9 files changed, 88 insertions, 56 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 7505dff4ffdf..7bc11ffbb845 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -8,7 +8,7 @@
 * Copyright (C) 2002 David S. Miller (davem@redhat.com)
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/kernel.h>
 #include <linux/skbuff.h>
 #include <linux/netdevice.h>
@@ -341,15 +341,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 }
 /* All zeroes == unconditional rule. */
-static inline int unconditional(const struct arpt_arp *arp)
+static inline bool unconditional(const struct arpt_arp *arp)
 {
-        unsigned int i;
+        static const struct arpt_arp uncond;
-        for (i = 0; i < sizeof(*arp)/sizeof(__u32); i++)
+        return memcmp(arp, &uncond, sizeof(uncond)) == 0;
-                if (((__u32 *)arp)[i])
-                        return 0;
-        return 1;
 }
 /* Figures out from what hook each rule can be called: returns 0 if
@@ -537,12 +533,28 @@ out:
        return ret;
 }
+static bool check_underflow(struct arpt_entry *e)
+{
+        const struct arpt_entry_target *t;
+        unsigned int verdict;
+        if (!unconditional(&e->arp))
+                return false;
+        t = arpt_get_target(e);
+        if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+                return false;
+        verdict = ((struct arpt_standard_target *)t)->verdict;
+        verdict = -verdict - 1;
+        return verdict == NF_DROP || verdict == NF_ACCEPT;
+}
 static inline int check_entry_size_and_hooks(struct arpt_entry *e,
                                             struct xt_table_info *newinfo,
                                             unsigned char *base,
                                             unsigned char *limit,
                                             const unsigned int *hook_entries,
                                             const unsigned int *underflows,
+                                             unsigned int valid_hooks,
                                             unsigned int *i)
 {
        unsigned int h;
@@ -562,15 +574,21 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
        /* Check hooks & underflows */
        for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
+                if (!(valid_hooks & (1 << h)))
+                        continue;
                if ((unsigned char *)e - base == hook_entries[h])
                        newinfo->hook_entry[h] = hook_entries[h];
-                if ((unsigned char *)e - base == underflows[h])
+                if ((unsigned char *)e - base == underflows[h]) {
+                        if (!check_underflow(e)) {
+                                pr_err("Underflows must be unconditional and "
+                                       "use the STANDARD target with "
+                                       "ACCEPT/DROP\n");
+                                return -EINVAL;
+                        }
                        newinfo->underflow[h] = underflows[h];
+                }
        }
-        /* FIXME: underflows must be unconditional, standard verdicts
-           < 0 (not ARPT_RETURN). --RR */
        /* Clear counters and comefrom */
        e->counters = ((struct xt_counters) { 0, 0 });
        e->comefrom = 0;
@@ -630,7 +648,7 @@ static int translate_table(const char *name,
                                 newinfo,
                                 entry0,
                                 entry0 + size,
-                                 hook_entries, underflows, &i);
+                                 hook_entries, underflows, valid_hooks, &i);
        duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
        if (ret != 0)
                return ret;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index fdefae6b5dfc..0b43fd7ca04a 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -8,6 +8,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/cache.h>
 #include <linux/capability.h>
 #include <linux/skbuff.h>
@@ -190,16 +191,11 @@ get_entry(void *base, unsigned int offset)
 /* All zeroes == unconditional rule. */
 /* Mildly perf critical (only if packet tracing is on) */
-static inline int
+static inline bool unconditional(const struct ipt_ip *ip)
-unconditional(const struct ipt_ip *ip)
 {
-        unsigned int i;
+        static const struct ipt_ip uncond;
-        for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
-                if (((__u32 *)ip)[i])
-                        return 0;
-        return 1;
+        return memcmp(ip, &uncond, sizeof(uncond)) == 0;
 #undef FWINV
 }
@@ -315,7 +311,6 @@ ipt_do_table(struct sk_buff *skb,
        static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
        const struct iphdr *ip;
-        u_int16_t datalen;
        bool hotdrop = false;
        /* Initializing verdict to NF_DROP keeps gcc happy. */
        unsigned int verdict = NF_DROP;
@@ -328,7 +323,6 @@ ipt_do_table(struct sk_buff *skb,
        /* Initialization */
        ip = ip_hdr(skb);
-        datalen = skb->len - ip->ihl * 4;
        indev = in ? in->name : nulldevname;
        outdev = out ? out->name : nulldevname;
        /* We handle fragments by dealing with the first fragment as
@@ -427,8 +421,6 @@ ipt_do_table(struct sk_buff *skb,
 #endif
                /* Target might have changed stuff. */
                ip = ip_hdr(skb);
-                datalen = skb->len - ip->ihl * 4;
                if (verdict == IPT_CONTINUE)
                        e = ipt_next_entry(e);
                else
@@ -716,6 +708,21 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
        return ret;
 }
+static bool check_underflow(struct ipt_entry *e)
+{
+        const struct ipt_entry_target *t;
+        unsigned int verdict;
+        if (!unconditional(&e->ip))
+                return false;
+        t = ipt_get_target(e);
+        if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+                return false;
+        verdict = ((struct ipt_standard_target *)t)->verdict;
+        verdict = -verdict - 1;
+        return verdict == NF_DROP || verdict == NF_ACCEPT;
+}
 static int
 check_entry_size_and_hooks(struct ipt_entry *e,
                           struct xt_table_info *newinfo,
@@ -723,6 +730,7 @@ check_entry_size_and_hooks(struct ipt_entry *e,
                           unsigned char *limit,
                           const unsigned int *hook_entries,
                           const unsigned int *underflows,
+                           unsigned int valid_hooks,
                           unsigned int *i)
 {
        unsigned int h;
@@ -742,15 +750,21 @@ check_entry_size_and_hooks(struct ipt_entry *e,
        /* Check hooks & underflows */
        for (h = 0; h < NF_INET_NUMHOOKS; h++) {
+                if (!(valid_hooks & (1 << h)))
+                        continue;
                if ((unsigned char *)e - base == hook_entries[h])
                        newinfo->hook_entry[h] = hook_entries[h];
-                if ((unsigned char *)e - base == underflows[h])
+                if ((unsigned char *)e - base == underflows[h]) {
+                        if (!check_underflow(e)) {
+                                pr_err("Underflows must be unconditional and "
+                                       "use the STANDARD target with "
+                                       "ACCEPT/DROP\n");
+                                return -EINVAL;
+                        }
                        newinfo->underflow[h] = underflows[h];
+                }
        }
-        /* FIXME: underflows must be unconditional, standard verdicts
-           < 0 (not IPT_RETURN). --RR */
        /* Clear counters and comefrom */
        e->counters = ((struct xt_counters) { 0, 0 });
        e->comefrom = 0;
@@ -813,7 +827,7 @@ translate_table(const char *name,
                                newinfo,
                                entry0,
                                entry0 + size,
-                                hook_entries, underflows, &i);
+                                hook_entries, underflows, valid_hooks, &i);
        if (ret != 0)
                return ret;
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index c30a969724f8..97dbd94a8e37 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -57,7 +57,7 @@ static struct xt_table packet_filter = {
        .name           = "filter",
        .valid_hooks    = FILTER_VALID_HOOKS,
        .me             = THIS_MODULE,
-        .af             = AF_INET,
+        .af             = NFPROTO_IPV4,
 };
 /* The work comes in here from netfilter.c. */
@@ -102,21 +102,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
        {
                .hook           = ipt_local_in_hook,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_LOCAL_IN,
                .priority       = NF_IP_PRI_FILTER,
