Switch the "hotdrop" variables to boolean
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
46 files changed:
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
static const char nulldevname[IFNAMSIZ];
unsigned int verdict = NF_DROP;
struct arphdr *arp;
static const char nulldevname[IFNAMSIZ];
unsigned int verdict = NF_DROP;
struct arphdr *arp;
struct arpt_entry *e, *back;
const char *indev, *outdev;
void *table_base;
struct arpt_entry *e, *back;
const char *indev, *outdev;
void *table_base;
const struct net_device *in,
const struct net_device *out,
int offset,
const struct net_device *in,
const struct net_device *out,
int offset,
{
/* Stop iteration if it doesn't match */
if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
{
/* Stop iteration if it doesn't match */
if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
u_int16_t offset;
struct iphdr *ip;
u_int16_t datalen;
u_int16_t offset;
struct iphdr *ip;
u_int16_t datalen;
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
const char *indev, *outdev;
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
const char *indev, *outdev;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct icmphdr _icmph, *ic;
const struct ipt_icmp *icmpinfo = matchinfo;
{
struct icmphdr _icmph, *ic;
const struct ipt_icmp *icmpinfo = matchinfo;
* can't. Hence, no choice but to drop.
*/
duprintf("Dropping evil ICMP tinygram.\n");
* can't. Hence, no choice but to drop.
*/
duprintf("Dropping evil ICMP tinygram.\n");
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ int offset, unsigned int protoff, bool *hotdrop)
{
const struct ipt_addrtype_info *info = matchinfo;
const struct iphdr *iph = ip_hdr(skb);
{
const struct ipt_addrtype_info *info = matchinfo;
const struct iphdr *iph = ip_hdr(skb);
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct ip_auth_hdr _ahdr, *ah;
const struct ipt_ah *ahinfo = matchinfo;
{
struct ip_auth_hdr _ahdr, *ah;
const struct ipt_ah *ahinfo = matchinfo;
* can't. Hence, no choice but to drop.
*/
duprintf("Dropping evil AH tinygram.\n");
* can't. Hence, no choice but to drop.
*/
duprintf("Dropping evil AH tinygram.\n");
static inline int match_tcp(const struct sk_buff *skb,
const struct ipt_ecn_info *einfo,
static inline int match_tcp(const struct sk_buff *skb,
const struct ipt_ecn_info *einfo,
{
struct tcphdr _tcph, *th;
{
struct tcphdr _tcph, *th;
*/
th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
if (th == NULL) {
*/
th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
if (th == NULL) {
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ int offset, unsigned int protoff, bool *hotdrop)
{
const struct ipt_ecn_info *info = matchinfo;
{
const struct ipt_ecn_info *info = matchinfo;
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ int offset, unsigned int protoff, bool *hotdrop)
{
const struct ipt_iprange_info *info = matchinfo;
const struct iphdr *iph = ip_hdr(skb);
{
const struct ipt_iprange_info *info = matchinfo;
const struct iphdr *iph = ip_hdr(skb);
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct ipt_owner_info *info = matchinfo;
{
const struct ipt_owner_info *info = matchinfo;
ipt_recent_match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
ipt_recent_match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ int offset, unsigned int protoff, bool *hotdrop)
{
const struct ipt_recent_info *info = matchinfo;
struct recent_table *t;
{
const struct ipt_recent_info *info = matchinfo;
struct recent_table *t;
goto out;
e = recent_entry_init(t, addr, ttl);
if (e == NULL)
goto out;
e = recent_entry_init(t, addr, ttl);
if (e == NULL)
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct ipt_tos_info *info = matchinfo;
{
const struct ipt_tos_info *info = matchinfo;
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ int offset, unsigned int protoff, bool *hotdrop)
{
const struct ipt_ttl_info *info = matchinfo;
const u8 ttl = ip_hdr(skb)->ttl;
{
const struct ipt_ttl_info *info = matchinfo;
const u8 ttl = ip_hdr(skb)->ttl;
const char *outdev,
const struct ip6t_ip6 *ip6info,
unsigned int *protoff,
const char *outdev,
const struct ip6t_ip6 *ip6info,
unsigned int *protoff,
- int *fragoff, int *hotdrop)
+ int *fragoff, bool *hotdrop)
{
size_t i;
unsigned long ret;
{
size_t i;
unsigned long ret;
protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
if (protohdr < 0) {
if (_frag_off == 0)
protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
if (protohdr < 0) {
if (_frag_off == 0)
return 0;
}
*fragoff = _frag_off;
return 0;
}
*fragoff = _frag_off;
const struct net_device *out,
int offset,
unsigned int protoff,
const struct net_device *out,
int offset,
unsigned int protoff,
{
/* Stop iteration if it doesn't match */
if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
{
/* Stop iteration if it doesn't match */
if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
int offset = 0;
unsigned int protoff = 0;
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
int offset = 0;
unsigned int protoff = 0;
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
const char *indev, *outdev;
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
const char *indev, *outdev;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct icmp6hdr _icmp, *ic;
const struct ip6t_icmp *icmpinfo = matchinfo;
{
struct icmp6hdr _icmp, *ic;
const struct ip6t_icmp *icmpinfo = matchinfo;
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil ICMP tinygram.\n");
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil ICMP tinygram.\n");
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct ip_auth_hdr *ah, _ah;
const struct ip6t_ah *ahinfo = matchinfo;
{
struct ip_auth_hdr *ah, _ah;
const struct ip6t_ah *ahinfo = matchinfo;
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
if (err < 0) {
if (err != -ENOENT)
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
if (err < 0) {
if (err != -ENOENT)
return 0;
}
ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
if (ah == NULL) {
return 0;
}
ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
if (ah == NULL) {
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
unsigned char eui64[8];
int i = 0;
{
unsigned char eui64[8];
int i = 0;
if (!(skb_mac_header(skb) >= skb->head &&
(skb_mac_header(skb) + ETH_HLEN) <= skb->data) &&
offset != 0) {
if (!(skb_mac_header(skb) >= skb->head &&
(skb_mac_header(skb) + ETH_HLEN) <= skb->data) &&
offset != 0) {
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct frag_hdr _frag, *fh;
const struct ip6t_frag *fraginfo = matchinfo;
{
struct frag_hdr _frag, *fh;
const struct ip6t_frag *fraginfo = matchinfo;
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
if (err < 0) {
if (err != -ENOENT)
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
if (err < 0) {
if (err != -ENOENT)
return 0;
}
fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
if (fh == NULL) {
return 0;
}
fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
if (fh == NULL) {
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct ipv6_opt_hdr _optsh, *oh;
const struct ip6t_opts *optinfo = matchinfo;
{
struct ipv6_opt_hdr _optsh, *oh;
const struct ip6t_opts *optinfo = matchinfo;
err = ipv6_find_hdr(skb, &ptr, match->data, NULL);
if (err < 0) {
if (err != -ENOENT)
err = ipv6_find_hdr(skb, &ptr, match->data, NULL);
if (err < 0) {
if (err != -ENOENT)
return 0;
}
oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
if (oh == NULL) {
return 0;
}
oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
if (oh == NULL) {
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ int offset, unsigned int protoff, bool *hotdrop)
{
const struct ip6t_hl_info *info = matchinfo;
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
{
const struct ip6t_hl_info *info = matchinfo;
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct ip6t_ipv6header_info *info = matchinfo;
unsigned int temp;
{
const struct ip6t_ipv6header_info *info = matchinfo;
unsigned int temp;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct ip6_mh _mh, *mh;
const struct ip6t_mh *mhinfo = matchinfo;
{
struct ip6_mh _mh, *mh;
const struct ip6t_mh *mhinfo = matchinfo;
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil MH tinygram.\n");
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil MH tinygram.\n");
return 0;
}
if (mh->ip6mh_proto != IPPROTO_NONE) {
duprintf("Dropping invalid MH Payload Proto: %u\n",
mh->ip6mh_proto);
return 0;
}
if (mh->ip6mh_proto != IPPROTO_NONE) {
duprintf("Dropping invalid MH Payload Proto: %u\n",
mh->ip6mh_proto);
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct ip6t_owner_info *info = matchinfo;
{
const struct ip6t_owner_info *info = matchinfo;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct ipv6_rt_hdr _route, *rh;
const struct ip6t_rt *rtinfo = matchinfo;
{
struct ipv6_rt_hdr _route, *rh;
const struct ip6t_rt *rtinfo = matchinfo;
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
if (err < 0) {
if (err != -ENOENT)
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
if (err < 0) {
if (err != -ENOENT)
return 0;
}
rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
if (rh == NULL) {
return 0;
}
rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
if (rh == NULL) {
const void *matchinfo,
int offset,
unsigned int protooff,
const void *matchinfo,
int offset,
unsigned int protooff,
{
/* We always match */
return 1;
{
