Merge branch 'master'
[linux-2.6] / net / ipv4 / netfilter / ip_tables.c
1 /*
2  * Packet matching code.
3  *
4  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5  * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation.
10  *
11  * 19 Jan 2002 Harald Welte <laforge@gnumonks.org>
12  *      - increase module usage count as soon as we have rules inside
13  *        a table
14  * 08 Oct 2005 Harald Welte <lafore@netfilter.org>
15  *      - Generalize into "x_tables" layer and "{ip,ip6,arp}_tables"
16  */
17 #include <linux/config.h>
18 #include <linux/cache.h>
19 #include <linux/capability.h>
20 #include <linux/skbuff.h>
21 #include <linux/kmod.h>
22 #include <linux/vmalloc.h>
23 #include <linux/netdevice.h>
24 #include <linux/module.h>
25 #include <linux/icmp.h>
26 #include <net/ip.h>
27 #include <net/compat.h>
28 #include <asm/uaccess.h>
29 #include <linux/mutex.h>
30 #include <linux/proc_fs.h>
31 #include <linux/err.h>
32 #include <linux/cpumask.h>
33
34 #include <linux/netfilter/x_tables.h>
35 #include <linux/netfilter_ipv4/ip_tables.h>
36
37 MODULE_LICENSE("GPL");
38 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
39 MODULE_DESCRIPTION("IPv4 packet filter");
40
41 /*#define DEBUG_IP_FIREWALL*/
42 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
43 /*#define DEBUG_IP_FIREWALL_USER*/
44
45 #ifdef DEBUG_IP_FIREWALL
46 #define dprintf(format, args...)  printk(format , ## args)
47 #else
48 #define dprintf(format, args...)
49 #endif
50
51 #ifdef DEBUG_IP_FIREWALL_USER
52 #define duprintf(format, args...) printk(format , ## args)
53 #else
54 #define duprintf(format, args...)
55 #endif
56
57 #ifdef CONFIG_NETFILTER_DEBUG
58 #define IP_NF_ASSERT(x)                                         \
59 do {                                                            \
60         if (!(x))                                               \
61                 printk("IP_NF_ASSERT: %s:%s:%u\n",              \
62                        __FUNCTION__, __FILE__, __LINE__);       \
63 } while(0)
64 #else
65 #define IP_NF_ASSERT(x)
66 #endif
67
68 #if 0
69 /* All the better to debug you with... */
70 #define static
71 #define inline
72 #endif
73
74 /*
75    We keep a set of rules for each CPU, so we can avoid write-locking
76    them in the softirq when updating the counters and therefore
77    only need to read-lock in the softirq; doing a write_lock_bh() in user
78    context stops packets coming through and allows user context to read
79    the counters or update the rules.
80
81    Hence the start of any table is given by get_table() below.  */
82
83 /* Returns whether matches rule or not. */
84 static inline int
85 ip_packet_match(const struct iphdr *ip,
86                 const char *indev,
87                 const char *outdev,
88                 const struct ipt_ip *ipinfo,
89                 int isfrag)
90 {
91         size_t i;
92         unsigned long ret;
93
94 #define FWINV(bool,invflg) ((bool) ^ !!(ipinfo->invflags & invflg))
95
96         if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
97                   IPT_INV_SRCIP)
98             || FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
99                      IPT_INV_DSTIP)) {
100                 dprintf("Source or dest mismatch.\n");
101
102                 dprintf("SRC: %u.%u.%u.%u. Mask: %u.%u.%u.%u. Target: %u.%u.%u.%u.%s\n",
103                         NIPQUAD(ip->saddr),
104                         NIPQUAD(ipinfo->smsk.s_addr),
105                         NIPQUAD(ipinfo->src.s_addr),
106                         ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
107                 dprintf("DST: %u.%u.%u.%u Mask: %u.%u.%u.%u Target: %u.%u.%u.%u.%s\n",
108                         NIPQUAD(ip->daddr),
109                         NIPQUAD(ipinfo->dmsk.s_addr),
110                         NIPQUAD(ipinfo->dst.s_addr),
111                         ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
112                 return 0;
113         }
114
115         /* Look for ifname matches; this should unroll nicely. */
116         for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
117                 ret |= (((const unsigned long *)indev)[i]
118                         ^ ((const unsigned long *)ipinfo->iniface)[i])
119                         & ((const unsigned long *)ipinfo->iniface_mask)[i];
120         }
121
122         if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
123                 dprintf("VIA in mismatch (%s vs %s).%s\n",
124                         indev, ipinfo->iniface,
125                         ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
126                 return 0;
127         }
128
129         for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
130                 ret |= (((const unsigned long *)outdev)[i]
131                         ^ ((const unsigned long *)ipinfo->outiface)[i])
132                         & ((const unsigned long *)ipinfo->outiface_mask)[i];
133         }
134
135         if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
136                 dprintf("VIA out mismatch (%s vs %s).%s\n",
137                         outdev, ipinfo->outiface,
138                         ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
139                 return 0;
140         }
141
142         /* Check specific protocol */
143         if (ipinfo->proto
144             && FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
145                 dprintf("Packet protocol %hi does not match %hi.%s\n",
146                         ip->protocol, ipinfo->proto,
147                         ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
148                 return 0;
149         }
150
151         /* If we have a fragment rule but the packet is not a fragment
152          * then we return zero */
153         if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
154                 dprintf("Fragment rule but not fragment.%s\n",
155                         ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
156                 return 0;
157         }
158
159         return 1;
160 }
161
162 static inline int
163 ip_checkentry(const struct ipt_ip *ip)
164 {
165         if (ip->flags & ~IPT_F_MASK) {
166                 duprintf("Unknown flag bits set: %08X\n",
167                          ip->flags & ~IPT_F_MASK);
168                 return 0;
169         }
170         if (ip->invflags & ~IPT_INV_MASK) {
171                 duprintf("Unknown invflag bits set: %08X\n",
172                          ip->invflags & ~IPT_INV_MASK);
173                 return 0;
174         }
175         return 1;
176 }
177
178 static unsigned int
179 ipt_error(struct sk_buff **pskb,
180           const struct net_device *in,
181           const struct net_device *out,
182           unsigned int hooknum,
183           const struct xt_target *target,
184           const void *targinfo,
185           void *userinfo)
186 {
187         if (net_ratelimit())
188                 printk("ip_tables: error: `%s'\n", (char *)targinfo);
189
190         return NF_DROP;
191 }
192
193 static inline
194 int do_match(struct ipt_entry_match *m,
195              const struct sk_buff *skb,
196              const struct net_device *in,
197              const struct net_device *out,
198              int offset,
199              int *hotdrop)
200 {
201         /* Stop iteration if it doesn't match */
202         if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
203                                       offset, skb->nh.iph->ihl*4, hotdrop))
204                 return 1;
205         else
206                 return 0;
207 }
208
209 static inline struct ipt_entry *
210 get_entry(void *base, unsigned int offset)
211 {
212         return (struct ipt_entry *)(base + offset);
213 }
214
215 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
216 unsigned int
217 ipt_do_table(struct sk_buff **pskb,
218              unsigned int hook,
219              const struct net_device *in,
220              const struct net_device *out,
221              struct ipt_table *table,
222              void *userdata)
223 {
224         static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
225         u_int16_t offset;
226         struct iphdr *ip;
227         u_int16_t datalen;
228         int hotdrop = 0;
229         /* Initializing verdict to NF_DROP keeps gcc happy. */
230         unsigned int verdict = NF_DROP;
231         const char *indev, *outdev;
232         void *table_base;
233         struct ipt_entry *e, *back;
234         struct xt_table_info *private = table->private;
235
236         /* Initialization */
237         ip = (*pskb)->nh.iph;
238         datalen = (*pskb)->len - ip->ihl * 4;
239         indev = in ? in->name : nulldevname;
240         outdev = out ? out->name : nulldevname;
241         /* We handle fragments by dealing with the first fragment as
242          * if it was a normal packet.  All other fragments are treated
243          * normally, except that they will NEVER match rules that ask
244          * things we don't know, ie. tcp syn flag or ports).  If the
245          * rule is also a fragment-specific rule, non-fragments won't
246          * match it. */
247         offset = ntohs(ip->frag_off) & IP_OFFSET;
248
249         read_lock_bh(&table->lock);
250         IP_NF_ASSERT(table->valid_hooks & (1 << hook));
251         table_base = (void *)private->entries[smp_processor_id()];
252         e = get_entry(table_base, private->hook_entry[hook]);
253
254         /* For return from builtin chain */
255         back = get_entry(table_base, private->underflow[hook]);
256
257         do {
258                 IP_NF_ASSERT(e);
259                 IP_NF_ASSERT(back);
260                 if (ip_packet_match(ip, indev, outdev, &e->ip, offset)) {
261                         struct ipt_entry_target *t;
262
263                         if (IPT_MATCH_ITERATE(e, do_match,
264                                               *pskb, in, out,
265                                               offset, &hotdrop) != 0)
266                                 goto no_match;
267
268                         ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
269
270                         t = ipt_get_target(e);
271                         IP_NF_ASSERT(t->u.kernel.target);
272                         /* Standard target? */
273                         if (!t->u.kernel.target->target) {
274                                 int v;
275
276                                 v = ((struct ipt_standard_target *)t)->verdict;
277                                 if (v < 0) {
278                                         /* Pop from stack? */
279                                         if (v != IPT_RETURN) {
280                                                 verdict = (unsigned)(-v) - 1;
281                                                 break;
282                                         }
283                                         e = back;
284                                         back = get_entry(table_base,
285                                                          back->comefrom);
286                                         continue;
287                                 }
288                                 if (table_base + v != (void *)e + e->next_offset
289                                     && !(e->ip.flags & IPT_F_GOTO)) {
290                                         /* Save old back ptr in next entry */
291                                         struct ipt_entry *next
292                                                 = (void *)e + e->next_offset;
293                                         next->comefrom
294                                                 = (void *)back - table_base;
295                                         /* set back pointer to next entry */
296                                         back = next;
297                                 }
298
299                                 e = get_entry(table_base, v);
300                         } else {
301                                 /* Targets which reenter must return
302                                    abs. verdicts */
303 #ifdef CONFIG_NETFILTER_DEBUG
304                                 ((struct ipt_entry *)table_base)->comefrom
305                                         = 0xeeeeeeec;
306 #endif
307                                 verdict = t->u.kernel.target->target(pskb,
308                                                                      in, out,
309                                                                      hook,
310                                                                      t->u.kernel.target,
311                                                                      t->data,
312                                                                      userdata);
313
314 #ifdef CONFIG_NETFILTER_DEBUG
315                                 if (((struct ipt_entry *)table_base)->comefrom
316                                     != 0xeeeeeeec
317                                     && verdict == IPT_CONTINUE) {
318                                         printk("Target %s reentered!\n",
319                                                t->u.kernel.target->name);
320                                         verdict = NF_DROP;
321                                 }
322                                 ((struct ipt_entry *)table_base)->comefrom
323                                         = 0x57acc001;
324 #endif
325                                 /* Target might have changed stuff. */
326                                 ip = (*pskb)->nh.iph;
327                                 datalen = (*pskb)->len - ip->ihl * 4;
328
329                                 if (verdict == IPT_CONTINUE)
330                                         e = (void *)e + e->next_offset;
331                                 else
332                                         /* Verdict */
333                                         break;
334                         }
335                 } else {
336
337                 no_match:
338                         e = (void *)e + e->next_offset;
339                 }
340         } while (!hotdrop);
341
342         read_unlock_bh(&table->lock);
343
344 #ifdef DEBUG_ALLOW_ALL
345         return NF_ACCEPT;
346 #else
347         if (hotdrop)
348                 return NF_DROP;
349         else return verdict;
350 #endif
351 }
352
353 /* All zeroes == unconditional rule. */
354 static inline int
355 unconditional(const struct ipt_ip *ip)
356 {
357         unsigned int i;
358
359         for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
360                 if (((__u32 *)ip)[i])
361                         return 0;
362
363         return 1;
364 }
365
366 /* Figures out from what hook each rule can be called: returns 0 if
367    there are loops.  Puts hook bitmask in comefrom. */
368 static int
369 mark_source_chains(struct xt_table_info *newinfo,
370                    unsigned int valid_hooks, void *entry0)
371 {
372         unsigned int hook;
373
374         /* No recursion; use packet counter to save back ptrs (reset
375            to 0 as we leave), and comefrom to save source hook bitmask */
376         for (hook = 0; hook < NF_IP_NUMHOOKS; hook++) {
377                 unsigned int pos = newinfo->hook_entry[hook];
378                 struct ipt_entry *e
379                         = (struct ipt_entry *)(entry0 + pos);
380
381                 if (!(valid_hooks & (1 << hook)))
382                         continue;
383
384                 /* Set initial back pointer. */
385                 e->counters.pcnt = pos;
386
387                 for (;;) {
388                         struct ipt_standard_target *t
389                                 = (void *)ipt_get_target(e);
390
391                         if (e->comefrom & (1 << NF_IP_NUMHOOKS)) {
392                                 printk("iptables: loop hook %u pos %u %08X.\n",
393                                        hook, pos, e->comefrom);
394                                 return 0;
395                         }
396                         e->comefrom
397                                 |= ((1 << hook) | (1 << NF_IP_NUMHOOKS));
398
399                         /* Unconditional return/END. */
400                         if (e->target_offset == sizeof(struct ipt_entry)
401                             && (strcmp(t->target.u.user.name,
402                                        IPT_STANDARD_TARGET) == 0)
403                             && t->verdict < 0
404                             && unconditional(&e->ip)) {
405                                 unsigned int oldpos, size;
406
407                                 /* Return: backtrack through the last
408                                    big jump. */
409                                 do {
410                                         e->comefrom ^= (1<<NF_IP_NUMHOOKS);
411 #ifdef DEBUG_IP_FIREWALL_USER
412                                         if (e->comefrom
413                                             & (1 << NF_IP_NUMHOOKS)) {
414                                                 duprintf("Back unset "
415                                                          "on hook %u "
416                                                          "rule %u\n",
417                                                          hook, pos);
418                                         }
419 #endif
420                                         oldpos = pos;
421                                         pos = e->counters.pcnt;
422                                         e->counters.pcnt = 0;
423
424                                         /* We're at the start. */
425                                         if (pos == oldpos)
426                                                 goto next;
427
428                                         e = (struct ipt_entry *)
429                                                 (entry0 + pos);
430                                 } while (oldpos == pos + e->next_offset);
431
432                                 /* Move along one */
433                                 size = e->next_offset;
434                                 e = (struct ipt_entry *)
435                                         (entry0 + pos + size);
436                                 e->counters.pcnt = pos;
437                                 pos += size;
438                         } else {
439                                 int newpos = t->verdict;
440
441                                 if (strcmp(t->target.u.user.name,
442                                            IPT_STANDARD_TARGET) == 0
443                                     && newpos >= 0) {
444                                         /* This a jump; chase it. */
445                                         duprintf("Jump rule %u -> %u\n",
446                                                  pos, newpos);
447                                 } else {
448                                         /* ... this is a fallthru */
449                                         newpos = pos + e->next_offset;
450                                 }
451                                 e = (struct ipt_entry *)
452                                         (entry0 + newpos);
453                                 e->counters.pcnt = pos;
454                                 pos = newpos;
455                         }
456                 }
457                 next:
458                 duprintf("Finished chain %u\n", hook);
459         }
460         return 1;
461 }
462
463 static inline int
464 cleanup_match(struct ipt_entry_match *m, unsigned int *i)
465 {
466         if (i && (*i)-- == 0)
467                 return 1;
468
469         if (m->u.kernel.match->destroy)
470                 m->u.kernel.match->destroy(m->u.kernel.match, m->data,
471                                            m->u.match_size - sizeof(*m));
472         module_put(m->u.kernel.match->me);
473         return 0;
474 }
475
476 static inline int
477 standard_check(const struct ipt_entry_target *t,
478                unsigned int max_offset)
479 {
480         struct ipt_standard_target *targ = (void *)t;
481
482         /* Check standard info. */
483         if (targ->verdict >= 0
484             && targ->verdict > max_offset - sizeof(struct ipt_entry)) {
485                 duprintf("ipt_standard_check: bad verdict (%i)\n",
486                          targ->verdict);
487                 return 0;
488         }
489         if (targ->verdict < -NF_MAX_VERDICT - 1) {
490                 duprintf("ipt_standard_check: bad negative verdict (%i)\n",
491                          targ->verdict);
492                 return 0;
493         }
494         return 1;
495 }
496
497 static inline int
498 check_match(struct ipt_entry_match *m,
499             const char *name,
500             const struct ipt_ip *ip,
501             unsigned int hookmask,
502             unsigned int *i)
503 {
504         struct ipt_match *match;
505         int ret;
506
507         match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
508                                                    m->u.user.revision),
509                                         "ipt_%s", m->u.user.name);
510         if (IS_ERR(match) || !match) {
511                 duprintf("check_match: `%s' not found\n", m->u.user.name);
512                 return match ? PTR_ERR(match) : -ENOENT;
513         }
514         m->u.kernel.match = match;
515
516         ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
517                              name, hookmask, ip->proto,
518                              ip->invflags & IPT_INV_PROTO);
519         if (ret)
520                 goto err;
521
522         if (m->u.kernel.match->checkentry
523             && !m->u.kernel.match->checkentry(name, ip, match, m->data,
524                                               m->u.match_size - sizeof(*m),
525                                               hookmask)) {
526                 duprintf("ip_tables: check failed for `%s'.\n",
527                          m->u.kernel.match->name);
528                 ret = -EINVAL;
529                 goto err;
530         }
531
532         (*i)++;
533         return 0;
534 err:
535         module_put(m->u.kernel.match->me);
536         return ret;
537 }
538
539 static struct ipt_target ipt_standard_target;
540
541 static inline int
542 check_entry(struct ipt_entry *e, const char *name, unsigned int size,
543             unsigned int *i)
544 {
545         struct ipt_entry_target *t;
546         struct ipt_target *target;
547         int ret;
548         unsigned int j;
549
550         if (!ip_checkentry(&e->ip)) {
551                 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
552                 return -EINVAL;
553         }
554
555         j = 0;
556         ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom, &j);
557         if (ret != 0)
558                 goto cleanup_matches;
559
560         t = ipt_get_target(e);
561         target = try_then_request_module(xt_find_target(AF_INET,
562                                                      t->u.user.name,
563                                                      t->u.user.revision),
564                                          "ipt_%s", t->u.user.name);
565         if (IS_ERR(target) || !target) {
566                 duprintf("check_entry: `%s' not found\n", t->u.user.name);
567                 ret = target ? PTR_ERR(target) : -ENOENT;
568                 goto cleanup_matches;
569         }
570         t->u.kernel.target = target;
571
572         ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
573                               name, e->comefrom, e->ip.proto,
574                               e->ip.invflags & IPT_INV_PROTO);
575         if (ret)
576                 goto err;
577
578         if (t->u.kernel.target == &ipt_standard_target) {
579                 if (!standard_check(t, size)) {
580                         ret = -EINVAL;
581                         goto cleanup_matches;
582                 }
583         } else if (t->u.kernel.target->checkentry
584                    && !t->u.kernel.target->checkentry(name, e, target, t->data,
585                                                       t->u.target_size
586                                                       - sizeof(*t),
587                                                       e->comefrom)) {
588                 duprintf("ip_tables: check failed for `%s'.\n",
589                          t->u.kernel.target->name);
590                 ret = -EINVAL;
591                 goto err;
592         }
593
594         (*i)++;
595         return 0;
596  err:
597         module_put(t->u.kernel.target->me);
598  cleanup_matches:
599         IPT_MATCH_ITERATE(e, cleanup_match, &j);
600         return ret;
601 }
602
603 static inline int
604 check_entry_size_and_hooks(struct ipt_entry *e,
605                            struct xt_table_info *newinfo,
606                            unsigned char *base,
607                            unsigned char *limit,
608                            const unsigned int *hook_entries,
609                            const unsigned int *underflows,
610                            unsigned int *i)
611 {
612         unsigned int h;
613
614         if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
615             || (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
616                 duprintf("Bad offset %p\n", e);
617                 return -EINVAL;
618         }
619
620         if (e->next_offset
621             < sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
622                 duprintf("checking: element %p size %u\n",
623                          e, e->next_offset);
624                 return -EINVAL;
625         }
626
627         /* Check hooks & underflows */
628         for (h = 0; h < NF_IP_NUMHOOKS; h++) {
629                 if ((unsigned char *)e - base == hook_entries[h])
630                         newinfo->hook_entry[h] = hook_entries[h];
631                 if ((unsigned char *)e - base == underflows[h])
632                         newinfo->underflow[h] = underflows[h];
633         }
634
635         /* FIXME: underflows must be unconditional, standard verdicts
636            < 0 (not IPT_RETURN). --RR */
637
638         /* Clear counters and comefrom */
639         e->counters = ((struct xt_counters) { 0, 0 });
640         e->comefrom = 0;
641
642         (*i)++;
643         return 0;
644 }
645
646 static inline int
647 cleanup_entry(struct ipt_entry *e, unsigned int *i)
648 {
649         struct ipt_entry_target *t;
650
651         if (i && (*i)-- == 0)
652                 return 1;
653
654         /* Cleanup all matches */
655         IPT_MATCH_ITERATE(e, cleanup_match, NULL);
656         t = ipt_get_target(e);
657         if (t->u.kernel.target->destroy)
658                 t->u.kernel.target->destroy(t->u.kernel.target, t->data,
659                                             t->u.target_size - sizeof(*t));
660         module_put(t->u.kernel.target->me);
661         return 0;
662 }
663
664 /* Checks and translates the user-supplied table segment (held in
665    newinfo) */
666 static int
667 translate_table(const char *name,
668                 unsigned int valid_hooks,
669                 struct xt_table_info *newinfo,
670                 void *entry0,
671                 unsigned int size,
672                 unsigned int number,
673                 const unsigned int *hook_entries,
674                 const unsigned int *underflows)
675 {
676         unsigned int i;
677         int ret;
678
679         newinfo->size = size;
680         newinfo->number = number;
681
682         /* Init all hooks to impossible value. */
683         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
684                 newinfo->hook_entry[i] = 0xFFFFFFFF;
685                 newinfo->underflow[i] = 0xFFFFFFFF;
686         }
687
688         duprintf("translate_table: size %u\n", newinfo->size);
689         i = 0;
690         /* Walk through entries, checking offsets. */
691         ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
692                                 check_entry_size_and_hooks,
693                                 newinfo,
694                                 entry0,
695                                 entry0 + size,
696                                 hook_entries, underflows, &i);
697         if (ret != 0)
698                 return ret;
699
700         if (i != number) {
701                 duprintf("translate_table: %u not %u entries\n",
702                          i, number);
703                 return -EINVAL;
704         }
705
706         /* Check hooks all assigned */
707         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
708                 /* Only hooks which are valid */
709                 if (!(valid_hooks & (1 << i)))
710                         continue;
711                 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
712                         duprintf("Invalid hook entry %u %u\n",
713                                  i, hook_entries[i]);
714                         return -EINVAL;
715                 }
716                 if (newinfo->underflow[i] == 0xFFFFFFFF) {
717                         duprintf("Invalid underflow %u %u\n",
718                                  i, underflows[i]);
719                         return -EINVAL;
720                 }
721         }
722
723         if (!mark_source_chains(newinfo, valid_hooks, entry0))
724                 return -ELOOP;
725
726         /* Finally, each sanity check must pass */
727         i = 0;
728         ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
729                                 check_entry, name, size, &i);
730
731         if (ret != 0) {
732                 IPT_ENTRY_ITERATE(entry0, newinfo->size,
733                                   cleanup_entry, &i);
734                 return ret;
735         }
736
737         /* And one copy for every other CPU */
738         for_each_possible_cpu(i) {
739                 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
740                         memcpy(newinfo->entries[i], entry0, newinfo->size);
741         }
742
743         return ret;
744 }
745
746 /* Gets counters. */
747 static inline int
748 add_entry_to_counter(const struct ipt_entry *e,
749                      struct xt_counters total[],
750                      unsigned int *i)
751 {
752         ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
753
754         (*i)++;
755         return 0;
756 }
757
758 static inline int
759 set_entry_to_counter(const struct ipt_entry *e,
760                      struct ipt_counters total[],
761                      unsigned int *i)
762 {
763         SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
764
765         (*i)++;
766         return 0;
767 }
768
769 static void
770 get_counters(const struct xt_table_info *t,
771              struct xt_counters counters[])
772 {
773         unsigned int cpu;
774         unsigned int i;
775         unsigned int curcpu;
776
777         /* Instead of clearing (by a previous call to memset())
778          * the counters and using adds, we set the counters
779          * with data used by 'current' CPU
780          * We dont care about preemption here.
781          */
782         curcpu = raw_smp_processor_id();
783
784         i = 0;
785         IPT_ENTRY_ITERATE(t->entries[curcpu],
786                           t->size,
787                           set_entry_to_counter,
788                           counters,
789                           &i);
790
791         for_each_possible_cpu(cpu) {
792                 if (cpu == curcpu)
793                         continue;
794                 i = 0;
795                 IPT_ENTRY_ITERATE(t->entries[cpu],
796                                   t->size,
797                                   add_entry_to_counter,
798                                   counters,
799                                   &i);
800         }
801 }
802
803 static inline struct xt_counters * alloc_counters(struct ipt_table *table)
804 {
805         unsigned int countersize;
806         struct xt_counters *counters;
807         struct xt_table_info *private = table->private;
808
809         /* We need atomic snapshot of counters: rest doesn't change
810            (other than comefrom, which userspace doesn't care
811            about). */
812         countersize = sizeof(struct xt_counters) * private->number;
813         counters = vmalloc_node(countersize, numa_node_id());
814
815         if (counters == NULL)
816                 return ERR_PTR(-ENOMEM);
817
818         /* First, sum counters... */
819         write_lock_bh(&table->lock);
820         get_counters(private, counters);
821         write_unlock_bh(&table->lock);
822
823         return counters;
824 }
825
826 static int
827 copy_entries_to_user(unsigned int total_size,
828                      struct ipt_table *table,
829                      void __user *userptr)
830 {
831         unsigned int off, num;
832         struct ipt_entry *e;
833         struct xt_counters *counters;
834         struct xt_table_info *private = table->private;
835         int ret = 0;
836         void *loc_cpu_entry;
837
838         counters = alloc_counters(table);
839         if (IS_ERR(counters))
840                 return PTR_ERR(counters);
841
842         /* choose the copy that is on our node/cpu, ...
843          * This choice is lazy (because current thread is
844          * allowed to migrate to another cpu)
845          */
846         loc_cpu_entry = private->entries[raw_smp_processor_id()];
847         /* ... then copy entire thing ... */
848         if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
849                 ret = -EFAULT;
850                 goto free_counters;
851         }
852
853         /* FIXME: use iterator macros --RR */
854         /* ... then go back and fix counters and names */
855         for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
856                 unsigned int i;
857                 struct ipt_entry_match *m;
858                 struct ipt_entry_target *t;
859
860                 e = (struct ipt_entry *)(loc_cpu_entry + off);
861                 if (copy_to_user(userptr + off
862                                  + offsetof(struct ipt_entry, counters),
863                                  &counters[num],
864                                  sizeof(counters[num])) != 0) {
865                         ret = -EFAULT;
866                         goto free_counters;
867                 }
868
869                 for (i = sizeof(struct ipt_entry);
870                      i < e->target_offset;
871                      i += m->u.match_size) {
872                         m = (void *)e + i;
873
874                         if (copy_to_user(userptr + off + i
875                                          + offsetof(struct ipt_entry_match,
876                                                     u.user.name),
877                                          m->u.kernel.match->name,
878                                          strlen(m->u.kernel.match->name)+1)
879                             != 0) {
880                                 ret = -EFAULT;
881                                 goto free_counters;
882                         }
883                 }
884
885                 t = ipt_get_target(e);
886                 if (copy_to_user(userptr + off + e->target_offset
887                                  + offsetof(struct ipt_entry_target,
888                                             u.user.name),
889                                  t->u.kernel.target->name,
890                                  strlen(t->u.kernel.target->name)+1) != 0) {
891                         ret = -EFAULT;
892                         goto free_counters;
893                 }
894         }
895
896  free_counters:
897         vfree(counters);
898         return ret;
899 }
900
901 #ifdef CONFIG_COMPAT
902 struct compat_delta {
903         struct compat_delta *next;
904         u_int16_t offset;
905         short delta;
906 };
907
908 static struct compat_delta *compat_offsets = NULL;
909
910 static int compat_add_offset(u_int16_t offset, short delta)
911 {
912         struct compat_delta *tmp;
913
914         tmp = kmalloc(sizeof(struct compat_delta), GFP_KERNEL);
915         if (!tmp)
916                 return -ENOMEM;
917         tmp->offset = offset;
918         tmp->delta = delta;
919         if (compat_offsets) {
920                 tmp->next = compat_offsets->next;
921                 compat_offsets->next = tmp;
922         } else {
923                 compat_offsets = tmp;
924                 tmp->next = NULL;
925         }
926         return 0;
927 }
928
929 static void compat_flush_offsets(void)
930 {
931         struct compat_delta *tmp, *next;
932
933         if (compat_offsets) {
934                 for(tmp = compat_offsets; tmp; tmp = next) {
935                         next = tmp->next;
936                         kfree(tmp);
937                 }
938                 compat_offsets = NULL;
939         }
940 }
941
942 static short compat_calc_jump(u_int16_t offset)
943 {
944         struct compat_delta *tmp;
945         short delta;
946
947         for(tmp = compat_offsets, delta = 0; tmp; tmp = tmp->next)
948                 if (tmp->offset < offset)
949                         delta += tmp->delta;
950         return delta;
951 }
952
953 struct compat_ipt_standard_target
954 {
955         struct compat_xt_entry_target target;
956         compat_int_t verdict;
957 };
958
959 struct compat_ipt_standard
960 {
961         struct compat_ipt_entry entry;
962         struct compat_ipt_standard_target target;
963 };
964
965 #define IPT_ST_LEN              XT_ALIGN(sizeof(struct ipt_standard_target))
966 #define IPT_ST_COMPAT_LEN       COMPAT_XT_ALIGN(sizeof(struct compat_ipt_standard_target))
967 #define IPT_ST_OFFSET           (IPT_ST_LEN - IPT_ST_COMPAT_LEN)
968
969 static int compat_ipt_standard_fn(void *target,
970                 void **dstptr, int *size, int convert)
971 {
972         struct compat_ipt_standard_target compat_st, *pcompat_st;
973         struct ipt_standard_target st, *pst;
974         int ret;
975
976         ret = 0;
977         switch (convert) {
978                 case COMPAT_TO_USER:
979                         pst = target;
980                         memcpy(&compat_st.target, &pst->target,
981                                 sizeof(compat_st.target));
982                         compat_st.verdict = pst->verdict;
983                         if (compat_st.verdict > 0)
984                                 compat_st.verdict -=
985                                         compat_calc_jump(compat_st.verdict);
986                         compat_st.target.u.user.target_size = IPT_ST_COMPAT_LEN;
987                         if (copy_to_user(*dstptr, &compat_st, IPT_ST_COMPAT_LEN))
988                                 ret = -EFAULT;
989                         *size -= IPT_ST_OFFSET;
990                         *dstptr += IPT_ST_COMPAT_LEN;
991                         break;
992                 case COMPAT_FROM_USER:
993                         pcompat_st = target;
994                         memcpy(&st.target, &pcompat_st->target, IPT_ST_COMPAT_LEN);
995                         st.verdict = pcompat_st->verdict;
996                         if (st.verdict > 0)
997                                 st.verdict += compat_calc_jump(st.verdict);
998                         st.target.u.user.target_size = IPT_ST_LEN;
999                         memcpy(*dstptr, &st, IPT_ST_LEN);
1000                         *size += IPT_ST_OFFSET;
1001                         *dstptr += IPT_ST_LEN;
1002                         break;
1003                 case COMPAT_CALC_SIZE:
1004                         *size += IPT_ST_OFFSET;
1005                         break;
1006                 default:
1007                         ret = -ENOPROTOOPT;
1008                         break;
1009         }
1010         return ret;
1011 }
1012
1013 static inline int
1014 compat_calc_match(struct ipt_entry_match *m, int * size)
1015 {
1016         if (m->u.kernel.match->compat)
1017                 m->u.kernel.match->compat(m, NULL, size, COMPAT_CALC_SIZE);
1018         else
1019                 xt_compat_match(m, NULL, size, COMPAT_CALC_SIZE);
1020         return 0;
1021 }
1022
1023 static int compat_calc_entry(struct ipt_entry *e, struct xt_table_info *info,
1024                 void *base, struct xt_table_info *newinfo)
1025 {
1026         struct ipt_entry_target *t;
1027         u_int16_t entry_offset;
1028         int off, i, ret;
1029
1030         off = 0;
1031         entry_offset = (void *)e - base;
1032         IPT_MATCH_ITERATE(e, compat_calc_match, &off);
1033         t = ipt_get_target(e);
1034         if (t->u.kernel.target->compat)
1035                 t->u.kernel.target->compat(t, NULL, &off, COMPAT_CALC_SIZE);
1036         else
1037                 xt_compat_target(t, NULL, &off, COMPAT_CALC_SIZE);
1038         newinfo->size -= off;
1039         ret = compat_add_offset(entry_offset, off);
1040         if (ret)
1041                 return ret;
1042
1043         for (i = 0; i< NF_IP_NUMHOOKS; i++) {
1044                 if (info->hook_entry[i] && (e < (struct ipt_entry *)
1045                                 (base + info->hook_entry[i])))
1046                         newinfo->hook_entry[i] -= off;
1047                 if (info->underflow[i] && (e < (struct ipt_entry *)
1048                                 (base + info->underflow[i])))
1049                         newinfo->underflow[i] -= off;
1050         }
1051         return 0;
1052 }
1053
1054 static int compat_table_info(struct xt_table_info *info,
1055                 struct xt_table_info *newinfo)
1056 {
1057         void *loc_cpu_entry;
1058         int i;
1059
1060         if (!newinfo || !info)
1061                 return -EINVAL;
1062
1063         memset(newinfo, 0, sizeof(struct xt_table_info));
1064         newinfo->size = info->size;
1065         newinfo->number = info->number;
1066         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1067                 newinfo->hook_entry[i] = info->hook_entry[i];
1068                 newinfo->underflow[i] = info->underflow[i];
1069         }
1070         loc_cpu_entry = info->entries[raw_smp_processor_id()];
1071         return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
1072                         compat_calc_entry, info, loc_cpu_entry, newinfo);
1073 }
1074 #endif
1075
1076 static int get_info(void __user *user, int *len, int compat)
1077 {
1078         char name[IPT_TABLE_MAXNAMELEN];
1079         struct ipt_table *t;
1080         int ret;
1081
1082         if (*len != sizeof(struct ipt_getinfo)) {
1083                 duprintf("length %u != %u\n", *len,
1084                         (unsigned int)sizeof(struct ipt_getinfo));
1085                 return -EINVAL;
1086         }
1087
1088         if (copy_from_user(name, user, sizeof(name)) != 0)
1089                 return -EFAULT;
1090
1091         name[IPT_TABLE_MAXNAMELEN-1] = '\0';
1092 #ifdef CONFIG_COMPAT
1093         if (compat)
1094                 xt_compat_lock(AF_INET);
1095 #endif
1096         t = try_then_request_module(xt_find_table_lock(AF_INET, name),
1097                         "iptable_%s", name);
1098         if (t && !IS_ERR(t)) {
1099                 struct ipt_getinfo info;
1100                 struct xt_table_info *private = t->private;
1101
1102 #ifdef CONFIG_COMPAT
1103                 if (compat) {
1104                         struct xt_table_info tmp;
1105                         ret = compat_table_info(private, &tmp);
1106                         compat_flush_offsets();
1107                         private =  &tmp;
1108                 }
1109 #endif
1110                 info.valid_hooks = t->valid_hooks;
1111                 memcpy(info.hook_entry, private->hook_entry,
1112                                 sizeof(info.hook_entry));
1113                 memcpy(info.underflow, private->underflow,
1114                                 sizeof(info.underflow));
1115                 info.num_entries = private->number;
1116                 info.size = private->size;
1117                 strcpy(info.name, name);
1118
1119                 if (copy_to_user(user, &info, *len) != 0)
1120                         ret = -EFAULT;
1121                 else
1122                         ret = 0;
1123
1124                 xt_table_unlock(t);
1125                 module_put(t->me);
1126         } else
1127                 ret = t ? PTR_ERR(t) : -ENOENT;
1128 #ifdef CONFIG_COMPAT
1129         if (compat)
1130                 xt_compat_unlock(AF_INET);
1131 #endif
1132         return ret;
1133 }
1134
1135 static int
1136 get_entries(struct ipt_get_entries __user *uptr, int *len)
1137 {
1138         int ret;
1139         struct ipt_get_entries get;
1140         struct ipt_table *t;
1141
1142         if (*len < sizeof(get)) {
1143                 duprintf("get_entries: %u < %d\n", *len,
1144                                 (unsigned int)sizeof(get));
1145                 return -EINVAL;
1146         }
1147         if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1148                 return -EFAULT;
1149         if (*len != sizeof(struct ipt_get_entries) + get.size) {
1150                 duprintf("get_entries: %u != %u\n", *len,
1151                                 (unsigned int)(sizeof(struct ipt_get_entries) +
1152                                 get.size));
1153                 return -EINVAL;
1154         }
1155
1156         t = xt_find_table_lock(AF_INET, get.name);
1157         if (t && !IS_ERR(t)) {
1158                 struct xt_table_info *private = t->private;
1159                 duprintf("t->private->number = %u\n",
1160                          private->number);
1161                 if (get.size == private->size)
1162                         ret = copy_entries_to_user(private->size,
1163                                                    t, uptr->entrytable);
1164                 else {
1165                         duprintf("get_entries: I've got %u not %u!\n",
1166                                  private->size,
1167                                  get.size);
1168                         ret = -EINVAL;
1169                 }
1170                 module_put(t->me);
1171                 xt_table_unlock(t);
1172         } else
1173                 ret = t ? PTR_ERR(t) : -ENOENT;
1174
1175         return ret;
1176 }
1177
1178 static int
1179 __do_replace(const char *name, unsigned int valid_hooks,
1180                 struct xt_table_info *newinfo, unsigned int num_counters,
1181                 void __user *counters_ptr)
1182 {
1183         int ret;
1184         struct ipt_table *t;
1185         struct xt_table_info *oldinfo;
1186         struct xt_counters *counters;
1187         void *loc_cpu_old_entry;
1188
1189         ret = 0;
1190         counters = vmalloc(num_counters * sizeof(struct xt_counters));
1191         if (!counters) {
1192                 ret = -ENOMEM;
1193                 goto out;
1194         }
1195
1196         t = try_then_request_module(xt_find_table_lock(AF_INET, name),
1197                                     "iptable_%s", name);
1198         if (!t || IS_ERR(t)) {
1199                 ret = t ? PTR_ERR(t) : -ENOENT;
1200                 goto free_newinfo_counters_untrans;
1201         }
1202
1203         /* You lied! */
1204         if (valid_hooks != t->valid_hooks) {
1205                 duprintf("Valid hook crap: %08X vs %08X\n",
1206                          valid_hooks, t->valid_hooks);
1207                 ret = -EINVAL;
1208                 goto put_module;
1209         }
1210
1211         oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1212         if (!oldinfo)
1213                 goto put_module;
1214
1215         /* Update module usage count based on number of rules */
1216         duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1217                 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1218         if ((oldinfo->number > oldinfo->initial_entries) ||
1219             (newinfo->number <= oldinfo->initial_entries))
1220                 module_put(t->me);
1221         if ((oldinfo->number > oldinfo->initial_entries) &&
1222             (newinfo->number <= oldinfo->initial_entries))
1223                 module_put(t->me);
1224
1225         /* Get the old counters. */
1226         get_counters(oldinfo, counters);
1227         /* Decrease module usage counts and free resource */
1228         loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1229         IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
1230         xt_free_table_info(oldinfo);
1231         if (copy_to_user(counters_ptr, counters,
1232                          sizeof(struct xt_counters) * num_counters) != 0)
1233                 ret = -EFAULT;
1234         vfree(counters);
1235         xt_table_unlock(t);
1236         return ret;
1237
1238  put_module:
1239         module_put(t->me);
1240         xt_table_unlock(t);
1241  free_newinfo_counters_untrans:
1242         vfree(counters);
1243  out:
1244         return ret;
1245 }
1246
1247 static int
1248 do_replace(void __user *user, unsigned int len)
1249 {
1250         int ret;
1251         struct ipt_replace tmp;
1252         struct xt_table_info *newinfo;
1253         void *loc_cpu_entry;
1254
1255         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1256                 return -EFAULT;
1257
1258         /* Hack: Causes ipchains to give correct error msg --RR */
1259         if (len != sizeof(tmp) + tmp.size)
1260                 return -ENOPROTOOPT;
1261
1262         /* overflow check */
1263         if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
1264                         SMP_CACHE_BYTES)
1265                 return -ENOMEM;
1266         if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1267                 return -ENOMEM;
1268
1269         newinfo = xt_alloc_table_info(tmp.size);
1270         if (!newinfo)
1271                 return -ENOMEM;
1272
1273         /* choose the copy that is our node/cpu */
1274         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1275         if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1276                            tmp.size) != 0) {
1277                 ret = -EFAULT;
1278                 goto free_newinfo;
1279         }
1280
1281         ret = translate_table(tmp.name, tmp.valid_hooks,
1282                               newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
1283                               tmp.hook_entry, tmp.underflow);
1284         if (ret != 0)
1285                 goto free_newinfo;
1286
1287         duprintf("ip_tables: Translated table\n");
1288
1289         ret = __do_replace(tmp.name, tmp.valid_hooks,
1290                               newinfo, tmp.num_counters,
1291                               tmp.counters);
1292         if (ret)
1293                 goto free_newinfo_untrans;
1294         return 0;
1295
1296  free_newinfo_untrans:
1297         IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
1298  free_newinfo:
1299         xt_free_table_info(newinfo);
1300         return ret;
1301 }
1302
1303 /* We're lazy, and add to the first CPU; overflow works its fey magic
1304  * and everything is OK. */
1305 static inline int
1306 add_counter_to_entry(struct ipt_entry *e,
1307                      const struct xt_counters addme[],
1308                      unsigned int *i)
1309 {
1310 #if 0
1311         duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
1312                  *i,
1313                  (long unsigned int)e->counters.pcnt,
1314                  (long unsigned int)e->counters.bcnt,
1315                  (long unsigned int)addme[*i].pcnt,
1316                  (long unsigned int)addme[*i].bcnt);
1317 #endif
1318
1319         ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
1320
1321         (*i)++;
1322         return 0;
1323 }
1324
1325 static int
1326 do_add_counters(void __user *user, unsigned int len, int compat)
1327 {
1328         unsigned int i;
1329         struct xt_counters_info tmp;
1330         struct xt_counters *paddc;
1331         unsigned int num_counters;
1332         char *name;
1333         int size;
1334         void *ptmp;
1335         struct ipt_table *t;
1336         struct xt_table_info *private;
1337         int ret = 0;
1338         void *loc_cpu_entry;
1339 #ifdef CONFIG_COMPAT
1340         struct compat_xt_counters_info compat_tmp;
1341
1342         if (compat) {
1343                 ptmp = &compat_tmp;
1344                 size = sizeof(struct compat_xt_counters_info);
1345         } else
1346 #endif
1347         {
1348                 ptmp = &tmp;
1349                 size = sizeof(struct xt_counters_info);
1350         }
1351
1352         if (copy_from_user(ptmp, user, size) != 0)
1353                 return -EFAULT;
1354
1355 #ifdef CONFIG_COMPAT
1356         if (compat) {
1357                 num_counters = compat_tmp.num_counters;
1358                 name = compat_tmp.name;
1359         } else
1360 #endif
1361         {
1362                 num_counters = tmp.num_counters;
1363                 name = tmp.name;
1364         }
1365
1366         if (len != size + num_counters * sizeof(struct xt_counters))
1367                 return -EINVAL;
1368
1369         paddc = vmalloc_node(len - size, numa_node_id());
1370         if (!paddc)
1371                 return -ENOMEM;
1372
1373         if (copy_from_user(paddc, user + size, len - size) != 0) {
1374                 ret = -EFAULT;
1375                 goto free;
1376         }
1377
1378         t = xt_find_table_lock(AF_INET, name);
1379         if (!t || IS_ERR(t)) {
1380                 ret = t ? PTR_ERR(t) : -ENOENT;
1381                 goto free;
1382         }
1383
1384         write_lock_bh(&t->lock);
1385         private = t->private;
1386         if (private->number != num_counters) {
1387                 ret = -EINVAL;
1388                 goto unlock_up_free;
1389         }
1390
1391         i = 0;
1392         /* Choose the copy that is on our node */
1393         loc_cpu_entry = private->entries[raw_smp_processor_id()];
1394         IPT_ENTRY_ITERATE(loc_cpu_entry,
1395                           private->size,
1396                           add_counter_to_entry,
1397                           paddc,
1398                           &i);
1399  unlock_up_free:
1400         write_unlock_bh(&t->lock);
1401         xt_table_unlock(t);
1402         module_put(t->me);
1403  free:
1404         vfree(paddc);
1405
1406         return ret;
1407 }
1408
1409 #ifdef CONFIG_COMPAT
1410 struct compat_ipt_replace {
1411         char                    name[IPT_TABLE_MAXNAMELEN];
1412         u32                     valid_hooks;
1413         u32                     num_entries;
1414         u32                     size;
1415         u32                     hook_entry[NF_IP_NUMHOOKS];
1416         u32                     underflow[NF_IP_NUMHOOKS];
1417         u32                     num_counters;
1418         compat_uptr_t           counters;       /* struct ipt_counters * */
1419         struct compat_ipt_entry entries[0];
1420 };
1421
1422 static inline int compat_copy_match_to_user(struct ipt_entry_match *m,
1423                 void __user **dstptr, compat_uint_t *size)
1424 {
1425         if (m->u.kernel.match->compat)
1426                 return m->u.kernel.match->compat(m, dstptr, size,
1427                                 COMPAT_TO_USER);
1428         else
1429                 return xt_compat_match(m, dstptr, size, COMPAT_TO_USER);
1430 }
1431
1432 static int compat_copy_entry_to_user(struct ipt_entry *e,
1433                 void __user **dstptr, compat_uint_t *size)
1434 {
1435         struct ipt_entry_target __user *t;
1436         struct compat_ipt_entry __user *ce;
1437         u_int16_t target_offset, next_offset;
1438         compat_uint_t origsize;
1439         int ret;
1440
1441         ret = -EFAULT;
1442         origsize = *size;
1443         ce = (struct compat_ipt_entry __user *)*dstptr;
1444         if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
1445                 goto out;
1446
1447         *dstptr += sizeof(struct compat_ipt_entry);
1448         ret = IPT_MATCH_ITERATE(e, compat_copy_match_to_user, dstptr, size);
1449         target_offset = e->target_offset - (origsize - *size);
1450         if (ret)
1451                 goto out;
1452         t = ipt_get_target(e);
1453         if (t->u.kernel.target->compat)
1454                 ret = t->u.kernel.target->compat(t, dstptr, size,
1455                                 COMPAT_TO_USER);
1456         else
1457                 ret = xt_compat_target(t, dstptr, size, COMPAT_TO_USER);
1458         if (ret)
1459                 goto out;
1460         ret = -EFAULT;
1461         next_offset = e->next_offset - (origsize - *size);
1462         if (put_user(target_offset, &ce->target_offset))
1463                 goto out;
1464         if (put_user(next_offset, &ce->next_offset))
1465                 goto out;
1466         return 0;
1467 out:
1468         return ret;
1469 }
1470
1471 static inline int
1472 compat_check_calc_match(struct ipt_entry_match *m,
1473             const char *name,
1474             const struct ipt_ip *ip,
1475             unsigned int hookmask,
1476             int *size, int *i)
1477 {
1478         struct ipt_match *match;
1479
1480         match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
1481                                                    m->u.user.revision),
1482                                         "ipt_%s", m->u.user.name);
1483         if (IS_ERR(match) || !match) {
1484                 duprintf("compat_check_calc_match: `%s' not found\n",
1485                                 m->u.user.name);
1486                 return match ? PTR_ERR(match) : -ENOENT;
1487         }
1488         m->u.kernel.match = match;
1489
1490         if (m->u.kernel.match->compat)
1491                 m->u.kernel.match->compat(m, NULL, size, COMPAT_CALC_SIZE);
1492         else
1493                 xt_compat_match(m, NULL, size, COMPAT_CALC_SIZE);
1494
1495         (*i)++;
1496         return 0;
1497 }
1498
1499 static inline int
1500 check_compat_entry_size_and_hooks(struct ipt_entry *e,
1501                            struct xt_table_info *newinfo,
1502                            unsigned int *size,
1503                            unsigned char *base,
1504                            unsigned char *limit,
1505                            unsigned int *hook_entries,
1506                            unsigned int *underflows,
1507                            unsigned int *i,
1508                            const char *name)
1509 {
1510         struct ipt_entry_target *t;
1511         struct ipt_target *target;
1512         u_int16_t entry_offset;
1513         int ret, off, h, j;
1514
1515         duprintf("check_compat_entry_size_and_hooks %p\n", e);
1516         if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
1517             || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1518                 duprintf("Bad offset %p, limit = %p\n", e, limit);
1519                 return -EINVAL;
1520         }
1521
1522         if (e->next_offset < sizeof(struct compat_ipt_entry) +
1523                         sizeof(struct compat_xt_entry_target)) {
1524                 duprintf("checking: element %p size %u\n",
1525                          e, e->next_offset);
1526                 return -EINVAL;
1527         }
1528
1529         if (!ip_checkentry(&e->ip)) {
1530                 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
1531                 return -EINVAL;
1532         }
1533
1534         off = 0;
1535         entry_offset = (void *)e - (void *)base;
1536         j = 0;
1537         ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip,
1538                         e->comefrom, &off, &j);
1539         if (ret != 0)
1540                 goto out;
1541
1542         t = ipt_get_target(e);
1543         target = try_then_request_module(xt_find_target(AF_INET,
1544                                                      t->u.user.name,
1545                                                      t->u.user.revision),
1546                                          "ipt_%s", t->u.user.name);
1547         if (IS_ERR(target) || !target) {
1548                 duprintf("check_entry: `%s' not found\n", t->u.user.name);
1549                 ret = target ? PTR_ERR(target) : -ENOENT;
1550                 goto out;
1551         }
1552         t->u.kernel.target = target;
1553
1554         if (t->u.kernel.target->compat)
1555                 t->u.kernel.target->compat(t, NULL, &off, COMPAT_CALC_SIZE);
1556         else
1557                 xt_compat_target(t, NULL, &off, COMPAT_CALC_SIZE);
1558         *size += off;
1559         ret = compat_add_offset(entry_offset, off);
1560         if (ret)
1561                 goto out;
1562
1563         /* Check hooks & underflows */
1564         for (h = 0; h < NF_IP_NUMHOOKS; h++) {
1565                 if ((unsigned char *)e - base == hook_entries[h])
1566                         newinfo->hook_entry[h] = hook_entries[h];
1567                 if ((unsigned char *)e - base == underflows[h])
1568                         newinfo->underflow[h] = underflows[h];
1569         }
1570
1571         /* Clear counters and comefrom */
1572         e->counters = ((struct ipt_counters) { 0, 0 });
1573         e->comefrom = 0;
1574
1575         (*i)++;
1576         return 0;
1577 out:
1578         IPT_MATCH_ITERATE(e, cleanup_match, &j);
1579         return ret;
1580 }
1581
1582 static inline int compat_copy_match_from_user(struct ipt_entry_match *m,
1583         void **dstptr, compat_uint_t *size, const char *name,
1584         const struct ipt_ip *ip, unsigned int hookmask)
1585 {
1586         struct ipt_entry_match *dm;
1587         struct ipt_match *match;
1588         int ret;
1589
1590         dm = (struct ipt_entry_match *)*dstptr;
1591         match = m->u.kernel.match;
1592         if (match->compat)
1593                 match->compat(m, dstptr, size, COMPAT_FROM_USER);
1594         else
1595                 xt_compat_match(m, dstptr, size, COMPAT_FROM_USER);
1596
1597         ret = xt_check_match(match, AF_INET, dm->u.match_size - sizeof(*dm),
1598                              name, hookmask, ip->proto,
1599                              ip->invflags & IPT_INV_PROTO);
1600         if (ret)
1601                 return ret;
1602
1603         if (m->u.kernel.match->checkentry
1604             && !m->u.kernel.match->checkentry(name, ip, match, dm->data,
1605                                               dm->u.match_size - sizeof(*dm),
1606                                               hookmask)) {
1607                 duprintf("ip_tables: check failed for `%s'.\n",
1608                          m->u.kernel.match->name);
1609                 return -EINVAL;
1610         }
1611         return 0;
1612 }
1613
1614 static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr,
1615         unsigned int *size, const char *name,
1616         struct xt_table_info *newinfo, unsigned char *base)
1617 {
1618         struct ipt_entry_target *t;
1619         struct ipt_target *target;
1620         struct ipt_entry *de;
1621         unsigned int origsize;
1622         int ret, h;
1623
1624         ret = 0;
1625         origsize = *size;
1626         de = (struct ipt_entry *)*dstptr;
1627         memcpy(de, e, sizeof(struct ipt_entry));
1628
1629         *dstptr += sizeof(struct compat_ipt_entry);
1630         ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size,
1631                         name, &de->ip, de->comefrom);
1632         if (ret)
1633                 goto out;
1634         de->target_offset = e->target_offset - (origsize - *size);
1635         t = ipt_get_target(e);
1636         target = t->u.kernel.target;
1637         if (target->compat)
1638                 target->compat(t, dstptr, size, COMPAT_FROM_USER);
1639         else
1640                 xt_compat_target(t, dstptr, size, COMPAT_FROM_USER);
1641
1642         de->next_offset = e->next_offset - (origsize - *size);
1643         for (h = 0; h < NF_IP_NUMHOOKS; h++) {
1644                 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1645                         newinfo->hook_entry[h] -= origsize - *size;
1646                 if ((unsigned char *)de - base < newinfo->underflow[h])
1647                         newinfo->underflow[h] -= origsize - *size;
1648         }
1649
1650         t = ipt_get_target(de);
1651         target = t->u.kernel.target;
1652         ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
1653                               name, e->comefrom, e->ip.proto,
1654                               e->ip.invflags & IPT_INV_PROTO);
1655         if (ret)
1656                 goto out;
1657
1658         ret = -EINVAL;
1659         if (t->u.kernel.target == &ipt_standard_target) {
1660                 if (!standard_check(t, *size))
1661                         goto out;
1662         } else if (t->u.kernel.target->checkentry
1663                    && !t->u.kernel.target->checkentry(name, de, target,
1664                                 t->data, t->u.target_size - sizeof(*t),
1665                                 de->comefrom)) {
1666                 duprintf("ip_tables: compat: check failed for `%s'.\n",
1667                          t->u.kernel.target->name);
1668                 goto out;
1669         }
1670         ret = 0;
1671 out:
1672         return ret;
1673 }
1674
1675 static int
1676 translate_compat_table(const char *name,
1677                 unsigned int valid_hooks,
1678                 struct xt_table_info **pinfo,
1679                 void **pentry0,
1680                 unsigned int total_size,
1681                 unsigned int number,
1682                 unsigned int *hook_entries,
1683                 unsigned int *underflows)
1684 {
1685         unsigned int i;
1686         struct xt_table_info *newinfo, *info;
1687         void *pos, *entry0, *entry1;
1688         unsigned int size;
1689         int ret;
1690
1691         info = *pinfo;
1692         entry0 = *pentry0;
1693         size = total_size;
1694         info->number = number;
1695
1696         /* Init all hooks to impossible value. */
1697         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1698                 info->hook_entry[i] = 0xFFFFFFFF;
1699                 info->underflow[i] = 0xFFFFFFFF;
1700         }
1701
1702         duprintf("translate_compat_table: size %u\n", info->size);
1703         i = 0;
1704         xt_compat_lock(AF_INET);
1705         /* Walk through entries, checking offsets. */
1706         ret = IPT_ENTRY_ITERATE(entry0, total_size,
1707                                 check_compat_entry_size_and_hooks,
1708                                 info, &size, entry0,
1709                                 entry0 + total_size,
1710                                 hook_entries, underflows, &i, name);
1711         if (ret != 0)
1712                 goto out_unlock;
1713
1714         ret = -EINVAL;
1715         if (i != number) {
1716                 duprintf("translate_compat_table: %u not %u entries\n",
1717                          i, number);
1718                 goto out_unlock;
1719         }
1720
1721         /* Check hooks all assigned */
1722         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1723                 /* Only hooks which are valid */
1724                 if (!(valid_hooks & (1 << i)))
1725                         continue;
1726                 if (info->hook_entry[i] == 0xFFFFFFFF) {
1727                         duprintf("Invalid hook entry %u %u\n",
1728                                  i, hook_entries[i]);
1729                         goto out_unlock;
1730                 }
1731                 if (info->underflow[i] == 0xFFFFFFFF) {
1732                         duprintf("Invalid underflow %u %u\n",
1733                                  i, underflows[i]);
1734                         goto out_unlock;
1735                 }
1736         }
1737
1738         ret = -ENOMEM;
1739         newinfo = xt_alloc_table_info(size);
1740         if (!newinfo)
1741                 goto out_unlock;
1742
1743         newinfo->number = number;
1744         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1745                 newinfo->hook_entry[i] = info->hook_entry[i];
1746                 newinfo->underflow[i] = info->underflow[i];
1747         }
1748         entry1 = newinfo->entries[raw_smp_processor_id()];
1749         pos = entry1;
1750         size =  total_size;
1751         ret = IPT_ENTRY_ITERATE(entry0, total_size,
1752                         compat_copy_entry_from_user, &pos, &size,
1753                         name, newinfo, entry1);
1754         compat_flush_offsets();
1755         xt_compat_unlock(AF_INET);
1756         if (ret)
1757                 goto free_newinfo;
1758
1759         ret = -ELOOP;
1760         if (!mark_source_chains(newinfo, valid_hooks, entry1))
1761                 goto free_newinfo;
1762
1763         /* And one copy for every other CPU */
1764         for_each_cpu(i)
1765                 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1766                         memcpy(newinfo->entries[i], entry1, newinfo->size);
1767
1768         *pinfo = newinfo;
1769         *pentry0 = entry1;
1770         xt_free_table_info(info);
1771         return 0;
1772
1773 free_newinfo:
1774         xt_free_table_info(newinfo);
1775 out:
1776         return ret;
1777 out_unlock:
1778         xt_compat_unlock(AF_INET);
1779         goto out;
1780 }
1781
1782 static int
1783 compat_do_replace(void __user *user, unsigned int len)
1784 {
1785         int ret;
1786         struct compat_ipt_replace tmp;
1787         struct xt_table_info *newinfo;
1788         void *loc_cpu_entry;
1789
1790         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1791                 return -EFAULT;
1792
1793         /* Hack: Causes ipchains to give correct error msg --RR */
1794         if (len != sizeof(tmp) + tmp.size)
1795                 return -ENOPROTOOPT;
1796
1797         /* overflow check */
1798         if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
1799                         SMP_CACHE_BYTES)
1800                 return -ENOMEM;
1801         if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1802                 return -ENOMEM;
1803
1804         newinfo = xt_alloc_table_info(tmp.size);
1805         if (!newinfo)
1806                 return -ENOMEM;
1807
1808         /* choose the copy that is our node/cpu */
1809         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1810         if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1811                            tmp.size) != 0) {
1812                 ret = -EFAULT;
1813                 goto free_newinfo;
1814         }
1815
1816         ret = translate_compat_table(tmp.name, tmp.valid_hooks,
1817                               &newinfo, &loc_cpu_entry, tmp.size,
1818                               tmp.num_entries, tmp.hook_entry, tmp.underflow);
1819         if (ret != 0)
1820                 goto free_newinfo;
1821
1822         duprintf("compat_do_replace: Translated table\n");
1823
1824         ret = __do_replace(tmp.name, tmp.valid_hooks,
1825                               newinfo, tmp.num_counters,
1826                               compat_ptr(tmp.counters));
1827         if (ret)
1828                 goto free_newinfo_untrans;
1829         return 0;
1830
1831  free_newinfo_untrans:
1832         IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
1833  free_newinfo:
1834         xt_free_table_info(newinfo);
1835         return ret;
1836 }
1837
1838 static int
1839 compat_do_ipt_set_ctl(struct sock *sk,  int cmd, void __user *user,
1840                 unsigned int len)
1841 {
1842         int ret;
1843
1844         if (!capable(CAP_NET_ADMIN))
1845                 return -EPERM;
1846
1847         switch (cmd) {
1848         case IPT_SO_SET_REPLACE:
1849                 ret = compat_do_replace(user, len);
1850                 break;
1851
1852         case IPT_SO_SET_ADD_COUNTERS:
1853                 ret = do_add_counters(user, len, 1);
1854                 break;
1855
1856         default:
1857                 duprintf("do_ipt_set_ctl:  unknown request %i\n", cmd);
1858                 ret = -EINVAL;
1859         }
1860
1861         return ret;
1862 }
1863
1864 struct compat_ipt_get_entries
1865 {
1866         char name[IPT_TABLE_MAXNAMELEN];
1867         compat_uint_t size;
1868         struct compat_ipt_entry entrytable[0];
1869 };
1870
1871 static int compat_copy_entries_to_user(unsigned int total_size,
1872                      struct ipt_table *table, void __user *userptr)
1873 {
1874         unsigned int off, num;
1875         struct compat_ipt_entry e;
1876         struct xt_counters *counters;
1877         struct xt_table_info *private = table->private;
1878         void __user *pos;
1879         unsigned int size;
1880         int ret = 0;
1881         void *loc_cpu_entry;
1882
1883         counters = alloc_counters(table);
1884         if (IS_ERR(counters))
1885                 return PTR_ERR(counters);
1886
1887         /* choose the copy that is on our node/cpu, ...
1888          * This choice is lazy (because current thread is
1889          * allowed to migrate to another cpu)
1890          */
1891         loc_cpu_entry = private->entries[raw_smp_processor_id()];
1892         pos = userptr;
1893         size = total_size;
1894         ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
1895                         compat_copy_entry_to_user, &pos, &size);
1896         if (ret)
1897                 goto free_counters;
1898
1899         /* ... then go back and fix counters and names */
1900         for (off = 0, num = 0; off < size; off += e.next_offset, num++) {
1901                 unsigned int i;
1902                 struct ipt_entry_match m;
1903                 struct ipt_entry_target t;
1904
1905                 ret = -EFAULT;
1906                 if (copy_from_user(&e, userptr + off,
1907                                         sizeof(struct compat_ipt_entry)))
1908                         goto free_counters;
1909                 if (copy_to_user(userptr + off +
1910                         offsetof(struct compat_ipt_entry, counters),
1911                          &counters[num], sizeof(counters[num])))
1912                         goto free_counters;
1913
1914                 for (i = sizeof(struct compat_ipt_entry);
1915                                 i < e.target_offset; i += m.u.match_size) {
1916                         if (copy_from_user(&m, userptr + off + i,
1917                                         sizeof(struct ipt_entry_match)))
1918                                 goto free_counters;
1919                         if (copy_to_user(userptr + off + i +
1920                                 offsetof(struct ipt_entry_match, u.user.name),
1921                                 m.u.kernel.match->name,
1922                                 strlen(m.u.kernel.match->name) + 1))
1923                                 goto free_counters;
1924                 }
1925
1926                 if (copy_from_user(&t, userptr + off + e.target_offset,
1927                                         sizeof(struct ipt_entry_target)))
1928                         goto free_counters;
1929                 if (copy_to_user(userptr + off + e.target_offset +
1930                         offsetof(struct ipt_entry_target, u.user.name),
1931                         t.u.kernel.target->name,
1932                         strlen(t.u.kernel.target->name) + 1))
1933                         goto free_counters;
1934         }
1935         ret = 0;
1936 free_counters:
1937         vfree(counters);
1938         return ret;
1939 }
1940
1941 static int
1942 compat_get_entries(struct compat_ipt_get_entries __user *uptr, int *len)
1943 {
1944         int ret;
1945         struct compat_ipt_get_entries get;
1946         struct ipt_table *t;
1947
1948
1949         if (*len < sizeof(get)) {
1950                 duprintf("compat_get_entries: %u < %u\n",
1951                                 *len, (unsigned int)sizeof(get));
1952                 return -EINVAL;
1953         }
1954
1955         if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1956                 return -EFAULT;
1957
1958         if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
1959                 duprintf("compat_get_entries: %u != %u\n", *len,
1960                         (unsigned int)(sizeof(struct compat_ipt_get_entries) +
1961                         get.size));
1962                 return -EINVAL;
1963         }
1964
1965         xt_compat_lock(AF_INET);
1966         t = xt_find_table_lock(AF_INET, get.name);
1967         if (t && !IS_ERR(t)) {
1968                 struct xt_table_info *private = t->private;
1969                 struct xt_table_info info;
1970                 duprintf("t->private->number = %u\n",
1971                          private->number);
1972                 ret = compat_table_info(private, &info);
1973                 if (!ret && get.size == info.size) {
1974                         ret = compat_copy_entries_to_user(private->size,
1975                                                    t, uptr->entrytable);
1976                 } else if (!ret) {
1977                         duprintf("compat_get_entries: I've got %u not %u!\n",
1978                                  private->size,
1979                                  get.size);
1980                         ret = -EINVAL;
1981                 }
1982                 compat_flush_offsets();
1983                 module_put(t->me);
1984                 xt_table_unlock(t);
1985         } else
1986                 ret = t ? PTR_ERR(t) : -ENOENT;
1987
1988         xt_compat_unlock(AF_INET);
1989         return ret;
1990 }
1991
1992 static int
1993 compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1994 {
1995         int ret;
1996
1997         switch (cmd) {
1998         case IPT_SO_GET_INFO:
1999                 ret = get_info(user, len, 1);
2000                 break;
2001         case IPT_SO_GET_ENTRIES:
2002                 ret = compat_get_entries(user, len);
2003                 break;
2004         default:
2005                 duprintf("compat_do_ipt_get_ctl: unknown request %i\n", cmd);
2006                 ret = -EINVAL;
2007         }
2008         return ret;
2009 }
2010 #endif
2011
2012 static int
2013 do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2014 {
2015         int ret;
2016
2017         if (!capable(CAP_NET_ADMIN))
2018                 return -EPERM;
2019
2020         switch (cmd) {
2021         case IPT_SO_SET_REPLACE:
2022                 ret = do_replace(user, len);
2023                 break;
2024
2025         case IPT_SO_SET_ADD_COUNTERS:
2026                 ret = do_add_counters(user, len, 0);
2027                 break;
2028
2029         default:
2030                 duprintf("do_ipt_set_ctl:  unknown request %i\n", cmd);
2031                 ret = -EINVAL;
2032         }
2033
2034         return ret;
2035 }
2036
2037 static int
2038 do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2039 {
2040         int ret;
2041
2042         if (!capable(CAP_NET_ADMIN))
2043                 return -EPERM;
2044
2045         switch (cmd) {
2046         case IPT_SO_GET_INFO:
2047                 ret = get_info(user, len, 0);
2048                 break;
2049
2050         case IPT_SO_GET_ENTRIES:
2051                 ret = get_entries(user, len);
2052                 break;
2053
2054         case IPT_SO_GET_REVISION_MATCH:
2055         case IPT_SO_GET_REVISION_TARGET: {
2056                 struct ipt_get_revision rev;
2057                 int target;
2058
2059                 if (*len != sizeof(rev)) {
2060                         ret = -EINVAL;
2061                         break;
2062                 }
2063                 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2064                         ret = -EFAULT;
2065                         break;
2066                 }
2067
2068                 if (cmd == IPT_SO_GET_REVISION_TARGET)
2069                         target = 1;
2070                 else
2071                         target = 0;
2072
2073                 try_then_request_module(xt_find_revision(AF_INET, rev.name,
2074                                                          rev.revision,
2075                                                          target, &ret),
2076                                         "ipt_%s", rev.name);
2077                 break;
2078         }
2079
2080         default:
2081                 duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
2082                 ret = -EINVAL;
2083         }
2084
2085         return ret;
2086 }
2087
2088 int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
2089 {
2090         int ret;
2091         struct xt_table_info *newinfo;
2092         static struct xt_table_info bootstrap
2093                 = { 0, 0, 0, { 0 }, { 0 }, { } };
2094         void *loc_cpu_entry;
2095
2096         newinfo = xt_alloc_table_info(repl->size);
2097         if (!newinfo)
2098                 return -ENOMEM;
2099
2100         /* choose the copy on our node/cpu
2101          * but dont care of preemption
2102          */
2103         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2104         memcpy(loc_cpu_entry, repl->entries, repl->size);
2105
2106         ret = translate_table(table->name, table->valid_hooks,
2107                               newinfo, loc_cpu_entry, repl->size,
2108                               repl->num_entries,
2109                               repl->hook_entry,
2110                               repl->underflow);
2111         if (ret != 0) {
2112                 xt_free_table_info(newinfo);
2113                 return ret;
2114         }
2115
2116         if (xt_register_table(table, &bootstrap, newinfo) != 0) {
2117                 xt_free_table_info(newinfo);
2118                 return ret;
2119         }
2120
2121         return 0;
2122 }
2123
2124 void ipt_unregister_table(struct ipt_table *table)
2125 {
2126         struct xt_table_info *private;
2127         void *loc_cpu_entry;
2128
2129         private = xt_unregister_table(table);
2130
2131         /* Decrease module usage counts and free resources */
2132         loc_cpu_entry = private->entries[raw_smp_processor_id()];
2133         IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
2134         xt_free_table_info(private);
2135 }
2136
2137 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2138 static inline int
2139 icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2140                      u_int8_t type, u_int8_t code,
2141                      int invert)
2142 {
2143         return ((test_type == 0xFF) || (type == test_type && code >= min_code && code <= max_code))
2144                 ^ invert;
2145 }
2146
2147 static int
2148 icmp_match(const struct sk_buff *skb,
2149            const struct net_device *in,
2150            const struct net_device *out,
2151            const struct xt_match *match,
2152            const void *matchinfo,
2153            int offset,
2154            unsigned int protoff,
2155            int *hotdrop)
2156 {
2157         struct icmphdr _icmph, *ic;
2158         const struct ipt_icmp *icmpinfo = matchinfo;
2159
2160         /* Must not be a fragment. */
2161         if (offset)
2162                 return 0;
2163
2164         ic = skb_header_pointer(skb, protoff, sizeof(_icmph), &_icmph);
2165         if (ic == NULL) {
2166                 /* We've been asked to examine this packet, and we
2167                  * can't.  Hence, no choice but to drop.
2168                  */
2169                 duprintf("Dropping evil ICMP tinygram.\n");
2170                 *hotdrop = 1;
2171                 return 0;
2172         }
2173
2174         return icmp_type_code_match(icmpinfo->type,
2175                                     icmpinfo->code[0],
2176                                     icmpinfo->code[1],
2177                                     ic->type, ic->code,
2178                                     !!(icmpinfo->invflags&IPT_ICMP_INV));
2179 }
2180
2181 /* Called when user tries to insert an entry of this type. */
2182 static int
2183 icmp_checkentry(const char *tablename,
2184            const void *info,
2185            const struct xt_match *match,
2186            void *matchinfo,
2187            unsigned int matchsize,
2188            unsigned int hook_mask)
2189 {
2190         const struct ipt_icmp *icmpinfo = matchinfo;
2191
2192         /* Must specify no unknown invflags */
2193         return !(icmpinfo->invflags & ~IPT_ICMP_INV);
2194 }
2195
2196 /* The built-in targets: standard (NULL) and error. */
2197 static struct ipt_target ipt_standard_target = {
2198         .name           = IPT_STANDARD_TARGET,
2199         .targetsize     = sizeof(int),
2200         .family         = AF_INET,
2201 #ifdef CONFIG_COMPAT
2202         .compat         = &compat_ipt_standard_fn,
2203 #endif
2204 };
2205
2206 static struct ipt_target ipt_error_target = {
2207         .name           = IPT_ERROR_TARGET,
2208         .target         = ipt_error,
2209         .targetsize     = IPT_FUNCTION_MAXNAMELEN,
2210         .family         = AF_INET,
2211 };
2212
2213 static struct nf_sockopt_ops ipt_sockopts = {
2214         .pf             = PF_INET,
2215         .set_optmin     = IPT_BASE_CTL,
2216         .set_optmax     = IPT_SO_SET_MAX+1,
2217         .set            = do_ipt_set_ctl,
2218 #ifdef CONFIG_COMPAT
2219         .compat_set     = compat_do_ipt_set_ctl,
2220 #endif
2221         .get_optmin     = IPT_BASE_CTL,
2222         .get_optmax     = IPT_SO_GET_MAX+1,
2223         .get            = do_ipt_get_ctl,
2224 #ifdef CONFIG_COMPAT
2225         .compat_get     = compat_do_ipt_get_ctl,
2226 #endif
2227 };
2228
2229 static struct ipt_match icmp_matchstruct = {
2230         .name           = "icmp",
2231         .match          = icmp_match,
2232         .matchsize      = sizeof(struct ipt_icmp),
2233         .proto          = IPPROTO_ICMP,
2234         .family         = AF_INET,
2235         .checkentry     = icmp_checkentry,
2236 };
2237
2238 static int __init ip_tables_init(void)
2239 {
2240         int ret;
2241
2242         xt_proto_init(AF_INET);
2243
2244         /* Noone else will be downing sem now, so we won't sleep */
2245         xt_register_target(&ipt_standard_target);
2246         xt_register_target(&ipt_error_target);
2247         xt_register_match(&icmp_matchstruct);
2248
2249         /* Register setsockopt */
2250         ret = nf_register_sockopt(&ipt_sockopts);
2251         if (ret < 0) {
2252                 duprintf("Unable to register sockopts.\n");
2253                 return ret;
2254         }
2255
2256         printk("ip_tables: (C) 2000-2006 Netfilter Core Team\n");
2257         return 0;
2258 }
2259
2260 static void __exit ip_tables_fini(void)
2261 {
2262         nf_unregister_sockopt(&ipt_sockopts);
2263
2264         xt_unregister_match(&icmp_matchstruct);
2265         xt_unregister_target(&ipt_error_target);
2266         xt_unregister_target(&ipt_standard_target);
2267
2268         xt_proto_fini(AF_INET);
2269 }
2270
2271 EXPORT_SYMBOL(ipt_register_table);
2272 EXPORT_SYMBOL(ipt_unregister_table);
2273 EXPORT_SYMBOL(ipt_do_table);
2274 module_init(ip_tables_init);
2275 module_exit(ip_tables_fini);