2 * x_tables core - Backend for {ip,ip6,arp}_tables
4 * Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
6 * Based on existing ip_tables code which is
7 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
8 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
16 #include <linux/kernel.h>
17 #include <linux/socket.h>
18 #include <linux/net.h>
19 #include <linux/proc_fs.h>
20 #include <linux/seq_file.h>
21 #include <linux/string.h>
22 #include <linux/vmalloc.h>
23 #include <linux/mutex.h>
25 #include <net/net_namespace.h>
27 #include <linux/netfilter/x_tables.h>
28 #include <linux/netfilter_arp.h>
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
33 MODULE_DESCRIPTION("[ip,ip6,arp]_tables backend module");
35 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
38 struct compat_delta *next;
45 struct list_head match;
46 struct list_head target;
48 struct mutex compat_mutex;
49 struct compat_delta *compat_offsets;
53 static struct xt_af *xt;
55 #ifdef DEBUG_IP_FIREWALL_USER
56 #define duprintf(format, args...) printk(format , ## args)
58 #define duprintf(format, args...)
67 static const char *xt_prefix[NPROTO] = {
73 /* Registration hooks for targets. */
75 xt_register_target(struct xt_target *target)
77 int ret, af = target->family;
79 ret = mutex_lock_interruptible(&xt[af].mutex);
82 list_add(&target->list, &xt[af].target);
83 mutex_unlock(&xt[af].mutex);
86 EXPORT_SYMBOL(xt_register_target);
89 xt_unregister_target(struct xt_target *target)
91 int af = target->family;
93 mutex_lock(&xt[af].mutex);
94 list_del(&target->list);
95 mutex_unlock(&xt[af].mutex);
97 EXPORT_SYMBOL(xt_unregister_target);
100 xt_register_targets(struct xt_target *target, unsigned int n)
105 for (i = 0; i < n; i++) {
106 err = xt_register_target(&target[i]);
114 xt_unregister_targets(target, i);
117 EXPORT_SYMBOL(xt_register_targets);
120 xt_unregister_targets(struct xt_target *target, unsigned int n)
124 for (i = 0; i < n; i++)
125 xt_unregister_target(&target[i]);
127 EXPORT_SYMBOL(xt_unregister_targets);
130 xt_register_match(struct xt_match *match)
132 int ret, af = match->family;
134 ret = mutex_lock_interruptible(&xt[af].mutex);
138 list_add(&match->list, &xt[af].match);
139 mutex_unlock(&xt[af].mutex);
143 EXPORT_SYMBOL(xt_register_match);
146 xt_unregister_match(struct xt_match *match)
148 int af = match->family;
150 mutex_lock(&xt[af].mutex);
151 list_del(&match->list);
152 mutex_unlock(&xt[af].mutex);
154 EXPORT_SYMBOL(xt_unregister_match);
157 xt_register_matches(struct xt_match *match, unsigned int n)
162 for (i = 0; i < n; i++) {
163 err = xt_register_match(&match[i]);
171 xt_unregister_matches(match, i);
174 EXPORT_SYMBOL(xt_register_matches);
177 xt_unregister_matches(struct xt_match *match, unsigned int n)
181 for (i = 0; i < n; i++)
182 xt_unregister_match(&match[i]);
184 EXPORT_SYMBOL(xt_unregister_matches);
188 * These are weird, but module loading must not be done with mutex
189 * held (since they will register), and we have to have a single
190 * function to use try_then_request_module().
193 /* Find match, grabs ref. Returns ERR_PTR() on error. */
194 struct xt_match *xt_find_match(int af, const char *name, u8 revision)
199 if (mutex_lock_interruptible(&xt[af].mutex) != 0)
200 return ERR_PTR(-EINTR);
202 list_for_each_entry(m, &xt[af].match, list) {
203 if (strcmp(m->name, name) == 0) {
204 if (m->revision == revision) {
205 if (try_module_get(m->me)) {
206 mutex_unlock(&xt[af].mutex);
210 err = -EPROTOTYPE; /* Found something. */
213 mutex_unlock(&xt[af].mutex);
216 EXPORT_SYMBOL(xt_find_match);
218 /* Find target, grabs ref. Returns ERR_PTR() on error. */
219 struct xt_target *xt_find_target(int af, const char *name, u8 revision)
224 if (mutex_lock_interruptible(&xt[af].mutex) != 0)
225 return ERR_PTR(-EINTR);
227 list_for_each_entry(t, &xt[af].target, list) {
228 if (strcmp(t->name, name) == 0) {
229 if (t->revision == revision) {
230 if (try_module_get(t->me)) {
231 mutex_unlock(&xt[af].mutex);
235 err = -EPROTOTYPE; /* Found something. */
238 mutex_unlock(&xt[af].mutex);
241 EXPORT_SYMBOL(xt_find_target);
243 struct xt_target *xt_request_find_target(int af, const char *name, u8 revision)
245 struct xt_target *target;
247 target = try_then_request_module(xt_find_target(af, name, revision),
248 "%st_%s", xt_prefix[af], name);
249 if (IS_ERR(target) || !target)
253 EXPORT_SYMBOL_GPL(xt_request_find_target);
255 static int match_revfn(int af, const char *name, u8 revision, int *bestp)
260 list_for_each_entry(m, &xt[af].match, list) {
261 if (strcmp(m->name, name) == 0) {
262 if (m->revision > *bestp)
263 *bestp = m->revision;
264 if (m->revision == revision)
271 static int target_revfn(int af, const char *name, u8 revision, int *bestp)
276 list_for_each_entry(t, &xt[af].target, list) {
277 if (strcmp(t->name, name) == 0) {
278 if (t->revision > *bestp)
279 *bestp = t->revision;
280 if (t->revision == revision)
287 /* Returns true or false (if no such extension at all) */
288 int xt_find_revision(int af, const char *name, u8 revision, int target,
291 int have_rev, best = -1;
293 if (mutex_lock_interruptible(&xt[af].mutex) != 0) {
298 have_rev = target_revfn(af, name, revision, &best);
300 have_rev = match_revfn(af, name, revision, &best);
301 mutex_unlock(&xt[af].mutex);
303 /* Nothing at all? Return 0 to try loading module. */
311 *err = -EPROTONOSUPPORT;
314 EXPORT_SYMBOL_GPL(xt_find_revision);
316 int xt_check_match(const struct xt_match *match, unsigned short family,
317 unsigned int size, const char *table, unsigned int hook_mask,
318 unsigned short proto, int inv_proto)
320 if (XT_ALIGN(match->matchsize) != size) {
321 printk("%s_tables: %s match: invalid size %Zu != %u\n",
322 xt_prefix[family], match->name,
323 XT_ALIGN(match->matchsize), size);
326 if (match->table && strcmp(match->table, table)) {
327 printk("%s_tables: %s match: only valid in %s table, not %s\n",
328 xt_prefix[family], match->name, match->table, table);
331 if (match->hooks && (hook_mask & ~match->hooks) != 0) {
332 printk("%s_tables: %s match: bad hook_mask %u/%u\n",
333 xt_prefix[family], match->name, hook_mask, match->hooks);
336 if (match->proto && (match->proto != proto || inv_proto)) {
337 printk("%s_tables: %s match: only valid for protocol %u\n",
338 xt_prefix[family], match->name, match->proto);
343 EXPORT_SYMBOL_GPL(xt_check_match);
