2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 #include <linux/kernel.h>
16 #include <linux/capability.h>
18 #include <linux/skbuff.h>
19 #include <linux/kmod.h>
20 #include <linux/vmalloc.h>
21 #include <linux/netdevice.h>
22 #include <linux/module.h>
23 #include <linux/poison.h>
24 #include <linux/icmpv6.h>
26 #include <net/compat.h>
27 #include <asm/uaccess.h>
28 #include <linux/mutex.h>
29 #include <linux/proc_fs.h>
30 #include <linux/err.h>
31 #include <linux/cpumask.h>
33 #include <linux/netfilter_ipv6/ip6_tables.h>
34 #include <linux/netfilter/x_tables.h>
35 #include <net/netfilter/nf_log.h>
36 #include "../../netfilter/xt_repldata.h"
38 MODULE_LICENSE("GPL");
39 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
40 MODULE_DESCRIPTION("IPv6 packet filter");
42 /*#define DEBUG_IP_FIREWALL*/
43 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
44 /*#define DEBUG_IP_FIREWALL_USER*/
46 #ifdef DEBUG_IP_FIREWALL
47 #define dprintf(format, args...) pr_info(format , ## args)
49 #define dprintf(format, args...)
52 #ifdef DEBUG_IP_FIREWALL_USER
53 #define duprintf(format, args...) pr_info(format , ## args)
55 #define duprintf(format, args...)
58 #ifdef CONFIG_NETFILTER_DEBUG
59 #define IP_NF_ASSERT(x) WARN_ON(!(x))
61 #define IP_NF_ASSERT(x)
65 /* All the better to debug you with... */
70 void *ip6t_alloc_initial_table(const struct xt_table *info)
72 return xt_alloc_initial_table(ip6t, IP6T);
74 EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
77 We keep a set of rules for each CPU, so we can avoid write-locking
78 them in the softirq when updating the counters and therefore
79 only need to read-lock in the softirq; doing a write_lock_bh() in user
80 context stops packets coming through and allows user context to read
81 the counters or update the rules.
83 Hence the start of any table is given by get_table() below. */
85 /* Returns whether matches rule or not. */
86 /* Performance critical - called for every packet */
88 ip6_packet_match(const struct sk_buff *skb,
91 const struct ip6t_ip6 *ip6info,
92 unsigned int *protoff,
93 int *fragoff, bool *hotdrop)
96 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
98 #define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
100 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
101 &ip6info->src), IP6T_INV_SRCIP) ||
102 FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
103 &ip6info->dst), IP6T_INV_DSTIP)) {
104 dprintf("Source or dest mismatch.\n");
106 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
107 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
108 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
109 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
110 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
111 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
115 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
117 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
118 dprintf("VIA in mismatch (%s vs %s).%s\n",
119 indev, ip6info->iniface,
120 ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
124 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
126 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
127 dprintf("VIA out mismatch (%s vs %s).%s\n",
128 outdev, ip6info->outiface,
129 ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
133 /* ... might want to do something with class and flowlabel here ... */
135 /* look for the desired protocol header */
136 if((ip6info->flags & IP6T_F_PROTO)) {
138 unsigned short _frag_off;
140 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off, NULL);
146 *fragoff = _frag_off;
148 dprintf("Packet protocol %hi ?= %s%hi.\n",
150 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
153 if (ip6info->proto == protohdr) {
154 if(ip6info->invflags & IP6T_INV_PROTO) {
160 /* We need match for the '-p all', too! */
161 if ((ip6info->proto != 0) &&
162 !(ip6info->invflags & IP6T_INV_PROTO))
168 /* should be ip6 safe */
170 ip6_checkentry(const struct ip6t_ip6 *ipv6)
172 if (ipv6->flags & ~IP6T_F_MASK) {
173 duprintf("Unknown flag bits set: %08X\n",
174 ipv6->flags & ~IP6T_F_MASK);
177 if (ipv6->invflags & ~IP6T_INV_MASK) {
178 duprintf("Unknown invflag bits set: %08X\n",
179 ipv6->invflags & ~IP6T_INV_MASK);
186 ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
188 net_info_ratelimited("error: `%s'\n", (const char *)par->targinfo);
193 static inline struct ip6t_entry *
194 get_entry(const void *base, unsigned int offset)
196 return (struct ip6t_entry *)(base + offset);
199 /* All zeroes == unconditional rule. */
200 /* Mildly perf critical (only if packet tracing is on) */
201 static inline bool unconditional(const struct ip6t_ip6 *ipv6)
203 static const struct ip6t_ip6 uncond;
205 return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
208 static inline const struct xt_entry_target *
209 ip6t_get_target_c(const struct ip6t_entry *e)
211 return ip6t_get_target((struct ip6t_entry *)e);
214 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
215 /* This cries for unification! */
216 static const char *const hooknames[] = {
217 [NF_INET_PRE_ROUTING] = "PREROUTING",
218 [NF_INET_LOCAL_IN] = "INPUT",
219 [NF_INET_FORWARD] = "FORWARD",
220 [NF_INET_LOCAL_OUT] = "OUTPUT",
221 [NF_INET_POST_ROUTING] = "POSTROUTING",
224 enum nf_ip_trace_comments {
225 NF_IP6_TRACE_COMMENT_RULE,
226 NF_IP6_TRACE_COMMENT_RETURN,
227 NF_IP6_TRACE_COMMENT_POLICY,
230 static const char *const comments[] = {
231 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
232 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
233 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
236 static struct nf_loginfo trace_loginfo = {
237 .type = NF_LOG_TYPE_LOG,
240 .level = LOGLEVEL_WARNING,
241 .logflags = NF_LOG_MASK,
246 /* Mildly perf critical (only if packet tracing is on) */
248 get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
249 const char *hookname, const char **chainname,
250 const char **comment, unsigned int *rulenum)
252 const struct xt_standard_target *t = (void *)ip6t_get_target_c(s);
254 if (strcmp(t->target.u.kernel.target->name, XT_ERROR_TARGET) == 0) {
255 /* Head of user chain: ERROR target with chainname */
256 *chainname = t->target.data;
261 if (s->target_offset == sizeof(struct ip6t_entry) &&
262 strcmp(t->target.u.kernel.target->name,
