcp),
211 .proto = IPPROTO_TCP,
212 .checkentry = tcp_checkentry,
279 .me = THIS_MODULE, 213 .me = THIS_MODULE,
280}; 214};
281 215
282static struct xt_match udp_matchstruct = { 216static struct xt_match udp_matchstruct = {
283 .name = "udp", 217 .name = "udp",
284 .match = &udp_match, 218 .match = udp_match,
285 .checkentry = &udp_checkentry, 219 .matchsize = sizeof(struct xt_udp),
220 .proto = IPPROTO_UDP,
221 .checkentry = udp_checkentry,
286 .me = THIS_MODULE, 222 .me = THIS_MODULE,
287}; 223};
288static struct xt_match udp6_matchstruct = { 224static struct xt_match udp6_matchstruct = {
289 .name = "udp", 225 .name = "udp",
290 .match = &udp_match, 226 .match = udp_match,
291 .checkentry = &udp6_checkentry, 227 .matchsize = sizeof(struct xt_udp),
228 .proto = IPPROTO_UDP,
229 .checkentry = udp_checkentry,
292 .me = THIS_MODULE, 230 .me = THIS_MODULE,
293}; 231};
294 232
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-28 07:36:43 -0500