2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 #include <linux/cache.h>
12 #include <linux/capability.h>
13 #include <linux/skbuff.h>
14 #include <linux/kmod.h>
15 #include <linux/vmalloc.h>
16 #include <linux/netdevice.h>
17 #include <linux/module.h>
18 #include <linux/icmp.h>
20 #include <net/compat.h>
21 #include <asm/uaccess.h>
22 #include <linux/mutex.h>
23 #include <linux/proc_fs.h>
24 #include <linux/err.h>
25 #include <linux/cpumask.h>
27 #include <linux/netfilter/x_tables.h>
28 #include <linux/netfilter_ipv4/ip_tables.h>
30 MODULE_LICENSE("GPL");
31 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
32 MODULE_DESCRIPTION("IPv4 packet filter");
34 /*#define DEBUG_IP_FIREWALL*/
35 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
36 /*#define DEBUG_IP_FIREWALL_USER*/
38 #ifdef DEBUG_IP_FIREWALL
39 #define dprintf(format, args...) printk(format , ## args)
41 #define dprintf(format, args...)
44 #ifdef DEBUG_IP_FIREWALL_USER
45 #define duprintf(format, args...) printk(format , ## args)
47 #define duprintf(format, args...)
50 #ifdef CONFIG_NETFILTER_DEBUG
51 #define IP_NF_ASSERT(x) \
54 printk("IP_NF_ASSERT: %s:%s:%u\n", \
55 __FUNCTION__, __FILE__, __LINE__); \
58 #define IP_NF_ASSERT(x)
62 /* All the better to debug you with... */
68 We keep a set of rules for each CPU, so we can avoid write-locking
69 them in the softirq when updating the counters and therefore
70 only need to read-lock in the softirq; doing a write_lock_bh() in user
71 context stops packets coming through and allows user context to read
72 the counters or update the rules.
74 Hence the start of any table is given by get_table() below. */
76 /* Returns whether matches rule or not. */
78 ip_packet_match(const struct iphdr *ip,
81 const struct ipt_ip *ipinfo,
87 #define FWINV(bool,invflg) ((bool) ^ !!(ipinfo->invflags & invflg))
89 if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
91 || FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
93 dprintf("Source or dest mismatch.\n");
95 dprintf("SRC: %u.%u.%u.%u. Mask: %u.%u.%u.%u. Target: %u.%u.%u.%u.%s\n",
97 NIPQUAD(ipinfo->smsk.s_addr),
98 NIPQUAD(ipinfo->src.s_addr),
99 ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
100 dprintf("DST: %u.%u.%u.%u Mask: %u.%u.%u.%u Target: %u.%u.%u.%u.%s\n",
102 NIPQUAD(ipinfo->dmsk.s_addr),
103 NIPQUAD(ipinfo->dst.s_addr),
104 ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
108 /* Look for ifname matches; this should unroll nicely. */
109 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
110 ret |= (((const unsigned long *)indev)[i]
111 ^ ((const unsigned long *)ipinfo->iniface)[i])
112 & ((const unsigned long *)ipinfo->iniface_mask)[i];
115 if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
116 dprintf("VIA in mismatch (%s vs %s).%s\n",
117 indev, ipinfo->iniface,
118 ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
122 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
123 ret |= (((const unsigned long *)outdev)[i]
124 ^ ((const unsigned long *)ipinfo->outiface)[i])
125 & ((const unsigned long *)ipinfo->outiface_mask)[i];
128 if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
129 dprintf("VIA out mismatch (%s vs %s).%s\n",
130 outdev, ipinfo->outiface,
131 ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
135 /* Check specific protocol */
137 && FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
138 dprintf("Packet protocol %hi does not match %hi.%s\n",
139 ip->protocol, ipinfo->proto,
140 ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
144 /* If we have a fragment rule but the packet is not a fragment
145 * then we return zero */
146 if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
147 dprintf("Fragment rule but not fragment.%s\n",
148 ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
156 ip_checkentry(const struct ipt_ip *ip)
158 if (ip->flags & ~IPT_F_MASK) {
159 duprintf("Unknown flag bits set: %08X\n",
160 ip->flags & ~IPT_F_MASK);
163 if (ip->invflags & ~IPT_INV_MASK) {
164 duprintf("Unknown invflag bits set: %08X\n",
165 ip->invflags & ~IPT_INV_MASK);
172 ipt_error(struct sk_buff **pskb,
173 const struct net_device *in,
174 const struct net_device *out,
175 unsigned int hooknum,
176 const struct xt_target *target,
177 const void *targinfo)
180 printk("ip_tables: error: `%s'\n", (char *)targinfo);
186 int do_match(struct ipt_entry_match *m,
187 const struct sk_buff *skb,
188 const struct net_device *in,
189 const struct net_device *out,
193 /* Stop iteration if it doesn't match */
194 if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
195 offset, ip_hdrlen(skb), hotdrop))
201 static inline struct ipt_entry *
202 get_entry(void *base, unsigned int offset)
204 return (struct ipt_entry *)(base + offset);
207 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
209 ipt_do_table(struct sk_buff **pskb,
211 const struct net_device *in,
212 const struct net_device *out,
213 struct xt_table *table)
215 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
220 /* Initializing verdict to NF_DROP keeps gcc happy. */
221 unsigned int verdict = NF_DROP;
222 const char *indev, *outdev;
224 struct ipt_entry *e, *back;
225 struct xt_table_info *private;
229 datalen = (*pskb)->len - ip->ihl * 4;
230 indev = in ? in->name : nulldevname;
231 outdev = out ? out->name : nulldevname;
232 /* We handle fragments by dealing with the first fragment as
233 * if it was a normal packet. All other fragments are treated
234 * normally, except that they will NEVER match rules that ask
235 * things we don't know, ie. tcp syn flag or ports). If the
236 * rule is also a fragment-specific rule, non-fragments won't
238 offset = ntohs(ip->frag_off) & IP_OFFSET;
240 read_lock_bh(&table->lock);
241 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
242 private = table->private;
243 table_base = (void *)private->entries[smp_processor_id()];
244 e = get_entry(table_base, private->hook_entry[hook]);
246 /* For return from builtin chain */
247 back = get_entry(table_base, private->underflow[hook]);
252 if (ip_packet_match(ip, indev, outdev, &e->ip, offset)) {
253 struct ipt_entry_target *t;
255 if (IPT_MATCH_ITERATE(e, do_match,
257 offset, &hotdrop) != 0)
260 ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
262 t = ipt_get_target(e);
263 IP_NF_ASSERT(t->u.kernel.target);
264 /* Standard target? */
265 if (!t->u.kernel.target->target) {
268 v = ((struct ipt_standard_target *)t)->verdict;
270 /* Pop from stack? */
271 if (v != IPT_RETURN) {
272 verdict = (unsigned)(-v) - 1;
276 back = get_entry(table_base,
280 if (table_base + v != (void *)e + e->next_offset
281 && !(e->ip.flags & IPT_F_GOTO)) {
282 /* Save old back ptr in next entry */
283 struct ipt_entry *next
284 = (void *)e + e->next_offset;
286 = (void *)back - table_base;
287 /* set back pointer to next entry */
291 e = get_entry(table_base, v);
293 /* Targets which reenter must return
295 #ifdef CONFIG_NETFILTER_DEBUG
296 ((struct ipt_entry *)table_base)->comefrom
299 verdict = t->u.kernel.target->target(pskb,
305 #ifdef CONFIG_NETFILTER_DEBUG
306 if (((struct ipt_entry *)table_base)->comefrom
308 && verdict == IPT_CONTINUE) {
309 printk("Target %s reentered!\n",
310 t->u.kernel.target->name);
313 ((struct ipt_entry *)table_base)->comefrom
316 /* Target might have changed stuff. */
318 datalen = (*pskb)->len - ip->ihl * 4;
320 if (verdict == IPT_CONTINUE)
321 e = (void *)e + e->next_offset;
329 e = (void *)e + e->next_offset;
333 read_unlock_bh(&table->lock);
335 #ifdef DEBUG_ALLOW_ALL
344 /* All zeroes == unconditional rule. */
346 unconditional(const struct ipt_ip *ip)
350 for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
351 if (((__u32 *)ip)[i])
357 /* Figures out from what hook each rule can be called: returns 0 if
358 there are loops. Puts hook bitmask in comefrom. */
360 mark_source_chains(struct xt_table_info *newinfo,
361 unsigned int valid_hooks, void *entry0)
365 /* No recursion; use packet counter to save back ptrs (reset
366 to 0 as we leave), and comefrom to save source hook bitmask */
367 for (hook = 0; hook < NF_IP_NUMHOOKS; hook++) {
368 unsigned int pos = newinfo->hook_entry[hook];
370 = (struct ipt_entry *)(entry0 + pos);
372 if (!(valid_hooks & (1 << hook)))
375 /* Set initial back pointer. */
376 e->counters.pcnt = pos;
379 struct ipt_standard_target *t
380 = (void *)ipt_get_target(e);
381 int visited = e->comefrom & (1 << hook);
383 if (e->comefrom & (1 << NF_IP_NUMHOOKS)) {
384 printk("iptables: loop hook %u pos %u %08X.\n",
385 hook, pos, e->comefrom);
389 |= ((1 << hook) | (1 << NF_IP_NUMHOOKS));
391 /* Unconditional return/END. */
392 if ((e->target_offset == sizeof(struct ipt_entry)
393 && (strcmp(t->target.u.user.name,
394 IPT_STANDARD_TARGET) == 0)
396 && unconditional(&e->ip)) || visited) {
397 unsigned int oldpos, size;
399 if (t->verdict < -NF_MAX_VERDICT - 1) {
400 duprintf("mark_source_chains: bad "
401 "negative verdict (%i)\n",
406 /* Return: backtrack through the last
409 e->comefrom ^= (1<<NF_IP_NUMHOOKS);
410 #ifdef DEBUG_IP_FIREWALL_USER
412 & (1 << NF_IP_NUMHOOKS)) {
413 duprintf("Back unset "
420 pos = e->counters.pcnt;
421 e->counters.pcnt = 0;
423 /* We're at the start. */
427 e = (struct ipt_entry *)
429 } while (oldpos == pos + e->next_offset);
432 size = e->next_offset;
433 e = (struct ipt_entry *)
434 (entry0 + pos + size);
435 e->counters.pcnt = pos;
438 int newpos = t->verdict;
440 if (strcmp(t->target.u.user.name,
441 IPT_STANDARD_TARGET) == 0
443 if (newpos > newinfo->size -
444 sizeof(struct ipt_entry)) {
445 duprintf("mark_source_chains: "
446 "bad verdict (%i)\n",
450 /* This a jump; chase it. */
451 duprintf("Jump rule %u -> %u\n",
454 /* ... this is a fallthru */
455 newpos = pos + e->next_offset;
457 e = (struct ipt_entry *)
459 e->counters.pcnt = pos;
464 duprintf("Finished chain %u\n", hook);
470 cleanup_match(struct ipt_entry_match *m, unsigned int *i)
472 if (i && (*i)-- == 0)
475 if (m->u.kernel.match->destroy)
476 m->u.kernel.match->destroy(m->u.kernel.match, m->data);
477 module_put(m->u.kernel.match->me);
482 check_entry(struct ipt_entry *e, const char *name)
484 struct ipt_entry_target *t;
486 if (!ip_checkentry(&e->ip)) {
487 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
491 if (e->target_offset + sizeof(struct ipt_entry_target) > e->next_offset)
494 t = ipt_get_target(e);
495 if (e->target_offset + t->u.target_size > e->next_offset)
501 static inline int check_match(struct ipt_entry_match *m, const char *name,
502 const struct ipt_ip *ip, unsigned int hookmask)
504 struct xt_match *match;
507 match = m->u.kernel.match;
508 ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
509 name, hookmask, ip->proto,
510 ip->invflags & IPT_INV_PROTO);
511 if (!ret && m->u.kernel.match->checkentry
512 && !m->u.kernel.match->checkentry(name, ip, match, m->data,
514 duprintf("ip_tables: check failed for `%s'.\n",
515 m->u.kernel.match->name);
522 find_check_match(struct ipt_entry_match *m,
524 const struct ipt_ip *ip,
525 unsigned int hookmask,
528 struct xt_match *match;
531 match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
533 "ipt_%s", m->u.user.name);
534 if (IS_ERR(match) || !match) {
535 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
536 return match ? PTR_ERR(match) : -ENOENT;
538 m->u.kernel.match = match;
540 ret = check_match(m, name, ip, hookmask);
547 module_put(m->u.kernel.match->me);
551 static inline int check_target(struct ipt_entry *e, const char *name)
553 struct ipt_entry_target *t;
554 struct xt_target *target;
557 t = ipt_get_target(e);
558 target = t->u.kernel.target;
559 ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
560 name, e->comefrom, e->ip.proto,
561 e->ip.invflags & IPT_INV_PROTO);
562 if (!ret && t->u.kernel.target->checkentry
563 && !t->u.kernel.target->checkentry(name, e, target,
564 t->data, e->comefrom)) {
565 duprintf("ip_tables: check failed for `%s'.\n",
566 t->u.kernel.target->name);
573 find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
576 struct ipt_entry_target *t;
577 struct xt_target *target;
581 ret = check_entry(e, name);
586 ret = IPT_MATCH_ITERATE(e, find_check_match, name, &e->ip,
589 goto cleanup_matches;
591 t = ipt_get_target(e);
592 target = try_then_request_module(xt_find_target(AF_INET,
595 "ipt_%s", t->u.user.name);
596 if (IS_ERR(target) || !target) {
597 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
598 ret = target ? PTR_ERR(target) : -ENOENT;
599 goto cleanup_matches;
601 t->u.kernel.target = target;
603 ret = check_target(e, name);
610 module_put(t->u.kernel.target->me);
612 IPT_MATCH_ITERATE(e, cleanup_match, &j);
617 check_entry_size_and_hooks(struct ipt_entry *e,
618 struct xt_table_info *newinfo,
620 unsigned char *limit,
621 const unsigned int *hook_entries,
622 const unsigned int *underflows,
627 if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
628 || (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
629 duprintf("Bad offset %p\n", e);
634 < sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
635 duprintf("checking: element %p size %u\n",
640 /* Check hooks & underflows */
641 for (h = 0; h < NF_IP_NUMHOOKS; h++) {
642 if ((unsigned char *)e - base == hook_entries[h])
643 newinfo->hook_entry[h] = hook_entries[h];
644 if ((unsigned char *)e - base == underflows[h])
645 newinfo->underflow[h] = underflows[h];
648 /* FIXME: underflows must be unconditional, standard verdicts
649 < 0 (not IPT_RETURN). --RR */
651 /* Clear counters and comefrom */
652 e->counters = ((struct xt_counters) { 0, 0 });
660 cleanup_entry(struct ipt_entry *e, unsigned int *i)
662 struct ipt_entry_target *t;
664 if (i && (*i)-- == 0)
667 /* Cleanup all matches */
668 IPT_MATCH_ITERATE(e, cleanup_match, NULL);
669 t = ipt_get_target(e);
670 if (t->u.kernel.target->destroy)
671 t->u.kernel.target->destroy(t->u.kernel.target, t->data);
672 module_put(t->u.kernel.target->me);
676 /* Checks and translates the user-supplied table segment (held in
679 translate_table(const char *name,
680 unsigned int valid_hooks,
681 struct xt_table_info *newinfo,
685 const unsigned int *hook_entries,
686 const unsigned int *underflows)
691 newinfo->size = size;
692 newinfo->number = number;
694 /* Init all hooks to impossible value. */
695 for (i = 0; i < NF_IP_NUMHOOKS; i++) {
696 newinfo->hook_entry[i] = 0xFFFFFFFF;
697 newinfo->underflow[i] = 0xFFFFFFFF;
700 duprintf("translate_table: size %u\n", newinfo->size);
702 /* Walk through entries, checking offsets. */
703 ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
704 check_entry_size_and_hooks,
708 hook_entries, underflows, &i);
713 duprintf("translate_table: %u not %u entries\n",
718 /* Check hooks all assigned */
719 for (i = 0; i < NF_IP_NUMHOOKS; i++) {
720 /* Only hooks which are valid */
721 if (!(valid_hooks & (1 << i)))
723 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
724 duprintf("Invalid hook entry %u %u\n",
728 if (newinfo->underflow[i] == 0xFFFFFFFF) {
729 duprintf("Invalid underflow %u %u\n",
735 if (!mark_source_chains(newinfo, valid_hooks, entry0))
738 /* Finally, each sanity check must pass */
740 ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
741 find_check_entry, name, size, &i);
744 IPT_ENTRY_ITERATE(entry0, newinfo->size,
749 /* And one copy for every other CPU */
750 for_each_possible_cpu(i) {
751 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
752 memcpy(newinfo->entries[i], entry0, newinfo->size);
760 add_entry_to_counter(const struct ipt_entry *e,
761 struct xt_counters total[],
764 ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
771 set_entry_to_counter(const struct ipt_entry *e,
772 struct ipt_counters total[],
775 SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
782 get_counters(const struct xt_table_info *t,
783 struct xt_counters counters[])
789 /* Instead of clearing (by a previous call to memset())
790 * the counters and using adds, we set the counters
791 * with data used by 'current' CPU
792 * We dont care about preemption here.
794 curcpu = raw_smp_processor_id();
797 IPT_ENTRY_ITERATE(t->entries[curcpu],
799 set_entry_to_counter,
803 for_each_possible_cpu(cpu) {
807 IPT_ENTRY_ITERATE(t->entries[cpu],
809 add_entry_to_counter,
815 static inline struct xt_counters * alloc_counters(struct xt_table *table)
817 unsigned int countersize;
818 struct xt_counters *counters;
819 struct xt_table_info *private = table->private;
821 /* We need atomic snapshot of counters: rest doesn't change
822 (other than comefrom, which userspace doesn't care
824 countersize = sizeof(struct xt_counters) * private->number;
825 counters = vmalloc_node(countersize, numa_node_id());
827 if (counters == NULL)
828 return ERR_PTR(-ENOMEM);
830 /* First, sum counters... */
831 write_lock_bh(&table->lock);
832 get_counters(private, counters);
833 write_unlock_bh(&table->lock);
839 copy_entries_to_user(unsigned int total_size,
840 struct xt_table *table,
841 void __user *userptr)
843 unsigned int off, num;
845 struct xt_counters *counters;
846 struct xt_table_info *private = table->private;
850 counters = alloc_counters(table);
851 if (IS_ERR(counters))
852 return PTR_ERR(counters);
854 /* choose the copy that is on our node/cpu, ...
855 * This choice is lazy (because current thread is
856 * allowed to migrate to another cpu)
858 loc_cpu_entry = private->entries[raw_smp_processor_id()];
859 /* ... then copy entire thing ... */
860 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
865 /* FIXME: use iterator macros --RR */
866 /* ... then go back and fix counters and names */
867 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
869 struct ipt_entry_match *m;
870 struct ipt_entry_target *t;
872 e = (struct ipt_entry *)(loc_cpu_entry + off);
873 if (copy_to_user(userptr + off
874 + offsetof(struct ipt_entry, counters),
876 sizeof(counters[num])) != 0) {
881 for (i = sizeof(struct ipt_entry);
882 i < e->target_offset;
883 i += m->u.match_size) {
886 if (copy_to_user(userptr + off + i
887 + offsetof(struct ipt_entry_match,
889 m->u.kernel.match->name,
890 strlen(m->u.kernel.match->name)+1)
897 t = ipt_get_target(e);
898 if (copy_to_user(userptr + off + e->target_offset
899 + offsetof(struct ipt_entry_target,
901 t->u.kernel.target->name,
902 strlen(t->u.kernel.target->name)+1) != 0) {
914 struct compat_delta {
915 struct compat_delta *next;
920 static struct compat_delta *compat_offsets = NULL;
922 static int compat_add_offset(unsigned int offset, short delta)
924 struct compat_delta *tmp;
926 tmp = kmalloc(sizeof(struct compat_delta), GFP_KERNEL);
929 tmp->offset = offset;
931 if (compat_offsets) {
932 tmp->next = compat_offsets->next;
933 compat_offsets->next = tmp;
935 compat_offsets = tmp;
941 static void compat_flush_offsets(void)
943 struct compat_delta *tmp, *next;
945 if (compat_offsets) {
946 for(tmp = compat_offsets; tmp; tmp = next) {
950 compat_offsets = NULL;
954 static short compat_calc_jump(unsigned int offset)
956 struct compat_delta *tmp;
959 for(tmp = compat_offsets, delta = 0; tmp; tmp = tmp->next)
960 if (tmp->offset < offset)
965 static void compat_standard_from_user(void *dst, void *src)
967 int v = *(compat_int_t *)src;
970 v += compat_calc_jump(v);
971 memcpy(dst, &v, sizeof(v));
974 static int compat_standard_to_user(void __user *dst, void *src)
976 compat_int_t cv = *(int *)src;
979 cv -= compat_calc_jump(cv);
980 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
984 compat_calc_match(struct ipt_entry_match *m, int * size)
986 *size += xt_compat_match_offset(m->u.kernel.match);
990 static int compat_calc_entry(struct ipt_entry *e, struct xt_table_info *info,
991 void *base, struct xt_table_info *newinfo)
993 struct ipt_entry_target *t;
994 unsigned int entry_offset;
998 entry_offset = (void *)e - base;
999 IPT_MATCH_ITERATE(e, compat_calc_match, &off);
1000 t = ipt_get_target(e);
1001 off += xt_compat_target_offset(t->u.kernel.target);
1002 newinfo->size -= off;
1003 ret = compat_add_offset(entry_offset, off);
1007 for (i = 0; i< NF_IP_NUMHOOKS; i++) {
1008 if (info->hook_entry[i] && (e < (struct ipt_entry *)
1009 (base + info->hook_entry[i])))
1010 newinfo->hook_entry[i] -= off;
1011 if (info->underflow[i] && (e < (struct ipt_entry *)
1012 (base + info->underflow[i])))
1013 newinfo->underflow[i] -= off;
1018 static int compat_table_info(struct xt_table_info *info,
1019 struct xt_table_info *newinfo)
1021 void *loc_cpu_entry;
1024 if (!newinfo || !info)
1027 memset(newinfo, 0, sizeof(struct xt_table_info));
1028 newinfo->size = info->size;
1029 newinfo->number = info->number;
1030 for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1031 newinfo->hook_entry[i] = info->hook_entry[i];
1032 newinfo->underflow[i] = info->underflow[i];
1034 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1035 return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
1036 compat_calc_entry, info, loc_cpu_entry, newinfo);
1040 static int get_info(void __user *user, int *len, int compat)
1042 char name[IPT_TABLE_MAXNAMELEN];
1046 if (*len != sizeof(struct ipt_getinfo)) {
1047 duprintf("length %u != %u\n", *len,
1048 (unsigned int)sizeof(struct ipt_getinfo));
1052 if (copy_from_user(name, user, sizeof(name)) != 0)
1055 name[IPT_TABLE_MAXNAMELEN-1] = '\0';
1056 #ifdef CONFIG_COMPAT
1058 xt_compat_lock(AF_INET);
1060 t = try_then_request_module(xt_find_table_lock(AF_INET, name),
1061 "iptable_%s", name);
1062 if (t && !IS_ERR(t)) {
1063 struct ipt_getinfo info;
1064 struct xt_table_info *private = t->private;
1066 #ifdef CONFIG_COMPAT
1068 struct xt_table_info tmp;
1069 ret = compat_table_info(private, &tmp);
1070 compat_flush_offsets();
1074 info.valid_hooks = t->valid_hooks;
1075 memcpy(info.hook_entry, private->hook_entry,
1076 sizeof(info.hook_entry));
1077 memcpy(info.underflow, private->underflow,
1078 sizeof(info.underflow));
1079 info.num_entries = private->number;
1080 info.size = private->size;
1081 strcpy(info.name, name);
1083 if (copy_to_user(user, &info, *len) != 0)
1091 ret = t ? PTR_ERR(t) : -ENOENT;
1092 #ifdef CONFIG_COMPAT
1094 xt_compat_unlock(AF_INET);
1100 get_entries(struct ipt_get_entries __user *uptr, int *len)
1103 struct ipt_get_entries get;
1106 if (*len < sizeof(get)) {
1107 duprintf("get_entries: %u < %d\n", *len,
1108 (unsigned int)sizeof(get));
1111 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1113 if (*len != sizeof(struct ipt_get_entries) + get.size) {
1114 duprintf("get_entries: %u != %u\n", *len,
1115 (unsigned int)(sizeof(struct ipt_get_entries) +
1120 t = xt_find_table_lock(AF_INET, get.name);
1121 if (t && !IS_ERR(t)) {
1122 struct xt_table_info *private = t->private;
1123 duprintf("t->private->number = %u\n",
1125 if (get.size == private->size)
1126 ret = copy_entries_to_user(private->size,
1127 t, uptr->entrytable);
1129 duprintf("get_entries: I've got %u not %u!\n",
1137 ret = t ? PTR_ERR(t) : -ENOENT;
1143 __do_replace(const char *name, unsigned int valid_hooks,
1144 struct xt_table_info *newinfo, unsigned int num_counters,
1145 void __user *counters_ptr)
1149 struct xt_table_info *oldinfo;
1150 struct xt_counters *counters;
1151 void *loc_cpu_old_entry;
1154 counters = vmalloc(num_counters * sizeof(struct xt_counters));
1160 t = try_then_request_module(xt_find_table_lock(AF_INET, name),
1161 "iptable_%s", name);
1162 if (!t || IS_ERR(t)) {
1163 ret = t ? PTR_ERR(t) : -ENOENT;
1164 goto free_newinfo_counters_untrans;
1168 if (valid_hooks != t->valid_hooks) {
1169 duprintf("Valid hook crap: %08X vs %08X\n",
1170 valid_hooks, t->valid_hooks);
1175 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1179 /* Update module usage count based on number of rules */
1180 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1181 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1182 if ((oldinfo->number > oldinfo->initial_entries) ||
1183 (newinfo->number <= oldinfo->initial_entries))
1185 if ((oldinfo->number > oldinfo->initial_entries) &&
1186 (newinfo->number <= oldinfo->initial_entries))
1189 /* Get the old counters. */
1190 get_counters(oldinfo, counters);
1191 /* Decrease module usage counts and free resource */
1192 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1193 IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
1194 xt_free_table_info(oldinfo);
1195 if (copy_to_user(counters_ptr, counters,
1196 sizeof(struct xt_counters) * num_counters) != 0)
1205 free_newinfo_counters_untrans:
1212 do_replace(void __user *user, unsigned int len)
1215 struct ipt_replace tmp;
1216 struct xt_table_info *newinfo;
1217 void *loc_cpu_entry;
1219 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1222 /* Hack: Causes ipchains to give correct error msg --RR */
1223 if (len != sizeof(tmp) + tmp.size)
1224 return -ENOPROTOOPT;
1226 /* overflow check */
1227 if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
1230 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1233 newinfo = xt_alloc_table_info(tmp.size);
1237 /* choose the copy that is our node/cpu */
1238 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1239 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1245 ret = translate_table(tmp.name, tmp.valid_hooks,
1246 newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
1247 tmp.hook_entry, tmp.underflow);
1251 duprintf("ip_tables: Translated table\n");
1253 ret = __do_replace(tmp.name, tmp.valid_hooks,
1254 newinfo, tmp.num_counters,
1257 goto free_newinfo_untrans;
1260 free_newinfo_untrans:
1261 IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
1263 xt_free_table_info(newinfo);
1267 /* We're lazy, and add to the first CPU; overflow works its fey magic
1268 * and everything is OK. */
1270 add_counter_to_entry(struct ipt_entry *e,
1271 const struct xt_counters addme[],
1275 duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
1277 (long unsigned int)e->counters.pcnt,
1278 (long unsigned int)e->counters.bcnt,
1279 (long unsigned int)addme[*i].pcnt,
1280 (long unsigned int)addme[*i].bcnt);
1283 ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
1290 do_add_counters(void __user *user, unsigned int len, int compat)
1293 struct xt_counters_info tmp;
1294 struct xt_counters *paddc;
1295 unsigned int num_counters;
1300 struct xt_table_info *private;
1302 void *loc_cpu_entry;
1303 #ifdef CONFIG_COMPAT
1304 struct compat_xt_counters_info compat_tmp;
1308 size = sizeof(struct compat_xt_counters_info);
1313 size = sizeof(struct xt_counters_info);
1316 if (copy_from_user(ptmp, user, size) != 0)
1319 #ifdef CONFIG_COMPAT
1321 num_counters = compat_tmp.num_counters;
1322 name = compat_tmp.name;
1326 num_counters = tmp.num_counters;
1330 if (len != size + num_counters * sizeof(struct xt_counters))
1333 paddc = vmalloc_node(len - size, numa_node_id());
1337 if (copy_from_user(paddc, user + size, len - size) != 0) {
1342 t = xt_find_table_lock(AF_INET, name);
1343 if (!t || IS_ERR(t)) {
1344 ret = t ? PTR_ERR(t) : -ENOENT;
1348 write_lock_bh(&t->lock);
1349 private = t->private;
1350 if (private->number != num_counters) {
1352 goto unlock_up_free;
1356 /* Choose the copy that is on our node */
1357 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1358 IPT_ENTRY_ITERATE(loc_cpu_entry,
1360 add_counter_to_entry,
1364 write_unlock_bh(&t->lock);
1373 #ifdef CONFIG_COMPAT
1374 struct compat_ipt_replace {
1375 char name[IPT_TABLE_MAXNAMELEN];
1379 u32 hook_entry[NF_IP_NUMHOOKS];
1380 u32 underflow[NF_IP_NUMHOOKS];
1382 compat_uptr_t counters; /* struct ipt_counters * */
1383 struct compat_ipt_entry entries[0];
1386 static inline int compat_copy_match_to_user(struct ipt_entry_match *m,
1387 void __user **dstptr, compat_uint_t *size)
1389 return xt_compat_match_to_user(m, dstptr, size);
1392 static int compat_copy_entry_to_user(struct ipt_entry *e,
1393 void __user **dstptr, compat_uint_t *size)
1395 struct ipt_entry_target *t;
1396 struct compat_ipt_entry __user *ce;
1397 u_int16_t target_offset, next_offset;
1398 compat_uint_t origsize;
1403 ce = (struct compat_ipt_entry __user *)*dstptr;
1404 if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
1407 *dstptr += sizeof(struct compat_ipt_entry);
1408 ret = IPT_MATCH_ITERATE(e, compat_copy_match_to_user, dstptr, size);
1409 target_offset = e->target_offset - (origsize - *size);
1412 t = ipt_get_target(e);
1413 ret = xt_compat_target_to_user(t, dstptr, size);
1417 next_offset = e->next_offset - (origsize - *size);
1418 if (put_user(target_offset, &ce->target_offset))
1420 if (put_user(next_offset, &ce->next_offset))
1428 compat_check_calc_match(struct ipt_entry_match *m,
1430 const struct ipt_ip *ip,
1431 unsigned int hookmask,
1434 struct xt_match *match;
1436 match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
1437 m->u.user.revision),
1438 "ipt_%s", m->u.user.name);
1439 if (IS_ERR(match) || !match) {
1440 duprintf("compat_check_calc_match: `%s' not found\n",
1442 return match ? PTR_ERR(match) : -ENOENT;
1444 m->u.kernel.match = match;
1445 *size += xt_compat_match_offset(match);
1452 check_compat_entry_size_and_hooks(struct ipt_entry *e,
1453 struct xt_table_info *newinfo,
1455 unsigned char *base,
1456 unsigned char *limit,
1457 unsigned int *hook_entries,
1458 unsigned int *underflows,
1462 struct ipt_entry_target *t;
1463 struct xt_target *target;
1464 unsigned int entry_offset;
1467 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1468 if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
1469 || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1470 duprintf("Bad offset %p, limit = %p\n", e, limit);
1474 if (e->next_offset < sizeof(struct compat_ipt_entry) +
1475 sizeof(struct compat_xt_entry_target)) {
1476 duprintf("checking: element %p size %u\n",
1481 ret = check_entry(e, name);
1486 entry_offset = (void *)e - (void *)base;
1488 ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip,
1489 e->comefrom, &off, &j);
1491 goto cleanup_matches;
1493 t = ipt_get_target(e);
1494 target = try_then_request_module(xt_find_target(AF_INET,
1496 t->u.user.revision),
1497 "ipt_%s", t->u.user.name);
1498 if (IS_ERR(target) || !target) {
1499 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1501 ret = target ? PTR_ERR(target) : -ENOENT;
1502 goto cleanup_matches;
1504 t->u.kernel.target = target;
1506 off += xt_compat_target_offset(target);
1508 ret = compat_add_offset(entry_offset, off);
1512 /* Check hooks & underflows */
1513 for (h = 0; h < NF_IP_NUMHOOKS; h++) {
1514 if ((unsigned char *)e - base == hook_entries[h])
1515 newinfo->hook_entry[h] = hook_entries[h];
1516 if ((unsigned char *)e - base == underflows[h])
1517 newinfo->underflow[h] = underflows[h];
1520 /* Clear counters and comefrom */
1521 e->counters = ((struct ipt_counters) { 0, 0 });
1528 module_put(t->u.kernel.target->me);
1530 IPT_MATCH_ITERATE(e, cleanup_match, &j);
1534 static inline int compat_copy_match_from_user(struct ipt_entry_match *m,
1535 void **dstptr, compat_uint_t *size, const char *name,
1536 const struct ipt_ip *ip, unsigned int hookmask)
1538 xt_compat_match_from_user(m, dstptr, size);
1542 static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr,
1543 unsigned int *size, const char *name,
1544 struct xt_table_info *newinfo, unsigned char *base)
1546 struct ipt_entry_target *t;
1547 struct xt_target *target;
1548 struct ipt_entry *de;
1549 unsigned int origsize;
1554 de = (struct ipt_entry *)*dstptr;
1555 memcpy(de, e, sizeof(struct ipt_entry));
1557 *dstptr += sizeof(struct compat_ipt_entry);
1558 ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size,
1559 name, &de->ip, de->comefrom);
1562 de->target_offset = e->target_offset - (origsize - *size);
1563 t = ipt_get_target(e);
1564 target = t->u.kernel.target;
1565 xt_compat_target_from_user(t, dstptr, size);
1567 de->next_offset = e->next_offset - (origsize - *size);
1568 for (h = 0; h < NF_IP_NUMHOOKS; h++) {
1569 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1570 newinfo->hook_entry[h] -= origsize - *size;
1571 if ((unsigned char *)de - base < newinfo->underflow[h])
1572 newinfo->underflow[h] -= origsize - *size;
1577 static inline int compat_check_entry(struct ipt_entry *e, const char *name)
1581 ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom);
1585 return check_target(e, name);
1589 translate_compat_table(const char *name,
1590 unsigned int valid_hooks,
1591 struct xt_table_info **pinfo,
1593 unsigned int total_size,
1594 unsigned int number,
1595 unsigned int *hook_entries,
1596 unsigned int *underflows)
1599 struct xt_table_info *newinfo, *info;
1600 void *pos, *entry0, *entry1;
1607 info->number = number;
1609 /* Init all hooks to impossible value. */
1610 for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1611 info->hook_entry[i] = 0xFFFFFFFF;
1612 info->underflow[i] = 0xFFFFFFFF;
1615 duprintf("translate_compat_table: size %u\n", info->size);
1617 xt_compat_lock(AF_INET);
1618 /* Walk through entries, checking offsets. */
1619 ret = IPT_ENTRY_ITERATE(entry0, total_size,
1620 check_compat_entry_size_and_hooks,
1621 info, &size, entry0,
1622 entry0 + total_size,
1623 hook_entries, underflows, &j, name);
1629 duprintf("translate_compat_table: %u not %u entries\n",
1634 /* Check hooks all assigned */
1635 for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1636 /* Only hooks which are valid */
1637 if (!(valid_hooks & (1 << i)))
1639 if (info->hook_entry[i] == 0xFFFFFFFF) {
1640 duprintf("Invalid hook entry %u %u\n",
1641 i, hook_entries[i]);
1644 if (info->underflow[i] == 0xFFFFFFFF) {
1645 duprintf("Invalid underflow %u %u\n",
1652 newinfo = xt_alloc_table_info(size);
1656 newinfo->number = number;
1657 for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1658 newinfo->hook_entry[i] = info->hook_entry[i];
1659 newinfo->underflow[i] = info->underflow[i];
1661 entry1 = newinfo->entries[raw_smp_processor_id()];
1664 ret = IPT_ENTRY_ITERATE(entry0, total_size,
1665 compat_copy_entry_from_user, &pos, &size,
1666 name, newinfo, entry1);
1667 compat_flush_offsets();
1668 xt_compat_unlock(AF_INET);
1673 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1676 ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
1681 /* And one copy for every other CPU */
1682 for_each_possible_cpu(i)
1683 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1684 memcpy(newinfo->entries[i], entry1, newinfo->size);
1688 xt_free_table_info(info);
1692 xt_free_table_info(newinfo);
1694 IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j);
1697 compat_flush_offsets();
1698 xt_compat_unlock(AF_INET);
1703 compat_do_replace(void __user *user, unsigned int len)
1706 struct compat_ipt_replace tmp;
1707 struct xt_table_info *newinfo;
1708 void *loc_cpu_entry;
1710 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1713 /* Hack: Causes ipchains to give correct error msg --RR */
1714 if (len != sizeof(tmp) + tmp.size)
1715 return -ENOPROTOOPT;
1717 /* overflow check */
1718 if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
1721 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1724 newinfo = xt_alloc_table_info(tmp.size);
1728 /* choose the copy that is our node/cpu */
1729 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1730 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1736 ret = translate_compat_table(tmp.name, tmp.valid_hooks,
1737 &newinfo, &loc_cpu_entry, tmp.size,
1738 tmp.num_entries, tmp.hook_entry, tmp.underflow);
1742 duprintf("compat_do_replace: Translated table\n");
1744 ret = __do_replace(tmp.name, tmp.valid_hooks,
1745 newinfo, tmp.num_counters,
1746 compat_ptr(tmp.counters));
1748 goto free_newinfo_untrans;
1751 free_newinfo_untrans:
1752 IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
1754 xt_free_table_info(newinfo);
1759 compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
1764 if (!capable(CAP_NET_ADMIN))
1768 case IPT_SO_SET_REPLACE:
1769 ret = compat_do_replace(user, len);
1772 case IPT_SO_SET_ADD_COUNTERS:
1773 ret = do_add_counters(user, len, 1);
1777 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
1784 struct compat_ipt_get_entries
1786 char name[IPT_TABLE_MAXNAMELEN];
1788 struct compat_ipt_entry entrytable[0];
1791 static int compat_copy_entries_to_user(unsigned int total_size,
1792 struct xt_table *table, void __user *userptr)
1794 unsigned int off, num;
1795 struct compat_ipt_entry e;
1796 struct xt_counters *counters;
1797 struct xt_table_info *private = table->private;
1801 void *loc_cpu_entry;
1803 counters = alloc_counters(table);
1804 if (IS_ERR(counters))
1805 return PTR_ERR(counters);
1807 /* choose the copy that is on our node/cpu, ...
1808 * This choice is lazy (because current thread is
1809 * allowed to migrate to another cpu)
1811 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1814 ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
1815 compat_copy_entry_to_user, &pos, &size);
1819 /* ... then go back and fix counters and names */
1820 for (off = 0, num = 0; off < size; off += e.next_offset, num++) {
1822 struct ipt_entry_match m;
1823 struct ipt_entry_target t;
1826 if (copy_from_user(&e, userptr + off,
1827 sizeof(struct compat_ipt_entry)))
1829 if (copy_to_user(userptr + off +
1830 offsetof(struct compat_ipt_entry, counters),
1831 &counters[num], sizeof(counters[num])))
1834 for (i = sizeof(struct compat_ipt_entry);
1835 i < e.target_offset; i += m.u.match_size) {
1836 if (copy_from_user(&m, userptr + off + i,
1837 sizeof(struct ipt_entry_match)))
1839 if (copy_to_user(userptr + off + i +
1840 offsetof(struct ipt_entry_match, u.user.name),
1841 m.u.kernel.match->name,
1842 strlen(m.u.kernel.match->name) + 1))
1846 if (copy_from_user(&t, userptr + off + e.target_offset,
1847 sizeof(struct ipt_entry_target)))
1849 if (copy_to_user(userptr + off + e.target_offset +
1850 offsetof(struct ipt_entry_target, u.user.name),
1851 t.u.kernel.target->name,
1852 strlen(t.u.kernel.target->name) + 1))
1862 compat_get_entries(struct compat_ipt_get_entries __user *uptr, int *len)
1865 struct compat_ipt_get_entries get;
1869 if (*len < sizeof(get)) {
1870 duprintf("compat_get_entries: %u < %u\n",
1871 *len, (unsigned int)sizeof(get));
1875 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1878 if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
1879 duprintf("compat_get_entries: %u != %u\n", *len,
1880 (unsigned int)(sizeof(struct compat_ipt_get_entries) +
1885 xt_compat_lock(AF_INET);
1886 t = xt_find_table_lock(AF_INET, get.name);
1887 if (t && !IS_ERR(t)) {
1888 struct xt_table_info *private = t->private;
1889 struct xt_table_info info;
1890 duprintf("t->private->number = %u\n",
1892 ret = compat_table_info(private, &info);
1893 if (!ret && get.size == info.size) {
1894 ret = compat_copy_entries_to_user(private->size,
1895 t, uptr->entrytable);
1897 duprintf("compat_get_entries: I've got %u not %u!\n",
1902 compat_flush_offsets();
1906 ret = t ? PTR_ERR(t) : -ENOENT;
1908 xt_compat_unlock(AF_INET);
1912 static int do_ipt_get_ctl(struct sock *, int, void __user *, int *);
1915 compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1919 if (!capable(CAP_NET_ADMIN))
1923 case IPT_SO_GET_INFO:
1924 ret = get_info(user, len, 1);
1926 case IPT_SO_GET_ENTRIES:
1927 ret = compat_get_entries(user, len);
1930 ret = do_ipt_get_ctl(sk, cmd, user, len);
1937 do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1941 if (!capable(CAP_NET_ADMIN))
1945 case IPT_SO_SET_REPLACE:
1946 ret = do_replace(user, len);
1949 case IPT_SO_SET_ADD_COUNTERS:
1950 ret = do_add_counters(user, len, 0);
1954 duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
1962 do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1966 if (!capable(CAP_NET_ADMIN))
1970 case IPT_SO_GET_INFO:
1971 ret = get_info(user, len, 0);
1974 case IPT_SO_GET_ENTRIES:
1975 ret = get_entries(user, len);
1978 case IPT_SO_GET_REVISION_MATCH:
1979 case IPT_SO_GET_REVISION_TARGET: {
1980 struct ipt_get_revision rev;
1983 if (*len != sizeof(rev)) {
1987 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
1992 if (cmd == IPT_SO_GET_REVISION_TARGET)
1997 try_then_request_module(xt_find_revision(AF_INET, rev.name,
2000 "ipt_%s", rev.name);
2005 duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
2012 int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
2015 struct xt_table_info *newinfo;
2016 static struct xt_table_info bootstrap
2017 = { 0, 0, 0, { 0 }, { 0 }, { } };
2018 void *loc_cpu_entry;
2020 newinfo = xt_alloc_table_info(repl->size);
2024 /* choose the copy on our node/cpu
2025 * but dont care of preemption
2027 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2028 memcpy(loc_cpu_entry, repl->entries, repl->size);
2030 ret = translate_table(table->name, table->valid_hooks,
2031 newinfo, loc_cpu_entry, repl->size,
2036 xt_free_table_info(newinfo);
2040 ret = xt_register_table(table, &bootstrap, newinfo);
2042 xt_free_table_info(newinfo);
2049 void ipt_unregister_table(struct xt_table *table)
2051 struct xt_table_info *private;
2052 void *loc_cpu_entry;
2054 private = xt_unregister_table(table);
2056 /* Decrease module usage counts and free resources */
2057 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2058 IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
2059 xt_free_table_info(private);
2062 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2064 icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2065 u_int8_t type, u_int8_t code,
2068 return ((test_type == 0xFF) || (type == test_type && code >= min_code && code <= max_code))
2073 icmp_match(const struct sk_buff *skb,
2074 const struct net_device *in,
2075 const struct net_device *out,
2076 const struct xt_match *match,
2077 const void *matchinfo,
2079 unsigned int protoff,
2082 struct icmphdr _icmph, *ic;
2083 const struct ipt_icmp *icmpinfo = matchinfo;
2085 /* Must not be a fragment. */
2089 ic = skb_header_pointer(skb, protoff, sizeof(_icmph), &_icmph);
2091 /* We've been asked to examine this packet, and we
2092 * can't. Hence, no choice but to drop.
2094 duprintf("Dropping evil ICMP tinygram.\n");
2099 return icmp_type_code_match(icmpinfo->type,
2103 !!(icmpinfo->invflags&IPT_ICMP_INV));
2106 /* Called when user tries to insert an entry of this type. */
2108 icmp_checkentry(const char *tablename,
2110 const struct xt_match *match,
2112 unsigned int hook_mask)
2114 const struct ipt_icmp *icmpinfo = matchinfo;
2116 /* Must specify no unknown invflags */
2117 return !(icmpinfo->invflags & ~IPT_ICMP_INV);
2120 /* The built-in targets: standard (NULL) and error. */
2121 static struct xt_target ipt_standard_target = {
2122 .name = IPT_STANDARD_TARGET,
2123 .targetsize = sizeof(int),
2125 #ifdef CONFIG_COMPAT
2126 .compatsize = sizeof(compat_int_t),
2127 .compat_from_user = compat_standard_from_user,
2128 .compat_to_user = compat_standard_to_user,
2132 static struct xt_target ipt_error_target = {
2133 .name = IPT_ERROR_TARGET,
2134 .target = ipt_error,
2135 .targetsize = IPT_FUNCTION_MAXNAMELEN,
2139 static struct nf_sockopt_ops ipt_sockopts = {
2141 .set_optmin = IPT_BASE_CTL,
2142 .set_optmax = IPT_SO_SET_MAX+1,
2143 .set = do_ipt_set_ctl,
2144 #ifdef CONFIG_COMPAT
2145 .compat_set = compat_do_ipt_set_ctl,
2147 .get_optmin = IPT_BASE_CTL,
2148 .get_optmax = IPT_SO_GET_MAX+1,
2149 .get = do_ipt_get_ctl,
2150 #ifdef CONFIG_COMPAT
2151 .compat_get = compat_do_ipt_get_ctl,
2155 static struct xt_match icmp_matchstruct = {
2157 .match = icmp_match,
2158 .matchsize = sizeof(struct ipt_icmp),
2159 .proto = IPPROTO_ICMP,
2161 .checkentry = icmp_checkentry,
2164 static int __init ip_tables_init(void)
2168 ret = xt_proto_init(AF_INET);
2172 /* Noone else will be downing sem now, so we won't sleep */
2173 ret = xt_register_target(&ipt_standard_target);
2176 ret = xt_register_target(&ipt_error_target);
2179 ret = xt_register_match(&icmp_matchstruct);
2183 /* Register setsockopt */
2184 ret = nf_register_sockopt(&ipt_sockopts);
2188 printk("ip_tables: (C) 2000-2006 Netfilter Core Team\n");
2192 xt_unregister_match(&icmp_matchstruct);
2194 xt_unregister_target(&ipt_error_target);
2196 xt_unregister_target(&ipt_standard_target);
2198 xt_proto_fini(AF_INET);
2203 static void __exit ip_tables_fini(void)
2205 nf_unregister_sockopt(&ipt_sockopts);
2207 xt_unregister_match(&icmp_matchstruct);
2208 xt_unregister_target(&ipt_error_target);
2209 xt_unregister_target(&ipt_standard_target);
2211 xt_proto_fini(AF_INET);
2214 EXPORT_SYMBOL(ipt_register_table);
2215 EXPORT_SYMBOL(ipt_unregister_table);
2216 EXPORT_SYMBOL(ipt_do_table);
2217 module_init(ip_tables_init);
2218 module_exit(ip_tables_fini);
projects / linux-2.6 / blob