263 XT_STANDARD_TARGET) == 0 &&
265 unconditional(&s->ipv6)) {
266 /* Tail of chains: STANDARD target (return/policy) */
267 *comment = *chainname == hookname
268 ? comments[NF_IP6_TRACE_COMMENT_POLICY]
269 : comments[NF_IP6_TRACE_COMMENT_RETURN];
278 static void trace_packet(const struct sk_buff *skb,
280 const struct net_device *in,
281 const struct net_device *out,
282 const char *tablename,
283 const struct xt_table_info *private,
284 const struct ip6t_entry *e)
286 const void *table_base;
287 const struct ip6t_entry *root;
288 const char *hookname, *chainname, *comment;
289 const struct ip6t_entry *iter;
290 unsigned int rulenum = 0;
291 struct net *net = dev_net(in ? in : out);
293 table_base = private->entries[smp_processor_id()];
294 root = get_entry(table_base, private->hook_entry[hook]);
296 hookname = chainname = hooknames[hook];
297 comment = comments[NF_IP6_TRACE_COMMENT_RULE];
299 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
300 if (get_chainname_rulenum(iter, e, hookname,
301 &chainname, &comment, &rulenum) != 0)
304 nf_log_trace(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
305 "TRACE: %s:%s:%s:%u ",
306 tablename, chainname, comment, rulenum);
310 static inline __pure struct ip6t_entry *
311 ip6t_next_entry(const struct ip6t_entry *entry)
313 return (void *)entry + entry->next_offset;
316 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
318 ip6t_do_table(struct sk_buff *skb,
320 const struct nf_hook_state *state,
321 struct xt_table *table)
323 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
324 /* Initializing verdict to NF_DROP keeps gcc happy. */
325 unsigned int verdict = NF_DROP;
326 const char *indev, *outdev;
327 const void *table_base;
328 struct ip6t_entry *e, **jumpstack;
329 unsigned int *stackptr, origptr, cpu;
330 const struct xt_table_info *private;
331 struct xt_action_param acpar;
335 indev = state->in ? state->in->name : nulldevname;
336 outdev = state->out ? state->out->name : nulldevname;
337 /* We handle fragments by dealing with the first fragment as
338 * if it was a normal packet. All other fragments are treated
339 * normally, except that they will NEVER match rules that ask
340 * things we don't know, ie. tcp syn flag or ports). If the
341 * rule is also a fragment-specific rule, non-fragments won't
343 acpar.hotdrop = false;
344 acpar.in = state->in;
345 acpar.out = state->out;
346 acpar.family = NFPROTO_IPV6;
347 acpar.hooknum = hook;
349 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
352 addend = xt_write_recseq_begin();
353 private = table->private;
355 * Ensure we load private-> members after we've fetched the base
358 smp_read_barrier_depends();
359 cpu = smp_processor_id();
360 table_base = private->entries[cpu];
361 jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
362 stackptr = per_cpu_ptr(private->stackptr, cpu);
365 e = get_entry(table_base, private->hook_entry[hook]);
368 const struct xt_entry_target *t;
369 const struct xt_entry_match *ematch;
373 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
374 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
376 e = ip6t_next_entry(e);
380 xt_ematch_foreach(ematch, e) {
381 acpar.match = ematch->u.kernel.match;
382 acpar.matchinfo = ematch->data;
383 if (!acpar.match->match(skb, &acpar))
387 ADD_COUNTER(e->counters, skb->len, 1);
389 t = ip6t_get_target_c(e);
390 IP_NF_ASSERT(t->u.kernel.target);
392 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
393 /* The packet is traced: log it */
394 if (unlikely(skb->nf_trace))
395 trace_packet(skb, hook, state->in, state->out,
396 table->name, private, e);
398 /* Standard target? */
399 if (!t->u.kernel.target->target) {
402 v = ((struct xt_standard_target *)t)->verdict;
404 /* Pop from stack? */
405 if (v != XT_RETURN) {
406 verdict = (unsigned int)(-v) - 1;
409 if (*stackptr <= origptr)
410 e = get_entry(table_base,
411 private->underflow[hook]);
413 e = ip6t_next_entry(jumpstack[--*stackptr]);
416 if (table_base + v != ip6t_next_entry(e) &&
417 !(e->ipv6.flags & IP6T_F_GOTO)) {
418 if (*stackptr >= private->stacksize) {
422 jumpstack[(*stackptr)++] = e;
425 e = get_entry(table_base, v);
429 acpar.target = t->u.kernel.target;
430 acpar.targinfo = t->data;
432 verdict = t->u.kernel.target->target(skb, &acpar);
433 if (verdict == XT_CONTINUE)
434 e = ip6t_next_entry(e);
438 } while (!acpar.hotdrop);
442 xt_write_recseq_end(addend);
445 #ifdef DEBUG_ALLOW_ALL
454 /* Figures out from what hook each rule can be called: returns 0 if
455 there are loops. Puts hook bitmask in comefrom. */
457 mark_source_chains(const struct xt_table_info *newinfo,
458 unsigned int valid_hooks, void *entry0)
462 /* No recursion; use packet counter to save back ptrs (reset
463 to 0 as we leave), and comefrom to save source hook bitmask */
464 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
465 unsigned int pos = newinfo->hook_entry[hook];
466 struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
468 if (!(valid_hooks & (1 << hook)))
471 /* Set initial back pointer. */
472 e->counters.pcnt = pos;
475 const struct xt_standard_target *t
476 = (void *)ip6t_get_target_c(e);
477 int visited = e->comefrom & (1 << hook);
479 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
480 pr_err("iptables: loop hook %u pos %u %08X.\n",
481 hook, pos, e->comefrom);
484 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
486 /* Unconditional return/END. */
487 if ((e->target_offset == sizeof(struct ip6t_entry) &&
488 (strcmp(t->target.u.user.name,
489 XT_STANDARD_TARGET) == 0) &&
491 unconditional(&e->ipv6)) || visited) {
492 unsigned int oldpos, size;
494 if ((strcmp(t->target.u.user.name,
495 XT_STANDARD_TARGET) == 0) &&
496 t->verdict < -NF_MAX_VERDICT - 1) {
497 duprintf("mark_source_chains: bad "
498 "negative verdict (%i)\n",
503 /* Return: backtrack through the last
506 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
507 #ifdef DEBUG_IP_FIREWALL_USER
509 & (1 << NF_INET_NUMHOOKS)) {
510 duprintf("Back unset "
517 pos = e->counters.pcnt;
518 e->counters.pcnt = 0;
520 /* We're at the start. */
524 e = (struct ip6t_entry *)
526 } while (oldpos == pos + e->next_offset);
529 size = e->next_offset;
530 e = (struct ip6t_entry *)
531 (entry0 + pos + size);
532 e->counters.pcnt = pos;
535 int newpos = t->verdict;
