2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
12 #include <linux/capability.h>
14 #include <linux/skbuff.h>
15 #include <linux/kmod.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netdevice.h>
18 #include <linux/module.h>
19 #include <linux/poison.h>
20 #include <linux/icmpv6.h>
22 #include <net/compat.h>
23 #include <asm/uaccess.h>
24 #include <linux/mutex.h>
25 #include <linux/proc_fs.h>
26 #include <linux/err.h>
27 #include <linux/cpumask.h>
29 #include <linux/netfilter_ipv6/ip6_tables.h>
30 #include <linux/netfilter/x_tables.h>
31 #include <net/netfilter/nf_log.h>
33 MODULE_LICENSE("GPL");
34 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
35 MODULE_DESCRIPTION("IPv6 packet filter");
37 /*#define DEBUG_IP_FIREWALL*/
38 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
39 /*#define DEBUG_IP_FIREWALL_USER*/
41 #ifdef DEBUG_IP_FIREWALL
42 #define dprintf(format, args...) printk(format , ## args)
44 #define dprintf(format, args...)
47 #ifdef DEBUG_IP_FIREWALL_USER
48 #define duprintf(format, args...) printk(format , ## args)
50 #define duprintf(format, args...)
53 #ifdef CONFIG_NETFILTER_DEBUG
54 #define IP_NF_ASSERT(x) \
57 printk("IP_NF_ASSERT: %s:%s:%u\n", \
58 __func__, __FILE__, __LINE__); \
61 #define IP_NF_ASSERT(x)
65 /* All the better to debug you with... */
71 We keep a set of rules for each CPU, so we can avoid write-locking
72 them in the softirq when updating the counters and therefore
73 only need to read-lock in the softirq; doing a write_lock_bh() in user
74 context stops packets coming through and allows user context to read
75 the counters or update the rules.
77 Hence the start of any table is given by get_table() below. */
79 /* Check for an extension */
81 ip6t_ext_hdr(u8 nexthdr)
83 return ( (nexthdr == IPPROTO_HOPOPTS) ||
84 (nexthdr == IPPROTO_ROUTING) ||
85 (nexthdr == IPPROTO_FRAGMENT) ||
86 (nexthdr == IPPROTO_ESP) ||
87 (nexthdr == IPPROTO_AH) ||
88 (nexthdr == IPPROTO_NONE) ||
89 (nexthdr == IPPROTO_DSTOPTS) );
92 /* Returns whether matches rule or not. */
93 /* Performance critical - called for every packet */
95 ip6_packet_match(const struct sk_buff *skb,
98 const struct ip6t_ip6 *ip6info,
99 unsigned int *protoff,
100 int *fragoff, bool *hotdrop)
103 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
105 #define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
107 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
108 &ip6info->src), IP6T_INV_SRCIP)
109 || FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
110 &ip6info->dst), IP6T_INV_DSTIP)) {
111 dprintf("Source or dest mismatch.\n");
113 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
114 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
115 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
116 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
117 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
118 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
122 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
124 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
125 dprintf("VIA in mismatch (%s vs %s).%s\n",
126 indev, ip6info->iniface,
127 ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
131 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
133 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
134 dprintf("VIA out mismatch (%s vs %s).%s\n",
135 outdev, ip6info->outiface,
136 ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
140 /* ... might want to do something with class and flowlabel here ... */
142 /* look for the desired protocol header */
143 if((ip6info->flags & IP6T_F_PROTO)) {
145 unsigned short _frag_off;
147 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
153 *fragoff = _frag_off;
155 dprintf("Packet protocol %hi ?= %s%hi.\n",
157 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
160 if (ip6info->proto == protohdr) {
161 if(ip6info->invflags & IP6T_INV_PROTO) {
167 /* We need match for the '-p all', too! */
168 if ((ip6info->proto != 0) &&
169 !(ip6info->invflags & IP6T_INV_PROTO))
175 /* should be ip6 safe */
177 ip6_checkentry(const struct ip6t_ip6 *ipv6)
179 if (ipv6->flags & ~IP6T_F_MASK) {
180 duprintf("Unknown flag bits set: %08X\n",
181 ipv6->flags & ~IP6T_F_MASK);
184 if (ipv6->invflags & ~IP6T_INV_MASK) {
185 duprintf("Unknown invflag bits set: %08X\n",
186 ipv6->invflags & ~IP6T_INV_MASK);
193 ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
196 printk("ip6_tables: error: `%s'\n",
197 (const char *)par->targinfo);
202 /* Performance critical - called for every packet */
204 do_match(struct ip6t_entry_match *m, const struct sk_buff *skb,
205 struct xt_match_param *par)
207 par->match = m->u.kernel.match;
208 par->matchinfo = m->data;
210 /* Stop iteration if it doesn't match */
211 if (!m->u.kernel.match->match(skb, par))
217 static inline struct ip6t_entry *
218 get_entry(void *base, unsigned int offset)
220 return (struct ip6t_entry *)(base + offset);
223 /* All zeroes == unconditional rule. */
224 /* Mildly perf critical (only if packet tracing is on) */
226 unconditional(const struct ip6t_ip6 *ipv6)
230 for (i = 0; i < sizeof(*ipv6); i++)
231 if (((char *)ipv6)[i])
234 return (i == sizeof(*ipv6));
237 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
238 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
239 /* This cries for unification! */
240 static const char *const hooknames[] = {
241 [NF_INET_PRE_ROUTING] = "PREROUTING",
242 [NF_INET_LOCAL_IN] = "INPUT",
243 [NF_INET_FORWARD] = "FORWARD",
244 [NF_INET_LOCAL_OUT] = "OUTPUT",
245 [NF_INET_POST_ROUTING] = "POSTROUTING",
248 enum nf_ip_trace_comments {
249 NF_IP6_TRACE_COMMENT_RULE,
250 NF_IP6_TRACE_COMMENT_RETURN,
251 NF_IP6_TRACE_COMMENT_POLICY,
254 static const char *const comments[] = {
255 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
256 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
257 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
260 static struct nf_loginfo trace_loginfo = {
261 .type = NF_LOG_TYPE_LOG,
265 .logflags = NF_LOG_MASK,
270 /* Mildly perf critical (only if packet tracing is on) */
272 get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
273 const char *hookname, const char **chainname,
274 const char **comment, unsigned int *rulenum)
276 struct ip6t_standard_target *t = (void *)ip6t_get_target(s);
278 if (strcmp(t->target.u.kernel.target->name, IP6T_ERROR_TARGET) == 0) {
279 /* Head of user chain: ERROR target with chainname */
280 *chainname = t->target.data;
285 if (s->target_offset == sizeof(struct ip6t_entry)
286 && strcmp(t->target.u.kernel.target->name,
287 IP6T_STANDARD_TARGET) == 0
289 && unconditional(&s->ipv6)) {
290 /* Tail of chains: STANDARD target (return/policy) */
291 *comment = *chainname == hookname
292 ? comments[NF_IP6_TRACE_COMMENT_POLICY]
293 : comments[NF_IP6_TRACE_COMMENT_RETURN];
302 static void trace_packet(struct sk_buff *skb,
304 const struct net_device *in,
305 const struct net_device *out,
306 const char *tablename,
307 struct xt_table_info *private,
308 struct ip6t_entry *e)
311 const struct ip6t_entry *root;
312 const char *hookname, *chainname, *comment;
313 unsigned int rulenum = 0;
315 table_base = private->entries[smp_processor_id()];
316 root = get_entry(table_base, private->hook_entry[hook]);
318 hookname = chainname = hooknames[hook];
319 comment = comments[NF_IP6_TRACE_COMMENT_RULE];
321 IP6T_ENTRY_ITERATE(root,
322 private->size - private->hook_entry[hook],
323 get_chainname_rulenum,
324 e, hookname, &chainname, &comment, &rulenum);
326 nf_log_packet(AF_INET6, hook, skb, in, out, &trace_loginfo,
327 "TRACE: %s:%s:%s:%u ",
328 tablename, chainname, comment, rulenum);
332 static inline __pure struct ip6t_entry *
333 ip6t_next_entry(const struct ip6t_entry *entry)
335 return (void *)entry + entry->next_offset;
338 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
340 ip6t_do_table(struct sk_buff *skb,
342 const struct net_device *in,
343 const struct net_device *out,
344 struct xt_table *table)
346 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
347 bool hotdrop = false;
348 /* Initializing verdict to NF_DROP keeps gcc happy. */
349 unsigned int verdict = NF_DROP;
350 const char *indev, *outdev;
352 struct ip6t_entry *e, *back;
353 struct xt_table_info *private;
354 struct xt_match_param mtpar;
355 struct xt_target_param tgpar;
358 indev = in ? in->name : nulldevname;
359 outdev = out ? out->name : nulldevname;
360 /* We handle fragments by dealing with the first fragment as
361 * if it was a normal packet. All other fragments are treated
362 * normally, except that they will NEVER match rules that ask
363 * things we don't know, ie. tcp syn flag or ports). If the
364 * rule is also a fragment-specific rule, non-fragments won't
366 mtpar.hotdrop = &hotdrop;
367 mtpar.in = tgpar.in = in;
368 mtpar.out = tgpar.out = out;
369 mtpar.family = tgpar.family = NFPROTO_IPV6;
370 tgpar.hooknum = hook;
372 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
375 private = table->private;
376 table_base = private->entries[smp_processor_id()];
378 e = get_entry(table_base, private->hook_entry[hook]);
380 /* For return from builtin chain */
381 back = get_entry(table_base, private->underflow[hook]);
384 struct ip6t_entry_target *t;
388 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
389 &mtpar.thoff, &mtpar.fragoff, &hotdrop) ||
390 IP6T_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0) {
391 e = ip6t_next_entry(e);
395 ADD_COUNTER(e->counters,
396 ntohs(ipv6_hdr(skb)->payload_len) +
397 sizeof(struct ipv6hdr), 1);
399 t = ip6t_get_target(e);
400 IP_NF_ASSERT(t->u.kernel.target);
402 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
403 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
404 /* The packet is traced: log it */
405 if (unlikely(skb->nf_trace))
406 trace_packet(skb, hook, in, out,
407 table->name, private, e);
409 /* Standard target? */
410 if (!t->u.kernel.target->target) {
413 v = ((struct ip6t_standard_target *)t)->verdict;
415 /* Pop from stack? */
416 if (v != IP6T_RETURN) {
417 verdict = (unsigned)(-v) - 1;
421 back = get_entry(table_base, back->comefrom);
424 if (table_base + v != ip6t_next_entry(e)
425 && !(e->ipv6.flags & IP6T_F_GOTO)) {
426 /* Save old back ptr in next entry */
427 struct ip6t_entry *next = ip6t_next_entry(e);
428 next->comefrom = (void *)back - table_base;
429 /* set back pointer to next entry */
433 e = get_entry(table_base, v);
437 /* Targets which reenter must return
439 tgpar.target = t->u.kernel.target;
440 tgpar.targinfo = t->data;
442 #ifdef CONFIG_NETFILTER_DEBUG
443 ((struct ip6t_entry *)table_base)->comefrom = 0xeeeeeeec;
445 verdict = t->u.kernel.target->target(skb, &tgpar);
447 #ifdef CONFIG_NETFILTER_DEBUG
448 if (((struct ip6t_entry *)table_base)->comefrom != 0xeeeeeeec &&
449 verdict == IP6T_CONTINUE) {
450 printk("Target %s reentered!\n",
451 t->u.kernel.target->name);
454 ((struct ip6t_entry *)table_base)->comefrom = 0x57acc001;
456 if (verdict == IP6T_CONTINUE)
457 e = ip6t_next_entry(e);
463 #ifdef CONFIG_NETFILTER_DEBUG
464 ((struct ip6t_entry *)table_base)->comefrom = NETFILTER_LINK_POISON;
466 xt_info_rdunlock_bh();
468 #ifdef DEBUG_ALLOW_ALL
477 /* Figures out from what hook each rule can be called: returns 0 if
478 there are loops. Puts hook bitmask in comefrom. */
480 mark_source_chains(struct xt_table_info *newinfo,
481 unsigned int valid_hooks, void *entry0)
485 /* No recursion; use packet counter to save back ptrs (reset
486 to 0 as we leave), and comefrom to save source hook bitmask */
487 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
488 unsigned int pos = newinfo->hook_entry[hook];
489 struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
491 if (!(valid_hooks & (1 << hook)))
494 /* Set initial back pointer. */
495 e->counters.pcnt = pos;
498 struct ip6t_standard_target *t
499 = (void *)ip6t_get_target(e);
500 int visited = e->comefrom & (1 << hook);
502 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
503 printk("iptables: loop hook %u pos %u %08X.\n",
504 hook, pos, e->comefrom);
507 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
509 /* Unconditional return/END. */
510 if ((e->target_offset == sizeof(struct ip6t_entry)
511 && (strcmp(t->target.u.user.name,
512 IP6T_STANDARD_TARGET) == 0)
514 && unconditional(&e->ipv6)) || visited) {
515 unsigned int oldpos, size;
517 if ((strcmp(t->target.u.user.name,
518 IP6T_STANDARD_TARGET) == 0) &&
519 t->verdict < -NF_MAX_VERDICT - 1) {
520 duprintf("mark_source_chains: bad "
521 "negative verdict (%i)\n",
526 /* Return: backtrack through the last
529 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
530 #ifdef DEBUG_IP_FIREWALL_USER
532 & (1 << NF_INET_NUMHOOKS)) {
533 duprintf("Back unset "
