aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2010-05-11 12:59:21 -0400
committerPatrick McHardy <kaber@trash.net>2010-05-11 12:59:21 -0400
commitcba7a98a474a4f2a9316473734ba76829191a78a (patch)
tree28a0ab87dba93385353bedb76a26a1fc45b3a0c6
parentd250fe91ae129bff0968e685cc9c466d3a5e3482 (diff)
parent4538506be386f9736b83bf9892f829adbbb70fea (diff)
Merge branch 'master' of git://dev.medozas.de/linux
Diffstat
-rw-r--r--include/linux/netfilter/x_tables.h45
-rw-r--r--net/bridge/netfilter/ebt_802_3.c2
-rw-r--r--net/bridge/netfilter/ebt_among.c2
-rw-r--r--net/bridge/netfilter/ebt_arp.c2
-rw-r--r--net/bridge/netfilter/ebt_arpreply.c2
-rw-r--r--net/bridge/netfilter/ebt_dnat.c2
-rw-r--r--net/bridge/netfilter/ebt_ip.c2
-rw-r--r--net/bridge/netfilter/ebt_ip6.c2
-rw-r--r--net/bridge/netfilter/ebt_limit.c2
-rw-r--r--net/bridge/netfilter/ebt_log.c2
-rw-r--r--net/bridge/netfilter/ebt_mark.c2
-rw-r--r--net/bridge/netfilter/ebt_mark_m.c2
-rw-r--r--net/bridge/netfilter/ebt_nflog.c2
-rw-r--r--net/bridge/netfilter/ebt_pkttype.c2
-rw-r--r--net/bridge/netfilter/ebt_redirect.c2
-rw-r--r--net/bridge/netfilter/ebt_snat.c2
-rw-r--r--net/bridge/netfilter/ebt_stp.c2
-rw-r--r--net/bridge/netfilter/ebt_ulog.c2
-rw-r--r--net/bridge/netfilter/ebt_vlan.c2
-rw-r--r--net/bridge/netfilter/ebtables.c33
-rw-r--r--net/ipv4/netfilter/arp_tables.c65
-rw-r--r--net/ipv4/netfilter/arpt_mangle.c2
-rw-r--r--net/ipv4/netfilter/ip_tables.c128
-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c2
-rw-r--r--net/ipv4/netfilter/ipt_ECN.c2
-rw-r--r--net/ipv4/netfilter/ipt_LOG.c2
-rw-r--r--net/ipv4/netfilter/ipt_MASQUERADE.c2
-rw-r--r--net/ipv4/netfilter/ipt_NETMAP.c2
-rw-r--r--net/ipv4/netfilter/ipt_REDIRECT.c2
-rw-r--r--net/ipv4/netfilter/ipt_REJECT.c2
-rw-r--r--net/ipv4/netfilter/ipt_ULOG.c2
-rw-r--r--net/ipv4/netfilter/ipt_addrtype.c4
-rw-r--r--net/ipv4/netfilter/ipt_ah.c4
-rw-r--r--net/ipv4/netfilter/ipt_ecn.c4
-rw-r--r--net/ipv4/netfilter/nf_nat_rule.c4
-rw-r--r--net/ipv6/netfilter/ip6_tables.c118
-rw-r--r--net/ipv6/netfilter/ip6t_LOG.c2
-rw-r--r--net/ipv6/netfilter/ip6t_REJECT.c2
-rw-r--r--net/ipv6/netfilter/ip6t_ah.c6
-rw-r--r--net/ipv6/netfilter/ip6t_eui64.c4
-rw-r--r--net/ipv6/netfilter/ip6t_frag.c6
-rw-r--r--net/ipv6/netfilter/ip6t_hbh.c6
-rw-r--r--net/ipv6/netfilter/ip6t_ipv6header.c2
-rw-r--r--net/ipv6/netfilter/ip6t_mh.c6
-rw-r--r--net/ipv6/netfilter/ip6t_rt.c6
-rw-r--r--net/netfilter/xt_CLASSIFY.c2
-rw-r--r--net/netfilter/xt_CONNSECMARK.c2
-rw-r--r--net/netfilter/xt_CT.c2
-rw-r--r--net/netfilter/xt_DSCP.c8
-rw-r--r--net/netfilter/xt_HL.c4
-rw-r--r--net/netfilter/xt_LED.c2
-rw-r--r--net/netfilter/xt_NFLOG.c2
-rw-r--r--net/netfilter/xt_NFQUEUE.c4
-rw-r--r--net/netfilter/xt_NOTRACK.c2
-rw-r--r--net/netfilter/xt_RATEEST.c2
-rw-r--r--net/netfilter/xt_SECMARK.c2
-rw-r--r--net/netfilter/xt_TCPMSS.c4
-rw-r--r--net/netfilter/xt_TCPOPTSTRIP.c4
-rw-r--r--net/netfilter/xt_TEE.c4
-rw-r--r--net/netfilter/xt_TPROXY.c2
-rw-r--r--net/netfilter/xt_TRACE.c2
-rw-r--r--net/netfilter/xt_cluster.c2
-rw-r--r--net/netfilter/xt_comment.c2
-rw-r--r--net/netfilter/xt_connbytes.c2
-rw-r--r--net/netfilter/xt_connlimit.c6
-rw-r--r--net/netfilter/xt_connmark.c4
-rw-r--r--net/netfilter/xt_conntrack.c6
-rw-r--r--net/netfilter/xt_dccp.c6
-rw-r--r--net/netfilter/xt_dscp.c6
-rw-r--r--net/netfilter/xt_esp.c4
-rw-r--r--net/netfilter/xt_hashlimit.c4
-rw-r--r--net/netfilter/xt_helper.c2
-rw-r--r--net/netfilter/xt_hl.c4
-rw-r--r--net/netfilter/xt_iprange.c4
-rw-r--r--net/netfilter/xt_length.c4
-rw-r--r--net/netfilter/xt_limit.c2
-rw-r--r--net/netfilter/xt_mac.c2
-rw-r--r--net/netfilter/xt_mark.c4
-rw-r--r--net/netfilter/xt_multiport.c8
-rw-r--r--net/netfilter/xt_osf.c4
-rw-r--r--net/netfilter/xt_owner.c2
-rw-r--r--net/netfilter/xt_physdev.c2
-rw-r--r--net/netfilter/xt_pkttype.c2
-rw-r--r--net/netfilter/xt_policy.c2
-rw-r--r--net/netfilter/xt_quota.c2
-rw-r--r--net/netfilter/xt_rateest.c2
-rw-r--r--net/netfilter/xt_realm.c2
-rw-r--r--net/netfilter/xt_recent.c4
-rw-r--r--net/netfilter/xt_sctp.c6
-rw-r--r--net/netfilter/xt_socket.c6
-rw-r--r--net/netfilter/xt_state.c2
-rw-r--r--net/netfilter/xt_statistic.c2
-rw-r--r--net/netfilter/xt_string.c2
-rw-r--r--net/netfilter/xt_tcpmss.c4
-rw-r--r--net/netfilter/xt_tcpudp.c14
-rw-r--r--net/netfilter/xt_time.c2
-rw-r--r--net/netfilter/xt_u32.c2
-rw-r--r--net/sched/act_ipt.c2
98 files changed, 316 insertions, 367 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index eeb4884c30be..c2ee5d8550cf 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -183,29 +183,39 @@ struct xt_counters_info {
183#include <linux/netdevice.h> 183#include <linux/netdevice.h>
184 184
185/** 185/**
186 * struct xt_match_param - parameters for match extensions' match functions 186 * struct xt_action_param - parameters for matches/targets
187 * 187 *
188 * @match: the match extension
189 * @target: the target extension
190 * @matchinfo: per-match data
191 * @targetinfo: per-target data
188 * @in: input netdevice 192 * @in: input netdevice
189 * @out: output netdevice 193 * @out: output netdevice
190 * @match: struct xt_match through which this function was invoked
191 * @matchinfo: per-match data
192 * @fragoff: packet is a fragment, this is the data offset 194 * @fragoff: packet is a fragment, this is the data offset
193 * @thoff: position of transport header relative to skb->data 195 * @thoff: position of transport header relative to skb->data
194 * @hook: hook number given packet came from 196 * @hook: hook number given packet came from
195 * @family: Actual NFPROTO_* through which the function is invoked 197 * @family: Actual NFPROTO_* through which the function is invoked
196 * (helpful when match->family == NFPROTO_UNSPEC) 198 * (helpful when match->family == NFPROTO_UNSPEC)
199 *
200 * Fields written to by extensions:
201 *
197 * @hotdrop: drop packet if we had inspection problems 202 * @hotdrop: drop packet if we had inspection problems
198 * Network namespace obtainable using dev_net(in/out) 203 * Network namespace obtainable using dev_net(in/out)
199 */ 204 */
200struct xt_match_param { 205struct xt_action_param {
206 union {
207 const struct xt_match *match;
208 const struct xt_target *target;
209 };
210 union {
211 const void *matchinfo, *targinfo;
212 };
201 const struct net_device *in, *out; 213 const struct net_device *in, *out;
202 const struct xt_match *match;
203 const void *matchinfo;
204 int fragoff; 214 int fragoff;
205 unsigned int thoff; 215 unsigned int thoff;
206 unsigned int hooknum; 216 unsigned int hooknum;
207 u_int8_t family; 217 u_int8_t family;
208 bool *hotdrop; 218 bool hotdrop;
209}; 219};
210 220
211/** 221/**
@@ -243,23 +253,6 @@ struct xt_mtdtor_param {
243}; 253};
244 254
245/** 255/**
246 * struct xt_target_param - parameters for target extensions' target functions
247 *
248 * @hooknum: hook through which this target was invoked
249 * @target: struct xt_target through which this function was invoked
250 * @targinfo: per-target data
251 *
252 * Other fields see above.
253 */
254struct xt_target_param {
255 const struct net_device *in, *out;
256 const struct xt_target *target;
257 const void *targinfo;
258 unsigned int hooknum;
259 u_int8_t family;
260};
261
262/**
263 * struct xt_tgchk_param - parameters for target extensions' 256 * struct xt_tgchk_param - parameters for target extensions'
264 * checkentry functions 257 * checkentry functions
265 * 258 *
@@ -298,7 +291,7 @@ struct xt_match {
298 non-linear skb, using skb_header_pointer and 291 non-linear skb, using skb_header_pointer and
299 skb_ip_make_writable. */ 292 skb_ip_make_writable. */
300 bool (*match)(const struct sk_buff *skb, 293 bool (*match)(const struct sk_buff *skb,
301 const struct xt_match_param *); 294 struct xt_action_param *);
302 295
303 /* Called when user tries to insert an entry of this type. */ 296 /* Called when user tries to insert an entry of this type. */
304 int (*checkentry)(const struct xt_mtchk_param *); 297 int (*checkentry)(const struct xt_mtchk_param *);
@@ -335,7 +328,7 @@ struct xt_target {
335 must now handle non-linear skbs, using skb_copy_bits and 328 must now handle non-linear skbs, using skb_copy_bits and
336 skb_ip_make_writable. */ 329 skb_ip_make_writable. */
337 unsigned int (*target)(struct sk_buff *skb, 330 unsigned int (*target)(struct sk_buff *skb,
338 const struct xt_target_param *); 331 const struct xt_action_param *);
339 332
340 /* Called when user tries to insert an entry of this type: 333 /* Called when user tries to insert an entry of this type:
341 hook_mask is a bitmask of hooks from which it can be 334 hook_mask is a bitmask of hooks from which it can be
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index f7de8dbc3422..2a449b7ab8fa 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -13,7 +13,7 @@
13#include <linux/netfilter_bridge/ebt_802_3.h> 13#include <linux/netfilter_bridge/ebt_802_3.h>
14 14
15static bool 15static bool
16ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par) 16ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par)
17{ 17{
18 const struct ebt_802_3_info *info = par->matchinfo; 18 const struct ebt_802_3_info *info = par->matchinfo;
19 const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb); 19 const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 20068e03fa81..8b84c581be30 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -129,7 +129,7 @@ static int get_ip_src(const struct sk_buff *skb, __be32 *addr)
129} 129}
130 130
131static bool 131static bool
132ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par) 132ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par)
133{ 133{
134 const struct ebt_among_info *info = par->matchinfo; 134 const struct ebt_among_info *info = par->matchinfo;
135 const char *dmac, *smac; 135 const char *dmac, *smac;
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index 952150cd5e7d..cd457b891b27 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -16,7 +16,7 @@
16#include <linux/netfilter_bridge/ebt_arp.h> 16#include <linux/netfilter_bridge/ebt_arp.h>
17 17
18static bool 18static bool
19ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 19ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
20{ 20{
21 const struct ebt_arp_info *info = par->matchinfo; 21 const struct ebt_arp_info *info = par->matchinfo;
22 const struct arphdr *ah; 22 const struct arphdr *ah;
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index 4581adb27583..070cf134a22f 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -16,7 +16,7 @@
16#include <linux/netfilter_bridge/ebt_arpreply.h> 16#include <linux/netfilter_bridge/ebt_arpreply.h>
17 17
18static unsigned int 18static unsigned int
19ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par) 19ebt_arpreply_tg(struct sk_buff *skb, const struct xt_action_param *par)
20{ 20{
21 const struct ebt_arpreply_info *info = par->targinfo; 21 const struct ebt_arpreply_info *info = par->targinfo;
22 const __be32 *siptr, *diptr; 22 const __be32 *siptr, *diptr;
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 59d5b7c8a557..c59f7bfae6e2 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -15,7 +15,7 @@
15#include <linux/netfilter_bridge/ebt_nat.h> 15#include <linux/netfilter_bridge/ebt_nat.h>
16 16
17static unsigned int 17static unsigned int
18ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par) 18ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
19{ 19{
20 const struct ebt_nat_info *info = par->targinfo; 20 const struct ebt_nat_info *info = par->targinfo;
21 21
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index a1c76c7e5219..23bca62d58d2 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -25,7 +25,7 @@ struct tcpudphdr {
25}; 25};
26 26
27static bool 27static bool
28ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
29{ 29{
30 const struct ebt_ip_info *info = par->matchinfo; 30 const struct ebt_ip_info *info = par->matchinfo;
31 const struct iphdr *ih; 31 const struct iphdr *ih;
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 33f8413f05ad..50a46afc2bcc 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -28,7 +28,7 @@ struct tcpudphdr {
28}; 28};
29 29
30static bool 30static bool
31ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par) 31ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
32{ 32{
33 const struct ebt_ip6_info *info = par->matchinfo; 33 const struct ebt_ip6_info *info = par->matchinfo;
34 const struct ipv6hdr *ih6; 34 const struct ipv6hdr *ih6;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 4b0e2e53fa57..517e78befcb2 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -32,7 +32,7 @@ static DEFINE_SPINLOCK(limit_lock);
32#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ) 32#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
33 33
34static bool 34static bool
35ebt_limit_mt(const struct sk_buff *skb, const struct xt_match_param *par) 35ebt_limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
36{ 36{
37 struct ebt_limit_info *info = (void *)par->matchinfo; 37 struct ebt_limit_info *info = (void *)par->matchinfo;
38 unsigned long now = jiffies; 38 unsigned long now = jiffies;
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index c46024156539..6e5a8bb9b940 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -171,7 +171,7 @@ out:
171} 171}
172 172
173static unsigned int 173static unsigned int
174ebt_log_tg(struct sk_buff *skb, const struct xt_target_param *par) 174ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par)
175{ 175{
176 const struct ebt_log_info *info = par->targinfo; 176 const struct ebt_log_info *info = par->targinfo;
177 struct nf_loginfo li; 177 struct nf_loginfo li;
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 126e536ff8f4..66697cbd0a8b 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -19,7 +19,7 @@
19#include <linux/netfilter_bridge/ebt_mark_t.h> 19#include <linux/netfilter_bridge/ebt_mark_t.h>
20 20
21static unsigned int 21static unsigned int
22ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par) 22ebt_mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
23{ 23{
24 const struct ebt_mark_t_info *info = par->targinfo; 24 const struct ebt_mark_t_info *info = par->targinfo;
25 int action = info->target & -16; 25 int action = info->target & -16;
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index e4366c0a1a43..d98baefc4c7e 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -13,7 +13,7 @@
13#include <linux/netfilter_bridge/ebt_mark_m.h> 13#include <linux/netfilter_bridge/ebt_mark_m.h>
14 14
15static bool 15static bool
16ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) 16ebt_mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
17{ 17{
18 const struct ebt_mark_m_info *info = par->matchinfo; 18 const struct ebt_mark_m_info *info = par->matchinfo;
19 19
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
index 22e2ad5f23e8..5be68bbcc341 100644
--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -20,7 +20,7 @@
20#include <net/netfilter/nf_log.h> 20#include <net/netfilter/nf_log.h>
21 21
22static unsigned int 22static unsigned int
23ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par) 23ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
24{ 24{
25 const struct ebt_nflog_info *info = par->targinfo; 25 const struct ebt_nflog_info *info = par->targinfo;
26 struct nf_loginfo li; 26 struct nf_loginfo li;
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index f34bcc3197bd..496a56515307 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -13,7 +13,7 @@
13#include <linux/netfilter_bridge/ebt_pkttype.h> 13#include <linux/netfilter_bridge/ebt_pkttype.h>
14 14
15static bool 15static bool
16ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par) 16ebt_pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
17{ 17{
18 const struct ebt_pkttype_info *info = par->matchinfo; 18 const struct ebt_pkttype_info *info = par->matchinfo;
19 19
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index a6044a6f2383..9e19166ba453 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -16,7 +16,7 @@
16#include <linux/netfilter_bridge/ebt_redirect.h> 16#include <linux/netfilter_bridge/ebt_redirect.h>
17 17
18static unsigned int 18static unsigned int
19ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par) 19ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
20{ 20{
21 const struct ebt_redirect_info *info = par->targinfo; 21 const struct ebt_redirect_info *info = par->targinfo;
22 22
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 79caca34ae2b..f8f0bd1a1d51 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -17,7 +17,7 @@
17#include <linux/netfilter_bridge/ebt_nat.h> 17#include <linux/netfilter_bridge/ebt_nat.h>
18 18
19static unsigned int 19static unsigned int
20ebt_snat_tg(struct sk_buff *skb, const struct xt_target_param *par) 20ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
21{ 21{
22 const struct ebt_nat_info *info = par->targinfo; 22 const struct ebt_nat_info *info = par->targinfo;
23 23
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 02f28fdda393..5b33a2e634a6 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -120,7 +120,7 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
120} 120}
121 121
122static bool 122static bool
123ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 123ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par)
124{ 124{
125 const struct ebt_stp_info *info = par->matchinfo; 125 const struct ebt_stp_info *info = par->matchinfo;
126 const struct stp_header *sp; 126 const struct stp_header *sp;
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 852f37c27659..ae3c7cef1484 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -243,7 +243,7 @@ static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
243} 243}
244 244
245static unsigned int 245static unsigned int
246ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par) 246ebt_ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
247{ 247{
248 ebt_ulog_packet(par->hooknum, skb, par->in, par->out, 248 ebt_ulog_packet(par->hooknum, skb, par->in, par->out,
249 par->targinfo, NULL); 249 par->targinfo, NULL);
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index bf8ae5c7a0c5..87b53b3a921d 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -36,7 +36,7 @@ MODULE_LICENSE("GPL");
36#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; } 36#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
37 37
38static bool 38static bool
39ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par) 39ebt_vlan_mt(const struct sk_buff *skb, struct xt_action_param *par)
40{ 40{
41 const struct ebt_vlan_info *info = par->matchinfo; 41 const struct ebt_vlan_info *info = par->matchinfo;
42 const struct vlan_hdr *fp; 42 const struct vlan_hdr *fp;
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 1d8c2c0a7470..59ca00e40dec 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -86,7 +86,7 @@ static struct xt_target ebt_standard_target = {
86 86
87static inline int 87static inline int
88ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb, 88ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
89 struct xt_target_param *par) 89 struct xt_action_param *par)
90{ 90{
91 par->target = w->u.watcher; 91 par->target = w->u.watcher;
92 par->targinfo = w->data; 92 par->targinfo = w->data;
@@ -95,8 +95,9 @@ ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
95 return 0; 95 return 0;
96} 96}
97 97
98static inline int ebt_do_match (struct ebt_entry_match *m, 98static inline int
99 const struct sk_buff *skb, struct xt_match_param *par) 99ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
100 struct xt_action_param *par)
100{ 101{
101 par->match = m->u.match; 102 par->match = m->u.match;
102 par->matchinfo = m->data; 103 par->matchinfo = m->data;
@@ -185,15 +186,13 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
185 struct ebt_entries *chaininfo; 186 struct ebt_entries *chaininfo;
186 const char *base; 187 const char *base;
187 const struct ebt_table_info *private; 188 const struct ebt_table_info *private;
188 bool hotdrop = false; 189 struct xt_action_param acpar;
189 struct xt_match_param mtpar;
190 struct xt_target_param tgpar;
191 190
192 mtpar.family = tgpar.family = NFPROTO_BRIDGE; 191 acpar.family = NFPROTO_BRIDGE;
193 mtpar.in = tgpar.in = in; 192 acpar.in = in;
194 mtpar.out = tgpar.out = out; 193 acpar.out = out;
195 mtpar.hotdrop = &hotdrop; 194 acpar.hotdrop = false;
196 mtpar.hooknum = tgpar.hooknum = hook; 195 acpar.hooknum = hook;
197 196
198 read_lock_bh(&table->lock); 197 read_lock_bh(&table->lock);
199 private = table->private; 198 private = table->private;
@@ -214,9 +213,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
214 if (ebt_basic_match(point, eth_hdr(skb), in, out)) 213 if (ebt_basic_match(point, eth_hdr(skb), in, out))
215 goto letscontinue; 214 goto letscontinue;
216 215
217 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0) 216 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
218 goto letscontinue; 217 goto letscontinue;
219 if (hotdrop) { 218 if (acpar.hotdrop) {
220 read_unlock_bh(&table->lock); 219 read_unlock_bh(&table->lock);
221 return NF_DROP; 220 return NF_DROP;
222 } 221 }
@@ -227,7 +226,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
227 226
228 /* these should only watch: not modify, nor tell us 227 /* these should only watch: not modify, nor tell us
229 what to do with the packet */ 228 what to do with the packet */
230 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar); 229 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
231 230
232 t = (struct ebt_entry_target *) 231 t = (struct ebt_entry_target *)
233 (((char *)point) + point->target_offset); 232 (((char *)point) + point->target_offset);
@@ -235,9 +234,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
235 if (!t->u.target->target) 234 if (!t->u.target->target)
236 verdict = ((struct ebt_standard_target *)t)->verdict; 235 verdict = ((struct ebt_standard_target *)t)->verdict;
237 else { 236 else {
238 tgpar.target = t->u.target; 237 acpar.target = t->u.target;
239 tgpar.targinfo = t->data; 238 acpar.targinfo = t->data;
240 verdict = t->u.target->target(skb, &tgpar); 239 verdict = t->u.target->target(skb, &acpar);
241 } 240 }
242 if (verdict == EBT_ACCEPT) { 241 if (verdict == EBT_ACCEPT) {
243 read_unlock_bh(&table->lock); 242 read_unlock_bh(&table->lock);
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 07a699059390..03352fcba172 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -224,7 +224,7 @@ static inline int arp_checkentry(const struct arpt_arp *arp)
224} 224}
225 225
226static unsigned int 226static unsigned int
227arpt_error(struct sk_buff *skb, const struct xt_target_param *par) 227arpt_error(struct sk_buff *skb, const struct xt_action_param *par)
228{ 228{
229 if (net_ratelimit()) 229 if (net_ratelimit())
230 printk("arp_tables: error: '%s'\n", 230 printk("arp_tables: error: '%s'\n",
@@ -260,12 +260,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
260 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 260 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
261 unsigned int verdict = NF_DROP; 261 unsigned int verdict = NF_DROP;
262 const struct arphdr *arp; 262 const struct arphdr *arp;
263 bool hotdrop = false;
264 struct arpt_entry *e, *back; 263 struct arpt_entry *e, *back;
265 const char *indev, *outdev; 264 const char *indev, *outdev;
266 void *table_base; 265 void *table_base;
267 const struct xt_table_info *private; 266 const struct xt_table_info *private;
268 struct xt_target_param tgpar; 267 struct xt_action_param acpar;
269 268
270 if (!pskb_may_pull(skb, arp_hdr_len(skb->dev))) 269 if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
271 return NF_DROP; 270 return NF_DROP;
@@ -280,10 +279,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
280 e = get_entry(table_base, private->hook_entry[hook]); 279 e = get_entry(table_base, private->hook_entry[hook]);
281 back = get_entry(table_base, private->underflow[hook]); 280 back = get_entry(table_base, private->underflow[hook]);
