2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 #include <linux/kernel.h>
16 #include <linux/capability.h>
18 #include <linux/skbuff.h>
19 #include <linux/kmod.h>
20 #include <linux/vmalloc.h>
21 #include <linux/netdevice.h>
22 #include <linux/module.h>
23 #include <linux/poison.h>
24 #include <linux/icmpv6.h>
26 #include <net/compat.h>
27 #include <asm/uaccess.h>
28 #include <linux/mutex.h>
29 #include <linux/proc_fs.h>
30 #include <linux/err.h>
31 #include <linux/cpumask.h>
33 #include <linux/netfilter_ipv6/ip6_tables.h>
34 #include <linux/netfilter/x_tables.h>
35 #include <net/netfilter/nf_log.h>
36 #include "../../netfilter/xt_repldata.h"
38 MODULE_LICENSE("GPL");
39 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
40 MODULE_DESCRIPTION("IPv6 packet filter");
42 /*#define DEBUG_IP_FIREWALL*/
43 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
44 /*#define DEBUG_IP_FIREWALL_USER*/
46 #ifdef DEBUG_IP_FIREWALL
47 #define dprintf(format, args...) pr_info(format , ## args)
49 #define dprintf(format, args...)
52 #ifdef DEBUG_IP_FIREWALL_USER
53 #define duprintf(format, args...) pr_info(format , ## args)
55 #define duprintf(format, args...)
58 #ifdef CONFIG_NETFILTER_DEBUG
59 #define IP_NF_ASSERT(x) WARN_ON(!(x))
61 #define IP_NF_ASSERT(x)
65 /* All the better to debug you with... */
70 void *ip6t_alloc_initial_table(const struct xt_table *info)
72 return xt_alloc_initial_table(ip6t, IP6T);
74 EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
77 We keep a set of rules for each CPU, so we can avoid write-locking
78 them in the softirq when updating the counters and therefore
79 only need to read-lock in the softirq; doing a write_lock_bh() in user
80 context stops packets coming through and allows user context to read
81 the counters or update the rules.
83 Hence the start of any table is given by get_table() below. */
85 /* Returns whether matches rule or not. */
86 /* Performance critical - called for every packet */
88 ip6_packet_match(const struct sk_buff *skb,
91 const struct ip6t_ip6 *ip6info,
92 unsigned int *protoff,
93 int *fragoff, bool *hotdrop)
96 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
98 #define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
100 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
101 &ip6info->src), IP6T_INV_SRCIP) ||
102 FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
103 &ip6info->dst), IP6T_INV_DSTIP)) {
104 dprintf("Source or dest mismatch.\n");
106 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
107 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
108 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
109 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
110 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
111 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
115 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
117 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
118 dprintf("VIA in mismatch (%s vs %s).%s\n",
119 indev, ip6info->iniface,
120 ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
124 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
126 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
127 dprintf("VIA out mismatch (%s vs %s).%s\n",
128 outdev, ip6info->outiface,
129 ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
133 /* ... might want to do something with class and flowlabel here ... */
135 /* look for the desired protocol header */
136 if((ip6info->flags & IP6T_F_PROTO)) {
138 unsigned short _frag_off;
140 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off, NULL);
146 *fragoff = _frag_off;
148 dprintf("Packet protocol %hi ?= %s%hi.\n",
150 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
153 if (ip6info->proto == protohdr) {
154 if(ip6info->invflags & IP6T_INV_PROTO) {
160 /* We need match for the '-p all', too! */
161 if ((ip6info->proto != 0) &&
162 !(ip6info->invflags & IP6T_INV_PROTO))
168 /* should be ip6 safe */
170 ip6_checkentry(const struct ip6t_ip6 *ipv6)
172 if (ipv6->flags & ~IP6T_F_MASK) {
173 duprintf("Unknown flag bits set: %08X\n",
174 ipv6->flags & ~IP6T_F_MASK);
177 if (ipv6->invflags & ~IP6T_INV_MASK) {
178 duprintf("Unknown invflag bits set: %08X\n",
179 ipv6->invflags & ~IP6T_INV_MASK);
186 ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
188 net_info_ratelimited("error: `%s'\n", (const char *)par->targinfo);
193 static inline struct ip6t_entry *
194 get_entry(const void *base, unsigned int offset)
196 return (struct ip6t_entry *)(base + offset);
199 /* All zeroes == unconditional rule. */
200 /* Mildly perf critical (only if packet tracing is on) */
201 static inline bool unconditional(const struct ip6t_ip6 *ipv6)
203 static const struct ip6t_ip6 uncond;
205 return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
208 static inline const struct xt_entry_target *
209 ip6t_get_target_c(const struct ip6t_entry *e)
211 return ip6t_get_target((struct ip6t_entry *)e);
214 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
215 /* This cries for unification! */
216 static const char *const hooknames[] = {
217 [NF_INET_PRE_ROUTING] = "PREROUTING",
218 [NF_INET_LOCAL_IN] = "INPUT",
219 [NF_INET_FORWARD] = "FORWARD",
220 [NF_INET_LOCAL_OUT] = "OUTPUT",
221 [NF_INET_POST_ROUTING] = "POSTROUTING",
224 enum nf_ip_trace_comments {
225 NF_IP6_TRACE_COMMENT_RULE,
226 NF_IP6_TRACE_COMMENT_RETURN,
227 NF_IP6_TRACE_COMMENT_POLICY,
230 static const char *const comments[] = {
231 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
232 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
233 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
236 static struct nf_loginfo trace_loginfo = {
237 .type = NF_LOG_TYPE_LOG,
240 .level = LOGLEVEL_WARNING,
241 .logflags = NF_LOG_MASK,
246 /* Mildly perf critical (only if packet tracing is on) */
248 get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
249 const char *hookname, const char **chainname,
250 const char **comment, unsigned int *rulenum)
252 const struct xt_standard_target *t = (void *)ip6t_get_target_c(s);
254 if (strcmp(t->target.u.kernel.target->name, XT_ERROR_TARGET) == 0) {
255 /* Head of user chain: ERROR target with chainname */
256 *chainname = t->target.data;
261 if (s->target_offset == sizeof(struct ip6t_entry) &&
262 strcmp(t->target.u.kernel.target->name,
263 XT_STANDARD_TARGET) == 0 &&
265 unconditional(&s->ipv6)) {
266 /* Tail of chains: STANDARD target (return/policy) */
267 *comment = *chainname == hookname
268 ? comments[NF_IP6_TRACE_COMMENT_POLICY]
269 : comments[NF_IP6_TRACE_COMMENT_RETURN];
278 static void trace_packet(const struct sk_buff *skb,
280 const struct net_device *in,
281 const struct net_device *out,
282 const char *tablename,
283 const struct xt_table_info *private,
284 const struct ip6t_entry *e)
286 const void *table_base;
287 const struct ip6t_entry *root;
288 const char *hookname, *chainname, *comment;
289 const struct ip6t_entry *iter;
290 unsigned int rulenum = 0;
291 struct net *net = dev_net(in ? in : out);
293 table_base = private->entries[smp_processor_id()];
294 root = get_entry(table_base, private->hook_entry[hook]);
296 hookname = chainname = hooknames[hook];
297 comment = comments[NF_IP6_TRACE_COMMENT_RULE];
299 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
300 if (get_chainname_rulenum(iter, e, hookname,
301 &chainname, &comment, &rulenum) != 0)
304 nf_log_trace(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
305 "TRACE: %s:%s:%s:%u ",
306 tablename, chainname, comment, rulenum);
310 static inline __pure struct ip6t_entry *
311 ip6t_next_entry(const struct ip6t_entry *entry)
313 return (void *)entry + entry->next_offset;
316 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
318 ip6t_do_table(struct sk_buff *skb,
320 const struct nf_hook_state *state,
321 struct xt_table *table)
323 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
324 /* Initializing verdict to NF_DROP keeps gcc happy. */
325 unsigned int verdict = NF_DROP;
326 const char *indev, *outdev;
327 const void *table_base;
328 struct ip6t_entry *e, **jumpstack;
329 unsigned int *stackptr, origptr, cpu;
330 const struct xt_table_info *private;
331 struct xt_action_param acpar;
335 indev = state->in ? state->in->name : nulldevname;
336 outdev = state->out ? state->out->name : nulldevname;
337 /* We handle fragments by dealing with the first fragment as
338 * if it was a normal packet. All other fragments are treated
339 * normally, except that they will NEVER match rules that ask
340 * things we don't know, ie. tcp syn flag or ports). If the
341 * rule is also a fragment-specific rule, non-fragments won't
343 acpar.hotdrop = false;
344 acpar.in = state->in;
345 acpar.out = state->out;
346 acpar.family = NFPROTO_IPV6;
347 acpar.hooknum = hook;
349 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
352 addend = xt_write_recseq_begin();
353 private = table->private;
355 * Ensure we load private-> members after we've fetched the base
358 smp_read_barrier_depends();
359 cpu = smp_processor_id();
360 table_base = private->entries[cpu];
361 jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
362 stackptr = per_cpu_ptr(private->stackptr, cpu);
365 e = get_entry(table_base, private->hook_entry[hook]);
368 const struct xt_entry_target *t;
369 const struct xt_entry_match *ematch;
373 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
374 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
376 e = ip6t_next_entry(e);
380 xt_ematch_foreach(ematch, e) {
381 acpar.match = ematch->u.kernel.match;
382 acpar.matchinfo = ematch->data;
383 if (!acpar.match->match(skb, &acpar))
387 ADD_COUNTER(e->counters, skb->len, 1);
389 t = ip6t_get_target_c(e);
390 IP_NF_ASSERT(t->u.kernel.target);
392 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
393 /* The packet is traced: log it */
394 if (unlikely(skb->nf_trace))
395 trace_packet(skb, hook, state->in, state->out,
396 table->name, private, e);
398 /* Standard target? */
399 if (!t->u.kernel.target->target) {
402 v = ((struct xt_standard_target *)t)->verdict;
404 /* Pop from stack? */
405 if (v != XT_RETURN) {
406 verdict = (unsigned int)(-v) - 1;
409 if (*stackptr <= origptr)
410 e = get_entry(table_base,
411 private->underflow[hook]);
413 e = ip6t_next_entry(jumpstack[--*stackptr]);
416 if (table_base + v != ip6t_next_entry(e) &&
417 !(e->ipv6.flags & IP6T_F_GOTO)) {
418 if (*stackptr >= private->stacksize) {
422 jumpstack[(*stackptr)++] = e;
425 e = get_entry(table_base, v);
429 acpar.target = t->u.kernel.target;
430 acpar.targinfo = t->data;
432 verdict = t->u.kernel.target->target(skb, &acpar);
433 if (verdict == XT_CONTINUE)
434 e = ip6t_next_entry(e);
438 } while (!acpar.hotdrop);
442 xt_write_recseq_end(addend);
445 #ifdef DEBUG_ALLOW_ALL
454 /* Figures out from what hook each rule can be called: returns 0 if
455 there are loops. Puts hook bitmask in comefrom. */
457 mark_source_chains(const struct xt_table_info *newinfo,
458 unsigned int valid_hooks, void *entry0)
462 /* No recursion; use packet counter to save back ptrs (reset
463 to 0 as we leave), and comefrom to save source hook bitmask */
464 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
465 unsigned int pos = newinfo->hook_entry[hook];
466 struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
468 if (!(valid_hooks & (1 << hook)))
471 /* Set initial back pointer. */
472 e->counters.pcnt = pos;
475 const struct xt_standard_target *t
476 = (void *)ip6t_get_target_c(e);
477 int visited = e->comefrom & (1 << hook);
479 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
480 pr_err("iptables: loop hook %u pos %u %08X.\n",
481 hook, pos, e->comefrom);
484 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
486 /* Unconditional return/END. */
487 if ((e->target_offset == sizeof(struct ip6t_entry) &&
488 (strcmp(t->target.u.user.name,
489 XT_STANDARD_TARGET) == 0) &&
491 unconditional(&e->ipv6)) || visited) {
492 unsigned int oldpos, size;
494 if ((strcmp(t->target.u.user.name,
495 XT_STANDARD_TARGET) == 0) &&
496 t->verdict < -NF_MAX_VERDICT - 1) {
497 duprintf("mark_source_chains: bad "
498 "negative verdict (%i)\n",
503 /* Return: backtrack through the last
506 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
507 #ifdef DEBUG_IP_FIREWALL_USER
509 & (1 << NF_INET_NUMHOOKS)) {
510 duprintf("Back unset "
517 pos = e->counters.pcnt;
518 e->counters.pcnt = 0;
520 /* We're at the start. */
524 e = (struct ip6t_entry *)
526 } while (oldpos == pos + e->next_offset);
529 size = e->next_offset;
530 e = (struct ip6t_entry *)
531 (entry0 + pos + size);
532 e->counters.pcnt = pos;
535 int newpos = t->verdict;
537 if (strcmp(t->target.u.user.name,
538 XT_STANDARD_TARGET) == 0 &&
540 if (newpos > newinfo->size -
541 sizeof(struct ip6t_entry)) {
542 duprintf("mark_source_chains: "
543 "bad verdict (%i)\n",
547 /* This a jump; chase it. */
548 duprintf("Jump rule %u -> %u\n",
551 /* ... this is a fallthru */
552 newpos = pos + e->next_offset;
554 e = (struct ip6t_entry *)
556 e->counters.pcnt = pos;
561 duprintf("Finished chain %u\n", hook);
566 static void cleanup_match(struct xt_entry_match *m, struct net *net)
568 struct xt_mtdtor_param par;
571 par.match = m->u.kernel.match;
572 par.matchinfo = m->data;
573 par.family = NFPROTO_IPV6;
574 if (par.match->destroy != NULL)
575 par.match->destroy(&par);
576 module_put(par.match->me);
580 check_entry(const struct ip6t_entry *e, const char *name)
582 const struct xt_entry_target *t;
584 if (!ip6_checkentry(&e->ipv6)) {
585 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
589 if (e->target_offset + sizeof(struct xt_entry_target) >
593 t = ip6t_get_target_c(e);
594 if (e->target_offset + t->u.target_size > e->next_offset)
600 static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
602 const struct ip6t_ip6 *ipv6 = par->entryinfo;
605 par->match = m->u.kernel.match;
606 par->matchinfo = m->data;
608 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
609 ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
611 duprintf("ip_tables: check failed for `%s'.\n",
619 find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
621 struct xt_match *match;
624 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
627 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
628 return PTR_ERR(match);
630 m->u.kernel.match = match;
632 ret = check_match(m, par);
638 module_put(m->u.kernel.match->me);
642 static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
644 struct xt_entry_target *t = ip6t_get_target(e);
645 struct xt_tgchk_param par = {
649 .target = t->u.kernel.target,
651 .hook_mask = e->comefrom,
652 .family = NFPROTO_IPV6,
656 t = ip6t_get_target(e);
657 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
658 e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
660 duprintf("ip_tables: check failed for `%s'.\n",
661 t->u.kernel.target->name);
668 find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
671 struct xt_entry_target *t;
672 struct xt_target *target;
675 struct xt_mtchk_param mtpar;
676 struct xt_entry_match *ematch;
678 ret = check_entry(e, name);
685 mtpar.entryinfo = &e->ipv6;
686 mtpar.hook_mask = e->comefrom;
687 mtpar.family = NFPROTO_IPV6;
688 xt_ematch_foreach(ematch, e) {
689 ret = find_check_match(ematch, &mtpar);
691 goto cleanup_matches;
695 t = ip6t_get_target(e);
696 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
698 if (IS_ERR(target)) {
699 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
700 ret = PTR_ERR(target);
701 goto cleanup_matches;
703 t->u.kernel.target = target;
705 ret = check_target(e, net, name);
710 module_put(t->u.kernel.target->me);
712 xt_ematch_foreach(ematch, e) {
715 cleanup_match(ematch, net);
720 static bool check_underflow(const struct ip6t_entry *e)
722 const struct xt_entry_target *t;
723 unsigned int verdict;
725 if (!unconditional(&e->ipv6))
727 t = ip6t_get_target_c(e);
728 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
730 verdict = ((struct xt_standard_target *)t)->verdict;
731 verdict = -verdict - 1;
732 return verdict == NF_DROP || verdict == NF_ACCEPT;
736 check_entry_size_and_hooks(struct ip6t_entry *e,
737 struct xt_table_info *newinfo,
738 const unsigned char *base,
739 const unsigned char *limit,
740 const unsigned int *hook_entries,
741 const unsigned int *underflows,
742 unsigned int valid_hooks)
746 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
747 (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
748 duprintf("Bad offset %p\n", e);
753 < sizeof(struct ip6t_entry) + sizeof(struct xt_entry_target)) {
754 duprintf("checking: element %p size %u\n",
759 /* Check hooks & underflows */
760 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
761 if (!(valid_hooks & (1 << h)))
763 if ((unsigned char *)e - base == hook_entries[h])
764 newinfo->hook_entry[h] = hook_entries[h];
765 if ((unsigned char *)e - base == underflows[h]) {
766 if (!check_underflow(e)) {
767 pr_err("Underflows must be unconditional and "
768 "use the STANDARD target with "
772 newinfo->underflow[h] = underflows[h];
776 /* Clear counters and comefrom */
777 e->counters = ((struct xt_counters) { 0, 0 });
782 static void cleanup_entry(struct ip6t_entry *e, struct net *net)
784 struct xt_tgdtor_param par;
785 struct xt_entry_target *t;
786 struct xt_entry_match *ematch;
788 /* Cleanup all matches */
789 xt_ematch_foreach(ematch, e)
790 cleanup_match(ematch, net);
791 t = ip6t_get_target(e);
794 par.target = t->u.kernel.target;
795 par.targinfo = t->data;
796 par.family = NFPROTO_IPV6;
797 if (par.target->destroy != NULL)
798 par.target->destroy(&par);
799 module_put(par.target->me);
802 /* Checks and translates the user-supplied table segment (held in
805 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
806 const struct ip6t_replace *repl)
808 struct ip6t_entry *iter;
812 newinfo->size = repl->size;
813 newinfo->number = repl->num_entries;
815 /* Init all hooks to impossible value. */
816 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
817 newinfo->hook_entry[i] = 0xFFFFFFFF;
818 newinfo->underflow[i] = 0xFFFFFFFF;
821 duprintf("translate_table: size %u\n", newinfo->size);
823 /* Walk through entries, checking offsets. */
824 xt_entry_foreach(iter, entry0, newinfo->size) {
825 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
833 if (strcmp(ip6t_get_target(iter)->u.user.name,
834 XT_ERROR_TARGET) == 0)
835 ++newinfo->stacksize;
838 if (i != repl->num_entries) {
839 duprintf("translate_table: %u not %u entries\n",
840 i, repl->num_entries);
844 /* Check hooks all assigned */
845 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
846 /* Only hooks which are valid */
847 if (!(repl->valid_hooks & (1 << i)))
849 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
850 duprintf("Invalid hook entry %u %u\n",
851 i, repl->hook_entry[i]);
854 if (newinfo->underflow[i] == 0xFFFFFFFF) {
855 duprintf("Invalid underflow %u %u\n",
856 i, repl->underflow[i]);
861 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
864 /* Finally, each sanity check must pass */
866 xt_entry_foreach(iter, entry0, newinfo->size) {
867 ret = find_check_entry(iter, net, repl->name, repl->size);
874 xt_entry_foreach(iter, entry0, newinfo->size) {
877 cleanup_entry(iter, net);
882 /* And one copy for every other CPU */
883 for_each_possible_cpu(i) {
884 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
885 memcpy(newinfo->entries[i], entry0, newinfo->size);
892 get_counters(const struct xt_table_info *t,
893 struct xt_counters counters[])
895 struct ip6t_entry *iter;
899 for_each_possible_cpu(cpu) {
900 seqcount_t *s = &per_cpu(xt_recseq, cpu);
903 xt_entry_foreach(iter, t->entries[cpu], t->size) {
908 start = read_seqcount_begin(s);
909 bcnt = iter->counters.bcnt;
910 pcnt = iter->counters.pcnt;
911 } while (read_seqcount_retry(s, start));
913 ADD_COUNTER(counters[i], bcnt, pcnt);
919 static struct xt_counters *alloc_counters(const struct xt_table *table)
921 unsigned int countersize;
922 struct xt_counters *counters;
923 const struct xt_table_info *private = table->private;
925 /* We need atomic snapshot of counters: rest doesn't change
926 (other than comefrom, which userspace doesn't care
928 countersize = sizeof(struct xt_counters) * private->number;
929 counters = vzalloc(countersize);
931 if (counters == NULL)
932 return ERR_PTR(-ENOMEM);
934 get_counters(private, counters);
940 copy_entries_to_user(unsigned int total_size,
941 const struct xt_table *table,
942 void __user *userptr)
944 unsigned int off, num;
945 const struct ip6t_entry *e;
946 struct xt_counters *counters;
947 const struct xt_table_info *private = table->private;
949 const void *loc_cpu_entry;
951 counters = alloc_counters(table);
952 if (IS_ERR(counters))
953 return PTR_ERR(counters);
955 /* choose the copy that is on our node/cpu, ...
956 * This choice is lazy (because current thread is
957 * allowed to migrate to another cpu)
959 loc_cpu_entry = private->entries[raw_smp_processor_id()];
960 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
965 /* FIXME: use iterator macros --RR */
966 /* ... then go back and fix counters and names */
967 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
969 const struct xt_entry_match *m;
970 const struct xt_entry_target *t;
972 e = (struct ip6t_entry *)(loc_cpu_entry + off);
973 if (copy_to_user(userptr + off
974 + offsetof(struct ip6t_entry, counters),
976 sizeof(counters[num])) != 0) {
981 for (i = sizeof(struct ip6t_entry);
982 i < e->target_offset;
983 i += m->u.match_size) {
986 if (copy_to_user(userptr + off + i
987 + offsetof(struct xt_entry_match,
989 m->u.kernel.match->name,
990 strlen(m->u.kernel.match->name)+1)
997 t = ip6t_get_target_c(e);
998 if (copy_to_user(userptr + off + e->target_offset
999 + offsetof(struct xt_entry_target,
1001 t->u.kernel.target->name,
1002 strlen(t->u.kernel.target->name)+1) != 0) {
1013 #ifdef CONFIG_COMPAT
1014 static void compat_standard_from_user(void *dst, const void *src)
1016 int v = *(compat_int_t *)src;
1019 v += xt_compat_calc_jump(AF_INET6, v);
1020 memcpy(dst, &v, sizeof(v));
1023 static int compat_standard_to_user(void __user *dst, const void *src)
1025 compat_int_t cv = *(int *)src;
1028 cv -= xt_compat_calc_jump(AF_INET6, cv);
1029 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1032 static int compat_calc_entry(const struct ip6t_entry *e,
1033 const struct xt_table_info *info,
1034 const void *base, struct xt_table_info *newinfo)
1036 const struct xt_entry_match *ematch;
1037 const struct xt_entry_target *t;
1038 unsigned int entry_offset;
1041 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1042 entry_offset = (void *)e - base;
1043 xt_ematch_foreach(ematch, e)
1044 off += xt_compat_match_offset(ematch->u.kernel.match);
1045 t = ip6t_get_target_c(e);
1046 off += xt_compat_target_offset(t->u.kernel.target);
1047 newinfo->size -= off;
1048 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1052 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1053 if (info->hook_entry[i] &&
1054 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
1055 newinfo->hook_entry[i] -= off;
1056 if (info->underflow[i] &&
1057 (e < (struct ip6t_entry *)(base + info->underflow[i])))
1058 newinfo->underflow[i] -= off;
1063 static int compat_table_info(const struct xt_table_info *info,
1064 struct xt_table_info *newinfo)
1066 struct ip6t_entry *iter;
1067 void *loc_cpu_entry;
1070 if (!newinfo || !info)
1073 /* we dont care about newinfo->entries[] */
1074 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1075 newinfo->initial_entries = 0;
1076 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1077 xt_compat_init_offsets(AF_INET6, info->number);
1078 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
1079 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
1087 static int get_info(struct net *net, void __user *user,
1088 const int *len, int compat)
1090 char name[XT_TABLE_MAXNAMELEN];
1094 if (*len != sizeof(struct ip6t_getinfo)) {
1095 duprintf("length %u != %zu\n", *len,
1096 sizeof(struct ip6t_getinfo));
1100 if (copy_from_user(name, user, sizeof(name)) != 0)
1103 name[XT_TABLE_MAXNAMELEN-1] = '\0';
1104 #ifdef CONFIG_COMPAT
1106 xt_compat_lock(AF_INET6);
1108 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1109 "ip6table_%s", name);
1110 if (!IS_ERR_OR_NULL(t)) {
1111 struct ip6t_getinfo info;
1112 const struct xt_table_info *private = t->private;
1113 #ifdef CONFIG_COMPAT
1114 struct xt_table_info tmp;
1117 ret = compat_table_info(private, &tmp);
1118 xt_compat_flush_offsets(AF_INET6);
1122 memset(&info, 0, sizeof(info));
1123 info.valid_hooks = t->valid_hooks;
1124 memcpy(info.hook_entry, private->hook_entry,
1125 sizeof(info.hook_entry));
1126 memcpy(info.underflow, private->underflow,
1127 sizeof(info.underflow));
1128 info.num_entries = private->number;
1129 info.size = private->size;
1130 strcpy(info.name, name);
1132 if (copy_to_user(user, &info, *len) != 0)
1140 ret = t ? PTR_ERR(t) : -ENOENT;
1141 #ifdef CONFIG_COMPAT
1143 xt_compat_unlock(AF_INET6);
1149 get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
1153 struct ip6t_get_entries get;
1156 if (*len < sizeof(get)) {
1157 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1160 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1162 if (*len != sizeof(struct ip6t_get_entries) + get.size) {
1163 duprintf("get_entries: %u != %zu\n",
1164 *len, sizeof(get) + get.size);
1168 t = xt_find_table_lock(net, AF_INET6, get.name);
1169 if (!IS_ERR_OR_NULL(t)) {
1170 struct xt_table_info *private = t->private;
1171 duprintf("t->private->number = %u\n", private->number);
1172 if (get.size == private->size)
1173 ret = copy_entries_to_user(private->size,
1174 t, uptr->entrytable);
1176 duprintf("get_entries: I've got %u not %u!\n",
1177 private->size, get.size);
1183 ret = t ? PTR_ERR(t) : -ENOENT;
1189 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1190 struct xt_table_info *newinfo, unsigned int num_counters,
1191 void __user *counters_ptr)
1195 struct xt_table_info *oldinfo;
1196 struct xt_counters *counters;
1197 const void *loc_cpu_old_entry;
1198 struct ip6t_entry *iter;
1201 counters = vzalloc(num_counters * sizeof(struct xt_counters));
1207 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1208 "ip6table_%s", name);
1209 if (IS_ERR_OR_NULL(t)) {
1210 ret = t ? PTR_ERR(t) : -ENOENT;
1211 goto free_newinfo_counters_untrans;
1215 if (valid_hooks != t->valid_hooks) {
1216 duprintf("Valid hook crap: %08X vs %08X\n",
1217 valid_hooks, t->valid_hooks);
1222 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1226 /* Update module usage count based on number of rules */
1227 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1228 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1229 if ((oldinfo->number > oldinfo->initial_entries) ||
1230 (newinfo->number <= oldinfo->initial_entries))
1232 if ((oldinfo->number > oldinfo->initial_entries) &&
1233 (newinfo->number <= oldinfo->initial_entries))
1236 /* Get the old counters, and synchronize with replace */
1237 get_counters(oldinfo, counters);
1239 /* Decrease module usage counts and free resource */
1240 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1241 xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
1242 cleanup_entry(iter, net);
1244 xt_free_table_info(oldinfo);
1245 if (copy_to_user(counters_ptr, counters,
1246 sizeof(struct xt_counters) * num_counters) != 0) {
1247 /* Silent error, can't fail, new table is already in place */
1248 net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
1257 free_newinfo_counters_untrans:
1264 do_replace(struct net *net, const void __user *user, unsigned int len)
1267 struct ip6t_replace tmp;
1268 struct xt_table_info *newinfo;
1269 void *loc_cpu_entry;
1270 struct ip6t_entry *iter;
1272 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1275 /* overflow check */
1276 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1278 if (tmp.num_counters == 0)
1281 tmp.name[sizeof(tmp.name)-1] = 0;
1283 newinfo = xt_alloc_table_info(tmp.size);
1287 /* choose the copy that is on our node/cpu */
1288 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1289 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1295 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1299 duprintf("ip_tables: Translated table\n");
1301 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1302 tmp.num_counters, tmp.counters);
1304 goto free_newinfo_untrans;
1307 free_newinfo_untrans:
1308 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1309 cleanup_entry(iter, net);
1311 xt_free_table_info(newinfo);
1316 do_add_counters(struct net *net, const void __user *user, unsigned int len,
1319 unsigned int i, curcpu;
1320 struct xt_counters_info tmp;
1321 struct xt_counters *paddc;
1322 unsigned int num_counters;
1327 const struct xt_table_info *private;
1329 const void *loc_cpu_entry;
1330 struct ip6t_entry *iter;
1331 unsigned int addend;
1332 #ifdef CONFIG_COMPAT
1333 struct compat_xt_counters_info compat_tmp;
1337 size = sizeof(struct compat_xt_counters_info);
1342 size = sizeof(struct xt_counters_info);
1345 if (copy_from_user(ptmp, user, size) != 0)
1348 #ifdef CONFIG_COMPAT
1350 num_counters = compat_tmp.num_counters;
1351 name = compat_tmp.name;
1355 num_counters = tmp.num_counters;
1359 if (len != size + num_counters * sizeof(struct xt_counters))
1362 paddc = vmalloc(len - size);
1366 if (copy_from_user(paddc, user + size, len - size) != 0) {
1371 t = xt_find_table_lock(net, AF_INET6, name);
1372 if (IS_ERR_OR_NULL(t)) {
1373 ret = t ? PTR_ERR(t) : -ENOENT;
1379 private = t->private;
1380 if (private->number != num_counters) {
1382 goto unlock_up_free;
1386 /* Choose the copy that is on our node */
1387 curcpu = smp_processor_id();
1388 addend = xt_write_recseq_begin();
1389 loc_cpu_entry = private->entries[curcpu];
1390 xt_entry_foreach(iter, loc_cpu_entry, private->size) {
1391 ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
1394 xt_write_recseq_end(addend);
1406 #ifdef CONFIG_COMPAT
1407 struct compat_ip6t_replace {
1408 char name[XT_TABLE_MAXNAMELEN];
1412 u32 hook_entry[NF_INET_NUMHOOKS];
1413 u32 underflow[NF_INET_NUMHOOKS];
1415 compat_uptr_t counters; /* struct xt_counters * */
1416 struct compat_ip6t_entry entries[0];
1420 compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1421 unsigned int *size, struct xt_counters *counters,
1424 struct xt_entry_target *t;
1425 struct compat_ip6t_entry __user *ce;
1426 u_int16_t target_offset, next_offset;
1427 compat_uint_t origsize;
1428 const struct xt_entry_match *ematch;
1432 ce = (struct compat_ip6t_entry __user *)*dstptr;
1433 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
1434 copy_to_user(&ce->counters, &counters[i],
1435 sizeof(counters[i])) != 0)
1438 *dstptr += sizeof(struct compat_ip6t_entry);
1439 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1441 xt_ematch_foreach(ematch, e) {
1442 ret = xt_compat_match_to_user(ematch, dstptr, size);
1446 target_offset = e->target_offset - (origsize - *size);
1447 t = ip6t_get_target(e);
1448 ret = xt_compat_target_to_user(t, dstptr, size);
1451 next_offset = e->next_offset - (origsize - *size);
1452 if (put_user(target_offset, &ce->target_offset) != 0 ||
1453 put_user(next_offset, &ce->next_offset) != 0)
1459 compat_find_calc_match(struct xt_entry_match *m,
1461 const struct ip6t_ip6 *ipv6,
1464 struct xt_match *match;
1466 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1467 m->u.user.revision);
1468 if (IS_ERR(match)) {
1469 duprintf("compat_check_calc_match: `%s' not found\n",
