aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJan Engelhardt <jengelh@medozas.de>2010-02-24 12:35:37 -0500
committerPatrick McHardy <kaber@trash.net>2010-02-24 12:35:37 -0500
commit6bdb331bc6910d1ccb74dc9852fc858c5916c927 (patch)
treed77dd2df2d6d43ce25703ce8c9ecab0173c14a7f /net
parentdcea992aca82cb08b4674c4c783e325835408d1e (diff)
netfilter: xtables: optimize call flow around xt_ematch_foreach
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/ip_tables.c93
-rw-r--r--net/ipv6/netfilter/ip6_tables.c93
2 files changed, 62 insertions, 124 deletions
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3a7fc732b918..36edc7d5f284 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -572,14 +572,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
572 return 1; 572 return 1;
573} 573}
574 574
575static int 575static void cleanup_match(struct ipt_entry_match *m, struct net *net)
576cleanup_match(struct ipt_entry_match *m, struct net *net, unsigned int *i)
577{ 576{
578 struct xt_mtdtor_param par; 577 struct xt_mtdtor_param par;
579 578
580 if (i && (*i)-- == 0)
581 return 1;
582
583 par.net = net; 579 par.net = net;
584 par.match = m->u.kernel.match; 580 par.match = m->u.kernel.match;
585 par.matchinfo = m->data; 581 par.matchinfo = m->data;
@@ -587,7 +583,6 @@ cleanup_match(struct ipt_entry_match *m, struct net *net, unsigned int *i)
587 if (par.match->destroy != NULL) 583 if (par.match->destroy != NULL)
588 par.match->destroy(&par); 584 par.match->destroy(&par);
589 module_put(par.match->me); 585 module_put(par.match->me);
590 return 0;
591} 586}
592 587
593static int 588static int
@@ -612,8 +607,7 @@ check_entry(const struct ipt_entry *e, const char *name)
612} 607}
613 608
614static int 609static int
615check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par, 610check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
616 unsigned int *i)
617{ 611{
618 const struct ipt_ip *ip = par->entryinfo; 612 const struct ipt_ip *ip = par->entryinfo;
619 int ret; 613 int ret;
@@ -628,13 +622,11 @@ check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
628 par.match->name); 622 par.match->name);
629 return ret; 623 return ret;
630 } 624 }
631 ++*i;
632 return 0; 625 return 0;
633} 626}
634 627
635static int 628static int
636find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par, 629find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
637 unsigned int *i)
638{ 630{
639 struct xt_match *match; 631 struct xt_match *match;
640 int ret; 632 int ret;
@@ -648,7 +640,7 @@ find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
648 } 640 }
649 m->u.kernel.match = match; 641 m->u.kernel.match = match;
650 642
651 ret = check_match(m, par, i); 643 ret = check_match(m, par);
652 if (ret) 644 if (ret)
653 goto err; 645 goto err;
654 646
@@ -704,12 +696,11 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
704 mtpar.hook_mask = e->comefrom; 696 mtpar.hook_mask = e->comefrom;
705 mtpar.family = NFPROTO_IPV4; 697 mtpar.family = NFPROTO_IPV4;
706 xt_ematch_foreach(ematch, e) { 698 xt_ematch_foreach(ematch, e) {
707 ret = find_check_match(ematch, &mtpar, &j); 699 ret = find_check_match(ematch, &mtpar);
708 if (ret != 0) 700 if (ret != 0)
709 break; 701 goto cleanup_matches;
702 ++j;
710 } 703 }
711 if (ret != 0)
712 goto cleanup_matches;
713 704
714 t = ipt_get_target(e); 705 t = ipt_get_target(e);
715 target = try_then_request_module(xt_find_target(AF_INET, 706 target = try_then_request_module(xt_find_target(AF_INET,
