Diffstat (limited to 'net')
-rw-r--r-- | net/bridge/netfilter/ebtables.c | 59 | ||||
-rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 69 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 88 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 88 |
4 files changed, 168 insertions, 136 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 208f4e32e732..bcdf02d866b8 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c | |||
@@ -82,7 +82,8 @@ static inline int ebt_do_match (struct ebt_entry_match *m, | |||
82 | return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH; | 82 | return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH; |
83 | } | 83 | } |
84 | 84 | ||
85 | static inline int ebt_dev_check(char *entry, const struct net_device *device) | 85 | static inline int |
86 | ebt_dev_check(const char *entry, const struct net_device *device) | ||
86 | { | 87 | { |
87 | int i = 0; | 88 | int i = 0; |
88 | const char *devname; | 89 | const char *devname; |
@@ -100,8 +101,9 @@ static inline int ebt_dev_check(char *entry, const struct net_device *device) | |||
100 | 101 | ||
101 | #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg)) | 102 | #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg)) |
102 | /* process standard matches */ | 103 | /* process standard matches */ |
103 | static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h, | 104 | static inline int |
104 | const struct net_device *in, const struct net_device *out) | 105 | ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h, |
106 | const struct net_device *in, const struct net_device *out) | ||
105 | { | 107 | { |
106 | int verdict, i; | 108 | int verdict, i; |
107 | 109 | ||
@@ -156,12 +158,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb, | |||
156 | int i, nentries; | 158 | int i, nentries; |
157 | struct ebt_entry *point; | 159 | struct ebt_entry *point; |
158 | struct ebt_counter *counter_base, *cb_base; | 160 | struct ebt_counter *counter_base, *cb_base; |
159 | struct ebt_entry_target *t; | 161 | const struct ebt_entry_target *t; |
160 | int verdict, sp = 0; | 162 | int verdict, sp = 0; |
161 | struct ebt_chainstack *cs; | 163 | struct ebt_chainstack *cs; |
162 | struct ebt_entries *chaininfo; | 164 | struct ebt_entries *chaininfo; |
163 | char *base; | 165 | const char *base; |
164 | struct ebt_table_info *private; | 166 | const struct ebt_table_info *private; |
165 | bool hotdrop = false; | 167 | bool hotdrop = false; |
166 | struct xt_match_param mtpar; | 168 | struct xt_match_param mtpar; |
167 | struct xt_target_param tgpar; | 169 | struct xt_target_param tgpar; |
@@ -395,7 +397,7 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par, | |||
395 | return 0; | 397 | return 0; |
396 | } | 398 | } |
397 | 399 | ||
398 | static int ebt_verify_pointers(struct ebt_replace *repl, | 400 | static int ebt_verify_pointers(const struct ebt_replace *repl, |
399 | struct ebt_table_info *newinfo) | 401 | struct ebt_table_info *newinfo) |
400 | { | 402 | { |
401 | unsigned int limit = repl->entries_size; | 403 | unsigned int limit = repl->entries_size; |
@@ -466,8 +468,8 @@ static int ebt_verify_pointers(struct ebt_replace *repl, | |||
466 | * to parse the userspace data | 468 | * to parse the userspace data |
467 | */ | 469 | */ |
468 | static inline int | 470 | static inline int |
469 | ebt_check_entry_size_and_hooks(struct ebt_entry *e, | 471 | ebt_check_entry_size_and_hooks(const struct ebt_entry *e, |
470 | struct ebt_table_info *newinfo, | 472 | const struct ebt_table_info *newinfo, |
471 | unsigned int *n, unsigned int *cnt, | 473 | unsigned int *n, unsigned int *cnt, |
472 | unsigned int *totalcnt, unsigned int *udc_cnt) | 474 | unsigned int *totalcnt, unsigned int *udc_cnt) |
473 | { | 475 | { |
@@ -622,9 +624,8 @@ ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt) | |||
622 | } | 624 | } |
623 | 625 | ||
624 | static inline int | 626 | static inline int |
625 | ebt_check_entry(struct ebt_entry *e, | 627 | ebt_check_entry(struct ebt_entry *e, struct net *net, |
626 | struct net *net, | 628 | const struct ebt_table_info *newinfo, |
627 | struct ebt_table_info *newinfo, | ||
628 | const char *name, unsigned int *cnt, | 629 | const char *name, unsigned int *cnt, |
629 | struct ebt_cl_stack *cl_s, unsigned int udc_cnt) | 630 | struct ebt_cl_stack *cl_s, unsigned int udc_cnt) |
630 | { | 631 | { |
@@ -743,12 +744,12 @@ cleanup_matches: | |||
743 | * the hook mask for udc tells us from which base chains the udc can be | 744 | * the hook mask for udc tells us from which base chains the udc can be |
744 | * accessed. This mask is a parameter to the check() functions of the extensions | 745 | * accessed. This mask is a parameter to the check() functions of the extensions |
745 | */ | 746 | */ |
746 | static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s, | 747 | static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s, |
747 | unsigned int udc_cnt, unsigned int hooknr, char *base) | 748 | unsigned int udc_cnt, unsigned int hooknr, char *base) |
748 | { | 749 | { |
749 | int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict; | 750 | int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict; |
750 | struct ebt_entry *e = (struct ebt_entry *)chain->data; | 751 | const struct ebt_entry *e = (struct ebt_entry *)chain->data; |
751 | struct ebt_entry_target *t; | 752 | const struct ebt_entry_target *t; |
752 | 753 | ||
753 | while (pos < nentries || chain_nr != -1) { | 754 | while (pos < nentries || chain_nr != -1) { |
754 | /* end of udc, go back one 'recursion' step */ | 755 | /* end of udc, go back one 'recursion' step */ |
@@ -814,7 +815,7 @@ letscontinue: | |||
814 | } | 815 | } |
815 | 816 | ||
816 | /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */ | 817 | /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */ |
817 | static int translate_table(struct net *net, char *name, | 818 | static int translate_table(struct net *net, const char *name, |
818 | struct ebt_table_info *newinfo) | 819 | struct ebt_table_info *newinfo) |
819 | { | 820 | { |
820 | unsigned int i, j, k, udc_cnt; | 821 | unsigned int i, j, k, udc_cnt; |
@@ -934,7 +935,7 @@ static int translate_table(struct net *net, char *name, | |||
934 | } | 935 | } |
935 | 936 | ||
936 | /* called under write_lock */ | 937 | /* called under write_lock */ |
937 | static void get_counters(struct ebt_counter *oldcounters, | 938 | static void get_counters(const struct ebt_counter *oldcounters, |
938 | struct ebt_counter *counters, unsigned int nentries) | 939 | struct ebt_counter *counters, unsigned int nentries) |
939 | { | 940 | { |
940 | int i, cpu; | 941 | int i, cpu; |
@@ -957,7 +958,8 @@ static void get_counters(struct ebt_counter *oldcounters, | |||
957 | } | 958 | } |
958 | 959 | ||
959 | /* replace the table */ | 960 | /* replace the table */ |
960 | static int do_replace(struct net *net, void __user *user, unsigned int len) | 961 | static int do_replace(struct net *net, const void __user *user, |
962 | unsigned int len) | ||
961 | { | 963 | { |
962 | int ret, i, countersize; | 964 | int ret, i, countersize; |
963 | struct ebt_table_info *newinfo; | 965 | struct ebt_table_info *newinfo; |
@@ -1237,7 +1239,8 @@ void ebt_unregister_table(struct net *net, struct ebt_table *table) | |||
1237 | } | 1239 | } |
1238 | 1240 | ||
1239 | /* userspace just supplied us with counters */ | 1241 | /* userspace just supplied us with counters */ |
1240 | static int update_counters(struct net *net, void __user *user, unsigned int len) | 1242 | static int update_counters(struct net *net, const void __user *user, |
1243 | unsigned int len) | ||
1241 | { | 1244 | { |
1242 | int i, ret; | 1245 | int i, ret; |
1243 | struct ebt_counter *tmp; | 1246 | struct ebt_counter *tmp; |
@@ -1292,8 +1295,8 @@ free_tmp: | |||
1292 | return ret; | 1295 | return ret; |
1293 | } | 1296 | } |
1294 | 1297 | ||
1295 | static inline int ebt_make_matchname(struct ebt_entry_match *m, | 1298 | static inline int ebt_make_matchname(const struct ebt_entry_match *m, |
1296 | char *base, char __user *ubase) | 1299 | const char *base, char __user *ubase) |
1297 | { | 1300 | { |
1298 | char __user *hlp = ubase + ((char *)m - base); | 1301 | char __user *hlp = ubase + ((char *)m - base); |
1299 | if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN)) | 1302 | if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN)) |
@@ -1301,8 +1304,8 @@ static inline int ebt_make_matchname(struct ebt_entry_match *m, | |||
1301 | return 0; | 1304 | return 0; |
1302 | } | 1305 | } |
1303 | 1306 | ||
1304 | static inline int ebt_make_watchername(struct ebt_entry_watcher *w, | 1307 | static inline int ebt_make_watchername(const struct ebt_entry_watcher *w, |
1305 | char *base, char __user *ubase) | 1308 | const char *base, char __user *ubase) |
1306 | { | 1309 | { |
1307 | char __user *hlp = ubase + ((char *)w - base); | 1310 | char __user *hlp = ubase + ((char *)w - base); |
1308 | if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN)) | 1311 | if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN)) |
@@ -1310,11 +1313,12 @@ static inline int ebt_make_watchername(struct ebt_entry_watcher *w, | |||
1310 | return 0; | 1313 | return 0; |
1311 | } | 1314 | } |
1312 | 1315 | ||
1313 | static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase) | 1316 | static inline int |
1317 | ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase) | ||
1314 | { | 1318 | { |
1315 | int ret; | 1319 | int ret; |
1316 | char __user *hlp; | 1320 | char __user *hlp; |
1317 | struct ebt_entry_target *t; | 1321 | const struct ebt_entry_target *t; |
1318 | 1322 | ||
1319 | if (e->bitmask == 0) | 1323 | if (e->bitmask == 0) |
1320 | return 0; | 1324 | return 0; |
@@ -1335,10 +1339,11 @@ static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *u | |||
1335 | 1339 | ||
1336 | /* called with ebt_mutex locked */ | 1340 | /* called with ebt_mutex locked */ |
1337 | static int copy_everything_to_user(struct ebt_table *t, void __user *user, | 1341 | static int copy_everything_to_user(struct ebt_table *t, void __user *user, |
1338 | int *len, int cmd) | 1342 | const int *len, int cmd) |
1339 | { | 1343 | { |
1340 | struct ebt_replace tmp; | 1344 | struct ebt_replace tmp; |
1341 | struct ebt_counter *counterstmp, *oldcounters; | 1345 | struct ebt_counter *counterstmp; |
1346 | const struct ebt_counter *oldcounters; | ||
1342 | unsigned int entries_size, nentries; | 1347 | unsigned int entries_size, nentries; |
1343 | char *entries; | 1348 | char *entries; |
1344 | 1349 | ||
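Review bot: ebt_make_matchname and ebt_make_watchername still cast their now-const first argument back to `char *` when computing the userspace offset (`(char *)m - base`, `(char *)w - base`), which silently discards the qualifier this patch adds and would trip -Wcast-qual; since `base` is also `const char *` now, `char __user *hlp = ubase + ((const char *)m - base);` and `char __user *hlp = ubase + ((const char *)w - base);` give the same result without the cast-away. The same pattern appears in check_chainloops, where `e` is declared `const struct ebt_entry *` but initialised from `(struct ebt_entry *)chain->data`; `const struct ebt_entry *e = (const struct ebt_entry *)chain->data;` matches the declaration. check_chainloops also keeps its `base` parameter as plain `char *` while `chain` becomes const; whether `base` is written through is not visible here, so that may be deliberate. The bodies of all three functions continue outside the hunks shown.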
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 2303dc92a277..4db5c1ece0f9 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
@@ -233,7 +233,14 @@ arpt_error(struct sk_buff *skb, const struct xt_target_param *par) | |||
233 | return NF_DROP; | 233 | return NF_DROP; |
234 | } | 234 | } |
235 | 235 | ||
236 | static inline struct arpt_entry *get_entry(void *base, unsigned int offset) | 236 | static inline const struct arpt_entry_target * |
237 | arpt_get_target_c(const struct arpt_entry *e) | ||
238 | { | ||
239 | return arpt_get_target((struct arpt_entry *)e); | ||
240 | } | ||
241 | |||
242 | static inline struct arpt_entry * | ||
243 | get_entry(const void *base, unsigned int offset) | ||
237 | { | 244 | { |
238 | return (struct arpt_entry *)(base + offset); | 245 | return (struct arpt_entry *)(base + offset); |
239 | } | 246 | } |
@@ -280,7 +287,7 @@ unsigned int arpt_do_table(struct sk_buff *skb, | |||
280 | 287 | ||
281 | arp = arp_hdr(skb); | 288 | arp = arp_hdr(skb); |
282 | do { | 289 | do { |
283 | struct arpt_entry_target *t; | 290 | const struct arpt_entry_target *t; |
284 | int hdr_len; | 291 | int hdr_len; |
285 | 292 | ||
286 | if (!arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) { | 293 | if (!arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) { |
@@ -292,7 +299,7 @@ unsigned int arpt_do_table(struct sk_buff *skb, | |||
292 | (2 * skb->dev->addr_len); | 299 | (2 * skb->dev->addr_len); |
293 | ADD_COUNTER(e->counters, hdr_len, 1); | 300 | ADD_COUNTER(e->counters, hdr_len, 1); |
294 | 301 | ||
295 | t = arpt_get_target(e); | 302 | t = arpt_get_target_c(e); |
296 | 303 | ||
297 | /* Standard target? */ | 304 | /* Standard target? */ |
298 | if (!t->u.kernel.target->target) { | 305 | if (!t->u.kernel.target->target) { |
@@ -358,7 +365,7 @@ static inline bool unconditional(const struct arpt_arp *arp) | |||
358 | /* Figures out from what hook each rule can be called: returns 0 if | 365 | /* Figures out from what hook each rule can be called: returns 0 if |
359 | * there are loops. Puts hook bitmask in comefrom. | 366 | * there are loops. Puts hook bitmask in comefrom. |
360 | */ | 367 | */ |
361 | static int mark_source_chains(struct xt_table_info *newinfo, | 368 | static int mark_source_chains(const struct xt_table_info *newinfo, |
362 | unsigned int valid_hooks, void *entry0) | 369 | unsigned int valid_hooks, void *entry0) |
363 | { | 370 | { |
364 | unsigned int hook; | 371 | unsigned int hook; |
@@ -379,7 +386,7 @@ static int mark_source_chains(struct xt_table_info *newinfo, | |||
379 | 386 | ||
380 | for (;;) { | 387 | for (;;) { |
381 | const struct arpt_standard_target *t | 388 | const struct arpt_standard_target *t |
382 | = (void *)arpt_get_target(e); | 389 | = (void *)arpt_get_target_c(e); |
383 | int visited = e->comefrom & (1 << hook); | 390 | int visited = e->comefrom & (1 << hook); |
384 | 391 | ||
385 | if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) { | 392 | if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) { |
@@ -463,7 +470,7 @@ static int mark_source_chains(struct xt_table_info *newinfo, | |||
463 | return 1; | 470 | return 1; |
464 | } | 471 | } |
465 | 472 | ||
466 | static inline int check_entry(struct arpt_entry *e, const char *name) | 473 | static inline int check_entry(const struct arpt_entry *e, const char *name) |
467 | { | 474 | { |
468 | const struct arpt_entry_target *t; | 475 | const struct arpt_entry_target *t; |
469 | 476 | ||
@@ -475,7 +482,7 @@ static inline int check_entry(struct arpt_entry *e, const char *name) | |||
475 | if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset) | 482 | if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset) |
476 | return -EINVAL; | 483 | return -EINVAL; |
477 | 484 | ||
478 | t = arpt_get_target(e); | 485 | t = arpt_get_target_c(e); |
479 | if (e->target_offset + t->u.target_size > e->next_offset) | 486 | if (e->target_offset + t->u.target_size > e->next_offset) |
480 | return -EINVAL; | 487 | return -EINVAL; |
481 | 488 | ||
@@ -540,14 +547,14 @@ out: | |||
540 | return ret; | 547 | return ret; |
541 | } | 548 | } |
542 | 549 | ||
543 | static bool check_underflow(struct arpt_entry *e) | 550 | static bool check_underflow(const struct arpt_entry *e) |
544 | { | 551 | { |
545 | const struct arpt_entry_target *t; | 552 | const struct arpt_entry_target *t; |
546 | unsigned int verdict; | 553 | unsigned int verdict; |
547 | 554 | ||
548 | if (!unconditional(&e->arp)) | 555 | if (!unconditional(&e->arp)) |
549 | return false; | 556 | return false; |
550 | t = arpt_get_target(e); | 557 | t = arpt_get_target_c(e); |
551 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | 558 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) |
552 | return false; | 559 | return false; |
553 | verdict = ((struct arpt_standard_target *)t)->verdict; | 560 | verdict = ((struct arpt_standard_target *)t)->verdict; |
@@ -557,8 +564,8 @@ static bool check_underflow(struct arpt_entry *e) | |||
557 | 564 | ||
558 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, | 565 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, |
559 | struct xt_table_info *newinfo, | 566 | struct xt_table_info *newinfo, |
560 | unsigned char *base, | 567 | const unsigned char *base, |
561 | unsigned char *limit, | 568 | const unsigned char *limit, |
562 | const unsigned int *hook_entries, | 569 | const unsigned int *hook_entries, |
563 | const unsigned int *underflows, | 570 | const unsigned int *underflows, |
564 | unsigned int valid_hooks, | 571 | unsigned int valid_hooks, |
@@ -768,11 +775,11 @@ static void get_counters(const struct xt_table_info *t, | |||
768 | local_bh_enable(); | 775 | local_bh_enable(); |
769 | } | 776 | } |
770 | 777 | ||
771 | static struct xt_counters *alloc_counters(struct xt_table *table) | 778 | static struct xt_counters *alloc_counters(const struct xt_table *table) |
772 | { | 779 | { |
773 | unsigned int countersize; | 780 | unsigned int countersize; |
774 | struct xt_counters *counters; | 781 | struct xt_counters *counters; |
775 | struct xt_table_info *private = table->private; | 782 | const struct xt_table_info *private = table->private; |
776 | 783 | ||
777 | /* We need atomic snapshot of counters: rest doesn't change | 784 | /* We need atomic snapshot of counters: rest doesn't change |
778 | * (other than comefrom, which userspace doesn't care | 785 | * (other than comefrom, which userspace doesn't care |
@@ -790,11 +797,11 @@ static struct xt_counters *alloc_counters(struct xt_table *table) | |||
790 | } | 797 | } |
791 | 798 | ||
792 | static int copy_entries_to_user(unsigned int total_size, | 799 | static int copy_entries_to_user(unsigned int total_size, |
793 | struct xt_table *table, | 800 | const struct xt_table *table, |
794 | void __user *userptr) | 801 | void __user *userptr) |
795 | { | 802 | { |
796 | unsigned int off, num; | 803 | unsigned int off, num; |
797 | struct arpt_entry *e; | 804 | const struct arpt_entry *e; |
798 | struct xt_counters *counters; | 805 | struct xt_counters *counters; |
799 | struct xt_table_info *private = table->private; | 806 | struct xt_table_info *private = table->private; |
800 | int ret = 0; | 807 | int ret = 0; |
@@ -814,7 +821,7 @@ static int copy_entries_to_user(unsigned int total_size, | |||
814 | /* FIXME: use iterator macros --RR */ | 821 | /* FIXME: use iterator macros --RR */ |
815 | /* ... then go back and fix counters and names */ | 822 | /* ... then go back and fix counters and names */ |
816 | for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){ | 823 | for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){ |
817 | struct arpt_entry_target *t; | 824 | const struct arpt_entry_target *t; |
818 | 825 | ||
819 | e = (struct arpt_entry *)(loc_cpu_entry + off); | 826 | e = (struct arpt_entry *)(loc_cpu_entry + off); |
820 | if (copy_to_user(userptr + off | 827 | if (copy_to_user(userptr + off |
@@ -825,7 +832,7 @@ static int copy_entries_to_user(unsigned int total_size, | |||
825 | goto free_counters; | 832 | goto free_counters; |
826 | } | 833 | } |
827 | 834 | ||
828 | t = arpt_get_target(e); | 835 | t = arpt_get_target_c(e); |
829 | if (copy_to_user(userptr + off + e->target_offset | 836 | if (copy_to_user(userptr + off + e->target_offset |
830 | + offsetof(struct arpt_entry_target, | 837 | + offsetof(struct arpt_entry_target, |
831 | u.user.name), | 838 | u.user.name), |
@@ -860,18 +867,18 @@ static int compat_standard_to_user(void __user *dst, const void *src) | |||
860 | return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0; | 867 | return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0; |
861 | } | 868 | } |
862 | 869 | ||
863 | static int compat_calc_entry(struct arpt_entry *e, | 870 | static int compat_calc_entry(const struct arpt_entry *e, |
864 | const struct xt_table_info *info, | 871 | const struct xt_table_info *info, |
865 | void *base, struct xt_table_info *newinfo) | 872 | const void *base, struct xt_table_info *newinfo) |
866 | { | 873 | { |
867 | struct arpt_entry_target *t; | 874 | const struct arpt_entry_target *t; |
868 | unsigned int entry_offset; | 875 | unsigned int entry_offset; |
869 | int off, i, ret; | 876 | int off, i, ret; |
870 | 877 | ||
871 | off = sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry); | 878 | off = sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry); |
872 | entry_offset = (void *)e - base; | 879 | entry_offset = (void *)e - base; |
873 | 880 | ||
874 | t = arpt_get_target(e); | 881 | t = arpt_get_target_c(e); |
875 | off += xt_compat_target_offset(t->u.kernel.target); | 882 | off += xt_compat_target_offset(t->u.kernel.target); |
876 | newinfo->size -= off; | 883 | newinfo->size -= off; |
877 | ret = xt_compat_add_offset(NFPROTO_ARP, entry_offset, off); | 884 | ret = xt_compat_add_offset(NFPROTO_ARP, entry_offset, off); |
@@ -907,7 +914,8 @@ static int compat_table_info(const struct xt_table_info *info, | |||
907 | } | 914 | } |
908 | #endif | 915 | #endif |
909 | 916 | ||
910 | static int get_info(struct net *net, void __user *user, int *len, int compat) | 917 | static int get_info(struct net *net, void __user *user, |
918 | const int *len, int compat) | ||
911 | { | 919 | { |
912 | char name[ARPT_TABLE_MAXNAMELEN]; | 920 | char name[ARPT_TABLE_MAXNAMELEN]; |
913 | struct xt_table *t; | 921 | struct xt_table *t; |
@@ -966,7 +974,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat) | |||
966 | } | 974 | } |
967 | 975 | ||
968 | static int get_entries(struct net *net, struct arpt_get_entries __user *uptr, | 976 | static int get_entries(struct net *net, struct arpt_get_entries __user *uptr, |
969 | int *len) | 977 | const int *len) |
970 | { | 978 | { |
971 | int ret; | 979 | int ret; |
972 | struct arpt_get_entries get; | 980 | struct arpt_get_entries get; |
@@ -1080,7 +1088,8 @@ static int __do_replace(struct net *net, const char *name, | |||
1080 | return ret; | 1088 | return ret; |
1081 | } | 1089 | } |
1082 | 1090 | ||
1083 | static int do_replace(struct net *net, void __user *user, unsigned int len) | 1091 | static int do_replace(struct net *net, const void __user *user, |
1092 | unsigned int len) | ||
1084 | { | 1093 | { |
1085 | int ret; | 1094 | int ret; |
1086 | struct arpt_replace tmp; | 1095 | struct arpt_replace tmp; |
@@ -1140,8 +1149,8 @@ add_counter_to_entry(struct arpt_entry *e, | |||
1140 | return 0; | 1149 | return 0; |
1141 | } | 1150 | } |
1142 | 1151 | ||
1143 | static int do_add_counters(struct net *net, void __user *user, unsigned int len, | 1152 | static int do_add_counters(struct net *net, const void __user *user, |
1144 | int compat) | 1153 | unsigned int len, int compat) |
1145 | { | 1154 | { |
1146 | unsigned int i, curcpu; | 1155 | unsigned int i, curcpu; |
1147 | struct xt_counters_info tmp; | 1156 | struct xt_counters_info tmp; |
@@ -1245,10 +1254,10 @@ static inline int | |||
1245 | check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, | 1254 | check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, |
1246 | struct xt_table_info *newinfo, | 1255 | struct xt_table_info *newinfo, |
1247 | unsigned int *size, | 1256 | unsigned int *size, |
1248 | unsigned char *base, | 1257 | const unsigned char *base, |
1249 | unsigned char *limit, | 1258 | const unsigned char *limit, |
1250 | unsigned int *hook_entries, | 1259 | const unsigned int *hook_entries, |
1251 | unsigned int *underflows, | 1260 | const unsigned int *underflows, |
1252 | unsigned int *i, | 1261 | unsigned int *i, |
1253 | const char *name) | 1262 | const char *name) |
1254 | { | 1263 | { |
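Review bot: The new arpt_get_target_c helper (new lines 236-240) deliberately casts the const qualifier away to call arpt_get_target but carries no comment saying so, whereas the equivalent ipt_get_target_c in ip_tables.c is introduced with `/* for const-correctness */`; the same one-line comment should precede it here so a later cleanup does not treat the cast as a mistake. With `e` now const, two sites still cast it back to a mutable type where a const cast suffices: `entry_offset = (const void *)e - base;` in compat_calc_entry and `verdict = ((const struct arpt_standard_target *)t)->verdict;` in check_underflow, and `e = (const struct arpt_entry *)(loc_cpu_entry + off);` in copy_entries_to_user. get_entry now accepts `const void *base` yet still returns a non-const `struct arpt_entry *`, so callers obtain a writable entry from a const table; this looks intentional since arpt_do_table updates counters through `e`, but a short comment on get_entry would make that explicit. The enclosing functions for these lines continue outside the hunks shown.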
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 2a4f745ce36e..e94c18bdfc68 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -176,7 +176,7 @@ ipt_error(struct sk_buff *skb, const struct xt_target_param *par) | |||
176 | 176 | ||
177 | /* Performance critical - called for every packet */ | 177 | /* Performance critical - called for every packet */ |
178 | static inline bool | 178 | static inline bool |
179 | do_match(struct ipt_entry_match *m, const struct sk_buff *skb, | 179 | do_match(const struct ipt_entry_match *m, const struct sk_buff *skb, |
180 | struct xt_match_param *par) | 180 | struct xt_match_param *par) |
181 | { | 181 | { |
182 | par->match = m->u.kernel.match; | 182 | par->match = m->u.kernel.match; |
@@ -191,7 +191,7 @@ do_match(struct ipt_entry_match *m, const struct sk_buff *skb, | |||
191 | 191 | ||
192 | /* Performance critical */ | 192 | /* Performance critical */ |
193 | static inline struct ipt_entry * | 193 | static inline struct ipt_entry * |
194 | get_entry(void *base, unsigned int offset) | 194 | get_entry(const void *base, unsigned int offset) |
195 | { | 195 | { |
196 | return (struct ipt_entry *)(base + offset); | 196 | return (struct ipt_entry *)(base + offset); |
197 | } | 197 | } |
@@ -206,6 +206,13 @@ static inline bool unconditional(const struct ipt_ip *ip) | |||
206 | #undef FWINV | 206 | #undef FWINV |
207 | } | 207 | } |
208 | 208 | ||
209 | /* for const-correctness */ | ||
210 | static inline const struct ipt_entry_target * | ||
211 | ipt_get_target_c(const struct ipt_entry *e) | ||
212 | { | ||
213 | return ipt_get_target((struct ipt_entry *)e); | ||
214 | } | ||
215 | |||
209 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ | 216 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ |
210 | defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) | 217 | defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) |
211 | static const char *const hooknames[] = { | 218 | static const char *const hooknames[] = { |
@@ -240,11 +247,11 @@ static struct nf_loginfo trace_loginfo = { | |||
240 | 247 | ||
241 | /* Mildly perf critical (only if packet tracing is on) */ | 248 | /* Mildly perf critical (only if packet tracing is on) */ |
242 | static inline int | 249 | static inline int |
243 | get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e, | 250 | get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e, |
244 | const char *hookname, const char **chainname, | 251 | const char *hookname, const char **chainname, |
245 | const char **comment, unsigned int *rulenum) | 252 | const char **comment, unsigned int *rulenum) |
246 | { | 253 | { |
247 | struct ipt_standard_target *t = (void *)ipt_get_target(s); | 254 | const struct ipt_standard_target *t = (void *)ipt_get_target_c(s); |
248 | 255 | ||
249 | if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) { | 256 | if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) { |
250 | /* Head of user chain: ERROR target with chainname */ | 257 | /* Head of user chain: ERROR target with chainname */ |
@@ -270,15 +277,15 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e, | |||
270 | return 0; | 277 | return 0; |
271 | } | 278 | } |
272 | 279 | ||
273 | static void trace_packet(struct sk_buff *skb, | 280 | static void trace_packet(const struct sk_buff *skb, |
274 | unsigned int hook, | 281 | unsigned int hook, |
275 | const struct net_device *in, | 282 | const struct net_device *in, |
276 | const struct net_device *out, | 283 | const struct net_device *out, |
277 | const char *tablename, | 284 | const char *tablename, |
278 | struct xt_table_info *private, | 285 | const struct xt_table_info *private, |
279 | struct ipt_entry *e) | 286 | const struct ipt_entry *e) |
280 | { | 287 | { |
281 | void *table_base; | 288 | const void *table_base; |
282 | const struct ipt_entry *root; | 289 | const struct ipt_entry *root; |
283 | const char *hookname, *chainname, *comment; | 290 | const char *hookname, *chainname, *comment; |
284 | unsigned int rulenum = 0; | 291 | unsigned int rulenum = 0; |
@@ -322,9 +329,9 @@ ipt_do_table(struct sk_buff *skb, | |||
322 | /* Initializing verdict to NF_DROP keeps gcc happy. */ | 329 | /* Initializing verdict to NF_DROP keeps gcc happy. */ |
323 | unsigned int verdict = NF_DROP; | 330 | unsigned int verdict = NF_DROP; |
324 | const char *indev, *outdev; | 331 | const char *indev, *outdev; |
325 | void *table_base; | 332 | const void *table_base; |
326 | struct ipt_entry *e, *back; | 333 | struct ipt_entry *e, *back; |
327 | struct xt_table_info *private; | 334 | const struct xt_table_info *private; |
328 | struct xt_match_param mtpar; | 335 | struct xt_match_param mtpar; |
329 | struct xt_target_param tgpar; | 336 | struct xt_target_param tgpar; |
330 | 337 | ||
@@ -357,7 +364,7 @@ ipt_do_table(struct sk_buff *skb, | |||
357 | back = get_entry(table_base, private->underflow[hook]); | 364 | back = get_entry(table_base, private->underflow[hook]); |
358 | 365 | ||
359 | do { | 366 | do { |
360 | struct ipt_entry_target *t; | 367 | const struct ipt_entry_target *t; |
361 | 368 | ||
362 | IP_NF_ASSERT(e); | 369 | IP_NF_ASSERT(e); |
363 | IP_NF_ASSERT(back); | 370 | IP_NF_ASSERT(back); |
@@ -450,7 +457,7 @@ ipt_do_table(struct sk_buff *skb, | |||
450 | /* Figures out from what hook each rule can be called: returns 0 if | 457 | /* Figures out from what hook each rule can be called: returns 0 if |
451 | there are loops. Puts hook bitmask in comefrom. */ | 458 | there are loops. Puts hook bitmask in comefrom. */ |
452 | static int | 459 | static int |
453 | mark_source_chains(struct xt_table_info *newinfo, | 460 | mark_source_chains(const struct xt_table_info *newinfo, |
454 | unsigned int valid_hooks, void *entry0) | 461 | unsigned int valid_hooks, void *entry0) |
455 | { | 462 | { |
456 | unsigned int hook; | 463 | unsigned int hook; |
@@ -468,8 +475,8 @@ mark_source_chains(struct xt_table_info *newinfo, | |||
468 | e->counters.pcnt = pos; | 475 | e->counters.pcnt = pos; |
469 | 476 | ||
470 | for (;;) { | 477 | for (;;) { |
471 | struct ipt_standard_target *t | 478 | const struct ipt_standard_target *t |
472 | = (void *)ipt_get_target(e); | 479 | = (void *)ipt_get_target_c(e); |
473 | int visited = e->comefrom & (1 << hook); | 480 | int visited = e->comefrom & (1 << hook); |
474 | 481 | ||
475 | if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { | 482 | if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { |
@@ -578,9 +585,9 @@ cleanup_match(struct ipt_entry_match *m, struct net *net, unsigned int *i) | |||
578 | } | 585 | } |
579 | 586 | ||
580 | static int | 587 | static int |
581 | check_entry(struct ipt_entry *e, const char *name) | 588 | check_entry(const struct ipt_entry *e, const char *name) |
582 | { | 589 | { |
583 | struct ipt_entry_target *t; | 590 | const struct ipt_entry_target *t; |
584 | 591 | ||
585 | if (!ip_checkentry(&e->ip)) { | 592 | if (!ip_checkentry(&e->ip)) { |
586 | duprintf("ip_tables: ip check failed %p %s.\n", e, name); | 593 | duprintf("ip_tables: ip check failed %p %s.\n", e, name); |
@@ -591,7 +598,7 @@ check_entry(struct ipt_entry *e, const char *name) | |||
591 | e->next_offset) | 598 | e->next_offset) |
592 | return -EINVAL; | 599 | return -EINVAL; |
593 | 600 | ||
594 | t = ipt_get_target(e); | 601 | t = ipt_get_target_c(e); |
595 | if (e->target_offset + t->u.target_size > e->next_offset) | 602 | if (e->target_offset + t->u.target_size > e->next_offset) |
596 | return -EINVAL; | 603 | return -EINVAL; |
597 | 604 | ||
@@ -718,14 +725,14 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name, | |||
718 | return ret; | 725 | return ret; |
719 | } | 726 | } |
720 | 727 | ||
721 | static bool check_underflow(struct ipt_entry *e) | 728 | static bool check_underflow(const struct ipt_entry *e) |
722 | { | 729 | { |
723 | const struct ipt_entry_target *t; | 730 | const struct ipt_entry_target *t; |
724 | unsigned int verdict; | 731 | unsigned int verdict; |
725 | 732 | ||
726 | if (!unconditional(&e->ip)) | 733 | if (!unconditional(&e->ip)) |
727 | return false; | 734 | return false; |
728 | t = ipt_get_target(e); | 735 | t = ipt_get_target_c(e); |
729 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | 736 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) |
730 | return false; | 737 | return false; |
731 | verdict = ((struct ipt_standard_target *)t)->verdict; | 738 | verdict = ((struct ipt_standard_target *)t)->verdict; |
@@ -736,8 +743,8 @@ static bool check_underflow(struct ipt_entry *e) | |||
736 | static int | 743 | static int |
737 | check_entry_size_and_hooks(struct ipt_entry *e, | 744 | check_entry_size_and_hooks(struct ipt_entry *e, |
738 | struct xt_table_info *newinfo, | 745 | struct xt_table_info *newinfo, |
739 | unsigned char *base, | 746 | const unsigned char *base, |
740 | unsigned char *limit, | 747 | const unsigned char *limit, |
741 | const unsigned int *hook_entries, | 748 | const unsigned int *hook_entries, |
742 | const unsigned int *underflows, | 749 | const unsigned int *underflows, |
743 | unsigned int valid_hooks, | 750 | unsigned int valid_hooks, |
@@ -952,11 +959,11 @@ get_counters(const struct xt_table_info *t, | |||
952 | local_bh_enable(); | 959 | local_bh_enable(); |
953 | } | 960 | } |
954 | 961 | ||
955 | static struct xt_counters * alloc_counters(struct xt_table *table) | 962 | static struct xt_counters *alloc_counters(const struct xt_table *table) |
956 | { | 963 | { |
957 | unsigned int countersize; | 964 | unsigned int countersize; |
958 | struct xt_counters *counters; | 965 | struct xt_counters *counters; |
959 | struct xt_table_info *private = table->private; | 966 | const struct xt_table_info *private = table->private; |
960 | 967 | ||
961 | /* We need atomic snapshot of counters: rest doesn't change | 968 | /* We need atomic snapshot of counters: rest doesn't change |
962 | (other than comefrom, which userspace doesn't care | 969 | (other than comefrom, which userspace doesn't care |
@@ -974,11 +981,11 @@ static struct xt_counters * alloc_counters(struct xt_table *table) | |||
974 | 981 | ||
975 | static int | 982 | static int |
976 | copy_entries_to_user(unsigned int total_size, | 983 | copy_entries_to_user(unsigned int total_size, |
977 | struct xt_table *table, | 984 | const struct xt_table *table, |
978 | void __user *userptr) | 985 | void __user *userptr) |
979 | { | 986 | { |
980 | unsigned int off, num; | 987 | unsigned int off, num; |
981 | struct ipt_entry *e; | 988 | const struct ipt_entry *e; |
982 | struct xt_counters *counters; | 989 | struct xt_counters *counters; |
983 | const struct xt_table_info *private = table->private; | 990 | const struct xt_table_info *private = table->private; |
984 | int ret = 0; | 991 | int ret = 0; |
@@ -1030,7 +1037,7 @@ copy_entries_to_user(unsigned int total_size, | |||
1030 | } | 1037 | } |
1031 | } | 1038 | } |
1032 | 1039 | ||
1033 | t = ipt_get_target(e); | 1040 | t = ipt_get_target_c(e); |
1034 | if (copy_to_user(userptr + off + e->target_offset | 1041 | if (copy_to_user(userptr + off + e->target_offset |
1035 | + offsetof(struct ipt_entry_target, | 1042 | + offsetof(struct ipt_entry_target, |
1036 | u.user.name), | 1043 | u.user.name), |
@@ -1066,24 +1073,24 @@ static int compat_standard_to_user(void __user *dst, const void *src) | |||
1066 | } | 1073 | } |
1067 | 1074 | ||
1068 | static inline int | 1075 | static inline int |
1069 | compat_calc_match(struct ipt_entry_match *m, int *size) | 1076 | compat_calc_match(const struct ipt_entry_match *m, int *size) |
1070 | { | 1077 | { |
1071 | *size += xt_compat_match_offset(m->u.kernel.match); | 1078 | *size += xt_compat_match_offset(m->u.kernel.match); |
1072 | return 0; | 1079 | return 0; |
1073 | } | 1080 | } |
1074 | 1081 | ||
1075 | static int compat_calc_entry(struct ipt_entry *e, | 1082 | static int compat_calc_entry(const struct ipt_entry *e, |
1076 | const struct xt_table_info *info, | 1083 | const struct xt_table_info *info, |
1077 | void *base, struct xt_table_info *newinfo) | 1084 | const void *base, struct xt_table_info *newinfo) |
1078 | { | 1085 | { |
1079 | struct ipt_entry_target *t; | 1086 | const struct ipt_entry_target *t; |
1080 | unsigned int entry_offset; | 1087 | unsigned int entry_offset; |
1081 | int off, i, ret; | 1088 | int off, i, ret; |
1082 | 1089 | ||
1083 | off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); | 1090 | off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); |
1084 | entry_offset = (void *)e - base; | 1091 | entry_offset = (void *)e - base; |
1085 | IPT_MATCH_ITERATE(e, compat_calc_match, &off); | 1092 | IPT_MATCH_ITERATE(e, compat_calc_match, &off); |
1086 | t = ipt_get_target(e); | 1093 | t = ipt_get_target_c(e); |
1087 | off += xt_compat_target_offset(t->u.kernel.target); | 1094 | off += xt_compat_target_offset(t->u.kernel.target); |
1088 | newinfo->size -= off; | 1095 | newinfo->size -= off; |
1089 | ret = xt_compat_add_offset(AF_INET, entry_offset, off); | 1096 | ret = xt_compat_add_offset(AF_INET, entry_offset, off); |
@@ -1119,7 +1126,8 @@ static int compat_table_info(const struct xt_table_info *info, | |||
1119 | } | 1126 | } |
1120 | #endif | 1127 | #endif |
1121 | 1128 | ||
1122 | static int get_info(struct net *net, void __user *user, int *len, int compat) | 1129 | static int get_info(struct net *net, void __user *user, |
1130 | const int *len, int compat) | ||
1123 | { | 1131 | { |
1124 | char name[IPT_TABLE_MAXNAMELEN]; | 1132 | char name[IPT_TABLE_MAXNAMELEN]; |
1125 | struct xt_table *t; | 1133 | struct xt_table *t; |
@@ -1179,7 +1187,8 @@ static int get_info(struct net *net, void __user *user, int *len, int compat) | |||
1179 | } | 1187 | } |
1180 | 1188 | ||
1181 | static int | 1189 | static int |
1182 | get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len) | 1190 | get_entries(struct net *net, struct ipt_get_entries __user *uptr, |
1191 | const int *len) | ||
1183 | { | 1192 | { |
1184 | int ret; | 1193 | int ret; |
1185 | struct ipt_get_entries get; | 1194 | struct ipt_get_entries get; |
@@ -1289,7 +1298,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks, | |||
1289 | } | 1298 | } |
1290 | 1299 | ||
1291 | static int | 1300 | static int |
1292 | do_replace(struct net *net, void __user *user, unsigned int len) | 1301 | do_replace(struct net *net, const void __user *user, unsigned int len) |
1293 | { | 1302 | { |
1294 | int ret; | 1303 | int ret; |
1295 | struct ipt_replace tmp; | 1304 | struct ipt_replace tmp; |
@@ -1350,7 +1359,8 @@ add_counter_to_entry(struct ipt_entry *e, | |||
1350 | } | 1359 | } |
1351 | 1360 | ||
1352 | static int | 1361 | static int |
1353 | do_add_counters(struct net *net, void __user *user, unsigned int len, int compat) | 1362 | do_add_counters(struct net *net, const void __user *user, |
1363 | unsigned int len, int compat) | ||
1354 | { | 1364 | { |
1355 | unsigned int i, curcpu; | 1365 | unsigned int i, curcpu; |
1356 | struct xt_counters_info tmp; | 1366 | struct xt_counters_info tmp; |
@@ -1546,10 +1556,10 @@ static int | |||
1546 | check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, | 1556 | check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, |
1547 | struct xt_table_info *newinfo, | 1557 | struct xt_table_info *newinfo, |
1548 | unsigned int *size, | 1558 | unsigned int *size, |
1549 | unsigned char *base, | 1559 | const unsigned char *base, |
1550 | unsigned char *limit, | 1560 | const unsigned char *limit, |
1551 | unsigned int *hook_entries, | 1561 | const unsigned int *hook_entries, |
1552 | unsigned int *underflows, | 1562 | const unsigned int *underflows, |
1553 | unsigned int *i, | 1563 | unsigned int *i, |
1554 | const char *name) | 1564 | const char *name) |
1555 | { | 1565 | { |
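diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 3ff4fd50e96e..4185099c2943 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -208,7 +208,7 @@ ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
 
 /* Performance critical - called for every packet */
 static inline bool
-do_match(struct ip6t_entry_match *m, const struct sk_buff *skb,
+do_match(const struct ip6t_entry_match *m, const struct sk_buff *skb,
 struct xt_match_param *par)
 {
 par->match = m->u.kernel.match;
@@ -222,7 +222,7 @@ do_match(struct ip6t_entry_match *m, const struct sk_buff *skb,
 }
 
 static inline struct ip6t_entry *
-get_entry(void *base, unsigned int offset)
+get_entry(const void *base, unsigned int offset)
 {
 return (struct ip6t_entry *)(base + offset);
 }
@@ -236,6 +236,12 @@ static inline bool unconditional(const struct ip6t_ip6 *ipv6)
 return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
 }
 
+static inline const struct ip6t_entry_target *
+ip6t_get_target_c(const struct ip6t_entry *e)
+{
+return ip6t_get_target((struct ip6t_entry *)e);
+}
+
 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
 /* This cries for unification! */
@@ -271,11 +277,11 @@ static struct nf_loginfo trace_loginfo = {
 
 /* Mildly perf critical (only if packet tracing is on) */
 static inline int
-get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
+get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
 const char *hookname, const char **chainname,
 const char **comment, unsigned int *rulenum)
 {
-struct ip6t_standard_target *t = (void *)ip6t_get_target(s);
+const struct ip6t_standard_target *t = (void *)ip6t_get_target_c(s);
 
 if (strcmp(t->target.u.kernel.target->name, IP6T_ERROR_TARGET) == 0) {
 /* Head of user chain: ERROR target with chainname */
@@ -301,15 +307,15 @@ get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
 return 0;
 }
 
-static void trace_packet(struct sk_buff *skb,
+static void trace_packet(const struct sk_buff *skb,
 unsigned int hook,
 const struct net_device *in,
 const struct net_device *out,
 const char *tablename,
-struct xt_table_info *private,
-struct ip6t_entry *e)
+const struct xt_table_info *private,
+const struct ip6t_entry *e)
 {
-void *table_base;
+const void *table_base;
 const struct ip6t_entry *root;
 const char *hookname, *chainname, *comment;
 unsigned int rulenum = 0;
@@ -352,9 +358,9 @@ ip6t_do_table(struct sk_buff *skb,
 /* Initializing verdict to NF_DROP keeps gcc happy. */
 unsigned int verdict = NF_DROP;
 const char *indev, *outdev;
-void *table_base;
+const void *table_base;
 struct ip6t_entry *e, *back;
-struct xt_table_info *private;
+const struct xt_table_info *private;
 struct xt_match_param mtpar;
 struct xt_target_param tgpar;
 
@@ -385,7 +391,7 @@ ip6t_do_table(struct sk_buff *skb,
 back = get_entry(table_base, private->underflow[hook]);
 
 do {
-struct ip6t_entry_target *t;
+const struct ip6t_entry_target *t;
 
 IP_NF_ASSERT(e);
 IP_NF_ASSERT(back);
@@ -400,7 +406,7 @@ ip6t_do_table(struct sk_buff *skb,
 ntohs(ipv6_hdr(skb)->payload_len) +
 sizeof(struct ipv6hdr), 1);
 
-t = ip6t_get_target(e);
+t = ip6t_get_target_c(e);
 IP_NF_ASSERT(t->u.kernel.target);
 
 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
@@ -482,7 +488,7 @@ ip6t_do_table(struct sk_buff *skb,
 /* Figures out from what hook each rule can be called: returns 0 if
 there are loops. Puts hook bitmask in comefrom. */
 static int
-mark_source_chains(struct xt_table_info *newinfo,
+mark_source_chains(const struct xt_table_info *newinfo,
 unsigned int valid_hooks, void *entry0)
 {
 unsigned int hook;
@@ -500,8 +506,8 @@ mark_source_chains(struct xt_table_info *newinfo,
 e->counters.pcnt = pos;
 
 for (;;) {
-struct ip6t_standard_target *t
-= (void *)ip6t_get_target(e);
+const struct ip6t_standard_target *t
+= (void *)ip6t_get_target_c(e);
 int visited = e->comefrom & (1 << hook);
 
 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
@@ -610,9 +616,9 @@ cleanup_match(struct ip6t_entry_match *m, struct net *net, unsigned int *i)
 }
 
 static int
-check_entry(struct ip6t_entry *e, const char *name)
+check_entry(const struct ip6t_entry *e, const char *name)
 {
-struct ip6t_entry_target *t;
+const struct ip6t_entry_target *t;
 
 if (!ip6_checkentry(&e->ipv6)) {
 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
@@ -623,7 +629,7 @@ check_entry(struct ip6t_entry *e, const char *name)
 e->next_offset)
 return -EINVAL;
 
-t = ip6t_get_target(e);
+t = ip6t_get_target_c(e);
 if (e->target_offset + t->u.target_size > e->next_offset)
 return -EINVAL;
 
@@ -750,14 +756,14 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
 return ret;
 }
 
-static bool check_underflow(struct ip6t_entry *e)
+static bool check_underflow(const struct ip6t_entry *e)
 {
 const struct ip6t_entry_target *t;
 unsigned int verdict;
 
 if (!unconditional(&e->ipv6))
 return false;
-t = ip6t_get_target(e);
+t = ip6t_get_target_c(e);
 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
 return false;
 verdict = ((struct ip6t_standard_target *)t)->verdict;
@@ -768,8 +774,8 @@ static bool check_underflow(struct ip6t_entry *e)
 static int
 check_entry_size_and_hooks(struct ip6t_entry *e,
 struct xt_table_info *newinfo,
-unsigned char *base,
-unsigned char *limit,
+const unsigned char *base,
+const unsigned char *limit,
 const unsigned int *hook_entries,
 const unsigned int *underflows,
 unsigned int valid_hooks,
@@ -984,11 +990,11 @@ get_counters(const struct xt_table_info *t,
 local_bh_enable();
 }
 
-static struct xt_counters *alloc_counters(struct xt_table *table)
+static struct xt_counters *alloc_counters(const struct xt_table *table)
 {
 unsigned int countersize;
 struct xt_counters *counters;
-struct xt_table_info *private = table->private;
+const struct xt_table_info *private = table->private;
 
 /* We need atomic snapshot of counters: rest doesn't change
 (other than comefrom, which userspace doesn't care
@@ -1006,11 +1012,11 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
 
 static int
 copy_entries_to_user(unsigned int total_size,
-struct xt_table *table,
+const struct xt_table *table,
 void __user *userptr)
 {
 unsigned int off, num;
-struct ip6t_entry *e;
+const struct ip6t_entry *e;
 struct xt_counters *counters;
 const struct xt_table_info *private = table->private;
 int ret = 0;
@@ -1062,7 +1068,7 @@ copy_entries_to_user(unsigned int total_size,
 }
 }
 
-t = ip6t_get_target(e);
+t = ip6t_get_target_c(e);
 if (copy_to_user(userptr + off + e->target_offset
 + offsetof(struct ip6t_entry_target,
 u.user.name),
@@ -1098,24 +1104,24 @@ static int compat_standard_to_user(void __user *dst, const void *src)
 }
 
 static inline int
-compat_calc_match(struct ip6t_entry_match *m, int *size)
+compat_calc_match(const struct ip6t_entry_match *m, int *size)
 {
 *size += xt_compat_match_offset(m->u.kernel.match);
 return 0;
 }
 
-static int compat_calc_entry(struct ip6t_entry *e,
+static int compat_calc_entry(const struct ip6t_entry *e,
 const struct xt_table_info *info,
-void *base, struct xt_table_info *newinfo)
+const void *base, struct xt_table_info *newinfo)
 {
-struct ip6t_entry_target *t;
+const struct ip6t_entry_target *t;
 unsigned int entry_offset;
 int off, i, ret;
 
 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
 entry_offset = (void *)e - base;
 IP6T_MATCH_ITERATE(e, compat_calc_match, &off);
-t = ip6t_get_target(e);
+t = ip6t_get_target_c(e);
 off += xt_compat_target_offset(t->u.kernel.target);
 newinfo->size -= off;
 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
@@ -1151,7 +1157,8 @@ static int compat_table_info(const struct xt_table_info *info,
 }
 #endif
 
-static int get_info(struct net *net, void __user *user, int *len, int compat)
+static int get_info(struct net *net, void __user *user,
+const int *len, int compat)
 {
 char name[IP6T_TABLE_MAXNAMELEN];
 struct xt_table *t;
@@ -1211,7 +1218,8 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
 }
 
 static int
-get_entries(struct net *net, struct ip6t_get_entries __user *uptr, int *len)
+get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
+const int *len)
 {
 int ret;
 struct ip6t_get_entries get;
@@ -1322,7 +1330,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
 }
 
 static int
-do_replace(struct net *net, void __user *user, unsigned int len)
+do_replace(struct net *net, const void __user *user, unsigned int len)
 {
 int ret;
 struct ip6t_replace tmp;
@@ -1383,7 +1391,7 @@ add_counter_to_entry(struct ip6t_entry *e,
 }
 
 static int
-do_add_counters(struct net *net, void __user *user, unsigned int len,
+do_add_counters(struct net *net, const void __user *user, unsigned int len,
 int compat)
 {
 unsigned int i, curcpu;
@@ -1582,10 +1590,10 @@ static int
 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
 struct xt_table_info *newinfo,
 unsigned int *size,
-unsigned char *base,
-unsigned char *limit,
-unsigned int *hook_entries,
-unsigned int *underflows,
+const unsigned char *base,
+const unsigned char *limit,
+const unsigned int *hook_entries,
+const unsigned int *underflows,
 unsigned int *i,
 const char *name)
 {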
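Review bot: `ip6t_get_target_c` in the hunk at line 236 strips the qualifier again with `(struct ip6t_entry *)e`, so the `const` this commit adds to check_entry, check_underflow, compat_calc_entry and the other callers in this file is a promise to the reader rather than something the compiler checks, and `get_entry(const void *base, ...)` returning a non-const `struct ip6t_entry *` plus the `(void *)ip6t_get_target_c(...)` casts in get_chainname_rulenum and mark_source_chains discard it the same way. If ip6t_get_target is the plain offset-add helper it appears to be, the wrapper can keep the qualifier through the arithmetic instead of round-tripping via a non-const pointer: `return (const void *)e + e->target_offset;`. Where a cast is kept, a short comment such as `/* cast drops const only to reuse ip6t_get_target; the const return type keeps callers read-only */` records the intent for whoever later builds this file with -Wcast-qual. The same wrapper and casts exist in the ip_tables.c section, whose start lies outside this view.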