2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12 #include <linux/cache.h>
13 #include <linux/capability.h>
14 #include <linux/skbuff.h>
15 #include <linux/kmod.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netdevice.h>
18 #include <linux/module.h>
19 #include <linux/icmp.h>
21 #include <net/compat.h>
22 #include <asm/uaccess.h>
23 #include <linux/mutex.h>
24 #include <linux/proc_fs.h>
25 #include <linux/err.h>
26 #include <linux/cpumask.h>
28 #include <linux/netfilter/x_tables.h>
29 #include <linux/netfilter_ipv4/ip_tables.h>
30 #include <net/netfilter/nf_log.h>
31 #include "../../netfilter/xt_repldata.h"
33 MODULE_LICENSE("GPL");
34 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
35 MODULE_DESCRIPTION("IPv4 packet filter");
37 /*#define DEBUG_IP_FIREWALL*/
38 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
39 /*#define DEBUG_IP_FIREWALL_USER*/
41 #ifdef DEBUG_IP_FIREWALL
42 #define dprintf(format, args...) pr_info(format , ## args)
44 #define dprintf(format, args...)
47 #ifdef DEBUG_IP_FIREWALL_USER
48 #define duprintf(format, args...) pr_info(format , ## args)
50 #define duprintf(format, args...)
53 #ifdef CONFIG_NETFILTER_DEBUG
54 #define IP_NF_ASSERT(x) WARN_ON(!(x))
56 #define IP_NF_ASSERT(x)
60 /* All the better to debug you with... */
65 void *ipt_alloc_initial_table(const struct xt_table *info)
67 return xt_alloc_initial_table(ipt, IPT);
69 EXPORT_SYMBOL_GPL(ipt_alloc_initial_table);
/*
   We keep a set of rules for each CPU, so we can avoid write-locking
   them in the softirq when updating the counters and therefore
   only need to read-lock in the softirq; doing a write_lock_bh() in user
   context stops packets coming through and allows user context to read
   the counters or update the rules.

   Hence the start of any table is given by get_table() below.  */
80 /* Returns whether matches rule or not. */
81 /* Performance critical - called for every packet */
83 ip_packet_match(const struct iphdr *ip,
86 const struct ipt_ip *ipinfo,
91 #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
93 if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
95 FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
97 dprintf("Source or dest mismatch.\n");
99 dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n",
100 &ip->saddr, &ipinfo->smsk.s_addr, &ipinfo->src.s_addr,
101 ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
102 dprintf("DST: %pI4 Mask: %pI4 Target: %pI4.%s\n",
103 &ip->daddr, &ipinfo->dmsk.s_addr, &ipinfo->dst.s_addr,
104 ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
108 ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask);
110 if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
111 dprintf("VIA in mismatch (%s vs %s).%s\n",
112 indev, ipinfo->iniface,
113 ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
117 ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask);
119 if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
120 dprintf("VIA out mismatch (%s vs %s).%s\n",
121 outdev, ipinfo->outiface,
122 ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
126 /* Check specific protocol */
128 FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
129 dprintf("Packet protocol %hi does not match %hi.%s\n",
130 ip->protocol, ipinfo->proto,
131 ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
135 /* If we have a fragment rule but the packet is not a fragment
136 * then we return zero */
137 if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
138 dprintf("Fragment rule but not fragment.%s\n",
139 ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
147 ip_checkentry(const struct ipt_ip *ip)
149 if (ip->flags & ~IPT_F_MASK) {
150 duprintf("Unknown flag bits set: %08X\n",
151 ip->flags & ~IPT_F_MASK);
154 if (ip->invflags & ~IPT_INV_MASK) {
155 duprintf("Unknown invflag bits set: %08X\n",
156 ip->invflags & ~IPT_INV_MASK);
163 ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
166 pr_info("error: `%s'\n", (const char *)par->targinfo);
/* Performance critical */
/* Return the rule located @offset bytes past @base. */
static inline struct ipt_entry *
get_entry(const void *base, unsigned int offset)
{
	return (struct ipt_entry *)(base + offset);
}
178 /* All zeroes == unconditional rule. */
179 /* Mildly perf critical (only if packet tracing is on) */
180 static inline bool unconditional(const struct ipt_ip *ip)
182 static const struct ipt_ip uncond;
184 return memcmp(ip, &uncond, sizeof(uncond)) == 0;
/* for const-correctness */
/*
 * Const-preserving wrapper around ipt_get_target(): the cast only drops
 * the qualifier for the call, the result is returned as pointer-to-const.
 */
static inline const struct ipt_entry_target *
ipt_get_target_c(const struct ipt_entry *e)
{
	return ipt_get_target((struct ipt_entry *)e);
}
195 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
196 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
197 static const char *const hooknames[] = {
198 [NF_INET_PRE_ROUTING] = "PREROUTING",
199 [NF_INET_LOCAL_IN] = "INPUT",
200 [NF_INET_FORWARD] = "FORWARD",
201 [NF_INET_LOCAL_OUT] = "OUTPUT",
202 [NF_INET_POST_ROUTING] = "POSTROUTING",
205 enum nf_ip_trace_comments {
206 NF_IP_TRACE_COMMENT_RULE,
207 NF_IP_TRACE_COMMENT_RETURN,
208 NF_IP_TRACE_COMMENT_POLICY,
211 static const char *const comments[] = {
212 [NF_IP_TRACE_COMMENT_RULE] = "rule",
213 [NF_IP_TRACE_COMMENT_RETURN] = "return",
214 [NF_IP_TRACE_COMMENT_POLICY] = "policy",
217 static struct nf_loginfo trace_loginfo = {
218 .type = NF_LOG_TYPE_LOG,
222 .logflags = NF_LOG_MASK,
227 /* Mildly perf critical (only if packet tracing is on) */
229 get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e,
230 const char *hookname, const char **chainname,
231 const char **comment, unsigned int *rulenum)
233 const struct ipt_standard_target *t = (void *)ipt_get_target_c(s);
235 if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) {
236 /* Head of user chain: ERROR target with chainname */
237 *chainname = t->target.data;
242 if (s->target_offset == sizeof(struct ipt_entry) &&
243 strcmp(t->target.u.kernel.target->name,
244 IPT_STANDARD_TARGET) == 0 &&
246 unconditional(&s->ip)) {
247 /* Tail of chains: STANDARD target (return/policy) */
248 *comment = *chainname == hookname
249 ? comments[NF_IP_TRACE_COMMENT_POLICY]
250 : comments[NF_IP_TRACE_COMMENT_RETURN];
259 static void trace_packet(const struct sk_buff *skb,
261 const struct net_device *in,
262 const struct net_device *out,
263 const char *tablename,
264 const struct xt_table_info *private,
265 const struct ipt_entry *e)
267 const void *table_base;
268 const struct ipt_entry *root;
269 const char *hookname, *chainname, *comment;
270 const struct ipt_entry *iter;
271 unsigned int rulenum = 0;
273 table_base = private->entries[smp_processor_id()];
274 root = get_entry(table_base, private->hook_entry[hook]);
276 hookname = chainname = hooknames[hook];
277 comment = comments[NF_IP_TRACE_COMMENT_RULE];
279 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
280 if (get_chainname_rulenum(iter, e, hookname,
281 &chainname, &comment, &rulenum) != 0)
284 nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
285 "TRACE: %s:%s:%s:%u ",
286 tablename, chainname, comment, rulenum);
291 struct ipt_entry *ipt_next_entry(const struct ipt_entry *entry)
293 return (void *)entry + entry->next_offset;
296 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
298 ipt_do_table(struct sk_buff *skb,
300 const struct net_device *in,
301 const struct net_device *out,
302 struct xt_table *table)
304 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
305 const struct iphdr *ip;
306 /* Initializing verdict to NF_DROP keeps gcc happy. */
307 unsigned int verdict = NF_DROP;
308 const char *indev, *outdev;
309 const void *table_base;
310 struct ipt_entry *e, **jumpstack;
311 unsigned int *stackptr, origptr, cpu;
312 const struct xt_table_info *private;
313 struct xt_action_param acpar;
317 indev = in ? in->name : nulldevname;
318 outdev = out ? out->name : nulldevname;
319 /* We handle fragments by dealing with the first fragment as
320 * if it was a normal packet. All other fragments are treated
321 * normally, except that they will NEVER match rules that ask
322 * things we don't know, ie. tcp syn flag or ports). If the
323 * rule is also a fragment-specific rule, non-fragments won't
325 acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
326 acpar.thoff = ip_hdrlen(skb);
327 acpar.hotdrop = false;
330 acpar.family = NFPROTO_IPV4;
331 acpar.hooknum = hook;
333 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
335 private = table->private;
336 cpu = smp_processor_id();
337 table_base = private->entries[cpu];
338 jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
339 stackptr = per_cpu_ptr(private->stackptr, cpu);
342 e = get_entry(table_base, private->hook_entry[hook]);
344 pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n",
345 table->name, hook, origptr,
346 get_entry(table_base, private->underflow[hook]));
349 const struct ipt_entry_target *t;
350 const struct xt_entry_match *ematch;
353 if (!ip_packet_match(ip, indev, outdev,
354 &e->ip, acpar.fragoff)) {
356 e = ipt_next_entry(e);
360 xt_ematch_foreach(ematch, e) {
361 acpar.match = ematch->u.kernel.match;
362 acpar.matchinfo = ematch->data;
363 if (!acpar.match->match(skb, &acpar))
367 ADD_COUNTER(e->counters, skb->len, 1);
369 t = ipt_get_target(e);
370 IP_NF_ASSERT(t->u.kernel.target);
372 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
373 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
374 /* The packet is traced: log it */
375 if (unlikely(skb->nf_trace))
376 trace_packet(skb, hook, in, out,
377 table->name, private, e);
379 /* Standard target? */
380 if (!t->u.kernel.target->target) {
383 v = ((struct ipt_standard_target *)t)->verdict;
385 /* Pop from stack? */
386 if (v != IPT_RETURN) {
387 verdict = (unsigned)(-v) - 1;
390 if (*stackptr == 0) {
391 e = get_entry(table_base,
392 private->underflow[hook]);
393 pr_debug("Underflow (this is normal) "
396 e = jumpstack[--*stackptr];
397 pr_debug("Pulled %p out from pos %u\n",
399 e = ipt_next_entry(e);
403 if (table_base + v != ipt_next_entry(e) &&
404 !(e->ip.flags & IPT_F_GOTO)) {
405 if (*stackptr >= private->stacksize) {
409 jumpstack[(*stackptr)++] = e;
410 pr_debug("Pushed %p into pos %u\n",
414 e = get_entry(table_base, v);
418 acpar.target = t->u.kernel.target;
419 acpar.targinfo = t->data;
421 verdict = t->u.kernel.target->target(skb, &acpar);
422 /* Target might have changed stuff. */
424 if (verdict == IPT_CONTINUE)
425 e = ipt_next_entry(e);
429 } while (!acpar.hotdrop);
430 xt_info_rdunlock_bh();
431 pr_debug("Exiting %s; resetting sp from %u to %u\n",
432 __func__, *stackptr, origptr);
434 #ifdef DEBUG_ALLOW_ALL
443 /* Figures out from what hook each rule can be called: returns 0 if
444 there are loops. Puts hook bitmask in comefrom. */
446 mark_source_chains(const struct xt_table_info *newinfo,
447 unsigned int valid_hooks, void *entry0)
451 /* No recursion; use packet counter to save back ptrs (reset
452 to 0 as we leave), and comefrom to save source hook bitmask */
453 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
454 unsigned int pos = newinfo->hook_entry[hook];
455 struct ipt_entry *e = (struct ipt_entry *)(entry0 + pos);
457 if (!(valid_hooks & (1 << hook)))
460 /* Set initial back pointer. */
461 e->counters.pcnt = pos;
464 const struct ipt_standard_target *t
465 = (void *)ipt_get_target_c(e);
466 int visited = e->comefrom & (1 << hook);
468 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
469 pr_err("iptables: loop hook %u pos %u %08X.\n",
470 hook, pos, e->comefrom);
473 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
475 /* Unconditional return/END. */
476 if ((e->target_offset == sizeof(struct ipt_entry) &&
477 (strcmp(t->target.u.user.name,
478 IPT_STANDARD_TARGET) == 0) &&
479 t->verdict < 0 && unconditional(&e->ip)) ||
481 unsigned int oldpos, size;
483 if ((strcmp(t->target.u.user.name,
484 IPT_STANDARD_TARGET) == 0) &&
485 t->verdict < -NF_MAX_VERDICT - 1) {
486 duprintf("mark_source_chains: bad "
487 "negative verdict (%i)\n",
492 /* Return: backtrack through the last
495 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
496 #ifdef DEBUG_IP_FIREWALL_USER
498 & (1 << NF_INET_NUMHOOKS)) {
499 duprintf("Back unset "
506 pos = e->counters.pcnt;
507 e->counters.pcnt = 0;
509 /* We're at the start. */
513 e = (struct ipt_entry *)
515 } while (oldpos == pos + e->next_offset);
518 size = e->next_offset;
519 e = (struct ipt_entry *)
520 (entry0 + pos + size);
521 e->counters.pcnt = pos;
524 int newpos = t->verdict;
526 if (strcmp(t->target.u.user.name,
527 IPT_STANDARD_TARGET) == 0 &&
529 if (newpos > newinfo->size -
530 sizeof(struct ipt_entry)) {
531 duprintf("mark_source_chains: "
532 "bad verdict (%i)\n",
536 /* This a jump; chase it. */
537 duprintf("Jump rule %u -> %u\n",
540 /* ... this is a fallthru */
541 newpos = pos + e->next_offset;
543 e = (struct ipt_entry *)
545 e->counters.pcnt = pos;
550 duprintf("Finished chain %u\n", hook);
555 static void cleanup_match(struct ipt_entry_match *m, struct net *net)
557 struct xt_mtdtor_param par;
560 par.match = m->u.kernel.match;
561 par.matchinfo = m->data;
562 par.family = NFPROTO_IPV4;
563 if (par.match->destroy != NULL)
564 par.match->destroy(&par);
565 module_put(par.match->me);
569 check_entry(const struct ipt_entry *e, const char *name)
571 const struct ipt_entry_target *t;
573 if (!ip_checkentry(&e->ip)) {
574 duprintf("ip check failed %p %s.\n", e, par->match->name);
578 if (e->target_offset + sizeof(struct ipt_entry_target) >
582 t = ipt_get_target_c(e);
583 if (e->target_offset + t->u.target_size > e->next_offset)
590 check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
592 const struct ipt_ip *ip = par->entryinfo;
595 par->match = m->u.kernel.match;
596 par->matchinfo = m->data;
598 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
599 ip->proto, ip->invflags & IPT_INV_PROTO);
601 duprintf("check failed for `%s'.\n", par->match->name);
608 find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
610 struct xt_match *match;
613 match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
616 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
617 return PTR_ERR(match);
619 m->u.kernel.match = match;
621 ret = check_match(m, par);
627 module_put(m->u.kernel.match->me);
631 static int check_target(struct ipt_entry *e, struct net *net, const char *name)
633 struct ipt_entry_target *t = ipt_get_target(e);
634 struct xt_tgchk_param par = {
638 .target = t->u.kernel.target,
640 .hook_mask = e->comefrom,
641 .family = NFPROTO_IPV4,
645 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
646 e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
648 duprintf("check failed for `%s'.\n",
649 t->u.kernel.target->name);
656 find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
659 struct ipt_entry_target *t;
660 struct xt_target *target;
663 struct xt_mtchk_param mtpar;
664 struct xt_entry_match *ematch;
666 ret = check_entry(e, name);
673 mtpar.entryinfo = &e->ip;
674 mtpar.hook_mask = e->comefrom;
675 mtpar.family = NFPROTO_IPV4;
676 xt_ematch_foreach(ematch, e) {
677 ret = find_check_match(ematch, &mtpar);
679 goto cleanup_matches;
683 t = ipt_get_target(e);
684 target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
686 if (IS_ERR(target)) {
687 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
688 ret = PTR_ERR(target);
689 goto cleanup_matches;
691 t->u.kernel.target = target;
693 ret = check_target(e, net, name);
698 module_put(t->u.kernel.target->me);
700 xt_ematch_foreach(ematch, e) {
703 cleanup_match(ematch, net);
708 static bool check_underflow(const struct ipt_entry *e)
710 const struct ipt_entry_target *t;
711 unsigned int verdict;
713 if (!unconditional(&e->ip))
715 t = ipt_get_target_c(e);
716 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
718 verdict = ((struct ipt_standard_target *)t)->verdict;
719 verdict = -verdict - 1;
720 return verdict == NF_DROP || verdict == NF_ACCEPT;
724 check_entry_size_and_hooks(struct ipt_entry *e,
725 struct xt_table_info *newinfo,
726 const unsigned char *base,
727 const unsigned char *limit,
728 const unsigned int *hook_entries,
729 const unsigned int *underflows,
730 unsigned int valid_hooks)
734 if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
735 (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
736 duprintf("Bad offset %p\n", e);
741 < sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
742 duprintf("checking: element %p size %u\n",
747 /* Check hooks & underflows */
748 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
749 if (!(valid_hooks & (1 << h)))
751 if ((unsigned char *)e - base == hook_entries[h])
752 newinfo->hook_entry[h] = hook_entries[h];
753 if ((unsigned char *)e - base == underflows[h]) {
754 if (!check_underflow(e)) {
755 pr_err("Underflows must be unconditional and "
756 "use the STANDARD target with "
760 newinfo->underflow[h] = underflows[h];
764 /* Clear counters and comefrom */
765 e->counters = ((struct xt_counters) { 0, 0 });
771 cleanup_entry(struct ipt_entry *e, struct net *net)
773 struct xt_tgdtor_param par;
774 struct ipt_entry_target *t;
775 struct xt_entry_match *ematch;
777 /* Cleanup all matches */
778 xt_ematch_foreach(ematch, e)
779 cleanup_match(ematch, net);
780 t = ipt_get_target(e);
783 par.target = t->u.kernel.target;
784 par.targinfo = t->data;
785 par.family = NFPROTO_IPV4;
786 if (par.target->destroy != NULL)
787 par.target->destroy(&par);
788 module_put(par.target->me);
791 /* Checks and translates the user-supplied table segment (held in
794 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
795 const struct ipt_replace *repl)
797 struct ipt_entry *iter;
801 newinfo->size = repl->size;
802 newinfo->number = repl->num_entries;
804 /* Init all hooks to impossible value. */
805 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
806 newinfo->hook_entry[i] = 0xFFFFFFFF;
807 newinfo->underflow[i] = 0xFFFFFFFF;
810 duprintf("translate_table: size %u\n", newinfo->size);
812 /* Walk through entries, checking offsets. */
813 xt_entry_foreach(iter, entry0, newinfo->size) {
814 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
822 if (strcmp(ipt_get_target(iter)->u.user.name,
823 XT_ERROR_TARGET) == 0)
824 ++newinfo->stacksize;
827 if (i != repl->num_entries) {
828 duprintf("translate_table: %u not %u entries\n",
829 i, repl->num_entries);
833 /* Check hooks all assigned */
834 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
835 /* Only hooks which are valid */
836 if (!(repl->valid_hooks & (1 << i)))
838 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
839 duprintf("Invalid hook entry %u %u\n",
840 i, repl->hook_entry[i]);
843 if (newinfo->underflow[i] == 0xFFFFFFFF) {
844 duprintf("Invalid underflow %u %u\n",
845 i, repl->underflow[i]);
850 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
853 /* Finally, each sanity check must pass */
855 xt_entry_foreach(iter, entry0, newinfo->size) {
856 ret = find_check_entry(iter, net, repl->name, repl->size);
863 xt_entry_foreach(iter, entry0, newinfo->size) {
866 cleanup_entry(iter, net);
871 /* And one copy for every other CPU */
872 for_each_possible_cpu(i) {
873 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
874 memcpy(newinfo->entries[i], entry0, newinfo->size);
881 get_counters(const struct xt_table_info *t,
882 struct xt_counters counters[])
884 struct ipt_entry *iter;
887 unsigned int curcpu = get_cpu();
889 /* Instead of clearing (by a previous call to memset())
890 * the counters and using adds, we set the counters
891 * with data used by 'current' CPU.
893 * Bottom half has to be disabled to prevent deadlock
894 * if new softirq were to run and call ipt_do_table
898 xt_entry_foreach(iter, t->entries[curcpu], t->size) {
899 SET_COUNTER(counters[i], iter->counters.bcnt,
900 iter->counters.pcnt);
904 /* Processing counters from other cpus, we can let bottom half enabled,
905 * (preemption is disabled)
908 for_each_possible_cpu(cpu) {
913 xt_entry_foreach(iter, t->entries[cpu], t->size) {
914 ADD_COUNTER(counters[i], iter->counters.bcnt,
915 iter->counters.pcnt);
916 ++i; /* macro does multi eval of i */
918 xt_info_wrunlock(cpu);
923 static struct xt_counters *alloc_counters(const struct xt_table *table)
925 unsigned int countersize;
926 struct xt_counters *counters;
927 const struct xt_table_info *private = table->private;
929 /* We need atomic snapshot of counters: rest doesn't change
930 (other than comefrom, which userspace doesn't care
932 countersize = sizeof(struct xt_counters) * private->number;
933 counters = vmalloc(countersize);
935 if (counters == NULL)
936 return ERR_PTR(-ENOMEM);
938 get_counters(private, counters);
944 copy_entries_to_user(unsigned int total_size,
945 const struct xt_table *table,
946 void __user *userptr)
948 unsigned int off, num;
949 const struct ipt_entry *e;
950 struct xt_counters *counters;
951 const struct xt_table_info *private = table->private;
953 const void *loc_cpu_entry;
955 counters = alloc_counters(table);
956 if (IS_ERR(counters))
957 return PTR_ERR(counters);
959 /* choose the copy that is on our node/cpu, ...
960 * This choice is lazy (because current thread is
961 * allowed to migrate to another cpu)
963 loc_cpu_entry = private->entries[raw_smp_processor_id()];
964 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
969 /* FIXME: use iterator macros --RR */
970 /* ... then go back and fix counters and names */
971 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
973 const struct ipt_entry_match *m;
974 const struct ipt_entry_target *t;
976 e = (struct ipt_entry *)(loc_cpu_entry + off);
977 if (copy_to_user(userptr + off
978 + offsetof(struct ipt_entry, counters),
980 sizeof(counters[num])) != 0) {
985 for (i = sizeof(struct ipt_entry);
986 i < e->target_offset;
987 i += m->u.match_size) {
990 if (copy_to_user(userptr + off + i
991 + offsetof(struct ipt_entry_match,
993 m->u.kernel.match->name,
994 strlen(m->u.kernel.match->name)+1)
1001 t = ipt_get_target_c(e);
1002 if (copy_to_user(userptr + off + e->target_offset
1003 + offsetof(struct ipt_entry_target,
1005 t->u.kernel.target->name,
1006 strlen(t->u.kernel.target->name)+1) != 0) {
1017 #ifdef CONFIG_COMPAT
1018 static void compat_standard_from_user(void *dst, const void *src)
1020 int v = *(compat_int_t *)src;
1023 v += xt_compat_calc_jump(AF_INET, v);
1024 memcpy(dst, &v, sizeof(v));
1027 static int compat_standard_to_user(void __user *dst, const void *src)
1029 compat_int_t cv = *(int *)src;
1032 cv -= xt_compat_calc_jump(AF_INET, cv);
1033 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1036 static int compat_calc_entry(const struct ipt_entry *e,
1037 const struct xt_table_info *info,
1038 const void *base, struct xt_table_info *newinfo)
1040 const struct xt_entry_match *ematch;
1041 const struct ipt_entry_target *t;
1042 unsigned int entry_offset;
1045 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1046 entry_offset = (void *)e - base;
1047 xt_ematch_foreach(ematch, e)
1048 off += xt_compat_match_offset(ematch->u.kernel.match);
1049 t = ipt_get_target_c(e);
1050 off += xt_compat_target_offset(t->u.kernel.target);
1051 newinfo->size -= off;
1052 ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1056 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1057 if (info->hook_entry[i] &&
1058 (e < (struct ipt_entry *)(base + info->hook_entry[i])))
1059 newinfo->hook_entry[i] -= off;
1060 if (info->underflow[i] &&
1061 (e < (struct ipt_entry *)(base + info->underflow[i])))
1062 newinfo->underflow[i] -= off;
1067 static int compat_table_info(const struct xt_table_info *info,
1068 struct xt_table_info *newinfo)
1070 struct ipt_entry *iter;
1071 void *loc_cpu_entry;
1074 if (!newinfo || !info)
1077 /* we dont care about newinfo->entries[] */
1078 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1079 newinfo->initial_entries = 0;
1080 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1081 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
1082 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
1090 static int get_info(struct net *net, void __user *user,
1091 const int *len, int compat)
1093 char name[IPT_TABLE_MAXNAMELEN];
1097 if (*len != sizeof(struct ipt_getinfo)) {
1098 duprintf("length %u != %zu\n", *len,
1099 sizeof(struct ipt_getinfo));
1103 if (copy_from_user(name, user, sizeof(name)) != 0)
1106 name[IPT_TABLE_MAXNAMELEN-1] = '\0';
1107 #ifdef CONFIG_COMPAT
1109 xt_compat_lock(AF_INET);
1111 t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1112 "iptable_%s", name);
1113 if (t && !IS_ERR(t)) {
1114 struct ipt_getinfo info;
1115 const struct xt_table_info *private = t->private;
1116 #ifdef CONFIG_COMPAT
1117 struct xt_table_info tmp;
1120 ret = compat_table_info(private, &tmp);
1121 xt_compat_flush_offsets(AF_INET);
1125 info.valid_hooks = t->valid_hooks;
1126 memcpy(info.hook_entry, private->hook_entry,
1127 sizeof(info.hook_entry));
1128 memcpy(info.underflow, private->underflow,
1129 sizeof(info.underflow));
1130 info.num_entries = private->number;
1131 info.size = private->size;
1132 strcpy(info.name, name);
1134 if (copy_to_user(user, &info, *len) != 0)
1142 ret = t ? PTR_ERR(t) : -ENOENT;
1143 #ifdef CONFIG_COMPAT
1145 xt_compat_unlock(AF_INET);
1151 get_entries(struct net *net, struct ipt_get_entries __user *uptr,
1155 struct ipt_get_entries get;
1158 if (*len < sizeof(get)) {
1159 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1162 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1164 if (*len != sizeof(struct ipt_get_entries) + get.size) {
1165 duprintf("get_entries: %u != %zu\n",
1166 *len, sizeof(get) + get.size);
1170 t = xt_find_table_lock(net, AF_INET, get.name);
1171 if (t && !IS_ERR(t)) {
1172 const struct xt_table_info *private = t->private;
1173 duprintf("t->private->number = %u\n", private->number);
1174 if (get.size == private->size)
1175 ret = copy_entries_to_user(private->size,
1176 t, uptr->entrytable);
1178 duprintf("get_entries: I've got %u not %u!\n",
1179 private->size, get.size);
1185 ret = t ? PTR_ERR(t) : -ENOENT;
1191 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1192 struct xt_table_info *newinfo, unsigned int num_counters,
1193 void __user *counters_ptr)
1197 struct xt_table_info *oldinfo;
1198 struct xt_counters *counters;
1199 void *loc_cpu_old_entry;
1200 struct ipt_entry *iter;
1203 counters = vmalloc(num_counters * sizeof(struct xt_counters));
1209 t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1210 "iptable_%s", name);
1211 if (!t || IS_ERR(t)) {
1212 ret = t ? PTR_ERR(t) : -ENOENT;
1213 goto free_newinfo_counters_untrans;
1217 if (valid_hooks != t->valid_hooks) {
1218 duprintf("Valid hook crap: %08X vs %08X\n",
1219 valid_hooks, t->valid_hooks);
1224 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1228 /* Update module usage count based on number of rules */
1229 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1230 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1231 if ((oldinfo->number > oldinfo->initial_entries) ||
1232 (newinfo->number <= oldinfo->initial_entries))
1234 if ((oldinfo->number > oldinfo->initial_entries) &&
1235 (newinfo->number <= oldinfo->initial_entries))
1238 /* Get the old counters, and synchronize with replace */
1239 get_counters(oldinfo, counters);
1241 /* Decrease module usage counts and free resource */
1242 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1243 xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
1244 cleanup_entry(iter, net);
1246 xt_free_table_info(oldinfo);
1247 if (copy_to_user(counters_ptr, counters,
1248 sizeof(struct xt_counters) * num_counters) != 0)
1257 free_newinfo_counters_untrans:
1264 do_replace(struct net *net, const void __user *user, unsigned int len)
1267 struct ipt_replace tmp;
1268 struct xt_table_info *newinfo;
1269 void *loc_cpu_entry;
1270 struct ipt_entry *iter;
1272 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1275 /* overflow check */
1276 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1279 newinfo = xt_alloc_table_info(tmp.size);
1283 /* choose the copy that is on our node/cpu */
1284 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1285 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1291 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1295 duprintf("Translated table\n");
1297 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1298 tmp.num_counters, tmp.counters);
1300 goto free_newinfo_untrans;
1303 free_newinfo_untrans:
1304 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1305 cleanup_entry(iter, net);
1307 xt_free_table_info(newinfo);
1312 do_add_counters(struct net *net, const void __user *user,
1313 unsigned int len, int compat)
1315 unsigned int i, curcpu;
1316 struct xt_counters_info tmp;
1317 struct xt_counters *paddc;
1318 unsigned int num_counters;
1323 const struct xt_table_info *private;
1325 void *loc_cpu_entry;
1326 struct ipt_entry *iter;
1327 #ifdef CONFIG_COMPAT
1328 struct compat_xt_counters_info compat_tmp;
1332 size = sizeof(struct compat_xt_counters_info);
1337 size = sizeof(struct xt_counters_info);
1340 if (copy_from_user(ptmp, user, size) != 0)
1343 #ifdef CONFIG_COMPAT
1345 num_counters = compat_tmp.num_counters;
1346 name = compat_tmp.name;
1350 num_counters = tmp.num_counters;
1354 if (len != size + num_counters * sizeof(struct xt_counters))
1357 paddc = vmalloc(len - size);
1361 if (copy_from_user(paddc, user + size, len - size) != 0) {
1366 t = xt_find_table_lock(net, AF_INET, name);
1367 if (!t || IS_ERR(t)) {
1368 ret = t ? PTR_ERR(t) : -ENOENT;
1373 private = t->private;
1374 if (private->number != num_counters) {
1376 goto unlock_up_free;
1380 /* Choose the copy that is on our node */
1381 curcpu = smp_processor_id();
1382 loc_cpu_entry = private->entries[curcpu];
1383 xt_info_wrlock(curcpu);
1384 xt_entry_foreach(iter, loc_cpu_entry, private->size) {
1385 ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
1388 xt_info_wrunlock(curcpu);
1399 #ifdef CONFIG_COMPAT
1400 struct compat_ipt_replace {
1401 char name[IPT_TABLE_MAXNAMELEN];
1405 u32 hook_entry[NF_INET_NUMHOOKS];
1406 u32 underflow[NF_INET_NUMHOOKS];
1408 compat_uptr_t counters; /* struct ipt_counters * */
1409 struct compat_ipt_entry entries[0];
1413 compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
1414 unsigned int *size, struct xt_counters *counters,
1417 struct ipt_entry_target *t;
1418 struct compat_ipt_entry __user *ce;
1419 u_int16_t target_offset, next_offset;
1420 compat_uint_t origsize;
1421 const struct xt_entry_match *ematch;
1425 ce = (struct compat_ipt_entry __user *)*dstptr;
1426 if (copy_to_user(ce, e, sizeof(struct ipt_entry)) != 0 ||
1427 copy_to_user(&ce->counters, &counters[i],
1428 sizeof(counters[i])) != 0)
1431 *dstptr += sizeof(struct compat_ipt_entry);
1432 *size -= sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1434 xt_ematch_foreach(ematch, e) {
1435 ret = xt_compat_match_to_user(ematch, dstptr, size);
1439 target_offset = e->target_offset - (origsize - *size);
1440 t = ipt_get_target(e);
1441 ret = xt_compat_target_to_user(t, dstptr, size);
1444 next_offset = e->next_offset - (origsize - *size);
1445 if (put_user(target_offset, &ce->target_offset) != 0 ||
1446 put_user(next_offset, &ce->next_offset) != 0)
1452 compat_find_calc_match(struct ipt_entry_match *m,
1454 const struct ipt_ip *ip,
1455 unsigned int hookmask,
1458 struct xt_match *match;
1460 match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
1461 m->u.user.revision);
1462 if (IS_ERR(match)) {
1463 duprintf("compat_check_calc_match: `%s' not found\n",
1465 return PTR_ERR(match);
1467 m->u.kernel.match = match;
1468 *size += xt_compat_match_offset(match);
1472 static void compat_release_entry(struct compat_ipt_entry *e)
1474 struct ipt_entry_target *t;
1475 struct xt_entry_match *ematch;
1477 /* Cleanup all matches */
1478 xt_ematch_foreach(ematch, e)
1479 module_put(ematch->u.kernel.match->me);
1480 t = compat_ipt_get_target(e);
1481 module_put(t->u.kernel.target->me);
1485 check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
1486 struct xt_table_info *newinfo,
1488 const unsigned char *base,
1489 const unsigned char *limit,
1490 const unsigned int *hook_entries,
1491 const unsigned int *underflows,
1494 struct xt_entry_match *ematch;
1495 struct ipt_entry_target *t;
1496 struct xt_target *target;
1497 unsigned int entry_offset;
1501 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1502 if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
1503 (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1504 duprintf("Bad offset %p, limit = %p\n", e, limit);
1508 if (e->next_offset < sizeof(struct compat_ipt_entry) +
1509 sizeof(struct compat_xt_entry_target)) {
1510 duprintf("checking: element %p size %u\n",
1515 /* For purposes of check_entry casting the compat entry is fine */
1516 ret = check_entry((struct ipt_entry *)e, name);
1520 off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1521 entry_offset = (void *)e - (void *)base;
1523 xt_ematch_foreach(ematch, e) {
1524 ret = compat_find_calc_match(ematch, name,
1525 &e->ip, e->comefrom, &off);
1527 goto release_matches;
1531 t = compat_ipt_get_target(e);
1532 target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
1533 t->u.user.revision);
1534 if (IS_ERR(target)) {
1535 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1537 ret = PTR_ERR(target);
1538 goto release_matches;
1540 t->u.kernel.target = target;
1542 off += xt_compat_target_offset(target);
1544 ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1548 /* Check hooks & underflows */
1549 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1550 if ((unsigned char *)e - base == hook_entries[h])
1551 newinfo->hook_entry[h] = hook_entries[h];
1552 if ((unsigned char *)e - base == underflows[h])
1553 newinfo->underflow[h] = underflows[h];
1556 /* Clear counters and comefrom */
1557 memset(&e->counters, 0, sizeof(e->counters));
1562 module_put(t->u.kernel.target->me);
1564 xt_ematch_foreach(ematch, e) {
1567 module_put(ematch->u.kernel.match->me);
1573 compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
1574 unsigned int *size, const char *name,
1575 struct xt_table_info *newinfo, unsigned char *base)
1577 struct ipt_entry_target *t;
1578 struct xt_target *target;
1579 struct ipt_entry *de;
1580 unsigned int origsize;
1582 struct xt_entry_match *ematch;
1586 de = (struct ipt_entry *)*dstptr;
1587 memcpy(de, e, sizeof(struct ipt_entry));
1588 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1590 *dstptr += sizeof(struct ipt_entry);
1591 *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1593 xt_ematch_foreach(ematch, e) {
1594 ret = xt_compat_match_from_user(ematch, dstptr, size);
1598 de->target_offset = e->target_offset - (origsize - *size);
1599 t = compat_ipt_get_target(e);
1600 target = t->u.kernel.target;
1601 xt_compat_target_from_user(t, dstptr, size);
1603 de->next_offset = e->next_offset - (origsize - *size);
1604 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1605 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1606 newinfo->hook_entry[h] -= origsize - *size;
1607 if ((unsigned char *)de - base < newinfo->underflow[h])
1608 newinfo->underflow[h] -= origsize - *size;
1614 compat_check_entry(struct ipt_entry *e, struct net *net, const char *name)
1616 struct xt_entry_match *ematch;
1617 struct xt_mtchk_param mtpar;
1624 mtpar.entryinfo = &e->ip;
1625 mtpar.hook_mask = e->comefrom;
1626 mtpar.family = NFPROTO_IPV4;
1627 xt_ematch_foreach(ematch, e) {
1628 ret = check_match(ematch, &mtpar);
1630 goto cleanup_matches;
1634 ret = check_target(e, net, name);
1636 goto cleanup_matches;
1640 xt_ematch_foreach(ematch, e) {
1643 cleanup_match(ematch, net);
1649 translate_compat_table(struct net *net,
1651 unsigned int valid_hooks,
1652 struct xt_table_info **pinfo,
1654 unsigned int total_size,
1655 unsigned int number,
1656 unsigned int *hook_entries,
1657 unsigned int *underflows)
1660 struct xt_table_info *newinfo, *info;
1661 void *pos, *entry0, *entry1;
1662 struct compat_ipt_entry *iter0;
1663 struct ipt_entry *iter1;
1670 info->number = number;
1672 /* Init all hooks to impossible value. */
1673 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1674 info->hook_entry[i] = 0xFFFFFFFF;
1675 info->underflow[i] = 0xFFFFFFFF;
1678 duprintf("translate_compat_table: size %u\n", info->size);
1680 xt_compat_lock(AF_INET);
1681 /* Walk through entries, checking offsets. */
1682 xt_entry_foreach(iter0, entry0, total_size) {
1683 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1685 entry0 + total_size,
1696 duprintf("translate_compat_table: %u not %u entries\n",
1701 /* Check hooks all assigned */
1702 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1703 /* Only hooks which are valid */
1704 if (!(valid_hooks & (1 << i)))
1706 if (info->hook_entry[i] == 0xFFFFFFFF) {
1707 duprintf("Invalid hook entry %u %u\n",
1708 i, hook_entries[i]);
1711 if (info->underflow[i] == 0xFFFFFFFF) {
1712 duprintf("Invalid underflow %u %u\n",
1719 newinfo = xt_alloc_table_info(size);
1723 newinfo->number = number;
1724 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1725 newinfo->hook_entry[i] = info->hook_entry[i];
1726 newinfo->underflow[i] = info->underflow[i];
1728 entry1 = newinfo->entries[raw_smp_processor_id()];
1731 xt_entry_foreach(iter0, entry0, total_size) {
1732 ret = compat_copy_entry_from_user(iter0, &pos, &size,
1733 name, newinfo, entry1);
1737 xt_compat_flush_offsets(AF_INET);
1738 xt_compat_unlock(AF_INET);
1743 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1747 xt_entry_foreach(iter1, entry1, newinfo->size) {
1748 ret = compat_check_entry(iter1, net, name);
1755 * The first i matches need cleanup_entry (calls ->destroy)
1756 * because they had called ->check already. The other j-i
1757 * entries need only release.
1761 xt_entry_foreach(iter0, entry0, newinfo->size) {
1766 compat_release_entry(iter0);
1768 xt_entry_foreach(iter1, entry1, newinfo->size) {
1771 cleanup_entry(iter1, net);
1773 xt_free_table_info(newinfo);
1777 /* And one copy for every other CPU */
1778 for_each_possible_cpu(i)
1779 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1780 memcpy(newinfo->entries[i], entry1, newinfo->size);
1784 xt_free_table_info(info);
1788 xt_free_table_info(newinfo);
1790 xt_entry_foreach(iter0, entry0, total_size) {
1793 compat_release_entry(iter0);
1797 xt_compat_flush_offsets(AF_INET);
1798 xt_compat_unlock(AF_INET);
1803 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1806 struct compat_ipt_replace tmp;
1807 struct xt_table_info *newinfo;
1808 void *loc_cpu_entry;
1809 struct ipt_entry *iter;
1811 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1814 /* overflow check */
1815 if (tmp.size >= INT_MAX / num_possible_cpus())
1817 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1820 newinfo = xt_alloc_table_info(tmp.size);
1824 /* choose the copy that is on our node/cpu */
1825 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1826 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1832 ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
1833 &newinfo, &loc_cpu_entry, tmp.size,
1834 tmp.num_entries, tmp.hook_entry,
1839 duprintf("compat_do_replace: Translated table\n");
1841 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1842 tmp.num_counters, compat_ptr(tmp.counters));
1844 goto free_newinfo_untrans;
1847 free_newinfo_untrans:
1848 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1849 cleanup_entry(iter, net);
1851 xt_free_table_info(newinfo);
1856 compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
1861 if (!capable(CAP_NET_ADMIN))
1865 case IPT_SO_SET_REPLACE:
1866 ret = compat_do_replace(sock_net(sk), user, len);
1869 case IPT_SO_SET_ADD_COUNTERS:
1870 ret = do_add_counters(sock_net(sk), user, len, 1);
1874 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
1881 struct compat_ipt_get_entries {
1882 char name[IPT_TABLE_MAXNAMELEN];
1884 struct compat_ipt_entry entrytable[0];
1888 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1889 void __user *userptr)
1891 struct xt_counters *counters;
1892 const struct xt_table_info *private = table->private;
1896 const void *loc_cpu_entry;
1898 struct ipt_entry *iter;
1900 counters = alloc_counters(table);
1901 if (IS_ERR(counters))
1902 return PTR_ERR(counters);
1904 /* choose the copy that is on our node/cpu, ...
1905 * This choice is lazy (because current thread is
1906 * allowed to migrate to another cpu)
1908 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1911 xt_entry_foreach(iter, loc_cpu_entry, total_size) {
1912 ret = compat_copy_entry_to_user(iter, &pos,
1913 &size, counters, i++);
1923 compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
1927 struct compat_ipt_get_entries get;
1930 if (*len < sizeof(get)) {
1931 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1935 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1938 if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
1939 duprintf("compat_get_entries: %u != %zu\n",
1940 *len, sizeof(get) + get.size);
1944 xt_compat_lock(AF_INET);
1945 t = xt_find_table_lock(net, AF_INET, get.name);
1946 if (t && !IS_ERR(t)) {
1947 const struct xt_table_info *private = t->private;
1948 struct xt_table_info info;
1949 duprintf("t->private->number = %u\n", private->number);
1950 ret = compat_table_info(private, &info);
1951 if (!ret && get.size == info.size) {
1952 ret = compat_copy_entries_to_user(private->size,
1953 t, uptr->entrytable);
1955 duprintf("compat_get_entries: I've got %u not %u!\n",
1956 private->size, get.size);
1959 xt_compat_flush_offsets(AF_INET);
1963 ret = t ? PTR_ERR(t) : -ENOENT;
1965 xt_compat_unlock(AF_INET);
1969 static int do_ipt_get_ctl(struct sock *, int, void __user *, int *);
1972 compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1976 if (!capable(CAP_NET_ADMIN))
1980 case IPT_SO_GET_INFO:
1981 ret = get_info(sock_net(sk), user, len, 1);
1983 case IPT_SO_GET_ENTRIES:
1984 ret = compat_get_entries(sock_net(sk), user, len);
1987 ret = do_ipt_get_ctl(sk, cmd, user, len);
1994 do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1998 if (!capable(CAP_NET_ADMIN))
2002 case IPT_SO_SET_REPLACE:
2003 ret = do_replace(sock_net(sk), user, len);
2006 case IPT_SO_SET_ADD_COUNTERS:
2007 ret = do_add_counters(sock_net(sk), user, len, 0);
2011 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
2019 do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2023 if (!capable(CAP_NET_ADMIN))
2027 case IPT_SO_GET_INFO:
2028 ret = get_info(sock_net(sk), user, len, 0);
2031 case IPT_SO_GET_ENTRIES:
2032 ret = get_entries(sock_net(sk), user, len);
2035 case IPT_SO_GET_REVISION_MATCH:
2036 case IPT_SO_GET_REVISION_TARGET: {
2037 struct ipt_get_revision rev;
2040 if (*len != sizeof(rev)) {
2044 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2049 if (cmd == IPT_SO_GET_REVISION_TARGET)
2054 try_then_request_module(xt_find_revision(AF_INET, rev.name,
2057 "ipt_%s", rev.name);
2062 duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
2069 struct xt_table *ipt_register_table(struct net *net,
2070 const struct xt_table *table,
2071 const struct ipt_replace *repl)
2074 struct xt_table_info *newinfo;
2075 struct xt_table_info bootstrap = {0};
2076 void *loc_cpu_entry;
2077 struct xt_table *new_table;
2079 newinfo = xt_alloc_table_info(repl->size);
2085 /* choose the copy on our node/cpu, but dont care about preemption */
2086 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2087 memcpy(loc_cpu_entry, repl->entries, repl->size);
2089 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
2093 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2094 if (IS_ERR(new_table)) {
2095 ret = PTR_ERR(new_table);
2102 xt_free_table_info(newinfo);
2104 return ERR_PTR(ret);
2107 void ipt_unregister_table(struct net *net, struct xt_table *table)
2109 struct xt_table_info *private;
2110 void *loc_cpu_entry;
2111 struct module *table_owner = table->me;
2112 struct ipt_entry *iter;
2114 private = xt_unregister_table(table);
2116 /* Decrease module usage counts and free resources */
2117 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2118 xt_entry_foreach(iter, loc_cpu_entry, private->size)
2119 cleanup_entry(iter, net);
2120 if (private->number > private->initial_entries)
2121 module_put(table_owner);
2122 xt_free_table_info(private);
/*
 * Returns true if the type and code are matched by the range, false
 * otherwise: either test_type is the 0xFF wildcard, or type equals
 * test_type and code lies within [min_code, max_code].  The outcome is
 * flipped when invert is set.
 */
static inline bool
icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
		     u_int8_t type, u_int8_t code,
		     bool invert)
{
	return ((test_type == 0xFF) ||
		(type == test_type && code >= min_code && code <= max_code))
		^ invert;
}
2137 icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
2139 const struct icmphdr *ic;
2140 struct icmphdr _icmph;
2141 const struct ipt_icmp *icmpinfo = par->matchinfo;
2143 /* Must not be a fragment. */
2144 if (par->fragoff != 0)
2147 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2149 /* We've been asked to examine this packet, and we
2150 * can't. Hence, no choice but to drop.
2152 duprintf("Dropping evil ICMP tinygram.\n");
2153 par->hotdrop = true;
2157 return icmp_type_code_match(icmpinfo->type,
2161 !!(icmpinfo->invflags&IPT_ICMP_INV));
2164 static int icmp_checkentry(const struct xt_mtchk_param *par)
2166 const struct ipt_icmp *icmpinfo = par->matchinfo;
2168 /* Must specify no unknown invflags */
2169 return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
2172 static struct xt_target ipt_builtin_tg[] __read_mostly = {
2174 .name = IPT_STANDARD_TARGET,
2175 .targetsize = sizeof(int),
2176 .family = NFPROTO_IPV4,
2177 #ifdef CONFIG_COMPAT
2178 .compatsize = sizeof(compat_int_t),
2179 .compat_from_user = compat_standard_from_user,
2180 .compat_to_user = compat_standard_to_user,
2184 .name = IPT_ERROR_TARGET,
2185 .target = ipt_error,
2186 .targetsize = IPT_FUNCTION_MAXNAMELEN,
2187 .family = NFPROTO_IPV4,
2191 static struct nf_sockopt_ops ipt_sockopts = {
2193 .set_optmin = IPT_BASE_CTL,
2194 .set_optmax = IPT_SO_SET_MAX+1,
2195 .set = do_ipt_set_ctl,
2196 #ifdef CONFIG_COMPAT
2197 .compat_set = compat_do_ipt_set_ctl,
2199 .get_optmin = IPT_BASE_CTL,
2200 .get_optmax = IPT_SO_GET_MAX+1,
2201 .get = do_ipt_get_ctl,
2202 #ifdef CONFIG_COMPAT
2203 .compat_get = compat_do_ipt_get_ctl,
2205 .owner = THIS_MODULE,
2208 static struct xt_match ipt_builtin_mt[] __read_mostly = {
2211 .match = icmp_match,
2212 .matchsize = sizeof(struct ipt_icmp),
2213 .checkentry = icmp_checkentry,
2214 .proto = IPPROTO_ICMP,
2215 .family = NFPROTO_IPV4,
2219 static int __net_init ip_tables_net_init(struct net *net)
2221 return xt_proto_init(net, NFPROTO_IPV4);
2224 static void __net_exit ip_tables_net_exit(struct net *net)
2226 xt_proto_fini(net, NFPROTO_IPV4);
2229 static struct pernet_operations ip_tables_net_ops = {
2230 .init = ip_tables_net_init,
2231 .exit = ip_tables_net_exit,
2234 static int __init ip_tables_init(void)
2238 ret = register_pernet_subsys(&ip_tables_net_ops);
2242 /* Noone else will be downing sem now, so we won't sleep */
2243 ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2246 ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2250 /* Register setsockopt */
2251 ret = nf_register_sockopt(&ipt_sockopts);
2255 pr_info("(C) 2000-2006 Netfilter Core Team\n");
2259 xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2261 xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2263 unregister_pernet_subsys(&ip_tables_net_ops);
2268 static void __exit ip_tables_fini(void)
2270 nf_unregister_sockopt(&ipt_sockopts);
2272 xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2273 xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2274 unregister_pernet_subsys(&ip_tables_net_ops);
/* Entry points exported to other modules, and the load/unload hooks. */
EXPORT_SYMBOL(ipt_register_table);
EXPORT_SYMBOL(ipt_unregister_table);
EXPORT_SYMBOL(ipt_do_table);
module_init(ip_tables_init);
module_exit(ip_tables_fini);