540 pos = e->counters.pcnt;
541 e->counters.pcnt = 0;
543 /* We're at the start. */
547 e = (struct ip6t_entry *)
549 } while (oldpos == pos + e->next_offset);
552 size = e->next_offset;
553 e = (struct ip6t_entry *)
554 (entry0 + pos + size);
555 e->counters.pcnt = pos;
558 int newpos = t->verdict;
560 if (strcmp(t->target.u.user.name,
561 IP6T_STANDARD_TARGET) == 0
563 if (newpos > newinfo->size -
564 sizeof(struct ip6t_entry)) {
565 duprintf("mark_source_chains: "
566 "bad verdict (%i)\n",
570 /* This a jump; chase it. */
571 duprintf("Jump rule %u -> %u\n",
574 /* ... this is a fallthru */
575 newpos = pos + e->next_offset;
577 e = (struct ip6t_entry *)
579 e->counters.pcnt = pos;
584 duprintf("Finished chain %u\n", hook);
590 cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
592 struct xt_mtdtor_param par;
594 if (i && (*i)-- == 0)
597 par.match = m->u.kernel.match;
598 par.matchinfo = m->data;
599 par.family = NFPROTO_IPV6;
600 if (par.match->destroy != NULL)
601 par.match->destroy(&par);
602 module_put(par.match->me);
607 check_entry(struct ip6t_entry *e, const char *name)
609 struct ip6t_entry_target *t;
611 if (!ip6_checkentry(&e->ipv6)) {
612 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
616 if (e->target_offset + sizeof(struct ip6t_entry_target) >
620 t = ip6t_get_target(e);
621 if (e->target_offset + t->u.target_size > e->next_offset)
627 static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
630 const struct ip6t_ip6 *ipv6 = par->entryinfo;
633 par->match = m->u.kernel.match;
634 par->matchinfo = m->data;
636 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
637 ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
639 duprintf("ip_tables: check failed for `%s'.\n",
648 find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
651 struct xt_match *match;
654 match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
656 "ip6t_%s", m->u.user.name);
657 if (IS_ERR(match) || !match) {
658 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
659 return match ? PTR_ERR(match) : -ENOENT;
661 m->u.kernel.match = match;
663 ret = check_match(m, par, i);
669 module_put(m->u.kernel.match->me);
673 static int check_target(struct ip6t_entry *e, const char *name)
675 struct ip6t_entry_target *t = ip6t_get_target(e);
676 struct xt_tgchk_param par = {
679 .target = t->u.kernel.target,
681 .hook_mask = e->comefrom,
682 .family = NFPROTO_IPV6,
686 t = ip6t_get_target(e);
687 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
688 e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
690 duprintf("ip_tables: check failed for `%s'.\n",
691 t->u.kernel.target->name);
698 find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
701 struct ip6t_entry_target *t;
702 struct xt_target *target;
705 struct xt_mtchk_param mtpar;
707 ret = check_entry(e, name);
713 mtpar.entryinfo = &e->ipv6;
714 mtpar.hook_mask = e->comefrom;
715 mtpar.family = NFPROTO_IPV6;
716 ret = IP6T_MATCH_ITERATE(e, find_check_match, &mtpar, &j);
718 goto cleanup_matches;
720 t = ip6t_get_target(e);
721 target = try_then_request_module(xt_find_target(AF_INET6,
724 "ip6t_%s", t->u.user.name);
725 if (IS_ERR(target) || !target) {
726 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
727 ret = target ? PTR_ERR(target) : -ENOENT;
728 goto cleanup_matches;
730 t->u.kernel.target = target;
732 ret = check_target(e, name);
739 module_put(t->u.kernel.target->me);
741 IP6T_MATCH_ITERATE(e, cleanup_match, &j);
746 check_entry_size_and_hooks(struct ip6t_entry *e,
747 struct xt_table_info *newinfo,
749 unsigned char *limit,
750 const unsigned int *hook_entries,
751 const unsigned int *underflows,
756 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0
757 || (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
758 duprintf("Bad offset %p\n", e);
763 < sizeof(struct ip6t_entry) + sizeof(struct ip6t_entry_target)) {
764 duprintf("checking: element %p size %u\n",
769 /* Check hooks & underflows */
770 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
771 if ((unsigned char *)e - base == hook_entries[h])
772 newinfo->hook_entry[h] = hook_entries[h];
773 if ((unsigned char *)e - base == underflows[h])
774 newinfo->underflow[h] = underflows[h];
777 /* FIXME: underflows must be unconditional, standard verdicts
778 < 0 (not IP6T_RETURN). --RR */
780 /* Clear counters and comefrom */
781 e->counters = ((struct xt_counters) { 0, 0 });
789 cleanup_entry(struct ip6t_entry *e, unsigned int *i)
791 struct xt_tgdtor_param par;
792 struct ip6t_entry_target *t;
794 if (i && (*i)-- == 0)
797 /* Cleanup all matches */
798 IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
799 t = ip6t_get_target(e);
801 par.target = t->u.kernel.target;
802 par.targinfo = t->data;
803 par.family = NFPROTO_IPV6;
804 if (par.target->destroy != NULL)
805 par.target->destroy(&par);
806 module_put(par.target->me);
810 /* Checks and translates the user-supplied table segment (held in
813 translate_table(const char *name,
814 unsigned int valid_hooks,
815 struct xt_table_info *newinfo,
819 const unsigned int *hook_entries,
820 const unsigned int *underflows)
825 newinfo->size = size;
826 newinfo->number = number;
828 /* Init all hooks to impossible value. */
829 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
830 newinfo->hook_entry[i] = 0xFFFFFFFF;
831 newinfo->underflow[i] = 0xFFFFFFFF;
834 duprintf("translate_table: size %u\n", newinfo->size);
836 /* Walk through entries, checking offsets. */
837 ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
838 check_entry_size_and_hooks,
842 hook_entries, underflows, &i);
847 duprintf("translate_table: %u not %u entries\n",
852 /* Check hooks all assigned */
853 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
854 /* Only hooks which are valid */
855 if (!(valid_hooks & (1 << i)))
857 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
858 duprintf("Invalid hook entry %u %u\n",
862 if (newinfo->underflow[i] == 0xFFFFFFFF) {
863 duprintf("Invalid underflow %u %u\n",
869 if (!mark_source_chains(newinfo, valid_hooks, entry0))
872 /* Finally, each sanity check must pass */
874 ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
875 find_check_entry, name, size, &i);
878 IP6T_ENTRY_ITERATE(entry0, newinfo->size,
883 /* And one copy for every other CPU */
884 for_each_possible_cpu(i) {
885 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
886 memcpy(newinfo->entries[i], entry0, newinfo->size);
894 add_entry_to_counter(const struct ip6t_entry *e,
895 struct xt_counters total[],
898 ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
905 set_entry_to_counter(const struct ip6t_entry *e,
906 struct ip6t_counters total[],
909 SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
916 get_counters(const struct xt_table_info *t,
917 struct xt_counters counters[])
923 /* Instead of clearing (by a previous call to memset())
924 * the counters and using adds, we set the counters
925 * with data used by 'current' CPU
927 * Bottom half has to be disabled to prevent deadlock
928 * if new softirq were to run and call ipt_do_table
931 curcpu = smp_processor_id();
934 IP6T_ENTRY_ITERATE(t->entries[curcpu],
936 set_entry_to_counter,
940 for_each_possible_cpu(cpu) {
945 IP6T_ENTRY_ITERATE(t->entries[cpu],
947 add_entry_to_counter,
950 xt_info_wrunlock(cpu);
955 static struct xt_counters *alloc_counters(struct xt_table *table)
957 unsigned int countersize;
958 struct xt_counters *counters;
959 struct xt_table_info *private = table->private;
961 /* We need atomic snapshot of counters: rest doesn't change
962 (other than comefrom, which userspace doesn't care
964 countersize = sizeof(struct xt_counters) * private->number;
965 counters = vmalloc_node(countersize, numa_node_id());
967 if (counters == NULL)
968 return ERR_PTR(-ENOMEM);
970 get_counters(private, counters);
976 copy_entries_to_user(unsigned int total_size,
977 struct xt_table *table,
978 void __user *userptr)
980 unsigned int off, num;
981 struct ip6t_entry *e;
982 struct xt_counters *counters;
983 const struct xt_table_info *private = table->private;
985 const void *loc_cpu_entry;
987 counters = alloc_counters(table);
988 if (IS_ERR(counters))
989 return PTR_ERR(counters);
991 /* choose the copy that is on our node/cpu, ...
992 * This choice is lazy (because current thread is
993 * allowed to migrate to another cpu)
995 loc_cpu_entry = private->entries[raw_smp_processor_id()];
996 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
1001 /* FIXME: use iterator macros --RR */
1002 /* ... then go back and fix counters and names */
1003 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
1005 const struct ip6t_entry_match *m;
1006 const struct ip6t_entry_target *t;
1008 e = (struct ip6t_entry *)(loc_cpu_entry + off);
1009 if (copy_to_user(userptr + off
1010 + offsetof(struct ip6t_entry, counters),
1012 sizeof(counters[num])) != 0) {
1017 for (i = sizeof(struct ip6t_entry);
1018 i < e->target_offset;
1019 i += m->u.match_size) {
1022 if (copy_to_user(userptr + off + i
1023 + offsetof(struct ip6t_entry_match,
1025 m->u.kernel.match->name,
1026 strlen(m->u.kernel.match->name)+1)
1033 t = ip6t_get_target(e);
1034 if (copy_to_user(userptr + off + e->target_offset
1035 + offsetof(struct ip6t_entry_target,
1037 t->u.kernel.target->name,
1038 strlen(t->u.kernel.target->name)+1) != 0) {
1049 #ifdef CONFIG_COMPAT
1050 static void compat_standard_from_user(void *dst, void *src)
1052 int v = *(compat_int_t *)src;
1055 v += xt_compat_calc_jump(AF_INET6, v);
1056 memcpy(dst, &v, sizeof(v));
1059 static int compat_standard_to_user(void __user *dst, void *src)
1061 compat_int_t cv = *(int *)src;
1064 cv -= xt_compat_calc_jump(AF_INET6, cv);
1065 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1069 compat_calc_match(struct ip6t_entry_match *m, int *size)
1071 *size += xt_compat_match_offset(m->u.kernel.match);
1075 static int compat_calc_entry(struct ip6t_entry *e,
1076 const struct xt_table_info *info,
1077 void *base, struct xt_table_info *newinfo)
1079 struct ip6t_entry_target *t;
1080 unsigned int entry_offset;
1083 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1084 entry_offset = (void *)e - base;
1085 IP6T_MATCH_ITERATE(e, compat_calc_match, &off);
1086 t = ip6t_get_target(e);
1087 off += xt_compat_target_offset(t->u.kernel.target);
1088 newinfo->size -= off;
1089 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1093 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1094 if (info->hook_entry[i] &&
1095 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
1096 newinfo->hook_entry[i] -= off;
1097 if (info->underflow[i] &&
1098 (e < (struct ip6t_entry *)(base + info->underflow[i])))
1099 newinfo->underflow[i] -= off;
1104 static int compat_table_info(const struct xt_table_info *info,
1105 struct xt_table_info *newinfo)
1107 void *loc_cpu_entry;
1109 if (!newinfo || !info)
1112 /* we dont care about newinfo->entries[] */
1113 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1114 newinfo->initial_entries = 0;
1115 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1116 return IP6T_ENTRY_ITERATE(loc_cpu_entry, info->size,
1117 compat_calc_entry, info, loc_cpu_entry,
1122 static int get_info(struct net *net, void __user *user, int *len, int compat)
1124 char name[IP6T_TABLE_MAXNAMELEN];
1128 if (*len != sizeof(struct ip6t_getinfo)) {
1129 duprintf("length %u != %zu\n", *len,
1130 sizeof(struct ip6t_getinfo));
1134 if (copy_from_user(name, user, sizeof(name)) != 0)
1137 name[IP6T_TABLE_MAXNAMELEN-1] = '\0';
1138 #ifdef CONFIG_COMPAT
1140 xt_compat_lock(AF_INET6);
1142 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1143 "ip6table_%s", name);
1144 if (t && !IS_ERR(t)) {
1145 struct ip6t_getinfo info;
1146 const struct xt_table_info *private = t->private;
1148 #ifdef CONFIG_COMPAT
1150 struct xt_table_info tmp;
1151 ret = compat_table_info(private, &tmp);
1152 xt_compat_flush_offsets(AF_INET6);
1156 info.valid_hooks = t->valid_hooks;
1157 memcpy(info.hook_entry, private->hook_entry,
1158 sizeof(info.hook_entry));
1159 memcpy(info.underflow, private->underflow,
1160 sizeof(info.underflow));
1161 info.num_entries = private->number;
1162 info.size = private->size;
1163 strcpy(info.name, name);
1165 if (copy_to_user(user, &info, *len) != 0)
1173 ret = t ? PTR_ERR(t) : -ENOENT;
1174 #ifdef CONFIG_COMPAT
1176 xt_compat_unlock(AF_INET6);
1182 get_entries(struct net *net, struct ip6t_get_entries __user *uptr, int *len)
1185 struct ip6t_get_entries get;
1188 if (*len < sizeof(get)) {
1189 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1192 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1194 if (*len != sizeof(struct ip6t_get_entries) + get.size) {
1195 duprintf("get_entries: %u != %zu\n",
1196 *len, sizeof(get) + get.size);
