diff options
author | Patrick McHardy <kaber@trash.net> | 2006-03-20 21:01:14 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-03-20 21:01:14 -0500 |
commit | 1d5cd90976fa0d1cc21554b9d43f5c517323ebfc (patch) | |
tree | 3eb43557a1d23c71ea41b91e4ee001ac43b8ba21 /net/ipv4 | |
parent | 3cdc7c953eb1e1e1d1b82adbd140bf3451c165b1 (diff) |
[NETFILTER]: Convert ip_tables matches/targets to centralized error checking
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
28 files changed, 103 insertions, 390 deletions
diff --git a/net/ipv4/netfilter/ip_nat_rule.c b/net/ipv4/netfilter/ip_nat_rule.c index 1de86282d232..ef4be3d50553 100644 --- a/net/ipv4/netfilter/ip_nat_rule.c +++ b/net/ipv4/netfilter/ip_nat_rule.c | |||
@@ -181,23 +181,6 @@ static int ipt_snat_checkentry(const char *tablename, | |||
181 | printk("SNAT: multiple ranges no longer supported\n"); | 181 | printk("SNAT: multiple ranges no longer supported\n"); |
182 | return 0; | 182 | return 0; |
183 | } | 183 | } |
184 | |||
185 | if (targinfosize != IPT_ALIGN(sizeof(struct ip_nat_multi_range_compat))) { | ||
186 | DEBUGP("SNAT: Target size %u wrong for %u ranges\n", | ||
187 | targinfosize, mr->rangesize); | ||
188 | return 0; | ||
189 | } | ||
190 | |||
191 | /* Only allow these for NAT. */ | ||
192 | if (strcmp(tablename, "nat") != 0) { | ||
193 | DEBUGP("SNAT: wrong table %s\n", tablename); | ||
194 | return 0; | ||
195 | } | ||
196 | |||
197 | if (hook_mask & ~(1 << NF_IP_POST_ROUTING)) { | ||
198 | DEBUGP("SNAT: hook mask 0x%x bad\n", hook_mask); | ||
199 | return 0; | ||
200 | } | ||
201 | return 1; | 184 | return 1; |
202 | } | 185 | } |
203 | 186 | ||
@@ -214,24 +197,6 @@ static int ipt_dnat_checkentry(const char *tablename, | |||
214 | printk("DNAT: multiple ranges no longer supported\n"); | 197 | printk("DNAT: multiple ranges no longer supported\n"); |
215 | return 0; | 198 | return 0; |
216 | } | 199 | } |
217 | |||
218 | if (targinfosize != IPT_ALIGN(sizeof(struct ip_nat_multi_range_compat))) { | ||
219 | DEBUGP("DNAT: Target size %u wrong for %u ranges\n", | ||
220 | targinfosize, mr->rangesize); | ||
221 | return 0; | ||
222 | } | ||
223 | |||
224 | /* Only allow these for NAT. */ | ||
225 | if (strcmp(tablename, "nat") != 0) { | ||
226 | DEBUGP("DNAT: wrong table %s\n", tablename); | ||
227 | return 0; | ||
228 | } | ||
229 | |||
230 | if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))) { | ||
231 | DEBUGP("DNAT: hook mask 0x%x bad\n", hook_mask); | ||
232 | return 0; | ||
233 | } | ||
234 | |||
235 | return 1; | 200 | return 1; |
236 | } | 201 | } |
237 | 202 | ||
@@ -299,12 +264,18 @@ int ip_nat_rule_find(struct sk_buff **pskb, | |||
299 | static struct ipt_target ipt_snat_reg = { | 264 | static struct ipt_target ipt_snat_reg = { |
300 | .name = "SNAT", | 265 | .name = "SNAT", |
301 | .target = ipt_snat_target, | 266 | .target = ipt_snat_target, |
267 | .targetsize = sizeof(struct ip_nat_multi_range_compat), | ||
268 | .table = "nat", | ||
269 | .hooks = 1 << NF_IP_POST_ROUTING, | ||
302 | .checkentry = ipt_snat_checkentry, | 270 | .checkentry = ipt_snat_checkentry, |
303 | }; | 271 | }; |
304 | 272 | ||
305 | static struct ipt_target ipt_dnat_reg = { | 273 | static struct ipt_target ipt_dnat_reg = { |
306 | .name = "DNAT", | 274 | .name = "DNAT", |
307 | .target = ipt_dnat_target, | 275 | .target = ipt_dnat_target, |
276 | .targetsize = sizeof(struct ip_nat_multi_range_compat), | ||
277 | .table = "nat", | ||
278 | .hooks = 1 << NF_IP_PRE_ROUTING, | ||
308 | .checkentry = ipt_dnat_checkentry, | 279 | .checkentry = ipt_dnat_checkentry, |
309 | }; | 280 | }; |
310 | 281 | ||
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index f884ca223295..62f8d639ab9c 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -477,21 +477,12 @@ standard_check(const struct ipt_entry_target *t, | |||
477 | struct ipt_standard_target *targ = (void *)t; | 477 | struct ipt_standard_target *targ = (void *)t; |
478 | 478 | ||
479 | /* Check standard info. */ | 479 | /* Check standard info. */ |
480 | if (t->u.target_size | ||
481 | != IPT_ALIGN(sizeof(struct ipt_standard_target))) { | ||
482 | duprintf("standard_check: target size %u != %u\n", | ||
483 | t->u.target_size, | ||
484 | IPT_ALIGN(sizeof(struct ipt_standard_target))); | ||
485 | return 0; | ||
486 | } | ||
487 | |||
488 | if (targ->verdict >= 0 | 480 | if (targ->verdict >= 0 |
489 | && targ->verdict > max_offset - sizeof(struct ipt_entry)) { | 481 | && targ->verdict > max_offset - sizeof(struct ipt_entry)) { |
490 | duprintf("ipt_standard_check: bad verdict (%i)\n", | 482 | duprintf("ipt_standard_check: bad verdict (%i)\n", |
491 | targ->verdict); | 483 | targ->verdict); |
492 | return 0; | 484 | return 0; |
493 | } | 485 | } |
494 | |||
495 | if (targ->verdict < -NF_MAX_VERDICT - 1) { | 486 | if (targ->verdict < -NF_MAX_VERDICT - 1) { |
496 | duprintf("ipt_standard_check: bad negative verdict (%i)\n", | 487 | duprintf("ipt_standard_check: bad negative verdict (%i)\n", |
497 | targ->verdict); | 488 | targ->verdict); |
@@ -1330,24 +1321,22 @@ icmp_checkentry(const char *tablename, | |||
1330 | unsigned int matchsize, | 1321 | unsigned int matchsize, |
1331 | unsigned int hook_mask) | 1322 | unsigned int hook_mask) |
1332 | { | 1323 | { |
1333 | const struct ipt_ip *ip = info; | ||
1334 | const struct ipt_icmp *icmpinfo = matchinfo; | 1324 | const struct ipt_icmp *icmpinfo = matchinfo; |
1335 | 1325 | ||
1336 | /* Must specify proto == ICMP, and no unknown invflags */ | 1326 | /* Must specify no unknown invflags */ |
1337 | return ip->proto == IPPROTO_ICMP | 1327 | return !(icmpinfo->invflags & ~IPT_ICMP_INV); |
1338 | && !(ip->invflags & IPT_INV_PROTO) | ||
1339 | && matchsize == IPT_ALIGN(sizeof(struct ipt_icmp)) | ||
1340 | && !(icmpinfo->invflags & ~IPT_ICMP_INV); | ||
1341 | } | 1328 | } |
1342 | 1329 | ||
1343 | /* The built-in targets: standard (NULL) and error. */ | 1330 | /* The built-in targets: standard (NULL) and error. */ |
1344 | static struct ipt_target ipt_standard_target = { | 1331 | static struct ipt_target ipt_standard_target = { |
1345 | .name = IPT_STANDARD_TARGET, | 1332 | .name = IPT_STANDARD_TARGET, |
1333 | .targetsize = sizeof(int), | ||
1346 | }; | 1334 | }; |
1347 | 1335 | ||
1348 | static struct ipt_target ipt_error_target = { | 1336 | static struct ipt_target ipt_error_target = { |
