netfilter: xtables: move extension arguments into compound structure (2/6)

This patch does this for match extensions' checkentry functions. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Jan Engelhardt <jengelh@medozas.de> 2008-10-08 05:35:18 -0400
committer: Patrick McHardy <kaber@trash.net> 2008-10-08 05:35:18 -0400
commit: 9b4fce7a3508a9776534188b6065b206a9608ccf (patch)
tree: 7df90f099a72738900deb93124ad86724a2df207 /net/ipv4
parent: f7108a20dee44e5bb037f9e48f6a207b42e6ae1c (diff)
4 files changed, 34 insertions, 45 deletions
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 99fdb59454fd..4147298a6a81 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -607,20 +607,20 @@ check_entry(struct ipt_entry *e, const char *name)
 }
 static int
-check_match(struct ipt_entry_match *m, const char *name,
+check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
-                              const struct ipt_ip *ip,
+            unsigned int *i)
-                              unsigned int hookmask, unsigned int *i)
 {
-        struct xt_match *match;
+        const struct ipt_ip *ip = par->entryinfo;
        int ret;
-        match = m->u.kernel.match;
+        par->match     = m->u.kernel.match;
-        ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
+        par->matchinfo = m->data;
-                             name, hookmask, ip->proto,
-                             ip->invflags & IPT_INV_PROTO, ip, m->data);
+        ret = xt_check_match(par, NFPROTO_IPV4, m->u.match_size - sizeof(*m),
+              ip->proto, ip->invflags & IPT_INV_PROTO);
        if (ret < 0) {
                duprintf("ip_tables: check failed for `%s'.\n",
-                         m->u.kernel.match->name);
+                         par.match->name);
                return ret;
        }
        ++*i;
@@ -628,10 +628,7 @@ check_match(struct ipt_entry_match *m, const char *name,
 }
 static int
-find_check_match(struct ipt_entry_match *m,
+find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
-                 const char *name,
-                 const struct ipt_ip *ip,
-                 unsigned int hookmask,
                 unsigned int *i)
 {
        struct xt_match *match;
@@ -646,7 +643,7 @@ find_check_match(struct ipt_entry_match *m,
        }
        m->u.kernel.match = match;
-        ret = check_match(m, name, ip, hookmask, i);
+        ret = check_match(m, par, i);
        if (ret)
                goto err;
@@ -683,14 +680,17 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
        struct xt_target *target;
        int ret;
        unsigned int j;
+        struct xt_mtchk_param mtpar;
        ret = check_entry(e, name);
        if (ret)
                return ret;
        j = 0;
-        ret = IPT_MATCH_ITERATE(e, find_check_match, name, &e->ip,
+        mtpar.table     = name;
-                                e->comefrom, &j);
+        mtpar.entryinfo = &e->ip;
+        mtpar.hook_mask = e->comefrom;
+        ret = IPT_MATCH_ITERATE(e, find_check_match, &mtpar, &j);
        if (ret != 0)
                goto cleanup_matches;
@@ -1644,12 +1644,15 @@ static int
 compat_check_entry(struct ipt_entry *e, const char *name,
                                     unsigned int *i)
 {
+        struct xt_mtchk_param mtpar;
        unsigned int j;
        int ret;
        j = 0;
-        ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip,
+        mtpar.table     = name;
-                                e->comefrom, &j);
+        mtpar.entryinfo = &e->ip;
+        mtpar.hook_mask = e->comefrom;
+        ret = IPT_MATCH_ITERATE(e, check_match, &mtpar, &j);
        if (ret)
                goto cleanup_matches;
@@ -2144,15 +2147,9 @@ icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
                                    !!(icmpinfo->invflags&IPT_ICMP_INV));
 }
-/* Called when user tries to insert an entry of this type. */
+static bool icmp_checkentry(const struct xt_mtchk_param *par)
-static bool
-icmp_checkentry(const char *tablename,
-           const void *entry,
-           const struct xt_match *match,
-           void *matchinfo,
-           unsigned int hook_mask)
 {
-        const struct ipt_icmp *icmpinfo = matchinfo;
+        const struct ipt_icmp *icmpinfo = par->matchinfo;
        /* Must specify no unknown invflags */
        return !(icmpinfo->invflags & ~IPT_ICMP_INV);
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index e60995e4c20c..88762f02779d 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -68,12 +68,9 @@ addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool
+static bool addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
-addrtype_mt_checkentry_v1(const char *tablename, const void *ip_void,
-                          const struct xt_match *match, void *matchinfo,
-                          unsigned int hook_mask)
 {
-        struct ipt_addrtype_info_v1 *info = matchinfo;
+        struct ipt_addrtype_info_v1 *info = par->matchinfo;
        if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&
            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
@@ -82,14 +79,16 @@ addrtype_mt_checkentry_v1(const char *tablename, const void *ip_void,
                return false;
        }
-        if (hook_mask & (1 << NF_INET_PRE_ROUTING | 1 << NF_INET_LOCAL_IN) &&
+        if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
+            (1 << NF_INET_LOCAL_IN)) &&
            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
                printk(KERN_ERR "ipt_addrtype: output interface limitation "
                                "not valid in PRE_ROUTING and INPUT\n");
                return false;
        }
-        if (hook_mask & (1 << NF_INET_POST_ROUTING | 1 << NF_INET_LOCAL_OUT) &&
+        if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
+            (1 << NF_INET_LOCAL_OUT)) &&
            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
                printk(KERN_ERR "ipt_addrtype: input interface limitation "
                                "not valid in POST_ROUTING and OUTPUT\n");
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 2fce19ef4f3f..0104c0b399de 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -61,13 +61,9 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                         !!(ahinfo->invflags & IPT_AH_INV_SPI));
 }
-/* Called when user tries to insert an entry of this type. */
+static bool ah_mt_check(const struct xt_mtchk_param *par)
-static bool
-ah_mt_check(const char *tablename, const void *ip_void,
-            const struct xt_match *match, void *matchinfo,
-            unsigned int hook_mask)
 {
-        const struct ipt_ah *ahinfo = matchinfo;
+        const struct ipt_ah *ahinfo = par->matchinfo;
        /* Must specify no unknown invflags */
        if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 069154631508..6289b64144c6 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -85,13 +85,10 @@ static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool
+static bool ecn_mt_check(const struct xt_mtchk_param *par)
-ecn_mt_check(const char *tablename, const void *ip_void,
-             const struct xt_match *match, void *matchinfo,
-             unsigned int hook_mask)
 {
-        const struct ipt_ecn_info *info = matchinfo;
+        const struct ipt_ecn_info *info = par->matchinfo;
-        const struct ipt_ip *ip = ip_void;
+        const struct ipt_ip *ip = par->entryinfo;
        if (info->operation & IPT_ECN_OP_MATCH_MASK)
                return false;
author	Jan Engelhardt <jengelh@medozas.de>	2008-10-08 05:35:18 -0400
committer	Patrick McHardy <kaber@trash.net>	2008-10-08 05:35:18 -0400
commit	9b4fce7a3508a9776534188b6065b206a9608ccf (patch)
tree	7df90f099a72738900deb93124ad86724a2df207 /net/ipv4
parent	f7108a20dee44e5bb037f9e48f6a207b42e6ae1c (diff)

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 99fdb59454fd..4147298a6a81 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c
@@ -607,20 +607,20 @@ check_entry(struct ipt_entry e, const char name)
607	}	607	}
608		608
609	static int	609	static int
610	check_match(struct ipt_entry_match m, const char name,	610	check_match(struct ipt_entry_match m, struct xt_mtchk_param par,
611	const struct ipt_ip *ip,	611	unsigned int *i)
612	unsigned int hookmask, unsigned int *i)
613	{	612	{
614	struct xt_match *match;	613	const struct ipt_ip *ip = par->entryinfo;
615	int ret;	614	int ret;
616		615
617	match = m->u.kernel.match;	616	par->match = m->u.kernel.match;
618	ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),	617	par->matchinfo = m->data;
619	name, hookmask, ip->proto,	618
620	ip->invflags & IPT_INV_PROTO, ip, m->data);	619	ret = xt_check_match(par, NFPROTO_IPV4, m->u.match_size - sizeof(*m),
		620	ip->proto, ip->invflags & IPT_INV_PROTO);
621	if (ret < 0) {	621	if (ret < 0) {
622	duprintf("ip_tables: check failed for `%s'.\n",	622	duprintf("ip_tables: check failed for `%s'.\n",
623	m->u.kernel.match->name);	623	par.match->name);
624	return ret;	624	return ret;
625	}	625	}
626	++*i;	626	++*i;
@@ -628,10 +628,7 @@ check_match(struct ipt_entry_match m, const char name,
628	}	628	}
629		629
630	static int	630	static int
631	find_check_match(struct ipt_entry_match *m,	631	find_check_match(struct ipt_entry_match m, struct xt_mtchk_param par,
632	const char *name,
633	const struct ipt_ip *ip,
634	unsigned int hookmask,
635	unsigned int *i)	632	unsigned int *i)
636	{	633	{
637	struct xt_match *match;	634	struct xt_match *match;
@@ -646,7 +643,7 @@ find_check_match(struct ipt_entry_match *m,
646	}	643	}
647	m->u.kernel.match = match;	644	m->u.kernel.match = match;
648		645
649	ret = check_match(m, name, ip, hookmask, i);	646	ret = check_match(m, par, i);
650	if (ret)	647	if (ret)
651	goto err;	648	goto err;
652		649
@@ -683,14 +680,17 @@ find_check_entry(struct ipt_entry e, const char name, unsigned int size,
683	struct xt_target *target;	680	struct xt_target *target;
684	int ret;	681	int ret;
685	unsigned int j;	682	unsigned int j;
		683	struct xt_mtchk_param mtpar;
686		684
687	ret = check_entry(e, name);	685	ret = check_entry(e, name);
688	if (ret)	686	if (ret)
689	return ret;	687	return ret;
690		688
691	j = 0;	689	j = 0;
692	ret = IPT_MATCH_ITERATE(e, find_check_match, name, &e->ip,	690	mtpar.table = name;
693	e->comefrom, &j);	691	mtpar.entryinfo = &e->ip;
		692	mtpar.hook_mask = e->comefrom;
		693	ret = IPT_MATCH_ITERATE(e, find_check_match, &mtpar, &j);
694	if (ret != 0)	694	if (ret != 0)
695	goto cleanup_matches;	695	goto cleanup_matches;
696		696
@@ -1644,12 +1644,15 @@ static int
1644	compat_check_entry(struct ipt_entry e, const char name,	1644	compat_check_entry(struct ipt_entry e, const char name,
1645	unsigned int *i)	1645	unsigned int *i)
1646	{	1646	{
		1647	struct xt_mtchk_param mtpar;
1647	unsigned int j;	1648	unsigned int j;
1648	int ret;	1649	int ret;
1649		1650
1650	j = 0;	1651	j = 0;
1651	ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip,	1652	mtpar.table = name;
1652	e->comefrom, &j);	1653	mtpar.entryinfo = &e->ip;
		1654	mtpar.hook_mask = e->comefrom;
		1655	ret = IPT_MATCH_ITERATE(e, check_match, &mtpar, &j);
1653	if (ret)	1656	if (ret)
1654	goto cleanup_matches;	1657	goto cleanup_matches;
1655		1658
@@ -2144,15 +2147,9 @@ icmp_match(const struct sk_buff skb, const struct xt_match_param par)
2144	!!(icmpinfo->invflags&IPT_ICMP_INV));	2147	!!(icmpinfo->invflags&IPT_ICMP_INV));
2145	}	2148	}
2146		2149
2147	/* Called when user tries to insert an entry of this type. */	2150	static bool icmp_checkentry(const struct xt_mtchk_param *par)
2148	static bool
2149	icmp_checkentry(const char *tablename,
2150	const void *entry,
2151	const struct xt_match *match,
2152	void *matchinfo,
2153	unsigned int hook_mask)
2154	{	2151	{
2155	const struct ipt_icmp *icmpinfo = matchinfo;	2152	const struct ipt_icmp *icmpinfo = par->matchinfo;
2156		2153
2157	/* Must specify no unknown invflags */	2154	/* Must specify no unknown invflags */
