2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * 19 Jan 2002 Harald Welte <laforge@gnumonks.org>
12 * - increase module usage count as soon as we have rules inside
14 * 06 Jun 2002 Andras Kis-Szabo <kisza@sch.bme.hu>
15 * - new extension header parser code
16 * 15 Oct 2005 Harald Welte <laforge@netfilter.org>
17 * - Unification of {ip,ip6}_tables into x_tables
18 * - Removed tcp and udp code, since it's not ipv6 specific
21 #include <linux/capability.h>
23 #include <linux/skbuff.h>
24 #include <linux/kmod.h>
25 #include <linux/vmalloc.h>
26 #include <linux/netdevice.h>
27 #include <linux/module.h>
28 #include <linux/poison.h>
29 #include <linux/icmpv6.h>
31 #include <asm/uaccess.h>
32 #include <linux/mutex.h>
33 #include <linux/proc_fs.h>
34 #include <linux/cpumask.h>
36 #include <linux/netfilter_ipv6/ip6_tables.h>
37 #include <linux/netfilter/x_tables.h>
39 MODULE_LICENSE("GPL");
40 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
41 MODULE_DESCRIPTION("IPv6 packet filter");
43 #define IPV6_HDR_LEN (sizeof(struct ipv6hdr))
44 #define IPV6_OPTHDR_LEN (sizeof(struct ipv6_opt_hdr))
46 /*#define DEBUG_IP_FIREWALL*/
47 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
48 /*#define DEBUG_IP_FIREWALL_USER*/
50 #ifdef DEBUG_IP_FIREWALL
51 #define dprintf(format, args...) printk(format , ## args)
53 #define dprintf(format, args...)
56 #ifdef DEBUG_IP_FIREWALL_USER
57 #define duprintf(format, args...) printk(format , ## args)
59 #define duprintf(format, args...)
62 #ifdef CONFIG_NETFILTER_DEBUG
63 #define IP_NF_ASSERT(x) \
66 printk("IP_NF_ASSERT: %s:%s:%u\n", \
67 __FUNCTION__, __FILE__, __LINE__); \
70 #define IP_NF_ASSERT(x)
74 /* All the better to debug you with... */
80 We keep a set of rules for each CPU, so we can avoid write-locking
81 them in the softirq when updating the counters and therefore
82 only need to read-lock in the softirq; doing a write_lock_bh() in user
83 context stops packets coming through and allows user context to read
84 the counters or update the rules.
86 Hence the start of any table is given by get_table() below. */
89 #define down(x) do { printk("DOWN:%u:" #x "\n", __LINE__); down(x); } while(0)
90 #define down_interruptible(x) ({ int __r; printk("DOWNi:%u:" #x "\n", __LINE__); __r = down_interruptible(x); if (__r != 0) printk("ABORT-DOWNi:%u\n", __LINE__); __r; })
91 #define up(x) do { printk("UP:%u:" #x "\n", __LINE__); up(x); } while(0)
94 /* Check for an extension */
96 ip6t_ext_hdr(u8 nexthdr)
98 return ( (nexthdr == IPPROTO_HOPOPTS) ||
99 (nexthdr == IPPROTO_ROUTING) ||
100 (nexthdr == IPPROTO_FRAGMENT) ||
101 (nexthdr == IPPROTO_ESP) ||
102 (nexthdr == IPPROTO_AH) ||
103 (nexthdr == IPPROTO_NONE) ||
104 (nexthdr == IPPROTO_DSTOPTS) );
107 /* Returns whether matches rule or not. */
109 ip6_packet_match(const struct sk_buff *skb,
112 const struct ip6t_ip6 *ip6info,
113 unsigned int *protoff,
114 int *fragoff, int *hotdrop)
118 const struct ipv6hdr *ipv6 = skb->nh.ipv6h;
120 #define FWINV(bool,invflg) ((bool) ^ !!(ip6info->invflags & invflg))
122 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
123 &ip6info->src), IP6T_INV_SRCIP)
124 || FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
125 &ip6info->dst), IP6T_INV_DSTIP)) {
126 dprintf("Source or dest mismatch.\n");
128 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
129 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
130 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
131 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
132 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
133 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
137 /* Look for ifname matches; this should unroll nicely. */
138 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
139 ret |= (((const unsigned long *)indev)[i]
140 ^ ((const unsigned long *)ip6info->iniface)[i])
