tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'master' of git://dev.medozas.de/linux
+316
-367
+19
-26
include/linux/netfilter/x_tables.h
+19
-26
include/linux/netfilter/x_tables.h
···
183
183
#include <linux/netdevice.h>
184
184
185
185
/**
186
-
* struct xt_match_param - parameters for match extensions' match functions
186
+
* struct xt_action_param - parameters for matches/targets
187
187
*
188
+
* @match: the match extension
189
+
* @target: the target extension
190
+
* @matchinfo: per-match data
191
+
* @targetinfo: per-target data
188
192
* @in: input netdevice
189
193
* @out: output netdevice
190
-
* @match: struct xt_match through which this function was invoked
191
-
* @matchinfo: per-match data
192
194
* @fragoff: packet is a fragment, this is the data offset
193
195
* @thoff: position of transport header relative to skb->data
194
196
* @hook: hook number given packet came from
195
197
* @family: Actual NFPROTO_* through which the function is invoked
196
198
* (helpful when match->family == NFPROTO_UNSPEC)
199
+
*
200
+
* Fields written to by extensions:
201
+
*
197
202
* @hotdrop: drop packet if we had inspection problems
198
203
* Network namespace obtainable using dev_net(in/out)
199
204
*/
200
-
struct xt_match_param {
205
+
struct xt_action_param {
206
+
union {
207
+
const struct xt_match *match;
208
+
const struct xt_target *target;
209
+
};
210
+
union {
211
+
const void *matchinfo, *targinfo;
212
+
};
201
213
const struct net_device *in, *out;
202
-
const struct xt_match *match;
203
-
const void *matchinfo;
204
214
int fragoff;
205
215
unsigned int thoff;
206
216
unsigned int hooknum;
207
217
u_int8_t family;
208
-
bool *hotdrop;
218
+
bool hotdrop;
209
219
};
210
220
211
221
/**
···
249
239
struct net *net;
250
240
const struct xt_match *match;
251
241
void *matchinfo;
252
-
u_int8_t family;
253
-
};
254
-
255
-
/**
256
-
* struct xt_target_param - parameters for target extensions' target functions
257
-
*
258
-
* @hooknum: hook through which this target was invoked
259
-
* @target: struct xt_target through which this function was invoked
260
-
* @targinfo: per-target data
261
-
*
262
-
* Other fields see above.
263
-
*/
264
-
struct xt_target_param {
265
-
const struct net_device *in, *out;
266
-
const struct xt_target *target;
267
-
const void *targinfo;
268
-
unsigned int hooknum;
269
242
u_int8_t family;
270
243
};
271
244
···
291
298
non-linear skb, using skb_header_pointer and
292
299
skb_ip_make_writable. */
293
300
bool (*match)(const struct sk_buff *skb,
294
-
const struct xt_match_param *);
301
+
struct xt_action_param *);
295
302
296
303
/* Called when user tries to insert an entry of this type. */
297
304
int (*checkentry)(const struct xt_mtchk_param *);
···
328
335
must now handle non-linear skbs, using skb_copy_bits and
329
336
skb_ip_make_writable. */
330
337
unsigned int (*target)(struct sk_buff *skb,
331
-
const struct xt_target_param *);
338
+
const struct xt_action_param *);
332
339
333
340
/* Called when user tries to insert an entry of this type:
334
341
hook_mask is a bitmask of hooks from which it can be
+1
-1
net/bridge/netfilter/ebt_802_3.c
+1
-1
net/bridge/netfilter/ebt_802_3.c
···
13
13
#include <linux/netfilter_bridge/ebt_802_3.h>
14
14
15
15
static bool
16
-
ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
16
+
ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par)
17
17
{
18
18
const struct ebt_802_3_info *info = par->matchinfo;
19
19
const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
+1
-1
net/bridge/netfilter/ebt_among.c
+1
-1
net/bridge/netfilter/ebt_among.c
+1
-1
net/bridge/netfilter/ebt_arp.c
+1
-1
net/bridge/netfilter/ebt_arp.c
···
16
16
#include <linux/netfilter_bridge/ebt_arp.h>
17
17
18
18
static bool
19
-
ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
19
+
ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
20
20
{
21
21
const struct ebt_arp_info *info = par->matchinfo;
22
22
const struct arphdr *ah;
+1
-1
net/bridge/netfilter/ebt_arpreply.c
+1
-1
net/bridge/netfilter/ebt_arpreply.c
···
16
16
#include <linux/netfilter_bridge/ebt_arpreply.h>
17
17
18
18
static unsigned int
19
-
ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
19
+
ebt_arpreply_tg(struct sk_buff *skb, const struct xt_action_param *par)
20
20
{
21
21
const struct ebt_arpreply_info *info = par->targinfo;
22
22
const __be32 *siptr, *diptr;
+1
-1
net/bridge/netfilter/ebt_dnat.c
+1
-1
net/bridge/netfilter/ebt_dnat.c
···
15
15
#include <linux/netfilter_bridge/ebt_nat.h>
16
16
17
17
static unsigned int
18
-
ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
18
+
ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
19
19
{
20
20
const struct ebt_nat_info *info = par->targinfo;
21
21
+1
-1
net/bridge/netfilter/ebt_ip.c
+1
-1
net/bridge/netfilter/ebt_ip.c
+1
-1
net/bridge/netfilter/ebt_ip6.c
+1
-1
net/bridge/netfilter/ebt_ip6.c
+1
-1
net/bridge/netfilter/ebt_limit.c
+1
-1
net/bridge/netfilter/ebt_limit.c
···
32
32
#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
33
33
34
34
static bool
35
-
ebt_limit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
35
+
ebt_limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
36
36
{
37
37
struct ebt_limit_info *info = (void *)par->matchinfo;
38
38
unsigned long now = jiffies;
+1
-1
net/bridge/netfilter/ebt_log.c
+1
-1
net/bridge/netfilter/ebt_log.c
+1
-1
net/bridge/netfilter/ebt_mark.c
+1
-1
net/bridge/netfilter/ebt_mark.c
···
19
19
#include <linux/netfilter_bridge/ebt_mark_t.h>
20
20
21
21
static unsigned int
22
-
ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
22
+
ebt_mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
23
23
{
24
24
const struct ebt_mark_t_info *info = par->targinfo;
25
25
int action = info->target & -16;
+1
-1
net/bridge/netfilter/ebt_mark_m.c
+1
-1
net/bridge/netfilter/ebt_mark_m.c
···
13
13
#include <linux/netfilter_bridge/ebt_mark_m.h>
14
14
15
15
static bool
16
-
ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
16
+
ebt_mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
17
17
{
18
18
const struct ebt_mark_m_info *info = par->matchinfo;
19
19
+1
-1
net/bridge/netfilter/ebt_nflog.c
+1
-1
net/bridge/netfilter/ebt_nflog.c
···
20
20
#include <net/netfilter/nf_log.h>
21
21
22
22
static unsigned int
23
-
ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
23
+
ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
24
24
{
25
25
const struct ebt_nflog_info *info = par->targinfo;
26
26
struct nf_loginfo li;
+1
-1
net/bridge/netfilter/ebt_pkttype.c
+1
-1
net/bridge/netfilter/ebt_pkttype.c
···
13
13
#include <linux/netfilter_bridge/ebt_pkttype.h>
14
14
15
15
static bool
16
-
ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
16
+
ebt_pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
17
17
{
18
18
const struct ebt_pkttype_info *info = par->matchinfo;
19
19
+1
-1
net/bridge/netfilter/ebt_redirect.c
+1
-1
net/bridge/netfilter/ebt_redirect.c
···
16
16
#include <linux/netfilter_bridge/ebt_redirect.h>
17
17
18
18
static unsigned int
19
-
ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
19
+
ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
20
20
{
21
21
const struct ebt_redirect_info *info = par->targinfo;
22
22
+1
-1
net/bridge/netfilter/ebt_snat.c
+1
-1
net/bridge/netfilter/ebt_snat.c
···
17
17
#include <linux/netfilter_bridge/ebt_nat.h>
18
18
19
19
static unsigned int
20
-
ebt_snat_tg(struct sk_buff *skb, const struct xt_target_param *par)
20
+
ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
21
21
{
22
22
const struct ebt_nat_info *info = par->targinfo;
23
23
+1
-1
net/bridge/netfilter/ebt_stp.c
+1
-1
net/bridge/netfilter/ebt_stp.c
+1
-1
net/bridge/netfilter/ebt_ulog.c
+1
-1
net/bridge/netfilter/ebt_ulog.c
+1
-1
net/bridge/netfilter/ebt_vlan.c
+1
-1
net/bridge/netfilter/ebt_vlan.c
···
36
36
#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
37
37
38
38
static bool
39
-
ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
39
+
ebt_vlan_mt(const struct sk_buff *skb, struct xt_action_param *par)
40
40
{
41
41
const struct ebt_vlan_info *info = par->matchinfo;
42
42
const struct vlan_hdr *fp;
+16
-17
net/bridge/netfilter/ebtables.c
+16
-17
net/bridge/netfilter/ebtables.c
···
86
86
87
87
static inline int
88
88
ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
89
-
struct xt_target_param *par)
89
+
struct xt_action_param *par)
90
90
{
91
91
par->target = w->u.watcher;
92
92
par->targinfo = w->data;
···
95
95
return 0;
96
96
}
97
97
98
-
static inline int ebt_do_match (struct ebt_entry_match *m,
99
-
const struct sk_buff *skb, struct xt_match_param *par)
98
+
static inline int
99
+
ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
100
+
struct xt_action_param *par)
100
101
{
101
102
par->match = m->u.match;
102
103
par->matchinfo = m->data;
···
186
185
struct ebt_entries *chaininfo;
187
186
const char *base;
188
187
const struct ebt_table_info *private;
189
-
bool hotdrop = false;
190
-
struct xt_match_param mtpar;
191
-
struct xt_target_param tgpar;
188
+
struct xt_action_param acpar;
192
189
193
-
mtpar.family = tgpar.family = NFPROTO_BRIDGE;
194
-
mtpar.in = tgpar.in = in;
195
-
mtpar.out = tgpar.out = out;
196
-
mtpar.hotdrop = &hotdrop;
197
-
mtpar.hooknum = tgpar.hooknum = hook;
190
+
acpar.family = NFPROTO_BRIDGE;
191
+
acpar.in = in;
192
+
acpar.out = out;
193
+
acpar.hotdrop = false;
194
+
acpar.hooknum = hook;
198
195
199
196
read_lock_bh(&table->lock);
200
197
private = table->private;
···
213
214
if (ebt_basic_match(point, eth_hdr(skb), in, out))
214
215
goto letscontinue;
215
216
216
-
if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
217
+
if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
217
218
goto letscontinue;
218
-
if (hotdrop) {
219
+
if (acpar.hotdrop) {
219
220
read_unlock_bh(&table->lock);
220
221
return NF_DROP;
221
222
}
···
226
227
227
228
/* these should only watch: not modify, nor tell us
228
229
what to do with the packet */
229
-
EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
230
+
EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
230
231
231
232
t = (struct ebt_entry_target *)
232
233
(((char *)point) + point->target_offset);
···
234
235
if (!t->u.target->target)
235
236
verdict = ((struct ebt_standard_target *)t)->verdict;
236
237
else {
237
-
tgpar.target = t->u.target;
238
-
tgpar.targinfo = t->data;
239
-
verdict = t->u.target->target(skb, &tgpar);
238
+
acpar.target = t->u.target;
239
+
acpar.targinfo = t->data;
240
+
verdict = t->u.target->target(skb, &acpar);
240
241
}
241
242
if (verdict == EBT_ACCEPT) {
242
243
read_unlock_bh(&table->lock);
+30
-35
net/ipv4/netfilter/arp_tables.c
+30
-35
net/ipv4/netfilter/arp_tables.c
···
224
224
}
225
225
226
226
static unsigned int
227
-
arpt_error(struct sk_buff *skb, const struct xt_target_param *par)
227
+
arpt_error(struct sk_buff *skb, const struct xt_action_param *par)
228
228
{
229
229
if (net_ratelimit())
230
230
printk("arp_tables: error: '%s'\n",
···
260
260
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
261
261
unsigned int verdict = NF_DROP;
262
262
const struct arphdr *arp;
263
-
bool hotdrop = false;
264
263
struct arpt_entry *e, *back;
265
264
const char *indev, *outdev;
266
265
void *table_base;
267
266
const struct xt_table_info *private;
268
-
struct xt_target_param tgpar;
267
+
struct xt_action_param acpar;
269
268
270
269
if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
271
270
return NF_DROP;
···
279
280
e = get_entry(table_base, private->hook_entry[hook]);
280
281
back = get_entry(table_base, private->underflow[hook]);
281
282
282
-
tgpar.in = in;
283
-
tgpar.out = out;
284
-
tgpar.hooknum = hook;
285
-
tgpar.family = NFPROTO_ARP;
283
+
acpar.in = in;
284
+
acpar.out = out;
285
+
acpar.hooknum = hook;
286
+
acpar.family = NFPROTO_ARP;
287
+
acpar.hotdrop = false;
286
288
287
289
arp = arp_hdr(skb);
288
290
do {
···
333
333
/* Targets which reenter must return
334
334
* abs. verdicts
335
335
*/
336
-
tgpar.target = t->u.kernel.target;
337
-
tgpar.targinfo = t->data;
338
-
verdict = t->u.kernel.target->target(skb, &tgpar);
336
+
acpar.target = t->u.kernel.target;
337
+
acpar.targinfo = t->data;
338
+
verdict = t->u.kernel.target->target(skb, &acpar);
339
339
340
340
/* Target might have changed stuff. */
341
341
arp = arp_hdr(skb);
···
345
345
else
346
346
/* Verdict */
347
347
break;
348
-
} while (!hotdrop);
348
+
} while (!acpar.hotdrop);
349
349
xt_info_rdunlock_bh();
350
350
351
-
if (hotdrop)
351
+
if (acpar.hotdrop)
352
352
return NF_DROP;
353
353
else
354
354
return verdict;
···
1828
1828
}
1829
1829
1830
1830
/* The built-in targets: standard (NULL) and error. */
1831
-
static struct xt_target arpt_standard_target __read_mostly = {
1832
-
.name = ARPT_STANDARD_TARGET,
1833
-
.targetsize = sizeof(int),
1834
-
.family = NFPROTO_ARP,
1831
+
static struct xt_target arpt_builtin_tg[] __read_mostly = {
1832
+
{
1833
+
.name = ARPT_STANDARD_TARGET,
1834
+
.targetsize = sizeof(int),
1835
+
.family = NFPROTO_ARP,
1835
1836
#ifdef CONFIG_COMPAT
1836
-
.compatsize = sizeof(compat_int_t),
1837
-
.compat_from_user = compat_standard_from_user,
1838
-
.compat_to_user = compat_standard_to_user,
1837
+
.compatsize = sizeof(compat_int_t),
1838
+
.compat_from_user = compat_standard_from_user,
1839
+
.compat_to_user = compat_standard_to_user,
1839
1840
#endif
1840
-
};
1841
-
1842
-
static struct xt_target arpt_error_target __read_mostly = {
1843
-
.name = ARPT_ERROR_TARGET,
1844
-
.target = arpt_error,
1845
-
.targetsize = ARPT_FUNCTION_MAXNAMELEN,
1846
-
.family = NFPROTO_ARP,
1841
+
},
1842
+
{
1843
+
.name = ARPT_ERROR_TARGET,
1844
+
.target = arpt_error,
1845
+
.targetsize = ARPT_FUNCTION_MAXNAMELEN,
1846
+
.family = NFPROTO_ARP,
1847
+
},
1847
1848
};
1848
1849
1849
1850
static struct nf_sockopt_ops arpt_sockopts = {
···
1888
1887
goto err1;
1889
1888
1890
1889
/* Noone else will be downing sem now, so we won't sleep */
1891
-
ret = xt_register_target(&arpt_standard_target);
1890
+
ret = xt_register_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
1892
1891
if (ret < 0)
1893
1892
goto err2;
1894
-
ret = xt_register_target(&arpt_error_target);
1895
-
if (ret < 0)
1896
-
goto err3;
1897
1893
1898
1894
/* Register setsockopt */
1899
1895
ret = nf_register_sockopt(&arpt_sockopts);
···
1901
1903
return 0;
1902
1904
1903
1905
err4:
1904
-
xt_unregister_target(&arpt_error_target);
1905
-
err3:
1906
-
xt_unregister_target(&arpt_standard_target);
1906
+
xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
1907
1907
err2:
1908
1908
unregister_pernet_subsys(&arp_tables_net_ops);
1909
1909
err1:
···
1911
1915
static void __exit arp_tables_fini(void)
1912
1916
{
1913
1917
nf_unregister_sockopt(&arpt_sockopts);
1914
-
xt_unregister_target(&arpt_error_target);
1915
-
xt_unregister_target(&arpt_standard_target);
1918
+
xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
1916
1919
unregister_pernet_subsys(&arp_tables_net_ops);
1917
1920
}
1918
1921
+1
-1
net/ipv4/netfilter/arpt_mangle.c
+1
-1
net/ipv4/netfilter/arpt_mangle.c
···
9
9
MODULE_DESCRIPTION("arptables arp payload mangle target");
10
10
11
11
static unsigned int
12
-
target(struct sk_buff *skb, const struct xt_target_param *par)
12
+
target(struct sk_buff *skb, const struct xt_action_param *par)
13
13
{
14
14
const struct arpt_mangle *mangle = par->targinfo;
15
15
const struct arphdr *arp;
+54
-74
net/ipv4/netfilter/ip_tables.c
+54
-74
net/ipv4/netfilter/ip_tables.c
···
165
165
}
166
166
167
167
static unsigned int
168
-
ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
168
+
ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
169
169
{
170
170
if (net_ratelimit())
171
171
pr_info("error: `%s'\n", (const char *)par->targinfo);
172
172
173
173
return NF_DROP;
174
-
}
175
-
176
-
/* Performance critical - called for every packet */
177
-
static inline bool
178
-
do_match(const struct ipt_entry_match *m, const struct sk_buff *skb,
179
-
struct xt_match_param *par)
180
-
{
181
-
par->match = m->u.kernel.match;
182
-
par->matchinfo = m->data;
183
-
184
-
/* Stop iteration if it doesn't match */
185
-
if (!m->u.kernel.match->match(skb, par))
186
-
return true;
187
-
else
188
-
return false;
189
174
}
190
175
191
176
/* Performance critical */
···
308
323
{
309
324
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
310
325
const struct iphdr *ip;
311
-
bool hotdrop = false;
312
326
/* Initializing verdict to NF_DROP keeps gcc happy. */
313
327
unsigned int verdict = NF_DROP;
314
328
const char *indev, *outdev;
···
315
331
struct ipt_entry *e, **jumpstack;
316
332
unsigned int *stackptr, origptr, cpu;
317
333
const struct xt_table_info *private;
318
-
struct xt_match_param mtpar;
319
-
struct xt_target_param tgpar;
334
+
struct xt_action_param acpar;
320
335
321
336
/* Initialization */
322
337
ip = ip_hdr(skb);
···
327
344
* things we don't know, ie. tcp syn flag or ports). If the
328
345
* rule is also a fragment-specific rule, non-fragments won't
329
346
* match it. */
330
-
mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
331
-
mtpar.thoff = ip_hdrlen(skb);
332
-
mtpar.hotdrop = &hotdrop;
333
-
mtpar.in = tgpar.in = in;
334
-
mtpar.out = tgpar.out = out;
335
-
mtpar.family = tgpar.family = NFPROTO_IPV4;
336
-
mtpar.hooknum = tgpar.hooknum = hook;
347
+
acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
348
+
acpar.thoff = ip_hdrlen(skb);
349
+
acpar.hotdrop = false;
350
+
acpar.in = in;
351
+
acpar.out = out;
352
+
acpar.family = NFPROTO_IPV4;
353
+
acpar.hooknum = hook;
337
354
338
355
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
339
356
xt_info_rdlock_bh();
···
356
373
357
374
IP_NF_ASSERT(e);
358
375
if (!ip_packet_match(ip, indev, outdev,
359
-
&e->ip, mtpar.fragoff)) {
376
+
&e->ip, acpar.fragoff)) {
360
377
no_match:
361
378
e = ipt_next_entry(e);
362
379
continue;
363
380
}
364
381
365
-
xt_ematch_foreach(ematch, e)
366
-
if (do_match(ematch, skb, &mtpar) != 0)
382
+
xt_ematch_foreach(ematch, e) {
383
+
acpar.match = ematch->u.kernel.match;
384
+
acpar.matchinfo = ematch->data;
385
+
if (!acpar.match->match(skb, &acpar))
367
386
goto no_match;
387
+
}
368
388
369
389
ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
370
390
···
420
434
continue;
421
435
}
422
436
423
-
tgpar.target = t->u.kernel.target;
424
-
tgpar.targinfo = t->data;
437
+
acpar.target = t->u.kernel.target;
438
+
acpar.targinfo = t->data;
425
439
426
-
427
-
verdict = t->u.kernel.target->target(skb, &tgpar);
440
+
verdict = t->u.kernel.target->target(skb, &acpar);
428
441
/* Target might have changed stuff. */
429
442
ip = ip_hdr(skb);
430
443
if (verdict == IPT_CONTINUE)
···
431
446
else
432
447
/* Verdict */
433
448
break;
434
-
} while (!hotdrop);
449
+
} while (!acpar.hotdrop);
435
450
xt_info_rdunlock_bh();
436
451
pr_debug("Exiting %s; resetting sp from %u to %u\n",
437
452
__func__, *stackptr, origptr);
···
439
454
#ifdef DEBUG_ALLOW_ALL
440
455
return NF_ACCEPT;
441
456
#else
442
-
if (hotdrop)
457
+
if (acpar.hotdrop)
443
458
return NF_DROP;
444
459
else return verdict;
445
460
#endif
···
576
591
const struct ipt_entry_target *t;
577
592
578
593
if (!ip_checkentry(&e->ip)) {
579
-
duprintf("ip check failed %p %s.\n", e, name);
594
+
duprintf("ip check failed %p %s.\n", e, par->match->name);
580
595
return -EINVAL;
581
596
}
582
597
···
603
618
ret = xt_check_match(par, m->u.match_size - sizeof(*m),
604
619
ip->proto, ip->invflags & IPT_INV_PROTO);
605
620
if (ret < 0) {
606
-
duprintf("check failed for `%s'.\n", par.match->name);
621
+
duprintf("check failed for `%s'.\n", par->match->name);
607
622
return ret;
608
623
}
609
624
return 0;
···
2137
2152
}
2138
2153
2139
2154
static bool
2140
-
icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
2155
+
icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
2141
2156
{
2142
2157
const struct icmphdr *ic;
2143
2158
struct icmphdr _icmph;
···
2153
2168
* can't. Hence, no choice but to drop.
2154
2169
*/
2155
2170
duprintf("Dropping evil ICMP tinygram.\n");
2156
-
*par->hotdrop = true;
2171
+
par->hotdrop = true;
2157
2172
return false;
2158
2173
}
2159
2174
···
2172
2187
return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
2173
2188
}
2174
2189
2175
-
/* The built-in targets: standard (NULL) and error. */
2176
-
static struct xt_target ipt_standard_target __read_mostly = {
2177
-
.name = IPT_STANDARD_TARGET,
2178
-
.targetsize = sizeof(int),
2179
-
.family = NFPROTO_IPV4,
2190
+
static struct xt_target ipt_builtin_tg[] __read_mostly = {
2191
+
{
2192
+
.name = IPT_STANDARD_TARGET,
2193
+
.targetsize = sizeof(int),
2194
+
.family = NFPROTO_IPV4,
2180
2195
#ifdef CONFIG_COMPAT
2181
-
.compatsize = sizeof(compat_int_t),
2182
-
.compat_from_user = compat_standard_from_user,
2183
-
.compat_to_user = compat_standard_to_user,
2196
+
.compatsize = sizeof(compat_int_t),
2197
+
.compat_from_user = compat_standard_from_user,
2198
+
.compat_to_user = compat_standard_to_user,
2184
2199
#endif
2185
-
};
2186
-
2187
-
static struct xt_target ipt_error_target __read_mostly = {
2188
-
.name = IPT_ERROR_TARGET,
2189
-
.target = ipt_error,
2190
-
.targetsize = IPT_FUNCTION_MAXNAMELEN,
2191
-
.family = NFPROTO_IPV4,
2200
+
},
2201
+
{
2202
+
.name = IPT_ERROR_TARGET,
2203
+
.target = ipt_error,
2204
+
.targetsize = IPT_FUNCTION_MAXNAMELEN,
2205
+
.family = NFPROTO_IPV4,
2206
+
},
2192
2207
};
2193
2208
2194
2209
static struct nf_sockopt_ops ipt_sockopts = {
···
2208
2223
.owner = THIS_MODULE,
2209
2224
};
2210
2225
2211
-
static struct xt_match icmp_matchstruct __read_mostly = {
2212
-
.name = "icmp",
2213
-
.match = icmp_match,
2214
-
.matchsize = sizeof(struct ipt_icmp),
2215
-
.checkentry = icmp_checkentry,
2216
-
.proto = IPPROTO_ICMP,
2217
-
.family = NFPROTO_IPV4,
2226
+
static struct xt_match ipt_builtin_mt[] __read_mostly = {
2227
+
{
2228
+
.name = "icmp",
2229
+
.match = icmp_match,
2230
+
.matchsize = sizeof(struct ipt_icmp),
2231
+
.checkentry = icmp_checkentry,
2232
+
.proto = IPPROTO_ICMP,
2233
+
.family = NFPROTO_IPV4,
2234
+
},
2218
2235
};
2219
2236
2220
2237
static int __net_init ip_tables_net_init(struct net *net)
···
2243
2256
goto err1;
2244
2257
2245
2258
/* Noone else will be downing sem now, so we won't sleep */
2246
-
ret = xt_register_target(&ipt_standard_target);
2259
+
ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2247
2260
if (ret < 0)
2248
2261
goto err2;
2249
-
ret = xt_register_target(&ipt_error_target);
2250
-
if (ret < 0)
2251
-
goto err3;
2252
-
ret = xt_register_match(&icmp_matchstruct);
2262
+
ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2253
2263
if (ret < 0)
2254
2264
goto err4;
2255
2265
···
2259
2275
return 0;
2260
2276
2261
2277
err5:
2262
-
xt_unregister_match(&icmp_matchstruct);
2278
+
xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2263
2279
err4:
2264
-
xt_unregister_target(&ipt_error_target);
2265
-
err3:
2266
-
xt_unregister_target(&ipt_standard_target);
2280
+
xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2267
2281
err2:
2268
2282
unregister_pernet_subsys(&ip_tables_net_ops);
2269
2283
err1:
···
2272
2290
{
2273
2291
nf_unregister_sockopt(&ipt_sockopts);
2274
2292
2275
-
xt_unregister_match(&icmp_matchstruct);
2276
-
xt_unregister_target(&ipt_error_target);
2277
-
xt_unregister_target(&ipt_standard_target);
2278
-
2293
+
xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2294
+
xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2279
2295
unregister_pernet_subsys(&ip_tables_net_ops);
2280
2296
}
2281
2297
+1
-1
net/ipv4/netfilter/ipt_CLUSTERIP.c
+1
-1
net/ipv4/netfilter/ipt_CLUSTERIP.c
···
282
282
***********************************************************************/
283
283
284
284
static unsigned int
285
-
clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
285
+
clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
286
286
{
287
287
const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
288
288
struct nf_conn *ct;
+1
-1
net/ipv4/netfilter/ipt_ECN.c
+1
-1
net/ipv4/netfilter/ipt_ECN.c
+1
-1
net/ipv4/netfilter/ipt_LOG.c
+1
-1
net/ipv4/netfilter/ipt_LOG.c
+1
-1
net/ipv4/netfilter/ipt_MASQUERADE.c
+1
-1
net/ipv4/netfilter/ipt_MASQUERADE.c
+1
-1
net/ipv4/netfilter/ipt_NETMAP.c
+1
-1
net/ipv4/netfilter/ipt_NETMAP.c
+1
-1
net/ipv4/netfilter/ipt_REDIRECT.c
+1
-1
net/ipv4/netfilter/ipt_REDIRECT.c
+1
-1
net/ipv4/netfilter/ipt_REJECT.c
+1
-1
net/ipv4/netfilter/ipt_REJECT.c
+1
-1
net/ipv4/netfilter/ipt_ULOG.c
+1
-1
net/ipv4/netfilter/ipt_ULOG.c
+2
-2
net/ipv4/netfilter/ipt_addrtype.c
+2
-2
net/ipv4/netfilter/ipt_addrtype.c
···
30
30
}
31
31
32
32
static bool
33
-
addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
33
+
addrtype_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
34
34
{
35
35
struct net *net = dev_net(par->in ? par->in : par->out);
36
36
const struct ipt_addrtype_info *info = par->matchinfo;
···
48
48
}
49
49
50
50
static bool
51
-
addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
51
+
addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
52
52
{
53
53
struct net *net = dev_net(par->in ? par->in : par->out);
54
54
const struct ipt_addrtype_info_v1 *info = par->matchinfo;
+2
-2
net/ipv4/netfilter/ipt_ah.c
+2
-2
net/ipv4/netfilter/ipt_ah.c
···
30
30
return r;
31
31
}
32
32
33
-
static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
33
+
static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
34
34
{
35
35
struct ip_auth_hdr _ahdr;
36
36
const struct ip_auth_hdr *ah;
···
46
46
* can't. Hence, no choice but to drop.
47
47
*/
48
48
pr_debug("Dropping evil AH tinygram.\n");
49
-
*par->hotdrop = true;
49
+
par->hotdrop = true;
50
50
return 0;
51
51
}
52
52
+2
-2
net/ipv4/netfilter/ipt_ecn.c
+2
-2
net/ipv4/netfilter/ipt_ecn.c
···
67
67
return true;
68
68
}
69
69
70
-
static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
70
+
static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
71
71
{
72
72
const struct ipt_ecn_info *info = par->matchinfo;
73
73
···
78
78
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
79
79
if (ip_hdr(skb)->protocol != IPPROTO_TCP)
80
80
return false;
81
-
if (!match_tcp(skb, info, par->hotdrop))
81
+
if (!match_tcp(skb, info, &par->hotdrop))
82
82
return false;
83
83
}
84
84
+2
-2
net/ipv4/netfilter/nf_nat_rule.c
+2
-2
net/ipv4/netfilter/nf_nat_rule.c
···
39
39
40
40
/* Source NAT */
41
41
static unsigned int
42
-
ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par)
42
+
ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
43
43
{
44
44
struct nf_conn *ct;
45
45
enum ip_conntrack_info ctinfo;
···
58
58
}
59
59
60
60
static unsigned int
61
-
ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par)
61
+
ipt_dnat_target(struct sk_buff *skb, const struct xt_action_param *par)
62
62
{
63
63
struct nf_conn *ct;
64
64
enum ip_conntrack_info ctinfo;
+50
-68
net/ipv6/netfilter/ip6_tables.c
+50
-68
net/ipv6/netfilter/ip6_tables.c
···
197
197
}
198
198
199
199
static unsigned int
200
-
ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
200
+
ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
201
201
{
202
202
if (net_ratelimit())
203
203
pr_info("error: `%s'\n", (const char *)par->targinfo);
204
204
205
205
return NF_DROP;
206
-
}
207
-
208
-
/* Performance critical - called for every packet */
209
-
static inline bool
210
-
do_match(const struct ip6t_entry_match *m, const struct sk_buff *skb,
211
-
struct xt_match_param *par)
212
-
{
213
-
par->match = m->u.kernel.match;
214
-
par->matchinfo = m->data;
215
-
216
-
/* Stop iteration if it doesn't match */
217
-
if (!m->u.kernel.match->match(skb, par))
218
-
return true;
219
-
else
220
-
return false;
221
206
}
222
207
223
208
static inline struct ip6t_entry *
···
337
352
struct xt_table *table)
338
353
{
339
354
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
340
-
bool hotdrop = false;
341
355
/* Initializing verdict to NF_DROP keeps gcc happy. */
342
356
unsigned int verdict = NF_DROP;
343
357
const char *indev, *outdev;
···
344
360
struct ip6t_entry *e, **jumpstack;
345
361
unsigned int *stackptr, origptr, cpu;
346
362
const struct xt_table_info *private;
347
-
struct xt_match_param mtpar;
348
-
struct xt_target_param tgpar;
363
+
struct xt_action_param acpar;
349
364
350
365
/* Initialization */
351
366
indev = in ? in->name : nulldevname;
···
355
372
* things we don't know, ie. tcp syn flag or ports). If the
356
373
* rule is also a fragment-specific rule, non-fragments won't
357
374
* match it. */
358
-
mtpar.hotdrop = &hotdrop;
359
-
mtpar.in = tgpar.in = in;
360
-
mtpar.out = tgpar.out = out;
361
-
mtpar.family = tgpar.family = NFPROTO_IPV6;
362
-
mtpar.hooknum = tgpar.hooknum = hook;
375
+
acpar.hotdrop = false;
376
+
acpar.in = in;
377
+
acpar.out = out;
378
+
acpar.family = NFPROTO_IPV6;
379
+
acpar.hooknum = hook;
363
380
364
381
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
365
382
···
379
396
380
397
IP_NF_ASSERT(e);
381
398
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
382
-
&mtpar.thoff, &mtpar.fragoff, &hotdrop)) {
399
+
&acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
383
400
no_match:
384
401
e = ip6t_next_entry(e);
385
402
continue;
386
403
}
387
404
388
-
xt_ematch_foreach(ematch, e)
389
-
if (do_match(ematch, skb, &mtpar) != 0)
405
+
xt_ematch_foreach(ematch, e) {
406
+
acpar.match = ematch->u.kernel.match;
407
+
acpar.matchinfo = ematch->data;
408
+
if (!acpar.match->match(skb, &acpar))
390
409
goto no_match;
410
+
}
391
411
392
412
ADD_COUNTER(e->counters,
393
413
ntohs(ipv6_hdr(skb)->payload_len) +
···
437
451
continue;
438
452
}
439
453
440
-
tgpar.target = t->u.kernel.target;
441
-
tgpar.targinfo = t->data;
454
+
acpar.target = t->u.kernel.target;
455
+
acpar.targinfo = t->data;
442
456
443
-
verdict = t->u.kernel.target->target(skb, &tgpar);
457
+
verdict = t->u.kernel.target->target(skb, &acpar);
444
458
if (verdict == IP6T_CONTINUE)
445
459
e = ip6t_next_entry(e);
446
460
else
447
461
/* Verdict */
448
462
break;
449
-
} while (!hotdrop);
463
+
} while (!acpar.hotdrop);
450
464
451
465
xt_info_rdunlock_bh();
452
466
*stackptr = origptr;
···
454
468
#ifdef DEBUG_ALLOW_ALL
455
469
return NF_ACCEPT;
456
470
#else
457
-
if (hotdrop)
471
+
if (acpar.hotdrop)
458
472
return NF_DROP;
459
473
else return verdict;
460
474
#endif
···
2153
2167
}
2154
2168
2155
2169
static bool
2156
-
icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
2170
+
icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
2157
2171
{
2158
2172
const struct icmp6hdr *ic;
2159
2173
struct icmp6hdr _icmph;
···
2169
2183
* can't. Hence, no choice but to drop.
2170
2184
*/
2171
2185
duprintf("Dropping evil ICMP tinygram.\n");
2172
-
*par->hotdrop = true;
2186
+
par->hotdrop = true;
2173
2187
return false;
2174
2188
}
2175
2189
···
2190
2204
}
2191
2205
2192
2206
/* The built-in targets: standard (NULL) and error. */
2193
-
static struct xt_target ip6t_standard_target __read_mostly = {
2194
-
.name = IP6T_STANDARD_TARGET,
2195
-
.targetsize = sizeof(int),
2196
-
.family = NFPROTO_IPV6,
2207
+
static struct xt_target ip6t_builtin_tg[] __read_mostly = {
2208
+
{
2209
+
.name = IP6T_STANDARD_TARGET,
2210
+
.targetsize = sizeof(int),
2211
+
.family = NFPROTO_IPV6,
2197
2212
#ifdef CONFIG_COMPAT
2198
-
.compatsize = sizeof(compat_int_t),
2199
-
.compat_from_user = compat_standard_from_user,
2200
-
.compat_to_user = compat_standard_to_user,
2213
+
.compatsize = sizeof(compat_int_t),
2214
+
.compat_from_user = compat_standard_from_user,
2215
+
.compat_to_user = compat_standard_to_user,
2201
2216
#endif
2202
-
};
2203
-
2204
-
static struct xt_target ip6t_error_target __read_mostly = {
2205
-
.name = IP6T_ERROR_TARGET,
2206
-
.target = ip6t_error,
2207
-
.targetsize = IP6T_FUNCTION_MAXNAMELEN,
2208
-
.family = NFPROTO_IPV6,
2217
+
},
2218
+
{
2219
+
.name = IP6T_ERROR_TARGET,
2220
+
.target = ip6t_error,
2221
+
.targetsize = IP6T_FUNCTION_MAXNAMELEN,
2222
+
.family = NFPROTO_IPV6,
2223
+
},
2209
2224
};
2210
2225
2211
2226
static struct nf_sockopt_ops ip6t_sockopts = {
···
2226
2239
.owner = THIS_MODULE,
2227
2240
};
2228
2241
2229
-
static struct xt_match icmp6_matchstruct __read_mostly = {
2230
-
.name = "icmp6",
2231
-
.match = icmp6_match,
2232
-
.matchsize = sizeof(struct ip6t_icmp),
2233
-
.checkentry = icmp6_checkentry,
2234
-
.proto = IPPROTO_ICMPV6,
2235
-
.family = NFPROTO_IPV6,
2242
+
static struct xt_match ip6t_builtin_mt[] __read_mostly = {
2243
+
{
2244
+
.name = "icmp6",
2245
+
.match = icmp6_match,
2246
+
.matchsize = sizeof(struct ip6t_icmp),
2247
+
.checkentry = icmp6_checkentry,
2248
+
.proto = IPPROTO_ICMPV6,
2249
+
.family = NFPROTO_IPV6,
2250
+
},
2236
2251
};
2237
2252
2238
2253
static int __net_init ip6_tables_net_init(struct net *net)
···
2261
2272
goto err1;
2262
2273
2263
2274
/* Noone else will be downing sem now, so we won't sleep */
2264
-
ret = xt_register_target(&ip6t_standard_target);
2275
+
ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2265
2276
if (ret < 0)
2266
2277
goto err2;
2267
-
ret = xt_register_target(&ip6t_error_target);
2268
-
if (ret < 0)
2269
-
goto err3;
2270
-
ret = xt_register_match(&icmp6_matchstruct);
2278
+
ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2271
2279
if (ret < 0)
2272
2280
goto err4;
2273
2281
···
2277
2291
return 0;
2278
2292
2279
2293
err5:
2280
-
xt_unregister_match(&icmp6_matchstruct);
2294
+
xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2281
2295
err4:
2282
-
xt_unregister_target(&ip6t_error_target);
2283
-
err3:
2284
-
xt_unregister_target(&ip6t_standard_target);
2296
+
xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2285
2297
err2:
2286
2298
unregister_pernet_subsys(&ip6_tables_net_ops);
2287
2299
err1:
···
2290
2306
{
2291
2307
nf_unregister_sockopt(&ip6t_sockopts);
2292
2308
2293
-
xt_unregister_match(&icmp6_matchstruct);
2294
-
xt_unregister_target(&ip6t_error_target);
2295
-
xt_unregister_target(&ip6t_standard_target);
2296
-
2309
+
xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2310
+
xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2297
2311
unregister_pernet_subsys(&ip6_tables_net_ops);
2298
2312
}
2299
2313
+1
-1
net/ipv6/netfilter/ip6t_LOG.c
+1
-1
net/ipv6/netfilter/ip6t_LOG.c
+1
-1
net/ipv6/netfilter/ip6t_REJECT.c
+1
-1
net/ipv6/netfilter/ip6t_REJECT.c
···
175
175
}
176
176
177
177
static unsigned int
178
-
reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
178
+
reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
179
179
{
180
180
const struct ip6t_reject_info *reject = par->targinfo;
181
181
struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
+3
-3
net/ipv6/netfilter/ip6t_ah.c
+3
-3
net/ipv6/netfilter/ip6t_ah.c
···
36
36
return r;
37
37
}
38
38
39
-
static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
39
+
static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
40
40
{
41
41
struct ip_auth_hdr _ah;
42
42
const struct ip_auth_hdr *ah;
···
48
48
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
49
49
if (err < 0) {
50
50
if (err != -ENOENT)
51
-
*par->hotdrop = true;
51
+
par->hotdrop = true;
52
52
return false;
53
53
}
54
54
55
55
ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
56
56
if (ah == NULL) {
57
-
*par->hotdrop = true;
57
+
par->hotdrop = true;
58
58
return false;
59
59
}
60
60
+2
-2
net/ipv6/netfilter/ip6t_eui64.c
+2
-2
net/ipv6/netfilter/ip6t_eui64.c
···
20
20
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
21
21
22
22
static bool
23
-
eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
23
+
eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
24
24
{
25
25
unsigned char eui64[8];
26
26
27
27
if (!(skb_mac_header(skb) >= skb->head &&
28
28
skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
29
29
par->fragoff != 0) {
30
-
*par->hotdrop = true;
30
+
par->hotdrop = true;
31
31
return false;
32
32
}
33
33
+3
-3
net/ipv6/netfilter/ip6t_frag.c
+3
-3
net/ipv6/netfilter/ip6t_frag.c
···
35
35
}
36
36
37
37
static bool
38
-
frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
38
+
frag_mt6(const struct sk_buff *skb, struct xt_action_param *par)
39
39
{
40
40
struct frag_hdr _frag;
41
41
const struct frag_hdr *fh;
···
46
46
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
47
47
if (err < 0) {
48
48
if (err != -ENOENT)
49
-
*par->hotdrop = true;
49
+
par->hotdrop = true;
50
50
return false;
51
51
}
52
52
53
53
fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
54
54
if (fh == NULL) {
55
-
*par->hotdrop = true;
55
+
par->hotdrop = true;
56
56
return false;
57
57
}
58
58
+3
-3
net/ipv6/netfilter/ip6t_hbh.c
+3
-3
net/ipv6/netfilter/ip6t_hbh.c
···
44
44
static struct xt_match hbh_mt6_reg[] __read_mostly;
45
45
46
46
static bool
47
-
hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
47
+
hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
48
48
{
49
49
struct ipv6_opt_hdr _optsh;
50
50
const struct ipv6_opt_hdr *oh;
···
65
65
NEXTHDR_HOP : NEXTHDR_DEST, NULL);
66
66
if (err < 0) {
67
67
if (err != -ENOENT)
68
-
*par->hotdrop = true;
68
+
par->hotdrop = true;
69
69
return false;
70
70
}
71
71
72
72
oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
73
73
if (oh == NULL) {
74
-
*par->hotdrop = true;
74
+
par->hotdrop = true;
75
75
return false;
76
76
}
77
77
+1
-1
net/ipv6/netfilter/ip6t_ipv6header.c
+1
-1
net/ipv6/netfilter/ip6t_ipv6header.c
···
27
27
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
28
28
29
29
static bool
30
-
ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
30
+
ipv6header_mt6(const struct sk_buff *skb, struct xt_action_param *par)
31
31
{
32
32
const struct ip6t_ipv6header_info *info = par->matchinfo;
33
33
unsigned int temp;
+3
-3
net/ipv6/netfilter/ip6t_mh.c
+3
-3
net/ipv6/netfilter/ip6t_mh.c
···
32
32
return (type >= min && type <= max) ^ invert;
33
33
}
34
34
35
-
static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
35
+
static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
36
36
{
37
37
struct ip6_mh _mh;
38
38
const struct ip6_mh *mh;
···
47
47
/* We've been asked to examine this packet, and we
48
48
can't. Hence, no choice but to drop. */
49
49
pr_debug("Dropping evil MH tinygram.\n");
50
-
*par->hotdrop = true;
50
+
par->hotdrop = true;
51
51
return false;
52
52
}
53
53
54
54
if (mh->ip6mh_proto != IPPROTO_NONE) {
55
55
pr_debug("Dropping invalid MH Payload Proto: %u\n",
56
56
mh->ip6mh_proto);
57
-
*par->hotdrop = true;
57
+
par->hotdrop = true;
58
58
return false;
59
59
}
60
60
+3
-3
net/ipv6/netfilter/ip6t_rt.c
+3
-3
net/ipv6/netfilter/ip6t_rt.c
···
36
36
return r;
37
37
}
38
38
39
-
static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
39
+
static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
40
40
{
41
41
struct ipv6_rt_hdr _route;
42
42
const struct ipv6_rt_hdr *rh;
···
52
52
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
53
53
if (err < 0) {
54
54
if (err != -ENOENT)
55
-
*par->hotdrop = true;
55
+
par->hotdrop = true;
56
56
return false;
57
57
}
58
58
59
59
rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
60
60
if (rh == NULL) {
61
-
*par->hotdrop = true;
61
+
par->hotdrop = true;
62
62
return false;
63
63
}
64
64
+1
-1
net/netfilter/xt_CLASSIFY.c
+1
-1
net/netfilter/xt_CLASSIFY.c
···
27
27
MODULE_ALIAS("ip6t_CLASSIFY");
28
28
29
29
static unsigned int
30
-
classify_tg(struct sk_buff *skb, const struct xt_target_param *par)
30
+
classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
31
31
{
32
32
const struct xt_classify_target_info *clinfo = par->targinfo;
33
33
+1
-1
net/netfilter/xt_CONNSECMARK.c
+1
-1
net/netfilter/xt_CONNSECMARK.c
+1
-1
net/netfilter/xt_CT.c
+1
-1
net/netfilter/xt_CT.c
···
20
20
#include <net/netfilter/nf_conntrack_zones.h>
21
21
22
22
static unsigned int xt_ct_target(struct sk_buff *skb,
23
-
const struct xt_target_param *par)
23
+
const struct xt_action_param *par)
24
24
{
25
25
const struct xt_ct_target_info *info = par->targinfo;
26
26
struct nf_conn *ct = info->ct;
+4
-4
net/netfilter/xt_DSCP.c
+4
-4
net/netfilter/xt_DSCP.c
···
28
28
MODULE_ALIAS("ip6t_TOS");
29
29
30
30
static unsigned int
31
-
dscp_tg(struct sk_buff *skb, const struct xt_target_param *par)
31
+
dscp_tg(struct sk_buff *skb, const struct xt_action_param *par)
32
32
{
33
33
const struct xt_DSCP_info *dinfo = par->targinfo;
34
34
u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
···
45
45
}
46
46
47
47
static unsigned int
48
-
dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par)
48
+
dscp_tg6(struct sk_buff *skb, const struct xt_action_param *par)
49
49
{
50
50
const struct xt_DSCP_info *dinfo = par->targinfo;
51
51
u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
···
72
72
}
73
73
74
74
static unsigned int
75
-
tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
75
+
tos_tg(struct sk_buff *skb, const struct xt_action_param *par)
76
76
{
77
77
const struct xt_tos_target_info *info = par->targinfo;
78
78
struct iphdr *iph = ip_hdr(skb);
···
92
92
}
93
93
94
94
static unsigned int
95
-
tos_tg6(struct sk_buff *skb, const struct xt_target_param *par)
95
+
tos_tg6(struct sk_buff *skb, const struct xt_action_param *par)
96
96
{
97
97
const struct xt_tos_target_info *info = par->targinfo;
98
98
struct ipv6hdr *iph = ipv6_hdr(skb);
+2
-2
net/netfilter/xt_HL.c
+2
-2
net/netfilter/xt_HL.c
···
26
26
MODULE_LICENSE("GPL");
27
27
28
28
static unsigned int
29
-
ttl_tg(struct sk_buff *skb, const struct xt_target_param *par)
29
+
ttl_tg(struct sk_buff *skb, const struct xt_action_param *par)
30
30
{
31
31
struct iphdr *iph;
32
32
const struct ipt_TTL_info *info = par->targinfo;
···
66
66
}
67
67
68
68
static unsigned int
69
-
hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
69
+
hl_tg6(struct sk_buff *skb, const struct xt_action_param *par)
70
70
{
71
71
struct ipv6hdr *ip6h;
72
72
const struct ip6t_HL_info *info = par->targinfo;
+1
-1
net/netfilter/xt_LED.c
+1
-1
net/netfilter/xt_LED.c
···
49
49
};
50
50
51
51
static unsigned int
52
-
led_tg(struct sk_buff *skb, const struct xt_target_param *par)
52
+
led_tg(struct sk_buff *skb, const struct xt_action_param *par)
53
53
{
54
54
const struct xt_led_info *ledinfo = par->targinfo;
55
55
struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
+1
-1
net/netfilter/xt_NFLOG.c
+1
-1
net/netfilter/xt_NFLOG.c
···
22
22
MODULE_ALIAS("ip6t_NFLOG");
23
23
24
24
static unsigned int
25
-
nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
25
+
nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
26
26
{
27
27
const struct xt_nflog_info *info = par->targinfo;
28
28
struct nf_loginfo li;
+2
-2
net/netfilter/xt_NFQUEUE.c
+2
-2
net/netfilter/xt_NFQUEUE.c
···
31
31
static bool rnd_inited __read_mostly;
32
32
33
33
static unsigned int
34
-
nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par)
34
+
nfqueue_tg(struct sk_buff *skb, const struct xt_action_param *par)
35
35
{
36
36
const struct xt_NFQ_info *tinfo = par->targinfo;
37
37
···
65
65
#endif
66
66
67
67
static unsigned int
68
-
nfqueue_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
68
+
nfqueue_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
69
69
{
70
70
const struct xt_NFQ_info_v1 *info = par->targinfo;
71
71
u32 queue = info->queuenum;
+1
-1
net/netfilter/xt_NOTRACK.c
+1
-1
net/netfilter/xt_NOTRACK.c
···
13
13
MODULE_ALIAS("ip6t_NOTRACK");
14
14
15
15
static unsigned int
16
-
notrack_tg(struct sk_buff *skb, const struct xt_target_param *par)
16
+
notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
17
17
{
18
18
/* Previously seen (loopback)? Ignore. */
19
19
if (skb->nfct != NULL)
+1
-1
net/netfilter/xt_RATEEST.c
+1
-1
net/netfilter/xt_RATEEST.c
···
73
73
EXPORT_SYMBOL_GPL(xt_rateest_put);
74
74
75
75
static unsigned int
76
-
xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par)
76
+
xt_rateest_tg(struct sk_buff *skb, const struct xt_action_param *par)
77
77
{
78
78
const struct xt_rateest_target_info *info = par->targinfo;
79
79
struct gnet_stats_basic_packed *stats = &info->est->bstats;
+1
-1
net/netfilter/xt_SECMARK.c
+1
-1
net/netfilter/xt_SECMARK.c
+2
-2
net/netfilter/xt_TCPMSS.c
+2
-2
net/netfilter/xt_TCPMSS.c
···
172
172
}
173
173
174
174
static unsigned int
175
-
tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par)
175
+
tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
176
176
{
177
177
struct iphdr *iph = ip_hdr(skb);
178
178
__be16 newlen;
···
195
195
196
196
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
197
197
static unsigned int
198
-
tcpmss_tg6(struct sk_buff *skb, const struct xt_target_param *par)
198
+
tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
199
199
{
200
200
struct ipv6hdr *ipv6h = ipv6_hdr(skb);
201
201
u8 nexthdr;
+2
-2
net/netfilter/xt_TCPOPTSTRIP.c
+2
-2
net/netfilter/xt_TCPOPTSTRIP.c
···
74
74
}
75
75
76
76
static unsigned int
77
-
tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par)
77
+
tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
78
78
{
79
79
return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
80
80
sizeof(struct iphdr) + sizeof(struct tcphdr));
···
82
82
83
83
#if defined(CONFIG_IP6_NF_MANGLE) || defined(CONFIG_IP6_NF_MANGLE_MODULE)
84
84
static unsigned int
85
-
tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_target_param *par)
85
+
tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
86
86
{
87
87
struct ipv6hdr *ipv6h = ipv6_hdr(skb);
88
88
int tcphoff;
+2
-2
net/netfilter/xt_TEE.c
+2
-2
net/netfilter/xt_TEE.c
···
84
84
}
85
85
86
86
static unsigned int
87
-
tee_tg4(struct sk_buff *skb, const struct xt_target_param *par)
87
+
tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
88
88
{
89
89
const struct xt_tee_tginfo *info = par->targinfo;
90
90
struct iphdr *iph;
···
165
165
}
166
166
167
167
static unsigned int
168
-
tee_tg6(struct sk_buff *skb, const struct xt_target_param *par)
168
+
tee_tg6(struct sk_buff *skb, const struct xt_action_param *par)
169
169
{
170
170
const struct xt_tee_tginfo *info = par->targinfo;
171
171
+1
-1
net/netfilter/xt_TPROXY.c
+1
-1
net/netfilter/xt_TPROXY.c
···
25
25
#include <net/netfilter/nf_tproxy_core.h>
26
26
27
27
static unsigned int
28
-
tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par)
28
+
tproxy_tg(struct sk_buff *skb, const struct xt_action_param *par)
29
29
{
30
30
const struct iphdr *iph = ip_hdr(skb);
31
31
const struct xt_tproxy_target_info *tgi = par->targinfo;
+1
-1
net/netfilter/xt_TRACE.c
+1
-1
net/netfilter/xt_TRACE.c
+1
-1
net/netfilter/xt_cluster.c
+1
-1
net/netfilter/xt_cluster.c
···
86
86
}
87
87
88
88
static bool
89
-
xt_cluster_mt(const struct sk_buff *skb, const struct xt_match_param *par)
89
+
xt_cluster_mt(const struct sk_buff *skb, struct xt_action_param *par)
90
90
{
91
91
struct sk_buff *pskb = (struct sk_buff *)skb;
92
92
const struct xt_cluster_match_info *info = par->matchinfo;
+1
-1
net/netfilter/xt_comment.c
+1
-1
net/netfilter/xt_comment.c
+1
-1
net/netfilter/xt_connbytes.c
+1
-1
net/netfilter/xt_connbytes.c
···
18
18
MODULE_ALIAS("ip6t_connbytes");
19
19
20
20
static bool
21
-
connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
21
+
connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
22
22
{
23
23
const struct xt_connbytes_info *sinfo = par->matchinfo;
24
24
const struct nf_conn *ct;
+3
-3
net/netfilter/xt_connlimit.c
+3
-3
net/netfilter/xt_connlimit.c
···
173
173
}
174
174
175
175
static bool
176
-
connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
176
+
connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
177
177
{
178
178
struct net *net = dev_net(par->in ? par->in : par->out);
179
179
const struct xt_connlimit_info *info = par->matchinfo;
···
206
206
207
207
if (connections < 0) {
208
208
/* kmalloc failed, drop it entirely */
209
-
*par->hotdrop = true;
209
+
par->hotdrop = true;
210
210
return false;
211
211
}
212
212
213
213
return (connections > info->limit) ^ info->inverse;
214
214
215
215
hotdrop:
216
-
*par->hotdrop = true;
216
+
par->hotdrop = true;
217
217
return false;
218
218
}
219
219
+2
-2
net/netfilter/xt_connmark.c
+2
-2
net/netfilter/xt_connmark.c
···
37
37
MODULE_ALIAS("ip6t_connmark");
38
38
39
39
static unsigned int
40
-
connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
40
+
connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
41
41
{
42
42
const struct xt_connmark_tginfo1 *info = par->targinfo;
43
43
enum ip_conntrack_info ctinfo;
···
91
91
}
92
92
93
93
static bool
94
-
connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
94
+
connmark_mt(const struct sk_buff *skb, struct xt_action_param *par)
95
95
{
96
96
const struct xt_connmark_mtinfo1 *info = par->matchinfo;
97
97
enum ip_conntrack_info ctinfo;
+3
-3
net/netfilter/xt_conntrack.c
+3
-3
net/netfilter/xt_conntrack.c
···
113
113
}
114
114
115
115
static bool
116
-
conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
116
+
conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par,
117
117
u16 state_mask, u16 status_mask)
118
118
{
119
119
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
···
191
191
}
192
192
193
193
static bool
194
-
conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
194
+
conntrack_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
195
195
{
196
196
const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
197
197
···
199
199
}
200
200
201
201
static bool
202
-
conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
202
+
conntrack_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
203
203
{
204
204
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
205
205
+3
-3
net/netfilter/xt_dccp.c
+3
-3
net/netfilter/xt_dccp.c
···
96
96
}
97
97
98
98
static bool
99
-
dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
99
+
dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
100
100
{
101
101
const struct xt_dccp_info *info = par->matchinfo;
102
102
const struct dccp_hdr *dh;
···
107
107
108
108
dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
109
109
if (dh == NULL) {
110
-
*par->hotdrop = true;
110
+
par->hotdrop = true;
111
111
return false;
112
112
}
113
113
···
120
120
&& DCCHECK(match_types(dh, info->typemask),
121
121
XT_DCCP_TYPE, info->flags, info->invflags)
122
122
&& DCCHECK(match_option(info->option, skb, par->thoff, dh,
123
-
par->hotdrop),
123
+
&par->hotdrop),
124
124
XT_DCCP_OPTION, info->flags, info->invflags);
125
125
}
126
126
+3
-3
net/netfilter/xt_dscp.c
+3
-3
net/netfilter/xt_dscp.c
···
25
25
MODULE_ALIAS("ip6t_tos");
26
26
27
27
static bool
28
-
dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
28
+
dscp_mt(const struct sk_buff *skb, struct xt_action_param *par)
29
29
{
30
30
const struct xt_dscp_info *info = par->matchinfo;
31
31
u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
···
34
34
}
35
35
36
36
static bool
37
-
dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
37
+
dscp_mt6(const struct sk_buff *skb, struct xt_action_param *par)
38
38
{
39
39
const struct xt_dscp_info *info = par->matchinfo;
40
40
u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
···
54
54
return 0;
55
55
}
56
56
57
-
static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
57
+
static bool tos_mt(const struct sk_buff *skb, struct xt_action_param *par)
58
58
{
59
59
const struct xt_tos_match_info *info = par->matchinfo;
60
60
+2
-2
net/netfilter/xt_esp.c
+2
-2
net/netfilter/xt_esp.c
···
36
36
return r;
37
37
}
38
38
39
-
static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
39
+
static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
40
40
{
41
41
const struct ip_esp_hdr *eh;
42
42
struct ip_esp_hdr _esp;
···
52
52
* can't. Hence, no choice but to drop.
53
53
*/
54
54
pr_debug("Dropping evil ESP tinygram.\n");
55
-
*par->hotdrop = true;
55
+
par->hotdrop = true;
56
56
return false;
57
57
}
58
58
+2
-2
net/netfilter/xt_hashlimit.c
+2
-2
net/netfilter/xt_hashlimit.c
···
516
516
}
517
517
518
518
static bool
519
-
hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
519
+
hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
520
520
{
521
521
const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
522
522
struct xt_hashlimit_htable *hinfo = info->hinfo;
···
562
562
return info->cfg.mode & XT_HASHLIMIT_INVERT;
563
563
564
564
hotdrop:
565
-
*par->hotdrop = true;
565
+
par->hotdrop = true;
566
566
return false;
567
567
}
568
568
+1
-1
net/netfilter/xt_helper.c
+1
-1
net/netfilter/xt_helper.c
+2
-2
net/netfilter/xt_hl.c
+2
-2
net/netfilter/xt_hl.c
···
25
25
MODULE_ALIAS("ipt_ttl");
26
26
MODULE_ALIAS("ip6t_hl");
27
27
28
-
static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
28
+
static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
29
29
{
30
30
const struct ipt_ttl_info *info = par->matchinfo;
31
31
const u8 ttl = ip_hdr(skb)->ttl;
···
44
44
return false;
45
45
}
46
46
47
-
static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
47
+
static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
48
48
{
49
49
const struct ip6t_hl_info *info = par->matchinfo;
50
50
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+2
-2
net/netfilter/xt_iprange.c
+2
-2
net/netfilter/xt_iprange.c
···
17
17
#include <linux/netfilter/xt_iprange.h>
18
18
19
19
static bool
20
-
iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par)
20
+
iprange_mt4(const struct sk_buff *skb, struct xt_action_param *par)
21
21
{
22
22
const struct xt_iprange_mtinfo *info = par->matchinfo;
23
23
const struct iphdr *iph = ip_hdr(skb);
···
68
68
}
69
69
70
70
static bool
71
-
iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
71
+
iprange_mt6(const struct sk_buff *skb, struct xt_action_param *par)
72
72
{
73
73
const struct xt_iprange_mtinfo *info = par->matchinfo;
74
74
const struct ipv6hdr *iph = ipv6_hdr(skb);
+2
-2
net/netfilter/xt_length.c
+2
-2
net/netfilter/xt_length.c
···
21
21
MODULE_ALIAS("ip6t_length");
22
22
23
23
static bool
24
-
length_mt(const struct sk_buff *skb, const struct xt_match_param *par)
24
+
length_mt(const struct sk_buff *skb, struct xt_action_param *par)
25
25
{
26
26
const struct xt_length_info *info = par->matchinfo;
27
27
u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
···
30
30
}
31
31
32
32
static bool
33
-
length_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
33
+
length_mt6(const struct sk_buff *skb, struct xt_action_param *par)
34
34
{
35
35
const struct xt_length_info *info = par->matchinfo;
36
36
const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
+1
-1
net/netfilter/xt_limit.c
+1
-1
net/netfilter/xt_limit.c
···
65
65
#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
66
66
67
67
static bool
68
-
limit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
68
+
limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
69
69
{
70
70
const struct xt_rateinfo *r = par->matchinfo;
71
71
struct xt_limit_priv *priv = r->master;
+1
-1
net/netfilter/xt_mac.c
+1
-1
net/netfilter/xt_mac.c
···
25
25
MODULE_ALIAS("ipt_mac");
26
26
MODULE_ALIAS("ip6t_mac");
27
27
28
-
static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
28
+
static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par)
29
29
{
30
30
const struct xt_mac_info *info = par->matchinfo;
31
31
bool ret;
+2
-2
net/netfilter/xt_mark.c
+2
-2
net/netfilter/xt_mark.c
···
25
25
MODULE_ALIAS("ip6t_MARK");
26
26
27
27
static unsigned int
28
-
mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
28
+
mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
29
29
{
30
30
const struct xt_mark_tginfo2 *info = par->targinfo;
31
31
···
34
34
}
35
35
36
36
static bool
37
-
mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
37
+
mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
38
38
{
39
39
const struct xt_mark_mtinfo1 *info = par->matchinfo;
40
40
+4
-4
net/netfilter/xt_multiport.c
+4
-4
net/netfilter/xt_multiport.c
···
72
72
}
73
73
74
74
static bool
75
-
multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
75
+
multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
76
76
{
77
77
const __be16 *pptr;
78
78
__be16 _ports[2];
···
87
87
* can't. Hence, no choice but to drop.
