Diffstat (limited to 'net')
-rw-r--r--net/bridge/netfilter/ebtables.c59
-rw-r--r--net/ipv4/netfilter/arp_tables.c69
-rw-r--r--net/ipv4/netfilter/ip_tables.c88
-rw-r--r--net/ipv6/netfilter/ip6_tables.c88
4 files changed, 168 insertions, 136 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 208f4e32e732..bcdf02d866b8 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -82,7 +82,8 @@ static inline int ebt_do_match (struct ebt_entry_match *m,
82 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH; 82 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
83} 83}
84 84
85static inline int ebt_dev_check(char *entry, const struct net_device *device) 85static inline int
86ebt_dev_check(const char *entry, const struct net_device *device)
86{ 87{
87 int i = 0; 88 int i = 0;
88 const char *devname; 89 const char *devname;
@@ -100,8 +101,9 @@ static inline int ebt_dev_check(char *entry, const struct net_device *device)
100 101
101#define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg)) 102#define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
102/* process standard matches */ 103/* process standard matches */
103static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h, 104static inline int
104 const struct net_device *in, const struct net_device *out) 105ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
106 const struct net_device *in, const struct net_device *out)
105{ 107{
106 int verdict, i; 108 int verdict, i;
107 109
@@ -156,12 +158,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
156 int i, nentries; 158 int i, nentries;
157 struct ebt_entry *point; 159 struct ebt_entry *point;
158 struct ebt_counter *counter_base, *cb_base; 160 struct ebt_counter *counter_base, *cb_base;
159 struct ebt_entry_target *t; 161 const struct ebt_entry_target *t;
160 int verdict, sp = 0; 162 int verdict, sp = 0;
161 struct ebt_chainstack *cs; 163 struct ebt_chainstack *cs;
162 struct ebt_entries *chaininfo; 164 struct ebt_entries *chaininfo;
163 char *base; 165 const char *base;
164 struct ebt_table_info *private; 166 const struct ebt_table_info *private;
165 bool hotdrop = false; 167 bool hotdrop = false;
166 struct xt_match_param mtpar; 168 struct xt_match_param mtpar;
167 struct xt_target_param tgpar; 169 struct xt_target_param tgpar;
@@ -395,7 +397,7 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
395 return 0; 397 return 0;
396} 398}
397 399
398static int ebt_verify_pointers(struct ebt_replace *repl, 400static int ebt_verify_pointers(const struct ebt_replace *repl,
399 struct ebt_table_info *newinfo) 401 struct ebt_table_info *newinfo)
400{ 402{
401 unsigned int limit = repl->entries_size; 403 unsigned int limit = repl->entries_size;
@@ -466,8 +468,8 @@ static int ebt_verify_pointers(struct ebt_replace *repl,
466 * to parse the userspace data 468 * to parse the userspace data
467 */ 469 */
468static inline int 470static inline int
469ebt_check_entry_size_and_hooks(struct ebt_entry *e, 471ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
470 struct ebt_table_info *newinfo, 472 const struct ebt_table_info *newinfo,
471 unsigned int *n, unsigned int *cnt, 473 unsigned int *n, unsigned int *cnt,
472 unsigned int *totalcnt, unsigned int *udc_cnt) 474 unsigned int *totalcnt, unsigned int *udc_cnt)
473{ 475{
@@ -622,9 +624,8 @@ ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
622} 624}
623 625
624static inline int 626static inline int
625ebt_check_entry(struct ebt_entry *e, 627ebt_check_entry(struct ebt_entry *e, struct net *net,
626 struct net *net, 628 const struct ebt_table_info *newinfo,
627 struct ebt_table_info *newinfo,
628 const char *name, unsigned int *cnt, 629 const char *name, unsigned int *cnt,
629 struct ebt_cl_stack *cl_s, unsigned int udc_cnt) 630 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
630{ 631{
@@ -743,12 +744,12 @@ cleanup_matches:
743 * the hook mask for udc tells us from which base chains the udc can be 744 * the hook mask for udc tells us from which base chains the udc can be
744 * accessed. This mask is a parameter to the check() functions of the extensions 745 * accessed. This mask is a parameter to the check() functions of the extensions
745 */ 746 */
746static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s, 747static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
747 unsigned int udc_cnt, unsigned int hooknr, char *base) 748 unsigned int udc_cnt, unsigned int hooknr, char *base)
748{ 749{
749 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict; 750 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
750 struct ebt_entry *e = (struct ebt_entry *)chain->data; 751 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
751 struct ebt_entry_target *t; 752 const struct ebt_entry_target *t;
752 753
753 while (pos < nentries || chain_nr != -1) { 754 while (pos < nentries || chain_nr != -1) {
754 /* end of udc, go back one 'recursion' step */ 755 /* end of udc, go back one 'recursion' step */
@@ -814,7 +815,7 @@ letscontinue:
814} 815}
815 816
816/* do the parsing of the table/chains/entries/matches/watchers/targets, heh */ 817/* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
817static int translate_table(struct net *net, char *name, 818static int translate_table(struct net *net, const char *name,
818 struct ebt_table_info *newinfo) 819 struct ebt_table_info *newinfo)
819{ 820{
820 unsigned int i, j, k, udc_cnt; 821 unsigned int i, j, k, udc_cnt;
@@ -934,7 +935,7 @@ static int translate_table(struct net *net, char *name,
934} 935}
935 936
936/* called under write_lock */ 937/* called under write_lock */
937static void get_counters(struct ebt_counter *oldcounters, 938static void get_counters(const struct ebt_counter *oldcounters,
938 struct ebt_counter *counters, unsigned int nentries) 939 struct ebt_counter *counters, unsigned int nentries)
939{ 940{
940 int i, cpu; 941 int i, cpu;
@@ -957,7 +958,8 @@ static void get_counters(struct ebt_counter *oldcounters,
957} 958}
958 959
959/* replace the table */ 960/* replace the table */
960static int do_replace(struct net *net, void __user *user, unsigned int len) 961static int do_replace(struct net *net, const void __user *user,
962 unsigned int len)
961{ 963{
962 int ret, i, countersize; 964 int ret, i, countersize;
963 struct ebt_table_info *newinfo; 965 struct ebt_table_info *newinfo;
@@ -1237,7 +1239,8 @@ void ebt_unregister_table(struct net *net, struct ebt_table *table)
1237} 1239}
1238 1240
1239/* userspace just supplied us with counters */ 1241/* userspace just supplied us with counters */
1240static int update_counters(struct net *net, void __user *user, unsigned int len) 1242static int update_counters(struct net *net, const void __user *user,
1243 unsigned int len)
1241{ 1244{
1242 int i, ret; 1245 int i, ret;
1243 struct ebt_counter *tmp; 1246 struct ebt_counter *tmp;
@@ -1292,8 +1295,8 @@ free_tmp:
1292 return ret; 1295 return ret;
1293} 1296}
1294 1297
1295static inline int ebt_make_matchname(struct ebt_entry_match *m, 1298static inline int ebt_make_matchname(const struct ebt_entry_match *m,
1296 char *base, char __user *ubase) 1299 const char *base, char __user *ubase)
1297{ 1300{
1298 char __user *hlp = ubase + ((char *)m - base); 1301 char __user *hlp = ubase + ((char *)m - base);
1299 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN)) 1302 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
@@ -1301,8 +1304,8 @@ static inline int ebt_make_matchname(struct ebt_entry_match *m,
1301 return 0; 1304 return 0;
1302} 1305}
1303 1306
1304static inline int ebt_make_watchername(struct ebt_entry_watcher *w, 1307static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
1305 char *base, char __user *ubase) 1308 const char *base, char __user *ubase)
1306{ 1309{
1307 char __user *hlp = ubase + ((char *)w - base); 1310 char __user *hlp = ubase + ((char *)w - base);
1308 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN)) 1311 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
@@ -1310,11 +1313,12 @@ static inline int ebt_make_watchername(struct ebt_entry_watcher *w,
1310 return 0; 1313 return 0;
1311} 1314}
1312 1315
1313static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase) 1316static inline int
1317ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
1314{ 1318{
1315 int ret; 1319 int ret;
1316 char __user *hlp; 1320 char __user *hlp;
1317 struct ebt_entry_target *t; 1321 const struct ebt_entry_target *t;
1318 1322
1319 if (e->bitmask == 0) 1323 if (e->bitmask == 0)
1320 return 0; 1324 return 0;
@@ -1335,10 +1339,11 @@ static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *u
1335 1339
1336/* called with ebt_mutex locked */ 1340/* called with ebt_mutex locked */
1337static int copy_everything_to_user(struct ebt_table *t, void __user *user, 1341static int copy_everything_to_user(struct ebt_table *t, void __user *user,
1338 int *len, int cmd) 1342 const int *len, int cmd)
1339{ 1343{
1340 struct ebt_replace tmp; 1344 struct ebt_replace tmp;
1341 struct ebt_counter *counterstmp, *oldcounters; 1345 struct ebt_counter *counterstmp;
1346 const struct ebt_counter *oldcounters;
1342 unsigned int entries_size, nentries; 1347 unsigned int entries_size, nentries;
1343 char *entries; 1348 char *entries;
1344 1349
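Review bot: Several casts in this file still strip the qualifier this commit adds: `ebt_make_matchname` and `ebt_make_watchername` compute `(char *)m - base` and `(char *)w - base` on pointers that are now const, and `check_chainloops` initialises `const struct ebt_entry *e = (struct ebt_entry *)chain->data;` from a const `chain`. Writing them as `(const char *)m`, `(const char *)w` and `(const struct ebt_entry *)chain->data` keeps the read-only intent visible on code that walks a table blob originally supplied by userspace, and stays clean under `-Wcast-qual`. `check_chainloops` also keeps `char *base` while the name helpers moved to `const char *base`; whether it can be const too depends on the body, which continues outside the hunk.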
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 2303dc92a277..4db5c1ece0f9 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -233,7 +233,14 @@ arpt_error(struct sk_buff *skb, const struct xt_target_param *par)
233 return NF_DROP; 233 return NF_DROP;
234} 234}
235 235
236static inline struct arpt_entry *get_entry(void *base, unsigned int offset) 236static inline const struct arpt_entry_target *
237arpt_get_target_c(const struct arpt_entry *e)
238{
239 return arpt_get_target((struct arpt_entry *)e);
240}
241
242static inline struct arpt_entry *
243get_entry(const void *base, unsigned int offset)
237{ 244{
238 return (struct arpt_entry *)(base + offset); 245 return (struct arpt_entry *)(base + offset);
239} 246}
@@ -280,7 +287,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
280 287
281 arp = arp_hdr(skb); 288 arp = arp_hdr(skb);
282 do { 289 do {
283 struct arpt_entry_target *t; 290 const struct arpt_entry_target *t;
284 int hdr_len; 291 int hdr_len;
285 292
286 if (!arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) { 293 if (!arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) {
@@ -292,7 +299,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
292 (2 * skb->dev->addr_len); 299 (2 * skb->dev->addr_len);
293 ADD_COUNTER(e->counters, hdr_len, 1); 300 ADD_COUNTER(e->counters, hdr_len, 1);
294 301
295 t = arpt_get_target(e); 302 t = arpt_get_target_c(e);
296 303
297 /* Standard target? */ 304 /* Standard target? */
298 if (!t->u.kernel.target->target) { 305 if (!t->u.kernel.target->target) {
@@ -358,7 +365,7 @@ static inline bool unconditional(const struct arpt_arp *arp)
358/* Figures out from what hook each rule can be called: returns 0 if 365/* Figures out from what hook each rule can be called: returns 0 if
359 * there are loops. Puts hook bitmask in comefrom. 366 * there are loops. Puts hook bitmask in comefrom.
360 */ 367 */
361static int mark_source_chains(struct xt_table_info *newinfo, 368static int mark_source_chains(const struct xt_table_info *newinfo,
362 unsigned int valid_hooks, void *entry0) 369 unsigned int valid_hooks, void *entry0)
363{ 370{
364 unsigned int hook; 371 unsigned int hook;
@@ -379,7 +386,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
379 386
380 for (;;) { 387 for (;;) {
381 const struct arpt_standard_target *t 388 const struct arpt_standard_target *t
382 = (void *)arpt_get_target(e); 389 = (void *)arpt_get_target_c(e);
383 int visited = e->comefrom & (1 << hook); 390 int visited = e->comefrom & (1 << hook);
384 391
385 if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) { 392 if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) {
@@ -463,7 +470,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
463 return 1; 470 return 1;
464} 471}
465 472
466static inline int check_entry(struct arpt_entry *e, const char *name) 473static inline int check_entry(const struct arpt_entry *e, const char *name)
467{ 474{
468 const struct arpt_entry_target *t; 475 const struct arpt_entry_target *t;
469 476
@@ -475,7 +482,7 @@ static inline int check_entry(struct arpt_entry *e, const char *name)
475 if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset) 482 if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset)
476 return -EINVAL; 483 return -EINVAL;
477 484
478 t = arpt_get_target(e); 485 t = arpt_get_target_c(e);
479 if (e->target_offset + t->u.target_size > e->next_offset) 486 if (e->target_offset + t->u.target_size > e->next_offset)
480 return -EINVAL; 487 return -EINVAL;
481 488
@@ -540,14 +547,14 @@ out:
540 return ret; 547 return ret;
541} 548}
542 549
543static bool check_underflow(struct arpt_entry *e) 550static bool check_underflow(const struct arpt_entry *e)
544{ 551{
545 const struct arpt_entry_target *t; 552 const struct arpt_entry_target *t;
546 unsigned int verdict; 553 unsigned int verdict;
547 554
548 if (!unconditional(&e->arp)) 555 if (!unconditional(&e->arp))
549 return false; 556 return false;
550 t = arpt_get_target(e); 557 t = arpt_get_target_c(e);
551 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) 558 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
552 return false; 559 return false;
553 verdict = ((struct arpt_standard_target *)t)->verdict; 560 verdict = ((struct arpt_standard_target *)t)->verdict;
@@ -557,8 +564,8 @@ static bool check_underflow(struct arpt_entry *e)
557 564
558static inline int check_entry_size_and_hooks(struct arpt_entry *e, 565static inline int check_entry_size_and_hooks(struct arpt_entry *e,
559 struct xt_table_info *newinfo, 566 struct xt_table_info *newinfo,
560 unsigned char *base, 567 const unsigned char *base,
561 unsigned char *limit, 568 const unsigned char *limit,
562 const unsigned int *hook_entries, 569 const unsigned int *hook_entries,
563 const unsigned int *underflows, 570 const unsigned int *underflows,
564 unsigned int valid_hooks, 571 unsigned int valid_hooks,
@@ -768,11 +775,11 @@ static void get_counters(const struct xt_table_info *t,
768 local_bh_enable(); 775 local_bh_enable();
769} 776}
770 777
771static struct xt_counters *alloc_counters(struct xt_table *table) 778static struct xt_counters *alloc_counters(const struct xt_table *table)
772{ 779{
773 unsigned int countersize; 780 unsigned int countersize;
774 struct xt_counters *counters; 781 struct xt_counters *counters;
775 struct xt_table_info *private = table->private; 782 const struct xt_table_info *private = table->private;
776 783
777 /* We need atomic snapshot of counters: rest doesn't change 784 /* We need atomic snapshot of counters: rest doesn't change
778 * (other than comefrom, which userspace doesn't care 785 * (other than comefrom, which userspace doesn't care
@@ -790,11 +797,11 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
790} 797}
791 798
792static int copy_entries_to_user(unsigned int total_size, 799static int copy_entries_to_user(unsigned int total_size,
793 struct xt_table *table, 800 const struct xt_table *table,
794 void __user *userptr) 801 void __user *userptr)
795{ 802{
796 unsigned int off, num; 803 unsigned int off, num;
797 struct arpt_entry *e; 804 const struct arpt_entry *e;
798 struct xt_counters *counters; 805 struct xt_counters *counters;
799 struct xt_table_info *private = table->private; 806 struct xt_table_info *private = table->private;
800 int ret = 0; 807 int ret = 0;
@@ -814,7 +821,7 @@ static int copy_entries_to_user(unsigned int total_size,
814 /* FIXME: use iterator macros --RR */ 821 /* FIXME: use iterator macros --RR */
815 /* ... then go back and fix counters and names */ 822 /* ... then go back and fix counters and names */
816 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){ 823 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
817 struct arpt_entry_target *t; 824 const struct arpt_entry_target *t;
818 825
819 e = (struct arpt_entry *)(loc_cpu_entry + off); 826 e = (struct arpt_entry *)(loc_cpu_entry + off);
820 if (copy_to_user(userptr + off 827 if (copy_to_user(userptr + off
@@ -825,7 +832,7 @@ static int copy_entries_to_user(unsigned int total_size,
825 goto free_counters; 832 goto free_counters;
826 } 833 }
827 834
828 t = arpt_get_target(e); 835 t = arpt_get_target_c(e);
829 if (copy_to_user(userptr + off + e->target_offset 836 if (copy_to_user(userptr + off + e->target_offset
830 + offsetof(struct arpt_entry_target, 837 + offsetof(struct arpt_entry_target,
831 u.user.name), 838 u.user.name),
@@ -860,18 +867,18 @@ static int compat_standard_to_user(void __user *dst, const void *src)
860 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0; 867 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
861} 868}
862 869
863static int compat_calc_entry(struct arpt_entry *e, 870static int compat_calc_entry(const struct arpt_entry *e,
864 const struct xt_table_info *info, 871 const struct xt_table_info *info,
865 void *base, struct xt_table_info *newinfo) 872 const void *base, struct xt_table_info *newinfo)
866{ 873{
867 struct arpt_entry_target *t; 874 const struct arpt_entry_target *t;
868 unsigned int entry_offset; 875 unsigned int entry_offset;
869 int off, i, ret; 876 int off, i, ret;
870 877
871 off = sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry); 878 off = sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry);
872 entry_offset = (void *)e - base; 879 entry_offset = (void *)e - base;
873 880
874 t = arpt_get_target(e); 881 t = arpt_get_target_c(e);
875 off += xt_compat_target_offset(t->u.kernel.target); 882 off += xt_compat_target_offset(t->u.kernel.target);
876 newinfo->size -= off; 883 newinfo->size -= off;
877 ret = xt_compat_add_offset(NFPROTO_ARP, entry_offset, off); 884 ret = xt_compat_add_offset(NFPROTO_ARP, entry_offset, off);
@@ -907,7 +914,8 @@ static int compat_table_info(const struct xt_table_info *info,
907} 914}
908#endif 915#endif
909 916
910static int get_info(struct net *net, void __user *user, int *len, int compat) 917static int get_info(struct net *net, void __user *user,
918 const int *len, int compat)
911{ 919{
912 char name[ARPT_TABLE_MAXNAMELEN]; 920 char name[ARPT_TABLE_MAXNAMELEN];
913 struct xt_table *t; 921 struct xt_table *t;
@@ -966,7 +974,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
966} 974}
967 975
968static int get_entries(struct net *net, struct arpt_get_entries __user *uptr, 976static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
969 int *len) 977 const int *len)
970{ 978{
971 int ret; 979 int ret;
972 struct arpt_get_entries get; 980 struct arpt_get_entries get;
@@ -1080,7 +1088,8 @@ static int __do_replace(struct net *net, const char *name,
1080 return ret; 1088 return ret;
1081} 1089}
1082 1090
1083static int do_replace(struct net *net, void __user *user, unsigned int len) 1091static int do_replace(struct net *net, const void __user *user,
1092 unsigned int len)
1084{ 1093{
1085 int ret; 1094 int ret;
1086 struct arpt_replace tmp; 1095 struct arpt_replace tmp;
@@ -1140,8 +1149,8 @@ add_counter_to_entry(struct arpt_entry *e,
1140 return 0; 1149 return 0;
1141} 1150}
1142 1151
1143static int do_add_counters(struct net *net, void __user *user, unsigned int len, 1152static int do_add_counters(struct net *net, const void __user *user,
1144 int compat) 1153 unsigned int len, int compat)
1145{ 1154{
1146 unsigned int i, curcpu; 1155 unsigned int i, curcpu;
1147 struct xt_counters_info tmp; 1156 struct xt_counters_info tmp;
@@ -1245,10 +1254,10 @@ static inline int
1245check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, 1254check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
1246 struct xt_table_info *newinfo, 1255 struct xt_table_info *newinfo,
1247 unsigned int *size, 1256 unsigned int *size,
1248 unsigned char *base, 1257 const unsigned char *base,
1249 unsigned char *limit, 1258 const unsigned char *limit,
1250 unsigned int *hook_entries, 1259 const unsigned int *hook_entries,
1251 unsigned int *underflows, 1260 const unsigned int *underflows,
1252 unsigned int *i, 1261 unsigned int *i,
1253 const char *name) 1262 const char *name)
1254{ 1263{
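Review bot: `get_entry()` now takes `const void *base` but still returns a writable `struct arpt_entry *`, so the qualifier is dropped inside the helper and a caller holding a const table base gets a mutable entry back with no compiler diagnostic. If that is deliberate (the packet path visibly updates `e->counters`), say so above the helper, e.g. `/* base is const for callers; the returned entry stays writable for counter updates */`. The new `arpt_get_target_c()` also casts away const without explanation; the ip_tables counterpart carries `/* for const-correctness */` and the same comment belongs here. In `copy_entries_to_user`, whose body continues outside the hunk, the local `struct xt_table_info *private = table->private;` was left non-const although `alloc_counters` in this file was changed to `const struct xt_table_info *private`; it looks like it could be const as well.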
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 2a4f745ce36e..e94c18bdfc68 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -176,7 +176,7 @@ ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
176 176
177/* Performance critical - called for every packet */ 177/* Performance critical - called for every packet */
178static inline bool 178static inline bool
179do_match(struct ipt_entry_match *m, const struct sk_buff *skb, 179do_match(const struct ipt_entry_match *m, const struct sk_buff *skb,
180 struct xt_match_param *par) 180 struct xt_match_param *par)
181{ 181{
182 par->match = m->u.kernel.match; 182 par->match = m->u.kernel.match;
@@ -191,7 +191,7 @@ do_match(struct ipt_entry_match *m, const struct sk_buff *skb,
191 191
192/* Performance critical */ 192/* Performance critical */
193static inline struct ipt_entry * 193static inline struct ipt_entry *
194get_entry(void *base, unsigned int offset) 194get_entry(const void *base, unsigned int offset)
195{ 195{
196 return (struct ipt_entry *)(base + offset); 196 return (struct ipt_entry *)(base + offset);
197} 197}
@@ -206,6 +206,13 @@ static inline bool unconditional(const struct ipt_ip *ip)
206#undef FWINV 206#undef FWINV
207} 207}
208 208
209/* for const-correctness */
210static inline const struct ipt_entry_target *
211ipt_get_target_c(const struct ipt_entry *e)
212{
213 return ipt_get_target((struct ipt_entry *)e);
214}
215
209#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ 216#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
210 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) 217 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
211static const char *const hooknames[] = { 218static const char *const hooknames[] = {
@@ -240,11 +247,11 @@ static struct nf_loginfo trace_loginfo = {
240 247
241/* Mildly perf critical (only if packet tracing is on) */ 248/* Mildly perf critical (only if packet tracing is on) */
242static inline int 249static inline int
243get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e, 250get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e,
244 const char *hookname, const char **chainname, 251 const char *hookname, const char **chainname,
245 const char **comment, unsigned int *rulenum) 252 const char **comment, unsigned int *rulenum)
246{ 253{
247 struct ipt_standard_target *t = (void *)ipt_get_target(s); 254 const struct ipt_standard_target *t = (void *)ipt_get_target_c(s);
248 255
249 if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) { 256 if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) {
250 /* Head of user chain: ERROR target with chainname */ 257 /* Head of user chain: ERROR target with chainname */
@@ -270,15 +277,15 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
270 return 0; 277 return 0;
271} 278}
272 279
273static void trace_packet(struct sk_buff *skb, 280static void trace_packet(const struct sk_buff *skb,
274 unsigned int hook, 281 unsigned int hook,
275 const struct net_device *in, 282 const struct net_device *in,
276 const struct net_device *out, 283 const struct net_device *out,
277 const char *tablename, 284 const char *tablename,
278 struct xt_table_info *private, 285 const struct xt_table_info *private,
279 struct ipt_entry *e) 286 const struct ipt_entry *e)
280{ 287{
281 void *table_base; 288 const void *table_base;
282 const struct ipt_entry *root; 289 const struct ipt_entry *root;
283 const char *hookname, *chainname, *comment; 290 const char *hookname, *chainname, *comment;
284 unsigned int rulenum = 0; 291 unsigned int rulenum = 0;
@@ -322,9 +329,9 @@ ipt_do_table(struct sk_buff *skb,
322 /* Initializing verdict to NF_DROP keeps gcc happy. */ 329 /* Initializing verdict to NF_DROP keeps gcc happy. */
323 unsigned int verdict = NF_DROP; 330 unsigned int verdict = NF_DROP;
324 const char *indev, *outdev; 331 const char *indev, *outdev;
325 void *table_base; 332 const void *table_base;
326 struct ipt_entry *e, *back; 333 struct ipt_entry *e, *back;
327 struct xt_table_info *private; 334 const struct xt_table_info *private;
328 struct xt_match_param mtpar; 335 struct xt_match_param mtpar;
329 struct xt_target_param tgpar; 336 struct xt_target_param tgpar;
330 337
@@ -357,7 +364,7 @@ ipt_do_table(struct sk_buff *skb,
357 back = get_entry(table_base, private->underflow[hook]); 364 back = get_entry(table_base, private->underflow[hook]);
358 365
359 do { 366 do {
360 struct ipt_entry_target *t; 367 const struct ipt_entry_target *t;
361 368
362 IP_NF_ASSERT(e); 369 IP_NF_ASSERT(e);
363 IP_NF_ASSERT(back); 370 IP_NF_ASSERT(back);
@@ -450,7 +457,7 @@ ipt_do_table(struct sk_buff *skb,
450/* Figures out from what hook each rule can be called: returns 0 if 457/* Figures out from what hook each rule can be called: returns 0 if
451 there are loops. Puts hook bitmask in comefrom. */ 458 there are loops. Puts hook bitmask in comefrom. */
452static int 459static int
453mark_source_chains(struct xt_table_info *newinfo, 460mark_source_chains(const struct xt_table_info *newinfo,
454 unsigned int valid_hooks, void *entry0) 461 unsigned int valid_hooks, void *entry0)
455{ 462{
456 unsigned int hook; 463 unsigned int hook;
@@ -468,8 +475,8 @@ mark_source_chains(struct xt_table_info *newinfo,
468 e->counters.pcnt = pos; 475 e->counters.pcnt = pos;
469 476
470 for (;;) { 477 for (;;) {
471 struct ipt_standard_target *t 478 const struct ipt_standard_target *t
472 = (void *)ipt_get_target(e); 479 = (void *)ipt_get_target_c(e);
473 int visited = e->comefrom & (1 << hook); 480 int visited = e->comefrom & (1 << hook);
474 481
475 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { 482 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
@@ -578,9 +585,9 @@ cleanup_match(struct ipt_entry_match *m, struct net *net, unsigned int *i)
578} 585}
579 586
580static int 587static int
581check_entry(struct ipt_entry *e, const char *name) 588check_entry(const struct ipt_entry *e, const char *name)
582{ 589{
583 struct ipt_entry_target *t; 590 const struct ipt_entry_target *t;
584 591
585 if (!ip_checkentry(&e->ip)) { 592 if (!ip_checkentry(&e->ip)) {
586 duprintf("ip_tables: ip check failed %p %s.\n", e, name); 593 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
@@ -591,7 +598,7 @@ check_entry(struct ipt_entry *e, const char *name)
591 e->next_offset) 598 e->next_offset)
592 return -EINVAL; 599 return -EINVAL;
593 600
594 t = ipt_get_target(e); 601 t = ipt_get_target_c(e);
595 if (e->target_offset + t->u.target_size > e->next_offset) 602 if (e->target_offset + t->u.target_size > e->next_offset)
596 return -EINVAL; 603 return -EINVAL;
597 604
@@ -718,14 +725,14 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
718 return ret; 725 return ret;
719} 726}
720 727
721static bool check_underflow(struct ipt_entry *e) 728static bool check_underflow(const struct ipt_entry *e)
722{ 729{
723 const struct ipt_entry_target *t; 730 const struct ipt_entry_target *t;
724 unsigned int verdict; 731 unsigned int verdict;
725 732
726 if (!unconditional(&e->ip)) 733 if (!unconditional(&e->ip))
727 return false; 734 return false;
728 t = ipt_get_target(e); 735 t = ipt_get_target_c(e);
729 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) 736 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
730 return false; 737 return false;
731 verdict = ((struct ipt_standard_target *)t)->verdict; 738 verdict = ((struct ipt_standard_target *)t)->verdict;
@@ -736,8 +743,8 @@ static bool check_underflow(struct ipt_entry *e)
736static int 743static int
737check_entry_size_and_hooks(struct ipt_entry *e, 744check_entry_size_and_hooks(struct ipt_entry *e,
738 struct xt_table_info *newinfo, 745 struct xt_table_info *newinfo,
739 unsigned char *base, 746 const unsigned char *base,
740 unsigned char *limit, 747 const unsigned char *limit,
741 const unsigned int *hook_entries, 748 const unsigned int *hook_entries,
742 const unsigned int *underflows, 749 const unsigned int *underflows,
743 unsigned int valid_hooks, 750 unsigned int valid_hooks,
@@ -952,11 +959,11 @@ get_counters(const struct xt_table_info *t,
952 local_bh_enable(); 959 local_bh_enable();
953} 960}
954 961
955static struct xt_counters * alloc_counters(struct xt_table *table) 962static struct xt_counters *alloc_counters(const struct xt_table *table)
956{ 963{
957 unsigned int countersize; 964 unsigned int countersize;
958 struct xt_counters *counters; 965 struct xt_counters *counters;
959 struct xt_table_info *private = table->private; 966 const struct xt_table_info *private = table->private;
960 967
961 /* We need atomic snapshot of counters: rest doesn't change 968 /* We need atomic snapshot of counters: rest doesn't change
962 (other than comefrom, which userspace doesn't care 969 (other than comefrom, which userspace doesn't care
@@ -974,11 +981,11 @@ static struct xt_counters * alloc_counters(struct xt_table *table)
974 981
975static int 982static int
976copy_entries_to_user(unsigned int total_size, 983copy_entries_to_user(unsigned int total_size,
977 struct xt_table *table, 984 const struct xt_table *table,
978 void __user *userptr) 985 void __user *userptr)
979{ 986{
980 unsigned int off, num; 987 unsigned int off, num;
981 struct ipt_entry *e; 988 const struct ipt_entry *e;
982 struct xt_counters *counters; 989 struct xt_counters *counters;
983 const struct xt_table_info *private = table->private; 990 const struct xt_table_info *private = table->private;
984 int ret = 0; 991 int ret = 0;
@@ -1030,7 +1037,7 @@ copy_entries_to_user(unsigned int total_size,
1030 } 1037 }
1031 } 1038 }
1032 1039
1033 t = ipt_get_target(e); 1040 t = ipt_get_target_c(e);
1034 if (copy_to_user(userptr + off + e->target_offset 1041 if (copy_to_user(userptr + off + e->target_offset
1035 + offsetof(struct ipt_entry_target, 1042 + offsetof(struct ipt_entry_target,
1036 u.user.name), 1043 u.user.name),
@@ -1066,24 +1073,24 @@ static int compat_standard_to_user(void __user *dst, const void *src)
1066} 1073}
1067 1074
1068static inline int 1075static inline int
1069compat_calc_match(struct ipt_entry_match *m, int *size) 1076compat_calc_match(const struct ipt_entry_match *m, int *size)
1070{ 1077{
1071 *size += xt_compat_match_offset(m->u.kernel.match); 1078 *size += xt_compat_match_offset(m->u.kernel.match);
1072 return 0; 1079 return 0;
1073} 1080}
1074 1081
1075static int compat_calc_entry(struct ipt_entry *e, 1082static int compat_calc_entry(const struct ipt_entry *e,
1076 const struct xt_table_info *info, 1083 const struct xt_table_info *info,
1077 void *base, struct xt_table_info *newinfo) 1084 const void *base, struct xt_table_info *newinfo)
1078{ 1085{
1079 struct ipt_entry_target *t; 1086 const struct ipt_entry_target *t;
1080 unsigned int entry_offset; 1087 unsigned int entry_offset;
1081 int off, i, ret; 1088 int off, i, ret;
1082 1089
1083 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); 1090 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1084 entry_offset = (void *)e - base; 1091 entry_offset = (void *)e - base;
1085 IPT_MATCH_ITERATE(e, compat_calc_match, &off); 1092 IPT_MATCH_ITERATE(e, compat_calc_match, &off);
1086 t = ipt_get_target(e); 1093 t = ipt_get_target_c(e);
1087 off += xt_compat_target_offset(t->u.kernel.target); 1094 off += xt_compat_target_offset(t->u.kernel.target);
1088 newinfo->size -= off; 1095 newinfo->size -= off;
1089 ret = xt_compat_add_offset(AF_INET, entry_offset, off); 1096 ret = xt_compat_add_offset(AF_INET, entry_offset, off);
@@ -1119,7 +1126,8 @@ static int compat_table_info(const struct xt_table_info *info,
1119} 1126}
1120#endif 1127#endif
1121 1128
1122static int get_info(struct net *net, void __user *user, int *len, int compat) 1129static int get_info(struct net *net, void __user *user,
1130 const int *len, int compat)
1123{ 1131{
1124 char name[IPT_TABLE_MAXNAMELEN]; 1132 char name[IPT_TABLE_MAXNAMELEN];
1125 struct xt_table *t; 1133 struct xt_table *t;
@@ -1179,7 +1187,8 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
1179} 1187}
1180 1188
1181static int 1189static int
1182get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len) 1190get_entries(struct net *net, struct ipt_get_entries __user *uptr,
1191 const int *len)
1183{ 1192{
1184 int ret; 1193 int ret;
1185 struct ipt_get_entries get; 1194 struct ipt_get_entries get;
@@ -1289,7 +1298,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1289} 1298}
1290 1299
1291static int 1300static int
1292do_replace(struct net *net, void __user *user, unsigned int len) 1301do_replace(struct net *net, const void __user *user, unsigned int len)
1293{ 1302{
1294 int ret; 1303 int ret;
1295 struct ipt_replace tmp; 1304 struct ipt_replace tmp;
@@ -1350,7 +1359,8 @@ add_counter_to_entry(struct ipt_entry *e,
1350} 1359}
1351 1360
1352static int 1361static int
1353do_add_counters(struct net *net, void __user *user, unsigned int len, int compat) 1362do_add_counters(struct net *net, const void __user *user,
1363 unsigned int len, int compat)
1354{ 1364{
1355 unsigned int i, curcpu; 1365 unsigned int i, curcpu;
1356 struct xt_counters_info tmp; 1366 struct xt_counters_info tmp;
@@ -1546,10 +1556,10 @@ static int
1546check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, 1556check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
1547 struct xt_table_info *newinfo, 1557 struct xt_table_info *newinfo,
1548 unsigned int *size, 1558 unsigned int *size,
1549 unsigned char *base, 1559 const unsigned char *base,
1550 unsigned char *limit, 1560 const unsigned char *limit,
1551 unsigned int *hook_entries, 1561 const unsigned int *hook_entries,
1552 unsigned int *underflows, 1562 const unsigned int *underflows,
1553 unsigned int *i, 1563 unsigned int *i,
1554 const char *name) 1564 const char *name)
1555{ 1565{
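diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 3ff4fd50e96e..4185099c2943 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -208,7 +208,7 @@ ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
 
 /* Performance critical - called for every packet */
 static inline bool
-do_match(struct ip6t_entry_match *m, const struct sk_buff *skb,
+do_match(const struct ip6t_entry_match *m, const struct sk_buff *skb,
   struct xt_match_param *par)
 {
  par->match = m->u.kernel.match;
@@ -222,7 +222,7 @@ do_match(struct ip6t_entry_match *m, const struct sk_buff *skb,
 }
 
 static inline struct ip6t_entry *
-get_entry(void *base, unsigned int offset)
+get_entry(const void *base, unsigned int offset)
 {
  return (struct ip6t_entry *)(base + offset);
 }
@@ -236,6 +236,12 @@ static inline bool unconditional(const struct ip6t_ip6 *ipv6)
  return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
 }
 
+static inline const struct ip6t_entry_target *
+ip6t_get_target_c(const struct ip6t_entry *e)
+{
+ return ip6t_get_target((struct ip6t_entry *)e);
+}
+
 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
  defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
 /* This cries for unification! */
@@ -271,11 +277,11 @@ static struct nf_loginfo trace_loginfo = {
 
 /* Mildly perf critical (only if packet tracing is on) */
 static inline int
-get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
+get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
   const char *hookname, const char **chainname,
   const char **comment, unsigned int *rulenum)
 {
- struct ip6t_standard_target *t = (void *)ip6t_get_target(s);
+ const struct ip6t_standard_target *t = (void *)ip6t_get_target_c(s);
 
  if (strcmp(t->target.u.kernel.target->name, IP6T_ERROR_TARGET) == 0) {
  /* Head of user chain: ERROR target with chainname */
@@ -301,15 +307,15 @@ get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
  return 0;
 }
 
-static void trace_packet(struct sk_buff *skb,
+static void trace_packet(const struct sk_buff *skb,
   unsigned int hook,
   const struct net_device *in,
   const struct net_device *out,
   const char *tablename,
- struct xt_table_info *private,
- struct ip6t_entry *e)
+ const struct xt_table_info *private,
+ const struct ip6t_entry *e)
 {
- void *table_base;
+ const void *table_base;
  const struct ip6t_entry *root;
  const char *hookname, *chainname, *comment;
  unsigned int rulenum = 0;
@@ -352,9 +358,9 @@ ip6t_do_table(struct sk_buff *skb,
  /* Initializing verdict to NF_DROP keeps gcc happy. */
  unsigned int verdict = NF_DROP;
  const char *indev, *outdev;
- void *table_base;
+ const void *table_base;
  struct ip6t_entry *e, *back;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
  struct xt_match_param mtpar;
  struct xt_target_param tgpar;
 
@@ -385,7 +391,7 @@ ip6t_do_table(struct sk_buff *skb,
  back = get_entry(table_base, private->underflow[hook]);
 
  do {
- struct ip6t_entry_target *t;
+ const struct ip6t_entry_target *t;
 
  IP_NF_ASSERT(e);
  IP_NF_ASSERT(back);
@@ -400,7 +406,7 @@ ip6t_do_table(struct sk_buff *skb,
  ntohs(ipv6_hdr(skb)->payload_len) +
  sizeof(struct ipv6hdr), 1);
 
- t = ip6t_get_target(e);
+ t = ip6t_get_target_c(e);
  IP_NF_ASSERT(t->u.kernel.target);
 
 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
@@ -482,7 +488,7 @@ ip6t_do_table(struct sk_buff *skb,
 /* Figures out from what hook each rule can be called: returns 0 if
  there are loops. Puts hook bitmask in comefrom. */
 static int
-mark_source_chains(struct xt_table_info *newinfo,
+mark_source_chains(const struct xt_table_info *newinfo,
   unsigned int valid_hooks, void *entry0)
 {
  unsigned int hook;
@@ -500,8 +506,8 @@ mark_source_chains(struct xt_table_info *newinfo,
  e->counters.pcnt = pos;
 
  for (;;) {
- struct ip6t_standard_target *t
- = (void *)ip6t_get_target(e);
+ const struct ip6t_standard_target *t
+ = (void *)ip6t_get_target_c(e);
  int visited = e->comefrom & (1 << hook);
 
  if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
@@ -610,9 +616,9 @@ cleanup_match(struct ip6t_entry_match *m, struct net *net, unsigned int *i)
 }
 
 static int
-check_entry(struct ip6t_entry *e, const char *name)
+check_entry(const struct ip6t_entry *e, const char *name)
 {
- struct ip6t_entry_target *t;
+ const struct ip6t_entry_target *t;
 
  if (!ip6_checkentry(&e->ipv6)) {
  duprintf("ip_tables: ip check failed %p %s.\n", e, name);
@@ -623,7 +629,7 @@ check_entry(struct ip6t_entry *e, const char *name)
  e->next_offset)
  return -EINVAL;
 
- t = ip6t_get_target(e);
+ t = ip6t_get_target_c(e);
  if (e->target_offset + t->u.target_size > e->next_offset)
  return -EINVAL;
 
@@ -750,14 +756,14 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
  return ret;
 }
 
-static bool check_underflow(struct ip6t_entry *e)
+static bool check_underflow(const struct ip6t_entry *e)
 {
  const struct ip6t_entry_target *t;
  unsigned int verdict;
 
  if (!unconditional(&e->ipv6))
  return false;
- t = ip6t_get_target(e);
+ t = ip6t_get_target_c(e);
  if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
  return false;
  verdict = ((struct ip6t_standard_target *)t)->verdict;
@@ -768,8 +774,8 @@ static bool check_underflow(struct ip6t_entry *e)
 static int
 check_entry_size_and_hooks(struct ip6t_entry *e,
   struct xt_table_info *newinfo,
- unsigned char *base,
- unsigned char *limit,
+ const unsigned char *base,
+ const unsigned char *limit,
   const unsigned int *hook_entries,
   const unsigned int *underflows,
   unsigned int valid_hooks,
@@ -984,11 +990,11 @@ get_counters(const struct xt_table_info *t,
  local_bh_enable();
 }
 
-static struct xt_counters *alloc_counters(struct xt_table *table)
+static struct xt_counters *alloc_counters(const struct xt_table *table)
 {
  unsigned int countersize;
  struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
 
  /* We need atomic snapshot of counters: rest doesn't change
  (other than comefrom, which userspace doesn't care
@@ -1006,11 +1012,11 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
 
 static int
 copy_entries_to_user(unsigned int total_size,
- struct xt_table *table,
+ const struct xt_table *table,
   void __user *userptr)
 {
  unsigned int off, num;
- struct ip6t_entry *e;
+ const struct ip6t_entry *e;
  struct xt_counters *counters;
  const struct xt_table_info *private = table->private;
  int ret = 0;
@@ -1062,7 +1068,7 @@ copy_entries_to_user(unsigned int total_size,
  }
  }
 
- t = ip6t_get_target(e);
+ t = ip6t_get_target_c(e);
  if (copy_to_user(userptr + off + e->target_offset
  + offsetof(struct ip6t_entry_target,
  u.user.name),
@@ -1098,24 +1104,24 @@ static int compat_standard_to_user(void __user *dst, const void *src)
 }
 
 static inline int
-compat_calc_match(struct ip6t_entry_match *m, int *size)
+compat_calc_match(const struct ip6t_entry_match *m, int *size)
 {
  *size += xt_compat_match_offset(m->u.kernel.match);
  return 0;
 }
 
-static int compat_calc_entry(struct ip6t_entry *e,
+static int compat_calc_entry(const struct ip6t_entry *e,
   const struct xt_table_info *info,
- void *base, struct xt_table_info *newinfo)
+ const void *base, struct xt_table_info *newinfo)
 {
- struct ip6t_entry_target *t;
+ const struct ip6t_entry_target *t;
  unsigned int entry_offset;
  int off, i, ret;
 
  off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
  entry_offset = (void *)e - base;
  IP6T_MATCH_ITERATE(e, compat_calc_match, &off);
- t = ip6t_get_target(e);
+ t = ip6t_get_target_c(e);
  off += xt_compat_target_offset(t->u.kernel.target);
  newinfo->size -= off;
  ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
@@ -1151,7 +1157,8 @@ static int compat_table_info(const struct xt_table_info *info,
 }
 #endif
 
-static int get_info(struct net *net, void __user *user, int *len, int compat)
+static int get_info(struct net *net, void __user *user,
+ const int *len, int compat)
 {
  char name[IP6T_TABLE_MAXNAMELEN];
  struct xt_table *t;
@@ -1211,7 +1218,8 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
 }
 
 static int
-get_entries(struct net *net, struct ip6t_get_entries __user *uptr, int *len)
+get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
+ const int *len)
 {
  int ret;
  struct ip6t_get_entries get;
@@ -1322,7 +1330,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
 }
 
 static int
-do_replace(struct net *net, void __user *user, unsigned int len)
+do_replace(struct net *net, const void __user *user, unsigned int len)
 {
  int ret;
  struct ip6t_replace tmp;
@@ -1383,7 +1391,7 @@ add_counter_to_entry(struct ip6t_entry *e,
 }
 
 static int
-do_add_counters(struct net *net, void __user *user, unsigned int len,
+do_add_counters(struct net *net, const void __user *user, unsigned int len,
   int compat)
 {
  unsigned int i, curcpu;
@@ -1582,10 +1590,10 @@ static int
 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
   struct xt_table_info *newinfo,
   unsigned int *size,
- unsigned char *base,
- unsigned char *limit,
- unsigned int *hook_entries,
- unsigned int *underflows,
+ const unsigned char *base,
+ const unsigned char *limit,
+ const unsigned int *hook_entries,
+ const unsigned int *underflows,
   unsigned int *i,
   const char *name)
 {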
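Review bot: `get_entry()` now takes `const void *base` but still returns a mutable `struct ip6t_entry *`, so the cast in `return (struct ip6t_entry *)(base + offset);` silently discards the qualifier this commit is adding; `ip6t_do_table` accordingly keeps `e` and `back` non-const while `table_base` is const. If the packet path really needs write access through the returned entry (presumably for the per-rule counters; that code is outside the visible hunks), `get_entry` should carry a comment saying so, for example `/* returns a writable entry on purpose; base is const only for the offset arithmetic */`. The same qualifier loss appears in `get_chainname_rulenum` and `mark_source_chains`, where `(void *)ip6t_get_target_c(...)` drops const just before the declaration re-adds it, and in the unchanged `((struct ip6t_standard_target *)t)->verdict` in `check_underflow`. Writing `(const void *)` and `(const struct ip6t_standard_target *)` there would let the compiler keep flagging accidental writes into the ruleset blob.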