2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 #include <linux/kernel.h>
16 #include <linux/capability.h>
18 #include <linux/skbuff.h>
19 #include <linux/kmod.h>
20 #include <linux/vmalloc.h>
21 #include <linux/netdevice.h>
22 #include <linux/module.h>
23 #include <linux/poison.h>
24 #include <linux/icmpv6.h>
26 #include <net/compat.h>
27 #include <asm/uaccess.h>
28 #include <linux/mutex.h>
29 #include <linux/proc_fs.h>
30 #include <linux/err.h>
31 #include <linux/cpumask.h>
33 #include <linux/netfilter_ipv6/ip6_tables.h>
34 #include <linux/netfilter/x_tables.h>
35 #include <net/netfilter/nf_log.h>
36 #include "../../netfilter/xt_repldata.h"
38 MODULE_LICENSE("GPL");
39 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
40 MODULE_DESCRIPTION("IPv6 packet filter");
42 /*#define DEBUG_IP_FIREWALL*/
43 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
44 /*#define DEBUG_IP_FIREWALL_USER*/
46 #ifdef DEBUG_IP_FIREWALL
47 #define dprintf(format, args...) pr_info(format , ## args)
49 #define dprintf(format, args...)
52 #ifdef DEBUG_IP_FIREWALL_USER
53 #define duprintf(format, args...) pr_info(format , ## args)
55 #define duprintf(format, args...)
58 #ifdef CONFIG_NETFILTER_DEBUG
59 #define IP_NF_ASSERT(x) WARN_ON(!(x))
61 #define IP_NF_ASSERT(x)
65 /* All the better to debug you with... */
70 void *ip6t_alloc_initial_table(const struct xt_table *info)
72 return xt_alloc_initial_table(ip6t, IP6T);
74 EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
77 We keep a set of rules for each CPU, so we can avoid write-locking
78 them in the softirq when updating the counters and therefore
79 only need to read-lock in the softirq; doing a write_lock_bh() in user
80 context stops packets coming through and allows user context to read
81 the counters or update the rules.
83 Hence the start of any table is given by get_table() below. */
85 /* Returns whether matches rule or not. */
86 /* Performance critical - called for every packet */
88 ip6_packet_match(const struct sk_buff *skb,
91 const struct ip6t_ip6 *ip6info,
92 unsigned int *protoff,
93 int *fragoff, bool *hotdrop)
96 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
98 #define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
100 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
101 &ip6info->src), IP6T_INV_SRCIP) ||
102 FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
103 &ip6info->dst), IP6T_INV_DSTIP)) {
104 dprintf("Source or dest mismatch.\n");
106 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
107 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
108 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
109 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
110 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
111 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
115 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
117 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
118 dprintf("VIA in mismatch (%s vs %s).%s\n",
119 indev, ip6info->iniface,
120 ip6info->invflags & IP6T_INV_VIA_IN ? " (INV)" : "");
124 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
126 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
127 dprintf("VIA out mismatch (%s vs %s).%s\n",
128 outdev, ip6info->outiface,
129 ip6info->invflags & IP6T_INV_VIA_OUT ? " (INV)" : "");
133 /* ... might want to do something with class and flowlabel here ... */
135 /* look for the desired protocol header */
136 if (ip6info->flags & IP6T_F_PROTO) {
138 unsigned short _frag_off;
140 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off, NULL);
146 *fragoff = _frag_off;
148 dprintf("Packet protocol %hi ?= %s%hi.\n",
150 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
153 if (ip6info->proto == protohdr) {
154 if (ip6info->invflags & IP6T_INV_PROTO)
160 /* We need match for the '-p all', too! */
161 if ((ip6info->proto != 0) &&
162 !(ip6info->invflags & IP6T_INV_PROTO))
168 /* should be ip6 safe */
170 ip6_checkentry(const struct ip6t_ip6 *ipv6)
172 if (ipv6->flags & ~IP6T_F_MASK) {
173 duprintf("Unknown flag bits set: %08X\n",
174 ipv6->flags & ~IP6T_F_MASK);
177 if (ipv6->invflags & ~IP6T_INV_MASK) {
178 duprintf("Unknown invflag bits set: %08X\n",
179 ipv6->invflags & ~IP6T_INV_MASK);
186 ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
188 net_info_ratelimited("error: `%s'\n", (const char *)par->targinfo);
193 static inline struct ip6t_entry *
194 get_entry(const void *base, unsigned int offset)
196 return (struct ip6t_entry *)(base + offset);
199 /* All zeroes == unconditional rule. */
200 /* Mildly perf critical (only if packet tracing is on) */
201 static inline bool unconditional(const struct ip6t_entry *e)
203 static const struct ip6t_ip6 uncond;
205 return e->target_offset == sizeof(struct ip6t_entry) &&
206 memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0;
209 static inline const struct xt_entry_target *
210 ip6t_get_target_c(const struct ip6t_entry *e)
212 return ip6t_get_target((struct ip6t_entry *)e);
215 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
216 /* This cries for unification! */
217 static const char *const hooknames[] = {
218 [NF_INET_PRE_ROUTING] = "PREROUTING",
219 [NF_INET_LOCAL_IN] = "INPUT",
220 [NF_INET_FORWARD] = "FORWARD",
221 [NF_INET_LOCAL_OUT] = "OUTPUT",
222 [NF_INET_POST_ROUTING] = "POSTROUTING",
225 enum nf_ip_trace_comments {
226 NF_IP6_TRACE_COMMENT_RULE,
227 NF_IP6_TRACE_COMMENT_RETURN,
228 NF_IP6_TRACE_COMMENT_POLICY,
231 static const char *const comments[] = {
232 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
233 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
234 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
237 static struct nf_loginfo trace_loginfo = {
238 .type = NF_LOG_TYPE_LOG,
241 .level = LOGLEVEL_WARNING,
242 .logflags = NF_LOG_MASK,
247 /* Mildly perf critical (only if packet tracing is on) */
249 get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
250 const char *hookname, const char **chainname,
251 const char **comment, unsigned int *rulenum)