@@ -730,9 +721,11 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
730 err: 721 err:
731 module_put(t->u.kernel.target->me); 722 module_put(t->u.kernel.target->me);
732 cleanup_matches: 723 cleanup_matches:
733 xt_ematch_foreach(ematch, e) 724 xt_ematch_foreach(ematch, e) {
734 if (cleanup_match(ematch, net, &j) != 0) 725 if (j-- == 0)
735 break; 726 break;
727 cleanup_match(ematch, net);
728 }
736 return ret; 729 return ret;
737} 730}
738 731
@@ -807,8 +800,7 @@ cleanup_entry(struct ipt_entry *e, struct net *net)
807 800
808 /* Cleanup all matches */ 801 /* Cleanup all matches */
809 xt_ematch_foreach(ematch, e) 802 xt_ematch_foreach(ematch, e)
810 if (cleanup_match(ematch, net, NULL) != 0) 803 cleanup_match(ematch, net);
811 break;
812 t = ipt_get_target(e); 804 t = ipt_get_target(e);
813 805
814 par.net = net; 806 par.net = net;
@@ -1064,13 +1056,6 @@ static int compat_standard_to_user(void __user *dst, const void *src)
1064 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0; 1056 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1065} 1057}
1066 1058
1067static inline int
1068compat_calc_match(const struct ipt_entry_match *m, int *size)
1069{
1070 *size += xt_compat_match_offset(m->u.kernel.match);
1071 return 0;
1072}
1073
1074static int compat_calc_entry(const struct ipt_entry *e, 1059static int compat_calc_entry(const struct ipt_entry *e,
1075 const struct xt_table_info *info, 1060 const struct xt_table_info *info,
1076 const void *base, struct xt_table_info *newinfo) 1061 const void *base, struct xt_table_info *newinfo)
@@ -1083,8 +1068,7 @@ static int compat_calc_entry(const struct ipt_entry *e,
1083 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); 1068 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1084 entry_offset = (void *)e - base; 1069 entry_offset = (void *)e - base;
1085 xt_ematch_foreach(ematch, e) 1070 xt_ematch_foreach(ematch, e)
1086 if (compat_calc_match(ematch, &off) != 0) 1071 off += xt_compat_match_offset(ematch->u.kernel.match);
1087 break;
1088 t = ipt_get_target_c(e); 1072 t = ipt_get_target_c(e);
1089 off += xt_compat_target_offset(t->u.kernel.target); 1073 off += xt_compat_target_offset(t->u.kernel.target);
1090 newinfo->size -= off; 1074 newinfo->size -= off;
@@ -1475,11 +1459,9 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
1475 xt_ematch_foreach(ematch, e) { 1459 xt_ematch_foreach(ematch, e) {
1476 ret = xt_compat_match_to_user(ematch, dstptr, size); 1460 ret = xt_compat_match_to_user(ematch, dstptr, size);
1477 if (ret != 0) 1461 if (ret != 0)
1478 break; 1462 return ret;
1479 } 1463 }
1480 target_offset = e->target_offset - (origsize - *size); 1464 target_offset = e->target_offset - (origsize - *size);
1481 if (ret)
1482 return ret;
1483 t = ipt_get_target(e); 1465 t = ipt_get_target(e);
1484 ret = xt_compat_target_to_user(t, dstptr, size); 1466 ret = xt_compat_target_to_user(t, dstptr, size);
1485 if (ret) 1467 if (ret)
@@ -1496,7 +1478,7 @@ compat_find_calc_match(struct ipt_entry_match *m,
1496 const char *name, 1478 const char *name,
1497 const struct ipt_ip *ip, 1479 const struct ipt_ip *ip,
1498 unsigned int hookmask, 1480 unsigned int hookmask,
1499 int *size, unsigned int *i) 1481 int *size)
1500{ 1482{
1501 struct xt_match *match; 1483 struct xt_match *match;
1502 1484
@@ -1510,18 +1492,6 @@ compat_find_calc_match(struct ipt_entry_match *m,
1510 } 1492 }
1511 m->u.kernel.match = match; 1493 m->u.kernel.match = match;
