diff options
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | configure.ac | 149 | ||||
-rw-r--r-- | kernel/include/linux/netfilter/ipset/ip_set_compat.h.in (renamed from kernel/include/linux/netfilter/ipset/ip_set_compat.h) | 38 | ||||
-rw-r--r-- | kernel/net/netfilter/ipset/ip_set_core.c | 41 | ||||
-rw-r--r-- | kernel/net/netfilter/ipset/ip_set_getport.c | 5 | ||||
-rw-r--r-- | kernel/net/netfilter/ipset/pfxlen.c | 2 | ||||
-rw-r--r-- | kernel/net/netfilter/xt_set.c | 46 |
7 files changed, 241 insertions, 41 deletions
@@ -16,6 +16,7 @@ Makefile.in .tmp_versions Module.symvers modules.order +kernel/include/linux/netfilter/ipset/ip_set_compat.h /aclocal.m4 /autom4te.cache/ diff --git a/configure.ac b/configure.ac index 6d06ef5..df40dcd 100644 --- a/configure.ac +++ b/configure.ac @@ -67,6 +67,7 @@ then fi AC_PROG_GREP +AC_PROG_AWK if ! $GREP -q "NFNL_SUBSYS_IPSET" "$ksourcedir/include/linux/netfilter/nfnetlink.h" && \ ! $GREP -q "NFNL_SUBSYS_IPSET" "$ksourcedir/include/uapi/linux/netfilter/nfnetlink.h"; @@ -166,7 +167,150 @@ AC_CHECK_TYPES([union nf_inet_addr],,,[#include <linux/types.h> dnl Checks for functions AC_CHECK_FUNCS(gethostbyname2) -dnl Checks for compiler characteristics. +dnl Check kernel incompatibilities... Ugly like hell +AC_MSG_CHECKING([kernel source for struct xt_action_param]) +if test -f $ksourcedir/include/linux/netfilter/x_tables.h && \ + $GREP -q 'struct xt_action_param' $ksourcedir/include/linux/netfilter/x_tables.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_STRUCT_XT_ACTION_PARAM, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_STRUCT_XT_ACTION_PARAM, undef) +fi + +AC_MSG_CHECKING([kernel source for vzalloc]) +if test -f $ksourcedir/include/linux/vmalloc.h && \ + $GREP -q 'vzalloc' $ksourcedir/include/linux/vmalloc.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_VZALLOC, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_VZALLOC, undef) +fi + +AC_MSG_CHECKING([kernel source for ether_addr_equal]) +if test -f $ksourcedir/include/linux/etherdevice.h && \ + $GREP -q 'ether_addr_equal' $ksourcedir/include/linux/etherdevice.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_ETHER_ADDR_EQUAL, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_ETHER_ADDR_EQUAL, undef) +fi + +AC_MSG_CHECKING([kernel source for nla_put_be64]) +if test -f $ksourcedir/include/net/netlink.h && \ + $GREP -q 'nla_put_be64' $ksourcedir/include/net/netlink.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_NLA_PUT_BE64, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_NLA_PUT_BE64, undef) +fi + +AC_MSG_CHECKING([kernel source for portid in nl_info]) +if test -f $ksourcedir/include/linux/netlink.h && \ + $AWK '/^struct netlink_skb_parms/ {for(i=1; i<=5; i++) {getline; print}}' $ksourcedir/include/linux/netlink.h | $GREP -q 'portid;'; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_NL_INFO_PORTID, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_NL_INFO_PORTID, undef) +fi + +AC_MSG_CHECKING([kernel source for netlink_dump_start args]) +if test -f $ksourcedir/include/linux/netlink.h && \ + $AWK '/netlink_dump_start/ {for(i=1; i<=4; i++) {getline; print}}' $ksourcedir/include/linux/netlink.h | $GREP -q 'done.*;'; then + AC_MSG_RESULT(5 args) + AC_SUBST(HAVE_NETLINK_DUMP_START_ARGS, 5) +elif test -f $ksourcedir/include/linux/netlink.h && \ + $AWK '/netlink_dump_start/ {for(i=1; i<=4; i++) {getline; print}}' $ksourcedir/include/linux/netlink.h | $GREP -q 'min_dump_alloc.*;'; then + AC_MSG_RESULT(6 args) + AC_SUBST(HAVE_NETLINK_DUMP_START_ARGS, 6) +else + AC_MSG_RESULT(4 args) + AC_SUBST(HAVE_NETLINK_DUMP_START_ARGS, 4) +fi + +AC_MSG_CHECKING([kernel source for ns_capable]) +if test -f $ksourcedir/include/linux/capability.h && \ + $GREP -q 'ns_capable' $ksourcedir/include/linux/capability.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_NS_CAPABLE, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_NS_CAPABLE, undef) +fi + +AC_MSG_CHECKING([kernel source for nfnl_lock per subsys]) +if test -f $ksourcedir/include/linux/netfilter/nfnetlink.h && \ + $GREP -q 'nfnl_lock.