Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 367c6790 authored by Jan Engelhardt's avatar Jan Engelhardt Committed by Patrick McHardy
Browse files

netfilter: xtables: do centralized checkentry call (1/2) 



It used to be that {ip,ip6,etc}_tables called extension->checkentry
themselves, but this can be moved into the xtables core.

Signed-off-by: default avatarJan Engelhardt <jengelh@medozas.de>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 147c3844

include/linux/netfilter/x_tables.h

+4 −2
Original line number Original line Diff line number Diff line
@@ -330,10 +330,12 @@ extern void xt_unregister_matches(struct xt_match *match, unsigned int n); 




extern int xt_check_match(const struct xt_match *match, unsigned short family,

extern int xt_check_match(const struct xt_match *match, unsigned short family,

			  unsigned int size, const char *table, unsigned int hook,

			  unsigned int size, const char *table, unsigned int hook,

			  unsigned short proto, int inv_proto);

			  unsigned short proto, int inv_proto,

			  const void *entry, void *matchinfo);

extern int xt_check_target(const struct xt_target *target, unsigned short family,

extern int xt_check_target(const struct xt_target *target, unsigned short family,

			   unsigned int size, const char *table, unsigned int hook,

			   unsigned int size, const char *table, unsigned int hook,

			   unsigned short proto, int inv_proto);

			   unsigned short proto, int inv_proto,

			   const void *entry, void *targinfo);





extern struct xt_table *xt_register_table(struct net *net,

extern struct xt_table *xt_register_table(struct net *net,

					  struct xt_table *table,

					  struct xt_table *table,

net/bridge/netfilter/ebtables.c

+6 −18
Original line number Original line Diff line number Diff line
@@ -340,15 +340,11 @@ ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e, 
	m->u.match = match;

	m->u.match = match;





	ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size,

	ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size,

	      name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);

	      name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,

	      e, m->data);

	if (ret < 0) {

	if (ret < 0) {

		module_put(match->me);

		module_put(match->me);

		return ret;

		return ret;

	} else if (match->checkentry != NULL &&

	    !match->checkentry(name, e, NULL, m->data, hookmask)) {

		module_put(match->me);

		BUGPRINT("match->check failed\n");

		return -EINVAL;

	}

	}





	(*cnt)++;

	(*cnt)++;
@@ -377,15 +373,11 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e, 
	w->u.watcher = watcher;

	w->u.watcher = watcher;





	ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size,

	ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size,

	      name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);

	      name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,

	      e, w->data);

	if (ret < 0) {

	if (ret < 0) {

		module_put(watcher->me);

		module_put(watcher->me);

		return ret;

		return ret;

	} else if (watcher->checkentry != NULL &&

	    !watcher->checkentry(name, e, NULL, w->data, hookmask)) {

		module_put(watcher->me);

		BUGPRINT("watcher->check failed\n");

		return -EINVAL;

	}

	}





	(*cnt)++;

	(*cnt)++;
@@ -692,15 +684,11 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, 
	}

	}





	ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size,

	ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size,

	      name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);

	      name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,

	      e, t->data);

	if (ret < 0) {

	if (ret < 0) {

		module_put(target->me);

		module_put(target->me);

		goto cleanup_watchers;

		goto cleanup_watchers;

	} else if (t->u.target->checkentry &&

	    !t->u.target->checkentry(name, e, NULL, t->data, hookmask)) {

		module_put(t->u.target->me);

		ret = -EINVAL;

		goto cleanup_watchers;

	}

	}

	(*cnt)++;

	(*cnt)++;

	return 0;

	return 0;

net/ipv4/netfilter/arp_tables.c

+4 −6
Original line number Original line Diff line number Diff line
@@ -465,16 +465,14 @@ static inline int check_target(struct arpt_entry *e, const char *name) 




	ret = xt_check_target(target, NFPROTO_ARP,

	ret = xt_check_target(target, NFPROTO_ARP,

			      t->u.target_size - sizeof(*t),

			      t->u.target_size - sizeof(*t),

			      name, e->comefrom, 0, 0);

			      name, e->comefrom, 0, 0, e, t->data);

	if (!ret && t->u.kernel.target->checkentry

	if (ret < 0) {

	    && !t->u.kernel.target->checkentry(name, e, target, t->data,

					       e->comefrom)) {

		duprintf("arp_tables: check failed for `%s'.\n",

		duprintf("arp_tables: check failed for `%s'.\n",

			 t->u.kernel.target->name);

			 t->u.kernel.target->name);

		ret = -EINVAL;

	}

		return ret;

		return ret;

	}

	}

	return 0;

}





static inline int

static inline int

find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,

find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,

net/ipv4/netfilter/ip_tables.c

+9 −14
Original line number Original line Diff line number Diff line
@@ -616,18 +616,15 @@ check_match(struct ipt_entry_match *m, const char *name, 
	match = m->u.kernel.match;

	match = m->u.kernel.match;

	ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),

	ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),

			     name, hookmask, ip->proto,

			     name, hookmask, ip->proto,

			     ip->invflags & IPT_INV_PROTO);

			     ip->invflags & IPT_INV_PROTO, ip, m->data);

	if (!ret && m->u.kernel.match->checkentry

	if (ret < 0) {

	    && !m->u.kernel.match->checkentry(name, ip, match, m->data,

					      hookmask)) {

		duprintf("ip_tables: check failed for `%s'.\n",

		duprintf("ip_tables: check failed for `%s'.\n",

			 m->u.kernel.match->name);

			 m->u.kernel.match->name);

		ret = -EINVAL;

	}

	if (!ret)

		(*i)++;

		return ret;

		return ret;

	}

	}

	++*i;

	return 0;

}





static int

static int

find_check_match(struct ipt_entry_match *m,

find_check_match(struct ipt_entry_match *m,
@@ -668,16 +665,14 @@ static int check_target(struct ipt_entry *e, const char *name) 
	target = t->u.kernel.target;

	target = t->u.kernel.target;

	ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),

	ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),

			      name, e->comefrom, e->ip.proto,

			      name, e->comefrom, e->ip.proto,

			      e->ip.invflags & IPT_INV_PROTO);

			      e->ip.invflags & IPT_INV_PROTO, e, t->data);

	if (!ret && t->u.kernel.target->checkentry

	if (ret < 0) {

	    && !t->u.kernel.target->checkentry(name, e, target, t->data,

					       e->comefrom)) {

		duprintf("ip_tables: check failed for `%s'.\n",

		duprintf("ip_tables: check failed for `%s'.\n",

			 t->u.kernel.target->name);

			 t->u.kernel.target->name);

		ret = -EINVAL;

	}

		return ret;

		return ret;

	}

	}

	return 0;

}





static int

static int

find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,

find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,

net/ipv6/netfilter/ip6_tables.c

+9 −14
Original line number Original line Diff line number Diff line
@@ -642,18 +642,15 @@ static int check_match(struct ip6t_entry_match *m, const char *name, 
	match = m->u.kernel.match;

	match = m->u.kernel.match;

	ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),

	ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),

			     name, hookmask, ipv6->proto,

			     name, hookmask, ipv6->proto,

			     ipv6->invflags & IP6T_INV_PROTO);

			     ipv6->invflags & IP6T_INV_PROTO, ipv6, m->data);

	if (!ret && m->u.kernel.match->checkentry

	if (ret < 0) {

	    && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,

					      hookmask)) {

		duprintf("ip_tables: check failed for `%s'.\n",

		duprintf("ip_tables: check failed for `%s'.\n",

			 m->u.kernel.match->name);

			 m->u.kernel.match->name);

		ret = -EINVAL;

	}

	if (!ret)

		(*i)++;

		return ret;

		return ret;

	}

	}

	++*i;

	return 0;

}





static int

static int

find_check_match(struct ip6t_entry_match *m,

find_check_match(struct ip6t_entry_match *m,
@@ -694,16 +691,14 @@ static int check_target(struct ip6t_entry *e, const char *name) 
	target = t->u.kernel.target;

	target = t->u.kernel.target;

	ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),

	ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),

			      name, e->comefrom, e->ipv6.proto,

			      name, e->comefrom, e->ipv6.proto,

			      e->ipv6.invflags & IP6T_INV_PROTO);

			      e->ipv6.invflags & IP6T_INV_PROTO, e, t->data);

	if (!ret && t->u.kernel.target->checkentry

	if (ret < 0) {

	    && !t->u.kernel.target->checkentry(name, e, target, t->data,

					       e->comefrom)) {

		duprintf("ip_tables: check failed for `%s'.\n",

		duprintf("ip_tables: check failed for `%s'.\n",

			 t->u.kernel.target->name);

			 t->u.kernel.target->name);

		ret = -EINVAL;

	}

		return ret;

		return ret;

	}

	}

	return 0;

}





static int

static int

find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,

find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,