2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 #include <linux/kernel.h>
16 #include <linux/capability.h>
18 #include <linux/skbuff.h>
19 #include <linux/kmod.h>
20 #include <linux/vmalloc.h>
21 #include <linux/netdevice.h>
22 #include <linux/module.h>
23 #include <linux/poison.h>
24 #include <linux/icmpv6.h>
26 #include <net/compat.h>
27 #include <asm/uaccess.h>
28 #include <linux/mutex.h>
29 #include <linux/proc_fs.h>
30 #include <linux/err.h>
31 #include <linux/cpumask.h>
33 #include <linux/netfilter_ipv6/ip6_tables.h>
34 #include <linux/netfilter/x_tables.h>
35 #include <net/netfilter/nf_log.h>
36 #include "../../netfilter/xt_repldata.h"
38 MODULE_LICENSE("GPL");
39 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
40 MODULE_DESCRIPTION("IPv6 packet filter");
42 /*#define DEBUG_IP_FIREWALL*/
43 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
44 /*#define DEBUG_IP_FIREWALL_USER*/
46 #ifdef DEBUG_IP_FIREWALL
47 #define dprintf(format, args...) pr_info(format , ## args)
49 #define dprintf(format, args...)
52 #ifdef DEBUG_IP_FIREWALL_USER
53 #define duprintf(format, args...) pr_info(format , ## args)
55 #define duprintf(format, args...)
58 #ifdef CONFIG_NETFILTER_DEBUG
59 #define IP_NF_ASSERT(x) WARN_ON(!(x))
61 #define IP_NF_ASSERT(x)
65 /* All the better to debug you with... */
70 void *ip6t_alloc_initial_table(const struct xt_table *info)
72 return xt_alloc_initial_table(ip6t, IP6T);
74 EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
77 We keep a set of rules for each CPU, so we can avoid write-locking
78 them in the softirq when updating the counters and therefore
79 only need to read-lock in the softirq; doing a write_lock_bh() in user
80 context stops packets coming through and allows user context to read
81 the counters or update the rules.
83 Hence the start of any table is given by get_table() below. */
85 /* Returns whether matches rule or not. */
86 /* Performance critical - called for every packet */
88 ip6_packet_match(const struct sk_buff *skb,
91 const struct ip6t_ip6 *ip6info,
92 unsigned int *protoff,
93 int *fragoff, bool *hotdrop)
96 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
98 #define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
100 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
101 &ip6info->src), IP6T_INV_SRCIP) ||
102 FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
103 &ip6info->dst), IP6T_INV_DSTIP)) {
104 dprintf("Source or dest mismatch.\n");
106 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
107 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
108 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
109 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
110 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
111 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
115 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
117 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
118 dprintf("VIA in mismatch (%s vs %s).%s\n",
119 indev, ip6info->iniface,
120 ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
124 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
126 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
127 dprintf("VIA out mismatch (%s vs %s).%s\n",
128 outdev, ip6info->outiface,
129 ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
133 /* ... might want to do something with class and flowlabel here ... */
135 /* look for the desired protocol header */
136 if((ip6info->flags & IP6T_F_PROTO)) {
138 unsigned short _frag_off;
140 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off, NULL);
146 *fragoff = _frag_off;
148 dprintf("Packet protocol %hi ?= %s%hi.\n",
150 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
153 if (ip6info->proto == protohdr) {
154 if(ip6info->invflags & IP6T_INV_PROTO) {
160 /* We need match for the '-p all', too! */
161 if ((ip6info->proto != 0) &&
162 !(ip6info->invflags & IP6T_INV_PROTO))
168 /* should be ip6 safe */
170 ip6_checkentry(const struct ip6t_ip6 *ipv6)
172 if (ipv6->flags & ~IP6T_F_MASK) {
173 duprintf("Unknown flag bits set: %08X\n",
174 ipv6->flags & ~IP6T_F_MASK);
177 if (ipv6->invflags & ~IP6T_INV_MASK) {
178 duprintf("Unknown invflag bits set: %08X\n",
179 ipv6->invflags & ~IP6T_INV_MASK);
186 ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
188 net_info_ratelimited("error: `%s'\n", (const char *)par->targinfo);
193 static inline struct ip6t_entry *
194 get_entry(const void *base, unsigned int offset)
196 return (struct ip6t_entry *)(base + offset);
199 /* All zeroes == unconditional rule. */
200 /* Mildly perf critical (only if packet tracing is on) */
201 static inline bool unconditional(const struct ip6t_ip6 *ipv6)
203 static const struct ip6t_ip6 uncond;
205 return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
208 static inline const struct xt_entry_target *
209 ip6t_get_target_c(const struct ip6t_entry *e)
211 return ip6t_get_target((struct ip6t_entry *)e);
214 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
215 /* This cries for unification! */
216 static const char *const hooknames[] = {
217 [NF_INET_PRE_ROUTING] = "PREROUTING",
218 [NF_INET_LOCAL_IN] = "INPUT",
219 [NF_INET_FORWARD] = "FORWARD",
220 [NF_INET_LOCAL_OUT] = "OUTPUT",
221 [NF_INET_POST_ROUTING] = "POSTROUTING",
224 enum nf_ip_trace_comments {
225 NF_IP6_TRACE_COMMENT_RULE,
226 NF_IP6_TRACE_COMMENT_RETURN,
227 NF_IP6_TRACE_COMMENT_POLICY,
230 static const char *const comments[] = {
231 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
232 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
233 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
236 static struct nf_loginfo trace_loginfo = {
237 .type = NF_LOG_TYPE_LOG,
240 .level = LOGLEVEL_WARNING,
241 .logflags = NF_LOG_MASK,
246 /* Mildly perf critical (only if packet tracing is on) */
248 get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
249 const char *hookname, const char **chainname,
