aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2010-05-13 17:14:10 -0400
committerDavid S. Miller <davem@davemloft.net>2010-05-13 17:14:10 -0400
commite7874c996b8591f59d78efa519031dab5b58723b (patch)
tree14aa8dea0c33de9d22ef8177fb242c9d80d693de
parent4a6346d4ea63b5e1390babf22f1cc0f113d8082b (diff)
parent736d58e3a2245ac2779fe0f278f8735bcf33ca8d (diff)
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
Diffstat
-rw-r--r--include/linux/netfilter/x_tables.h45
-rw-r--r--net/bridge/br_netfilter.c2
-rw-r--r--net/bridge/netfilter/ebt_802_3.c2
-rw-r--r--net/bridge/netfilter/ebt_among.c2
-rw-r--r--net/bridge/netfilter/ebt_arp.c2
-rw-r--r--net/bridge/netfilter/ebt_arpreply.c2
-rw-r--r--net/bridge/netfilter/ebt_dnat.c2
-rw-r--r--net/bridge/netfilter/ebt_ip.c2
-rw-r--r--net/bridge/netfilter/ebt_ip6.c2
-rw-r--r--net/bridge/netfilter/ebt_limit.c2
-rw-r--r--net/bridge/netfilter/ebt_log.c2
-rw-r--r--net/bridge/netfilter/ebt_mark.c2
-rw-r--r--net/bridge/netfilter/ebt_mark_m.c2
-rw-r--r--net/bridge/netfilter/ebt_nflog.c2
-rw-r--r--net/bridge/netfilter/ebt_pkttype.c2
-rw-r--r--net/bridge/netfilter/ebt_redirect.c2
-rw-r--r--net/bridge/netfilter/ebt_snat.c2
-rw-r--r--net/bridge/netfilter/ebt_stp.c2
-rw-r--r--net/bridge/netfilter/ebt_ulog.c2
-rw-r--r--net/bridge/netfilter/ebt_vlan.c2
-rw-r--r--net/bridge/netfilter/ebtables.c33
-rw-r--r--net/ipv4/netfilter/arp_tables.c76
-rw-r--r--net/ipv4/netfilter/arpt_mangle.c2
-rw-r--r--net/ipv4/netfilter/ip_queue.c1
-rw-r--r--net/ipv4/netfilter/ip_tables.c137
-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c2
-rw-r--r--net/ipv4/netfilter/ipt_ECN.c2
-rw-r--r--net/ipv4/netfilter/ipt_LOG.c2
-rw-r--r--net/ipv4/netfilter/ipt_MASQUERADE.c2
-rw-r--r--net/ipv4/netfilter/ipt_NETMAP.c2
-rw-r--r--net/ipv4/netfilter/ipt_REDIRECT.c2
-rw-r--r--net/ipv4/netfilter/ipt_REJECT.c2
-rw-r--r--net/ipv4/netfilter/ipt_ULOG.c2
-rw-r--r--net/ipv4/netfilter/ipt_addrtype.c4
-rw-r--r--net/ipv4/netfilter/ipt_ah.c4
-rw-r--r--net/ipv4/netfilter/ipt_ecn.c4
-rw-r--r--net/ipv4/netfilter/iptable_filter.c2
-rw-r--r--net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c10
-rw-r--r--net/ipv4/netfilter/nf_nat_h323.c16
-rw-r--r--net/ipv4/netfilter/nf_nat_rule.c4
-rw-r--r--net/ipv4/netfilter/nf_nat_snmp_basic.c16
-rw-r--r--net/ipv4/netfilter/nf_nat_standalone.c4
-rw-r--r--net/ipv6/netfilter/ip6_queue.c1
-rw-r--r--net/ipv6/netfilter/ip6_tables.c127
-rw-r--r--net/ipv6/netfilter/ip6t_LOG.c2
-rw-r--r--net/ipv6/netfilter/ip6t_REJECT.c2
-rw-r--r--net/ipv6/netfilter/ip6t_ah.c6
-rw-r--r--net/ipv6/netfilter/ip6t_eui64.c4
-rw-r--r--net/ipv6/netfilter/ip6t_frag.c6
-rw-r--r--net/ipv6/netfilter/ip6t_hbh.c6
-rw-r--r--net/ipv6/netfilter/ip6t_ipv6header.c2
-rw-r--r--net/ipv6/netfilter/ip6t_mh.c6
-rw-r--r--net/ipv6/netfilter/ip6t_rt.c6
-rw-r--r--net/ipv6/netfilter/ip6table_filter.c2
-rw-r--r--net/ipv6/netfilter/ip6table_mangle.c2
-rw-r--r--net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c14
-rw-r--r--net/netfilter/nf_conntrack_amanda.c2
-rw-r--r--net/netfilter/nf_conntrack_core.c2
-rw-r--r--net/netfilter/nf_conntrack_ftp.c4
-rw-r--r--net/netfilter/nf_conntrack_h323_main.c6
-rw-r--r--net/netfilter/nf_conntrack_irc.c4
-rw-r--r--net/netfilter/nf_conntrack_netlink.c13
-rw-r--r--net/netfilter/nf_conntrack_proto_sctp.c4
-rw-r--r--net/netfilter/nf_conntrack_sip.c4
-rw-r--r--net/netfilter/nf_conntrack_standalone.c2
-rw-r--r--net/netfilter/nf_conntrack_tftp.c4
-rw-r--r--net/netfilter/nf_internals.h2
-rw-r--r--net/netfilter/nf_queue.c1
-rw-r--r--net/netfilter/nfnetlink.c4
-rw-r--r--net/netfilter/nfnetlink_log.c4
-rw-r--r--net/netfilter/xt_CLASSIFY.c2
-rw-r--r--net/netfilter/xt_CONNSECMARK.c2
-rw-r--r--net/netfilter/xt_CT.c2
-rw-r--r--net/netfilter/xt_DSCP.c8
-rw-r--r--net/netfilter/xt_HL.c4
-rw-r--r--net/netfilter/xt_LED.c2
-rw-r--r--net/netfilter/xt_NFLOG.c2
-rw-r--r--net/netfilter/xt_NFQUEUE.c4
-rw-r--r--net/netfilter/xt_NOTRACK.c2
-rw-r--r--net/netfilter/xt_RATEEST.c2
-rw-r--r--net/netfilter/xt_SECMARK.c2
-rw-r--r--net/netfilter/xt_TCPMSS.c4
-rw-r--r--net/netfilter/xt_TCPOPTSTRIP.c4
-rw-r--r--net/netfilter/xt_TEE.c4
-rw-r--r--net/netfilter/xt_TPROXY.c2
-rw-r--r--net/netfilter/xt_TRACE.c2
-rw-r--r--net/netfilter/xt_cluster.c2
-rw-r--r--net/netfilter/xt_comment.c2
-rw-r--r--net/netfilter/xt_connbytes.c2
-rw-r--r--net/netfilter/xt_connlimit.c6
-rw-r--r--net/netfilter/xt_connmark.c4
-rw-r--r--net/netfilter/xt_conntrack.c6
-rw-r--r--net/netfilter/xt_dccp.c6
-rw-r--r--net/netfilter/xt_dscp.c6
-rw-r--r--net/netfilter/xt_esp.c4
-rw-r--r--net/netfilter/xt_hashlimit.c4
-rw-r--r--net/netfilter/xt_helper.c2
-rw-r--r--net/netfilter/xt_hl.c4
-rw-r--r--net/netfilter/xt_iprange.c4
-rw-r--r--net/netfilter/xt_length.c4
-rw-r--r--net/netfilter/xt_limit.c2
-rw-r--r--net/netfilter/xt_mac.c2
-rw-r--r--net/netfilter/xt_mark.c4
-rw-r--r--net/netfilter/xt_multiport.c8
-rw-r--r--net/netfilter/xt_osf.c4
-rw-r--r--net/netfilter/xt_owner.c2
-rw-r--r--net/netfilter/xt_physdev.c2
-rw-r--r--net/netfilter/xt_pkttype.c2
-rw-r--r--net/netfilter/xt_policy.c2
-rw-r--r--net/netfilter/xt_quota.c2
-rw-r--r--net/netfilter/xt_rateest.c2
-rw-r--r--net/netfilter/xt_realm.c2
-rw-r--r--net/netfilter/xt_recent.c4
-rw-r--r--net/netfilter/xt_sctp.c6
-rw-r--r--net/netfilter/xt_socket.c6
-rw-r--r--net/netfilter/xt_state.c2
-rw-r--r--net/netfilter/xt_statistic.c2
-rw-r--r--net/netfilter/xt_string.c2
-rw-r--r--net/netfilter/xt_tcpmss.c4
-rw-r--r--net/netfilter/xt_tcpudp.c14
-rw-r--r--net/netfilter/xt_time.c3
-rw-r--r--net/netfilter/xt_u32.c2
-rw-r--r--net/sched/act_ipt.c2
123 files changed, 384 insertions, 455 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index eeb4884c30be..c2ee5d8550cf 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -183,29 +183,39 @@ struct xt_counters_info {
183#include <linux/netdevice.h> 183#include <linux/netdevice.h>
184 184
185/** 185/**
186 * struct xt_match_param - parameters for match extensions' match functions 186 * struct xt_action_param - parameters for matches/targets
187 * 187 *
188 * @match: the match extension
189 * @target: the target extension
190 * @matchinfo: per-match data
191 * @targetinfo: per-target data
188 * @in: input netdevice 192 * @in: input netdevice
189 * @out: output netdevice 193 * @out: output netdevice
190 * @match: struct xt_match through which this function was invoked
191 * @matchinfo: per-match data
192 * @fragoff: packet is a fragment, this is the data offset 194 * @fragoff: packet is a fragment, this is the data offset
193 * @thoff: position of transport header relative to skb->data 195 * @thoff: position of transport header relative to skb->data
194 * @hook: hook number given packet came from 196 * @hook: hook number given packet came from
195 * @family: Actual NFPROTO_* through which the function is invoked 197 * @family: Actual NFPROTO_* through which the function is invoked
196 * (helpful when match->family == NFPROTO_UNSPEC) 198 * (helpful when match->family == NFPROTO_UNSPEC)
199 *
200 * Fields written to by extensions:
201 *
197 * @hotdrop: drop packet if we had inspection problems 202 * @hotdrop: drop packet if we had inspection problems
198 * Network namespace obtainable using dev_net(in/out) 203 * Network namespace obtainable using dev_net(in/out)
199 */ 204 */
200struct xt_match_param { 205struct xt_action_param {
206 union {
207 const struct xt_match *match;
208 const struct xt_target *target;
209 };
210 union {
211 const void *matchinfo, *targinfo;
212 };
201 const struct net_device *in, *out; 213 const struct net_device *in, *out;
202 const struct xt_match *match;
203 const void *matchinfo;
204 int fragoff; 214 int fragoff;
205 unsigned int thoff; 215 unsigned int thoff;
206 unsigned int hooknum; 216 unsigned int hooknum;
207 u_int8_t family; 217 u_int8_t family;
208 bool *hotdrop; 218 bool hotdrop;
209}; 219};
210 220
211/** 221/**
@@ -243,23 +253,6 @@ struct xt_mtdtor_param {
243}; 253};
244 254
245/** 255/**
246 * struct xt_target_param - parameters for target extensions' target functions
247 *
248 * @hooknum: hook through which this target was invoked
249 * @target: struct xt_target through which this function was invoked
250 * @targinfo: per-target data
251 *
252 * Other fields see above.
253 */
254struct xt_target_param {
255 const struct net_device *in, *out;
256 const struct xt_target *target;
257 const void *targinfo;
258 unsigned int hooknum;
259 u_int8_t family;
260};
261
262/**
263 * struct xt_tgchk_param - parameters for target extensions' 256 * struct xt_tgchk_param - parameters for target extensions'
264 * checkentry functions 257 * checkentry functions
265 * 258 *
@@ -298,7 +291,7 @@ struct xt_match {
298 non-linear skb, using skb_header_pointer and 291 non-linear skb, using skb_header_pointer and
299 skb_ip_make_writable. */ 292 skb_ip_make_writable. */
300 bool (*match)(const struct sk_buff *skb, 293 bool (*match)(const struct sk_buff *skb,
301 const struct xt_match_param *); 294 struct xt_action_param *);
302 295
303 /* Called when user tries to insert an entry of this type. */ 296 /* Called when user tries to insert an entry of this type. */
304 int (*checkentry)(const struct xt_mtchk_param *); 297 int (*checkentry)(const struct xt_mtchk_param *);
@@ -335,7 +328,7 @@ struct xt_target {
335 must now handle non-linear skbs, using skb_copy_bits and 328 must now handle non-linear skbs, using skb_copy_bits and
336 skb_ip_make_writable. */ 329 skb_ip_make_writable. */
337 unsigned int (*target)(struct sk_buff *skb, 330 unsigned int (*target)(struct sk_buff *skb,
338 const struct xt_target_param *); 331 const struct xt_action_param *);
339 332
340 /* Called when user tries to insert an entry of this type: 333 /* Called when user tries to insert an entry of this type:
341 hook_mask is a bitmask of hooks from which it can be 334 hook_mask is a bitmask of hooks from which it can be
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 93f80fefa496..44420992f72f 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -643,10 +643,10 @@ static int br_nf_forward_finish(struct sk_buff *skb)
643 skb->pkt_type = PACKET_OTHERHOST; 643 skb->pkt_type = PACKET_OTHERHOST;
644 nf_bridge->mask ^= BRNF_PKT_TYPE; 644 nf_bridge->mask ^= BRNF_PKT_TYPE;
645 } 645 }
646 nf_bridge_update_protocol(skb);
646 } else { 647 } else {
647 in = *((struct net_device **)(skb->cb)); 648 in = *((struct net_device **)(skb->cb));
648 } 649 }
649 nf_bridge_update_protocol(skb);
650 nf_bridge_push_encap_header(skb); 650 nf_bridge_push_encap_header(skb);
651 651
652 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, in, 652 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, in,
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index f7de8dbc3422..2a449b7ab8fa 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -13,7 +13,7 @@
13#include <linux/netfilter_bridge/ebt_802_3.h> 13#include <linux/netfilter_bridge/ebt_802_3.h>
14 14
15static bool 15static bool
16ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par) 16ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par)
17{ 17{
18 const struct ebt_802_3_info *info = par->matchinfo; 18 const struct ebt_802_3_info *info = par->matchinfo;
19 const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb); 19 const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 20068e03fa81..8b84c581be30 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -129,7 +129,7 @@ static int get_ip_src(const struct sk_buff *skb, __be32 *addr)
129} 129}
130 130
131static bool 131static bool
132ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par) 132ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par)
133{ 133{
134 const struct ebt_among_info *info = par->matchinfo; 134 const struct ebt_among_info *info = par->matchinfo;
135 const char *dmac, *smac; 135 const char *dmac, *smac;
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index 952150cd5e7d..cd457b891b27 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -16,7 +16,7 @@
16#include <linux/netfilter_bridge/ebt_arp.h> 16#include <linux/netfilter_bridge/ebt_arp.h>
17 17
18static bool 18static bool
19ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 19ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
20{ 20{
21 const struct ebt_arp_info *info = par->matchinfo; 21 const struct ebt_arp_info *info = par->matchinfo;
22 const struct arphdr *ah; 22 const struct arphdr *ah;
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index 4581adb27583..070cf134a22f 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -16,7 +16,7 @@
16#include <linux/netfilter_bridge/ebt_arpreply.h> 16#include <linux/netfilter_bridge/ebt_arpreply.h>
17 17
18static unsigned int 18static unsigned int
19ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par) 19ebt_arpreply_tg(struct sk_buff *skb, const struct xt_action_param *par)
20{ 20{
21 const struct ebt_arpreply_info *info = par->targinfo; 21 const struct ebt_arpreply_info *info = par->targinfo;
22 const __be32 *siptr, *diptr; 22 const __be32 *siptr, *diptr;
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 59d5b7c8a557..c59f7bfae6e2 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -15,7 +15,7 @@
15#include <linux/netfilter_bridge/ebt_nat.h> 15#include <linux/netfilter_bridge/ebt_nat.h>
16 16
17static unsigned int 17static unsigned int
18ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par) 18ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
19{ 19{
20 const struct ebt_nat_info *info = par->targinfo; 20 const struct ebt_nat_info *info = par->targinfo;
21 21
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index a1c76c7e5219..23bca62d58d2 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -25,7 +25,7 @@ struct tcpudphdr {
25}; 25};
26 26
27static bool 27static bool
28ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
29{ 29{
30 const struct ebt_ip_info *info = par->matchinfo; 30 const struct ebt_ip_info *info = par->matchinfo;
31 const struct iphdr *ih; 31 const struct iphdr *ih;
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 33f8413f05ad..50a46afc2bcc 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -28,7 +28,7 @@ struct tcpudphdr {
28}; 28};
29 29
30static bool 30static bool
31ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par) 31ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
32{ 32{
33 const struct ebt_ip6_info *info = par->matchinfo; 33 const struct ebt_ip6_info *info = par->matchinfo;
34 const struct ipv6hdr *ih6; 34 const struct ipv6hdr *ih6;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 4b0e2e53fa57..517e78befcb2 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -32,7 +32,7 @@ static DEFINE_SPINLOCK(limit_lock);
32#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ) 32#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
33 33
34static bool 34static bool
35ebt_limit_mt(const struct sk_buff *skb, const struct xt_match_param *par) 35ebt_limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
36{ 36{
37 struct ebt_limit_info *info = (void *)par->matchinfo; 37 struct ebt_limit_info *info = (void *)par->matchinfo;
38 unsigned long now = jiffies; 38 unsigned long now = jiffies;
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index c46024156539..6e5a8bb9b940 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -171,7 +171,7 @@ out:
171} 171}
172 172
173static unsigned int 173static unsigned int
174ebt_log_tg(struct sk_buff *skb, const struct xt_target_param *par) 174ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par)
175{ 175{
176 const struct ebt_log_info *info = par->targinfo; 176 const struct ebt_log_info *info = par->targinfo;
177 struct nf_loginfo li; 177 struct nf_loginfo li;
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 126e536ff8f4..66697cbd0a8b 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -19,7 +19,7 @@
19#include <linux/netfilter_bridge/ebt_mark_t.h> 19#include <linux/netfilter_bridge/ebt_mark_t.h>
20 20
21static unsigned int 21static unsigned int
22ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par) 22ebt_mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
23{ 23{
24 const struct ebt_mark_t_info *info = par->targinfo; 24 const struct ebt_mark_t_info *info = par->targinfo;
25 int action = info->target & -16; 25 int action = info->target & -16;
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index e4366c0a1a43..d98baefc4c7e 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -13,7 +13,7 @@
13#include <linux/netfilter_bridge/ebt_mark_m.h> 13#include <linux/netfilter_bridge/ebt_mark_m.h>
14 14
15static bool 15static bool
16ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) 16ebt_mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
17{ 17{
18 const struct ebt_mark_m_info *info = par->matchinfo; 18 const struct ebt_mark_m_info *info = par->matchinfo;
19 19
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
index 22e2ad5f23e8..5be68bbcc341 100644
--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -20,7 +20,7 @@