1349 | .name = IPT_ERROR_TARGET, | 1337 | .name = IPT_ERROR_TARGET, |
1350 | .target = ipt_error, | 1338 | .target = ipt_error, |
1339 | .targetsize = IPT_FUNCTION_MAXNAMELEN, | ||
1351 | }; | 1340 | }; |
1352 | 1341 | ||
1353 | static struct nf_sockopt_ops ipt_sockopts = { | 1342 | static struct nf_sockopt_ops ipt_sockopts = { |
@@ -1362,8 +1351,10 @@ static struct nf_sockopt_ops ipt_sockopts = { | |||
1362 | 1351 | ||
1363 | static struct ipt_match icmp_matchstruct = { | 1352 | static struct ipt_match icmp_matchstruct = { |
1364 | .name = "icmp", | 1353 | .name = "icmp", |
1365 | .match = &icmp_match, | 1354 | .match = icmp_match, |
1366 | .checkentry = &icmp_checkentry, | 1355 | .matchsize = sizeof(struct ipt_icmp), |
1356 | .proto = IPPROTO_ICMP, | ||
1357 | .checkentry = icmp_checkentry, | ||
1367 | }; | 1358 | }; |
1368 | 1359 | ||
1369 | static int __init init(void) | 1360 | static int __init init(void) |
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index d9bc971f03af..24f88dd5d8f9 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c | |||
@@ -389,13 +389,6 @@ checkentry(const char *tablename, | |||
389 | 389 | ||
390 | struct clusterip_config *config; | 390 | struct clusterip_config *config; |
391 | 391 | ||
392 | if (targinfosize != IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info))) { | ||
393 | printk(KERN_WARNING "CLUSTERIP: targinfosize %u != %Zu\n", | ||
394 | targinfosize, | ||
395 | IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info))); | ||
396 | return 0; | ||
397 | } | ||
398 | |||
399 | if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP && | 392 | if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP && |
400 | cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT && | 393 | cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT && |
401 | cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) { | 394 | cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) { |
@@ -476,12 +469,13 @@ static void destroy(void *matchinfo, unsigned int matchinfosize) | |||
476 | clusterip_config_put(cipinfo->config); | 469 | clusterip_config_put(cipinfo->config); |
477 | } | 470 | } |
478 | 471 | ||
479 | static struct ipt_target clusterip_tgt = { | 472 | static struct ipt_target clusterip_tgt = { |
480 | .name = "CLUSTERIP", | 473 | .name = "CLUSTERIP", |
481 | .target = &target, | 474 | .target = target, |
482 | .checkentry = &checkentry, | 475 | .targetsize = sizeof(struct ipt_clusterip_tgt_info), |
483 | .destroy = &destroy, | 476 | .checkentry = checkentry, |
484 | .me = THIS_MODULE | 477 | .destroy = destroy, |
478 | .me = THIS_MODULE | ||
485 | }; | 479 | }; |
486 | 480 | ||
487 | 481 | ||
diff --git a/net/ipv4/netfilter/ipt_DSCP.c b/net/ipv4/netfilter/ipt_DSCP.c index 898cdf79ce18..a202467e4a88 100644 --- a/net/ipv4/netfilter/ipt_DSCP.c +++ b/net/ipv4/netfilter/ipt_DSCP.c | |||
@@ -64,29 +64,18 @@ checkentry(const char *tablename, | |||
64 | { | 64 | { |
65 | const u_int8_t dscp = ((struct ipt_DSCP_info *)targinfo)->dscp; | 65 | const u_int8_t dscp = ((struct ipt_DSCP_info *)targinfo)->dscp; |
66 | 66 | ||
67 | if (targinfosize != IPT_ALIGN(sizeof(struct ipt_DSCP_info))) { | ||
68 | printk(KERN_WARNING "DSCP: targinfosize %u != %Zu\n", | ||
69 | targinfosize, | ||
70 | IPT_ALIGN(sizeof(struct ipt_DSCP_info))); | ||
71 | return 0; | ||
72 | } | ||
73 | |||
74 | if (strcmp(tablename, "mangle") != 0) { | ||
75 | printk(KERN_WARNING "DSCP: can only be called from \"mangle\" table, not \"%s\"\n", tablename); | ||
76 | return 0; | ||
77 | } | ||
78 | |||
79 | if ((dscp > IPT_DSCP_MAX)) { | 67 | if ((dscp > IPT_DSCP_MAX)) { |
80 | printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp); | 68 | printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp); |
81 | return 0; | 69 | return 0; |
82 | } | 70 | } |
83 | |||
84 | return 1; | 71 | return 1; |
85 | } | 72 | } |
86 | 73 | ||
87 | static struct ipt_target ipt_dscp_reg = { | 74 | static struct ipt_target ipt_dscp_reg = { |
88 | .name = "DSCP", | 75 | .name = "DSCP", |
89 | .target = target, | 76 | .target = target, |
77 | .targetsize = sizeof(struct ipt_DSCP_info), | ||
78 | .table = "mangle", | ||
90 | .checkentry = checkentry, | 79 | .checkentry = checkentry, |
91 | .me = THIS_MODULE, | 80 | .me = THIS_MODULE, |
92 | }; | 81 | }; |
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c index 706445426a6d..1bf1a4063b6f 100644 --- a/net/ipv4/netfilter/ipt_ECN.c +++ b/net/ipv4/netfilter/ipt_ECN.c | |||
@@ -121,18 +121,6 @@ checkentry(const char *tablename, | |||
121 | const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo; | 121 | const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo; |
122 | const struct ipt_entry *e = e_void; | 122 | const struct ipt_entry *e = e_void; |
123 | 123 | ||
124 | if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ECN_info))) { | ||
125 | printk(KERN_WARNING "ECN: targinfosize %u != %Zu\n", | ||
126 | targinfosize, | ||
127 | IPT_ALIGN(sizeof(struct ipt_ECN_info))); | ||
128 | return 0; | ||
129 | } | ||
130 | |||
131 | if (strcmp(tablename, "mangle") != 0) { | ||
132 | printk(KERN_WARNING "ECN: can only be called from \"mangle\" table, not \"%s\"\n", tablename); | ||
133 | return 0; | ||
134 | } | ||
135 | |||
136 | if (einfo->operation & IPT_ECN_OP_MASK) { | 124 | if (einfo->operation & IPT_ECN_OP_MASK) { |
137 | printk(KERN_WARNING "ECN: unsupported ECN operation %x\n", | 125 | printk(KERN_WARNING "ECN: unsupported ECN operation %x\n", |
138 | einfo->operation); | 126 | einfo->operation); |
@@ -143,20 +131,20 @@ checkentry(const char *tablename, | |||
143 | einfo->ip_ect); | 131 | einfo->ip_ect); |
144 | return 0; | 132 | return 0; |
145 | } | 133 | } |
146 | |||
147 | if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) | 134 | if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) |
148 | && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) { | 135 | && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) { |
149 | printk(KERN_WARNING "ECN: cannot use TCP operations on a " | 136 | printk(KERN_WARNING "ECN: cannot use TCP operations on a " |
150 | "non-tcp rule\n"); | 137 | "non-tcp rule\n"); |
151 | return 0; | 138 | return 0; |
152 | } | 139 | } |
153 | |||
154 | return 1; | 140 | return 1; |
155 | } | 141 | } |
156 | 142 | ||
157 | static struct ipt_target ipt_ecn_reg = { | 143 | static struct ipt_target ipt_ecn_reg = { |
158 | .name = "ECN", | 144 | .name = "ECN", |
159 | .target = target, | 145 | .target = target, |
146 | .targetsize = sizeof(struct ipt_ECN_info), | ||
147 | .table = "mangle", | ||
160 | .checkentry = checkentry, | 148 | .checkentry = checkentry, |
161 | .me = THIS_MODULE, | 149 | .me = THIS_MODULE, |
162 | }; | 150 | }; |
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c index cc27545ff97f..f2c7a9343656 100644 --- a/net/ipv4/netfilter/ipt_LOG.c +++ b/net/ipv4/netfilter/ipt_LOG.c | |||
@@ -443,29 +443,22 @@ static int ipt_log_checkentry(const char *tablename, | |||
443 | { | 443 | { |
444 | const struct ipt_log_info *loginfo = targinfo; | 444 | const struct ipt_log_info *loginfo = targinfo; |
445 | 445 | ||
446 | if (targinfosize != IPT_ALIGN(sizeof(struct ipt_log_info))) { | ||
447 | DEBUGP("LOG: targinfosize %u != %u\n", | ||
448 | targinfosize, IPT_ALIGN(sizeof(struct ipt_log_info))); | ||
449 | return 0; | ||
450 | } | ||
451 | |||
452 | if (loginfo->level >= 8) { | 446 | if (loginfo->level >= 8) { |
453 | DEBUGP("LOG: level %u >= 8\n", loginfo->level); | 447 | DEBUGP("LOG: level %u >= 8\n", loginfo->level); |
454 | return 0; | 448 | return 0; |
455 | } | 449 | } |
456 | |||
457 | if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { | 450 | if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { |
458 | DEBUGP("LOG: prefix term %i\n", | 451 | DEBUGP("LOG: prefix term %i\n", |
459 | loginfo->prefix[sizeof(loginfo->prefix)-1]); | 452 | loginfo->prefix[sizeof(loginfo->prefix)-1]); |
460 | return 0; | 453 | return 0; |
461 | } | 454 | } |
462 | |||
463 | return 1; | 455 | return 1; |
464 | } | 456 | } |
465 | 457 | ||
466 | static struct ipt_target ipt_log_reg = { | 458 | static struct ipt_target ipt_log_reg = { |
467 | .name = "LOG", | 459 | .name = "LOG", |
468 | .target = ipt_log_target, | 460 | .target = ipt_log_target, |
461 | .targetsize = sizeof(struct ipt_log_info), | ||
469 | .checkentry = ipt_log_checkentry, | 462 | .checkentry = ipt_log_checkentry, |
470 | .me = THIS_MODULE, | 463 | .me = THIS_MODULE, |
471 | }; | 464 | }; |
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c index 12c56d3343ca..df5ea08f1a15 100644 --- a/net/ipv4/netfilter/ipt_MASQUERADE.c +++ b/net/ipv4/netfilter/ipt_MASQUERADE.c | |||
@@ -47,19 +47,6 @@ masquerade_check(const char *tablename, | |||
47 | { | 47 | { |
48 | const struct ip_nat_multi_range_compat *mr = targinfo; | 48 | const struct ip_nat_multi_range_compat *mr = targinfo; |
49 | 49 | ||
50 | if (strcmp(tablename, "nat") != 0) { | ||
51 | DEBUGP("masquerade_check: bad table `%s'.\n", tablename); | ||
52 | return 0; | ||
53 | } | ||
54 | if (targinfosize != IPT_ALIGN(sizeof(*mr))) { | ||
55 | DEBUGP("masquerade_check: size %u != %u.\n", | ||
56 | targinfosize, sizeof(*mr)); | ||
57 | return 0; | ||
58 | } | ||
59 | if (hook_mask & ~(1 << NF_IP_POST_ROUTING)) { | ||
60 | DEBUGP("masquerade_check: bad hooks %x.\n", hook_mask); | ||
61 | return 0; | ||
62 | } | ||
63 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { | 50 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { |
64 | DEBUGP("masquerade_check: bad MAP_IPS.\n"); | 51 | DEBUGP("masquerade_check: bad MAP_IPS.\n"); |
65 | return 0; | 52 | return 0; |
@@ -179,6 +166,9 @@ static struct notifier_block masq_inet_notifier = { | |||
179 | static struct ipt_target masquerade = { | 166 | static struct ipt_target masquerade = { |
180 | .name = "MASQUERADE", | 167 | .name = "MASQUERADE", |
181 | .target = masquerade_target, | 168 | .target = masquerade_target, |
169 | .targetsize = sizeof(struct ip_nat_multi_range_compat), | ||
170 | .table = "nat", | ||
171 | .hooks = 1 << NF_IP_POST_ROUTING, | ||
182 | .checkentry = masquerade_check, | 172 | .checkentry = masquerade_check, |
183 | .me = THIS_MODULE, | 173 | .me = THIS_MODULE, |
184 | }; | 174 | }; |
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c index b074467fe67b..836d67e66391 100644 --- a/net/ipv4/netfilter/ipt_NETMAP.c +++ b/net/ipv4/netfilter/ipt_NETMAP.c | |||
@@ -38,19 +38,6 @@ check(const char *tablename, | |||
38 | { | 38 | { |
39 | const struct ip_nat_multi_range_compat *mr = targinfo; | 39 | const struct ip_nat_multi_range_compat *mr = targinfo; |
40 | 40 | ||
41 | if (strcmp(tablename, "nat") != 0) { | ||
42 | DEBUGP(MODULENAME":check: bad table `%s'.\n", tablename); | ||
43 | return 0; | ||
44 | } | ||
45 | if (targinfosize != IPT_ALIGN(sizeof(*mr))) { | ||
46 | DEBUGP(MODULENAME":check: size %u.\n", targinfosize); | ||
47 | return 0; | ||
48 | } | ||
49 | if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) | | ||
50 | (1 << NF_IP_LOCAL_OUT))) { | ||
51 | DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask); | ||
52 | return 0; | ||
53 | } | ||
54 | if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { | 41 | if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { |
55 | DEBUGP(MODULENAME":check: bad MAP_IPS.\n"); | 42 | DEBUGP(MODULENAME":check: bad MAP_IPS.\n"); |
56 | return 0; | 43 | return 0; |
@@ -101,6 +88,10 @@ target(struct sk_buff **pskb, | |||
101 | static struct ipt_target target_module = { | 88 | static struct ipt_target target_module = { |
102 | .name = MODULENAME, | 89 | .name = MODULENAME, |
103 | .target = target, | 90 | .target = target, |
91 | .targetsize = sizeof(struct ip_nat_multi_range_compat), | ||
92 | .table = "nat", | ||
93 | .hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) | | ||
94 | (1 << NF_IP_LOCAL_OUT), | ||
104 | .checkentry = check, | 95 | .checkentry = check, |
105 | .me = THIS_MODULE | 96 | .me = THIS_MODULE |
106 | }; | 97 | }; |
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c index 140be51f2f01..cc165e09d0b8 100644 --- a/net/ipv4/netfilter/ipt_REDIRECT.c +++ b/net/ipv4/netfilter/ipt_REDIRECT.c | |||
@@ -40,18 +40,6 @@ redirect_check(const char *tablename, | |||
40 | { | 40 | { |
41 | const struct ip_nat_multi_range_compat *mr = targinfo; | 41 | const struct ip_nat_multi_range_compat *mr = targinfo; |
42 | 42 | ||
43 | if (strcmp(tablename, "nat") != 0) { | ||
44 | DEBUGP("redirect_check: bad table `%s'.\n", table); | ||
45 | return 0; | ||
46 | } | ||
47 | if (targinfosize != IPT_ALIGN(sizeof(*mr))) { | ||
48 | DEBUGP("redirect_check: size %u.\n", targinfosize); | ||
49 | return 0; | ||
50 | } | ||
51 | if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))) { | ||
