netfilter: xtables: move extension arguments into compound structure (5/6)

tjh.dev / kernel

fork atom

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

fork atom

netfilter: xtables: move extension arguments into compound structure (5/6)

This patch does this for target extensions' checkentry functions.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

authored by

Jan Engelhardt and committed by

Patrick McHardy 17 years ago af5d6dc2 7eb35586

+206 -281

39 changed files

expand all collapse all

include

linux

netfilter

x_tables.h

netfilter_bridge

ebtables.h

net

bridge

netfilter

ebt_arpreply.c

ebt_dnat.c

ebt_log.c

ebt_mark.c

ebt_nflog.c

ebt_redirect.c

ebt_snat.c

ebt_ulog.c

ebtables.c

ipv4

netfilter

arp_tables.c

arpt_mangle.c

ip_tables.c

ipt_CLUSTERIP.c

ipt_ECN.c

ipt_LOG.c

ipt_MASQUERADE.c

ipt_NETMAP.c

ipt_REDIRECT.c

ipt_REJECT.c

ipt_TTL.c

ipt_ULOG.c

nf_nat_rule.c

ipv6

netfilter

ip6_tables.c

ip6t_HL.c

ip6t_LOG.c

ip6t_REJECT.c

netfilter

x_tables.c

xt_CONNMARK.c

xt_CONNSECMARK.c

xt_DSCP.c

xt_MARK.c

xt_NFLOG.c

xt_RATEEST.c

xt_SECMARK.c

xt_TCPMSS.c

xt_TPROXY.c

sched

act_ipt.c

+20 -9

include/linux/netfilter/x_tables.h

reviewed

··· 234 234 const void *targinfo; 235 235 }; 236 236 237 237 + /** 238 238 + * struct xt_tgchk_param - parameters for target extensions' 239 239 + * checkentry functions 240 240 + * 241 241 + * @entryinfo: the family-specific rule data 242 242 + * (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry) 243 243 + * 244 244 + * Other fields see above. 245 245 + */ 246 246 + struct xt_tgchk_param { 247 247 + const char *table; 248 248 + void *entryinfo; 249 249 + const struct xt_target *target; 250 250 + void *targinfo; 251 251 + unsigned int hook_mask; 252 252 + }; 253 253 + 237 254 struct xt_match 238 255 { 239 256 struct list_head list; ··· 308 291 hook_mask is a bitmask of hooks from which it can be 309 292 called. */ 310 293 /* Should return true or false. */ 311 311 - bool (*checkentry)(const char *tablename, 312 312 - const void *entry, 313 313 - const struct xt_target *target, 314 314 - void *targinfo, 315 315 - unsigned int hook_mask); 294 294 + bool (*checkentry)(const struct xt_tgchk_param *); 316 295 317 296 /* Called when entry of this type deleted. */ 318 297 void (*destroy)(const struct xt_target *target, void *targinfo); ··· 389 376 390 377 extern int xt_check_match(struct xt_mtchk_param *, u_int8_t family, 391 378 unsigned int size, u_int8_t proto, bool inv_proto); 392 392 - extern int xt_check_target(const struct xt_target *target, unsigned short family, 393 393 - unsigned int size, const char *table, unsigned int hook, 394 394 - unsigned short proto, int inv_proto, 395 395 - const void *entry, void *targinfo); 379 379 + extern int xt_check_target(struct xt_tgchk_param *, u_int8_t family, 380 380 + unsigned int size, u_int8_t proto, bool inv_proto); 396 381 397 382 extern struct xt_table *xt_register_table(struct net *net, 398 383 struct xt_table *table,

+2 -2

include/linux/netfilter_bridge/ebtables.h

reviewed

··· 310 310 #define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg)) 311 311 /* True if the hook mask denotes that the rule is in a base chain, 312 312 * used in the check() functions */ 313 313 - #define BASE_CHAIN (hookmask & (1 << NF_BR_NUMHOOKS)) 313 313 + #define BASE_CHAIN (par->hook_mask & (1 << NF_BR_NUMHOOKS)) 314 314 /* Clear the bit in the hook mask that tells if the rule is on a base chain */ 315 315 - #define CLEAR_BASE_CHAIN_BIT (hookmask &= ~(1 << NF_BR_NUMHOOKS)) 315 315 + #define CLEAR_BASE_CHAIN_BIT (par->hook_mask &= ~(1 << NF_BR_NUMHOOKS)) 316 316 /* True if the target is not a standard target */ 317 317 #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0) 318 318

+3 -7

net/bridge/netfilter/ebt_arpreply.c

reviewed

··· 57 57 return info->target; 58 58 } 59 59 60 60 - static bool 61 61 - ebt_arpreply_tg_check(const char *tablename, const void *entry, 62 62 - const struct xt_target *target, void *data, 63 63 - unsigned int hookmask) 60 60 + static bool ebt_arpreply_tg_check(const struct xt_tgchk_param *par) 64 61 { 65 65 - const struct ebt_arpreply_info *info = data; 66 66 - const struct ebt_entry *e = entry; 62 62 + const struct ebt_arpreply_info *info = par->targinfo; 63 63 + const struct ebt_entry *e = par->entryinfo; 67 64 68 65 if (BASE_CHAIN && info->target == EBT_RETURN) 69 66 return false; 70 67 if (e->ethproto != htons(ETH_P_ARP) || 71 68 e->invflags & EBT_IPROTO) 72 69 return false; 73 73 - CLEAR_BASE_CHAIN_BIT; 74 70 return true; 75 71 } 76 72

