]> pilppa.com Git - linux-2.6-omap-h63xx.git/commitdiff
[NETFILTER]: Convert ip_tables matches/targets to centralized error checking
authorPatrick McHardy <kaber@trash.net>
Tue, 21 Mar 2006 02:01:14 +0000 (18:01 -0800)
committerDavid S. Miller <davem@davemloft.net>
Tue, 21 Mar 2006 02:01:14 +0000 (18:01 -0800)
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
28 files changed:
net/ipv4/netfilter/ip_nat_rule.c
net/ipv4/netfilter/ip_tables.c
net/ipv4/netfilter/ipt_CLUSTERIP.c
net/ipv4/netfilter/ipt_DSCP.c
net/ipv4/netfilter/ipt_ECN.c
net/ipv4/netfilter/ipt_LOG.c
net/ipv4/netfilter/ipt_MASQUERADE.c
net/ipv4/netfilter/ipt_NETMAP.c
net/ipv4/netfilter/ipt_REDIRECT.c
net/ipv4/netfilter/ipt_REJECT.c
net/ipv4/netfilter/ipt_SAME.c
net/ipv4/netfilter/ipt_TCPMSS.c
net/ipv4/netfilter/ipt_TOS.c
net/ipv4/netfilter/ipt_TTL.c
net/ipv4/netfilter/ipt_ULOG.c
net/ipv4/netfilter/ipt_addrtype.c
net/ipv4/netfilter/ipt_ah.c
net/ipv4/netfilter/ipt_dscp.c
net/ipv4/netfilter/ipt_ecn.c
net/ipv4/netfilter/ipt_esp.c
net/ipv4/netfilter/ipt_hashlimit.c
net/ipv4/netfilter/ipt_iprange.c
net/ipv4/netfilter/ipt_multiport.c
net/ipv4/netfilter/ipt_owner.c
net/ipv4/netfilter/ipt_policy.c
net/ipv4/netfilter/ipt_recent.c
net/ipv4/netfilter/ipt_tos.c
net/ipv4/netfilter/ipt_ttl.c

index 1de86282d23249c4181f92c80106c1dafcb81f8f..ef4be3d505535b1f00aa02a890301e6087258111 100644 (file)
@@ -181,23 +181,6 @@ static int ipt_snat_checkentry(const char *tablename,
                printk("SNAT: multiple ranges no longer supported\n");
                return 0;
        }
-
-       if (targinfosize != IPT_ALIGN(sizeof(struct ip_nat_multi_range_compat))) {
-               DEBUGP("SNAT: Target size %u wrong for %u ranges\n",
-                      targinfosize, mr->rangesize);
-               return 0;
-       }
-
-       /* Only allow these for NAT. */
-       if (strcmp(tablename, "nat") != 0) {
-               DEBUGP("SNAT: wrong table %s\n", tablename);
-               return 0;
-       }
-
-       if (hook_mask & ~(1 << NF_IP_POST_ROUTING)) {
-               DEBUGP("SNAT: hook mask 0x%x bad\n", hook_mask);
-               return 0;
-       }
        return 1;
 }
 
@@ -214,24 +197,6 @@ static int ipt_dnat_checkentry(const char *tablename,
                printk("DNAT: multiple ranges no longer supported\n");
                return 0;
        }
-
-       if (targinfosize != IPT_ALIGN(sizeof(struct ip_nat_multi_range_compat))) {
-               DEBUGP("DNAT: Target size %u wrong for %u ranges\n",
-                      targinfosize, mr->rangesize);
-               return 0;
-       }
-
-       /* Only allow these for NAT. */
-       if (strcmp(tablename, "nat") != 0) {
-               DEBUGP("DNAT: wrong table %s\n", tablename);
-               return 0;
-       }
-
-       if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))) {
-               DEBUGP("DNAT: hook mask 0x%x bad\n", hook_mask);
-               return 0;
-       }
-       
        return 1;
 }
 
@@ -299,12 +264,18 @@ int ip_nat_rule_find(struct sk_buff **pskb,
 static struct ipt_target ipt_snat_reg = {
        .name           = "SNAT",
        .target         = ipt_snat_target,
+       .targetsize     = sizeof(struct ip_nat_multi_range_compat),
+       .table          = "nat",
+       .hooks          = 1 << NF_IP_POST_ROUTING,
        .checkentry     = ipt_snat_checkentry,
 };
 
 static struct ipt_target ipt_dnat_reg = {
        .name           = "DNAT",
        .target         = ipt_dnat_target,
+       .targetsize     = sizeof(struct ip_nat_multi_range_compat),
+       .table          = "nat",
+       .hooks          = 1 << NF_IP_PRE_ROUTING,
        .checkentry     = ipt_dnat_checkentry,
 };
 
index f884ca223295208b8e3aa566b964c897e4043cdf..62f8d639ab9c02f53129611e536173da6285c125 100644 (file)
@@ -477,21 +477,12 @@ standard_check(const struct ipt_entry_target *t,
        struct ipt_standard_target *targ = (void *)t;
 