1200 t = xt_find_table_lock(net, AF_INET6, get.name);
1201 if (t && !IS_ERR(t)) {
1202 struct xt_table_info *private = t->private;
1203 duprintf("t->private->number = %u\n", private->number);
1204 if (get.size == private->size)
1205 ret = copy_entries_to_user(private->size,
1206 t, uptr->entrytable);
1208 duprintf("get_entries: I've got %u not %u!\n",
1209 private->size, get.size);
1215 ret = t ? PTR_ERR(t) : -ENOENT;
1221 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1222 struct xt_table_info *newinfo, unsigned int num_counters,
1223 void __user *counters_ptr)
1227 struct xt_table_info *oldinfo;
1228 struct xt_counters *counters;
1229 const void *loc_cpu_old_entry;
1232 counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
1239 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1240 "ip6table_%s", name);
1241 if (!t || IS_ERR(t)) {
1242 ret = t ? PTR_ERR(t) : -ENOENT;
1243 goto free_newinfo_counters_untrans;
1247 if (valid_hooks != t->valid_hooks) {
1248 duprintf("Valid hook crap: %08X vs %08X\n",
1249 valid_hooks, t->valid_hooks);
1254 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1258 /* Update module usage count based on number of rules */
1259 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1260 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1261 if ((oldinfo->number > oldinfo->initial_entries) ||
1262 (newinfo->number <= oldinfo->initial_entries))
1264 if ((oldinfo->number > oldinfo->initial_entries) &&
1265 (newinfo->number <= oldinfo->initial_entries))
1268 /* Get the old counters, and synchronize with replace */
1269 get_counters(oldinfo, counters);
1271 /* Decrease module usage counts and free resource */
1272 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1273 IP6T_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,
1275 xt_free_table_info(oldinfo);
1276 if (copy_to_user(counters_ptr, counters,
1277 sizeof(struct xt_counters) * num_counters) != 0)
1286 free_newinfo_counters_untrans:
1293 do_replace(struct net *net, void __user *user, unsigned int len)
1296 struct ip6t_replace tmp;
1297 struct xt_table_info *newinfo;
1298 void *loc_cpu_entry;
1300 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1303 /* overflow check */
1304 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1307 newinfo = xt_alloc_table_info(tmp.size);
1311 /* choose the copy that is on our node/cpu */
1312 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1313 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1319 ret = translate_table(tmp.name, tmp.valid_hooks,
1320 newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
1321 tmp.hook_entry, tmp.underflow);
1325 duprintf("ip_tables: Translated table\n");
1327 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1328 tmp.num_counters, tmp.counters);
1330 goto free_newinfo_untrans;
1333 free_newinfo_untrans:
1334 IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1336 xt_free_table_info(newinfo);
1340 /* We're lazy, and add to the first CPU; overflow works its fey magic
1341 * and everything is OK. */
1343 add_counter_to_entry(struct ip6t_entry *e,
1344 const struct xt_counters addme[],
1347 ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
1354 do_add_counters(struct net *net, void __user *user, unsigned int len,
1357 unsigned int i, curcpu;
1358 struct xt_counters_info tmp;
1359 struct xt_counters *paddc;
1360 unsigned int num_counters;
1365 const struct xt_table_info *private;
1367 const void *loc_cpu_entry;
1368 #ifdef CONFIG_COMPAT
1369 struct compat_xt_counters_info compat_tmp;
1373 size = sizeof(struct compat_xt_counters_info);
1378 size = sizeof(struct xt_counters_info);
1381 if (copy_from_user(ptmp, user, size) != 0)
1384 #ifdef CONFIG_COMPAT
1386 num_counters = compat_tmp.num_counters;
1387 name = compat_tmp.name;
1391 num_counters = tmp.num_counters;
1395 if (len != size + num_counters * sizeof(struct xt_counters))
1398 paddc = vmalloc_node(len - size, numa_node_id());
1402 if (copy_from_user(paddc, user + size, len - size) != 0) {
1407 t = xt_find_table_lock(net, AF_INET6, name);
1408 if (!t || IS_ERR(t)) {
1409 ret = t ? PTR_ERR(t) : -ENOENT;
1415 private = t->private;
1416 if (private->number != num_counters) {
1418 goto unlock_up_free;
1422 /* Choose the copy that is on our node */
1423 curcpu = smp_processor_id();
1424 xt_info_wrlock(curcpu);
1425 loc_cpu_entry = private->entries[curcpu];
1426 IP6T_ENTRY_ITERATE(loc_cpu_entry,
1428 add_counter_to_entry,
1431 xt_info_wrunlock(curcpu);
1443 #ifdef CONFIG_COMPAT
1444 struct compat_ip6t_replace {
1445 char name[IP6T_TABLE_MAXNAMELEN];
1449 u32 hook_entry[NF_INET_NUMHOOKS];
1450 u32 underflow[NF_INET_NUMHOOKS];
1452 compat_uptr_t counters; /* struct ip6t_counters * */
1453 struct compat_ip6t_entry entries[0];
1457 compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1458 unsigned int *size, struct xt_counters *counters,
1461 struct ip6t_entry_target *t;
1462 struct compat_ip6t_entry __user *ce;
1463 u_int16_t target_offset, next_offset;
1464 compat_uint_t origsize;
1469 ce = (struct compat_ip6t_entry __user *)*dstptr;
1470 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)))
1473 if (copy_to_user(&ce->counters, &counters[*i], sizeof(counters[*i])))
1476 *dstptr += sizeof(struct compat_ip6t_entry);
1477 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1479 ret = IP6T_MATCH_ITERATE(e, xt_compat_match_to_user, dstptr, size);
1480 target_offset = e->target_offset - (origsize - *size);
1483 t = ip6t_get_target(e);
1484 ret = xt_compat_target_to_user(t, dstptr, size);
1488 next_offset = e->next_offset - (origsize - *size);
1489 if (put_user(target_offset, &ce->target_offset))
1491 if (put_user(next_offset, &ce->next_offset))
1501 compat_find_calc_match(struct ip6t_entry_match *m,
1503 const struct ip6t_ip6 *ipv6,
1504 unsigned int hookmask,
1505 int *size, unsigned int *i)
1507 struct xt_match *match;
1509 match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
1510 m->u.user.revision),
1511 "ip6t_%s", m->u.user.name);
1512 if (IS_ERR(match) || !match) {
1513 duprintf("compat_check_calc_match: `%s' not found\n",
1515 return match ? PTR_ERR(match) : -ENOENT;
1517 m->u.kernel.match = match;
1518 *size += xt_compat_match_offset(match);
1525 compat_release_match(struct ip6t_entry_match *m, unsigned int *i)
1527 if (i && (*i)-- == 0)
1530 module_put(m->u.kernel.match->me);
1535 compat_release_entry(struct compat_ip6t_entry *e, unsigned int *i)
1537 struct ip6t_entry_target *t;
1539 if (i && (*i)-- == 0)
1542 /* Cleanup all matches */
1543 COMPAT_IP6T_MATCH_ITERATE(e, compat_release_match, NULL);
1544 t = compat_ip6t_get_target(e);
1545 module_put(t->u.kernel.target->me);
1550 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1551 struct xt_table_info *newinfo,
1553 unsigned char *base,
1554 unsigned char *limit,
1555 unsigned int *hook_entries,
1556 unsigned int *underflows,
1560 struct ip6t_entry_target *t;
1561 struct xt_target *target;
1562 unsigned int entry_offset;
1566 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1567 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0
1568 || (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
1569 duprintf("Bad offset %p, limit = %p\n", e, limit);
1573 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1574 sizeof(struct compat_xt_entry_target)) {
1575 duprintf("checking: element %p size %u\n",
1580 /* For purposes of check_entry casting the compat entry is fine */
1581 ret = check_entry((struct ip6t_entry *)e, name);
1585 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1586 entry_offset = (void *)e - (void *)base;
1588 ret = COMPAT_IP6T_MATCH_ITERATE(e, compat_find_calc_match, name,
1589 &e->ipv6, e->comefrom, &off, &j);
1591 goto release_matches;
1593 t = compat_ip6t_get_target(e);
1594 target = try_then_request_module(xt_find_target(AF_INET6,
1596 t->u.user.revision),
1597 "ip6t_%s", t->u.user.name);
1598 if (IS_ERR(target) || !target) {
1599 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1601 ret = target ? PTR_ERR(target) : -ENOENT;
1602 goto release_matches;
1604 t->u.kernel.target = target;
1606 off += xt_compat_target_offset(target);
1608 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1612 /* Check hooks & underflows */
1613 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1614 if ((unsigned char *)e - base == hook_entries[h])
1615 newinfo->hook_entry[h] = hook_entries[h];
1616 if ((unsigned char *)e - base == underflows[h])
1617 newinfo->underflow[h] = underflows[h];
1620 /* Clear counters and comefrom */
1621 memset(&e->counters, 0, sizeof(e->counters));
1628 module_put(t->u.kernel.target->me);
1630 IP6T_MATCH_ITERATE(e, compat_release_match, &j);
1635 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1636 unsigned int *size, const char *name,
1637 struct xt_table_info *newinfo, unsigned char *base)
1639 struct ip6t_entry_target *t;
1640 struct xt_target *target;
1641 struct ip6t_entry *de;
1642 unsigned int origsize;
1647 de = (struct ip6t_entry *)*dstptr;
1648 memcpy(de, e, sizeof(struct ip6t_entry));
1649 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1651 *dstptr += sizeof(struct ip6t_entry);
1652 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1654 ret = COMPAT_IP6T_MATCH_ITERATE(e, xt_compat_match_from_user,
1658 de->target_offset = e->target_offset - (origsize - *size);
1659 t = compat_ip6t_get_target(e);
1660 target = t->u.kernel.target;
1661 xt_compat_target_from_user(t, dstptr, size);
1663 de->next_offset = e->next_offset - (origsize - *size);
1664 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1665 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1666 newinfo->hook_entry[h] -= origsize - *size;
1667 if ((unsigned char *)de - base < newinfo->underflow[h])
1668 newinfo->underflow[h] -= origsize - *size;
1673 static int compat_check_entry(struct ip6t_entry *e, const char *name,
1678 struct xt_mtchk_param mtpar;
1682 mtpar.entryinfo = &e->ipv6;
1683 mtpar.hook_mask = e->comefrom;
1684 mtpar.family = NFPROTO_IPV6;
1685 ret = IP6T_MATCH_ITERATE(e, check_match, &mtpar, &j);
1687 goto cleanup_matches;
1689 ret = check_target(e, name);
1691 goto cleanup_matches;
1697 IP6T_MATCH_ITERATE(e, cleanup_match, &j);
1702 translate_compat_table(const char *name,
1703 unsigned int valid_hooks,
1704 struct xt_table_info **pinfo,
1706 unsigned int total_size,
1707 unsigned int number,
1708 unsigned int *hook_entries,
1709 unsigned int *underflows)
1712 struct xt_table_info *newinfo, *info;
1713 void *pos, *entry0, *entry1;
1720 info->number = number;
1722 /* Init all hooks to impossible value. */
1723 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1724 info->hook_entry[i] = 0xFFFFFFFF;
1725 info->underflow[i] = 0xFFFFFFFF;
1728 duprintf("translate_compat_table: size %u\n", info->size);
1730 xt_compat_lock(AF_INET6);
1731 /* Walk through entries, checking offsets. */
1732 ret = COMPAT_IP6T_ENTRY_ITERATE(entry0, total_size,
1733 check_compat_entry_size_and_hooks,
1734 info, &size, entry0,
1735 entry0 + total_size,
1736 hook_entries, underflows, &j, name);
1742 duprintf("translate_compat_table: %u not %u entries\n",
1747 /* Check hooks all assigned */
1748 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1749 /* Only hooks which are valid */
1750 if (!(valid_hooks & (1 << i)))
1752 if (info->hook_entry[i] == 0xFFFFFFFF) {
1753 duprintf("Invalid hook entry %u %u\n",
1754 i, hook_entries[i]);
1757 if (info->underflow[i] == 0xFFFFFFFF) {
1758 duprintf("Invalid underflow %u %u\n",
1765 newinfo = xt_alloc_table_info(size);
1769 newinfo->number = number;
1770 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1771 newinfo->hook_entry[i] = info->hook_entry[i];
1772 newinfo->underflow[i] = info->underflow[i];
1774 entry1 = newinfo->entries[raw_smp_processor_id()];
1777 ret = COMPAT_IP6T_ENTRY_ITERATE(entry0, total_size,
1778 compat_copy_entry_from_user,
1779 &pos, &size, name, newinfo, entry1);
1780 xt_compat_flush_offsets(AF_INET6);
1781 xt_compat_unlock(AF_INET6);
1786 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1790 ret = IP6T_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
1794 COMPAT_IP6T_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i,
1795 compat_release_entry, &j);
1796 IP6T_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i);
1797 xt_free_table_info(newinfo);
1801 /* And one copy for every other CPU */
1802 for_each_possible_cpu(i)
1803 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1804 memcpy(newinfo->entries[i], entry1, newinfo->size);
1808 xt_free_table_info(info);
1812 xt_free_table_info(newinfo);
1814 COMPAT_IP6T_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j);
1817 xt_compat_flush_offsets(AF_INET6);
1818 xt_compat_unlock(AF_INET6);
1823 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1826 struct compat_ip6t_replace tmp;
1827 struct xt_table_info *newinfo;
1828 void *loc_cpu_entry;
1830 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1833 /* overflow check */
1834 if (tmp.size >= INT_MAX / num_possible_cpus())
1836 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1839 newinfo = xt_alloc_table_info(tmp.size);
1843 /* choose the copy that is on our node/cpu */
1844 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1845 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1851 ret = translate_compat_table(tmp.name, tmp.valid_hooks,
1852 &newinfo, &loc_cpu_entry, tmp.size,
1853 tmp.num_entries, tmp.hook_entry,
1858 duprintf("compat_do_replace: Translated table\n");
1860 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1861 tmp.num_counters, compat_ptr(tmp.counters));
1863 goto free_newinfo_untrans;
1866 free_newinfo_untrans:
1867 IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1869 xt_free_table_info(newinfo);
1874 compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1879 if (!capable(CAP_NET_ADMIN))
1883 case IP6T_SO_SET_REPLACE:
1884 ret = compat_do_replace(sock_net(sk), user, len);
1887 case IP6T_SO_SET_ADD_COUNTERS:
1888 ret = do_add_counters(sock_net(sk), user, len, 1);
1892 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1899 struct compat_ip6t_get_entries {
1900 char name[IP6T_TABLE_MAXNAMELEN];
1902 struct compat_ip6t_entry entrytable[0];
1906 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1907 void __user *userptr)
1909 struct xt_counters *counters;
1910 const struct xt_table_info *private = table->private;
1914 const void *loc_cpu_entry;
1917 counters = alloc_counters(table);
1918 if (IS_ERR(counters))
1919 return PTR_ERR(counters);
1921 /* choose the copy that is on our node/cpu, ...
1922 * This choice is lazy (because current thread is
1923 * allowed to migrate to another cpu)
1925 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1928 ret = IP6T_ENTRY_ITERATE(loc_cpu_entry, total_size,
1929 compat_copy_entry_to_user,
1930 &pos, &size, counters, &i);
1937 compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1941 struct compat_ip6t_get_entries get;
1944 if (*len < sizeof(get)) {
1945 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1949 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1952 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size) {
1953 duprintf("compat_get_entries: %u != %zu\n",
1954 *len, sizeof(get) + get.size);
1958 xt_compat_lock(AF_INET6);
1959 t = xt_find_table_lock(net, AF_INET6, get.name);
1960 if (t && !IS_ERR(t)) {
1961 const struct xt_table_info *private = t->private;
1962 struct xt_table_info info;
1963 duprintf("t->private->number = %u\n", private->number);
1964 ret = compat_table_info(private, &info);
1965 if (!ret && get.size == info.size) {
1966 ret = compat_copy_entries_to_user(private->size,
1967 t, uptr->entrytable);
1969 duprintf("compat_get_entries: I've got %u not %u!\n",
1970 private->size, get.size);
1973 xt_compat_flush_offsets(AF_INET6);
1977 ret = t ? PTR_ERR(t) : -ENOENT;
1979 xt_compat_unlock(AF_INET6);
1983 static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1986 compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1990 if (!capable(CAP_NET_ADMIN))
1994 case IP6T_SO_GET_INFO:
1995 ret = get_info(sock_net(sk), user, len, 1);
1997 case IP6T_SO_GET_ENTRIES:
1998 ret = compat_get_entries(sock_net(sk), user, len);
2001 ret = do_ip6t_get_ctl(sk, cmd, user, len);
2008 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2012 if (!capable(CAP_NET_ADMIN))
2016 case IP6T_SO_SET_REPLACE:
2017 ret = do_replace(sock_net(sk), user, len);
2020 case IP6T_SO_SET_ADD_COUNTERS:
2021 ret = do_add_counters(sock_net(sk), user, len, 0);
2025 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
2033 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2037 if (!capable(CAP_NET_ADMIN))
2041 case IP6T_SO_GET_INFO:
2042 ret = get_info(sock_net(sk), user, len, 0);
2045 case IP6T_SO_GET_ENTRIES:
2046 ret = get_entries(sock_net(sk), user, len);
2049 case IP6T_SO_GET_REVISION_MATCH:
2050 case IP6T_SO_GET_REVISION_TARGET: {
2051 struct ip6t_get_revision rev;
2054 if (*len != sizeof(rev)) {
2058 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2063 if (cmd == IP6T_SO_GET_REVISION_TARGET)
2068 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
2071 "ip6t_%s", rev.name);
2076 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
2083 struct xt_table *ip6t_register_table(struct net *net, struct xt_table *table,
2084 const struct ip6t_replace *repl)
2087 struct xt_table_info *newinfo;
2088 struct xt_table_info bootstrap
2089 = { 0, 0, 0, { 0 }, { 0 }, { } };
2090 void *loc_cpu_entry;
2091 struct xt_table *new_table;
2093 newinfo = xt_alloc_table_info(repl->size);
2099 /* choose the copy on our node/cpu, but dont care about preemption */
2100 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2101 memcpy(loc_cpu_entry, repl->entries, repl->size);
2103 ret = translate_table(table->name, table->valid_hooks,
2104 newinfo, loc_cpu_entry, repl->size,
2111 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2112 if (IS_ERR(new_table)) {
2113 ret = PTR_ERR(new_table);
2119 xt_free_table_info(newinfo);
2121 return ERR_PTR(ret);
2124 void ip6t_unregister_table(struct xt_table *table)
2126 struct xt_table_info *private;
2127 void *loc_cpu_entry;
2128 struct module *table_owner = table->me;
2130 private = xt_unregister_table(table);
2132 /* Decrease module usage counts and free resources */
2133 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2134 IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
2135 if (private->number > private->initial_entries)
2136 module_put(table_owner);
2137 xt_free_table_info(private);
2140 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2142 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2143 u_int8_t type, u_int8_t code,
2146 return (type == test_type && code >= min_code && code <= max_code)
2151 icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
2153 const struct icmp6hdr *ic;
2154 struct icmp6hdr _icmph;
2155 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2157 /* Must not be a fragment. */
2158 if (par->fragoff != 0)
2161 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2163 /* We've been asked to examine this packet, and we
2164 * can't. Hence, no choice but to drop.
2166 duprintf("Dropping evil ICMP tinygram.\n");
2167 *par->hotdrop = true;
2171 return icmp6_type_code_match(icmpinfo->type,
2174 ic->icmp6_type, ic->icmp6_code,
2175 !!(icmpinfo->invflags&IP6T_ICMP_INV));
2178 /* Called when user tries to insert an entry of this type. */
2179 static bool icmp6_checkentry(const struct xt_mtchk_param *par)
2181 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2183 /* Must specify no unknown invflags */
2184 return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
2187 /* The built-in targets: standard (NULL) and error. */
2188 static struct xt_target ip6t_standard_target __read_mostly = {
2189 .name = IP6T_STANDARD_TARGET,
2190 .targetsize = sizeof(int),
2191 .family = NFPROTO_IPV6,
2192 #ifdef CONFIG_COMPAT
2193 .compatsize = sizeof(compat_int_t),
2194 .compat_from_user = compat_standard_from_user,
2195 .compat_to_user = compat_standard_to_user,
2199 static struct xt_target ip6t_error_target __read_mostly = {
2200 .name = IP6T_ERROR_TARGET,
2201 .target = ip6t_error,
2202 .targetsize = IP6T_FUNCTION_MAXNAMELEN,
2203 .family = NFPROTO_IPV6,
2206 static struct nf_sockopt_ops ip6t_sockopts = {
2208 .set_optmin = IP6T_BASE_CTL,
2209 .set_optmax = IP6T_SO_SET_MAX+1,
2210 .set = do_ip6t_set_ctl,
2211 #ifdef CONFIG_COMPAT
2212 .compat_set = compat_do_ip6t_set_ctl,
2214 .get_optmin = IP6T_BASE_CTL,
2215 .get_optmax = IP6T_SO_GET_MAX+1,
2216 .get = do_ip6t_get_ctl,
2217 #ifdef CONFIG_COMPAT
2218 .compat_get = compat_do_ip6t_get_ctl,
2220 .owner = THIS_MODULE,
2223 static struct xt_match icmp6_matchstruct __read_mostly = {
2225 .match = icmp6_match,
2226 .matchsize = sizeof(struct ip6t_icmp),
2227 .checkentry = icmp6_checkentry,
2228 .proto = IPPROTO_ICMPV6,
2229 .family = NFPROTO_IPV6,
2232 static int __net_init ip6_tables_net_init(struct net *net)
2234 return xt_proto_init(net, NFPROTO_IPV6);
2237 static void __net_exit ip6_tables_net_exit(struct net *net)
2239 xt_proto_fini(net, NFPROTO_IPV6);
2242 static struct pernet_operations ip6_tables_net_ops = {
2243 .init = ip6_tables_net_init,
2244 .exit = ip6_tables_net_exit,
2247 static int __init ip6_tables_init(void)
2251 ret = register_pernet_subsys(&ip6_tables_net_ops);
2255 /* Noone else will be downing sem now, so we won't sleep */
2256 ret = xt_register_target(&ip6t_standard_target);
2259 ret = xt_register_target(&ip6t_error_target);
2262 ret = xt_register_match(&icmp6_matchstruct);
2266 /* Register setsockopt */
2267 ret = nf_register_sockopt(&ip6t_sockopts);
2271 printk(KERN_INFO "ip6_tables: (C) 2000-2006 Netfilter Core Team\n");
2275 xt_unregister_match(&icmp6_matchstruct);
2277 xt_unregister_target(&ip6t_error_target);
2279 xt_unregister_target(&ip6t_standard_target);
2281 unregister_pernet_subsys(&ip6_tables_net_ops);
2286 static void __exit ip6_tables_fini(void)
2288 nf_unregister_sockopt(&ip6t_sockopts);
2290 xt_unregister_match(&icmp6_matchstruct);
2291 xt_unregister_target(&ip6t_error_target);
2292 xt_unregister_target(&ip6t_standard_target);
2294 unregister_pernet_subsys(&ip6_tables_net_ops);
2298 * find the offset to specified header or the protocol number of last header
2299 * if target < 0. "last header" is transport protocol header, ESP, or
2302 * If target header is found, its offset is set in *offset and return protocol
2303 * number. Otherwise, return -1.
2305 * If the first fragment doesn't contain the final protocol header or
2306 * NEXTHDR_NONE it is considered invalid.
2308 * Note that non-1st fragment is special case that "the protocol number
2309 * of last header" is "next header" field in Fragment header. In this case,
2310 * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
2314 int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
2315 int target, unsigned short *fragoff)
2317 unsigned int start = skb_network_offset(skb) + sizeof(struct ipv6hdr);
2318 u8 nexthdr = ipv6_hdr(skb)->nexthdr;
2319 unsigned int len = skb->len - start;
2324 while (nexthdr != target) {
2325 struct ipv6_opt_hdr _hdr, *hp;
2326 unsigned int hdrlen;
2328 if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
2334 hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
2337 if (nexthdr == NEXTHDR_FRAGMENT) {
2338 unsigned short _frag_off;
2340 fp = skb_header_pointer(skb,
2341 start+offsetof(struct frag_hdr,
2348 _frag_off = ntohs(*fp) & ~0x7;
2351 ((!ipv6_ext_hdr(hp->nexthdr)) ||
2352 hp->nexthdr == NEXTHDR_NONE)) {
2354 *fragoff = _frag_off;
2360 } else if (nexthdr == NEXTHDR_AUTH)
2361 hdrlen = (hp->hdrlen + 2) << 2;
2363 hdrlen = ipv6_optlen(hp);
2365 nexthdr = hp->nexthdr;
2374 EXPORT_SYMBOL(ip6t_register_table);
2375 EXPORT_SYMBOL(ip6t_unregister_table);
2376 EXPORT_SYMBOL(ip6t_do_table);
2377 EXPORT_SYMBOL(ip6t_ext_hdr);
2378 EXPORT_SYMBOL(ipv6_find_hdr);
2380 module_init(ip6_tables_init);
2381 module_exit(ip6_tables_fini);