+10 -9

net/bridge/netfilter/ebt_dnat.c

reviewed

··· 26 26 return info->target; 27 27 } 28 28 29 29 - static bool 30 30 - ebt_dnat_tg_check(const char *tablename, const void *entry, 31 31 - const struct xt_target *target, void *data, 32 32 - unsigned int hookmask) 29 29 + static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par) 33 30 { 34 34 - const struct ebt_nat_info *info = data; 31 31 + const struct ebt_nat_info *info = par->targinfo; 32 32 + unsigned int hook_mask; 35 33 36 34 if (BASE_CHAIN && info->target == EBT_RETURN) 37 35 return false; 38 38 - CLEAR_BASE_CHAIN_BIT; 39 39 - if ( (strcmp(tablename, "nat") || 40 40 - (hookmask & ~((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT)))) && 41 41 - (strcmp(tablename, "broute") || hookmask & ~(1 << NF_BR_BROUTING)) ) 36 36 + 37 37 + hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS); 38 38 + if ((strcmp(par->table, "nat") != 0 || 39 39 + (hook_mask & ~((1 << NF_BR_PRE_ROUTING) | 40 40 + (1 << NF_BR_LOCAL_OUT)))) && 41 41 + (strcmp(par->table, "broute") != 0 || 42 42 + hook_mask & ~(1 << NF_BR_BROUTING))) 42 43 return false; 43 44 if (INVALID_TARGET) 44 45 return false;

+2 -5

net/bridge/netfilter/ebt_log.c

reviewed

··· 24 24 25 25 static DEFINE_SPINLOCK(ebt_log_lock); 26 26 27 27 - static bool 28 28 - ebt_log_tg_check(const char *table, const void *entry, 29 29 - const struct xt_target *target, void *data, 30 30 - unsigned int hook_mask) 27 27 + static bool ebt_log_tg_check(const struct xt_tgchk_param *par) 31 28 { 32 32 - struct ebt_log_info *info = data; 29 29 + struct ebt_log_info *info = par->targinfo; 33 30 34 31 if (info->bitmask & ~EBT_LOG_MASK) 35 32 return false;

+2 -6

net/bridge/netfilter/ebt_mark.c

reviewed

··· 36 36 return info->target | ~EBT_VERDICT_BITS; 37 37 } 38 38 39 39 - static bool 40 40 - ebt_mark_tg_check(const char *table, const void *e, 41 41 - const struct xt_target *target, void *data, 42 42 - unsigned int hookmask) 39 39 + static bool ebt_mark_tg_check(const struct xt_tgchk_param *par) 43 40 { 44 44 - const struct ebt_mark_t_info *info = data; 41 41 + const struct ebt_mark_t_info *info = par->targinfo; 45 42 int tmp; 46 43 47 44 tmp = info->target | ~EBT_VERDICT_BITS; 48 45 if (BASE_CHAIN && tmp == EBT_RETURN) 49 46 return false; 50 50 - CLEAR_BASE_CHAIN_BIT; 51 47 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) 52 48 return false; 53 49 tmp = info->target & ~EBT_VERDICT_BITS;

+2 -5

net/bridge/netfilter/ebt_nflog.c

reviewed

··· 35 35 return EBT_CONTINUE; 36 36 } 37 37 38 38 - static bool 39 39 - ebt_nflog_tg_check(const char *table, const void *e, 40 40 - const struct xt_target *target, void *data, 41 41 - unsigned int hookmask) 38 38 + static bool ebt_nflog_tg_check(const struct xt_tgchk_param *par) 42 39 { 43 43 - struct ebt_nflog_info *info = data; 40 40 + struct ebt_nflog_info *info = par->targinfo; 44 41 45 42 if (info->flags & ~EBT_NFLOG_MASK) 46 43 return false;

+9 -8

net/bridge/netfilter/ebt_redirect.c

reviewed

··· 32 32 return info->target; 33 33 } 34 34 35 35 - static bool 36 36 - ebt_redirect_tg_check(const char *tablename, const void *e, 37 37 - const struct xt_target *target, void *data, 38 38 - unsigned int hookmask) 35 35 + static bool ebt_redirect_tg_check(const struct xt_tgchk_param *par) 39 36 { 40 40 - const struct ebt_redirect_info *info = data; 37 37 + const struct ebt_redirect_info *info = par->targinfo; 38 38 + unsigned int hook_mask; 41 39 42 40 if (BASE_CHAIN && info->target == EBT_RETURN) 43 41 return false; 44 44 - CLEAR_BASE_CHAIN_BIT; 45 45 - if ( (strcmp(tablename, "nat") || hookmask & ~(1 << NF_BR_PRE_ROUTING)) && 46 46 - (strcmp(tablename, "broute") || hookmask & ~(1 << NF_BR_BROUTING)) ) 42 42 + 43 43 + hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS); 44 44 + if ((strcmp(par->table, "nat") != 0 || 45 45 + hook_mask & ~(1 << NF_BR_PRE_ROUTING)) && 46 46 + (strcmp(par->table, "broute") != 0 || 47 47 + hook_mask & ~(1 << NF_BR_BROUTING))) 47 48 return false; 48 49 if (INVALID_TARGET) 49 50 return false;

+2 -6

net/bridge/netfilter/ebt_snat.c

reviewed

··· 42 42 return info->target | ~EBT_VERDICT_BITS; 43 43 } 44 44 45 45 - static bool 46 46 - ebt_snat_tg_check(const char *tablename, const void *e, 47 47 - const struct xt_target *target, void *data, 48 48 - unsigned int hookmask) 45 45 + static bool ebt_snat_tg_check(const struct xt_tgchk_param *par) 49 46 { 50 50 - const struct ebt_nat_info *info = data; 47 47 + const struct ebt_nat_info *info = par->targinfo; 51 48 int tmp; 52 49 53 50 tmp = info->target | ~EBT_VERDICT_BITS; 54 51 if (BASE_CHAIN && tmp == EBT_RETURN) 55 52 return false; 56 56 - CLEAR_BASE_CHAIN_BIT; 57 53 58 54 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) 59 55 return false;

