Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
act_ipt.c
Go to the documentation of this file.
1 /*
2  * net/sched/ipt.c iptables target interface
3  *
4  *TODO: Add other tables. For now we only support the ipv4 table targets
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  *
11  * Copyright: Jamal Hadi Salim (2002-4)
12  */
13 
14 #include <linux/types.h>
15 #include <linux/kernel.h>
16 #include <linux/string.h>
17 #include <linux/errno.h>
18 #include <linux/skbuff.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/module.h>
21 #include <linux/init.h>
22 #include <linux/slab.h>
23 #include <net/netlink.h>
24 #include <net/pkt_sched.h>
25 #include <linux/tc_act/tc_ipt.h>
26 #include <net/tc_act/tc_ipt.h>
27 
28 #include <linux/netfilter_ipv4/ip_tables.h>
29 
30 
31 #define IPT_TAB_MASK 15
32 static struct tcf_common *tcf_ipt_ht[IPT_TAB_MASK + 1];
33 static u32 ipt_idx_gen;
34 static DEFINE_RWLOCK(ipt_lock);
35 
36 static struct tcf_hashinfo ipt_hash_info = {
37  .htab = tcf_ipt_ht,
38  .hmask = IPT_TAB_MASK,
39  .lock = &ipt_lock,
40 };
41 
42 static int ipt_init_target(struct xt_entry_target *t, char *table, unsigned int hook)
43 {
44  struct xt_tgchk_param par;
45  struct xt_target *target;
46  int ret = 0;
47 
48  target = xt_request_find_target(AF_INET, t->u.user.name,
49  t->u.user.revision);
50  if (IS_ERR(target))
51  return PTR_ERR(target);
52 
53  t->u.kernel.target = target;
54  par.table = table;
55  par.entryinfo = NULL;
56  par.target = target;
57  par.targinfo = t->data;
58  par.hook_mask = hook;
59  par.family = NFPROTO_IPV4;
60 
61  ret = xt_check_target(&par, t->u.target_size - sizeof(*t), 0, false);
62  if (ret < 0) {
63  module_put(t->u.kernel.target->me);
64  return ret;
65  }
66  return 0;
67 }
68 
69 static void ipt_destroy_target(struct xt_entry_target *t)
70 {
71  struct xt_tgdtor_param par = {
72  .target = t->u.kernel.target,
73  .targinfo = t->data,
74  };
75  if (par.target->destroy != NULL)
76  par.target->destroy(&par);
77  module_put(par.target->me);
78 }
79 
80 static int tcf_ipt_release(struct tcf_ipt *ipt, int bind)
81 {
82  int ret = 0;
83  if (ipt) {
84  if (bind)
85  ipt->tcf_bindcnt--;
86  ipt->tcf_refcnt--;
87  if (ipt->tcf_bindcnt <= 0 && ipt->tcf_refcnt <= 0) {
88  ipt_destroy_target(ipt->tcfi_t);
89  kfree(ipt->tcfi_tname);
90  kfree(ipt->tcfi_t);
91  tcf_hash_destroy(&ipt->common, &ipt_hash_info);
92  ret = ACT_P_DELETED;
93  }
94  }
95  return ret;
96 }
97 
98 static const struct nla_policy ipt_policy[TCA_IPT_MAX + 1] = {
99  [TCA_IPT_TABLE] = { .type = NLA_STRING, .len = IFNAMSIZ },
100  [TCA_IPT_HOOK] = { .type = NLA_U32 },
101  [TCA_IPT_INDEX] = { .type = NLA_U32 },
102  [TCA_IPT_TARG] = { .len = sizeof(struct xt_entry_target) },
103 };
104 
105 static int tcf_ipt_init(struct nlattr *nla, struct nlattr *est,
106  struct tc_action *a, int ovr, int bind)
107 {
108  struct nlattr *tb[TCA_IPT_MAX + 1];
