2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 #include <linux/cache.h>
12 #include <linux/capability.h>
13 #include <linux/skbuff.h>
14 #include <linux/kmod.h>
15 #include <linux/vmalloc.h>
16 #include <linux/netdevice.h>
17 #include <linux/module.h>
18 #include <linux/icmp.h>
20 #include <net/compat.h>
21 #include <asm/uaccess.h>
22 #include <linux/mutex.h>
23 #include <linux/proc_fs.h>
24 #include <linux/err.h>
25 #include <linux/cpumask.h>
27 #include <linux/netfilter/x_tables.h>
28 #include <linux/netfilter_ipv4/ip_tables.h>
29 #include <net/netfilter/nf_log.h>
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
33 MODULE_DESCRIPTION("IPv4 packet filter");
35 /*#define DEBUG_IP_FIREWALL*/
36 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
37 /*#define DEBUG_IP_FIREWALL_USER*/
39 #ifdef DEBUG_IP_FIREWALL
40 #define dprintf(format, args...) printk(format , ## args)
42 #define dprintf(format, args...)
45 #ifdef DEBUG_IP_FIREWALL_USER
46 #define duprintf(format, args...) printk(format , ## args)
48 #define duprintf(format, args...)
51 #ifdef CONFIG_NETFILTER_DEBUG
52 #define IP_NF_ASSERT(x) \
55 printk("IP_NF_ASSERT: %s:%s:%u\n", \
56 __FUNCTION__, __FILE__, __LINE__); \
59 #define IP_NF_ASSERT(x)
63 /* All the better to debug you with... */
69 We keep a set of rules for each CPU, so we can avoid write-locking
70 them in the softirq when updating the counters and therefore
71 only need to read-lock in the softirq; doing a write_lock_bh() in user
72 context stops packets coming through and allows user context to read
73 the counters or update the rules.
75 Hence the start of any table is given by get_table() below. */
77 /* Returns whether matches rule or not. */
78 /* Performance critical - called for every packet */
80 ip_packet_match(const struct iphdr *ip,
83 const struct ipt_ip *ipinfo,
89 #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
91 if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
93 || FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
95 dprintf("Source or dest mismatch.\n");
97 dprintf("SRC: %u.%u.%u.%u. Mask: %u.%u.%u.%u. Target: %u.%u.%u.%u.%s\n",
99 NIPQUAD(ipinfo->smsk.s_addr),
100 NIPQUAD(ipinfo->src.s_addr),
101 ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
102 dprintf("DST: %u.%u.%u.%u Mask: %u.%u.%u.%u Target: %u.%u.%u.%u.%s\n",
104 NIPQUAD(ipinfo->dmsk.s_addr),
105 NIPQUAD(ipinfo->dst.s_addr),
106 ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
110 /* Look for ifname matches; this should unroll nicely. */
111 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
112 ret |= (((const unsigned long *)indev)[i]
113 ^ ((const unsigned long *)ipinfo->iniface)[i])
114 & ((const unsigned long *)ipinfo->iniface_mask)[i];
117 if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
118 dprintf("VIA in mismatch (%s vs %s).%s\n",
119 indev, ipinfo->iniface,
120 ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
124 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
125 ret |= (((const unsigned long *)outdev)[i]
126 ^ ((const unsigned long *)ipinfo->outiface)[i])
127 & ((const unsigned long *)ipinfo->outiface_mask)[i];
130 if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
131 dprintf("VIA out mismatch (%s vs %s).%s\n",
132 outdev, ipinfo->outiface,
133 ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
137 /* Check specific protocol */
139 && FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
140 dprintf("Packet protocol %hi does not match %hi.%s\n",
141 ip->protocol, ipinfo->proto,
142 ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
146 /* If we have a fragment rule but the packet is not a fragment
147 * then we return zero */
148 if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
149 dprintf("Fragment rule but not fragment.%s\n",
150 ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
158 ip_checkentry(const struct ipt_ip *ip)
160 if (ip->flags & ~IPT_F_MASK) {
161 duprintf("Unknown flag bits set: %08X\n",
162 ip->flags & ~IPT_F_MASK);
165 if (ip->invflags & ~IPT_INV_MASK) {
166 duprintf("Unknown invflag bits set: %08X\n",
167 ip->invflags & ~IPT_INV_MASK);
174 ipt_error(struct sk_buff *skb,
175 const struct net_device *in,
176 const struct net_device *out,
177 unsigned int hooknum,
178 const struct xt_target *target,
179 const void *targinfo)
182 printk("ip_tables: error: `%s'\n", (char *)targinfo);
187 /* Performance critical - called for every packet */
189 do_match(struct ipt_entry_match *m,
190 const struct sk_buff *skb,
191 const struct net_device *in,
192 const struct net_device *out,
196 /* Stop iteration if it doesn't match */
197 if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
198 offset, ip_hdrlen(skb), hotdrop))
204 /* Performance critical */
205 static inline struct ipt_entry *
206 get_entry(void *base, unsigned int offset)
208 return (struct ipt_entry *)(base + offset);
211 /* All zeroes == unconditional rule. */
212 /* Mildly perf critical (only if packet tracing is on) */
214 unconditional(const struct ipt_ip *ip)
218 for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
219 if (((__u32 *)ip)[i])
226 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
227 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
228 static const char *const hooknames[] = {
229 [NF_INET_PRE_ROUTING] = "PREROUTING",
230 [NF_INET_LOCAL_IN] = "INPUT",
231 [NF_INET_FORWARD] = "FORWARD",
232 [NF_INET_LOCAL_OUT] = "OUTPUT",
233 [NF_INET_POST_ROUTING] = "POSTROUTING",
236 enum nf_ip_trace_comments {
237 NF_IP_TRACE_COMMENT_RULE,
238 NF_IP_TRACE_COMMENT_RETURN,
239 NF_IP_TRACE_COMMENT_POLICY,
242 static const char *const comments[] = {
243 [NF_IP_TRACE_COMMENT_RULE] = "rule",
244 [NF_IP_TRACE_COMMENT_RETURN] = "return",
245 [NF_IP_TRACE_COMMENT_POLICY] = "policy",
248 static struct nf_loginfo trace_loginfo = {
249 .type = NF_LOG_TYPE_LOG,
253 .logflags = NF_LOG_MASK,
258 /* Mildly perf critical (only if packet tracing is on) */
260 get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
261 char *hookname, char **chainname,
262 char **comment, unsigned int *rulenum)
264 struct ipt_standard_target *t = (void *)ipt_get_target(s);
266 if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) {
267 /* Head of user chain: ERROR target with chainname */
268 *chainname = t->target.data;
273 if (s->target_offset == sizeof(struct ipt_entry)
274 && strcmp(t->target.u.kernel.target->name,
275 IPT_STANDARD_TARGET) == 0
277 && unconditional(&s->ip)) {
278 /* Tail of chains: STANDARD target (return/policy) */
279 *comment = *chainname == hookname
280 ? (char *)comments[NF_IP_TRACE_COMMENT_POLICY]
281 : (char *)comments[NF_IP_TRACE_COMMENT_RETURN];
290 static void trace_packet(struct sk_buff *skb,
292 const struct net_device *in,
293 const struct net_device *out,
294 const char *tablename,
295 struct xt_table_info *private,
299 struct ipt_entry *root;
300 char *hookname, *chainname, *comment;
301 unsigned int rulenum = 0;
303 table_base = (void *)private->entries[smp_processor_id()];
304 root = get_entry(table_base, private->hook_entry[hook]);
306 hookname = chainname = (char *)hooknames[hook];
307 comment = (char *)comments[NF_IP_TRACE_COMMENT_RULE];
309 IPT_ENTRY_ITERATE(root,
310 private->size - private->hook_entry[hook],
311 get_chainname_rulenum,
312 e, hookname, &chainname, &comment, &rulenum);
314 nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
315 "TRACE: %s:%s:%s:%u ",
316 tablename, chainname, comment, rulenum);
320 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
322 ipt_do_table(struct sk_buff *skb,
324 const struct net_device *in,
325 const struct net_device *out,
326 struct xt_table *table)
328 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
332 bool hotdrop = false;
333 /* Initializing verdict to NF_DROP keeps gcc happy. */
334 unsigned int verdict = NF_DROP;
335 const char *indev, *outdev;
337 struct ipt_entry *e, *back;
338 struct xt_table_info *private;
342 datalen = skb->len - ip->ihl * 4;
343 indev = in ? in->name : nulldevname;
344 outdev = out ? out->name : nulldevname;
345 /* We handle fragments by dealing with the first fragment as
346 * if it was a normal packet. All other fragments are treated
347 * normally, except that they will NEVER match rules that ask
348 * things we don't know, ie. tcp syn flag or ports). If the
349 * rule is also a fragment-specific rule, non-fragments won't
351 offset = ntohs(ip->frag_off) & IP_OFFSET;
353 read_lock_bh(&table->lock);
354 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
355 private = table->private;
356 table_base = (void *)private->entries[smp_processor_id()];
357 e = get_entry(table_base, private->hook_entry[hook]);
359 /* For return from builtin chain */
360 back = get_entry(table_base, private->underflow[hook]);
365 if (ip_packet_match(ip, indev, outdev, &e->ip, offset)) {
366 struct ipt_entry_target *t;
368 if (IPT_MATCH_ITERATE(e, do_match,
370 offset, &hotdrop) != 0)
373 ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
375 t = ipt_get_target(e);
376 IP_NF_ASSERT(t->u.kernel.target);
378 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
379 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
380 /* The packet is traced: log it */
381 if (unlikely(skb->nf_trace))
382 trace_packet(skb, hook, in, out,
383 table->name, private, e);
385 /* Standard target? */
386 if (!t->u.kernel.target->target) {
389 v = ((struct ipt_standard_target *)t)->verdict;
391 /* Pop from stack? */
392 if (v != IPT_RETURN) {
393 verdict = (unsigned)(-v) - 1;
397 back = get_entry(table_base,
401 if (table_base + v != (void *)e + e->next_offset
402 && !(e->ip.flags & IPT_F_GOTO)) {
403 /* Save old back ptr in next entry */
404 struct ipt_entry *next
405 = (void *)e + e->next_offset;
407 = (void *)back - table_base;
408 /* set back pointer to next entry */
412 e = get_entry(table_base, v);
414 /* Targets which reenter must return
416 #ifdef CONFIG_NETFILTER_DEBUG
417 ((struct ipt_entry *)table_base)->comefrom
420 verdict = t->u.kernel.target->target(skb,
426 #ifdef CONFIG_NETFILTER_DEBUG
427 if (((struct ipt_entry *)table_base)->comefrom
429 && verdict == IPT_CONTINUE) {
430 printk("Target %s reentered!\n",
431 t->u.kernel.target->name);
434 ((struct ipt_entry *)table_base)->comefrom
437 /* Target might have changed stuff. */
439 datalen = skb->len - ip->ihl * 4;
441 if (verdict == IPT_CONTINUE)
442 e = (void *)e + e->next_offset;
450 e = (void *)e + e->next_offset;
454 read_unlock_bh(&table->lock);
456 #ifdef DEBUG_ALLOW_ALL
465 /* Figures out from what hook each rule can be called: returns 0 if
466 there are loops. Puts hook bitmask in comefrom. */
468 mark_source_chains(struct xt_table_info *newinfo,
469 unsigned int valid_hooks, void *entry0)
473 /* No recursion; use packet counter to save back ptrs (reset
474 to 0 as we leave), and comefrom to save source hook bitmask */
475 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
476 unsigned int pos = newinfo->hook_entry[hook];
477 struct ipt_entry *e = (struct ipt_entry *)(entry0 + pos);
479 if (!(valid_hooks & (1 << hook)))
482 /* Set initial back pointer. */
483 e->counters.pcnt = pos;
486 struct ipt_standard_target *t
487 = (void *)ipt_get_target(e);
488 int visited = e->comefrom & (1 << hook);
490 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
491 printk("iptables: loop hook %u pos %u %08X.\n",
492 hook, pos, e->comefrom);
495 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
497 /* Unconditional return/END. */
498 if ((e->target_offset == sizeof(struct ipt_entry)
499 && (strcmp(t->target.u.user.name,
500 IPT_STANDARD_TARGET) == 0)
502 && unconditional(&e->ip)) || visited) {
503 unsigned int oldpos, size;
505 if (t->verdict < -NF_MAX_VERDICT - 1) {
506 duprintf("mark_source_chains: bad "
507 "negative verdict (%i)\n",
512 /* Return: backtrack through the last
515 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
516 #ifdef DEBUG_IP_FIREWALL_USER
518 & (1 << NF_INET_NUMHOOKS)) {
519 duprintf("Back unset "
526 pos = e->counters.pcnt;
527 e->counters.pcnt = 0;
529 /* We're at the start. */
533 e = (struct ipt_entry *)
535 } while (oldpos == pos + e->next_offset);
538 size = e->next_offset;
539 e = (struct ipt_entry *)
540 (entry0 + pos + size);
541 e->counters.pcnt = pos;
544 int newpos = t->verdict;
546 if (strcmp(t->target.u.user.name,
547 IPT_STANDARD_TARGET) == 0
549 if (newpos > newinfo->size -
550 sizeof(struct ipt_entry)) {
551 duprintf("mark_source_chains: "
552 "bad verdict (%i)\n",
556 /* This a jump; chase it. */
557 duprintf("Jump rule %u -> %u\n",
560 /* ... this is a fallthru */
561 newpos = pos + e->next_offset;
563 e = (struct ipt_entry *)
565 e->counters.pcnt = pos;
570 duprintf("Finished chain %u\n", hook);
576 cleanup_match(struct ipt_entry_match *m, unsigned int *i)
578 if (i && (*i)-- == 0)
581 if (m->u.kernel.match->destroy)
582 m->u.kernel.match->destroy(m->u.kernel.match, m->data);
583 module_put(m->u.kernel.match->me);
588 check_entry(struct ipt_entry *e, const char *name)
590 struct ipt_entry_target *t;
592 if (!ip_checkentry(&e->ip)) {
593 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
597 if (e->target_offset + sizeof(struct ipt_entry_target) >
601 t = ipt_get_target(e);
602 if (e->target_offset + t->u.target_size > e->next_offset)
609 check_match(struct ipt_entry_match *m, const char *name,
610 const struct ipt_ip *ip,
611 unsigned int hookmask, unsigned int *i)
613 struct xt_match *match;
616 match = m->u.kernel.match;
617 ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
618 name, hookmask, ip->proto,
619 ip->invflags & IPT_INV_PROTO);
620 if (!ret && m->u.kernel.match->checkentry
621 && !m->u.kernel.match->checkentry(name, ip, match, m->data,
623 duprintf("ip_tables: check failed for `%s'.\n",
624 m->u.kernel.match->name);
633 find_check_match(struct ipt_entry_match *m,
635 const struct ipt_ip *ip,
636 unsigned int hookmask,
639 struct xt_match *match;
642 match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
644 "ipt_%s", m->u.user.name);
645 if (IS_ERR(match) || !match) {
646 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
647 return match ? PTR_ERR(match) : -ENOENT;
649 m->u.kernel.match = match;
651 ret = check_match(m, name, ip, hookmask, i);
657 module_put(m->u.kernel.match->me);
661 static int check_target(struct ipt_entry *e, const char *name)
663 struct ipt_entry_target *t;
664 struct xt_target *target;
667 t = ipt_get_target(e);
668 target = t->u.kernel.target;
669 ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
670 name, e->comefrom, e->ip.proto,
671 e->ip.invflags & IPT_INV_PROTO);
672 if (!ret && t->u.kernel.target->checkentry
673 && !t->u.kernel.target->checkentry(name, e, target, t->data,
675 duprintf("ip_tables: check failed for `%s'.\n",
676 t->u.kernel.target->name);
683 find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
686 struct ipt_entry_target *t;
687 struct xt_target *target;
691 ret = check_entry(e, name);
696 ret = IPT_MATCH_ITERATE(e, find_check_match, name, &e->ip,
699 goto cleanup_matches;
701 t = ipt_get_target(e);
702 target = try_then_request_module(xt_find_target(AF_INET,
705 "ipt_%s", t->u.user.name);
706 if (IS_ERR(target) || !target) {
707 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
708 ret = target ? PTR_ERR(target) : -ENOENT;
709 goto cleanup_matches;
711 t->u.kernel.target = target;
713 ret = check_target(e, name);
720 module_put(t->u.kernel.target->me);
722 IPT_MATCH_ITERATE(e, cleanup_match, &j);
727 check_entry_size_and_hooks(struct ipt_entry *e,
728 struct xt_table_info *newinfo,
730 unsigned char *limit,
731 const unsigned int *hook_entries,
732 const unsigned int *underflows,
737 if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
738 || (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
739 duprintf("Bad offset %p\n", e);
744 < sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
745 duprintf("checking: element %p size %u\n",
750 /* Check hooks & underflows */
751 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
752 if ((unsigned char *)e - base == hook_entries[h])
753 newinfo->hook_entry[h] = hook_entries[h];
754 if ((unsigned char *)e - base == underflows[h])
755 newinfo->underflow[h] = underflows[h];
758 /* FIXME: underflows must be unconditional, standard verdicts
759 < 0 (not IPT_RETURN). --RR */
761 /* Clear counters and comefrom */
762 e->counters = ((struct xt_counters) { 0, 0 });
770 cleanup_entry(struct ipt_entry *e, unsigned int *i)
772 struct ipt_entry_target *t;
774 if (i && (*i)-- == 0)
777 /* Cleanup all matches */
778 IPT_MATCH_ITERATE(e, cleanup_match, NULL);
779 t = ipt_get_target(e);
780 if (t->u.kernel.target->destroy)
781 t->u.kernel.target->destroy(t->u.kernel.target, t->data);
782 module_put(t->u.kernel.target->me);
786 /* Checks and translates the user-supplied table segment (held in
789 translate_table(const char *name,
790 unsigned int valid_hooks,
791 struct xt_table_info *newinfo,
795 const unsigned int *hook_entries,
796 const unsigned int *underflows)
801 newinfo->size = size;
802 newinfo->number = number;
804 /* Init all hooks to impossible value. */
805 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
806 newinfo->hook_entry[i] = 0xFFFFFFFF;
807 newinfo->underflow[i] = 0xFFFFFFFF;
810 duprintf("translate_table: size %u\n", newinfo->size);
812 /* Walk through entries, checking offsets. */
813 ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
814 check_entry_size_and_hooks,
818 hook_entries, underflows, &i);
823 duprintf("translate_table: %u not %u entries\n",
828 /* Check hooks all assigned */
829 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
830 /* Only hooks which are valid */
831 if (!(valid_hooks & (1 << i)))
833 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
834 duprintf("Invalid hook entry %u %u\n",
838 if (newinfo->underflow[i] == 0xFFFFFFFF) {
839 duprintf("Invalid underflow %u %u\n",
845 if (!mark_source_chains(newinfo, valid_hooks, entry0))
848 /* Finally, each sanity check must pass */
850 ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
851 find_check_entry, name, size, &i);
854 IPT_ENTRY_ITERATE(entry0, newinfo->size,
859 /* And one copy for every other CPU */
860 for_each_possible_cpu(i) {
861 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
862 memcpy(newinfo->entries[i], entry0, newinfo->size);
870 add_entry_to_counter(const struct ipt_entry *e,
871 struct xt_counters total[],
874 ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
881 set_entry_to_counter(const struct ipt_entry *e,
882 struct ipt_counters total[],
885 SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
892 get_counters(const struct xt_table_info *t,
893 struct xt_counters counters[])
899 /* Instead of clearing (by a previous call to memset())
900 * the counters and using adds, we set the counters
901 * with data used by 'current' CPU
902 * We dont care about preemption here.
904 curcpu = raw_smp_processor_id();
907 IPT_ENTRY_ITERATE(t->entries[curcpu],
909 set_entry_to_counter,
913 for_each_possible_cpu(cpu) {
917 IPT_ENTRY_ITERATE(t->entries[cpu],
919 add_entry_to_counter,
925 static struct xt_counters * alloc_counters(struct xt_table *table)
927 unsigned int countersize;
928 struct xt_counters *counters;
929 struct xt_table_info *private = table->private;
931 /* We need atomic snapshot of counters: rest doesn't change
932 (other than comefrom, which userspace doesn't care
934 countersize = sizeof(struct xt_counters) * private->number;
935 counters = vmalloc_node(countersize, numa_node_id());
937 if (counters == NULL)
938 return ERR_PTR(-ENOMEM);
940 /* First, sum counters... */
941 write_lock_bh(&table->lock);
942 get_counters(private, counters);
943 write_unlock_bh(&table->lock);
949 copy_entries_to_user(unsigned int total_size,
950 struct xt_table *table,
951 void __user *userptr)
953 unsigned int off, num;
955 struct xt_counters *counters;
956 struct xt_table_info *private = table->private;
960 counters = alloc_counters(table);
961 if (IS_ERR(counters))
962 return PTR_ERR(counters);
964 /* choose the copy that is on our node/cpu, ...
965 * This choice is lazy (because current thread is
966 * allowed to migrate to another cpu)
968 loc_cpu_entry = private->entries[raw_smp_processor_id()];
969 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
974 /* FIXME: use iterator macros --RR */
975 /* ... then go back and fix counters and names */
976 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
978 struct ipt_entry_match *m;
979 struct ipt_entry_target *t;
981 e = (struct ipt_entry *)(loc_cpu_entry + off);
982 if (copy_to_user(userptr + off
983 + offsetof(struct ipt_entry, counters),
985 sizeof(counters[num])) != 0) {
990 for (i = sizeof(struct ipt_entry);
991 i < e->target_offset;
992 i += m->u.match_size) {
995 if (copy_to_user(userptr + off + i
996 + offsetof(struct ipt_entry_match,
998 m->u.kernel.match->name,
999 strlen(m->u.kernel.match->name)+1)
1006 t = ipt_get_target(e);
1007 if (copy_to_user(userptr + off + e->target_offset
1008 + offsetof(struct ipt_entry_target,
1010 t->u.kernel.target->name,
1011 strlen(t->u.kernel.target->name)+1) != 0) {
1022 #ifdef CONFIG_COMPAT
1023 static void compat_standard_from_user(void *dst, void *src)
1025 int v = *(compat_int_t *)src;
1028 v += xt_compat_calc_jump(AF_INET, v);
1029 memcpy(dst, &v, sizeof(v));
1032 static int compat_standard_to_user(void __user *dst, void *src)
1034 compat_int_t cv = *(int *)src;
1037 cv -= xt_compat_calc_jump(AF_INET, cv);
1038 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1042 compat_calc_match(struct ipt_entry_match *m, int *size)
1044 *size += xt_compat_match_offset(m->u.kernel.match);
1048 static int compat_calc_entry(struct ipt_entry *e,
1049 const struct xt_table_info *info,
1050 void *base, struct xt_table_info *newinfo)
1052 struct ipt_entry_target *t;
1053 unsigned int entry_offset;
1056 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1057 entry_offset = (void *)e - base;
1058 IPT_MATCH_ITERATE(e, compat_calc_match, &off);
1059 t = ipt_get_target(e);
1060 off += xt_compat_target_offset(t->u.kernel.target);
1061 newinfo->size -= off;
1062 ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1066 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1067 if (info->hook_entry[i] &&
1068 (e < (struct ipt_entry *)(base + info->hook_entry[i])))
1069 newinfo->hook_entry[i] -= off;
1070 if (info->underflow[i] &&
1071 (e < (struct ipt_entry *)(base + info->underflow[i])))
1072 newinfo->underflow[i] -= off;
1077 static int compat_table_info(const struct xt_table_info *info,
1078 struct xt_table_info *newinfo)
1080 void *loc_cpu_entry;
1082 if (!newinfo || !info)
1085 /* we dont care about newinfo->entries[] */
1086 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1087 newinfo->initial_entries = 0;
1088 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1089 return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
1090 compat_calc_entry, info, loc_cpu_entry,
1095 static int get_info(void __user *user, int *len, int compat)
1097 char name[IPT_TABLE_MAXNAMELEN];
1101 if (*len != sizeof(struct ipt_getinfo)) {
1102 duprintf("length %u != %zu\n", *len,
1103 sizeof(struct ipt_getinfo));
1107 if (copy_from_user(name, user, sizeof(name)) != 0)
1110 name[IPT_TABLE_MAXNAMELEN-1] = '\0';
1111 #ifdef CONFIG_COMPAT
1113 xt_compat_lock(AF_INET);
1115 t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET, name),
1116 "iptable_%s", name);
1117 if (t && !IS_ERR(t)) {
1118 struct ipt_getinfo info;
1119 struct xt_table_info *private = t->private;
1121 #ifdef CONFIG_COMPAT
1123 struct xt_table_info tmp;
1124 ret = compat_table_info(private, &tmp);
1125 xt_compat_flush_offsets(AF_INET);
1129 info.valid_hooks = t->valid_hooks;
1130 memcpy(info.hook_entry, private->hook_entry,
1131 sizeof(info.hook_entry));
1132 memcpy(info.underflow, private->underflow,
1133 sizeof(info.underflow));
1134 info.num_entries = private->number;
1135 info.size = private->size;
1136 strcpy(info.name, name);
1138 if (copy_to_user(user, &info, *len) != 0)
1146 ret = t ? PTR_ERR(t) : -ENOENT;
1147 #ifdef CONFIG_COMPAT
1149 xt_compat_unlock(AF_INET);
1155 get_entries(struct ipt_get_entries __user *uptr, int *len)
1158 struct ipt_get_entries get;
1161 if (*len < sizeof(get)) {
1162 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1165 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1167 if (*len != sizeof(struct ipt_get_entries) + get.size) {
1168 duprintf("get_entries: %u != %zu\n",
1169 *len, sizeof(get) + get.size);
1173 t = xt_find_table_lock(&init_net, AF_INET, get.name);
1174 if (t && !IS_ERR(t)) {
1175 struct xt_table_info *private = t->private;
1176 duprintf("t->private->number = %u\n", private->number);
1177 if (get.size == private->size)
1178 ret = copy_entries_to_user(private->size,
1179 t, uptr->entrytable);
1181 duprintf("get_entries: I've got %u not %u!\n",
1182 private->size, get.size);
1188 ret = t ? PTR_ERR(t) : -ENOENT;
1194 __do_replace(const char *name, unsigned int valid_hooks,
1195 struct xt_table_info *newinfo, unsigned int num_counters,
1196 void __user *counters_ptr)
1200 struct xt_table_info *oldinfo;
1201 struct xt_counters *counters;
1202 void *loc_cpu_old_entry;
1205 counters = vmalloc(num_counters * sizeof(struct xt_counters));
1211 t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET, name),
1212 "iptable_%s", name);
1213 if (!t || IS_ERR(t)) {
1214 ret = t ? PTR_ERR(t) : -ENOENT;
1215 goto free_newinfo_counters_untrans;
1219 if (valid_hooks != t->valid_hooks) {
1220 duprintf("Valid hook crap: %08X vs %08X\n",
1221 valid_hooks, t->valid_hooks);
1226 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1230 /* Update module usage count based on number of rules */
1231 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1232 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1233 if ((oldinfo->number > oldinfo->initial_entries) ||
1234 (newinfo->number <= oldinfo->initial_entries))
1236 if ((oldinfo->number > oldinfo->initial_entries) &&
1237 (newinfo->number <= oldinfo->initial_entries))
1240 /* Get the old counters. */
1241 get_counters(oldinfo, counters);
1242 /* Decrease module usage counts and free resource */
1243 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1244 IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,
1246 xt_free_table_info(oldinfo);
1247 if (copy_to_user(counters_ptr, counters,
1248 sizeof(struct xt_counters) * num_counters) != 0)
1257 free_newinfo_counters_untrans:
1264 do_replace(void __user *user, unsigned int len)
1267 struct ipt_replace tmp;
1268 struct xt_table_info *newinfo;
1269 void *loc_cpu_entry;
1271 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1274 /* overflow check */
1275 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1278 newinfo = xt_alloc_table_info(tmp.size);
1282 /* choose the copy that is on our node/cpu */
1283 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1284 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1290 ret = translate_table(tmp.name, tmp.valid_hooks,
1291 newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
1292 tmp.hook_entry, tmp.underflow);
1296 duprintf("ip_tables: Translated table\n");
1298 ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo,
1299 tmp.num_counters, tmp.counters);
1301 goto free_newinfo_untrans;
1304 free_newinfo_untrans:
1305 IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1307 xt_free_table_info(newinfo);
1311 /* We're lazy, and add to the first CPU; overflow works its fey magic
1312 * and everything is OK. */
1314 add_counter_to_entry(struct ipt_entry *e,
1315 const struct xt_counters addme[],
1319 duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
1321 (long unsigned int)e->counters.pcnt,
1322 (long unsigned int)e->counters.bcnt,
1323 (long unsigned int)addme[*i].pcnt,
1324 (long unsigned int)addme[*i].bcnt);
1327 ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
1334 do_add_counters(void __user *user, unsigned int len, int compat)
1337 struct xt_counters_info tmp;
1338 struct xt_counters *paddc;
1339 unsigned int num_counters;
1344 struct xt_table_info *private;
1346 void *loc_cpu_entry;
1347 #ifdef CONFIG_COMPAT
1348 struct compat_xt_counters_info compat_tmp;
1352 size = sizeof(struct compat_xt_counters_info);
1357 size = sizeof(struct xt_counters_info);
1360 if (copy_from_user(ptmp, user, size) != 0)
1363 #ifdef CONFIG_COMPAT
1365 num_counters = compat_tmp.num_counters;
1366 name = compat_tmp.name;
1370 num_counters = tmp.num_counters;
1374 if (len != size + num_counters * sizeof(struct xt_counters))
1377 paddc = vmalloc_node(len - size, numa_node_id());
1381 if (copy_from_user(paddc, user + size, len - size) != 0) {
1386 t = xt_find_table_lock(&init_net, AF_INET, name);
1387 if (!t || IS_ERR(t)) {
1388 ret = t ? PTR_ERR(t) : -ENOENT;
1392 write_lock_bh(&t->lock);
1393 private = t->private;
1394 if (private->number != num_counters) {
1396 goto unlock_up_free;
1400 /* Choose the copy that is on our node */
1401 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1402 IPT_ENTRY_ITERATE(loc_cpu_entry,
1404 add_counter_to_entry,
1408 write_unlock_bh(&t->lock);
1417 #ifdef CONFIG_COMPAT
1418 struct compat_ipt_replace {
1419 char name[IPT_TABLE_MAXNAMELEN];
1423 u32 hook_entry[NF_INET_NUMHOOKS];
1424 u32 underflow[NF_INET_NUMHOOKS];
1426 compat_uptr_t counters; /* struct ipt_counters * */
1427 struct compat_ipt_entry entries[0];
1431 compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
1432 compat_uint_t *size, struct xt_counters *counters,
1435 struct ipt_entry_target *t;
1436 struct compat_ipt_entry __user *ce;
1437 u_int16_t target_offset, next_offset;
1438 compat_uint_t origsize;
1443 ce = (struct compat_ipt_entry __user *)*dstptr;
1444 if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
1447 if (copy_to_user(&ce->counters, &counters[*i], sizeof(counters[*i])))
1450 *dstptr += sizeof(struct compat_ipt_entry);
1451 *size -= sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1453 ret = IPT_MATCH_ITERATE(e, xt_compat_match_to_user, dstptr, size);
1454 target_offset = e->target_offset - (origsize - *size);
1457 t = ipt_get_target(e);
1458 ret = xt_compat_target_to_user(t, dstptr, size);
1462 next_offset = e->next_offset - (origsize - *size);
1463 if (put_user(target_offset, &ce->target_offset))
1465 if (put_user(next_offset, &ce->next_offset))
1475 compat_find_calc_match(struct ipt_entry_match *m,
1477 const struct ipt_ip *ip,
1478 unsigned int hookmask,
1481 struct xt_match *match;
1483 match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
1484 m->u.user.revision),
1485 "ipt_%s", m->u.user.name);
1486 if (IS_ERR(match) || !match) {
1487 duprintf("compat_check_calc_match: `%s' not found\n",
1489 return match ? PTR_ERR(match) : -ENOENT;
1491 m->u.kernel.match = match;
1492 *size += xt_compat_match_offset(match);
1499 compat_release_match(struct ipt_entry_match *m, unsigned int *i)
1501 if (i && (*i)-- == 0)
1504 module_put(m->u.kernel.match->me);
1509 compat_release_entry(struct compat_ipt_entry *e, unsigned int *i)
1511 struct ipt_entry_target *t;
1513 if (i && (*i)-- == 0)
1516 /* Cleanup all matches */
1517 COMPAT_IPT_MATCH_ITERATE(e, compat_release_match, NULL);
1518 t = compat_ipt_get_target(e);
1519 module_put(t->u.kernel.target->me);
1524 check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
1525 struct xt_table_info *newinfo,
1527 unsigned char *base,
1528 unsigned char *limit,
1529 unsigned int *hook_entries,
1530 unsigned int *underflows,
1534 struct ipt_entry_target *t;
1535 struct xt_target *target;
1536 unsigned int entry_offset;
1539 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1540 if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
1541 || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1542 duprintf("Bad offset %p, limit = %p\n", e, limit);
1546 if (e->next_offset < sizeof(struct compat_ipt_entry) +
1547 sizeof(struct compat_xt_entry_target)) {
1548 duprintf("checking: element %p size %u\n",
1553 /* For purposes of check_entry casting the compat entry is fine */
1554 ret = check_entry((struct ipt_entry *)e, name);
1558 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1559 entry_offset = (void *)e - (void *)base;
1561 ret = COMPAT_IPT_MATCH_ITERATE(e, compat_find_calc_match, name,
1562 &e->ip, e->comefrom, &off, &j);
1564 goto release_matches;
1566 t = compat_ipt_get_target(e);
1567 target = try_then_request_module(xt_find_target(AF_INET,
1569 t->u.user.revision),
1570 "ipt_%s", t->u.user.name);
1571 if (IS_ERR(target) || !target) {
1572 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1574 ret = target ? PTR_ERR(target) : -ENOENT;
1575 goto release_matches;
1577 t->u.kernel.target = target;
1579 off += xt_compat_target_offset(target);
1581 ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1585 /* Check hooks & underflows */
1586 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1587 if ((unsigned char *)e - base == hook_entries[h])
1588 newinfo->hook_entry[h] = hook_entries[h];
1589 if ((unsigned char *)e - base == underflows[h])
1590 newinfo->underflow[h] = underflows[h];
1593 /* Clear counters and comefrom */
1594 memset(&e->counters, 0, sizeof(e->counters));
1601 module_put(t->u.kernel.target->me);
1603 IPT_MATCH_ITERATE(e, compat_release_match, &j);
1608 compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
1609 unsigned int *size, const char *name,
1610 struct xt_table_info *newinfo, unsigned char *base)
1612 struct ipt_entry_target *t;
1613 struct xt_target *target;
1614 struct ipt_entry *de;
1615 unsigned int origsize;
1620 de = (struct ipt_entry *)*dstptr;
1621 memcpy(de, e, sizeof(struct ipt_entry));
1622 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1624 *dstptr += sizeof(struct ipt_entry);
1625 *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1627 ret = COMPAT_IPT_MATCH_ITERATE(e, xt_compat_match_from_user,
1631 de->target_offset = e->target_offset - (origsize - *size);
1632 t = compat_ipt_get_target(e);
1633 target = t->u.kernel.target;
1634 xt_compat_target_from_user(t, dstptr, size);
1636 de->next_offset = e->next_offset - (origsize - *size);
1637 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1638 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1639 newinfo->hook_entry[h] -= origsize - *size;
1640 if ((unsigned char *)de - base < newinfo->underflow[h])
1641 newinfo->underflow[h] -= origsize - *size;
1647 compat_check_entry(struct ipt_entry *e, const char *name,
1653 ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip,
1656 goto cleanup_matches;
1658 ret = check_target(e, name);
1660 goto cleanup_matches;
1666 IPT_MATCH_ITERATE(e, cleanup_match, &j);
1671 translate_compat_table(const char *name,
1672 unsigned int valid_hooks,
1673 struct xt_table_info **pinfo,
1675 unsigned int total_size,
1676 unsigned int number,
1677 unsigned int *hook_entries,
1678 unsigned int *underflows)
1681 struct xt_table_info *newinfo, *info;
1682 void *pos, *entry0, *entry1;
1689 info->number = number;
1691 /* Init all hooks to impossible value. */
1692 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1693 info->hook_entry[i] = 0xFFFFFFFF;
1694 info->underflow[i] = 0xFFFFFFFF;
1697 duprintf("translate_compat_table: size %u\n", info->size);
1699 xt_compat_lock(AF_INET);
1700 /* Walk through entries, checking offsets. */
1701 ret = COMPAT_IPT_ENTRY_ITERATE(entry0, total_size,
1702 check_compat_entry_size_and_hooks,
1703 info, &size, entry0,
1704 entry0 + total_size,
1705 hook_entries, underflows, &j, name);
1711 duprintf("translate_compat_table: %u not %u entries\n",
1716 /* Check hooks all assigned */
1717 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1718 /* Only hooks which are valid */
1719 if (!(valid_hooks & (1 << i)))
1721 if (info->hook_entry[i] == 0xFFFFFFFF) {
1722 duprintf("Invalid hook entry %u %u\n",
1723 i, hook_entries[i]);
1726 if (info->underflow[i] == 0xFFFFFFFF) {
1727 duprintf("Invalid underflow %u %u\n",
1734 newinfo = xt_alloc_table_info(size);
1738 newinfo->number = number;
1739 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1740 newinfo->hook_entry[i] = info->hook_entry[i];
1741 newinfo->underflow[i] = info->underflow[i];
1743 entry1 = newinfo->entries[raw_smp_processor_id()];
1746 ret = COMPAT_IPT_ENTRY_ITERATE(entry0, total_size,
1747 compat_copy_entry_from_user,
1748 &pos, &size, name, newinfo, entry1);
1749 xt_compat_flush_offsets(AF_INET);
1750 xt_compat_unlock(AF_INET);
1755 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1759 ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
1763 COMPAT_IPT_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i,
1764 compat_release_entry, &j);
1765 IPT_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i);
1766 xt_free_table_info(newinfo);
1770 /* And one copy for every other CPU */
1771 for_each_possible_cpu(i)
1772 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1773 memcpy(newinfo->entries[i], entry1, newinfo->size);
1777 xt_free_table_info(info);
1781 xt_free_table_info(newinfo);
1783 COMPAT_IPT_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j);
1786 xt_compat_flush_offsets(AF_INET);
1787 xt_compat_unlock(AF_INET);
1792 compat_do_replace(void __user *user, unsigned int len)
1795 struct compat_ipt_replace tmp;
1796 struct xt_table_info *newinfo;
1797 void *loc_cpu_entry;
1799 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1802 /* overflow check */
1803 if (tmp.size >= INT_MAX / num_possible_cpus())
1805 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1808 newinfo = xt_alloc_table_info(tmp.size);
1812 /* choose the copy that is on our node/cpu */
1813 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1814 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1820 ret = translate_compat_table(tmp.name, tmp.valid_hooks,
1821 &newinfo, &loc_cpu_entry, tmp.size,
1822 tmp.num_entries, tmp.hook_entry,
1827 duprintf("compat_do_replace: Translated table\n");
1829 ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo,
1830 tmp.num_counters, compat_ptr(tmp.counters));
1832 goto free_newinfo_untrans;
1835 free_newinfo_untrans:
1836 IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1838 xt_free_table_info(newinfo);
1843 compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
1848 if (!capable(CAP_NET_ADMIN))
1852 case IPT_SO_SET_REPLACE:
1853 ret = compat_do_replace(user, len);
1856 case IPT_SO_SET_ADD_COUNTERS:
1857 ret = do_add_counters(user, len, 1);
1861 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
1868 struct compat_ipt_get_entries {
1869 char name[IPT_TABLE_MAXNAMELEN];
1871 struct compat_ipt_entry entrytable[0];
1875 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1876 void __user *userptr)
1878 struct xt_counters *counters;
1879 struct xt_table_info *private = table->private;
1883 void *loc_cpu_entry;
1886 counters = alloc_counters(table);
1887 if (IS_ERR(counters))
1888 return PTR_ERR(counters);
1890 /* choose the copy that is on our node/cpu, ...
1891 * This choice is lazy (because current thread is
1892 * allowed to migrate to another cpu)
1894 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1897 ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
1898 compat_copy_entry_to_user,
1899 &pos, &size, counters, &i);
1906 compat_get_entries(struct compat_ipt_get_entries __user *uptr, int *len)
1909 struct compat_ipt_get_entries get;
1912 if (*len < sizeof(get)) {
1913 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1917 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1920 if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
1921 duprintf("compat_get_entries: %u != %zu\n",
1922 *len, sizeof(get) + get.size);
1926 xt_compat_lock(AF_INET);
1927 t = xt_find_table_lock(&init_net, AF_INET, get.name);
1928 if (t && !IS_ERR(t)) {
1929 struct xt_table_info *private = t->private;
1930 struct xt_table_info info;
1931 duprintf("t->private->number = %u\n", private->number);
1932 ret = compat_table_info(private, &info);
1933 if (!ret && get.size == info.size) {
1934 ret = compat_copy_entries_to_user(private->size,
1935 t, uptr->entrytable);
1937 duprintf("compat_get_entries: I've got %u not %u!\n",
1938 private->size, get.size);
1941 xt_compat_flush_offsets(AF_INET);
1945 ret = t ? PTR_ERR(t) : -ENOENT;
1947 xt_compat_unlock(AF_INET);
1951 static int do_ipt_get_ctl(struct sock *, int, void __user *, int *);
1954 compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1958 if (!capable(CAP_NET_ADMIN))
1962 case IPT_SO_GET_INFO:
1963 ret = get_info(user, len, 1);
1965 case IPT_SO_GET_ENTRIES:
1966 ret = compat_get_entries(user, len);
1969 ret = do_ipt_get_ctl(sk, cmd, user, len);
1976 do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1980 if (!capable(CAP_NET_ADMIN))
1984 case IPT_SO_SET_REPLACE:
1985 ret = do_replace(user, len);
1988 case IPT_SO_SET_ADD_COUNTERS:
1989 ret = do_add_counters(user, len, 0);
1993 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
2001 do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2005 if (!capable(CAP_NET_ADMIN))
2009 case IPT_SO_GET_INFO:
2010 ret = get_info(user, len, 0);
2013 case IPT_SO_GET_ENTRIES:
2014 ret = get_entries(user, len);
2017 case IPT_SO_GET_REVISION_MATCH:
2018 case IPT_SO_GET_REVISION_TARGET: {
2019 struct ipt_get_revision rev;
2022 if (*len != sizeof(rev)) {
2026 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2031 if (cmd == IPT_SO_GET_REVISION_TARGET)
2036 try_then_request_module(xt_find_revision(AF_INET, rev.name,
2039 "ipt_%s", rev.name);
2044 duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
2051 int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
2054 struct xt_table_info *newinfo;
2055 struct xt_table_info bootstrap
2056 = { 0, 0, 0, { 0 }, { 0 }, { } };
2057 void *loc_cpu_entry;
2058 struct xt_table *new_table;
2060 newinfo = xt_alloc_table_info(repl->size);
2064 /* choose the copy on our node/cpu, but dont care about preemption */
2065 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2066 memcpy(loc_cpu_entry, repl->entries, repl->size);
2068 ret = translate_table(table->name, table->valid_hooks,
2069 newinfo, loc_cpu_entry, repl->size,
2074 xt_free_table_info(newinfo);
2078 new_table = xt_register_table(&init_net, table, &bootstrap, newinfo);
2079 if (IS_ERR(new_table)) {
2080 xt_free_table_info(newinfo);
2081 return PTR_ERR(new_table);
2087 void ipt_unregister_table(struct xt_table *table)
2089 struct xt_table_info *private;
2090 void *loc_cpu_entry;
2092 private = xt_unregister_table(table);
2094 /* Decrease module usage counts and free resources */
2095 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2096 IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
2097 xt_free_table_info(private);
2100 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2102 icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2103 u_int8_t type, u_int8_t code,
2106 return ((test_type == 0xFF) ||
2107 (type == test_type && code >= min_code && code <= max_code))
2112 icmp_match(const struct sk_buff *skb,
2113 const struct net_device *in,
2114 const struct net_device *out,
2115 const struct xt_match *match,
2116 const void *matchinfo,
2118 unsigned int protoff,
2121 struct icmphdr _icmph, *ic;
2122 const struct ipt_icmp *icmpinfo = matchinfo;
2124 /* Must not be a fragment. */
2128 ic = skb_header_pointer(skb, protoff, sizeof(_icmph), &_icmph);
2130 /* We've been asked to examine this packet, and we
2131 * can't. Hence, no choice but to drop.
2133 duprintf("Dropping evil ICMP tinygram.\n");
2138 return icmp_type_code_match(icmpinfo->type,
2142 !!(icmpinfo->invflags&IPT_ICMP_INV));
2145 /* Called when user tries to insert an entry of this type. */
2147 icmp_checkentry(const char *tablename,
2149 const struct xt_match *match,
2151 unsigned int hook_mask)
2153 const struct ipt_icmp *icmpinfo = matchinfo;
2155 /* Must specify no unknown invflags */
2156 return !(icmpinfo->invflags & ~IPT_ICMP_INV);
2159 /* The built-in targets: standard (NULL) and error. */
2160 static struct xt_target ipt_standard_target __read_mostly = {
2161 .name = IPT_STANDARD_TARGET,
2162 .targetsize = sizeof(int),
2164 #ifdef CONFIG_COMPAT
2165 .compatsize = sizeof(compat_int_t),
2166 .compat_from_user = compat_standard_from_user,
2167 .compat_to_user = compat_standard_to_user,
2171 static struct xt_target ipt_error_target __read_mostly = {
2172 .name = IPT_ERROR_TARGET,
2173 .target = ipt_error,
2174 .targetsize = IPT_FUNCTION_MAXNAMELEN,
2178 static struct nf_sockopt_ops ipt_sockopts = {
2180 .set_optmin = IPT_BASE_CTL,
2181 .set_optmax = IPT_SO_SET_MAX+1,
2182 .set = do_ipt_set_ctl,
2183 #ifdef CONFIG_COMPAT
2184 .compat_set = compat_do_ipt_set_ctl,
2186 .get_optmin = IPT_BASE_CTL,
2187 .get_optmax = IPT_SO_GET_MAX+1,
2188 .get = do_ipt_get_ctl,
2189 #ifdef CONFIG_COMPAT
2190 .compat_get = compat_do_ipt_get_ctl,
2192 .owner = THIS_MODULE,
2195 static struct xt_match icmp_matchstruct __read_mostly = {
2197 .match = icmp_match,
2198 .matchsize = sizeof(struct ipt_icmp),
2199 .checkentry = icmp_checkentry,
2200 .proto = IPPROTO_ICMP,
2204 static int __init ip_tables_init(void)
2208 ret = xt_proto_init(AF_INET);
2212 /* Noone else will be downing sem now, so we won't sleep */
2213 ret = xt_register_target(&ipt_standard_target);
2216 ret = xt_register_target(&ipt_error_target);
2219 ret = xt_register_match(&icmp_matchstruct);
2223 /* Register setsockopt */
2224 ret = nf_register_sockopt(&ipt_sockopts);
2228 printk(KERN_INFO "ip_tables: (C) 2000-2006 Netfilter Core Team\n");
2232 xt_unregister_match(&icmp_matchstruct);
2234 xt_unregister_target(&ipt_error_target);
2236 xt_unregister_target(&ipt_standard_target);
2238 xt_proto_fini(AF_INET);
2243 static void __exit ip_tables_fini(void)
2245 nf_unregister_sockopt(&ipt_sockopts);
2247 xt_unregister_match(&icmp_matchstruct);
2248 xt_unregister_target(&ipt_error_target);
2249 xt_unregister_target(&ipt_standard_target);
2251 xt_proto_fini(AF_INET);
2254 EXPORT_SYMBOL(ipt_register_table);
2255 EXPORT_SYMBOL(ipt_unregister_table);
2256 EXPORT_SYMBOL(ipt_do_table);
2257 module_init(ip_tables_init);
2258 module_exit(ip_tables_fini);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob