lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[NETFILTER]: x_tables: pass registered match/target data to match/target functions

Browse Source 
This allows to make decisions based on the revision (and address family
with a follow-up patch) at runtime.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy
2006-03-20 18:02:15 -08:00
committed by David S. Miller
parent 5d04bff096
commit 1c524830d0
5 changed files with 30 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
include/linux/netfilter/x_tables.h
View File

@@ -100,6 +100,7 @@ struct xt_match
int (*match)(const struct sk_buff *skb, int (*match)(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *in,
const struct net_device *out, const struct net_device *out,
const struct xt_match *match,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff, unsigned int protoff,
@@ -109,12 +110,14 @@ struct xt_match
/* Should return true or false. */ /* Should return true or false. */
int (*checkentry)(const char *tablename, int (*checkentry)(const char *tablename,
const void *ip, const void *ip,
const struct xt_match *match,
void *matchinfo, void *matchinfo,
unsigned int matchinfosize, unsigned int matchinfosize,
unsigned int hook_mask); unsigned int hook_mask);
/* Called when entry of this type deleted. */ /* Called when entry of this type deleted. */
void (*destroy)(void *matchinfo, unsigned int matchinfosize); void (*destroy)(const struct xt_match *match, void *matchinfo,
unsigned int matchinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ /* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me; struct module *me;
@@ -140,6 +143,7 @@ struct xt_target
const struct net_device *in, const struct net_device *in,
const struct net_device *out, const struct net_device *out,
unsigned int hooknum, unsigned int hooknum,
const struct xt_target *target,
const void *targinfo, const void *targinfo,
void *userdata); void *userdata);
@@ -149,12 +153,14 @@ struct xt_target
/* Should return true or false. */ /* Should return true or false. */
int (*checkentry)(const char *tablename, int (*checkentry)(const char *tablename,
const void *entry, const void *entry,
const struct xt_target *target,
void *targinfo, void *targinfo,
unsigned int targinfosize, unsigned int targinfosize,
unsigned int hook_mask); unsigned int hook_mask);
/* Called when entry of this type deleted. */ /* Called when entry of this type deleted. */
void (*destroy)(void *targinfo, unsigned int targinfosize); void (*destroy)(const struct xt_target *target, void *targinfo,
unsigned int targinfosize);
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ /* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me; struct module *me;

5
net/ipv4/netfilter/arp_tables.c
View File

@@ -300,6 +300,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
verdict = t->u.kernel.target->target(pskb, verdict = t->u.kernel.target->target(pskb,
in, out, in, out,
hook, hook,
t->u.kernel.target,
t->data, t->data,
userdata); userdata);
@@ -491,7 +492,7 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
goto out; goto out;
} }
} else if (t->u.kernel.target->checkentry } else if (t->u.kernel.target->checkentry
&& !t->u.kernel.target->checkentry(name, e, t->data, && !t->u.kernel.target->checkentry(name, e, target, t->data,
t->u.target_size t->u.target_size
- sizeof(*t), - sizeof(*t),
e->comefrom)) { e->comefrom)) {
@@ -560,7 +561,7 @@ static inline int cleanup_entry(struct arpt_entry *e, unsigned int *i)
t = arpt_get_target(e); t = arpt_get_target(e);
if (t->u.kernel.target->destroy) if (t->u.kernel.target->destroy)
t->u.kernel.target->destroy(t->data, t->u.kernel.target->destroy(t->u.kernel.target, t->data,
t->u.target_size - sizeof(*t)); t->u.target_size - sizeof(*t));
module_put(t->u.kernel.target->me); module_put(t->u.kernel.target->me);
return 0; return 0;

13
net/ipv4/netfilter/ip_tables.c
View File

@@ -197,8 +197,8 @@ int do_match(struct ipt_entry_match *m,
int *hotdrop) int *hotdrop)
{ {
/* Stop iteration if it doesn't match */ /* Stop iteration if it doesn't match */
if (!m->u.kernel.match->match(skb, in, out, m->data, offset, if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
skb->nh.iph->ihl*4, hotdrop)) offset, skb->nh.iph->ihl*4, hotdrop))
return 1; return 1;
else else
return 0; return 0;
@@ -305,6 +305,7 @@ ipt_do_table(struct sk_buff **pskb,
verdict = t->u.kernel.target->target(pskb, verdict = t->u.kernel.target->target(pskb,
in, out, in, out,
hook, hook,
t->u.kernel.target,
t->data, t->data,
userdata); userdata);
@@ -464,7 +465,7 @@ cleanup_match(struct ipt_entry_match *m, unsigned int *i)
return 1; return 1;
if (m->u.kernel.match->destroy) if (m->u.kernel.match->destroy)
m->u.kernel.match->destroy(m->data, m->u.kernel.match->destroy(m->u.kernel.match, m->data,
m->u.match_size - sizeof(*m)); m->u.match_size - sizeof(*m));
module_put(m->u.kernel.match->me); module_put(m->u.kernel.match->me);
return 0; return 0;
@@ -517,7 +518,7 @@ check_match(struct ipt_entry_match *m,
goto err; goto err;
if (m->u.kernel.match->checkentry if (m->u.kernel.match->checkentry
&& !m->u.kernel.match->checkentry(name, ip, m->data, && !m->u.kernel.match->checkentry(name, ip, match, m->data,
m->u.match_size - sizeof(*m), m->u.match_size - sizeof(*m),
hookmask)) { hookmask)) {
duprintf("ip_tables: check failed for `%s'.\n", duprintf("ip_tables: check failed for `%s'.\n",
@@ -578,7 +579,7 @@ check_entry(struct ipt_entry *e, const char *name, unsigned int size,
goto cleanup_matches; goto cleanup_matches;
} }
} else if (t->u.kernel.target->checkentry } else if (t->u.kernel.target->checkentry
&& !t->u.kernel.target->checkentry(name, e, t->data, && !t->u.kernel.target->checkentry(name, e, target, t->data,
t->u.target_size t->u.target_size
- sizeof(*t), - sizeof(*t),
e->comefrom)) { e->comefrom)) {
@@ -652,7 +653,7 @@ cleanup_entry(struct ipt_entry *e, unsigned int *i)
IPT_MATCH_ITERATE(e, cleanup_match, NULL); IPT_MATCH_ITERATE(e, cleanup_match, NULL);
t = ipt_get_target(e); t = ipt_get_target(e);
if (t->u.kernel.target->destroy) if (t->u.kernel.target->destroy)
t->u.kernel.target->destroy(t->data, t->u.kernel.target->destroy(t->u.kernel.target, t->data,
t->u.target_size - sizeof(*t)); t->u.target_size - sizeof(*t));
module_put(t->u.kernel.target->me); module_put(t->u.kernel.target->me);
return 0; return 0;

11
net/ipv6/netfilter/ip6_tables.c
View File

@@ -251,7 +251,7 @@ int do_match(struct ip6t_entry_match *m,
int *hotdrop) int *hotdrop)
{ {
/* Stop iteration if it doesn't match */ /* Stop iteration if it doesn't match */
if (!m->u.kernel.match->match(skb, in, out, m->data, if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
offset, protoff, hotdrop)) offset, protoff, hotdrop))
return 1; return 1;
else else
@@ -373,6 +373,7 @@ ip6t_do_table(struct sk_buff **pskb,
verdict = t->u.kernel.target->target(pskb, verdict = t->u.kernel.target->target(pskb,
in, out, in, out,
hook, hook,
t->u.kernel.target,
t->data, t->data,
userdata); userdata);
@@ -531,7 +532,7 @@ cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
return 1; return 1;
if (m->u.kernel.match->destroy) if (m->u.kernel.match->destroy)
m->u.kernel.match->destroy(m->data, m->u.kernel.match->destroy(m->u.kernel.match, m->data,
m->u.match_size - sizeof(*m)); m->u.match_size - sizeof(*m));
module_put(m->u.kernel.match->me); module_put(m->u.kernel.match->me);
return 0; return 0;
@@ -584,7 +585,7 @@ check_match(struct ip6t_entry_match *m,
goto err; goto err;
if (m->u.kernel.match->checkentry if (m->u.kernel.match->checkentry
&& !m->u.kernel.match->checkentry(name, ipv6, m->data, && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
m->u.match_size - sizeof(*m), m->u.match_size - sizeof(*m),
hookmask)) { hookmask)) {
duprintf("ip_tables: check failed for `%s'.\n", duprintf("ip_tables: check failed for `%s'.\n",
@@ -645,7 +646,7 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
goto cleanup_matches; goto cleanup_matches;
} }
} else if (t->u.kernel.target->checkentry } else if (t->u.kernel.target->checkentry
&& !t->u.kernel.target->checkentry(name, e, t->data, && !t->u.kernel.target->checkentry(name, e, target, t->data,
t->u.target_size t->u.target_size
- sizeof(*t), - sizeof(*t),
e->comefrom)) { e->comefrom)) {
@@ -719,7 +720,7 @@ cleanup_entry(struct ip6t_entry *e, unsigned int *i)
IP6T_MATCH_ITERATE(e, cleanup_match, NULL); IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
t = ip6t_get_target(e); t = ip6t_get_target(e);
if (t->u.kernel.target->destroy) if (t->u.kernel.target->destroy)
t->u.kernel.target->destroy(t->data, t->u.kernel.target->destroy(t->u.kernel.target, t->data,
t->u.target_size - sizeof(*t)); t->u.target_size - sizeof(*t));
module_put(t->u.kernel.target->me); module_put(t->u.kernel.target->me);
return 0; return 0;

10
net/sched/act_ipt.c
View File

@@ -70,7 +70,8 @@ ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook)
t->u.kernel.target = target; t->u.kernel.target = target;
if (t->u.kernel.target->checkentry if (t->u.kernel.target->checkentry
&& !t->u.kernel.target->checkentry(table, NULL, t->data, && !t->u.kernel.target->checkentry(table, NULL,
t->u.kernel.target, t->data,
t->u.target_size - sizeof(*t), t->u.target_size - sizeof(*t),
hook)) { hook)) {
DPRINTK("ipt_init_target: check failed for `%s'.\n", DPRINTK("ipt_init_target: check failed for `%s'.\n",
@@ -86,7 +87,7 @@ static void
ipt_destroy_target(struct ipt_entry_target *t) ipt_destroy_target(struct ipt_entry_target *t)
{ {
if (t->u.kernel.target->destroy) if (t->u.kernel.target->destroy)
t->u.kernel.target->destroy(t->data, t->u.kernel.target->destroy(t->u.kernel.target, t->data,
t->u.target_size - sizeof(*t)); t->u.target_size - sizeof(*t));
module_put(t->u.kernel.target->me); module_put(t->u.kernel.target->me);
} }
@@ -224,8 +225,9 @@ tcf_ipt(struct sk_buff *skb, struct tc_action *a, struct tcf_result *res)
/* iptables targets take a double skb pointer in case the skb /* iptables targets take a double skb pointer in case the skb
* needs to be replaced. We don't own the skb, so this must not * needs to be replaced. We don't own the skb, so this must not
* happen. The pskb_expand_head above should make sure of this */ * happen. The pskb_expand_head above should make sure of this */
ret = p->t->u.kernel.target->target(&skb, skb->dev, NULL, ret = p->t->u.kernel.target->target(&skb, skb->dev, NULL, p->hook,
p->hook, p->t->data, NULL); p->t->u.kernel.target, p->t->data,
NULL);
switch (ret) { switch (ret) {
case NF_ACCEPT: case NF_ACCEPT:
result = TC_ACT_OK; result = TC_ACT_OK;