109  struct tcf_ipt *ipt;
110  struct tcf_common *pc;
111  struct xt_entry_target *td, *t;
112  char *tname;
113  int ret = 0, err;
114  u32 hook = 0;
115  u32 index = 0;
116 
117  if (nla == NULL)
118  return -EINVAL;
119 
120  err = nla_parse_nested(tb, TCA_IPT_MAX, nla, ipt_policy);
121  if (err < 0)
122  return err;
123 
124  if (tb[TCA_IPT_HOOK] == NULL)
125  return -EINVAL;
126  if (tb[TCA_IPT_TARG] == NULL)
127  return -EINVAL;
128 
129  td = (struct xt_entry_target *)nla_data(tb[TCA_IPT_TARG]);
130  if (nla_len(tb[TCA_IPT_TARG]) < td->u.target_size)
131  return -EINVAL;
132 
133  if (tb[TCA_IPT_INDEX] != NULL)
134  index = nla_get_u32(tb[TCA_IPT_INDEX]);
135 
136  pc = tcf_hash_check(index, a, bind, &ipt_hash_info);
137  if (!pc) {
138  pc = tcf_hash_create(index, est, a, sizeof(*ipt), bind,
139  &ipt_idx_gen, &ipt_hash_info);
140  if (IS_ERR(pc))
141  return PTR_ERR(pc);
142  ret = ACT_P_CREATED;
143  } else {
144  if (!ovr) {
145  tcf_ipt_release(to_ipt(pc), bind);
146  return -EEXIST;
147  }
148  }
149  ipt = to_ipt(pc);
150 
151  hook = nla_get_u32(tb[TCA_IPT_HOOK]);
152 
153  err = -ENOMEM;
154  tname = kmalloc(IFNAMSIZ, GFP_KERNEL);
155  if (unlikely(!tname))
156  goto err1;
157  if (tb[TCA_IPT_TABLE] == NULL ||
158  nla_strlcpy(tname, tb[TCA_IPT_TABLE], IFNAMSIZ) >= IFNAMSIZ)
159  strcpy(tname, "mangle");
160 
161  t = kmemdup(td, td->u.target_size, GFP_KERNEL);
162  if (unlikely(!t))
163  goto err2;
164 
165  err = ipt_init_target(t, tname, hook);
166  if (err < 0)
167  goto err3;
168 
169  spin_lock_bh(&ipt->tcf_lock);
170  if (ret != ACT_P_CREATED) {
171  ipt_destroy_target(ipt->tcfi_t);
172  kfree(ipt->tcfi_tname);
173  kfree(ipt->tcfi_t);
174  }
175  ipt->tcfi_tname = tname;
176  ipt->tcfi_t = t;
177  ipt->tcfi_hook = hook;
178  spin_unlock_bh(&ipt->tcf_lock);
179  if (ret == ACT_P_CREATED)
180  tcf_hash_insert(pc, &ipt_hash_info);
181  return ret;
182 
183 err3:
184  kfree(t);
185 err2:
186  kfree(tname);
187 err1:
188  if (ret == ACT_P_CREATED) {
189  if (est)
190  gen_kill_estimator(&pc->tcfc_bstats,
191  &pc->tcfc_rate_est);
192  kfree_rcu(pc, tcfc_rcu);
193  }
194  return err;
195 }
196 
197 static int tcf_ipt_cleanup(struct tc_action *a, int bind)
198 {
199  struct tcf_ipt *ipt = a->priv;
200  return tcf_ipt_release(ipt, bind);
201 }
202 
203 static int tcf_ipt(struct sk_buff *skb, const struct tc_action *a,
204  struct tcf_result *res)
205 {
206  int ret = 0, result = 0;
207  struct tcf_ipt *ipt = a->priv;
208  struct xt_action_param par;
209 
210  if (skb_cloned(skb)) {
211  if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
212  return TC_ACT_UNSPEC;
213  }
214 
215  spin_lock(&ipt->tcf_lock);
216 
217  ipt->tcf_tm.lastuse = jiffies;
218  bstats_update(&ipt->tcf_bstats, skb);
219 
220  /* yes, we have to worry about both in and out dev
221  * worry later - danger - this API seems to have changed
222  * from earlier kernels
223  */
