projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
[NETFILTER]: ip6_tables: fix stack leagage
[deliverable/linux.git] / net / ipv6 / netfilter / ip6_tables.c
1 /*
2 * Packet matching code.
3 *
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
10 */
11
12 #include <linux/capability.h>
13 #include <linux/in.h>
14 #include <linux/skbuff.h>
15 #include <linux/kmod.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netdevice.h>
18 #include <linux/module.h>
19 #include <linux/poison.h>
20 #include <linux/icmpv6.h>
21 #include <net/ipv6.h>
22 #include <net/compat.h>
23 #include <asm/uaccess.h>
24 #include <linux/mutex.h>
25 #include <linux/proc_fs.h>
26 #include <linux/err.h>
27 #include <linux/cpumask.h>
28
29 #include <linux/netfilter_ipv6/ip6_tables.h>
30 #include <linux/netfilter/x_tables.h>
31
32 MODULE_LICENSE("GPL");
33 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
34 MODULE_DESCRIPTION("IPv6 packet filter");
35
36 /*#define DEBUG_IP_FIREWALL*/
37 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
38 /*#define DEBUG_IP_FIREWALL_USER*/
39
40 #ifdef DEBUG_IP_FIREWALL
41 #define dprintf(format, args...) printk(format , ## args)
42 #else
43 #define dprintf(format, args...)
44 #endif
45
46 #ifdef DEBUG_IP_FIREWALL_USER
47 #define duprintf(format, args...) printk(format , ## args)
48 #else
49 #define duprintf(format, args...)
50 #endif
51
52 #ifdef CONFIG_NETFILTER_DEBUG
53 #define IP_NF_ASSERT(x) \
54 do { \
55 if (!(x)) \
56 printk("IP_NF_ASSERT: %s:%s:%u\n", \
57 __FUNCTION__, __FILE__, __LINE__); \
58 } while(0)
59 #else
60 #define IP_NF_ASSERT(x)
61 #endif
62
63 #if 0
64 /* All the better to debug you with... */
65 #define static
66 #define inline
67 #endif
68
69 /*
70 We keep a set of rules for each CPU, so we can avoid write-locking
71 them in the softirq when updating the counters and therefore
72 only need to read-lock in the softirq; doing a write_lock_bh() in user
73 context stops packets coming through and allows user context to read
74 the counters or update the rules.
75
76 Hence the start of any table is given by get_table() below. */
77
78 /* Check for an extension */
79 int
80 ip6t_ext_hdr(u8 nexthdr)
81 {
82 return ( (nexthdr == IPPROTO_HOPOPTS) ||
83 (nexthdr == IPPROTO_ROUTING) ||
84 (nexthdr == IPPROTO_FRAGMENT) ||
85 (nexthdr == IPPROTO_ESP) ||
86 (nexthdr == IPPROTO_AH) ||
87 (nexthdr == IPPROTO_NONE) ||
88 (nexthdr == IPPROTO_DSTOPTS) );
89 }
90
91 /* Returns whether matches rule or not. */
92 static inline bool
93 ip6_packet_match(const struct sk_buff *skb,
94 const char *indev,
95 const char *outdev,
96 const struct ip6t_ip6 *ip6info,
97 unsigned int *protoff,
98 int *fragoff, bool *hotdrop)
99 {
100 size_t i;
101 unsigned long ret;
102 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
103
104 #define FWINV(bool,invflg) ((bool) ^ !!(ip6info->invflags & invflg))
105
106 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
107 &ip6info->src), IP6T_INV_SRCIP)
108 || FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
109 &ip6info->dst), IP6T_INV_DSTIP)) {
110 dprintf("Source or dest mismatch.\n");
111 /*
112 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
113 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
114 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
115 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
116 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
117 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
118 return false;
119 }
120
121 /* Look for ifname matches; this should unroll nicely. */
122 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
123 ret |= (((const unsigned long *)indev)[i]
124 ^ ((const unsigned long *)ip6info->iniface)[i])
125 & ((const unsigned long *)ip6info->iniface_mask)[i];
126 }
127
128 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
129 dprintf("VIA in mismatch (%s vs %s).%s\n",
130 indev, ip6info->iniface,
131 ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
132 return false;
133 }
134
135 for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
136 ret |= (((const unsigned long *)outdev)[i]
137 ^ ((const unsigned long *)ip6info->outiface)[i])
138 & ((const unsigned long *)ip6info->outiface_mask)[i];
139 }
140
141 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
142 dprintf("VIA out mismatch (%s vs %s).%s\n",
143 outdev, ip6info->outiface,
144 ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
145 return false;
146 }
147
148 /* ... might want to do something with class and flowlabel here ... */
149
150 /* look for the desired protocol header */
151 if((ip6info->flags & IP6T_F_PROTO)) {
152 int protohdr;
153 unsigned short _frag_off;
154
155 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
156 if (protohdr < 0) {
157 if (_frag_off == 0)
158 *hotdrop = true;
159 return false;
160 }
161 *fragoff = _frag_off;
162
163 dprintf("Packet protocol %hi ?= %s%hi.\n",
164 protohdr,
165 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
166 ip6info->proto);
167
168 if (ip6info->proto == protohdr) {
169 if(ip6info->invflags & IP6T_INV_PROTO) {
170 return false;
171 }
172 return true;
173 }
174
175 /* We need match for the '-p all', too! */
176 if ((ip6info->proto != 0) &&
177 !(ip6info->invflags & IP6T_INV_PROTO))
178 return false;
179 }
180 return true;
181 }
182
183 /* should be ip6 safe */
184 static inline bool
185 ip6_checkentry(const struct ip6t_ip6 *ipv6)
186 {
187 if (ipv6->flags & ~IP6T_F_MASK) {
188 duprintf("Unknown flag bits set: %08X\n",
189 ipv6->flags & ~IP6T_F_MASK);
190 return false;
191 }
192 if (ipv6->invflags & ~IP6T_INV_MASK) {
193 duprintf("Unknown invflag bits set: %08X\n",
194 ipv6->invflags & ~IP6T_INV_MASK);
195 return false;
196 }
197 return true;
198 }
199
200 static unsigned int
201 ip6t_error(struct sk_buff *skb,
202 const struct net_device *in,
203 const struct net_device *out,
204 unsigned int hooknum,
205 const struct xt_target *target,
206 const void *targinfo)
207 {
208 if (net_ratelimit())
209 printk("ip6_tables: error: `%s'\n", (char *)targinfo);
210
211 return NF_DROP;
212 }
213
214 static inline
215 bool do_match(struct ip6t_entry_match *m,
216 const struct sk_buff *skb,
217 const struct net_device *in,
218 const struct net_device *out,
219 int offset,
220 unsigned int protoff,
221 bool *hotdrop)
222 {
223 /* Stop iteration if it doesn't match */
224 if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
225 offset, protoff, hotdrop))
226 return true;
227 else
228 return false;
229 }
230
231 static inline struct ip6t_entry *
232 get_entry(void *base, unsigned int offset)
233 {
234 return (struct ip6t_entry *)(base + offset);
235 }
236
237 /* All zeroes == unconditional rule. */
238 static inline int
239 unconditional(const struct ip6t_ip6 *ipv6)
240 {
241 unsigned int i;
242
243 for (i = 0; i < sizeof(*ipv6); i++)
244 if (((char *)ipv6)[i])
245 break;
246
247 return (i == sizeof(*ipv6));
248 }
249
250 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
251 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
252 /* This cries for unification! */
253 static const char *hooknames[] = {
254 [NF_INET_PRE_ROUTING] = "PREROUTING",
255 [NF_INET_LOCAL_IN] = "INPUT",
256 [NF_INET_FORWARD] = "FORWARD",
257 [NF_INET_LOCAL_OUT] = "OUTPUT",
258 [NF_INET_POST_ROUTING] = "POSTROUTING",
259 };
260
261 enum nf_ip_trace_comments {
262 NF_IP6_TRACE_COMMENT_RULE,
263 NF_IP6_TRACE_COMMENT_RETURN,
264 NF_IP6_TRACE_COMMENT_POLICY,
265 };
266
267 static const char *comments[] = {
268 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
269 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
270 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
271 };
272
273 static struct nf_loginfo trace_loginfo = {
274 .type = NF_LOG_TYPE_LOG,
275 .u = {
276 .log = {
277 .level = 4,
278 .logflags = NF_LOG_MASK,
279 },
280 },
281 };
282
283 static inline int
284 get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
285 char *hookname, char **chainname,
286 char **comment, unsigned int *rulenum)
287 {
288 struct ip6t_standard_target *t = (void *)ip6t_get_target(s);
289
290 if (strcmp(t->target.u.kernel.target->name, IP6T_ERROR_TARGET) == 0) {
291 /* Head of user chain: ERROR target with chainname */
292 *chainname = t->target.data;
293 (*rulenum) = 0;
294 } else if (s == e) {
295 (*rulenum)++;
296
