Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ip_tables.c
Go to the documentation of this file.
1 /*
2  * Packet matching code.
3  *
4  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5  * Copyright (C) 2000-2005 Netfilter Core Team <[email protected]>
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation.
10  */
11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12 #include <linux/cache.h>
13 #include <linux/capability.h>
14 #include <linux/skbuff.h>
15 #include <linux/kmod.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netdevice.h>
18 #include <linux/module.h>
19 #include <linux/icmp.h>
20 #include <net/ip.h>
21 #include <net/compat.h>
22 #include <asm/uaccess.h>
23 #include <linux/mutex.h>
24 #include <linux/proc_fs.h>
25 #include <linux/err.h>
26 #include <linux/cpumask.h>
27 
28 #include <linux/netfilter/x_tables.h>
29 #include <linux/netfilter_ipv4/ip_tables.h>
30 #include <net/netfilter/nf_log.h>
31 #include "../../netfilter/xt_repldata.h"
32 
33 MODULE_LICENSE("GPL");
34 MODULE_AUTHOR("Netfilter Core Team <[email protected]>");
35 MODULE_DESCRIPTION("IPv4 packet filter");
36 
37 /*#define DEBUG_IP_FIREWALL*/
38 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
39 /*#define DEBUG_IP_FIREWALL_USER*/
40 
41 #ifdef DEBUG_IP_FIREWALL
42 #define dprintf(format, args...) pr_info(format , ## args)
43 #else
44 #define dprintf(format, args...)
45 #endif
46 
47 #ifdef DEBUG_IP_FIREWALL_USER
48 #define duprintf(format, args...) pr_info(format , ## args)
49 #else
50 #define duprintf(format, args...)
51 #endif
52 
53 #ifdef CONFIG_NETFILTER_DEBUG
54 #define IP_NF_ASSERT(x) WARN_ON(!(x))
55 #else
56 #define IP_NF_ASSERT(x)
57 #endif
58 
59 #if 0
60 /* All the better to debug you with... */
61 #define static
62 #define inline
63 #endif
64 
65 void *ipt_alloc_initial_table(const struct xt_table *info)
66 {
67  return xt_alloc_initial_table(ipt, IPT);
68 }
69 EXPORT_SYMBOL_GPL(ipt_alloc_initial_table);
70 
71 /* Returns whether matches rule or not. */
72 /* Performance critical - called for every packet */
73 static inline bool
74 ip_packet_match(const struct iphdr *ip,
75  const char *indev,
76  const char *outdev,
77  const struct ipt_ip *ipinfo,
78  int isfrag)
79 {
80  unsigned long ret;
81 
82 #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
83 
84  if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
85  IPT_INV_SRCIP) ||
86  FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
87  IPT_INV_DSTIP)) {
88  dprintf("Source or dest mismatch.\n");
89 
90  dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n",
91  &ip->saddr, &ipinfo->smsk.s_addr, &ipinfo->src.s_addr,
92  ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
93  dprintf("DST: %pI4 Mask: %pI4 Target: %pI4.%s\n",
94  &ip->daddr, &ipinfo->dmsk.s_addr, &ipinfo->dst.s_addr,
95  ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
96  return false;
97  }
98 
99  ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask);
100 
101  if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
102  dprintf("VIA in mismatch (%s vs %s).%s\n",
103  indev, ipinfo->iniface,
104  ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
105  return false;
106  }
107 
108  ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask);
109 
110  if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
111  dprintf("VIA out mismatch (%s vs %s).%s\n",
112  outdev, ipinfo->outiface,
113  ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
114  return false;
115  }
116 
117  /* Check specific protocol */
118  if (ipinfo->proto &&
119  FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
120  dprintf("Packet protocol %hi does not match %hi.%s\n",
121  ip->protocol, ipinfo->proto,
122  ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
123  return false;
124  }
125 
126  /* If we have a fragment rule but the packet is not a fragment
127  * then we return zero */
128  if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
129  dprintf("Fragment rule but not fragment.%s\n",
130  ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
131  return false;
132  }
133 
134  return true;
135 }
136 
137 static bool
138 ip_checkentry(const struct ipt_ip *ip)
139 {
140  if (ip->flags & ~IPT_F_MASK) {
141  duprintf("Unknown flag bits set: %08X\n",
142  ip->flags & ~IPT_F_MASK);
143  return false;
144  }
145  if (ip->invflags & ~IPT_INV_MASK) {
146  duprintf("Unknown invflag bits set: %08X\n",
147  ip->invflags & ~IPT_INV_MASK);
148  return false;
149  }
150  return true;
151 }
152 
153 static unsigned int
154 ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
155 {
156  net_info_ratelimited("error: `%s'\n", (const char *)par->targinfo);
157 
158  return NF_DROP;
159 }
160 
161 /* Performance critical */
162 static inline struct ipt_entry *
163 get_entry(const void *base, unsigned int offset)
164 {
165  return (struct ipt_entry *)(base + offset);
166 }
167 
168 /* All zeroes == unconditional rule. */
169 /* Mildly perf critical (only if packet tracing is on) */
170 static inline bool unconditional(const struct ipt_ip *ip)
171 {
172  static const struct ipt_ip uncond;
173 
174  return memcmp(ip, &uncond, sizeof(uncond)) == 0;
175 #undef FWINV
176 }
177 
178 /* for const-correctness */
179 static inline const struct xt_entry_target *
180 ipt_get_target_c(const struct ipt_entry *e)
181 {
182  return ipt_get_target((struct ipt_entry *)e);
183 }
184 
185 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
186  defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
187 static const char *const hooknames[] = {
188  [NF_INET_PRE_ROUTING] = "PREROUTING",
189  [NF_INET_LOCAL_IN] = "INPUT",
190  [NF_INET_FORWARD] = "FORWARD",
191  [NF_INET_LOCAL_OUT] = "OUTPUT",
192  [NF_INET_POST_ROUTING] = "POSTROUTING",
193 };
194 
195 enum nf_ip_trace_comments {
196  NF_IP_TRACE_COMMENT_RULE,
197  NF_IP_TRACE_COMMENT_RETURN,
198  NF_IP_TRACE_COMMENT_POLICY,
199 };
200 
201 static const char *const comments[] = {
202  [NF_IP_TRACE_COMMENT_RULE] = "rule",
203  [NF_IP_TRACE_COMMENT_RETURN] = "return",
204  [NF_IP_TRACE_COMMENT_POLICY] = "policy",
205 };
206 
207 static struct nf_loginfo trace_loginfo = {
208  .type = NF_LOG_TYPE_LOG,
209  .u = {
210  .log = {
211  .level = 4,
212  .logflags = NF_LOG_MASK,
213  },
214  },
215 };
216 
217 /* Mildly perf critical (only if packet tracing is on) */
218 static inline int
219 get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e,
220  const char *hookname, const char **chainname,
221  const char **comment, unsigned int *rulenum)
222 {
223  const struct xt_standard_target *t = (void *)ipt_get_target_c(s);
224 
225  if (strcmp(t->target.u.kernel.target->name, XT_ERROR_TARGET) == 0) {
226  /* Head of user chain: ERROR target with chainname */
227  *chainname = t->target.data;
228  (*rulenum) = 0;
229  } else if (s == e) {
230  (*rulenum)++;
231 
232  if (s->target_offset == sizeof(struct ipt_entry) &&
233  strcmp(t->target.u.kernel.target->name,
234  XT_STANDARD_TARGET) == 0 &&
235  t->verdict < 0 &&
236  unconditional(&s->ip)) {
237  /* Tail of chains: STANDARD target (return/policy) */
238  *comment = *chainname == hookname
239  ? comments[NF_IP_TRACE_COMMENT_POLICY]
240  : comments[NF_IP_TRACE_COMMENT_RETURN];
241  }
242  return 1;
243  } else
244  (*rulenum)++;
245 
246  return 0;
247 }
248 
249 static void trace_packet(const struct sk_buff *skb,
250  unsigned int hook,
251  const struct net_device *in,
252  const struct net_device *out,
253  const char *tablename,
254  const struct xt_table_info *private,
255  const struct ipt_entry *e)
256 {
257  const void *table_base;
258  const struct ipt_entry *root;
259  const char *hookname, *chainname, *comment;
260  const struct ipt_entry *iter;
261  unsigned int rulenum = 0;
262 
263  table_base = private->entries[smp_processor_id()];
264  root = get_entry(table_base, private->hook_entry[hook]);
265 
266  hookname = chainname = hooknames[hook];
267  comment = comments[NF_IP_TRACE_COMMENT_RULE];
268 
269  xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
270  if (get_chainname_rulenum(iter, e, hookname,
271  &chainname, &comment, &rulenum) != 0)
272  break;
273 
274  nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
275  "TRACE: %s:%s:%s:%u ",
276  tablename, chainname, comment, rulenum);
277 }
278 #endif
279 
280 static inline __pure
281 struct ipt_entry *ipt_next_entry(const struct ipt_entry *entry)
282 {
283  return (void *)entry + entry->next_offset;
284 }
285 
286 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
287 unsigned int
288 ipt_do_table(struct sk_buff *skb,
289  unsigned int hook,
290  const struct net_device *in,
291  const struct net_device *out,
292  struct xt_table *table)
293 {
