aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-03-20 21:01:14 -0500
committerDavid S. Miller <davem@davemloft.net>2006-03-20 21:01:14 -0500
commit1d5cd90976fa0d1cc21554b9d43f5c517323ebfc (patch)
tree3eb43557a1d23c71ea41b91e4ee001ac43b8ba21 /net/ipv4
parent3cdc7c953eb1e1e1d1b82adbd140bf3451c165b1 (diff)
[NETFILTER]: Convert ip_tables matches/targets to centralized error checking
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/netfilter/ip_nat_rule.c41
-rw-r--r--net/ipv4/netfilter/ip_tables.c25
-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c20
-rw-r--r--net/ipv4/netfilter/ipt_DSCP.c15
-rw-r--r--net/ipv4/netfilter/ipt_ECN.c16
-rw-r--r--net/ipv4/netfilter/ipt_LOG.c9
-rw-r--r--net/ipv4/netfilter/ipt_MASQUERADE.c16
-rw-r--r--net/ipv4/netfilter/ipt_NETMAP.c17
-rw-r--r--net/ipv4/netfilter/ipt_REDIRECT.c15
-rw-r--r--net/ipv4/netfilter/ipt_REJECT.c22
-rw-r--r--net/ipv4/netfilter/ipt_SAME.c15
-rw-r--r--net/ipv4/netfilter/ipt_TCPMSS.c14
-rw-r--r--net/ipv4/netfilter/ipt_TOS.c15
-rw-r--r--net/ipv4/netfilter/ipt_TTL.c17
-rw-r--r--net/ipv4/netfilter/ipt_ULOG.c10
-rw-r--r--net/ipv4/netfilter/ipt_addrtype.c15
-rw-r--r--net/ipv4/netfilter/ipt_ah.c23
-rw-r--r--net/ipv4/netfilter/ipt_dscp.c14
-rw-r--r--net/ipv4/netfilter/ipt_ecn.c8
-rw-r--r--net/ipv4/netfilter/ipt_esp.c23
-rw-r--r--net/ipv4/netfilter/ipt_hashlimit.c16
-rw-r--r--net/ipv4/netfilter/ipt_iprange.c27
-rw-r--r--net/ipv4/netfilter/ipt_multiport.c29
-rw-r--r--net/ipv4/netfilter/ipt_owner.c19
-rw-r--r--net/ipv4/netfilter/ipt_policy.c6
-rw-r--r--net/ipv4/netfilter/ipt_recent.c15
-rw-r--r--net/ipv4/netfilter/ipt_tos.c17
-rw-r--r--net/ipv4/netfilter/ipt_ttl.c14
28 files changed, 103 insertions, 390 deletions
diff --git a/net/ipv4/netfilter/ip_nat_rule.c b/net/ipv4/netfilter/ip_nat_rule.c
index 1de86282d232..ef4be3d50553 100644
--- a/net/ipv4/netfilter/ip_nat_rule.c
+++ b/net/ipv4/netfilter/ip_nat_rule.c
@@ -181,23 +181,6 @@ static int ipt_snat_checkentry(const char *tablename,
181 printk("SNAT: multiple ranges no longer supported\n"); 181 printk("SNAT: multiple ranges no longer supported\n");
182 return 0; 182 return 0;
183 } 183 }
184
185 if (targinfosize != IPT_ALIGN(sizeof(struct ip_nat_multi_range_compat))) {
186 DEBUGP("SNAT: Target size %u wrong for %u ranges\n",
187 targinfosize, mr->rangesize);
188 return 0;
189 }
190
191 /* Only allow these for NAT. */
192 if (strcmp(tablename, "nat") != 0) {
193 DEBUGP("SNAT: wrong table %s\n", tablename);
194 return 0;
195 }
196
197 if (hook_mask & ~(1 << NF_IP_POST_ROUTING)) {
198 DEBUGP("SNAT: hook mask 0x%x bad\n", hook_mask);
199 return 0;
200 }
201 return 1; 184 return 1;
202} 185}
203 186
@@ -214,24 +197,6 @@ static int ipt_dnat_checkentry(const char *tablename,
214 printk("DNAT: multiple ranges no longer supported\n"); 197 printk("DNAT: multiple ranges no longer supported\n");
215 return 0; 198 return 0;
216 } 199 }
217
218 if (targinfosize != IPT_ALIGN(sizeof(struct ip_nat_multi_range_compat))) {
219 DEBUGP("DNAT: Target size %u wrong for %u ranges\n",
220 targinfosize, mr->rangesize);
221 return 0;
222 }
223
224 /* Only allow these for NAT. */
225 if (strcmp(tablename, "nat") != 0) {
226 DEBUGP("DNAT: wrong table %s\n", tablename);
227 return 0;
228 }
229
230 if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))) {
231 DEBUGP("DNAT: hook mask 0x%x bad\n", hook_mask);
232 return 0;
233 }
234
235 return 1; 200 return 1;
236} 201}
237 202
@@ -299,12 +264,18 @@ int ip_nat_rule_find(struct sk_buff **pskb,
299static struct ipt_target ipt_snat_reg = { 264static struct ipt_target ipt_snat_reg = {
300 .name = "SNAT", 265 .name = "SNAT",
301 .target = ipt_snat_target, 266 .target = ipt_snat_target,
267 .targetsize = sizeof(struct ip_nat_multi_range_compat),
268 .table = "nat",
269 .hooks = 1 << NF_IP_POST_ROUTING,
302 .checkentry = ipt_snat_checkentry, 270 .checkentry = ipt_snat_checkentry,
303}; 271};
304 272
305static struct ipt_target ipt_dnat_reg = { 273static struct ipt_target ipt_dnat_reg = {
306 .name = "DNAT", 274 .name = "DNAT",
307 .target = ipt_dnat_target, 275 .target = ipt_dnat_target,
276 .targetsize = sizeof(struct ip_nat_multi_range_compat),
277 .table = "nat",
278 .hooks = 1 << NF_IP_PRE_ROUTING,
308 .checkentry = ipt_dnat_checkentry, 279 .checkentry = ipt_dnat_checkentry,
309}; 280};
310 281
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index f884ca223295..62f8d639ab9c 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -477,21 +477,12 @@ standard_check(const struct ipt_entry_target *t,
477 struct ipt_standard_target *targ = (void *)t; 477 struct ipt_standard_target *targ = (void *)t;
478 478
479 /* Check standard info. */ 479 /* Check standard info. */
480 if (t->u.target_size
481 != IPT_ALIGN(sizeof(struct ipt_standard_target))) {
482 duprintf("standard_check: target size %u != %u\n",
483 t->u.target_size,
484 IPT_ALIGN(sizeof(struct ipt_standard_target)));
485 return 0;
486 }
487
488 if (targ->verdict >= 0 480 if (targ->verdict >= 0
489 && targ->verdict > max_offset - sizeof(struct ipt_entry)) { 481 && targ->verdict > max_offset - sizeof(struct ipt_entry)) {
490 duprintf("ipt_standard_check: bad verdict (%i)\n", 482 duprintf("ipt_standard_check: bad verdict (%i)\n",
491 targ->verdict); 483 targ->verdict);
492 return 0; 484 return 0;
493 } 485 }
494
495 if (targ->verdict < -NF_MAX_VERDICT - 1) { 486 if (targ->verdict < -NF_MAX_VERDICT - 1) {
496 duprintf("ipt_standard_check: bad negative verdict (%i)\n", 487 duprintf("ipt_standard_check: bad negative verdict (%i)\n",
497 targ->verdict); 488 targ->verdict);