        /* Check standard info. */
-       if (t->u.target_size
-           != IPT_ALIGN(sizeof(struct ipt_standard_target))) {
-               duprintf("standard_check: target size %u != %u\n",
-                        t->u.target_size,
-                        IPT_ALIGN(sizeof(struct ipt_standard_target)));
-               return 0;
-       }
-
        if (targ->verdict >= 0
            && targ->verdict > max_offset - sizeof(struct ipt_entry)) {
                duprintf("ipt_standard_check: bad verdict (%i)\n",
                         targ->verdict);
                return 0;
        }
-
        if (targ->verdict < -NF_MAX_VERDICT - 1) {
                duprintf("ipt_standard_check: bad negative verdict (%i)\n",
                         targ->verdict);
@@ -1330,24 +1321,22 @@ icmp_checkentry(const char *tablename,
           unsigned int matchsize,
           unsigned int hook_mask)
 {
-       const struct ipt_ip *ip = info;
        const struct ipt_icmp *icmpinfo = matchinfo;
 
-       /* Must specify proto == ICMP, and no unknown invflags */
-       return ip->proto == IPPROTO_ICMP
-               && !(ip->invflags & IPT_INV_PROTO)
-               && matchsize == IPT_ALIGN(sizeof(struct ipt_icmp))
-               && !(icmpinfo->invflags & ~IPT_ICMP_INV);
+       /* Must specify no unknown invflags */
+       return !(icmpinfo->invflags & ~IPT_ICMP_INV);
 }
 
 /* The built-in targets: standard (NULL) and error. */
 static struct ipt_target ipt_standard_target = {
        .name           = IPT_STANDARD_TARGET,
+       .targetsize     = sizeof(int),
 };
 
 static struct ipt_target ipt_error_target = {
        .name           = IPT_ERROR_TARGET,
        .target         = ipt_error,
+       .targetsize     = IPT_FUNCTION_MAXNAMELEN,
 };
 
 static struct nf_sockopt_ops ipt_sockopts = {
@@ -1362,8 +1351,10 @@ static struct nf_sockopt_ops ipt_sockopts = {
 
 static struct ipt_match icmp_matchstruct = {
        .name           = "icmp",
-       .match          = &icmp_match,
-       .checkentry     = &icmp_checkentry,
+       .match          = icmp_match,
+       .matchsize      = sizeof(struct ipt_icmp),
+       .proto          = IPPROTO_ICMP,
+       .checkentry     = icmp_checkentry,
 };
 
 static int __init init(void)
index d9bc971f03afd677907bf9651e2551f227f34e18..24f88dd5d8f9b5ca5863c6370b03b610d06c0061 100644 (file)
@@ -389,13 +389,6 @@ checkentry(const char *tablename,
 
        struct clusterip_config *config;
 
-       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info))) {
-               printk(KERN_WARNING "CLUSTERIP: targinfosize %u != %Zu\n",
-                      targinfosize,
-                      IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info)));
-               return 0;
-       }
-
        if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
            cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
            cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
@@ -476,12 +469,13 @@ static void destroy(void *matchinfo, unsigned int matchinfosize)
        clusterip_config_put(cipinfo->config);
 }
 
-static struct ipt_target clusterip_tgt = { 
-       .name = "CLUSTERIP",
-       .target = &target, 
-       .checkentry = &checkentry, 
-       .destroy = &destroy,
-       .me = THIS_MODULE
+static struct ipt_target clusterip_tgt = {
+       .name           = "CLUSTERIP",
+       .target         = target,
+       .targetsize     = sizeof(struct ipt_clusterip_tgt_info),
+       .checkentry     = checkentry,
+       .destroy        = destroy,
+       .me             = THIS_MODULE
 };
 
 
index 898cdf79ce18258eb75dc073ee5e228c81a21b60..a202467e4a88f0e7cbd37c12dbc80b7e82f67b77 100644 (file)
@@ -64,29 +64,18 @@ checkentry(const char *tablename,
 {
        const u_int8_t dscp = ((struct ipt_DSCP_info *)targinfo)->dscp;
 
-       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_DSCP_info))) {
-               printk(KERN_WARNING "DSCP: targinfosize %u != %Zu\n",
-                      targinfosize,
-                      IPT_ALIGN(sizeof(struct ipt_DSCP_info)));
-               return 0;
-       }
-
-       if (strcmp(tablename, "mangle") != 0) {
-               printk(KERN_WARNING "DSCP: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
-               return 0;
-       }
-
        if ((dscp > IPT_DSCP_MAX)) {
                printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp);
                return 0;
        }
-
        return 1;
 }
 
 static struct ipt_target ipt_dscp_reg = {
        .name           = "DSCP",
        .target         = target,
+       .targetsize     = sizeof(struct ipt_DSCP_info),
+       .table          = "mangle",
        .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
index 706445426a6dfc4096d97e76d33cfe27a74ea665..1bf1a4063b6f3040c4b3f4f7ed56dc2103975573 100644 (file)
@@ -121,18 +121,6 @@ checkentry(const char *tablename,
        const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
        const struct ipt_entry *e = e_void;
 
-       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ECN_info))) {
-               printk(KERN_WARNING "ECN: targinfosize %u != %Zu\n",
-                      targinfosize,
-                      IPT_ALIGN(sizeof(struct ipt_ECN_info)));
-               return 0;
-       }
-
-       if (strcmp(tablename, "mangle") != 0) {
-               printk(KERN_WARNING "ECN: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
-               return 0;
-       }
-
        if (einfo->operation & IPT_ECN_OP_MASK) {
                printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
                        einfo->operation);
@@ -143,20 +131,20 @@ checkentry(const char *tablename,
                        einfo->ip_ect);
                return 0;
        }
-
        if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
            && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
                printk(KERN_WARNING "ECN: cannot use TCP operations on a "
                       "non-tcp rule\n");
                return 0;
        }
-
        return 1;
 }
 
 static struct ipt_target ipt_ecn_reg = {
        .name           = "ECN",
        .target         = target,
+       .targetsize     = sizeof(struct ipt_ECN_info),
+       .table          = "mangle",
        .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
index cc27545ff97f67b3d60dbea1b3f32bce4f8d3001..f2c7a9343656fb98af0e8551e3d5ca985a347b34 100644 (file)
@@ -443,29 +443,22 @@ static int ipt_log_checkentry(const char *tablename,
 {
        const struct ipt_log_info *loginfo = targinfo;
 
-       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_log_info))) {
-               DEBUGP("LOG: targinfosize %u != %u\n",
-                      targinfosize, IPT_ALIGN(sizeof(struct ipt_log_info)));
-               return 0;
-       }
-
        if (loginfo->level >= 8) {
                DEBUGP("LOG: level %u >= 8\n", loginfo->level);
                return 0;
        }
-
        if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
                DEBUGP("LOG: prefix term %i\n",
                       loginfo->prefix[sizeof(loginfo->prefix)-1]);
                return 0;
        }
-
        return 1;
 }
 
 static struct ipt_target ipt_log_reg = {
        .name           = "LOG",
        .target         = ipt_log_target,
+       .targetsize     = sizeof(struct ipt_log_info),
        .checkentry     = ipt_log_checkentry,
        .me             = THIS_MODULE,
 };
index 12c56d3343ca3b7d38bd5153f21e7a2b23eb0fd1..df5ea08f1a15997b2c9742bae556166f255f64a2 100644 (file)
@@ -47,19 +47,6 @@ masquerade_check(const char *tablename,
 {
        const struct ip_nat_multi_range_compat *mr = targinfo;
 
-       if (strcmp(tablename, "nat") != 0) {
-               DEBUGP("masquerade_check: bad table `%s'.\n", tablename);
-               return 0;
-       }
-       if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
-               DEBUGP("masquerade_check: size %u != %u.\n",
-                      targinfosize, sizeof(*mr));
-               return 0;
-       }
-       if (hook_mask & ~(1 << NF_IP_POST_ROUTING)) {
-               DEBUGP("masquerade_check: bad hooks %x.\n", hook_mask);
-               return 0;
-       }
        if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
                DEBUGP("masquerade_check: bad MAP_IPS.\n");
                return 0;
@@ -179,6 +166,9 @@ static struct notifier_block masq_inet_notifier = {
 static struct ipt_target masquerade = {
        .name           = "MASQUERADE",
        .target         = masquerade_target,
+       .targetsize     = sizeof(struct ip_nat_multi_range_compat),
+       .table          = "nat",
+       .hooks          = 1 << NF_IP_POST_ROUTING,
        .checkentry     = masquerade_check,
        .me             = THIS_MODULE,
 };
index b074467fe67b642c0345c152c989363dd617c9bc..836d67e663912ee7f147f1a2d634f7491696ccd9 100644 (file)
@@ -38,19 +38,6 @@ check(const char *tablename,
 {
        const struct ip_nat_multi_range_compat *mr = targinfo;
 
-       if (strcmp(tablename, "nat") != 0) {
-               DEBUGP(MODULENAME":check: bad table `%s'.\n", tablename);
-               return 0;
-       }
-       if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
-               DEBUGP(MODULENAME":check: size %u.\n", targinfosize);
-               return 0;
-       }
-       if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) |
-                         (1 << NF_IP_LOCAL_OUT))) {
-               DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
-               return 0;
-       }
        if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) {
                DEBUGP(MODULENAME":check: bad MAP_IPS.\n");
                return 0;
@@ -101,6 +88,10 @@ target(struct sk_buff **pskb,
 static struct ipt_target target_module = { 
        .name           = MODULENAME,
        .target         = target, 
+       .targetsize     = sizeof(struct ip_nat_multi_range_compat),
+       .table          = "nat",
+       .hooks          = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) |
+                         (1 << NF_IP_LOCAL_OUT),
        .checkentry     = check,
        .me             = THIS_MODULE 
 };
index 140be51f2f01970772d3112d678962fde4c448ea..cc165e09d0b892c872620339d1ea542f72ad84d7 100644 (file)
@@ -40,18 +40,6 @@ redirect_check(const char *tablename,
 {
        const struct ip_nat_multi_range_compat *mr = targinfo;
 
-       if (strcmp(tablename, "nat") != 0) {
-               DEBUGP("redirect_check: bad table `%s'.\n", table);
-               return 0;
-       }
-       if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
-               DEBUGP("redirect_check: size %u.\n", targinfosize);
-               return 0;
-       }
-       if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))) {
-               DEBUGP("redirect_check: bad hooks %x.\n", hook_mask);
-               return 0;
-       }
        if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
                DEBUGP("redirect_check: bad MAP_IPS.\n");
                return 0;
@@ -115,6 +103,9 @@ redirect_target(struct sk_buff **pskb,
 static struct ipt_target redirect_reg = {
        .name           = "REDIRECT",
        .target         = redirect_target,
+       .targetsize     = sizeof(struct ip_nat_multi_range_compat),
+       .table          = "nat",
+       .hooks          = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT),
        .checkentry     = redirect_check,
        .me             = THIS_MODULE,
 };
index 3eb47aae78c5b4cf1e215d9975f9c4e6c3440067..ddd6bd1b977602a52aa85bde3c5db03279eaecc1 100644 (file)
@@ -290,23 +290,6 @@ static int check(const char *tablename,
        const struct ipt_reject_info *rejinfo = targinfo;
        const struct ipt_entry *e = e_void;
 
-       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_reject_info))) {
-               DEBUGP("REJECT: targinfosize %u != 0\n", targinfosize);
-               return 0;
-       }
-
-       /* Only allow these for packet filtering. */
-       if (strcmp(tablename, "filter") != 0) {
-               DEBUGP("REJECT: bad table `%s'.\n", tablename);
-               return 0;
-       }
-       if ((hook_mask & ~((1 << NF_IP_LOCAL_IN)
-                          | (1 << NF_IP_FORWARD)
-                          | (1 << NF_IP_LOCAL_OUT))) != 0) {
-               DEBUGP("REJECT: bad hook mask %X\n", hook_mask);
-               return 0;
-       }
-
        if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
                printk("REJECT: ECHOREPLY no longer supported.\n");
                return 0;
@@ -318,13 +301,16 @@ static int check(const char *tablename,
                        return 0;
                }
        }
-
        return 1;
 }
 
 static struct ipt_target ipt_reject_reg = {
        .name           = "REJECT",
        .target         = reject,
+       .targetsize     = sizeof(struct ipt_reject_info),
+       .table          = "filter",
+       .hooks          = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
+                         (1 << NF_IP_LOCAL_OUT),
        .checkentry     = check,
        .me             = THIS_MODULE,
 };
index a22de59bba0e0581ea29552300550a4788d1e057..8743c3a70157d7d819edb107bf8fd8415410aa8e 100644 (file)
@@ -59,18 +59,6 @@ same_check(const char *tablename,
 
        mr->ipnum = 0;
 
-       if (strcmp(tablename, "nat") != 0) {
-               DEBUGP("same_check: bad table `%s'.\n", tablename);
-               return 0;
-       }
-       if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
-               DEBUGP("same_check: size %u.\n", targinfosize);
-               return 0;
-       }
-       if (hook_mask & ~(1 << NF_IP_PRE_ROUTING | 1 << NF_IP_POST_ROUTING)) {
-               DEBUGP("same_check: bad hooks %x.\n", hook_mask);
-               return 0;
-       }
        if (mr->rangesize < 1) {
                DEBUGP("same_check: need at least one dest range.\n");
                return 0;
@@ -191,6 +179,9 @@ same_target(struct sk_buff **pskb,
 static struct ipt_target same_reg = { 
        .name           = "SAME",
        .target         = same_target,
+       .targetsize     = sizeof(struct ipt_same_info),
+       .table          = "nat",
+       .hooks          = (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_POST_ROUTING),
        .checkentry     = same_check,
        .destroy        = same_destroy,
        .me             = THIS_MODULE,
index c122841e182c965d0c8629eb26987af736830001..4be6e2bf26d261664b6da45fab484d9a27a070be 100644 (file)
@@ -218,13 +218,6 @@ ipt_tcpmss_checkentry(const char *tablename,
        const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
        const struct ipt_entry *e = e_void;
 
-       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tcpmss_info))) {
-               DEBUGP("ipt_tcpmss_checkentry: targinfosize %u != %u\n",
-                      targinfosize, IPT_ALIGN(sizeof(struct ipt_tcpmss_info)));
-               return 0;
-       }
-
-
        if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) && 
                        ((hook_mask & ~((1 << NF_IP_FORWARD)
                                | (1 << NF_IP_LOCAL_OUT)
@@ -233,11 +226,8 @@ ipt_tcpmss_checkentry(const char *tablename,
                return 0;
        }
 
-       if (e->ip.proto == IPPROTO_TCP
-           && !(e->ip.invflags & IPT_INV_PROTO)
-           && IPT_MATCH_ITERATE(e, find_syn_match))
+       if (IPT_MATCH_ITERATE(e, find_syn_match))
                return 1;
-
        printk("TCPMSS: Only works on TCP SYN packets\n");
        return 0;
 }
@@ -245,6 +235,8 @@ ipt_tcpmss_checkentry(const char *tablename,
 static struct ipt_target ipt_tcpmss_reg = {
        .name           = "TCPMSS",
        .target         = ipt_tcpmss_target,
+       .targetsize     = sizeof(struct ipt_tcpmss_info),
+       .proto          = IPPROTO_TCP,
        .checkentry     = ipt_tcpmss_checkentry,
        .me             = THIS_MODULE,
 };
index 3a44a56db2397352c6b012867a9bb683dd2969f9..6568e3e30e47631924772dad825cf081dfa1f9ee 100644 (file)
@@ -59,18 +59,6 @@ checkentry(const char *tablename,
 {
        const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos;
 
-       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tos_target_info))) {
-               printk(KERN_WARNING "TOS: targinfosize %u != %Zu\n",
-                      targinfosize,
-                      IPT_ALIGN(sizeof(struct ipt_tos_target_info)));
-               return 0;
-       }
-
-       if (strcmp(tablename, "mangle") != 0) {
-               printk(KERN_WARNING "TOS: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
-               return 0;
-       }
-
        if (tos != IPTOS_LOWDELAY
            && tos != IPTOS_THROUGHPUT
            && tos != IPTOS_RELIABILITY
@@ -79,13 +67,14 @@ checkentry(const char *tablename,
                printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
                return 0;
        }
-
        return 1;
 }
 
 static struct ipt_target ipt_tos_reg = {
        .name           = "TOS",
        .target         = target,
+       .targetsize     = sizeof(struct ipt_tos_target_info),
+       .table          = "mangle",
        .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
index b769eb231970ba82a4737e6cd6654254f0e1a848..61d94e09693967ccba235765df750c37cd09f8f4 100644 (file)
@@ -73,34 +73,21 @@ static int ipt_ttl_checkentry(const char *tablename,
 {
        struct ipt_TTL_info *info = targinfo;
 
-       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_TTL_info))) {
-               printk(KERN_WARNING "ipt_TTL: targinfosize %u != %Zu\n",
-                               targinfosize,
-                               IPT_ALIGN(sizeof(struct ipt_TTL_info)));
-               return 0;
-       }
-
-       if (strcmp(tablename, "mangle")) {
-               printk(KERN_WARNING "ipt_TTL: can only be called from "
-                       "\"mangle\" table, not \"%s\"\n", tablename);
-               return 0;
-       }
-
        if (info->mode > IPT_TTL_MAXMODE) {
                printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", 
                        info->mode);
                return 0;
        }
-
        if ((info->mode != IPT_TTL_SET) && (info->ttl == 0))
                return 0;
-
        return 1;
 }
 
 static struct ipt_target ipt_TTL = { 
        .name           = "TTL",
        .target         = ipt_ttl_target, 
+       .targetsize     = sizeof(struct ipt_TTL_info),
+       .table          = "mangle",
        .checkentry     = ipt_ttl_checkentry, 
        .me             = THIS_MODULE,
 };
index 180a9ea57b69fb4e05a7c8b171f1bc1628ae6f8c..c95e7e9f74ff555da2b0bee8f56636e9cf0a34d2 100644 (file)
@@ -345,36 +345,30 @@ static int ipt_ulog_checkentry(const char *tablename,
 {
        struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
 
-       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ulog_info))) {
-               DEBUGP("ipt_ULOG: targinfosize %u != 0\n", targinfosize);
-               return 0;
-       }
-
        if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
                DEBUGP("ipt_ULOG: prefix term %i\n",
                       loginfo->prefix[sizeof(loginfo->prefix) - 1]);
                return 0;
        }
-
        if (loginfo->qthreshold > ULOG_MAX_QLEN) {
                DEBUGP("ipt_ULOG: queue threshold %i > MAX_QLEN\n",
                        loginfo->qthreshold);
                return 0;
        }
-
        return 1;
 }
 
 static struct ipt_target ipt_ulog_reg = {
        .name           = "ULOG",
        .target         = ipt_ulog_target,
+       .targetsize     = sizeof(struct ipt_ulog_info),
        .checkentry     = ipt_ulog_checkentry,
        .me             = THIS_MODULE,
 };
 
 static struct nf_logger ipt_ulog_logger = {
        .name           = "ipt_ULOG",
-       .logfn          = &ipt_logfn,
+       .logfn          = ipt_logfn,
        .me             = THIS_MODULE,
 };
 
index d6b83a976518c1bd0352e40a926b7f9ac7bdbe1b..ad5dc4658022b05b3ae625835783284090bb0f9f 100644 (file)
@@ -43,23 +43,10 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
        return ret;
 }
 
-static int checkentry(const char *tablename, const void *ip,
-                     void *matchinfo, unsigned int matchsize,
-                     unsigned int hook_mask)
-{
-       if (matchsize != IPT_ALIGN(sizeof(struct ipt_addrtype_info))) {
-               printk(KERN_ERR "ipt_addrtype: invalid size (%u != %Zu)\n",
-                      matchsize, IPT_ALIGN(sizeof(struct ipt_addrtype_info)));
-               return 0;
-       }
-
-       return 1;
-}
-
 static struct ipt_match addrtype_match = {
        .name           = "addrtype",
        .match          = match,
-       .checkentry     = checkentry,
+       .matchsize      = sizeof(struct ipt_addrtype_info),
        .me             = THIS_MODULE
 };
 
index 144adfec13cccff549bb4e716c979b7057e02037..a33eeea38e1d5b0df20010f8f4f8dc1de9940ec3 100644 (file)
@@ -76,32 +76,21 @@ checkentry(const char *tablename,
           unsigned int hook_mask)
 {
        const struct ipt_ah *ahinfo = matchinfo;
-       const struct ipt_ip *ip = ip_void;
 
-       /* Must specify proto == AH, and no unknown invflags */
-       if (ip->proto != IPPROTO_AH || (ip->invflags & IPT_INV_PROTO)) {
-               duprintf("ipt_ah: Protocol %u != %u\n", ip->proto,
-                        IPPROTO_AH);
-               return 0;
-       }
-       if (matchinfosize != IPT_ALIGN(sizeof(struct ipt_ah))) {
-               duprintf("ipt_ah: matchsize %u != %u\n",
-                        matchinfosize, IPT_ALIGN(sizeof(struct ipt_ah)));
-               return 0;
-       }
+       /* Must specify no unknown invflags */
        if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
-               duprintf("ipt_ah: unknown flags %X\n",
-                        ahinfo->invflags);
+               duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags);
                return 0;
        }
-
        return 1;
 }
 
 static struct ipt_match ah_match = {
        .name           = "ah",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ipt_ah),
+       .proto          = IPPROTO_AH,
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
 
index 92063b4f8602c8de8c34b2dcf33426fcf7ce7353..e7889ba22f4c860db6858dc82ef242bc7c932b11 100644 (file)
@@ -31,20 +31,10 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
        return ((iph->tos&IPT_DSCP_MASK) == sh_dscp) ^ info->invert;
 }
 
-static int checkentry(const char *tablename, const void *ip,
-                     void *matchinfo, unsigned int matchsize,
-                     unsigned int hook_mask)
-{
-       if (matchsize != IPT_ALIGN(sizeof(struct ipt_dscp_info)))
-               return 0;
-
-       return 1;
-}
-
 static struct ipt_match dscp_match = {
        .name           = "dscp",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ipt_dscp_info),
        .me             = THIS_MODULE,
 };
 
index e68b0c7981f0c7d4594d3e42854914873a43562a..723957f773105328deaba8ab41e6501d56afbbf2 100644 (file)
@@ -92,9 +92,6 @@ static int checkentry(const char *tablename, const void *ip_void,
        const struct ipt_ecn_info *info = matchinfo;
        const struct ipt_ip *ip = ip_void;
 
-       if (matchsize != IPT_ALIGN(sizeof(struct ipt_ecn_info)))
-               return 0;
-
        if (info->operation & IPT_ECN_OP_MATCH_MASK)
                return 0;
 
@@ -113,8 +110,9 @@ static int checkentry(const char *tablename, const void *ip_void,
 
 static struct ipt_match ecn_match = {
        .name           = "ecn",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ipt_ecn_info),
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
 
index 9de191a8162da78e3177a5e0b356d128a39363b2..984fa4862ce99b9e7112c3316b7febd9bd3a6424 100644 (file)
@@ -77,32 +77,21 @@ checkentry(const char *tablename,
           unsigned int hook_mask)
 {
        const struct ipt_esp *espinfo = matchinfo;
-       const struct ipt_ip *ip = ip_void;
 
-       /* Must specify proto == ESP, and no unknown invflags */
-       if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) {
-               duprintf("ipt_esp: Protocol %u != %u\n", ip->proto,
-                        IPPROTO_ESP);
-               return 0;
-       }
-       if (matchinfosize != IPT_ALIGN(sizeof(struct ipt_esp))) {
-               duprintf("ipt_esp: matchsize %u != %u\n",
-                        matchinfosize, IPT_ALIGN(sizeof(struct ipt_esp)));
-               return 0;
-       }
+       /* Must specify no unknown invflags */
        if (espinfo->invflags & ~IPT_ESP_INV_MASK) {
-               duprintf("ipt_esp: unknown flags %X\n",
-                        espinfo->invflags);
+               duprintf("ipt_esp: unknown flags %X\n", espinfo->invflags);
                return 0;
        }
-
        return 1;
 }
 
 static struct ipt_match esp_match = {
        .name           = "esp",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ipt_esp),
+       .proto          = IPPROTO_ESP,
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
 
index 4fe48c1bd5f3f2b08ac6e600eb43f13d6e5dc4fb..156d9c255b2be80e6ab279187f6b154a7dedec74 100644 (file)
@@ -512,9 +512,6 @@ hashlimit_checkentry(const char *tablename,
 {
        struct ipt_hashlimit_info *r = matchinfo;
 
-       if (matchsize != IPT_ALIGN(sizeof(struct ipt_hashlimit_info)))
-               return 0;
-
        /* Check for overflow. */
        if (r->cfg.burst == 0
            || user2credits(r->cfg.avg * r->cfg.burst) < 
@@ -565,12 +562,13 @@ hashlimit_destroy(void *matchinfo, unsigned int matchsize)
        htable_put(r->hinfo);
 }
 
-static struct ipt_match ipt_hashlimit = { 
-       .name = "hashlimit", 
-       .match = hashlimit_match, 
-       .checkentry = hashlimit_checkentry, 
-       .destroy = hashlimit_destroy,
-       .me = THIS_MODULE 
+static struct ipt_match ipt_hashlimit = {
+       .name           = "hashlimit",
+       .match          = hashlimit_match,
+       .matchsize      = sizeof(struct ipt_hashlimit_info),
+       .checkentry     = hashlimit_checkentry,
+       .destroy        = hashlimit_destroy,
+       .me             = THIS_MODULE
 };
 
 /* PROC stuff */
index 13fb16fb78923d2bcdbde8bca839e396a8682256..0885ff5d0db7a067fac67a852284afc629883ef5 100644 (file)
@@ -62,27 +62,12 @@ match(const struct sk_buff *skb,
        return 1;
 }
 
-static int check(const char *tablename,
-                const void *inf,
-                void *matchinfo,
-                unsigned int matchsize,
-                unsigned int hook_mask)
-{
-       /* verify size */
-       if (matchsize != IPT_ALIGN(sizeof(struct ipt_iprange_info)))
-               return 0;
-
-       return 1;
-}
-
-static struct ipt_match iprange_match = 
-{ 
-       .list = { NULL, NULL }, 
-       .name = "iprange", 
-       .match = &match, 
-       .checkentry = &check, 
-       .destroy = NULL, 
-       .me = THIS_MODULE
+static struct ipt_match iprange_match = {
+       .name           = "iprange",
+       .match          = match,
+       .matchsize      = sizeof(struct ipt_iprange_info),
+       .destroy        = NULL,
+       .me             = THIS_MODULE
 };
 
 static int __init init(void)
index 2d52326553f1fa1b36cea95ada0685bdd8115e51..8f1684c3e5c6a47838f607fa77283037802b1f4c 100644 (file)
@@ -153,40 +153,19 @@ match_v1(const struct sk_buff *skb,
        return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
 }
 
-/* Called when user tries to insert an entry of this type. */
-static int
-checkentry(const char *tablename,
-          const void *ip,
-          void *matchinfo,
-          unsigned int matchsize,
-          unsigned int hook_mask)
-{
-       return (matchsize == IPT_ALIGN(sizeof(struct ipt_multiport)));
-}
-
-static int
-checkentry_v1(const char *tablename,
-             const void *ip,
-             void *matchinfo,
-             unsigned int matchsize,
-             unsigned int hook_mask)
-{
-       return (matchsize == IPT_ALIGN(sizeof(struct ipt_multiport_v1)));
-}
-
 static struct ipt_match multiport_match = {
        .name           = "multiport",
        .revision       = 0,
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ipt_multiport),
        .me             = THIS_MODULE,
 };
 
 static struct ipt_match multiport_match_v1 = {
        .name           = "multiport",
        .revision       = 1,
-       .match          = &match_v1,
-       .checkentry     = &checkentry_v1,
+       .match          = match_v1,
+       .matchsize      = sizeof(struct ipt_multiport_v1),
        .me             = THIS_MODULE,
 };
 
index 4843d0c9734f28c26a3d0bf35f4acb86f4204442..18adc1d214d425d01a25eba516b0583124010c1a 100644 (file)
@@ -59,31 +59,20 @@ checkentry(const char *tablename,
 {
        const struct ipt_owner_info *info = matchinfo;
 
-        if (hook_mask
-            & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING))) {
-                printk("ipt_owner: only valid for LOCAL_OUT or POST_ROUTING.\n");
-                return 0;
-        }
-
-       if (matchsize != IPT_ALIGN(sizeof(struct ipt_owner_info))) {
-               printk("Matchsize %u != %Zu\n", matchsize,
-                      IPT_ALIGN(sizeof(struct ipt_owner_info)));
-               return 0;
-       }
-
        if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) {
                printk("ipt_owner: pid, sid and command matching "
                       "not supported anymore\n");
                return 0;
        }
-
        return 1;
 }
 
 static struct ipt_match owner_match = {
        .name           = "owner",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ipt_owner_info),
+       .hooks          = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
 
index 5a7a265280f927a4ccac41140e7b682c8d3f3fe9..3fa6607c0c6c5d828df774daa6b259b3318aa37c 100644 (file)
@@ -125,11 +125,6 @@ static int checkentry(const char *tablename, const void *ip_void,
 {
        struct ipt_policy_info *info = matchinfo;
 
-       if (matchsize != IPT_ALIGN(sizeof(*info))) {
-               printk(KERN_ERR "ipt_policy: matchsize %u != %zu\n",
-                      matchsize, IPT_ALIGN(sizeof(*info)));
-               return 0;
-       }
        if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))) {
                printk(KERN_ERR "ipt_policy: neither incoming nor "
                                "outgoing policy selected\n");
@@ -158,6 +153,7 @@ static int checkentry(const char *tablename, const void *ip_void,
 static struct ipt_match policy_match = {
        .name           = "policy",
        .match          = match,
+       .matchsize      = sizeof(struct ipt_policy_info),
        .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
index 44611d6d14f5c4d95e906773b2006d7ff6e40294..e2ccd4295344f455f2dd8c5bd67342d9fceca111 100644 (file)
@@ -670,8 +670,6 @@ checkentry(const char *tablename,
        if(debug) printk(KERN_INFO RECENT_NAME ": checkentry() entered.\n");
 #endif
 
-       if (matchsize != IPT_ALIGN(sizeof(struct ipt_recent_info))) return 0;
-
        /* seconds and hit_count only valid for CHECK/UPDATE */
        if(info->check_set & IPT_RECENT_SET) { flag++; if(info->seconds || info->hit_count) return 0; }
        if(info->check_set & IPT_RECENT_REMOVE) { flag++; if(info->seconds || info->hit_count) return 0; }
@@ -951,12 +949,13 @@ destroy(void *matchinfo, unsigned int matchsize)
 /* This is the structure we pass to ipt_register to register our
  * module with iptables.
  */
-static struct ipt_match recent_match = { 
-  .name = "recent", 
-  .match = &match, 
-  .checkentry = &checkentry, 
-  .destroy = &destroy, 
-  .me = THIS_MODULE
+static struct ipt_match recent_match = {
+       .name           = "recent",
+       .match          = match,
+       .matchsize      = sizeof(struct ipt_recent_info),
+       .checkentry     = checkentry,
+       .destroy        = destroy,
+       .me             = THIS_MODULE
 };
 
 /* Kernel module initialization. */
index 9ab765e126f24db8aa5f4cfab815b5a3ddaf1593..4675c786189b4607c9f2426e1b47fc5b6285c1e0 100644 (file)
@@ -31,23 +31,10 @@ match(const struct sk_buff *skb,
        return (skb->nh.iph->tos == info->tos) ^ info->invert;
 }
 
-static int
-checkentry(const char *tablename,
-           const void *ip,
-           void *matchinfo,
-           unsigned int matchsize,
-           unsigned int hook_mask)
-{
-       if (matchsize != IPT_ALIGN(sizeof(struct ipt_tos_info)))
-               return 0;
-
-       return 1;
-}
-
 static struct ipt_match tos_match = {
        .name           = "tos",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ipt_tos_info),
        .me             = THIS_MODULE,
 };
 
index 82da53f430ab27d0b35e74220525434876fa5001..bb694a0b361d84c810b5551c9334477440548fa9 100644 (file)
@@ -47,20 +47,10 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
        return 0;
 }
 
-static int checkentry(const char *tablename, const void  *ip,
-                     void *matchinfo, unsigned int matchsize,
-                     unsigned int hook_mask)
-{
-       if (matchsize != IPT_ALIGN(sizeof(struct ipt_ttl_info)))
-               return 0;
-
-       return 1;
-}
-
 static struct ipt_match ttl_match = {
        .name           = "ttl",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ipt_ttl_info),
        .me             = THIS_MODULE,
 };