diff options
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 69 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 88 |
2 files changed, 88 insertions, 69 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 2303dc92a277..4db5c1ece0f9 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
| @@ -233,7 +233,14 @@ arpt_error(struct sk_buff *skb, const struct xt_target_param *par) | |||
| 233 | return NF_DROP; | 233 | return NF_DROP; |
| 234 | } | 234 | } |
| 235 | 235 | ||
| 236 | static inline struct arpt_entry *get_entry(void *base, unsigned int offset) | 236 | static inline const struct arpt_entry_target * |
| 237 | arpt_get_target_c(const struct arpt_entry *e) | ||
| 238 | { | ||
| 239 | return arpt_get_target((struct arpt_entry *)e); | ||
| 240 | } | ||
| 241 | |||
| 242 | static inline struct arpt_entry * | ||
| 243 | get_entry(const void *base, unsigned int offset) | ||
| 237 | { | 244 | { |
| 238 | return (struct arpt_entry *)(base + offset); | 245 | return (struct arpt_entry *)(base + offset); |
| 239 | } | 246 | } |
| @@ -280,7 +287,7 @@ unsigned int arpt_do_table(struct sk_buff *skb, | |||
| 280 | 287 | ||
| 281 | arp = arp_hdr(skb); | 288 | arp = arp_hdr(skb); |
| 282 | do { | 289 | do { |
| 283 | struct arpt_entry_target *t; | 290 | const struct arpt_entry_target *t; |
| 284 | int hdr_len; | 291 | int hdr_len; |
| 285 | 292 | ||
| 286 | if (!arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) { | 293 | if (!arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) { |
| @@ -292,7 +299,7 @@ unsigned int arpt_do_table(struct sk_buff *skb, | |||
| 292 | (2 * skb->dev->addr_len); | 299 | (2 * skb->dev->addr_len); |
| 293 | ADD_COUNTER(e->counters, hdr_len, 1); | 300 | ADD_COUNTER(e->counters, hdr_len, 1); |
| 294 | 301 | ||
| 295 | t = arpt_get_target(e); | 302 | t = arpt_get_target_c(e); |
| 296 | 303 | ||
| 297 | /* Standard target? */ | 304 | /* Standard target? */ |
| 298 | if (!t->u.kernel.target->target) { | 305 | if (!t->u.kernel.target->target) { |
| @@ -358,7 +365,7 @@ static inline bool unconditional(const struct arpt_arp *arp) | |||
| 358 | /* Figures out from what hook each rule can be called: returns 0 if | 365 | /* Figures out from what hook each rule can be called: returns 0 if |
| 359 | * there are loops. Puts hook bitmask in comefrom. | 366 | * there are loops. Puts hook bitmask in comefrom. |
| 360 | */ | 367 | */ |
| 361 | static int mark_source_chains(struct xt_table_info *newinfo, | 368 | static int mark_source_chains(const struct xt_table_info *newinfo, |
| 362 | unsigned int valid_hooks, void *entry0) | 369 | unsigned int valid_hooks, void *entry0) |
| 363 | { | 370 | { |
| 364 | unsigned int hook; | 371 | unsigned int hook; |
| @@ -379,7 +386,7 @@ static int mark_source_chains(struct xt_table_info *newinfo, | |||
| 379 | 386 | ||
| 380 | for (;;) { | 387 | for (;;) { |
| 381 | const struct arpt_standard_target *t | 388 | const struct arpt_standard_target *t |
| 382 | = (void *)arpt_get_target(e); | 389 | = (void *)arpt_get_target_c(e); |
| 383 | int visited = e->comefrom & (1 << hook); | 390 | int visited = e->comefrom & (1 << hook); |
| 384 | 391 | ||
| 385 | if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) { | 392 | if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) { |
| @@ -463,7 +470,7 @@ static int mark_source_chains(struct xt_table_info *newinfo, | |||
| 463 | return 1; | 470 | return 1; |
| 464 | } | 471 | } |
| 465 | 472 | ||
| 466 | static inline int check_entry(struct arpt_entry *e, const char *name) | 473 | static inline int check_entry(const struct arpt_entry *e, const char *name) |
| 467 | { | 474 | { |
