2  * Packet matching code.
 
   4  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
 
   5  * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
 
   7  * This program is free software; you can redistribute it and/or modify
 
   8  * it under the terms of the GNU General Public License version 2 as
 
   9  * published by the Free Software Foundation.
 
  11  * 19 Jan 2002 Harald Welte <laforge@gnumonks.org>
 
  12  *      - increase module usage count as soon as we have rules inside
 
  14  * 08 Oct 2005 Harald Welte <lafore@netfilter.org>
 
  15  *      - Generalize into "x_tables" layer and "{ip,ip6,arp}_tables"
 
  17 #include <linux/cache.h>
 
  18 #include <linux/capability.h>
 
  19 #include <linux/skbuff.h>
 
  20 #include <linux/kmod.h>
 
  21 #include <linux/vmalloc.h>
 
  22 #include <linux/netdevice.h>
 
  23 #include <linux/module.h>
 
  24 #include <linux/icmp.h>
 
  26 #include <net/compat.h>
 
  27 #include <asm/uaccess.h>
 
  28 #include <linux/mutex.h>
 
  29 #include <linux/proc_fs.h>
 
  30 #include <linux/err.h>
 
  31 #include <linux/cpumask.h>
 
  33 #include <linux/netfilter/x_tables.h>
 
  34 #include <linux/netfilter_ipv4/ip_tables.h>
 
  36 MODULE_LICENSE("GPL");
 
  37 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
 
  38 MODULE_DESCRIPTION("IPv4 packet filter");
 
  40 /*#define DEBUG_IP_FIREWALL*/
 
  41 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
 
  42 /*#define DEBUG_IP_FIREWALL_USER*/
 
  44 #ifdef DEBUG_IP_FIREWALL
 
  45 #define dprintf(format, args...)  printk(format , ## args)
 
  47 #define dprintf(format, args...)
 
  50 #ifdef DEBUG_IP_FIREWALL_USER
 
  51 #define duprintf(format, args...) printk(format , ## args)
 
  53 #define duprintf(format, args...)
 
  56 #ifdef CONFIG_NETFILTER_DEBUG
 
  57 #define IP_NF_ASSERT(x)                                         \
 
  60                 printk("IP_NF_ASSERT: %s:%s:%u\n",              \
 
  61                        __FUNCTION__, __FILE__, __LINE__);       \
 
  64 #define IP_NF_ASSERT(x)
 
  68 /* All the better to debug you with... */
 
  74    We keep a set of rules for each CPU, so we can avoid write-locking
 
  75    them in the softirq when updating the counters and therefore
 
  76    only need to read-lock in the softirq; doing a write_lock_bh() in user
 
  77    context stops packets coming through and allows user context to read
 
  78    the counters or update the rules.
 
  80    Hence the start of any table is given by get_table() below.  */
 
  82 /* Returns whether matches rule or not. */
 
  84 ip_packet_match(const struct iphdr *ip,
 
  87                 const struct ipt_ip *ipinfo,
 
  93 #define FWINV(bool,invflg) ((bool) ^ !!(ipinfo->invflags & invflg))
 
  95         if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
 
  97             || FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
 
  99                 dprintf("Source or dest mismatch.\n");
 
 101                 dprintf("SRC: %u.%u.%u.%u. Mask: %u.%u.%u.%u. Target: %u.%u.%u.%u.%s\n",
 
 103                         NIPQUAD(ipinfo->smsk.s_addr),
 
 104                         NIPQUAD(ipinfo->src.s_addr),
 
 105                         ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
 
 106                 dprintf("DST: %u.%u.%u.%u Mask: %u.%u.%u.%u Target: %u.%u.%u.%u.%s\n",
 
 108                         NIPQUAD(ipinfo->dmsk.s_addr),
 
 109                         NIPQUAD(ipinfo->dst.s_addr),
 
 110                         ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
 
 114         /* Look for ifname matches; this should unroll nicely. */
 
 115         for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
 
 116                 ret |= (((const unsigned long *)indev)[i]
 
 117                         ^ ((const unsigned long *)ipinfo->iniface)[i])
 
 118                         & ((const unsigned long *)ipinfo->iniface_mask)[i];
 
 121         if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
 
 122                 dprintf("VIA in mismatch (%s vs %s).%s\n",
 
 123                         indev, ipinfo->iniface,
 
 124                         ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
 
 128         for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
 
 129                 ret |= (((const unsigned long *)outdev)[i]
 
 130                         ^ ((const unsigned long *)ipinfo->outiface)[i])
 
 131                         & ((const unsigned long *)ipinfo->outiface_mask)[i];
 
 134         if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
 
 135                 dprintf("VIA out mismatch (%s vs %s).%s\n",
 
 136                         outdev, ipinfo->outiface,
 
 137                         ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
 
 141         /* Check specific protocol */
 
 143             && FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
 
 144                 dprintf("Packet protocol %hi does not match %hi.%s\n",
 
 145                         ip->protocol, ipinfo->proto,
 
 146                         ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
 
 150         /* If we have a fragment rule but the packet is not a fragment
 
 151          * then we return zero */
 
 152         if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
 
 153                 dprintf("Fragment rule but not fragment.%s\n",
 
 154                         ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
 
 162 ip_checkentry(const struct ipt_ip *ip)
 
 164         if (ip->flags & ~IPT_F_MASK) {
 
 165                 duprintf("Unknown flag bits set: %08X\n",
 
 166                          ip->flags & ~IPT_F_MASK);
 
 169         if (ip->invflags & ~IPT_INV_MASK) {
 
 170                 duprintf("Unknown invflag bits set: %08X\n",
 
 171                          ip->invflags & ~IPT_INV_MASK);
 
 178 ipt_error(struct sk_buff **pskb,
 
 179           const struct net_device *in,
 
 180           const struct net_device *out,
 
 181           unsigned int hooknum,
 
 182           const struct xt_target *target,
 
 183           const void *targinfo)
 
 186                 printk("ip_tables: error: `%s'\n", (char *)targinfo);
 
 192 int do_match(struct ipt_entry_match *m,
 
 193              const struct sk_buff *skb,
 
 194              const struct net_device *in,
 
 195              const struct net_device *out,
 
 199         /* Stop iteration if it doesn't match */
 
 200         if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
 
 201                                       offset, skb->nh.iph->ihl*4, hotdrop))
 
 207 static inline struct ipt_entry *
 
 208 get_entry(void *base, unsigned int offset)
 
 210         return (struct ipt_entry *)(base + offset);
 
 213 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
 
 215 ipt_do_table(struct sk_buff **pskb,
 
 217              const struct net_device *in,
 
 218              const struct net_device *out,
 
 219              struct ipt_table *table)
 
 221         static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
 
 226         /* Initializing verdict to NF_DROP keeps gcc happy. */
 
 227         unsigned int verdict = NF_DROP;
 
 228         const char *indev, *outdev;
 
 230         struct ipt_entry *e, *back;
 
 231         struct xt_table_info *private;
 
 234         ip = (*pskb)->nh.iph;
 
 235         datalen = (*pskb)->len - ip->ihl * 4;
 
 236         indev = in ? in->name : nulldevname;
 
 237         outdev = out ? out->name : nulldevname;
 
 238         /* We handle fragments by dealing with the first fragment as
 
 239          * if it was a normal packet.  All other fragments are treated
 
 240          * normally, except that they will NEVER match rules that ask
 
 241          * things we don't know, ie. tcp syn flag or ports).  If the
 
 242          * rule is also a fragment-specific rule, non-fragments won't
 
 244         offset = ntohs(ip->frag_off) & IP_OFFSET;
 
 246         read_lock_bh(&table->lock);
 
 247         IP_NF_ASSERT(table->valid_hooks & (1 << hook));
 
 248         private = table->private;
 
 249         table_base = (void *)private->entries[smp_processor_id()];
 
 250         e = get_entry(table_base, private->hook_entry[hook]);
 
 252         /* For return from builtin chain */
 
 253         back = get_entry(table_base, private->underflow[hook]);
 
 258                 if (ip_packet_match(ip, indev, outdev, &e->ip, offset)) {
 
 259                         struct ipt_entry_target *t;
 
 261                         if (IPT_MATCH_ITERATE(e, do_match,
 
 263                                               offset, &hotdrop) != 0)
 
 266                         ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
 
 268                         t = ipt_get_target(e);
 
 269                         IP_NF_ASSERT(t->u.kernel.target);
 
 270                         /* Standard target? */
 
 271                         if (!t->u.kernel.target->target) {
 
 274                                 v = ((struct ipt_standard_target *)t)->verdict;
 
 276                                         /* Pop from stack? */
 
 277                                         if (v != IPT_RETURN) {
 
 278                                                 verdict = (unsigned)(-v) - 1;
 
 282                                         back = get_entry(table_base,
 
 286                                 if (table_base + v != (void *)e + e->next_offset
 
 287                                     && !(e->ip.flags & IPT_F_GOTO)) {
 
 288                                         /* Save old back ptr in next entry */
 
 289                                         struct ipt_entry *next
 
 290                                                 = (void *)e + e->next_offset;
 
 292                                                 = (void *)back - table_base;
 
 293                                         /* set back pointer to next entry */
 
 297                                 e = get_entry(table_base, v);
 
 299                                 /* Targets which reenter must return
 
 301 #ifdef CONFIG_NETFILTER_DEBUG
 
 302                                 ((struct ipt_entry *)table_base)->comefrom
 
 305                                 verdict = t->u.kernel.target->target(pskb,
 
 311 #ifdef CONFIG_NETFILTER_DEBUG
 
 312                                 if (((struct ipt_entry *)table_base)->comefrom
 
 314                                     && verdict == IPT_CONTINUE) {
 
 315                                         printk("Target %s reentered!\n",
 
 316                                                t->u.kernel.target->name);
 
 319                                 ((struct ipt_entry *)table_base)->comefrom
 
 322                                 /* Target might have changed stuff. */
 
 323                                 ip = (*pskb)->nh.iph;
 
 324                                 datalen = (*pskb)->len - ip->ihl * 4;
 
 326                                 if (verdict == IPT_CONTINUE)
 
 327                                         e = (void *)e + e->next_offset;
 
 335                         e = (void *)e + e->next_offset;
 
 339         read_unlock_bh(&table->lock);
 
 341 #ifdef DEBUG_ALLOW_ALL
 
 350 /* All zeroes == unconditional rule. */
 
 352 unconditional(const struct ipt_ip *ip)
 
 356         for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
 
 357                 if (((__u32 *)ip)[i])
 
 363 /* Figures out from what hook each rule can be called: returns 0 if
 
 364    there are loops.  Puts hook bitmask in comefrom. */
 
 366 mark_source_chains(struct xt_table_info *newinfo,
 
 367                    unsigned int valid_hooks, void *entry0)
 
 371         /* No recursion; use packet counter to save back ptrs (reset
 
 372            to 0 as we leave), and comefrom to save source hook bitmask */
 
 373         for (hook = 0; hook < NF_IP_NUMHOOKS; hook++) {
 
 374                 unsigned int pos = newinfo->hook_entry[hook];
 
 376                         = (struct ipt_entry *)(entry0 + pos);
 
 378                 if (!(valid_hooks & (1 << hook)))
 
 381                 /* Set initial back pointer. */
 
 382                 e->counters.pcnt = pos;
 
 385                         struct ipt_standard_target *t
 
 386                                 = (void *)ipt_get_target(e);
 
 387                         int visited = e->comefrom & (1 << hook);
 
 389                         if (e->comefrom & (1 << NF_IP_NUMHOOKS)) {
 
 390                                 printk("iptables: loop hook %u pos %u %08X.\n",
 
 391                                        hook, pos, e->comefrom);
 
 395                                 |= ((1 << hook) | (1 << NF_IP_NUMHOOKS));
 
 397                         /* Unconditional return/END. */
 
 398                         if ((e->target_offset == sizeof(struct ipt_entry)
 
 399                             && (strcmp(t->target.u.user.name,
 
 400                                        IPT_STANDARD_TARGET) == 0)
 
 402                             && unconditional(&e->ip)) || visited) {
 
 403                                 unsigned int oldpos, size;
 
 405                                 if (t->verdict < -NF_MAX_VERDICT - 1) {
 
 406                                         duprintf("mark_source_chains: bad "
 
 407                                                 "negative verdict (%i)\n",
 
 412                                 /* Return: backtrack through the last
 
 415                                         e->comefrom ^= (1<<NF_IP_NUMHOOKS);
 
 416 #ifdef DEBUG_IP_FIREWALL_USER
 
 418                                             & (1 << NF_IP_NUMHOOKS)) {
 
 419                                                 duprintf("Back unset "
 
 426                                         pos = e->counters.pcnt;
 
 427                                         e->counters.pcnt = 0;
 
 429                                         /* We're at the start. */
 
 433                                         e = (struct ipt_entry *)
 
 435                                 } while (oldpos == pos + e->next_offset);
 
 438                                 size = e->next_offset;
 
 439                                 e = (struct ipt_entry *)
 
 440                                         (entry0 + pos + size);
 
 441                                 e->counters.pcnt = pos;
 
 444                                 int newpos = t->verdict;
 
 446                                 if (strcmp(t->target.u.user.name,
 
 447                                            IPT_STANDARD_TARGET) == 0
 
 449                                         if (newpos > newinfo->size -
 
 450                                                 sizeof(struct ipt_entry)) {
 
 451                                                 duprintf("mark_source_chains: "
 
 452                                                         "bad verdict (%i)\n",
 
 456                                         /* This a jump; chase it. */
 
 457                                         duprintf("Jump rule %u -> %u\n",
 
 460                                         /* ... this is a fallthru */
 
 461                                         newpos = pos + e->next_offset;
 
 463                                 e = (struct ipt_entry *)
 
 465                                 e->counters.pcnt = pos;
 
 470                 duprintf("Finished chain %u\n", hook);
 
 476 cleanup_match(struct ipt_entry_match *m, unsigned int *i)
 
 478         if (i && (*i)-- == 0)
 
 481         if (m->u.kernel.match->destroy)
 
 482                 m->u.kernel.match->destroy(m->u.kernel.match, m->data);
 
 483         module_put(m->u.kernel.match->me);
 
 488 check_entry(struct ipt_entry *e, const char *name)
 
 490         struct ipt_entry_target *t;
 
 492         if (!ip_checkentry(&e->ip)) {
 
 493                 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
 
 497         if (e->target_offset + sizeof(struct ipt_entry_target) > e->next_offset)
 
 500         t = ipt_get_target(e);
 
 501         if (e->target_offset + t->u.target_size > e->next_offset)
 
 507 static inline int check_match(struct ipt_entry_match *m, const char *name,
 
 508                                 const struct ipt_ip *ip, unsigned int hookmask)
 
 510         struct ipt_match *match;
 
 513         match = m->u.kernel.match;
 
 514         ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
 
 515                              name, hookmask, ip->proto,
 
 516                              ip->invflags & IPT_INV_PROTO);
 
 517         if (!ret && m->u.kernel.match->checkentry
 
 518             && !m->u.kernel.match->checkentry(name, ip, match, m->data,
 
 520                 duprintf("ip_tables: check failed for `%s'.\n",
 
 521                          m->u.kernel.match->name);
 
 528 find_check_match(struct ipt_entry_match *m,
 
 530             const struct ipt_ip *ip,
 
 531             unsigned int hookmask,
 
 534         struct ipt_match *match;
 
 537         match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
 
 539                                         "ipt_%s", m->u.user.name);
 
 540         if (IS_ERR(match) || !match) {
 
 541                 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
 
 542                 return match ? PTR_ERR(match) : -ENOENT;
 
 544         m->u.kernel.match = match;
 
 546         ret = check_match(m, name, ip, hookmask);
 
 553         module_put(m->u.kernel.match->me);
 
 557 static inline int check_target(struct ipt_entry *e, const char *name)
 
 559         struct ipt_entry_target *t;
 
 560         struct ipt_target *target;
 
 563         t = ipt_get_target(e);
 
 564         target = t->u.kernel.target;
 
 565         ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
 
 566                               name, e->comefrom, e->ip.proto,
 
 567                               e->ip.invflags & IPT_INV_PROTO);
 
 568         if (!ret && t->u.kernel.target->checkentry
 
 569                    && !t->u.kernel.target->checkentry(name, e, target,
 
 570                                                       t->data, e->comefrom)) {
 
 571                 duprintf("ip_tables: check failed for `%s'.\n",
 
 572                          t->u.kernel.target->name);
 
 579 find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
 
 582         struct ipt_entry_target *t;
 
 583         struct ipt_target *target;
 
 587         ret = check_entry(e, name);
 
 592         ret = IPT_MATCH_ITERATE(e, find_check_match, name, &e->ip,
 
 595                 goto cleanup_matches;
 
 597         t = ipt_get_target(e);
 
 598         target = try_then_request_module(xt_find_target(AF_INET,
 
 601                                          "ipt_%s", t->u.user.name);
 
 602         if (IS_ERR(target) || !target) {
 
 603                 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
 
 604                 ret = target ? PTR_ERR(target) : -ENOENT;
 
 605                 goto cleanup_matches;
 
 607         t->u.kernel.target = target;
 
 609         ret = check_target(e, name);
 
 616         module_put(t->u.kernel.target->me);
 
 618         IPT_MATCH_ITERATE(e, cleanup_match, &j);
 
 623 check_entry_size_and_hooks(struct ipt_entry *e,
 
 624                            struct xt_table_info *newinfo,
 
 626                            unsigned char *limit,
 
 627                            const unsigned int *hook_entries,
 
 628                            const unsigned int *underflows,
 
 633         if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
 
 634             || (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
 
 635                 duprintf("Bad offset %p\n", e);
 
 640             < sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
 
 641                 duprintf("checking: element %p size %u\n",
 
 646         /* Check hooks & underflows */
 
 647         for (h = 0; h < NF_IP_NUMHOOKS; h++) {
 
 648                 if ((unsigned char *)e - base == hook_entries[h])
 
 649                         newinfo->hook_entry[h] = hook_entries[h];
 
 650                 if ((unsigned char *)e - base == underflows[h])
 
 651                         newinfo->underflow[h] = underflows[h];
 
 654         /* FIXME: underflows must be unconditional, standard verdicts
 
 655            < 0 (not IPT_RETURN). --RR */
 
 657         /* Clear counters and comefrom */
 
 658         e->counters = ((struct xt_counters) { 0, 0 });
 
 666 cleanup_entry(struct ipt_entry *e, unsigned int *i)
 
 668         struct ipt_entry_target *t;
 
 670         if (i && (*i)-- == 0)
 
 673         /* Cleanup all matches */
 
 674         IPT_MATCH_ITERATE(e, cleanup_match, NULL);
 
 675         t = ipt_get_target(e);
 
 676         if (t->u.kernel.target->destroy)
 
 677                 t->u.kernel.target->destroy(t->u.kernel.target, t->data);
 
 678         module_put(t->u.kernel.target->me);
 
 682 /* Checks and translates the user-supplied table segment (held in
 
 685 translate_table(const char *name,
 
 686                 unsigned int valid_hooks,
 
 687                 struct xt_table_info *newinfo,
 
 691                 const unsigned int *hook_entries,
 
 692                 const unsigned int *underflows)
 
 697         newinfo->size = size;
 
 698         newinfo->number = number;
 
 700         /* Init all hooks to impossible value. */
 
 701         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 
 702                 newinfo->hook_entry[i] = 0xFFFFFFFF;
 
 703                 newinfo->underflow[i] = 0xFFFFFFFF;
 
 706         duprintf("translate_table: size %u\n", newinfo->size);
 
 708         /* Walk through entries, checking offsets. */
 
 709         ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
 
 710                                 check_entry_size_and_hooks,
 
 714                                 hook_entries, underflows, &i);
 
 719                 duprintf("translate_table: %u not %u entries\n",
 
 724         /* Check hooks all assigned */
 
 725         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 
 726                 /* Only hooks which are valid */
 
 727                 if (!(valid_hooks & (1 << i)))
 
 729                 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
 
 730                         duprintf("Invalid hook entry %u %u\n",
 
 734                 if (newinfo->underflow[i] == 0xFFFFFFFF) {
 
 735                         duprintf("Invalid underflow %u %u\n",
 
 741         if (!mark_source_chains(newinfo, valid_hooks, entry0))
 
 744         /* Finally, each sanity check must pass */
 
 746         ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
 
 747                                 find_check_entry, name, size, &i);
 
 750                 IPT_ENTRY_ITERATE(entry0, newinfo->size,
 
 755         /* And one copy for every other CPU */
 
 756         for_each_possible_cpu(i) {
 
 757                 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
 
 758                         memcpy(newinfo->entries[i], entry0, newinfo->size);
 
 766 add_entry_to_counter(const struct ipt_entry *e,
 
 767                      struct xt_counters total[],
 
 770         ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
 
 777 set_entry_to_counter(const struct ipt_entry *e,
 
 778                      struct ipt_counters total[],
 
 781         SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
 
 788 get_counters(const struct xt_table_info *t,
 
 789              struct xt_counters counters[])
 
 795         /* Instead of clearing (by a previous call to memset())
 
 796          * the counters and using adds, we set the counters
 
 797          * with data used by 'current' CPU
 
 798          * We dont care about preemption here.
 
 800         curcpu = raw_smp_processor_id();
 
 803         IPT_ENTRY_ITERATE(t->entries[curcpu],
 
 805                           set_entry_to_counter,
 
 809         for_each_possible_cpu(cpu) {
 
 813                 IPT_ENTRY_ITERATE(t->entries[cpu],
 
 815                                   add_entry_to_counter,
 
 821 static inline struct xt_counters * alloc_counters(struct ipt_table *table)
 
 823         unsigned int countersize;
 
 824         struct xt_counters *counters;
 
 825         struct xt_table_info *private = table->private;
 
 827         /* We need atomic snapshot of counters: rest doesn't change
 
 828            (other than comefrom, which userspace doesn't care
 
 830         countersize = sizeof(struct xt_counters) * private->number;
 
 831         counters = vmalloc_node(countersize, numa_node_id());
 
 833         if (counters == NULL)
 
 834                 return ERR_PTR(-ENOMEM);
 
 836         /* First, sum counters... */
 
 837         write_lock_bh(&table->lock);
 
 838         get_counters(private, counters);
 
 839         write_unlock_bh(&table->lock);
 
 845 copy_entries_to_user(unsigned int total_size,
 
 846                      struct ipt_table *table,
 
 847                      void __user *userptr)
 
 849         unsigned int off, num;
 
 851         struct xt_counters *counters;
 
 852         struct xt_table_info *private = table->private;
 
 856         counters = alloc_counters(table);
 
 857         if (IS_ERR(counters))
 
 858                 return PTR_ERR(counters);
 
 860         /* choose the copy that is on our node/cpu, ...
 
 861          * This choice is lazy (because current thread is
 
 862          * allowed to migrate to another cpu)
 
 864         loc_cpu_entry = private->entries[raw_smp_processor_id()];
 
 865         /* ... then copy entire thing ... */
 
 866         if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
 
 871         /* FIXME: use iterator macros --RR */
 
 872         /* ... then go back and fix counters and names */
 
 873         for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
 
 875                 struct ipt_entry_match *m;
 
 876                 struct ipt_entry_target *t;
 
 878                 e = (struct ipt_entry *)(loc_cpu_entry + off);
 
 879                 if (copy_to_user(userptr + off
 
 880                                  + offsetof(struct ipt_entry, counters),
 
 882                                  sizeof(counters[num])) != 0) {
 
 887                 for (i = sizeof(struct ipt_entry);
 
 888                      i < e->target_offset;
 
 889                      i += m->u.match_size) {
 
 892                         if (copy_to_user(userptr + off + i
 
 893                                          + offsetof(struct ipt_entry_match,
 
 895                                          m->u.kernel.match->name,
 
 896                                          strlen(m->u.kernel.match->name)+1)
 
 903                 t = ipt_get_target(e);
 
 904                 if (copy_to_user(userptr + off + e->target_offset
 
 905                                  + offsetof(struct ipt_entry_target,
 
 907                                  t->u.kernel.target->name,
 
 908                                  strlen(t->u.kernel.target->name)+1) != 0) {
 
 920 struct compat_delta {
 
 921         struct compat_delta *next;
 
 926 static struct compat_delta *compat_offsets = NULL;
 
 928 static int compat_add_offset(unsigned int offset, short delta)
 
 930         struct compat_delta *tmp;
 
 932         tmp = kmalloc(sizeof(struct compat_delta), GFP_KERNEL);
 
 935         tmp->offset = offset;
 
 937         if (compat_offsets) {
 
 938                 tmp->next = compat_offsets->next;
 
 939                 compat_offsets->next = tmp;
 
 941                 compat_offsets = tmp;
 
 947 static void compat_flush_offsets(void)
 
 949         struct compat_delta *tmp, *next;
 
 951         if (compat_offsets) {
 
 952                 for(tmp = compat_offsets; tmp; tmp = next) {
 
 956                 compat_offsets = NULL;
 
 960 static short compat_calc_jump(unsigned int offset)
 
 962         struct compat_delta *tmp;
 
 965         for(tmp = compat_offsets, delta = 0; tmp; tmp = tmp->next)
 
 966                 if (tmp->offset < offset)
 
 971 static void compat_standard_from_user(void *dst, void *src)
 
 973         int v = *(compat_int_t *)src;
 
 976                 v += compat_calc_jump(v);
 
 977         memcpy(dst, &v, sizeof(v));
 
 980 static int compat_standard_to_user(void __user *dst, void *src)
 
 982         compat_int_t cv = *(int *)src;
 
 985                 cv -= compat_calc_jump(cv);
 
 986         return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
 
 990 compat_calc_match(struct ipt_entry_match *m, int * size)
 
 992         *size += xt_compat_match_offset(m->u.kernel.match);
 
 996 static int compat_calc_entry(struct ipt_entry *e, struct xt_table_info *info,
 
 997                 void *base, struct xt_table_info *newinfo)
 
 999         struct ipt_entry_target *t;
 
1000         unsigned int entry_offset;
 
1004         entry_offset = (void *)e - base;
 
1005         IPT_MATCH_ITERATE(e, compat_calc_match, &off);
 
1006         t = ipt_get_target(e);
 
1007         off += xt_compat_target_offset(t->u.kernel.target);
 
1008         newinfo->size -= off;
 
1009         ret = compat_add_offset(entry_offset, off);
 
1013         for (i = 0; i< NF_IP_NUMHOOKS; i++) {
 
1014                 if (info->hook_entry[i] && (e < (struct ipt_entry *)
 
1015                                 (base + info->hook_entry[i])))
 
1016                         newinfo->hook_entry[i] -= off;
 
1017                 if (info->underflow[i] && (e < (struct ipt_entry *)
 
1018                                 (base + info->underflow[i])))
 
1019                         newinfo->underflow[i] -= off;
 
1024 static int compat_table_info(struct xt_table_info *info,
 
1025                 struct xt_table_info *newinfo)
 
1027         void *loc_cpu_entry;
 
1030         if (!newinfo || !info)
 
1033         memset(newinfo, 0, sizeof(struct xt_table_info));
 
1034         newinfo->size = info->size;
 
1035         newinfo->number = info->number;
 
1036         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 
1037                 newinfo->hook_entry[i] = info->hook_entry[i];
 
1038                 newinfo->underflow[i] = info->underflow[i];
 
1040         loc_cpu_entry = info->entries[raw_smp_processor_id()];
 
1041         return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
 
1042                         compat_calc_entry, info, loc_cpu_entry, newinfo);
 
1046 static int get_info(void __user *user, int *len, int compat)
 
1048         char name[IPT_TABLE_MAXNAMELEN];
 
1049         struct ipt_table *t;
 
1052         if (*len != sizeof(struct ipt_getinfo)) {
 
1053                 duprintf("length %u != %u\n", *len,
 
1054                         (unsigned int)sizeof(struct ipt_getinfo));
 
1058         if (copy_from_user(name, user, sizeof(name)) != 0)
 
1061         name[IPT_TABLE_MAXNAMELEN-1] = '\0';
 
1062 #ifdef CONFIG_COMPAT
 
1064                 xt_compat_lock(AF_INET);
 
1066         t = try_then_request_module(xt_find_table_lock(AF_INET, name),
 
1067                         "iptable_%s", name);
 
1068         if (t && !IS_ERR(t)) {
 
1069                 struct ipt_getinfo info;
 
1070                 struct xt_table_info *private = t->private;
 
1072 #ifdef CONFIG_COMPAT
 
1074                         struct xt_table_info tmp;
 
1075                         ret = compat_table_info(private, &tmp);
 
1076                         compat_flush_offsets();
 
1080                 info.valid_hooks = t->valid_hooks;
 
1081                 memcpy(info.hook_entry, private->hook_entry,
 
1082                                 sizeof(info.hook_entry));
 
1083                 memcpy(info.underflow, private->underflow,
 
1084                                 sizeof(info.underflow));
 
1085                 info.num_entries = private->number;
 
1086                 info.size = private->size;
 
1087                 strcpy(info.name, name);
 
1089                 if (copy_to_user(user, &info, *len) != 0)
 
1097                 ret = t ? PTR_ERR(t) : -ENOENT;
 
1098 #ifdef CONFIG_COMPAT
 
1100                 xt_compat_unlock(AF_INET);
 
1106 get_entries(struct ipt_get_entries __user *uptr, int *len)
 
1109         struct ipt_get_entries get;
 
1110         struct ipt_table *t;
 
1112         if (*len < sizeof(get)) {
 
1113                 duprintf("get_entries: %u < %d\n", *len,
 
1114                                 (unsigned int)sizeof(get));
 
1117         if (copy_from_user(&get, uptr, sizeof(get)) != 0)
 
1119         if (*len != sizeof(struct ipt_get_entries) + get.size) {
 
1120                 duprintf("get_entries: %u != %u\n", *len,
 
1121                                 (unsigned int)(sizeof(struct ipt_get_entries) +
 
1126         t = xt_find_table_lock(AF_INET, get.name);
 
1127         if (t && !IS_ERR(t)) {
 
1128                 struct xt_table_info *private = t->private;
 
1129                 duprintf("t->private->number = %u\n",
 
1131                 if (get.size == private->size)
 
1132                         ret = copy_entries_to_user(private->size,
 
1133                                                    t, uptr->entrytable);
 
1135                         duprintf("get_entries: I've got %u not %u!\n",
 
1143                 ret = t ? PTR_ERR(t) : -ENOENT;
 
1149 __do_replace(const char *name, unsigned int valid_hooks,
 
1150                 struct xt_table_info *newinfo, unsigned int num_counters,
 
1151                 void __user *counters_ptr)
 
1154         struct ipt_table *t;
 
1155         struct xt_table_info *oldinfo;
 
1156         struct xt_counters *counters;
 
1157         void *loc_cpu_old_entry;
 
1160         counters = vmalloc(num_counters * sizeof(struct xt_counters));
 
1166         t = try_then_request_module(xt_find_table_lock(AF_INET, name),
 
1167                                     "iptable_%s", name);
 
1168         if (!t || IS_ERR(t)) {
 
1169                 ret = t ? PTR_ERR(t) : -ENOENT;
 
1170                 goto free_newinfo_counters_untrans;
 
1174         if (valid_hooks != t->valid_hooks) {
 
1175                 duprintf("Valid hook crap: %08X vs %08X\n",
 
1176                          valid_hooks, t->valid_hooks);
 
1181         oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
 
1185         /* Update module usage count based on number of rules */
 
1186         duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
 
1187                 oldinfo->number, oldinfo->initial_entries, newinfo->number);
 
1188         if ((oldinfo->number > oldinfo->initial_entries) ||
 
1189             (newinfo->number <= oldinfo->initial_entries))
 
1191         if ((oldinfo->number > oldinfo->initial_entries) &&
 
1192             (newinfo->number <= oldinfo->initial_entries))
 
1195         /* Get the old counters. */
 
1196         get_counters(oldinfo, counters);
 
1197         /* Decrease module usage counts and free resource */
 
1198         loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
 
1199         IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
 
1200         xt_free_table_info(oldinfo);
 
1201         if (copy_to_user(counters_ptr, counters,
 
1202                          sizeof(struct xt_counters) * num_counters) != 0)
 
1211  free_newinfo_counters_untrans:
 
1218 do_replace(void __user *user, unsigned int len)
 
1221         struct ipt_replace tmp;
 
1222         struct xt_table_info *newinfo;
 
1223         void *loc_cpu_entry;
 
1225         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
 
1228         /* Hack: Causes ipchains to give correct error msg --RR */
 
1229         if (len != sizeof(tmp) + tmp.size)
 
1230                 return -ENOPROTOOPT;
 
1232         /* overflow check */
 
1233         if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
 
1236         if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 
1239         newinfo = xt_alloc_table_info(tmp.size);
 
1243         /* choose the copy that is our node/cpu */
 
1244         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
 
1245         if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
 
1251         ret = translate_table(tmp.name, tmp.valid_hooks,
 
1252                               newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
 
1253                               tmp.hook_entry, tmp.underflow);
 
1257         duprintf("ip_tables: Translated table\n");
 
1259         ret = __do_replace(tmp.name, tmp.valid_hooks,
 
1260                               newinfo, tmp.num_counters,
 
1263                 goto free_newinfo_untrans;
 
1266  free_newinfo_untrans:
 
1267         IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
 
1269         xt_free_table_info(newinfo);
 
1273 /* We're lazy, and add to the first CPU; overflow works its fey magic
 
1274  * and everything is OK. */
 
1276 add_counter_to_entry(struct ipt_entry *e,
 
1277                      const struct xt_counters addme[],
 
1281         duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
 
1283                  (long unsigned int)e->counters.pcnt,
 
1284                  (long unsigned int)e->counters.bcnt,
 
1285                  (long unsigned int)addme[*i].pcnt,
 
1286                  (long unsigned int)addme[*i].bcnt);
 
1289         ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
 
1296 do_add_counters(void __user *user, unsigned int len, int compat)
 
1299         struct xt_counters_info tmp;
 
1300         struct xt_counters *paddc;
 
1301         unsigned int num_counters;
 
1305         struct ipt_table *t;
 
1306         struct xt_table_info *private;
 
1308         void *loc_cpu_entry;
 
1309 #ifdef CONFIG_COMPAT
 
1310         struct compat_xt_counters_info compat_tmp;
 
1314                 size = sizeof(struct compat_xt_counters_info);
 
1319                 size = sizeof(struct xt_counters_info);
 
1322         if (copy_from_user(ptmp, user, size) != 0)
 
1325 #ifdef CONFIG_COMPAT
 
1327                 num_counters = compat_tmp.num_counters;
 
1328                 name = compat_tmp.name;
 
1332                 num_counters = tmp.num_counters;
 
1336         if (len != size + num_counters * sizeof(struct xt_counters))
 
1339         paddc = vmalloc_node(len - size, numa_node_id());
 
1343         if (copy_from_user(paddc, user + size, len - size) != 0) {
 
1348         t = xt_find_table_lock(AF_INET, name);
 
1349         if (!t || IS_ERR(t)) {
 
1350                 ret = t ? PTR_ERR(t) : -ENOENT;
 
1354         write_lock_bh(&t->lock);
 
1355         private = t->private;
 
1356         if (private->number != num_counters) {
 
1358                 goto unlock_up_free;
 
1362         /* Choose the copy that is on our node */
 
1363         loc_cpu_entry = private->entries[raw_smp_processor_id()];
 
1364         IPT_ENTRY_ITERATE(loc_cpu_entry,
 
1366                           add_counter_to_entry,
 
1370         write_unlock_bh(&t->lock);
 
1379 #ifdef CONFIG_COMPAT
 
1380 struct compat_ipt_replace {
 
1381         char                    name[IPT_TABLE_MAXNAMELEN];
 
1385         u32                     hook_entry[NF_IP_NUMHOOKS];
 
1386         u32                     underflow[NF_IP_NUMHOOKS];
 
1388         compat_uptr_t           counters;       /* struct ipt_counters * */
 
1389         struct compat_ipt_entry entries[0];
 
1392 static inline int compat_copy_match_to_user(struct ipt_entry_match *m,
 
1393                 void __user **dstptr, compat_uint_t *size)
 
1395         return xt_compat_match_to_user(m, dstptr, size);
 
1398 static int compat_copy_entry_to_user(struct ipt_entry *e,
 
1399                 void __user **dstptr, compat_uint_t *size)
 
1401         struct ipt_entry_target *t;
 
1402         struct compat_ipt_entry __user *ce;
 
1403         u_int16_t target_offset, next_offset;
 
1404         compat_uint_t origsize;
 
1409         ce = (struct compat_ipt_entry __user *)*dstptr;
 
1410         if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
 
1413         *dstptr += sizeof(struct compat_ipt_entry);
 
1414         ret = IPT_MATCH_ITERATE(e, compat_copy_match_to_user, dstptr, size);
 
1415         target_offset = e->target_offset - (origsize - *size);
 
1418         t = ipt_get_target(e);
 
1419         ret = xt_compat_target_to_user(t, dstptr, size);
 
1423         next_offset = e->next_offset - (origsize - *size);
 
1424         if (put_user(target_offset, &ce->target_offset))
 
1426         if (put_user(next_offset, &ce->next_offset))
 
1434 compat_check_calc_match(struct ipt_entry_match *m,
 
1436             const struct ipt_ip *ip,
 
1437             unsigned int hookmask,
 
1440         struct ipt_match *match;
 
1442         match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
 
1443                                                    m->u.user.revision),
 
1444                                         "ipt_%s", m->u.user.name);
 
1445         if (IS_ERR(match) || !match) {
 
1446                 duprintf("compat_check_calc_match: `%s' not found\n",
 
1448                 return match ? PTR_ERR(match) : -ENOENT;
 
1450         m->u.kernel.match = match;
 
1451         *size += xt_compat_match_offset(match);
 
1458 check_compat_entry_size_and_hooks(struct ipt_entry *e,
 
1459                            struct xt_table_info *newinfo,
 
1461                            unsigned char *base,
 
1462                            unsigned char *limit,
 
1463                            unsigned int *hook_entries,
 
1464                            unsigned int *underflows,
 
1468         struct ipt_entry_target *t;
 
1469         struct ipt_target *target;
 
1470         unsigned int entry_offset;
 
1473         duprintf("check_compat_entry_size_and_hooks %p\n", e);
 
1474         if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
 
1475             || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
 
1476                 duprintf("Bad offset %p, limit = %p\n", e, limit);
 
1480         if (e->next_offset < sizeof(struct compat_ipt_entry) +
 
1481                         sizeof(struct compat_xt_entry_target)) {
 
1482                 duprintf("checking: element %p size %u\n",
 
1487         ret = check_entry(e, name);
 
1492         entry_offset = (void *)e - (void *)base;
 
1494         ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip,
 
1495                         e->comefrom, &off, &j);
 
1497                 goto cleanup_matches;
 
1499         t = ipt_get_target(e);
 
1500         target = try_then_request_module(xt_find_target(AF_INET,
 
1502                                                      t->u.user.revision),
 
1503                                          "ipt_%s", t->u.user.name);
 
1504         if (IS_ERR(target) || !target) {
 
1505                 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
 
1507                 ret = target ? PTR_ERR(target) : -ENOENT;
 
1508                 goto cleanup_matches;
 
1510         t->u.kernel.target = target;
 
1512         off += xt_compat_target_offset(target);
 
1514         ret = compat_add_offset(entry_offset, off);
 
1518         /* Check hooks & underflows */
 
1519         for (h = 0; h < NF_IP_NUMHOOKS; h++) {
 
1520                 if ((unsigned char *)e - base == hook_entries[h])
 
1521                         newinfo->hook_entry[h] = hook_entries[h];
 
1522                 if ((unsigned char *)e - base == underflows[h])
 
1523                         newinfo->underflow[h] = underflows[h];
 
1526         /* Clear counters and comefrom */
 
1527         e->counters = ((struct ipt_counters) { 0, 0 });
 
1534         module_put(t->u.kernel.target->me);
 
1536         IPT_MATCH_ITERATE(e, cleanup_match, &j);
 
1540 static inline int compat_copy_match_from_user(struct ipt_entry_match *m,
 
1541         void **dstptr, compat_uint_t *size, const char *name,
 
1542         const struct ipt_ip *ip, unsigned int hookmask)
 
1544         xt_compat_match_from_user(m, dstptr, size);
 
1548 static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr,
 
1549         unsigned int *size, const char *name,
 
1550         struct xt_table_info *newinfo, unsigned char *base)
 
1552         struct ipt_entry_target *t;
 
1553         struct ipt_target *target;
 
1554         struct ipt_entry *de;
 
1555         unsigned int origsize;
 
1560         de = (struct ipt_entry *)*dstptr;
 
1561         memcpy(de, e, sizeof(struct ipt_entry));
 
1563         *dstptr += sizeof(struct compat_ipt_entry);
 
1564         ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size,
 
1565                         name, &de->ip, de->comefrom);
 
1568         de->target_offset = e->target_offset - (origsize - *size);
 
1569         t = ipt_get_target(e);
 
1570         target = t->u.kernel.target;
 
1571         xt_compat_target_from_user(t, dstptr, size);
 
1573         de->next_offset = e->next_offset - (origsize - *size);
 
1574         for (h = 0; h < NF_IP_NUMHOOKS; h++) {
 
1575                 if ((unsigned char *)de - base < newinfo->hook_entry[h])
 
1576                         newinfo->hook_entry[h] -= origsize - *size;
 
1577                 if ((unsigned char *)de - base < newinfo->underflow[h])
 
1578                         newinfo->underflow[h] -= origsize - *size;
 
1583 static inline int compat_check_entry(struct ipt_entry *e, const char *name)
 
1587         ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom);
 
1591         return check_target(e, name);
 
1595 translate_compat_table(const char *name,
 
1596                 unsigned int valid_hooks,
 
1597                 struct xt_table_info **pinfo,
 
1599                 unsigned int total_size,
 
1600                 unsigned int number,
 
1601                 unsigned int *hook_entries,
 
1602                 unsigned int *underflows)
 
1605         struct xt_table_info *newinfo, *info;
 
1606         void *pos, *entry0, *entry1;
 
1613         info->number = number;
 
1615         /* Init all hooks to impossible value. */
 
1616         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 
1617                 info->hook_entry[i] = 0xFFFFFFFF;
 
1618                 info->underflow[i] = 0xFFFFFFFF;
 
1621         duprintf("translate_compat_table: size %u\n", info->size);
 
1623         xt_compat_lock(AF_INET);
 
1624         /* Walk through entries, checking offsets. */
 
1625         ret = IPT_ENTRY_ITERATE(entry0, total_size,
 
1626                                 check_compat_entry_size_and_hooks,
 
1627                                 info, &size, entry0,
 
1628                                 entry0 + total_size,
 
1629                                 hook_entries, underflows, &j, name);
 
1635                 duprintf("translate_compat_table: %u not %u entries\n",
 
1640         /* Check hooks all assigned */
 
1641         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 
1642                 /* Only hooks which are valid */
 
1643                 if (!(valid_hooks & (1 << i)))
 
1645                 if (info->hook_entry[i] == 0xFFFFFFFF) {
 
1646                         duprintf("Invalid hook entry %u %u\n",
 
1647                                  i, hook_entries[i]);
 
1650                 if (info->underflow[i] == 0xFFFFFFFF) {
 
1651                         duprintf("Invalid underflow %u %u\n",
 
1658         newinfo = xt_alloc_table_info(size);
 
1662         newinfo->number = number;
 
1663         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 
1664                 newinfo->hook_entry[i] = info->hook_entry[i];
 
1665                 newinfo->underflow[i] = info->underflow[i];
 
1667         entry1 = newinfo->entries[raw_smp_processor_id()];
 
1670         ret = IPT_ENTRY_ITERATE(entry0, total_size,
 
1671                         compat_copy_entry_from_user, &pos, &size,
 
1672                         name, newinfo, entry1);
 
1673         compat_flush_offsets();
 
1674         xt_compat_unlock(AF_INET);
 
1679         if (!mark_source_chains(newinfo, valid_hooks, entry1))
 
1682         ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
 
1687         /* And one copy for every other CPU */
 
1688         for_each_possible_cpu(i)
 
1689                 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
 
1690                         memcpy(newinfo->entries[i], entry1, newinfo->size);
 
1694         xt_free_table_info(info);
 
1698         xt_free_table_info(newinfo);
 
1700         IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j);
 
1703         compat_flush_offsets();
 
1704         xt_compat_unlock(AF_INET);
 
1709 compat_do_replace(void __user *user, unsigned int len)
 
1712         struct compat_ipt_replace tmp;
 
1713         struct xt_table_info *newinfo;
 
1714         void *loc_cpu_entry;
 
1716         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
 
1719         /* Hack: Causes ipchains to give correct error msg --RR */
 
1720         if (len != sizeof(tmp) + tmp.size)
 
1721                 return -ENOPROTOOPT;
 
1723         /* overflow check */
 
1724         if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
 
1727         if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 
1730         newinfo = xt_alloc_table_info(tmp.size);
 
1734         /* choose the copy that is our node/cpu */
 
1735         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
 
1736         if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
 
1742         ret = translate_compat_table(tmp.name, tmp.valid_hooks,
 
1743                               &newinfo, &loc_cpu_entry, tmp.size,
 
1744                               tmp.num_entries, tmp.hook_entry, tmp.underflow);
 
1748         duprintf("compat_do_replace: Translated table\n");
 
1750         ret = __do_replace(tmp.name, tmp.valid_hooks,
 
1751                               newinfo, tmp.num_counters,
 
1752                               compat_ptr(tmp.counters));
 
1754                 goto free_newinfo_untrans;
 
1757  free_newinfo_untrans:
 
1758         IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
 
1760         xt_free_table_info(newinfo);
 
1765 compat_do_ipt_set_ctl(struct sock *sk,  int cmd, void __user *user,
 
1770         if (!capable(CAP_NET_ADMIN))
 
1774         case IPT_SO_SET_REPLACE:
 
1775                 ret = compat_do_replace(user, len);
 
1778         case IPT_SO_SET_ADD_COUNTERS:
 
1779                 ret = do_add_counters(user, len, 1);
 
1783                 duprintf("do_ipt_set_ctl:  unknown request %i\n", cmd);
 
1790 struct compat_ipt_get_entries
 
1792         char name[IPT_TABLE_MAXNAMELEN];
 
1794         struct compat_ipt_entry entrytable[0];
 
1797 static int compat_copy_entries_to_user(unsigned int total_size,
 
1798                      struct ipt_table *table, void __user *userptr)
 
1800         unsigned int off, num;
 
1801         struct compat_ipt_entry e;
 
1802         struct xt_counters *counters;
 
1803         struct xt_table_info *private = table->private;
 
1807         void *loc_cpu_entry;
 
1809         counters = alloc_counters(table);
 
1810         if (IS_ERR(counters))
 
1811                 return PTR_ERR(counters);
 
1813         /* choose the copy that is on our node/cpu, ...
 
1814          * This choice is lazy (because current thread is
 
1815          * allowed to migrate to another cpu)
 
1817         loc_cpu_entry = private->entries[raw_smp_processor_id()];
 
1820         ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
 
1821                         compat_copy_entry_to_user, &pos, &size);
 
1825         /* ... then go back and fix counters and names */
 
1826         for (off = 0, num = 0; off < size; off += e.next_offset, num++) {
 
1828                 struct ipt_entry_match m;
 
1829                 struct ipt_entry_target t;
 
1832                 if (copy_from_user(&e, userptr + off,
 
1833                                         sizeof(struct compat_ipt_entry)))
 
1835                 if (copy_to_user(userptr + off +
 
1836                         offsetof(struct compat_ipt_entry, counters),
 
1837                          &counters[num], sizeof(counters[num])))
 
1840                 for (i = sizeof(struct compat_ipt_entry);
 
1841                                 i < e.target_offset; i += m.u.match_size) {
 
1842                         if (copy_from_user(&m, userptr + off + i,
 
1843                                         sizeof(struct ipt_entry_match)))
 
1845                         if (copy_to_user(userptr + off + i +
 
1846                                 offsetof(struct ipt_entry_match, u.user.name),
 
1847                                 m.u.kernel.match->name,
 
1848                                 strlen(m.u.kernel.match->name) + 1))
 
1852                 if (copy_from_user(&t, userptr + off + e.target_offset,
 
1853                                         sizeof(struct ipt_entry_target)))
 
1855                 if (copy_to_user(userptr + off + e.target_offset +
 
1856                         offsetof(struct ipt_entry_target, u.user.name),
 
1857                         t.u.kernel.target->name,
 
1858                         strlen(t.u.kernel.target->name) + 1))
 
1868 compat_get_entries(struct compat_ipt_get_entries __user *uptr, int *len)
 
1871         struct compat_ipt_get_entries get;
 
1872         struct ipt_table *t;
 
1875         if (*len < sizeof(get)) {
 
1876                 duprintf("compat_get_entries: %u < %u\n",
 
1877                                 *len, (unsigned int)sizeof(get));
 
1881         if (copy_from_user(&get, uptr, sizeof(get)) != 0)
 
1884         if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
 
1885                 duprintf("compat_get_entries: %u != %u\n", *len,
 
1886                         (unsigned int)(sizeof(struct compat_ipt_get_entries) +
 
1891         xt_compat_lock(AF_INET);
 
1892         t = xt_find_table_lock(AF_INET, get.name);
 
1893         if (t && !IS_ERR(t)) {
 
1894                 struct xt_table_info *private = t->private;
 
1895                 struct xt_table_info info;
 
1896                 duprintf("t->private->number = %u\n",
 
1898                 ret = compat_table_info(private, &info);
 
1899                 if (!ret && get.size == info.size) {
 
1900                         ret = compat_copy_entries_to_user(private->size,
 
1901                                                    t, uptr->entrytable);
 
1903                         duprintf("compat_get_entries: I've got %u not %u!\n",
 
1908                 compat_flush_offsets();
 
1912                 ret = t ? PTR_ERR(t) : -ENOENT;
 
1914         xt_compat_unlock(AF_INET);
 
1918 static int do_ipt_get_ctl(struct sock *, int, void __user *, int *);
 
1921 compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 
1925         if (!capable(CAP_NET_ADMIN))
 
1929         case IPT_SO_GET_INFO:
 
1930                 ret = get_info(user, len, 1);
 
1932         case IPT_SO_GET_ENTRIES:
 
1933                 ret = compat_get_entries(user, len);
 
1936                 ret = do_ipt_get_ctl(sk, cmd, user, len);
 
1943 do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
 
1947         if (!capable(CAP_NET_ADMIN))
 
1951         case IPT_SO_SET_REPLACE:
 
1952                 ret = do_replace(user, len);
 
1955         case IPT_SO_SET_ADD_COUNTERS:
 
1956                 ret = do_add_counters(user, len, 0);
 
1960                 duprintf("do_ipt_set_ctl:  unknown request %i\n", cmd);
 
1968 do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 
1972         if (!capable(CAP_NET_ADMIN))
 
1976         case IPT_SO_GET_INFO:
 
1977                 ret = get_info(user, len, 0);
 
1980         case IPT_SO_GET_ENTRIES:
 
1981                 ret = get_entries(user, len);
 
1984         case IPT_SO_GET_REVISION_MATCH:
 
1985         case IPT_SO_GET_REVISION_TARGET: {
 
1986                 struct ipt_get_revision rev;
 
1989                 if (*len != sizeof(rev)) {
 
1993                 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
 
1998                 if (cmd == IPT_SO_GET_REVISION_TARGET)
 
2003                 try_then_request_module(xt_find_revision(AF_INET, rev.name,
 
2006                                         "ipt_%s", rev.name);
 
2011                 duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
 
2018 int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
 
2021         struct xt_table_info *newinfo;
 
2022         static struct xt_table_info bootstrap
 
2023                 = { 0, 0, 0, { 0 }, { 0 }, { } };
 
2024         void *loc_cpu_entry;
 
2026         newinfo = xt_alloc_table_info(repl->size);
 
2030         /* choose the copy on our node/cpu
 
2031          * but dont care of preemption
 
2033         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
 
2034         memcpy(loc_cpu_entry, repl->entries, repl->size);
 
2036         ret = translate_table(table->name, table->valid_hooks,
 
2037                               newinfo, loc_cpu_entry, repl->size,
 
2042                 xt_free_table_info(newinfo);
 
2046         ret = xt_register_table(table, &bootstrap, newinfo);
 
2048                 xt_free_table_info(newinfo);
 
2055 void ipt_unregister_table(struct ipt_table *table)
 
2057         struct xt_table_info *private;
 
2058         void *loc_cpu_entry;
 
2060         private = xt_unregister_table(table);
 
2062         /* Decrease module usage counts and free resources */
 
2063         loc_cpu_entry = private->entries[raw_smp_processor_id()];
 
2064         IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
 
2065         xt_free_table_info(private);
 
2068 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
 
2070 icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
 
2071                      u_int8_t type, u_int8_t code,
 
2074         return ((test_type == 0xFF) || (type == test_type && code >= min_code && code <= max_code))
 
2079 icmp_match(const struct sk_buff *skb,
 
2080            const struct net_device *in,
 
2081            const struct net_device *out,
 
2082            const struct xt_match *match,
 
2083            const void *matchinfo,
 
2085            unsigned int protoff,
 
2088         struct icmphdr _icmph, *ic;
 
2089         const struct ipt_icmp *icmpinfo = matchinfo;
 
2091         /* Must not be a fragment. */
 
2095         ic = skb_header_pointer(skb, protoff, sizeof(_icmph), &_icmph);
 
2097                 /* We've been asked to examine this packet, and we
 
2098                  * can't.  Hence, no choice but to drop.
 
2100                 duprintf("Dropping evil ICMP tinygram.\n");
 
2105         return icmp_type_code_match(icmpinfo->type,
 
2109                                     !!(icmpinfo->invflags&IPT_ICMP_INV));
 
2112 /* Called when user tries to insert an entry of this type. */
 
2114 icmp_checkentry(const char *tablename,
 
2116            const struct xt_match *match,
 
2118            unsigned int hook_mask)
 
2120         const struct ipt_icmp *icmpinfo = matchinfo;
 
2122         /* Must specify no unknown invflags */
 
2123         return !(icmpinfo->invflags & ~IPT_ICMP_INV);
 
2126 /* The built-in targets: standard (NULL) and error. */
 
2127 static struct ipt_target ipt_standard_target = {
 
2128         .name           = IPT_STANDARD_TARGET,
 
2129         .targetsize     = sizeof(int),
 
2131 #ifdef CONFIG_COMPAT
 
2132         .compatsize     = sizeof(compat_int_t),
 
2133         .compat_from_user = compat_standard_from_user,
 
2134         .compat_to_user = compat_standard_to_user,
 
2138 static struct ipt_target ipt_error_target = {
 
2139         .name           = IPT_ERROR_TARGET,
 
2140         .target         = ipt_error,
 
2141         .targetsize     = IPT_FUNCTION_MAXNAMELEN,
 
2145 static struct nf_sockopt_ops ipt_sockopts = {
 
2147         .set_optmin     = IPT_BASE_CTL,
 
2148         .set_optmax     = IPT_SO_SET_MAX+1,
 
2149         .set            = do_ipt_set_ctl,
 
2150 #ifdef CONFIG_COMPAT
 
2151         .compat_set     = compat_do_ipt_set_ctl,
 
2153         .get_optmin     = IPT_BASE_CTL,
 
2154         .get_optmax     = IPT_SO_GET_MAX+1,
 
2155         .get            = do_ipt_get_ctl,
 
2156 #ifdef CONFIG_COMPAT
 
2157         .compat_get     = compat_do_ipt_get_ctl,
 
2161 static struct ipt_match icmp_matchstruct = {
 
2163         .match          = icmp_match,
 
2164         .matchsize      = sizeof(struct ipt_icmp),
 
2165         .proto          = IPPROTO_ICMP,
 
2167         .checkentry     = icmp_checkentry,
 
2170 static int __init ip_tables_init(void)
 
2174         ret = xt_proto_init(AF_INET);
 
2178         /* Noone else will be downing sem now, so we won't sleep */
 
2179         ret = xt_register_target(&ipt_standard_target);
 
2182         ret = xt_register_target(&ipt_error_target);
 
2185         ret = xt_register_match(&icmp_matchstruct);
 
2189         /* Register setsockopt */
 
2190         ret = nf_register_sockopt(&ipt_sockopts);
 
2194         printk("ip_tables: (C) 2000-2006 Netfilter Core Team\n");
 
2198         xt_unregister_match(&icmp_matchstruct);
 
2200         xt_unregister_target(&ipt_error_target);
 
2202         xt_unregister_target(&ipt_standard_target);
 
2204         xt_proto_fini(AF_INET);
 
2209 static void __exit ip_tables_fini(void)
 
2211         nf_unregister_sockopt(&ipt_sockopts);
 
2213         xt_unregister_match(&icmp_matchstruct);
 
2214         xt_unregister_target(&ipt_error_target);
 
2215         xt_unregister_target(&ipt_standard_target);
 
2217         xt_proto_fini(AF_INET);
 
2220 EXPORT_SYMBOL(ipt_register_table);
 
2221 EXPORT_SYMBOL(ipt_unregister_table);
 
2222 EXPORT_SYMBOL(ipt_do_table);
 
2223 module_init(ip_tables_init);
 
2224 module_exit(ip_tables_fini);