537 if (strcmp(t->target.u.user.name,
538 XT_STANDARD_TARGET) == 0 &&
540 if (newpos > newinfo->size -
541 sizeof(struct ip6t_entry)) {
542 duprintf("mark_source_chains: "
543 "bad verdict (%i)\n",
547 /* This a jump; chase it. */
548 duprintf("Jump rule %u -> %u\n",
551 /* ... this is a fallthru */
552 newpos = pos + e->next_offset;
554 e = (struct ip6t_entry *)
556 e->counters.pcnt = pos;
561 duprintf("Finished chain %u\n", hook);
566 static void cleanup_match(struct xt_entry_match *m, struct net *net)
568 struct xt_mtdtor_param par;
571 par.match = m->u.kernel.match;
572 par.matchinfo = m->data;
573 par.family = NFPROTO_IPV6;
574 if (par.match->destroy != NULL)
575 par.match->destroy(&par);
576 module_put(par.match->me);
580 check_entry(const struct ip6t_entry *e, const char *name)
582 const struct xt_entry_target *t;
584 if (!ip6_checkentry(&e->ipv6)) {
585 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
589 if (e->target_offset + sizeof(struct xt_entry_target) >
593 t = ip6t_get_target_c(e);
594 if (e->target_offset + t->u.target_size > e->next_offset)
600 static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
602 const struct ip6t_ip6 *ipv6 = par->entryinfo;
605 par->match = m->u.kernel.match;
606 par->matchinfo = m->data;
608 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
609 ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
611 duprintf("ip_tables: check failed for `%s'.\n",
619 find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
621 struct xt_match *match;
624 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
627 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
628 return PTR_ERR(match);
630 m->u.kernel.match = match;
632 ret = check_match(m, par);
638 module_put(m->u.kernel.match->me);
642 static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
644 struct xt_entry_target *t = ip6t_get_target(e);
645 struct xt_tgchk_param par = {
649 .target = t->u.kernel.target,
651 .hook_mask = e->comefrom,
652 .family = NFPROTO_IPV6,
656 t = ip6t_get_target(e);
657 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
658 e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
660 duprintf("ip_tables: check failed for `%s'.\n",
661 t->u.kernel.target->name);
668 find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
671 struct xt_entry_target *t;
672 struct xt_target *target;
675 struct xt_mtchk_param mtpar;
676 struct xt_entry_match *ematch;
678 ret = check_entry(e, name);
685 mtpar.entryinfo = &e->ipv6;
686 mtpar.hook_mask = e->comefrom;
687 mtpar.family = NFPROTO_IPV6;
688 xt_ematch_foreach(ematch, e) {
689 ret = find_check_match(ematch, &mtpar);
691 goto cleanup_matches;
695 t = ip6t_get_target(e);
696 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
698 if (IS_ERR(target)) {
699 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
700 ret = PTR_ERR(target);
701 goto cleanup_matches;
703 t->u.kernel.target = target;
705 ret = check_target(e, net, name);
710 module_put(t->u.kernel.target->me);
712 xt_ematch_foreach(ematch, e) {
715 cleanup_match(ematch, net);
720 static bool check_underflow(const struct ip6t_entry *e)
722 const struct xt_entry_target *t;
723 unsigned int verdict;
725 if (!unconditional(&e->ipv6))
727 t = ip6t_get_target_c(e);
728 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
730 verdict = ((struct xt_standard_target *)t)->verdict;
731 verdict = -verdict - 1;
732 return verdict == NF_DROP || verdict == NF_ACCEPT;
736 check_entry_size_and_hooks(struct ip6t_entry *e,
737 struct xt_table_info *newinfo,
738 const unsigned char *base,
739 const unsigned char *limit,
740 const unsigned int *hook_entries,
741 const unsigned int *underflows,
742 unsigned int valid_hooks)
746 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
747 (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
748 duprintf("Bad offset %p\n", e);
753 < sizeof(struct ip6t_entry) + sizeof(struct xt_entry_target)) {
754 duprintf("checking: element %p size %u\n",
759 /* Check hooks & underflows */
760 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
761 if (!(valid_hooks & (1 << h)))
763 if ((unsigned char *)e - base == hook_entries[h])
764 newinfo->hook_entry[h] = hook_entries[h];
765 if ((unsigned char *)e - base == underflows[h]) {
766 if (!check_underflow(e)) {
767 pr_err("Underflows must be unconditional and "
768 "use the STANDARD target with "
772 newinfo->underflow[h] = underflows[h];
776 /* Clear counters and comefrom */
777 e->counters = ((struct xt_counters) { 0, 0 });
782 static void cleanup_entry(struct ip6t_entry *e, struct net *net)
784 struct xt_tgdtor_param par;
785 struct xt_entry_target *t;
786 struct xt_entry_match *ematch;
788 /* Cleanup all matches */
789 xt_ematch_foreach(ematch, e)
790 cleanup_match(ematch, net);
791 t = ip6t_get_target(e);
794 par.target = t->u.kernel.target;
795 par.targinfo = t->data;
796 par.family = NFPROTO_IPV6;
797 if (par.target->destroy != NULL)
798 par.target->destroy(&par);
799 module_put(par.target->me);
802 /* Checks and translates the user-supplied table segment (held in
805 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
806 const struct ip6t_replace *repl)
808 struct ip6t_entry *iter;
812 newinfo->size = repl->size;
813 newinfo->number = repl->num_entries;
815 /* Init all hooks to impossible value. */
816 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
817 newinfo->hook_entry[i] = 0xFFFFFFFF;
818 newinfo->underflow[i] = 0xFFFFFFFF;
821 duprintf("translate_table: size %u\n", newinfo->size);
823 /* Walk through entries, checking offsets. */
824 xt_entry_foreach(iter, entry0, newinfo->size) {
825 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
833 if (strcmp(ip6t_get_target(iter)->u.user.name,
834 XT_ERROR_TARGET) == 0)
835 ++newinfo->stacksize;
838 if (i != repl->num_entries) {
839 duprintf("translate_table: %u not %u entries\n",
840 i, repl->num_entries);
844 /* Check hooks all assigned */
845 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
846 /* Only hooks which are valid */
847 if (!(repl->valid_hooks & (1 << i)))
849 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
850 duprintf("Invalid hook entry %u %u\n",
851 i, repl->hook_entry[i]);
854 if (newinfo->underflow[i] == 0xFFFFFFFF) {
855 duprintf("Invalid underflow %u %u\n",
856 i, repl->underflow[i]);
861 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
864 /* Finally, each sanity check must pass */
866 xt_entry_foreach(iter, entry0, newinfo->size) {
867 ret = find_check_entry(iter, net, repl->name, repl->size);
874 xt_entry_foreach(iter, entry0, newinfo->size) {
877 cleanup_entry(iter, net);
882 /* And one copy for every other CPU */
883 for_each_possible_cpu(i) {
884 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
885 memcpy(newinfo->entries[i], entry0, newinfo->size);
892 get_counters(const struct xt_table_info *t,
893 struct xt_counters counters[])
895 struct ip6t_entry *iter;
899 for_each_possible_cpu(cpu) {
900 seqcount_t *s = &per_cpu(xt_recseq, cpu);
903 xt_entry_foreach(iter, t->entries[cpu], t->size) {
908 start = read_seqcount_begin(s);
909 bcnt = iter->counters.bcnt;
910 pcnt = iter->counters.pcnt;
911 } while (read_seqcount_retry(s, start));
913 ADD_COUNTER(counters[i], bcnt, pcnt);
919 static struct xt_counters *alloc_counters(const struct xt_table *table)
921 unsigned int countersize;
922 struct xt_counters *counters;
923 const struct xt_table_info *private = table->private;
925 /* We need atomic snapshot of counters: rest doesn't change
926 (other than comefrom, which userspace doesn't care
928 countersize = sizeof(struct xt_counters) * private->number;
929 counters = vzalloc(countersize);
931 if (counters == NULL)
932 return ERR_PTR(-ENOMEM);
934 get_counters(private, counters);
940 copy_entries_to_user(unsigned int total_size,
941 const struct xt_table *table,
942 void __user *userptr)
944 unsigned int off, num;
945 const struct ip6t_entry *e;
946 struct xt_counters *counters;
947 const struct xt_table_info *private = table->private;
949 const void *loc_cpu_entry;
951 counters = alloc_counters(table);
952 if (IS_ERR(counters))
953 return PTR_ERR(counters);
955 /* choose the copy that is on our node/cpu, ...
956 * This choice is lazy (because current thread is
957 * allowed to migrate to another cpu)
959 loc_cpu_entry = private->entries[raw_smp_processor_id()];
960 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
965 /* FIXME: use iterator macros --RR */
966 /* ... then go back and fix counters and names */
967 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
969 const struct xt_entry_match *m;
970 const struct xt_entry_target *t;
972 e = (struct ip6t_entry *)(loc_cpu_entry + off);
973 if (copy_to_user(userptr + off
974 + offsetof(struct ip6t_entry, counters),
976 sizeof(counters[num])) != 0) {
981 for (i = sizeof(struct ip6t_entry);
982 i < e->target_offset;
983 i += m->u.match_size) {
986 if (copy_to_user(userptr + off + i
987 + offsetof(struct xt_entry_match,
989 m->u.kernel.match->name,
990 strlen(m->u.kernel.match->name)+1)
997 t = ip6t_get_target_c(e);
998 if (copy_to_user(userptr + off + e->target_offset
999 + offsetof(struct xt_entry_target,
1001 t->u.kernel.target->name,
1002 strlen(t->u.kernel.target->name)+1) != 0) {
1013 #ifdef CONFIG_COMPAT
1014 static void compat_standard_from_user(void *dst, const void *src)
1016 int v = *(compat_int_t *)src;
1019 v += xt_compat_calc_jump(AF_INET6, v);
1020 memcpy(dst, &v, sizeof(v));
1023 static int compat_standard_to_user(void __user *dst, const void *src)
1025 compat_int_t cv = *(int *)src;
1028 cv -= xt_compat_calc_jump(AF_INET6, cv);
1029 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1032 static int compat_calc_entry(const struct ip6t_entry *e,
1033 const struct xt_table_info *info,
1034 const void *base, struct xt_table_info *newinfo)
1036 const struct xt_entry_match *ematch;
1037 const struct xt_entry_target *t;
1038 unsigned int entry_offset;
1041 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1042 entry_offset = (void *)e - base;
1043 xt_ematch_foreach(ematch, e)
1044 off += xt_compat_match_offset(ematch->u.kernel.match);
1045 t = ip6t_get_target_c(e);
1046 off += xt_compat_target_offset(t->u.kernel.target);
1047 newinfo->size -= off;
1048 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1052 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1053 if (info->hook_entry[i] &&
1054 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
1055 newinfo->hook_entry[i] -= off;
1056 if (info->underflow[i] &&
1057 (e < (struct ip6t_entry *)(base + info->underflow[i])))
1058 newinfo->underflow[i] -= off;
1063 static int compat_table_info(const struct xt_table_info *info,
1064 struct xt_table_info *newinfo)
1066 struct ip6t_entry *iter;
1067 void *loc_cpu_entry;
1070 if (!newinfo || !info)
1073 /* we dont care about newinfo->entries[] */
1074 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1075 newinfo->initial_entries = 0;
1076 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1077 xt_compat_init_offsets(AF_INET6, info->number);
1078 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
1079 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
1087 static int get_info(struct net *net, void __user *user,
1088 const int *len, int compat)
1090 char name[XT_TABLE_MAXNAMELEN];
1094 if (*len != sizeof(struct ip6t_getinfo)) {
1095 duprintf("length %u != %zu\n", *len,
1096 sizeof(struct ip6t_getinfo));
1100 if (copy_from_user(name, user, sizeof(name)) != 0)
1103 name[XT_TABLE_MAXNAMELEN-1] = '\0';
1104 #ifdef CONFIG_COMPAT
1106 xt_compat_lock(AF_INET6);
1108 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1109 "ip6table_%s", name);
1110 if (!IS_ERR_OR_NULL(t)) {
1111 struct ip6t_getinfo info;
1112 const struct xt_table_info *private = t->private;
1113 #ifdef CONFIG_COMPAT
1114 struct xt_table_info tmp;
1117 ret = compat_table_info(private, &tmp);
1118 xt_compat_flush_offsets(AF_INET6);
1122 memset(&info, 0, sizeof(info));
1123 info.valid_hooks = t->valid_hooks;
1124 memcpy(info.hook_entry, private->hook_entry,
1125 sizeof(info.hook_entry));
1126 memcpy(info.underflow, private->underflow,
1127 sizeof(info.underflow));
1128 info.num_entries = private->number;
1129 info.size = private->size;
1130 strcpy(info.name, name);
1132 if (copy_to_user(user, &info, *len) != 0)
1140 ret = t ? PTR_ERR(t) : -ENOENT;
1141 #ifdef CONFIG_COMPAT
1143 xt_compat_unlock(AF_INET6);
1149 get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
1153 struct ip6t_get_entries get;
1156 if (*len < sizeof(get)) {
1157 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1160 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1162 if (*len != sizeof(struct ip6t_get_entries) + get.size) {