52 | DEBUGP("redirect_check: bad hooks %x.\n", hook_mask); | ||
53 | return 0; | ||
54 | } | ||
55 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { | 43 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { |
56 | DEBUGP("redirect_check: bad MAP_IPS.\n"); | 44 | DEBUGP("redirect_check: bad MAP_IPS.\n"); |
57 | return 0; | 45 | return 0; |
@@ -115,6 +103,9 @@ redirect_target(struct sk_buff **pskb, | |||
115 | static struct ipt_target redirect_reg = { | 103 | static struct ipt_target redirect_reg = { |
116 | .name = "REDIRECT", | 104 | .name = "REDIRECT", |
117 | .target = redirect_target, | 105 | .target = redirect_target, |
106 | .targetsize = sizeof(struct ip_nat_multi_range_compat), | ||
107 | .table = "nat", | ||
108 | .hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT), | ||
118 | .checkentry = redirect_check, | 109 | .checkentry = redirect_check, |
119 | .me = THIS_MODULE, | 110 | .me = THIS_MODULE, |
120 | }; | 111 | }; |
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index 3eb47aae78c5..ddd6bd1b9776 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c | |||
@@ -290,23 +290,6 @@ static int check(const char *tablename, | |||
290 | const struct ipt_reject_info *rejinfo = targinfo; | 290 | const struct ipt_reject_info *rejinfo = targinfo; |
291 | const struct ipt_entry *e = e_void; | 291 | const struct ipt_entry *e = e_void; |
292 | 292 | ||
293 | if (targinfosize != IPT_ALIGN(sizeof(struct ipt_reject_info))) { | ||
294 | DEBUGP("REJECT: targinfosize %u != 0\n", targinfosize); | ||
295 | return 0; | ||
296 | } | ||
297 | |||
298 | /* Only allow these for packet filtering. */ | ||
299 | if (strcmp(tablename, "filter") != 0) { | ||
300 | DEBUGP("REJECT: bad table `%s'.\n", tablename); | ||
301 | return 0; | ||
302 | } | ||
303 | if ((hook_mask & ~((1 << NF_IP_LOCAL_IN) | ||
304 | | (1 << NF_IP_FORWARD) | ||
305 | | (1 << NF_IP_LOCAL_OUT))) != 0) { | ||
306 | DEBUGP("REJECT: bad hook mask %X\n", hook_mask); | ||
307 | return 0; | ||
308 | } | ||
309 | |||
310 | if (rejinfo->with == IPT_ICMP_ECHOREPLY) { | 293 | if (rejinfo->with == IPT_ICMP_ECHOREPLY) { |
311 | printk("REJECT: ECHOREPLY no longer supported.\n"); | 294 | printk("REJECT: ECHOREPLY no longer supported.\n"); |
312 | return 0; | 295 | return 0; |
@@ -318,13 +301,16 @@ static int check(const char *tablename, | |||
318 | return 0; | 301 | return 0; |
319 | } | 302 | } |
320 | } | 303 | } |
321 | |||
322 | return 1; | 304 | return 1; |
323 | } | 305 | } |
324 | 306 | ||
325 | static struct ipt_target ipt_reject_reg = { | 307 | static struct ipt_target ipt_reject_reg = { |
326 | .name = "REJECT", | 308 | .name = "REJECT", |
327 | .target = reject, | 309 | .target = reject, |
310 | .targetsize = sizeof(struct ipt_reject_info), | ||
311 | .table = "filter", | ||
312 | .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | | ||
313 | (1 << NF_IP_LOCAL_OUT), | ||
328 | .checkentry = check, | 314 | .checkentry = check, |
329 | .me = THIS_MODULE, | 315 | .me = THIS_MODULE, |
330 | }; | 316 | }; |
diff --git a/net/ipv4/netfilter/ipt_SAME.c b/net/ipv4/netfilter/ipt_SAME.c index a22de59bba0e..8743c3a70157 100644 --- a/net/ipv4/netfilter/ipt_SAME.c +++ b/net/ipv4/netfilter/ipt_SAME.c | |||
@@ -59,18 +59,6 @@ same_check(const char *tablename, | |||
59 | 59 | ||
60 | mr->ipnum = 0; | 60 | mr->ipnum = 0; |
61 | 61 | ||
62 | if (strcmp(tablename, "nat") != 0) { | ||
63 | DEBUGP("same_check: bad table `%s'.\n", tablename); | ||
64 | return 0; | ||
65 | } | ||
66 | if (targinfosize != IPT_ALIGN(sizeof(*mr))) { | ||
67 | DEBUGP("same_check: size %u.\n", targinfosize); | ||
68 | return 0; | ||
69 | } | ||
70 | if (hook_mask & ~(1 << NF_IP_PRE_ROUTING | 1 << NF_IP_POST_ROUTING)) { | ||
71 | DEBUGP("same_check: bad hooks %x.\n", hook_mask); | ||
72 | return 0; | ||
73 | } | ||
74 | if (mr->rangesize < 1) { | 62 | if (mr->rangesize < 1) { |
75 | DEBUGP("same_check: need at least one dest range.\n"); | 63 | DEBUGP("same_check: need at least one dest range.\n"); |
76 | return 0; | 64 | return 0; |
@@ -191,6 +179,9 @@ same_target(struct sk_buff **pskb, | |||
191 | static struct ipt_target same_reg = { | 179 | static struct ipt_target same_reg = { |
192 | .name = "SAME", | 180 | .name = "SAME", |
193 | .target = same_target, | 181 | .target = same_target, |
182 | .targetsize = sizeof(struct ipt_same_info), | ||
183 | .table = "nat", | ||
184 | .hooks = (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_POST_ROUTING), | ||
194 | .checkentry = same_check, | 185 | .checkentry = same_check, |
195 | .destroy = same_destroy, | 186 | .destroy = same_destroy, |
196 | .me = THIS_MODULE, | 187 | .me = THIS_MODULE, |
diff --git a/net/ipv4/netfilter/ipt_TCPMSS.c b/net/ipv4/netfilter/ipt_TCPMSS.c index c122841e182c..4be6e2bf26d2 100644 --- a/net/ipv4/netfilter/ipt_TCPMSS.c +++ b/net/ipv4/netfilter/ipt_TCPMSS.c | |||
@@ -218,13 +218,6 @@ ipt_tcpmss_checkentry(const char *tablename, | |||
218 | const struct ipt_tcpmss_info *tcpmssinfo = targinfo; | 218 | const struct ipt_tcpmss_info *tcpmssinfo = targinfo; |
219 | const struct ipt_entry *e = e_void; | 219 | const struct ipt_entry *e = e_void; |
220 | 220 | ||
221 | if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tcpmss_info))) { | ||
222 | DEBUGP("ipt_tcpmss_checkentry: targinfosize %u != %u\n", | ||
223 | targinfosize, IPT_ALIGN(sizeof(struct ipt_tcpmss_info))); | ||
224 | return 0; | ||
225 | } | ||
226 | |||
227 | |||
228 | if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) && | 221 | if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) && |
229 | ((hook_mask & ~((1 << NF_IP_FORWARD) | 222 | ((hook_mask & ~((1 << NF_IP_FORWARD) |
230 | | (1 << NF_IP_LOCAL_OUT) | 223 | | (1 << NF_IP_LOCAL_OUT) |
@@ -233,11 +226,8 @@ ipt_tcpmss_checkentry(const char *tablename, | |||
233 | return 0; | 226 | return 0; |
234 | } | 227 | } |
235 | 228 | ||
236 | if (e->ip.proto == IPPROTO_TCP | 229 | if (IPT_MATCH_ITERATE(e, find_syn_match)) |
237 | && !(e->ip.invflags & IPT_INV_PROTO) | ||
238 | && IPT_MATCH_ITERATE(e, find_syn_match)) | ||
239 | return 1; | 230 | return 1; |
240 | |||
241 | printk("TCPMSS: Only works on TCP SYN packets\n"); | 231 | printk("TCPMSS: Only works on TCP SYN packets\n"); |
242 | return 0; | 232 | return 0; |
243 | } | 233 | } |
@@ -245,6 +235,8 @@ ipt_tcpmss_checkentry(const char *tablename, | |||
245 | static struct ipt_target ipt_tcpmss_reg = { | 235 | static struct ipt_target ipt_tcpmss_reg = { |
246 | .name = "TCPMSS", | 236 | .name = "TCPMSS", |
247 | .target = ipt_tcpmss_target, | 237 | .target = ipt_tcpmss_target, |
238 | .targetsize = sizeof(struct ipt_tcpmss_info), | ||
239 | .proto = IPPROTO_TCP, | ||
248 | .checkentry = ipt_tcpmss_checkentry, | 240 | .checkentry = ipt_tcpmss_checkentry, |
249 | .me = THIS_MODULE, | 241 | .me = THIS_MODULE, |
250 | }; | 242 | }; |
diff --git a/net/ipv4/netfilter/ipt_TOS.c b/net/ipv4/netfilter/ipt_TOS.c index 3a44a56db239..6568e3e30e47 100644 --- a/net/ipv4/netfilter/ipt_TOS.c +++ b/net/ipv4/netfilter/ipt_TOS.c | |||
@@ -59,18 +59,6 @@ checkentry(const char *tablename, | |||
59 | { | 59 | { |
60 | const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos; | 60 | const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos; |
61 | 61 | ||
62 | if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tos_target_info))) { | ||
63 | printk(KERN_WARNING "TOS: targinfosize %u != %Zu\n", | ||
64 | targinfosize, | ||
65 | IPT_ALIGN(sizeof(struct ipt_tos_target_info))); | ||
66 | return 0; | ||
67 | } | ||
68 | |||
69 | if (strcmp(tablename, "mangle") != 0) { | ||
70 | printk(KERN_WARNING "TOS: can only be called from \"mangle\" table, not \"%s\"\n", tablename); | ||
71 | return 0; | ||
72 | } | ||
73 | |||
74 | if (tos != IPTOS_LOWDELAY | 62 | if (tos != IPTOS_LOWDELAY |
75 | && tos != IPTOS_THROUGHPUT | 63 | && tos != IPTOS_THROUGHPUT |
76 | && tos != IPTOS_RELIABILITY | 64 | && tos != IPTOS_RELIABILITY |
@@ -79,13 +67,14 @@ checkentry(const char *tablename, | |||
79 | printk(KERN_WARNING "TOS: bad tos value %#x\n", tos); | 67 | printk(KERN_WARNING "TOS: bad tos value %#x\n", tos); |
80 | return 0; | 68 | return 0; |
81 | } | 69 | } |
82 | |||
83 | return 1; | 70 | return 1; |
84 | } | 71 | } |
85 | 72 | ||
86 | static struct ipt_target ipt_tos_reg = { | 73 | static struct ipt_target ipt_tos_reg = { |
87 | .name = "TOS", | 74 | .name = "TOS", |
88 | .target = target, | 75 | .target = target, |
76 | .targetsize = sizeof(struct ipt_tos_target_info), | ||
77 | .table = "mangle", | ||
89 | .checkentry = checkentry, | 78 | .checkentry = checkentry, |
90 | .me = THIS_MODULE, | 79 | .me = THIS_MODULE, |
91 | }; | 80 | }; |
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c index b769eb231970..61d94e096939 100644 --- a/net/ipv4/netfilter/ipt_TTL.c +++ b/net/ipv4/netfilter/ipt_TTL.c | |||
@@ -73,34 +73,21 @@ static int ipt_ttl_checkentry(const char *tablename, | |||
73 | { | 73 | { |
74 | struct ipt_TTL_info *info = targinfo; | 74 | struct ipt_TTL_info *info = targinfo; |
75 | 75 | ||
76 | if (targinfosize != IPT_ALIGN(sizeof(struct ipt_TTL_info))) { | ||
77 | printk(KERN_WARNING "ipt_TTL: targinfosize %u != %Zu\n", | ||
78 | targinfosize, | ||
79 | IPT_ALIGN(sizeof(struct ipt_TTL_info))); | ||
80 | return 0; | ||
81 | } | ||
82 | |||
83 | if (strcmp(tablename, "mangle")) { | ||
84 | printk(KERN_WARNING "ipt_TTL: can only be called from " | ||
85 | "\"mangle\" table, not \"%s\"\n", tablename); | ||
86 | return 0; | ||
87 | } | ||
88 | |||
89 | if (info->mode > IPT_TTL_MAXMODE) { | 76 | if (info->mode > IPT_TTL_MAXMODE) { |
90 | printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", | 77 | printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", |
91 | info->mode); | 78 | info->mode); |
92 | return 0; | 79 | return 0; |
93 | } | 80 | } |
94 | |||
95 | if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) | 81 | if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) |
96 | return 0; | 82 | return 0; |
97 | |||
98 | return 1; | 83 | return 1; |
99 | } | 84 | } |
100 | 85 | ||
101 | static struct ipt_target ipt_TTL = { | 86 | static struct ipt_target ipt_TTL = { |
102 | .name = "TTL", | 87 | .name = "TTL", |
103 | .target = ipt_ttl_target, | 88 | .target = ipt_ttl_target, |
89 | .targetsize = sizeof(struct ipt_TTL_info), | ||
90 | .table = "mangle", | ||
104 | .checkentry = ipt_ttl_checkentry, | 91 | .checkentry = ipt_ttl_checkentry, |
105 | .me = THIS_MODULE, | 92 | .me = THIS_MODULE, |
106 | }; | 93 | }; |
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index 180a9ea57b69..c95e7e9f74ff 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c | |||
@@ -345,36 +345,30 @@ static int ipt_ulog_checkentry(const char *tablename, | |||
345 | { | 345 | { |
346 | struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo; | 346 | struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo; |
347 | 347 | ||
348 | if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ulog_info))) { | ||
349 | DEBUGP("ipt_ULOG: targinfosize %u != 0\n", targinfosize); | ||
350 | return 0; | ||
351 | } | ||
352 | |||
353 | if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { | 348 | if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { |
354 | DEBUGP("ipt_ULOG: prefix term %i\n", | 349 | DEBUGP("ipt_ULOG: prefix term %i\n", |
355 | loginfo->prefix[sizeof(loginfo->prefix) - 1]); | 350 | loginfo->prefix[sizeof(loginfo->prefix) - 1]); |
356 | return 0; | 351 | return 0; |
357 | } | 352 | } |
358 | |||
359 | if (loginfo->qthreshold > ULOG_MAX_QLEN) { | 353 | if (loginfo->qthreshold > ULOG_MAX_QLEN) { |
360 | DEBUGP("ipt_ULOG: queue threshold %i > MAX_QLEN\n", | 354 | DEBUGP("ipt_ULOG: queue threshold %i > MAX_QLEN\n", |
361 | loginfo->qthreshold); | 355 | loginfo->qthreshold); |
362 | return 0; | 356 | return 0; |
363 | } | 357 | } |
364 | |||
365 | return 1; | 358 | return 1; |
366 | } | 359 | } |
367 | 360 | ||
368 | static struct ipt_target ipt_ulog_reg = { | 361 | static struct ipt_target ipt_ulog_reg = { |
369 | .name = "ULOG", | 362 | .name = "ULOG", |
370 | .target = ipt_ulog_target, | 363 | .target = ipt_ulog_target, |
364 | .targetsize = sizeof(struct ipt_ulog_info), | ||
371 | .checkentry = ipt_ulog_checkentry, | 365 | .checkentry = ipt_ulog_checkentry, |
372 | .me = THIS_MODULE, | 366 | .me = THIS_MODULE, |
373 | }; | 367 | }; |
374 | 368 | ||
375 | static struct nf_logger ipt_ulog_logger = { | 369 | static struct nf_logger ipt_ulog_logger = { |
376 | .name = "ipt_ULOG", | 370 | .name = "ipt_ULOG", |
377 | .logfn = &ipt_logfn, | 371 | .logfn = ipt_logfn, |
378 | .me = THIS_MODULE, | 372 | .me = THIS_MODULE, |
379 | }; | 373 | }; |
380 | 374 | ||
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c index d6b83a976518..ad5dc4658022 100644 --- a/net/ipv4/netfilter/ipt_addrtype.c +++ b/net/ipv4/netfilter/ipt_addrtype.c | |||
@@ -43,23 +43,10 @@ static int match(const struct sk_buff *skb, const struct net_device *in, | |||
43 | return ret; | 43 | return ret; |
44 | } | 44 | } |
45 | 45 | ||
46 | static int checkentry(const char *tablename, const void *ip, | ||
47 | void *matchinfo, unsigned int matchsize, | ||
48 | unsigned int hook_mask) | ||
49 | { | ||
50 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_addrtype_info))) { | ||
51 | printk(KERN_ERR "ipt_addrtype: invalid size (%u != %Zu)\n", | ||
52 | matchsize, IPT_ALIGN(sizeof(struct ipt_addrtype_info))); | ||
53 | return 0; | ||
54 | } | ||
55 | |||
56 | return 1; | ||
57 | } | ||
58 | |||
59 | static struct ipt_match addrtype_match = { | 46 | static struct ipt_match addrtype_match = { |
60 | .name = "addrtype", | 47 | .name = "addrtype", |
61 | .match = match, | 48 | .match = match, |
62 | .checkentry = checkentry, | 49 | .matchsize = sizeof(struct ipt_addrtype_info), |
63 | .me = THIS_MODULE | 50 | .me = THIS_MODULE |
64 | }; | 51 | }; |
65 | 52 | ||
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c index 144adfec13cc..a33eeea38e1d 100644 --- a/net/ipv4/netfilter/ipt_ah.c +++ b/net/ipv4/netfilter/ipt_ah.c | |||
@@ -76,32 +76,21 @@ checkentry(const char *tablename, | |||
76 | unsigned int hook_mask) | 76 | unsigned int hook_mask) |
77 | { | 77 | { |
78 | const struct ipt_ah *ahinfo = matchinfo; | 78 | const struct ipt_ah *ahinfo = matchinfo; |
79 | const struct ipt_ip *ip = ip_void; | ||
80 | 79 | ||
81 | /* Must specify proto == AH, and no unknown invflags */ | 80 | /* Must specify no unknown invflags */ |
82 | if (ip->proto != IPPROTO_AH || (ip->invflags & IPT_INV_PROTO)) { | ||
83 | duprintf("ipt_ah: Protocol %u != %u\n", ip->proto, | ||
84 | IPPROTO_AH); | ||
85 | return 0; | ||
86 | } | ||
87 | if (matchinfosize != IPT_ALIGN(sizeof(struct ipt_ah))) { | ||
88 | duprintf("ipt_ah: matchsize %u != %u\n", | ||
89 | matchinfosize, IPT_ALIGN(sizeof(struct ipt_ah))); | ||
90 | return 0; | ||
91 | } | ||
92 | if (ahinfo->invflags & ~IPT_AH_INV_MASK) { | 81 | if (ahinfo->invflags & ~IPT_AH_INV_MASK) { |
93 | duprintf("ipt_ah: unknown flags %X\n", | 82 | duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags); |
94 | ahinfo->invflags); | ||
95 | return 0; | 83 | return 0; |
96 | } | 84 | } |
97 | |||
98 | return 1; | 85 | return 1; |
99 | } | 86 | } |
100 | 87 | ||
101 | static struct ipt_match ah_match = { | 88 | static struct ipt_match ah_match = { |
102 | .name = "ah", | 89 | .name = "ah", |
103 | .match = &match, | 90 | .match = match, |
104 | .checkentry = &checkentry, | 91 | .matchsize = sizeof(struct ipt_ah), |
92 | .proto = IPPROTO_AH, | ||
93 | .checkentry = checkentry, | ||
105 | .me = THIS_MODULE, | 94 | .me = THIS_MODULE, |
106 | }; | 95 | }; |
107 | 96 | ||
diff --git a/net/ipv4/netfilter/ipt_dscp.c b/net/ipv4/netfilter/ipt_dscp.c index 92063b4f8602..e7889ba22f4c 100644 --- a/net/ipv4/netfilter/ipt_dscp.c +++ b/net/ipv4/netfilter/ipt_dscp.c | |||
@@ -31,20 +31,10 @@ static int match(const struct sk_buff *skb, const struct net_device *in, | |||
31 | return ((iph->tos&IPT_DSCP_MASK) == sh_dscp) ^ info->invert; | 31 | return ((iph->tos&IPT_DSCP_MASK) == sh_dscp) ^ info->invert; |
32 | } | 32 | } |
33 | 33 | ||
34 | static int checkentry(const char *tablename, const void *ip, | ||
35 | void *matchinfo, unsigned int matchsize, | ||
36 | unsigned int hook_mask) | ||
37 | { | ||
38 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_dscp_info))) | ||
39 | return 0; | ||
40 | |||
41 | return 1; | ||
42 | } | ||
43 | |||
44 | static struct ipt_match dscp_match = { | 34 | static struct ipt_match dscp_match = { |
45 | .name = "dscp", | 35 | .name = "dscp", |
46 | .match = &match, | 36 | .match = match, |
47 | .checkentry = &checkentry, | 37 | .matchsize = sizeof(struct ipt_dscp_info), |
48 | .me = THIS_MODULE, | 38 | .me = THIS_MODULE, |
49 | }; | 39 | }; |
50 | 40 | ||
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c index e68b0c7981f0..723957f77310 100644 --- a/net/ipv4/netfilter/ipt_ecn.c +++ b/net/ipv4/netfilter/ipt_ecn.c | |||
@@ -92,9 +92,6 @@ static int checkentry(const char *tablename, const void *ip_void, | |||
92 | const struct ipt_ecn_info *info = matchinfo; | 92 | const struct ipt_ecn_info *info = matchinfo; |
93 | const struct ipt_ip *ip = ip_void; | 93 | const struct ipt_ip *ip = ip_void; |
94 | 94 | ||
95 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_ecn_info))) | ||
96 | return 0; | ||
97 | |||
98 | if (info->operation & IPT_ECN_OP_MATCH_MASK) | 95 | if (info->operation & IPT_ECN_OP_MATCH_MASK) |
99 | return 0; | 96 | return 0; |
100 | 97 | ||
@@ -113,8 +110,9 @@ static int checkentry(const char *tablename, const void *ip_void, | |||
113 | 110 | ||
114 | static struct ipt_match ecn_match = { | 111 | static struct ipt_match ecn_match = { |
115 | .name = "ecn", | 112 | .name = "ecn", |
116 | .match = &match, | 113 | .match = match, |
117 | .checkentry = &checkentry, | 114 | .matchsize = sizeof(struct ipt_ecn_info), |
115 | .checkentry = checkentry, | ||
118 | .me = THIS_MODULE, | 116 | .me = THIS_MODULE, |
119 | }; | 117 | }; |
120 | 118 | ||
diff --git a/net/ipv4/netfilter/ipt_esp.c b/net/ipv4/netfilter/ipt_esp.c index 9de191a8162d..984fa4862ce9 100644 --- a/net/ipv4/netfilter/ipt_esp.c +++ b/net/ipv4/netfilter/ipt_esp.c | |||
@@ -77,32 +77,21 @@ checkentry(const char *tablename, | |||
77 | unsigned int hook_mask) | 77 | unsigned int hook_mask) |
78 | { | 78 | { |
79 | const struct ipt_esp *espinfo = matchinfo; | 79 | const struct ipt_esp *espinfo = matchinfo; |
80 | const struct ipt_ip *ip = ip_void; | ||
81 | 80 | ||
82 | /* Must specify proto == ESP, and no unknown invflags */ | 81 | /* Must specify no unknown invflags */ |
83 | if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) { | ||
84 | duprintf("ipt_esp: Protocol %u != %u\n", ip->proto, | ||
85 | IPPROTO_ESP); | ||
86 | return 0; | ||
87 | } | ||
88 | if (matchinfosize != IPT_ALIGN(sizeof(struct ipt_esp))) { | ||
89 | duprintf("ipt_esp: matchsize %u != %u\n", | ||
90 | matchinfosize, IPT_ALIGN(sizeof(struct ipt_esp))); | ||
91 | return 0; | ||
92 | } | ||
93 | if (espinfo->invflags & ~IPT_ESP_INV_MASK) { | 82 | if (espinfo->invflags & ~IPT_ESP_INV_MASK) { |
94 | duprintf("ipt_esp: unknown flags %X\n", | 83 | duprintf("ipt_esp: unknown flags %X\n", espinfo->invflags); |
95 | espinfo->invflags); | ||
96 | return 0; | 84 | return 0; |
97 | } | 85 | } |
98 | |||
99 | return 1; | 86 | return 1; |
100 | } | 87 | } |
101 | 88 | ||
102 | static struct ipt_match esp_match = { | 89 | static struct ipt_match esp_match = { |
103 | .name = "esp", | 90 | .name = "esp", |
104 | .match = &match, | 91 | .match = match, |
105 | .checkentry = &checkentry, | 92 | .matchsize = sizeof(struct ipt_esp), |
93 | .proto = IPPROTO_ESP, | ||
94 | .checkentry = checkentry, | ||
106 | .me = THIS_MODULE, | 95 | .me = THIS_MODULE, |
107 | }; | 96 | }; |
108 | 97 | ||
diff --git a/net/ipv4/netfilter/ipt_hashlimit.c b/net/ipv4/netfilter/ipt_hashlimit.c index 4fe48c1bd5f3..156d9c255b2b 100644 --- a/net/ipv4/netfilter/ipt_hashlimit.c +++ b/net/ipv4/netfilter/ipt_hashlimit.c | |||
@@ -512,9 +512,6 @@ hashlimit_checkentry(const char *tablename, | |||
512 | { | 512 | { |
513 | struct ipt_hashlimit_info *r = matchinfo; | 513 | struct ipt_hashlimit_info *r = matchinfo; |
514 | 514 | ||
515 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_hashlimit_info))) | ||
516 | return 0; | ||
517 | |||
518 | /* Check for overflow. */ | 515 | /* Check for overflow. */ |
519 | if (r->cfg.burst == 0 | 516 | if (r->cfg.burst == 0 |
520 | || user2credits(r->cfg.avg * r->cfg.burst) < | 517 | || user2credits(r->cfg.avg * r->cfg.burst) < |
@@ -565,12 +562,13 @@ hashlimit_destroy(void *matchinfo, unsigned int matchsize) | |||
565 | htable_put(r->hinfo); | 562 | htable_put(r->hinfo); |
566 | } | 563 | } |
567 | 564 | ||
568 | static struct ipt_match ipt_hashlimit = { | 565 | static struct ipt_match ipt_hashlimit = { |
569 | .name = "hashlimit", | 566 | .name = "hashlimit", |
570 | .match = hashlimit_match, | 567 | .match = hashlimit_match, |
571 | .checkentry = hashlimit_checkentry, | 568 | .matchsize = sizeof(struct ipt_hashlimit_info), |
572 | .destroy = hashlimit_destroy, | 569 | .checkentry = hashlimit_checkentry, |
573 | .me = THIS_MODULE | 570 | .destroy = hashlimit_destroy, |
571 | .me = THIS_MODULE | ||
574 | }; | 572 | }; |
575 | 573 | ||
576 | /* PROC stuff */ | 574 | /* PROC stuff */ |
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/ipv4/netfilter/ipt_iprange.c index 13fb16fb7892..0885ff5d0db7 100644 --- a/net/ipv4/netfilter/ipt_iprange.c +++ b/net/ipv4/netfilter/ipt_iprange.c | |||
@@ -62,27 +62,12 @@ match(const struct sk_buff *skb, | |||
62 | return 1; | 62 | return 1; |
63 | } | 63 | } |
64 | 64 | ||
65 | static int check(const char *tablename, | 65 | static struct ipt_match iprange_match = { |
66 | const void *inf, | 66 | .name = "iprange", |
67 | void *matchinfo, | 67 | .match = match, |
68 | unsigned int matchsize, | 68 | .matchsize = sizeof(struct ipt_iprange_info), |
69 | unsigned int hook_mask) | 69 | .destroy = NULL, |
70 | { | 70 | .me = THIS_MODULE |
71 | /* verify size */ | ||
72 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_iprange_info))) | ||
73 | return 0; | ||
74 | |||
75 | return 1; | ||
76 | } | ||
77 | |||
78 | static struct ipt_match iprange_match = | ||
79 | { | ||
80 | .list = { NULL, NULL }, | ||
81 | .name = "iprange", | ||
82 | .match = &match, | ||
83 | .checkentry = &check, | ||
84 | .destroy = NULL, | ||
85 | .me = THIS_MODULE | ||
86 | }; | 71 | }; |
87 | 72 | ||
88 | static int __init init(void) | 73 | static int __init init(void) |
diff --git a/net/ipv4/netfilter/ipt_multiport.c b/net/ipv4/netfilter/ipt_multiport.c index 2d52326553f1..8f1684c3e5c6 100644 --- a/net/ipv4/netfilter/ipt_multiport.c +++ b/net/ipv4/netfilter/ipt_multiport.c | |||
@@ -153,40 +153,19 @@ match_v1(const struct sk_buff *skb, | |||
153 | return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); | 153 | return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); |
154 | } | 154 | } |
155 | 155 | ||
156 | /* Called when user tries to insert an entry of this type. */ | ||
157 | static int | ||
158 | checkentry(const char *tablename, | ||
159 | const void *ip, | ||
160 | void *matchinfo, | ||
161 | unsigned int matchsize, | ||
162 | unsigned int hook_mask) | ||
163 | { | ||
164 | return (matchsize == IPT_ALIGN(sizeof(struct ipt_multiport))); | ||
165 | } | ||
166 | |||
167 | static int | ||
168 | checkentry_v1(const char *tablename, | ||
169 | const void *ip, | ||
170 | void *matchinfo, | ||
171 | unsigned int matchsize, | ||
172 | unsigned int hook_mask) | ||
173 | { | ||
174 | return (matchsize == IPT_ALIGN(sizeof(struct ipt_multiport_v1))); | ||
175 | } | ||
176 | |||
177 | static struct ipt_match multiport_match = { | 156 | static struct ipt_match multiport_match = { |
178 | .name = "multiport", | 157 | .name = "multiport", |
179 | .revision = 0, | 158 | .revision = 0, |
180 | .match = &match, | 159 | .match = match, |
181 | .checkentry = &checkentry, | 160 | .matchsize = sizeof(struct ipt_multiport), |
182 | .me = THIS_MODULE, | 161 | .me = THIS_MODULE, |
183 | }; | 162 | }; |
184 | 163 | ||
185 | static struct ipt_match multiport_match_v1 = { | 164 | static struct ipt_match multiport_match_v1 = { |
186 | .name = "multiport", | 165 | .name = "multiport", |
187 | .revision = 1, | 166 | .revision = 1, |
188 | .match = &match_v1, | 167 | .match = match_v1, |
189 | .checkentry = &checkentry_v1, | 168 | .matchsize = sizeof(struct ipt_multiport_v1), |
190 | .me = THIS_MODULE, | 169 | .me = THIS_MODULE, |
191 | }; | 170 | }; |
192 | 171 | ||
diff --git a/net/ipv4/netfilter/ipt_owner.c b/net/ipv4/netfilter/ipt_owner.c index 4843d0c9734f..18adc1d214d4 100644 --- a/net/ipv4/netfilter/ipt_owner.c +++ b/net/ipv4/netfilter/ipt_owner.c | |||
@@ -59,31 +59,20 @@ checkentry(const char *tablename, | |||
59 | { | 59 | { |
60 | const struct ipt_owner_info *info = matchinfo; | 60 | const struct ipt_owner_info *info = matchinfo; |
61 | 61 | ||
62 | if (hook_mask | ||
63 | & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING))) { | ||
64 | printk("ipt_owner: only valid for LOCAL_OUT or POST_ROUTING.\n"); | ||
65 | return 0; | ||
66 | } | ||
67 | |||
68 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_owner_info))) { | ||
69 | printk("Matchsize %u != %Zu\n", matchsize, | ||
70 | IPT_ALIGN(sizeof(struct ipt_owner_info))); | ||
71 | return 0; | ||
72 | } | ||
73 | |||
74 | if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) { | 62 | if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) { |
75 | printk("ipt_owner: pid, sid and command matching " | 63 | printk("ipt_owner: pid, sid and command matching " |
76 | "not supported anymore\n"); | 64 | "not supported anymore\n"); |
77 | return 0; | 65 | return 0; |
78 | } | 66 | } |
79 | |||
80 | return 1; | 67 | return 1; |
81 | } | 68 | } |
82 | 69 | ||
83 | static struct ipt_match owner_match = { | 70 | static struct ipt_match owner_match = { |
84 | .name = "owner", | 71 | .name = "owner", |
85 | .match = &match, | 72 | .match = match, |
86 | .checkentry = &checkentry, | 73 | .matchsize = sizeof(struct ipt_owner_info), |
74 | .hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING), | ||
75 | .checkentry = checkentry, | ||
87 | .me = THIS_MODULE, | 76 | .me = THIS_MODULE, |
88 | }; | 77 | }; |
89 | 78 | ||
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c index 5a7a265280f9..3fa6607c0c6c 100644 --- a/net/ipv4/netfilter/ipt_policy.c +++ b/net/ipv4/netfilter/ipt_policy.c | |||
@@ -125,11 +125,6 @@ static int checkentry(const char *tablename, const void *ip_void, | |||
125 | { | 125 | { |
126 | struct ipt_policy_info *info = matchinfo; | 126 | struct ipt_policy_info *info = matchinfo; |
127 | 127 | ||
128 | if (matchsize != IPT_ALIGN(sizeof(*info))) { | ||
129 | printk(KERN_ERR "ipt_policy: matchsize %u != %zu\n", | ||
130 | matchsize, IPT_ALIGN(sizeof(*info))); | ||
131 | return 0; | ||
132 | } | ||
133 | if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))) { | 128 | if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))) { |
134 | printk(KERN_ERR "ipt_policy: neither incoming nor " | 129 | printk(KERN_ERR "ipt_policy: neither incoming nor " |
135 | "outgoing policy selected\n"); | 130 | "outgoing policy selected\n"); |
@@ -158,6 +153,7 @@ static int checkentry(const char *tablename, const void *ip_void, | |||
158 | static struct ipt_match policy_match = { | 153 | static struct ipt_match policy_match = { |
159 | .name = "policy", | 154 | .name = "policy", |
160 | .match = match, | 155 | .match = match, |
156 | .matchsize = sizeof(struct ipt_policy_info), | ||
161 | .checkentry = checkentry, | 157 | .checkentry = checkentry, |
162 | .me = THIS_MODULE, | 158 | .me = THIS_MODULE, |
163 | }; | 159 | }; |
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c index 44611d6d14f5..e2ccd4295344 100644 --- a/net/ipv4/netfilter/ipt_recent.c +++ b/net/ipv4/netfilter/ipt_recent.c | |||
@@ -670,8 +670,6 @@ checkentry(const char *tablename, | |||
670 | if(debug) printk(KERN_INFO RECENT_NAME ": checkentry() entered.\n"); | 670 | if(debug) printk(KERN_INFO RECENT_NAME ": checkentry() entered.\n"); |
671 | #endif | 671 | #endif |
672 | 672 | ||
673 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_recent_info))) return 0; | ||
674 | |||
675 | /* seconds and hit_count only valid for CHECK/UPDATE */ | 673 | /* seconds and hit_count only valid for CHECK/UPDATE */ |
676 | if(info->check_set & IPT_RECENT_SET) { flag++; if(info->seconds || info->hit_count) return 0; } | 674 | if(info->check_set & IPT_RECENT_SET) { flag++; if(info->seconds || info->hit_count) return 0; } |
677 | if(info->check_set & IPT_RECENT_REMOVE) { flag++; if(info->seconds || info->hit_count) return 0; } | 675 | if(info->check_set & IPT_RECENT_REMOVE) { flag++; if(info->seconds || info->hit_count) return 0; } |
@@ -951,12 +949,13 @@ destroy(void *matchinfo, unsigned int matchsize) | |||
951 | /* This is the structure we pass to ipt_register to register our | 949 | /* This is the structure we pass to ipt_register to register our |
952 | * module with iptables. | 950 | * module with iptables. |
953 | */ | 951 | */ |
954 | static struct ipt_match recent_match = { | 952 | static struct ipt_match recent_match = { |
955 | .name = "recent", | 953 | .name = "recent", |
956 | .match = &match, | 954 | .match = match, |
957 | .checkentry = &checkentry, | 955 | .matchsize = sizeof(struct ipt_recent_info), |
958 | .destroy = &destroy, | 956 | .checkentry = checkentry, |
959 | .me = THIS_MODULE | 957 | .destroy = destroy, |
958 | .me = THIS_MODULE | ||
960 | }; | 959 | }; |
961 | 960 | ||
962 | /* Kernel module initialization. */ | 961 | /* Kernel module initialization. */ |
diff --git a/net/ipv4/netfilter/ipt_tos.c b/net/ipv4/netfilter/ipt_tos.c index 9ab765e126f2..4675c786189b 100644 --- a/net/ipv4/netfilter/ipt_tos.c +++ b/net/ipv4/netfilter/ipt_tos.c | |||
@@ -31,23 +31,10 @@ match(const struct sk_buff *skb, | |||
31 | return (skb->nh.iph->tos == info->tos) ^ info->invert; | 31 | return (skb->nh.iph->tos == info->tos) ^ info->invert; |
32 | } | 32 | } |
33 | 33 | ||
34 | static int | ||
35 | checkentry(const char *tablename, | ||
36 | const void *ip, | ||
37 | void *matchinfo, | ||
38 | unsigned int matchsize, | ||
39 | unsigned int hook_mask) | ||
40 | { | ||
41 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_tos_info))) | ||
42 | return 0; | ||
43 | |||
44 | return 1; | ||
45 | } | ||
46 | |||
47 | static struct ipt_match tos_match = { | 34 | static struct ipt_match tos_match = { |
48 | .name = "tos", | 35 | .name = "tos", |
49 | .match = &match, | 36 | .match = match, |
50 | .checkentry = &checkentry, | 37 | .matchsize = sizeof(struct ipt_tos_info), |
51 | .me = THIS_MODULE, | 38 | .me = THIS_MODULE, |
52 | }; | 39 | }; |
53 | 40 | ||
diff --git a/net/ipv4/netfilter/ipt_ttl.c b/net/ipv4/netfilter/ipt_ttl.c index 82da53f430ab..bb694a0b361d 100644 --- a/net/ipv4/netfilter/ipt_ttl.c +++ b/net/ipv4/netfilter/ipt_ttl.c | |||
@@ -47,20 +47,10 @@ static int match(const struct sk_buff *skb, const struct net_device *in, | |||
47 | return 0; | 47 | return 0; |
48 | } | 48 | } |
49 | 49 | ||
50 | static int checkentry(const char *tablename, const void *ip, | ||
51 | void *matchinfo, unsigned int matchsize, | ||
52 | unsigned int hook_mask) | ||
53 | { | ||
54 | if (matchsize != IPT_ALIGN(sizeof(struct ipt_ttl_info))) | ||
55 | return 0; | ||
56 | |||
57 | return 1; | ||
58 | } | ||
59 | |||
60 | static struct ipt_match ttl_match = { | 50 | static struct ipt_match ttl_match = { |
61 | .name = "ttl", | 51 | .name = "ttl", |
62 | .match = &match, | 52 | .match = match, |
63 | .checkentry = &checkentry, | 53 | .matchsize = sizeof(struct ipt_ttl_info), |
64 | .me = THIS_MODULE, | 54 | .me = THIS_MODULE, |
65 | }; | 55 | }; |
66 | 56 | ||