diff options
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 132 |
1 files changed, 64 insertions, 68 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 9176e98ace7a..a6c2213f821e 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
@@ -381,91 +381,87 @@ ip6t_do_table(struct sk_buff *skb, | |||
381 | back = get_entry(table_base, private->underflow[hook]); | 381 | back = get_entry(table_base, private->underflow[hook]); |
382 | 382 | ||
383 | do { | 383 | do { |
384 | struct ip6t_entry_target *t; | ||
385 | |||
384 | IP_NF_ASSERT(e); | 386 | IP_NF_ASSERT(e); |
385 | IP_NF_ASSERT(back); | 387 | IP_NF_ASSERT(back); |
386 | if (ip6_packet_match(skb, indev, outdev, &e->ipv6, | 388 | if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, |
387 | &mtpar.thoff, &mtpar.fragoff, &hotdrop)) { | 389 | &mtpar.thoff, &mtpar.fragoff, &hotdrop)) { |
388 | struct ip6t_entry_target *t; | 390 | no_match: |
391 | e = ip6t_next_entry(e); | ||
392 | continue; | ||
393 | } | ||
389 | 394 | ||
390 | if (IP6T_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0) | 395 | if (IP6T_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0) |
391 | goto no_match; | 396 | goto no_match; |
392 | 397 | ||
393 | ADD_COUNTER(e->counters, | 398 | ADD_COUNTER(e->counters, |
394 | ntohs(ipv6_hdr(skb)->payload_len) + | 399 | ntohs(ipv6_hdr(skb)->payload_len) + |
395 | sizeof(struct ipv6hdr), 1); | 400 | sizeof(struct ipv6hdr), 1); |
396 | 401 | ||
397 | t = ip6t_get_target(e); | 402 | t = ip6t_get_target(e); |
398 | IP_NF_ASSERT(t->u.kernel.target); | 403 | IP_NF_ASSERT(t->u.kernel.target); |
399 | 404 | ||
400 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ | 405 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ |
401 | defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) | 406 | defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) |
402 | /* The packet is traced: log it */ | 407 | /* The packet is traced: log it */ |
403 | if (unlikely(skb->nf_trace)) | 408 | if (unlikely(skb->nf_trace)) |
404 | trace_packet(skb, hook, in, out, | 409 | trace_packet(skb, hook, in, out, |
405 | table->name, private, e); | 410 | table->name, private, e); |
406 | #endif | 411 | #endif |
407 | /* Standard target? */ | 412 | /* Standard target? */ |
408 | if (!t->u.kernel.target->target) { | 413 | if (!t->u.kernel.target->target) { |
409 | int v; | 414 | int v; |
410 | 415 | ||
411 | v = ((struct ip6t_standard_target *)t)->verdict; | 416 | v = ((struct ip6t_standard_target *)t)->verdict; |
412 | if (v < 0) { | 417 | if (v < 0) { |
413 | /* Pop from stack? */ | 418 | /* Pop from stack? */ |
414 | if (v != IP6T_RETURN) { | 419 | if (v != IP6T_RETURN) { |
415 | verdict = (unsigned)(-v) - 1; | 420 | verdict = (unsigned)(-v) - 1; |
416 | break; | 421 | break; |
417 | } | ||
418 | e = back; | ||
419 | back = get_entry(table_base, | ||
420 | back->comefrom); | ||
421 | continue; | ||
422 | } | ||
423 | if (table_base + v != ip6t_next_entry(e) | ||
424 | && !(e->ipv6.flags & IP6T_F_GOTO)) { | ||
425 | /* Save old back ptr in next entry */ | ||
426 | struct ip6t_entry *next | ||
427 | = ip6t_next_entry(e); | ||
428 | next->comefrom | ||
429 | = (void *)back - table_base; | ||
430 | /* set back pointer to next entry */ | ||
431 | back = next; | ||
432 | } | 422 | } |
423 | e = back; | ||
424 | back = get_entry(table_base, back->comefrom); | ||
425 | continue; | ||
426 | } | ||
427 | if (table_base + v != ip6t_next_entry(e) | ||
428 | && !(e->ipv6.flags & IP6T_F_GOTO)) { | ||
429 | /* Save old back ptr in next entry */ | ||
430 | struct ip6t_entry *next = ip6t_next_entry(e); | ||
431 | next->comefrom = (void *)back - table_base; | ||
432 | /* set back pointer to next entry */ | ||
433 | back = next; | ||
434 | } | ||
433 | 435 | ||
434 | e = get_entry(table_base, v); | 436 | e = get_entry(table_base, v); |
435 | } else { | 437 | } else { |
436 | /* Targets which reenter must return | 438 | /* Targets which reenter must return |
437 | abs. verdicts */ | 439 | abs. verdicts */ |
438 | tgpar.target = t->u.kernel.target; | 440 | tgpar.target = t->u.kernel.target; |
439 | tgpar.targinfo = t->data; | 441 | tgpar.targinfo = t->data; |
440 | 442 | ||
441 | #ifdef CONFIG_NETFILTER_DEBUG | 443 | #ifdef CONFIG_NETFILTER_DEBUG |
442 | ((struct ip6t_entry *)table_base)->comefrom | 444 | ((struct ip6t_entry *)table_base)->comefrom |
443 | = 0xeeeeeeec; | 445 | = 0xeeeeeeec; |
444 | #endif | 446 | #endif |
445 | verdict = t->u.kernel.target->target(skb, | 447 | verdict = t->u.kernel.target->target(skb, &tgpar); |
446 | &tgpar); | ||
447 | 448 | ||
448 | #ifdef CONFIG_NETFILTER_DEBUG | 449 | #ifdef CONFIG_NETFILTER_DEBUG |
449 | if (((struct ip6t_entry *)table_base)->comefrom | 450 | if (((struct ip6t_entry *)table_base)->comefrom |
450 | != 0xeeeeeeec | 451 | != 0xeeeeeeec |
451 | && verdict == IP6T_CONTINUE) { | 452 | && verdict == IP6T_CONTINUE) { |
452 | printk("Target %s reentered!\n", | 453 | printk("Target %s reentered!\n", |
453 | t->u.kernel.target->name); | 454 | t->u.kernel.target->name); |
454 | verdict = NF_DROP; | 455 | verdict = NF_DROP; |
455 | } | ||
456 | ((struct ip6t_entry *)table_base)->comefrom | ||
457 | = 0x57acc001; | ||
458 | #endif | ||
459 | if (verdict == IP6T_CONTINUE) | ||
460 | e = ip6t_next_entry(e); | ||
461 | else | ||
462 | /* Verdict */ | ||
463 | break; | ||
464 | } | 456 | } |
465 | } else { | 457 | ((struct ip6t_entry *)table_base)->comefrom |
466 | 458 | = 0x57acc001; | |
467 | no_match: | 459 | #endif |
468 | e = ip6t_next_entry(e); | 460 | if (verdict == IP6T_CONTINUE) |
461 | e = ip6t_next_entry(e); | ||
462 | else | ||
463 | /* Verdict */ | ||
464 | break; | ||
469 | } | 465 | } |
470 | } while (!hotdrop); | 466 | } while (!hotdrop); |
471 | 467 | ||