250 const char **comment, unsigned int *rulenum)
252 const struct xt_standard_target *t = (void *)ip6t_get_target_c(s);
254 if (strcmp(t->target.u.kernel.target->name, XT_ERROR_TARGET) == 0) {
255 /* Head of user chain: ERROR target with chainname */
256 *chainname = t->target.data;
261 if (s->target_offset == sizeof(struct ip6t_entry) &&
262 strcmp(t->target.u.kernel.target->name,
263 XT_STANDARD_TARGET) == 0 &&
265 unconditional(&s->ipv6)) {
266 /* Tail of chains: STANDARD target (return/policy) */
267 *comment = *chainname == hookname
268 ? comments[NF_IP6_TRACE_COMMENT_POLICY]
269 : comments[NF_IP6_TRACE_COMMENT_RETURN];
278 static void trace_packet(const struct sk_buff *skb,
280 const struct net_device *in,
281 const struct net_device *out,
282 const char *tablename,
283 const struct xt_table_info *private,
284 const struct ip6t_entry *e)
286 const struct ip6t_entry *root;
287 const char *hookname, *chainname, *comment;
288 const struct ip6t_entry *iter;
289 unsigned int rulenum = 0;
290 struct net *net = dev_net(in ? in : out);
292 root = get_entry(private->entries, private->hook_entry[hook]);
294 hookname = chainname = hooknames[hook];
295 comment = comments[NF_IP6_TRACE_COMMENT_RULE];
297 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
298 if (get_chainname_rulenum(iter, e, hookname,
299 &chainname, &comment, &rulenum) != 0)
302 nf_log_trace(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
303 "TRACE: %s:%s:%s:%u ",
304 tablename, chainname, comment, rulenum);
308 static inline struct ip6t_entry *
309 ip6t_next_entry(const struct ip6t_entry *entry)
311 return (void *)entry + entry->next_offset;
314 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
316 ip6t_do_table(struct sk_buff *skb,
318 const struct nf_hook_state *state,
319 struct xt_table *table)
321 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
322 /* Initializing verdict to NF_DROP keeps gcc happy. */
323 unsigned int verdict = NF_DROP;
324 const char *indev, *outdev;
325 const void *table_base;
326 struct ip6t_entry *e, **jumpstack;
327 unsigned int stackidx, cpu;
328 const struct xt_table_info *private;
329 struct xt_action_param acpar;
334 indev = state->in ? state->in->name : nulldevname;
335 outdev = state->out ? state->out->name : nulldevname;
336 /* We handle fragments by dealing with the first fragment as
337 * if it was a normal packet. All other fragments are treated
338 * normally, except that they will NEVER match rules that ask
339 * things we don't know, ie. tcp syn flag or ports). If the
340 * rule is also a fragment-specific rule, non-fragments won't
342 acpar.hotdrop = false;
343 acpar.in = state->in;
344 acpar.out = state->out;
345 acpar.family = NFPROTO_IPV6;
346 acpar.hooknum = hook;
348 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
351 addend = xt_write_recseq_begin();
352 private = table->private;
354 * Ensure we load private-> members after we've fetched the base
357 smp_read_barrier_depends();
358 cpu = smp_processor_id();
359 table_base = private->entries;
360 jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
362 /* Switch to alternate jumpstack if we're being invoked via TEE.
363 * TEE issues XT_CONTINUE verdict on original skb so we must not
364 * clobber the jumpstack.
366 * For recursion via REJECT or SYNPROXY the stack will be clobbered
367 * but it is no problem since absolute verdict is issued by these.
369 if (static_key_false(&xt_tee_enabled))
370 jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
372 e = get_entry(table_base, private->hook_entry[hook]);
375 const struct xt_entry_target *t;
376 const struct xt_entry_match *ematch;
377 struct xt_counters *counter;
381 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
382 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
384 e = ip6t_next_entry(e);
388 xt_ematch_foreach(ematch, e) {
389 acpar.match = ematch->u.kernel.match;
390 acpar.matchinfo = ematch->data;
391 if (!acpar.match->match(skb, &acpar))
395 counter = xt_get_this_cpu_counter(&e->counters);
396 ADD_COUNTER(*counter, skb->len, 1);
398 t = ip6t_get_target_c(e);
399 IP_NF_ASSERT(t->u.kernel.target);
401 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
402 /* The packet is traced: log it */
403 if (unlikely(skb->nf_trace))
404 trace_packet(skb, hook, state->in, state->out,
405 table->name, private, e);
407 /* Standard target? */
408 if (!t->u.kernel.target->target) {
411 v = ((struct xt_standard_target *)t)->verdict;
413 /* Pop from stack? */
414 if (v != XT_RETURN) {
415 verdict = (unsigned int)(-v) - 1;
419 e = get_entry(table_base,
420 private->underflow[hook]);
422 e = ip6t_next_entry(jumpstack[--stackidx]);
425 if (table_base + v != ip6t_next_entry(e) &&
426 !(e->ipv6.flags & IP6T_F_GOTO)) {
427 jumpstack[stackidx++] = e;
430 e = get_entry(table_base, v);
434 acpar.target = t->u.kernel.target;
435 acpar.targinfo = t->data;
437 verdict = t->u.kernel.target->target(skb, &acpar);
438 if (verdict == XT_CONTINUE)
439 e = ip6t_next_entry(e);
443 } while (!acpar.hotdrop);
445 xt_write_recseq_end(addend);
448 #ifdef DEBUG_ALLOW_ALL
457 /* Figures out from what hook each rule can be called: returns 0 if
458 there are loops. Puts hook bitmask in comefrom. */
460 mark_source_chains(const struct xt_table_info *newinfo,
461 unsigned int valid_hooks, void *entry0)
465 /* No recursion; use packet counter to save back ptrs (reset
466 to 0 as we leave), and comefrom to save source hook bitmask */
467 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
468 unsigned int pos = newinfo->hook_entry[hook];
469 struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
471 if (!(valid_hooks & (1 << hook)))
474 /* Set initial back pointer. */
475 e->counters.pcnt = pos;
478 const struct xt_standard_target *t
479 = (void *)ip6t_get_target_c(e);
480 int visited = e->comefrom & (1 << hook);
482 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
483 pr_err("iptables: loop hook %u pos %u %08X.\n",
484 hook, pos, e->comefrom);