+2 -5

net/bridge/netfilter/ebt_ulog.c

reviewed

··· 254 254 return EBT_CONTINUE; 255 255 } 256 256 257 257 - static bool 258 258 - ebt_ulog_tg_check(const char *table, const void *entry, 259 259 - const struct xt_target *target, void *data, 260 260 - unsigned int hookmask) 257 257 + static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par) 261 258 { 262 262 - struct ebt_ulog_info *uloginfo = data; 259 259 + struct ebt_ulog_info *uloginfo = par->targinfo; 263 260 264 261 if (uloginfo->nlgroup > 31) 265 262 return false;

+16 -12

net/bridge/netfilter/ebtables.c

reviewed

··· 363 363 } 364 364 365 365 static inline int 366 366 - ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e, 367 367 - const char *name, unsigned int hookmask, unsigned int *cnt) 366 366 + ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par, 367 367 + unsigned int *cnt) 368 368 { 369 369 + const struct ebt_entry *e = par->entryinfo; 369 370 struct xt_target *watcher; 370 371 size_t left = ((char *)e + e->target_offset) - (char *)w; 371 372 int ret; ··· 384 383 return -ENOENT; 385 384 w->u.watcher = watcher; 386 385 387 387 - ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size, 388 388 - name, hookmask, e->ethproto, e->invflags & EBT_IPROTO, 389 389 - e, w->data); 386 386 + par->target = watcher; 387 387 + par->targinfo = w->data; 388 388 + ret = xt_check_target(par, NFPROTO_BRIDGE, w->watcher_size, 389 389 + e->ethproto, e->invflags & EBT_IPROTO); 390 390 if (ret < 0) { 391 391 module_put(watcher->me); 392 392 return ret; ··· 621 619 size_t gap; 622 620 int ret; 623 621 struct xt_mtchk_param mtpar; 622 622 + struct xt_tgchk_param tgpar; 624 623 625 624 /* don't mess with the struct ebt_entries */ 626 625 if (e->bitmask == 0) ··· 663 660 } 664 661 i = 0; 665 662 666 666 - mtpar.table = name; 667 667 - mtpar.entryinfo = e; 668 668 - mtpar.hook_mask = hookmask; 663 663 + mtpar.table = tgpar.table = name; 664 664 + mtpar.entryinfo = tgpar.entryinfo = e; 665 665 + mtpar.hook_mask = tgpar.hook_mask = hookmask; 669 666 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i); 670 667 if (ret != 0) 671 668 goto cleanup_matches; 672 669 j = 0; 673 673 - ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, e, name, hookmask, &j); 670 670 + ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j); 674 671 if (ret != 0) 675 672 goto cleanup_watchers; 676 673 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); ··· 706 703 goto cleanup_watchers; 707 704 } 708 705 709 709 - ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size, 710 710 - name, hookmask, e->ethproto, e->invflags & EBT_IPROTO, 711 711 - e, t->data); 706 706 + tgpar.target = target; 707 707 + tgpar.targinfo = t->data; 708 708 + ret = xt_check_target(&tgpar, NFPROTO_BRIDGE, t->target_size, 709 709 + e->ethproto, e->invflags & EBT_IPROTO); 712 710 if (ret < 0) { 713 711 module_put(target->me); 714 712 goto cleanup_watchers;

+10 -8

net/ipv4/netfilter/arp_tables.c

reviewed

··· 457 457 458 458 static inline int check_target(struct arpt_entry *e, const char *name) 459 459 { 460 460 - struct arpt_entry_target *t; 461 461 - struct xt_target *target; 460 460 + struct arpt_entry_target *t = arpt_get_target(e); 462 461 int ret; 462 462 + struct xt_tgchk_param par = { 463 463 + .table = name, 464 464 + .entryinfo = e, 465 465 + .target = t->u.kernel.target, 466 466 + .targinfo = t->data, 467 467 + .hook_mask = e->comefrom, 468 468 + }; 463 469 464 464 - t = arpt_get_target(e); 465 465 - target = t->u.kernel.target; 466 466 - 467 467 - ret = xt_check_target(target, NFPROTO_ARP, 468 468 - t->u.target_size - sizeof(*t), 469 469 - name, e->comefrom, 0, 0, e, t->data); 470 470 + ret = xt_check_target(&par, NFPROTO_ARP, 471 471 + t->u.target_size - sizeof(*t), 0, false); 470 472 if (ret < 0) { 471 473 duprintf("arp_tables: check failed for `%s'.\n", 472 474 t->u.kernel.target->name);

+2 -4

net/ipv4/netfilter/arpt_mangle.c

reviewed

··· 54 54 return mangle->target; 55 55 } 56 56 57 57 - static bool 58 58 - checkentry(const char *tablename, const void *e, const struct xt_target *target, 59 59 - void *targinfo, unsigned int hook_mask) 57 57 + static bool checkentry(const struct xt_tgchk_param *par) 60 58 { 61 61 - const struct arpt_mangle *mangle = targinfo; 59 59 + const struct arpt_mangle *mangle = par->targinfo; 62 60 63 61 if (mangle->flags & ~ARPT_MANGLE_MASK || 64 62 !(mangle->flags & ARPT_MANGLE_MASK))

+10 -7

net/ipv4/netfilter/ip_tables.c

reviewed

··· 655 655 656 656 static int check_target(struct ipt_entry *e, const char *name) 657 657 { 658 658 - struct ipt_entry_target *t; 659 659 - struct xt_target *target; 658 658 + struct ipt_entry_target *t = ipt_get_target(e); 659 659 + struct xt_tgchk_param par = { 660 660 + .table = name, 661 661 + .entryinfo = e, 662 662 + .target = t->u.kernel.target, 663 663 + .targinfo = t->data, 664 664 + .hook_mask = e->comefrom, 665 665 + }; 660 666 int ret; 661 667 662 662 - t = ipt_get_target(e); 663 663 - target = t->u.kernel.target; 664 664 - ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t), 665 665 - name, e->comefrom, e->ip.proto, 666 666 - e->ip.invflags & IPT_INV_PROTO, e, t->data); 668 668 + ret = xt_check_target(&par, NFPROTO_IPV4, t->u.target_size - sizeof(*t), 669 669 + e->ip.proto, e->ip.invflags & IPT_INV_PROTO); 667 670 if (ret < 0) { 668 671 duprintf("ip_tables: check failed for `%s'.\n", 669 672 t->u.kernel.target->name);

+5 -8

net/ipv4/netfilter/ipt_CLUSTERIP.c

reviewed

··· 347 347 return XT_CONTINUE; 348 348 } 349 349 350 350 - static bool 351 351 - clusterip_tg_check(const char *tablename, const void *e_void, 352 352 - const struct xt_target *target, void *targinfo, 353 353 - unsigned int hook_mask) 350 350 + static bool clusterip_tg_check(const struct xt_tgchk_param *par) 354 351 { 355 355 - struct ipt_clusterip_tgt_info *cipinfo = targinfo; 356 356 - const struct ipt_entry *e = e_void; 352 352 + struct ipt_clusterip_tgt_info *cipinfo = par->targinfo; 353 353 + const struct ipt_entry *e = par->entryinfo; 357 354 358 355 struct clusterip_config *config; 359 356 ··· 401 404 } 402 405 cipinfo->config = config; 403 406 404 404 - if (nf_ct_l3proto_try_module_get(target->family) < 0) { 407 407 + if (nf_ct_l3proto_try_module_get(par->target->family) < 0) { 405 408 printk(KERN_WARNING "can't load conntrack support for " 406 406 - "proto=%u\n", target->family); 409 409 + "proto=%u\n", par->target->family); 407 410 return false; 408 411 } 409 412

+3 -6

net/ipv4/netfilter/ipt_ECN.c

reviewed

··· 93 93 return XT_CONTINUE; 94 94 } 95 95 96 96 - static bool 97 97 - ecn_tg_check(const char *tablename, const void *e_void, 98 98 - const struct xt_target *target, void *targinfo, 99 99 - unsigned int hook_mask) 96 96 + static bool ecn_tg_check(const struct xt_tgchk_param *par) 100 97 { 101 101 - const struct ipt_ECN_info *einfo = targinfo; 102 102 - const struct ipt_entry *e = e_void; 98 98 + const struct ipt_ECN_info *einfo = par->targinfo; 99 99 + const struct ipt_entry *e = par->entryinfo; 103 100 104 101 if (einfo->operation & IPT_ECN_OP_MASK) { 105 102 printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",

+2 -5

net/ipv4/netfilter/ipt_LOG.c

reviewed

··· 440 440 return XT_CONTINUE; 441 441 } 442 442 443 443 - static bool 444 444 - log_tg_check(const char *tablename, const void *e, 445 445 - const struct xt_target *target, void *targinfo, 446 446 - unsigned int hook_mask) 443 443 + static bool log_tg_check(const struct xt_tgchk_param *par) 447 444 { 448 448 - const struct ipt_log_info *loginfo = targinfo; 445 445 + const struct ipt_log_info *loginfo = par->targinfo; 449 446 450 447 if (loginfo->level >= 8) { 451 448 pr_debug("LOG: level %u >= 8\n", loginfo->level);

+2 -5

net/ipv4/netfilter/ipt_MASQUERADE.c

reviewed

··· 31 31 static DEFINE_RWLOCK(masq_lock); 32 32 33 33 /* FIXME: Multiple targets. --RR */ 34 34 - static bool 35 35 - masquerade_tg_check(const char *tablename, const void *e, 36 36 - const struct xt_target *target, void *targinfo, 37 37 - unsigned int hook_mask) 34 34 + static bool masquerade_tg_check(const struct xt_tgchk_param *par) 38 35 { 39 39 - const struct nf_nat_multi_range_compat *mr = targinfo; 36 36 + const struct nf_nat_multi_range_compat *mr = par->targinfo; 40 37 41 38 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { 42 39 pr_debug("masquerade_check: bad MAP_IPS.\n");

+2 -5

net/ipv4/netfilter/ipt_NETMAP.c

reviewed

··· 22 22 MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>"); 23 23 MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets"); 24 24 25 25 - static bool 26 26 - netmap_tg_check(const char *tablename, const void *e, 27 27 - const struct xt_target *target, void *targinfo, 28 28 - unsigned int hook_mask) 25 25 + static bool netmap_tg_check(const struct xt_tgchk_param *par) 29 26 { 30 30 - const struct nf_nat_multi_range_compat *mr = targinfo; 27 27 + const struct nf_nat_multi_range_compat *mr = par->targinfo; 31 28 32 29 if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { 33 30 pr_debug("NETMAP:check: bad MAP_IPS.\n");

+2 -5

net/ipv4/netfilter/ipt_REDIRECT.c

reviewed

··· 26 26 MODULE_DESCRIPTION("Xtables: Connection redirection to localhost"); 27 27 28 28 /* FIXME: Take multiple ranges --RR */ 29 29 - static bool 30 30 - redirect_tg_check(const char *tablename, const void *e, 31 31 - const struct xt_target *target, void *targinfo, 32 32 - unsigned int hook_mask) 29 29 + static bool redirect_tg_check(const struct xt_tgchk_param *par) 33 30 { 34 34 - const struct nf_nat_multi_range_compat *mr = targinfo; 31 31 + const struct nf_nat_multi_range_compat *mr = par->targinfo; 35 32 36 33 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { 37 34 pr_debug("redirect_check: bad MAP_IPS.\n");

