2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 #include <linux/kernel.h>
16 #include <linux/capability.h>
18 #include <linux/skbuff.h>
19 #include <linux/kmod.h>
20 #include <linux/vmalloc.h>
21 #include <linux/netdevice.h>
22 #include <linux/module.h>
23 #include <linux/poison.h>
24 #include <linux/icmpv6.h>
26 #include <net/compat.h>
27 #include <linux/uaccess.h>
28 #include <linux/mutex.h>
29 #include <linux/proc_fs.h>
30 #include <linux/err.h>
31 #include <linux/cpumask.h>
33 #include <linux/netfilter_ipv6/ip6_tables.h>
34 #include <linux/netfilter/x_tables.h>
35 #include <net/netfilter/nf_log.h>
36 #include "../../netfilter/xt_repldata.h"
38 MODULE_LICENSE("GPL");
39 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
40 MODULE_DESCRIPTION("IPv6 packet filter");
42 #ifdef CONFIG_NETFILTER_DEBUG
43 #define IP_NF_ASSERT(x) WARN_ON(!(x))
45 #define IP_NF_ASSERT(x)
48 void *ip6t_alloc_initial_table(const struct xt_table
*info
)
50 return xt_alloc_initial_table(ip6t
, IP6T
);
52 EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table
);
55 We keep a set of rules for each CPU, so we can avoid write-locking
56 them in the softirq when updating the counters and therefore
57 only need to read-lock in the softirq; doing a write_lock_bh() in user
58 context stops packets coming through and allows user context to read
59 the counters or update the rules.
61 Hence the start of any table is given by get_table() below. */
63 /* Returns whether matches rule or not. */
64 /* Performance critical - called for every packet */
66 ip6_packet_match(const struct sk_buff
*skb
,
69 const struct ip6t_ip6
*ip6info
,
70 unsigned int *protoff
,
71 int *fragoff
, bool *hotdrop
)
74 const struct ipv6hdr
*ipv6
= ipv6_hdr(skb
);
76 if (NF_INVF(ip6info
, IP6T_INV_SRCIP
,
77 ipv6_masked_addr_cmp(&ipv6
->saddr
, &ip6info
->smsk
,
79 NF_INVF(ip6info
, IP6T_INV_DSTIP
,
80 ipv6_masked_addr_cmp(&ipv6
->daddr
, &ip6info
->dmsk
,
84 ret
= ifname_compare_aligned(indev
, ip6info
->iniface
, ip6info
->iniface_mask
);
86 if (NF_INVF(ip6info
, IP6T_INV_VIA_IN
, ret
!= 0))
89 ret
= ifname_compare_aligned(outdev
, ip6info
->outiface
, ip6info
->outiface_mask
);
91 if (NF_INVF(ip6info
, IP6T_INV_VIA_OUT
, ret
!= 0))
94 /* ... might want to do something with class and flowlabel here ... */
96 /* look for the desired protocol header */
97 if (ip6info
->flags
& IP6T_F_PROTO
) {
99 unsigned short _frag_off
;
101 protohdr
= ipv6_find_hdr(skb
, protoff
, -1, &_frag_off
, NULL
);
107 *fragoff
= _frag_off
;
109 if (ip6info
->proto
== protohdr
) {
110 if (ip6info
->invflags
& IP6T_INV_PROTO
)
116 /* We need match for the '-p all', too! */
117 if ((ip6info
->proto
!= 0) &&
118 !(ip6info
->invflags
& IP6T_INV_PROTO
))
124 /* should be ip6 safe */
126 ip6_checkentry(const struct ip6t_ip6
*ipv6
)
128 if (ipv6
->flags
& ~IP6T_F_MASK
)
130 if (ipv6
->invflags
& ~IP6T_INV_MASK
)
137 ip6t_error(struct sk_buff
*skb
, const struct xt_action_param
*par
)
139 net_info_ratelimited("error: `%s'\n", (const char *)par
->targinfo
);
144 static inline struct ip6t_entry
*
145 get_entry(const void *base
, unsigned int offset
)
147 return (struct ip6t_entry
*)(base
+ offset
);
150 /* All zeroes == unconditional rule. */
151 /* Mildly perf critical (only if packet tracing is on) */
152 static inline bool unconditional(const struct ip6t_entry
*e
)
154 static const struct ip6t_ip6 uncond
;
156 return e
->target_offset
== sizeof(struct ip6t_entry
) &&
157 memcmp(&e
->ipv6
, &uncond
, sizeof(uncond
)) == 0;
160 static inline const struct xt_entry_target
*
161 ip6t_get_target_c(const struct ip6t_entry
*e
)
163 return ip6t_get_target((struct ip6t_entry
*)e
);
166 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
167 /* This cries for unification! */
168 static const char *const hooknames
[] = {
169 [NF_INET_PRE_ROUTING
] = "PREROUTING",
170 [NF_INET_LOCAL_IN
] = "INPUT",
171 [NF_INET_FORWARD
] = "FORWARD",
172 [NF_INET_LOCAL_OUT
] = "OUTPUT",
173 [NF_INET_POST_ROUTING
] = "POSTROUTING",
176 enum nf_ip_trace_comments
{
177 NF_IP6_TRACE_COMMENT_RULE
,
178 NF_IP6_TRACE_COMMENT_RETURN
,
179 NF_IP6_TRACE_COMMENT_POLICY
,
182 static const char *const comments
[] = {
183 [NF_IP6_TRACE_COMMENT_RULE
] = "rule",
184 [NF_IP6_TRACE_COMMENT_RETURN
] = "return",
185 [NF_IP6_TRACE_COMMENT_POLICY
] = "policy",
188 static struct nf_loginfo trace_loginfo
= {
189 .type
= NF_LOG_TYPE_LOG
,
192 .level
= LOGLEVEL_WARNING
,
193 .logflags
= NF_LOG_DEFAULT_MASK
,
198 /* Mildly perf critical (only if packet tracing is on) */
200 get_chainname_rulenum(const struct ip6t_entry
*s
, const struct ip6t_entry
*e
,
201 const char *hookname
, const char **chainname
,
202 const char **comment
, unsigned int *rulenum
)
204 const struct xt_standard_target
*t
= (void *)ip6t_get_target_c(s
);
206 if (strcmp(t
->target
.u
.kernel
.target
->name
, XT_ERROR_TARGET
) == 0) {
207 /* Head of user chain: ERROR target with chainname */
208 *chainname
= t
->target
.data
;
213 if (unconditional(s
) &&
214 strcmp(t
->target
.u
.kernel
.target
->name
,
215 XT_STANDARD_TARGET
) == 0 &&
217 /* Tail of chains: STANDARD target (return/policy) */
218 *comment
= *chainname
== hookname
219 ? comments
[NF_IP6_TRACE_COMMENT_POLICY
]
220 : comments
[NF_IP6_TRACE_COMMENT_RETURN
];
229 static void trace_packet(struct net
*net
,
230 const struct sk_buff
*skb
,
232 const struct net_device
*in
,
233 const struct net_device
*out
,
234 const char *tablename
,
235 const struct xt_table_info
*private,
236 const struct ip6t_entry
*e
)
238 const struct ip6t_entry
*root
;
239 const char *hookname
, *chainname
, *comment
;
240 const struct ip6t_entry
*iter
;
241 unsigned int rulenum
= 0;
243 root
= get_entry(private->entries
, private->hook_entry
[hook
]);
245 hookname
= chainname
= hooknames
[hook
];
246 comment
= comments
[NF_IP6_TRACE_COMMENT_RULE
];
248 xt_entry_foreach(iter
, root
, private->size
- private->hook_entry
[hook
])
249 if (get_chainname_rulenum(iter
, e
, hookname
,
250 &chainname
, &comment
, &rulenum
) != 0)
253 nf_log_trace(net
, AF_INET6
, hook
, skb
, in
, out
, &trace_loginfo
,
254 "TRACE: %s:%s:%s:%u ",
255 tablename
, chainname
, comment
, rulenum
);
259 static inline struct ip6t_entry
*
260 ip6t_next_entry(const struct ip6t_entry
*entry
)
262 return (void *)entry
+ entry
->next_offset
;
265 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
267 ip6t_do_table(struct sk_buff
*skb
,
268 const struct nf_hook_state
*state
,
269 struct xt_table
*table
)
271 unsigned int hook
= state
->hook
;
272 static const char nulldevname
[IFNAMSIZ
] __attribute__((aligned(sizeof(long))));
273 /* Initializing verdict to NF_DROP keeps gcc happy. */
274 unsigned int verdict
= NF_DROP
;
275 const char *indev
, *outdev
;
276 const void *table_base
;
277 struct ip6t_entry
*e
, **jumpstack
;
278 unsigned int stackidx
, cpu
;
279 const struct xt_table_info
*private;
280 struct xt_action_param acpar
;
285 indev
= state
->in
? state
->in
->name
: nulldevname
;
286 outdev
= state
->out
? state
->out
->name
: nulldevname
;
287 /* We handle fragments by dealing with the first fragment as
288 * if it was a normal packet. All other fragments are treated
289 * normally, except that they will NEVER match rules that ask
290 * things we don't know, ie. tcp syn flag or ports). If the
291 * rule is also a fragment-specific rule, non-fragments won't
293 acpar
.hotdrop
= false;
296 IP_NF_ASSERT(table
->valid_hooks
& (1 << hook
));
299 addend
= xt_write_recseq_begin();
300 private = table
->private;
302 * Ensure we load private-> members after we've fetched the base
305 smp_read_barrier_depends();
306 cpu
= smp_processor_id();
307 table_base
= private->entries
;
308 jumpstack
= (struct ip6t_entry
**)private->jumpstack
[cpu
];
310 /* Switch to alternate jumpstack if we're being invoked via TEE.
311 * TEE issues XT_CONTINUE verdict on original skb so we must not
312 * clobber the jumpstack.
314 * For recursion via REJECT or SYNPROXY the stack will be clobbered
315 * but it is no problem since absolute verdict is issued by these.
317 if (static_key_false(&xt_tee_enabled
))
318 jumpstack
+= private->stacksize
* __this_cpu_read(nf_skb_duplicated
);
320 e
= get_entry(table_base
, private->hook_entry
[hook
]);
323 const struct xt_entry_target
*t
;
324 const struct xt_entry_match
*ematch
;
325 struct xt_counters
*counter
;
329 if (!ip6_packet_match(skb
, indev
, outdev
, &e
->ipv6
,
330 &acpar
.thoff
, &acpar
.fragoff
, &acpar
.hotdrop
)) {
332 e
= ip6t_next_entry(e
);
336 xt_ematch_foreach(ematch
, e
) {
337 acpar
.match
= ematch
->u
.kernel
.match
;
338 acpar
.matchinfo
= ematch
->data
;
339 if (!acpar
.match
->match(skb
, &acpar
))
343 counter
= xt_get_this_cpu_counter(&e
->counters
);
344 ADD_COUNTER(*counter
, skb
->len
, 1);
346 t
= ip6t_get_target_c(e
);
347 IP_NF_ASSERT(t
->u
.kernel
.target
);
349 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
350 /* The packet is traced: log it */
351 if (unlikely(skb
->nf_trace
))
352 trace_packet(state
->net
, skb
, hook
, state
->in
,
353 state
->out
, table
->name
, private, e
);
355 /* Standard target? */
356 if (!t
->u
.kernel
.target
->target
) {
359 v
= ((struct xt_standard_target
*)t
)->verdict
;
361 /* Pop from stack? */
362 if (v
!= XT_RETURN
) {
363 verdict
= (unsigned int)(-v
) - 1;
367 e
= get_entry(table_base
,
368 private->underflow
[hook
]);
370 e
= ip6t_next_entry(jumpstack
[--stackidx
]);
373 if (table_base
+ v
!= ip6t_next_entry(e
) &&
374 !(e
->ipv6
.flags
& IP6T_F_GOTO
)) {
375 jumpstack
[stackidx
++] = e
;
378 e
= get_entry(table_base
, v
);
382 acpar
.target
= t
->u
.kernel
.target
;
383 acpar
.targinfo
= t
->data
;
385 verdict
= t
->u
.kernel
.target
->target(skb
, &acpar
);
386 if (verdict
== XT_CONTINUE
)
387 e
= ip6t_next_entry(e
);
391 } while (!acpar
.hotdrop
);
393 xt_write_recseq_end(addend
);
401 /* Figures out from what hook each rule can be called: returns 0 if
402 there are loops. Puts hook bitmask in comefrom. */
404 mark_source_chains(const struct xt_table_info
*newinfo
,
405 unsigned int valid_hooks
, void *entry0
,
406 unsigned int *offsets
)
410 /* No recursion; use packet counter to save back ptrs (reset
411 to 0 as we leave), and comefrom to save source hook bitmask */
412 for (hook
= 0; hook
< NF_INET_NUMHOOKS
; hook
++) {
413 unsigned int pos
= newinfo
->hook_entry
[hook
];
414 struct ip6t_entry
*e
= (struct ip6t_entry
*)(entry0
+ pos
);
416 if (!(valid_hooks
& (1 << hook
)))
419 /* Set initial back pointer. */
420 e
->counters
.pcnt
= pos
;
423 const struct xt_standard_target
*t
424 = (void *)ip6t_get_target_c(e
);
425 int visited
= e
->comefrom
& (1 << hook
);
427 if (e
->comefrom
& (1 << NF_INET_NUMHOOKS
))
430 e
->comefrom
|= ((1 << hook
) | (1 << NF_INET_NUMHOOKS
));
432 /* Unconditional return/END. */
433 if ((unconditional(e
) &&
434 (strcmp(t
->target
.u
.user
.name
,
435 XT_STANDARD_TARGET
) == 0) &&
436 t
->verdict
< 0) || visited
) {
437 unsigned int oldpos
, size
;
439 if ((strcmp(t
->target
.u
.user
.name
,
440 XT_STANDARD_TARGET
) == 0) &&
441 t
->verdict
< -NF_MAX_VERDICT
- 1)
444 /* Return: backtrack through the last
447 e
->comefrom
^= (1<<NF_INET_NUMHOOKS
);
449 pos
= e
->counters
.pcnt
;
450 e
->counters
.pcnt
= 0;
452 /* We're at the start. */
456 e
= (struct ip6t_entry
*)
458 } while (oldpos
== pos
+ e
->next_offset
);
461 size
= e
->next_offset
;
462 e
= (struct ip6t_entry
*)
463 (entry0
+ pos
+ size
);
464 if (pos
+ size
>= newinfo
->size
)
466 e
->counters
.pcnt
= pos
;
469 int newpos
= t
->verdict
;
471 if (strcmp(t
->target
.u
.user
.name
,
472 XT_STANDARD_TARGET
) == 0 &&
474 /* This a jump; chase it. */
475 if (!xt_find_jump_offset(offsets
, newpos
,
478 e
= (struct ip6t_entry
*)
481 /* ... this is a fallthru */
482 newpos
= pos
+ e
->next_offset
;
483 if (newpos
>= newinfo
->size
)
486 e
= (struct ip6t_entry
*)
488 e
->counters
.pcnt
= pos
;
497 static void cleanup_match(struct xt_entry_match
*m
, struct net
*net
)
499 struct xt_mtdtor_param par
;
502 par
.match
= m
->u
.kernel
.match
;
503 par
.matchinfo
= m
->data
;
504 par
.family
= NFPROTO_IPV6
;
505 if (par
.match
->destroy
!= NULL
)
506 par
.match
->destroy(&par
);
507 module_put(par
.match
->me
);
510 static int check_match(struct xt_entry_match
*m
, struct xt_mtchk_param
*par
)
512 const struct ip6t_ip6
*ipv6
= par
->entryinfo
;
514 par
->match
= m
->u
.kernel
.match
;
515 par
->matchinfo
= m
->data
;
517 return xt_check_match(par
, m
->u
.match_size
- sizeof(*m
),
518 ipv6
->proto
, ipv6
->invflags
& IP6T_INV_PROTO
);
522 find_check_match(struct xt_entry_match
*m
, struct xt_mtchk_param
*par
)
524 struct xt_match
*match
;
527 match
= xt_request_find_match(NFPROTO_IPV6
, m
->u
.user
.name
,
530 return PTR_ERR(match
);
532 m
->u
.kernel
.match
= match
;
534 ret
= check_match(m
, par
);
540 module_put(m
->u
.kernel
.match
->me
);
544 static int check_target(struct ip6t_entry
*e
, struct net
*net
, const char *name
)
546 struct xt_entry_target
*t
= ip6t_get_target(e
);
547 struct xt_tgchk_param par
= {
551 .target
= t
->u
.kernel
.target
,
553 .hook_mask
= e
->comefrom
,
554 .family
= NFPROTO_IPV6
,
557 t
= ip6t_get_target(e
);
558 return xt_check_target(&par
, t
->u
.target_size
- sizeof(*t
),
560 e
->ipv6
.invflags
& IP6T_INV_PROTO
);
564 find_check_entry(struct ip6t_entry
*e
, struct net
*net
, const char *name
,
566 struct xt_percpu_counter_alloc_state
*alloc_state
)
568 struct xt_entry_target
*t
;
569 struct xt_target
*target
;
572 struct xt_mtchk_param mtpar
;
573 struct xt_entry_match
*ematch
;
575 if (!xt_percpu_counter_alloc(alloc_state
, &e
->counters
))
581 mtpar
.entryinfo
= &e
->ipv6
;
582 mtpar
.hook_mask
= e
->comefrom
;
583 mtpar
.family
= NFPROTO_IPV6
;
584 xt_ematch_foreach(ematch
, e
) {
585 ret
= find_check_match(ematch
, &mtpar
);
587 goto cleanup_matches
;
591 t
= ip6t_get_target(e
);
592 target
= xt_request_find_target(NFPROTO_IPV6
, t
->u
.user
.name
,
594 if (IS_ERR(target
)) {
595 ret
= PTR_ERR(target
);
596 goto cleanup_matches
;
598 t
->u
.kernel
.target
= target
;
600 ret
= check_target(e
, net
, name
);
605 module_put(t
->u
.kernel
.target
->me
);
607 xt_ematch_foreach(ematch
, e
) {
610 cleanup_match(ematch
, net
);
613 xt_percpu_counter_free(&e
->counters
);
618 static bool check_underflow(const struct ip6t_entry
*e
)
620 const struct xt_entry_target
*t
;
621 unsigned int verdict
;
623 if (!unconditional(e
))
625 t
= ip6t_get_target_c(e
);
626 if (strcmp(t
->u
.user
.name
, XT_STANDARD_TARGET
) != 0)
628 verdict
= ((struct xt_standard_target
*)t
)->verdict
;
629 verdict
= -verdict
- 1;
630 return verdict
== NF_DROP
|| verdict
== NF_ACCEPT
;
634 check_entry_size_and_hooks(struct ip6t_entry
*e
,
635 struct xt_table_info
*newinfo
,
636 const unsigned char *base
,
637 const unsigned char *limit
,
638 const unsigned int *hook_entries
,
639 const unsigned int *underflows
,
640 unsigned int valid_hooks
)
645 if ((unsigned long)e
% __alignof__(struct ip6t_entry
) != 0 ||
646 (unsigned char *)e
+ sizeof(struct ip6t_entry
) >= limit
||
647 (unsigned char *)e
+ e
->next_offset
> limit
)
651 < sizeof(struct ip6t_entry
) + sizeof(struct xt_entry_target
))
654 if (!ip6_checkentry(&e
->ipv6
))
657 err
= xt_check_entry_offsets(e
, e
->elems
, e
->target_offset
,
662 /* Check hooks & underflows */
663 for (h
= 0; h
< NF_INET_NUMHOOKS
; h
++) {
664 if (!(valid_hooks
& (1 << h
)))
666 if ((unsigned char *)e
- base
== hook_entries
[h
])
667 newinfo
->hook_entry
[h
] = hook_entries
[h
];
668 if ((unsigned char *)e
- base
== underflows
[h
]) {
669 if (!check_underflow(e
))
672 newinfo
->underflow
[h
] = underflows
[h
];
676 /* Clear counters and comefrom */
677 e
->counters
= ((struct xt_counters
) { 0, 0 });
682 static void cleanup_entry(struct ip6t_entry
*e
, struct net
*net
)
684 struct xt_tgdtor_param par
;
685 struct xt_entry_target
*t
;
686 struct xt_entry_match
*ematch
;
688 /* Cleanup all matches */
689 xt_ematch_foreach(ematch
, e
)
690 cleanup_match(ematch
, net
);
691 t
= ip6t_get_target(e
);
694 par
.target
= t
->u
.kernel
.target
;
695 par
.targinfo
= t
->data
;
696 par
.family
= NFPROTO_IPV6
;
697 if (par
.target
->destroy
!= NULL
)
698 par
.target
->destroy(&par
);
699 module_put(par
.target
->me
);
700 xt_percpu_counter_free(&e
