-rw-r--r--net/bridge/netfilter/ebt_802_3.c4
-rw-r--r--net/bridge/netfilter/ebt_among.c8
-rw-r--r--net/bridge/netfilter/ebt_arp.c6
-rw-r--r--net/bridge/netfilter/ebt_ip.c14
-rw-r--r--net/bridge/netfilter/ebt_ip6.c14
-rw-r--r--net/bridge/netfilter/ebt_limit.c4
-rw-r--r--net/bridge/netfilter/ebt_mark_m.c8
-rw-r--r--net/bridge/netfilter/ebt_pkttype.c4
-rw-r--r--net/bridge/netfilter/ebt_stp.c6
-rw-r--r--net/bridge/netfilter/ebt_vlan.c14
-rw-r--r--net/ipv4/netfilter/ip_tables.c2
-rw-r--r--net/ipv4/netfilter/ipt_addrtype.c8
-rw-r--r--net/ipv4/netfilter/ipt_ah.c4
-rw-r--r--net/ipv4/netfilter/ipt_ecn.c8
-rw-r--r--net/ipv6/netfilter/ip6_tables.c2
-rw-r--r--net/ipv6/netfilter/ip6t_ah.c4
-rw-r--r--net/ipv6/netfilter/ip6t_frag.c4
-rw-r--r--net/ipv6/netfilter/ip6t_hbh.c6
-rw-r--r--net/ipv6/netfilter/ip6t_ipv6header.c4
-rw-r--r--net/ipv6/netfilter/ip6t_mh.c2
-rw-r--r--net/ipv6/netfilter/ip6t_rt.c6
-rw-r--r--net/netfilter/x_tables.c12
-rw-r--r--net/netfilter/xt_cluster.c6
-rw-r--r--net/netfilter/xt_connbytes.c8
-rw-r--r--net/netfilter/xt_connlimit.c6
-rw-r--r--net/netfilter/xt_connmark.c8
-rw-r--r--net/netfilter/xt_conntrack.c4
-rw-r--r--net/netfilter/xt_dccp.c8
-rw-r--r--net/netfilter/xt_dscp.c4
-rw-r--r--net/netfilter/xt_esp.c4
-rw-r--r--net/netfilter/xt_hashlimit.c29
-rw-r--r--net/netfilter/xt_helper.c4
-rw-r--r--net/netfilter/xt_limit.c6
-rw-r--r--net/netfilter/xt_physdev.c6
-rw-r--r--net/netfilter/xt_policy.c10
-rw-r--r--net/netfilter/xt_quota.c6
-rw-r--r--net/netfilter/xt_rateest.c4
-rw-r--r--net/netfilter/xt_recent.c18
-rw-r--r--net/netfilter/xt_sctp.c12
-rw-r--r--net/netfilter/xt_state.c4
-rw-r--r--net/netfilter/xt_statistic.c6
-rw-r--r--net/netfilter/xt_string.c13
-rw-r--r--net/netfilter/xt_tcpudp.c4
-rw-r--r--net/netfilter/xt_time.c4
44 files changed, 162 insertions, 156 deletions
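--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -41,9 +41,9 @@ static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
 const struct ebt_802_3_info *info = par->matchinfo;
 
 if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK)
-return false;
+return -EINVAL;
 
-return true;
+return 0;
 }
 
 static struct xt_match ebt_802_3_mt_reg __read_mostly = {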
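--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -190,17 +190,17 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par)
 pr_info("wrong size: %d against expected %d, rounded to %Zd\n",
 em->match_size, expected_length,
 EBT_ALIGN(expected_length));
-return false;
+return -EINVAL;
 }
 if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
 pr_info("dst integrity fail: %x\n", -err);
-return false;
+return -EINVAL;
 }
 if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
 pr_info("src integrity fail: %x\n", -err);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match ebt_among_mt_reg __read_mostly = {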
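--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -108,10 +108,10 @@ static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
 if ((e->ethproto != htons(ETH_P_ARP) &&
 e->ethproto != htons(ETH_P_RARP)) ||
 e->invflags & EBT_IPROTO)
-return false;
+return -EINVAL;
 if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK)
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_match ebt_arp_mt_reg __read_mostly = {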
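--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -84,24 +84,24 @@ static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
 
 if (e->ethproto != htons(ETH_P_IP) ||
 e->invflags & EBT_IPROTO)
-return false;
+return -EINVAL;
 if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
-return false;
+return -EINVAL;
 if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
 if (info->invflags & EBT_IP_PROTO)
-return false;
+return -EINVAL;
 if (info->protocol != IPPROTO_TCP &&
 info->protocol != IPPROTO_UDP &&
 info->protocol != IPPROTO_UDPLITE &&
 info->protocol != IPPROTO_SCTP &&
 info->protocol != IPPROTO_DCCP)
-return false;
+return -EINVAL;
 }
 if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
-return false;
+return -EINVAL;
 if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_match ebt_ip_mt_reg __read_mostly = {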
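--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -86,24 +86,24 @@ static int ebt_ip6_mt_check(const struct xt_mtchk_param *par)
 struct ebt_ip6_info *info = par->matchinfo;
 
 if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO)
-return false;
+return -EINVAL;
 if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK)
-return false;
+return -EINVAL;
 if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) {
 if (info->invflags & EBT_IP6_PROTO)
-return false;
+return -EINVAL;
 if (info->protocol != IPPROTO_TCP &&
 info->protocol != IPPROTO_UDP &&
 info->protocol != IPPROTO_UDPLITE &&
 info->protocol != IPPROTO_SCTP &&
 info->protocol != IPPROTO_DCCP)
-return false;
+return -EINVAL;
 }
 if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1])
-return false;
+return -EINVAL;
 if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1])
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 static struct xt_match ebt_ip6_mt_reg __read_mostly = {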
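--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -74,7 +74,7 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
 user2credits(info->avg * info->burst) < user2credits(info->avg)) {
 pr_info("overflow, try lower: %u/%u\n",
 info->avg, info->burst);
-return false;
+return -EINVAL;
 }
 
 /* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */
@@ -82,7 +82,7 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
 info->credit = user2credits(info->avg * info->burst);
 info->credit_cap = user2credits(info->avg * info->burst);
 info->cost = user2credits(info->avg);
-return true;
+return 0;
 }
 
 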
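--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -27,12 +27,12 @@ static int ebt_mark_mt_check(const struct xt_mtchk_param *par)
 const struct ebt_mark_m_info *info = par->matchinfo;
 
 if (info->bitmask & ~EBT_MARK_MASK)
-return false;
+return -EINVAL;
 if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND))
-return false;
+return -EINVAL;
 if (!info->bitmask)
-return false;
-return true;
+return -EINVAL;
+return 0;
 }
 
 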
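--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -25,9 +25,9 @@ static int ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
 const struct ebt_pkttype_info *info = par->matchinfo;
 
 if (info->invert != 0 && info->invert != 1)
-return false;
+return -EINVAL;
 /* Allow any pkt_type value */
-return true;
+return 0;
 }
 
 static struct xt_match ebt_pkttype_mt_reg __read_mostly = {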
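--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -162,13 +162,13 @@ static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
 
 if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
 !(info->bitmask & EBT_STP_MASK))
-return false;
+return -EINVAL;
 /* Make sure the match only receives stp frames */
 if (compare_ether_addr(e->destmac, bridge_ula) ||
 compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
-return false;
+return -EINVAL;
 
-return true;
+return 0;
 }
 
 static struct xt_match ebt_stp_mt_reg __read_mostly = {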
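--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -88,7 +88,7 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 if (e->ethproto != htons(ETH_P_8021Q)) {
 pr_debug("passed entry proto %2.4X is not 802.1Q (8100)\n",
 ntohs(e->ethproto));
-return false;
+return -EINVAL;
 }
 
 /* Check for bitmask range
@@ -96,14 +96,14 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 if (info->bitmask & ~EBT_VLAN_MASK) {
 pr_debug("bitmask %2X is out of mask (%2X)\n",
 info->bitmask, EBT_VLAN_MASK);
-return false;
+return -EINVAL;
 }
 
 /* Check for inversion flags range */
 if (info->invflags & ~EBT_VLAN_MASK) {
 pr_debug("inversion flags %2X is out of mask (%2X)\n",
 info->invflags, EBT_VLAN_MASK);
-return false;
+return -EINVAL;
 }
 
 /* Reserved VLAN ID (VID) values
@@ -117,7 +117,7 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 if (info->id > VLAN_GROUP_ARRAY_LEN) {
 pr_debug("id %d is out of range (1-4096)\n",
 info->id);
-return false;
+return -EINVAL;
 }
 /* Note: This is valid VLAN-tagged frame point.
 * Any value of user_priority are acceptable,
@@ -132,7 +132,7 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 if ((unsigned char) info->prio > 7) {
 pr_debug("prio %d is out of range (0-7)\n",
 info->prio);
-return false;
+return -EINVAL;
 }
 }
 /* Check for encapsulated proto range - it is possible to be
@@ -142,11 +142,11 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) {
 pr_debug("encap frame length %d is less than "
 "minimal\n", ntohs(info->encap));
-return false;
+return -EINVAL;
 }
 }
 
-return true;
+return 0;
 }
 
 static struct xt_match ebt_vlan_mt_reg __read_mostly = {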
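Review bot: In the VLAN id check, `info->id > VLAN_GROUP_ARRAY_LEN` lets an id equal to the constant through, and the debug text advertises the range as 1-4096. If VLAN_GROUP_ARRAY_LEN is the size of the 12-bit VID space (its definition is not on this page), the largest id a frame can carry is one less, so such a rule would be accepted at load time but could never match; `if (info->id >= VLAN_GROUP_ARRAY_LEN)` with the message range adjusted would reject it up front. The comparison predates this commit, and ebt_vlan_mt_check continues between the hunks shown, so the surrounding bitmask logic should be confirmed before changing it.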
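--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2181,7 +2181,7 @@ static int icmp_checkentry(const struct xt_mtchk_param *par)
 const struct ipt_icmp *icmpinfo = par->matchinfo;
 
 /* Must specify no unknown invflags */
-return !(icmpinfo->invflags & ~IPT_ICMP_INV);
+return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
 }
 
 /* The built-in targets: standard (NULL) and error. */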
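--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -78,7 +78,7 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
 pr_info("both incoming and outgoing "
 "interface limitation cannot be selected\n");
-return false;
+return -EINVAL;
 }
 
 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
@@ -86,7 +86,7 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
 pr_info("output interface limitation "
 "not valid in PREROUTING and INPUT\n");
-return false;
+return -EINVAL;
 }
 
 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
@@ -94,10 +94,10 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
 pr_info("input interface limitation "
 "not valid in POSTROUTING and OUTPUT\n");
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static struct xt_match addrtype_mt_reg[] __read_mostly = {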
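--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -62,9 +62,9 @@ static int ah_mt_check(const struct xt_mtchk_param *par)
 /* Must specify no unknown invflags */
 if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
 pr_debug("unknown flags %X\n", ahinfo->invflags);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match ah_mt_reg __read_mostly = {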
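--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -91,18 +91,18 @@ static int ecn_mt_check(const struct xt_mtchk_param *par)
 const struct ipt_ip *ip = par->entryinfo;
 
 if (info->operation & IPT_ECN_OP_MATCH_MASK)
-return false;
+return -EINVAL;
 
 if (info->invert & IPT_ECN_OP_MATCH_MASK)
-return false;
+return -EINVAL;
 
 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
 ip->proto != IPPROTO_TCP) {
 pr_info("cannot match TCP bits in rule for non-tcp packets\n");
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static struct xt_match ecn_mt_reg __read_mostly = {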
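--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2214,7 +2214,7 @@ static int icmp6_checkentry(const struct xt_mtchk_param *par)
 const struct ip6t_icmp *icmpinfo = par->matchinfo;
 
 /* Must specify no unknown invflags */
-return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
+return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
 }
 
 /* The built-in targets: standard (NULL) and error. */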
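--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -93,9 +93,9 @@ static int ah_mt6_check(const struct xt_mtchk_param *par)
 
 if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
 pr_debug("unknown flags %X\n", ahinfo->invflags);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match ah_mt6_reg __read_mostly = {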
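--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -108,9 +108,9 @@ static int frag_mt6_check(const struct xt_mtchk_param *par)
 
 if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
 pr_debug("unknown flags %X\n", fraginfo->invflags);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match frag_mt6_reg __read_mostly = {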
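--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -170,15 +170,15 @@ static int hbh_mt6_check(const struct xt_mtchk_param *par)
 
 if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
 pr_debug("unknown flags %X\n", optsinfo->invflags);
-return false;
+return -EINVAL;
 }
 
 if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
 pr_debug("Not strict - not implemented");
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static struct xt_match hbh_mt6_reg[] __read_mostly = {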
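--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -125,9 +125,9 @@ static int ipv6header_mt6_check(const struct xt_mtchk_param *par)
 /* invflags is 0 or 0xff in hard mode */
 if ((!info->modeflag) && info->invflags != 0x00 &&
 info->invflags != 0xFF)
-return false;
+return -EINVAL;
 
-return true;
+return 0;
 }
 
 static struct xt_match ipv6header_mt6_reg __read_mostly = {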
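--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -67,7 +67,7 @@ static int mh_mt6_check(const struct xt_mtchk_param *par)
 const struct ip6t_mh *mhinfo = par->matchinfo;
 
 /* Must specify no unknown invflags */
-return !(mhinfo->invflags & ~IP6T_MH_INV_MASK);
+return (mhinfo->invflags & ~IP6T_MH_INV_MASK) ? -EINVAL : 0;
 }
 
 static struct xt_match mh_mt6_reg __read_mostly = {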
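--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -189,17 +189,17 @@ static int rt_mt6_check(const struct xt_mtchk_param *par)
 
 if (rtinfo->invflags & ~IP6T_RT_INV_MASK) {
 pr_debug("unknown flags %X\n", rtinfo->invflags);
-return false;
+return -EINVAL;
 }
 if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) &&
 (!(rtinfo->flags & IP6T_RT_TYP) ||
 (rtinfo->rt_type != 0) ||
 (rtinfo->invflags & IP6T_RT_INV_TYP))) {
 pr_debug("`--rt-type 0' required before `--rt-0-*'");
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static struct xt_match rt_mt6_reg __read_mostly = {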
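--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -363,6 +363,8 @@ static char *textify_hooks(char *buf, size_t size, unsigned int mask)
 int xt_check_match(struct xt_mtchk_param *par,
 unsigned int size, u_int8_t proto, bool inv_proto)
 {
+int ret;
+
 if (XT_ALIGN(par->match->matchsize) != size &&
 par->match->matchsize != -1) {
 /*
@@ -399,8 +401,14 @@ int xt_check_match(struct xt_mtchk_param *par,
 par->match->proto);
 return -EINVAL;
 }
-if (par->match->checkentry != NULL && !par->match->checkentry(par))
-return -EINVAL;
+if (par->match->checkentry != NULL) {
+ret = par->match->checkentry(par);
+if (ret < 0)
+return ret;
+else if (ret > 0)
+/* Flag up potential errors. */
+return -EIO;
+}
 return 0;
 }
 EXPORT_SYMBOL_GPL(xt_check_match);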
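Review bot: The new `ret > 0` branch in xt_check_match refuses a checkentry that still returns `true`, but one that still returns `false` for a rejected rule now yields 0 and the rule is accepted without its validation having taken effect. The hunk headers on this page already show the callbacks as `static int`, so a missed conversion would not produce a compiler diagnostic. The contract deserves a comment at the point where it is enforced, for example `/* checkentry: 0 = accept, -errno = reject; a positive value is taken as a leftover bool and refused */`, in place of the terse "Flag up potential errors." A log line naming `par->match->name` on the -EIO path would also make an unconverted extension easy to identify.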
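--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -140,14 +140,14 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
 pr_info("you have exceeded the maximum "
 "number of cluster nodes (%u > %u)\n",
 info->total_nodes, XT_CLUSTER_NODES_MAX);
-return false;
+return -EINVAL;
 }
 if (info->node_mask >= (1ULL << info->total_nodes)) {
 pr_info("this node mask cannot be "
 "higher than the total number of nodes\n");
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static struct xt_match xt_cluster_match __read_mostly = {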
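--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -100,20 +100,20 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
 if (sinfo->what != XT_CONNBYTES_PKTS &&
 sinfo->what != XT_CONNBYTES_BYTES &&
 sinfo->what != XT_CONNBYTES_AVGPKT)
-return false;
+return -EINVAL;
 
 if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL &&
 sinfo->direction != XT_CONNBYTES_DIR_REPLY &&
 sinfo->direction != XT_CONNBYTES_DIR_BOTH)
-return false;
+return -EINVAL;
 
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
-return false;
+return -EINVAL;
 }
 
-return true;
+return 0;
 }
 
 static void connbytes_mt_destroy(const struct xt_mtdtor_param *par)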
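Review bot: The failure branch after `nf_ct_l3proto_try_module_get(par->family) < 0` returns a fixed `-EINVAL` and drops whatever code the helper produced, so a rule refused because conntrack support could not be loaded is reported to the caller as a malformed argument. Now that checkentry results are passed through as errno values, the helper's result can be kept: `ret = nf_ct_l3proto_try_module_get(par->family);` followed by `if (ret < 0) { ... return ret; }`. The same pattern appears in connlimit_mt_check, connmark_tg_check, connmark_mt_check and conntrack_mt_check. connbytes_mt_check starts above the hunk, so whether a suitable local already exists is not visible here.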
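--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -228,21 +228,21 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for "
 "address family %u\n", par->family);
-return false;
+return -EINVAL;
 }
 
 /* init private data */
 info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);
 if (info->data == NULL) {
 nf_ct_l3proto_module_put(par->family);
-return false;
+return -EINVAL;
 }
 
 spin_lock_init(&info->data->lock);
 for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i)
 INIT_LIST_HEAD(&info->data->iphash[i]);
 
-return true;
+return 0;
 }
 
 static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)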
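Review bot: The `info->data == NULL` branch after `kmalloc()` returns `-EINVAL`, which tells the caller the rule was malformed when the actual condition is memory exhaustion. Since xt_check_match now hands a negative checkentry result straight back, `return -ENOMEM;` is the accurate code for this path. The `nf_ct_l3proto_module_put(par->family)` call before the return releases the reference taken above and should stay as it is. connlimit_mt_check begins above the hunk.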
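--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -79,9 +79,9 @@ static int connmark_tg_check(const struct xt_tgchk_param *par)
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
@@ -108,9 +108,9 @@ static int connmark_mt_check(const struct xt_mtchk_param *par)
 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
-return false;
+return -EINVAL;
 }
-return true;
+return 0;
 }
 
 static void connmark_mt_destroy(const struct xt_mtdtor_param *par)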
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 500e0338a187..26e34aa7f8d1 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -211,9 +211,9 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
211 if (nf_ct_l3proto_try_module_get(par->family) < 0) { 211 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
212 pr_info("cannot load conntrack support for proto=%u\n", 212 pr_info("cannot load conntrack support for proto=%u\n",
213 par->family); 213 par->family);
214 return false; 214 return -EINVAL;
215 } 215 }
216 return true; 216 return 0;
217} 217}
218 218
219static void conntrack_mt_destroy(const struct xt_mtdtor_param *par) 219static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index da8c301d24ea..f54699ca5609 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -128,12 +128,12 @@ static int dccp_mt_check(const struct xt_mtchk_param *par)
128 const struct xt_dccp_info *info = par->matchinfo; 128 const struct xt_dccp_info *info = par->matchinfo;
129 129
130 if (info->flags & ~XT_DCCP_VALID_FLAGS) 130 if (info->flags & ~XT_DCCP_VALID_FLAGS)
131 return false; 131 return -EINVAL;
132 if (info->invflags & ~XT_DCCP_VALID_FLAGS) 132 if (info->invflags & ~XT_DCCP_VALID_FLAGS)
133 return false; 133 return -EINVAL;
134 if (info->invflags & ~info->flags) 134 if (info->invflags & ~info->flags)
135 return false; 135 return -EINVAL;
136 return true; 136 return 0;
137} 137}
138 138
139static struct xt_match dccp_mt_reg[] __read_mostly = { 139static struct xt_match dccp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 295da4ce822c..f355fb9e06fa 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -48,10 +48,10 @@ static int dscp_mt_check(const struct xt_mtchk_param *par)
48 48
49 if (info->dscp > XT_DSCP_MAX) { 49 if (info->dscp > XT_DSCP_MAX) {
50 pr_info("dscp %x out of range\n", info->dscp); 50 pr_info("dscp %x out of range\n", info->dscp);
51 return false; 51 return -EINVAL;
52 } 52 }
53 53
54 return true; 54 return 0;
55} 55}
56 56
57static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par) 57static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 9f5da9795674..143bfdc8e38f 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -66,10 +66,10 @@ static int esp_mt_check(const struct xt_mtchk_param *par)
66 66
67 if (espinfo->invflags & ~XT_ESP_INV_MASK) { 67 if (espinfo->invflags & ~XT_ESP_INV_MASK) {
68 pr_debug("unknown flags %X\n", espinfo->invflags); 68 pr_debug("unknown flags %X\n", espinfo->invflags);
69 return false; 69 return -EINVAL;
70 } 70 }
71 71
72 return true; 72 return 0;
73} 73}
74 74
75static struct xt_match esp_mt_reg[] __read_mostly = { 75static struct xt_match esp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index d13800c95930..0c0152902b3b 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -681,30 +681,29 @@ static int hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
681 user2credits(r->cfg.avg * r->cfg.burst) < user2credits(r->cfg.avg)) { 681 user2credits(r->cfg.avg * r->cfg.burst) < user2credits(r->cfg.avg)) {
682 pr_info("overflow, try lower: %u/%u\n", 682 pr_info("overflow, try lower: %u/%u\n",
683 r->cfg.avg, r->cfg.burst); 683 r->cfg.avg, r->cfg.burst);
684 return false; 684 return -EINVAL;
685 } 685 }
686 if (r->cfg.mode == 0 || 686 if (r->cfg.mode == 0 ||
687 r->cfg.mode > (XT_HASHLIMIT_HASH_DPT | 687 r->cfg.mode > (XT_HASHLIMIT_HASH_DPT |
688 XT_HASHLIMIT_HASH_DIP | 688 XT_HASHLIMIT_HASH_DIP |
689 XT_HASHLIMIT_HASH_SIP | 689 XT_HASHLIMIT_HASH_SIP |
690 XT_HASHLIMIT_HASH_SPT)) 690 XT_HASHLIMIT_HASH_SPT))
691 return false; 691 return -EINVAL;
692 if (!r->cfg.gc_interval) 692 if (!r->cfg.gc_interval)
693 return false; 693 return -EINVAL;
694 if (!r->cfg.expire) 694 if (!r->cfg.expire)
695 return false; 695 return -EINVAL;
696 if (r->name[sizeof(r->name) - 1] != '\0') 696 if (r->name[sizeof(r->name) - 1] != '\0')
697 return false; 697 return -EINVAL;
698 698
699 mutex_lock(&hashlimit_mutex); 699 mutex_lock(&hashlimit_mutex);
700 r->hinfo = htable_find_get(net, r->name, par->family); 700 r->hinfo = htable_find_get(net, r->name, par->family);
701 if (!r->hinfo && htable_create_v0(net, r, par->family) != 0) { 701 if (!r->hinfo && htable_create_v0(net, r, par->family) != 0) {
702 mutex_unlock(&hashlimit_mutex); 702 mutex_unlock(&hashlimit_mutex);
703 return false; 703 return -EINVAL;
704 } 704 }
705 mutex_unlock(&hashlimit_mutex); 705 mutex_unlock(&hashlimit_mutex);
706 706 return 0;
707 return true;
708} 707}
709 708
710static int hashlimit_mt_check(const struct xt_mtchk_param *par) 709static int hashlimit_mt_check(const struct xt_mtchk_param *par)
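Review bot: A failure of `htable_create_v0()` is reported as `-EINVAL` (new line 703), although every user-supplied field has already passed validation by then, so the cause is more likely resource exhaustion than a bad rule. If the helper returns a negative errno, the value should be propagated; the `!= 0` test suggests it does, but its body is not in the hunk. hashlimit_mt_check in the next hunk has the same construct with `htable_create()`. `ret` would need an `int ret;` declaration at the top of the function, which is outside the hunk.

```c
	r->hinfo = htable_find_get(net, r->name, par->family);
	if (r->hinfo == NULL) {
		ret = htable_create_v0(net, r, par->family);
		if (ret < 0) {
			mutex_unlock(&hashlimit_mutex);
			return ret;
		}
	}
	/* … unchanged: mutex_unlock and return 0 … */
```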
@@ -718,28 +717,28 @@ static int hashlimit_mt_check(const struct xt_mtchk_param *par)
718 user2credits(info->cfg.avg)) { 717 user2credits(info->cfg.avg)) {
719 pr_info("overflow, try lower: %u/%u\n", 718 pr_info("overflow, try lower: %u/%u\n",
720 info->cfg.avg, info->cfg.burst); 719 info->cfg.avg, info->cfg.burst);
721 return false; 720 return -EINVAL;
722 } 721 }
723 if (info->cfg.gc_interval == 0 || info->cfg.expire == 0) 722 if (info->cfg.gc_interval == 0 || info->cfg.expire == 0)
724 return false; 723 return -EINVAL;
725 if (info->name[sizeof(info->name)-1] != '\0') 724 if (info->name[sizeof(info->name)-1] != '\0')
726 return false; 725 return -EINVAL;
727 if (par->family == NFPROTO_IPV4) { 726 if (par->family == NFPROTO_IPV4) {
728 if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32) 727 if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32)
729 return false; 728 return -EINVAL;
730 } else { 729 } else {
731 if (info->cfg.srcmask > 128 || info->cfg.dstmask > 128) 730 if (info->cfg.srcmask > 128 || info->cfg.dstmask > 128)
732 return false; 731 return -EINVAL;
733 } 732 }
734 733
735 mutex_lock(&hashlimit_mutex); 734 mutex_lock(&hashlimit_mutex);
736 info->hinfo = htable_find_get(net, info->name, par->family); 735 info->hinfo = htable_find_get(net, info->name, par->family);
737 if (!info->hinfo && htable_create(net, info, par->family) != 0) { 736 if (!info->hinfo && htable_create(net, info, par->family) != 0) {
738 mutex_unlock(&hashlimit_mutex); 737 mutex_unlock(&hashlimit_mutex);
739 return false; 738 return -EINVAL;
740 } 739 }
741 mutex_unlock(&hashlimit_mutex); 740 mutex_unlock(&hashlimit_mutex);
742 return true; 741 return 0;
743} 742}
744 743
745static void 744static void
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 6e177b279f90..eb308b32bfe0 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -61,10 +61,10 @@ static int helper_mt_check(const struct xt_mtchk_param *par)
61 if (nf_ct_l3proto_try_module_get(par->family) < 0) { 61 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
62 pr_info("cannot load conntrack support for proto=%u\n", 62 pr_info("cannot load conntrack support for proto=%u\n",
63 par->family); 63 par->family);
64 return false; 64 return -EINVAL;
65 } 65 }
66 info->name[29] = '\0'; 66 info->name[29] = '\0';
67 return true; 67 return 0;
68} 68}
69 69
70static void helper_mt_destroy(const struct xt_mtdtor_param *par) 70static void helper_mt_destroy(const struct xt_mtdtor_param *par)
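Review bot: The terminator is written at a literal index, `info->name[29] = '\0';` (new line 66), which silently depends on the size of the `name` field and truncates an unterminated name instead of rejecting it. Writing it as `info->name[sizeof(info->name) - 1] = '\0';` (assuming `name` is an array member, as the constant index implies) removes the magic number. The hashlimit and string checks in this commit instead return `-EINVAL` when the last byte is not NUL, so a short comment here saying why truncation is preferred would help the next reader. helper_mt_check starts above the hunk.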
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 138a324df8df..5ff0580ce878 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -107,12 +107,12 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
107 || user2credits(r->avg * r->burst) < user2credits(r->avg)) { 107 || user2credits(r->avg * r->burst) < user2credits(r->avg)) {
108 pr_info("Overflow, try lower: %u/%u\n", 108 pr_info("Overflow, try lower: %u/%u\n",
109 r->avg, r->burst); 109 r->avg, r->burst);
110 return false; 110 return -EINVAL;
111 } 111 }
112 112
113 priv = kmalloc(sizeof(*priv), GFP_KERNEL); 113 priv = kmalloc(sizeof(*priv), GFP_KERNEL);
114 if (priv == NULL) 114 if (priv == NULL)
115 return false; 115 return -EINVAL;
116 116
117 /* For SMP, we only want to use one set of state. */ 117 /* For SMP, we only want to use one set of state. */
118 r->master = priv; 118 r->master = priv;
@@ -124,7 +124,7 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
124 r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */ 124 r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */
125 r->cost = user2credits(r->avg); 125 r->cost = user2credits(r->avg);
126 } 126 }
127 return true; 127 return 0;
128} 128}
129 129
130static void limit_mt_destroy(const struct xt_mtdtor_param *par) 130static void limit_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 850e412c83ef..d0bdf3dd4d25 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -89,7 +89,7 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
89 89
90 if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || 90 if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
91 info->bitmask & ~XT_PHYSDEV_OP_MASK) 91 info->bitmask & ~XT_PHYSDEV_OP_MASK)
92 return false; 92 return -EINVAL;
93 if (info->bitmask & XT_PHYSDEV_OP_OUT && 93 if (info->bitmask & XT_PHYSDEV_OP_OUT &&
94 (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) || 94 (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
95 info->invert & XT_PHYSDEV_OP_BRIDGED) && 95 info->invert & XT_PHYSDEV_OP_BRIDGED) &&
@@ -99,9 +99,9 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
99 "POSTROUTING chains for non-bridged traffic is not " 99 "POSTROUTING chains for non-bridged traffic is not "
100 "supported anymore.\n"); 100 "supported anymore.\n");
101 if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) 101 if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
102 return false; 102 return -EINVAL;
103 } 103 }
104 return true; 104 return 0;
105} 105}
106 106
107static struct xt_match physdev_mt_reg __read_mostly = { 107static struct xt_match physdev_mt_reg __read_mostly = {
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index c9965b640b16..1fa239c1fb93 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -134,23 +134,23 @@ static int policy_mt_check(const struct xt_mtchk_param *par)
134 134
135 if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) { 135 if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
136 pr_info("neither incoming nor outgoing policy selected\n"); 136 pr_info("neither incoming nor outgoing policy selected\n");
137 return false; 137 return -EINVAL;
138 } 138 }
139 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) | 139 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
140 (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) { 140 (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
141 pr_info("output policy not valid in PREROUTING and INPUT\n"); 141 pr_info("output policy not valid in PREROUTING and INPUT\n");
142 return false; 142 return -EINVAL;
143 } 143 }
144 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) | 144 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
145 (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) { 145 (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
146 pr_info("input policy not valid in POSTROUTING and OUTPUT\n"); 146 pr_info("input policy not valid in POSTROUTING and OUTPUT\n");
147 return false; 147 return -EINVAL;
148 } 148 }
149 if (info->len > XT_POLICY_MAX_ELEM) { 149 if (info->len > XT_POLICY_MAX_ELEM) {
150 pr_info("too many policy elements\n"); 150 pr_info("too many policy elements\n");
151 return false; 151 return -EINVAL;
152 } 152 }
153 return true; 153 return 0;
154} 154}
155 155
156static struct xt_match policy_mt_reg[] __read_mostly = { 156static struct xt_match policy_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 2861fac5f2e1..766e71c6dc55 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -48,14 +48,14 @@ static int quota_mt_check(const struct xt_mtchk_param *par)
48 struct xt_quota_info *q = par->matchinfo; 48 struct xt_quota_info *q = par->matchinfo;
49 49
50 if (q->flags & ~XT_QUOTA_MASK) 50 if (q->flags & ~XT_QUOTA_MASK)
51 return false; 51 return -EINVAL;
52 52
53 q->master = kmalloc(sizeof(*q->master), GFP_KERNEL); 53 q->master = kmalloc(sizeof(*q->master), GFP_KERNEL);
54 if (q->master == NULL) 54 if (q->master == NULL)
55 return false; 55 return -EINVAL;
56 56
57 q->master->quota = q->quota; 57 q->master->quota = q->quota;
58 return true; 58 return 0;
59} 59}
60 60
61static void quota_mt_destroy(const struct xt_mtdtor_param *par) 61static void quota_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 3b5e3d613b18..0b5c6122737d 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -109,12 +109,12 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
109 109
110 info->est1 = est1; 110 info->est1 = est1;
111 info->est2 = est2; 111 info->est2 = est2;
112 return true; 112 return 0;
113 113
114err2: 114err2:
115 xt_rateest_put(est1); 115 xt_rateest_put(est1);
116err1: 116err1:
117 return false; 117 return -EINVAL;
118} 118}
119 119
120static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par) 120static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 52042c8bf7f2..0994ff54a731 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -314,7 +314,7 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
314 struct proc_dir_entry *pde; 314 struct proc_dir_entry *pde;
315#endif 315#endif
316 unsigned i; 316 unsigned i;
317 bool ret = false; 317 int ret = -EINVAL;
318 318
319 if (unlikely(!hash_rnd_inited)) { 319 if (unlikely(!hash_rnd_inited)) {
320 get_random_bytes(&hash_rnd, sizeof(hash_rnd)); 320 get_random_bytes(&hash_rnd, sizeof(hash_rnd));
@@ -323,33 +323,33 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
323 if (info->check_set & ~XT_RECENT_VALID_FLAGS) { 323 if (info->check_set & ~XT_RECENT_VALID_FLAGS) {
324 pr_info("Unsupported user space flags (%08x)\n", 324 pr_info("Unsupported user space flags (%08x)\n",
325 info->check_set); 325 info->check_set);
326 return false; 326 return -EINVAL;
327 } 327 }
328 if (hweight8(info->check_set & 328 if (hweight8(info->check_set &
329 (XT_RECENT_SET | XT_RECENT_REMOVE | 329 (XT_RECENT_SET | XT_RECENT_REMOVE |
330 XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1) 330 XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1)
331 return false; 331 return -EINVAL;
332 if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) && 332 if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) &&
333 (info->seconds || info->hit_count || 333 (info->seconds || info->hit_count ||
334 (info->check_set & XT_RECENT_MODIFIERS))) 334 (info->check_set & XT_RECENT_MODIFIERS)))
335 return false; 335 return -EINVAL;
336 if ((info->check_set & XT_RECENT_REAP) && !info->seconds) 336 if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
337 return false; 337 return -EINVAL;
338 if (info->hit_count > ip_pkt_list_tot) { 338 if (info->hit_count > ip_pkt_list_tot) {
339 pr_info("hitcount (%u) is larger than " 339 pr_info("hitcount (%u) is larger than "
340 "packets to be remembered (%u)\n", 340 "packets to be remembered (%u)\n",
341 info->hit_count, ip_pkt_list_tot); 341 info->hit_count, ip_pkt_list_tot);
342 return false; 342 return -EINVAL;
343 } 343 }
344 if (info->name[0] == '\0' || 344 if (info->name[0] == '\0' ||
345 strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN) 345 strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
346 return false; 346 return -EINVAL;
347 347
348 mutex_lock(&recent_mutex); 348 mutex_lock(&recent_mutex);
349 t = recent_table_lookup(recent_net, info->name); 349 t = recent_table_lookup(recent_net, info->name);
350 if (t != NULL) { 350 if (t != NULL) {
351 t->refcnt++; 351 t->refcnt++;
352 ret = true; 352 ret = 0;
353 goto out; 353 goto out;
354 } 354 }
355 355
@@ -375,7 +375,7 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
375 spin_lock_bh(&recent_lock); 375 spin_lock_bh(&recent_lock);
376 list_add_tail(&t->list, &recent_net->tables); 376 list_add_tail(&t->list, &recent_net->tables);
377 spin_unlock_bh(&recent_lock); 377 spin_unlock_bh(&recent_lock);
378 ret = true; 378 ret = 0;
379out: 379out:
380 mutex_unlock(&recent_mutex); 380 mutex_unlock(&recent_mutex);
381 return ret; 381 return ret;
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 5037a7a0059c..c3694df54672 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -149,17 +149,17 @@ static int sctp_mt_check(const struct xt_mtchk_param *par)
149 const struct xt_sctp_info *info = par->matchinfo; 149 const struct xt_sctp_info *info = par->matchinfo;
150 150
151 if (info->flags & ~XT_SCTP_VALID_FLAGS) 151 if (info->flags & ~XT_SCTP_VALID_FLAGS)
152 return false; 152 return -EINVAL;
153 if (info->invflags & ~XT_SCTP_VALID_FLAGS) 153 if (info->invflags & ~XT_SCTP_VALID_FLAGS)
154 return false; 154 return -EINVAL;
155 if (info->invflags & ~info->flags) 155 if (info->invflags & ~info->flags)
156 return false; 156 return -EINVAL;
157 if (!(info->flags & XT_SCTP_CHUNK_TYPES)) 157 if (!(info->flags & XT_SCTP_CHUNK_TYPES))
158 return true; 158 return 0;
159 if (info->chunk_match_type & (SCTP_CHUNK_MATCH_ALL | 159 if (info->chunk_match_type & (SCTP_CHUNK_MATCH_ALL |
160 SCTP_CHUNK_MATCH_ANY | SCTP_CHUNK_MATCH_ONLY)) 160 SCTP_CHUNK_MATCH_ANY | SCTP_CHUNK_MATCH_ONLY))
161 return true; 161 return 0;
162 return false; 162 return -EINVAL;
163} 163}
164 164
165static struct xt_match sctp_mt_reg[] __read_mostly = { 165static struct xt_match sctp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 8b15b1317f1f..8e8c9df51784 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -42,9 +42,9 @@ static int state_mt_check(const struct xt_mtchk_param *par)
42 if (nf_ct_l3proto_try_module_get(par->family) < 0) { 42 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
43 pr_info("cannot load conntrack support for proto=%u\n", 43 pr_info("cannot load conntrack support for proto=%u\n",
44 par->family); 44 par->family);
45 return false; 45 return -EINVAL;
46 } 46 }
47 return true; 47 return 0;
48} 48}
49 49
50static void state_mt_destroy(const struct xt_mtdtor_param *par) 50static void state_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index a577ab008f57..29d76f8f1880 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -58,14 +58,14 @@ static int statistic_mt_check(const struct xt_mtchk_param *par)
58 58
59 if (info->mode > XT_STATISTIC_MODE_MAX || 59 if (info->mode > XT_STATISTIC_MODE_MAX ||
60 info->flags & ~XT_STATISTIC_MASK) 60 info->flags & ~XT_STATISTIC_MASK)
61 return false; 61 return -EINVAL;
62 62
63 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL); 63 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
64 if (info->master == NULL) 64 if (info->master == NULL)
65 return false; 65 return -EINVAL;
66 info->master->count = info->u.nth.count; 66 info->master->count = info->u.nth.count;
67 67
68 return true; 68 return 0;
69} 69}
70 70
71static void statistic_mt_destroy(const struct xt_mtdtor_param *par) 71static void statistic_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 7d1412154e27..e1f22a7a4152 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -48,26 +48,25 @@ static int string_mt_check(const struct xt_mtchk_param *par)
48 48
49 /* Damn, can't handle this case properly with iptables... */ 49 /* Damn, can't handle this case properly with iptables... */
50 if (conf->from_offset > conf->to_offset) 50 if (conf->from_offset > conf->to_offset)
51 return false; 51 return -EINVAL;
52 if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0') 52 if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0')
53 return false; 53 return -EINVAL;
54 if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE) 54 if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
55 return false; 55 return -EINVAL;
56 if (par->match->revision == 1) { 56 if (par->match->revision == 1) {
57 if (conf->u.v1.flags & 57 if (conf->u.v1.flags &
58 ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT)) 58 ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT))
59 return false; 59 return -EINVAL;
60 if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE) 60 if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
61 flags |= TS_IGNORECASE; 61 flags |= TS_IGNORECASE;
62 } 62 }
63 ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen, 63 ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
64 GFP_KERNEL, flags); 64 GFP_KERNEL, flags);
65 if (IS_ERR(ts_conf)) 65 if (IS_ERR(ts_conf))
66 return false; 66 return -EINVAL;
67 67
68 conf->config = ts_conf; 68 conf->config = ts_conf;
69 69 return 0;
70 return true;
71} 70}
72 71
73static void string_mt_destroy(const struct xt_mtdtor_param *par) 72static void string_mt_destroy(const struct xt_mtdtor_param *par)
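Review bot: The error pointer from `textsearch_prepare()` is collapsed to `-EINVAL` at new line 66, which discards the reason the search configuration could not be set up (the hunk does not show which codes it can carry, but an allocation failure and an unknown algorithm name would look the same to the caller). With the int return type the code can be handed back directly: `return PTR_ERR(ts_conf);`. string_mt_check starts above the hunk.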
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 00728410099f..efa2ede24ae6 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -125,7 +125,7 @@ static int tcp_mt_check(const struct xt_mtchk_param *par)
125 const struct xt_tcp *tcpinfo = par->matchinfo; 125 const struct xt_tcp *tcpinfo = par->matchinfo;
126 126
127 /* Must specify no unknown invflags */ 127 /* Must specify no unknown invflags */
128 return !(tcpinfo->invflags & ~XT_TCP_INV_MASK); 128 return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0;
129} 129}
130 130
131static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 131static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
@@ -160,7 +160,7 @@ static int udp_mt_check(const struct xt_mtchk_param *par)
160 const struct xt_udp *udpinfo = par->matchinfo; 160 const struct xt_udp *udpinfo = par->matchinfo;
161 161
162 /* Must specify no unknown invflags */ 162 /* Must specify no unknown invflags */
163 return !(udpinfo->invflags & ~XT_UDP_INV_MASK); 163 return (udpinfo->invflags & ~XT_UDP_INV_MASK) ? -EINVAL : 0;
164} 164}
165 165
166static struct xt_match tcpudp_mt_reg[] __read_mostly = { 166static struct xt_match tcpudp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index db74f4fd57df..8dde5e51ff19 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -225,10 +225,10 @@ static int time_mt_check(const struct xt_mtchk_param *par)
225 info->daytime_stop > XT_TIME_MAX_DAYTIME) { 225 info->daytime_stop > XT_TIME_MAX_DAYTIME) {
226 pr_info("invalid argument - start or " 226 pr_info("invalid argument - start or "
227 "stop time greater than 23:59:59\n"); 227 "stop time greater than 23:59:59\n");
228 return false; 228 return -EINVAL;
229 } 229 }
230 230
231 return true; 231 return 0;
232} 232}
233 233
234static struct xt_match xt_time_mt_reg __read_mostly = { 234static struct xt_match xt_time_mt_reg __read_mostly = {