2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * 19 Jan 2002 Harald Welte <laforge@gnumonks.org>
12 * - increase module usage count as soon as we have rules inside
14 * 06 Jun 2002 Andras Kis-Szabo <kisza@sch.bme.hu>
15 * - new extension header parser code
16 * 15 Oct 2005 Harald Welte <laforge@netfilter.org>
17 * - Unification of {ip,ip6}_tables into x_tables
18 * - Removed tcp and udp code, since it's not ipv6 specific
21 #include <linux/capability.h>
23 #include <linux/skbuff.h>
24 #include <linux/kmod.h>
25 #include <linux/vmalloc.h>
26 #include <linux/netdevice.h>
27 #include <linux/module.h>
28 #include <linux/poison.h>
29 #include <linux/icmpv6.h>
31 #include <asm/uaccess.h>
32 #include <linux/mutex.h>
33 #include <linux/proc_fs.h>
34 #include <linux/cpumask.h>
36 #include <linux/netfilter_ipv6/ip6_tables.h>
37 #include <linux/netfilter/x_tables.h>
39 MODULE_LICENSE("GPL");
40 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
41 MODULE_DESCRIPTION("IPv6 packet filter");
43 #define IPV6_HDR_LEN (sizeof(struct ipv6hdr))
44 #define IPV6_OPTHDR_LEN (sizeof(struct ipv6_opt_hdr))
46 /*#define DEBUG_IP_FIREWALL*/
47 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
48 /*#define DEBUG_IP_FIREWALL_USER*/
50 #ifdef DEBUG_IP_FIREWALL
51 #define dprintf(format, args...) printk(format , ## args)
53 #define dprintf(format, args...)
56 #ifdef DEBUG_IP_FIREWALL_USER
57 #define duprintf(format, args...) printk(format , ## args)
59 #define duprintf(format, args...)
62 #ifdef CONFIG_NETFILTER_DEBUG
63 #define IP_NF_ASSERT(x) \
66 printk("IP_NF_ASSERT: %s:%s:%u\n", \
67 __FUNCTION__, __FILE__, __LINE__); \
70 #define IP_NF_ASSERT(x)
74 #include <linux/netfilter_ipv4/listhelp.h>
77 /* All the better to debug you with... */
83 We keep a set of rules for each CPU, so we can avoid write-locking
84 them in the softirq when updating the counters and therefore
85 only need to read-lock in the softirq; doing a write_lock_bh() in user
86 context stops packets coming through and allows user context to read
87 the counters or update the rules.
89 Hence the start of any table is given by get_table() below. */
92 #define down(x) do { printk("DOWN:%u:" #x "\n", __LINE__); down(x); } while(0)
93 #define down_interruptible(x) ({ int __r; printk("DOWNi:%u:" #x "\n", __LINE__); __r = down_interruptible(x); if (__r != 0) printk("ABORT-DOWNi:%u\n", __LINE__); __r; })
94 #define up(x) do { printk("UP:%u:" #x "\n", __LINE__); up(x); } while(0)
97 /* Check for an extension */
99 ip6t_ext_hdr(u8 nexthdr)
101 return ( (nexthdr == IPPROTO_HOPOPTS) ||
102 (nexthdr == IPPROTO_ROUTING) ||
103 (nexthdr == IPPROTO_FRAGMENT) ||
104 (nexthdr == IPPROTO_ESP) ||
105 (nexthdr == IPPROTO_AH) ||
106 (nexthdr == IPPROTO_NONE) ||
107 (nexthdr == IPPROTO_DSTOPTS) );
110 /* Returns whether matches rule or not. */
112 ip6_packet_match(const struct sk_buff *skb,
115 const struct ip6t_ip6 *ip6info,
116 unsigned int *protoff,
121 const struct ipv6hdr *ipv6 = skb->nh.ipv6h;
123 #define FWINV(bool,invflg) ((bool) ^ !!(ip6info->invflags & invflg))
125 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
126 &ip6info->src), IP6T_INV_SRCIP)
127 || FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
128 &ip6info->dst), IP6T_INV_DSTIP)) {
129 dprintf("Source or dest mismatch.\n");
131 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
132 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
133 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
134 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
135 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
136 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
140 /* Look for ifname matches; this should unroll nicely. */
141 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
142 ret |= (((const unsigned long *)indev)[i]
143 ^ ((const unsigned long *)ip6info->iniface)[i])
144 & ((const unsigned long *)ip6info->iniface_mask)[i];
147 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
148 dprintf("VIA in mismatch (%s vs %s).%s\n",
149 indev, ip6info->iniface,
150 ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
154 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
155 ret |= (((const unsigned long *)outdev)[i]
156 ^ ((const unsigned long *)ip6info->outiface)[i])
157 & ((const unsigned long *)ip6info->outiface_mask)[i];
160 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
161 dprintf("VIA out mismatch (%s vs %s).%s\n",
162 outdev, ip6info->outiface,
163 ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
167 /* ... might want to do something with class and flowlabel here ... */
169 /* look for the desired protocol header */
170 if((ip6info->flags & IP6T_F_PROTO)) {
172 unsigned short _frag_off;
174 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
178 *fragoff = _frag_off;
180 dprintf("Packet protocol %hi ?= %s%hi.\n",
182 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
185 if (ip6info->proto == protohdr) {
186 if(ip6info->invflags & IP6T_INV_PROTO) {
192 /* We need match for the '-p all', too! */
193 if ((ip6info->proto != 0) &&
194 !(ip6info->invflags & IP6T_INV_PROTO))
200 /* should be ip6 safe */
202 ip6_checkentry(const struct ip6t_ip6 *ipv6)
204 if (ipv6->flags & ~IP6T_F_MASK) {
205 duprintf("Unknown flag bits set: %08X\n",
206 ipv6->flags & ~IP6T_F_MASK);
209 if (ipv6->invflags & ~IP6T_INV_MASK) {
210 duprintf("Unknown invflag bits set: %08X\n",
211 ipv6->invflags & ~IP6T_INV_MASK);
218 ip6t_error(struct sk_buff **pskb,
219 const struct net_device *in,
220 const struct net_device *out,
221 unsigned int hooknum,
222 const struct xt_target *target,
223 const void *targinfo,
227 printk("ip6_tables: error: `%s'\n", (char *)targinfo);
233 int do_match(struct ip6t_entry_match *m,
234 const struct sk_buff *skb,
235 const struct net_device *in,
236 const struct net_device *out,
238 unsigned int protoff,
241 /* Stop iteration if it doesn't match */
242 if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
243 offset, protoff, hotdrop))
249 static inline struct ip6t_entry *
250 get_entry(void *base, unsigned int offset)
252 return (struct ip6t_entry *)(base + offset);
255 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
257 ip6t_do_table(struct sk_buff **pskb,
259 const struct net_device *in,
260 const struct net_device *out,
261 struct xt_table *table,
264 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
266 unsigned int protoff = 0;
268 /* Initializing verdict to NF_DROP keeps gcc happy. */
269 unsigned int verdict = NF_DROP;
270 const char *indev, *outdev;
272 struct ip6t_entry *e, *back;
273 struct xt_table_info *private;
276 indev = in ? in->name : nulldevname;
277 outdev = out ? out->name : nulldevname;
278 /* We handle fragments by dealing with the first fragment as
279 * if it was a normal packet. All other fragments are treated
280 * normally, except that they will NEVER match rules that ask
281 * things we don't know, ie. tcp syn flag or ports). If the
282 * rule is also a fragment-specific rule, non-fragments won't
285 read_lock_bh(&table->lock);
286 private = table->private;
287 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
288 table_base = (void *)private->entries[smp_processor_id()];
289 e = get_entry(table_base, private->hook_entry[hook]);
291 /* For return from builtin chain */
292 back = get_entry(table_base, private->underflow[hook]);
297 if (ip6_packet_match(*pskb, indev, outdev, &e->ipv6,
298 &protoff, &offset)) {
299 struct ip6t_entry_target *t;
301 if (IP6T_MATCH_ITERATE(e, do_match,
303 offset, protoff, &hotdrop) != 0)
306 ADD_COUNTER(e->counters,
307 ntohs((*pskb)->nh.ipv6h->payload_len)
311 t = ip6t_get_target(e);
312 IP_NF_ASSERT(t->u.kernel.target);
313 /* Standard target? */
314 if (!t->u.kernel.target->target) {
317 v = ((struct ip6t_standard_target *)t)->verdict;
319 /* Pop from stack? */
320 if (v != IP6T_RETURN) {
321 verdict = (unsigned)(-v) - 1;
325 back = get_entry(table_base,
329 if (table_base + v != (void *)e + e->next_offset
330 && !(e->ipv6.flags & IP6T_F_GOTO)) {
331 /* Save old back ptr in next entry */
332 struct ip6t_entry *next
333 = (void *)e + e->next_offset;
335 = (void *)back - table_base;
336 /* set back pointer to next entry */
340 e = get_entry(table_base, v);
342 /* Targets which reenter must return
344 #ifdef CONFIG_NETFILTER_DEBUG
345 ((struct ip6t_entry *)table_base)->comefrom
348 verdict = t->u.kernel.target->target(pskb,
355 #ifdef CONFIG_NETFILTER_DEBUG
356 if (((struct ip6t_entry *)table_base)->comefrom
358 && verdict == IP6T_CONTINUE) {
359 printk("Target %s reentered!\n",
360 t->u.kernel.target->name);
363 ((struct ip6t_entry *)table_base)->comefrom
366 if (verdict == IP6T_CONTINUE)
367 e = (void *)e + e->next_offset;
375 e = (void *)e + e->next_offset;
379 #ifdef CONFIG_NETFILTER_DEBUG
380 ((struct ip6t_entry *)table_base)->comefrom = NETFILTER_LINK_POISON;
382 read_unlock_bh(&table->lock);
384 #ifdef DEBUG_ALLOW_ALL
393 /* All zeroes == unconditional rule. */
395 unconditional(const struct ip6t_ip6 *ipv6)
399 for (i = 0; i < sizeof(*ipv6); i++)
400 if (((char *)ipv6)[i])
403 return (i == sizeof(*ipv6));
406 /* Figures out from what hook each rule can be called: returns 0 if
407 there are loops. Puts hook bitmask in comefrom. */
409 mark_source_chains(struct xt_table_info *newinfo,
410 unsigned int valid_hooks, void *entry0)
414 /* No recursion; use packet counter to save back ptrs (reset
415 to 0 as we leave), and comefrom to save source hook bitmask */
416 for (hook = 0; hook < NF_IP6_NUMHOOKS; hook++) {
417 unsigned int pos = newinfo->hook_entry[hook];
419 = (struct ip6t_entry *)(entry0 + pos);
421 if (!(valid_hooks & (1 << hook)))
424 /* Set initial back pointer. */
425 e->counters.pcnt = pos;
428 struct ip6t_standard_target *t
429 = (void *)ip6t_get_target(e);
431 if (e->comefrom & (1 << NF_IP6_NUMHOOKS)) {
432 printk("iptables: loop hook %u pos %u %08X.\n",
433 hook, pos, e->comefrom);
437 |= ((1 << hook) | (1 << NF_IP6_NUMHOOKS));
439 /* Unconditional return/END. */
440 if (e->target_offset == sizeof(struct ip6t_entry)
441 && (strcmp(t->target.u.user.name,
442 IP6T_STANDARD_TARGET) == 0)
444 && unconditional(&e->ipv6)) {
445 unsigned int oldpos, size;
447 /* Return: backtrack through the last
450 e->comefrom ^= (1<<NF_IP6_NUMHOOKS);
451 #ifdef DEBUG_IP_FIREWALL_USER
453 & (1 << NF_IP6_NUMHOOKS)) {
454 duprintf("Back unset "
461 pos = e->counters.pcnt;
462 e->counters.pcnt = 0;
464 /* We're at the start. */
468 e = (struct ip6t_entry *)
470 } while (oldpos == pos + e->next_offset);
473 size = e->next_offset;
474 e = (struct ip6t_entry *)
475 (entry0 + pos + size);
476 e->counters.pcnt = pos;
479 int newpos = t->verdict;
481 if (strcmp(t->target.u.user.name,
482 IP6T_STANDARD_TARGET) == 0
484 /* This a jump; chase it. */
485 duprintf("Jump rule %u -> %u\n",
488 /* ... this is a fallthru */
489 newpos = pos + e->next_offset;
491 e = (struct ip6t_entry *)
493 e->counters.pcnt = pos;
498 duprintf("Finished chain %u\n", hook);
504 cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
506 if (i && (*i)-- == 0)
509 if (m->u.kernel.match->destroy)
510 m->u.kernel.match->destroy(m->u.kernel.match, m->data,
511 m->u.match_size - sizeof(*m));
512 module_put(m->u.kernel.match->me);
517 standard_check(const struct ip6t_entry_target *t,
518 unsigned int max_offset)
520 struct ip6t_standard_target *targ = (void *)t;
522 /* Check standard info. */
523 if (targ->verdict >= 0
524 && targ->verdict > max_offset - sizeof(struct ip6t_entry)) {
525 duprintf("ip6t_standard_check: bad verdict (%i)\n",
529 if (targ->verdict < -NF_MAX_VERDICT - 1) {
530 duprintf("ip6t_standard_check: bad negative verdict (%i)\n",
538 check_match(struct ip6t_entry_match *m,
540 const struct ip6t_ip6 *ipv6,
541 unsigned int hookmask,
544 struct ip6t_match *match;
547 match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
549 "ip6t_%s", m->u.user.name);
550 if (IS_ERR(match) || !match) {
551 duprintf("check_match: `%s' not found\n", m->u.user.name);
552 return match ? PTR_ERR(match) : -ENOENT;
554 m->u.kernel.match = match;
556 ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
557 name, hookmask, ipv6->proto,
558 ipv6->invflags & IP6T_INV_PROTO);
562 if (m->u.kernel.match->checkentry
563 && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
564 m->u.match_size - sizeof(*m),
566 duprintf("ip_tables: check failed for `%s'.\n",
567 m->u.kernel.match->name);
575 module_put(m->u.kernel.match->me);
579 static struct ip6t_target ip6t_standard_target;
582 check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
585 struct ip6t_entry_target *t;
586 struct ip6t_target *target;
590 if (!ip6_checkentry(&e->ipv6)) {
591 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
596 ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6, e->comefrom, &j);
598 goto cleanup_matches;
600 t = ip6t_get_target(e);
601 target = try_then_request_module(xt_find_target(AF_INET6,
604 "ip6t_%s", t->u.user.name);
605 if (IS_ERR(target) || !target) {
606 duprintf("check_entry: `%s' not found\n", t->u.user.name);
607 ret = target ? PTR_ERR(target) : -ENOENT;
608 goto cleanup_matches;
610 t->u.kernel.target = target;
612 ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
613 name, e->comefrom, e->ipv6.proto,
614 e->ipv6.invflags & IP6T_INV_PROTO);
618 if (t->u.kernel.target == &ip6t_standard_target) {
619 if (!standard_check(t, size)) {
621 goto cleanup_matches;
623 } else if (t->u.kernel.target->checkentry
624 && !t->u.kernel.target->checkentry(name, e, target, t->data,
628 duprintf("ip_tables: check failed for `%s'.\n",
629 t->u.kernel.target->name);
637 module_put(t->u.kernel.target->me);
639 IP6T_MATCH_ITERATE(e, cleanup_match, &j);
644 check_entry_size_and_hooks(struct ip6t_entry *e,
645 struct xt_table_info *newinfo,
647 unsigned char *limit,
648 const unsigned int *hook_entries,
649 const unsigned int *underflows,
654 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0
655 || (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
656 duprintf("Bad offset %p\n", e);
661 < sizeof(struct ip6t_entry) + sizeof(struct ip6t_entry_target)) {
662 duprintf("checking: element %p size %u\n",
667 /* Check hooks & underflows */
668 for (h = 0; h < NF_IP6_NUMHOOKS; h++) {
669 if ((unsigned char *)e - base == hook_entries[h])
670 newinfo->hook_entry[h] = hook_entries[h];
671 if ((unsigned char *)e - base == underflows[h])
672 newinfo->underflow[h] = underflows[h];
675 /* FIXME: underflows must be unconditional, standard verdicts
676 < 0 (not IP6T_RETURN). --RR */
678 /* Clear counters and comefrom */
679 e->counters = ((struct xt_counters) { 0, 0 });
687 cleanup_entry(struct ip6t_entry *e, unsigned int *i)
689 struct ip6t_entry_target *t;
691 if (i && (*i)-- == 0)
694 /* Cleanup all matches */
695 IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
696 t = ip6t_get_target(e);
697 if (t->u.kernel.target->destroy)
698 t->u.kernel.target->destroy(t->u.kernel.target, t->data,
699 t->u.target_size - sizeof(*t));
700 module_put(t->u.kernel.target->me);
704 /* Checks and translates the user-supplied table segment (held in
707 translate_table(const char *name,
708 unsigned int valid_hooks,
709 struct xt_table_info *newinfo,
713 const unsigned int *hook_entries,
714 const unsigned int *underflows)
719 newinfo->size = size;
720 newinfo->number = number;
722 /* Init all hooks to impossible value. */
723 for (i = 0; i < NF_IP6_NUMHOOKS; i++) {
724 newinfo->hook_entry[i] = 0xFFFFFFFF;
725 newinfo->underflow[i] = 0xFFFFFFFF;
728 duprintf("translate_table: size %u\n", newinfo->size);
730 /* Walk through entries, checking offsets. */
731 ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
732 check_entry_size_and_hooks,
736 hook_entries, underflows, &i);
741 duprintf("translate_table: %u not %u entries\n",
746 /* Check hooks all assigned */
747 for (i = 0; i < NF_IP6_NUMHOOKS; i++) {
748 /* Only hooks which are valid */
749 if (!(valid_hooks & (1 << i)))
751 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
752 duprintf("Invalid hook entry %u %u\n",
756 if (newinfo->underflow[i] == 0xFFFFFFFF) {
757 duprintf("Invalid underflow %u %u\n",
763 if (!mark_source_chains(newinfo, valid_hooks, entry0))
766 /* Finally, each sanity check must pass */
768 ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
769 check_entry, name, size, &i);
772 IP6T_ENTRY_ITERATE(entry0, newinfo->size,
777 /* And one copy for every other CPU */
778 for_each_possible_cpu(i) {
779 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
780 memcpy(newinfo->entries[i], entry0, newinfo->size);
788 add_entry_to_counter(const struct ip6t_entry *e,
789 struct xt_counters total[],
792 ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
799 set_entry_to_counter(const struct ip6t_entry *e,
800 struct ip6t_counters total[],
803 SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
810 get_counters(const struct xt_table_info *t,
811 struct xt_counters counters[])
817 /* Instead of clearing (by a previous call to memset())
818 * the counters and using adds, we set the counters
819 * with data used by 'current' CPU
820 * We dont care about preemption here.
822 curcpu = raw_smp_processor_id();
825 IP6T_ENTRY_ITERATE(t->entries[curcpu],
827 set_entry_to_counter,
831 for_each_possible_cpu(cpu) {
835 IP6T_ENTRY_ITERATE(t->entries[cpu],
837 add_entry_to_counter,
844 copy_entries_to_user(unsigned int total_size,
845 struct xt_table *table,
846 void __user *userptr)
848 unsigned int off, num, countersize;
849 struct ip6t_entry *e;
850 struct xt_counters *counters;
851 struct xt_table_info *private = table->private;
855 /* We need atomic snapshot of counters: rest doesn't change
856 (other than comefrom, which userspace doesn't care
858 countersize = sizeof(struct xt_counters) * private->number;
859 counters = vmalloc(countersize);
861 if (counters == NULL)
864 /* First, sum counters... */
865 write_lock_bh(&table->lock);
866 get_counters(private, counters);
867 write_unlock_bh(&table->lock);
869 /* choose the copy that is on ourc node/cpu */
870 loc_cpu_entry = private->entries[raw_smp_processor_id()];
871 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
876 /* FIXME: use iterator macros --RR */
877 /* ... then go back and fix counters and names */
878 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
880 struct ip6t_entry_match *m;
881 struct ip6t_entry_target *t;
883 e = (struct ip6t_entry *)(loc_cpu_entry + off);
884 if (copy_to_user(userptr + off
885 + offsetof(struct ip6t_entry, counters),
887 sizeof(counters[num])) != 0) {
892 for (i = sizeof(struct ip6t_entry);
893 i < e->target_offset;
894 i += m->u.match_size) {
897 if (copy_to_user(userptr + off + i
898 + offsetof(struct ip6t_entry_match,
900 m->u.kernel.match->name,
901 strlen(m->u.kernel.match->name)+1)
908 t = ip6t_get_target(e);
909 if (copy_to_user(userptr + off + e->target_offset
910 + offsetof(struct ip6t_entry_target,
912 t->u.kernel.target->name,
913 strlen(t->u.kernel.target->name)+1) != 0) {
925 get_entries(const struct ip6t_get_entries *entries,
926 struct ip6t_get_entries __user *uptr)
931 t = xt_find_table_lock(AF_INET6, entries->name);
932 if (t && !IS_ERR(t)) {
933 struct xt_table_info *private = t->private;
934 duprintf("t->private->number = %u\n", private->number);
935 if (entries->size == private->size)
936 ret = copy_entries_to_user(private->size,
937 t, uptr->entrytable);
939 duprintf("get_entries: I've got %u not %u!\n",
940 private->size, entries->size);
946 ret = t ? PTR_ERR(t) : -ENOENT;
952 do_replace(void __user *user, unsigned int len)
955 struct ip6t_replace tmp;
957 struct xt_table_info *newinfo, *oldinfo;
958 struct xt_counters *counters;
959 void *loc_cpu_entry, *loc_cpu_old_entry;
961 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
965 if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
968 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
971 newinfo = xt_alloc_table_info(tmp.size);
975 /* choose the copy that is on our node/cpu */
976 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
977 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
983 counters = vmalloc(tmp.num_counters * sizeof(struct xt_counters));
989 ret = translate_table(tmp.name, tmp.valid_hooks,
990 newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
991 tmp.hook_entry, tmp.underflow);
993 goto free_newinfo_counters;
995 duprintf("ip_tables: Translated table\n");
997 t = try_then_request_module(xt_find_table_lock(AF_INET6, tmp.name),
998 "ip6table_%s", tmp.name);
999 if (!t || IS_ERR(t)) {
1000 ret = t ? PTR_ERR(t) : -ENOENT;
1001 goto free_newinfo_counters_untrans;
1005 if (tmp.valid_hooks != t->valid_hooks) {
1006 duprintf("Valid hook crap: %08X vs %08X\n",
1007 tmp.valid_hooks, t->valid_hooks);
1012 oldinfo = xt_replace_table(t, tmp.num_counters, newinfo, &ret);
1016 /* Update module usage count based on number of rules */
1017 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1018 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1019 if ((oldinfo->number > oldinfo->initial_entries) ||
1020 (newinfo->number <= oldinfo->initial_entries))
1022 if ((oldinfo->number > oldinfo->initial_entries) &&
1023 (newinfo->number <= oldinfo->initial_entries))
1026 /* Get the old counters. */
1027 get_counters(oldinfo, counters);
1028 /* Decrease module usage counts and free resource */
1029 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1030 IP6T_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
1031 xt_free_table_info(oldinfo);
1032 if (copy_to_user(tmp.counters, counters,
1033 sizeof(struct xt_counters) * tmp.num_counters) != 0)
1042 free_newinfo_counters_untrans:
1043 IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
1044 free_newinfo_counters:
1047 xt_free_table_info(newinfo);
1051 /* We're lazy, and add to the first CPU; overflow works its fey magic
1052 * and everything is OK. */
1054 add_counter_to_entry(struct ip6t_entry *e,
1055 const struct xt_counters addme[],
1059 duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
1061 (long unsigned int)e->counters.pcnt,
1062 (long unsigned int)e->counters.bcnt,
1063 (long unsigned int)addme[*i].pcnt,
1064 (long unsigned int)addme[*i].bcnt);
1067 ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
1074 do_add_counters(void __user *user, unsigned int len)
1077 struct xt_counters_info tmp, *paddc;
1078 struct xt_table_info *private;
1081 void *loc_cpu_entry;
1083 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1086 if (len != sizeof(tmp) + tmp.num_counters*sizeof(struct xt_counters))
1089 paddc = vmalloc(len);
1093 if (copy_from_user(paddc, user, len) != 0) {
1098 t = xt_find_table_lock(AF_INET6, tmp.name);
1099 if (!t || IS_ERR(t)) {
1100 ret = t ? PTR_ERR(t) : -ENOENT;
1104 write_lock_bh(&t->lock);
1105 private = t->private;
1106 if (private->number != tmp.num_counters) {
1108 goto unlock_up_free;
1112 /* Choose the copy that is on our node */
1113 loc_cpu_entry = private->entries[smp_processor_id()];
1114 IP6T_ENTRY_ITERATE(loc_cpu_entry,
1116 add_counter_to_entry,
1120 write_unlock_bh(&t->lock);
1130 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1134 if (!capable(CAP_NET_ADMIN))
1138 case IP6T_SO_SET_REPLACE:
1139 ret = do_replace(user, len);
1142 case IP6T_SO_SET_ADD_COUNTERS:
1143 ret = do_add_counters(user, len);
1147 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1155 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1159 if (!capable(CAP_NET_ADMIN))
1163 case IP6T_SO_GET_INFO: {
1164 char name[IP6T_TABLE_MAXNAMELEN];
1167 if (*len != sizeof(struct ip6t_getinfo)) {
1168 duprintf("length %u != %u\n", *len,
1169 sizeof(struct ip6t_getinfo));
1174 if (copy_from_user(name, user, sizeof(name)) != 0) {
1178 name[IP6T_TABLE_MAXNAMELEN-1] = '\0';
1180 t = try_then_request_module(xt_find_table_lock(AF_INET6, name),
1181 "ip6table_%s", name);
1182 if (t && !IS_ERR(t)) {
1183 struct ip6t_getinfo info;
1184 struct xt_table_info *private = t->private;
1186 info.valid_hooks = t->valid_hooks;
1187 memcpy(info.hook_entry, private->hook_entry,
1188 sizeof(info.hook_entry));
1189 memcpy(info.underflow, private->underflow,
1190 sizeof(info.underflow));
1191 info.num_entries = private->number;
1192 info.size = private->size;
1193 memcpy(info.name, name, sizeof(info.name));
1195 if (copy_to_user(user, &info, *len) != 0)
1202 ret = t ? PTR_ERR(t) : -ENOENT;
1206 case IP6T_SO_GET_ENTRIES: {
1207 struct ip6t_get_entries get;
1209 if (*len < sizeof(get)) {
1210 duprintf("get_entries: %u < %u\n", *len, sizeof(get));
1212 } else if (copy_from_user(&get, user, sizeof(get)) != 0) {
1214 } else if (*len != sizeof(struct ip6t_get_entries) + get.size) {
1215 duprintf("get_entries: %u != %u\n", *len,
1216 sizeof(struct ip6t_get_entries) + get.size);
1219 ret = get_entries(&get, user);
1223 case IP6T_SO_GET_REVISION_MATCH:
1224 case IP6T_SO_GET_REVISION_TARGET: {
1225 struct ip6t_get_revision rev;
1228 if (*len != sizeof(rev)) {
1232 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
1237 if (cmd == IP6T_SO_GET_REVISION_TARGET)
1242 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
1245 "ip6t_%s", rev.name);
1250 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
1257 int ip6t_register_table(struct xt_table *table,
1258 const struct ip6t_replace *repl)
1261 struct xt_table_info *newinfo;
1262 static struct xt_table_info bootstrap
1263 = { 0, 0, 0, { 0 }, { 0 }, { } };
1264 void *loc_cpu_entry;
1266 newinfo = xt_alloc_table_info(repl->size);
1270 /* choose the copy on our node/cpu */
1271 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1272 memcpy(loc_cpu_entry, repl->entries, repl->size);
1274 ret = translate_table(table->name, table->valid_hooks,
1275 newinfo, loc_cpu_entry, repl->size,
1280 xt_free_table_info(newinfo);
1284 ret = xt_register_table(table, &bootstrap, newinfo);
1286 xt_free_table_info(newinfo);
1293 void ip6t_unregister_table(struct xt_table *table)
1295 struct xt_table_info *private;
1296 void *loc_cpu_entry;
1298 private = xt_unregister_table(table);
1300 /* Decrease module usage counts and free resources */
1301 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1302 IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
1303 xt_free_table_info(private);
1306 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
1308 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
1309 u_int8_t type, u_int8_t code,
1312 return (type == test_type && code >= min_code && code <= max_code)
1317 icmp6_match(const struct sk_buff *skb,
1318 const struct net_device *in,
1319 const struct net_device *out,
1320 const struct xt_match *match,
1321 const void *matchinfo,
1323 unsigned int protoff,
1326 struct icmp6hdr _icmp, *ic;
1327 const struct ip6t_icmp *icmpinfo = matchinfo;
1329 /* Must not be a fragment. */
1333 ic = skb_header_pointer(skb, protoff, sizeof(_icmp), &_icmp);
1335 /* We've been asked to examine this packet, and we
1336 can't. Hence, no choice but to drop. */
1337 duprintf("Dropping evil ICMP tinygram.\n");
1342 return icmp6_type_code_match(icmpinfo->type,
1345 ic->icmp6_type, ic->icmp6_code,
1346 !!(icmpinfo->invflags&IP6T_ICMP_INV));
1349 /* Called when user tries to insert an entry of this type. */
1351 icmp6_checkentry(const char *tablename,
1353 const struct xt_match *match,
1355 unsigned int matchsize,
1356 unsigned int hook_mask)
1358 const struct ip6t_icmp *icmpinfo = matchinfo;
1360 /* Must specify no unknown invflags */
1361 return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
1364 /* The built-in targets: standard (NULL) and error. */
1365 static struct ip6t_target ip6t_standard_target = {
1366 .name = IP6T_STANDARD_TARGET,
1367 .targetsize = sizeof(int),
1371 static struct ip6t_target ip6t_error_target = {
1372 .name = IP6T_ERROR_TARGET,
1373 .target = ip6t_error,
1374 .targetsize = IP6T_FUNCTION_MAXNAMELEN,
1378 static struct nf_sockopt_ops ip6t_sockopts = {
1380 .set_optmin = IP6T_BASE_CTL,
1381 .set_optmax = IP6T_SO_SET_MAX+1,
1382 .set = do_ip6t_set_ctl,
1383 .get_optmin = IP6T_BASE_CTL,
1384 .get_optmax = IP6T_SO_GET_MAX+1,
1385 .get = do_ip6t_get_ctl,
1388 static struct ip6t_match icmp6_matchstruct = {
1390 .match = &icmp6_match,
1391 .matchsize = sizeof(struct ip6t_icmp),
1392 .checkentry = icmp6_checkentry,
1393 .proto = IPPROTO_ICMPV6,
1397 static int __init ip6_tables_init(void)
1401 ret = xt_proto_init(AF_INET6);
1405 /* Noone else will be downing sem now, so we won't sleep */
1406 ret = xt_register_target(&ip6t_standard_target);
1409 ret = xt_register_target(&ip6t_error_target);
1412 ret = xt_register_match(&icmp6_matchstruct);
1416 /* Register setsockopt */
1417 ret = nf_register_sockopt(&ip6t_sockopts);
1421 printk("ip6_tables: (C) 2000-2006 Netfilter Core Team\n");
1425 xt_unregister_match(&icmp6_matchstruct);
1427 xt_unregister_target(&ip6t_error_target);
1429 xt_unregister_target(&ip6t_standard_target);
1431 xt_proto_fini(AF_INET6);
1436 static void __exit ip6_tables_fini(void)
1438 nf_unregister_sockopt(&ip6t_sockopts);
1439 xt_unregister_match(&icmp6_matchstruct);
1440 xt_unregister_target(&ip6t_error_target);
1441 xt_unregister_target(&ip6t_standard_target);
1442 xt_proto_fini(AF_INET6);
1446 * find the offset to specified header or the protocol number of last header
1447 * if target < 0. "last header" is transport protocol header, ESP, or
1450 * If target header is found, its offset is set in *offset and return protocol
1451 * number. Otherwise, return -1.
1453 * Note that non-1st fragment is special case that "the protocol number
1454 * of last header" is "next header" field in Fragment header. In this case,
1455 * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
1459 int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
1460 int target, unsigned short *fragoff)
1462 unsigned int start = (u8*)(skb->nh.ipv6h + 1) - skb->data;
1463 u8 nexthdr = skb->nh.ipv6h->nexthdr;
1464 unsigned int len = skb->len - start;
1469 while (nexthdr != target) {
1470 struct ipv6_opt_hdr _hdr, *hp;
1471 unsigned int hdrlen;
1473 if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
1479 hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
1482 if (nexthdr == NEXTHDR_FRAGMENT) {
1483 unsigned short _frag_off, *fp;
1484 fp = skb_header_pointer(skb,
1485 start+offsetof(struct frag_hdr,
1492 _frag_off = ntohs(*fp) & ~0x7;
1495 ((!ipv6_ext_hdr(hp->nexthdr)) ||
1496 nexthdr == NEXTHDR_NONE)) {
1498 *fragoff = _frag_off;
1504 } else if (nexthdr == NEXTHDR_AUTH)
1505 hdrlen = (hp->hdrlen + 2) << 2;
1507 hdrlen = ipv6_optlen(hp);
1509 nexthdr = hp->nexthdr;
1518 EXPORT_SYMBOL(ip6t_register_table);
1519 EXPORT_SYMBOL(ip6t_unregister_table);
1520 EXPORT_SYMBOL(ip6t_do_table);
1521 EXPORT_SYMBOL(ip6t_ext_hdr);
1522 EXPORT_SYMBOL(ipv6_find_hdr);
1524 module_init(ip6_tables_init);
1525 module_exit(ip6_tables_fini);
git.samba.org / sfrench / cifs-2.6.git / blob