mirror of
https://github.com/adulau/aha.git
synced 2025-01-01 05:36:24 +00:00
netfilter: xtables: do centralized checkentry call (1/2)
It used to be that {ip,ip6,etc}_tables called extension->checkentry themselves, but this can be moved into the xtables core. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
parent
147c3844ad
commit
367c679007
7 changed files with 45 additions and 67 deletions
|
@ -330,10 +330,12 @@ extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
|
||||||
|
|
||||||
extern int xt_check_match(const struct xt_match *match, unsigned short family,
|
extern int xt_check_match(const struct xt_match *match, unsigned short family,
|
||||||
unsigned int size, const char *table, unsigned int hook,
|
unsigned int size, const char *table, unsigned int hook,
|
||||||
unsigned short proto, int inv_proto);
|
unsigned short proto, int inv_proto,
|
||||||
|
const void *entry, void *matchinfo);
|
||||||
extern int xt_check_target(const struct xt_target *target, unsigned short family,
|
extern int xt_check_target(const struct xt_target *target, unsigned short family,
|
||||||
unsigned int size, const char *table, unsigned int hook,
|
unsigned int size, const char *table, unsigned int hook,
|
||||||
unsigned short proto, int inv_proto);
|
unsigned short proto, int inv_proto,
|
||||||
|
const void *entry, void *targinfo);
|
||||||
|
|
||||||
extern struct xt_table *xt_register_table(struct net *net,
|
extern struct xt_table *xt_register_table(struct net *net,
|
||||||
struct xt_table *table,
|
struct xt_table *table,
|
||||||
|
|
|
@ -340,15 +340,11 @@ ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
|
||||||
m->u.match = match;
|
m->u.match = match;
|
||||||
|
|
||||||
ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size,
|
ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size,
|
||||||
name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
|
name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
|
||||||
|
e, m->data);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
module_put(match->me);
|
module_put(match->me);
|
||||||
return ret;
|
return ret;
|
||||||
} else if (match->checkentry != NULL &&
|
|
||||||
!match->checkentry(name, e, NULL, m->data, hookmask)) {
|
|
||||||
module_put(match->me);
|
|
||||||
BUGPRINT("match->check failed\n");
|
|
||||||
return -EINVAL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
(*cnt)++;
|
(*cnt)++;
|
||||||
|
@ -377,15 +373,11 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
|
||||||
w->u.watcher = watcher;
|
w->u.watcher = watcher;
|
||||||
|
|
||||||
ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size,
|
ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size,
|
||||||
name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
|
name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
|
||||||
|
e, w->data);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
module_put(watcher->me);
|
module_put(watcher->me);
|
||||||
return ret;
|
return ret;
|
||||||
} else if (watcher->checkentry != NULL &&
|
|
||||||
!watcher->checkentry(name, e, NULL, w->data, hookmask)) {
|
|
||||||
module_put(watcher->me);
|
|
||||||
BUGPRINT("watcher->check failed\n");
|
|
||||||
return -EINVAL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
(*cnt)++;
|
(*cnt)++;
|
||||||
|
@ -692,15 +684,11 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size,
|
ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size,
|
||||||
name, hookmask, e->ethproto, e->invflags & EBT_IPROTO);
|
name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
|
||||||
|
e, t->data);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
module_put(target->me);
|
module_put(target->me);
|
||||||
goto cleanup_watchers;
|
goto cleanup_watchers;
|
||||||
} else if (t->u.target->checkentry &&
|
|
||||||
!t->u.target->checkentry(name, e, NULL, t->data, hookmask)) {
|
|
||||||
module_put(t->u.target->me);
|
|
||||||
ret = -EINVAL;
|
|
||||||
goto cleanup_watchers;
|
|
||||||
}
|
}
|
||||||
(*cnt)++;
|
(*cnt)++;
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -465,16 +465,14 @@ static inline int check_target(struct arpt_entry *e, const char *name)
|
||||||
|
|
||||||
ret = xt_check_target(target, NFPROTO_ARP,
|
ret = xt_check_target(target, NFPROTO_ARP,
|
||||||
t->u.target_size - sizeof(*t),
|
t->u.target_size - sizeof(*t),
|
||||||
name, e->comefrom, 0, 0);
|
name, e->comefrom, 0, 0, e, t->data);
|
||||||
if (!ret && t->u.kernel.target->checkentry
|
if (ret < 0) {
|
||||||
&& !t->u.kernel.target->checkentry(name, e, target, t->data,
|
|
||||||
e->comefrom)) {
|
|
||||||
duprintf("arp_tables: check failed for `%s'.\n",
|
duprintf("arp_tables: check failed for `%s'.\n",
|
||||||
t->u.kernel.target->name);
|
t->u.kernel.target->name);
|
||||||
ret = -EINVAL;
|
|
||||||
}
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static inline int
|
static inline int
|
||||||
find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
|
find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
|
||||||
|
|
|
@ -616,18 +616,15 @@ check_match(struct ipt_entry_match *m, const char *name,
|
||||||
match = m->u.kernel.match;
|
match = m->u.kernel.match;
|
||||||
ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
|
ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
|
||||||
name, hookmask, ip->proto,
|
name, hookmask, ip->proto,
|
||||||
ip->invflags & IPT_INV_PROTO);
|
ip->invflags & IPT_INV_PROTO, ip, m->data);
|
||||||
if (!ret && m->u.kernel.match->checkentry
|
if (ret < 0) {
|
||||||
&& !m->u.kernel.match->checkentry(name, ip, match, m->data,
|
|
||||||
hookmask)) {
|
|
||||||
duprintf("ip_tables: check failed for `%s'.\n",
|
duprintf("ip_tables: check failed for `%s'.\n",
|
||||||
m->u.kernel.match->name);
|
m->u.kernel.match->name);
|
||||||
ret = -EINVAL;
|
|
||||||
}
|
|
||||||
if (!ret)
|
|
||||||
(*i)++;
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
++*i;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
find_check_match(struct ipt_entry_match *m,
|
find_check_match(struct ipt_entry_match *m,
|
||||||
|
@ -668,16 +665,14 @@ static int check_target(struct ipt_entry *e, const char *name)
|
||||||
target = t->u.kernel.target;
|
target = t->u.kernel.target;
|
||||||
ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
|
ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
|
||||||
name, e->comefrom, e->ip.proto,
|
name, e->comefrom, e->ip.proto,
|
||||||
e->ip.invflags & IPT_INV_PROTO);
|
e->ip.invflags & IPT_INV_PROTO, e, t->data);
|
||||||
if (!ret && t->u.kernel.target->checkentry
|
if (ret < 0) {
|
||||||
&& !t->u.kernel.target->checkentry(name, e, target, t->data,
|
|
||||||
e->comefrom)) {
|
|
||||||
duprintf("ip_tables: check failed for `%s'.\n",
|
duprintf("ip_tables: check failed for `%s'.\n",
|
||||||
t->u.kernel.target->name);
|
t->u.kernel.target->name);
|
||||||
ret = -EINVAL;
|
|
||||||
}
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
|
find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
|
||||||
|
|
|
@ -642,18 +642,15 @@ static int check_match(struct ip6t_entry_match *m, const char *name,
|
||||||
match = m->u.kernel.match;
|
match = m->u.kernel.match;
|
||||||
ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
|
ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
|
||||||
name, hookmask, ipv6->proto,
|
name, hookmask, ipv6->proto,
|
||||||
ipv6->invflags & IP6T_INV_PROTO);
|
ipv6->invflags & IP6T_INV_PROTO, ipv6, m->data);
|
||||||
if (!ret && m->u.kernel.match->checkentry
|
if (ret < 0) {
|
||||||
&& !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
|
|
||||||
hookmask)) {
|
|
||||||
duprintf("ip_tables: check failed for `%s'.\n",
|
duprintf("ip_tables: check failed for `%s'.\n",
|
||||||
m->u.kernel.match->name);
|
m->u.kernel.match->name);
|
||||||
ret = -EINVAL;
|
|
||||||
}
|
|
||||||
if (!ret)
|
|
||||||
(*i)++;
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
++*i;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
find_check_match(struct ip6t_entry_match *m,
|
find_check_match(struct ip6t_entry_match *m,
|
||||||
|
@ -694,16 +691,14 @@ static int check_target(struct ip6t_entry *e, const char *name)
|
||||||
target = t->u.kernel.target;
|
target = t->u.kernel.target;
|
||||||
ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
|
ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
|
||||||
name, e->comefrom, e->ipv6.proto,
|
name, e->comefrom, e->ipv6.proto,
|
||||||
e->ipv6.invflags & IP6T_INV_PROTO);
|
e->ipv6.invflags & IP6T_INV_PROTO, e, t->data);
|
||||||
if (!ret && t->u.kernel.target->checkentry
|
if (ret < 0) {
|
||||||
&& !t->u.kernel.target->checkentry(name, e, target, t->data,
|
|
||||||
e->comefrom)) {
|
|
||||||
duprintf("ip_tables: check failed for `%s'.\n",
|
duprintf("ip_tables: check failed for `%s'.\n",
|
||||||
t->u.kernel.target->name);
|
t->u.kernel.target->name);
|
||||||
ret = -EINVAL;
|
|
||||||
}
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
|
find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
|
||||||
|
|
|
@ -323,7 +323,8 @@ EXPORT_SYMBOL_GPL(xt_find_revision);
|
||||||
|
|
||||||
int xt_check_match(const struct xt_match *match, unsigned short family,
|
int xt_check_match(const struct xt_match *match, unsigned short family,
|
||||||
unsigned int size, const char *table, unsigned int hook_mask,
|
unsigned int size, const char *table, unsigned int hook_mask,
|
||||||
unsigned short proto, int inv_proto)
|
unsigned short proto, int inv_proto, const void *entry,
|
||||||
|
void *matchinfo)
|
||||||
{
|
{
|
||||||
if (XT_ALIGN(match->matchsize) != size &&
|
if (XT_ALIGN(match->matchsize) != size &&
|
||||||
match->matchsize != -1) {
|
match->matchsize != -1) {
|
||||||
|
@ -351,6 +352,9 @@ int xt_check_match(const struct xt_match *match, unsigned short family,
|
||||||
xt_prefix[family], match->name, match->proto);
|
xt_prefix[family], match->name, match->proto);
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
if (match->checkentry != NULL &&
|
||||||
|
!match->checkentry(table, entry, match, matchinfo, hook_mask))
|
||||||
|
return -EINVAL;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(xt_check_match);
|
EXPORT_SYMBOL_GPL(xt_check_match);
|
||||||
|
@ -469,7 +473,8 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
|
||||||
|
|
||||||
int xt_check_target(const struct xt_target *target, unsigned short family,
|
int xt_check_target(const struct xt_target *target, unsigned short family,
|
||||||
unsigned int size, const char *table, unsigned int hook_mask,
|
unsigned int size, const char *table, unsigned int hook_mask,
|
||||||
unsigned short proto, int inv_proto)
|
unsigned short proto, int inv_proto, const void *entry,
|
||||||
|
void *targinfo)
|
||||||
{
|
{
|
||||||
if (XT_ALIGN(target->targetsize) != size) {
|
if (XT_ALIGN(target->targetsize) != size) {
|
||||||
printk("%s_tables: %s target: invalid size %Zu != %u\n",
|
printk("%s_tables: %s target: invalid size %Zu != %u\n",
|
||||||
|
@ -493,6 +498,9 @@ int xt_check_target(const struct xt_target *target, unsigned short family,
|
||||||
xt_prefix[family], target->name, target->proto);
|
xt_prefix[family], target->name, target->proto);
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
if (target->checkentry != NULL &&
|
||||||
|
!target->checkentry(table, entry, target, targinfo, hook_mask))
|
||||||
|
return -EINVAL;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(xt_check_target);
|
EXPORT_SYMBOL_GPL(xt_check_target);
|
||||||
|
|
|
@ -51,20 +51,12 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int
|
||||||
t->u.kernel.target = target;
|
t->u.kernel.target = target;
|
||||||
|
|
||||||
ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
|
ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
|
||||||
table, hook, 0, 0);
|
table, hook, 0, 0, NULL, t->data);
|
||||||
if (ret) {
|
if (ret < 0) {
|
||||||
module_put(t->u.kernel.target->me);
|
module_put(t->u.kernel.target->me);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
if (t->u.kernel.target->checkentry
|
return 0;
|
||||||
&& !t->u.kernel.target->checkentry(table, NULL,
|
|
||||||
t->u.kernel.target, t->data,
|
|
||||||
hook)) {
|
|
||||||
module_put(t->u.kernel.target->me);
|
|
||||||
ret = -EINVAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void ipt_destroy_target(struct ipt_entry_target *t)
|
static void ipt_destroy_target(struct ipt_entry_target *t)
|
||||||
|
|
Loading…
Reference in a new issue