Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1c524830 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller
Browse files

[NETFILTER]: x_tables: pass registered match/target data to match/target functions 



This allows to make decisions based on the revision (and address family
with a follow-up patch) at runtime.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 5d04bff0

include/linux/netfilter/x_tables.h

+8 −2
Original line number Original line Diff line number Diff line
@@ -100,6 +100,7 @@ struct xt_match 
	int (*match)(const struct sk_buff *skb,

	int (*match)(const struct sk_buff *skb,

		     const struct net_device *in,

		     const struct net_device *in,

		     const struct net_device *out,

		     const struct net_device *out,

		     const struct xt_match *match,

		     const void *matchinfo,

		     const void *matchinfo,

		     int offset,

		     int offset,

		     unsigned int protoff,

		     unsigned int protoff,
@@ -109,12 +110,14 @@ struct xt_match 
	/* Should return true or false. */

	/* Should return true or false. */

	int (*checkentry)(const char *tablename,

	int (*checkentry)(const char *tablename,

			  const void *ip,

			  const void *ip,

			  const struct xt_match *match,

			  void *matchinfo,

			  void *matchinfo,

			  unsigned int matchinfosize,

			  unsigned int matchinfosize,

			  unsigned int hook_mask);

			  unsigned int hook_mask);





	/* Called when entry of this type deleted. */

	/* Called when entry of this type deleted. */

	void (*destroy)(void *matchinfo, unsigned int matchinfosize);

	void (*destroy)(const struct xt_match *match, void *matchinfo,

			unsigned int matchinfosize);





	/* Set this to THIS_MODULE if you are a module, otherwise NULL */

	/* Set this to THIS_MODULE if you are a module, otherwise NULL */

	struct module *me;

	struct module *me;
@@ -140,6 +143,7 @@ struct xt_target 
			       const struct net_device *in,

			       const struct net_device *in,

			       const struct net_device *out,

			       const struct net_device *out,

			       unsigned int hooknum,

			       unsigned int hooknum,

			       const struct xt_target *target,

			       const void *targinfo,

			       const void *targinfo,

			       void *userdata);

			       void *userdata);
@@ -149,12 +153,14 @@ struct xt_target 
	/* Should return true or false. */

	/* Should return true or false. */

	int (*checkentry)(const char *tablename,

	int (*checkentry)(const char *tablename,

			  const void *entry,

			  const void *entry,

			  const struct xt_target *target,

			  void *targinfo,

			  void *targinfo,

			  unsigned int targinfosize,

			  unsigned int targinfosize,

			  unsigned int hook_mask);

			  unsigned int hook_mask);





	/* Called when entry of this type deleted. */

	/* Called when entry of this type deleted. */

	void (*destroy)(void *targinfo, unsigned int targinfosize);

	void (*destroy)(const struct xt_target *target, void *targinfo,

			unsigned int targinfosize);





	/* Set this to THIS_MODULE if you are a module, otherwise NULL */

	/* Set this to THIS_MODULE if you are a module, otherwise NULL */

	struct module *me;

	struct module *me;

net/ipv4/netfilter/arp_tables.c

+3 −2
Original line number Original line Diff line number Diff line
@@ -300,6 +300,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb, 
				verdict = t->u.kernel.target->target(pskb,

				verdict = t->u.kernel.target->target(pskb,

								     in, out,

								     in, out,

								     hook,

								     hook,

								     t->u.kernel.target,

								     t->data,

								     t->data,

								     userdata);

								     userdata);
@@ -491,7 +492,7 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i 
			goto out;

			goto out;

		}

		}

	} else if (t->u.kernel.target->checkentry

	} else if (t->u.kernel.target->checkentry

		   && !t->u.kernel.target->checkentry(name, e, t->data,

		   && !t->u.kernel.target->checkentry(name, e, target, t->data,

						      t->u.target_size

						      t->u.target_size

						      - sizeof(*t),

						      - sizeof(*t),

						      e->comefrom)) {

						      e->comefrom)) {
@@ -560,7 +561,7 @@ static inline int cleanup_entry(struct arpt_entry *e, unsigned int *i) 




	t = arpt_get_target(e);

	t = arpt_get_target(e);

	if (t->u.kernel.target->destroy)

	if (t->u.kernel.target->destroy)

		t->u.kernel.target->destroy(t->data,

		t->u.kernel.target->destroy(t->u.kernel.target, t->data,

					    t->u.target_size - sizeof(*t));

					    t->u.target_size - sizeof(*t));

	module_put(t->u.kernel.target->me);

	module_put(t->u.kernel.target->me);

	return 0;

	return 0;

net/ipv4/netfilter/ip_tables.c

+7 −6
Original line number Original line Diff line number Diff line
@@ -197,8 +197,8 @@ int do_match(struct ipt_entry_match *m, 
	     int *hotdrop)

	     int *hotdrop)

{

{

	/* Stop iteration if it doesn't match */

	/* Stop iteration if it doesn't match */

	if (!m->u.kernel.match->match(skb, in, out, m->data, offset, 

	if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,

	    skb->nh.iph->ihl*4, hotdrop))

				      offset, skb->nh.iph->ihl*4, hotdrop))

		return 1;

		return 1;

	else

	else

		return 0;

		return 0;
@@ -305,6 +305,7 @@ ipt_do_table(struct sk_buff **pskb, 
				verdict = t->u.kernel.target->target(pskb,

				verdict = t->u.kernel.target->target(pskb,

								     in, out,

								     in, out,

								     hook,

								     hook,

								     t->u.kernel.target,

								     t->data,

								     t->data,

								     userdata);

								     userdata);
@@ -464,7 +465,7 @@ cleanup_match(struct ipt_entry_match *m, unsigned int *i) 
		return 1;

		return 1;





	if (m->u.kernel.match->destroy)

	if (m->u.kernel.match->destroy)

		m->u.kernel.match->destroy(m->data,

		m->u.kernel.match->destroy(m->u.kernel.match, m->data,

					   m->u.match_size - sizeof(*m));

					   m->u.match_size - sizeof(*m));

	module_put(m->u.kernel.match->me);

	module_put(m->u.kernel.match->me);

	return 0;

	return 0;
@@ -517,7 +518,7 @@ check_match(struct ipt_entry_match *m, 
		goto err;

		goto err;





	if (m->u.kernel.match->checkentry

	if (m->u.kernel.match->checkentry

	    && !m->u.kernel.match->checkentry(name, ip, m->data,

	    && !m->u.kernel.match->checkentry(name, ip, match, m->data,

					      m->u.match_size - sizeof(*m),

					      m->u.match_size - sizeof(*m),

					      hookmask)) {

					      hookmask)) {

		duprintf("ip_tables: check failed for `%s'.\n",

		duprintf("ip_tables: check failed for `%s'.\n",
@@ -578,7 +579,7 @@ check_entry(struct ipt_entry *e, const char *name, unsigned int size, 
			goto cleanup_matches;

			goto cleanup_matches;

		}

		}

	} else if (t->u.kernel.target->checkentry

	} else if (t->u.kernel.target->checkentry

		   && !t->u.kernel.target->checkentry(name, e, t->data,

		   && !t->u.kernel.target->checkentry(name, e, target, t->data,

						      t->u.target_size

						      t->u.target_size

						      - sizeof(*t),

						      - sizeof(*t),

						      e->comefrom)) {

						      e->comefrom)) {
@@ -652,7 +653,7 @@ cleanup_entry(struct ipt_entry *e, unsigned int *i) 
	IPT_MATCH_ITERATE(e, cleanup_match, NULL);

	IPT_MATCH_ITERATE(e, cleanup_match, NULL);

	t = ipt_get_target(e);

	t = ipt_get_target(e);

	if (t->u.kernel.target->destroy)

	if (t->u.kernel.target->destroy)

		t->u.kernel.target->destroy(t->data,

		t->u.kernel.target->destroy(t->u.kernel.target, t->data,

					    t->u.target_size - sizeof(*t));

					    t->u.target_size - sizeof(*t));

	module_put(t->u.kernel.target->me);

	module_put(t->u.kernel.target->me);

	return 0;

	return 0;

net/ipv6/netfilter/ip6_tables.c

+6 −5
Original line number Original line Diff line number Diff line
@@ -251,7 +251,7 @@ int do_match(struct ip6t_entry_match *m, 
	     int *hotdrop)

	     int *hotdrop)

{

{

	/* Stop iteration if it doesn't match */

	/* Stop iteration if it doesn't match */

	if (!m->u.kernel.match->match(skb, in, out, m->data,

	if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,

				      offset, protoff, hotdrop))

				      offset, protoff, hotdrop))

		return 1;

		return 1;

	else

	else
@@ -373,6 +373,7 @@ ip6t_do_table(struct sk_buff **pskb, 
				verdict = t->u.kernel.target->target(pskb,

				verdict = t->u.kernel.target->target(pskb,

								     in, out,

								     in, out,

								     hook,

								     hook,

								     t->u.kernel.target,

								     t->data,

								     t->data,

								     userdata);

								     userdata);
@@ -531,7 +532,7 @@ cleanup_match(struct ip6t_entry_match *m, unsigned int *i) 
		return 1;

		return 1;





	if (m->u.kernel.match->destroy)

	if (m->u.kernel.match->destroy)

		m->u.kernel.match->destroy(m->data,

		m->u.kernel.match->destroy(m->u.kernel.match, m->data,

					   m->u.match_size - sizeof(*m));

					   m->u.match_size - sizeof(*m));

	module_put(m->u.kernel.match->me);

	module_put(m->u.kernel.match->me);

	return 0;

	return 0;
@@ -584,7 +585,7 @@ check_match(struct ip6t_entry_match *m, 
		goto err;

		goto err;





	if (m->u.kernel.match->checkentry

	if (m->u.kernel.match->checkentry

	    && !m->u.kernel.match->checkentry(name, ipv6, m->data,

	    && !m->u.kernel.match->checkentry(name, ipv6, match,  m->data,

					      m->u.match_size - sizeof(*m),

					      m->u.match_size - sizeof(*m),

					      hookmask)) {

					      hookmask)) {

		duprintf("ip_tables: check failed for `%s'.\n",

		duprintf("ip_tables: check failed for `%s'.\n",
@@ -645,7 +646,7 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size, 
			goto cleanup_matches;

			goto cleanup_matches;

		}

		}

	} else if (t->u.kernel.target->checkentry

	} else if (t->u.kernel.target->checkentry

		   && !t->u.kernel.target->checkentry(name, e, t->data,

		   && !t->u.kernel.target->checkentry(name, e, target, t->data,

						      t->u.target_size

						      t->u.target_size

						      - sizeof(*t),

						      - sizeof(*t),

						      e->comefrom)) {

						      e->comefrom)) {
@@ -719,7 +720,7 @@ cleanup_entry(struct ip6t_entry *e, unsigned int *i) 
	IP6T_MATCH_ITERATE(e, cleanup_match, NULL);

	IP6T_MATCH_ITERATE(e, cleanup_match, NULL);

	t = ip6t_get_target(e);

	t = ip6t_get_target(e);

	if (t->u.kernel.target->destroy)

	if (t->u.kernel.target->destroy)

		t->u.kernel.target->destroy(t->data,

		t->u.kernel.target->destroy(t->u.kernel.target, t->data,

					    t->u.target_size - sizeof(*t));

					    t->u.target_size - sizeof(*t));

	module_put(t->u.kernel.target->me);

	module_put(t->u.kernel.target->me);

	return 0;

	return 0;

net/sched/act_ipt.c

+6 −4
Original line number Original line Diff line number Diff line
@@ -70,7 +70,8 @@ ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook) 
	t->u.kernel.target = target;

	t->u.kernel.target = target;





	if (t->u.kernel.target->checkentry

	if (t->u.kernel.target->checkentry

	    && !t->u.kernel.target->checkentry(table, NULL, t->data,

	    && !t->u.kernel.target->checkentry(table, NULL,

		    			       t->u.kernel.target, t->data,

					       t->u.target_size - sizeof(*t),

					       t->u.target_size - sizeof(*t),

					       hook)) {

					       hook)) {

		DPRINTK("ipt_init_target: check failed for `%s'.\n",

		DPRINTK("ipt_init_target: check failed for `%s'.\n",
@@ -86,7 +87,7 @@ static void 
ipt_destroy_target(struct ipt_entry_target *t)

ipt_destroy_target(struct ipt_entry_target *t)

{

{

	if (t->u.kernel.target->destroy)

	if (t->u.kernel.target->destroy)

		t->u.kernel.target->destroy(t->data,

		t->u.kernel.target->destroy(t->u.kernel.target, t->data,

		                            t->u.target_size - sizeof(*t));

		                            t->u.target_size - sizeof(*t));

        module_put(t->u.kernel.target->me);

        module_put(t->u.kernel.target->me);

}

}
@@ -224,8 +225,9 @@ tcf_ipt(struct sk_buff *skb, struct tc_action *a, struct tcf_result *res) 
	/* iptables targets take a double skb pointer in case the skb

	/* iptables targets take a double skb pointer in case the skb

	 * needs to be replaced. We don't own the skb, so this must not

	 * needs to be replaced. We don't own the skb, so this must not

	 * happen. The pskb_expand_head above should make sure of this */

	 * happen. The pskb_expand_head above should make sure of this */

	ret = p->t->u.kernel.target->target(&skb, skb->dev, NULL,

	ret = p->t->u.kernel.target->target(&skb, skb->dev, NULL, p->hook,

					    p->hook, p->t->data, NULL);

					    p->t->u.kernel.target, p->t->data,

					    NULL);

	switch (ret) {

	switch (ret) {

	case NF_ACCEPT:

	case NF_ACCEPT:

		result = TC_ACT_OK;

		result = TC_ACT_OK;