141 & ((const unsigned long *)ip6info->iniface_mask)[i];
144 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
145 dprintf("VIA in mismatch (%s vs %s).%s\n",
146 indev, ip6info->iniface,
147 ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
151 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
152 ret |= (((const unsigned long *)outdev)[i]
153 ^ ((const unsigned long *)ip6info->outiface)[i])
154 & ((const unsigned long *)ip6info->outiface_mask)[i];
157 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
158 dprintf("VIA out mismatch (%s vs %s).%s\n",
159 outdev, ip6info->outiface,
160 ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
164 /* ... might want to do something with class and flowlabel here ... */
166 /* look for the desired protocol header */
167 if((ip6info->flags & IP6T_F_PROTO)) {
169 unsigned short _frag_off;
171 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
177 *fragoff = _frag_off;
179 dprintf("Packet protocol %hi ?= %s%hi.\n",
181 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
184 if (ip6info->proto == protohdr) {
185 if(ip6info->invflags & IP6T_INV_PROTO) {
191 /* We need match for the '-p all', too! */
192 if ((ip6info->proto != 0) &&
193 !(ip6info->invflags & IP6T_INV_PROTO))
199 /* should be ip6 safe */
201 ip6_checkentry(const struct ip6t_ip6 *ipv6)
203 if (ipv6->flags & ~IP6T_F_MASK) {
204 duprintf("Unknown flag bits set: %08X\n",
205 ipv6->flags & ~IP6T_F_MASK);
208 if (ipv6->invflags & ~IP6T_INV_MASK) {
209 duprintf("Unknown invflag bits set: %08X\n",
210 ipv6->invflags & ~IP6T_INV_MASK);
217 ip6t_error(struct sk_buff **pskb,
218 const struct net_device *in,
219 const struct net_device *out,
220 unsigned int hooknum,
221 const struct xt_target *target,
222 const void *targinfo)
225 printk("ip6_tables: error: `%s'\n", (char *)targinfo);
231 int do_match(struct ip6t_entry_match *m,
232 const struct sk_buff *skb,
233 const struct net_device *in,
234 const struct net_device *out,
236 unsigned int protoff,
239 /* Stop iteration if it doesn't match */
240 if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
241 offset, protoff, hotdrop))
247 static inline struct ip6t_entry *
248 get_entry(void *base, unsigned int offset)
250 return (struct ip6t_entry *)(base + offset);
253 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
255 ip6t_do_table(struct sk_buff **pskb,
257 const struct net_device *in,
258 const struct net_device *out,
259 struct xt_table *table)
261 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
263 unsigned int protoff = 0;
265 /* Initializing verdict to NF_DROP keeps gcc happy. */
266 unsigned int verdict = NF_DROP;
267 const char *indev, *outdev;
269 struct ip6t_entry *e, *back;
270 struct xt_table_info *private;
273 indev = in ? in->name : nulldevname;
274 outdev = out ? out->name : nulldevname;
275 /* We handle fragments by dealing with the first fragment as
276 * if it was a normal packet. All other fragments are treated
277 * normally, except that they will NEVER match rules that ask
278 * things we don't know, ie. tcp syn flag or ports). If the
279 * rule is also a fragment-specific rule, non-fragments won't
282 read_lock_bh(&table->lock);
283 private = table->private;
284 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
285 table_base = (void *)private->entries[smp_processor_id()];
286 e = get_entry(table_base, private->hook_entry[hook]);
288 /* For return from builtin chain */
289 back = get_entry(table_base, private->underflow[hook]);
294 if (ip6_packet_match(*pskb, indev, outdev, &e->ipv6,
295 &protoff, &offset, &hotdrop)) {
296 struct ip6t_entry_target *t;
298 if (IP6T_MATCH_ITERATE(e, do_match,
300 offset, protoff, &hotdrop) != 0)
303 ADD_COUNTER(e->counters,
304 ntohs((*pskb)->nh.ipv6h->payload_len)
308 t = ip6t_get_target(e);
