提交 367c6790 编写于 作者: J Jan Engelhardt 提交者: Patrick McHardy

netfilter: xtables: do centralized checkentry call (1/2)

It used to be that {ip,ip6,etc}_tables called extension->checkentry
themselves, but this can be moved into the xtables core.
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
上级 147c3844
...@@ -330,10 +330,12 @@ extern void xt_unregister_matches(struct xt_match *match, unsigned int n); ...@@ -330,10 +330,12 @@ extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
extern int xt_check_match(const struct xt_match *match, unsigned short family, extern int xt_check_match(const struct xt_match *match, unsigned short family,
unsigned int size, const char *table, unsigned int hook, unsigned int size, const char *table, unsigned int hook,
unsigned short proto, int inv_proto); unsigned short proto, int inv_proto,
const void *entry, void *matchinfo);
extern int xt_check_target(const struct xt_target *target, unsigned short family, extern int xt_check_target(const struct xt_target *target, unsigned short family,
unsigned int size, const char *table, unsigned int hook, unsigned int size, const char *table, unsigned int hook,
unsigned short proto, int inv_proto); unsigned short proto, int inv_proto,
const void *entry, void *targinfo);
extern struct xt_table *xt_register_table(struct net *net, extern struct xt_table *xt_register_table(struct net *net,
struct xt_table *table, struct xt_table *table,
......
...@@ -340,15 +340,11 @@ ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e, ...@@ -340,15 +340,11 @@ ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
m->u.match = match; m->u.match = match;
ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size, ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size,
name, hookmask, e->ethproto, e->invflags & EBT_IPROTO); name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
e, m->data);
if (ret < 0) { if (ret < 0) {
module_put(match->me); module_put(match->me);
return ret; return ret;
} else if (match->checkentry != NULL &&
!match->checkentry(name, e, NULL, m->data, hookmask)) {
module_put(match->me);
BUGPRINT("match->check failed\n");
return -EINVAL;
} }
(*cnt)++; (*cnt)++;
...@@ -377,15 +373,11 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e, ...@@ -377,15 +373,11 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
w->u.watcher = watcher; w->u.watcher = watcher;
ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size, ret = xt_check_target(watcher, NFPROTO_BRIDGE, w->watcher_size,
name, hookmask, e->ethproto, e->invflags & EBT_IPROTO); name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
e, w->data);
if (ret < 0) { if (ret < 0) {
module_put(watcher->me); module_put(watcher->me);
return ret; return ret;
} else if (watcher->checkentry != NULL &&
!watcher->checkentry(name, e, NULL, w->data, hookmask)) {
module_put(watcher->me);
BUGPRINT("watcher->check failed\n");
return -EINVAL;
} }
(*cnt)++; (*cnt)++;
...@@ -692,15 +684,11 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, ...@@ -692,15 +684,11 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
} }
ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size, ret = xt_check_target(target, NFPROTO_BRIDGE, t->target_size,
name, hookmask, e->ethproto, e->invflags & EBT_IPROTO); name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
e, t->data);
if (ret < 0) { if (ret < 0) {
module_put(target->me); module_put(target->me);
goto cleanup_watchers; goto cleanup_watchers;
} else if (t->u.target->checkentry &&
!t->u.target->checkentry(name, e, NULL, t->data, hookmask)) {
module_put(t->u.target->me);
ret = -EINVAL;
goto cleanup_watchers;
} }
(*cnt)++; (*cnt)++;
return 0; return 0;
......
...@@ -465,15 +465,13 @@ static inline int check_target(struct arpt_entry *e, const char *name) ...@@ -465,15 +465,13 @@ static inline int check_target(struct arpt_entry *e, const char *name)
ret = xt_check_target(target, NFPROTO_ARP, ret = xt_check_target(target, NFPROTO_ARP,
t->u.target_size - sizeof(*t), t->u.target_size - sizeof(*t),
name, e->comefrom, 0, 0); name, e->comefrom, 0, 0, e, t->data);
if (!ret && t->u.kernel.target->checkentry if (ret < 0) {
&& !t->u.kernel.target->checkentry(name, e, target, t->data,
e->comefrom)) {
duprintf("arp_tables: check failed for `%s'.\n", duprintf("arp_tables: check failed for `%s'.\n",
t->u.kernel.target->name); t->u.kernel.target->name);
ret = -EINVAL;
}
return ret; return ret;
}
return 0;
} }
static inline int static inline int
......
...@@ -616,17 +616,14 @@ check_match(struct ipt_entry_match *m, const char *name, ...@@ -616,17 +616,14 @@ check_match(struct ipt_entry_match *m, const char *name,
match = m->u.kernel.match; match = m->u.kernel.match;
ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m), ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
name, hookmask, ip->proto, name, hookmask, ip->proto,
ip->invflags & IPT_INV_PROTO); ip->invflags & IPT_INV_PROTO, ip, m->data);
if (!ret && m->u.kernel.match->checkentry if (ret < 0) {
&& !m->u.kernel.match->checkentry(name, ip, match, m->data,
hookmask)) {
duprintf("ip_tables: check failed for `%s'.\n", duprintf("ip_tables: check failed for `%s'.\n",
m->u.kernel.match->name); m->u.kernel.match->name);
ret = -EINVAL;
}
if (!ret)
(*i)++;
return ret; return ret;
}
++*i;
return 0;
} }
static int static int
...@@ -668,15 +665,13 @@ static int check_target(struct ipt_entry *e, const char *name) ...@@ -668,15 +665,13 @@ static int check_target(struct ipt_entry *e, const char *name)
target = t->u.kernel.target; target = t->u.kernel.target;
ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t), ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
name, e->comefrom, e->ip.proto, name, e->comefrom, e->ip.proto,
e->ip.invflags & IPT_INV_PROTO); e->ip.invflags & IPT_INV_PROTO, e, t->data);
if (!ret && t->u.kernel.target->checkentry if (ret < 0) {
&& !t->u.kernel.target->checkentry(name, e, target, t->data,
e->comefrom)) {
duprintf("ip_tables: check failed for `%s'.\n", duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name); t->u.kernel.target->name);
ret = -EINVAL;
}
return ret; return ret;
}
return 0;
} }
static int static int
......
...@@ -642,17 +642,14 @@ static int check_match(struct ip6t_entry_match *m, const char *name, ...@@ -642,17 +642,14 @@ static int check_match(struct ip6t_entry_match *m, const char *name,
match = m->u.kernel.match; match = m->u.kernel.match;
ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m), ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
name, hookmask, ipv6->proto, name, hookmask, ipv6->proto,
ipv6->invflags & IP6T_INV_PROTO); ipv6->invflags & IP6T_INV_PROTO, ipv6, m->data);
if (!ret && m->u.kernel.match->checkentry if (ret < 0) {
&& !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
hookmask)) {
duprintf("ip_tables: check failed for `%s'.\n", duprintf("ip_tables: check failed for `%s'.\n",
m->u.kernel.match->name); m->u.kernel.match->name);
ret = -EINVAL;
}
if (!ret)
(*i)++;
return ret; return ret;
}
++*i;
return 0;
} }
static int static int
...@@ -694,15 +691,13 @@ static int check_target(struct ip6t_entry *e, const char *name) ...@@ -694,15 +691,13 @@ static int check_target(struct ip6t_entry *e, const char *name)
target = t->u.kernel.target; target = t->u.kernel.target;
ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t), ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
name, e->comefrom, e->ipv6.proto, name, e->comefrom, e->ipv6.proto,
e->ipv6.invflags & IP6T_INV_PROTO); e->ipv6.invflags & IP6T_INV_PROTO, e, t->data);
if (!ret && t->u.kernel.target->checkentry if (ret < 0) {
&& !t->u.kernel.target->checkentry(name, e, target, t->data,
e->comefrom)) {
duprintf("ip_tables: check failed for `%s'.\n", duprintf("ip_tables: check failed for `%s'.\n",
t->u.kernel.target->name); t->u.kernel.target->name);
ret = -EINVAL;
}
return ret; return ret;
}
return 0;
} }
static int static int
......
