Commit 5d04bff0 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETFILTER]: Convert x_tables matches/targets to centralized error checking

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 7f939713
...@@ -39,47 +39,22 @@ target(struct sk_buff **pskb, ...@@ -39,47 +39,22 @@ target(struct sk_buff **pskb,
return XT_CONTINUE; return XT_CONTINUE;
} }
static int
checkentry(const char *tablename,
const void *e,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
{
if (targinfosize != XT_ALIGN(sizeof(struct xt_classify_target_info))){
printk(KERN_ERR "CLASSIFY: invalid size (%u != %Zu).\n",
targinfosize,
XT_ALIGN(sizeof(struct xt_classify_target_info)));
return 0;
}
if (hook_mask & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
(1 << NF_IP_POST_ROUTING))) {
printk(KERN_ERR "CLASSIFY: only valid in LOCAL_OUT, FORWARD "
"and POST_ROUTING.\n");
return 0;
}
if (strcmp(tablename, "mangle") != 0) {
printk(KERN_ERR "CLASSIFY: can only be called from "
"\"mangle\" table, not \"%s\".\n",
tablename);
return 0;
}
return 1;
}
static struct xt_target classify_reg = { static struct xt_target classify_reg = {
.name = "CLASSIFY", .name = "CLASSIFY",
.target = target, .target = target,
.checkentry = checkentry, .targetsize = sizeof(struct xt_classify_target_info),
.table = "mangle",
.hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
(1 << NF_IP_POST_ROUTING),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_target classify6_reg = { static struct xt_target classify6_reg = {
.name = "CLASSIFY", .name = "CLASSIFY",
.target = target, .target = target,
.checkentry = checkentry, .targetsize = sizeof(struct xt_classify_target_info),
.table = "mangle",
.hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
(1 << NF_IP_POST_ROUTING),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -79,12 +79,6 @@ checkentry(const char *tablename, ...@@ -79,12 +79,6 @@ checkentry(const char *tablename,
unsigned int hook_mask) unsigned int hook_mask)
{ {
struct xt_connmark_target_info *matchinfo = targinfo; struct xt_connmark_target_info *matchinfo = targinfo;
if (targinfosize != XT_ALIGN(sizeof(struct xt_connmark_target_info))) {
printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
targinfosize,
XT_ALIGN(sizeof(struct xt_connmark_target_info)));
return 0;
}
if (matchinfo->mode == XT_CONNMARK_RESTORE) { if (matchinfo->mode == XT_CONNMARK_RESTORE) {
if (strcmp(tablename, "mangle") != 0) { if (strcmp(tablename, "mangle") != 0) {
...@@ -103,14 +97,17 @@ checkentry(const char *tablename, ...@@ -103,14 +97,17 @@ checkentry(const char *tablename,
static struct xt_target connmark_reg = { static struct xt_target connmark_reg = {
.name = "CONNMARK", .name = "CONNMARK",
.target = &target, .target = target,
.checkentry = &checkentry, .targetsize = sizeof(struct xt_connmark_target_info),
.checkentry = checkentry,
.me = THIS_MODULE .me = THIS_MODULE
}; };
static struct xt_target connmark6_reg = { static struct xt_target connmark6_reg = {
.name = "CONNMARK", .name = "CONNMARK",
.target = &target, .target = target,
.checkentry = &checkentry, .targetsize = sizeof(struct xt_connmark_target_info),
.checkentry = checkentry,
.me = THIS_MODULE .me = THIS_MODULE
}; };
......
...@@ -78,23 +78,10 @@ checkentry_v0(const char *tablename, ...@@ -78,23 +78,10 @@ checkentry_v0(const char *tablename,
{ {
struct xt_mark_target_info *markinfo = targinfo; struct xt_mark_target_info *markinfo = targinfo;
if (targinfosize != XT_ALIGN(sizeof(struct xt_mark_target_info))) {
printk(KERN_WARNING "MARK: targinfosize %u != %Zu\n",
targinfosize,
XT_ALIGN(sizeof(struct xt_mark_target_info)));
return 0;
}
if (strcmp(tablename, "mangle") != 0) {
printk(KERN_WARNING "MARK: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
return 0;
}
if (markinfo->mark > 0xffffffff) { if (markinfo->mark > 0xffffffff) {
printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
return 0; return 0;
} }
return 1; return 1;
} }
...@@ -107,18 +94,6 @@ checkentry_v1(const char *tablename, ...@@ -107,18 +94,6 @@ checkentry_v1(const char *tablename,
{ {
struct xt_mark_target_info_v1 *markinfo = targinfo; struct xt_mark_target_info_v1 *markinfo = targinfo;
if (targinfosize != XT_ALIGN(sizeof(struct xt_mark_target_info_v1))){
printk(KERN_WARNING "MARK: targinfosize %u != %Zu\n",
targinfosize,
XT_ALIGN(sizeof(struct xt_mark_target_info_v1)));
return 0;
}
if (strcmp(tablename, "mangle") != 0) {
printk(KERN_WARNING "MARK: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
return 0;
}
if (markinfo->mode != XT_MARK_SET if (markinfo->mode != XT_MARK_SET
&& markinfo->mode != XT_MARK_AND && markinfo->mode != XT_MARK_AND
&& markinfo->mode != XT_MARK_OR) { && markinfo->mode != XT_MARK_OR) {
...@@ -126,18 +101,18 @@ checkentry_v1(const char *tablename, ...@@ -126,18 +101,18 @@ checkentry_v1(const char *tablename,
markinfo->mode); markinfo->mode);
return 0; return 0;
} }
if (markinfo->mark > 0xffffffff) { if (markinfo->mark > 0xffffffff) {
printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
return 0; return 0;
} }
return 1; return 1;
} }
static struct xt_target ipt_mark_reg_v0 = { static struct xt_target ipt_mark_reg_v0 = {
.name = "MARK", .name = "MARK",
.target = target_v0, .target = target_v0,
.targetsize = sizeof(struct xt_mark_target_info),
.table = "mangle",
.checkentry = checkentry_v0, .checkentry = checkentry_v0,
.me = THIS_MODULE, .me = THIS_MODULE,
.revision = 0, .revision = 0,
...@@ -146,6 +121,8 @@ static struct xt_target ipt_mark_reg_v0 = { ...@@ -146,6 +121,8 @@ static struct xt_target ipt_mark_reg_v0 = {
static struct xt_target ipt_mark_reg_v1 = { static struct xt_target ipt_mark_reg_v1 = {
.name = "MARK", .name = "MARK",
.target = target_v1, .target = target_v1,
.targetsize = sizeof(struct xt_mark_target_info_v1),
.table = "mangle",
.checkentry = checkentry_v1, .checkentry = checkentry_v1,
.me = THIS_MODULE, .me = THIS_MODULE,
.revision = 1, .revision = 1,
...@@ -154,6 +131,8 @@ static struct xt_target ipt_mark_reg_v1 = { ...@@ -154,6 +131,8 @@ static struct xt_target ipt_mark_reg_v1 = {
static struct xt_target ip6t_mark_reg_v0 = { static struct xt_target ip6t_mark_reg_v0 = {
.name = "MARK", .name = "MARK",
.target = target_v0, .target = target_v0,
.targetsize = sizeof(struct xt_mark_target_info),
.table = "mangle",
.checkentry = checkentry_v0, .checkentry = checkentry_v0,
.me = THIS_MODULE, .me = THIS_MODULE,
.revision = 0, .revision = 0,
......
...@@ -36,41 +36,24 @@ target(struct sk_buff **pskb, ...@@ -36,41 +36,24 @@ target(struct sk_buff **pskb,
return NF_QUEUE_NR(tinfo->queuenum); return NF_QUEUE_NR(tinfo->queuenum);
} }
static int
checkentry(const char *tablename,
const void *entry,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
{
if (targinfosize != XT_ALIGN(sizeof(struct xt_NFQ_info))) {
printk(KERN_WARNING "NFQUEUE: targinfosize %u != %Zu\n",
targinfosize,
XT_ALIGN(sizeof(struct xt_NFQ_info)));
return 0;
}
return 1;
}
static struct xt_target ipt_NFQ_reg = { static struct xt_target ipt_NFQ_reg = {
.name = "NFQUEUE", .name = "NFQUEUE",
.target = target, .target = target,
.checkentry = checkentry, .targetsize = sizeof(struct xt_NFQ_info),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_target ip6t_NFQ_reg = { static struct xt_target ip6t_NFQ_reg = {
.name = "NFQUEUE", .name = "NFQUEUE",
.target = target, .target = target,
.checkentry = checkentry, .targetsize = sizeof(struct xt_NFQ_info),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_target arpt_NFQ_reg = { static struct xt_target arpt_NFQ_reg = {
.name = "NFQUEUE", .name = "NFQUEUE",
.target = target, .target = target,
.checkentry = checkentry, .targetsize = sizeof(struct xt_NFQ_info),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -33,37 +33,19 @@ target(struct sk_buff **pskb, ...@@ -33,37 +33,19 @@ target(struct sk_buff **pskb,
return XT_CONTINUE; return XT_CONTINUE;
} }
static int
checkentry(const char *tablename,
const void *entry,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask)
{
if (targinfosize != 0) {
printk(KERN_WARNING "NOTRACK: targinfosize %u != 0\n",
targinfosize);
return 0;
}
if (strcmp(tablename, "raw") != 0) {
printk(KERN_WARNING "NOTRACK: can only be called from \"raw\" table, not \"%s\"\n", tablename);
return 0;
}
return 1;
}
static struct xt_target notrack_reg = { static struct xt_target notrack_reg = {
.name = "NOTRACK", .name = "NOTRACK",
.target = target, .target = target,
.checkentry = checkentry, .targetsize = 0,
.table = "raw",
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_target notrack6_reg = { static struct xt_target notrack6_reg = {
.name = "NOTRACK", .name = "NOTRACK",
.target = target, .target = target,
.checkentry = checkentry, .targetsize = 0,
.table = "raw",
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -28,30 +28,17 @@ match(const struct sk_buff *skb, ...@@ -28,30 +28,17 @@ match(const struct sk_buff *skb,
return 1; return 1;
} }
static int
checkentry(const char *tablename,
const void *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
/* Check the size */
if (matchsize != XT_ALIGN(sizeof(struct xt_comment_info)))
return 0;
return 1;
}
static struct xt_match comment_match = { static struct xt_match comment_match = {
.name = "comment", .name = "comment",
.match = match, .match = match,
.checkentry = checkentry, .matchsize = sizeof(struct xt_comment_info),
.me = THIS_MODULE .me = THIS_MODULE
}; };
static struct xt_match comment6_match = { static struct xt_match comment6_match = {
.name = "comment", .name = "comment",
.match = match, .match = match,
.checkentry = checkentry, .matchsize = sizeof(struct xt_comment_info),
.me = THIS_MODULE .me = THIS_MODULE
}; };
......
...@@ -128,9 +128,6 @@ static int check(const char *tablename, ...@@ -128,9 +128,6 @@ static int check(const char *tablename,
{ {
const struct xt_connbytes_info *sinfo = matchinfo; const struct xt_connbytes_info *sinfo = matchinfo;
if (matchsize != XT_ALIGN(sizeof(struct xt_connbytes_info)))
return 0;
if (sinfo->what != XT_CONNBYTES_PKTS && if (sinfo->what != XT_CONNBYTES_PKTS &&
sinfo->what != XT_CONNBYTES_BYTES && sinfo->what != XT_CONNBYTES_BYTES &&
sinfo->what != XT_CONNBYTES_AVGPKT) sinfo->what != XT_CONNBYTES_AVGPKT)
...@@ -146,14 +143,16 @@ static int check(const char *tablename, ...@@ -146,14 +143,16 @@ static int check(const char *tablename,
static struct xt_match connbytes_match = { static struct xt_match connbytes_match = {
.name = "connbytes", .name = "connbytes",
.match = &match, .match = match,
.checkentry = &check, .checkentry = check,
.matchsize = sizeof(struct xt_connbytes_info),
.me = THIS_MODULE .me = THIS_MODULE
}; };
static struct xt_match connbytes6_match = { static struct xt_match connbytes6_match = {
.name = "connbytes", .name = "connbytes",
.match = &match, .match = match,
.checkentry = &check, .checkentry = check,
.matchsize = sizeof(struct xt_connbytes_info),
.me = THIS_MODULE .me = THIS_MODULE
}; };
......
...@@ -56,33 +56,31 @@ checkentry(const char *tablename, ...@@ -56,33 +56,31 @@ checkentry(const char *tablename,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
struct xt_connmark_info *cm = struct xt_connmark_info *cm = (struct xt_connmark_info *)matchinfo;
(struct xt_connmark_info *)matchinfo;
if (matchsize != XT_ALIGN(sizeof(struct xt_connmark_info)))
return 0;
if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) { if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
printk(KERN_WARNING "connmark: only support 32bit mark\n"); printk(KERN_WARNING "connmark: only support 32bit mark\n");
return 0; return 0;
} }
return 1; return 1;
} }
static struct xt_match connmark_match = { static struct xt_match connmark_match = {
.name = "connmark", .name = "connmark",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_connmark_info),
.checkentry = checkentry,
.me = THIS_MODULE .me = THIS_MODULE
}; };
static struct xt_match connmark6_match = { static struct xt_match connmark6_match = {
.name = "connmark", .name = "connmark",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_connmark_info),
.checkentry = checkentry,
.me = THIS_MODULE .me = THIS_MODULE
}; };
static int __init init(void) static int __init init(void)
{ {
int ret; int ret;
......
...@@ -201,22 +201,10 @@ match(const struct sk_buff *skb, ...@@ -201,22 +201,10 @@ match(const struct sk_buff *skb,
#endif /* CONFIG_NF_IP_CONNTRACK */ #endif /* CONFIG_NF_IP_CONNTRACK */
static int check(const char *tablename,
const void *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
if (matchsize != XT_ALIGN(sizeof(struct xt_conntrack_info)))
return 0;
return 1;
}
static struct xt_match conntrack_match = { static struct xt_match conntrack_match = {
.name = "conntrack", .name = "conntrack",
.match = &match, .match = match,
.checkentry = &check, .matchsize = sizeof(struct xt_conntrack_info),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -133,52 +133,29 @@ checkentry(const char *tablename, ...@@ -133,52 +133,29 @@ checkentry(const char *tablename,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_ip *ip = inf; const struct xt_dccp_info *info = matchinfo;
const struct xt_dccp_info *info;
info = (const struct xt_dccp_info *)matchinfo; return !(info->flags & ~XT_DCCP_VALID_FLAGS)
return ip->proto == IPPROTO_DCCP
&& !(ip->invflags & XT_INV_PROTO)
&& matchsize == XT_ALIGN(sizeof(struct xt_dccp_info))
&& !(info->flags & ~XT_DCCP_VALID_FLAGS)
&& !(info->invflags & ~XT_DCCP_VALID_FLAGS)
&& !(info->invflags & ~info->flags);
}
static int
checkentry6(const char *tablename,
const void *inf,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
const struct ip6t_ip6 *ip = inf;
const struct xt_dccp_info *info;
info = (const struct xt_dccp_info *)matchinfo;
return ip->proto == IPPROTO_DCCP
&& !(ip->invflags & XT_INV_PROTO)
&& matchsize == XT_ALIGN(sizeof(struct xt_dccp_info))
&& !(info->flags & ~XT_DCCP_VALID_FLAGS)
&& !(info->invflags & ~XT_DCCP_VALID_FLAGS) && !(info->invflags & ~XT_DCCP_VALID_FLAGS)
&& !(info->invflags & ~info->flags); && !(info->invflags & ~info->flags);
} }
static struct xt_match dccp_match = static struct xt_match dccp_match =
{ {
.name = "dccp", .name = "dccp",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_dccp_info),
.proto = IPPROTO_DCCP,
.checkentry = checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match dccp6_match = static struct xt_match dccp6_match =
{ {
.name = "dccp", .name = "dccp",
.match = &match, .match = match,
.checkentry = &checkentry6, .matchsize = sizeof(struct xt_dccp_info),
.proto = IPPROTO_DCCP,
.checkentry = checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -142,24 +142,21 @@ static int check(const char *tablename, ...@@ -142,24 +142,21 @@ static int check(const char *tablename,
struct xt_helper_info *info = matchinfo; struct xt_helper_info *info = matchinfo;
info->name[29] = '\0'; info->name[29] = '\0';
/* verify size */
if (matchsize != XT_ALIGN(sizeof(struct xt_helper_info)))
return 0;
return 1; return 1;
} }
static struct xt_match helper_match = { static struct xt_match helper_match = {
.name = "helper", .name = "helper",
.match = &match, .match = match,
.checkentry = &check, .matchsize = sizeof(struct xt_helper_info),
.checkentry = check,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match helper6_match = { static struct xt_match helper6_match = {
.name = "helper", .name = "helper",
.match = &match, .match = match,
.checkentry = &check, .matchsize = sizeof(struct xt_helper_info),
.checkentry = check,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -50,29 +50,17 @@ match6(const struct sk_buff *skb, ...@@ -50,29 +50,17 @@ match6(const struct sk_buff *skb,
return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
} }
static int
checkentry(const char *tablename,
const void *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
if (matchsize != XT_ALIGN(sizeof(struct xt_length_info)))
return 0;
return 1;
}
static struct xt_match length_match = { static struct xt_match length_match = {
.name = "length", .name = "length",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_length_info),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match length6_match = { static struct xt_match length6_match = {
.name = "length", .name = "length",
.match = &match6, .match = match6,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_length_info),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -113,9 +113,6 @@ ipt_limit_checkentry(const char *tablename, ...@@ -113,9 +113,6 @@ ipt_limit_checkentry(const char *tablename,
{ {
struct xt_rateinfo *r = matchinfo; struct xt_rateinfo *r = matchinfo;
if (matchsize != XT_ALIGN(sizeof(struct xt_rateinfo)))
return 0;
/* Check for overflow. */ /* Check for overflow. */
if (r->burst == 0 if (r->burst == 0
|| user2credits(r->avg * r->burst) < user2credits(r->avg)) { || user2credits(r->avg * r->burst) < user2credits(r->avg)) {
...@@ -140,12 +137,14 @@ ipt_limit_checkentry(const char *tablename, ...@@ -140,12 +137,14 @@ ipt_limit_checkentry(const char *tablename,
static struct xt_match ipt_limit_reg = { static struct xt_match ipt_limit_reg = {
.name = "limit", .name = "limit",
.match = ipt_limit_match, .match = ipt_limit_match,
.matchsize = sizeof(struct xt_rateinfo),
.checkentry = ipt_limit_checkentry, .checkentry = ipt_limit_checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match limit6_reg = { static struct xt_match limit6_reg = {
.name = "limit", .name = "limit",
.match = ipt_limit_match, .match = ipt_limit_match,
.matchsize = sizeof(struct xt_rateinfo),
.checkentry = ipt_limit_checkentry, .checkentry = ipt_limit_checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -42,37 +42,20 @@ match(const struct sk_buff *skb, ...@@ -42,37 +42,20 @@ match(const struct sk_buff *skb,
^ info->invert)); ^ info->invert));
} }
static int
ipt_mac_checkentry(const char *tablename,
const void *inf,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
/* FORWARD isn't always valid, but it's nice to be able to do --RR */
if (hook_mask
& ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN)
| (1 << NF_IP_FORWARD))) {
printk("xt_mac: only valid for PRE_ROUTING, LOCAL_IN or FORWARD.\n");
return 0;
}
if (matchsize != XT_ALIGN(sizeof(struct xt_mac_info)))
return 0;
return 1;
}
static struct xt_match mac_match = { static struct xt_match mac_match = {
.name = "mac", .name = "mac",
.match = &match, .match = match,
.checkentry = &ipt_mac_checkentry, .matchsize = sizeof(struct xt_mac_info),
.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) |
(1 << NF_IP_FORWARD),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match mac6_match = { static struct xt_match mac6_match = {
.name = "mac", .name = "mac",
.match = &match, .match = match,
.checkentry = &ipt_mac_checkentry, .matchsize = sizeof(struct xt_mac_info),
.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) |
(1 << NF_IP_FORWARD),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -42,28 +42,26 @@ checkentry(const char *tablename, ...@@ -42,28 +42,26 @@ checkentry(const char *tablename,
{ {
struct xt_mark_info *minfo = (struct xt_mark_info *) matchinfo; struct xt_mark_info *minfo = (struct xt_mark_info *) matchinfo;
if (matchsize != XT_ALIGN(sizeof(struct xt_mark_info)))
return 0;
if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) { if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) {
printk(KERN_WARNING "mark: only supports 32bit mark\n"); printk(KERN_WARNING "mark: only supports 32bit mark\n");
return 0; return 0;
} }
return 1; return 1;
} }
static struct xt_match mark_match = { static struct xt_match mark_match = {
.name = "mark", .name = "mark",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_mark_info),
.checkentry = checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match mark6_match = { static struct xt_match mark6_match = {
.name = "mark", .name = "mark",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_mark_info),
.checkentry = checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -108,8 +108,6 @@ checkentry(const char *tablename, ...@@ -108,8 +108,6 @@ checkentry(const char *tablename,
{ {
const struct xt_physdev_info *info = matchinfo; const struct xt_physdev_info *info = matchinfo;
if (matchsize != XT_ALIGN(sizeof(struct xt_physdev_info)))
return 0;
if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
info->bitmask & ~XT_PHYSDEV_OP_MASK) info->bitmask & ~XT_PHYSDEV_OP_MASK)
return 0; return 0;
...@@ -118,15 +116,17 @@ checkentry(const char *tablename, ...@@ -118,15 +116,17 @@ checkentry(const char *tablename,
static struct xt_match physdev_match = { static struct xt_match physdev_match = {
.name = "physdev", .name = "physdev",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_physdev_info),
.checkentry = checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match physdev6_match = { static struct xt_match physdev6_match = {
.name = "physdev", .name = "physdev",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_physdev_info),
.checkentry = checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -32,32 +32,20 @@ static int match(const struct sk_buff *skb, ...@@ -32,32 +32,20 @@ static int match(const struct sk_buff *skb,
return (skb->pkt_type == info->pkttype) ^ info->invert; return (skb->pkt_type == info->pkttype) ^ info->invert;
} }
static int checkentry(const char *tablename,
const void *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
if (matchsize != XT_ALIGN(sizeof(struct xt_pkttype_info)))
return 0;
return 1;
}
static struct xt_match pkttype_match = { static struct xt_match pkttype_match = {
.name = "pkttype", .name = "pkttype",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_pkttype_info),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match pkttype6_match = { static struct xt_match pkttype6_match = {
.name = "pkttype", .name = "pkttype",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_pkttype_info),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static int __init init(void) static int __init init(void)
{ {
int ret; int ret;
......
...@@ -38,30 +38,12 @@ match(const struct sk_buff *skb, ...@@ -38,30 +38,12 @@ match(const struct sk_buff *skb,
return (info->id == (dst->tclassid & info->mask)) ^ info->invert; return (info->id == (dst->tclassid & info->mask)) ^ info->invert;
} }
static int check(const char *tablename,
const void *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
if (hook_mask
& ~((1 << NF_IP_POST_ROUTING) | (1 << NF_IP_FORWARD) |
(1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_LOCAL_IN))) {
printk("xt_realm: only valid for POST_ROUTING, LOCAL_OUT, "
"LOCAL_IN or FORWARD.\n");
return 0;
}
if (matchsize != XT_ALIGN(sizeof(struct xt_realm_info))) {
printk("xt_realm: invalid matchsize.\n");
return 0;
}
return 1;
}
static struct xt_match realm_match = { static struct xt_match realm_match = {
.name = "realm", .name = "realm",
.match = match, .match = match,
.checkentry = check, .matchsize = sizeof(struct xt_realm_info),
.hooks = (1 << NF_IP_POST_ROUTING) | (1 << NF_IP_FORWARD) |
(1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_LOCAL_IN),
.me = THIS_MODULE .me = THIS_MODULE
}; };
......
...@@ -166,15 +166,9 @@ checkentry(const char *tablename, ...@@ -166,15 +166,9 @@ checkentry(const char *tablename,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct xt_sctp_info *info; const struct xt_sctp_info *info = matchinfo;
const struct ipt_ip *ip = inf;
info = (const struct xt_sctp_info *)matchinfo;
return ip->proto == IPPROTO_SCTP return !(info->flags & ~XT_SCTP_VALID_FLAGS)
&& !(ip->invflags & XT_INV_PROTO)
&& matchsize == XT_ALIGN(sizeof(struct xt_sctp_info))
&& !(info->flags & ~XT_SCTP_VALID_FLAGS)
&& !(info->invflags & ~XT_SCTP_VALID_FLAGS) && !(info->invflags & ~XT_SCTP_VALID_FLAGS)
&& !(info->invflags & ~info->flags) && !(info->invflags & ~info->flags)
&& ((!(info->flags & XT_SCTP_CHUNK_TYPES)) || && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) ||
...@@ -184,48 +178,24 @@ checkentry(const char *tablename, ...@@ -184,48 +178,24 @@ checkentry(const char *tablename,
| SCTP_CHUNK_MATCH_ONLY))); | SCTP_CHUNK_MATCH_ONLY)));
} }
static int static struct xt_match sctp_match = {
checkentry6(const char *tablename,
const void *inf,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
const struct xt_sctp_info *info;
const struct ip6t_ip6 *ip = inf;
info = (const struct xt_sctp_info *)matchinfo;
return ip->proto == IPPROTO_SCTP
&& !(ip->invflags & XT_INV_PROTO)
&& matchsize == XT_ALIGN(sizeof(struct xt_sctp_info))
&& !(info->flags & ~XT_SCTP_VALID_FLAGS)
&& !(info->invflags & ~XT_SCTP_VALID_FLAGS)
&& !(info->invflags & ~info->flags)
&& ((!(info->flags & XT_SCTP_CHUNK_TYPES)) ||
(info->chunk_match_type &
(SCTP_CHUNK_MATCH_ALL
| SCTP_CHUNK_MATCH_ANY
| SCTP_CHUNK_MATCH_ONLY)));
}
static struct xt_match sctp_match =
{
.name = "sctp", .name = "sctp",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_sctp_info),
.proto = IPPROTO_SCTP,
.checkentry = checkentry,
.me = THIS_MODULE .me = THIS_MODULE
}; };
static struct xt_match sctp6_match =
{ static struct xt_match sctp6_match = {
.name = "sctp", .name = "sctp",
.match = &match, .match = match,
.checkentry = &checkentry6, .matchsize = sizeof(struct xt_sctp_info),
.proto = IPPROTO_SCTP,
.checkentry = checkentry,
.me = THIS_MODULE .me = THIS_MODULE
}; };
static int __init init(void) static int __init init(void)
{ {
int ret; int ret;
......
...@@ -43,29 +43,17 @@ match(const struct sk_buff *skb, ...@@ -43,29 +43,17 @@ match(const struct sk_buff *skb,
return (sinfo->statemask & statebit); return (sinfo->statemask & statebit);
} }
static int check(const char *tablename,
const void *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
if (matchsize != XT_ALIGN(sizeof(struct xt_state_info)))
return 0;
return 1;
}
static struct xt_match state_match = { static struct xt_match state_match = {
.name = "state", .name = "state",
.match = &match, .match = match,
.checkentry = &check, .matchsize = sizeof(struct xt_state_info),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match state6_match = { static struct xt_match state6_match = {
.name = "state", .name = "state",
.match = &match, .match = match,
.checkentry = &check, .matchsize = sizeof(struct xt_state_info),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -50,9 +50,6 @@ static int checkentry(const char *tablename, ...@@ -50,9 +50,6 @@ static int checkentry(const char *tablename,
struct xt_string_info *conf = matchinfo; struct xt_string_info *conf = matchinfo;
struct ts_config *ts_conf; struct ts_config *ts_conf;
if (matchsize != XT_ALIGN(sizeof(struct xt_string_info)))
return 0;
/* Damn, can't handle this case properly with iptables... */ /* Damn, can't handle this case properly with iptables... */
if (conf->from_offset > conf->to_offset) if (conf->from_offset > conf->to_offset)
return 0; return 0;
...@@ -75,6 +72,7 @@ static void destroy(void *matchinfo, unsigned int matchsize) ...@@ -75,6 +72,7 @@ static void destroy(void *matchinfo, unsigned int matchsize)
static struct xt_match string_match = { static struct xt_match string_match = {
.name = "string", .name = "string",
.match = match, .match = match,
.matchsize = sizeof(struct xt_string_info),
.checkentry = checkentry, .checkentry = checkentry,
.destroy = destroy, .destroy = destroy,
.me = THIS_MODULE .me = THIS_MODULE
...@@ -82,6 +80,7 @@ static struct xt_match string_match = { ...@@ -82,6 +80,7 @@ static struct xt_match string_match = {
static struct xt_match string6_match = { static struct xt_match string6_match = {
.name = "string", .name = "string",
.match = match, .match = match,
.matchsize = sizeof(struct xt_string_info),
.checkentry = checkentry, .checkentry = checkentry,
.destroy = destroy, .destroy = destroy,
.me = THIS_MODULE .me = THIS_MODULE
......
...@@ -92,58 +92,19 @@ match(const struct sk_buff *skb, ...@@ -92,58 +92,19 @@ match(const struct sk_buff *skb,
info->invert, hotdrop); info->invert, hotdrop);
} }
static int
checkentry(const char *tablename,
const void *ipinfo,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
const struct ipt_ip *ip = ipinfo;
if (matchsize != XT_ALIGN(sizeof(struct xt_tcpmss_match_info)))
return 0;
/* Must specify -p tcp */
if (ip->proto != IPPROTO_TCP || (ip->invflags & IPT_INV_PROTO)) {
printk("tcpmss: Only works on TCP packets\n");
return 0;
}
return 1;
}
static int
checkentry6(const char *tablename,
const void *ipinfo,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
const struct ip6t_ip6 *ip = ipinfo;
if (matchsize != XT_ALIGN(sizeof(struct xt_tcpmss_match_info)))
return 0;
/* Must specify -p tcp */
if (ip->proto != IPPROTO_TCP || (ip->invflags & XT_INV_PROTO)) {
printk("tcpmss: Only works on TCP packets\n");
return 0;
}
return 1;
}
static struct xt_match tcpmss_match = { static struct xt_match tcpmss_match = {
.name = "tcpmss", .name = "tcpmss",
.match = &match, .match = match,
.checkentry = &checkentry, .matchsize = sizeof(struct xt_tcpmss_match_info),
.proto = IPPROTO_TCP,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match tcpmss6_match = { static struct xt_match tcpmss6_match = {
.name = "tcpmss", .name = "tcpmss",
.match = &match, .match = match,
.checkentry = &checkentry6, .matchsize = sizeof(struct xt_tcpmss_match_info),
.proto = IPPROTO_TCP,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -142,35 +142,12 @@ tcp_checkentry(const char *tablename, ...@@ -142,35 +142,12 @@ tcp_checkentry(const char *tablename,
unsigned int matchsize, unsigned int matchsize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ipt_ip *ip = info;
const struct xt_tcp *tcpinfo = matchinfo; const struct xt_tcp *tcpinfo = matchinfo;
/* Must specify proto == TCP, and no unknown invflags */ /* Must specify no unknown invflags */
return ip->proto == IPPROTO_TCP return !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
&& !(ip->invflags & XT_INV_PROTO)
&& matchsize == XT_ALIGN(sizeof(struct xt_tcp))
&& !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
} }
/* Called when user tries to insert an entry of this type. */
static int
tcp6_checkentry(const char *tablename,
const void *entry,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
const struct ip6t_ip6 *ipv6 = entry;
const struct xt_tcp *tcpinfo = matchinfo;
/* Must specify proto == TCP, and no unknown invflags */
return ipv6->proto == IPPROTO_TCP
&& !(ipv6->invflags & XT_INV_PROTO)
&& matchsize == XT_ALIGN(sizeof(struct xt_tcp))
&& !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
}
static int static int
udp_match(const struct sk_buff *skb, udp_match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *in,
...@@ -209,86 +186,47 @@ static int ...@@ -209,86 +186,47 @@ static int
udp_checkentry(const char *tablename, udp_checkentry(const char *tablename,
const void *info, const void *info,
void *matchinfo, void *matchinfo,
unsigned int matchinfosize, unsigned int matchsize,
unsigned int hook_mask)
{
const struct ipt_ip *ip = info;
const struct xt_udp *udpinfo = matchinfo;
/* Must specify proto == UDP, and no unknown invflags */
if (ip->proto != IPPROTO_UDP || (ip->invflags & XT_INV_PROTO)) {
duprintf("ipt_udp: Protocol %u != %u\n", ip->proto,
IPPROTO_UDP);
return 0;
}
if (matchinfosize != XT_ALIGN(sizeof(struct xt_udp))) {
duprintf("ipt_udp: matchsize %u != %u\n",
matchinfosize, XT_ALIGN(sizeof(struct xt_udp)));
return 0;
}
if (udpinfo->invflags & ~XT_UDP_INV_MASK) {
duprintf("ipt_udp: unknown flags %X\n",
udpinfo->invflags);
return 0;
}
return 1;
}
/* Called when user tries to insert an entry of this type. */
static int
udp6_checkentry(const char *tablename,
const void *entry,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct ip6t_ip6 *ipv6 = entry; const struct xt_tcp *udpinfo = matchinfo;
const struct xt_udp *udpinfo = matchinfo;
/* Must specify proto == UDP, and no unknown invflags */ /* Must specify no unknown invflags */
if (ipv6->proto != IPPROTO_UDP || (ipv6->invflags & XT_INV_PROTO)) { return !(udpinfo->invflags & ~XT_UDP_INV_MASK);
duprintf("ip6t_udp: Protocol %u != %u\n", ipv6->proto,
IPPROTO_UDP);
return 0;
}
if (matchinfosize != XT_ALIGN(sizeof(struct xt_udp))) {
duprintf("ip6t_udp: matchsize %u != %u\n",
matchinfosize, XT_ALIGN(sizeof(struct xt_udp)));
return 0;
}
if (udpinfo->invflags & ~XT_UDP_INV_MASK) {
duprintf("ip6t_udp: unknown flags %X\n",
udpinfo->invflags);
return 0;
}
return 1;
} }
static struct xt_match tcp_matchstruct = { static struct xt_match tcp_matchstruct = {
.name = "tcp", .name = "tcp",
.match = &tcp_match, .match = tcp_match,
.checkentry = &tcp_checkentry, .matchsize = sizeof(struct xt_tcp),
.proto = IPPROTO_TCP,
.checkentry = tcp_checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match tcp6_matchstruct = { static struct xt_match tcp6_matchstruct = {
.name = "tcp", .name = "tcp",
.match = &tcp_match, .match = tcp_match,
.checkentry = &tcp6_checkentry, .matchsize = sizeof(struct xt_tcp),
.proto = IPPROTO_TCP,
.checkentry = tcp_checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match udp_matchstruct = { static struct xt_match udp_matchstruct = {
.name = "udp", .name = "udp",
.match = &udp_match, .match = udp_match,
.checkentry = &udp_checkentry, .matchsize = sizeof(struct xt_udp),
.proto = IPPROTO_UDP,
.checkentry = udp_checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static struct xt_match udp6_matchstruct = { static struct xt_match udp6_matchstruct = {
.name = "udp", .name = "udp",
.match = &udp_match, .match = udp_match,
.checkentry = &udp6_checkentry, .matchsize = sizeof(struct xt_udp),
.proto = IPPROTO_UDP,
.checkentry = udp_checkentry,
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment