Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 33 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 52 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 44 |
3 files changed, 63 insertions, 66 deletions
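--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -313,23 +313,24 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 }
 
 e = get_entry(table_base, v);
-} else {
-/* Targets which reenter must return
-* abs. verdicts
-*/
-tgpar.target = t->u.kernel.target;
-tgpar.targinfo = t->data;
-verdict = t->u.kernel.target->target(skb, &tgpar);
-
-/* Target might have changed stuff. */
-arp = arp_hdr(skb);
-
-if (verdict == ARPT_CONTINUE)
-e = arpt_next_entry(e);
-else
-/* Verdict */
-break;
+continue;
 }
+
+/* Targets which reenter must return
+* abs. verdicts
+*/
+tgpar.target = t->u.kernel.target;
+tgpar.targinfo = t->data;
+verdict = t->u.kernel.target->target(skb, &tgpar);
+
+/* Target might have changed stuff. */
+arp = arp_hdr(skb);
+
+if (verdict == ARPT_CONTINUE)
+e = arpt_next_entry(e);
+else
+/* Verdict */
+break;
 } while (!hotdrop);
 xt_info_rdunlock_bh();
 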
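Review bot: The new `continue;` after `e = get_entry(table_base, v);` sits inside a `do { ... } while (!hotdrop)` loop, where `continue` jumps to the `!hotdrop` test and not to the top of the body, and nothing in the hunk says so. That test appears to be what ends rule traversal once a drop has been requested, so a later edit that turns this into a `for` or `while (1)` loop would silently lose it. I would document the jump where it happens, e.g. `/* next entry chosen above; re-test hotdrop before evaluating it */`. The same `continue;` is added in the ip_tables.c and ip6_tables.c hunks and would take the same comment. arpt_do_table starts and ends outside the hunk, so the branch leading up to the `continue` is not visible here.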
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index cfcb7af91724..d91ecd4c264e 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -402,37 +402,35 @@ ipt_do_table(struct sk_buff *skb, | |||
402 | } | 402 | } |
403 | 403 | ||
404 | e = get_entry(table_base, v); | 404 | e = get_entry(table_base, v); |
405 | } else { | 405 | continue; |
406 | /* Targets which reenter must return | 406 | } |
407 | abs. verdicts */ | 407 | |
408 | tgpar.target = t->u.kernel.target; | 408 | /* Targets which reenter must return |
409 | tgpar.targinfo = t->data; | 409 | abs. verdicts */ |
410 | tgpar.target = t->u.kernel.target; | ||
411 | tgpar.targinfo = t->data; | ||
410 | #ifdef CONFIG_NETFILTER_DEBUG | 412 | #ifdef CONFIG_NETFILTER_DEBUG |
411 | ((struct ipt_entry *)table_base)->comefrom | 413 | ((struct ipt_entry *)table_base)->comefrom = 0xeeeeeeec; |
412 | = 0xeeeeeeec; | ||
413 | #endif | 414 | #endif |
414 | verdict = t->u.kernel.target->target(skb, &tgpar); | 415 | verdict = t->u.kernel.target->target(skb, &tgpar); |
415 | #ifdef CONFIG_NETFILTER_DEBUG | 416 | #ifdef CONFIG_NETFILTER_DEBUG |
416 | if (((struct ipt_entry *)table_base)->comefrom | 417 | if (((struct ipt_entry *)table_base)->comefrom != 0xeeeeeeec && |
417 | != 0xeeeeeeec | 418 | verdict == IPT_CONTINUE) { |
418 | && verdict == IPT_CONTINUE) { | 419 | printk("Target %s reentered!\n", |
419 | printk("Target %s reentered!\n", | 420 | t->u.kernel.target->name); |
420 | t->u.kernel.target->name); | 421 | verdict = NF_DROP; |
421 | verdict = NF_DROP; | ||
422 | } | ||
423 | ((struct ipt_entry *)table_base)->comefrom | ||
424 | = 0x57acc001; | ||
425 | #endif | ||
426 | /* Target might have changed stuff. */ | ||
427 | ip = ip_hdr(skb); | ||
428 | datalen = skb->len - ip->ihl * 4; | ||
429 | |||
430 | if (verdict == IPT_CONTINUE) | ||
431 | e = ipt_next_entry(e); | ||
432 | else | ||
433 | /* Verdict */ | ||
434 | break; | ||
435 | } | 422 | } |
423 | ((struct ipt_entry *)table_base)->comefrom = 0x57acc001; | ||
424 | #endif | ||
425 | /* Target might have changed stuff. */ | ||
426 | ip = ip_hdr(skb); | ||
427 | datalen = skb->len - ip->ihl * 4; | ||
428 | |||
429 | if (verdict == IPT_CONTINUE) | ||
430 | e = ipt_next_entry(e); | ||
431 | else | ||
432 | /* Verdict */ | ||
433 | break; | ||
436 | } while (!hotdrop); | 434 | } while (!hotdrop); |
437 | xt_info_rdunlock_bh(); | 435 | xt_info_rdunlock_bh(); |
438 | 436 | ||
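Review bot: The reentrancy warning under CONFIG_NETFILTER_DEBUG, `printk("Target %s reentered!\n", ...)`, carries no log level and no rate limit although it sits on the per-packet path, so a misbehaving target on a debug build can flood the kernel log. As the commit already rewrites these lines, the message could be guarded at the same time, e.g. `if (net_ratelimit()) printk(KERN_WARNING "Target %s reentered!\n", t->u.kernel.target->name);`. The sentinel values `0xeeeeeeec` and `0x57acc001` written to `comefrom` would also be easier to audit as named constants with a one-line comment on what each marks. The ip6_tables.c hunk carries the same printk and the same literals. ipt_do_table begins and ends outside the hunk.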
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index d01b8a39fbd8..5a178be6c8cc 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
@@ -431,35 +431,33 @@ ip6t_do_table(struct sk_buff *skb, | |||
431 | } | 431 | } |
432 | 432 | ||
433 | e = get_entry(table_base, v); | 433 | e = get_entry(table_base, v); |
434 | } else { | 434 | continue; |
435 | /* Targets which reenter must return | 435 | } |
436 | abs. verdicts */ | 436 | |
437 | tgpar.target = t->u.kernel.target; | 437 | /* Targets which reenter must return |
438 | tgpar.targinfo = t->data; | 438 | abs. verdicts */ |
439 | tgpar.target = t->u.kernel.target; | ||
440 | tgpar.targinfo = t->data; | ||
439 | 441 | ||
440 | #ifdef CONFIG_NETFILTER_DEBUG | 442 | #ifdef CONFIG_NETFILTER_DEBUG |
441 | ((struct ip6t_entry *)table_base)->comefrom | 443 | ((struct ip6t_entry *)table_base)->comefrom = 0xeeeeeeec; |
442 | = 0xeeeeeeec; | ||
443 | #endif | 444 | #endif |
444 | verdict = t->u.kernel.target->target(skb, &tgpar); | 445 | verdict = t->u.kernel.target->target(skb, &tgpar); |
445 | 446 | ||
446 | #ifdef CONFIG_NETFILTER_DEBUG | 447 | #ifdef CONFIG_NETFILTER_DEBUG |
447 | if (((struct ip6t_entry *)table_base)->comefrom | 448 | if (((struct ip6t_entry *)table_base)->comefrom != 0xeeeeeeec && |
448 | != 0xeeeeeeec | 449 | verdict == IP6T_CONTINUE) { |
449 | && verdict == IP6T_CONTINUE) { | 450 | printk("Target %s reentered!\n", |
450 | printk("Target %s reentered!\n", | 451 | t->u.kernel.target->name); |
451 | t->u.kernel.target->name); | 452 | verdict = NF_DROP; |
452 | verdict = NF_DROP; | ||
453 | } | ||
454 | ((struct ip6t_entry *)table_base)->comefrom | ||
455 | = 0x57acc001; | ||
456 | #endif | ||
457 | if (verdict == IP6T_CONTINUE) | ||
458 | e = ip6t_next_entry(e); | ||
459 | else | ||
460 | /* Verdict */ | ||
461 | break; | ||
462 | } | 453 | } |
454 | ((struct ip6t_entry *)table_base)->comefrom = 0x57acc001; | ||
455 | #endif | ||
456 | if (verdict == IP6T_CONTINUE) | ||
457 | e = ip6t_next_entry(e); | ||
458 | else | ||
459 | /* Verdict */ | ||
460 | break; | ||
463 | } while (!hotdrop); | 461 | } while (!hotdrop); |
464 | 462 | ||
465 | #ifdef CONFIG_NETFILTER_DEBUG | 463 | #ifdef CONFIG_NETFILTER_DEBUG |