authorJan Engelhardt <jengelh@medozas.de>2009-07-07 14:54:30 -0400
committerJan Engelhardt <jengelh@medozas.de>2010-05-11 12:35:27 -0400
commitb4ba26119b06052888696491f614201817491a0d (patch)
treed6dc2a4e0f78641b5b64a1728322c81cbad09974
parent62fc8051083a334578c3f4b3488808f210b4565f (diff)
netfilter: xtables: change hotdrop pointer to direct modification
Since xt_action_param is writable, let's use it. The pointer to 'bool hotdrop' always worried (8 bytes (64-bit) to write 1 byte!). Surprisingly results in a reduction in size: text data bss filename 5457066 692730 357892 vmlinux.o-prev 5456554 692730 357892 vmlinux.o Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-rw-r--r--include/linux/netfilter/x_tables.h5
-rw-r--r--net/bridge/netfilter/ebtables.c5
-rw-r--r--net/ipv4/netfilter/arp_tables.c6
-rw-r--r--net/ipv4/netfilter/ip_tables.c9
-rw-r--r--net/ipv4/netfilter/ipt_ah.c2
-rw-r--r--net/ipv4/netfilter/ipt_ecn.c2
-rw-r--r--net/ipv6/netfilter/ip6_tables.c11
-rw-r--r--net/ipv6/netfilter/ip6t_ah.c4
-rw-r--r--net/ipv6/netfilter/ip6t_eui64.c2
-rw-r--r--net/ipv6/netfilter/ip6t_frag.c4
-rw-r--r--net/ipv6/netfilter/ip6t_hbh.c4
-rw-r--r--net/ipv6/netfilter/ip6t_mh.c4
-rw-r--r--net/ipv6/netfilter/ip6t_rt.c4
-rw-r--r--net/netfilter/xt_connlimit.c4
-rw-r--r--net/netfilter/xt_dccp.c4
-rw-r--r--net/netfilter/xt_esp.c2
-rw-r--r--net/netfilter/xt_hashlimit.c2
-rw-r--r--net/netfilter/xt_multiport.c2
-rw-r--r--net/netfilter/xt_recent.c2
-rw-r--r--net/netfilter/xt_sctp.c4
-rw-r--r--net/netfilter/xt_tcpmss.c2
-rw-r--r--net/netfilter/xt_tcpudp.c10
22 files changed, 47 insertions, 47 deletions
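diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 40c6a8d2a9ea..c2ee5d8550cf 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -196,6 +196,9 @@ struct xt_counters_info {
  * @hook: hook number given packet came from
  * @family: Actual NFPROTO_* through which the function is invoked
  * (helpful when match->family == NFPROTO_UNSPEC)
+ *
+ * Fields written to by extensions:
+ *
  * @hotdrop: drop packet if we had inspection problems
  * Network namespace obtainable using dev_net(in/out)
  */
@@ -212,7 +215,7 @@ struct xt_action_param {
  unsigned int thoff;
  unsigned int hooknum;
  u_int8_t family;
- bool *hotdrop;
+ bool hotdrop;
 };
 
 /**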
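Review bot: With `hotdrop` now a plain member of `struct xt_action_param`, every caller that builds the structure on its stack has to set it to false before the first extension runs, and the kernel-doc does not say so. The table walkers in this commit each assign `acpar.hotdrop = false;` by hand; a later caller that omits the assignment would test an uninitialised bool after the rule walk and could drop, or fail to drop, packets unpredictably. I would extend the entry to `@hotdrop: drop packet if we had inspection problems; the caller must initialise it to false before any extension runs`. The struct definition starts outside this hunk.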
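diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 290d43541d46..59ca00e40dec 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -186,13 +186,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
  struct ebt_entries *chaininfo;
  const char *base;
  const struct ebt_table_info *private;
- bool hotdrop = false;
  struct xt_action_param acpar;
 
  acpar.family = NFPROTO_BRIDGE;
  acpar.in = in;
  acpar.out = out;
- acpar.hotdrop = &hotdrop;
+ acpar.hotdrop = false;
  acpar.hooknum = hook;
 
  read_lock_bh(&table->lock);
@@ -216,7 +215,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
 
  if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
  goto letscontinue;
- if (hotdrop) {
+ if (acpar.hotdrop) {
  read_unlock_bh(&table->lock);
  return NF_DROP;
  }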
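Review bot: In the second hunk the `if (acpar.hotdrop)` test is reached only when `EBT_MATCH_ITERATE(...)` returns 0, because the branch above it jumps to `letscontinue` otherwise. The matches touched by this commit set `par->hotdrop = true` and then return false, so if ebt_do_match (not visible here) maps a false return to a non-zero value, the drop request is skipped for that rule and the flag stays set in `acpar` until some later rule matches completely. Storing the iterate result, testing `acpar.hotdrop` first and only then taking `goto letscontinue` on a non-zero result would make the drop immediate. ebt_do_table continues outside both hunks, so this should be confirmed against the full function.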
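diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 9e7d089f168a..8cc56d26e937 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -260,7 +260,6 @@ unsigned int arpt_do_table(struct sk_buff *skb,
  static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
  unsigned int verdict = NF_DROP;
  const struct arphdr *arp;
- bool hotdrop = false;
  struct arpt_entry *e, *back;
  const char *indev, *outdev;
  void *table_base;
@@ -284,6 +283,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
  acpar.out = out;
  acpar.hooknum = hook;
  acpar.family = NFPROTO_ARP;
+ acpar.hotdrop = false;
 
  arp = arp_hdr(skb);
  do {
@@ -345,10 +345,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
  else
  /* Verdict */
  break;
- } while (!hotdrop);
+ } while (!acpar.hotdrop);
  xt_info_rdunlock_bh();
 
- if (hotdrop)
+ if (acpar.hotdrop)
  return NF_DROP;
  else
  return verdict;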
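diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 4e674f2824a7..607f89f16b76 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -308,7 +308,6 @@ ipt_do_table(struct sk_buff *skb,
 {
  static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
  const struct iphdr *ip;
- bool hotdrop = false;
  /* Initializing verdict to NF_DROP keeps gcc happy. */
  unsigned int verdict = NF_DROP;
  const char *indev, *outdev;
@@ -330,7 +329,7 @@ ipt_do_table(struct sk_buff *skb,
  * match it. */
  acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
  acpar.thoff = ip_hdrlen(skb);
- acpar.hotdrop = &hotdrop;
+ acpar.hotdrop = false;
  acpar.in = in;
  acpar.out = out;
  acpar.family = NFPROTO_IPV4;
@@ -432,7 +431,7 @@ ipt_do_table(struct sk_buff *skb,
  else
  /* Verdict */
  break;
- } while (!hotdrop);
+ } while (!acpar.hotdrop);
  xt_info_rdunlock_bh();
  pr_debug("Exiting %s; resetting sp from %u to %u\n",
  __func__, *stackptr, origptr);
@@ -440,7 +439,7 @@ ipt_do_table(struct sk_buff *skb,
 #ifdef DEBUG_ALLOW_ALL
  return NF_ACCEPT;
 #else
- if (hotdrop)
+ if (acpar.hotdrop)
  return NF_DROP;
  else return verdict;
 #endif
@@ -2154,7 +2153,7 @@ icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
  * can't. Hence, no choice but to drop.
  */
  duprintf("Dropping evil ICMP tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 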
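diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index c9d83dc2d6fa..14a2aa8b8a14 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -46,7 +46,7 @@ static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
  * can't. Hence, no choice but to drop.
  */
  pr_debug("Dropping evil AH tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
  return 0;
  }
 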
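diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index b79dddc9edd6..af6e9c778345 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -78,7 +78,7 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
  if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
  if (ip_hdr(skb)->protocol != IPPROTO_TCP)
  return false;
- if (!match_tcp(skb, info, par->hotdrop))
+ if (!match_tcp(skb, info, &par->hotdrop))
  return false;
  }
 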
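Review bot: `match_tcp()` still receives a `bool *`, now formed as `&par->hotdrop`, so the helper keeps the pointer indirection that the commit message sets out to remove. The same pattern appears at the calls to `ip6_packet_match()` in ip6_tables.c, `match_option()` in xt_dccp.c, `match_packet()` in xt_sctp.c and `tcp_find_option()` in xt_tcpudp.c. Passing the `xt_action_param` pointer and writing `par->hotdrop = true;` inside the helpers would leave a single way of requesting a drop; if that is left for a follow-up, a comment such as `/* helper still takes bool *hotdrop; convert to xt_action_param */` at the call would record it. The helper definitions are outside the hunks shown.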
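diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 4549f8d6f88f..557fac9689c0 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -337,7 +337,6 @@ ip6t_do_table(struct sk_buff *skb,
  struct xt_table *table)
 {
  static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
- bool hotdrop = false;
  /* Initializing verdict to NF_DROP keeps gcc happy. */
  unsigned int verdict = NF_DROP;
  const char *indev, *outdev;
@@ -356,7 +355,7 @@ ip6t_do_table(struct sk_buff *skb,
  * things we don't know, ie. tcp syn flag or ports). If the
  * rule is also a fragment-specific rule, non-fragments won't
  * match it. */
- acpar.hotdrop = &hotdrop;
+ acpar.hotdrop = false;
  acpar.in = in;
  acpar.out = out;
  acpar.family = NFPROTO_IPV6;
@@ -380,7 +379,7 @@ ip6t_do_table(struct sk_buff *skb,
 
  IP_NF_ASSERT(e);
  if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
- &acpar.thoff, &acpar.fragoff, &hotdrop)) {
+ &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
  no_match:
  e = ip6t_next_entry(e);
  continue;
@@ -447,7 +446,7 @@ ip6t_do_table(struct sk_buff *skb,
  else
  /* Verdict */
  break;
- } while (!hotdrop);
+ } while (!acpar.hotdrop);
 
  xt_info_rdunlock_bh();
  *stackptr = origptr;
@@ -455,7 +454,7 @@ ip6t_do_table(struct sk_buff *skb,
 #ifdef DEBUG_ALLOW_ALL
  return NF_ACCEPT;
 #else
- if (hotdrop)
+ if (acpar.hotdrop)
  return NF_DROP;
  else return verdict;
 #endif
@@ -2170,7 +2169,7 @@ icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
  * can't. Hence, no choice but to drop.
  */
  duprintf("Dropping evil ICMP tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 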
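diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index c89887f35a46..89cccc5a9c92 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -48,13 +48,13 @@ static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
  err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
  if (err < 0) {
  if (err != -ENOENT)
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 
  ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
  if (ah == NULL) {
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 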
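diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index f32fce34145a..aab0706908c5 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -27,7 +27,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
  if (!(skb_mac_header(skb) >= skb->head &&
  skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
  par->fragoff != 0) {
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 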
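Review bot: The guard in eui64_mt6 sets `par->hotdrop` only when the MAC-header bounds test fails and `par->fragoff != 0` holds as well, so a packet whose MAC header lies outside `skb->head`..`skb->data` but has `fragoff == 0` passes the guard. The code after the hunk is not visible; if it goes on to read the Ethernet source address, that read happens on a header the test has just found to be out of range. The bounds test should decide on its own, i.e. the condition should end at `skb_mac_header(skb) + ETH_HLEN <= skb->data)) {` without the `&& par->fragoff != 0` term. The condition predates this commit, which only changes the assignment inside it.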
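diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index fcc8c72f218e..eda898fda6ca 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -46,13 +46,13 @@ frag_mt6(const struct sk_buff *skb, struct xt_action_param *par)
  err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
  if (err < 0) {
  if (err != -ENOENT)
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 
  fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
  if (fh == NULL) {
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 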
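diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index f8aebc098d71..59df051eaef6 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -65,13 +65,13 @@ hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
  NEXTHDR_HOP : NEXTHDR_DEST, NULL);
  if (err < 0) {
  if (err != -ENOENT)
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 
  oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
  if (oh == NULL) {
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 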
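diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index eb1c3d65271a..0c90c66b1992 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -47,14 +47,14 @@ static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
  /* We've been asked to examine this packet, and we
  can't. Hence, no choice but to drop. */
  pr_debug("Dropping evil MH tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 
  if (mh->ip6mh_proto != IPPROTO_NONE) {
  pr_debug("Dropping invalid MH Payload Proto: %u\n",
  mh->ip6mh_proto);
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 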
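diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index ee584693ee35..d8488c50a8e0 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -52,13 +52,13 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
  err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
  if (err < 0) {
  if (err != -ENOENT)
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 
  rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
  if (rh == NULL) {
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 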
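diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index f130fd9817be..5c5b6b921b84 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -206,14 +206,14 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
 
  if (connections < 0) {
  /* kmalloc failed, drop it entirely */
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 
  return (connections > info->limit) ^ info->inverse;
 
  hotdrop:
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
 }
 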
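Review bot: The `connections < 0` branch repeats, line for line, the body of the `hotdrop:` label a few lines below it. Reusing the label keeps a single drop path in connlimit_mt: `if (connections < 0) goto hotdrop; /* kmalloc failed, drop it entirely */`. The start of the function, and whatever else jumps to the label, is outside the hunk.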
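diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index cc2c2919439f..b63d2a3d80ba 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -107,7 +107,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 
  dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
  if (dh == NULL) {
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 
@@ -120,7 +120,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
  && DCCHECK(match_types(dh, info->typemask),
  XT_DCCP_TYPE, info->flags, info->invflags)
  && DCCHECK(match_option(info->option, skb, par->thoff, dh,
- par->hotdrop),
+ &par->hotdrop),
  XT_DCCP_OPTION, info->flags, info->invflags);
 }
 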
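diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 7c2d80020554..171ba82b5902 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -52,7 +52,7 @@ static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
  * can't. Hence, no choice but to drop.
  */
  pr_debug("Dropping evil ESP tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 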
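diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 25a6e548ec27..b46a8390896d 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -562,7 +562,7 @@ hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
  return info->cfg.mode & XT_HASHLIMIT_INVERT;
 
  hotdrop:
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
 }
 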
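diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 52beb68256c8..ac1d3c3d09e7 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -87,7 +87,7 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
  * can't. Hence, no choice but to drop.
  */
  pr_debug("Dropping evil offset=0 tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 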
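diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 2808a7e33947..76aec6a44762 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -268,7 +268,7 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
  goto out;
  e = recent_entry_init(t, &addr, par->family, ttl);
  if (e == NULL)
- *par->hotdrop = true;
+ par->hotdrop = true;
  ret = !ret;
  goto out;
  }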
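Review bot: When `recent_entry_init()` returns NULL the code sets `par->hotdrop` but still runs `ret = !ret;` and jumps to `out`, so recent_mt may report a match while also requesting a drop; the other matches in this commit return false right after setting the flag. The unbraced `if` followed by two more statements at what looks like the same level also makes the scope easy to misread. If the fall-through is intended, a comment such as `/* allocation failed: request drop; ret is still toggled below */` above the `if` would state it. What `out:` does and how the table walker treats a true return with hotdrop set are outside the hunk.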
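diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 94d8b5deb2d0..c04fcf385c59 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -128,7 +128,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
  sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
  if (sh == NULL) {
  pr_debug("Dropping evil TCP offset=0 tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
  pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
@@ -140,7 +140,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
  && ntohs(sh->dest) <= info->dpts[1],
  XT_SCTP_DEST_PORTS, info->flags, info->invflags)
  && SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
- info, par->hotdrop),
+ info, &par->hotdrop),
  XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
 }
 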
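Review bot: The debug message next to the changed assignment in the first hunk of sctp_mt reads `Dropping evil TCP offset=0 tinygram.`, although the header that could not be read there is the SCTP header. That is misleading when tracing why a packet was hot-dropped. Suggested wording: `pr_debug("Dropping evil SCTP offset=0 tinygram.\n");`. The line is unchanged context in this commit.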
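diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index f90728f6b8a4..c53d4d18eadf 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -73,7 +73,7 @@ out:
  return info->invert;
 
 dropit:
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
 }
 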
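diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index dedde33c9db6..c14d4645daa3 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -77,7 +77,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
  */
  if (par->fragoff == 1) {
  pr_debug("Dropping evil TCP offset=1 frag.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
  }
  /* Must not be a fragment. */
  return false;
@@ -90,7 +90,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
  /* We've been asked to examine this packet, and we
  can't. Hence, no choice but to drop. */
  pr_debug("Dropping evil TCP offset=0 tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 
@@ -108,13 +108,13 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
  return false;
  if (tcpinfo->option) {
  if (th->doff * 4 < sizeof(_tcph)) {
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
  if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
  th->doff*4 - sizeof(_tcph),
  tcpinfo->invflags & XT_TCP_INV_OPTION,
- par->hotdrop))
+ &par->hotdrop))
  return false;
  }
  return true;
@@ -143,7 +143,7 @@ static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)
  /* We've been asked to examine this packet, and we
  can't. Hence, no choice but to drop. */
  pr_debug("Dropping evil UDP tinygram.\n");
- *par->hotdrop = true;
+ par->hotdrop = true;
  return false;
  }
 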