...@@ -323,7 +323,8 @@ EXPORT_SYMBOL_GPL(xt_find_revision); ...@@ -323,7 +323,8 @@ EXPORT_SYMBOL_GPL(xt_find_revision);
int xt_check_match(const struct xt_match *match, unsigned short family, int xt_check_match(const struct xt_match *match, unsigned short family,
unsigned int size, const char *table, unsigned int hook_mask, unsigned int size, const char *table, unsigned int hook_mask,
unsigned short proto, int inv_proto) unsigned short proto, int inv_proto, const void *entry,
void *matchinfo)
{ {
if (XT_ALIGN(match->matchsize) != size && if (XT_ALIGN(match->matchsize) != size &&
match->matchsize != -1) { match->matchsize != -1) {
...@@ -351,6 +352,9 @@ int xt_check_match(const struct xt_match *match, unsigned short family, ...@@ -351,6 +352,9 @@ int xt_check_match(const struct xt_match *match, unsigned short family,
xt_prefix[family], match->name, match->proto); xt_prefix[family], match->name, match->proto);
return -EINVAL; return -EINVAL;
} }
if (match->checkentry != NULL &&
!match->checkentry(table, entry, match, matchinfo, hook_mask))
return -EINVAL;
return 0; return 0;
} }
EXPORT_SYMBOL_GPL(xt_check_match); EXPORT_SYMBOL_GPL(xt_check_match);
...@@ -469,7 +473,8 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_user); ...@@ -469,7 +473,8 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
int xt_check_target(const struct xt_target *target, unsigned short family, int xt_check_target(const struct xt_target *target, unsigned short family,
unsigned int size, const char *table, unsigned int hook_mask, unsigned int size, const char *table, unsigned int hook_mask,
unsigned short proto, int inv_proto) unsigned short proto, int inv_proto, const void *entry,
void *targinfo)
{ {
if (XT_ALIGN(target->targetsize) != size) { if (XT_ALIGN(target->targetsize) != size) {
printk("%s_tables: %s target: invalid size %Zu != %u\n", printk("%s_tables: %s target: invalid size %Zu != %u\n",
...@@ -493,6 +498,9 @@ int xt_check_target(const struct xt_target *target, unsigned short family, ...@@ -493,6 +498,9 @@ int xt_check_target(const struct xt_target *target, unsigned short family,
xt_prefix[family], target->name, target->proto); xt_prefix[family], target->name, target->proto);
return -EINVAL; return -EINVAL;
} }
if (target->checkentry != NULL &&
!target->checkentry(table, entry, target, targinfo, hook_mask))
return -EINVAL;
return 0; return 0;
} }
EXPORT_SYMBOL_GPL(xt_check_target); EXPORT_SYMBOL_GPL(xt_check_target);
......
...@@ -51,20 +51,12 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int ...@@ -51,20 +51,12 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int
t->u.kernel.target = target; t->u.kernel.target = target;
ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t), ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
table, hook, 0, 0); table, hook, 0, 0, NULL, t->data);
if (ret) { if (ret < 0) {
module_put(t->u.kernel.target->me); module_put(t->u.kernel.target->me);
return ret; return ret;
} }
if (t->u.kernel.target->checkentry return 0;
&& !t->u.kernel.target->checkentry(table, NULL,
t->u.kernel.target, t->data,
hook)) {
module_put(t->u.kernel.target->me);
ret = -EINVAL;
}
return ret;
} }
static void ipt_destroy_target(struct ipt_entry_target *t) static void ipt_destroy_target(struct ipt_entry_target *t)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册