->counters
);
703 /* Checks and translates the user-supplied table segment (held in
706 translate_table(struct net
*net
, struct xt_table_info
*newinfo
, void *entry0
,
707 const struct ip6t_replace
*repl
)
709 struct xt_percpu_counter_alloc_state alloc_state
= { 0 };
710 struct ip6t_entry
*iter
;
711 unsigned int *offsets
;
715 newinfo
->size
= repl
->size
;
716 newinfo
->number
= repl
->num_entries
;
718 /* Init all hooks to impossible value. */
719 for (i
= 0; i
< NF_INET_NUMHOOKS
; i
++) {
720 newinfo
->hook_entry
[i
] = 0xFFFFFFFF;
721 newinfo
->underflow
[i
] = 0xFFFFFFFF;
724 offsets
= xt_alloc_entry_offsets(newinfo
->number
);
728 /* Walk through entries, checking offsets. */
729 xt_entry_foreach(iter
, entry0
, newinfo
->size
) {
730 ret
= check_entry_size_and_hooks(iter
, newinfo
, entry0
,
737 if (i
< repl
->num_entries
)
738 offsets
[i
] = (void *)iter
- entry0
;
740 if (strcmp(ip6t_get_target(iter
)->u
.user
.name
,
741 XT_ERROR_TARGET
) == 0)
742 ++newinfo
->stacksize
;
746 if (i
!= repl
->num_entries
)
749 /* Check hooks all assigned */
750 for (i
= 0; i
< NF_INET_NUMHOOKS
; i
++) {
751 /* Only hooks which are valid */
752 if (!(repl
->valid_hooks
& (1 << i
)))
754 if (newinfo
->hook_entry
[i
] == 0xFFFFFFFF)
756 if (newinfo
->underflow
[i
] == 0xFFFFFFFF)
760 if (!mark_source_chains(newinfo
, repl
->valid_hooks
, entry0
, offsets
)) {
766 /* Finally, each sanity check must pass */
768 xt_entry_foreach(iter
, entry0
, newinfo
->size
) {
769 ret
= find_check_entry(iter
, net
, repl
->name
, repl
->size
,
777 xt_entry_foreach(iter
, entry0
, newinfo
->size
) {
780 cleanup_entry(iter
, net
);
792 get_counters(const struct xt_table_info
*t
,
793 struct xt_counters counters
[])
795 struct ip6t_entry
*iter
;
799 for_each_possible_cpu(cpu
) {
800 seqcount_t
*s
= &per_cpu(xt_recseq
, cpu
);
803 xt_entry_foreach(iter
, t
->entries
, t
->size
) {
804 struct xt_counters
*tmp
;
808 tmp
= xt_get_per_cpu_counter(&iter
->counters
, cpu
);
810 start
= read_seqcount_begin(s
);
813 } while (read_seqcount_retry(s
, start
));
815 ADD_COUNTER(counters
[i
], bcnt
, pcnt
);
821 static struct xt_counters
*alloc_counters(const struct xt_table
*table
)
823 unsigned int countersize
;
824 struct xt_counters
*counters
;
825 const struct xt_table_info
*private = table
->private;
827 /* We need atomic snapshot of counters: rest doesn't change
828 (other than comefrom, which userspace doesn't care
830 countersize
= sizeof(struct xt_counters
) * private->number
;
831 counters
= vzalloc(countersize
);
833 if (counters
== NULL
)
834 return ERR_PTR(-ENOMEM
);
836 get_counters(private, counters
);
842 copy_entries_to_user(unsigned int total_size
,
843 const struct xt_table
*table
,
844 void __user
*userptr
)
846 unsigned int off
, num
;
847 const struct ip6t_entry
*e
;
848 struct xt_counters
*counters
;
849 const struct xt_table_info
*private = table
->private;
851 const void *loc_cpu_entry
;
853 counters
= alloc_counters(table
);
854 if (IS_ERR(counters
))
855 return PTR_ERR(counters
);
857 loc_cpu_entry
= private->entries
;
859 /* FIXME: use iterator macros --RR */
860 /* ... then go back and fix counters and names */
861 for (off
= 0, num
= 0; off
< total_size
; off
+= e
->next_offset
, num
++){
863 const struct xt_entry_match
*m
;
864 const struct xt_entry_target
*t
;
866 e
= (struct ip6t_entry
*)(loc_cpu_entry
+ off
);
867 if (copy_to_user(userptr
+ off
, e
, sizeof(*e
))) {
871 if (copy_to_user(userptr
+ off
872 + offsetof(struct ip6t_entry
, counters
),
874 sizeof(counters
[num
])) != 0) {
879 for (i
= sizeof(struct ip6t_entry
);
880 i
< e
->target_offset
;
881 i
+= m
->u
.match_size
) {
884 if (xt_match_to_user(m
, userptr
+ off
+ i
)) {
890 t
= ip6t_get_target_c(e
);
891 if (xt_target_to_user(t
, userptr
+ off
+ e
->target_offset
)) {
903 static void compat_standard_from_user(void *dst
, const void *src
)
905 int v
= *(compat_int_t
*)src
;
908 v
+= xt_compat_calc_jump(AF_INET6
, v
);
909 memcpy(dst
, &v
, sizeof(v
));
912 static int compat_standard_to_user(void __user
*dst
, const void *src
)
914 compat_int_t cv
= *(int *)src
;
917 cv
-= xt_compat_calc_jump(AF_INET6
, cv
);
918 return copy_to_user(dst
, &cv
, sizeof(cv
)) ? -EFAULT
: 0;
921 static int compat_calc_entry(const struct ip6t_entry
*e
,
922 const struct xt_table_info
*info
,
923 const void *base
, struct xt_table_info
*newinfo
)
925 const struct xt_entry_match
*ematch
;
926 const struct xt_entry_target
*t
;
927 unsigned int entry_offset
;
930 off
= sizeof(struct ip6t_entry
) - sizeof(struct compat_ip6t_entry
);
931 entry_offset
= (void *)e
- base
;
932 xt_ematch_foreach(ematch
, e
)
933 off
+= xt_compat_match_offset(ematch
->u
.kernel
.match
);
934 t
= ip6t_get_target_c(e
);
935 off
+= xt_compat_target_offset(t
->u
.kernel
.target
);
936 newinfo
->size
-= off
;
937 ret
= xt_compat_add_offset(AF_INET6
, entry_offset
, off
);
941 for (i
= 0; i
< NF_INET_NUMHOOKS
; i
++) {
942 if (info
->hook_entry
[i
] &&
943 (e
< (struct ip6t_entry
*)(base
+ info
->hook_entry
[i
])))
944 newinfo
->hook_entry
[i
] -= off
;
945 if (info
->underflow
[i
] &&
946 (e
< (struct ip6t_entry
*)(base
+ info
->underflow
[i
])))
947 newinfo
->underflow
[i
] -= off
;
952 static int compat_table_info(const struct xt_table_info
*info
,
953 struct xt_table_info
*newinfo
)
955 struct ip6t_entry
*iter
;
956 const void *loc_cpu_entry
;
959 if (!newinfo
|| !info
)
962 /* we dont care about newinfo->entries */
963 memcpy(newinfo
, info
, offsetof(struct xt_table_info
, entries
));
964 newinfo
->initial_entries
= 0;
965 loc_cpu_entry
= info
->entries
;
966 xt_compat_init_offsets(AF_INET6
, info
->number
);
967 xt_entry_foreach(iter
, loc_cpu_entry
, info
->size
) {
968 ret
= compat_calc_entry(iter
, info
, loc_cpu_entry
, newinfo
);
976 static int get_info(struct net
*net
, void __user
*user
,
977 const int *len
, int compat
)
979 char name
[XT_TABLE_MAXNAMELEN
];
983 if (*len
!= sizeof(struct ip6t_getinfo
))
986 if (copy_from_user(name
, user
, sizeof(name
)) != 0)
989 name
[XT_TABLE_MAXNAMELEN
-1] = '\0';
992 xt_compat_lock(AF_INET6
);
994 t
= try_then_request_module(xt_find_table_lock(net
, AF_INET6
, name
),
995 "ip6table_%s", name
);
997 struct ip6t_getinfo info
;
998 const struct xt_table_info
*private = t
->private;
1000 struct xt_table_info tmp
;
1003 ret
= compat_table_info(private, &tmp
);
1004 xt_compat_flush_offsets(AF_INET6
);
1008 memset(&info
, 0, sizeof(info
));
1009 info
.valid_hooks
= t
->valid_hooks
;
1010 memcpy(info
.hook_entry
, private->hook_entry
,
1011 sizeof(info
.hook_entry
));
1012 memcpy(info
.underflow
, private->underflow
,
1013 sizeof(info
.underflow
));
1014 info
.num_entries
= private->number
;
1015 info
.size
= private->size
;
1016 strcpy(info
.name
, name
);
1018 if (copy_to_user(user
, &info
, *len
) != 0)
1027 #ifdef CONFIG_COMPAT
1029 xt_compat_unlock(AF_INET6
);
1035 get_entries(struct net
*net
, struct ip6t_get_entries __user
*uptr
,
1039 struct ip6t_get_entries get
;
1042 if (*len
< sizeof(get
))
1044 if (copy_from_user(&get
, uptr
, sizeof(get
)) != 0)
1046 if (*len
!= sizeof(struct ip6t_get_entries
) + get
.size
)
1049 get
.name
[sizeof(get
.name
) - 1] = '\0';
1051 t
= xt_find_table_lock(net
, AF_INET6
, get
.name
);
1053 struct xt_table_info
*private = t
->private;
1054 if (get
.size
== private->size
)
1055 ret
= copy_entries_to_user(private->size
,
1056 t
, uptr
->entrytable
);
1069 __do_replace(struct net
*net
, const char *name
, unsigned int valid_hooks
,
1070 struct xt_table_info
*newinfo
, unsigned int num_counters
,
1071 void __user
*counters_ptr
)
1075 struct xt_table_info
*oldinfo
;
1076 struct xt_counters
*counters
;
1077 struct ip6t_entry
*iter
;
1080 counters
= vzalloc(num_counters
* sizeof(struct xt_counters
));
1086 t
= try_then_request_module(xt_find_table_lock(net
, AF_INET6
, name
),
1087 "ip6table_%s", name
);
1090 goto free_newinfo_counters_untrans
;
1094 if (valid_hooks
!= t
->valid_hooks
) {
1099 oldinfo
= xt_replace_table(t
, num_counters
, newinfo
, &ret
);
1103 /* Update module usage count based on number of rules */
1104 if ((oldinfo
->number
> oldinfo
->initial_entries
) ||
1105 (newinfo
->number
<= oldinfo
->initial_entries
))
1107 if ((oldinfo
->number
> oldinfo
->initial_entries
) &&
1108 (newinfo
->number
<= oldinfo
->initial_entries
))
1111 /* Get the old counters, and synchronize with replace */
1112 get_counters(oldinfo
, counters
);
1114 /* Decrease module usage counts and free resource */
1115 xt_entry_foreach(iter
, oldinfo
->entries
, oldinfo
->size
)
1116 cleanup_entry(iter
, net
);
1118 xt_free_table_info(oldinfo
);
1119 if (copy_to_user(counters_ptr
, counters
,
1120 sizeof(struct xt_counters
) * num_counters
) != 0) {
1121 /* Silent error, can't fail, new table is already in place */
1122 net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
1131 free_newinfo_counters_untrans
:
1138 do_replace(struct net
*net
, const void __user
*user
, unsigned int len
)
1141 struct ip6t_replace tmp
;
1142 struct xt_table_info
*newinfo
;
1143 void *loc_cpu_entry
;
1144 struct ip6t_entry
*iter
;
1146 if (copy_from_user(&tmp
, user
, sizeof(tmp
)) != 0)
1149 /* overflow check */
1150 if (tmp
.num_counters
>= INT_MAX
/ sizeof(struct xt_counters
))
1152 if (tmp
.num_counters
== 0)
1155 tmp
.name
[sizeof(tmp
.name
)-1] = 0;
1157 newinfo
= xt_alloc_table_info(tmp
.size
);
1161 loc_cpu_entry
= newinfo
->entries
;
1162 if (copy_from_user(loc_cpu_entry
, user
+ sizeof(tmp
),
1168 ret
= translate_table(net
, newinfo
, loc_cpu_entry
, &tmp
);
1172 ret
= __do_replace(net
, tmp
.name
, tmp
.valid_hooks
, newinfo
,
1173 tmp
.num_counters
, tmp
.counters
);
1175 goto free_newinfo_untrans
;
1178 free_newinfo_untrans
:
1179 xt_entry_foreach(iter
, loc_cpu_entry
, newinfo
->size
)
1180 cleanup_entry(iter
, net
);
1182 xt_free_table_info(newinfo
);
1187 do_add_counters(struct net
*net
, const void __user
*user
, unsigned int len
,
1191 struct xt_counters_info tmp
;
1192 struct xt_counters
*paddc
;
1194 const struct xt_table_info
*private;
1196 struct ip6t_entry
*iter
;
1197 unsigned int addend
;
1199 paddc
= xt_copy_counters_from_user(user
, len
, &tmp
, compat
);
1201 return PTR_ERR(paddc
);
1202 t
= xt_find_table_lock(net
, AF_INET6
, tmp
.name
);
1209 private = t
->private;
1210 if (private->number
!= tmp
.num_counters
) {
1212 goto unlock_up_free
;
1216 addend
= xt_write_recseq_begin();
1217 xt_entry_foreach(iter
, private->entries
, private->size
) {
1218 struct xt_counters
*tmp
;
1220 tmp
= xt_get_this_cpu_counter(&iter
->counters
);
1221 ADD_COUNTER(*tmp
, paddc
[i
].bcnt
, paddc
[i
].pcnt
);
1224 xt_write_recseq_end(addend
);
1235 #ifdef CONFIG_COMPAT
1236 struct compat_ip6t_replace
{
1237 char name
[XT_TABLE_MAXNAMELEN
];
1241 u32 hook_entry
[NF_INET_NUMHOOKS
];
1242 u32 underflow
[NF_INET_NUMHOOKS
];
1244 compat_uptr_t counters
; /* struct xt_counters * */
1245 struct compat_ip6t_entry entries
[0];
1249 compat_copy_entry_to_user(struct ip6t_entry
*e
, void __user
**dstptr
,
1250 unsigned int *size
, struct xt_counters
*counters
,
1253 struct xt_entry_target
*t
;
1254 struct compat_ip6t_entry __user
*ce
;
1255 u_int16_t target_offset
, next_offset
;
1256 compat_uint_t origsize
;
1257 const struct xt_entry_match
*ematch
;
1261 ce
= (struct compat_ip6t_entry __user
*)*dstptr
;
1262 if (copy_to_user(ce
, e
, sizeof(struct ip6t_entry
)) != 0 ||
1263 copy_to_user(&ce
->counters
, &counters
[i
],
1264 sizeof(counters
[i
])) != 0)
1267 *dstptr
+= sizeof(struct compat_ip6t_entry
);
1268 *size
-= sizeof(struct ip6t_entry
) - sizeof(struct compat_ip6t_entry
);
1270 xt_ematch_foreach(ematch
, e
) {
1271 ret
= xt_compat_match_to_user(ematch
, dstptr
, size
);
1275 target_offset
= e
->target_offset
- (origsize
- *size
);
1276 t
= ip6t_get_target(e
);
1277 ret
= xt_compat_target_to_user(t
, dstptr
, size
);
1280 next_offset
= e
->next_offset
- (origsize
- *size
);
1281 if (put_user(target_offset
, &ce
->target_offset
) != 0 ||
1282 put_user(next_offset
, &ce
->next_offset
) != 0)
1288 compat_find_calc_match(struct xt_entry_match
*m
,
1289 const struct ip6t_ip6
*ipv6
,
1292 struct xt_match
*match
;
1294 match
= xt_request_find_match(NFPROTO_IPV6
, m
->u
.user
.name
,
1295 m
->u
.user
.revision
);
1297 return PTR_ERR(match
);
1299 m
->u
.kernel
.match
= match
;
1300 *size
+= xt_compat_match_offset(match
);
1304 static void compat_release_entry(struct compat_ip6t_entry
*e
)
1306 struct xt_entry_target
*t
;
1307 struct xt_entry_match
*ematch
;
1309 /* Cleanup all matches */
1310 xt_ematch_foreach(ematch
, e
)
1311 module_put(ematch
->u
.kernel
.match
->me
);
1312 t
= compat_ip6t_get_target(e
);
1313 module_put(t
->u
.kernel
.target
->me
);
1317 check_compat_entry_size_and_hooks(struct compat_ip6t_entry
*e
,
1318 struct xt_table_info
*newinfo
,
1320 const unsigned char *base
,
1321 const unsigned char *limit
)
1323 struct xt_entry_match
*ematch
;
1324 struct xt_entry_target
*t
;
1325 struct xt_target
*target
;
1326 unsigned int entry_offset
;
1330 if ((unsigned long)e
% __alignof__(struct compat_ip6t_entry
) != 0 ||
1331 (unsigned char *)e
+ sizeof(struct compat_ip6t_entry
) >= limit
||
1332 (unsigned char *)e
+ e
->next_offset
> limit
)
1335 if (e
->next_offset
< sizeof(struct compat_ip6t_entry
) +
1336 sizeof(struct compat_xt_entry_target
))
1339 if (!ip6_checkentry(&e
->ipv6
))
1342 ret
= xt_compat_check_entry_offsets(e
, e
->elems
,
1343 e
->target_offset
, e
->next_offset
);
1347 off
= sizeof(struct ip6t_entry
) - sizeof(struct compat_ip6t_entry
);
1348 entry_offset
= (void *)e
- (void *)base
;
1350 xt_ematch_foreach(ematch
, e
) {
1351 ret
= compat_find_calc_match(ematch
, &e
->ipv6
, &off
);
1353 goto release_matches
;
1357 t
= compat_ip6t_get_target(e
);
1358 target
= xt_request_find_target(NFPROTO_IPV6
, t
->u
.user
.name
,
1359 t
->u
.user
.revision
);
1360 if (IS_ERR(target
)) {
1361 ret
= PTR_ERR(target
);
1362 goto release_matches
;
1364 t
->u
.kernel
.target
= target
;
1366 off
+= xt_compat_target_offset(target
);
1368 ret
= xt_compat_add_offset(AF_INET6
, entry_offset
, off
);
1375 module_put(t
->u
.kernel
.target
->me
);
1377 xt_ematch_foreach(ematch
, e
) {
1380 module_put(ematch
->u
.kernel
.match
->me
);
1386 compat_copy_entry_from_user(struct compat_ip6t_entry
*e
, void **dstptr
,
1388 struct xt_table_info
*newinfo
, unsigned char *base
)
1390 struct xt_entry_target
*t
;
1391 struct ip6t_entry
*de
;
1392 unsigned int origsize
;
1394 struct xt_entry_match
*ematch
;
1397 de
= (struct ip6t_entry
*)*dstptr
;
1398 memcpy(de
, e
, sizeof(struct ip6t_entry
));
1399 memcpy(&de
->counters
, &e
->counters
, sizeof(e
->counters
));
1401 *dstptr
+= sizeof(struct ip6t_entry
);
1402 *size
+= sizeof(struct ip6t_entry
) - sizeof(struct compat_ip6t_entry
);
1404 xt_ematch_foreach(ematch
, e
)
1405 xt_compat_match_from_user(ematch
, dstptr
, size
);
1407 de
->target_offset
= e
->target_offset
- (origsize
- *size
);
1408 t
= compat_ip6t_get_target(e
);
1409 xt_compat_target_from_user(t
, dstptr
, size
);
1411 de
->next_offset
= e
->next_offset
- (origsize
- *size
);
1412 for (h
= 0; h
< NF_INET_NUMHOOKS
; h
++) {
1413 if ((unsigned char *)de
- base
< newinfo
->hook_entry
[h
])
1414 newinfo
->hook_entry
[h
] -= origsize
- *size
;
1415 if ((unsigned char *)de
- base
< newinfo
->underflow
[h
])
1416 newinfo
->underflow
[h
] -= origsize
- *size
;
1421 translate_compat_table(struct net
*net
,
1422 struct xt_table_info
**pinfo
,
1424 const struct compat_ip6t_replace
*compatr
)
1427 struct xt_table_info
*newinfo
, *info
;
1428 void *pos
, *entry0
, *entry1
;
1429 struct compat_ip6t_entry
*iter0
;
1430 struct ip6t_replace repl
;
1436 size
= compatr
->size
;
1437 info
->number
= compatr
->num_entries
;
1440 xt_compat_lock(AF_INET6
);
1441 xt_compat_init_offsets(AF_INET6
, compatr
->num_entries
);
1442 /* Walk through entries, checking offsets. */
1443 xt_entry_foreach(iter0
, entry0
, compatr
->size
) {
1444 ret
= check_compat_entry_size_and_hooks(iter0
, info
, &size
,
1446 entry0
+ compatr
->size
);
1453 if (j
!= compatr
->num_entries
)
1457 newinfo
= xt_alloc_table_info(size
);
1461 newinfo
->number
= compatr
->num_entries
;
1462 for (i
= 0; i
< NF_INET_NUMHOOKS
; i
++) {
1463 newinfo
->hook_entry
[i
] = compatr
->hook_entry
[i
];
1464 newinfo
->underflow
[i
] = compatr
->underflow
[i
];
1466 entry1
= newinfo
->entries
;
1468 size
= compatr
->size
;
1469 xt_entry_foreach(iter0
, entry0
, compatr
->size
)
1470 compat_copy_entry_from_user(iter0
, &pos
, &size
,
1473 /* all module references in entry0 are now gone. */
1474 xt_compat_flush_offsets(AF_INET6
);
1475 xt_compat_unlock(AF_INET6
);
1477 memcpy(&repl
, compatr
, sizeof(*compatr
));
1479 for (i
= 0; i
< NF_INET_NUMHOOKS
; i
++) {
1480 repl
.hook_entry
[i
] = newinfo
->hook_entry
[i
];
1481 repl
.underflow
[i
] = newinfo
->underflow
[i
];
1484 repl
.num_counters
= 0;
1485 repl
.counters
= NULL
;
1486 repl
.size
= newinfo
->size
;
1487 ret
= translate_table(net
, newinfo
, entry1
, &repl
);
1493 xt_free_table_info(info
);
1497 xt_free_table_info(newinfo
);
1500 xt_compat_flush_offsets(AF_INET6
);
1501 xt_compat_unlock(AF_INET6
);
1502 xt_entry_foreach(iter0
, entry0
, compatr
->size
) {
1505 compat_release_entry(iter0
);
1511 compat_do_replace(struct net
*net
, void __user
*user
, unsigned int len
)
1514 struct compat_ip6t_replace tmp
;
1515 struct xt_table_info
*newinfo
;
1516 void *loc_cpu_entry
;
1517 struct ip6t_entry
*iter
;
1519 if (copy_from_user(&tmp
, user
, sizeof(tmp
)) != 0)
1522 /* overflow check */
1523 if (tmp
.num_counters
>= INT_MAX
/ sizeof(struct xt_counters
))
1525 if (tmp
.num_counters
== 0)
1528 tmp
.name
[sizeof(tmp
.name
)-1] = 0;
1530 newinfo
= xt_alloc_table_info(tmp
.size
);
1534 loc_cpu_entry
= newinfo
->entries
;
1535 if (copy_from_user(loc_cpu_entry
, user
+ sizeof(tmp
),
1541 ret
= translate_compat_table(net
, &newinfo
, &loc_cpu_entry
, &tmp
);
1545 ret
= __do_replace(net
, tmp
.name
, tmp
.valid_hooks
, newinfo
,
1546 tmp
.num_counters
, compat_ptr(tmp
.counters
));
1548 goto free_newinfo_untrans
;
1551 free_newinfo_untrans
:
1552 xt_entry_foreach(iter
, loc_cpu_entry
, newinfo
->size
)
1553 cleanup_entry(iter
, net
);
1555 xt_free_table_info(newinfo
);
1560 compat_do_ip6t_set_ctl(struct sock
*sk
, int cmd
, void __user
*user
,
1565 if (!ns_capable(sock_net(sk
)->user_ns
, CAP_NET_ADMIN
))
1569 case IP6T_SO_SET_REPLACE
:
1570 ret
= compat_do_replace(sock_net(sk
), user
, len
);
1573 case IP6T_SO_SET_ADD_COUNTERS
:
1574 ret
= do_add_counters(sock_net(sk
), user
, len
, 1);
1584 struct compat_ip6t_get_entries
{
1585 char name
[XT_TABLE_MAXNAMELEN
];
1587 struct compat_ip6t_entry entrytable
[0];
1591 compat_copy_entries_to_user(unsigned int total_size
, struct xt_table
*table
,
1592 void __user
*userptr
)
1594 struct xt_counters
*counters
;
1595 const struct xt_table_info
*private = table
->private;
1600 struct ip6t_entry
*iter
;
1602 counters
= alloc_counters(table
);
1603 if (IS_ERR(counters
))
1604 return PTR_ERR(counters
);
1608 xt_entry_foreach(iter
, private->entries
, total_size
) {
1609 ret
= compat_copy_entry_to_user(iter
, &pos
,
1610 &size
, counters
, i
++);
1620 compat_get_entries(struct net
*net
, struct compat_ip6t_get_entries __user
*uptr
,
1624 struct compat_ip6t_get_entries get
;
1627 if (*len
< sizeof(get
))
1630 if (copy_from_user(&get
, uptr
, sizeof(get
)) != 0)
1633 if (*len
!= sizeof(struct compat_ip6t_get_entries
) + get
.size
)
1636 get
.name
[sizeof(get
.name
) - 1] = '\0';
1638 xt_compat_lock(AF_INET6
);
1639 t
= xt_find_table_lock(net
, AF_INET6
, get
.name
);
1641 const struct xt_table_info
*private = t
->private;
1642 struct xt_table_info info
;
1643 ret
= compat_table_info(private, &info
);
1644 if (!ret
&& get
.size
== info
.size
)
1645 ret
= compat_copy_entries_to_user(private->size
,
1646 t
, uptr
->entrytable
);
1650 xt_compat_flush_offsets(AF_INET6
);
1656 xt_compat_unlock(AF_INET6
);
1660 static int do_ip6t_get_ctl(struct sock
*, int, void __user
*, int *);
1663 compat_do_ip6t_get_ctl(struct sock
*sk
, int cmd
, void __user
*user
, int *len
)
1667 if (!ns_capable(sock_net(sk
)->user_ns
, CAP_NET_ADMIN
))
1671 case IP6T_SO_GET_INFO
:
1672 ret
= get_info(sock_net(sk
), user
, len
, 1);
1674 case IP6T_SO_GET_ENTRIES
:
1675 ret
= compat_get_entries(sock_net(sk
), user
, len
);
1678 ret
= do_ip6t_get_ctl(sk
, cmd
, user
, len
);
1685 do_ip6t_set_ctl(struct sock
*sk
, int cmd
, void __user
*user
, unsigned int len
)
1689 if (!ns_capable(sock_net(sk
)->user_ns
, CAP_NET_ADMIN
))
1693 case IP6T_SO_SET_REPLACE
:
1694 ret
= do_replace(sock_net(sk
), user
, len
);
1697 case IP6T_SO_SET_ADD_COUNTERS
:
1698 ret
= do_add_counters(sock_net(sk
), user
, len
, 0);
1709 do_ip6t_get_ctl(struct sock
*sk
, int cmd
, void __user
*user
, int *len
)
1713 if (!ns_capable(sock_net(sk
)->user_ns
, CAP_NET_ADMIN
))
1717 case IP6T_SO_GET_INFO
:
1718 ret
= get_info(sock_net(sk
), user
, len
, 0);
1721 case IP6T_SO_GET_ENTRIES
:
1722 ret
= get_entries(sock_net(sk
), user
, len
);
1725 case IP6T_SO_GET_REVISION_MATCH
:
1726 case IP6T_SO_GET_REVISION_TARGET
: {
1727 struct xt_get_revision rev
;
1730 if (*len
!= sizeof(rev
)) {
1734 if (copy_from_user(&rev
, user
, sizeof(rev
)) != 0) {
1738 rev
.name
[sizeof(rev
.name
)-1] = 0;
1740 if (cmd
== IP6T_SO_GET_REVISION_TARGET
)
1745 try_then_request_module(xt_find_revision(AF_INET6
, rev
.name
,
1748 "ip6t_%s", rev
.name
);
1759 static void __ip6t_unregister_table(struct net
*net
, struct xt_table
*table
)
1761 struct xt_table_info
*private;
1762 void *loc_cpu_entry
;
1763 struct module
*table_owner
= table
->me
;
1764 struct ip6t_entry
*iter
;
1766 private = xt_unregister_table(table
);
1768 /* Decrease module usage counts and free resources */
1769 loc_cpu_entry
= private->entries
;
1770 xt_entry_foreach(iter
, loc_cpu_entry
, private->size
)
1771 cleanup_entry(iter
, net
);
1772 if (private->number
> private->initial_entries
)
1773 module_put(table_owner
);
1774 xt_free_table_info(private);
1777 int ip6t_register_table(struct net
*net
, const struct xt_table
*table
,
1778 const struct ip6t_replace
*repl
,
1779 const struct nf_hook_ops
*ops
,
1780 struct xt_table
**res
)
1783 struct xt_table_info
*newinfo
;
1784 struct xt_table_info bootstrap
= {0};
1785 void *loc_cpu_entry
;
1786 struct xt_table
*new_table
;
1788 newinfo
= xt_alloc_table_info(repl
->size
);
1792 loc_cpu_entry
= newinfo
->entries
;
1793 memcpy(loc_cpu_entry
, repl
->entries
, repl
->size
);
1795 ret
= translate_table(net
, newinfo
, loc_cpu_entry
, repl
);
1799 new_table
= xt_register_table(net
, table
, &bootstrap
, newinfo
);
1800 if (IS_ERR(new_table
)) {
1801 ret
= PTR_ERR(new_table
);
1805 /* set res now, will see skbs right after nf_register_net_hooks */
1806 WRITE_ONCE(*res
, new_table
);
1808 ret
= nf_register_net_hooks(net
, ops
, hweight32(table
->valid_hooks
));
1810 __ip6t_unregister_table(net
, new_table
);
1817 xt_free_table_info(newinfo
);
1821 void ip6t_unregister_table(struct net
*net
, struct xt_table
*table
,
1822 const struct nf_hook_ops
*ops
)
1824 nf_unregister_net_hooks(net
, ops
, hweight32(table
->valid_hooks
));
1825 __ip6t_unregister_table(net
, table
);
1828 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
1830 icmp6_type_code_match(u_int8_t test_type
, u_int8_t min_code
, u_int8_t max_code
,
1831 u_int8_t type
, u_int8_t code
,
1834 return (type
== test_type
&& code
>= min_code
&& code
<= max_code
)
1839 icmp6_match(const struct sk_buff
*skb
, struct xt_action_param
*par
)
1841 const struct icmp6hdr
*ic
;
1842 struct icmp6hdr _icmph
;
1843 const struct ip6t_icmp
*icmpinfo
= par
->matchinfo
;
1845 /* Must not be a fragment. */
1846 if (par
->fragoff
!= 0)
1849 ic
= skb_header_pointer(skb
, par
->thoff
, sizeof(_icmph
), &_icmph
);
1851 /* We've been asked to examine this packet, and we
1852 * can't. Hence, no choice but to drop.
1854 par
->hotdrop
= true;
1858 return icmp6_type_code_match(icmpinfo
->type
,
1861 ic
->icmp6_type
, ic
->icmp6_code
,
1862 !!(icmpinfo
->invflags
&IP6T_ICMP_INV
));
1865 /* Called when user tries to insert an entry of this type. */
1866 static int icmp6_checkentry(const struct xt_mtchk_param
*par
)
1868 const struct ip6t_icmp
*icmpinfo
= par
->matchinfo
;
1870 /* Must specify no unknown invflags */
1871 return (icmpinfo
->invflags
& ~IP6T_ICMP_INV
) ? -EINVAL
: 0;
1874 /* The built-in targets: standard (NULL) and error. */
1875 static struct xt_target ip6t_builtin_tg
[] __read_mostly
= {
1877 .name
= XT_STANDARD_TARGET
,
1878 .targetsize
= sizeof(int),
1879 .family
= NFPROTO_IPV6
,
1880 #ifdef CONFIG_COMPAT
1881 .compatsize
= sizeof(compat_int_t
),
1882 .compat_from_user
= compat_standard_from_user
,
1883 .compat_to_user
= compat_standard_to_user
,
1887 .name
= XT_ERROR_TARGET
,
1888 .target
= ip6t_error
,
1889 .targetsize
= XT_FUNCTION_MAXNAMELEN
,
1890 .family
= NFPROTO_IPV6
,
1894 static struct nf_sockopt_ops ip6t_sockopts
= {
1896 .set_optmin
= IP6T_BASE_CTL
,
1897 .set_optmax
= IP6T_SO_SET_MAX
+1,
1898 .set
= do_ip6t_set_ctl
,
1899 #ifdef CONFIG_COMPAT
1900 .compat_set
= compat_do_ip6t_set_ctl
,
1902 .get_optmin
= IP6T_BASE_CTL
,
1903 .get_optmax
= IP6T_SO_GET_MAX
+1,
1904 .get
= do_ip6t_get_ctl
,
1905 #ifdef CONFIG_COMPAT
1906 .compat_get
= compat_do_ip6t_get_ctl
,
1908 .owner
= THIS_MODULE
,
1911 static struct xt_match ip6t_builtin_mt
[] __read_mostly
= {
1914 .match
= icmp6_match
,
1915 .matchsize
= sizeof(struct ip6t_icmp
),
1916 .checkentry
= icmp6_checkentry
,
1917 .proto
= IPPROTO_ICMPV6
,
1918 .family
= NFPROTO_IPV6
,
1922 static int __net_init
ip6_tables_net_init(struct net
*net
)
1924 return xt_proto_init(net
, NFPROTO_IPV6
);
1927 static void __net_exit
ip6_tables_net_exit(struct net
*net
)
1929 xt_proto_fini(net
, NFPROTO_IPV6
);
1932 static struct pernet_operations ip6_tables_net_ops
= {
1933 .init
= ip6_tables_net_init
,
1934 .exit
= ip6_tables_net_exit
,
1937 static int __init
ip6_tables_init(void)
1941 ret
= register_pernet_subsys(&ip6_tables_net_ops
);
1945 /* No one else will be downing sem now, so we won't sleep */
1946 ret
= xt_register_targets(ip6t_builtin_tg
, ARRAY_SIZE(ip6t_builtin_tg
));
1949 ret
= xt_register_matches(ip6t_builtin_mt
, ARRAY_SIZE(ip6t_builtin_mt
));
1953 /* Register setsockopt */
1954 ret
= nf_register_sockopt(&ip6t_sockopts
);
1958 pr_info("(C) 2000-2006 Netfilter Core Team\n");
1962 xt_unregister_matches(ip6t_builtin_mt
, ARRAY_SIZE(ip6t_builtin_mt
));
1964 xt_unregister_targets(ip6t_builtin_tg
, ARRAY_SIZE(ip6t_builtin_tg
));
1966 unregister_pernet_subsys(&ip6_tables_net_ops
);
1971 static void __exit
ip6_tables_fini(void)
1973 nf_unregister_sockopt(&ip6t_sockopts
);
1975 xt_unregister_matches(ip6t_builtin_mt
, ARRAY_SIZE(ip6t_builtin_mt
));
1976 xt_unregister_targets(ip6t_builtin_tg
, ARRAY_SIZE(ip6t_builtin_tg
));
1977 unregister_pernet_subsys(&ip6_tables_net_ops
);
1980 EXPORT_SYMBOL(ip6t_register_table
);
1981 EXPORT_SYMBOL(ip6t_unregister_table
);
1982 EXPORT_SYMBOL(ip6t_do_table
);
1984 module_init(ip6_tables_init
);
1985 module_exit(ip6_tables_fini
);