1163 duprintf("get_entries: %u != %zu\n",
1164 *len, sizeof(get) + get.size);
1168 t = xt_find_table_lock(net, AF_INET6, get.name);
1169 if (!IS_ERR_OR_NULL(t)) {
1170 struct xt_table_info *private = t->private;
1171 duprintf("t->private->number = %u\n", private->number);
1172 if (get.size == private->size)
1173 ret = copy_entries_to_user(private->size,
1174 t, uptr->entrytable);
1176 duprintf("get_entries: I've got %u not %u!\n",
1177 private->size, get.size);
1183 ret = t ? PTR_ERR(t) : -ENOENT;
1189 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1190 struct xt_table_info *newinfo, unsigned int num_counters,
1191 void __user *counters_ptr)
1195 struct xt_table_info *oldinfo;
1196 struct xt_counters *counters;
1197 const void *loc_cpu_old_entry;
1198 struct ip6t_entry *iter;
1201 counters = vzalloc(num_counters * sizeof(struct xt_counters));
1207 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1208 "ip6table_%s", name);
1209 if (IS_ERR_OR_NULL(t)) {
1210 ret = t ? PTR_ERR(t) : -ENOENT;
1211 goto free_newinfo_counters_untrans;
1215 if (valid_hooks != t->valid_hooks) {
1216 duprintf("Valid hook crap: %08X vs %08X\n",
1217 valid_hooks, t->valid_hooks);
1222 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1226 /* Update module usage count based on number of rules */
1227 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1228 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1229 if ((oldinfo->number > oldinfo->initial_entries) ||
1230 (newinfo->number <= oldinfo->initial_entries))
1232 if ((oldinfo->number > oldinfo->initial_entries) &&
1233 (newinfo->number <= oldinfo->initial_entries))
1236 /* Get the old counters, and synchronize with replace */
1237 get_counters(oldinfo, counters);
1239 /* Decrease module usage counts and free resource */
1240 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1241 xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
1242 cleanup_entry(iter, net);
1244 xt_free_table_info(oldinfo);
1245 if (copy_to_user(counters_ptr, counters,
1246 sizeof(struct xt_counters) * num_counters) != 0) {
1247 /* Silent error, can't fail, new table is already in place */
1248 net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
1257 free_newinfo_counters_untrans:
1264 do_replace(struct net *net, const void __user *user, unsigned int len)
1267 struct ip6t_replace tmp;
1268 struct xt_table_info *newinfo;
1269 void *loc_cpu_entry;
1270 struct ip6t_entry *iter;
1272 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1275 /* overflow check */
1276 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1278 if (tmp.num_counters == 0)
1281 tmp.name[sizeof(tmp.name)-1] = 0;
1283 newinfo = xt_alloc_table_info(tmp.size);
1287 /* choose the copy that is on our node/cpu */
1288 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1289 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1295 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1299 duprintf("ip_tables: Translated table\n");
1301 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1302 tmp.num_counters, tmp.counters);
1304 goto free_newinfo_untrans;
1307 free_newinfo_untrans:
1308 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1309 cleanup_entry(iter, net);
1311 xt_free_table_info(newinfo);
1316 do_add_counters(struct net *net, const void __user *user, unsigned int len,
1319 unsigned int i, curcpu;
1320 struct xt_counters_info tmp;
1321 struct xt_counters *paddc;
1322 unsigned int num_counters;
1327 const struct xt_table_info *private;
1329 const void *loc_cpu_entry;
1330 struct ip6t_entry *iter;
1331 unsigned int addend;
1332 #ifdef CONFIG_COMPAT
1333 struct compat_xt_counters_info compat_tmp;
1337 size = sizeof(struct compat_xt_counters_info);
1342 size = sizeof(struct xt_counters_info);
1345 if (copy_from_user(ptmp, user, size) != 0)
1348 #ifdef CONFIG_COMPAT
1350 num_counters = compat_tmp.num_counters;
1351 name = compat_tmp.name;
1355 num_counters = tmp.num_counters;
1359 if (len != size + num_counters * sizeof(struct xt_counters))
1362 paddc = vmalloc(len - size);
1366 if (copy_from_user(paddc, user + size, len - size) != 0) {
1371 t = xt_find_table_lock(net, AF_INET6, name);
1372 if (IS_ERR_OR_NULL(t)) {
1373 ret = t ? PTR_ERR(t) : -ENOENT;
1379 private = t->private;
1380 if (private->number != num_counters) {
1382 goto unlock_up_free;
1386 /* Choose the copy that is on our node */
1387 curcpu = smp_processor_id();
1388 addend = xt_write_recseq_begin();
1389 loc_cpu_entry = private->entries[curcpu];
1390 xt_entry_foreach(iter, loc_cpu_entry, private->size) {
1391 ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
1394 xt_write_recseq_end(addend);
1406 #ifdef CONFIG_COMPAT
1407 struct compat_ip6t_replace {
1408 char name[XT_TABLE_MAXNAMELEN];
1412 u32 hook_entry[NF_INET_NUMHOOKS];
1413 u32 underflow[NF_INET_NUMHOOKS];
1415 compat_uptr_t counters; /* struct xt_counters * */
1416 struct compat_ip6t_entry entries[0];
1420 compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1421 unsigned int *size, struct xt_counters *counters,
1424 struct xt_entry_target *t;
1425 struct compat_ip6t_entry __user *ce;
1426 u_int16_t target_offset, next_offset;
1427 compat_uint_t origsize;
1428 const struct xt_entry_match *ematch;
1432 ce = (struct compat_ip6t_entry __user *)*dstptr;
1433 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
1434 copy_to_user(&ce->counters, &counters[i],
1435 sizeof(counters[i])) != 0)
1438 *dstptr += sizeof(struct compat_ip6t_entry);
1439 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1441 xt_ematch_foreach(ematch, e) {
1442 ret = xt_compat_match_to_user(ematch, dstptr, size);
1446 target_offset = e->target_offset - (origsize - *size);
1447 t = ip6t_get_target(e);
1448 ret = xt_compat_target_to_user(t, dstptr, size);
1451 next_offset = e->next_offset - (origsize - *size);
1452 if (put_user(target_offset, &ce->target_offset) != 0 ||
1453 put_user(next_offset, &ce->next_offset) != 0)
1459 compat_find_calc_match(struct xt_entry_match *m,
1461 const struct ip6t_ip6 *ipv6,
1462 unsigned int hookmask,
1465 struct xt_match *match;
1467 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1468 m->u.user.revision);
1469 if (IS_ERR(match)) {
1470 duprintf("compat_check_calc_match: `%s' not found\n",
1472 return PTR_ERR(match);