@@ -1330,24 +1321,22 @@ icmp_checkentry(const char *tablename,
1330 unsigned int matchsize, 1321 unsigned int matchsize,
1331 unsigned int hook_mask) 1322 unsigned int hook_mask)
1332{ 1323{
1333 const struct ipt_ip *ip = info;
1334 const struct ipt_icmp *icmpinfo = matchinfo; 1324 const struct ipt_icmp *icmpinfo = matchinfo;
1335 1325
1336 /* Must specify proto == ICMP, and no unknown invflags */ 1326 /* Must specify no unknown invflags */
1337 return ip->proto == IPPROTO_ICMP 1327 return !(icmpinfo->invflags & ~IPT_ICMP_INV);
1338 && !(ip->invflags & IPT_INV_PROTO)
1339 && matchsize == IPT_ALIGN(sizeof(struct ipt_icmp))
1340 && !(icmpinfo->invflags & ~IPT_ICMP_INV);
1341} 1328}
1342 1329
1343/* The built-in targets: standard (NULL) and error. */ 1330/* The built-in targets: standard (NULL) and error. */
1344static struct ipt_target ipt_standard_target = { 1331static struct ipt_target ipt_standard_target = {
1345 .name = IPT_STANDARD_TARGET, 1332 .name = IPT_STANDARD_TARGET,
1333 .targetsize = sizeof(int),
1346}; 1334};
1347 1335
1348static struct ipt_target ipt_error_target = { 1336static struct ipt_target ipt_error_target = {
1349 .name = IPT_ERROR_TARGET, 1337 .name = IPT_ERROR_TARGET,
1350 .target = ipt_error, 1338 .target = ipt_error,
1339 .targetsize = IPT_FUNCTION_MAXNAMELEN,
1351}; 1340};
1352 1341
1353static struct nf_sockopt_ops ipt_sockopts = { 1342static struct nf_sockopt_ops ipt_sockopts = {
@@ -1362,8 +1351,10 @@ static struct nf_sockopt_ops ipt_sockopts = {
1362 1351
1363static struct ipt_match icmp_matchstruct = { 1352static struct ipt_match icmp_matchstruct = {
1364 .name = "icmp", 1353 .name = "icmp",
1365 .match = &icmp_match, 1354 .match = icmp_match,
1366 .checkentry = &icmp_checkentry, 1355 .matchsize = sizeof(struct ipt_icmp),
1356 .proto = IPPROTO_ICMP,
1357 .checkentry = icmp_checkentry,
1367}; 1358};
1368 1359
1369static int __init init(void) 1360static int __init init(void)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index d9bc971f03af..24f88dd5d8f9 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -389,13 +389,6 @@ checkentry(const char *tablename,
389 389
390 struct clusterip_config *config; 390 struct clusterip_config *config;
391 391
392 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info))) {
393 printk(KERN_WARNING "CLUSTERIP: targinfosize %u != %Zu\n",
394 targinfosize,
395 IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info)));
396 return 0;
397 }
398
399 if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP && 392 if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
400 cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT && 393 cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
401 cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) { 394 cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
@@ -476,12 +469,13 @@ static void destroy(void *matchinfo, unsigned int matchinfosize)
476 clusterip_config_put(cipinfo->config); 469 clusterip_config_put(cipinfo->config);
477} 470}
478 471
479static struct ipt_target clusterip_tgt = { 472static struct ipt_target clusterip_tgt = {
480 .name = "CLUSTERIP", 473 .name = "CLUSTERIP",
481 .target = &target, 474 .target = target,
482 .checkentry = &checkentry, 475 .targetsize = sizeof(struct ipt_clusterip_tgt_info),
483 .destroy = &destroy, 476 .checkentry = checkentry,
484 .me = THIS_MODULE 477 .destroy = destroy,
478 .me = THIS_MODULE
485}; 479};
486 480
487 481
diff --git a/net/ipv4/netfilter/ipt_DSCP.c b/net/ipv4/netfilter/ipt_DSCP.c
index 898cdf79ce18..a202467e4a88 100644
--- a/net/ipv4/netfilter/ipt_DSCP.c
+++ b/net/ipv4/netfilter/ipt_DSCP.c
@@ -64,29 +64,18 @@ checkentry(const char *tablename,
64{ 64{
65 const u_int8_t dscp = ((struct ipt_DSCP_info *)targinfo)->dscp; 65 const u_int8_t dscp = ((struct ipt_DSCP_info *)targinfo)->dscp;
66 66
67 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_DSCP_info))) {
68 printk(KERN_WARNING "DSCP: targinfosize %u != %Zu\n",
69 targinfosize,
70 IPT_ALIGN(sizeof(struct ipt_DSCP_info)));
71 return 0;
72 }
73
74 if (strcmp(tablename, "mangle") != 0) {
75 printk(KERN_WARNING "DSCP: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
76 return 0;
77 }
78
79 if ((dscp > IPT_DSCP_MAX)) { 67 if ((dscp > IPT_DSCP_MAX)) {
80 printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp); 68 printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp);
81 return 0; 69 return 0;
82 } 70 }
83
84 return 1; 71 return 1;
85} 72}
86 73
87static struct ipt_target ipt_dscp_reg = { 74static struct ipt_target ipt_dscp_reg = {
88 .name = "DSCP", 75 .name = "DSCP",
89 .target = target, 76 .target = target,
77 .targetsize = sizeof(struct ipt_DSCP_info),
78 .table = "mangle",
90 .checkentry = checkentry, 79 .checkentry = checkentry,
91 .me = THIS_MODULE, 80 .me = THIS_MODULE,
92}; 81};
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 706445426a6d..1bf1a4063b6f 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -121,18 +121,6 @@ checkentry(const char *tablename,
121 const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo; 121 const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
122 const struct ipt_entry *e = e_void; 122 const struct ipt_entry *e = e_void;
123 123
124 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ECN_info))) {
125 printk(KERN_WARNING "ECN: targinfosize %u != %Zu\n",
126 targinfosize,
127 IPT_ALIGN(sizeof(struct ipt_ECN_info)));
128 return 0;
129 }
130
131 if (strcmp(tablename, "mangle") != 0) {
132 printk(KERN_WARNING "ECN: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
133 return 0;
134 }
135
136 if (einfo->operation & IPT_ECN_OP_MASK) { 124 if (einfo->operation & IPT_ECN_OP_MASK) {
137 printk(KERN_WARNING "ECN: unsupported ECN operation %x\n", 125 printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
138 einfo->operation); 126 einfo->operation);
@@ -143,20 +131,20 @@ checkentry(const char *tablename,
143 einfo->ip_ect); 131 einfo->ip_ect);
144 return 0; 132 return 0;
145 } 133 }
146
147 if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) 134 if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
148 && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) { 135 && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
149 printk(KERN_WARNING "ECN: cannot use TCP operations on a " 136 printk(KERN_WARNING "ECN: cannot use TCP operations on a "
150 "non-tcp rule\n"); 137 "non-tcp rule\n");
151 return 0; 138 return 0;
152 } 139 }
153
154 return 1; 140 return 1;
155} 141}
156 142
157static struct ipt_target ipt_ecn_reg = { 143static struct ipt_target ipt_ecn_reg = {
158 .name = "ECN", 144 .name = "ECN",
159 .target = target, 145 .target = target,
146 .targetsize = sizeof(struct ipt_ECN_info),
147 .table = "mangle",
160 .checkentry = checkentry, 148 .checkentry = checkentry,
161 .me = THIS_MODULE, 149 .me = THIS_MODULE,
162}; 150};
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index cc27545ff97f..f2c7a9343656 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -443,29 +443,22 @@ static int ipt_log_checkentry(const char *tablename,
443{ 443{
444 const struct ipt_log_info *loginfo = targinfo; 444 const struct ipt_log_info *loginfo = targinfo;
445 445
446 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_log_info))) {
447 DEBUGP("LOG: targinfosize %u != %u\n",
448 targinfosize, IPT_ALIGN(sizeof(struct ipt_log_info)));
449 return 0;
450 }
451
452 if (loginfo->level >= 8) { 446 if (loginfo->level >= 8) {
453 DEBUGP("LOG: level %u >= 8\n", loginfo->level); 447 DEBUGP("LOG: level %u >= 8\n", loginfo->level);
454 return 0; 448 return 0;
455 } 449 }
456
457 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { 450 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
458 DEBUGP("LOG: prefix term %i\n", 451 DEBUGP("LOG: prefix term %i\n",
459 loginfo->prefix[sizeof(loginfo->prefix)-1]); 452 loginfo->prefix[sizeof(loginfo->prefix)-1]);
460 return 0; 453 return 0;
461 } 454 }
462
463 return 1; 455 return 1;
464} 456}
465 457
466static struct ipt_target ipt_log_reg = { 458static struct ipt_target ipt_log_reg = {
467 .name = "LOG", 459 .name = "LOG",
468 .target = ipt_log_target, 460 .target = ipt_log_target,
461 .targetsize = sizeof(struct ipt_log_info),
469 .checkentry = ipt_log_checkentry, 462 .checkentry = ipt_log_checkentry,
470 .me = THIS_MODULE, 463 .me = THIS_MODULE,
471}; 464};
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 12c56d3343ca..df5ea08f1a15 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -47,19 +47,6 @@ masquerade_check(const char *tablename,
47{ 47{
48 const struct ip_nat_multi_range_compat *mr = targinfo; 48 const struct ip_nat_multi_range_compat *mr = targinfo;
49 49
50 if (strcmp(tablename, "nat") != 0) {
51 DEBUGP("masquerade_check: bad table `%s'.\n", tablename);
52 return 0;
53 }
54 if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
55 DEBUGP("masquerade_check: size %u != %u.\n",
56 targinfosize, sizeof(*mr));
57 return 0;
58 }
59 if (hook_mask & ~(1 << NF_IP_POST_ROUTING)) {
60 DEBUGP("masquerade_check: bad hooks %x.\n", hook_mask);
61 return 0;
62 }
63 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { 50 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
64 DEBUGP("masquerade_check: bad MAP_IPS.\n"); 51 DEBUGP("masquerade_check: bad MAP_IPS.\n");
65 return 0; 52 return 0;
@@ -179,6 +166,9 @@ static struct notifier_block masq_inet_notifier = {
179static struct ipt_target masquerade = { 166static struct ipt_target masquerade = {
180 .name = "MASQUERADE", 167 .name = "MASQUERADE",
181 .target = masquerade_target, 168 .target = masquerade_target,
169 .targetsize = sizeof(struct ip_nat_multi_range_compat),
170 .table = "nat",
171 .hooks = 1 << NF_IP_POST_ROUTING,
182 .checkentry = masquerade_check, 172 .checkentry = masquerade_check,
183 .me = THIS_MODULE, 173 .me = THIS_MODULE,
184}; 174};
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index b074467fe67b..836d67e66391 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -38,19 +38,6 @@ check(const char *tablename,
38{ 38{
39 const struct ip_nat_multi_range_compat *mr = targinfo; 39 const struct ip_nat_multi_range_compat *mr = targinfo;
40 40
41 if (strcmp(tablename, "nat") != 0) {
42 DEBUGP(MODULENAME":check: bad table `%s'.\n", tablename);
43 return 0;
44 }
45 if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
46 DEBUGP(MODULENAME":check: size %u.\n", targinfosize);
47 return 0;
48 }
49 if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) |
50 (1 << NF_IP_LOCAL_OUT))) {
51 DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
52 return 0;
53 }
54 if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { 41 if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) {
55 DEBUGP(MODULENAME":check: bad MAP_IPS.\n"); 42 DEBUGP(MODULENAME":check: bad MAP_IPS.\n");
56 return 0; 43 return 0;
@@ -101,6 +88,10 @@ target(struct sk_buff **pskb,
101static struct ipt_target target_module = { 88static struct ipt_target target_module = {
102 .name = MODULENAME, 89 .name = MODULENAME,
103 .target = target, 90 .target = target,
91 .targetsize = sizeof(struct ip_nat_multi_range_compat),
92 .table = "nat",