297 if (s->target_offset == sizeof(struct ip6t_entry)
298 && strcmp(t->target.u.kernel.target->name,
299 IP6T_STANDARD_TARGET) == 0
300 && t->verdict < 0
301 && unconditional(&s->ipv6)) {
302 /* Tail of chains: STANDARD target (return/policy) */
303 *comment = *chainname == hookname
304 ? (char *)comments[NF_IP6_TRACE_COMMENT_POLICY]
305 : (char *)comments[NF_IP6_TRACE_COMMENT_RETURN];
306 }
307 return 1;
308 } else
309 (*rulenum)++;
310
311 return 0;
312 }
313
314 static void trace_packet(struct sk_buff *skb,
315 unsigned int hook,
316 const struct net_device *in,
317 const struct net_device *out,
318 char *tablename,
319 struct xt_table_info *private,
320 struct ip6t_entry *e)
321 {
322 void *table_base;
323 struct ip6t_entry *root;
324 char *hookname, *chainname, *comment;
325 unsigned int rulenum = 0;
326
327 table_base = (void *)private->entries[smp_processor_id()];
328 root = get_entry(table_base, private->hook_entry[hook]);
329
330 hookname = chainname = (char *)hooknames[hook];
331 comment = (char *)comments[NF_IP6_TRACE_COMMENT_RULE];
332
333 IP6T_ENTRY_ITERATE(root,
334 private->size - private->hook_entry[hook],
335 get_chainname_rulenum,
336 e, hookname, &chainname, &comment, &rulenum);
337
338 nf_log_packet(AF_INET6, hook, skb, in, out, &trace_loginfo,
339 "TRACE: %s:%s:%s:%u ",
340 tablename, chainname, comment, rulenum);
341 }
342 #endif
343
344 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
345 unsigned int
346 ip6t_do_table(struct sk_buff *skb,
347 unsigned int hook,
348 const struct net_device *in,
349 const struct net_device *out,
350 struct xt_table *table)
351 {
352 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
353 int offset = 0;
354 unsigned int protoff = 0;
355 bool hotdrop = false;
356 /* Initializing verdict to NF_DROP keeps gcc happy. */
357 unsigned int verdict = NF_DROP;
358 const char *indev, *outdev;
359 void *table_base;
360 struct ip6t_entry *e, *back;
361 struct xt_table_info *private;
362
363 /* Initialization */
364 indev = in ? in->name : nulldevname;
365 outdev = out ? out->name : nulldevname;
366 /* We handle fragments by dealing with the first fragment as
367 * if it was a normal packet. All other fragments are treated
368 * normally, except that they will NEVER match rules that ask
369 * things we don't know, ie. tcp syn flag or ports). If the
370 * rule is also a fragment-specific rule, non-fragments won't
371 * match it. */
372
373 read_lock_bh(&table->lock);
374 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
375 private = table->private;
376 table_base = (void *)private->entries[smp_processor_id()];
377 e = get_entry(table_base, private->hook_entry[hook]);
378
379 /* For return from builtin chain */
380 back = get_entry(table_base, private->underflow[hook]);
381
382 do {
383 IP_NF_ASSERT(e);
384 IP_NF_ASSERT(back);
385 if (ip6_packet_match(skb, indev, outdev, &e->ipv6,
386 &protoff, &offset, &hotdrop)) {
387 struct ip6t_entry_target *t;
388
389 if (IP6T_MATCH_ITERATE(e, do_match,
390 skb, in, out,
391 offset, protoff, &hotdrop) != 0)
392 goto no_match;
393
394 ADD_COUNTER(e->counters,
395 ntohs(ipv6_hdr(skb)->payload_len) +
396 sizeof(struct ipv6hdr), 1);
397
398 t = ip6t_get_target(e);
399 IP_NF_ASSERT(t->u.kernel.target);
400
401 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
402 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
403 /* The packet is traced: log it */
404 if (unlikely(skb->nf_trace))
405 trace_packet(skb, hook, in, out,
406 table->name, private, e);
407 #endif
408 /* Standard target? */
409 if (!t->u.kernel.target->target) {
410 int v;
411
412 v = ((struct ip6t_standard_target *)t)->verdict;
413 if (v < 0) {
414 /* Pop from stack? */
415 if (v != IP6T_RETURN) {
416 verdict = (unsigned)(-v) - 1;
417 break;
418 }
419 e = back;
420 back = get_entry(table_base,
421 back->comefrom);
422 continue;
423 }
424 if (table_base + v != (void *)e + e->next_offset
425 && !(e->ipv6.flags & IP6T_F_GOTO)) {
426 /* Save old back ptr in next entry */
427 struct ip6t_entry *next
428 = (void *)e + e->next_offset;
429 next->comefrom
430 = (void *)back - table_base;
431 /* set back pointer to next entry */
432 back = next;
433 }
434
435 e = get_entry(table_base, v);
436 } else {
437 /* Targets which reenter must return
438 abs. verdicts */
439 #ifdef CONFIG_NETFILTER_DEBUG
440 ((struct ip6t_entry *)table_base)->comefrom
441 = 0xeeeeeeec;
442 #endif
443 verdict = t->u.kernel.target->target(skb,
444 in, out,
445 hook,
446 t->u.kernel.target,
447 t->data);
448
449 #ifdef CONFIG_NETFILTER_DEBUG
450 if (((struct ip6t_entry *)table_base)->comefrom
451 != 0xeeeeeeec
452 && verdict == IP6T_CONTINUE) {
453 printk("Target %s reentered!\n",
454 t->u.kernel.target->name);
455 verdict = NF_DROP;
456 }
457 ((struct ip6t_entry *)table_base)->comefrom
458 = 0x57acc001;
459 #endif
460 if (verdict == IP6T_CONTINUE)
461 e = (void *)e + e->next_offset;
462 else
463 /* Verdict */
464 break;
465 }
466 } else {
467
468 no_match:
469 e = (void *)e + e->next_offset;
470 }
471 } while (!hotdrop);
472
473 #ifdef CONFIG_NETFILTER_DEBUG
474 ((struct ip6t_entry *)table_base)->comefrom = NETFILTER_LINK_POISON;
475 #endif
476 read_unlock_bh(&table->lock);
477
478 #ifdef DEBUG_ALLOW_ALL
479 return NF_ACCEPT;
480 #else
481 if (hotdrop)
482 return NF_DROP;
483 else return verdict;
484 #endif
485 }
486
487 /* Figures out from what hook each rule can be called: returns 0 if
488 there are loops. Puts hook bitmask in comefrom. */
489 static int
490 mark_source_chains(struct xt_table_info *newinfo,
491 unsigned int valid_hooks, void *entry0)
492 {
493 unsigned int hook;
494
495 /* No recursion; use packet counter to save back ptrs (reset
496 to 0 as we leave), and comefrom to save source hook bitmask */
497 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
498 unsigned int pos = newinfo->hook_entry[hook];
499 struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
500
501 if (!(valid_hooks & (1 << hook)))
502 continue;
503
504 /* Set initial back pointer. */
505 e->counters.pcnt = pos;
506
507 for (;;) {
508 struct ip6t_standard_target *t
509 = (void *)ip6t_get_target(e);
510 int visited = e->comefrom & (1 << hook);
511
512 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
513 printk("iptables: loop hook %u pos %u %08X.\n",
514 hook, pos, e->comefrom);
515 return 0;
516 }
517 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
518
519 /* Unconditional return/END. */
520 if ((e->target_offset == sizeof(struct ip6t_entry)
521 && (strcmp(t->target.u.user.name,
522 IP6T_STANDARD_TARGET) == 0)
523 && t->verdict < 0
524 && unconditional(&e->ipv6)) || visited) {
525 unsigned int oldpos, size;
526
527 if (t->verdict < -NF_MAX_VERDICT - 1) {
528 duprintf("mark_source_chains: bad "
529 "negative verdict (%i)\n",
530 t->verdict);
531 return 0;
532 }
533
534 /* Return: backtrack through the last
535 big jump. */
536 do {
537 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
538 #ifdef DEBUG_IP_FIREWALL_USER
539 if (e->comefrom
540 & (1 << NF_INET_NUMHOOKS)) {
541 duprintf("Back unset "
542 "on hook %u "
543 "rule %u\n",
544 hook, pos);
545 }
546 #endif
547 oldpos = pos;
548 pos = e->counters.pcnt;
549 e->counters.pcnt = 0;
550
551 /* We're at the start. */
552 if (pos == oldpos)
553 goto next;
554
555 e = (struct ip6t_entry *)
556 (entry0 + pos);
557 } while (oldpos == pos + e->next_offset);
558
559 /* Move along one */
560 size = e->next_offset;
561 e = (struct ip6t_entry *)
562 (entry0 + pos + size);
563 e->counters.pcnt = pos;
564 pos += size;
565 } else {
566 int newpos = t->verdict;
567
568 if (strcmp(t->target.u.user.name,
569 IP6T_STANDARD_TARGET) == 0
570 && newpos >= 0) {
571 if (newpos > newinfo->size -
572 sizeof(struct ip6t_entry)) {
573 duprintf("mark_source_chains: "
574 "bad verdict (%i)\n",
575 newpos);
576 return 0;
577 }
578 /* This a jump; chase it. */
579 duprintf("Jump rule %u -> %u\n",
580 pos, newpos);
581 } else {
582 /* ... this is a fallthru */
583 newpos = pos + e->next_offset;
584 }
585 e = (struct ip6t_entry *)
586 (entry0 + newpos);
587 e->counters.pcnt = pos;
588 pos = newpos;
589 }
590 }
591 next:
592 duprintf("Finished chain %u\n", hook);
593 }
594 return 1;
595 }
596
597 static inline int
598 cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
599 {
600 if (i && (*i)-- == 0)
601 return 1;
602
603 if (m->u.kernel.match->destroy)
604 m->u.kernel.match->destroy(m->u.kernel.match, m->data);
605 module_put(m->u.kernel.match->me);
606 return 0;
607 }
608
609 static inline int
610 check_entry(struct ip6t_entry *e, const char *name)
611 {
612 struct ip6t_entry_target *t;
613
614 if (!ip6_checkentry(&e->ipv6)) {
615 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
616 return -EINVAL;
617 }
618
619 if (e->target_offset + sizeof(struct ip6t_entry_target) >
620 e->next_offset)
621 return -EINVAL;
622
623 t = ip6t_get_target(e);
624 if (e->target_offset + t->u.target_size > e->next_offset)
625 return -EINVAL;
626
627 return 0;
628 }
629
630 static inline int check_match(struct ip6t_entry_match *m, const char *name,
631 const struct ip6t_ip6 *ipv6,
632 unsigned int hookmask, unsigned int *i)
633 {
634 struct xt_match *match;
635 int ret;
636
637 match = m->u.kernel.match;
638 ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
639 name, hookmask, ipv6->proto,
640 ipv6->invflags & IP6T_INV_PROTO);
641 if (!ret && m->u.kernel.match->checkentry
642 && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
643 hookmask)) {
644 duprintf("ip_tables: check failed for `%s'.\n",
645 m->u.kernel.match->name);
646 ret = -EINVAL;
647 }
648 if (!ret)
649 (*i)++;
650 return ret;
651 }
652
653 static inline int
654 find_check_match(struct ip6t_entry_match *m,
655 const char *name,
656 const struct ip6t_ip6 *ipv6,
657 unsigned int hookmask,
658 unsigned int *i)
659 {
660 struct xt_match *match;
661 int ret;
662
663 match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
664 m->u.user.revision),
665 "ip6t_%s", m->u.user.name);
666 if (IS_ERR(match) || !match) {
667 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
668 return match ? PTR_ERR(match) : -ENOENT;
669 }
670 m->u.kernel.match = match;
671
672 ret = check_match(m, name, ipv6, hookmask, i);
673 if (ret)
674 goto err;
675
676 return 0;
677 err:
678 module_put(m->u.kernel.match->me);
679 return ret;
680 }
681
682 static inline int check_target(struct ip6t_entry *e, const char *name)
683 {
684 struct ip6t_entry_target *t;
685 struct xt_target *target;
686 int ret;
687
688 t = ip6t_get_target(e);
689 target = t->u.kernel.target;
690 ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
691 name, e->comefrom, e->ipv6.proto,
692 e->ipv6.invflags & IP6T_INV_PROTO);
693 if (!ret && t->u.kernel.target->checkentry
694 && !t->u.kernel.target->checkentry(name, e, target, t->data,
695 e->comefrom)) {
696 duprintf("ip_tables: check failed for `%s'.\n",
697 t->u.kernel.target->name);
698 ret = -EINVAL;
699 }
700 return ret;
701 }
702
703 static inline int
704 find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
705 unsigned int *i)
706 {
707 struct ip6t_entry_target *t;
708 struct xt_target *target;
709 int ret;
710 unsigned int j;
711
712 ret = check_entry(e, name);
713 if (ret)
714 return ret;
715
716 j = 0;
717 ret = IP6T_MATCH_ITERATE(e, find_check_match, name, &e->ipv6,
718 e->comefrom, &j);
719 if (ret != 0)
720 goto cleanup_matches;
721
722 t = ip6t_get_target(e);
723 target = try_then_request_module(xt_find_target(AF_INET6,
724 t->u.user.name,
725 t->u.user.revision),
726 "ip6t_%s", t->u.user.name);
727 if (IS_ERR(target) || !target) {
728 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
729 ret = target ? PTR_ERR(target) : -ENOENT;
730 goto cleanup_matches;
731 }
732 t->u.kernel.target = target;
733
734 ret = check_target(e, name);
735 if (ret)
736 goto err;
737
738 (*i)++;
739 return 0;
740 err:
741 module_put(t->u.kernel.target->me);
742 cleanup_matches:
743 IP6T_MATCH_ITERATE(e, cleanup_match, &j);
744 return ret;
745 }
746
747 static inline int
748 check_entry_size_and_hooks(struct ip6t_entry *e,
749 struct xt_table_info *newinfo,
750 unsigned char *base,
751 unsigned char *limit,
752 const unsigned int *hook_entries,
753 const unsigned int *underflows,
754 unsigned int *i)
755 {
756 unsigned int h;
757
758 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0
759 || (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
760 duprintf("Bad offset %p\n", e);
761 return -EINVAL;
762 }
763
764 if (e->next_offset
765 < sizeof(struct ip6t_entry) + sizeof(struct ip6t_entry_target)) {
766 duprintf("checking: element %p size %u\n",
767 e, e->next_offset);
768 return -EINVAL;
769 }
770
771 /* Check hooks & underflows */
772 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
773 if ((unsigned char *)e - base == hook_entries[h])
774 newinfo->hook_entry[h] = hook_entries[h];
775 if ((unsigned char *)e - base == underflows[h])
776 newinfo->underflow[h] = underflows[h];
777 }
778
779 /* FIXME: underflows must be unconditional, standard verdicts
780 < 0 (not IP6T_RETURN). --RR */
781
782 /* Clear counters and comefrom */
783 e->counters = ((struct xt_counters) { 0, 0 });
784 e->comefrom = 0;
785
786 (*i)++;
787 return 0;
788 }
789
790 static inline int
791 cleanup_entry(struct ip6t_entry *e, unsigned int *i)
792 {
793 struct ip6t_entry_target *t;
794
795 if (i && (*i)-- == 0)
796 return 1;
797
798 /* Cleanup all matches */
799 IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
800 t = ip6t_get_target(e);
801 if (t->u.kernel.target->destroy)
802 t->u.kernel.target->destroy(t->u.kernel.target, t->data);
803 module_put(t->u.kernel.target->me);
804 return 0;
805 }
806
807 /* Checks and translates the user-supplied table segment (held in
808 newinfo) */
809 static int
810 translate_table(const char *name,
811 unsigned int valid_hooks,
812 struct xt_table_info *newinfo,
813 void *entry0,
814 unsigned int size,
815 unsigned int number,
816 const unsigned int *hook_entries,
817 const unsigned int *underflows)
818 {
819 unsigned int i;
820 int ret;
821
822 newinfo->size = size;
823 newinfo->number = number;
824
825 /* Init all hooks to impossible value. */
826 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
827 newinfo->hook_entry[i] = 0xFFFFFFFF;
828 newinfo->underflow[i] = 0xFFFFFFFF;
829 }
830
831 duprintf("translate_table: size %u\n", newinfo->size);
832 i = 0;
833 /* Walk through entries, checking offsets. */
834 ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
835 check_entry_size_and_hooks,
836 newinfo,
837 entry0,
838 entry0 + size,
839 hook_entries, underflows, &i);
840 if (ret != 0)
841 return ret;
842
843 if (i != number) {
844 duprintf("translate_table: %u not %u entries\n",
845 i, number);
846 return -EINVAL;
847 }
848
849 /* Check hooks all assigned */
850 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
851 /* Only hooks which are valid */
852 if (!(valid_hooks & (1 << i)))
853 continue;
854 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
855 duprintf("Invalid hook entry %u %u\n",
856 i, hook_entries[i]);
857 return -EINVAL;
858 }
859 if (newinfo->underflow[i] == 0xFFFFFFFF) {
860 duprintf("Invalid underflow %u %u\n",
861 i, underflows[i]);
862 return -EINVAL;
863 }
864 }
865
866 if (!mark_source_chains(newinfo, valid_hooks, entry0))
867 return -ELOOP;
868
869 /* Finally, each sanity check must pass */
870 i = 0;
871 ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
872 find_check_entry, name, size, &i);
873
874 if (ret != 0) {
875 IP6T_ENTRY_ITERATE(entry0, newinfo->size,
876 cleanup_entry, &i);
877 return ret;
878 }
879
880 /* And one copy for every other CPU */
881 for_each_possible_cpu(i) {
882 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
883 memcpy(newinfo->entries[i], entry0, newinfo->size);
884 }
885
886 return ret;
887 }
888
889 /* Gets counters. */
890 static inline int
891 add_entry_to_counter(const struct ip6t_entry *e,
892 struct xt_counters total[],
893 unsigned int *i)
894 {
895 ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
896
897 (*i)++;
898 return 0;
899 }
900
901 static inline int
902 set_entry_to_counter(const struct ip6t_entry *e,
903 struct ip6t_counters total[],
904 unsigned int *i)
905 {
906 SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
907
908 (*i)++;
909 return 0;
910 }
911
912 static void
913 get_counters(const struct xt_table_info *t,
914 struct xt_counters counters[])
915 {
916 unsigned int cpu;
917 unsigned int i;
918 unsigned int curcpu;
919
920 /* Instead of clearing (by a previous call to memset())
921 * the counters and using adds, we set the counters
922 * with data used by 'current' CPU
923 * We dont care about preemption here.
924 */
925 curcpu = raw_smp_processor_id();
926
927 i = 0;
928 IP6T_ENTRY_ITERATE(t->entries[curcpu],
929 t->size,
930 set_entry_to_counter,
931 counters,
932 &i);
933
934 for_each_possible_cpu(cpu) {
935 if (cpu == curcpu)
936 continue;
937 i = 0;
938 IP6T_ENTRY_ITERATE(t->entries[cpu],
939 t->size,
940 add_entry_to_counter,
941 counters,
942 &i);
943 }
944 }
945
946 static inline struct xt_counters *alloc_counters(struct xt_table *table)
947 {
948 unsigned int countersize;
949 struct xt_counters *counters;
950 struct xt_table_info *private = table->private;
951
952 /* We need atomic snapshot of counters: rest doesn't change
953 (other than comefrom, which userspace doesn't care
954 about). */
955 countersize = sizeof(struct xt_counters) * private->number;
956 counters = vmalloc_node(countersize, numa_node_id());
957
958 if (counters == NULL)
959 return ERR_PTR(-ENOMEM);
960
961 /* First, sum counters... */
962 write_lock_bh(&table->lock);
963 get_counters(private, counters);
964 write_unlock_bh(&table->lock);
965
966 return counters;
967 }
968
969 static int
970 copy_entries_to_user(unsigned int total_size,
971 struct xt_table *table,
972 void __user *userptr)
973 {
974 unsigned int off, num;
975 struct ip6t_entry *e;
976 struct xt_counters *counters;
977 struct xt_table_info *private = table->private;
978 int ret = 0;
979 void *loc_cpu_entry;
980
981 counters = alloc_counters(table);
982 if (IS_ERR(counters))
983 return PTR_ERR(counters);
984
985 /* choose the copy that is on our node/cpu, ...
986 * This choice is lazy (because current thread is
987 * allowed to migrate to another cpu)
988 */
989 loc_cpu_entry = private->entries[raw_smp_processor_id()];
990 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
991 ret = -EFAULT;
992 goto free_counters;
993 }
994
995 /* FIXME: use iterator macros --RR */
996 /* ... then go back and fix counters and names */
997 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
998 unsigned int i;
999 struct ip6t_entry_match *m;
1000 struct ip6t_entry_target *t;
1001
1002 e = (struct ip6t_entry *)(loc_cpu_entry + off);
1003 if (copy_to_user(userptr + off
1004 + offsetof(struct ip6t_entry, counters),
1005 &counters[num],
1006 sizeof(counters[num])) != 0) {
1007 ret = -EFAULT;
1008 goto free_counters;
1009 }
1010
1011 for (i = sizeof(struct ip6t_entry);
1012 i < e->target_offset;
1013 i += m->u.match_size) {
1014 m = (void *)e + i;
1015
1016 if (copy_to_user(userptr + off + i
1017 + offsetof(struct ip6t_entry_match,
1018 u.user.name),
1019 m->u.kernel.match->name,
1020 strlen(m->u.kernel.match->name)+1)
1021 != 0) {
1022 ret = -EFAULT;
1023 goto free_counters;
1024 }
1025 }
1026
1027 t = ip6t_get_target(e);
1028 if (copy_to_user(userptr + off + e->target_offset
1029 + offsetof(struct ip6t_entry_target,
1030 u.user.name),
1031 t->u.kernel.target->name,
1032 strlen(t->u.kernel.target->name)+1) != 0) {
1033 ret = -EFAULT;
1034 goto free_counters;
1035 }
1036 }
1037
1038 free_counters:
1039 vfree(counters);
1040 return ret;
1041 }
1042
1043 #ifdef CONFIG_COMPAT
1044 static void compat_standard_from_user(void *dst, void *src)
1045 {
1046 int v = *(compat_int_t *)src;
1047
1048 if (v > 0)
1049 v += xt_compat_calc_jump(AF_INET6, v);
1050 memcpy(dst, &v, sizeof(v));
1051 }
1052
1053 static int compat_standard_to_user(void __user *dst, void *src)
1054 {
1055 compat_int_t cv = *(int *)src;
1056
1057 if (cv > 0)
1058 cv -= xt_compat_calc_jump(AF_INET6, cv);
1059 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1060 }
1061
1062 static inline int
1063 compat_calc_match(struct ip6t_entry_match *m, int *size)
1064 {
1065 *size += xt_compat_match_offset(m->u.kernel.match);
1066 return 0;
1067 }
1068
1069 static int compat_calc_entry(struct ip6t_entry *e,
1070 const struct xt_table_info *info,
1071 void *base, struct xt_table_info *newinfo)
1072 {
1073 struct ip6t_entry_target *t;
1074 unsigned int entry_offset;
1075 int off, i, ret;
1076
1077 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1078 entry_offset = (void *)e - base;
1079 IP6T_MATCH_ITERATE(e, compat_calc_match, &off);
1080 t = ip6t_get_target(e);
1081 off += xt_compat_target_offset(t->u.kernel.target);
1082 newinfo->size -= off;
1083 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1084 if (ret)
1085 return ret;
1086
1087 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1088 if (info->hook_entry[i] &&
1089 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
1090 newinfo->hook_entry[i] -= off;
1091 if (info->underflow[i] &&
1092 (e < (struct ip6t_entry *)(base + info->underflow[i])))
1093 newinfo->underflow[i] -= off;
1094 }
1095 return 0;
1096 }
1097
1098 static int compat_table_info(const struct xt_table_info *info,
1099 struct xt_table_info *newinfo)
1100 {
1101 void *loc_cpu_entry;
1102
1103 if (!newinfo || !info)
1104 return -EINVAL;
1105
1106 /* we dont care about newinfo->entries[] */
1107 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1108 newinfo->initial_entries = 0;
1109 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1110 return IP6T_ENTRY_ITERATE(loc_cpu_entry, info->size,
1111 compat_calc_entry, info, loc_cpu_entry,
1112 newinfo);
1113 }
1114 #endif
1115
1116 static int get_info(void __user *user, int *len, int compat)
1117 {
1118 char name[IP6T_TABLE_MAXNAMELEN];
1119 struct xt_table *t;
1120 int ret;
1121
1122 if (*len != sizeof(struct ip6t_getinfo)) {
1123 duprintf("length %u != %zu\n", *len,
1124 sizeof(struct ip6t_getinfo));
1125 return -EINVAL;
1126 }
1127
1128 if (copy_from_user(name, user, sizeof(name)) != 0)
1129 return -EFAULT;
1130
1131 name[IP6T_TABLE_MAXNAMELEN-1] = '\0';
1132 #ifdef CONFIG_COMPAT
1133 if (compat)
1134 xt_compat_lock(AF_INET6);
1135 #endif
1136 t = try_then_request_module(xt_find_table_lock(AF_INET6, name),
1137 "ip6table_%s", name);
1138 if (t && !IS_ERR(t)) {
1139 struct ip6t_getinfo info;
1140 struct xt_table_info *private = t->private;
1141
1142 #ifdef CONFIG_COMPAT
1143 if (compat) {
1144 struct xt_table_info tmp;
1145 ret = compat_table_info(private, &tmp);
1146 xt_compat_flush_offsets(AF_INET6);
1147 private = &tmp;
1148 }
1149 #endif
1150 info.valid_hooks = t->valid_hooks;
1151 memcpy(info.hook_entry, private->hook_entry,
1152 sizeof(info.hook_entry));
1153 memcpy(info.underflow, private->underflow,
1154 sizeof(info.underflow));
1155 info.num_entries = private->number;
1156 info.size = private->size;
1157 strcpy(info.name, name);
1158
1159 if (copy_to_user(user, &info, *len) != 0)
1160 ret = -EFAULT;
1161 else
1162 ret = 0;
1163
1164 xt_table_unlock(t);
1165 module_put(t->me);
1166 } else
1167 ret = t ? PTR_ERR(t) : -ENOENT;
1168 #ifdef CONFIG_COMPAT
1169 if (compat)
1170 xt_compat_unlock(AF_INET6);
1171 #endif
1172 return ret;
1173 }
1174
1175 static int
1176 get_entries(struct ip6t_get_entries __user *uptr, int *len)
1177 {
1178 int ret;
1179 struct ip6t_get_entries get;
1180 struct xt_table *t;
1181
1182 if (*len < sizeof(get)) {
1183 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1184 return -EINVAL;
1185 }
1186 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1187 return -EFAULT;
1188 if (*len != sizeof(struct ip6t_get_entries) + get.size) {
1189 duprintf("get_entries: %u != %zu\n",
1190 *len, sizeof(get) + get.size);
1191 return -EINVAL;
1192 }
1193
1194 t = xt_find_table_lock(AF_INET6, get.name);
1195 if (t && !IS_ERR(t)) {
1196 struct xt_table_info *private = t->private;
1197 duprintf("t->private->number = %u\n", private->number);
1198 if (get.size == private->size)
1199 ret = copy_entries_to_user(private->size,
1200 t, uptr->entrytable);
1201 else {
1202 duprintf("get_entries: I've got %u not %u!\n",
1203 private->size, get.size);
1204 ret = -EINVAL;
1205 }
1206 module_put(t->me);
1207 xt_table_unlock(t);
1208 } else
1209 ret = t ? PTR_ERR(t) : -ENOENT;
1210
1211 return ret;
1212 }
1213
1214 static int
1215 __do_replace(const char *name, unsigned int valid_hooks,
1216 struct xt_table_info *newinfo, unsigned int num_counters,
1217 void __user *counters_ptr)
1218 {
1219 int ret;
1220 struct xt_table *t;
1221 struct xt_table_info *oldinfo;
1222 struct xt_counters *counters;
1223 void *loc_cpu_old_entry;
1224
1225 ret = 0;
1226 counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
1227 numa_node_id());
1228 if (!counters) {
1229 ret = -ENOMEM;
1230 goto out;
1231 }
1232
1233 t = try_then_request_module(xt_find_table_lock(AF_INET6, name),
1234 "ip6table_%s", name);
1235 if (!t || IS_ERR(t)) {
1236 ret = t ? PTR_ERR(t) : -ENOENT;
1237 goto free_newinfo_counters_untrans;
1238 }
1239
1240 /* You lied! */
1241 if (valid_hooks != t->valid_hooks) {
1242 duprintf("Valid hook crap: %08X vs %08X\n",
1243 valid_hooks, t->valid_hooks);
1244 ret = -EINVAL;
1245 goto put_module;
1246 }
1247
1248 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1249 if (!oldinfo)
1250 goto put_module;
1251
1252 /* Update module usage count based on number of rules */
1253 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1254 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1255 if ((oldinfo->number > oldinfo->initial_entries) ||
1256 (newinfo->number <= oldinfo->initial_entries))
1257 module_put(t->me);
1258 if ((oldinfo->number > oldinfo->initial_entries) &&
1259 (newinfo->number <= oldinfo->initial_entries))
1260 module_put(t->me);
1261
1262 /* Get the old counters. */
1263 get_counters(oldinfo, counters);
1264 /* Decrease module usage counts and free resource */
1265 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1266 IP6T_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,
1267 NULL);
1268 xt_free_table_info(oldinfo);
1269 if (copy_to_user(counters_ptr, counters,
1270 sizeof(struct xt_counters) * num_counters) != 0)
1271 ret = -EFAULT;
1272 vfree(counters);
1273 xt_table_unlock(t);
1274 return ret;
1275
1276 put_module:
1277 module_put(t->me);
1278 xt_table_unlock(t);
1279 free_newinfo_counters_untrans:
1280 vfree(counters);
1281 out:
1282 return ret;
1283 }
1284
1285 static int
1286 do_replace(void __user *user, unsigned int len)
1287 {
1288 int ret;
1289 struct ip6t_replace tmp;
1290 struct xt_table_info *newinfo;
1291 void *loc_cpu_entry;
1292
1293 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1294 return -EFAULT;
1295
1296 /* overflow check */
1297 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1298 return -ENOMEM;
1299
1300 newinfo = xt_alloc_table_info(tmp.size);
1301 if (!newinfo)
1302 return -ENOMEM;
1303
1304 /* choose the copy that is on our node/cpu */
1305 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1306 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1307 tmp.size) != 0) {
1308 ret = -EFAULT;
1309 goto free_newinfo;
1310 }
1311
1312 ret = translate_table(tmp.name, tmp.valid_hooks,
1313 newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
1314 tmp.hook_entry, tmp.underflow);
1315 if (ret != 0)
1316 goto free_newinfo;
1317
1318 duprintf("ip_tables: Translated table\n");
1319
1320 ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo,
1321 tmp.num_counters, tmp.counters);
1322 if (ret)
1323 goto free_newinfo_untrans;
1324 return 0;
1325
1326 free_newinfo_untrans:
1327 IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1328 free_newinfo:
1329 xt_free_table_info(newinfo);
1330 return ret;
1331 }
1332
1333 /* We're lazy, and add to the first CPU; overflow works its fey magic
1334 * and everything is OK. */
1335 static inline int
1336 add_counter_to_entry(struct ip6t_entry *e,
1337 const struct xt_counters addme[],
1338 unsigned int *i)
1339 {
1340 #if 0
1341 duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
1342 *i,
1343 (long unsigned int)e->counters.pcnt,
1344 (long unsigned int)e->counters.bcnt,
1345 (long unsigned int)addme[*i].pcnt,
1346 (long unsigned int)addme[*i].bcnt);
1347 #endif
1348
1349 ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
1350
1351 (*i)++;
1352 return 0;
1353 }
1354
1355 static int
1356 do_add_counters(void __user *user, unsigned int len, int compat)
1357 {
1358 unsigned int i;
1359 struct xt_counters_info tmp;
1360 struct xt_counters *paddc;
1361 unsigned int num_counters;
1362 char *name;
1363 int size;
1364 void *ptmp;
1365 struct xt_table *t;
1366 struct xt_table_info *private;
1367 int ret = 0;
1368 void *loc_cpu_entry;
1369 #ifdef CONFIG_COMPAT
1370 struct compat_xt_counters_info compat_tmp;
1371
1372 if (compat) {
1373 ptmp = &compat_tmp;
1374 size = sizeof(struct compat_xt_counters_info);
1375 } else
1376 #endif
1377 {
1378 ptmp = &tmp;
1379 size = sizeof(struct xt_counters_info);
1380 }
1381
1382 if (copy_from_user(ptmp, user, size) != 0)
1383 return -EFAULT;
1384
1385 #ifdef CONFIG_COMPAT
1386 if (compat) {
1387 num_counters = compat_tmp.num_counters;
1388 name = compat_tmp.name;
1389 } else
1390 #endif
1391 {
1392 num_counters = tmp.num_counters;
1393 name = tmp.name;
1394 }
1395
1396 if (len != size + num_counters * sizeof(struct xt_counters))
1397 return -EINVAL;
1398
1399 paddc = vmalloc_node(len - size, numa_node_id());
1400 if (!paddc)
1401 return -ENOMEM;
1402
1403 if (copy_from_user(paddc, user + size, len - size) != 0) {
1404 ret = -EFAULT;
1405 goto free;
1406 }
1407
1408 t = xt_find_table_lock(AF_INET6, name);
1409 if (!t || IS_ERR(t)) {
1410 ret = t ? PTR_ERR(t) : -ENOENT;
1411 goto free;
1412 }
1413
1414 write_lock_bh(&t->lock);
1415 private = t->private;
1416 if (private->number != num_counters) {
1417 ret = -EINVAL;
1418 goto unlock_up_free;
1419 }
1420
1421 i = 0;
1422 /* Choose the copy that is on our node */
1423 loc_cpu_entry = private->entries[smp_processor_id()];
1424 IP6T_ENTRY_ITERATE(loc_cpu_entry,
1425 private->size,
1426 add_counter_to_entry,
1427 paddc,
1428 &i);
1429 unlock_up_free:
1430 write_unlock_bh(&t->lock);
1431 xt_table_unlock(t);
1432 module_put(t->me);
1433 free:
1434 vfree(paddc);
1435
1436 return ret;
1437 }
1438
1439 #ifdef CONFIG_COMPAT
1440 struct compat_ip6t_replace {
1441 char name[IP6T_TABLE_MAXNAMELEN];
1442 u32 valid_hooks;
1443 u32 num_entries;
1444 u32 size;
1445 u32 hook_entry[NF_INET_NUMHOOKS];
1446 u32 underflow[NF_INET_NUMHOOKS];
1447 u32 num_counters;
1448 compat_uptr_t counters; /* struct ip6t_counters * */
1449 struct compat_ip6t_entry entries[0];
1450 };
1451
1452 static int
1453 compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1454 compat_uint_t *size, struct xt_counters *counters,
1455 unsigned int *i)
1456 {
1457 struct ip6t_entry_target *t;
1458 struct compat_ip6t_entry __user *ce;
1459 u_int16_t target_offset, next_offset;
1460 compat_uint_t origsize;
1461 int ret;
1462
1463 ret = -EFAULT;
1464 origsize = *size;
1465 ce = (struct compat_ip6t_entry __user *)*dstptr;
1466 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)))
1467 goto out;
1468
1469 if (copy_to_user(&ce->counters, &counters[*i], sizeof(counters[*i])))
1470 goto out;
1471
1472 *dstptr += sizeof(struct compat_ip6t_entry);
1473 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1474
1475 ret = IP6T_MATCH_ITERATE(e, xt_compat_match_to_user, dstptr, size);
1476 target_offset = e->target_offset - (origsize - *size);
1477 if (ret)
1478 goto out;
1479 t = ip6t_get_target(e);
1480 ret = xt_compat_target_to_user(t, dstptr, size);
1481 if (ret)
1482 goto out;
1483 ret = -EFAULT;
1484 next_offset = e->next_offset - (origsize - *size);
1485 if (put_user(target_offset, &ce->target_offset))
1486 goto out;
1487 if (put_user(next_offset, &ce->next_offset))
1488 goto out;
1489
1490 (*i)++;
1491 return 0;
1492 out:
1493 return ret;
1494 }
1495
1496 static inline int
1497 compat_find_calc_match(struct ip6t_entry_match *m,
1498 const char *name,
1499 const struct ip6t_ip6 *ipv6,
1500 unsigned int hookmask,
1501 int *size, int *i)
1502 {
1503 struct xt_match *match;
1504
1505 match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
1506 m->u.user.revision),
1507 "ip6t_%s", m->u.user.name);
1508 if (IS_ERR(match) || !match) {
1509 duprintf("compat_check_calc_match: `%s' not found\n",
1510 m->u.user.name);
1511 return match ? PTR_ERR(match) : -ENOENT;
1512 }
1513 m->u.kernel.match = match;
1514 *size += xt_compat_match_offset(match);
1515
1516 (*i)++;
1517 return 0;
1518 }
1519
1520 static inline int
1521 compat_release_match(struct ip6t_entry_match *m, unsigned int *i)
1522 {
1523 if (i && (*i)-- == 0)
1524 return 1;
1525
1526 module_put(m->u.kernel.match->me);
1527 return 0;
1528 }
1529
1530 static inline int
1531 compat_release_entry(struct compat_ip6t_entry *e, unsigned int *i)
1532 {
1533 struct ip6t_entry_target *t;
1534
1535 if (i && (*i)-- == 0)
1536 return 1;
1537
1538 /* Cleanup all matches */
1539 COMPAT_IP6T_MATCH_ITERATE(e, compat_release_match, NULL);
1540 t = compat_ip6t_get_target(e);
1541 module_put(t->u.kernel.target->me);
1542 return 0;
1543 }
1544
1545 static inline int
1546 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1547 struct xt_table_info *newinfo,
1548 unsigned int *size,
1549 unsigned char *base,
1550 unsigned char *limit,
1551 unsigned int *hook_entries,
1552 unsigned int *underflows,
1553 unsigned int *i,
1554 const char *name)
1555 {
1556 struct ip6t_entry_target *t;
1557 struct xt_target *target;
1558 unsigned int entry_offset;
1559 int ret, off, h, j;
1560
1561 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1562 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0
1563 || (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
1564 duprintf("Bad offset %p, limit = %p\n", e, limit);
1565 return -EINVAL;
1566 }
1567
1568 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1569 sizeof(struct compat_xt_entry_target)) {
1570 duprintf("checking: element %p size %u\n",
1571 e, e->next_offset);
1572 return -EINVAL;
1573 }
1574
1575 /* For purposes of check_entry casting the compat entry is fine */
1576 ret = check_entry((struct ip6t_entry *)e, name);
1577 if (ret)
1578 return ret;
1579
1580 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1581 entry_offset = (void *)e - (void *)base;
1582 j = 0;
1583 ret = COMPAT_IP6T_MATCH_ITERATE(e, compat_find_calc_match, name,
1584 &e->ipv6, e->comefrom, &off, &j);
1585 if (ret != 0)
1586 goto release_matches;
1587
1588 t = compat_ip6t_get_target(e);
1589 target = try_then_request_module(xt_find_target(AF_INET6,
1590 t->u.user.name,
1591 t->u.user.revision),
1592 "ip6t_%s", t->u.user.name);
1593 if (IS_ERR(target) || !target) {
1594 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1595 t->u.user.name);
1596 ret = target ? PTR_ERR(target) : -ENOENT;
1597 goto release_matches;
1598 }
1599 t->u.kernel.target = target;
1600
1601 off += xt_compat_target_offset(target);
1602 *size += off;
1603 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1604 if (ret)
1605 goto out;
1606
1607 /* Check hooks & underflows */
1608 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1609 if ((unsigned char *)e - base == hook_entries[h])
1610 newinfo->hook_entry[h] = hook_entries[h];
1611 if ((unsigned char *)e - base == underflows[h])
1612 newinfo->underflow[h] = underflows[h];
1613 }
1614
1615 /* Clear counters and comefrom */
1616 memset(&e->counters, 0, sizeof(e->counters));
1617 e->comefrom = 0;
1618
1619 (*i)++;
1620 return 0;
1621
1622 out:
1623 module_put(t->u.kernel.target->me);
1624 release_matches:
1625 IP6T_MATCH_ITERATE(e, compat_release_match, &j);
1626 return ret;
1627 }
1628
1629 static int
1630 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1631 unsigned int *size, const char *name,
1632 struct xt_table_info *newinfo, unsigned char *base)
1633 {
1634 struct ip6t_entry_target *t;
1635 struct xt_target *target;
1636 struct ip6t_entry *de;
1637 unsigned int origsize;
1638 int ret, h;
1639
1640 ret = 0;
1641 origsize = *size;
1642 de = (struct ip6t_entry *)*dstptr;
1643 memcpy(de, e, sizeof(struct ip6t_entry));
1644 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1645
1646 *dstptr += sizeof(struct ip6t_entry);
1647 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1648
1649 ret = COMPAT_IP6T_MATCH_ITERATE(e, xt_compat_match_from_user,
1650 dstptr, size);
1651 if (ret)
1652 return ret;
1653 de->target_offset = e->target_offset - (origsize - *size);
1654 t = compat_ip6t_get_target(e);
1655 target = t->u.kernel.target;
1656 xt_compat_target_from_user(t, dstptr, size);
1657
1658 de->next_offset = e->next_offset - (origsize - *size);
1659 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1660 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1661 newinfo->hook_entry[h] -= origsize - *size;
1662 if ((unsigned char *)de - base < newinfo->underflow[h])
1663 newinfo->underflow[h] -= origsize - *size;
1664 }
1665 return ret;
1666 }
1667
1668 static inline int compat_check_entry(struct ip6t_entry *e, const char *name,
1669 unsigned int *i)
1670 {
1671 int j, ret;
1672
1673 j = 0;
1674 ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6,
1675 e->comefrom, &j);
1676 if (ret)
1677 goto cleanup_matches;
1678
1679 ret = check_target(e, name);
1680 if (ret)
1681 goto cleanup_matches;
1682
1683 (*i)++;
1684 return 0;
1685
1686 cleanup_matches:
1687 IP6T_MATCH_ITERATE(e, cleanup_match, &j);
1688 return ret;
1689 }
1690
1691 static int
1692 translate_compat_table(const char *name,
1693 unsigned int valid_hooks,
1694 struct xt_table_info **pinfo,
1695 void **pentry0,
1696 unsigned int total_size,
1697 unsigned int number,
1698 unsigned int *hook_entries,
1699 unsigned int *underflows)
1700 {
1701 unsigned int i, j;
1702 struct xt_table_info *newinfo, *info;
1703 void *pos, *entry0, *entry1;
1704 unsigned int size;
1705 int ret;
1706
1707 info = *pinfo;
1708 entry0 = *pentry0;
1709 size = total_size;
1710 info->number = number;
1711
1712 /* Init all hooks to impossible value. */
1713 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1714 info->hook_entry[i] = 0xFFFFFFFF;
1715 info->underflow[i] = 0xFFFFFFFF;
1716 }
1717
1718 duprintf("translate_compat_table: size %u\n", info->size);
1719 j = 0;
1720 xt_compat_lock(AF_INET6);
1721 /* Walk through entries, checking offsets. */
1722 ret = COMPAT_IP6T_ENTRY_ITERATE(entry0, total_size,
1723 check_compat_entry_size_and_hooks,
1724 info, &size, entry0,
1725 entry0 + total_size,
1726 hook_entries, underflows, &j, name);
1727 if (ret != 0)
1728 goto out_unlock;
1729
1730 ret = -EINVAL;
1731 if (j != number) {
1732 duprintf("translate_compat_table: %u not %u entries\n",
1733 j, number);
1734 goto out_unlock;
1735 }
1736
1737 /* Check hooks all assigned */
1738 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1739 /* Only hooks which are valid */
1740 if (!(valid_hooks & (1 << i)))
1741 continue;
1742 if (info->hook_entry[i] == 0xFFFFFFFF) {
1743 duprintf("Invalid hook entry %u %u\n",
1744 i, hook_entries[i]);
1745 goto out_unlock;
1746 }
1747 if (info->underflow[i] == 0xFFFFFFFF) {
1748 duprintf("Invalid underflow %u %u\n",
1749 i, underflows[i]);
1750 goto out_unlock;
1751 }
1752 }
1753
1754 ret = -ENOMEM;
1755 newinfo = xt_alloc_table_info(size);
1756 if (!newinfo)
1757 goto out_unlock;
1758
1759 newinfo->number = number;
1760 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1761 newinfo->hook_entry[i] = info->hook_entry[i];
1762 newinfo->underflow[i] = info->underflow[i];
1763 }
1764 entry1 = newinfo->entries[raw_smp_processor_id()];
1765 pos = entry1;
1766 size = total_size;
1767 ret = COMPAT_IP6T_ENTRY_ITERATE(entry0, total_size,
1768 compat_copy_entry_from_user,
1769 &pos, &size, name, newinfo, entry1);
1770 xt_compat_flush_offsets(AF_INET6);
1771 xt_compat_unlock(AF_INET6);
1772 if (ret)
1773 goto free_newinfo;
1774
1775 ret = -ELOOP;
1776 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1777 goto free_newinfo;
1778
1779 i = 0;
1780 ret = IP6T_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
1781 name, &i);
1782 if (ret) {
1783 j -= i;
1784 COMPAT_IP6T_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i,
1785 compat_release_entry, &j);
1786 IP6T_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i);
1787 xt_free_table_info(newinfo);
1788 return ret;
1789 }
1790
1791 /* And one copy for every other CPU */
1792 for_each_possible_cpu(i)
1793 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1794 memcpy(newinfo->entries[i], entry1, newinfo->size);
1795
1796 *pinfo = newinfo;
1797 *pentry0 = entry1;
1798 xt_free_table_info(info);
1799 return 0;
1800
1801 free_newinfo:
1802 xt_free_table_info(newinfo);
1803 out:
1804 COMPAT_IP6T_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j);
1805 return ret;
1806 out_unlock:
1807 xt_compat_flush_offsets(AF_INET6);
1808 xt_compat_unlock(AF_INET6);
1809 goto out;
1810 }
1811
1812 static int
1813 compat_do_replace(void __user *user, unsigned int len)
1814 {
1815 int ret;
1816 struct compat_ip6t_replace tmp;
1817 struct xt_table_info *newinfo;
1818 void *loc_cpu_entry;
1819
1820 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1821 return -EFAULT;
1822
1823 /* overflow check */
1824 if (tmp.size >= INT_MAX / num_possible_cpus())
1825 return -ENOMEM;
1826 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1827 return -ENOMEM;
1828
1829 newinfo = xt_alloc_table_info(tmp.size);
1830 if (!newinfo)
1831 return -ENOMEM;
1832
1833 /* choose the copy that is on our node/cpu */
1834 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1835 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1836 tmp.size) != 0) {
1837 ret = -EFAULT;
1838 goto free_newinfo;
1839 }
1840
1841 ret = translate_compat_table(tmp.name, tmp.valid_hooks,
1842 &newinfo, &loc_cpu_entry, tmp.size,
1843 tmp.num_entries, tmp.hook_entry,
1844 tmp.underflow);
1845 if (ret != 0)
1846 goto free_newinfo;
1847
1848 duprintf("compat_do_replace: Translated table\n");
1849
1850 ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo,
1851 tmp.num_counters, compat_ptr(tmp.counters));
1852 if (ret)
1853 goto free_newinfo_untrans;
1854 return 0;
1855
1856 free_newinfo_untrans:
1857 IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL);
1858 free_newinfo:
1859 xt_free_table_info(newinfo);
1860 return ret;
1861 }
1862
1863 static int
1864 compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1865 unsigned int len)
1866 {
1867 int ret;
1868
1869 if (!capable(CAP_NET_ADMIN))
1870 return -EPERM;
1871
1872 switch (cmd) {
1873 case IP6T_SO_SET_REPLACE:
1874 ret = compat_do_replace(user, len);
1875 break;
1876
1877 case IP6T_SO_SET_ADD_COUNTERS:
1878 ret = do_add_counters(user, len, 1);
1879 break;
1880
1881 default:
1882 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1883 ret = -EINVAL;
1884 }
1885
1886 return ret;
1887 }
1888
1889 struct compat_ip6t_get_entries {
1890 char name[IP6T_TABLE_MAXNAMELEN];
1891 compat_uint_t size;
1892 struct compat_ip6t_entry entrytable[0];
1893 };
1894
1895 static int
1896 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1897 void __user *userptr)
1898 {
1899 struct xt_counters *counters;
1900 struct xt_table_info *private = table->private;
1901 void __user *pos;
1902 unsigned int size;
1903 int ret = 0;
1904 void *loc_cpu_entry;
1905 unsigned int i = 0;
1906
1907 counters = alloc_counters(table);
1908 if (IS_ERR(counters))
1909 return PTR_ERR(counters);
1910
1911 /* choose the copy that is on our node/cpu, ...
1912 * This choice is lazy (because current thread is
1913 * allowed to migrate to another cpu)
1914 */
1915 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1916 pos = userptr;
1917 size = total_size;
1918 ret = IP6T_ENTRY_ITERATE(loc_cpu_entry, total_size,
1919 compat_copy_entry_to_user,
1920 &pos, &size, counters, &i);
1921
1922 vfree(counters);
1923 return ret;
1924 }
1925
1926 static int
1927 compat_get_entries(struct compat_ip6t_get_entries __user *uptr, int *len)
1928 {
1929 int ret;
1930 struct compat_ip6t_get_entries get;
1931 struct xt_table *t;
1932
1933 if (*len < sizeof(get)) {
1934 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1935 return -EINVAL;
1936 }
1937
1938 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1939 return -EFAULT;
1940
1941 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size) {
1942 duprintf("compat_get_entries: %u != %zu\n",
1943 *len, sizeof(get) + get.size);
1944 return -EINVAL;
1945 }
1946
1947 xt_compat_lock(AF_INET6);
1948 t = xt_find_table_lock(AF_INET6, get.name);
1949 if (t && !IS_ERR(t)) {
1950 struct xt_table_info *private = t->private;
1951 struct xt_table_info info;
1952 duprintf("t->private->number = %u\n", private->number);
1953 ret = compat_table_info(private, &info);
1954 if (!ret && get.size == info.size) {
1955 ret = compat_copy_entries_to_user(private->size,
1956 t, uptr->entrytable);
1957 } else if (!ret) {
1958 duprintf("compat_get_entries: I've got %u not %u!\n",
1959 private->size, get.size);
1960 ret = -EINVAL;
1961 }
1962 xt_compat_flush_offsets(AF_INET6);
1963 module_put(t->me);
1964 xt_table_unlock(t);
1965 } else
1966 ret = t ? PTR_ERR(t) : -ENOENT;
1967
1968 xt_compat_unlock(AF_INET6);
1969 return ret;
1970 }
1971
1972 static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1973
1974 static int
1975 compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1976 {
1977 int ret;
1978
1979 if (!capable(CAP_NET_ADMIN))
1980 return -EPERM;
1981
1982 switch (cmd) {
1983 case IP6T_SO_GET_INFO:
1984 ret = get_info(user, len, 1);
1985 break;
1986 case IP6T_SO_GET_ENTRIES:
1987 ret = compat_get_entries(user, len);
1988 break;
1989 default:
1990 ret = do_ip6t_get_ctl(sk, cmd, user, len);
1991 }
1992 return ret;
1993 }
1994 #endif
1995
1996 static int
1997 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1998 {
1999 int ret;
2000
2001 if (!capable(CAP_NET_ADMIN))
2002 return -EPERM;
2003
2004 switch (cmd) {
2005 case IP6T_SO_SET_REPLACE:
2006 ret = do_replace(user, len);
2007 break;
2008
2009 case IP6T_SO_SET_ADD_COUNTERS:
2010 ret = do_add_counters(user, len, 0);
2011 break;
2012
2013 default:
2014 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
2015 ret = -EINVAL;
2016 }
2017
2018 return ret;
2019 }
2020
2021 static int
2022 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2023 {
2024 int ret;
2025
2026 if (!capable(CAP_NET_ADMIN))
2027 return -EPERM;
2028
2029 switch (cmd) {
2030 case IP6T_SO_GET_INFO:
2031 ret = get_info(user, len, 0);
2032 break;
2033
2034 case IP6T_SO_GET_ENTRIES:
2035 ret = get_entries(user, len);
2036 break;
2037
2038 case IP6T_SO_GET_REVISION_MATCH:
2039 case IP6T_SO_GET_REVISION_TARGET: {
2040 struct ip6t_get_revision rev;
2041 int target;
2042
2043 if (*len != sizeof(rev)) {
2044 ret = -EINVAL;
2045 break;
2046 }
2047 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2048 ret = -EFAULT;
2049 break;
2050 }
2051
2052 if (cmd == IP6T_SO_GET_REVISION_TARGET)
2053 target = 1;
2054 else
2055 target = 0;
2056
2057 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
2058 rev.revision,
2059 target, &ret),
2060 "ip6t_%s", rev.name);
2061 break;
2062 }
2063
2064 default:
2065 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
2066 ret = -EINVAL;
2067 }
2068
2069 return ret;
2070 }
2071
2072 int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
2073 {
2074 int ret;
2075 struct xt_table_info *newinfo;
2076 struct xt_table_info bootstrap
2077 = { 0, 0, 0, { 0 }, { 0 }, { } };
2078 void *loc_cpu_entry;
2079
2080 newinfo = xt_alloc_table_info(repl->size);
2081 if (!newinfo)
2082 return -ENOMEM;
2083
2084 /* choose the copy on our node/cpu, but dont care about preemption */
2085 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2086 memcpy(loc_cpu_entry, repl->entries, repl->size);
2087
2088 ret = translate_table(table->name, table->valid_hooks,
2089 newinfo, loc_cpu_entry, repl->size,
2090 repl->num_entries,
2091 repl->hook_entry,
2092 repl->underflow);
2093 if (ret != 0) {
2094 xt_free_table_info(newinfo);
2095 return ret;
2096 }
2097
2098 ret = xt_register_table(table, &bootstrap, newinfo);
2099 if (ret != 0) {
2100 xt_free_table_info(newinfo);
2101 return ret;
2102 }
2103
2104 return 0;
2105 }
2106
2107 void ip6t_unregister_table(struct xt_table *table)
2108 {
2109 struct xt_table_info *private;
2110 void *loc_cpu_entry;
2111
2112 private = xt_unregister_table(table);
2113
2114 /* Decrease module usage counts and free resources */
2115 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2116 IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
2117 xt_free_table_info(private);
2118 }
2119
2120 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2121 static inline bool
2122 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2123 u_int8_t type, u_int8_t code,
2124 bool invert)
2125 {
2126 return (type == test_type && code >= min_code && code <= max_code)
2127 ^ invert;
2128 }
2129
2130 static bool
2131 icmp6_match(const struct sk_buff *skb,
2132 const struct net_device *in,
2133 const struct net_device *out,
2134 const struct xt_match *match,
2135 const void *matchinfo,
2136 int offset,
2137 unsigned int protoff,
2138 bool *hotdrop)
2139 {
2140 struct icmp6hdr _icmph, *ic;
2141 const struct ip6t_icmp *icmpinfo = matchinfo;
2142
2143 /* Must not be a fragment. */
2144 if (offset)
2145 return false;
2146
2147 ic = skb_header_pointer(skb, protoff, sizeof(_icmph), &_icmph);
2148 if (ic == NULL) {
2149 /* We've been asked to examine this packet, and we
2150 * can't. Hence, no choice but to drop.
2151 */
2152 duprintf("Dropping evil ICMP tinygram.\n");
2153 *hotdrop = true;
2154 return false;
2155 }
2156
2157 return icmp6_type_code_match(icmpinfo->type,
2158 icmpinfo->code[0],
2159 icmpinfo->code[1],
2160 ic->icmp6_type, ic->icmp6_code,
2161 !!(icmpinfo->invflags&IP6T_ICMP_INV));
2162 }
2163
2164 /* Called when user tries to insert an entry of this type. */
2165 static bool
2166 icmp6_checkentry(const char *tablename,
2167 const void *entry,
2168 const struct xt_match *match,
2169 void *matchinfo,
2170 unsigned int hook_mask)
2171 {
2172 const struct ip6t_icmp *icmpinfo = matchinfo;
2173
2174 /* Must specify no unknown invflags */
2175 return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
2176 }
2177
2178 /* The built-in targets: standard (NULL) and error. */
2179 static struct xt_target ip6t_standard_target __read_mostly = {
2180 .name = IP6T_STANDARD_TARGET,
2181 .targetsize = sizeof(int),
2182 .family = AF_INET6,
2183 #ifdef CONFIG_COMPAT
2184 .compatsize = sizeof(compat_int_t),
2185 .compat_from_user = compat_standard_from_user,
2186 .compat_to_user = compat_standard_to_user,
2187 #endif
2188 };
2189
2190 static struct xt_target ip6t_error_target __read_mostly = {
2191 .name = IP6T_ERROR_TARGET,
2192 .target = ip6t_error,
2193 .targetsize = IP6T_FUNCTION_MAXNAMELEN,
2194 .family = AF_INET6,
2195 };
2196
2197 static struct nf_sockopt_ops ip6t_sockopts = {
2198 .pf = PF_INET6,
2199 .set_optmin = IP6T_BASE_CTL,
2200 .set_optmax = IP6T_SO_SET_MAX+1,
2201 .set = do_ip6t_set_ctl,
2202 #ifdef CONFIG_COMPAT
2203 .compat_set = compat_do_ip6t_set_ctl,
2204 #endif
2205 .get_optmin = IP6T_BASE_CTL,
2206 .get_optmax = IP6T_SO_GET_MAX+1,
2207 .get = do_ip6t_get_ctl,
2208 #ifdef CONFIG_COMPAT
2209 .compat_get = compat_do_ip6t_get_ctl,
2210 #endif
2211 .owner = THIS_MODULE,
2212 };
2213
2214 static struct xt_match icmp6_matchstruct __read_mostly = {
2215 .name = "icmp6",
2216 .match = icmp6_match,
2217 .matchsize = sizeof(struct ip6t_icmp),
2218 .checkentry = icmp6_checkentry,
2219 .proto = IPPROTO_ICMPV6,
2220 .family = AF_INET6,
2221 };
2222
2223 static int __init ip6_tables_init(void)
2224 {
2225 int ret;
2226
2227 ret = xt_proto_init(AF_INET6);
2228 if (ret < 0)
2229 goto err1;
2230
2231 /* Noone else will be downing sem now, so we won't sleep */
2232 ret = xt_register_target(&ip6t_standard_target);
2233 if (ret < 0)
2234 goto err2;
2235 ret = xt_register_target(&ip6t_error_target);
2236 if (ret < 0)
2237 goto err3;
2238 ret = xt_register_match(&icmp6_matchstruct);
2239 if (ret < 0)
2240 goto err4;
2241
2242 /* Register setsockopt */
2243 ret = nf_register_sockopt(&ip6t_sockopts);
2244 if (ret < 0)
2245 goto err5;
2246
2247 printk(KERN_INFO "ip6_tables: (C) 2000-2006 Netfilter Core Team\n");
2248 return 0;
2249
2250 err5:
2251 xt_unregister_match(&icmp6_matchstruct);
2252 err4:
2253 xt_unregister_target(&ip6t_error_target);
2254 err3:
2255 xt_unregister_target(&ip6t_standard_target);
2256 err2:
2257 xt_proto_fini(AF_INET6);
2258 err1:
2259 return ret;
2260 }
2261
2262 static void __exit ip6_tables_fini(void)
2263 {
2264 nf_unregister_sockopt(&ip6t_sockopts);
2265
2266 xt_unregister_match(&icmp6_matchstruct);
2267 xt_unregister_target(&ip6t_error_target);
2268 xt_unregister_target(&ip6t_standard_target);
2269 xt_proto_fini(AF_INET6);
2270 }
2271
2272 /*
2273 * find the offset to specified header or the protocol number of last header
2274 * if target < 0. "last header" is transport protocol header, ESP, or
2275 * "No next header".
2276 *
2277 * If target header is found, its offset is set in *offset and return protocol
2278 * number. Otherwise, return -1.
2279 *
2280 * If the first fragment doesn't contain the final protocol header or
2281 * NEXTHDR_NONE it is considered invalid.
2282 *
2283 * Note that non-1st fragment is special case that "the protocol number
2284 * of last header" is "next header" field in Fragment header. In this case,
2285 * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
2286 * isn't NULL.
2287 *
2288 */
2289 int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
2290 int target, unsigned short *fragoff)
2291 {
2292 unsigned int start = skb_network_offset(skb) + sizeof(struct ipv6hdr);
2293 u8 nexthdr = ipv6_hdr(skb)->nexthdr;
2294 unsigned int len = skb->len - start;
2295
2296 if (fragoff)
2297 *fragoff = 0;
2298
2299 while (nexthdr != target) {
2300 struct ipv6_opt_hdr _hdr, *hp;
2301 unsigned int hdrlen;
2302
2303 if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
2304 if (target < 0)
2305 break;
2306 return -ENOENT;
2307 }
2308
2309 hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
2310 if (hp == NULL)
2311 return -EBADMSG;
2312 if (nexthdr == NEXTHDR_FRAGMENT) {
2313 unsigned short _frag_off;
2314 __be16 *fp;
2315 fp = skb_header_pointer(skb,
2316 start+offsetof(struct frag_hdr,
2317 frag_off),
2318 sizeof(_frag_off),
2319 &_frag_off);
2320 if (fp == NULL)
2321 return -EBADMSG;
2322
2323 _frag_off = ntohs(*fp) & ~0x7;
2324 if (_frag_off) {
2325 if (target < 0 &&
2326 ((!ipv6_ext_hdr(hp->nexthdr)) ||
2327 hp->nexthdr == NEXTHDR_NONE)) {
2328 if (fragoff)
2329 *fragoff = _frag_off;
2330 return hp->nexthdr;
2331 }
2332 return -ENOENT;
2333 }
2334 hdrlen = 8;
2335 } else if (nexthdr == NEXTHDR_AUTH)
2336 hdrlen = (hp->hdrlen + 2) << 2;
2337 else
2338 hdrlen = ipv6_optlen(hp);
2339
2340 nexthdr = hp->nexthdr;
2341 len -= hdrlen;
2342 start += hdrlen;
2343 }
2344
2345 *offset = start;
2346 return nexthdr;
2347 }
2348
2349 EXPORT_SYMBOL(ip6t_register_table);
2350 EXPORT_SYMBOL(ip6t_unregister_table);
2351 EXPORT_SYMBOL(ip6t_do_table);
2352 EXPORT_SYMBOL(ip6t_ext_hdr);
2353 EXPORT_SYMBOL(ipv6_find_hdr);
2354
2355 module_init(ip6_tables_init);
2356 module_exit(ip6_tables_fini);
Linux kernel - Deliverables
This page took 0.084778 seconds and 5 git commands to generate.