-rw-r--r--include/linux/netfilter/x_tables.h28
-rw-r--r--net/bridge/netfilter/ebt_802_3.c6
-rw-r--r--net/bridge/netfilter/ebt_among.c6
-rw-r--r--net/bridge/netfilter/ebt_arp.c6
-rw-r--r--net/bridge/netfilter/ebt_ip.c6
-rw-r--r--net/bridge/netfilter/ebt_ip6.c6
-rw-r--r--net/bridge/netfilter/ebt_limit.c6
-rw-r--r--net/bridge/netfilter/ebt_mark_m.c6
-rw-r--r--net/bridge/netfilter/ebt_pkttype.c7
-rw-r--r--net/bridge/netfilter/ebt_stp.c6
-rw-r--r--net/bridge/netfilter/ebt_vlan.c6
-rw-r--r--net/bridge/netfilter/ebtables.c16
-rw-r--r--net/ipv4/netfilter/ip_tables.c46
-rw-r--r--net/ipv4/netfilter/ipt_addrtype.c18
-rw-r--r--net/ipv4/netfilter/ipt_ah.c14
-rw-r--r--net/ipv4/netfilter/ipt_ecn.c9
-rw-r--r--net/ipv4/netfilter/ipt_ttl.c7
-rw-r--r--net/ipv6/netfilter/ip6_tables.c44
-rw-r--r--net/ipv6/netfilter/ip6t_ah.c11
-rw-r--r--net/ipv6/netfilter/ip6t_eui64.c9
-rw-r--r--net/ipv6/netfilter/ip6t_frag.c11
-rw-r--r--net/ipv6/netfilter/ip6t_hbh.c13
-rw-r--r--net/ipv6/netfilter/ip6t_hl.c7
-rw-r--r--net/ipv6/netfilter/ip6t_ipv6header.c7
-rw-r--r--net/ipv6/netfilter/ip6t_mh.c15
-rw-r--r--net/ipv6/netfilter/ip6t_rt.c11
-rw-r--r--net/netfilter/xt_comment.c5
-rw-r--r--net/netfilter/xt_connbytes.c7
-rw-r--r--net/netfilter/xt_connlimit.c17
-rw-r--r--net/netfilter/xt_connmark.c14
-rw-r--r--net/netfilter/xt_conntrack.c22
-rw-r--r--net/netfilter/xt_dccp.c16
-rw-r--r--net/netfilter/xt_dscp.c30
-rw-r--r--net/netfilter/xt_esp.c13
-rw-r--r--net/netfilter/xt_hashlimit.c22
-rw-r--r--net/netfilter/xt_helper.c7
-rw-r--r--net/netfilter/xt_iprange.c21
-rw-r--r--net/netfilter/xt_length.c14
-rw-r--r--net/netfilter/xt_limit.c7
-rw-r--r--net/netfilter/xt_mac.c7
-rw-r--r--net/netfilter/xt_mark.c13
-rw-r--r--net/netfilter/xt_multiport.c26
-rw-r--r--net/netfilter/xt_owner.c21
-rw-r--r--net/netfilter/xt_physdev.c7
-rw-r--r--net/netfilter/xt_pkttype.c11
-rw-r--r--net/netfilter/xt_policy.c11
-rw-r--r--net/netfilter/xt_quota.c7
-rw-r--r--net/netfilter/xt_rateest.c12
-rw-r--r--net/netfilter/xt_realm.c7
-rw-r--r--net/netfilter/xt_recent.c17
-rw-r--r--net/netfilter/xt_sctp.c16
-rw-r--r--net/netfilter/xt_socket.c11
-rw-r--r--net/netfilter/xt_state.c7
-rw-r--r--net/netfilter/xt_statistic.c7
-rw-r--r--net/netfilter/xt_string.c9
-rw-r--r--net/netfilter/xt_tcpmss.c13
-rw-r--r--net/netfilter/xt_tcpudp.c36
-rw-r--r--net/netfilter/xt_time.c6
-rw-r--r--net/netfilter/xt_u32.c7
59 files changed, 286 insertions, 487 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 85aa42785a5e..bcd40ec83257 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -173,6 +173,26 @@ struct xt_counters_info
173 173
174#include <linux/netdevice.h> 174#include <linux/netdevice.h>
175 175
176/**
177 * struct xt_match_param - parameters for match extensions' match functions
178 *
179 * @in: input netdevice
180 * @out: output netdevice
181 * @match: struct xt_match through which this function was invoked
182 * @matchinfo: per-match data
183 * @fragoff: packet is a fragment, this is the data offset
184 * @thoff: position of transport header relative to skb->data
185 * @hotdrop: drop packet if we had inspection problems
186 */
187struct xt_match_param {
188 const struct net_device *in, *out;
189 const struct xt_match *match;
190 const void *matchinfo;
191 int fragoff;
192 unsigned int thoff;
193 bool *hotdrop;
194};
195
176struct xt_match 196struct xt_match
177{ 197{
178 struct list_head list; 198 struct list_head list;
@@ -185,13 +205,7 @@ struct xt_match
185 non-linear skb, using skb_header_pointer and 205 non-linear skb, using skb_header_pointer and
186 skb_ip_make_writable. */ 206 skb_ip_make_writable. */
187 bool (*match)(const struct sk_buff *skb, 207 bool (*match)(const struct sk_buff *skb,
188 const struct net_device *in, 208 const struct xt_match_param *);
189 const struct net_device *out,
190 const struct xt_match *match,
191 const void *matchinfo,
192 int offset,
193 unsigned int protoff,
194 bool *hotdrop);
195 209
196 /* Called when user tries to insert an entry of this type. */ 210 /* Called when user tries to insert an entry of this type. */
197 /* Should return true or false. */ 211 /* Should return true or false. */
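Review bot: The new `match` callback prototype in the second hunk drops the parameter name (`const struct xt_match_param *);`) while the `skb` parameter on the same line keeps its name; write it as `const struct xt_match_param *par);` so the header documents itself and matches every implementation in this commit. The kernel-doc block on struct xt_match_param also says nothing about who fills the fields: `match` and `matchinfo` are stored per rule by the table walkers (ebt_do_match and the two do_match helpers), whereas `fragoff` and `thoff` are assigned only by the IPv4 and IPv6 walkers in this series and the ebtables walker visibly leaves them unset. I would add `@match/@matchinfo: filled in by the table walker for each rule before the callback runs`, extend `@fragoff` and `@thoff` with `(set by the IPv4/IPv6 table walkers only; other families leave them zero)`, and make `@hotdrop` say that the match stores `*hotdrop = true` to ask the caller to drop a packet it cannot inspect.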
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 6fc2a59e09a1..c9e1bc149513 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -13,11 +13,9 @@
13#include <linux/netfilter_bridge/ebt_802_3.h> 13#include <linux/netfilter_bridge/ebt_802_3.h>
14 14
15static bool 15static bool
16ebt_802_3_mt(const struct sk_buff *skb, const struct net_device *in, 16ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
17 const struct net_device *out, const struct xt_match *match,
18 const void *data, int offset, unsigned int protoff, bool *hotdrop)
19{ 17{
20 const struct ebt_802_3_info *info = data; 18 const struct ebt_802_3_info *info = par->matchinfo;
21 const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb); 19 const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
22 __be16 type = hdr->llc.ui.ctrl & IS_UI ? hdr->llc.ui.type : hdr->llc.ni.type; 20 __be16 type = hdr->llc.ui.ctrl & IS_UI ? hdr->llc.ui.type : hdr->llc.ni.type;
23 21
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 084559e1840f..0ad0db3e815d 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -128,11 +128,9 @@ static int get_ip_src(const struct sk_buff *skb, __be32 *addr)
128} 128}
129 129
130static bool 130static bool
131ebt_among_mt(const struct sk_buff *skb, const struct net_device *in, 131ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par)
132 const struct net_device *out, const struct xt_match *match,
133 const void *data, int offset, unsigned int protoff, bool *hotdrop)
134{ 132{
135 const struct ebt_among_info *info = data; 133 const struct ebt_among_info *info = par->matchinfo;
136 const char *dmac, *smac; 134 const char *dmac, *smac;
137 const struct ebt_mac_wormhash *wh_dst, *wh_src; 135 const struct ebt_mac_wormhash *wh_dst, *wh_src;
138 __be32 dip = 0, sip = 0; 136 __be32 dip = 0, sip = 0;
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index a073dffe7a11..1ff8fa3a9e7b 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -16,11 +16,9 @@
16#include <linux/netfilter_bridge/ebt_arp.h> 16#include <linux/netfilter_bridge/ebt_arp.h>
17 17
18static bool 18static bool
19ebt_arp_mt(const struct sk_buff *skb, const struct net_device *in, 19ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
20 const struct net_device *out, const struct xt_match *match,
21 const void *data, int offset, unsigned int protoff, bool *hotdrop)
22{ 20{
23 const struct ebt_arp_info *info = data; 21 const struct ebt_arp_info *info = par->matchinfo;
24 const struct arphdr *ah; 22 const struct arphdr *ah;
25 struct arphdr _arph; 23 struct arphdr _arph;
26 24
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index b42c7ce799b3..c70ea39840b7 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -25,11 +25,9 @@ struct tcpudphdr {
25}; 25};
26 26
27static bool 27static bool
28ebt_ip_mt(const struct sk_buff *skb, const struct net_device *in, 28ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
29 const struct net_device *out, const struct xt_match *match,
30 const void *data, int offset, unsigned int protoff, bool *hotdrop)
31{ 29{
32 const struct ebt_ip_info *info = data; 30 const struct ebt_ip_info *info = par->matchinfo;
33 const struct iphdr *ih; 31 const struct iphdr *ih;
34 struct iphdr _iph; 32 struct iphdr _iph;
35 const struct tcpudphdr *pptr; 33 const struct tcpudphdr *pptr;
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 7bd983129674..5acee02de723 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -28,11 +28,9 @@ struct tcpudphdr {
28}; 28};
29 29
30static bool 30static bool
31ebt_ip6_mt(const struct sk_buff *skb, const struct net_device *in, 31ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
32 const struct net_device *out, const struct xt_match *match,
33 const void *data, int offset, unsigned int protoff, bool *hotdrop)
34{ 32{
35 const struct ebt_ip6_info *info = data; 33 const struct ebt_ip6_info *info = par->matchinfo;
36 const struct ipv6hdr *ih6; 34 const struct ipv6hdr *ih6;
37 struct ipv6hdr _ip6h; 35 struct ipv6hdr _ip6h;
38 const struct tcpudphdr *pptr; 36 const struct tcpudphdr *pptr;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 58aaaa149068..9a3ec8cadaa4 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -31,11 +31,9 @@ static DEFINE_SPINLOCK(limit_lock);
31#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ) 31#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
32 32
33static bool 33static bool
34ebt_limit_mt(const struct sk_buff *skb, const struct net_device *in, 34ebt_limit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
35 const struct net_device *out, const struct xt_match *match,
36 const void *data, int offset, unsigned int protoff, bool *hotdrop)
37{ 35{
38 struct ebt_limit_info *info = (void *)data; 36 struct ebt_limit_info *info = (void *)par->matchinfo;
39 unsigned long now = jiffies; 37 unsigned long now = jiffies;
40 38
41 spin_lock_bh(&limit_lock); 39 spin_lock_bh(&limit_lock);
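Review bot: The rewritten initializer `struct ebt_limit_info *info = (void *)par->matchinfo;` casts away the const that the new `matchinfo` field carries, and the function then takes `limit_lock`, which suggests it updates rule state through that pointer (the body continues outside the hunk). Going through `void *` hides the write from the compiler and from readers of struct xt_match_param, which now presents per-match data as read-only. If stateful matches are expected to write their matchinfo, a comment such as `/* matchinfo is updated in place under limit_lock; the const on par->matchinfo only reflects the common read-only case */` makes that contract explicit; otherwise the mutable counters belong in separately allocated state rather than behind a const-stripping cast.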
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index aa6781c7f98b..5b22ef96127c 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -13,11 +13,9 @@
13#include <linux/netfilter_bridge/ebt_mark_m.h> 13#include <linux/netfilter_bridge/ebt_mark_m.h>
14 14
15static bool 15static bool
16ebt_mark_mt(const struct sk_buff *skb, const struct net_device *in, 16ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
17 const struct net_device *out, const struct xt_match *match,
18 const void *data, int offset, unsigned int protoff, bool *hotdrop)
19{ 17{
20 const struct ebt_mark_m_info *info = data; 18 const struct ebt_mark_m_info *info = par->matchinfo;
21 19
22 if (info->bitmask & EBT_MARK_OR) 20 if (info->bitmask & EBT_MARK_OR)
23 return !!(skb->mark & info->mask) ^ info->invert; 21 return !!(skb->mark & info->mask) ^ info->invert;
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index 1c04ce5a52c7..b756f88fb10f 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -13,12 +13,9 @@
13#include <linux/netfilter_bridge/ebt_pkttype.h> 13#include <linux/netfilter_bridge/ebt_pkttype.h>
14 14
15static bool 15static bool
16ebt_pkttype_mt(const struct sk_buff *skb, const struct net_device *in, 16ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
17 const struct net_device *out, const struct xt_match *match,
18 const void *data, int offset, unsigned int protoff,
19 bool *hotdrop)
20{ 17{
21 const struct ebt_pkttype_info *info = data; 18 const struct ebt_pkttype_info *info = par->matchinfo;
22 19
23 return (skb->pkt_type == info->pkt_type) ^ info->invert; 20 return (skb->pkt_type == info->pkt_type) ^ info->invert;
24} 21}
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 28bb48b67a80..06d777c62c32 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -120,11 +120,9 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
120} 120}
121 121
122static bool 122static bool
123ebt_stp_mt(const struct sk_buff *skb, const struct net_device *in, 123ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
124 const struct net_device *out, const struct xt_match *match,
125 const void *data, int offset, unsigned int protoff, bool *hotdrop)
126{ 124{
127 const struct ebt_stp_info *info = data; 125 const struct ebt_stp_info *info = par->matchinfo;
128 const struct stp_header *sp; 126 const struct stp_header *sp;
129 struct stp_header _stph; 127 struct stp_header _stph;
130 const uint8_t header[6] = {0x42, 0x42, 0x03, 0x00, 0x00, 0x00}; 128 const uint8_t header[6] = {0x42, 0x42, 0x03, 0x00, 0x00, 0x00};
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index 5addef6d62f0..b05b4a818341 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -41,11 +41,9 @@ MODULE_LICENSE("GPL");
41#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; } 41#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
42 42
43static bool 43static bool
44ebt_vlan_mt(const struct sk_buff *skb, const struct net_device *in, 44ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
45 const struct net_device *out, const struct xt_match *match,
46 const void *data, int offset, unsigned int protoff, bool *hotdrop)
47{ 45{
48 const struct ebt_vlan_info *info = data; 46 const struct ebt_vlan_info *info = par->matchinfo;
49 const struct vlan_hdr *fp; 47 const struct vlan_hdr *fp;
50 struct vlan_hdr _frame; 48 struct vlan_hdr _frame;
51 49
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 7ee72b71d3cb..f8e1822f38d4 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -74,11 +74,11 @@ static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
74} 74}
75 75
76static inline int ebt_do_match (struct ebt_entry_match *m, 76static inline int ebt_do_match (struct ebt_entry_match *m,
77 const struct sk_buff *skb, const struct net_device *in, 77 const struct sk_buff *skb, struct xt_match_param *par)
78 const struct net_device *out, bool *hotdrop)
79{ 78{
80 return m->u.match->match(skb, in, out, m->u.match, 79 par->match = m->u.match;
81 m->data, 0, 0, hotdrop); 80 par->matchinfo = m->data;
81 return m->u.match->match(skb, par);
82} 82}
83 83
84static inline int ebt_dev_check(char *entry, const struct net_device *device) 84static inline int ebt_dev_check(char *entry, const struct net_device *device)
@@ -155,6 +155,11 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
155 char *base; 155 char *base;
156 struct ebt_table_info *private; 156 struct ebt_table_info *private;
157 bool hotdrop = false; 157 bool hotdrop = false;
158 struct xt_match_param mtpar;
159
160 mtpar.in = in;
161 mtpar.out = out;
162 mtpar.hotdrop = &hotdrop;
158 163
159 read_lock_bh(&table->lock); 164 read_lock_bh(&table->lock);
160 private = table->private; 165 private = table->private;
@@ -175,8 +180,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
175 if (ebt_basic_match(point, eth_hdr(skb), in, out)) 180 if (ebt_basic_match(point, eth_hdr(skb), in, out))
176 goto letscontinue; 181 goto letscontinue;
177 182
178 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, 183 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
179 in, out, &hotdrop) != 0)
180 goto letscontinue; 184 goto letscontinue;
181 if (hotdrop) { 185 if (hotdrop) {
182 read_unlock_bh(&table->lock); 186 read_unlock_bh(&table->lock);
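Review bot: `mtpar` in ebt_do_table is only given `in`, `out` and `hotdrop`; `fragoff` and `thoff` are left indeterminate, whereas the removed call passed explicit zeros (`m->data, 0, 0, hotdrop`). Any match reachable from a bridge table that consults `par->fragoff` or `par->thoff` would now read uninitialized stack, and the `const` on the callback's parameter makes such a read easy to miss in review. Replace the three assignments with a designated initializer, `struct xt_match_param mtpar = { .in = in, .out = out, .hotdrop = &hotdrop };`, which zeroes the remaining members and keeps the previous behaviour. ebt_do_table continues outside the hunk.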
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index b4c74a7a807c..99fdb59454fd 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -186,16 +186,14 @@ ipt_error(struct sk_buff *skb,
186 186
187/* Performance critical - called for every packet */ 187/* Performance critical - called for every packet */
188static inline bool 188static inline bool
189do_match(struct ipt_entry_match *m, 189do_match(struct ipt_entry_match *m, const struct sk_buff *skb,
190 const struct sk_buff *skb, 190 struct xt_match_param *par)
191 const struct net_device *in,
192 const struct net_device *out,
193 int offset,
194 bool *hotdrop)
195{ 191{
192 par->match = m->u.kernel.match;
193 par->matchinfo = m->data;
194
196 /* Stop iteration if it doesn't match */ 195 /* Stop iteration if it doesn't match */
197 if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data, 196 if (!m->u.kernel.match->match(skb, par))
198 offset, ip_hdrlen(skb), hotdrop))
199 return true; 197 return true;
200 else 198 else
201 return false; 199 return false;
@@ -326,7 +324,6 @@ ipt_do_table(struct sk_buff *skb,
326 struct xt_table *table) 324 struct xt_table *table)
327{ 325{
328 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 326 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
329 u_int16_t offset;
330 const struct iphdr *ip; 327 const struct iphdr *ip;
331 u_int16_t datalen; 328 u_int16_t datalen;
332 bool hotdrop = false; 329 bool hotdrop = false;
@@ -336,6 +333,7 @@ ipt_do_table(struct sk_buff *skb,
336 void *table_base; 333 void *table_base;
337 struct ipt_entry *e, *back; 334 struct ipt_entry *e, *back;
338 struct xt_table_info *private; 335 struct xt_table_info *private;
336 struct xt_match_param mtpar;
339 337
340 /* Initialization */ 338 /* Initialization */
341 ip = ip_hdr(skb); 339 ip = ip_hdr(skb);
@@ -348,7 +346,11 @@ ipt_do_table(struct sk_buff *skb,
348 * things we don't know, ie. tcp syn flag or ports). If the 346 * things we don't know, ie. tcp syn flag or ports). If the
349 * rule is also a fragment-specific rule, non-fragments won't 347 * rule is also a fragment-specific rule, non-fragments won't
350 * match it. */ 348 * match it. */
351 offset = ntohs(ip->frag_off) & IP_OFFSET; 349 mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
350 mtpar.thoff = ip_hdrlen(skb);
351 mtpar.hotdrop = &hotdrop;
352 mtpar.in = in;
353 mtpar.out = out;
352 354
353 read_lock_bh(&table->lock); 355 read_lock_bh(&table->lock);
354 IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 356 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
@@ -362,12 +364,11 @@ ipt_do_table(struct sk_buff *skb,
362 do { 364 do {
363 IP_NF_ASSERT(e); 365 IP_NF_ASSERT(e);
364 IP_NF_ASSERT(back); 366 IP_NF_ASSERT(back);
365 if (ip_packet_match(ip, indev, outdev, &e->ip, offset)) { 367 if (ip_packet_match(ip, indev, outdev,
368 &e->ip, mtpar.fragoff)) {
366 struct ipt_entry_target *t; 369 struct ipt_entry_target *t;
367 370
368 if (IPT_MATCH_ITERATE(e, do_match, 371 if (IPT_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0)
369 skb, in, out,
370 offset, &hotdrop) != 0)
371 goto no_match; 372 goto no_match;
372 373
373 ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1); 374 ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
@@ -2116,30 +2117,23 @@ icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2116} 2117}
2117 2118
2118static bool 2119static bool
2119icmp_match(const struct sk_buff *skb, 2120icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
2120 const struct net_device *in,
2121 const struct net_device *out,
2122 const struct xt_match *match,
2123 const void *matchinfo,
2124 int offset,
2125 unsigned int protoff,
2126 bool *hotdrop)
2127{ 2121{
2128 const struct icmphdr *ic; 2122 const struct icmphdr *ic;
2129 struct icmphdr _icmph; 2123 struct icmphdr _icmph;
2130 const struct ipt_icmp *icmpinfo = matchinfo; 2124 const struct ipt_icmp *icmpinfo = par->matchinfo;
2131 2125
2132 /* Must not be a fragment. */ 2126 /* Must not be a fragment. */
2133 if (offset) 2127 if (par->fragoff != 0)
2134 return false; 2128 return false;
2135 2129
2136 ic = skb_header_pointer(skb, protoff, sizeof(_icmph), &_icmph); 2130 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2137 if (ic == NULL) { 2131 if (ic == NULL) {
2138 /* We've been asked to examine this packet, and we 2132 /* We've been asked to examine this packet, and we
2139 * can't. Hence, no choice but to drop. 2133 * can't. Hence, no choice but to drop.
2140 */ 2134 */
2141 duprintf("Dropping evil ICMP tinygram.\n"); 2135 duprintf("Dropping evil ICMP tinygram.\n");
2142 *hotdrop = true; 2136 *par->hotdrop = true;
2143 return false; 2137 return false;
2144 } 2138 }
2145 2139
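Review bot: In do_match the rewritten call `if (!m->u.kernel.match->match(skb, par))` still drives an if/else that returns the literals `true` and `false`; after the two assignments the body is just `return !m->u.kernel.match->match(skb, par);`, which reads more directly and is what the "stop iteration if it doesn't match" comment describes. The same shape appears in the do_match helper of ip6_tables.c. do_match's closing brace and the rest of ipt_do_table are outside the hunks shown.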
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 2c9d88a6c838..e60995e4c20c 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -30,12 +30,9 @@ static inline bool match_type(const struct net_device *dev, __be32 addr,
30} 30}
31 31
32static bool 32static bool
33addrtype_mt_v0(const struct sk_buff *skb, const struct net_device *in, 33addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
34 const struct net_device *out, const struct xt_match *match,
35 const void *matchinfo, int offset, unsigned int protoff,
36 bool *hotdrop)
37{ 34{
38 const struct ipt_addrtype_info *info = matchinfo; 35 const struct ipt_addrtype_info *info = par->matchinfo;
39 const struct iphdr *iph = ip_hdr(skb); 36 const struct iphdr *iph = ip_hdr(skb);
40 bool ret = true; 37 bool ret = true;
41 38
@@ -50,20 +47,17 @@ addrtype_mt_v0(const struct sk_buff *skb, const struct net_device *in,
50} 47}
51 48
52static bool 49static bool
53addrtype_mt_v1(const struct sk_buff *skb, const struct net_device *in, 50addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
54 const struct net_device *out, const struct xt_match *match,
55 const void *matchinfo, int offset, unsigned int protoff,
56 bool *hotdrop)
57{ 51{
58 const struct ipt_addrtype_info_v1 *info = matchinfo; 52 const struct ipt_addrtype_info_v1 *info = par->matchinfo;
59 const struct iphdr *iph = ip_hdr(skb); 53 const struct iphdr *iph = ip_hdr(skb);
60 const struct net_device *dev = NULL; 54 const struct net_device *dev = NULL;
61 bool ret = true; 55 bool ret = true;
62 56
63 if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) 57 if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN)
64 dev = in; 58 dev = par->in;
65 else if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) 59 else if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT)
66 dev = out; 60 dev = par->out;
67 61
68 if (info->source) 62 if (info->source)
69 ret &= match_type(dev, iph->saddr, info->source) ^ 63 ret &= match_type(dev, iph->saddr, info->source) ^
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index e2e993edd665..2fce19ef4f3f 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -36,27 +36,23 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
36 return r; 36 return r;
37} 37}
38 38
39static bool 39static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
40ah_mt(const struct sk_buff *skb, const struct net_device *in,
41 const struct net_device *out, const struct xt_match *match,
42 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
43{ 40{
44 struct ip_auth_hdr _ahdr; 41 struct ip_auth_hdr _ahdr;
45 const struct ip_auth_hdr *ah; 42 const struct ip_auth_hdr *ah;
46 const struct ipt_ah *ahinfo = matchinfo; 43 const struct ipt_ah *ahinfo = par->matchinfo;
47 44
48 /* Must not be a fragment. */ 45 /* Must not be a fragment. */
49 if (offset) 46 if (par->fragoff != 0)
50 return false; 47 return false;
51 48
52 ah = skb_header_pointer(skb, protoff, 49 ah = skb_header_pointer(skb, par->thoff, sizeof(_ahdr), &_ahdr);
53 sizeof(_ahdr), &_ahdr);
54 if (ah == NULL) { 50 if (ah == NULL) {
55 /* We've been asked to examine this packet, and we 51 /* We've been asked to examine this packet, and we
56 * can't. Hence, no choice but to drop. 52 * can't. Hence, no choice but to drop.
57 */ 53 */
58 duprintf("Dropping evil AH tinygram.\n"); 54 duprintf("Dropping evil AH tinygram.\n");
59 *hotdrop = true; 55 *par->hotdrop = true;
60 return 0; 56 return 0;
61 } 57 }
62 58
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 2c45b4be7c3c..069154631508 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -67,12 +67,9 @@ static inline bool match_tcp(const struct sk_buff *skb,
67 return true; 67 return true;
68} 68}
69 69
70static bool 70static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
71ecn_mt(const struct sk_buff *skb, const struct net_device *in,
72 const struct net_device *out, const struct xt_match *match,
73 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
74{ 71{
75 const struct ipt_ecn_info *info = matchinfo; 72 const struct ipt_ecn_info *info = par->matchinfo;
76 73
77 if (info->operation & IPT_ECN_OP_MATCH_IP) 74 if (info->operation & IPT_ECN_OP_MATCH_IP)
78 if (!match_ip(skb, info)) 75 if (!match_ip(skb, info))
@@ -81,7 +78,7 @@ ecn_mt(const struct sk_buff *skb, const struct net_device *in,
81 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { 78 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
82 if (ip_hdr(skb)->protocol != IPPROTO_TCP) 79 if (ip_hdr(skb)->protocol != IPPROTO_TCP)
83 return false; 80 return false;
84 if (!match_tcp(skb, info, hotdrop)) 81 if (!match_tcp(skb, info, par->hotdrop))
85 return false; 82 return false;
86 } 83 }
87 84
diff --git a/net/ipv4/netfilter/ipt_ttl.c b/net/ipv4/netfilter/ipt_ttl.c
index d4c3fdc2a79f..297f1cbf4ff5 100644
--- a/net/ipv4/netfilter/ipt_ttl.c
+++ b/net/ipv4/netfilter/ipt_ttl.c
@@ -18,12 +18,9 @@ MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
18MODULE_DESCRIPTION("Xtables: IPv4 TTL field match"); 18MODULE_DESCRIPTION("Xtables: IPv4 TTL field match");
19MODULE_LICENSE("GPL"); 19MODULE_LICENSE("GPL");
20 20
21static bool 21static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
22ttl_mt(const struct sk_buff *skb, const struct net_device *in,
23 const struct net_device *out, const struct xt_match *match,
24 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
25{ 22{
26 const struct ipt_ttl_info *info = matchinfo; 23 const struct ipt_ttl_info *info = par->matchinfo;
27 const u8 ttl = ip_hdr(skb)->ttl; 24 const u8 ttl = ip_hdr(skb)->ttl;
28 25
29 switch (info->mode) { 26 switch (info->mode) {
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 12c41b8d365b..cf2c5370a4e8 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -215,17 +215,14 @@ ip6t_error(struct sk_buff *skb,
215 215
216/* Performance critical - called for every packet */ 216/* Performance critical - called for every packet */
217static inline bool 217static inline bool
218do_match(struct ip6t_entry_match *m, 218do_match(struct ip6t_entry_match *m, const struct sk_buff *skb,
219 const struct sk_buff *skb, 219 struct xt_match_param *par)
220 const struct net_device *in,
221 const struct net_device *out,
222 int offset,
223 unsigned int protoff,
224 bool *hotdrop)
225{ 220{
221 par->match = m->u.kernel.match;
222 par->matchinfo = m->data;
223
226 /* Stop iteration if it doesn't match */ 224 /* Stop iteration if it doesn't match */
227 if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data, 225 if (!m->u.kernel.match->match(skb, par))
228 offset, protoff, hotdrop))
229 return true; 226 return true;
230 else 227 else
231 return false; 228 return false;
@@ -355,8 +352,6 @@ ip6t_do_table(struct sk_buff *skb,
355 struct xt_table *table) 352 struct xt_table *table)
356{ 353{
357 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 354 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
358 int offset = 0;
359 unsigned int protoff = 0;
360 bool hotdrop = false; 355 bool hotdrop = false;
361 /* Initializing verdict to NF_DROP keeps gcc happy. */ 356 /* Initializing verdict to NF_DROP keeps gcc happy. */
362 unsigned int verdict = NF_DROP; 357 unsigned int verdict = NF_DROP;
@@ -364,6 +359,7 @@ ip6t_do_table(struct sk_buff *skb,
364 void *table_base; 359 void *table_base;
365 struct ip6t_entry *e, *back; 360 struct ip6t_entry *e, *back;
366 struct xt_table_info *private; 361 struct xt_table_info *private;
362 struct xt_match_param mtpar;
367 363
368 /* Initialization */ 364 /* Initialization */
369 indev = in ? in->name : nulldevname; 365 indev = in ? in->name : nulldevname;
@@ -374,6 +370,9 @@ ip6t_do_table(struct sk_buff *skb,
374 * things we don't know, ie. tcp syn flag or ports). If the 370 * things we don't know, ie. tcp syn flag or ports). If the
375 * rule is also a fragment-specific rule, non-fragments won't 371 * rule is also a fragment-specific rule, non-fragments won't
376 * match it. */ 372 * match it. */
373 mtpar.hotdrop = &hotdrop;
374 mtpar.in = in;
375 mtpar.out = out;
377 376
378 read_lock_bh(&table->lock); 377 read_lock_bh(&table->lock);
379 IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 378 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
@@ -388,12 +387,10 @@ ip6t_do_table(struct sk_buff *skb,
388 IP_NF_ASSERT(e); 387 IP_NF_ASSERT(e);
389 IP_NF_ASSERT(back); 388 IP_NF_ASSERT(back);
390 if (ip6_packet_match(skb, indev, outdev, &e->ipv6, 389 if (ip6_packet_match(skb, indev, outdev, &e->ipv6,
391 &protoff, &offset, &hotdrop)) { 390 &mtpar.thoff, &mtpar.fragoff, &hotdrop)) {
392 struct ip6t_entry_target *t; 391 struct ip6t_entry_target *t;
393 392
394 if (IP6T_MATCH_ITERATE(e, do_match, 393 if (IP6T_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0)
395 skb, in, out,
396 offset, protoff, &hotdrop) != 0)
397 goto no_match; 394 goto no_match;
398 395
399 ADD_COUNTER(e->counters, 396 ADD_COUNTER(e->counters,
@@ -2141,30 +2138,23 @@ icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2141} 2138}
2142 2139
2143static bool 2140static bool
2144icmp6_match(const struct sk_buff *skb, 2141icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
2145 const struct net_device *in,
2146 const struct net_device *out,
2147 const struct xt_match *match,
2148 const void *matchinfo,
2149 int offset,
2150 unsigned int protoff,
2151 bool *hotdrop)
2152{ 2142{
2153 const struct icmp6hdr *ic; 2143 const struct icmp6hdr *ic;
2154 struct icmp6hdr _icmph; 2144 struct icmp6hdr _icmph;
2155 const struct ip6t_icmp *icmpinfo = matchinfo; 2145 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2156 2146
2157 /* Must not be a fragment. */ 2147 /* Must not be a fragment. */
2158 if (offset) 2148 if (par->fragoff != 0)
2159 return false; 2149 return false;
2160 2150
2161 ic = skb_header_pointer(skb, protoff, sizeof(_icmph), &_icmph); 2151 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2162 if (ic == NULL) { 2152 if (ic == NULL) {
2163 /* We've been asked to examine this packet, and we 2153 /* We've been asked to examine this packet, and we
2164 * can't. Hence, no choice but to drop. 2154 * can't. Hence, no choice but to drop.
2165 */ 2155 */
2166 duprintf("Dropping evil ICMP tinygram.\n"); 2156 duprintf("Dropping evil ICMP tinygram.\n");
2167 *hotdrop = true; 2157 *par->hotdrop = true;
2168 return false; 2158 return false;
2169 } 2159 }
2170 2160
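Review bot: The removed declarations `int offset = 0;` and `unsigned int protoff = 0;` in ip6t_do_table were zero-initialized, but the new `mtpar` only receives `hotdrop`, `in` and `out`; `mtpar.thoff` and `mtpar.fragoff` are now written solely by ip6_packet_match through its out-pointers, and whether it stores to both on every path that returns true is not visible here. Matches in this series do read them — icmp6_match tests `par->fragoff != 0` and passes `par->thoff` to skb_header_pointer, and eui64_mt6 tests `par->fragoff` — so an unwritten member turns into an uninitialized-stack read that decides a verdict. Either assign every member the way ipt_do_table does, or use `struct xt_match_param mtpar = { .in = in, .out = out, .hotdrop = &hotdrop };` so the remaining members start at zero as before. ip6t_do_table continues outside the hunk.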
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index 061f89beeb67..a04f2b8396e9 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -36,14 +36,11 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
36 return r; 36 return r;
37} 37}
38 38
39static bool 39static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
40ah_mt6(const struct sk_buff *skb, const struct net_device *in,
41 const struct net_device *out, const struct xt_match *match,
42 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
43{ 40{
44 struct ip_auth_hdr _ah; 41 struct ip_auth_hdr _ah;
45 const struct ip_auth_hdr *ah; 42 const struct ip_auth_hdr *ah;
46 const struct ip6t_ah *ahinfo = matchinfo; 43 const struct ip6t_ah *ahinfo = par->matchinfo;
47 unsigned int ptr; 44 unsigned int ptr;
48 unsigned int hdrlen = 0; 45 unsigned int hdrlen = 0;
49 int err; 46 int err;
@@ -51,13 +48,13 @@ ah_mt6(const struct sk_buff *skb, const struct net_device *in,
51 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL); 48 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
52 if (err < 0) { 49 if (err < 0) {
53 if (err != -ENOENT) 50 if (err != -ENOENT)
54 *hotdrop = true; 51 *par->hotdrop = true;
55 return false; 52 return false;
56 } 53 }
57 54
58 ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah); 55 ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
59 if (ah == NULL) { 56 if (ah == NULL) {
60 *hotdrop = true; 57 *par->hotdrop = true;
61 return false; 58 return false;
62 } 59 }
63 60
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index ba38df1116f0..db610bacbcce 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -20,18 +20,15 @@ MODULE_LICENSE("GPL");
20MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>"); 20MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
21 21
22static bool 22static bool
23eui64_mt6(const struct sk_buff *skb, const struct net_device *in, 23eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
24 const struct net_device *out, const struct xt_match *match,
25 const void *matchinfo, int offset, unsigned int protoff,
26 bool *hotdrop)
27{ 24{
28 unsigned char eui64[8]; 25 unsigned char eui64[8];
29 int i = 0; 26 int i = 0;
30 27
31 if (!(skb_mac_header(skb) >= skb->head && 28 if (!(skb_mac_header(skb) >= skb->head &&
32 skb_mac_header(skb) + ETH_HLEN <= skb->data) && 29 skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
33 offset != 0) { 30 par->fragoff != 0) {
34 *hotdrop = true; 31 *par->hotdrop = true;
35 return false; 32 return false;
36 } 33 }
37 34
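Review bot: The guard at new lines 28-30 hotdrops only when the MAC-header bounds check fails and the packet is a non-first fragment (`&&`), so an unfragmented packet whose MAC header lies outside the linear buffer passes the guard and, presumably, reaches the MAC-header reads further down in eui64_mt6 (outside the hunk). If that is intentional, a comment stating why the MAC header can be trusted for non-fragments would help; otherwise the two conditions read as though they should be joined with `||`. The function body continues past the hunk.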
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index 972f699af22c..6951d0dacf45 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -35,27 +35,24 @@ id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
35} 35}
36 36
37static bool 37static bool
38frag_mt6(const struct sk_buff *skb, const struct net_device *in, 38frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
39 const struct net_device *out, const struct xt_match *match,
40 const void *matchinfo, int offset, unsigned int protoff,
41 bool *hotdrop)
42{ 39{
43 struct frag_hdr _frag; 40 struct frag_hdr _frag;
44 const struct frag_hdr *fh; 41 const struct frag_hdr *fh;
45 const struct ip6t_frag *fraginfo = matchinfo; 42 const struct ip6t_frag *fraginfo = par->matchinfo;
46 unsigned int ptr; 43 unsigned int ptr;
47 int err; 44 int err;
48 45
49 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL); 46 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
50 if (err < 0) { 47 if (err < 0) {
51 if (err != -ENOENT) 48 if (err != -ENOENT)
52 *hotdrop = true; 49 *par->hotdrop = true;
53 return false; 50 return false;
54 } 51 }
55 52
56 fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag); 53 fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
57 if (fh == NULL) { 54 if (fh == NULL) {
58 *hotdrop = true; 55 *par->hotdrop = true;
59 return false; 56 return false;
60 } 57 }
61 58
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index d5edb51a595a..d3351978819a 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -42,14 +42,11 @@ MODULE_ALIAS("ip6t_dst");
42 */ 42 */
43 43
44static bool 44static bool
45hbh_mt6(const struct sk_buff *skb, const struct net_device *in, 45hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
46 const struct net_device *out, const struct xt_match *match,
47 const void *matchinfo, int offset, unsigned int protoff,
48 bool *hotdrop)
49{ 46{
50 struct ipv6_opt_hdr _optsh; 47 struct ipv6_opt_hdr _optsh;
51 const struct ipv6_opt_hdr *oh; 48 const struct ipv6_opt_hdr *oh;
52 const struct ip6t_opts *optinfo = matchinfo; 49 const struct ip6t_opts *optinfo = par->matchinfo;
53 unsigned int temp; 50 unsigned int temp;
54 unsigned int ptr; 51 unsigned int ptr;
55 unsigned int hdrlen = 0; 52 unsigned int hdrlen = 0;
@@ -61,16 +58,16 @@ hbh_mt6(const struct sk_buff *skb, const struct net_device *in,
61 unsigned int optlen; 58 unsigned int optlen;
62 int err; 59 int err;
63 60
64 err = ipv6_find_hdr(skb, &ptr, match->data, NULL); 61 err = ipv6_find_hdr(skb, &ptr, par->match->data, NULL);
65 if (err < 0) { 62 if (err < 0) {
66 if (err != -ENOENT) 63 if (err != -ENOENT)
67 *hotdrop = true; 64 *par->hotdrop = true;
68 return false; 65 return false;
69 } 66 }
70 67
71 oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); 68 oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
72 if (oh == NULL) { 69 if (oh == NULL) {
73 *hotdrop = true; 70 *par->hotdrop = true;
74 return false; 71 return false;
75 } 72 }
76 73
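Review bot: `par->match->data` is passed to ipv6_find_hdr as the header type to search for (new line 61) without any hint of what it carries; from the `ip6t_dst` alias in the hunk context it is presumably the next-header value chosen at registration (hop-by-hop vs destination options), but a reader of hbh_mt6 cannot see that here. A comment at that line such as `/* match->data: NEXTHDR_* of the options header this instance was registered for */` would make the dispatch explicit; confirm the value against the xt_match definitions below (outside the hunk). hbh_mt6 starts in the previous hunk and ends after this one.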
diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c
index 25c1eb92fac3..c964dca1132d 100644
--- a/net/ipv6/netfilter/ip6t_hl.c
+++ b/net/ipv6/netfilter/ip6t_hl.c
@@ -19,12 +19,9 @@ MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
19MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field match"); 19MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field match");
20MODULE_LICENSE("GPL"); 20MODULE_LICENSE("GPL");
21 21
22static bool 22static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
23hl_mt6(const struct sk_buff *skb, const struct net_device *in,
24 const struct net_device *out, const struct xt_match *match,
25 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
26{ 23{
27 const struct ip6t_hl_info *info = matchinfo; 24 const struct ip6t_hl_info *info = par->matchinfo;
28 const struct ipv6hdr *ip6h = ipv6_hdr(skb); 25 const struct ipv6hdr *ip6h = ipv6_hdr(skb);
29 26
30 switch (info->mode) { 27 switch (info->mode) {
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index ef0661aacea7..6aaca511d473 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -27,12 +27,9 @@ MODULE_DESCRIPTION("Xtables: IPv6 header types match");
27MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>"); 27MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
28 28
29static bool 29static bool
30ipv6header_mt6(const struct sk_buff *skb, const struct net_device *in, 30ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
31 const struct net_device *out, const struct xt_match *match,
32 const void *matchinfo, int offset, unsigned int protoff,
33 bool *hotdrop)
34{ 31{
35 const struct ip6t_ipv6header_info *info = matchinfo; 32 const struct ip6t_ipv6header_info *info = par->matchinfo;
36 unsigned int temp; 33 unsigned int temp;
37 int len; 34 int len;
38 u8 nexthdr; 35 u8 nexthdr;
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index dd876274ff6e..2803258b6d07 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -37,32 +37,29 @@ type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
37 return (type >= min && type <= max) ^ invert; 37 return (type >= min && type <= max) ^ invert;
38} 38}
39 39
40static bool 40static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
41mh_mt6(const struct sk_buff *skb, const struct net_device *in,
42 const struct net_device *out, const struct xt_match *match,
43 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
44{ 41{
45 struct ip6_mh _mh; 42 struct ip6_mh _mh;
46 const struct ip6_mh *mh; 43 const struct ip6_mh *mh;
47 const struct ip6t_mh *mhinfo = matchinfo; 44 const struct ip6t_mh *mhinfo = par->matchinfo;
48 45
49 /* Must not be a fragment. */ 46 /* Must not be a fragment. */
50 if (offset) 47 if (par->fragoff != 0)
51 return false; 48 return false;
52 49
53 mh = skb_header_pointer(skb, protoff, sizeof(_mh), &_mh); 50 mh = skb_header_pointer(skb, par->thoff, sizeof(_mh), &_mh);
54 if (mh == NULL) { 51 if (mh == NULL) {
55 /* We've been asked to examine this packet, and we 52 /* We've been asked to examine this packet, and we
56 can't. Hence, no choice but to drop. */ 53 can't. Hence, no choice but to drop. */
57 duprintf("Dropping evil MH tinygram.\n"); 54 duprintf("Dropping evil MH tinygram.\n");
58 *hotdrop = true; 55 *par->hotdrop = true;
59 return false; 56 return false;
60 } 57 }
61 58
62 if (mh->ip6mh_proto != IPPROTO_NONE) { 59 if (mh->ip6mh_proto != IPPROTO_NONE) {
63 duprintf("Dropping invalid MH Payload Proto: %u\n", 60 duprintf("Dropping invalid MH Payload Proto: %u\n",
64 mh->ip6mh_proto); 61 mh->ip6mh_proto);
65 *hotdrop = true; 62 *par->hotdrop = true;
66 return false; 63 return false;
67 } 64 }
68 65
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 7c544ae591d8..9cf4b8a37af7 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -36,14 +36,11 @@ segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
36 return r; 36 return r;
37} 37}
38 38
39static bool 39static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
40rt_mt6(const struct sk_buff *skb, const struct net_device *in,
41 const struct net_device *out, const struct xt_match *match,
42 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
43{ 40{
44 struct ipv6_rt_hdr _route; 41 struct ipv6_rt_hdr _route;
45 const struct ipv6_rt_hdr *rh; 42 const struct ipv6_rt_hdr *rh;
46 const struct ip6t_rt *rtinfo = matchinfo; 43 const struct ip6t_rt *rtinfo = par->matchinfo;
47 unsigned int temp; 44 unsigned int temp;
48 unsigned int ptr; 45 unsigned int ptr;
49 unsigned int hdrlen = 0; 46 unsigned int hdrlen = 0;
@@ -55,13 +52,13 @@ rt_mt6(const struct sk_buff *skb, const struct net_device *in,
55 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL); 52 err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
56 if (err < 0) { 53 if (err < 0) {
57 if (err != -ENOENT) 54 if (err != -ENOENT)
58 *hotdrop = true; 55 *par->hotdrop = true;
59 return false; 56 return false;
60 } 57 }
61 58
62 rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); 59 rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
63 if (rh == NULL) { 60 if (rh == NULL) {
64 *hotdrop = true; 61 *par->hotdrop = true;
65 return false; 62 return false;
66 } 63 }
67 64
diff --git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index fa211b2ab874..bd7aa57af428 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -16,10 +16,7 @@ MODULE_ALIAS("ipt_comment");
16MODULE_ALIAS("ip6t_comment"); 16MODULE_ALIAS("ip6t_comment");
17 17
18static bool 18static bool
19comment_mt(const struct sk_buff *skb, const struct net_device *in, 19comment_mt(const struct sk_buff *skb, const struct xt_match_param *par)
20 const struct net_device *out, const struct xt_match *match,
21 const void *matchinfo, int offset, unsigned int protooff,
22 bool *hotdrop)
23{ 20{
24 /* We always match */ 21 /* We always match */
25 return true; 22 return true;
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index d2cd22a49c96..30c19b5fe908 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -17,12 +17,9 @@ MODULE_ALIAS("ipt_connbytes");
17MODULE_ALIAS("ip6t_connbytes"); 17MODULE_ALIAS("ip6t_connbytes");
18 18
19static bool 19static bool
20connbytes_mt(const struct sk_buff *skb, const struct net_device *in, 20connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
21 const struct net_device *out, const struct xt_match *match,
22 const void *matchinfo, int offset, unsigned int protoff,
23 bool *hotdrop)
24{ 21{
25 const struct xt_connbytes_info *sinfo = matchinfo; 22 const struct xt_connbytes_info *sinfo = par->matchinfo;
26 const struct nf_conn *ct; 23 const struct nf_conn *ct;
27 enum ip_conntrack_info ctinfo; 24 enum ip_conntrack_info ctinfo;
28 u_int64_t what = 0; /* initialize to make gcc happy */ 25 u_int64_t what = 0; /* initialize to make gcc happy */
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index bd00830ff697..8b8f70e76646 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -178,12 +178,9 @@ static int count_them(struct xt_connlimit_data *data,
178} 178}
179 179
180static bool 180static bool
181connlimit_mt(const struct sk_buff *skb, const struct net_device *in, 181connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
182 const struct net_device *out, const struct xt_match *match,
183 const void *matchinfo, int offset, unsigned int protoff,
184 bool *hotdrop)
185{ 182{
186 const struct xt_connlimit_info *info = matchinfo; 183 const struct xt_connlimit_info *info = par->matchinfo;
187 union nf_inet_addr addr; 184 union nf_inet_addr addr;
188 struct nf_conntrack_tuple tuple; 185 struct nf_conntrack_tuple tuple;
189 const struct nf_conntrack_tuple *tuple_ptr = &tuple; 186 const struct nf_conntrack_tuple *tuple_ptr = &tuple;
@@ -195,10 +192,10 @@ connlimit_mt(const struct sk_buff *skb, const struct net_device *in,
195 if (ct != NULL) 192 if (ct != NULL)
196 tuple_ptr = &ct->tuplehash[0].tuple; 193 tuple_ptr = &ct->tuplehash[0].tuple;
197 else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), 194 else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
198 match->family, &tuple)) 195 par->match->family, &tuple))
199 goto hotdrop; 196 goto hotdrop;
200 197
201 if (match->family == NFPROTO_IPV6) { 198 if (par->match->family == NFPROTO_IPV6) {
202 const struct ipv6hdr *iph = ipv6_hdr(skb); 199 const struct ipv6hdr *iph = ipv6_hdr(skb);
203 memcpy(&addr.ip6, &iph->saddr, sizeof(iph->saddr)); 200 memcpy(&addr.ip6, &iph->saddr, sizeof(iph->saddr));
204 } else { 201 } else {
@@ -208,19 +205,19 @@ connlimit_mt(const struct sk_buff *skb, const struct net_device *in,
208 205
209 spin_lock_bh(&info->data->lock); 206 spin_lock_bh(&info->data->lock);
210 connections = count_them(info->data, tuple_ptr, &addr, 207 connections = count_them(info->data, tuple_ptr, &addr,
211 &info->mask, match); 208 &info->mask, par->match);
212 spin_unlock_bh(&info->data->lock); 209 spin_unlock_bh(&info->data->lock);
213 210
214 if (connections < 0) { 211 if (connections < 0) {
215 /* kmalloc failed, drop it entirely */ 212 /* kmalloc failed, drop it entirely */
216 *hotdrop = true; 213 *par->hotdrop = true;
217 return false; 214 return false;
218 } 215 }
219 216
220 return (connections > info->limit) ^ info->inverse; 217 return (connections > info->limit) ^ info->inverse;
221 218
222 hotdrop: 219 hotdrop:
223 *hotdrop = true; 220 *par->hotdrop = true;
224 return false; 221 return false;
225} 222}
226 223
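Review bot: The kmalloc-failure branch at new lines 211-214 spells out `*par->hotdrop = true; return false;` while the `hotdrop:` label a few lines below (220-221) does exactly the same; `if (connections < 0) goto hotdrop;` (keeping the `/* kmalloc failed, drop it entirely */` comment) would leave connlimit_mt with a single hotdrop exit. Style only, behaviour is unchanged.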
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 0577b8ff4e1e..df4f4a865a5e 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -34,12 +34,9 @@ MODULE_ALIAS("ipt_connmark");
34MODULE_ALIAS("ip6t_connmark"); 34MODULE_ALIAS("ip6t_connmark");
35 35
36static bool 36static bool
37connmark_mt(const struct sk_buff *skb, const struct net_device *in, 37connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
38 const struct net_device *out, const struct xt_match *match,
39 const void *matchinfo, int offset, unsigned int protoff,
40 bool *hotdrop)
41{ 38{
42 const struct xt_connmark_mtinfo1 *info = matchinfo; 39 const struct xt_connmark_mtinfo1 *info = par->matchinfo;
43 enum ip_conntrack_info ctinfo; 40 enum ip_conntrack_info ctinfo;
44 const struct nf_conn *ct; 41 const struct nf_conn *ct;
45 42
@@ -51,12 +48,9 @@ connmark_mt(const struct sk_buff *skb, const struct net_device *in,
51} 48}
52 49
53static bool 50static bool
54connmark_mt_v0(const struct sk_buff *skb, const struct net_device *in, 51connmark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
55 const struct net_device *out, const struct xt_match *match,
56 const void *matchinfo, int offset, unsigned int protoff,
57 bool *hotdrop)
58{ 52{
59 const struct xt_connmark_info *info = matchinfo; 53 const struct xt_connmark_info *info = par->matchinfo;
60 const struct nf_conn *ct; 54 const struct nf_conn *ct;
61 enum ip_conntrack_info ctinfo; 55 enum ip_conntrack_info ctinfo;
62 56
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 392b457f9c22..13a7e4eacdfd 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -25,12 +25,9 @@ MODULE_ALIAS("ipt_conntrack");
25MODULE_ALIAS("ip6t_conntrack"); 25MODULE_ALIAS("ip6t_conntrack");
26 26
27static bool 27static bool
28conntrack_mt_v0(const struct sk_buff *skb, const struct net_device *in, 28conntrack_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
29 const struct net_device *out, const struct xt_match *match,
30 const void *matchinfo, int offset, unsigned int protoff,
31 bool *hotdrop)
32{ 29{
33 const struct xt_conntrack_info *sinfo = matchinfo; 30 const struct xt_conntrack_info *sinfo = par->matchinfo;
34 const struct nf_conn *ct; 31 const struct nf_conn *ct;
35 enum ip_conntrack_info ctinfo; 32 enum ip_conntrack_info ctinfo;
36 unsigned int statebit; 33 unsigned int statebit;
@@ -205,12 +202,9 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
205} 202}
206 203
207static bool 204static bool
208conntrack_mt(const struct sk_buff *skb, const struct net_device *in, 205conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
209 const struct net_device *out, const struct xt_match *match,
210 const void *matchinfo, int offset, unsigned int protoff,
211 bool *hotdrop)
212{ 206{
213 const struct xt_conntrack_mtinfo1 *info = matchinfo; 207 const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
214 enum ip_conntrack_info ctinfo; 208 enum ip_conntrack_info ctinfo;
215 const struct nf_conn *ct; 209 const struct nf_conn *ct;
216 unsigned int statebit; 210 unsigned int statebit;
@@ -244,22 +238,22 @@ conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
244 return false; 238 return false;
245 239
246 if (info->match_flags & XT_CONNTRACK_ORIGSRC) 240 if (info->match_flags & XT_CONNTRACK_ORIGSRC)
247 if (conntrack_mt_origsrc(ct, info, match->family) ^ 241 if (conntrack_mt_origsrc(ct, info, par->match->family) ^
248 !(info->invert_flags & XT_CONNTRACK_ORIGSRC)) 242 !(info->invert_flags & XT_CONNTRACK_ORIGSRC))
249 return false; 243 return false;
250 244
251 if (info->match_flags & XT_CONNTRACK_ORIGDST) 245 if (info->match_flags & XT_CONNTRACK_ORIGDST)
252 if (conntrack_mt_origdst(ct, info, match->family) ^ 246 if (conntrack_mt_origdst(ct, info, par->match->family) ^
253 !(info->invert_flags & XT_CONNTRACK_ORIGDST)) 247 !(info->invert_flags & XT_CONNTRACK_ORIGDST))
254 return false; 248 return false;
255 249
256 if (info->match_flags & XT_CONNTRACK_REPLSRC) 250 if (info->match_flags & XT_CONNTRACK_REPLSRC)
257 if (conntrack_mt_replsrc(ct, info, match->family) ^ 251 if (conntrack_mt_replsrc(ct, info, par->match->family) ^
258 !(info->invert_flags & XT_CONNTRACK_REPLSRC)) 252 !(info->invert_flags & XT_CONNTRACK_REPLSRC))
259 return false; 253 return false;
260 254
261 if (info->match_flags & XT_CONNTRACK_REPLDST) 255 if (info->match_flags & XT_CONNTRACK_REPLDST)
262 if (conntrack_mt_repldst(ct, info, match->family) ^ 256 if (conntrack_mt_repldst(ct, info, par->match->family) ^
263 !(info->invert_flags & XT_CONNTRACK_REPLDST)) 257 !(info->invert_flags & XT_CONNTRACK_REPLDST))
264 return false; 258 return false;
265 259
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 87971f47132d..7aa30bb91050 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -93,20 +93,18 @@ match_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff,
93} 93}
94 94
95static bool 95static bool
96dccp_mt(const struct sk_buff *skb, const struct net_device *in, 96dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
97 const struct net_device *out, const struct xt_match *match,
98 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
99{ 97{
100 const struct xt_dccp_info *info = matchinfo; 98 const struct xt_dccp_info *info = par->matchinfo;
101 const struct dccp_hdr *dh; 99 const struct dccp_hdr *dh;
102 struct dccp_hdr _dh; 100 struct dccp_hdr _dh;
103 101
104 if (offset) 102 if (par->fragoff != 0)
105 return false; 103 return false;
106 104
107 dh = skb_header_pointer(skb, protoff, sizeof(_dh), &_dh); 105 dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
108 if (dh == NULL) { 106 if (dh == NULL) {
109 *hotdrop = true; 107 *par->hotdrop = true;
110 return false; 108 return false;
111 } 109 }
112 110
@@ -118,8 +116,8 @@ dccp_mt(const struct sk_buff *skb, const struct net_device *in,
118 XT_DCCP_DEST_PORTS, info->flags, info->invflags) 116 XT_DCCP_DEST_PORTS, info->flags, info->invflags)
119 && DCCHECK(match_types(dh, info->typemask), 117 && DCCHECK(match_types(dh, info->typemask),
120 XT_DCCP_TYPE, info->flags, info->invflags) 118 XT_DCCP_TYPE, info->flags, info->invflags)
121 && DCCHECK(match_option(info->option, skb, protoff, dh, 119 && DCCHECK(match_option(info->option, skb, par->thoff, dh,
122 hotdrop), 120 par->hotdrop),
123 XT_DCCP_OPTION, info->flags, info->invflags); 121 XT_DCCP_OPTION, info->flags, info->invflags);
124} 122}
125 123
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 7f03aa13a955..57d612061358 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -26,23 +26,18 @@ MODULE_ALIAS("ipt_tos");
26MODULE_ALIAS("ip6t_tos"); 26MODULE_ALIAS("ip6t_tos");
27 27
28static bool 28static bool
29dscp_mt(const struct sk_buff *skb, const struct net_device *in, 29dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
30 const struct net_device *out, const struct xt_match *match,
31 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
32{ 30{
33 const struct xt_dscp_info *info = matchinfo; 31 const struct xt_dscp_info *info = par->matchinfo;
34 u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; 32 u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
35 33
36 return (dscp == info->dscp) ^ !!info->invert; 34 return (dscp == info->dscp) ^ !!info->invert;
37} 35}
38 36
39static bool 37static bool
40dscp_mt6(const struct sk_buff *skb, const struct net_device *in, 38dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
41 const struct net_device *out, const struct xt_match *match,
42 const void *matchinfo, int offset, unsigned int protoff,
43 bool *hotdrop)
44{ 39{
45 const struct xt_dscp_info *info = matchinfo; 40 const struct xt_dscp_info *info = par->matchinfo;
46 u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; 41 u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
47 42
48 return (dscp == info->dscp) ^ !!info->invert; 43 return (dscp == info->dscp) ^ !!info->invert;
@@ -63,24 +58,19 @@ dscp_mt_check(const char *tablename, const void *info,
63 return true; 58 return true;
64} 59}
65 60
66static bool tos_mt_v0(const struct sk_buff *skb, const struct net_device *in, 61static bool
67 const struct net_device *out, 62tos_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
68 const struct xt_match *match, const void *matchinfo,
69 int offset, unsigned int protoff, bool *hotdrop)
70{ 63{
71 const struct ipt_tos_info *info = matchinfo; 64 const struct ipt_tos_info *info = par->matchinfo;
72 65
73 return (ip_hdr(skb)->tos == info->tos) ^ info->invert; 66 return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
74} 67}
75 68
76static bool tos_mt(const struct sk_buff *skb, const struct net_device *in, 69static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
77 const struct net_device *out, const struct xt_match *match,
78 const void *matchinfo, int offset, unsigned int protoff,
79 bool *hotdrop)
80{ 70{
81 const struct xt_tos_match_info *info = matchinfo; 71 const struct xt_tos_match_info *info = par->matchinfo;
82 72
83 if (match->family == NFPROTO_IPV4) 73 if (par->match->family == NFPROTO_IPV4)
84 return ((ip_hdr(skb)->tos & info->tos_mask) == 74 return ((ip_hdr(skb)->tos & info->tos_mask) ==
85 info->tos_value) ^ !!info->invert; 75 info->tos_value) ^ !!info->invert;
86 else 76 else
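Review bot: tos_mt_v0 returns `(ip_hdr(skb)->tos == info->tos) ^ info->invert` (new line 66) while dscp_mt, dscp_mt6 and tos_mt in the same file normalise the flag with `^ !!info->invert` (new lines 34, 43, 75). Unless the checkentry routine constrains `invert` to 0 or 1 (not visible here), a value such as 2 XORed with the boolean comparison yields a nonzero result, i.e. a match rather than an inversion. Suggest `return (ip_hdr(skb)->tos == info->tos) ^ !!info->invert;` for consistency; length_mt in xt_length.c (`^ info->invert`) has the same shape. tos_mt continues past the hunk.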
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 045c4deecafc..6d59f2e7c1c1 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -42,26 +42,23 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
42 return r; 42 return r;
43} 43}
44 44
45static bool 45static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
46esp_mt(const struct sk_buff *skb, const struct net_device *in,
47 const struct net_device *out, const struct xt_match *match,
48 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
49{ 46{
50 const struct ip_esp_hdr *eh; 47 const struct ip_esp_hdr *eh;
51 struct ip_esp_hdr _esp; 48 struct ip_esp_hdr _esp;
52 const struct xt_esp *espinfo = matchinfo; 49 const struct xt_esp *espinfo = par->matchinfo;
53 50
54 /* Must not be a fragment. */ 51 /* Must not be a fragment. */
55 if (offset) 52 if (par->fragoff != 0)
56 return false; 53 return false;
57 54
58 eh = skb_header_pointer(skb, protoff, sizeof(_esp), &_esp); 55 eh = skb_header_pointer(skb, par->thoff, sizeof(_esp), &_esp);
59 if (eh == NULL) { 56 if (eh == NULL) {
60 /* We've been asked to examine this packet, and we 57 /* We've been asked to examine this packet, and we
61 * can't. Hence, no choice but to drop. 58 * can't. Hence, no choice but to drop.
62 */ 59 */
63 duprintf("Dropping evil ESP tinygram.\n"); 60 duprintf("Dropping evil ESP tinygram.\n");
64 *hotdrop = true; 61 *par->hotdrop = true;
65 return false; 62 return false;
66 } 63 }
67 64
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 7bae369603d7..22a60a728cf1 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -563,19 +563,16 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
563} 563}
564 564
565static bool 565static bool
566hashlimit_mt_v0(const struct sk_buff *skb, const struct net_device *in, 566hashlimit_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
567 const struct net_device *out, const struct xt_match *match,
568 const void *matchinfo, int offset, unsigned int protoff,
569 bool *hotdrop)
570{ 567{
571 const struct xt_hashlimit_info *r = 568 const struct xt_hashlimit_info *r =
572 ((const struct xt_hashlimit_info *)matchinfo)->u.master; 569 ((const struct xt_hashlimit_info *)par->matchinfo)->u.master;
573 struct xt_hashlimit_htable *hinfo = r->hinfo; 570 struct xt_hashlimit_htable *hinfo = r->hinfo;
574 unsigned long now = jiffies; 571 unsigned long now = jiffies;
575 struct dsthash_ent *dh; 572 struct dsthash_ent *dh;
576 struct dsthash_dst dst; 573 struct dsthash_dst dst;
577 574
578 if (hashlimit_init_dst(hinfo, &dst, skb, protoff) < 0) 575 if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
579 goto hotdrop; 576 goto hotdrop;
580 577
581 spin_lock_bh(&hinfo->lock); 578 spin_lock_bh(&hinfo->lock);
@@ -613,23 +610,20 @@ hashlimit_mt_v0(const struct sk_buff *skb, const struct net_device *in,
613 return false; 610 return false;
614 611
615hotdrop: 612hotdrop:
616 *hotdrop = true; 613 *par->hotdrop = true;
617 return false; 614 return false;
618} 615}
619 616
620static bool 617static bool
621hashlimit_mt(const struct sk_buff *skb, const struct net_device *in, 618hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
622 const struct net_device *out, const struct xt_match *match,
623 const void *matchinfo, int offset, unsigned int protoff,
624 bool *hotdrop)
625{ 619{
626 const struct xt_hashlimit_mtinfo1 *info = matchinfo; 620 const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
627 struct xt_hashlimit_htable *hinfo = info->hinfo; 621 struct xt_hashlimit_htable *hinfo = info->hinfo;
628 unsigned long now = jiffies; 622 unsigned long now = jiffies;
629 struct dsthash_ent *dh; 623 struct dsthash_ent *dh;
630 struct dsthash_dst dst; 624 struct dsthash_dst dst;
631 625
632 if (hashlimit_init_dst(hinfo, &dst, skb, protoff) < 0) 626 if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
633 goto hotdrop; 627 goto hotdrop;
634 628
635 spin_lock_bh(&hinfo->lock); 629 spin_lock_bh(&hinfo->lock);
@@ -666,7 +660,7 @@ hashlimit_mt(const struct sk_buff *skb, const struct net_device *in,
666 return info->cfg.mode & XT_HASHLIMIT_INVERT; 660 return info->cfg.mode & XT_HASHLIMIT_INVERT;
667 661
668 hotdrop: 662 hotdrop:
669 *hotdrop = true; 663 *par->hotdrop = true;
670 return false; 664 return false;
671} 665}
672 666
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 134d94324eb9..73bdc3ba13fc 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -24,12 +24,9 @@ MODULE_ALIAS("ip6t_helper");
24 24
25 25
26static bool 26static bool
27helper_mt(const struct sk_buff *skb, const struct net_device *in, 27helper_mt(const struct sk_buff *skb, const struct xt_match_param *par)
28 const struct net_device *out, const struct xt_match *match,
29 const void *matchinfo, int offset, unsigned int protoff,
30 bool *hotdrop)
31{ 28{
32 const struct xt_helper_info *info = matchinfo; 29 const struct xt_helper_info *info = par->matchinfo;
33 const struct nf_conn *ct; 30 const struct nf_conn *ct;
34 const struct nf_conn_help *master_help; 31 const struct nf_conn_help *master_help;
35 const struct nf_conntrack_helper *helper; 32 const struct nf_conntrack_helper *helper;
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index a7498cc48dca..6f62c36948d9 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -17,12 +17,9 @@
17#include <linux/netfilter_ipv4/ipt_iprange.h> 17#include <linux/netfilter_ipv4/ipt_iprange.h>
18 18
19static bool 19static bool
20iprange_mt_v0(const struct sk_buff *skb, const struct net_device *in, 20iprange_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
21 const struct net_device *out, const struct xt_match *match,
22 const void *matchinfo, int offset, unsigned int protoff,
23 bool *hotdrop)
24{ 21{
25 const struct ipt_iprange_info *info = matchinfo; 22 const struct ipt_iprange_info *info = par->matchinfo;
26 const struct iphdr *iph = ip_hdr(skb); 23 const struct iphdr *iph = ip_hdr(skb);
27 24
28 if (info->flags & IPRANGE_SRC) { 25 if (info->flags & IPRANGE_SRC) {
@@ -55,12 +52,9 @@ iprange_mt_v0(const struct sk_buff *skb, const struct net_device *in,
55} 52}
56 53
57static bool 54static bool
58iprange_mt4(const struct sk_buff *skb, const struct net_device *in, 55iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par)
59 const struct net_device *out, const struct xt_match *match,
60 const void *matchinfo, int offset, unsigned int protoff,
61 bool *hotdrop)
62{ 56{
63 const struct xt_iprange_mtinfo *info = matchinfo; 57 const struct xt_iprange_mtinfo *info = par->matchinfo;
64 const struct iphdr *iph = ip_hdr(skb); 58 const struct iphdr *iph = ip_hdr(skb);
65 bool m; 59 bool m;
66 60
@@ -111,12 +105,9 @@ iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
111} 105}
112 106
113static bool 107static bool
114iprange_mt6(const struct sk_buff *skb, const struct net_device *in, 108iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
115 const struct net_device *out, const struct xt_match *match,
116 const void *matchinfo, int offset, unsigned int protoff,
117 bool *hotdrop)
118{ 109{
119 const struct xt_iprange_mtinfo *info = matchinfo; 110 const struct xt_iprange_mtinfo *info = par->matchinfo;
120 const struct ipv6hdr *iph = ipv6_hdr(skb); 111 const struct ipv6hdr *iph = ipv6_hdr(skb);
121 bool m; 112 bool m;
122 113
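diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index b8612d1914b7..c4871ca6c86d 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -21,24 +21,18 @@ MODULE_ALIAS("ipt_length");
 MODULE_ALIAS("ip6t_length");
 
 static bool
-length_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+length_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_length_info *info = matchinfo;
+ const struct xt_length_info *info = par->matchinfo;
 u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
 
 return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
 }
 
 static bool
-length_mt6(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+length_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_length_info *info = matchinfo;
+ const struct xt_length_info *info = par->matchinfo;
 const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
 sizeof(struct ipv6hdr);
 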
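Review bot: In length_mt6 the packet length is still accumulated in a `const u_int16_t pktlen` (the hunk's last two lines), so `ntohs(payload_len) + sizeof(struct ipv6hdr)` wraps for payload lengths above 65495 and a maximal-size IPv6 packet compares against info->min/info->max as a tiny one. Widening the local is enough: `const unsigned int pktlen = ntohs(ipv6_hdr(skb)->payload_len) + sizeof(struct ipv6hdr);`. The commit only rewires the parameters and leaves this in place; length_mt6's body continues past the end of the hunk.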
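diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 00247bd1095e..c475eac5dbec 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -58,13 +58,10 @@ static DEFINE_SPINLOCK(limit_lock);
 #define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
 
 static bool
-limit_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+limit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 struct xt_rateinfo *r =
- ((const struct xt_rateinfo *)matchinfo)->master;
+ ((const struct xt_rateinfo *)par->matchinfo)->master;
 unsigned long now = jiffies;
 
 spin_lock_bh(&limit_lock);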
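diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 60db240098ac..269f9d8aef5f 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -24,12 +24,9 @@ MODULE_DESCRIPTION("Xtables: MAC address match");
 MODULE_ALIAS("ipt_mac");
 MODULE_ALIAS("ip6t_mac");
 
-static bool
-mac_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
+static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_mac_info *info = matchinfo;
+ const struct xt_mac_info *info = par->matchinfo;
 
 /* Is mac pointer valid? */
 return skb_mac_header(skb) >= skb->head &&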
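Review bot: The rewritten prototype on the new side puts `static bool` and the function name on one line, while the other matches touched by this commit (xt_length, xt_limit, xt_mark, and xt_rateest, which is even converted from one line to two) keep the two-line `static bool` / `name(...)` form. The same one-line form appears in xt_tcpudp (tcp_mt, udp_mt) and xt_u32 in this series. For a consistent layout across the change, `static bool` followed on the next line by `mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)` would match the rest.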
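diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 96dd2b63b6b6..885476146531 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -23,22 +23,17 @@ MODULE_ALIAS("ipt_mark");
 MODULE_ALIAS("ip6t_mark");
 
 static bool
-mark_mt_v0(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+mark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_mark_info *info = matchinfo;
+ const struct xt_mark_info *info = par->matchinfo;
 
 return ((skb->mark & info->mask) == info->mark) ^ info->invert;
 }
 
 static bool
-mark_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
+mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_mark_mtinfo1 *info = matchinfo;
+ const struct xt_mark_mtinfo1 *info = par->matchinfo;
 
 return ((skb->mark & info->mask) == info->mark) ^ info->invert;
 }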
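diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index f6fe008ab8c3..7087e291528d 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -95,25 +95,22 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
 }
 
 static bool
-multiport_mt_v0(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+multiport_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 const __be16 *pptr;
 __be16 _ports[2];
- const struct xt_multiport *multiinfo = matchinfo;
+ const struct xt_multiport *multiinfo = par->matchinfo;
 
- if (offset)
+ if (par->fragoff != 0)
 return false;
 
- pptr = skb_header_pointer(skb, protoff, sizeof(_ports), _ports);
+ pptr = skb_header_pointer(skb, par->thoff, sizeof(_ports), _ports);
 if (pptr == NULL) {
 /* We've been asked to examine this packet, and we
 * can't. Hence, no choice but to drop.
 */
 duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
- *hotdrop = true;
+ *par->hotdrop = true;
 return false;
 }
 
@@ -122,25 +119,22 @@ multiport_mt_v0(const struct sk_buff *skb, const struct net_device *in,
 }
 
 static bool
-multiport_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 const __be16 *pptr;
 __be16 _ports[2];
- const struct xt_multiport_v1 *multiinfo = matchinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
 
- if (offset)
+ if (par->fragoff != 0)
 return false;
 
- pptr = skb_header_pointer(skb, protoff, sizeof(_ports), _ports);
+ pptr = skb_header_pointer(skb, par->thoff, sizeof(_ports), _ports);
 if (pptr == NULL) {
 /* We've been asked to examine this packet, and we
 * can't. Hence, no choice but to drop.
 */
 duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
- *hotdrop = true;
+ *par->hotdrop = true;
 return false;
 }
 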
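diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index d1c3b7ae9b49..493b5eb8d148 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -21,12 +21,9 @@
 #include <linux/netfilter_ipv6/ip6t_owner.h>
 
 static bool
-owner_mt_v0(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+owner_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct ipt_owner_info *info = matchinfo;
+ const struct ipt_owner_info *info = par->matchinfo;
 const struct file *filp;
 
 if (skb->sk == NULL || skb->sk->sk_socket == NULL)
@@ -50,12 +47,9 @@ owner_mt_v0(const struct sk_buff *skb, const struct net_device *in,
 }
 
 static bool
-owner_mt6_v0(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+owner_mt6_v0(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct ip6t_owner_info *info = matchinfo;
+ const struct ip6t_owner_info *info = par->matchinfo;
 const struct file *filp;
 
 if (skb->sk == NULL || skb->sk->sk_socket == NULL)
@@ -79,12 +73,9 @@ owner_mt6_v0(const struct sk_buff *skb, const struct net_device *in,
 }
 
 static bool
-owner_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_owner_match_info *info = matchinfo;
+ const struct xt_owner_match_info *info = par->matchinfo;
 const struct file *filp;
 
 if (skb->sk == NULL || skb->sk->sk_socket == NULL)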
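diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 72a0bdd53fa8..e980e179d4f1 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -21,14 +21,11 @@ MODULE_ALIAS("ipt_physdev");
 MODULE_ALIAS("ip6t_physdev");
 
 static bool
-physdev_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+physdev_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 int i;
 static const char nulldevname[IFNAMSIZ];
- const struct xt_physdev_info *info = matchinfo;
+ const struct xt_physdev_info *info = par->matchinfo;
 bool ret;
 const char *indev, *outdev;
 const struct nf_bridge_info *nf_bridge;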
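diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 81e86d319a8f..37753a377603 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -23,20 +23,17 @@ MODULE_ALIAS("ipt_pkttype");
 MODULE_ALIAS("ip6t_pkttype");
 
 static bool
-pkttype_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_pkttype_info *info = matchinfo;
+ const struct xt_pkttype_info *info = par->matchinfo;
 u_int8_t type;
 
 if (skb->pkt_type != PACKET_LOOPBACK)
 type = skb->pkt_type;
- else if (match->family == NFPROTO_IPV4 &&
+ else if (par->match->family == NFPROTO_IPV4 &&
 ipv4_is_multicast(ip_hdr(skb)->daddr))
 type = PACKET_MULTICAST;
- else if (match->family == NFPROTO_IPV6 &&
+ else if (par->match->family == NFPROTO_IPV6 &&
 ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF)
 type = PACKET_MULTICAST;
 else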
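Review bot: The IPv6 multicast test on the context line `ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF` hand-rolls what `ipv6_addr_is_multicast()` already expresses, and since the IPv4 branch directly above it uses `ipv4_is_multicast()`, the asymmetry is a style nit this commit leaves in place while rewriting the adjacent `par->match->family` line. `ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr))` in place of the byte comparison reads symmetrically and documents the intent. pkttype_mt's body continues past the end of the hunk.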
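diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index f1d514e9d0a2..b0a00fb0511b 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -110,18 +110,15 @@ match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
 }
 
 static bool
-policy_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+policy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_policy_info *info = matchinfo;
+ const struct xt_policy_info *info = par->matchinfo;
 int ret;
 
 if (info->flags & XT_POLICY_MATCH_IN)
- ret = match_policy_in(skb, info, match->family);
+ ret = match_policy_in(skb, info, par->match->family);
 else
- ret = match_policy_out(skb, info, match->family);
+ ret = match_policy_out(skb, info, par->match->family);
 
 if (ret < 0)
 ret = info->flags & XT_POLICY_MATCH_NONE ? true : false;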
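diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index a3c8798f0cc7..3ab92666c149 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -18,13 +18,10 @@ MODULE_ALIAS("ip6t_quota");
 static DEFINE_SPINLOCK(quota_lock);
 
 static bool
-quota_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+quota_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 struct xt_quota_info *q =
- ((const struct xt_quota_info *)matchinfo)->master;
+ ((const struct xt_quota_info *)par->matchinfo)->master;
 bool ret = q->flags & XT_QUOTA_INVERT;
 
 spin_lock_bh(&quota_lock);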
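diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 4dcfd7353dba..e9f64ef45655 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -14,16 +14,10 @@
 #include <net/netfilter/xt_rateest.h>
 
 
-static bool xt_rateest_mt(const struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- const struct xt_match *match,
- const void *matchinfo,
- int offset,
- unsigned int protoff,
- bool *hotdrop)
+static bool
+xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_rateest_match_info *info = matchinfo;
+ const struct xt_rateest_match_info *info = par->matchinfo;
 struct gnet_stats_rate_est *r;
 u_int32_t bps1, bps2, pps1, pps2;
 bool ret = true;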
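diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index ef65756d4894..b25942110ed7 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -22,12 +22,9 @@ MODULE_DESCRIPTION("Xtables: Routing realm match");
 MODULE_ALIAS("ipt_realm");
 
 static bool
-realm_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+realm_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_realm_info *info = matchinfo;
+ const struct xt_realm_info *info = par->matchinfo;
 const struct dst_entry *dst = skb->dst;
 
 return (info->id == (dst->tclassid & info->mask)) ^ info->invert;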
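diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 4a916e2624d3..baeb90a56231 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -204,19 +204,16 @@ static void recent_table_flush(struct recent_table *t)
 }
 
 static bool
-recent_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_recent_mtinfo *info = matchinfo;
+ const struct xt_recent_mtinfo *info = par->matchinfo;
 struct recent_table *t;
 struct recent_entry *e;
 union nf_inet_addr addr = {};
 u_int8_t ttl;
 bool ret = info->invert;
 
- if (match->family == NFPROTO_IPV4) {
+ if (par->match->family == NFPROTO_IPV4) {
 const struct iphdr *iph = ip_hdr(skb);
 
 if (info->side == XT_RECENT_DEST)
@@ -237,19 +234,19 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
 }
 
 /* use TTL as seen before forwarding */
- if (out && !skb->sk)
+ if (par->out != NULL && skb->sk == NULL)
 ttl++;
 
 spin_lock_bh(&recent_lock);
 t = recent_table_lookup(info->name);
- e = recent_entry_lookup(t, &addr, match->family,
+ e = recent_entry_lookup(t, &addr, par->match->family,
 (info->check_set & XT_RECENT_TTL) ? ttl : 0);
 if (e == NULL) {
 if (!(info->check_set & XT_RECENT_SET))
 goto out;
- e = recent_entry_init(t, &addr, match->family, ttl);
+ e = recent_entry_init(t, &addr, par->match->family, ttl);
 if (e == NULL)
- *hotdrop = true;
+ *par->hotdrop = true;
 ret = !ret;
 goto out;
 }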
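diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index ab67aca4d8fe..b0014ab65da7 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -117,23 +117,21 @@ match_packet(const struct sk_buff *skb,
 }
 
 static bool
-sctp_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
+sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_sctp_info *info = matchinfo;
+ const struct xt_sctp_info *info = par->matchinfo;
 const sctp_sctphdr_t *sh;
 sctp_sctphdr_t _sh;
 
- if (offset) {
+ if (par->fragoff != 0) {
 duprintf("Dropping non-first fragment.. FIXME\n");
 return false;
 }
 
- sh = skb_header_pointer(skb, protoff, sizeof(_sh), &_sh);
+ sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
 if (sh == NULL) {
 duprintf("Dropping evil TCP offset=0 tinygram.\n");
- *hotdrop = true;
+ *par->hotdrop = true;
 return false;
 }
 duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
@@ -144,8 +142,8 @@ sctp_mt(const struct sk_buff *skb, const struct net_device *in,
 && SCCHECK(ntohs(sh->dest) >= info->dpts[0]
 && ntohs(sh->dest) <= info->dpts[1],
 XT_SCTP_DEST_PORTS, info->flags, info->invflags)
- && SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t),
- info, hotdrop),
+ && SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
+ info, par->hotdrop),
 XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
 }
 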
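Review bot: The drop message on the context line in sctp_mt still reads `Dropping evil TCP offset=0 tinygram.`, which misreports the protocol in debug output and looks copied from xt_tcpudp; `duprintf("Dropping evil SCTP offset=0 tinygram.\n");` would make the debug trace attributable to the right match. This commit rewrites the `*par->hotdrop = true;` line directly beneath it without touching the message. sctp_mt's body spans both hunks and continues between them.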
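diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index ac9db17c7b9c..02a8fed21082 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -86,14 +86,7 @@ extract_icmp_fields(const struct sk_buff *skb,
 
 
 static bool
-socket_mt(const struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- const struct xt_match *match,
- const void *matchinfo,
- int offset,
- unsigned int protoff,
- bool *hotdrop)
+socket_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 const struct iphdr *iph = ip_hdr(skb);
 struct udphdr _hdr, *hp = NULL;
@@ -146,7 +139,7 @@ socket_mt(const struct sk_buff *skb,
 #endif
 
 sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), protocol,
- saddr, daddr, sport, dport, in, false);
+ saddr, daddr, sport, dport, par->in, false);
 if (sk != NULL) {
 bool wildcard = (inet_sk(sk)->rcv_saddr == 0);
 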
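diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index f92f8bcc1e38..29f5a8a1b024 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -21,12 +21,9 @@ MODULE_ALIAS("ipt_state");
 MODULE_ALIAS("ip6t_state");
 
 static bool
-state_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_state_info *sinfo = matchinfo;
+ const struct xt_state_info *sinfo = par->matchinfo;
 enum ip_conntrack_info ctinfo;
 unsigned int statebit;
 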
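diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index f41a92322e6e..dcadc491db21 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -25,12 +25,9 @@ MODULE_ALIAS("ip6t_statistic");
 static DEFINE_SPINLOCK(nth_lock);
 
 static bool
-statistic_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- struct xt_statistic_info *info = (struct xt_statistic_info *)matchinfo;
+ struct xt_statistic_info *info = (void *)par->matchinfo;
 bool ret = info->flags & XT_STATISTIC_INVERT;
 
 switch (info->mode) {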
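Review bot: `(void *)par->matchinfo` on the new side of the info assignment strips the const qualifier without naming the target type, which is less explicit than the old `(struct xt_statistic_info *)matchinfo` and hides that the rule data is written through `info`. If the intent is to update per-rule counter state (presumably in the `switch (info->mode)` body, which lies outside the hunk), a one-line comment such as `/* matchinfo carries mutable counter state; const is cast away on purpose */` above the assignment would make the cast deliberate rather than incidental. statistic_mt's body continues past the end of the hunk.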
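diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 18d8884e7370..33f2d29ca4f7 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -22,18 +22,15 @@ MODULE_ALIAS("ipt_string");
 MODULE_ALIAS("ip6t_string");
 
 static bool
-string_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+string_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_string_info *conf = matchinfo;
+ const struct xt_string_info *conf = par->matchinfo;
 struct ts_state state;
 int invert;
 
 memset(&state, 0, sizeof(struct ts_state));
 
- invert = (match->revision == 0 ? conf->u.v0.invert :
+ invert = (par->match->revision == 0 ? conf->u.v0.invert :
 conf->u.v1.flags & XT_STRING_FLAG_INVERT);
 
 return (skb_find_text((struct sk_buff *)skb, conf->from_offset,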
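diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 4791c7cbe5a9..4809b34b10f8 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -25,12 +25,9 @@ MODULE_ALIAS("ipt_tcpmss");
 MODULE_ALIAS("ip6t_tcpmss");
 
 static bool
-tcpmss_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+tcpmss_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_tcpmss_match_info *info = matchinfo;
+ const struct xt_tcpmss_match_info *info = par->matchinfo;
 const struct tcphdr *th;
 struct tcphdr _tcph;
 /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
@@ -39,7 +36,7 @@ tcpmss_mt(const struct sk_buff *skb, const struct net_device *in,
 unsigned int i, optlen;
 
 /* If we don't have the whole header, drop packet. */
- th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
+ th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
 if (th == NULL)
 goto dropit;
 
@@ -52,7 +49,7 @@ tcpmss_mt(const struct sk_buff *skb, const struct net_device *in,
 goto out;
 
 /* Truncated options. */
- op = skb_header_pointer(skb, protoff + sizeof(*th), optlen, _opt);
+ op = skb_header_pointer(skb, par->thoff + sizeof(*th), optlen, _opt);
 if (op == NULL)
 goto dropit;
 
@@ -76,7 +73,7 @@ out:
 return info->invert;
 
 dropit:
- *hotdrop = true;
+ *par->hotdrop = true;
 return false;
 }
 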
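diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 5a6268cbb9f8..66cf71b1d59c 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -68,25 +68,22 @@ tcp_find_option(u_int8_t option,
 return invert;
 }
 
-static bool
-tcp_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
+static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 const struct tcphdr *th;
 struct tcphdr _tcph;
- const struct xt_tcp *tcpinfo = matchinfo;
+ const struct xt_tcp *tcpinfo = par->matchinfo;
 
- if (offset) {
+ if (par->fragoff != 0) {
 /* To quote Alan:
 
 Don't allow a fragment of TCP 8 bytes in. Nobody normal
 causes this. Its a cracker trying to break in by doing a
 flag overwrite to pass the direction checks.
 */
- if (offset == 1) {
+ if (par->fragoff == 1) {
 duprintf("Dropping evil TCP offset=1 frag.\n");
- *hotdrop = true;
+ *par->hotdrop = true;
 }
 /* Must not be a fragment. */
 return false;
@@ -94,12 +91,12 @@ tcp_mt(const struct sk_buff *skb, const struct net_device *in,
 
 #define FWINVTCP(bool, invflg) ((bool) ^ !!(tcpinfo->invflags & (invflg)))
 
- th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);
+ th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
 if (th == NULL) {
 /* We've been asked to examine this packet, and we
 can't. Hence, no choice but to drop. */
 duprintf("Dropping evil TCP offset=0 tinygram.\n");
- *hotdrop = true;
+ *par->hotdrop = true;
 return false;
 }
 
@@ -117,13 +114,13 @@ tcp_mt(const struct sk_buff *skb, const struct net_device *in,
 return false;
 if (tcpinfo->option) {
 if (th->doff * 4 < sizeof(_tcph)) {
- *hotdrop = true;
+ *par->hotdrop = true;
 return false;
 }
- if (!tcp_find_option(tcpinfo->option, skb, protoff,
+ if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
 th->doff*4 - sizeof(_tcph),
 tcpinfo->invflags & XT_TCP_INV_OPTION,
- hotdrop))
+ par->hotdrop))
 return false;
 }
 return true;
@@ -141,25 +138,22 @@ tcp_mt_check(const char *tablename, const void *info,
 return !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
 }
 
-static bool
-udp_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
+static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 const struct udphdr *uh;
 struct udphdr _udph;
- const struct xt_udp *udpinfo = matchinfo;
+ const struct xt_udp *udpinfo = par->matchinfo;
 
 /* Must not be a fragment. */
- if (offset)
+ if (par->fragoff != 0)
 return false;
 
- uh = skb_header_pointer(skb, protoff, sizeof(_udph), &_udph);
+ uh = skb_header_pointer(skb, par->thoff, sizeof(_udph), &_udph);
 if (uh == NULL) {
 /* We've been asked to examine this packet, and we
 can't. Hence, no choice but to drop. */
 duprintf("Dropping evil UDP tinygram.\n");
- *hotdrop = true;
+ *par->hotdrop = true;
 return false;
 }
 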
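diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 32d4c769caa4..28599d3979c4 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -153,11 +153,9 @@ static void localtime_3(struct xtm *r, time_t time)
 }
 
 static bool
-time_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
+time_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_time_info *info = matchinfo;
+ const struct xt_time_info *info = par->matchinfo;
 unsigned int packet_time;
 struct xtm current_time;
 s64 stamp;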
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index a6b971dc5d38..24a527624500 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -87,12 +87,9 @@ static bool u32_match_it(const struct xt_u32 *data,
87 return true; 87 return true;
88} 88}
89 89
90static bool 90static bool u32_mt(const struct sk_buff *skb, const struct xt_match_param *par)
91u32_mt(const struct sk_buff *skb, const struct net_device *in,
92 const struct net_device *out, const struct xt_match *match,
93 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
94{ 91{
95 const struct xt_u32 *data = matchinfo; 92 const struct xt_u32 *data = par->matchinfo;
96 bool ret; 93 bool ret;
97 94
98 ret = u32_match_it(data, skb); 95 ret = u32_match_it(data, skb);