2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12 #include <linux/cache.h>
13 #include <linux/capability.h>
14 #include <linux/skbuff.h>
15 #include <linux/kmod.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netdevice.h>
18 #include <linux/module.h>
19 #include <linux/icmp.h>
21 #include <net/compat.h>
22 #include <asm/uaccess.h>
23 #include <linux/mutex.h>
24 #include <linux/proc_fs.h>
25 #include <linux/err.h>
26 #include <linux/cpumask.h>
28 #include <linux/netfilter/x_tables.h>
29 #include <linux/netfilter_ipv4/ip_tables.h>
30 #include <net/netfilter/nf_log.h>
31 #include "../../netfilter/xt_repldata.h"
33 MODULE_LICENSE("GPL");
34 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
35 MODULE_DESCRIPTION("IPv4 packet filter");
37 /*#define DEBUG_IP_FIREWALL*/
38 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
39 /*#define DEBUG_IP_FIREWALL_USER*/
41 #ifdef DEBUG_IP_FIREWALL
42 #define dprintf(format, args...) pr_info(format , ## args)
44 #define dprintf(format, args...)
47 #ifdef DEBUG_IP_FIREWALL_USER
48 #define duprintf(format, args...) pr_info(format , ## args)
50 #define duprintf(format, args...)
53 #ifdef CONFIG_NETFILTER_DEBUG
54 #define IP_NF_ASSERT(x) WARN_ON(!(x))
56 #define IP_NF_ASSERT(x)
60 /* All the better to debug you with... */
65 void *ipt_alloc_initial_table(const struct xt_table *info)
67 return xt_alloc_initial_table(ipt, IPT);
69 EXPORT_SYMBOL_GPL(ipt_alloc_initial_table);
72 We keep a set of rules for each CPU, so we can avoid write-locking
73 them in the softirq when updating the counters and therefore
74 only need to read-lock in the softirq; doing a write_lock_bh() in user
75 context stops packets coming through and allows user context to read
76 the counters or update the rules.
78 Hence the start of any table is given by get_table() below. */
80 /* Returns whether matches rule or not. */
81 /* Performance critical - called for every packet */
83 ip_packet_match(const struct iphdr *ip,
86 const struct ipt_ip *ipinfo,
91 #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
93 if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
95 FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
97 dprintf("Source or dest mismatch.\n");
99 dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n",
100 &ip->saddr, &ipinfo->smsk.s_addr, &ipinfo->src.s_addr,
101 ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
102 dprintf("DST: %pI4 Mask: %pI4 Target: %pI4.%s\n",
103 &ip->daddr, &ipinfo->dmsk.s_addr, &ipinfo->dst.s_addr,
104 ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
108 ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask);
110 if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
111 dprintf("VIA in mismatch (%s vs %s).%s\n",
112 indev, ipinfo->iniface,
113 ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
117 ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask);
119 if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
120 dprintf("VIA out mismatch (%s vs %s).%s\n",
121 outdev, ipinfo->outiface,
122 ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
126 /* Check specific protocol */
128 FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
129 dprintf("Packet protocol %hi does not match %hi.%s\n",
130 ip->protocol, ipinfo->proto,
131 ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
135 /* If we have a fragment rule but the packet is not a fragment
136 * then we return zero */
137 if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
138 dprintf("Fragment rule but not fragment.%s\n",
139 ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
147 ip_checkentry(const struct ipt_ip *ip)
149 if (ip->flags & ~IPT_F_MASK) {
150 duprintf("Unknown flag bits set: %08X\n",
151 ip->flags & ~IPT_F_MASK);
154 if (ip->invflags & ~IPT_INV_MASK) {
155 duprintf("Unknown invflag bits set: %08X\n",
156 ip->invflags & ~IPT_INV_MASK);
163 ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
166 pr_info("error: `%s'\n", (const char *)par->targinfo);
171 /* Performance critical */
172 static inline struct ipt_entry *
173 get_entry(const void *base, unsigned int offset)
175 return (struct ipt_entry *)(base + offset);
178 /* All zeroes == unconditional rule. */
179 /* Mildly perf critical (only if packet tracing is on) */
180 static inline bool unconditional(const struct ipt_ip *ip)
182 static const struct ipt_ip uncond;
184 return memcmp(ip, &uncond, sizeof(uncond)) == 0;
188 /* for const-correctness */
189 static inline const struct ipt_entry_target *
190 ipt_get_target_c(const struct ipt_entry *e)
192 return ipt_get_target((struct ipt_entry *)e);
195 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
196 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
197 static const char *const hooknames[] = {
198 [NF_INET_PRE_ROUTING] = "PREROUTING",
199 [NF_INET_LOCAL_IN] = "INPUT",
200 [NF_INET_FORWARD] = "FORWARD",
201 [NF_INET_LOCAL_OUT] = "OUTPUT",
202 [NF_INET_POST_ROUTING] = "POSTROUTING",
205 enum nf_ip_trace_comments {
206 NF_IP_TRACE_COMMENT_RULE,
207 NF_IP_TRACE_COMMENT_RETURN,
208 NF_IP_TRACE_COMMENT_POLICY,
211 static const char *const comments[] = {
212 [NF_IP_TRACE_COMMENT_RULE] = "rule",
213 [NF_IP_TRACE_COMMENT_RETURN] = "return",
214 [NF_IP_TRACE_COMMENT_POLICY] = "policy",
217 static struct nf_loginfo trace_loginfo = {
218 .type = NF_LOG_TYPE_LOG,
222 .logflags = NF_LOG_MASK,
227 /* Mildly perf critical (only if packet tracing is on) */
229 get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e,
230 const char *hookname, const char **chainname,
231 const char **comment, unsigned int *rulenum)
233 const struct ipt_standard_target *t = (void *)ipt_get_target_c(s);
235 if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) {
236 /* Head of user chain: ERROR target with chainname */
237 *chainname = t->target.data;
242 if (s->target_offset == sizeof(struct ipt_entry) &&
243 strcmp(t->target.u.kernel.target->name,
244 IPT_STANDARD_TARGET) == 0 &&
246 unconditional(&s->ip)) {
247 /* Tail of chains: STANDARD target (return/policy) */
248 *comment = *chainname == hookname
249 ? comments[NF_IP_TRACE_COMMENT_POLICY]
250 : comments[NF_IP_TRACE_COMMENT_RETURN];
259 static void trace_packet(const struct sk_buff *skb,
261 const struct net_device *in,
262 const struct net_device *out,
263 const char *tablename,
264 const struct xt_table_info *private,
265 const struct ipt_entry *e)
267 const void *table_base;
268 const struct ipt_entry *root;
269 const char *hookname, *chainname, *comment;
270 const struct ipt_entry *iter;
271 unsigned int rulenum = 0;
273 table_base = private->entries[smp_processor_id()];
274 root = get_entry(table_base, private->hook_entry[hook]);
276 hookname = chainname = hooknames[hook];
277 comment = comments[NF_IP_TRACE_COMMENT_RULE];
279 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
280 if (get_chainname_rulenum(iter, e, hookname,
281 &chainname, &comment, &rulenum) != 0)
284 nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
285 "TRACE: %s:%s:%s:%u ",
286 tablename, chainname, comment, rulenum);
291 struct ipt_entry *ipt_next_entry(const struct ipt_entry *entry)
293 return (void *)entry + entry->next_offset;
296 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
298 ipt_do_table(struct sk_buff *skb,
300 const struct net_device *in,
301 const struct net_device *out,
302 struct xt_table *table)
304 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
305 const struct iphdr *ip;
306 /* Initializing verdict to NF_DROP keeps gcc happy. */
307 unsigned int verdict = NF_DROP;
308 const char *indev, *outdev;
309 const void *table_base;
310 struct ipt_entry *e, **jumpstack;
311 unsigned int *stackptr, origptr, cpu;
312 const struct xt_table_info *private;
313 struct xt_action_param acpar;
317 indev = in ? in->name : nulldevname;
318 outdev = out ? out->name : nulldevname;
319 /* We handle fragments by dealing with the first fragment as
320 * if it was a normal packet. All other fragments are treated
321 * normally, except that they will NEVER match rules that ask
322 * things we don't know, ie. tcp syn flag or ports). If the
323 * rule is also a fragment-specific rule, non-fragments won't
325 acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
326 acpar.thoff = ip_hdrlen(skb);
327 acpar.hotdrop = false;
330 acpar.family = NFPROTO_IPV4;
331 acpar.hooknum = hook;
333 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
335 private = table->private;
336 cpu = smp_processor_id();
337 table_base = private->entries[cpu];
338 jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
339 stackptr = per_cpu_ptr(private->stackptr, cpu);
342 e = get_entry(table_base, private->hook_entry[hook]);
344 pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n",
345 table->name, hook, origptr,
346 get_entry(table_base, private->underflow[hook]));
349 const struct ipt_entry_target *t;
350 const struct xt_entry_match *ematch;
353 if (!ip_packet_match(ip, indev, outdev,
354 &e->ip, acpar.fragoff)) {
356 e = ipt_next_entry(e);
360 xt_ematch_foreach(ematch, e) {
361 acpar.match = ematch->u.kernel.match;
362 acpar.matchinfo = ematch->data;
363 if (!acpar.match->match(skb, &acpar))
367 ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
369 t = ipt_get_target(e);
370 IP_NF_ASSERT(t->u.kernel.target);
372 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
373 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
374 /* The packet is traced: log it */
375 if (unlikely(skb->nf_trace))
376 trace_packet(skb, hook, in, out,
377 table->name, private, e);
379 /* Standard target? */
380 if (!t->u.kernel.target->target) {
383 v = ((struct ipt_standard_target *)t)->verdict;
385 /* Pop from stack? */
386 if (v != IPT_RETURN) {
387 verdict = (unsigned)(-v) - 1;
390 if (*stackptr == 0) {
391 e = get_entry(table_base,
392 private->underflow[hook]);
393 pr_debug("Underflow (this is normal) "
396 e = jumpstack[--*stackptr];
397 pr_debug("Pulled %p out from pos %u\n",
399 e = ipt_next_entry(e);
403 if (table_base + v != ipt_next_entry(e) &&
404 !(e->ip.flags & IPT_F_GOTO)) {
405 if (*stackptr >= private->stacksize) {
409 jumpstack[(*stackptr)++] = e;
410 pr_debug("Pushed %p into pos %u\n",
414 e = get_entry(table_base, v);
418 acpar.target = t->u.kernel.target;
419 acpar.targinfo = t->data;
421 verdict = t->u.kernel.target->target(skb, &acpar);
422 /* Target might have changed stuff. */
424 if (verdict == IPT_CONTINUE)
425 e = ipt_next_entry(e);
429 } while (!acpar.hotdrop);
430 xt_info_rdunlock_bh();
431 pr_debug("Exiting %s; resetting sp from %u to %u\n",
432 __func__, *stackptr, origptr);
434 #ifdef DEBUG_ALLOW_ALL
443 /* Figures out from what hook each rule can be called: returns 0 if
444 there are loops. Puts hook bitmask in comefrom. */
446 mark_source_chains(const struct xt_table_info *newinfo,
447 unsigned int valid_hooks, void *entry0)
451 /* No recursion; use packet counter to save back ptrs (reset
452 to 0 as we leave), and comefrom to save source hook bitmask */
453 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
454 unsigned int pos = newinfo->hook_entry[hook];
455 struct ipt_entry *e = (struct ipt_entry *)(entry0 + pos);
457 if (!(valid_hooks & (1 << hook)))
460 /* Set initial back pointer. */
461 e->counters.pcnt = pos;
464 const struct ipt_standard_target *t
465 = (void *)ipt_get_target_c(e);
466 int visited = e->comefrom & (1 << hook);
468 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
469 pr_err("iptables: loop hook %u pos %u %08X.\n",
470 hook, pos, e->comefrom);
473 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
475 /* Unconditional return/END. */
476 if ((e->target_offset == sizeof(struct ipt_entry) &&
477 (strcmp(t->target.u.user.name,
478 IPT_STANDARD_TARGET) == 0) &&
479 t->verdict < 0 && unconditional(&e->ip)) ||
481 unsigned int oldpos, size;
483 if ((strcmp(t->target.u.user.name,
484 IPT_STANDARD_TARGET) == 0) &&
485 t->verdict < -NF_MAX_VERDICT - 1) {
486 duprintf("mark_source_chains: bad "
487 "negative verdict (%i)\n",
492 /* Return: backtrack through the last
495 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
496 #ifdef DEBUG_IP_FIREWALL_USER
498 & (1 << NF_INET_NUMHOOKS)) {
499 duprintf("Back unset "
506 pos = e->counters.pcnt;
507 e->counters.pcnt = 0;
509 /* We're at the start. */
513 e = (struct ipt_entry *)
515 } while (oldpos == pos + e->next_offset);
518 size = e->next_offset;
519 e = (struct ipt_entry *)
520 (entry0 + pos + size);
521 e->counters.pcnt = pos;
524 int newpos = t->verdict;
526 if (strcmp(t->target.u.user.name,
527 IPT_STANDARD_TARGET) == 0 &&
529 if (newpos > newinfo->size -
530 sizeof(struct ipt_entry)) {
531 duprintf("mark_source_chains: "
532 "bad verdict (%i)\n",
536 /* This a jump; chase it. */
537 duprintf("Jump rule %u -> %u\n",
540 /* ... this is a fallthru */
541 newpos = pos + e->next_offset;
543 e = (struct ipt_entry *)
545 e->counters.pcnt = pos;
550 duprintf("Finished chain %u\n", hook);
555 static void cleanup_match(struct ipt_entry_match *m, struct net *net)