487 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
489 /* Unconditional return/END. */
490 if ((e->target_offset == sizeof(struct ip6t_entry) &&
491 (strcmp(t->target.u.user.name,
492 XT_STANDARD_TARGET) == 0) &&
494 unconditional(&e->ipv6)) || visited) {
495 unsigned int oldpos, size;
497 if ((strcmp(t->target.u.user.name,
498 XT_STANDARD_TARGET) == 0) &&
499 t->verdict < -NF_MAX_VERDICT - 1) {
500 duprintf("mark_source_chains: bad "
501 "negative verdict (%i)\n",
506 /* Return: backtrack through the last
509 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
510 #ifdef DEBUG_IP_FIREWALL_USER
512 & (1 << NF_INET_NUMHOOKS)) {
513 duprintf("Back unset "
520 pos = e->counters.pcnt;
521 e->counters.pcnt = 0;
523 /* We're at the start. */
527 e = (struct ip6t_entry *)
529 } while (oldpos == pos + e->next_offset);
532 size = e->next_offset;
533 e = (struct ip6t_entry *)
534 (entry0 + pos + size);
535 e->counters.pcnt = pos;
538 int newpos = t->verdict;
540 if (strcmp(t->target.u.user.name,
541 XT_STANDARD_TARGET) == 0 &&
543 if (newpos > newinfo->size -
544 sizeof(struct ip6t_entry)) {
545 duprintf("mark_source_chains: "
546 "bad verdict (%i)\n",
550 /* This a jump; chase it. */
551 duprintf("Jump rule %u -> %u\n",
554 /* ... this is a fallthru */
555 newpos = pos + e->next_offset;
557 e = (struct ip6t_entry *)
559 e->counters.pcnt = pos;
564 duprintf("Finished chain %u\n", hook);
569 static void cleanup_match(struct xt_entry_match *m, struct net *net)
571 struct xt_mtdtor_param par;
574 par.match = m->u.kernel.match;
575 par.matchinfo = m->data;
576 par.family = NFPROTO_IPV6;
577 if (par.match->destroy != NULL)
578 par.match->destroy(&par);
579 module_put(par.match->me);
583 check_entry(const struct ip6t_entry *e, const char *name)
585 const struct xt_entry_target *t;
587 if (!ip6_checkentry(&e->ipv6)) {
588 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
592 if (e->target_offset + sizeof(struct xt_entry_target) >
596 t = ip6t_get_target_c(e);
597 if (e->target_offset + t->u.target_size > e->next_offset)
603 static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
605 const struct ip6t_ip6 *ipv6 = par->entryinfo;
608 par->match = m->u.kernel.match;
609 par->matchinfo = m->data;
611 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
612 ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
614 duprintf("ip_tables: check failed for `%s'.\n",
622 find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
624 struct xt_match *match;
627 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
630 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
631 return PTR_ERR(match);
633 m->u.kernel.match = match;
635 ret = check_match(m, par);
641 module_put(m->u.kernel.match->me);
645 static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
647 struct xt_entry_target *t = ip6t_get_target(e);
648 struct xt_tgchk_param par = {
652 .target = t->u.kernel.target,
654 .hook_mask = e->comefrom,
655 .family = NFPROTO_IPV6,
659 t = ip6t_get_target(e);
660 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
661 e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
663 duprintf("ip_tables: check failed for `%s'.\n",
664 t->u.kernel.target->name);
671 find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
674 struct xt_entry_target *t;
675 struct xt_target *target;
678 struct xt_mtchk_param mtpar;
679 struct xt_entry_match *ematch;
681 ret = check_entry(e, name);
685 e->counters.pcnt = xt_percpu_counter_alloc();
686 if (IS_ERR_VALUE(e->counters.pcnt))
692 mtpar.entryinfo = &e->ipv6;
693 mtpar.hook_mask = e->comefrom;
694 mtpar.family = NFPROTO_IPV6;
695 xt_ematch_foreach(ematch, e) {
696 ret = find_check_match(ematch, &mtpar);
698 goto cleanup_matches;
702 t = ip6t_get_target(e);
703 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
705 if (IS_ERR(target)) {
706 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
707 ret = PTR_ERR(target);
708 goto cleanup_matches;
710 t->u.kernel.target = target;
712 ret = check_target(e, net, name);
717 module_put(t->u.kernel.target->me);
719 xt_ematch_foreach(ematch, e) {
722 cleanup_match(ematch, net);
725 xt_percpu_counter_free(e->counters.pcnt);
730 static bool check_underflow(const struct ip6t_entry *e)
732 const struct xt_entry_target *t;
733 unsigned int verdict;
735 if (!unconditional(&e->ipv6))
737 t = ip6t_get_target_c(e);
738 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
740 verdict = ((struct xt_standard_target *)t)->verdict;
741 verdict = -verdict - 1;
742 return verdict == NF_DROP || verdict == NF_ACCEPT;
746 check_entry_size_and_hooks(struct ip6t_entry *e,
747 struct xt_table_info *newinfo,
748 const unsigned char *base,
749 const unsigned char *limit,
750 const unsigned int *hook_entries,
751 const unsigned int *underflows,
752 unsigned int valid_hooks)
756 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
757 (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
758 duprintf("Bad offset %p\n", e);
763 < sizeof(struct ip6t_entry) + sizeof(struct xt_entry_target)) {
764 duprintf("checking: element %p size %u\n",
769 /* Check hooks & underflows */
770 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
771 if (!(valid_hooks & (1 << h)))
773 if ((unsigned char *)e - base == hook_entries[h])
774 newinfo->hook_entry[h] = hook_entries[h];
775 if ((unsigned char *)e - base == underflows[h]) {
776 if (!check_underflow(e)) {
777 pr_err("Underflows must be unconditional and "
778 "use the STANDARD target with "
782 newinfo->underflow[h] = underflows[h];
786 /* Clear counters and comefrom */
787 e->counters = ((struct xt_counters) { 0, 0 });
792 static void cleanup_entry(struct ip6t_entry *e, struct net *net)
794 struct xt_tgdtor_param par;
795 struct xt_entry_target *t;
796 struct xt_entry_match *ematch;
798 /* Cleanup all matches */
799 xt_ematch_foreach(ematch, e)
800 cleanup_match(ematch, net);
801 t = ip6t_get_target(e);
804 par.target = t->u.kernel.target;