* subsys_id' $ksourcedir/include/linux/netfilter/nfnetlink.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_NFNL_LOCK_SUBSYS, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_NFNL_LOCK_SUBSYS, undef) +fi + +AC_MSG_CHECKING([kernel source for export.h]) +if test -f $ksourcedir/include/linux/export.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_EXPORT_H, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_EXPORT_H, undef) +fi + +AC_MSG_CHECKING([kernel source for ipv6_skip_exthdr args]) +if test -f $ksourcedir/include/net/ipv6.h && \ + $AWK '/ipv6_skip_exthdr/ {getline; print}' $ksourcedir/include/net/ipv6.h | $GREP -q 'frag_offp'; then + AC_MSG_RESULT(4 args) + AC_SUBST(HAVE_IPV6_SKIP_EXTHDR_ARGS, 4) +else + AC_MSG_RESULT(3 args) + AC_SUBST(HAVE_IPV6_SKIP_EXTHDR_ARGS, 3) +fi + +AC_MSG_CHECKING([kernel source for bool checkentry function prototype]) +if test -f $ksourcedir/net/netfilter/xt_state.c && \ + $GREP -q 'bool state_mt_check' $ksourcedir/net/netfilter/xt_state.c; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_CHECKENTRY_BOOL, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_CHECKENTRY_BOOL, undef) +fi + +AC_MSG_CHECKING([kernel source for old struct xt_target_param]) +if test -f $ksourcedir/net/netfilter/xt_TCPMSS.c && \ + $GREP -q 'const struct xt_target_param' $ksourcedir/net/netfilter/xt_TCPMSS.c; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_XT_TARGET_PARAM, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_XT_TARGET_PARAM, undef) +fi + +AC_MSG_CHECKING([kernel source for id in struct pernet_operations]) +if test -f $ksourcedir/include/net/net_namespace.h && \ + $AWK '/struct pernet_operations/ {for(i=1; i<=6; i++) {getline; print}}' $ksourcedir/include/net/net_namespace.h | $GREP -q 'int \*id;'; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_NET_OPS_ID, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_NET_OPS_ID, undef) +fi + +AC_MSG_CHECKING([kernel source for struct net_generic]) +if test -f $ksourcedir/include/net/netns/generic.h && \ + $GREP -q 'struct net_generic' $ksourcedir/include/net/netns/generic.h; then + AC_MSG_RESULT(yes) +else + AC_MSG_RESULT(no) + AC_MSG_ERROR([Netns support is required in the Linux kernel tree]) +fi + +dnl Checks for compiler characteristics. dnl Check extra warning flags except dnl -Wconversion -> we need it dnl -Wunreachable-code -> fails with ntoh* @@ -210,7 +354,8 @@ dnl Checks for library functions. dnl Generate output AC_CONFIG_FILES([Makefile include/libipset/Makefile - lib/Makefile lib/libipset.pc src/Makefile]) + lib/Makefile lib/libipset.pc src/Makefile + kernel/include/linux/netfilter/ipset/ip_set_compat.h]) AC_OUTPUT dnl Summary diff --git a/kernel/include/linux/netfilter/ipset/ip_set_compat.h b/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in index cdc8f53..b93c5d9 100644 --- a/kernel/include/linux/netfilter/ipset/ip_set_compat.h +++ b/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in @@ -1,6 +1,20 @@ #ifndef __IP_SET_COMPAT_H #define __IP_SET_COMPAT_H +#@HAVE_STRUCT_XT_ACTION_PARAM@ HAVE_STRUCT_XT_ACTION_PARAM +#@HAVE_VZALLOC@ HAVE_VZALLOC +#@HAVE_ETHER_ADDR_EQUAL@ HAVE_ETHER_ADDR_EQUAL +#@HAVE_NLA_PUT_BE64@ HAVE_NLA_PUT_BE64 +#@HAVE_NL_INFO_PORTID@ HAVE_NL_INFO_PORTID +#define HAVE_NETLINK_DUMP_START_ARGS @HAVE_NETLINK_DUMP_START_ARGS@ +#@HAVE_NS_CAPABLE@ HAVE_NS_CAPABLE +#@HAVE_NFNL_LOCK_SUBSYS@ HAVE_NFNL_LOCK_SUBSYS +#@HAVE_EXPORT_H@ HAVE_EXPORT_H +#define HAVE_IPV6_SKIP_EXTHDR_ARGS @HAVE_IPV6_SKIP_EXTHDR_ARGS@ +#@HAVE_CHECKENTRY_BOOL@ HAVE_CHECKENTRY_BOOL +#@HAVE_XT_TARGET_PARAM@ HAVE_XT_TARGET_PARAM +#@HAVE_NET_OPS_ID@ HAVE_NET_OPS_ID + /* Not everything could be moved here. Compatibility stuffs can be found in * xt_set.c, ip_set_core.c, ip_set_getport.c, pfxlen.c too. */ @@ -31,24 +45,26 @@ #error "NETFILTER_NETLINK must be enabled: select NFACCT/NFQUEUE/LOG over NFNETLINK" #endif -#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35) +#ifndef HAVE_STRUCT_XT_ACTION_PARAM #define xt_action_param xt_match_param #endif -#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 37) +#ifndef HAVE_VZALLOC #define vzalloc(size) __vmalloc(size,\ GFP_KERNEL|__GFP_ZERO|__GFP_HIGHMEM,\ PAGE_KERNEL) #endif -#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0) +#ifndef HAVE_ETHER_ADDR_EQUAL #include <linux/etherdevice.h> static inline bool ether_addr_equal(const u8 *addr1, const u8 *addr2) { return !compare_ether_addr(addr1, addr2); } +#endif +#ifndef HAVE_NLA_PUT_BE64 static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value) { return nla_put(skb, attrtype, sizeof(__be64), &value); @@ -60,22 +76,22 @@ static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value) } #endif -#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0) -#define NETLINK_PORTID(skb) NETLINK_CB(skb).pid -#else +#ifdef HAVE_NL_INFO_PORTID #define NETLINK_PORTID(skb) NETLINK_CB(skb).portid +#else +#define NETLINK_PORTID(skb) NETLINK_CB(skb).pid #endif -#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0) +#ifndef HAVE_NS_CAPABLE #define ns_capable(ns, cap) capable(cap) #endif -#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0) -#define lock_nfnl() nfnl_lock() -#define unlock_nfnl() nfnl_unlock() -#else +#ifdef HAVE_NFNL_LOCK_SUBSYS #define lock_nfnl() nfnl_lock(NFNL_SUBSYS_IPSET) #define unlock_nfnl() nfnl_unlock(NFNL_SUBSYS_IPSET) +#else +#define lock_nfnl() nfnl_lock() +#define unlock_nfnl() nfnl_unlock() #endif #ifdef NLA_PUT_NET16 diff --git a/kernel/net/netfilter/ipset/ip_set_core.c b/kernel/net/netfilter/ipset/ip_set_core.c index 9506973..c1989d9 100644 --- a/kernel/net/netfilter/ipset/ip_set_core.c +++ b/kernel/net/netfilter/ipset/ip_set_core.c @@ -1388,11 +1388,11 @@ ip_set_dump(struct sock *ctnl, struct sk_buff *skb, if (unlikely(protocol_failed(attr))) return -IPSET_ERR_PROTOCOL; -#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 1, 0) +#if HAVE_NETLINK_DUMP_START_ARGS == 5 return netlink_dump_start(ctnl, skb, nlh, ip_set_dump_start, ip_set_dump_done); -#elif LINUX_VERSION_CODE < KERNEL_VERSION(3, 4, 0) +#elif HAVE_NETLINK_DUMP_START_ARGS == 6 return netlink_dump_start(ctnl, skb, nlh, ip_set_dump_start, ip_set_dump_done, 0); @@ -1977,20 +1977,42 @@ static struct nf_sockopt_ops so_set __read_mostly = { static int __net_init ip_set_net_init(struct net *net) { - struct ip_set_net *inst = ip_set_pernet(net); + struct ip_set_net *inst; struct ip_set **list; +#ifdef HAVE_NET_OPS_ID + inst = ip_set_pernet(net); +#else + int err; + + inst = kzalloc(sizeof(struct ip_set_net), GFP_KERNEL); + if (!inst) + return -ENOMEM; + err = net_assign_generic(net, ip_set_net_id, inst); + if (err < 0) + goto err_alloc; +#endif inst->ip_set_max = max_sets ? max_sets : CONFIG_IP_SET_MAX; if (inst->ip_set_max >= IPSET_INVALID_ID) inst->ip_set_max = IPSET_INVALID_ID - 1; list = kzalloc(sizeof(struct ip_set *) * inst->ip_set_max, GFP_KERNEL); if (!list) +#ifdef HAVE_NET_OPS_ID return -ENOMEM; +#else + goto err_alloc; +#endif inst->is_deleted = 0; rcu_assign_pointer(inst->ip_set_list, list); pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL); return 0; + +#ifndef HAVE_NET_OPS_ID +err_alloc: + kfree(inst); + return err; +#endif } static void __net_exit @@ -2009,13 +2031,18 @@ ip_set_net_exit(struct net *net) ip_set_destroy_set(inst, i); } kfree(rcu_dereference_protected(inst->ip_set_list, 1)); +#ifndef HAVE_NET_OPS_ID + kfree(inst); +#endif } static struct pernet_operations ip_set_net_ops = { .init = ip_set_net_init, .exit = ip_set_net_exit, +#ifdef HAVE_NET_OPS_ID .id = &ip_set_net_id, .size = sizeof(struct ip_set_net) +#endif }; @@ -2033,7 +2060,11 @@ ip_set_init(void) nfnetlink_subsys_unregister(&ip_set_netlink_subsys); return ret; } +#ifdef HAVE_NET_OPS_ID ret = register_pernet_subsys(&ip_set_net_ops); +#else + ret = register_pernet_gen_device(&ip_set_net_id, &ip_set_net_ops); +#endif if (ret) { pr_err("ip_set: cannot register pernet_subsys.\n"); nf_unregister_sockopt(&so_set); @@ -2046,7 +2077,11 @@ ip_set_init(void) static void __exit ip_set_fini(void) { +#ifdef HAVE_NET_OPS_ID unregister_pernet_subsys(&ip_set_net_ops); +#else + unregister_pernet_gen_device(ip_set_net_id, &ip_set_net_ops); +#endif nf_unregister_sockopt(&so_set); nfnetlink_subsys_unregister(&ip_set_netlink_subsys); pr_debug("these are the famous last words\n"); diff --git a/kernel/net/netfilter/ipset/ip_set_getport.c b/kernel/net/netfilter/ipset/ip_set_getport.c index a0d96eb..5d5ff82 100644 --- a/kernel/net/netfilter/ipset/ip_set_getport.c +++ b/kernel/net/netfilter/ipset/ip_set_getport.c @@ -8,7 +8,7 @@ /* Get Layer-4 data from the packets */ #include <linux/version.h> -#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 2, 0) +#ifdef HAVE_EXPORT_H #include <linux/export.h> #endif #include <linux/ip.h> @@ -21,6 +21,7 @@ #include <net/ipv6.h> #include <linux/netfilter/ipset/ip_set_getport.h> +#include <linux/netfilter/ipset/ip_set_compat.h> /* We must handle non-linear skbs */ static bool @@ -138,7 +139,7 @@ ip_set_get_ip6_port(const struct sk_buff *skb, bool src, __be16 frag_off = 0; nexthdr = ipv6_hdr(skb)->nexthdr; -#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 3, 0) +#if HAVE_IPV6_SKIP_EXTHDR_ARGS == 4 protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, &frag_off); #else diff --git a/kernel/net/netfilter/ipset/pfxlen.c b/kernel/net/netfilter/ipset/pfxlen.c index 1fe890f..e69f5ef 100644 --- a/kernel/net/netfilter/ipset/pfxlen.c +++ b/kernel/net/netfilter/ipset/pfxlen.c @@ -1,5 +1,5 @@ #include <linux/version.h> -#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 2, 0) +#ifdef HAVE_EXPORT_H #include <linux/export.h> #endif #include <linux/netfilter/ipset/pfxlen.h> diff --git a/kernel/net/netfilter/xt_set.c b/kernel/net/netfilter/xt_set.c index 4a4cee9..46fdbe0 100644 --- a/kernel/net/netfilter/xt_set.c +++ b/kernel/net/netfilter/xt_set.c @@ -28,16 +28,18 @@ MODULE_ALIAS("ip6t_set"); MODULE_ALIAS("ipt_SET"); MODULE_ALIAS("ip6t_SET"); -#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35) +#ifdef HAVE_CHECKENTRY_BOOL #define CHECK_OK 1 #define CHECK_FAIL(err) 0 #define CONST const #define FTYPE bool +#define XT_PAR_NET(par) NULL #else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */ #define CHECK_OK 0 #define CHECK_FAIL(err) (err) #define CONST #define FTYPE int +#define XT_PAR_NET(par) (par)->net #endif static inline int @@ -94,7 +96,7 @@ set_match_v0_checkentry(const struct xt_mtchk_param *par) struct xt_set_info_match_v0 *info = par->matchinfo; ip_set_id_t index; - index = ip_set_nfnl_get_byindex(par->net, info->match_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->match_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find set indentified by id %u to match\n", @@ -104,7 +106,7 @@ set_match_v0_checkentry(const struct xt_mtchk_param *par) if (info->match_set.u.flags[IPSET_DIM_MAX-1] != 0) { pr_warning("Protocol error: set match dimension " "is over the limit!\n"); - ip_set_nfnl_put(par->net, info->match_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->match_set.index); return CHECK_FAIL(-ERANGE); } @@ -119,7 +121,7 @@ set_match_v0_destroy(const struct xt_mtdtor_param *par) { struct xt_set_info_match_v0 *info = par->matchinfo; - ip_set_nfnl_put(par->net, info->match_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->match_set.index); } /* Revision 1 */ @@ -144,7 +146,7 @@ set_match_v1_checkentry(const struct xt_mtchk_param *par) struct xt_set_info_match_v1 *info = par->matchinfo; ip_set_id_t index; - index = ip_set_nfnl_get_byindex(par->net, info->match_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->match_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find set indentified by id %u to match\n", @@ -154,7 +156,7 @@ set_match_v1_checkentry(const struct xt_mtchk_param *par) if (info->match_set.dim > IPSET_DIM_MAX) { pr_warning("Protocol error: set match dimension " "is over the limit!\n"); - ip_set_nfnl_put(par->net, info->match_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->match_set.index); return CHECK_FAIL(-ERANGE); } @@ -166,7 +168,7 @@ set_match_v1_destroy(const struct xt_mtdtor_param *par) { struct xt_set_info_match_v1 *info = par->matchinfo; - ip_set_nfnl_put(par->net, info->match_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->match_set.index); } /* Revision 3 match */ @@ -217,7 +219,7 @@ set_match_v3(const struct sk_buff *skb, CONST struct xt_action_param *par) /* Revision 0 interface: backward compatible with netfilter/iptables */ -#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35) +#ifdef HAVE_XT_TARGET_PARAM #undef xt_action_param #define xt_action_param xt_target_param #define CAST_TO_MATCH (const struct xt_match_param *) @@ -249,7 +251,7 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par) ip_set_id_t index; if (info->add_set.index != IPSET_INVALID_ID) { - index = ip_set_nfnl_get_byindex(par->net, info->add_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->add_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find add_set index %u as target\n", info->add_set.index); @@ -258,12 +260,12 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par) } if (info->del_set.index != IPSET_INVALID_ID) { - index = ip_set_nfnl_get_byindex(par->net, info->del_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->del_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find del_set index %u as target\n", info->del_set.index); if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); return CHECK_FAIL(-ENOENT); } } @@ -272,9 +274,9 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par) pr_warning("Protocol error: SET target dimension " "is over the limit!\n"); if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); if (info->del_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->del_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->del_set.index); return CHECK_FAIL(-ERANGE); } @@ -291,9 +293,9 @@ set_target_v0_destroy(const struct xt_tgdtor_param *par) const struct xt_set_info_target_v0 *info = par->targinfo; if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); if (info->del_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->del_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->del_set.index); } /* Revision 1 target */ @@ -322,7 +324,7 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par) ip_set_id_t index; if (info->add_set.index != IPSET_INVALID_ID) { - index = ip_set_nfnl_get_byindex(par->net, info->add_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->add_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find add_set index %u as target\n", info->add_set.index); @@ -331,12 +333,12 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par) } if (info->del_set.index != IPSET_INVALID_ID) { - index = ip_set_nfnl_get_byindex(par->net, info->del_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->del_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find del_set index %u as target\n", info->del_set.index); if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); return CHECK_FAIL(-ENOENT); } } @@ -345,9 +347,9 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par) pr_warning("Protocol error: SET target dimension " "is over the limit!\n"); if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); if (info->del_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->del_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->del_set.index); return CHECK_FAIL(-ERANGE); } @@ -360,9 +362,9 @@ set_target_v1_destroy(const struct xt_tgdtor_param *par) const struct xt_set_info_target_v1 *info = par->targinfo; if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); if (info->del_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->del_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->del_set.index); } /* Revision 2 target */ |