Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/netfilter/arptable_filter.c8
-rw-r--r--net/ipv4/netfilter/iptable_filter.c21
-rw-r--r--net/ipv4/netfilter/iptable_raw.c19
-rw-r--r--net/ipv4/netfilter/iptable_security.c23
4 files changed, 30 insertions, 41 deletions
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index e9d823b149cd..deeda9b2cf05 100644
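--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -58,13 +58,9 @@ arptable_filter_hook(unsigned int hook, struct sk_buff *skb,
  const struct net_device *in, const struct net_device *out,
  int (*okfn)(struct sk_buff *))
 {
- if (hook == NF_ARP_OUT)
- return arpt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.arptable_filter);
+ const struct net *net = dev_net((in != NULL) ? in : out);
 
- /* INPUT/FORWARD: */
- return arpt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.arptable_filter);
+ return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter);
 }
 
 static struct nf_hook_ops arpt_ops[] __read_mostly = {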
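Review bot: `dev_net((in != NULL) ? in : out)` in arptable_filter_hook passes `out` to dev_net() unchecked whenever `in` is NULL, so the function now depends on every caller supplying at least one device, and on `in` and `out` belonging to the same namespace when both are set. The old per-hook branches and the `/* INPUT/FORWARD: */` comment that documented which device goes with which hook are gone. I would keep that knowledge as a comment above the lookup, for example `/* in is set for INPUT/FORWARD, out for OUTPUT; one of them is always non-NULL */`, once the author confirms it holds for every registered hook. The same expression is introduced in iptable_filter_hook, iptable_raw_hook and iptable_security_hook; the function signature starts above this hunk.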
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 5369833ad56a..1bfeaae6f624 100644
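--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -65,19 +65,16 @@ iptable_filter_hook(unsigned int hook, struct sk_buff *skb,
  const struct net_device *in, const struct net_device *out,
  int (*okfn)(struct sk_buff *))
 {
- if (hook == NF_INET_LOCAL_OUT) {
- if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr))
- /* root is playing with raw sockets. */
- return NF_ACCEPT;
-
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_filter);
- }
+ const struct net *net;
+
+ if (hook == NF_INET_LOCAL_OUT &&
+ (skb->len < sizeof(struct iphdr) ||
+ ip_hdrlen(skb) < sizeof(struct iphdr)))
+ /* root is playing with raw sockets. */
+ return NF_ACCEPT;
 
- /* LOCAL_IN/FORWARD: */
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_filter);
+ net = dev_net((in != NULL) ? in : out);
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
 }
 
 static struct nf_hook_ops ipt_ops[] __read_mostly = {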
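Review bot: The new `if` in iptable_filter_hook has a three-line condition, then a comment, then an unbraced `return NF_ACCEPT;`, which makes it easy for a later edit to slip a statement between the condition and the return and silently change which packets skip the table. Braces around the body would make its extent explicit: `if (hook == NF_INET_LOCAL_OUT && (...)) {` and a closing `}`, with the comment and the return inside. iptable_raw_hook and iptable_security_hook gain the same construct.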
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 2c55575e89f5..d16e43777c31 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -49,17 +49,16 @@ iptable_raw_hook(unsigned int hook, struct sk_buff *skb,
49 const struct net_device *in, const struct net_device *out, 49 const struct net_device *in, const struct net_device *out,
50 int (*okfn)(struct sk_buff *)) 50 int (*okfn)(struct sk_buff *))
51{ 51{
52 if (hook == NF_INET_PRE_ROUTING) 52 const struct net *net;
53 return ipt_do_table(skb, hook, in, out, 53
54 dev_net(in)->ipv4.iptable_raw); 54 if (hook == NF_INET_LOCAL_OUT &&
55 55 (skb->len < sizeof(struct iphdr) ||
56 /* OUTPUT: */ 56 ip_hdrlen(skb) < sizeof(struct iphdr)))
57 /* root is playing with raw sockets. */ 57 /* root is playing with raw sockets. */
58 if (skb->len < sizeof(struct iphdr) ||
59 ip_hdrlen(skb) < sizeof(struct iphdr))
60 return NF_ACCEPT; 58 return NF_ACCEPT;
61 return ipt_do_table(skb, hook, in, out, 59
62 dev_net(out)->ipv4.iptable_raw); 60 net = dev_net((in != NULL) ? in : out);
61 return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw);
63} 62}
64 63
65/* 'raw' is the very first table. */ 64/* 'raw' is the very first table. */
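Review bot: The header-length check in iptable_raw_hook is now keyed on `hook == NF_INET_LOCAL_OUT`, whereas the old code applied it to every hook other than NF_INET_PRE_ROUTING. The two are equivalent only if the raw table is attached at exactly those two hooks, which is decided by the registration code outside this hunk. A short comment such as `/* raw is only hooked at PRE_ROUTING and LOCAL_OUT */`, once confirmed, would record the assumption, so that adding a hook later prompts a look at whether it needs the same check before ipt_do_table().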
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 1c666bab3269..324505aaaa73 100644
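--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -70,19 +70,16 @@ iptable_security_hook(unsigned int hook, struct sk_buff *skb,
  const struct net_device *out,
  int (*okfn)(struct sk_buff *))
 {
- if (hook == NF_INET_LOCAL_OUT) {
- if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr))
- /* Somebody is playing with raw sockets. */
- return NF_ACCEPT;
-
- return ipt_do_table(skb, hook, in, out,
- dev_net(out)->ipv4.iptable_security);
- }
-
- /* INPUT/FORWARD: */
- return ipt_do_table(skb, hook, in, out,
- dev_net(in)->ipv4.iptable_security);
+ const struct net *net;
+
+ if (hook == NF_INET_LOCAL_OUT &&
+ (skb->len < sizeof(struct iphdr) ||
+ ip_hdrlen(skb) < sizeof(struct iphdr)))
+ /* Somebody is playing with raw sockets. */
+ return NF_ACCEPT;
+
+ net = dev_net((in != NULL) ? in : out);
+ return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security);
 }
 
 static struct nf_hook_ops ipt_ops[] __read_mostly = {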
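Review bot: The early `return NF_ACCEPT;` in iptable_security_hook lets a locally generated packet with a truncated IP header leave without the security table being consulted at all, and the comment `/* Somebody is playing with raw sockets. */` does not say why accepting is the right verdict. The commit keeps the existing behaviour, but since it rewrites these lines it is a good place to state the reasoning: which later stage is expected to reject such a packet, and that rules in this table are never evaluated for it. That helps anyone auditing whether rules in this table can be skipped. The same fail-open shortcut sits in iptable_filter_hook and iptable_raw_hook.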