| 468 | const struct arpt_entry_target *t; | 475 | const struct arpt_entry_target *t; |
| 469 | 476 | ||
| @@ -475,7 +482,7 @@ static inline int check_entry(struct arpt_entry *e, const char *name) | |||
| 475 | if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset) | 482 | if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset) |
| 476 | return -EINVAL; | 483 | return -EINVAL; |
| 477 | 484 | ||
| 478 | t = arpt_get_target(e); | 485 | t = arpt_get_target_c(e); |
| 479 | if (e->target_offset + t->u.target_size > e->next_offset) | 486 | if (e->target_offset + t->u.target_size > e->next_offset) |
| 480 | return -EINVAL; | 487 | return -EINVAL; |
| 481 | 488 | ||
| @@ -540,14 +547,14 @@ out: | |||
| 540 | return ret; | 547 | return ret; |
| 541 | } | 548 | } |
| 542 | 549 | ||
| 543 | static bool check_underflow(struct arpt_entry *e) | 550 | static bool check_underflow(const struct arpt_entry *e) |
| 544 | { | 551 | { |
| 545 | const struct arpt_entry_target *t; | 552 | const struct arpt_entry_target *t; |
| 546 | unsigned int verdict; | 553 | unsigned int verdict; |
| 547 | 554 | ||
| 548 | if (!unconditional(&e->arp)) | 555 | if (!unconditional(&e->arp)) |
| 549 | return false; | 556 | return false; |
| 550 | t = arpt_get_target(e); | 557 | t = arpt_get_target_c(e); |
| 551 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | 558 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) |
| 552 | return false; | 559 | return false; |
| 553 | verdict = ((struct arpt_standard_target *)t)->verdict; | 560 | verdict = ((struct arpt_standard_target *)t)->verdict; |
| @@ -557,8 +564,8 @@ static bool check_underflow(struct arpt_entry *e) | |||
| 557 | 564 | ||
| 558 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, | 565 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, |
| 559 | struct xt_table_info *newinfo, | 566 | struct xt_table_info *newinfo, |
| 560 | unsigned char *base, | 567 | const unsigned char *base, |
| 561 | unsigned char *limit, | 568 | const unsigned char *limit, |
| 562 | const unsigned int *hook_entries, | 569 | const unsigned int *hook_entries, |
| 563 | const unsigned int *underflows, | 570 | const unsigned int *underflows, |
| 564 | unsigned int valid_hooks, | 571 | unsigned int valid_hooks, |
| @@ -768,11 +775,11 @@ static void get_counters(const struct xt_table_info *t, | |||
| 768 | local_bh_enable(); | 775 | local_bh_enable(); |
| 769 | } | 776 | } |
| 770 | 777 | ||
| 771 | static struct xt_counters *alloc_counters(struct xt_table *table) | 778 | static struct xt_counters *alloc_counters(const struct xt_table *table) |
| 772 | { | 779 | { |
| 773 | unsigned int countersize; | 780 | unsigned int countersize; |
| 774 | struct xt_counters *counters; | 781 | struct xt_counters *counters; |
| 775 | struct xt_table_info *private = table->private; | 782 | const struct xt_table_info *private = table->private; |
| 776 | 783 | ||
| 777 | /* We need atomic snapshot of counters: rest doesn't change | 784 | /* We need atomic snapshot of counters: rest doesn't change |
| 778 | * (other than comefrom, which userspace doesn't care | 785 | * (other than comefrom, which userspace doesn't care |
| @@ -790,11 +797,11 @@ static struct xt_counters *alloc_counters(struct xt_table *table) | |||
| 790 | } | 797 | } |
| 791 | 798 | ||
| 792 | static int copy_entries_to_user(unsigned int total_size, | 799 | static int copy_entries_to_user(unsigned int total_size, |
| 793 | struct xt_table *table, | 800 | const struct xt_table *table, |
| 794 | void __user *userptr) | 801 | void __user *userptr) |
| 795 | { | 802 | { |
| 796 | unsigned int off, num; | 803 | unsigned int off, num; |
| 797 | struct arpt_entry *e; | 804 | const struct arpt_entry *e; |
