* nf-next: cleanups, err reporting (rd.2)
@ 2010-03-22 19:17 Jan Engelhardt
2010-03-22 19:17 ` [PATCH 1/9] netfilter: xtables: make use of caller family rather than target family Jan Engelhardt
` (9 more replies)
0 siblings, 10 replies; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-22 19:17 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
I hope I now got them all.
Please review and merge.
The following changes since commit 2c46cd8163b25bf6f38e612e9f1d162f0357c8f1:
Zhitong Wang (1):
netfilter: remove unused headers in net/ipv4/netfilter/nf_nat_h323.c
are available in the git repository at:
git://dev.medozas.de/linux master
Jan Engelhardt (9):
netfilter: xtables: make use of caller family rather than target family
netfilter: xt extensions: use pr_<level> (2)
netfilter: xtables: make use of xt_request_find_target
netfilter: xtables: consolidate code into xt_request_find_match
netfilter: xt_recent: allow changing ip_list_[ug]id at runtime
netfilter: xtables: slightly better error reporting (1/2)
netfilter: xtables: slightly better error reporting (2/2)
netfilter: xtables: use only error codes for checkentry
netfilter: xtables: shorten up return clause
include/linux/netfilter/x_tables.h | 7 ++-
net/bridge/netfilter/ebt_802_3.c | 6 +-
net/bridge/netfilter/ebt_among.c | 25 +++++-------
net/bridge/netfilter/ebt_arp.c | 8 ++--
net/bridge/netfilter/ebt_arpreply.c | 8 ++--
net/bridge/netfilter/ebt_dnat.c | 10 ++--
net/bridge/netfilter/ebt_ip.c | 16 ++++----
net/bridge/netfilter/ebt_ip6.c | 16 ++++----
net/bridge/netfilter/ebt_limit.c | 9 ++--
net/bridge/netfilter/ebt_log.c | 8 ++--
net/bridge/netfilter/ebt_mark.c | 10 ++--
net/bridge/netfilter/ebt_mark_m.c | 10 ++--
net/bridge/netfilter/ebt_nflog.c | 6 +-
net/bridge/netfilter/ebt_pkttype.c | 6 +-
net/bridge/netfilter/ebt_redirect.c | 10 ++--
net/bridge/netfilter/ebt_snat.c | 10 ++--
net/bridge/netfilter/ebt_stp.c | 8 ++--
net/bridge/netfilter/ebt_ulog.c | 32 ++++++++-------
net/bridge/netfilter/ebt_vlan.c | 52 ++++++++++---------------
net/bridge/netfilter/ebtables.c | 23 ++---------
net/ipv4/netfilter/arp_tables.c | 20 ++++------
net/ipv4/netfilter/arpt_mangle.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 58 ++++++++++++----------------
net/ipv4/netfilter/ipt_CLUSTERIP.c | 69 +++++++++++++++++-----------------
net/ipv4/netfilter/ipt_ECN.c | 21 ++++------
net/ipv4/netfilter/ipt_LOG.c | 15 +++----
net/ipv4/netfilter/ipt_MASQUERADE.c | 16 ++++----
net/ipv4/netfilter/ipt_NETMAP.c | 14 +++---
net/ipv4/netfilter/ipt_REDIRECT.c | 14 +++---
net/ipv4/netfilter/ipt_REJECT.c | 14 +++---
net/ipv4/netfilter/ipt_ULOG.c | 48 +++++++++++------------
net/ipv4/netfilter/ipt_addrtype.c | 24 ++++++------
net/ipv4/netfilter/ipt_ah.c | 6 +-
net/ipv4/netfilter/ipt_ecn.c | 15 +++----
net/ipv4/netfilter/nf_nat_rule.c | 4 +-
net/ipv6/netfilter/ip6_tables.c | 49 ++++++++++--------------
net/ipv6/netfilter/ip6t_LOG.c | 15 +++----
net/ipv6/netfilter/ip6t_REJECT.c | 28 +++++++-------
net/ipv6/netfilter/ip6t_ah.c | 12 +++---
net/ipv6/netfilter/ip6t_frag.c | 12 +++---
net/ipv6/netfilter/ip6t_hbh.c | 14 +++---
net/ipv6/netfilter/ip6t_ipv6header.c | 6 +-
net/ipv6/netfilter/ip6t_mh.c | 4 +-
net/ipv6/netfilter/ip6t_rt.c | 14 +++---
net/netfilter/x_tables.c | 39 ++++++++++++++++---
net/netfilter/xt_CONNSECMARK.c | 14 +++---
net/netfilter/xt_CT.c | 17 ++++++--
net/netfilter/xt_DSCP.c | 6 +-
net/netfilter/xt_HL.c | 16 ++++----
net/netfilter/xt_LED.c | 17 +++-----
net/netfilter/xt_NFLOG.c | 8 ++--
net/netfilter/xt_NFQUEUE.c | 12 +++---
net/netfilter/xt_RATEEST.c | 18 +++++----
net/netfilter/xt_SECMARK.c | 26 +++++++------
net/netfilter/xt_TCPMSS.c | 23 +++++------
net/netfilter/xt_TPROXY.c | 10 ++--
net/netfilter/xt_cluster.c | 8 ++--
net/netfilter/xt_connbytes.c | 15 +++----
net/netfilter/xt_connlimit.c | 12 +++--
net/netfilter/xt_connmark.c | 22 ++++++-----
net/netfilter/xt_conntrack.c | 11 +++--
net/netfilter/xt_dccp.c | 2 +-
net/netfilter/xt_dscp.c | 6 +-
net/netfilter/xt_esp.c | 8 ++--
net/netfilter/xt_hashlimit.c | 57 ++++++++++++++++------------
net/netfilter/xt_helper.c | 10 +++--
net/netfilter/xt_iprange.c | 1 +
net/netfilter/xt_limit.c | 8 ++--
net/netfilter/xt_multiport.c | 8 ++--
net/netfilter/xt_physdev.c | 8 ++--
net/netfilter/xt_policy.c | 12 +++---
net/netfilter/xt_quota.c | 8 ++--
net/netfilter/xt_rateest.c | 8 ++-
net/netfilter/xt_recent.c | 38 ++++++++++---------
net/netfilter/xt_sctp.c | 2 +-
net/netfilter/xt_socket.c | 5 +-
net/netfilter/xt_state.c | 11 +++--
net/netfilter/xt_statistic.c | 8 ++--
net/netfilter/xt_string.c | 15 +++----
net/netfilter/xt_tcpudp.c | 4 +-
net/netfilter/xt_time.c | 10 ++--
net/sched/act_ipt.c | 4 +-
82 files changed, 639 insertions(+), 642 deletions(-)
^ permalink raw reply [flat|nested] 23+ messages in thread
* [PATCH 1/9] netfilter: xtables: make use of caller family rather than target family
2010-03-22 19:17 nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
@ 2010-03-22 19:17 ` Jan Engelhardt
2010-03-22 19:17 ` [PATCH 2/9] netfilter: xt extensions: use pr_<level> (2) Jan Engelhardt
` (8 subsequent siblings)
9 siblings, 0 replies; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-22 19:17 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Supplement to aa5fa3185791aac71c9172d4fda3e8729164b5d1.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 6 +++---
net/netfilter/xt_NFQUEUE.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 0886f96..a20bee7 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -401,9 +401,9 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
}
cipinfo->config = config;
- if (nf_ct_l3proto_try_module_get(par->target->family) < 0) {
+ if (nf_ct_l3proto_try_module_get(par->family) < 0) {
printk(KERN_WARNING "can't load conntrack support for "
- "proto=%u\n", par->target->family);
+ "proto=%u\n", par->family);
return false;
}
@@ -421,7 +421,7 @@ static void clusterip_tg_destroy(const struct xt_tgdtor_param *par)
clusterip_config_put(cipinfo->config);
- nf_ct_l3proto_module_put(par->target->family);
+ nf_ct_l3proto_module_put(par->family);
}
#ifdef CONFIG_COMPAT
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index a37e216..7cc0de6 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -71,10 +71,10 @@ nfqueue_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
u32 queue = info->queuenum;
if (info->queues_total > 1) {
- if (par->target->family == NFPROTO_IPV4)
+ if (par->family == NFPROTO_IPV4)
queue = hash_v4(skb) % info->queues_total + queue;
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
- else if (par->target->family == NFPROTO_IPV6)
+ else if (par->family == NFPROTO_IPV6)
queue = hash_v6(skb) % info->queues_total + queue;
#endif
}
--
1.7.0.2
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH 2/9] netfilter: xt extensions: use pr_<level> (2)
2010-03-22 19:17 nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
2010-03-22 19:17 ` [PATCH 1/9] netfilter: xtables: make use of caller family rather than target family Jan Engelhardt
@ 2010-03-22 19:17 ` Jan Engelhardt
2010-03-22 19:17 ` [PATCH 3/9] netfilter: xtables: make use of xt_request_find_target Jan Engelhardt
` (7 subsequent siblings)
9 siblings, 0 replies; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-22 19:17 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Supplement to 1159683ef48469de71dc26f0ee1a9c30d131cf89.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/bridge/netfilter/ebt_among.c | 15 +++++-------
net/bridge/netfilter/ebt_limit.c | 3 +-
net/bridge/netfilter/ebt_ulog.c | 26 +++++++++++---------
net/bridge/netfilter/ebt_vlan.c | 36 ++++++++++------------------
net/bridge/netfilter/ebtables.c | 5 +--
net/ipv4/netfilter/ip_tables.c | 18 ++++++--------
net/ipv4/netfilter/ipt_CLUSTERIP.c | 43 ++++++++++++++++++-----------------
net/ipv4/netfilter/ipt_ECN.c | 11 +++-----
net/ipv4/netfilter/ipt_LOG.c | 7 ++---
net/ipv4/netfilter/ipt_MASQUERADE.c | 8 +++---
net/ipv4/netfilter/ipt_NETMAP.c | 6 ++--
net/ipv4/netfilter/ipt_REDIRECT.c | 6 ++--
net/ipv4/netfilter/ipt_REJECT.c | 6 ++--
net/ipv4/netfilter/ipt_ULOG.c | 40 +++++++++++++++-----------------
net/ipv4/netfilter/ipt_addrtype.c | 14 +++++-----
net/ipv4/netfilter/ipt_ecn.c | 5 +--
net/ipv6/netfilter/ip6_tables.c | 9 +++----
net/ipv6/netfilter/ip6t_LOG.c | 7 ++---
net/ipv6/netfilter/ip6t_REJECT.c | 20 ++++++++--------
net/ipv6/netfilter/ip6t_ah.c | 6 ++--
net/ipv6/netfilter/ip6t_frag.c | 6 ++--
net/ipv6/netfilter/ip6t_hbh.c | 6 ++--
net/ipv6/netfilter/ip6t_rt.c | 6 ++--
net/netfilter/xt_TCPMSS.c | 7 ++---
net/netfilter/xt_TPROXY.c | 4 +-
net/netfilter/xt_esp.c | 2 +-
net/netfilter/xt_iprange.c | 1 +
net/netfilter/xt_recent.c | 6 ++--
net/netfilter/xt_socket.c | 5 +--
net/netfilter/xt_time.c | 4 +-
30 files changed, 158 insertions(+), 180 deletions(-)
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index b595f09..60ad630 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -7,6 +7,7 @@
* August, 2003
*
*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/ip.h>
#include <linux/if_arp.h>
#include <linux/module.h>
@@ -186,21 +187,17 @@ static bool ebt_among_mt_check(const struct xt_mtchk_param *par)
expected_length += ebt_mac_wormhash_size(wh_src);
if (em->match_size != EBT_ALIGN(expected_length)) {
- printk(KERN_WARNING
- "ebtables: among: wrong size: %d "
- "against expected %d, rounded to %Zd\n",
- em->match_size, expected_length,
- EBT_ALIGN(expected_length));
+ pr_info("wrong size: %d against expected %d, rounded to %Zd\n",
+ em->match_size, expected_length,
+ EBT_ALIGN(expected_length));
return false;
}
if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
- printk(KERN_WARNING
- "ebtables: among: dst integrity fail: %x\n", -err);
+ pr_info("dst integrity fail: %x\n", -err);
return false;
}
if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
- printk(KERN_WARNING
- "ebtables: among: src integrity fail: %x\n", -err);
+ pr_info("src integrity fail: %x\n", -err);
return false;
}
return true;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 7a81827..5b7330b 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -10,6 +10,7 @@
* September, 2003
*
*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/netdevice.h>
#include <linux/spinlock.h>
@@ -71,7 +72,7 @@ static bool ebt_limit_mt_check(const struct xt_mtchk_param *par)
/* Check for overflow. */
if (info->burst == 0 ||
user2credits(info->avg * info->burst) < user2credits(info->avg)) {
- printk("Overflow in ebt_limit, try lower: %u/%u\n",
+ pr_info("overflow, try lower: %u/%u\n",
info->avg, info->burst);
return false;
}
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 84340ab..9faee5f 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -27,7 +27,7 @@
* flushed even if it is not full yet.
*
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/spinlock.h>
#include <linux/socket.h>
@@ -106,15 +106,15 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
n = max(size, nlbufsiz);
skb = alloc_skb(n, GFP_ATOMIC);
if (!skb) {
- PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer "
- "of size %ub!\n", n);
+ if (net_ratelimit())
+ pr_debug("cannot alloc whole buffer of size %ub!\n", n);
if (n > size) {
/* try to allocate only as much as we need for
* current packet */
skb = alloc_skb(size, GFP_ATOMIC);
- if (!skb)
- PRINTR(KERN_ERR "ebt_ulog: can't even allocate "
- "buffer of size %ub\n", size);
+ if (!skb && net_ratelimit())
+ pr_debug("cannot even allocate "
+ "buffer of size %ub\n", size);
}
}
@@ -141,8 +141,9 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb,
size = NLMSG_SPACE(sizeof(*pm) + copy_len);
if (size > nlbufsiz) {
- PRINTR("ebt_ulog: Size %Zd needed, but nlbufsiz=%d\n",
- size, nlbufsiz);
+ if (net_ratelimit())
+ pr_debug("Size %Zd needed, but nlbufsiz=%d\n",
+ size, nlbufsiz);
return;
}
@@ -216,8 +217,9 @@ unlock:
return;
nlmsg_failure:
- printk(KERN_CRIT "ebt_ulog: error during NLMSG_PUT. This should "
- "not happen, please report to author.\n");
+ if (net_ratelimit())
+ pr_debug("error during NLMSG_PUT. This should "
+ "not happen, please report to author.\n");
goto unlock;
alloc_failure:
goto unlock;
@@ -291,8 +293,8 @@ static int __init ebt_ulog_init(void)
int i;
if (nlbufsiz >= 128*1024) {
- printk(KERN_NOTICE "ebt_ulog: Netlink buffer has to be <= 128kB,"
- " please try a smaller nlbufsiz parameter.\n");
+ pr_warning("Netlink buffer has to be <= 128kB,"
+ " please try a smaller nlbufsiz parameter.\n");
return -EINVAL;
}
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index be1dd2e..5c44f51 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -26,17 +26,12 @@
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_vlan.h>
-static int debug;
#define MODULE_VERS "0.6"
-module_param(debug, int, 0);
-MODULE_PARM_DESC(debug, "debug=1 is turn on debug messages");
MODULE_AUTHOR("Nick Fedchik <nick@fedchik.org.ua>");
MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match");
MODULE_LICENSE("GPL");
-
-#define DEBUG_MSG(args...) if (debug) printk (KERN_DEBUG "ebt_vlan: " args)
#define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_
#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
@@ -91,24 +86,23 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
/* Is it 802.1Q frame checked? */
if (e->ethproto != htons(ETH_P_8021Q)) {
- DEBUG_MSG
- ("passed entry proto %2.4X is not 802.1Q (8100)\n",
- (unsigned short) ntohs(e->ethproto));
+ pr_debug("passed entry proto %2.4X is not 802.1Q (8100)\n",
+ ntohs(e->ethproto));
return false;
}
/* Check for bitmask range
* True if even one bit is out of mask */
if (info->bitmask & ~EBT_VLAN_MASK) {
- DEBUG_MSG("bitmask %2X is out of mask (%2X)\n",
- info->bitmask, EBT_VLAN_MASK);
+ pr_debug("bitmask %2X is out of mask (%2X)\n",
+ info->bitmask, EBT_VLAN_MASK);
return false;
}
/* Check for inversion flags range */
if (info->invflags & ~EBT_VLAN_MASK) {
- DEBUG_MSG("inversion flags %2X is out of mask (%2X)\n",
- info->invflags, EBT_VLAN_MASK);
+ pr_debug("inversion flags %2X is out of mask (%2X)\n",
+ info->invflags, EBT_VLAN_MASK);
return false;
}
@@ -121,9 +115,8 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
if (GET_BITMASK(EBT_VLAN_ID)) {
if (!!info->id) { /* if id!=0 => check vid range */
if (info->id > VLAN_GROUP_ARRAY_LEN) {
- DEBUG_MSG
- ("id %d is out of range (1-4096)\n",
- info->id);
+ pr_debug("id %d is out of range (1-4096)\n",
+ info->id);
return false;
}
/* Note: This is valid VLAN-tagged frame point.
@@ -137,8 +130,8 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
if (GET_BITMASK(EBT_VLAN_PRIO)) {
if ((unsigned char) info->prio > 7) {
- DEBUG_MSG("prio %d is out of range (0-7)\n",
- info->prio);
+ pr_debug("prio %d is out of range (0-7)\n",
+ info->prio);
return false;
}
}
@@ -147,9 +140,8 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
* if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS */
if (GET_BITMASK(EBT_VLAN_ENCAP)) {
if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) {
- DEBUG_MSG
- ("encap frame length %d is less than minimal\n",
- ntohs(info->encap));
+ pr_debug("encap frame length %d is less than "
+ "minimal\n", ntohs(info->encap));
return false;
}
}
@@ -169,9 +161,7 @@ static struct xt_match ebt_vlan_mt_reg __read_mostly = {
static int __init ebt_vlan_init(void)
{
- DEBUG_MSG("ebtables 802.1Q extension module v"
- MODULE_VERS "\n");
- DEBUG_MSG("module debug=%d\n", !!debug);
+ pr_debug("ebtables 802.1Q extension module v" MODULE_VERS "\n");
return xt_register_match(&ebt_vlan_mt_reg);
}
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index dfb5805..989d72c 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -14,8 +14,7 @@
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*/
-
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/kmod.h>
#include <linux/module.h>
#include <linux/vmalloc.h>
@@ -2127,7 +2126,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
return ret;
new_offset += ret;
if (offsets_update && new_offset) {
- pr_debug("ebtables: change offset %d to %d\n",
+ pr_debug("change offset %d to %d\n",
offsets_update[i], offsets[j] + new_offset);
offsets_update[i] = offsets[j] + new_offset;
}
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index b29c66d..73fdf20 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -39,13 +39,13 @@ MODULE_DESCRIPTION("IPv4 packet filter");
/*#define DEBUG_IP_FIREWALL_USER*/
#ifdef DEBUG_IP_FIREWALL
-#define dprintf(format, args...) printk(format , ## args)
+#define dprintf(format, args...) pr_info(format , ## args)
#else
#define dprintf(format, args...)
#endif
#ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
+#define duprintf(format, args...) pr_info(format , ## args)
#else
#define duprintf(format, args...)
#endif
@@ -168,8 +168,7 @@ static unsigned int
ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
{
if (net_ratelimit())
- printk("ip_tables: error: `%s'\n",
- (const char *)par->targinfo);
+ pr_info("error: `%s'\n", (const char *)par->targinfo);
return NF_DROP;
}
@@ -591,7 +590,7 @@ check_entry(const struct ipt_entry *e, const char *name)
const struct ipt_entry_target *t;
if (!ip_checkentry(&e->ip)) {
- duprintf("ip_tables: ip check failed %p %s.\n", e, name);
+ duprintf("ip check failed %p %s.\n", e, name);
return -EINVAL;
}
@@ -618,8 +617,7 @@ check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
ret = xt_check_match(par, m->u.match_size - sizeof(*m),
ip->proto, ip->invflags & IPT_INV_PROTO);
if (ret < 0) {
- duprintf("ip_tables: check failed for `%s'.\n",
- par.match->name);
+ duprintf("check failed for `%s'.\n", par.match->name);
return ret;
}
return 0;
@@ -667,7 +665,7 @@ static int check_target(struct ipt_entry *e, struct net *net, const char *name)
ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
if (ret < 0) {
- duprintf("ip_tables: check failed for `%s'.\n",
+ duprintf("check failed for `%s'.\n",
t->u.kernel.target->name);
return ret;
}
@@ -1311,7 +1309,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
if (ret != 0)
goto free_newinfo;
- duprintf("ip_tables: Translated table\n");
+ duprintf("Translated table\n");
ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
tmp.num_counters, tmp.counters);
@@ -2276,7 +2274,7 @@ static int __init ip_tables_init(void)
if (ret < 0)
goto err5;
- printk(KERN_INFO "ip_tables: (C) 2000-2006 Netfilter Core Team\n");
+ pr_info("(C) 2000-2006 Netfilter Core Team\n");
return 0;
err5:
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index a20bee7..f019c34 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -9,6 +9,7 @@
* published by the Free Software Foundation.
