2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * 19 Jan 2002 Harald Welte <laforge@gnumonks.org>
12 * - increase module usage count as soon as we have rules inside
14 * 06 Jun 2002 Andras Kis-Szabo <kisza@sch.bme.hu>
15 * - new extension header parser code
16 * 15 Oct 2005 Harald Welte <laforge@netfilter.org>
17 * - Unification of {ip,ip6}_tables into x_tables
18 * - Removed tcp and udp code, since it's not ipv6 specific
21 #include <linux/capability.h>
23 #include <linux/skbuff.h>
24 #include <linux/kmod.h>
25 #include <linux/vmalloc.h>
26 #include <linux/netdevice.h>
27 #include <linux/module.h>
28 #include <linux/poison.h>
29 #include <linux/icmpv6.h>
31 #include <asm/uaccess.h>
32 #include <linux/mutex.h>
33 #include <linux/proc_fs.h>
34 #include <linux/cpumask.h>
36 #include <linux/netfilter_ipv6/ip6_tables.h>
37 #include <linux/netfilter/x_tables.h>
39 MODULE_LICENSE("GPL");
40 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
41 MODULE_DESCRIPTION("IPv6 packet filter");
43 #define IPV6_HDR_LEN (sizeof(struct ipv6hdr))
44 #define IPV6_OPTHDR_LEN (sizeof(struct ipv6_opt_hdr))
46 /*#define DEBUG_IP_FIREWALL*/
47 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
48 /*#define DEBUG_IP_FIREWALL_USER*/
50 #ifdef DEBUG_IP_FIREWALL
51 #define dprintf(format, args...) printk(format , ## args)
53 #define dprintf(format, args...)
56 #ifdef DEBUG_IP_FIREWALL_USER
57 #define duprintf(format, args...) printk(format , ## args)
59 #define duprintf(format, args...)
62 #ifdef CONFIG_NETFILTER_DEBUG
63 #define IP_NF_ASSERT(x) \
66 printk("IP_NF_ASSERT: %s:%s:%u\n", \
67 __FUNCTION__, __FILE__, __LINE__); \
70 #define IP_NF_ASSERT(x)
74 /* All the better to debug you with... */
80 We keep a set of rules for each CPU, so we can avoid write-locking
81 them in the softirq when updating the counters and therefore
82 only need to read-lock in the softirq; doing a write_lock_bh() in user
83 context stops packets coming through and allows user context to read
84 the counters or update the rules.
86 Hence the start of any table is given by get_table() below. */
89 #define down(x) do { printk("DOWN:%u:" #x "\n", __LINE__); down(x); } while(0)
90 #define down_interruptible(x) ({ int __r; printk("DOWNi:%u:" #x "\n", __LINE__); __r = down_interruptible(x); if (__r != 0) printk("ABORT-DOWNi:%u\n", __LINE__); __r; })
91 #define up(x) do { printk("UP:%u:" #x "\n", __LINE__); up(x); } while(0)
94 /* Check for an extension */
96 ip6t_ext_hdr(u8 nexthdr)
98 return ( (nexthdr == IPPROTO_HOPOPTS) ||
99 (nexthdr == IPPROTO_ROUTING) ||
100 (nexthdr == IPPROTO_FRAGMENT) ||
101 (nexthdr == IPPROTO_ESP) ||
102 (nexthdr == IPPROTO_AH) ||
103 (nexthdr == IPPROTO_NONE) ||
104 (nexthdr == IPPROTO_DSTOPTS) );
107 /* Returns whether matches rule or not. */
109 ip6_packet_match(const struct sk_buff *skb,
112 const struct ip6t_ip6 *ip6info,
113 unsigned int *protoff,
114 int *fragoff, int *hotdrop)
118 const struct ipv6hdr *ipv6 = skb->nh.ipv6h;
120 #define FWINV(bool,invflg) ((bool) ^ !!(ip6info->invflags & invflg))
122 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
123 &ip6info->src), IP6T_INV_SRCIP)
124 || FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
125 &ip6info->dst), IP6T_INV_DSTIP)) {
126 dprintf("Source or dest mismatch.\n");
128 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
129 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
130 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
131 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
132 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
133 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
137 /* Look for ifname matches; this should unroll nicely. */
138 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
139 ret |= (((const unsigned long *)indev)[i]
140 ^ ((const unsigned long *)ip6info->iniface)[i])
141 & ((const unsigned long *)ip6info->iniface_mask)[i];
144 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
145 dprintf("VIA in mismatch (%s vs %s).%s\n",
146 indev, ip6info->iniface,
147 ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
151 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
152 ret |= (((const unsigned long *)outdev)[i]
153 ^ ((const unsigned long *)ip6info->outiface)[i])
154 & ((const unsigned long *)ip6info->outiface_mask)[i];
157 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
158 dprintf("VIA out mismatch (%s vs %s).%s\n",
159 outdev, ip6info->outiface,
160 ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
164 /* ... might want to do something with class and flowlabel here ... */
166 /* look for the desired protocol header */
167 if((ip6info->flags & IP6T_F_PROTO)) {
169 unsigned short _frag_off;
171 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
177 *fragoff = _frag_off;
179 dprintf("Packet protocol %hi ?= %s%hi.\n",
181 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
184 if (ip6info->proto == protohdr) {
185 if(ip6info->invflags & IP6T_INV_PROTO) {
191 /* We need match for the '-p all', too! */
192 if ((ip6info->proto != 0) &&
193 !(ip6info->invflags & IP6T_INV_PROTO))
199 /* should be ip6 safe */
201 ip6_checkentry(const struct ip6t_ip6 *ipv6)
203 if (ipv6->flags & ~IP6T_F_MASK) {
204 duprintf("Unknown flag bits set: %08X\n",
205 ipv6->flags & ~IP6T_F_MASK);
208 if (ipv6->invflags & ~IP6T_INV_MASK) {
209 duprintf("Unknown invflag bits set: %08X\n",
210 ipv6->invflags & ~IP6T_INV_MASK);
217 ip6t_error(struct sk_buff **pskb,
218 const struct net_device *in,
219 const struct net_device *out,
220 unsigned int hooknum,
221 const struct xt_target *target,
222 const void *targinfo)
225 printk("ip6_tables: error: `%s'\n", (char *)targinfo);
231 int do_match(struct ip6t_entry_match *m,
232 const struct sk_buff *skb,
233 const struct net_device *in,
234 const struct net_device *out,
236 unsigned int protoff,
239 /* Stop iteration if it doesn't match */
240 if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
241 offset, protoff, hotdrop))
247 static inline struct ip6t_entry *
248 get_entry(void *base, unsigned int offset)
250 return (struct ip6t_entry *)(base + offset);
253 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
255 ip6t_do_table(struct sk_buff **pskb,
257 const struct net_device *in,
258 const struct net_device *out,
259 struct xt_table *table)
261 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
263 unsigned int protoff = 0;
265 /* Initializing verdict to NF_DROP keeps gcc happy. */
266 unsigned int verdict = NF_DROP;
267 const char *indev, *outdev;
269 struct ip6t_entry *e, *back;
270 struct xt_table_info *private;
273 indev = in ? in->name : nulldevname;
274 outdev = out ? out->name : nulldevname;
275 /* We handle fragments by dealing with the first fragment as
276 * if it was a normal packet. All other fragments are treated
277 * normally, except that they will NEVER match rules that ask
278 * things we don't know, ie. tcp syn flag or ports). If the
279 * rule is also a fragment-specific rule, non-fragments won't
282 read_lock_bh(&table->lock);
283 private = table->private;
284 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
285 table_base = (void *)private->entries[smp_processor_id()];
286 e = get_entry(table_base, private->hook_entry[hook]);
288 /* For return from builtin chain */
289 back = get_entry(table_base, private->underflow[hook]);
294 if (ip6_packet_match(*pskb, indev, outdev, &e->ipv6,
295 &protoff, &offset, &hotdrop)) {
296 struct ip6t_entry_target *t;
298 if (IP6T_MATCH_ITERATE(e, do_match,
300 offset, protoff, &hotdrop) != 0)
303 ADD_COUNTER(e->counters,
304 ntohs((*pskb)->nh.ipv6h->payload_len)
308 t = ip6t_get_target(e);
