2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12 #include <linux/capability.h>
14 #include <linux/skbuff.h>
15 #include <linux/kmod.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netdevice.h>
18 #include <linux/module.h>
19 #include <linux/poison.h>
20 #include <linux/icmpv6.h>
22 #include <net/compat.h>
23 #include <asm/uaccess.h>
24 #include <linux/mutex.h>
25 #include <linux/proc_fs.h>
26 #include <linux/err.h>
27 #include <linux/cpumask.h>
29 #include <linux/netfilter_ipv6/ip6_tables.h>
30 #include <linux/netfilter/x_tables.h>
31 #include <net/netfilter/nf_log.h>
32 #include "../../netfilter/xt_repldata.h"
34 MODULE_LICENSE("GPL");
35 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
36 MODULE_DESCRIPTION("IPv6 packet filter");
38 /*#define DEBUG_IP_FIREWALL*/
39 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
40 /*#define DEBUG_IP_FIREWALL_USER*/
42 #ifdef DEBUG_IP_FIREWALL
43 #define dprintf(format, args...) pr_info(format , ## args)
45 #define dprintf(format, args...)
48 #ifdef DEBUG_IP_FIREWALL_USER
49 #define duprintf(format, args...) pr_info(format , ## args)
51 #define duprintf(format, args...)
54 #ifdef CONFIG_NETFILTER_DEBUG
55 #define IP_NF_ASSERT(x) WARN_ON(!(x))
57 #define IP_NF_ASSERT(x)
61 /* All the better to debug you with... */
66 void *ip6t_alloc_initial_table(const struct xt_table *info)
68 return xt_alloc_initial_table(ip6t, IP6T);
70 EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
73 We keep a set of rules for each CPU, so we can avoid write-locking
74 them in the softirq when updating the counters and therefore
75 only need to read-lock in the softirq; doing a write_lock_bh() in user
76 context stops packets coming through and allows user context to read
77 the counters or update the rules.
79 Hence the start of any table is given by get_table() below. */
81 /* Check for an extension */
83 ip6t_ext_hdr(u8 nexthdr)
85 return (nexthdr == IPPROTO_HOPOPTS) ||
86 (nexthdr == IPPROTO_ROUTING) ||
87 (nexthdr == IPPROTO_FRAGMENT) ||
88 (nexthdr == IPPROTO_ESP) ||
89 (nexthdr == IPPROTO_AH) ||
90 (nexthdr == IPPROTO_NONE) ||
91 (nexthdr == IPPROTO_DSTOPTS);
94 /* Returns whether matches rule or not. */
95 /* Performance critical - called for every packet */
97 ip6_packet_match(const struct sk_buff *skb,
100 const struct ip6t_ip6 *ip6info,
101 unsigned int *protoff,
102 int *fragoff, bool *hotdrop)
105 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
107 #define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
109 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
110 &ip6info->src), IP6T_INV_SRCIP) ||
111 FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
112 &ip6info->dst), IP6T_INV_DSTIP)) {
113 dprintf("Source or dest mismatch.\n");
115 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
116 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
117 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
118 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
119 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
120 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
124 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
126 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
127 dprintf("VIA in mismatch (%s vs %s).%s\n",
128 indev, ip6info->iniface,
129 ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
133 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
135 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
136 dprintf("VIA out mismatch (%s vs %s).%s\n",
137 outdev, ip6info->outiface,
138 ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
142 /* ... might want to do something with class and flowlabel here ... */
144 /* look for the desired protocol header */
145 if((ip6info->flags & IP6T_F_PROTO)) {
147 unsigned short _frag_off;
149 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
155 *fragoff = _frag_off;
157 dprintf("Packet protocol %hi ?= %s%hi.\n",
159 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
162 if (ip6info->proto == protohdr) {
163 if(ip6info->invflags & IP6T_INV_PROTO) {
169 /* We need match for the '-p all', too! */
170 if ((ip6info->proto != 0) &&
171 !(ip6info->invflags & IP6T_INV_PROTO))
177 /* should be ip6 safe */
179 ip6_checkentry(const struct ip6t_ip6 *ipv6)
181 if (ipv6->flags & ~IP6T_F_MASK) {
182 duprintf("Unknown flag bits set: %08X\n",
183 ipv6->flags & ~IP6T_F_MASK);
186 if (ipv6->invflags & ~IP6T_INV_MASK) {
187 duprintf("Unknown invflag bits set: %08X\n",
188 ipv6->invflags & ~IP6T_INV_MASK);
195 ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
198 pr_info("error: `%s'\n", (const char *)par->targinfo);
203 static inline struct ip6t_entry *
204 get_entry(const void *base, unsigned int offset)
206 return (struct ip6t_entry *)(base + offset);
209 /* All zeroes == unconditional rule. */
210 /* Mildly perf critical (only if packet tracing is on) */
211 static inline bool unconditional(const struct ip6t_ip6 *ipv6)
213 static const struct ip6t_ip6 uncond;
215 return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
218 static inline const struct xt_entry_target *
219 ip6t_get_target_c(const struct ip6t_entry *e)
221 return ip6t_get_target((struct ip6t_entry *)e);
224 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
225 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
226 /* This cries for unification! */
227 static const char *const hooknames[] = {
228 [NF_INET_PRE_ROUTING] = "PREROUTING",
229 [NF_INET_LOCAL_IN] = "INPUT",
230 [NF_INET_FORWARD] = "FORWARD",
231 [NF_INET_LOCAL_OUT] = "OUTPUT",
232 [NF_INET_POST_ROUTING] = "POSTROUTING",
235 enum nf_ip_trace_comments {
236 NF_IP6_TRACE_COMMENT_RULE,
237 NF_IP6_TRACE_COMMENT_RETURN,
238 NF_IP6_TRACE_COMMENT_POLICY,
241 static const char *const comments[] = {
242 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
243 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
244 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
247 static struct nf_loginfo trace_loginfo = {
248 .type = NF_LOG_TYPE_LOG,
252 .logflags = NF_LOG_MASK,
257 /* Mildly perf critical (only if packet tracing is on) */
259 get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
260 const char *hookname, const char **chainname,
261 const char **comment, unsigned int *rulenum)
263 const struct xt_standard_target *t = (void *)ip6t_get_target_c(s);
265 if (strcmp(t->target.u.kernel.target->name, XT_ERROR_TARGET) == 0) {
266 /* Head of user chain: ERROR target with chainname */
267 *chainname = t->target.data;
272 if (s->target_offset == sizeof(struct ip6t_entry) &&
273 strcmp(t->target.u.kernel.target->name,
274 XT_STANDARD_TARGET) == 0 &&
276 unconditional(&s->ipv6)) {
277 /* Tail of chains: STANDARD target (return/policy) */
278 *comment = *chainname == hookname
279 ? comments[NF_IP6_TRACE_COMMENT_POLICY]
280 : comments[NF_IP6_TRACE_COMMENT_RETURN];
289 static void trace_packet(const struct sk_buff *skb,
291 const struct net_device *in,
292 const struct net_device *out,
293 const char *tablename,
294 const struct xt_table_info *private,
295 const struct ip6t_entry *e)
297 const void *table_base;
298 const struct ip6t_entry *root;
299 const char *hookname, *chainname, *comment;
300 const struct ip6t_entry *iter;
301 unsigned int rulenum = 0;
303 table_base = private->entries[smp_processor_id()];
304 root = get_entry(table_base, private->hook_entry[hook]);
306 hookname = chainname = hooknames[hook];
307 comment = comments[NF_IP6_TRACE_COMMENT_RULE];
309 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
310 if (get_chainname_rulenum(iter, e, hookname,
311 &chainname, &comment, &rulenum) != 0)
314 nf_log_packet(AF_INET6, hook, skb, in, out, &trace_loginfo,
315 "TRACE: %s:%s:%s:%u ",
316 tablename, chainname, comment, rulenum);
320 static inline __pure struct ip6t_entry *
321 ip6t_next_entry(const struct ip6t_entry *entry)
323 return (void *)entry + entry->next_offset;
326 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
328 ip6t_do_table(struct sk_buff *skb,
330 const struct net_device *in,
331 const struct net_device *out,
332 struct xt_table *table)
334 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
335 /* Initializing verdict to NF_DROP keeps gcc happy. */
336 unsigned int verdict = NF_DROP;
337 const char *indev, *outdev;
338 const void *table_base;
339 struct ip6t_entry *e, **jumpstack;
340 unsigned int *stackptr, origptr, cpu;
341 const struct xt_table_info *private;
342 struct xt_action_param acpar;
345 indev = in ? in->name : nulldevname;
346 outdev = out ? out->name : nulldevname;
347 /* We handle fragments by dealing with the first fragment as
348 * if it was a normal packet. All other fragments are treated
349 * normally, except that they will NEVER match rules that ask
350 * things we don't know, ie. tcp syn flag or ports). If the
351 * rule is also a fragment-specific rule, non-fragments won't
353 acpar.hotdrop = false;
356 acpar.family = NFPROTO_IPV6;
357 acpar.hooknum = hook;
359 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
362 private = table->private;
363 cpu = smp_processor_id();
364 table_base = private->entries[cpu];
365 jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
366 stackptr = per_cpu_ptr(private->stackptr, cpu);
369 e = get_entry(table_base, private->hook_entry[hook]);
372 const struct xt_entry_target *t;
373 const struct xt_entry_match *ematch;
376 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
377 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
379 e = ip6t_next_entry(e);
383 xt_ematch_foreach(ematch, e) {
384 acpar.match = ematch->u.kernel.match;
385 acpar.matchinfo = ematch->data;
386 if (!acpar.match->match(skb, &acpar))
390 ADD_COUNTER(e->counters, skb->len, 1);
392 t = ip6t_get_target_c(e);
393 IP_NF_ASSERT(t->u.kernel.target);
395 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
396 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
397 /* The packet is traced: log it */
398 if (unlikely(skb->nf_trace))
399 trace_packet(skb, hook, in, out,
400 table->name, private, e);
402 /* Standard target? */
403 if (!t->u.kernel.target->target) {
406 v = ((struct xt_standard_target *)t)->verdict;
408 /* Pop from stack? */
409 if (v != XT_RETURN) {
410 verdict = (unsigned)(-v) - 1;
414 e = get_entry(table_base,
415 private->underflow[hook]);
417 e = ip6t_next_entry(jumpstack[--*stackptr]);
420 if (table_base + v != ip6t_next_entry(e) &&
421 !(e->ipv6.flags & IP6T_F_GOTO)) {
422 if (*stackptr >= private->stacksize) {
426 jumpstack[(*stackptr)++] = e;
429 e = get_entry(table_base, v);
433 acpar.target = t->u.kernel.target;
434 acpar.targinfo = t->data;
436 verdict = t->u.kernel.target->target(skb, &acpar);
437 if (verdict == XT_CONTINUE)
438 e = ip6t_next_entry(e);
442 } while (!acpar.hotdrop);
444 xt_info_rdunlock_bh();
447 #ifdef DEBUG_ALLOW_ALL
456 /* Figures out from what hook each rule can be called: returns 0 if
457 there are loops. Puts hook bitmask in comefrom. */
459 mark_source_chains(const struct xt_table_info *newinfo,
460 unsigned int valid_hooks, void *entry0)
464 /* No recursion; use packet counter to save back ptrs (reset
465 to 0 as we leave), and comefrom to save source hook bitmask */
466 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
467 unsigned int pos = newinfo->hook_entry[hook];
468 struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
470 if (!(valid_hooks & (1 << hook)))
473 /* Set initial back pointer. */
474 e->counters.pcnt = pos;
477 const struct xt_standard_target *t
478 = (void *)ip6t_get_target_c(e);
479 int visited = e->comefrom & (1 << hook);
481 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
482 pr_err("iptables: loop hook %u pos %u %08X.\n",
483 hook, pos, e->comefrom);
486 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
488 /* Unconditional return/END. */
489 if ((e->target_offset == sizeof(struct ip6t_entry) &&
490 (strcmp(t->target.u.user.name,
491 XT_STANDARD_TARGET) == 0) &&
493 unconditional(&e->ipv6)) || visited) {
494 unsigned int oldpos, size;
496 if ((strcmp(t->target.u.user.name,
497 XT_STANDARD_TARGET) == 0) &&
498 t->verdict < -NF_MAX_VERDICT - 1) {
499 duprintf("mark_source_chains: bad "
500 "negative verdict (%i)\n",
505 /* Return: backtrack through the last
508 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
509 #ifdef DEBUG_IP_FIREWALL_USER
511 & (1 << NF_INET_NUMHOOKS)) {
512 duprintf("Back unset "
519 pos = e->counters.pcnt;
520 e->counters.pcnt = 0;
522 /* We're at the start. */
526 e = (struct ip6t_entry *)
528 } while (oldpos == pos + e->next_offset);
531 size = e->next_offset;
532 e = (struct ip6t_entry *)
533 (entry0 + pos + size);
534 e->counters.pcnt = pos;
537 int newpos = t->verdict;
539 if (strcmp(t->target.u.user.name,
540 XT_STANDARD_TARGET) == 0 &&
542 if (newpos > newinfo->size -
543 sizeof(struct ip6t_entry)) {
544 duprintf("mark_source_chains: "
545 "bad verdict (%i)\n",
549 /* This a jump; chase it. */
550 duprintf("Jump rule %u -> %u\n",
553 /* ... this is a fallthru */
554 newpos = pos + e->next_offset;
556 e = (struct ip6t_entry *)
558 e->counters.pcnt = pos;
563 duprintf("Finished chain %u\n", hook);
568 static void cleanup_match(struct xt_entry_match *m, struct net *net)
570 struct xt_mtdtor_param par;
573 par.match = m->u.kernel.match;
574 par.matchinfo = m->data;
575 par.family = NFPROTO_IPV6;
576 if (par.match->destroy != NULL)
577 par.match->destroy(&par);
578 module_put(par.match->me);
582 check_entry(const struct ip6t_entry *e, const char *name)
584 const struct xt_entry_target *t;
586 if (!ip6_checkentry(&e->ipv6)) {
587 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
591 if (e->target_offset + sizeof(struct xt_entry_target) >
595 t = ip6t_get_target_c(e);
596 if (e->target_offset + t->u.target_size > e->next_offset)
602 static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
604 const struct ip6t_ip6 *ipv6 = par->entryinfo;
607 par->match = m->u.kernel.match;
608 par->matchinfo = m->data;
610 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
611 ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
613 duprintf("ip_tables: check failed for `%s'.\n",
621 find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
623 struct xt_match *match;
626 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
629 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
630 return PTR_ERR(match);
632 m->u.kernel.match = match;
634 ret = check_match(m, par);
640 module_put(m->u.kernel.match->me);
644 static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
646 struct xt_entry_target *t = ip6t_get_target(e);
647 struct xt_tgchk_param par = {
651 .target = t->u.kernel.target,
653 .hook_mask = e->comefrom,
654 .family = NFPROTO_IPV6,
658 t = ip6t_get_target(e);
659 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
660 e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
662 duprintf("ip_tables: check failed for `%s'.\n",
663 t->u.kernel.target->name);
670 find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
673 struct xt_entry_target *t;
674 struct xt_target *target;
677 struct xt_mtchk_param mtpar;
678 struct xt_entry_match *ematch;
680 ret = check_entry(e, name);
687 mtpar.entryinfo = &e->ipv6;
688 mtpar.hook_mask = e->comefrom;
689 mtpar.family = NFPROTO_IPV6;
690 xt_ematch_foreach(ematch, e) {
691 ret = find_check_match(ematch, &mtpar);
693 goto cleanup_matches;
697 t = ip6t_get_target(e);
698 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
700 if (IS_ERR(target)) {
701 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
702 ret = PTR_ERR(target);
703 goto cleanup_matches;
705 t->u.kernel.target = target;
707 ret = check_target(e, net, name);
712 module_put(t->u.kernel.target->me);
714 xt_ematch_foreach(ematch, e) {
717 cleanup_match(ematch, net);
722 static bool check_underflow(const struct ip6t_entry *e)
724 const struct xt_entry_target *t;
725 unsigned int verdict;
727 if (!unconditional(&e->ipv6))
729 t = ip6t_get_target_c(e);
730 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
732 verdict = ((struct xt_standard_target *)t)->verdict;
733 verdict = -verdict - 1;
734 return verdict == NF_DROP || verdict == NF_ACCEPT;
738 check_entry_size_and_hooks(struct ip6t_entry *e,
739 struct xt_table_info *newinfo,
740 const unsigned char *base,
741 const unsigned char *limit,
742 const unsigned int *hook_entries,
743 const unsigned int *underflows,
744 unsigned int valid_hooks)
748 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
749 (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
750 duprintf("Bad offset %p\n", e);
755 < sizeof(struct ip6t_entry) + sizeof(struct xt_entry_target)) {
756 duprintf("checking: element %p size %u\n",
761 /* Check hooks & underflows */
762 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
763 if (!(valid_hooks & (1 << h)))
765 if ((unsigned char *)e - base == hook_entries[h])
766 newinfo->hook_entry[h] = hook_entries[h];
767 if ((unsigned char *)e - base == underflows[h]) {
768 if (!check_underflow(e)) {
769 pr_err("Underflows must be unconditional and "
770 "use the STANDARD target with "
774 newinfo->underflow[h] = underflows[h];
778 /* Clear counters and comefrom */
779 e->counters = ((struct xt_counters) { 0, 0 });
784 static void cleanup_entry(struct ip6t_entry *e, struct net *net)
786 struct xt_tgdtor_param par;
787 struct xt_entry_target *t;
788 struct xt_entry_match *ematch;
790 /* Cleanup all matches */
791 xt_ematch_foreach(ematch, e)
792 cleanup_match(ematch, net);
793 t = ip6t_get_target(e);
796 par.target = t->u.kernel.target;
797 par.targinfo = t->data;
798 par.family = NFPROTO_IPV6;
799 if (par.target->destroy != NULL)
800 par.target->destroy(&par);
801 module_put(par.target->me);
804 /* Checks and translates the user-supplied table segment (held in
807 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
808 const struct ip6t_replace *repl)
810 struct ip6t_entry *iter;
814 newinfo->size = repl->size;
815 newinfo->number = repl->num_entries;
817 /* Init all hooks to impossible value. */
818 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
819 newinfo->hook_entry[i] = 0xFFFFFFFF;
820 newinfo->underflow[i] = 0xFFFFFFFF;
823 duprintf("translate_table: size %u\n", newinfo->size);
825 /* Walk through entries, checking offsets. */
826 xt_entry_foreach(iter, entry0, newinfo->size) {
827 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
835 if (strcmp(ip6t_get_target(iter)->u.user.name,
836 XT_ERROR_TARGET) == 0)
837 ++newinfo->stacksize;
840 if (i != repl->num_entries) {
841 duprintf("translate_table: %u not %u entries\n",
842 i, repl->num_entries);
846 /* Check hooks all assigned */
847 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
848 /* Only hooks which are valid */
849 if (!(repl->valid_hooks & (1 << i)))
851 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
852 duprintf("Invalid hook entry %u %u\n",
853 i, repl->hook_entry[i]);
856 if (newinfo->underflow[i] == 0xFFFFFFFF) {
857 duprintf("Invalid underflow %u %u\n",
858 i, repl->underflow[i]);
863 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
866 /* Finally, each sanity check must pass */
868 xt_entry_foreach(iter, entry0, newinfo->size) {
869 ret = find_check_entry(iter, net, repl->name, repl->size);
876 xt_entry_foreach(iter, entry0, newinfo->size) {
879 cleanup_entry(iter, net);
884 /* And one copy for every other CPU */
885 for_each_possible_cpu(i) {
886 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
887 memcpy(newinfo->entries[i], entry0, newinfo->size);
894 get_counters(const struct xt_table_info *t,
895 struct xt_counters counters[])
897 struct ip6t_entry *iter;
901 for_each_possible_cpu(cpu) {
902 seqlock_t *lock = &per_cpu(xt_info_locks, cpu).lock;
905 xt_entry_foreach(iter, t->entries[cpu], t->size) {
910 start = read_seqbegin(lock);
911 bcnt = iter->counters.bcnt;
912 pcnt = iter->counters.pcnt;
913 } while (read_seqretry(lock, start));
915 ADD_COUNTER(counters[i], bcnt, pcnt);
921 static struct xt_counters *alloc_counters(const struct xt_table *table)
923 unsigned int countersize;
924 struct xt_counters *counters;
925 const struct xt_table_info *private = table->private;
927 /* We need atomic snapshot of counters: rest doesn't change
928 (other than comefrom, which userspace doesn't care
930 countersize = sizeof(struct xt_counters) * private->number;
931 counters = vzalloc(countersize);
933 if (counters == NULL)
934 return ERR_PTR(-ENOMEM);
936 get_counters(private, counters);
942 copy_entries_to_user(unsigned int total_size,
943 const struct xt_table *table,
944 void __user *userptr)
946 unsigned int off, num;
947 const struct ip6t_entry *e;
948 struct xt_counters *counters;
949 const struct xt_table_info *private = table->private;
951 const void *loc_cpu_entry;
953 counters = alloc_counters(table);
954 if (IS_ERR(counters))
955 return PTR_ERR(counters);
957 /* choose the copy that is on our node/cpu, ...
958 * This choice is lazy (because current thread is
959 * allowed to migrate to another cpu)
961 loc_cpu_entry = private->entries[raw_smp_processor_id()];
962 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
967 /* FIXME: use iterator macros --RR */
968 /* ... then go back and fix counters and names */
969 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
971 const struct xt_entry_match *m;
972 const struct xt_entry_target *t;
974 e = (struct ip6t_entry *)(loc_cpu_entry + off);
975 if (copy_to_user(userptr + off
976 + offsetof(struct ip6t_entry, counters),
978 sizeof(counters[num])) != 0) {
983 for (i = sizeof(struct ip6t_entry);
984 i < e->target_offset;
985 i += m->u.match_size) {
988 if (copy_to_user(userptr + off + i
989 + offsetof(struct xt_entry_match,
991 m->u.kernel.match->name,
992 strlen(m->u.kernel.match->name)+1)
999 t = ip6t_get_target_c(e);
1000 if (copy_to_user(userptr + off + e->target_offset
1001 + offsetof(struct xt_entry_target,
1003 t->u.kernel.target->name,
1004 strlen(t->u.kernel.target->name)+1) != 0) {
1015 #ifdef CONFIG_COMPAT
1016 static void compat_standard_from_user(void *dst, const void *src)
1018 int v = *(compat_int_t *)src;
1021 v += xt_compat_calc_jump(AF_INET6, v);
1022 memcpy(dst, &v, sizeof(v));
1025 static int compat_standard_to_user(void __user *dst, const void *src)
1027 compat_int_t cv = *(int *)src;
1030 cv -= xt_compat_calc_jump(AF_INET6, cv);
1031 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1034 static int compat_calc_entry(const struct ip6t_entry *e,
1035 const struct xt_table_info *info,
1036 const void *base, struct xt_table_info *newinfo)
1038 const struct xt_entry_match *ematch;
1039 const struct xt_entry_target *t;
1040 unsigned int entry_offset;
1043 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1044 entry_offset = (void *)e - base;
1045 xt_ematch_foreach(ematch, e)
1046 off += xt_compat_match_offset(ematch->u.kernel.match);
1047 t = ip6t_get_target_c(e);
1048 off += xt_compat_target_offset(t->u.kernel.target);
1049 newinfo->size -= off;
1050 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1054 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1055 if (info->hook_entry[i] &&
1056 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
1057 newinfo->hook_entry[i] -= off;
1058 if (info->underflow[i] &&
1059 (e < (struct ip6t_entry *)(base + info->underflow[i])))
1060 newinfo->underflow[i] -= off;
1065 static int compat_table_info(const struct xt_table_info *info,
1066 struct xt_table_info *newinfo)
1068 struct ip6t_entry *iter;
1069 void *loc_cpu_entry;
1072 if (!newinfo || !info)
1075 /* we dont care about newinfo->entries[] */
1076 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1077 newinfo->initial_entries = 0;
1078 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1079 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
1080 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
1088 static int get_info(struct net *net, void __user *user,
1089 const int *len, int compat)
1091 char name[XT_TABLE_MAXNAMELEN];
1095 if (*len != sizeof(struct ip6t_getinfo)) {
1096 duprintf("length %u != %zu\n", *len,
1097 sizeof(struct ip6t_getinfo));
1101 if (copy_from_user(name, user, sizeof(name)) != 0)
1104 name[XT_TABLE_MAXNAMELEN-1] = '\0';
1105 #ifdef CONFIG_COMPAT
1107 xt_compat_lock(AF_INET6);
1109 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1110 "ip6table_%s", name);
1111 if (t && !IS_ERR(t)) {
1112 struct ip6t_getinfo info;
1113 const struct xt_table_info *private = t->private;
1114 #ifdef CONFIG_COMPAT
1115 struct xt_table_info tmp;
1118 ret = compat_table_info(private, &tmp);
1119 xt_compat_flush_offsets(AF_INET6);
1123 memset(&info, 0, sizeof(info));
1124 info.valid_hooks = t->valid_hooks;
1125 memcpy(info.hook_entry, private->hook_entry,
1126 sizeof(info.hook_entry));
1127 memcpy(info.underflow, private->underflow,
1128 sizeof(info.underflow));
1129 info.num_entries = private->number;
1130 info.size = private->size;
1131 strcpy(info.name, name);
1133 if (copy_to_user(user, &info, *len) != 0)
1141 ret = t ? PTR_ERR(t) : -ENOENT;
1142 #ifdef CONFIG_COMPAT
1144 xt_compat_unlock(AF_INET6);
1150 get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
1154 struct ip6t_get_entries get;
1157 if (*len < sizeof(get)) {
1158 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1161 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1163 if (*len != sizeof(struct ip6t_get_entries) + get.size) {
1164 duprintf("get_entries: %u != %zu\n",
1165 *len, sizeof(get) + get.size);
1169 t = xt_find_table_lock(net, AF_INET6, get.name);
1170 if (t && !IS_ERR(t)) {
1171 struct xt_table_info *private = t->private;
1172 duprintf("t->private->number = %u\n", private->number);
1173 if (get.size == private->size)
1174 ret = copy_entries_to_user(private->size,
1175 t, uptr->entrytable);
1177 duprintf("get_entries: I've got %u not %u!\n",
1178 private->size, get.size);
1184 ret = t ? PTR_ERR(t) : -ENOENT;
1190 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1191 struct xt_table_info *newinfo, unsigned int num_counters,
1192 void __user *counters_ptr)
1196 struct xt_table_info *oldinfo;
1197 struct xt_counters *counters;
1198 const void *loc_cpu_old_entry;
1199 struct ip6t_entry *iter;
1202 counters = vzalloc(num_counters * sizeof(struct xt_counters));
1208 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1209 "ip6table_%s", name);
1210 if (!t || IS_ERR(t)) {
1211 ret = t ? PTR_ERR(t) : -ENOENT;
1212 goto free_newinfo_counters_untrans;
1216 if (valid_hooks != t->valid_hooks) {
1217 duprintf("Valid hook crap: %08X vs %08X\n",
1218 valid_hooks, t->valid_hooks);
1223 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1227 /* Update module usage count based on number of rules */
1228 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1229 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1230 if ((oldinfo->number > oldinfo->initial_entries) ||
1231 (newinfo->number <= oldinfo->initial_entries))
1233 if ((oldinfo->number > oldinfo->initial_entries) &&
1234 (newinfo->number <= oldinfo->initial_entries))
1237 /* Get the old counters, and synchronize with replace */
1238 get_counters(oldinfo, counters);
1240 /* Decrease module usage counts and free resource */
1241 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1242 xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
1243 cleanup_entry(iter, net);
1245 xt_free_table_info(oldinfo);
1246 if (copy_to_user(counters_ptr, counters,
1247 sizeof(struct xt_counters) * num_counters) != 0)
1256 free_newinfo_counters_untrans:
1263 do_replace(struct net *net, const void __user *user, unsigned int len)
1266 struct ip6t_replace tmp;
1267 struct xt_table_info *newinfo;
1268 void *loc_cpu_entry;
1269 struct ip6t_entry *iter;
1271 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1274 /* overflow check */
1275 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1278 newinfo = xt_alloc_table_info(tmp.size);
1282 /* choose the copy that is on our node/cpu */
1283 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1284 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1290 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1294 duprintf("ip_tables: Translated table\n");
1296 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1297 tmp.num_counters, tmp.counters);
1299 goto free_newinfo_untrans;
1302 free_newinfo_untrans:
1303 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1304 cleanup_entry(iter, net);
1306 xt_free_table_info(newinfo);
1311 do_add_counters(struct net *net, const void __user *user, unsigned int len,
1314 unsigned int i, curcpu;
1315 struct xt_counters_info tmp;
1316 struct xt_counters *paddc;
1317 unsigned int num_counters;
1322 const struct xt_table_info *private;
1324 const void *loc_cpu_entry;
1325 struct ip6t_entry *iter;
1326 #ifdef CONFIG_COMPAT
1327 struct compat_xt_counters_info compat_tmp;
1331 size = sizeof(struct compat_xt_counters_info);
1336 size = sizeof(struct xt_counters_info);
1339 if (copy_from_user(ptmp, user, size) != 0)
1342 #ifdef CONFIG_COMPAT
1344 num_counters = compat_tmp.num_counters;
1345 name = compat_tmp.name;
1349 num_counters = tmp.num_counters;
1353 if (len != size + num_counters * sizeof(struct xt_counters))
1356 paddc = vmalloc(len - size);
1360 if (copy_from_user(paddc, user + size, len - size) != 0) {
1365 t = xt_find_table_lock(net, AF_INET6, name);
1366 if (!t || IS_ERR(t)) {
1367 ret = t ? PTR_ERR(t) : -ENOENT;
1373 private = t->private;
1374 if (private->number != num_counters) {
1376 goto unlock_up_free;
1380 /* Choose the copy that is on our node */
1381 curcpu = smp_processor_id();
1382 xt_info_wrlock(curcpu);
1383 loc_cpu_entry = private->entries[curcpu];
1384 xt_entry_foreach(iter, loc_cpu_entry, private->size) {
1385 ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
1388 xt_info_wrunlock(curcpu);
1400 #ifdef CONFIG_COMPAT
1401 struct compat_ip6t_replace {
1402 char name[XT_TABLE_MAXNAMELEN];
1406 u32 hook_entry[NF_INET_NUMHOOKS];
1407 u32 underflow[NF_INET_NUMHOOKS];
1409 compat_uptr_t counters; /* struct xt_counters * */
1410 struct compat_ip6t_entry entries[0];
1414 compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1415 unsigned int *size, struct xt_counters *counters,
1418 struct xt_entry_target *t;
1419 struct compat_ip6t_entry __user *ce;
1420 u_int16_t target_offset, next_offset;
1421 compat_uint_t origsize;
1422 const struct xt_entry_match *ematch;
1426 ce = (struct compat_ip6t_entry __user *)*dstptr;
1427 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
1428 copy_to_user(&ce->counters, &counters[i],
1429 sizeof(counters[i])) != 0)
1432 *dstptr += sizeof(struct compat_ip6t_entry);
1433 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1435 xt_ematch_foreach(ematch, e) {
1436 ret = xt_compat_match_to_user(ematch, dstptr, size);
1440 target_offset = e->target_offset - (origsize - *size);
1441 t = ip6t_get_target(e);
1442 ret = xt_compat_target_to_user(t, dstptr, size);
1445 next_offset = e->next_offset - (origsize - *size);
1446 if (put_user(target_offset, &ce->target_offset) != 0 ||
1447 put_user(next_offset, &ce->next_offset) != 0)
1453 compat_find_calc_match(struct xt_entry_match *m,
1455 const struct ip6t_ip6 *ipv6,
1456 unsigned int hookmask,
1459 struct xt_match *match;
1461 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1462 m->u.user.revision);
1463 if (IS_ERR(match)) {
1464 duprintf("compat_check_calc_match: `%s' not found\n",
1466 return PTR_ERR(match);
1468 m->u.kernel.match = match;
1469 *size += xt_compat_match_offset(match);
1473 static void compat_release_entry(struct compat_ip6t_entry *e)
1475 struct xt_entry_target *t;
1476 struct xt_entry_match *ematch;
1478 /* Cleanup all matches */
1479 xt_ematch_foreach(ematch, e)
1480 module_put(ematch->u.kernel.match->me);
1481 t = compat_ip6t_get_target(e);
1482 module_put(t->u.kernel.target->me);
1486 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1487 struct xt_table_info *newinfo,
1489 const unsigned char *base,
1490 const unsigned char *limit,
1491 const unsigned int *hook_entries,
1492 const unsigned int *underflows,
1495 struct xt_entry_match *ematch;
1496 struct xt_entry_target *t;
1497 struct xt_target *target;
1498 unsigned int entry_offset;
1502 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1503 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
1504 (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
1505 duprintf("Bad offset %p, limit = %p\n", e, limit);
1509 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1510 sizeof(struct compat_xt_entry_target)) {
1511 duprintf("checking: element %p size %u\n",
1516 /* For purposes of check_entry casting the compat entry is fine */
1517 ret = check_entry((struct ip6t_entry *)e, name);
1521 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1522 entry_offset = (void *)e - (void *)base;
1524 xt_ematch_foreach(ematch, e) {
1525 ret = compat_find_calc_match(ematch, name,
1526 &e->ipv6, e->comefrom, &off);
1528 goto release_matches;
1532 t = compat_ip6t_get_target(e);
1533 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1534 t->u.user.revision);
1535 if (IS_ERR(target)) {
1536 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1538 ret = PTR_ERR(target);
1539 goto release_matches;
1541 t->u.kernel.target = target;
1543 off += xt_compat_target_offset(target);
1545 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1549 /* Check hooks & underflows */
1550 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1551 if ((unsigned char *)e - base == hook_entries[h])
1552 newinfo->hook_entry[h] = hook_entries[h];
1553 if ((unsigned char *)e - base == underflows[h])
1554 newinfo->underflow[h] = underflows[h];
1557 /* Clear counters and comefrom */
1558 memset(&e->counters, 0, sizeof(e->counters));
1563 module_put(t->u.kernel.target->me);
1565 xt_ematch_foreach(ematch, e) {
1568 module_put(ematch->u.kernel.match->me);
1574 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1575 unsigned int *size, const char *name,
1576 struct xt_table_info *newinfo, unsigned char *base)
1578 struct xt_entry_target *t;
1579 struct xt_target *target;
1580 struct ip6t_entry *de;
1581 unsigned int origsize;
1583 struct xt_entry_match *ematch;
1587 de = (struct ip6t_entry *)*dstptr;
1588 memcpy(de, e, sizeof(struct ip6t_entry));
1589 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1591 *dstptr += sizeof(struct ip6t_entry);
1592 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1594 xt_ematch_foreach(ematch, e) {
1595 ret = xt_compat_match_from_user(ematch, dstptr, size);
1599 de->target_offset = e->target_offset - (origsize - *size);
1600 t = compat_ip6t_get_target(e);
1601 target = t->u.kernel.target;
1602 xt_compat_target_from_user(t, dstptr, size);
1604 de->next_offset = e->next_offset - (origsize - *size);
1605 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1606 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1607 newinfo->hook_entry[h] -= origsize - *size;
1608 if ((unsigned char *)de - base < newinfo->underflow[h])
1609 newinfo->underflow[h] -= origsize - *size;
1614 static int compat_check_entry(struct ip6t_entry *e, struct net *net,
1619 struct xt_mtchk_param mtpar;
1620 struct xt_entry_match *ematch;
1625 mtpar.entryinfo = &e->ipv6;
1626 mtpar.hook_mask = e->comefrom;
1627 mtpar.family = NFPROTO_IPV6;
1628 xt_ematch_foreach(ematch, e) {
1629 ret = check_match(ematch, &mtpar);
1631 goto cleanup_matches;
1635 ret = check_target(e, net, name);
1637 goto cleanup_matches;
1641 xt_ematch_foreach(ematch, e) {
1644 cleanup_match(ematch, net);
1650 translate_compat_table(struct net *net,
1652 unsigned int valid_hooks,
1653 struct xt_table_info **pinfo,
1655 unsigned int total_size,
1656 unsigned int number,
1657 unsigned int *hook_entries,
1658 unsigned int *underflows)
1661 struct xt_table_info *newinfo, *info;
1662 void *pos, *entry0, *entry1;
1663 struct compat_ip6t_entry *iter0;
1664 struct ip6t_entry *iter1;
1671 info->number = number;
1673 /* Init all hooks to impossible value. */
1674 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1675 info->hook_entry[i] = 0xFFFFFFFF;
1676 info->underflow[i] = 0xFFFFFFFF;
1679 duprintf("translate_compat_table: size %u\n", info->size);
1681 xt_compat_lock(AF_INET6);
1682 /* Walk through entries, checking offsets. */
1683 xt_entry_foreach(iter0, entry0, total_size) {
1684 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1686 entry0 + total_size,
1697 duprintf("translate_compat_table: %u not %u entries\n",
1702 /* Check hooks all assigned */
1703 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1704 /* Only hooks which are valid */
1705 if (!(valid_hooks & (1 << i)))
1707 if (info->hook_entry[i] == 0xFFFFFFFF) {
1708 duprintf("Invalid hook entry %u %u\n",
1709 i, hook_entries[i]);
1712 if (info->underflow[i] == 0xFFFFFFFF) {
1713 duprintf("Invalid underflow %u %u\n",
1720 newinfo = xt_alloc_table_info(size);
1724 newinfo->number = number;
1725 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1726 newinfo->hook_entry[i] = info->hook_entry[i];
1727 newinfo->underflow[i] = info->underflow[i];
1729 entry1 = newinfo->entries[raw_smp_processor_id()];
1732 xt_entry_foreach(iter0, entry0, total_size) {
1733 ret = compat_copy_entry_from_user(iter0, &pos, &size,
1734 name, newinfo, entry1);
1738 xt_compat_flush_offsets(AF_INET6);
1739 xt_compat_unlock(AF_INET6);
1744 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1748 xt_entry_foreach(iter1, entry1, newinfo->size) {
1749 ret = compat_check_entry(iter1, net, name);
1753 if (strcmp(ip6t_get_target(iter1)->u.user.name,
1754 XT_ERROR_TARGET) == 0)
1755 ++newinfo->stacksize;
1759 * The first i matches need cleanup_entry (calls ->destroy)
1760 * because they had called ->check already. The other j-i
1761 * entries need only release.
1765 xt_entry_foreach(iter0, entry0, newinfo->size) {
1770 compat_release_entry(iter0);
1772 xt_entry_foreach(iter1, entry1, newinfo->size) {
1775 cleanup_entry(iter1, net);
1777 xt_free_table_info(newinfo);
1781 /* And one copy for every other CPU */
1782 for_each_possible_cpu(i)
1783 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1784 memcpy(newinfo->entries[i], entry1, newinfo->size);
1788 xt_free_table_info(info);
1792 xt_free_table_info(newinfo);
1794 xt_entry_foreach(iter0, entry0, total_size) {
1797 compat_release_entry(iter0);
1801 xt_compat_flush_offsets(AF_INET6);
1802 xt_compat_unlock(AF_INET6);
1807 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1810 struct compat_ip6t_replace tmp;
1811 struct xt_table_info *newinfo;
1812 void *loc_cpu_entry;
1813 struct ip6t_entry *iter;
1815 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1818 /* overflow check */
1819 if (tmp.size >= INT_MAX / num_possible_cpus())
1821 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1824 newinfo = xt_alloc_table_info(tmp.size);
1828 /* choose the copy that is on our node/cpu */
1829 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1830 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1836 ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
1837 &newinfo, &loc_cpu_entry, tmp.size,
1838 tmp.num_entries, tmp.hook_entry,
1843 duprintf("compat_do_replace: Translated table\n");
1845 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1846 tmp.num_counters, compat_ptr(tmp.counters));
1848 goto free_newinfo_untrans;
1851 free_newinfo_untrans:
1852 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1853 cleanup_entry(iter, net);
1855 xt_free_table_info(newinfo);
1860 compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1865 if (!capable(CAP_NET_ADMIN))
1869 case IP6T_SO_SET_REPLACE:
1870 ret = compat_do_replace(sock_net(sk), user, len);
1873 case IP6T_SO_SET_ADD_COUNTERS:
1874 ret = do_add_counters(sock_net(sk), user, len, 1);
1878 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1885 struct compat_ip6t_get_entries {
1886 char name[XT_TABLE_MAXNAMELEN];
1888 struct compat_ip6t_entry entrytable[0];
1892 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1893 void __user *userptr)
1895 struct xt_counters *counters;
1896 const struct xt_table_info *private = table->private;
1900 const void *loc_cpu_entry;
1902 struct ip6t_entry *iter;
1904 counters = alloc_counters(table);
1905 if (IS_ERR(counters))
1906 return PTR_ERR(counters);
1908 /* choose the copy that is on our node/cpu, ...
1909 * This choice is lazy (because current thread is
1910 * allowed to migrate to another cpu)
1912 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1915 xt_entry_foreach(iter, loc_cpu_entry, total_size) {
1916 ret = compat_copy_entry_to_user(iter, &pos,
1917 &size, counters, i++);
1927 compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1931 struct compat_ip6t_get_entries get;
1934 if (*len < sizeof(get)) {
1935 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1939 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1942 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size) {
1943 duprintf("compat_get_entries: %u != %zu\n",
1944 *len, sizeof(get) + get.size);
1948 xt_compat_lock(AF_INET6);
1949 t = xt_find_table_lock(net, AF_INET6, get.name);
1950 if (t && !IS_ERR(t)) {
1951 const struct xt_table_info *private = t->private;
1952 struct xt_table_info info;
1953 duprintf("t->private->number = %u\n", private->number);
1954 ret = compat_table_info(private, &info);
1955 if (!ret && get.size == info.size) {
1956 ret = compat_copy_entries_to_user(private->size,
1957 t, uptr->entrytable);
1959 duprintf("compat_get_entries: I've got %u not %u!\n",
1960 private->size, get.size);
1963 xt_compat_flush_offsets(AF_INET6);
1967 ret = t ? PTR_ERR(t) : -ENOENT;
1969 xt_compat_unlock(AF_INET6);
1973 static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1976 compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1980 if (!capable(CAP_NET_ADMIN))
1984 case IP6T_SO_GET_INFO:
1985 ret = get_info(sock_net(sk), user, len, 1);
1987 case IP6T_SO_GET_ENTRIES:
1988 ret = compat_get_entries(sock_net(sk), user, len);
1991 ret = do_ip6t_get_ctl(sk, cmd, user, len);
1998 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2002 if (!capable(CAP_NET_ADMIN))
2006 case IP6T_SO_SET_REPLACE:
2007 ret = do_replace(sock_net(sk), user, len);
2010 case IP6T_SO_SET_ADD_COUNTERS:
2011 ret = do_add_counters(sock_net(sk), user, len, 0);
2015 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
2023 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2027 if (!capable(CAP_NET_ADMIN))
2031 case IP6T_SO_GET_INFO:
2032 ret = get_info(sock_net(sk), user, len, 0);
2035 case IP6T_SO_GET_ENTRIES:
2036 ret = get_entries(sock_net(sk), user, len);
2039 case IP6T_SO_GET_REVISION_MATCH:
2040 case IP6T_SO_GET_REVISION_TARGET: {
2041 struct xt_get_revision rev;
2044 if (*len != sizeof(rev)) {
2048 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2053 if (cmd == IP6T_SO_GET_REVISION_TARGET)
2058 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
2061 "ip6t_%s", rev.name);
2066 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
2073 struct xt_table *ip6t_register_table(struct net *net,
2074 const struct xt_table *table,
2075 const struct ip6t_replace *repl)
2078 struct xt_table_info *newinfo;
2079 struct xt_table_info bootstrap = {0};
2080 void *loc_cpu_entry;
2081 struct xt_table *new_table;
2083 newinfo = xt_alloc_table_info(repl->size);
2089 /* choose the copy on our node/cpu, but dont care about preemption */
2090 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2091 memcpy(loc_cpu_entry, repl->entries, repl->size);
2093 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
2097 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2098 if (IS_ERR(new_table)) {
2099 ret = PTR_ERR(new_table);
2105 xt_free_table_info(newinfo);
2107 return ERR_PTR(ret);
2110 void ip6t_unregister_table(struct net *net, struct xt_table *table)
2112 struct xt_table_info *private;
2113 void *loc_cpu_entry;
2114 struct module *table_owner = table->me;
2115 struct ip6t_entry *iter;
2117 private = xt_unregister_table(table);
2119 /* Decrease module usage counts and free resources */
2120 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2121 xt_entry_foreach(iter, loc_cpu_entry, private->size)
2122 cleanup_entry(iter, net);
2123 if (private->number > private->initial_entries)
2124 module_put(table_owner);
2125 xt_free_table_info(private);
2128 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2130 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2131 u_int8_t type, u_int8_t code,
2134 return (type == test_type && code >= min_code && code <= max_code)
2139 icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
2141 const struct icmp6hdr *ic;
2142 struct icmp6hdr _icmph;
2143 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2145 /* Must not be a fragment. */
2146 if (par->fragoff != 0)
2149 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2151 /* We've been asked to examine this packet, and we
2152 * can't. Hence, no choice but to drop.
2154 duprintf("Dropping evil ICMP tinygram.\n");
2155 par->hotdrop = true;
2159 return icmp6_type_code_match(icmpinfo->type,
2162 ic->icmp6_type, ic->icmp6_code,
2163 !!(icmpinfo->invflags&IP6T_ICMP_INV));
2166 /* Called when user tries to insert an entry of this type. */
2167 static int icmp6_checkentry(const struct xt_mtchk_param *par)
2169 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2171 /* Must specify no unknown invflags */
2172 return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
2175 /* The built-in targets: standard (NULL) and error. */
2176 static struct xt_target ip6t_builtin_tg[] __read_mostly = {
2178 .name = XT_STANDARD_TARGET,
2179 .targetsize = sizeof(int),
2180 .family = NFPROTO_IPV6,
2181 #ifdef CONFIG_COMPAT
2182 .compatsize = sizeof(compat_int_t),
2183 .compat_from_user = compat_standard_from_user,
2184 .compat_to_user = compat_standard_to_user,
2188 .name = XT_ERROR_TARGET,
2189 .target = ip6t_error,
2190 .targetsize = XT_FUNCTION_MAXNAMELEN,
2191 .family = NFPROTO_IPV6,
2195 static struct nf_sockopt_ops ip6t_sockopts = {
2197 .set_optmin = IP6T_BASE_CTL,
2198 .set_optmax = IP6T_SO_SET_MAX+1,
2199 .set = do_ip6t_set_ctl,
2200 #ifdef CONFIG_COMPAT
2201 .compat_set = compat_do_ip6t_set_ctl,
2203 .get_optmin = IP6T_BASE_CTL,
2204 .get_optmax = IP6T_SO_GET_MAX+1,
2205 .get = do_ip6t_get_ctl,
2206 #ifdef CONFIG_COMPAT
2207 .compat_get = compat_do_ip6t_get_ctl,
2209 .owner = THIS_MODULE,
2212 static struct xt_match ip6t_builtin_mt[] __read_mostly = {
2215 .match = icmp6_match,
2216 .matchsize = sizeof(struct ip6t_icmp),
2217 .checkentry = icmp6_checkentry,
2218 .proto = IPPROTO_ICMPV6,
2219 .family = NFPROTO_IPV6,
2223 static int __net_init ip6_tables_net_init(struct net *net)
2225 return xt_proto_init(net, NFPROTO_IPV6);
2228 static void __net_exit ip6_tables_net_exit(struct net *net)
2230 xt_proto_fini(net, NFPROTO_IPV6);
2233 static struct pernet_operations ip6_tables_net_ops = {
2234 .init = ip6_tables_net_init,
2235 .exit = ip6_tables_net_exit,
2238 static int __init ip6_tables_init(void)
2242 ret = register_pernet_subsys(&ip6_tables_net_ops);
2246 /* Noone else will be downing sem now, so we won't sleep */
2247 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2250 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2254 /* Register setsockopt */
2255 ret = nf_register_sockopt(&ip6t_sockopts);
2259 pr_info("(C) 2000-2006 Netfilter Core Team\n");
2263 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2265 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2267 unregister_pernet_subsys(&ip6_tables_net_ops);
2272 static void __exit ip6_tables_fini(void)
2274 nf_unregister_sockopt(&ip6t_sockopts);
2276 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2277 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2278 unregister_pernet_subsys(&ip6_tables_net_ops);
2282 * find the offset to specified header or the protocol number of last header
2283 * if target < 0. "last header" is transport protocol header, ESP, or
2286 * If target header is found, its offset is set in *offset and return protocol
2287 * number. Otherwise, return -1.
2289 * If the first fragment doesn't contain the final protocol header or
2290 * NEXTHDR_NONE it is considered invalid.
2292 * Note that non-1st fragment is special case that "the protocol number
2293 * of last header" is "next header" field in Fragment header. In this case,
2294 * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
2298 int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
2299 int target, unsigned short *fragoff)
2301 unsigned int start = skb_network_offset(skb) + sizeof(struct ipv6hdr);
2302 u8 nexthdr = ipv6_hdr(skb)->nexthdr;
2303 unsigned int len = skb->len - start;
2308 while (nexthdr != target) {
2309 struct ipv6_opt_hdr _hdr, *hp;
2310 unsigned int hdrlen;
2312 if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
2318 hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
2321 if (nexthdr == NEXTHDR_FRAGMENT) {
2322 unsigned short _frag_off;
2324 fp = skb_header_pointer(skb,
2325 start+offsetof(struct frag_hdr,
2332 _frag_off = ntohs(*fp) & ~0x7;
2335 ((!ipv6_ext_hdr(hp->nexthdr)) ||
2336 hp->nexthdr == NEXTHDR_NONE)) {
2338 *fragoff = _frag_off;
2344 } else if (nexthdr == NEXTHDR_AUTH)
2345 hdrlen = (hp->hdrlen + 2) << 2;
2347 hdrlen = ipv6_optlen(hp);
2349 nexthdr = hp->nexthdr;
2358 EXPORT_SYMBOL(ip6t_register_table);
2359 EXPORT_SYMBOL(ip6t_unregister_table);
2360 EXPORT_SYMBOL(ip6t_do_table);
2361 EXPORT_SYMBOL(ip6t_ext_hdr);
2362 EXPORT_SYMBOL(ipv6_find_hdr);
2364 module_init(ip6_tables_init);
2365 module_exit(ip6_tables_fini);