--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -248,6 +248,33 @@ struct ipt_entry *ipt_next_entry(const s
+@@ -249,6 +249,33 @@ struct ipt_entry *ipt_next_entry(const s
return (void *)entry + entry->next_offset;
}
/* Returns one of the generic firewall policies, like NF_ACCEPT. */
unsigned int
ipt_do_table(struct sk_buff *skb,
-@@ -268,24 +295,8 @@ ipt_do_table(struct sk_buff *skb,
+@@ -269,27 +296,28 @@ ipt_do_table(struct sk_buff *skb,
unsigned int addend;
/* Initialization */
-- stackidx = 0;
-- ip = ip_hdr(skb);
-- indev = state->in ? state->in->name : nulldevname;
-- outdev = state->out ? state->out->name : nulldevname;
-- /* We handle fragments by dealing with the first fragment as
-- * if it was a normal packet. All other fragments are treated
-- * normally, except that they will NEVER match rules that ask
-- * things we don't know, ie. tcp syn flag or ports). If the
-- * rule is also a fragment-specific rule, non-fragments won't
-- * match it. */
-- acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
-- acpar.thoff = ip_hdrlen(skb);
-- acpar.hotdrop = false;
-- acpar.state = state;
--
- WARN_ON(!(table->valid_hooks & (1 << hook)));
- local_bh_disable();
-- addend = xt_write_recseq_begin();
- private = table->private;
- cpu = smp_processor_id();
- /*
-@@ -294,6 +305,23 @@ ipt_do_table(struct sk_buff *skb,
- */
- smp_read_barrier_depends();
- table_base = private->entries;
++ WARN_ON(!(table->valid_hooks & (1 << hook)));
++ local_bh_disable();
++ private = READ_ONCE(table->private); /* Address dependency. */
++ cpu = smp_processor_id();
++ table_base = private->entries;
+
+ e = get_entry(table_base, private->hook_entry[hook]);
+ if (ipt_handle_default_rule(e, &verdict)) {
+ return verdict;
+ }
+
-+ stackidx = 0;
-+ ip = ip_hdr(skb);
-+ indev = state->in ? state->in->name : nulldevname;
-+ outdev = state->out ? state->out->name : nulldevname;
-+
-+ addend = xt_write_recseq_begin();
+ stackidx = 0;
+ ip = ip_hdr(skb);
+ indev = state->in ? state->in->name : nulldevname;
+ outdev = state->out ? state->out->name : nulldevname;
+- /* We handle fragments by dealing with the first fragment as
+- * if it was a normal packet. All other fragments are treated
+- * normally, except that they will NEVER match rules that ask
+- * things we don't know, ie. tcp syn flag or ports). If the
+- * rule is also a fragment-specific rule, non-fragments won't
+- * match it. */
+- acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
+- acpar.thoff = ip_hdrlen(skb);
+- acpar.hotdrop = false;
+- acpar.state = state;
+
+- WARN_ON(!(table->valid_hooks & (1 << hook)));
+- local_bh_disable();
+ addend = xt_write_recseq_begin();
+- private = READ_ONCE(table->private); /* Address dependency. */
+- cpu = smp_processor_id();
+- table_base = private->entries;
jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
/* Switch to alternate jumpstack if we're being invoked via TEE.
-@@ -306,7 +334,16 @@ ipt_do_table(struct sk_buff *skb,
+@@ -302,7 +330,16 @@ ipt_do_table(struct sk_buff *skb,
if (static_key_false(&xt_tee_enabled))
jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
projects / openwrt / staging / dedeckeh.git / blobdiff