309 IP_NF_ASSERT(t->u.kernel.target);
310 /* Standard target? */
311 if (!t->u.kernel.target->target) {
314 v = ((struct ip6t_standard_target *)t)->verdict;
316 /* Pop from stack? */
317 if (v != IP6T_RETURN) {
318 verdict = (unsigned)(-v) - 1;
322 back = get_entry(table_base,
326 if (table_base + v != (void *)e + e->next_offset
327 && !(e->ipv6.flags & IP6T_F_GOTO)) {
328 /* Save old back ptr in next entry */
329 struct ip6t_entry *next
330 = (void *)e + e->next_offset;
332 = (void *)back - table_base;
333 /* set back pointer to next entry */
337 e = get_entry(table_base, v);
339 /* Targets which reenter must return
341 #ifdef CONFIG_NETFILTER_DEBUG
342 ((struct ip6t_entry *)table_base)->comefrom
345 verdict = t->u.kernel.target->target(pskb,
351 #ifdef CONFIG_NETFILTER_DEBUG
352 if (((struct ip6t_entry *)table_base)->comefrom
354 && verdict == IP6T_CONTINUE) {
355 printk("Target %s reentered!\n",
356 t->u.kernel.target->name);
359 ((struct ip6t_entry *)table_base)->comefrom
362 if (verdict == IP6T_CONTINUE)
363 e = (void *)e + e->next_offset;
371 e = (void *)e + e->next_offset;
375 #ifdef CONFIG_NETFILTER_DEBUG
376 ((struct ip6t_entry *)table_base)->comefrom = NETFILTER_LINK_POISON;
378 read_unlock_bh(&table->lock);
380 #ifdef DEBUG_ALLOW_ALL
389 /* All zeroes == unconditional rule. */
391 unconditional(const struct ip6t_ip6 *ipv6)
395 for (i = 0; i < sizeof(*ipv6); i++)
396 if (((char *)ipv6)[i])
399 return (i == sizeof(*ipv6));
402 /* Figures out from what hook each rule can be called: returns 0 if
403 there are loops. Puts hook bitmask in comefrom. */
405 mark_source_chains(struct xt_table_info *newinfo,
406 unsigned int valid_hooks, void *entry0)
410 /* No recursion; use packet counter to save back ptrs (reset
411 to 0 as we leave), and comefrom to save source hook bitmask */
412 for (hook = 0; hook < NF_IP6_NUMHOOKS; hook++) {
413 unsigned int pos = newinfo->hook_entry[hook];
415 = (struct ip6t_entry *)(entry0 + pos);
417 if (!(valid_hooks & (1 << hook)))
420 /* Set initial back pointer. */
421 e->counters.pcnt = pos;
424 struct ip6t_standard_target *t
425 = (void *)ip6t_get_target(e);
427 if (e->comefrom & (1 << NF_IP6_NUMHOOKS)) {
428 printk("iptables: loop hook %u pos %u %08X.\n",
429 hook, pos, e->comefrom);
433 |= ((1 << hook) | (1 << NF_IP6_NUMHOOKS));
435 /* Unconditional return/END. */
436 if (e->target_offset == sizeof(struct ip6t_entry)
437 && (strcmp(t->target.u.user.name,
438 IP6T_STANDARD_TARGET) == 0)
440 && unconditional(&e->ipv6)) {
441 unsigned int oldpos, size;
443 /* Return: backtrack through the last
446 e->comefrom ^= (1<<NF_IP6_NUMHOOKS);
447 #ifdef DEBUG_IP_FIREWALL_USER
449 & (1 << NF_IP6_NUMHOOKS)) {
450 duprintf("Back unset "
457 pos = e->counters.pcnt;
458 e->counters.pcnt = 0;
460 /* We're at the start. */
464 e = (struct ip6t_entry *)
466 } while (oldpos == pos + e->next_offset);
469 size = e->next_offset;
470 e = (struct ip6t_entry *)
471 (entry0 + pos + size);
472 e->counters.pcnt = pos;
475 int newpos = t->verdict;
477 if (strcmp(t->target.u.user.name,
478 IP6T_STANDARD_TARGET) == 0
480 /* This a jump; chase it. */
481 duprintf("Jump rule %u -> %u\n",
484 /* ... this is a fallthru */
485 newpos = pos + e->next_offset;
487 e = (struct ip6t_entry *)
489 e->counters.pcnt = pos;
494 duprintf("Finished chain %u\n", hook);
500 cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
502 if (i && (*i)-- == 0)
505 if (m->u.kernel.match->destroy)
506 m->u.kernel.match->destroy(m->u.kernel.match, m->data);
507 module_put(m->u.kernel.match->me);
512 standard_check(const struct ip6t_entry_target *t,
513 unsigned int max_offset)
515 struct ip6t_standard_target *targ = (void *)t;
517 /* Check standard info. */
518 if (targ->verdict >= 0
519 && targ->verdict > max_offset - sizeof(struct ip6t_entry)) {
520 duprintf("ip6t_standard_check: bad verdict (%i)\n",
524 if (targ->verdict < -NF_MAX_VERDICT - 1) {
525 duprintf("ip6t_standard_check: bad negative verdict (%i)\n",
533 check_match(struct ip6t_entry_match *m,
535 const struct ip6t_ip6 *ipv6,
536 unsigned int hookmask,
539 struct ip6t_match *match;
542 match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
544 "ip6t_%s", m->u.user.name);
545 if (IS_ERR(match) || !match) {
546 duprintf("check_match: `%s' not found\n", m->u.user.name);
547 return match ? PTR_ERR(match) : -ENOENT;
549 m->u.kernel.match = match;
551 ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
552 name, hookmask, ipv6->proto,
553 ipv6->invflags & IP6T_INV_PROTO);
557 if (m->u.kernel.match->checkentry
558 && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
560 duprintf("ip_tables: check failed for `%s'.\n",
561 m->u.kernel.match->name);
569 module_put(m->u.kernel.match->me);
573 static struct ip6t_target ip6t_standard_target;
576 check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
579 struct ip6t_entry_target *t;
580 struct ip6t_target *target;
584 if (!ip6_checkentry(&e->ipv6)) {
585 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
590 ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6, e->comefrom, &j);
592 goto cleanup_matches;
594 t = ip6t_get_target(e);
595 target = try_then_request_module(xt_find_target(AF_INET6,
598 "ip6t_%s", t->u.user.name);
599 if (IS_ERR(target) || !target) {
600 duprintf("check_entry: `%s' not found\n", t->u.user.name);
601 ret = target ? PTR_ERR(target) : -ENOENT;
602 goto cleanup_matches;
604 t->u.kernel.target = target;
606 ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
607 name, e->comefrom, e->ipv6.proto,
608 e->ipv6.invflags & IP6T_INV_PROTO);
612 if (t->u.kernel.target == &ip6t_standard_target) {
613 if (!standard_check(t, size)) {
617 } else if (t->u.kernel.target->checkentry
618 && !t->u.kernel.target->checkentry(name, e, target, t->data,
620 duprintf("ip_tables: check failed for `%s'.\n",
621 t->u.kernel.target->name);
629 module_put(t->u.kernel.target->me);
631 IP6T_MATCH_ITERATE(e, cleanup_match, &j);
636 check_entry_size_and_hooks(struct ip6t_entry *e,
637 struct xt_table_info *newinfo,
639 unsigned char *limit,
640 const unsigned int *hook_entries,
641 const unsigned int *underflows,
646 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0
647 || (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
648 duprintf("Bad offset %p\n", e);
653 < sizeof(struct ip6t_entry) + sizeof(struct ip6t_entry_target)) {
654 duprintf("checking: element %p size %u\n",
659 /* Check hooks & underflows */
660 for (h = 0; h < NF_IP6_NUMHOOKS; h++) {
661 if ((unsigned char *)e - base == hook_entries[h])
662 newinfo->hook_entry[h] = hook_entries[h];
663 if ((unsigned char *)e - base == underflows[h])
664 newinfo->underflow[h] = underflows[h];
667 /* FIXME: underflows must be unconditional, standard verdicts
668 < 0 (not IP6T_RETURN). --RR */
670 /* Clear counters and comefrom */
671 e->counters = ((struct xt_counters) { 0, 0 });
679 cleanup_entry(struct ip6t_entry *e, unsigned int *i)
681 struct ip6t_entry_target *t;
683 if (i && (*i)-- == 0)
686 /* Cleanup all matches */
687 IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
688 t = ip6t_get_target(e);
689 if (t->u.kernel.target->destroy)
690 t->u.kernel.target->destroy(t->u.kernel.target, t->data);
691 module_put(t->u.kernel.target->me);
695 /* Checks and translates the user-supplied table segment (held in
698 translate_table(const char *name,
699 unsigned int valid_hooks,
700 struct xt_table_info *newinfo,
704 const unsigned int *hook_entries,
705 const unsigned int *underflows)
710 newinfo->size = size;
711 newinfo->number = number;
713 /* Init all hooks to impossible value. */
714 for (i = 0; i < NF_IP6_NUMHOOKS; i++) {
715 newinfo->hook_entry[i] = 0xFFFFFFFF;
716 newinfo->underflow[i] = 0xFFFFFFFF;
719 duprintf("translate_table: size %u\n", newinfo->size);
721 /* Walk through entries, checking offsets. */
722 ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
723 check_entry_size_and_hooks,
727 hook_entries, underflows, &i);
732 duprintf("translate_table: %u not %u entries\n",
737 /* Check hooks all assigned */
738 for (i = 0; i < NF_IP6_NUMHOOKS; i++) {
739 /* Only hooks which are valid */
740 if (!(valid_hooks & (1 << i)))
742 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
743 duprintf("Invalid hook entry %u %u\n",
747 if (newinfo->underflow[i] == 0xFFFFFFFF) {
748 duprintf("Invalid underflow %u %u\n",
754 if (!mark_source_chains(newinfo, valid_hooks, entry0))
757 /* Finally, each sanity check must pass */
759 ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
760 check_entry, name, size, &i);
763 IP6T_ENTRY_ITERATE(entry0, newinfo->size,
768 /* And one copy for every other CPU */
769 for_each_possible_cpu(i) {
770 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
771 memcpy(newinfo->entries[i], entry0, newinfo->size);
779 add_entry_to_counter(const struct ip6t_entry *e,
780 struct xt_counters total[],
783 ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
790 set_entry_to_counter(const struct ip6t_entry *e,
791 struct ip6t_counters total[],
794 SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
801 get_counters(const struct xt_table_info *t,
802 struct xt_counters counters[])
808 /* Instead of clearing (by a previous call to memset())
809 * the counters and using adds, we set the counters
810 * with data used by 'current' CPU
811 * We dont care about preemption here.
813 curcpu = raw_smp_processor_id();
816 IP6T_ENTRY_ITERATE(t->entries[curcpu],
818 set_entry_to_counter,
822 for_each_possible_cpu(cpu) {
826 IP6T_ENTRY_ITERATE(t->entries[cpu],
828 add_entry_to_counter,
835 copy_entries_to_user(unsigned int total_size,
836 struct xt_table *table,
837 void __user *userptr)
839 unsigned int off, num, countersize;
840 struct ip6t_entry *e;
841 struct xt_counters *counters;
842 struct xt_table_info *private = table->private;
846 /* We need atomic snapshot of counters: rest doesn't change
847 (other than comefrom, which userspace doesn't care
849 countersize = sizeof(struct xt_counters) * private->number;
850 counters = vmalloc(countersize);
852 if (counters == NULL)
855 /* First, sum counters... */
856 write_lock_bh(&table->lock);
857 get_counters(private, counters);
858 write_unlock_bh(&table->lock);
860 /* choose the copy that is on ourc node/cpu */
861 loc_cpu_entry = private->entries[raw_smp_processor_id()];
862 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
867 /* FIXME: use iterator macros --RR */
868 /* ... then go back and fix counters and names */
869 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
871 struct ip6t_entry_match *m;
872 struct ip6t_entry_target *t;
874 e = (struct ip6t_entry *)(loc_cpu_entry + off);
875 if (copy_to_user(userptr + off
876 + offsetof(struct ip6t_entry, counters),
878 sizeof(counters[num])) != 0) {
883 for (i = sizeof(struct ip6t_entry);
884 i < e->target_offset;
885 i += m->u.match_size) {
888 if (copy_to_user(userptr + off + i
889 + offsetof(struct ip6t_entry_match,
891 m->u.kernel.match->name,
892 strlen(m->u.kernel.match->name)+1)
899 t = ip6t_get_target(e);
900 if (copy_to_user(userptr + off + e->target_offset
901 + offsetof(struct ip6t_entry_target,
903 t->u.kernel.target->name,
904 strlen(t->u.kernel.target->name)+1) != 0) {
916 get_entries(const struct ip6t_get_entries *entries,
917 struct ip6t_get_entries __user *uptr)
922 t = xt_find_table_lock(AF_INET6, entries->name);
923 if (t && !IS_ERR(t)) {
924 struct xt_table_info *private = t->private;
925 duprintf("t->private->number = %u\n", private->number);
926 if (entries->size == private->size)
927 ret = copy_entries_to_user(private->size,
928 t, uptr->entrytable);
930 duprintf("get_entries: I've got %u not %u!\n",
931 private->size, entries->size);
937 ret = t ? PTR_ERR(t) : -ENOENT;
943 do_replace(void __user *user, unsigned int len)
946 struct ip6t_replace tmp;
948 struct xt_table_info *newinfo, *oldinfo;
949 struct xt_counters *counters;
950 void *loc_cpu_entry, *loc_cpu_old_entry;
952 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
956 if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
959 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
962 newinfo = xt_alloc_table_info(tmp.size);
966 /* choose the copy that is on our node/cpu */
967 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
968 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
974 counters = vmalloc(tmp.num_counters * sizeof(struct xt_counters));
980 ret = translate_table(tmp.name, tmp.valid_hooks,
981 newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
982 tmp.hook_entry, tmp.underflow);
984 goto free_newinfo_counters;
986 duprintf("ip_tables: Translated table\n");
988 t = try_then_request_module(xt_find_table_lock(AF_INET6, tmp.name),
989 "ip6table_%s", tmp.name);
990 if (!t || IS_ERR(t)) {
991 ret = t ? PTR_ERR(t) : -ENOENT;
992 goto free_newinfo_counters_untrans;
996 if (tmp.valid_hooks != t->valid_hooks) {
997 duprintf("Valid hook crap: %08X vs %08X\n",
998 tmp.valid_hooks, t->valid_hooks);
1003 oldinfo = xt_replace_table(t, tmp.num_counters, newinfo, &ret);
1007 /* Update module usage count based on number of rules */
1008 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1009 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1010 if ((oldinfo->number > oldinfo->initial_entries) ||
1011 (newinfo->number <= oldinfo->initial_entries))
1013 if ((oldinfo->number > oldinfo->initial_entries) &&
1014 (newinfo->number <= oldinfo->initial_entries))
1017 /* Get the old counters. */
1018 get_counters(oldinfo, counters);
1019 /* Decrease module usage counts and free resource */
1020 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1021 IP6T_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
1022 xt_free_table_info(oldinfo);
1023 if (copy_to_user(tmp.counters, counters,
1024 sizeof(struct xt_counters) * tmp.num_counters) != 0)
1033 free_newinfo_counters_untrans:
1034 IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
1035 free_newinfo_counters:
1038 xt_free_table_info(newinfo);
1042 /* We're lazy, and add to the first CPU; overflow works its fey magic
1043 * and everything is OK. */
1045 add_counter_to_entry(struct ip6t_entry *e,
1046 const struct xt_counters addme[],
1050 duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
1052 (long unsigned int)e->counters.pcnt,
1053 (long unsigned int)e->counters.bcnt,
1054 (long unsigned int)addme[*i].pcnt,
1055 (long unsigned int)addme[*i].bcnt);
1058 ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
1065 do_add_counters(void __user *user, unsigned int len)
1068 struct xt_counters_info tmp, *paddc;
1069 struct xt_table_info *private;
1072 void *loc_cpu_entry;
1074 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1077 if (len != sizeof(tmp) + tmp.num_counters*sizeof(struct xt_counters))
1080 paddc = vmalloc(len);
1084 if (copy_from_user(paddc, user, len) != 0) {
1089 t = xt_find_table_lock(AF_INET6, tmp.name);
1090 if (!t || IS_ERR(t)) {
1091 ret = t ? PTR_ERR(t) : -ENOENT;
1095 write_lock_bh(&t->lock);
1096 private = t->private;
1097 if (private->number != tmp.num_counters) {
1099 goto unlock_up_free;
1103 /* Choose the copy that is on our node */
1104 loc_cpu_entry = private->entries[smp_processor_id()];
1105 IP6T_ENTRY_ITERATE(loc_cpu_entry,
1107 add_counter_to_entry,
1111 write_unlock_bh(&t->lock);
1121 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1125 if (!capable(CAP_NET_ADMIN))
1129 case IP6T_SO_SET_REPLACE:
1130 ret = do_replace(user, len);
1133 case IP6T_SO_SET_ADD_COUNTERS:
1134 ret = do_add_counters(user, len);
1138 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1146 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1150 if (!capable(CAP_NET_ADMIN))
1154 case IP6T_SO_GET_INFO: {
1155 char name[IP6T_TABLE_MAXNAMELEN];
1158 if (*len != sizeof(struct ip6t_getinfo)) {
1159 duprintf("length %u != %u\n", *len,
1160 sizeof(struct ip6t_getinfo));
1165 if (copy_from_user(name, user, sizeof(name)) != 0) {
1169 name[IP6T_TABLE_MAXNAMELEN-1] = '\0';
1171 t = try_then_request_module(xt_find_table_lock(AF_INET6, name),
1172 "ip6table_%s", name);
1173 if (t && !IS_ERR(t)) {
1174 struct ip6t_getinfo info;
1175 struct xt_table_info *private = t->private;
1177 info.valid_hooks = t->valid_hooks;
1178 memcpy(info.hook_entry, private->hook_entry,
1179 sizeof(info.hook_entry));
1180 memcpy(info.underflow, private->underflow,
1181 sizeof(info.underflow));
1182 info.num_entries = private->number;
1183 info.size = private->size;
1184 memcpy(info.name, name, sizeof(info.name));
1186 if (copy_to_user(user, &info, *len) != 0)
1193 ret = t ? PTR_ERR(t) : -ENOENT;
1197 case IP6T_SO_GET_ENTRIES: {
1198 struct ip6t_get_entries get;
1200 if (*len < sizeof(get)) {
1201 duprintf("get_entries: %u < %u\n", *len, sizeof(get));
1203 } else if (copy_from_user(&get, user, sizeof(get)) != 0) {
1205 } else if (*len != sizeof(struct ip6t_get_entries) + get.size) {
1206 duprintf("get_entries: %u != %u\n", *len,
1207 sizeof(struct ip6t_get_entries) + get.size);
1210 ret = get_entries(&get, user);
1214 case IP6T_SO_GET_REVISION_MATCH:
1215 case IP6T_SO_GET_REVISION_TARGET: {
1216 struct ip6t_get_revision rev;
1219 if (*len != sizeof(rev)) {
1223 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
1228 if (cmd == IP6T_SO_GET_REVISION_TARGET)
1233 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
1236 "ip6t_%s", rev.name);
1241 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
1248 int ip6t_register_table(struct xt_table *table,
1249 const struct ip6t_replace *repl)
1252 struct xt_table_info *newinfo;
1253 static struct xt_table_info bootstrap
1254 = { 0, 0, 0, { 0 }, { 0 }, { } };
1255 void *loc_cpu_entry;
1257 newinfo = xt_alloc_table_info(repl->size);
1261 /* choose the copy on our node/cpu */
1262 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1263 memcpy(loc_cpu_entry, repl->entries, repl->size);
1265 ret = translate_table(table->name, table->valid_hooks,
1266 newinfo, loc_cpu_entry, repl->size,
1271 xt_free_table_info(newinfo);
1275 ret = xt_register_table(table, &bootstrap, newinfo);
1277 xt_free_table_info(newinfo);
1284 void ip6t_unregister_table(struct xt_table *table)
1286 struct xt_table_info *private;
1287 void *loc_cpu_entry;
1289 private = xt_unregister_table(table);
1291 /* Decrease module usage counts and free resources */
1292 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1293 IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
1294 xt_free_table_info(private);
1297 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
1299 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
1300 u_int8_t type, u_int8_t code,
1303 return (type == test_type && code >= min_code && code <= max_code)
1308 icmp6_match(const struct sk_buff *skb,
1309 const struct net_device *in,
1310 const struct net_device *out,
1311 const struct xt_match *match,
1312 const void *matchinfo,
1314 unsigned int protoff,
1317 struct icmp6hdr _icmp, *ic;
1318 const struct ip6t_icmp *icmpinfo = matchinfo;
1320 /* Must not be a fragment. */
1324 ic = skb_header_pointer(skb, protoff, sizeof(_icmp), &_icmp);
1326 /* We've been asked to examine this packet, and we
1327 can't. Hence, no choice but to drop. */
1328 duprintf("Dropping evil ICMP tinygram.\n");
1333 return icmp6_type_code_match(icmpinfo->type,
1336 ic->icmp6_type, ic->icmp6_code,
1337 !!(icmpinfo->invflags&IP6T_ICMP_INV));
1340 /* Called when user tries to insert an entry of this type. */
1342 icmp6_checkentry(const char *tablename,
1344 const struct xt_match *match,
1346 unsigned int hook_mask)
1348 const struct ip6t_icmp *icmpinfo = matchinfo;
1350 /* Must specify no unknown invflags */
1351 return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
1354 /* The built-in targets: standard (NULL) and error. */
1355 static struct ip6t_target ip6t_standard_target = {
1356 .name = IP6T_STANDARD_TARGET,
1357 .targetsize = sizeof(int),
1361 static struct ip6t_target ip6t_error_target = {
1362 .name = IP6T_ERROR_TARGET,
1363 .target = ip6t_error,
1364 .targetsize = IP6T_FUNCTION_MAXNAMELEN,
1368 static struct nf_sockopt_ops ip6t_sockopts = {
1370 .set_optmin = IP6T_BASE_CTL,
1371 .set_optmax = IP6T_SO_SET_MAX+1,
1372 .set = do_ip6t_set_ctl,
1373 .get_optmin = IP6T_BASE_CTL,
1374 .get_optmax = IP6T_SO_GET_MAX+1,
1375 .get = do_ip6t_get_ctl,
1378 static struct ip6t_match icmp6_matchstruct = {
1380 .match = &icmp6_match,
1381 .matchsize = sizeof(struct ip6t_icmp),
1382 .checkentry = icmp6_checkentry,
1383 .proto = IPPROTO_ICMPV6,
1387 static int __init ip6_tables_init(void)
1391 ret = xt_proto_init(AF_INET6);
1395 /* Noone else will be downing sem now, so we won't sleep */
1396 ret = xt_register_target(&ip6t_standard_target);
1399 ret = xt_register_target(&ip6t_error_target);
1402 ret = xt_register_match(&icmp6_matchstruct);
1406 /* Register setsockopt */
1407 ret = nf_register_sockopt(&ip6t_sockopts);
1411 printk("ip6_tables: (C) 2000-2006 Netfilter Core Team\n");
1415 xt_unregister_match(&icmp6_matchstruct);
1417 xt_unregister_target(&ip6t_error_target);
1419 xt_unregister_target(&ip6t_standard_target);
1421 xt_proto_fini(AF_INET6);
1426 static void __exit ip6_tables_fini(void)
1428 nf_unregister_sockopt(&ip6t_sockopts);
1429 xt_unregister_match(&icmp6_matchstruct);
1430 xt_unregister_target(&ip6t_error_target);
1431 xt_unregister_target(&ip6t_standard_target);
1432 xt_proto_fini(AF_INET6);
1436 * find the offset to specified header or the protocol number of last header
1437 * if target < 0. "last header" is transport protocol header, ESP, or
1440 * If target header is found, its offset is set in *offset and return protocol
1441 * number. Otherwise, return -1.
1443 * Note that non-1st fragment is special case that "the protocol number
1444 * of last header" is "next header" field in Fragment header. In this case,
1445 * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
1449 int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
1450 int target, unsigned short *fragoff)
1452 unsigned int start = (u8*)(skb->nh.ipv6h + 1) - skb->data;
1453 u8 nexthdr = skb->nh.ipv6h->nexthdr;
1454 unsigned int len = skb->len - start;
1459 while (nexthdr != target) {
1460 struct ipv6_opt_hdr _hdr, *hp;
1461 unsigned int hdrlen;
1463 if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
1469 hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
1472 if (nexthdr == NEXTHDR_FRAGMENT) {
1473 unsigned short _frag_off, *fp;
1474 fp = skb_header_pointer(skb,
1475 start+offsetof(struct frag_hdr,
1482 _frag_off = ntohs(*fp) & ~0x7;
1485 ((!ipv6_ext_hdr(hp->nexthdr)) ||
1486 nexthdr == NEXTHDR_NONE)) {
1488 *fragoff = _frag_off;
1494 } else if (nexthdr == NEXTHDR_AUTH)
1495 hdrlen = (hp->hdrlen + 2) << 2;
1497 hdrlen = ipv6_optlen(hp);
1499 nexthdr = hp->nexthdr;
1508 EXPORT_SYMBOL(ip6t_register_table);
1509 EXPORT_SYMBOL(ip6t_unregister_table);
1510 EXPORT_SYMBOL(ip6t_do_table);
1511 EXPORT_SYMBOL(ip6t_ext_hdr);
1512 EXPORT_SYMBOL(ipv6_find_hdr);
1514 module_init(ip6_tables_init);
1515 module_exit(ip6_tables_fini);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob