netsched: Allow meta match on vlan tag on receive
[safe/jmp/linux-2.6] / net / sched / act_ipt.c
index 7ab2419..082c520 100644 (file)
@@ -40,6 +40,7 @@ static struct tcf_hashinfo ipt_hash_info = {
 
 static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook)
 {
+       struct xt_tgchk_param par;
        struct xt_target *target;
        int ret = 0;
 
@@ -49,29 +50,30 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int
                return -ENOENT;
 
        t->u.kernel.target = target;
-
-       ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
-                             table, hook, 0, 0);
-       if (ret) {
+       par.table     = table;
+       par.entryinfo = NULL;
+       par.target    = target;
+       par.targinfo  = t->data;
+       par.hook_mask = hook;
+       par.family    = NFPROTO_IPV4;
+
+       ret = xt_check_target(&par, t->u.target_size - sizeof(*t), 0, false);
+       if (ret < 0) {
                module_put(t->u.kernel.target->me);
                return ret;
        }
-       if (t->u.kernel.target->checkentry
-           && !t->u.kernel.target->checkentry(table, NULL,
-                                              t->u.kernel.target, t->data,
-                                              hook)) {
-               module_put(t->u.kernel.target->me);
-               ret = -EINVAL;
-       }
-
-       return ret;
+       return 0;
 }
 
 static void ipt_destroy_target(struct ipt_entry_target *t)
 {
-       if (t->u.kernel.target->destroy)
-               t->u.kernel.target->destroy(t->u.kernel.target, t->data);
-       module_put(t->u.kernel.target->me);
+       struct xt_tgdtor_param par = {
+               .target   = t->u.kernel.target,
+               .targinfo = t->data,
+       };
+       if (par.target->destroy != NULL)
+               par.target->destroy(&par);
+       module_put(par.target->me);
 }
 
 static int tcf_ipt_release(struct tcf_ipt *ipt, int bind)
@@ -92,6 +94,13 @@ static int tcf_ipt_release(struct tcf_ipt *ipt, int bind)
        return ret;
 }
 
+static const struct nla_policy ipt_policy[TCA_IPT_MAX + 1] = {
+       [TCA_IPT_TABLE] = { .type = NLA_STRING, .len = IFNAMSIZ },
+       [TCA_IPT_HOOK]  = { .type = NLA_U32 },
+       [TCA_IPT_INDEX] = { .type = NLA_U32 },
+       [TCA_IPT_TARG]  = { .len = sizeof(struct ipt_entry_target) },
+};
+
 static int tcf_ipt_init(struct nlattr *nla, struct nlattr *est,
                        struct tc_action *a, int ovr, int bind)
 {
@@ -107,30 +116,28 @@ static int tcf_ipt_init(struct nlattr *nla, struct nlattr *est,
        if (nla == NULL)
                return -EINVAL;
 
-       err = nla_parse_nested(tb, TCA_IPT_MAX, nla, NULL);
+       err = nla_parse_nested(tb, TCA_IPT_MAX, nla, ipt_policy);
        if (err < 0)
                return err;
 
-       if (tb[TCA_IPT_HOOK] == NULL ||
-           nla_len(tb[TCA_IPT_HOOK]) < sizeof(u32))
+       if (tb[TCA_IPT_HOOK] == NULL)
                return -EINVAL;
-       if (tb[TCA_IPT_TARG] == NULL ||
-           nla_len(tb[TCA_IPT_TARG]) < sizeof(*t))
+       if (tb[TCA_IPT_TARG] == NULL)
                return -EINVAL;
+
        td = (struct ipt_entry_target *)nla_data(tb[TCA_IPT_TARG]);
        if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size)
                return -EINVAL;
 
-       if (tb[TCA_IPT_INDEX] != NULL &&
-           nla_len(tb[TCA_IPT_INDEX]) >= sizeof(u32))
+       if (tb[TCA_IPT_INDEX] != NULL)
                index = nla_get_u32(tb[TCA_IPT_INDEX]);
 
        pc = tcf_hash_check(index, a, bind, &ipt_hash_info);
        if (!pc) {
                pc = tcf_hash_create(index, est, a, sizeof(*ipt), bind,
                                     &ipt_idx_gen, &ipt_hash_info);
-               if (unlikely(!pc))
-                       return -ENOMEM;
+               if (IS_ERR(pc))
+                   return PTR_ERR(pc);
                ret = ACT_P_CREATED;
        } else {
                if (!ovr) {
@@ -191,6 +198,7 @@ static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
 {
        int ret = 0, result = 0;
        struct tcf_ipt *ipt = a->priv;
+       struct xt_target_param par;
 
        if (skb_cloned(skb)) {
                if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
@@ -200,16 +208,19 @@ static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
        spin_lock(&ipt->tcf_lock);
 
        ipt->tcf_tm.lastuse = jiffies;
-       ipt->tcf_bstats.bytes += skb->len;
+       ipt->tcf_bstats.bytes += qdisc_pkt_len(skb);
        ipt->tcf_bstats.packets++;
 
        /* yes, we have to worry about both in and out dev
         worry later - danger - this API seems to have changed
         from earlier kernels */
-       ret = ipt->tcfi_t->u.kernel.target->target(skb, skb->dev, NULL,
-                                                  ipt->tcfi_hook,
-                                                  ipt->tcfi_t->u.kernel.target,
-                                                  ipt->tcfi_t->data);
+       par.in       = skb->dev;
+       par.out      = NULL;
+       par.hooknum  = ipt->tcfi_hook;
+       par.target   = ipt->tcfi_t->u.kernel.target;
+       par.targinfo = ipt->tcfi_t->data;
+       ret = par.target->target(skb, &par);
+
        switch (ret) {
        case NF_ACCEPT:
                result = TC_ACT_OK;