/* We always match */
return 1;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_connbytes_info *sinfo = matchinfo;
struct nf_conn *ct;
{
const struct xt_connbytes_info *sinfo = matchinfo;
struct nf_conn *ct;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_connmark_info *info = matchinfo;
struct nf_conn *ct;
{
const struct xt_connmark_info *info = matchinfo;
struct nf_conn *ct;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_conntrack_info *sinfo = matchinfo;
struct nf_conn *ct;
{
const struct xt_conntrack_info *sinfo = matchinfo;
struct nf_conn *ct;
const struct sk_buff *skb,
unsigned int protoff,
const struct dccp_hdr *dh,
const struct sk_buff *skb,
unsigned int protoff,
const struct dccp_hdr *dh,
{
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
unsigned char *op;
{
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
unsigned char *op;
unsigned int i;
if (dh->dccph_doff * 4 < __dccp_hdr_len(dh)) {
unsigned int i;
if (dh->dccph_doff * 4 < __dccp_hdr_len(dh)) {
if (op == NULL) {
/* If we don't have the whole header, drop packet. */
spin_unlock_bh(&dccp_buflock);
if (op == NULL) {
/* If we don't have the whole header, drop packet. */
spin_unlock_bh(&dccp_buflock);
static inline int
match_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff,
static inline int
match_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff,
- const struct dccp_hdr *dh, int *hotdrop)
+ const struct dccp_hdr *dh, bool *hotdrop)
{
return dccp_find_option(option, skb, protoff, dh, hotdrop);
}
{
return dccp_find_option(option, skb, protoff, dh, hotdrop);
}
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_dccp_info *info = matchinfo;
struct dccp_hdr _dh, *dh;
{
const struct xt_dccp_info *info = matchinfo;
struct dccp_hdr _dh, *dh;
dh = skb_header_pointer(skb, protoff, sizeof(_dh), &_dh);
if (dh == NULL) {
dh = skb_header_pointer(skb, protoff, sizeof(_dh), &_dh);
if (dh == NULL) {
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_dscp_info *info = matchinfo;
u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
{
const struct xt_dscp_info *info = matchinfo;
u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_dscp_info *info = matchinfo;
u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
{
const struct xt_dscp_info *info = matchinfo;
u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct ip_esp_hdr _esp, *eh;
const struct xt_esp *espinfo = matchinfo;
{
struct ip_esp_hdr _esp, *eh;
const struct xt_esp *espinfo = matchinfo;
* can't. Hence, no choice but to drop.
*/
duprintf("Dropping evil ESP tinygram.\n");
* can't. Hence, no choice but to drop.
*/
duprintf("Dropping evil ESP tinygram.\n");
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct xt_hashlimit_info *r =
((struct xt_hashlimit_info *)matchinfo)->u.master;
{
struct xt_hashlimit_info *r =
((struct xt_hashlimit_info *)matchinfo)->u.master;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_helper_info *info = matchinfo;
struct nf_conn *ct;
{
const struct xt_helper_info *info = matchinfo;
struct nf_conn *ct;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_length_info *info = matchinfo;
u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
{
const struct xt_length_info *info = matchinfo;
u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_length_info *info = matchinfo;
const u_int16_t pktlen = (ntohs(ipv6_hdr(skb)->payload_len) +
{
const struct xt_length_info *info = matchinfo;
const u_int16_t pktlen = (ntohs(ipv6_hdr(skb)->payload_len) +
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct xt_rateinfo *r = ((struct xt_rateinfo *)matchinfo)->master;
unsigned long now = jiffies;
{
struct xt_rateinfo *r = ((struct xt_rateinfo *)matchinfo)->master;
unsigned long now = jiffies;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_mac_info *info = matchinfo;
{
const struct xt_mac_info *info = matchinfo;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_mark_info *info = matchinfo;
{
const struct xt_mark_info *info = matchinfo;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
__be16 _ports[2], *pptr;
const struct xt_multiport *multiinfo = matchinfo;
{
__be16 _ports[2], *pptr;
const struct xt_multiport *multiinfo = matchinfo;
* can't. Hence, no choice but to drop.
*/
duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
* can't. Hence, no choice but to drop.
*/
duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
__be16 _ports[2], *pptr;
const struct xt_multiport_v1 *multiinfo = matchinfo;
{
__be16 _ports[2], *pptr;
const struct xt_multiport_v1 *multiinfo = matchinfo;
* can't. Hence, no choice but to drop.
*/
duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
* can't. Hence, no choice but to drop.