93 .hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) |
94 (1 << NF_IP_LOCAL_OUT),
104 .checkentry = check, 95 .checkentry = check,
105 .me = THIS_MODULE 96 .me = THIS_MODULE
106}; 97};
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 140be51f2f01..cc165e09d0b8 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -40,18 +40,6 @@ redirect_check(const char *tablename,
40{ 40{
41 const struct ip_nat_multi_range_compat *mr = targinfo; 41 const struct ip_nat_multi_range_compat *mr = targinfo;
42 42
43 if (strcmp(tablename, "nat") != 0) {
44 DEBUGP("redirect_check: bad table `%s'.\n", table);
45 return 0;
46 }
47 if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
48 DEBUGP("redirect_check: size %u.\n", targinfosize);
49 return 0;
50 }
51 if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))) {
52 DEBUGP("redirect_check: bad hooks %x.\n", hook_mask);
53 return 0;
54 }
55 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { 43 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
56 DEBUGP("redirect_check: bad MAP_IPS.\n"); 44 DEBUGP("redirect_check: bad MAP_IPS.\n");
57 return 0; 45 return 0;
@@ -115,6 +103,9 @@ redirect_target(struct sk_buff **pskb,
115static struct ipt_target redirect_reg = { 103static struct ipt_target redirect_reg = {
116 .name = "REDIRECT", 104 .name = "REDIRECT",
117 .target = redirect_target, 105 .target = redirect_target,
106 .targetsize = sizeof(struct ip_nat_multi_range_compat),
107 .table = "nat",
108 .hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT),
118 .checkentry = redirect_check, 109 .checkentry = redirect_check,
119 .me = THIS_MODULE, 110 .me = THIS_MODULE,
120}; 111};
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 3eb47aae78c5..ddd6bd1b9776 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -290,23 +290,6 @@ static int check(const char *tablename,
290 const struct ipt_reject_info *rejinfo = targinfo; 290 const struct ipt_reject_info *rejinfo = targinfo;
291 const struct ipt_entry *e = e_void; 291 const struct ipt_entry *e = e_void;
292 292
293 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_reject_info))) {
294 DEBUGP("REJECT: targinfosize %u != 0\n", targinfosize);
295 return 0;
296 }
297
298 /* Only allow these for packet filtering. */
299 if (strcmp(tablename, "filter") != 0) {
300 DEBUGP("REJECT: bad table `%s'.\n", tablename);
301 return 0;
302 }
303 if ((hook_mask & ~((1 << NF_IP_LOCAL_IN)
304 | (1 << NF_IP_FORWARD)
305 | (1 << NF_IP_LOCAL_OUT))) != 0) {
306 DEBUGP("REJECT: bad hook mask %X\n", hook_mask);
307 return 0;
308 }
309
310 if (rejinfo->with == IPT_ICMP_ECHOREPLY) { 293 if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
311 printk("REJECT: ECHOREPLY no longer supported.\n"); 294 printk("REJECT: ECHOREPLY no longer supported.\n");
312 return 0; 295 return 0;
@@ -318,13 +301,16 @@ static int check(const char *tablename,
318 return 0; 301 return 0;
319 } 302 }
320 } 303 }
321
322 return 1; 304 return 1;
323} 305}
324 306
325static struct ipt_target ipt_reject_reg = { 307static struct ipt_target ipt_reject_reg = {
326 .name = "REJECT", 308 .name = "REJECT",
327 .target = reject, 309 .target = reject,
310 .targetsize = sizeof(struct ipt_reject_info),
311 .table = "filter",
312 .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
313 (1 << NF_IP_LOCAL_OUT),
328 .checkentry = check, 314 .checkentry = check,
329 .me = THIS_MODULE, 315 .me = THIS_MODULE,
330}; 316};
diff --git a/net/ipv4/netfilter/ipt_SAME.c b/net/ipv4/netfilter/ipt_SAME.c
index a22de59bba0e..8743c3a70157 100644
--- a/net/ipv4/netfilter/ipt_SAME.c
+++ b/net/ipv4/netfilter/ipt_SAME.c
@@ -59,18 +59,6 @@ same_check(const char *tablename,
59 59
60 mr->ipnum = 0; 60 mr->ipnum = 0;
61 61
62 if (strcmp(tablename, "nat") != 0) {
63 DEBUGP("same_check: bad table `%s'.\n", tablename);
64 return 0;
65 }
66 if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
67 DEBUGP("same_check: size %u.\n", targinfosize);
68 return 0;
69 }
70 if (hook_mask & ~(1 << NF_IP_PRE_ROUTING | 1 << NF_IP_POST_ROUTING)) {
71 DEBUGP("same_check: bad hooks %x.\n", hook_mask);
72 return 0;
73 }
74 if (mr->rangesize < 1) { 62 if (mr->rangesize < 1) {
75 DEBUGP("same_check: need at least one dest range.\n"); 63 DEBUGP("same_check: need at least one dest range.\n");
76 return 0; 64 return 0;
@@ -191,6 +179,9 @@ same_target(struct sk_buff **pskb,
191static struct ipt_target same_reg = { 179static struct ipt_target same_reg = {
192 .name = "SAME", 180 .name = "SAME",
193 .target = same_target, 181 .target = same_target,
182 .targetsize = sizeof(struct ipt_same_info),
183 .table = "nat",
184 .hooks = (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_POST_ROUTING),
194 .checkentry = same_check, 185 .checkentry = same_check,
195 .destroy = same_destroy, 186 .destroy = same_destroy,
196 .me = THIS_MODULE, 187 .me = THIS_MODULE,
diff --git a/net/ipv4/netfilter/ipt_TCPMSS.c b/net/ipv4/netfilter/ipt_TCPMSS.c
index c122841e182c..4be6e2bf26d2 100644
--- a/net/ipv4/netfilter/ipt_TCPMSS.c
+++ b/net/ipv4/netfilter/ipt_TCPMSS.c
@@ -218,13 +218,6 @@ ipt_tcpmss_checkentry(const char *tablename,
218 const struct ipt_tcpmss_info *tcpmssinfo = targinfo; 218 const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
219 const struct ipt_entry *e = e_void; 219 const struct ipt_entry *e = e_void;
220 220
221 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tcpmss_info))) {
222 DEBUGP("ipt_tcpmss_checkentry: targinfosize %u != %u\n",
223 targinfosize, IPT_ALIGN(sizeof(struct ipt_tcpmss_info)));
224 return 0;
225 }
226
227
228 if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) && 221 if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) &&
229 ((hook_mask & ~((1 << NF_IP_FORWARD) 222 ((hook_mask & ~((1 << NF_IP_FORWARD)
230 | (1 << NF_IP_LOCAL_OUT) 223 | (1 << NF_IP_LOCAL_OUT)
@@ -233,11 +226,8 @@ ipt_tcpmss_checkentry(const char *tablename,
233 return 0; 226 return 0;
234 } 227 }
235 228
236 if (e->ip.proto == IPPROTO_TCP 229 if (IPT_MATCH_ITERATE(e, find_syn_match))
237 && !(e->ip.invflags & IPT_INV_PROTO)
238 && IPT_MATCH_ITERATE(e, find_syn_match))
239 return 1; 230 return 1;
240
241 printk("TCPMSS: Only works on TCP SYN packets\n"); 231 printk("TCPMSS: Only works on TCP SYN packets\n");
242 return 0; 232 return 0;
243} 233}
@@ -245,6 +235,8 @@ ipt_tcpmss_checkentry(const char *tablename,
245static struct ipt_target ipt_tcpmss_reg = { 235static struct ipt_target ipt_tcpmss_reg = {
246 .name = "TCPMSS", 236 .name = "TCPMSS",
247 .target = ipt_tcpmss_target, 237 .target = ipt_tcpmss_target,
238 .targetsize = sizeof(struct ipt_tcpmss_info),
239 .proto = IPPROTO_TCP,
248 .checkentry = ipt_tcpmss_checkentry, 240 .checkentry = ipt_tcpmss_checkentry,
249 .me = THIS_MODULE, 241 .me = THIS_MODULE,
250}; 242};
diff --git a/net/ipv4/netfilter/ipt_TOS.c b/net/ipv4/netfilter/ipt_TOS.c
index 3a44a56db239..6568e3e30e47 100644
--- a/net/ipv4/netfilter/ipt_TOS.c
+++ b/net/ipv4/netfilter/ipt_TOS.c
@@ -59,18 +59,6 @@ checkentry(const char *tablename,
59{ 59{
60 const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos; 60 const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos;
61 61
62 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tos_target_info))) {
63 printk(KERN_WARNING "TOS: targinfosize %u != %Zu\n",
64 targinfosize,
65 IPT_ALIGN(sizeof(struct ipt_tos_target_info)));
66 return 0;
67 }
68
69 if (strcmp(tablename, "mangle") != 0) {
70 printk(KERN_WARNING "TOS: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
71 return 0;
72 }
73
74 if (tos != IPTOS_LOWDELAY 62 if (tos != IPTOS_LOWDELAY
75 && tos != IPTOS_THROUGHPUT 63 && tos != IPTOS_THROUGHPUT
76 && tos != IPTOS_RELIABILITY 64 && tos != IPTOS_RELIABILITY
@@ -79,13 +67,14 @@ checkentry(const char *tablename,
79 printk(KERN_WARNING "TOS: bad tos value %#x\n", tos); 67 printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
80 return 0; 68 return 0;
81 } 69 }
82
83 return 1; 70 return 1;
84} 71}
85 72
86static struct ipt_target ipt_tos_reg = { 73static struct ipt_target ipt_tos_reg = {
87 .name = "TOS", 74 .name = "TOS",
88 .target = target, 75 .target = target,
76 .targetsize = sizeof(struct ipt_tos_target_info),
77 .table = "mangle",
89 .checkentry = checkentry, 78 .checkentry = checkentry,
90 .me = THIS_MODULE, 79 .me = THIS_MODULE,
91}; 80};
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
index b769eb231970..61d94e096939 100644
--- a/net/ipv4/netfilter/ipt_TTL.c
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -73,34 +73,21 @@ static int ipt_ttl_checkentry(const char *tablename,
73{ 73{
74 struct ipt_TTL_info *info = targinfo; 74 struct ipt_TTL_info *info = targinfo;
75 75
76 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_TTL_info))) {
77 printk(KERN_WARNING "ipt_TTL: targinfosize %u != %Zu\n",
78 targinfosize,
79 IPT_ALIGN(sizeof(struct ipt_TTL_info)));
80 return 0;
81 }
82
83 if (strcmp(tablename, "mangle")) {
84 printk(KERN_WARNING "ipt_TTL: can only be called from "
85 "\"mangle\" table, not \"%s\"\n", tablename);
86 return 0;
87 }
88
89 if (info->mode > IPT_TTL_MAXMODE) { 76 if (info->mode > IPT_TTL_MAXMODE) {
90 printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", 77 printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n",
91 info->mode); 78 info->mode);
92 return 0; 79 return 0;
93 } 80 }
94
95 if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) 81 if ((info->mode != IPT_TTL_SET) && (info->ttl == 0))
96 return 0; 82 return 0;
97
98 return 1; 83 return 1;
99} 84}
100 85
101static struct ipt_target ipt_TTL = { 86static struct ipt_target ipt_TTL = {
102 .name = "TTL", 87 .name = "TTL",
103 .target = ipt_ttl_target, 88 .target = ipt_ttl_target,
89 .targetsize = sizeof(struct ipt_TTL_info),
90 .table = "mangle",
104 .checkentry = ipt_ttl_checkentry, 91 .checkentry = ipt_ttl_checkentry,
105 .me = THIS_MODULE, 92 .me = THIS_MODULE,
106}; 93};
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 180a9ea57b69..c95e7e9f74ff 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -345,36 +345,30 @@ static int ipt_ulog_checkentry(const char *tablename,
345{ 345{
346 struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo; 346 struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
347 347
348 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ulog_info))) {
349 DEBUGP("ipt_ULOG: targinfosize %u != 0\n", targinfosize);
350 return 0;
351 }
352
353 if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { 348 if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
354 DEBUGP("ipt_ULOG: prefix term %i\n", 349 DEBUGP("ipt_ULOG: prefix term %i\n",
355 loginfo->prefix[sizeof(loginfo->prefix) - 1]); 350 loginfo->prefix[sizeof(loginfo->prefix) - 1]);
356 return 0; 351 return 0;
357 } 352 }
358
359 if (loginfo->qthreshold > ULOG_MAX_QLEN) { 353 if (loginfo->qthreshold > ULOG_MAX_QLEN) {
360 DEBUGP("ipt_ULOG: queue threshold %i > MAX_QLEN\n", 354 DEBUGP("ipt_ULOG: queue threshold %i > MAX_QLEN\n",
361 loginfo->qthreshold); 355 loginfo->qthreshold);
362 return 0; 356 return 0;
363 } 357 }
364
365 return 1; 358 return 1;
366} 359}
367 360
368static struct ipt_target ipt_ulog_reg = { 361static struct ipt_target ipt_ulog_reg = {
369 .name = "ULOG", 362 .name = "ULOG",
370 .target = ipt_ulog_target, 363 .target = ipt_ulog_target,
364 .targetsize = sizeof(struct ipt_ulog_info),
371 .checkentry = ipt_ulog_checkentry, 365 .checkentry = ipt_ulog_checkentry,
372 .me = THIS_MODULE, 366 .me = THIS_MODULE,
373}; 367};
374 368
375static struct nf_logger ipt_ulog_logger = { 369static struct nf_logger ipt_ulog_logger = {
376 .name = "ipt_ULOG", 370 .name = "ipt_ULOG",
377 .logfn = &ipt_logfn, 371 .logfn = ipt_logfn,
378 .me = THIS_MODULE, 372 .me = THIS_MODULE,
379}; 373};
380 374
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index d6b83a976518..ad5dc4658022 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -43,23 +43,10 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
43 return ret; 43 return ret;
44} 44}
45 45
46static int checkentry(const char *tablename, const void *ip,
47 void *matchinfo, unsigned int matchsize,
48 unsigned int hook_mask)
49{
50 if (matchsize != IPT_ALIGN(sizeof(struct ipt_addrtype_info))) {
51 printk(KERN_ERR "ipt_addrtype: invalid size (%u != %Zu)\n",
52 matchsize, IPT_ALIGN(sizeof(struct ipt_addrtype_info)));
53 return 0;
54 }
55
56 return 1;
57}
58
59static struct ipt_match addrtype_match = { 46static struct ipt_match addrtype_match = {
60 .name = "addrtype", 47 .name = "addrtype",
61 .match = match, 48 .match = match,
62 .checkentry = checkentry, 49 .matchsize = sizeof(struct ipt_addrtype_info),
63 .me = THIS_MODULE 50 .me = THIS_MODULE
64}; 51};
65 52
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 144adfec13cc..a33eeea38e1d 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -76,32 +76,21 @@ checkentry(const char *tablename,
76 unsigned int hook_mask) 76 unsigned int hook_mask)
77{ 77{
78 const struct ipt_ah *ahinfo = matchinfo; 78 const struct ipt_ah *ahinfo = matchinfo;
79 const struct ipt_ip *ip = ip_void;
80 79
81 /* Must specify proto == AH, and no unknown invflags */ 80 /* Must specify no unknown invflags */
82 if (ip->proto != IPPROTO_AH || (ip->invflags & IPT_INV_PROTO)) {
83 duprintf("ipt_ah: Protocol %u != %u\n", ip->proto,
84 IPPROTO_AH);
85 return 0;
86 }
87 if (matchinfosize != IPT_ALIGN(sizeof(struct ipt_ah))) {
88 duprintf("ipt_ah: matchsize %u != %u\n",
89 matchinfosize, IPT_ALIGN(sizeof(struct ipt_ah)));
90 return 0;
91 }
92 if (ahinfo->invflags & ~IPT_AH_INV_MASK) { 81 if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
93 duprintf("ipt_ah: unknown flags %X\n", 82 duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags);
94 ahinfo->invflags);
95 return 0; 83 return 0;
96 } 84 }
97
98 return 1; 85 return 1;
99} 86}
100 87
101static struct ipt_match ah_match = { 88static struct ipt_match ah_match = {
102 .name = "ah", 89 .name = "ah",
103 .match = &match, 90 .match = match,
104 .checkentry = &checkentry, 91 .matchsize = sizeof(struct ipt_ah),
92 .proto = IPPROTO_AH,
93 .checkentry = checkentry,
105 .me = THIS_MODULE, 94 .me = THIS_MODULE,
106}; 95};
107 96
diff --git a/net/ipv4/netfilter/ipt_dscp.c b/net/ipv4/netfilter/ipt_dscp.c
index 92063b4f8602..e7889ba22f4c 100644
--- a/net/ipv4/netfilter/ipt_dscp.c
+++ b/net/ipv4/netfilter/ipt_dscp.c
@@ -31,20 +31,10 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
31 return ((iph->tos&IPT_DSCP_MASK) == sh_dscp) ^ info->invert; 31 return ((iph->tos&IPT_DSCP_MASK) == sh_dscp) ^ info->invert;
32} 32}
33 33
34static int checkentry(const char *tablename, const void *ip,
35 void *matchinfo, unsigned int matchsize,
36 unsigned int hook_mask)
37{
38 if (matchsize != IPT_ALIGN(sizeof(struct ipt_dscp_info)))
39 return 0;
40
41 return 1;
42}
43
44static struct ipt_match dscp_match = { 34static struct ipt_match dscp_match = {
45 .name = "dscp", 35 .name = "dscp",
46 .match = &match, 36 .match = match,
47 .checkentry = &checkentry, 37 .matchsize = sizeof(struct ipt_dscp_info),
48 .me = THIS_MODULE, 38 .me = THIS_MODULE,
49}; 39};
50 40
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index e68b0c7981f0..723957f77310 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -92,9 +92,6 @@ static int checkentry(const char *tablename, const void *ip_void,
92 const struct ipt_ecn_info *info = matchinfo; 92 const struct ipt_ecn_info *info = matchinfo;
93 const struct ipt_ip *ip = ip_void; 93 const struct ipt_ip *ip = ip_void;
94 94
95 if (matchsize != IPT_ALIGN(sizeof(struct ipt_ecn_info)))
96 return 0;
97
98 if (info->operation & IPT_ECN_OP_MATCH_MASK) 95 if (info->operation & IPT_ECN_OP_MATCH_MASK)
99 return 0; 96 return 0;
100 97
@@ -113,8 +110,9 @@ static int checkentry(const char *tablename, const void *ip_void,
113 110
114static struct ipt_match ecn_match = { 111static struct ipt_match ecn_match = {
115 .name = "ecn", 112 .name = "ecn",
116 .match = &match, 113 .match = match,
117 .checkentry = &checkentry, 114 .matchsize = sizeof(struct ipt_ecn_info),
115 .checkentry = checkentry,
118 .me = THIS_MODULE, 116 .me = THIS_MODULE,
119}; 117};
120 118
diff --git a/net/ipv4/netfilter/ipt_esp.c b/net/ipv4/netfilter/ipt_esp.c
index 9de191a8162d..984fa4862ce9 100644
--- a/net/ipv4/netfilter/ipt_esp.c
+++ b/net/ipv4/netfilter/ipt_esp.c
@@ -77,32 +77,21 @@ checkentry(const char *tablename,
77 unsigned int hook_mask) 77 unsigned int hook_mask)
78{ 78{
79 const struct ipt_esp *espinfo = matchinfo; 79 const struct ipt_esp *espinfo = matchinfo;
80 const struct ipt_ip *ip = ip_void;
81 80
82 /* Must specify proto == ESP, and no unknown invflags */ 81 /* Must specify no unknown invflags */
83 if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) {