1474 m->u.kernel.match = match;
1475 *size += xt_compat_match_offset(match);
1479 static void compat_release_entry(struct compat_ip6t_entry *e)
1481 struct xt_entry_target *t;
1482 struct xt_entry_match *ematch;
1484 /* Cleanup all matches */
1485 xt_ematch_foreach(ematch, e)
1486 module_put(ematch->u.kernel.match->me);
1487 t = compat_ip6t_get_target(e);
1488 module_put(t->u.kernel.target->me);
1492 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1493 struct xt_table_info *newinfo,
1495 const unsigned char *base,
1496 const unsigned char *limit,
1497 const unsigned int *hook_entries,
1498 const unsigned int *underflows,
1501 struct xt_entry_match *ematch;
1502 struct xt_entry_target *t;
1503 struct xt_target *target;
1504 unsigned int entry_offset;
1508 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1509 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
1510 (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
1511 duprintf("Bad offset %p, limit = %p\n", e, limit);
1515 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1516 sizeof(struct compat_xt_entry_target)) {
1517 duprintf("checking: element %p size %u\n",
1522 /* For purposes of check_entry casting the compat entry is fine */
1523 ret = check_entry((struct ip6t_entry *)e, name);
1527 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1528 entry_offset = (void *)e - (void *)base;
1530 xt_ematch_foreach(ematch, e) {
1531 ret = compat_find_calc_match(ematch, name,
1532 &e->ipv6, e->comefrom, &off);
1534 goto release_matches;
1538 t = compat_ip6t_get_target(e);
1539 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1540 t->u.user.revision);
1541 if (IS_ERR(target)) {
1542 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1544 ret = PTR_ERR(target);
1545 goto release_matches;
1547 t->u.kernel.target = target;
1549 off += xt_compat_target_offset(target);
1551 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1555 /* Check hooks & underflows */
1556 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1557 if ((unsigned char *)e - base == hook_entries[h])
1558 newinfo->hook_entry[h] = hook_entries[h];
1559 if ((unsigned char *)e - base == underflows[h])
1560 newinfo->underflow[h] = underflows[h];
1563 /* Clear counters and comefrom */
1564 memset(&e->counters, 0, sizeof(e->counters));
1569 module_put(t->u.kernel.target->me);
1571 xt_ematch_foreach(ematch, e) {
1574 module_put(ematch->u.kernel.match->me);
1580 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1581 unsigned int *size, const char *name,
1582 struct xt_table_info *newinfo, unsigned char *base)
1584 struct xt_entry_target *t;
1585 struct ip6t_entry *de;
1586 unsigned int origsize;
1588 struct xt_entry_match *ematch;
1592 de = (struct ip6t_entry *)*dstptr;
1593 memcpy(de, e, sizeof(struct ip6t_entry));
1594 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1596 *dstptr += sizeof(struct ip6t_entry);
1597 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1599 xt_ematch_foreach(ematch, e) {
1600 ret = xt_compat_match_from_user(ematch, dstptr, size);
1604 de->target_offset = e->target_offset - (origsize - *size);
1605 t = compat_ip6t_get_target(e);
1606 xt_compat_target_from_user(t, dstptr, size);
1608 de->next_offset = e->next_offset - (origsize - *size);
1609 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1610 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1611 newinfo->hook_entry[h] -= origsize - *size;
1612 if ((unsigned char *)de - base < newinfo->underflow[h])
1613 newinfo->underflow[h] -= origsize - *size;
1618 static int compat_check_entry(struct ip6t_entry *e, struct net *net,
1623 struct xt_mtchk_param mtpar;
1624 struct xt_entry_match *ematch;
1629 mtpar.entryinfo = &e->ipv6;
1630 mtpar.hook_mask = e->comefrom;
1631 mtpar.family = NFPROTO_IPV6;
1632 xt_ematch_foreach(ematch, e) {
1633 ret = check_match(ematch, &mtpar);
1635 goto cleanup_matches;
1639 ret = check_target(e, net, name);
1641 goto cleanup_matches;
1645 xt_ematch_foreach(ematch, e) {
1648 cleanup_match(ematch, net);
1654 translate_compat_table(struct net *net,
1656 unsigned int valid_hooks,
1657 struct xt_table_info **pinfo,
1659 unsigned int total_size,
1660 unsigned int number,
1661 unsigned int *hook_entries,
1662 unsigned int *underflows)
1665 struct xt_table_info *newinfo, *info;
1666 void *pos, *entry0, *entry1;
1667 struct compat_ip6t_entry *iter0;
1668 struct ip6t_entry *iter1;
1675 info->number = number;
1677 /* Init all hooks to impossible value. */
1678 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1679 info->hook_entry[i] = 0xFFFFFFFF;
1680 info->underflow[i] = 0xFFFFFFFF;
1683 duprintf("translate_compat_table: size %u\n", info->size);
1685 xt_compat_lock(AF_INET6);
1686 xt_compat_init_offsets(AF_INET6, number);
1687 /* Walk through entries, checking offsets. */
1688 xt_entry_foreach(iter0, entry0, total_size) {
1689 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1691 entry0 + total_size,
1702 duprintf("translate_compat_table: %u not %u entries\n",
1707 /* Check hooks all assigned */
1708 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1709 /* Only hooks which are valid */
1710 if (!(valid_hooks & (1 << i)))
1712 if (info->hook_entry[i] == 0xFFFFFFFF) {
1713 duprintf("Invalid hook entry %u %u\n",
1714 i, hook_entries[i]);
1717 if (info->underflow[i] == 0xFFFFFFFF) {
1718 duprintf("Invalid underflow %u %u\n",
1725 newinfo = xt_alloc_table_info(size);
1729 newinfo->number = number;
1730 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1731 newinfo->hook_entry[i] = info->hook_entry[i];
1732 newinfo->underflow[i] = info->underflow[i];
1734 entry1 = newinfo->entries[raw_smp_processor_id()];
1737 xt_entry_foreach(iter0, entry0, total_size) {
1738 ret = compat_copy_entry_from_user(iter0, &pos, &size,
1739 name, newinfo, entry1);
1743 xt_compat_flush_offsets(AF_INET6);
1744 xt_compat_unlock(AF_INET6);
1749 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1753 xt_entry_foreach(iter1, entry1, newinfo->size) {
1754 ret = compat_check_entry(iter1, net, name);
1758 if (strcmp(ip6t_get_target(iter1)->u.user.name,
1759 XT_ERROR_TARGET) == 0)
1760 ++newinfo->stacksize;
1764 * The first i matches need cleanup_entry (calls ->destroy)
1765 * because they had called ->check already. The other j-i
1766 * entries need only release.
1770 xt_entry_foreach(iter0, entry0, newinfo->size) {
1775 compat_release_entry(iter0);
1777 xt_entry_foreach(iter1, entry1, newinfo->size) {
1780 cleanup_entry(iter1, net);
1782 xt_free_table_info(newinfo);
1786 /* And one copy for every other CPU */
1787 for_each_possible_cpu(i)
1788 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1789 memcpy(newinfo->entries[i], entry1, newinfo->size);
1793 xt_free_table_info(info);
1797 xt_free_table_info(newinfo);
1799 xt_entry_foreach(iter0, entry0, total_size) {
1802 compat_release_entry(iter0);
1806 xt_compat_flush_offsets(AF_INET6);
1807 xt_compat_unlock(AF_INET6);
1812 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1815 struct compat_ip6t_replace tmp;
1816 struct xt_table_info *newinfo;
1817 void *loc_cpu_entry;
1818 struct ip6t_entry *iter;
1820 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1823 /* overflow check */
1824 if (tmp.size >= INT_MAX / num_possible_cpus())
1826 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1828 if (tmp.num_counters == 0)
1831 tmp.name[sizeof(tmp.name)-1] = 0;
1833 newinfo = xt_alloc_table_info(tmp.size);
1837 /* choose the copy that is on our node/cpu */
1838 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1839 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1845 ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
1846 &newinfo, &loc_cpu_entry, tmp.size,
1847 tmp.num_entries, tmp.hook_entry,
1852 duprintf("compat_do_replace: Translated table\n");
1854 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1855 tmp.num_counters, compat_ptr(tmp.counters));
1857 goto free_newinfo_untrans;
1860 free_newinfo_untrans:
1861 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1862 cleanup_entry(iter, net);
1864 xt_free_table_info(newinfo);
1869 compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1874 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1878 case IP6T_SO_SET_REPLACE:
1879 ret = compat_do_replace(sock_net(sk), user, len);
1882 case IP6T_SO_SET_ADD_COUNTERS:
1883 ret = do_add_counters(sock_net(sk), user, len, 1);
1887 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1894 struct compat_ip6t_get_entries {
1895 char name[XT_TABLE_MAXNAMELEN];
1897 struct compat_ip6t_entry entrytable[0];
1901 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1902 void __user *userptr)
1904 struct xt_counters *counters;
1905 const struct xt_table_info *private = table->private;
1909 const void *loc_cpu_entry;
1911 struct ip6t_entry *iter;
1913 counters = alloc_counters(table);
1914 if (IS_ERR(counters))
1915 return PTR_ERR(counters);
1917 /* choose the copy that is on our node/cpu, ...
1918 * This choice is lazy (because current thread is
1919 * allowed to migrate to another cpu)
1921 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1924 xt_entry_foreach(iter, loc_cpu_entry, total_size) {
1925 ret = compat_copy_entry_to_user(iter, &pos,
1926 &size, counters, i++);
1936 compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1940 struct compat_ip6t_get_entries get;
1943 if (*len < sizeof(get)) {
1944 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1948 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1951 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size) {
1952 duprintf("compat_get_entries: %u != %zu\n",
1953 *len, sizeof(get) + get.size);
1957 xt_compat_lock(AF_INET6);
1958 t = xt_find_table_lock(net, AF_INET6, get.name);
1959 if (!IS_ERR_OR_NULL(t)) {
1960 const struct xt_table_info *private = t->private;
1961 struct xt_table_info info;
1962 duprintf("t->private->number = %u\n", private->number);
1963 ret = compat_table_info(private, &info);
1964 if (!ret && get.size == info.size) {
1965 ret = compat_copy_entries_to_user(private->size,
1966 t, uptr->entrytable);
1968 duprintf("compat_get_entries: I've got %u not %u!\n",
1969 private->size, get.size);
1972 xt_compat_flush_offsets(AF_INET6);
1976 ret = t ? PTR_ERR(t) : -ENOENT;
1978 xt_compat_unlock(AF_INET6);
1982 static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1985 compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1989 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1993 case IP6T_SO_GET_INFO:
1994 ret = get_info(sock_net(sk), user, len, 1);
1996 case IP6T_SO_GET_ENTRIES:
1997 ret = compat_get_entries(sock_net(sk), user, len);
2000 ret = do_ip6t_get_ctl(sk, cmd, user, len);
2007 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2011 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2015 case IP6T_SO_SET_REPLACE:
2016 ret = do_replace(sock_net(sk), user, len);
2019 case IP6T_SO_SET_ADD_COUNTERS:
2020 ret = do_add_counters(sock_net(sk), user, len, 0);
2024 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
2032 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2036 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2040 case IP6T_SO_GET_INFO:
2041 ret = get_info(sock_net(sk), user, len, 0);
2044 case IP6T_SO_GET_ENTRIES:
2045 ret = get_entries(sock_net(sk), user, len);
2048 case IP6T_SO_GET_REVISION_MATCH:
2049 case IP6T_SO_GET_REVISION_TARGET: {
2050 struct xt_get_revision rev;
2053 if (*len != sizeof(rev)) {
2057 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2061 rev.name[sizeof(rev.name)-1] = 0;
2063 if (cmd == IP6T_SO_GET_REVISION_TARGET)
2068 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
2071 "ip6t_%s", rev.name);
2076 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
2083 struct xt_table *ip6t_register_table(struct net *net,
2084 const struct xt_table *table,
2085 const struct ip6t_replace *repl)
2088 struct xt_table_info *newinfo;
2089 struct xt_table_info bootstrap = {0};
2090 void *loc_cpu_entry;
2091 struct xt_table *new_table;
2093 newinfo = xt_alloc_table_info(repl->size);
2099 /* choose the copy on our node/cpu, but dont care about preemption */
2100 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2101 memcpy(loc_cpu_entry, repl->entries, repl->size);
2103 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
2107 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2108 if (IS_ERR(new_table)) {
2109 ret = PTR_ERR(new_table);
2115 xt_free_table_info(newinfo);
2117 return ERR_PTR(ret);
2120 void ip6t_unregister_table(struct net *net, struct xt_table *table)
2122 struct xt_table_info *private;
2123 void *loc_cpu_entry;
2124 struct module *table_owner = table->me;
2125 struct ip6t_entry *iter;
2127 private = xt_unregister_table(table);
2129 /* Decrease module usage counts and free resources */
2130 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2131 xt_entry_foreach(iter, loc_cpu_entry, private->size)
2132 cleanup_entry(iter, net);
2133 if (private->number > private->initial_entries)
2134 module_put(table_owner);
2135 xt_free_table_info(private);
2138 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2140 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2141 u_int8_t type, u_int8_t code,
2144 return (type == test_type && code >= min_code && code <= max_code)
2149 icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
2151 const struct icmp6hdr *ic;
2152 struct icmp6hdr _icmph;
2153 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2155 /* Must not be a fragment. */
2156 if (par->fragoff != 0)
2159 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2161 /* We've been asked to examine this packet, and we
2162 * can't. Hence, no choice but to drop.
2164 duprintf("Dropping evil ICMP tinygram.\n");
2165 par->hotdrop = true;
2169 return icmp6_type_code_match(icmpinfo->type,
2172 ic->icmp6_type, ic->icmp6_code,
2173 !!(icmpinfo->invflags&IP6T_ICMP_INV));
2176 /* Called when user tries to insert an entry of this type. */
2177 static int icmp6_checkentry(const struct xt_mtchk_param *par)
2179 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2181 /* Must specify no unknown invflags */
2182 return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
2185 /* The built-in targets: standard (NULL) and error. */
2186 static struct xt_target ip6t_builtin_tg[] __read_mostly = {
2188 .name = XT_STANDARD_TARGET,
2189 .targetsize = sizeof(int),
2190 .family = NFPROTO_IPV6,
2191 #ifdef CONFIG_COMPAT
2192 .compatsize = sizeof(compat_int_t),
2193 .compat_from_user = compat_standard_from_user,
2194 .compat_to_user = compat_standard_to_user,
2198 .name = XT_ERROR_TARGET,
2199 .target = ip6t_error,
2200 .targetsize = XT_FUNCTION_MAXNAMELEN,
2201 .family = NFPROTO_IPV6,
2205 static struct nf_sockopt_ops ip6t_sockopts = {
2207 .set_optmin = IP6T_BASE_CTL,
2208 .set_optmax = IP6T_SO_SET_MAX+1,
2209 .set = do_ip6t_set_ctl,
2210 #ifdef CONFIG_COMPAT
2211 .compat_set = compat_do_ip6t_set_ctl,
2213 .get_optmin = IP6T_BASE_CTL,
2214 .get_optmax = IP6T_SO_GET_MAX+1,
2215 .get = do_ip6t_get_ctl,
2216 #ifdef CONFIG_COMPAT
2217 .compat_get = compat_do_ip6t_get_ctl,
2219 .owner = THIS_MODULE,
2222 static struct xt_match ip6t_builtin_mt[] __read_mostly = {
2225 .match = icmp6_match,
2226 .matchsize = sizeof(struct ip6t_icmp),
2227 .checkentry = icmp6_checkentry,
2228 .proto = IPPROTO_ICMPV6,
2229 .family = NFPROTO_IPV6,
2233 static int __net_init ip6_tables_net_init(struct net *net)
2235 return xt_proto_init(net, NFPROTO_IPV6);
2238 static void __net_exit ip6_tables_net_exit(struct net *net)
2240 xt_proto_fini(net, NFPROTO_IPV6);
2243 static struct pernet_operations ip6_tables_net_ops = {
2244 .init = ip6_tables_net_init,
2245 .exit = ip6_tables_net_exit,
2248 static int __init ip6_tables_init(void)
2252 ret = register_pernet_subsys(&ip6_tables_net_ops);
2256 /* No one else will be downing sem now, so we won't sleep */
2257 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2260 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2264 /* Register setsockopt */
2265 ret = nf_register_sockopt(&ip6t_sockopts);
2269 pr_info("(C) 2000-2006 Netfilter Core Team\n");
2273 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2275 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2277 unregister_pernet_subsys(&ip6_tables_net_ops);
2282 static void __exit ip6_tables_fini(void)
2284 nf_unregister_sockopt(&ip6t_sockopts);
2286 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2287 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2288 unregister_pernet_subsys(&ip6_tables_net_ops);
2291 EXPORT_SYMBOL(ip6t_register_table);
2292 EXPORT_SYMBOL(ip6t_unregister_table);
2293 EXPORT_SYMBOL(ip6t_do_table);
2295 module_init(ip6_tables_init);
2296 module_exit(ip6_tables_fini);
Code Review / kvmfornfv.git / blob