1471 return PTR_ERR(match);
1473 m->u.kernel.match = match;
1474 *size += xt_compat_match_offset(match);
1478 static void compat_release_entry(struct compat_ip6t_entry *e)
1480 struct xt_entry_target *t;
1481 struct xt_entry_match *ematch;
1483 /* Cleanup all matches */
1484 xt_ematch_foreach(ematch, e)
1485 module_put(ematch->u.kernel.match->me);
1486 t = compat_ip6t_get_target(e);
1487 module_put(t->u.kernel.target->me);
1491 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1492 struct xt_table_info *newinfo,
1494 const unsigned char *base,
1495 const unsigned char *limit,
1496 const unsigned int *hook_entries,
1497 const unsigned int *underflows,
1500 struct xt_entry_match *ematch;
1501 struct xt_entry_target *t;
1502 struct xt_target *target;
1503 unsigned int entry_offset;
1507 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1508 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
1509 (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
1510 duprintf("Bad offset %p, limit = %p\n", e, limit);
1514 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1515 sizeof(struct compat_xt_entry_target)) {
1516 duprintf("checking: element %p size %u\n",
1521 /* For purposes of check_entry casting the compat entry is fine */
1522 ret = check_entry((struct ip6t_entry *)e, name);
1526 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1527 entry_offset = (void *)e - (void *)base;
1529 xt_ematch_foreach(ematch, e) {
1530 ret = compat_find_calc_match(ematch, name, &e->ipv6, &off);
1532 goto release_matches;
1536 t = compat_ip6t_get_target(e);
1537 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1538 t->u.user.revision);
1539 if (IS_ERR(target)) {
1540 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1542 ret = PTR_ERR(target);
1543 goto release_matches;
1545 t->u.kernel.target = target;
1547 off += xt_compat_target_offset(target);
1549 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1553 /* Check hooks & underflows */
1554 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1555 if ((unsigned char *)e - base == hook_entries[h])
1556 newinfo->hook_entry[h] = hook_entries[h];
1557 if ((unsigned char *)e - base == underflows[h])
1558 newinfo->underflow[h] = underflows[h];
1561 /* Clear counters and comefrom */
1562 memset(&e->counters, 0, sizeof(e->counters));
1567 module_put(t->u.kernel.target->me);
1569 xt_ematch_foreach(ematch, e) {
1572 module_put(ematch->u.kernel.match->me);
1578 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1579 unsigned int *size, const char *name,
1580 struct xt_table_info *newinfo, unsigned char *base)
1582 struct xt_entry_target *t;
1583 struct ip6t_entry *de;
1584 unsigned int origsize;
1586 struct xt_entry_match *ematch;
1590 de = (struct ip6t_entry *)*dstptr;
1591 memcpy(de, e, sizeof(struct ip6t_entry));
1592 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1594 *dstptr += sizeof(struct ip6t_entry);
1595 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1597 xt_ematch_foreach(ematch, e) {
1598 ret = xt_compat_match_from_user(ematch, dstptr, size);
1602 de->target_offset = e->target_offset - (origsize - *size);
1603 t = compat_ip6t_get_target(e);
1604 xt_compat_target_from_user(t, dstptr, size);
1606 de->next_offset = e->next_offset - (origsize - *size);
1607 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1608 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1609 newinfo->hook_entry[h] -= origsize - *size;
1610 if ((unsigned char *)de - base < newinfo->underflow[h])
1611 newinfo->underflow[h] -= origsize - *size;
1616 static int compat_check_entry(struct ip6t_entry *e, struct net *net,
1621 struct xt_mtchk_param mtpar;
1622 struct xt_entry_match *ematch;
1627 mtpar.entryinfo = &e->ipv6;
1628 mtpar.hook_mask = e->comefrom;
1629 mtpar.family = NFPROTO_IPV6;
1630 xt_ematch_foreach(ematch, e) {
1631 ret = check_match(ematch, &mtpar);
1633 goto cleanup_matches;
1637 ret = check_target(e, net, name);
1639 goto cleanup_matches;
1643 xt_ematch_foreach(ematch, e) {
1646 cleanup_match(ematch, net);
1652 translate_compat_table(struct net *net,
1654 unsigned int valid_hooks,
1655 struct xt_table_info **pinfo,
1657 unsigned int total_size,
1658 unsigned int number,
1659 unsigned int *hook_entries,
1660 unsigned int *underflows)
1663 struct xt_table_info *newinfo, *info;
1664 void *pos, *entry0, *entry1;
1665 struct compat_ip6t_entry *iter0;
1666 struct ip6t_entry *iter1;
1673 info->number = number;
1675 /* Init all hooks to impossible value. */
1676 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1677 info->hook_entry[i] = 0xFFFFFFFF;
1678 info->underflow[i] = 0xFFFFFFFF;
1681 duprintf("translate_compat_table: size %u\n", info->size);
1683 xt_compat_lock(AF_INET6);
1684 xt_compat_init_offsets(AF_INET6, number);
1685 /* Walk through entries, checking offsets. */
1686 xt_entry_foreach(iter0, entry0, total_size) {
1687 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1689 entry0 + total_size,
1700 duprintf("translate_compat_table: %u not %u entries\n",
1705 /* Check hooks all assigned */
1706 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1707 /* Only hooks which are valid */
1708 if (!(valid_hooks & (1 << i)))
1710 if (info->hook_entry[i] == 0xFFFFFFFF) {
1711 duprintf("Invalid hook entry %u %u\n",
1712 i, hook_entries[i]);
1715 if (info->underflow[i] == 0xFFFFFFFF) {
1716 duprintf("Invalid underflow %u %u\n",
1723 newinfo = xt_alloc_table_info(size);
1727 newinfo->number = number;
1728 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1729 newinfo->hook_entry[i] = info->hook_entry[i];
1730 newinfo->underflow[i] = info->underflow[i];
1732 entry1 = newinfo->entries[raw_smp_processor_id()];
1735 xt_entry_foreach(iter0, entry0, total_size) {
1736 ret = compat_copy_entry_from_user(iter0, &pos, &size,
1737 name, newinfo, entry1);
1741 xt_compat_flush_offsets(AF_INET6);
1742 xt_compat_unlock(AF_INET6);
1747 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1751 xt_entry_foreach(iter1, entry1, newinfo->size) {
1752 ret = compat_check_entry(iter1, net, name);
1756 if (strcmp(ip6t_get_target(iter1)->u.user.name,
1757 XT_ERROR_TARGET) == 0)
1758 ++newinfo->stacksize;
1762 * The first i matches need cleanup_entry (calls ->destroy)
1763 * because they had called ->check already. The other j-i
1764 * entries need only release.
1768 xt_entry_foreach(iter0, entry0, newinfo->size) {
1773 compat_release_entry(iter0);
1775 xt_entry_foreach(iter1, entry1, newinfo->size) {
1778 cleanup_entry(iter1, net);
1780 xt_free_table_info(newinfo);
1784 /* And one copy for every other CPU */
1785 for_each_possible_cpu(i)
1786 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1787 memcpy(newinfo->entries[i], entry1, newinfo->size);
1791 xt_free_table_info(info);
1795 xt_free_table_info(newinfo);
1797 xt_entry_foreach(iter0, entry0, total_size) {
1800 compat_release_entry(iter0);
1804 xt_compat_flush_offsets(AF_INET6);
1805 xt_compat_unlock(AF_INET6);
1810 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1813 struct compat_ip6t_replace tmp;
1814 struct xt_table_info *newinfo;
1815 void *loc_cpu_entry;
1816 struct ip6t_entry *iter;
1818 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1821 /* overflow check */
1822 if (tmp.size >= INT_MAX / num_possible_cpus())
1824 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1826 if (tmp.num_counters == 0)
1829 tmp.name[sizeof(tmp.name)-1] = 0;
1831 newinfo = xt_alloc_table_info(tmp.size);
1835 /* choose the copy that is on our node/cpu */
1836 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1837 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1843 ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
1844 &newinfo, &loc_cpu_entry, tmp.size,
1845 tmp.num_entries, tmp.hook_entry,
1850 duprintf("compat_do_replace: Translated table\n");
1852 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1853 tmp.num_counters, compat_ptr(tmp.counters));
1855 goto free_newinfo_untrans;
1858 free_newinfo_untrans:
1859 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1860 cleanup_entry(iter, net);
1862 xt_free_table_info(newinfo);
1867 compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1872 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1876 case IP6T_SO_SET_REPLACE:
1877 ret = compat_do_replace(sock_net(sk), user, len);
1880 case IP6T_SO_SET_ADD_COUNTERS:
1881 ret = do_add_counters(sock_net(sk), user, len, 1);
1885 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1892 struct compat_ip6t_get_entries {
1893 char name[XT_TABLE_MAXNAMELEN];
1895 struct compat_ip6t_entry entrytable[0];
1899 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1900 void __user *userptr)
1902 struct xt_counters *counters;
1903 const struct xt_table_info *private = table->private;
1907 const void *loc_cpu_entry;
1909 struct ip6t_entry *iter;
1911 counters = alloc_counters(table);
1912 if (IS_ERR(counters))
1913 return PTR_ERR(counters);
1915 /* choose the copy that is on our node/cpu, ...
1916 * This choice is lazy (because current thread is
1917 * allowed to migrate to another cpu)
1919 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1922 xt_entry_foreach(iter, loc_cpu_entry, total_size) {
1923 ret = compat_copy_entry_to_user(iter, &pos,
1924 &size, counters, i++);
1934 compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1938 struct compat_ip6t_get_entries get;
1941 if (*len < sizeof(get)) {
1942 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1946 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1949 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size) {
1950 duprintf("compat_get_entries: %u != %zu\n",
1951 *len, sizeof(get) + get.size);
1955 xt_compat_lock(AF_INET6);
1956 t = xt_find_table_lock(net, AF_INET6, get.name);
1957 if (!IS_ERR_OR_NULL(t)) {
1958 const struct xt_table_info *private = t->private;
1959 struct xt_table_info info;
1960 duprintf("t->private->number = %u\n", private->number);
1961 ret = compat_table_info(private, &info);
1962 if (!ret && get.size == info.size) {
1963 ret = compat_copy_entries_to_user(private->size,
1964 t, uptr->entrytable);
1966 duprintf("compat_get_entries: I've got %u not %u!\n",
1967 private->size, get.size);
1970 xt_compat_flush_offsets(AF_INET6);
1974 ret = t ? PTR_ERR(t) : -ENOENT;
1976 xt_compat_unlock(AF_INET6);
1980 static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1983 compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1987 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1991 case IP6T_SO_GET_INFO:
1992 ret = get_info(sock_net(sk), user, len, 1);
1994 case IP6T_SO_GET_ENTRIES:
1995 ret = compat_get_entries(sock_net(sk), user, len);
1998 ret = do_ip6t_get_ctl(sk, cmd, user, len);
2005 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2009 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2013 case IP6T_SO_SET_REPLACE:
2014 ret = do_replace(sock_net(sk), user, len);
2017 case IP6T_SO_SET_ADD_COUNTERS:
2018 ret = do_add_counters(sock_net(sk), user, len, 0);
2022 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
2030 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2034 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2038 case IP6T_SO_GET_INFO:
2039 ret = get_info(sock_net(sk), user, len, 0);
2042 case IP6T_SO_GET_ENTRIES:
2043 ret = get_entries(sock_net(sk), user, len);
2046 case IP6T_SO_GET_REVISION_MATCH:
2047 case IP6T_SO_GET_REVISION_TARGET: {
2048 struct xt_get_revision rev;
2051 if (*len != sizeof(rev)) {
2055 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2059 rev.name[sizeof(rev.name)-1] = 0;
2061 if (cmd == IP6T_SO_GET_REVISION_TARGET)
2066 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
2069 "ip6t_%s", rev.name);
2074 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
2081 struct xt_table *ip6t_register_table(struct net *net,
2082 const struct xt_table *table,
2083 const struct ip6t_replace *repl)
2086 struct xt_table_info *newinfo;
2087 struct xt_table_info bootstrap = {0};
2088 void *loc_cpu_entry;
2089 struct xt_table *new_table;
2091 newinfo = xt_alloc_table_info(repl->size);
2097 /* choose the copy on our node/cpu, but dont care about preemption */
2098 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2099 memcpy(loc_cpu_entry, repl->entries, repl->size);
2101 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
2105 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2106 if (IS_ERR(new_table)) {
2107 ret = PTR_ERR(new_table);
2113 xt_free_table_info(newinfo);
2115 return ERR_PTR(ret);
2118 void ip6t_unregister_table(struct net *net, struct xt_table *table)
2120 struct xt_table_info *private;
2121 void *loc_cpu_entry;
2122 struct module *table_owner = table->me;
2123 struct ip6t_entry *iter;
2125 private = xt_unregister_table(table);
2127 /* Decrease module usage counts and free resources */
2128 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2129 xt_entry_foreach(iter, loc_cpu_entry, private->size)
2130 cleanup_entry(iter, net);
2131 if (private->number > private->initial_entries)
2132 module_put(table_owner);
2133 xt_free_table_info(private);
2136 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2138 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2139 u_int8_t type, u_int8_t code,
2142 return (type == test_type && code >= min_code && code <= max_code)
2147 icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
2149 const struct icmp6hdr *ic;
2150 struct icmp6hdr _icmph;
2151 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2153 /* Must not be a fragment. */
2154 if (par->fragoff != 0)
2157 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2159 /* We've been asked to examine this packet, and we
2160 * can't. Hence, no choice but to drop.
2162 duprintf("Dropping evil ICMP tinygram.\n");
2163 par->hotdrop = true;
2167 return icmp6_type_code_match(icmpinfo->type,
2170 ic->icmp6_type, ic->icmp6_code,
2171 !!(icmpinfo->invflags&IP6T_ICMP_INV));
2174 /* Called when user tries to insert an entry of this type. */
2175 static int icmp6_checkentry(const struct xt_mtchk_param *par)
2177 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2179 /* Must specify no unknown invflags */
2180 return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
2183 /* The built-in targets: standard (NULL) and error. */
2184 static struct xt_target ip6t_builtin_tg[] __read_mostly = {
2186 .name = XT_STANDARD_TARGET,
2187 .targetsize = sizeof(int),
2188 .family = NFPROTO_IPV6,
2189 #ifdef CONFIG_COMPAT
2190 .compatsize = sizeof(compat_int_t),
2191 .compat_from_user = compat_standard_from_user,
2192 .compat_to_user = compat_standard_to_user,
2196 .name = XT_ERROR_TARGET,
2197 .target = ip6t_error,
2198 .targetsize = XT_FUNCTION_MAXNAMELEN,
2199 .family = NFPROTO_IPV6,
2203 static struct nf_sockopt_ops ip6t_sockopts = {
2205 .set_optmin = IP6T_BASE_CTL,
2206 .set_optmax = IP6T_SO_SET_MAX+1,
2207 .set = do_ip6t_set_ctl,
2208 #ifdef CONFIG_COMPAT
2209 .compat_set = compat_do_ip6t_set_ctl,
2211 .get_optmin = IP6T_BASE_CTL,
2212 .get_optmax = IP6T_SO_GET_MAX+1,
2213 .get = do_ip6t_get_ctl,
2214 #ifdef CONFIG_COMPAT
2215 .compat_get = compat_do_ip6t_get_ctl,
2217 .owner = THIS_MODULE,
2220 static struct xt_match ip6t_builtin_mt[] __read_mostly = {
2223 .match = icmp6_match,
2224 .matchsize = sizeof(struct ip6t_icmp),
2225 .checkentry = icmp6_checkentry,
2226 .proto = IPPROTO_ICMPV6,
2227 .family = NFPROTO_IPV6,
2231 static int __net_init ip6_tables_net_init(struct net *net)
2233 return xt_proto_init(net, NFPROTO_IPV6);
2236 static void __net_exit ip6_tables_net_exit(struct net *net)
2238 xt_proto_fini(net, NFPROTO_IPV6);
2241 static struct pernet_operations ip6_tables_net_ops = {
2242 .init = ip6_tables_net_init,
2243 .exit = ip6_tables_net_exit,
2246 static int __init ip6_tables_init(void)
2250 ret = register_pernet_subsys(&ip6_tables_net_ops);
2254 /* No one else will be downing sem now, so we won't sleep */
2255 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2258 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2262 /* Register setsockopt */
2263 ret = nf_register_sockopt(&ip6t_sockopts);
2267 pr_info("(C) 2000-2006 Netfilter Core Team\n");
2271 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2273 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2275 unregister_pernet_subsys(&ip6_tables_net_ops);
2280 static void __exit ip6_tables_fini(void)
2282 nf_unregister_sockopt(&ip6t_sockopts);
2284 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2285 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2286 unregister_pernet_subsys(&ip6_tables_net_ops);
2289 EXPORT_SYMBOL(ip6t_register_table);
2290 EXPORT_SYMBOL(ip6t_unregister_table);
2291 EXPORT_SYMBOL(ip6t_do_table);
2293 module_init(ip6_tables_init);
2294 module_exit(ip6_tables_fini);