253 const struct xt_standard_target *t = (void *)ip6t_get_target_c(s);
255 if (strcmp(t->target.u.kernel.target->name, XT_ERROR_TARGET) == 0) {
256 /* Head of user chain: ERROR target with chainname */
257 *chainname = t->target.data;
262 if (unconditional(s) &&
263 strcmp(t->target.u.kernel.target->name,
264 XT_STANDARD_TARGET) == 0 &&
266 /* Tail of chains: STANDARD target (return/policy) */
267 *comment = *chainname == hookname
268 ? comments[NF_IP6_TRACE_COMMENT_POLICY]
269 : comments[NF_IP6_TRACE_COMMENT_RETURN];
278 static void trace_packet(struct net *net,
279 const struct sk_buff *skb,
281 const struct net_device *in,
282 const struct net_device *out,
283 const char *tablename,
284 const struct xt_table_info *private,
285 const struct ip6t_entry *e)
287 const struct ip6t_entry *root;
288 const char *hookname, *chainname, *comment;
289 const struct ip6t_entry *iter;
290 unsigned int rulenum = 0;
292 root = get_entry(private->entries, private->hook_entry[hook]);
294 hookname = chainname = hooknames[hook];
295 comment = comments[NF_IP6_TRACE_COMMENT_RULE];
297 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
298 if (get_chainname_rulenum(iter, e, hookname,
299 &chainname, &comment, &rulenum) != 0)
302 nf_log_trace(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
303 "TRACE: %s:%s:%s:%u ",
304 tablename, chainname, comment, rulenum);
308 static inline struct ip6t_entry *
309 ip6t_next_entry(const struct ip6t_entry *entry)
311 return (void *)entry + entry->next_offset;
314 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
316 ip6t_do_table(struct sk_buff *skb,
317 const struct nf_hook_state *state,
318 struct xt_table *table)
320 unsigned int hook = state->hook;
321 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
322 /* Initializing verdict to NF_DROP keeps gcc happy. */
323 unsigned int verdict = NF_DROP;
324 const char *indev, *outdev;
325 const void *table_base;
326 struct ip6t_entry *e, **jumpstack;
327 unsigned int stackidx, cpu;
328 const struct xt_table_info *private;
329 struct xt_action_param acpar;
334 indev = state->in ? state->in->name : nulldevname;
335 outdev = state->out ? state->out->name : nulldevname;
336 /* We handle fragments by dealing with the first fragment as
337 * if it was a normal packet. All other fragments are treated
338 * normally, except that they will NEVER match rules that ask
339 * things we don't know, ie. tcp syn flag or ports). If the
340 * rule is also a fragment-specific rule, non-fragments won't
342 acpar.hotdrop = false;
343 acpar.net = state->net;
344 acpar.in = state->in;
345 acpar.out = state->out;
346 acpar.family = NFPROTO_IPV6;
347 acpar.hooknum = hook;
349 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
352 addend = xt_write_recseq_begin();
353 private = table->private;
355 * Ensure we load private-> members after we've fetched the base
358 smp_read_barrier_depends();
359 cpu = smp_processor_id();
360 table_base = private->entries;
361 jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
363 /* Switch to alternate jumpstack if we're being invoked via TEE.
364 * TEE issues XT_CONTINUE verdict on original skb so we must not
365 * clobber the jumpstack.
367 * For recursion via REJECT or SYNPROXY the stack will be clobbered
368 * but it is no problem since absolute verdict is issued by these.
370 if (static_key_false(&xt_tee_enabled))
371 jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
373 e = get_entry(table_base, private->hook_entry[hook]);
376 const struct xt_entry_target *t;
377 const struct xt_entry_match *ematch;
378 struct xt_counters *counter;
382 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
383 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
385 e = ip6t_next_entry(e);
389 xt_ematch_foreach(ematch, e) {
390 acpar.match = ematch->u.kernel.match;
391 acpar.matchinfo = ematch->data;
392 if (!acpar.match->match(skb, &acpar))
396 counter = xt_get_this_cpu_counter(&e->counters);
397 ADD_COUNTER(*counter, skb->len, 1);
399 t = ip6t_get_target_c(e);
400 IP_NF_ASSERT(t->u.kernel.target);
402 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
403 /* The packet is traced: log it */
404 if (unlikely(skb->nf_trace))
405 trace_packet(state->net, skb, hook, state->in,
406 state->out, table->name, private, e);
408 /* Standard target? */
409 if (!t->u.kernel.target->target) {
412 v = ((struct xt_standard_target *)t)->verdict;
414 /* Pop from stack? */
415 if (v != XT_RETURN) {
416 verdict = (unsigned int)(-v) - 1;
420 e = get_entry(table_base,
421 private->underflow[hook]);
423 e = ip6t_next_entry(jumpstack[--stackidx]);
426 if (table_base + v != ip6t_next_entry(e) &&
427 !(e->ipv6.flags & IP6T_F_GOTO)) {
428 jumpstack[stackidx++] = e;
431 e = get_entry(table_base, v);
435 acpar.target = t->u.kernel.target;
436 acpar.targinfo = t->data;
438 verdict = t->u.kernel.target->target(skb, &acpar);
439 if (verdict == XT_CONTINUE)
440 e = ip6t_next_entry(e);
444 } while (!acpar.hotdrop);
446 xt_write_recseq_end(addend);
449 #ifdef DEBUG_ALLOW_ALL
458 /* Figures out from what hook each rule can be called: returns 0 if
459 there are loops. Puts hook bitmask in comefrom. */
461 mark_source_chains(const struct xt_table_info *newinfo,
462 unsigned int valid_hooks, void *entry0)
466 /* No recursion; use packet counter to save back ptrs (reset
467 to 0 as we leave), and comefrom to save source hook bitmask */
468 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
469 unsigned int pos = newinfo->hook_entry[hook];
470 struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
472 if (!(valid_hooks & (1 << hook)))
475 /* Set initial back pointer. */
476 e->counters.pcnt = pos;
479 const struct xt_standard_target *t
480 = (void *)ip6t_get_target_c(e);
481 int visited = e->comefrom & (1 << hook);
483 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
484 pr_err("iptables: loop hook %u pos %u %08X.\n",
485 hook, pos, e->comefrom);
488 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
490 /* Unconditional return/END. */
