OpenWrt – Blame information for rev 1
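--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -310,6 +310,33 @@ struct ipt_entry *ipt_next_entry(const s
 return (void *)entry + entry->next_offset;
 }
 
+static bool
+ipt_handle_default_rule(struct ipt_entry *e, unsigned int *verdict)
+{
+ struct xt_entry_target *t;
+ struct xt_standard_target *st;
+
+ if (e->target_offset != sizeof(struct ipt_entry))
+ return false;
+
+ if (!(e->ip.flags & IPT_F_NO_DEF_MATCH))
+ return false;
+
+ t = ipt_get_target(e);
+ if (t->u.kernel.target->target)
+ return false;
+
+ st = (struct xt_standard_target *) t;
+ if (st->verdict == XT_RETURN)
+ return false;
+
+ if (st->verdict >= 0)
+ return false;
+
+ *verdict = (unsigned)(-st->verdict) - 1;
+ return true;
+}
+
 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
 unsigned int
 ipt_do_table(struct sk_buff *skb,
@@ -331,9 +358,33 @@ ipt_do_table(struct sk_buff *skb,
 unsigned int addend;
 
 /* Initialization */
+ IP_NF_ASSERT(table->valid_hooks & (1 << hook));
+ local_bh_disable();
+ private = table->private;
+ cpu = smp_processor_id();
+ /*
+ * Ensure we load private-> members after we've fetched the base
+ * pointer.
+ */
+ smp_read_barrier_depends();
+ table_base = private->entries[cpu];
+
+ e = get_entry(table_base, private->hook_entry[hook]);
+ if (ipt_handle_default_rule(e, &verdict)) {
+ ADD_COUNTER(e->counters, skb->len, 1);
+ local_bh_enable();
+ return verdict;
+ }
+
 ip = ip_hdr(skb);
 indev = in ? in->name : nulldevname;
 outdev = out ? out->name : nulldevname;
+
+ addend = xt_write_recseq_begin();
+ jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
+ stackptr = per_cpu_ptr(private->stackptr, cpu);
+ origptr = *stackptr;
+
 /* We handle fragments by dealing with the first fragment as
 * if it was a normal packet. All other fragments are treated
 * normally, except that they will NEVER match rules that ask
@@ -348,23 +399,6 @@ ipt_do_table(struct sk_buff *skb,
 acpar.family = NFPROTO_IPV4;
 acpar.hooknum = hook;
 
- IP_NF_ASSERT(table->valid_hooks & (1 << hook));
- local_bh_disable();
- addend = xt_write_recseq_begin();
- private = table->private;
- cpu = smp_processor_id();
- /*
- * Ensure we load private-> members after we've fetched the base
- * pointer.
- */
- smp_read_barrier_depends();
- table_base = private->entries[cpu];
- jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
- stackptr = per_cpu_ptr(private->stackptr, cpu);
- origptr = *stackptr;
-
- e = get_entry(table_base, private->hook_entry[hook]);
-
 pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n",
 table->name, hook, origptr,
 get_entry(table_base, private->underflow[hook]));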
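Review bot: The early-return path in ipt_do_table dereferences `e` and runs `ADD_COUNTER(e->counters, skb->len, 1)` before `xt_write_recseq_begin()`, which the second hunk places below the fast path, so this counter update is not covered by the per-CPU sequence counter the removed code entered first. A reader that uses that sequence counter to take a consistent snapshot (presumably the counter dump path, which is not visible here) could observe a torn 64-bit byte/packet pair, and any table-replacement logic that waits on the same counter would not wait for this CPU; both should be confirmed against the target kernel. Consider keeping `addend = xt_write_recseq_begin();` directly after `local_bh_disable();` and adding `xt_write_recseq_end(addend);` before `local_bh_enable();` in the early return. Separately, `ipt_handle_default_rule()` relies on `IPT_F_NO_DEF_MATCH` in `e->ip.flags` to skip IP-header matching for the first rule, and the flag's definition is outside this patch; a comment such as `/* IPT_F_NO_DEF_MATCH is set by the kernel at table load, never taken from userspace */` would document that assumption if it holds.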