282 281
283 tgpar.in = in; 282 acpar.in = in;
284 tgpar.out = out; 283 acpar.out = out;
285 tgpar.hooknum = hook; 284 acpar.hooknum = hook;
286 tgpar.family = NFPROTO_ARP; 285 acpar.family = NFPROTO_ARP;
286 acpar.hotdrop = false;
287 287
288 arp = arp_hdr(skb); 288 arp = arp_hdr(skb);
289 do { 289 do {
@@ -333,9 +333,9 @@ unsigned int arpt_do_table(struct sk_buff *skb,
333 /* Targets which reenter must return 333 /* Targets which reenter must return
334 * abs. verdicts 334 * abs. verdicts
335 */ 335 */
336 tgpar.target = t->u.kernel.target; 336 acpar.target = t->u.kernel.target;
337 tgpar.targinfo = t->data; 337 acpar.targinfo = t->data;
338 verdict = t->u.kernel.target->target(skb, &tgpar); 338 verdict = t->u.kernel.target->target(skb, &acpar);
339 339
340 /* Target might have changed stuff. */ 340 /* Target might have changed stuff. */
341 arp = arp_hdr(skb); 341 arp = arp_hdr(skb);
@@ -345,10 +345,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
345 else 345 else
346 /* Verdict */ 346 /* Verdict */
347 break; 347 break;
348 } while (!hotdrop); 348 } while (!acpar.hotdrop);
349 xt_info_rdunlock_bh(); 349 xt_info_rdunlock_bh();
350 350
351 if (hotdrop) 351 if (acpar.hotdrop)
352 return NF_DROP; 352 return NF_DROP;
353 else 353 else
354 return verdict; 354 return verdict;
@@ -1828,22 +1828,23 @@ void arpt_unregister_table(struct xt_table *table)
1828} 1828}
1829 1829
1830/* The built-in targets: standard (NULL) and error. */ 1830/* The built-in targets: standard (NULL) and error. */
1831static struct xt_target arpt_standard_target __read_mostly = { 1831static struct xt_target arpt_builtin_tg[] __read_mostly = {
1832 .name = ARPT_STANDARD_TARGET, 1832 {
1833 .targetsize = sizeof(int), 1833 .name = ARPT_STANDARD_TARGET,
1834 .family = NFPROTO_ARP, 1834 .targetsize = sizeof(int),
1835 .family = NFPROTO_ARP,
1835#ifdef CONFIG_COMPAT 1836#ifdef CONFIG_COMPAT
1836 .compatsize = sizeof(compat_int_t), 1837 .compatsize = sizeof(compat_int_t),
1837 .compat_from_user = compat_standard_from_user, 1838 .compat_from_user = compat_standard_from_user,
1838 .compat_to_user = compat_standard_to_user, 1839 .compat_to_user = compat_standard_to_user,
1839#endif 1840#endif
1840}; 1841 },
1841 1842 {
1842static struct xt_target arpt_error_target __read_mostly = { 1843 .name = ARPT_ERROR_TARGET,
1843 .name = ARPT_ERROR_TARGET, 1844 .target = arpt_error,
1844 .target = arpt_error, 1845 .targetsize = ARPT_FUNCTION_MAXNAMELEN,
1845 .targetsize = ARPT_FUNCTION_MAXNAMELEN, 1846 .family = NFPROTO_ARP,
1846 .family = NFPROTO_ARP, 1847 },
1847}; 1848};
1848 1849
1849static struct nf_sockopt_ops arpt_sockopts = { 1850static struct nf_sockopt_ops arpt_sockopts = {
@@ -1887,12 +1888,9 @@ static int __init arp_tables_init(void)
1887 goto err1; 1888 goto err1;
1888 1889
1889 /* Noone else will be downing sem now, so we won't sleep */ 1890 /* Noone else will be downing sem now, so we won't sleep */
1890 ret = xt_register_target(&arpt_standard_target); 1891 ret = xt_register_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
1891 if (ret < 0) 1892 if (ret < 0)
1892 goto err2; 1893 goto err2;
1893 ret = xt_register_target(&arpt_error_target);
1894 if (ret < 0)
1895 goto err3;
1896 1894
1897 /* Register setsockopt */ 1895 /* Register setsockopt */
1898 ret = nf_register_sockopt(&arpt_sockopts); 1896 ret = nf_register_sockopt(&arpt_sockopts);
@@ -1903,9 +1901,7 @@ static int __init arp_tables_init(void)
1903 return 0; 1901 return 0;
1904 1902
1905err4: 1903err4:
1906 xt_unregister_target(&arpt_error_target); 1904 xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
1907err3:
1908 xt_unregister_target(&arpt_standard_target);
1909err2: 1905err2:
1910 unregister_pernet_subsys(&arp_tables_net_ops); 1906 unregister_pernet_subsys(&arp_tables_net_ops);
1911err1: 1907err1:
@@ -1915,8 +1911,7 @@ err1:
1915static void __exit arp_tables_fini(void) 1911static void __exit arp_tables_fini(void)
1916{ 1912{
1917 nf_unregister_sockopt(&arpt_sockopts); 1913 nf_unregister_sockopt(&arpt_sockopts);
1918 xt_unregister_target(&arpt_error_target); 1914 xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
1919 xt_unregister_target(&arpt_standard_target);
1920 unregister_pernet_subsys(&arp_tables_net_ops); 1915 unregister_pernet_subsys(&arp_tables_net_ops);
1921} 1916}
1922 1917
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 4b51a027f307..e1be7dd1171b 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -9,7 +9,7 @@ MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
9MODULE_DESCRIPTION("arptables arp payload mangle target"); 9MODULE_DESCRIPTION("arptables arp payload mangle target");
10 10
11static unsigned int 11static unsigned int
12target(struct sk_buff *skb, const struct xt_target_param *par) 12target(struct sk_buff *skb, const struct xt_action_param *par)
13{ 13{
14 const struct arpt_mangle *mangle = par->targinfo; 14 const struct arpt_mangle *mangle = par->targinfo;
15 const struct arphdr *arp; 15 const struct arphdr *arp;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3e6af1036fbc..49b9e4fb5460 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -165,7 +165,7 @@ ip_checkentry(const struct ipt_ip *ip)
165} 165}
166 166
167static unsigned int 167static unsigned int
168ipt_error(struct sk_buff *skb, const struct xt_target_param *par) 168ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
169{ 169{
170 if (net_ratelimit()) 170 if (net_ratelimit())
171 pr_info("error: `%s'\n", (const char *)par->targinfo); 171 pr_info("error: `%s'\n", (const char *)par->targinfo);
@@ -173,21 +173,6 @@ ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
173 return NF_DROP; 173 return NF_DROP;
174} 174}
175 175
176/* Performance critical - called for every packet */
177static inline bool
178do_match(const struct ipt_entry_match *m, const struct sk_buff *skb,
179 struct xt_match_param *par)
180{
181 par->match = m->u.kernel.match;
182 par->matchinfo = m->data;
183
184 /* Stop iteration if it doesn't match */
185 if (!m->u.kernel.match->match(skb, par))
186 return true;
187 else
188 return false;
189}
190
191/* Performance critical */ 176/* Performance critical */
192static inline struct ipt_entry * 177static inline struct ipt_entry *
193get_entry(const void *base, unsigned int offset) 178get_entry(const void *base, unsigned int offset)
@@ -323,7 +308,6 @@ ipt_do_table(struct sk_buff *skb,
323{ 308{
324 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 309 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
325 const struct iphdr *ip; 310 const struct iphdr *ip;
326 bool hotdrop = false;
327 /* Initializing verdict to NF_DROP keeps gcc happy. */ 311 /* Initializing verdict to NF_DROP keeps gcc happy. */
328 unsigned int verdict = NF_DROP; 312 unsigned int verdict = NF_DROP;
329 const char *indev, *outdev; 313 const char *indev, *outdev;
@@ -331,8 +315,7 @@ ipt_do_table(struct sk_buff *skb,
331 struct ipt_entry *e, **jumpstack; 315 struct ipt_entry *e, **jumpstack;
332 unsigned int *stackptr, origptr, cpu; 316 unsigned int *stackptr, origptr, cpu;
333 const struct xt_table_info *private; 317 const struct xt_table_info *private;
334 struct xt_match_param mtpar; 318 struct xt_action_param acpar;
335 struct xt_target_param tgpar;
336 319
337 /* Initialization */ 320 /* Initialization */
338 ip = ip_hdr(skb); 321 ip = ip_hdr(skb);
@@ -344,13 +327,13 @@ ipt_do_table(struct sk_buff *skb,
344 * things we don't know, ie. tcp syn flag or ports). If the 327 * things we don't know, ie. tcp syn flag or ports). If the
345 * rule is also a fragment-specific rule, non-fragments won't 328 * rule is also a fragment-specific rule, non-fragments won't
346 * match it. */ 329 * match it. */
347 mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET; 330 acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
348 mtpar.thoff = ip_hdrlen(skb); 331 acpar.thoff = ip_hdrlen(skb);
349 mtpar.hotdrop = &hotdrop; 332 acpar.hotdrop = false;
350 mtpar.in = tgpar.in = in; 333 acpar.in = in;
351 mtpar.out = tgpar.out = out; 334 acpar.out = out;
352 mtpar.family = tgpar.family = NFPROTO_IPV4; 335 acpar.family = NFPROTO_IPV4;
353 mtpar.hooknum = tgpar.hooknum = hook; 336 acpar.hooknum = hook;
354 337
355 IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 338 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
356 xt_info_rdlock_bh(); 339 xt_info_rdlock_bh();
@@ -373,15 +356,18 @@ ipt_do_table(struct sk_buff *skb,
373 356
374 IP_NF_ASSERT(e); 357 IP_NF_ASSERT(e);
375 if (!ip_packet_match(ip, indev, outdev, 358 if (!ip_packet_match(ip, indev, outdev,
376 &e->ip, mtpar.fragoff)) { 359 &e->ip, acpar.fragoff)) {
377 no_match: 360 no_match:
378 e = ipt_next_entry(e); 361 e = ipt_next_entry(e);
379 continue; 362 continue;
380 } 363 }
381 364
382 xt_ematch_foreach(ematch, e) 365 xt_ematch_foreach(ematch, e) {
383 if (do_match(ematch, skb, &mtpar) != 0) 366 acpar.match = ematch->u.kernel.match;
367 acpar.matchinfo = ematch->data;
368 if (!acpar.match->match(skb, &acpar))
384 goto no_match; 369 goto no_match;
370 }
385 371
386 ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1); 372 ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
387 373
@@ -434,11 +420,10 @@ ipt_do_table(struct sk_buff *skb,
434 continue; 420 continue;
435 } 421 }
436 422
437 tgpar.target = t->u.kernel.target; 423 acpar.target = t->u.kernel.target;
438 tgpar.targinfo = t->data; 424 acpar.targinfo = t->data;
439
440 425
441 verdict = t->u.kernel.target->target(skb, &tgpar); 426 verdict = t->u.kernel.target->target(skb, &acpar);
442 /* Target might have changed stuff. */ 427 /* Target might have changed stuff. */
443 ip = ip_hdr(skb); 428 ip = ip_hdr(skb);
444 if (verdict == IPT_CONTINUE) 429 if (verdict == IPT_CONTINUE)
@@ -446,7 +431,7 @@ ipt_do_table(struct sk_buff *skb,
446 else 431 else
447 /* Verdict */ 432 /* Verdict */
448 break; 433 break;
449 } while (!hotdrop); 434 } while (!acpar.hotdrop);
450 xt_info_rdunlock_bh(); 435 xt_info_rdunlock_bh();
451 pr_debug("Exiting %s; resetting sp from %u to %u\n", 436 pr_debug("Exiting %s; resetting sp from %u to %u\n",
452 __func__, *stackptr, origptr); 437 __func__, *stackptr, origptr);
@@ -454,7 +439,7 @@ ipt_do_table(struct sk_buff *skb,
454#ifdef DEBUG_ALLOW_ALL 439#ifdef DEBUG_ALLOW_ALL
455 return NF_ACCEPT; 440 return NF_ACCEPT;
456#else 441#else
457 if (hotdrop) 442 if (acpar.hotdrop)
458 return NF_DROP; 443 return NF_DROP;
459 else return verdict; 444 else return verdict;
460#endif 445#endif
@@ -591,7 +576,7 @@ check_entry(const struct ipt_entry *e, const char *name)
591 const struct ipt_entry_target *t; 576 const struct ipt_entry_target *t;
592 577
593 if (!ip_checkentry(&e->ip)) { 578 if (!ip_checkentry(&e->ip)) {
594 duprintf("ip check failed %p %s.\n", e, name); 579 duprintf("ip check failed %p %s.\n", e, par->match->name);
595 return -EINVAL; 580 return -EINVAL;
596 } 581 }
597 582
@@ -618,7 +603,7 @@ check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
618 ret = xt_check_match(par, m->u.match_size - sizeof(*m), 603 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
619 ip->proto, ip->invflags & IPT_INV_PROTO); 604 ip->proto, ip->invflags & IPT_INV_PROTO);
620 if (ret < 0) { 605 if (ret < 0) {
621 duprintf("check failed for `%s'.\n", par.match->name); 606 duprintf("check failed for `%s'.\n", par->match->name);
622 return ret; 607 return ret;
623 } 608 }
624 return 0; 609 return 0;
@@ -2152,7 +2137,7 @@ icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2152} 2137}
2153 2138
2154static bool 2139static bool
2155icmp_match(const struct sk_buff *skb, const struct xt_match_param *par) 2140icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
2156{ 2141{
2157 const struct icmphdr *ic; 2142 const struct icmphdr *ic;
2158 struct icmphdr _icmph; 2143 struct icmphdr _icmph;
@@ -2168,7 +2153,7 @@ icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
2168 * can't. Hence, no choice but to drop. 2153 * can't. Hence, no choice but to drop.
2169 */ 2154 */
2170 duprintf("Dropping evil ICMP tinygram.\n"); 2155 duprintf("Dropping evil ICMP tinygram.\n");
2171 *par->hotdrop = true; 2156 par->hotdrop = true;
2172 return false; 2157 return false;
2173 } 2158 }
2174 2159
@@ -2187,23 +2172,23 @@ static int icmp_checkentry(const struct xt_mtchk_param *par)
2187 return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0; 2172 return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
2188} 2173}
2189 2174
2190/* The built-in targets: standard (NULL) and error. */ 2175static struct xt_target ipt_builtin_tg[] __read_mostly = {
2191static struct xt_target ipt_standard_target __read_mostly = { 2176 {
2192 .name = IPT_STANDARD_TARGET, 2177 .name = IPT_STANDARD_TARGET,
2193 .targetsize = sizeof(int), 2178 .targetsize = sizeof(int),
2194 .family = NFPROTO_IPV4, 2179 .family = NFPROTO_IPV4,
2195#ifdef CONFIG_COMPAT 2180#ifdef CONFIG_COMPAT
2196 .compatsize = sizeof(compat_int_t), 2181 .compatsize = sizeof(compat_int_t),
2197 .compat_from_user = compat_standard_from_user, 2182 .compat_from_user = compat_standard_from_user,
2198 .compat_to_user = compat_standard_to_user, 2183 .compat_to_user = compat_standard_to_user,
2199#endif 2184#endif
2200}; 2185 },
2201 2186 {
2202static struct xt_target ipt_error_target __read_mostly = { 2187 .name = IPT_ERROR_TARGET,
2203 .name = IPT_ERROR_TARGET, 2188 .target = ipt_error,
2204 .target = ipt_error, 2189 .targetsize = IPT_FUNCTION_MAXNAMELEN,
2205 .targetsize = IPT_FUNCTION_MAXNAMELEN, 2190 .family = NFPROTO_IPV4,
2206 .family = NFPROTO_IPV4, 2191 },
2207}; 2192};
2208 2193
2209static struct nf_sockopt_ops ipt_sockopts = { 2194static struct nf_sockopt_ops ipt_sockopts = {
@@ -2223,13 +2208,15 @@ static struct nf_sockopt_ops ipt_sockopts = {
2223 .owner = THIS_MODULE, 2208 .owner = THIS_MODULE,
2224}; 2209};
2225 2210
2226static struct xt_match icmp_matchstruct __read_mostly = { 2211static struct xt_match ipt_builtin_mt[] __read_mostly = {
2227 .name = "icmp", 2212 {
2228 .match = icmp_match, 2213 .name = "icmp",
2229 .matchsize = sizeof(struct ipt_icmp), 2214 .match = icmp_match,
2230 .checkentry = icmp_checkentry, 2215 .matchsize = sizeof(struct ipt_icmp),
2231 .proto = IPPROTO_ICMP, 2216 .checkentry = icmp_checkentry,
2232 .family = NFPROTO_IPV4, 2217 .proto = IPPROTO_ICMP,
2218 .family = NFPROTO_IPV4,
2219 },
2233}; 2220};
2234 2221
2235static int __net_init ip_tables_net_init(struct net *net) 2222static int __net_init ip_tables_net_init(struct net *net)
@@ -2256,13 +2243,10 @@ static int __init ip_tables_init(void)
2256 goto err1; 2243 goto err1;
2257 2244
2258 /* Noone else will be downing sem now, so we won't sleep */ 2245 /* Noone else will be downing sem now, so we won't sleep */
2259 ret = xt_register_target(&ipt_standard_target); 2246 ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2260 if (ret < 0) 2247 if (ret < 0)
2261 goto err2; 2248 goto err2;
2262 ret = xt_register_target(&ipt_error_target); 2249 ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2263 if (ret < 0)
2264 goto err3;
2265 ret = xt_register_match(&icmp_matchstruct);
2266 if (ret < 0) 2250 if (ret < 0)
2267 goto err4; 2251 goto err4;
2268 2252
@@ -2275,11 +2259,9 @@ static int __init ip_tables_init(void)
2275 return 0; 2259 return 0;
2276 2260
2277err5: 2261err5:
2278 xt_unregister_match(&icmp_matchstruct); 2262 xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2279err4: 2263err4:
2280 xt_unregister_target(&ipt_error_target); 2264 xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2281err3:
2282 xt_unregister_target(&ipt_standard_target);
2283err2: 2265err2:
2284 unregister_pernet_subsys(&ip_tables_net_ops); 2266 unregister_pernet_subsys(&ip_tables_net_ops);
2285err1: 2267err1:
@@ -2290,10 +2272,8 @@ static void __exit ip_tables_fini(void)
2290{ 2272{
2291 nf_unregister_sockopt(&ipt_sockopts); 2273 nf_unregister_sockopt(&ipt_sockopts);
2292 2274
2293 xt_unregister_match(&icmp_matchstruct); 2275 xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2294 xt_unregister_target(&ipt_error_target); 2276 xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2295 xt_unregister_target(&ipt_standard_target);
2296
2297 unregister_pernet_subsys(&ip_tables_net_ops); 2277 unregister_pernet_subsys(&ip_tables_net_ops);
2298} 2278}
2299 2279
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 8815d458de46..f91c94b9a790 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -282,7 +282,7 @@ clusterip_responsible(const struct clusterip_config *config, u_int32_t hash)
282 ***********************************************************************/ 282 ***********************************************************************/
283 283
284static unsigned int 284static unsigned int
285clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par) 285clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
286{ 286{
287 const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo; 287 const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
288 struct nf_conn *ct; 288 struct nf_conn *ct;
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 563049f31aef..4bf3dc49ad1e 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -77,7 +77,7 @@ set_ect_tcp(struct sk_buff *skb, const struct ipt_ECN_info *einfo)
77} 77}
78 78
79static unsigned int 79static unsigned int
80ecn_tg(struct sk_buff *skb, const struct xt_target_param *par) 80ecn_tg(struct sk_buff *skb, const struct xt_action_param *par)
81{ 81{
82 const struct ipt_ECN_info *einfo = par->targinfo; 82 const struct ipt_ECN_info *einfo = par->targinfo;
83 83
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 3bd35f370817..5234f4f3499a 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -425,7 +425,7 @@ ipt_log_packet(u_int8_t pf,
425} 425}
426 426
427static unsigned int 427static unsigned int
428log_tg(struct sk_buff *skb, const struct xt_target_param *par) 428log_tg(struct sk_buff *skb, const struct xt_action_param *par)
429{ 429{
430 const struct ipt_log_info *loginfo = par->targinfo; 430 const struct ipt_log_info *loginfo = par->targinfo;
431 struct nf_loginfo li; 431 struct nf_loginfo li;
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 02b1bc477998..d2ed9dc74ebc 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -44,7 +44,7 @@ static int masquerade_tg_check(const struct xt_tgchk_param *par)
44} 44}
45 45
46static unsigned int 46static unsigned int
47masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par) 47masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
48{ 48{
49 struct nf_conn *ct; 49 struct nf_conn *ct;
50 struct nf_conn_nat *nat; 50 struct nf_conn_nat *nat;
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 708c7f8f7eea..f43867d1697f 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -38,7 +38,7 @@ static int netmap_tg_check(const struct xt_tgchk_param *par)
38} 38}
39 39
40static unsigned int 40static unsigned int
41netmap_tg(struct sk_buff *skb, const struct xt_target_param *par) 41netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
42{ 42{
43 struct nf_conn *ct; 43 struct nf_conn *ct;
44 enum ip_conntrack_info ctinfo; 44 enum ip_conntrack_info ctinfo;
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 3cf101916523..18a0656505a0 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -42,7 +42,7 @@ static int redirect_tg_check(const struct xt_tgchk_param *par)
42} 42}
43 43
44static unsigned int 44static unsigned int
45redirect_tg(struct sk_buff *skb, const struct xt_target_param *par) 45redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
46{ 46{
47 struct nf_conn *ct; 47 struct nf_conn *ct;
48 enum ip_conntrack_info ctinfo; 48 enum ip_conntrack_info ctinfo;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index a86135a28058..f5f4a888e4ec 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -136,7 +136,7 @@ static inline void send_unreach(struct sk_buff *skb_in, int code)
136} 136}
137 137
138static unsigned int 138static unsigned int
139reject_tg(struct sk_buff *skb, const struct xt_target_param *par) 139reject_tg(struct sk_buff *skb, const struct xt_action_param *par)
140{ 140{
141 const struct ipt_reject_info *reject = par->targinfo; 141 const struct ipt_reject_info *reject = par->targinfo;
142 142
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 8f60749e87a3..446e0f467a17 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -276,7 +276,7 @@ alloc_failure:
276} 276}
277 277
278static unsigned int 278static unsigned int
279ulog_tg(struct sk_buff *skb, const struct xt_target_param *par) 279ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
280{ 280{
281 ipt_ulog_packet(par->hooknum, skb, par->in, par->out, 281 ipt_ulog_packet(par->hooknum, skb, par->in, par->out,
282 par->targinfo, NULL); 282 par->targinfo, NULL);
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index e4b8f2bf8aaa..db8bff0fb86d 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -30,7 +30,7 @@ static inline bool match_type(struct net *net, const struct net_device *dev,
30} 30}
31 31
32static bool 32static bool
33addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) 33addrtype_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
34{ 34{
35 struct net *net = dev_net(par->in ? par->in : par->out); 35 struct net *net = dev_net(par->in ? par->in : par->out);
36 const struct ipt_addrtype_info *info = par->matchinfo; 36 const struct ipt_addrtype_info *info = par->matchinfo;
@@ -48,7 +48,7 @@ addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
48} 48}
49 49
50static bool 50static bool
51addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par) 51addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
52{ 52{
53 struct net *net = dev_net(par->in ? par->in : par->out); 53 struct net *net = dev_net(par->in ? par->in : par->out);
54 const struct ipt_addrtype_info_v1 *info = par->matchinfo; 54 const struct ipt_addrtype_info_v1 *info = par->matchinfo;
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 9f9810204892..14a2aa8b8a14 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -30,7 +30,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
30 return r; 30 return r;
31} 31}
32 32
33static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par) 33static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
34{ 34{
35 struct ip_auth_hdr _ahdr; 35 struct ip_auth_hdr _ahdr;
36 const struct ip_auth_hdr *ah; 36 const struct ip_auth_hdr *ah;
@@ -46,7 +46,7 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
46 * can't. Hence, no choice but to drop. 46 * can't. Hence, no choice but to drop.
47 */ 47 */
48 pr_debug("Dropping evil AH tinygram.\n"); 48 pr_debug("Dropping evil AH tinygram.\n");
49 *par->hotdrop = true; 49 par->hotdrop = true;
50 return 0; 50 return 0;
51 } 51 }
52 52
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 32e24100d8d1..af6e9c778345 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -67,7 +67,7 @@ static inline bool match_tcp(const struct sk_buff *skb,
67 return true; 67 return true;
68} 68}
69 69
70static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par) 70static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
71{ 71{
72 const struct ipt_ecn_info *info = par->matchinfo; 72 const struct ipt_ecn_info *info = par->matchinfo;
73 73
@@ -78,7 +78,7 @@ static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
78 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { 78 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
79 if (ip_hdr(skb)->protocol != IPPROTO_TCP) 79 if (ip_hdr(skb)->protocol != IPPROTO_TCP)
80 return false; 80 return false;
81 if (!match_tcp(skb, info, par->hotdrop)) 81 if (!match_tcp(skb, info, &par->hotdrop))
82 return false; 82 return false;
83 } 83 }
84 84
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index b48a0fc3d9ed..98ed78281aee 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -39,7 +39,7 @@ static const struct xt_table nat_table = {
39 39
40/* Source NAT */ 40/* Source NAT */
41static unsigned int 41static unsigned int
42ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par) 42ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
43{ 43{
44 struct nf_conn *ct; 44 struct nf_conn *ct;
45 enum ip_conntrack_info ctinfo; 45 enum ip_conntrack_info ctinfo;
@@ -58,7 +58,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par)
58} 58}
59 59
60static unsigned int 60static unsigned int
61ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par) 61ipt_dnat_target(struct sk_buff *skb, const struct xt_action_param *par)
62{ 62{
63 struct nf_conn *ct; 63 struct nf_conn *ct;
64 enum ip_conntrack_info ctinfo; 64 enum ip_conntrack_info ctinfo;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 7afa11773164..56782336474f 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -197,7 +197,7 @@ ip6_checkentry(const struct ip6t_ip6 *ipv6)
197} 197}
198 198
199static unsigned int 199static unsigned int
200ip6t_error(struct sk_buff *skb, const struct xt_target_param *par) 200ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
201{ 201{
202 if (net_ratelimit()) 202 if (net_ratelimit())
203 pr_info("error: `%s'\n", (const char *)par->targinfo); 203 pr_info("error: `%s'\n", (const char *)par->targinfo);
@@ -205,21 +205,6 @@ ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
205 return NF_DROP; 205 return NF_DROP;
206} 206}
207 207
208/* Performance critical - called for every packet */
209static inline bool
210do_match(const struct ip6t_entry_match *m, const struct sk_buff *skb,
211 struct xt_match_param *par)
212{
213 par->match = m->u.kernel.match;
214 par->matchinfo = m->data;
215
216 /* Stop iteration if it doesn't match */
217 if (!m->u.kernel.match->match(skb, par))
218 return true;
219 else
220 return false;
221}
222
223static inline struct ip6t_entry * 208static inline struct ip6t_entry *
224get_entry(const void *base, unsigned int offset) 209get_entry(const void *base, unsigned int offset)
225{ 210{
@@ -352,7 +337,6 @@ ip6t_do_table(struct sk_buff *skb,
352 struct xt_table *table) 337 struct xt_table *table)
353{ 338{
354 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 339 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
355 bool hotdrop = false;
356 /* Initializing verdict to NF_DROP keeps gcc happy. */ 340 /* Initializing verdict to NF_DROP keeps gcc happy. */
357 unsigned int verdict = NF_DROP; 341 unsigned int verdict = NF_DROP;
358 const char *indev, *outdev; 342 const char *indev, *outdev;
@@ -360,8 +344,7 @@ ip6t_do_table(struct sk_buff *skb,
360 struct ip6t_entry *e, **jumpstack; 344 struct ip6t_entry *e, **jumpstack;
361 unsigned int *stackptr, origptr, cpu; 345 unsigned int *stackptr, origptr, cpu;
362 const struct xt_table_info *private; 346 const struct xt_table_info *private;
363 struct xt_match_param mtpar; 347 struct xt_action_param acpar;
364 struct xt_target_param tgpar;
365 348
366 /* Initialization */ 349 /* Initialization */
367 indev = in ? in->name : nulldevname; 350 indev = in ? in->name : nulldevname;
@@ -372,11 +355,11 @@ ip6t_do_table(struct sk_buff *skb,
372 * things we don't know, ie. tcp syn flag or ports). If the 355 * things we don't know, ie. tcp syn flag or ports). If the
373 * rule is also a fragment-specific rule, non-fragments won't 356 * rule is also a fragment-specific rule, non-fragments won't
374 * match it. */ 357 * match it. */
375 mtpar.hotdrop = &hotdrop; 358 acpar.hotdrop = false;
376 mtpar.in = tgpar.in = in; 359 acpar.in = in;
377 mtpar.out = tgpar.out = out; 360 acpar.out = out;
378 mtpar.family = tgpar.family = NFPROTO_IPV6; 361 acpar.family = NFPROTO_IPV6;
379 mtpar.hooknum = tgpar.hooknum = hook; 362 acpar.hooknum = hook;
380 363
381 IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 364 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
382 365
@@ -396,15 +379,18 @@ ip6t_do_table(struct sk_buff *skb,
396 379
397 IP_NF_ASSERT(e); 380 IP_NF_ASSERT(e);
398 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, 381 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
399 &mtpar.thoff, &mtpar.fragoff, &hotdrop)) { 382 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
400 no_match: 383 no_match:
401 e = ip6t_next_entry(e); 384 e = ip6t_next_entry(e);
402 continue; 385 continue;
403 } 386 }
404 387
405 xt_ematch_foreach(ematch, e) 388 xt_ematch_foreach(ematch, e) {
406 if (do_match(ematch, skb, &mtpar) != 0) 389 acpar.match = ematch->u.kernel.match;
390 acpar.matchinfo = ematch->data;
391 if (!acpar.match->match(skb, &acpar))
407 goto no_match; 392 goto no_match;
393 }
408 394
409 ADD_COUNTER(e->counters, 395 ADD_COUNTER(e->counters,
410 ntohs(ipv6_hdr(skb)->payload_len) + 396 ntohs(ipv6_hdr(skb)->payload_len) +
@@ -451,16 +437,16 @@ ip6t_do_table(struct sk_buff *skb,
451 continue; 437 continue;
452 } 438 }
453 439
454 tgpar.target = t->u.kernel.target; 440 acpar.target = t->u.kernel.target;
455 tgpar.targinfo = t->data; 441 acpar.targinfo = t->data;
456 442
457 verdict = t->u.kernel.target->target(skb, &tgpar); 443 verdict = t->u.kernel.target->target(skb, &acpar);
458 if (verdict == IP6T_CONTINUE) 444 if (verdict == IP6T_CONTINUE)
459 e = ip6t_next_entry(e); 445 e = ip6t_next_entry(e);
460 else 446 else
461 /* Verdict */ 447 /* Verdict */
462 break; 448 break;
463 } while (!hotdrop); 449 } while (!acpar.hotdrop);
464 450
465 xt_info_rdunlock_bh(); 451 xt_info_rdunlock_bh();
466 *stackptr = origptr; 452 *stackptr = origptr;
@@ -468,7 +454,7 @@ ip6t_do_table(struct sk_buff *skb,
468#ifdef DEBUG_ALLOW_ALL 454#ifdef DEBUG_ALLOW_ALL
469 return NF_ACCEPT; 455 return NF_ACCEPT;
470#else 456#else
471 if (hotdrop) 457 if (acpar.hotdrop)
472 return NF_DROP; 458 return NF_DROP;
473 else return verdict; 459 else return verdict;
474#endif 460#endif
@@ -2167,7 +2153,7 @@ icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2167} 2153}
2168 2154
2169static bool 2155static bool
2170icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par) 2156icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
2171{ 2157{
2172 const struct icmp6hdr *ic; 2158 const struct icmp6hdr *ic;
2173 struct icmp6hdr _icmph; 2159 struct icmp6hdr _icmph;
@@ -2183,7 +2169,7 @@ icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
2183 * can't. Hence, no choice but to drop. 2169 * can't. Hence, no choice but to drop.
