const struct ebt_entry *e = par->entryinfo;
if (BASE_CHAIN && info->target == EBT_RETURN)
- return false;
+ return -EINVAL;
if (e->ethproto != htons(ETH_P_ARP) ||
e->invflags & EBT_IPROTO)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_target ebt_arpreply_tg_reg __read_mostly = {
unsigned int hook_mask;
if (BASE_CHAIN && info->target == EBT_RETURN)
- return false;
+ return -EINVAL;
hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
if ((strcmp(par->table, "nat") != 0 ||
(1 << NF_BR_LOCAL_OUT)))) &&
(strcmp(par->table, "broute") != 0 ||
hook_mask & ~(1 << NF_BR_BROUTING)))
- return false;
+ return -EINVAL;
if (INVALID_TARGET)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_target ebt_dnat_tg_reg __read_mostly = {
struct ebt_log_info *info = par->targinfo;
if (info->bitmask & ~EBT_LOG_MASK)
- return false;
+ return -EINVAL;
if (info->loglevel >= 8)
- return false;
+ return -EINVAL;
info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0';
- return true;
+ return 0;
}
struct tcpudphdr
tmp = info->target | ~EBT_VERDICT_BITS;
if (BASE_CHAIN && tmp == EBT_RETURN)
- return false;
+ return -EINVAL;
if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
- return false;
+ return -EINVAL;
tmp = info->target & ~EBT_VERDICT_BITS;
if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE &&
tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
#ifdef CONFIG_COMPAT
struct compat_ebt_mark_t_info {
struct ebt_nflog_info *info = par->targinfo;
if (info->flags & ~EBT_NFLOG_MASK)
- return false;
+ return -EINVAL;
info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
- return true;
+ return 0;
}
static struct xt_target ebt_nflog_tg_reg __read_mostly = {
unsigned int hook_mask;
if (BASE_CHAIN && info->target == EBT_RETURN)
- return false;
+ return -EINVAL;
hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
if ((strcmp(par->table, "nat") != 0 ||
hook_mask & ~(1 << NF_BR_PRE_ROUTING)) &&
(strcmp(par->table, "broute") != 0 ||
hook_mask & ~(1 << NF_BR_BROUTING)))
- return false;
+ return -EINVAL;
if (INVALID_TARGET)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_target ebt_redirect_tg_reg __read_mostly = {
tmp = info->target | ~EBT_VERDICT_BITS;
if (BASE_CHAIN && tmp == EBT_RETURN)
- return false;
+ return -EINVAL;
if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
- return false;
+ return -EINVAL;
tmp = info->target | EBT_VERDICT_BITS;
if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_target ebt_snat_tg_reg __read_mostly = {
struct ebt_ulog_info *uloginfo = par->targinfo;
if (uloginfo->nlgroup > 31)
- return false;
+ return -EINVAL;
uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0';
if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
- return true;
+ return 0;
}
static struct xt_target ebt_ulog_tg_reg __read_mostly = {
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
pr_info("unknown mode %u\n", cipinfo->hash_mode);
- return false;
+ return -EINVAL;
}
if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
e->ip.dst.s_addr == 0) {
pr_info("Please specify destination IP\n");
- return false;
+ return -EINVAL;
}
/* FIXME: further sanity checks */
if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
pr_info("no config found for %pI4, need 'new'\n",
&e->ip.dst.s_addr);
- return false;
+ return -EINVAL;
} else {
struct net_device *dev;
if (e->ip.iniface[0] == '\0') {
pr_info("Please specify an interface name\n");
- return false;
+ return -EINVAL;
}
dev = dev_get_by_name(&init_net, e->ip.iniface);
if (!dev) {
pr_info("no such interface %s\n",
e->ip.iniface);
- return false;
+ return -EINVAL;
}
config = clusterip_config_init(cipinfo,
if (!config) {
pr_info("cannot allocate config\n");
dev_put(dev);
- return false;
+ return -EINVAL;
}
dev_mc_add(config->dev,config->clustermac, ETH_ALEN, 0);
}
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
/* drop reference count of cluster config when rule is deleted */
if (einfo->operation & IPT_ECN_OP_MASK) {
pr_info("unsupported ECN operation %x\n", einfo->operation);
- return false;
+ return -EINVAL;
}
if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect);
- return false;
+ return -EINVAL;
}
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