491 if ((unconditional(e) &&
492 (strcmp(t->target.u.user.name,
493 XT_STANDARD_TARGET) == 0) &&
494 t->verdict < 0) || visited) {
495 unsigned int oldpos, size;
497 if ((strcmp(t->target.u.user.name,
498 XT_STANDARD_TARGET) == 0) &&
499 t->verdict < -NF_MAX_VERDICT - 1) {
500 duprintf("mark_source_chains: bad "
501 "negative verdict (%i)\n",
506 /* Return: backtrack through the last
509 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
510 #ifdef DEBUG_IP_FIREWALL_USER
512 & (1 << NF_INET_NUMHOOKS)) {
513 duprintf("Back unset "
520 pos = e->counters.pcnt;
521 e->counters.pcnt = 0;
523 /* We're at the start. */
527 e = (struct ip6t_entry *)
529 } while (oldpos == pos + e->next_offset);
532 size = e->next_offset;
533 e = (struct ip6t_entry *)
534 (entry0 + pos + size);
535 e->counters.pcnt = pos;
538 int newpos = t->verdict;
540 if (strcmp(t->target.u.user.name,
541 XT_STANDARD_TARGET) == 0 &&
543 if (newpos > newinfo->size -
544 sizeof(struct ip6t_entry)) {
545 duprintf("mark_source_chains: "
546 "bad verdict (%i)\n",
550 /* This a jump; chase it. */
551 duprintf("Jump rule %u -> %u\n",
554 /* ... this is a fallthru */
555 newpos = pos + e->next_offset;
557 e = (struct ip6t_entry *)
559 e->counters.pcnt = pos;
564 duprintf("Finished chain %u\n", hook);
569 static void cleanup_match(struct xt_entry_match *m, struct net *net)
571 struct xt_mtdtor_param par;
574 par.match = m->u.kernel.match;
575 par.matchinfo = m->data;
576 par.family = NFPROTO_IPV6;
577 if (par.match->destroy != NULL)
578 par.match->destroy(&par);
579 module_put(par.match->me);
583 check_entry(const struct ip6t_entry *e)
585 const struct xt_entry_target *t;
587 if (!ip6_checkentry(&e->ipv6))
590 if (e->target_offset + sizeof(struct xt_entry_target) >
594 t = ip6t_get_target_c(e);
595 if (e->target_offset + t->u.target_size > e->next_offset)
601 static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
603 const struct ip6t_ip6 *ipv6 = par->entryinfo;
606 par->match = m->u.kernel.match;
607 par->matchinfo = m->data;
609 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
610 ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
612 duprintf("ip_tables: check failed for `%s'.\n",
620 find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
622 struct xt_match *match;
625 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
628 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
629 return PTR_ERR(match);
631 m->u.kernel.match = match;
633 ret = check_match(m, par);
639 module_put(m->u.kernel.match->me);
643 static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
645 struct xt_entry_target *t = ip6t_get_target(e);
646 struct xt_tgchk_param par = {
650 .target = t->u.kernel.target,
652 .hook_mask = e->comefrom,
653 .family = NFPROTO_IPV6,
657 t = ip6t_get_target(e);
658 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
659 e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
661 duprintf("ip_tables: check failed for `%s'.\n",
662 t->u.kernel.target->name);
669 find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
672 struct xt_entry_target *t;
673 struct xt_target *target;
676 struct xt_mtchk_param mtpar;
677 struct xt_entry_match *ematch;
679 e->counters.pcnt = xt_percpu_counter_alloc();
680 if (IS_ERR_VALUE(e->counters.pcnt))
686 mtpar.entryinfo = &e->ipv6;
687 mtpar.hook_mask = e->comefrom;
688 mtpar.family = NFPROTO_IPV6;
689 xt_ematch_foreach(ematch, e) {
690 ret = find_check_match(ematch, &mtpar);
692 goto cleanup_matches;
696 t = ip6t_get_target(e);
697 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
699 if (IS_ERR(target)) {
700 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
701 ret = PTR_ERR(target);
702 goto cleanup_matches;
704 t->u.kernel.target = target;
706 ret = check_target(e, net, name);
711 module_put(t->u.kernel.target->me);
713 xt_ematch_foreach(ematch, e) {
716 cleanup_match(ematch, net);
719 xt_percpu_counter_free(e->counters.pcnt);
724 static bool check_underflow(const struct ip6t_entry *e)
726 const struct xt_entry_target *t;
727 unsigned int verdict;
729 if (!unconditional(e))
731 t = ip6t_get_target_c(e);
732 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
734 verdict = ((struct xt_standard_target *)t)->verdict;
735 verdict = -verdict - 1;
736 return verdict == NF_DROP || verdict == NF_ACCEPT;
740 check_entry_size_and_hooks(struct ip6t_entry *e,
741 struct xt_table_info *newinfo,
742 const unsigned char *base,
743 const unsigned char *limit,
744 const unsigned int *hook_entries,
745 const unsigned int *underflows,
746 unsigned int valid_hooks)
751 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
752 (unsigned char *)e + sizeof(struct ip6t_entry) >= limit ||
753 (unsigned char *)e + e->next_offset > limit) {
754 duprintf("Bad offset %p\n", e);
759 < sizeof(struct ip6t_entry) + sizeof(struct xt_entry_target)) {
760 duprintf("checking: element %p size %u\n",
765 err = check_entry(e);
769 /* Check hooks & underflows */
770 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
771 if (!(valid_hooks & (1 << h)))
773 if ((unsigned char *)e - base == hook_entries[h])
774 newinfo->hook_entry[h] = hook_entries[h];
775 if ((unsigned char *)e - base == underflows[h]) {
776 if (!check_underflow(e)) {
777 pr_debug("Underflows must be unconditional and "
778 "use the STANDARD target with "
782 newinfo->underflow[h] = underflows[h];
786 /* Clear counters and comefrom */
787 e->counters = ((struct xt_counters) { 0, 0 });
792 static void cleanup_entry(struct ip6t_entry *e, struct net *net)
794 struct xt_tgdtor_param par;
795 struct xt_entry_target *t;
796 struct xt_entry_match *ematch;
798 /* Cleanup all matches */
799 xt_ematch_foreach(ematch, e)
800 cleanup_match(ematch, net);
801 t = ip6t_get_target(e);
804 par.target = t->u.kernel.target;
805 par.targinfo = t->data;
806 par.family = NFPROTO_IPV6;
807 if (par.target->destroy != NULL)
808 par.target->destroy(&par);
809 module_put(par.target->me);
811 xt_percpu_counter_free(e->counters.pcnt);
814 /* Checks and translates the user-supplied table segment (held in
817 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
818 const struct ip6t_replace *repl)
820 struct ip6t_entry *iter;
824 newinfo->size = repl->size;
825 newinfo->number = repl->num_entries;
827 /* Init all hooks to impossible value. */
828 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
829 newinfo->hook_entry[i] = 0xFFFFFFFF;
830 newinfo->underflow[i] = 0xFFFFFFFF;
833 duprintf("translate_table: size %u\n", newinfo->size);
835 /* Walk through entries, checking offsets. */
836 xt_entry_foreach(iter, entry0, newinfo->size) {
837 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
845 if (strcmp(ip6t_get_target(iter)->u.user.name,
846 XT_ERROR_TARGET) == 0)
847 ++newinfo->stacksize;
850 if (i != repl->num_entries) {
851 duprintf("translate_table: %u not %u entries\n",
852 i, repl->num_entries);
856 /* Check hooks all assigned */
857 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
858 /* Only hooks which are valid */
859 if (!(repl->valid_hooks & (1 << i)))
861 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
862 duprintf("Invalid hook entry %u %u\n",
863 i, repl->hook_entry[i]);
866 if (newinfo->underflow[i] == 0xFFFFFFFF) {
867 duprintf("Invalid underflow %u %u\n",
868 i, repl->underflow[i]);
873 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
876 /* Finally, each sanity check must pass */
878 xt_entry_foreach(iter, entry0, newinfo->size) {
879 ret = find_check_entry(iter, net, repl->name, repl->size);
886 xt_entry_foreach(iter, entry0, newinfo->size) {
889 cleanup_entry(iter, net);
898 get_counters(const struct xt_table_info *t,
899 struct xt_counters counters[])
901 struct ip6t_entry *iter;
905 for_each_possible_cpu(cpu) {
906 seqcount_t *s = &per_cpu(xt_recseq, cpu);
909 xt_entry_foreach(iter, t->entries, t->size) {
910 struct xt_counters *tmp;
914 tmp = xt_get_per_cpu_counter(&iter->counters, cpu);
916 start = read_seqcount_begin(s);
919 } while (read_seqcount_retry(s, start));
921 ADD_COUNTER(counters[i], bcnt, pcnt);
927 static struct xt_counters *alloc_counters(const struct xt_table *table)
929 unsigned int countersize;
930 struct xt_counters *counters;
931 const struct xt_table_info *private = table->private;
933 /* We need atomic snapshot of counters: rest doesn't change
934 (other than comefrom, which userspace doesn't care
936 countersize = sizeof(struct xt_counters) * private->number;
937 counters = vzalloc(countersize);
939 if (counters == NULL)
940 return ERR_PTR(-ENOMEM);
942 get_counters(private, counters);
948 copy_entries_to_user(unsigned int total_size,
949 const struct xt_table *table,
950 void __user *userptr)
952 unsigned int off, num;
953 const struct ip6t_entry *e;
954 struct xt_counters *counters;
955 const struct xt_table_info *private = table->private;
957 const void *loc_cpu_entry;
959 counters = alloc_counters(table);
960 if (IS_ERR(counters))
961 return PTR_ERR(counters);
963 loc_cpu_entry = private->entries;
964 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
969 /* FIXME: use iterator macros --RR */
970 /* ... then go back and fix counters and names */
971 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
973 const struct xt_entry_match *m;
974 const struct xt_entry_target *t;
976 e = (struct ip6t_entry *)(loc_cpu_entry + off);
977 if (copy_to_user(userptr + off
978 + offsetof(struct ip6t_entry, counters),
980 sizeof(counters[num])) != 0) {
985 for (i = sizeof(struct ip6t_entry);
986 i < e->target_offset;
987 i += m->u.match_size) {
990 if (copy_to_user(userptr + off + i
991 + offsetof(struct xt_entry_match,
993 m->u.kernel.match->name,
994 strlen(m->u.kernel.match->name)+1)
1001 t = ip6t_get_target_c(e);
1002 if (copy_to_user(userptr + off + e->target_offset
1003 + offsetof(struct xt_entry_target,
1005 t->u.kernel.target->name,
1006 strlen(t->u.kernel.target->name)+1) != 0) {
1017 #ifdef CONFIG_COMPAT
1018 static void compat_standard_from_user(void *dst, const void *src)
1020 int v = *(compat_int_t *)src;
1023 v += xt_compat_calc_jump(AF_INET6, v);
1024 memcpy(dst, &v, sizeof(v));
1027 static int compat_standard_to_user(void __user *dst, const void *src)
1029 compat_int_t cv = *(int *)src;
1032 cv -= xt_compat_calc_jump(AF_INET6, cv);
1033 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1036 static int compat_calc_entry(const struct ip6t_entry *e,
1037 const struct xt_table_info *info,
1038 const void *base, struct xt_table_info *newinfo)
1040 const struct xt_entry_match *ematch;
1041 const struct xt_entry_target *t;
1042 unsigned int entry_offset;
1045 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1046 entry_offset = (void *)e - base;
1047 xt_ematch_foreach(ematch, e)
1048 off += xt_compat_match_offset(ematch->u.kernel.match);
1049 t = ip6t_get_target_c(e);
1050 off += xt_compat_target_offset(t->u.kernel.target);
1051 newinfo->size -= off;
1052 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1056 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1057 if (info->hook_entry[i] &&
1058 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
1059 newinfo->hook_entry[i] -= off;
1060 if (info->underflow[i] &&
1061 (e < (struct ip6t_entry *)(base + info->underflow[i])))
1062 newinfo->underflow[i] -= off;
1067 static int compat_table_info(const struct xt_table_info *info,
1068 struct xt_table_info *newinfo)
1070 struct ip6t_entry *iter;
1071 const void *loc_cpu_entry;
1074 if (!newinfo || !info)
1077 /* we dont care about newinfo->entries */
1078 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1079 newinfo->initial_entries = 0;
1080 loc_cpu_entry = info->entries;
1081 xt_compat_init_offsets(AF_INET6, info->number);
1082 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
1083 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
1091 static int get_info(struct net *net, void __user *user,
1092 const int *len, int compat)
1094 char name[XT_TABLE_MAXNAMELEN];
1098 if (*len != sizeof(struct ip6t_getinfo)) {
1099 duprintf("length %u != %zu\n", *len,
1100 sizeof(struct ip6t_getinfo));
1104 if (copy_from_user(name, user, sizeof(name)) != 0)
1107 name[XT_TABLE_MAXNAMELEN-1] = '\0';
1108 #ifdef CONFIG_COMPAT
1110 xt_compat_lock(AF_INET6);
1112 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1113 "ip6table_%s", name);
1114 if (!IS_ERR_OR_NULL(t)) {
1115 struct ip6t_getinfo info;
1116 const struct xt_table_info *private = t->private;
1117 #ifdef CONFIG_COMPAT
1118 struct xt_table_info tmp;
1121 ret = compat_table_info(private, &tmp);
1122 xt_compat_flush_offsets(AF_INET6);
1126 memset(&info, 0, sizeof(info));
1127 info.valid_hooks = t->valid_hooks;
1128 memcpy(info.hook_entry, private->hook_entry,
1129 sizeof(info.hook_entry));
1130 memcpy(info.underflow, private->underflow,
1131 sizeof(info.underflow));
1132 info.num_entries = private->number;
1133 info.size = private->size;
1134 strcpy(info.name, name);
1136 if (copy_to_user(user, &info, *len) != 0)
1144 ret = t ? PTR_ERR(t) : -ENOENT;
1145 #ifdef CONFIG_COMPAT
1147 xt_compat_unlock(AF_INET6);
1153 get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
1157 struct ip6t_get_entries get;
1160 if (*len < sizeof(get)) {
1161 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1164 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1166 if (*len != sizeof(struct ip6t_get_entries) + get.size) {
1167 duprintf("get_entries: %u != %zu\n",
1168 *len, sizeof(get) + get.size);
1171 get.name[sizeof(get.name) - 1] = '\0';
1173 t = xt_find_table_lock(net, AF_INET6, get.name);
1174 if (!IS_ERR_OR_NULL(t)) {
1175 struct xt_table_info *private = t->private;
1176 duprintf("t->private->number = %u\n", private->number);
1177 if (get.size == private->size)
1178 ret = copy_entries_to_user(private->size,
1179 t, uptr->entrytable);
1181 duprintf("get_entries: I've got %u not %u!\n",
1182 private->size, get.size);
1188 ret = t ? PTR_ERR(t) : -ENOENT;
1194 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1195 struct xt_table_info *newinfo, unsigned int num_counters,
1196 void __user *counters_ptr)
1200 struct xt_table_info *oldinfo;
1201 struct xt_counters *counters;
1202 struct ip6t_entry *iter;
1205 counters = vzalloc(num_counters * sizeof(struct xt_counters));
1211 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1212 "ip6table_%s", name);
1213 if (IS_ERR_OR_NULL(t)) {
1214 ret = t ? PTR_ERR(t) : -ENOENT;
1215 goto free_newinfo_counters_untrans;
1219 if (valid_hooks != t->valid_hooks) {
1220 duprintf("Valid hook crap: %08X vs %08X\n",
1221 valid_hooks, t->valid_hooks);
1226 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1230 /* Update module usage count based on number of rules */
1231 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1232 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1233 if ((oldinfo->number > oldinfo->initial_entries) ||
1234 (newinfo->number <= oldinfo->initial_entries))
1236 if ((oldinfo->number > oldinfo->initial_entries) &&
1237 (newinfo->number <= oldinfo->initial_entries))
1240 /* Get the old counters, and synchronize with replace */
1241 get_counters(oldinfo, counters);
1243 /* Decrease module usage counts and free resource */
1244 xt_entry_foreach(iter, oldinfo->entries, oldinfo->size)
1245 cleanup_entry(iter, net);
1247 xt_free_table_info(oldinfo);
1248 if (copy_to_user(counters_ptr, counters,
1249 sizeof(struct xt_counters) * num_counters) != 0) {
1250 /* Silent error, can't fail, new table is already in place */
1251 net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
1260 free_newinfo_counters_untrans:
1267 do_replace(struct net *net, const void __user *user, unsigned int len)
1270 struct ip6t_replace tmp;
1271 struct xt_table_info *newinfo;
1272 void *loc_cpu_entry;
1273 struct ip6t_entry *iter;
1275 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1278 /* overflow check */
1279 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1281 if (tmp.num_counters == 0)
1284 tmp.name[sizeof(tmp.name)-1] = 0;
1286 newinfo = xt_alloc_table_info(tmp.size);
1290 loc_cpu_entry = newinfo->entries;
1291 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1297 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1301 duprintf("ip_tables: Translated table\n");
1303 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1304 tmp.num_counters, tmp.counters);
1306 goto free_newinfo_untrans;
1309 free_newinfo_untrans:
1310 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1311 cleanup_entry(iter, net);
1313 xt_free_table_info(newinfo);
1318 do_add_counters(struct net *net, const void __user *user, unsigned int len,
1322 struct xt_counters_info tmp;
1323 struct xt_counters *paddc;
1324 unsigned int num_counters;
1329 const struct xt_table_info *private;
1331 struct ip6t_entry *iter;
1332 unsigned int addend;
1333 #ifdef CONFIG_COMPAT
1334 struct compat_xt_counters_info compat_tmp;
1338 size = sizeof(struct compat_xt_counters_info);
1343 size = sizeof(struct xt_counters_info);
1346 if (copy_from_user(ptmp, user, size) != 0)
1349 #ifdef CONFIG_COMPAT
1351 num_counters = compat_tmp.num_counters;
1352 name = compat_tmp.name;
1356 num_counters = tmp.num_counters;
1360 if (len != size + num_counters * sizeof(struct xt_counters))
1363 paddc = vmalloc(len - size);
1367 if (copy_from_user(paddc, user + size, len - size) != 0) {
1372 t = xt_find_table_lock(net, AF_INET6, name);
1373 if (IS_ERR_OR_NULL(t)) {
1374 ret = t ? PTR_ERR(t) : -ENOENT;
1379 private = t->private;
1380 if (private->number != num_counters) {
1382 goto unlock_up_free;
1386 addend = xt_write_recseq_begin();
1387 xt_entry_foreach(iter, private->entries, private->size) {
1388 struct xt_counters *tmp;
1390 tmp = xt_get_this_cpu_counter(&iter->counters);
1391 ADD_COUNTER(*tmp, paddc[i].bcnt, paddc[i].pcnt);
1394 xt_write_recseq_end(addend);
1405 #ifdef CONFIG_COMPAT
1406 struct compat_ip6t_replace {
1407 char name[XT_TABLE_MAXNAMELEN];
1411 u32 hook_entry[NF_INET_NUMHOOKS];
1412 u32 underflow[NF_INET_NUMHOOKS];
1414 compat_uptr_t counters; /* struct xt_counters * */
1415 struct compat_ip6t_entry entries[0];
1419 compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1420 unsigned int *size, struct xt_counters *counters,
1423 struct xt_entry_target *t;
1424 struct compat_ip6t_entry __user *ce;
1425 u_int16_t target_offset, next_offset;
1426 compat_uint_t origsize;
1427 const struct xt_entry_match *ematch;
1431 ce = (struct compat_ip6t_entry __user *)*dstptr;
1432 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
1433 copy_to_user(&ce->counters, &counters[i],
1434 sizeof(counters[i])) != 0)
1437 *dstptr += sizeof(struct compat_ip6t_entry);
1438 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1440 xt_ematch_foreach(ematch, e) {
1441 ret = xt_compat_match_to_user(ematch, dstptr, size);
1445 target_offset = e->target_offset - (origsize - *size);
1446 t = ip6t_get_target(e);
1447 ret = xt_compat_target_to_user(t, dstptr, size);
1450 next_offset = e->next_offset - (origsize - *size);
1451 if (put_user(target_offset, &ce->target_offset) != 0 ||
1452 put_user(next_offset, &ce->next_offset) != 0)
1458 compat_find_calc_match(struct xt_entry_match *m,
1460 const struct ip6t_ip6 *ipv6,
1463 struct xt_match *match;
1465 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1466 m->u.user.revision);
1467 if (IS_ERR(match)) {
1468 duprintf("compat_check_calc_match: `%s' not found\n",
1470 return PTR_ERR(match);
1472 m->u.kernel.match = match;
1473 *size += xt_compat_match_offset(match);
1477 static void compat_release_entry(struct compat_ip6t_entry *e)
1479 struct xt_entry_target *t;
1480 struct xt_entry_match *ematch;
1482 /* Cleanup all matches */
1483 xt_ematch_foreach(ematch, e)
1484 module_put(ematch->u.kernel.match->me);
1485 t = compat_ip6t_get_target(e);
1486 module_put(t->u.kernel.target->me);
1490 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1491 struct xt_table_info *newinfo,
1493 const unsigned char *base,
1494 const unsigned char *limit,
1495 const unsigned int *hook_entries,
1496 const unsigned int *underflows,
1499 struct xt_entry_match *ematch;
1500 struct xt_entry_target *t;
1501 struct xt_target *target;
1502 unsigned int entry_offset;
1506 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1507 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
1508 (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit ||
1509 (unsigned char *)e + e->next_offset > limit) {
1510 duprintf("Bad offset %p, limit = %p\n", e, limit);
1514 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1515 sizeof(struct compat_xt_entry_target)) {
1516 duprintf("checking: element %p size %u\n",
1521 /* For purposes of check_entry casting the compat entry is fine */
1522 ret = check_entry((struct ip6t_entry *)e);
1526 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1527 entry_offset = (void *)e - (void *)base;
1529 xt_ematch_foreach(ematch, e) {
1530 ret = compat_find_calc_match(ematch, name, &e->ipv6, &off);
1532 goto release_matches;
1536 t = compat_ip6t_get_target(e);
1537 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1538 t->u.user.revision);
1539 if (IS_ERR(target)) {
1540 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1542 ret = PTR_ERR(target);
1543 goto release_matches;
1545 t->u.kernel.target = target;
1547 off += xt_compat_target_offset(target);
1549 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1553 /* Check hooks & underflows */
1554 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1555 if ((unsigned char *)e - base == hook_entries[h])
1556 newinfo->hook_entry[h] = hook_entries[h];
1557 if ((unsigned char *)e - base == underflows[h])
1558 newinfo->underflow[h] = underflows[h];
1561 /* Clear counters and comefrom */
1562 memset(&e->counters, 0, sizeof(e->counters));
1567 module_put(t->u.kernel.target->me);
1569 xt_ematch_foreach(ematch, e) {
1572 module_put(ematch->u.kernel.match->me);
1578 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1579 unsigned int *size, const char *name,
1580 struct xt_table_info *newinfo, unsigned char *base)
1582 struct xt_entry_target *t;
1583 struct ip6t_entry *de;
1584 unsigned int origsize;
1586 struct xt_entry_match *ematch;
1590 de = (struct ip6t_entry *)*dstptr;
1591 memcpy(de, e, sizeof(struct ip6t_entry));
1592 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1594 *dstptr += sizeof(struct ip6t_entry);
1595 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1597 xt_ematch_foreach(ematch, e) {
1598 ret = xt_compat_match_from_user(ematch, dstptr, size);
1602 de->target_offset = e->target_offset - (origsize - *size);
1603 t = compat_ip6t_get_target(e);
1604 xt_compat_target_from_user(t, dstptr, size);
1606 de->next_offset = e->next_offset - (origsize - *size);
1607 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1608 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1609 newinfo->hook_entry[h] -= origsize - *size;
1610 if ((unsigned char *)de - base < newinfo->underflow[h])
1611 newinfo->underflow[h] -= origsize - *size;
1616 static int compat_check_entry(struct ip6t_entry *e, struct net *net,
1621 struct xt_mtchk_param mtpar;
1622 struct xt_entry_match *ematch;
1624 e->counters.pcnt = xt_percpu_counter_alloc();
1625 if (IS_ERR_VALUE(e->counters.pcnt))
1630 mtpar.entryinfo = &e->ipv6;
1631 mtpar.hook_mask = e->comefrom;
1632 mtpar.family = NFPROTO_IPV6;
1633 xt_ematch_foreach(ematch, e) {
1634 ret = check_match(ematch, &mtpar);
1636 goto cleanup_matches;
1640 ret = check_target(e, net, name);
1642 goto cleanup_matches;
1646 xt_ematch_foreach(ematch, e) {
1649 cleanup_match(ematch, net);
1652 xt_percpu_counter_free(e->counters.pcnt);
1658 translate_compat_table(struct net *net,
1660 unsigned int valid_hooks,
1661 struct xt_table_info **pinfo,
1663 unsigned int total_size,
1664 unsigned int number,
1665 unsigned int *hook_entries,
1666 unsigned int *underflows)
1669 struct xt_table_info *newinfo, *info;
1670 void *pos, *entry0, *entry1;
1671 struct compat_ip6t_entry *iter0;
1672 struct ip6t_entry *iter1;
1679 info->number = number;
1681 /* Init all hooks to impossible value. */
1682 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1683 info->hook_entry[i] = 0xFFFFFFFF;
1684 info->underflow[i] = 0xFFFFFFFF;
1687 duprintf("translate_compat_table: size %u\n", info->size);
1689 xt_compat_lock(AF_INET6);
1690 xt_compat_init_offsets(AF_INET6, number);
1691 /* Walk through entries, checking offsets. */
1692 xt_entry_foreach(iter0, entry0, total_size) {
1693 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1695 entry0 + total_size,
1706 duprintf("translate_compat_table: %u not %u entries\n",
1711 /* Check hooks all assigned */
1712 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1713 /* Only hooks which are valid */
1714 if (!(valid_hooks & (1 << i)))
1716 if (info->hook_entry[i] == 0xFFFFFFFF) {
1717 duprintf("Invalid hook entry %u %u\n",
1718 i, hook_entries[i]);
1721 if (info->underflow[i] == 0xFFFFFFFF) {
1722 duprintf("Invalid underflow %u %u\n",
1729 newinfo = xt_alloc_table_info(size);
1733 newinfo->number = number;
1734 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1735 newinfo->hook_entry[i] = info->hook_entry[i];
1736 newinfo->underflow[i] = info->underflow[i];
1738 entry1 = newinfo->entries;
1741 xt_entry_foreach(iter0, entry0, total_size) {
1742 ret = compat_copy_entry_from_user(iter0, &pos, &size,
1743 name, newinfo, entry1);
1747 xt_compat_flush_offsets(AF_INET6);
1748 xt_compat_unlock(AF_INET6);
1753 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1757 xt_entry_foreach(iter1, entry1, newinfo->size) {
1758 ret = compat_check_entry(iter1, net, name);
1762 if (strcmp(ip6t_get_target(iter1)->u.user.name,
1763 XT_ERROR_TARGET) == 0)
1764 ++newinfo->stacksize;
1768 * The first i matches need cleanup_entry (calls ->destroy)
1769 * because they had called ->check already. The other j-i
1770 * entries need only release.
1774 xt_entry_foreach(iter0, entry0, newinfo->size) {
1779 compat_release_entry(iter0);
1781 xt_entry_foreach(iter1, entry1, newinfo->size) {
1784 cleanup_entry(iter1, net);
1786 xt_free_table_info(newinfo);
1792 xt_free_table_info(info);
1796 xt_free_table_info(newinfo);
1798 xt_entry_foreach(iter0, entry0, total_size) {
1801 compat_release_entry(iter0);
1805 xt_compat_flush_offsets(AF_INET6);
1806 xt_compat_unlock(AF_INET6);
1811 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1814 struct compat_ip6t_replace tmp;
1815 struct xt_table_info *newinfo;
1816 void *loc_cpu_entry;
1817 struct ip6t_entry *iter;
1819 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1822 /* overflow check */
1823 if (tmp.size >= INT_MAX / num_possible_cpus())
1825 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1827 if (tmp.num_counters == 0)
1830 tmp.name[sizeof(tmp.name)-1] = 0;
1832 newinfo = xt_alloc_table_info(tmp.size);
1836 loc_cpu_entry = newinfo->entries;
1837 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1843 ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
1844 &newinfo, &loc_cpu_entry, tmp.size,
1845 tmp.num_entries, tmp.hook_entry,
1850 duprintf("compat_do_replace: Translated table\n");
1852 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1853 tmp.num_counters, compat_ptr(tmp.counters));
1855 goto free_newinfo_untrans;
1858 free_newinfo_untrans:
1859 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1860 cleanup_entry(iter, net);
1862 xt_free_table_info(newinfo);
1867 compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1872 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1876 case IP6T_SO_SET_REPLACE:
1877 ret = compat_do_replace(sock_net(sk), user, len);
1880 case IP6T_SO_SET_ADD_COUNTERS:
1881 ret = do_add_counters(sock_net(sk), user, len, 1);
1885 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1892 struct compat_ip6t_get_entries {
1893 char name[XT_TABLE_MAXNAMELEN];
1895 struct compat_ip6t_entry entrytable[0];
1899 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1900 void __user *userptr)
1902 struct xt_counters *counters;
1903 const struct xt_table_info *private = table->private;
1908 struct ip6t_entry *iter;
1910 counters = alloc_counters(table);
1911 if (IS_ERR(counters))
1912 return PTR_ERR(counters);
1916 xt_entry_foreach(iter, private->entries, total_size) {
1917 ret = compat_copy_entry_to_user(iter, &pos,
1918 &size, counters, i++);
1928 compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1932 struct compat_ip6t_get_entries get;
1935 if (*len < sizeof(get)) {
1936 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1940 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1943 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size) {
1944 duprintf("compat_get_entries: %u != %zu\n",
1945 *len, sizeof(get) + get.size);
1948 get.name[sizeof(get.name) - 1] = '\0';
1950 xt_compat_lock(AF_INET6);
1951 t = xt_find_table_lock(net, AF_INET6, get.name);
1952 if (!IS_ERR_OR_NULL(t)) {
1953 const struct xt_table_info *private = t->private;
1954 struct xt_table_info info;
1955 duprintf("t->private->number = %u\n", private->number);
1956 ret = compat_table_info(private, &info);
1957 if (!ret && get.size == info.size) {
1958 ret = compat_copy_entries_to_user(private->size,
1959 t, uptr->entrytable);
1961 duprintf("compat_get_entries: I've got %u not %u!\n",
1962 private->size, get.size);
1965 xt_compat_flush_offsets(AF_INET6);
1969 ret = t ? PTR_ERR(t) : -ENOENT;
1971 xt_compat_unlock(AF_INET6);
1975 static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1978 compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1982 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1986 case IP6T_SO_GET_INFO:
1987 ret = get_info(sock_net(sk), user, len, 1);
1989 case IP6T_SO_GET_ENTRIES:
1990 ret = compat_get_entries(sock_net(sk), user, len);
1993 ret = do_ip6t_get_ctl(sk, cmd, user, len);
2000 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2004 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2008 case IP6T_SO_SET_REPLACE:
2009 ret = do_replace(sock_net(sk), user, len);
2012 case IP6T_SO_SET_ADD_COUNTERS:
2013 ret = do_add_counters(sock_net(sk), user, len, 0);
2017 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