2184 */ 2170 */
2185 duprintf("Dropping evil ICMP tinygram.\n"); 2171 duprintf("Dropping evil ICMP tinygram.\n");
2186 *par->hotdrop = true; 2172 par->hotdrop = true;
2187 return false; 2173 return false;
2188 } 2174 }
2189 2175
@@ -2204,22 +2190,23 @@ static int icmp6_checkentry(const struct xt_mtchk_param *par)
2204} 2190}
2205 2191
2206/* The built-in targets: standard (NULL) and error. */ 2192/* The built-in targets: standard (NULL) and error. */
2207static struct xt_target ip6t_standard_target __read_mostly = { 2193static struct xt_target ip6t_builtin_tg[] __read_mostly = {
2208 .name = IP6T_STANDARD_TARGET, 2194 {
2209 .targetsize = sizeof(int), 2195 .name = IP6T_STANDARD_TARGET,
2210 .family = NFPROTO_IPV6, 2196 .targetsize = sizeof(int),
2197 .family = NFPROTO_IPV6,
2211#ifdef CONFIG_COMPAT 2198#ifdef CONFIG_COMPAT
2212 .compatsize = sizeof(compat_int_t), 2199 .compatsize = sizeof(compat_int_t),
2213 .compat_from_user = compat_standard_from_user, 2200 .compat_from_user = compat_standard_from_user,
2214 .compat_to_user = compat_standard_to_user, 2201 .compat_to_user = compat_standard_to_user,
2215#endif 2202#endif
2216}; 2203 },
2217 2204 {
2218static struct xt_target ip6t_error_target __read_mostly = { 2205 .name = IP6T_ERROR_TARGET,
2219 .name = IP6T_ERROR_TARGET, 2206 .target = ip6t_error,
2220 .target = ip6t_error, 2207 .targetsize = IP6T_FUNCTION_MAXNAMELEN,
2221 .targetsize = IP6T_FUNCTION_MAXNAMELEN, 2208 .family = NFPROTO_IPV6,
2222 .family = NFPROTO_IPV6, 2209 },
2223}; 2210};
2224 2211
2225static struct nf_sockopt_ops ip6t_sockopts = { 2212static struct nf_sockopt_ops ip6t_sockopts = {
@@ -2239,13 +2226,15 @@ static struct nf_sockopt_ops ip6t_sockopts = {
2239 .owner = THIS_MODULE, 2226 .owner = THIS_MODULE,
2240}; 2227};
2241 2228
2242static struct xt_match icmp6_matchstruct __read_mostly = { 2229static struct xt_match ip6t_builtin_mt[] __read_mostly = {
2243 .name = "icmp6", 2230 {
2244 .match = icmp6_match, 2231 .name = "icmp6",
2245 .matchsize = sizeof(struct ip6t_icmp), 2232 .match = icmp6_match,
2246 .checkentry = icmp6_checkentry, 2233 .matchsize = sizeof(struct ip6t_icmp),
2247 .proto = IPPROTO_ICMPV6, 2234 .checkentry = icmp6_checkentry,
2248 .family = NFPROTO_IPV6, 2235 .proto = IPPROTO_ICMPV6,
2236 .family = NFPROTO_IPV6,
2237 },
2249}; 2238};
2250 2239
2251static int __net_init ip6_tables_net_init(struct net *net) 2240static int __net_init ip6_tables_net_init(struct net *net)
@@ -2272,13 +2261,10 @@ static int __init ip6_tables_init(void)
2272 goto err1; 2261 goto err1;
2273 2262
2274 /* Noone else will be downing sem now, so we won't sleep */ 2263 /* Noone else will be downing sem now, so we won't sleep */
2275 ret = xt_register_target(&ip6t_standard_target); 2264 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2276 if (ret < 0) 2265 if (ret < 0)
2277 goto err2; 2266 goto err2;
2278 ret = xt_register_target(&ip6t_error_target); 2267 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2279 if (ret < 0)
2280 goto err3;
2281 ret = xt_register_match(&icmp6_matchstruct);
2282 if (ret < 0) 2268 if (ret < 0)
2283 goto err4; 2269 goto err4;
2284 2270
@@ -2291,11 +2277,9 @@ static int __init ip6_tables_init(void)
2291 return 0; 2277 return 0;
2292 2278
2293err5: 2279err5:
2294 xt_unregister_match(&icmp6_matchstruct); 2280 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2295err4: 2281err4:
2296 xt_unregister_target(&ip6t_error_target); 2282 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2297err3:
2298 xt_unregister_target(&ip6t_standard_target);
2299err2: 2283err2:
2300 unregister_pernet_subsys(&ip6_tables_net_ops); 2284 unregister_pernet_subsys(&ip6_tables_net_ops);
2301err1: 2285err1:
@@ -2306,10 +2290,8 @@ static void __exit ip6_tables_fini(void)
2306{ 2290{
2307 nf_unregister_sockopt(&ip6t_sockopts); 2291 nf_unregister_sockopt(&ip6t_sockopts);
2308 2292
2309 xt_unregister_match(&icmp6_matchstruct); 2293 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2310 xt_unregister_target(&ip6t_error_target); 2294 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2311 xt_unregister_target(&ip6t_standard_target);
2312
2313 unregister_pernet_subsys(&ip6_tables_net_ops); 2295 unregister_pernet_subsys(&ip6_tables_net_ops);
2314} 2296}
2315 2297
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 1f47a525f484..af4ee11f2066 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -436,7 +436,7 @@ ip6t_log_packet(u_int8_t pf,
436} 436}
437 437
438static unsigned int 438static unsigned int
439log_tg6(struct sk_buff *skb, const struct xt_target_param *par) 439log_tg6(struct sk_buff *skb, const struct xt_action_param *par)
440{ 440{
441 const struct ip6t_log_info *loginfo = par->targinfo; 441 const struct ip6t_log_info *loginfo = par->targinfo;
442 struct nf_loginfo li; 442 struct nf_loginfo li;
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index af1d6494ac39..47d227713758 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -175,7 +175,7 @@ send_unreach(struct net *net, struct sk_buff *skb_in, unsigned char code,
175} 175}
176 176
177static unsigned int 177static unsigned int
178reject_tg6(struct sk_buff *skb, const struct xt_target_param *par) 178reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
179{ 179{
180 const struct ip6t_reject_info *reject = par->targinfo; 180 const struct ip6t_reject_info *reject = par->targinfo;
181 struct net *net = dev_net((par->in != NULL) ? par->in : par->out); 181 struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index 1580693c86c1..89cccc5a9c92 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -36,7 +36,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
36 return r; 36 return r;
37} 37}
38 38
39static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 39static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
40{ 40{
41 struct ip_auth_hdr _ah; 41 struct ip_auth_hdr _ah;
42 const struct ip_auth_hdr *ah; 42 const struct ip_auth_hdr *ah;
@@ -48,13 +48,13 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
48 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL); 48 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
49 if (err < 0) { 49 if (err < 0) {
50 if (err != -ENOENT) 50 if (err != -ENOENT)
51 *par->hotdrop = true; 51 par->hotdrop = true;
52 return false; 52 return false;
53 } 53 }
54 54
55 ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah); 55 ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
56 if (ah == NULL) { 56 if (ah == NULL) {
57 *par->hotdrop = true; 57 par->hotdrop = true;
58 return false; 58 return false;
59 } 59 }
60 60
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index ca287f6d2bce..aab0706908c5 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -20,14 +20,14 @@ MODULE_LICENSE("GPL");
20MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>"); 20MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
21 21
22static bool 22static bool
23eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 23eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
24{ 24{
25 unsigned char eui64[8]; 25 unsigned char eui64[8];
26 26
27 if (!(skb_mac_header(skb) >= skb->head && 27 if (!(skb_mac_header(skb) >= skb->head &&
28 skb_mac_header(skb) + ETH_HLEN <= skb->data) && 28 skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
29 par->fragoff != 0) { 29 par->fragoff != 0) {
30 *par->hotdrop = true; 30 par->hotdrop = true;
31 return false; 31 return false;
32 } 32 }
33 33
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index a5daf0ffb4ec..eda898fda6ca 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -35,7 +35,7 @@ id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
35} 35}
36 36
37static bool 37static bool
38frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 38frag_mt6(const struct sk_buff *skb, struct xt_action_param *par)
39{ 39{
40 struct frag_hdr _frag; 40 struct frag_hdr _frag;
41 const struct frag_hdr *fh; 41 const struct frag_hdr *fh;
@@ -46,13 +46,13 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
46 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL); 46 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
47 if (err < 0) { 47 if (err < 0) {
48 if (err != -ENOENT) 48 if (err != -ENOENT)
49 *par->hotdrop = true; 49 par->hotdrop = true;
50 return false; 50 return false;
51 } 51 }
52 52
53 fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag); 53 fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
54 if (fh == NULL) { 54 if (fh == NULL) {
55 *par->hotdrop = true; 55 par->hotdrop = true;
56 return false; 56 return false;
57 } 57 }
58 58
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index e424e7c8f824..59df051eaef6 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -44,7 +44,7 @@ MODULE_ALIAS("ip6t_dst");
44static struct xt_match hbh_mt6_reg[] __read_mostly; 44static struct xt_match hbh_mt6_reg[] __read_mostly;
45 45
46static bool 46static bool
47hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 47hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
48{ 48{
49 struct ipv6_opt_hdr _optsh; 49 struct ipv6_opt_hdr _optsh;
50 const struct ipv6_opt_hdr *oh; 50 const struct ipv6_opt_hdr *oh;
@@ -65,13 +65,13 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
65 NEXTHDR_HOP : NEXTHDR_DEST, NULL); 65 NEXTHDR_HOP : NEXTHDR_DEST, NULL);
66 if (err < 0) { 66 if (err < 0) {
67 if (err != -ENOENT) 67 if (err != -ENOENT)
68 *par->hotdrop = true; 68 par->hotdrop = true;
69 return false; 69 return false;
70 } 70 }
71 71
72 oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); 72 oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
73 if (oh == NULL) { 73 if (oh == NULL) {
74 *par->hotdrop = true; 74 par->hotdrop = true;
75 return false; 75 return false;
76 } 76 }
77 77
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 46fbabb493fa..54bd9790603f 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -27,7 +27,7 @@ MODULE_DESCRIPTION("Xtables: IPv6 header types match");
27MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>"); 27MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
28 28
29static bool 29static bool
30ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 30ipv6header_mt6(const struct sk_buff *skb, struct xt_action_param *par)
31{ 31{
32 const struct ip6t_ipv6header_info *info = par->matchinfo; 32 const struct ip6t_ipv6header_info *info = par->matchinfo;
33 unsigned int temp; 33 unsigned int temp;
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index c9f443e0138f..0c90c66b1992 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -32,7 +32,7 @@ type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
32 return (type >= min && type <= max) ^ invert; 32 return (type >= min && type <= max) ^ invert;
33} 33}
34 34
35static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 35static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
36{ 36{
37 struct ip6_mh _mh; 37 struct ip6_mh _mh;
38 const struct ip6_mh *mh; 38 const struct ip6_mh *mh;
@@ -47,14 +47,14 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
47 /* We've been asked to examine this packet, and we 47 /* We've been asked to examine this packet, and we
48 can't. Hence, no choice but to drop. */ 48 can't. Hence, no choice but to drop. */
49 pr_debug("Dropping evil MH tinygram.\n"); 49 pr_debug("Dropping evil MH tinygram.\n");
50 *par->hotdrop = true; 50 par->hotdrop = true;
51 return false; 51 return false;
52 } 52 }
53 53
54 if (mh->ip6mh_proto != IPPROTO_NONE) { 54 if (mh->ip6mh_proto != IPPROTO_NONE) {
55 pr_debug("Dropping invalid MH Payload Proto: %u\n", 55 pr_debug("Dropping invalid MH Payload Proto: %u\n",
56 mh->ip6mh_proto); 56 mh->ip6mh_proto);
57 *par->hotdrop = true; 57 par->hotdrop = true;
58 return false; 58 return false;
59 } 59 }
60 60
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 09322720d2a6..d8488c50a8e0 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -36,7 +36,7 @@ segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
36 return r; 36 return r;
37} 37}
38 38
39static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 39static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
40{ 40{
41 struct ipv6_rt_hdr _route; 41 struct ipv6_rt_hdr _route;
42 const struct ipv6_rt_hdr *rh; 42 const struct ipv6_rt_hdr *rh;
@@ -52,13 +52,13 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
52 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL); 52 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
53 if (err < 0) { 53 if (err < 0) {
54 if (err != -ENOENT) 54 if (err != -ENOENT)
55 *par->hotdrop = true; 55 par->hotdrop = true;
56 return false; 56 return false;
57 } 57 }
58 58
59 rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); 59 rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
60 if (rh == NULL) { 60 if (rh == NULL) {
61 *par->hotdrop = true; 61 par->hotdrop = true;
62 return false; 62 return false;
63 } 63 }
64 64
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 011bc80dd2a1..c2c0e4abeb99 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -27,7 +27,7 @@ MODULE_ALIAS("ipt_CLASSIFY");
27MODULE_ALIAS("ip6t_CLASSIFY"); 27MODULE_ALIAS("ip6t_CLASSIFY");
28 28
29static unsigned int 29static unsigned int
30classify_tg(struct sk_buff *skb, const struct xt_target_param *par) 30classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
31{ 31{
32 const struct xt_classify_target_info *clinfo = par->targinfo; 32 const struct xt_classify_target_info *clinfo = par->targinfo;
33 33
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index e953e302141d..e04dc282e3bb 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -64,7 +64,7 @@ static void secmark_restore(struct sk_buff *skb)
64} 64}
65 65
66static unsigned int 66static unsigned int
67connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par) 67connsecmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
68{ 68{
69 const struct xt_connsecmark_target_info *info = par->targinfo; 69 const struct xt_connsecmark_target_info *info = par->targinfo;
70 70
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index c8f547829bad..562bf3266e04 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -20,7 +20,7 @@
20#include <net/netfilter/nf_conntrack_zones.h> 20#include <net/netfilter/nf_conntrack_zones.h>
21 21
22static unsigned int xt_ct_target(struct sk_buff *skb, 22static unsigned int xt_ct_target(struct sk_buff *skb,
23 const struct xt_target_param *par) 23 const struct xt_action_param *par)
24{ 24{
25 const struct xt_ct_target_info *info = par->targinfo; 25 const struct xt_ct_target_info *info = par->targinfo;
26 struct nf_conn *ct = info->ct; 26 struct nf_conn *ct = info->ct;
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 969634f293e5..0a229191e55b 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -28,7 +28,7 @@ MODULE_ALIAS("ipt_TOS");
28MODULE_ALIAS("ip6t_TOS"); 28MODULE_ALIAS("ip6t_TOS");
29 29
30static unsigned int 30static unsigned int
31dscp_tg(struct sk_buff *skb, const struct xt_target_param *par) 31dscp_tg(struct sk_buff *skb, const struct xt_action_param *par)
32{ 32{
33 const struct xt_DSCP_info *dinfo = par->targinfo; 33 const struct xt_DSCP_info *dinfo = par->targinfo;
34 u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; 34 u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -45,7 +45,7 @@ dscp_tg(struct sk_buff *skb, const struct xt_target_param *par)
45} 45}
46 46
47static unsigned int 47static unsigned int
48dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par) 48dscp_tg6(struct sk_buff *skb, const struct xt_action_param *par)
49{ 49{
50 const struct xt_DSCP_info *dinfo = par->targinfo; 50 const struct xt_DSCP_info *dinfo = par->targinfo;
51 u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; 51 u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -72,7 +72,7 @@ static int dscp_tg_check(const struct xt_tgchk_param *par)
72} 72}
73 73
74static unsigned int 74static unsigned int
75tos_tg(struct sk_buff *skb, const struct xt_target_param *par) 75tos_tg(struct sk_buff *skb, const struct xt_action_param *par)
76{ 76{
77 const struct xt_tos_target_info *info = par->targinfo; 77 const struct xt_tos_target_info *info = par->targinfo;
78 struct iphdr *iph = ip_hdr(skb); 78 struct iphdr *iph = ip_hdr(skb);
@@ -92,7 +92,7 @@ tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
92} 92}
93 93
94static unsigned int 94static unsigned int
95tos_tg6(struct sk_buff *skb, const struct xt_target_param *par) 95tos_tg6(struct sk_buff *skb, const struct xt_action_param *par)
96{ 96{
97 const struct xt_tos_target_info *info = par->targinfo; 97 const struct xt_tos_target_info *info = par->targinfo;
98 struct ipv6hdr *iph = ipv6_hdr(skb); 98 struct ipv6hdr *iph = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 77b99f732711..95b084800fcc 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("Xtables: Hoplimit/TTL Limit field modification target");
26MODULE_LICENSE("GPL"); 26MODULE_LICENSE("GPL");
27 27
28static unsigned int 28static unsigned int
29ttl_tg(struct sk_buff *skb, const struct xt_target_param *par) 29ttl_tg(struct sk_buff *skb, const struct xt_action_param *par)
30{ 30{
31 struct iphdr *iph; 31 struct iphdr *iph;
32 const struct ipt_TTL_info *info = par->targinfo; 32 const struct ipt_TTL_info *info = par->targinfo;
@@ -66,7 +66,7 @@ ttl_tg(struct sk_buff *skb, const struct xt_target_param *par)
66} 66}
67 67
68static unsigned int 68static unsigned int
69hl_tg6(struct sk_buff *skb, const struct xt_target_param *par) 69hl_tg6(struct sk_buff *skb, const struct xt_action_param *par)
70{ 70{
71 struct ipv6hdr *ip6h; 71 struct ipv6hdr *ip6h;
72 const struct ip6t_HL_info *info = par->targinfo; 72 const struct ip6t_HL_info *info = par->targinfo;
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index ab6f8ff9c9a7..a4140509eea1 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -49,7 +49,7 @@ struct xt_led_info_internal {
49}; 49};
50 50
51static unsigned int 51static unsigned int
52led_tg(struct sk_buff *skb, const struct xt_target_param *par) 52led_tg(struct sk_buff *skb, const struct xt_action_param *par)
53{ 53{
54 const struct xt_led_info *ledinfo = par->targinfo; 54 const struct xt_led_info *ledinfo = par->targinfo;
55 struct xt_led_info_internal *ledinternal = ledinfo->internal_data; 55 struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index 42dd8747b421..a17dd0f589b2 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ipt_NFLOG");
22MODULE_ALIAS("ip6t_NFLOG"); 22MODULE_ALIAS("ip6t_NFLOG");
23 23
24static unsigned int 24static unsigned int
25nflog_tg(struct sk_buff *skb, const struct xt_target_param *par) 25nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
26{ 26{
27 const struct xt_nflog_info *info = par->targinfo; 27 const struct xt_nflog_info *info = par->targinfo;
28 struct nf_loginfo li; 28 struct nf_loginfo li;
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index f9217cb56fe3..039cce1bde3d 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -31,7 +31,7 @@ static u32 jhash_initval __read_mostly;
31static bool rnd_inited __read_mostly; 31static bool rnd_inited __read_mostly;
32 32
33static unsigned int 33static unsigned int
34nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par) 34nfqueue_tg(struct sk_buff *skb, const struct xt_action_param *par)
35{ 35{
36 const struct xt_NFQ_info *tinfo = par->targinfo; 36 const struct xt_NFQ_info *tinfo = par->targinfo;
37 37
@@ -65,7 +65,7 @@ static u32 hash_v6(const struct sk_buff *skb)
65#endif 65#endif
66 66
67static unsigned int 67static unsigned int
68nfqueue_tg_v1(struct sk_buff *skb, const struct xt_target_param *par) 68nfqueue_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
69{ 69{
70 const struct xt_NFQ_info_v1 *info = par->targinfo; 70 const struct xt_NFQ_info_v1 *info = par->targinfo;
71 u32 queue = info->queuenum; 71 u32 queue = info->queuenum;
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index e7a0a54fd4ea..512b9123252f 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -13,7 +13,7 @@ MODULE_ALIAS("ipt_NOTRACK");
13MODULE_ALIAS("ip6t_NOTRACK"); 13MODULE_ALIAS("ip6t_NOTRACK");
14 14
15static unsigned int 15static unsigned int
16notrack_tg(struct sk_buff *skb, const struct xt_target_param *par) 16notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
17{ 17{
18 /* Previously seen (loopback)? Ignore. */ 18 /* Previously seen (loopback)? Ignore. */
19 if (skb->nfct != NULL) 19 if (skb->nfct != NULL)
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index a02193f06e39..69c01e10f8af 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -73,7 +73,7 @@ void xt_rateest_put(struct xt_rateest *est)
73EXPORT_SYMBOL_GPL(xt_rateest_put); 73EXPORT_SYMBOL_GPL(xt_rateest_put);
74 74
75static unsigned int 75static unsigned int
76xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par) 76xt_rateest_tg(struct sk_buff *skb, const struct xt_action_param *par)
77{ 77{
78 const struct xt_rateest_target_info *info = par->targinfo; 78 const struct xt_rateest_target_info *info = par->targinfo;
79 struct gnet_stats_basic_packed *stats = &info->est->bstats; 79 struct gnet_stats_basic_packed *stats = &info->est->bstats;
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index a91d4a7d5a2c..23b2d6c486b5 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -30,7 +30,7 @@ MODULE_ALIAS("ip6t_SECMARK");
30static u8 mode; 30static u8 mode;
31 31
32static unsigned int 32static unsigned int
33secmark_tg(struct sk_buff *skb, const struct xt_target_param *par) 33secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
34{ 34{
35 u32 secmark = 0; 35 u32 secmark = 0;
36 const struct xt_secmark_target_info *info = par->targinfo; 36 const struct xt_secmark_target_info *info = par->targinfo;
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index d04606459c9d..62ec021fbd50 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -172,7 +172,7 @@ static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
172} 172}
173 173
174static unsigned int 174static unsigned int
175tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par) 175tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
176{ 176{
177 struct iphdr *iph = ip_hdr(skb); 177 struct iphdr *iph = ip_hdr(skb);
178 __be16 newlen; 178 __be16 newlen;
@@ -195,7 +195,7 @@ tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par)
195 195
196#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) 196#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
197static unsigned int 197static unsigned int
198tcpmss_tg6(struct sk_buff *skb, const struct xt_target_param *par) 198tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
199{ 199{
200 struct ipv6hdr *ipv6h = ipv6_hdr(skb); 200 struct ipv6hdr *ipv6h = ipv6_hdr(skb);
201 u8 nexthdr; 201 u8 nexthdr;
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index e8b57609ddc0..9dc9ecfdd546 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -74,7 +74,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
74} 74}
75 75
76static unsigned int 76static unsigned int
77tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par) 77tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
78{ 78{
79 return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb), 79 return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
80 sizeof(struct iphdr) + sizeof(struct tcphdr)); 80 sizeof(struct iphdr) + sizeof(struct tcphdr));
@@ -82,7 +82,7 @@ tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par)
82 82
83#if defined(CONFIG_IP6_NF_MANGLE) || defined(CONFIG_IP6_NF_MANGLE_MODULE) 83#if defined(CONFIG_IP6_NF_MANGLE) || defined(CONFIG_IP6_NF_MANGLE_MODULE)
84static unsigned int 84static unsigned int
85tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_target_param *par) 85tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
86{ 86{
87 struct ipv6hdr *ipv6h = ipv6_hdr(skb); 87 struct ipv6hdr *ipv6h = ipv6_hdr(skb);
88 int tcphoff; 88 int tcphoff;
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index 49da6c05f4e0..d7920d9f49e9 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -84,7 +84,7 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
84} 84}
85 85
86static unsigned int 86static unsigned int
87tee_tg4(struct sk_buff *skb, const struct xt_target_param *par) 87tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
88{ 88{
89 const struct xt_tee_tginfo *info = par->targinfo; 89 const struct xt_tee_tginfo *info = par->targinfo;
90 struct iphdr *iph; 90 struct iphdr *iph;
@@ -165,7 +165,7 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
165} 165}
166 166
167static unsigned int 167static unsigned int
168tee_tg6(struct sk_buff *skb, const struct xt_target_param *par) 168tee_tg6(struct sk_buff *skb, const struct xt_action_param *par)
169{ 169{
170 const struct xt_tee_tginfo *info = par->targinfo; 170 const struct xt_tee_tginfo *info = par->targinfo;
171 171
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 4f246ddc5c48..e1a0dedac258 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -25,7 +25,7 @@
25#include <net/netfilter/nf_tproxy_core.h> 25#include <net/netfilter/nf_tproxy_core.h>
26 26
27static unsigned int 27static unsigned int
28tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par) 28tproxy_tg(struct sk_buff *skb, const struct xt_action_param *par)
29{ 29{
30 const struct iphdr *iph = ip_hdr(skb); 30 const struct iphdr *iph = ip_hdr(skb);
31 const struct xt_tproxy_target_info *tgi = par->targinfo; 31 const struct xt_tproxy_target_info *tgi = par->targinfo;
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index fbb04b86c46b..df48967af382 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -11,7 +11,7 @@ MODULE_ALIAS("ipt_TRACE");
11MODULE_ALIAS("ip6t_TRACE"); 11MODULE_ALIAS("ip6t_TRACE");
12 12
13static unsigned int 13static unsigned int
14trace_tg(struct sk_buff *skb, const struct xt_target_param *par) 14trace_tg(struct sk_buff *skb, const struct xt_action_param *par)
15{ 15{
16 skb->nf_trace = 1; 16 skb->nf_trace = 1;
17 return XT_CONTINUE; 17 return XT_CONTINUE;
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 6c941e1c6b9e..30b95a1c1c89 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -86,7 +86,7 @@ xt_cluster_is_multicast_addr(const struct sk_buff *skb, u_int8_t family)
86} 86}
87 87
88static bool 88static bool
89xt_cluster_mt(const struct sk_buff *skb, const struct xt_match_param *par) 89xt_cluster_mt(const struct sk_buff *skb, struct xt_action_param *par)
90{ 90{
91 struct sk_buff *pskb = (struct sk_buff *)skb; 91 struct sk_buff *pskb = (struct sk_buff *)skb;
92 const struct xt_cluster_match_info *info = par->matchinfo; 92 const struct xt_cluster_match_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index e82179832acd..5c861d2f21ca 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -16,7 +16,7 @@ MODULE_ALIAS("ipt_comment");
16MODULE_ALIAS("ip6t_comment"); 16MODULE_ALIAS("ip6t_comment");
17 17
18static bool 18static bool
19comment_mt(const struct sk_buff *skb, const struct xt_match_param *par) 19comment_mt(const struct sk_buff *skb, struct xt_action_param *par)
20{ 20{
21 /* We always match */ 21 /* We always match */
22 return true; 22 return true;
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index ff738a5f963a..73517835303d 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -18,7 +18,7 @@ MODULE_ALIAS("ipt_connbytes");
18MODULE_ALIAS("ip6t_connbytes"); 18MODULE_ALIAS("ip6t_connbytes");
19 19
20static bool 20static bool
21connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par) 21connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
22{ 22{
23 const struct xt_connbytes_info *sinfo = par->matchinfo; 23 const struct xt_connbytes_info *sinfo = par->matchinfo;
24 const struct nf_conn *ct; 24 const struct nf_conn *ct;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 326bc1b81681..5c5b6b921b84 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -173,7 +173,7 @@ static int count_them(struct net *net,
173} 173}
174 174
175static bool 175static bool
176connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) 176connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
177{ 177{
178 struct net *net = dev_net(par->in ? par->in : par->out); 178 struct net *net = dev_net(par->in ? par->in : par->out);
179 const struct xt_connlimit_info *info = par->matchinfo; 179 const struct xt_connlimit_info *info = par->matchinfo;
@@ -206,14 +206,14 @@ connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
206 206
207 if (connections < 0) { 207 if (connections < 0) {
208 /* kmalloc failed, drop it entirely */ 208 /* kmalloc failed, drop it entirely */
209 *par->hotdrop = true; 209 par->hotdrop = true;
210 return false; 210 return false;
211 } 211 }
212 212
213 return (connections > info->limit) ^ info->inverse; 213 return (connections > info->limit) ^ info->inverse;
214 214
215 hotdrop: 215 hotdrop:
216 *par->hotdrop = true; 216 par->hotdrop = true;
217 return false; 217 return false;
218} 218}
219 219
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index ae1015484ae2..7278145e6a68 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -37,7 +37,7 @@ MODULE_ALIAS("ipt_connmark");
37MODULE_ALIAS("ip6t_connmark"); 37MODULE_ALIAS("ip6t_connmark");
38 38
39static unsigned int 39static unsigned int
40connmark_tg(struct sk_buff *skb, const struct xt_target_param *par) 40connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
41{ 41{
42 const struct xt_connmark_tginfo1 *info = par->targinfo; 42 const struct xt_connmark_tginfo1 *info = par->targinfo;
43 enum ip_conntrack_info ctinfo; 43 enum ip_conntrack_info ctinfo;
@@ -91,7 +91,7 @@ static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
91} 91}
92 92
93static bool 93static bool
94connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par) 94connmark_mt(const struct sk_buff *skb, struct xt_action_param *par)
95{ 95{
96 const struct xt_connmark_mtinfo1 *info = par->matchinfo; 96 const struct xt_connmark_mtinfo1 *info = par->matchinfo;
97 enum ip_conntrack_info ctinfo; 97 enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 3348706ce56d..39681f10291c 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -113,7 +113,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
113} 113}
114 114
115static bool 115static bool
116conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par, 116conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par,
117 u16 state_mask, u16 status_mask) 117 u16 state_mask, u16 status_mask)
118{ 118{
119 const struct xt_conntrack_mtinfo2 *info = par->matchinfo; 119 const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
@@ -191,7 +191,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
191} 191}
192 192
193static bool 193static bool
194conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par) 194conntrack_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
195{ 195{
196 const struct xt_conntrack_mtinfo1 *info = par->matchinfo; 196 const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
197 197
@@ -199,7 +199,7 @@ conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
199} 199}
200 200
201static bool 201static bool
202conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par) 202conntrack_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
203{ 203{
204 const struct xt_conntrack_mtinfo2 *info = par->matchinfo; 204 const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
205 205
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 0d260aec487f..b63d2a3d80ba 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -96,7 +96,7 @@ match_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff,
96} 96}
97 97
98static bool 98static bool
99dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 99dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
100{ 100{
101 const struct xt_dccp_info *info = par->matchinfo; 101 const struct xt_dccp_info *info = par->matchinfo;
102 const struct dccp_hdr *dh; 102 const struct dccp_hdr *dh;
@@ -107,7 +107,7 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
107 107
108 dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh); 108 dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
109 if (dh == NULL) { 109 if (dh == NULL) {
110 *par->hotdrop = true; 110 par->hotdrop = true;
111 return false; 111 return false;
112 } 112 }
113 113
@@ -120,7 +120,7 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
120 && DCCHECK(match_types(dh, info->typemask), 120 && DCCHECK(match_types(dh, info->typemask),
121 XT_DCCP_TYPE, info->flags, info->invflags) 121 XT_DCCP_TYPE, info->flags, info->invflags)
122 && DCCHECK(match_option(info->option, skb, par->thoff, dh, 122 && DCCHECK(match_option(info->option, skb, par->thoff, dh,
123 par->hotdrop), 123 &par->hotdrop),
124 XT_DCCP_OPTION, info->flags, info->invflags); 124 XT_DCCP_OPTION, info->flags, info->invflags);
125} 125}
126 126
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 9db51fddbdb8..64670fc5d0e1 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tos");
25MODULE_ALIAS("ip6t_tos"); 25MODULE_ALIAS("ip6t_tos");
26 26
27static bool 27static bool
28dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28dscp_mt(const struct sk_buff *skb, struct xt_action_param *par)
29{ 29{
30 const struct xt_dscp_info *info = par->matchinfo; 30 const struct xt_dscp_info *info = par->matchinfo;
31 u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; 31 u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -34,7 +34,7 @@ dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
34} 34}
35 35
36static bool 36static bool
37dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 37dscp_mt6(const struct sk_buff *skb, struct xt_action_param *par)
38{ 38{
39 const struct xt_dscp_info *info = par->matchinfo; 39 const struct xt_dscp_info *info = par->matchinfo;
40 u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; 40 u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -54,7 +54,7 @@ static int dscp_mt_check(const struct xt_mtchk_param *par)
54 return 0; 54 return 0;
55} 55}
56 56
57static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par) 57static bool tos_mt(const struct sk_buff *skb, struct xt_action_param *par)
58{ 58{
59 const struct xt_tos_match_info *info = par->matchinfo; 59 const struct xt_tos_match_info *info = par->matchinfo;
60 60
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 143bfdc8e38f..171ba82b5902 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -36,7 +36,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
36 return r; 36 return r;
37} 37}
38 38
39static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 39static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
40{ 40{
41 const struct ip_esp_hdr *eh; 41 const struct ip_esp_hdr *eh;
42 struct ip_esp_hdr _esp; 42 struct ip_esp_hdr _esp;
@@ -52,7 +52,7 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
52 * can't. Hence, no choice but to drop. 52 * can't. Hence, no choice but to drop.
53 */ 53 */
54 pr_debug("Dropping evil ESP tinygram.\n"); 54 pr_debug("Dropping evil ESP tinygram.\n");
55 *par->hotdrop = true; 55 par->hotdrop = true;
56 return false; 56 return false;
57 } 57 }
58 58
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 0c366d387c8c..b46a8390896d 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -516,7 +516,7 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
516} 516}
517 517
518static bool 518static bool
519hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) 519hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
520{ 520{
521 const struct xt_hashlimit_mtinfo1 *info = par->matchinfo; 521 const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
522 struct xt_hashlimit_htable *hinfo = info->hinfo; 522 struct xt_hashlimit_htable *hinfo = info->hinfo;
@@ -562,7 +562,7 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
562 return info->cfg.mode & XT_HASHLIMIT_INVERT; 562 return info->cfg.mode & XT_HASHLIMIT_INVERT;
563 563
564 hotdrop: 564 hotdrop:
565 *par->hotdrop = true; 565 par->hotdrop = true;
566 return false; 566 return false;
567} 567}
568 568
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index b8b3e13dc71e..9f4ab00c8050 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -24,7 +24,7 @@ MODULE_ALIAS("ip6t_helper");
24 24
25 25
26static bool 26static bool
27helper_mt(const struct sk_buff *skb, const struct xt_match_param *par) 27helper_mt(const struct sk_buff *skb, struct xt_action_param *par)
28{ 28{
29 const struct xt_helper_info *info = par->matchinfo; 29 const struct xt_helper_info *info = par->matchinfo;
30 const struct nf_conn *ct; 30 const struct nf_conn *ct;
diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c
index be53f7299623..7d12221ead89 100644
--- a/net/netfilter/xt_hl.c
+++ b/net/netfilter/xt_hl.c
@@ -25,7 +25,7 @@ MODULE_LICENSE("GPL");
25MODULE_ALIAS("ipt_ttl"); 25MODULE_ALIAS("ipt_ttl");
26MODULE_ALIAS("ip6t_hl"); 26MODULE_ALIAS("ip6t_hl");
27 27
28static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
29{ 29{
30 const struct ipt_ttl_info *info = par->matchinfo; 30 const struct ipt_ttl_info *info = par->matchinfo;
31 const u8 ttl = ip_hdr(skb)->ttl; 31 const u8 ttl = ip_hdr(skb)->ttl;
@@ -44,7 +44,7 @@ static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
44 return false; 44 return false;
45} 45}
46 46
47static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 47static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
48{ 48{
49 const struct ip6t_hl_info *info = par->matchinfo; 49 const struct ip6t_hl_info *info = par->matchinfo;
50 const struct ipv6hdr *ip6h = ipv6_hdr(skb); 50 const struct ipv6hdr *ip6h = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index 8471d9715bde..88f7c3511c72 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -17,7 +17,7 @@
17#include <linux/netfilter/xt_iprange.h> 17#include <linux/netfilter/xt_iprange.h>
18 18
19static bool 19static bool
20iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par) 20iprange_mt4(const struct sk_buff *skb, struct xt_action_param *par)
21{ 21{
22 const struct xt_iprange_mtinfo *info = par->matchinfo; 22 const struct xt_iprange_mtinfo *info = par->matchinfo;
23 const struct iphdr *iph = ip_hdr(skb); 23 const struct iphdr *iph = ip_hdr(skb);
@@ -68,7 +68,7 @@ iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
68} 68}
69 69
70static bool 70static bool
71iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 71iprange_mt6(const struct sk_buff *skb, struct xt_action_param *par)
72{ 72{
73 const struct xt_iprange_mtinfo *info = par->matchinfo; 73 const struct xt_iprange_mtinfo *info = par->matchinfo;
74 const struct ipv6hdr *iph = ipv6_hdr(skb); 74 const struct ipv6hdr *iph = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index c4871ca6c86d..176e5570a999 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_length");
21MODULE_ALIAS("ip6t_length"); 21MODULE_ALIAS("ip6t_length");
22 22
23static bool 23static bool
24length_mt(const struct sk_buff *skb, const struct xt_match_param *par) 24length_mt(const struct sk_buff *skb, struct xt_action_param *par)
25{ 25{
26 const struct xt_length_info *info = par->matchinfo; 26 const struct xt_length_info *info = par->matchinfo;
27 u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len); 27 u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
@@ -30,7 +30,7 @@ length_mt(const struct sk_buff *skb, const struct xt_match_param *par)
30} 30}
31 31
32static bool 32static bool
33length_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 33length_mt6(const struct sk_buff *skb, struct xt_action_param *par)
34{ 34{
35 const struct xt_length_info *info = par->matchinfo; 35 const struct xt_length_info *info = par->matchinfo;
36 const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) + 36 const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 88215dca19cb..32b7a579a032 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -65,7 +65,7 @@ static DEFINE_SPINLOCK(limit_lock);
65#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ) 65#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
66 66
67static bool 67static bool
68limit_mt(const struct sk_buff *skb, const struct xt_match_param *par) 68limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
69{ 69{
70 const struct xt_rateinfo *r = par->matchinfo; 70 const struct xt_rateinfo *r = par->matchinfo;
71 struct xt_limit_priv *priv = r->master; 71 struct xt_limit_priv *priv = r->master;
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index b971ce93773e..8160f6b1435d 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -25,7 +25,7 @@ MODULE_DESCRIPTION("Xtables: MAC address match");
25MODULE_ALIAS("ipt_mac"); 25MODULE_ALIAS("ipt_mac");
26MODULE_ALIAS("ip6t_mac"); 26MODULE_ALIAS("ip6t_mac");
27 27
28static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par)
29{ 29{
30 const struct xt_mac_info *info = par->matchinfo; 30 const struct xt_mac_info *info = par->matchinfo;
31 bool ret; 31 bool ret;
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 035c468a0040..23345238711b 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_MARK");
25MODULE_ALIAS("ip6t_MARK"); 25MODULE_ALIAS("ip6t_MARK");
26 26
27static unsigned int 27static unsigned int
28mark_tg(struct sk_buff *skb, const struct xt_target_param *par) 28mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
29{ 29{
30 const struct xt_mark_tginfo2 *info = par->targinfo; 30 const struct xt_mark_tginfo2 *info = par->targinfo;
31 31
@@ -34,7 +34,7 @@ mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
34} 34}
35 35
36static bool 36static bool
37mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) 37mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
38{ 38{
39 const struct xt_mark_mtinfo1 *info = par->matchinfo; 39 const struct xt_mark_mtinfo1 *info = par->matchinfo;
40 40
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 83b77ceb264f..ac1d3c3d09e7 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -72,7 +72,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
72} 72}
73 73
74static bool 74static bool
75multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par) 75multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
76{ 76{
77 const __be16 *pptr; 77 const __be16 *pptr;
78 __be16 _ports[2]; 78 __be16 _ports[2];
@@ -87,7 +87,7 @@ multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
87 * can't. Hence, no choice but to drop. 87 * can't. Hence, no choice but to drop.