+3 -6

net/ipv4/netfilter/ipt_REJECT.c

reviewed

··· 175 175 return NF_DROP; 176 176 } 177 177 178 178 - static bool 179 179 - reject_tg_check(const char *tablename, const void *e_void, 180 180 - const struct xt_target *target, void *targinfo, 181 181 - unsigned int hook_mask) 178 178 + static bool reject_tg_check(const struct xt_tgchk_param *par) 182 179 { 183 183 - const struct ipt_reject_info *rejinfo = targinfo; 184 184 - const struct ipt_entry *e = e_void; 180 180 + const struct ipt_reject_info *rejinfo = par->targinfo; 181 181 + const struct ipt_entry *e = par->entryinfo; 185 182 186 183 if (rejinfo->with == IPT_ICMP_ECHOREPLY) { 187 184 printk("ipt_REJECT: ECHOREPLY no longer supported.\n");

+2 -5

net/ipv4/netfilter/ipt_TTL.c

reviewed

··· 59 59 return XT_CONTINUE; 60 60 } 61 61 62 62 - static bool 63 63 - ttl_tg_check(const char *tablename, const void *e, 64 64 - const struct xt_target *target, void *targinfo, 65 65 - unsigned int hook_mask) 62 62 + static bool ttl_tg_check(const struct xt_tgchk_param *par) 66 63 { 67 67 - const struct ipt_TTL_info *info = targinfo; 64 64 + const struct ipt_TTL_info *info = par->targinfo; 68 65 69 66 if (info->mode > IPT_TTL_MAXMODE) { 70 67 printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n",

+2 -5

net/ipv4/netfilter/ipt_ULOG.c

reviewed

··· 313 313 ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix); 314 314 } 315 315 316 316 - static bool 317 317 - ulog_tg_check(const char *tablename, const void *e, 318 318 - const struct xt_target *target, void *targinfo, 319 319 - unsigned int hookmask) 316 316 + static bool ulog_tg_check(const struct xt_tgchk_param *par) 320 317 { 321 321 - const struct ipt_ulog_info *loginfo = targinfo; 318 318 + const struct ipt_ulog_info *loginfo = par->targinfo; 322 319 323 320 if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { 324 321 pr_debug("ipt_ULOG: prefix term %i\n",

+4 -12

net/ipv4/netfilter/nf_nat_rule.c

reviewed

··· 128 128 return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST); 129 129 } 130 130 131 131 - static bool ipt_snat_checkentry(const char *tablename, 132 132 - const void *entry, 133 133 - const struct xt_target *target, 134 134 - void *targinfo, 135 135 - unsigned int hook_mask) 131 131 + static bool ipt_snat_checkentry(const struct xt_tgchk_param *par) 136 132 { 137 137 - const struct nf_nat_multi_range_compat *mr = targinfo; 133 133 + const struct nf_nat_multi_range_compat *mr = par->targinfo; 138 134 139 135 /* Must be a valid range */ 140 136 if (mr->rangesize != 1) { ··· 140 144 return true; 141 145 } 142 146 143 143 - static bool ipt_dnat_checkentry(const char *tablename, 144 144 - const void *entry, 145 145 - const struct xt_target *target, 146 146 - void *targinfo, 147 147 - unsigned int hook_mask) 147 147 + static bool ipt_dnat_checkentry(const struct xt_tgchk_param *par) 148 148 { 149 149 - const struct nf_nat_multi_range_compat *mr = targinfo; 149 149 + const struct nf_nat_multi_range_compat *mr = par->targinfo; 150 150 151 151 /* Must be a valid range */ 152 152 if (mr->rangesize != 1) {

+10 -6

net/ipv6/netfilter/ip6_tables.c

reviewed

··· 679 679 680 680 static int check_target(struct ip6t_entry *e, const char *name) 681 681 { 682 682 - struct ip6t_entry_target *t; 683 683 - struct xt_target *target; 682 682 + struct ip6t_entry_target *t = ip6t_get_target(e); 683 683 + struct xt_tgchk_param par = { 684 684 + .table = name, 685 685 + .entryinfo = e, 686 686 + .target = t->u.kernel.target, 687 687 + .targinfo = t->data, 688 688 + .hook_mask = e->comefrom, 689 689 + }; 684 690 int ret; 685 691 686 692 t = ip6t_get_target(e); 687 687 - target = t->u.kernel.target; 688 688 - ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t), 689 689 - name, e->comefrom, e->ipv6.proto, 690 690 - e->ipv6.invflags & IP6T_INV_PROTO, e, t->data); 693 693 + ret = xt_check_target(&par, NFPROTO_IPV6, t->u.target_size - sizeof(*t), 694 694 + e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO); 691 695 if (ret < 0) { 692 696 duprintf("ip_tables: check failed for `%s'.\n", 693 697 t->u.kernel.target->name);

+2 -5

net/ipv6/netfilter/ip6t_HL.c

reviewed

··· 54 54 return XT_CONTINUE; 55 55 } 56 56 57 57 - static bool 58 58 - hl_tg6_check(const char *tablename, const void *entry, 59 59 - const struct xt_target *target, void *targinfo, 60 60 - unsigned int hook_mask) 57 57 + static bool hl_tg6_check(const struct xt_tgchk_param *par) 61 58 { 62 62 - const struct ip6t_HL_info *info = targinfo; 59 59 + const struct ip6t_HL_info *info = par->targinfo; 63 60 64 61 if (info->mode > IP6T_HL_MAXMODE) { 65 62 printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n",