        },
        {
                .hook           = ipt_hook,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_FORWARD,
                .priority       = NF_IP_PRI_FILTER,
        },
        {
                .hook           = ipt_local_out_hook,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_LOCAL_OUT,
                .priority       = NF_IP_PRI_FILTER,
        },
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 4087614d9519..28647f10aa7e 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -68,7 +68,7 @@ static struct xt_table packet_mangler = {
        .name           = "mangle",
        .valid_hooks    = MANGLE_VALID_HOOKS,
        .me             = THIS_MODULE,
-        .af             = AF_INET,
+        .af             = NFPROTO_IPV4,
 };
 /* The work comes in here from netfilter.c. */
@@ -162,35 +162,35 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
        {
                .hook           = ipt_pre_routing_hook,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_PRE_ROUTING,
                .priority       = NF_IP_PRI_MANGLE,
        },
        {
                .hook           = ipt_local_in_hook,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_LOCAL_IN,
                .priority       = NF_IP_PRI_MANGLE,
        },
        {
                .hook           = ipt_forward_hook,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_FORWARD,
                .priority       = NF_IP_PRI_MANGLE,
        },
        {
                .hook           = ipt_local_hook,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_LOCAL_OUT,
                .priority       = NF_IP_PRI_MANGLE,
        },
        {
                .hook           = ipt_post_routing_hook,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_POST_ROUTING,
                .priority       = NF_IP_PRI_MANGLE,
        },
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index e5356da1fb54..494784c999eb 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -40,7 +40,7 @@ static struct xt_table packet_raw = {
        .name = "raw",
        .valid_hooks =  RAW_VALID_HOOKS,
        .me = THIS_MODULE,
-        .af = AF_INET,
+        .af = NFPROTO_IPV4,
 };
 /* The work comes in here from netfilter.c. */
@@ -74,14 +74,14 @@ ipt_local_hook(unsigned int hook,
 static struct nf_hook_ops ipt_ops[] __read_mostly = {
        {
                .hook = ipt_hook,
-                .pf = PF_INET,
+                .pf = NFPROTO_IPV4,
                .hooknum = NF_INET_PRE_ROUTING,
                .priority = NF_IP_PRI_RAW,
                .owner = THIS_MODULE,
        },
        {
                .hook = ipt_local_hook,
-                .pf = PF_INET,
+                .pf = NFPROTO_IPV4,
                .hooknum = NF_INET_LOCAL_OUT,
                .priority = NF_IP_PRI_RAW,
                .owner = THIS_MODULE,
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 29ab630f240a..8804e1a0f915 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -61,7 +61,7 @@ static struct xt_table security_table = {
        .name           = "security",
        .valid_hooks    = SECURITY_VALID_HOOKS,
        .me             = THIS_MODULE,
-        .af             = AF_INET,
+        .af             = NFPROTO_IPV4,
 };
 static unsigned int
@@ -105,21 +105,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
        {
                .hook           = ipt_local_in_hook,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_LOCAL_IN,
                .priority       = NF_IP_PRI_SECURITY,
        },
        {
                .hook           = ipt_forward_hook,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_FORWARD,
                .priority       = NF_IP_PRI_SECURITY,
        },
        {
                .hook           = ipt_local_out_hook,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_LOCAL_OUT,
                .priority       = NF_IP_PRI_SECURITY,
        },
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 05a9bc8df536..9ac2fdc36ecc 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -158,28 +158,28 @@ static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = {
        {
                .hook           = ipv4_conntrack_in,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_PRE_ROUTING,
                .priority       = NF_IP_PRI_CONNTRACK,
        },
        {
                .hook           = ipv4_conntrack_local,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_LOCAL_OUT,