| 798 | struct xt_counters *counters; | 805 | struct xt_counters *counters; |
| 799 | struct xt_table_info *private = table->private; | 806 | struct xt_table_info *private = table->private; |
| 800 | int ret = 0; | 807 | int ret = 0; |
| @@ -814,7 +821,7 @@ static int copy_entries_to_user(unsigned int total_size, | |||
| 814 | /* FIXME: use iterator macros --RR */ | 821 | /* FIXME: use iterator macros --RR */ |
| 815 | /* ... then go back and fix counters and names */ | 822 | /* ... then go back and fix counters and names */ |
| 816 | for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){ | 823 | for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){ |
| 817 | struct arpt_entry_target *t; | 824 | const struct arpt_entry_target *t; |
| 818 | 825 | ||
| 819 | e = (struct arpt_entry *)(loc_cpu_entry + off); | 826 | e = (struct arpt_entry *)(loc_cpu_entry + off); |
| 820 | if (copy_to_user(userptr + off | 827 | if (copy_to_user(userptr + off |
| @@ -825,7 +832,7 @@ static int copy_entries_to_user(unsigned int total_size, | |||
| 825 | goto free_counters; | 832 | goto free_counters; |
| 826 | } | 833 | } |
| 827 | 834 | ||
| 828 | t = arpt_get_target(e); | 835 | t = arpt_get_target_c(e); |
| 829 | if (copy_to_user(userptr + off + e->target_offset | 836 | if (copy_to_user(userptr + off + e->target_offset |
| 830 | + offsetof(struct arpt_entry_target, | 837 | + offsetof(struct arpt_entry_target, |
| 831 | u.user.name), | 838 | u.user.name), |
| @@ -860,18 +867,18 @@ static int compat_standard_to_user(void __user *dst, const void *src) | |||
| 860 | return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0; | 867 | return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0; |
| 861 | } | 868 | } |
| 862 | 869 | ||
| 863 | static int compat_calc_entry(struct arpt_entry *e, | 870 | static int compat_calc_entry(const struct arpt_entry *e, |
| 864 | const struct xt_table_info *info, | 871 | const struct xt_table_info *info, |
| 865 | void *base, struct xt_table_info *newinfo) | 872 | const void *base, struct xt_table_info *newinfo) |
| 866 | { | 873 | { |
| 867 | struct arpt_entry_target *t; | 874 | const struct arpt_entry_target *t; |
| 868 | unsigned int entry_offset; | 875 | unsigned int entry_offset; |
| 869 | int off, i, ret; | 876 | int off, i, ret; |
| 870 | 877 | ||
| 871 | off = sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry); | 878 | off = sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry); |
| 872 | entry_offset = (void *)e - base; | 879 | entry_offset = (void *)e - base; |
| 873 | 880 | ||
| 874 | t = arpt_get_target(e); | 881 | t = arpt_get_target_c(e); |
| 875 | off += xt_compat_target_offset(t->u.kernel.target); | 882 | off += xt_compat_target_offset(t->u.kernel.target); |
| 876 | newinfo->size -= off; | 883 | newinfo->size -= off; |
| 877 | ret = xt_compat_add_offset(NFPROTO_ARP, entry_offset, off); | 884 | ret = xt_compat_add_offset(NFPROTO_ARP, entry_offset, off); |
| @@ -907,7 +914,8 @@ static int compat_table_info(const struct xt_table_info *info, | |||
| 907 | } | 914 | } |
| 908 | #endif | 915 | #endif |
| 909 | 916 | ||
| 910 | static int get_info(struct net *net, void __user *user, int *len, int compat) | 917 | static int get_info(struct net *net, void __user *user, |
| 918 | const int *len, int compat) | ||
| 911 | { | 919 | { |
| 912 | char name[ARPT_TABLE_MAXNAMELEN]; | 920 | char name[ARPT_TABLE_MAXNAMELEN]; |
| 913 | struct xt_table *t; | 921 | struct xt_table *t; |
| @@ -966,7 +974,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat) | |||
| 966 | } | 974 | } |
| 967 | 975 | ||