1512 *size += xt_compat_match_offset(match); 1494 *size += xt_compat_match_offset(match);
1513
1514 (*i)++;
1515 return 0;
1516}
1517
1518static int
1519compat_release_match(struct ipt_entry_match *m, unsigned int *i)
1520{
1521 if (i && (*i)-- == 0)
1522 return 1;
1523
1524 module_put(m->u.kernel.match->me);
1525 return 0; 1495 return 0;
1526} 1496}
1527 1497
@@ -1532,8 +1502,7 @@ static void compat_release_entry(struct compat_ipt_entry *e)
1532 1502
1533 /* Cleanup all matches */ 1503 /* Cleanup all matches */
1534 xt_ematch_foreach(ematch, e) 1504 xt_ematch_foreach(ematch, e)
1535 if (compat_release_match(ematch, NULL) != 0) 1505 module_put(ematch->u.kernel.match->me);
1536 break;
1537 t = compat_ipt_get_target(e); 1506 t = compat_ipt_get_target(e);
1538 module_put(t->u.kernel.target->me); 1507 module_put(t->u.kernel.target->me);
1539} 1508}
@@ -1579,12 +1548,11 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
1579 j = 0; 1548 j = 0;
1580 xt_ematch_foreach(ematch, e) { 1549 xt_ematch_foreach(ematch, e) {
1581 ret = compat_find_calc_match(ematch, name, 1550 ret = compat_find_calc_match(ematch, name,
1582 &e->ip, e->comefrom, &off, &j); 1551 &e->ip, e->comefrom, &off);
1583 if (ret != 0) 1552 if (ret != 0)
1584 break; 1553 goto release_matches;
1554 ++j;
1585 } 1555 }
1586 if (ret != 0)
1587 goto release_matches;
1588 1556
1589 t = compat_ipt_get_target(e); 1557 t = compat_ipt_get_target(e);
1590 target = try_then_request_module(xt_find_target(AF_INET, 1558 target = try_then_request_module(xt_find_target(AF_INET,
@@ -1621,9 +1589,11 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
1621out: 1589out:
1622 module_put(t->u.kernel.target->me); 1590 module_put(t->u.kernel.target->me);
1623release_matches: 1591release_matches:
1624 xt_ematch_foreach(ematch, e) 1592 xt_ematch_foreach(ematch, e) {
1625 if (compat_release_match(ematch, &j) != 0) 1593 if (j-- == 0)
1626 break; 1594 break;
1595 module_put(ematch->u.kernel.match->me);
1596 }
1627 return ret; 1597 return ret;
1628} 1598}
1629 1599
@@ -1651,10 +1621,8 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
1651 xt_ematch_foreach(ematch, e) { 1621 xt_ematch_foreach(ematch, e) {
1652 ret = xt_compat_match_from_user(ematch, dstptr, size); 1622 ret = xt_compat_match_from_user(ematch, dstptr, size);
1653 if (ret != 0) 1623 if (ret != 0)
1654 break; 1624 return ret;
1655 } 1625 }
1656 if (ret)
1657 return ret;
1658 de->target_offset = e->target_offset - (origsize - *size); 1626 de->target_offset = e->target_offset - (origsize - *size);
1659 t = compat_ipt_get_target(e); 1627 t = compat_ipt_get_target(e);
1660 target = t->u.kernel.target; 1628 target = t->u.kernel.target;
@@ -1685,12 +1653,11 @@ compat_check_entry(struct ipt_entry *e, struct net *net, const char *name)
1685 mtpar.hook_mask = e->comefrom; 1653 mtpar.hook_mask = e->comefrom;
1686 mtpar.family = NFPROTO_IPV4; 1654 mtpar.family = NFPROTO_IPV4;
1687 xt_ematch_foreach(ematch, e) { 1655 xt_ematch_foreach(ematch, e) {
1688 ret = check_match(ematch, &mtpar, &j); 1656 ret = check_match(ematch, &mtpar);
1689 if (ret != 0) 1657 if (ret != 0)
1690 break; 1658 goto cleanup_matches;
1659 ++j;
1691 } 1660 }
1692 if (ret)
1693 goto cleanup_matches;
1694 1661
1695 ret = check_target(e, net, name); 1662 ret = check_target(e, net, name);
1696 if (ret) 1663 if (ret)
@@ -1698,9 +1665,11 @@ compat_check_entry(struct ipt_entry *e, struct net *net, const char *name)
1698 return 0; 1665 return 0;
1699 1666
1700 cleanup_matches: 1667 cleanup_matches:
1701 xt_ematch_foreach(ematch, e) 1668 xt_ematch_foreach(ematch, e) {
1702 if (cleanup_match(ematch, net, &j) != 0) 1669 if (j-- == 0)
1703 break; 1670 break;
1671 cleanup_match(ematch, net);
1672 }
1704 return ret; 1673 return ret;
1705} 1674}
1706 1675
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1537e6bad5d9..c5a963e4b545 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -603,14 +603,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
603 return 1; 603 return 1;
604} 604}
605 605
606static int 606static void cleanup_match(struct ip6t_entry_match *m, struct net *net)
607cleanup_match(struct ip6t_entry_match *m, struct net *net, unsigned int *i)
608{ 607{
609 struct xt_mtdtor_param par; 608 struct xt_mtdtor_param par;
610 609
611 if (i && (*i)-- == 0)
612 return 1;
613
614 par.net = net; 610 par.net = net;
615 par.match = m->u.kernel.match; 611 par.match = m->u.kernel.match;
616 par.matchinfo = m->data; 612 par.matchinfo = m->data;
@@ -618,7 +614,6 @@ cleanup_match(struct ip6t_entry_match *m, struct net *net, unsigned int *i)
618 if (par.match->destroy != NULL) 614 if (par.match->destroy != NULL)
619 par.match->destroy(&par); 615 par.match->destroy(&par);
620 module_put(par.match->me); 616 module_put(par.match->me);
621 return 0;
622} 617}
623 618
624static int 619static int
@@ -642,8 +637,7 @@ check_entry(const struct ip6t_entry *e, const char *name)
642 return 0; 637 return 0;
643} 638}
644 639
645static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par, 640static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
646 unsigned int *i)
647{ 641{
648 const struct ip6t_ip6 *ipv6 = par->entryinfo; 642 const struct ip6t_ip6 *ipv6 = par->entryinfo;
649 int ret; 643 int ret;
@@ -658,13 +652,11 @@ static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
658 par.match->name); 652 par.match->name);
659 return ret; 653 return ret;
660 } 654 }
661 ++*i;
662 return 0; 655 return 0;
663} 656}
664 657
665static int 658static int
666find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par, 659find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
667 unsigned int *i)
668{ 660{
669 struct xt_match *match; 661 struct xt_match *match;
670 int ret; 662 int ret;
@@ -678,7 +670,7 @@ find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
678 } 670 }
679 m->u.kernel.match = match; 671 m->u.kernel.match = match;
680 672
681 ret = check_match(m, par, i); 673 ret = check_match(m, par);
682 if (ret) 674 if (ret)
683 goto err; 675 goto err;
684 676
@@ -735,12 +727,11 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
735 mtpar.hook_mask = e->comefrom; 727 mtpar.hook_mask = e->comefrom;
736 mtpar.family = NFPROTO_IPV6; 728 mtpar.family = NFPROTO_IPV6;
737 xt_ematch_foreach(ematch, e) { 729 xt_ematch_foreach(ematch, e) {
738 ret = find_check_match(ematch, &mtpar, &j); 730 ret = find_check_match(ematch, &mtpar);
739 if (ret != 0) 731 if (ret != 0)
740 break; 732 goto cleanup_matches;
733 ++j;
741 } 734 }
742 if (ret != 0)
743 goto cleanup_matches;
744 735
745 t = ip6t_get_target(e); 736 t = ip6t_get_target(e);
746 target = try_then_request_module(xt_find_target(AF_INET6, 737 target = try_then_request_module(xt_find_target(AF_INET6,
@@ -761,9 +752,11 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
761 err: 752 err:
762 module_put(t->u.kernel.target->me); 753 module_put(t->u.kernel.target->me);
763 cleanup_matches: 754 cleanup_matches:
764 xt_ematch_foreach(ematch, e) 755 xt_ematch_foreach(ematch, e) {
765 if (cleanup_match(ematch, net, &j) != 0) 756 if (j-- == 0)
766 break; 757 break;
758 cleanup_match(ematch, net);
759 }
767 return ret; 760 return ret;
768} 761}
769 762
@@ -837,8 +830,7 @@ static void cleanup_entry(struct ip6t_entry *e, struct net *net)
837 830
838 /* Cleanup all matches */ 831 /* Cleanup all matches */
839 xt_ematch_foreach(ematch, e) 832 xt_ematch_foreach(ematch, e)
840 if (cleanup_match(ematch, net, NULL) != 0) 833 cleanup_match(ematch, net);
841 break;
842 t = ip6t_get_target(e); 834 t = ip6t_get_target(e);
843 835
844 par.net = net; 836 par.net = net;
@@ -1094,13 +1086,6 @@ static int compat_standard_to_user(void __user *dst, const void *src)
1094 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0; 1086 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1095} 1087}
1096 1088
1097static inline int
1098compat_calc_match(const struct ip6t_entry_match *m, int *size)
1099{
1100 *size += xt_compat_match_offset(m->u.kernel.match);
1101 return 0;
1102}
1103
1104static int compat_calc_entry(const struct ip6t_entry *e, 1089static int compat_calc_entry(const struct ip6t_entry *e,
1105 const struct xt_table_info *info, 1090 const struct xt_table_info *info,
1106 const void *base, struct xt_table_info *newinfo) 1091 const void *base, struct xt_table_info *newinfo)
@@ -1113,8 +1098,7 @@ static int compat_calc_entry(const struct ip6t_entry *e,
1113 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry); 1098 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1114 entry_offset = (void *)e - base; 1099 entry_offset = (void *)e - base;
1115 xt_ematch_foreach(ematch, e) 1100 xt_ematch_foreach(ematch, e)
1116 if (compat_calc_match(ematch, &off) != 0) 1101 off += xt_compat_match_offset(ematch->u.kernel.match);
1117 break;
1118 t = ip6t_get_target_c(e); 1102 t = ip6t_get_target_c(e);
1119 off += xt_compat_target_offset(t->u.kernel.target); 1103 off += xt_compat_target_offset(t->u.kernel.target);
1120 newinfo->size -= off; 1104 newinfo->size -= off;
@@ -1508,11 +1492,9 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1508 xt_ematch_foreach(ematch, e) { 1492 xt_ematch_foreach(ematch, e) {
1509 ret = xt_compat_match_to_user(ematch, dstptr, size); 1493 ret = xt_compat_match_to_user(ematch, dstptr, size);
1510 if (ret != 0) 1494 if (ret != 0)
1511 break; 1495 return ret;
1512 } 1496 }
1513 target_offset = e->target_offset - (origsize - *size); 1497 target_offset = e->target_offset - (origsize - *size);
1514 if (ret)
1515 return ret;
1516 t = ip6t_get_target(e); 1498 t = ip6t_get_target(e);
1517 ret = xt_compat_target_to_user(t, dstptr, size); 1499 ret = xt_compat_target_to_user(t, dstptr, size);
1518 if (ret) 1500 if (ret)
@@ -1529,7 +1511,7 @@ compat_find_calc_match(struct ip6t_entry_match *m,
1529 const char *name, 1511 const char *name,
1530 const struct ip6t_ip6 *ipv6, 1512 const struct ip6t_ip6 *ipv6,
1531 unsigned int hookmask, 1513 unsigned int hookmask,
1532 int *size, unsigned int *i) 1514 int *size)
1533{ 1515{
1534 struct xt_match *match; 1516 struct xt_match *match;
1535 1517
@@ -1543,18 +1525,6 @@ compat_find_calc_match(struct ip6t_entry_match *m,
1543 } 1525 }
1544 m->u.kernel.match = match; 1526 m->u.kernel.match = match;
1545 *size += xt_compat_match_offset(match); 1527 *size += xt_compat_match_offset(match);
1546
1547 (*i)++;
1548 return 0;
1549}
1550
1551static int
1552compat_release_match(struct ip6t_entry_match *m, unsigned int *i)
1553{
1554 if (i && (*i)-- == 0)
1555 return 1;
1556
1557 module_put(m->u.kernel.match->me);
1558 return 0; 1528 return 0;
1559} 1529}
1560 1530
@@ -1565,8 +1535,7 @@ static void compat_release_entry(struct compat_ip6t_entry *e)
1565 1535
1566 /* Cleanup all matches */ 1536 /* Cleanup all matches */
1567 xt_ematch_foreach(ematch, e) 1537 xt_ematch_foreach(ematch, e)
1568 if (compat_release_match(ematch, NULL) != 0) 1538 module_put(ematch->u.kernel.match->me);
1569 break;
1570 t = compat_ip6t_get_target(e); 1539 t = compat_ip6t_get_target(e);
1571 module_put(t->u.kernel.target->me); 1540 module_put(t->u.kernel.target->me);
1572} 1541}
@@ -1612,12 +1581,11 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1612 j = 0; 1581 j = 0;
1613 xt_ematch_foreach(ematch, e) { 1582 xt_ematch_foreach(ematch, e) {
1614 ret = compat_find_calc_match(ematch, name, 1583 ret = compat_find_calc_match(ematch, name,
1615 &e->ipv6, e->comefrom, &off, &j); 1584 &e->ipv6, e->comefrom, &off);
1616 if (ret != 0) 1585 if (ret != 0)
1617 break; 1586 goto release_matches;
1587 ++j;
1618 } 1588 }
1619 if (ret != 0)
1620 goto release_matches;
1621 1589
1622 t = compat_ip6t_get_target(e); 1590 t = compat_ip6t_get_target(e);
1623 target = try_then_request_module(xt_find_target(AF_INET6, 1591 target = try_then_request_module(xt_find_target(AF_INET6,
@@ -1654,9 +1622,11 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1654out: 1622out:
1655 module_put(t->u.kernel.target->me); 1623 module_put(t->u.kernel.target->me);
1656release_matches: 1624release_matches:
1657 xt_ematch_foreach(ematch, e) 1625 xt_ematch_foreach(ematch, e) {
1658 if (compat_release_match(ematch, &j) != 0) 1626 if (j-- == 0)
1659 break; 1627 break;
1628 module_put(ematch->u.kernel.match->me);
1629 }
1660 return ret; 1630 return ret;
1661} 1631}
1662 1632
@@ -1684,10 +1654,8 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1684 xt_ematch_foreach(ematch, e) { 1654 xt_ematch_foreach(ematch, e) {
1685 ret = xt_compat_match_from_user(ematch, dstptr, size); 1655 ret = xt_compat_match_from_user(ematch, dstptr, size);
1686 if (ret != 0) 1656 if (ret != 0)
1687 break; 1657 return ret;
1688 } 1658 }
1689 if (ret)
1690 return ret;
1691 de->target_offset = e->target_offset - (origsize - *size); 1659 de->target_offset = e->target_offset - (origsize - *size);
1692 t = compat_ip6t_get_target(e); 1660 t = compat_ip6t_get_target(e);
1693 target = t->u.kernel.target; 1661 target = t->u.kernel.target;
@@ -1718,12 +1686,11 @@ static int compat_check_entry(struct ip6t_entry *e, struct net *net,
1718 mtpar.hook_mask = e->comefrom; 1686 mtpar.hook_mask = e->comefrom;
1719 mtpar.family = NFPROTO_IPV6; 1687 mtpar.family = NFPROTO_IPV6;
1720 xt_ematch_foreach(ematch, e) { 1688 xt_ematch_foreach(ematch, e) {
1721 ret = check_match(ematch, &mtpar, &j); 1689 ret = check_match(ematch, &mtpar);
1722 if (ret != 0) 1690 if (ret != 0)
1723 break; 1691 goto cleanup_matches;
1692 ++j;
1724 } 1693 }
1725 if (ret)
1726 goto cleanup_matches;
1727 1694
1728 ret = check_target(e, net, name); 1695 ret = check_target(e, net, name);
1729 if (ret) 1696 if (ret)
@@ -1731,9 +1698,11 @@ static int compat_check_entry(struct ip6t_entry *e, struct net *net,
1731 return 0; 1698 return 0;
1732 1699
1733 cleanup_matches: 1700 cleanup_matches:
1734 xt_ematch_foreach(ematch, e) 1701 xt_ematch_foreach(ematch, e) {
1735 if (cleanup_match(ematch, net, &j) != 0) 1702 if (j-- == 0)
1736 break; 1703 break;
1704 cleanup_match(ematch, net);
1705 }
1737 return ret; 1706 return ret;
1738} 1707}
1739 1708