-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c11
-rw-r--r--net/ipv4/netfilter/ipt_LOG.c26
-rw-r--r--net/ipv4/netfilter/ipt_MASQUERADE.c8
-rw-r--r--net/ipv4/netfilter/ipt_REJECT.c2
-rw-r--r--net/ipv4/netfilter/ipt_TTL.c2
-rw-r--r--net/ipv4/netfilter/ipt_ULOG.c6
-rw-r--r--net/ipv4/netfilter/ipt_ah.c3
-rw-r--r--net/ipv4/netfilter/ipt_ecn.c3
-rw-r--r--net/ipv4/netfilter/ipt_recent.c2
-rw-r--r--net/ipv4/netfilter/nf_nat_helper.c4
-rw-r--r--net/ipv6/netfilter/ip6t_HL.c2
-rw-r--r--net/ipv6/netfilter/ip6t_LOG.c27
-rw-r--r--net/ipv6/netfilter/ip6t_REJECT.c2
-rw-r--r--net/ipv6/netfilter/ip6t_ah.c3
-rw-r--r--net/ipv6/netfilter/ip6t_frag.c3
-rw-r--r--net/ipv6/netfilter/ip6t_hbh.c9
-rw-r--r--net/ipv6/netfilter/ip6t_mh.c3
-rw-r--r--net/ipv6/netfilter/ip6t_rt.c10
-rw-r--r--net/netfilter/core.c6
-rw-r--r--net/netfilter/xt_CONNMARK.c6
-rw-r--r--net/netfilter/xt_CONNSECMARK.c4
-rw-r--r--net/netfilter/xt_MARK.c8
-rw-r--r--net/netfilter/xt_NFLOG.c2
-rw-r--r--net/netfilter/xt_connbytes.c2
-rw-r--r--net/netfilter/xt_connmark.c8
-rw-r--r--net/netfilter/xt_conntrack.c8
-rw-r--r--net/netfilter/xt_dccp.c2
-rw-r--r--net/netfilter/xt_hashlimit.c30
-rw-r--r--net/netfilter/xt_helper.c6
-rw-r--r--net/netfilter/xt_limit.c7
-rw-r--r--net/netfilter/xt_mark.c4
-rw-r--r--net/netfilter/xt_physdev.c2
-rw-r--r--net/netfilter/xt_policy.c6
-rw-r--r--net/netfilter/xt_quota.c5
-rw-r--r--net/netfilter/xt_realm.c2
-rw-r--r--net/netfilter/xt_statistic.c2
36 files changed, 136 insertions, 100 deletions
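diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index e82339a78c01..2de7ae0180aa 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -235,12 +235,13 @@ clusterip_del_node(struct clusterip_config *c, u_int16_t nodenum)
 #endif
 
 static inline u_int32_t
-clusterip_hashfn(struct sk_buff *skb, struct clusterip_config *config)
+clusterip_hashfn(const struct sk_buff *skb,
+ const struct clusterip_config *config)
 {
- struct iphdr *iph = ip_hdr(skb);
+ const struct iphdr *iph = ip_hdr(skb);
  unsigned long hashval;
  u_int16_t sport, dport;
- u_int16_t *ports;
+ const u_int16_t *ports;
 
  switch (iph->protocol) {
  case IPPROTO_TCP:
@@ -249,7 +250,7 @@ clusterip_hashfn(struct sk_buff *skb, struct clusterip_config *config)
  case IPPROTO_SCTP:
  case IPPROTO_DCCP:
  case IPPROTO_ICMP:
- ports = (void *)iph+iph->ihl*4;
+ ports = (const void *)iph+iph->ihl*4;
  sport = ports[0];
  dport = ports[1];
  break;
@@ -289,7 +290,7 @@ clusterip_hashfn(struct sk_buff *skb, struct clusterip_config *config)
 }
 
 static inline int
-clusterip_responsible(struct clusterip_config *config, u_int32_t hash)
+clusterip_responsible(const struct clusterip_config *config, u_int32_t hash)
 {
  return test_bit(hash - 1, &config->local_nodes);
 }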
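Review bot: In clusterip_hashfn the port words are still read straight out of the packet with `ports = (const void *)iph+iph->ihl*4;` followed by `ports[0]` and `ports[1]`, and nothing in the visible hunks checks that four bytes past the IP header are present in the linear skb data or that `iph->ihl` is sane. Now that skb is const, the read fits the bounded copy-out helper that ip6t_LOG.c uses on this same page: `ports = skb_header_pointer(skb, iph->ihl * 4, sizeof(_ports), _ports);` with a local `u_int16_t _ports[2];` and a NULL check before the two loads. That also removes the arithmetic on a `void *`, which is a GNU extension. The function body continues outside the hunks, so a length check elsewhere cannot be ruled out from here.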
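diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index bbff6c352ef8..bcc43a625e72 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -41,7 +41,8 @@ static void dump_packet(const struct nf_loginfo *info,
  const struct sk_buff *skb,
  unsigned int iphoff)
 {
- struct iphdr _iph, *ih;
+ struct iphdr _iph;
+ const struct iphdr *ih;
  unsigned int logflags;
 
  if (info->type == NF_LOG_TYPE_LOG)
@@ -100,7 +101,8 @@ static void dump_packet(const struct nf_loginfo *info,
 
  switch (ih->protocol) {
  case IPPROTO_TCP: {
- struct tcphdr _tcph, *th;
+ struct tcphdr _tcph;
+ const struct tcphdr *th;
 
  /* Max length: 10 "PROTO=TCP " */
  printk("PROTO=TCP ");
@@ -151,7 +153,7 @@ static void dump_packet(const struct nf_loginfo *info,
  if ((logflags & IPT_LOG_TCPOPT)
  && th->doff * 4 > sizeof(struct tcphdr)) {
  unsigned char _opt[4 * 15 - sizeof(struct tcphdr)];
- unsigned char *op;
+ const unsigned char *op;
  unsigned int i, optsize;
 
  optsize = th->doff * 4 - sizeof(struct tcphdr);
@@ -173,7 +175,8 @@ static void dump_packet(const struct nf_loginfo *info,
  }
  case IPPROTO_UDP:
  case IPPROTO_UDPLITE: {
- struct udphdr _udph, *uh;
+ struct udphdr _udph;
+ const struct udphdr *uh;
 
  if (ih->protocol == IPPROTO_UDP)
  /* Max length: 10 "PROTO=UDP " */
@@ -200,7 +203,8 @@ static void dump_packet(const struct nf_loginfo *info,
  break;
  }
  case IPPROTO_ICMP: {
- struct icmphdr _icmph, *ich;
+ struct icmphdr _icmph;
+ const struct icmphdr *ich;
  static const size_t required_len[NR_ICMP_TYPES+1]
  = { [ICMP_ECHOREPLY] = 4,
  [ICMP_DEST_UNREACH]
@@ -285,7 +289,8 @@ static void dump_packet(const struct nf_loginfo *info,
  }
  /* Max Length */
  case IPPROTO_AH: {
- struct ip_auth_hdr _ahdr, *ah;
+ struct ip_auth_hdr _ahdr;
+ const struct ip_auth_hdr *ah;
 
  if (ntohs(ih->frag_off) & IP_OFFSET)
  break;
@@ -307,7 +312,8 @@ static void dump_packet(const struct nf_loginfo *info,
  break;
  }
  case IPPROTO_ESP: {
- struct ip_esp_hdr _esph, *eh;
+ struct ip_esp_hdr _esph;
+ const struct ip_esp_hdr *eh;
 
  /* Max length: 10 "PROTO=ESP " */
  printk("PROTO=ESP ");
@@ -385,11 +391,13 @@ ipt_log_packet(unsigned int pf,
  out ? out->name : "");
 #ifdef CONFIG_BRIDGE_NETFILTER
  if (skb->nf_bridge) {
- struct net_device *physindev = skb->nf_bridge->physindev;
- struct net_device *physoutdev = skb->nf_bridge->physoutdev;
+ const struct net_device *physindev;
+ const struct net_device *physoutdev;
 
+ physindev = skb->nf_bridge->physindev;
  if (physindev && in != physindev)
  printk("PHYSIN=%s ", physindev->name);
+ physoutdev = skb->nf_bridge->physoutdev;
  if (physoutdev && out != physoutdev)
  printk("PHYSOUT=%s ", physoutdev->name);
  }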
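diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index b5b216408ee7..846a0e727218 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -70,7 +70,7 @@ masquerade_target(struct sk_buff **pskb,
  enum ip_conntrack_info ctinfo;
  struct nf_nat_range newrange;
  const struct nf_nat_multi_range_compat *mr;
- struct rtable *rt;
+ const struct rtable *rt;
  __be32 newsrc;
 
  NF_CT_ASSERT(hooknum == NF_IP_POST_ROUTING);
@@ -112,7 +112,7 @@ masquerade_target(struct sk_buff **pskb,
 static inline int
 device_cmp(struct nf_conn *i, void *ifindex)
 {
- struct nf_conn_nat *nat = nfct_nat(i);
+ const struct nf_conn_nat *nat = nfct_nat(i);
  int ret;
 
  if (!nat)
@@ -129,7 +129,7 @@ static int masq_device_event(struct notifier_block *this,
  unsigned long event,
  void *ptr)
 {
- struct net_device *dev = ptr;
+ const struct net_device *dev = ptr;
 
  if (event == NETDEV_DOWN) {
  /* Device was downed. Search entire table for
@@ -147,7 +147,7 @@ static int masq_inet_event(struct notifier_block *this,
  unsigned long event,
  void *ptr)
 {
- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev;
+ const struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev;
 
  if (event == NETDEV_DOWN) {
  /* IP address was deleted. Search entire table for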
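Review bot: In masq_inet_event the new `const struct net_device *dev` is still reached through a non-const cast, `((struct in_ifaddr *)ptr)->ifa_dev->dev`, so the notifier payload is only nominally treated as read-only. Writing the cast as `((const struct in_ifaddr *)ptr)->ifa_dev->dev` keeps the whole expression const-correct and matches what the other three hunks in this file do. Only the first lines of the function are visible in the hunk.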
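diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 5c3270d325f3..90f7b7093785 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -122,7 +122,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
  tcph->check = 0;
  tcph->check = tcp_v4_check(sizeof(struct tcphdr),
  niph->saddr, niph->daddr,
- csum_partial((char *)tcph,
+ csum_partial(tcph,
  sizeof(struct tcphdr), 0));
 
  /* Set DF, id = 0 */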
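diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
index 96b6e3514c22..f53f2c4ca4a1 100644
--- a/net/ipv4/netfilter/ipt_TTL.c
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -68,7 +68,7 @@ static bool ipt_ttl_checkentry(const char *tablename,
  void *targinfo,
  unsigned int hook_mask)
 {
- struct ipt_TTL_info *info = targinfo;
+ const struct ipt_TTL_info *info = targinfo;
 
  if (info->mode > IPT_TTL_MAXMODE) {
  printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n",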
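diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index dfa7afd84763..282eb00fc471 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -334,7 +334,7 @@ static bool ipt_ulog_checkentry(const char *tablename,
  void *targinfo,
  unsigned int hookmask)
 {
- struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
+ const struct ipt_ulog_info *loginfo = targinfo;
 
  if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
  DEBUGP("ipt_ULOG: prefix term %i\n",
@@ -359,7 +359,7 @@ struct compat_ipt_ulog_info {
 
 static void compat_from_user(void *dst, void *src)
 {
- struct compat_ipt_ulog_info *cl = src;
+ const struct compat_ipt_ulog_info *cl = src;
  struct ipt_ulog_info l = {
  .nl_group = cl->nl_group,
  .copy_range = cl->copy_range,
@@ -372,7 +372,7 @@ static void compat_from_user(void *dst, void *src)
 
 static int compat_to_user(void __user *dst, void *src)
 {
- struct ipt_ulog_info *l = src;
+ const struct ipt_ulog_info *l = src;
  struct compat_ipt_ulog_info cl = {
  .nl_group = l->nl_group,
  .copy_range = l->copy_range,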
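diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 6b5b7c9f7392..49d503cbab09 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -46,7 +46,8 @@ match(const struct sk_buff *skb,
  unsigned int protoff,
  bool *hotdrop)
 {
- struct ip_auth_hdr _ahdr, *ah;
+ struct ip_auth_hdr _ahdr;
+ const struct ip_auth_hdr *ah;
  const struct ipt_ah *ahinfo = matchinfo;
 
  /* Must not be a fragment. */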
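diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index ba4f5497add3..3129e3106162 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -32,7 +32,8 @@ static inline bool match_tcp(const struct sk_buff *skb,
  const struct ipt_ecn_info *einfo,
  bool *hotdrop)
 {
- struct tcphdr _tcph, *th;
+ struct tcphdr _tcph;
+ const struct tcphdr *th;
 
  /* In practice, TCP match does this, so can't fail. But let's
  * be good citizens.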
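diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index d632e0e6ef16..d03e6a6eb767 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -323,7 +323,7 @@ struct recent_iter_state {
 static void *recent_seq_start(struct seq_file *seq, loff_t *pos)
 {
  struct recent_iter_state *st = seq->private;
- struct recent_table *t = st->table;
+ const struct recent_table *t = st->table;
  struct recent_entry *e;
  loff_t p = *pos;
 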
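diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index b1aa5983a95b..ef0a99e09fd1 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -190,7 +190,7 @@ nf_nat_mangle_tcp_packet(struct sk_buff **pskb,
  tcph->check = 0;
  tcph->check = tcp_v4_check(datalen,
  iph->saddr, iph->daddr,
- csum_partial((char *)tcph,
+ csum_partial(tcph,
  datalen, 0));
  }
  } else
@@ -278,7 +278,7 @@ nf_nat_mangle_udp_packet(struct sk_buff **pskb,
  udph->check = 0;
  udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr,
  datalen, IPPROTO_UDP,
- csum_partial((char *)udph,
+ csum_partial(udph,
  datalen, 0));
  if (!udph->check)
  udph->check = CSUM_MANGLED_0;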
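diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c
index 82966c09fd64..20047ff5492f 100644
--- a/net/ipv6/netfilter/ip6t_HL.c
+++ b/net/ipv6/netfilter/ip6t_HL.c
@@ -64,7 +64,7 @@ static bool ip6t_hl_checkentry(const char *tablename,
  void *targinfo,
  unsigned int hook_mask)
 {
- struct ip6t_HL_info *info = targinfo;
+ const struct ip6t_HL_info *info = targinfo;
 
  if (info->mode > IP6T_HL_MAXMODE) {
  printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n",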
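diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index aa4b9a14a11c..996168d2ca25 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -48,7 +48,8 @@ static void dump_packet(const struct nf_loginfo *info,
 {
  u_int8_t currenthdr;
  int fragment;
- struct ipv6hdr _ip6h, *ih;
+ struct ipv6hdr _ip6h;
+ const struct ipv6hdr *ih;
  unsigned int ptr;
  unsigned int hdrlen = 0;
  unsigned int logflags;
@@ -78,7 +79,8 @@ static void dump_packet(const struct nf_loginfo *info,
  ptr = ip6hoff + sizeof(struct ipv6hdr);
  currenthdr = ih->nexthdr;
  while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) {
- struct ipv6_opt_hdr _hdr, *hp;
+ struct ipv6_opt_hdr _hdr;
+ const struct ipv6_opt_hdr *hp;
 
  hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
  if (hp == NULL) {
@@ -92,7 +94,8 @@ static void dump_packet(const struct nf_loginfo *info,
 
  switch (currenthdr) {
  case IPPROTO_FRAGMENT: {
- struct frag_hdr _fhdr, *fh;
+ struct frag_hdr _fhdr;
+ const struct frag_hdr *fh;
 
  printk("FRAG:");
  fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
@@ -131,7 +134,8 @@ static void dump_packet(const struct nf_loginfo *info,
  /* Max Length */
  case IPPROTO_AH:
  if (logflags & IP6T_LOG_IPOPT) {
- struct ip_auth_hdr _ahdr, *ah;
+ struct ip_auth_hdr _ahdr;
+ const struct ip_auth_hdr *ah;
 
  /* Max length: 3 "AH " */
  printk("AH ");
@@ -162,7 +166,8 @@ static void dump_packet(const struct nf_loginfo *info,
  break;
  case IPPROTO_ESP:
  if (logflags & IP6T_LOG_IPOPT) {
- struct ip_esp_hdr _esph, *eh;
+ struct ip_esp_hdr _esph;
+ const struct ip_esp_hdr *eh;
 
  /* Max length: 4 "ESP " */
  printk("ESP ");
@@ -202,7 +207,8 @@ static void dump_packet(const struct nf_loginfo *info,
 
  switch (currenthdr) {
  case IPPROTO_TCP: {
- struct tcphdr _tcph, *th;
+ struct tcphdr _tcph;
+ const struct tcphdr *th;
 
  /* Max length: 10 "PROTO=TCP " */
  printk("PROTO=TCP ");
@@ -250,7 +256,8 @@ static void dump_packet(const struct nf_loginfo *info,
 
  if ((logflags & IP6T_LOG_TCPOPT)
  && th->doff * 4 > sizeof(struct tcphdr)) {
- u_int8_t _opt[60 - sizeof(struct tcphdr)], *op;
+ u_int8_t _opt[60 - sizeof(struct tcphdr)];
+ const u_int8_t *op;
  unsigned int i;
  unsigned int optsize = th->doff * 4
  - sizeof(struct tcphdr);
@@ -273,7 +280,8 @@ static void dump_packet(const struct nf_loginfo *info,
  }
  case IPPROTO_UDP:
  case IPPROTO_UDPLITE: {
- struct udphdr _udph, *uh;
+ struct udphdr _udph;
+ const struct udphdr *uh;
 
  if (currenthdr == IPPROTO_UDP)
  /* Max length: 10 "PROTO=UDP " */
@@ -298,7 +306,8 @@ static void dump_packet(const struct nf_loginfo *info,
  break;
  }
  case IPPROTO_ICMPV6: {
- struct icmp6hdr _icmp6h, *ic;
+ struct icmp6hdr _icmp6h;
+ const struct icmp6hdr *ic;
 
  /* Max length: 13 "PROTO=ICMPv6 " */
  printk("PROTO=ICMPv6 ");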
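diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 8639a0599bf5..4df07f0adf1d 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -159,7 +159,7 @@ static void send_reset(struct sk_buff *oldskb)
  tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr,
  &ipv6_hdr(nskb)->daddr,
  sizeof(struct tcphdr), IPPROTO_TCP,
- csum_partial((char *)tcph,
+ csum_partial(tcph,
  sizeof(struct tcphdr), 0));
 
  nf_ct_attach(nskb, oldskb);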
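diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index 8fc00bdfc38b..b4b1d282761c 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -51,7 +51,8 @@ match(const struct sk_buff *skb,
  unsigned int protoff,
  bool *hotdrop)
 {
- struct ip_auth_hdr *ah, _ah;
+ struct ip_auth_hdr _ah;
+ const struct ip_auth_hdr *ah;
  const struct ip6t_ah *ahinfo = matchinfo;
  unsigned int ptr;
  unsigned int hdrlen = 0;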
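diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index f0aed898e8b7..e0e416bb284a 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -50,7 +50,8 @@ match(const struct sk_buff *skb,
  unsigned int protoff,
  bool *hotdrop)
 {
- struct frag_hdr _frag, *fh;
+ struct frag_hdr _frag;
+ const struct frag_hdr *fh;
  const struct ip6t_frag *fraginfo = matchinfo;
  unsigned int ptr;
  int err;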
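diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index 6fdd79785f32..bbd2615ad2e1 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -57,14 +57,17 @@ match(const struct sk_buff *skb,
  unsigned int protoff,
  bool *hotdrop)
 {
- struct ipv6_opt_hdr _optsh, *oh;
+ struct ipv6_opt_hdr _optsh;
+ const struct ipv6_opt_hdr *oh;
  const struct ip6t_opts *optinfo = matchinfo;
  unsigned int temp;
  unsigned int ptr;
  unsigned int hdrlen = 0;
  bool ret = false;
- u8 _opttype, *tp = NULL;
- u8 _optlen, *lp = NULL;
+ u8 _opttype;
+ u8 _optlen;
+ const u_int8_t *tp = NULL;
+ const u_int8_t *lp = NULL;
  unsigned int optlen;
  int err;
 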
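Review bot: The split declarations in match() now spell the same type two ways: the local buffers are `u8 _opttype;` and `u8 _optlen;`, while the pointers declared next to them are `const u_int8_t *tp` and `const u_int8_t *lp`. Both names are 8-bit unsigned, so behaviour is unchanged, but pairing a buffer with a differently named pointer type makes the buffer/pointer relationship harder to audit in packet-parsing code. Use one spelling, e.g. `const u8 *tp = NULL;` and `const u8 *lp = NULL;`. The code that uses these variables lies outside the hunk.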
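diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index a3008b41d24b..e94fdd82f284 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -47,7 +47,8 @@ match(const struct sk_buff *skb,
  unsigned int protoff,
  bool *hotdrop)
 {
- struct ip6_mh _mh, *mh;
+ struct ip6_mh _mh;
+ const struct ip6_mh *mh;
  const struct ip6t_mh *mhinfo = matchinfo;
 
  /* Must not be a fragment. */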
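diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index e991ed4a692e..bc5ff4b1af39 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -52,13 +52,15 @@ match(const struct sk_buff *skb,
  unsigned int protoff,
  bool *hotdrop)
 {
- struct ipv6_rt_hdr _route, *rh;
+ struct ipv6_rt_hdr _route;
+ const struct ipv6_rt_hdr *rh;
  const struct ip6t_rt *rtinfo = matchinfo;
  unsigned int temp;
  unsigned int ptr;
  unsigned int hdrlen = 0;
  bool ret = false;
- struct in6_addr *ap, _addr;
+ struct in6_addr _addr;
+ const struct in6_addr *ap;
  int err;
 
  err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
@@ -100,9 +102,9 @@ match(const struct sk_buff *skb,
  !!(rtinfo->invflags & IP6T_RT_INV_LEN))));
  DEBUGP("res %02X %02X %02X ",
  (rtinfo->flags & IP6T_RT_RES),
- ((struct rt0_hdr *)rh)->reserved,
+ ((const struct rt0_hdr *)rh)->reserved,
  !((rtinfo->flags & IP6T_RT_RES) &&
- (((struct rt0_hdr *)rh)->reserved)));
+ (((const struct rt0_hdr *)rh)->reserved)));
 
  ret = (rh != NULL)
  &&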
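Review bot: The DEBUGP call in the second hunk casts rh to `const struct rt0_hdr *` and reads `->reserved`, although rh is declared as a pointer to `struct ipv6_rt_hdr` with `_route` as its local buffer. If rh was filled for only sizeof(_route) bytes (the call is outside the hunks), this debug read touches bytes that were never validated and can run past `_route` on the stack when the header was copied out. The same statement also dereferences rh before the `ret = (rh != NULL)` test that follows it. Adding const to the cast preserves the qualifier but not the bounds, so the debug line should print a value obtained through its own bounded read or drop the `reserved` arguments. DEBUGP is presumably compiled out in normal builds, which would limit this to debug kernels.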
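diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3aaabec70d19..381a77cf0c9e 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -231,13 +231,13 @@ void nf_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
 {
  __be32 diff[] = { ~from, to };
  if (skb->ip_summed != CHECKSUM_PARTIAL) {
- *sum = csum_fold(csum_partial((char *)diff, sizeof(diff),
+ *sum = csum_fold(csum_partial(diff, sizeof(diff),
  ~csum_unfold(*sum)));
  if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
- skb->csum = ~csum_partial((char *)diff, sizeof(diff),
+ skb->csum = ~csum_partial(diff, sizeof(diff),
  ~skb->csum);
  } else if (pseudohdr)
- *sum = ~csum_fold(csum_partial((char *)diff, sizeof(diff),
+ *sum = ~csum_fold(csum_partial(diff, sizeof(diff),
  csum_unfold(*sum)));
 }
 EXPORT_SYMBOL(nf_proto_csum_replace4);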
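diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index 4e8aa1b0cba2..4284a59b03e1 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -83,7 +83,7 @@ checkentry(const char *tablename,
  void *targinfo,
  unsigned int hook_mask)
 {
- struct xt_connmark_target_info *matchinfo = targinfo;
+ const struct xt_connmark_target_info *matchinfo = targinfo;
 
  if (nf_ct_l3proto_try_module_get(target->family) < 0) {
  printk(KERN_WARNING "can't load conntrack support for "
@@ -121,7 +121,7 @@ struct compat_xt_connmark_target_info {
 
 static void compat_from_user(void *dst, void *src)
 {
- struct compat_xt_connmark_target_info *cm = src;
+ const struct compat_xt_connmark_target_info *cm = src;
  struct xt_connmark_target_info m = {
  .mark = cm->mark,
  .mask = cm->mask,
@@ -132,7 +132,7 @@ static void compat_from_user(void *dst, void *src)
 
 static int compat_to_user(void __user *dst, void *src)
 {
- struct xt_connmark_target_info *m = src;
+ const struct xt_connmark_target_info *m = src;
  struct compat_xt_connmark_target_info cm = {
  .mark = m->mark,
  .mask = m->mask,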
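diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index ab2f0d016953..8d5e154013d6 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -33,7 +33,7 @@ MODULE_ALIAS("ip6t_CONNSECMARK");
  * If the packet has a security mark and the connection does not, copy
  * the security mark from the packet to the connection.
  */
-static void secmark_save(struct sk_buff *skb)
+static void secmark_save(const struct sk_buff *skb)
 {
  if (skb->secmark) {
  struct nf_conn *ct;
@@ -89,7 +89,7 @@ static bool checkentry(const char *tablename, const void *entry,
  const struct xt_target *target, void *targinfo,
  unsigned int hook_mask)
 {
- struct xt_connsecmark_target_info *info = targinfo;
+ const struct xt_connsecmark_target_info *info = targinfo;
 
  if (nf_ct_l3proto_try_module_get(target->family) < 0) {
  printk(KERN_WARNING "can't load conntrack support for "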
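Review bot: secmark_save() now takes `const struct sk_buff *skb`, yet its header comment says it copies the security mark from the packet to the connection and the body declares a non-const `struct nf_conn *ct`, so the function still writes to state reached through the skb. The qualifier is shallow, and a reader could mistake this for a side-effect-free helper when reasoning about where security marks get set. Extend the comment with a line such as `* Only the skb itself is read-only here; the attached conntrack entry is modified.` The rest of the body is outside the hunk.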
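diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index bd9cdf29cc3b..6b7369fc263f 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -72,7 +72,7 @@ checkentry_v0(const char *tablename,
  void *targinfo,
  unsigned int hook_mask)
 {
- struct xt_mark_target_info *markinfo = targinfo;
+ const struct xt_mark_target_info *markinfo = targinfo;
 
  if (markinfo->mark > 0xffffffff) {
  printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
@@ -88,7 +88,7 @@ checkentry_v1(const char *tablename,
  void *targinfo,
  unsigned int hook_mask)
 {
- struct xt_mark_target_info_v1 *markinfo = targinfo;
+ const struct xt_mark_target_info_v1 *markinfo = targinfo;
 
  if (markinfo->mode != XT_MARK_SET
  && markinfo->mode != XT_MARK_AND
@@ -114,7 +114,7 @@ struct compat_xt_mark_target_info_v1 {
 
 static void compat_from_user_v1(void *dst, void *src)
 {
- struct compat_xt_mark_target_info_v1 *cm = src;
+ const struct compat_xt_mark_target_info_v1 *cm = src;
  struct xt_mark_target_info_v1 m = {
  .mark = cm->mark,
  .mode = cm->mode,
@@ -124,7 +124,7 @@ static void compat_from_user_v1(void *dst, void *src)
 
 static int compat_to_user_v1(void __user *dst, void *src)
 {
- struct xt_mark_target_info_v1 *m = src;
+ const struct xt_mark_target_info_v1 *m = src;
  struct compat_xt_mark_target_info_v1 cm = {
  .mark = m->mark,
  .mode = m->mode,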
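diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index 0c6f2838cc98..20e55d588a3c 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -43,7 +43,7 @@ nflog_checkentry(const char *tablename, const void *entry,
  const struct xt_target *target, void *targetinfo,
  unsigned int hookmask)
 {
- struct xt_nflog_info *info = targetinfo;
+ const struct xt_nflog_info *info = targetinfo;
 
  if (info->flags & ~XT_NFLOG_MASK)
  return false;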
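diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 12541784109a..99c246e45c42 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -26,7 +26,7 @@ match(const struct sk_buff *skb,
  bool *hotdrop)
 {
  const struct xt_connbytes_info *sinfo = matchinfo;
- struct nf_conn *ct;
+ const struct nf_conn *ct;
  enum ip_conntrack_info ctinfo;
  u_int64_t what = 0; /* initialize to make gcc happy */
  u_int64_t bytes = 0;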
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 94d5251b3d88..71f3c1a5d5e5 100644
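--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -41,7 +41,7 @@ match(const struct sk_buff *skb,
  bool *hotdrop)
 {
  const struct xt_connmark_info *info = matchinfo;
- struct nf_conn *ct;
+ const struct nf_conn *ct;
  enum ip_conntrack_info ctinfo;
 
  ct = nf_ct_get(skb, &ctinfo);
@@ -58,7 +58,7 @@ checkentry(const char *tablename,
  void *matchinfo,
  unsigned int hook_mask)
 {
- struct xt_connmark_info *cm = matchinfo;
+ const struct xt_connmark_info *cm = matchinfo;
 
  if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
  printk(KERN_WARNING "connmark: only support 32bit mark\n");
@@ -88,7 +88,7 @@ struct compat_xt_connmark_info {
 
 static void compat_from_user(void *dst, void *src)
 {
- struct compat_xt_connmark_info *cm = src;
+ const struct compat_xt_connmark_info *cm = src;
  struct xt_connmark_info m = {
  .mark = cm->mark,
  .mask = cm->mask,
@@ -99,7 +99,7 @@ static void compat_from_user(void *dst, void *src)
 
 static int compat_to_user(void __user *dst, void *src)
 {
- struct xt_connmark_info *m = src;
+ const struct xt_connmark_info *m = src;
  struct compat_xt_connmark_info cm = {
  .mark = m->mark,
  .mask = m->mask,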
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 87364f58a4b9..9e3ec31f2016 100644
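--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -30,11 +30,11 @@ match(const struct sk_buff *skb,
  bool *hotdrop)
 {
  const struct xt_conntrack_info *sinfo = matchinfo;
- struct nf_conn *ct;
+ const struct nf_conn *ct;
  enum ip_conntrack_info ctinfo;
  unsigned int statebit;
 
- ct = nf_ct_get((struct sk_buff *)skb, &ctinfo);
+ ct = nf_ct_get(skb, &ctinfo);
 
 #define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
 
@@ -150,7 +150,7 @@ struct compat_xt_conntrack_info
 
 static void compat_from_user(void *dst, void *src)
 {
- struct compat_xt_conntrack_info *cm = src;
+ const struct compat_xt_conntrack_info *cm = src;
  struct xt_conntrack_info m = {
  .statemask = cm->statemask,
  .statusmask = cm->statusmask,
@@ -167,7 +167,7 @@ static void compat_from_user(void *dst, void *src)
 
 static int compat_to_user(void __user *dst, void *src)
 {
- struct xt_conntrack_info *m = src;
+ const struct xt_conntrack_info *m = src;
  struct compat_xt_conntrack_info cm = {
  .statemask = m->statemask,
  .statusmask = m->statusmask,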
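Review bot: The `FWINV` macro at line 39 of the first hunk names its first parameter `bool`, which reads like the `bool` type this function already uses for `bool *hotdrop`, and it expands `invflg` without parentheses. Renaming and parenthesising keeps the inversion logic unambiguous when a compound flag expression is passed: `#define FWINV(cond, invflg) ((cond) ^ !!(sinfo->invflags & (invflg)))`. The macro is defined inside `match`, whose body continues outside the hunk, so whether it is `#undef`'d afterwards cannot be seen here.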
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 24895902cfe0..1b77c5bcb348 100644
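--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -39,7 +39,7 @@ dccp_find_option(u_int8_t option,
  bool *hotdrop)
 {
  /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
- unsigned char *op;
+ const unsigned char *op;
  unsigned int optoff = __dccp_hdr_len(dh);
  unsigned int optlen = dh->dccph_doff*4 - __dccp_hdr_len(dh);
  unsigned int i;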
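Review bot: `optlen` at line 44 is an unsigned subtraction, so a packet whose `dccph_doff*4` is smaller than `__dccp_hdr_len(dh)` would wrap it to a very large length before the option walk. `dccp_find_option` continues outside the hunk, so a guard may already follow; if it does not, a check such as `if (dh->dccph_doff * 4 < __dccp_hdr_len(dh))` that rejects the packet is needed before `optlen` is used. The comment on line 41 also still talks about `tcp.doff` while the code reads `dh->dccph_doff`, so the size bound it states should be re-derived for the DCCP header field.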
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index a1b5996447dd..deb5890aa3ac 100644
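--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -95,7 +95,7 @@ static HLIST_HEAD(hashlimit_htables);
 static struct kmem_cache *hashlimit_cachep __read_mostly;
 
 static inline bool dst_cmp(const struct dsthash_ent *ent,
- struct dsthash_dst *b)
+ const struct dsthash_dst *b)
 {
  return !memcmp(&ent->dst, b, sizeof(ent->dst));
 }
@@ -107,7 +107,8 @@ hash_dst(const struct xt_hashlimit_htable *ht, const struct dsthash_dst *dst)
 }
 
 static struct dsthash_ent *
-dsthash_find(const struct xt_hashlimit_htable *ht, struct dsthash_dst *dst)
+dsthash_find(const struct xt_hashlimit_htable *ht,
+ const struct dsthash_dst *dst)
 {
  struct dsthash_ent *ent;
  struct hlist_node *pos;
@@ -123,7 +124,8 @@ dsthash_find(const struct xt_hashlimit_htable *ht, struct dsthash_dst *dst)
 
 /* allocate dsthash_ent, initialize dst, put in htable and lock it */
 static struct dsthash_ent *
-dsthash_alloc_init(struct xt_hashlimit_htable *ht, struct dsthash_dst *dst)
+dsthash_alloc_init(struct xt_hashlimit_htable *ht,
+ const struct dsthash_dst *dst)
 {
  struct dsthash_ent *ent;
 
@@ -228,19 +230,21 @@ static int htable_create(struct xt_hashlimit_info *minfo, int family)
  return 0;
 }
 
-static bool select_all(struct xt_hashlimit_htable *ht, struct dsthash_ent *he)
+static bool select_all(const struct xt_hashlimit_htable *ht,
+ const struct dsthash_ent *he)
 {
  return 1;
 }
 
-static bool select_gc(struct xt_hashlimit_htable *ht, struct dsthash_ent *he)
+static bool select_gc(const struct xt_hashlimit_htable *ht,
+ const struct dsthash_ent *he)
 {
  return (jiffies >= he->expires);
 }
 
 static void htable_selective_cleanup(struct xt_hashlimit_htable *ht,
- bool (*select)(struct xt_hashlimit_htable *ht,
- struct dsthash_ent *he))
+ bool (*select)(const struct xt_hashlimit_htable *ht,
+ const struct dsthash_ent *he))
 {
  unsigned int i;
 
@@ -283,7 +287,8 @@ static void htable_destroy(struct xt_hashlimit_htable *hinfo)
  vfree(hinfo);
 }
 
-static struct xt_hashlimit_htable *htable_find_get(char *name, int family)
+static struct xt_hashlimit_htable *htable_find_get(const char *name,
+ int family)
 {
  struct xt_hashlimit_htable *hinfo;
  struct hlist_node *pos;
@@ -368,7 +373,8 @@ static inline void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now)
 }
 
 static int
-hashlimit_init_dst(struct xt_hashlimit_htable *hinfo, struct dsthash_dst *dst,
+hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
+ struct dsthash_dst *dst,
  const struct sk_buff *skb, unsigned int protoff)
 {
  __be16 _ports[2], *ports;
@@ -443,8 +449,8 @@ hashlimit_match(const struct sk_buff *skb,
  unsigned int protoff,
  bool *hotdrop)
 {
- struct xt_hashlimit_info *r =
- ((struct xt_hashlimit_info *)matchinfo)->u.master;
+ const struct xt_hashlimit_info *r =
+ ((const struct xt_hashlimit_info *)matchinfo)->u.master;
  struct xt_hashlimit_htable *hinfo = r->hinfo;
  unsigned long now = jiffies;
  struct dsthash_ent *dh;
@@ -543,7 +549,7 @@ hashlimit_checkentry(const char *tablename,
 static void
 hashlimit_destroy(const struct xt_match *match, void *matchinfo)
 {
- struct xt_hashlimit_info *r = matchinfo;
+ const struct xt_hashlimit_info *r = matchinfo;
 
  htable_put(r->hinfo);
 }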
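Review bot: `select_gc` in the `@@ -228,19 +230,21 @@` hunk still compares `jiffies >= he->expires` directly, which gives the wrong answer when the jiffies counter wraps, so entries of this rate limiter could be collected early or kept past their expiry around a wrap. Assuming `expires` is an `unsigned long` (its declaration is not in the hunk), the wrap-safe helper fits: `return time_after_eq(jiffies, he->expires);`. In the same hunk `select_all` returns `1` from a function typed `bool`; `return true;` would match the signature.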
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index a2688b807a99..047d0046b28c 100644
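--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -39,12 +39,12 @@ match(const struct sk_buff *skb,
  bool *hotdrop)
 {
  const struct xt_helper_info *info = matchinfo;
- struct nf_conn *ct;
- struct nf_conn_help *master_help;
+ const struct nf_conn *ct;
+ const struct nf_conn_help *master_help;
  enum ip_conntrack_info ctinfo;
  bool ret = info->invert;
 
- ct = nf_ct_get((struct sk_buff *)skb, &ctinfo);
+ ct = nf_ct_get(skb, &ctinfo);
  if (!ct) {
  DEBUGP("xt_helper: Eek! invalid conntrack?\n");
  return ret;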
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 2717aa65246a..b042419462af 100644
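--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -67,7 +67,8 @@ ipt_limit_match(const struct sk_buff *skb,
  unsigned int protoff,
  bool *hotdrop)
 {
- struct xt_rateinfo *r = ((struct xt_rateinfo *)matchinfo)->master;
+ struct xt_rateinfo *r =
+ ((const struct xt_rateinfo *)matchinfo)->master;
  unsigned long now = jiffies;
 
  spin_lock_bh(&limit_lock);
@@ -144,7 +145,7 @@ struct compat_xt_rateinfo {
  * master pointer, which does not need to be preserved. */
 static void compat_from_user(void *dst, void *src)
 {
- struct compat_xt_rateinfo *cm = src;
+ const struct compat_xt_rateinfo *cm = src;
  struct xt_rateinfo m = {
  .avg = cm->avg,
  .burst = cm->burst,
@@ -158,7 +159,7 @@ static void compat_from_user(void *dst, void *src)
 
 static int compat_to_user(void __user *dst, void *src)
 {
- struct xt_rateinfo *m = src;
+ const struct xt_rateinfo *m = src;
  struct compat_xt_rateinfo cm = {
  .avg = m->avg,
  .burst = m->burst,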
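Review bot: In `ipt_limit_match` the new cast treats `matchinfo` as const while `r` stays a writable pointer obtained through `->master`, and nothing in the hunk says why. A short comment would keep a later cleanup from const-ifying it or from touching it outside the lock, for example `/* r is writable on purpose: shared limiter state behind ->master, only modified under limit_lock */` (presumably the state is updated below; the body continues outside the hunk). The same pattern without a comment appears in `match` in xt_quota.c with `q` and `quota_lock`, where `q->flags` is also read at line 27 before `spin_lock_bh(&quota_lock)`; that ordering is worth confirming as intentional.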
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 83ed806764b4..b8ab79452f08 100644
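--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -60,7 +60,7 @@ struct compat_xt_mark_info {
 
 static void compat_from_user(void *dst, void *src)
 {
- struct compat_xt_mark_info *cm = src;
+ const struct compat_xt_mark_info *cm = src;
  struct xt_mark_info m = {
  .mark = cm->mark,
  .mask = cm->mask,
@@ -71,7 +71,7 @@ static void compat_from_user(void *dst, void *src)
 
 static int compat_to_user(void __user *dst, void *src)
 {
- struct xt_mark_info *m = src;
+ const struct xt_mark_info *m = src;
  struct compat_xt_mark_info cm = {
  .mark = m->mark,
  .mask = m->mask,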
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 34f0d3e44ea7..467b2dcf7e6b 100644
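--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -36,7 +36,7 @@ match(const struct sk_buff *skb,
  const struct xt_physdev_info *info = matchinfo;
  bool ret;
  const char *indev, *outdev;
- struct nf_bridge_info *nf_bridge;
+ const struct nf_bridge_info *nf_bridge;
 
  /* Not a bridged IP packet or no info available yet:
  * LOCAL_OUT/mangle and LOCAL_OUT/nat don't know if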
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 1534de55cdb6..5ab6d71f8d05 100644
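--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -34,7 +34,7 @@ xt_addr_cmp(const union xt_policy_addr *a1, const union xt_policy_addr *m,
 }
 
 static inline bool
-match_xfrm_state(struct xfrm_state *x, const struct xt_policy_elem *e,
+match_xfrm_state(const struct xfrm_state *x, const struct xt_policy_elem *e,
  unsigned short family)
 {
 #define MATCH_ADDR(x,y,z) (!e->match.x || \
@@ -55,7 +55,7 @@ match_policy_in(const struct sk_buff *skb, const struct xt_policy_info *info,
  unsigned short family)
 {
  const struct xt_policy_elem *e;
- struct sec_path *sp = skb->sp;
+ const struct sec_path *sp = skb->sp;
  int strict = info->flags & XT_POLICY_MATCH_STRICT;
  int i, pos;
 
@@ -85,7 +85,7 @@ match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
  unsigned short family)
 {
  const struct xt_policy_elem *e;
- struct dst_entry *dst = skb->dst;
+ const struct dst_entry *dst = skb->dst;
  int strict = info->flags & XT_POLICY_MATCH_STRICT;
  int i, pos;
 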
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index e13d62a8caba..feb130d14f2c 100644
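--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -22,7 +22,8 @@ match(const struct sk_buff *skb,
  const struct xt_match *match, const void *matchinfo,
  int offset, unsigned int protoff, bool *hotdrop)
 {
- struct xt_quota_info *q = ((struct xt_quota_info *)matchinfo)->master;
+ struct xt_quota_info *q =
+ ((const struct xt_quota_info *)matchinfo)->master;
  bool ret = q->flags & XT_QUOTA_INVERT;
 
  spin_lock_bh(&quota_lock);
@@ -43,7 +44,7 @@ checkentry(const char *tablename, const void *entry,
  const struct xt_match *match, void *matchinfo,
  unsigned int hook_mask)
 {
- struct xt_quota_info *q = (struct xt_quota_info *)matchinfo;
+ struct xt_quota_info *q = matchinfo;
 
  if (q->flags & ~XT_QUOTA_MASK)
  return false;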
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index ad82c132694c..44b807d279ad 100644
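--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -32,7 +32,7 @@ match(const struct sk_buff *skb,
  bool *hotdrop)
 {
  const struct xt_realm_info *info = matchinfo;
- struct dst_entry *dst = skb->dst;
+ const struct dst_entry *dst = skb->dst;
 
  return (info->id == (dst->tclassid & info->mask)) ^ info->invert;
 }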
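Review bot: `dst` is dereferenced at line 37 (`dst->tclassid`) with no NULL check on `skb->dst`. If the match registration elsewhere in this file limits it to hooks where the packet already carries a route, that assumption should be written next to the dereference, e.g. `/* skb->dst is always set here: match is limited to hooks that run after routing */`. If no such restriction exists, the function needs a guard that returns before line 37 when `dst` is NULL. The start of `match` is outside the hunk.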
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 0af42892e9dc..3da4978287f3 100644
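--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -57,7 +57,7 @@ checkentry(const char *tablename, const void *entry,
  const struct xt_match *match, void *matchinfo,
  unsigned int hook_mask)
 {
- struct xt_statistic_info *info = (struct xt_statistic_info *)matchinfo;
+ struct xt_statistic_info *info = matchinfo;
 
  if (info->mode > XT_STATISTIC_MODE_MAX ||
  info->flags & ~XT_STATISTIC_MASK)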