2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 #include <linux/cache.h>
12 #include <linux/capability.h>
13 #include <linux/skbuff.h>
14 #include <linux/kmod.h>
15 #include <linux/vmalloc.h>
16 #include <linux/netdevice.h>
17 #include <linux/module.h>
18 #include <linux/icmp.h>
20 #include <net/compat.h>
21 #include <asm/uaccess.h>
22 #include <linux/mutex.h>
23 #include <linux/proc_fs.h>
24 #include <linux/err.h>
25 #include <linux/cpumask.h>
27 #include <linux/netfilter/x_tables.h>
28 #include <linux/netfilter_ipv4/ip_tables.h>
29 #include <net/netfilter/nf_log.h>
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
33 MODULE_DESCRIPTION("IPv4 packet filter");
35 /*#define DEBUG_IP_FIREWALL*/
36 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
37 /*#define DEBUG_IP_FIREWALL_USER*/
39 #ifdef DEBUG_IP_FIREWALL
40 #define dprintf(format, args...) printk(format , ## args)
42 #define dprintf(format, args...)
45 #ifdef DEBUG_IP_FIREWALL_USER
46 #define duprintf(format, args...) printk(format , ## args)
48 #define duprintf(format, args...)
51 #ifdef CONFIG_NETFILTER_DEBUG
52 #define IP_NF_ASSERT(x) \
55 printk("IP_NF_ASSERT: %s:%s:%u\n", \
56 __func__, __FILE__, __LINE__); \
59 #define IP_NF_ASSERT(x)
63 /* All the better to debug you with... */
69 We keep a set of rules for each CPU, so we can avoid write-locking
70 them in the softirq when updating the counters and therefore
71 only need to read-lock in the softirq; doing a write_lock_bh() in user
72 context stops packets coming through and allows user context to read
73 the counters or update the rules.
75 Hence the start of any table is given by get_table() below. */
77 /* Returns whether matches rule or not. */
78 /* Performance critical - called for every packet */
80 ip_packet_match(const struct iphdr *ip,
83 const struct ipt_ip *ipinfo,
88 #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
90 if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
92 || FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
94 dprintf("Source or dest mismatch.\n");
96 dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n",
97 &ip->saddr, &ipinfo->smsk.s_addr, &ipinfo->src.s_addr,
98 ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
99 dprintf("DST: %pI4 Mask: %pI4 Target: %pI4.%s\n",
100 &ip->daddr, &ipinfo->dmsk.s_addr, &ipinfo->dst.s_addr,
101 ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
105 ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask);
107 if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
108 dprintf("VIA in mismatch (%s vs %s).%s\n",
109 indev, ipinfo->iniface,
110 ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
114 ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask);
116 if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
117 dprintf("VIA out mismatch (%s vs %s).%s\n",
118 outdev, ipinfo->outiface,
119 ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
123 /* Check specific protocol */
125 && FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
126 dprintf("Packet protocol %hi does not match %hi.%s\n",
127 ip->protocol, ipinfo->proto,
128 ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
132 /* If we have a fragment rule but the packet is not a fragment
133 * then we return zero */
134 if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
135 dprintf("Fragment rule but not fragment.%s\n",
136 ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
144 ip_checkentry(const struct ipt_ip *ip)
146 if (ip->flags & ~IPT_F_MASK) {
147 duprintf("Unknown flag bits set: %08X\n",
148 ip->flags & ~IPT_F_MASK);
151 if (ip->invflags & ~IPT_INV_MASK) {
152 duprintf("Unknown invflag bits set: %08X\n",
153 ip->invflags & ~IPT_INV_MASK);
160 ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
163 printk("ip_tables: error: `%s'\n",
164 (const char *)par->targinfo);
169 /* Performance critical - called for every packet */
171 do_match(struct ipt_entry_match *m, const struct sk_buff *skb,
172 struct xt_match_param *par)
174 par->match = m->u.kernel.match;
175 par->matchinfo = m->data;
177 /* Stop iteration if it doesn't match */
178 if (!m->u.kernel.match->match(skb, par))
184 /* Performance critical */
185 static inline struct ipt_entry *
186 get_entry(void *base, unsigned int offset)
188 return (struct ipt_entry *)(base + offset);
191 /* All zeroes == unconditional rule. */
192 /* Mildly perf critical (only if packet tracing is on) */
194 unconditional(const struct ipt_ip *ip)
198 for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
199 if (((__u32 *)ip)[i])
206 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
207 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
208 static const char *const hooknames[] = {
209 [NF_INET_PRE_ROUTING] = "PREROUTING",
210 [NF_INET_LOCAL_IN] = "INPUT",
211 [NF_INET_FORWARD] = "FORWARD",
212 [NF_INET_LOCAL_OUT] = "OUTPUT",
213 [NF_INET_POST_ROUTING] = "POSTROUTING",
216 enum nf_ip_trace_comments {
217 NF_IP_TRACE_COMMENT_RULE,
218 NF_IP_TRACE_COMMENT_RETURN,
219 NF_IP_TRACE_COMMENT_POLICY,
222 static const char *const comments[] = {
223 [NF_IP_TRACE_COMMENT_RULE] = "rule",
224 [NF_IP_TRACE_COMMENT_RETURN] = "return",
225 [NF_IP_TRACE_COMMENT_POLICY] = "policy",
228 static struct nf_loginfo trace_loginfo = {
229 .type = NF_LOG_TYPE_LOG,
233 .logflags = NF_LOG_MASK,
238 /* Mildly perf critical (only if packet tracing is on) */
240 get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
241 char *hookname, char **chainname,
242 char **comment, unsigned int *rulenum)
244 struct ipt_standard_target *t = (void *)ipt_get_target(s);
246 if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) {
247 /* Head of user chain: ERROR target with chainname */
248 *chainname = t->target.data;
253 if (s->target_offset == sizeof(struct ipt_entry)
254 && strcmp(t->target.u.kernel.target->name,
255 IPT_STANDARD_TARGET) == 0
257 && unconditional(&s->ip)) {
258 /* Tail of chains: STANDARD target (return/policy) */
259 *comment = *chainname == hookname
260 ? (char *)comments[NF_IP_TRACE_COMMENT_POLICY]
261 : (char *)comments[NF_IP_TRACE_COMMENT_RETURN];
270 static void trace_packet(struct sk_buff *skb,
272 const struct net_device *in,
273 const struct net_device *out,
274 const char *tablename,
275 struct xt_table_info *private,
279 const struct ipt_entry *root;
280 char *hookname, *chainname, *comment;
281 unsigned int rulenum = 0;
283 table_base = (void *)private->entries[smp_processor_id()];
284 root = get_entry(table_base, private->hook_entry[hook]);
286 hookname = chainname = (char *)hooknames[hook];
287 comment = (char *)comments[NF_IP_TRACE_COMMENT_RULE];
289 IPT_ENTRY_ITERATE(root,
290 private->size - private->hook_entry[hook],
291 get_chainname_rulenum,
292 e, hookname, &chainname, &comment, &rulenum);
294 nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
295 "TRACE: %s:%s:%s:%u ",
296 tablename, chainname, comment, rulenum);
300 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
302 ipt_do_table(struct sk_buff *skb,
304 const struct net_device *in,
305 const struct net_device *out,
306 struct xt_table *table)
308 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
309 const struct iphdr *ip;
311 bool hotdrop = false;
312 /* Initializing verdict to NF_DROP keeps gcc happy. */
313 unsigned int verdict = NF_DROP;
314 const char *indev, *outdev;
316 struct ipt_entry *e, *back;
317 struct xt_table_info *private;
318 struct xt_match_param mtpar;
319 struct xt_target_param tgpar;
323 datalen = skb->len - ip->ihl * 4;
324 indev = in ? in->name : nulldevname;
325 outdev = out ? out->name : nulldevname;
326 /* We handle fragments by dealing with the first fragment as
327 * if it was a normal packet. All other fragments are treated
328 * normally, except that they will NEVER match rules that ask
329 * things we don't know, ie. tcp syn flag or ports). If the
330 * rule is also a fragment-specific rule, non-fragments won't
332 mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
333 mtpar.thoff = ip_hdrlen(skb);
334 mtpar.hotdrop = &hotdrop;
335 mtpar.in = tgpar.in = in;
336 mtpar.out = tgpar.out = out;
337 mtpar.family = tgpar.family = NFPROTO_IPV4;
338 tgpar.hooknum = hook;
340 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
343 private = rcu_dereference(table->private);
344 table_base = rcu_dereference(private->entries[smp_processor_id()]);
346 e = get_entry(table_base, private->hook_entry[hook]);
348 /* For return from builtin chain */
349 back = get_entry(table_base, private->underflow[hook]);
354 if (ip_packet_match(ip, indev, outdev,
355 &e->ip, mtpar.fragoff)) {
356 struct ipt_entry_target *t;
358 if (IPT_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0)
361 ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
363 t = ipt_get_target(e);
364 IP_NF_ASSERT(t->u.kernel.target);
366 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
367 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
368 /* The packet is traced: log it */
369 if (unlikely(skb->nf_trace))
370 trace_packet(skb, hook, in, out,
371 table->name, private, e);
373 /* Standard target? */
374 if (!t->u.kernel.target->target) {
377 v = ((struct ipt_standard_target *)t)->verdict;
379 /* Pop from stack? */
380 if (v != IPT_RETURN) {
381 verdict = (unsigned)(-v) - 1;
385 back = get_entry(table_base,
389 if (table_base + v != (void *)e + e->next_offset
390 && !(e->ip.flags & IPT_F_GOTO)) {
391 /* Save old back ptr in next entry */
392 struct ipt_entry *next
393 = (void *)e + e->next_offset;
395 = (void *)back - table_base;
396 /* set back pointer to next entry */
400 e = get_entry(table_base, v);
402 /* Targets which reenter must return
404 tgpar.target = t->u.kernel.target;
405 tgpar.targinfo = t->data;
406 #ifdef CONFIG_NETFILTER_DEBUG
407 ((struct ipt_entry *)table_base)->comefrom
410 verdict = t->u.kernel.target->target(skb,
412 #ifdef CONFIG_NETFILTER_DEBUG
413 if (((struct ipt_entry *)table_base)->comefrom
415 && verdict == IPT_CONTINUE) {
416 printk("Target %s reentered!\n",
417 t->u.kernel.target->name);
420 ((struct ipt_entry *)table_base)->comefrom
423 /* Target might have changed stuff. */
425 datalen = skb->len - ip->ihl * 4;
427 if (verdict == IPT_CONTINUE)
428 e = (void *)e + e->next_offset;
436 e = (void *)e + e->next_offset;
442 #ifdef DEBUG_ALLOW_ALL
451 /* Figures out from what hook each rule can be called: returns 0 if
452 there are loops. Puts hook bitmask in comefrom. */
454 mark_source_chains(struct xt_table_info *newinfo,
455 unsigned int valid_hooks, void *entry0)
459 /* No recursion; use packet counter to save back ptrs (reset
460 to 0 as we leave), and comefrom to save source hook bitmask */
461 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
462 unsigned int pos = newinfo->hook_entry[hook];
463 struct ipt_entry *e = (struct ipt_entry *)(entry0 + pos);
465 if (!(valid_hooks & (1 << hook)))
468 /* Set initial back pointer. */
469 e->counters.pcnt = pos;
472 struct ipt_standard_target *t
473 = (void *)ipt_get_target(e);
474 int visited = e->comefrom & (1 << hook);
476 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
477 printk("iptables: loop hook %u pos %u %08X.\n",
478 hook, pos, e->comefrom);
481 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
483 /* Unconditional return/END. */
484 if ((e->target_offset == sizeof(struct ipt_entry)
485 && (strcmp(t->target.u.user.name,
486 IPT_STANDARD_TARGET) == 0)
488 && unconditional(&e->ip)) || visited) {
489 unsigned int oldpos, size;
491 if (t->verdict < -NF_MAX_VERDICT - 1) {
492 duprintf("mark_source_chains: bad "
493 "negative verdict (%i)\n",
498 /* Return: backtrack through the last
501 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
502 #ifdef DEBUG_IP_FIREWALL_USER
504 & (1 << NF_INET_NUMHOOKS)) {
505 duprintf("Back unset "
512 pos = e->counters.pcnt;
513 e->counters.pcnt = 0;
515 /* We're at the start. */
519 e = (struct ipt_entry *)
521 } while (oldpos == pos + e->next_offset);
524 size = e->next_offset;
525 e = (struct ipt_entry *)
526 (entry0 + pos + size);
527 e->counters.pcnt = pos;
530 int newpos = t->verdict;
532 if (strcmp(t->target.u.user.name,
533 IPT_STANDARD_TARGET) == 0
535 if (newpos > newinfo->size -
536 sizeof(struct ipt_entry)) {
537 duprintf("mark_source_chains: "
538 "bad verdict (%i)\n",
542 /* This a jump; chase it. */
543 duprintf("Jump rule %u -> %u\n",
546 /* ... this is a fallthru */
547 newpos = pos + e->next_offset;
549 e = (struct ipt_entry *)
551 e->counters.pcnt = pos;
556 duprintf("Finished chain %u\n", hook);
562 cleanup_match(struct ipt_entry_match *m, unsigned int *i)
564 struct xt_mtdtor_param par;
566 if (i && (*i)-- == 0)
569 par.match = m->u.kernel.match;
570 par.matchinfo = m->data;
571 par.family = NFPROTO_IPV4;
572 if (par.match->destroy != NULL)
573 par.match->destroy(&par);
574 module_put(par.match->me);
579 check_entry(struct ipt_entry *e, const char *name)
581 struct ipt_entry_target *t;
583 if (!ip_checkentry(&e->ip)) {
584 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
588 if (e->target_offset + sizeof(struct ipt_entry_target) >
592 t = ipt_get_target(e);
593 if (e->target_offset + t->u.target_size > e->next_offset)
600 check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
603 const struct ipt_ip *ip = par->entryinfo;
606 par->match = m->u.kernel.match;
607 par->matchinfo = m->data;
609 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
610 ip->proto, ip->invflags & IPT_INV_PROTO);
612 duprintf("ip_tables: check failed for `%s'.\n",
621 find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
624 struct xt_match *match;
627 match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
629 "ipt_%s", m->u.user.name);
630 if (IS_ERR(match) || !match) {
631 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
632 return match ? PTR_ERR(match) : -ENOENT;
634 m->u.kernel.match = match;
636 ret = check_match(m, par, i);
642 module_put(m->u.kernel.match->me);
646 static int check_target(struct ipt_entry *e, const char *name)
648 struct ipt_entry_target *t = ipt_get_target(e);
649 struct xt_tgchk_param par = {
652 .target = t->u.kernel.target,
654 .hook_mask = e->comefrom,
655 .family = NFPROTO_IPV4,
659 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
660 e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
662 duprintf("ip_tables: check failed for `%s'.\n",
663 t->u.kernel.target->name);
670 find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
673 struct ipt_entry_target *t;
674 struct xt_target *target;
677 struct xt_mtchk_param mtpar;
679 ret = check_entry(e, name);
685 mtpar.entryinfo = &e->ip;
686 mtpar.hook_mask = e->comefrom;
687 mtpar.family = NFPROTO_IPV4;
688 ret = IPT_MATCH_ITERATE(e, find_check_match, &mtpar, &j);
690 goto cleanup_matches;
692 t = ipt_get_target(e);
693 target = try_then_request_module(xt_find_target(AF_INET,
696 "ipt_%s", t->u.user.name);
697 if (IS_ERR(target) || !target) {
698 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
699 ret = target ? PTR_ERR(target) : -ENOENT;
700 goto cleanup_matches;
702 t->u.kernel.target = target;
704 ret = check_target(e, name);
711 module_put(t->u.kernel.target->me);
713 IPT_MATCH_ITERATE(e, cleanup_match, &j);
718 check_entry_size_and_hooks(struct ipt_entry *e,
719 struct xt_table_info *newinfo,
721 unsigned char *limit,
722 const unsigned int *hook_entries,
723 const unsigned int *underflows,
728 if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
729 || (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
730 duprintf("Bad offset %p\n", e);
735 < sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
736 duprintf("checking: element %p size %u\n",
741 /* Check hooks & underflows */
742 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
743 if ((unsigned char *)e - base == hook_entries[h])
744 newinfo->hook_entry[h] = hook_entries[h];
745 if ((unsigned char *)e - base == underflows[h])
746 newinfo->underflow[h] = underflows[h];
749 /* FIXME: underflows must be unconditional, standard verdicts
750 < 0 (not IPT_RETURN). --RR */
752 /* Clear counters and comefrom */
753 e->counters = ((struct xt_counters) { 0, 0 });
761 cleanup_entry(struct ipt_entry *e, unsigned int *i)
763 struct xt_tgdtor_param par;
764 struct ipt_entry_target *t;
766 if (i && (*i)-- == 0)
769 /* Cleanup all matches */
770 IPT_MATCH_ITERATE(e, cleanup_match, NULL);
771 t = ipt_get_target(e);
773 par.target = t->u.kernel.target;
774 par.targinfo = t->data;
775 par.family = NFPROTO_IPV4;
776 if (par.target->destroy != NULL)
777 par.target->destroy(&par);
778 module_put(par.target->me);
782 /* Checks and translates the user-supplied table segment (held in
785 translate_table(const char *name,
786 unsigned int valid_hooks,
787 struct xt_table_info *newinfo,
791 const unsigned int *hook_entries,
792 const unsigned int *underflows)
797 newinfo->size = size;
798 newinfo->number = number;
800 /* Init all hooks to impossible value. */
801 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
802 newinfo->hook_entry[i] = 0xFFFFFFFF;
803 newinfo->underflow[i] = 0xFFFFFFFF;
806 duprintf("translate_table: size %u\n", newinfo->size);
808 /* Walk through entries, checking offsets. */
809 ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
810 check_entry_size_and_hooks,
814 hook_entries, underflows, &i);
819 duprintf("translate_table: %u not %u entries\n",
824 /* Check hooks all assigned */
825 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
826 /* Only hooks which are valid */
827 if (!(valid_hooks & (1 << i)))
829 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
830 duprintf("Invalid hook entry %u %u\n",
834 if (newinfo->underflow[i] == 0xFFFFFFFF) {
835 duprintf("Invalid underflow %u %u\n",
841 if (!mark_source_chains(newinfo, valid_hooks, entry0))
844 /* Finally, each sanity check must pass */
846 ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
847 find_check_entry, name, size, &i);
850 IPT_ENTRY_ITERATE(entry0, newinfo->size,
855 /* And one copy for every other CPU */
856 for_each_possible_cpu(i) {
857 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
858 memcpy(newinfo->entries[i], entry0, newinfo->size);
866 add_entry_to_counter(const struct ipt_entry *e,
867 struct xt_counters total[],
870 ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
877 set_entry_to_counter(const struct ipt_entry *e,
878 struct ipt_counters total[],
881 SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
888 get_counters(const struct xt_table_info *t,
889 struct xt_counters counters[])
895 /* Instead of clearing (by a previous call to memset())
896 * the counters and using adds, we set the counters
897 * with data used by 'current' CPU
898 * We dont care about preemption here.
900 curcpu = raw_smp_processor_id();
903 IPT_ENTRY_ITERATE(t->entries[curcpu],
905 set_entry_to_counter,
909 for_each_possible_cpu(cpu) {
913 IPT_ENTRY_ITERATE(t->entries[cpu],
915 add_entry_to_counter,
922 /* We're lazy, and add to the first CPU; overflow works its fey magic
923 * and everything is OK. */
925 add_counter_to_entry(struct ipt_entry *e,
926 const struct xt_counters addme[],
929 ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
935 /* Take values from counters and add them back onto the current cpu */
936 static void put_counters(struct xt_table_info *t,
937 const struct xt_counters counters[])
942 cpu = smp_processor_id();
944 IPT_ENTRY_ITERATE(t->entries[cpu],
946 add_counter_to_entry,
954 zero_entry_counter(struct ipt_entry *e, void *arg)
956 e->counters.bcnt = 0;
957 e->counters.pcnt = 0;
962 clone_counters(struct xt_table_info *newinfo, const struct xt_table_info *info)
965 const void *loc_cpu_entry = info->entries[raw_smp_processor_id()];
967 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
968 for_each_possible_cpu(cpu) {
969 memcpy(newinfo->entries[cpu], loc_cpu_entry, info->size);
970 IPT_ENTRY_ITERATE(newinfo->entries[cpu], newinfo->size,
971 zero_entry_counter, NULL);
975 static struct xt_counters * alloc_counters(struct xt_table *table)
977 unsigned int countersize;
978 struct xt_counters *counters;
979 struct xt_table_info *private = table->private;
980 struct xt_table_info *info;
982 /* We need atomic snapshot of counters: rest doesn't change
983 (other than comefrom, which userspace doesn't care
985 countersize = sizeof(struct xt_counters) * private->number;
986 counters = vmalloc_node(countersize, numa_node_id());
988 if (counters == NULL)
991 info = xt_alloc_table_info(private->size);
995 clone_counters(info, private);
997 mutex_lock(&table->lock);
998 xt_table_entry_swap_rcu(private, info);
999 synchronize_net(); /* Wait until smoke has cleared */
1001 get_counters(info, counters);
1002 put_counters(private, counters);
1003 mutex_unlock(&table->lock);
1005 xt_free_table_info(info);
1012 return ERR_PTR(-ENOMEM);
1016 copy_entries_to_user(unsigned int total_size,
1017 struct xt_table *table,
1018 void __user *userptr)
1020 unsigned int off, num;
1021 struct ipt_entry *e;
1022 struct xt_counters *counters;
1023 const struct xt_table_info *private = table->private;
1025 const void *loc_cpu_entry;
1027 counters = alloc_counters(table);
1028 if (IS_ERR(counters))
1029 return PTR_ERR(counters);
1031 /* choose the copy that is on our node/cpu, ...
1032 * This choice is lazy (because current thread is
1033 * allowed to migrate to another cpu)
1035 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1036 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
1041 /* FIXME: use iterator macros --RR */
1042 /* ... then go back and fix counters and names */
1043 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
1045 const struct ipt_entry_match *m;
1046 const struct ipt_entry_target *t;
1048 e = (struct ipt_entry *)(loc_cpu_entry + off);
1049 if (copy_to_user(userptr + off
1050 + offsetof(struct ipt_entry, counters),
1052 sizeof(counters[num])) != 0) {
1057 for (i = sizeof(struct ipt_entry);
1058 i < e->target_offset;
1059 i += m->u.match_size) {
1062 if (copy_to_user(userptr + off + i
1063 + offsetof(struct ipt_entry_match,
1065 m->u.kernel.match->name,
1066 strlen(m->u.kernel.match->name)+1)
1073 t = ipt_get_target(e);
1074 if (copy_to_user(userptr + off + e->target_offset
1075 + offsetof(struct ipt_entry_target,
1077 t->u.kernel.target->name,
1078 strlen(t->u.kernel.target->name)+1) != 0) {
1089 #ifdef CONFIG_COMPAT
1090 static void compat_standard_from_user(void *dst, void *src)
1092 int v = *(compat_int_t *)src;
1095 v += xt_compat_calc_jump(AF_INET, v);
1096 memcpy(dst, &v, sizeof(v));
1099 static int compat_standard_to_user(void __user *dst, void *src)
1101 compat_int_t cv = *(int *)src;
1104 cv -= xt_compat_calc_jump(AF_INET, cv);
1105 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1109 compat_calc_match(struct ipt_entry_match *m, int *size)
1111 *size += xt_compat_match_offset(m->u.kernel.match);
1115 static int compat_calc_entry(struct ipt_entry *e,
1116 const struct xt_table_info *info,
1117 void *base, struct xt_table_info *newinfo)
1119 struct ipt_entry_target *t;
1120 unsigned int entry_offset;
1123 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1124 entry_offset = (void *)e - base;
1125 IPT_MATCH_ITERATE(e, compat_calc_match, &off);
1126 t = ipt_get_target(e);
1127 off += xt_compat_target_offset(t->u.kernel.target);
1128 newinfo->size -= off;
1129 ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1133 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1134 if (info->hook_entry[i] &&
1135 (e < (struct ipt_entry *)(base + info->hook_entry[i])))
1136 newinfo->hook_entry[i] -= off;
1137 if (info->underflow[i] &&
1138 (e < (struct ipt_entry *)(base + info->underflow[i])))
1139 newinfo->underflow[i] -= off;
1144 static int compat_table_info(const struct xt_table_info *info,
1145 struct xt_table_info *newinfo)
1147 void *loc_cpu_entry;
1149 if (!newinfo || !info)
1152 /* we dont care about newinfo->entries[] */
1153 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1154 newinfo->initial_entries = 0;
1155 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1156 return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
1157 compat_calc_entry, info, loc_cpu_entry,
1162 static int get_info(struct net *net, void __user *user, int *len, int compat)
1164 char name[IPT_TABLE_MAXNAMELEN];
1168 if (*len != sizeof(struct ipt_getinfo)) {
1169 duprintf("length %u != %zu\n", *len,
1170 sizeof(struct ipt_getinfo));
1174 if (copy_from_user(name, user, sizeof(name)) != 0)
1177 name[IPT_TABLE_MAXNAMELEN-1] = '\0';
1178 #ifdef CONFIG_COMPAT
1180 xt_compat_lock(AF_INET);
1182 t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1183 "iptable_%s", name);
1184 if (t && !IS_ERR(t)) {
1185 struct ipt_getinfo info;
1186 const struct xt_table_info *private = t->private;
1188 #ifdef CONFIG_COMPAT
1190 struct xt_table_info tmp;
1191 ret = compat_table_info(private, &tmp);
1192 xt_compat_flush_offsets(AF_INET);
1196 info.valid_hooks = t->valid_hooks;
1197 memcpy(info.hook_entry, private->hook_entry,
1198 sizeof(info.hook_entry));
1199 memcpy(info.underflow, private->underflow,
1200 sizeof(info.underflow));
1201 info.num_entries = private->number;
1202 info.size = private->size;
1203 strcpy(info.name, name);
1205 if (copy_to_user(user, &info, *len) != 0)
1213 ret = t ? PTR_ERR(t) : -ENOENT;
1214 #ifdef CONFIG_COMPAT
1216 xt_compat_unlock(AF_INET);
1222 get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len)
1225 struct ipt_get_entries get;
1228 if (*len < sizeof(get)) {
1229 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1232 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1234 if (*len != sizeof(struct ipt_get_entries) + get.size) {
1235 duprintf("get_entries: %u != %zu\n",
1236 *len, sizeof(get) + get.size);
1240 t = xt_find_table_lock(net, AF_INET, get.name);
1241 if (t && !IS_ERR(t)) {
1242 const struct xt_table_info *private = t->private;
1243 duprintf("t->private->number = %u\n", private->number);
1244 if (get.size == private->size)
1245 ret = copy_entries_to_user(private->size,
1246 t, uptr->entrytable);
1248 duprintf("get_entries: I've got %u not %u!\n",
1249 private->size, get.size);
1255 ret = t ? PTR_ERR(t) : -ENOENT;
1261 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1262 struct xt_table_info *newinfo, unsigned int num_counters,
1263 void __user *counters_ptr)
1267 struct xt_table_info *oldinfo;
1268 struct xt_counters *counters;
1269 void *loc_cpu_old_entry;
1272 counters = vmalloc(num_counters * sizeof(struct xt_counters));
1278 t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1279 "iptable_%s", name);
1280 if (!t || IS_ERR(t)) {
1281 ret = t ? PTR_ERR(t) : -ENOENT;
1282 goto free_newinfo_counters_untrans;
1286 if (valid_hooks != t->valid_hooks) {
1287 duprintf("Valid hook crap: %08X vs %08X\n",
1288 valid_hooks, t->valid_hooks);
1293 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1297 /* Update module usage count based on number of rules */
1298 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1299 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1300 if ((oldinfo->number > oldinfo->initial_entries) ||
1301 (newinfo->number <= oldinfo->initial_entries))
1303 if ((oldinfo->number > oldinfo->initial_entries) &&
1304 (newinfo->number <= oldinfo->initial_entries))
1307 /* Get the old counters. */
1308 get_counters(oldinfo, counters);
1309 /* Decrease module usage counts and free resource */
1310 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1311 IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,
1313 xt_free_table_info(oldinfo);
1314 if (copy_to_user(counters_ptr, counters,
1315 sizeof(struct xt_counters) * num_counters) != 0)
1324 free_newinfo_counters_untrans:
1331 do_replace(struct net *net, void __user *user, unsigned int len)
1334 struct ipt_replace tmp;
1335 struct xt_table_info *newinfo;
1336 void *loc_cpu_entry;
1338 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1341 /* overflow check */
1342 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1345 newinfo = xt_alloc_table_info(tmp.size);
1349 /* choose the copy that is on our node/cpu */
1350 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1351 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1357 ret = translate_table(tmp.name, tmp.valid_hooks,
1358 newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
1359 tmp.hook_entry, tmp.underflow);
1363 duprintf("ip_tables: Translated table\n");
1365 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1366 tmp.num_counters, tmp.counters);
1368 goto free_newinfo_untrans;
1371 free_newinfo_untrans:
1372 IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1374 xt_free_table_info(newinfo);
1380 do_add_counters(struct net *net, void __user *user, unsigned int len, int compat)
1383 struct xt_counters_info tmp;
1384 struct xt_counters *paddc;
1385 unsigned int num_counters;
1390 const struct xt_table_info *private;
1392 void *loc_cpu_entry;
1393 #ifdef CONFIG_COMPAT
1394 struct compat_xt_counters_info compat_tmp;
1398 size = sizeof(struct compat_xt_counters_info);
1403 size = sizeof(struct xt_counters_info);
1406 if (copy_from_user(ptmp, user, size) != 0)
1409 #ifdef CONFIG_COMPAT
1411 num_counters = compat_tmp.num_counters;
1412 name = compat_tmp.name;
1416 num_counters = tmp.num_counters;
1420 if (len != size + num_counters * sizeof(struct xt_counters))
1423 paddc = vmalloc_node(len - size, numa_node_id());
1427 if (copy_from_user(paddc, user + size, len - size) != 0) {
1432 t = xt_find_table_lock(net, AF_INET, name);
1433 if (!t || IS_ERR(t)) {
1434 ret = t ? PTR_ERR(t) : -ENOENT;
1438 mutex_lock(&t->lock);
1439 private = t->private;
1440 if (private->number != num_counters) {
1442 goto unlock_up_free;
1447 /* Choose the copy that is on our node */
1448 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1449 IPT_ENTRY_ITERATE(loc_cpu_entry,
1451 add_counter_to_entry,
1456 mutex_unlock(&t->lock);
1465 #ifdef CONFIG_COMPAT
1466 struct compat_ipt_replace {
1467 char name[IPT_TABLE_MAXNAMELEN];
1471 u32 hook_entry[NF_INET_NUMHOOKS];
1472 u32 underflow[NF_INET_NUMHOOKS];
1474 compat_uptr_t counters; /* struct ipt_counters * */
1475 struct compat_ipt_entry entries[0];
1479 compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
1480 unsigned int *size, struct xt_counters *counters,
