author | Jan Engelhardt <jengelh@medozas.de> | 2009-07-07 14:54:30 -0400 |
committer | Jan Engelhardt <jengelh@medozas.de> | 2010-05-11 12:35:27 -0400 |
commit | b4ba26119b06052888696491f614201817491a0d (patch) | |
tree | d6dc2a4e0f78641b5b64a1728322c81cbad09974 | |
parent | 62fc8051083a334578c3f4b3488808f210b4565f (diff) |
netfilter: xtables: change hotdrop pointer to direct modification
Since xt_action_param is writable, let's use it. The pointer to
'bool hotdrop' always worried (8 bytes (64-bit) to write 1 byte!).
Surprisingly results in a reduction in size:
text data bss filename
5457066 692730 357892 vmlinux.o-prev
5456554 692730 357892 vmlinux.o
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-rw-r--r-- | include/linux/netfilter/x_tables.h | 5 | ||||
-rw-r--r-- | net/bridge/netfilter/ebtables.c | 5 | ||||
-rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 6 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 9 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_ah.c | 2 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_ecn.c | 2 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 11 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_ah.c | 4 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_eui64.c | 2 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_frag.c | 4 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_hbh.c | 4 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_mh.c | 4 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_rt.c | 4 | ||||
-rw-r--r-- | net/netfilter/xt_connlimit.c | 4 | ||||
-rw-r--r-- | net/netfilter/xt_dccp.c | 4 | ||||
-rw-r--r-- | net/netfilter/xt_esp.c | 2 | ||||
-rw-r--r-- | net/netfilter/xt_hashlimit.c | 2 | ||||
-rw-r--r-- | net/netfilter/xt_multiport.c | 2 | ||||
-rw-r--r-- | net/netfilter/xt_recent.c | 2 | ||||
-rw-r--r-- | net/netfilter/xt_sctp.c | 4 | ||||
-rw-r--r-- | net/netfilter/xt_tcpmss.c | 2 | ||||
-rw-r--r-- | net/netfilter/xt_tcpudp.c | 10 |
22 files changed, 47 insertions, 47 deletions
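--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -196,6 +196,9 @@ struct xt_counters_info {
 * @hook: hook number given packet came from
 * @family: Actual NFPROTO_* through which the function is invoked
 * (helpful when match->family == NFPROTO_UNSPEC)
+*
+* Fields written to by extensions:
+*
 * @hotdrop: drop packet if we had inspection problems
 * Network namespace obtainable using dev_net(in/out)
 */
@@ -212,7 +215,7 @@ struct xt_action_param {
 unsigned int thoff;
 unsigned int hooknum;
 u_int8_t family;
-bool *hotdrop;
+bool hotdrop;
 };
 
 /**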
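Review bot: The new "Fields written to by extensions:" heading introduces a write-side contract for @hotdrop that the comment does not actually state: every extension in this commit only ever sets it to true, and it is the table walker that resets it to false before each packet (ebtables, arp_tables, ip_tables and ip6_tables here). Because the flag is now embedded by value rather than pointed at, a `struct xt_action_param` reused across packets without that reset would carry a stale drop over; the stack-allocated instances touched in this commit do reset it, but the header is where the rule belongs. I would extend the line to `* @hotdrop: drop packet if we had inspection problems; set to true by extensions only, reset to false by the table walker for each packet`. The remaining members of the struct are outside the hunk.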
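--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -186,13 +186,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
 struct ebt_entries *chaininfo;
 const char *base;
 const struct ebt_table_info *private;
-bool hotdrop = false;
 struct xt_action_param acpar;
 
 acpar.family = NFPROTO_BRIDGE;
 acpar.in = in;
 acpar.out = out;
-acpar.hotdrop = &hotdrop;
+acpar.hotdrop = false;
 acpar.hooknum = hook;
 
 read_lock_bh(&table->lock);
@@ -216,7 +215,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
 
 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
 goto letscontinue;
-if (hotdrop) {
+if (acpar.hotdrop) {
 read_unlock_bh(&table->lock);
 return NF_DROP;
 }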
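Review bot: `acpar.hotdrop = false;` at line 194 is one of five member-by-member stores into a `struct xt_action_param` that is otherwise left uninitialized, so any member not assigned here (the struct also carries `thoff`, and `fragoff` is used by the ip6_tables hunk) holds stack garbage if an extension reads it on the bridge path; whether any bridge-capable match does so is not visible from this hunk. Now that hotdrop is a value member, a designated initializer at the declaration, `struct xt_action_param acpar = { .family = NFPROTO_BRIDGE, .in = in, .out = out, .hooknum = hook };`, zeroes every other member including hotdrop and replaces the five stores. arp_tables.c (line 286) has the same shape; ip_tables.c and ip6_tables.c set thoff/fragoff explicitly. ebt_do_table continues outside the hunk.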
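--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -260,7 +260,6 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
 unsigned int verdict = NF_DROP;
 const struct arphdr *arp;
-bool hotdrop = false;
 struct arpt_entry *e, *back;
 const char *indev, *outdev;
 void *table_base;
@@ -284,6 +283,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 acpar.out = out;
 acpar.hooknum = hook;
 acpar.family = NFPROTO_ARP;
+acpar.hotdrop = false;
 
 arp = arp_hdr(skb);
 do {
@@ -345,10 +345,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 else
 /* Verdict */
 break;
-} while (!hotdrop);
+} while (!acpar.hotdrop);
 xt_info_rdunlock_bh();
 
-if (hotdrop)
+if (acpar.hotdrop)
 return NF_DROP;
 else
 return verdict;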
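--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -308,7 +308,6 @@ ipt_do_table(struct sk_buff *skb,
 {
 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
 const struct iphdr *ip;
-bool hotdrop = false;
 /* Initializing verdict to NF_DROP keeps gcc happy. */
 unsigned int verdict = NF_DROP;
 const char *indev, *outdev;
@@ -330,7 +329,7 @@ ipt_do_table(struct sk_buff *skb,
 * match it. */
 acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
 acpar.thoff = ip_hdrlen(skb);
-acpar.hotdrop = &hotdrop;
+acpar.hotdrop = false;
 acpar.in = in;
 acpar.out = out;
 acpar.family = NFPROTO_IPV4;
@@ -432,7 +431,7 @@ ipt_do_table(struct sk_buff *skb,
 else
 /* Verdict */
 break;
-} while (!hotdrop);
+} while (!acpar.hotdrop);
 xt_info_rdunlock_bh();
 pr_debug("Exiting %s; resetting sp from %u to %u\n",
 __func__, *stackptr, origptr);
@@ -440,7 +439,7 @@ ipt_do_table(struct sk_buff *skb,
 #ifdef DEBUG_ALLOW_ALL
 return NF_ACCEPT;
 #else
-if (hotdrop)
+if (acpar.hotdrop)
 return NF_DROP;
 else return verdict;
 #endif
@@ -2154,7 +2153,7 @@ icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
 * can't. Hence, no choice but to drop.
 */
 duprintf("Dropping evil ICMP tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 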
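--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -46,7 +46,7 @@ static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
 * can't. Hence, no choice but to drop.
 */
 pr_debug("Dropping evil AH tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return 0;
 }
 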
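--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -78,7 +78,7 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
 if (ip_hdr(skb)->protocol != IPPROTO_TCP)
 return false;
-if (!match_tcp(skb, info, par->hotdrop))
+if (!match_tcp(skb, info, &par->hotdrop))
 return false;
 }
 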
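Review bot: `match_tcp(skb, info, &par->hotdrop)` at line 81 reintroduces exactly the pointer-to-one-byte that the commit message sets out to remove, just one call deeper; the same `&par->hotdrop` hand-off survives in ip6_tables.c (`ip6_packet_match`), xt_dccp.c (`match_option`), xt_sctp.c (`match_packet`) and xt_tcpudp.c (`tcp_find_option`). Those helpers' signatures are outside the hunks, so this is a follow-up rather than a blocker: passing `par` itself, `if (!match_tcp(skb, info, par))`, lets the helper write `par->hotdrop = true` directly and keeps to the single writable-parameter convention the header now documents. ecn_mt continues outside the hunk.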
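--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -337,7 +337,6 @@ ip6t_do_table(struct sk_buff *skb,
 struct xt_table *table)
 {
 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
-bool hotdrop = false;
 /* Initializing verdict to NF_DROP keeps gcc happy. */
 unsigned int verdict = NF_DROP;
 const char *indev, *outdev;
@@ -356,7 +355,7 @@ ip6t_do_table(struct sk_buff *skb,
 * things we don't know, ie. tcp syn flag or ports). If the
 * rule is also a fragment-specific rule, non-fragments won't
 * match it. */
-acpar.hotdrop = &hotdrop;
+acpar.hotdrop = false;
 acpar.in = in;
 acpar.out = out;
 acpar.family = NFPROTO_IPV6;
@@ -380,7 +379,7 @@ ip6t_do_table(struct sk_buff *skb,
 
 IP_NF_ASSERT(e);
 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
-&acpar.thoff, &acpar.fragoff, &hotdrop)) {
+&acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
 no_match:
 e = ip6t_next_entry(e);
 continue;
@@ -447,7 +446,7 @@ ip6t_do_table(struct sk_buff *skb,
 else
 /* Verdict */
 break;
-} while (!hotdrop);
+} while (!acpar.hotdrop);
 
 xt_info_rdunlock_bh();
 *stackptr = origptr;
@@ -455,7 +454,7 @@ ip6t_do_table(struct sk_buff *skb,
 #ifdef DEBUG_ALLOW_ALL
 return NF_ACCEPT;
 #else
-if (hotdrop)
+if (acpar.hotdrop)
 return NF_DROP;
 else return verdict;
 #endif
@@ -2170,7 +2169,7 @@ icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
 * can't. Hence, no choice but to drop.
 */
 duprintf("Dropping evil ICMP tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 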
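--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -48,13 +48,13 @@ static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
 if (err < 0) {
 if (err != -ENOENT)
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 
 ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
 if (ah == NULL) {
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 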
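--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -27,7 +27,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 if (!(skb_mac_header(skb) >= skb->head &&
 skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
 par->fragoff != 0) {
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 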
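--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -46,13 +46,13 @@ frag_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
 if (err < 0) {
 if (err != -ENOENT)
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 
 fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
 if (fh == NULL) {
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 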
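--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -65,13 +65,13 @@ hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 NEXTHDR_HOP : NEXTHDR_DEST, NULL);
 if (err < 0) {
 if (err != -ENOENT)
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 
 oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
 if (oh == NULL) {
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 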
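--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -47,14 +47,14 @@ static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 /* We've been asked to examine this packet, and we
 can't. Hence, no choice but to drop. */
 pr_debug("Dropping evil MH tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 
 if (mh->ip6mh_proto != IPPROTO_NONE) {
 pr_debug("Dropping invalid MH Payload Proto: %u\n",
 mh->ip6mh_proto);
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 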
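--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -52,13 +52,13 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
 if (err < 0) {
 if (err != -ENOENT)
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 
 rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
 if (rh == NULL) {
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 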
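--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -206,14 +206,14 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
 
 if (connections < 0) {
 /* kmalloc failed, drop it entirely */
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 
 return (connections > info->limit) ^ info->inverse;
 
 hotdrop:
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 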
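--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -107,7 +107,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 
 dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
 if (dh == NULL) {
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 
@@ -120,7 +120,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 && DCCHECK(match_types(dh, info->typemask),
 XT_DCCP_TYPE, info->flags, info->invflags)
 && DCCHECK(match_option(info->option, skb, par->thoff, dh,
-par->hotdrop),
+&par->hotdrop),
 XT_DCCP_OPTION, info->flags, info->invflags);
 }
 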
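--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -52,7 +52,7 @@ static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 * can't. Hence, no choice but to drop.
 */
 pr_debug("Dropping evil ESP tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 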
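--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -562,7 +562,7 @@ hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
 return info->cfg.mode & XT_HASHLIMIT_INVERT;
 
 hotdrop:
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 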
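--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -87,7 +87,7 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
 * can't. Hence, no choice but to drop.
 */
 pr_debug("Dropping evil offset=0 tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 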
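--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -268,7 +268,7 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
 goto out;
 e = recent_entry_init(t, &addr, par->family, ttl);
 if (e == NULL)
-*par->hotdrop = true;
+par->hotdrop = true;
 ret = !ret;
 goto out;
 }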
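--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -128,7 +128,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
 if (sh == NULL) {
 pr_debug("Dropping evil TCP offset=0 tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
@@ -140,7 +140,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 && ntohs(sh->dest) <= info->dpts[1],
 XT_SCTP_DEST_PORTS, info->flags, info->invflags)
 && SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
-info, par->hotdrop),
+info, &par->hotdrop),
 XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
 }
 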
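--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -73,7 +73,7 @@ out:
 return info->invert;
 
 dropit:
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 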
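--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -77,7 +77,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 */
 if (par->fragoff == 1) {
 pr_debug("Dropping evil TCP offset=1 frag.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 }
 /* Must not be a fragment. */
 return false;
@@ -90,7 +90,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 /* We've been asked to examine this packet, and we
 can't. Hence, no choice but to drop. */
 pr_debug("Dropping evil TCP offset=0 tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 
@@ -108,13 +108,13 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 return false;
 if (tcpinfo->option) {
 if (th->doff * 4 < sizeof(_tcph)) {
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
 th->doff*4 - sizeof(_tcph),
 tcpinfo->invflags & XT_TCP_INV_OPTION,
-par->hotdrop))
+&par->hotdrop))
 return false;
 }
 return true;
@@ -143,7 +143,7 @@ static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 /* We've been asked to examine this packet, and we
 can't. Hence, no choice but to drop. */
 pr_debug("Dropping evil UDP tinygram.\n");
-*par->hotdrop = true;
+par->hotdrop = true;
 return false;
 }
 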