2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 #include <linux/cache.h>
12 #include <linux/capability.h>
13 #include <linux/skbuff.h>
14 #include <linux/kmod.h>
15 #include <linux/vmalloc.h>
16 #include <linux/netdevice.h>
17 #include <linux/module.h>
18 #include <linux/icmp.h>
20 #include <net/compat.h>
21 #include <asm/uaccess.h>
22 #include <linux/mutex.h>
23 #include <linux/proc_fs.h>
24 #include <linux/err.h>
25 #include <linux/cpumask.h>
27 #include <linux/netfilter/x_tables.h>
28 #include <linux/netfilter_ipv4/ip_tables.h>
29 #include <net/netfilter/nf_log.h>
/* Module metadata: license, author and one-line description strings. */
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
33 MODULE_DESCRIPTION("IPv4 packet filter");
/*
 * Compile-time debug switches and the helper macros they control.
 * The three defines below are commented out; each macro further down has
 * a printk-based definition and an empty one.
 * NOTE(review): the #else/#endif lines and part of the IP_NF_ASSERT body
 * are not visible in this view, so the exact pairing is presumed.
 */
35 /*#define DEBUG_IP_FIREWALL*/
36 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
37 /*#define DEBUG_IP_FIREWALL_USER*/
/* dprintf(): forwards to printk when DEBUG_IP_FIREWALL is defined. */
39 #ifdef DEBUG_IP_FIREWALL
40 #define dprintf(format, args...) printk(format , ## args)
42 #define dprintf(format, args...)
/* duprintf(): forwards to printk when DEBUG_IP_FIREWALL_USER is defined. */
45 #ifdef DEBUG_IP_FIREWALL_USER
46 #define duprintf(format, args...) printk(format , ## args)
48 #define duprintf(format, args...)
/*
 * IP_NF_ASSERT(): with CONFIG_NETFILTER_DEBUG it prints the function, file
 * and line; presumably only when (x) is false -- the test itself is not
 * visible here.  Otherwise it expands to nothing.
 */
51 #ifdef CONFIG_NETFILTER_DEBUG
52 #define IP_NF_ASSERT(x) \
55 printk("IP_NF_ASSERT: %s:%s:%u\n", \
56 __func__, __FILE__, __LINE__); \
59 #define IP_NF_ASSERT(x)
63 /* All the better to debug you with... */
69 We keep a set of rules for each CPU, so we can avoid write-locking
70 them in the softirq when updating the counters and therefore
71 only need to read-lock in the softirq; doing a write_lock_bh() in user
72 context stops packets coming through and allows user context to read
73 the counters or update the rules.
75 Hence the start of any table is given by get_table() below. */
77 /* Returns whether matches rule or not. */
78 /* Performance critical - called for every packet */
/*
 * ip_packet_match - test an IPv4 header against the ipt_ip part of a rule.
 * @ip:     IPv4 header of the packet
 * @ipinfo: address/interface/protocol/fragment criteria of the rule
 *
 * The visible checks run in this order: source and destination address
 * under the rule's masks, input interface name, output interface name,
 * protocol, and the fragment flag.  Every test result goes through
 * FWINV(), which XORs it with the matching bit of ipinfo->invflags.
 * A failed check logs through dprintf().
 *
 * NOTE(review): the remaining parameters (indev, outdev and isfrag are
 * used below), local declarations, return statements and braces are not
 * visible in this view.
 */
80 ip_packet_match(const struct iphdr *ip,
83 const struct ipt_ip *ipinfo,
/* FWINV: flip a test result when the rule carries the given inversion flag. */
89 #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
91 if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
93 || FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
95 dprintf("Source or dest mismatch.\n");
97 dprintf("SRC: %u.%u.%u.%u. Mask: %u.%u.%u.%u. Target: %u.%u.%u.%u.%s\n",
99 NIPQUAD(ipinfo->smsk.s_addr),
100 NIPQUAD(ipinfo->src.s_addr),
101 ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
102 dprintf("DST: %u.%u.%u.%u Mask: %u.%u.%u.%u Target: %u.%u.%u.%u.%s\n",
104 NIPQUAD(ipinfo->dmsk.s_addr),
105 NIPQUAD(ipinfo->dst.s_addr),
106 ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
/*
 * The interface names are compared one unsigned long at a time:
 * ret collects (name XOR rule name) AND rule mask over IFNAMSIZ bytes,
 * so ret == 0 means every masked byte is equal.
 */
110 /* Look for ifname matches; this should unroll nicely. */
111 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
112 ret |= (((const unsigned long *)indev)[i]
113 ^ ((const unsigned long *)ipinfo->iniface)[i])
114 & ((const unsigned long *)ipinfo->iniface_mask)[i];
117 if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
118 dprintf("VIA in mismatch (%s vs %s).%s\n",
119 indev, ipinfo->iniface,
120 ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
/* Same masked word-wise comparison, now for the output interface. */
124 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
125 ret |= (((const unsigned long *)outdev)[i]
126 ^ ((const unsigned long *)ipinfo->outiface)[i])
127 & ((const unsigned long *)ipinfo->outiface_mask)[i];
130 if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
131 dprintf("VIA out mismatch (%s vs %s).%s\n",
132 outdev, ipinfo->outiface,
133 ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
137 /* Check specific protocol */
139 && FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
140 dprintf("Packet protocol %hi does not match %hi.%s\n",
141 ip->protocol, ipinfo->proto,
142 ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
146 /* If we have a fragment rule but the packet is not a fragment
147 * then we return zero */
148 if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
149 dprintf("Fragment rule but not fragment.%s\n",
150 ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
/*
 * ip_checkentry - sanity-check the flag fields of a rule's ipt_ip part.
 * @ip: criteria block taken from a user-supplied rule
 *
 * Detects bits set outside IPT_F_MASK in ip->flags and outside
 * IPT_INV_MASK in ip->invflags, reporting each case through duprintf().
 * NOTE(review): the return statements are not visible here; check_entry()
 * treats a zero result as failure.
 */
158 ip_checkentry(const struct ipt_ip *ip)
160 if (ip->flags & ~IPT_F_MASK) {
161 duprintf("Unknown flag bits set: %08X\n",
162 ip->flags & ~IPT_F_MASK);
165 if (ip->invflags & ~IPT_INV_MASK) {
166 duprintf("Unknown invflag bits set: %08X\n",
167 ip->invflags & ~IPT_INV_MASK);
/*
 * ipt_error - target handler that reports a rule error.
 * @targinfo: target payload, printed as a C string
 *
 * Prints the payload through printk; the other parameters are unused in
 * the visible lines.
 * NOTE(review): the guard around the printk (if any) and the returned
 * verdict are not visible in this view.
 */
174 ipt_error(struct sk_buff *skb,
175 const struct net_device *in,
176 const struct net_device *out,
177 unsigned int hooknum,
178 const struct xt_target *target,
179 const void *targinfo)
182 printk("ip_tables: error: `%s'\n", (char *)targinfo);
187 /* Performance critical - called for every packet */
/*
 * do_match - run one match extension against the packet.
 * @m:   match entry embedded in the rule
 * @skb: packet being examined
 * @par: shared match parameters; ->match and ->matchinfo are filled in
 *       from @m before the extension's match() callback is invoked
 *
 * Used as the callback of IPT_MATCH_ITERATE() in ipt_do_table().
 * NOTE(review): the return values are not visible; per the comment below
 * a failed match is meant to stop the iteration.
 */
189 do_match(struct ipt_entry_match *m, const struct sk_buff *skb,
190 struct xt_match_param *par)
192 par->match = m->u.kernel.match;
193 par->matchinfo = m->data;
195 /* Stop iteration if it doesn't match */
196 if (!m->u.kernel.match->match(skb, par))
202 /* Performance critical */
/*
 * get_entry - return the rule located @offset bytes after @base.
 * No bounds checking is done here.
 */
203 static inline struct ipt_entry *
204 get_entry(void *base, unsigned int offset)
206 return (struct ipt_entry *)(base + offset);
209 /* All zeroes == unconditional rule. */
210 /* Mildly perf critical (only if packet tracing is on) */
/*
 * unconditional - scan *ip as an array of __u32 words looking for any
 * non-zero word.
 * NOTE(review): the return statements are not visible; going by the
 * comment above, an all-zero block is presumably reported as
 * "unconditional".
 */
212 unconditional(const struct ipt_ip *ip)
216 for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
217 if (((__u32 *)ip)[i])
/*
 * Chain names for the built-in hooks, indexed by NF_INET_* hook number.
 * Only compiled when the TRACE target is configured (built-in or module).
 */
224 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
225 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
226 static const char *const hooknames[] = {
227 [NF_INET_PRE_ROUTING] = "PREROUTING",
228 [NF_INET_LOCAL_IN] = "INPUT",
229 [NF_INET_FORWARD] = "FORWARD",
230 [NF_INET_LOCAL_OUT] = "OUTPUT",
231 [NF_INET_POST_ROUTING] = "POSTROUTING",
/* Indices into comments[]: what kind of rule a trace line refers to. */
234 enum nf_ip_trace_comments {
235 NF_IP_TRACE_COMMENT_RULE,
236 NF_IP_TRACE_COMMENT_RETURN,
237 NF_IP_TRACE_COMMENT_POLICY,
/* Text printed in trace lines, indexed by enum nf_ip_trace_comments. */
240 static const char *const comments[] = {
241 [NF_IP_TRACE_COMMENT_RULE] = "rule",
242 [NF_IP_TRACE_COMMENT_RETURN] = "return",
243 [NF_IP_TRACE_COMMENT_POLICY] = "policy",
/*
 * Logging parameters handed to nf_log_packet() by trace_packet().
 * NOTE(review): some initializer lines are not visible in this view.
 */
246 static struct nf_loginfo trace_loginfo = {
247 .type = NF_LOG_TYPE_LOG,
251 .logflags = NF_LOG_MASK,
256 /* Mildly perf critical (only if packet tracing is on) */
/*
 * get_chainname_rulenum - IPT_ENTRY_ITERATE() callback used by
 * trace_packet() to work out chain name, comment and rule number.
 * @s:         entry currently visited by the iteration
 * @e:         entry being traced
 * @hookname:  name of the built-in chain for the hook
 * @chainname: in/out, updated when the head of a user chain is passed
 * @comment:   out, set to "policy" or "return" at the tail of a chain
 * @rulenum:   in/out rule counter
 *
 * An ERROR target marks the head of a user chain and carries the chain
 * name in its data.  An entry with no matches, a STANDARD target and an
 * all-zero ipt_ip is a chain tail: "policy" while still in the built-in
 * chain (*chainname == hookname), "return" otherwise.
 * NOTE(review): the @rulenum updates, the comparison of @s with @e and
 * the return values are not visible in this view.
 */
258 get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
259 char *hookname, char **chainname,
260 char **comment, unsigned int *rulenum)
262 struct ipt_standard_target *t = (void *)ipt_get_target(s);
264 if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) {
265 /* Head of user chain: ERROR target with chainname */
266 *chainname = t->target.data;
271 if (s->target_offset == sizeof(struct ipt_entry)
272 && strcmp(t->target.u.kernel.target->name,
273 IPT_STANDARD_TARGET) == 0
275 && unconditional(&s->ip)) {
276 /* Tail of chains: STANDARD target (return/policy) */
277 *comment = *chainname == hookname
278 ? (char *)comments[NF_IP_TRACE_COMMENT_POLICY]
279 : (char *)comments[NF_IP_TRACE_COMMENT_RETURN];
/*
 * trace_packet - log a "TRACE:" line for a packet that hit entry e.
 * @skb:       packet being traced
 * @in, @out:  input/output devices, passed through to nf_log_packet()
 * @tablename: name of the table being traversed
 * @private:   table info; the current CPU's copy of the rules is used
 *
 * Walks the rules from the hook's entry point with
 * get_chainname_rulenum() to derive chain name, comment and rule number,
 * then logs them as "TRACE: table:chain:comment:rulenum".
 * NOTE(review): the hook and entry parameters (used below as `hook` and
 * `e`) and the table_base declaration are not visible in this view.
 */
288 static void trace_packet(struct sk_buff *skb,
290 const struct net_device *in,
291 const struct net_device *out,
292 const char *tablename,
293 struct xt_table_info *private,
297 const struct ipt_entry *root;
298 char *hookname, *chainname, *comment;
299 unsigned int rulenum = 0;
301 table_base = (void *)private->entries[smp_processor_id()];
302 root = get_entry(table_base, private->hook_entry[hook]);
/* Defaults: built-in chain name and the plain "rule" comment. */
304 hookname = chainname = (char *)hooknames[hook];
305 comment = (char *)comments[NF_IP_TRACE_COMMENT_RULE];
307 IPT_ENTRY_ITERATE(root,
308 private->size - private->hook_entry[hook],
309 get_chainname_rulenum,
310 e, hookname, &chainname, &comment, &rulenum);
312 nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
313 "TRACE: %s:%s:%s:%u ",
314 tablename, chainname, comment, rulenum);
318 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
/*
 * ipt_do_table - run a packet through one table for a given hook.
 * @skb:     packet to filter
 * @in/@out: input/output devices; a NULL device is matched against the
 *           zero-filled nulldevname
 * @table:   table to traverse
 *
 * Outline of the visible logic:
 *  - mtpar is primed with the fragment offset, transport header offset
 *    and the address of the local hotdrop flag;
 *  - the table is read-locked (read_lock_bh) and the current CPU's copy
 *    of the rules is walked from private->hook_entry[hook];
 *    `back` starts at private->underflow[hook];
 *  - an entry applies when ip_packet_match() succeeds and
 *    IPT_MATCH_ITERATE(do_match) returns 0; its counters are then bumped
 *    by the packet's total length and one packet;
 *  - a target without a ->target callback is a standard target whose
 *    verdict value v is either decoded as (unsigned)(-v) - 1, handled as
 *    a return via `back`, or followed as a jump (the old `back` offset is
 *    saved in the next entry unless IPT_F_GOTO is set);
 *  - otherwise the target callback supplies the verdict and IPT_CONTINUE
 *    advances to the next entry;
 *  - the lock is released before the verdict is handed back.
 *
 * NOTE(review): the hook parameter, several declarations, the loop
 * construct, parts of the jump bookkeeping and the final return are not
 * visible in this view; two comments below have also lost their closing
 * line.  Treat this summary as a reading aid, not a specification.
 */
320 ipt_do_table(struct sk_buff *skb,
322 const struct net_device *in,
323 const struct net_device *out,
324 struct xt_table *table)
326 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
327 const struct iphdr *ip;
329 bool hotdrop = false;
330 /* Initializing verdict to NF_DROP keeps gcc happy. */
331 unsigned int verdict = NF_DROP;
332 const char *indev, *outdev;
334 struct ipt_entry *e, *back;
335 struct xt_table_info *private;
336 struct xt_match_param mtpar;
340 datalen = skb->len - ip->ihl * 4;
341 indev = in ? in->name : nulldevname;
342 outdev = out ? out->name : nulldevname;
343 /* We handle fragments by dealing with the first fragment as
344 * if it was a normal packet. All other fragments are treated
345 * normally, except that they will NEVER match rules that ask
346 * things we don't know, ie. tcp syn flag or ports). If the
347 * rule is also a fragment-specific rule, non-fragments won't
349 mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
350 mtpar.thoff = ip_hdrlen(skb);
351 mtpar.hotdrop = &hotdrop;
355 read_lock_bh(&table->lock);
356 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
357 private = table->private;
358 table_base = (void *)private->entries[smp_processor_id()];
359 e = get_entry(table_base, private->hook_entry[hook]);
361 /* For return from builtin chain */
362 back = get_entry(table_base, private->underflow[hook]);
367 if (ip_packet_match(ip, indev, outdev,
368 &e->ip, mtpar.fragoff)) {
369 struct ipt_entry_target *t;
371 if (IPT_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0)
374 ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
376 t = ipt_get_target(e);
377 IP_NF_ASSERT(t->u.kernel.target);
379 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
380 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
381 /* The packet is traced: log it */
382 if (unlikely(skb->nf_trace))
383 trace_packet(skb, hook, in, out,
384 table->name, private, e);
386 /* Standard target? */
387 if (!t->u.kernel.target->target) {
390 v = ((struct ipt_standard_target *)t)->verdict;
392 /* Pop from stack? */
393 if (v != IPT_RETURN) {
394 verdict = (unsigned)(-v) - 1;
398 back = get_entry(table_base,
402 if (table_base + v != (void *)e + e->next_offset
403 && !(e->ip.flags & IPT_F_GOTO)) {
404 /* Save old back ptr in next entry */
405 struct ipt_entry *next
406 = (void *)e + e->next_offset;
408 = (void *)back - table_base;
409 /* set back pointer to next entry */
413 e = get_entry(table_base, v);
415 /* Targets which reenter must return
417 #ifdef CONFIG_NETFILTER_DEBUG
418 ((struct ipt_entry *)table_base)->comefrom
421 verdict = t->u.kernel.target->target(skb,
427 #ifdef CONFIG_NETFILTER_DEBUG
428 if (((struct ipt_entry *)table_base)->comefrom
430 && verdict == IPT_CONTINUE) {
431 printk("Target %s reentered!\n",
432 t->u.kernel.target->name);
435 ((struct ipt_entry *)table_base)->comefrom
438 /* Target might have changed stuff. */
440 datalen = skb->len - ip->ihl * 4;
442 if (verdict == IPT_CONTINUE)
443 e = (void *)e + e->next_offset;
451 e = (void *)e + e->next_offset;
455 read_unlock_bh(&table->lock);
457 #ifdef DEBUG_ALLOW_ALL
466 /* Figures out from what hook each rule can be called: returns 0 if
467 there are loops. Puts hook bitmask in comefrom. */
/*
 * mark_source_chains - record, per entry, which hooks can reach it and
 * detect rule loops.
 * @newinfo:     table info supplying hook entry points and total size
 * @valid_hooks: bitmask of hooks used by this table
 * @entry0:      start of the rule blob
 *
 * For every valid hook the rule graph is walked iteratively.  The packet
 * counter of each entry temporarily stores the back pointer (position we
 * came from) and comefrom collects the hook bitmask; bit NF_INET_NUMHOOKS
 * of comefrom marks an entry as being on the current path, so meeting it
 * again means a loop ("iptables: loop hook ...").
 * At an unconditional STANDARD target, or an entry already visited for
 * this hook, the walk backtracks: the on-path bit is cleared, the saved
 * position is restored and the counter is reset to 0.  Otherwise it
 * follows a jump (t->verdict used as an offset, rejected when larger
 * than newinfo->size - sizeof(struct ipt_entry)) or falls through to the
 * next entry.
 *
 * NOTE(review): loop constructs, several conditions and all return
 * statements are not visible in this view, and one comment below has
 * lost its closing line.
 */
469 mark_source_chains(struct xt_table_info *newinfo,
470 unsigned int valid_hooks, void *entry0)
474 /* No recursion; use packet counter to save back ptrs (reset
475 to 0 as we leave), and comefrom to save source hook bitmask */
476 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
477 unsigned int pos = newinfo->hook_entry[hook];
478 struct ipt_entry *e = (struct ipt_entry *)(entry0 + pos);
480 if (!(valid_hooks & (1 << hook)))
483 /* Set initial back pointer. */
484 e->counters.pcnt = pos;
487 struct ipt_standard_target *t
488 = (void *)ipt_get_target(e);
489 int visited = e->comefrom & (1 << hook);
491 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
492 printk("iptables: loop hook %u pos %u %08X.\n",
493 hook, pos, e->comefrom);
496 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
498 /* Unconditional return/END. */
499 if ((e->target_offset == sizeof(struct ipt_entry)
500 && (strcmp(t->target.u.user.name,
501 IPT_STANDARD_TARGET) == 0)
503 && unconditional(&e->ip)) || visited) {
504 unsigned int oldpos, size;
506 if (t->verdict < -NF_MAX_VERDICT - 1) {
507 duprintf("mark_source_chains: bad "
508 "negative verdict (%i)\n",
513 /* Return: backtrack through the last
516 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
517 #ifdef DEBUG_IP_FIREWALL_USER
519 & (1 << NF_INET_NUMHOOKS)) {
520 duprintf("Back unset "
527 pos = e->counters.pcnt;
528 e->counters.pcnt = 0;
530 /* We're at the start. */
534 e = (struct ipt_entry *)
536 } while (oldpos == pos + e->next_offset);
539 size = e->next_offset;
540 e = (struct ipt_entry *)
541 (entry0 + pos + size);
542 e->counters.pcnt = pos;
545 int newpos = t->verdict;
547 if (strcmp(t->target.u.user.name,
548 IPT_STANDARD_TARGET) == 0
550 if (newpos > newinfo->size -
551 sizeof(struct ipt_entry)) {
552 duprintf("mark_source_chains: "
553 "bad verdict (%i)\n",
557 /* This a jump; chase it. */
558 duprintf("Jump rule %u -> %u\n",
561 /* ... this is a fallthru */
562 newpos = pos + e->next_offset;
564 e = (struct ipt_entry *)
566 e->counters.pcnt = pos;
571 duprintf("Finished chain %u\n", hook);
/*
 * cleanup_match - release one match of a rule.