84 duprintf("ipt_esp: Protocol %u != %u\n", ip->proto,
85 IPPROTO_ESP);
86 return 0;
87 }
88 if (matchinfosize != IPT_ALIGN(sizeof(struct ipt_esp))) {
89 duprintf("ipt_esp: matchsize %u != %u\n",
90 matchinfosize, IPT_ALIGN(sizeof(struct ipt_esp)));
91 return 0;
92 }
93 if (espinfo->invflags & ~IPT_ESP_INV_MASK) { 82 if (espinfo->invflags & ~IPT_ESP_INV_MASK) {
94 duprintf("ipt_esp: unknown flags %X\n", 83 duprintf("ipt_esp: unknown flags %X\n", espinfo->invflags);
95 espinfo->invflags);
96 return 0; 84 return 0;
97 } 85 }
98
99 return 1; 86 return 1;
100} 87}
101 88
102static struct ipt_match esp_match = { 89static struct ipt_match esp_match = {
103 .name = "esp", 90 .name = "esp",
104 .match = &match, 91 .match = match,
105 .checkentry = &checkentry, 92 .matchsize = sizeof(struct ipt_esp),
93 .proto = IPPROTO_ESP,
94 .checkentry = checkentry,
106 .me = THIS_MODULE, 95 .me = THIS_MODULE,
107}; 96};
108 97
diff --git a/net/ipv4/netfilter/ipt_hashlimit.c b/net/ipv4/netfilter/ipt_hashlimit.c
index 4fe48c1bd5f3..156d9c255b2b 100644
--- a/net/ipv4/netfilter/ipt_hashlimit.c
+++ b/net/ipv4/netfilter/ipt_hashlimit.c
@@ -512,9 +512,6 @@ hashlimit_checkentry(const char *tablename,
512{ 512{
513 struct ipt_hashlimit_info *r = matchinfo; 513 struct ipt_hashlimit_info *r = matchinfo;
514 514
515 if (matchsize != IPT_ALIGN(sizeof(struct ipt_hashlimit_info)))
516 return 0;
517
518 /* Check for overflow. */ 515 /* Check for overflow. */
519 if (r->cfg.burst == 0 516 if (r->cfg.burst == 0
520 || user2credits(r->cfg.avg * r->cfg.burst) < 517 || user2credits(r->cfg.avg * r->cfg.burst) <
@@ -565,12 +562,13 @@ hashlimit_destroy(void *matchinfo, unsigned int matchsize)
565 htable_put(r->hinfo); 562 htable_put(r->hinfo);
566} 563}
567 564
568static struct ipt_match ipt_hashlimit = { 565static struct ipt_match ipt_hashlimit = {
569 .name = "hashlimit", 566 .name = "hashlimit",
570 .match = hashlimit_match, 567 .match = hashlimit_match,
571 .checkentry = hashlimit_checkentry, 568 .matchsize = sizeof(struct ipt_hashlimit_info),
572 .destroy = hashlimit_destroy, 569 .checkentry = hashlimit_checkentry,
573 .me = THIS_MODULE 570 .destroy = hashlimit_destroy,
571 .me = THIS_MODULE
574}; 572};
575 573
576/* PROC stuff */ 574/* PROC stuff */
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/ipv4/netfilter/ipt_iprange.c
index 13fb16fb7892..0885ff5d0db7 100644
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ b/net/ipv4/netfilter/ipt_iprange.c
@@ -62,27 +62,12 @@ match(const struct sk_buff *skb,
62 return 1; 62 return 1;
63} 63}
64 64
65static int check(const char *tablename, 65static struct ipt_match iprange_match = {
66 const void *inf, 66 .name = "iprange",
67 void *matchinfo, 67 .match = match,
68 unsigned int matchsize, 68 .matchsize = sizeof(struct ipt_iprange_info),
69 unsigned int hook_mask) 69 .destroy = NULL,
70{ 70 .me = THIS_MODULE
71 /* verify size */
72 if (matchsize != IPT_ALIGN(sizeof(struct ipt_iprange_info)))
73 return 0;
74
75 return 1;
76}
77
78static struct ipt_match iprange_match =
79{
80 .list = { NULL, NULL },
81 .name = "iprange",
82 .match = &match,
83 .checkentry = &check,
84 .destroy = NULL,
85 .me = THIS_MODULE
86}; 71};
87 72
88static int __init init(void) 73static int __init init(void)
diff --git a/net/ipv4/netfilter/ipt_multiport.c b/net/ipv4/netfilter/ipt_multiport.c
index 2d52326553f1..8f1684c3e5c6 100644
--- a/net/ipv4/netfilter/ipt_multiport.c
+++ b/net/ipv4/netfilter/ipt_multiport.c
@@ -153,40 +153,19 @@ match_v1(const struct sk_buff *skb,
153 return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); 153 return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
154} 154}
155 155
156/* Called when user tries to insert an entry of this type. */
157static int
158checkentry(const char *tablename,
159 const void *ip,
160 void *matchinfo,
161 unsigned int matchsize,
162 unsigned int hook_mask)
163{
164 return (matchsize == IPT_ALIGN(sizeof(struct ipt_multiport)));
165}
166
167static int
168checkentry_v1(const char *tablename,
169 const void *ip,
170 void *matchinfo,
171 unsigned int matchsize,
172 unsigned int hook_mask)
173{
174 return (matchsize == IPT_ALIGN(sizeof(struct ipt_multiport_v1)));
175}
176
177static struct ipt_match multiport_match = { 156static struct ipt_match multiport_match = {
178 .name = "multiport", 157 .name = "multiport",
179 .revision = 0, 158 .revision = 0,
180 .match = &match, 159 .match = match,
181 .checkentry = &checkentry, 160 .matchsize = sizeof(struct ipt_multiport),
182 .me = THIS_MODULE, 161 .me = THIS_MODULE,
183}; 162};
184 163
185static struct ipt_match multiport_match_v1 = { 164static struct ipt_match multiport_match_v1 = {
186 .name = "multiport", 165 .name = "multiport",
187 .revision = 1, 166 .revision = 1,
188 .match = &match_v1, 167 .match = match_v1,
189 .checkentry = &checkentry_v1, 168 .matchsize = sizeof(struct ipt_multiport_v1),
190 .me = THIS_MODULE, 169 .me = THIS_MODULE,
191}; 170};
192 171
diff --git a/net/ipv4/netfilter/ipt_owner.c b/net/ipv4/netfilter/ipt_owner.c
index 4843d0c9734f..18adc1d214d4 100644
--- a/net/ipv4/netfilter/ipt_owner.c
+++ b/net/ipv4/netfilter/ipt_owner.c
@@ -59,31 +59,20 @@ checkentry(const char *tablename,
59{ 59{
60 const struct ipt_owner_info *info = matchinfo; 60 const struct ipt_owner_info *info = matchinfo;
61 61
62 if (hook_mask
63 & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING))) {
64 printk("ipt_owner: only valid for LOCAL_OUT or POST_ROUTING.\n");
65 return 0;
66 }
67
68 if (matchsize != IPT_ALIGN(sizeof(struct ipt_owner_info))) {
69 printk("Matchsize %u != %Zu\n", matchsize,