1483 struct ipt_entry_target *t;
1484 struct compat_ipt_entry __user *ce;
1485 u_int16_t target_offset, next_offset;
1486 compat_uint_t origsize;
1491 ce = (struct compat_ipt_entry __user *)*dstptr;
1492 if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
1495 if (copy_to_user(&ce->counters, &counters[*i], sizeof(counters[*i])))
1498 *dstptr += sizeof(struct compat_ipt_entry);
1499 *size -= sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1501 ret = IPT_MATCH_ITERATE(e, xt_compat_match_to_user, dstptr, size);
1502 target_offset = e->target_offset - (origsize - *size);
1505 t = ipt_get_target(e);
1506 ret = xt_compat_target_to_user(t, dstptr, size);
1510 next_offset = e->next_offset - (origsize - *size);
1511 if (put_user(target_offset, &ce->target_offset))
1513 if (put_user(next_offset, &ce->next_offset))
1523 compat_find_calc_match(struct ipt_entry_match *m,
1525 const struct ipt_ip *ip,
1526 unsigned int hookmask,
1527 int *size, unsigned int *i)
1529 struct xt_match *match;
1531 match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
1532 m->u.user.revision),
1533 "ipt_%s", m->u.user.name);
1534 if (IS_ERR(match) || !match) {
1535 duprintf("compat_check_calc_match: `%s' not found\n",
1537 return match ? PTR_ERR(match) : -ENOENT;
1539 m->u.kernel.match = match;
1540 *size += xt_compat_match_offset(match);
1547 compat_release_match(struct ipt_entry_match *m, unsigned int *i)
1549 if (i && (*i)-- == 0)
1552 module_put(m->u.kernel.match->me);
1557 compat_release_entry(struct compat_ipt_entry *e, unsigned int *i)
1559 struct ipt_entry_target *t;
1561 if (i && (*i)-- == 0)
1564 /* Cleanup all matches */
1565 COMPAT_IPT_MATCH_ITERATE(e, compat_release_match, NULL);
1566 t = compat_ipt_get_target(e);
1567 module_put(t->u.kernel.target->me);
1572 check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
1573 struct xt_table_info *newinfo,
1575 unsigned char *base,
1576 unsigned char *limit,
1577 unsigned int *hook_entries,
1578 unsigned int *underflows,
1582 struct ipt_entry_target *t;
1583 struct xt_target *target;
1584 unsigned int entry_offset;
1588 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1589 if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
1590 || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1591 duprintf("Bad offset %p, limit = %p\n", e, limit);
1595 if (e->next_offset < sizeof(struct compat_ipt_entry) +
1596 sizeof(struct compat_xt_entry_target)) {
1597 duprintf("checking: element %p size %u\n",
1602 /* For purposes of check_entry casting the compat entry is fine */
1603 ret = check_entry((struct ipt_entry *)e, name);
1607 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1608 entry_offset = (void *)e - (void *)base;
1610 ret = COMPAT_IPT_MATCH_ITERATE(e, compat_find_calc_match, name,
1611 &e->ip, e->comefrom, &off, &j);
1613 goto release_matches;
1615 t = compat_ipt_get_target(e);
1616 target = try_then_request_module(xt_find_target(AF_INET,
1618 t->u.user.revision),
1619 "ipt_%s", t->u.user.name);
1620 if (IS_ERR(target) || !target) {
1621 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1623 ret = target ? PTR_ERR(target) : -ENOENT;
1624 goto release_matches;
1626 t->u.kernel.target = target;
1628 off += xt_compat_target_offset(target);
1630 ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1634 /* Check hooks & underflows */
1635 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1636 if ((unsigned char *)e - base == hook_entries[h])
1637 newinfo->hook_entry[h] = hook_entries[h];
1638 if ((unsigned char *)e - base == underflows[h])
1639 newinfo->underflow[h] = underflows[h];
1642 /* Clear counters and comefrom */
1643 memset(&e->counters, 0, sizeof(e->counters));
1650 module_put(t->u.kernel.target->me);
1652 IPT_MATCH_ITERATE(e, compat_release_match, &j);
1657 compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
1658 unsigned int *size, const char *name,
1659 struct xt_table_info *newinfo, unsigned char *base)
1661 struct ipt_entry_target *t;
1662 struct xt_target *target;
1663 struct ipt_entry *de;
1664 unsigned int origsize;
1669 de = (struct ipt_entry *)*dstptr;
1670 memcpy(de, e, sizeof(struct ipt_entry));
1671 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1673 *dstptr += sizeof(struct ipt_entry);
1674 *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1676 ret = COMPAT_IPT_MATCH_ITERATE(e, xt_compat_match_from_user,
1680 de->target_offset = e->target_offset - (origsize - *size);
1681 t = compat_ipt_get_target(e);
1682 target = t->u.kernel.target;
1683 xt_compat_target_from_user(t, dstptr, size);
1685 de->next_offset = e->next_offset - (origsize - *size);
1686 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1687 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1688 newinfo->hook_entry[h] -= origsize - *size;
1689 if ((unsigned char *)de - base < newinfo->underflow[h])
1690 newinfo->underflow[h] -= origsize - *size;
1696 compat_check_entry(struct ipt_entry *e, const char *name,
1699 struct xt_mtchk_param mtpar;
1705 mtpar.entryinfo = &e->ip;
1706 mtpar.hook_mask = e->comefrom;
1707 mtpar.family = NFPROTO_IPV4;
1708 ret = IPT_MATCH_ITERATE(e, check_match, &mtpar, &j);
1710 goto cleanup_matches;
1712 ret = check_target(e, name);
1714 goto cleanup_matches;
1720 IPT_MATCH_ITERATE(e, cleanup_match, &j);
1725 translate_compat_table(const char *name,
1726 unsigned int valid_hooks,
1727 struct xt_table_info **pinfo,
1729 unsigned int total_size,
1730 unsigned int number,
1731 unsigned int *hook_entries,
1732 unsigned int *underflows)
1735 struct xt_table_info *newinfo, *info;
1736 void *pos, *entry0, *entry1;
1743 info->number = number;
1745 /* Init all hooks to impossible value. */
1746 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1747 info->hook_entry[i] = 0xFFFFFFFF;
1748 info->underflow[i] = 0xFFFFFFFF;
1751 duprintf("translate_compat_table: size %u\n", info->size);
1753 xt_compat_lock(AF_INET);
1754 /* Walk through entries, checking offsets. */
1755 ret = COMPAT_IPT_ENTRY_ITERATE(entry0, total_size,
1756 check_compat_entry_size_and_hooks,
1757 info, &size, entry0,
1758 entry0 + total_size,
1759 hook_entries, underflows, &j, name);
1765 duprintf("translate_compat_table: %u not %u entries\n",
1770 /* Check hooks all assigned */
1771 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1772 /* Only hooks which are valid */
1773 if (!(valid_hooks & (1 << i)))
1775 if (info->hook_entry[i] == 0xFFFFFFFF) {
1776 duprintf("Invalid hook entry %u %u\n",
1777 i, hook_entries[i]);
1780 if (info->underflow[i] == 0xFFFFFFFF) {
1781 duprintf("Invalid underflow %u %u\n",
1788 newinfo = xt_alloc_table_info(size);
1792 newinfo->number = number;
1793 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1794 newinfo->hook_entry[i] = info->hook_entry[i];
1795 newinfo->underflow[i] = info->underflow[i];
1797 entry1 = newinfo->entries[raw_smp_processor_id()];
1800 ret = COMPAT_IPT_ENTRY_ITERATE(entry0, total_size,
1801 compat_copy_entry_from_user,
1802 &pos, &size, name, newinfo, entry1);
1803 xt_compat_flush_offsets(AF_INET);
1804 xt_compat_unlock(AF_INET);
1809 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1813 ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
1817 COMPAT_IPT_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i,
1818 compat_release_entry, &j);
1819 IPT_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i);
1820 xt_free_table_info(newinfo);
1824 /* And one copy for every other CPU */
1825 for_each_possible_cpu(i)
1826 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1827 memcpy(newinfo->entries[i], entry1, newinfo->size);
1831 xt_free_table_info(info);
1835 xt_free_table_info(newinfo);
1837 COMPAT_IPT_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j);
1840 xt_compat_flush_offsets(AF_INET);
1841 xt_compat_unlock(AF_INET);
1846 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1849 struct compat_ipt_replace tmp;
1850 struct xt_table_info *newinfo;
1851 void *loc_cpu_entry;
1853 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1856 /* overflow check */
1857 if (tmp.size >= INT_MAX / num_possible_cpus())
1859 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1862 newinfo = xt_alloc_table_info(tmp.size);
1866 /* choose the copy that is on our node/cpu */
1867 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1868 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1874 ret = translate_compat_table(tmp.name, tmp.valid_hooks,
1875 &newinfo, &loc_cpu_entry, tmp.size,
1876 tmp.num_entries, tmp.hook_entry,
1881 duprintf("compat_do_replace: Translated table\n");
1883 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1884 tmp.num_counters, compat_ptr(tmp.counters));
1886 goto free_newinfo_untrans;
1889 free_newinfo_untrans:
1890 IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1892 xt_free_table_info(newinfo);
1897 compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
1902 if (!capable(CAP_NET_ADMIN))
1906 case IPT_SO_SET_REPLACE:
1907 ret = compat_do_replace(sock_net(sk), user, len);
1910 case IPT_SO_SET_ADD_COUNTERS:
1911 ret = do_add_counters(sock_net(sk), user, len, 1);
1915 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
1922 struct compat_ipt_get_entries {
1923 char name[IPT_TABLE_MAXNAMELEN];
1925 struct compat_ipt_entry entrytable[0];
1929 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1930 void __user *userptr)
1932 struct xt_counters *counters;
1933 const struct xt_table_info *private = table->private;
1937 const void *loc_cpu_entry;
1940 counters = alloc_counters(table);
1941 if (IS_ERR(counters))
1942 return PTR_ERR(counters);
1944 /* choose the copy that is on our node/cpu, ...
1945 * This choice is lazy (because current thread is
1946 * allowed to migrate to another cpu)
1948 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1951 ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
1952 compat_copy_entry_to_user,
1953 &pos, &size, counters, &i);
1960 compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
1964 struct compat_ipt_get_entries get;
1967 if (*len < sizeof(get)) {
1968 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1972 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1975 if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
1976 duprintf("compat_get_entries: %u != %zu\n",
1977 *len, sizeof(get) + get.size);
1981 xt_compat_lock(AF_INET);
1982 t = xt_find_table_lock(net, AF_INET, get.name);
1983 if (t && !IS_ERR(t)) {
1984 const struct xt_table_info *private = t->private;
1985 struct xt_table_info info;
1986 duprintf("t->private->number = %u\n", private->number);
1987 ret = compat_table_info(private, &info);
1988 if (!ret && get.size == info.size) {
1989 ret = compat_copy_entries_to_user(private->size,
1990 t, uptr->entrytable);
1992 duprintf("compat_get_entries: I've got %u not %u!\n",
1993 private->size, get.size);
1996 xt_compat_flush_offsets(AF_INET);
2000 ret = t ? PTR_ERR(t) : -ENOENT;
2002 xt_compat_unlock(AF_INET);
2006 static int do_ipt_get_ctl(struct sock *, int, void __user *, int *);
2009 compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2013 if (!capable(CAP_NET_ADMIN))
2017 case IPT_SO_GET_INFO:
2018 ret = get_info(sock_net(sk), user, len, 1);
2020 case IPT_SO_GET_ENTRIES:
2021 ret = compat_get_entries(sock_net(sk), user, len);
2024 ret = do_ipt_get_ctl(sk, cmd, user, len);
2031 do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2035 if (!capable(CAP_NET_ADMIN))
2039 case IPT_SO_SET_REPLACE:
2040 ret = do_replace(sock_net(sk), user, len);
2043 case IPT_SO_SET_ADD_COUNTERS:
2044 ret = do_add_counters(sock_net(sk), user, len, 0);
2048 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
2056 do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2060 if (!capable(CAP_NET_ADMIN))
2064 case IPT_SO_GET_INFO:
2065 ret = get_info(sock_net(sk), user, len, 0);
2068 case IPT_SO_GET_ENTRIES:
2069 ret = get_entries(sock_net(sk), user, len);
2072 case IPT_SO_GET_REVISION_MATCH:
2073 case IPT_SO_GET_REVISION_TARGET: {
2074 struct ipt_get_revision rev;
2077 if (*len != sizeof(rev)) {
2081 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2086 if (cmd == IPT_SO_GET_REVISION_TARGET)
2091 try_then_request_module(xt_find_revision(AF_INET, rev.name,
2094 "ipt_%s", rev.name);
2099 duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
2106 struct xt_table *ipt_register_table(struct net *net, struct xt_table *table,
2107 const struct ipt_replace *repl)
2110 struct xt_table_info *newinfo;
2111 struct xt_table_info bootstrap
2112 = { 0, 0, 0, { 0 }, { 0 }, { } };
2113 void *loc_cpu_entry;
2114 struct xt_table *new_table;
2116 newinfo = xt_alloc_table_info(repl->size);
2122 /* choose the copy on our node/cpu, but dont care about preemption */
2123 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2124 memcpy(loc_cpu_entry, repl->entries, repl->size);
2126 ret = translate_table(table->name, table->valid_hooks,
2127 newinfo, loc_cpu_entry, repl->size,
2134 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2135 if (IS_ERR(new_table)) {
2136 ret = PTR_ERR(new_table);
2143 xt_free_table_info(newinfo);
2145 return ERR_PTR(ret);
2148 void ipt_unregister_table(struct xt_table *table)
2150 struct xt_table_info *private;
2151 void *loc_cpu_entry;
2152 struct module *table_owner = table->me;
2154 private = xt_unregister_table(table);
2156 /* Decrease module usage counts and free resources */
2157 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2158 IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
2159 if (private->number > private->initial_entries)
2160 module_put(table_owner);
2161 xt_free_table_info(private);
2164 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2166 icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2167 u_int8_t type, u_int8_t code,
2170 return ((test_type == 0xFF) ||
2171 (type == test_type && code >= min_code && code <= max_code))
2176 icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
2178 const struct icmphdr *ic;
2179 struct icmphdr _icmph;
2180 const struct ipt_icmp *icmpinfo = par->matchinfo;
2182 /* Must not be a fragment. */
2183 if (par->fragoff != 0)
2186 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2188 /* We've been asked to examine this packet, and we
2189 * can't. Hence, no choice but to drop.
2191 duprintf("Dropping evil ICMP tinygram.\n");
2192 *par->hotdrop = true;
2196 return icmp_type_code_match(icmpinfo->type,
2200 !!(icmpinfo->invflags&IPT_ICMP_INV));
2203 static bool icmp_checkentry(const struct xt_mtchk_param *par)
2205 const struct ipt_icmp *icmpinfo = par->matchinfo;
2207 /* Must specify no unknown invflags */
2208 return !(icmpinfo->invflags & ~IPT_ICMP_INV);
2211 /* The built-in targets: standard (NULL) and error. */
2212 static struct xt_target ipt_standard_target __read_mostly = {
2213 .name = IPT_STANDARD_TARGET,
2214 .targetsize = sizeof(int),
2216 #ifdef CONFIG_COMPAT
2217 .compatsize = sizeof(compat_int_t),
2218 .compat_from_user = compat_standard_from_user,
2219 .compat_to_user = compat_standard_to_user,
2223 static struct xt_target ipt_error_target __read_mostly = {
2224 .name = IPT_ERROR_TARGET,
2225 .target = ipt_error,
2226 .targetsize = IPT_FUNCTION_MAXNAMELEN,
2230 static struct nf_sockopt_ops ipt_sockopts = {
2232 .set_optmin = IPT_BASE_CTL,
2233 .set_optmax = IPT_SO_SET_MAX+1,
2234 .set = do_ipt_set_ctl,
2235 #ifdef CONFIG_COMPAT
2236 .compat_set = compat_do_ipt_set_ctl,
2238 .get_optmin = IPT_BASE_CTL,
2239 .get_optmax = IPT_SO_GET_MAX+1,
2240 .get = do_ipt_get_ctl,
2241 #ifdef CONFIG_COMPAT
2242 .compat_get = compat_do_ipt_get_ctl,
2244 .owner = THIS_MODULE,
2247 static struct xt_match icmp_matchstruct __read_mostly = {
2249 .match = icmp_match,
2250 .matchsize = sizeof(struct ipt_icmp),
2251 .checkentry = icmp_checkentry,
2252 .proto = IPPROTO_ICMP,
2256 static int __net_init ip_tables_net_init(struct net *net)
2258 return xt_proto_init(net, AF_INET);
2261 static void __net_exit ip_tables_net_exit(struct net *net)
2263 xt_proto_fini(net, AF_INET);
2266 static struct pernet_operations ip_tables_net_ops = {
2267 .init = ip_tables_net_init,
2268 .exit = ip_tables_net_exit,
2271 static int __init ip_tables_init(void)
2275 ret = register_pernet_subsys(&ip_tables_net_ops);
2279 /* Noone else will be downing sem now, so we won't sleep */
2280 ret = xt_register_target(&ipt_standard_target);
2283 ret = xt_register_target(&ipt_error_target);
2286 ret = xt_register_match(&icmp_matchstruct);
2290 /* Register setsockopt */
2291 ret = nf_register_sockopt(&ipt_sockopts);
2295 printk(KERN_INFO "ip_tables: (C) 2000-2006 Netfilter Core Team\n");
2299 xt_unregister_match(&icmp_matchstruct);
2301 xt_unregister_target(&ipt_error_target);
2303 xt_unregister_target(&ipt_standard_target);
2305 unregister_pernet_subsys(&ip_tables_net_ops);
2310 static void __exit ip_tables_fini(void)
2312 nf_unregister_sockopt(&ipt_sockopts);
2314 xt_unregister_match(&icmp_matchstruct);
2315 xt_unregister_target(&ipt_error_target);
2316 xt_unregister_target(&ipt_standard_target);
2318 unregister_pernet_subsys(&ip_tables_net_ops);
2321 EXPORT_SYMBOL(ipt_register_table);
2322 EXPORT_SYMBOL(ipt_unregister_table);
2323 EXPORT_SYMBOL(ipt_do_table);
2324 module_init(ip_tables_init);
2325 module_exit(ip_tables_fini);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob