2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 #include <linux/kernel.h>
16 #include <linux/capability.h>
18 #include <linux/skbuff.h>
19 #include <linux/kmod.h>
20 #include <linux/vmalloc.h>
21 #include <linux/netdevice.h>
22 #include <linux/module.h>
23 #include <linux/poison.h>
24 #include <linux/icmpv6.h>
26 #include <net/compat.h>
27 #include <linux/uaccess.h>
28 #include <linux/mutex.h>
29 #include <linux/proc_fs.h>
30 #include <linux/err.h>
31 #include <linux/cpumask.h>
33 #include <linux/netfilter_ipv6/ip6_tables.h>
34 #include <linux/netfilter/x_tables.h>
35 #include <net/netfilter/nf_log.h>
36 #include "../../netfilter/xt_repldata.h"
38 MODULE_LICENSE("GPL");
39 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
40 MODULE_DESCRIPTION("IPv6 packet filter");
41 MODULE_ALIAS("ip6t_icmp6");
43 void *ip6t_alloc_initial_table(const struct xt_table *info)
45 return xt_alloc_initial_table(ip6t, IP6T);
47 EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
49 /* Returns whether matches rule or not. */
50 /* Performance critical - called for every packet */
52 ip6_packet_match(const struct sk_buff *skb,
55 const struct ip6t_ip6 *ip6info,
56 unsigned int *protoff,
57 int *fragoff, bool *hotdrop)
60 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
62 if (NF_INVF(ip6info, IP6T_INV_SRCIP,
63 ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
65 NF_INVF(ip6info, IP6T_INV_DSTIP,
66 ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
70 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
72 if (NF_INVF(ip6info, IP6T_INV_VIA_IN, ret != 0))
75 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
77 if (NF_INVF(ip6info, IP6T_INV_VIA_OUT, ret != 0))
80 /* ... might want to do something with class and flowlabel here ... */
82 /* look for the desired protocol header */
83 if (ip6info->flags & IP6T_F_PROTO) {
85 unsigned short _frag_off;
87 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off, NULL);
95 if (ip6info->proto == protohdr) {
96 if (ip6info->invflags & IP6T_INV_PROTO)
102 /* We need match for the '-p all', too! */
103 if ((ip6info->proto != 0) &&
104 !(ip6info->invflags & IP6T_INV_PROTO))
110 /* should be ip6 safe */
112 ip6_checkentry(const struct ip6t_ip6 *ipv6)
114 if (ipv6->flags & ~IP6T_F_MASK)
116 if (ipv6->invflags & ~IP6T_INV_MASK)
123 ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
125 net_info_ratelimited("error: `%s'\n", (const char *)par->targinfo);
130 static inline struct ip6t_entry *
131 get_entry(const void *base, unsigned int offset)
133 return (struct ip6t_entry *)(base + offset);
136 /* All zeroes == unconditional rule. */
137 /* Mildly perf critical (only if packet tracing is on) */
138 static inline bool unconditional(const struct ip6t_entry *e)
140 static const struct ip6t_ip6 uncond;
142 return e->target_offset == sizeof(struct ip6t_entry) &&
143 memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0;
146 static inline const struct xt_entry_target *
147 ip6t_get_target_c(const struct ip6t_entry *e)
149 return ip6t_get_target((struct ip6t_entry *)e);
152 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
153 /* This cries for unification! */
154 static const char *const hooknames[] = {
155 [NF_INET_PRE_ROUTING] = "PREROUTING",
156 [NF_INET_LOCAL_IN] = "INPUT",
157 [NF_INET_FORWARD] = "FORWARD",
158 [NF_INET_LOCAL_OUT] = "OUTPUT",
159 [NF_INET_POST_ROUTING] = "POSTROUTING",
162 enum nf_ip_trace_comments {
163 NF_IP6_TRACE_COMMENT_RULE,
164 NF_IP6_TRACE_COMMENT_RETURN,
165 NF_IP6_TRACE_COMMENT_POLICY,
168 static const char *const comments[] = {
169 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
170 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
171 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
174 static const struct nf_loginfo trace_loginfo = {
175 .type = NF_LOG_TYPE_LOG,
178 .level = LOGLEVEL_WARNING,
179 .logflags = NF_LOG_DEFAULT_MASK,
184 /* Mildly perf critical (only if packet tracing is on) */
186 get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
187 const char *hookname, const char **chainname,
188 const char **comment, unsigned int *rulenum)
190 const struct xt_standard_target *t = (void *)ip6t_get_target_c(s);
192 if (strcmp(t->target.u.kernel.target->name, XT_ERROR_TARGET) == 0) {
193 /* Head of user chain: ERROR target with chainname */
194 *chainname = t->target.data;
199 if (unconditional(s) &&
200 strcmp(t->target.u.kernel.target->name,
201 XT_STANDARD_TARGET) == 0 &&
203 /* Tail of chains: STANDARD target (return/policy) */
204 *comment = *chainname == hookname
205 ? comments[NF_IP6_TRACE_COMMENT_POLICY]
206 : comments[NF_IP6_TRACE_COMMENT_RETURN];
215 static void trace_packet(struct net *net,
216 const struct sk_buff *skb,
218 const struct net_device *in,
219 const struct net_device *out,
220 const char *tablename,
221 const struct xt_table_info *private,
222 const struct ip6t_entry *e)
224 const struct ip6t_entry *root;
225 const char *hookname, *chainname, *comment;
