[NETFILTER]: Convert ip6_tables matches/targets to centralized error checking
authorPatrick McHardy <kaber@trash.net>
Tue, 21 Mar 2006 02:01:43 +0000 (18:01 -0800)
committerDavid S. Miller <davem@davemloft.net>
Tue, 21 Mar 2006 02:01:43 +0000 (18:01 -0800)
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 files changed:
net/ipv6/netfilter/ip6_tables.c
net/ipv6/netfilter/ip6t_HL.c
net/ipv6/netfilter/ip6t_LOG.c
net/ipv6/netfilter/ip6t_REJECT.c
net/ipv6/netfilter/ip6t_ah.c
net/ipv6/netfilter/ip6t_dst.c
net/ipv6/netfilter/ip6t_esp.c
net/ipv6/netfilter/ip6t_eui64.c
net/ipv6/netfilter/ip6t_frag.c
net/ipv6/netfilter/ip6t_hbh.c
net/ipv6/netfilter/ip6t_hl.c
net/ipv6/netfilter/ip6t_ipv6header.c
net/ipv6/netfilter/ip6t_multiport.c
net/ipv6/netfilter/ip6t_owner.c
net/ipv6/netfilter/ip6t_policy.c
net/ipv6/netfilter/ip6t_rt.c

index 1cd70683f2e2a52bf1c8a314bb8c37aa20d33ad4..e2e8d0140d7bac971bf3861faf1be05c85abec7f 100644 (file)
@@ -544,21 +544,12 @@ standard_check(const struct ip6t_entry_target *t,
        struct ip6t_standard_target *targ = (void *)t;
 
        /* Check standard info. */
-       if (t->u.target_size
-           != IP6T_ALIGN(sizeof(struct ip6t_standard_target))) {
-               duprintf("standard_check: target size %u != %u\n",
-                        t->u.target_size,
-                        IP6T_ALIGN(sizeof(struct ip6t_standard_target)));
-               return 0;
-       }
-
        if (targ->verdict >= 0
            && targ->verdict > max_offset - sizeof(struct ip6t_entry)) {
                duprintf("ip6t_standard_check: bad verdict (%i)\n",
                         targ->verdict);
                return 0;
        }
-
        if (targ->verdict < -NF_MAX_VERDICT - 1) {
                duprintf("ip6t_standard_check: bad negative verdict (%i)\n",
                         targ->verdict);
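Review bot: `standard_check` now reads `targ->verdict` through the `(void *)t` cast with no size test of its own, so the bounds guarantee rests entirely on the `.targetsize = sizeof(int)` added to `ip6t_standard_target` in the next hunk. The old test compared the whole `t->u.target_size` against `IP6T_ALIGN(sizeof(struct ip6t_standard_target))`, whereas the new field is an unaligned payload size, so the central check has to add the target header and the alignment itself. That code is not visible on this page and should be confirmed, along with the fact that it runs before this function. Once confirmed, I would replace `/* Check standard info. */` with `/* target_size is validated centrally against .targetsize; only the verdict is checked here */`. The function body starts and ends outside the hunk.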
@@ -1385,24 +1376,22 @@ icmp6_checkentry(const char *tablename,
           unsigned int matchsize,
           unsigned int hook_mask)
 {
-       const struct ip6t_ip6 *ipv6 = entry;
        const struct ip6t_icmp *icmpinfo = matchinfo;
 
-       /* Must specify proto == ICMP, and no unknown invflags */
-       return ipv6->proto == IPPROTO_ICMPV6
-               && !(ipv6->invflags & IP6T_INV_PROTO)
-               && matchsize == IP6T_ALIGN(sizeof(struct ip6t_icmp))
-               && !(icmpinfo->invflags & ~IP6T_ICMP_INV);
+       /* Must specify no unknown invflags */
+       return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
 }
 
 /* The built-in targets: standard (NULL) and error. */
 static struct ip6t_target ip6t_standard_target = {
        .name           = IP6T_STANDARD_TARGET,
+       .targetsize     = sizeof(int),
 };
 
 static struct ip6t_target ip6t_error_target = {
        .name           = IP6T_ERROR_TARGET,
        .target         = ip6t_error,
+       .targetsize     = IP6T_FUNCTION_MAXNAMELEN,
 };
 
 static struct nf_sockopt_ops ip6t_sockopts = {
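Review bot: The removed condition `!(ipv6->invflags & IP6T_INV_PROTO)` has no visible replacement. The next hunk adds `.proto = IPPROTO_ICMPV6` to `icmp6_matchstruct`, which covers the protocol number, but nothing on this page shows the central check also rejecting an inverted protocol. If it does not, a rule with a negated protocol would pass `icmp6_checkentry` and the match would be evaluated on packets that are not ICMPv6. Confirm that the central check is given the inversion flag, then make the comment say where the checks went, e.g. `/* proto (incl. inversion) and size are checked centrally; only invflags is validated here */`. The parameter list of `icmp6_checkentry` begins outside the hunk.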
@@ -1418,7 +1407,9 @@ static struct nf_sockopt_ops ip6t_sockopts = {
 static struct ip6t_match icmp6_matchstruct = {
        .name           = "icmp6",
        .match          = &icmp6_match,
-       .checkentry     = &icmp6_checkentry,
+       .matchsize      = sizeof(struct ip6t_icmp),
+       .checkentry     = icmp6_checkentry,
+       .proto          = IPPROTO_ICMPV6,
 };
 
 static int __init init(void)
index 306200c3505788fd8675c5c4a8bdd839f0ff6cc0..ab39ee90418eeef50fed58dab34bf57dca460265 100644 (file)
@@ -69,37 +69,24 @@ static int ip6t_hl_checkentry(const char *tablename,
 {
        struct ip6t_HL_info *info = targinfo;
 
-       if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_HL_info))) {
-               printk(KERN_WARNING "ip6t_HL: targinfosize %u != %Zu\n",
-                               targinfosize,
-                               IP6T_ALIGN(sizeof(struct ip6t_HL_info)));
-               return 0;       
-       }       
-
-       if (strcmp(tablename, "mangle")) {
-               printk(KERN_WARNING "ip6t_HL: can only be called from "
-                       "\"mangle\" table, not \"%s\"\n", tablename);
-               return 0;
-       }
-
        if (info->mode > IP6T_HL_MAXMODE) {
                printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", 
                        info->mode);
                return 0;
        }
-
        if ((info->mode != IP6T_HL_SET) && (info->hop_limit == 0)) {
                printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't "
                        "make sense with value 0\n");
                return 0;
        }
-       
        return 1;
 }
 
 static struct ip6t_target ip6t_HL = { 
        .name           = "HL", 
        .target         = ip6t_hl_target, 
+       .targetsize     = sizeof(struct ip6t_HL_info),
+       .table          = "mangle",
        .checkentry     = ip6t_hl_checkentry, 
        .me             = THIS_MODULE
 };
index 6b930efa9fb9965bc78bcb64009ffb81a51e8b0d..6a3a2da5f2b463274e173520dd0c47f0cdba763f 100644 (file)
@@ -455,29 +455,22 @@ static int ip6t_log_checkentry(const char *tablename,
 {
        const struct ip6t_log_info *loginfo = targinfo;
 
-       if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_log_info))) {
-               DEBUGP("LOG: targinfosize %u != %u\n",
-                      targinfosize, IP6T_ALIGN(sizeof(struct ip6t_log_info)));
-               return 0;
-       }
-
        if (loginfo->level >= 8) {
                DEBUGP("LOG: level %u >= 8\n", loginfo->level);
                return 0;
        }
-
        if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
                DEBUGP("LOG: prefix term %i\n",
                       loginfo->prefix[sizeof(loginfo->prefix)-1]);
                return 0;
        }
-
        return 1;
 }
 
 static struct ip6t_target ip6t_log_reg = {
        .name           = "LOG",
        .target         = ip6t_log_target, 
+       .targetsize     = sizeof(struct ip6t_log_info),
        .checkentry     = ip6t_log_checkentry, 
        .me             = THIS_MODULE,
 };
index 0e6d1d4bbd5c406e6db2a5558f10f6dd1818f82d..86407060f6dacf432d6a61d69c4f3c66fb369c18 100644 (file)
@@ -228,24 +228,6 @@ static int check(const char *tablename,
        const struct ip6t_reject_info *rejinfo = targinfo;
        const struct ip6t_entry *e = entry;
 
-       if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_reject_info))) {
-               DEBUGP("ip6t_REJECT: targinfosize %u != 0\n", targinfosize);
-               return 0;
-       }
-
-       /* Only allow these for packet filtering. */
-       if (strcmp(tablename, "filter") != 0) {
-               DEBUGP("ip6t_REJECT: bad table `%s'.\n", tablename);
-               return 0;
-       }
-
-       if ((hook_mask & ~((1 << NF_IP6_LOCAL_IN)
-                          | (1 << NF_IP6_FORWARD)
-                          | (1 << NF_IP6_LOCAL_OUT))) != 0) {
-               DEBUGP("ip6t_REJECT: bad hook mask %X\n", hook_mask);
-               return 0;
-       }
-
        if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
                printk("ip6t_REJECT: ECHOREPLY is not supported.\n");
                return 0;
@@ -257,13 +239,16 @@ static int check(const char *tablename,
                        return 0;
                }
        }
-
        return 1;
 }
 
 static struct ip6t_target ip6t_reject_reg = {
        .name           = "REJECT",
        .target         = reject6_target,
+       .targetsize     = sizeof(struct ip6t_reject_info),
+       .table          = "filter",
+       .hooks          = (1 << NF_IP6_LOCAL_IN) | (1 << NF_IP6_FORWARD) |
+                         (1 << NF_IP6_LOCAL_OUT),
        .checkentry     = check,
        .me             = THIS_MODULE
 };
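Review bot: The rationale comment `/* Only allow these for packet filtering. */` is deleted in the preceding hunk together with the table test, and the new `.table = "filter"` and `.hooks` initializers in `ip6t_reject_reg` carry no explanation of why REJECT is confined to them. Moving that one-line comment above `.table` keeps the reason next to the restriction. The removed `DEBUGP` lines also named the offending table and hook mask; whether the central check reports an equivalent diagnostic is not visible here.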
index 219a30365dff27dcef63046176e9f8a6ef19d41c..28710edcff4e72ab8d4733964c88b69cd05abc50 100644 (file)
@@ -105,11 +105,6 @@ checkentry(const char *tablename,
 {
        const struct ip6t_ah *ahinfo = matchinfo;
 
-       if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_ah))) {
-               DEBUGP("ip6t_ah: matchsize %u != %u\n",
-                      matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_ah)));
-               return 0;
-       }
        if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
                DEBUGP("ip6t_ah: unknown flags %X\n", ahinfo->invflags);
                return 0;
@@ -119,8 +114,9 @@ checkentry(const char *tablename,
 
 static struct ip6t_match ah_match = {
        .name           = "ah",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ip6t_ah),
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
 
index b4c153a53500f242b3fae2d67f67ef3ec22dbe53..2fbde5944e00eba8485e01cbb8ca50bfb76f251e 100644 (file)
@@ -185,16 +185,10 @@ checkentry(const char *tablename,
 {
        const struct ip6t_opts *optsinfo = matchinfo;
 
-       if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_opts))) {
-               DEBUGP("ip6t_opts: matchsize %u != %u\n",
-                      matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_opts)));
-               return 0;
-       }
        if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
                DEBUGP("ip6t_opts: unknown flags %X\n", optsinfo->invflags);
                return 0;
        }
-
        return 1;
 }
 
@@ -204,8 +198,9 @@ static struct ip6t_match opts_match = {
 #else
        .name           = "dst",
 #endif
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ip6t_opts),
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
 
index 724285df87115e5e75e26e99c248ca0cab823dfd..ede722328c3dbbf0fd280af86ce0102b819e16d4 100644 (file)
@@ -83,11 +83,6 @@ checkentry(const char *tablename,
 {
        const struct ip6t_esp *espinfo = matchinfo;
 
-       if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_esp))) {
-               DEBUGP("ip6t_esp: matchsize %u != %u\n",
-                        matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_esp)));
-               return 0;
-       }
        if (espinfo->invflags & ~IP6T_ESP_INV_MASK) {
                DEBUGP("ip6t_esp: unknown flags %X\n",
                         espinfo->invflags);
@@ -98,8 +93,9 @@ checkentry(const char *tablename,
 
 static struct ip6t_match esp_match = {
        .name           = "esp",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ip6t_esp),
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
 
index 27396ac0b9edb0a229c270ca92a648c325ae61fa..bfee5be7e57bdd1ccc8106256d42916c9e8ddb3a 100644 (file)
@@ -60,30 +60,12 @@ match(const struct sk_buff *skb,
        return 0;
 }
 
-static int
-ip6t_eui64_checkentry(const char *tablename,
-                     const void *ip,
-                     void *matchinfo,
-                     unsigned int matchsize,
-                     unsigned int hook_mask)
-{
-       if (hook_mask
-           & ~((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) |
-               (1 << NF_IP6_FORWARD))) {
-               printk("ip6t_eui64: only valid for PRE_ROUTING, LOCAL_IN or FORWARD.\n");
-               return 0;
-       }
-
-       if (matchsize != IP6T_ALIGN(sizeof(int)))
-               return 0;
-
-       return 1;
-}
-
 static struct ip6t_match eui64_match = {
        .name           = "eui64",
-       .match          = &match,
-       .checkentry     = &ip6t_eui64_checkentry,
+       .match          = match,
+       .matchsize      = sizeof(int),
+       .hooks          = (1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) |
+                         (1 << NF_IP6_FORWARD),
        .me             = THIS_MODULE,
 };
 
index 4c14125a0e26d18ec775bcfcfe0b27661d98713e..305de9bc6731d665b13e2661c22518e7f51601c7 100644 (file)
@@ -122,23 +122,18 @@ checkentry(const char *tablename,
 {
        const struct ip6t_frag *fraginfo = matchinfo;
 
-       if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_frag))) {
-               DEBUGP("ip6t_frag: matchsize %u != %u\n",
-                      matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_frag)));
-               return 0;
-       }
        if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
                DEBUGP("ip6t_frag: unknown flags %X\n", fraginfo->invflags);
                return 0;
        }
-
        return 1;
 }
 
 static struct ip6t_match frag_match = {
        .name           = "frag",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ip6t_frag),
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
 
index 37a8474a7e0c911e1508aafc5a8e4f6f4d86c4a1..ac8d4791bc2aeffa01b177e23dab9139f26d6581 100644 (file)
@@ -185,16 +185,10 @@ checkentry(const char *tablename,
 {
        const struct ip6t_opts *optsinfo = matchinfo;
 
-       if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_opts))) {
-               DEBUGP("ip6t_opts: matchsize %u != %u\n",
-                      matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_opts)));
-               return 0;
-       }
        if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
                DEBUGP("ip6t_opts: unknown flags %X\n", optsinfo->invflags);
                return 0;
        }
-
        return 1;
 }
 
@@ -204,8 +198,9 @@ static struct ip6t_match opts_match = {
 #else
        .name           = "dst",
 #endif
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ip6t_opts),
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
 
index c5d9079f2d9dfc885f764f4984b5e9e8deb8d8b4..1eabb6507300dd80ddcd7220b226316b7332cfb8 100644 (file)
@@ -48,20 +48,10 @@ static int match(const struct sk_buff *skb, const struct net_device *in,
        return 0;
 }
 
-static int checkentry(const char *tablename, const void *entry,
-                     void *matchinfo, unsigned int matchsize,
-                     unsigned int hook_mask)
-{
-       if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_hl_info)))
-               return 0;
-
-       return 1;
-}
-
 static struct ip6t_match hl_match = {
        .name           = "hl",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ip6t_hl_info),
        .me             = THIS_MODULE,
 };
 
index 83ad6b272f7e6fbf201f09fc1b74a19a71abd0b2..063032a214c795a880da36723c26aac2ac5a209b 100644 (file)
@@ -131,11 +131,6 @@ ipv6header_checkentry(const char *tablename,
 {
        const struct ip6t_ipv6header_info *info = matchinfo;
 
-       /* Check for obvious errors */
-       /* This match is valid in all hooks! */
-       if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info)))
-               return 0;
-
        /* invflags is 0 or 0xff in hard mode */
        if ((!info->modeflag) && info->invflags != 0x00 &&
            info->invflags != 0xFF)
@@ -147,6 +142,7 @@ ipv6header_checkentry(const char *tablename,
 static struct ip6t_match ip6t_ipv6header_match = {
        .name           = "ipv6header",
        .match          = &ipv6header_match,
+       .matchsize      = sizeof(struct ip6t_ipv6header_info),
        .checkentry     = &ipv6header_checkentry,
        .destroy        = NULL,
        .me             = THIS_MODULE,
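Review bot: `ip6t_ipv6header_match` keeps `.match = &ipv6header_match` and `.checkentry = &ipv6header_checkentry`, while the ah, esp, frag, rt and other match registrations in this commit drop the redundant `&`. For consistency these should read `.match = ipv6header_match,` and `.checkentry = ipv6header_checkentry,`. `icmp6_matchstruct` in the first file has the same leftover in `.match = &icmp6_match`, even though its `.checkentry` line was converted. The explicit `.destroy = NULL,` adds nothing in a designated initializer and could be dropped at the same time.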
index 49f7829dfbc2343db16fd8f343a848cf97d61a72..b86774daf170bef230465bbf711f48a4abbd5633 100644 (file)
@@ -92,13 +92,9 @@ checkentry(const char *tablename,
        const struct ip6t_ip6 *ip = info;
        const struct ip6t_multiport *multiinfo = matchinfo;
 
-       if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_multiport)))
-               return 0;
-
        /* Must specify proto == TCP/UDP, no unknown flags or bad count */
        return (ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP)
                && !(ip->invflags & IP6T_INV_PROTO)
-               && matchsize == IP6T_ALIGN(sizeof(struct ip6t_multiport))
                && (multiinfo->flags == IP6T_MULTIPORT_SOURCE
                    || multiinfo->flags == IP6T_MULTIPORT_DESTINATION
                    || multiinfo->flags == IP6T_MULTIPORT_EITHER)
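Review bot: The protocol test stays open-coded in `checkentry` (`ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP` plus the `IP6T_INV_PROTO` test) while the other matches move to declarative fields, and nothing explains why. Presumably a single `.proto` value cannot express two protocols. A short comment such as `/* two protocols are allowed, so proto is checked here rather than via .proto */` would stop a later cleanup from removing the test. The return expression continues past the end of the hunk.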
@@ -107,8 +103,9 @@ checkentry(const char *tablename,
 
 static struct ip6t_match multiport_match = {
        .name           = "multiport",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ip6t_multiport),
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
 
index 8c8a4c7ec9340cee4d778087d3e731b5649ce212..e26cd6da0420ba2a9919e1b83cd3d230232a31f0 100644 (file)
@@ -60,28 +60,20 @@ checkentry(const char *tablename,
 {
        const struct ip6t_owner_info *info = matchinfo;
 
-       if (hook_mask
-           & ~((1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING))) {
-               printk("ip6t_owner: only valid for LOCAL_OUT or POST_ROUTING.\n");
-               return 0;
-       }
-
-       if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_owner_info)))
-               return 0;
-
        if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
                printk("ipt_owner: pid and sid matching "
                       "not supported anymore\n");
                return 0;
        }
-
        return 1;
 }
 
 static struct ip6t_match owner_match = {
        .name           = "owner",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ip6t_owner_info),
+       .hooks          = (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
 
index 3d39ec924041a4883fb86f7e90a3db9c912f8976..ac8a5447aa85ce8bb4b9d9073bdd40ac24b0c45a 100644 (file)
@@ -125,11 +125,6 @@ static int checkentry(const char *tablename, const void *ip_void,
 {
        struct ip6t_policy_info *info = matchinfo;
 
-       if (matchsize != IP6T_ALIGN(sizeof(*info))) {
-               printk(KERN_ERR "ip6t_policy: matchsize %u != %zu\n",
-                      matchsize, IP6T_ALIGN(sizeof(*info)));
-               return 0;
-       }
        if (!(info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT))) {
                printk(KERN_ERR "ip6t_policy: neither incoming nor "
                                "outgoing policy selected\n");
@@ -158,6 +153,7 @@ static int checkentry(const char *tablename, const void *ip_void,
 static struct ip6t_match policy_match = {
        .name           = "policy",
        .match          = match,
+       .matchsize      = sizeof(struct ip6t_policy_info),
        .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };
index 8f82476dc89e6a46d6d644fb95abbcf568718ea1..a3810748f547db558f5da1989aa3baf0d21a05bc 100644 (file)
@@ -200,11 +200,6 @@ checkentry(const char *tablename,
 {
        const struct ip6t_rt *rtinfo = matchinfo;
 
-       if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_rt))) {
-               DEBUGP("ip6t_rt: matchsize %u != %u\n",
-                      matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_rt)));
-               return 0;
-       }
        if (rtinfo->invflags & ~IP6T_RT_INV_MASK) {
                DEBUGP("ip6t_rt: unknown flags %X\n", rtinfo->invflags);
                return 0;
@@ -222,8 +217,9 @@ checkentry(const char *tablename,
 
 static struct ip6t_match rt_match = {
        .name           = "rt",
-       .match          = &match,
-       .checkentry     = &checkentry,
+       .match          = match,
+       .matchsize      = sizeof(struct ip6t_rt),
+       .checkentry     = checkentry,
        .me             = THIS_MODULE,
 };