| 968 | static int get_entries(struct net *net, struct arpt_get_entries __user *uptr, | 976 | static int get_entries(struct net *net, struct arpt_get_entries __user *uptr, |
| 969 | int *len) | 977 | const int *len) |
| 970 | { | 978 | { |
| 971 | int ret; | 979 | int ret; |
| 972 | struct arpt_get_entries get; | 980 | struct arpt_get_entries get; |
| @@ -1080,7 +1088,8 @@ static int __do_replace(struct net *net, const char *name, | |||
| 1080 | return ret; | 1088 | return ret; |
| 1081 | } | 1089 | } |
| 1082 | 1090 | ||
| 1083 | static int do_replace(struct net *net, void __user *user, unsigned int len) | 1091 | static int do_replace(struct net *net, const void __user *user, |
| 1092 | unsigned int len) | ||
| 1084 | { | 1093 | { |
| 1085 | int ret; | 1094 | int ret; |
| 1086 | struct arpt_replace tmp; | 1095 | struct arpt_replace tmp; |
| @@ -1140,8 +1149,8 @@ add_counter_to_entry(struct arpt_entry *e, | |||
| 1140 | return 0; | 1149 | return 0; |
| 1141 | } | 1150 | } |
| 1142 | 1151 | ||
| 1143 | static int do_add_counters(struct net *net, void __user *user, unsigned int len, | 1152 | static int do_add_counters(struct net *net, const void __user *user, |
| 1144 | int compat) | 1153 | unsigned int len, int compat) |
| 1145 | { | 1154 | { |
| 1146 | unsigned int i, curcpu; | 1155 | unsigned int i, curcpu; |
| 1147 | struct xt_counters_info tmp; | 1156 | struct xt_counters_info tmp; |
| @@ -1245,10 +1254,10 @@ static inline int | |||
| 1245 | check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, | 1254 | check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, |
| 1246 | struct xt_table_info *newinfo, | 1255 | struct xt_table_info *newinfo, |
| 1247 | unsigned int *size, | 1256 | unsigned int *size, |
| 1248 | unsigned char *base, | 1257 | const unsigned char *base, |
| 1249 | unsigned char *limit, | 1258 | const unsigned char *limit, |
| 1250 | unsigned int *hook_entries, | 1259 | const unsigned int *hook_entries, |
| 1251 | unsigned int *underflows, | 1260 | const unsigned int *underflows, |
| 1252 | unsigned int *i, | 1261 | unsigned int *i, |
| 1253 | const char *name) | 1262 | const char *name) |
| 1254 | { | 1263 | { |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 2a4f745ce36e..e94c18bdfc68 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
| @@ -176,7 +176,7 @@ ipt_error(struct sk_buff *skb, const struct xt_target_param *par) | |||
| 176 | 176 | ||
| 177 | /* Performance critical - called for every packet */ | 177 | /* Performance critical - called for every packet */ |
| 178 | static inline bool | 178 | static inline bool |
| 179 | do_match(struct ipt_entry_match *m, const struct sk_buff *skb, | 179 | do_match(const struct ipt_entry_match *m, const struct sk_buff *skb, |
| 180 | struct xt_match_param *par) | 180 | struct xt_match_param *par) |
| 181 | { | 181 | { |
| 182 | par->match = m->u.kernel.match; | 182 | par->match = m->u.kernel.match; |
| @@ -191,7 +191,7 @@ do_match(struct ipt_entry_match *m, const struct sk_buff *skb, | |||
| 191 | 191 | ||
| 192 | /* Performance critical */ | 192 | /* Performance critical */ |
| 193 | static inline struct ipt_entry * | 193 | static inline struct ipt_entry * |
| 194 | get_entry(void *base, unsigned int offset) | 194 | get_entry(const void *base, unsigned int offset) |
| 195 | { | 195 | { |
| 196 | return (struct ipt_entry *)(base + offset); | 196 | return (struct ipt_entry *)(base + offset); |
| 197 | } | 197 | } |
| @@ -206,6 +206,13 @@ static inline bool unconditional(const struct ipt_ip *ip) | |||
| 206 | #undef FWINV | 206 | #undef FWINV |
| 207 | } | 207 | } |
| 208 | 208 | ||
| 209 | /* for const-correctness */ | ||
| 210 | static inline const struct ipt_entry_target * | ||
| 211 | ipt_get_target_c(const struct ipt_entry *e) | ||
| 212 | { | ||
| 213 | return ipt_get_target((struct ipt_entry *)e); | ||
| 214 | } | ||
| 215 | |||
| 209 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ | 216 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ |
| 210 | defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) | 217 | defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) |
| 211 | static const char *const hooknames[] = { | 218 | static const char *const hooknames[] = { |
| @@ -240,11 +247,11 @@ static struct nf_loginfo trace_loginfo = { | |||
| 240 | 247 | ||
| 241 | /* Mildly perf critical (only if packet tracing is on) */ | 248 | /* Mildly perf critical (only if packet tracing is on) */ |
| 242 | static inline int | 249 | static inline int |
| 243 | get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e, | 250 | get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e, |
| 244 | const char *hookname, const char **chainname, | 251 | const char *hookname, const char **chainname, |
| 245 | const char **comment, unsigned int *rulenum) | 252 | const char **comment, unsigned int *rulenum) |
| 246 | { | 253 | { |
| 247 | struct ipt_standard_target *t = (void *)ipt_get_target(s); | 254 | const struct ipt_standard_target *t = (void *)ipt_get_target_c(s); |
| 248 | 255 | ||
| 249 | if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) { | 256 | if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) { |
| 250 | /* Head of user chain: ERROR target with chainname */ | 257 | /* Head of user chain: ERROR target with chainname */ |
| @@ -270,15 +277,15 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e, | |||
| 270 | return 0; | 277 | return 0; |
| 271 | } | 278 | } |
| 272 | 279 | ||
| 273 | static void trace_packet(struct sk_buff *skb, | 280 | static void trace_packet(const struct sk_buff *skb, |
| 274 | unsigned int hook, | 281 | unsigned int hook, |
| 275 | const struct net_device *in, | 282 | const struct net_device *in, |
| 276 | const struct net_device *out, | 283 | const struct net_device *out, |
| 277 | const char *tablename, | 284 | const char *tablename, |
| 278 | struct xt_table_info *private, | 285 | const struct xt_table_info *private, |
| 279 | struct ipt_entry *e) | 286 | const struct ipt_entry *e) |
| 280 | { | 287 | { |
| 281 | void *table_base; | 288 | const void *table_base; |
| 282 | const struct ipt_entry *root; | 289 | const struct ipt_entry *root; |
| 283 | const char *hookname, *chainname, *comment; | 290 | const char *hookname, *chainname, *comment; |
| 284 | unsigned int rulenum = 0; | 291 | unsigned int rulenum = 0; |
| @@ -322,9 +329,9 @@ ipt_do_table(struct sk_buff *skb, | |||
| 322 | /* Initializing verdict to NF_DROP keeps gcc happy. */ | 329 | /* Initializing verdict to NF_DROP keeps gcc happy. */ |
| 323 | unsigned int verdict = NF_DROP; | 330 | unsigned int verdict = NF_DROP; |
| 324 | const char *indev, *outdev; | 331 | const char *indev, *outdev; |
| 325 | void *table_base; | 332 | const void *table_base; |
| 326 | struct ipt_entry *e, *back; | 333 | struct ipt_entry *e, *back; |
| 327 | struct xt_table_info *private; | 334 | const struct xt_table_info *private; |
| 328 | struct xt_match_param mtpar; | 335 | struct xt_match_param mtpar; |
| 329 | struct xt_target_param tgpar; | 336 | struct xt_target_param tgpar; |
| 330 | 337 | ||
| @@ -357,7 +364,7 @@ ipt_do_table(struct sk_buff *skb, | |||
| 357 | back = get_entry(table_base, private->underflow[hook]); | 364 | back = get_entry(table_base, private->underflow[hook]); |
| 358 | 365 | ||
| 359 | do { | 366 | do { |
| 360 | struct ipt_entry_target *t; | 367 | const struct ipt_entry_target *t; |