20#include <net/netfilter/nf_log.h> 20#include <net/netfilter/nf_log.h>
21 21
22static unsigned int 22static unsigned int
23ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par) 23ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
24{ 24{
25 const struct ebt_nflog_info *info = par->targinfo; 25 const struct ebt_nflog_info *info = par->targinfo;
26 struct nf_loginfo li; 26 struct nf_loginfo li;
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index f34bcc3197bd..496a56515307 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -13,7 +13,7 @@
13#include <linux/netfilter_bridge/ebt_pkttype.h> 13#include <linux/netfilter_bridge/ebt_pkttype.h>
14 14
15static bool 15static bool
16ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par) 16ebt_pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
17{ 17{
18 const struct ebt_pkttype_info *info = par->matchinfo; 18 const struct ebt_pkttype_info *info = par->matchinfo;
19 19
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index a6044a6f2383..9e19166ba453 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -16,7 +16,7 @@
16#include <linux/netfilter_bridge/ebt_redirect.h> 16#include <linux/netfilter_bridge/ebt_redirect.h>
17 17
18static unsigned int 18static unsigned int
19ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par) 19ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
20{ 20{
21 const struct ebt_redirect_info *info = par->targinfo; 21 const struct ebt_redirect_info *info = par->targinfo;
22 22
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 79caca34ae2b..f8f0bd1a1d51 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -17,7 +17,7 @@
17#include <linux/netfilter_bridge/ebt_nat.h> 17#include <linux/netfilter_bridge/ebt_nat.h>
18 18
19static unsigned int 19static unsigned int
20ebt_snat_tg(struct sk_buff *skb, const struct xt_target_param *par) 20ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
21{ 21{
22 const struct ebt_nat_info *info = par->targinfo; 22 const struct ebt_nat_info *info = par->targinfo;
23 23
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 02f28fdda393..5b33a2e634a6 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -120,7 +120,7 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
120} 120}
121 121
122static bool 122static bool
123ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 123ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par)
124{ 124{
125 const struct ebt_stp_info *info = par->matchinfo; 125 const struct ebt_stp_info *info = par->matchinfo;
126 const struct stp_header *sp; 126 const struct stp_header *sp;
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 852f37c27659..ae3c7cef1484 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -243,7 +243,7 @@ static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
243} 243}
244 244
245static unsigned int 245static unsigned int
246ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par) 246ebt_ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
247{ 247{
248 ebt_ulog_packet(par->hooknum, skb, par->in, par->out, 248 ebt_ulog_packet(par->hooknum, skb, par->in, par->out,
249 par->targinfo, NULL); 249 par->targinfo, NULL);
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index bf8ae5c7a0c5..87b53b3a921d 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -36,7 +36,7 @@ MODULE_LICENSE("GPL");
36#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; } 36#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
37 37
38static bool 38static bool
39ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par) 39ebt_vlan_mt(const struct sk_buff *skb, struct xt_action_param *par)
40{ 40{
41 const struct ebt_vlan_info *info = par->matchinfo; 41 const struct ebt_vlan_info *info = par->matchinfo;
42 const struct vlan_hdr *fp; 42 const struct vlan_hdr *fp;
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 1d8c2c0a7470..59ca00e40dec 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -86,7 +86,7 @@ static struct xt_target ebt_standard_target = {
86 86
87static inline int 87static inline int
88ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb, 88ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
89 struct xt_target_param *par) 89 struct xt_action_param *par)
90{ 90{
91 par->target = w->u.watcher; 91 par->target = w->u.watcher;
92 par->targinfo = w->data; 92 par->targinfo = w->data;
@@ -95,8 +95,9 @@ ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
95 return 0; 95 return 0;
96} 96}
97 97
98static inline int ebt_do_match (struct ebt_entry_match *m, 98static inline int
99 const struct sk_buff *skb, struct xt_match_param *par) 99ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
100 struct xt_action_param *par)
100{ 101{
101 par->match = m->u.match; 102 par->match = m->u.match;
102 par->matchinfo = m->data; 103 par->matchinfo = m->data;
@@ -185,15 +186,13 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
185 struct ebt_entries *chaininfo; 186 struct ebt_entries *chaininfo;
186 const char *base; 187 const char *base;
187 const struct ebt_table_info *private; 188 const struct ebt_table_info *private;
188 bool hotdrop = false; 189 struct xt_action_param acpar;
189 struct xt_match_param mtpar;
190 struct xt_target_param tgpar;
191 190
192 mtpar.family = tgpar.family = NFPROTO_BRIDGE; 191 acpar.family = NFPROTO_BRIDGE;
193 mtpar.in = tgpar.in = in; 192 acpar.in = in;
194 mtpar.out = tgpar.out = out; 193 acpar.out = out;
195 mtpar.hotdrop = &hotdrop; 194 acpar.hotdrop = false;
196 mtpar.hooknum = tgpar.hooknum = hook; 195 acpar.hooknum = hook;
197 196
198 read_lock_bh(&table->lock); 197 read_lock_bh(&table->lock);
199 private = table->private; 198 private = table->private;
@@ -214,9 +213,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
214 if (ebt_basic_match(point, eth_hdr(skb), in, out)) 213 if (ebt_basic_match(point, eth_hdr(skb), in, out))
215 goto letscontinue; 214 goto letscontinue;
216 215
217 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0) 216 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
218 goto letscontinue; 217 goto letscontinue;
219 if (hotdrop) { 218 if (acpar.hotdrop) {
220 read_unlock_bh(&table->lock); 219 read_unlock_bh(&table->lock);
221 return NF_DROP; 220 return NF_DROP;
222 } 221 }
@@ -227,7 +226,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
227 226
228 /* these should only watch: not modify, nor tell us 227 /* these should only watch: not modify, nor tell us
229 what to do with the packet */ 228 what to do with the packet */
230 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar); 229 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
231 230
232 t = (struct ebt_entry_target *) 231 t = (struct ebt_entry_target *)
233 (((char *)point) + point->target_offset); 232 (((char *)point) + point->target_offset);
@@ -235,9 +234,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
235 if (!t->u.target->target) 234 if (!t->u.target->target)
236 verdict = ((struct ebt_standard_target *)t)->verdict; 235 verdict = ((struct ebt_standard_target *)t)->verdict;
237 else { 236 else {
238 tgpar.target = t->u.target; 237 acpar.target = t->u.target;
239 tgpar.targinfo = t->data; 238 acpar.targinfo = t->data;
240 verdict = t->u.target->target(skb, &tgpar); 239 verdict = t->u.target->target(skb, &acpar);
241 } 240 }
242 if (verdict == EBT_ACCEPT) { 241 if (verdict == EBT_ACCEPT) {
243 read_unlock_bh(&table->lock); 242 read_unlock_bh(&table->lock);
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 07a699059390..1ac01b128621 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -49,12 +49,7 @@ MODULE_DESCRIPTION("arptables core");
49#endif 49#endif
50 50
51#ifdef CONFIG_NETFILTER_DEBUG 51#ifdef CONFIG_NETFILTER_DEBUG
52#define ARP_NF_ASSERT(x) \ 52#define ARP_NF_ASSERT(x) WARN_ON(!(x))
53do { \
54 if (!(x)) \
55 printk("ARP_NF_ASSERT: %s:%s:%u\n", \
56 __func__, __FILE__, __LINE__); \
57} while(0)
58#else 53#else
59#define ARP_NF_ASSERT(x) 54#define ARP_NF_ASSERT(x)
60#endif 55#endif
@@ -224,10 +219,10 @@ static inline int arp_checkentry(const struct arpt_arp *arp)
224} 219}
225 220
226static unsigned int 221static unsigned int
227arpt_error(struct sk_buff *skb, const struct xt_target_param *par) 222arpt_error(struct sk_buff *skb, const struct xt_action_param *par)
228{ 223{
229 if (net_ratelimit()) 224 if (net_ratelimit())
230 printk("arp_tables: error: '%s'\n", 225 pr_err("arp_tables: error: '%s'\n",
231 (const char *)par->targinfo); 226 (const char *)par->targinfo);
232 227
233 return NF_DROP; 228 return NF_DROP;
@@ -260,12 +255,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
260 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 255 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
261 unsigned int verdict = NF_DROP; 256 unsigned int verdict = NF_DROP;
262 const struct arphdr *arp; 257 const struct arphdr *arp;
263 bool hotdrop = false;
264 struct arpt_entry *e, *back; 258 struct arpt_entry *e, *back;
265 const char *indev, *outdev; 259 const char *indev, *outdev;
266 void *table_base; 260 void *table_base;
267 const struct xt_table_info *private; 261 const struct xt_table_info *private;
268 struct xt_target_param tgpar; 262 struct xt_action_param acpar;
269 263
270 if (!pskb_may_pull(skb, arp_hdr_len(skb->dev))) 264 if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
271 return NF_DROP; 265 return NF_DROP;
@@ -280,10 +274,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
280 e = get_entry(table_base, private->hook_entry[hook]); 274 e = get_entry(table_base, private->hook_entry[hook]);
281 back = get_entry(table_base, private->underflow[hook]); 275 back = get_entry(table_base, private->underflow[hook]);
282 276
283 tgpar.in = in; 277 acpar.in = in;
284 tgpar.out = out; 278 acpar.out = out;
285 tgpar.hooknum = hook; 279 acpar.hooknum = hook;
286 tgpar.family = NFPROTO_ARP; 280 acpar.family = NFPROTO_ARP;
281 acpar.hotdrop = false;
287 282
288 arp = arp_hdr(skb); 283 arp = arp_hdr(skb);
289 do { 284 do {
@@ -333,9 +328,9 @@ unsigned int arpt_do_table(struct sk_buff *skb,
333 /* Targets which reenter must return 328 /* Targets which reenter must return
334 * abs. verdicts 329 * abs. verdicts
335 */ 330 */
336 tgpar.target = t->u.kernel.target; 331 acpar.target = t->u.kernel.target;
337 tgpar.targinfo = t->data; 332 acpar.targinfo = t->data;
338 verdict = t->u.kernel.target->target(skb, &tgpar); 333 verdict = t->u.kernel.target->target(skb, &acpar);
339 334
340 /* Target might have changed stuff. */ 335 /* Target might have changed stuff. */
341 arp = arp_hdr(skb); 336 arp = arp_hdr(skb);
@@ -345,10 +340,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
345 else 340 else
346 /* Verdict */ 341 /* Verdict */
347 break; 342 break;
348 } while (!hotdrop); 343 } while (!acpar.hotdrop);
349 xt_info_rdunlock_bh(); 344 xt_info_rdunlock_bh();
350 345
351 if (hotdrop) 346 if (acpar.hotdrop)
352 return NF_DROP; 347 return NF_DROP;
353 else 348 else
354 return verdict; 349 return verdict;
@@ -390,7 +385,7 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
390 int visited = e->comefrom & (1 << hook); 385 int visited = e->comefrom & (1 << hook);
391 386
392 if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) { 387 if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) {
393 printk("arptables: loop hook %u pos %u %08X.\n", 388 pr_notice("arptables: loop hook %u pos %u %08X.\n",
394 hook, pos, e->comefrom); 389 hook, pos, e->comefrom);
395 return 0; 390 return 0;
396 } 391 }
@@ -1828,22 +1823,23 @@ void arpt_unregister_table(struct xt_table *table)
1828} 1823}
1829 1824
1830/* The built-in targets: standard (NULL) and error. */ 1825/* The built-in targets: standard (NULL) and error. */
1831static struct xt_target arpt_standard_target __read_mostly = { 1826static struct xt_target arpt_builtin_tg[] __read_mostly = {
1832 .name = ARPT_STANDARD_TARGET, 1827 {
1833 .targetsize = sizeof(int), 1828 .name = ARPT_STANDARD_TARGET,
1834 .family = NFPROTO_ARP, 1829 .targetsize = sizeof(int),
1830 .family = NFPROTO_ARP,
1835#ifdef CONFIG_COMPAT 1831#ifdef CONFIG_COMPAT
1836 .compatsize = sizeof(compat_int_t), 1832 .compatsize = sizeof(compat_int_t),
1837 .compat_from_user = compat_standard_from_user, 1833 .compat_from_user = compat_standard_from_user,
1838 .compat_to_user = compat_standard_to_user, 1834 .compat_to_user = compat_standard_to_user,
1839#endif 1835#endif
1840}; 1836 },
1841 1837 {
1842static struct xt_target arpt_error_target __read_mostly = { 1838 .name = ARPT_ERROR_TARGET,
1843 .name = ARPT_ERROR_TARGET, 1839 .target = arpt_error,
1844 .target = arpt_error, 1840 .targetsize = ARPT_FUNCTION_MAXNAMELEN,
1845 .targetsize = ARPT_FUNCTION_MAXNAMELEN, 1841 .family = NFPROTO_ARP,
1846 .family = NFPROTO_ARP, 1842 },
1847}; 1843};
1848 1844
1849static struct nf_sockopt_ops arpt_sockopts = { 1845static struct nf_sockopt_ops arpt_sockopts = {
@@ -1887,12 +1883,9 @@ static int __init arp_tables_init(void)
1887 goto err1; 1883 goto err1;
1888 1884
1889 /* Noone else will be downing sem now, so we won't sleep */ 1885 /* Noone else will be downing sem now, so we won't sleep */
1890 ret = xt_register_target(&arpt_standard_target); 1886 ret = xt_register_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
1891 if (ret < 0) 1887 if (ret < 0)
1892 goto err2; 1888 goto err2;
1893 ret = xt_register_target(&arpt_error_target);
1894 if (ret < 0)
1895 goto err3;
1896 1889
1897 /* Register setsockopt */ 1890 /* Register setsockopt */
1898 ret = nf_register_sockopt(&arpt_sockopts); 1891 ret = nf_register_sockopt(&arpt_sockopts);
@@ -1903,9 +1896,7 @@ static int __init arp_tables_init(void)
1903 return 0; 1896 return 0;
1904 1897
1905err4: 1898err4:
1906 xt_unregister_target(&arpt_error_target); 1899 xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
1907err3:
1908 xt_unregister_target(&arpt_standard_target);
1909err2: 1900err2:
1910 unregister_pernet_subsys(&arp_tables_net_ops); 1901 unregister_pernet_subsys(&arp_tables_net_ops);
1911err1: 1902err1:
@@ -1915,8 +1906,7 @@ err1:
1915static void __exit arp_tables_fini(void) 1906static void __exit arp_tables_fini(void)
1916{ 1907{
1917 nf_unregister_sockopt(&arpt_sockopts); 1908 nf_unregister_sockopt(&arpt_sockopts);
1918 xt_unregister_target(&arpt_error_target); 1909 xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
1919 xt_unregister_target(&arpt_standard_target);
1920 unregister_pernet_subsys(&arp_tables_net_ops); 1910 unregister_pernet_subsys(&arp_tables_net_ops);
1921} 1911}
1922 1912
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 4b51a027f307..e1be7dd1171b 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -9,7 +9,7 @@ MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
9MODULE_DESCRIPTION("arptables arp payload mangle target"); 9MODULE_DESCRIPTION("arptables arp payload mangle target");
10 10
11static unsigned int 11static unsigned int
12target(struct sk_buff *skb, const struct xt_target_param *par) 12target(struct sk_buff *skb, const struct xt_action_param *par)
13{ 13{
14 const struct arpt_mangle *mangle = par->targinfo; 14 const struct arpt_mangle *mangle = par->targinfo;
15 const struct arphdr *arp; 15 const struct arphdr *arp;
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index c838238104f5..a4e5fc5df4bf 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -461,7 +461,6 @@ __ipq_rcv_skb(struct sk_buff *skb)
461 461
462 if (flags & NLM_F_ACK) 462 if (flags & NLM_F_ACK)
463 netlink_ack(skb, nlh, 0); 463 netlink_ack(skb, nlh, 0);
464 return;
465} 464}
466 465
467static void 466static void
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3e6af1036fbc..63958f3394a5 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -51,12 +51,7 @@ MODULE_DESCRIPTION("IPv4 packet filter");
51#endif 51#endif
52 52
53#ifdef CONFIG_NETFILTER_DEBUG 53#ifdef CONFIG_NETFILTER_DEBUG
54#define IP_NF_ASSERT(x) \ 54#define IP_NF_ASSERT(x) WARN_ON(!(x))
55do { \
56 if (!(x)) \
57 printk("IP_NF_ASSERT: %s:%s:%u\n", \
58 __func__, __FILE__, __LINE__); \
59} while(0)
60#else 55#else
61#define IP_NF_ASSERT(x) 56#define IP_NF_ASSERT(x)
62#endif 57#endif
@@ -165,7 +160,7 @@ ip_checkentry(const struct ipt_ip *ip)
165} 160}
166 161
167static unsigned int 162static unsigned int
168ipt_error(struct sk_buff *skb, const struct xt_target_param *par) 163ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
169{ 164{
170 if (net_ratelimit()) 165 if (net_ratelimit())
171 pr_info("error: `%s'\n", (const char *)par->targinfo); 166 pr_info("error: `%s'\n", (const char *)par->targinfo);
@@ -173,21 +168,6 @@ ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
173 return NF_DROP; 168 return NF_DROP;
174} 169}
175 170
176/* Performance critical - called for every packet */
177static inline bool
178do_match(const struct ipt_entry_match *m, const struct sk_buff *skb,
179 struct xt_match_param *par)
180{
181 par->match = m->u.kernel.match;
182 par->matchinfo = m->data;
183
184 /* Stop iteration if it doesn't match */
185 if (!m->u.kernel.match->match(skb, par))
186 return true;
187 else
188 return false;
189}
190
191/* Performance critical */ 171/* Performance critical */
192static inline struct ipt_entry * 172static inline struct ipt_entry *
193get_entry(const void *base, unsigned int offset) 173get_entry(const void *base, unsigned int offset)
@@ -323,7 +303,6 @@ ipt_do_table(struct sk_buff *skb,
323{ 303{
324 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 304 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
325 const struct iphdr *ip; 305 const struct iphdr *ip;
326 bool hotdrop = false;
327 /* Initializing verdict to NF_DROP keeps gcc happy. */ 306 /* Initializing verdict to NF_DROP keeps gcc happy. */
328 unsigned int verdict = NF_DROP; 307 unsigned int verdict = NF_DROP;
329 const char *indev, *outdev; 308 const char *indev, *outdev;
@@ -331,8 +310,7 @@ ipt_do_table(struct sk_buff *skb,
331 struct ipt_entry *e, **jumpstack; 310 struct ipt_entry *e, **jumpstack;
332 unsigned int *stackptr, origptr, cpu; 311 unsigned int *stackptr, origptr, cpu;
333 const struct xt_table_info *private; 312 const struct xt_table_info *private;
334 struct xt_match_param mtpar; 313 struct xt_action_param acpar;
335 struct xt_target_param tgpar;
336 314
337 /* Initialization */ 315 /* Initialization */
338 ip = ip_hdr(skb); 316 ip = ip_hdr(skb);
@@ -344,13 +322,13 @@ ipt_do_table(struct sk_buff *skb,
344 * things we don't know, ie. tcp syn flag or ports). If the 322 * things we don't know, ie. tcp syn flag or ports). If the
345 * rule is also a fragment-specific rule, non-fragments won't 323 * rule is also a fragment-specific rule, non-fragments won't
346 * match it. */ 324 * match it. */
347 mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET; 325 acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
348 mtpar.thoff = ip_hdrlen(skb); 326 acpar.thoff = ip_hdrlen(skb);
349 mtpar.hotdrop = &hotdrop; 327 acpar.hotdrop = false;
350 mtpar.in = tgpar.in = in; 328 acpar.in = in;
351 mtpar.out = tgpar.out = out; 329 acpar.out = out;
352 mtpar.family = tgpar.family = NFPROTO_IPV4; 330 acpar.family = NFPROTO_IPV4;
353 mtpar.hooknum = tgpar.hooknum = hook; 331 acpar.hooknum = hook;
354 332
355 IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 333 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
356 xt_info_rdlock_bh(); 334 xt_info_rdlock_bh();
@@ -373,15 +351,18 @@ ipt_do_table(struct sk_buff *skb,
373 351
374 IP_NF_ASSERT(e); 352 IP_NF_ASSERT(e);
375 if (!ip_packet_match(ip, indev, outdev, 353 if (!ip_packet_match(ip, indev, outdev,
376 &e->ip, mtpar.fragoff)) { 354 &e->ip, acpar.fragoff)) {
377 no_match: 355 no_match:
378 e = ipt_next_entry(e); 356 e = ipt_next_entry(e);
379 continue; 357 continue;
380 } 358 }
381 359
382 xt_ematch_foreach(ematch, e) 360 xt_ematch_foreach(ematch, e) {
383 if (do_match(ematch, skb, &mtpar) != 0) 361 acpar.match = ematch->u.kernel.match;
362 acpar.matchinfo = ematch->data;
363 if (!acpar.match->match(skb, &acpar))
384 goto no_match; 364 goto no_match;
365 }
385 366
386 ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1); 367 ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
387 368
@@ -434,11 +415,10 @@ ipt_do_table(struct sk_buff *skb,
434 continue; 415 continue;
435 } 416 }
436 417
437 tgpar.target = t->u.kernel.target; 418 acpar.target = t->u.kernel.target;
438 tgpar.targinfo = t->data; 419 acpar.targinfo = t->data;
439
440 420
441 verdict = t->u.kernel.target->target(skb, &tgpar); 421 verdict = t->u.kernel.target->target(skb, &acpar);
442 /* Target might have changed stuff. */ 422 /* Target might have changed stuff. */
443 ip = ip_hdr(skb); 423 ip = ip_hdr(skb);
444 if (verdict == IPT_CONTINUE) 424 if (verdict == IPT_CONTINUE)
@@ -446,7 +426,7 @@ ipt_do_table(struct sk_buff *skb,
446 else 426 else
447 /* Verdict */ 427 /* Verdict */
448 break; 428 break;
449 } while (!hotdrop); 429 } while (!acpar.hotdrop);
450 xt_info_rdunlock_bh(); 430 xt_info_rdunlock_bh();
451 pr_debug("Exiting %s; resetting sp from %u to %u\n", 431 pr_debug("Exiting %s; resetting sp from %u to %u\n",
452 __func__, *stackptr, origptr); 432 __func__, *stackptr, origptr);
@@ -454,7 +434,7 @@ ipt_do_table(struct sk_buff *skb,
454#ifdef DEBUG_ALLOW_ALL 434#ifdef DEBUG_ALLOW_ALL
455 return NF_ACCEPT; 435 return NF_ACCEPT;
456#else 436#else
457 if (hotdrop) 437 if (acpar.hotdrop)
458 return NF_DROP; 438 return NF_DROP;
459 else return verdict; 439 else return verdict;
460#endif 440#endif
@@ -486,7 +466,7 @@ mark_source_chains(const struct xt_table_info *newinfo,
486 int visited = e->comefrom & (1 << hook); 466 int visited = e->comefrom & (1 << hook);
487 467
488 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { 468 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
489 printk("iptables: loop hook %u pos %u %08X.\n", 469 pr_err("iptables: loop hook %u pos %u %08X.\n",
490 hook, pos, e->comefrom); 470 hook, pos, e->comefrom);
491 return 0; 471 return 0;
492 } 472 }
@@ -591,7 +571,7 @@ check_entry(const struct ipt_entry *e, const char *name)
591 const struct ipt_entry_target *t; 571 const struct ipt_entry_target *t;
592 572
593 if (!ip_checkentry(&e->ip)) { 573 if (!ip_checkentry(&e->ip)) {
594 duprintf("ip check failed %p %s.\n", e, name); 574 duprintf("ip check failed %p %s.\n", e, par->match->name);
595 return -EINVAL; 575 return -EINVAL;
596 } 576 }
597 577
@@ -618,7 +598,7 @@ check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
618 ret = xt_check_match(par, m->u.match_size - sizeof(*m), 598 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
619 ip->proto, ip->invflags & IPT_INV_PROTO); 599 ip->proto, ip->invflags & IPT_INV_PROTO);
620 if (ret < 0) { 600 if (ret < 0) {
621 duprintf("check failed for `%s'.\n", par.match->name); 601 duprintf("check failed for `%s'.\n", par->match->name);
622 return ret; 602 return ret;
623 } 603 }
624 return 0; 604 return 0;
@@ -2152,7 +2132,7 @@ icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2152} 2132}
2153 2133
2154static bool 2134static bool
2155icmp_match(const struct sk_buff *skb, const struct xt_match_param *par) 2135icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
2156{ 2136{
2157 const struct icmphdr *ic; 2137 const struct icmphdr *ic;
2158 struct icmphdr _icmph; 2138 struct icmphdr _icmph;
@@ -2168,7 +2148,7 @@ icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
2168 * can't. Hence, no choice but to drop. 2148 * can't. Hence, no choice but to drop.
2169 */ 2149 */
2170 duprintf("Dropping evil ICMP tinygram.\n"); 2150 duprintf("Dropping evil ICMP tinygram.\n");
2171 *par->hotdrop = true; 2151 par->hotdrop = true;
2172 return false; 2152 return false;
2173 } 2153 }
2174 2154
@@ -2187,23 +2167,23 @@ static int icmp_checkentry(const struct xt_mtchk_param *par)
2187 return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0; 2167 return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
2188} 2168}
2189 2169
2190/* The built-in targets: standard (NULL) and error. */ 2170static struct xt_target ipt_builtin_tg[] __read_mostly = {
2191static struct xt_target ipt_standard_target __read_mostly = { 2171 {
2192 .name = IPT_STANDARD_TARGET, 2172 .name = IPT_STANDARD_TARGET,
2193 .targetsize = sizeof(int), 2173 .targetsize = sizeof(int),
2194 .family = NFPROTO_IPV4, 2174 .family = NFPROTO_IPV4,
2195#ifdef CONFIG_COMPAT 2175#ifdef CONFIG_COMPAT
2196 .compatsize = sizeof(compat_int_t), 2176 .compatsize = sizeof(compat_int_t),
2197 .compat_from_user = compat_standard_from_user, 2177 .compat_from_user = compat_standard_from_user,
2198 .compat_to_user = compat_standard_to_user, 2178 .compat_to_user = compat_standard_to_user,
2199#endif 2179#endif
2200}; 2180 },
2201 2181 {
2202static struct xt_target ipt_error_target __read_mostly = { 2182 .name = IPT_ERROR_TARGET,
2203 .name = IPT_ERROR_TARGET, 2183 .target = ipt_error,
2204 .target = ipt_error, 2184 .targetsize = IPT_FUNCTION_MAXNAMELEN,
2205 .targetsize = IPT_FUNCTION_MAXNAMELEN, 2185 .family = NFPROTO_IPV4,
2206 .family = NFPROTO_IPV4, 2186 },
2207}; 2187};
2208 2188
2209static struct nf_sockopt_ops ipt_sockopts = { 2189static struct nf_sockopt_ops ipt_sockopts = {
@@ -2223,13 +2203,15 @@ static struct nf_sockopt_ops ipt_sockopts = {
2223 .owner = THIS_MODULE, 2203 .owner = THIS_MODULE,
2224}; 2204};
2225 2205
2226static struct xt_match icmp_matchstruct __read_mostly = { 2206static struct xt_match ipt_builtin_mt[] __read_mostly = {
2227 .name = "icmp", 2207 {
2228 .match = icmp_match, 2208 .name = "icmp",
2229 .matchsize = sizeof(struct ipt_icmp), 2209 .match = icmp_match,
2230 .checkentry = icmp_checkentry, 2210 .matchsize = sizeof(struct ipt_icmp),
2231 .proto = IPPROTO_ICMP, 2211 .checkentry = icmp_checkentry,
2232 .family = NFPROTO_IPV4, 2212 .proto = IPPROTO_ICMP,
2213 .family = NFPROTO_IPV4,
2214 },
2233}; 2215};
2234 2216
2235static int __net_init ip_tables_net_init(struct net *net) 2217static int __net_init ip_tables_net_init(struct net *net)
@@ -2256,13 +2238,10 @@ static int __init ip_tables_init(void)
2256 goto err1; 2238 goto err1;
2257 2239
2258 /* Noone else will be downing sem now, so we won't sleep */ 2240 /* Noone else will be downing sem now, so we won't sleep */
2259 ret = xt_register_target(&ipt_standard_target); 2241 ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2260 if (ret < 0) 2242 if (ret < 0)
2261 goto err2; 2243 goto err2;
2262 ret = xt_register_target(&ipt_error_target); 2244 ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2263 if (ret < 0)
2264 goto err3;
2265 ret = xt_register_match(&icmp_matchstruct);
2266 if (ret < 0) 2245 if (ret < 0)
2267 goto err4; 2246 goto err4;
2268 2247
@@ -2275,11 +2254,9 @@ static int __init ip_tables_init(void)
2275 return 0; 2254 return 0;
2276 2255
2277err5: 2256err5:
2278 xt_unregister_match(&icmp_matchstruct); 2257 xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2279err4: 2258err4:
2280 xt_unregister_target(&ipt_error_target); 2259 xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2281err3:
2282 xt_unregister_target(&ipt_standard_target);
2283err2: 2260err2:
2284 unregister_pernet_subsys(&ip_tables_net_ops); 2261 unregister_pernet_subsys(&ip_tables_net_ops);
2285err1: 2262err1:
@@ -2290,10 +2267,8 @@ static void __exit ip_tables_fini(void)
2290{ 2267{
2291 nf_unregister_sockopt(&ipt_sockopts); 2268 nf_unregister_sockopt(&ipt_sockopts);
2292 2269
2293 xt_unregister_match(&icmp_matchstruct); 2270 xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2294 xt_unregister_target(&ipt_error_target); 2271 xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2295 xt_unregister_target(&ipt_standard_target);
2296
2297 unregister_pernet_subsys(&ip_tables_net_ops); 2272 unregister_pernet_subsys(&ip_tables_net_ops);
2298} 2273}
2299 2274
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 8815d458de46..f91c94b9a790 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -282,7 +282,7 @@ clusterip_responsible(const struct clusterip_config *config, u_int32_t hash)
282 ***********************************************************************/ 282 ***********************************************************************/
283 283
284static unsigned int 284static unsigned int
285clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par) 285clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
286{ 286{
287 const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo; 287 const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
288 struct nf_conn *ct; 288 struct nf_conn *ct;
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 563049f31aef..4bf3dc49ad1e 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -77,7 +77,7 @@ set_ect_tcp(struct sk_buff *skb, const struct ipt_ECN_info *einfo)
77} 77}
78 78
79static unsigned int 79static unsigned int
80ecn_tg(struct sk_buff *skb, const struct xt_target_param *par) 80ecn_tg(struct sk_buff *skb, const struct xt_action_param *par)
81{ 81{
82 const struct ipt_ECN_info *einfo = par->targinfo; 82 const struct ipt_ECN_info *einfo = par->targinfo;
83 83
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 3bd35f370817..5234f4f3499a 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -425,7 +425,7 @@ ipt_log_packet(u_int8_t pf,
425} 425}
426 426
427static unsigned int 427static unsigned int
428log_tg(struct sk_buff *skb, const struct xt_target_param *par) 428log_tg(struct sk_buff *skb, const struct xt_action_param *par)
429{ 429{
430 const struct ipt_log_info *loginfo = par->targinfo; 430 const struct ipt_log_info *loginfo = par->targinfo;
431 struct nf_loginfo li; 431 struct nf_loginfo li;
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 02b1bc477998..d2ed9dc74ebc 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -44,7 +44,7 @@ static int masquerade_tg_check(const struct xt_tgchk_param *par)
44} 44}
45 45
46static unsigned int 46static unsigned int
47masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par) 47masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
48{ 48{
49 struct nf_conn *ct; 49 struct nf_conn *ct;
50 struct nf_conn_nat *nat; 50 struct nf_conn_nat *nat;
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 708c7f8f7eea..f43867d1697f 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -38,7 +38,7 @@ static int netmap_tg_check(const struct xt_tgchk_param *par)
38} 38}
39 39
40static unsigned int 40static unsigned int
41netmap_tg(struct sk_buff *skb, const struct xt_target_param *par) 41netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
42{ 42{
43 struct nf_conn *ct; 43 struct nf_conn *ct;
44 enum ip_conntrack_info ctinfo; 44 enum ip_conntrack_info ctinfo;
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 3cf101916523..18a0656505a0 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -42,7 +42,7 @@ static int redirect_tg_check(const struct xt_tgchk_param *par)
42} 42}
43 43
44static unsigned int 44static unsigned int
45redirect_tg(struct sk_buff *skb, const struct xt_target_param *par) 45redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
46{ 46{
47 struct nf_conn *ct; 47 struct nf_conn *ct;
48 enum ip_conntrack_info ctinfo; 48 enum ip_conntrack_info ctinfo;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index a86135a28058..f5f4a888e4ec 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -136,7 +136,7 @@ static inline void send_unreach(struct sk_buff *skb_in, int code)
136} 136}
137 137
138static unsigned int 138static unsigned int
139reject_tg(struct sk_buff *skb, const struct xt_target_param *par) 139reject_tg(struct sk_buff *skb, const struct xt_action_param *par)
140{ 140{
141 const struct ipt_reject_info *reject = par->targinfo; 141 const struct ipt_reject_info *reject = par->targinfo;
142 142
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 8f60749e87a3..446e0f467a17 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -276,7 +276,7 @@ alloc_failure:
276} 276}
277 277
278static unsigned int 278static unsigned int
279ulog_tg(struct sk_buff *skb, const struct xt_target_param *par) 279ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
280{ 280{
281 ipt_ulog_packet(par->hooknum, skb, par->in, par->out, 281 ipt_ulog_packet(par->hooknum, skb, par->in, par->out,
282 par->targinfo, NULL); 282 par->targinfo, NULL);
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index e4b8f2bf8aaa..db8bff0fb86d 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -30,7 +30,7 @@ static inline bool match_type(struct net *net, const struct net_device *dev,
30} 30}
31 31
32static bool 32static bool
33addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) 33addrtype_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
34{ 34{
35 struct net *net = dev_net(par->in ? par->in : par->out); 35 struct net *net = dev_net(par->in ? par->in : par->out);
36 const struct ipt_addrtype_info *info = par->matchinfo; 36 const struct ipt_addrtype_info *info = par->matchinfo;
@@ -48,7 +48,7 @@ addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
48} 48}
49 49
50static bool 50static bool
51addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par) 51addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
52{ 52{
53 struct net *net = dev_net(par->in ? par->in : par->out); 53 struct net *net = dev_net(par->in ? par->in : par->out);
54 const struct ipt_addrtype_info_v1 *info = par->matchinfo; 54 const struct ipt_addrtype_info_v1 *info = par->matchinfo;
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 9f9810204892..14a2aa8b8a14 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -30,7 +30,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
30 return r; 30 return r;
31} 31}
32 32
33static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par) 33static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
34{ 34{
35 struct ip_auth_hdr _ahdr; 35 struct ip_auth_hdr _ahdr;
36 const struct ip_auth_hdr *ah; 36 const struct ip_auth_hdr *ah;
@@ -46,7 +46,7 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
46 * can't. Hence, no choice but to drop. 46 * can't. Hence, no choice but to drop.
47 */ 47 */
48 pr_debug("Dropping evil AH tinygram.\n"); 48 pr_debug("Dropping evil AH tinygram.\n");
49 *par->hotdrop = true; 49 par->hotdrop = true;
50 return 0; 50 return 0;
51 } 51 }
52 52
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 32e24100d8d1..af6e9c778345 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -67,7 +67,7 @@ static inline bool match_tcp(const struct sk_buff *skb,
67 return true; 67 return true;
68} 68}
69 69
70static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par) 70static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
71{ 71{
72 const struct ipt_ecn_info *info = par->matchinfo; 72 const struct ipt_ecn_info *info = par->matchinfo;
73 73
@@ -78,7 +78,7 @@ static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
78 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { 78 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
79 if (ip_hdr(skb)->protocol != IPPROTO_TCP) 79 if (ip_hdr(skb)->protocol != IPPROTO_TCP)
80 return false; 80 return false;
81 if (!match_tcp(skb, info, par->hotdrop)) 81 if (!match_tcp(skb, info, &par->hotdrop))
82 return false; 82 return false;
83 } 83 }
84 84
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 55392466daa4..c37641e819f2 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -89,7 +89,7 @@ static int __init iptable_filter_init(void)
89 int ret; 89 int ret;
90 90
91 if (forward < 0 || forward > NF_MAX_VERDICT) { 91 if (forward < 0 || forward > NF_MAX_VERDICT) {
92 printk("iptables forward must be 0 or 1\n"); 92 pr_err("iptables forward must be 0 or 1\n");
93 return -EINVAL; 93 return -EINVAL;
94 } 94 }
95 95
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 2bb1f87051c4..5a03c02af999 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -382,32 +382,32 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
382 382
383 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp4); 383 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp4);
384 if (ret < 0) { 384 if (ret < 0) {
385 printk("nf_conntrack_ipv4: can't register tcp.\n"); 385 pr_err("nf_conntrack_ipv4: can't register tcp.\n");
386 goto cleanup_sockopt; 386 goto cleanup_sockopt;
387 } 387 }
388 388
389 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp4); 389 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp4);
390 if (ret < 0) { 390 if (ret < 0) {
391 printk("nf_conntrack_ipv4: can't register udp.\n"); 391 pr_err("nf_conntrack_ipv4: can't register udp.\n");
392 goto cleanup_tcp; 392 goto cleanup_tcp;
393 } 393 }
394 394
395 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmp); 395 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmp);
396 if (ret < 0) { 396 if (ret < 0) {
397 printk("nf_conntrack_ipv4: can't register icmp.\n"); 397 pr_err("nf_conntrack_ipv4: can't register icmp.\n");
398 goto cleanup_udp; 398 goto cleanup_udp;
399 } 399 }
400 400
401 ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv4); 401 ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv4);
402 if (ret < 0) { 402 if (ret < 0) {
403 printk("nf_conntrack_ipv4: can't register ipv4\n"); 403 pr_err("nf_conntrack_ipv4: can't register ipv4\n");
404 goto cleanup_icmp; 404 goto cleanup_icmp;
405 } 405 }
406 406
407 ret = nf_register_hooks(ipv4_conntrack_ops, 407 ret = nf_register_hooks(ipv4_conntrack_ops,
408 ARRAY_SIZE(ipv4_conntrack_ops)); 408 ARRAY_SIZE(ipv4_conntrack_ops));
409 if (ret < 0) { 409 if (ret < 0) {
410 printk("nf_conntrack_ipv4: can't register hooks.\n"); 410 pr_err("nf_conntrack_ipv4: can't register hooks.\n");
411 goto cleanup_ipv4; 411 goto cleanup_ipv4;
412 } 412 }
413#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) 413#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index d4c061874f8f..5045196d853c 100644
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -43,7 +43,7 @@ static int set_addr(struct sk_buff *skb,
43 addroff, sizeof(buf), 43 addroff, sizeof(buf),
44 (char *) &buf, sizeof(buf))) { 44 (char *) &buf, sizeof(buf))) {
45 if (net_ratelimit()) 45 if (net_ratelimit())
46 printk("nf_nat_h323: nf_nat_mangle_tcp_packet" 46 pr_notice("nf_nat_h323: nf_nat_mangle_tcp_packet"
47 " error\n"); 47 " error\n");
48 return -1; 48 return -1;
49 } 49 }
@@ -59,7 +59,7 @@ static int set_addr(struct sk_buff *skb,
59 addroff, sizeof(buf), 59 addroff, sizeof(buf),
60 (char *) &buf, sizeof(buf))) { 60 (char *) &buf, sizeof(buf))) {
61 if (net_ratelimit()) 61 if (net_ratelimit())
62 printk("nf_nat_h323: nf_nat_mangle_udp_packet" 62 pr_notice("nf_nat_h323: nf_nat_mangle_udp_packet"
63 " error\n"); 63 " error\n");
64 return -1; 64 return -1;
65 } 65 }
@@ -215,7 +215,7 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
215 /* Run out of expectations */ 215 /* Run out of expectations */
216 if (i >= H323_RTP_CHANNEL_MAX) { 216 if (i >= H323_RTP_CHANNEL_MAX) {
217 if (net_ratelimit()) 217 if (net_ratelimit())
218 printk("nf_nat_h323: out of expectations\n"); 218 pr_notice("nf_nat_h323: out of expectations\n");
219 return 0; 219 return 0;
220 } 220 }
221 221
@@ -234,7 +234,7 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
234 234
235 if (nated_port == 0) { /* No port available */ 235 if (nated_port == 0) { /* No port available */
236 if (net_ratelimit()) 236 if (net_ratelimit())
237 printk("nf_nat_h323: out of RTP ports\n"); 237 pr_notice("nf_nat_h323: out of RTP ports\n");
238 return 0; 238 return 0;
239 } 239 }
240 240
@@ -291,7 +291,7 @@ static int nat_t120(struct sk_buff *skb, struct nf_conn *ct,
291 291
292 if (nated_port == 0) { /* No port available */ 292 if (nated_port == 0) { /* No port available */
293 if (net_ratelimit()) 293 if (net_ratelimit())
294 printk("nf_nat_h323: out of TCP ports\n"); 294 pr_notice("nf_nat_h323: out of TCP ports\n");
295 return 0; 295 return 0;
296 } 296 }
297 297
@@ -341,7 +341,7 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct,
341 341
342 if (nated_port == 0) { /* No port available */ 342 if (nated_port == 0) { /* No port available */
343 if (net_ratelimit()) 343 if (net_ratelimit())
344 printk("nf_nat_q931: out of TCP ports\n"); 344 pr_notice("nf_nat_q931: out of TCP ports\n");
345 return 0; 345 return 0;
346 } 346 }
347 347
@@ -425,7 +425,7 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct,
425 425
426 if (nated_port == 0) { /* No port available */ 426 if (nated_port == 0) { /* No port available */
427 if (net_ratelimit()) 427 if (net_ratelimit())
428 printk("nf_nat_ras: out of TCP ports\n"); 428 pr_notice("nf_nat_ras: out of TCP ports\n");
429 return 0; 429 return 0;
430 } 430 }
431 431
@@ -507,7 +507,7 @@ static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct,
507 507
508 if (nated_port == 0) { /* No port available */ 508 if (nated_port == 0) { /* No port available */
509 if (net_ratelimit()) 509 if (net_ratelimit())
510 printk("nf_nat_q931: out of TCP ports\n"); 510 pr_notice("nf_nat_q931: out of TCP ports\n");
511 return 0; 511 return 0;
512 } 512 }
513 513
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index b48a0fc3d9ed..98ed78281aee 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -39,7 +39,7 @@ static const struct xt_table nat_table = {
39 39
40/* Source NAT */ 40/* Source NAT */
41static unsigned int 41static unsigned int
42ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par) 42ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
43{ 43{
44 struct nf_conn *ct; 44 struct nf_conn *ct;
45 enum ip_conntrack_info ctinfo; 45 enum ip_conntrack_info ctinfo;
@@ -58,7 +58,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par)
58} 58}
59 59
60static unsigned int 60static unsigned int
61ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par) 61ipt_dnat_target(struct sk_buff *skb, const struct xt_action_param *par)
62{ 62{
63 struct nf_conn *ct; 63 struct nf_conn *ct;
64 enum ip_conntrack_info ctinfo; 64 enum ip_conntrack_info ctinfo;
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 4d85b6e55f29..1679e2c0963d 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -401,7 +401,7 @@ static unsigned char asn1_octets_decode(struct asn1_ctx *ctx,
401 *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC); 401 *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
402 if (*octets == NULL) { 402 if (*octets == NULL) {
403 if (net_ratelimit()) 403 if (net_ratelimit())
404 printk("OOM in bsalg (%d)\n", __LINE__); 404 pr_notice("OOM in bsalg (%d)\n", __LINE__);
405 return 0; 405 return 0;
406 } 406 }
407 407
@@ -452,7 +452,7 @@ static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
452 *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC); 452 *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
453 if (*oid == NULL) { 453 if (*oid == NULL) {
454 if (net_ratelimit()) 454 if (net_ratelimit())
455 printk("OOM in bsalg (%d)\n", __LINE__); 455 pr_notice("OOM in bsalg (%d)\n", __LINE__);
456 return 0; 456 return 0;
457 } 457 }
458 458
@@ -729,7 +729,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
729 if (*obj == NULL) { 729 if (*obj == NULL) {
730 kfree(id); 730 kfree(id);
731 if (net_ratelimit()) 731 if (net_ratelimit())
732 printk("OOM in bsalg (%d)\n", __LINE__); 732 pr_notice("OOM in bsalg (%d)\n", __LINE__);
733 return 0; 733 return 0;
734 } 734 }
735 (*obj)->syntax.l[0] = l; 735 (*obj)->syntax.l[0] = l;
@@ -746,7 +746,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
746 kfree(p); 746 kfree(p);
747 kfree(id); 747 kfree(id);
748 if (net_ratelimit()) 748 if (net_ratelimit())
749 printk("OOM in bsalg (%d)\n", __LINE__); 749 pr_notice("OOM in bsalg (%d)\n", __LINE__);
750 return 0; 750 return 0;
751 } 751 }
752 memcpy((*obj)->syntax.c, p, len); 752 memcpy((*obj)->syntax.c, p, len);
@@ -761,7 +761,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
761 if (*obj == NULL) { 761 if (*obj == NULL) {
762 kfree(id); 762 kfree(id);
763 if (net_ratelimit()) 763 if (net_ratelimit())
764 printk("OOM in bsalg (%d)\n", __LINE__); 764 pr_notice("OOM in bsalg (%d)\n", __LINE__);
765 return 0; 765 return 0;
766 } 766 }
767 if (!asn1_null_decode(ctx, end)) { 767 if (!asn1_null_decode(ctx, end)) {
@@ -782,7 +782,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
782 kfree(lp); 782 kfree(lp);
783 kfree(id); 783 kfree(id);
784 if (net_ratelimit()) 784 if (net_ratelimit())
785 printk("OOM in bsalg (%d)\n", __LINE__); 785 pr_notice("OOM in bsalg (%d)\n", __LINE__);
786 return 0; 786 return 0;
787 } 787 }
788 memcpy((*obj)->syntax.ul, lp, len); 788 memcpy((*obj)->syntax.ul, lp, len);
@@ -803,7 +803,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
803 kfree(p); 803 kfree(p);
804 kfree(id); 804 kfree(id);
805 if (net_ratelimit()) 805 if (net_ratelimit())
806 printk("OOM in bsalg (%d)\n", __LINE__); 806 pr_notice("OOM in bsalg (%d)\n", __LINE__);
807 return 0; 807 return 0;
808 } 808 }
809 memcpy((*obj)->syntax.uc, p, len); 809 memcpy((*obj)->syntax.uc, p, len);
@@ -821,7 +821,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
821 if (*obj == NULL) { 821 if (*obj == NULL) {
822 kfree(id); 822 kfree(id);
823 if (net_ratelimit()) 823 if (net_ratelimit())
824 printk("OOM in bsalg (%d)\n", __LINE__); 824 pr_notice("OOM in bsalg (%d)\n", __LINE__);
825 return 0; 825 return 0;
826 } 826 }
827 (*obj)->syntax.ul[0] = ul; 827 (*obj)->syntax.ul[0] = ul;
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 84c7974f5830..beb25819c9c9 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -293,12 +293,12 @@ static int __init nf_nat_standalone_init(void)
293#endif 293#endif
294 ret = nf_nat_rule_init(); 294 ret = nf_nat_rule_init();
295 if (ret < 0) { 295 if (ret < 0) {
296 printk("nf_nat_init: can't setup rules.\n"); 296 pr_err("nf_nat_init: can't setup rules.\n");
297 goto cleanup_decode_session; 297 goto cleanup_decode_session;
298 } 298 }
299 ret = nf_register_hooks(nf_nat_ops, ARRAY_SIZE(nf_nat_ops)); 299 ret = nf_register_hooks(nf_nat_ops, ARRAY_SIZE(nf_nat_ops));
300 if (ret < 0) { 300 if (ret < 0) {
301 printk("nf_nat_init: can't register hooks.\n"); 301 pr_err("nf_nat_init: can't register hooks.\n");
302 goto cleanup_rule_init; 302 goto cleanup_rule_init;
303 } 303 }
304 return ret; 304 return ret;
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 8656eb75520c..8c201743d96d 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -462,7 +462,6 @@ __ipq_rcv_skb(struct sk_buff *skb)
462 462
463 if (flags & NLM_F_ACK) 463 if (flags & NLM_F_ACK)
464 netlink_ack(skb, nlh, 0); 464 netlink_ack(skb, nlh, 0);
465 return;
466} 465}
467 466
468static void 467static void
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 7afa11773164..6f517bd83692 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -52,12 +52,7 @@ MODULE_DESCRIPTION("IPv6 packet filter");
52#endif 52#endif
53 53
54#ifdef CONFIG_NETFILTER_DEBUG 54#ifdef CONFIG_NETFILTER_DEBUG
55#define IP_NF_ASSERT(x) \ 55#define IP_NF_ASSERT(x) WARN_ON(!(x))
56do { \
57 if (!(x)) \
58 printk("IP_NF_ASSERT: %s:%s:%u\n", \
59 __func__, __FILE__, __LINE__); \
60} while(0)
61#else 56#else
62#define IP_NF_ASSERT(x) 57#define IP_NF_ASSERT(x)
63#endif 58#endif
@@ -197,7 +192,7 @@ ip6_checkentry(const struct ip6t_ip6 *ipv6)
197} 192}
198 193
199static unsigned int 194static unsigned int
200ip6t_error(struct sk_buff *skb, const struct xt_target_param *par) 195ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
201{ 196{
202 if (net_ratelimit()) 197 if (net_ratelimit())
203 pr_info("error: `%s'\n", (const char *)par->targinfo); 198 pr_info("error: `%s'\n", (const char *)par->targinfo);
@@ -205,21 +200,6 @@ ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
205 return NF_DROP; 200 return NF_DROP;
206} 201}
207 202
208/* Performance critical - called for every packet */
209static inline bool
210do_match(const struct ip6t_entry_match *m, const struct sk_buff *skb,
211 struct xt_match_param *par)
212{
213 par->match = m->u.kernel.match;
214 par->matchinfo = m->data;
215
216 /* Stop iteration if it doesn't match */
217 if (!m->u.kernel.match->match(skb, par))
218 return true;
219 else
220 return false;
221}
222
223static inline struct ip6t_entry * 203static inline struct ip6t_entry *
224get_entry(const void *base, unsigned int offset) 204get_entry(const void *base, unsigned int offset)
225{ 205{
@@ -352,7 +332,6 @@ ip6t_do_table(struct sk_buff *skb,
352 struct xt_table *table) 332 struct xt_table *table)
353{ 333{
354 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 334 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
355 bool hotdrop = false;
356 /* Initializing verdict to NF_DROP keeps gcc happy. */ 335 /* Initializing verdict to NF_DROP keeps gcc happy. */
357 unsigned int verdict = NF_DROP; 336 unsigned int verdict = NF_DROP;
358 const char *indev, *outdev; 337 const char *indev, *outdev;
@@ -360,8 +339,7 @@ ip6t_do_table(struct sk_buff *skb,
360 struct ip6t_entry *e, **jumpstack; 339 struct ip6t_entry *e, **jumpstack;
361 unsigned int *stackptr, origptr, cpu; 340 unsigned int *stackptr, origptr, cpu;
362 const struct xt_table_info *private; 341 const struct xt_table_info *private;
363 struct xt_match_param mtpar; 342 struct xt_action_param acpar;
364 struct xt_target_param tgpar;
365 343
366 /* Initialization */ 344 /* Initialization */
367 indev = in ? in->name : nulldevname; 345 indev = in ? in->name : nulldevname;
@@ -372,11 +350,11 @@ ip6t_do_table(struct sk_buff *skb,
372 * things we don't know, ie. tcp syn flag or ports). If the 350 * things we don't know, ie. tcp syn flag or ports). If the
373 * rule is also a fragment-specific rule, non-fragments won't 351 * rule is also a fragment-specific rule, non-fragments won't
374 * match it. */ 352 * match it. */
375 mtpar.hotdrop = &hotdrop; 353 acpar.hotdrop = false;
376 mtpar.in = tgpar.in = in; 354 acpar.in = in;
377 mtpar.out = tgpar.out = out; 355 acpar.out = out;
378 mtpar.family = tgpar.family = NFPROTO_IPV6; 356 acpar.family = NFPROTO_IPV6;
379 mtpar.hooknum = tgpar.hooknum = hook; 357 acpar.hooknum = hook;
380 358
381 IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 359 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
382 360
@@ -396,15 +374,18 @@ ip6t_do_table(struct sk_buff *skb,
396 374
397 IP_NF_ASSERT(e); 375 IP_NF_ASSERT(e);
398 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, 376 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
399 &mtpar.thoff, &mtpar.fragoff, &hotdrop)) { 377 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
400 no_match: 378 no_match:
401 e = ip6t_next_entry(e); 379 e = ip6t_next_entry(e);
402 continue; 380 continue;
403 } 381 }
404 382
405 xt_ematch_foreach(ematch, e) 383 xt_ematch_foreach(ematch, e) {
406 if (do_match(ematch, skb, &mtpar) != 0) 384 acpar.match = ematch->u.kernel.match;
385 acpar.matchinfo = ematch->data;
386 if (!acpar.match->match(skb, &acpar))
407 goto no_match; 387 goto no_match;
388 }
408 389
409 ADD_COUNTER(e->counters, 390 ADD_COUNTER(e->counters,
410 ntohs(ipv6_hdr(skb)->payload_len) + 391 ntohs(ipv6_hdr(skb)->payload_len) +
@@ -451,16 +432,16 @@ ip6t_do_table(struct sk_buff *skb,
451 continue; 432 continue;
452 } 433 }
453 434
454 tgpar.target = t->u.kernel.target; 435 acpar.target = t->u.kernel.target;
455 tgpar.targinfo = t->data; 436 acpar.targinfo = t->data;
456 437
457 verdict = t->u.kernel.target->target(skb, &tgpar); 438 verdict = t->u.kernel.target->target(skb, &acpar);
458 if (verdict == IP6T_CONTINUE) 439 if (verdict == IP6T_CONTINUE)
459 e = ip6t_next_entry(e); 440 e = ip6t_next_entry(e);
460 else 441 else
461 /* Verdict */ 442 /* Verdict */
462 break; 443 break;
463 } while (!hotdrop); 444 } while (!acpar.hotdrop);
464 445
465 xt_info_rdunlock_bh(); 446 xt_info_rdunlock_bh();
466 *stackptr = origptr; 447 *stackptr = origptr;
@@ -468,7 +449,7 @@ ip6t_do_table(struct sk_buff *skb,
468#ifdef DEBUG_ALLOW_ALL 449#ifdef DEBUG_ALLOW_ALL
469 return NF_ACCEPT; 450 return NF_ACCEPT;
470#else 451#else
471 if (hotdrop) 452 if (acpar.hotdrop)
472 return NF_DROP; 453 return NF_DROP;
473 else return verdict; 454 else return verdict;
474#endif 455#endif
@@ -500,7 +481,7 @@ mark_source_chains(const struct xt_table_info *newinfo,
500 int visited = e->comefrom & (1 << hook); 481 int visited = e->comefrom & (1 << hook);
501 482
502 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { 483 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
503 printk("iptables: loop hook %u pos %u %08X.\n", 484 pr_err("iptables: loop hook %u pos %u %08X.\n",
504 hook, pos, e->comefrom); 485 hook, pos, e->comefrom);
505 return 0; 486 return 0;
506 } 487 }
@@ -2167,7 +2148,7 @@ icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2167} 2148}
2168 2149
2169static bool 2150static bool
2170icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par) 2151icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
2171{ 2152{
2172 const struct icmp6hdr *ic; 2153 const struct icmp6hdr *ic;
2173 struct icmp6hdr _icmph; 2154 struct icmp6hdr _icmph;
@@ -2183,7 +2164,7 @@ icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
2183 * can't. Hence, no choice but to drop. 2164 * can't. Hence, no choice but to drop.
2184 */ 2165 */
2185 duprintf("Dropping evil ICMP tinygram.\n"); 2166 duprintf("Dropping evil ICMP tinygram.\n");
2186 *par->hotdrop = true; 2167 par->hotdrop = true;
2187 return false; 2168 return false;
2188 } 2169 }
2189 2170
@@ -2204,22 +2185,23 @@ static int icmp6_checkentry(const struct xt_mtchk_param *par)
2204} 2185}
2205 2186
2206/* The built-in targets: standard (NULL) and error. */ 2187/* The built-in targets: standard (NULL) and error. */
2207static struct xt_target ip6t_standard_target __read_mostly = { 2188static struct xt_target ip6t_builtin_tg[] __read_mostly = {
2208 .name = IP6T_STANDARD_TARGET, 2189 {
2209 .targetsize = sizeof(int), 2190 .name = IP6T_STANDARD_TARGET,
2210 .family = NFPROTO_IPV6, 2191 .targetsize = sizeof(int),
2192 .family = NFPROTO_IPV6,
2211#ifdef CONFIG_COMPAT 2193#ifdef CONFIG_COMPAT
2212 .compatsize = sizeof(compat_int_t), 2194 .compatsize = sizeof(compat_int_t),
2213 .compat_from_user = compat_standard_from_user, 2195 .compat_from_user = compat_standard_from_user,
2214 .compat_to_user = compat_standard_to_user, 2196 .compat_to_user = compat_standard_to_user,
2215#endif 2197#endif
2216}; 2198 },
2217 2199 {
2218static struct xt_target ip6t_error_target __read_mostly = { 2200 .name = IP6T_ERROR_TARGET,
2219 .name = IP6T_ERROR_TARGET, 2201 .target = ip6t_error,
2220 .target = ip6t_error, 2202 .targetsize = IP6T_FUNCTION_MAXNAMELEN,
2221 .targetsize = IP6T_FUNCTION_MAXNAMELEN, 2203 .family = NFPROTO_IPV6,
2222 .family = NFPROTO_IPV6, 2204 },
2223}; 2205};
2224 2206
2225static struct nf_sockopt_ops ip6t_sockopts = { 2207static struct nf_sockopt_ops ip6t_sockopts = {
@@ -2239,13 +2221,15 @@ static struct nf_sockopt_ops ip6t_sockopts = {
2239 .owner = THIS_MODULE, 2221 .owner = THIS_MODULE,
2240}; 2222};
2241 2223
2242static struct xt_match icmp6_matchstruct __read_mostly = { 2224static struct xt_match ip6t_builtin_mt[] __read_mostly = {
2243 .name = "icmp6", 2225 {
2244 .match = icmp6_match, 2226 .name = "icmp6",
2245 .matchsize = sizeof(struct ip6t_icmp), 2227 .match = icmp6_match,
2246 .checkentry = icmp6_checkentry, 2228 .matchsize = sizeof(struct ip6t_icmp),
2247 .proto = IPPROTO_ICMPV6, 2229 .checkentry = icmp6_checkentry,
2248 .family = NFPROTO_IPV6, 2230 .proto = IPPROTO_ICMPV6,
2231 .family = NFPROTO_IPV6,
2232 },
2249}; 2233};
2250 2234
2251static int __net_init ip6_tables_net_init(struct net *net) 2235static int __net_init ip6_tables_net_init(struct net *net)
@@ -2272,13 +2256,10 @@ static int __init ip6_tables_init(void)
2272 goto err1; 2256 goto err1;
2273 2257
2274 /* Noone else will be downing sem now, so we won't sleep */ 2258 /* Noone else will be downing sem now, so we won't sleep */
2275 ret = xt_register_target(&ip6t_standard_target); 2259 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2276 if (ret < 0) 2260 if (ret < 0)
2277 goto err2; 2261 goto err2;
2278 ret = xt_register_target(&ip6t_error_target); 2262 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2279 if (ret < 0)
2280 goto err3;
2281 ret = xt_register_match(&icmp6_matchstruct);
2282 if (ret < 0) 2263 if (ret < 0)
2283 goto err4; 2264 goto err4;
2284 2265
@@ -2291,11 +2272,9 @@ static int __init ip6_tables_init(void)
2291 return 0; 2272 return 0;
2292 2273
2293err5: 2274err5:
2294 xt_unregister_match(&icmp6_matchstruct); 2275 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2295err4: 2276err4:
2296 xt_unregister_target(&ip6t_error_target); 2277 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2297err3:
2298 xt_unregister_target(&ip6t_standard_target);
2299err2: 2278err2:
2300 unregister_pernet_subsys(&ip6_tables_net_ops); 2279 unregister_pernet_subsys(&ip6_tables_net_ops);
2301err1: 2280err1:
@@ -2306,10 +2285,8 @@ static void __exit ip6_tables_fini(void)
2306{ 2285{
2307 nf_unregister_sockopt(&ip6t_sockopts); 2286 nf_unregister_sockopt(&ip6t_sockopts);
2308 2287
2309 xt_unregister_match(&icmp6_matchstruct); 2288 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2310 xt_unregister_target(&ip6t_error_target); 2289 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2311 xt_unregister_target(&ip6t_standard_target);
2312
2313 unregister_pernet_subsys(&ip6_tables_net_ops); 2290 unregister_pernet_subsys(&ip6_tables_net_ops);
2314} 2291}
2315 2292
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 1f47a525f484..af4ee11f2066 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -436,7 +436,7 @@ ip6t_log_packet(u_int8_t pf,
436} 436}
437 437
438static unsigned int 438static unsigned int
439log_tg6(struct sk_buff *skb, const struct xt_target_param *par) 439log_tg6(struct sk_buff *skb, const struct xt_action_param *par)
440{ 440{
441 const struct ip6t_log_info *loginfo = par->targinfo; 441 const struct ip6t_log_info *loginfo = par->targinfo;
442 struct nf_loginfo li; 442 struct nf_loginfo li;
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index af1d6494ac39..47d227713758 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -175,7 +175,7 @@ send_unreach(struct net *net, struct sk_buff *skb_in, unsigned char code,
175} 175}
176 176
177static unsigned int 177static unsigned int
178reject_tg6(struct sk_buff *skb, const struct xt_target_param *par) 178reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
179{ 179{
180 const struct ip6t_reject_info *reject = par->targinfo; 180 const struct ip6t_reject_info *reject = par->targinfo;
181 struct net *net = dev_net((par->in != NULL) ? par->in : par->out); 181 struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index 1580693c86c1..89cccc5a9c92 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -36,7 +36,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
36 return r; 36 return r;
37} 37}
38 38
39static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 39static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
40{ 40{
41 struct ip_auth_hdr _ah; 41 struct ip_auth_hdr _ah;
42 const struct ip_auth_hdr *ah; 42 const struct ip_auth_hdr *ah;
@@ -48,13 +48,13 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
48 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL); 48 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
49 if (err < 0) { 49 if (err < 0) {
50 if (err != -ENOENT) 50 if (err != -ENOENT)
51 *par->hotdrop = true; 51 par->hotdrop = true;
52 return false; 52 return false;
53 } 53 }
54 54
55 ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah); 55 ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
56 if (ah == NULL) { 56 if (ah == NULL) {
57 *par->hotdrop = true; 57 par->hotdrop = true;
58 return false; 58 return false;
59 } 59 }
60 60
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index ca287f6d2bce..aab0706908c5 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -20,14 +20,14 @@ MODULE_LICENSE("GPL");
20MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>"); 20MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
21 21
22static bool 22static bool
23eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 23eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
24{ 24{
25 unsigned char eui64[8]; 25 unsigned char eui64[8];
26 26
27 if (!(skb_mac_header(skb) >= skb->head && 27 if (!(skb_mac_header(skb) >= skb->head &&
28 skb_mac_header(skb) + ETH_HLEN <= skb->data) && 28 skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
29 par->fragoff != 0) { 29 par->fragoff != 0) {
30 *par->hotdrop = true; 30 par->hotdrop = true;
31 return false; 31 return false;
32 } 32 }
33 33
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index a5daf0ffb4ec..eda898fda6ca 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -35,7 +35,7 @@ id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
35} 35}
36 36
37static bool 37static bool
38frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 38frag_mt6(const struct sk_buff *skb, struct xt_action_param *par)
39{ 39{
40 struct frag_hdr _frag; 40 struct frag_hdr _frag;
41 const struct frag_hdr *fh; 41 const struct frag_hdr *fh;
@@ -46,13 +46,13 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
46 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL); 46 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
47 if (err < 0) { 47 if (err < 0) {
48 if (err != -ENOENT) 48 if (err != -ENOENT)
49 *par->hotdrop = true; 49 par->hotdrop = true;
50 return false; 50 return false;
51 } 51 }
52 52
53 fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag); 53 fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
54 if (fh == NULL) { 54 if (fh == NULL) {
55 *par->hotdrop = true; 55 par->hotdrop = true;
56 return false; 56 return false;
57 } 57 }
58 58
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index e424e7c8f824..59df051eaef6 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -44,7 +44,7 @@ MODULE_ALIAS("ip6t_dst");
44static struct xt_match hbh_mt6_reg[] __read_mostly; 44static struct xt_match hbh_mt6_reg[] __read_mostly;
45 45
46static bool 46static bool
47hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 47hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
48{ 48{
49 struct ipv6_opt_hdr _optsh; 49 struct ipv6_opt_hdr _optsh;
50 const struct ipv6_opt_hdr *oh; 50 const struct ipv6_opt_hdr *oh;
@@ -65,13 +65,13 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
65 NEXTHDR_HOP : NEXTHDR_DEST, NULL); 65 NEXTHDR_HOP : NEXTHDR_DEST, NULL);
66 if (err < 0) { 66 if (err < 0) {
67 if (err != -ENOENT) 67 if (err != -ENOENT)
68 *par->hotdrop = true; 68 par->hotdrop = true;
69 return false; 69 return false;
70 } 70 }
71 71
72 oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); 72 oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
73 if (oh == NULL) { 73 if (oh == NULL) {
74 *par->hotdrop = true; 74 par->hotdrop = true;
75 return false; 75 return false;
76 } 76 }
77 77
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 46fbabb493fa..54bd9790603f 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -27,7 +27,7 @@ MODULE_DESCRIPTION("Xtables: IPv6 header types match");
27MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>"); 27MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
28 28
29static bool 29static bool
30ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 30ipv6header_mt6(const struct sk_buff *skb, struct xt_action_param *par)
31{ 31{
32 const struct ip6t_ipv6header_info *info = par->matchinfo; 32 const struct ip6t_ipv6header_info *info = par->matchinfo;
33 unsigned int temp; 33 unsigned int temp;
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index c9f443e0138f..0c90c66b1992 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -32,7 +32,7 @@ type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
32 return (type >= min && type <= max) ^ invert; 32 return (type >= min && type <= max) ^ invert;
33} 33}
34 34
35static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 35static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
36{ 36{
37 struct ip6_mh _mh; 37 struct ip6_mh _mh;
38 const struct ip6_mh *mh; 38 const struct ip6_mh *mh;
@@ -47,14 +47,14 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
47 /* We've been asked to examine this packet, and we 47 /* We've been asked to examine this packet, and we
48 can't. Hence, no choice but to drop. */ 48 can't. Hence, no choice but to drop. */
49 pr_debug("Dropping evil MH tinygram.\n"); 49 pr_debug("Dropping evil MH tinygram.\n");
50 *par->hotdrop = true; 50 par->hotdrop = true;
51 return false; 51 return false;
52 } 52 }
53 53
54 if (mh->ip6mh_proto != IPPROTO_NONE) { 54 if (mh->ip6mh_proto != IPPROTO_NONE) {
55 pr_debug("Dropping invalid MH Payload Proto: %u\n", 55 pr_debug("Dropping invalid MH Payload Proto: %u\n",
56 mh->ip6mh_proto); 56 mh->ip6mh_proto);
57 *par->hotdrop = true; 57 par->hotdrop = true;
58 return false; 58 return false;
59 } 59 }
60 60
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 09322720d2a6..d8488c50a8e0 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -36,7 +36,7 @@ segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
36 return r; 36 return r;
37} 37}
38 38
39static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 39static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
40{ 40{
41 struct ipv6_rt_hdr _route; 41 struct ipv6_rt_hdr _route;
42 const struct ipv6_rt_hdr *rh; 42 const struct ipv6_rt_hdr *rh;
@@ -52,13 +52,13 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
52 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL); 52 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
53 if (err < 0) { 53 if (err < 0) {
54 if (err != -ENOENT) 54 if (err != -ENOENT)
55 *par->hotdrop = true; 55 par->hotdrop = true;
56 return false; 56 return false;
57 } 57 }
58 58
59 rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); 59 rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
60 if (rh == NULL) { 60 if (rh == NULL) {
61 *par->hotdrop = true; 61 par->hotdrop = true;
62 return false; 62 return false;
63 } 63 }
64 64
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index d6fc9aff3163..c9e37c8fd62c 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -81,7 +81,7 @@ static int __init ip6table_filter_init(void)
81 int ret; 81 int ret;
82 82
83 if (forward < 0 || forward > NF_MAX_VERDICT) { 83 if (forward < 0 || forward > NF_MAX_VERDICT) {
84 printk("iptables forward must be 0 or 1\n"); 84 pr_err("iptables forward must be 0 or 1\n");
85 return -EINVAL; 85 return -EINVAL;
86 } 86 }
87 87
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 6a102b57f356..679a0a3b7b3c 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -43,7 +43,7 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
43 if (skb->len < sizeof(struct iphdr) || 43 if (skb->len < sizeof(struct iphdr) ||
44 ip_hdrlen(skb) < sizeof(struct iphdr)) { 44 ip_hdrlen(skb) < sizeof(struct iphdr)) {
45 if (net_ratelimit()) 45 if (net_ratelimit())
46 printk("ip6t_hook: happy cracking.\n"); 46 pr_warning("ip6t_hook: happy cracking.\n");
47 return NF_ACCEPT; 47 return NF_ACCEPT;
48 } 48 }
49#endif 49#endif
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 996c3f41fecd..ff43461704be 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -280,7 +280,7 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum,
280 /* root is playing with raw sockets. */ 280 /* root is playing with raw sockets. */
281 if (skb->len < sizeof(struct ipv6hdr)) { 281 if (skb->len < sizeof(struct ipv6hdr)) {
282 if (net_ratelimit()) 282 if (net_ratelimit())
283 printk("ipv6_conntrack_local: packet too short\n"); 283 pr_notice("ipv6_conntrack_local: packet too short\n");
284 return NF_ACCEPT; 284 return NF_ACCEPT;
285 } 285 }
286 return __ipv6_conntrack_in(dev_net(out), hooknum, skb, okfn); 286 return __ipv6_conntrack_in(dev_net(out), hooknum, skb, okfn);
@@ -406,37 +406,37 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
406 406
407 ret = nf_ct_frag6_init(); 407 ret = nf_ct_frag6_init();
408 if (ret < 0) { 408 if (ret < 0) {
409 printk("nf_conntrack_ipv6: can't initialize frag6.\n"); 409 pr_err("nf_conntrack_ipv6: can't initialize frag6.\n");
410 return ret; 410 return ret;
411 } 411 }
412 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp6); 412 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp6);
413 if (ret < 0) { 413 if (ret < 0) {
414 printk("nf_conntrack_ipv6: can't register tcp.\n"); 414 pr_err("nf_conntrack_ipv6: can't register tcp.\n");
415 goto cleanup_frag6; 415 goto cleanup_frag6;
416 } 416 }
417 417
418 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp6); 418 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp6);
419 if (ret < 0) { 419 if (ret < 0) {
420 printk("nf_conntrack_ipv6: can't register udp.\n"); 420 pr_err("nf_conntrack_ipv6: can't register udp.\n");
421 goto cleanup_tcp; 421 goto cleanup_tcp;
422 } 422 }
423 423
424 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmpv6); 424 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmpv6);
425 if (ret < 0) { 425 if (ret < 0) {
426 printk("nf_conntrack_ipv6: can't register icmpv6.\n"); 426 pr_err("nf_conntrack_ipv6: can't register icmpv6.\n");
427 goto cleanup_udp; 427 goto cleanup_udp;
428 } 428 }
429 429
430 ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv6); 430 ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv6);
431 if (ret < 0) { 431 if (ret < 0) {
432 printk("nf_conntrack_ipv6: can't register ipv6\n"); 432 pr_err("nf_conntrack_ipv6: can't register ipv6\n");
433 goto cleanup_icmpv6; 433 goto cleanup_icmpv6;
434 } 434 }
435 435
436 ret = nf_register_hooks(ipv6_conntrack_ops, 436 ret = nf_register_hooks(ipv6_conntrack_ops,
437 ARRAY_SIZE(ipv6_conntrack_ops)); 437 ARRAY_SIZE(ipv6_conntrack_ops));
438 if (ret < 0) { 438 if (ret < 0) {
439 printk("nf_conntrack_ipv6: can't register pre-routing defrag " 439 pr_err("nf_conntrack_ipv6: can't register pre-routing defrag "
440 "hook.\n"); 440 "hook.\n");
441 goto cleanup_ipv6; 441 goto cleanup_ipv6;
442 } 442 }
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index 372e80f07a81..13fd2c55e329 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -108,7 +108,7 @@ static int amanda_help(struct sk_buff *skb,
108 dataoff = protoff + sizeof(struct udphdr); 108 dataoff = protoff + sizeof(struct udphdr);
109 if (dataoff >= skb->len) { 109 if (dataoff >= skb->len) {
110 if (net_ratelimit()) 110 if (net_ratelimit())
111 printk("amanda_help: skblen = %u\n", skb->len); 111 printk(KERN_ERR "amanda_help: skblen = %u\n", skb->len);
112 return NF_ACCEPT; 112 return NF_ACCEPT;
113 } 113 }
114 114
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 3907efb97a7c..b83c530c5e0a 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1335,7 +1335,7 @@ static int nf_conntrack_init_init_net(void)
1335 } 1335 }
1336 nf_conntrack_max = max_factor * nf_conntrack_htable_size; 1336 nf_conntrack_max = max_factor * nf_conntrack_htable_size;
1337 1337
1338 printk("nf_conntrack version %s (%u buckets, %d max)\n", 1338 printk(KERN_INFO "nf_conntrack version %s (%u buckets, %d max)\n",
1339 NF_CONNTRACK_VERSION, nf_conntrack_htable_size, 1339 NF_CONNTRACK_VERSION, nf_conntrack_htable_size,
1340 nf_conntrack_max); 1340 nf_conntrack_max);
1341 1341
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 2ae3169e7633..e17cb7c7dd8f 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -573,8 +573,8 @@ static int __init nf_conntrack_ftp_init(void)
573 ftp[i][j].tuple.src.l3num, ports[i]); 573 ftp[i][j].tuple.src.l3num, ports[i]);
574 ret = nf_conntrack_helper_register(&ftp[i][j]); 574 ret = nf_conntrack_helper_register(&ftp[i][j]);
575 if (ret) { 575 if (ret) {
576 printk("nf_ct_ftp: failed to register helper " 576 printk(KERN_ERR "nf_ct_ftp: failed to register"
577 " for pf: %d port: %d\n", 577 " helper for pf: %d port: %d\n",
578 ftp[i][j].tuple.src.l3num, ports[i]); 578 ftp[i][j].tuple.src.l3num, ports[i]);
579 nf_conntrack_ftp_fini(); 579 nf_conntrack_ftp_fini();
580 return ret; 580 return ret;
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 48bf15073a85..6eaee7c8a337 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -607,7 +607,7 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff,
607 drop: 607 drop:
608 spin_unlock_bh(&nf_h323_lock); 608 spin_unlock_bh(&nf_h323_lock);
609 if (net_ratelimit()) 609 if (net_ratelimit())
610 printk("nf_ct_h245: packet dropped\n"); 610 pr_info("nf_ct_h245: packet dropped\n");
611 return NF_DROP; 611 return NF_DROP;
612} 612}
613 613
@@ -1152,7 +1152,7 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff,
1152 drop: 1152 drop:
1153 spin_unlock_bh(&nf_h323_lock); 1153 spin_unlock_bh(&nf_h323_lock);
1154 if (net_ratelimit()) 1154 if (net_ratelimit())
1155 printk("nf_ct_q931: packet dropped\n"); 1155 pr_info("nf_ct_q931: packet dropped\n");
1156 return NF_DROP; 1156 return NF_DROP;
1157} 1157}
1158 1158
@@ -1727,7 +1727,7 @@ static int ras_help(struct sk_buff *skb, unsigned int protoff,
1727 drop: 1727 drop:
1728 spin_unlock_bh(&nf_h323_lock); 1728 spin_unlock_bh(&nf_h323_lock);
1729 if (net_ratelimit()) 1729 if (net_ratelimit())
1730 printk("nf_ct_ras: packet dropped\n"); 1730 pr_info("nf_ct_ras: packet dropped\n");
1731 return NF_DROP; 1731 return NF_DROP;
1732} 1732}
1733 1733
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 7673930ca342..b394aa318776 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -235,7 +235,7 @@ static int __init nf_conntrack_irc_init(void)
235 char *tmpname; 235 char *tmpname;
236 236
237 if (max_dcc_channels < 1) { 237 if (max_dcc_channels < 1) {
238 printk("nf_ct_irc: max_dcc_channels must not be zero\n"); 238 printk(KERN_ERR "nf_ct_irc: max_dcc_channels must not be zero\n");
239 return -EINVAL; 239 return -EINVAL;
240 } 240 }
241 241
@@ -267,7 +267,7 @@ static int __init nf_conntrack_irc_init(void)
267 267
268 ret = nf_conntrack_helper_register(&irc[i]); 268 ret = nf_conntrack_helper_register(&irc[i]);
269 if (ret) { 269 if (ret) {
270 printk("nf_ct_irc: failed to register helper " 270 printk(KERN_ERR "nf_ct_irc: failed to register helper "
271 "for pf: %u port: %u\n", 271 "for pf: %u port: %u\n",
272 irc[i].tuple.src.l3num, ports[i]); 272 irc[i].tuple.src.l3num, ports[i]);
273 nf_conntrack_irc_fini(); 273 nf_conntrack_irc_fini();
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 4e55403bf263..c42ff6aa441d 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2057,29 +2057,29 @@ static int __init ctnetlink_init(void)
2057{ 2057{
2058 int ret; 2058 int ret;
2059 2059
2060 printk("ctnetlink v%s: registering with nfnetlink.\n", version); 2060 pr_info("ctnetlink v%s: registering with nfnetlink.\n", version);
2061 ret = nfnetlink_subsys_register(&ctnl_subsys); 2061 ret = nfnetlink_subsys_register(&ctnl_subsys);
2062 if (ret < 0) { 2062 if (ret < 0) {
2063 printk("ctnetlink_init: cannot register with nfnetlink.\n"); 2063 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
2064 goto err_out; 2064 goto err_out;
2065 } 2065 }
2066 2066
2067 ret = nfnetlink_subsys_register(&ctnl_exp_subsys); 2067 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
2068 if (ret < 0) { 2068 if (ret < 0) {
2069 printk("ctnetlink_init: cannot register exp with nfnetlink.\n"); 2069 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
2070 goto err_unreg_subsys; 2070 goto err_unreg_subsys;
2071 } 2071 }
2072 2072
2073#ifdef CONFIG_NF_CONNTRACK_EVENTS 2073#ifdef CONFIG_NF_CONNTRACK_EVENTS
2074 ret = nf_conntrack_register_notifier(&ctnl_notifier); 2074 ret = nf_conntrack_register_notifier(&ctnl_notifier);
2075 if (ret < 0) { 2075 if (ret < 0) {
2076 printk("ctnetlink_init: cannot register notifier.\n"); 2076 pr_err("ctnetlink_init: cannot register notifier.\n");
2077 goto err_unreg_exp_subsys; 2077 goto err_unreg_exp_subsys;
2078 } 2078 }
2079 2079
2080 ret = nf_ct_expect_register_notifier(&ctnl_notifier_exp); 2080 ret = nf_ct_expect_register_notifier(&ctnl_notifier_exp);
2081 if (ret < 0) { 2081 if (ret < 0) {
2082 printk("ctnetlink_init: cannot expect register notifier.\n"); 2082 pr_err("ctnetlink_init: cannot expect register notifier.\n");
2083 goto err_unreg_notifier; 2083 goto err_unreg_notifier;
2084 } 2084 }
2085#endif 2085#endif
@@ -2100,7 +2100,7 @@ err_out:
2100 2100
2101static void __exit ctnetlink_exit(void) 2101static void __exit ctnetlink_exit(void)
2102{ 2102{
2103 printk("ctnetlink: unregistering from nfnetlink.\n"); 2103 pr_info("ctnetlink: unregistering from nfnetlink.\n");
2104 2104
2105#ifdef CONFIG_NF_CONNTRACK_EVENTS 2105#ifdef CONFIG_NF_CONNTRACK_EVENTS
2106 nf_ct_expect_unregister_notifier(&ctnl_notifier_exp); 2106 nf_ct_expect_unregister_notifier(&ctnl_notifier_exp);
@@ -2109,7 +2109,6 @@ static void __exit ctnetlink_exit(void)
2109 2109
2110 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 2110 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
2111 nfnetlink_subsys_unregister(&ctnl_subsys); 2111 nfnetlink_subsys_unregister(&ctnl_subsys);
2112 return;
2113} 2112}
2114 2113
2115module_init(ctnetlink_init); 2114module_init(ctnetlink_init);
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index b68ff15ed979..c6049c2d5ea8 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -717,12 +717,12 @@ static int __init nf_conntrack_proto_sctp_init(void)
717 717
718 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp4); 718 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp4);
719 if (ret) { 719 if (ret) {
720 printk("nf_conntrack_l4proto_sctp4: protocol register failed\n"); 720 pr_err("nf_conntrack_l4proto_sctp4: protocol register failed\n");
721 goto out; 721 goto out;
722 } 722 }
723 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6); 723 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6);
724 if (ret) { 724 if (ret) {
725 printk("nf_conntrack_l4proto_sctp6: protocol register failed\n"); 725 pr_err("nf_conntrack_l4proto_sctp6: protocol register failed\n");
726 goto cleanup_sctp4; 726 goto cleanup_sctp4;
727 } 727 }
728 728
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index c6cd1b84eddd..b20f4275893c 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1549,8 +1549,8 @@ static int __init nf_conntrack_sip_init(void)
1549 1549
1550 ret = nf_conntrack_helper_register(&sip[i][j]); 1550 ret = nf_conntrack_helper_register(&sip[i][j]);
1551 if (ret) { 1551 if (ret) {
1552 printk("nf_ct_sip: failed to register helper " 1552 printk(KERN_ERR "nf_ct_sip: failed to register"
1553 "for pf: %u port: %u\n", 1553 " helper for pf: %u port: %u\n",
1554 sip[i][j].tuple.src.l3num, ports[i]); 1554 sip[i][j].tuple.src.l3num, ports[i]);
1555 nf_conntrack_sip_fini(); 1555 nf_conntrack_sip_fini();
1556 return ret; 1556 return ret;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index ea4a8d384234..eb973fcd67ab 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -446,7 +446,7 @@ out_kmemdup:
446 if (net_eq(net, &init_net)) 446 if (net_eq(net, &init_net))
447 unregister_sysctl_table(nf_ct_netfilter_header); 447 unregister_sysctl_table(nf_ct_netfilter_header);
448out: 448out:
449 printk("nf_conntrack: can't register to sysctl.\n"); 449 printk(KERN_ERR "nf_conntrack: can't register to sysctl.\n");
450 return -ENOMEM; 450 return -ENOMEM;
451} 451}
452 452
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index 46e646b2e9b9..75466fd72f4f 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -138,8 +138,8 @@ static int __init nf_conntrack_tftp_init(void)
138 138
139 ret = nf_conntrack_helper_register(&tftp[i][j]); 139 ret = nf_conntrack_helper_register(&tftp[i][j]);
140 if (ret) { 140 if (ret) {
141 printk("nf_ct_tftp: failed to register helper " 141 printk(KERN_ERR "nf_ct_tftp: failed to register"
142 "for pf: %u port: %u\n", 142 " helper for pf: %u port: %u\n",
143 tftp[i][j].tuple.src.l3num, ports[i]); 143 tftp[i][j].tuple.src.l3num, ports[i]);
144 nf_conntrack_tftp_fini(); 144 nf_conntrack_tftp_fini();
145 return ret; 145 return ret;
diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h
index bf6609978af7..770f76432ad0 100644
--- a/net/netfilter/nf_internals.h
+++ b/net/netfilter/nf_internals.h
@@ -6,7 +6,7 @@
6#include <linux/netdevice.h> 6#include <linux/netdevice.h>
7 7
8#ifdef CONFIG_NETFILTER_DEBUG 8#ifdef CONFIG_NETFILTER_DEBUG
9#define NFDEBUG(format, args...) printk(format , ## args) 9#define NFDEBUG(format, args...) printk(KERN_DEBUG format , ## args)
10#else 10#else
11#define NFDEBUG(format, args...) 11#define NFDEBUG(format, args...)
12#endif 12#endif
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index c49ef219899e..0b1103c0b1f3 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -279,7 +279,6 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
279 } 279 }
280 rcu_read_unlock(); 280 rcu_read_unlock();
281 kfree(entry); 281 kfree(entry);
282 return;
283} 282}
284EXPORT_SYMBOL(nf_reinject); 283EXPORT_SYMBOL(nf_reinject);
285 284
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 39b0e3100575..b4a4532823e8 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -212,13 +212,13 @@ static struct pernet_operations nfnetlink_net_ops = {
212 212
213static int __init nfnetlink_init(void) 213static int __init nfnetlink_init(void)
214{ 214{
215 printk("Netfilter messages via NETLINK v%s.\n", nfversion); 215 pr_info("Netfilter messages via NETLINK v%s.\n", nfversion);
216 return register_pernet_subsys(&nfnetlink_net_ops); 216 return register_pernet_subsys(&nfnetlink_net_ops);
217} 217}
218 218
219static void __exit nfnetlink_exit(void) 219static void __exit nfnetlink_exit(void)
220{ 220{
221 printk("Removing netfilter NETLINK layer.\n"); 221 pr_info("Removing netfilter NETLINK layer.\n");
222 unregister_pernet_subsys(&nfnetlink_net_ops); 222 unregister_pernet_subsys(&nfnetlink_net_ops);
223} 223}
224module_init(nfnetlink_init); 224module_init(nfnetlink_init);
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 203643fb2c52..fc9a211e629e 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -297,7 +297,7 @@ nfulnl_alloc_skb(unsigned int inst_size, unsigned int pkt_size)
297 n = max(inst_size, pkt_size); 297 n = max(inst_size, pkt_size);
298 skb = alloc_skb(n, GFP_ATOMIC); 298 skb = alloc_skb(n, GFP_ATOMIC);
299 if (!skb) { 299 if (!skb) {
300 PRINTR("nfnetlink_log: can't alloc whole buffer (%u bytes)\n", 300 pr_notice("nfnetlink_log: can't alloc whole buffer (%u bytes)\n",
301 inst_size); 301 inst_size);
302 302
303 if (n > pkt_size) { 303 if (n > pkt_size) {
@@ -306,7 +306,7 @@ nfulnl_alloc_skb(unsigned int inst_size, unsigned int pkt_size)
306 306
307 skb = alloc_skb(pkt_size, GFP_ATOMIC); 307 skb = alloc_skb(pkt_size, GFP_ATOMIC);
308 if (!skb) 308 if (!skb)
309 PRINTR("nfnetlink_log: can't even alloc %u " 309 pr_err("nfnetlink_log: can't even alloc %u "
310 "bytes\n", pkt_size); 310 "bytes\n", pkt_size);
311 } 311 }
312 } 312 }
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 011bc80dd2a1..c2c0e4abeb99 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -27,7 +27,7 @@ MODULE_ALIAS("ipt_CLASSIFY");
27MODULE_ALIAS("ip6t_CLASSIFY"); 27MODULE_ALIAS("ip6t_CLASSIFY");
28 28
29static unsigned int 29static unsigned int
30classify_tg(struct sk_buff *skb, const struct xt_target_param *par) 30classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
31{ 31{
32 const struct xt_classify_target_info *clinfo = par->targinfo; 32 const struct xt_classify_target_info *clinfo = par->targinfo;
33 33
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index e953e302141d..e04dc282e3bb 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -64,7 +64,7 @@ static void secmark_restore(struct sk_buff *skb)
64} 64}
65 65
66static unsigned int 66static unsigned int
67connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par) 67connsecmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
68{ 68{
69 const struct xt_connsecmark_target_info *info = par->targinfo; 69 const struct xt_connsecmark_target_info *info = par->targinfo;
70 70
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index c8f547829bad..562bf3266e04 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -20,7 +20,7 @@
20#include <net/netfilter/nf_conntrack_zones.h> 20#include <net/netfilter/nf_conntrack_zones.h>
21 21
22static unsigned int xt_ct_target(struct sk_buff *skb, 22static unsigned int xt_ct_target(struct sk_buff *skb,
23 const struct xt_target_param *par) 23 const struct xt_action_param *par)
24{ 24{
25 const struct xt_ct_target_info *info = par->targinfo; 25 const struct xt_ct_target_info *info = par->targinfo;
26 struct nf_conn *ct = info->ct; 26 struct nf_conn *ct = info->ct;
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 969634f293e5..0a229191e55b 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -28,7 +28,7 @@ MODULE_ALIAS("ipt_TOS");
28MODULE_ALIAS("ip6t_TOS"); 28MODULE_ALIAS("ip6t_TOS");
29 29
30static unsigned int 30static unsigned int
31dscp_tg(struct sk_buff *skb, const struct xt_target_param *par) 31dscp_tg(struct sk_buff *skb, const struct xt_action_param *par)
32{ 32{
33 const struct xt_DSCP_info *dinfo = par->targinfo; 33 const struct xt_DSCP_info *dinfo = par->targinfo;
34 u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; 34 u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -45,7 +45,7 @@ dscp_tg(struct sk_buff *skb, const struct xt_target_param *par)
45} 45}
46 46
47static unsigned int 47static unsigned int
48dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par) 48dscp_tg6(struct sk_buff *skb, const struct xt_action_param *par)
49{ 49{
50 const struct xt_DSCP_info *dinfo = par->targinfo; 50 const struct xt_DSCP_info *dinfo = par->targinfo;
51 u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; 51 u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -72,7 +72,7 @@ static int dscp_tg_check(const struct xt_tgchk_param *par)
72} 72}
73 73
74static unsigned int 74static unsigned int
75tos_tg(struct sk_buff *skb, const struct xt_target_param *par) 75tos_tg(struct sk_buff *skb, const struct xt_action_param *par)
76{ 76{
77 const struct xt_tos_target_info *info = par->targinfo; 77 const struct xt_tos_target_info *info = par->targinfo;
78 struct iphdr *iph = ip_hdr(skb); 78 struct iphdr *iph = ip_hdr(skb);
@@ -92,7 +92,7 @@ tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
92} 92}
93 93
94static unsigned int 94static unsigned int
95tos_tg6(struct sk_buff *skb, const struct xt_target_param *par) 95tos_tg6(struct sk_buff *skb, const struct xt_action_param *par)
96{ 96{
97 const struct xt_tos_target_info *info = par->targinfo; 97 const struct xt_tos_target_info *info = par->targinfo;
98 struct ipv6hdr *iph = ipv6_hdr(skb); 98 struct ipv6hdr *iph = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 77b99f732711..95b084800fcc 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("Xtables: Hoplimit/TTL Limit field modification target");
26MODULE_LICENSE("GPL"); 26MODULE_LICENSE("GPL");
27 27
28static unsigned int 28static unsigned int
29ttl_tg(struct sk_buff *skb, const struct xt_target_param *par) 29ttl_tg(struct sk_buff *skb, const struct xt_action_param *par)
30{ 30{
31 struct iphdr *iph; 31 struct iphdr *iph;
32 const struct ipt_TTL_info *info = par->targinfo; 32 const struct ipt_TTL_info *info = par->targinfo;
@@ -66,7 +66,7 @@ ttl_tg(struct sk_buff *skb, const struct xt_target_param *par)
66} 66}
67 67
68static unsigned int 68static unsigned int
69hl_tg6(struct sk_buff *skb, const struct xt_target_param *par) 69hl_tg6(struct sk_buff *skb, const struct xt_action_param *par)
70{ 70{
71 struct ipv6hdr *ip6h; 71 struct ipv6hdr *ip6h;
72 const struct ip6t_HL_info *info = par->targinfo; 72 const struct ip6t_HL_info *info = par->targinfo;
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index ab6f8ff9c9a7..a4140509eea1 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -49,7 +49,7 @@ struct xt_led_info_internal {
49}; 49};
50 50
51static unsigned int 51static unsigned int
52led_tg(struct sk_buff *skb, const struct xt_target_param *par) 52led_tg(struct sk_buff *skb, const struct xt_action_param *par)
53{ 53{
54 const struct xt_led_info *ledinfo = par->targinfo; 54 const struct xt_led_info *ledinfo = par->targinfo;
55 struct xt_led_info_internal *ledinternal = ledinfo->internal_data; 55 struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index 42dd8747b421..a17dd0f589b2 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ipt_NFLOG");
22MODULE_ALIAS("ip6t_NFLOG"); 22MODULE_ALIAS("ip6t_NFLOG");
23 23
24static unsigned int 24static unsigned int
25nflog_tg(struct sk_buff *skb, const struct xt_target_param *par) 25nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
26{ 26{
27 const struct xt_nflog_info *info = par->targinfo; 27 const struct xt_nflog_info *info = par->targinfo;
28 struct nf_loginfo li; 28 struct nf_loginfo li;
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index f9217cb56fe3..039cce1bde3d 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -31,7 +31,7 @@ static u32 jhash_initval __read_mostly;
31static bool rnd_inited __read_mostly; 31static bool rnd_inited __read_mostly;
32 32
33static unsigned int 33static unsigned int
34nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par) 34nfqueue_tg(struct sk_buff *skb, const struct xt_action_param *par)
35{ 35{
36 const struct xt_NFQ_info *tinfo = par->targinfo; 36 const struct xt_NFQ_info *tinfo = par->targinfo;
37 37
@@ -65,7 +65,7 @@ static u32 hash_v6(const struct sk_buff *skb)
65#endif 65#endif
66 66
67static unsigned int 67static unsigned int
68nfqueue_tg_v1(struct sk_buff *skb, const struct xt_target_param *par) 68nfqueue_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
69{ 69{
70 const struct xt_NFQ_info_v1 *info = par->targinfo; 70 const struct xt_NFQ_info_v1 *info = par->targinfo;
71 u32 queue = info->queuenum; 71 u32 queue = info->queuenum;
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index e7a0a54fd4ea..512b9123252f 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -13,7 +13,7 @@ MODULE_ALIAS("ipt_NOTRACK");
13MODULE_ALIAS("ip6t_NOTRACK"); 13MODULE_ALIAS("ip6t_NOTRACK");
14 14
15static unsigned int 15static unsigned int
16notrack_tg(struct sk_buff *skb, const struct xt_target_param *par) 16notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
17{ 17{
18 /* Previously seen (loopback)? Ignore. */ 18 /* Previously seen (loopback)? Ignore. */
19 if (skb->nfct != NULL) 19 if (skb->nfct != NULL)
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index a02193f06e39..69c01e10f8af 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -73,7 +73,7 @@ void xt_rateest_put(struct xt_rateest *est)
73EXPORT_SYMBOL_GPL(xt_rateest_put); 73EXPORT_SYMBOL_GPL(xt_rateest_put);
74 74
75static unsigned int 75static unsigned int
76xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par) 76xt_rateest_tg(struct sk_buff *skb, const struct xt_action_param *par)
77{ 77{
78 const struct xt_rateest_target_info *info = par->targinfo; 78 const struct xt_rateest_target_info *info = par->targinfo;
79 struct gnet_stats_basic_packed *stats = &info->est->bstats; 79 struct gnet_stats_basic_packed *stats = &info->est->bstats;
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index a91d4a7d5a2c..23b2d6c486b5 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -30,7 +30,7 @@ MODULE_ALIAS("ip6t_SECMARK");
30static u8 mode; 30static u8 mode;
31 31
32static unsigned int 32static unsigned int
33secmark_tg(struct sk_buff *skb, const struct xt_target_param *par) 33secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
34{ 34{
35 u32 secmark = 0; 35 u32 secmark = 0;
36 const struct xt_secmark_target_info *info = par->targinfo; 36 const struct xt_secmark_target_info *info = par->targinfo;
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index d04606459c9d..62ec021fbd50 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -172,7 +172,7 @@ static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
172} 172}
173 173
174static unsigned int 174static unsigned int
175tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par) 175tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
176{ 176{
177 struct iphdr *iph = ip_hdr(skb); 177 struct iphdr *iph = ip_hdr(skb);
178 __be16 newlen; 178 __be16 newlen;
@@ -195,7 +195,7 @@ tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par)
195 195
196#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) 196#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
197static unsigned int 197static unsigned int
198tcpmss_tg6(struct sk_buff *skb, const struct xt_target_param *par) 198tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
199{ 199{
200 struct ipv6hdr *ipv6h = ipv6_hdr(skb); 200 struct ipv6hdr *ipv6h = ipv6_hdr(skb);
201 u8 nexthdr; 201 u8 nexthdr;
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index e8b57609ddc0..9dc9ecfdd546 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -74,7 +74,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
74} 74}
75 75
76static unsigned int 76static unsigned int
77tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par) 77tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
78{ 78{
79 return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb), 79 return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
80 sizeof(struct iphdr) + sizeof(struct tcphdr)); 80 sizeof(struct iphdr) + sizeof(struct tcphdr));
@@ -82,7 +82,7 @@ tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par)
82 82
83#if defined(CONFIG_IP6_NF_MANGLE) || defined(CONFIG_IP6_NF_MANGLE_MODULE) 83#if defined(CONFIG_IP6_NF_MANGLE) || defined(CONFIG_IP6_NF_MANGLE_MODULE)
84static unsigned int 84static unsigned int
85tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_target_param *par) 85tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
86{ 86{
87 struct ipv6hdr *ipv6h = ipv6_hdr(skb); 87 struct ipv6hdr *ipv6h = ipv6_hdr(skb);
88 int tcphoff; 88 int tcphoff;
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index 49da6c05f4e0..d7920d9f49e9 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -84,7 +84,7 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
84} 84}
85 85
86static unsigned int 86static unsigned int
87tee_tg4(struct sk_buff *skb, const struct xt_target_param *par) 87tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
88{ 88{
89 const struct xt_tee_tginfo *info = par->targinfo; 89 const struct xt_tee_tginfo *info = par->targinfo;
90 struct iphdr *iph; 90 struct iphdr *iph;
@@ -165,7 +165,7 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
165} 165}
166 166
167static unsigned int 167static unsigned int
168tee_tg6(struct sk_buff *skb, const struct xt_target_param *par) 168tee_tg6(struct sk_buff *skb, const struct xt_action_param *par)
169{ 169{
170 const struct xt_tee_tginfo *info = par->targinfo; 170 const struct xt_tee_tginfo *info = par->targinfo;
171 171
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 4f246ddc5c48..e1a0dedac258 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -25,7 +25,7 @@
25#include <net/netfilter/nf_tproxy_core.h> 25#include <net/netfilter/nf_tproxy_core.h>
26 26
27static unsigned int 27static unsigned int
28tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par) 28tproxy_tg(struct sk_buff *skb, const struct xt_action_param *par)
29{ 29{
30 const struct iphdr *iph = ip_hdr(skb); 30 const struct iphdr *iph = ip_hdr(skb);
31 const struct xt_tproxy_target_info *tgi = par->targinfo; 31 const struct xt_tproxy_target_info *tgi = par->targinfo;
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index fbb04b86c46b..df48967af382 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -11,7 +11,7 @@ MODULE_ALIAS("ipt_TRACE");
11MODULE_ALIAS("ip6t_TRACE"); 11MODULE_ALIAS("ip6t_TRACE");
12 12
13static unsigned int 13static unsigned int
14trace_tg(struct sk_buff *skb, const struct xt_target_param *par) 14trace_tg(struct sk_buff *skb, const struct xt_action_param *par)
15{ 15{
16 skb->nf_trace = 1; 16 skb->nf_trace = 1;
17 return XT_CONTINUE; 17 return XT_CONTINUE;
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 6c941e1c6b9e..30b95a1c1c89 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -86,7 +86,7 @@ xt_cluster_is_multicast_addr(const struct sk_buff *skb, u_int8_t family)
86} 86}
87 87
88static bool 88static bool
89xt_cluster_mt(const struct sk_buff *skb, const struct xt_match_param *par) 89xt_cluster_mt(const struct sk_buff *skb, struct xt_action_param *par)
90{ 90{
91 struct sk_buff *pskb = (struct sk_buff *)skb; 91 struct sk_buff *pskb = (struct sk_buff *)skb;
92 const struct xt_cluster_match_info *info = par->matchinfo; 92 const struct xt_cluster_match_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index e82179832acd..5c861d2f21ca 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -16,7 +16,7 @@ MODULE_ALIAS("ipt_comment");
16MODULE_ALIAS("ip6t_comment"); 16MODULE_ALIAS("ip6t_comment");
17 17
18static bool 18static bool
19comment_mt(const struct sk_buff *skb, const struct xt_match_param *par) 19comment_mt(const struct sk_buff *skb, struct xt_action_param *par)
20{ 20{
21 /* We always match */ 21 /* We always match */
22 return true; 22 return true;
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index ff738a5f963a..73517835303d 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -18,7 +18,7 @@ MODULE_ALIAS("ipt_connbytes");
18MODULE_ALIAS("ip6t_connbytes"); 18MODULE_ALIAS("ip6t_connbytes");
19 19
20static bool 20static bool
21connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par) 21connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
22{ 22{
23 const struct xt_connbytes_info *sinfo = par->matchinfo; 23 const struct xt_connbytes_info *sinfo = par->matchinfo;
24 const struct nf_conn *ct; 24 const struct nf_conn *ct;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 326bc1b81681..5c5b6b921b84 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -173,7 +173,7 @@ static int count_them(struct net *net,
173} 173}
174 174
175static bool 175static bool
176connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) 176connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
177{ 177{
178 struct net *net = dev_net(par->in ? par->in : par->out); 178 struct net *net = dev_net(par->in ? par->in : par->out);
179 const struct xt_connlimit_info *info = par->matchinfo; 179 const struct xt_connlimit_info *info = par->matchinfo;
@@ -206,14 +206,14 @@ connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
206 206
207 if (connections < 0) { 207 if (connections < 0) {
208 /* kmalloc failed, drop it entirely */ 208 /* kmalloc failed, drop it entirely */
209 *par->hotdrop = true; 209 par->hotdrop = true;
210 return false; 210 return false;
211 } 211 }
212 212
213 return (connections > info->limit) ^ info->inverse; 213 return (connections > info->limit) ^ info->inverse;
214 214
215 hotdrop: 215 hotdrop:
216 *par->hotdrop = true; 216 par->hotdrop = true;
217 return false; 217 return false;
218} 218}
219 219
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index ae1015484ae2..7278145e6a68 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -37,7 +37,7 @@ MODULE_ALIAS("ipt_connmark");
37MODULE_ALIAS("ip6t_connmark"); 37MODULE_ALIAS("ip6t_connmark");
38 38
39static unsigned int 39static unsigned int
40connmark_tg(struct sk_buff *skb, const struct xt_target_param *par) 40connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
41{ 41{
42 const struct xt_connmark_tginfo1 *info = par->targinfo; 42 const struct xt_connmark_tginfo1 *info = par->targinfo;
43 enum ip_conntrack_info ctinfo; 43 enum ip_conntrack_info ctinfo;
@@ -91,7 +91,7 @@ static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
91} 91}
92 92
93static bool 93static bool
94connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par) 94connmark_mt(const struct sk_buff *skb, struct xt_action_param *par)
95{ 95{
96 const struct xt_connmark_mtinfo1 *info = par->matchinfo; 96 const struct xt_connmark_mtinfo1 *info = par->matchinfo;
97 enum ip_conntrack_info ctinfo; 97 enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 3348706ce56d..39681f10291c 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -113,7 +113,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
113} 113}
114 114
115static bool 115static bool
116conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par, 116conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par,
117 u16 state_mask, u16 status_mask) 117 u16 state_mask, u16 status_mask)
118{ 118{
119 const struct xt_conntrack_mtinfo2 *info = par->matchinfo; 119 const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
@@ -191,7 +191,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
191} 191}
192 192
193static bool 193static bool
194conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par) 194conntrack_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
195{ 195{
196 const struct xt_conntrack_mtinfo1 *info = par->matchinfo; 196 const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
197 197
@@ -199,7 +199,7 @@ conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
199} 199}
200 200
201static bool 201static bool
202conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par) 202conntrack_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
203{ 203{
204 const struct xt_conntrack_mtinfo2 *info = par->matchinfo; 204 const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
205 205
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 0d260aec487f..b63d2a3d80ba 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -96,7 +96,7 @@ match_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff,
96} 96}
97 97
98static bool 98static bool
99dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 99dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
100{ 100{
101 const struct xt_dccp_info *info = par->matchinfo; 101 const struct xt_dccp_info *info = par->matchinfo;
102 const struct dccp_hdr *dh; 102 const struct dccp_hdr *dh;
@@ -107,7 +107,7 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
107 107
108 dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh); 108 dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
109 if (dh == NULL) { 109 if (dh == NULL) {
110 *par->hotdrop = true; 110 par->hotdrop = true;
111 return false; 111 return false;
112 } 112 }
113 113
@@ -120,7 +120,7 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
120 && DCCHECK(match_types(dh, info->typemask), 120 && DCCHECK(match_types(dh, info->typemask),
121 XT_DCCP_TYPE, info->flags, info->invflags) 121 XT_DCCP_TYPE, info->flags, info->invflags)
122 && DCCHECK(match_option(info->option, skb, par->thoff, dh, 122 && DCCHECK(match_option(info->option, skb, par->thoff, dh,
123 par->hotdrop), 123 &par->hotdrop),
124 XT_DCCP_OPTION, info->flags, info->invflags); 124 XT_DCCP_OPTION, info->flags, info->invflags);
125} 125}
126 126
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 9db51fddbdb8..64670fc5d0e1 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tos");
25MODULE_ALIAS("ip6t_tos"); 25MODULE_ALIAS("ip6t_tos");
26 26
27static bool 27static bool
28dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28dscp_mt(const struct sk_buff *skb, struct xt_action_param *par)
29{ 29{
30 const struct xt_dscp_info *info = par->matchinfo; 30 const struct xt_dscp_info *info = par->matchinfo;
31 u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; 31 u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -34,7 +34,7 @@ dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
34} 34}
35 35
36static bool 36static bool
37dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 37dscp_mt6(const struct sk_buff *skb, struct xt_action_param *par)
38{ 38{
39 const struct xt_dscp_info *info = par->matchinfo; 39 const struct xt_dscp_info *info = par->matchinfo;
40 u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; 40 u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -54,7 +54,7 @@ static int dscp_mt_check(const struct xt_mtchk_param *par)
54 return 0; 54 return 0;
55} 55}
56 56
57static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par) 57static bool tos_mt(const struct sk_buff *skb, struct xt_action_param *par)
58{ 58{
59 const struct xt_tos_match_info *info = par->matchinfo; 59 const struct xt_tos_match_info *info = par->matchinfo;
60 60
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 143bfdc8e38f..171ba82b5902 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -36,7 +36,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
36 return r; 36 return r;
37} 37}
38 38
39static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 39static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
40{ 40{
41 const struct ip_esp_hdr *eh; 41 const struct ip_esp_hdr *eh;
42 struct ip_esp_hdr _esp; 42 struct ip_esp_hdr _esp;
@@ -52,7 +52,7 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
52 * can't. Hence, no choice but to drop. 52 * can't. Hence, no choice but to drop.
53 */ 53 */
54 pr_debug("Dropping evil ESP tinygram.\n"); 54 pr_debug("Dropping evil ESP tinygram.\n");
55 *par->hotdrop = true; 55 par->hotdrop = true;
56 return false; 56 return false;
57 } 57 }
58 58
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 0c366d387c8c..b46a8390896d 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -516,7 +516,7 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
516} 516}
517 517
518static bool 518static bool
519hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) 519hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
520{ 520{
521 const struct xt_hashlimit_mtinfo1 *info = par->matchinfo; 521 const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
522 struct xt_hashlimit_htable *hinfo = info->hinfo; 522 struct xt_hashlimit_htable *hinfo = info->hinfo;
@@ -562,7 +562,7 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
562 return info->cfg.mode & XT_HASHLIMIT_INVERT; 562 return info->cfg.mode & XT_HASHLIMIT_INVERT;
563 563
564 hotdrop: 564 hotdrop:
565 *par->hotdrop = true; 565 par->hotdrop = true;
566 return false; 566 return false;
567} 567}
568 568
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index b8b3e13dc71e..9f4ab00c8050 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -24,7 +24,7 @@ MODULE_ALIAS("ip6t_helper");
24 24
25 25
26static bool 26static bool
27helper_mt(const struct sk_buff *skb, const struct xt_match_param *par) 27helper_mt(const struct sk_buff *skb, struct xt_action_param *par)
28{ 28{
29 const struct xt_helper_info *info = par->matchinfo; 29 const struct xt_helper_info *info = par->matchinfo;
30 const struct nf_conn *ct; 30 const struct nf_conn *ct;
diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c
index be53f7299623..7d12221ead89 100644
--- a/net/netfilter/xt_hl.c
+++ b/net/netfilter/xt_hl.c
@@ -25,7 +25,7 @@ MODULE_LICENSE("GPL");
25MODULE_ALIAS("ipt_ttl"); 25MODULE_ALIAS("ipt_ttl");
26MODULE_ALIAS("ip6t_hl"); 26MODULE_ALIAS("ip6t_hl");
27 27
28static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
29{ 29{
30 const struct ipt_ttl_info *info = par->matchinfo; 30 const struct ipt_ttl_info *info = par->matchinfo;
31 const u8 ttl = ip_hdr(skb)->ttl; 31 const u8 ttl = ip_hdr(skb)->ttl;
@@ -44,7 +44,7 @@ static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
44 return false; 44 return false;
45} 45}
46 46
47static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 47static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
48{ 48{
49 const struct ip6t_hl_info *info = par->matchinfo; 49 const struct ip6t_hl_info *info = par->matchinfo;
50 const struct ipv6hdr *ip6h = ipv6_hdr(skb); 50 const struct ipv6hdr *ip6h = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index 8471d9715bde..88f7c3511c72 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -17,7 +17,7 @@
17#include <linux/netfilter/xt_iprange.h> 17#include <linux/netfilter/xt_iprange.h>
18 18
19static bool 19static bool
20iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par) 20iprange_mt4(const struct sk_buff *skb, struct xt_action_param *par)
21{ 21{
22 const struct xt_iprange_mtinfo *info = par->matchinfo; 22 const struct xt_iprange_mtinfo *info = par->matchinfo;
23 const struct iphdr *iph = ip_hdr(skb); 23 const struct iphdr *iph = ip_hdr(skb);
@@ -68,7 +68,7 @@ iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
68} 68}
69 69
70static bool 70static bool
71iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 71iprange_mt6(const struct sk_buff *skb, struct xt_action_param *par)
72{ 72{
73 const struct xt_iprange_mtinfo *info = par->matchinfo; 73 const struct xt_iprange_mtinfo *info = par->matchinfo;
74 const struct ipv6hdr *iph = ipv6_hdr(skb); 74 const struct ipv6hdr *iph = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index c4871ca6c86d..176e5570a999 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_length");
21MODULE_ALIAS("ip6t_length"); 21MODULE_ALIAS("ip6t_length");
22 22
23static bool 23static bool
24length_mt(const struct sk_buff *skb, const struct xt_match_param *par) 24length_mt(const struct sk_buff *skb, struct xt_action_param *par)
25{ 25{
26 const struct xt_length_info *info = par->matchinfo; 26 const struct xt_length_info *info = par->matchinfo;
27 u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len); 27 u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
@@ -30,7 +30,7 @@ length_mt(const struct sk_buff *skb, const struct xt_match_param *par)
30} 30}
31 31
32static bool 32static bool
33length_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 33length_mt6(const struct sk_buff *skb, struct xt_action_param *par)
34{ 34{
35 const struct xt_length_info *info = par->matchinfo; 35 const struct xt_length_info *info = par->matchinfo;
36 const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) + 36 const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 88215dca19cb..32b7a579a032 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -65,7 +65,7 @@ static DEFINE_SPINLOCK(limit_lock);
65#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ) 65#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
66 66
67static bool 67static bool
68limit_mt(const struct sk_buff *skb, const struct xt_match_param *par) 68limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
69{ 69{
70 const struct xt_rateinfo *r = par->matchinfo; 70 const struct xt_rateinfo *r = par->matchinfo;
71 struct xt_limit_priv *priv = r->master; 71 struct xt_limit_priv *priv = r->master;
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index b971ce93773e..8160f6b1435d 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -25,7 +25,7 @@ MODULE_DESCRIPTION("Xtables: MAC address match");
25MODULE_ALIAS("ipt_mac"); 25MODULE_ALIAS("ipt_mac");
26MODULE_ALIAS("ip6t_mac"); 26MODULE_ALIAS("ip6t_mac");
27 27
28static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par)
29{ 29{
30 const struct xt_mac_info *info = par->matchinfo; 30 const struct xt_mac_info *info = par->matchinfo;
31 bool ret; 31 bool ret;
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 035c468a0040..23345238711b 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_MARK");
25MODULE_ALIAS("ip6t_MARK"); 25MODULE_ALIAS("ip6t_MARK");
26 26
27static unsigned int 27static unsigned int
28mark_tg(struct sk_buff *skb, const struct xt_target_param *par) 28mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
29{ 29{
30 const struct xt_mark_tginfo2 *info = par->targinfo; 30 const struct xt_mark_tginfo2 *info = par->targinfo;
31 31
@@ -34,7 +34,7 @@ mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
34} 34}
35 35
36static bool 36static bool
37mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) 37mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
38{ 38{
39 const struct xt_mark_mtinfo1 *info = par->matchinfo; 39 const struct xt_mark_mtinfo1 *info = par->matchinfo;
40 40
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 83b77ceb264f..ac1d3c3d09e7 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -72,7 +72,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
72} 72}
73 73
74static bool 74static bool
75multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par) 75multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
76{ 76{
77 const __be16 *pptr; 77 const __be16 *pptr;
78 __be16 _ports[2]; 78 __be16 _ports[2];
@@ -87,7 +87,7 @@ multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
87 * can't. Hence, no choice but to drop. 87 * can't. Hence, no choice but to drop.
88 */ 88 */
89 pr_debug("Dropping evil offset=0 tinygram.\n"); 89 pr_debug("Dropping evil offset=0 tinygram.\n");
90 *par->hotdrop = true; 90 par->hotdrop = true;
91 return false; 91 return false;
92 } 92 }
93 93
@@ -117,7 +117,7 @@ static int multiport_mt_check(const struct xt_mtchk_param *par)
117 const struct xt_multiport_v1 *multiinfo = par->matchinfo; 117 const struct xt_multiport_v1 *multiinfo = par->matchinfo;
118 118
119 return check(ip->proto, ip->invflags, multiinfo->flags, 119 return check(ip->proto, ip->invflags, multiinfo->flags,
120 multiinfo->count); 120 multiinfo->count) ? 0 : -EINVAL;
121} 121}
122 122
123static int multiport_mt6_check(const struct xt_mtchk_param *par) 123static int multiport_mt6_check(const struct xt_mtchk_param *par)
@@ -126,7 +126,7 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par)
126 const struct xt_multiport_v1 *multiinfo = par->matchinfo; 126 const struct xt_multiport_v1 *multiinfo = par->matchinfo;
127 127
128 return check(ip->proto, ip->invflags, multiinfo->flags, 128 return check(ip->proto, ip->invflags, multiinfo->flags,
129 multiinfo->count); 129 multiinfo->count) ? 0 : -EINVAL;
130} 130}
131 131
132static struct xt_match multiport_mt_reg[] __read_mostly = { 132static struct xt_match multiport_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index 8dcde13a0781..4327e101c047 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -193,8 +193,8 @@ static inline int xt_osf_ttl(const struct sk_buff *skb, const struct xt_osf_info
193 return ip->ttl == f_ttl; 193 return ip->ttl == f_ttl;
194} 194}
195 195
196static bool xt_osf_match_packet(const struct sk_buff *skb, 196static bool
197 const struct xt_match_param *p) 197xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)
198{ 198{
199 const struct xt_osf_info *info = p->matchinfo; 199 const struct xt_osf_info *info = p->matchinfo;
200 const struct iphdr *ip = ip_hdr(skb); 200 const struct iphdr *ip = ip_hdr(skb);
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index d24c76dffee2..772d7389b337 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -18,7 +18,7 @@
18#include <linux/netfilter/xt_owner.h> 18#include <linux/netfilter/xt_owner.h>
19 19
20static bool 20static bool
21owner_mt(const struct sk_buff *skb, const struct xt_match_param *par) 21owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
22{ 22{
23 const struct xt_owner_match_info *info = par->matchinfo; 23 const struct xt_owner_match_info *info = par->matchinfo;
24 const struct file *filp; 24 const struct file *filp;
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index d0bdf3dd4d25..d7ca16b8b8df 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ip6t_physdev");
22 22
23 23
24static bool 24static bool
25physdev_mt(const struct sk_buff *skb, const struct xt_match_param *par) 25physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
26{ 26{
27 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 27 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
28 const struct xt_physdev_info *info = par->matchinfo; 28 const struct xt_physdev_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 69da1d3a1d85..5b645cb598fc 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_pkttype");
23MODULE_ALIAS("ip6t_pkttype"); 23MODULE_ALIAS("ip6t_pkttype");
24 24
25static bool 25static bool
26pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par) 26pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
27{ 27{
28 const struct xt_pkttype_info *info = par->matchinfo; 28 const struct xt_pkttype_info *info = par->matchinfo;
29 u_int8_t type; 29 u_int8_t type;
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 1fa239c1fb93..f23e97bb42d7 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -110,7 +110,7 @@ match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
110} 110}
111 111
112static bool 112static bool
113policy_mt(const struct sk_buff *skb, const struct xt_match_param *par) 113policy_mt(const struct sk_buff *skb, struct xt_action_param *par)
114{ 114{
115 const struct xt_policy_info *info = par->matchinfo; 115 const struct xt_policy_info *info = par->matchinfo;
116 int ret; 116 int ret;
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 7c95d69f6f06..b4f7dfea5980 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ip6t_quota");
23static DEFINE_SPINLOCK(quota_lock); 23static DEFINE_SPINLOCK(quota_lock);
24 24
25static bool 25static bool
26quota_mt(const struct sk_buff *skb, const struct xt_match_param *par) 26quota_mt(const struct sk_buff *skb, struct xt_action_param *par)
27{ 27{
28 struct xt_quota_info *q = (void *)par->matchinfo; 28 struct xt_quota_info *q = (void *)par->matchinfo;
29 struct xt_quota_priv *priv = q->master; 29 struct xt_quota_priv *priv = q->master;
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 23805f8a444b..76a083184d8e 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -15,7 +15,7 @@
15 15
16 16
17static bool 17static bool
18xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par) 18xt_rateest_mt(const struct sk_buff *skb, struct xt_action_param *par)
19{ 19{
20 const struct xt_rateest_match_info *info = par->matchinfo; 20 const struct xt_rateest_match_info *info = par->matchinfo;
21 struct gnet_stats_rate_est *r; 21 struct gnet_stats_rate_est *r;
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 484d1689bfde..459a7b256eb2 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -22,7 +22,7 @@ MODULE_DESCRIPTION("Xtables: Routing realm match");
22MODULE_ALIAS("ipt_realm"); 22MODULE_ALIAS("ipt_realm");
23 23
24static bool 24static bool
25realm_mt(const struct sk_buff *skb, const struct xt_match_param *par) 25realm_mt(const struct sk_buff *skb, struct xt_action_param *par)
26{ 26{
27 const struct xt_realm_info *info = par->matchinfo; 27 const struct xt_realm_info *info = par->matchinfo;
28 const struct dst_entry *dst = skb_dst(skb); 28 const struct dst_entry *dst = skb_dst(skb);
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index b88d63b9c76a..76aec6a44762 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -224,7 +224,7 @@ static void recent_table_flush(struct recent_table *t)
224} 224}
225 225
226static bool 226static bool
227recent_mt(const struct sk_buff *skb, const struct xt_match_param *par) 227recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
228{ 228{
229 struct net *net = dev_net(par->in ? par->in : par->out); 229 struct net *net = dev_net(par->in ? par->in : par->out);
230 struct recent_net *recent_net = recent_pernet(net); 230 struct recent_net *recent_net = recent_pernet(net);
@@ -268,7 +268,7 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
268 goto out; 268 goto out;
269 e = recent_entry_init(t, &addr, par->family, ttl); 269 e = recent_entry_init(t, &addr, par->family, ttl);
270 if (e == NULL) 270 if (e == NULL)
271 *par->hotdrop = true; 271 par->hotdrop = true;
272 ret = !ret; 272 ret = !ret;
273 goto out; 273 goto out;
274 } 274 }
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index c3694df54672..c04fcf385c59 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -114,7 +114,7 @@ match_packet(const struct sk_buff *skb,
114} 114}
115 115
116static bool 116static bool
117sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 117sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
118{ 118{
119 const struct xt_sctp_info *info = par->matchinfo; 119 const struct xt_sctp_info *info = par->matchinfo;
120 const sctp_sctphdr_t *sh; 120 const sctp_sctphdr_t *sh;
@@ -128,7 +128,7 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
128 sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh); 128 sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
129 if (sh == NULL) { 129 if (sh == NULL) {
130 pr_debug("Dropping evil TCP offset=0 tinygram.\n"); 130 pr_debug("Dropping evil TCP offset=0 tinygram.\n");
131 *par->hotdrop = true; 131 par->hotdrop = true;
132 return false; 132 return false;
133 } 133 }
134 pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); 134 pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
@@ -140,7 +140,7 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
140 && ntohs(sh->dest) <= info->dpts[1], 140 && ntohs(sh->dest) <= info->dpts[1],
141 XT_SCTP_DEST_PORTS, info->flags, info->invflags) 141 XT_SCTP_DEST_PORTS, info->flags, info->invflags)
142 && SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t), 142 && SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
143 info, par->hotdrop), 143 info, &par->hotdrop),
144 XT_SCTP_CHUNK_TYPES, info->flags, info->invflags); 144 XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
145} 145}
146 146
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index a9b16867e1f7..3d54c236a1ba 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -88,7 +88,7 @@ extract_icmp_fields(const struct sk_buff *skb,
88 88
89 89
90static bool 90static bool
91socket_match(const struct sk_buff *skb, const struct xt_match_param *par, 91socket_match(const struct sk_buff *skb, struct xt_action_param *par,
92 const struct xt_socket_mtinfo1 *info) 92 const struct xt_socket_mtinfo1 *info)
93{ 93{
94 const struct iphdr *iph = ip_hdr(skb); 94 const struct iphdr *iph = ip_hdr(skb);
@@ -174,13 +174,13 @@ socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
174} 174}
175 175
176static bool 176static bool
177socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) 177socket_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
178{ 178{
179 return socket_match(skb, par, NULL); 179 return socket_match(skb, par, NULL);
180} 180}
181 181
182static bool 182static bool
183socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par) 183socket_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
184{ 184{
185 return socket_match(skb, par, par->matchinfo); 185 return socket_match(skb, par, par->matchinfo);
186} 186}
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index bb1271852d50..e12e053d3782 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_state");
21MODULE_ALIAS("ip6t_state"); 21MODULE_ALIAS("ip6t_state");
22 22
23static bool 23static bool
24state_mt(const struct sk_buff *skb, const struct xt_match_param *par) 24state_mt(const struct sk_buff *skb, struct xt_action_param *par)
25{ 25{
26 const struct xt_state_info *sinfo = par->matchinfo; 26 const struct xt_state_info *sinfo = par->matchinfo;
27 enum ip_conntrack_info ctinfo; 27 enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 5aeca1d023d8..96e62b8fd6b1 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -30,7 +30,7 @@ MODULE_ALIAS("ip6t_statistic");
30static DEFINE_SPINLOCK(nth_lock); 30static DEFINE_SPINLOCK(nth_lock);
31 31
32static bool 32static bool
33statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par) 33statistic_mt(const struct sk_buff *skb, struct xt_action_param *par)
34{ 34{
35 const struct xt_statistic_info *info = par->matchinfo; 35 const struct xt_statistic_info *info = par->matchinfo;
36 bool ret = info->flags & XT_STATISTIC_INVERT; 36 bool ret = info->flags & XT_STATISTIC_INVERT;
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index f6d5112175e6..d3c48b14ab94 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_string");
23MODULE_ALIAS("ip6t_string"); 23MODULE_ALIAS("ip6t_string");
24 24
25static bool 25static bool
26string_mt(const struct sk_buff *skb, const struct xt_match_param *par) 26string_mt(const struct sk_buff *skb, struct xt_action_param *par)
27{ 27{
28 const struct xt_string_info *conf = par->matchinfo; 28 const struct xt_string_info *conf = par->matchinfo;
29 struct ts_state state; 29 struct ts_state state;
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 4809b34b10f8..c53d4d18eadf 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tcpmss");
25MODULE_ALIAS("ip6t_tcpmss"); 25MODULE_ALIAS("ip6t_tcpmss");
26 26
27static bool 27static bool
28tcpmss_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
29{ 29{
30 const struct xt_tcpmss_match_info *info = par->matchinfo; 30 const struct xt_tcpmss_match_info *info = par->matchinfo;
31 const struct tcphdr *th; 31 const struct tcphdr *th;
@@ -73,7 +73,7 @@ out:
73 return info->invert; 73 return info->invert;
74 74
75dropit: 75dropit:
76 *par->hotdrop = true; 76 par->hotdrop = true;
77 return false; 77 return false;
78} 78}
79 79
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index efa2ede24ae6..c14d4645daa3 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -62,7 +62,7 @@ tcp_find_option(u_int8_t option,
62 return invert; 62 return invert;
63} 63}
64 64
65static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 65static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
66{ 66{
67 const struct tcphdr *th; 67 const struct tcphdr *th;
68 struct tcphdr _tcph; 68 struct tcphdr _tcph;
@@ -77,7 +77,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
77 */ 77 */
78 if (par->fragoff == 1) { 78 if (par->fragoff == 1) {
79 pr_debug("Dropping evil TCP offset=1 frag.\n"); 79 pr_debug("Dropping evil TCP offset=1 frag.\n");
80 *par->hotdrop = true; 80 par->hotdrop = true;
81 } 81 }
82 /* Must not be a fragment. */ 82 /* Must not be a fragment. */
83 return false; 83 return false;
@@ -90,7 +90,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
90 /* We've been asked to examine this packet, and we 90 /* We've been asked to examine this packet, and we
91 can't. Hence, no choice but to drop. */ 91 can't. Hence, no choice but to drop. */
92 pr_debug("Dropping evil TCP offset=0 tinygram.\n"); 92 pr_debug("Dropping evil TCP offset=0 tinygram.\n");
93 *par->hotdrop = true; 93 par->hotdrop = true;
94 return false; 94 return false;
95 } 95 }
96 96
@@ -108,13 +108,13 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
108 return false; 108 return false;
109 if (tcpinfo->option) { 109 if (tcpinfo->option) {
110 if (th->doff * 4 < sizeof(_tcph)) { 110 if (th->doff * 4 < sizeof(_tcph)) {
111 *par->hotdrop = true; 111 par->hotdrop = true;
112 return false; 112 return false;
113 } 113 }
114 if (!tcp_find_option(tcpinfo->option, skb, par->thoff, 114 if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
115 th->doff*4 - sizeof(_tcph), 115 th->doff*4 - sizeof(_tcph),
116 tcpinfo->invflags & XT_TCP_INV_OPTION, 116 tcpinfo->invflags & XT_TCP_INV_OPTION,
117 par->hotdrop)) 117 &par->hotdrop))
118 return false; 118 return false;
119 } 119 }
120 return true; 120 return true;
@@ -128,7 +128,7 @@ static int tcp_mt_check(const struct xt_mtchk_param *par)
128 return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0; 128 return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0;
129} 129}
130 130
131static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 131static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)
132{ 132{
133 const struct udphdr *uh; 133 const struct udphdr *uh;
134 struct udphdr _udph; 134 struct udphdr _udph;
@@ -143,7 +143,7 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
143 /* We've been asked to examine this packet, and we 143 /* We've been asked to examine this packet, and we
144 can't. Hence, no choice but to drop. */ 144 can't. Hence, no choice but to drop. */
145 pr_debug("Dropping evil UDP tinygram.\n"); 145 pr_debug("Dropping evil UDP tinygram.\n");
146 *par->hotdrop = true; 146 par->hotdrop = true;
147 return false; 147 return false;
148 } 148 }
149 149
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index d8556fdda440..c48975ff8ea2 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -148,11 +148,10 @@ static void localtime_3(struct xtm *r, time_t time)
148 } 148 }
149 149
150 r->month = i + 1; 150 r->month = i + 1;
151 return;
152} 151}
153 152
154static bool 153static bool
155time_mt(const struct sk_buff *skb, const struct xt_match_param *par) 154time_mt(const struct sk_buff *skb, struct xt_action_param *par)
156{ 155{
157 const struct xt_time_info *info = par->matchinfo; 156 const struct xt_time_info *info = par->matchinfo;
158 unsigned int packet_time; 157 unsigned int packet_time;
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index d7c05f03a7e7..a95b50342dbb 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -86,7 +86,7 @@ static bool u32_match_it(const struct xt_u32 *data,
86 return true; 86 return true;
87} 87}
88 88
89static bool u32_mt(const struct sk_buff *skb, const struct xt_match_param *par) 89static bool u32_mt(const struct sk_buff *skb, struct xt_action_param *par)
90{ 90{
91 const struct xt_u32 *data = par->matchinfo; 91 const struct xt_u32 *data = par->matchinfo;
92 bool ret; 92 bool ret;
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 03f80a0fa167..1f9595467c17 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -199,7 +199,7 @@ static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
199{ 199{
200 int ret = 0, result = 0; 200 int ret = 0, result = 0;
201 struct tcf_ipt *ipt = a->priv; 201 struct tcf_ipt *ipt = a->priv;
202 struct xt_target_param par; 202 struct xt_action_param par;
203 203
204 if (skb_cloned(skb)) { 204 if (skb_cloned(skb)) {
205 if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) 205 if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-13 15:20:03 -0500