70 IPT_ALIGN(sizeof(struct ipt_owner_info)));
71 return 0;
72 }
73
74 if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) { 62 if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) {
75 printk("ipt_owner: pid, sid and command matching " 63 printk("ipt_owner: pid, sid and command matching "
76 "not supported anymore\n"); 64 "not supported anymore\n");
77 return 0; 65 return 0;
78 } 66 }
79
80 return 1; 67 return 1;
81} 68}
82 69
83static struct ipt_match owner_match = { 70static struct ipt_match owner_match = {
84 .name = "owner", 71 .name = "owner",
85 .match = &match, 72 .match = match,
86 .checkentry = &checkentry, 73 .matchsize = sizeof(struct ipt_owner_info),
74 .hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
75 .checkentry = checkentry,
87 .me = THIS_MODULE, 76 .me = THIS_MODULE,
88}; 77};
89 78
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c
index 5a7a265280f9..3fa6607c0c6c 100644
--- a/net/ipv4/netfilter/ipt_policy.c
+++ b/net/ipv4/netfilter/ipt_policy.c
@@ -125,11 +125,6 @@ static int checkentry(const char *tablename, const void *ip_void,
125{ 125{
126 struct ipt_policy_info *info = matchinfo; 126 struct ipt_policy_info *info = matchinfo;
127 127
128 if (matchsize != IPT_ALIGN(sizeof(*info))) {
129 printk(KERN_ERR "ipt_policy: matchsize %u != %zu\n",
130 matchsize, IPT_ALIGN(sizeof(*info)));
131 return 0;
132 }
133 if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))) { 128 if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))) {
134 printk(KERN_ERR "ipt_policy: neither incoming nor " 129 printk(KERN_ERR "ipt_policy: neither incoming nor "
135 "outgoing policy selected\n"); 130 "outgoing policy selected\n");
@@ -158,6 +153,7 @@ static int checkentry(const char *tablename, const void *ip_void,
158static struct ipt_match policy_match = { 153static struct ipt_match policy_match = {
159 .name = "policy", 154 .name = "policy",
160 .match = match, 155 .match = match,
156 .matchsize = sizeof(struct ipt_policy_info),
161 .checkentry = checkentry, 157 .checkentry = checkentry,
162 .me = THIS_MODULE, 158 .me = THIS_MODULE,
163}; 159};
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 44611d6d14f5..e2ccd4295344 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -670,8 +670,6 @@ checkentry(const char *tablename,
670 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry() entered.\n"); 670 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry() entered.\n");
671#endif 671#endif
672 672
673 if (matchsize != IPT_ALIGN(sizeof(struct ipt_recent_info))) return 0;
674
675 /* seconds and hit_count only valid for CHECK/UPDATE */ 673 /* seconds and hit_count only valid for CHECK/UPDATE */
676 if(info->check_set & IPT_RECENT_SET) { flag++; if(info->seconds || info->hit_count) return 0; } 674 if(info->check_set & IPT_RECENT_SET) { flag++; if(info->seconds || info->hit_count) return 0; }
677 if(info->check_set & IPT_RECENT_REMOVE) { flag++; if(info->seconds || info->hit_count) return 0; } 675 if(info->check_set & IPT_RECENT_REMOVE) { flag++; if(info->seconds || info->hit_count) return 0; }
@@ -951,12 +949,13 @@ destroy(void *matchinfo, unsigned int matchsize)
951/* This is the structure we pass to ipt_register to register our 949/* This is the structure we pass to ipt_register to register our
952 * module with iptables. 950 * module with iptables.
953 */ 951 */
954static struct ipt_match recent_match = { 952static struct ipt_match recent_match = {
955 .name = "recent", 953 .name = "recent",
956 .match = &match, 954 .match = match,
957 .checkentry = &checkentry, 955 .matchsize = sizeof(struct ipt_recent_info),
958 .destroy = &destroy, 956 .checkentry = checkentry,
959 .me = THIS_MODULE 957 .destroy = destroy,
958 .me = THIS_MODULE
960}; 959};
961 960
962/* Kernel module initialization. */ 961/* Kernel module initialization. */
diff --git a/net/ipv4/netfilter/ipt_tos.c b/net/ipv4/netfilter/ipt_tos.c
index 9ab765e126f2..4675c786189b 100644
--- a/net/ipv4/netfilter/ipt_tos.c
+++ b/net/ipv4/netfilter/ipt_tos.c
@@ -31,23 +31,10 @@ match(const struct sk_buff *skb,
31 return (skb->nh.iph->tos == info->tos) ^ info->invert; 31 return (skb->nh.iph->tos == info->tos) ^ info->invert;
32} 32}
33 33
34static int
35checkentry(const char *tablename,
36 const void *ip,
37 void *matchinfo,
38 unsigned int matchsize,
39 unsigned int hook_mask)
40{
41 if (matchsize != IPT_ALIGN(sizeof(struct ipt_tos_info)))
42 return 0;
43
44 return 1;
45}
46
47static struct ipt_match tos_match = { 34static struct ipt_match tos_match = {
48 .name = "tos", 35 .name = "tos",
49 .match = &match, 36 .match = match,
50 .checkentry = &checkentry, 37 .matchsize = sizeof(struct ipt_tos_info),
51 .me = THIS_MODULE, 38 .me = THIS_MODULE,
52}; 39};
53 40
diff --git a/net/ipv4/netfilter/ipt_ttl.c b/net/ipv4/netfilter/ipt_ttl.c
index 82da53f430ab..bb694a0b361d 100644
--- a/net/ipv4/netfilter/ipt_ttl.c
+++ b/net/ipv4/netfilter/ipt_ttl.c
@@ -47,20 +47,10 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
47 return 0; 47 return 0;
48} 48}
49 49
50static int checkentry(const char *tablename, const void *ip,
51 void *matchinfo, unsigned int matchsize,
52 unsigned int hook_mask)
53{
54 if (matchsize != IPT_ALIGN(sizeof(struct ipt_ttl_info)))
55 return 0;
56
57 return 1;
58}
59
60static struct ipt_match ttl_match = { 50static struct ipt_match ttl_match = {
61 .name = "ttl", 51 .name = "ttl",
62 .match = &match, 52 .match = match,
63 .checkentry = &checkentry, 53 .matchsize = sizeof(struct ipt_ttl_info),
64 .me = THIS_MODULE, 54 .me = THIS_MODULE,
65}; 55};
66 56