*
*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/jhash.h>
@@ -238,8 +239,7 @@ clusterip_hashfn(const struct sk_buff *skb,
break;
default:
if (net_ratelimit())
- printk(KERN_NOTICE "CLUSTERIP: unknown protocol `%u'\n",
- iph->protocol);
+ pr_info("unknown protocol %u\n", iph->protocol);
sport = dport = 0;
}
@@ -261,7 +261,7 @@ clusterip_hashfn(const struct sk_buff *skb,
hashval = 0;
/* This cannot happen, unless the check function wasn't called
* at rule load time */
- printk("CLUSTERIP: unknown mode `%u'\n", config->hash_mode);
+ pr_info("unknown mode %u\n", config->hash_mode);
BUG();
break;
}
@@ -294,7 +294,8 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
ct = nf_ct_get(skb, &ctinfo);
if (ct == NULL) {
- printk(KERN_ERR "CLUSTERIP: no conntrack!\n");
+ if (net_ratelimit())
+ pr_info("no conntrack!\n");
/* FIXME: need to drop invalid ones, since replies
* to outgoing connections of other nodes will be
* marked as INVALID */
@@ -357,14 +358,13 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
- printk(KERN_WARNING "CLUSTERIP: unknown mode `%u'\n",
- cipinfo->hash_mode);
+ pr_info("unknown mode %u\n", cipinfo->hash_mode);
return false;
}
if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
e->ip.dst.s_addr == 0) {
- printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n");
+ pr_info("Please specify destination IP\n");
return false;
}
@@ -373,26 +373,28 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
config = clusterip_config_find_get(e->ip.dst.s_addr, 1);
if (!config) {
if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
- printk(KERN_WARNING "CLUSTERIP: no config found for %pI4, need 'new'\n", &e->ip.dst.s_addr);
+ pr_info("no config found for %pI4, need 'new'\n",
+ &e->ip.dst.s_addr);
return false;
} else {
struct net_device *dev;
if (e->ip.iniface[0] == '\0') {
- printk(KERN_WARNING "CLUSTERIP: Please specify an interface name\n");
+ pr_info("Please specify an interface name\n");
return false;
}
dev = dev_get_by_name(&init_net, e->ip.iniface);
if (!dev) {
- printk(KERN_WARNING "CLUSTERIP: no such interface %s\n", e->ip.iniface);
+ pr_info("no such interface %s\n",
+ e->ip.iniface);
return false;
}
config = clusterip_config_init(cipinfo,
e->ip.dst.s_addr, dev);
if (!config) {
- printk(KERN_WARNING "CLUSTERIP: cannot allocate config\n");
+ pr_info("cannot allocate config\n");
dev_put(dev);
return false;
}
@@ -402,8 +404,8 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
cipinfo->config = config;
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
- printk(KERN_WARNING "can't load conntrack support for "
- "proto=%u\n", par->family);
+ pr_info("cannot load conntrack support for proto=%u\n",
+ par->family);
return false;
}
@@ -478,8 +480,8 @@ static void arp_print(struct arp_payload *payload)
}
hbuffer[--k]='\0';
- printk("src %pI4@%s, dst %pI4\n",
- &payload->src_ip, hbuffer, &payload->dst_ip);
+ pr_debug("src %pI4@%s, dst %pI4\n",
+ &payload->src_ip, hbuffer, &payload->dst_ip);
}
#endif
@@ -518,7 +520,7 @@ arp_mangle(unsigned int hook,
* this wouldn't work, since we didn't subscribe the mcast group on
* other interfaces */
if (c->dev != out) {
- pr_debug("CLUSTERIP: not mangling arp reply on different "
+ pr_debug("not mangling arp reply on different "
"interface: cip'%s'-skb'%s'\n",
c->dev->name, out->name);
clusterip_config_put(c);
@@ -529,7 +531,7 @@ arp_mangle(unsigned int hook,
memcpy(payload->src_hw, c->clustermac, arp->ar_hln);
#ifdef DEBUG
- pr_debug(KERN_DEBUG "CLUSTERIP mangled arp reply: ");
+ pr_debug("mangled arp reply: ");
arp_print(payload);
#endif
@@ -705,13 +707,13 @@ static int __init clusterip_tg_init(void)
#ifdef CONFIG_PROC_FS
clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", init_net.proc_net);
if (!clusterip_procdir) {
- printk(KERN_ERR "CLUSTERIP: Unable to proc dir entry\n");
+ pr_err("Unable to proc dir entry\n");
ret = -ENOMEM;
goto cleanup_hook;
}
#endif /* CONFIG_PROC_FS */
- printk(KERN_NOTICE "ClusterIP Version %s loaded successfully\n",
+ pr_info("ClusterIP Version %s loaded successfully\n",
CLUSTERIP_VERSION);
return 0;
@@ -726,8 +728,7 @@ cleanup_target:
static void __exit clusterip_tg_exit(void)
{
- printk(KERN_NOTICE "ClusterIP Version %s unloading\n",
- CLUSTERIP_VERSION);
+ pr_info("ClusterIP Version %s unloading\n", CLUSTERIP_VERSION);
#ifdef CONFIG_PROC_FS
remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
#endif
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index ea5cea2..0198875 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -6,7 +6,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/in.h>
#include <linux/module.h>
#include <linux/skbuff.h>
@@ -99,19 +99,16 @@ static bool ecn_tg_check(const struct xt_tgchk_param *par)
const struct ipt_entry *e = par->entryinfo;
if (einfo->operation & IPT_ECN_OP_MASK) {
- printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
- einfo->operation);
+ pr_info("unsupported ECN operation %x\n", einfo->operation);
return false;
}
if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
- printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n",
- einfo->ip_ect);
+ pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect);
return false;
}
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
(e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
- printk(KERN_WARNING "ECN: cannot use TCP operations on a "
- "non-tcp rule\n");
+ pr_info("cannot use TCP operations on a non-tcp rule\n");
return false;
}
return true;
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index ee128ef..b3bf623 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -9,7 +9,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/spinlock.h>
#include <linux/skbuff.h>
@@ -444,12 +444,11 @@ static bool log_tg_check(const struct xt_tgchk_param *par)
const struct ipt_log_info *loginfo = par->targinfo;
if (loginfo->level >= 8) {
- pr_debug("LOG: level %u >= 8\n", loginfo->level);
+ pr_debug("level %u >= 8\n", loginfo->level);
return false;
}
if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
- pr_debug("LOG: prefix term %i\n",
- loginfo->prefix[sizeof(loginfo->prefix)-1]);
+ pr_debug("prefix is not null-terminated\n");
return false;
}
return true;
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 650b540..5063dda 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -8,7 +8,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/types.h>
#include <linux/inetdevice.h>
#include <linux/ip.h>
@@ -33,11 +33,11 @@ static bool masquerade_tg_check(const struct xt_tgchk_param *par)
const struct nf_nat_multi_range_compat *mr = par->targinfo;
if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
- pr_debug("masquerade_check: bad MAP_IPS.\n");
+ pr_debug("bad MAP_IPS.\n");
return false;
}
if (mr->rangesize != 1) {
- pr_debug("masquerade_check: bad rangesize %u\n", mr->rangesize);
+ pr_debug("bad rangesize %u\n", mr->rangesize);
return false;
}
return true;
@@ -72,7 +72,7 @@ masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
rt = skb_rtable(skb);
newsrc = inet_select_addr(par->out, rt->rt_gateway, RT_SCOPE_UNIVERSE);
if (!newsrc) {
- printk("MASQUERADE: %s ate my IP address\n", par->out->name);
+ pr_info("%s ate my IP address\n", par->out->name);
return NF_DROP;
}
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 7c29582..51ab01a 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -9,7 +9,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/ip.h>
#include <linux/module.h>
#include <linux/netdevice.h>
@@ -27,11 +27,11 @@ static bool netmap_tg_check(const struct xt_tgchk_param *par)
const struct nf_nat_multi_range_compat *mr = par->targinfo;
if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) {
- pr_debug("NETMAP:check: bad MAP_IPS.\n");
+ pr_debug("bad MAP_IPS.\n");
return false;
}
if (mr->rangesize != 1) {
- pr_debug("NETMAP:check: bad rangesize %u.\n", mr->rangesize);
+ pr_debug("bad rangesize %u.\n", mr->rangesize);
return false;
}
return true;
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 698e5e7..74f1f55 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -6,7 +6,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/types.h>
#include <linux/ip.h>
#include <linux/timer.h>
@@ -31,11 +31,11 @@ static bool redirect_tg_check(const struct xt_tgchk_param *par)
const struct nf_nat_multi_range_compat *mr = par->targinfo;
if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
- pr_debug("redirect_check: bad MAP_IPS.\n");
+ pr_debug("bad MAP_IPS.\n");
return false;
}
if (mr->rangesize != 1) {
- pr_debug("redirect_check: bad rangesize %u.\n", mr->rangesize);
+ pr_debug("bad rangesize %u.\n", mr->rangesize);
return false;
}
return true;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 5113b8f..ff32252 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -9,7 +9,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
@@ -180,13 +180,13 @@ static bool reject_tg_check(const struct xt_tgchk_param *par)
const struct ipt_entry *e = par->entryinfo;
if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
- printk("ipt_REJECT: ECHOREPLY no longer supported.\n");
+ pr_info("ECHOREPLY no longer supported.\n");
return false;
} else if (rejinfo->with == IPT_TCP_RESET) {
/* Must specify that it's a TCP packet */
if (e->ip.proto != IPPROTO_TCP ||
(e->ip.invflags & XT_INV_PROTO)) {
- printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n");
+ pr_info("TCP_RESET invalid for non-tcp\n");
return false;
}
}
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 09a5d3f..043350e 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -29,7 +29,7 @@
* Specify, after how many hundredths of a second the queue should be
* flushed even if it is not full yet.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/spinlock.h>
#include <linux/socket.h>
@@ -56,8 +56,6 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG);
#define ULOG_NL_EVENT 111 /* Harald's favorite number */
#define ULOG_MAXNLGROUPS 32 /* numer of nlgroups */
-#define PRINTR(format, args...) do { if (net_ratelimit()) printk(format , ## args); } while (0)
-
static unsigned int nlbufsiz = NLMSG_GOODSIZE;
module_param(nlbufsiz, uint, 0400);
MODULE_PARM_DESC(nlbufsiz, "netlink buffer size");
@@ -90,12 +88,12 @@ static void ulog_send(unsigned int nlgroupnum)
ulog_buff_t *ub = &ulog_buffers[nlgroupnum];
if (timer_pending(&ub->timer)) {
- pr_debug("ipt_ULOG: ulog_send: timer was pending, deleting\n");
+ pr_debug("ulog_send: timer was pending, deleting\n");
del_timer(&ub->timer);
}
if (!ub->skb) {
- pr_debug("ipt_ULOG: ulog_send: nothing to send\n");
+ pr_debug("ulog_send: nothing to send\n");
return;
}
@@ -104,7 +102,7 @@ static void ulog_send(unsigned int nlgroupnum)
ub->lastnlh->nlmsg_type = NLMSG_DONE;
NETLINK_CB(ub->skb).dst_group = nlgroupnum + 1;
- pr_debug("ipt_ULOG: throwing %d packets to netlink group %u\n",
+ pr_debug("throwing %d packets to netlink group %u\n",
ub->qlen, nlgroupnum + 1);
netlink_broadcast(nflognl, ub->skb, 0, nlgroupnum + 1, GFP_ATOMIC);
@@ -117,7 +115,7 @@ static void ulog_send(unsigned int nlgroupnum)
/* timer function to flush queue in flushtimeout time */
static void ulog_timer(unsigned long data)
{
- pr_debug("ipt_ULOG: timer function called, calling ulog_send\n");
+ pr_debug("timer function called, calling ulog_send\n");
/* lock to protect against somebody modifying our structure
* from ipt_ulog_target at the same time */
@@ -138,16 +136,16 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
n = max(size, nlbufsiz);
skb = alloc_skb(n, GFP_ATOMIC);
if (!skb) {
- PRINTR("ipt_ULOG: can't alloc whole buffer %ub!\n", n);
+ if (net_ratelimit())
+ pr_debug("cannot alloc whole buffer %ub!\n", n);
if (n > size) {
/* try to allocate only as much as we need for
* current packet */
skb = alloc_skb(size, GFP_ATOMIC);
- if (!skb)
- PRINTR("ipt_ULOG: can't even allocate %ub\n",
- size);
+ if (!skb && net_ratelimit())
+ pr_debug("cannot even allocate %ub\n", size);
}
}
@@ -198,8 +196,7 @@ static void ipt_ulog_packet(unsigned int hooknum,
goto alloc_failure;
}
- pr_debug("ipt_ULOG: qlen %d, qthreshold %Zu\n", ub->qlen,
- loginfo->qthreshold);
+ pr_debug("qlen %d, qthreshold %Zu\n", ub->qlen, loginfo->qthreshold);
/* NLMSG_PUT contains a hidden goto nlmsg_failure !!! */
nlh = NLMSG_PUT(ub->skb, 0, ub->qlen, ULOG_NL_EVENT,
@@ -272,10 +269,12 @@ static void ipt_ulog_packet(unsigned int hooknum,
return;
nlmsg_failure:
- PRINTR("ipt_ULOG: error during NLMSG_PUT\n");
+ if (net_ratelimit())
+ pr_debug("error during NLMSG_PUT\n");
alloc_failure:
- PRINTR("ipt_ULOG: Error building netlink message\n");
+ if (net_ratelimit())
+ pr_debug("Error building netlink message\n");
spin_unlock_bh(&ulog_lock);
}
@@ -318,12 +317,11 @@ static bool ulog_tg_check(const struct xt_tgchk_param *par)
const struct ipt_ulog_info *loginfo = par->targinfo;
if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
- pr_debug("ipt_ULOG: prefix term %i\n",
- loginfo->prefix[sizeof(loginfo->prefix) - 1]);
+ pr_debug("prefix not null-terminated\n");
return false;
}
if (loginfo->qthreshold > ULOG_MAX_QLEN) {
- pr_debug("ipt_ULOG: queue threshold %Zu > MAX_QLEN\n",
+ pr_debug("queue threshold %Zu > MAX_QLEN\n",
loginfo->qthreshold);
return false;
}
@@ -389,10 +387,10 @@ static int __init ulog_tg_init(void)
{
int ret, i;
- pr_debug("ipt_ULOG: init module\n");
+ pr_debug("init module\n");
if (nlbufsiz > 128*1024) {
- printk("Netlink buffer has to be <= 128kB\n");
+ pr_warning("Netlink buffer has to be <= 128kB\n");
return -EINVAL;
}
@@ -422,7 +420,7 @@ static void __exit ulog_tg_exit(void)
ulog_buff_t *ub;
int i;
- pr_debug("ipt_ULOG: cleanup_module\n");
+ pr_debug("cleanup_module\n");
if (nflog)
nf_log_unregister(&ipt_ulog_logger);
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 3b216be..ea4f58a 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -8,7 +8,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/skbuff.h>
@@ -76,24 +76,24 @@ static bool addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&
info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
- printk(KERN_ERR "ipt_addrtype: both incoming and outgoing "
- "interface limitation cannot be selected\n");
+ pr_info("both incoming and outgoing "
+ "interface limitation cannot be selected\n");
return false;
}
if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN)) &&
info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
- printk(KERN_ERR "ipt_addrtype: output interface limitation "
- "not valid in PRE_ROUTING and INPUT\n");
+ pr_info("output interface limitation "
+ "not valid in PREROUTING and INPUT\n");
return false;
}
if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_OUT)) &&
info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
- printk(KERN_ERR "ipt_addrtype: input interface limitation "
- "not valid in POST_ROUTING and OUTPUT\n");
+ pr_info("input interface limitation "
+ "not valid in POSTROUTING and OUTPUT\n");
return false;
}
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 2a1e56b..e661108 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -6,7 +6,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/in.h>
#include <linux/ip.h>
#include <net/ip.h>
@@ -98,8 +98,7 @@ static bool ecn_mt_check(const struct xt_mtchk_param *par)
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
ip->proto != IPPROTO_TCP) {
- printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for"
- " non-tcp packets\n");
+ pr_info("cannot match TCP bits in rule for non-tcp packets\n");
return false;
}
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 9210e31..1b2414e 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -40,13 +40,13 @@ MODULE_DESCRIPTION("IPv6 packet filter");
/*#define DEBUG_IP_FIREWALL_USER*/
#ifdef DEBUG_IP_FIREWALL
-#define dprintf(format, args...) printk(format , ## args)
+#define dprintf(format, args...) pr_info(format , ## args)
#else
#define dprintf(format, args...)
#endif
#ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
+#define duprintf(format, args...) pr_info(format , ## args)
#else
#define duprintf(format, args...)
#endif
@@ -200,8 +200,7 @@ static unsigned int
ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
{
if (net_ratelimit())
- printk("ip6_tables: error: `%s'\n",
- (const char *)par->targinfo);
+ pr_info("error: `%s'\n", (const char *)par->targinfo);
return NF_DROP;
}
@@ -2308,7 +2307,7 @@ static int __init ip6_tables_init(void)
if (ret < 0)
goto err5;
- printk(KERN_INFO "ip6_tables: (C) 2000-2006 Netfilter Core Team\n");
+ pr_info("(C) 2000-2006 Netfilter Core Team\n");
return 0;
err5:
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index e16c0c7..5a79883 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -9,7 +9,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/if_arp.h>
@@ -456,12 +456,11 @@ static bool log_tg6_check(const struct xt_tgchk_param *par)
const struct ip6t_log_info *loginfo = par->targinfo;
if (loginfo->level >= 8) {
- pr_debug("LOG: level %u >= 8\n", loginfo->level);
+ pr_debug("level %u >= 8\n", loginfo->level);
return false;
}
if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
- pr_debug("LOG: prefix term %i\n",
- loginfo->prefix[sizeof(loginfo->prefix)-1]);
+ pr_debug("prefix not null-terminated\n");
return false;
}
return true;
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index dd8afba..45efb9f 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -14,7 +14,7 @@
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/icmpv6.h>
@@ -49,7 +49,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
(!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) {
- pr_debug("ip6t_REJECT: addr is not unicast.\n");
+ pr_debug("addr is not unicast.\n");
return;
}
@@ -57,7 +57,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto);
if ((tcphoff < 0) || (tcphoff > oldskb->len)) {
- pr_debug("ip6t_REJECT: Can't get TCP header.\n");
+ pr_debug("Cannot get TCP header.\n");
return;
}
@@ -65,7 +65,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
/* IP header checks: fragment, too short. */
if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) {
- pr_debug("ip6t_REJECT: proto(%d) != IPPROTO_TCP, "
+ pr_debug("proto(%d) != IPPROTO_TCP, "
"or too short. otcplen = %d\n",
proto, otcplen);
return;
@@ -76,14 +76,14 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
/* No RST for RST. */
if (otcph.rst) {
- pr_debug("ip6t_REJECT: RST is set\n");
+ pr_debug("RST is set\n");
return;
}
/* Check checksum. */
if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
skb_checksum(oldskb, tcphoff, otcplen, 0))) {
- pr_debug("ip6t_REJECT: TCP checksum is invalid\n");
+ pr_debug("TCP checksum is invalid\n");
return;
}
@@ -107,7 +107,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
if (!nskb) {
if (net_ratelimit())
- printk("ip6t_REJECT: Can't alloc skb\n");
+ pr_debug("cannot alloc skb\n");
dst_release(dst);
return;
}
@@ -206,7 +206,7 @@ reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
break;
default:
if (net_ratelimit())
- printk(KERN_WARNING "ip6t_REJECT: case %u not handled yet\n", reject->with);
+ pr_info("case %u not handled yet\n", reject->with);
break;
}
@@ -219,13 +219,13 @@ static bool reject_tg6_check(const struct xt_tgchk_param *par)
const struct ip6t_entry *e = par->entryinfo;
if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
- printk("ip6t_REJECT: ECHOREPLY is not supported.\n");
+ pr_info("ECHOREPLY is not supported.\n");
return false;
} else if (rejinfo->with == IP6T_TCP_RESET) {
/* Must specify that it's a TCP packet */
if (e->ipv6.proto != IPPROTO_TCP ||
(e->ipv6.invflags & XT_INV_PROTO)) {
- printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
+ pr_info("TCP_RESET illegal for non-tcp\n");
return false;
}
}
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index ac0b7c6..4429bfd 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -6,7 +6,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
@@ -29,7 +29,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
{
bool r;
- pr_debug("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",
+ pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
invert ? '!' : ' ', min, spi, max);
r = (spi >= min && spi <= max) ^ invert;
pr_debug(" result %s\n", r ? "PASS" : "FAILED");
@@ -92,7 +92,7 @@ static bool ah_mt6_check(const struct xt_mtchk_param *par)
const struct ip6t_ah *ahinfo = par->matchinfo;
if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
- pr_debug("ip6t_ah: unknown flags %X\n", ahinfo->invflags);
+ pr_debug("unknown flags %X\n", ahinfo->invflags);
return false;
}
return true;
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index 7b91c25..5c0da91 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -6,7 +6,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ipv6.h>
@@ -27,7 +27,7 @@ static inline bool
id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
{
bool r;
- pr_debug("frag id_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ',
+ pr_debug("id_match:%c 0x%x <= 0x%x <= 0x%x\n", invert ? '!' : ' ',
min, id, max);
r = (id >= min && id <= max) ^ invert;
pr_debug(" result %s\n", r ? "PASS" : "FAILED");
@@ -107,7 +107,7 @@ static bool frag_mt6_check(const struct xt_mtchk_param *par)
const struct ip6t_frag *fraginfo = par->matchinfo;
if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
- pr_debug("ip6t_frag: unknown flags %X\n", fraginfo->invflags);
+ pr_debug("unknown flags %X\n", fraginfo->invflags);
return false;
}
return true;
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index 82593c8..f4b7388 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -6,7 +6,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ipv6.h>
@@ -169,12 +169,12 @@ static bool hbh_mt6_check(const struct xt_mtchk_param *par)
const struct ip6t_opts *optsinfo = par->matchinfo;
if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
- pr_debug("ip6t_opts: unknown flags %X\n", optsinfo->invflags);
+ pr_debug("unknown flags %X\n", optsinfo->invflags);
return false;
}
if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
- pr_debug("ip6t_opts: Not strict - not implemented");
+ pr_debug("Not strict - not implemented");
return false;
}
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index b77307f..c58d653 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -6,7 +6,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ipv6.h>
@@ -29,7 +29,7 @@ static inline bool
segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
{
bool r;
- pr_debug("rt segsleft_match:%c 0x%x <= 0x%x <= 0x%x",
+ pr_debug("segsleft_match:%c 0x%x <= 0x%x <= 0x%x\n",
invert ? '!' : ' ', min, id, max);
r = (id >= min && id <= max) ^ invert;
pr_debug(" result %s\n", r ? "PASS" : "FAILED");
@@ -188,7 +188,7 @@ static bool rt_mt6_check(const struct xt_mtchk_param *par)
const struct ip6t_rt *rtinfo = par->matchinfo;
if (rtinfo->invflags & ~IP6T_RT_INV_MASK) {
- pr_debug("ip6t_rt: unknown flags %X\n", rtinfo->invflags);
+ pr_debug("unknown flags %X\n", rtinfo->invflags);
return false;
}
if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) &&
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 2077da3..45161d9 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -67,15 +67,14 @@ tcpmss_mangle_packet(struct sk_buff *skb,
if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
if (dst_mtu(skb_dst(skb)) <= minlen) {
if (net_ratelimit())
- pr_err("xt_TCPMSS: "
- "unknown or invalid path-MTU (%u)\n",
+ pr_err("unknown or invalid path-MTU (%u)\n",
dst_mtu(skb_dst(skb)));
return -1;
}
if (in_mtu <= minlen) {
if (net_ratelimit())
- pr_err("xt_TCPMSS: unknown or "
- "invalid path-MTU (%u)\n", in_mtu);
+ pr_err("unknown or invalid path-MTU (%u)\n",
+ in_mtu);
return -1;
}
newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen;
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 1340c2f..e9244fd 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -9,7 +9,7 @@
* published by the Free Software Foundation.
*
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
@@ -67,7 +67,7 @@ static bool tproxy_tg_check(const struct xt_tgchk_param *par)
&& !(i->invflags & IPT_INV_PROTO))
return true;
- pr_info("xt_TPROXY: Can be used only in combination with "
+ pr_info("Can be used only in combination with "
"either -p tcp or -p udp\n");
return false;
}
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index f9deecb..1a446d6 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -29,7 +29,7 @@ static inline bool
spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
{
bool r;
- pr_debug("esp spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
+ pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
invert ? '!' : ' ', min, spi, max);
r = (spi >= min && spi <= max) ^ invert;
pr_debug(" result %s\n", r ? "PASS" : "FAILED");
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index ffc9638..8471d97 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -8,6 +8,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index aa9817e..72cbced 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -321,8 +321,8 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
hash_rnd_inited = true;
}
if (info->check_set & ~XT_RECENT_VALID_FLAGS) {
- pr_info(KBUILD_MODNAME ": Unsupported user space flags "
- "(%08x)\n", info->check_set);
+ pr_info("Unsupported user space flags (%08x)\n",
+ info->check_set);
return false;
}
if (hweight8(info->check_set &
@@ -336,7 +336,7 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
return false;
if (info->hit_count > ip_pkt_list_tot) {
- pr_info(KBUILD_MODNAME ": hitcount (%u) is larger than "
+ pr_info("hitcount (%u) is larger than "
"packets to be remembered (%u)\n",
info->hit_count, ip_pkt_list_tot);
return false;
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 6a90256..a9b1686 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -9,7 +9,7 @@
* published by the Free Software Foundation.
*
*/
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter/x_tables.h>
@@ -165,8 +165,7 @@ socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
sk = NULL;
}
- pr_debug("socket match: proto %u %08x:%u -> %08x:%u "
- "(orig %08x:%u) sock %p\n",
+ pr_debug("proto %u %08x:%u -> %08x:%u (orig %08x:%u) sock %p\n",
protocol, ntohl(saddr), ntohs(sport),
ntohl(daddr), ntohs(dport),
ntohl(iph->daddr), hp ? ntohs(hp->dest) : 0, sk);
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 9a9c9a3..45ed05b 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -223,8 +223,8 @@ static bool time_mt_check(const struct xt_mtchk_param *par)
if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
info->daytime_stop > XT_TIME_MAX_DAYTIME) {
- printk(KERN_WARNING "xt_time: invalid argument - start or "
- "stop time greater than 23:59:59\n");
+ pr_info("invalid argument - start or "
+ "stop time greater than 23:59:59\n");
return false;
}
--
1.7.0.2
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH 3/9] netfilter: xtables: make use of xt_request_find_target
2010-03-22 19:17 nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
2010-03-22 19:17 ` [PATCH 1/9] netfilter: xtables: make use of caller family rather than target family Jan Engelhardt
2010-03-22 19:17 ` [PATCH 2/9] netfilter: xt extensions: use pr_<level> (2) Jan Engelhardt
@ 2010-03-22 19:17 ` Jan Engelhardt
2010-03-23 14:24 ` Patrick McHardy
2010-03-22 19:18 ` [PATCH 4/9] netfilter: xtables: consolidate code into xt_request_find_match Jan Engelhardt
` (6 subsequent siblings)
9 siblings, 1 reply; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-22 19:17 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/bridge/netfilter/ebtables.c | 13 ++-----------
net/ipv4/netfilter/arp_tables.c | 20 ++++++++------------
net/ipv4/netfilter/ip_tables.c | 20 ++++++++------------
net/ipv6/netfilter/ip6_tables.c | 20 ++++++++------------
net/netfilter/x_tables.c | 4 +---
net/sched/act_ipt.c | 4 ++--
6 files changed, 29 insertions(+), 52 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 989d72c..6d3b256 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -395,13 +395,9 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
return -EINVAL;
- watcher = try_then_request_module(
- xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
- "ebt_%s", w->u.name);
+ watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
if (IS_ERR(watcher))
return PTR_ERR(watcher);
- if (watcher == NULL)
- return -ENOENT;
w->u.watcher = watcher;
par->target = watcher;
@@ -714,15 +710,10 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
gap = e->next_offset - e->target_offset;
- target = try_then_request_module(
- xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
- "ebt_%s", t->u.name);
+ target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
if (IS_ERR(target)) {
ret = PTR_ERR(target);
goto cleanup_watchers;
- } else if (target == NULL) {
- ret = -ENOENT;
- goto cleanup_watchers;
}
t->u.target = target;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index f07d77f..0665e1b 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -523,13 +523,11 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
return ret;
t = arpt_get_target(e);
- target = try_then_request_module(xt_find_target(NFPROTO_ARP,
- t->u.user.name,
- t->u.user.revision),
- "arpt_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto out;
}
t->u.kernel.target = target;
@@ -1252,14 +1250,12 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
entry_offset = (void *)e - (void *)base;
t = compat_arpt_get_target(e);
- target = try_then_request_module(xt_find_target(NFPROTO_ARP,
- t->u.user.name,
- t->u.user.revision),
- "arpt_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto out;
}
t->u.kernel.target = target;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 73fdf20..a8b0036 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -701,13 +701,11 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
}
t = ipt_get_target(e);
- target = try_then_request_module(xt_find_target(AF_INET,
- t->u.user.name,
- t->u.user.revision),
- "ipt_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto cleanup_matches;
}
t->u.kernel.target = target;
@@ -1547,14 +1545,12 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
}
t = compat_ipt_get_target(e);
- target = try_then_request_module(xt_find_target(AF_INET,
- t->u.user.name,
- t->u.user.revision),
- "ipt_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto release_matches;
}
t->u.kernel.target = target;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1b2414e..6399f82 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -733,13 +733,11 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
}
t = ip6t_get_target(e);
- target = try_then_request_module(xt_find_target(AF_INET6,
- t->u.user.name,
- t->u.user.revision),
- "ip6t_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto cleanup_matches;
}
t->u.kernel.target = target;
@@ -1581,14 +1579,12 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
}
t = compat_ip6t_get_target(e);
- target = try_then_request_module(xt_find_target(AF_INET6,
- t->u.user.name,
- t->u.user.revision),
- "ip6t_%s", t->u.user.name);
- if (IS_ERR(target) || !target) {
+ target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
+ t->u.user.revision);
+ if (IS_ERR(target)) {
duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
t->u.user.name);
- ret = target ? PTR_ERR(target) : -ENOENT;
+ ret = PTR_ERR(target);
goto release_matches;
}
t->u.kernel.target = target;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 9a248d4..bf2806a 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -250,9 +250,7 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
target = try_then_request_module(xt_find_target(af, name, revision),
"%st_%s", xt_prefix[af], name);
- if (IS_ERR(target) || !target)
- return NULL;
- return target;
+ return (target != NULL) ? target : ERR_PTR(-ENOENT);
}
EXPORT_SYMBOL_GPL(xt_request_find_target);
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 082c520..b9f79c2 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -46,8 +46,8 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int
target = xt_request_find_target(AF_INET, t->u.user.name,
t->u.user.revision);
- if (!target)
- return -ENOENT;
+ if (IS_ERR(target))
+ return PTR_ERR(target);
t->u.kernel.target = target;
par.table = table;
--
1.7.0.2
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH 4/9] netfilter: xtables: consolidate code into xt_request_find_match
2010-03-22 19:17 nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
` (2 preceding siblings ...)
2010-03-22 19:17 ` [PATCH 3/9] netfilter: xtables: make use of xt_request_find_target Jan Engelhardt
@ 2010-03-22 19:18 ` Jan Engelhardt
2010-03-23 14:27 ` Patrick McHardy
2010-03-22 19:18 ` [PATCH 5/9] netfilter: xt_recent: allow changing ip_list_[ug]id at runtime Jan Engelhardt
` (5 subsequent siblings)
9 siblings, 1 reply; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-22 19:18 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 1 +
net/bridge/netfilter/ebtables.c | 5 +----
net/ipv4/netfilter/ip_tables.c | 18 ++++++++----------
net/ipv6/netfilter/ip6_tables.c | 18 ++++++++----------
net/netfilter/x_tables.c | 11 +++++++++++
5 files changed, 29 insertions(+), 24 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index f8f5551..3c13d24 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -436,6 +436,7 @@ extern struct xt_table_info *xt_replace_table(struct xt_table *table,
extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
+extern struct xt_match *xt_request_find_match(uint8_t, const char *, uint8_t);
extern struct xt_target *xt_request_find_target(u8 af, const char *name,
u8 revision);
extern int xt_find_revision(u8 af, const char *name, u8 revision,
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 6d3b256..c41f3fa 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -361,12 +361,9 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
left - sizeof(struct ebt_entry_match) < m->match_size)
return -EINVAL;
- match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
- m->u.name, 0), "ebt_%s", m->u.name);
+ match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
if (IS_ERR(match))
return PTR_ERR(match);
- if (match == NULL)
- return -ENOENT;
m->u.match = match;
par->match = match;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index a8b0036..9c8441b 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -629,12 +629,11 @@ find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
struct xt_match *match;
int ret;
- match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
- m->u.user.revision),
- "ipt_%s", m->u.user.name);
- if (IS_ERR(match) || !match) {
+ match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
+ m->u.user.revision);
+ if (IS_ERR(match)) {
duprintf("find_check_match: `%s' not found\n", m->u.user.name);
- return match ? PTR_ERR(match) : -ENOENT;
+ return PTR_ERR(match);
}
m->u.kernel.match = match;
@@ -1472,13 +1471,12 @@ compat_find_calc_match(struct ipt_entry_match *m,
{
struct xt_match *match;
- match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
- m->u.user.revision),
- "ipt_%s", m->u.user.name);
- if (IS_ERR(match) || !match) {
+ match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
+ m->u.user.revision);
+ if (IS_ERR(match)) {
duprintf("compat_check_calc_match: `%s' not found\n",
m->u.user.name);
- return match ? PTR_ERR(match) : -ENOENT;
+ return PTR_ERR(match);
}
m->u.kernel.match = match;
*size += xt_compat_match_offset(match);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 6399f82..d4dee25 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -660,12 +660,11 @@ find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
struct xt_match *match;
int ret;
- match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
- m->u.user.revision),
- "ip6t_%s", m->u.user.name);
- if (IS_ERR(match) || !match) {
+ match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
+ m->u.user.revision);
+ if (IS_ERR(match)) {
duprintf("find_check_match: `%s' not found\n", m->u.user.name);
- return match ? PTR_ERR(match) : -ENOENT;
+ return PTR_ERR(match);
}
m->u.kernel.match = match;
@@ -1506,13 +1505,12 @@ compat_find_calc_match(struct ip6t_entry_match *m,
{
struct xt_match *match;
- match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
- m->u.user.revision),
- "ip6t_%s", m->u.user.name);
- if (IS_ERR(match) || !match) {
+ match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
+ m->u.user.revision);
+ if (IS_ERR(match)) {
duprintf("compat_check_calc_match: `%s' not found\n",
m->u.user.name);
- return match ? PTR_ERR(match) : -ENOENT;
+ return PTR_ERR(match);
}
m->u.kernel.match = match;
*size += xt_compat_match_offset(match);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index bf2806a..4e84d8a 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -214,6 +214,17 @@ struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
}
EXPORT_SYMBOL(xt_find_match);
+struct xt_match *
+xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
+{
+ struct xt_match *match;
+
+ match = try_then_request_module(xt_find_match(nfproto, name, revision),
+ "%st_%s", xt_prefix[nfproto], name);
+ return (match != NULL) ? match : ERR_PTR(-ENOENT);
+}
+EXPORT_SYMBOL_GPL(xt_request_find_match);
+
/* Find target, grabs ref. Returns ERR_PTR() on error. */
struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
{
--
1.7.0.2
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH 5/9] netfilter: xt_recent: allow changing ip_list_[ug]id at runtime
2010-03-22 19:17 nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
` (3 preceding siblings ...)
2010-03-22 19:18 ` [PATCH 4/9] netfilter: xtables: consolidate code into xt_request_find_match Jan Engelhardt
@ 2010-03-22 19:18 ` Jan Engelhardt
2010-03-23 14:18 ` Patrick McHardy
2010-03-22 19:18 ` [PATCH 6/9] netfilter: xtables: slightly better error reporting (1/2) Jan Engelhardt
` (4 subsequent siblings)
9 siblings, 1 reply; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-22 19:18 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/xt_recent.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 72cbced..8530944 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -51,14 +51,14 @@ module_param(ip_list_tot, uint, 0400);
module_param(ip_pkt_list_tot, uint, 0400);
module_param(ip_list_hash_size, uint, 0400);
module_param(ip_list_perms, uint, 0400);
-module_param(ip_list_uid, uint, 0400);
-module_param(ip_list_gid, uint, 0400);
+module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
+module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)");
MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
-MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files");
-MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files");
+MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
+MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
struct recent_entry {
struct list_head list;
--
1.7.0.2
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH 6/9] netfilter: xtables: slightly better error reporting (1/2)
2010-03-22 19:17 nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
` (4 preceding siblings ...)
2010-03-22 19:18 ` [PATCH 5/9] netfilter: xt_recent: allow changing ip_list_[ug]id at runtime Jan Engelhardt
@ 2010-03-22 19:18 ` Jan Engelhardt
2010-03-22 19:18 ` [PATCH 7/9] netfilter: xtables: slightly better error reporting (2/2) Jan Engelhardt
` (3 subsequent siblings)
9 siblings, 0 replies; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-22 19:18 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Restore function signatures from bool to int so that we can report
memory allocation failures or similar using -ENOMEM rather than
always having to pass -EINVAL back.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 6 +++---
net/bridge/netfilter/ebt_802_3.c | 2 +-
net/bridge/netfilter/ebt_among.c | 2 +-
net/bridge/netfilter/ebt_arp.c | 2 +-
net/bridge/netfilter/ebt_arpreply.c | 2 +-
net/bridge/netfilter/ebt_dnat.c | 2 +-
net/bridge/netfilter/ebt_ip.c | 2 +-
net/bridge/netfilter/ebt_ip6.c | 2 +-
net/bridge/netfilter/ebt_limit.c | 2 +-
net/bridge/netfilter/ebt_log.c | 2 +-
net/bridge/netfilter/ebt_mark.c | 2 +-
net/bridge/netfilter/ebt_mark_m.c | 2 +-
net/bridge/netfilter/ebt_nflog.c | 2 +-
net/bridge/netfilter/ebt_pkttype.c | 2 +-
net/bridge/netfilter/ebt_redirect.c | 2 +-
net/bridge/netfilter/ebt_snat.c | 2 +-
net/bridge/netfilter/ebt_stp.c | 2 +-
net/bridge/netfilter/ebt_ulog.c | 2 +-
net/bridge/netfilter/ebt_vlan.c | 2 +-
net/ipv4/netfilter/arpt_mangle.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
net/ipv4/netfilter/ipt_ECN.c | 2 +-
net/ipv4/netfilter/ipt_LOG.c | 2 +-
net/ipv4/netfilter/ipt_MASQUERADE.c | 2 +-
net/ipv4/netfilter/ipt_NETMAP.c | 2 +-
net/ipv4/netfilter/ipt_REDIRECT.c | 2 +-
net/ipv4/netfilter/ipt_REJECT.c | 2 +-
net/ipv4/netfilter/ipt_ULOG.c | 2 +-
net/ipv4/netfilter/ipt_addrtype.c | 2 +-
net/ipv4/netfilter/ipt_ah.c | 2 +-
net/ipv4/netfilter/ipt_ecn.c | 2 +-
net/ipv4/netfilter/nf_nat_rule.c | 4 ++--
net/ipv6/netfilter/ip6_tables.c | 2 +-
net/ipv6/netfilter/ip6t_LOG.c | 2 +-
net/ipv6/netfilter/ip6t_REJECT.c | 2 +-
net/ipv6/netfilter/ip6t_ah.c | 2 +-
net/ipv6/netfilter/ip6t_frag.c | 2 +-
net/ipv6/netfilter/ip6t_hbh.c | 2 +-
| 2 +-
net/ipv6/netfilter/ip6t_mh.c | 2 +-
net/ipv6/netfilter/ip6t_rt.c | 2 +-
net/netfilter/xt_CONNSECMARK.c | 2 +-
net/netfilter/xt_CT.c | 2 +-
net/netfilter/xt_DSCP.c | 2 +-
net/netfilter/xt_HL.c | 4 ++--
net/netfilter/xt_LED.c | 2 +-
net/netfilter/xt_NFLOG.c | 2 +-
net/netfilter/xt_NFQUEUE.c | 2 +-
net/netfilter/xt_RATEEST.c | 2 +-
net/netfilter/xt_SECMARK.c | 2 +-
net/netfilter/xt_TCPMSS.c | 4 ++--
net/netfilter/xt_TPROXY.c | 2 +-
net/netfilter/xt_cluster.c | 2 +-
net/netfilter/xt_connbytes.c | 2 +-
net/netfilter/xt_connlimit.c | 2 +-
net/netfilter/xt_connmark.c | 4 ++--
net/netfilter/xt_conntrack.c | 2 +-
net/netfilter/xt_dccp.c | 2 +-
net/netfilter/xt_dscp.c | 2 +-
net/netfilter/xt_esp.c | 2 +-
net/netfilter/xt_hashlimit.c | 4 ++--
net/netfilter/xt_helper.c | 2 +-
net/netfilter/xt_limit.c | 2 +-
net/netfilter/xt_multiport.c | 8 ++++----
net/netfilter/xt_physdev.c | 2 +-
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_quota.c | 2 +-
net/netfilter/xt_rateest.c | 2 +-
net/netfilter/xt_recent.c | 2 +-
net/netfilter/xt_sctp.c | 2 +-
net/netfilter/xt_state.c | 2 +-
net/netfilter/xt_statistic.c | 2 +-
net/netfilter/xt_string.c | 2 +-
net/netfilter/xt_tcpudp.c | 4 ++--
net/netfilter/xt_time.c | 2 +-
76 files changed, 87 insertions(+), 87 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 3c13d24..47eb99d 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -303,7 +303,7 @@ struct xt_match {
const struct xt_match_param *);
/* Called when user tries to insert an entry of this type. */
- bool (*checkentry)(const struct xt_mtchk_param *);
+ int (*checkentry)(const struct xt_mtchk_param *);
/* Called when entry of this type deleted. */
void (*destroy)(const struct xt_mtdtor_param *);
@@ -342,8 +342,8 @@ struct xt_target {
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
- /* Should return true or false. */
- bool (*checkentry)(const struct xt_tgchk_param *);
+ /* Should return true or false, or an error code (-Exxxx). */
+ int (*checkentry)(const struct xt_tgchk_param *);
/* Called when entry of this type deleted. */
void (*destroy)(const struct xt_tgdtor_param *);
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 5d11767..7b6f4c4 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -36,7 +36,7 @@ ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par)
+static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_802_3_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 60ad630..8a75d39 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -172,7 +172,7 @@ ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_among_mt_check(const struct xt_mtchk_param *par)
+static int ebt_among_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_among_info *info = par->matchinfo;
const struct ebt_entry_match *em =
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index e727697..fc62055 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -100,7 +100,7 @@ ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_arp_mt_check(const struct xt_mtchk_param *par)
+static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_arp_info *info = par->matchinfo;
const struct ebt_entry *e = par->entryinfo;
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index f392e9d..2491564 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -57,7 +57,7 @@ ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
return info->target;
}
-static bool ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
+static int ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
{
const struct ebt_arpreply_info *info = par->targinfo;
const struct ebt_entry *e = par->entryinfo;
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 2bb40d7..5fddebe 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -26,7 +26,7 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
return info->target;
}
-static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par)
+static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
{
const struct ebt_nat_info *info = par->targinfo;
unsigned int hook_mask;
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index 5de6df6..d1a555d 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -77,7 +77,7 @@ ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_ip_mt_check(const struct xt_mtchk_param *par)
+static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_ip_info *info = par->matchinfo;
const struct ebt_entry *e = par->entryinfo;
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 63e3888..fa4ecf5 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -80,7 +80,7 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_ip6_mt_check(const struct xt_mtchk_param *par)
+static int ebt_ip6_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_entry *e = par->entryinfo;
struct ebt_ip6_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 5b7330b..abfb0ec 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -65,7 +65,7 @@ user2credits(u_int32_t user)
return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE;
}
-static bool ebt_limit_mt_check(const struct xt_mtchk_param *par)
+static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
{
struct ebt_limit_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index e873924..a0aeac6 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -24,7 +24,7 @@
static DEFINE_SPINLOCK(ebt_log_lock);
-static bool ebt_log_tg_check(const struct xt_tgchk_param *par)
+static int ebt_log_tg_check(const struct xt_tgchk_param *par)
{
struct ebt_log_info *info = par->targinfo;
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 2b5ce53..dd94daf 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -36,7 +36,7 @@ ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return info->target | ~EBT_VERDICT_BITS;
}
-static bool ebt_mark_tg_check(const struct xt_tgchk_param *par)
+static int ebt_mark_tg_check(const struct xt_tgchk_param *par)
{
const struct ebt_mark_t_info *info = par->targinfo;
int tmp;
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index 8de8c39..1e5b0b3 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -22,7 +22,7 @@ ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
}
-static bool ebt_mark_mt_check(const struct xt_mtchk_param *par)
+static int ebt_mark_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_mark_m_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
index 40dbd24..1f2b7bb 100644
--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -35,7 +35,7 @@ ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
return EBT_CONTINUE;
}
-static bool ebt_nflog_tg_check(const struct xt_tgchk_param *par)
+static int ebt_nflog_tg_check(const struct xt_tgchk_param *par)
{
struct ebt_nflog_info *info = par->targinfo;
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index e2a07e6..9b3c645 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -20,7 +20,7 @@ ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return (skb->pkt_type == info->pkt_type) ^ info->invert;
}
-static bool ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
+static int ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_pkttype_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index 9be8fbc..73c4d3a 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -32,7 +32,7 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
return info->target;
}
-static bool ebt_redirect_tg_check(const struct xt_tgchk_param *par)
+static int ebt_redirect_tg_check(const struct xt_tgchk_param *par)
{
const struct ebt_redirect_info *info = par->targinfo;
unsigned int hook_mask;
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 9c7b520..94bcecd 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -42,7 +42,7 @@ out:
return info->target | ~EBT_VERDICT_BITS;
}
-static bool ebt_snat_tg_check(const struct xt_tgchk_param *par)
+static int ebt_snat_tg_check(const struct xt_tgchk_param *par)
{
const struct ebt_nat_info *info = par->targinfo;
int tmp;
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 92a93d3..521186f 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -153,7 +153,7 @@ ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_stp_mt_check(const struct xt_mtchk_param *par)
+static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_stp_info *info = par->matchinfo;
const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 9faee5f..482674e 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -256,7 +256,7 @@ ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
return EBT_CONTINUE;
}
-static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par)
+static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
{
struct ebt_ulog_info *uloginfo = par->targinfo;
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index 5c44f51..04a9575 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -79,7 +79,7 @@ ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
+static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
{
struct ebt_vlan_info *info = par->matchinfo;
const struct ebt_entry *e = par->entryinfo;
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index b0d5b1d..4b51a02 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -54,7 +54,7 @@ target(struct sk_buff *skb, const struct xt_target_param *par)
return mangle->target;
}
-static bool checkentry(const struct xt_tgchk_param *par)
+static int checkentry(const struct xt_tgchk_param *par)
{
const struct arpt_mangle *mangle = par->targinfo;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 9c8441b..dd845d8 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2176,7 +2176,7 @@ icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
!!(icmpinfo->invflags&IPT_ICMP_INV));
}
-static bool icmp_checkentry(const struct xt_mtchk_param *par)
+static int icmp_checkentry(const struct xt_mtchk_param *par)
{
const struct ipt_icmp *icmpinfo = par->matchinfo;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index f019c34..b8972ec 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -348,7 +348,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool clusterip_tg_check(const struct xt_tgchk_param *par)
+static int clusterip_tg_check(const struct xt_tgchk_param *par)
{
struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 0198875..9d96500 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -93,7 +93,7 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool ecn_tg_check(const struct xt_tgchk_param *par)
+static int ecn_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_ECN_info *einfo = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index b3bf623..c9ee5c4 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -439,7 +439,7 @@ log_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool log_tg_check(const struct xt_tgchk_param *par)
+static int log_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_log_info *loginfo = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 5063dda..5a182f6 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -28,7 +28,7 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
MODULE_DESCRIPTION("Xtables: automatic-address SNAT");
/* FIXME: Multiple targets. --RR */
-static bool masquerade_tg_check(const struct xt_tgchk_param *par)
+static int masquerade_tg_check(const struct xt_tgchk_param *par)
{
const struct nf_nat_multi_range_compat *mr = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 51ab01a..cbfe5f7 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -22,7 +22,7 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets");
-static bool netmap_tg_check(const struct xt_tgchk_param *par)
+static int netmap_tg_check(const struct xt_tgchk_param *par)
{
const struct nf_nat_multi_range_compat *mr = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 74f1f55..f8daec2 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -26,7 +26,7 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");
/* FIXME: Take multiple ranges --RR */
-static bool redirect_tg_check(const struct xt_tgchk_param *par)
+static int redirect_tg_check(const struct xt_tgchk_param *par)
{
const struct nf_nat_multi_range_compat *mr = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index ff32252..cf76f1b 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -174,7 +174,7 @@ reject_tg(struct sk_buff *skb, const struct xt_target_param *par)
return NF_DROP;
}
-static bool reject_tg_check(const struct xt_tgchk_param *par)
+static int reject_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_reject_info *rejinfo = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 043350e..3836d29 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -312,7 +312,7 @@ static void ipt_logfn(u_int8_t pf,
ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
}
-static bool ulog_tg_check(const struct xt_tgchk_param *par)
+static int ulog_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_ulog_info *loginfo = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index ea4f58a..81197f4 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -70,7 +70,7 @@ addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
+static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
{
struct ipt_addrtype_info_v1 *info = par->matchinfo;
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 4f27e17..667ded1 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -55,7 +55,7 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
!!(ahinfo->invflags & IPT_AH_INV_SPI));
}
-static bool ah_mt_check(const struct xt_mtchk_param *par)
+static int ah_mt_check(const struct xt_mtchk_param *par)
{
const struct ipt_ah *ahinfo = par->matchinfo;
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index e661108..d1e234f 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -85,7 +85,7 @@ static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ecn_mt_check(const struct xt_mtchk_param *par)
+static int ecn_mt_check(const struct xt_mtchk_param *par)
{
const struct ipt_ecn_info *info = par->matchinfo;
const struct ipt_ip *ip = par->entryinfo;
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index ab74cc0..a3813af 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -73,7 +73,7 @@ ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par)
return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST);
}
-static bool ipt_snat_checkentry(const struct xt_tgchk_param *par)
+static int ipt_snat_checkentry(const struct xt_tgchk_param *par)
{
const struct nf_nat_multi_range_compat *mr = par->targinfo;
@@ -85,7 +85,7 @@ static bool ipt_snat_checkentry(const struct xt_tgchk_param *par)
return true;
}
-static bool ipt_dnat_checkentry(const struct xt_tgchk_param *par)
+static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
{
const struct nf_nat_multi_range_compat *mr = par->targinfo;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index d4dee25..b0d5d41 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2209,7 +2209,7 @@ icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
}
/* Called when user tries to insert an entry of this type. */
-static bool icmp6_checkentry(const struct xt_mtchk_param *par)
+static int icmp6_checkentry(const struct xt_mtchk_param *par)
{
const struct ip6t_icmp *icmpinfo = par->matchinfo;
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 5a79883..bcc3fc1 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -451,7 +451,7 @@ log_tg6(struct sk_buff *skb, const struct xt_target_param *par)
}
-static bool log_tg6_check(const struct xt_tgchk_param *par)
+static int log_tg6_check(const struct xt_tgchk_param *par)
{
const struct ip6t_log_info *loginfo = par->targinfo;
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 45efb9f..8d5141e 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -213,7 +213,7 @@ reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
return NF_DROP;
}
-static bool reject_tg6_check(const struct xt_tgchk_param *par)
+static int reject_tg6_check(const struct xt_tgchk_param *par)
{
const struct ip6t_reject_info *rejinfo = par->targinfo;
const struct ip6t_entry *e = par->entryinfo;
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index 4429bfd..3d57044 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -87,7 +87,7 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
!(ahinfo->hdrres && ah->reserved);
}
-static bool ah_mt6_check(const struct xt_mtchk_param *par)
+static int ah_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_ah *ahinfo = par->matchinfo;
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index 5c0da91..c2dba27 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -102,7 +102,7 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
(ntohs(fh->frag_off) & IP6_MF));
}
-static bool frag_mt6_check(const struct xt_mtchk_param *par)
+static int frag_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_frag *fraginfo = par->matchinfo;
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index f4b7388..1b29431 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -164,7 +164,7 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
return false;
}
-static bool hbh_mt6_check(const struct xt_mtchk_param *par)
+static int hbh_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_opts *optsinfo = par->matchinfo;
--git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 91490ad..90e1e04 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -118,7 +118,7 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
}
}
-static bool ipv6header_mt6_check(const struct xt_mtchk_param *par)
+static int ipv6header_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_ipv6header_info *info = par->matchinfo;
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index 0181eb8..d940804 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -62,7 +62,7 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
!!(mhinfo->invflags & IP6T_MH_INV_TYPE));
}
-static bool mh_mt6_check(const struct xt_mtchk_param *par)
+static int mh_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_mh *mhinfo = par->matchinfo;
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index c58d653..76397f3 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -183,7 +183,7 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
return false;
}
-static bool rt_mt6_check(const struct xt_mtchk_param *par)
+static int rt_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_rt *rtinfo = par->matchinfo;
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 6812865..3f9d0f4 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -84,7 +84,7 @@ connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool connsecmark_tg_check(const struct xt_tgchk_param *par)
+static int connsecmark_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_connsecmark_target_info *info = par->targinfo;
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 6509e03..c1553bf 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -53,7 +53,7 @@ static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
return 0;
}
-static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
+static int xt_ct_tg_check(const struct xt_tgchk_param *par)
{
struct xt_ct_target_info *info = par->targinfo;
struct nf_conntrack_tuple t;
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index bbf08a9..1fa7b67 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -60,7 +60,7 @@ dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool dscp_tg_check(const struct xt_tgchk_param *par)
+static int dscp_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_DSCP_info *info = par->targinfo;
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 7004ed2..15ba161 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -101,7 +101,7 @@ hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool ttl_tg_check(const struct xt_tgchk_param *par)
+static int ttl_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_TTL_info *info = par->targinfo;
@@ -114,7 +114,7 @@ static bool ttl_tg_check(const struct xt_tgchk_param *par)
return true;
}
-static bool hl_tg6_check(const struct xt_tgchk_param *par)
+static int hl_tg6_check(const struct xt_tgchk_param *par)
{
const struct ip6t_HL_info *info = par->targinfo;
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index f511bea..1a3e3dd 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -80,7 +80,7 @@ static void led_timeout_callback(unsigned long data)
led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
}
-static bool led_tg_check(const struct xt_tgchk_param *par)
+static int led_tg_check(const struct xt_tgchk_param *par)
{
struct xt_led_info *ledinfo = par->targinfo;
struct xt_led_info_internal *ledinternal;
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index a57c5cf..13e6c00 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -37,7 +37,7 @@ nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool nflog_tg_check(const struct xt_tgchk_param *par)
+static int nflog_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_nflog_info *info = par->targinfo;
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 7cc0de6..d435579 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -81,7 +81,7 @@ nfqueue_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
return NF_QUEUE_NR(queue);
}
-static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
+static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
{
const struct xt_NFQ_info_v1 *info = par->targinfo;
u32 maxid;
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 87ae97e..9743e50 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -85,7 +85,7 @@ xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
+static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
{
struct xt_rateest_target_info *info = par->targinfo;
struct xt_rateest *est;
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 4855fd9..48f8e4f 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -80,7 +80,7 @@ static bool checkentry_selinux(struct xt_secmark_target_info *info)
return true;
}
-static bool secmark_tg_check(const struct xt_tgchk_param *par)
+static int secmark_tg_check(const struct xt_tgchk_param *par)
{
struct xt_secmark_target_info *info = par->targinfo;
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 45161d9..70288dc 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -234,7 +234,7 @@ static inline bool find_syn_match(const struct xt_entry_match *m)
return false;
}
-static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
+static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
{
const struct xt_tcpmss_info *info = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
@@ -256,7 +256,7 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
}
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
-static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
+static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
{
const struct xt_tcpmss_info *info = par->targinfo;
const struct ip6t_entry *e = par->entryinfo;
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index e9244fd..189df9a 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -59,7 +59,7 @@ tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par)
return NF_DROP;
}
-static bool tproxy_tg_check(const struct xt_tgchk_param *par)
+static int tproxy_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_ip *i = par->entryinfo;
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 4c273e8..1f2c35e 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -132,7 +132,7 @@ xt_cluster_mt(const struct sk_buff *skb, const struct xt_match_param *par)
!!(info->flags & XT_CLUSTER_F_INV);
}
-static bool xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
+static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
{
struct xt_cluster_match_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index edb7bbd..136ef4c 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -93,7 +93,7 @@ connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return what >= sinfo->count.from;
}
-static bool connbytes_mt_check(const struct xt_mtchk_param *par)
+static int connbytes_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_connbytes_info *sinfo = par->matchinfo;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index d5b26da..a9fec38 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -216,7 +216,7 @@ connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return false;
}
-static bool connlimit_mt_check(const struct xt_mtchk_param *par)
+static int connlimit_mt_check(const struct xt_mtchk_param *par)
{
struct xt_connlimit_info *info = par->matchinfo;
unsigned int i;
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 7a51ba6..0e69427 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -74,7 +74,7 @@ connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool connmark_tg_check(const struct xt_tgchk_param *par)
+static int connmark_tg_check(const struct xt_tgchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
@@ -103,7 +103,7 @@ connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ((ct->mark & info->mask) == info->mark) ^ info->invert;
}
-static bool connmark_mt_check(const struct xt_mtchk_param *par)
+static int connmark_mt_check(const struct xt_mtchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 387172b..500e033 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -206,7 +206,7 @@ conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
}
-static bool conntrack_mt_check(const struct xt_mtchk_param *par)
+static int conntrack_mt_check(const struct xt_mtchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 0989f29..1394deb 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -123,7 +123,7 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
XT_DCCP_OPTION, info->flags, info->invflags);
}
-static bool dccp_mt_check(const struct xt_mtchk_param *par)
+static int dccp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_dccp_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 6ecedc1..295da4c 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -42,7 +42,7 @@ dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
return (dscp == info->dscp) ^ !!info->invert;
}
-static bool dscp_mt_check(const struct xt_mtchk_param *par)
+static int dscp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_dscp_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 1a446d6..9f5da97 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -60,7 +60,7 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
!!(espinfo->invflags & XT_ESP_INV_SPI));
}
-static bool esp_mt_check(const struct xt_mtchk_param *par)
+static int esp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_esp *espinfo = par->matchinfo;
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 8f3e0c0..d13800c 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -671,7 +671,7 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return false;
}
-static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
+static int hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
{
struct net *net = par->net;
struct xt_hashlimit_info *r = par->matchinfo;
@@ -707,7 +707,7 @@ static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
return true;
}
-static bool hashlimit_mt_check(const struct xt_mtchk_param *par)
+static int hashlimit_mt_check(const struct xt_mtchk_param *par)
{
struct net *net = par->net;
struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 482aff2..6e177b2 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -54,7 +54,7 @@ helper_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool helper_mt_check(const struct xt_mtchk_param *par)
+static int helper_mt_check(const struct xt_mtchk_param *par)
{
struct xt_helper_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index b3dfca6..138a324 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -97,7 +97,7 @@ user2credits(u_int32_t user)
return (user * HZ * CREDITS_PER_JIFFY) / XT_LIMIT_SCALE;
}
-static bool limit_mt_check(const struct xt_mtchk_param *par)
+static int limit_mt_check(const struct xt_mtchk_param *par)
{
struct xt_rateinfo *r = par->matchinfo;
struct xt_limit_priv *priv;
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 4fa90c8..b446738 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -152,7 +152,7 @@ check(u_int16_t proto,
&& count <= XT_MULTI_PORTS;
}
-static bool multiport_mt_check_v0(const struct xt_mtchk_param *par)
+static int multiport_mt_check_v0(const struct xt_mtchk_param *par)
{
const struct ipt_ip *ip = par->entryinfo;
const struct xt_multiport *multiinfo = par->matchinfo;
@@ -161,7 +161,7 @@ static bool multiport_mt_check_v0(const struct xt_mtchk_param *par)
multiinfo->count);
}
-static bool multiport_mt_check(const struct xt_mtchk_param *par)
+static int multiport_mt_check(const struct xt_mtchk_param *par)
{
const struct ipt_ip *ip = par->entryinfo;
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
@@ -170,7 +170,7 @@ static bool multiport_mt_check(const struct xt_mtchk_param *par)
multiinfo->count);
}
-static bool multiport_mt6_check_v0(const struct xt_mtchk_param *par)
+static int multiport_mt6_check_v0(const struct xt_mtchk_param *par)
{
const struct ip6t_ip6 *ip = par->entryinfo;
const struct xt_multiport *multiinfo = par->matchinfo;
@@ -179,7 +179,7 @@ static bool multiport_mt6_check_v0(const struct xt_mtchk_param *par)
multiinfo->count);
}
-static bool multiport_mt6_check(const struct xt_mtchk_param *par)
+static int multiport_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_ip6 *ip = par->entryinfo;
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 3d42a27..850e412 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -83,7 +83,7 @@ match_outdev:
return (!!ret ^ !(info->invert & XT_PHYSDEV_OP_OUT));
}
-static bool physdev_mt_check(const struct xt_mtchk_param *par)
+static int physdev_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_physdev_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index de3aded..c9965b6 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -128,7 +128,7 @@ policy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool policy_mt_check(const struct xt_mtchk_param *par)
+static int policy_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_policy_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 390b7d0..2861fac 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -43,7 +43,7 @@ quota_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool quota_mt_check(const struct xt_mtchk_param *par)
+static int quota_mt_check(const struct xt_mtchk_param *par)
{
struct xt_quota_info *q = par->matchinfo;
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 4fc6a91..3b5e3d6 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -74,7 +74,7 @@ xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
+static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
{
struct xt_rateest_match_info *info = par->matchinfo;
struct xt_rateest *est1, *est2;
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 8530944..52042c8 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -305,7 +305,7 @@ out:
return ret;
}
-static bool recent_mt_check(const struct xt_mtchk_param *par)
+static int recent_mt_check(const struct xt_mtchk_param *par)
{
struct recent_net *recent_net = recent_pernet(par->net);
const struct xt_recent_mtinfo *info = par->matchinfo;
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 43c7e1d..f0a33bd 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -144,7 +144,7 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
}
-static bool sctp_mt_check(const struct xt_mtchk_param *par)
+static int sctp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_sctp_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 94893be..8b15b13 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -37,7 +37,7 @@ state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return (sinfo->statemask & statebit);
}
-static bool state_mt_check(const struct xt_mtchk_param *par)
+static int state_mt_check(const struct xt_mtchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 51ac1bb..a577ab0 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -52,7 +52,7 @@ statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool statistic_mt_check(const struct xt_mtchk_param *par)
+static int statistic_mt_check(const struct xt_mtchk_param *par)
{
struct xt_statistic_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index b4d7741..7d14121 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -40,7 +40,7 @@ string_mt(const struct sk_buff *skb, const struct xt_match_param *par)
#define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m))
-static bool string_mt_check(const struct xt_mtchk_param *par)
+static int string_mt_check(const struct xt_mtchk_param *par)
{
struct xt_string_info *conf = par->matchinfo;
struct ts_config *ts_conf;
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index b53887f..0072841 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -120,7 +120,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool tcp_mt_check(const struct xt_mtchk_param *par)
+static int tcp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_tcp *tcpinfo = par->matchinfo;
@@ -155,7 +155,7 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
!!(udpinfo->invflags & XT_UDP_INV_DSTPT));
}
-static bool udp_mt_check(const struct xt_mtchk_param *par)
+static int udp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_udp *udpinfo = par->matchinfo;
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 45ed05b..db74f4f 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -217,7 +217,7 @@ time_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool time_mt_check(const struct xt_mtchk_param *par)
+static int time_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_time_info *info = par->matchinfo;
--
1.7.0.2
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH 7/9] netfilter: xtables: slightly better error reporting (2/2)
2010-03-22 19:17 nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
` (5 preceding siblings ...)
2010-03-22 19:18 ` [PATCH 6/9] netfilter: xtables: slightly better error reporting (1/2) Jan Engelhardt
@ 2010-03-22 19:18 ` Jan Engelhardt
2010-03-23 14:44 ` Patrick McHardy
2010-03-22 19:18 ` [PATCH 8/9] netfilter: xtables: use only error codes for checkentry Jan Engelhardt
` (2 subsequent siblings)
9 siblings, 1 reply; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-22 19:18 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
When extended status codes are available, such as ENOMEM on failed
allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing
them up to userspace seems like a good idea compared to just always
EINVAL.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 11 ++++++-----
net/ipv4/netfilter/ipt_LOG.c | 2 +-
net/netfilter/x_tables.c | 22 ++++++++++++++++++----
net/netfilter/xt_CONNSECMARK.c | 8 +++++---
net/netfilter/xt_CT.c | 11 +++++++++--
net/netfilter/xt_DSCP.c | 2 +-
net/netfilter/xt_HL.c | 4 ++--
net/netfilter/xt_LED.c | 11 +++--------
net/netfilter/xt_NFQUEUE.c | 2 +-
net/netfilter/xt_RATEEST.c | 9 ++++++---
net/netfilter/xt_SECMARK.c | 16 +++++++++-------
net/netfilter/xt_cluster.c | 2 +-
net/netfilter/xt_connbytes.c | 6 ++++--
net/netfilter/xt_connlimit.c | 8 +++++---
net/netfilter/xt_connmark.c | 14 ++++++++++----
net/netfilter/xt_conntrack.c | 7 +++++--
net/netfilter/xt_dscp.c | 2 +-
net/netfilter/xt_hashlimit.c | 33 ++++++++++++++++++++-------------
net/netfilter/xt_helper.c | 6 ++++--
net/netfilter/xt_limit.c | 4 ++--
net/netfilter/xt_quota.c | 2 +-
net/netfilter/xt_rateest.c | 2 ++
net/netfilter/xt_recent.c | 7 +++++--
net/netfilter/xt_state.c | 7 +++++--
net/netfilter/xt_statistic.c | 2 +-
net/netfilter/xt_string.c | 2 +-
net/netfilter/xt_time.c | 2 +-
27 files changed, 129 insertions(+), 75 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index b8972ec..e29e8e5 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -352,8 +352,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
{
struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
-
struct clusterip_config *config;
+ int ret;
if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
@@ -388,7 +388,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
if (!dev) {
pr_info("no such interface %s\n",
e->ip.iniface);
- return false;
+ return -ENOENT;
}
config = clusterip_config_init(cipinfo,
@@ -396,17 +396,18 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
if (!config) {
pr_info("cannot allocate config\n");
dev_put(dev);
- return false;
+ return -ENOMEM;
}
dev_mc_add(config->dev,config->clustermac, ETH_ALEN, 0);
}
}
cipinfo->config = config;
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return false;
+ return ret;
}
return true;
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index c9ee5c4..33213d6 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -445,7 +445,7 @@ static int log_tg_check(const struct xt_tgchk_param *par)
if (loginfo->level >= 8) {
pr_debug("level %u >= 8\n", loginfo->level);
- return false;
+ return -EDOM;
}
if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
pr_debug("prefix is not null-terminated\n");
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 4e84d8a..6ead6e0 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -363,6 +363,8 @@ static char *textify_hooks(char *buf, size_t size, unsigned int mask)
int xt_check_match(struct xt_mtchk_param *par,
unsigned int size, u_int8_t proto, bool inv_proto)
{
+ int ret;
+
if (XT_ALIGN(par->match->matchsize) != size &&
par->match->matchsize != -1) {
/*
@@ -399,8 +401,13 @@ int xt_check_match(struct xt_mtchk_param *par,
par->match->proto);
return -EINVAL;
}
- if (par->match->checkentry != NULL && !par->match->checkentry(par))
- return -EINVAL;
+ if (par->match->checkentry != NULL) {
+ ret = par->match->checkentry(par);
+ if (ret < 0)
+ return ret;
+ else if (ret == 0)
+ return -EINVAL;
+ }
return 0;
}
EXPORT_SYMBOL_GPL(xt_check_match);
@@ -520,6 +527,8 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
int xt_check_target(struct xt_tgchk_param *par,
unsigned int size, u_int8_t proto, bool inv_proto)
{
+ int ret;
+
if (XT_ALIGN(par->target->targetsize) != size) {
pr_err("%s_tables: %s.%u target: invalid size "
"%u (kernel) != (user) %u\n",
@@ -551,8 +560,13 @@ int xt_check_target(struct xt_tgchk_param *par,
par->target->proto);
return -EINVAL;
}
- if (par->target->checkentry != NULL && !par->target->checkentry(par))
- return -EINVAL;
+ if (par->target->checkentry != NULL) {
+ ret = par->target->checkentry(par);
+ if (ret < 0)
+ return ret;
+ else if (ret == false)
+ return -EINVAL;
+ }
return 0;
}
EXPORT_SYMBOL_GPL(xt_check_target);
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 3f9d0f4..d338d18 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -87,6 +87,7 @@ connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
static int connsecmark_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_connsecmark_target_info *info = par->targinfo;
+ int ret;
if (strcmp(par->table, "mangle") != 0 &&
strcmp(par->table, "security") != 0) {
@@ -102,13 +103,14 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
default:
pr_info("invalid mode: %hu\n", info->mode);
- return false;
+ return -EDOM;
}
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return false;
+ return ret;
}
return true;
}
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index c1553bf..da5b951 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -59,6 +59,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
struct nf_conntrack_tuple t;
struct nf_conn_help *help;
struct nf_conn *ct;
+ int ret = 0;
u8 proto;
if (info->flags & ~XT_CT_NOTRACK)
@@ -75,28 +76,34 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
goto err1;
#endif
- if (nf_ct_l3proto_try_module_get(par->family) < 0)
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0)
goto err1;
memset(&t, 0, sizeof(t));
ct = nf_conntrack_alloc(par->net, info->zone, &t, &t, GFP_KERNEL);
+ ret = PTR_ERR(ct);
if (IS_ERR(ct))
goto err2;
+ ret = 0;
if ((info->ct_events || info->exp_events) &&
!nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
GFP_KERNEL))
goto err3;
if (info->helper[0]) {
+ ret = -ENOENT;
proto = xt_ct_find_proto(par);
if (!proto)
goto err3;
+ ret = -ENOMEM;
help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
if (help == NULL)
goto err3;
+ ret = -ENOENT;
help->helper = nf_conntrack_helper_try_module_get(info->helper,
par->family,
proto);
@@ -115,7 +122,7 @@ err3:
err2:
nf_ct_l3proto_module_put(par->family);
err1:
- return false;
+ return ret;
}
static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 1fa7b67..0c9aae6 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -66,7 +66,7 @@ static int dscp_tg_check(const struct xt_tgchk_param *par)
if (info->dscp > XT_DSCP_MAX) {
pr_info("dscp %x out of range\n", info->dscp);
- return false;
+ return -EDOM;
}
return true;
}
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 15ba161..22ed2dc 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -107,7 +107,7 @@ static int ttl_tg_check(const struct xt_tgchk_param *par)
if (info->mode > IPT_TTL_MAXMODE) {
pr_info("TTL: invalid or unknown mode %u\n", info->mode);
- return false;
+ return -EDOM;
}
if (info->mode != IPT_TTL_SET && info->ttl == 0)
return false;
@@ -120,7 +120,7 @@ static int hl_tg6_check(const struct xt_tgchk_param *par)
if (info->mode > IP6T_HL_MAXMODE) {
pr_info("invalid or unknown mode %u\n", info->mode);
- return false;
+ return -EDOM;
}
if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
pr_info("increment/decrement does not "
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 1a3e3dd..899da12 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -93,7 +93,7 @@ static int led_tg_check(const struct xt_tgchk_param *par)
ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
if (!ledinternal)
- return false;
+ return -ENOMEM;
ledinternal->netfilter_led_trigger.name = ledinfo->id;
@@ -102,7 +102,8 @@ static int led_tg_check(const struct xt_tgchk_param *par)
pr_warning("led_trigger_register() failed\n");
if (err == -EEXIST)
pr_warning("Trigger name is already in use.\n");
- goto exit_alloc;
+ kfree(ledinternal);
+ return err;
}
/* See if we need to set up a timer */
@@ -111,13 +112,7 @@ static int led_tg_check(const struct xt_tgchk_param *par)
(unsigned long)ledinfo);
ledinfo->internal_data = ledinternal;
-
return true;
-
-exit_alloc:
- kfree(ledinternal);
-
- return false;
}
static void led_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index d435579..143f0e0 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -98,7 +98,7 @@ static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
if (maxid > 0xffff) {
pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n",
info->queues_total, maxid);
- return false;
+ return -EDOM;
}
return true;
}
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 9743e50..3c5d1c9 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -93,6 +93,7 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
struct nlattr opt;
struct gnet_estimator est;
} cfg;
+ int ret;
if (unlikely(!rnd_inited)) {
get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
@@ -115,6 +116,7 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
return true;
}
+ ret = -ENOMEM;
est = kzalloc(sizeof(*est), GFP_KERNEL);
if (!est)
goto err1;
@@ -130,8 +132,9 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
cfg.est.interval = info->interval;
cfg.est.ewma_log = info->ewma_log;
- if (gen_new_estimator(&est->bstats, &est->rstats, &est->lock,
- &cfg.opt) < 0)
+ ret = gen_new_estimator(&est->bstats, &est->rstats,
+ &est->lock, &cfg.opt);
+ if (ret < 0)
goto err2;
info->est = est;
@@ -142,7 +145,7 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
err2:
kfree(est);
err1:
- return false;
+ return ret;
}
static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 48f8e4f..6525eee 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -50,7 +50,7 @@ secmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool checkentry_selinux(struct xt_secmark_target_info *info)
+static int checkentry_selinux(struct xt_secmark_target_info *info)
{
int err;
struct xt_secmark_target_selinux_info *sel = &info->u.sel;
@@ -62,18 +62,18 @@ static bool checkentry_selinux(struct xt_secmark_target_info *info)
if (err == -EINVAL)
pr_info("invalid SELinux context \'%s\'\n",
sel->selctx);
- return false;
+ return err;
}
if (!sel->selsid) {
pr_info("unable to map SELinux context \'%s\'\n", sel->selctx);
- return false;
+ return -ENOENT;
}
err = selinux_secmark_relabel_packet_permission(sel->selsid);
if (err) {
pr_info("unable to obtain relabeling permission\n");
- return false;
+ return err;
}
selinux_secmark_refcount_inc();
@@ -83,6 +83,7 @@ static bool checkentry_selinux(struct xt_secmark_target_info *info)
static int secmark_tg_check(const struct xt_tgchk_param *par)
{
struct xt_secmark_target_info *info = par->targinfo;
+ int err;
if (strcmp(par->table, "mangle") != 0 &&
strcmp(par->table, "security") != 0) {
@@ -99,13 +100,14 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
switch (info->mode) {
case SECMARK_MODE_SEL:
- if (!checkentry_selinux(info))
- return false;
+ err = checkentry_selinux(info);
+ if (err <= 0)
+ return err;
break;
default:
pr_info("invalid mode: %hu\n", info->mode);
- return false;
+ return -EDOM;
}
if (!mode)
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 1f2c35e..0c8a653 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -145,7 +145,7 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
if (info->node_mask >= (1ULL << info->total_nodes)) {
pr_info("this node mask cannot be "
"higher than the total number of nodes\n");
- return false;
+ return -EDOM;
}
return true;
}
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 136ef4c..d50a53e 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -96,6 +96,7 @@ connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
static int connbytes_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_connbytes_info *sinfo = par->matchinfo;
+ int ret;
if (sinfo->what != XT_CONNBYTES_PKTS &&
sinfo->what != XT_CONNBYTES_BYTES &&
@@ -107,10 +108,11 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
sinfo->direction != XT_CONNBYTES_DIR_BOTH)
return false;
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return false;
+ return ret;
}
return true;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index a9fec38..f8d92aa 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -220,22 +220,24 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
{
struct xt_connlimit_info *info = par->matchinfo;
unsigned int i;
+ int ret;
if (unlikely(!connlimit_rnd_inited)) {
get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd));
connlimit_rnd_inited = true;
}
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
pr_info("cannot load conntrack support for "
"address family %u\n", par->family);
- return false;
+ return ret;
}
/* init private data */
info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);
if (info->data == NULL) {
nf_ct_l3proto_module_put(par->family);
- return false;
+ return -ENOMEM;
}
spin_lock_init(&info->data->lock);
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 0e69427..1ffbafb 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -76,10 +76,13 @@ connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
static int connmark_tg_check(const struct xt_tgchk_param *par)
{
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ int ret;
+
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return false;
+ return ret;
}
return true;
}
@@ -105,10 +108,13 @@ connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
static int connmark_mt_check(const struct xt_mtchk_param *par)
{
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ int ret;
+
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return false;
+ return ret;
}
return true;
}
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 500e033..59d2589 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -208,10 +208,13 @@ conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
static int conntrack_mt_check(const struct xt_mtchk_param *par)
{
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ int ret;
+
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return false;
+ return ret;
}
return true;
}
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 295da4c..97331ac 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -48,7 +48,7 @@ static int dscp_mt_check(const struct xt_mtchk_param *par)
if (info->dscp > XT_DSCP_MAX) {
pr_info("dscp %x out of range\n", info->dscp);
- return false;
+ return -EDOM;
}
return true;
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index d13800c..e769fc6 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -214,7 +214,7 @@ static int htable_create_v0(struct net *net, struct xt_hashlimit_info *minfo, u_
hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
sizeof(struct list_head) * size);
if (!hinfo)
- return -1;
+ return -ENOMEM;
minfo->hinfo = hinfo;
/* copy match config into hashtable config */
@@ -250,7 +250,7 @@ static int htable_create_v0(struct net *net, struct xt_hashlimit_info *minfo, u_
&dl_file_ops, hinfo);
if (!hinfo->pde) {
vfree(hinfo);
- return -1;
+ return -ENOMEM;
}
hinfo->net = net;
@@ -285,7 +285,7 @@ static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
sizeof(struct list_head) * size);
if (hinfo == NULL)
- return -1;
+ return -ENOMEM;
minfo->hinfo = hinfo;
/* copy match config into hashtable config */
@@ -311,7 +311,7 @@ static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
&dl_file_ops, hinfo);
if (hinfo->pde == NULL) {
vfree(hinfo);
- return -1;
+ return -ENOMEM;
}
hinfo->net = net;
@@ -675,13 +675,14 @@ static int hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
{
struct net *net = par->net;
struct xt_hashlimit_info *r = par->matchinfo;
+ int ret;
/* Check for overflow. */
if (r->cfg.burst == 0 ||
user2credits(r->cfg.avg * r->cfg.burst) < user2credits(r->cfg.avg)) {
pr_info("overflow, try lower: %u/%u\n",
r->cfg.avg, r->cfg.burst);
- return false;
+ return -ERANGE;
}
if (r->cfg.mode == 0 ||
r->cfg.mode > (XT_HASHLIMIT_HASH_DPT |
@@ -698,12 +699,14 @@ static int hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
mutex_lock(&hashlimit_mutex);
r->hinfo = htable_find_get(net, r->name, par->family);
- if (!r->hinfo && htable_create_v0(net, r, par->family) != 0) {
- mutex_unlock(&hashlimit_mutex);
- return false;
+ if (r->hinfo == NULL) {
+ ret = htable_create_v0(net, r, par->family);
+ if (ret < 0) {
+ mutex_unlock(&hashlimit_mutex);
+ return ret;
+ }
}
mutex_unlock(&hashlimit_mutex);
-
return true;
}
@@ -711,6 +714,7 @@ static int hashlimit_mt_check(const struct xt_mtchk_param *par)
{
struct net *net = par->net;
struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
+ int ret;
/* Check for overflow. */
if (info->cfg.burst == 0 ||
@@ -718,7 +722,7 @@ static int hashlimit_mt_check(const struct xt_mtchk_param *par)
user2credits(info->cfg.avg)) {
pr_info("overflow, try lower: %u/%u\n",
info->cfg.avg, info->cfg.burst);
- return false;
+ return -ERANGE;
}
if (info->cfg.gc_interval == 0 || info->cfg.expire == 0)
return false;
@@ -734,9 +738,12 @@ static int hashlimit_mt_check(const struct xt_mtchk_param *par)
mutex_lock(&hashlimit_mutex);
info->hinfo = htable_find_get(net, info->name, par->family);
- if (!info->hinfo && htable_create(net, info, par->family) != 0) {
- mutex_unlock(&hashlimit_mutex);
- return false;
+ if (info->hinfo == NULL) {
+ ret = htable_create(net, info, par->family);
+ if (ret < 0) {
+ mutex_unlock(&hashlimit_mutex);
+ return ret;
+ }
}
mutex_unlock(&hashlimit_mutex);
return true;
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 6e177b2..2b3671a 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -57,11 +57,13 @@ helper_mt(const struct sk_buff *skb, const struct xt_match_param *par)
static int helper_mt_check(const struct xt_mtchk_param *par)
{
struct xt_helper_info *info = par->matchinfo;
+ int ret;
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return false;
+ return ret;
}
info->name[29] = '\0';
return true;
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 138a324..de99e08 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -107,12 +107,12 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
|| user2credits(r->avg * r->burst) < user2credits(r->avg)) {
pr_info("Overflow, try lower: %u/%u\n",
r->avg, r->burst);
- return false;
+ return -ERANGE;
}
priv = kmalloc(sizeof(*priv), GFP_KERNEL);
if (priv == NULL)
- return false;
+ return -ENOMEM;
/* For SMP, we only want to use one set of state. */
r->master = priv;
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 2861fac..d61f05d 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -52,7 +52,7 @@ static int quota_mt_check(const struct xt_mtchk_param *par)
q->master = kmalloc(sizeof(*q->master), GFP_KERNEL);
if (q->master == NULL)
- return false;
+ return -ENOMEM;
q->master->quota = q->quota;
return true;
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 3b5e3d6..9badfa6 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -78,6 +78,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
{
struct xt_rateest_match_info *info = par->matchinfo;
struct xt_rateest *est1, *est2;
+ int ret = false;
if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
XT_RATEEST_MATCH_REL)) != 1)
@@ -95,6 +96,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
goto err1;
}
+ ret = -ENOENT;
est1 = xt_rateest_lookup(info->name1);
if (!est1)
goto err1;
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 52042c8..99eb6b2 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -314,7 +314,7 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
struct proc_dir_entry *pde;
#endif
unsigned i;
- bool ret = false;
+ int ret = false;
if (unlikely(!hash_rnd_inited)) {
get_random_bytes(&hash_rnd, sizeof(hash_rnd));
@@ -355,8 +355,10 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size,
GFP_KERNEL);
- if (t == NULL)
+ if (t == NULL) {
+ ret = -ENOMEM;
goto out;
+ }
t->refcnt = 1;
strcpy(t->name, info->name);
INIT_LIST_HEAD(&t->lru_list);
@@ -367,6 +369,7 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
&recent_mt_fops, t);
if (pde == NULL) {
kfree(t);
+ ret = -ENOMEM;
goto out;
}
pde->uid = ip_list_uid;
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 8b15b13..e69375e 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -39,10 +39,13 @@ state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
static int state_mt_check(const struct xt_mtchk_param *par)
{
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ int ret;
+
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return false;
+ return ret;
}
return true;
}
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index a577ab0..c07e450 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -62,7 +62,7 @@ static int statistic_mt_check(const struct xt_mtchk_param *par)
info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
if (info->master == NULL)
- return false;
+ return -ENOMEM;
info->master->count = info->u.nth.count;
return true;
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 7d14121..fa7d066 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -63,7 +63,7 @@ static int string_mt_check(const struct xt_mtchk_param *par)
ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
GFP_KERNEL, flags);
if (IS_ERR(ts_conf))
- return false;
+ return PTR_ERR(ts_conf);
conf->config = ts_conf;
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index db74f4f..c5a30b3 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -225,7 +225,7 @@ static int time_mt_check(const struct xt_mtchk_param *par)
info->daytime_stop > XT_TIME_MAX_DAYTIME) {
pr_info("invalid argument - start or "
"stop time greater than 23:59:59\n");
- return false;
+ return -EDOM;
}
return true;
--
1.7.0.2
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH 8/9] netfilter: xtables: use only error codes for checkentry
2010-03-22 19:17 nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
` (6 preceding siblings ...)
