Merge git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus
[linux-2.6] / net / ipv4 / netfilter / ip_tables.c
1 /*
2  * Packet matching code.
3  *
4  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5  * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation.
10  */
11 #include <linux/cache.h>
12 #include <linux/capability.h>
13 #include <linux/skbuff.h>
14 #include <linux/kmod.h>
15 #include <linux/vmalloc.h>
16 #include <linux/netdevice.h>
17 #include <linux/module.h>
18 #include <linux/icmp.h>
19 #include <net/ip.h>
20 #include <net/compat.h>
21 #include <asm/uaccess.h>
22 #include <linux/mutex.h>
23 #include <linux/proc_fs.h>
24 #include <linux/err.h>
25 #include <linux/cpumask.h>
26
27 #include <linux/netfilter/x_tables.h>
28 #include <linux/netfilter_ipv4/ip_tables.h>
29 #include <net/netfilter/nf_log.h>
30
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
33 MODULE_DESCRIPTION("IPv4 packet filter");
34
35 /*#define DEBUG_IP_FIREWALL*/
36 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
37 /*#define DEBUG_IP_FIREWALL_USER*/
38
39 #ifdef DEBUG_IP_FIREWALL
40 #define dprintf(format, args...)  printk(format , ## args)
41 #else
42 #define dprintf(format, args...)
43 #endif
44
45 #ifdef DEBUG_IP_FIREWALL_USER
46 #define duprintf(format, args...) printk(format , ## args)
47 #else
48 #define duprintf(format, args...)
49 #endif
50
51 #ifdef CONFIG_NETFILTER_DEBUG
52 #define IP_NF_ASSERT(x)                                         \
53 do {                                                            \
54         if (!(x))                                               \
55                 printk("IP_NF_ASSERT: %s:%s:%u\n",              \
56                        __func__, __FILE__, __LINE__);   \
57 } while(0)
58 #else
59 #define IP_NF_ASSERT(x)
60 #endif
61
62 #if 0
63 /* All the better to debug you with... */
64 #define static
65 #define inline
66 #endif
67
68 /*
69    We keep a set of rules for each CPU, so we can avoid write-locking
70    them in the softirq when updating the counters and therefore
71    only need to read-lock in the softirq; doing a write_lock_bh() in user
72    context stops packets coming through and allows user context to read
73    the counters or update the rules.
74
75    Hence the start of any table is given by get_table() below.  */
76
77 /* Returns whether matches rule or not. */
78 /* Performance critical - called for every packet */
79 static inline bool
80 ip_packet_match(const struct iphdr *ip,
81                 const char *indev,
82                 const char *outdev,
83                 const struct ipt_ip *ipinfo,
84                 int isfrag)
85 {
86         size_t i;
87         unsigned long ret;
88
89 #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
90
91         if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
92                   IPT_INV_SRCIP)
93             || FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
94                      IPT_INV_DSTIP)) {
95                 dprintf("Source or dest mismatch.\n");
96
97                 dprintf("SRC: %u.%u.%u.%u. Mask: %u.%u.%u.%u. Target: %u.%u.%u.%u.%s\n",
98                         NIPQUAD(ip->saddr),
99                         NIPQUAD(ipinfo->smsk.s_addr),
100                         NIPQUAD(ipinfo->src.s_addr),
101                         ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
102                 dprintf("DST: %u.%u.%u.%u Mask: %u.%u.%u.%u Target: %u.%u.%u.%u.%s\n",
103                         NIPQUAD(ip->daddr),
104                         NIPQUAD(ipinfo->dmsk.s_addr),
105                         NIPQUAD(ipinfo->dst.s_addr),
106                         ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
107                 return false;
108         }
109
110         /* Look for ifname matches; this should unroll nicely. */
111         for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
112                 ret |= (((const unsigned long *)indev)[i]
113                         ^ ((const unsigned long *)ipinfo->iniface)[i])
114                         & ((const unsigned long *)ipinfo->iniface_mask)[i];
115         }
116
117         if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
118                 dprintf("VIA in mismatch (%s vs %s).%s\n",
119                         indev, ipinfo->iniface,
120                         ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
121                 return false;
122         }
123
124         for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
125                 ret |= (((const unsigned long *)outdev)[i]
126                         ^ ((const unsigned long *)ipinfo->outiface)[i])
127                         & ((const unsigned long *)ipinfo->outiface_mask)[i];
128         }
129
130         if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
131                 dprintf("VIA out mismatch (%s vs %s).%s\n",
132                         outdev, ipinfo->outiface,
133                         ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
134                 return false;
135         }
136
137         /* Check specific protocol */
138         if (ipinfo->proto
139             && FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
140                 dprintf("Packet protocol %hi does not match %hi.%s\n",
141                         ip->protocol, ipinfo->proto,
142                         ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
143                 return false;
144         }
145
146         /* If we have a fragment rule but the packet is not a fragment
147          * then we return zero */
148         if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
149                 dprintf("Fragment rule but not fragment.%s\n",
150                         ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
151                 return false;
152         }
153
154         return true;
155 }
156
157 static bool
158 ip_checkentry(const struct ipt_ip *ip)
159 {
160         if (ip->flags & ~IPT_F_MASK) {
161                 duprintf("Unknown flag bits set: %08X\n",
162                          ip->flags & ~IPT_F_MASK);
163                 return false;
164         }
165         if (ip->invflags & ~IPT_INV_MASK) {
166                 duprintf("Unknown invflag bits set: %08X\n",
167                          ip->invflags & ~IPT_INV_MASK);
168                 return false;
169         }
170         return true;
171 }
172
173 static unsigned int
174 ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
175 {
176         if (net_ratelimit())
177                 printk("ip_tables: error: `%s'\n",
178                        (const char *)par->targinfo);
179
180         return NF_DROP;
181 }
182
183 /* Performance critical - called for every packet */
184 static inline bool
185 do_match(struct ipt_entry_match *m, const struct sk_buff *skb,
186          struct xt_match_param *par)
187 {
188         par->match     = m->u.kernel.match;
189         par->matchinfo = m->data;
190
191         /* Stop iteration if it doesn't match */
192         if (!m->u.kernel.match->match(skb, par))
193                 return true;
194         else
195                 return false;
196 }
197
198 /* Performance critical */
199 static inline struct ipt_entry *
200 get_entry(void *base, unsigned int offset)
201 {
202         return (struct ipt_entry *)(base + offset);
203 }
204
205 /* All zeroes == unconditional rule. */
206 /* Mildly perf critical (only if packet tracing is on) */
207 static inline int
208 unconditional(const struct ipt_ip *ip)
209 {
210         unsigned int i;
211
212         for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
213                 if (((__u32 *)ip)[i])
214                         return 0;
215
216         return 1;
217 #undef FWINV
218 }
219
220 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
221     defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
222 static const char *const hooknames[] = {
223         [NF_INET_PRE_ROUTING]           = "PREROUTING",
224         [NF_INET_LOCAL_IN]              = "INPUT",
225         [NF_INET_FORWARD]               = "FORWARD",
226         [NF_INET_LOCAL_OUT]             = "OUTPUT",
227         [NF_INET_POST_ROUTING]          = "POSTROUTING",
228 };
229
230 enum nf_ip_trace_comments {
231         NF_IP_TRACE_COMMENT_RULE,
232         NF_IP_TRACE_COMMENT_RETURN,
233         NF_IP_TRACE_COMMENT_POLICY,
234 };
235
236 static const char *const comments[] = {
237         [NF_IP_TRACE_COMMENT_RULE]      = "rule",
238         [NF_IP_TRACE_COMMENT_RETURN]    = "return",
239         [NF_IP_TRACE_COMMENT_POLICY]    = "policy",
240 };
241
242 static struct nf_loginfo trace_loginfo = {
243         .type = NF_LOG_TYPE_LOG,
244         .u = {
245                 .log = {
246                         .level = 4,
247                         .logflags = NF_LOG_MASK,
248                 },
249         },
250 };
251
252 /* Mildly perf critical (only if packet tracing is on) */
253 static inline int
254 get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
255                       char *hookname, char **chainname,
256                       char **comment, unsigned int *rulenum)
257 {
258         struct ipt_standard_target *t = (void *)ipt_get_target(s);
259
260         if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) {
261                 /* Head of user chain: ERROR target with chainname */
262                 *chainname = t->target.data;
263                 (*rulenum) = 0;
264         } else if (s == e) {
265                 (*rulenum)++;
266
267                 if (s->target_offset == sizeof(struct ipt_entry)
268                    && strcmp(t->target.u.kernel.target->name,
269                              IPT_STANDARD_TARGET) == 0
270                    && t->verdict < 0
271                    && unconditional(&s->ip)) {
272                         /* Tail of chains: STANDARD target (return/policy) */
273                         *comment = *chainname == hookname
274                                 ? (char *)comments[NF_IP_TRACE_COMMENT_POLICY]
275                                 : (char *)comments[NF_IP_TRACE_COMMENT_RETURN];
276                 }
277                 return 1;
278         } else
279                 (*rulenum)++;
280
281         return 0;
282 }
283
284 static void trace_packet(struct sk_buff *skb,
285                          unsigned int hook,
286                          const struct net_device *in,
287                          const struct net_device *out,
288                          const char *tablename,
289                          struct xt_table_info *private,
290                          struct ipt_entry *e)
291 {
292         void *table_base;
293         const struct ipt_entry *root;
294         char *hookname, *chainname, *comment;
295         unsigned int rulenum = 0;
296
297         table_base = (void *)private->entries[smp_processor_id()];
298         root = get_entry(table_base, private->hook_entry[hook]);
299
300         hookname = chainname = (char *)hooknames[hook];
301         comment = (char *)comments[NF_IP_TRACE_COMMENT_RULE];
302
303         IPT_ENTRY_ITERATE(root,
304                           private->size - private->hook_entry[hook],
305                           get_chainname_rulenum,
306                           e, hookname, &chainname, &comment, &rulenum);
307
308         nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
309                       "TRACE: %s:%s:%s:%u ",
310                       tablename, chainname, comment, rulenum);
311 }
312 #endif
313
314 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
315 unsigned int
316 ipt_do_table(struct sk_buff *skb,
317              unsigned int hook,
318              const struct net_device *in,
319              const struct net_device *out,
320              struct xt_table *table)
321 {
322         static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
323         const struct iphdr *ip;
324         u_int16_t datalen;
325         bool hotdrop = false;
326         /* Initializing verdict to NF_DROP keeps gcc happy. */
327         unsigned int verdict = NF_DROP;
328         const char *indev, *outdev;
329         void *table_base;
330         struct ipt_entry *e, *back;
331         struct xt_table_info *private;
332         struct xt_match_param mtpar;
333         struct xt_target_param tgpar;
334
335         /* Initialization */
336         ip = ip_hdr(skb);
337         datalen = skb->len - ip->ihl * 4;
338         indev = in ? in->name : nulldevname;
339         outdev = out ? out->name : nulldevname;
340         /* We handle fragments by dealing with the first fragment as
341          * if it was a normal packet.  All other fragments are treated
342          * normally, except that they will NEVER match rules that ask
343          * things we don't know, ie. tcp syn flag or ports).  If the
344          * rule is also a fragment-specific rule, non-fragments won't
345          * match it. */
346         mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
347         mtpar.thoff   = ip_hdrlen(skb);
348         mtpar.hotdrop = &hotdrop;
349         mtpar.in      = tgpar.in  = in;
350         mtpar.out     = tgpar.out = out;
351         mtpar.family  = tgpar.family = NFPROTO_IPV4;
352         tgpar.hooknum = hook;
353
354         read_lock_bh(&table->lock);
355         IP_NF_ASSERT(table->valid_hooks & (1 << hook));
356         private = table->private;
357         table_base = (void *)private->entries[smp_processor_id()];
358         e = get_entry(table_base, private->hook_entry[hook]);
359
360         /* For return from builtin chain */
361         back = get_entry(table_base, private->underflow[hook]);
362
363         do {
364                 IP_NF_ASSERT(e);
365                 IP_NF_ASSERT(back);
366                 if (ip_packet_match(ip, indev, outdev,
367                     &e->ip, mtpar.fragoff)) {
368                         struct ipt_entry_target *t;
369
370                         if (IPT_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0)
371                                 goto no_match;
372
373                         ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
374
375                         t = ipt_get_target(e);
376                         IP_NF_ASSERT(t->u.kernel.target);
377
378 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
379     defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
380                         /* The packet is traced: log it */
381                         if (unlikely(skb->nf_trace))
382                                 trace_packet(skb, hook, in, out,
383                                              table->name, private, e);
384 #endif
385                         /* Standard target? */
386                         if (!t->u.kernel.target->target) {
387                                 int v;
388
389                                 v = ((struct ipt_standard_target *)t)->verdict;
390                                 if (v < 0) {
391                                         /* Pop from stack? */
392                                         if (v != IPT_RETURN) {
393                                                 verdict = (unsigned)(-v) - 1;
394                                                 break;
395                                         }
396                                         e = back;
397                                         back = get_entry(table_base,
398                                                          back->comefrom);
399                                         continue;
400                                 }
401                                 if (table_base + v != (void *)e + e->next_offset
402                                     && !(e->ip.flags & IPT_F_GOTO)) {
403                                         /* Save old back ptr in next entry */
404                                         struct ipt_entry *next
405                                                 = (void *)e + e->next_offset;
406                                         next->comefrom
407                                                 = (void *)back - table_base;
408                                         /* set back pointer to next entry */
409                                         back = next;
410                                 }
411
412                                 e = get_entry(table_base, v);
413                         } else {
414                                 /* Targets which reenter must return
415                                    abs. verdicts */
416                                 tgpar.target   = t->u.kernel.target;
417                                 tgpar.targinfo = t->data;
418 #ifdef CONFIG_NETFILTER_DEBUG
419                                 ((struct ipt_entry *)table_base)->comefrom
420                                         = 0xeeeeeeec;
421 #endif
422                                 verdict = t->u.kernel.target->target(skb,
423                                                                      &tgpar);
424 #ifdef CONFIG_NETFILTER_DEBUG
425                                 if (((struct ipt_entry *)table_base)->comefrom
426                                     != 0xeeeeeeec
427                                     && verdict == IPT_CONTINUE) {
428                                         printk("Target %s reentered!\n",
429                                                t->u.kernel.target->name);
430                                         verdict = NF_DROP;
431                                 }
432                                 ((struct ipt_entry *)table_base)->comefrom
433                                         = 0x57acc001;
434 #endif
435                                 /* Target might have changed stuff. */
436                                 ip = ip_hdr(skb);
437                                 datalen = skb->len - ip->ihl * 4;
438
439                                 if (verdict == IPT_CONTINUE)
440                                         e = (void *)e + e->next_offset;
441                                 else
442                                         /* Verdict */
443                                         break;
444                         }
445                 } else {
446
447                 no_match:
448                         e = (void *)e + e->next_offset;
449                 }
450         } while (!hotdrop);
451
452         read_unlock_bh(&table->lock);
453
454 #ifdef DEBUG_ALLOW_ALL
455         return NF_ACCEPT;
456 #else
457         if (hotdrop)
458                 return NF_DROP;
459         else return verdict;
460 #endif
461 }
462
463 /* Figures out from what hook each rule can be called: returns 0 if
464    there are loops.  Puts hook bitmask in comefrom. */
465 static int
466 mark_source_chains(struct xt_table_info *newinfo,
467                    unsigned int valid_hooks, void *entry0)
468 {
469         unsigned int hook;
470
471         /* No recursion; use packet counter to save back ptrs (reset
472            to 0 as we leave), and comefrom to save source hook bitmask */
473         for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
474                 unsigned int pos = newinfo->hook_entry[hook];
475                 struct ipt_entry *e = (struct ipt_entry *)(entry0 + pos);
476
477                 if (!(valid_hooks & (1 << hook)))
478                         continue;
479
480                 /* Set initial back pointer. */
481                 e->counters.pcnt = pos;
482
483                 for (;;) {
484                         struct ipt_standard_target *t
485                                 = (void *)ipt_get_target(e);
486                         int visited = e->comefrom & (1 << hook);
487
488                         if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
489                                 printk("iptables: loop hook %u pos %u %08X.\n",
490                                        hook, pos, e->comefrom);
491                                 return 0;
492                         }
493                         e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
494
495                         /* Unconditional return/END. */
496                         if ((e->target_offset == sizeof(struct ipt_entry)
497                             && (strcmp(t->target.u.user.name,
498                                        IPT_STANDARD_TARGET) == 0)
499                             && t->verdict < 0
500                             && unconditional(&e->ip)) || visited) {
501                                 unsigned int oldpos, size;
502
503                                 if (t->verdict < -NF_MAX_VERDICT - 1) {
504                                         duprintf("mark_source_chains: bad "
505                                                 "negative verdict (%i)\n",
506                                                                 t->verdict);
507                                         return 0;
508                                 }
509
510                                 /* Return: backtrack through the last
511                                    big jump. */
512                                 do {
513                                         e->comefrom ^= (1<<NF_INET_NUMHOOKS);
514 #ifdef DEBUG_IP_FIREWALL_USER
515                                         if (e->comefrom
516                                             & (1 << NF_INET_NUMHOOKS)) {
517                                                 duprintf("Back unset "
518                                                          "on hook %u "
519                                                          "rule %u\n",
520                                                          hook, pos);
521                                         }
522 #endif
523                                         oldpos = pos;
524                                         pos = e->counters.pcnt;
525                                         e->counters.pcnt = 0;
526
527                                         /* We're at the start. */
528                                         if (pos == oldpos)
529                                                 goto next;
530
531                                         e = (struct ipt_entry *)
532                                                 (entry0 + pos);
533                                 } while (oldpos == pos + e->next_offset);
534
535                                 /* Move along one */
536                                 size = e->next_offset;
537                                 e = (struct ipt_entry *)
538                                         (entry0 + pos + size);
539                                 e->counters.pcnt = pos;
540                                 pos += size;
541                         } else {
542                                 int newpos = t->verdict;
543
544                                 if (strcmp(t->target.u.user.name,
545                                            IPT_STANDARD_TARGET) == 0
546                                     && newpos >= 0) {
547                                         if (newpos > newinfo->size -
548                                                 sizeof(struct ipt_entry)) {
549                                                 duprintf("mark_source_chains: "
550                                                         "bad verdict (%i)\n",
551                                                                 newpos);
552                                                 return 0;
553                                         }
554                                         /* This a jump; chase it. */
555                                         duprintf("Jump rule %u -> %u\n",
556                                                  pos, newpos);
557                                 } else {
558                                         /* ... this is a fallthru */
559                                         newpos = pos + e->next_offset;
560                                 }
561                                 e = (struct ipt_entry *)
562                                         (entry0 + newpos);
563                                 e->counters.pcnt = pos;
564                                 pos = newpos;
565                         }
566                 }
567                 next:
568                 duprintf("Finished chain %u\n", hook);
569         }
570         return 1;
571 }
572
573 static int
574 cleanup_match(struct ipt_entry_match *m, unsigned int *i)
575 {
576         struct xt_mtdtor_param par;
577
578         if (i && (*i)-- == 0)
579                 return 1;
580
581         par.match     = m->u.kernel.match;
582         par.matchinfo = m->data;
583         par.family    = NFPROTO_IPV4;
584         if (par.match->destroy != NULL)
585                 par.match->destroy(&par);
586         module_put(par.match->me);
587         return 0;
588 }
589
590 static int
591 check_entry(struct ipt_entry *e, const char *name)
592 {
593         struct ipt_entry_target *t;
594
595         if (!ip_checkentry(&e->ip)) {
596                 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
597                 return -EINVAL;
598         }
599
600         if (e->target_offset + sizeof(struct ipt_entry_target) >
601             e->next_offset)
602                 return -EINVAL;
603
604         t = ipt_get_target(e);
605         if (e->target_offset + t->u.target_size > e->next_offset)
606                 return -EINVAL;
607
608         return 0;
609 }
610
611 static int
612 check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
613             unsigned int *i)
614 {
615         const struct ipt_ip *ip = par->entryinfo;
616         int ret;
617
618         par->match     = m->u.kernel.match;
619         par->matchinfo = m->data;
620
621         ret = xt_check_match(par, m->u.match_size - sizeof(*m),
622               ip->proto, ip->invflags & IPT_INV_PROTO);
623         if (ret < 0) {
624                 duprintf("ip_tables: check failed for `%s'.\n",
625                          par.match->name);
626                 return ret;
627         }
628         ++*i;
629         return 0;
630 }
631
632 static int
633 find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par,
634                  unsigned int *i)
635 {
636         struct xt_match *match;
637         int ret;
638
639         match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
640                                                       m->u.user.revision),
641                                         "ipt_%s", m->u.user.name);
642         if (IS_ERR(match) || !match) {
643                 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
644                 return match ? PTR_ERR(match) : -ENOENT;
645         }
646         m->u.kernel.match = match;
647
648         ret = check_match(m, par, i);
649         if (ret)
650                 goto err;
651
652         return 0;
653 err:
654         module_put(m->u.kernel.match->me);
655         return ret;
656 }
657
658 static int check_target(struct ipt_entry *e, const char *name)
659 {
660         struct ipt_entry_target *t = ipt_get_target(e);
661         struct xt_tgchk_param par = {
662                 .table     = name,
663                 .entryinfo = e,
664                 .target    = t->u.kernel.target,
665                 .targinfo  = t->data,
666                 .hook_mask = e->comefrom,
667                 .family    = NFPROTO_IPV4,
668         };
669         int ret;
670
671         ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
672               e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
673         if (ret < 0) {
674                 duprintf("ip_tables: check failed for `%s'.\n",
675                          t->u.kernel.target->name);
676                 return ret;
677         }
678         return 0;
679 }
680
681 static int
682 find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
683                  unsigned int *i)
684 {
685         struct ipt_entry_target *t;
686         struct xt_target *target;
687         int ret;
688         unsigned int j;
689         struct xt_mtchk_param mtpar;
690
691         ret = check_entry(e, name);
692         if (ret)
693                 return ret;
694
695         j = 0;
696         mtpar.table     = name;
697         mtpar.entryinfo = &e->ip;
698         mtpar.hook_mask = e->comefrom;
699         mtpar.family    = NFPROTO_IPV4;
700         ret = IPT_MATCH_ITERATE(e, find_check_match, &mtpar, &j);
701         if (ret != 0)
702                 goto cleanup_matches;
703
704         t = ipt_get_target(e);
705         target = try_then_request_module(xt_find_target(AF_INET,
706                                                         t->u.user.name,
707                                                         t->u.user.revision),
708                                          "ipt_%s", t->u.user.name);
709         if (IS_ERR(target) || !target) {
710                 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
711                 ret = target ? PTR_ERR(target) : -ENOENT;
712                 goto cleanup_matches;
713         }
714         t->u.kernel.target = target;
715
716         ret = check_target(e, name);
717         if (ret)
718                 goto err;
719
720         (*i)++;
721         return 0;
722  err:
723         module_put(t->u.kernel.target->me);
724  cleanup_matches:
725         IPT_MATCH_ITERATE(e, cleanup_match, &j);
726         return ret;
727 }
728
729 static int
730 check_entry_size_and_hooks(struct ipt_entry *e,
731                            struct xt_table_info *newinfo,
732                            unsigned char *base,
733                            unsigned char *limit,
734                            const unsigned int *hook_entries,
735                            const unsigned int *underflows,
736                            unsigned int *i)
737 {
738         unsigned int h;
739
740         if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
741             || (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
742                 duprintf("Bad offset %p\n", e);
743                 return -EINVAL;
744         }
745
746         if (e->next_offset
747             < sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
748                 duprintf("checking: element %p size %u\n",
749                          e, e->next_offset);
750                 return -EINVAL;
751         }
752
753         /* Check hooks & underflows */
754         for (h = 0; h < NF_INET_NUMHOOKS; h++) {
755                 if ((unsigned char *)e - base == hook_entries[h])
756                         newinfo->hook_entry[h] = hook_entries[h];
757                 if ((unsigned char *)e - base == underflows[h])
758                         newinfo->underflow[h] = underflows[h];
759         }
760
761         /* FIXME: underflows must be unconditional, standard verdicts
762            < 0 (not IPT_RETURN). --RR */
763
764         /* Clear counters and comefrom */
765         e->counters = ((struct xt_counters) { 0, 0 });
766         e->comefrom = 0;
767
768         (*i)++;
769         return 0;
770 }
771
772 static int
773 cleanup_entry(struct ipt_entry *e, unsigned int *i)
774 {
775         struct xt_tgdtor_param par;
776         struct ipt_entry_target *t;
777
778         if (i && (*i)-- == 0)
779                 return 1;
780
781         /* Cleanup all matches */
782         IPT_MATCH_ITERATE(e, cleanup_match, NULL);
783         t = ipt_get_target(e);
784
785         par.target   = t->u.kernel.target;
786         par.targinfo = t->data;
787         par.family   = NFPROTO_IPV4;
788         if (par.target->destroy != NULL)
789                 par.target->destroy(&par);
790         module_put(par.target->me);
791         return 0;
792 }
793
794 /* Checks and translates the user-supplied table segment (held in
795    newinfo) */
796 static int
797 translate_table(const char *name,
798                 unsigned int valid_hooks,
799                 struct xt_table_info *newinfo,
800                 void *entry0,
801                 unsigned int size,
802                 unsigned int number,
803                 const unsigned int *hook_entries,
804                 const unsigned int *underflows)
805 {
806         unsigned int i;
807         int ret;
808
809         newinfo->size = size;
810         newinfo->number = number;
811
812         /* Init all hooks to impossible value. */
813         for (i = 0; i < NF_INET_NUMHOOKS; i++) {
814                 newinfo->hook_entry[i] = 0xFFFFFFFF;
815                 newinfo->underflow[i] = 0xFFFFFFFF;
816         }
817
818         duprintf("translate_table: size %u\n", newinfo->size);
819         i = 0;
820         /* Walk through entries, checking offsets. */
821         ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
822                                 check_entry_size_and_hooks,
823                                 newinfo,
824                                 entry0,
825                                 entry0 + size,
826                                 hook_entries, underflows, &i);
827         if (ret != 0)
828                 return ret;
829
830         if (i != number) {
831                 duprintf("translate_table: %u not %u entries\n",
832                          i, number);
833                 return -EINVAL;
834         }
835
836         /* Check hooks all assigned */
837         for (i = 0; i < NF_INET_NUMHOOKS; i++) {
838                 /* Only hooks which are valid */
839                 if (!(valid_hooks & (1 << i)))
840                         continue;
841                 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
842                         duprintf("Invalid hook entry %u %u\n",
843                                  i, hook_entries[i]);
844                         return -EINVAL;
845                 }
846                 if (newinfo->underflow[i] == 0xFFFFFFFF) {
847                         duprintf("Invalid underflow %u %u\n",
848                                  i, underflows[i]);
849                         return -EINVAL;
850                 }
851         }
852
853         if (!mark_source_chains(newinfo, valid_hooks, entry0))
854                 return -ELOOP;
855
856         /* Finally, each sanity check must pass */
857         i = 0;
858         ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
859                                 find_check_entry, name, size, &i);
860
861         if (ret != 0) {
862                 IPT_ENTRY_ITERATE(entry0, newinfo->size,
863                                 cleanup_entry, &i);
864                 return ret;
865         }
866
867         /* And one copy for every other CPU */
868         for_each_possible_cpu(i) {
869                 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
870                         memcpy(newinfo->entries[i], entry0, newinfo->size);
871         }
872
873         return ret;
874 }
875
876 /* Gets counters. */
877 static inline int
878 add_entry_to_counter(const struct ipt_entry *e,
879                      struct xt_counters total[],
880                      unsigned int *i)
881 {
882         ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
883
884         (*i)++;
885         return 0;
886 }
887
888 static inline int
889 set_entry_to_counter(const struct ipt_entry *e,
890                      struct ipt_counters total[],
891                      unsigned int *i)
892 {
893         SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
894
895         (*i)++;
896         return 0;
897 }
898
899 static void
900 get_counters(const struct xt_table_info *t,
901              struct xt_counters counters[])
902 {
903         unsigned int cpu;
904         unsigned int i;
905         unsigned int curcpu;
906
907         /* Instead of clearing (by a previous call to memset())
908          * the counters and using adds, we set the counters
909          * with data used by 'current' CPU
910          * We dont care about preemption here.
911          */
912         curcpu = raw_smp_processor_id();
913
914         i = 0;
915         IPT_ENTRY_ITERATE(t->entries[curcpu],
916                           t->size,
917                           set_entry_to_counter,
918                           counters,
919                           &i);
920
921         for_each_possible_cpu(cpu) {
922                 if (cpu == curcpu)
923                         continue;
924                 i = 0;
925                 IPT_ENTRY_ITERATE(t->entries[cpu],
926                                   t->size,
927                                   add_entry_to_counter,
928                                   counters,
929                                   &i);
930         }
931 }
932
933 static struct xt_counters * alloc_counters(struct xt_table *table)
934 {
935         unsigned int countersize;
936         struct xt_counters *counters;
937         const struct xt_table_info *private = table->private;
938
939         /* We need atomic snapshot of counters: rest doesn't change
940            (other than comefrom, which userspace doesn't care
941            about). */
942         countersize = sizeof(struct xt_counters) * private->number;
943         counters = vmalloc_node(countersize, numa_node_id());
944
945         if (counters == NULL)
946                 return ERR_PTR(-ENOMEM);
947
948         /* First, sum counters... */
949         write_lock_bh(&table->lock);
950         get_counters(private, counters);
951         write_unlock_bh(&table->lock);
952
953         return counters;
954 }
955
956 static int
957 copy_entries_to_user(unsigned int total_size,
958                      struct xt_table *table,
959                      void __user *userptr)
960 {
961         unsigned int off, num;
962         struct ipt_entry *e;
963         struct xt_counters *counters;
964         const struct xt_table_info *private = table->private;
965         int ret = 0;
966         const void *loc_cpu_entry;
967
968         counters = alloc_counters(table);
969         if (IS_ERR(counters))
970                 return PTR_ERR(counters);
971
972         /* choose the copy that is on our node/cpu, ...
973          * This choice is lazy (because current thread is
974          * allowed to migrate to another cpu)
975          */
976         loc_cpu_entry = private->entries[raw_smp_processor_id()];
977         if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
978                 ret = -EFAULT;
979                 goto free_counters;
980         }
981
982         /* FIXME: use iterator macros --RR */
983         /* ... then go back and fix counters and names */
984         for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
985                 unsigned int i;
986                 const struct ipt_entry_match *m;
987                 const struct ipt_entry_target *t;
988
989                 e = (struct ipt_entry *)(loc_cpu_entry + off);
990                 if (copy_to_user(userptr + off
991                                  + offsetof(struct ipt_entry, counters),
992                                  &counters[num],
993                                  sizeof(counters[num])) != 0) {
994                         ret = -EFAULT;
995                         goto free_counters;
996                 }
997
998                 for (i = sizeof(struct ipt_entry);
999                      i < e->target_offset;
1000                      i += m->u.match_size) {
1001                         m = (void *)e + i;
1002
1003                         if (copy_to_user(userptr + off + i
1004                                          + offsetof(struct ipt_entry_match,
1005                                                     u.user.name),
1006                                          m->u.kernel.match->name,
1007                                          strlen(m->u.kernel.match->name)+1)
1008                             != 0) {
1009                                 ret = -EFAULT;
1010                                 goto free_counters;
1011                         }
1012                 }
1013
1014                 t = ipt_get_target(e);
1015                 if (copy_to_user(userptr + off + e->target_offset
1016                                  + offsetof(struct ipt_entry_target,
1017                                             u.user.name),
1018                                  t->u.kernel.target->name,
1019                                  strlen(t->u.kernel.target->name)+1) != 0) {
1020                         ret = -EFAULT;
1021                         goto free_counters;
1022                 }
1023         }
1024
1025  free_counters:
1026         vfree(counters);
1027         return ret;
1028 }
1029
1030 #ifdef CONFIG_COMPAT
1031 static void compat_standard_from_user(void *dst, void *src)
1032 {
1033         int v = *(compat_int_t *)src;
1034
1035         if (v > 0)
1036                 v += xt_compat_calc_jump(AF_INET, v);
1037         memcpy(dst, &v, sizeof(v));
1038 }
1039
1040 static int compat_standard_to_user(void __user *dst, void *src)
1041 {
1042         compat_int_t cv = *(int *)src;
1043
1044         if (cv > 0)
1045                 cv -= xt_compat_calc_jump(AF_INET, cv);
1046         return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1047 }
1048
1049 static inline int
1050 compat_calc_match(struct ipt_entry_match *m, int *size)
1051 {
1052         *size += xt_compat_match_offset(m->u.kernel.match);
1053         return 0;
1054 }
1055
1056 static int compat_calc_entry(struct ipt_entry *e,
1057                              const struct xt_table_info *info,
1058                              void *base, struct xt_table_info *newinfo)
1059 {
1060         struct ipt_entry_target *t;
1061         unsigned int entry_offset;
1062         int off, i, ret;
1063
1064         off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1065         entry_offset = (void *)e - base;
1066         IPT_MATCH_ITERATE(e, compat_calc_match, &off);
1067         t = ipt_get_target(e);
1068         off += xt_compat_target_offset(t->u.kernel.target);
1069         newinfo->size -= off;
1070         ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1071         if (ret)
1072                 return ret;
1073
1074         for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1075                 if (info->hook_entry[i] &&
1076                     (e < (struct ipt_entry *)(base + info->hook_entry[i])))
1077                         newinfo->hook_entry[i] -= off;
1078                 if (info->underflow[i] &&
1079                     (e < (struct ipt_entry *)(base + info->underflow[i])))
1080                         newinfo->underflow[i] -= off;
1081         }
1082         return 0;
1083 }
1084
1085 static int compat_table_info(const struct xt_table_info *info,
1086                              struct xt_table_info *newinfo)
1087 {
1088         void *loc_cpu_entry;
1089
1090         if (!newinfo || !info)
1091                 return -EINVAL;
1092
1093         /* we dont care about newinfo->entries[] */
1094         memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1095         newinfo->initial_entries = 0;
1096         loc_cpu_entry = info->entries[raw_smp_processor_id()];
1097         return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
1098                                  compat_calc_entry, info, loc_cpu_entry,
1099                                  newinfo);
1100 }
1101 #endif
1102
1103 static int get_info(struct net *net, void __user *user, int *len, int compat)
1104 {
1105         char name[IPT_TABLE_MAXNAMELEN];
1106         struct xt_table *t;
1107         int ret;
1108
1109         if (*len != sizeof(struct ipt_getinfo)) {
1110                 duprintf("length %u != %zu\n", *len,
1111                          sizeof(struct ipt_getinfo));
1112                 return -EINVAL;
1113         }
1114
1115         if (copy_from_user(name, user, sizeof(name)) != 0)
1116                 return -EFAULT;
1117
1118         name[IPT_TABLE_MAXNAMELEN-1] = '\0';
1119 #ifdef CONFIG_COMPAT
1120         if (compat)
1121                 xt_compat_lock(AF_INET);
1122 #endif
1123         t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1124                                     "iptable_%s", name);
1125         if (t && !IS_ERR(t)) {
1126                 struct ipt_getinfo info;
1127                 const struct xt_table_info *private = t->private;
1128
1129 #ifdef CONFIG_COMPAT
1130                 if (compat) {
1131                         struct xt_table_info tmp;
1132                         ret = compat_table_info(private, &tmp);
1133                         xt_compat_flush_offsets(AF_INET);
1134                         private = &tmp;
1135                 }
1136 #endif
1137                 info.valid_hooks = t->valid_hooks;
1138                 memcpy(info.hook_entry, private->hook_entry,
1139                        sizeof(info.hook_entry));
1140                 memcpy(info.underflow, private->underflow,
1141                        sizeof(info.underflow));
1142                 info.num_entries = private->number;
1143                 info.size = private->size;
1144                 strcpy(info.name, name);
1145
1146                 if (copy_to_user(user, &info, *len) != 0)
1147                         ret = -EFAULT;
1148                 else
1149                         ret = 0;
1150
1151                 xt_table_unlock(t);
1152                 module_put(t->me);
1153         } else
1154                 ret = t ? PTR_ERR(t) : -ENOENT;
1155 #ifdef CONFIG_COMPAT
1156         if (compat)
1157                 xt_compat_unlock(AF_INET);
1158 #endif
1159         return ret;
1160 }
1161
1162 static int
1163 get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len)
1164 {
1165         int ret;
1166         struct ipt_get_entries get;
1167         struct xt_table *t;
1168
1169         if (*len < sizeof(get)) {
1170                 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1171                 return -EINVAL;
1172         }
1173         if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1174                 return -EFAULT;
1175         if (*len != sizeof(struct ipt_get_entries) + get.size) {
1176                 duprintf("get_entries: %u != %zu\n",
1177                          *len, sizeof(get) + get.size);
1178                 return -EINVAL;
1179         }
1180
1181         t = xt_find_table_lock(net, AF_INET, get.name);
1182         if (t && !IS_ERR(t)) {
1183                 const struct xt_table_info *private = t->private;
1184                 duprintf("t->private->number = %u\n", private->number);
1185                 if (get.size == private->size)
1186                         ret = copy_entries_to_user(private->size,
1187                                                    t, uptr->entrytable);
1188                 else {
1189                         duprintf("get_entries: I've got %u not %u!\n",
1190                                  private->size, get.size);
1191                         ret = -EAGAIN;
1192                 }
1193                 module_put(t->me);
1194                 xt_table_unlock(t);
1195         } else
1196                 ret = t ? PTR_ERR(t) : -ENOENT;
1197
1198         return ret;
1199 }
1200
1201 static int
1202 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1203              struct xt_table_info *newinfo, unsigned int num_counters,
1204              void __user *counters_ptr)
1205 {
1206         int ret;
1207         struct xt_table *t;
1208         struct xt_table_info *oldinfo;
1209         struct xt_counters *counters;
1210         void *loc_cpu_old_entry;
1211
1212         ret = 0;
1213         counters = vmalloc(num_counters * sizeof(struct xt_counters));
1214         if (!counters) {
1215                 ret = -ENOMEM;
1216                 goto out;
1217         }
1218
1219         t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1220                                     "iptable_%s", name);
1221         if (!t || IS_ERR(t)) {
1222                 ret = t ? PTR_ERR(t) : -ENOENT;
1223                 goto free_newinfo_counters_untrans;
1224         }
1225
1226         /* You lied! */
1227         if (valid_hooks != t->valid_hooks) {
1228                 duprintf("Valid hook crap: %08X vs %08X\n",
1229                          valid_hooks, t->valid_hooks);
1230                 ret = -EINVAL;
1231                 goto put_module;
1232         }
1233
1234         oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1235         if (!oldinfo)
1236                 goto put_module;
1237
1238         /* Update module usage count based on number of rules */
1239         duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1240                 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1241         if ((oldinfo->number > oldinfo->initial_entries) ||
1242             (newinfo->number <= oldinfo->initial_entries))
1243                 module_put(t->me);
1244         if ((oldinfo->number > oldinfo->initial_entries) &&
1245             (newinfo->number <= oldinfo->initial_entries))
1246                 module_put(t->me);
1247
1248         /* Get the old counters. */
1249         get_counters(oldinfo, counters);
1250         /* Decrease module usage counts and free resource */
1251         loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1252         IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,
1253                           NULL);
1254         xt_free_table_info(oldinfo);
1255         if (copy_to_user(counters_ptr, counters,
1256                          sizeof(struct xt_counters) * num_counters) != 0)
1257                 ret = -EFAULT;
1258         vfree(counters);
1259         xt_table_unlock(t);
1260         return ret;
1261
1262  put_module:
1263         module_put(t->me);
1264         xt_table_unlock(t);
1265  free_newinfo_counters_untrans:
1266         vfree(counters);
1267  out:
1268         return ret;
1269 }
1270
1271 static int
1272 do_replace(struct net *net, void __user *user, unsigned int len)
1273 {
1274         int ret;
1275         struct ipt_replace tmp;
1276         struct xt_table_info *newinfo;
1277         void *loc_cpu_entry;
1278
1279         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1280                 return -EFAULT;
1281
1282         /* overflow check */
1283         if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1284                 return -ENOMEM;
1285
1286         newinfo = xt_alloc_table_info(tmp.size);
1287         if (!newinfo)
1288                 return -ENOMEM;
1289
1290         /* choose the copy that is on our node/cpu */
1291         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1292         if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1293                            tmp.size) != 0) {
1294                 ret = -EFAULT;
1295                 goto free_newinfo;
1296         }
1297
1298         ret = translate_table(tmp.name, tmp.valid_hooks,
1299                               newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
1300                               tmp.hook_entry, tmp.underflow);
1301         if (ret != 0)
1302                 goto free_newinfo;
1303
1304         duprintf("ip_tables: Translated table\n");
1305
1306         ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1307                            tmp.num_counters, tmp.counters);
1308         if (ret)
1309                 goto free_newinfo_untrans;
1310         return 0;
1311
1312  free_newinfo_untrans:
1313         IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1314  free_newinfo:
1315         xt_free_table_info(newinfo);
1316         return ret;
1317 }
1318
1319 /* We're lazy, and add to the first CPU; overflow works its fey magic
1320  * and everything is OK. */
1321 static int
1322 add_counter_to_entry(struct ipt_entry *e,
1323                      const struct xt_counters addme[],
1324                      unsigned int *i)
1325 {
1326 #if 0
1327         duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
1328                  *i,
1329                  (long unsigned int)e->counters.pcnt,
1330                  (long unsigned int)e->counters.bcnt,
1331                  (long unsigned int)addme[*i].pcnt,
1332                  (long unsigned int)addme[*i].bcnt);
1333 #endif
1334
1335         ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
1336
1337         (*i)++;
1338         return 0;
1339 }
1340
1341 static int
1342 do_add_counters(struct net *net, void __user *user, unsigned int len, int compat)
1343 {
1344         unsigned int i;
1345         struct xt_counters_info tmp;
1346         struct xt_counters *paddc;
1347         unsigned int num_counters;
1348         const char *name;
1349         int size;
1350         void *ptmp;
1351         struct xt_table *t;
1352         const struct xt_table_info *private;
1353         int ret = 0;
1354         void *loc_cpu_entry;
1355 #ifdef CONFIG_COMPAT
1356         struct compat_xt_counters_info compat_tmp;
1357
1358         if (compat) {
1359                 ptmp = &compat_tmp;
1360                 size = sizeof(struct compat_xt_counters_info);
1361         } else
1362 #endif
1363         {
1364                 ptmp = &tmp;
1365                 size = sizeof(struct xt_counters_info);
1366         }
1367
1368         if (copy_from_user(ptmp, user, size) != 0)
1369                 return -EFAULT;
1370
1371 #ifdef CONFIG_COMPAT
1372         if (compat) {
1373                 num_counters = compat_tmp.num_counters;
1374                 name = compat_tmp.name;
1375         } else
1376 #endif
1377         {
1378                 num_counters = tmp.num_counters;
1379                 name = tmp.name;
1380         }
1381
1382         if (len != size + num_counters * sizeof(struct xt_counters))
1383                 return -EINVAL;
1384
1385         paddc = vmalloc_node(len - size, numa_node_id());
1386         if (!paddc)
1387                 return -ENOMEM;
1388
1389         if (copy_from_user(paddc, user + size, len - size) != 0) {
1390                 ret = -EFAULT;
1391                 goto free;
1392         }
1393
1394         t = xt_find_table_lock(net, AF_INET, name);
1395         if (!t || IS_ERR(t)) {
1396                 ret = t ? PTR_ERR(t) : -ENOENT;
1397                 goto free;
1398         }
1399
1400         write_lock_bh(&t->lock);
1401         private = t->private;
1402         if (private->number != num_counters) {
1403                 ret = -EINVAL;
1404                 goto unlock_up_free;
1405         }
1406
1407         i = 0;
1408         /* Choose the copy that is on our node */
1409         loc_cpu_entry = private->entries[raw_smp_processor_id()];
1410         IPT_ENTRY_ITERATE(loc_cpu_entry,
1411                           private->size,
1412                           add_counter_to_entry,
1413                           paddc,
1414                           &i);
1415  unlock_up_free:
1416         write_unlock_bh(&t->lock);
1417         xt_table_unlock(t);
1418         module_put(t->me);
1419  free:
1420         vfree(paddc);
1421
1422         return ret;
1423 }
1424
1425 #ifdef CONFIG_COMPAT
1426 struct compat_ipt_replace {
1427         char                    name[IPT_TABLE_MAXNAMELEN];
1428         u32                     valid_hooks;
1429         u32                     num_entries;
1430         u32                     size;
1431         u32                     hook_entry[NF_INET_NUMHOOKS];
1432         u32                     underflow[NF_INET_NUMHOOKS];
1433         u32                     num_counters;
1434         compat_uptr_t           counters;       /* struct ipt_counters * */
1435         struct compat_ipt_entry entries[0];
1436 };
1437
1438 static int
1439 compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
1440                           unsigned int *size, struct xt_counters *counters,
1441                           unsigned int *i)
1442 {
1443         struct ipt_entry_target *t;
1444         struct compat_ipt_entry __user *ce;
1445         u_int16_t target_offset, next_offset;
1446         compat_uint_t origsize;
1447         int ret;
1448
1449         ret = -EFAULT;
1450         origsize = *size;
1451         ce = (struct compat_ipt_entry __user *)*dstptr;
1452         if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
1453                 goto out;
1454
1455         if (copy_to_user(&ce->counters, &counters[*i], sizeof(counters[*i])))
1456                 goto out;
1457
1458         *dstptr += sizeof(struct compat_ipt_entry);
1459         *size -= sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1460
1461         ret = IPT_MATCH_ITERATE(e, xt_compat_match_to_user, dstptr, size);
1462         target_offset = e->target_offset - (origsize - *size);
1463         if (ret)
1464                 goto out;
1465         t = ipt_get_target(e);
1466         ret = xt_compat_target_to_user(t, dstptr, size);
1467         if (ret)
1468                 goto out;
1469         ret = -EFAULT;
1470         next_offset = e->next_offset - (origsize - *size);
1471         if (put_user(target_offset, &ce->target_offset))
1472                 goto out;
1473         if (put_user(next_offset, &ce->next_offset))
1474                 goto out;
1475
1476         (*i)++;
1477         return 0;
1478 out:
1479         return ret;
1480 }
1481
1482 static int
1483 compat_find_calc_match(struct ipt_entry_match *m,
1484                        const char *name,
1485                        const struct ipt_ip *ip,
1486                        unsigned int hookmask,
1487                        int *size, unsigned int *i)
1488 {
1489         struct xt_match *match;
1490
1491         match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
1492                                                       m->u.user.revision),
1493                                         "ipt_%s", m->u.user.name);
1494         if (IS_ERR(match) || !match) {
1495                 duprintf("compat_check_calc_match: `%s' not found\n",
1496                          m->u.user.name);
1497                 return match ? PTR_ERR(match) : -ENOENT;
1498         }
1499         m->u.kernel.match = match;
1500         *size += xt_compat_match_offset(match);
1501
1502         (*i)++;
1503         return 0;
1504 }
1505
1506 static int
1507 compat_release_match(struct ipt_entry_match *m, unsigned int *i)
1508 {
1509         if (i && (*i)-- == 0)
1510                 return 1;
1511
1512         module_put(m->u.kernel.match->me);
1513         return 0;
1514 }
1515
1516 static int
1517 compat_release_entry(struct compat_ipt_entry *e, unsigned int *i)
1518 {
1519         struct ipt_entry_target *t;
1520
1521         if (i && (*i)-- == 0)
1522                 return 1;
1523
1524         /* Cleanup all matches */
1525         COMPAT_IPT_MATCH_ITERATE(e, compat_release_match, NULL);
1526         t = compat_ipt_get_target(e);
1527         module_put(t->u.kernel.target->me);
1528         return 0;
1529 }
1530
1531 static int
1532 check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
1533                                   struct xt_table_info *newinfo,
1534                                   unsigned int *size,
1535                                   unsigned char *base,
1536                                   unsigned char *limit,
1537                                   unsigned int *hook_entries,
1538                                   unsigned int *underflows,
1539                                   unsigned int *i,
1540                                   const char *name)
1541 {
1542         struct ipt_entry_target *t;
1543         struct xt_target *target;
1544         unsigned int entry_offset;
1545         unsigned int j;
1546         int ret, off, h;
1547
1548         duprintf("check_compat_entry_size_and_hooks %p\n", e);
1549         if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
1550             || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1551                 duprintf("Bad offset %p, limit = %p\n", e, limit);
1552                 return -EINVAL;
1553         }
1554
1555         if (e->next_offset < sizeof(struct compat_ipt_entry) +
1556                              sizeof(struct compat_xt_entry_target)) {
1557                 duprintf("checking: element %p size %u\n",
1558                          e, e->next_offset);
1559                 return -EINVAL;
1560         }
1561
1562         /* For purposes of check_entry casting the compat entry is fine */
1563         ret = check_entry((struct ipt_entry *)e, name);
1564         if (ret)
1565                 return ret;
1566
1567         off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1568         entry_offset = (void *)e - (void *)base;
1569         j = 0;
1570         ret = COMPAT_IPT_MATCH_ITERATE(e, compat_find_calc_match, name,
1571                                        &e->ip, e->comefrom, &off, &j);
1572         if (ret != 0)
1573                 goto release_matches;
1574
1575         t = compat_ipt_get_target(e);
1576         target = try_then_request_module(xt_find_target(AF_INET,
1577                                                         t->u.user.name,
1578                                                         t->u.user.revision),
1579                                          "ipt_%s", t->u.user.name);
1580         if (IS_ERR(target) || !target) {
1581                 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1582                          t->u.user.name);
1583                 ret = target ? PTR_ERR(target) : -ENOENT;
1584                 goto release_matches;
1585         }
1586         t->u.kernel.target = target;
1587
1588         off += xt_compat_target_offset(target);
1589         *size += off;
1590         ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1591         if (ret)
1592                 goto out;
1593
1594         /* Check hooks & underflows */
1595         for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1596                 if ((unsigned char *)e - base == hook_entries[h])
1597                         newinfo->hook_entry[h] = hook_entries[h];
1598                 if ((unsigned char *)e - base == underflows[h])
1599                         newinfo->underflow[h] = underflows[h];
1600         }
1601
1602         /* Clear counters and comefrom */
1603         memset(&e->counters, 0, sizeof(e->counters));
1604         e->comefrom = 0;
1605
1606         (*i)++;
1607         return 0;
1608
1609 out:
1610         module_put(t->u.kernel.target->me);
1611 release_matches:
1612         IPT_MATCH_ITERATE(e, compat_release_match, &j);
1613         return ret;
1614 }
1615
1616 static int
1617 compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
1618                             unsigned int *size, const char *name,
1619                             struct xt_table_info *newinfo, unsigned char *base)
1620 {
1621         struct ipt_entry_target *t;
1622         struct xt_target *target;
1623         struct ipt_entry *de;
1624         unsigned int origsize;
1625         int ret, h;
1626
1627         ret = 0;
1628         origsize = *size;
1629         de = (struct ipt_entry *)*dstptr;
1630         memcpy(de, e, sizeof(struct ipt_entry));
1631         memcpy(&de->counters, &e->counters, sizeof(e->counters));
1632
1633         *dstptr += sizeof(struct ipt_entry);
1634         *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1635
1636         ret = COMPAT_IPT_MATCH_ITERATE(e, xt_compat_match_from_user,
1637                                        dstptr, size);
1638         if (ret)
1639                 return ret;
1640         de->target_offset = e->target_offset - (origsize - *size);
1641         t = compat_ipt_get_target(e);
1642         target = t->u.kernel.target;
1643         xt_compat_target_from_user(t, dstptr, size);
1644
1645         de->next_offset = e->next_offset - (origsize - *size);
1646         for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1647                 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1648                         newinfo->hook_entry[h] -= origsize - *size;
1649                 if ((unsigned char *)de - base < newinfo->underflow[h])
1650                         newinfo->underflow[h] -= origsize - *size;
1651         }
1652         return ret;
1653 }
1654
1655 static int
1656 compat_check_entry(struct ipt_entry *e, const char *name,
1657                                      unsigned int *i)
1658 {
1659         struct xt_mtchk_param mtpar;
1660         unsigned int j;
1661         int ret;
1662
1663         j = 0;
1664         mtpar.table     = name;
1665         mtpar.entryinfo = &e->ip;
1666         mtpar.hook_mask = e->comefrom;
1667         mtpar.family    = NFPROTO_IPV4;
1668         ret = IPT_MATCH_ITERATE(e, check_match, &mtpar, &j);
1669         if (ret)
1670                 goto cleanup_matches;
1671
1672         ret = check_target(e, name);
1673         if (ret)
1674                 goto cleanup_matches;
1675
1676         (*i)++;
1677         return 0;
1678
1679  cleanup_matches:
1680         IPT_MATCH_ITERATE(e, cleanup_match, &j);
1681         return ret;
1682 }
1683
1684 static int
1685 translate_compat_table(const char *name,
1686                        unsigned int valid_hooks,
1687                        struct xt_table_info **pinfo,
1688                        void **pentry0,
1689                        unsigned int total_size,
1690                        unsigned int number,
1691                        unsigned int *hook_entries,
1692                        unsigned int *underflows)
1693 {
1694         unsigned int i, j;
1695         struct xt_table_info *newinfo, *info;
1696         void *pos, *entry0, *entry1;
1697         unsigned int size;
1698         int ret;
1699
1700         info = *pinfo;
1701         entry0 = *pentry0;
1702         size = total_size;
1703         info->number = number;
1704
1705         /* Init all hooks to impossible value. */
1706         for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1707                 info->hook_entry[i] = 0xFFFFFFFF;
1708                 info->underflow[i] = 0xFFFFFFFF;
1709         }
1710
1711         duprintf("translate_compat_table: size %u\n", info->size);
1712         j = 0;
1713         xt_compat_lock(AF_INET);
1714         /* Walk through entries, checking offsets. */
1715         ret = COMPAT_IPT_ENTRY_ITERATE(entry0, total_size,
1716                                        check_compat_entry_size_and_hooks,
1717                                        info, &size, entry0,
1718                                        entry0 + total_size,
1719                                        hook_entries, underflows, &j, name);
1720         if (ret != 0)
1721                 goto out_unlock;
1722
1723         ret = -EINVAL;
1724         if (j != number) {
1725                 duprintf("translate_compat_table: %u not %u entries\n",
1726                          j, number);
1727                 goto out_unlock;
1728         }
1729
1730         /* Check hooks all assigned */
1731         for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1732                 /* Only hooks which are valid */
1733                 if (!(valid_hooks & (1 << i)))
1734                         continue;
1735                 if (info->hook_entry[i] == 0xFFFFFFFF) {
1736                         duprintf("Invalid hook entry %u %u\n",
1737                                  i, hook_entries[i]);
1738                         goto out_unlock;
1739                 }
1740                 if (info->underflow[i] == 0xFFFFFFFF) {
1741                         duprintf("Invalid underflow %u %u\n",
1742                                  i, underflows[i]);
1743                         goto out_unlock;
1744                 }
1745         }
1746
1747         ret = -ENOMEM;
1748         newinfo = xt_alloc_table_info(size);
1749         if (!newinfo)
1750                 goto out_unlock;
1751
1752         newinfo->number = number;
1753         for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1754                 newinfo->hook_entry[i] = info->hook_entry[i];
1755                 newinfo->underflow[i] = info->underflow[i];
1756         }
1757         entry1 = newinfo->entries[raw_smp_processor_id()];
1758         pos = entry1;
1759         size = total_size;
1760         ret = COMPAT_IPT_ENTRY_ITERATE(entry0, total_size,
1761                                        compat_copy_entry_from_user,
1762                                        &pos, &size, name, newinfo, entry1);
1763         xt_compat_flush_offsets(AF_INET);
1764         xt_compat_unlock(AF_INET);
1765         if (ret)
1766                 goto free_newinfo;
1767
1768         ret = -ELOOP;
1769         if (!mark_source_chains(newinfo, valid_hooks, entry1))
1770                 goto free_newinfo;
1771
1772         i = 0;
1773         ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
1774                                 name, &i);
1775         if (ret) {
1776                 j -= i;
1777                 COMPAT_IPT_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i,
1778                                                   compat_release_entry, &j);
1779                 IPT_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i);
1780                 xt_free_table_info(newinfo);
1781                 return ret;
1782         }
1783
1784         /* And one copy for every other CPU */
1785         for_each_possible_cpu(i)
1786                 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1787                         memcpy(newinfo->entries[i], entry1, newinfo->size);
1788
1789         *pinfo = newinfo;
1790         *pentry0 = entry1;
1791         xt_free_table_info(info);
1792         return 0;
1793
1794 free_newinfo:
1795         xt_free_table_info(newinfo);
1796 out:
1797         COMPAT_IPT_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j);
1798         return ret;
1799 out_unlock:
1800         xt_compat_flush_offsets(AF_INET);
1801         xt_compat_unlock(AF_INET);
1802         goto out;
1803 }
1804
1805 static int
1806 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1807 {
1808         int ret;
1809         struct compat_ipt_replace tmp;
1810         struct xt_table_info *newinfo;
1811         void *loc_cpu_entry;
1812
1813         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1814                 return -EFAULT;
1815
1816         /* overflow check */
1817         if (tmp.size >= INT_MAX / num_possible_cpus())
1818                 return -ENOMEM;
1819         if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1820                 return -ENOMEM;
1821
1822         newinfo = xt_alloc_table_info(tmp.size);
1823         if (!newinfo)
1824                 return -ENOMEM;
1825
1826         /* choose the copy that is on our node/cpu */
1827         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1828         if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1829                            tmp.size) != 0) {
1830                 ret = -EFAULT;
1831                 goto free_newinfo;
1832         }
1833
1834         ret = translate_compat_table(tmp.name, tmp.valid_hooks,
1835                                      &newinfo, &loc_cpu_entry, tmp.size,
1836                                      tmp.num_entries, tmp.hook_entry,
1837                                      tmp.underflow);
1838         if (ret != 0)
1839                 goto free_newinfo;
1840
1841         duprintf("compat_do_replace: Translated table\n");
1842
1843         ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1844                            tmp.num_counters, compat_ptr(tmp.counters));
1845         if (ret)
1846                 goto free_newinfo_untrans;
1847         return 0;
1848
1849  free_newinfo_untrans:
1850         IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1851  free_newinfo:
1852         xt_free_table_info(newinfo);
1853         return ret;
1854 }
1855
1856 static int
1857 compat_do_ipt_set_ctl(struct sock *sk,  int cmd, void __user *user,
1858                       unsigned int len)
1859 {
1860         int ret;
1861
1862         if (!capable(CAP_NET_ADMIN))
1863                 return -EPERM;
1864
1865         switch (cmd) {
1866         case IPT_SO_SET_REPLACE:
1867                 ret = compat_do_replace(sock_net(sk), user, len);
1868                 break;
1869
1870         case IPT_SO_SET_ADD_COUNTERS:
1871                 ret = do_add_counters(sock_net(sk), user, len, 1);
1872                 break;
1873
1874         default:
1875                 duprintf("do_ipt_set_ctl:  unknown request %i\n", cmd);
1876                 ret = -EINVAL;
1877         }
1878
1879         return ret;
1880 }
1881
1882 struct compat_ipt_get_entries {
1883         char name[IPT_TABLE_MAXNAMELEN];
1884         compat_uint_t size;
1885         struct compat_ipt_entry entrytable[0];
1886 };
1887
1888 static int
1889 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1890                             void __user *userptr)
1891 {
1892         struct xt_counters *counters;
1893         const struct xt_table_info *private = table->private;
1894         void __user *pos;
1895         unsigned int size;
1896         int ret = 0;
1897         const void *loc_cpu_entry;
1898         unsigned int i = 0;
1899
1900         counters = alloc_counters(table);
1901         if (IS_ERR(counters))
1902                 return PTR_ERR(counters);
1903
1904         /* choose the copy that is on our node/cpu, ...
1905          * This choice is lazy (because current thread is
1906          * allowed to migrate to another cpu)
1907          */
1908         loc_cpu_entry = private->entries[raw_smp_processor_id()];
1909         pos = userptr;
1910         size = total_size;
1911         ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
1912                                 compat_copy_entry_to_user,
1913                                 &pos, &size, counters, &i);
1914
1915         vfree(counters);
1916         return ret;
1917 }
1918
1919 static int
1920 compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
1921                    int *len)
1922 {
1923         int ret;
1924         struct compat_ipt_get_entries get;
1925         struct xt_table *t;
1926
1927         if (*len < sizeof(get)) {
1928                 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1929                 return -EINVAL;
1930         }
1931
1932         if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1933                 return -EFAULT;
1934
1935         if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
1936                 duprintf("compat_get_entries: %u != %zu\n",
1937                          *len, sizeof(get) + get.size);
1938                 return -EINVAL;
1939         }
1940
1941         xt_compat_lock(AF_INET);
1942         t = xt_find_table_lock(net, AF_INET, get.name);
1943         if (t && !IS_ERR(t)) {
1944                 const struct xt_table_info *private = t->private;
1945                 struct xt_table_info info;
1946                 duprintf("t->private->number = %u\n", private->number);
1947                 ret = compat_table_info(private, &info);
1948                 if (!ret && get.size == info.size) {
1949                         ret = compat_copy_entries_to_user(private->size,
1950                                                           t, uptr->entrytable);
1951                 } else if (!ret) {
1952                         duprintf("compat_get_entries: I've got %u not %u!\n",
1953                                  private->size, get.size);
1954                         ret = -EAGAIN;
1955                 }
1956                 xt_compat_flush_offsets(AF_INET);
1957                 module_put(t->me);
1958                 xt_table_unlock(t);
1959         } else
1960                 ret = t ? PTR_ERR(t) : -ENOENT;
1961
1962         xt_compat_unlock(AF_INET);
1963         return ret;
1964 }
1965
1966 static int do_ipt_get_ctl(struct sock *, int, void __user *, int *);
1967
1968 static int
1969 compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1970 {
1971         int ret;
1972
1973         if (!capable(CAP_NET_ADMIN))
1974                 return -EPERM;
1975
1976         switch (cmd) {
1977         case IPT_SO_GET_INFO:
1978                 ret = get_info(sock_net(sk), user, len, 1);
1979                 break;
1980         case IPT_SO_GET_ENTRIES:
1981                 ret = compat_get_entries(sock_net(sk), user, len);
1982                 break;
1983         default:
1984                 ret = do_ipt_get_ctl(sk, cmd, user, len);
1985         }
1986         return ret;
1987 }
1988 #endif
1989
1990 static int
1991 do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1992 {
1993         int ret;
1994
1995         if (!capable(CAP_NET_ADMIN))
1996                 return -EPERM;
1997
1998         switch (cmd) {
1999         case IPT_SO_SET_REPLACE:
2000                 ret = do_replace(sock_net(sk), user, len);
2001                 break;
2002
2003         case IPT_SO_SET_ADD_COUNTERS:
2004                 ret = do_add_counters(sock_net(sk), user, len, 0);
2005                 break;
2006
2007         default:
2008                 duprintf("do_ipt_set_ctl:  unknown request %i\n", cmd);
2009                 ret = -EINVAL;
2010         }
2011
2012         return ret;
2013 }
2014
2015 static int
2016 do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2017 {
2018         int ret;
2019
2020         if (!capable(CAP_NET_ADMIN))
2021                 return -EPERM;
2022
2023         switch (cmd) {
2024         case IPT_SO_GET_INFO:
2025                 ret = get_info(sock_net(sk), user, len, 0);
2026                 break;
2027
2028         case IPT_SO_GET_ENTRIES:
2029                 ret = get_entries(sock_net(sk), user, len);
2030                 break;
2031
2032         case IPT_SO_GET_REVISION_MATCH:
2033         case IPT_SO_GET_REVISION_TARGET: {
2034                 struct ipt_get_revision rev;
2035                 int target;
2036
2037                 if (*len != sizeof(rev)) {
2038                         ret = -EINVAL;
2039                         break;
2040                 }
2041                 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2042                         ret = -EFAULT;
2043                         break;
2044                 }
2045
2046                 if (cmd == IPT_SO_GET_REVISION_TARGET)
2047                         target = 1;
2048                 else
2049                         target = 0;
2050
2051                 try_then_request_module(xt_find_revision(AF_INET, rev.name,
2052                                                          rev.revision,
2053                                                          target, &ret),
2054                                         "ipt_%s", rev.name);
2055                 break;
2056         }
2057
2058         default:
2059                 duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
2060                 ret = -EINVAL;
2061         }
2062
2063         return ret;
2064 }
2065
2066 struct xt_table *ipt_register_table(struct net *net, struct xt_table *table,
2067                                     const struct ipt_replace *repl)
2068 {
2069         int ret;
2070         struct xt_table_info *newinfo;
2071         struct xt_table_info bootstrap
2072                 = { 0, 0, 0, { 0 }, { 0 }, { } };
2073         void *loc_cpu_entry;
2074         struct xt_table *new_table;
2075
2076         newinfo = xt_alloc_table_info(repl->size);
2077         if (!newinfo) {
2078                 ret = -ENOMEM;
2079                 goto out;
2080         }
2081
2082         /* choose the copy on our node/cpu, but dont care about preemption */
2083         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2084         memcpy(loc_cpu_entry, repl->entries, repl->size);
2085
2086         ret = translate_table(table->name, table->valid_hooks,
2087                               newinfo, loc_cpu_entry, repl->size,
2088                               repl->num_entries,
2089                               repl->hook_entry,
2090                               repl->underflow);
2091         if (ret != 0)
2092                 goto out_free;
2093
2094         new_table = xt_register_table(net, table, &bootstrap, newinfo);
2095         if (IS_ERR(new_table)) {
2096                 ret = PTR_ERR(new_table);
2097                 goto out_free;
2098         }
2099
2100         return new_table;
2101
2102 out_free:
2103         xt_free_table_info(newinfo);
2104 out:
2105         return ERR_PTR(ret);
2106 }
2107
2108 void ipt_unregister_table(struct xt_table *table)
2109 {
2110         struct xt_table_info *private;
2111         void *loc_cpu_entry;
2112         struct module *table_owner = table->me;
2113
2114         private = xt_unregister_table(table);
2115
2116         /* Decrease module usage counts and free resources */
2117         loc_cpu_entry = private->entries[raw_smp_processor_id()];
2118         IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
2119         if (private->number > private->initial_entries)
2120                 module_put(table_owner);
2121         xt_free_table_info(private);
2122 }
2123
2124 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2125 static inline bool
2126 icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2127                      u_int8_t type, u_int8_t code,
2128                      bool invert)
2129 {
2130         return ((test_type == 0xFF) ||
2131                 (type == test_type && code >= min_code && code <= max_code))
2132                 ^ invert;
2133 }
2134
2135 static bool
2136 icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
2137 {
2138         const struct icmphdr *ic;
2139         struct icmphdr _icmph;
2140         const struct ipt_icmp *icmpinfo = par->matchinfo;
2141
2142         /* Must not be a fragment. */
2143         if (par->fragoff != 0)
2144                 return false;
2145
2146         ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2147         if (ic == NULL) {
2148                 /* We've been asked to examine this packet, and we
2149                  * can't.  Hence, no choice but to drop.
2150                  */
2151                 duprintf("Dropping evil ICMP tinygram.\n");
2152                 *par->hotdrop = true;
2153                 return false;
2154         }
2155
2156         return icmp_type_code_match(icmpinfo->type,
2157                                     icmpinfo->code[0],
2158                                     icmpinfo->code[1],
2159                                     ic->type, ic->code,
2160                                     !!(icmpinfo->invflags&IPT_ICMP_INV));
2161 }
2162
2163 static bool icmp_checkentry(const struct xt_mtchk_param *par)
2164 {
2165         const struct ipt_icmp *icmpinfo = par->matchinfo;
2166
2167         /* Must specify no unknown invflags */
2168         return !(icmpinfo->invflags & ~IPT_ICMP_INV);
2169 }
2170
2171 /* The built-in targets: standard (NULL) and error. */
2172 static struct xt_target ipt_standard_target __read_mostly = {
2173         .name           = IPT_STANDARD_TARGET,
2174         .targetsize     = sizeof(int),
2175         .family         = AF_INET,
2176 #ifdef CONFIG_COMPAT
2177         .compatsize     = sizeof(compat_int_t),
2178         .compat_from_user = compat_standard_from_user,
2179         .compat_to_user = compat_standard_to_user,
2180 #endif
2181 };
2182
2183 static struct xt_target ipt_error_target __read_mostly = {
2184         .name           = IPT_ERROR_TARGET,
2185         .target         = ipt_error,
2186         .targetsize     = IPT_FUNCTION_MAXNAMELEN,
2187         .family         = AF_INET,
2188 };
2189
2190 static struct nf_sockopt_ops ipt_sockopts = {
2191         .pf             = PF_INET,
2192         .set_optmin     = IPT_BASE_CTL,
2193         .set_optmax     = IPT_SO_SET_MAX+1,
2194         .set            = do_ipt_set_ctl,
2195 #ifdef CONFIG_COMPAT
2196         .compat_set     = compat_do_ipt_set_ctl,
2197 #endif
2198         .get_optmin     = IPT_BASE_CTL,
2199         .get_optmax     = IPT_SO_GET_MAX+1,
2200         .get            = do_ipt_get_ctl,
2201 #ifdef CONFIG_COMPAT
2202         .compat_get     = compat_do_ipt_get_ctl,
2203 #endif
2204         .owner          = THIS_MODULE,
2205 };
2206
2207 static struct xt_match icmp_matchstruct __read_mostly = {
2208         .name           = "icmp",
2209         .match          = icmp_match,
2210         .matchsize      = sizeof(struct ipt_icmp),
2211         .checkentry     = icmp_checkentry,
2212         .proto          = IPPROTO_ICMP,
2213         .family         = AF_INET,
2214 };
2215
2216 static int __net_init ip_tables_net_init(struct net *net)
2217 {
2218         return xt_proto_init(net, AF_INET);
2219 }
2220
2221 static void __net_exit ip_tables_net_exit(struct net *net)
2222 {
2223         xt_proto_fini(net, AF_INET);
2224 }
2225
2226 static struct pernet_operations ip_tables_net_ops = {
2227         .init = ip_tables_net_init,
2228         .exit = ip_tables_net_exit,
2229 };
2230
2231 static int __init ip_tables_init(void)
2232 {
2233         int ret;
2234
2235         ret = register_pernet_subsys(&ip_tables_net_ops);
2236         if (ret < 0)
2237                 goto err1;
2238
2239         /* Noone else will be downing sem now, so we won't sleep */
2240         ret = xt_register_target(&ipt_standard_target);
2241         if (ret < 0)
2242                 goto err2;
2243         ret = xt_register_target(&ipt_error_target);
2244         if (ret < 0)
2245                 goto err3;
2246         ret = xt_register_match(&icmp_matchstruct);
2247         if (ret < 0)
2248                 goto err4;
2249
2250         /* Register setsockopt */
2251         ret = nf_register_sockopt(&ipt_sockopts);
2252         if (ret < 0)
2253                 goto err5;
2254
2255         printk(KERN_INFO "ip_tables: (C) 2000-2006 Netfilter Core Team\n");
2256         return 0;
2257
2258 err5:
2259         xt_unregister_match(&icmp_matchstruct);
2260 err4:
2261         xt_unregister_target(&ipt_error_target);
2262 err3:
2263         xt_unregister_target(&ipt_standard_target);
2264 err2:
2265         unregister_pernet_subsys(&ip_tables_net_ops);
2266 err1:
2267         return ret;
2268 }
2269
2270 static void __exit ip_tables_fini(void)
2271 {
2272         nf_unregister_sockopt(&ipt_sockopts);
2273
2274         xt_unregister_match(&icmp_matchstruct);
2275         xt_unregister_target(&ipt_error_target);
2276         xt_unregister_target(&ipt_standard_target);
2277
2278         unregister_pernet_subsys(&ip_tables_net_ops);
2279 }
2280
2281 EXPORT_SYMBOL(ipt_register_table);
2282 EXPORT_SYMBOL(ipt_unregister_table);
2283 EXPORT_SYMBOL(ipt_do_table);
2284 module_init(ip_tables_init);
2285 module_exit(ip_tables_fini);