netfilter: xtables: move extension arguments into compound structure (2/6)

This patch does this for match extensions' checkentry functions. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
2026-05-01 15:00:59 -07:00 · 2008-10-08 11:35:18 +02:00
parent f7108a20de
commit 9b4fce7a35
48 changed files with 240 additions and 386 deletions
@@ -193,6 +193,25 @@ struct xt_match_param {
 	bool *hotdrop;
 };
 /**
 * struct xt_mtchk_param - parameters for match extensions'
 * checkentry functions
 *
 * @table:	table the rule is tried to be inserted into
 * @entryinfo:	the family-specific rule data
 * 		(struct ipt_ip, ip6t_ip, ebt_entry)
 * @match:	struct xt_match through which this function was invoked
 * @matchinfo:	per-match data
 * @hook_mask:	via which hooks the new rule is reachable
 */
 struct xt_mtchk_param {
 	const char *table;
 	const void *entryinfo;
 	const struct xt_match *match;
 	void *matchinfo;
 	unsigned int hook_mask;
 };
 struct xt_match
 {
 	struct list_head list;
@@ -208,12 +227,7 @@ struct xt_match
 		      const struct xt_match_param *);
 	/* Called when user tries to insert an entry of this type. */
-	/* Should return true or false. */
+	bool (*checkentry)(const struct xt_mtchk_param *);
 	bool (*checkentry)(const char *tablename,
 			   const void *ip,
 			   const struct xt_match *match,
 			   void *matchinfo,
 			   unsigned int hook_mask);
 	/* Called when entry of this type deleted. */
 	void (*destroy)(const struct xt_match *match, void *matchinfo);
@@ -342,10 +356,8 @@ extern void xt_unregister_match(struct xt_match *target);
 extern int xt_register_matches(struct xt_match *match, unsigned int n);
 extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
-extern int xt_check_match(const struct xt_match *match, unsigned short family,
+extern int xt_check_match(struct xt_mtchk_param *, u_int8_t family,
-			  unsigned int size, const char *table, unsigned int hook,
+			  unsigned int size, u_int8_t proto, bool inv_proto);
 			  unsigned short proto, int inv_proto,
 			  const void *entry, void *matchinfo);
 extern int xt_check_target(const struct xt_target *target, unsigned short family,
 			   unsigned int size, const char *table, unsigned int hook,
 			   unsigned short proto, int inv_proto,
@@ -36,12 +36,9 @@ ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
-static bool
+static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par)
 ebt_802_3_mt_check(const char *table, const void *entry,
 		   const struct xt_match *match, void *data,
 		   unsigned int hook_mask)
 {
-	const struct ebt_802_3_info *info = data;
+	const struct ebt_802_3_info *info = par->matchinfo;
 	if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK)
 		return false;
@@ -171,14 +171,11 @@ ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
-static bool
+static bool ebt_among_mt_check(const struct xt_mtchk_param *par)
 ebt_among_mt_check(const char *table, const void *entry,
 		   const struct xt_match *match, void *data,
 		   unsigned int hook_mask)
 {
 	const struct ebt_among_info *info = par->matchinfo;
 	const struct ebt_entry_match *em =
-		container_of(data, const struct ebt_entry_match, data);
+		container_of(par->matchinfo, const struct ebt_entry_match, data);
 	const struct ebt_among_info *info = data;
 	int expected_length = sizeof(struct ebt_among_info);
 	const struct ebt_mac_wormhash *wh_dst, *wh_src;
 	int err;
@@ -100,13 +100,10 @@ ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
-static bool
+static bool ebt_arp_mt_check(const struct xt_mtchk_param *par)
 ebt_arp_mt_check(const char *table, const void *entry,
 		 const struct xt_match *match, void *data,
 		 unsigned int hook_mask)
 {
-	const struct ebt_arp_info *info = data;
+	const struct ebt_arp_info *info = par->matchinfo;
-	const struct ebt_entry *e = entry;
+	const struct ebt_entry *e = par->entryinfo;
 	if ((e->ethproto != htons(ETH_P_ARP) &&
 	   e->ethproto != htons(ETH_P_RARP)) ||
@@ -77,13 +77,10 @@ ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
-static bool
+static bool ebt_ip_mt_check(const struct xt_mtchk_param *par)
 ebt_ip_mt_check(const char *table, const void *entry,
 		const struct xt_match *match, void *data,
 		unsigned int hook_mask)
 {
-	const struct ebt_ip_info *info = data;
+	const struct ebt_ip_info *info = par->matchinfo;
-	const struct ebt_entry *e = entry;
+	const struct ebt_entry *e = par->entryinfo;
 	if (e->ethproto != htons(ETH_P_IP) ||
 	   e->invflags & EBT_IPROTO)
@@ -90,13 +90,10 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
-static bool
+static bool ebt_ip6_mt_check(const struct xt_mtchk_param *par)
 ebt_ip6_mt_check(const char *table, const void *entry,
 		 const struct xt_match *match, void *data,
 		 unsigned int hook_mask)
 {
-	const struct ebt_entry *e = entry;
+	const struct ebt_entry *e = par->entryinfo;
-	struct ebt_ip6_info *info = data;
+	struct ebt_ip6_info *info = par->matchinfo;
 	if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO)
 		return false;
@@ -64,12 +64,9 @@ user2credits(u_int32_t user)
 	return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE;
 }
-static bool
+static bool ebt_limit_mt_check(const struct xt_mtchk_param *par)
 ebt_limit_mt_check(const char *table, const void *e,
 		   const struct xt_match *match, void *data,
 		   unsigned int hook_mask)
 {
-	struct ebt_limit_info *info = data;
+	struct ebt_limit_info *info = par->matchinfo;
 	/* Check for overflow. */
 	if (info->burst == 0 ||
@@ -22,12 +22,9 @@ ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return ((skb->mark & info->mask) == info->mark) ^ info->invert;
 }
-static bool
+static bool ebt_mark_mt_check(const struct xt_mtchk_param *par)
 ebt_mark_mt_check(const char *table, const void *e,
 		  const struct xt_match *match, void *data,
 		  unsigned int hook_mask)
 {
-	const struct ebt_mark_m_info *info = data;
+	const struct ebt_mark_m_info *info = par->matchinfo;
 	if (info->bitmask & ~EBT_MARK_MASK)
 		return false;
@@ -20,12 +20,9 @@ ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return (skb->pkt_type == info->pkt_type) ^ info->invert;
 }
-static bool
+static bool ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
 ebt_pkttype_mt_check(const char *table, const void *e,
 		     const struct xt_match *match, void *data,
 		     unsigned int hook_mask)
 {
-	const struct ebt_pkttype_info *info = data;
+	const struct ebt_pkttype_info *info = par->matchinfo;
 	if (info->invert != 0 && info->invert != 1)
 		return false;
@@ -153,15 +153,12 @@ ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
-static bool
+static bool ebt_stp_mt_check(const struct xt_mtchk_param *par)
 ebt_stp_mt_check(const char *table, const void *entry,
 		 const struct xt_match *match, void *data,
 		 unsigned int hook_mask)
 {
-	const struct ebt_stp_info *info = data;
+	const struct ebt_stp_info *info = par->matchinfo;
 	const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
 	const uint8_t msk[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
-	const struct ebt_entry *e = entry;
+	const struct ebt_entry *e = par->entryinfo;
 	if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
 	    !(info->bitmask & EBT_STP_MASK))
@@ -84,13 +84,10 @@ ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
-static bool
+static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 ebt_vlan_mt_check(const char *table, const void *entry,
 		  const struct xt_match *match, void *data,
 		  unsigned int hook_mask)
 {
-	struct ebt_vlan_info *info = data;
+	struct ebt_vlan_info *info = par->matchinfo;
-	const struct ebt_entry *e = entry;
+	const struct ebt_entry *e = par->entryinfo;
 	/* Is it 802.1Q frame checked? */
 	if (e->ethproto != htons(ETH_P_8021Q)) {
@@ -324,9 +324,10 @@ find_table_lock(const char *name, int *error, struct mutex *mutex)
 }
 static inline int
-ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
+ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
-   const char *name, unsigned int hookmask, unsigned int *cnt)
+		unsigned int *cnt)
 {
 	const struct ebt_entry *e = par->entryinfo;
 	struct xt_match *match;
 	size_t left = ((char *)e + e->watchers_offset) - (char *)m;
 	int ret;
@@ -343,9 +344,10 @@ ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
 		return -ENOENT;
 	m->u.match = match;
-	ret = xt_check_match(match, NFPROTO_BRIDGE, m->match_size,
+	par->match     = match;
-	      name, hookmask, e->ethproto, e->invflags & EBT_IPROTO,
+	par->matchinfo = m->data;
-	      e, m->data);
+	ret = xt_check_match(par, NFPROTO_BRIDGE, m->match_size,
 	      e->ethproto, e->invflags & EBT_IPROTO);
 	if (ret < 0) {
 		module_put(match->me);
 		return ret;
@@ -607,6 +609,7 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
 	unsigned int i, j, hook = 0, hookmask = 0;
 	size_t gap;
 	int ret;
 	struct xt_mtchk_param par;
 	/* don't mess with the struct ebt_entries */
 	if (e->bitmask == 0)
@@ -647,7 +650,11 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
 			hookmask = cl_s[i - 1].hookmask;
 	}
 	i = 0;
-	ret = EBT_MATCH_ITERATE(e, ebt_check_match, e, name, hookmask, &i);
+
 	par.table     = name;
 	par.entryinfo = e;
 	par.hook_mask = hookmask;
 	ret = EBT_MATCH_ITERATE(e, ebt_check_match, &par, &i);
 	if (ret != 0)
 		goto cleanup_matches;
 	j = 0;
@@ -607,20 +607,20 @@ check_entry(struct ipt_entry *e, const char *name)
 }
 static int
-check_match(struct ipt_entry_match *m, const char *name,
+check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
-			      const struct ipt_ip *ip,
+	    unsigned int *i)
 			      unsigned int hookmask, unsigned int *i)
 {
-	struct xt_match *match;
+	const struct ipt_ip *ip = par->entryinfo;
 	int ret;
-	match = m->u.kernel.match;
+	par->match     = m->u.kernel.match;
-	ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
+	par->matchinfo = m->data;
-			     name, hookmask, ip->proto,
+
-			     ip->invflags & IPT_INV_PROTO, ip, m->data);
+	ret = xt_check_match(par, NFPROTO_IPV4, m->u.match_size - sizeof(*m),
 	      ip->proto, ip->invflags & IPT_INV_PROTO);
 	if (ret < 0) {
 		duprintf("ip_tables: check failed for `%s'.\n",
-			 m->u.kernel.match->name);
+			 par.match->name);
 		return ret;
 	}
 	++*i;
@@ -628,10 +628,7 @@ check_match(struct ipt_entry_match *m, const char *name,
 }
 static int
-find_check_match(struct ipt_entry_match *m,
+find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
 		 const char *name,
 		 const struct ipt_ip *ip,
 		 unsigned int hookmask,
 		 unsigned int *i)
 {
 	struct xt_match *match;
@@ -646,7 +643,7 @@ find_check_match(struct ipt_entry_match *m,
 	}
 	m->u.kernel.match = match;
-	ret = check_match(m, name, ip, hookmask, i);
+	ret = check_match(m, par, i);
 	if (ret)
 		goto err;
@@ -683,14 +680,17 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
 	struct xt_target *target;
 	int ret;
 	unsigned int j;
 	struct xt_mtchk_param mtpar;
 	ret = check_entry(e, name);
 	if (ret)
 		return ret;
 	j = 0;
-	ret = IPT_MATCH_ITERATE(e, find_check_match, name, &e->ip,
+	mtpar.table     = name;
-				e->comefrom, &j);
+	mtpar.entryinfo = &e->ip;
 	mtpar.hook_mask = e->comefrom;
 	ret = IPT_MATCH_ITERATE(e, find_check_match, &mtpar, &j);
 	if (ret != 0)
 		goto cleanup_matches;
@@ -1644,12 +1644,15 @@ static int
 compat_check_entry(struct ipt_entry *e, const char *name,
 				     unsigned int *i)
 {
 	struct xt_mtchk_param mtpar;
 	unsigned int j;
 	int ret;
 	j = 0;
-	ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip,
+	mtpar.table     = name;
-				e->comefrom, &j);
+	mtpar.entryinfo = &e->ip;
 	mtpar.hook_mask = e->comefrom;
 	ret = IPT_MATCH_ITERATE(e, check_match, &mtpar, &j);
 	if (ret)
 		goto cleanup_matches;
@@ -2144,15 +2147,9 @@ icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
 				    !!(icmpinfo->invflags&IPT_ICMP_INV));
 }
-/* Called when user tries to insert an entry of this type. */
+static bool icmp_checkentry(const struct xt_mtchk_param *par)
 static bool
 icmp_checkentry(const char *tablename,
 	   const void *entry,
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int hook_mask)
 {
-	const struct ipt_icmp *icmpinfo = matchinfo;
+	const struct ipt_icmp *icmpinfo = par->matchinfo;
 	/* Must specify no unknown invflags */
 	return !(icmpinfo->invflags & ~IPT_ICMP_INV);
@@ -68,12 +68,9 @@ addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
 	return ret;
 }
-static bool
+static bool addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 addrtype_mt_checkentry_v1(const char *tablename, const void *ip_void,
 			  const struct xt_match *match, void *matchinfo,
 			  unsigned int hook_mask)
 {
-	struct ipt_addrtype_info_v1 *info = matchinfo;
+	struct ipt_addrtype_info_v1 *info = par->matchinfo;
 	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&
 	    info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
@@ -82,14 +79,16 @@ addrtype_mt_checkentry_v1(const char *tablename, const void *ip_void,
 		return false;
 	}
-	if (hook_mask & (1 << NF_INET_PRE_ROUTING | 1 << NF_INET_LOCAL_IN) &&
+	if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
 	    (1 << NF_INET_LOCAL_IN)) &&
 	    info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
 		printk(KERN_ERR "ipt_addrtype: output interface limitation "
 				"not valid in PRE_ROUTING and INPUT\n");
 		return false;
 	}
-	if (hook_mask & (1 << NF_INET_POST_ROUTING | 1 << NF_INET_LOCAL_OUT) &&
+	if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
 	    (1 << NF_INET_LOCAL_OUT)) &&
 	    info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
 		printk(KERN_ERR "ipt_addrtype: input interface limitation "
 				"not valid in POST_ROUTING and OUTPUT\n");
@@ -61,13 +61,9 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 			 !!(ahinfo->invflags & IPT_AH_INV_SPI));
 }
-/* Called when user tries to insert an entry of this type. */
+static bool ah_mt_check(const struct xt_mtchk_param *par)
 static bool
 ah_mt_check(const char *tablename, const void *ip_void,
            const struct xt_match *match, void *matchinfo,
            unsigned int hook_mask)
 {
-	const struct ipt_ah *ahinfo = matchinfo;
+	const struct ipt_ah *ahinfo = par->matchinfo;
 	/* Must specify no unknown invflags */
 	if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
@@ -85,13 +85,10 @@ static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
-static bool
+static bool ecn_mt_check(const struct xt_mtchk_param *par)
 ecn_mt_check(const char *tablename, const void *ip_void,
             const struct xt_match *match, void *matchinfo,
             unsigned int hook_mask)
 {
-	const struct ipt_ecn_info *info = matchinfo;
+	const struct ipt_ecn_info *info = par->matchinfo;
-	const struct ipt_ip *ip = ip_void;
+	const struct ipt_ip *ip = par->entryinfo;
 	if (info->operation & IPT_ECN_OP_MATCH_MASK)
 		return false;
@@ -629,20 +629,20 @@ check_entry(struct ip6t_entry *e, const char *name)
 	return 0;
 }
-static int check_match(struct ip6t_entry_match *m, const char *name,
+static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
-			      const struct ip6t_ip6 *ipv6,
+		       unsigned int *i)
 			      unsigned int hookmask, unsigned int *i)
 {
-	struct xt_match *match;
+	const struct ip6t_ip6 *ipv6 = par->entryinfo;
 	int ret;
-	match = m->u.kernel.match;
+	par->match     = m->u.kernel.match;
-	ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
+	par->matchinfo = m->data;
-			     name, hookmask, ipv6->proto,
+
-			     ipv6->invflags & IP6T_INV_PROTO, ipv6, m->data);
+	ret = xt_check_match(par, NFPROTO_IPV6, m->u.match_size - sizeof(*m),
 			     ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
 	if (ret < 0) {
 		duprintf("ip_tables: check failed for `%s'.\n",
-			 m->u.kernel.match->name);
+			 par.match->name);
 		return ret;
 	}
 	++*i;
@@ -650,10 +650,7 @@ static int check_match(struct ip6t_entry_match *m, const char *name,
 }
 static int
-find_check_match(struct ip6t_entry_match *m,
+find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
 		 const char *name,
 		 const struct ip6t_ip6 *ipv6,
 		 unsigned int hookmask,
 		 unsigned int *i)
 {
 	struct xt_match *match;
@@ -668,7 +665,7 @@ find_check_match(struct ip6t_entry_match *m,
 	}
 	m->u.kernel.match = match;
-	ret = check_match(m, name, ipv6, hookmask, i);
+	ret = check_match(m, par, i);
 	if (ret)
 		goto err;
@@ -705,14 +702,17 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
 	struct xt_target *target;
 	int ret;
 	unsigned int j;
 	struct xt_mtchk_param mtpar;
 	ret = check_entry(e, name);
 	if (ret)
 		return ret;
 	j = 0;
-	ret = IP6T_MATCH_ITERATE(e, find_check_match, name, &e->ipv6,
+	mtpar.table     = name;
-				 e->comefrom, &j);
+	mtpar.entryinfo = &e->ipv6;
 	mtpar.hook_mask = e->comefrom;
 	ret = IP6T_MATCH_ITERATE(e, find_check_match, &mtpar, &j);
 	if (ret != 0)
 		goto cleanup_matches;
@@ -1669,10 +1669,13 @@ static int compat_check_entry(struct ip6t_entry *e, const char *name,
 {
 	unsigned int j;
 	int ret;
 	struct xt_mtchk_param mtpar;
 	j = 0;
-	ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6,
+	mtpar.table     = name;
-				 e->comefrom, &j);
+	mtpar.entryinfo = &e->ipv6;
 	mtpar.hook_mask = e->comefrom;
 	ret = IP6T_MATCH_ITERATE(e, check_match, &mtpar, &j);
 	if (ret)
 		goto cleanup_matches;
@@ -2166,14 +2169,9 @@ icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 /* Called when user tries to insert an entry of this type. */
-static bool
+static bool icmp6_checkentry(const struct xt_mtchk_param *par)
 icmp6_checkentry(const char *tablename,
 	   const void *entry,
 	   const struct xt_match *match,
 	   void *matchinfo,
 	   unsigned int hook_mask)
 {
-	const struct ip6t_icmp *icmpinfo = matchinfo;
+	const struct ip6t_icmp *icmpinfo = par->matchinfo;
 	/* Must specify no unknown invflags */
 	return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
@@ -90,13 +90,9 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 	       !(ahinfo->hdrres && ah->reserved);
 }
-/* Called when user tries to insert an entry of this type. */
+static bool ah_mt6_check(const struct xt_mtchk_param *par)
 static bool
 ah_mt6_check(const char *tablename, const void *entry,
             const struct xt_match *match, void *matchinfo,
             unsigned int hook_mask)
 {
-	const struct ip6t_ah *ahinfo = matchinfo;
+	const struct ip6t_ah *ahinfo = par->matchinfo;
 	if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
 		pr_debug("ip6t_ah: unknown flags %X\n", ahinfo->invflags);
@@ -107,13 +107,9 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 		 && (ntohs(fh->frag_off) & IP6_MF));
 }
-/* Called when user tries to insert an entry of this type. */
+static bool frag_mt6_check(const struct xt_mtchk_param *par)
 static bool
 frag_mt6_check(const char *tablename, const void *ip,
               const struct xt_match *match, void *matchinfo,
               unsigned int hook_mask)
 {
-	const struct ip6t_frag *fraginfo = matchinfo;
+	const struct ip6t_frag *fraginfo = par->matchinfo;
 	if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
 		pr_debug("ip6t_frag: unknown flags %X\n", fraginfo->invflags);
@@ -160,13 +160,9 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 	return false;
 }
-/* Called when user tries to insert an entry of this type. */
+static bool hbh_mt6_check(const struct xt_mtchk_param *par)
 static bool
 hbh_mt6_check(const char *tablename, const void *entry,
              const struct xt_match *match, void *matchinfo,
              unsigned int hook_mask)
 {
-	const struct ip6t_opts *optsinfo = matchinfo;
+	const struct ip6t_opts *optsinfo = par->matchinfo;
 	if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
 		pr_debug("ip6t_opts: unknown flags %X\n", optsinfo->invflags);
--- a/Show More
+++ b/Show More