2010-03-22 19:18 ` [PATCH 7/9] netfilter: xtables: slightly better error reporting (2/2) Jan Engelhardt
@ 2010-03-22 19:18 ` Jan Engelhardt
2010-03-22 19:18 ` [PATCH 9/9] netfilter: xtables: shorten up return clause Jan Engelhardt
2010-03-23 16:35 ` nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
9 siblings, 0 replies; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-22 19:18 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Convert the return true/false to integer codes.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/bridge/netfilter/ebt_802_3.c | 4 ++--
net/bridge/netfilter/ebt_among.c | 8 ++++----
net/bridge/netfilter/ebt_arp.c | 6 +++---
net/bridge/netfilter/ebt_arpreply.c | 6 +++---
net/bridge/netfilter/ebt_dnat.c | 8 ++++----
net/bridge/netfilter/ebt_ip.c | 14 +++++++-------
net/bridge/netfilter/ebt_ip6.c | 14 +++++++-------
net/bridge/netfilter/ebt_limit.c | 4 ++--
net/bridge/netfilter/ebt_log.c | 6 +++---
net/bridge/netfilter/ebt_mark.c | 8 ++++----
net/bridge/netfilter/ebt_mark_m.c | 8 ++++----
net/bridge/netfilter/ebt_nflog.c | 4 ++--
net/bridge/netfilter/ebt_pkttype.c | 4 ++--
net/bridge/netfilter/ebt_redirect.c | 8 ++++----
net/bridge/netfilter/ebt_snat.c | 8 ++++----
net/bridge/netfilter/ebt_stp.c | 6 +++---
net/bridge/netfilter/ebt_ulog.c | 4 ++--
net/bridge/netfilter/ebt_vlan.c | 14 +++++++-------
net/ipv4/netfilter/ipt_CLUSTERIP.c | 10 +++++-----
net/ipv4/netfilter/ipt_ECN.c | 8 ++++----
net/ipv4/netfilter/ipt_LOG.c | 4 ++--
net/ipv4/netfilter/ipt_MASQUERADE.c | 6 +++---
net/ipv4/netfilter/ipt_NETMAP.c | 6 +++---
net/ipv4/netfilter/ipt_REDIRECT.c | 6 +++---
net/ipv4/netfilter/ipt_REJECT.c | 6 +++---
net/ipv4/netfilter/ipt_ULOG.c | 6 +++---
net/ipv4/netfilter/ipt_addrtype.c | 8 ++++----
net/ipv4/netfilter/ipt_ah.c | 4 ++--
net/ipv4/netfilter/ipt_ecn.c | 8 ++++----
net/ipv6/netfilter/ip6t_LOG.c | 6 +++---
net/ipv6/netfilter/ip6t_REJECT.c | 6 +++---
net/ipv6/netfilter/ip6t_ah.c | 4 ++--
net/ipv6/netfilter/ip6t_frag.c | 4 ++--
net/ipv6/netfilter/ip6t_hbh.c | 6 +++---
| 4 ++--
net/ipv6/netfilter/ip6t_mh.c | 2 +-
net/ipv6/netfilter/ip6t_rt.c | 6 +++---
net/netfilter/x_tables.c | 10 ++++++----
net/netfilter/xt_CONNSECMARK.c | 4 ++--
net/netfilter/xt_CT.c | 4 ++--
net/netfilter/xt_DSCP.c | 2 +-
net/netfilter/xt_HL.c | 8 ++++----
net/netfilter/xt_LED.c | 4 ++--
net/netfilter/xt_NFLOG.c | 6 +++---
net/netfilter/xt_NFQUEUE.c | 4 ++--
net/netfilter/xt_RATEEST.c | 7 +++----
net/netfilter/xt_SECMARK.c | 10 +++++-----
net/netfilter/xt_TCPMSS.c | 12 ++++++------
net/netfilter/xt_TPROXY.c | 4 ++--
net/netfilter/xt_cluster.c | 4 ++--
net/netfilter/xt_connbytes.c | 6 +++---
net/netfilter/xt_connlimit.c | 2 +-
net/netfilter/xt_connmark.c | 4 ++--
net/netfilter/xt_conntrack.c | 2 +-
net/netfilter/xt_dscp.c | 2 +-
net/netfilter/xt_esp.c | 4 ++--
net/netfilter/xt_hashlimit.c | 20 ++++++++++----------
net/netfilter/xt_helper.c | 2 +-
net/netfilter/xt_limit.c | 2 +-
net/netfilter/xt_physdev.c | 6 +++---
net/netfilter/xt_policy.c | 10 +++++-----
net/netfilter/xt_quota.c | 4 ++--
net/netfilter/xt_rateest.c | 6 +++---
net/netfilter/xt_recent.c | 17 ++++++++---------
net/netfilter/xt_state.c | 2 +-
net/netfilter/xt_statistic.c | 4 ++--
net/netfilter/xt_string.c | 11 +++++------
net/netfilter/xt_time.c | 2 +-
68 files changed, 214 insertions(+), 215 deletions(-)
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 7b6f4c4..f7de8db 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -41,9 +41,9 @@ static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
const struct ebt_802_3_info *info = par->matchinfo;
if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK)
- return false;
+ return -EINVAL;
- return true;
+ return 0;
}
static struct xt_match ebt_802_3_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 8a75d39..20068e0 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -190,17 +190,17 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par)
pr_info("wrong size: %d against expected %d, rounded to %Zd\n",
em->match_size, expected_length,
EBT_ALIGN(expected_length));
- return false;
+ return -EINVAL;
}
if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
pr_info("dst integrity fail: %x\n", -err);
- return false;
+ return -EINVAL;
}
if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
pr_info("src integrity fail: %x\n", -err);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_match ebt_among_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index fc62055..952150c 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -108,10 +108,10 @@ static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
if ((e->ethproto != htons(ETH_P_ARP) &&
e->ethproto != htons(ETH_P_RARP)) ||
e->invflags & EBT_IPROTO)
- return false;
+ return -EINVAL;
if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_match ebt_arp_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index 2491564..4581adb 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -63,11 +63,11 @@ static int ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
const struct ebt_entry *e = par->entryinfo;
if (BASE_CHAIN && info->target == EBT_RETURN)
- return false;
+ return -EINVAL;
if (e->ethproto != htons(ETH_P_ARP) ||
e->invflags & EBT_IPROTO)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_target ebt_arpreply_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 5fddebe..59d5b7c 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -32,7 +32,7 @@ static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
unsigned int hook_mask;
if (BASE_CHAIN && info->target == EBT_RETURN)
- return false;
+ return -EINVAL;
hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
if ((strcmp(par->table, "nat") != 0 ||
@@ -40,10 +40,10 @@ static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
(1 << NF_BR_LOCAL_OUT)))) &&
(strcmp(par->table, "broute") != 0 ||
hook_mask & ~(1 << NF_BR_BROUTING)))
- return false;
+ return -EINVAL;
if (INVALID_TARGET)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_target ebt_dnat_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index d1a555d..a1c76c7 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -84,24 +84,24 @@ static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
if (e->ethproto != htons(ETH_P_IP) ||
e->invflags & EBT_IPROTO)
- return false;
+ return -EINVAL;
if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
- return false;
+ return -EINVAL;
if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
if (info->invflags & EBT_IP_PROTO)
- return false;
+ return -EINVAL;
if (info->protocol != IPPROTO_TCP &&
info->protocol != IPPROTO_UDP &&
info->protocol != IPPROTO_UDPLITE &&
info->protocol != IPPROTO_SCTP &&
info->protocol != IPPROTO_DCCP)
- return false;
+ return -EINVAL;
}
if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
- return false;
+ return -EINVAL;
if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_match ebt_ip_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index fa4ecf5..33f8413 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -86,24 +86,24 @@ static int ebt_ip6_mt_check(const struct xt_mtchk_param *par)
struct ebt_ip6_info *info = par->matchinfo;
if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO)
- return false;
+ return -EINVAL;
if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK)
- return false;
+ return -EINVAL;
if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) {
if (info->invflags & EBT_IP6_PROTO)
- return false;
+ return -EINVAL;
if (info->protocol != IPPROTO_TCP &&
info->protocol != IPPROTO_UDP &&
info->protocol != IPPROTO_UDPLITE &&
info->protocol != IPPROTO_SCTP &&
info->protocol != IPPROTO_DCCP)
- return false;
+ return -EINVAL;
}
if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1])
- return false;
+ return -EINVAL;
if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1])
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_match ebt_ip6_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index abfb0ec..21d1a89 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -74,7 +74,7 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
user2credits(info->avg * info->burst) < user2credits(info->avg)) {
pr_info("overflow, try lower: %u/%u\n",
info->avg, info->burst);
- return false;
+ return -ERANGE;
}
/* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */
@@ -82,7 +82,7 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
info->credit = user2credits(info->avg * info->burst);
info->credit_cap = user2credits(info->avg * info->burst);
info->cost = user2credits(info->avg);
- return true;
+ return 0;
}
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index a0aeac6..2ba36f2 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -29,11 +29,11 @@ static int ebt_log_tg_check(const struct xt_tgchk_param *par)
struct ebt_log_info *info = par->targinfo;
if (info->bitmask & ~EBT_LOG_MASK)
- return false;
+ return -EINVAL;
if (info->loglevel >= 8)
- return false;
+ return -EDOM;
info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0';
- return true;
+ return 0;
}
struct tcpudphdr
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index dd94daf..126e536 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -43,14 +43,14 @@ static int ebt_mark_tg_check(const struct xt_tgchk_param *par)
tmp = info->target | ~EBT_VERDICT_BITS;
if (BASE_CHAIN && tmp == EBT_RETURN)
- return false;
+ return -EINVAL;
if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
- return false;
+ return -EINVAL;
tmp = info->target & ~EBT_VERDICT_BITS;
if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE &&
tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
#ifdef CONFIG_COMPAT
struct compat_ebt_mark_t_info {
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index 1e5b0b3..e4366c0 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -27,12 +27,12 @@ static int ebt_mark_mt_check(const struct xt_mtchk_param *par)
const struct ebt_mark_m_info *info = par->matchinfo;
if (info->bitmask & ~EBT_MARK_MASK)
- return false;
+ return -EINVAL;
if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND))
- return false;
+ return -EINVAL;
if (!info->bitmask)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
index 1f2b7bb..22e2ad5 100644
--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -40,9 +40,9 @@ static int ebt_nflog_tg_check(const struct xt_tgchk_param *par)
struct ebt_nflog_info *info = par->targinfo;
if (info->flags & ~EBT_NFLOG_MASK)
- return false;
+ return -EINVAL;
info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
- return true;
+ return 0;
}
static struct xt_target ebt_nflog_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index 9b3c645..f34bcc3 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -25,9 +25,9 @@ static int ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
const struct ebt_pkttype_info *info = par->matchinfo;
if (info->invert != 0 && info->invert != 1)
- return false;
+ return -EINVAL;
/* Allow any pkt_type value */
- return true;
+ return 0;
}
static struct xt_match ebt_pkttype_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index 73c4d3a..a6044a6 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -38,17 +38,17 @@ static int ebt_redirect_tg_check(const struct xt_tgchk_param *par)
unsigned int hook_mask;
if (BASE_CHAIN && info->target == EBT_RETURN)
- return false;
+ return -EINVAL;
hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
if ((strcmp(par->table, "nat") != 0 ||
hook_mask & ~(1 << NF_BR_PRE_ROUTING)) &&
(strcmp(par->table, "broute") != 0 ||
hook_mask & ~(1 << NF_BR_BROUTING)))
- return false;
+ return -EINVAL;
if (INVALID_TARGET)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_target ebt_redirect_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 94bcecd..79caca3 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -49,14 +49,14 @@ static int ebt_snat_tg_check(const struct xt_tgchk_param *par)
tmp = info->target | ~EBT_VERDICT_BITS;
if (BASE_CHAIN && tmp == EBT_RETURN)
- return false;
+ return -EINVAL;
if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
- return false;
+ return -EINVAL;
tmp = info->target | EBT_VERDICT_BITS;
if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_target ebt_snat_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 521186f..02f28fd 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -162,13 +162,13 @@ static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
!(info->bitmask & EBT_STP_MASK))
- return false;
+ return -EINVAL;
/* Make sure the match only receives stp frames */
if (compare_ether_addr(e->destmac, bridge_ula) ||
compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
- return false;
+ return -EINVAL;
- return true;
+ return 0;
}
static struct xt_match ebt_stp_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 482674e..5d873b2 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -261,14 +261,14 @@ static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
struct ebt_ulog_info *uloginfo = par->targinfo;
if (uloginfo->nlgroup > 31)
- return false;
+ return -EINVAL;
uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0';
if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
- return true;
+ return 0;
}
static struct xt_target ebt_ulog_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index 04a9575..bf8ae5c 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -88,7 +88,7 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
if (e->ethproto != htons(ETH_P_8021Q)) {
pr_debug("passed entry proto %2.4X is not 802.1Q (8100)\n",
ntohs(e->ethproto));
- return false;
+ return -EINVAL;
}
/* Check for bitmask range
@@ -96,14 +96,14 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
if (info->bitmask & ~EBT_VLAN_MASK) {
pr_debug("bitmask %2X is out of mask (%2X)\n",
info->bitmask, EBT_VLAN_MASK);
- return false;
+ return -EINVAL;
}
/* Check for inversion flags range */
if (info->invflags & ~EBT_VLAN_MASK) {
pr_debug("inversion flags %2X is out of mask (%2X)\n",
info->invflags, EBT_VLAN_MASK);
- return false;
+ return -EINVAL;
}
/* Reserved VLAN ID (VID) values
@@ -117,7 +117,7 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
if (info->id > VLAN_GROUP_ARRAY_LEN) {
pr_debug("id %d is out of range (1-4096)\n",
info->id);
- return false;
+ return -EINVAL;
}
/* Note: This is valid VLAN-tagged frame point.
* Any value of user_priority are acceptable,
@@ -132,7 +132,7 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
if ((unsigned char) info->prio > 7) {
pr_debug("prio %d is out of range (0-7)\n",
info->prio);
- return false;
+ return -EINVAL;
}
}
/* Check for encapsulated proto range - it is possible to be
@@ -142,11 +142,11 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) {
pr_debug("encap frame length %d is less than "
"minimal\n", ntohs(info->encap));
- return false;
+ return -EINVAL;
}
}
- return true;
+ return 0;
}
static struct xt_match ebt_vlan_mt_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index e29e8e5..8bd4714 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -359,13 +359,13 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
pr_info("unknown mode %u\n", cipinfo->hash_mode);
- return false;
+ return -EINVAL;
}
if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
e->ip.dst.s_addr == 0) {
pr_info("Please specify destination IP\n");
- return false;
+ return -EINVAL;
}
/* FIXME: further sanity checks */
@@ -375,13 +375,13 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
pr_info("no config found for %pI4, need 'new'\n",
&e->ip.dst.s_addr);
- return false;
+ return -EINVAL;
} else {
struct net_device *dev;
if (e->ip.iniface[0] == '\0') {
pr_info("Please specify an interface name\n");
- return false;
+ return -EINVAL;
}
dev = dev_get_by_name(&init_net, e->ip.iniface);
@@ -410,7 +410,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
return ret;
}
- return true;
+ return 0;
}
/* drop reference count of cluster config when rule is deleted */
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 9d96500..563049f 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -100,18 +100,18 @@ static int ecn_tg_check(const struct xt_tgchk_param *par)
if (einfo->operation & IPT_ECN_OP_MASK) {
pr_info("unsupported ECN operation %x\n", einfo->operation);
- return false;
+ return -EINVAL;
}
if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect);
- return false;
+ return -EINVAL;
}
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
(e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
pr_info("cannot use TCP operations on a non-tcp rule\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_target ecn_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 33213d6..e9dbd8a 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -449,9 +449,9 @@ static int log_tg_check(const struct xt_tgchk_param *par)
}
if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
pr_debug("prefix is not null-terminated\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_target log_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 5a182f6..02b1bc4 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -34,13 +34,13 @@ static int masquerade_tg_check(const struct xt_tgchk_param *par)
if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
pr_debug("bad MAP_IPS.\n");
- return false;
+ return -EINVAL;
}
if (mr->rangesize != 1) {
pr_debug("bad rangesize %u\n", mr->rangesize);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static unsigned int
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index cbfe5f7..708c7f8 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -28,13 +28,13 @@ static int netmap_tg_check(const struct xt_tgchk_param *par)
if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) {
pr_debug("bad MAP_IPS.\n");
- return false;
+ return -EINVAL;
}
if (mr->rangesize != 1) {
pr_debug("bad rangesize %u.\n", mr->rangesize);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static unsigned int
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index f8daec2..3cf1019 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -32,13 +32,13 @@ static int redirect_tg_check(const struct xt_tgchk_param *par)
if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
pr_debug("bad MAP_IPS.\n");
- return false;
+ return -EINVAL;
}
if (mr->rangesize != 1) {
pr_debug("bad rangesize %u.\n", mr->rangesize);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static unsigned int
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index cf76f1b..b026014 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -181,16 +181,16 @@ static int reject_tg_check(const struct xt_tgchk_param *par)
if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
pr_info("ECHOREPLY no longer supported.\n");
- return false;
+ return -EINVAL;
} else if (rejinfo->with == IPT_TCP_RESET) {
/* Must specify that it's a TCP packet */
if (e->ip.proto != IPPROTO_TCP ||
(e->ip.invflags & XT_INV_PROTO)) {
pr_info("TCP_RESET invalid for non-tcp\n");
- return false;
+ return -EINVAL;
}
}
- return true;
+ return 0;
}
static struct xt_target reject_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 3836d29..7e3002e 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -318,14 +318,14 @@ static int ulog_tg_check(const struct xt_tgchk_param *par)
if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
pr_debug("prefix not null-terminated\n");
- return false;
+ return -EINVAL;
}
if (loginfo->qthreshold > ULOG_MAX_QLEN) {
pr_debug("queue threshold %Zu > MAX_QLEN\n",
loginfo->qthreshold);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
#ifdef CONFIG_COMPAT
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 81197f4..e4b8f2b 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -78,7 +78,7 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
pr_info("both incoming and outgoing "
"interface limitation cannot be selected\n");
- return false;
+ return -EINVAL;
}
if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
@@ -86,7 +86,7 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
pr_info("output interface limitation "
"not valid in PREROUTING and INPUT\n");
- return false;
+ return -EINVAL;
}
if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
@@ -94,10 +94,10 @@ static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
pr_info("input interface limitation "
"not valid in POSTROUTING and OUTPUT\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_match addrtype_mt_reg[] __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 667ded1..9f98102 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -62,9 +62,9 @@ static int ah_mt_check(const struct xt_mtchk_param *par)
/* Must specify no unknown invflags */
if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
pr_debug("unknown flags %X\n", ahinfo->invflags);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_match ah_mt_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index d1e234f..32e2410 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -91,18 +91,18 @@ static int ecn_mt_check(const struct xt_mtchk_param *par)
const struct ipt_ip *ip = par->entryinfo;
if (info->operation & IPT_ECN_OP_MATCH_MASK)
- return false;
+ return -EINVAL;
if (info->invert & IPT_ECN_OP_MATCH_MASK)
- return false;
+ return -EINVAL;
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
ip->proto != IPPROTO_TCP) {
pr_info("cannot match TCP bits in rule for non-tcp packets\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_match ecn_mt_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index bcc3fc1..64254aa 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -457,13 +457,13 @@ static int log_tg6_check(const struct xt_tgchk_param *par)
if (loginfo->level >= 8) {
pr_debug("level %u >= 8\n", loginfo->level);
- return false;
+ return -EDOM;
}
if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
pr_debug("prefix not null-terminated\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_target log_tg6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 8d5141e..55b9b2d 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -220,16 +220,16 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
pr_info("ECHOREPLY is not supported.\n");
- return false;
+ return -EINVAL;
} else if (rejinfo->with == IP6T_TCP_RESET) {
/* Must specify that it's a TCP packet */
if (e->ipv6.proto != IPPROTO_TCP ||
(e->ipv6.invflags & XT_INV_PROTO)) {
pr_info("TCP_RESET illegal for non-tcp\n");
- return false;
+ return -EINVAL;
}
}
- return true;
+ return 0;
}
static struct xt_target reject_tg6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index 3d57044..1580693 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -93,9 +93,9 @@ static int ah_mt6_check(const struct xt_mtchk_param *par)
if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
pr_debug("unknown flags %X\n", ahinfo->invflags);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_match ah_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index c2dba27..a5daf0f 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -108,9 +108,9 @@ static int frag_mt6_check(const struct xt_mtchk_param *par)
if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
pr_debug("unknown flags %X\n", fraginfo->invflags);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_match frag_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index 1b29431..5e6acda 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -170,15 +170,15 @@ static int hbh_mt6_check(const struct xt_mtchk_param *par)
if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
pr_debug("unknown flags %X\n", optsinfo->invflags);
- return false;
+ return -EINVAL;
}
if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
pr_debug("Not strict - not implemented");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_match hbh_mt6_reg[] __read_mostly = {
--git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 90e1e04..46fbabb 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -125,9 +125,9 @@ static int ipv6header_mt6_check(const struct xt_mtchk_param *par)
/* invflags is 0 or 0xff in hard mode */
if ((!info->modeflag) && info->invflags != 0x00 &&
info->invflags != 0xFF)
- return false;
+ return -EINVAL;
- return true;
+ return 0;
}
static struct xt_match ipv6header_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index d940804..c9f443e 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -67,7 +67,7 @@ static int mh_mt6_check(const struct xt_mtchk_param *par)
const struct ip6t_mh *mhinfo = par->matchinfo;
/* Must specify no unknown invflags */
- return !(mhinfo->invflags & ~IP6T_MH_INV_MASK);
+ return (mhinfo->invflags & ~IP6T_MH_INV_MASK) ? -EINVAL : 0;
}
static struct xt_match mh_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 76397f3..0932272 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -189,17 +189,17 @@ static int rt_mt6_check(const struct xt_mtchk_param *par)
if (rtinfo->invflags & ~IP6T_RT_INV_MASK) {
pr_debug("unknown flags %X\n", rtinfo->invflags);
- return false;
+ return -EINVAL;
}
if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) &&
(!(rtinfo->flags & IP6T_RT_TYP) ||
(rtinfo->rt_type != 0) ||
(rtinfo->invflags & IP6T_RT_INV_TYP))) {
pr_debug("`--rt-type 0' required before `--rt-0-*'");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_match rt_mt6_reg __read_mostly = {
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 6ead6e0..fd04b44 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -405,8 +405,9 @@ int xt_check_match(struct xt_mtchk_param *par,
ret = par->match->checkentry(par);
if (ret < 0)
return ret;
- else if (ret == 0)
- return -EINVAL;
+ else if (ret > 0)
+ /* Flag up potential errors. */
+ return -EIO;
}
return 0;
}
@@ -564,8 +565,9 @@ int xt_check_target(struct xt_tgchk_param *par,
ret = par->target->checkentry(par);
if (ret < 0)
return ret;
- else if (ret == false)
- return -EINVAL;
+ else if (ret > 0)
+ /* Flag up potential errors. */
+ return -EIO;
}
return 0;
}
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index d338d18..99e0b84 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -93,7 +93,7 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
strcmp(par->table, "security") != 0) {
pr_info("target only valid in the \'mangle\' "
"or \'security\' tables, not \'%s\'.\n", par->table);
- return false;
+ return -EINVAL;
}
switch (info->mode) {
@@ -112,7 +112,7 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
par->family);
return ret;
}
- return true;
+ return 0;
}
static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index da5b951..65dd348 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -63,7 +63,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
u8 proto;
if (info->flags & ~XT_CT_NOTRACK)
- return false;
+ return -EINVAL;
if (info->flags & XT_CT_NOTRACK) {
ct = &nf_conntrack_untracked;
@@ -115,7 +115,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
__set_bit(IPS_CONFIRMED_BIT, &ct->status);
out:
info->ct = ct;
- return true;
+ return 0;
err3:
nf_conntrack_free(ct);
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 0c9aae6..969634f 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -68,7 +68,7 @@ static int dscp_tg_check(const struct xt_tgchk_param *par)
pr_info("dscp %x out of range\n", info->dscp);
return -EDOM;
}
- return true;
+ return 0;
}
static unsigned int
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 22ed2dc..df1f314 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -110,8 +110,8 @@ static int ttl_tg_check(const struct xt_tgchk_param *par)
return -EDOM;
}
if (info->mode != IPT_TTL_SET && info->ttl == 0)
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static int hl_tg6_check(const struct xt_tgchk_param *par)
@@ -125,9 +125,9 @@ static int hl_tg6_check(const struct xt_tgchk_param *par)
if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
pr_info("increment/decrement does not "