226 const struct ip6t_entry *iter;
227 unsigned int rulenum = 0;
229 root = get_entry(private->entries, private->hook_entry[hook]);
231 hookname = chainname = hooknames[hook];
232 comment = comments[NF_IP6_TRACE_COMMENT_RULE];
234 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
235 if (get_chainname_rulenum(iter, e, hookname,
236 &chainname, &comment, &rulenum) != 0)
239 nf_log_trace(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
240 "TRACE: %s:%s:%s:%u ",
241 tablename, chainname, comment, rulenum);
245 static inline struct ip6t_entry *
246 ip6t_next_entry(const struct ip6t_entry *entry)
248 return (void *)entry + entry->next_offset;
251 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
253 ip6t_do_table(struct sk_buff *skb,
254 const struct nf_hook_state *state,
255 struct xt_table *table)
257 unsigned int hook = state->hook;
258 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
259 /* Initializing verdict to NF_DROP keeps gcc happy. */
260 unsigned int verdict = NF_DROP;
261 const char *indev, *outdev;
262 const void *table_base;
263 struct ip6t_entry *e, **jumpstack;
264 unsigned int stackidx, cpu;
265 const struct xt_table_info *private;
266 struct xt_action_param acpar;
271 indev = state->in ? state->in->name : nulldevname;
272 outdev = state->out ? state->out->name : nulldevname;
273 /* We handle fragments by dealing with the first fragment as
274 * if it was a normal packet. All other fragments are treated
275 * normally, except that they will NEVER match rules that ask
276 * things we don't know, ie. tcp syn flag or ports). If the
277 * rule is also a fragment-specific rule, non-fragments won't
279 acpar.hotdrop = false;
282 WARN_ON(!(table->valid_hooks & (1 << hook)));
285 addend = xt_write_recseq_begin();
286 private = READ_ONCE(table->private); /* Address dependency. */
287 cpu = smp_processor_id();
288 table_base = private->entries;
289 jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
291 /* Switch to alternate jumpstack if we're being invoked via TEE.
292 * TEE issues XT_CONTINUE verdict on original skb so we must not
293 * clobber the jumpstack.
295 * For recursion via REJECT or SYNPROXY the stack will be clobbered
296 * but it is no problem since absolute verdict is issued by these.
298 if (static_key_false(&xt_tee_enabled))
299 jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
301 e = get_entry(table_base, private->hook_entry[hook]);
304 const struct xt_entry_target *t;
305 const struct xt_entry_match *ematch;
306 struct xt_counters *counter;
310 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
311 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
313 e = ip6t_next_entry(e);
317 xt_ematch_foreach(ematch, e) {
318 acpar.match = ematch->u.kernel.match;
319 acpar.matchinfo = ematch->data;
320 if (!acpar.match->match(skb, &acpar))
324 counter = xt_get_this_cpu_counter(&e->counters);
325 ADD_COUNTER(*counter, skb->len, 1);
327 t = ip6t_get_target_c(e);
328 WARN_ON(!t->u.kernel.target);
330 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
331 /* The packet is traced: log it */
332 if (unlikely(skb->nf_trace))
333 trace_packet(state->net, skb, hook, state->in,
334 state->out, table->name, private, e);
336 /* Standard target? */
337 if (!t->u.kernel.target->target) {
340 v = ((struct xt_standard_target *)t)->verdict;
342 /* Pop from stack? */
343 if (v != XT_RETURN) {
344 verdict = (unsigned int)(-v) - 1;
348 e = get_entry(table_base,
349 private->underflow[hook]);
351 e = ip6t_next_entry(jumpstack[--stackidx]);
354 if (table_base + v != ip6t_next_entry(e) &&
355 !(e->ipv6.flags & IP6T_F_GOTO)) {
356 if (unlikely(stackidx >= private->stacksize)) {
360 jumpstack[stackidx++] = e;
363 e = get_entry(table_base, v);
367 acpar.target = t->u.kernel.target;
368 acpar.targinfo = t->data;
370 verdict = t->u.kernel.target->target(skb, &acpar);
371 if (verdict == XT_CONTINUE)
372 e = ip6t_next_entry(e);
376 } while (!acpar.hotdrop);
378 xt_write_recseq_end(addend);
386 /* Figures out from what hook each rule can be called: returns 0 if
387 there are loops. Puts hook bitmask in comefrom. */
389 mark_source_chains(const struct xt_table_info *newinfo,
390 unsigned int valid_hooks, void *entry0,
391 unsigned int *offsets)
395 /* No recursion; use packet counter to save back ptrs (reset
396 to 0 as we leave), and comefrom to save source hook bitmask */
397 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
398 unsigned int pos = newinfo->hook_entry[hook];
399 struct ip6t_entry *e = entry0 + pos;
401 if (!(valid_hooks & (1 << hook)))
404 /* Set initial back pointer. */
405 e->counters.pcnt = pos;
408 const struct xt_standard_target *t
409 = (void *)ip6t_get_target_c(e);
410 int visited = e->comefrom & (1 << hook);
412 if (e->comefrom & (1 << NF_INET_NUMHOOKS))
415 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
417 /* Unconditional return/END. */
418 if ((unconditional(e) &&
419 (strcmp(t->target.u.user.name,
420 XT_STANDARD_TARGET) == 0) &&
421 t->verdict < 0) || visited) {
422 unsigned int oldpos, size;
424 /* Return: backtrack through the last
427 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
429 pos = e->counters.pcnt;
430 e->counters.pcnt = 0;
432 /* We're at the start. */
437 } while (oldpos == pos + e->next_offset);
440 size = e->next_offset;
441 e = entry0 + pos + size;
442 if (pos + size >= newinfo->size)
444 e->counters.pcnt = pos;
447 int newpos = t->verdict;
449 if (strcmp(t->target.u.user.name,
450 XT_STANDARD_TARGET) == 0 &&
452 /* This a jump; chase it. */
453 if (!xt_find_jump_offset(offsets, newpos,
457 /* ... this is a fallthru */
458 newpos = pos + e->next_offset;
459 if (newpos >= newinfo->size)
463 e->counters.pcnt = pos;
472 static void cleanup_match(struct xt_entry_match *m, struct net *net)
474 struct xt_mtdtor_param par;
477 par.match = m->u.kernel.match;
478 par.matchinfo = m->data;
479 par.family = NFPROTO_IPV6;
480 if (par.match->destroy != NULL)
481 par.match->destroy(&par);
482 module_put(par.match->me);
485 static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
487 const struct ip6t_ip6 *ipv6 = par->entryinfo;
489 par->match = m->u.kernel.match;
490 par->matchinfo = m->data;
492 return xt_check_match(par, m->u.match_size - sizeof(*m),
493 ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
497 find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
499 struct xt_match *match;
502 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
505 return PTR_ERR(match);
507 m->u.kernel.match = match;
509 ret = check_match(m, par);
515 module_put(m->u.kernel.match->me);
519 static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
521 struct xt_entry_target *t = ip6t_get_target(e);
522 struct xt_tgchk_param par = {
526 .target = t->u.kernel.target,
528 .hook_mask = e->comefrom,
529 .family = NFPROTO_IPV6,
532 return xt_check_target(&par, t->u.target_size - sizeof(*t),
534 e->ipv6.invflags & IP6T_INV_PROTO);
538 find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
540 struct xt_percpu_counter_alloc_state *alloc_state)
542 struct xt_entry_target *t;
543 struct xt_target *target;
546 struct xt_mtchk_param mtpar;
547 struct xt_entry_match *ematch;
549 if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
555 mtpar.entryinfo = &e->ipv6;
556 mtpar.hook_mask = e->comefrom;
557 mtpar.family = NFPROTO_IPV6;
558 xt_ematch_foreach(ematch, e) {
559 ret = find_check_match(ematch, &mtpar);
561 goto cleanup_matches;
565 t = ip6t_get_target(e);
566 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
568 if (IS_ERR(target)) {
569 ret = PTR_ERR(target);
570 goto cleanup_matches;
572 t->u.kernel.target = target;
574 ret = check_target(e, net, name);
579 module_put(t->u.kernel.target->me);
581 xt_ematch_foreach(ematch, e) {
584 cleanup_match(ematch, net);
587 xt_percpu_counter_free(&e->counters);
592 static bool check_underflow(const struct ip6t_entry *e)
594 const struct xt_entry_target *t;
595 unsigned int verdict;
597 if (!unconditional(e))
599 t = ip6t_get_target_c(e);
600 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
602 verdict = ((struct xt_standard_target *)t)->verdict;
603 verdict = -verdict - 1;
604 return verdict == NF_DROP || verdict == NF_ACCEPT;
608 check_entry_size_and_hooks(struct ip6t_entry *e,
609 struct xt_table_info *newinfo,
610 const unsigned char *base,
611 const unsigned char *limit,
612 const unsigned int *hook_entries,
613 const unsigned int *underflows,
614 unsigned int valid_hooks)
619 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
620 (unsigned char *)e + sizeof(struct ip6t_entry) >= limit ||
621 (unsigned char *)e + e->next_offset > limit)
625 < sizeof(struct ip6t_entry) + sizeof(struct xt_entry_target))
628 if (!ip6_checkentry(&e->ipv6))
631 err = xt_check_entry_offsets(e, e->elems, e->target_offset,
636 /* Check hooks & underflows */
637 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
638 if (!(valid_hooks & (1 << h)))
640 if ((unsigned char *)e - base == hook_entries[h])
641 newinfo->hook_entry[h] = hook_entries[h];
642 if ((unsigned char *)e - base == underflows[h]) {
643 if (!check_underflow(e))
646 newinfo->underflow[h] = underflows[h];
650 /* Clear counters and comefrom */
651 e->counters = ((struct xt_counters) { 0, 0 });
656 static void cleanup_entry(struct ip6t_entry *e, struct net *net)
658 struct xt_tgdtor_param par;
659 struct xt_entry_target *t;
660 struct xt_entry_match *ematch;
662 /* Cleanup all matches */
663 xt_ematch_foreach(ematch, e)
664 cleanup_match(ematch, net);
665 t = ip6t_get_target(e);
668 par.target = t->u.kernel.target;
669 par.targinfo = t->data;
670 par.family = NFPROTO_IPV6;
671 if (par.target->destroy != NULL)
672 par.target->destroy(&par);
673 module_put(par.target->me);
674 xt_percpu_counter_free(&e->counters);
677 /* Checks and translates the user-supplied table segment (held in
680 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
681 const struct ip6t_replace *repl)
683 struct xt_percpu_counter_alloc_state alloc_state = { 0 };