| 361 | 368 | ||
| 362 | IP_NF_ASSERT(e); | 369 | IP_NF_ASSERT(e); |
| 363 | IP_NF_ASSERT(back); | 370 | IP_NF_ASSERT(back); |
| @@ -450,7 +457,7 @@ ipt_do_table(struct sk_buff *skb, | |||
| 450 | /* Figures out from what hook each rule can be called: returns 0 if | 457 | /* Figures out from what hook each rule can be called: returns 0 if |
| 451 | there are loops. Puts hook bitmask in comefrom. */ | 458 | there are loops. Puts hook bitmask in comefrom. */ |
| 452 | static int | 459 | static int |
| 453 | mark_source_chains(struct xt_table_info *newinfo, | 460 | mark_source_chains(const struct xt_table_info *newinfo, |
| 454 | unsigned int valid_hooks, void *entry0) | 461 | unsigned int valid_hooks, void *entry0) |
| 455 | { | 462 | { |
| 456 | unsigned int hook; | 463 | unsigned int hook; |
| @@ -468,8 +475,8 @@ mark_source_chains(struct xt_table_info *newinfo, | |||
| 468 | e->counters.pcnt = pos; | 475 | e->counters.pcnt = pos; |
| 469 | 476 | ||
| 470 | for (;;) { | 477 | for (;;) { |
| 471 | struct ipt_standard_target *t | 478 | const struct ipt_standard_target *t |
| 472 | = (void *)ipt_get_target(e); | 479 | = (void *)ipt_get_target_c(e); |
| 473 | int visited = e->comefrom & (1 << hook); | 480 | int visited = e->comefrom & (1 << hook); |
| 474 | 481 | ||
| 475 | if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { | 482 | if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { |
| @@ -578,9 +585,9 @@ cleanup_match(struct ipt_entry_match *m, struct net *net, unsigned int *i) | |||
| 578 | } | 585 | } |
| 579 | 586 | ||
| 580 | static int | 587 | static int |
| 581 | check_entry(struct ipt_entry *e, const char *name) | 588 | check_entry(const struct ipt_entry *e, const char *name) |
| 582 | { | 589 | { |
| 583 | struct ipt_entry_target *t; | 590 | const struct ipt_entry_target *t; |
| 584 | 591 | ||
| 585 | if (!ip_checkentry(&e->ip)) { | 592 | if (!ip_checkentry(&e->ip)) { |
| 586 | duprintf("ip_tables: ip check failed %p %s.\n", e, name); | 593 | duprintf("ip_tables: ip check failed %p %s.\n", e, name); |
| @@ -591,7 +598,7 @@ check_entry(struct ipt_entry *e, const char *name) | |||
| 591 | e->next_offset) | 598 | e->next_offset) |
| 592 | return -EINVAL; | 599 | return -EINVAL; |
| 593 | 600 | ||
| 594 | t = ipt_get_target(e); | 601 | t = ipt_get_target_c(e); |
| 595 | if (e->target_offset + t->u.target_size > e->next_offset) | 602 | if (e->target_offset + t->u.target_size > e->next_offset) |
| 596 | return -EINVAL; | 603 | return -EINVAL; |
| 597 | 604 | ||
| @@ -718,14 +725,14 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name, | |||
| 718 | return ret; | 725 | return ret; |
| 719 | } | 726 | } |
| 720 | 727 | ||
| 721 | static bool check_underflow(struct ipt_entry *e) | 728 | static bool check_underflow(const struct ipt_entry *e) |
| 722 | { | 729 | { |
| 723 | const struct ipt_entry_target *t; | 730 | const struct ipt_entry_target *t; |
| 724 | unsigned int verdict; | 731 | unsigned int verdict; |
| 725 | 732 | ||
| 726 | if (!unconditional(&e->ip)) | 733 | if (!unconditional(&e->ip)) |
| 727 | return false; | 734 | return false; |
| 728 | t = ipt_get_target(e); | 735 | t = ipt_get_target_c(e); |
| 729 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | 736 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) |
| 730 | return false; | 737 | return false; |
| 731 | verdict = ((struct ipt_standard_target *)t)->verdict; | 738 | verdict = ((struct ipt_standard_target *)t)->verdict; |
| @@ -736,8 +743,8 @@ static bool check_underflow(struct ipt_entry *e) | |||
| 736 | static int | 743 | static int |
| 737 | check_entry_size_and_hooks(struct ipt_entry *e, | 744 | check_entry_size_and_hooks(struct ipt_entry *e, |
| 738 | struct xt_table_info *newinfo, | 745 | struct xt_table_info *newinfo, |
| 739 | unsigned char *base, | 746 | const unsigned char *base, |
| 740 | unsigned char *limit, | 747 | const unsigned char *limit, |
| 741 | const unsigned int *hook_entries, | 748 | const unsigned int *hook_entries, |
| 742 | const unsigned int *underflows, | 749 | const unsigned int *underflows, |
| 743 | unsigned int valid_hooks, | 750 | unsigned int valid_hooks, |
| @@ -952,11 +959,11 @@ get_counters(const struct xt_table_info *t, | |||
| 952 | local_bh_enable(); | 959 | local_bh_enable(); |
| 953 | } | 960 | } |
| 954 | 961 | ||
| 955 | static struct xt_counters * alloc_counters(struct xt_table *table) | 962 | static struct xt_counters *alloc_counters(const struct xt_table *table) |
| 956 | { | 963 | { |
| 957 | unsigned int countersize; | 964 | unsigned int countersize; |
| 958 | struct xt_counters *counters; | 965 | struct xt_counters *counters; |
| 959 | struct xt_table_info *private = table->private; | 966 | const struct xt_table_info *private = table->private; |
| 960 | 967 | ||
| 961 | /* We need atomic snapshot of counters: rest doesn't change | 968 | /* We need atomic snapshot of counters: rest doesn't change |
| 962 | (other than comefrom, which userspace doesn't care | 969 | (other than comefrom, which userspace doesn't care |
| @@ -974,11 +981,11 @@ static struct xt_counters * alloc_counters(struct xt_table *table) | |||
| 974 | 981 | ||
| 975 | static int | 982 | static int |
| 976 | copy_entries_to_user(unsigned int total_size, | 983 | copy_entries_to_user(unsigned int total_size, |
| 977 | struct xt_table *table, | 984 | const struct xt_table *table, |
| 978 | void __user *userptr) | 985 | void __user *userptr) |
| 979 | { | 986 | { |
| 980 | unsigned int off, num; | 987 | unsigned int off, num; |
| 981 | struct ipt_entry *e; | 988 | const struct ipt_entry *e; |
| 982 | struct xt_counters *counters; | 989 | struct xt_counters *counters; |
| 983 | const struct xt_table_info *private = table->private; | 990 | const struct xt_table_info *private = table->private; |
| 984 | int ret = 0; | 991 | int ret = 0; |
| @@ -1030,7 +1037,7 @@ copy_entries_to_user(unsigned int total_size, | |||
| 1030 | } | 1037 | } |
| 1031 | } | 1038 | } |
| 1032 | 1039 | ||
| 1033 | t = ipt_get_target(e); | 1040 | t = ipt_get_target_c(e); |
| 1034 | if (copy_to_user(userptr + off + e->target_offset | 1041 | if (copy_to_user(userptr + off + e->target_offset |
| 1035 | + offsetof(struct ipt_entry_target, | 1042 | + offsetof(struct ipt_entry_target, |
| 1036 | u.user.name), | 1043 | u.user.name), |
| @@ -1066,24 +1073,24 @@ static int compat_standard_to_user(void __user *dst, const void *src) | |||
| 1066 | } | 1073 | } |
| 1067 | 1074 | ||
| 1068 | static inline int | 1075 | static inline int |
| 1069 | compat_calc_match(struct ipt_entry_match *m, int *size) | 1076 | compat_calc_match(const struct ipt_entry_match *m, int *size) |
| 1070 | { | 1077 | { |
| 1071 | *size += xt_compat_match_offset(m->u.kernel.match); | 1078 | *size += xt_compat_match_offset(m->u.kernel.match); |
| 1072 | return 0; | 1079 | return 0; |
| 1073 | } | 1080 | } |
| 1074 | 1081 | ||
| 1075 | static int compat_calc_entry(struct ipt_entry *e, | 1082 | static int compat_calc_entry(const struct ipt_entry *e, |
| 1076 | const struct xt_table_info *info, | 1083 | const struct xt_table_info *info, |
| 1077 | void *base, struct xt_table_info *newinfo) | 1084 | const void *base, struct xt_table_info *newinfo) |
| 1078 | { | 1085 | { |
| 1079 | struct ipt_entry_target *t; | 1086 | const struct ipt_entry_target *t; |