2025 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2029 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2033 case IP6T_SO_GET_INFO:
2034 ret = get_info(sock_net(sk), user, len, 0);
2037 case IP6T_SO_GET_ENTRIES:
2038 ret = get_entries(sock_net(sk), user, len);
2041 case IP6T_SO_GET_REVISION_MATCH:
2042 case IP6T_SO_GET_REVISION_TARGET: {
2043 struct xt_get_revision rev;
2046 if (*len != sizeof(rev)) {
2050 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2054 rev.name[sizeof(rev.name)-1] = 0;
2056 if (cmd == IP6T_SO_GET_REVISION_TARGET)
2061 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
2064 "ip6t_%s", rev.name);
2069 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
2076 static void __ip6t_unregister_table(struct net *net, struct xt_table *table)
2078 struct xt_table_info *private;
2079 void *loc_cpu_entry;
2080 struct module *table_owner = table->me;
2081 struct ip6t_entry *iter;
2083 private = xt_unregister_table(table);
2085 /* Decrease module usage counts and free resources */
2086 loc_cpu_entry = private->entries;
2087 xt_entry_foreach(iter, loc_cpu_entry, private->size)
2088 cleanup_entry(iter, net);
2089 if (private->number > private->initial_entries)
2090 module_put(table_owner);
2091 xt_free_table_info(private);
2094 int ip6t_register_table(struct net *net, const struct xt_table *table,
2095 const struct ip6t_replace *repl,
2096 const struct nf_hook_ops *ops,
2097 struct xt_table **res)
2100 struct xt_table_info *newinfo;
2101 struct xt_table_info bootstrap = {0};
2102 void *loc_cpu_entry;
2103 struct xt_table *new_table;
2105 newinfo = xt_alloc_table_info(repl->size);
2109 loc_cpu_entry = newinfo->entries;
2110 memcpy(loc_cpu_entry, repl->entries, repl->size);
2112 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
2116 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2117 if (IS_ERR(new_table)) {
2118 ret = PTR_ERR(new_table);
2122 /* set res now, will see skbs right after nf_register_net_hooks */
2123 WRITE_ONCE(*res, new_table);
2125 ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
2127 __ip6t_unregister_table(net, new_table);
2134 xt_free_table_info(newinfo);
2138 void ip6t_unregister_table(struct net *net, struct xt_table *table,
2139 const struct nf_hook_ops *ops)
2141 nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
2142 __ip6t_unregister_table(net, table);
2145 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2147 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2148 u_int8_t type, u_int8_t code,
2151 return (type == test_type && code >= min_code && code <= max_code)
2156 icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
2158 const struct icmp6hdr *ic;
2159 struct icmp6hdr _icmph;
2160 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2162 /* Must not be a fragment. */
2163 if (par->fragoff != 0)
2166 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2168 /* We've been asked to examine this packet, and we
2169 * can't. Hence, no choice but to drop.
2171 duprintf("Dropping evil ICMP tinygram.\n");
2172 par->hotdrop = true;
2176 return icmp6_type_code_match(icmpinfo->type,
2179 ic->icmp6_type, ic->icmp6_code,
2180 !!(icmpinfo->invflags&IP6T_ICMP_INV));
2183 /* Called when user tries to insert an entry of this type. */
2184 static int icmp6_checkentry(const struct xt_mtchk_param *par)
2186 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2188 /* Must specify no unknown invflags */
2189 return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
2192 /* The built-in targets: standard (NULL) and error. */
2193 static struct xt_target ip6t_builtin_tg[] __read_mostly = {
2195 .name = XT_STANDARD_TARGET,
2196 .targetsize = sizeof(int),
2197 .family = NFPROTO_IPV6,
2198 #ifdef CONFIG_COMPAT
2199 .compatsize = sizeof(compat_int_t),
2200 .compat_from_user = compat_standard_from_user,
2201 .compat_to_user = compat_standard_to_user,
2205 .name = XT_ERROR_TARGET,
2206 .target = ip6t_error,
2207 .targetsize = XT_FUNCTION_MAXNAMELEN,
2208 .family = NFPROTO_IPV6,
2212 static struct nf_sockopt_ops ip6t_sockopts = {
2214 .set_optmin = IP6T_BASE_CTL,
2215 .set_optmax = IP6T_SO_SET_MAX+1,
2216 .set = do_ip6t_set_ctl,
2217 #ifdef CONFIG_COMPAT
2218 .compat_set = compat_do_ip6t_set_ctl,
2220 .get_optmin = IP6T_BASE_CTL,
2221 .get_optmax = IP6T_SO_GET_MAX+1,
2222 .get = do_ip6t_get_ctl,
2223 #ifdef CONFIG_COMPAT
2224 .compat_get = compat_do_ip6t_get_ctl,
2226 .owner = THIS_MODULE,
2229 static struct xt_match ip6t_builtin_mt[] __read_mostly = {
2232 .match = icmp6_match,
2233 .matchsize = sizeof(struct ip6t_icmp),
2234 .checkentry = icmp6_checkentry,
2235 .proto = IPPROTO_ICMPV6,
2236 .family = NFPROTO_IPV6,
2240 static int __net_init ip6_tables_net_init(struct net *net)
2242 return xt_proto_init(net, NFPROTO_IPV6);
2245 static void __net_exit ip6_tables_net_exit(struct net *net)
2247 xt_proto_fini(net, NFPROTO_IPV6);
2250 static struct pernet_operations ip6_tables_net_ops = {
2251 .init = ip6_tables_net_init,
2252 .exit = ip6_tables_net_exit,
2255 static int __init ip6_tables_init(void)
2259 ret = register_pernet_subsys(&ip6_tables_net_ops);
2263 /* No one else will be downing sem now, so we won't sleep */
2264 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2267 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2271 /* Register setsockopt */
2272 ret = nf_register_sockopt(&ip6t_sockopts);
2276 pr_info("(C) 2000-2006 Netfilter Core Team\n");
2280 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2282 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2284 unregister_pernet_subsys(&ip6_tables_net_ops);
2289 static void __exit ip6_tables_fini(void)
2291 nf_unregister_sockopt(&ip6t_sockopts);
2293 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2294 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2295 unregister_pernet_subsys(&ip6_tables_net_ops);
2298 EXPORT_SYMBOL(ip6t_register_table);
2299 EXPORT_SYMBOL(ip6t_unregister_table);
2300 EXPORT_SYMBOL(ip6t_do_table);
2302 module_init(ip6_tables_init);
2303 module_exit(ip6_tables_fini);
projects / cascardo / linux.git / blob