346 int xt_compat_add_offset(int af, unsigned int offset, short delta)
348 struct compat_delta *tmp;
350 tmp = kmalloc(sizeof(struct compat_delta), GFP_KERNEL);
354 tmp->offset = offset;
357 if (xt[af].compat_offsets) {
358 tmp->next = xt[af].compat_offsets->next;
359 xt[af].compat_offsets->next = tmp;
361 xt[af].compat_offsets = tmp;
366 EXPORT_SYMBOL_GPL(xt_compat_add_offset);
368 void xt_compat_flush_offsets(int af)
370 struct compat_delta *tmp, *next;
372 if (xt[af].compat_offsets) {
373 for (tmp = xt[af].compat_offsets; tmp; tmp = next) {
377 xt[af].compat_offsets = NULL;
380 EXPORT_SYMBOL_GPL(xt_compat_flush_offsets);
382 short xt_compat_calc_jump(int af, unsigned int offset)
384 struct compat_delta *tmp;
387 for (tmp = xt[af].compat_offsets, delta = 0; tmp; tmp = tmp->next)
388 if (tmp->offset < offset)
392 EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
394 int xt_compat_match_offset(struct xt_match *match)
396 u_int16_t csize = match->compatsize ? : match->matchsize;
397 return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
399 EXPORT_SYMBOL_GPL(xt_compat_match_offset);
401 int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
404 struct xt_match *match = m->u.kernel.match;
405 struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
406 int pad, off = xt_compat_match_offset(match);
407 u_int16_t msize = cm->u.user.match_size;
410 memcpy(m, cm, sizeof(*cm));
411 if (match->compat_from_user)
412 match->compat_from_user(m->data, cm->data);
414 memcpy(m->data, cm->data, msize - sizeof(*cm));
415 pad = XT_ALIGN(match->matchsize) - match->matchsize;
417 memset(m->data + match->matchsize, 0, pad);
420 m->u.user.match_size = msize;
426 EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
428 int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr,
431 struct xt_match *match = m->u.kernel.match;
432 struct compat_xt_entry_match __user *cm = *dstptr;
433 int off = xt_compat_match_offset(match);
434 u_int16_t msize = m->u.user.match_size - off;
436 if (copy_to_user(cm, m, sizeof(*cm)) ||
437 put_user(msize, &cm->u.user.match_size) ||
438 copy_to_user(cm->u.user.name, m->u.kernel.match->name,
439 strlen(m->u.kernel.match->name) + 1))
442 if (match->compat_to_user) {
443 if (match->compat_to_user((void __user *)cm->data, m->data))
446 if (copy_to_user(cm->data, m->data, msize - sizeof(*cm)))
454 EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
455 #endif /* CONFIG_COMPAT */
457 int xt_check_target(const struct xt_target *target, unsigned short family,
458 unsigned int size, const char *table, unsigned int hook_mask,
459 unsigned short proto, int inv_proto)
461 if (XT_ALIGN(target->targetsize) != size) {
462 printk("%s_tables: %s target: invalid size %Zu != %u\n",
463 xt_prefix[family], target->name,
464 XT_ALIGN(target->targetsize), size);
467 if (target->table && strcmp(target->table, table)) {
468 printk("%s_tables: %s target: only valid in %s table, not %s\n",
469 xt_prefix[family], target->name, target->table, table);
472 if (target->hooks && (hook_mask & ~target->hooks) != 0) {
473 printk("%s_tables: %s target: bad hook_mask %u/%u\n",
474 xt_prefix[family], target->name, hook_mask,
478 if (target->proto && (target->proto != proto || inv_proto)) {
479 printk("%s_tables: %s target: only valid for protocol %u\n",
480 xt_prefix[family], target->name, target->proto);
485 EXPORT_SYMBOL_GPL(xt_check_target);
488 int xt_compat_target_offset(struct xt_target *target)
490 u_int16_t csize = target->compatsize ? : target->targetsize;
491 return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
493 EXPORT_SYMBOL_GPL(xt_compat_target_offset);
495 void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
498 struct xt_target *target = t->u.kernel.target;
499 struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
500 int pad, off = xt_compat_target_offset(target);
501 u_int16_t tsize = ct->u.user.target_size;
504 memcpy(t, ct, sizeof(*ct));
505 if (target->compat_from_user)
506 target->compat_from_user(t->data, ct->data);
508 memcpy(t->data, ct->data, tsize - sizeof(*ct));
509 pad = XT_ALIGN(target->targetsize) - target->targetsize;
511 memset(t->data + target->targetsize, 0, pad);
514 t->u.user.target_size = tsize;
519 EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
521 int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr,
524 struct xt_target *target = t->u.kernel.target;
525 struct compat_xt_entry_target __user *ct = *dstptr;
526 int off = xt_compat_target_offset(target);
527 u_int16_t tsize = t->u.user.target_size - off;
529 if (copy_to_user(ct, t, sizeof(*ct)) ||
530 put_user(tsize, &ct->u.user.target_size) ||
531 copy_to_user(ct->u.user.name, t->u.kernel.target->name,
532 strlen(t->u.kernel.target->name) + 1))
535 if (target->compat_to_user) {
536 if (target->compat_to_user((void __user *)ct->data, t->data))
539 if (copy_to_user(ct->data, t->data, tsize - sizeof(*ct)))
547 EXPORT_SYMBOL_GPL(xt_compat_target_to_user);
550 struct xt_table_info *xt_alloc_table_info(unsigned int size)
552 struct xt_table_info *newinfo;
555 /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
556 if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > num_physpages)
559 newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL);
563 newinfo->size = size;
565 for_each_possible_cpu(cpu) {
566 if (size <= PAGE_SIZE)
567 newinfo->entries[cpu] = kmalloc_node(size,
571 newinfo->entries[cpu] = vmalloc_node(size,
574 if (newinfo->entries[cpu] == NULL) {
575 xt_free_table_info(newinfo);
582 EXPORT_SYMBOL(xt_alloc_table_info);
584 void xt_free_table_info(struct xt_table_info *info)
588 for_each_possible_cpu(cpu) {
589 if (info->size <= PAGE_SIZE)
590 kfree(info->entries[cpu]);
592 vfree(info->entries[cpu]);
596 EXPORT_SYMBOL(xt_free_table_info);
598 /* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */
599 struct xt_table *xt_find_table_lock(struct net *net, int af, const char *name)
603 if (mutex_lock_interruptible(&xt[af].mutex) != 0)
604 return ERR_PTR(-EINTR);
606 list_for_each_entry(t, &net->xt.tables[af], list)
607 if (strcmp(t->name, name) == 0 && try_module_get(t->me))
609 mutex_unlock(&xt[af].mutex);
612 EXPORT_SYMBOL_GPL(xt_find_table_lock);
614 void xt_table_unlock(struct xt_table *table)
616 mutex_unlock(&xt[table->af].mutex);
618 EXPORT_SYMBOL_GPL(xt_table_unlock);
621 void xt_compat_lock(int af)
623 mutex_lock(&xt[af].compat_mutex);
625 EXPORT_SYMBOL_GPL(xt_compat_lock);
627 void xt_compat_unlock(int af)
629 mutex_unlock(&xt[af].compat_mutex);
631 EXPORT_SYMBOL_GPL(xt_compat_unlock);
634 struct xt_table_info *
635 xt_replace_table(struct xt_table *table,
636 unsigned int num_counters,
637 struct xt_table_info *newinfo,
640 struct xt_table_info *oldinfo, *private;
642 /* Do the substitution. */
643 write_lock_bh(&table->lock);
644 private = table->private;
645 /* Check inside lock: is the old number correct? */
646 if (num_counters != private->number) {
647 duprintf("num_counters != table->private->number (%u/%u)\n",
648 num_counters, private->number);
649 write_unlock_bh(&table->lock);
654 table->private = newinfo;
655 newinfo->initial_entries = oldinfo->initial_entries;
656 write_unlock_bh(&table->lock);
660 EXPORT_SYMBOL_GPL(xt_replace_table);
662 struct xt_table *xt_register_table(struct net *net, struct xt_table *table,
663 struct xt_table_info *bootstrap,
664 struct xt_table_info *newinfo)
667 struct xt_table_info *private;
670 /* Don't add one object to multiple lists. */
671 table = kmemdup(table, sizeof(struct xt_table), GFP_KERNEL);
677 ret = mutex_lock_interruptible(&xt[table->af].mutex);
681 /* Don't autoload: we'd eat our tail... */
682 list_for_each_entry(t, &net->xt.tables[table->af], list) {
683 if (strcmp(t->name, table->name) == 0) {
689 /* Simplifies replace_table code. */
690 table->private = bootstrap;
691 rwlock_init(&table->lock);
692 if (!xt_replace_table(table, 0, newinfo, &ret))
695 private = table->private;
696 duprintf("table->private->number = %u\n", private->number);
698 /* save number of initial entries */
699 private->initial_entries = private->number;
701 list_add(&table->list, &net->xt.tables[table->af]);
702 mutex_unlock(&xt[table->af].mutex);
706 mutex_unlock(&xt[table->af].mutex);
712 EXPORT_SYMBOL_GPL(xt_register_table);
714 void *xt_unregister_table(struct xt_table *table)
716 struct xt_table_info *private;
718 mutex_lock(&xt[table->af].mutex);
719 private = table->private;
720 list_del(&table->list);
721 mutex_unlock(&xt[table->af].mutex);
726 EXPORT_SYMBOL_GPL(xt_unregister_table);
728 #ifdef CONFIG_PROC_FS
729 static struct list_head *xt_get_idx(struct list_head *list, struct seq_file *seq, loff_t pos)
731 struct list_head *head = list->next;
733 if (!head || list_empty(list))
736 while (pos && (head = head->next)) {
741 return pos ? NULL : head;
744 static struct list_head *type2list(u_int16_t af, u_int16_t type)
746 struct list_head *list;
750 list = &xt[af].target;
753 list = &xt[af].match;
756 list = &init_net.xt.tables[af];
766 static void *xt_tgt_seq_start(struct seq_file *seq, loff_t *pos)
768 struct proc_dir_entry *pde = (struct proc_dir_entry *) seq->private;
769 u_int16_t af = (unsigned long)pde->data & 0xffff;
770 u_int16_t type = (unsigned long)pde->data >> 16;
771 struct list_head *list;
776 list = type2list(af, type);
780 if (mutex_lock_interruptible(&xt[af].mutex) != 0)
783 return xt_get_idx(list, seq, *pos);
786 static void *xt_tgt_seq_next(struct seq_file *seq, void *v, loff_t *pos)
788 struct proc_dir_entry *pde = seq->private;
789 u_int16_t af = (unsigned long)pde->data & 0xffff;
790 u_int16_t type = (unsigned long)pde->data >> 16;
791 struct list_head *list;
796 list = type2list(af, type);
801 return xt_get_idx(list, seq, *pos);
804 static void xt_tgt_seq_stop(struct seq_file *seq, void *v)
806 struct proc_dir_entry *pde = seq->private;
807 u_int16_t af = (unsigned long)pde->data & 0xffff;
809 mutex_unlock(&xt[af].mutex);
812 static int xt_name_seq_show(struct seq_file *seq, void *v)
814 char *name = (char *)v + sizeof(struct list_head);
817 return seq_printf(seq, "%s\n", name);
822 static const struct seq_operations xt_tgt_seq_ops = {
823 .start = xt_tgt_seq_start,
824 .next = xt_tgt_seq_next,
825 .stop = xt_tgt_seq_stop,
826 .show = xt_name_seq_show,
829 static int xt_tgt_open(struct inode *inode, struct file *file)
833 ret = seq_open(file, &xt_tgt_seq_ops);
835 struct seq_file *seq = file->private_data;
836 struct proc_dir_entry *pde = PDE(inode);
844 static const struct file_operations xt_file_ops = {
845 .owner = THIS_MODULE,
849 .release = seq_release,
852 #define FORMAT_TABLES "_tables_names"
853 #define FORMAT_MATCHES "_tables_matches"
854 #define FORMAT_TARGETS "_tables_targets"
856 #endif /* CONFIG_PROC_FS */
858 int xt_proto_init(int af)
860 #ifdef CONFIG_PROC_FS
861 char buf[XT_FUNCTION_MAXNAMELEN];
862 struct proc_dir_entry *proc;
869 #ifdef CONFIG_PROC_FS
870 strlcpy(buf, xt_prefix[af], sizeof(buf));
871 strlcat(buf, FORMAT_TABLES, sizeof(buf));
872 proc = proc_net_fops_create(&init_net, buf, 0440, &xt_file_ops);
875 proc->data = (void *) ((unsigned long) af | (TABLE << 16));
878 strlcpy(buf, xt_prefix[af], sizeof(buf));
879 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
880 proc = proc_net_fops_create(&init_net, buf, 0440, &xt_file_ops);
882 goto out_remove_tables;
883 proc->data = (void *) ((unsigned long) af | (MATCH << 16));
885 strlcpy(buf, xt_prefix[af], sizeof(buf));
886 strlcat(buf, FORMAT_TARGETS, sizeof(buf));
887 proc = proc_net_fops_create(&init_net, buf, 0440, &xt_file_ops);
889 goto out_remove_matches;
890 proc->data = (void *) ((unsigned long) af | (TARGET << 16));
895 #ifdef CONFIG_PROC_FS
897 strlcpy(buf, xt_prefix[af], sizeof(buf));
898 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
899 proc_net_remove(&init_net, buf);
902 strlcpy(buf, xt_prefix[af], sizeof(buf));
903 strlcat(buf, FORMAT_TABLES, sizeof(buf));
904 proc_net_remove(&init_net, buf);
909 EXPORT_SYMBOL_GPL(xt_proto_init);
911 void xt_proto_fini(int af)
913 #ifdef CONFIG_PROC_FS
914 char buf[XT_FUNCTION_MAXNAMELEN];
916 strlcpy(buf, xt_prefix[af], sizeof(buf));
917 strlcat(buf, FORMAT_TABLES, sizeof(buf));
918 proc_net_remove(&init_net, buf);
920 strlcpy(buf, xt_prefix[af], sizeof(buf));
921 strlcat(buf, FORMAT_TARGETS, sizeof(buf));
922 proc_net_remove(&init_net, buf);
924 strlcpy(buf, xt_prefix[af], sizeof(buf));
925 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
926 proc_net_remove(&init_net, buf);
927 #endif /*CONFIG_PROC_FS*/
929 EXPORT_SYMBOL_GPL(xt_proto_fini);
931 static int __net_init xt_net_init(struct net *net)
935 for (i = 0; i < NPROTO; i++)
936 INIT_LIST_HEAD(&net->xt.tables[i]);
940 static struct pernet_operations xt_net_ops = {
944 static int __init xt_init(void)
948 xt = kmalloc(sizeof(struct xt_af) * NPROTO, GFP_KERNEL);
952 for (i = 0; i < NPROTO; i++) {
953 mutex_init(&xt[i].mutex);
955 mutex_init(&xt[i].compat_mutex);
956 xt[i].compat_offsets = NULL;
958 INIT_LIST_HEAD(&xt[i].target);
959 INIT_LIST_HEAD(&xt[i].match);
961 rv = register_pernet_subsys(&xt_net_ops);
967 static void __exit xt_fini(void)
969 unregister_pernet_subsys(&xt_net_ops);
973 module_init(xt_init);
974 module_exit(xt_fini);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob