aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv6
diff options
context:
space:
mode:
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/netfilter/ip6_tables.c132
1 files changed, 64 insertions, 68 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 9176e98ace7a..a6c2213f821e 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -381,91 +381,87 @@ ip6t_do_table(struct sk_buff *skb,
381 back = get_entry(table_base, private->underflow[hook]); 381 back = get_entry(table_base, private->underflow[hook]);
382 382
383 do { 383 do {
384 struct ip6t_entry_target *t;
385
384 IP_NF_ASSERT(e); 386 IP_NF_ASSERT(e);
385 IP_NF_ASSERT(back); 387 IP_NF_ASSERT(back);
386 if (ip6_packet_match(skb, indev, outdev, &e->ipv6, 388 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
387 &mtpar.thoff, &mtpar.fragoff, &hotdrop)) { 389 &mtpar.thoff, &mtpar.fragoff, &hotdrop)) {
388 struct ip6t_entry_target *t; 390 no_match:
391 e = ip6t_next_entry(e);
392 continue;
393 }
389 394
390 if (IP6T_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0) 395 if (IP6T_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0)
391 goto no_match; 396 goto no_match;
392 397
393 ADD_COUNTER(e->counters, 398 ADD_COUNTER(e->counters,
394 ntohs(ipv6_hdr(skb)->payload_len) + 399 ntohs(ipv6_hdr(skb)->payload_len) +
395 sizeof(struct ipv6hdr), 1); 400 sizeof(struct ipv6hdr), 1);
396 401
397 t = ip6t_get_target(e); 402 t = ip6t_get_target(e);
398 IP_NF_ASSERT(t->u.kernel.target); 403 IP_NF_ASSERT(t->u.kernel.target);
399 404
400#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ 405#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
401 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) 406 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
402 /* The packet is traced: log it */ 407 /* The packet is traced: log it */
403 if (unlikely(skb->nf_trace)) 408 if (unlikely(skb->nf_trace))
404 trace_packet(skb, hook, in, out, 409 trace_packet(skb, hook, in, out,
405 table->name, private, e); 410 table->name, private, e);
406#endif 411#endif
407 /* Standard target? */ 412 /* Standard target? */
408 if (!t->u.kernel.target->target) { 413 if (!t->u.kernel.target->target) {
409 int v; 414 int v;
410 415
411 v = ((struct ip6t_standard_target *)t)->verdict; 416 v = ((struct ip6t_standard_target *)t)->verdict;
412 if (v < 0) { 417 if (v < 0) {
413 /* Pop from stack? */ 418 /* Pop from stack? */
414 if (v != IP6T_RETURN) { 419 if (v != IP6T_RETURN) {
415 verdict = (unsigned)(-v) - 1; 420 verdict = (unsigned)(-v) - 1;
416 break; 421 break;
417 }
418 e = back;
419 back = get_entry(table_base,
420 back->comefrom);
421 continue;
422 }
423 if (table_base + v != ip6t_next_entry(e)
424 && !(e->ipv6.flags & IP6T_F_GOTO)) {
425 /* Save old back ptr in next entry */
426 struct ip6t_entry *next
427 = ip6t_next_entry(e);
428 next->comefrom
429 = (void *)back - table_base;
430 /* set back pointer to next entry */
431 back = next;
432 } 422 }
423 e = back;
424 back = get_entry(table_base, back->comefrom);
425 continue;
426 }
427 if (table_base + v != ip6t_next_entry(e)
428 && !(e->ipv6.flags & IP6T_F_GOTO)) {
429 /* Save old back ptr in next entry */
430 struct ip6t_entry *next = ip6t_next_entry(e);
431 next->comefrom = (void *)back - table_base;
432 /* set back pointer to next entry */
433 back = next;
434 }
433 435
434 e = get_entry(table_base, v); 436 e = get_entry(table_base, v);
435 } else { 437 } else {
436 /* Targets which reenter must return 438 /* Targets which reenter must return
437 abs. verdicts */ 439 abs. verdicts */
438 tgpar.target = t->u.kernel.target; 440 tgpar.target = t->u.kernel.target;
439 tgpar.targinfo = t->data; 441 tgpar.targinfo = t->data;
440 442
441#ifdef CONFIG_NETFILTER_DEBUG 443#ifdef CONFIG_NETFILTER_DEBUG
442 ((struct ip6t_entry *)table_base)->comefrom 444 ((struct ip6t_entry *)table_base)->comefrom
443 = 0xeeeeeeec; 445 = 0xeeeeeeec;
444#endif 446#endif
445 verdict = t->u.kernel.target->target(skb, 447 verdict = t->u.kernel.target->target(skb, &tgpar);
446 &tgpar);
447 448
448#ifdef CONFIG_NETFILTER_DEBUG 449#ifdef CONFIG_NETFILTER_DEBUG
449 if (((struct ip6t_entry *)table_base)->comefrom 450 if (((struct ip6t_entry *)table_base)->comefrom
450 != 0xeeeeeeec 451 != 0xeeeeeeec
451 && verdict == IP6T_CONTINUE) { 452 && verdict == IP6T_CONTINUE) {
452 printk("Target %s reentered!\n", 453 printk("Target %s reentered!\n",
453 t->u.kernel.target->name); 454 t->u.kernel.target->name);
454 verdict = NF_DROP; 455 verdict = NF_DROP;
455 }
456 ((struct ip6t_entry *)table_base)->comefrom
457 = 0x57acc001;
458#endif
459 if (verdict == IP6T_CONTINUE)
460 e = ip6t_next_entry(e);
461 else
462 /* Verdict */
463 break;
464 } 456 }
465 } else { 457 ((struct ip6t_entry *)table_base)->comefrom
466 458 = 0x57acc001;
467 no_match: 459#endif
468 e = ip6t_next_entry(e); 460 if (verdict == IP6T_CONTINUE)
461 e = ip6t_next_entry(e);
462 else
463 /* Verdict */
464 break;
469 } 465 }
470 } while (!hotdrop); 466 } while (!hotdrop);
471 467