"make sense with value 0\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_target hl_tg_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 899da12..656531e 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -88,7 +88,7 @@ static int led_tg_check(const struct xt_tgchk_param *par)
if (ledinfo->id[0] == '\0') {
pr_info("No 'id' parameter given.\n");
- return false;
+ return -EINVAL;
}
ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
@@ -112,7 +112,7 @@ static int led_tg_check(const struct xt_tgchk_param *par)
(unsigned long)ledinfo);
ledinfo->internal_data = ledinternal;
- return true;
+ return 0;
}
static void led_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index 13e6c00..42dd874 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -42,10 +42,10 @@ static int nflog_tg_check(const struct xt_tgchk_param *par)
const struct xt_nflog_info *info = par->targinfo;
if (info->flags & ~XT_NFLOG_MASK)
- return false;
+ return -EINVAL;
if (info->prefix[sizeof(info->prefix) - 1] != '\0')
- return false;
- return true;
+ return -EINVAL;
+ return 0;
}
static struct xt_target nflog_tg_reg __read_mostly = {
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 143f0e0..a3f05a6 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -92,7 +92,7 @@ static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
}
if (info->queues_total == 0) {
pr_err("NFQUEUE: number of total queues is 0\n");
- return false;
+ return -EINVAL;
}
maxid = info->queues_total - 1 + info->queuenum;
if (maxid > 0xffff) {
@@ -100,7 +100,7 @@ static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
info->queues_total, maxid);
return -EDOM;
}
- return true;
+ return 0;
}
static struct xt_target nfqueue_tg_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 3c5d1c9..40751c6 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -110,10 +110,10 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
(info->interval != est->params.interval ||
info->ewma_log != est->params.ewma_log)) {
xt_rateest_put(est);
- return false;
+ return -EINVAL;
}
info->est = est;
- return true;
+ return 0;
}
ret = -ENOMEM;
@@ -139,8 +139,7 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
info->est = est;
xt_rateest_hash_insert(est);
-
- return true;
+ return 0;
err2:
kfree(est);
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 6525eee..836d126 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -77,7 +77,7 @@ static int checkentry_selinux(struct xt_secmark_target_info *info)
}
selinux_secmark_refcount_inc();
- return true;
+ return 0;
}
static int secmark_tg_check(const struct xt_tgchk_param *par)
@@ -89,19 +89,19 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
strcmp(par->table, "security") != 0) {
pr_info("target only valid in the \'mangle\' "
"or \'security\' tables, not \'%s\'.\n", par->table);
- return false;
+ return -EINVAL;
}
if (mode && mode != info->mode) {
pr_info("mode already set to %hu cannot mix with "
"rules for mode %hu\n", mode, info->mode);
- return false;
+ return -EINVAL;
}
switch (info->mode) {
case SECMARK_MODE_SEL:
err = checkentry_selinux(info);
- if (err <= 0)
+ if (err < 0)
return err;
break;
@@ -112,7 +112,7 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
if (!mode)
mode = info->mode;
- return true;
+ return 0;
}
static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 70288dc..385677b 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -246,13 +246,13 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
(1 << NF_INET_POST_ROUTING))) != 0) {
pr_info("path-MTU clamping only supported in "
"FORWARD, OUTPUT and POSTROUTING hooks\n");
- return false;
+ return -EINVAL;
}
xt_ematch_foreach(ematch, e)
if (find_syn_match(ematch))
- return true;
+ return 0;
pr_info("Only works on TCP SYN packets\n");
- return false;
+ return -EINVAL;
}
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
@@ -268,13 +268,13 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
(1 << NF_INET_POST_ROUTING))) != 0) {
pr_info("path-MTU clamping only supported in "
"FORWARD, OUTPUT and POSTROUTING hooks\n");
- return false;
+ return -EINVAL;
}
xt_ematch_foreach(ematch, e)
if (find_syn_match(ematch))
- return true;
+ return 0;
pr_info("Only works on TCP SYN packets\n");
- return false;
+ return -EINVAL;
}
#endif
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 189df9a..4f246dd 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -65,11 +65,11 @@ static int tproxy_tg_check(const struct xt_tgchk_param *par)
if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
&& !(i->invflags & IPT_INV_PROTO))
- return true;
+ return 0;
pr_info("Can be used only in combination with "
"either -p tcp or -p udp\n");
- return false;
+ return -EINVAL;
}
static struct xt_target tproxy_tg_reg __read_mostly = {
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 0c8a653..6c941e1 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -140,14 +140,14 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
pr_info("you have exceeded the maximum "
"number of cluster nodes (%u > %u)\n",
info->total_nodes, XT_CLUSTER_NODES_MAX);
- return false;
+ return -EINVAL;
}
if (info->node_mask >= (1ULL << info->total_nodes)) {
pr_info("this node mask cannot be "
"higher than the total number of nodes\n");
return -EDOM;
}
- return true;
+ return 0;
}
static struct xt_match xt_cluster_match __read_mostly = {
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index d50a53e..2ff332e 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -101,12 +101,12 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
if (sinfo->what != XT_CONNBYTES_PKTS &&
sinfo->what != XT_CONNBYTES_BYTES &&
sinfo->what != XT_CONNBYTES_AVGPKT)
- return false;
+ return -EINVAL;
if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL &&
sinfo->direction != XT_CONNBYTES_DIR_REPLY &&
sinfo->direction != XT_CONNBYTES_DIR_BOTH)
- return false;
+ return -EINVAL;
ret = nf_ct_l3proto_try_module_get(par->family);
if (ret < 0) {
@@ -115,7 +115,7 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
return ret;
}
- return true;
+ return 0;
}
static void connbytes_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index f8d92aa..370088e 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -244,7 +244,7 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i)
INIT_LIST_HEAD(&info->data->iphash[i]);
- return true;
+ return 0;
}
static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 1ffbafb..71e38a1 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -84,7 +84,7 @@ static int connmark_tg_check(const struct xt_tgchk_param *par)
par->family);
return ret;
}
- return true;
+ return 0;
}
static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
@@ -116,7 +116,7 @@ static int connmark_mt_check(const struct xt_mtchk_param *par)
par->family);
return ret;
}
- return true;
+ return 0;
}
static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 59d2589..e0bcf8d 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -216,7 +216,7 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
par->family);
return ret;
}
- return true;
+ return 0;
}
static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 97331ac..9db51fd 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -51,7 +51,7 @@ static int dscp_mt_check(const struct xt_mtchk_param *par)
return -EDOM;
}
- return true;
+ return 0;
}
static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 9f5da97..143bfdc 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -66,10 +66,10 @@ static int esp_mt_check(const struct xt_mtchk_param *par)
if (espinfo->invflags & ~XT_ESP_INV_MASK) {
pr_debug("unknown flags %X\n", espinfo->invflags);
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_match esp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index e769fc6..c89fde7 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -689,13 +689,13 @@ static int hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
XT_HASHLIMIT_HASH_DIP |
XT_HASHLIMIT_HASH_SIP |
XT_HASHLIMIT_HASH_SPT))
- return false;
+ return -EINVAL;
if (!r->cfg.gc_interval)
- return false;
+ return -EINVAL;
if (!r->cfg.expire)
- return false;
+ return -EINVAL;
if (r->name[sizeof(r->name) - 1] != '\0')
- return false;
+ return -EINVAL;
mutex_lock(&hashlimit_mutex);
r->hinfo = htable_find_get(net, r->name, par->family);
@@ -707,7 +707,7 @@ static int hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
}
}
mutex_unlock(&hashlimit_mutex);
- return true;
+ return 0;
}
static int hashlimit_mt_check(const struct xt_mtchk_param *par)
@@ -725,15 +725,15 @@ static int hashlimit_mt_check(const struct xt_mtchk_param *par)
return -ERANGE;
}
if (info->cfg.gc_interval == 0 || info->cfg.expire == 0)
- return false;
+ return -EINVAL;
if (info->name[sizeof(info->name)-1] != '\0')
- return false;
+ return -EINVAL;
if (par->family == NFPROTO_IPV4) {
if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32)
- return false;
+ return -EINVAL;
} else {
if (info->cfg.srcmask > 128 || info->cfg.dstmask > 128)
- return false;
+ return -EINVAL;
}
mutex_lock(&hashlimit_mutex);
@@ -746,7 +746,7 @@ static int hashlimit_mt_check(const struct xt_mtchk_param *par)
}
}
mutex_unlock(&hashlimit_mutex);
- return true;
+ return 0;
}
static void
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 2b3671a..b8b3e13 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -66,7 +66,7 @@ static int helper_mt_check(const struct xt_mtchk_param *par)
return ret;
}
info->name[29] = '\0';
- return true;
+ return 0;
}
static void helper_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index de99e08..e2a284e 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -124,7 +124,7 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */
r->cost = user2credits(r->avg);
}
- return true;
+ return 0;
}
static void limit_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 850e412..d0bdf3d 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -89,7 +89,7 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
info->bitmask & ~XT_PHYSDEV_OP_MASK)
- return false;
+ return -EINVAL;
if (info->bitmask & XT_PHYSDEV_OP_OUT &&
(!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
info->invert & XT_PHYSDEV_OP_BRIDGED) &&
@@ -99,9 +99,9 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
"POSTROUTING chains for non-bridged traffic is not "
"supported anymore.\n");
if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_match physdev_mt_reg __read_mostly = {
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index c9965b6..1fa239c 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -134,23 +134,23 @@ static int policy_mt_check(const struct xt_mtchk_param *par)
if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
pr_info("neither incoming nor outgoing policy selected\n");
- return false;
+ return -EINVAL;
}
if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
pr_info("output policy not valid in PREROUTING and INPUT\n");
- return false;
+ return -EINVAL;
}
if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
pr_info("input policy not valid in POSTROUTING and OUTPUT\n");
- return false;
+ return -EINVAL;
}
if (info->len > XT_POLICY_MAX_ELEM) {
pr_info("too many policy elements\n");
- return false;
+ return -EINVAL;
}
- return true;
+ return 0;
}
static struct xt_match policy_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index d61f05d..3e5cbd8 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -48,14 +48,14 @@ static int quota_mt_check(const struct xt_mtchk_param *par)
struct xt_quota_info *q = par->matchinfo;
if (q->flags & ~XT_QUOTA_MASK)
- return false;
+ return -EINVAL;
q->master = kmalloc(sizeof(*q->master), GFP_KERNEL);
if (q->master == NULL)
return -ENOMEM;
q->master->quota = q->quota;
- return true;
+ return 0;
}
static void quota_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 9badfa6..0504755 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -78,7 +78,7 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
{
struct xt_rateest_match_info *info = par->matchinfo;
struct xt_rateest *est1, *est2;
- int ret = false;
+ int ret = 0;
if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
XT_RATEEST_MATCH_REL)) != 1)
@@ -111,12 +111,12 @@ static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
info->est1 = est1;
info->est2 = est2;
- return true;
+ return 0;
err2:
xt_rateest_put(est1);
err1:
- return false;
+ return ret;
}
static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 99eb6b2..bb38d75 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -314,7 +314,7 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
struct proc_dir_entry *pde;
#endif
unsigned i;
- int ret = false;
+ int ret = 0;
if (unlikely(!hash_rnd_inited)) {
get_random_bytes(&hash_rnd, sizeof(hash_rnd));
@@ -323,33 +323,33 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
if (info->check_set & ~XT_RECENT_VALID_FLAGS) {
pr_info("Unsupported user space flags (%08x)\n",
info->check_set);
- return false;
+ return -EINVAL;
}
if (hweight8(info->check_set &
(XT_RECENT_SET | XT_RECENT_REMOVE |
XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1)
- return false;
+ return -EINVAL;
if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) &&
(info->seconds || info->hit_count ||
(info->check_set & XT_RECENT_MODIFIERS)))
- return false;
+ return -EINVAL;
if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
- return false;
+ return -EINVAL;
if (info->hit_count > ip_pkt_list_tot) {
pr_info("hitcount (%u) is larger than "
"packets to be remembered (%u)\n",
info->hit_count, ip_pkt_list_tot);
- return false;
+ return -EINVAL;
}
if (info->name[0] == '\0' ||
strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
- return false;
+ return -EINVAL;
mutex_lock(&recent_mutex);
t = recent_table_lookup(recent_net, info->name);
if (t != NULL) {
t->refcnt++;
- ret = true;
+ ret = 0;
goto out;
}
@@ -378,7 +378,6 @@ static int recent_mt_check(const struct xt_mtchk_param *par)
spin_lock_bh(&recent_lock);
list_add_tail(&t->list, &recent_net->tables);
spin_unlock_bh(&recent_lock);
- ret = true;
out:
mutex_unlock(&recent_mutex);
return ret;
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index e69375e..2b75230 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -47,7 +47,7 @@ static int state_mt_check(const struct xt_mtchk_param *par)
par->family);
return ret;
}
- return true;
+ return 0;
}
static void state_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index c07e450..8ed2b29 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -58,14 +58,14 @@ static int statistic_mt_check(const struct xt_mtchk_param *par)
if (info->mode > XT_STATISTIC_MODE_MAX ||
info->flags & ~XT_STATISTIC_MASK)
- return false;
+ return -EINVAL;
info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
if (info->master == NULL)
return -ENOMEM;
info->master->count = info->u.nth.count;
- return true;
+ return 0;
}
static void statistic_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index fa7d066..b0f8292 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -48,15 +48,15 @@ static int string_mt_check(const struct xt_mtchk_param *par)
/* Damn, can't handle this case properly with iptables... */
if (conf->from_offset > conf->to_offset)
- return false;
+ return -EINVAL;
if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0')
- return false;
+ return -EINVAL;
if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
- return false;
+ return -EINVAL;
if (par->match->revision == 1) {
if (conf->u.v1.flags &
~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT))
- return false;
+ return -EINVAL;
if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
flags |= TS_IGNORECASE;
}
@@ -66,8 +66,7 @@ static int string_mt_check(const struct xt_mtchk_param *par)
return PTR_ERR(ts_conf);
conf->config = ts_conf;
-
- return true;
+ return 0;
}
static void string_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index c5a30b3..d8556fd 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -228,7 +228,7 @@ static int time_mt_check(const struct xt_mtchk_param *par)
return -EDOM;
}
- return true;
+ return 0;
}
static struct xt_match xt_time_mt_reg __read_mostly = {
--
1.7.0.2
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [PATCH 9/9] netfilter: xtables: shorten up return clause
2010-03-22 19:17 nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
` (7 preceding siblings ...)
2010-03-22 19:18 ` [PATCH 8/9] netfilter: xtables: use only error codes for checkentry Jan Engelhardt
@ 2010-03-22 19:18 ` Jan Engelhardt
2010-03-23 16:35 ` nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
9 siblings, 0 replies; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-22 19:18 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
The return value of nf_ct_l3proto_get can directly be returned even in
the case of success.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 7 ++-----
net/netfilter/xt_CONNSECMARK.c | 6 ++----
net/netfilter/xt_connbytes.c | 7 ++-----
net/netfilter/xt_connmark.c | 12 ++++--------
net/netfilter/xt_conntrack.c | 6 ++----
net/netfilter/xt_state.c | 6 ++----
6 files changed, 14 insertions(+), 30 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 8bd4714..e6dccbf 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -404,13 +404,10 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
cipinfo->config = config;
ret = nf_ct_l3proto_try_module_get(par->family);
- if (ret < 0) {
+ if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return ret;
- }
-
- return 0;
+ return ret;
}
/* drop reference count of cluster config when rule is deleted */
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 99e0b84..cf1a835 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -107,12 +107,10 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
}
ret = nf_ct_l3proto_try_module_get(par->family);
- if (ret < 0) {
+ if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return ret;
- }
- return 0;
+ return ret;
}
static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 2ff332e..ff738a5 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -109,13 +109,10 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
return -EINVAL;
ret = nf_ct_l3proto_try_module_get(par->family);
- if (ret < 0) {
+ if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return ret;
- }
-
- return 0;
+ return ret;
}
static void connbytes_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 71e38a1..ae10154 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -79,12 +79,10 @@ static int connmark_tg_check(const struct xt_tgchk_param *par)
int ret;
ret = nf_ct_l3proto_try_module_get(par->family);
- if (ret < 0) {
+ if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return ret;
- }
- return 0;
+ return ret;
}
static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
@@ -111,12 +109,10 @@ static int connmark_mt_check(const struct xt_mtchk_param *par)
int ret;
ret = nf_ct_l3proto_try_module_get(par->family);
- if (ret < 0) {
+ if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return ret;
- }
- return 0;
+ return ret;
}
static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index e0bcf8d..3348706 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -211,12 +211,10 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
int ret;
ret = nf_ct_l3proto_try_module_get(par->family);
- if (ret < 0) {
+ if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return ret;
- }
- return 0;
+ return ret;
}
static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 2b75230..be00d7b 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -42,12 +42,10 @@ static int state_mt_check(const struct xt_mtchk_param *par)
int ret;
ret = nf_ct_l3proto_try_module_get(par->family);
- if (ret < 0) {
+ if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
- return ret;
- }
- return 0;
+ return ret;
}
static void state_mt_destroy(const struct xt_mtdtor_param *par)
--
1.7.0.2
^ permalink raw reply related [flat|nested] 23+ messages in thread
* Re: [PATCH 5/9] netfilter: xt_recent: allow changing ip_list_[ug]id at runtime
2010-03-22 19:18 ` [PATCH 5/9] netfilter: xt_recent: allow changing ip_list_[ug]id at runtime Jan Engelhardt
@ 2010-03-23 14:18 ` Patrick McHardy
2010-03-23 14:23 ` Jan Engelhardt
0 siblings, 1 reply; 23+ messages in thread
From: Patrick McHardy @ 2010-03-23 14:18 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
> ---
> net/netfilter/xt_recent.c | 8 ++++----
> 1 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
> index 72cbced..8530944 100644
> --- a/net/netfilter/xt_recent.c
> +++ b/net/netfilter/xt_recent.c
> @@ -51,14 +51,14 @@ module_param(ip_list_tot, uint, 0400);
> module_param(ip_pkt_list_tot, uint, 0400);
> module_param(ip_list_hash_size, uint, 0400);
> module_param(ip_list_perms, uint, 0400);
> -module_param(ip_list_uid, uint, 0400);
> -module_param(ip_list_gid, uint, 0400);
> +module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
> +module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
> MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
> MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)");
> MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
> MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
> -MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files");
> -MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files");
> +MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
> +MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
>
So what will be updating the permissions of the existing proc files?
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: [PATCH 5/9] netfilter: xt_recent: allow changing ip_list_[ug]id at runtime
2010-03-23 14:18 ` Patrick McHardy
@ 2010-03-23 14:23 ` Jan Engelhardt
2010-03-23 14:55 ` Patrick McHardy
0 siblings, 1 reply; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-23 14:23 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Tuesday 2010-03-23 15:18, Patrick McHardy wrote:
>> module_param(ip_list_perms, uint, 0400);
>> -module_param(ip_list_uid, uint, 0400);
>> -module_param(ip_list_gid, uint, 0400);
>> +module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
>> +module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
>> MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
>> MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)");
>> MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
>> MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
>> -MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files");
>> -MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files");
>> +MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
>> +MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
>
>So what will be updating the permissions of the existing proc files?
The administrator with the use of chmod/chown/chgrp.
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: [PATCH 3/9] netfilter: xtables: make use of xt_request_find_target
2010-03-22 19:17 ` [PATCH 3/9] netfilter: xtables: make use of xt_request_find_target Jan Engelhardt
@ 2010-03-23 14:24 ` Patrick McHardy
2010-03-23 14:27 ` Jan Engelhardt
0 siblings, 1 reply; 23+ messages in thread
From: Patrick McHardy @ 2010-03-23 14:24 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
> index f07d77f..0665e1b 100644
> --- a/net/ipv4/netfilter/arp_tables.c
> +++ b/net/ipv4/netfilter/arp_tables.c
> @@ -523,13 +523,11 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
> return ret;
>
> t = arpt_get_target(e);
> - target = try_then_request_module(xt_find_target(NFPROTO_ARP,
> - t->u.user.name,
> - t->u.user.revision),
> - "arpt_%s", t->u.user.name);
> - if (IS_ERR(target) || !target) {
> + target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
> + t->u.user.revision);
>
Indentation according to maintainers taste, please :)
> + if (IS_ERR(target)) {
> duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
> - ret = target ? PTR_ERR(target) : -ENOENT;
> + ret = PTR_ERR(target);
> goto out;
> }
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: [PATCH 4/9] netfilter: xtables: consolidate code into xt_request_find_match
2010-03-22 19:18 ` [PATCH 4/9] netfilter: xtables: consolidate code into xt_request_find_match Jan Engelhardt
@ 2010-03-23 14:27 ` Patrick McHardy
0 siblings, 0 replies; 23+ messages in thread
From: Patrick McHardy @ 2010-03-23 14:27 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> --- a/net/ipv4/netfilter/ip_tables.c
> +++ b/net/ipv4/netfilter/ip_tables.c
> @@ -629,12 +629,11 @@ find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
> struct xt_match *match;
> int ret;
>
> - match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
> - m->u.user.revision),
> - "ipt_%s", m->u.user.name);
> - if (IS_ERR(match) || !match) {
> + match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
> + m->u.user.revision);
>
Please fix indentation in this patch as well.
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: [PATCH 3/9] netfilter: xtables: make use of xt_request_find_target
2010-03-23 14:24 ` Patrick McHardy
@ 2010-03-23 14:27 ` Jan Engelhardt
0 siblings, 0 replies; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-23 14:27 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Tuesday 2010-03-23 15:24, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
>> index f07d77f..0665e1b 100644
>> --- a/net/ipv4/netfilter/arp_tables.c
>> +++ b/net/ipv4/netfilter/arp_tables.c
>> @@ -523,13 +523,11 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
>> return ret;
>>
>> t = arpt_get_target(e);
>> - target = try_then_request_module(xt_find_target(NFPROTO_ARP,
>> - t->u.user.name,
>> - t->u.user.revision),
>> - "arpt_%s", t->u.user.name);
>> - if (IS_ERR(target) || !target) {
>> + target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
>> + t->u.user.revision);
>
>Indentation according to maintainers taste, please :)
With sugar on top?
(SCNR)
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: [PATCH 7/9] netfilter: xtables: slightly better error reporting (2/2)
2010-03-22 19:18 ` [PATCH 7/9] netfilter: xtables: slightly better error reporting (2/2) Jan Engelhardt
@ 2010-03-23 14:44 ` Patrick McHardy
2010-03-23 15:00 ` Jan Engelhardt
0 siblings, 1 reply; 23+ messages in thread
From: Patrick McHardy @ 2010-03-23 14:44 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
> index c9ee5c4..33213d6 100644
> --- a/net/ipv4/netfilter/ipt_LOG.c
> +++ b/net/ipv4/netfilter/ipt_LOG.c
> @@ -445,7 +445,7 @@ static int log_tg_check(const struct xt_tgchk_param *par)
>
> if (loginfo->level >= 8) {
> pr_debug("level %u >= 8\n", loginfo->level);
> - return false;
> + return -EDOM;
>
Mhh is that really a "Math argument out of domain of func"? ERANGE seems
slightly
better fitting to me.
> }
> if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
> pr_debug("prefix is not null-terminated\n");
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index 4e84d8a..6ead6e0 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -363,6 +363,8 @@ static char *textify_hooks(char *buf, size_t size, unsigned int mask)
> int xt_check_match(struct xt_mtchk_param *par,
> unsigned int size, u_int8_t proto, bool inv_proto)
> {
> + int ret;
> +
> if (XT_ALIGN(par->match->matchsize) != size &&
> par->match->matchsize != -1) {
> /*
> @@ -399,8 +401,13 @@ int xt_check_match(struct xt_mtchk_param *par,
> par->match->proto);
> return -EINVAL;
> }
> - if (par->match->checkentry != NULL && !par->match->checkentry(par))
> - return -EINVAL;
> + if (par->match->checkentry != NULL) {
> + ret = par->match->checkentry(par);
> + if (ret < 0)
> + return ret;
> + else if (ret == 0)
> + return -EINVAL;
>
I'd suggest to do the true/false conversion before this patch. Currently I
don't understand the split of these patches, this one keeps lots of boolean
return values and initializations, but changes some.
