diff options
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/x_tables.c | 12 | ||||
-rw-r--r-- | net/netfilter/xt_CONNSECMARK.c | 6 | ||||
-rw-r--r-- | net/netfilter/xt_CT.c | 6 | ||||
-rw-r--r-- | net/netfilter/xt_DSCP.c | 4 | ||||
-rw-r--r-- | net/netfilter/xt_HL.c | 10 | ||||
-rw-r--r-- | net/netfilter/xt_LED.c | 10 | ||||
-rw-r--r-- | net/netfilter/xt_NFLOG.c | 6 | ||||
-rw-r--r-- | net/netfilter/xt_NFQUEUE.c | 6 | ||||
-rw-r--r-- | net/netfilter/xt_RATEEST.c | 9 | ||||
-rw-r--r-- | net/netfilter/xt_SECMARK.c | 10 | ||||
-rw-r--r-- | net/netfilter/xt_TCPMSS.c | 12 | ||||
-rw-r--r-- | net/netfilter/xt_TPROXY.c | 4 |
12 files changed, 50 insertions, 45 deletions
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 7ee177746172..8e23d8f68459 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -528,6 +528,8 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_user); int xt_check_target(struct xt_tgchk_param *par, unsigned int size, u_int8_t proto, bool inv_proto) { + int ret; + if (XT_ALIGN(par->target->targetsize) != size) { pr_err("%s_tables: %s.%u target: invalid size " "%u (kernel) != (user) %u\n", @@ -559,8 +561,14 @@ int xt_check_target(struct xt_tgchk_param *par, par->target->proto); return -EINVAL; } - if (par->target->checkentry != NULL && !par->target->checkentry(par)) - return -EINVAL; + if (par->target->checkentry != NULL) { + ret = par->target->checkentry(par); + if (ret < 0) + return ret; + else if (ret > 0) + /* Flag up potential errors. */ + return -EIO; + } return 0; } EXPORT_SYMBOL_GPL(xt_check_target); diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c index 3f9d0f4f852d..2287a82a0703 100644 --- a/net/netfilter/xt_CONNSECMARK.c +++ b/net/netfilter/xt_CONNSECMARK.c @@ -92,7 +92,7 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par) strcmp(par->table, "security") != 0) { pr_info("target only valid in the \'mangle\' " "or \'security\' tables, not \'%s\'.\n", par->table); - return false; + return -EINVAL; } switch (info->mode) { @@ -108,9 +108,9 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par) if (nf_ct_l3proto_try_module_get(par->family) < 0) { pr_info("cannot load conntrack support for proto=%u\n", par->family); - return false; + return -EINVAL; } - return true; + return 0; } static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par) diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c index c1553bf06cf6..ee566e2e4534 100644 --- a/net/netfilter/xt_CT.c +++ b/net/netfilter/xt_CT.c @@ -62,7 +62,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par) u8 proto; if (info->flags & ~XT_CT_NOTRACK) - return false; + return -EINVAL; if (info->flags & XT_CT_NOTRACK) { ct = &nf_conntrack_untracked; @@ -108,14 +108,14 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par) __set_bit(IPS_CONFIRMED_BIT, &ct->status); out: info->ct = ct; - return true; + return 0; err3: nf_conntrack_free(ct); err2: nf_ct_l3proto_module_put(par->family); err1: - return false; + return -EINVAL; } static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par) diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c index 1fa7b67bf225..aa263b80f8c0 100644 --- a/net/netfilter/xt_DSCP.c +++ b/net/netfilter/xt_DSCP.c @@ -66,9 +66,9 @@ static int dscp_tg_check(const struct xt_tgchk_param *par) if (info->dscp > XT_DSCP_MAX) { pr_info("dscp %x out of range\n", info->dscp); - return false; + return -EINVAL; } - return true; + return 0; } static unsigned int diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c index 15ba16108182..7a47383ec723 100644 --- a/net/netfilter/xt_HL.c +++ b/net/netfilter/xt_HL.c @@ -110,8 +110,8 @@ static int ttl_tg_check(const struct xt_tgchk_param *par) return false; } if (info->mode != IPT_TTL_SET && info->ttl == 0) - return false; - return true; + return -EINVAL; + return 0; } static int hl_tg6_check(const struct xt_tgchk_param *par) @@ -120,14 +120,14 @@ static int hl_tg6_check(const struct xt_tgchk_param *par) if (info->mode > IP6T_HL_MAXMODE) { pr_info("invalid or unknown mode %u\n", info->mode); - return false; + return -EINVAL; } if (info->mode != IP6T_HL_SET && info->hop_limit == 0) { pr_info("increment/decrement does not " "make sense with value 0\n"); - return false; + return -EINVAL; } - return true; + return 0; } static struct xt_target hl_tg_reg[] __read_mostly = { diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c index 1a3e3dd5a774..22b5b7057397 100644 --- a/net/netfilter/xt_LED.c +++ b/net/netfilter/xt_LED.c @@ -88,12 +88,12 @@ static int led_tg_check(const struct xt_tgchk_param *par) if (ledinfo->id[0] == '\0') { pr_info("No 'id' parameter given.\n"); - return false; + return -EINVAL; } ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL); if (!ledinternal) - return false; + return -EINVAL; ledinternal->netfilter_led_trigger.name = ledinfo->id; @@ -111,13 +111,11 @@ static int led_tg_check(const struct xt_tgchk_param *par) (unsigned long)ledinfo); ledinfo->internal_data = ledinternal; - - return true; + return 0; exit_alloc: kfree(ledinternal); - - return false; + return -EINVAL; } static void led_tg_destroy(const struct xt_tgdtor_param *par) diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c index 13e6c0002c8a..42dd8747b421 100644 --- a/net/netfilter/xt_NFLOG.c +++ b/net/netfilter/xt_NFLOG.c @@ -42,10 +42,10 @@ static int nflog_tg_check(const struct xt_tgchk_param *par) const struct xt_nflog_info *info = par->targinfo; if (info->flags & ~XT_NFLOG_MASK) - return false; + return -EINVAL; if (info->prefix[sizeof(info->prefix) - 1] != '\0') - return false; - return true; + return -EINVAL; + return 0; } static struct xt_target nflog_tg_reg __read_mostly = { diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c index d435579a64ca..add1789ae4a8 100644 --- a/net/netfilter/xt_NFQUEUE.c +++ b/net/netfilter/xt_NFQUEUE.c @@ -92,15 +92,15 @@ static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par) } if (info->queues_total == 0) { pr_err("NFQUEUE: number of total queues is 0\n"); - return false; + return -EINVAL; } maxid = info->queues_total - 1 + info->queuenum; if (maxid > 0xffff) { pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n", info->queues_total, maxid); - return false; + return -EINVAL; } - return true; + return 0; } static struct xt_target nfqueue_tg_reg[] __read_mostly = { diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c index 9743e50be8ef..7af5fba39cdd 100644 --- a/net/netfilter/xt_RATEEST.c +++ b/net/netfilter/xt_RATEEST.c @@ -109,10 +109,10 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) (info->interval != est->params.interval || info->ewma_log != est->params.ewma_log)) { xt_rateest_put(est); - return false; + return -EINVAL; } info->est = est; - return true; + return 0; } est = kzalloc(sizeof(*est), GFP_KERNEL); @@ -136,13 +136,12 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) info->est = est; xt_rateest_hash_insert(est); - - return true; + return 0; err2: kfree(est); err1: - return false; + return -EINVAL; } static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par) diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index 48f8e4f7ea8a..39098fc9887d 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c @@ -88,29 +88,29 @@ static int secmark_tg_check(const struct xt_tgchk_param *par) strcmp(par->table, "security") != 0) { pr_info("target only valid in the \'mangle\' " "or \'security\' tables, not \'%s\'.\n", par->table); - return false; + return -EINVAL; } if (mode && mode != info->mode) { pr_info("mode already set to %hu cannot mix with " "rules for mode %hu\n", mode, info->mode); - return false; + return -EINVAL; } switch (info->mode) { case SECMARK_MODE_SEL: if (!checkentry_selinux(info)) - return false; + return -EINVAL; break; default: pr_info("invalid mode: %hu\n", info->mode); - return false; + return -EINVAL; } if (!mode) mode = info->mode; - return true; + return 0; } static void secmark_tg_destroy(const struct xt_tgdtor_param *par) diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 70288dc31583..385677b963d5 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -246,13 +246,13 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par) (1 << NF_INET_POST_ROUTING))) != 0) { pr_info("path-MTU clamping only supported in " "FORWARD, OUTPUT and POSTROUTING hooks\n"); - return false; + return -EINVAL; } xt_ematch_foreach(ematch, e) if (find_syn_match(ematch)) - return true; + return 0; pr_info("Only works on TCP SYN packets\n"); - return false; + return -EINVAL; } #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) @@ -268,13 +268,13 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par) (1 << NF_INET_POST_ROUTING))) != 0) { pr_info("path-MTU clamping only supported in " "FORWARD, OUTPUT and POSTROUTING hooks\n"); - return false; + return -EINVAL; } xt_ematch_foreach(ematch, e) if (find_syn_match(ematch)) - return true; + return 0; pr_info("Only works on TCP SYN packets\n"); - return false; + return -EINVAL; } #endif diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c index 189df9af4de6..4f246ddc5c48 100644 --- a/net/netfilter/xt_TPROXY.c +++ b/net/netfilter/xt_TPROXY.c @@ -65,11 +65,11 @@ static int tproxy_tg_check(const struct xt_tgchk_param *par) if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) && !(i->invflags & IPT_INV_PROTO)) - return true; + return 0; pr_info("Can be used only in combination with " "either -p tcp or -p udp\n"); - return false; + return -EINVAL; } static struct xt_target tproxy_tg_reg __read_mostly = { |