88
88
*/
89
89
pr_debug("Dropping evil offset=0 tinygram.\n");
90
-
*par->hotdrop = true;
90
+
par->hotdrop = true;
91
91
return false;
92
92
}
93
93
···
117
117
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
118
118
119
119
return check(ip->proto, ip->invflags, multiinfo->flags,
120
-
multiinfo->count);
120
+
multiinfo->count) ? 0 : -EINVAL;
121
121
}
122
122
123
123
static int multiport_mt6_check(const struct xt_mtchk_param *par)
···
126
126
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
127
127
128
128
return check(ip->proto, ip->invflags, multiinfo->flags,
129
-
multiinfo->count);
129
+
multiinfo->count) ? 0 : -EINVAL;
130
130
}
131
131
132
132
static struct xt_match multiport_mt_reg[] __read_mostly = {
+2
-2
net/netfilter/xt_osf.c
+2
-2
net/netfilter/xt_osf.c
···
193
193
return ip->ttl == f_ttl;
194
194
}
195
195
196
-
static bool xt_osf_match_packet(const struct sk_buff *skb,
197
-
const struct xt_match_param *p)
196
+
static bool
197
+
xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)
198
198
{
199
199
const struct xt_osf_info *info = p->matchinfo;
200
200
const struct iphdr *ip = ip_hdr(skb);
+1
-1
net/netfilter/xt_owner.c
+1
-1
net/netfilter/xt_owner.c
···
18
18
#include <linux/netfilter/xt_owner.h>
19
19
20
20
static bool
21
-
owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
21
+
owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
22
22
{
23
23
const struct xt_owner_match_info *info = par->matchinfo;
24
24
const struct file *filp;
+1
-1
net/netfilter/xt_physdev.c
+1
-1
net/netfilter/xt_physdev.c
···
22
22
23
23
24
24
static bool
25
-
physdev_mt(const struct sk_buff *skb, const struct xt_match_param *par)
25
+
physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
26
26
{
27
27
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
28
28
const struct xt_physdev_info *info = par->matchinfo;
+1
-1
net/netfilter/xt_pkttype.c
+1
-1
net/netfilter/xt_pkttype.c
···
23
23
MODULE_ALIAS("ip6t_pkttype");
24
24
25
25
static bool
26
-
pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
26
+
pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
27
27
{
28
28
const struct xt_pkttype_info *info = par->matchinfo;
29
29
u_int8_t type;
+1
-1
net/netfilter/xt_policy.c
+1
-1
net/netfilter/xt_policy.c
+1
-1
net/netfilter/xt_quota.c
+1
-1
net/netfilter/xt_quota.c
···
23
23
static DEFINE_SPINLOCK(quota_lock);
24
24
25
25
static bool
26
-
quota_mt(const struct sk_buff *skb, const struct xt_match_param *par)
26
+
quota_mt(const struct sk_buff *skb, struct xt_action_param *par)
27
27
{
28
28
struct xt_quota_info *q = (void *)par->matchinfo;
29
29
struct xt_quota_priv *priv = q->master;
+1
-1
net/netfilter/xt_rateest.c
+1
-1
net/netfilter/xt_rateest.c
+1
-1
net/netfilter/xt_realm.c
+1
-1
net/netfilter/xt_realm.c
···
22
22
MODULE_ALIAS("ipt_realm");
23
23
24
24
static bool
25
-
realm_mt(const struct sk_buff *skb, const struct xt_match_param *par)
25
+
realm_mt(const struct sk_buff *skb, struct xt_action_param *par)
26
26
{
27
27
const struct xt_realm_info *info = par->matchinfo;
28
28
const struct dst_entry *dst = skb_dst(skb);
+2
-2
net/netfilter/xt_recent.c
+2
-2
net/netfilter/xt_recent.c
···
224
224
}
225
225
226
226
static bool
227
-
recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
227
+
recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
228
228
{
229
229
struct net *net = dev_net(par->in ? par->in : par->out);
230
230
struct recent_net *recent_net = recent_pernet(net);
···
268
268
goto out;
269
269
e = recent_entry_init(t, &addr, par->family, ttl);
270
270
if (e == NULL)
271
-
*par->hotdrop = true;
271
+
par->hotdrop = true;
272
272
ret = !ret;
273
273
goto out;
274
274
}
+3
-3
net/netfilter/xt_sctp.c
+3
-3
net/netfilter/xt_sctp.c
···
114
114
}
115
115
116
116
static bool
117
-
sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
117
+
sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
118
118
{
119
119
const struct xt_sctp_info *info = par->matchinfo;
120
120
const sctp_sctphdr_t *sh;
···
128
128
sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
129
129
if (sh == NULL) {
130
130
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
131
-
*par->hotdrop = true;
131
+
par->hotdrop = true;
132
132
return false;
133
133
}
134
134
pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
···
140
140
&& ntohs(sh->dest) <= info->dpts[1],
141
141
XT_SCTP_DEST_PORTS, info->flags, info->invflags)
142
142
&& SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
143
-
info, par->hotdrop),
143
+
info, &par->hotdrop),
144
144
XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
145
145
}
146
146
+3
-3
net/netfilter/xt_socket.c
+3
-3
net/netfilter/xt_socket.c
···
88
88
89
89
90
90
static bool
91
-
socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
91
+
socket_match(const struct sk_buff *skb, struct xt_action_param *par,
92
92
const struct xt_socket_mtinfo1 *info)
93
93
{
94
94
const struct iphdr *iph = ip_hdr(skb);
···
174
174
}
175
175
176
176
static bool
177
-
socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
177
+
socket_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
178
178
{
179
179
return socket_match(skb, par, NULL);
180
180
}
181
181
182
182
static bool
183
-
socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
183
+
socket_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
184
184
{
185
185
return socket_match(skb, par, par->matchinfo);
186
186
}
+1
-1
net/netfilter/xt_state.c
+1
-1
net/netfilter/xt_state.c
···
21
21
MODULE_ALIAS("ip6t_state");
22
22
23
23
static bool
24
-
state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
24
+
state_mt(const struct sk_buff *skb, struct xt_action_param *par)
25
25
{
26
26
const struct xt_state_info *sinfo = par->matchinfo;
27
27
enum ip_conntrack_info ctinfo;
+1
-1
net/netfilter/xt_statistic.c
+1
-1
net/netfilter/xt_statistic.c
···
30
30
static DEFINE_SPINLOCK(nth_lock);
31
31
32
32
static bool
33
-
statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par)
33
+
statistic_mt(const struct sk_buff *skb, struct xt_action_param *par)
34
34
{
35
35
const struct xt_statistic_info *info = par->matchinfo;
36
36
bool ret = info->flags & XT_STATISTIC_INVERT;
+1
-1
net/netfilter/xt_string.c
+1
-1
net/netfilter/xt_string.c
···
23
23
MODULE_ALIAS("ip6t_string");
24
24
25
25
static bool
26
-
string_mt(const struct sk_buff *skb, const struct xt_match_param *par)
26
+
string_mt(const struct sk_buff *skb, struct xt_action_param *par)
27
27
{
28
28
const struct xt_string_info *conf = par->matchinfo;
29
29
struct ts_state state;
+2
-2
net/netfilter/xt_tcpmss.c
+2
-2
net/netfilter/xt_tcpmss.c
···
25
25
MODULE_ALIAS("ip6t_tcpmss");
26
26
27
27
static bool
28
-
tcpmss_mt(const struct sk_buff *skb, const struct xt_match_param *par)
28
+
tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
29
29
{
30
30
const struct xt_tcpmss_match_info *info = par->matchinfo;
31
31
const struct tcphdr *th;
···
73
73
return info->invert;
74
74
75
75
dropit:
76
-
*par->hotdrop = true;
76
+
par->hotdrop = true;
77
77
return false;
78
78
}
79
79
+7
-7
net/netfilter/xt_tcpudp.c
+7
-7
net/netfilter/xt_tcpudp.c
···
62
62
return invert;
63
63
}
64
64
65
-
static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
65
+
static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
66
66
{
67
67
const struct tcphdr *th;
68
68
struct tcphdr _tcph;
···
77
77
*/
78
78
if (par->fragoff == 1) {
79
79
pr_debug("Dropping evil TCP offset=1 frag.\n");
80
-
*par->hotdrop = true;
80
+
par->hotdrop = true;
81
81
}
82
82
/* Must not be a fragment. */
83
83
return false;
···
90
90
/* We've been asked to examine this packet, and we
91
91
can't. Hence, no choice but to drop. */
92
92
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
93
-
*par->hotdrop = true;
93
+
par->hotdrop = true;
94
94
return false;
95
95
}
96
96
···
108
108
return false;
109
109
if (tcpinfo->option) {
110
110
if (th->doff * 4 < sizeof(_tcph)) {
111
-
*par->hotdrop = true;
111
+
par->hotdrop = true;
112
112
return false;
113
113
}
114
114
if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
115
115
th->doff*4 - sizeof(_tcph),
116
116
tcpinfo->invflags & XT_TCP_INV_OPTION,
117
-
par->hotdrop))
117
+
&par->hotdrop))
118
118
return false;
119
119
}
120
120
return true;
···
128
128
return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0;
129
129
}
130
130
131
-
static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
131
+
static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)
132
132
{
133
133
const struct udphdr *uh;
134
134
struct udphdr _udph;
···
143
143
/* We've been asked to examine this packet, and we
144
144
can't. Hence, no choice but to drop. */
145
145
pr_debug("Dropping evil UDP tinygram.\n");
146
-
*par->hotdrop = true;
146
+
par->hotdrop = true;
147
147
return false;
148
148
}
149
149
+1
-1
net/netfilter/xt_time.c
+1
-1
net/netfilter/xt_time.c
+1
-1
net/netfilter/xt_u32.c
+1
-1
net/netfilter/xt_u32.c