Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: remove forward module param confusion.

It used to be an int, and it got changed to a bool parameter at least
7 years ago. It happens that NF_ACCEPT and NF_DROP are 0 and 1, so
this works, but it's unclear, and the check that it's in range is not
required.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Rusty Russell and committed by
David S. Miller
523f610e 5d5440a8

+4 -14
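--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -52,7 +52,7 @@
 static struct nf_hook_ops *filter_ops __read_mostly;
 
 /* Default to forward because I got too much mail already. */
-static bool forward = NF_ACCEPT;
+static bool forward = true;
 module_param(forward, bool, 0000);
 
 static int __net_init iptable_filter_net_init(struct net *net)
@@ -64,7 +64,7 @@
 return -ENOMEM;
 /* Entry 1 is the FORWARD hook */
 ((struct ipt_standard *)repl->entries)[1].target.verdict =
--forward - 1;
+forward ? -NF_ACCEPT - 1 : -NF_DROP - 1;
 
 net->ipv4.iptable_filter =
 ipt_register_table(net, &packet_filter, repl);
@@ -87,11 +87,6 @@
 static int __init iptable_filter_init(void)
 {
 int ret;
-
-if (forward < 0 || forward > NF_MAX_VERDICT) {
-pr_err("iptables forward must be 0 or 1\n");
-return -EINVAL;
-}
 
 ret = register_pernet_subsys(&iptable_filter_net_ops);
 if (ret < 0)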
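Review bot: The comment above `forward` ("Default to forward because I got too much mail already.") still does not say what the parameter controls, and because `module_param(forward, bool, 0000)` uses permissions `0000` the value is not exposed under sysfs, so an operator cannot confirm after load whether the built-in FORWARD policy came up as ACCEPT or DROP. I would document it next to the declaration, e.g. `/* forward=0 sets the built-in FORWARD chain policy to DROP instead of ACCEPT. */`, and add a `MODULE_PARM_DESC(forward, ...)` line if none exists outside this hunk. Since the verdict is written in the `__net_init` function, the comment should also say that the choice is applied each time a network namespace's filter table is set up. The same applies to the identical hunks in net/ipv6/netfilter/ip6table_filter.c.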
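--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -44,7 +44,7 @@
 static struct nf_hook_ops *filter_ops __read_mostly;
 
 /* Default to forward because I got too much mail already. */
-static bool forward = NF_ACCEPT;
+static bool forward = true;
 module_param(forward, bool, 0000);
 
 static int __net_init ip6table_filter_net_init(struct net *net)
@@ -56,7 +56,7 @@
 return -ENOMEM;
 /* Entry 1 is the FORWARD hook */
 ((struct ip6t_standard *)repl->entries)[1].target.verdict =
--forward - 1;
+forward ? -NF_ACCEPT - 1 : -NF_DROP - 1;
 
 net->ipv6.ip6table_filter =
 ip6t_register_table(net, &packet_filter, repl);
@@ -79,11 +79,6 @@
 static int __init ip6table_filter_init(void)
 {
 int ret;
-
-if (forward < 0 || forward > NF_MAX_VERDICT) {
-pr_err("iptables forward must be 0 or 1\n");
-return -EINVAL;
-}
 
 ret = register_pernet_subsys(&ip6table_filter_net_ops);
 if (ret < 0)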