netfilter: xtables: change hotdrop pointer to direct modification
[safe/jmp/linux-2.6] / net / ipv4 / netfilter / ip_tables.c
index 4e674f2..607f89f 100644 (file)
@@ -308,7 +308,6 @@ ipt_do_table(struct sk_buff *skb,
 {
        static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
        const struct iphdr *ip;
-       bool hotdrop = false;
        /* Initializing verdict to NF_DROP keeps gcc happy. */
        unsigned int verdict = NF_DROP;
        const char *indev, *outdev;
@@ -330,7 +329,7 @@ ipt_do_table(struct sk_buff *skb,
         * match it. */
        acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
        acpar.thoff   = ip_hdrlen(skb);
-       acpar.hotdrop = &hotdrop;
+       acpar.hotdrop = false;
        acpar.in      = in;
        acpar.out     = out;
        acpar.family  = NFPROTO_IPV4;
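Review bot: The initialisation `acpar.hotdrop = false;` deserves a comment, because the flag is now an ordinary member of the parameter block that extensions receive through a non-const pointer (icmp_match in the last hunk sets `par->hotdrop = true;`). I would add `/* set by an extension to force NF_DROP; the only acpar field extensions are expected to write */` above it, since the compiler cannot enforce that the neighbouring fields (`fragoff`, `thoff`, `in`, `out`) stay untouched. Whether any extension writes other fields cannot be seen from this diff, so the second half of that comment needs confirming. The body of ipt_do_table starts and ends outside this hunk.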
@@ -432,7 +431,7 @@ ipt_do_table(struct sk_buff *skb,
                else
                        /* Verdict */
                        break;
-       } while (!hotdrop);
+       } while (!acpar.hotdrop);
        xt_info_rdunlock_bh();
        pr_debug("Exiting %s; resetting sp from %u to %u\n",
                 __func__, *stackptr, origptr);
@@ -440,7 +439,7 @@ ipt_do_table(struct sk_buff *skb,
 #ifdef DEBUG_ALLOW_ALL
        return NF_ACCEPT;
 #else
-       if (hotdrop)
+       if (acpar.hotdrop)
                return NF_DROP;
        else return verdict;
 #endif
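Review bot: The `DEBUG_ALLOW_ALL` branch just above the changed `if (acpar.hotdrop)` returns NF_ACCEPT without consulting the flag, so in such a build a packet that a match marked for dropping (for example the ICMP tinygram case in the last hunk) is still accepted. That behaviour predates this commit, but the touched line is the natural place to document it, e.g. `/* debug builds ignore hotdrop and accept everything; never ship with DEBUG_ALLOW_ALL */`. As a matter of style, the tail could also collapse into a single `return acpar.hotdrop ? NF_DROP : verdict;`. The function body starts outside this hunk.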
@@ -2154,7 +2153,7 @@ icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
                 * can't.  Hence, no choice but to drop.
                 */
                duprintf("Dropping evil ICMP tinygram.\n");
-               *par->hotdrop = true;
+               par->hotdrop = true;
                return false;
        }