224  par.in = skb->dev;
225  par.out = NULL;
226  par.hooknum = ipt->tcfi_hook;
227  par.target = ipt->tcfi_t->u.kernel.target;
228  par.targinfo = ipt->tcfi_t->data;
229  ret = par.target->target(skb, &par);
230 
231  switch (ret) {
232  case NF_ACCEPT:
233  result = TC_ACT_OK;
234  break;
235  case NF_DROP:
236  result = TC_ACT_SHOT;
237  ipt->tcf_qstats.drops++;
238  break;
239  case XT_CONTINUE:
240  result = TC_ACT_PIPE;
241  break;
242  default:
243  net_notice_ratelimited("tc filter: Bogus netfilter code %d assume ACCEPT\n",
244  ret);
245  result = TC_POLICE_OK;
246  break;
247  }
248  spin_unlock(&ipt->tcf_lock);
249  return result;
250 
251 }
252 
253 static int tcf_ipt_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
254 {
255  unsigned char *b = skb_tail_pointer(skb);
256  struct tcf_ipt *ipt = a->priv;
257  struct xt_entry_target *t;
258  struct tcf_t tm;
259  struct tc_cnt c;
260 
261  /* for simple targets kernel size == user size
262  * user name = target name
263  * for foolproof you need to not assume this
264  */
265 
266  t = kmemdup(ipt->tcfi_t, ipt->tcfi_t->u.user.target_size, GFP_ATOMIC);
267  if (unlikely(!t))
268  goto nla_put_failure;
269 
270  c.bindcnt = ipt->tcf_bindcnt - bind;
271  c.refcnt = ipt->tcf_refcnt - ref;
272  strcpy(t->u.user.name, ipt->tcfi_t->u.kernel.target->name);
273 
274  if (nla_put(skb, TCA_IPT_TARG, ipt->tcfi_t->u.user.target_size, t) ||
275  nla_put_u32(skb, TCA_IPT_INDEX, ipt->tcf_index) ||
276  nla_put_u32(skb, TCA_IPT_HOOK, ipt->tcfi_hook) ||
277  nla_put(skb, TCA_IPT_CNT, sizeof(struct tc_cnt), &c) ||
278  nla_put_string(skb, TCA_IPT_TABLE, ipt->tcfi_tname))
279  goto nla_put_failure;
280  tm.install = jiffies_to_clock_t(jiffies - ipt->tcf_tm.install);
281  tm.lastuse = jiffies_to_clock_t(jiffies - ipt->tcf_tm.lastuse);
282  tm.expires = jiffies_to_clock_t(ipt->tcf_tm.expires);
283  if (nla_put(skb, TCA_IPT_TM, sizeof (tm), &tm))
284  goto nla_put_failure;
285  kfree(t);
286  return skb->len;
287 
288 nla_put_failure:
289  nlmsg_trim(skb, b);
290  kfree(t);
291  return -1;
292 }
293 
294 static struct tc_action_ops act_ipt_ops = {
295  .kind = "ipt",
296  .hinfo = &ipt_hash_info,
297  .type = TCA_ACT_IPT,
298  .capab = TCA_CAP_NONE,
299  .owner = THIS_MODULE,
300  .act = tcf_ipt,
301  .dump = tcf_ipt_dump,
302  .cleanup = tcf_ipt_cleanup,
303  .lookup = tcf_hash_search,
304  .init = tcf_ipt_init,
305  .walk = tcf_generic_walker
306 };
307 
308 MODULE_AUTHOR("Jamal Hadi Salim(2002-4)");
309 MODULE_DESCRIPTION("Iptables target actions");
310 MODULE_LICENSE("GPL");
311 
312 static int __init ipt_init_module(void)
313 {
314  return tcf_register_action(&act_ipt_ops);
315 }
316 
317 static void __exit ipt_cleanup_module(void)
318 {
319  tcf_unregister_action(&act_ipt_ops);
320 }
321 
322 module_init(ipt_init_module);
323 module_exit(ipt_cleanup_module);
Generated on Thu Jan 10 2013 15:01:45 for Linux Kernel by   doxygen 1.8.2