88 */ 88 */
89 pr_debug("Dropping evil offset=0 tinygram.\n"); 89 pr_debug("Dropping evil offset=0 tinygram.\n");
90 *par->hotdrop = true; 90 par->hotdrop = true;
91 return false; 91 return false;
92 } 92 }
93 93
@@ -117,7 +117,7 @@ static int multiport_mt_check(const struct xt_mtchk_param *par)
117 const struct xt_multiport_v1 *multiinfo = par->matchinfo; 117 const struct xt_multiport_v1 *multiinfo = par->matchinfo;
118 118
119 return check(ip->proto, ip->invflags, multiinfo->flags, 119 return check(ip->proto, ip->invflags, multiinfo->flags,
120 multiinfo->count); 120 multiinfo->count) ? 0 : -EINVAL;
121} 121}
122 122
123static int multiport_mt6_check(const struct xt_mtchk_param *par) 123static int multiport_mt6_check(const struct xt_mtchk_param *par)
@@ -126,7 +126,7 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par)
126 const struct xt_multiport_v1 *multiinfo = par->matchinfo; 126 const struct xt_multiport_v1 *multiinfo = par->matchinfo;
127 127
128 return check(ip->proto, ip->invflags, multiinfo->flags, 128 return check(ip->proto, ip->invflags, multiinfo->flags,
129 multiinfo->count); 129 multiinfo->count) ? 0 : -EINVAL;
130} 130}
131 131
132static struct xt_match multiport_mt_reg[] __read_mostly = { 132static struct xt_match multiport_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index 8dcde13a0781..4327e101c047 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -193,8 +193,8 @@ static inline int xt_osf_ttl(const struct sk_buff *skb, const struct xt_osf_info
193 return ip->ttl == f_ttl; 193 return ip->ttl == f_ttl;
194} 194}
195 195
196static bool xt_osf_match_packet(const struct sk_buff *skb, 196static bool
197 const struct xt_match_param *p) 197xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)
198{ 198{
199 const struct xt_osf_info *info = p->matchinfo; 199 const struct xt_osf_info *info = p->matchinfo;
200 const struct iphdr *ip = ip_hdr(skb); 200 const struct iphdr *ip = ip_hdr(skb);
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index d24c76dffee2..772d7389b337 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -18,7 +18,7 @@
18#include <linux/netfilter/xt_owner.h> 18#include <linux/netfilter/xt_owner.h>
19 19
20static bool 20static bool
21owner_mt(const struct sk_buff *skb, const struct xt_match_param *par) 21owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
22{ 22{
23 const struct xt_owner_match_info *info = par->matchinfo; 23 const struct xt_owner_match_info *info = par->matchinfo;
24 const struct file *filp; 24 const struct file *filp;
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index d0bdf3dd4d25..d7ca16b8b8df 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ip6t_physdev");
22 22
23 23
24static bool 24static bool
25physdev_mt(const struct sk_buff *skb, const struct xt_match_param *par) 25physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
26{ 26{
27 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 27 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
28 const struct xt_physdev_info *info = par->matchinfo; 28 const struct xt_physdev_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 69da1d3a1d85..5b645cb598fc 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_pkttype");
23MODULE_ALIAS("ip6t_pkttype"); 23MODULE_ALIAS("ip6t_pkttype");
24 24
25static bool 25static bool
26pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par) 26pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
27{ 27{
28 const struct xt_pkttype_info *info = par->matchinfo; 28 const struct xt_pkttype_info *info = par->matchinfo;
29 u_int8_t type; 29 u_int8_t type;
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 1fa239c1fb93..f23e97bb42d7 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -110,7 +110,7 @@ match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
110} 110}
111 111
112static bool 112static bool
113policy_mt(const struct sk_buff *skb, const struct xt_match_param *par) 113policy_mt(const struct sk_buff *skb, struct xt_action_param *par)
114{ 114{
115 const struct xt_policy_info *info = par->matchinfo; 115 const struct xt_policy_info *info = par->matchinfo;
116 int ret; 116 int ret;
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 7c95d69f6f06..b4f7dfea5980 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ip6t_quota");
23static DEFINE_SPINLOCK(quota_lock); 23static DEFINE_SPINLOCK(quota_lock);
24 24
25static bool 25static bool
26quota_mt(const struct sk_buff *skb, const struct xt_match_param *par) 26quota_mt(const struct sk_buff *skb, struct xt_action_param *par)
27{ 27{
28 struct xt_quota_info *q = (void *)par->matchinfo; 28 struct xt_quota_info *q = (void *)par->matchinfo;
29 struct xt_quota_priv *priv = q->master; 29 struct xt_quota_priv *priv = q->master;
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 23805f8a444b..76a083184d8e 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -15,7 +15,7 @@
15 15
16 16
17static bool 17static bool
18xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par) 18xt_rateest_mt(const struct sk_buff *skb, struct xt_action_param *par)
19{ 19{
20 const struct xt_rateest_match_info *info = par->matchinfo; 20 const struct xt_rateest_match_info *info = par->matchinfo;
21 struct gnet_stats_rate_est *r; 21 struct gnet_stats_rate_est *r;
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 484d1689bfde..459a7b256eb2 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -22,7 +22,7 @@ MODULE_DESCRIPTION("Xtables: Routing realm match");
22MODULE_ALIAS("ipt_realm"); 22MODULE_ALIAS("ipt_realm");
23 23
24static bool 24static bool
25realm_mt(const struct sk_buff *skb, const struct xt_match_param *par) 25realm_mt(const struct sk_buff *skb, struct xt_action_param *par)
26{ 26{
27 const struct xt_realm_info *info = par->matchinfo; 27 const struct xt_realm_info *info = par->matchinfo;
28 const struct dst_entry *dst = skb_dst(skb); 28 const struct dst_entry *dst = skb_dst(skb);
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index b88d63b9c76a..76aec6a44762 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -224,7 +224,7 @@ static void recent_table_flush(struct recent_table *t)
224} 224}
225 225
226static bool 226static bool
227recent_mt(const struct sk_buff *skb, const struct xt_match_param *par) 227recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
228{ 228{
229 struct net *net = dev_net(par->in ? par->in : par->out); 229 struct net *net = dev_net(par->in ? par->in : par->out);
230 struct recent_net *recent_net = recent_pernet(net); 230 struct recent_net *recent_net = recent_pernet(net);
@@ -268,7 +268,7 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
268 goto out; 268 goto out;
269 e = recent_entry_init(t, &addr, par->family, ttl); 269 e = recent_entry_init(t, &addr, par->family, ttl);
270 if (e == NULL) 270 if (e == NULL)
271 *par->hotdrop = true; 271 par->hotdrop = true;
272 ret = !ret; 272 ret = !ret;
273 goto out; 273 goto out;
274 } 274 }
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index c3694df54672..c04fcf385c59 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -114,7 +114,7 @@ match_packet(const struct sk_buff *skb,
114} 114}
115 115
116static bool 116static bool
117sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 117sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
118{ 118{
119 const struct xt_sctp_info *info = par->matchinfo; 119 const struct xt_sctp_info *info = par->matchinfo;
120 const sctp_sctphdr_t *sh; 120 const sctp_sctphdr_t *sh;
@@ -128,7 +128,7 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
128 sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh); 128 sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
129 if (sh == NULL) { 129 if (sh == NULL) {
130 pr_debug("Dropping evil TCP offset=0 tinygram.\n"); 130 pr_debug("Dropping evil TCP offset=0 tinygram.\n");
131 *par->hotdrop = true; 131 par->hotdrop = true;
132 return false; 132 return false;
133 } 133 }
134 pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); 134 pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
@@ -140,7 +140,7 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
140 && ntohs(sh->dest) <= info->dpts[1], 140 && ntohs(sh->dest) <= info->dpts[1],
141 XT_SCTP_DEST_PORTS, info->flags, info->invflags) 141 XT_SCTP_DEST_PORTS, info->flags, info->invflags)
142 && SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t), 142 && SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
143 info, par->hotdrop), 143 info, &par->hotdrop),
144 XT_SCTP_CHUNK_TYPES, info->flags, info->invflags); 144 XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
145} 145}
146 146
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index a9b16867e1f7..3d54c236a1ba 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -88,7 +88,7 @@ extract_icmp_fields(const struct sk_buff *skb,
88 88
89 89
90static bool 90static bool
91socket_match(const struct sk_buff *skb, const struct xt_match_param *par, 91socket_match(const struct sk_buff *skb, struct xt_action_param *par,
92 const struct xt_socket_mtinfo1 *info) 92 const struct xt_socket_mtinfo1 *info)
93{ 93{
94 const struct iphdr *iph = ip_hdr(skb); 94 const struct iphdr *iph = ip_hdr(skb);
@@ -174,13 +174,13 @@ socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
174} 174}
175 175
176static bool 176static bool
177socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) 177socket_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
178{ 178{
179 return socket_match(skb, par, NULL); 179 return socket_match(skb, par, NULL);
180} 180}
181 181
182static bool 182static bool
183socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par) 183socket_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
184{ 184{
185 return socket_match(skb, par, par->matchinfo); 185 return socket_match(skb, par, par->matchinfo);
186} 186}
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index bb1271852d50..e12e053d3782 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_state");
21MODULE_ALIAS("ip6t_state"); 21MODULE_ALIAS("ip6t_state");
22 22
23static bool 23static bool
24state_mt(const struct sk_buff *skb, const struct xt_match_param *par) 24state_mt(const struct sk_buff *skb, struct xt_action_param *par)
25{ 25{
26 const struct xt_state_info *sinfo = par->matchinfo; 26 const struct xt_state_info *sinfo = par->matchinfo;
27 enum ip_conntrack_info ctinfo; 27 enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 5aeca1d023d8..96e62b8fd6b1 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -30,7 +30,7 @@ MODULE_ALIAS("ip6t_statistic");
30static DEFINE_SPINLOCK(nth_lock); 30static DEFINE_SPINLOCK(nth_lock);
31 31
32static bool 32static bool
33statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par) 33statistic_mt(const struct sk_buff *skb, struct xt_action_param *par)
34{ 34{
35 const struct xt_statistic_info *info = par->matchinfo; 35 const struct xt_statistic_info *info = par->matchinfo;
36 bool ret = info->flags & XT_STATISTIC_INVERT; 36 bool ret = info->flags & XT_STATISTIC_INVERT;
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index f6d5112175e6..d3c48b14ab94 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_string");
23MODULE_ALIAS("ip6t_string"); 23MODULE_ALIAS("ip6t_string");
24 24
25static bool 25static bool
26string_mt(const struct sk_buff *skb, const struct xt_match_param *par) 26string_mt(const struct sk_buff *skb, struct xt_action_param *par)
27{ 27{
28 const struct xt_string_info *conf = par->matchinfo; 28 const struct xt_string_info *conf = par->matchinfo;
29 struct ts_state state; 29 struct ts_state state;
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 4809b34b10f8..c53d4d18eadf 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tcpmss");
25MODULE_ALIAS("ip6t_tcpmss"); 25MODULE_ALIAS("ip6t_tcpmss");
26 26
27static bool 27static bool
28tcpmss_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
29{ 29{
30 const struct xt_tcpmss_match_info *info = par->matchinfo; 30 const struct xt_tcpmss_match_info *info = par->matchinfo;
31 const struct tcphdr *th; 31 const struct tcphdr *th;
@@ -73,7 +73,7 @@ out:
73 return info->invert; 73 return info->invert;
74 74
75dropit: 75dropit:
76 *par->hotdrop = true; 76 par->hotdrop = true;
77 return false; 77 return false;
78} 78}
79 79
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index efa2ede24ae6..c14d4645daa3 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -62,7 +62,7 @@ tcp_find_option(u_int8_t option,
62 return invert; 62 return invert;
63} 63}
64 64
65static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 65static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
66{ 66{
67 const struct tcphdr *th; 67 const struct tcphdr *th;
68 struct tcphdr _tcph; 68 struct tcphdr _tcph;
@@ -77,7 +77,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
77 */ 77 */
78 if (par->fragoff == 1) { 78 if (par->fragoff == 1) {
79 pr_debug("Dropping evil TCP offset=1 frag.\n"); 79 pr_debug("Dropping evil TCP offset=1 frag.\n");
80 *par->hotdrop = true; 80 par->hotdrop = true;
81 } 81 }
82 /* Must not be a fragment. */ 82 /* Must not be a fragment. */
83 return false; 83 return false;
@@ -90,7 +90,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
90 /* We've been asked to examine this packet, and we 90 /* We've been asked to examine this packet, and we
91 can't. Hence, no choice but to drop. */ 91 can't. Hence, no choice but to drop. */
92 pr_debug("Dropping evil TCP offset=0 tinygram.\n"); 92 pr_debug("Dropping evil TCP offset=0 tinygram.\n");
93 *par->hotdrop = true; 93 par->hotdrop = true;
94 return false; 94 return false;
95 } 95 }
96 96
@@ -108,13 +108,13 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
108 return false; 108 return false;
109 if (tcpinfo->option) { 109 if (tcpinfo->option) {
110 if (th->doff * 4 < sizeof(_tcph)) { 110 if (th->doff * 4 < sizeof(_tcph)) {
111 *par->hotdrop = true; 111 par->hotdrop = true;
112 return false; 112 return false;
113 } 113 }
114 if (!tcp_find_option(tcpinfo->option, skb, par->thoff, 114 if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
115 th->doff*4 - sizeof(_tcph), 115 th->doff*4 - sizeof(_tcph),
116 tcpinfo->invflags & XT_TCP_INV_OPTION, 116 tcpinfo->invflags & XT_TCP_INV_OPTION,
117 par->hotdrop)) 117 &par->hotdrop))
118 return false; 118 return false;
119 } 119 }
120 return true; 120 return true;
@@ -128,7 +128,7 @@ static int tcp_mt_check(const struct xt_mtchk_param *par)
128 return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0; 128 return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0;
129} 129}
130 130
131static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 131static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)
132{ 132{
133 const struct udphdr *uh; 133 const struct udphdr *uh;
134 struct udphdr _udph; 134 struct udphdr _udph;
@@ -143,7 +143,7 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
143 /* We've been asked to examine this packet, and we 143 /* We've been asked to examine this packet, and we
144 can't. Hence, no choice but to drop. */ 144 can't. Hence, no choice but to drop. */
145 pr_debug("Dropping evil UDP tinygram.\n"); 145 pr_debug("Dropping evil UDP tinygram.\n");
146 *par->hotdrop = true; 146 par->hotdrop = true;
147 return false; 147 return false;
148 } 148 }
149 149
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index d8556fdda440..79234bb19d05 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -152,7 +152,7 @@ static void localtime_3(struct xtm *r, time_t time)
152} 152}
153 153
154static bool 154static bool
155time_mt(const struct sk_buff *skb, const struct xt_match_param *par) 155time_mt(const struct sk_buff *skb, struct xt_action_param *par)
156{ 156{
157 const struct xt_time_info *info = par->matchinfo; 157 const struct xt_time_info *info = par->matchinfo;
158 unsigned int packet_time; 158 unsigned int packet_time;
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index d7c05f03a7e7..a95b50342dbb 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -86,7 +86,7 @@ static bool u32_match_it(const struct xt_u32 *data,
86 return true; 86 return true;
87} 87}
88 88
89static bool u32_mt(const struct sk_buff *skb, const struct xt_match_param *par) 89static bool u32_mt(const struct sk_buff *skb, struct xt_action_param *par)
90{ 90{
91 const struct xt_u32 *data = par->matchinfo; 91 const struct xt_u32 *data = par->matchinfo;
92 bool ret; 92 bool ret;
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 03f80a0fa167..1f9595467c17 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -199,7 +199,7 @@ static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
199{ 199{
200 int ret = 0, result = 0; 200 int ret = 0, result = 0;
201 struct tcf_ipt *ipt = a->priv; 201 struct tcf_ipt *ipt = a->priv;
202 struct xt_target_param par; 202 struct xt_action_param par;
203 203
204 if (skb_cloned(skb)) { 204 if (skb_cloned(skb)) {
205 if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) 205 if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-12 21:34:45 -0500