294  static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
295  const struct iphdr *ip;
296  /* Initializing verdict to NF_DROP keeps gcc happy. */
297  unsigned int verdict = NF_DROP;
298  const char *indev, *outdev;
299  const void *table_base;
300  struct ipt_entry *e, **jumpstack;
301  unsigned int *stackptr, origptr, cpu;
302  const struct xt_table_info *private;
303  struct xt_action_param acpar;
304  unsigned int addend;
305 
306  /* Initialization */
307  ip = ip_hdr(skb);
308  indev = in ? in->name : nulldevname;
309  outdev = out ? out->name : nulldevname;
310  /* We handle fragments by dealing with the first fragment as
311  * if it was a normal packet. All other fragments are treated
312  * normally, except that they will NEVER match rules that ask
313  * things we don't know, ie. tcp syn flag or ports). If the
314  * rule is also a fragment-specific rule, non-fragments won't
315  * match it. */
316  acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
317  acpar.thoff = ip_hdrlen(skb);
318  acpar.hotdrop = false;
319  acpar.in = in;
320  acpar.out = out;
321  acpar.family = NFPROTO_IPV4;
322  acpar.hooknum = hook;
323 
324  IP_NF_ASSERT(table->valid_hooks & (1 << hook));
325  local_bh_disable();
326  addend = xt_write_recseq_begin();
327  private = table->private;
328  cpu = smp_processor_id();
329  table_base = private->entries[cpu];
330  jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
331  stackptr = per_cpu_ptr(private->stackptr, cpu);
332  origptr = *stackptr;
333 
334  e = get_entry(table_base, private->hook_entry[hook]);
335 
336  pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n",
337  table->name, hook, origptr,
338  get_entry(table_base, private->underflow[hook]));
339 
340  do {
341  const struct xt_entry_target *t;
342  const struct xt_entry_match *ematch;
343 
344  IP_NF_ASSERT(e);
345  if (!ip_packet_match(ip, indev, outdev,
346  &e->ip, acpar.fragoff)) {
347  no_match:
348  e = ipt_next_entry(e);
349  continue;
350  }
351 
352  xt_ematch_foreach(ematch, e) {
353  acpar.match = ematch->u.kernel.match;
354  acpar.matchinfo = ematch->data;
355  if (!acpar.match->match(skb, &acpar))
356  goto no_match;
357  }
358 
359  ADD_COUNTER(e->counters, skb->len, 1);
360 
361  t = ipt_get_target(e);
362  IP_NF_ASSERT(t->u.kernel.target);
363 
364 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
365  defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
366  /* The packet is traced: log it */
367  if (unlikely(skb->nf_trace))
368  trace_packet(skb, hook, in, out,
369  table->name, private, e);
370 #endif
371  /* Standard target? */
372  if (!t->u.kernel.target->target) {
373  int v;
374 
375  v = ((struct xt_standard_target *)t)->verdict;
376  if (v < 0) {
377  /* Pop from stack? */
378  if (v != XT_RETURN) {
379  verdict = (unsigned int)(-v) - 1;
380  break;
381  }
382  if (*stackptr <= origptr) {
383  e = get_entry(table_base,
384  private->underflow[hook]);
385  pr_debug("Underflow (this is normal) "
386  "to %p\n", e);
387  } else {
388  e = jumpstack[--*stackptr];
389  pr_debug("Pulled %p out from pos %u\n",
390  e, *stackptr);
391  e = ipt_next_entry(e);
392  }
393  continue;
394  }
395  if (table_base + v != ipt_next_entry(e) &&
396  !(e->ip.flags & IPT_F_GOTO)) {
397  if (*stackptr >= private->stacksize) {
398  verdict = NF_DROP;
399  break;
400  }
401  jumpstack[(*stackptr)++] = e;
402  pr_debug("Pushed %p into pos %u\n",
403  e, *stackptr - 1);
404  }
405 
406  e = get_entry(table_base, v);
407  continue;
408  }
409 
410  acpar.target = t->u.kernel.target;
411  acpar.targinfo = t->data;
412 
413  verdict = t->u.kernel.target->target(skb, &acpar);
414  /* Target might have changed stuff. */
415  ip = ip_hdr(skb);
416  if (verdict == XT_CONTINUE)
417  e = ipt_next_entry(e);
418  else
419  /* Verdict */
420  break;
421  } while (!acpar.hotdrop);
422  pr_debug("Exiting %s; resetting sp from %u to %u\n",
423  __func__, *stackptr, origptr);
424  *stackptr = origptr;
425  xt_write_recseq_end(addend);
426  local_bh_enable();
427 
428 #ifdef DEBUG_ALLOW_ALL
429  return NF_ACCEPT;
430 #else
431  if (acpar.hotdrop)
432  return NF_DROP;
433  else return verdict;
434 #endif
435 }
436 
437 /* Figures out from what hook each rule can be called: returns 0 if
438  there are loops. Puts hook bitmask in comefrom. */
439 static int
440 mark_source_chains(const struct xt_table_info *newinfo,
441  unsigned int valid_hooks, void *entry0)
442 {
443  unsigned int hook;
444 
445  /* No recursion; use packet counter to save back ptrs (reset
446  to 0 as we leave), and comefrom to save source hook bitmask */
447  for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
448  unsigned int pos = newinfo->hook_entry[hook];
449  struct ipt_entry *e = (struct ipt_entry *)(entry0 + pos);
450 
451  if (!(valid_hooks & (1 << hook)))
452  continue;
453 
454  /* Set initial back pointer. */
455  e->counters.pcnt = pos;
456 
457  for (;;) {
458  const struct xt_standard_target *t
459  = (void *)ipt_get_target_c(e);
460  int visited = e->comefrom & (1 << hook);
461 
462  if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
463  pr_err("iptables: loop hook %u pos %u %08X.\n",
464  hook, pos, e->comefrom);
465  return 0;
466  }
467  e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
468 
469  /* Unconditional return/END. */
470  if ((e->target_offset == sizeof(struct ipt_entry) &&
471  (strcmp(t->target.u.user.name,
472  XT_STANDARD_TARGET) == 0) &&
473  t->verdict < 0 && unconditional(&e->ip)) ||
474  visited) {
475  unsigned int oldpos, size;
476 
477  if ((strcmp(t->target.u.user.name,
478  XT_STANDARD_TARGET) == 0) &&
479  t->verdict < -NF_MAX_VERDICT - 1) {
480  duprintf("mark_source_chains: bad "
481  "negative verdict (%i)\n",
482  t->verdict);
483  return 0;
484  }
485 
486  /* Return: backtrack through the last
487  big jump. */
488  do {
489  e->comefrom ^= (1<<NF_INET_NUMHOOKS);
490 #ifdef DEBUG_IP_FIREWALL_USER
491  if (e->comefrom
492  & (1 << NF_INET_NUMHOOKS)) {
493  duprintf("Back unset "
494  "on hook %u "
495  "rule %u\n",
496  hook, pos);
497  }
498 #endif
499  oldpos = pos;
500  pos = e->counters.pcnt;
501  e->counters.pcnt = 0;
502 
503  /* We're at the start. */
504  if (pos == oldpos)
505  goto next;
506 
507  e = (struct ipt_entry *)
508  (entry0 + pos);
509  } while (oldpos == pos + e->next_offset);
510 
511  /* Move along one */
512  size = e->next_offset;
513  e = (struct ipt_entry *)
514  (entry0 + pos + size);
515  e->counters.pcnt = pos;
516  pos += size;
517  } else {
518  int newpos = t->verdict;
519 
520  if (strcmp(t->target.u.user.name,
521  XT_STANDARD_TARGET) == 0 &&
522  newpos >= 0) {
523  if (newpos > newinfo->size -
524  sizeof(struct ipt_entry)) {
525  duprintf("mark_source_chains: "
526  "bad verdict (%i)\n",
527  newpos);
528  return 0;
529  }
530  /* This a jump; chase it. */
531  duprintf("Jump rule %u -> %u\n",
532  pos, newpos);
533  } else {
534  /* ... this is a fallthru */
535  newpos = pos + e->next_offset;
536  }
537  e = (struct ipt_entry *)
538  (entry0 + newpos);
539  e->counters.pcnt = pos;
540  pos = newpos;
541  }
542  }
543  next:
544  duprintf("Finished chain %u\n", hook);
545  }
546  return 1;
547 }
548 
549 static void cleanup_match(struct xt_entry_match *m, struct net *net)
550 {
551  struct xt_mtdtor_param par;
552 
553  par.net = net;
554  par.match = m->u.kernel.match;
555  par.matchinfo = m->data;
556  par.family = NFPROTO_IPV4;
557  if (par.match->destroy != NULL)
558  par.match->destroy(&par);
559  module_put(par.match->me);
560 }
561 
562 static int
563 check_entry(const struct ipt_entry *e, const char *name)
564 {
565  const struct xt_entry_target *t;
566 
567  if (!ip_checkentry(&e->ip)) {
568  duprintf("ip check failed %p %s.\n", e, name);
569  return -EINVAL;
570  }
571 
572  if (e->target_offset + sizeof(struct xt_entry_target) >
573  e->next_offset)
574  return -EINVAL;
575 
576  t = ipt_get_target_c(e);
577  if (e->target_offset + t->u.target_size > e->next_offset)
578  return -EINVAL;
579 
580  return 0;
581 }
582 
583 static int
584 check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
585 {
586  const struct ipt_ip *ip = par->entryinfo;
587  int ret;
588 
589  par->match = m->u.kernel.match;
590  par->matchinfo = m->data;
591 
592  ret = xt_check_match(par, m->u.match_size - sizeof(*m),
593  ip->proto, ip->invflags & IPT_INV_PROTO);
594  if (ret < 0) {
595  duprintf("check failed for `%s'.\n", par->match->name);
596  return ret;
597  }
598  return 0;
599 }
600 
601 static int
602 find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
603 {
604  struct xt_match *match;
605  int ret;
606 
607  match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
608  m->u.user.revision);
609  if (IS_ERR(match)) {
610  duprintf("find_check_match: `%s' not found\n", m->u.user.name);
611  return PTR_ERR(match);
612  }
613  m->u.kernel.match = match;
614 
615  ret = check_match(m, par);
616  if (ret)
617  goto err;
618 
619  return 0;
620 err:
621  module_put(m->u.kernel.match->me);
622  return ret;
623 }
624 
625 static int check_target(struct ipt_entry *e, struct net *net, const char *name)
626 {
627  struct xt_entry_target *t = ipt_get_target(e);
628  struct xt_tgchk_param par = {
629  .net = net,
630  .table = name,
631  .entryinfo = e,
632  .target = t->u.kernel.target,
633  .targinfo = t->data,
634  .hook_mask = e->comefrom,
635  .family = NFPROTO_IPV4,
636  };
637  int ret;
638 
639  ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
640  e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
641  if (ret < 0) {
642  duprintf("check failed for `%s'.\n",
643  t->u.kernel.target->name);
644  return ret;
645  }
646  return 0;
647 }
648 
649 static int
650 find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
651  unsigned int size)
652 {
653  struct xt_entry_target *t;
654  struct xt_target *target;
655  int ret;
656  unsigned int j;
657  struct xt_mtchk_param mtpar;
658  struct xt_entry_match *ematch;
659 
660  ret = check_entry(e, name);
661  if (ret)
662  return ret;
663 
664  j = 0;
665  mtpar.net = net;
666  mtpar.table = name;
667  mtpar.entryinfo = &e->ip;
668  mtpar.hook_mask = e->comefrom;
669  mtpar.family = NFPROTO_IPV4;
670  xt_ematch_foreach(ematch, e) {
671  ret = find_check_match(ematch, &mtpar);
672  if (ret != 0)
673  goto cleanup_matches;
674  ++j;
675  }
676 
677  t = ipt_get_target(e);
678  target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
679  t->u.user.revision);
680  if (IS_ERR(target)) {
681  duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
682  ret = PTR_ERR(target);
683  goto cleanup_matches;
684  }
685  t->u.kernel.target = target;
686 
687  ret = check_target(e, net, name);
688  if (ret)
689  goto err;
690  return 0;
691  err:
692  module_put(t->u.kernel.target->me);
693  cleanup_matches:
694  xt_ematch_foreach(ematch, e) {
695  if (j-- == 0)
696  break;
697  cleanup_match(ematch, net);
698  }
699  return ret;
700 }
701 
702 static bool check_underflow(const struct ipt_entry *e)
703 {
704  const struct xt_entry_target *t;
705  unsigned int verdict;
706 
707  if (!unconditional(&e->ip))
708  return false;
709  t = ipt_get_target_c(e);
710  if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
711  return false;
712  verdict = ((struct xt_standard_target *)t)->verdict;
713  verdict = -verdict - 1;
714  return verdict == NF_DROP || verdict == NF_ACCEPT;
715 }
716 
717 static int
718 check_entry_size_and_hooks(struct ipt_entry *e,
719  struct xt_table_info *newinfo,
720  const unsigned char *base,
721  const unsigned char *limit,
722  const unsigned int *hook_entries,
723  const unsigned int *underflows,
724  unsigned int valid_hooks)
725 {
726  unsigned int h;
727 
728  if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
729  (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
730  duprintf("Bad offset %p\n", e);
731  return -EINVAL;
732  }
733 
734  if (e->next_offset
735  < sizeof(struct ipt_entry) + sizeof(struct xt_entry_target)) {
736  duprintf("checking: element %p size %u\n",
737  e, e->next_offset);
738  return -EINVAL;
739  }
740 
741  /* Check hooks & underflows */
742  for (h = 0; h < NF_INET_NUMHOOKS; h++) {
743  if (!(valid_hooks & (1 << h)))
744  continue;
745  if ((unsigned char *)e - base == hook_entries[h])
746  newinfo->hook_entry[h] = hook_entries[h];
747  if ((unsigned char *)e - base == underflows[h]) {
748  if (!check_underflow(e)) {
749  pr_err("Underflows must be unconditional and "
750  "use the STANDARD target with "
751  "ACCEPT/DROP\n");
752  return -EINVAL;
753  }
754  newinfo->underflow[h] = underflows[h];
755  }
756  }
757 
758  /* Clear counters and comefrom */
759  e->counters = ((struct xt_counters) { 0, 0 });
760  e->comefrom = 0;
761  return 0;
762 }
763 
764 static void
765 cleanup_entry(struct ipt_entry *e, struct net *net)
766 {
767  struct xt_tgdtor_param par;
768  struct xt_entry_target *t;
769  struct xt_entry_match *ematch;
770 
771  /* Cleanup all matches */
772  xt_ematch_foreach(ematch, e)
773  cleanup_match(ematch, net);
774  t = ipt_get_target(e);
775 
776  par.net = net;
777  par.target = t->u.kernel.target;
778  par.targinfo = t->data;
779  par.family = NFPROTO_IPV4;
780  if (par.target->destroy != NULL)
781  par.target->destroy(&par);
782  module_put(par.target->me);
783 }
784 
785 /* Checks and translates the user-supplied table segment (held in
786  newinfo) */
787 static int
788 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
789  const struct ipt_replace *repl)
790 {
791  struct ipt_entry *iter;
792  unsigned int i;
793  int ret = 0;
794 
795  newinfo->size = repl->size;
796  newinfo->number = repl->num_entries;
797 
798  /* Init all hooks to impossible value. */
799  for (i = 0; i < NF_INET_NUMHOOKS; i++) {
800  newinfo->hook_entry[i] = 0xFFFFFFFF;
801  newinfo->underflow[i] = 0xFFFFFFFF;
802  }
803 
804  duprintf("translate_table: size %u\n", newinfo->size);
805  i = 0;
806  /* Walk through entries, checking offsets. */
807  xt_entry_foreach(iter, entry0, newinfo->size) {
808  ret = check_entry_size_and_hooks(iter, newinfo, entry0,
809  entry0 + repl->size,
810  repl->hook_entry,
811  repl->underflow,
812  repl->valid_hooks);
813  if (ret != 0)
814  return ret;
815  ++i;
816  if (strcmp(ipt_get_target(iter)->u.user.name,
817  XT_ERROR_TARGET) == 0)
818  ++newinfo->stacksize;
819  }
820 
821  if (i != repl->num_entries) {
822  duprintf("translate_table: %u not %u entries\n",
823  i, repl->num_entries);
824  return -EINVAL;
825  }
826 
827  /* Check hooks all assigned */
828  for (i = 0; i < NF_INET_NUMHOOKS; i++) {
829  /* Only hooks which are valid */
830  if (!(repl->valid_hooks & (1 << i)))
831  continue;
832  if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
833  duprintf("Invalid hook entry %u %u\n",
834  i, repl->hook_entry[i]);
835  return -EINVAL;
836  }
837  if (newinfo->underflow[i] == 0xFFFFFFFF) {
838  duprintf("Invalid underflow %u %u\n",
839  i, repl->underflow[i]);
840  return -EINVAL;
841  }
842  }
843 
844  if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
845  return -ELOOP;
846 
847  /* Finally, each sanity check must pass */
848  i = 0;
849  xt_entry_foreach(iter, entry0, newinfo->size) {
850  ret = find_check_entry(iter, net, repl->name, repl->size);
851  if (ret != 0)
852  break;
853  ++i;
854  }
855 
856  if (ret != 0) {
857  xt_entry_foreach(iter, entry0, newinfo->size) {
858  if (i-- == 0)
859  break;
860  cleanup_entry(iter, net);
861  }
862  return ret;
863  }
864 
865  /* And one copy for every other CPU */
866  for_each_possible_cpu(i) {
867  if (newinfo->entries[i] && newinfo->entries[i] != entry0)
868  memcpy(newinfo->entries[i], entry0, newinfo->size);
869  }
870 
871  return ret;
872 }
873 
874 static void
875 get_counters(const struct xt_table_info *t,
876  struct xt_counters counters[])
877 {
878  struct ipt_entry *iter;
879  unsigned int cpu;
880  unsigned int i;
881 
882  for_each_possible_cpu(cpu) {
883  seqcount_t *s = &per_cpu(xt_recseq, cpu);
884 
885  i = 0;
886  xt_entry_foreach(iter, t->entries[cpu], t->size) {
887  u64 bcnt, pcnt;
888  unsigned int start;
889 
890  do {
891  start = read_seqcount_begin(s);
892  bcnt = iter->counters.bcnt;
893  pcnt = iter->counters.pcnt;
894  } while (read_seqcount_retry(s, start));
895 
896  ADD_COUNTER(counters[i], bcnt, pcnt);
897  ++i; /* macro does multi eval of i */
898  }
899  }
900 }
901 
902 static struct xt_counters *alloc_counters(const struct xt_table *table)
903 {
904  unsigned int countersize;
905  struct xt_counters *counters;
906  const struct xt_table_info *private = table->private;
907 
908  /* We need atomic snapshot of counters: rest doesn't change
909  (other than comefrom, which userspace doesn't care
910  about). */
911  countersize = sizeof(struct xt_counters) * private->number;
912  counters = vzalloc(countersize);
913 
914  if (counters == NULL)
915  return ERR_PTR(-ENOMEM);
916 
917  get_counters(private, counters);
918 
919  return counters;
920 }
921 
922 static int
923 copy_entries_to_user(unsigned int total_size,
924  const struct xt_table *table,
925  void __user *userptr)
926 {
927  unsigned int off, num;
928  const struct ipt_entry *e;
929  struct xt_counters *counters;
930  const struct xt_table_info *private = table->private;
931  int ret = 0;
932  const void *loc_cpu_entry;
933 
934  counters = alloc_counters(table);
935  if (IS_ERR(counters))
936  return PTR_ERR(counters);
937 
938  /* choose the copy that is on our node/cpu, ...
939  * This choice is lazy (because current thread is
940  * allowed to migrate to another cpu)
941  */
942  loc_cpu_entry = private->entries[raw_smp_processor_id()];
943  if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
944  ret = -EFAULT;
945  goto free_counters;
946  }
947 
948  /* FIXME: use iterator macros --RR */
949  /* ... then go back and fix counters and names */
950  for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
951  unsigned int i;
952  const struct xt_entry_match *m;
953  const struct xt_entry_target *t;
954 
955  e = (struct ipt_entry *)(loc_cpu_entry + off);
956  if (copy_to_user(userptr + off
957  + offsetof(struct ipt_entry, counters),
958  &counters[num],
959  sizeof(counters[num])) != 0) {
960  ret = -EFAULT;
961  goto free_counters;
962  }
963 
964  for (i = sizeof(struct ipt_entry);
965  i < e->target_offset;
966  i += m->u.match_size) {
967  m = (void *)e + i;
968 
969  if (copy_to_user(userptr + off + i
970  + offsetof(struct xt_entry_match,
971  u.user.name),
972  m->u.kernel.match->name,
973  strlen(m->u.kernel.match->name)+1)
974  != 0) {
975  ret = -EFAULT;
976  goto free_counters;
977  }
978  }
979 
980  t = ipt_get_target_c(e);
981  if (copy_to_user(userptr + off + e->target_offset
982  + offsetof(struct xt_entry_target,
983  u.user.name),
984  t->u.kernel.target->name,
985  strlen(t->u.kernel.target->name)+1) != 0) {
986  ret = -EFAULT;
987  goto free_counters;
988  }
989  }
990 
991  free_counters:
992  vfree(counters);
993  return ret;
994 }
995 
996 #ifdef CONFIG_COMPAT
997 static void compat_standard_from_user(void *dst, const void *src)
998 {
999  int v = *(compat_int_t *)src;
1000 
1001  if (v > 0)
1002  v += xt_compat_calc_jump(AF_INET, v);
1003  memcpy(dst, &v, sizeof(v));
1004 }
1005 
1006 static int compat_standard_to_user(void __user *dst, const void *src)
1007 {
1008  compat_int_t cv = *(int *)src;
1009 
1010  if (cv > 0)
1011  cv -= xt_compat_calc_jump(AF_INET, cv);
1012  return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1013 }
1014 
1015 static int compat_calc_entry(const struct ipt_entry *e,
1016  const struct xt_table_info *info,
1017  const void *base, struct xt_table_info *newinfo)
1018 {
1019  const struct xt_entry_match *ematch;
1020  const struct xt_entry_target *t;
1021  unsigned int entry_offset;
1022  int off, i, ret;
1023 
1024  off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1025  entry_offset = (void *)e - base;
1026  xt_ematch_foreach(ematch, e)
1027  off += xt_compat_match_offset(ematch->u.kernel.match);
1028  t = ipt_get_target_c(e);
1029  off += xt_compat_target_offset(t->u.kernel.target);
1030  newinfo->size -= off;
1031  ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1032  if (ret)
1033  return ret;
1034 
1035  for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1036  if (info->hook_entry[i] &&
1037  (e < (struct ipt_entry *)(base + info->hook_entry[i])))
1038  newinfo->hook_entry[i] -= off;
1039  if (info->underflow[i] &&
1040  (e < (struct ipt_entry *)(base + info->underflow[i])))
1041  newinfo->underflow[i] -= off;
1042  }
1043  return 0;
1044 }
1045 
1046 static int compat_table_info(const struct xt_table_info *info,
1047  struct xt_table_info *newinfo)
1048 {
1049  struct ipt_entry *iter;
1050  void *loc_cpu_entry;
1051  int ret;
1052 
1053  if (!newinfo || !info)
1054  return -EINVAL;
1055 
1056  /* we dont care about newinfo->entries[] */
1057  memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1058  newinfo->initial_entries = 0;
1059  loc_cpu_entry = info->entries[raw_smp_processor_id()];
1060  xt_compat_init_offsets(AF_INET, info->number);
1061  xt_entry_foreach(iter, loc_cpu_entry, info->size) {
1062  ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
1063  if (ret != 0)
1064  return ret;
1065  }
1066  return 0;
1067 }
1068 #endif
1069 
1070 static int get_info(struct net *net, void __user *user,
1071  const int *len, int compat)
1072 {
1073  char name[XT_TABLE_MAXNAMELEN];
1074  struct xt_table *t;
1075  int ret;
1076 
1077  if (*len != sizeof(struct ipt_getinfo)) {
1078  duprintf("length %u != %zu\n", *len,
1079  sizeof(struct ipt_getinfo));
1080  return -EINVAL;
1081  }
1082 
1083  if (copy_from_user(name, user, sizeof(name)) != 0)
1084  return -EFAULT;
1085 
1086  name[XT_TABLE_MAXNAMELEN-1] = '\0';
1087 #ifdef CONFIG_COMPAT
1088  if (compat)
1089  xt_compat_lock(AF_INET);
1090 #endif
1091  t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1092  "iptable_%s", name);
1093  if (t && !IS_ERR(t)) {
1094  struct ipt_getinfo info;
1095  const struct xt_table_info *private = t->private;
1096 #ifdef CONFIG_COMPAT
1097  struct xt_table_info tmp;
1098 
1099  if (compat) {
1100  ret = compat_table_info(private, &tmp);
1101  xt_compat_flush_offsets(AF_INET);
1102  private = &tmp;
1103  }
1104 #endif
1105  memset(&info, 0, sizeof(info));
1106  info.valid_hooks = t->valid_hooks;
1107  memcpy(info.hook_entry, private->hook_entry,
1108  sizeof(info.hook_entry));
1109  memcpy(info.underflow, private->underflow,
1110  sizeof(info.underflow));
1111  info.num_entries = private->number;
1112  info.size = private->size;
1113  strcpy(info.name, name);
1114 
1115  if (copy_to_user(user, &info, *len) != 0)
1116  ret = -EFAULT;
1117  else
1118  ret = 0;
1119 
1120  xt_table_unlock(t);
1121  module_put(t->me);
1122  } else
1123  ret = t ? PTR_ERR(t) : -ENOENT;
1124 #ifdef CONFIG_COMPAT
1125  if (compat)
1126  xt_compat_unlock(AF_INET);
1127 #endif
1128  return ret;
1129 }
1130 
1131 static int
1132 get_entries(struct net *net, struct ipt_get_entries __user *uptr,
1133  const int *len)
1134 {
1135  int ret;
1136  struct ipt_get_entries get;
1137  struct xt_table *t;
1138 
1139  if (*len < sizeof(get)) {
1140  duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
1141  return -EINVAL;
1142  }
1143  if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1144  return -EFAULT;
1145  if (*len != sizeof(struct ipt_get_entries) + get.size) {
1146  duprintf("get_entries: %u != %zu\n",
1147  *len, sizeof(get) + get.size);
1148  return -EINVAL;
1149  }
1150 
1151  t = xt_find_table_lock(net, AF_INET, get.name);
1152  if (t && !IS_ERR(t)) {
1153  const struct xt_table_info *private = t->private;
1154  duprintf("t->private->number = %u\n", private->number);
1155  if (get.size == private->size)
1156  ret = copy_entries_to_user(private->size,
1157  t, uptr->entrytable);
1158  else {
1159  duprintf("get_entries: I've got %u not %u!\n",
1160  private->size, get.size);
1161  ret = -EAGAIN;
1162  }
1163  module_put(t->me);
1164  xt_table_unlock(t);
1165  } else
1166  ret = t ? PTR_ERR(t) : -ENOENT;
1167 
1168  return ret;
1169 }
1170 
1171 static int
1172 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1173  struct xt_table_info *newinfo, unsigned int num_counters,
1174  void __user *counters_ptr)
1175 {
1176  int ret;
1177  struct xt_table *t;
1178  struct xt_table_info *oldinfo;
1179  struct xt_counters *counters;
1180  void *loc_cpu_old_entry;
1181  struct ipt_entry *iter;
1182 
1183  ret = 0;
1184  counters = vzalloc(num_counters * sizeof(struct xt_counters));
1185  if (!counters) {
1186  ret = -ENOMEM;
1187  goto out;
1188  }
1189 
1190  t = try_then_request_module(xt_find_table_lock(net, AF_INET, name),
1191  "iptable_%s", name);
1192  if (!t || IS_ERR(t)) {
1193  ret = t ? PTR_ERR(t) : -ENOENT;
1194  goto free_newinfo_counters_untrans;
1195  }
1196 
1197  /* You lied! */
1198  if (valid_hooks != t->valid_hooks) {
1199  duprintf("Valid hook crap: %08X vs %08X\n",
1200  valid_hooks, t->valid_hooks);
1201  ret = -EINVAL;
1202  goto put_module;
1203  }
1204 
1205  oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1206  if (!oldinfo)
1207  goto put_module;
1208 
1209  /* Update module usage count based on number of rules */
1210  duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1211  oldinfo->number, oldinfo->initial_entries, newinfo->number);
1212  if ((oldinfo->number > oldinfo->initial_entries) ||
1213  (newinfo->number <= oldinfo->initial_entries))
1214  module_put(t->me);
1215  if ((oldinfo->number > oldinfo->initial_entries) &&
1216  (newinfo->number <= oldinfo->initial_entries))
1217  module_put(t->me);
1218 
1219  /* Get the old counters, and synchronize with replace */
1220  get_counters(oldinfo, counters);
1221 
1222  /* Decrease module usage counts and free resource */
1223  loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1224  xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
1225  cleanup_entry(iter, net);
1226 
1227  xt_free_table_info(oldinfo);
1228  if (copy_to_user(counters_ptr, counters,
1229  sizeof(struct xt_counters) * num_counters) != 0)
1230  ret = -EFAULT;
1231  vfree(counters);
1232  xt_table_unlock(t);
1233  return ret;
1234 
1235  put_module:
1236  module_put(t->me);
1237  xt_table_unlock(t);
1238  free_newinfo_counters_untrans:
1239  vfree(counters);
1240  out:
1241  return ret;
1242 }
1243 
1244 static int
1245 do_replace(struct net *net, const void __user *user, unsigned int len)
1246 {
1247  int ret;
1248  struct ipt_replace tmp;
1249  struct xt_table_info *newinfo;
1250  void *loc_cpu_entry;
1251  struct ipt_entry *iter;
1252 
1253  if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1254  return -EFAULT;
1255 
1256  /* overflow check */
1257  if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1258  return -ENOMEM;
1259  tmp.name[sizeof(tmp.name)-1] = 0;
1260 
1261  newinfo = xt_alloc_table_info(tmp.size);
1262  if (!newinfo)
1263  return -ENOMEM;
1264 
1265  /* choose the copy that is on our node/cpu */
1266  loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1267  if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1268  tmp.size) != 0) {
1269  ret = -EFAULT;
1270  goto free_newinfo;
1271  }
1272 
1273  ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1274  if (ret != 0)
1275  goto free_newinfo;
1276 
1277  duprintf("Translated table\n");
1278 
1279  ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1280  tmp.num_counters, tmp.counters);
1281  if (ret)
1282  goto free_newinfo_untrans;
1283  return 0;
1284 
1285  free_newinfo_untrans:
1286  xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1287  cleanup_entry(iter, net);
1288  free_newinfo:
1289  xt_free_table_info(newinfo);
1290  return ret;
1291 }
1292 
1293 static int
1294 do_add_counters(struct net *net, const void __user *user,
1295  unsigned int len, int compat)
1296 {
1297  unsigned int i, curcpu;
1298  struct xt_counters_info tmp;
1299  struct xt_counters *paddc;
1300  unsigned int num_counters;
1301  const char *name;
1302  int size;
1303  void *ptmp;
1304  struct xt_table *t;
1305  const struct xt_table_info *private;
1306  int ret = 0;
1307  void *loc_cpu_entry;
1308  struct ipt_entry *iter;
1309  unsigned int addend;
1310 #ifdef CONFIG_COMPAT
1311  struct compat_xt_counters_info compat_tmp;
1312 
1313  if (compat) {
1314  ptmp = &compat_tmp;
1315  size = sizeof(struct compat_xt_counters_info);
1316  } else
1317 #endif
1318  {
1319  ptmp = &tmp;
1320  size = sizeof(struct xt_counters_info);
1321  }
1322 
1323  if (copy_from_user(ptmp, user, size) != 0)
1324  return -EFAULT;
1325 
1326 #ifdef CONFIG_COMPAT
1327  if (compat) {
1328  num_counters = compat_tmp.num_counters;
1329  name = compat_tmp.name;
1330  } else
1331 #endif
1332  {
1333  num_counters = tmp.num_counters;
1334  name = tmp.name;
1335  }
1336 
1337  if (len != size + num_counters * sizeof(struct xt_counters))
1338  return -EINVAL;
1339 
1340  paddc = vmalloc(len - size);
1341  if (!paddc)
1342  return -ENOMEM;
1343 
1344  if (copy_from_user(paddc, user + size, len - size) != 0) {
1345  ret = -EFAULT;
1346  goto free;
1347  }
1348 
1349  t = xt_find_table_lock(net, AF_INET, name);
1350  if (!t || IS_ERR(t)) {
1351  ret = t ? PTR_ERR(t) : -ENOENT;
1352  goto free;
1353  }
1354 
1355  local_bh_disable();
1356  private = t->private;
1357  if (private->number != num_counters) {
1358  ret = -EINVAL;
1359  goto unlock_up_free;
1360  }
1361 
1362  i = 0;
1363  /* Choose the copy that is on our node */
1364  curcpu = smp_processor_id();
1365  loc_cpu_entry = private->entries[curcpu];
1366  addend = xt_write_recseq_begin();
1367  xt_entry_foreach(iter, loc_cpu_entry, private->size) {
1368  ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
1369  ++i;
1370  }
1371  xt_write_recseq_end(addend);
1372  unlock_up_free:
1373  local_bh_enable();
1374  xt_table_unlock(t);
1375  module_put(t->me);
1376  free:
1377  vfree(paddc);
1378 
1379  return ret;
1380 }
1381 
1382 #ifdef CONFIG_COMPAT
1383 struct compat_ipt_replace {
1384  char name[XT_TABLE_MAXNAMELEN];
1385  u32 valid_hooks;
1386  u32 num_entries;
1387  u32 size;
1388  u32 hook_entry[NF_INET_NUMHOOKS];
1389  u32 underflow[NF_INET_NUMHOOKS];
1390  u32 num_counters;
1391  compat_uptr_t counters; /* struct xt_counters * */
1392  struct compat_ipt_entry entries[0];
1393 };
1394 
1395 static int
1396 compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
1397  unsigned int *size, struct xt_counters *counters,
1398  unsigned int i)
1399 {
1400  struct xt_entry_target *t;
1401  struct compat_ipt_entry __user *ce;
1402  u_int16_t target_offset, next_offset;
1403  compat_uint_t origsize;
1404  const struct xt_entry_match *ematch;
1405  int ret = 0;
1406 
1407  origsize = *size;
1408  ce = (struct compat_ipt_entry __user *)*dstptr;
1409  if (copy_to_user(ce, e, sizeof(struct ipt_entry)) != 0 ||
1410  copy_to_user(&ce->counters, &counters[i],
1411  sizeof(counters[i])) != 0)
1412  return -EFAULT;
1413 
1414  *dstptr += sizeof(struct compat_ipt_entry);
1415  *size -= sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1416 
1417  xt_ematch_foreach(ematch, e) {
1418  ret = xt_compat_match_to_user(ematch, dstptr, size);
1419  if (ret != 0)
1420  return ret;
1421  }
1422  target_offset = e->target_offset - (origsize - *size);
1423  t = ipt_get_target(e);
1424  ret = xt_compat_target_to_user(t, dstptr, size);
1425  if (ret)
1426  return ret;
1427  next_offset = e->next_offset - (origsize - *size);
1428  if (put_user(target_offset, &ce->target_offset) != 0 ||
1429  put_user(next_offset, &ce->next_offset) != 0)
1430  return -EFAULT;
1431  return 0;
1432 }
1433 
1434 static int
1435 compat_find_calc_match(struct xt_entry_match *m,
1436  const char *name,
1437  const struct ipt_ip *ip,
1438  unsigned int hookmask,
1439  int *size)
1440 {
1441  struct xt_match *match;
1442 
1443  match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
1444  m->u.user.revision);
1445  if (IS_ERR(match)) {
1446  duprintf("compat_check_calc_match: `%s' not found\n",
1447  m->u.user.name);
1448  return PTR_ERR(match);
1449  }
1450  m->u.kernel.match = match;
1451  *size += xt_compat_match_offset(match);
1452  return 0;
1453 }
1454 
1455 static void compat_release_entry(struct compat_ipt_entry *e)
1456 {
1457  struct xt_entry_target *t;
1458  struct xt_entry_match *ematch;
1459 
1460  /* Cleanup all matches */
1461  xt_ematch_foreach(ematch, e)
1462  module_put(ematch->u.kernel.match->me);
1463  t = compat_ipt_get_target(e);
1464  module_put(t->u.kernel.target->me);
1465 }
1466 
1467 static int
1468 check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
1469  struct xt_table_info *newinfo,
1470  unsigned int *size,
1471  const unsigned char *base,
1472  const unsigned char *limit,
1473  const unsigned int *hook_entries,
1474  const unsigned int *underflows,
1475  const char *name)
1476 {
1477  struct xt_entry_match *ematch;
1478  struct xt_entry_target *t;
1479  struct xt_target *target;
1480  unsigned int entry_offset;
1481  unsigned int j;
1482  int ret, off, h;
1483 
1484  duprintf("check_compat_entry_size_and_hooks %p\n", e);
1485  if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
1486  (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1487  duprintf("Bad offset %p, limit = %p\n", e, limit);
1488  return -EINVAL;
1489  }
1490 
1491  if (e->next_offset < sizeof(struct compat_ipt_entry) +
1492  sizeof(struct compat_xt_entry_target)) {
1493  duprintf("checking: element %p size %u\n",
1494  e, e->next_offset);
1495  return -EINVAL;
1496  }
1497 
1498  /* For purposes of check_entry casting the compat entry is fine */
1499  ret = check_entry((struct ipt_entry *)e, name);
1500  if (ret)
1501  return ret;
1502 
1503  off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1504  entry_offset = (void *)e - (void *)base;
1505  j = 0;
1506  xt_ematch_foreach(ematch, e) {
1507  ret = compat_find_calc_match(ematch, name,
1508  &e->ip, e->comefrom, &off);
1509  if (ret != 0)
1510  goto release_matches;
1511  ++j;
1512  }
1513 
1514  t = compat_ipt_get_target(e);
1515  target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
1516  t->u.user.revision);
1517  if (IS_ERR(target)) {
1518  duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1519  t->u.user.name);
1520  ret = PTR_ERR(target);
1521  goto release_matches;
1522  }
1523  t->u.kernel.target = target;
1524 
1525  off += xt_compat_target_offset(target);
1526  *size += off;
1527  ret = xt_compat_add_offset(AF_INET, entry_offset, off);
1528  if (ret)
1529  goto out;
1530 
1531  /* Check hooks & underflows */
1532  for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1533  if ((unsigned char *)e - base == hook_entries[h])
1534  newinfo->hook_entry[h] = hook_entries[h];
1535  if ((unsigned char *)e - base == underflows[h])
1536  newinfo->underflow[h] = underflows[h];
1537  }
1538 
1539  /* Clear counters and comefrom */
1540  memset(&e->counters, 0, sizeof(e->counters));
1541  e->comefrom = 0;
1542  return 0;
1543 
1544 out:
1545  module_put(t->u.kernel.target->me);
1546 release_matches:
1547  xt_ematch_foreach(ematch, e) {
1548  if (j-- == 0)
1549  break;
1550  module_put(ematch->u.kernel.match->me);
1551  }
1552  return ret;
1553 }
1554 
1555 static int
1556 compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
1557  unsigned int *size, const char *name,
1558  struct xt_table_info *newinfo, unsigned char *base)
1559 {
1560  struct xt_entry_target *t;
1561  struct xt_target *target;
1562  struct ipt_entry *de;
1563  unsigned int origsize;
1564  int ret, h;
1565  struct xt_entry_match *ematch;
1566 
1567  ret = 0;
1568  origsize = *size;
1569  de = (struct ipt_entry *)*dstptr;
1570  memcpy(de, e, sizeof(struct ipt_entry));
1571  memcpy(&de->counters, &e->counters, sizeof(e->counters));
1572 
1573  *dstptr += sizeof(struct ipt_entry);
1574  *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
1575 
1576  xt_ematch_foreach(ematch, e) {
1577  ret = xt_compat_match_from_user(ematch, dstptr, size);
1578  if (ret != 0)
1579  return ret;
1580  }
1581  de->target_offset = e->target_offset - (origsize - *size);
1582  t = compat_ipt_get_target(e);
1583  target = t->u.kernel.target;
1584  xt_compat_target_from_user(t, dstptr, size);
1585 
1586  de->next_offset = e->next_offset - (origsize - *size);
1587  for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1588  if ((unsigned char *)de - base < newinfo->hook_entry[h])
1589  newinfo->hook_entry[h] -= origsize - *size;
1590  if ((unsigned char *)de - base < newinfo->underflow[h])
1591  newinfo->underflow[h] -= origsize - *size;
1592  }
1593  return ret;
1594 }
1595 
1596 static int
1597 compat_check_entry(struct ipt_entry *e, struct net *net, const char *name)
1598 {
1599  struct xt_entry_match *ematch;
1600  struct xt_mtchk_param mtpar;
1601  unsigned int j;
1602  int ret = 0;
1603 
1604  j = 0;
1605  mtpar.net = net;
1606  mtpar.table = name;
1607  mtpar.entryinfo = &e->ip;
1608  mtpar.hook_mask = e->comefrom;
1609  mtpar.family = NFPROTO_IPV4;
1610  xt_ematch_foreach(ematch, e) {
1611  ret = check_match(ematch, &mtpar);
1612  if (ret != 0)
1613  goto cleanup_matches;
1614  ++j;
1615  }
1616 
1617  ret = check_target(e, net, name);
1618  if (ret)
1619  goto cleanup_matches;
1620  return 0;
1621 
1622  cleanup_matches:
1623  xt_ematch_foreach(ematch, e) {
1624  if (j-- == 0)
1625  break;
1626  cleanup_match(ematch, net);
1627  }
1628  return ret;
1629 }
1630 
1631 static int
1632 translate_compat_table(struct net *net,
1633  const char *name,
1634  unsigned int valid_hooks,
1635  struct xt_table_info **pinfo,
1636  void **pentry0,
1637  unsigned int total_size,
1638  unsigned int number,
1639  unsigned int *hook_entries,
1640  unsigned int *underflows)
1641 {
1642  unsigned int i, j;
1643  struct xt_table_info *newinfo, *info;
1644  void *pos, *entry0, *entry1;
1645  struct compat_ipt_entry *iter0;
1646  struct ipt_entry *iter1;
1647  unsigned int size;
1648  int ret;
1649 
1650  info = *pinfo;
1651  entry0 = *pentry0;
1652  size = total_size;
1653  info->number = number;
1654 
1655  /* Init all hooks to impossible value. */
1656  for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1657  info->hook_entry[i] = 0xFFFFFFFF;
1658  info->underflow[i] = 0xFFFFFFFF;
1659  }
1660 
1661  duprintf("translate_compat_table: size %u\n", info->size);
1662  j = 0;
1663  xt_compat_lock(AF_INET);
1664  xt_compat_init_offsets(AF_INET, number);
1665  /* Walk through entries, checking offsets. */
1666  xt_entry_foreach(iter0, entry0, total_size) {
1667  ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1668  entry0,
1669  entry0 + total_size,
1670  hook_entries,
1671  underflows,
1672  name);
1673  if (ret != 0)
1674  goto out_unlock;
1675  ++j;
1676  }
1677 
1678  ret = -EINVAL;
1679  if (j != number) {
1680  duprintf("translate_compat_table: %u not %u entries\n",
1681  j, number);
1682  goto out_unlock;
1683  }
1684 
1685  /* Check hooks all assigned */
1686  for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1687  /* Only hooks which are valid */
1688  if (!(valid_hooks & (1 << i)))
1689  continue;
1690  if (info->hook_entry[i] == 0xFFFFFFFF) {
1691  duprintf("Invalid hook entry %u %u\n",
1692  i, hook_entries[i]);
1693  goto out_unlock;
1694  }
1695  if (info->underflow[i] == 0xFFFFFFFF) {
1696  duprintf("Invalid underflow %u %u\n",
1697  i, underflows[i]);
1698  goto out_unlock;
1699  }
1700  }
1701 
1702  ret = -ENOMEM;
1703  newinfo = xt_alloc_table_info(size);
1704  if (!newinfo)
1705  goto out_unlock;
1706 
1707  newinfo->number = number;
1708  for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1709  newinfo->hook_entry[i] = info->hook_entry[i];
1710  newinfo->underflow[i] = info->underflow[i];
1711  }
1712  entry1 = newinfo->entries[raw_smp_processor_id()];
1713  pos = entry1;
1714  size = total_size;
1715  xt_entry_foreach(iter0, entry0, total_size) {
1716  ret = compat_copy_entry_from_user(iter0, &pos, &size,
1717  name, newinfo, entry1);
1718  if (ret != 0)
1719  break;
1720  }
1721  xt_compat_flush_offsets(AF_INET);
1722  xt_compat_unlock(AF_INET);
1723  if (ret)
1724  goto free_newinfo;
1725 
1726  ret = -ELOOP;
1727  if (!mark_source_chains(newinfo, valid_hooks, entry1))
1728  goto free_newinfo;
1729 
1730  i = 0;
1731  xt_entry_foreach(iter1, entry1, newinfo->size) {
1732  ret = compat_check_entry(iter1, net, name);
1733  if (ret != 0)
1734  break;
1735  ++i;
1736  if (strcmp(ipt_get_target(iter1)->u.user.name,
1737  XT_ERROR_TARGET) == 0)
1738  ++newinfo->stacksize;
1739  }
1740  if (ret) {
1741  /*
1742  * The first i matches need cleanup_entry (calls ->destroy)
1743  * because they had called ->check already. The other j-i
1744  * entries need only release.
1745  */
1746  int skip = i;
1747  j -= i;
1748  xt_entry_foreach(iter0, entry0, newinfo->size) {
1749  if (skip-- > 0)
1750  continue;
1751  if (j-- == 0)
1752  break;
1753  compat_release_entry(iter0);
1754  }
1755  xt_entry_foreach(iter1, entry1, newinfo->size) {
1756  if (i-- == 0)
1757  break;
1758  cleanup_entry(iter1, net);
1759  }
1760  xt_free_table_info(newinfo);
1761  return ret;
1762  }
1763 
1764  /* And one copy for every other CPU */
1765  for_each_possible_cpu(i)
1766  if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1767  memcpy(newinfo->entries[i], entry1, newinfo->size);
1768 
1769  *pinfo = newinfo;
1770  *pentry0 = entry1;
1771  xt_free_table_info(info);
1772  return 0;
1773 
1774 free_newinfo:
1775  xt_free_table_info(newinfo);
1776 out:
1777  xt_entry_foreach(iter0, entry0, total_size) {
1778  if (j-- == 0)
1779  break;
1780  compat_release_entry(iter0);
1781  }
1782  return ret;
1783 out_unlock:
1784  xt_compat_flush_offsets(AF_INET);
1785  xt_compat_unlock(AF_INET);
1786  goto out;
1787 }
1788 
1789 static int
1790 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1791 {
1792  int ret;
1793  struct compat_ipt_replace tmp;
1794  struct xt_table_info *newinfo;
1795  void *loc_cpu_entry;
1796  struct ipt_entry *iter;
1797 
1798  if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1799  return -EFAULT;
1800 
1801  /* overflow check */
1802  if (tmp.size >= INT_MAX / num_possible_cpus())
1803  return -ENOMEM;
1804  if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1805  return -ENOMEM;
1806  tmp.name[sizeof(tmp.name)-1] = 0;
1807 
1808  newinfo = xt_alloc_table_info(tmp.size);
1809  if (!newinfo)
1810  return -ENOMEM;
1811 
1812  /* choose the copy that is on our node/cpu */
1813  loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1814  if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1815  tmp.size) != 0) {
1816  ret = -EFAULT;
1817  goto free_newinfo;
1818  }
1819 
1820  ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
1821  &newinfo, &loc_cpu_entry, tmp.size,
1822  tmp.num_entries, tmp.hook_entry,
1823  tmp.underflow);
1824  if (ret != 0)
1825  goto free_newinfo;
1826 
1827  duprintf("compat_do_replace: Translated table\n");
1828 
1829  ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1830  tmp.num_counters, compat_ptr(tmp.counters));
1831  if (ret)
1832  goto free_newinfo_untrans;
1833  return 0;
1834 
1835  free_newinfo_untrans:
1836  xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1837  cleanup_entry(iter, net);
1838  free_newinfo:
1839  xt_free_table_info(newinfo);
1840  return ret;
1841 }
1842 
1843 static int
1844 compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
1845  unsigned int len)
1846 {
1847  int ret;
1848 
1849  if (!capable(CAP_NET_ADMIN))
1850  return -EPERM;
1851 
1852  switch (cmd) {
1853  case IPT_SO_SET_REPLACE:
1854  ret = compat_do_replace(sock_net(sk), user, len);
1855  break;
1856 
1857  case IPT_SO_SET_ADD_COUNTERS:
1858  ret = do_add_counters(sock_net(sk), user, len, 1);
1859  break;
1860 
1861  default:
1862  duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
1863  ret = -EINVAL;
1864  }
1865 
1866  return ret;
1867 }
1868 
1869 struct compat_ipt_get_entries {
1870  char name[XT_TABLE_MAXNAMELEN];
1871  compat_uint_t size;
1872  struct compat_ipt_entry entrytable[0];
1873 };
1874 
1875 static int
1876 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1877  void __user *userptr)
1878 {
1879  struct xt_counters *counters;
1880  const struct xt_table_info *private = table->private;
1881  void __user *pos;
1882  unsigned int size;
1883  int ret = 0;
1884  const void *loc_cpu_entry;
1885  unsigned int i = 0;
1886  struct ipt_entry *iter;
1887 
1888  counters = alloc_counters(table);
1889  if (IS_ERR(counters))
1890  return PTR_ERR(counters);
1891 
1892  /* choose the copy that is on our node/cpu, ...
1893  * This choice is lazy (because current thread is
1894  * allowed to migrate to another cpu)
1895  */
1896  loc_cpu_entry = private->entries[raw_smp_processor_id()];
1897  pos = userptr;
1898  size = total_size;
1899  xt_entry_foreach(iter, loc_cpu_entry, total_size) {
1900  ret = compat_copy_entry_to_user(iter, &pos,
1901  &size, counters, i++);
1902  if (ret != 0)
1903  break;
1904  }
1905 
1906  vfree(counters);
1907  return ret;
1908 }
1909 
1910 static int
1911 compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
1912  int *len)
1913 {
1914  int ret;
1915  struct compat_ipt_get_entries get;
1916  struct xt_table *t;
1917 
1918  if (*len < sizeof(get)) {
1919  duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
1920  return -EINVAL;
1921  }
1922 
1923  if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1924  return -EFAULT;
1925 
1926  if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
1927  duprintf("compat_get_entries: %u != %zu\n",
1928  *len, sizeof(get) + get.size);
1929  return -EINVAL;
1930  }
1931 
1932  xt_compat_lock(AF_INET);
1933  t = xt_find_table_lock(net, AF_INET, get.name);
1934  if (t && !IS_ERR(t)) {
1935  const struct xt_table_info *private = t->private;
1936  struct xt_table_info info;
1937  duprintf("t->private->number = %u\n", private->number);
1938  ret = compat_table_info(private, &info);
1939  if (!ret && get.size == info.size) {
1940  ret = compat_copy_entries_to_user(private->size,
1941  t, uptr->entrytable);
1942  } else if (!ret) {
1943  duprintf("compat_get_entries: I've got %u not %u!\n",
1944  private->size, get.size);
1945  ret = -EAGAIN;
1946  }
1947  xt_compat_flush_offsets(AF_INET);
1948  module_put(t->me);
1949  xt_table_unlock(t);
1950  } else
1951  ret = t ? PTR_ERR(t) : -ENOENT;
1952 
1953  xt_compat_unlock(AF_INET);
1954  return ret;
1955 }
1956 
1957 static int do_ipt_get_ctl(struct sock *, int, void __user *, int *);
1958 
1959 static int
1960 compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1961 {
1962  int ret;
1963 
1964  if (!capable(CAP_NET_ADMIN))
1965  return -EPERM;
1966 
1967  switch (cmd) {
1968  case IPT_SO_GET_INFO:
1969  ret = get_info(sock_net(sk), user, len, 1);
1970  break;
1971  case IPT_SO_GET_ENTRIES:
1972  ret = compat_get_entries(sock_net(sk), user, len);
1973  break;
1974  default:
1975  ret = do_ipt_get_ctl(sk, cmd, user, len);
1976  }
1977  return ret;
1978 }
1979 #endif
1980 
1981 static int
1982 do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1983 {
1984  int ret;
1985 
1986  if (!capable(CAP_NET_ADMIN))
1987  return -EPERM;
1988 
1989  switch (cmd) {
1990  case IPT_SO_SET_REPLACE:
1991  ret = do_replace(sock_net(sk), user, len);
1992  break;
1993 
1994  case IPT_SO_SET_ADD_COUNTERS:
1995  ret = do_add_counters(sock_net(sk), user, len, 0);
1996  break;
1997 
1998  default:
1999  duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
2000  ret = -EINVAL;
2001  }
2002 
2003  return ret;
2004 }
2005 
2006 static int
2007 do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2008 {
2009  int ret;
2010 
2011  if (!capable(CAP_NET_ADMIN))
2012  return -EPERM;
2013 
2014  switch (cmd) {
2015  case IPT_SO_GET_INFO:
2016  ret = get_info(sock_net(sk), user, len, 0);
2017  break;
2018 
2019  case IPT_SO_GET_ENTRIES:
2020  ret = get_entries(sock_net(sk), user, len);
2021  break;
2022 
2023  case IPT_SO_GET_REVISION_MATCH:
2024  case IPT_SO_GET_REVISION_TARGET: {
2025  struct xt_get_revision rev;
2026  int target;
2027 
2028  if (*len != sizeof(rev)) {
2029  ret = -EINVAL;
2030  break;
2031  }
2032  if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2033  ret = -EFAULT;
2034  break;
2035  }
2036  rev.name[sizeof(rev.name)-1] = 0;
2037 
2038  if (cmd == IPT_SO_GET_REVISION_TARGET)
2039  target = 1;
2040  else
2041  target = 0;
2042 
2043  try_then_request_module(xt_find_revision(AF_INET, rev.name,
2044  rev.revision,
2045  target, &ret),
2046  "ipt_%s", rev.name);
2047  break;
2048  }
2049 
2050  default:
2051  duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
2052  ret = -EINVAL;
2053  }
2054 
2055  return ret;
2056 }
2057 
2058 struct xt_table *ipt_register_table(struct net *net,
2059  const struct xt_table *table,
2060  const struct ipt_replace *repl)
2061 {
2062  int ret;
2063  struct xt_table_info *newinfo;
2064  struct xt_table_info bootstrap = {0};
2065  void *loc_cpu_entry;
2066  struct xt_table *new_table;
2067 
2068  newinfo = xt_alloc_table_info(repl->size);
2069  if (!newinfo) {
2070  ret = -ENOMEM;
2071  goto out;
2072  }
2073 
2074  /* choose the copy on our node/cpu, but dont care about preemption */
2075  loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2076  memcpy(loc_cpu_entry, repl->entries, repl->size);
2077 
2078  ret = translate_table(net, newinfo, loc_cpu_entry, repl);
2079  if (ret != 0)
2080  goto out_free;
2081 
2082  new_table = xt_register_table(net, table, &bootstrap, newinfo);
2083  if (IS_ERR(new_table)) {
2084  ret = PTR_ERR(new_table);
2085  goto out_free;
2086  }
2087 
2088  return new_table;
2089 
2090 out_free:
2091  xt_free_table_info(newinfo);
2092 out:
2093  return ERR_PTR(ret);
2094 }
2095 
2096 void ipt_unregister_table(struct net *net, struct xt_table *table)
2097 {
2098  struct xt_table_info *private;
2099  void *loc_cpu_entry;
2100  struct module *table_owner = table->me;
2101  struct ipt_entry *iter;
2102 
2103  private = xt_unregister_table(table);
2104 
2105  /* Decrease module usage counts and free resources */
2106  loc_cpu_entry = private->entries[raw_smp_processor_id()];
2107  xt_entry_foreach(iter, loc_cpu_entry, private->size)
2108  cleanup_entry(iter, net);
2109  if (private->number > private->initial_entries)
2110  module_put(table_owner);
2111  xt_free_table_info(private);
2112 }
2113 
2114 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2115 static inline bool
2116 icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2117  u_int8_t type, u_int8_t code,
2118  bool invert)
2119 {
2120  return ((test_type == 0xFF) ||
2121  (type == test_type && code >= min_code && code <= max_code))
2122  ^ invert;
2123 }
2124 
2125 static bool
2126 icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
2127 {
2128  const struct icmphdr *ic;
2129  struct icmphdr _icmph;
2130  const struct ipt_icmp *icmpinfo = par->matchinfo;
2131 
2132  /* Must not be a fragment. */
2133  if (par->fragoff != 0)
2134  return false;
2135 
2136  ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
2137  if (ic == NULL) {
2138  /* We've been asked to examine this packet, and we
2139  * can't. Hence, no choice but to drop.
2140  */
2141  duprintf("Dropping evil ICMP tinygram.\n");
2142  par->hotdrop = true;
2143  return false;
2144  }
2145 
2146  return icmp_type_code_match(icmpinfo->type,
2147  icmpinfo->code[0],
2148  icmpinfo->code[1],
2149  ic->type, ic->code,
2150  !!(icmpinfo->invflags&IPT_ICMP_INV));
2151 }
2152 
2153 static int icmp_checkentry(const struct xt_mtchk_param *par)
2154 {
2155  const struct ipt_icmp *icmpinfo = par->matchinfo;
2156 
2157  /* Must specify no unknown invflags */
2158  return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
2159 }
2160 
2161 static struct xt_target ipt_builtin_tg[] __read_mostly = {
2162  {
2163  .name = XT_STANDARD_TARGET,
2164  .targetsize = sizeof(int),
2165  .family = NFPROTO_IPV4,
2166 #ifdef CONFIG_COMPAT
2167  .compatsize = sizeof(compat_int_t),
2168  .compat_from_user = compat_standard_from_user,
2169  .compat_to_user = compat_standard_to_user,
2170 #endif
2171  },
2172  {
2173  .name = XT_ERROR_TARGET,
2174  .target = ipt_error,
2175  .targetsize = XT_FUNCTION_MAXNAMELEN,
2176  .family = NFPROTO_IPV4,
2177  },
2178 };
2179 
2180 static struct nf_sockopt_ops ipt_sockopts = {
2181  .pf = PF_INET,
2182  .set_optmin = IPT_BASE_CTL,
2183  .set_optmax = IPT_SO_SET_MAX+1,
2184  .set = do_ipt_set_ctl,
2185 #ifdef CONFIG_COMPAT
2186  .compat_set = compat_do_ipt_set_ctl,
2187 #endif
2188  .get_optmin = IPT_BASE_CTL,
2189  .get_optmax = IPT_SO_GET_MAX+1,
2190  .get = do_ipt_get_ctl,
2191 #ifdef CONFIG_COMPAT
2192  .compat_get = compat_do_ipt_get_ctl,
2193 #endif
2194  .owner = THIS_MODULE,
2195 };
2196 
2197 static struct xt_match ipt_builtin_mt[] __read_mostly = {
2198  {
2199  .name = "icmp",
2200  .match = icmp_match,
2201  .matchsize = sizeof(struct ipt_icmp),
2202  .checkentry = icmp_checkentry,
2203  .proto = IPPROTO_ICMP,
2204  .family = NFPROTO_IPV4,
2205  },
2206 };
2207 
2208 static int __net_init ip_tables_net_init(struct net *net)
2209 {
2210  return xt_proto_init(net, NFPROTO_IPV4);
2211 }
2212 
2213 static void __net_exit ip_tables_net_exit(struct net *net)
2214 {
2215  xt_proto_fini(net, NFPROTO_IPV4);
2216 }
2217 
2218 static struct pernet_operations ip_tables_net_ops = {
2219  .init = ip_tables_net_init,
2220  .exit = ip_tables_net_exit,
2221 };
2222 
2223 static int __init ip_tables_init(void)
2224 {
2225  int ret;
2226 
2227  ret = register_pernet_subsys(&ip_tables_net_ops);
2228  if (ret < 0)
2229  goto err1;
2230 
2231  /* No one else will be downing sem now, so we won't sleep */
2232  ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2233  if (ret < 0)
2234  goto err2;
2235  ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2236  if (ret < 0)
2237  goto err4;
2238 
2239  /* Register setsockopt */
2240  ret = nf_register_sockopt(&ipt_sockopts);
2241  if (ret < 0)
2242  goto err5;
2243 
2244  pr_info("(C) 2000-2006 Netfilter Core Team\n");
2245  return 0;
2246 
2247 err5:
2248  xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2249 err4:
2250  xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2251 err2:
2252  unregister_pernet_subsys(&ip_tables_net_ops);
2253 err1:
2254  return ret;
2255 }
2256 
2257 static void __exit ip_tables_fini(void)
2258 {
2259  nf_unregister_sockopt(&ipt_sockopts);
2260 
2261  xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
2262  xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
2263  unregister_pernet_subsys(&ip_tables_net_ops);
2264 }
2265 
2266 EXPORT_SYMBOL(ipt_register_table);
2267 EXPORT_SYMBOL(ipt_unregister_table);
2268 EXPORT_SYMBOL(ipt_do_table);
2269 module_init(ip_tables_init);
2270 module_exit(ip_tables_fini);
Generated on Thu Jan 10 2013 14:58:37 for Linux Kernel by   doxygen 1.8.2