aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--net/ipv4/netfilter/ip_tables.c13
-rw-r--r--net/ipv6/netfilter/ip6_tables.c13
2 files changed, 17 insertions, 9 deletions
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index d91ecd4c264e..7b35c0b3841b 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -311,6 +311,8 @@ ipt_do_table(struct sk_buff *skb,
311 const struct net_device *out, 311 const struct net_device *out,
312 struct xt_table *table) 312 struct xt_table *table)
313{ 313{
314#define tb_comefrom ((struct ipt_entry *)table_base)->comefrom
315
314 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 316 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
315 const struct iphdr *ip; 317 const struct iphdr *ip;
316 u_int16_t datalen; 318 u_int16_t datalen;
@@ -409,18 +411,19 @@ ipt_do_table(struct sk_buff *skb,
409 abs. verdicts */ 411 abs. verdicts */
410 tgpar.target = t->u.kernel.target; 412 tgpar.target = t->u.kernel.target;
411 tgpar.targinfo = t->data; 413 tgpar.targinfo = t->data;
414
415
412#ifdef CONFIG_NETFILTER_DEBUG 416#ifdef CONFIG_NETFILTER_DEBUG
413 ((struct ipt_entry *)table_base)->comefrom = 0xeeeeeeec; 417 tb_comefrom = 0xeeeeeeec;
414#endif 418#endif
415 verdict = t->u.kernel.target->target(skb, &tgpar); 419 verdict = t->u.kernel.target->target(skb, &tgpar);
416#ifdef CONFIG_NETFILTER_DEBUG 420#ifdef CONFIG_NETFILTER_DEBUG
417 if (((struct ipt_entry *)table_base)->comefrom != 0xeeeeeeec && 421 if (comefrom != 0xeeeeeeec && verdict == IPT_CONTINUE) {
418 verdict == IPT_CONTINUE) {
419 printk("Target %s reentered!\n", 422 printk("Target %s reentered!\n",
420 t->u.kernel.target->name); 423 t->u.kernel.target->name);
421 verdict = NF_DROP; 424 verdict = NF_DROP;
422 } 425 }
423 ((struct ipt_entry *)table_base)->comefrom = 0x57acc001; 426 tb_comefrom = 0x57acc001;
424#endif 427#endif
425 /* Target might have changed stuff. */ 428 /* Target might have changed stuff. */
426 ip = ip_hdr(skb); 429 ip = ip_hdr(skb);
@@ -441,6 +444,8 @@ ipt_do_table(struct sk_buff *skb,
441 return NF_DROP; 444 return NF_DROP;
442 else return verdict; 445 else return verdict;
443#endif 446#endif
447
448#undef tb_comefrom
444} 449}
445 450
446/* Figures out from what hook each rule can be called: returns 0 if 451/* Figures out from what hook each rule can be called: returns 0 if
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 5a178be6c8cc..5164e0bf3bcc 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -343,6 +343,8 @@ ip6t_do_table(struct sk_buff *skb,
343 const struct net_device *out, 343 const struct net_device *out,
344 struct xt_table *table) 344 struct xt_table *table)
345{ 345{
346#define tb_comefrom ((struct ip6t_entry *)table_base)->comefrom
347
346 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 348 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
347 bool hotdrop = false; 349 bool hotdrop = false;
348 /* Initializing verdict to NF_DROP keeps gcc happy. */ 350 /* Initializing verdict to NF_DROP keeps gcc happy. */
@@ -440,18 +442,17 @@ ip6t_do_table(struct sk_buff *skb,
440 tgpar.targinfo = t->data; 442 tgpar.targinfo = t->data;
441 443
442#ifdef CONFIG_NETFILTER_DEBUG 444#ifdef CONFIG_NETFILTER_DEBUG
443 ((struct ip6t_entry *)table_base)->comefrom = 0xeeeeeeec; 445 tb_comefrom = 0xeeeeeeec;
444#endif 446#endif
445 verdict = t->u.kernel.target->target(skb, &tgpar); 447 verdict = t->u.kernel.target->target(skb, &tgpar);
446 448
447#ifdef CONFIG_NETFILTER_DEBUG 449#ifdef CONFIG_NETFILTER_DEBUG
448 if (((struct ip6t_entry *)table_base)->comefrom != 0xeeeeeeec && 450 if (tb_comefrom != 0xeeeeeeec && verdict == IP6T_CONTINUE) {
449 verdict == IP6T_CONTINUE) {
450 printk("Target %s reentered!\n", 451 printk("Target %s reentered!\n",
451 t->u.kernel.target->name); 452 t->u.kernel.target->name);
452 verdict = NF_DROP; 453 verdict = NF_DROP;
453 } 454 }
454 ((struct ip6t_entry *)table_base)->comefrom = 0x57acc001; 455 tb_comefrom = 0x57acc001;
455#endif 456#endif
456 if (verdict == IP6T_CONTINUE) 457 if (verdict == IP6T_CONTINUE)
457 e = ip6t_next_entry(e); 458 e = ip6t_next_entry(e);
@@ -461,7 +462,7 @@ ip6t_do_table(struct sk_buff *skb,
461 } while (!hotdrop); 462 } while (!hotdrop);
462 463
463#ifdef CONFIG_NETFILTER_DEBUG 464#ifdef CONFIG_NETFILTER_DEBUG
464 ((struct ip6t_entry *)table_base)->comefrom = NETFILTER_LINK_POISON; 465 tb_comefrom = NETFILTER_LINK_POISON;
465#endif 466#endif
466 xt_info_rdunlock_bh(); 467 xt_info_rdunlock_bh();
467 468
@@ -472,6 +473,8 @@ ip6t_do_table(struct sk_buff *skb,
472 return NF_DROP; 473 return NF_DROP;
473 else return verdict; 474 else return verdict;
474#endif 475#endif
476
477#undef tb_comefrom
475} 478}
476 479
477/* Figures out from what hook each rule can be called: returns 0 if 480/* Figures out from what hook each rule can be called: returns 0 if