557 struct xt_mtdtor_param par;
560 par.match = m->u.kernel.match;
561 par.matchinfo = m->data;
562 par.family = NFPROTO_IPV4;
563 if (par.match->destroy != NULL)
564 par.match->destroy(&par);
565 module_put(par.match->me);
569 check_entry(const struct ipt_entry *e, const char *name)
571 const struct ipt_entry_target *t;
573 if (!ip_checkentry(&e->ip)) {
574 duprintf("ip check failed %p %s.\n", e, par->match->name);
578 if (e->target_offset + sizeof(struct ipt_entry_target) >
582 t = ipt_get_target_c(e);
583 if (e->target_offset + t->u.target_size > e->next_offset)
590 check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
592 const struct ipt_ip *ip = par->entryinfo;
595 par->match = m->u.kernel.match;
596 par->matchinfo = m->data;
598 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
599 ip->proto, ip->invflags & IPT_INV_PROTO);
601 duprintf("check failed for `%s'.\n", par->match->name);
608 find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
610 struct xt_match *match;
613 match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
616 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
617 return PTR_ERR(match);
619 m->u.kernel.match = match;
621 ret = check_match(m, par);
627 module_put(m->u.kernel.match->me);
631 static int check_target(struct ipt_entry *e, struct net *net, const char *name)
633 struct ipt_entry_target *t = ipt_get_target(e);
634 struct xt_tgchk_param par = {
638 .target = t->u.kernel.target,
640 .hook_mask = e->comefrom,
641 .family = NFPROTO_IPV4,
645 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
646 e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
648 duprintf("check failed for `%s'.\n",
649 t->u.kernel.target->name);
656 find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
659 struct ipt_entry_target *t;
660 struct xt_target *target;
663 struct xt_mtchk_param mtpar;
664 struct xt_entry_match *ematch;
666 ret = check_entry(e, name);
673 mtpar.entryinfo = &e->ip;
674 mtpar.hook_mask = e->comefrom;
675 mtpar.family = NFPROTO_IPV4;
676 xt_ematch_foreach(ematch, e) {
677 ret = find_check_match(ematch, &mtpar);
679 goto cleanup_matches;
683 t = ipt_get_target(e);
684 target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
686 if (IS_ERR(target)) {
687 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
688 ret = PTR_ERR(target);
689 goto cleanup_matches;
691 t->u.kernel.target = target;
693 ret = check_target(e, net, name);
698 module_put(t->u.kernel.target->me);
700 xt_ematch_foreach(ematch, e) {
703 cleanup_match(ematch, net);
708 static bool check_underflow(const struct ipt_entry *e)
710 const struct ipt_entry_target *t;
711 unsigned int verdict;
713 if (!unconditional(&e->ip))
715 t = ipt_get_target_c(e);
716 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
718 verdict = ((struct ipt_standard_target *)t)->verdict;
719 verdict = -verdict - 1;
720 return verdict == NF_DROP || verdict == NF_ACCEPT;
724 check_entry_size_and_hooks(struct ipt_entry *e,
725 struct xt_table_info *newinfo,
726 const unsigned char *base,
727 const unsigned char *limit,
728 const unsigned int *hook_entries,
729 const unsigned int *underflows,
730 unsigned int valid_hooks)
734 if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
735 (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
736 duprintf("Bad offset %p\n", e);
741 < sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
742 duprintf("checking: element %p size %u\n",
747 /* Check hooks & underflows */
748 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
749 if (!(valid_hooks & (1 << h)))
751 if ((unsigned char *)e - base == hook_entries[h])
752 newinfo->hook_entry[h] = hook_entries[h];
753 if ((unsigned char *)e - base == underflows[h]) {
754 if (!check_underflow(e)) {
755 pr_err("Underflows must be unconditional and "
756 "use the STANDARD target with "
760 newinfo->underflow[h] = underflows[h];
764 /* Clear counters and comefrom */
765 e->counters = ((struct xt_counters) { 0, 0 });
771 cleanup_entry(struct ipt_entry *e, struct net *net)
773 struct xt_tgdtor_param par;
774 struct ipt_entry_target *t;
775 struct xt_entry_match *ematch;
777 /* Cleanup all matches */
778 xt_ematch_foreach(ematch, e)
779 cleanup_match(ematch, net);
780 t = ipt_get_target(e);
783 par.target = t->u.kernel.target;
784 par.targinfo = t->data;
785 par.family = NFPROTO_IPV4;
786 if (par.target->destroy != NULL)
787 par.target->destroy(&par);
788 module_put(par.target->me);
791 /* Checks and translates the user-supplied table segment (held in
794 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
795 const struct ipt_replace *repl)
797 struct ipt_entry *iter;
801 newinfo->size = repl->size;
802 newinfo->number = repl->num_entries;
804 /* Init all hooks to impossible value. */
805 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
806 newinfo->hook_entry[i] = 0xFFFFFFFF;
807 newinfo->underflow[i] = 0xFFFFFFFF;
810 duprintf("translate_table: size %u\n", newinfo->size);
812 /* Walk through entries, checking offsets. */
813 xt_entry_foreach(iter, entry0, newinfo->size) {
814 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
822 if (strcmp(ipt_get_target(iter)->u.user.name,
823 XT_ERROR_TARGET) == 0)
824 ++newinfo->stacksize;
827 if (i != repl->num_entries) {
828 duprintf("translate_table: %u not %u entries\n",
829 i, repl->num_entries);
833 /* Check hooks all assigned */
834 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
835 /* Only hooks which are valid */
836 if (!(repl->valid_hooks & (1 << i)))
838 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
839 duprintf("Invalid hook entry %u %u\n",
840 i, repl->hook_entry[i]);
843 if (newinfo->underflow[i] == 0xFFFFFFFF) {
844 duprintf("Invalid underflow %u %u\n",
845 i, repl->underflow[i]);
850 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
853 /* Finally, each sanity check must pass */
855 xt_entry_foreach(iter, entry0, newinfo->size) {
856 ret = find_check_entry(iter, net, repl->name, repl->size);
863 xt_entry_foreach(iter, entry0, newinfo->size) {
866 cleanup_entry(iter, net);
871 /* And one copy for every other CPU */
872 for_each_possible_cpu(i) {
873 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
874 memcpy(newinfo->entries[i], entry0, newinfo->size);
881 get_counters(const struct xt_table_info *t,
882 struct xt_counters counters[])
884 struct ipt_entry *iter;
889 /* Instead of clearing (by a previous call to memset())
890 * the counters and using adds, we set the counters
891 * with data used by 'current' CPU.