> --- a/net/netfilter/xt_CONNSECMARK.c
> +++ b/net/netfilter/xt_CONNSECMARK.c
> @@ -87,6 +87,7 @@ connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
> static int connsecmark_tg_check(const struct xt_tgchk_param *par)
> {
> const struct xt_connsecmark_target_info *info = par->targinfo;
> + int ret;
>
> if (strcmp(par->table, "mangle") != 0 &&
> strcmp(par->table, "security") != 0) {
> @@ -102,13 +103,14 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
>
> default:
> pr_info("invalid mode: %hu\n", info->mode);
> - return false;
> + return -EDOM;
>
Actually EINVAL does seem like the best fit here.
>
> diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
> index 1a3e3dd..899da12 100644
> --- a/net/netfilter/xt_LED.c
> +++ b/net/netfilter/xt_LED.c
> @@ -93,7 +93,7 @@ static int led_tg_check(const struct xt_tgchk_param *par)
>
> ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
> if (!ledinternal)
> - return false;
> + return -ENOMEM;
>
> ledinternal->netfilter_led_trigger.name = ledinfo->id;
>
> @@ -102,7 +102,8 @@ static int led_tg_check(const struct xt_tgchk_param *par)
> pr_warning("led_trigger_register() failed\n");
> if (err == -EEXIST)
> pr_warning("Trigger name is already in use.\n");
> - goto exit_alloc;
> + kfree(ledinternal);
> + return err;
> }
>
> /* See if we need to set up a timer */
> @@ -111,13 +112,7 @@ static int led_tg_check(const struct xt_tgchk_param *par)
> (unsigned long)ledinfo);
>
> ledinfo->internal_data = ledinternal;
> -
> return true;
>
^^ return true? I'd also prefer to keep the goto-based error handling.
> -
> -exit_alloc:
> - kfree(ledinternal);
> -
> - return false;
> }
>
> diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
> index 48f8e4f..6525eee 100644
> --- a/net/netfilter/xt_SECMARK.c
> +++ b/net/netfilter/xt_SECMARK.c
> @@ -50,7 +50,7 @@ secmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
> return XT_CONTINUE;
> }
>
> -static bool checkentry_selinux(struct xt_secmark_target_info *info)
> +static int checkentry_selinux(struct xt_secmark_target_info *info)
> {
> int err;
> struct xt_secmark_target_selinux_info *sel = &info->u.sel;
> @@ -62,18 +62,18 @@ static bool checkentry_selinux(struct xt_secmark_target_info *info)
> if (err == -EINVAL)
> pr_info("invalid SELinux context \'%s\'\n",
> sel->selctx);
> - return false;
> + return err;
> }
>
> if (!sel->selsid) {
> pr_info("unable to map SELinux context \'%s\'\n", sel->selctx);
> - return false;
> + return -ENOENT;
> }
>
> err = selinux_secmark_relabel_packet_permission(sel->selsid);
> if (err) {
> pr_info("unable to obtain relabeling permission\n");
> - return false;
> + return err;
> }
>
> selinux_secmark_refcount_inc();
>
Missing conversion of "return true" at the end?
> @@ -83,6 +83,7 @@ static bool checkentry_selinux(struct xt_secmark_target_info *info)
> static int secmark_tg_check(const struct xt_tgchk_param *par)
> {
> struct xt_secmark_target_info *info = par->targinfo;
> + int err;
>
> if (strcmp(par->table, "mangle") != 0 &&
> strcmp(par->table, "security") != 0) {
> @@ -99,13 +100,14 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
>
> switch (info->mode) {
> case SECMARK_MODE_SEL:
> - if (!checkentry_selinux(info))
> - return false;
> + err = checkentry_selinux(info);
> + if (err <= 0)
>
<= ?
> + return err;
> break;
>
> default:
> pr_info("invalid mode: %hu\n", info->mode);
> - return false;
> + return -EDOM;
> }
>
> if (!mode)
>
I stopped here since I don't understand the logic this partial conversion
follows.
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: [PATCH 5/9] netfilter: xt_recent: allow changing ip_list_[ug]id at runtime
2010-03-23 14:23 ` Jan Engelhardt
@ 2010-03-23 14:55 ` Patrick McHardy
2010-03-23 15:06 ` Jan Engelhardt
0 siblings, 1 reply; 23+ messages in thread
From: Patrick McHardy @ 2010-03-23 14:55 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Tuesday 2010-03-23 15:18, Patrick McHardy wrote:
>
>>> module_param(ip_list_perms, uint, 0400);
>>> -module_param(ip_list_uid, uint, 0400);
>>> -module_param(ip_list_gid, uint, 0400);
>>> +module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
>>> +module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
>>> MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
>>> MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)");
>>> MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
>>> MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
>>> -MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files");
>>> -MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files");
>>> +MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
>>> +MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
>>>
>> So what will be updating the permissions of the existing proc files?
>>
>
> The administrator with the use of chmod/chown/chgrp.
>
I'm not sure whether this will have the desired effect. I vaguely recall
that
proc used to forget about permission changes. That might have been
fixed, but
I was unable to find something in the changelogs.
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: [PATCH 7/9] netfilter: xtables: slightly better error reporting (2/2)
2010-03-23 14:44 ` Patrick McHardy
@ 2010-03-23 15:00 ` Jan Engelhardt
2010-03-23 15:02 ` Patrick McHardy
0 siblings, 1 reply; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-23 15:00 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Tuesday 2010-03-23 15:44, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
>> index c9ee5c4..33213d6 100644
>> --- a/net/ipv4/netfilter/ipt_LOG.c
>> +++ b/net/ipv4/netfilter/ipt_LOG.c
>> @@ -445,7 +445,7 @@ static int log_tg_check(const struct xt_tgchk_param *par)
>>
>> if (loginfo->level >= 8) {
>> pr_debug("level %u >= 8\n", loginfo->level);
>> - return false;
>> + return -EDOM;
>>
>
>Mhh is that really a "Math argument out of domain of func"? ERANGE seems
>slightly
>better fitting to me.
I had to look up the difference too, but it's pretty obvious
(to me at least).
EDOM is for when a function is not defined at a point, such as log(0)
or divide(1.0, 0.0). Of course you could say "that's ±Inf", but that
infinity argument I'll leave to academia.
However, "2^63 * 4" for example is well-defined in maths, but
computers are the limiting factor, hence ERANGE is appropriate in
this case.
>> {
>> + int ret;
>> +
>> if (XT_ALIGN(par->match->matchsize) != size &&
>> par->match->matchsize != -1) {
>> /*
>> @@ -399,8 +401,13 @@ int xt_check_match(struct xt_mtchk_param *par,
>> par->match->proto);
>> return -EINVAL;
>> }
>> - if (par->match->checkentry != NULL && !par->match->checkentry(par))
>> - return -EINVAL;
>> + if (par->match->checkentry != NULL) {
>> + ret = par->match->checkentry(par);
>> + if (ret < 0)
>> + return ret;
>> + else if (ret == 0)
>> + return -EINVAL;
>
>I'd suggest to do the true/false conversion before this patch. Currently I
>don't understand the split of these patches, this one keeps lots of boolean
>return values and initializations, but changes some.
I did this so that the two main changes,
A1. replacing 'return false' by "detailed" code
(EDOM, etc.)
A2. replacing all remaining bools that did not get a detailed_code
by EINVAL.
It is also possible to change the order, as in
B1. change everything to EINVAL first
B2. then change EINVAL -> detailed_code.
Should I switch?
>> case SECMARK_MODE_SEL:
>> - if (!checkentry_selinux(info))
>> - return false;
>> + err = checkentry_selinux(info);
>> + if (err <= 0)
>>
><= ?
This is all cleared up by the A2 commit.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: [PATCH 7/9] netfilter: xtables: slightly better error reporting (2/2)
2010-03-23 15:00 ` Jan Engelhardt
@ 2010-03-23 15:02 ` Patrick McHardy
0 siblings, 0 replies; 23+ messages in thread
From: Patrick McHardy @ 2010-03-23 15:02 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Tuesday 2010-03-23 15:44, Patrick McHardy wrote:
>
>> Jan Engelhardt wrote:
>>
>>> diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
>>> index c9ee5c4..33213d6 100644
>>> --- a/net/ipv4/netfilter/ipt_LOG.c
>>> +++ b/net/ipv4/netfilter/ipt_LOG.c
>>> @@ -445,7 +445,7 @@ static int log_tg_check(const struct xt_tgchk_param *par)
>>>
>>> if (loginfo->level >= 8) {
>>> pr_debug("level %u >= 8\n", loginfo->level);
>>> - return false;
>>> + return -EDOM;
>>>
>>>
>> Mhh is that really a "Math argument out of domain of func"? ERANGE seems
>> slightly
>> better fitting to me.
>>
>
> I had to look up the difference too, but it's pretty obvious
> (to me at least).
>
> EDOM is for when a function is not defined at a point, such as log(0)
> or divide(1.0, 0.0). Of course you could say "that's ±Inf", but that
> infinity argument I'll leave to academia.
>
> However, "2^63 * 4" for example is well-defined in maths, but
> computers are the limiting factor, hence ERANGE is appropriate in
> this case.
>
>
>
>>> {
>>> + int ret;
>>> +
>>> if (XT_ALIGN(par->match->matchsize) != size &&
>>> par->match->matchsize != -1) {
>>> /*
>>> @@ -399,8 +401,13 @@ int xt_check_match(struct xt_mtchk_param *par,
>>> par->match->proto);
>>> return -EINVAL;
>>> }
>>> - if (par->match->checkentry != NULL && !par->match->checkentry(par))
>>> - return -EINVAL;
>>> + if (par->match->checkentry != NULL) {
>>> + ret = par->match->checkentry(par);
>>> + if (ret < 0)
>>> + return ret;
>>> + else if (ret == 0)
>>> + return -EINVAL;
>>>
>> I'd suggest to do the true/false conversion before this patch. Currently I
>> don't understand the split of these patches, this one keeps lots of boolean
>> return values and initializations, but changes some.
>>
>
> I did this so that the two main changes,
>
> A1. replacing 'return false' by "detailed" code
> (EDOM, etc.)
>
> A2. replacing all remaining bools that did not get a detailed_code
> by EINVAL.
>
> It is also possible to change the order, as in
>
> B1. change everything to EINVAL first
>
> B2. then change EINVAL -> detailed_code.
>
> Should I switch?
Yes, I think that would ease review. Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: [PATCH 5/9] netfilter: xt_recent: allow changing ip_list_[ug]id at runtime
2010-03-23 14:55 ` Patrick McHardy
@ 2010-03-23 15:06 ` Jan Engelhardt
2010-03-23 15:10 ` Patrick McHardy
0 siblings, 1 reply; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-23 15:06 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Tuesday 2010-03-23 15:55, Patrick McHardy wrote:
>>>> -MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files");
>>>> -MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files");
>>>> +MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
>>>> +MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
>>>>
>>> So what will be updating the permissions of the existing proc files?
>>
>> The administrator with the use of chmod/chown/chgrp.
>
>I'm not sure whether this will have the desired effect. I vaguely
>recall that proc used to forget about permission changes. That might
>have been fixed, but I was unable to find something in the
>changelogs.
I believe that the procfs alzheimer only applies to
entries that are dynamically created during dentry lookup,
e.g. all the things in /proc/1234. You will note that
the inode numbers of these entries changes over time.
This is not the case however for anything created with
proc_create_data AFAICT.
16:04 linux:~ # ls -il /proc/1/stat
13294 -r--r--r-- 1 root root 0 Mar 23 16:04 /proc/1/stat
16:04 linux:~ # ls -il /proc/net/xt_recent/foo
4026532102 -rw-r--r-- 1 bin root 0 Mar 23 16:04
/proc/net/xt_recent/foo
# Drive out cached stuff
16:04 linux:~ # find / -xdev -type f -print0 | xargs -0 cat >/dev/null
16:04 linux:~ # echo 3 >/proc/sys/vm/drop_caches
16:04 linux:~ # ls -il /proc/1/stat
13399 -r--r--r-- 1 root root 0 Mar 23 16:04 /proc/1/stat
16:04 linux:~ # ls -il /proc/net/xt_recent/foo
4026532102 -rw-r--r-- 1 bin root 0 Mar 23 16:04 /proc/net/xt_recent/foo
As you can see, /proc/X was reinstantiated, while xt_recent's data
remained.
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: [PATCH 5/9] netfilter: xt_recent: allow changing ip_list_[ug]id at runtime
2010-03-23 15:06 ` Jan Engelhardt
@ 2010-03-23 15:10 ` Patrick McHardy
0 siblings, 0 replies; 23+ messages in thread
From: Patrick McHardy @ 2010-03-23 15:10 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Tuesday 2010-03-23 15:55, Patrick McHardy wrote:
>
>
>>>>> -MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files");
>>>>> -MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files");
>>>>> +MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
>>>>> +MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
>>>>>
>>>>>
>>>> So what will be updating the permissions of the existing proc files?
>>>>
>>> The administrator with the use of chmod/chown/chgrp.
>>>
>> I'm not sure whether this will have the desired effect. I vaguely
>> recall that proc used to forget about permission changes. That might
>> have been fixed, but I was unable to find something in the
>> changelogs.
>>
>
> I believe that the procfs alzheimer only applies to
> entries that are dynamically created during dentry lookup,
> e.g. all the things in /proc/1234. You will note that
> the inode numbers of these entries changes over time.
>
> This is not the case however for anything created with
> proc_create_data AFAICT.
>
> 16:04 linux:~ # ls -il /proc/1/stat
> 13294 -r--r--r-- 1 root root 0 Mar 23 16:04 /proc/1/stat
> 16:04 linux:~ # ls -il /proc/net/xt_recent/foo
> 4026532102 -rw-r--r-- 1 bin root 0 Mar 23 16:04
> /proc/net/xt_recent/foo
>
> # Drive out cached stuff
> 16:04 linux:~ # find / -xdev -type f -print0 | xargs -0 cat >/dev/null
> 16:04 linux:~ # echo 3 >/proc/sys/vm/drop_caches
>
> 16:04 linux:~ # ls -il /proc/1/stat
> 13399 -r--r--r-- 1 root root 0 Mar 23 16:04 /proc/1/stat
> 16:04 linux:~ # ls -il /proc/net/xt_recent/foo
> 4026532102 -rw-r--r-- 1 bin root 0 Mar 23 16:04 /proc/net/xt_recent/foo
>
> As you can see, /proc/X was reinstantiated, while xt_recent's data
> remained.
>
Sounds good. In any case its not directly related to your patch, so this
seems fine.
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: nf-next: cleanups, err reporting (rd.2)
2010-03-22 19:17 nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
` (8 preceding siblings ...)
2010-03-22 19:18 ` [PATCH 9/9] netfilter: xtables: shorten up return clause Jan Engelhardt
@ 2010-03-23 16:35 ` Jan Engelhardt
2010-03-25 12:48 ` Patrick McHardy
9 siblings, 1 reply; 23+ messages in thread
From: Jan Engelhardt @ 2010-03-23 16:35 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
On Monday 2010-03-22 20:17, Jan Engelhardt wrote:
>
>Jan Engelhardt (9):
> netfilter: xtables: make use of caller family rather than target family
> netfilter: xt extensions: use pr_<level> (2)
> netfilter: xtables: make use of xt_request_find_target
> netfilter: xtables: consolidate code into xt_request_find_match
> netfilter: xt_recent: allow changing ip_list_[ug]id at runtime
I have incorporated your comments; as I'm still on with the error reporting
pieces, here is the batch of five instead:
Please merge.
The following changes since commit 2c46cd8163b25bf6f38e612e9f1d162f0357c8f1:
Zhitong Wang (1):
netfilter: remove unused headers in net/ipv4/netfilter/nf_nat_h323.c
are available in the git repository at:
git://dev.medozas.de/linux master
Jan Engelhardt (5):
netfilter: xtables: make use of caller family rather than target family
netfilter: xt extensions: use pr_<level> (2)
netfilter: xtables: make use of xt_request_find_target
netfilter: xtables: consolidate code into xt_request_find_match
netfilter: xt_recent: allow changing ip_list_[ug]id at runtime
include/linux/netfilter/x_tables.h | 1 +
net/bridge/netfilter/ebt_among.c | 15 ++++-----
net/bridge/netfilter/ebt_limit.c | 3 +-
net/bridge/netfilter/ebt_ulog.c | 26 +++++++++-------
net/bridge/netfilter/ebt_vlan.c | 36 ++++++++--------------
net/bridge/netfilter/ebtables.c | 23 +++-----------
net/ipv4/netfilter/arp_tables.c | 20 +++++-------
net/ipv4/netfilter/ip_tables.c | 56 +++++++++++++++--------------------
net/ipv4/netfilter/ipt_CLUSTERIP.c | 47 +++++++++++++++--------------
net/ipv4/netfilter/ipt_ECN.c | 11 ++----
net/ipv4/netfilter/ipt_LOG.c | 7 ++--
net/ipv4/netfilter/ipt_MASQUERADE.c | 8 ++--
net/ipv4/netfilter/ipt_NETMAP.c | 6 ++--
net/ipv4/netfilter/ipt_REDIRECT.c | 6 ++--
net/ipv4/netfilter/ipt_REJECT.c | 6 ++--
net/ipv4/netfilter/ipt_ULOG.c | 40 ++++++++++++-------------
net/ipv4/netfilter/ipt_addrtype.c | 14 ++++----
net/ipv4/netfilter/ipt_ecn.c | 5 +--
net/ipv6/netfilter/ip6_tables.c | 47 ++++++++++++-----------------
net/ipv6/netfilter/ip6t_LOG.c | 7 ++--
net/ipv6/netfilter/ip6t_REJECT.c | 20 ++++++------
net/ipv6/netfilter/ip6t_ah.c | 6 ++--
net/ipv6/netfilter/ip6t_frag.c | 6 ++--
net/ipv6/netfilter/ip6t_hbh.c | 6 ++--
net/ipv6/netfilter/ip6t_rt.c | 6 ++--
net/netfilter/x_tables.c | 15 +++++++--
net/netfilter/xt_NFQUEUE.c | 4 +-
net/netfilter/xt_TCPMSS.c | 7 ++--
net/netfilter/xt_TPROXY.c | 4 +-
net/netfilter/xt_esp.c | 2 +-
net/netfilter/xt_iprange.c | 1 +
net/netfilter/xt_recent.c | 14 ++++----
net/netfilter/xt_socket.c | 5 +--
net/netfilter/xt_time.c | 4 +-
net/sched/act_ipt.c | 4 +-
35 files changed, 224 insertions(+), 264 deletions(-)
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: nf-next: cleanups, err reporting (rd.2)
2010-03-23 16:35 ` nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
@ 2010-03-25 12:48 ` Patrick McHardy
0 siblings, 0 replies; 23+ messages in thread
From: Patrick McHardy @ 2010-03-25 12:48 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Monday 2010-03-22 20:17, Jan Engelhardt wrote:
>> Jan Engelhardt (9):
>> netfilter: xtables: make use of caller family rather than target family
>> netfilter: xt extensions: use pr_<level> (2)
>> netfilter: xtables: make use of xt_request_find_target
>> netfilter: xtables: consolidate code into xt_request_find_match
>> netfilter: xt_recent: allow changing ip_list_[ug]id at runtime
>
> I have incorporated your comments; as I'm still on with the error reporting
> pieces, here is the batch of five instead:
> Please merge.
>
>
> The following changes since commit 2c46cd8163b25bf6f38e612e9f1d162f0357c8f1:
> Zhitong Wang (1):
> netfilter: remove unused headers in net/ipv4/netfilter/nf_nat_h323.c
>
> are available in the git repository at:
>
> git://dev.medozas.de/linux master
>
> Jan Engelhardt (5):
> netfilter: xtables: make use of caller family rather than target family
> netfilter: xt extensions: use pr_<level> (2)
> netfilter: xtables: make use of xt_request_find_target
> netfilter: xtables: consolidate code into xt_request_find_match
> netfilter: xt_recent: allow changing ip_list_[ug]id at runtime
Please repost these patches, I have a few more comments but I'd like
to make sure they're still relevant for the latest patchset.
^ permalink raw reply [flat|nested] 23+ messages in thread
end of thread, other threads:[~2010-03-25 12:48 UTC | newest]
Thread overview: 23+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-03-22 19:17 nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
2010-03-22 19:17 ` [PATCH 1/9] netfilter: xtables: make use of caller family rather than target family Jan Engelhardt
2010-03-22 19:17 ` [PATCH 2/9] netfilter: xt extensions: use pr_<level> (2) Jan Engelhardt
2010-03-22 19:17 ` [PATCH 3/9] netfilter: xtables: make use of xt_request_find_target Jan Engelhardt
2010-03-23 14:24 ` Patrick McHardy
2010-03-23 14:27 ` Jan Engelhardt
2010-03-22 19:18 ` [PATCH 4/9] netfilter: xtables: consolidate code into xt_request_find_match Jan Engelhardt
2010-03-23 14:27 ` Patrick McHardy
2010-03-22 19:18 ` [PATCH 5/9] netfilter: xt_recent: allow changing ip_list_[ug]id at runtime Jan Engelhardt
2010-03-23 14:18 ` Patrick McHardy
2010-03-23 14:23 ` Jan Engelhardt
2010-03-23 14:55 ` Patrick McHardy
2010-03-23 15:06 ` Jan Engelhardt
2010-03-23 15:10 ` Patrick McHardy
2010-03-22 19:18 ` [PATCH 6/9] netfilter: xtables: slightly better error reporting (1/2) Jan Engelhardt
2010-03-22 19:18 ` [PATCH 7/9] netfilter: xtables: slightly better error reporting (2/2) Jan Engelhardt
2010-03-23 14:44 ` Patrick McHardy
2010-03-23 15:00 ` Jan Engelhardt
2010-03-23 15:02 ` Patrick McHardy
2010-03-22 19:18 ` [PATCH 8/9] netfilter: xtables: use only error codes for checkentry Jan Engelhardt
2010-03-22 19:18 ` [PATCH 9/9] netfilter: xtables: shorten up return clause Jan Engelhardt
2010-03-23 16:35 ` nf-next: cleanups, err reporting (rd.2) Jan Engelhardt
2010-03-25 12:48 ` Patrick McHardy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.