                .priority       = NF_IP_PRI_CONNTRACK,
        },
        {
                .hook           = ipv4_confirm,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_POST_ROUTING,
                .priority       = NF_IP_PRI_CONNTRACK_CONFIRM,
        },
        {
                .hook           = ipv4_confirm,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_LOCAL_IN,
                .priority       = NF_IP_PRI_CONNTRACK_CONFIRM,
        },
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 6348a793936e..6448a9b7d6f0 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -62,7 +62,7 @@ static struct xt_table nat_table = {
        .name           = "nat",
        .valid_hooks    = NAT_VALID_HOOKS,
        .me             = THIS_MODULE,
-        .af             = AF_INET,
+        .af             = NFPROTO_IPV4,
 };
 /* Source NAT */
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 5567bd0d0750..5f41d017ddd8 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -251,7 +251,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
        {
                .hook           = nf_nat_in,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_PRE_ROUTING,
                .priority       = NF_IP_PRI_NAT_DST,
        },
@@ -259,7 +259,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
        {
                .hook           = nf_nat_out,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_POST_ROUTING,
                .priority       = NF_IP_PRI_NAT_SRC,
        },
@@ -267,7 +267,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
        {
                .hook           = nf_nat_local_fn,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_LOCAL_OUT,
                .priority       = NF_IP_PRI_NAT_DST,
        },
@@ -275,7 +275,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
        {
                .hook           = nf_nat_fn,
                .owner          = THIS_MODULE,
-                .pf             = PF_INET,
+                .pf             = NFPROTO_IPV4,
                .hooknum        = NF_INET_LOCAL_IN,
                .priority       = NF_IP_PRI_NAT_SRC,
        },

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 7505dff4ffdf..7bc11ffbb845 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c
@@ -8,7 +8,7 @@
8	* Copyright (C) 2002 David S. Miller (davem@redhat.com)	8	* Copyright (C) 2002 David S. Miller (davem@redhat.com)
9	*	9	*
10	*/	10	*/
11		11	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12	#include <linux/kernel.h>	12	#include <linux/kernel.h>
13	#include <linux/skbuff.h>	13	#include <linux/skbuff.h>
14	#include <linux/netdevice.h>	14	#include <linux/netdevice.h>
@@ -341,15 +341,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
341	}	341	}
342		342
343	/* All zeroes == unconditional rule. */	343	/* All zeroes == unconditional rule. */
344	static inline int unconditional(const struct arpt_arp *arp)	344	static inline bool unconditional(const struct arpt_arp *arp)
345	{	345	{
346	unsigned int i;	346	static const struct arpt_arp uncond;
347		347
348	for (i = 0; i < sizeof(*arp)/sizeof(__u32); i++)	348	return memcmp(arp, &uncond, sizeof(uncond)) == 0;
349	if (((__u32 *)arp)[i])
350	return 0;
351
352	return 1;
353	}	349	}
354		350
355	/* Figures out from what hook each rule can be called: returns 0 if	351	/* Figures out from what hook each rule can be called: returns 0 if
@@ -537,12 +533,28 @@ out:
537	return ret;	533	return ret;
538	}	534	}
539		535
		536	static bool check_underflow(struct arpt_entry *e)
		537	{
		538	const struct arpt_entry_target *t;
		539	unsigned int verdict;
		540
		541	if (!unconditional(&e->arp))
		542	return false;
		543	t = arpt_get_target(e);
		544	if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
		545	return false;
		546	verdict = ((struct arpt_standard_target *)t)->verdict;
		547	verdict = -verdict - 1;
		548	return verdict == NF_DROP \|\| verdict == NF_ACCEPT;
		549	}
		550
540	static inline int check_entry_size_and_hooks(struct arpt_entry *e,	551	static inline int check_entry_size_and_hooks(struct arpt_entry *e,
541	struct xt_table_info *newinfo,	552	struct xt_table_info *newinfo,
542	unsigned char *base,	553	unsigned char *base,
543	unsigned char *limit,	554	unsigned char *limit,
544	const unsigned int *hook_entries,	555	const unsigned int *hook_entries,
545	const unsigned int *underflows,	556	const unsigned int *underflows,
		557	unsigned int valid_hooks,
546	unsigned int *i)	558	unsigned int *i)
547	{	559	{
548	unsigned int h;	560	unsigned int h;
@@ -562,15 +574,21 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
562		574
563	/* Check hooks & underflows */	575	/* Check hooks & underflows */
564	for (h = 0; h < NF_ARP_NUMHOOKS; h++) {	576	for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
		577	if (!(valid_hooks & (1 << h)))
		578	continue;
565	if ((unsigned char *)e - base == hook_entries[h])	579	if ((unsigned char *)e - base == hook_entries[h])
566	newinfo->hook_entry[h] = hook_entries[h];	580	newinfo->hook_entry[h] = hook_entries[h];
567	if ((unsigned char *)e - base == underflows[h])	581	if ((unsigned char *)e - base == underflows[h]) {
		582	if (!check_underflow(e)) {
		583	pr_err("Underflows must be unconditional and "
		584	"use the STANDARD target with "
		585	"ACCEPT/DROP\n");
		586	return -EINVAL;
		587	}
568	newinfo->underflow[h] = underflows[h];	588	newinfo->underflow[h] = underflows[h];
		589	}
569	}	590	}
570		591
571	/* FIXME: underflows must be unconditional, standard verdicts
572	< 0 (not ARPT_RETURN). --RR */
573
574	/* Clear counters and comefrom */	592	/* Clear counters and comefrom */
575	e->counters = ((struct xt_counters) { 0, 0 });	593	e->counters = ((struct xt_counters) { 0, 0 });
576	e->comefrom = 0;	594	e->comefrom = 0;
@@ -630,7 +648,7 @@ static int translate_table(const char *name,
630	newinfo,	648	newinfo,
631	entry0,	649	entry0,
632	entry0 + size,	650	entry0 + size,
633	hook_entries, underflows, &i);	651	hook_entries, underflows, valid_hooks, &i);
634	duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);	652	duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
635	if (ret != 0)	653	if (ret != 0)
636	return ret;	654	return ret;


diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index fdefae6b5dfc..0b43fd7ca04a 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c
@@ -8,6 +8,7 @@
8	* it under the terms of the GNU General Public License version 2 as	8	* it under the terms of the GNU General Public License version 2 as
9	* published by the Free Software Foundation.	9	* published by the Free Software Foundation.
10	*/	10	*/
		11	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11	#include <linux/cache.h>	12	#include <linux/cache.h>
12	#include <linux/capability.h>	13	#include <linux/capability.h>
13	#include <linux/skbuff.h>	14	#include <linux/skbuff.h>
@@ -190,16 +191,11 @@ get_entry(void *base, unsigned int offset)
190		191
191	/* All zeroes == unconditional rule. */	192	/* All zeroes == unconditional rule. */
192	/* Mildly perf critical (only if packet tracing is on) */	193	/* Mildly perf critical (only if packet tracing is on) */
193	static inline int	194	static inline bool unconditional(const struct ipt_ip *ip)
194	unconditional(const struct ipt_ip *ip)
195	{	195	{
196	unsigned int i;	196	static const struct ipt_ip uncond;
197
198	for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
199	if (((__u32 *)ip)[i])
200	return 0;
201		197
202	return 1;	198	return memcmp(ip, &uncond, sizeof(uncond)) == 0;
203	#undef FWINV	199	#undef FWINV
204	}	200	}
205		201
@@ -315,7 +311,6 @@ ipt_do_table(struct sk_buff *skb,
315		311
316	static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));	312	static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
317	const struct iphdr *ip;	313	const struct iphdr *ip;
318	u_int16_t datalen;
319	bool hotdrop = false;	314	bool hotdrop = false;
320	/* Initializing verdict to NF_DROP keeps gcc happy. */	315	/* Initializing verdict to NF_DROP keeps gcc happy. */
321	unsigned int verdict = NF_DROP;	316	unsigned int verdict = NF_DROP;
@@ -328,7 +323,6 @@ ipt_do_table(struct sk_buff *skb,
328		323
329	/* Initialization */	324	/* Initialization */
330	ip = ip_hdr(skb);	325	ip = ip_hdr(skb);
331	datalen = skb->len - ip->ihl * 4;
332	indev = in ? in->name : nulldevname;	326	indev = in ? in->name : nulldevname;
333	outdev = out ? out->name : nulldevname;	327	outdev = out ? out->name : nulldevname;
334	/* We handle fragments by dealing with the first fragment as	328	/* We handle fragments by dealing with the first fragment as
@@ -427,8 +421,6 @@ ipt_do_table(struct sk_buff *skb,
427	#endif	421	#endif
428	/* Target might have changed stuff. */	422	/* Target might have changed stuff. */
429	ip = ip_hdr(skb);	423	ip = ip_hdr(skb);
430	datalen = skb->len - ip->ihl * 4;
431
432	if (verdict == IPT_CONTINUE)	424	if (verdict == IPT_CONTINUE)
433	e = ipt_next_entry(e);	425	e = ipt_next_entry(e);
434	else	426	else
@@ -716,6 +708,21 @@ find_check_entry(struct ipt_entry e, const char name, unsigned int size,
716	return ret;	708	return ret;
717	}	709	}
718		710
		711	static bool check_underflow(struct ipt_entry *e)
		712	{
		713	const struct ipt_entry_target *t;
		714	unsigned int verdict;
		715
		716	if (!unconditional(&e->ip))
		717	return false;
		718	t = ipt_get_target(e);
		719	if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
		720	return false;
		721	verdict = ((struct ipt_standard_target *)t)->verdict;
		722	verdict = -verdict - 1;
		723	return verdict == NF_DROP \|\| verdict == NF_ACCEPT;
		724	}
		725
719	static int	726	static int
720	check_entry_size_and_hooks(struct ipt_entry *e,	727	check_entry_size_and_hooks(struct ipt_entry *e,
721	struct xt_table_info *newinfo,	728	struct xt_table_info *newinfo,
@@ -723,6 +730,7 @@ check_entry_size_and_hooks(struct ipt_entry *e,
723	unsigned char *limit,	730	unsigned char *limit,
724	const unsigned int *hook_entries,	731	const unsigned int *hook_entries,
725	const unsigned int *underflows,	732	const unsigned int *underflows,
		733	unsigned int valid_hooks,
726	unsigned int *i)	734	unsigned int *i)
727	{	735	{
728	unsigned int h;	736	unsigned int h;
@@ -742,15 +750,21 @@ check_entry_size_and_hooks(struct ipt_entry *e,
742		750
743	/* Check hooks & underflows */	751	/* Check hooks & underflows */
744	for (h = 0; h < NF_INET_NUMHOOKS; h++) {	752	for (h = 0; h < NF_INET_NUMHOOKS; h++) {
		753	if (!(valid_hooks & (1 << h)))
		754	continue;
745	if ((unsigned char *)e - base == hook_entries[h])	755	if ((unsigned char *)e - base == hook_entries[h])
746	newinfo->hook_entry[h] = hook_entries[h];	756	newinfo->hook_entry[h] = hook_entries[h];
747	if ((unsigned char *)e - base == underflows[h])	757	if ((unsigned char *)e - base == underflows[h]) {
		758	if (!check_underflow(e)) {
		759	pr_err("Underflows must be unconditional and "
		760	"use the STANDARD target with "
		761	"ACCEPT/DROP\n");
		762	return -EINVAL;
		763	}
748	newinfo->underflow[h] = underflows[h];	764	newinfo->underflow[h] = underflows[h];
		765	}
749	}	766	}
750		767
751	/* FIXME: underflows must be unconditional, standard verdicts
752	< 0 (not IPT_RETURN). --RR */
753
754	/* Clear counters and comefrom */	768	/* Clear counters and comefrom */
755	e->counters = ((struct xt_counters) { 0, 0 });	769	e->counters = ((struct xt_counters) { 0, 0 });
756	e->comefrom = 0;	770	e->comefrom = 0;
@@ -813,7 +827,7 @@ translate_table(const char *name,
813	newinfo,	827	newinfo,
814	entry0,	828	entry0,
815	entry0 + size,	829	entry0 + size,
816	hook_entries, underflows, &i);	830	hook_entries, underflows, valid_hooks, &i);
817	if (ret != 0)	831	if (ret != 0)
818	return ret;	832	return ret;
819		833


diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c index c30a969724f8..97dbd94a8e37 100644 --- a/net/ipv4/netfilter/iptable_filter.c +++ b/net/ipv4/netfilter/iptable_filter.c
@@ -57,7 +57,7 @@ static struct xt_table packet_filter = {
57	.name = "filter",	57	.name = "filter",
58	.valid_hooks = FILTER_VALID_HOOKS,	58	.valid_hooks = FILTER_VALID_HOOKS,
59	.me = THIS_MODULE,	59	.me = THIS_MODULE,
60	.af = AF_INET,	60	.af = NFPROTO_IPV4,
61	};	61	};
62		62
63	/* The work comes in here from netfilter.c. */	63	/* The work comes in here from netfilter.c. */
@@ -102,21 +102,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
102	{	102	{
103	.hook = ipt_local_in_hook,	103	.hook = ipt_local_in_hook,
104	.owner = THIS_MODULE,	104	.owner = THIS_MODULE,
105	.pf = PF_INET,	105	.pf = NFPROTO_IPV4,
106	.hooknum = NF_INET_LOCAL_IN,	106	.hooknum = NF_INET_LOCAL_IN,
107	.priority = NF_IP_PRI_FILTER,	107	.priority = NF_IP_PRI_FILTER,
108	},	108	},
109	{	109	{
110	.hook = ipt_hook,	110	.hook = ipt_hook,
111	.owner = THIS_MODULE,	111	.owner = THIS_MODULE,
112	.pf = PF_INET,	112	.pf = NFPROTO_IPV4,
113	.hooknum = NF_INET_FORWARD,	113	.hooknum = NF_INET_FORWARD,
114	.priority = NF_IP_PRI_FILTER,	114	.priority = NF_IP_PRI_FILTER,
115	},	115	},
116	{	116	{
117	.hook = ipt_local_out_hook,	117	.hook = ipt_local_out_hook,
118	.owner = THIS_MODULE,	118	.owner = THIS_MODULE,
119	.pf = PF_INET,	119	.pf = NFPROTO_IPV4,
120	.hooknum = NF_INET_LOCAL_OUT,	120	.hooknum = NF_INET_LOCAL_OUT,
121	.priority = NF_IP_PRI_FILTER,	121	.priority = NF_IP_PRI_FILTER,
122	},	122	},


diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c index 4087614d9519..28647f10aa7e 100644 --- a/net/ipv4/netfilter/iptable_mangle.c +++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -68,7 +68,7 @@ static struct xt_table packet_mangler = {
68	.name = "mangle",	68	.name = "mangle",
69	.valid_hooks = MANGLE_VALID_HOOKS,	69	.valid_hooks = MANGLE_VALID_HOOKS,
70	.me = THIS_MODULE,	70	.me = THIS_MODULE,
71	.af = AF_INET,	71	.af = NFPROTO_IPV4,
72	};	72	};
73		73
74	/* The work comes in here from netfilter.c. */	74	/* The work comes in here from netfilter.c. */
@@ -162,35 +162,35 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
162	{	162	{
163	.hook = ipt_pre_routing_hook,	163	.hook = ipt_pre_routing_hook,
164	.owner = THIS_MODULE,	164	.owner = THIS_MODULE,
165	.pf = PF_INET,	165	.pf = NFPROTO_IPV4,
166	.hooknum = NF_INET_PRE_ROUTING,	166	.hooknum = NF_INET_PRE_ROUTING,
167	.priority = NF_IP_PRI_MANGLE,	167	.priority = NF_IP_PRI_MANGLE,
168	},	168	},
169	{	169	{
170	.hook = ipt_local_in_hook,	170	.hook = ipt_local_in_hook,
171	.owner = THIS_MODULE,	171	.owner = THIS_MODULE,
172	.pf = PF_INET,	172	.pf = NFPROTO_IPV4,
173	.hooknum = NF_INET_LOCAL_IN,	173	.hooknum = NF_INET_LOCAL_IN,
174	.priority = NF_IP_PRI_MANGLE,	174	.priority = NF_IP_PRI_MANGLE,
175	},	175	},
176	{	176	{
177	.hook = ipt_forward_hook,	177	.hook = ipt_forward_hook,
178	.owner = THIS_MODULE,	178	.owner = THIS_MODULE,
179	.pf = PF_INET,	179	.pf = NFPROTO_IPV4,
180	.hooknum = NF_INET_FORWARD,	180	.hooknum = NF_INET_FORWARD,
181	.priority = NF_IP_PRI_MANGLE,	181	.priority = NF_IP_PRI_MANGLE,
182	},	182	},
183	{	183	{
184	.hook = ipt_local_hook,	184	.hook = ipt_local_hook,
185	.owner = THIS_MODULE,	185	.owner = THIS_MODULE,
186	.pf = PF_INET,	186	.pf = NFPROTO_IPV4,
187	.hooknum = NF_INET_LOCAL_OUT,	187	.hooknum = NF_INET_LOCAL_OUT,
188	.priority = NF_IP_PRI_MANGLE,	188	.priority = NF_IP_PRI_MANGLE,
189	},	189	},
190	{	190	{
191	.hook = ipt_post_routing_hook,	191	.hook = ipt_post_routing_hook,
192	.owner = THIS_MODULE,	192	.owner = THIS_MODULE,
193	.pf = PF_INET,	193	.pf = NFPROTO_IPV4,
194	.hooknum = NF_INET_POST_ROUTING,	194	.hooknum = NF_INET_POST_ROUTING,
195	.priority = NF_IP_PRI_MANGLE,	195	.priority = NF_IP_PRI_MANGLE,
196	},	196	},


diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index e5356da1fb54..494784c999eb 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c
@@ -40,7 +40,7 @@ static struct xt_table packet_raw = {
40	.name = "raw",	40	.name = "raw",
41	.valid_hooks = RAW_VALID_HOOKS,	41	.valid_hooks = RAW_VALID_HOOKS,
42	.me = THIS_MODULE,	42	.me = THIS_MODULE,
43	.af = AF_INET,	43	.af = NFPROTO_IPV4,
44	};	44	};
45		45
46	/* The work comes in here from netfilter.c. */	46	/* The work comes in here from netfilter.c. */
@@ -74,14 +74,14 @@ ipt_local_hook(unsigned int hook,
74	static struct nf_hook_ops ipt_ops[] __read_mostly = {	74	static struct nf_hook_ops ipt_ops[] __read_mostly = {
75	{	75	{
76	.hook = ipt_hook,	76	.hook = ipt_hook,
77	.pf = PF_INET,	77	.pf = NFPROTO_IPV4,
78	.hooknum = NF_INET_PRE_ROUTING,	78	.hooknum = NF_INET_PRE_ROUTING,
79	.priority = NF_IP_PRI_RAW,	79	.priority = NF_IP_PRI_RAW,
80	.owner = THIS_MODULE,	80	.owner = THIS_MODULE,
81	},	81	},
82	{	82	{
83	.hook = ipt_local_hook,	83	.hook = ipt_local_hook,
84	.pf = PF_INET,	84	.pf = NFPROTO_IPV4,
85	.hooknum = NF_INET_LOCAL_OUT,	85	.hooknum = NF_INET_LOCAL_OUT,
86	.priority = NF_IP_PRI_RAW,	86	.priority = NF_IP_PRI_RAW,
87	.owner = THIS_MODULE,	87	.owner = THIS_MODULE,


diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c index 29ab630f240a..8804e1a0f915 100644 --- a/net/ipv4/netfilter/iptable_security.c +++ b/net/ipv4/netfilter/iptable_security.c
@@ -61,7 +61,7 @@ static struct xt_table security_table = {
61	.name = "security",	61	.name = "security",
62	.valid_hooks = SECURITY_VALID_HOOKS,	62	.valid_hooks = SECURITY_VALID_HOOKS,
63	.me = THIS_MODULE,	63	.me = THIS_MODULE,
64	.af = AF_INET,	64	.af = NFPROTO_IPV4,
65	};	65	};
66		66
67	static unsigned int	67	static unsigned int
@@ -105,21 +105,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
105	{	105	{
106	.hook = ipt_local_in_hook,	106	.hook = ipt_local_in_hook,
107	.owner = THIS_MODULE,	107	.owner = THIS_MODULE,
108	.pf = PF_INET,	108	.pf = NFPROTO_IPV4,
109	.hooknum = NF_INET_LOCAL_IN,	109	.hooknum = NF_INET_LOCAL_IN,
110	.priority = NF_IP_PRI_SECURITY,	110	.priority = NF_IP_PRI_SECURITY,
111	},	111	},
112	{	112	{
113	.hook = ipt_forward_hook,	113	.hook = ipt_forward_hook,
114	.owner = THIS_MODULE,	114	.owner = THIS_MODULE,
115	.pf = PF_INET,	115	.pf = NFPROTO_IPV4,
116	.hooknum = NF_INET_FORWARD,	116	.hooknum = NF_INET_FORWARD,
117	.priority = NF_IP_PRI_SECURITY,	117	.priority = NF_IP_PRI_SECURITY,
118	},	118	},
119	{	119	{
120	.hook = ipt_local_out_hook,	120	.hook = ipt_local_out_hook,
121	.owner = THIS_MODULE,	121	.owner = THIS_MODULE,
122	.pf = PF_INET,	122	.pf = NFPROTO_IPV4,
123	.hooknum = NF_INET_LOCAL_OUT,	123	.hooknum = NF_INET_LOCAL_OUT,
124	.priority = NF_IP_PRI_SECURITY,	124	.priority = NF_IP_PRI_SECURITY,
125	},	125	},


diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 05a9bc8df536..9ac2fdc36ecc 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -158,28 +158,28 @@ static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = {
158	{	158	{
159	.hook = ipv4_conntrack_in,	159	.hook = ipv4_conntrack_in,
160	.owner = THIS_MODULE,	160	.owner = THIS_MODULE,
161	.pf = PF_INET,	161	.pf = NFPROTO_IPV4,
162	.hooknum = NF_INET_PRE_ROUTING,	162	.hooknum = NF_INET_PRE_ROUTING,
163	.priority = NF_IP_PRI_CONNTRACK,	163	.priority = NF_IP_PRI_CONNTRACK,
164	},	164	},
165	{	165	{
166	.hook = ipv4_conntrack_local,	166	.hook = ipv4_conntrack_local,
167	.owner = THIS_MODULE,	167	.owner = THIS_MODULE,
168	.pf = PF_INET,	168	.pf = NFPROTO_IPV4,
169	.hooknum = NF_INET_LOCAL_OUT,	169	.hooknum = NF_INET_LOCAL_OUT,
170	.priority = NF_IP_PRI_CONNTRACK,	170	.priority = NF_IP_PRI_CONNTRACK,
171	},	171	},
172	{	172	{
173	.hook = ipv4_confirm,	173	.hook = ipv4_confirm,
174	.owner = THIS_MODULE,	174	.owner = THIS_MODULE,
175	.pf = PF_INET,	175	.pf = NFPROTO_IPV4,
176	.hooknum = NF_INET_POST_ROUTING,	176	.hooknum = NF_INET_POST_ROUTING,
177	.priority = NF_IP_PRI_CONNTRACK_CONFIRM,	177	.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
178	},	178	},
179	{	179	{
180	.hook = ipv4_confirm,	180	.hook = ipv4_confirm,
181	.owner = THIS_MODULE,	181	.owner = THIS_MODULE,
182	.pf = PF_INET,	182	.pf = NFPROTO_IPV4,
183	.hooknum = NF_INET_LOCAL_IN,	183	.hooknum = NF_INET_LOCAL_IN,
184	.priority = NF_IP_PRI_CONNTRACK_CONFIRM,	184	.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
185	},	185	},


diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c index 6348a793936e..6448a9b7d6f0 100644 --- a/net/ipv4/netfilter/nf_nat_rule.c +++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -62,7 +62,7 @@ static struct xt_table nat_table = {
62	.name = "nat",	62	.name = "nat",
63	.valid_hooks = NAT_VALID_HOOKS,	63	.valid_hooks = NAT_VALID_HOOKS,
64	.me = THIS_MODULE,	64	.me = THIS_MODULE,
65	.af = AF_INET,	65	.af = NFPROTO_IPV4,
66	};	66	};
67		67
68	/* Source NAT */	68	/* Source NAT */


diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 5567bd0d0750..5f41d017ddd8 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -251,7 +251,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
251	{	251	{
252	.hook = nf_nat_in,	252	.hook = nf_nat_in,
253	.owner = THIS_MODULE,	253	.owner = THIS_MODULE,
254	.pf = PF_INET,	254	.pf = NFPROTO_IPV4,
255	.hooknum = NF_INET_PRE_ROUTING,	255	.hooknum = NF_INET_PRE_ROUTING,
256	.priority = NF_IP_PRI_NAT_DST,	256	.priority = NF_IP_PRI_NAT_DST,
257	},	257	},
@@ -259,7 +259,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
259	{	259	{
260	.hook = nf_nat_out,	260	.hook = nf_nat_out,
261	.owner = THIS_MODULE,	261	.owner = THIS_MODULE,
262	.pf = PF_INET,	262	.pf = NFPROTO_IPV4,
263	.hooknum = NF_INET_POST_ROUTING,	263	.hooknum = NF_INET_POST_ROUTING,
264	.priority = NF_IP_PRI_NAT_SRC,	264	.priority = NF_IP_PRI_NAT_SRC,
265	},	265	},
@@ -267,7 +267,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
267	{	267	{
268	.hook = nf_nat_local_fn,	268	.hook = nf_nat_local_fn,
269	.owner = THIS_MODULE,	269	.owner = THIS_MODULE,
270	.pf = PF_INET,	270	.pf = NFPROTO_IPV4,
271	.hooknum = NF_INET_LOCAL_OUT,	271	.hooknum = NF_INET_LOCAL_OUT,
272	.priority = NF_IP_PRI_NAT_DST,	272	.priority = NF_IP_PRI_NAT_DST,
273	},	273	},
@@ -275,7 +275,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
275	{	275	{
276	.hook = nf_nat_fn,	276	.hook = nf_nat_fn,
277	.owner = THIS_MODULE,	277	.owner = THIS_MODULE,
278	.pf = PF_INET,	278	.pf = NFPROTO_IPV4,
279	.hooknum = NF_INET_LOCAL_IN,	279	.hooknum = NF_INET_LOCAL_IN,
280	.priority = NF_IP_PRI_NAT_SRC,	280	.priority = NF_IP_PRI_NAT_SRC,
281	},	281	},