netfilter: xtables: change hotdrop pointer to direct modification (b4ba2611) · Commits · e / devices / android_kernel_samsung_universal8895

include/linux/netfilter/x_tables.h

+4 −1

Original line number	Diff line number	Diff line
		@@ -196,6 +196,9 @@ struct xt_counters_info {
		* @hook: hook number given packet came from
		* @family: Actual NFPROTO_* through which the function is invoked
		* (helpful when match->family == NFPROTO_UNSPEC)
		*
		* Fields written to by extensions:
		*
		* @hotdrop: drop packet if we had inspection problems
		* Network namespace obtainable using dev_net(in/out)
		*/
		@@ -212,7 +215,7 @@ struct xt_action_param {
		unsigned int thoff;
		unsigned int hooknum;
		u_int8_t family;
		bool *hotdrop;
		bool hotdrop;
		};

		/**

+2 −3

Original line number	Diff line number	Diff line
		@@ -186,13 +186,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
		struct ebt_entries *chaininfo;
		const char *base;
		const struct ebt_table_info *private;
		bool hotdrop = false;
		struct xt_action_param acpar;

		acpar.family = NFPROTO_BRIDGE;
		acpar.in = in;
		acpar.out = out;
		acpar.hotdrop = &hotdrop;
		acpar.hotdrop = false;
		acpar.hooknum = hook;

		read_lock_bh(&table->lock);
		@@ -216,7 +215,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,

		if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
		goto letscontinue;
		if (hotdrop) {
		if (acpar.hotdrop) {
		read_unlock_bh(&table->lock);
		return NF_DROP;
		}

+3 −3

Original line number	Diff line number	Diff line
		@@ -260,7 +260,6 @@ unsigned int arpt_do_table(struct sk_buff *skb,
		static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
		unsigned int verdict = NF_DROP;
		const struct arphdr *arp;
		bool hotdrop = false;
		struct arpt_entry e, back;
		const char indev, outdev;
		void *table_base;
		@@ -284,6 +283,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
		acpar.out = out;
		acpar.hooknum = hook;
		acpar.family = NFPROTO_ARP;
		acpar.hotdrop = false;

		arp = arp_hdr(skb);
		do {
		@@ -345,10 +345,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
		else
		/* Verdict */
		break;
		} while (!hotdrop);
		} while (!acpar.hotdrop);
		xt_info_rdunlock_bh();

		if (hotdrop)
		if (acpar.hotdrop)
		return NF_DROP;
		else
		return verdict;

+4 −5

Original line number	Diff line number	Diff line
		@@ -308,7 +308,6 @@ ipt_do_table(struct sk_buff *skb,
		{
		static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
		const struct iphdr *ip;
		bool hotdrop = false;
		/* Initializing verdict to NF_DROP keeps gcc happy. */
		unsigned int verdict = NF_DROP;
		const char indev, outdev;
		@@ -330,7 +329,7 @@ ipt_do_table(struct sk_buff *skb,
		* match it. */
		acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
		acpar.thoff = ip_hdrlen(skb);
		acpar.hotdrop = &hotdrop;
		acpar.hotdrop = false;
		acpar.in = in;
		acpar.out = out;
		acpar.family = NFPROTO_IPV4;
		@@ -432,7 +431,7 @@ ipt_do_table(struct sk_buff *skb,
		else
		/* Verdict */
		break;
		} while (!hotdrop);
		} while (!acpar.hotdrop);
		xt_info_rdunlock_bh();
		pr_debug("Exiting %s; resetting sp from %u to %u\n",
		__func__, *stackptr, origptr);
		@@ -440,7 +439,7 @@ ipt_do_table(struct sk_buff *skb,
		#ifdef DEBUG_ALLOW_ALL
		return NF_ACCEPT;
		#else
		if (hotdrop)
		if (acpar.hotdrop)
		return NF_DROP;
		else return verdict;
		#endif
		@@ -2154,7 +2153,7 @@ icmp_match(const struct sk_buff skb, struct xt_action_param par)
		* can't. Hence, no choice but to drop.
		*/
		duprintf("Dropping evil ICMP tinygram.\n");
		*par->hotdrop = true;
		par->hotdrop = true;
		return false;
		}

+1 −1

Original line number	Diff line number	Diff line
		@@ -46,7 +46,7 @@ static bool ah_mt(const struct sk_buff skb, struct xt_action_param par)
		* can't. Hence, no choice but to drop.
		*/
		pr_debug("Dropping evil AH tinygram.\n");
		*par->hotdrop = true;
		par->hotdrop = true;
		return 0;
		}