805 par.targinfo = t->data;
806 par.family = NFPROTO_IPV6;
807 if (par.target->destroy != NULL)
808 par.target->destroy(&par);
809 module_put(par.target->me);
811 xt_percpu_counter_free(e->counters.pcnt);
814 /* Checks and translates the user-supplied table segment (held in
817 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
818 const struct ip6t_replace *repl)
820 struct ip6t_entry *iter;
824 newinfo->size = repl->size;
825 newinfo->number = repl->num_entries;
827 /* Init all hooks to impossible value. */
828 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
829 newinfo->hook_entry[i] = 0xFFFFFFFF;
830 newinfo->underflow[i] = 0xFFFFFFFF;
833 duprintf("translate_table: size %u\n", newinfo->size);
835 /* Walk through entries, checking offsets. */
836 xt_entry_foreach(iter, entry0, newinfo->size) {
837 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
845 if (strcmp(ip6t_get_target(iter)->u.user.name,
846 XT_ERROR_TARGET) == 0)
847 ++newinfo->stacksize;
850 if (i != repl->num_entries) {
851 duprintf("translate_table: %u not %u entries\n",
852 i, repl->num_entries);
856 /* Check hooks all assigned */
857 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
858 /* Only hooks which are valid */
859 if (!(repl->valid_hooks & (1 << i)))
861 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
862 duprintf("Invalid hook entry %u %u\n",
863 i, repl->hook_entry[i]);
866 if (newinfo->underflow[i] == 0xFFFFFFFF) {
867 duprintf("Invalid underflow %u %u\n",
868 i, repl->underflow[i]);
873 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
876 /* Finally, each sanity check must pass */
878 xt_entry_foreach(iter, entry0, newinfo->size) {
879 ret = find_check_entry(iter, net, repl->name, repl->size);
886 xt_entry_foreach(iter, entry0, newinfo->size) {
889 cleanup_entry(iter, net);
898 get_counters(const struct xt_table_info *t,
899 struct xt_counters counters[])
901 struct ip6t_entry *iter;
905 for_each_possible_cpu(cpu) {
906 seqcount_t *s = &per_cpu(xt_recseq, cpu);
909 xt_entry_foreach(iter, t->entries, t->size) {
910 struct xt_counters *tmp;
914 tmp = xt_get_per_cpu_counter(&iter->counters, cpu);
916 start = read_seqcount_begin(s);
919 } while (read_seqcount_retry(s, start));
921 ADD_COUNTER(counters[i], bcnt, pcnt);
927 static struct xt_counters *alloc_counters(const struct xt_table *table)
929 unsigned int countersize;
930 struct xt_counters *counters;
931 const struct xt_table_info *private = table->private;
933 /* We need atomic snapshot of counters: rest doesn't change
934 (other than comefrom, which userspace doesn't care
936 countersize = sizeof(struct xt_counters) * private->number;
937 counters = vzalloc(countersize);
939 if (counters == NULL)
940 return ERR_PTR(-ENOMEM);
942 get_counters(private, counters);
948 copy_entries_to_user(unsigned int total_size,
949 const struct xt_table *table,
950 void __user *userptr)
952 unsigned int off, num;
953 const struct ip6t_entry *e;
954 struct xt_counters *counters;
955 const struct xt_table_info *private = table->private;
957 const void *loc_cpu_entry;
959 counters = alloc_counters(table);
960 if (IS_ERR(counters))
961 return PTR_ERR(counters);
963 loc_cpu_entry = private->entries;
964 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
969 /* FIXME: use iterator macros --RR */
970 /* ... then go back and fix counters and names */
971 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
973 const struct xt_entry_match *m;
974 const struct xt_entry_target *t;
976 e = (struct ip6t_entry *)(loc_cpu_entry + off);
977 if (copy_to_user(userptr + off
978 + offsetof(struct ip6t_entry, counters),
980 sizeof(counters[num])) != 0) {
985 for (i = sizeof(struct ip6t_entry);
986 i < e->target_offset;
987 i += m->u.match_size) {
990 if (copy_to_user(userptr + off + i
991 + offsetof(struct xt_entry_match,
993 m->u.kernel.match->name,
994 strlen(m->u.kernel.match->name)+1)
1001 t = ip6t_get_target_c(e);
1002 if (copy_to_user(userptr + off + e->target_offset
1003 + offsetof(struct xt_entry_target,
1005 t->u.kernel.target->name,
1006 strlen(t->u.kernel.target->name)+1) != 0) {
1017 #ifdef CONFIG_COMPAT
1018 static void compat_standard_from_user(void *dst, const void *src)
1020 int v = *(compat_int_t *)src;
1023 v += xt_compat_calc_jump(AF_INET6, v);
1024 memcpy(dst, &v, sizeof(v));
1027 static int compat_standard_to_user(void __user *dst, const void *src)
1029 compat_int_t cv = *(int *)src;
1032 cv -= xt_compat_calc_jump(AF_INET6, cv);
1033 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1036 static int compat_calc_entry(const struct ip6t_entry *e,
1037 const struct xt_table_info *info,
1038 const void *base, struct xt_table_info *newinfo)
1040 const struct xt_entry_match *ematch;
1041 const struct xt_entry_target *t;
1042 unsigned int entry_offset;
1045 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1046 entry_offset = (void *)e - base;
1047 xt_ematch_foreach(ematch, e)
1048 off += xt_compat_match_offset(ematch->u.kernel.match);
1049 t = ip6t_get_target_c(e);
1050 off += xt_compat_target_offset(t->u.kernel.target);
1051 newinfo->size -= off;
1052 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1056 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1057 if (info->hook_entry[i] &&
1058 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
1059 newinfo->hook_entry[i] -= off;
1060 if (info->underflow[i] &&
1061 (e < (struct ip6t_entry *)(base + info->underflow[i])))
1062 newinfo->underflow[i] -= off;
1067 static int compat_table_info(const struct xt_table_info *info,
1068 struct xt_table_info *newinfo)
1070 struct ip6t_entry *iter;
1071 const void *loc_cpu_entry;
1074 if (!newinfo || !info)
1077 /* we dont care about newinfo->entries */
1078 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1079 newinfo->initial_entries = 0;
1080 loc_cpu_entry = info->entries;
1081 xt_compat_init_offsets(AF_INET6, info->number);
1082 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
1083 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
1091 static int get_info(struct net *net, void __user *user,
1092 const int *len, int compat)
1094 char name[XT_TABLE_MAXNAMELEN];
1098 if (*len != sizeof(struct ip6t_getinfo)) {
1099 duprintf("length %u != %zu\n", *len,
1100 sizeof(struct ip6t_getinfo));
1104 if (copy_from_user(name, user, sizeof(name)) != 0)
1107 name[XT_TABLE_MAXNAMELEN-1] = '\0';
1108 #ifdef CONFIG_COMPAT
1110 xt_compat_lock(AF_INET6);
1112 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1113 "ip6table_%s", name);
1114 if (!IS_ERR_OR_NULL(t)) {
1115 struct ip6t_getinfo info;
1116 const struct xt_table_info *private = t->private;
1117 #ifdef CONFIG_COMPAT
1118 struct xt_table_info tmp;
1121 ret = compat_table_info(private, &tmp);
1122 xt_compat_flush_offsets(AF_INET6);
1126 memset(&info, 0, sizeof(info));
1127 info.valid_hooks = t->valid_hooks;
1128 memcpy(info.hook_entry, private->hook_entry,
1129 sizeof(info.hook_entry));
1130 memcpy(info.underflow, private->underflow,
1131 sizeof(info.underflow));
1132 info.num_entries = private->number;
1133 info.size = private->size;
1134 strcpy(info.name, name);
1136 if (copy_to_user(user, &info, *len) != 0)
1144 ret = t ? PTR_ERR(t) : -ENOENT;
1145 #ifdef CONFIG_COMPAT
1147 xt_compat_unlock(AF_INET6);
1153 get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
1157 struct ip6t_get_entries get;
1160 if (*len < sizeof(get)) {
1161 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1164 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1166 if (*len != sizeof(struct ip6t_get_entries) + get.size) {
1167 duprintf("get_entries: %u != %zu\n",
1168 *len, sizeof(get) + get.size);
1172 t = xt_find_table_lock(net, AF_INET6, get.name);
1173 if (!IS_ERR_OR_NULL(t)) {
1174 struct xt_table_info *private = t->private;
1175 duprintf("t->private->number = %u\n", private->number);
1176 if (get.size == private->size)
1177 ret = copy_entries_to_user(private->size,
1178 t, uptr->entrytable);
1180 duprintf("get_entries: I've got %u not %u!\n",
1181 private->size, get.size);
1187 ret = t ? PTR_ERR(t) : -ENOENT;
1193 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1194 struct xt_table_info *newinfo, unsigned int num_counters,
1195 void __user *counters_ptr)
1199 struct xt_table_info *oldinfo;
1200 struct xt_counters *counters;
1201 struct ip6t_entry *iter;
1204 counters = vzalloc(num_counters * sizeof(struct xt_counters));
1210 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1211 "ip6table_%s", name);
1212 if (IS_ERR_OR_NULL(t)) {
1213 ret = t ? PTR_ERR(t) : -ENOENT;
1214 goto free_newinfo_counters_untrans;
1218 if (valid_hooks != t->valid_hooks) {
1219 duprintf("Valid hook crap: %08X vs %08X\n",
1220 valid_hooks, t->valid_hooks);
1225 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1229 /* Update module usage count based on number of rules */
1230 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1231 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1232 if ((oldinfo->number > oldinfo->initial_entries) ||
1233 (newinfo->number <= oldinfo->initial_entries))
1235 if ((oldinfo->number > oldinfo->initial_entries) &&
1236 (newinfo->number <= oldinfo->initial_entries))
1239 /* Get the old counters, and synchronize with replace */
1240 get_counters(oldinfo, counters);
1242 /* Decrease module usage counts and free resource */
1243 xt_entry_foreach(iter, oldinfo->entries, oldinfo->size)
1244 cleanup_entry(iter, net);
1246 xt_free_table_info(oldinfo);
1247 if (copy_to_user(counters_ptr, counters,
1248 sizeof(struct xt_counters) * num_counters) != 0) {
1249 /* Silent error, can't fail, new table is already in place */
1250 net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
1259 free_newinfo_counters_untrans:
1266 do_replace(struct net *net, const void __user *user, unsigned int len)
1269 struct ip6t_replace tmp;
1270 struct xt_table_info *newinfo;
1271 void *loc_cpu_entry;
1272 struct ip6t_entry *iter;
1274 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1277 /* overflow check */
1278 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1280 if (tmp.num_counters == 0)
1283 tmp.name[sizeof(tmp.name)-1] = 0;
1285 newinfo = xt_alloc_table_info(tmp.size);
1289 loc_cpu_entry = newinfo->entries;
1290 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1296 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1300 duprintf("ip_tables: Translated table\n");
1302 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1303 tmp.num_counters, tmp.counters);
1305 goto free_newinfo_untrans;
1308 free_newinfo_untrans:
1309 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1310 cleanup_entry(iter, net);
1312 xt_free_table_info(newinfo);
1317 do_add_counters(struct net *net, const void __user *user, unsigned int len,
1321 struct xt_counters_info tmp;
1322 struct xt_counters *paddc;
1323 unsigned int num_counters;
1328 const struct xt_table_info *private;
1330 struct ip6t_entry *iter;
1331 unsigned int addend;
1332 #ifdef CONFIG_COMPAT
1333 struct compat_xt_counters_info compat_tmp;
1337 size = sizeof(struct compat_xt_counters_info);
1342 size = sizeof(struct xt_counters_info);
1345 if (copy_from_user(ptmp, user, size) != 0)
1348 #ifdef CONFIG_COMPAT
1350 num_counters = compat_tmp.num_counters;
1351 name = compat_tmp.name;
1355 num_counters = tmp.num_counters;
1359 if (len != size + num_counters * sizeof(struct xt_counters))
1362 paddc = vmalloc(len - size);
1366 if (copy_from_user(paddc, user + size, len - size) != 0) {
1371 t = xt_find_table_lock(net, AF_INET6, name);
1372 if (IS_ERR_OR_NULL(t)) {
1373 ret = t ? PTR_ERR(t) : -ENOENT;
1378 private = t->private;
1379 if (private->number != num_counters) {
1381 goto unlock_up_free;
1385 addend = xt_write_recseq_begin();
1386 xt_entry_foreach(iter, private->entries, private->size) {
1387 struct xt_counters *tmp;
1389 tmp = xt_get_this_cpu_counter(&iter->counters);
1390 ADD_COUNTER(*tmp, paddc[i].bcnt, paddc[i].pcnt);
1393 xt_write_recseq_end(addend);
1404 #ifdef CONFIG_COMPAT
1405 struct compat_ip6t_replace {
1406 char name[XT_TABLE_MAXNAMELEN];
1410 u32 hook_entry[NF_INET_NUMHOOKS];
1411 u32 underflow[NF_INET_NUMHOOKS];
1413 compat_uptr_t counters; /* struct xt_counters * */
1414 struct compat_ip6t_entry entries[0];
1418 compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1419 unsigned int *size, struct xt_counters *counters,
1422 struct xt_entry_target *t;
1423 struct compat_ip6t_entry __user *ce;
1424 u_int16_t target_offset, next_offset;
1425 compat_uint_t origsize;
1426 const struct xt_entry_match *ematch;
1430 ce = (struct compat_ip6t_entry __user *)*dstptr;
1431 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
1432 copy_to_user(&ce->counters, &counters[i],
1433 sizeof(counters[i])) != 0)
1436 *dstptr += sizeof(struct compat_ip6t_entry);
1437 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1439 xt_ematch_foreach(ematch, e) {
1440 ret = xt_compat_match_to_user(ematch, dstptr, size);
1444 target_offset = e->target_offset - (origsize - *size);
1445 t = ip6t_get_target(e);
1446 ret = xt_compat_target_to_user(t, dstptr, size);
1449 next_offset = e->next_offset - (origsize - *size);
1450 if (put_user(target_offset, &ce->target_offset) != 0 ||
1451 put_user(next_offset, &ce->next_offset) != 0)
1457 compat_find_calc_match(struct xt_entry_match *m,
1459 const struct ip6t_ip6 *ipv6,
1462 struct xt_match *match;
1464 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1465 m->u.user.revision);
1466 if (IS_ERR(match)) {
1467 duprintf("compat_check_calc_match: `%s' not found\n",
1469 return PTR_ERR(match);
1471 m->u.kernel.match = match;
1472 *size += xt_compat_match_offset(match);
1476 static void compat_release_entry(struct compat_ip6t_entry *e)
1478 struct xt_entry_target *t;
1479 struct xt_entry_match *ematch;
1481 /* Cleanup all matches */
1482 xt_ematch_foreach(ematch, e)
1483 module_put(ematch->u.kernel.match->me);
1484 t = compat_ip6t_get_target(e);
1485 module_put(t->u.kernel.target->me);
1489 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1490 struct xt_table_info *newinfo,
1492 const unsigned char *base,
1493 const unsigned char *limit,
1494 const unsigned int *hook_entries,
1495 const unsigned int *underflows,
1498 struct xt_entry_match *ematch;
1499 struct xt_entry_target *t;
1500 struct xt_target *target;
1501 unsigned int entry_offset;
1505 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1506 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
1507 (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
1508 duprintf("Bad offset %p, limit = %p\n", e, limit);
1512 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1513 sizeof(struct compat_xt_entry_target)) {
1514 duprintf("checking: element %p size %u\n",
1519 /* For purposes of check_entry casting the compat entry is fine */
1520 ret = check_entry((struct ip6t_entry *)e, name);
1524 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1525 entry_offset = (void *)e - (void *)base;
1527 xt_ematch_foreach(ematch, e) {
1528 ret = compat_find_calc_match(ematch, name, &e->ipv6, &off);
1530 goto release_matches;
1534 t = compat_ip6t_get_target(e);
1535 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1536 t->u.user.revision);
1537 if (IS_ERR(target)) {
1538 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1540 ret = PTR_ERR(target);
1541 goto release_matches;
1543 t->u.kernel.target = target;
1545 off += xt_compat_target_offset(target);
1547 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1551 /* Check hooks & underflows */
1552 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1553 if ((unsigned char *)e - base == hook_entries[h])
1554 newinfo->hook_entry[h] = hook_entries[h];
1555 if ((unsigned char *)e - base == underflows[h])
1556 newinfo->underflow[h] = underflows[h];
1559 /* Clear counters and comefrom */
1560 memset(&e->counters, 0, sizeof(e->counters));
1565 module_put(t->u.kernel.target->me);
1567 xt_ematch_foreach(ematch, e) {
1570 module_put(ematch->u.kernel.match->me);
1576 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1577 unsigned int *size, const char *name,
1578 struct xt_table_info *newinfo, unsigned char *base)
1580 struct xt_entry_target *t;
1581 struct ip6t_entry *de;
1582 unsigned int origsize;
1584 struct xt_entry_match *ematch;
1588 de = (struct ip6t_entry *)*dstptr;
1589 memcpy(de, e, sizeof(struct ip6t_entry));
1590 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1592 *dstptr += sizeof(struct ip6t_entry);
1593 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1595 xt_ematch_foreach(ematch, e) {
1596 ret = xt_compat_match_from_user(ematch, dstptr, size);
1600 de->target_offset = e->target_offset - (origsize - *size);
1601 t = compat_ip6t_get_target(e);
1602 xt_compat_target_from_user(t, dstptr, size);
1604 de->next_offset = e->next_offset - (origsize - *size);
1605 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1606 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1607 newinfo->hook_entry[h] -= origsize - *size;
1608 if ((unsigned char *)de - base < newinfo->underflow[h])
1609 newinfo->underflow[h] -= origsize - *size;
1614 static int compat_check_entry(struct ip6t_entry *e, struct net *net,
1619 struct xt_mtchk_param mtpar;
1620 struct xt_entry_match *ematch;
1622 e->counters.pcnt = xt_percpu_counter_alloc();
1623 if (IS_ERR_VALUE(e->counters.pcnt))
1628 mtpar.entryinfo = &e->ipv6;
1629 mtpar.hook_mask = e->comefrom;
1630 mtpar.family = NFPROTO_IPV6;
1631 xt_ematch_foreach(ematch, e) {
1632 ret = check_match(ematch, &mtpar);
1634 goto cleanup_matches;
1638 ret = check_target(e, net, name);
1640 goto cleanup_matches;
1644 xt_ematch_foreach(ematch, e) {
1647 cleanup_match(ematch, net);
1650 xt_percpu_counter_free(e->counters.pcnt);
1656 translate_compat_table(struct net *net,
1658 unsigned int valid_hooks,
1659 struct xt_table_info **pinfo,
1661 unsigned int total_size,
1662 unsigned int number,
1663 unsigned int *hook_entries,
1664 unsigned int *underflows)
1667 struct xt_table_info *newinfo, *info;
1668 void *pos, *entry0, *entry1;
1669 struct compat_ip6t_entry *iter0;
1670 struct ip6t_entry *iter1;
1677 info->number = number;
1679 /* Init all hooks to impossible value. */
1680 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1681 info->hook_entry[i] = 0xFFFFFFFF;
1682 info->underflow[i] = 0xFFFFFFFF;
1685 duprintf("translate_compat_table: size %u\n", info->size);
1687 xt_compat_lock(AF_INET6);
1688 xt_compat_init_offsets(AF_INET6, number);
1689 /* Walk through entries, checking offsets. */
1690 xt_entry_foreach(iter0, entry0, total_size) {
1691 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1693 entry0 + total_size,
1704 duprintf("translate_compat_table: %u not %u entries\n",
1709 /* Check hooks all assigned */
1710 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1711 /* Only hooks which are valid */
1712 if (!(valid_hooks & (1 << i)))
1714 if (info->hook_entry[i] == 0xFFFFFFFF) {
1715 duprintf("Invalid hook entry %u %u\n",
1716 i, hook_entries[i]);
1719 if (info->underflow[i] == 0xFFFFFFFF) {
1720 duprintf("Invalid underflow %u %u\n",
1727 newinfo = xt_alloc_table_info(size);
1731 newinfo->number = number;
1732 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1733 newinfo->hook_entry[i] = info->hook_entry[i];
1734 newinfo->underflow[i] = info->underflow[i];
1736 entry1 = newinfo->entries;
1739 xt_entry_foreach(iter0, entry0, total_size) {
1740 ret = compat_copy_entry_from_user(iter0, &pos, &size,
1741 name, newinfo, entry1);
1745 xt_compat_flush_offsets(AF_INET6);
1746 xt_compat_unlock(AF_INET6);
1751 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1755 xt_entry_foreach(iter1, entry1, newinfo->size) {
1756 ret = compat_check_entry(iter1, net, name);
1760 if (strcmp(ip6t_get_target(iter1)->u.user.name,
1761 XT_ERROR_TARGET) == 0)
1762 ++newinfo->stacksize;
1766 * The first i matches need cleanup_entry (calls ->destroy)
1767 * because they had called ->check already. The other j-i
1768 * entries need only release.
1772 xt_entry_foreach(iter0, entry0, newinfo->size) {
1777 compat_release_entry(iter0);
1779 xt_entry_foreach(iter1, entry1, newinfo->size) {
1782 cleanup_entry(iter1, net);
1784 xt_free_table_info(newinfo);
1790 xt_free_table_info(info);
1794 xt_free_table_info(newinfo);
1796 xt_entry_foreach(iter0, entry0, total_size) {
1799 compat_release_entry(iter0);
1803 xt_compat_flush_offsets(AF_INET6);
1804 xt_compat_unlock(AF_INET6);
1809 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1812 struct compat_ip6t_replace tmp;
1813 struct xt_table_info *newinfo;
1814 void *loc_cpu_entry;
1815 struct ip6t_entry *iter;
1817 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1820 /* overflow check */
1821 if (tmp.size >= INT_MAX / num_possible_cpus())
1823 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1825 if (tmp.num_counters == 0)
1828 tmp.name[sizeof(tmp.name)-1] = 0;
1830 newinfo = xt_alloc_table_info(tmp.size);
1834 loc_cpu_entry = newinfo->entries;
1835 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1841 ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
1842 &newinfo, &loc_cpu_entry, tmp.size,
1843 tmp.num_entries, tmp.hook_entry,
1848 duprintf("compat_do_replace: Translated table\n");
1850 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1851 tmp.num_counters, compat_ptr(tmp.counters));
1853 goto free_newinfo_untrans;
1856 free_newinfo_untrans:
1857 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1858 cleanup_entry(iter, net);
1860 xt_free_table_info(newinfo);
1865 compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1870 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1874 case IP6T_SO_SET_REPLACE:
1875 ret = compat_do_replace(sock_net(sk), user, len);
1878 case IP6T_SO_SET_ADD_COUNTERS:
1879 ret = do_add_counters(sock_net(sk), user, len, 1);
1883 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1890 struct compat_ip6t_get_entries {
1891 char name[XT_TABLE_MAXNAMELEN];
1893 struct compat_ip6t_entry entrytable[0];
1897 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1898 void __user *userptr)
1900 struct xt_counters *counters;
1901 const struct xt_table_info *private = table->private;
1906 struct ip6t_entry *iter;
1908 counters = alloc_counters(table);
1909 if (IS_ERR(counters))
1910 return PTR_ERR(counters);
1914 xt_entry_foreach(iter, private->entries, total_size) {
1915 ret = compat_copy_entry_to_user(iter, &pos,
1916 &size, counters, i++);
1926 compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1930 struct compat_ip6t_get_entries get;
1933 if (*len < sizeof(get)) {
1934 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1938 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1941 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size) {
1942 duprintf("compat_get_entries: %u != %zu\n",
1943 *len, sizeof(get) + get.size);
1947 xt_compat_lock(AF_INET6);
1948 t = xt_find_table_lock(net, AF_INET6, get.name);
1949 if (!IS_ERR_OR_NULL(t)) {
1950 const struct xt_table_info *private = t->private;
1951 struct xt_table_info info;
1952 duprintf("t->private->number = %u\n", private->number);
1953 ret = compat_table_info(private, &info);
1954 if (!ret && get.size == info.size) {
1955 ret = compat_copy_entries_to_user(private->size,
1956 t, uptr->entrytable);
1958 duprintf("compat_get_entries: I've got %u not %u!\n",
1959 private->size, get.size);
1962 xt_compat_flush_offsets(AF_INET6);
1966 ret = t ? PTR_ERR(t) : -ENOENT;
1968 xt_compat_unlock(AF_INET6);
1972 static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1975 compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1979 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1983 case IP6T_SO_GET_INFO:
1984 ret = get_info(sock_net(sk), user, len, 1);
1986 case IP6T_SO_GET_ENTRIES:
1987 ret = compat_get_entries(sock_net(sk), user, len);
1990 ret = do_ip6t_get_ctl(sk, cmd, user, len);