2158	return !(icmpinfo->invflags & ~IPT_ICMP_INV);	2155	return !(icmpinfo->invflags & ~IPT_ICMP_INV);


diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c index e60995e4c20c..88762f02779d 100644 --- a/net/ipv4/netfilter/ipt_addrtype.c +++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -68,12 +68,9 @@ addrtype_mt_v1(const struct sk_buff skb, const struct xt_match_param par)
68	return ret;	68	return ret;
69	}	69	}
70		70
71	static bool	71	static bool addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
72	addrtype_mt_checkentry_v1(const char tablename, const void ip_void,
73	const struct xt_match match, void matchinfo,
74	unsigned int hook_mask)
75	{	72	{
76	struct ipt_addrtype_info_v1 *info = matchinfo;	73	struct ipt_addrtype_info_v1 *info = par->matchinfo;
77		74
78	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&	75	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&
79	info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {	76	info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
@@ -82,14 +79,16 @@ addrtype_mt_checkentry_v1(const char tablename, const void ip_void,
82	return false;	79	return false;
83	}	80	}
84		81
85	if (hook_mask & (1 << NF_INET_PRE_ROUTING \| 1 << NF_INET_LOCAL_IN) &&	82	if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) \|
		83	(1 << NF_INET_LOCAL_IN)) &&
86	info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {	84	info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
87	printk(KERN_ERR "ipt_addrtype: output interface limitation "	85	printk(KERN_ERR "ipt_addrtype: output interface limitation "
88	"not valid in PRE_ROUTING and INPUT\n");	86	"not valid in PRE_ROUTING and INPUT\n");
89	return false;	87	return false;
90	}	88	}
91		89
92	if (hook_mask & (1 << NF_INET_POST_ROUTING \| 1 << NF_INET_LOCAL_OUT) &&	90	if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) \|
		91	(1 << NF_INET_LOCAL_OUT)) &&
93	info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {	92	info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
94	printk(KERN_ERR "ipt_addrtype: input interface limitation "	93	printk(KERN_ERR "ipt_addrtype: input interface limitation "
95	"not valid in POST_ROUTING and OUTPUT\n");	94	"not valid in POST_ROUTING and OUTPUT\n");


diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c index 2fce19ef4f3f..0104c0b399de 100644 --- a/net/ipv4/netfilter/ipt_ah.c +++ b/net/ipv4/netfilter/ipt_ah.c
@@ -61,13 +61,9 @@ static bool ah_mt(const struct sk_buff skb, const struct xt_match_param par)
61	!!(ahinfo->invflags & IPT_AH_INV_SPI));	61	!!(ahinfo->invflags & IPT_AH_INV_SPI));
62	}	62	}
63		63
64	/* Called when user tries to insert an entry of this type. */	64	static bool ah_mt_check(const struct xt_mtchk_param *par)
65	static bool
66	ah_mt_check(const char tablename, const void ip_void,
67	const struct xt_match match, void matchinfo,
68	unsigned int hook_mask)
69	{	65	{
70	const struct ipt_ah *ahinfo = matchinfo;	66	const struct ipt_ah *ahinfo = par->matchinfo;
71		67
72	/* Must specify no unknown invflags */	68	/* Must specify no unknown invflags */
73	if (ahinfo->invflags & ~IPT_AH_INV_MASK) {	69	if (ahinfo->invflags & ~IPT_AH_INV_MASK) {


diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c index 069154631508..6289b64144c6 100644 --- a/net/ipv4/netfilter/ipt_ecn.c +++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -85,13 +85,10 @@ static bool ecn_mt(const struct sk_buff skb, const struct xt_match_param par)
85	return true;	85	return true;
86	}	86	}
87		87
88	static bool	88	static bool ecn_mt_check(const struct xt_mtchk_param *par)
89	ecn_mt_check(const char tablename, const void ip_void,
90	const struct xt_match match, void matchinfo,
91	unsigned int hook_mask)
92	{	89	{
93	const struct ipt_ecn_info *info = matchinfo;	90	const struct ipt_ecn_info *info = par->matchinfo;
94	const struct ipt_ip *ip = ip_void;	91	const struct ipt_ip *ip = par->entryinfo;
95		92
96	if (info->operation & IPT_ECN_OP_MATCH_MASK)	93	if (info->operation & IPT_ECN_OP_MATCH_MASK)
97	return false;	94	return false;