309 IP_NF_ASSERT(t->u.kernel.target);
310 /* Standard target? */
311 if (!t->u.kernel.target->target) {
314 v = ((struct ip6t_standard_target *)t)->verdict;
316 /* Pop from stack? */
317 if (v != IP6T_RETURN) {
318 verdict = (unsigned)(-v) - 1;
322 back = get_entry(table_base,
326 if (table_base + v != (void *)e + e->next_offset
327 && !(e->ipv6.flags & IP6T_F_GOTO)) {
328 /* Save old back ptr in next entry */
329 struct ip6t_entry *next
330 = (void *)e + e->next_offset;
332 = (void *)back - table_base;
333 /* set back pointer to next entry */
337 e = get_entry(table_base, v);
339 /* Targets which reenter must return
341 #ifdef CONFIG_NETFILTER_DEBUG
342 ((struct ip6t_entry *)table_base)->comefrom
345 verdict = t->u.kernel.target->target(pskb,
351 #ifdef CONFIG_NETFILTER_DEBUG
352 if (((struct ip6t_entry *)table_base)->comefrom
354 && verdict == IP6T_CONTINUE) {
355 printk("Target %s reentered!\n",
356 t->u.kernel.target->name);
359 ((struct ip6t_entry *)table_base)->comefrom
362 if (verdict == IP6T_CONTINUE)
363 e = (void *)e + e->next_offset;
371 e = (void *)e + e->next_offset;
375 #ifdef CONFIG_NETFILTER_DEBUG
376 ((struct ip6t_entry *)table_base)->comefrom = NETFILTER_LINK_POISON;
378 read_unlock_bh(&table->lock);
380 #ifdef DEBUG_ALLOW_ALL
389 /* All zeroes == unconditional rule. */
391 unconditional(const struct ip6t_ip6 *ipv6)
395 for (i = 0; i < sizeof(*ipv6); i++)
396 if (((char *)ipv6)[i])
399 return (i == sizeof(*ipv6));
402 /* Figures out from what hook each rule can be called: returns 0 if
403 there are loops. Puts hook bitmask in comefrom. */
405 mark_source_chains(struct xt_table_info *newinfo,
406 unsigned int valid_hooks, void *entry0)
410 /* No recursion; use packet counter to save back ptrs (reset
411 to 0 as we leave), and comefrom to save source hook bitmask */
412 for (hook = 0; hook < NF_IP6_NUMHOOKS; hook++) {
413 unsigned int pos = newinfo->hook_entry[hook];
415 = (struct ip6t_entry *)(entry0 + pos);
416 int visited = e->comefrom & (1 << hook);
418 if (!(valid_hooks & (1 << hook)))
421 /* Set initial back pointer. */
422 e->counters.pcnt = pos;
425 struct ip6t_standard_target *t
426 = (void *)ip6t_get_target(e);
428 if (e->comefrom & (1 << NF_IP6_NUMHOOKS)) {
429 printk("iptables: loop hook %u pos %u %08X.\n",
430 hook, pos, e->comefrom);
434 |= ((1 << hook) | (1 << NF_IP6_NUMHOOKS));
436 /* Unconditional return/END. */
437 if ((e->target_offset == sizeof(struct ip6t_entry)
438 && (strcmp(t->target.u.user.name,
439 IP6T_STANDARD_TARGET) == 0)
441 && unconditional(&e->ipv6)) || visited) {
442 unsigned int oldpos, size;
444 if (t->verdict < -NF_MAX_VERDICT - 1) {
445 duprintf("mark_source_chains: bad "
446 "negative verdict (%i)\n",
451 /* Return: backtrack through the last
454 e->comefrom ^= (1<<NF_IP6_NUMHOOKS);
455 #ifdef DEBUG_IP_FIREWALL_USER
457 & (1 << NF_IP6_NUMHOOKS)) {
458 duprintf("Back unset "
465 pos = e->counters.pcnt;
466 e->counters.pcnt = 0;
468 /* We're at the start. */
472 e = (struct ip6t_entry *)
474 } while (oldpos == pos + e->next_offset);
477 size = e->next_offset;
478 e = (struct ip6t_entry *)
479 (entry0 + pos + size);
480 e->counters.pcnt = pos;
483 int newpos = t->verdict;
485 if (strcmp(t->target.u.user.name,
486 IP6T_STANDARD_TARGET) == 0
488 if (newpos > newinfo->size -
489 sizeof(struct ip6t_entry)) {
490 duprintf("mark_source_chains: "
491 "bad verdict (%i)\n",
495 /* This a jump; chase it. */
496 duprintf("Jump rule %u -> %u\n",
499 /* ... this is a fallthru */
500 newpos = pos + e->next_offset;
502 e = (struct ip6t_entry *)
504 e->counters.pcnt = pos;
509 duprintf("Finished chain %u\n", hook);
515 cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
517 if (i && (*i)-- == 0)
520 if (m->u.kernel.match->destroy)
521 m->u.kernel.match->destroy(m->u.kernel.match, m->data);
522 module_put(m->u.kernel.match->me);
527 check_match(struct ip6t_entry_match *m,
529 const struct ip6t_ip6 *ipv6,
530 unsigned int hookmask,
533 struct ip6t_match *match;
536 match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
538 "ip6t_%s", m->u.user.name);
539 if (IS_ERR(match) || !match) {
540 duprintf("check_match: `%s' not found\n", m->u.user.name);
541 return match ? PTR_ERR(match) : -ENOENT;
543 m->u.kernel.match = match;
545 ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
546 name, hookmask, ipv6->proto,
547 ipv6->invflags & IP6T_INV_PROTO);
551 if (m->u.kernel.match->checkentry
552 && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
554 duprintf("ip_tables: check failed for `%s'.\n",
555 m->u.kernel.match->name);
563 module_put(m->u.kernel.match->me);
567 static struct ip6t_target ip6t_standard_target;
570 check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
573 struct ip6t_entry_target *t;
574 struct ip6t_target *target;
578 if (!ip6_checkentry(&e->ipv6)) {
579 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
583 if (e->target_offset + sizeof(struct ip6t_entry_target) >
588 ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6, e->comefrom, &j);
590 goto cleanup_matches;
592 t = ip6t_get_target(e);
594 if (e->target_offset + t->u.target_size > e->next_offset)
595 goto cleanup_matches;
596 target = try_then_request_module(xt_find_target(AF_INET6,
599 "ip6t_%s", t->u.user.name);
600 if (IS_ERR(target) || !target) {
601 duprintf("check_entry: `%s' not found\n", t->u.user.name);
602 ret = target ? PTR_ERR(target) : -ENOENT;
603 goto cleanup_matches;
605 t->u.kernel.target = target;
607 ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
608 name, e->comefrom, e->ipv6.proto,
609 e->ipv6.invflags & IP6T_INV_PROTO);
613 if (t->u.kernel.target->checkentry
614 && !t->u.kernel.target->checkentry(name, e, target, t->data,
616 duprintf("ip_tables: check failed for `%s'.\n",
617 t->u.kernel.target->name);
625 module_put(t->u.kernel.target->me);
627 IP6T_MATCH_ITERATE(e, cleanup_match, &j);
632 check_entry_size_and_hooks(struct ip6t_entry *e,
633 struct xt_table_info *newinfo,
635 unsigned char *limit,
636 const unsigned int *hook_entries,
637 const unsigned int *underflows,
642 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0
643 || (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
644 duprintf("Bad offset %p\n", e);
649 < sizeof(struct ip6t_entry) + sizeof(struct ip6t_entry_target)) {
650 duprintf("checking: element %p size %u\n",
655 /* Check hooks & underflows */
656 for (h = 0; h < NF_IP6_NUMHOOKS; h++) {
657 if ((unsigned char *)e - base == hook_entries[h])
658 newinfo->hook_entry[h] = hook_entries[h];
659 if ((unsigned char *)e - base == underflows[h])
660 newinfo->underflow[h] = underflows[h];
663 /* FIXME: underflows must be unconditional, standard verdicts
664 < 0 (not IP6T_RETURN). --RR */
666 /* Clear counters and comefrom */
667 e->counters = ((struct xt_counters) { 0, 0 });
675 cleanup_entry(struct ip6t_entry *e, unsigned int *i)
677 struct ip6t_entry_target *t;
679 if (i && (*i)-- == 0)
682 /* Cleanup all matches */
683 IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
684 t = ip6t_get_target(e);
685 if (t->u.kernel.target->destroy)
686 t->u.kernel.target->destroy(t->u.kernel.target, t->data);
687 module_put(t->u.kernel.target->me);
691 /* Checks and translates the user-supplied table segment (held in
694 translate_table(const char *name,
695 unsigned int valid_hooks,
696 struct xt_table_info *newinfo,
700 const unsigned int *hook_entries,
701 const unsigned int *underflows)
706 newinfo->size = size;
707 newinfo->number = number;
709 /* Init all hooks to impossible value. */
710 for (i = 0; i < NF_IP6_NUMHOOKS; i++) {
711 newinfo->hook_entry[i] = 0xFFFFFFFF;
712 newinfo->underflow[i] = 0xFFFFFFFF;
715 duprintf("translate_table: size %u\n", newinfo->size);
717 /* Walk through entries, checking offsets. */
718 ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
719 check_entry_size_and_hooks,
723 hook_entries, underflows, &i);
728 duprintf("translate_table: %u not %u entries\n",
733 /* Check hooks all assigned */
734 for (i = 0; i < NF_IP6_NUMHOOKS; i++) {
735 /* Only hooks which are valid */
736 if (!(valid_hooks & (1 << i)))
738 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
739 duprintf("Invalid hook entry %u %u\n",
743 if (newinfo->underflow[i] == 0xFFFFFFFF) {
744 duprintf("Invalid underflow %u %u\n",
750 if (!mark_source_chains(newinfo, valid_hooks, entry0))
753 /* Finally, each sanity check must pass */
755 ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
756 check_entry, name, size, &i);
759 IP6T_ENTRY_ITERATE(entry0, newinfo->size,
764 /* And one copy for every other CPU */
765 for_each_possible_cpu(i) {
766 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
767 memcpy(newinfo->entries[i], entry0, newinfo->size);
775 add_entry_to_counter(const struct ip6t_entry *e,
776 struct xt_counters total[],
779 ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
786 set_entry_to_counter(const struct ip6t_entry *e,
787 struct ip6t_counters total[],
790 SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
797 get_counters(const struct xt_table_info *t,
798 struct xt_counters counters[])
804 /* Instead of clearing (by a previous call to memset())
805 * the counters and using adds, we set the counters
806 * with data used by 'current' CPU
807 * We dont care about preemption here.
809 curcpu = raw_smp_processor_id();
812 IP6T_ENTRY_ITERATE(t->entries[curcpu],
814 set_entry_to_counter,
818 for_each_possible_cpu(cpu) {
822 IP6T_ENTRY_ITERATE(t->entries[cpu],
824 add_entry_to_counter,
831 copy_entries_to_user(unsigned int total_size,
832 struct xt_table *table,
833 void __user *userptr)
835 unsigned int off, num, countersize;
836 struct ip6t_entry *e;
837 struct xt_counters *counters;
838 struct xt_table_info *private = table->private;
842 /* We need atomic snapshot of counters: rest doesn't change
843 (other than comefrom, which userspace doesn't care
845 countersize = sizeof(struct xt_counters) * private->number;
846 counters = vmalloc(countersize);
848 if (counters == NULL)
851 /* First, sum counters... */
852 write_lock_bh(&table->lock);
853 get_counters(private, counters);
854 write_unlock_bh(&table->lock);
856 /* choose the copy that is on ourc node/cpu */
857 loc_cpu_entry = private->entries[raw_smp_processor_id()];
858 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
863 /* FIXME: use iterator macros --RR */
864 /* ... then go back and fix counters and names */
865 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
867 struct ip6t_entry_match *m;
868 struct ip6t_entry_target *t;
870 e = (struct ip6t_entry *)(loc_cpu_entry + off);
871 if (copy_to_user(userptr + off
872 + offsetof(struct ip6t_entry, counters),
874 sizeof(counters[num])) != 0) {
879 for (i = sizeof(struct ip6t_entry);
880 i < e->target_offset;
881 i += m->u.match_size) {
884 if (copy_to_user(userptr + off + i
885 + offsetof(struct ip6t_entry_match,
887 m->u.kernel.match->name,
888 strlen(m->u.kernel.match->name)+1)
895 t = ip6t_get_target(e);
896 if (copy_to_user(userptr + off + e->target_offset
897 + offsetof(struct ip6t_entry_target,
899 t->u.kernel.target->name,
900 strlen(t->u.kernel.target->name)+1) != 0) {
912 get_entries(const struct ip6t_get_entries *entries,
913 struct ip6t_get_entries __user *uptr)
918 t = xt_find_table_lock(AF_INET6, entries->name);
919 if (t && !IS_ERR(t)) {
920 struct xt_table_info *private = t->private;
921 duprintf("t->private->number = %u\n", private->number);
922 if (entries->size == private->size)
923 ret = copy_entries_to_user(private->size,
924 t, uptr->entrytable);
926 duprintf("get_entries: I've got %u not %u!\n",
927 private->size, entries->size);
933 ret = t ? PTR_ERR(t) : -ENOENT;
939 do_replace(void __user *user, unsigned int len)
942 struct ip6t_replace tmp;
944 struct xt_table_info *newinfo, *oldinfo;
945 struct xt_counters *counters;
946 void *loc_cpu_entry, *loc_cpu_old_entry;
948 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
952 if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
955 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
958 newinfo = xt_alloc_table_info(tmp.size);
962 /* choose the copy that is on our node/cpu */
963 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
964 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
970 counters = vmalloc(tmp.num_counters * sizeof(struct xt_counters));
976 ret = translate_table(tmp.name, tmp.valid_hooks,
977 newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
978 tmp.hook_entry, tmp.underflow);
980 goto free_newinfo_counters;
982 duprintf("ip_tables: Translated table\n");
984 t = try_then_request_module(xt_find_table_lock(AF_INET6, tmp.name),
985 "ip6table_%s", tmp.name);
986 if (!t || IS_ERR(t)) {
987 ret = t ? PTR_ERR(t) : -ENOENT;
988 goto free_newinfo_counters_untrans;
992 if (tmp.valid_hooks != t->valid_hooks) {
993 duprintf("Valid hook crap: %08X vs %08X\n",
994 tmp.valid_hooks, t->valid_hooks);
999 oldinfo = xt_replace_table(t, tmp.num_counters, newinfo, &ret);
1003 /* Update module usage count based on number of rules */
1004 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1005 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1006 if ((oldinfo->number > oldinfo->initial_entries) ||
1007 (newinfo->number <= oldinfo->initial_entries))
1009 if ((oldinfo->number > oldinfo->initial_entries) &&
1010 (newinfo->number <= oldinfo->initial_entries))
1013 /* Get the old counters. */
1014 get_counters(oldinfo, counters);
1015 /* Decrease module usage counts and free resource */
1016 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1017 IP6T_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
1018 xt_free_table_info(oldinfo);
1019 if (copy_to_user(tmp.counters, counters,
1020 sizeof(struct xt_counters) * tmp.num_counters) != 0)
1029 free_newinfo_counters_untrans:
1030 IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
1031 free_newinfo_counters:
1034 xt_free_table_info(newinfo);
1038 /* We're lazy, and add to the first CPU; overflow works its fey magic
1039 * and everything is OK. */
1041 add_counter_to_entry(struct ip6t_entry *e,
1042 const struct xt_counters addme[],
1046 duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
1048 (long unsigned int)e->counters.pcnt,
1049 (long unsigned int)e->counters.bcnt,
1050 (long unsigned int)addme[*i].pcnt,
1051 (long unsigned int)addme[*i].bcnt);
1054 ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
1061 do_add_counters(void __user *user, unsigned int len)
1064 struct xt_counters_info tmp, *paddc;
1065 struct xt_table_info *private;
1068 void *loc_cpu_entry;
1070 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1073 if (len != sizeof(tmp) + tmp.num_counters*sizeof(struct xt_counters))
1076 paddc = vmalloc(len);
1080 if (copy_from_user(paddc, user, len) != 0) {
1085 t = xt_find_table_lock(AF_INET6, tmp.name);
1086 if (!t || IS_ERR(t)) {
1087 ret = t ? PTR_ERR(t) : -ENOENT;
1091 write_lock_bh(&t->lock);
1092 private = t->private;
1093 if (private->number != tmp.num_counters) {
1095 goto unlock_up_free;
1099 /* Choose the copy that is on our node */
1100 loc_cpu_entry = private->entries[smp_processor_id()];
1101 IP6T_ENTRY_ITERATE(loc_cpu_entry,
1103 add_counter_to_entry,
1107 write_unlock_bh(&t->lock);
1117 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1121 if (!capable(CAP_NET_ADMIN))
1125 case IP6T_SO_SET_REPLACE:
1126 ret = do_replace(user, len);
1129 case IP6T_SO_SET_ADD_COUNTERS:
1130 ret = do_add_counters(user, len);
1134 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1142 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1146 if (!capable(CAP_NET_ADMIN))
1150 case IP6T_SO_GET_INFO: {
1151 char name[IP6T_TABLE_MAXNAMELEN];
1154 if (*len != sizeof(struct ip6t_getinfo)) {
1155 duprintf("length %u != %u\n", *len,
1156 sizeof(struct ip6t_getinfo));
1161 if (copy_from_user(name, user, sizeof(name)) != 0) {
1165 name[IP6T_TABLE_MAXNAMELEN-1] = '\0';
1167 t = try_then_request_module(xt_find_table_lock(AF_INET6, name),
1168 "ip6table_%s", name);
1169 if (t && !IS_ERR(t)) {
1170 struct ip6t_getinfo info;
1171 struct xt_table_info *private = t->private;
1173 info.valid_hooks = t->valid_hooks;
1174 memcpy(info.hook_entry, private->hook_entry,
1175 sizeof(info.hook_entry));
1176 memcpy(info.underflow, private->underflow,
1177 sizeof(info.underflow));
1178 info.num_entries = private->number;
1179 info.size = private->size;
1180 memcpy(info.name, name, sizeof(info.name));
1182 if (copy_to_user(user, &info, *len) != 0)
1189 ret = t ? PTR_ERR(t) : -ENOENT;
1193 case IP6T_SO_GET_ENTRIES: {
1194 struct ip6t_get_entries get;
1196 if (*len < sizeof(get)) {
1197 duprintf("get_entries: %u < %u\n", *len, sizeof(get));
1199 } else if (copy_from_user(&get, user, sizeof(get)) != 0) {
1201 } else if (*len != sizeof(struct ip6t_get_entries) + get.size) {
1202 duprintf("get_entries: %u != %u\n", *len,
1203 sizeof(struct ip6t_get_entries) + get.size);
1206 ret = get_entries(&get, user);
1210 case IP6T_SO_GET_REVISION_MATCH:
1211 case IP6T_SO_GET_REVISION_TARGET: {
1212 struct ip6t_get_revision rev;
1215 if (*len != sizeof(rev)) {
1219 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
1224 if (cmd == IP6T_SO_GET_REVISION_TARGET)
1229 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
1232 "ip6t_%s", rev.name);
1237 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
1244 int ip6t_register_table(struct xt_table *table,
1245 const struct ip6t_replace *repl)
1248 struct xt_table_info *newinfo;
1249 static struct xt_table_info bootstrap
1250 = { 0, 0, 0, { 0 }, { 0 }, { } };
1251 void *loc_cpu_entry;
1253 newinfo = xt_alloc_table_info(repl->size);
1257 /* choose the copy on our node/cpu */
1258 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1259 memcpy(loc_cpu_entry, repl->entries, repl->size);
1261 ret = translate_table(table->name, table->valid_hooks,
1262 newinfo, loc_cpu_entry, repl->size,
1267 xt_free_table_info(newinfo);
1271 ret = xt_register_table(table, &bootstrap, newinfo);
1273 xt_free_table_info(newinfo);
1280 void ip6t_unregister_table(struct xt_table *table)
1282 struct xt_table_info *private;
1283 void *loc_cpu_entry;
1285 private = xt_unregister_table(table);
1287 /* Decrease module usage counts and free resources */
1288 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1289 IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
1290 xt_free_table_info(private);
1293 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
1295 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
1296 u_int8_t type, u_int8_t code,
1299 return (type == test_type && code >= min_code && code <= max_code)
1304 icmp6_match(const struct sk_buff *skb,
1305 const struct net_device *in,
1306 const struct net_device *out,
1307 const struct xt_match *match,
1308 const void *matchinfo,
1310 unsigned int protoff,
1313 struct icmp6hdr _icmp, *ic;
1314 const struct ip6t_icmp *icmpinfo = matchinfo;
1316 /* Must not be a fragment. */
1320 ic = skb_header_pointer(skb, protoff, sizeof(_icmp), &_icmp);
1322 /* We've been asked to examine this packet, and we
1323 can't. Hence, no choice but to drop. */
1324 duprintf("Dropping evil ICMP tinygram.\n");
1329 return icmp6_type_code_match(icmpinfo->type,
1332 ic->icmp6_type, ic->icmp6_code,
1333 !!(icmpinfo->invflags&IP6T_ICMP_INV));
1336 /* Called when user tries to insert an entry of this type. */
1338 icmp6_checkentry(const char *tablename,
1340 const struct xt_match *match,
1342 unsigned int hook_mask)
1344 const struct ip6t_icmp *icmpinfo = matchinfo;
1346 /* Must specify no unknown invflags */
1347 return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
1350 /* The built-in targets: standard (NULL) and error. */
1351 static struct ip6t_target ip6t_standard_target = {
1352 .name = IP6T_STANDARD_TARGET,
1353 .targetsize = sizeof(int),
1357 static struct ip6t_target ip6t_error_target = {
1358 .name = IP6T_ERROR_TARGET,
1359 .target = ip6t_error,
1360 .targetsize = IP6T_FUNCTION_MAXNAMELEN,
1364 static struct nf_sockopt_ops ip6t_sockopts = {
1366 .set_optmin = IP6T_BASE_CTL,
1367 .set_optmax = IP6T_SO_SET_MAX+1,
1368 .set = do_ip6t_set_ctl,
1369 .get_optmin = IP6T_BASE_CTL,
1370 .get_optmax = IP6T_SO_GET_MAX+1,
1371 .get = do_ip6t_get_ctl,
1374 static struct ip6t_match icmp6_matchstruct = {
1376 .match = &icmp6_match,
1377 .matchsize = sizeof(struct ip6t_icmp),
1378 .checkentry = icmp6_checkentry,
1379 .proto = IPPROTO_ICMPV6,
1383 static int __init ip6_tables_init(void)
1387 ret = xt_proto_init(AF_INET6);
1391 /* Noone else will be downing sem now, so we won't sleep */
1392 ret = xt_register_target(&ip6t_standard_target);
1395 ret = xt_register_target(&ip6t_error_target);
1398 ret = xt_register_match(&icmp6_matchstruct);
1402 /* Register setsockopt */
1403 ret = nf_register_sockopt(&ip6t_sockopts);
1407 printk("ip6_tables: (C) 2000-2006 Netfilter Core Team\n");
1411 xt_unregister_match(&icmp6_matchstruct);
1413 xt_unregister_target(&ip6t_error_target);
1415 xt_unregister_target(&ip6t_standard_target);
1417 xt_proto_fini(AF_INET6);
1422 static void __exit ip6_tables_fini(void)
1424 nf_unregister_sockopt(&ip6t_sockopts);
1425 xt_unregister_match(&icmp6_matchstruct);
1426 xt_unregister_target(&ip6t_error_target);
1427 xt_unregister_target(&ip6t_standard_target);
1428 xt_proto_fini(AF_INET6);
1432 * find the offset to specified header or the protocol number of last header
1433 * if target < 0. "last header" is transport protocol header, ESP, or
1436 * If target header is found, its offset is set in *offset and return protocol
1437 * number. Otherwise, return -1.
1439 * If the first fragment doesn't contain the final protocol header or
1440 * NEXTHDR_NONE it is considered invalid.
1442 * Note that non-1st fragment is special case that "the protocol number
1443 * of last header" is "next header" field in Fragment header. In this case,
1444 * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
1448 int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
1449 int target, unsigned short *fragoff)
1451 unsigned int start = (u8*)(skb->nh.ipv6h + 1) - skb->data;
1452 u8 nexthdr = skb->nh.ipv6h->nexthdr;
1453 unsigned int len = skb->len - start;
1458 while (nexthdr != target) {
1459 struct ipv6_opt_hdr _hdr, *hp;
1460 unsigned int hdrlen;
1462 if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
1468 hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
1471 if (nexthdr == NEXTHDR_FRAGMENT) {
1472 unsigned short _frag_off;
1474 fp = skb_header_pointer(skb,
1475 start+offsetof(struct frag_hdr,
1482 _frag_off = ntohs(*fp) & ~0x7;
1485 ((!ipv6_ext_hdr(hp->nexthdr)) ||
1486 hp->nexthdr == NEXTHDR_NONE)) {
1488 *fragoff = _frag_off;
1494 } else if (nexthdr == NEXTHDR_AUTH)
1495 hdrlen = (hp->hdrlen + 2) << 2;
1497 hdrlen = ipv6_optlen(hp);
1499 nexthdr = hp->nexthdr;
1508 EXPORT_SYMBOL(ip6t_register_table);
1509 EXPORT_SYMBOL(ip6t_unregister_table);
1510 EXPORT_SYMBOL(ip6t_do_table);
1511 EXPORT_SYMBOL(ip6t_ext_hdr);
1512 EXPORT_SYMBOL(ipv6_find_hdr);
1514 module_init(ip6_tables_init);
1515 module_exit(ip6_tables_fini);
projects / linux-2.6 / blob