1997 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2001 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2005 case IP6T_SO_SET_REPLACE:
2006 ret = do_replace(sock_net(sk), user, len);
2009 case IP6T_SO_SET_ADD_COUNTERS:
2010 ret = do_add_counters(sock_net(sk), user, len, 0);
2014 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
2022 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2026 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2030 case IP6T_SO_GET_INFO:
2031 ret = get_info(sock_net(sk), user, len, 0);
2034 case IP6T_SO_GET_ENTRIES:
2035 ret = get_entries(sock_net(sk), user, len);
2038 case IP6T_SO_GET_REVISION_MATCH:
2039 case IP6T_SO_GET_REVISION_TARGET: {
2040 struct xt_get_revision rev;
2043 if (*len != sizeof(rev)) {
2047 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2051 rev.name[sizeof(rev.name)-1] = 0;
2053 if (cmd == IP6T_SO_GET_REVISION_TARGET)
2058 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
2061 "ip6t_%s", rev.name);
2066 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
2073 struct xt_table *ip6t_register_table(struct net *net,
2074 const struct xt_table *table,
2075 const struct ip6t_replace *repl)
2078 struct xt_table_info *newinfo;
2079 struct xt_table_info bootstrap = {0};
2080 void *loc_cpu_entry;
2081 struct xt_table *new_table;
2083 newinfo = xt_alloc_table_info(repl->size);
2089 loc_cpu_entry = newinfo->entries;
2090 memcpy(loc_cpu_entry, repl->entries, repl->size);
2092 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
2096 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2097 if (IS_ERR(new_table)) {
2098 ret = PTR_ERR(new_table);
2104 xt_free_table_info(newinfo);
2106 return ERR_PTR(ret);
2109 void ip6t_unregister_table(struct net *net, struct xt_table *table)
2111 struct xt_table_info *private;
2112 void *loc_cpu_entry;
2113 struct module *table_owner = table->me;
2114 struct ip6t_entry *iter;
2116 private = xt_unregister_table(table);
2118 /* Decrease module usage counts and free resources */
2119 loc_cpu_entry = private->entries;
2120 xt_entry_foreach(iter, loc_cpu_entry, private->size)
2121 cleanup_entry(iter, net);
2122 if (private->number > private->initial_entries)
2123 module_put(table_owner);
2124 xt_free_table_info(private);
2127 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2129 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2130 u_int8_t type, u_int8_t code,
2133 return (type == test_type && code >= min_code && code <= max_code)
2138 icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
2140 const struct icmp6hdr *ic;
2141 struct icmp6hdr _icmph;
2142 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2144 /* Must not be a fragment. */
2145 if (par->fragoff != 0)
2148 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2150 /* We've been asked to examine this packet, and we
2151 * can't. Hence, no choice but to drop.
2153 duprintf("Dropping evil ICMP tinygram.\n");
2154 par->hotdrop = true;
2158 return icmp6_type_code_match(icmpinfo->type,
2161 ic->icmp6_type, ic->icmp6_code,
2162 !!(icmpinfo->invflags&IP6T_ICMP_INV));
2165 /* Called when user tries to insert an entry of this type. */
2166 static int icmp6_checkentry(const struct xt_mtchk_param *par)
2168 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2170 /* Must specify no unknown invflags */
2171 return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
2174 /* The built-in targets: standard (NULL) and error. */
2175 static struct xt_target ip6t_builtin_tg[] __read_mostly = {
2177 .name = XT_STANDARD_TARGET,
2178 .targetsize = sizeof(int),
2179 .family = NFPROTO_IPV6,
2180 #ifdef CONFIG_COMPAT
2181 .compatsize = sizeof(compat_int_t),
2182 .compat_from_user = compat_standard_from_user,
2183 .compat_to_user = compat_standard_to_user,
2187 .name = XT_ERROR_TARGET,
2188 .target = ip6t_error,
2189 .targetsize = XT_FUNCTION_MAXNAMELEN,
2190 .family = NFPROTO_IPV6,
2194 static struct nf_sockopt_ops ip6t_sockopts = {
2196 .set_optmin = IP6T_BASE_CTL,
2197 .set_optmax = IP6T_SO_SET_MAX+1,
2198 .set = do_ip6t_set_ctl,
2199 #ifdef CONFIG_COMPAT
2200 .compat_set = compat_do_ip6t_set_ctl,
2202 .get_optmin = IP6T_BASE_CTL,
2203 .get_optmax = IP6T_SO_GET_MAX+1,
2204 .get = do_ip6t_get_ctl,
2205 #ifdef CONFIG_COMPAT
2206 .compat_get = compat_do_ip6t_get_ctl,
2208 .owner = THIS_MODULE,
2211 static struct xt_match ip6t_builtin_mt[] __read_mostly = {
2214 .match = icmp6_match,
2215 .matchsize = sizeof(struct ip6t_icmp),
2216 .checkentry = icmp6_checkentry,
2217 .proto = IPPROTO_ICMPV6,
2218 .family = NFPROTO_IPV6,
2222 static int __net_init ip6_tables_net_init(struct net *net)
2224 return xt_proto_init(net, NFPROTO_IPV6);
2227 static void __net_exit ip6_tables_net_exit(struct net *net)
2229 xt_proto_fini(net, NFPROTO_IPV6);
2232 static struct pernet_operations ip6_tables_net_ops = {
2233 .init = ip6_tables_net_init,
2234 .exit = ip6_tables_net_exit,
2237 static int __init ip6_tables_init(void)
2241 ret = register_pernet_subsys(&ip6_tables_net_ops);
2245 /* No one else will be downing sem now, so we won't sleep */
2246 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2249 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2253 /* Register setsockopt */
2254 ret = nf_register_sockopt(&ip6t_sockopts);
2258 pr_info("(C) 2000-2006 Netfilter Core Team\n");
2262 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2264 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2266 unregister_pernet_subsys(&ip6_tables_net_ops);
2271 static void __exit ip6_tables_fini(void)
2273 nf_unregister_sockopt(&ip6t_sockopts);
2275 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2276 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2277 unregister_pernet_subsys(&ip6_tables_net_ops);
2280 EXPORT_SYMBOL(ip6t_register_table);
2281 EXPORT_SYMBOL(ip6t_unregister_table);
2282 EXPORT_SYMBOL(ip6t_do_table);
2284 module_init(ip6_tables_init);
2285 module_exit(ip6_tables_fini);
projects / karo-tx-linux.git / blob