netfilter: xtables: do centralized checkentry call (1/2)

It used to be that {ip,ip6,etc}_tables called extension->checkentry
themselves, but this can be moved into the xtables core.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

2 files changed, 13 insertions, 20 deletions

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index b4a9a1799c94..ae525a9afbec 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -465,15 +465,13 @@ static inline int check_target(struct arpt_entry *e, const char *name)
 
         ret = xt_check_target(target, NFPROTO_ARP,
                               t->u.target_size - sizeof(*t),
-                              name, e->comefrom, 0, 0);
-        if (!ret && t->u.kernel.target->checkentry
-            && !t->u.kernel.target->checkentry(name, e, target, t->data,
-                                               e->comefrom)) {
+                              name, e->comefrom, 0, 0, e, t->data);
+        if (ret < 0) {
                 duprintf("arp_tables: check failed for `%s'.\n",
                          t->u.kernel.target->name);
-                ret = -EINVAL;
+                return ret;
         }
-        return ret;
+        return 0;
 }
 
 static inline int
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 4e7c719445c2..b4c74a7a807c 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -616,17 +616,14 @@ check_match(struct ipt_entry_match *m, const char *name,
         match = m->u.kernel.match;
         ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
                              name, hookmask, ip->proto,
-                             ip->invflags & IPT_INV_PROTO);
-        if (!ret && m->u.kernel.match->checkentry
-            && !m->u.kernel.match->checkentry(name, ip, match, m->data,
-                                              hookmask)) {
+                             ip->invflags & IPT_INV_PROTO, ip, m->data);
+        if (ret < 0) {
                 duprintf("ip_tables: check failed for `%s'.\n",
                          m->u.kernel.match->name);
-                ret = -EINVAL;
+                return ret;
         }
-        if (!ret)
-                (*i)++;
-        return ret;
+        ++*i;
+        return 0;
 }
 
 static int
@@ -668,15 +665,13 @@ static int check_target(struct ipt_entry *e, const char *name)
         target = t->u.kernel.target;
         ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
                               name, e->comefrom, e->ip.proto,
-                              e->ip.invflags & IPT_INV_PROTO);
-        if (!ret && t->u.kernel.target->checkentry
-            && !t->u.kernel.target->checkentry(name, e, target, t->data,
-                                               e->comefrom)) {
+                              e->ip.invflags & IPT_INV_PROTO, e, t->data);
+        if (ret < 0) {
                 duprintf("ip_tables: check failed for `%s'.\n",
                          t->u.kernel.target->name);
-                ret = -EINVAL;
+                return ret;
         }
-        return ret;
+        return 0;
 }
 
 static int