Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/netfilter/arptable_filter.c | 8 | ||||
-rw-r--r-- | net/ipv4/netfilter/iptable_filter.c | 21 | ||||
-rw-r--r-- | net/ipv4/netfilter/iptable_raw.c | 19 | ||||
-rw-r--r-- | net/ipv4/netfilter/iptable_security.c | 23 |
4 files changed, 30 insertions, 41 deletions
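--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -58,13 +58,9 @@ arptable_filter_hook(unsigned int hook, struct sk_buff *skb,
 		     const struct net_device *in, const struct net_device *out,
 		     int (*okfn)(struct sk_buff *))
 {
-	if (hook == NF_ARP_OUT)
-		return arpt_do_table(skb, hook, in, out,
-				     dev_net(out)->ipv4.arptable_filter);
+	const struct net *net = dev_net((in != NULL) ? in : out);
 
-	/* INPUT/FORWARD: */
-	return arpt_do_table(skb, hook, in, out,
-			     dev_net(in)->ipv4.arptable_filter);
+	return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter);
 }
 
 static struct nf_hook_ops arpt_ops[] __read_mostly = {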
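Review bot: `dev_net((in != NULL) ? in : out)` on new line 61 depends on at least one of `in`/`out` being non-NULL for every hook this table is registered on; the removed per-hook branches made that dependency visible, the new single expression does not, and `dev_net(NULL)` would dereference a null pointer. A comment above the line would keep that assumption next to the code, e.g. `/* assumes in is set for INPUT/FORWARD and out for OUTPUT, so one is always non-NULL */`, so a later change to the registered hooks cannot break it unnoticed. The same idiom is introduced in iptable_filter.c, iptable_raw.c and iptable_security.c in this commit and would benefit from the same comment. arptable_filter_hook's signature starts outside the hunk.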
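--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -65,19 +65,16 @@ iptable_filter_hook(unsigned int hook, struct sk_buff *skb,
 		    const struct net_device *in, const struct net_device *out,
 		    int (*okfn)(struct sk_buff *))
 {
-	if (hook == NF_INET_LOCAL_OUT) {
-		if (skb->len < sizeof(struct iphdr) ||
-		    ip_hdrlen(skb) < sizeof(struct iphdr))
-			/* root is playing with raw sockets. */
-			return NF_ACCEPT;
-
-		return ipt_do_table(skb, hook, in, out,
-				    dev_net(out)->ipv4.iptable_filter);
-	}
+	const struct net *net;
+
+	if (hook == NF_INET_LOCAL_OUT &&
+	    (skb->len < sizeof(struct iphdr) ||
+	     ip_hdrlen(skb) < sizeof(struct iphdr)))
+		/* root is playing with raw sockets. */
+		return NF_ACCEPT;
 
-	/* LOCAL_IN/FORWARD: */
-	return ipt_do_table(skb, hook, in, out,
-			    dev_net(in)->ipv4.iptable_filter);
+	net = dev_net((in != NULL) ? in : out);
+	return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
 }
 
 static struct nf_hook_ops ipt_ops[] __read_mostly = {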
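Review bot: On new lines 70–74 the `/* root is playing with raw sockets. */` comment sits between a braceless `if` and its single `return NF_ACCEPT;` statement, so on a quick read the comment looks like the body and the return looks unconditional; kernel style keeps the comment above the `if` or braces the body. Suggested: place `/* LOCAL_OUT: a raw socket may hand us less than a full iphdr, let it through. */` directly above `if (hook == NF_INET_LOCAL_OUT &&` and leave `return NF_ACCEPT;` as the bare body. The same layout is introduced in iptable_raw.c (where the old code had the comment above the `if`) and iptable_security.c. iptable_filter_hook's signature begins outside the hunk.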
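--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -49,17 +49,16 @@ iptable_raw_hook(unsigned int hook, struct sk_buff *skb,
 		 const struct net_device *in, const struct net_device *out,
 		 int (*okfn)(struct sk_buff *))
 {
-	if (hook == NF_INET_PRE_ROUTING)
-		return ipt_do_table(skb, hook, in, out,
-				    dev_net(in)->ipv4.iptable_raw);
-
-	/* OUTPUT: */
-	/* root is playing with raw sockets. */
-	if (skb->len < sizeof(struct iphdr) ||
-	    ip_hdrlen(skb) < sizeof(struct iphdr))
+	const struct net *net;
+
+	if (hook == NF_INET_LOCAL_OUT &&
+	    (skb->len < sizeof(struct iphdr) ||
+	     ip_hdrlen(skb) < sizeof(struct iphdr)))
+		/* root is playing with raw sockets. */
 		return NF_ACCEPT;
-	return ipt_do_table(skb, hook, in, out,
-			    dev_net(out)->ipv4.iptable_raw);
+
+	net = dev_net((in != NULL) ? in : out);
+	return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw);
 }
 
 /* 'raw' is the very first table. */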
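--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -70,19 +70,16 @@ iptable_security_hook(unsigned int hook, struct sk_buff *skb,
 		      const struct net_device *out,
 		      int (*okfn)(struct sk_buff *))
 {
-	if (hook == NF_INET_LOCAL_OUT) {
-		if (skb->len < sizeof(struct iphdr) ||
-		    ip_hdrlen(skb) < sizeof(struct iphdr))
-			/* Somebody is playing with raw sockets. */
-			return NF_ACCEPT;
-
-		return ipt_do_table(skb, hook, in, out,
-				    dev_net(out)->ipv4.iptable_security);
-	}
-
-	/* INPUT/FORWARD: */
-	return ipt_do_table(skb, hook, in, out,
-			    dev_net(in)->ipv4.iptable_security);
+	const struct net *net;
+
+	if (hook == NF_INET_LOCAL_OUT &&
+	    (skb->len < sizeof(struct iphdr) ||
+	     ip_hdrlen(skb) < sizeof(struct iphdr)))
+		/* Somebody is playing with raw sockets. */
+		return NF_ACCEPT;
+
+	net = dev_net((in != NULL) ? in : out);
+	return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security);
 }
 
 static struct nf_hook_ops ipt_ops[] __read_mostly = {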