+2 -5

net/ipv6/netfilter/ip6t_LOG.c

reviewed

··· 453 453 } 454 454 455 455 456 456 - static bool 457 457 - log_tg6_check(const char *tablename, const void *entry, 458 458 - const struct xt_target *target, void *targinfo, 459 459 - unsigned int hook_mask) 456 456 + static bool log_tg6_check(const struct xt_tgchk_param *par) 460 457 { 461 461 - const struct ip6t_log_info *loginfo = targinfo; 458 458 + const struct ip6t_log_info *loginfo = par->targinfo; 462 459 463 460 if (loginfo->level >= 8) { 464 461 pr_debug("LOG: level %u >= 8\n", loginfo->level);

+3 -6

net/ipv6/netfilter/ip6t_REJECT.c

reviewed

··· 213 213 return NF_DROP; 214 214 } 215 215 216 216 - static bool 217 217 - reject_tg6_check(const char *tablename, const void *entry, 218 218 - const struct xt_target *target, void *targinfo, 219 219 - unsigned int hook_mask) 216 216 + static bool reject_tg6_check(const struct xt_tgchk_param *par) 220 217 { 221 221 - const struct ip6t_reject_info *rejinfo = targinfo; 222 222 - const struct ip6t_entry *e = entry; 218 218 + const struct ip6t_reject_info *rejinfo = par->targinfo; 219 219 + const struct ip6t_entry *e = par->entryinfo; 223 220 224 221 if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { 225 222 printk("ip6t_REJECT: ECHOREPLY is not supported.\n");

+16 -16

net/netfilter/x_tables.c

reviewed

··· 471 471 EXPORT_SYMBOL_GPL(xt_compat_match_to_user); 472 472 #endif /* CONFIG_COMPAT */ 473 473 474 474 - int xt_check_target(const struct xt_target *target, unsigned short family, 475 475 - unsigned int size, const char *table, unsigned int hook_mask, 476 476 - unsigned short proto, int inv_proto, const void *entry, 477 477 - void *targinfo) 474 474 + int xt_check_target(struct xt_tgchk_param *par, u_int8_t family, 475 475 + unsigned int size, u_int8_t proto, bool inv_proto) 478 476 { 479 479 - if (XT_ALIGN(target->targetsize) != size) { 477 477 + if (XT_ALIGN(par->target->targetsize) != size) { 480 478 printk("%s_tables: %s target: invalid size %Zu != %u\n", 481 481 - xt_prefix[family], target->name, 482 482 - XT_ALIGN(target->targetsize), size); 479 479 + xt_prefix[family], par->target->name, 480 480 + XT_ALIGN(par->target->targetsize), size); 483 481 return -EINVAL; 484 482 } 485 485 - if (target->table && strcmp(target->table, table)) { 483 483 + if (par->target->table != NULL && 484 484 + strcmp(par->target->table, par->table) != 0) { 486 485 printk("%s_tables: %s target: only valid in %s table, not %s\n", 487 487 - xt_prefix[family], target->name, target->table, table); 486 486 + xt_prefix[family], par->target->name, 487 487 + par->target->table, par->table); 488 488 return -EINVAL; 489 489 } 490 490 - if (target->hooks && (hook_mask & ~target->hooks) != 0) { 490 490 + if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) { 491 491 printk("%s_tables: %s target: bad hook_mask %#x/%#x\n", 492 492 - xt_prefix[family], target->name, hook_mask, 493 493 - target->hooks); 492 492 + xt_prefix[family], par->target->name, par->hook_mask, 493 493 + par->target->hooks); 494 494 return -EINVAL; 495 495 } 496 496 - if (target->proto && (target->proto != proto || inv_proto)) { 496 496 + if (par->target->proto && (par->target->proto != proto || inv_proto)) { 497 497 printk("%s_tables: %s target: only valid for protocol %u\n", 498 498 - xt_prefix[family], target->name, target->proto); 498 498 + xt_prefix[family], par->target->name, 499 499 + par->target->proto); 499 500 return -EINVAL; 500 501 } 501 501 - if (target->checkentry != NULL && 502 502 - !target->checkentry(table, entry, target, targinfo, hook_mask)) 502 502 + if (par->target->checkentry != NULL && !par->target->checkentry(par)) 503 503 return -EINVAL; 504 504 return 0; 505 505 }

+9 -15

net/netfilter/xt_CONNMARK.c

reviewed

··· 112 112 return XT_CONTINUE; 113 113 } 114 114 115 115 - static bool 116 116 - connmark_tg_check_v0(const char *tablename, const void *entry, 117 117 - const struct xt_target *target, void *targinfo, 118 118 - unsigned int hook_mask) 115 115 + static bool connmark_tg_check_v0(const struct xt_tgchk_param *par) 119 116 { 120 120 - const struct xt_connmark_target_info *matchinfo = targinfo; 117 117 + const struct xt_connmark_target_info *matchinfo = par->targinfo; 121 118 122 119 if (matchinfo->mode == XT_CONNMARK_RESTORE) { 123 123 - if (strcmp(tablename, "mangle") != 0) { 120 120 + if (strcmp(par->table, "mangle") != 0) { 124 121 printk(KERN_WARNING "CONNMARK: restore can only be " 125 122 "called from \"mangle\" table, not \"%s\"\n", 126 126 - tablename); 123 123 + par->table); 127 124 return false; 128 125 } 129 126 } ··· 128 131 printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n"); 129 132 return false; 130 133 } 131 131 - if (nf_ct_l3proto_try_module_get(target->family) < 0) { 134 134 + if (nf_ct_l3proto_try_module_get(par->target->family) < 0) { 132 135 printk(KERN_WARNING "can't load conntrack support for " 133 133 - "proto=%u\n", target->family); 136 136 + "proto=%u\n", par->target->family); 134 137 return false; 135 138 } 136 139 return true; 137 140 } 138 141 139 139 - static bool 140 140 - connmark_tg_check(const char *tablename, const void *entry, 141 141 - const struct xt_target *target, void *targinfo, 142 142 - unsigned int hook_mask) 142 142 + static bool connmark_tg_check(const struct xt_tgchk_param *par) 143 143 { 144 144 - if (nf_ct_l3proto_try_module_get(target->family) < 0) { 144 144 + if (nf_ct_l3proto_try_module_get(par->target->family) < 0) { 145 145 printk(KERN_WARNING "cannot load conntrack support for " 146 146 - "proto=%u\n", target->family); 146 146 + "proto=%u\n", par->target->family); 147 147 return false; 148 148 } 149 149 return true;

+7 -9

net/netfilter/xt_CONNSECMARK.c

reviewed

··· 85 85 return XT_CONTINUE; 86 86 } 87 87 88 88 - static bool 89 89 - connsecmark_tg_check(const char *tablename, const void *entry, 90 90 - const struct xt_target *target, void *targinfo, 91 91 - unsigned int hook_mask) 88 88 + static bool connsecmark_tg_check(const struct xt_tgchk_param *par) 92 89 { 93 93 - const struct xt_connsecmark_target_info *info = targinfo; 90 90 + const struct xt_connsecmark_target_info *info = par->targinfo; 94 91 95 95 - if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) { 92 92 + if (strcmp(par->table, "mangle") != 0 && 93 93 + strcmp(par->table, "security") != 0) { 96 94 printk(KERN_INFO PFX "target only valid in the \'mangle\' " 97 97 - "or \'security\' tables, not \'%s\'.\n", tablename); 95 95 + "or \'security\' tables, not \'%s\'.\n", par->table); 98 96 return false; 99 97 } 100 98 ··· 106 108 return false; 107 109 } 108 110 109 109 - if (nf_ct_l3proto_try_module_get(target->family) < 0) { 111 111 + if (nf_ct_l3proto_try_module_get(par->target->family) < 0) { 110 112 printk(KERN_WARNING "can't load conntrack support for " 111 111 - "proto=%u\n", target->family); 113 113 + "proto=%u\n", par->target->family); 112 114 return false; 113 115 } 114 116 return true;

+7 -12

net/netfilter/xt_DSCP.c

reviewed

··· 61 61 return XT_CONTINUE; 62 62 } 63 63 64 64 - static bool 65 65 - dscp_tg_check(const char *tablename, const void *e_void, 66 66 - const struct xt_target *target, void *targinfo, 67 67 - unsigned int hook_mask) 64 64 + static bool dscp_tg_check(const struct xt_tgchk_param *par) 68 65 { 69 69 - const u_int8_t dscp = ((struct xt_DSCP_info *)targinfo)->dscp; 66 66 + const struct xt_DSCP_info *info = par->targinfo; 70 67 71 71 - if (dscp > XT_DSCP_MAX) { 72 72 - printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp); 68 68 + if (info->dscp > XT_DSCP_MAX) { 69 69 + printk(KERN_WARNING "DSCP: dscp %x out of range\n", info->dscp); 73 70 return false; 74 71 } 75 72 return true; ··· 92 95 return XT_CONTINUE; 93 96 } 94 97 95 95 - static bool 96 96 - tos_tg_check_v0(const char *tablename, const void *e_void, 97 97 - const struct xt_target *target, void *targinfo, 98 98 - unsigned int hook_mask) 98 98 + static bool tos_tg_check_v0(const struct xt_tgchk_param *par) 99 99 { 100 100 - const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos; 100 100 + const struct ipt_tos_target_info *info = par->targinfo; 101 101 + const uint8_t tos = info->tos; 101 102 102 103 if (tos != IPTOS_LOWDELAY && tos != IPTOS_THROUGHPUT && 103 104 tos != IPTOS_RELIABILITY && tos != IPTOS_MINCOST &&

+4 -10

net/netfilter/xt_MARK.c

reviewed

··· 66 66 return XT_CONTINUE; 67 67 } 68 68 69 69 - static bool 70 70 - mark_tg_check_v0(const char *tablename, const void *entry, 71 71 - const struct xt_target *target, void *targinfo, 72 72 - unsigned int hook_mask) 69 69 + static bool mark_tg_check_v0(const struct xt_tgchk_param *par) 73 70 { 74 74 - const struct xt_mark_target_info *markinfo = targinfo; 71 71 + const struct xt_mark_target_info *markinfo = par->targinfo; 75 72 76 73 if (markinfo->mark > 0xffffffff) { 77 74 printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); ··· 77 80 return true; 78 81 } 79 82 80 80 - static bool 81 81 - mark_tg_check_v1(const char *tablename, const void *entry, 82 82 - const struct xt_target *target, void *targinfo, 83 83 - unsigned int hook_mask) 83 83 + static bool mark_tg_check_v1(const struct xt_tgchk_param *par) 84 84 { 85 85 - const struct xt_mark_target_info_v1 *markinfo = targinfo; 85 85 + const struct xt_mark_target_info_v1 *markinfo = par->targinfo; 86 86 87 87 if (markinfo->mode != XT_MARK_SET 88 88 && markinfo->mode != XT_MARK_AND

+2 -5

net/netfilter/xt_NFLOG.c

reviewed

··· 36 36 return XT_CONTINUE; 37 37 } 38 38 39 39 - static bool 40 40 - nflog_tg_check(const char *tablename, const void *entry, 41 41 - const struct xt_target *target, void *targetinfo, 42 42 - unsigned int hookmask) 39 39 + static bool nflog_tg_check(const struct xt_tgchk_param *par) 43 40 { 44 44 - const struct xt_nflog_info *info = targetinfo; 41 41 + const struct xt_nflog_info *info = par->targinfo; 45 42 46 43 if (info->flags & ~XT_NFLOG_MASK) 47 44 return false;

+2 -7

net/netfilter/xt_RATEEST.c

reviewed

··· 84 84 return XT_CONTINUE; 85 85 } 86 86 87 87 - static bool 88 88 - xt_rateest_tg_checkentry(const char *tablename, 89 89 - const void *entry, 90 90 - const struct xt_target *target, 91 91 - void *targinfo, 92 92 - unsigned int hook_mask) 87 87 + static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) 93 88 { 94 94 - struct xt_rateest_target_info *info = targinfo; 89 89 + struct xt_rateest_target_info *info = par->targinfo; 95 90 struct xt_rateest *est; 96 91 struct { 97 92 struct nlattr opt;

+5 -7

net/netfilter/xt_SECMARK.c

reviewed

··· 80 80 return true; 81 81 } 82 82 83 83 - static bool 84 84 - secmark_tg_check(const char *tablename, const void *entry, 85 85 - const struct xt_target *target, void *targinfo, 86 86 - unsigned int hook_mask) 83 83 + static bool secmark_tg_check(const struct xt_tgchk_param *par) 87 84 { 88 88 - struct xt_secmark_target_info *info = targinfo; 85 85 + struct xt_secmark_target_info *info = par->targinfo; 89 86 90 90 - if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) { 87 87 + if (strcmp(par->table, "mangle") != 0 && 88 88 + strcmp(par->table, "security") != 0) { 91 89 printk(KERN_INFO PFX "target only valid in the \'mangle\' " 92 92 - "or \'security\' tables, not \'%s\'.\n", tablename); 90 90 + "or \'security\' tables, not \'%s\'.\n", par->table); 93 91 return false; 94 92 } 95 93

+8 -14

net/netfilter/xt_TCPMSS.c

reviewed

··· 237 237 return false; 238 238 } 239 239 240 240 - static bool 241 241 - tcpmss_tg4_check(const char *tablename, const void *entry, 242 242 - const struct xt_target *target, void *targinfo, 243 243 - unsigned int hook_mask) 240 240 + static bool tcpmss_tg4_check(const struct xt_tgchk_param *par) 244 241 { 245 245 - const struct xt_tcpmss_info *info = targinfo; 246 246 - const struct ipt_entry *e = entry; 242 242 + const struct xt_tcpmss_info *info = par->targinfo; 243 243 + const struct ipt_entry *e = par->entryinfo; 247 244 248 245 if (info->mss == XT_TCPMSS_CLAMP_PMTU && 249 249 - (hook_mask & ~((1 << NF_INET_FORWARD) | 246 246 + (par->hook_mask & ~((1 << NF_INET_FORWARD) | 250 247 (1 << NF_INET_LOCAL_OUT) | 251 248 (1 << NF_INET_POST_ROUTING))) != 0) { 252 249 printk("xt_TCPMSS: path-MTU clamping only supported in " ··· 257 260 } 258 261 259 262 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) 260 260 - static bool 261 261 - tcpmss_tg6_check(const char *tablename, const void *entry, 262 262 - const struct xt_target *target, void *targinfo, 263 263 - unsigned int hook_mask) 263 263 + static bool tcpmss_tg6_check(const struct xt_tgchk_param *par) 264 264 { 265 265 - const struct xt_tcpmss_info *info = targinfo; 266 266 - const struct ip6t_entry *e = entry; 265 265 + const struct xt_tcpmss_info *info = par->targinfo; 266 266 + const struct ip6t_entry *e = par->entryinfo; 267 267 268 268 if (info->mss == XT_TCPMSS_CLAMP_PMTU && 269 269 - (hook_mask & ~((1 << NF_INET_FORWARD) | 269 269 + (par->hook_mask & ~((1 << NF_INET_FORWARD) | 270 270 (1 << NF_INET_LOCAL_OUT) | 271 271 (1 << NF_INET_POST_ROUTING))) != 0) { 272 272 printk("xt_TCPMSS: path-MTU clamping only supported in "

+2 -7

net/netfilter/xt_TPROXY.c

reviewed

··· 59 59 return NF_DROP; 60 60 } 61 61 62 62 - static bool 63 63 - tproxy_tg_check(const char *tablename, 64 64 - const void *entry, 65 65 - const struct xt_target *target, 66 66 - void *targetinfo, 67 67 - unsigned int hook_mask) 62 62 + static bool tproxy_tg_check(const struct xt_tgchk_param *par) 68 63 { 69 69 - const struct ipt_ip *i = entry; 64 64 + const struct ipt_ip *i = par->entryinfo; 70 65 71 66 if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) 72 67 && !(i->invflags & IPT_INV_PROTO))

+8 -2

net/sched/act_ipt.c

reviewed

··· 40 40 41 41 static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook) 42 42 { 43 43 + struct xt_tgchk_param par; 43 44 struct xt_target *target; 44 45 int ret = 0; 45 46 ··· 50 49 return -ENOENT; 51 50 52 51 t->u.kernel.target = target; 52 52 + par.table = table; 53 53 + par.entryinfo = NULL; 54 54 + par.target = target; 55 55 + par.targinfo = t->data; 56 56 + par.hook_mask = hook; 53 57 54 54 - ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t), 55 55 - table, hook, 0, 0, NULL, t->data); 58 58 + ret = xt_check_target(&par, NFPROTO_IPV4, 59 59 + t->u.target_size - sizeof(*t), 0, false); 56 60 if (ret < 0) { 57 61 module_put(t->u.kernel.target->me); 58 62 return ret;