893 * Bottom half has to be disabled to prevent deadlock
894 * if new softirq were to run and call ipt_do_table
897 curcpu = smp_processor_id();
900 xt_entry_foreach(iter, t->entries[curcpu], t->size) {
901 SET_COUNTER(counters[i], iter->counters.bcnt,
902 iter->counters.pcnt);
906 for_each_possible_cpu(cpu) {
911 xt_entry_foreach(iter, t->entries[cpu], t->size) {
912 ADD_COUNTER(counters[i], iter->counters.bcnt,
913 iter->counters.pcnt);
914 ++i; /* macro does multi eval of i */
916 xt_info_wrunlock(cpu);
921 static struct xt_counters *alloc_counters(const struct xt_table *table)
923 unsigned int countersize;
924 struct xt_counters *counters;
925 const struct xt_table_info *private = table->private;
927 /* We need atomic snapshot of counters: rest doesn't change
928 (other than comefrom, which userspace doesn't care
930 countersize = sizeof(struct xt_counters) * private->number;
931 counters = vmalloc_node(countersize, numa_node_id());
933 if (counters == NULL)
934 return ERR_PTR(-ENOMEM);
936 get_counters(private, counters);
942 copy_entries_to_user(unsigned int total_size,
943 const struct xt_table *table,
944 void __user *userptr)
946 unsigned int off, num;
947 const struct ipt_entry *e;
948 struct xt_counters *counters;
949 const struct xt_table_info *private = table->private;
951 const void *loc_cpu_entry;
953 counters = alloc_counters(table);
954 if (IS_ERR(counters))
955 return PTR_ERR(counters);
957 /* choose the copy that is on our node/cpu, ...
958 * This choice is lazy (because current thread is
959 * allowed to migrate to another cpu)
961 loc_cpu_entry = private->entries[raw_smp_processor_id()];
962 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
967 /* FIXME: use iterator macros --RR */
968 /* ... then go back and fix counters and names */
969 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
971 const struct ipt_entry_match *m;
972 const struct ipt_entry_target *t;
974 e = (struct ipt_entry *)(loc_cpu_entry + off);
975 if (copy_to_user(userptr + off
976 + offsetof(struct ipt_entry, counters),
978 sizeof(counters[num])) != 0) {
983 for (i = sizeof(struct ipt_entry);
984 i < e->target_offset;
985 i += m->u.match_size) {
988 if (copy_to_user(userptr + off + i
989 + offsetof(struct ipt_entry_match,
991 m->u.kernel.match->name,
992 strlen(m->u.kernel.match->name)+1)
999 t = ipt_get_target_c(e);
1000 if (copy_to_user(userptr + off + e->target_offset
1001 + offsetof(struct ipt_entry_target,
1003 t->u.kernel.target->name,
1004 strlen(t->u.kernel.target->name)+1) != 0) {
1015 #ifdef CONFIG_COMPAT
1016 static void compat_standard_from_user(void *dst, const void *src)
1018 int v = *(compat_int_t *)src;
1021 v += xt_compat_calc_jump(AF_INET, v);
1022 memcpy(dst, &v, sizeof(v));
1025 static int compat_standard_to_user(void __user *dst, const void *src)
1027 compat_int_t cv = *(int *)src;
1030 cv -= xt_compat_calc_jump(AF_INET, cv);
1031 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1034 static int compat_calc_entry(const struct ipt_entry *e,
1035 const struct xt_table_info *info,
1036 const void *base, struct xt_table_info *newinfo)
1038 const struct xt_entry_match *ematch;
1039 const struct ipt_entry_target *t;
1040 unsigned int entry_offset;
1043 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1044 entry_offset = (void *)e - base;
1045 xt_ematch_foreach(ematch, e)
1046 off += xt_compat_match_offset(ematch->u.kernel.match);
1047 t = ipt_get_target_c(e);
1048 off += xt_compat_target_offset(t->u.kernel.target);
1049 newinfo->size -= off;
1050 ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1054 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1055 if (info->hook_entry[i] &&
1056 (e < (struct ipt_entry *)(base + info->hook_entry[i])))
1057 newinfo->hook_entry[i] -= off;
1058 if (info->underflow[i] &&
1059 (e < (struct ipt_entry *)(base + info->underflow[i])))
1060 newinfo->underflow[i] -= off;
1065 static int compat_table_info(const struct xt_table_info *info,
1066 struct xt_table_info *newinfo)
1068 struct ipt_entry *iter;
1069 void *loc_cpu_entry;
1072 if (!newinfo || !info)
1075 /* we dont care about newinfo->entries[] */
1076 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1077 newinfo->initial_entries = 0;
1078 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1079 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
1080 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
1088 static int get_info(struct net *net, void __user *user,
1089 const int *len, int compat)
1091 char name[IPT_TABLE_MAXNAMELEN];
1095 if (*len != sizeof(struct ipt_getinfo)) {
1096 duprintf("length %u != %zu\n", *len,
1097 sizeof(struct ipt_getinfo));
1101 if (copy_from_user(name, user, sizeof(name)) != 0)
1104 name[IPT_TABLE_MAXNAMELEN-1] = '\0';
1105 #ifdef CONFIG_COMPAT
1107 xt_compat_lock(AF_INET);
1109 t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1110 "iptable_%s", name);
1111 if (t && !IS_ERR(t)) {
1112 struct ipt_getinfo info;
1113 const struct xt_table_info *private = t->private;
1114 #ifdef CONFIG_COMPAT
1115 struct xt_table_info tmp;
1118 ret = compat_table_info(private, &tmp);
1119 xt_compat_flush_offsets(AF_INET);
1123 info.valid_hooks = t->valid_hooks;
1124 memcpy(info.hook_entry, private->hook_entry,
1125 sizeof(info.hook_entry));
1126 memcpy(info.underflow, private->underflow,
1127 sizeof(info.underflow));
1128 info.num_entries = private->number;
1129 info.size = private->size;
1130 strcpy(info.name, name);
1132 if (copy_to_user(user, &info, *len) != 0)
1140 ret = t ? PTR_ERR(t) : -ENOENT;
1141 #ifdef CONFIG_COMPAT
1143 xt_compat_unlock(AF_INET);
1149 get_entries(struct net *net, struct ipt_get_entries __user *uptr,
1153 struct ipt_get_entries get;
1156 if (*len < sizeof(get)) {
1157 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1160 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1162 if (*len != sizeof(struct ipt_get_entries) + get.size) {
1163 duprintf("get_entries: %u != %zu\n",
1164 *len, sizeof(get) + get.size);
1168 t = xt_find_table_lock(net, AF_INET, get.name);
1169 if (t && !IS_ERR(t)) {
1170 const struct xt_table_info *private = t->private;
1171 duprintf("t->private->number = %u\n", private->number);
1172 if (get.size == private->size)
1173 ret = copy_entries_to_user(private->size,
1174 t, uptr->entrytable);
1176 duprintf("get_entries: I've got %u not %u!\n",
1177 private->size, get.size);
1183 ret = t ? PTR_ERR(t) : -ENOENT;
1189 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1190 struct xt_table_info *newinfo, unsigned int num_counters,
1191 void __user *counters_ptr)
1195 struct xt_table_info *oldinfo;
1196 struct xt_counters *counters;
1197 void *loc_cpu_old_entry;
1198 struct ipt_entry *iter;
1201 counters = vmalloc(num_counters * sizeof(struct xt_counters));
1207 t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1208 "iptable_%s", name);
1209 if (!t || IS_ERR(t)) {
1210 ret = t ? PTR_ERR(t) : -ENOENT;
1211 goto free_newinfo_counters_untrans;
1215 if (valid_hooks != t->valid_hooks) {
1216 duprintf("Valid hook crap: %08X vs %08X\n",
1217 valid_hooks, t->valid_hooks);
1222 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1226 /* Update module usage count based on number of rules */
1227 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1228 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1229 if ((oldinfo->number > oldinfo->initial_entries) ||
1230 (newinfo->number <= oldinfo->initial_entries))
1232 if ((oldinfo->number > oldinfo->initial_entries) &&
1233 (newinfo->number <= oldinfo->initial_entries))
1236 /* Get the old counters, and synchronize with replace */
1237 get_counters(oldinfo, counters);
1239 /* Decrease module usage counts and free resource */
1240 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1241 xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
1242 cleanup_entry(iter, net);
1244 xt_free_table_info(oldinfo);
1245 if (copy_to_user(counters_ptr, counters,
1246 sizeof(struct xt_counters) * num_counters) != 0)
1255 free_newinfo_counters_untrans:
1262 do_replace(struct net *net, const void __user *user, unsigned int len)
1265 struct ipt_replace tmp;
1266 struct xt_table_info *newinfo;
1267 void *loc_cpu_entry;
1268 struct ipt_entry *iter;
1270 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1273 /* overflow check */
1274 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1277 newinfo = xt_alloc_table_info(tmp.size);
1281 /* choose the copy that is on our node/cpu */
1282 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1283 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1289 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1293 duprintf("Translated table\n");
1295 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1296 tmp.num_counters, tmp.counters);
1298 goto free_newinfo_untrans;
1301 free_newinfo_untrans:
1302 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1303 cleanup_entry(iter, net);
1305 xt_free_table_info(newinfo);
1310 do_add_counters(struct net *net, const void __user *user,
1311 unsigned int len, int compat)
1313 unsigned int i, curcpu;
1314 struct xt_counters_info tmp;
1315 struct xt_counters *paddc;
1316 unsigned int num_counters;
1321 const struct xt_table_info *private;
1323 void *loc_cpu_entry;
1324 struct ipt_entry *iter;
1325 #ifdef CONFIG_COMPAT
1326 struct compat_xt_counters_info compat_tmp;
1330 size = sizeof(struct compat_xt_counters_info);
1335 size = sizeof(struct xt_counters_info);
1338 if (copy_from_user(ptmp, user, size) != 0)
1341 #ifdef CONFIG_COMPAT
1343 num_counters = compat_tmp.num_counters;
1344 name = compat_tmp.name;
1348 num_counters = tmp.num_counters;
1352 if (len != size + num_counters * sizeof(struct xt_counters))
1355 paddc = vmalloc_node(len - size, numa_node_id());
1359 if (copy_from_user(paddc, user + size, len - size) != 0) {
1364 t = xt_find_table_lock(net, AF_INET, name);
1365 if (!t || IS_ERR(t)) {
1366 ret = t ? PTR_ERR(t) : -ENOENT;
1371 private = t->private;
1372 if (private->number != num_counters) {
1374 goto unlock_up_free;
1378 /* Choose the copy that is on our node */
1379 curcpu = smp_processor_id();
1380 loc_cpu_entry = private->entries[curcpu];
1381 xt_info_wrlock(curcpu);
1382 xt_entry_foreach(iter, loc_cpu_entry, private->size) {
1383 ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
1386 xt_info_wrunlock(curcpu);
1397 #ifdef CONFIG_COMPAT
1398 struct compat_ipt_replace {
1399 char name[IPT_TABLE_MAXNAMELEN];
1403 u32 hook_entry[NF_INET_NUMHOOKS];
1404 u32 underflow[NF_INET_NUMHOOKS];
1406 compat_uptr_t counters; /* struct ipt_counters * */
1407 struct compat_ipt_entry entries[0];
1411 compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
1412 unsigned int *size, struct xt_counters *counters,
1415 struct ipt_entry_target *t;
1416 struct compat_ipt_entry __user *ce;
1417 u_int16_t target_offset, next_offset;
1418 compat_uint_t origsize;
1419 const struct xt_entry_match *ematch;
1423 ce = (struct compat_ipt_entry __user *)*dstptr;
1424 if (copy_to_user(ce, e, sizeof(struct ipt_entry)) != 0 ||
1425 copy_to_user(&ce->counters, &counters[i],
1426 sizeof(counters[i])) != 0)
1429 *dstptr += sizeof(struct compat_ipt_entry);
1430 *size -= sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1432 xt_ematch_foreach(ematch, e) {
1433 ret = xt_compat_match_to_user(ematch, dstptr, size);
1437 target_offset = e->target_offset - (origsize - *size);
1438 t = ipt_get_target(e);
1439 ret = xt_compat_target_to_user(t, dstptr, size);
1442 next_offset = e->next_offset - (origsize - *size);
1443 if (put_user(target_offset, &ce->target_offset) != 0 ||
1444 put_user(next_offset, &ce->next_offset) != 0)
1450 compat_find_calc_match(struct ipt_entry_match *m,
1452 const struct ipt_ip *ip,
1453 unsigned int hookmask,
1456 struct xt_match *match;
1458 match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
1459 m->u.user.revision);
1460 if (IS_ERR(match)) {
1461 duprintf("compat_check_calc_match: `%s' not found\n",
1463 return PTR_ERR(match);
1465 m->u.kernel.match = match;
1466 *size += xt_compat_match_offset(match);
1470 static void compat_release_entry(struct compat_ipt_entry *e)
1472 struct ipt_entry_target *t;
1473 struct xt_entry_match *ematch;
1475 /* Cleanup all matches */
1476 xt_ematch_foreach(ematch, e)
1477 module_put(ematch->u.kernel.match->me);
1478 t = compat_ipt_get_target(e);
1479 module_put(t->u.kernel.target->me);
1483 check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
1484 struct xt_table_info *newinfo,
1486 const unsigned char *base,
1487 const unsigned char *limit,
1488 const unsigned int *hook_entries,
1489 const unsigned int *underflows,
1492 struct xt_entry_match *ematch;
1493 struct ipt_entry_target *t;
1494 struct xt_target *target;
1495 unsigned int entry_offset;
1499 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1500 if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
1501 (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1502 duprintf("Bad offset %p, limit = %p\n", e, limit);
1506 if (e->next_offset < sizeof(struct compat_ipt_entry) +
1507 sizeof(struct compat_xt_entry_target)) {
1508 duprintf("checking: element %p size %u\n",
1513 /* For purposes of check_entry casting the compat entry is fine */
1514 ret = check_entry((struct ipt_entry *)e, name);
1518 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1519 entry_offset = (void *)e - (void *)base;
1521 xt_ematch_foreach(ematch, e) {
1522 ret = compat_find_calc_match(ematch, name,
1523 &e->ip, e->comefrom, &off);
1525 goto release_matches;
1529 t = compat_ipt_get_target(e);
1530 target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
1531 t->u.user.revision);
1532 if (IS_ERR(target)) {
1533 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1535 ret = PTR_ERR(target);
1536 goto release_matches;
1538 t->u.kernel.target = target;
1540 off += xt_compat_target_offset(target);
1542 ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1546 /* Check hooks & underflows */
1547 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1548 if ((unsigned char *)e - base == hook_entries[h])
1549 newinfo->hook_entry[h] = hook_entries[h];
1550 if ((unsigned char *)e - base == underflows[h])
1551 newinfo->underflow[h] = underflows[h];
1554 /* Clear counters and comefrom */
1555 memset(&e->counters, 0, sizeof(e->counters));
1560 module_put(t->u.kernel.target->me);
1562 xt_ematch_foreach(ematch, e) {
1565 module_put(ematch->u.kernel.match->me);
1571 compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
1572 unsigned int *size, const char *name,
1573 struct xt_table_info *newinfo, unsigned char *base)
1575 struct ipt_entry_target *t;
1576 struct xt_target *target;
1577 struct ipt_entry *de;
1578 unsigned int origsize;
1580 struct xt_entry_match *ematch;
1584 de = (struct ipt_entry *)*dstptr;
1585 memcpy(de, e, sizeof(struct ipt_entry));
1586 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1588 *dstptr += sizeof(struct ipt_entry);
1589 *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1591 xt_ematch_foreach(ematch, e) {
1592 ret = xt_compat_match_from_user(ematch, dstptr, size);
1596 de->target_offset = e->target_offset - (origsize - *size);
1597 t = compat_ipt_get_target(e);
1598 target = t->u.kernel.target;
1599 xt_compat_target_from_user(t, dstptr, size);
1601 de->next_offset = e->next_offset - (origsize - *size);
1602 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1603 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1604 newinfo->hook_entry[h] -= origsize - *size;
1605 if ((unsigned char *)de - base < newinfo->underflow[h])
1606 newinfo->underflow[h] -= origsize - *size;
1612 compat_check_entry(struct ipt_entry *e, struct net *net, const char *name)
1614 struct xt_entry_match *ematch;
1615 struct xt_mtchk_param mtpar;
1622 mtpar.entryinfo = &e->ip;
1623 mtpar.hook_mask = e->comefrom;
1624 mtpar.family = NFPROTO_IPV4;
1625 xt_ematch_foreach(ematch, e) {
1626 ret = check_match(ematch, &mtpar);
1628 goto cleanup_matches;
1632 ret = check_target(e, net, name);
1634 goto cleanup_matches;
1638 xt_ematch_foreach(ematch, e) {
1641 cleanup_match(ematch, net);
1647 translate_compat_table(struct net *net,
1649 unsigned int valid_hooks,
1650 struct xt_table_info **pinfo,
1652 unsigned int total_size,
1653 unsigned int number,
1654 unsigned int *hook_entries,
1655 unsigned int *underflows)
1658 struct xt_table_info *newinfo, *info;
1659 void *pos, *entry0, *entry1;
1660 struct compat_ipt_entry *iter0;
1661 struct ipt_entry *iter1;
1668 info->number = number;
1670 /* Init all hooks to impossible value. */
1671 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1672 info->hook_entry[i] = 0xFFFFFFFF;
1673 info->underflow[i] = 0xFFFFFFFF;
1676 duprintf("translate_compat_table: size %u\n", info->size);
1678 xt_compat_lock(AF_INET);
1679 /* Walk through entries, checking offsets. */
1680 xt_entry_foreach(iter0, entry0, total_size) {
1681 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1683 entry0 + total_size,
1694 duprintf("translate_compat_table: %u not %u entries\n",
1699 /* Check hooks all assigned */
1700 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1701 /* Only hooks which are valid */
1702 if (!(valid_hooks & (1 << i)))
1704 if (info->hook_entry[i] == 0xFFFFFFFF) {
1705 duprintf("Invalid hook entry %u %u\n",
1706 i, hook_entries[i]);
1709 if (info->underflow[i] == 0xFFFFFFFF) {
1710 duprintf("Invalid underflow %u %u\n",
1717 newinfo = xt_alloc_table_info(size);
1721 newinfo->number = number;
1722 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1723 newinfo->hook_entry[i] = info->hook_entry[i];
1724 newinfo->underflow[i] = info->underflow[i];
1726 entry1 = newinfo->entries[raw_smp_processor_id()];
1729 xt_entry_foreach(iter0, entry0, total_size) {
1730 ret = compat_copy_entry_from_user(iter0, &pos, &size,
1731 name, newinfo, entry1);
1735 xt_compat_flush_offsets(AF_INET);
1736 xt_compat_unlock(AF_INET);
1741 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1745 xt_entry_foreach(iter1, entry1, newinfo->size) {
1746 ret = compat_check_entry(iter1, net, name);
1753 * The first i matches need cleanup_entry (calls ->destroy)
1754 * because they had called ->check already. The other j-i
1755 * entries need only release.
1759 xt_entry_foreach(iter0, entry0, newinfo->size) {
1764 compat_release_entry(iter0);
1766 xt_entry_foreach(iter1, entry1, newinfo->size) {
1769 cleanup_entry(iter1, net);
1771 xt_free_table_info(newinfo);
1775 /* And one copy for every other CPU */
1776 for_each_possible_cpu(i)
1777 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1778 memcpy(newinfo->entries[i], entry1, newinfo->size);
1782 xt_free_table_info(info);
1786 xt_free_table_info(newinfo);
1788 xt_entry_foreach(iter0, entry0, total_size) {
1791 compat_release_entry(iter0);
1795 xt_compat_flush_offsets(AF_INET);
1796 xt_compat_unlock(AF_INET);
1801 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1804 struct compat_ipt_replace tmp;
1805 struct xt_table_info *newinfo;
1806 void *loc_cpu_entry;
1807 struct ipt_entry *iter;
1809 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1812 /* overflow check */
1813 if (tmp.size >= INT_MAX / num_possible_cpus())
1815 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1818 newinfo = xt_alloc_table_info(tmp.size);
1822 /* choose the copy that is on our node/cpu */
1823 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1824 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1830 ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
1831 &newinfo, &loc_cpu_entry, tmp.size,
1832 tmp.num_entries, tmp.hook_entry,
1837 duprintf("compat_do_replace: Translated table\n");
1839 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1840 tmp.num_counters, compat_ptr(tmp.counters));
1842 goto free_newinfo_untrans;
1845 free_newinfo_untrans:
1846 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1847 cleanup_entry(iter, net);
1849 xt_free_table_info(newinfo);
1854 compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
1859 if (!capable(CAP_NET_ADMIN))
1863 case IPT_SO_SET_REPLACE:
1864 ret = compat_do_replace(sock_net(sk), user, len);
1867 case IPT_SO_SET_ADD_COUNTERS:
1868 ret = do_add_counters(sock_net(sk), user, len, 1);
1872 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
1879 struct compat_ipt_get_entries {
1880 char name[IPT_TABLE_MAXNAMELEN];
1882 struct compat_ipt_entry entrytable[0];
1886 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1887 void __user *userptr)
1889 struct xt_counters *counters;
1890 const struct xt_table_info *private = table->private;
1894 const void *loc_cpu_entry;
1896 struct ipt_entry *iter;
1898 counters = alloc_counters(table);
1899 if (IS_ERR(counters))
1900 return PTR_ERR(counters);
1902 /* choose the copy that is on our node/cpu, ...
