diff options
-rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 33 |
1 files changed, 21 insertions, 12 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index a33485dc81cb..d64594b6c061 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
@@ -89,6 +89,25 @@ ip6t_ext_hdr(u8 nexthdr) | |||
89 | (nexthdr == IPPROTO_DSTOPTS) ); | 89 | (nexthdr == IPPROTO_DSTOPTS) ); |
90 | } | 90 | } |
91 | 91 | ||
92 | static unsigned long ifname_compare(const char *_a, const char *_b, | ||
93 | const unsigned char *_mask) | ||
94 | { | ||
95 | const unsigned long *a = (const unsigned long *)_a; | ||
96 | const unsigned long *b = (const unsigned long *)_b; | ||
97 | const unsigned long *mask = (const unsigned long *)_mask; | ||
98 | unsigned long ret; | ||
99 | |||
100 | ret = (a[0] ^ b[0]) & mask[0]; | ||
101 | if (IFNAMSIZ > sizeof(unsigned long)) | ||
102 | ret |= (a[1] ^ b[1]) & mask[1]; | ||
103 | if (IFNAMSIZ > 2 * sizeof(unsigned long)) | ||
104 | ret |= (a[2] ^ b[2]) & mask[2]; | ||
105 | if (IFNAMSIZ > 3 * sizeof(unsigned long)) | ||
106 | ret |= (a[3] ^ b[3]) & mask[3]; | ||
107 | BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long)); | ||
108 | return ret; | ||
109 | } | ||
110 | |||
92 | /* Returns whether matches rule or not. */ | 111 | /* Returns whether matches rule or not. */ |
93 | /* Performance critical - called for every packet */ | 112 | /* Performance critical - called for every packet */ |
94 | static inline bool | 113 | static inline bool |
@@ -99,7 +118,6 @@ ip6_packet_match(const struct sk_buff *skb, | |||
99 | unsigned int *protoff, | 118 | unsigned int *protoff, |
100 | int *fragoff, bool *hotdrop) | 119 | int *fragoff, bool *hotdrop) |
101 | { | 120 | { |
102 | size_t i; | ||
103 | unsigned long ret; | 121 | unsigned long ret; |
104 | const struct ipv6hdr *ipv6 = ipv6_hdr(skb); | 122 | const struct ipv6hdr *ipv6 = ipv6_hdr(skb); |
105 | 123 | ||
@@ -120,12 +138,7 @@ ip6_packet_match(const struct sk_buff *skb, | |||
120 | return false; | 138 | return false; |
121 | } | 139 | } |
122 | 140 | ||
123 | /* Look for ifname matches; this should unroll nicely. */ | 141 | ret = ifname_compare(indev, ip6info->iniface, ip6info->iniface_mask); |
124 | for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) { | ||
125 | ret |= (((const unsigned long *)indev)[i] | ||
126 | ^ ((const unsigned long *)ip6info->iniface)[i]) | ||
127 | & ((const unsigned long *)ip6info->iniface_mask)[i]; | ||
128 | } | ||
129 | 142 | ||
130 | if (FWINV(ret != 0, IP6T_INV_VIA_IN)) { | 143 | if (FWINV(ret != 0, IP6T_INV_VIA_IN)) { |
131 | dprintf("VIA in mismatch (%s vs %s).%s\n", | 144 | dprintf("VIA in mismatch (%s vs %s).%s\n", |
@@ -134,11 +147,7 @@ ip6_packet_match(const struct sk_buff *skb, | |||
134 | return false; | 147 | return false; |
135 | } | 148 | } |
136 | 149 | ||
137 | for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) { | 150 | ret = ifname_compare(outdev, ip6info->outiface, ip6info->outiface_mask); |
138 | ret |= (((const unsigned long *)outdev)[i] | ||
139 | ^ ((const unsigned long *)ip6info->outiface)[i]) | ||
140 | & ((const unsigned long *)ip6info->outiface_mask)[i]; | ||
141 | } | ||
142 | 151 | ||
143 | if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) { | 152 | if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) { |
144 | dprintf("VIA out mismatch (%s vs %s).%s\n", | 153 | dprintf("VIA out mismatch (%s vs %s).%s\n", |