[NETFILTER]: Change {ip,ip6,arp}_tables to use centralized error checking
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy
committed by
David S. Miller
David S. Miller
parent
37f9f7334b
commit
3cdc7c953e
@@ -480,6 +480,11 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
|
|||||||
}
|
}
|
||||||
t->u.kernel.target = target;
|
t->u.kernel.target = target;
|
||||||
|
|
||||||
|
ret = xt_check_target(target, NF_ARP, t->u.target_size - sizeof(*t),
|
||||||
|
name, e->comefrom, 0, 0);
|
||||||
|
if (ret)
|
||||||
|
goto err;
|
||||||
|
|
||||||
if (t->u.kernel.target == &arpt_standard_target) {
|
if (t->u.kernel.target == &arpt_standard_target) {
|
||||||
if (!standard_check(t, size)) {
|
if (!standard_check(t, size)) {
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
@@ -490,16 +495,16 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
|
|||||||
t->u.target_size
|
t->u.target_size
|
||||||
- sizeof(*t),
|
- sizeof(*t),
|
||||||
e->comefrom)) {
|
e->comefrom)) {
|
||||||
module_put(t->u.kernel.target->me);
|
|
||||||
duprintf("arp_tables: check failed for `%s'.\n",
|
duprintf("arp_tables: check failed for `%s'.\n",
|
||||||
t->u.kernel.target->name);
|
t->u.kernel.target->name);
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto out;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
(*i)++;
|
(*i)++;
|
||||||
return 0;
|
return 0;
|
||||||
|
err:
|
||||||
|
module_put(t->u.kernel.target->me);
|
||||||
out:
|
out:
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -508,6 +508,7 @@ check_match(struct ipt_entry_match *m,
|
|||||||
unsigned int *i)
|
unsigned int *i)
|
||||||
{
|
{
|
||||||
struct ipt_match *match;
|
struct ipt_match *match;
|
||||||
|
int ret;
|
||||||
|
|
||||||
match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
|
match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
|
||||||
m->u.user.revision),
|
m->u.user.revision),
|
||||||
@@ -518,18 +519,27 @@ check_match(struct ipt_entry_match *m,
|
|||||||
}
|
}
|
||||||
m->u.kernel.match = match;
|
m->u.kernel.match = match;
|
||||||
|
|
||||||
|
ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
|
||||||
|
name, hookmask, ip->proto,
|
||||||
|
ip->invflags & IPT_INV_PROTO);
|
||||||
|
if (ret)
|
||||||
|
goto err;
|
||||||
|
|
||||||
if (m->u.kernel.match->checkentry
|
if (m->u.kernel.match->checkentry
|
||||||
&& !m->u.kernel.match->checkentry(name, ip, m->data,
|
&& !m->u.kernel.match->checkentry(name, ip, m->data,
|
||||||
m->u.match_size - sizeof(*m),
|
m->u.match_size - sizeof(*m),
|
||||||
hookmask)) {
|
hookmask)) {
|
||||||
module_put(m->u.kernel.match->me);
|
|
||||||
duprintf("ip_tables: check failed for `%s'.\n",
|
duprintf("ip_tables: check failed for `%s'.\n",
|
||||||
m->u.kernel.match->name);
|
m->u.kernel.match->name);
|
||||||
return -EINVAL;
|
ret = -EINVAL;
|
||||||
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
(*i)++;
|
(*i)++;
|
||||||
return 0;
|
return 0;
|
||||||
|
err:
|
||||||
|
module_put(m->u.kernel.match->me);
|
||||||
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct ipt_target ipt_standard_target;
|
static struct ipt_target ipt_standard_target;
|
||||||
@@ -565,6 +575,12 @@ check_entry(struct ipt_entry *e, const char *name, unsigned int size,
|
|||||||
}
|
}
|
||||||
t->u.kernel.target = target;
|
t->u.kernel.target = target;
|
||||||
|
|
||||||
|
ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
|
||||||
|
name, e->comefrom, e->ip.proto,
|
||||||
|
e->ip.invflags & IPT_INV_PROTO);
|
||||||
|
if (ret)
|
||||||
|
goto err;
|
||||||
|
|
||||||
if (t->u.kernel.target == &ipt_standard_target) {
|
if (t->u.kernel.target == &ipt_standard_target) {
|
||||||
if (!standard_check(t, size)) {
|
if (!standard_check(t, size)) {
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
@@ -575,16 +591,16 @@ check_entry(struct ipt_entry *e, const char *name, unsigned int size,
|
|||||||
t->u.target_size
|
t->u.target_size
|
||||||
- sizeof(*t),
|
- sizeof(*t),
|
||||||
e->comefrom)) {
|
e->comefrom)) {
|
||||||
module_put(t->u.kernel.target->me);
|
|
||||||
duprintf("ip_tables: check failed for `%s'.\n",
|
duprintf("ip_tables: check failed for `%s'.\n",
|
||||||
t->u.kernel.target->name);
|
t->u.kernel.target->name);
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto cleanup_matches;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
(*i)++;
|
(*i)++;
|
||||||
return 0;
|
return 0;
|
||||||
|
err:
|
||||||
|
module_put(t->u.kernel.target->me);
|
||||||
cleanup_matches:
|
cleanup_matches:
|
||||||
IPT_MATCH_ITERATE(e, cleanup_match, &j);
|
IPT_MATCH_ITERATE(e, cleanup_match, &j);
|
||||||
return ret;
|
return ret;
|
||||||
|
|||||||
@@ -575,6 +575,7 @@ check_match(struct ip6t_entry_match *m,
|
|||||||
unsigned int *i)
|
unsigned int *i)
|
||||||
{
|
{
|
||||||
struct ip6t_match *match;
|
struct ip6t_match *match;
|
||||||
|
int ret;
|
||||||
|
|
||||||
match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
|
match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
|
||||||
m->u.user.revision),
|
m->u.user.revision),
|
||||||
@@ -585,18 +586,27 @@ check_match(struct ip6t_entry_match *m,
|
|||||||
}
|
}
|
||||||
m->u.kernel.match = match;
|
m->u.kernel.match = match;
|
||||||
|
|
||||||
|
ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
|
||||||
|
name, hookmask, ipv6->proto,
|
||||||
|
ipv6->invflags & IP6T_INV_PROTO);
|
||||||
|
if (ret)
|
||||||
|
goto err;
|
||||||
|
|
||||||
if (m->u.kernel.match->checkentry
|
if (m->u.kernel.match->checkentry
|
||||||
&& !m->u.kernel.match->checkentry(name, ipv6, m->data,
|
&& !m->u.kernel.match->checkentry(name, ipv6, m->data,
|
||||||
m->u.match_size - sizeof(*m),
|
m->u.match_size - sizeof(*m),
|
||||||
hookmask)) {
|
hookmask)) {
|
||||||
module_put(m->u.kernel.match->me);
|
|
||||||
duprintf("ip_tables: check failed for `%s'.\n",
|
duprintf("ip_tables: check failed for `%s'.\n",
|
||||||
m->u.kernel.match->name);
|
m->u.kernel.match->name);
|
||||||
return -EINVAL;
|
ret = -EINVAL;
|
||||||
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
(*i)++;
|
(*i)++;
|
||||||
return 0;
|
return 0;
|
||||||
|
err:
|
||||||
|
module_put(m->u.kernel.match->me);
|
||||||
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct ip6t_target ip6t_standard_target;
|
static struct ip6t_target ip6t_standard_target;
|
||||||
@@ -632,6 +642,12 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
|
|||||||
}
|
}
|
||||||
t->u.kernel.target = target;
|
t->u.kernel.target = target;
|
||||||
|
|
||||||
|
ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
|
||||||
|
name, e->comefrom, e->ipv6.proto,
|
||||||
|
e->ipv6.invflags & IP6T_INV_PROTO);
|
||||||
|
if (ret)
|
||||||
|
goto err;
|
||||||
|
|
||||||
if (t->u.kernel.target == &ip6t_standard_target) {
|
if (t->u.kernel.target == &ip6t_standard_target) {
|
||||||
if (!standard_check(t, size)) {
|
if (!standard_check(t, size)) {
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
@@ -642,16 +658,16 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
|
|||||||
t->u.target_size
|
t->u.target_size
|
||||||
- sizeof(*t),
|
- sizeof(*t),
|
||||||
e->comefrom)) {
|
e->comefrom)) {
|
||||||
module_put(t->u.kernel.target->me);
|
|
||||||
duprintf("ip_tables: check failed for `%s'.\n",
|
duprintf("ip_tables: check failed for `%s'.\n",
|
||||||
t->u.kernel.target->name);
|
t->u.kernel.target->name);
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto cleanup_matches;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
(*i)++;
|
(*i)++;
|
||||||
return 0;
|
return 0;
|
||||||
|
err:
|
||||||
|
module_put(t->u.kernel.target->me);
|
||||||
cleanup_matches:
|
cleanup_matches:
|
||||||
IP6T_MATCH_ITERATE(e, cleanup_match, &j);
|
IP6T_MATCH_ITERATE(e, cleanup_match, &j);
|
||||||
return ret;
|
return ret;
|
||||||
|
|||||||
Reference in New Issue
Block a user