*/
duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
int i;
static const char nulldevname[IFNAMSIZ];
{
int i;
static const char nulldevname[IFNAMSIZ];
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
u_int8_t type;
const struct xt_pkttype_info *info = matchinfo;
{
u_int8_t type;
const struct xt_pkttype_info *info = matchinfo;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_policy_info *info = matchinfo;
int ret;
{
const struct xt_policy_info *info = matchinfo;
int ret;
match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ int offset, unsigned int protoff, bool *hotdrop)
{
struct xt_quota_info *q = ((struct xt_quota_info *)matchinfo)->master;
int ret = q->flags & XT_QUOTA_INVERT ? 1 : 0;
{
struct xt_quota_info *q = ((struct xt_quota_info *)matchinfo)->master;
int ret = q->flags & XT_QUOTA_INVERT ? 1 : 0;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_realm_info *info = matchinfo;
struct dst_entry *dst = skb->dst;
{
const struct xt_realm_info *info = matchinfo;
struct dst_entry *dst = skb->dst;
int chunk_match_type,
const struct xt_sctp_flag_info *flag_info,
const int flag_count,
int chunk_match_type,
const struct xt_sctp_flag_info *flag_info,
const int flag_count,
{
u_int32_t chunkmapcopy[256 / sizeof (u_int32_t)];
sctp_chunkhdr_t _sch, *sch;
{
u_int32_t chunkmapcopy[256 / sizeof (u_int32_t)];
sctp_chunkhdr_t _sch, *sch;
sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
if (sch == NULL || sch->length == 0) {
duprintf("Dropping invalid SCTP packet.\n");
sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
if (sch == NULL || sch->length == 0) {
duprintf("Dropping invalid SCTP packet.\n");
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_sctp_info *info = matchinfo;
sctp_sctphdr_t _sh, *sh;
{
const struct xt_sctp_info *info = matchinfo;
sctp_sctphdr_t _sh, *sh;
sh = skb_header_pointer(skb, protoff, sizeof(_sh), &_sh);
if (sh == NULL) {
duprintf("Dropping evil TCP offset=0 tinygram.\n");
sh = skb_header_pointer(skb, protoff, sizeof(_sh), &_sh);
if (sh == NULL) {
duprintf("Dropping evil TCP offset=0 tinygram.\n");
return 0;
}
duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
return 0;
}
duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_state_info *sinfo = matchinfo;
enum ip_conntrack_info ctinfo;
{
const struct xt_state_info *sinfo = matchinfo;
enum ip_conntrack_info ctinfo;
match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
- int offset, unsigned int protoff, int *hotdrop)
+ int offset, unsigned int protoff, bool *hotdrop)
{
struct xt_statistic_info *info = (struct xt_statistic_info *)matchinfo;
int ret = info->flags & XT_STATISTIC_INVERT ? 1 : 0;
{
struct xt_statistic_info *info = (struct xt_statistic_info *)matchinfo;
int ret = info->flags & XT_STATISTIC_INVERT ? 1 : 0;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_string_info *conf = matchinfo;
struct ts_state state;
{
const struct xt_string_info *conf = matchinfo;
struct ts_state state;
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
const struct xt_tcpmss_match_info *info = matchinfo;
struct tcphdr _tcph, *th;
{
const struct xt_tcpmss_match_info *info = matchinfo;
struct tcphdr _tcph, *th;
return info->invert;
dropit:
return info->invert;
dropit:
unsigned int protoff,
unsigned int optlen,
int invert,
unsigned int protoff,
unsigned int optlen,
int invert,
{
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
u_int8_t _opt[60 - sizeof(struct tcphdr)], *op;
{
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
u_int8_t _opt[60 - sizeof(struct tcphdr)], *op;
op = skb_header_pointer(skb, protoff + sizeof(struct tcphdr),
optlen, _opt);
if (op == NULL) {
op = skb_header_pointer(skb, protoff + sizeof(struct tcphdr),
optlen, _opt);
if (op == NULL) {
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct tcphdr _tcph, *th;
const struct xt_tcp *tcpinfo = matchinfo;
{
struct tcphdr _tcph, *th;
const struct xt_tcp *tcpinfo = matchinfo;
*/
if (offset == 1) {
duprintf("Dropping evil TCP offset=1 frag.\n");
*/
if (offset == 1) {
duprintf("Dropping evil TCP offset=1 frag.\n");
}
/* Must not be a fragment. */
return 0;
}
/* Must not be a fragment. */
return 0;
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil TCP offset=0 tinygram.\n");
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil TCP offset=0 tinygram.\n");
return 0;
if (tcpinfo->option) {
if (th->doff * 4 < sizeof(_tcph)) {
return 0;
if (tcpinfo->option) {
if (th->doff * 4 < sizeof(_tcph)) {
return 0;
}
if (!tcp_find_option(tcpinfo->option, skb, protoff,
return 0;
}
if (!tcp_find_option(tcpinfo->option, skb, protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
const void *matchinfo,
int offset,
unsigned int protoff,
{
struct udphdr _udph, *uh;
const struct xt_udp *udpinfo = matchinfo;
{
struct udphdr _udph, *uh;
const struct xt_udp *udpinfo = matchinfo;
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil UDP tinygram.\n");
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil UDP tinygram.\n");
git://ftp.safe.ca / safe / jmp / linux-2.6 / commitdiff