-rw-r--r--include/linux/netfilter/x_tables.h22
-rw-r--r--net/bridge/netfilter/ebt_arpreply.c8
-rw-r--r--net/bridge/netfilter/ebt_dnat.c6
-rw-r--r--net/bridge/netfilter/ebt_log.c14
-rw-r--r--net/bridge/netfilter/ebt_mark.c6
-rw-r--r--net/bridge/netfilter/ebt_nflog.c9
-rw-r--r--net/bridge/netfilter/ebt_redirect.c12
-rw-r--r--net/bridge/netfilter/ebt_snat.c6
-rw-r--r--net/bridge/netfilter/ebt_ulog.c9
-rw-r--r--net/bridge/netfilter/ebtables.c27
-rw-r--r--net/ipv4/netfilter/arp_tables.c23
-rw-r--r--net/ipv4/netfilter/arpt_mangle.c7
-rw-r--r--net/ipv4/netfilter/ip_tables.c24
-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c6
-rw-r--r--net/ipv4/netfilter/ipt_ECN.c6
-rw-r--r--net/ipv4/netfilter/ipt_LOG.c8
-rw-r--r--net/ipv4/netfilter/ipt_MASQUERADE.c14
-rw-r--r--net/ipv4/netfilter/ipt_NETMAP.c17
-rw-r--r--net/ipv4/netfilter/ipt_REDIRECT.c12
-rw-r--r--net/ipv4/netfilter/ipt_REJECT.c8
-rw-r--r--net/ipv4/netfilter/ipt_TTL.c6
-rw-r--r--net/ipv4/netfilter/ipt_ULOG.c10
-rw-r--r--net/ipv4/netfilter/nf_nat_rule.c32
-rw-r--r--net/ipv6/netfilter/ip6_tables.c24
-rw-r--r--net/ipv6/netfilter/ip6t_HL.c6
-rw-r--r--net/ipv6/netfilter/ip6t_LOG.c8
-rw-r--r--net/ipv6/netfilter/ip6t_REJECT.c18
-rw-r--r--net/netfilter/xt_CLASSIFY.c6
-rw-r--r--net/netfilter/xt_CONNMARK.c12
-rw-r--r--net/netfilter/xt_CONNSECMARK.c6
-rw-r--r--net/netfilter/xt_DSCP.c30
-rw-r--r--net/netfilter/xt_MARK.c18
-rw-r--r--net/netfilter/xt_NFLOG.c10
-rw-r--r--net/netfilter/xt_NFQUEUE.c6
-rw-r--r--net/netfilter/xt_NOTRACK.c4
-rw-r--r--net/netfilter/xt_RATEEST.c9
-rw-r--r--net/netfilter/xt_SECMARK.c6
-rw-r--r--net/netfilter/xt_TCPMSS.c12
-rw-r--r--net/netfilter/xt_TCPOPTSTRIP.c12
-rw-r--r--net/netfilter/xt_TPROXY.c11
-rw-r--r--net/netfilter/xt_TRACE.c4
-rw-r--r--net/sched/act_ipt.c12
42 files changed, 209 insertions, 297 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index c79c88380149..46d0cb1ad340 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -218,6 +218,22 @@ struct xt_mtdtor_param {
218 void *matchinfo; 218 void *matchinfo;
219}; 219};
220 220
221/**
222 * struct xt_target_param - parameters for target extensions' target functions
223 *
224 * @hooknum: hook through which this target was invoked
225 * @target: struct xt_target through which this function was invoked
226 * @targinfo: per-target data
227 *
228 * Other fields see above.
229 */
230struct xt_target_param {
231 const struct net_device *in, *out;
232 unsigned int hooknum;
233 const struct xt_target *target;
234 const void *targinfo;
235};
236
221struct xt_match 237struct xt_match
222{ 238{
223 struct list_head list; 239 struct list_head list;
@@ -269,11 +285,7 @@ struct xt_target
269 must now handle non-linear skbs, using skb_copy_bits and 285 must now handle non-linear skbs, using skb_copy_bits and
270 skb_ip_make_writable. */ 286 skb_ip_make_writable. */
271 unsigned int (*target)(struct sk_buff *skb, 287 unsigned int (*target)(struct sk_buff *skb,
272 const struct net_device *in, 288 const struct xt_target_param *);
273 const struct net_device *out,
274 unsigned int hooknum,
275 const struct xt_target *target,
276 const void *targinfo);
277 289
278 /* Called when user tries to insert an entry of this type: 290 /* Called when user tries to insert an entry of this type:
279 hook_mask is a bitmask of hooks from which it can be 291 hook_mask is a bitmask of hooks from which it can be
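Review bot: The kernel-doc added for `struct xt_target_param` documents `@hooknum`, `@target` and `@targinfo` but leaves `in` and `out` to "Other fields see above", and nothing in this hunk says whether they may be NULL. Targets converted in this same commit dereference them directly (`par->in->br_port->br->dev->dev_addr` in ebt_redirect.c, `par->out->ifindex` in ipt_MASQUERADE.c), so the contract belongs on the struct itself. As far as I know netfilter passes NULL for a device the hook does not have, so I would add ` * @in: input device, NULL on hooks without one` and ` * @out: output device, NULL on hooks without one`. Separately, the new callback prototype drops the parameter name; `const struct xt_target_param *par);` keeps the header self-describing.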
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index baf5510d044c..fc94699f719e 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -16,11 +16,9 @@
16#include <linux/netfilter_bridge/ebt_arpreply.h> 16#include <linux/netfilter_bridge/ebt_arpreply.h>
17 17
18static unsigned int 18static unsigned int
19ebt_arpreply_tg(struct sk_buff *skb, const struct net_device *in, 19ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
20 const struct net_device *out, unsigned int hook_nr,
21 const struct xt_target *target, const void *data)
22{ 20{
23 const struct ebt_arpreply_info *info = data; 21 const struct ebt_arpreply_info *info = par->targinfo;
24 const __be32 *siptr, *diptr; 22 const __be32 *siptr, *diptr;
25 __be32 _sip, _dip; 23 __be32 _sip, _dip;
26 const struct arphdr *ap; 24 const struct arphdr *ap;
@@ -53,7 +51,7 @@ ebt_arpreply_tg(struct sk_buff *skb, const struct net_device *in,
53 if (diptr == NULL) 51 if (diptr == NULL)
54 return EBT_DROP; 52 return EBT_DROP;
55 53
56 arp_send(ARPOP_REPLY, ETH_P_ARP, *siptr, (struct net_device *)in, 54 arp_send(ARPOP_REPLY, ETH_P_ARP, *siptr, (struct net_device *)par->in,
57 *diptr, shp, info->mac, shp); 55 *diptr, shp, info->mac, shp);
58 56
59 return info->target; 57 return info->target;
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index cb80101e412c..bb5d79e0beea 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -15,11 +15,9 @@
15#include <linux/netfilter_bridge/ebt_nat.h> 15#include <linux/netfilter_bridge/ebt_nat.h>
16 16
17static unsigned int 17static unsigned int
18ebt_dnat_tg(struct sk_buff *skb, const struct net_device *in, 18ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
19 const struct net_device *out, unsigned int hook_nr,
20 const struct xt_target *target, const void *data)
21{ 19{
22 const struct ebt_nat_info *info = data; 20 const struct ebt_nat_info *info = par->targinfo;
23 21
24 if (!skb_make_writable(skb, 0)) 22 if (!skb_make_writable(skb, 0))
25 return EBT_DROP; 23 return EBT_DROP;
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index b40f9ed4c343..87de5fccb2f1 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -195,11 +195,9 @@ out:
195} 195}
196 196
197static unsigned int 197static unsigned int
198ebt_log_tg(struct sk_buff *skb, const struct net_device *in, 198ebt_log_tg(struct sk_buff *skb, const struct xt_target_param *par)
199 const struct net_device *out, unsigned int hooknr,
200 const struct xt_target *target, const void *data)
201{ 199{
202 const struct ebt_log_info *info = data; 200 const struct ebt_log_info *info = par->targinfo;
203 struct nf_loginfo li; 201 struct nf_loginfo li;
204 202
205 li.type = NF_LOG_TYPE_LOG; 203 li.type = NF_LOG_TYPE_LOG;
@@ -207,11 +205,11 @@ ebt_log_tg(struct sk_buff *skb, const struct net_device *in,
207 li.u.log.logflags = info->bitmask; 205 li.u.log.logflags = info->bitmask;
208 206
209 if (info->bitmask & EBT_LOG_NFLOG) 207 if (info->bitmask & EBT_LOG_NFLOG)
210 nf_log_packet(NFPROTO_BRIDGE, hooknr, skb, in, out, &li, 208 nf_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in,
211 "%s", info->prefix); 209 par->out, &li, "%s", info->prefix);
212 else 210 else
213 ebt_log_packet(NFPROTO_BRIDGE, hooknr, skb, in, out, &li, 211 ebt_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in,
214 info->prefix); 212 par->out, &li, info->prefix);
215 return EBT_CONTINUE; 213 return EBT_CONTINUE;
216} 214}
217 215
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index dff19fc91cf5..aafc456c3c3b 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -19,11 +19,9 @@
19#include <linux/netfilter_bridge/ebt_mark_t.h> 19#include <linux/netfilter_bridge/ebt_mark_t.h>
20 20
21static unsigned int 21static unsigned int
22ebt_mark_tg(struct sk_buff *skb, const struct net_device *in, 22ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
23 const struct net_device *out, unsigned int hook_nr,
24 const struct xt_target *target, const void *data)
25{ 23{
26 const struct ebt_mark_t_info *info = data; 24 const struct ebt_mark_t_info *info = par->targinfo;
27 int action = info->target & -16; 25 int action = info->target & -16;
28 26
29 if (action == MARK_SET_VALUE) 27 if (action == MARK_SET_VALUE)
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
index 74b4fa0aabc1..6a28d994cf7d 100644
--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -20,11 +20,9 @@
20#include <net/netfilter/nf_log.h> 20#include <net/netfilter/nf_log.h>
21 21
22static unsigned int 22static unsigned int
23ebt_nflog_tg(struct sk_buff *skb, const struct net_device *in, 23ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
24 const struct net_device *out, unsigned int hooknr,
25 const struct xt_target *target, const void *data)
26{ 24{
27 const struct ebt_nflog_info *info = data; 25 const struct ebt_nflog_info *info = par->targinfo;
28 struct nf_loginfo li; 26 struct nf_loginfo li;
29 27
30 li.type = NF_LOG_TYPE_ULOG; 28 li.type = NF_LOG_TYPE_ULOG;
@@ -32,7 +30,8 @@ ebt_nflog_tg(struct sk_buff *skb, const struct net_device *in,
32 li.u.ulog.group = info->group; 30 li.u.ulog.group = info->group;
33 li.u.ulog.qthreshold = info->threshold; 31 li.u.ulog.qthreshold = info->threshold;
34 32
35 nf_log_packet(PF_BRIDGE, hooknr, skb, in, out, &li, "%s", info->prefix); 33 nf_log_packet(PF_BRIDGE, par->hooknum, skb, par->in, par->out,
34 &li, "%s", info->prefix);
36 return EBT_CONTINUE; 35 return EBT_CONTINUE;
37} 36}
38 37
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index a50ffbe0e4fb..0cfe2fad9404 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -16,20 +16,18 @@
16#include <linux/netfilter_bridge/ebt_redirect.h> 16#include <linux/netfilter_bridge/ebt_redirect.h>
17 17
18static unsigned int 18static unsigned int
19ebt_redirect_tg(struct sk_buff *skb, const struct net_device *in, 19ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
20 const struct net_device *out, unsigned int hooknr,
21 const struct xt_target *target, const void *data)
22{ 20{
23 const struct ebt_redirect_info *info = data; 21 const struct ebt_redirect_info *info = par->targinfo;
24 22
25 if (!skb_make_writable(skb, 0)) 23 if (!skb_make_writable(skb, 0))
26 return EBT_DROP; 24 return EBT_DROP;
27 25
28 if (hooknr != NF_BR_BROUTING) 26 if (par->hooknum != NF_BR_BROUTING)
29 memcpy(eth_hdr(skb)->h_dest, 27 memcpy(eth_hdr(skb)->h_dest,
30 in->br_port->br->dev->dev_addr, ETH_ALEN); 28 par->in->br_port->br->dev->dev_addr, ETH_ALEN);
31 else 29 else
32 memcpy(eth_hdr(skb)->h_dest, in->dev_addr, ETH_ALEN); 30 memcpy(eth_hdr(skb)->h_dest, par->in->dev_addr, ETH_ALEN);
33 skb->pkt_type = PACKET_HOST; 31 skb->pkt_type = PACKET_HOST;
34 return info->target; 32 return info->target;
35} 33}
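Review bot: The rewritten `memcpy` source `par->in->br_port->br->dev->dev_addr` in ebt_redirect_tg() follows three pointers with no NULL check, and the `else` branch reads `par->in->dev_addr` the same way. Nothing in this section shows what guarantees a non-NULL input device that is also a bridge port; presumably the target's checkentry restricts the tables and hooks it can be attached to, but that code is not visible here. I would record the dependency at the dereference, e.g. `/* par->in and its br_port are assumed non-NULL: relies on the hook restriction enforced at rule insertion */`, so the allowed hooks are not changed later without revisiting this line.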
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 8a55c7d49b55..f55960eee996 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -17,11 +17,9 @@
17#include <linux/netfilter_bridge/ebt_nat.h> 17#include <linux/netfilter_bridge/ebt_nat.h>
18 18
19static unsigned int 19static unsigned int
20ebt_snat_tg(struct sk_buff *skb, const struct net_device *in, 20ebt_snat_tg(struct sk_buff *skb, const struct xt_target_param *par)
21 const struct net_device *out, unsigned int hook_nr,
22 const struct xt_target *target, const void *data)
23{ 21{
24 const struct ebt_nat_info *info = data; 22 const struct ebt_nat_info *info = par->targinfo;
25 23
26 if (!skb_make_writable(skb, 0)) 24 if (!skb_make_writable(skb, 0))
27 return EBT_DROP; 25 return EBT_DROP;
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 25ca6467349e..bfedf12cbf41 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -247,13 +247,10 @@ static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
247} 247}
248 248
249static unsigned int 249static unsigned int
250ebt_ulog_tg(struct sk_buff *skb, const struct net_device *in, 250ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
251 const struct net_device *out, unsigned int hooknr,
252 const struct xt_target *target, const void *data)
253{ 251{
254 const struct ebt_ulog_info *uloginfo = data; 252 ebt_ulog_packet(par->hooknum, skb, par->in, par->out,
255 253 par->targinfo, NULL);
256 ebt_ulog_packet(hooknr, skb, in, out, uloginfo, NULL);
257 return EBT_CONTINUE; 254 return EBT_CONTINUE;
258} 255}
259 256
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 0320b5203624..a1156bab4a03 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -64,11 +64,13 @@ static struct xt_target ebt_standard_target = {
64 .targetsize = sizeof(int), 64 .targetsize = sizeof(int),
65}; 65};
66 66
67static inline int ebt_do_watcher (struct ebt_entry_watcher *w, 67static inline int
68 struct sk_buff *skb, unsigned int hooknr, const struct net_device *in, 68ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
69 const struct net_device *out) 69 struct xt_target_param *par)
70{ 70{
71 w->u.watcher->target(skb, in, out, hooknr, w->u.watcher, w->data); 71 par->target = w->u.watcher;
72 par->targinfo = w->data;
73 w->u.watcher->target(skb, par);
72 /* watchers don't give a verdict */ 74 /* watchers don't give a verdict */
73 return 0; 75 return 0;
74} 76}
@@ -156,10 +158,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
156 struct ebt_table_info *private; 158 struct ebt_table_info *private;
157 bool hotdrop = false; 159 bool hotdrop = false;
158 struct xt_match_param mtpar; 160 struct xt_match_param mtpar;
161 struct xt_target_param tgpar;
159 162
160 mtpar.in = in; 163 mtpar.in = tgpar.in = in;
161 mtpar.out = out; 164 mtpar.out = tgpar.out = out;
162 mtpar.hotdrop = &hotdrop; 165 mtpar.hotdrop = &hotdrop;
166 tgpar.hooknum = hook;
163 167
164 read_lock_bh(&table->lock); 168 read_lock_bh(&table->lock);
165 private = table->private; 169 private = table->private;
@@ -193,17 +197,18 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
193 197
194 /* these should only watch: not modify, nor tell us 198 /* these should only watch: not modify, nor tell us
195 what to do with the packet */ 199 what to do with the packet */
196 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, hook, in, 200 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
197 out);
198 201
199 t = (struct ebt_entry_target *) 202 t = (struct ebt_entry_target *)
200 (((char *)point) + point->target_offset); 203 (((char *)point) + point->target_offset);
201 /* standard target */ 204 /* standard target */
202 if (!t->u.target->target) 205 if (!t->u.target->target)
203 verdict = ((struct ebt_standard_target *)t)->verdict; 206 verdict = ((struct ebt_standard_target *)t)->verdict;
204 else 207 else {
205 verdict = t->u.target->target(skb, in, out, hook, 208 tgpar.target = t->u.target;
206 t->u.target, t->data); 209 tgpar.targinfo = t->data;
210 verdict = t->u.target->target(skb, &tgpar);
211 }
207 if (verdict == EBT_ACCEPT) { 212 if (verdict == EBT_ACCEPT) {
208 read_unlock_bh(&table->lock); 213 read_unlock_bh(&table->lock);
209 return NF_ACCEPT; 214 return NF_ACCEPT;
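Review bot: `struct xt_target_param tgpar;` in ebt_do_table() is declared without an initializer and filled one field at a time, with `target` and `targinfo` assigned much later and also overwritten by ebt_do_watcher() through the shared pointer. Every member is set before a target runs today, but any member added to the struct later would reach extensions as uninitialised kernel stack unless each call site is updated; arpt_do_table() and ipt_do_table() follow the same pattern. Initialising at the declaration, `struct xt_target_param tgpar = { .in = in, .out = out, .hooknum = hook };`, zeroes the remaining members. ebt_do_table() starts and ends outside these hunks.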
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index ae525a9afbec..5b631ad74b5f 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -200,15 +200,12 @@ static inline int arp_checkentry(const struct arpt_arp *arp)
200 return 1; 200 return 1;
201} 201}
202 202
203static unsigned int arpt_error(struct sk_buff *skb, 203static unsigned int
204 const struct net_device *in, 204arpt_error(struct sk_buff *skb, const struct xt_target_param *par)
205 const struct net_device *out,
206 unsigned int hooknum,
207 const struct xt_target *target,
208 const void *targinfo)
209{ 205{
210 if (net_ratelimit()) 206 if (net_ratelimit())
211 printk("arp_tables: error: '%s'\n", (char *)targinfo); 207 printk("arp_tables: error: '%s'\n",
208 (const char *)par->targinfo);
212 209
213 return NF_DROP; 210 return NF_DROP;
214} 211}
@@ -232,6 +229,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
232 const char *indev, *outdev; 229 const char *indev, *outdev;
233 void *table_base; 230 void *table_base;
234 const struct xt_table_info *private; 231 const struct xt_table_info *private;
232 struct xt_target_param tgpar;
235 233
236 if (!pskb_may_pull(skb, arp_hdr_len(skb->dev))) 234 if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
237 return NF_DROP; 235 return NF_DROP;
@@ -245,6 +243,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
245 e = get_entry(table_base, private->hook_entry[hook]); 243 e = get_entry(table_base, private->hook_entry[hook]);
246 back = get_entry(table_base, private->underflow[hook]); 244 back = get_entry(table_base, private->underflow[hook]);
247 245
246 tgpar.in = in;
247 tgpar.out = out;
248 tgpar.hooknum = hook;
249
248 arp = arp_hdr(skb); 250 arp = arp_hdr(skb);
249 do { 251 do {
250 if (arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) { 252 if (arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) {
@@ -290,11 +292,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
290 /* Targets which reenter must return 292 /* Targets which reenter must return
291 * abs. verdicts 293 * abs. verdicts
292 */ 294 */
295 tgpar.target = t->u.kernel.target;
296 tgpar.targinfo = t->data;
293 verdict = t->u.kernel.target->target(skb, 297 verdict = t->u.kernel.target->target(skb,
294 in, out, 298 &tgpar);
295 hook,
296 t->u.kernel.target,
297 t->data);
298 299
299 /* Target might have changed stuff. */ 300 /* Target might have changed stuff. */
300 arp = arp_hdr(skb); 301 arp = arp_hdr(skb);
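Review bot: arpt_error() now prints `(const char *)par->targinfo` with `%s`, and targinfo is the per-rule data supplied when the rule was loaded; the hunk shows no length bound or NUL-termination check, so the read stops at whatever zero byte comes first. If termination is enforced when the table is translated (not visible here), a comment saying so is enough; otherwise bound the read with a precision, e.g. `printk("arp_tables: error: '%.*s'\n", <ERRORNAME_SIZE>, (const char *)par->targinfo);`, where `<ERRORNAME_SIZE>` is a placeholder for the size of the error target's name field. ipt_error() in ip_tables.c has the same construct. Both calls also lack a `KERN_` log level.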
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 3f9e4ccd6168..0bf81b353694 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -9,12 +9,9 @@ MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
9MODULE_DESCRIPTION("arptables arp payload mangle target"); 9MODULE_DESCRIPTION("arptables arp payload mangle target");
10 10
11static unsigned int 11static unsigned int
12target(struct sk_buff *skb, 12target(struct sk_buff *skb, const struct xt_target_param *par)
13 const struct net_device *in, const struct net_device *out,
14 unsigned int hooknum, const struct xt_target *target,
15 const void *targinfo)
16{ 13{
17 const struct arpt_mangle *mangle = targinfo; 14 const struct arpt_mangle *mangle = par->targinfo;
18 const struct arphdr *arp; 15 const struct arphdr *arp;
19 unsigned char *arpptr; 16 unsigned char *arpptr;
20 int pln, hln; 17 int pln, hln;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 12ad4d5c55d6..0f8ecf390229 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -171,15 +171,11 @@ ip_checkentry(const struct ipt_ip *ip)
171} 171}
172 172
173static unsigned int 173static unsigned int
174ipt_error(struct sk_buff *skb, 174ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
175 const struct net_device *in,
176 const struct net_device *out,
177 unsigned int hooknum,
178 const struct xt_target *target,
179 const void *targinfo)
180{ 175{
181 if (net_ratelimit()) 176 if (net_ratelimit())
182 printk("ip_tables: error: `%s'\n", (char *)targinfo); 177 printk("ip_tables: error: `%s'\n",
178 (const char *)par->targinfo);
183 179
184 return NF_DROP; 180 return NF_DROP;
185} 181}
@@ -334,6 +330,7 @@ ipt_do_table(struct sk_buff *skb,
334 struct ipt_entry *e, *back; 330 struct ipt_entry *e, *back;
335 struct xt_table_info *private; 331 struct xt_table_info *private;
336 struct xt_match_param mtpar; 332 struct xt_match_param mtpar;
333 struct xt_target_param tgpar;
337 334
338 /* Initialization */ 335 /* Initialization */
339 ip = ip_hdr(skb); 336 ip = ip_hdr(skb);
@@ -349,8 +346,9 @@ ipt_do_table(struct sk_buff *skb,
349 mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET; 346 mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
350 mtpar.thoff = ip_hdrlen(skb); 347 mtpar.thoff = ip_hdrlen(skb);
351 mtpar.hotdrop = &hotdrop; 348 mtpar.hotdrop = &hotdrop;
352 mtpar.in = in; 349 mtpar.in = tgpar.in = in;
353 mtpar.out = out; 350 mtpar.out = tgpar.out = out;
351 tgpar.hooknum = hook;
354 352
355 read_lock_bh(&table->lock); 353 read_lock_bh(&table->lock);
356 IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 354 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
@@ -414,16 +412,14 @@ ipt_do_table(struct sk_buff *skb,
414 } else { 412 } else {
415 /* Targets which reenter must return 413 /* Targets which reenter must return
416 abs. verdicts */ 414 abs. verdicts */
415 tgpar.target = t->u.kernel.target;
416 tgpar.targinfo = t->data;
417#ifdef CONFIG_NETFILTER_DEBUG 417#ifdef CONFIG_NETFILTER_DEBUG
418 ((struct ipt_entry *)table_base)->comefrom 418 ((struct ipt_entry *)table_base)->comefrom
419 = 0xeeeeeeec; 419 = 0xeeeeeeec;
420#endif 420#endif
421 verdict = t->u.kernel.target->target(skb, 421 verdict = t->u.kernel.target->target(skb,
422 in, out, 422 &tgpar);
423 hook,
424 t->u.kernel.target,
425 t->data);
426
427#ifdef CONFIG_NETFILTER_DEBUG 423#ifdef CONFIG_NETFILTER_DEBUG
428 if (((struct ipt_entry *)table_base)->comefrom 424 if (((struct ipt_entry *)table_base)->comefrom
429 != 0xeeeeeeec 425 != 0xeeeeeeec
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 63faddc18a1c..67e8aa8f34f2 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -281,11 +281,9 @@ clusterip_responsible(const struct clusterip_config *config, u_int32_t hash)
281 ***********************************************************************/ 281 ***********************************************************************/
282 282
283static unsigned int 283static unsigned int
284clusterip_tg(struct sk_buff *skb, const struct net_device *in, 284clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
285 const struct net_device *out, unsigned int hooknum,
286 const struct xt_target *target, const void *targinfo)
287{ 285{
288 const struct ipt_clusterip_tgt_info *cipinfo = targinfo; 286 const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
289 struct nf_conn *ct; 287 struct nf_conn *ct;
290 enum ip_conntrack_info ctinfo; 288 enum ip_conntrack_info ctinfo;
291 u_int32_t hash; 289 u_int32_t hash;
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index aee2364afffd..e37f181e8298 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -77,11 +77,9 @@ set_ect_tcp(struct sk_buff *skb, const struct ipt_ECN_info *einfo)
77} 77}
78 78
79static unsigned int 79static unsigned int
80ecn_tg(struct sk_buff *skb, const struct net_device *in, 80ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
81 const struct net_device *out, unsigned int hooknum,
82 const struct xt_target *target, const void *targinfo)
83{ 81{
84 const struct ipt_ECN_info *einfo = targinfo; 82 const struct ipt_ECN_info *einfo = par->targinfo;
85 83
86 if (einfo->operation & IPT_ECN_OP_SET_IP) 84 if (einfo->operation & IPT_ECN_OP_SET_IP)
87 if (!set_ect_ip(skb, einfo)) 85 if (!set_ect_ip(skb, einfo))
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 1c9785df4df7..e9942aed35ae 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -426,18 +426,16 @@ ipt_log_packet(u_int8_t pf,
426} 426}
427 427
428static unsigned int 428static unsigned int
429log_tg(struct sk_buff *skb, const struct net_device *in, 429log_tg(struct sk_buff *skb, const struct xt_target_param *par)
430 const struct net_device *out, unsigned int hooknum,
431 const struct xt_target *target, const void *targinfo)
432{ 430{
433 const struct ipt_log_info *loginfo = targinfo; 431 const struct ipt_log_info *loginfo = par->targinfo;
434 struct nf_loginfo li; 432 struct nf_loginfo li;
435 433
436 li.type = NF_LOG_TYPE_LOG; 434 li.type = NF_LOG_TYPE_LOG;
437 li.u.log.level = loginfo->level; 435 li.u.log.level = loginfo->level;
438 li.u.log.logflags = loginfo->logflags; 436 li.u.log.logflags = loginfo->logflags;
439 437
440 ipt_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, &li, 438 ipt_log_packet(NFPROTO_IPV4, par->hooknum, skb, par->in, par->out, &li,
441 loginfo->prefix); 439 loginfo->prefix);
442 return XT_CONTINUE; 440 return XT_CONTINUE;
443} 441}
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 65c811b27b7b..e0d9d49b79ee 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -50,9 +50,7 @@ masquerade_tg_check(const char *tablename, const void *e,
50} 50}
51 51
52static unsigned int 52static unsigned int
53masquerade_tg(struct sk_buff *skb, const struct net_device *in, 53masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
54 const struct net_device *out, unsigned int hooknum,
55 const struct xt_target *target, const void *targinfo)
56{ 54{
57 struct nf_conn *ct; 55 struct nf_conn *ct;
58 struct nf_conn_nat *nat; 56 struct nf_conn_nat *nat;
@@ -62,7 +60,7 @@ masquerade_tg(struct sk_buff *skb, const struct net_device *in,
62 const struct rtable *rt; 60 const struct rtable *rt;
63 __be32 newsrc; 61 __be32 newsrc;
64 62
65 NF_CT_ASSERT(hooknum == NF_INET_POST_ROUTING); 63 NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING);
66 64
67 ct = nf_ct_get(skb, &ctinfo); 65 ct = nf_ct_get(skb, &ctinfo);
68 nat = nfct_nat(ct); 66 nat = nfct_nat(ct);
@@ -76,16 +74,16 @@ masquerade_tg(struct sk_buff *skb, const struct net_device *in,
76 if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == 0) 74 if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == 0)
77 return NF_ACCEPT; 75 return NF_ACCEPT;
78 76
79 mr = targinfo; 77 mr = par->targinfo;
80 rt = skb->rtable; 78 rt = skb->rtable;
81 newsrc = inet_select_addr(out, rt->rt_gateway, RT_SCOPE_UNIVERSE); 79 newsrc = inet_select_addr(par->out, rt->rt_gateway, RT_SCOPE_UNIVERSE);
82 if (!newsrc) { 80 if (!newsrc) {
83 printk("MASQUERADE: %s ate my IP address\n", out->name); 81 printk("MASQUERADE: %s ate my IP address\n", par->out->name);
84 return NF_DROP; 82 return NF_DROP;
85 } 83 }
86 84
87 write_lock_bh(&masq_lock); 85 write_lock_bh(&masq_lock);
88 nat->masq_index = out->ifindex; 86 nat->masq_index = par->out->ifindex;
89 write_unlock_bh(&masq_lock); 87 write_unlock_bh(&masq_lock);
90 88
91 /* Transfer from original range. */ 89 /* Transfer from original range. */
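Review bot: The `printk("MASQUERADE: %s ate my IP address\n", par->out->name)` on the `!newsrc` path in masquerade_tg() runs once per packet with no rate limit, so traffic arriving while the outgoing interface has no address can flood the kernel log. arpt_error() and ipt_error() in this commit guard their packet-path messages with `net_ratelimit()`; the same guard fits here: `if (net_ratelimit()) printk("MASQUERADE: %s ate my IP address\n", par->out->name);`. `NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING)` is presumably compiled out in non-debug builds, so the non-NULL `par->out` this function relies on has to come from the check hook. The function body continues outside these hunks.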
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index f281500bd7fa..cf18f23b3460 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -41,24 +41,23 @@ netmap_tg_check(const char *tablename, const void *e,
41} 41}
42 42
43static unsigned int 43static unsigned int
44netmap_tg(struct sk_buff *skb, const struct net_device *in, 44netmap_tg(struct sk_buff *skb, const struct xt_target_param *par)
45 const struct net_device *out, unsigned int hooknum,
46 const struct xt_target *target, const void *targinfo)
47{ 45{
48 struct nf_conn *ct; 46 struct nf_conn *ct;
49 enum ip_conntrack_info ctinfo; 47 enum ip_conntrack_info ctinfo;
50 __be32 new_ip, netmask; 48 __be32 new_ip, netmask;
51 const struct nf_nat_multi_range_compat *mr = targinfo; 49 const struct nf_nat_multi_range_compat *mr = par->targinfo;
52 struct nf_nat_range newrange; 50 struct nf_nat_range newrange;
53 51
54 NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING 52 NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
55 || hooknum == NF_INET_POST_ROUTING 53 par->hooknum == NF_INET_POST_ROUTING ||
56 || hooknum == NF_INET_LOCAL_OUT); 54 par->hooknum == NF_INET_LOCAL_OUT);
57 ct = nf_ct_get(skb, &ctinfo); 55 ct = nf_ct_get(skb, &ctinfo);
58 56
59 netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip); 57 netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
60 58
61 if (hooknum == NF_INET_PRE_ROUTING || hooknum == NF_INET_LOCAL_OUT) 59 if (par->hooknum == NF_INET_PRE_ROUTING ||
60 par->hooknum == NF_INET_LOCAL_OUT)
62 new_ip = ip_hdr(skb)->daddr & ~netmask; 61 new_ip = ip_hdr(skb)->daddr & ~netmask;
63 else 62 else
64 new_ip = ip_hdr(skb)->saddr & ~netmask; 63 new_ip = ip_hdr(skb)->saddr & ~netmask;
@@ -70,7 +69,7 @@ netmap_tg(struct sk_buff *skb, const struct net_device *in,
70 mr->range[0].min, mr->range[0].max }); 69 mr->range[0].min, mr->range[0].max });
71 70
72 /* Hand modified range to generic setup. */ 71 /* Hand modified range to generic setup. */
73 return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(hooknum)); 72 return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
74} 73}
75 74
76static struct xt_target netmap_tg_reg __read_mostly = { 75static struct xt_target netmap_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index ef496105eae1..23adb09ddfb4 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -45,24 +45,22 @@ redirect_tg_check(const char *tablename, const void *e,
45} 45}
46 46
47static unsigned int 47static unsigned int
48redirect_tg(struct sk_buff *skb, const struct net_device *in, 48redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
49 const struct net_device *out, unsigned int hooknum,
50 const struct xt_target *target, const void *targinfo)
51{ 49{
52 struct nf_conn *ct; 50 struct nf_conn *ct;
53 enum ip_conntrack_info ctinfo; 51 enum ip_conntrack_info ctinfo;
54 __be32 newdst; 52 __be32 newdst;
55 const struct nf_nat_multi_range_compat *mr = targinfo; 53 const struct nf_nat_multi_range_compat *mr = par->targinfo;
56 struct nf_nat_range newrange; 54 struct nf_nat_range newrange;
57 55
58 NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING 56 NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
59 || hooknum == NF_INET_LOCAL_OUT); 57 par->hooknum == NF_INET_LOCAL_OUT);
60 58
61 ct = nf_ct_get(skb, &ctinfo); 59 ct = nf_ct_get(skb, &ctinfo);
62 NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)); 60 NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED));
63 61
64 /* Local packets: make them go to loopback */ 62 /* Local packets: make them go to loopback */
65 if (hooknum == NF_INET_LOCAL_OUT) 63 if (par->hooknum == NF_INET_LOCAL_OUT)
66 newdst = htonl(0x7F000001); 64 newdst = htonl(0x7F000001);
67 else { 65 else {
68 struct in_device *indev; 66 struct in_device *indev;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 9f5da0c2cae8..b36071bb1077 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -136,11 +136,9 @@ static inline void send_unreach(struct sk_buff *skb_in, int code)
136} 136}
137 137
138static unsigned int 138static unsigned int
139reject_tg(struct sk_buff *skb, const struct net_device *in, 139reject_tg(struct sk_buff *skb, const struct xt_target_param *par)
140 const struct net_device *out, unsigned int hooknum,
141 const struct xt_target *target, const void *targinfo)
142{ 140{
143 const struct ipt_reject_info *reject = targinfo; 141 const struct ipt_reject_info *reject = par->targinfo;
144 142
145 /* WARNING: This code causes reentry within iptables. 143 /* WARNING: This code causes reentry within iptables.
146 This means that the iptables jump stack is now crap. We 144 This means that the iptables jump stack is now crap. We
@@ -168,7 +166,7 @@ reject_tg(struct sk_buff *skb, const struct net_device *in,
168 send_unreach(skb, ICMP_PKT_FILTERED); 166 send_unreach(skb, ICMP_PKT_FILTERED);
169 break; 167 break;
170 case IPT_TCP_RESET: 168 case IPT_TCP_RESET:
171 send_reset(skb, hooknum); 169 send_reset(skb, par->hooknum);
172 case IPT_ICMP_ECHOREPLY: 170 case IPT_ICMP_ECHOREPLY:
173 /* Doesn't happen. */ 171 /* Doesn't happen. */
174 break; 172 break;
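Review bot: In reject_tg(), `case IPT_TCP_RESET:` calls `send_reset(skb, par->hooknum);` and then falls through into `case IPT_ICMP_ECHOREPLY:` with no `break` and no fall-through marker. It is harmless today because the next case only breaks, but a statement added under IPT_ICMP_ECHOREPLY would silently run for TCP resets as well. Since the commit already touches this line, add `break;` after the `send_reset()` call. The switch starts and ends outside this hunk.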
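diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
index 7d01d424a71a..05cbfd2f7470 100644
--- a/net/ipv4/netfilter/ipt_TTL.c
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -20,12 +20,10 @@ MODULE_DESCRIPTION("Xtables: IPv4 TTL field modification target");
 MODULE_LICENSE("GPL");
 
 static unsigned int
-ttl_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+ttl_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
  struct iphdr *iph;
- const struct ipt_TTL_info *info = targinfo;
+ const struct ipt_TTL_info *info = par->targinfo;
  int new_ttl;
 
  if (!skb_make_writable(skb, skb->len))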
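diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 9065e4a34fbc..46c0df0dc2dc 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -281,14 +281,10 @@ alloc_failure:
 }
 
 static unsigned int
-ulog_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
- struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
-
- ipt_ulog_packet(hooknum, skb, in, out, loginfo, NULL);
-
+ ipt_ulog_packet(par->hooknum, skb, par->in, par->out,
+ par->targinfo, NULL);
  return XT_CONTINUE;
 }
 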
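diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index f929352ec0ee..83170ff131f9 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -67,25 +67,21 @@ static struct xt_table nat_table = {
 };
 
 /* Source NAT */
-static unsigned int ipt_snat_target(struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- unsigned int hooknum,
- const struct xt_target *target,
- const void *targinfo)
+static unsigned int
+ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par)
 {
  struct nf_conn *ct;
  enum ip_conntrack_info ctinfo;
- const struct nf_nat_multi_range_compat *mr = targinfo;
+ const struct nf_nat_multi_range_compat *mr = par->targinfo;
 
- NF_CT_ASSERT(hooknum == NF_INET_POST_ROUTING);
+ NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING);
 
  ct = nf_ct_get(skb, &ctinfo);
 
  /* Connection must be valid and new. */
  NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
  ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
- NF_CT_ASSERT(out);
+ NF_CT_ASSERT(par->out != NULL);
 
  return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC);
 }
@@ -109,28 +105,24 @@ static void warn_if_extra_mangle(struct net *net, __be32 dstip, __be32 srcip)
  ip_rt_put(rt);
 }
 
-static unsigned int ipt_dnat_target(struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- unsigned int hooknum,
- const struct xt_target *target,
- const void *targinfo)
+static unsigned int
+ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par)
 {
  struct nf_conn *ct;
  enum ip_conntrack_info ctinfo;
- const struct nf_nat_multi_range_compat *mr = targinfo;
+ const struct nf_nat_multi_range_compat *mr = par->targinfo;
 
- NF_CT_ASSERT(hooknum == NF_INET_PRE_ROUTING ||
- hooknum == NF_INET_LOCAL_OUT);
+ NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
+ par->hooknum == NF_INET_LOCAL_OUT);
 
  ct = nf_ct_get(skb, &ctinfo);
 
  /* Connection must be valid and new. */
  NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED));
 
- if (hooknum == NF_INET_LOCAL_OUT &&
+ if (par->hooknum == NF_INET_LOCAL_OUT &&
  mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)
- warn_if_extra_mangle(dev_net(out), ip_hdr(skb)->daddr,
+ warn_if_extra_mangle(dev_net(par->out), ip_hdr(skb)->daddr,
  mr->range[0].min_ip);
 
  return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST);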
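Review bot: ipt_dnat_target's LOCAL_OUT branch (second hunk) passes `par->out` to `dev_net()` with nothing in the function asserting it is non-NULL, while ipt_snat_target in the first hunk keeps `NF_CT_ASSERT(par->out != NULL);`. Now that the devices arrive in a caller-filled struct, that guarantee rests on every caller setting `out` for this hook, and the tcf_ipt change later in this commit fills `par.out = NULL`; whether that caller can reach this target is not visible here. I would add `NF_CT_ASSERT(par->hooknum != NF_INET_LOCAL_OUT || par->out != NULL);` after the existing hook assertion so the expectation is written down. The closing brace of ipt_dnat_target is outside the hunk.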
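diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 891358e89a2b..ee0986cdbd66 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -200,15 +200,11 @@ ip6_checkentry(const struct ip6t_ip6 *ipv6)
 }
 
 static unsigned int
-ip6t_error(struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- unsigned int hooknum,
- const struct xt_target *target,
- const void *targinfo)
+ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
 {
  if (net_ratelimit())
- printk("ip6_tables: error: `%s'\n", (char *)targinfo);
+ printk("ip6_tables: error: `%s'\n",
+ (const char *)par->targinfo);
 
  return NF_DROP;
 }
@@ -360,6 +356,7 @@ ip6t_do_table(struct sk_buff *skb,
  struct ip6t_entry *e, *back;
  struct xt_table_info *private;
  struct xt_match_param mtpar;
+ struct xt_target_param tgpar;
 
  /* Initialization */
  indev = in ? in->name : nulldevname;
@@ -371,8 +368,9 @@ ip6t_do_table(struct sk_buff *skb,
  * rule is also a fragment-specific rule, non-fragments won't
  * match it. */
  mtpar.hotdrop = &hotdrop;
- mtpar.in = in;
- mtpar.out = out;
+ mtpar.in = tgpar.in = in;
+ mtpar.out = tgpar.out = out;
+ tgpar.hooknum = hook;
 
  read_lock_bh(&table->lock);
  IP_NF_ASSERT(table->valid_hooks & (1 << hook));
@@ -438,15 +436,15 @@ ip6t_do_table(struct sk_buff *skb,
  } else {
  /* Targets which reenter must return
  abs. verdicts */
+ tgpar.target = t->u.kernel.target;
+ tgpar.targinfo = t->data;
+
 #ifdef CONFIG_NETFILTER_DEBUG
  ((struct ip6t_entry *)table_base)->comefrom
  = 0xeeeeeeec;
 #endif
  verdict = t->u.kernel.target->target(skb,
- in, out,
- hook,
- t->u.kernel.target,
- t->data);
+ &tgpar);
 
 #ifdef CONFIG_NETFILTER_DEBUG
  if (((struct ip6t_entry *)table_base)->comefrom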
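Review bot: ip6t_error (first hunk) hands `par->targinfo` to printk through an unbounded `%s`, so the read ends only at the first NUL byte in the rule's target data. Nothing in this hunk shows that the payload is guaranteed to be terminated when the ruleset is installed; if it is, a one-line comment such as `/* targinfo is NUL-terminated by the load-time check */` would record that. Otherwise I would bound the read with a `%.*s` precision taken from the target's declared data size. The printk also carries no KERN_ log level.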
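diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c
index 7eebd3509166..ac759a54f2c6 100644
--- a/net/ipv6/netfilter/ip6t_HL.c
+++ b/net/ipv6/netfilter/ip6t_HL.c
@@ -19,12 +19,10 @@ MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field modification target");
 MODULE_LICENSE("GPL");
 
 static unsigned int
-hl_tg6(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
 {
  struct ipv6hdr *ip6h;
- const struct ip6t_HL_info *info = targinfo;
+ const struct ip6t_HL_info *info = par->targinfo;
  int new_hl;
 
  if (!skb_make_writable(skb, skb->len))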
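diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index fd148f3d842f..a31d3ecd1fc9 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -438,18 +438,16 @@ ip6t_log_packet(u_int8_t pf,
 }
 
 static unsigned int
-log_tg6(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+log_tg6(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct ip6t_log_info *loginfo = targinfo;
+ const struct ip6t_log_info *loginfo = par->targinfo;
  struct nf_loginfo li;
 
  li.type = NF_LOG_TYPE_LOG;
  li.u.log.level = loginfo->level;
  li.u.log.logflags = loginfo->logflags;
 
- ip6t_log_packet(NFPROTO_IPV6, hooknum, skb, in, out,
+ ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in, par->out,
  &li, loginfo->prefix);
  return XT_CONTINUE;
 }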
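diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index f1a9fce1ec95..1d5f3a70ed09 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -173,12 +173,10 @@ send_unreach(struct net *net, struct sk_buff *skb_in, unsigned char code,
 }
 
 static unsigned int
-reject_tg6(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct ip6t_reject_info *reject = targinfo;
- struct net *net = dev_net(in ? in : out);
+ const struct ip6t_reject_info *reject = par->targinfo;
+ struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
 
  pr_debug("%s: medium point\n", __func__);
  /* WARNING: This code causes reentry within ip6tables.
@@ -186,19 +184,19 @@ reject_tg6(struct sk_buff *skb, const struct net_device *in,
  must return an absolute verdict. --RR */
  switch (reject->with) {
  case IP6T_ICMP6_NO_ROUTE:
- send_unreach(net, skb, ICMPV6_NOROUTE, hooknum);
+ send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum);
  break;
  case IP6T_ICMP6_ADM_PROHIBITED:
- send_unreach(net, skb, ICMPV6_ADM_PROHIBITED, hooknum);
+ send_unreach(net, skb, ICMPV6_ADM_PROHIBITED, par->hooknum);
  break;
  case IP6T_ICMP6_NOT_NEIGHBOUR:
- send_unreach(net, skb, ICMPV6_NOT_NEIGHBOUR, hooknum);
+ send_unreach(net, skb, ICMPV6_NOT_NEIGHBOUR, par->hooknum);
  break;
  case IP6T_ICMP6_ADDR_UNREACH:
- send_unreach(net, skb, ICMPV6_ADDR_UNREACH, hooknum);
+ send_unreach(net, skb, ICMPV6_ADDR_UNREACH, par->hooknum);
  break;
  case IP6T_ICMP6_PORT_UNREACH:
- send_unreach(net, skb, ICMPV6_PORT_UNREACH, hooknum);
+ send_unreach(net, skb, ICMPV6_PORT_UNREACH, par->hooknum);
  break;
  case IP6T_ICMP6_ECHOREPLY:
  /* Do nothing */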
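diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 8cffa295dd37..011bc80dd2a1 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -27,11 +27,9 @@ MODULE_ALIAS("ipt_CLASSIFY");
 MODULE_ALIAS("ip6t_CLASSIFY");
 
 static unsigned int
-classify_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+classify_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_classify_target_info *clinfo = targinfo;
+ const struct xt_classify_target_info *clinfo = par->targinfo;
 
  skb->priority = clinfo->priority;
  return XT_CONTINUE;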
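diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index e1415c3f5c91..95ed267328a7 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -36,11 +36,9 @@ MODULE_ALIAS("ip6t_CONNMARK");
 #include <net/netfilter/nf_conntrack_ecache.h>
 
 static unsigned int
-connmark_tg_v0(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+connmark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_connmark_target_info *markinfo = targinfo;
+ const struct xt_connmark_target_info *markinfo = par->targinfo;
  struct nf_conn *ct;
  enum ip_conntrack_info ctinfo;
  u_int32_t diff;
@@ -77,11 +75,9 @@ connmark_tg_v0(struct sk_buff *skb, const struct net_device *in,
 }
 
 static unsigned int
-connmark_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_connmark_tginfo1 *info = targinfo;
+ const struct xt_connmark_tginfo1 *info = par->targinfo;
  enum ip_conntrack_info ctinfo;
  struct nf_conn *ct;
  u_int32_t newmark;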
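diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 5f221c3bd35c..2211a2cef280 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -65,11 +65,9 @@ static void secmark_restore(struct sk_buff *skb)
 }
 
 static unsigned int
-connsecmark_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_connsecmark_target_info *info = targinfo;
+ const struct xt_connsecmark_target_info *info = par->targinfo;
 
  switch (info->mode) {
  case CONNSECMARK_SAVE: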
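diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index f0b4958528e0..c78e80afdf3d 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -29,11 +29,9 @@ MODULE_ALIAS("ipt_TOS");
 MODULE_ALIAS("ip6t_TOS");
 
 static unsigned int
-dscp_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+dscp_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_DSCP_info *dinfo = targinfo;
+ const struct xt_DSCP_info *dinfo = par->targinfo;
  u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
 
  if (dscp != dinfo->dscp) {
@@ -48,11 +46,9 @@ dscp_tg(struct sk_buff *skb, const struct net_device *in,
 }
 
 static unsigned int
-dscp_tg6(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_DSCP_info *dinfo = targinfo;
+ const struct xt_DSCP_info *dinfo = par->targinfo;
  u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
 
  if (dscp != dinfo->dscp) {
@@ -80,11 +76,9 @@ dscp_tg_check(const char *tablename, const void *e_void,
 }
 
 static unsigned int
-tos_tg_v0(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+tos_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct ipt_tos_target_info *info = targinfo;
+ const struct ipt_tos_target_info *info = par->targinfo;
  struct iphdr *iph = ip_hdr(skb);
  u_int8_t oldtos;
 
@@ -119,11 +113,9 @@ tos_tg_check_v0(const char *tablename, const void *e_void,
 }
 
 static unsigned int
-tos_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_tos_target_info *info = targinfo;
+ const struct xt_tos_target_info *info = par->targinfo;
  struct iphdr *iph = ip_hdr(skb);
  u_int8_t orig, nv;
 
@@ -141,11 +133,9 @@ tos_tg(struct sk_buff *skb, const struct net_device *in,
 }
 
 static unsigned int
-tos_tg6(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+tos_tg6(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_tos_target_info *info = targinfo;
+ const struct xt_tos_target_info *info = par->targinfo;
  struct ipv6hdr *iph = ipv6_hdr(skb);
  u_int8_t orig, nv;
 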
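diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index c8ea7a809707..27d03f396117 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -25,22 +25,18 @@ MODULE_ALIAS("ipt_MARK");
 MODULE_ALIAS("ip6t_MARK");
 
 static unsigned int
-mark_tg_v0(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+mark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_mark_target_info *markinfo = targinfo;
+ const struct xt_mark_target_info *markinfo = par->targinfo;
 
  skb->mark = markinfo->mark;
  return XT_CONTINUE;
 }
 
 static unsigned int
-mark_tg_v1(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+mark_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_mark_target_info_v1 *markinfo = targinfo;
+ const struct xt_mark_target_info_v1 *markinfo = par->targinfo;
  int mark = 0;
 
  switch (markinfo->mode) {
@@ -62,11 +58,9 @@ mark_tg_v1(struct sk_buff *skb, const struct net_device *in,
 }
 
 static unsigned int
-mark_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_mark_tginfo2 *info = targinfo;
+ const struct xt_mark_tginfo2 *info = par->targinfo;
 
  skb->mark = (skb->mark & ~info->mask) ^ info->mark;
  return XT_CONTINUE;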
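diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index 9b0955201762..3218ad63bd1d 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -21,11 +21,9 @@ MODULE_ALIAS("ipt_NFLOG");
 MODULE_ALIAS("ip6t_NFLOG");
 
 static unsigned int
-nflog_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_nflog_info *info = targinfo;
+ const struct xt_nflog_info *info = par->targinfo;
  struct nf_loginfo li;
 
  li.type = NF_LOG_TYPE_ULOG;
@@ -33,8 +31,8 @@ nflog_tg(struct sk_buff *skb, const struct net_device *in,
  li.u.ulog.group = info->group;
  li.u.ulog.qthreshold = info->threshold;
 
- nf_log_packet(target->family, hooknum, skb, in, out, &li,
- "%s", info->prefix);
+ nf_log_packet(par->target->family, par->hooknum, skb, par->in,
+ par->out, &li, "%s", info->prefix);
  return XT_CONTINUE;
 }
 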
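diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index c03c2e8d06fd..2cc1fff49307 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -24,11 +24,9 @@ MODULE_ALIAS("ip6t_NFQUEUE");
 MODULE_ALIAS("arpt_NFQUEUE");
 
 static unsigned int
-nfqueue_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_NFQ_info *tinfo = targinfo;
+ const struct xt_NFQ_info *tinfo = par->targinfo;
 
  return NF_QUEUE_NR(tinfo->queuenum);
 }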
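diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index b9ee268b37c3..cc50295cd11e 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -13,9 +13,7 @@ MODULE_ALIAS("ipt_NOTRACK");
 MODULE_ALIAS("ip6t_NOTRACK");
 
 static unsigned int
-notrack_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+notrack_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
  /* Previously seen (loopback)? Ignore. */
  if (skb->nfct != NULL)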
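diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index da7946e6ecb2..92e33524f784 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -71,14 +71,9 @@ void xt_rateest_put(struct xt_rateest *est)
 EXPORT_SYMBOL_GPL(xt_rateest_put);
 
 static unsigned int
-xt_rateest_tg(struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- unsigned int hooknum,
- const struct xt_target *target,
- const void *targinfo)
+xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
- const struct xt_rateest_target_info *info = targinfo;
+ const struct xt_rateest_target_info *info = par->targinfo;
  struct gnet_stats_basic *stats = &info->est->bstats;
 
  spin_lock_bh(&info->est->lock);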
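diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 2a2ab8334817..ad05214e3809 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -29,12 +29,10 @@ MODULE_ALIAS("ip6t_SECMARK");
 static u8 mode;
 
 static unsigned int
-secmark_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+secmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
  u32 secmark = 0;
- const struct xt_secmark_target_info *info = targinfo;
+ const struct xt_secmark_target_info *info = par->targinfo;
 
  BUG_ON(info->mode != mode);
 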
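Review bot: `BUG_ON(info->mode != mode);` sits on the per-packet path of secmark_tg and compares rule data against the file-scope `mode`, so a mismatch takes the whole machine down rather than dropping one packet. If the rule's mode is validated when the rule is installed (not visible in this hunk), the check here is redundant and could be downgraded; if it is not, the validation belongs at install time with an error return. Either way I would not keep a panic reachable from rule contents, for example `if (WARN_ON_ONCE(info->mode != mode)) return NF_DROP;`. The rest of secmark_tg is outside the hunk.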
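diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index b868f9952398..e08762d9b0ff 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -174,15 +174,13 @@ static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
 }
 
 static unsigned int
-tcpmss_tg4(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par)
 {
  struct iphdr *iph = ip_hdr(skb);
  __be16 newlen;
  int ret;
 
- ret = tcpmss_mangle_packet(skb, targinfo,
+ ret = tcpmss_mangle_packet(skb, par->targinfo,
  tcpmss_reverse_mtu(skb, PF_INET),
  iph->ihl * 4,
  sizeof(*iph) + sizeof(struct tcphdr));
@@ -199,9 +197,7 @@ tcpmss_tg4(struct sk_buff *skb, const struct net_device *in,
 
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 static unsigned int
-tcpmss_tg6(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+tcpmss_tg6(struct sk_buff *skb, const struct xt_target_param *par)
 {
  struct ipv6hdr *ipv6h = ipv6_hdr(skb);
  u8 nexthdr;
@@ -212,7 +208,7 @@ tcpmss_tg6(struct sk_buff *skb, const struct net_device *in,
  tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr);
  if (tcphoff < 0)
  return NF_DROP;
- ret = tcpmss_mangle_packet(skb, targinfo,
+ ret = tcpmss_mangle_packet(skb, par->targinfo,
  tcpmss_reverse_mtu(skb, PF_INET6),
  tcphoff,
  sizeof(*ipv6h) + sizeof(struct tcphdr));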
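diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 2e0ae6cc5d95..9dd8c8ef63eb 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -75,19 +75,15 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
 }
 
 static unsigned int
-tcpoptstrip_tg4(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par)
 {
- return tcpoptstrip_mangle_packet(skb, targinfo, ip_hdrlen(skb),
+ return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
  sizeof(struct iphdr) + sizeof(struct tcphdr));
 }
 
 #if defined(CONFIG_IP6_NF_MANGLE) || defined(CONFIG_IP6_NF_MANGLE_MODULE)
 static unsigned int
-tcpoptstrip_tg6(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_target_param *par)
 {
  struct ipv6hdr *ipv6h = ipv6_hdr(skb);
  int tcphoff;
@@ -98,7 +94,7 @@ tcpoptstrip_tg6(struct sk_buff *skb, const struct net_device *in,
  if (tcphoff < 0)
  return NF_DROP;
 
- return tcpoptstrip_mangle_packet(skb, targinfo, tcphoff,
+ return tcpoptstrip_mangle_packet(skb, par->targinfo, tcphoff,
  sizeof(*ipv6h) + sizeof(struct tcphdr));
 }
 #endif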
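diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 183f251d2f06..f08c49ea4bdc 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -25,15 +25,10 @@
 #include <net/netfilter/nf_tproxy_core.h>
 
 static unsigned int
-tproxy_tg(struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- unsigned int hooknum,
- const struct xt_target *target,
- const void *targinfo)
+tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
  const struct iphdr *iph = ip_hdr(skb);
- const struct xt_tproxy_target_info *tgi = targinfo;
+ const struct xt_tproxy_target_info *tgi = par->targinfo;
  struct udphdr _hdr, *hp;
  struct sock *sk;
 
@@ -44,7 +39,7 @@ tproxy_tg(struct sk_buff *skb,
  sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
  iph->saddr, tgi->laddr ? tgi->laddr : iph->daddr,
  hp->source, tgi->lport ? tgi->lport : hp->dest,
- in, true);
+ par->in, true);
 
  /* NOTE: assign_sock consumes our sk reference */
  if (sk && nf_tproxy_assign_sock(skb, sk)) {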
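diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index da35f9f1cd7b..fbb04b86c46b 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -11,9 +11,7 @@ MODULE_ALIAS("ipt_TRACE");
 MODULE_ALIAS("ip6t_TRACE");
 
 static unsigned int
-trace_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+trace_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
  skb->nf_trace = 1;
  return XT_CONTINUE;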
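diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 79ea19375caf..89791a56429a 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -188,6 +188,7 @@ static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
 {
  int ret = 0, result = 0;
  struct tcf_ipt *ipt = a->priv;
+ struct xt_target_param par;
 
  if (skb_cloned(skb)) {
  if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
@@ -203,10 +204,13 @@ static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
  /* yes, we have to worry about both in and out dev
  worry later - danger - this API seems to have changed
  from earlier kernels */
- ret = ipt->tcfi_t->u.kernel.target->target(skb, skb->dev, NULL,
- ipt->tcfi_hook,
- ipt->tcfi_t->u.kernel.target,
- ipt->tcfi_t->data);
+ par.in = skb->dev;
+ par.out = NULL;
+ par.hooknum = ipt->tcfi_hook;
+ par.target = ipt->tcfi_t->u.kernel.target;
+ par.targinfo = ipt->tcfi_t->data;
+ ret = par.target->target(skb, &par);
+
  switch (ret) {
  case NF_ACCEPT:
  result = TC_ACT_OK;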
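Review bot: `struct xt_target_param par;` (first hunk) is declared without an initialiser and the second hunk assigns five members individually, so any member not assigned here, including one added to the struct later, reaches the target callback holding leftover stack contents. The struct definition is not visible in this section, so I cannot confirm that these five are all of them. I would clear it before filling it, with `memset(&par, 0, sizeof(par));` ahead of `par.in = skb->dev;`; the `tgpar` local added to ip6t_do_table in ip6_tables.c follows the same pattern. tcf_ipt begins and ends outside both hunks.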