(e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
pr_info("cannot use TCP operations on a non-tcp rule\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_target ecn_tg_reg __read_mostly = {
if (loginfo->level >= 8) {
pr_debug("level %u >= 8\n", loginfo->level);
- return false;
+ return -EINVAL;
}
if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
pr_debug("prefix is not null-terminated\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_target log_tg_reg __read_mostly = {
if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
pr_debug("bad MAP_IPS.\n");
- return false;
+ return -EINVAL;
}
if (mr->rangesize != 1) {
pr_debug("bad rangesize %u\n", mr->rangesize);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static unsigned int
if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) {
pr_debug("bad MAP_IPS.\n");
- return false;
+ return -EINVAL;
}
if (mr->rangesize != 1) {
pr_debug("bad rangesize %u.\n", mr->rangesize);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static unsigned int
if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
pr_debug("bad MAP_IPS.\n");
- return false;
+ return -EINVAL;
}
if (mr->rangesize != 1) {
pr_debug("bad rangesize %u.\n", mr->rangesize);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static unsigned int
if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
pr_info("ECHOREPLY no longer supported.\n");
- return false;
+ return -EINVAL;
} else if (rejinfo->with == IPT_TCP_RESET) {
/* Must specify that it's a TCP packet */
if (e->ip.proto != IPPROTO_TCP ||
(e->ip.invflags & XT_INV_PROTO)) {
pr_info("TCP_RESET invalid for non-tcp\n");
- return false;
+ return -EINVAL;
}
}
- return true;
+ return 0;
}
static struct xt_target reject_tg_reg __read_mostly = {
if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
pr_debug("prefix not null-terminated\n");
- return false;
+ return -EINVAL;
}
if (loginfo->qthreshold > ULOG_MAX_QLEN) {
pr_debug("queue threshold %Zu > MAX_QLEN\n",
loginfo->qthreshold);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
#ifdef CONFIG_COMPAT
/* Must be a valid range */
if (mr->rangesize != 1) {
pr_info("SNAT: multiple ranges no longer supported\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
/* Must be a valid range */
if (mr->rangesize != 1) {
pr_info("DNAT: multiple ranges no longer supported\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
unsigned int
if (loginfo->level >= 8) {
pr_debug("level %u >= 8\n", loginfo->level);
- return false;
+ return -EINVAL;
}
if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
pr_debug("prefix not null-terminated\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_target log_tg6_reg __read_mostly = {
if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
pr_info("ECHOREPLY is not supported.\n");
- return false;
+ return -EINVAL;
} else if (rejinfo->with == IP6T_TCP_RESET) {
/* Must specify that it's a TCP packet */
if (e->ipv6.proto != IPPROTO_TCP ||
(e->ipv6.invflags & XT_INV_PROTO)) {
pr_info("TCP_RESET illegal for non-tcp\n");
- return false;
+ return -EINVAL;
}
}
- return true;
+ return 0;
}
static struct xt_target reject_tg6_reg __read_mostly = {
int xt_check_target(struct xt_tgchk_param *par,
unsigned int size, u_int8_t proto, bool inv_proto)
{
+ int ret;
+
if (XT_ALIGN(par->target->targetsize) != size) {
pr_err("%s_tables: %s.%u target: invalid size "
"%u (kernel) != (user) %u\n",
par->target->proto);
return -EINVAL;
}
- if (par->target->checkentry != NULL && !par->target->checkentry(par))
- return -EINVAL;
+ if (par->target->checkentry != NULL) {
+ ret = par->target->checkentry(par);
+ if (ret < 0)
+ return ret;
+ else if (ret > 0)
+ /* Flag up potential errors. */
+ return -EIO;
+ }
return 0;
}
EXPORT_SYMBOL_GPL(xt_check_target);
strcmp(par->table, "security") != 0) {
pr_info("target only valid in the \'mangle\' "
"or \'security\' tables, not \'%s\'.\n", par->table);
- return false;
+ return -EINVAL;
}
switch (info->mode) {
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)
u8 proto;
if (info->flags & ~XT_CT_NOTRACK)
- return false;
+ return -EINVAL;
if (info->flags & XT_CT_NOTRACK) {
ct = &nf_conntrack_untracked;
__set_bit(IPS_CONFIRMED_BIT, &ct->status);
out:
info->ct = ct;
- return true;
+ return 0;
err3:
nf_conntrack_free(ct);
err2:
nf_ct_l3proto_module_put(par->family);
err1:
- return false;
+ return -EINVAL;
}
static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
if (info->dscp > XT_DSCP_MAX) {
pr_info("dscp %x out of range\n", info->dscp);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static unsigned int
return false;
}
if (info->mode != IPT_TTL_SET && info->ttl == 0)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static int hl_tg6_check(const struct xt_tgchk_param *par)
if (info->mode > IP6T_HL_MAXMODE) {
pr_info("invalid or unknown mode %u\n", info->mode);
- return false;
+ return -EINVAL;
}
if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
pr_info("increment/decrement does not "
"make sense with value 0\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_target hl_tg_reg[] __read_mostly = {
if (ledinfo->id[0] == '\0') {
pr_info("No 'id' parameter given.\n");
- return false;
+ return -EINVAL;
}
ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
if (!ledinternal)
- return false;
+ return -EINVAL;
ledinternal->netfilter_led_trigger.name = ledinfo->id;
(unsigned long)ledinfo);
ledinfo->internal_data = ledinternal;
-
- return true;
+ return 0;
exit_alloc:
kfree(ledinternal);
-
- return false;
+ return -EINVAL;
}
static void led_tg_destroy(const struct xt_tgdtor_param *par)
const struct xt_nflog_info *info = par->targinfo;
if (info->flags & ~XT_NFLOG_MASK)
- return false;
+ return -EINVAL;
if (info->prefix[sizeof(info->prefix) - 1] != '\0')
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_target nflog_tg_reg __read_mostly = {
}
if (info->queues_total == 0) {
pr_err("NFQUEUE: number of total queues is 0\n");
- return false;
+ return -EINVAL;
}
maxid = info->queues_total - 1 + info->queuenum;
if (maxid > 0xffff) {
pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n",
info->queues_total, maxid);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_target nfqueue_tg_reg[] __read_mostly = {
(info->interval != est->params.interval ||
info->ewma_log != est->params.ewma_log)) {
xt_rateest_put(est);
- return false;
+ return -EINVAL;
}
info->est = est;
- return true;
+ return 0;
}
est = kzalloc(sizeof(*est), GFP_KERNEL);
info->est = est;
xt_rateest_hash_insert(est);
-
- return true;
+ return 0;
err2:
kfree(est);
err1:
- return false;
+ return -EINVAL;
}
static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par)
strcmp(par->table, "security") != 0) {
pr_info("target only valid in the \'mangle\' "
"or \'security\' tables, not \'%s\'.\n", par->table);
- return false;
+ return -EINVAL;
}
if (mode && mode != info->mode) {
pr_info("mode already set to %hu cannot mix with "
"rules for mode %hu\n", mode, info->mode);
- return false;
+ return -EINVAL;
}
switch (info->mode) {
case SECMARK_MODE_SEL:
if (!checkentry_selinux(info))
- return false;
+ return -EINVAL;
break;
default:
pr_info("invalid mode: %hu\n", info->mode);
- return false;
+ return -EINVAL;
}
if (!mode)
mode = info->mode;
- return true;
+ return 0;
}
static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
(1 << NF_INET_POST_ROUTING))) != 0) {
pr_info("path-MTU clamping only supported in "
"FORWARD, OUTPUT and POSTROUTING hooks\n");
- return false;
+ return -EINVAL;
}
xt_ematch_foreach(ematch, e)
if (find_syn_match(ematch))
- return true;
+ return 0;
pr_info("Only works on TCP SYN packets\n");
- return false;
+ return -EINVAL;
}
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
(1 << NF_INET_POST_ROUTING))) != 0) {
pr_info("path-MTU clamping only supported in "
"FORWARD, OUTPUT and POSTROUTING hooks\n");
- return false;
+ return -EINVAL;
}
xt_ematch_foreach(ematch, e)
if (find_syn_match(ematch))
- return true;
+ return 0;
pr_info("Only works on TCP SYN packets\n");
- return false;
+ return -EINVAL;
}
#endif
if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
&& !(i->invflags & IPT_INV_PROTO))
- return true;
+ return 0;
pr_info("Can be used only in combination with "
"either -p tcp or -p udp\n");
- return false;
+ return -EINVAL;
}
static struct xt_target tproxy_tg_reg __read_mostly = {
git://ftp.safe.ca / safe / jmp / linux-2.6 / commitdiff