-rw-r--r--include/linux/netfilter/x_tables.h4
-rw-r--r--net/ipv4/netfilter/arp_tables.c31
-rw-r--r--net/ipv4/netfilter/arpt_mangle.c2
-rw-r--r--net/ipv4/netfilter/ip_tables.c31
-rw-r--r--net/ipv6/netfilter/ip6_tables.c29
-rw-r--r--net/netfilter/x_tables.c18
6 files changed, 59 insertions, 56 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b2c62cc618f5..2326296b6f25 100644
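--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -430,13 +430,13 @@ extern int xt_compat_add_offset(int af, unsigned int offset, short delta);
 extern void xt_compat_flush_offsets(int af);
 extern short xt_compat_calc_jump(int af, unsigned int offset);
 
-extern int xt_compat_match_offset(struct xt_match *match);
+extern int xt_compat_match_offset(const struct xt_match *match);
 extern int xt_compat_match_from_user(struct xt_entry_match *m,
  void **dstptr, unsigned int *size);
 extern int xt_compat_match_to_user(struct xt_entry_match *m,
  void __user **dstptr, unsigned int *size);
 
-extern int xt_compat_target_offset(struct xt_target *target);
+extern int xt_compat_target_offset(const struct xt_target *target);
 extern void xt_compat_target_from_user(struct xt_entry_target *t,
  void **dstptr, unsigned int *size);
 extern int xt_compat_target_to_user(struct xt_entry_target *t,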
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 1563f29b5117..10cc442330c3 100644
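--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -59,7 +59,7 @@ do { \
 #endif
 
 static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
- char *hdr_addr, int len)
+ const char *hdr_addr, int len)
 {
  int i, ret;
 
@@ -80,8 +80,8 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
  const char *outdev,
  const struct arpt_arp *arpinfo)
 {
- char *arpptr = (char *)(arphdr + 1);
- char *src_devaddr, *tgt_devaddr;
+ const char *arpptr = (char *)(arphdr + 1);
+ const char *src_devaddr, *tgt_devaddr;
  __be32 src_ipaddr, tgt_ipaddr;
  int i, ret;
 
@@ -226,12 +226,12 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 {
  static const char nulldevname[IFNAMSIZ];
  unsigned int verdict = NF_DROP;
- struct arphdr *arp;
+ const struct arphdr *arp;
  bool hotdrop = false;
  struct arpt_entry *e, *back;
  const char *indev, *outdev;
  void *table_base;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
 
  if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
  return NF_DROP;
@@ -352,7 +352,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
  e->counters.pcnt = pos;
 
  for (;;) {
- struct arpt_standard_target *t
+ const struct arpt_standard_target *t
  = (void *)arpt_get_target(e);
  int visited = e->comefrom & (1 << hook);
 
@@ -437,7 +437,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
 
 static inline int check_entry(struct arpt_entry *e, const char *name)
 {
- struct arpt_entry_target *t;
+ const struct arpt_entry_target *t;
 
  if (!arp_checkentry(&e->arp)) {
  duprintf("arp_tables: arp check failed %p %s.\n", e, name);
@@ -710,7 +710,7 @@ static inline struct xt_counters *alloc_counters(struct arpt_table *table)
 {
  unsigned int countersize;
  struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
 
  /* We need atomic snapshot of counters: rest doesn't change
  * (other than comefrom, which userspace doesn't care
@@ -737,7 +737,7 @@ static int copy_entries_to_user(unsigned int total_size,
  unsigned int off, num;
  struct arpt_entry *e;
  struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
  int ret = 0;
  void *loc_cpu_entry;
 
@@ -872,7 +872,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
  "arptable_%s", name);
  if (t && !IS_ERR(t)) {
  struct arpt_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
 
 #ifdef CONFIG_COMPAT
  if (compat) {
@@ -927,7 +927,8 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
 
  t = xt_find_table_lock(net, NF_ARP, get.name);
  if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
+
  duprintf("t->private->number = %u\n",
  private->number);
  if (get.size == private->size)
@@ -1087,11 +1088,11 @@ static int do_add_counters(struct net *net, void __user *user, unsigned int len,
  struct xt_counters_info tmp;
  struct xt_counters *paddc;
  unsigned int num_counters;
- char *name;
+ const char *name;
  int size;
  void *ptmp;
  struct arpt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
  int ret = 0;
  void *loc_cpu_entry;
 #ifdef CONFIG_COMPAT
@@ -1558,7 +1559,7 @@ static int compat_copy_entries_to_user(unsigned int total_size,
  void __user *userptr)
 {
  struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
  void __user *pos;
  unsigned int size;
  int ret = 0;
@@ -1609,7 +1610,7 @@ static int compat_get_entries(struct net *net,
  xt_compat_lock(NF_ARP);
  t = xt_find_table_lock(net, NF_ARP, get.name);
  if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
  struct xt_table_info info;
 
  duprintf("t->private->number = %u\n", private->number);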
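Review bot: In arp_packet_match() the new declaration `const char *arpptr = (char *)(arphdr + 1);` still casts through plain `char *`, so the const on `arphdr` is dropped by the cast and only re-added by the assignment. Writing the cast as `(const char *)(arphdr + 1)` keeps the qualifier intact end to end, so a later edit cannot quietly gain a writable alias to the packet header from this expression. The function body continues outside the hunk.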
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 3f4222b0a803..3e732c827fc2 100644
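--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -15,7 +15,7 @@ target(struct sk_buff *skb,
  const void *targinfo)
 {
  const struct arpt_mangle *mangle = targinfo;
- struct arphdr *arp;
+ const struct arphdr *arp;
  unsigned char *arpptr;
  int pln, hln;
 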
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index a819d191e1aa..aa124b50cb4a 100644
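--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -296,7 +296,7 @@ static void trace_packet(struct sk_buff *skb,
  struct ipt_entry *e)
 {
  void *table_base;
- struct ipt_entry *root;
+ const struct ipt_entry *root;
  char *hookname, *chainname, *comment;
  unsigned int rulenum = 0;
 
@@ -327,7 +327,7 @@ ipt_do_table(struct sk_buff *skb,
 {
  static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
  u_int16_t offset;
- struct iphdr *ip;
+ const struct iphdr *ip;
  u_int16_t datalen;
  bool hotdrop = false;
  /* Initializing verdict to NF_DROP keeps gcc happy. */
@@ -926,7 +926,7 @@ static struct xt_counters * alloc_counters(struct xt_table *table)
 {
  unsigned int countersize;
  struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
 
  /* We need atomic snapshot of counters: rest doesn't change
  (other than comefrom, which userspace doesn't care
@@ -953,9 +953,9 @@ copy_entries_to_user(unsigned int total_size,
  unsigned int off, num;
  struct ipt_entry *e;
  struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
  int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
 
  counters = alloc_counters(table);
  if (IS_ERR(counters))
@@ -975,8 +975,8 @@ copy_entries_to_user(unsigned int total_size,
  /* ... then go back and fix counters and names */
  for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
  unsigned int i;
- struct ipt_entry_match *m;
- struct ipt_entry_target *t;
+ const struct ipt_entry_match *m;
+ const struct ipt_entry_target *t;
 
  e = (struct ipt_entry *)(loc_cpu_entry + off);
  if (copy_to_user(userptr + off
@@ -1116,7 +1116,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
  "iptable_%s", name);
  if (t && !IS_ERR(t)) {
  struct ipt_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
 
 #ifdef CONFIG_COMPAT
  if (compat) {
@@ -1172,7 +1172,7 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len)
 
  t = xt_find_table_lock(net, AF_INET, get.name);
  if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
  duprintf("t->private->number = %u\n", private->number);
  if (get.size == private->size)
  ret = copy_entries_to_user(private->size,
@@ -1337,11 +1337,11 @@ do_add_counters(struct net *net, void __user *user, unsigned int len, int compat
  struct xt_counters_info tmp;
  struct xt_counters *paddc;
  unsigned int num_counters;
- char *name;
+ const char *name;
  int size;
  void *ptmp;
  struct xt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
  int ret = 0;
  void *loc_cpu_entry;
 #ifdef CONFIG_COMPAT
@@ -1878,11 +1878,11 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
  void __user *userptr)
 {
  struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
  void __user *pos;
  unsigned int size;
  int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
  unsigned int i = 0;
 
  counters = alloc_counters(table);
@@ -1929,7 +1929,7 @@ compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
  xt_compat_lock(AF_INET);
  t = xt_find_table_lock(net, AF_INET, get.name);
  if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
  struct xt_table_info info;
  duprintf("t->private->number = %u\n", private->number);
  ret = compat_table_info(private, &info);
@@ -2130,7 +2130,8 @@ icmp_match(const struct sk_buff *skb,
  unsigned int protoff,
  bool *hotdrop)
 {
- struct icmphdr _icmph, *ic;
+ const struct icmphdr *ic;
+ struct icmphdr _icmph;
  const struct ipt_icmp *icmpinfo = matchinfo;
 
  /* Must not be a fragment. */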
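Review bot: In copy_entries_to_user() the loop line `e = (struct ipt_entry *)(loc_cpu_entry + off);` casts away the const this commit adds to `loc_cpu_entry`, and `e` itself stays `struct ipt_entry *`. If the loop only reads the entry, as the visible `copy_to_user()` call and `off += e->next_offset` suggest, declare `const struct ipt_entry *e;` and cast to `(const struct ipt_entry *)` so the compiler enforces the read-only intent while walking the ruleset blob. The same cast appears in copy_entries_to_user() in net/ipv6/netfilter/ip6_tables.c. The loop body continues outside the hunk.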
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 70ef0d276cc0..782183f63366 100644
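--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -325,7 +325,7 @@ static void trace_packet(struct sk_buff *skb,
  struct ip6t_entry *e)
 {
  void *table_base;
- struct ip6t_entry *root;
+ const struct ip6t_entry *root;
  char *hookname, *chainname, *comment;
  unsigned int rulenum = 0;
 
@@ -952,7 +952,7 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
 {
  unsigned int countersize;
  struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
 
  /* We need atomic snapshot of counters: rest doesn't change
  (other than comefrom, which userspace doesn't care
@@ -979,9 +979,9 @@ copy_entries_to_user(unsigned int total_size,
  unsigned int off, num;
  struct ip6t_entry *e;
  struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
  int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
 
  counters = alloc_counters(table);
  if (IS_ERR(counters))
@@ -1001,8 +1001,8 @@ copy_entries_to_user(unsigned int total_size,
  /* ... then go back and fix counters and names */
  for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
  unsigned int i;
- struct ip6t_entry_match *m;
- struct ip6t_entry_target *t;
+ const struct ip6t_entry_match *m;
+ const struct ip6t_entry_target *t;
 
  e = (struct ip6t_entry *)(loc_cpu_entry + off);
  if (copy_to_user(userptr + off
@@ -1142,7 +1142,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
  "ip6table_%s", name);
  if (t && !IS_ERR(t)) {
  struct ip6t_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
 
 #ifdef CONFIG_COMPAT
  if (compat) {
@@ -1225,7 +1225,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
  struct xt_table *t;
  struct xt_table_info *oldinfo;
  struct xt_counters *counters;
- void *loc_cpu_old_entry;
+ const void *loc_cpu_old_entry;
 
  ret = 0;
  counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
@@ -1369,9 +1369,9 @@ do_add_counters(struct net *net, void __user *user, unsigned int len,
  int size;
  void *ptmp;
  struct xt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
  int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
 #ifdef CONFIG_COMPAT
  struct compat_xt_counters_info compat_tmp;
 
@@ -1905,11 +1905,11 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
  void __user *userptr)
 {
  struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
  void __user *pos;
  unsigned int size;
  int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
  unsigned int i = 0;
 
  counters = alloc_counters(table);
@@ -1956,7 +1956,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
  xt_compat_lock(AF_INET6);
  t = xt_find_table_lock(net, AF_INET6, get.name);
  if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
  struct xt_table_info info;
  duprintf("t->private->number = %u\n", private->number);
  ret = compat_table_info(private, &info);
@@ -2155,7 +2155,8 @@ icmp6_match(const struct sk_buff *skb,
  unsigned int protoff,
  bool *hotdrop)
 {
- struct icmp6hdr _icmph, *ic;
+ const struct icmp6hdr *ic;
+ struct icmp6hdr _icmph;
  const struct ip6t_icmp *icmpinfo = matchinfo;
 
  /* Must not be a fragment. */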
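Review bot: do_add_counters() gets `const void *loc_cpu_entry;` in this file, while the same function in ip_tables.c and arp_tables.c keeps `void *loc_cpu_entry;` in this commit. Judging by its name the function updates per-entry counters, presumably through this pointer, so the qualifier would only compile because a cast or iterator macro outside the hunk drops it again; that makes the const misleading rather than protective. Either leave it as `void *loc_cpu_entry;` to match the two sibling files, or confirm nothing is written through it and constify all three alike. The function body continues outside the hunk.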
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 0bd95680a494..f52f7f810ac4 100644
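--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -58,7 +58,7 @@ static struct xt_af *xt;
 #define duprintf(format, args...)
 #endif
 
-static const char *xt_prefix[NPROTO] = {
+static const char *const xt_prefix[NPROTO] = {
  [AF_INET] = "ip",
  [AF_INET6] = "ip6",
  [NF_ARP] = "arp",
@@ -248,7 +248,7 @@ EXPORT_SYMBOL_GPL(xt_request_find_target);
 
 static int match_revfn(int af, const char *name, u8 revision, int *bestp)
 {
- struct xt_match *m;
+ const struct xt_match *m;
  int have_rev = 0;
 
  list_for_each_entry(m, &xt[af].match, list) {
@@ -264,7 +264,7 @@ static int match_revfn(int af, const char *name, u8 revision, int *bestp)
 
 static int target_revfn(int af, const char *name, u8 revision, int *bestp)
 {
- struct xt_target *t;
+ const struct xt_target *t;
  int have_rev = 0;
 
  list_for_each_entry(t, &xt[af].target, list) {
@@ -385,7 +385,7 @@ short xt_compat_calc_jump(int af, unsigned int offset)
 }
 EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
 
-int xt_compat_match_offset(struct xt_match *match)
+int xt_compat_match_offset(const struct xt_match *match)
 {
  u_int16_t csize = match->compatsize ? : match->matchsize;
  return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
@@ -395,7 +395,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_offset);
 int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
  unsigned int *size)
 {
- struct xt_match *match = m->u.kernel.match;
+ const struct xt_match *match = m->u.kernel.match;
  struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
  int pad, off = xt_compat_match_offset(match);
  u_int16_t msize = cm->u.user.match_size;
@@ -422,7 +422,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
 int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr,
  unsigned int *size)
 {
- struct xt_match *match = m->u.kernel.match;
+ const struct xt_match *match = m->u.kernel.match;
  struct compat_xt_entry_match __user *cm = *dstptr;
  int off = xt_compat_match_offset(match);
  u_int16_t msize = m->u.user.match_size - off;
@@ -479,7 +479,7 @@ int xt_check_target(const struct xt_target *target, unsigned short family,
 EXPORT_SYMBOL_GPL(xt_check_target);
 
 #ifdef CONFIG_COMPAT
-int xt_compat_target_offset(struct xt_target *target)
+int xt_compat_target_offset(const struct xt_target *target)
 {
  u_int16_t csize = target->compatsize ? : target->targetsize;
  return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
@@ -489,7 +489,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_offset);
 void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
  unsigned int *size)
 {
- struct xt_target *target = t->u.kernel.target;
+ const struct xt_target *target = t->u.kernel.target;
  struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
  int pad, off = xt_compat_target_offset(target);
  u_int16_t tsize = ct->u.user.target_size;
@@ -515,7 +515,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
 int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr,
  unsigned int *size)
 {
- struct xt_target *target = t->u.kernel.target;
+ const struct xt_target *target = t->u.kernel.target;
  struct compat_xt_entry_target __user *ct = *dstptr;
  int off = xt_compat_target_offset(target);
  u_int16_t tsize = t->u.user.target_size - off;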
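Review bot: The compat size helpers constified here feed 16-bit arithmetic whose invariant is undocumented: `u_int16_t msize = m->u.user.match_size - off;` in xt_compat_match_to_user() and `u_int16_t tsize = t->u.user.target_size - off;` in xt_compat_target_to_user() narrow an int expression with no range check visible in the hunks. Presumably the entry sizes were validated when the ruleset was loaded, but nothing shown here establishes that. Once confirmed, a short comment such as `/* match_size >= off: entry size was checked at load time */` next to each subtraction would make the assumption reviewable. Both function bodies continue outside the hunks.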