| 1080 | unsigned int entry_offset; | 1087 | unsigned int entry_offset; |
| 1081 | int off, i, ret; | 1088 | int off, i, ret; |
| 1082 | 1089 | ||
| 1083 | off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); | 1090 | off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); |
| 1084 | entry_offset = (void *)e - base; | 1091 | entry_offset = (void *)e - base; |
| 1085 | IPT_MATCH_ITERATE(e, compat_calc_match, &off); | 1092 | IPT_MATCH_ITERATE(e, compat_calc_match, &off); |
| 1086 | t = ipt_get_target(e); | 1093 | t = ipt_get_target_c(e); |
| 1087 | off += xt_compat_target_offset(t->u.kernel.target); | 1094 | off += xt_compat_target_offset(t->u.kernel.target); |
| 1088 | newinfo->size -= off; | 1095 | newinfo->size -= off; |
| 1089 | ret = xt_compat_add_offset(AF_INET, entry_offset, off); | 1096 | ret = xt_compat_add_offset(AF_INET, entry_offset, off); |
| @@ -1119,7 +1126,8 @@ static int compat_table_info(const struct xt_table_info *info, | |||
| 1119 | } | 1126 | } |
| 1120 | #endif | 1127 | #endif |
| 1121 | 1128 | ||
| 1122 | static int get_info(struct net *net, void __user *user, int *len, int compat) | 1129 | static int get_info(struct net *net, void __user *user, |
| 1130 | const int *len, int compat) | ||
| 1123 | { | 1131 | { |
| 1124 | char name[IPT_TABLE_MAXNAMELEN]; | 1132 | char name[IPT_TABLE_MAXNAMELEN]; |
| 1125 | struct xt_table *t; | 1133 | struct xt_table *t; |
| @@ -1179,7 +1187,8 @@ static int get_info(struct net *net, void __user *user, int *len, int compat) | |||
| 1179 | } | 1187 | } |
| 1180 | 1188 | ||
| 1181 | static int | 1189 | static int |
| 1182 | get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len) | 1190 | get_entries(struct net *net, struct ipt_get_entries __user *uptr, |
| 1191 | const int *len) | ||
| 1183 | { | 1192 | { |
| 1184 | int ret; | 1193 | int ret; |
| 1185 | struct ipt_get_entries get; | 1194 | struct ipt_get_entries get; |
| @@ -1289,7 +1298,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks, | |||
| 1289 | } | 1298 | } |
| 1290 | 1299 | ||
| 1291 | static int | 1300 | static int |
| 1292 | do_replace(struct net *net, void __user *user, unsigned int len) | 1301 | do_replace(struct net *net, const void __user *user, unsigned int len) |
| 1293 | { | 1302 | { |
| 1294 | int ret; | 1303 | int ret; |
| 1295 | struct ipt_replace tmp; | 1304 | struct ipt_replace tmp; |
| @@ -1350,7 +1359,8 @@ add_counter_to_entry(struct ipt_entry *e, | |||
| 1350 | } | 1359 | } |
| 1351 | 1360 | ||
| 1352 | static int | 1361 | static int |
| 1353 | do_add_counters(struct net *net, void __user *user, unsigned int len, int compat) | 1362 | do_add_counters(struct net *net, const void __user *user, |
| 1363 | unsigned int len, int compat) | ||
| 1354 | { | 1364 | { |
| 1355 | unsigned int i, curcpu; | 1365 | unsigned int i, curcpu; |
| 1356 | struct xt_counters_info tmp; | 1366 | struct xt_counters_info tmp; |
| @@ -1546,10 +1556,10 @@ static int | |||
| 1546 | check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, | 1556 | check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, |
| 1547 | struct xt_table_info *newinfo, | 1557 | struct xt_table_info *newinfo, |
| 1548 | unsigned int *size, | 1558 | unsigned int *size, |
| 1549 | unsigned char *base, | 1559 | const unsigned char *base, |
| 1550 | unsigned char *limit, | 1560 | const unsigned char *limit, |
| 1551 | unsigned int *hook_entries, | 1561 | const unsigned int *hook_entries, |
| 1552 | unsigned int *underflows, | 1562 | const unsigned int *underflows, |
| 1553 | unsigned int *i, | 1563 | unsigned int *i, |
| 1554 | const char *name) | 1564 | const char *name) |
| 1555 | { | 1565 | { |