684 struct ip6t_entry *iter;
685 unsigned int *offsets;
689 newinfo->size = repl->size;
690 newinfo->number = repl->num_entries;
692 /* Init all hooks to impossible value. */
693 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
694 newinfo->hook_entry[i] = 0xFFFFFFFF;
695 newinfo->underflow[i] = 0xFFFFFFFF;
698 offsets = xt_alloc_entry_offsets(newinfo->number);
702 /* Walk through entries, checking offsets. */
703 xt_entry_foreach(iter, entry0, newinfo->size) {
704 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
711 if (i < repl->num_entries)
712 offsets[i] = (void *)iter - entry0;
714 if (strcmp(ip6t_get_target(iter)->u.user.name,
715 XT_ERROR_TARGET) == 0)
716 ++newinfo->stacksize;
720 if (i != repl->num_entries)
723 ret = xt_check_table_hooks(newinfo, repl->valid_hooks);
727 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
733 /* Finally, each sanity check must pass */
735 xt_entry_foreach(iter, entry0, newinfo->size) {
736 ret = find_check_entry(iter, net, repl->name, repl->size,
744 xt_entry_foreach(iter, entry0, newinfo->size) {
747 cleanup_entry(iter, net);
759 get_counters(const struct xt_table_info *t,
760 struct xt_counters counters[])
762 struct ip6t_entry *iter;
766 for_each_possible_cpu(cpu) {
767 seqcount_t *s = &per_cpu(xt_recseq, cpu);
770 xt_entry_foreach(iter, t->entries, t->size) {
771 struct xt_counters *tmp;
775 tmp = xt_get_per_cpu_counter(&iter->counters, cpu);
777 start = read_seqcount_begin(s);
780 } while (read_seqcount_retry(s, start));
782 ADD_COUNTER(counters[i], bcnt, pcnt);
789 static void get_old_counters(const struct xt_table_info *t,
790 struct xt_counters counters[])
792 struct ip6t_entry *iter;
795 for_each_possible_cpu(cpu) {
797 xt_entry_foreach(iter, t->entries, t->size) {
798 const struct xt_counters *tmp;
800 tmp = xt_get_per_cpu_counter(&iter->counters, cpu);
801 ADD_COUNTER(counters[i], tmp->bcnt, tmp->pcnt);
808 static struct xt_counters *alloc_counters(const struct xt_table *table)
810 unsigned int countersize;
811 struct xt_counters *counters;
812 const struct xt_table_info *private = table->private;
814 /* We need atomic snapshot of counters: rest doesn't change
815 (other than comefrom, which userspace doesn't care
817 countersize = sizeof(struct xt_counters) * private->number;
818 counters = vzalloc(countersize);
820 if (counters == NULL)
821 return ERR_PTR(-ENOMEM);
823 get_counters(private, counters);
829 copy_entries_to_user(unsigned int total_size,
830 const struct xt_table *table,
831 void __user *userptr)
833 unsigned int off, num;
834 const struct ip6t_entry *e;
835 struct xt_counters *counters;
836 const struct xt_table_info *private = table->private;
838 const void *loc_cpu_entry;
840 counters = alloc_counters(table);
841 if (IS_ERR(counters))
842 return PTR_ERR(counters);
844 loc_cpu_entry = private->entries;
846 /* FIXME: use iterator macros --RR */
847 /* ... then go back and fix counters and names */
848 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
850 const struct xt_entry_match *m;
851 const struct xt_entry_target *t;
853 e = loc_cpu_entry + off;
854 if (copy_to_user(userptr + off, e, sizeof(*e))) {
858 if (copy_to_user(userptr + off
859 + offsetof(struct ip6t_entry, counters),
861 sizeof(counters[num])) != 0) {
866 for (i = sizeof(struct ip6t_entry);
867 i < e->target_offset;
868 i += m->u.match_size) {
871 if (xt_match_to_user(m, userptr + off + i)) {
877 t = ip6t_get_target_c(e);
878 if (xt_target_to_user(t, userptr + off + e->target_offset)) {
890 static void compat_standard_from_user(void *dst, const void *src)
892 int v = *(compat_int_t *)src;
895 v += xt_compat_calc_jump(AF_INET6, v);
896 memcpy(dst, &v, sizeof(v));
899 static int compat_standard_to_user(void __user *dst, const void *src)
901 compat_int_t cv = *(int *)src;
904 cv -= xt_compat_calc_jump(AF_INET6, cv);
905 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
908 static int compat_calc_entry(const struct ip6t_entry *e,
909 const struct xt_table_info *info,
910 const void *base, struct xt_table_info *newinfo)
912 const struct xt_entry_match *ematch;
913 const struct xt_entry_target *t;
914 unsigned int entry_offset;
917 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
918 entry_offset = (void *)e - base;
919 xt_ematch_foreach(ematch, e)
920 off += xt_compat_match_offset(ematch->u.kernel.match);
921 t = ip6t_get_target_c(e);
922 off += xt_compat_target_offset(t->u.kernel.target);
923 newinfo->size -= off;
924 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
928 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
929 if (info->hook_entry[i] &&
930 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
931 newinfo->hook_entry[i] -= off;
932 if (info->underflow[i] &&
933 (e < (struct ip6t_entry *)(base + info->underflow[i])))
934 newinfo->underflow[i] -= off;
939 static int compat_table_info(const struct xt_table_info *info,
940 struct xt_table_info *newinfo)
942 struct ip6t_entry *iter;
943 const void *loc_cpu_entry;
946 if (!newinfo || !info)
949 /* we dont care about newinfo->entries */
950 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
951 newinfo->initial_entries = 0;
952 loc_cpu_entry = info->entries;
953 ret = xt_compat_init_offsets(AF_INET6, info->number);
956 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
957 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
965 static int get_info(struct net *net, void __user *user,
966 const int *len, int compat)
968 char name[XT_TABLE_MAXNAMELEN];
972 if (*len != sizeof(struct ip6t_getinfo))
975 if (copy_from_user(name, user, sizeof(name)) != 0)
978 name[XT_TABLE_MAXNAMELEN-1] = '\0';
981 xt_compat_lock(AF_INET6);
983 t = xt_request_find_table_lock(net, AF_INET6, name);
985 struct ip6t_getinfo info;
986 const struct xt_table_info *private = t->private;
988 struct xt_table_info tmp;
991 ret = compat_table_info(private, &tmp);
992 xt_compat_flush_offsets(AF_INET6);
996 memset(&info, 0, sizeof(info));
997 info.valid_hooks = t->valid_hooks;
998 memcpy(info.hook_entry, private->hook_entry,
999 sizeof(info.hook_entry));
1000 memcpy(info.underflow, private->underflow,
1001 sizeof(info.underflow));
1002 info.num_entries = private->number;
1003 info.size = private->size;
1004 strcpy(info.name, name);
1006 if (copy_to_user(user, &info, *len) != 0)
1015 #ifdef CONFIG_COMPAT
1017 xt_compat_unlock(AF_INET6);
1023 get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
1027 struct ip6t_get_entries get;
1030 if (*len < sizeof(get))
1032 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1034 if (*len != sizeof(struct ip6t_get_entries) + get.size)
1037 get.name[sizeof(get.name) - 1] = '\0';
1039 t = xt_find_table_lock(net, AF_INET6, get.name);
1041 struct xt_table_info *private = t->private;
1042 if (get.size == private->size)
1043 ret = copy_entries_to_user(private->size,
1044 t, uptr->entrytable);
1057 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1058 struct xt_table_info *newinfo, unsigned int num_counters,
1059 void __user *counters_ptr)
1063 struct xt_table_info *oldinfo;
1064 struct xt_counters *counters;
1065 struct ip6t_entry *iter;
1068 counters = xt_counters_alloc(num_counters);
1074 t = xt_request_find_table_lock(net, AF_INET6, name);
1077 goto free_newinfo_counters_untrans;
1081 if (valid_hooks != t->valid_hooks) {
1086 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1090 /* Update module usage count based on number of rules */
1091 if ((oldinfo->number > oldinfo->initial_entries) ||
1092 (newinfo->number <= oldinfo->initial_entries))
1094 if ((oldinfo->number > oldinfo->initial_entries) &&
1095 (newinfo->number <= oldinfo->initial_entries))
1100 get_old_counters(oldinfo, counters);
1102 /* Decrease module usage counts and free resource */
1103 xt_entry_foreach(iter, oldinfo->entries, oldinfo->size)
1104 cleanup_entry(iter, net);
1106 xt_free_table_info(oldinfo);
1107 if (copy_to_user(counters_ptr, counters,
1108 sizeof(struct xt_counters) * num_counters) != 0) {
1109 /* Silent error, can't fail, new table is already in place */
1110 net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
1118 free_newinfo_counters_untrans:
1125 do_replace(struct net *net, const void __user *user, unsigned int len)
1128 struct ip6t_replace tmp;
1129 struct xt_table_info *newinfo;
1130 void *loc_cpu_entry;
1131 struct ip6t_entry *iter;
1133 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1136 /* overflow check */
1137 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1139 if (tmp.num_counters == 0)
1142 tmp.name[sizeof(tmp.name)-1] = 0;
1144 newinfo = xt_alloc_table_info(tmp.size);
1148 loc_cpu_entry = newinfo->entries;
1149 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1155 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1159 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1160 tmp.num_counters, tmp.counters);
1162 goto free_newinfo_untrans;
1165 free_newinfo_untrans:
1166 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1167 cleanup_entry(iter, net);
1169 xt_free_table_info(newinfo);
1174 do_add_counters(struct net *net, const void __user *user, unsigned int len,
1178 struct xt_counters_info tmp;
1179 struct xt_counters *paddc;
1181 const struct xt_table_info *private;
1183 struct ip6t_entry *iter;
1184 unsigned int addend;
1186 paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
1188 return PTR_ERR(paddc);
1189 t = xt_find_table_lock(net, AF_INET6, tmp.name);
1196 private = t->private;
1197 if (private->number != tmp.num_counters) {
1199 goto unlock_up_free;
1203 addend = xt_write_recseq_begin();
1204 xt_entry_foreach(iter, private->entries, private->size) {
1205 struct xt_counters *tmp;
1207 tmp = xt_get_this_cpu_counter(&iter->counters);
1208 ADD_COUNTER(*tmp, paddc[i].bcnt, paddc[i].pcnt);
1211 xt_write_recseq_end(addend);
1222 #ifdef CONFIG_COMPAT
1223 struct compat_ip6t_replace {
1224 char name[XT_TABLE_MAXNAMELEN];
1228 u32 hook_entry[NF_INET_NUMHOOKS];
1229 u32 underflow[NF_INET_NUMHOOKS];
1231 compat_uptr_t counters; /* struct xt_counters * */
1232 struct compat_ip6t_entry entries[0];
1236 compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1237 unsigned int *size, struct xt_counters *counters,
1240 struct xt_entry_target *t;
1241 struct compat_ip6t_entry __user *ce;
1242 u_int16_t target_offset, next_offset;
1243 compat_uint_t origsize;
1244 const struct xt_entry_match *ematch;
1249 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
1250 copy_to_user(&ce->counters, &counters[i],
1251 sizeof(counters[i])) != 0)
1254 *dstptr += sizeof(struct compat_ip6t_entry);
1255 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1257 xt_ematch_foreach(ematch, e) {
1258 ret = xt_compat_match_to_user(ematch, dstptr, size);
1262 target_offset = e->target_offset - (origsize - *size);
1263 t = ip6t_get_target(e);
1264 ret = xt_compat_target_to_user(t, dstptr, size);
1267 next_offset = e->next_offset - (origsize - *size);
1268 if (put_user(target_offset, &ce->target_offset) != 0 ||
1269 put_user(next_offset, &ce->next_offset) != 0)
1275 compat_find_calc_match(struct xt_entry_match *m,
1276 const struct ip6t_ip6 *ipv6,
1279 struct xt_match *match;
1281 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1282 m->u.user.revision);
1284 return PTR_ERR(match);
1286 m->u.kernel.match = match;
1287 *size += xt_compat_match_offset(match);
1291 static void compat_release_entry(struct compat_ip6t_entry *e)
1293 struct xt_entry_target *t;
1294 struct xt_entry_match *ematch;
1296 /* Cleanup all matches */
1297 xt_ematch_foreach(ematch, e)
1298 module_put(ematch->u.kernel.match->me);
1299 t = compat_ip6t_get_target(e);
1300 module_put(t->u.kernel.target->me);
1304 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1305 struct xt_table_info *newinfo,
1307 const unsigned char *base,
1308 const unsigned char *limit)
1310 struct xt_entry_match *ematch;
1311 struct xt_entry_target *t;
1312 struct xt_target *target;
1313 unsigned int entry_offset;
1317 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
1318 (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit ||
1319 (unsigned char *)e + e->next_offset > limit)
1322 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1323 sizeof(struct compat_xt_entry_target))
1326 if (!ip6_checkentry(&e->ipv6))
1329 ret = xt_compat_check_entry_offsets(e, e->elems,
1330 e->target_offset, e->next_offset);
1334 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1335 entry_offset = (void *)e - (void *)base;
1337 xt_ematch_foreach(ematch, e) {
1338 ret = compat_find_calc_match(ematch, &e->ipv6, &off);
1340 goto release_matches;
1344 t = compat_ip6t_get_target(e);
1345 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1346 t->u.user.revision);
1347 if (IS_ERR(target)) {
1348 ret = PTR_ERR(target);
1349 goto release_matches;
1351 t->u.kernel.target = target;
1353 off += xt_compat_target_offset(target);
1355 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1362 module_put(t->u.kernel.target->me);
1364 xt_ematch_foreach(ematch, e) {
1367 module_put(ematch->u.kernel.match->me);
1373 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1375 struct xt_table_info *newinfo, unsigned char *base)
1377 struct xt_entry_target *t;
1378 struct ip6t_entry *de;
1379 unsigned int origsize;
1381 struct xt_entry_match *ematch;
1385 memcpy(de, e, sizeof(struct ip6t_entry));
1386 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1388 *dstptr += sizeof(struct ip6t_entry);
1389 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1391 xt_ematch_foreach(ematch, e)
1392 xt_compat_match_from_user(ematch, dstptr, size);
1394 de->target_offset = e->target_offset - (origsize - *size);
1395 t = compat_ip6t_get_target(e);
1396 xt_compat_target_from_user(t, dstptr, size);
1398 de->next_offset = e->next_offset - (origsize - *size);
1399 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1400 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1401 newinfo->hook_entry[h] -= origsize - *size;
1402 if ((unsigned char *)de - base < newinfo->underflow[h])
1403 newinfo->underflow[h] -= origsize - *size;
1408 translate_compat_table(struct net *net,
1409 struct xt_table_info **pinfo,
1411 const struct compat_ip6t_replace *compatr)
1414 struct xt_table_info *newinfo, *info;
1415 void *pos, *entry0, *entry1;
1416 struct compat_ip6t_entry *iter0;
1417 struct ip6t_replace repl;
1423 size = compatr->size;
1424 info->number = compatr->num_entries;
1427 xt_compat_lock(AF_INET6);
1428 ret = xt_compat_init_offsets(AF_INET6, compatr->num_entries);
1431 /* Walk through entries, checking offsets. */
1432 xt_entry_foreach(iter0, entry0, compatr->size) {
1433 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1435 entry0 + compatr->size);
1442 if (j != compatr->num_entries)
1446 newinfo = xt_alloc_table_info(size);
1450 newinfo->number = compatr->num_entries;
1451 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1452 newinfo->hook_entry[i] = compatr->hook_entry[i];
1453 newinfo->underflow[i] = compatr->underflow[i];
1455 entry1 = newinfo->entries;
1457 size = compatr->size;
1458 xt_entry_foreach(iter0, entry0, compatr->size)
1459 compat_copy_entry_from_user(iter0, &pos, &size,
1462 /* all module references in entry0 are now gone. */
1463 xt_compat_flush_offsets(AF_INET6);
1464 xt_compat_unlock(AF_INET6);
1466 memcpy(&repl, compatr, sizeof(*compatr));
1468 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1469 repl.hook_entry[i] = newinfo->hook_entry[i];
1470 repl.underflow[i] = newinfo->underflow[i];
1473 repl.num_counters = 0;
1474 repl.counters = NULL;
1475 repl.size = newinfo->size;
1476 ret = translate_table(net, newinfo, entry1, &repl);
1482 xt_free_table_info(info);
1486 xt_free_table_info(newinfo);
1489 xt_compat_flush_offsets(AF_INET6);
1490 xt_compat_unlock(AF_INET6);
1491 xt_entry_foreach(iter0, entry0, compatr->size) {
1494 compat_release_entry(iter0);
1500 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1503 struct compat_ip6t_replace tmp;
1504 struct xt_table_info *newinfo;
1505 void *loc_cpu_entry;
1506 struct ip6t_entry *iter;
1508 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1511 /* overflow check */
1512 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1514 if (tmp.num_counters == 0)
1517 tmp.name[sizeof(tmp.name)-1] = 0;
1519 newinfo = xt_alloc_table_info(tmp.size);
1523 loc_cpu_entry = newinfo->entries;
1524 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1530 ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
1534 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1535 tmp.num_counters, compat_ptr(tmp.counters));
1537 goto free_newinfo_untrans;
1540 free_newinfo_untrans:
1541 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1542 cleanup_entry(iter, net);
1544 xt_free_table_info(newinfo);
1549 compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1554 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1558 case IP6T_SO_SET_REPLACE:
1559 ret = compat_do_replace(sock_net(sk), user, len);
1562 case IP6T_SO_SET_ADD_COUNTERS:
1563 ret = do_add_counters(sock_net(sk), user, len, 1);
1573 struct compat_ip6t_get_entries {
1574 char name[XT_TABLE_MAXNAMELEN];
1576 struct compat_ip6t_entry entrytable[0];
1580 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1581 void __user *userptr)
1583 struct xt_counters *counters;
1584 const struct xt_table_info *private = table->private;
1589 struct ip6t_entry *iter;
1591 counters = alloc_counters(table);
1592 if (IS_ERR(counters))
1593 return PTR_ERR(counters);
1597 xt_entry_foreach(iter, private->entries, total_size) {
1598 ret = compat_copy_entry_to_user(iter, &pos,
1599 &size, counters, i++);
1609 compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1613 struct compat_ip6t_get_entries get;
1616 if (*len < sizeof(get))
1619 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1622 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size)
1625 get.name[sizeof(get.name) - 1] = '\0';
1627 xt_compat_lock(AF_INET6);
1628 t = xt_find_table_lock(net, AF_INET6, get.name);
1630 const struct xt_table_info *private = t->private;
1631 struct xt_table_info info;
1632 ret = compat_table_info(private, &info);
1633 if (!ret && get.size == info.size)
1634 ret = compat_copy_entries_to_user(private->size,
1635 t, uptr->entrytable);
1639 xt_compat_flush_offsets(AF_INET6);
1645 xt_compat_unlock(AF_INET6);
1649 static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1652 compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1656 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1660 case IP6T_SO_GET_INFO:
1661 ret = get_info(sock_net(sk), user, len, 1);
1663 case IP6T_SO_GET_ENTRIES:
1664 ret = compat_get_entries(sock_net(sk), user, len);
1667 ret = do_ip6t_get_ctl(sk, cmd, user, len);
1674 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1678 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1682 case IP6T_SO_SET_REPLACE:
1683 ret = do_replace(sock_net(sk), user, len);
1686 case IP6T_SO_SET_ADD_COUNTERS:
1687 ret = do_add_counters(sock_net(sk), user, len, 0);
1698 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1702 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1706 case IP6T_SO_GET_INFO:
1707 ret = get_info(sock_net(sk), user, len, 0);
1710 case IP6T_SO_GET_ENTRIES:
1711 ret = get_entries(sock_net(sk), user, len);
1714 case IP6T_SO_GET_REVISION_MATCH:
1715 case IP6T_SO_GET_REVISION_TARGET: {
1716 struct xt_get_revision rev;
1719 if (*len != sizeof(rev)) {
1723 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
1727 rev.name[sizeof(rev.name)-1] = 0;
1729 if (cmd == IP6T_SO_GET_REVISION_TARGET)
1734 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
1737 "ip6t_%s", rev.name);
1748 static void __ip6t_unregister_table(struct net *net, struct xt_table *table)
1750 struct xt_table_info *private;
1751 void *loc_cpu_entry;
1752 struct module *table_owner = table->me;
1753 struct ip6t_entry *iter;
1755 private = xt_unregister_table(table);
1757 /* Decrease module usage counts and free resources */
1758 loc_cpu_entry = private->entries;
1759 xt_entry_foreach(iter, loc_cpu_entry, private->size)
1760 cleanup_entry(iter, net);
1761 if (private->number > private->initial_entries)
1762 module_put(table_owner);
1763 xt_free_table_info(private);
1766 int ip6t_register_table(struct net *net, const struct xt_table *table,
1767 const struct ip6t_replace *repl,
1768 const struct nf_hook_ops *ops,
1769 struct xt_table **res)
1772 struct xt_table_info *newinfo;
1773 struct xt_table_info bootstrap = {0};
1774 void *loc_cpu_entry;
1775 struct xt_table *new_table;
1777 newinfo = xt_alloc_table_info(repl->size);
1781 loc_cpu_entry = newinfo->entries;
1782 memcpy(loc_cpu_entry, repl->entries, repl->size);
1784 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
1788 new_table = xt_register_table(net, table, &bootstrap, newinfo);
1789 if (IS_ERR(new_table)) {
1790 ret = PTR_ERR(new_table);
1794 /* set res now, will see skbs right after nf_register_net_hooks */
1795 WRITE_ONCE(*res, new_table);
1797 ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
1799 __ip6t_unregister_table(net, new_table);
1806 xt_free_table_info(newinfo);
1810 void ip6t_unregister_table(struct net *net, struct xt_table *table,
1811 const struct nf_hook_ops *ops)
1813 nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
1814 __ip6t_unregister_table(net, table);
1817 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
1819 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
1820 u_int8_t type, u_int8_t code,
1823 return (type == test_type && code >= min_code && code <= max_code)
1828 icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
1830 const struct icmp6hdr *ic;
1831 struct icmp6hdr _icmph;
1832 const struct ip6t_icmp *icmpinfo = par->matchinfo;
1834 /* Must not be a fragment. */
1835 if (par->fragoff != 0)
1838 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
1840 /* We've been asked to examine this packet, and we
1841 * can't. Hence, no choice but to drop.
1843 par->hotdrop = true;
1847 return icmp6_type_code_match(icmpinfo->type,
1850 ic->icmp6_type, ic->icmp6_code,
1851 !!(icmpinfo->invflags&IP6T_ICMP_INV));
1854 /* Called when user tries to insert an entry of this type. */
1855 static int icmp6_checkentry(const struct xt_mtchk_param *par)
1857 const struct ip6t_icmp *icmpinfo = par->matchinfo;
1859 /* Must specify no unknown invflags */
1860 return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
1863 /* The built-in targets: standard (NULL) and error. */
1864 static struct xt_target ip6t_builtin_tg[] __read_mostly = {
1866 .name = XT_STANDARD_TARGET,
1867 .targetsize = sizeof(int),
1868 .family = NFPROTO_IPV6,
1869 #ifdef CONFIG_COMPAT
1870 .compatsize = sizeof(compat_int_t),
1871 .compat_from_user = compat_standard_from_user,
1872 .compat_to_user = compat_standard_to_user,
1876 .name = XT_ERROR_TARGET,
1877 .target = ip6t_error,
1878 .targetsize = XT_FUNCTION_MAXNAMELEN,
1879 .family = NFPROTO_IPV6,
1883 static struct nf_sockopt_ops ip6t_sockopts = {
1885 .set_optmin = IP6T_BASE_CTL,
1886 .set_optmax = IP6T_SO_SET_MAX+1,
1887 .set = do_ip6t_set_ctl,
1888 #ifdef CONFIG_COMPAT
1889 .compat_set = compat_do_ip6t_set_ctl,
1891 .get_optmin = IP6T_BASE_CTL,
1892 .get_optmax = IP6T_SO_GET_MAX+1,
1893 .get = do_ip6t_get_ctl,
1894 #ifdef CONFIG_COMPAT
1895 .compat_get = compat_do_ip6t_get_ctl,
1897 .owner = THIS_MODULE,
1900 static struct xt_match ip6t_builtin_mt[] __read_mostly = {
1903 .match = icmp6_match,
1904 .matchsize = sizeof(struct ip6t_icmp),
1905 .checkentry = icmp6_checkentry,
1906 .proto = IPPROTO_ICMPV6,
1907 .family = NFPROTO_IPV6,
1911 static int __net_init ip6_tables_net_init(struct net *net)
1913 return xt_proto_init(net, NFPROTO_IPV6);
1916 static void __net_exit ip6_tables_net_exit(struct net *net)
1918 xt_proto_fini(net, NFPROTO_IPV6);
1921 static struct pernet_operations ip6_tables_net_ops = {
1922 .init = ip6_tables_net_init,
1923 .exit = ip6_tables_net_exit,
1926 static int __init ip6_tables_init(void)
1930 ret = register_pernet_subsys(&ip6_tables_net_ops);
1934 /* No one else will be downing sem now, so we won't sleep */
1935 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
1938 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
1942 /* Register setsockopt */
1943 ret = nf_register_sockopt(&ip6t_sockopts);
1950 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
1952 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
1954 unregister_pernet_subsys(&ip6_tables_net_ops);
1959 static void __exit ip6_tables_fini(void)
1961 nf_unregister_sockopt(&ip6t_sockopts);
1963 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
1964 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
1965 unregister_pernet_subsys(&ip6_tables_net_ops);
1968 EXPORT_SYMBOL(ip6t_register_table);
1969 EXPORT_SYMBOL(ip6t_unregister_table);
1970 EXPORT_SYMBOL(ip6t_do_table);
1972 module_init(ip6_tables_init);
1973 module_exit(ip6_tables_fini);