projects / deliverable / linux.git / blob
? search:


5678233
[deliverable/linux.git] /
1 /*
2 * Packet matching code.
3 *
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
10 */
11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12 #include <linux/capability.h>
13 #include <linux/in.h>
14 #include <linux/skbuff.h>
15 #include <linux/kmod.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netdevice.h>
18 #include <linux/module.h>
19 #include <linux/poison.h>
20 #include <linux/icmpv6.h>
21 #include <net/ipv6.h>
22 #include <net/compat.h>
23 #include <asm/uaccess.h>
24 #include <linux/mutex.h>
25 #include <linux/proc_fs.h>
26 #include <linux/err.h>
27 #include <linux/cpumask.h>
28
29 #include <linux/netfilter_ipv6/ip6_tables.h>
30 #include <linux/netfilter/x_tables.h>
31 #include <net/netfilter/nf_log.h>
32 #include "../../netfilter/xt_repldata.h"
33
34 MODULE_LICENSE("GPL");
35 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
36 MODULE_DESCRIPTION("IPv6 packet filter");
37
38 /*#define DEBUG_IP_FIREWALL*/
39 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
40 /*#define DEBUG_IP_FIREWALL_USER*/
41
42 #ifdef DEBUG_IP_FIREWALL
43 #define dprintf(format, args...) pr_info(format , ## args)
44 #else
45 #define dprintf(format, args...)
46 #endif
47
48 #ifdef DEBUG_IP_FIREWALL_USER
49 #define duprintf(format, args...) pr_info(format , ## args)
50 #else
51 #define duprintf(format, args...)
52 #endif
53
54 #ifdef CONFIG_NETFILTER_DEBUG
55 #define IP_NF_ASSERT(x) \
56 do { \
57 if (!(x)) \
58 printk("IP_NF_ASSERT: %s:%s:%u\n", \
59 __func__, __FILE__, __LINE__); \
60 } while(0)
61 #else
62 #define IP_NF_ASSERT(x)
63 #endif
64
65 #if 0
66 /* All the better to debug you with... */
67 #define static
68 #define inline
69 #endif
70
71 void *ip6t_alloc_initial_table(const struct xt_table *info)
72 {
73 return xt_alloc_initial_table(ip6t, IP6T);
74 }
75 EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
76
77 /*
78 We keep a set of rules for each CPU, so we can avoid write-locking
79 them in the softirq when updating the counters and therefore
80 only need to read-lock in the softirq; doing a write_lock_bh() in user
81 context stops packets coming through and allows user context to read
82 the counters or update the rules.
83
84 Hence the start of any table is given by get_table() below. */
85
86 /* Check for an extension */
87 int
88 ip6t_ext_hdr(u8 nexthdr)
89 {
90 return ( (nexthdr == IPPROTO_HOPOPTS) ||
91 (nexthdr == IPPROTO_ROUTING) ||
92 (nexthdr == IPPROTO_FRAGMENT) ||
93 (nexthdr == IPPROTO_ESP) ||
94 (nexthdr == IPPROTO_AH) ||
95 (nexthdr == IPPROTO_NONE) ||
96 (nexthdr == IPPROTO_DSTOPTS) );
97 }
98
99 /* Returns whether matches rule or not. */
100 /* Performance critical - called for every packet */
101 static inline bool
102 ip6_packet_match(const struct sk_buff *skb,
103 const char *indev,
104 const char *outdev,
105 const struct ip6t_ip6 *ip6info,
106 unsigned int *protoff,
107 int *fragoff, bool *hotdrop)
108 {
109 unsigned long ret;
110 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
111
112 #define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
113
114 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
115 &ip6info->src), IP6T_INV_SRCIP) ||
116 FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
117 &ip6info->dst), IP6T_INV_DSTIP)) {
118 dprintf("Source or dest mismatch.\n");
119 /*
120 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
121 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
122 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
123 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
124 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
125 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
126 return false;
127 }
128
129 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
130
131 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
132 dprintf("VIA in mismatch (%s vs %s).%s\n",
133 indev, ip6info->iniface,
134 ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
135 return false;
136 }
137
138 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
139
140 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
141 dprintf("VIA out mismatch (%s vs %s).%s\n",
142 outdev, ip6info->outiface,
143 ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
144 return false;
145 }
146
147 /* ... might want to do something with class and flowlabel here ... */
148
149 /* look for the desired protocol header */
150 if((ip6info->flags & IP6T_F_PROTO)) {
151 int protohdr;
152 unsigned short _frag_off;
153
154 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
155 if (protohdr < 0) {
156 if (_frag_off == 0)
157 *hotdrop = true;
158 return false;
159 }
160 *fragoff = _frag_off;
161
162 dprintf("Packet protocol %hi ?= %s%hi.\n",
163 protohdr,
164 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
165 ip6info->proto);
166
167 if (ip6info->proto == protohdr) {
168 if(ip6info->invflags & IP6T_INV_PROTO) {
169 return false;
170 }
171 return true;
172 }
173
174 /* We need match for the '-p all', too! */
175 if ((ip6info->proto != 0) &&
176 !(ip6info->invflags & IP6T_INV_PROTO))
177 return false;
178 }
179 return true;
180 }
181
182 /* should be ip6 safe */
183 static bool
184 ip6_checkentry(const struct ip6t_ip6 *ipv6)
185 {
186 if (ipv6->flags & ~IP6T_F_MASK) {
187 duprintf("Unknown flag bits set: %08X\n",
188 ipv6->flags & ~IP6T_F_MASK);
189 return false;
190 }
191 if (ipv6->invflags & ~IP6T_INV_MASK) {
192 duprintf("Unknown invflag bits set: %08X\n",
193 ipv6->invflags & ~IP6T_INV_MASK);
194 return false;
195 }
196 return true;
197 }
198
199 static unsigned int
200 ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
201 {
202 if (net_ratelimit())
203 pr_info("error: `%s'\n", (const char *)par->targinfo);
204
205 return NF_DROP;
206 }
207
208 static inline struct ip6t_entry *
209 get_entry(const void *base, unsigned int offset)
210 {
211 return (struct ip6t_entry *)(base + offset);
212 }
213
214 /* All zeroes == unconditional rule. */
215 /* Mildly perf critical (only if packet tracing is on) */
216 static inline bool unconditional(const struct ip6t_ip6 *ipv6)
217 {
218 static const struct ip6t_ip6 uncond;
219
220 return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
221 }
222
223 static inline const struct ip6t_entry_target *
224 ip6t_get_target_c(const struct ip6t_entry *e)
225 {
226 return ip6t_get_target((struct ip6t_entry *)e);
227 }
228
229 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
230 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
231 /* This cries for unification! */
232 static const char *const hooknames[] = {
233 [NF_INET_PRE_ROUTING] = "PREROUTING",
234 [NF_INET_LOCAL_IN] = "INPUT",
235 [NF_INET_FORWARD] = "FORWARD",
236 [NF_INET_LOCAL_OUT] = "OUTPUT",
237 [NF_INET_POST_ROUTING] = "POSTROUTING",
238 };
239
240 enum nf_ip_trace_comments {
241 NF_IP6_TRACE_COMMENT_RULE,
242 NF_IP6_TRACE_COMMENT_RETURN,
243 NF_IP6_TRACE_COMMENT_POLICY,
244 };
245
246 static const char *const comments[] = {
247 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
248 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
249 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
250 };
251
252 static struct nf_loginfo trace_loginfo = {
253 .type = NF_LOG_TYPE_LOG,
254 .u = {
255 .log = {
256 .level = 4,
257 .logflags = NF_LOG_MASK,
258 },
259 },
260 };
261
262 /* Mildly perf critical (only if packet tracing is on) */
263 static inline int
264 get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
265 const char *hookname, const char **chainname,
266 const char **comment, unsigned int *rulenum)
267 {
268 const struct ip6t_standard_target *t = (void *)ip6t_get_target_c(s);
269
270 if (strcmp(t->target.u.kernel.target->name, IP6T_ERROR_TARGET) == 0) {
271 /* Head of user chain: ERROR target with chainname */
272 *chainname = t->target.data;
273 (*rulenum) = 0;
274 } else if (s == e) {
275 (*rulenum)++;
276
277 if (s->target_offset == sizeof(struct ip6t_entry) &&
278 strcmp(t->target.u.kernel.target->name,
279 IP6T_STANDARD_TARGET) == 0 &&
280 t->verdict < 0 &&
281 unconditional(&s->ipv6)) {
282 /* Tail of chains: STANDARD target (return/policy) */
283 *comment = *chainname == hookname
284 ? comments[NF_IP6_TRACE_COMMENT_POLICY]
285 : comments[NF_IP6_TRACE_COMMENT_RETURN];
286 }
287 return 1;
288 } else
289 (*rulenum)++;
290
291 return 0;
292 }
293
294 static void trace_packet(const struct sk_buff *skb,
295 unsigned int hook,
296 const struct net_device *in,
297 const struct net_device *out,
298 const char *tablename,
299 const struct xt_table_info *private,
300 const struct ip6t_entry *e)
301 {
302 const void *table_base;
303 const struct ip6t_entry *root;
304 const char *hookname, *chainname, *comment;
305 const struct ip6t_entry *iter;
306 unsigned int rulenum = 0;
307
308 table_base = private->entries[smp_processor_id()];
309 root = get_entry(table_base, private->hook_entry[hook]);
310
311 hookname = chainname = hooknames[hook];
312 comment = comments[NF_IP6_TRACE_COMMENT_RULE];
313
314 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
315 if (get_chainname_rulenum(iter, e, hookname,
316 &chainname, &comment, &rulenum) != 0)
317 break;
318
319 nf_log_packet(AF_INET6, hook, skb, in, out, &trace_loginfo,
320 "TRACE: %s:%s:%s:%u ",
321 tablename, chainname, comment, rulenum);
322 }
323 #endif
324
325 static inline __pure struct ip6t_entry *
326 ip6t_next_entry(const struct ip6t_entry *entry)
327 {
328 return (void *)entry + entry->next_offset;
329 }
330
331 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
332 unsigned int
333 ip6t_do_table(struct sk_buff *skb,
334 unsigned int hook,
335 const struct net_device *in,
336 const struct net_device *out,
337 struct xt_table *table)
338 {
339 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
340 /* Initializing verdict to NF_DROP keeps gcc happy. */
341 unsigned int verdict = NF_DROP;
342 const char *indev, *outdev;
343 const void *table_base;
344 struct ip6t_entry *e, **jumpstack;
345 unsigned int *stackptr, origptr, cpu;
346 const struct xt_table_info *private;
347 struct xt_action_param acpar;
348
349 /* Initialization */
350 indev = in ? in->name : nulldevname;
351 outdev = out ? out->name : nulldevname;
352 /* We handle fragments by dealing with the first fragment as
353 * if it was a normal packet. All other fragments are treated
354 * normally, except that they will NEVER match rules that ask
355 * things we don't know, ie. tcp syn flag or ports). If the
356 * rule is also a fragment-specific rule, non-fragments won't
357 * match it. */
358 acpar.hotdrop = false;
359 acpar.in = in;
360 acpar.out = out;
361 acpar.family = NFPROTO_IPV6;
362 acpar.hooknum = hook;
363
364 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
365
366 xt_info_rdlock_bh();
367 private = table->private;
368 cpu = smp_processor_id();
369 table_base = private->entries[cpu];
370 jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
371 stackptr = &private->stackptr[cpu];
372 origptr = *stackptr;
373
374 e = get_entry(table_base, private->hook_entry[hook]);
375
376 do {
377 const struct ip6t_entry_target *t;
378 const struct xt_entry_match *ematch;
379
380 IP_NF_ASSERT(e);
381 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
382 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
383 no_match:
384 e = ip6t_next_entry(e);
385 continue;
386 }
387
388 xt_ematch_foreach(ematch, e) {
389 acpar.match = ematch->u.kernel.match;
390 acpar.matchinfo = ematch->data;
391 if (!acpar.match->match(skb, &acpar))
392 goto no_match;
393 }
394
395 ADD_COUNTER(e->counters,
396 ntohs(ipv6_hdr(skb)->payload_len) +
397 sizeof(struct ipv6hdr), 1);
398
399 t = ip6t_get_target_c(e);
400 IP_NF_ASSERT(t->u.kernel.target);
401
402 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
403 defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
404 /* The packet is traced: log it */
405 if (unlikely(skb->nf_trace))
406 trace_packet(skb, hook, in, out,
407 table->name, private, e);
408 #endif
409 /* Standard target? */
410 if (!t->u.kernel.target->target) {
411 int v;
412
413 v = ((struct ip6t_standard_target *)t)->verdict;
414 if (v < 0) {
415 /* Pop from stack? */
416 if (v != IP6T_RETURN) {
417 verdict = (unsigned)(-v) - 1;
418 break;
419 }
420 if (*stackptr == 0)
421 e = get_entry(table_base,
422 private->underflow[hook]);
423 else
424 e = ip6t_next_entry(jumpstack[--*stackptr]);
425 continue;
426 }
427 if (table_base + v != ip6t_next_entry(e) &&
428 !(e->ipv6.flags & IP6T_F_GOTO)) {
429 if (*stackptr >= private->stacksize) {
430 verdict = NF_DROP;
431 break;
432 }
433 jumpstack[(*stackptr)++] = e;
434 }
435
436 e = get_entry(table_base, v);
437 continue;
438 }
439
440 acpar.target = t->u.kernel.target;
441 acpar.targinfo = t->data;
442
443 verdict = t->u.kernel.target->target(skb, &acpar);
444 if (verdict == IP6T_CONTINUE)
445 e = ip6t_next_entry(e);
446 else
447 /* Verdict */
448 break;
449 } while (!acpar.hotdrop);
450
451 xt_info_rdunlock_bh();
452 *stackptr = origptr;
453
454 #ifdef DEBUG_ALLOW_ALL
455 return NF_ACCEPT;
456 #else
457 if (acpar.hotdrop)
458 return NF_DROP;
459 else return verdict;
460 #endif
461 }
462
463 /* Figures out from what hook each rule can be called: returns 0 if
464 there are loops. Puts hook bitmask in comefrom. */
465 static int
466 mark_source_chains(const struct xt_table_info *newinfo,
467 unsigned int valid_hooks, void *entry0)
468 {
469 unsigned int hook;
470
471 /* No recursion; use packet counter to save back ptrs (reset
472 to 0 as we leave), and comefrom to save source hook bitmask */
473 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
474 unsigned int pos = newinfo->hook_entry[hook];
475 struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
476
477 if (!(valid_hooks & (1 << hook)))
478 continue;
479
480 /* Set initial back pointer. */
481 e->counters.pcnt = pos;
482
483 for (;;) {
484 const struct ip6t_standard_target *t
485 = (void *)ip6t_get_target_c(e);
486 int visited = e->comefrom & (1 << hook);
487
488 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
489 printk("iptables: loop hook %u pos %u %08X.\n",
490 hook, pos, e->comefrom);
491 return 0;
492 }
493 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
494
495 /* Unconditional return/END. */
496 if ((e->target_offset == sizeof(struct ip6t_entry) &&
497 (strcmp(t->target.u.user.name,
498 IP6T_STANDARD_TARGET) == 0) &&
499 t->verdict < 0 &&
500 unconditional(&e->ipv6)) || visited) {
501 unsigned int oldpos, size;
502
503 if ((strcmp(t->target.u.user.name,
504 IP6T_STANDARD_TARGET) == 0) &&
505 t->verdict < -NF_MAX_VERDICT - 1) {
506 duprintf("mark_source_chains: bad "
507 "negative verdict (%i)\n",
508 t->verdict);
509 return 0;
510 }
511
512 /* Return: backtrack through the last
513 big jump. */
514 do {
515 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
516 #ifdef DEBUG_IP_FIREWALL_USER
517 if (e->comefrom
518 & (1 << NF_INET_NUMHOOKS)) {
519 duprintf("Back unset "
520 "on hook %u "
521 "rule %u\n",
522 hook, pos);
523 }
524 #endif
525 oldpos = pos;
526 pos = e->counters.pcnt;
527 e->counters.pcnt = 0;
528
529 /* We're at the start. */
530 if (pos == oldpos)
531 goto next;
532
533 e = (struct ip6t_entry *)
534 (entry0 + pos);
535 } while (oldpos == pos + e->next_offset);
536
537 /* Move along one */
538 size = e->next_offset;
539 e = (struct ip6t_entry *)
540 (entry0 + pos + size);
541 e->counters.pcnt = pos;
542 pos += size;
543 } else {
544 int newpos = t->verdict;
545
546 if (strcmp(t->target.u.user.name,
547 IP6T_STANDARD_TARGET) == 0 &&
548 newpos >= 0) {
549 if (newpos > newinfo->size -
550 sizeof(struct ip6t_entry)) {
551 duprintf("mark_source_chains: "
552 "bad verdict (%i)\n",
553 newpos);
554 return 0;
555 }
556 /* This a jump; chase it. */
557 duprintf("Jump rule %u -> %u\n",
558 pos, newpos);
559 } else {
560 /* ... this is a fallthru */
561 newpos = pos + e->next_offset;
562 }
563 e = (struct ip6t_entry *)
564 (entry0 + newpos);
565 e->counters.pcnt = pos;
566 pos = newpos;
567 }
568 }
569 next:
570 duprintf("Finished chain %u\n", hook);
571 }
572 return 1;
573 }
574
575 static void cleanup_match(struct ip6t_entry_match *m, struct net *net)
576 {
577 struct xt_mtdtor_param par;
578
579 par.net = net;
580 par.match = m->u.kernel.match;
581 par.matchinfo = m->data;
582 par.family = NFPROTO_IPV6;
583 if (par.match->destroy != NULL)
584 par.match->destroy(&par);
585 module_put(par.match->me);
586 }
587
588 static int
589 check_entry(const struct ip6t_entry *e, const char *name)
590 {
591 const struct ip6t_entry_target *t;
592
593 if (!ip6_checkentry(&e->ipv6)) {
594 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
595 return -EINVAL;
596 }
597
598 if (e->target_offset + sizeof(struct ip6t_entry_target) >
599 e->next_offset)
600 return -EINVAL;
601
602 t = ip6t_get_target_c(e);
603 if (e->target_offset + t->u.target_size > e->next_offset)
604 return -EINVAL;
605
606 return 0;
607 }
608
609 static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
610 {
611 const struct ip6t_ip6 *ipv6 = par->entryinfo;
612 int ret;
613
614 par->match = m->u.kernel.match;
615 par->matchinfo = m->data;
616
617 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
618 ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
619 if (ret < 0) {
620 duprintf("ip_tables: check failed for `%s'.\n",
621 par.match->name);
622 return ret;
623 }
624 return 0;
625 }
626
627 static int
628 find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
629 {
630 struct xt_match *match;
631 int ret;
632
633 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
634 m->u.user.revision);
635 if (IS_ERR(match)) {
636 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
637 return PTR_ERR(match);
638 }
639 m->u.kernel.match = match;
640
641 ret = check_match(m, par);
642 if (ret)
643 goto err;
644
645 return 0;
646 err:
647 module_put(m->u.kernel.match->me);
648 return ret;
649 }
650
651 static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
652 {
653 struct ip6t_entry_target *t = ip6t_get_target(e);
654 struct xt_tgchk_param par = {
655 .net = net,
656 .table = name,
657 .entryinfo = e,
658 .target = t->u.kernel.target,
659 .targinfo = t->data,
660 .hook_mask = e->comefrom,
661 .family = NFPROTO_IPV6,
662 };
663 int ret;
664
665 t = ip6t_get_target(e);
666 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
667 e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
668 if (ret < 0) {
669 duprintf("ip_tables: check failed for `%s'.\n",
670 t->u.kernel.target->name);
671 return ret;
672 }
673 return 0;
674 }
675
676 static int
677 find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
678 unsigned int size)
679 {
680 struct ip6t_entry_target *t;
681 struct xt_target *target;
682 int ret;
683 unsigned int j;
684 struct xt_mtchk_param mtpar;
685 struct xt_entry_match *ematch;
686
687 ret = check_entry(e, name);
688 if (ret)
689 return ret;
690
691 j = 0;
692 mtpar.net = net;
693 mtpar.table = name;
694 mtpar.entryinfo = &e->ipv6;
695 mtpar.hook_mask = e->comefrom;
696 mtpar.family = NFPROTO_IPV6;
697 xt_ematch_foreach(ematch, e) {
698 ret = find_check_match(ematch, &mtpar);
699 if (ret != 0)
700 goto cleanup_matches;
701 ++j;
702 }
703
704 t = ip6t_get_target(e);
705 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
706 t->u.user.revision);
707 if (IS_ERR(target)) {
708 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
709 ret = PTR_ERR(target);
710 goto cleanup_matches;
711 }
712 t->u.kernel.target = target;
713
714 ret = check_target(e, net, name);
715 if (ret)
716 goto err;
717 return 0;
718 err:
719 module_put(t->u.kernel.target->me);
720 cleanup_matches:
721 xt_ematch_foreach(ematch, e) {
722 if (j-- == 0)
723 break;
724 cleanup_match(ematch, net);
725 }
726 return ret;
727 }
728
729 static bool check_underflow(const struct ip6t_entry *e)
730 {
731 const struct ip6t_entry_target *t;
732 unsigned int verdict;
733
734 if (!unconditional(&e->ipv6))
735 return false;
736 t = ip6t_get_target_c(e);
737 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
738 return false;
739 verdict = ((struct ip6t_standard_target *)t)->verdict;
740 verdict = -verdict - 1;
741 return verdict == NF_DROP || verdict == NF_ACCEPT;
742 }
743
744 static int
745 check_entry_size_and_hooks(struct ip6t_entry *e,
746 struct xt_table_info *newinfo,
747 const unsigned char *base,
748 const unsigned char *limit,
749 const unsigned int *hook_entries,
750 const unsigned int *underflows,
751 unsigned int valid_hooks)
752 {
753 unsigned int h;
754
755 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
756 (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
757 duprintf("Bad offset %p\n", e);
758 return -EINVAL;
759 }
760
761 if (e->next_offset
762 < sizeof(struct ip6t_entry) + sizeof(struct ip6t_entry_target)) {
763 duprintf("checking: element %p size %u\n",
764 e, e->next_offset);
765 return -EINVAL;
766 }
767
768 /* Check hooks & underflows */
769 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
770 if (!(valid_hooks & (1 << h)))
771 continue;
772 if ((unsigned char *)e - base == hook_entries[h])
773 newinfo->hook_entry[h] = hook_entries[h];
774 if ((unsigned char *)e - base == underflows[h]) {
775 if (!check_underflow(e)) {
776 pr_err("Underflows must be unconditional and "
777 "use the STANDARD target with "
778 "ACCEPT/DROP\n");
779 return -EINVAL;
780 }
781 newinfo->underflow[h] = underflows[h];
782 }
783 }
784
785 /* Clear counters and comefrom */
786 e->counters = ((struct xt_counters) { 0, 0 });
787 e->comefrom = 0;
788 return 0;
789 }
790
791 static void cleanup_entry(struct ip6t_entry *e, struct net *net)
792 {
793 struct xt_tgdtor_param par;
794 struct ip6t_entry_target *t;
795 struct xt_entry_match *ematch;
796
797 /* Cleanup all matches */
798 xt_ematch_foreach(ematch, e)
799 cleanup_match(ematch, net);
800 t = ip6t_get_target(e);
801
802 par.net = net;
803 par.target = t->u.kernel.target;
804 par.targinfo = t->data;
805 par.family = NFPROTO_IPV6;
806 if (par.target->destroy != NULL)
807 par.target->destroy(&par);
808 module_put(par.target->me);
809 }
810
811 /* Checks and translates the user-supplied table segment (held in
812 newinfo) */
813 static int
814 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
815 const struct ip6t_replace *repl)
816 {
817 struct ip6t_entry *iter;
818 unsigned int i;
819 int ret = 0;
820
821 newinfo->size = repl->size;
822 newinfo->number = repl->num_entries;
823
824 /* Init all hooks to impossible value. */
825 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
826 newinfo->hook_entry[i] = 0xFFFFFFFF;
827 newinfo->underflow[i] = 0xFFFFFFFF;
828 }
829
830 duprintf("translate_table: size %u\n", newinfo->size);
831 i = 0;
832 /* Walk through entries, checking offsets. */
833 xt_entry_foreach(iter, entry0, newinfo->size) {
834 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
835 entry0 + repl->size,
836 repl->hook_entry,
837 repl->underflow,
838 repl->valid_hooks);
839 if (ret != 0)
840 return ret;
841 ++i;
842 if (strcmp(ip6t_get_target(iter)->u.user.name,
843 XT_ERROR_TARGET) == 0)
844 ++newinfo->stacksize;
845 }
846
847 if (i != repl->num_entries) {
848 duprintf("translate_table: %u not %u entries\n",
849 i, repl->num_entries);
850 return -EINVAL;
851 }
852
853 /* Check hooks all assigned */
854 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
855 /* Only hooks which are valid */
856 if (!(repl->valid_hooks & (1 << i)))
857 continue;
858 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
859 duprintf("Invalid hook entry %u %u\n",
860 i, repl->hook_entry[i]);
861 return -EINVAL;
862 }
863 if (newinfo->underflow[i] == 0xFFFFFFFF) {
864 duprintf("Invalid underflow %u %u\n",
865 i, repl->underflow[i]);
866 return -EINVAL;
867 }
868 }
869
870 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
871 return -ELOOP;
872
873 /* Finally, each sanity check must pass */
874 i = 0;
875 xt_entry_foreach(iter, entry0, newinfo->size) {
876 ret = find_check_entry(iter, net, repl->name, repl->size);
877 if (ret != 0)
878 break;
879 ++i;
880 }
881
882 if (ret != 0) {
883 xt_entry_foreach(iter, entry0, newinfo->size) {
884 if (i-- == 0)
885 break;
886 cleanup_entry(iter, net);
887 }
888 return ret;
889 }
890
891 /* And one copy for every other CPU */
892 for_each_possible_cpu(i) {
893 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
894 memcpy(newinfo->entries[i], entry0, newinfo->size);
895 }
896
897 return ret;
898 }
899
900 static void
901 get_counters(const struct xt_table_info *t,
902 struct xt_counters counters[])
903 {
904 struct ip6t_entry *iter;
905 unsigned int cpu;
906 unsigned int i;
907 unsigned int curcpu;
908
909 /* Instead of clearing (by a previous call to memset())
910 * the counters and using adds, we set the counters
911 * with data used by 'current' CPU
912 *
913 * Bottom half has to be disabled to prevent deadlock
914 * if new softirq were to run and call ipt_do_table
915 */
916 local_bh_disable();
917 curcpu = smp_processor_id();
918
919 i = 0;
920 xt_entry_foreach(iter, t->entries[curcpu], t->size) {
921 SET_COUNTER(counters[i], iter->counters.bcnt,
922 iter->counters.pcnt);
923 ++i;
924 }
925
926 for_each_possible_cpu(cpu) {
927 if (cpu == curcpu)
928 continue;
929 i = 0;
930 xt_info_wrlock(cpu);
931 xt_entry_foreach(iter, t->entries[cpu], t->size) {
932 ADD_COUNTER(counters[i], iter->counters.bcnt,
933 iter->counters.pcnt);
934 ++i;
935 }
936 xt_info_wrunlock(cpu);
937 }
938 local_bh_enable();
939 }
940
941 static struct xt_counters *alloc_counters(const struct xt_table *table)
942 {
943 unsigned int countersize;
944 struct xt_counters *counters;
945 const struct xt_table_info *private = table->private;
946
947 /* We need atomic snapshot of counters: rest doesn't change
948 (other than comefrom, which userspace doesn't care
949 about). */
950 countersize = sizeof(struct xt_counters) * private->number;
951 counters = vmalloc_node(countersize, numa_node_id());
952
953 if (counters == NULL)
954 return ERR_PTR(-ENOMEM);
955
956 get_counters(private, counters);
957
958 return counters;
959 }
960
961 static int
962 copy_entries_to_user(unsigned int total_size,
963 const struct xt_table *table,
964 void __user *userptr)
965 {
966 unsigned int off, num;
967 const struct ip6t_entry *e;
968 struct xt_counters *counters;
969 const struct xt_table_info *private = table->private;
970 int ret = 0;
971 const void *loc_cpu_entry;
972
973 counters = alloc_counters(table);
974 if (IS_ERR(counters))
975 return PTR_ERR(counters);
976
977 /* choose the copy that is on our node/cpu, ...
978 * This choice is lazy (because current thread is
979 * allowed to migrate to another cpu)
980 */
981 loc_cpu_entry = private->entries[raw_smp_processor_id()];
982 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
983 ret = -EFAULT;
984 goto free_counters;
985 }
986
987 /* FIXME: use iterator macros --RR */
988 /* ... then go back and fix counters and names */
989 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
990 unsigned int i;
991 const struct ip6t_entry_match *m;
992 const struct ip6t_entry_target *t;
993
994 e = (struct ip6t_entry *)(loc_cpu_entry + off);
995 if (copy_to_user(userptr + off
996 + offsetof(struct ip6t_entry, counters),
997 &counters[num],
998 sizeof(counters[num])) != 0) {
999 ret = -EFAULT;
1000 goto free_counters;
1001 }
1002
1003 for (i = sizeof(struct ip6t_entry);
1004 i < e->target_offset;
1005 i += m->u.match_size) {
1006 m = (void *)e + i;
1007
1008 if (copy_to_user(userptr + off + i
1009 + offsetof(struct ip6t_entry_match,
1010 u.user.name),
1011 m->u.kernel.match->name,
1012 strlen(m->u.kernel.match->name)+1)
1013 != 0) {
1014 ret = -EFAULT;
1015 goto free_counters;
1016 }
1017 }
1018
1019 t = ip6t_get_target_c(e);
1020 if (copy_to_user(userptr + off + e->target_offset
1021 + offsetof(struct ip6t_entry_target,
1022 u.user.name),
1023 t->u.kernel.target->name,
1024 strlen(t->u.kernel.target->name)+1) != 0) {
1025 ret = -EFAULT;
1026 goto free_counters;
1027 }
1028 }
1029
1030 free_counters:
1031 vfree(counters);
1032 return ret;
1033 }
1034
1035 #ifdef CONFIG_COMPAT
1036 static void compat_standard_from_user(void *dst, const void *src)
1037 {
1038 int v = *(compat_int_t *)src;
1039
1040 if (v > 0)
1041 v += xt_compat_calc_jump(AF_INET6, v);
1042 memcpy(dst, &v, sizeof(v));
1043 }
1044
1045 static int compat_standard_to_user(void __user *dst, const void *src)
1046 {
1047 compat_int_t cv = *(int *)src;
1048
1049 if (cv > 0)
1050 cv -= xt_compat_calc_jump(AF_INET6, cv);
1051 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1052 }
1053
1054 static int compat_calc_entry(const struct ip6t_entry *e,
1055 const struct xt_table_info *info,
1056 const void *base, struct xt_table_info *newinfo)
1057 {
1058 const struct xt_entry_match *ematch;
1059 const struct ip6t_entry_target *t;
1060 unsigned int entry_offset;
1061 int off, i, ret;
1062
1063 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1064 entry_offset = (void *)e - base;
1065 xt_ematch_foreach(ematch, e)
1066 off += xt_compat_match_offset(ematch->u.kernel.match);
1067 t = ip6t_get_target_c(e);
1068 off += xt_compat_target_offset(t->u.kernel.target);
1069 newinfo->size -= off;
1070 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1071 if (ret)
1072 return ret;
1073
1074 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1075 if (info->hook_entry[i] &&
1076 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
1077 newinfo->hook_entry[i] -= off;
1078 if (info->underflow[i] &&
1079 (e < (struct ip6t_entry *)(base + info->underflow[i])))
1080 newinfo->underflow[i] -= off;
1081 }
1082 return 0;
1083 }
1084
1085 static int compat_table_info(const struct xt_table_info *info,
1086 struct xt_table_info *newinfo)
1087 {
1088 struct ip6t_entry *iter;
1089 void *loc_cpu_entry;
1090 int ret;
1091
1092 if (!newinfo || !info)
1093 return -EINVAL;
1094
1095 /* we dont care about newinfo->entries[] */
1096 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1097 newinfo->initial_entries = 0;
1098 loc_cpu_entry = info->entries[raw_smp_processor_id()];
1099 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
1100 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
1101 if (ret != 0)
1102 return ret;
1103 }
1104 return 0;
1105 }
1106 #endif
1107
1108 static int get_info(struct net *net, void __user *user,
1109 const int *len, int compat)
1110 {
1111 char name[IP6T_TABLE_MAXNAMELEN];
1112 struct xt_table *t;
1113 int ret;
1114
1115 if (*len != sizeof(struct ip6t_getinfo)) {
1116 duprintf("length %u != %zu\n", *len,
1117 sizeof(struct ip6t_getinfo));
1118 return -EINVAL;
1119 }
1120
1121 if (copy_from_user(name, user, sizeof(name)) != 0)
1122 return -EFAULT;
1123
1124 name[IP6T_TABLE_MAXNAMELEN-1] = '\0';
1125 #ifdef CONFIG_COMPAT
1126 if (compat)
1127 xt_compat_lock(AF_INET6);
1128 #endif
1129 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1130 "ip6table_%s", name);
1131 if (t && !IS_ERR(t)) {
1132 struct ip6t_getinfo info;
1133 const struct xt_table_info *private = t->private;
1134 #ifdef CONFIG_COMPAT
1135 struct xt_table_info tmp;
1136
1137 if (compat) {
1138 ret = compat_table_info(private, &tmp);
1139 xt_compat_flush_offsets(AF_INET6);
1140 private = &tmp;
1141 }
1142 #endif
1143 info.valid_hooks = t->valid_hooks;
1144 memcpy(info.hook_entry, private->hook_entry,
1145 sizeof(info.hook_entry));
1146 memcpy(info.underflow, private->underflow,
1147 sizeof(info.underflow));
1148 info.num_entries = private->number;
1149 info.size = private->size;
1150 strcpy(info.name, name);
1151
1152 if (copy_to_user(user, &info, *len) != 0)
1153 ret = -EFAULT;
1154 else
1155 ret = 0;
1156
1157 xt_table_unlock(t);
1158 module_put(t->me);
1159 } else
1160 ret = t ? PTR_ERR(t) : -ENOENT;
1161 #ifdef CONFIG_COMPAT
1162 if (compat)
1163 xt_compat_unlock(AF_INET6);
1164 #endif
1165 return ret;
1166 }
1167
1168 static int
1169 get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
1170 const int *len)
1171 {
1172 int ret;
1173 struct ip6t_get_entries get;
1174 struct xt_table *t;
1175
1176 if (*len < sizeof(get)) {
1177 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1178 return -EINVAL;
1179 }
1180 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1181 return -EFAULT;
1182 if (*len != sizeof(struct ip6t_get_entries) + get.size) {
1183 duprintf("get_entries: %u != %zu\n",
1184 *len, sizeof(get) + get.size);
1185 return -EINVAL;
1186 }
1187
1188 t = xt_find_table_lock(net, AF_INET6, get.name);
1189 if (t && !IS_ERR(t)) {
1190 struct xt_table_info *private = t->private;
1191 duprintf("t->private->number = %u\n", private->number);
1192 if (get.size == private->size)
1193 ret = copy_entries_to_user(private->size,
1194 t, uptr->entrytable);
1195 else {
1196 duprintf("get_entries: I've got %u not %u!\n",
1197 private->size, get.size);
1198 ret = -EAGAIN;
1199 }
1200 module_put(t->me);
1201 xt_table_unlock(t);
1202 } else
1203 ret = t ? PTR_ERR(t) : -ENOENT;
1204
1205 return ret;
1206 }
1207
1208 static int
1209 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1210 struct xt_table_info *newinfo, unsigned int num_counters,
1211 void __user *counters_ptr)
1212 {
1213 int ret;
1214 struct xt_table *t;
1215 struct xt_table_info *oldinfo;
1216 struct xt_counters *counters;
1217 const void *loc_cpu_old_entry;
1218 struct ip6t_entry *iter;
1219
1220 ret = 0;
1221 counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
1222 numa_node_id());
1223 if (!counters) {
1224 ret = -ENOMEM;
1225 goto out;
1226 }
1227
1228 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1229 "ip6table_%s", name);
1230 if (!t || IS_ERR(t)) {
1231 ret = t ? PTR_ERR(t) : -ENOENT;
1232 goto free_newinfo_counters_untrans;
1233 }
1234
1235 /* You lied! */
1236 if (valid_hooks != t->valid_hooks) {
1237 duprintf("Valid hook crap: %08X vs %08X\n",
1238 valid_hooks, t->valid_hooks);
1239 ret = -EINVAL;
1240 goto put_module;
1241 }
1242
1243 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1244 if (!oldinfo)
1245 goto put_module;
1246
1247 /* Update module usage count based on number of rules */
1248 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1249 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1250 if ((oldinfo->number > oldinfo->initial_entries) ||
1251 (newinfo->number <= oldinfo->initial_entries))
1252 module_put(t->me);
1253 if ((oldinfo->number > oldinfo->initial_entries) &&
1254 (newinfo->number <= oldinfo->initial_entries))
1255 module_put(t->me);
1256
1257 /* Get the old counters, and synchronize with replace */
1258 get_counters(oldinfo, counters);
1259
1260 /* Decrease module usage counts and free resource */
1261 loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1262 xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
1263 cleanup_entry(iter, net);
1264
1265 xt_free_table_info(oldinfo);
1266 if (copy_to_user(counters_ptr, counters,
1267 sizeof(struct xt_counters) * num_counters) != 0)
1268 ret = -EFAULT;
1269 vfree(counters);
1270 xt_table_unlock(t);
1271 return ret;
1272
1273 put_module:
1274 module_put(t->me);
1275 xt_table_unlock(t);
1276 free_newinfo_counters_untrans:
1277 vfree(counters);
1278 out:
1279 return ret;
1280 }
1281
1282 static int
1283 do_replace(struct net *net, const void __user *user, unsigned int len)
1284 {
1285 int ret;
1286 struct ip6t_replace tmp;
1287 struct xt_table_info *newinfo;
1288 void *loc_cpu_entry;
1289 struct ip6t_entry *iter;
1290
1291 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1292 return -EFAULT;
1293
1294 /* overflow check */
1295 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1296 return -ENOMEM;
1297
1298 newinfo = xt_alloc_table_info(tmp.size);
1299 if (!newinfo)
1300 return -ENOMEM;
1301
1302 /* choose the copy that is on our node/cpu */
1303 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1304 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1305 tmp.size) != 0) {
1306 ret = -EFAULT;
1307 goto free_newinfo;
1308 }
1309
1310 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1311 if (ret != 0)
1312 goto free_newinfo;
1313
1314 duprintf("ip_tables: Translated table\n");
1315
1316 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1317 tmp.num_counters, tmp.counters);
1318 if (ret)
1319 goto free_newinfo_untrans;
1320 return 0;
1321
1322 free_newinfo_untrans:
1323 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1324 cleanup_entry(iter, net);
1325 free_newinfo:
1326 xt_free_table_info(newinfo);
1327 return ret;
1328 }
1329
1330 static int
1331 do_add_counters(struct net *net, const void __user *user, unsigned int len,
1332 int compat)
1333 {
1334 unsigned int i, curcpu;
1335 struct xt_counters_info tmp;
1336 struct xt_counters *paddc;
1337 unsigned int num_counters;
1338 char *name;
1339 int size;
1340 void *ptmp;
1341 struct xt_table *t;
1342 const struct xt_table_info *private;
1343 int ret = 0;
1344 const void *loc_cpu_entry;
1345 struct ip6t_entry *iter;
1346 #ifdef CONFIG_COMPAT
1347 struct compat_xt_counters_info compat_tmp;
1348
1349 if (compat) {
1350 ptmp = &compat_tmp;
1351 size = sizeof(struct compat_xt_counters_info);
1352 } else
1353 #endif
1354 {
1355 ptmp = &tmp;
1356 size = sizeof(struct xt_counters_info);
1357 }
1358
1359 if (copy_from_user(ptmp, user, size) != 0)
1360 return -EFAULT;
1361
1362 #ifdef CONFIG_COMPAT
1363 if (compat) {
1364 num_counters = compat_tmp.num_counters;
1365 name = compat_tmp.name;
1366 } else
1367 #endif
1368 {
1369 num_counters = tmp.num_counters;
1370 name = tmp.name;
1371 }
1372
1373 if (len != size + num_counters * sizeof(struct xt_counters))
1374 return -EINVAL;
1375
1376 paddc = vmalloc_node(len - size, numa_node_id());
1377 if (!paddc)
1378 return -ENOMEM;
1379
1380 if (copy_from_user(paddc, user + size, len - size) != 0) {
1381 ret = -EFAULT;
1382 goto free;
1383 }
1384
1385 t = xt_find_table_lock(net, AF_INET6, name);
1386 if (!t || IS_ERR(t)) {
1387 ret = t ? PTR_ERR(t) : -ENOENT;
1388 goto free;
1389 }
1390
1391
1392 local_bh_disable();
1393 private = t->private;
1394 if (private->number != num_counters) {
1395 ret = -EINVAL;
1396 goto unlock_up_free;
1397 }
1398
1399 i = 0;
1400 /* Choose the copy that is on our node */
1401 curcpu = smp_processor_id();
1402 xt_info_wrlock(curcpu);
1403 loc_cpu_entry = private->entries[curcpu];
1404 xt_entry_foreach(iter, loc_cpu_entry, private->size) {
1405 ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
1406 ++i;
1407 }
1408 xt_info_wrunlock(curcpu);
1409
1410 unlock_up_free:
1411 local_bh_enable();
1412 xt_table_unlock(t);
1413 module_put(t->me);
1414 free:
1415 vfree(paddc);
1416
1417 return ret;
1418 }
1419
1420 #ifdef CONFIG_COMPAT
1421 struct compat_ip6t_replace {
1422 char name[IP6T_TABLE_MAXNAMELEN];
1423 u32 valid_hooks;
1424 u32 num_entries;
1425 u32 size;
1426 u32 hook_entry[NF_INET_NUMHOOKS];
1427 u32 underflow[NF_INET_NUMHOOKS];
1428 u32 num_counters;
1429 compat_uptr_t counters; /* struct ip6t_counters * */
1430 struct compat_ip6t_entry entries[0];
1431 };
1432
1433 static int
1434 compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1435 unsigned int *size, struct xt_counters *counters,
1436 unsigned int i)
1437 {
1438 struct ip6t_entry_target *t;
1439 struct compat_ip6t_entry __user *ce;
1440 u_int16_t target_offset, next_offset;
1441 compat_uint_t origsize;
1442 const struct xt_entry_match *ematch;
1443 int ret = 0;
1444
1445 origsize = *size;
1446 ce = (struct compat_ip6t_entry __user *)*dstptr;
1447 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
1448 copy_to_user(&ce->counters, &counters[i],
1449 sizeof(counters[i])) != 0)
1450 return -EFAULT;
1451
1452 *dstptr += sizeof(struct compat_ip6t_entry);
1453 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1454
1455 xt_ematch_foreach(ematch, e) {
1456 ret = xt_compat_match_to_user(ematch, dstptr, size);
1457 if (ret != 0)
1458 return ret;
1459 }
1460 target_offset = e->target_offset - (origsize - *size);
1461 t = ip6t_get_target(e);
1462 ret = xt_compat_target_to_user(t, dstptr, size);
1463 if (ret)
1464 return ret;
1465 next_offset = e->next_offset - (origsize - *size);
1466 if (put_user(target_offset, &ce->target_offset) != 0 ||
1467 put_user(next_offset, &ce->next_offset) != 0)
1468 return -EFAULT;
1469 return 0;
1470 }
1471
1472 static int
1473 compat_find_calc_match(struct ip6t_entry_match *m,
1474 const char *name,
1475 const struct ip6t_ip6 *ipv6,
1476 unsigned int hookmask,
1477 int *size)
1478 {
1479 struct xt_match *match;
1480
1481 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1482 m->u.user.revision);
1483 if (IS_ERR(match)) {
1484 duprintf("compat_check_calc_match: `%s' not found\n",
1485 m->u.user.name);
1486 return PTR_ERR(match);
1487 }
1488 m->u.kernel.match = match;
1489 *size += xt_compat_match_offset(match);
1490 return 0;
1491 }
1492
1493 static void compat_release_entry(struct compat_ip6t_entry *e)
1494 {
1495 struct ip6t_entry_target *t;
1496 struct xt_entry_match *ematch;
1497
1498 /* Cleanup all matches */
1499 xt_ematch_foreach(ematch, e)
1500 module_put(ematch->u.kernel.match->me);
1501 t = compat_ip6t_get_target(e);
1502 module_put(t->u.kernel.target->me);
1503 }
1504
1505 static int
1506 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1507 struct xt_table_info *newinfo,
1508 unsigned int *size,
1509 const unsigned char *base,
1510 const unsigned char *limit,
1511 const unsigned int *hook_entries,
1512 const unsigned int *underflows,
1513 const char *name)
1514 {
1515 struct xt_entry_match *ematch;
1516 struct ip6t_entry_target *t;
1517 struct xt_target *target;
1518 unsigned int entry_offset;
1519 unsigned int j;
1520 int ret, off, h;
1521
1522 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1523 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
1524 (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
1525 duprintf("Bad offset %p, limit = %p\n", e, limit);
1526 return -EINVAL;
1527 }
1528
1529 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1530 sizeof(struct compat_xt_entry_target)) {
1531 duprintf("checking: element %p size %u\n",
1532 e, e->next_offset);
1533 return -EINVAL;
1534 }
1535
1536 /* For purposes of check_entry casting the compat entry is fine */
1537 ret = check_entry((struct ip6t_entry *)e, name);
1538 if (ret)
1539 return ret;
1540
1541 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1542 entry_offset = (void *)e - (void *)base;
1543 j = 0;
1544 xt_ematch_foreach(ematch, e) {
1545 ret = compat_find_calc_match(ematch, name,
1546 &e->ipv6, e->comefrom, &off);
1547 if (ret != 0)
1548 goto release_matches;
1549 ++j;
1550 }
1551
1552 t = compat_ip6t_get_target(e);
1553 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1554 t->u.user.revision);
1555 if (IS_ERR(target)) {
1556 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1557 t->u.user.name);
1558 ret = PTR_ERR(target);
1559 goto release_matches;
1560 }
1561 t->u.kernel.target = target;
1562
1563 off += xt_compat_target_offset(target);
1564 *size += off;
1565 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1566 if (ret)
1567 goto out;
1568
1569 /* Check hooks & underflows */
1570 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1571 if ((unsigned char *)e - base == hook_entries[h])
1572 newinfo->hook_entry[h] = hook_entries[h];
1573 if ((unsigned char *)e - base == underflows[h])
1574 newinfo->underflow[h] = underflows[h];
1575 }
1576
1577 /* Clear counters and comefrom */
1578 memset(&e->counters, 0, sizeof(e->counters));
1579 e->comefrom = 0;
1580 return 0;
1581
1582 out:
1583 module_put(t->u.kernel.target->me);
1584 release_matches:
1585 xt_ematch_foreach(ematch, e) {
1586 if (j-- == 0)
1587 break;
1588 module_put(ematch->u.kernel.match->me);
1589 }
1590 return ret;
1591 }
1592
1593 static int
1594 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1595 unsigned int *size, const char *name,
1596 struct xt_table_info *newinfo, unsigned char *base)
1597 {
1598 struct ip6t_entry_target *t;
1599 struct xt_target *target;
1600 struct ip6t_entry *de;
1601 unsigned int origsize;
1602 int ret, h;
1603 struct xt_entry_match *ematch;
1604
1605 ret = 0;
1606 origsize = *size;
1607 de = (struct ip6t_entry *)*dstptr;
1608 memcpy(de, e, sizeof(struct ip6t_entry));
1609 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1610
1611 *dstptr += sizeof(struct ip6t_entry);
1612 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1613
1614 xt_ematch_foreach(ematch, e) {
1615 ret = xt_compat_match_from_user(ematch, dstptr, size);
1616 if (ret != 0)
1617 return ret;
1618 }
1619 de->target_offset = e->target_offset - (origsize - *size);
1620 t = compat_ip6t_get_target(e);
1621 target = t->u.kernel.target;
1622 xt_compat_target_from_user(t, dstptr, size);
1623
1624 de->next_offset = e->next_offset - (origsize - *size);
1625 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1626 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1627 newinfo->hook_entry[h] -= origsize - *size;
1628 if ((unsigned char *)de - base < newinfo->underflow[h])
1629 newinfo->underflow[h] -= origsize - *size;
1630 }
1631 return ret;
1632 }
1633
1634 static int compat_check_entry(struct ip6t_entry *e, struct net *net,
1635 const char *name)
1636 {
1637 unsigned int j;
1638 int ret = 0;
1639 struct xt_mtchk_param mtpar;
1640 struct xt_entry_match *ematch;
1641
1642 j = 0;
1643 mtpar.net = net;
1644 mtpar.table = name;
1645 mtpar.entryinfo = &e->ipv6;
1646 mtpar.hook_mask = e->comefrom;
1647 mtpar.family = NFPROTO_IPV6;
1648 xt_ematch_foreach(ematch, e) {
1649 ret = check_match(ematch, &mtpar);
1650 if (ret != 0)
1651 goto cleanup_matches;
1652 ++j;
1653 }
1654
1655 ret = check_target(e, net, name);
1656 if (ret)
1657 goto cleanup_matches;
1658 return 0;
1659
1660 cleanup_matches:
1661 xt_ematch_foreach(ematch, e) {
1662 if (j-- == 0)
1663 break;
1664 cleanup_match(ematch, net);
1665 }
1666 return ret;
1667 }
1668
1669 static int
1670 translate_compat_table(struct net *net,
1671 const char *name,
1672 unsigned int valid_hooks,
1673 struct xt_table_info **pinfo,
1674 void **pentry0,
1675 unsigned int total_size,
1676 unsigned int number,
1677 unsigned int *hook_entries,
1678 unsigned int *underflows)
1679 {
1680 unsigned int i, j;
1681 struct xt_table_info *newinfo, *info;
1682 void *pos, *entry0, *entry1;
1683 struct compat_ip6t_entry *iter0;
1684 struct ip6t_entry *iter1;
1685 unsigned int size;
1686 int ret = 0;
1687
1688 info = *pinfo;
1689 entry0 = *pentry0;
1690 size = total_size;
1691 info->number = number;
1692
1693 /* Init all hooks to impossible value. */
1694 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1695 info->hook_entry[i] = 0xFFFFFFFF;
1696 info->underflow[i] = 0xFFFFFFFF;
1697 }
1698
1699 duprintf("translate_compat_table: size %u\n", info->size);
1700 j = 0;
1701 xt_compat_lock(AF_INET6);
1702 /* Walk through entries, checking offsets. */
1703 xt_entry_foreach(iter0, entry0, total_size) {
1704 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1705 entry0,
1706 entry0 + total_size,
1707 hook_entries,
1708 underflows,
1709 name);
1710 if (ret != 0)
1711 goto out_unlock;
1712 ++j;
1713 }
1714
1715 ret = -EINVAL;
1716 if (j != number) {
1717 duprintf("translate_compat_table: %u not %u entries\n",
1718 j, number);
1719 goto out_unlock;
1720 }
1721
1722 /* Check hooks all assigned */
1723 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1724 /* Only hooks which are valid */
1725 if (!(valid_hooks & (1 << i)))
1726 continue;
1727 if (info->hook_entry[i] == 0xFFFFFFFF) {
1728 duprintf("Invalid hook entry %u %u\n",
1729 i, hook_entries[i]);
1730 goto out_unlock;
1731 }
1732 if (info->underflow[i] == 0xFFFFFFFF) {
1733 duprintf("Invalid underflow %u %u\n",
1734 i, underflows[i]);
1735 goto out_unlock;
1736 }
1737 }
1738
1739 ret = -ENOMEM;
1740 newinfo = xt_alloc_table_info(size);
1741 if (!newinfo)
1742 goto out_unlock;
1743
1744 newinfo->number = number;
1745 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1746 newinfo->hook_entry[i] = info->hook_entry[i];
1747 newinfo->underflow[i] = info->underflow[i];
1748 }
1749 entry1 = newinfo->entries[raw_smp_processor_id()];
1750 pos = entry1;
1751 size = total_size;
1752 xt_entry_foreach(iter0, entry0, total_size) {
1753 ret = compat_copy_entry_from_user(iter0, &pos, &size,
1754 name, newinfo, entry1);
1755 if (ret != 0)
1756 break;
1757 }
1758 xt_compat_flush_offsets(AF_INET6);
1759 xt_compat_unlock(AF_INET6);
1760 if (ret)
1761 goto free_newinfo;
1762
1763 ret = -ELOOP;
1764 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1765 goto free_newinfo;
1766
1767 i = 0;
1768 xt_entry_foreach(iter1, entry1, newinfo->size) {
1769 ret = compat_check_entry(iter1, net, name);
1770 if (ret != 0)
1771 break;
1772 ++i;
1773 }
1774 if (ret) {
1775 /*
1776 * The first i matches need cleanup_entry (calls ->destroy)
1777 * because they had called ->check already. The other j-i
1778 * entries need only release.
1779 */
1780 int skip = i;
1781 j -= i;
1782 xt_entry_foreach(iter0, entry0, newinfo->size) {
1783 if (skip-- > 0)
1784 continue;
1785 if (j-- == 0)
1786 break;
1787 compat_release_entry(iter0);
1788 }
1789 xt_entry_foreach(iter1, entry1, newinfo->size) {
1790 if (i-- == 0)
1791 break;
1792 cleanup_entry(iter1, net);
1793 }
1794 xt_free_table_info(newinfo);
1795 return ret;
1796 }
1797
1798 /* And one copy for every other CPU */
1799 for_each_possible_cpu(i)
1800 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1801 memcpy(newinfo->entries[i], entry1, newinfo->size);
1802
1803 *pinfo = newinfo;
1804 *pentry0 = entry1;
1805 xt_free_table_info(info);
1806 return 0;
1807
1808 free_newinfo:
1809 xt_free_table_info(newinfo);
1810 out:
1811 xt_entry_foreach(iter0, entry0, total_size) {
1812 if (j-- == 0)
1813 break;
1814 compat_release_entry(iter0);
1815 }
1816 return ret;
1817 out_unlock:
1818 xt_compat_flush_offsets(AF_INET6);
1819 xt_compat_unlock(AF_INET6);
1820 goto out;
1821 }
1822
1823 static int
1824 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1825 {
1826 int ret;
1827 struct compat_ip6t_replace tmp;
1828 struct xt_table_info *newinfo;
1829 void *loc_cpu_entry;
1830 struct ip6t_entry *iter;
1831
1832 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1833 return -EFAULT;
1834
1835 /* overflow check */
1836 if (tmp.size >= INT_MAX / num_possible_cpus())
1837 return -ENOMEM;
1838 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1839 return -ENOMEM;
1840
1841 newinfo = xt_alloc_table_info(tmp.size);
1842 if (!newinfo)
1843 return -ENOMEM;
1844
1845 /* choose the copy that is on our node/cpu */
1846 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1847 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1848 tmp.size) != 0) {
1849 ret = -EFAULT;
1850 goto free_newinfo;
1851 }
1852
1853 ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
1854 &newinfo, &loc_cpu_entry, tmp.size,
1855 tmp.num_entries, tmp.hook_entry,
1856 tmp.underflow);
1857 if (ret != 0)
1858 goto free_newinfo;
1859
1860 duprintf("compat_do_replace: Translated table\n");
1861
1862 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1863 tmp.num_counters, compat_ptr(tmp.counters));
1864 if (ret)
1865 goto free_newinfo_untrans;
1866 return 0;
1867
1868 free_newinfo_untrans:
1869 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1870 cleanup_entry(iter, net);
1871 free_newinfo:
1872 xt_free_table_info(newinfo);
1873 return ret;
1874 }
1875
1876 static int
1877 compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1878 unsigned int len)
1879 {
1880 int ret;
1881
1882 if (!capable(CAP_NET_ADMIN))
1883 return -EPERM;
1884
1885 switch (cmd) {
1886 case IP6T_SO_SET_REPLACE:
1887 ret = compat_do_replace(sock_net(sk), user, len);
1888 break;
1889
1890 case IP6T_SO_SET_ADD_COUNTERS:
1891 ret = do_add_counters(sock_net(sk), user, len, 1);
1892 break;
1893
1894 default:
1895 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1896 ret = -EINVAL;
1897 }
1898
1899 return ret;
1900 }
1901
1902 struct compat_ip6t_get_entries {
1903 char name[IP6T_TABLE_MAXNAMELEN];
1904 compat_uint_t size;
1905 struct compat_ip6t_entry entrytable[0];
1906 };
1907
1908 static int
1909 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1910 void __user *userptr)
1911 {
1912 struct xt_counters *counters;
1913 const struct xt_table_info *private = table->private;
1914 void __user *pos;
1915 unsigned int size;
1916 int ret = 0;
1917 const void *loc_cpu_entry;
1918 unsigned int i = 0;
1919 struct ip6t_entry *iter;
1920
1921 counters = alloc_counters(table);
1922 if (IS_ERR(counters))
1923 return PTR_ERR(counters);
1924
1925 /* choose the copy that is on our node/cpu, ...
1926 * This choice is lazy (because current thread is
1927 * allowed to migrate to another cpu)
1928 */
1929 loc_cpu_entry = private->entries[raw_smp_processor_id()];
1930 pos = userptr;
1931 size = total_size;
1932 xt_entry_foreach(iter, loc_cpu_entry, total_size) {
1933 ret = compat_copy_entry_to_user(iter, &pos,
1934 &size, counters, i++);
1935 if (ret != 0)
1936 break;
1937 }
1938
1939 vfree(counters);
1940 return ret;
1941 }
1942
1943 static int
1944 compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1945 int *len)
1946 {
1947 int ret;
1948 struct compat_ip6t_get_entries get;
1949 struct xt_table *t;
1950
1951 if (*len < sizeof(get)) {
1952 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1953 return -EINVAL;
1954 }
1955
1956 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1957 return -EFAULT;
1958
1959 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size) {
1960 duprintf("compat_get_entries: %u != %zu\n",
1961 *len, sizeof(get) + get.size);
1962 return -EINVAL;
1963 }
1964
1965 xt_compat_lock(AF_INET6);
1966 t = xt_find_table_lock(net, AF_INET6, get.name);
1967 if (t && !IS_ERR(t)) {
1968 const struct xt_table_info *private = t->private;
1969 struct xt_table_info info;
1970 duprintf("t->private->number = %u\n", private->number);
1971 ret = compat_table_info(private, &info);
1972 if (!ret && get.size == info.size) {
1973 ret = compat_copy_entries_to_user(private->size,
1974 t, uptr->entrytable);
1975 } else if (!ret) {
1976 duprintf("compat_get_entries: I've got %u not %u!\n",
1977 private->size, get.size);
1978 ret = -EAGAIN;
1979 }
1980 xt_compat_flush_offsets(AF_INET6);
1981 module_put(t->me);
1982 xt_table_unlock(t);
1983 } else
1984 ret = t ? PTR_ERR(t) : -ENOENT;
1985
1986 xt_compat_unlock(AF_INET6);
1987 return ret;
1988 }
1989
1990 static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1991
1992 static int
1993 compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1994 {
1995 int ret;
1996
1997 if (!capable(CAP_NET_ADMIN))
1998 return -EPERM;
1999
2000 switch (cmd) {
2001 case IP6T_SO_GET_INFO:
2002 ret = get_info(sock_net(sk), user, len, 1);
2003 break;
2004 case IP6T_SO_GET_ENTRIES:
2005 ret = compat_get_entries(sock_net(sk), user, len);
2006 break;
2007 default:
2008 ret = do_ip6t_get_ctl(sk, cmd, user, len);
2009 }
2010 return ret;
2011 }
2012 #endif
2013
2014 static int
2015 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2016 {
2017 int ret;
2018
2019 if (!capable(CAP_NET_ADMIN))
2020 return -EPERM;
2021
2022 switch (cmd) {
2023 case IP6T_SO_SET_REPLACE:
2024 ret = do_replace(sock_net(sk), user, len);
2025 break;
2026
2027 case IP6T_SO_SET_ADD_COUNTERS:
2028 ret = do_add_counters(sock_net(sk), user, len, 0);
2029 break;
2030
2031 default:
2032 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
2033 ret = -EINVAL;
2034 }
2035
2036 return ret;
2037 }
2038
2039 static int
2040 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2041 {
2042 int ret;
2043
2044 if (!capable(CAP_NET_ADMIN))
2045 return -EPERM;
2046
2047 switch (cmd) {
2048 case IP6T_SO_GET_INFO:
2049 ret = get_info(sock_net(sk), user, len, 0);
2050 break;
2051
2052 case IP6T_SO_GET_ENTRIES:
2053 ret = get_entries(sock_net(sk), user, len);
2054 break;
2055
2056 case IP6T_SO_GET_REVISION_MATCH:
2057 case IP6T_SO_GET_REVISION_TARGET: {
2058 struct ip6t_get_revision rev;
2059 int target;
2060
2061 if (*len != sizeof(rev)) {
2062 ret = -EINVAL;
2063 break;
2064 }
2065 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2066 ret = -EFAULT;
2067 break;
2068 }
2069
2070 if (cmd == IP6T_SO_GET_REVISION_TARGET)
2071 target = 1;
2072 else
2073 target = 0;
2074
2075 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
2076 rev.revision,
2077 target, &ret),
2078 "ip6t_%s", rev.name);
2079 break;
2080 }
2081
2082 default:
2083 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
2084 ret = -EINVAL;
2085 }
2086
2087 return ret;
2088 }
2089
2090 struct xt_table *ip6t_register_table(struct net *net,
2091 const struct xt_table *table,
2092 const struct ip6t_replace *repl)
2093 {
2094 int ret;
2095 struct xt_table_info *newinfo;
2096 struct xt_table_info bootstrap = {0};
2097 void *loc_cpu_entry;
2098 struct xt_table *new_table;
2099
2100 newinfo = xt_alloc_table_info(repl->size);
2101 if (!newinfo) {
2102 ret = -ENOMEM;
2103 goto out;
2104 }
2105
2106 /* choose the copy on our node/cpu, but dont care about preemption */
2107 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2108 memcpy(loc_cpu_entry, repl->entries, repl->size);
2109
2110 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
2111 if (ret != 0)
2112 goto out_free;
2113
2114 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2115 if (IS_ERR(new_table)) {
2116 ret = PTR_ERR(new_table);
2117 goto out_free;
2118 }
2119 return new_table;
2120
2121 out_free:
2122 xt_free_table_info(newinfo);
2123 out:
2124 return ERR_PTR(ret);
2125 }
2126
2127 void ip6t_unregister_table(struct net *net, struct xt_table *table)
2128 {
2129 struct xt_table_info *private;
2130 void *loc_cpu_entry;
2131 struct module *table_owner = table->me;
2132 struct ip6t_entry *iter;
2133
2134 private = xt_unregister_table(table);
2135
2136 /* Decrease module usage counts and free resources */
2137 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2138 xt_entry_foreach(iter, loc_cpu_entry, private->size)
2139 cleanup_entry(iter, net);
2140 if (private->number > private->initial_entries)
2141 module_put(table_owner);
2142 xt_free_table_info(private);
2143 }
2144
2145 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2146 static inline bool
2147 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2148 u_int8_t type, u_int8_t code,
2149 bool invert)
2150 {
2151 return (type == test_type && code >= min_code && code <= max_code)
2152 ^ invert;
2153 }
2154
2155 static bool
2156 icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
2157 {
2158 const struct icmp6hdr *ic;
2159 struct icmp6hdr _icmph;
2160 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2161
2162 /* Must not be a fragment. */
2163 if (par->fragoff != 0)
2164 return false;
2165
2166 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2167 if (ic == NULL) {
2168 /* We've been asked to examine this packet, and we
2169 * can't. Hence, no choice but to drop.
2170 */
2171 duprintf("Dropping evil ICMP tinygram.\n");
2172 par->hotdrop = true;
2173 return false;
2174 }
2175
2176 return icmp6_type_code_match(icmpinfo->type,
2177 icmpinfo->code[0],
2178 icmpinfo->code[1],
2179 ic->icmp6_type, ic->icmp6_code,
2180 !!(icmpinfo->invflags&IP6T_ICMP_INV));
2181 }
2182
2183 /* Called when user tries to insert an entry of this type. */
2184 static int icmp6_checkentry(const struct xt_mtchk_param *par)
2185 {
2186 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2187
2188 /* Must specify no unknown invflags */
2189 return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
2190 }
2191
2192 /* The built-in targets: standard (NULL) and error. */
2193 static struct xt_target ip6t_builtin_tg[] __read_mostly = {
2194 {
2195 .name = IP6T_STANDARD_TARGET,
2196 .targetsize = sizeof(int),
2197 .family = NFPROTO_IPV6,
2198 #ifdef CONFIG_COMPAT
2199 .compatsize = sizeof(compat_int_t),
2200 .compat_from_user = compat_standard_from_user,
2201 .compat_to_user = compat_standard_to_user,
2202 #endif
2203 },
2204 {
2205 .name = IP6T_ERROR_TARGET,
2206 .target = ip6t_error,
2207 .targetsize = IP6T_FUNCTION_MAXNAMELEN,
2208 .family = NFPROTO_IPV6,
2209 },
2210 };
2211
2212 static struct nf_sockopt_ops ip6t_sockopts = {
2213 .pf = PF_INET6,
2214 .set_optmin = IP6T_BASE_CTL,
2215 .set_optmax = IP6T_SO_SET_MAX+1,
2216 .set = do_ip6t_set_ctl,
2217 #ifdef CONFIG_COMPAT
2218 .compat_set = compat_do_ip6t_set_ctl,
2219 #endif
2220 .get_optmin = IP6T_BASE_CTL,
2221 .get_optmax = IP6T_SO_GET_MAX+1,
2222 .get = do_ip6t_get_ctl,
2223 #ifdef CONFIG_COMPAT
2224 .compat_get = compat_do_ip6t_get_ctl,
2225 #endif
2226 .owner = THIS_MODULE,
2227 };
2228
2229 static struct xt_match ip6t_builtin_mt[] __read_mostly = {
2230 {
2231 .name = "icmp6",
2232 .match = icmp6_match,
2233 .matchsize = sizeof(struct ip6t_icmp),
2234 .checkentry = icmp6_checkentry,
2235 .proto = IPPROTO_ICMPV6,
2236 .family = NFPROTO_IPV6,
2237 },
2238 };
2239
2240 static int __net_init ip6_tables_net_init(struct net *net)
2241 {
2242 return xt_proto_init(net, NFPROTO_IPV6);
2243 }
2244
2245 static void __net_exit ip6_tables_net_exit(struct net *net)
2246 {
2247 xt_proto_fini(net, NFPROTO_IPV6);
2248 }
2249
2250 static struct pernet_operations ip6_tables_net_ops = {
2251 .init = ip6_tables_net_init,
2252 .exit = ip6_tables_net_exit,
2253 };
2254
2255 static int __init ip6_tables_init(void)
2256 {
2257 int ret;
2258
2259 ret = register_pernet_subsys(&ip6_tables_net_ops);
2260 if (ret < 0)
2261 goto err1;
2262
2263 /* Noone else will be downing sem now, so we won't sleep */
2264 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2265 if (ret < 0)
2266 goto err2;
2267 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2268 if (ret < 0)
2269 goto err4;
2270
2271 /* Register setsockopt */
2272 ret = nf_register_sockopt(&ip6t_sockopts);
2273 if (ret < 0)
2274 goto err5;
2275
2276 pr_info("(C) 2000-2006 Netfilter Core Team\n");
2277 return 0;
2278
2279 err5:
2280 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2281 err4:
2282 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2283 err2:
2284 unregister_pernet_subsys(&ip6_tables_net_ops);
2285 err1:
2286 return ret;
2287 }
2288
2289 static void __exit ip6_tables_fini(void)
2290 {
2291 nf_unregister_sockopt(&ip6t_sockopts);
2292
2293 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2294 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
2295 unregister_pernet_subsys(&ip6_tables_net_ops);
2296 }
2297
2298 /*
2299 * find the offset to specified header or the protocol number of last header
2300 * if target < 0. "last header" is transport protocol header, ESP, or
2301 * "No next header".
2302 *
2303 * If target header is found, its offset is set in *offset and return protocol
2304 * number. Otherwise, return -1.
2305 *
2306 * If the first fragment doesn't contain the final protocol header or
2307 * NEXTHDR_NONE it is considered invalid.
2308 *
2309 * Note that non-1st fragment is special case that "the protocol number
2310 * of last header" is "next header" field in Fragment header. In this case,
2311 * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
2312 * isn't NULL.
2313 *
2314 */
2315 int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
2316 int target, unsigned short *fragoff)
2317 {
2318 unsigned int start = skb_network_offset(skb) + sizeof(struct ipv6hdr);
2319 u8 nexthdr = ipv6_hdr(skb)->nexthdr;
2320 unsigned int len = skb->len - start;
2321
2322 if (fragoff)
2323 *fragoff = 0;
2324
2325 while (nexthdr != target) {
2326 struct ipv6_opt_hdr _hdr, *hp;
2327 unsigned int hdrlen;
2328
2329 if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
2330 if (target < 0)
2331 break;
2332 return -ENOENT;
2333 }
2334
2335 hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
2336 if (hp == NULL)
2337 return -EBADMSG;
2338 if (nexthdr == NEXTHDR_FRAGMENT) {
2339 unsigned short _frag_off;
2340 __be16 *fp;
2341 fp = skb_header_pointer(skb,
2342 start+offsetof(struct frag_hdr,
2343 frag_off),
2344 sizeof(_frag_off),
2345 &_frag_off);
2346 if (fp == NULL)
2347 return -EBADMSG;
2348
2349 _frag_off = ntohs(*fp) & ~0x7;
2350 if (_frag_off) {
2351 if (target < 0 &&
2352 ((!ipv6_ext_hdr(hp->nexthdr)) ||
2353 hp->nexthdr == NEXTHDR_NONE)) {
2354 if (fragoff)
2355 *fragoff = _frag_off;
2356 return hp->nexthdr;
2357 }
2358 return -ENOENT;
2359 }
2360 hdrlen = 8;
2361 } else if (nexthdr == NEXTHDR_AUTH)
2362 hdrlen = (hp->hdrlen + 2) << 2;
2363 else
2364 hdrlen = ipv6_optlen(hp);
2365
2366 nexthdr = hp->nexthdr;
2367 len -= hdrlen;
2368 start += hdrlen;
2369 }
2370
2371 *offset = start;
2372 return nexthdr;
2373 }
2374
2375 EXPORT_SYMBOL(ip6t_register_table);
2376 EXPORT_SYMBOL(ip6t_unregister_table);
2377 EXPORT_SYMBOL(ip6t_do_table);
2378 EXPORT_SYMBOL(ip6t_ext_hdr);
2379 EXPORT_SYMBOL(ipv6_find_hdr);
2380
2381 module_init(ip6_tables_init);
2382 module_exit(ip6_tables_fini);
Linux kernel - Deliverables
This page took 0.070268 seconds and 4 git commands to generate.