1903 * This choice is lazy (because current thread is
1904 * allowed to migrate to another cpu)
1906 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1909 xt_entry_foreach(iter, loc_cpu_entry, total_size) {
1910 ret = compat_copy_entry_to_user(iter, &pos,
1911 &size, counters, i++);
1921 compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
1925 struct compat_ipt_get_entries get;
1928 if (*len < sizeof(get)) {
1929 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1933 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1936 if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
1937 duprintf("compat_get_entries: %u != %zu\n",
1938 *len, sizeof(get) + get.size);
1942 xt_compat_lock(AF_INET);
1943 t = xt_find_table_lock(net, AF_INET, get.name);
1944 if (t && !IS_ERR(t)) {
1945 const struct xt_table_info *private = t->private;
1946 struct xt_table_info info;
1947 duprintf("t->private->number = %u\n", private->number);
1948 ret = compat_table_info(private, &info);
1949 if (!ret && get.size == info.size) {
1950 ret = compat_copy_entries_to_user(private->size,
1951 t, uptr->entrytable);
1953 duprintf("compat_get_entries: I've got %u not %u!\n",
1954 private->size, get.size);
1957 xt_compat_flush_offsets(AF_INET);
1961 ret = t ? PTR_ERR(t) : -ENOENT;
1963 xt_compat_unlock(AF_INET);
1967 static int do_ipt_get_ctl(struct sock *, int, void __user *, int *);
1970 compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1974 if (!capable(CAP_NET_ADMIN))
1978 case IPT_SO_GET_INFO:
1979 ret = get_info(sock_net(sk), user, len, 1);
1981 case IPT_SO_GET_ENTRIES:
1982 ret = compat_get_entries(sock_net(sk), user, len);
1985 ret = do_ipt_get_ctl(sk, cmd, user, len);
1992 do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1996 if (!capable(CAP_NET_ADMIN))
2000 case IPT_SO_SET_REPLACE:
2001 ret = do_replace(sock_net(sk), user, len);
2004 case IPT_SO_SET_ADD_COUNTERS:
2005 ret = do_add_counters(sock_net(sk), user, len, 0);
2009 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
2017 do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2021 if (!capable(CAP_NET_ADMIN))
2025 case IPT_SO_GET_INFO:
2026 ret = get_info(sock_net(sk), user, len, 0);
2029 case IPT_SO_GET_ENTRIES:
2030 ret = get_entries(sock_net(sk), user, len);
2033 case IPT_SO_GET_REVISION_MATCH:
2034 case IPT_SO_GET_REVISION_TARGET: {
2035 struct ipt_get_revision rev;
2038 if (*len != sizeof(rev)) {
2042 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2047 if (cmd == IPT_SO_GET_REVISION_TARGET)
2052 try_then_request_module(xt_find_revision(AF_INET, rev.name,
2055 "ipt_%s", rev.name);
2060 duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
2067 struct xt_table *ipt_register_table(struct net *net,
2068 const struct xt_table *table,
2069 const struct ipt_replace *repl)
2072 struct xt_table_info *newinfo;
2073 struct xt_table_info bootstrap = {0};
2074 void *loc_cpu_entry;
2075 struct xt_table *new_table;
2077 newinfo = xt_alloc_table_info(repl->size);
2083 /* choose the copy on our node/cpu, but dont care about preemption */
2084 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2085 memcpy(loc_cpu_entry, repl->entries, repl->size);
2087 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
2091 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2092 if (IS_ERR(new_table)) {
2093 ret = PTR_ERR(new_table);
2100 xt_free_table_info(newinfo);
2102 return ERR_PTR(ret);
2105 void ipt_unregister_table(struct net *net, struct xt_table *table)
2107 struct xt_table_info *private;
2108 void *loc_cpu_entry;
2109 struct module *table_owner = table->me;
2110 struct ipt_entry *iter;
2112 private = xt_unregister_table(table);
2114 /* Decrease module usage counts and free resources */
2115 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2116 xt_entry_foreach(iter, loc_cpu_entry, private->size)
2117 cleanup_entry(iter, net);
2118 if (private->number > private->initial_entries)
2119 module_put(table_owner);
2120 xt_free_table_info(private);
2123 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2125 icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2126 u_int8_t type, u_int8_t code,
2129 return ((test_type == 0xFF) ||
2130 (type == test_type && code >= min_code && code <= max_code))
2135 icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
2137 const struct icmphdr *ic;
2138 struct icmphdr _icmph;
2139 const struct ipt_icmp *icmpinfo = par->matchinfo;
2141 /* Must not be a fragment. */
2142 if (par->fragoff != 0)
2145 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2147 /* We've been asked to examine this packet, and we
2148 * can't. Hence, no choice but to drop.
2150 duprintf("Dropping evil ICMP tinygram.\n");
2151 par->hotdrop = true;
2155 return icmp_type_code_match(icmpinfo->type,
2159 !!(icmpinfo->invflags&IPT_ICMP_INV));
2162 static int icmp_checkentry(const struct xt_mtchk_param *par)
2164 const struct ipt_icmp *icmpinfo = par->matchinfo;
2166 /* Must specify no unknown invflags */
2167 return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
2170 static struct xt_target ipt_builtin_tg[] __read_mostly = {
2172 .name = IPT_STANDARD_TARGET,
2173 .targetsize = sizeof(int),
2174 .family = NFPROTO_IPV4,
2175 #ifdef CONFIG_COMPAT
2176 .compatsize = sizeof(compat_int_t),
2177 .compat_from_user = compat_standard_from_user,
2178 .compat_to_user = compat_standard_to_user,
2182 .name = IPT_ERROR_TARGET,
2183 .target = ipt_error,
2184 .targetsize = IPT_FUNCTION_MAXNAMELEN,
2185 .family = NFPROTO_IPV4,
2189 static struct nf_sockopt_ops ipt_sockopts = {
2191 .set_optmin = IPT_BASE_CTL,
2192 .set_optmax = IPT_SO_SET_MAX+1,
2193 .set = do_ipt_set_ctl,
2194 #ifdef CONFIG_COMPAT
2195 .compat_set = compat_do_ipt_set_ctl,
2197 .get_optmin = IPT_BASE_CTL,
2198 .get_optmax = IPT_SO_GET_MAX+1,
2199 .get = do_ipt_get_ctl,
2200 #ifdef CONFIG_COMPAT
2201 .compat_get = compat_do_ipt_get_ctl,
2203 .owner = THIS_MODULE,
2206 static struct xt_match ipt_builtin_mt[] __read_mostly = {
2209 .match = icmp_match,
2210 .matchsize = sizeof(struct ipt_icmp),
2211 .checkentry = icmp_checkentry,
2212 .proto = IPPROTO_ICMP,
2213 .family = NFPROTO_IPV4,
2217 static int __net_init ip_tables_net_init(struct net *net)
2219 return xt_proto_init(net, NFPROTO_IPV4);
2222 static void __net_exit ip_tables_net_exit(struct net *net)
2224 xt_proto_fini(net, NFPROTO_IPV4);
2227 static struct pernet_operations ip_tables_net_ops = {
2228 .init = ip_tables_net_init,
2229 .exit = ip_tables_net_exit,
2232 static int __init ip_tables_init(void)
2236 ret = register_pernet_subsys(&ip_tables_net_ops);
2240 /* Noone else will be downing sem now, so we won't sleep */
2241 ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2244 ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2248 /* Register setsockopt */
2249 ret = nf_register_sockopt(&ipt_sockopts);
2253 pr_info("(C) 2000-2006 Netfilter Core Team\n");
2257 xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2259 xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2261 unregister_pernet_subsys(&ip_tables_net_ops);
2266 static void __exit ip_tables_fini(void)
2268 nf_unregister_sockopt(&ipt_sockopts);
2270 xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2271 xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2272 unregister_pernet_subsys(&ip_tables_net_ops);
2275 EXPORT_SYMBOL(ipt_register_table);
2276 EXPORT_SYMBOL(ipt_unregister_table);
2277 EXPORT_SYMBOL(ipt_do_table);
2278 module_init(ip_tables_init);
2279 module_exit(ip_tables_fini);
git.openpandora.org / pandora-kernel.git / blob