 * @m: match entry whose kernel-side match is being dropped
 * @i: optional countdown; when non-NULL it is decremented on every call
 *     and a value of 0 before the decrement is a stop condition
 *
 * Calls the match's destroy() hook if it has one, then drops the module
 * reference taken when the match was looked up.
 * NOTE(review): the return statements are not visible in this view.
 */
577 cleanup_match(struct ipt_entry_match *m, unsigned int *i)
579 if (i && (*i)-- == 0)
582 if (m->u.kernel.match->destroy)
583 m->u.kernel.match->destroy(m->u.kernel.match, m->data);
584 module_put(m->u.kernel.match->me);
/*
 * check_entry - basic structural validation of one rule.
 * @e:    rule to check
 * @name: table name, only used in the debug message
 *
 * Verifies the ipt_ip flags via ip_checkentry() and that the target
 * header, and then the whole target (t->u.target_size), fit inside the
 * entry as delimited by e->next_offset.
 * NOTE(review): the right-hand side of the first size comparison and the
 * return values are not visible in this view.
 */
589 check_entry(struct ipt_entry *e, const char *name)
591 struct ipt_entry_target *t;
593 if (!ip_checkentry(&e->ip)) {
594 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
598 if (e->target_offset + sizeof(struct ipt_entry_target) >
602 t = ipt_get_target(e);
603 if (e->target_offset + t->u.target_size > e->next_offset)
/*
 * check_match - validate an already-resolved match via xt_check_match().
 * @m:        match entry; m->u.kernel.match must already be set
 * @name:     table name
 * @ip:       the rule's ipt_ip part (protocol and inversion flag are
 *            passed on)
 * @hookmask: hooks from which the rule can be reached
 * @i:        not used in the visible lines; presumably a counter of
 *            successfully checked matches -- TODO confirm
 *
 * The size handed to xt_check_match() is the payload size, i.e.
 * match_size minus the ipt_entry_match header.
 * NOTE(review): the error test and return values are not visible here.
 */
610 check_match(struct ipt_entry_match *m, const char *name,
611 const struct ipt_ip *ip,
612 unsigned int hookmask, unsigned int *i)
614 struct xt_match *match;
617 match = m->u.kernel.match;
618 ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
619 name, hookmask, ip->proto,
620 ip->invflags & IPT_INV_PROTO, ip, m->data);
622 duprintf("ip_tables: check failed for `%s'.\n",
623 m->u.kernel.match->name);
/*
 * find_check_match - resolve a match by name, then validate it.
 * @m:        match entry as supplied by userspace (u.user.name is read)
 * @ip:       the rule's ipt_ip part
 * @hookmask: hooks from which the rule can be reached
 *
 * Looks the match up with xt_find_match(), requesting module
 * "ipt_<name>" if needed.  A failed lookup yields PTR_ERR() of the error
 * pointer, or -ENOENT when the lookup returned NULL.  On success the
 * kernel match pointer is stored in the entry and check_match() runs.
 * NOTE(review): the remaining parameters, the error branch leading to
 * the module_put() at the end and the return statements are not visible
 * in this view.
 */
631 find_check_match(struct ipt_entry_match *m,
633 const struct ipt_ip *ip,
634 unsigned int hookmask,
637 struct xt_match *match;
640 match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
642 "ipt_%s", m->u.user.name);
643 if (IS_ERR(match) || !match) {
644 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
645 return match ? PTR_ERR(match) : -ENOENT;
647 m->u.kernel.match = match;
649 ret = check_match(m, name, ip, hookmask, i);
655 module_put(m->u.kernel.match->me);
/*
 * check_target - validate a rule's already-resolved target via
 * xt_check_target().
 * @e:    rule whose target is checked; e->comefrom is passed as hook mask
 * @name: table name
 *
 * The size handed over is the target payload size, i.e. target_size
 * minus the ipt_entry_target header.
 * NOTE(review): the error test and return values are not visible here.
 */
659 static int check_target(struct ipt_entry *e, const char *name)
661 struct ipt_entry_target *t;
662 struct xt_target *target;
665 t = ipt_get_target(e);
666 target = t->u.kernel.target;
667 ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
668 name, e->comefrom, e->ip.proto,
669 e->ip.invflags & IPT_INV_PROTO, e, t->data);
671 duprintf("ip_tables: check failed for `%s'.\n",
672 t->u.kernel.target->name);
/*
 * find_check_entry - fully resolve and validate one rule.
 * @e:    rule to process
 * @name: table name
 * @size: total size of the rule blob (not used in the visible lines)
 *
 * Steps: check_entry(); find_check_match() on every match; look up the
 * target by name (requesting module "ipt_<name>" if needed);
 * check_target().  The tail of the function is the unwind path: it drops
 * the target module reference and runs cleanup_match() over the matches
 * with the counter j.
 * NOTE(review): the last parameter, the declaration of j, the error
 * tests, labels and return statements are not visible in this view.
 */
679 find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
682 struct ipt_entry_target *t;
683 struct xt_target *target;
687 ret = check_entry(e, name);
692 ret = IPT_MATCH_ITERATE(e, find_check_match, name, &e->ip,
695 goto cleanup_matches;
697 t = ipt_get_target(e);
698 target = try_then_request_module(xt_find_target(AF_INET,
701 "ipt_%s", t->u.user.name);
702 if (IS_ERR(target) || !target) {
703 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
704 ret = target ? PTR_ERR(target) : -ENOENT;
705 goto cleanup_matches;
707 t->u.kernel.target = target;
709 ret = check_target(e, name);
716 module_put(t->u.kernel.target->me);
718 IPT_MATCH_ITERATE(e, cleanup_match, &j);
/*
 * check_entry_size_and_hooks - validate placement and size of one rule
 * and note whether it is a hook entry point or underflow.
 * @e:            rule being checked
 * @newinfo:      table info whose hook_entry[]/underflow[] get filled in
 * @limit:        first byte past the rule blob
 * @hook_entries: user-supplied hook entry offsets
 * @underflows:   user-supplied underflow offsets
 *
 * Rejects an entry that is misaligned for struct ipt_entry or whose
 * header reaches @limit, and one too small to hold an entry header plus
 * a target header.  When the entry's offset from base equals a supplied
 * hook entry/underflow offset, that offset is recorded in @newinfo.
 * Finally the entry's counters are zeroed.
 * NOTE(review): the base parameter, the left-hand side of the minimum
 * size test, the comefrom reset and the return values are not visible in
 * this view.
 */
723 check_entry_size_and_hooks(struct ipt_entry *e,
724 struct xt_table_info *newinfo,
726 unsigned char *limit,
727 const unsigned int *hook_entries,
728 const unsigned int *underflows,
733 if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
734 || (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
735 duprintf("Bad offset %p\n", e);
740 < sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
741 duprintf("checking: element %p size %u\n",
746 /* Check hooks & underflows */
747 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
748 if ((unsigned char *)e - base == hook_entries[h])
749 newinfo->hook_entry[h] = hook_entries[h];
750 if ((unsigned char *)e - base == underflows[h])
751 newinfo->underflow[h] = underflows[h];
754 /* FIXME: underflows must be unconditional, standard verdicts
755 < 0 (not IPT_RETURN). --RR */
757 /* Clear counters and comefrom */
758 e->counters = ((struct xt_counters) { 0, 0 });
/*
 * cleanup_entry - release everything a validated rule holds.
 * @e: rule to tear down
 * @i: optional countdown; when non-NULL it is decremented on every call
 *     and a value of 0 before the decrement is a stop condition
 *
 * Runs cleanup_match() on every match, calls the target's destroy() hook
 * if present and drops the target's module reference.
 * NOTE(review): the return statements are not visible in this view.
 */
766 cleanup_entry(struct ipt_entry *e, unsigned int *i)
768 struct ipt_entry_target *t;
770 if (i && (*i)-- == 0)
773 /* Cleanup all matches */
774 IPT_MATCH_ITERATE(e, cleanup_match, NULL);
775 t = ipt_get_target(e);
776 if (t->u.kernel.target->destroy)
777 t->u.kernel.target->destroy(t->u.kernel.target, t->data);
778 module_put(t->u.kernel.target->me);
/*
 * translate_table: validate a user-supplied rule blob and prepare it for
 * use as a kernel table.
 *
 * Visible steps: store size and entry count in newinfo; mark every
 * hook_entry/underflow as unassigned (0xFFFFFFFF); walk all entries with
 * check_entry_size_and_hooks(); verify the entry count and that every
 * valid hook got an entry point and an underflow; run
 * mark_source_chains(); run find_check_entry() on every entry; finally
 * copy the validated blob into every other possible CPU's buffer.
 *
 * NOTE(review): the entry0/size/number parameters, the error tests, the
 * callback of the cleanup iteration and the return statements are not
 * visible in this view; the original header comment below has also lost
 * its closing line.
 */
782 /* Checks and translates the user-supplied table segment (held in
785 translate_table(const char *name,
786 unsigned int valid_hooks,
787 struct xt_table_info *newinfo,
791 const unsigned int *hook_entries,
792 const unsigned int *underflows)
797 newinfo->size = size;
798 newinfo->number = number;
800 /* Init all hooks to impossible value. */
801 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
802 newinfo->hook_entry[i] = 0xFFFFFFFF;
803 newinfo->underflow[i] = 0xFFFFFFFF;
806 duprintf("translate_table: size %u\n", newinfo->size);
808 /* Walk through entries, checking offsets. */
809 ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
810 check_entry_size_and_hooks,
814 hook_entries, underflows, &i);
819 duprintf("translate_table: %u not %u entries\n",
824 /* Check hooks all assigned */
825 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
826 /* Only hooks which are valid */
827 if (!(valid_hooks & (1 << i)))
829 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
830 duprintf("Invalid hook entry %u %u\n",
834 if (newinfo->underflow[i] == 0xFFFFFFFF) {
835 duprintf("Invalid underflow %u %u\n",
841 if (!mark_source_chains(newinfo, valid_hooks, entry0))
844 /* Finally, each sanity check must pass */
846 ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
847 find_check_entry, name, size, &i);
850 IPT_ENTRY_ITERATE(entry0, newinfo->size,
855 /* And one copy for every other CPU */
856 for_each_possible_cpu(i) {
857 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
858 memcpy(newinfo->entries[i], entry0, newinfo->size);
/*
 * add_entry_to_counter - IPT_ENTRY_ITERATE() callback that adds one
 * entry's byte/packet counters onto total[*i].
 * NOTE(review): the index parameter, its increment and the return value
 * are not visible in this view.
 */
866 add_entry_to_counter(const struct ipt_entry *e,
867 struct xt_counters total[],
870 ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
/*
 * set_entry_to_counter - IPT_ENTRY_ITERATE() callback that overwrites
 * total[*i] with one entry's byte/packet counters.
 * NOTE(review): declared with struct ipt_counters while the sibling
 * add_entry_to_counter() uses struct xt_counters -- presumably an alias;
 * confirm.  The index parameter, its increment and the return value are
 * not visible in this view.
 */
877 set_entry_to_counter(const struct ipt_entry *e,
878 struct ipt_counters total[],
881 SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
/*
 * get_counters - collect the per-CPU rule counters into counters[].
 * @t:        table info holding one copy of the rules per CPU
 * @counters: output array, one slot per rule
 *
 * The running CPU's copy initialises the array via
 * set_entry_to_counter(); the copies reached through
 * for_each_possible_cpu() are then added with add_entry_to_counter().
 * NOTE(review): whether the running CPU is skipped in the second pass,
 * and the iteration sizes/index arguments, are not visible in this view;
 * the comment below has also lost its closing line.
 */
888 get_counters(const struct xt_table_info *t,
889 struct xt_counters counters[])
895 /* Instead of clearing (by a previous call to memset())
896 * the counters and using adds, we set the counters
897 * with data used by 'current' CPU
898 * We dont care about preemption here.
900 curcpu = raw_smp_processor_id();
903 IPT_ENTRY_ITERATE(t->entries[curcpu],
905 set_entry_to_counter,
909 for_each_possible_cpu(cpu) {
913 IPT_ENTRY_ITERATE(t->entries[cpu],
915 add_entry_to_counter,
/*
 * alloc_counters - allocate and fill a snapshot of a table's counters.
 * @table: table to snapshot
 *
 * Allocates one struct xt_counters per rule with vmalloc_node() on the
 * local NUMA node and returns ERR_PTR(-ENOMEM) if that fails.  The
 * counters are gathered by get_counters() while holding the table's
 * write lock (write_lock_bh).
 * NOTE(review): the final return is not visible; the caller releasing
 * the buffer is presumed -- confirm.  One comment below has lost its
 * closing line.
 */
921 static struct xt_counters * alloc_counters(struct xt_table *table)
923 unsigned int countersize;
924 struct xt_counters *counters;
925 const struct xt_table_info *private = table->private;
927 /* We need atomic snapshot of counters: rest doesn't change
928 (other than comefrom, which userspace doesn't care
930 countersize = sizeof(struct xt_counters) * private->number;
931 counters = vmalloc_node(countersize, numa_node_id());
933 if (counters == NULL)
934 return ERR_PTR(-ENOMEM);
936 /* First, sum counters... */
937 write_lock_bh(&table->lock);
938 get_counters(private, counters);
939 write_unlock_bh(&table->lock);
/*
 * copy_entries_to_user - export a table's rules to userspace.
 * @total_size: number of bytes of rule data to copy
 * @table:      table being dumped
 * @userptr:    destination buffer in user memory
 *
 * Takes a counter snapshot with alloc_counters() (its error is returned
 * via PTR_ERR()), copies the local CPU's rule blob verbatim, then walks
 * the entries again and patches the user copy: summed counters for each
 * entry, and the match/target names taken from the kernel extension
 * objects.
 * NOTE(review): error codes on copy_to_user() failure, the cleanup of
 * the counters buffer and the final return are not visible in this view;
 * one comment below has lost its closing line.
 */
945 copy_entries_to_user(unsigned int total_size,
946 struct xt_table *table,
947 void __user *userptr)
949 unsigned int off, num;
951 struct xt_counters *counters;
952 const struct xt_table_info *private = table->private;
954 const void *loc_cpu_entry;
956 counters = alloc_counters(table);
957 if (IS_ERR(counters))
958 return PTR_ERR(counters);
960 /* choose the copy that is on our node/cpu, ...
961 * This choice is lazy (because current thread is
962 * allowed to migrate to another cpu)
964 loc_cpu_entry = private->entries[raw_smp_processor_id()];
965 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
970 /* FIXME: use iterator macros --RR */
971 /* ... then go back and fix counters and names */
972 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
974 const struct ipt_entry_match *m;
975 const struct ipt_entry_target *t;
977 e = (struct ipt_entry *)(loc_cpu_entry + off);
978 if (copy_to_user(userptr + off
979 + offsetof(struct ipt_entry, counters),
981 sizeof(counters[num])) != 0) {
986 for (i = sizeof(struct ipt_entry);
987 i < e->target_offset;
988 i += m->u.match_size) {
991 if (copy_to_user(userptr + off + i
992 + offsetof(struct ipt_entry_match,
994 m->u.kernel.match->name,
995 strlen(m->u.kernel.match->name)+1)
1002 t = ipt_get_target(e);
1003 if (copy_to_user(userptr + off + e->target_offset
1004 + offsetof(struct ipt_entry_target,
1006 t->u.kernel.target->name,
1007 strlen(t->u.kernel.target->name)+1) != 0) {
1018 #ifdef CONFIG_COMPAT
/*
 * compat_standard_from_user - convert a compat standard-target verdict
 * to native layout.
 * @dst: receives the native int
 * @src: points at the compat_int_t verdict
 *
 * The verdict is adjusted by xt_compat_calc_jump() and stored to @dst.
 * NOTE(review): the condition guarding the adjustment is not visible in
 * this view.
 */
1019 static void compat_standard_from_user(void *dst, void *src)
1021 int v = *(compat_int_t *)src;
1024 v += xt_compat_calc_jump(AF_INET, v);
1025 memcpy(dst, &v, sizeof(v));
/*
 * compat_standard_to_user - convert a native standard-target verdict to
 * compat layout and copy it to userspace.
 * @dst: user destination
 * @src: points at the native int verdict
 *
 * Returns 0 on success, -EFAULT if the copy to user memory fails.
 * NOTE(review): the condition guarding the xt_compat_calc_jump()
 * adjustment is not visible in this view.
 */
1028 static int compat_standard_to_user(void __user *dst, void *src)
1030 compat_int_t cv = *(int *)src;
1033 cv -= xt_compat_calc_jump(AF_INET, cv);
1034 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
/*
 * compat_calc_match - IPT_MATCH_ITERATE() callback that adds this
 * match's native-vs-compat size difference to *size.
 * NOTE(review): the return value is not visible in this view.
 */
1038 compat_calc_match(struct ipt_entry_match *m, int *size)
1040 *size += xt_compat_match_offset(m->u.kernel.match);
/*
 * compat_calc_entry - compute how much smaller one rule is in compat
 * layout and adjust the compat table info accordingly.
 * @e:       native rule
 * @info:    native table info (read only)
 * @base:    start of the native rule blob
 * @newinfo: compat view being built; size and hook offsets are reduced
 *
 * off accumulates the entry-header difference plus the offsets reported
 * for every match and for the target.  The delta is registered with
 * xt_compat_add_offset() for this entry's offset, subtracted from
 * newinfo->size, and subtracted from every hook_entry/underflow that
 * lies after @e.
 * NOTE(review): local declarations, the error test after
 * xt_compat_add_offset() and the return values are not visible in this
 * view.
 */
1044 static int compat_calc_entry(struct ipt_entry *e,
1045 const struct xt_table_info *info,
1046 void *base, struct xt_table_info *newinfo)
1048 struct ipt_entry_target *t;
1049 unsigned int entry_offset;
1052 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1053 entry_offset = (void *)e - base;
1054 IPT_MATCH_ITERATE(e, compat_calc_match, &off);
1055 t = ipt_get_target(e);
1056 off += xt_compat_target_offset(t->u.kernel.target);
1057 newinfo->size -= off;
1058 ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1062 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1063 if (info->hook_entry[i] &&
1064 (e < (struct ipt_entry *)(base + info->hook_entry[i])))
1065 newinfo->hook_entry[i] -= off;
1066 if (info->underflow[i] &&
1067 (e < (struct ipt_entry *)(base + info->underflow[i])))
1068 newinfo->underflow[i] -= off;
/*
 * compat_table_info - derive the compat-layout table info from a native
 * one.
 * @info:    native table info
 * @newinfo: output; receives a copy of @info up to (not including) the
 *           entries[] array, with initial_entries reset to 0
 *
 * Each rule of the local CPU's copy is then passed to
 * compat_calc_entry(), whose result is returned.
 * NOTE(review): the return value for NULL arguments and the last
 * iterator argument are not visible in this view.
 */
1073 static int compat_table_info(const struct xt_table_info *info,
1074 struct xt_table_info *newinfo)
1076 void *loc_cpu_entry;
1078 if (!newinfo || !info)
1081 /* we don't care about newinfo->entries[] */
1082 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1083 newinfo->initial_entries = 0;
1084 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1085 return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
1086 compat_calc_entry, info, loc_cpu_entry,
/*
 * get_info - answer a "get table info" request from userspace.
 * @net:    network namespace to look the table up in
 * @user:   user buffer; holds the table name on input and receives a
 *          struct ipt_getinfo on output
 * @len:    in: size of the user buffer, must equal
 *          sizeof(struct ipt_getinfo)
 * @compat: non-zero for a compat caller (only used under CONFIG_COMPAT)
 *
 * The name is copied in and forcibly NUL-terminated, the table is looked
 * up (requesting module "iptable_<name>" if needed) and its valid hooks,
 * hook entries, underflows, entry count and size are reported.  For
 * compat callers the info is first translated with compat_table_info().
 * A failed lookup yields PTR_ERR() of the error pointer, or -ENOENT for
 * NULL.
 *
 * NOTE(review): `info` is filled field by field and then copied out in
 * full; no zeroing of the structure is visible here, so padding and the
 * tail of info.name after strcpy() may carry stale stack bytes to
 * userspace -- confirm against the hidden lines.
 * NOTE(review): several branches, the table unlock/module_put and the
 * return statements are not visible in this view.
 */
1091 static int get_info(struct net *net, void __user *user, int *len, int compat)
1093 char name[IPT_TABLE_MAXNAMELEN];
1097 if (*len != sizeof(struct ipt_getinfo)) {
1098 duprintf("length %u != %zu\n", *len,
1099 sizeof(struct ipt_getinfo));
1103 if (copy_from_user(name, user, sizeof(name)) != 0)
/* Userspace need not have terminated the name. */
1106 name[IPT_TABLE_MAXNAMELEN-1] = '\0';
1107 #ifdef CONFIG_COMPAT
1109 xt_compat_lock(AF_INET);
1111 t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1112 "iptable_%s", name);
1113 if (t && !IS_ERR(t)) {
1114 struct ipt_getinfo info;
1115 const struct xt_table_info *private = t->private;
1117 #ifdef CONFIG_COMPAT
1119 struct xt_table_info tmp;
1120 ret = compat_table_info(private, &tmp);
1121 xt_compat_flush_offsets(AF_INET);
1125 info.valid_hooks = t->valid_hooks;
1126 memcpy(info.hook_entry, private->hook_entry,
1127 sizeof(info.hook_entry));
1128 memcpy(info.underflow, private->underflow,
1129 sizeof(info.underflow));
1130 info.num_entries = private->number;
1131 info.size = private->size;
1132 strcpy(info.name, name);
1134 if (copy_to_user(user, &info, *len) != 0)
1142 ret = t ? PTR_ERR(t) : -ENOENT;
1143 #ifdef CONFIG_COMPAT
1145 xt_compat_unlock(AF_INET);
/*
 * get_entries - copy a table's rules to userspace.
 * @net:  network namespace to look the table up in
 * @uptr: user request; header is read, rules are written to
 *        uptr->entrytable
 * @len:  size of the user buffer
 *
 * The buffer must be at least a struct ipt_get_entries and exactly
 * header + get.size bytes long.  The rules are only copied when get.size
 * equals the table's current size.  A failed lookup yields PTR_ERR() of
 * the error pointer, or -ENOENT for NULL.
 *
 * NOTE(review): get.name comes straight from userspace and no explicit
 * NUL-termination is visible before it is passed to
 * xt_find_table_lock() -- confirm against the hidden lines.
 * NOTE(review): error codes, the table unlock/module_put and the return
 * statements are not visible in this view.
 */
1151 get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len)
1154 struct ipt_get_entries get;
1157 if (*len < sizeof(get)) {
1158 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1161 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1163 if (*len != sizeof(struct ipt_get_entries) + get.size) {
1164 duprintf("get_entries: %u != %zu\n",
1165 *len, sizeof(get) + get.size);
1169 t = xt_find_table_lock(net, AF_INET, get.name);
1170 if (t && !IS_ERR(t)) {
1171 const struct xt_table_info *private = t->private;
1172 duprintf("t->private->number = %u\n", private->number);
1173 if (get.size == private->size)
1174 ret = copy_entries_to_user(private->size,
1175 t, uptr->entrytable);
1177 duprintf("get_entries: I've got %u not %u!\n",
1178 private->size, get.size);
1184 ret = t ? PTR_ERR(t) : -ENOENT;
/*
 * __do_replace - swap a translated rule set into a live table.
 * @net:          network namespace of the table
 * @name:         table name
 * @valid_hooks:  hook mask the new rules were built for; must equal the
 *                table's own mask
 * @newinfo:      translated replacement
 * @num_counters: number of counter slots userspace provided
 * @counters_ptr: user buffer receiving the old rules' counters
 *
 * Allocates a counter buffer, finds and locks the table (requesting
 * module "iptable_<name>" if needed), replaces the rule set via
 * xt_replace_table(), adjusts the module use count depending on whether
 * old/new rule sets exceed the initial entries, gathers the old
 * counters, tears the old entries down with cleanup_entry(), frees the
 * old table info and copies the counters to userspace.
 * NOTE(review): allocation/err checks, the module_put()/unlock calls,
 * the unwind labels' bodies and the return statements are not visible in
 * this view.
 */
1190 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1191 struct xt_table_info *newinfo, unsigned int num_counters,
1192 void __user *counters_ptr)
1196 struct xt_table_info *oldinfo;
1197 struct xt_counters *counters;
1198 void *loc_cpu_old_entry;
1201 counters = vmalloc(num_counters * sizeof(struct xt_counters));
1207 t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1208 "iptable_%s", name);
1209 if (!t || IS_ERR(t)) {
1210 ret = t ? PTR_ERR(t) : -ENOENT;
1211 goto free_newinfo_counters_untrans;
1215 if (valid_hooks != t->valid_hooks) {
1216 duprintf("Valid hook crap: %08X vs %08X\n",
1217 valid_hooks, t->valid_hooks);
1222 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1226 /* Update module usage count based on number of rules */
1227 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1228 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1229 if ((oldinfo->number > oldinfo->initial_entries) ||
1230 (newinfo->number <= oldinfo->initial_entries))
1232 if ((oldinfo->number > oldinfo->initial_entries) &&
1233 (newinfo->number <= oldinfo->initial_entries))
1236 /* Get the old counters. */
1237 get_counters(oldinfo, counters);
1238 /* Decrease module usage counts and free resource */
1239 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1240 IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,
1242 xt_free_table_info(oldinfo);
1243 if (copy_to_user(counters_ptr, counters,
1244 sizeof(struct xt_counters) * num_counters) != 0)
1253 free_newinfo_counters_untrans:
/*
 * do_replace - handle a "replace table" request from userspace.
 * @net:  network namespace of the table
 * @user: user buffer: struct ipt_replace header followed by the rules
 * @len:  size of the user buffer (not used in the visible lines)
 *
 * Copies the header in, rejects a num_counters large enough to overflow
 * the later counter allocation, allocates table info for tmp.size bytes,
 * copies the rules into the local CPU's buffer, validates them with
 * translate_table() and installs them with __do_replace().  When
 * __do_replace() fails, the translated entries are torn down with
 * cleanup_entry() before the table info is freed.
 *
 * NOTE(review): tmp.name comes straight from userspace and no explicit
 * NUL-termination is visible before it is used as a string -- confirm
 * against the hidden lines.
 * NOTE(review): error codes, NULL checks, some labels and the return
 * statements are not visible in this view.
 */
1260 do_replace(struct net *net, void __user *user, unsigned int len)
1263 struct ipt_replace tmp;
1264 struct xt_table_info *newinfo;
1265 void *loc_cpu_entry;
1267 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1270 /* overflow check */
1271 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1274 newinfo = xt_alloc_table_info(tmp.size);
1278 /* choose the copy that is on our node/cpu */
1279 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1280 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1286 ret = translate_table(tmp.name, tmp.valid_hooks,
1287 newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
1288 tmp.hook_entry, tmp.underflow);
1292 duprintf("ip_tables: Translated table\n");
1294 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1295 tmp.num_counters, tmp.counters);
1297 goto free_newinfo_untrans;
1300 free_newinfo_untrans:
1301 IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1303 xt_free_table_info(newinfo);
1307 /* We're lazy, and add to the first CPU; overflow works its fey magic
1308 * and everything is OK. */
/*
 * add_counter_to_entry - IPT_ENTRY_ITERATE() callback that adds the
 * user-supplied counters addme[*i] onto entry e.
 * NOTE(review): the index parameter, its increment and the return value
 * are not visible in this view.
 */
1310 add_counter_to_entry(struct ipt_entry *e,
1311 const struct xt_counters addme[],
1315 duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
1317 (long unsigned int)e->counters.pcnt,
1318 (long unsigned int)e->counters.bcnt,
1319 (long unsigned int)addme[*i].pcnt,
1320 (long unsigned int)addme[*i].bcnt);
1323 ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
/*
 * do_add_counters - handle an "add counters" request from userspace.
 * @net:    network namespace of the table
 * @user:   user buffer: counters-info header followed by the counters
 * @len:    size of the user buffer
 * @compat: non-zero when the header uses the compat layout (only used
 *          under CONFIG_COMPAT)
 *
 * Reads the header in native or compat layout, requires @len to be
 * exactly header + num_counters * sizeof(struct xt_counters), copies the
 * counters in, then under the table's write lock checks that the table
 * has exactly num_counters rules and adds each supplied counter to the
 * local CPU's copy of the rules.
 * NOTE(review): the table name is taken from the user-supplied header;
 * no explicit NUL-termination is visible -- confirm.  Error codes,
 * branch structure, labels, frees and return statements are not visible
 * in this view.
 */
1330 do_add_counters(struct net *net, void __user *user, unsigned int len, int compat)
1333 struct xt_counters_info tmp;
1334 struct xt_counters *paddc;
1335 unsigned int num_counters;
1340 const struct xt_table_info *private;
1342 void *loc_cpu_entry;
1343 #ifdef CONFIG_COMPAT
1344 struct compat_xt_counters_info compat_tmp;
1348 size = sizeof(struct compat_xt_counters_info);
1353 size = sizeof(struct xt_counters_info);
1356 if (copy_from_user(ptmp, user, size) != 0)
1359 #ifdef CONFIG_COMPAT
1361 num_counters = compat_tmp.num_counters;
1362 name = compat_tmp.name;
1366 num_counters = tmp.num_counters;
1370 if (len != size + num_counters * sizeof(struct xt_counters))
1373 paddc = vmalloc_node(len - size, numa_node_id());
1377 if (copy_from_user(paddc, user + size, len - size) != 0) {
1382 t = xt_find_table_lock(net, AF_INET, name);
1383 if (!t || IS_ERR(t)) {
1384 ret = t ? PTR_ERR(t) : -ENOENT;
1388 write_lock_bh(&t->lock);
1389 private = t->private;
1390 if (private->number != num_counters) {
1392 goto unlock_up_free;
1396 /* Choose the copy that is on our node */
1397 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1398 IPT_ENTRY_ITERATE(loc_cpu_entry,
1400 add_counter_to_entry,
1404 write_unlock_bh(&t->lock);
1413 #ifdef CONFIG_COMPAT
/*
 * Compat layout of the "replace table" request: table name, per-hook
 * entry/underflow offsets as u32, a compat user pointer to the counters
 * buffer, followed by the compat rule entries.
 * NOTE(review): some members are not visible in this view.
 */
1414 struct compat_ipt_replace {
1415 char name[IPT_TABLE_MAXNAMELEN];
1419 u32 hook_entry[NF_INET_NUMHOOKS];
1420 u32 underflow[NF_INET_NUMHOOKS];
1422 compat_uptr_t counters; /* struct ipt_counters * */
1423 struct compat_ipt_entry entries[0];
/*
 * compat_copy_entry_to_user - write one rule to userspace in compat
 * layout.
 * @e:        native rule
 * @dstptr:   in/out cursor into the user buffer
 * @size:     in/out running size; shrinks by the bytes saved in compat
 *            layout
 * @counters: counter snapshot; counters[*i] is written for this rule
 *
 * The entry header is copied first, then the counters, then each match
 * via xt_compat_match_to_user() and the target via
 * xt_compat_target_to_user().  target_offset and next_offset are
 * rewritten in the user copy, reduced by the bytes saved so far
 * (origsize - *size).
 * NOTE(review): the header copy uses sizeof(struct ipt_entry) although
 * the destination is a struct compat_ipt_entry and the cursor then
 * advances by sizeof(struct compat_ipt_entry) -- confirm the two sizes
 * cannot differ, or that the overrun is overwritten.
 * NOTE(review): the index parameter, the origsize initialisation, error
 * codes and return statements are not visible in this view.
 */
1427 compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
1428 unsigned int *size, struct xt_counters *counters,
1431 struct ipt_entry_target *t;
1432 struct compat_ipt_entry __user *ce;
1433 u_int16_t target_offset, next_offset;
1434 compat_uint_t origsize;
1439 ce = (struct compat_ipt_entry __user *)*dstptr;
1440 if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
1443 if (copy_to_user(&ce->counters, &counters[*i], sizeof(counters[*i])))
1446 *dstptr += sizeof(struct compat_ipt_entry);
1447 *size -= sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1449 ret = IPT_MATCH_ITERATE(e, xt_compat_match_to_user, dstptr, size);
1450 target_offset = e->target_offset - (origsize - *size);
1453 t = ipt_get_target(e);
1454 ret = xt_compat_target_to_user(t, dstptr, size);
1458 next_offset = e->next_offset - (origsize - *size);
1459 if (put_user(target_offset, &ce->target_offset))
1461 if (put_user(next_offset, &ce->next_offset))
/*
 * compat_find_calc_match - resolve a match by name and add its
 * native-vs-compat size difference to *size.
 * @m:    match entry as supplied by userspace (name and revision read)
 * @size: running size delta, increased by xt_compat_match_offset()
 *
 * Looks the match up with xt_find_match(), requesting module
 * "ipt_<name>" if needed.  A failed lookup yields PTR_ERR() of the error
 * pointer, or -ENOENT for NULL.  On success the kernel match pointer is
 * stored in the entry.
 * NOTE(review): @ip, @hookmask and @i are not used in the visible lines;
 * the final return is not visible in this view.
 */
1471 compat_find_calc_match(struct ipt_entry_match *m,
1473 const struct ipt_ip *ip,
1474 unsigned int hookmask,
1475 int *size, unsigned int *i)
1477 struct xt_match *match;
1479 match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
1480 m->u.user.revision),
1481 "ipt_%s", m->u.user.name);
1482 if (IS_ERR(match) || !match) {
1483 duprintf("compat_check_calc_match: `%s' not found\n",
1485 return match ? PTR_ERR(match) : -ENOENT;
1487 m->u.kernel.match = match;
1488 *size += xt_compat_match_offset(match);
/*
 * compat_release_match - drop the module reference held for one match.
 * @m: match entry with a resolved kernel match
 * @i: optional countdown; when non-NULL it is decremented on every call
 *     and a value of 0 before the decrement is a stop condition
 *
 * No destroy() call is visible here, unlike in cleanup_match().
 * NOTE(review): the return statements are not visible in this view.
 */
1495 compat_release_match(struct ipt_entry_match *m, unsigned int *i)
1497 if (i && (*i)-- == 0)
1500 module_put(m->u.kernel.match->me);
/*
 * compat_release_entry - drop the module references held by one compat
 * rule.
 * @e: compat rule whose matches and target were resolved
 * @i: optional countdown; when non-NULL it is decremented on every call
 *     and a value of 0 before the decrement is a stop condition
 *
 * Releases every match via compat_release_match(), then the target's
 * module reference.
 * NOTE(review): the return statements are not visible in this view.
 */
1505 compat_release_entry(struct compat_ipt_entry *e, unsigned int *i)
1507 struct ipt_entry_target *t;
1509 if (i && (*i)-- == 0)
1512 /* Cleanup all matches */
1513 COMPAT_IPT_MATCH_ITERATE(e, compat_release_match, NULL);
1514 t = compat_ipt_get_target(e);
1515 module_put(t->u.kernel.target->me);
/*
 * check_compat_entry_size_and_hooks - validate one compat-layout rule,
 * resolve its extensions and record its size delta.
 * @e:            compat rule being checked
 * @newinfo:      table info whose hook_entry[]/underflow[] get filled in
 * @base:         start of the compat rule blob
 * @limit:        first byte past the blob
 * @hook_entries: user-supplied hook entry offsets
 * @underflows:   user-supplied underflow offsets
 *
 * Rejects a misaligned entry, one whose header reaches @limit and one
 * too small for a compat entry header plus compat target header; runs
 * check_entry(); resolves every match with compat_find_calc_match() and
 * the target with xt_find_target() (requesting module "ipt_<name>" if
 * needed); registers the accumulated native-vs-compat delta with
 * xt_compat_add_offset(); records hook entry/underflow offsets; clears
 * the counters.  The tail is the unwind path that drops the target and
 * match module references.
 *
 * NOTE(review): the unwind path iterates the matches with
 * IPT_MATCH_ITERATE() while the forward path and compat_release_entry()
 * use COMPAT_IPT_MATCH_ITERATE() on the same compat entry -- confirm the
 * two macros walk identical offsets for struct compat_ipt_entry.
 * NOTE(review): some parameters, declarations, error tests, labels and
 * return statements are not visible in this view.
 */
1520 check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
1521 struct xt_table_info *newinfo,
1523 unsigned char *base,
1524 unsigned char *limit,
1525 unsigned int *hook_entries,
1526 unsigned int *underflows,
1530 struct ipt_entry_target *t;
1531 struct xt_target *target;
1532 unsigned int entry_offset;
1536 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1537 if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
1538 || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1539 duprintf("Bad offset %p, limit = %p\n", e, limit);
1543 if (e->next_offset < sizeof(struct compat_ipt_entry) +
1544 sizeof(struct compat_xt_entry_target)) {
1545 duprintf("checking: element %p size %u\n",
1550 /* For purposes of check_entry casting the compat entry is fine */
1551 ret = check_entry((struct ipt_entry *)e, name);
1555 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1556 entry_offset = (void *)e - (void *)base;
1558 ret = COMPAT_IPT_MATCH_ITERATE(e, compat_find_calc_match, name,
1559 &e->ip, e->comefrom, &off, &j);
1561 goto release_matches;
1563 t = compat_ipt_get_target(e);
1564 target = try_then_request_module(xt_find_target(AF_INET,
1566 t->u.user.revision),
1567 "ipt_%s", t->u.user.name);
1568 if (IS_ERR(target) || !target) {
1569 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1571 ret = target ? PTR_ERR(target) : -ENOENT;
1572 goto release_matches;
1574 t->u.kernel.target = target;
1576 off += xt_compat_target_offset(target);
1578 ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1582 /* Check hooks & underflows */
1583 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1584 if ((unsigned char *)e - base == hook_entries[h])
1585 newinfo->hook_entry[h] = hook_entries[h];
1586 if ((unsigned char *)e - base == underflows[h])
1587 newinfo->underflow[h] = underflows[h];
1590 /* Clear counters and comefrom */
1591 memset(&e->counters, 0, sizeof(e->counters));
1598 module_put(t->u.kernel.target->me);
1600 IPT_MATCH_ITERATE(e, compat_release_match, &j);
/* Expand one compat entry @e into a native struct ipt_entry at *dstptr.
 *
 * The entry header and counters are copied, *dstptr is advanced past the
 * native header and *size is grown by the header size difference.  Matches
 * are converted through xt_compat_match_from_user() and the target through
 * xt_compat_target_from_user().  target_offset and next_offset of the new
 * entry are the compat values adjusted by (origsize - *size).  Finally,
 * every hook entry / underflow offset in @newinfo that is greater than the
 * new entry's offset from @base is adjusted by the same amount.
 *
 * NOTE(review): the assignment of origsize is not visible in this excerpt
 * (presumably the value of *size on entry - confirm).  `target` is
 * assigned but not used in the visible lines.
 */
1605 compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
1606 unsigned int *size, const char *name,
1607 struct xt_table_info *newinfo, unsigned char *base)
1609 struct ipt_entry_target *t;
1610 struct xt_target *target;
1611 struct ipt_entry *de;
1612 unsigned int origsize;
1617 de = (struct ipt_entry *)*dstptr;
/* Copies sizeof(struct ipt_entry) bytes starting at the compat entry;
 * the counters are then copied again field-to-field. */
1618 memcpy(de, e, sizeof(struct ipt_entry));
1619 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1621 *dstptr += sizeof(struct ipt_entry);
1622 *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1624 ret = COMPAT_IPT_MATCH_ITERATE(e, xt_compat_match_from_user,
1628 de->target_offset = e->target_offset - (origsize - *size);
1629 t = compat_ipt_get_target(e);
1630 target = t->u.kernel.target;
1631 xt_compat_target_from_user(t, dstptr, size);
1633 de->next_offset = e->next_offset - (origsize - *size);
/* Shift hook/underflow offsets that lie beyond this entry. */
1634 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1635 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1636 newinfo->hook_entry[h] -= origsize - *size;
1637 if ((unsigned char *)de - base < newinfo->underflow[h])
1638 newinfo->underflow[h] -= origsize - *size;
/* Run the per-match and per-target checks on a translated (native) entry.
 *
 * check_match() is applied to every match of @e, then check_target() to
 * the entry.  Both failure paths jump to cleanup_matches, where
 * cleanup_match() is applied to the matches with the counter j.
 * Some parameters, the labels and the return statements are not visible
 * in this excerpt.
 */
1644 compat_check_entry(struct ipt_entry *e, const char *name,
1651 ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip,
1654 goto cleanup_matches;
1656 ret = check_target(e, name);
1658 goto cleanup_matches;
1664 IPT_MATCH_ITERATE(e, cleanup_match, &j);
/* Translate a table in compat layout into a newly allocated native table.
 *
 * Phases visible in this excerpt:
 *  1. Under xt_compat_lock(AF_INET), walk the compat entries at entry0
 *     with check_compat_entry_size_and_hooks(), which validates them and
 *     fills info->hook_entry / info->underflow.
 *  2. Verify that every hook selected in @valid_hooks received a hook
 *     entry and an underflow (0xFFFFFFFF marks "unassigned").
 *  3. Allocate newinfo with xt_alloc_table_info(size), copy the hook data
 *     into it and expand every entry into this CPU's copy (entry1) with
 *     compat_copy_entry_from_user(); then flush the compat offsets and
 *     drop the compat lock.
 *  4. Run mark_source_chains() and compat_check_entry() on the translated
 *     entries.
 *  5. Copy entry1 into every other CPU's entries buffer and free the old
 *     info.
 * The error paths release entries, free newinfo and flush/unlock the
 * compat state.  Labels, return statements and the assignments of info,
 * entry0, size, pos and j are not visible in this excerpt.
 */
1669 translate_compat_table(const char *name,
1670 unsigned int valid_hooks,
1671 struct xt_table_info **pinfo,
1673 unsigned int total_size,
1674 unsigned int number,
1675 unsigned int *hook_entries,
1676 unsigned int *underflows)
1679 struct xt_table_info *newinfo, *info;
1680 void *pos, *entry0, *entry1;
1687 info->number = number;
1689 /* Init all hooks to impossible value. */
1690 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1691 info->hook_entry[i] = 0xFFFFFFFF;
1692 info->underflow[i] = 0xFFFFFFFF;
1695 duprintf("translate_compat_table: size %u\n", info->size);
1697 xt_compat_lock(AF_INET);
1698 /* Walk through entries, checking offsets. */
1699 ret = COMPAT_IPT_ENTRY_ITERATE(entry0, total_size,
1700 check_compat_entry_size_and_hooks,
1701 info, &size, entry0,
1702 entry0 + total_size,
1703 hook_entries, underflows, &j, name);
1709 duprintf("translate_compat_table: %u not %u entries\n",
1714 /* Check hooks all assigned */
1715 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1716 /* Only hooks which are valid */
1717 if (!(valid_hooks & (1 << i)))
1719 if (info->hook_entry[i] == 0xFFFFFFFF) {
1720 duprintf("Invalid hook entry %u %u\n",
1721 i, hook_entries[i]);
1724 if (info->underflow[i] == 0xFFFFFFFF) {
1725 duprintf("Invalid underflow %u %u\n",
/* Allocate the native-layout table and seed it from the validated info. */
1732 newinfo = xt_alloc_table_info(size);
1736 newinfo->number = number;
1737 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1738 newinfo->hook_entry[i] = info->hook_entry[i];
1739 newinfo->underflow[i] = info->underflow[i];
1741 entry1 = newinfo->entries[raw_smp_processor_id()];
1744 ret = COMPAT_IPT_ENTRY_ITERATE(entry0, total_size,
1745 compat_copy_entry_from_user,
1746 &pos, &size, name, newinfo, entry1);
1747 xt_compat_flush_offsets(AF_INET);
1748 xt_compat_unlock(AF_INET);
1753 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1757 ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
/* NOTE(review): this walk over the compat buffer entry0 is bounded by
 * newinfo->size, whereas the other walks over entry0 use total_size.
 * Confirm which bound is intended. */
1761 COMPAT_IPT_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i,
1762 compat_release_entry, &j);
1763 IPT_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i);
1764 xt_free_table_info(newinfo);
1768 /* And one copy for every other CPU */
1769 for_each_possible_cpu(i)
1770 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1771 memcpy(newinfo->entries[i], entry1, newinfo->size);
1775 xt_free_table_info(info);
1779 xt_free_table_info(newinfo);
1781 COMPAT_IPT_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j);
1784 xt_compat_flush_offsets(AF_INET);
1785 xt_compat_unlock(AF_INET);
/* Handle a table replace request that arrives in compat layout.
 *
 * Copies the struct compat_ipt_replace header from @user, rejects sizes
 * and counter counts that fail the INT_MAX-based checks below, allocates
 * a table of tmp.size bytes, copies the entries that follow the header in
 * user memory into this CPU's buffer, translates them with
 * translate_compat_table() and hands the result to __do_replace().
 * On a __do_replace() failure the translated entries are cleaned up and
 * the table info is freed.  Return statements and error codes are not
 * visible in this excerpt.
 *
 * NOTE(review): no NUL-termination of tmp.name and no check of @len are
 * visible here before they are used - confirm against the full function.
 */
1790 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1793 struct compat_ipt_replace tmp;
1794 struct xt_table_info *newinfo;
1795 void *loc_cpu_entry;
1797 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1800 /* overflow check */
1801 if (tmp.size >= INT_MAX / num_possible_cpus())
1803 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1806 newinfo = xt_alloc_table_info(tmp.size);
1810 /* choose the copy that is on our node/cpu */
1811 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1812 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
/* newinfo and loc_cpu_entry are passed by address to the translation. */
1818 ret = translate_compat_table(tmp.name, tmp.valid_hooks,
1819 &newinfo, &loc_cpu_entry, tmp.size,
1820 tmp.num_entries, tmp.hook_entry,
1825 duprintf("compat_do_replace: Translated table\n");
1827 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1828 tmp.num_counters, compat_ptr(tmp.counters));
1830 goto free_newinfo_untrans;
1833 free_newinfo_untrans:
1834 IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1836 xt_free_table_info(newinfo);
/* Compat setsockopt handler (installed as .compat_set in ipt_sockopts).
 *
 * Checks CAP_NET_ADMIN, then dispatches on @cmd:
 *   IPT_SO_SET_REPLACE      -> compat_do_replace()
 *   IPT_SO_SET_ADD_COUNTERS -> do_add_counters() with last argument 1
 *                              (do_ipt_set_ctl passes 0; presumably a
 *                              compat flag - confirm)
 * Any other command reaches the "unknown request" debug message.
 * The returned error codes are not visible in this excerpt.
 * NOTE(review): the debug message names "do_ipt_set_ctl", not this
 * function.
 */
1841 compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
1846 if (!capable(CAP_NET_ADMIN))
1850 case IPT_SO_SET_REPLACE:
1851 ret = compat_do_replace(sock_net(sk), user, len);
1854 case IPT_SO_SET_ADD_COUNTERS:
1855 ret = do_add_counters(sock_net(sk), user, len, 1);
1859 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
/* Compat layout of the "get entries" request: a table name followed by a
 * variable-length array of compat entries.  compat_get_entries() also
 * reads a `size` member, whose declaration is not visible in this
 * excerpt. */
1866 struct compat_ipt_get_entries {
1867 char name[IPT_TABLE_MAXNAMELEN];
/* Zero-length trailing array: the entries follow the header in memory. */
1869 struct compat_ipt_entry entrytable[0];
/* Copy a table's entries to user space in compat layout.
 *
 * A counters snapshot is obtained from alloc_counters(table); an error
 * pointer from it is returned as PTR_ERR().  The entries of the current
 * CPU's copy are then walked over @total_size bytes with
 * compat_copy_entry_to_user(), passing the running destination (pos),
 * the remaining size and the counters.
 * The initialisation of pos, size and i, the release of the counters and
 * the return statement are not visible in this excerpt.
 */
1873 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1874 void __user *userptr)
1876 struct xt_counters *counters;
1877 const struct xt_table_info *private = table->private;
1881 const void *loc_cpu_entry;
1884 counters = alloc_counters(table);
1885 if (IS_ERR(counters))
1886 return PTR_ERR(counters);
1888 /* choose the copy that is on our node/cpu, ...
1889 * This choice is lazy (because current thread is
1890 * allowed to migrate to another cpu)
1892 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1895 ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
1896 compat_copy_entry_to_user,
1897 &pos, &size, counters, &i);
/* Serve a compat "get entries" request.
 *
 * *len must be at least sizeof(get) and, after the header has been copied
 * from @uptr, exactly sizeof(struct compat_ipt_get_entries) + get.size.
 * With the compat lock held, the table named get.name is looked up; if
 * found, its compat size is computed by compat_table_info() and, when it
 * equals get.size, the entries are copied out to uptr->entrytable.
 * When the lookup fails, ret becomes PTR_ERR(t), or -ENOENT for NULL.
 * The error codes of the other failure paths, the table unlock and the
 * final return are not visible in this excerpt.
 *
 * NOTE(review): no NUL-termination of get.name is visible before it is
 * passed to xt_find_table_lock() - confirm against the full function.
 */
1904 compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
1908 struct compat_ipt_get_entries get;
1911 if (*len < sizeof(get)) {
1912 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1916 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1919 if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
1920 duprintf("compat_get_entries: %u != %zu\n",
1921 *len, sizeof(get) + get.size);
1925 xt_compat_lock(AF_INET);
1926 t = xt_find_table_lock(net, AF_INET, get.name);
1927 if (t && !IS_ERR(t)) {
1928 const struct xt_table_info *private = t->private;
1929 struct xt_table_info info;
1930 duprintf("t->private->number = %u\n", private->number);
1931 ret = compat_table_info(private, &info);
/* The caller's buffer size must match the compat size exactly. */
1932 if (!ret && get.size == info.size) {
1933 ret = compat_copy_entries_to_user(private->size,
1934 t, uptr->entrytable);
1936 duprintf("compat_get_entries: I've got %u not %u!\n",
1937 private->size, get.size);
1940 xt_compat_flush_offsets(AF_INET);
1944 ret = t ? PTR_ERR(t) : -ENOENT;
1946 xt_compat_unlock(AF_INET);
/* Forward declaration: compat_do_ipt_get_ctl() below calls
 * do_ipt_get_ctl(), which is defined later in the file. */
1950 static int do_ipt_get_ctl(struct sock *, int, void __user *, int *);
/* Compat getsockopt handler (installed as .compat_get in ipt_sockopts).
 *
 * Checks CAP_NET_ADMIN, then dispatches on @cmd:
 *   IPT_SO_GET_INFO    -> get_info() with last argument 1
 *   IPT_SO_GET_ENTRIES -> compat_get_entries()
 * and otherwise hands the request to do_ipt_get_ctl().
 * The error code of the capability failure and the final return are not
 * visible in this excerpt.
 */
1953 compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1957 if (!capable(CAP_NET_ADMIN))
1961 case IPT_SO_GET_INFO:
1962 ret = get_info(sock_net(sk), user, len, 1);
1964 case IPT_SO_GET_ENTRIES:
1965 ret = compat_get_entries(sock_net(sk), user, len);
1968 ret = do_ipt_get_ctl(sk, cmd, user, len);
/* Native setsockopt handler (installed as .set in ipt_sockopts).
 *
 * Checks CAP_NET_ADMIN, then dispatches on @cmd:
 *   IPT_SO_SET_REPLACE      -> do_replace()
 *   IPT_SO_SET_ADD_COUNTERS -> do_add_counters() with last argument 0
 * Any other command reaches the "unknown request" debug message.
 * The returned error codes are not visible in this excerpt.
 */
1975 do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1979 if (!capable(CAP_NET_ADMIN))
1983 case IPT_SO_SET_REPLACE:
1984 ret = do_replace(sock_net(sk), user, len);
1987 case IPT_SO_SET_ADD_COUNTERS:
1988 ret = do_add_counters(sock_net(sk), user, len, 0);
1992 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
/* Native getsockopt handler (installed as .get in ipt_sockopts).
 *
 * Checks CAP_NET_ADMIN, then dispatches on @cmd:
 *   IPT_SO_GET_INFO    -> get_info() with last argument 0
 *   IPT_SO_GET_ENTRIES -> get_entries()
 *   IPT_SO_GET_REVISION_MATCH / IPT_SO_GET_REVISION_TARGET ->
 *       *len must equal sizeof(struct ipt_get_revision); the request is
 *       copied from @user and resolved through xt_find_revision() inside
 *       try_then_request_module(), with "ipt_%s" as module name pattern.
 * Any other command reaches the "unknown request" debug message.
 * Error codes and several statements of the revision branch are not
 * visible in this excerpt.
 *
 * NOTE(review): no NUL-termination of rev.name is visible before it is
 * used as a lookup key and in the module name - confirm against the full
 * function.
 */
2000 do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2004 if (!capable(CAP_NET_ADMIN))
2008 case IPT_SO_GET_INFO:
2009 ret = get_info(sock_net(sk), user, len, 0);
2012 case IPT_SO_GET_ENTRIES:
2013 ret = get_entries(sock_net(sk), user, len);
2016 case IPT_SO_GET_REVISION_MATCH:
2017 case IPT_SO_GET_REVISION_TARGET: {
2018 struct ipt_get_revision rev;
2021 if (*len != sizeof(rev)) {
2025 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2030 if (cmd == IPT_SO_GET_REVISION_TARGET)
2035 try_then_request_module(xt_find_revision(AF_INET, rev.name,
2038 "ipt_%s", rev.name);
2043 duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
/* Register @table in @net with the initial ruleset described by @repl.
 *
 * Allocates table info of repl->size bytes, copies repl->entries into the
 * current CPU's buffer, validates it with translate_table() and registers
 * the table through xt_register_table(), passing a zero-initialised
 * `bootstrap` info alongside the new one.
 * On failure the new table info is freed and ERR_PTR(ret) is returned.
 * The success return and the individual error branches are not visible in
 * this excerpt.
 */
2050 struct xt_table *ipt_register_table(struct net *net, struct xt_table *table,
2051 const struct ipt_replace *repl)
2054 struct xt_table_info *newinfo;
2055 struct xt_table_info bootstrap
2056 = { 0, 0, 0, { 0 }, { 0 }, { } };
2057 void *loc_cpu_entry;
2058 struct xt_table *new_table;
2060 newinfo = xt_alloc_table_info(repl->size);
2066 /* choose the copy on our node/cpu, but don't care about preemption */
2067 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2068 memcpy(loc_cpu_entry, repl->entries, repl->size);
2070 ret = translate_table(table->name, table->valid_hooks,
2071 newinfo, loc_cpu_entry, repl->size,
2078 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2079 if (IS_ERR(new_table)) {
2080 ret = PTR_ERR(new_table);
/* Failure path: release the table info allocated above. */
2087 xt_free_table_info(newinfo);
2089 return ERR_PTR(ret);
/* Unregister @table and release everything its ruleset holds.
 *
 * The owning module pointer is read from @table before
 * xt_unregister_table() is called (presumably because @table must not be
 * touched afterwards - confirm).  cleanup_entry() is then run over the
 * current CPU's copy of the entries, the owner's module reference is
 * dropped when the table holds more entries than its initial set, and the
 * table info is freed.
 */
2092 void ipt_unregister_table(struct xt_table *table)
2094 struct xt_table_info *private;
2095 void *loc_cpu_entry;
2096 struct module *table_owner = table->me;
2098 private = xt_unregister_table(table);
2100 /* Decrease module usage counts and free resources */
2101 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2102 IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
2103 if (private->number > private->initial_entries)
2104 module_put(table_owner);
2105 xt_free_table_info(private);
2108 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
/* A @test_type of 0xFF matches any type; otherwise @type must equal
 * @test_type and @code must lie in [@min_code, @max_code] (inclusive).
 * The last parameter and the tail of the return expression are not
 * visible in this excerpt; icmp_match() passes an inversion flag as the
 * final argument. */
2110 icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2111 u_int8_t type, u_int8_t code,
2114 return ((test_type == 0xFF) ||
2115 (type == test_type && code >= min_code && code <= max_code))
/* Match callback of the built-in ICMP match (see icmp_matchstruct).
 *
 * Fragments with a non-zero offset are handled first (the outcome is not
 * visible in this excerpt).  The ICMP header is then fetched at
 * par->thoff with skb_header_pointer(), using _icmph as the local buffer.
 * On the path described by the "can't examine" comment below,
 * *par->hotdrop is set to true.  Otherwise the result comes from
 * icmp_type_code_match(), called with the rule's type and with the
 * IPT_ICMP_INV bit of invflags normalised to 0/1 as the last argument.
 */
2120 icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
2122 const struct icmphdr *ic;
2123 struct icmphdr _icmph;
2124 const struct ipt_icmp *icmpinfo = par->matchinfo;
2126 /* Must not be a fragment. */
2127 if (par->fragoff != 0)
2130 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2132 /* We've been asked to examine this packet, and we
2133 * can't. Hence, no choice but to drop.
2135 duprintf("Dropping evil ICMP tinygram.\n");
2136 *par->hotdrop = true;
2140 return icmp_type_code_match(icmpinfo->type,
2144 !!(icmpinfo->invflags&IPT_ICMP_INV));
2147 /* Called when user tries to insert an entry of this type. */
/* Accepts the rule only when invflags contains no bit other than
 * IPT_ICMP_INV: the return value is non-zero when the flags are valid and
 * 0 otherwise.  Of the visible parameters, only the match data (through
 * icmpinfo) is used in the visible lines. */
2149 icmp_checkentry(const char *tablename,
2151 const struct xt_match *match,
2153 unsigned int hook_mask)
2155 const struct ipt_icmp *icmpinfo = matchinfo;
2157 /* Must specify no unknown invflags */
2158 return !(icmpinfo->invflags & ~IPT_ICMP_INV);
2161 /* The built-in targets: standard (NULL) and error. */
/* Standard target: its payload is a single int (targetsize).  Under
 * CONFIG_COMPAT the payload is a compat_int_t and is converted by the
 * compat_standard_from_user / compat_standard_to_user helpers. */
2162 static struct xt_target ipt_standard_target __read_mostly = {
2163 .name = IPT_STANDARD_TARGET,
2164 .targetsize = sizeof(int),
2166 #ifdef CONFIG_COMPAT
2167 .compatsize = sizeof(compat_int_t),
2168 .compat_from_user = compat_standard_from_user,
2169 .compat_to_user = compat_standard_to_user,
/* Error target: handled by ipt_error(); its payload is a buffer of
 * IPT_FUNCTION_MAXNAMELEN bytes. */
2173 static struct xt_target ipt_error_target __read_mostly = {
2174 .name = IPT_ERROR_TARGET,
2175 .target = ipt_error,
2176 .targetsize = IPT_FUNCTION_MAXNAMELEN,
/* Socket option registration for ip_tables.
 *
 * Both the set and the get range start at IPT_BASE_CTL; the upper bounds
 * are IPT_SO_SET_MAX+1 and IPT_SO_GET_MAX+1 (presumably exclusive bounds -
 * confirm against the nf_sockopt_ops definition).  The native handlers
 * are do_ipt_set_ctl / do_ipt_get_ctl; under CONFIG_COMPAT the compat_*
 * handlers are installed as well.
 */
2180 static struct nf_sockopt_ops ipt_sockopts = {
2182 .set_optmin = IPT_BASE_CTL,
2183 .set_optmax = IPT_SO_SET_MAX+1,
2184 .set = do_ipt_set_ctl,
2185 #ifdef CONFIG_COMPAT
2186 .compat_set = compat_do_ipt_set_ctl,
2188 .get_optmin = IPT_BASE_CTL,
2189 .get_optmax = IPT_SO_GET_MAX+1,
2190 .get = do_ipt_get_ctl,
2191 #ifdef CONFIG_COMPAT
2192 .compat_get = compat_do_ipt_get_ctl,
2194 .owner = THIS_MODULE,
/* Built-in ICMP match: restricted to IPPROTO_ICMP, carries a struct
 * ipt_icmp as match data, is validated by icmp_checkentry() and evaluated
 * by icmp_match().  The .name initialiser is not visible in this
 * excerpt. */
2197 static struct xt_match icmp_matchstruct __read_mostly = {
2199 .match = icmp_match,
2200 .matchsize = sizeof(struct ipt_icmp),
2201 .checkentry = icmp_checkentry,
2202 .proto = IPPROTO_ICMP,
/* Per-namespace init hook: calls xt_proto_init() for AF_INET in @net and
 * returns its result. */
2206 static int __net_init ip_tables_net_init(struct net *net)
2208 return xt_proto_init(net, AF_INET);
/* Per-namespace exit hook: calls xt_proto_fini() for AF_INET in @net,
 * the counterpart of ip_tables_net_init(). */
2211 static void __net_exit ip_tables_net_exit(struct net *net)
2213 xt_proto_fini(net, AF_INET);
/* Per-network-namespace operations, registered in ip_tables_init() and
 * unregistered in ip_tables_fini(). */
2216 static struct pernet_operations ip_tables_net_ops = {
2217 .init = ip_tables_net_init,
2218 .exit = ip_tables_net_exit,
/* Module init.
 *
 * Registers, in order: the per-namespace operations, the standard target,
 * the error target, the ICMP match and the socket options.  The trailing
 * unregister calls run in the reverse order of registration (match, error
 * target, standard target, pernet ops); they presumably form the goto
 * unwinding ladder for a failure at each stage, but the error checks,
 * labels and return statements are not visible in this excerpt.
 */
2221 static int __init ip_tables_init(void)
2225 ret = register_pernet_subsys(&ip_tables_net_ops);
2229 /* No one else will be downing sem now, so we won't sleep */
2230 ret = xt_register_target(&ipt_standard_target);
2233 ret = xt_register_target(&ipt_error_target);
2236 ret = xt_register_match(&icmp_matchstruct);
2240 /* Register setsockopt */
2241 ret = nf_register_sockopt(&ipt_sockopts);
2245 printk(KERN_INFO "ip_tables: (C) 2000-2006 Netfilter Core Team\n");
/* Unwinding, in reverse order of registration. */
2249 xt_unregister_match(&icmp_matchstruct);
2251 xt_unregister_target(&ipt_error_target);
2253 xt_unregister_target(&ipt_standard_target);
2255 unregister_pernet_subsys(&ip_tables_net_ops);
/* Module exit: undoes ip_tables_init() in reverse order - socket options
 * first, then the ICMP match, the error and standard targets, and finally
 * the per-namespace operations. */
2260 static void __exit ip_tables_fini(void)
2262 nf_unregister_sockopt(&ipt_sockopts);
2264 xt_unregister_match(&icmp_matchstruct);
2265 xt_unregister_target(&ipt_error_target);
2266 xt_unregister_target(&ipt_standard_target);
2268 unregister_pernet_subsys(&ip_tables_net_ops);
/* Symbols exported to other kernel modules, followed by the module
 * entry and exit hooks. */
2271 EXPORT_SYMBOL(ipt_register_table);
2272 EXPORT_SYMBOL(ipt_unregister_table);
2273 EXPORT_SYMBOL(ipt_do_table);
2274 module_init(ip_tables_init);
2275 module_exit(ip_tables_fini);