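--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -319,6 +319,33 @@ struct ipt_entry *ipt_next_entry(const s
 return (void *)entry + entry->next_offset;
 }
 
+static bool
+ipt_handle_default_rule(struct ipt_entry *e, unsigned int *verdict)
+{
+ struct xt_entry_target *t;
+ struct xt_standard_target *st;
+
+ if (e->target_offset != sizeof(struct ipt_entry))
+ return false;
+
+ if (!(e->ip.flags & IPT_F_NO_DEF_MATCH))
+ return false;
+
+ t = ipt_get_target(e);
+ if (t->u.kernel.target->target)
+ return false;
+
+ st = (struct xt_standard_target *) t;
+ if (st->verdict == XT_RETURN)
+ return false;
+
+ if (st->verdict >= 0)
+ return false;
+
+ *verdict = (unsigned)(-st->verdict) - 1;
+ return true;
+}
+
 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
 unsigned int
 ipt_do_table(struct sk_buff *skb,
@@ -342,6 +369,23 @@ ipt_do_table(struct sk_buff *skb,
 ip = ip_hdr(skb);
 indev = in ? in->name : nulldevname;
 outdev = out ? out->name : nulldevname;
+
+ IP_NF_ASSERT(table->valid_hooks & (1 << hook));
+ xt_info_rdlock_bh();
+ private = table->private;
+ cpu = smp_processor_id();
+ table_base = private->entries[cpu];
+ jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
+ stackptr = per_cpu_ptr(private->stackptr, cpu);
+ origptr = *stackptr;
+
+ e = get_entry(table_base, private->hook_entry[hook]);
+ if (ipt_handle_default_rule(e, &verdict)) {
+ ADD_COUNTER(e->counters, skb->len, 1);
+ xt_info_rdunlock_bh();
+ return verdict;
+ }
+
 /* We handle fragments by dealing with the first fragment as
 * if it was a normal packet. All other fragments are treated
 * normally, except that they will NEVER match rules that ask
@@ -356,17 +400,6 @@ ipt_do_table(struct sk_buff *skb,
 acpar.family = NFPROTO_IPV4;
 acpar.hooknum = hook;
 
- IP_NF_ASSERT(table->valid_hooks & (1 << hook));
- xt_info_rdlock_bh();
- private = table->private;
- cpu = smp_processor_id();
- table_base = private->entries[cpu];
- jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
- stackptr = per_cpu_ptr(private->stackptr, cpu);
- origptr = *stackptr;
-
- e = get_entry(table_base, private->hook_entry[hook]);
-
 pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n",
 table->name, hook, origptr,
 get_entry(table_base, private->underflow[hook]));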
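Review bot: ipt_handle_default_rule in the first hunk carries no comment saying which entries it recognises or why each test is there, and the early return it enables in ipt_do_table (second hunk) bypasses the whole rule walk, so a reader has to reconstruct the invariant from the five checks. I would add a header comment on the function describing the four preconditions — an entry with no matches (target_offset equal to sizeof(struct ipt_entry)), an IP header match flagged as a no-op (IPT_F_NO_DEF_MATCH), the standard target (NULL target hook in t->u.kernel.target), and an absolute, non-XT_RETURN verdict — and stating that the verdict it writes uses the same `(unsigned)(-v) - 1` decoding as the main loop, so the two must stay in sync if the encoding ever changes. At the call site, `/* Fast path: match-less standard rule with an absolute verdict; nothing below can change the result. */` would explain why the fragment handling and acpar setup are skipped. Whether the rule walk below also does per-packet debugging or tracing that this path now omits cannot be seen from these hunks and is worth confirming; ipt_do_table begins before the second hunk and continues past the third.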