|
@@ -337,7 +337,6 @@ ip6t_do_table(struct sk_buff *skb,
|
|
|
struct xt_table *table)
|
|
|
{
|
|
|
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
|
|
- bool hotdrop = false;
|
|
|
/* Initializing verdict to NF_DROP keeps gcc happy. */
|
|
|
unsigned int verdict = NF_DROP;
|
|
|
const char *indev, *outdev;
|
|
@@ -356,7 +355,7 @@ ip6t_do_table(struct sk_buff *skb,
|
|
|
* things we don't know, ie. tcp syn flag or ports). If the
|
|
|
* rule is also a fragment-specific rule, non-fragments won't
|
|
|
* match it. */
|
|
|
- acpar.hotdrop = &hotdrop;
|
|
|
+ acpar.hotdrop = false;
|
|
|
acpar.in = in;
|
|
|
acpar.out = out;
|
|
|
acpar.family = NFPROTO_IPV6;
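Review bot: `acpar.hotdrop = false;` is now the only initialisation of the drop flag, because the local `bool hotdrop = false;` is removed in the first hunk and nothing visible here shows `acpar` being zeroed where it is declared. The flag is later handed to `ip6_packet_match()` and read by both `while (!acpar.hotdrop)` and the final `if (acpar.hotdrop) return NF_DROP;`, so if this line were lost in a later edit the verdict would depend on stack contents. The comment directly above it describes fragment handling, not the flag, so the assignment should get its own comment, e.g. `/* Sole initialisation of the drop flag; must precede the first match call. */`. The body of ip6t_do_table starts and ends outside this hunk.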
|
|
@@ -380,7 +379,7 @@ ip6t_do_table(struct sk_buff *skb,
|
|
|
|
|
|
IP_NF_ASSERT(e);
|
|
|
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
|
|
|
- &acpar.thoff, &acpar.fragoff, &hotdrop)) {
|
|
|
+ &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
|
|
|
no_match:
|
|
|
e = ip6t_next_entry(e);
|
|
|
continue;
|
|
@@ -447,7 +446,7 @@ ip6t_do_table(struct sk_buff *skb,
|
|
|
else
|
|
|
/* Verdict */
|
|
|
break;
|
|
|
- } while (!hotdrop);
|
|
|
+ } while (!acpar.hotdrop);
|
|
|
|
|
|
xt_info_rdunlock_bh();
|
|
|
*stackptr = origptr;
|
|
@@ -455,7 +454,7 @@ ip6t_do_table(struct sk_buff *skb,
|
|
|
#ifdef DEBUG_ALLOW_ALL
|
|
|
return NF_ACCEPT;
|
|
|
#else
|
|
|
- if (hotdrop)
|
|
|
+ if (acpar.hotdrop)
|
|
|
return NF_DROP;
|
|
|
else return verdict;
|
|
|
#endif
|
|
@@ -2170,7 +2169,7 @@ icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
|
|
|
* can't. Hence, no choice but to drop.
|
|
|
*/
|
|
|
duprintf("Dropping evil ICMP tinygram.\n");
|
|
|
- *par->hotdrop = true;
|
|
|
+ par->hotdrop = true;
|
|
|
return false;
|
|
|
}
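Review bot: `par->hotdrop = true;` now stores the drop request in whatever struct `par` points to, so it reaches ip6t_do_table only if `par` is the same `acpar` tested at `while (!acpar.hotdrop)`. With the old `bool *` member, a copied `xt_action_param` still aliased the caller's flag. With a plain `bool` member, a copy would silently discard the request, and since this branch returns `false` the packet would simply fall through to the next rule instead of being dropped. No such copy is visible in these hunks, but the contract should be stated where the member is declared (outside this page), along the lines of `/* set by matches; callers must pass their own xt_action_param, never a copy */`. The body of icmp6_match starts outside the hunk.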
|
|
|
|