Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
x_tables.c
Go to the documentation of this file.
1 /*
2  * x_tables core - Backend for {ip,ip6,arp}_tables
3  *
4  * Copyright (C) 2006-2006 Harald Welte <[email protected]>
5  *
6  * Based on existing ip_tables code which is
7  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
8  * Copyright (C) 2000-2005 Netfilter Core Team <[email protected]>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2 as
12  * published by the Free Software Foundation.
13  *
14  */
15 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
16 #include <linux/kernel.h>
17 #include <linux/module.h>
18 #include <linux/socket.h>
19 #include <linux/net.h>
20 #include <linux/proc_fs.h>
21 #include <linux/seq_file.h>
22 #include <linux/string.h>
23 #include <linux/vmalloc.h>
24 #include <linux/mutex.h>
25 #include <linux/mm.h>
26 #include <linux/slab.h>
27 #include <linux/audit.h>
28 #include <net/net_namespace.h>
29 
30 #include <linux/netfilter/x_tables.h>
31 #include <linux/netfilter_arp.h>
32 #include <linux/netfilter_ipv4/ip_tables.h>
33 #include <linux/netfilter_ipv6/ip6_tables.h>
34 #include <linux/netfilter_arp/arp_tables.h>
35 
36 MODULE_LICENSE("GPL");
37 MODULE_AUTHOR("Harald Welte <[email protected]>");
38 MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
39 
40 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
41 
42 struct compat_delta {
43  unsigned int offset; /* offset in kernel */
44  int delta; /* delta in 32bit user land */
45 };
46 
47 struct xt_af {
48  struct mutex mutex;
49  struct list_head match;
50  struct list_head target;
51 #ifdef CONFIG_COMPAT
52  struct mutex compat_mutex;
53  struct compat_delta *compat_tab;
54  unsigned int number; /* number of slots in compat_tab[] */
55  unsigned int cur; /* number of used slots in compat_tab[] */
56 #endif
57 };
58 
59 static struct xt_af *xt;
60 
61 static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
62  [NFPROTO_UNSPEC] = "x",
63  [NFPROTO_IPV4] = "ip",
64  [NFPROTO_ARP] = "arp",
65  [NFPROTO_BRIDGE] = "eb",
66  [NFPROTO_IPV6] = "ip6",
67 };
68 
69 /* Allow this many total (re)entries. */
70 static const unsigned int xt_jumpstack_multiplier = 2;
71 
72 /* Registration hooks for targets. */
73 int
74 xt_register_target(struct xt_target *target)
75 {
76  u_int8_t af = target->family;
77  int ret;
78 
79  ret = mutex_lock_interruptible(&xt[af].mutex);
80  if (ret != 0)
81  return ret;
82  list_add(&target->list, &xt[af].target);
83  mutex_unlock(&xt[af].mutex);
84  return ret;
85 }
86 EXPORT_SYMBOL(xt_register_target);
87 
88 void
89 xt_unregister_target(struct xt_target *target)
90 {
91  u_int8_t af = target->family;
92 
93  mutex_lock(&xt[af].mutex);
94  list_del(&target->list);
95  mutex_unlock(&xt[af].mutex);
96 }
97 EXPORT_SYMBOL(xt_unregister_target);
98 
99 int
100 xt_register_targets(struct xt_target *target, unsigned int n)
101 {
102  unsigned int i;
103  int err = 0;
104 
105  for (i = 0; i < n; i++) {
106  err = xt_register_target(&target[i]);
107  if (err)
108  goto err;
109  }
110  return err;
111 
112 err:
113  if (i > 0)
114  xt_unregister_targets(target, i);
115  return err;
116 }
117 EXPORT_SYMBOL(xt_register_targets);
118 
119 void
120 xt_unregister_targets(struct xt_target *target, unsigned int n)
121 {
122  while (n-- > 0)
123  xt_unregister_target(&target[n]);
124 }
125 EXPORT_SYMBOL(xt_unregister_targets);
126 
127 int
128 xt_register_match(struct xt_match *match)
129 {
130  u_int8_t af = match->family;
131  int ret;
132 
133  ret = mutex_lock_interruptible(&xt[af].mutex);
134  if (ret != 0)
135  return ret;
136 
137  list_add(&match->list, &xt[af].match);
138  mutex_unlock(&xt[af].mutex);
139 
140  return ret;
141 }
142 EXPORT_SYMBOL(xt_register_match);
143 
144 void
145 xt_unregister_match(struct xt_match *match)
146 {
147  u_int8_t af = match->family;
148 
149  mutex_lock(&xt[af].mutex);
150  list_del(&match->list);
151  mutex_unlock(&xt[af].mutex);
152 }
153 EXPORT_SYMBOL(xt_unregister_match);
154 
155 int
156 xt_register_matches(struct xt_match *match, unsigned int n)
157 {
158  unsigned int i;
159  int err = 0;
160 
161  for (i = 0; i < n; i++) {
162  err = xt_register_match(&match[i]);
163  if (err)
164  goto err;
165  }
166  return err;
167 
168 err:
169  if (i > 0)
170  xt_unregister_matches(match, i);
171  return err;
172 }
173 EXPORT_SYMBOL(xt_register_matches);
174 
175 void
176 xt_unregister_matches(struct xt_match *match, unsigned int n)
177 {
178  while (n-- > 0)
179  xt_unregister_match(&match[n]);
180 }
181 EXPORT_SYMBOL(xt_unregister_matches);
182 
183 
184 /*
185  * These are weird, but module loading must not be done with mutex
186  * held (since they will register), and we have to have a single
187  * function to use.
188  */
189 
190 /* Find match, grabs ref. Returns ERR_PTR() on error. */
191 struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
192 {
193  struct xt_match *m;
194  int err = -ENOENT;
195 
196  if (mutex_lock_interruptible(&xt[af].mutex) != 0)
197  return ERR_PTR(-EINTR);
198 
199  list_for_each_entry(m, &xt[af].match, list) {
200  if (strcmp(m->name, name) == 0) {
201  if (m->revision == revision) {
202  if (try_module_get(m->me)) {
203  mutex_unlock(&xt[af].mutex);
204  return m;
205  }
206  } else
207  err = -EPROTOTYPE; /* Found something. */
208  }
209  }
210  mutex_unlock(&xt[af].mutex);
211 
212  if (af != NFPROTO_UNSPEC)
213  /* Try searching again in the family-independent list */
214  return xt_find_match(NFPROTO_UNSPEC, name, revision);
215 
216  return ERR_PTR(err);
217 }
218 EXPORT_SYMBOL(xt_find_match);
219 
220 struct xt_match *
221 xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
222 {
223  struct xt_match *match;
224 
225  match = xt_find_match(nfproto, name, revision);
226  if (IS_ERR(match)) {
227  request_module("%st_%s", xt_prefix[nfproto], name);
228  match = xt_find_match(nfproto, name, revision);
229  }
230 
231  return match;
232 }
233 EXPORT_SYMBOL_GPL(xt_request_find_match);
234 
235 /* Find target, grabs ref. Returns ERR_PTR() on error. */
236 struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
237 {
238  struct xt_target *t;
239  int err = -ENOENT;
240 
241  if (mutex_lock_interruptible(&xt[af].mutex) != 0)
242  return ERR_PTR(-EINTR);
243 
244  list_for_each_entry(t, &xt[af].target, list) {
245  if (strcmp(t->name, name) == 0) {
246  if (t->revision == revision) {
247  if (try_module_get(t->me)) {
248  mutex_unlock(&xt[af].mutex);
249  return t;
250  }
251  } else
252  err = -EPROTOTYPE; /* Found something. */
253  }
254  }
255  mutex_unlock(&xt[af].mutex);
256 
257  if (af != NFPROTO_UNSPEC)
258  /* Try searching again in the family-independent list */
259  return xt_find_target(NFPROTO_UNSPEC, name, revision);
260 
261  return ERR_PTR(err);
262 }
263 EXPORT_SYMBOL(xt_find_target);
264 
265 struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
266 {
267  struct xt_target *target;
268 
269  target = xt_find_target(af, name, revision);
270  if (IS_ERR(target)) {
271  request_module("%st_%s", xt_prefix[af], name);
272  target = xt_find_target(af, name, revision);
273  }
274 
275  return target;
276 }
277 EXPORT_SYMBOL_GPL(xt_request_find_target);
278 
279 static int match_revfn(u8 af, const char *name, u8 revision, int *bestp)
280 {
281  const struct xt_match *m;
282  int have_rev = 0;
283 
284  list_for_each_entry(m, &xt[af].match, list) {
285  if (strcmp(m->name, name) == 0) {
286  if (m->revision > *bestp)
287  *bestp = m->revision;
288  if (m->revision == revision)
289  have_rev = 1;
290  }
291  }
292 
293  if (af != NFPROTO_UNSPEC && !have_rev)
294  return match_revfn(NFPROTO_UNSPEC, name, revision, bestp);
295 
296  return have_rev;
297 }
298 
299 static int target_revfn(u8 af, const char *name, u8 revision, int *bestp)
300 {
301  const struct xt_target *t;
302  int have_rev = 0;
303 
304  list_for_each_entry(t, &xt[af].target, list) {
305  if (strcmp(t->name, name) == 0) {
306  if (t->revision > *bestp)
307  *bestp = t->revision;
308  if (t->revision == revision)
309  have_rev = 1;
310  }
311  }
312 
313  if (af != NFPROTO_UNSPEC && !have_rev)
314  return target_revfn(NFPROTO_UNSPEC, name, revision, bestp);
315 
316  return have_rev;
317 }
318 
319 /* Returns true or false (if no such extension at all) */
320 int xt_find_revision(u8 af, const char *name, u8 revision, int target,
321  int *err)
322 {
323  int have_rev, best = -1;
324 
325  if (mutex_lock_interruptible(&xt[af].mutex) != 0) {
326  *err = -EINTR;
327  return 1;
328  }
329  if (target == 1)
330  have_rev = target_revfn(af, name, revision, &best);
331  else
332  have_rev = match_revfn(af, name, revision, &best);
333  mutex_unlock(&xt[af].mutex);
334 
335  /* Nothing at all? Return 0 to try loading module. */
336  if (best == -1) {
337  *err = -ENOENT;
338  return 0;
339  }
340 
341  *err = best;
342  if (!have_rev)
343  *err = -EPROTONOSUPPORT;
344  return 1;
345 }
346 EXPORT_SYMBOL_GPL(xt_find_revision);
347 
348 static char *textify_hooks(char *buf, size_t size, unsigned int mask)
349 {
350  static const char *const names[] = {
351  "PREROUTING", "INPUT", "FORWARD",
352  "OUTPUT", "POSTROUTING", "BROUTING",
353  };
354  unsigned int i;
355  char *p = buf;
356  bool np = false;
357  int res;
358 
359  *p = '\0';
360  for (i = 0; i < ARRAY_SIZE(names); ++i) {
361  if (!(mask & (1 << i)))
362  continue;
363  res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]);
364  if (res > 0) {
365  size -= res;
366  p += res;
367  }
368  np = true;
369  }
370 
371  return buf;
372 }
373 
374 int xt_check_match(struct xt_mtchk_param *par,
375  unsigned int size, u_int8_t proto, bool inv_proto)
376 {
377  int ret;
378 
379  if (XT_ALIGN(par->match->matchsize) != size &&
380  par->match->matchsize != -1) {
381  /*
382  * ebt_among is exempt from centralized matchsize checking
383  * because it uses a dynamic-size data set.
384  */
385  pr_err("%s_tables: %s.%u match: invalid size "
386  "%u (kernel) != (user) %u\n",
387  xt_prefix[par->family], par->match->name,
388  par->match->revision,
389  XT_ALIGN(par->match->matchsize), size);
390  return -EINVAL;
391  }
392  if (par->match->table != NULL &&
393  strcmp(par->match->table, par->table) != 0) {
394  pr_err("%s_tables: %s match: only valid in %s table, not %s\n",
395  xt_prefix[par->family], par->match->name,
396  par->match->table, par->table);
397  return -EINVAL;
398  }
399  if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
400  char used[64], allow[64];
401 
402  pr_err("%s_tables: %s match: used from hooks %s, but only "
403  "valid from %s\n",
404  xt_prefix[par->family], par->match->name,
405  textify_hooks(used, sizeof(used), par->hook_mask),
406  textify_hooks(allow, sizeof(allow), par->match->hooks));
407  return -EINVAL;
408  }
409  if (par->match->proto && (par->match->proto != proto || inv_proto)) {
410  pr_err("%s_tables: %s match: only valid for protocol %u\n",
411  xt_prefix[par->family], par->match->name,
412  par->match->proto);
413  return -EINVAL;
414  }
415  if (par->match->checkentry != NULL) {
416  ret = par->match->checkentry(par);
417  if (ret < 0)
418  return ret;
419  else if (ret > 0)
420  /* Flag up potential errors. */
421  return -EIO;
422  }
423  return 0;
424 }
425 EXPORT_SYMBOL_GPL(xt_check_match);
426 
427 #ifdef CONFIG_COMPAT
428 int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
429 {
430  struct xt_af *xp = &xt[af];
431 
432  if (!xp->compat_tab) {
433  if (!xp->number)
434  return -EINVAL;
435  xp->compat_tab = vmalloc(sizeof(struct compat_delta) * xp->number);
436  if (!xp->compat_tab)
437  return -ENOMEM;
438  xp->cur = 0;
439  }
440 
441  if (xp->cur >= xp->number)
442  return -EINVAL;
443 
444  if (xp->cur)
445  delta += xp->compat_tab[xp->cur - 1].delta;
446  xp->compat_tab[xp->cur].offset = offset;
447  xp->compat_tab[xp->cur].delta = delta;
448  xp->cur++;
449  return 0;
450 }
451 EXPORT_SYMBOL_GPL(xt_compat_add_offset);
452 
453 void xt_compat_flush_offsets(u_int8_t af)
454 {
455  if (xt[af].compat_tab) {
456  vfree(xt[af].compat_tab);
457  xt[af].compat_tab = NULL;
458  xt[af].number = 0;
459  xt[af].cur = 0;
460  }
461 }
462 EXPORT_SYMBOL_GPL(xt_compat_flush_offsets);
463 
464 int xt_compat_calc_jump(u_int8_t af, unsigned int offset)
465 {
466  struct compat_delta *tmp = xt[af].compat_tab;
467  int mid, left = 0, right = xt[af].cur - 1;
468 
469  while (left <= right) {
470  mid = (left + right) >> 1;
471  if (offset > tmp[mid].offset)
472  left = mid + 1;
473  else if (offset < tmp[mid].offset)
474  right = mid - 1;
475  else
476  return mid ? tmp[mid - 1].delta : 0;
477  }
478  return left ? tmp[left - 1].delta : 0;
479 }
480 EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
481 
482 void xt_compat_init_offsets(u_int8_t af, unsigned int number)
483 {
484  xt[af].number = number;
485  xt[af].cur = 0;
486 }
487 EXPORT_SYMBOL(xt_compat_init_offsets);
488 
489 int xt_compat_match_offset(const struct xt_match *match)
490 {
491  u_int16_t csize = match->compatsize ? : match->matchsize;
492  return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
493 }
494 EXPORT_SYMBOL_GPL(xt_compat_match_offset);
495 
496 int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
497  unsigned int *size)
498 {
499  const struct xt_match *match = m->u.kernel.match;
500  struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
501  int pad, off = xt_compat_match_offset(match);
502  u_int16_t msize = cm->u.user.match_size;
503 
504  m = *dstptr;
505  memcpy(m, cm, sizeof(*cm));
506  if (match->compat_from_user)
507  match->compat_from_user(m->data, cm->data);
508  else
509  memcpy(m->data, cm->data, msize - sizeof(*cm));
510  pad = XT_ALIGN(match->matchsize) - match->matchsize;
511  if (pad > 0)
512  memset(m->data + match->matchsize, 0, pad);
513 
514  msize += off;
515  m->u.user.match_size = msize;
516 
517  *size += off;
518  *dstptr += msize;
519  return 0;
520 }
521 EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
522 
523 int xt_compat_match_to_user(const struct xt_entry_match *m,
524  void __user **dstptr, unsigned int *size)
525 {
526  const struct xt_match *match = m->u.kernel.match;
527  struct compat_xt_entry_match __user *cm = *dstptr;
528  int off = xt_compat_match_offset(match);
529  u_int16_t msize = m->u.user.match_size - off;
530 
531  if (copy_to_user(cm, m, sizeof(*cm)) ||
532  put_user(msize, &cm->u.user.match_size) ||
533  copy_to_user(cm->u.user.name, m->u.kernel.match->name,
534  strlen(m->u.kernel.match->name) + 1))
535  return -EFAULT;
536 
537  if (match->compat_to_user) {
538  if (match->compat_to_user((void __user *)cm->data, m->data))
539  return -EFAULT;
540  } else {
541  if (copy_to_user(cm->data, m->data, msize - sizeof(*cm)))
542  return -EFAULT;
543  }
544 
545  *size -= off;
546  *dstptr += msize;
547  return 0;
548 }
549 EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
550 #endif /* CONFIG_COMPAT */
551 
552 int xt_check_target(struct xt_tgchk_param *par,
553  unsigned int size, u_int8_t proto, bool inv_proto)
554 {
555  int ret;
556 
557  if (XT_ALIGN(par->target->targetsize) != size) {
558  pr_err("%s_tables: %s.%u target: invalid size "
559  "%u (kernel) != (user) %u\n",
560  xt_prefix[par->family], par->target->name,
561  par->target->revision,
562  XT_ALIGN(par->target->targetsize), size);
563  return -EINVAL;
564  }
565  if (par->target->table != NULL &&
566  strcmp(par->target->table, par->table) != 0) {
567  pr_err("%s_tables: %s target: only valid in %s table, not %s\n",
568  xt_prefix[par->family], par->target->name,
569  par->target->table, par->table);
570  return -EINVAL;
571  }
572  if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) {
573  char used[64], allow[64];
574 
575  pr_err("%s_tables: %s target: used from hooks %s, but only "
576  "usable from %s\n",
577  xt_prefix[par->family], par->target->name,
578  textify_hooks(used, sizeof(used), par->hook_mask),
579  textify_hooks(allow, sizeof(allow), par->target->hooks));
580  return -EINVAL;
581  }
582  if (par->target->proto && (par->target->proto != proto || inv_proto)) {
583  pr_err("%s_tables: %s target: only valid for protocol %u\n",
584  xt_prefix[par->family], par->target->name,
585  par->target->proto);
586  return -EINVAL;
587  }
588  if (par->target->checkentry != NULL) {
589  ret = par->target->checkentry(par);
590  if (ret < 0)
591  return ret;
592  else if (ret > 0)
593  /* Flag up potential errors. */
594  return -EIO;
595  }
596  return 0;
597 }
598 EXPORT_SYMBOL_GPL(xt_check_target);
599 
600 #ifdef CONFIG_COMPAT
601 int xt_compat_target_offset(const struct xt_target *target)
602 {
603  u_int16_t csize = target->compatsize ? : target->targetsize;
604  return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
605 }
606 EXPORT_SYMBOL_GPL(xt_compat_target_offset);
607 
608 void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
609  unsigned int *size)
610 {
611  const struct xt_target *target = t->u.kernel.target;
612  struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
613  int pad, off = xt_compat_target_offset(target);
614  u_int16_t tsize = ct->u.user.target_size;
615 
616  t = *dstptr;
617  memcpy(t, ct, sizeof(*ct));
618  if (target->compat_from_user)
619  target->compat_from_user(t->data, ct->data);
620  else
621  memcpy(t->data, ct->data, tsize - sizeof(*ct));
622  pad = XT_ALIGN(target->targetsize) - target->targetsize;
623  if (pad > 0)
624  memset(t->data + target->targetsize, 0, pad);
625 
626  tsize += off;
627  t->u.user.target_size = tsize;
628 
629  *size += off;
630  *dstptr += tsize;
631 }
632 EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
633 
634 int xt_compat_target_to_user(const struct xt_entry_target *t,
635  void __user **dstptr, unsigned int *size)
636 {
637  const struct xt_target *target = t->u.kernel.target;
638  struct compat_xt_entry_target __user *ct = *dstptr;
639  int off = xt_compat_target_offset(target);
640  u_int16_t tsize = t->u.user.target_size - off;
641 
642  if (copy_to_user(ct, t, sizeof(*ct)) ||
643  put_user(tsize, &ct->u.user.target_size) ||
644  copy_to_user(ct->u.user.name, t->u.kernel.target->name,
645  strlen(t->u.kernel.target->name) + 1))
646  return -EFAULT;
647 
648  if (target->compat_to_user) {
649  if (target->compat_to_user((void __user *)ct->data, t->data))
650  return -EFAULT;
651  } else {
652  if (copy_to_user(ct->data, t->data, tsize - sizeof(*ct)))
653  return -EFAULT;
654  }
655 
656  *size -= off;
657  *dstptr += tsize;
658  return 0;
659 }
660 EXPORT_SYMBOL_GPL(xt_compat_target_to_user);
661 #endif
662 
663 struct xt_table_info *xt_alloc_table_info(unsigned int size)
664 {
665  struct xt_table_info *newinfo;
666  int cpu;
667 
668  /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
669  if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
670  return NULL;
671 
672  newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL);
673  if (!newinfo)
674  return NULL;
675 
676  newinfo->size = size;
677 
678  for_each_possible_cpu(cpu) {
679  if (size <= PAGE_SIZE)
680  newinfo->entries[cpu] = kmalloc_node(size,
681  GFP_KERNEL,
682  cpu_to_node(cpu));
683  else
684  newinfo->entries[cpu] = vmalloc_node(size,
685  cpu_to_node(cpu));
686 
687  if (newinfo->entries[cpu] == NULL) {
688  xt_free_table_info(newinfo);
689  return NULL;
690  }
691  }
692 
693  return newinfo;
694 }
695 EXPORT_SYMBOL(xt_alloc_table_info);
696 
697 void xt_free_table_info(struct xt_table_info *info)
698 {
699  int cpu;
700 
701  for_each_possible_cpu(cpu) {
702  if (info->size <= PAGE_SIZE)
703  kfree(info->entries[cpu]);
704  else
705  vfree(info->entries[cpu]);
706  }
707 
708  if (info->jumpstack != NULL) {
709  if (sizeof(void *) * info->stacksize > PAGE_SIZE) {
710  for_each_possible_cpu(cpu)
711  vfree(info->jumpstack[cpu]);
712  } else {
713  for_each_possible_cpu(cpu)
714  kfree(info->jumpstack[cpu]);
715  }
716  }
717 
718  if (sizeof(void **) * nr_cpu_ids > PAGE_SIZE)
719  vfree(info->jumpstack);
720  else
721  kfree(info->jumpstack);
722 
723  free_percpu(info->stackptr);
724 
725  kfree(info);
726 }
727 EXPORT_SYMBOL(xt_free_table_info);
728 
729 /* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */
730 struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
731  const char *name)
732 {
733  struct xt_table *t;
734 
735  if (mutex_lock_interruptible(&xt[af].mutex) != 0)
736  return ERR_PTR(-EINTR);
737 
738  list_for_each_entry(t, &net->xt.tables[af], list)
739  if (strcmp(t->name, name) == 0 && try_module_get(t->me))
740  return t;
741  mutex_unlock(&xt[af].mutex);
742  return NULL;
743 }
744 EXPORT_SYMBOL_GPL(xt_find_table_lock);
745 
746 void xt_table_unlock(struct xt_table *table)
747 {
748  mutex_unlock(&xt[table->af].mutex);
749 }
750 EXPORT_SYMBOL_GPL(xt_table_unlock);
751 
752 #ifdef CONFIG_COMPAT
753 void xt_compat_lock(u_int8_t af)
754 {
755  mutex_lock(&xt[af].compat_mutex);
756 }
757 EXPORT_SYMBOL_GPL(xt_compat_lock);
758 
759 void xt_compat_unlock(u_int8_t af)
760 {
761  mutex_unlock(&xt[af].compat_mutex);
762 }
763 EXPORT_SYMBOL_GPL(xt_compat_unlock);
764 #endif
765 
766 DEFINE_PER_CPU(seqcount_t, xt_recseq);
767 EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
768 
769 static int xt_jumpstack_alloc(struct xt_table_info *i)
770 {
771  unsigned int size;
772  int cpu;
773 
774  i->stackptr = alloc_percpu(unsigned int);
775  if (i->stackptr == NULL)
776  return -ENOMEM;
777 
778  size = sizeof(void **) * nr_cpu_ids;
779  if (size > PAGE_SIZE)
780  i->jumpstack = vzalloc(size);
781  else
782  i->jumpstack = kzalloc(size, GFP_KERNEL);
783  if (i->jumpstack == NULL)
784  return -ENOMEM;
785 
786  i->stacksize *= xt_jumpstack_multiplier;
787  size = sizeof(void *) * i->stacksize;
788  for_each_possible_cpu(cpu) {
789  if (size > PAGE_SIZE)
790  i->jumpstack[cpu] = vmalloc_node(size,
791  cpu_to_node(cpu));
792  else
793  i->jumpstack[cpu] = kmalloc_node(size,
794  GFP_KERNEL, cpu_to_node(cpu));
795  if (i->jumpstack[cpu] == NULL)
796  /*
797  * Freeing will be done later on by the callers. The
798  * chain is: xt_replace_table -> __do_replace ->
799  * do_replace -> xt_free_table_info.
800  */
801  return -ENOMEM;
802  }
803 
804  return 0;
805 }
806 
807 struct xt_table_info *
808 xt_replace_table(struct xt_table *table,
809  unsigned int num_counters,
810  struct xt_table_info *newinfo,
811  int *error)
812 {
813  struct xt_table_info *private;
814  int ret;
815 
816  ret = xt_jumpstack_alloc(newinfo);
817  if (ret < 0) {
818  *error = ret;
819  return NULL;
820  }
821 
822  /* Do the substitution. */
823  local_bh_disable();
824  private = table->private;
825 
826  /* Check inside lock: is the old number correct? */
827  if (num_counters != private->number) {
828  pr_debug("num_counters != table->private->number (%u/%u)\n",
829  num_counters, private->number);
830  local_bh_enable();
831  *error = -EAGAIN;
832  return NULL;
833  }
834 
835  table->private = newinfo;
836  newinfo->initial_entries = private->initial_entries;
837 
838  /*
839  * Even though table entries have now been swapped, other CPU's
840  * may still be using the old entries. This is okay, because
841  * resynchronization happens because of the locking done
842  * during the get_counters() routine.
843  */
844  local_bh_enable();
845 
846 #ifdef CONFIG_AUDIT
847  if (audit_enabled) {
848  struct audit_buffer *ab;
849 
850  ab = audit_log_start(current->audit_context, GFP_KERNEL,
851  AUDIT_NETFILTER_CFG);
852  if (ab) {
853  audit_log_format(ab, "table=%s family=%u entries=%u",
854  table->name, table->af,
855  private->number);
856  audit_log_end(ab);
857  }
858  }
859 #endif
860 
861  return private;
862 }
863 EXPORT_SYMBOL_GPL(xt_replace_table);
864 
865 struct xt_table *xt_register_table(struct net *net,
866  const struct xt_table *input_table,
867  struct xt_table_info *bootstrap,
868  struct xt_table_info *newinfo)
869 {
870  int ret;
871  struct xt_table_info *private;
872  struct xt_table *t, *table;
873 
874  /* Don't add one object to multiple lists. */
875  table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
876  if (!table) {
877  ret = -ENOMEM;
878  goto out;
879  }
880 
881  ret = mutex_lock_interruptible(&xt[table->af].mutex);
882  if (ret != 0)
883  goto out_free;
884 
885  /* Don't autoload: we'd eat our tail... */
886  list_for_each_entry(t, &net->xt.tables[table->af], list) {
887  if (strcmp(t->name, table->name) == 0) {
888  ret = -EEXIST;
889  goto unlock;
890  }
891  }
892 
893  /* Simplifies replace_table code. */
894  table->private = bootstrap;
895 
896  if (!xt_replace_table(table, 0, newinfo, &ret))
897  goto unlock;
898 
899  private = table->private;
900  pr_debug("table->private->number = %u\n", private->number);
901 
902  /* save number of initial entries */
903  private->initial_entries = private->number;
904 
905  list_add(&table->list, &net->xt.tables[table->af]);
906  mutex_unlock(&xt[table->af].mutex);
907  return table;
908 
909  unlock:
910  mutex_unlock(&xt[table->af].mutex);
911 out_free:
912  kfree(table);
913 out:
914  return ERR_PTR(ret);
915 }
916 EXPORT_SYMBOL_GPL(xt_register_table);
917 
918 void *xt_unregister_table(struct xt_table *table)
919 {
920  struct xt_table_info *private;
921 
922  mutex_lock(&xt[table->af].mutex);
923  private = table->private;
924  list_del(&table->list);
925  mutex_unlock(&xt[table->af].mutex);
926  kfree(table);
927 
928  return private;
929 }
930 EXPORT_SYMBOL_GPL(xt_unregister_table);
931 
932 #ifdef CONFIG_PROC_FS
933 struct xt_names_priv {
934  struct seq_net_private p;
935  u_int8_t af;
936 };
937 static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos)
938 {
939  struct xt_names_priv *priv = seq->private;
940  struct net *net = seq_file_net(seq);
941  u_int8_t af = priv->af;
942 
943  mutex_lock(&xt[af].mutex);
944  return seq_list_start(&net->xt.tables[af], *pos);
945 }
946 
947 static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos)
948 {
949  struct xt_names_priv *priv = seq->private;
950  struct net *net = seq_file_net(seq);
951  u_int8_t af = priv->af;
952 
953  return seq_list_next(v, &net->xt.tables[af], pos);
954 }
955 
956 static void xt_table_seq_stop(struct seq_file *seq, void *v)
957 {
958  struct xt_names_priv *priv = seq->private;
959  u_int8_t af = priv->af;
960 
961  mutex_unlock(&xt[af].mutex);
962 }
963 
964 static int xt_table_seq_show(struct seq_file *seq, void *v)
965 {
966  struct xt_table *table = list_entry(v, struct xt_table, list);
967 
968  if (strlen(table->name))
969  return seq_printf(seq, "%s\n", table->name);
970  else
971  return 0;
972 }
973 
974 static const struct seq_operations xt_table_seq_ops = {
975  .start = xt_table_seq_start,
976  .next = xt_table_seq_next,
977  .stop = xt_table_seq_stop,
978  .show = xt_table_seq_show,
979 };
980 
981 static int xt_table_open(struct inode *inode, struct file *file)
982 {
983  int ret;
984  struct xt_names_priv *priv;
985 
986  ret = seq_open_net(inode, file, &xt_table_seq_ops,
987  sizeof(struct xt_names_priv));
988  if (!ret) {
989  priv = ((struct seq_file *)file->private_data)->private;
990  priv->af = (unsigned long)PDE(inode)->data;
991  }
992  return ret;
993 }
994 
995 static const struct file_operations xt_table_ops = {
996  .owner = THIS_MODULE,
997  .open = xt_table_open,
998  .read = seq_read,
999  .llseek = seq_lseek,
1000  .release = seq_release_net,
1001 };
1002 
1003 /*
1004  * Traverse state for ip{,6}_{tables,matches} for helping crossing
1005  * the multi-AF mutexes.
1006  */
1007 struct nf_mttg_trav {
1008  struct list_head *head, *curr;
1009  uint8_t class, nfproto;
1010 };
1011 
1012 enum {
1013  MTTG_TRAV_INIT,
1014  MTTG_TRAV_NFP_UNSPEC,
1015  MTTG_TRAV_NFP_SPEC,
1016  MTTG_TRAV_DONE,
1017 };
1018 
1019 static void *xt_mttg_seq_next(struct seq_file *seq, void *v, loff_t *ppos,
1020  bool is_target)
1021 {
1022  static const uint8_t next_class[] = {
1023  [MTTG_TRAV_NFP_UNSPEC] = MTTG_TRAV_NFP_SPEC,
1024  [MTTG_TRAV_NFP_SPEC] = MTTG_TRAV_DONE,
1025  };
1026  struct nf_mttg_trav *trav = seq->private;
1027 
1028  switch (trav->class) {
1029  case MTTG_TRAV_INIT:
1030  trav->class = MTTG_TRAV_NFP_UNSPEC;
1031  mutex_lock(&xt[NFPROTO_UNSPEC].mutex);
1032  trav->head = trav->curr = is_target ?
1033  &xt[NFPROTO_UNSPEC].target : &xt[NFPROTO_UNSPEC].match;
1034  break;
1035  case MTTG_TRAV_NFP_UNSPEC:
1036  trav->curr = trav->curr->next;
1037  if (trav->curr != trav->head)
1038  break;
1039  mutex_unlock(&xt[NFPROTO_UNSPEC].mutex);
1040  mutex_lock(&xt[trav->nfproto].mutex);
1041  trav->head = trav->curr = is_target ?
1042  &xt[trav->nfproto].target : &xt[trav->nfproto].match;
1043  trav->class = next_class[trav->class];
1044  break;
1045  case MTTG_TRAV_NFP_SPEC:
1046  trav->curr = trav->curr->next;
1047  if (trav->curr != trav->head)
1048  break;
1049  /* fallthru, _stop will unlock */
1050  default:
1051  return NULL;
1052  }
1053 
1054  if (ppos != NULL)
1055  ++*ppos;
1056  return trav;
1057 }
1058 
1059 static void *xt_mttg_seq_start(struct seq_file *seq, loff_t *pos,
1060  bool is_target)
1061 {
1062  struct nf_mttg_trav *trav = seq->private;
1063  unsigned int j;
1064 
1065  trav->class = MTTG_TRAV_INIT;
1066  for (j = 0; j < *pos; ++j)
1067  if (xt_mttg_seq_next(seq, NULL, NULL, is_target) == NULL)
1068  return NULL;
1069  return trav;
1070 }
1071 
1072 static void xt_mttg_seq_stop(struct seq_file *seq, void *v)
1073 {
1074  struct nf_mttg_trav *trav = seq->private;
1075 
1076  switch (trav->class) {
1077  case MTTG_TRAV_NFP_UNSPEC:
1078  mutex_unlock(&xt[NFPROTO_UNSPEC].mutex);
1079  break;
1080  case MTTG_TRAV_NFP_SPEC:
1081  mutex_unlock(&xt[trav->nfproto].mutex);
1082  break;
1083  }
1084 }
1085 
1086 static void *xt_match_seq_start(struct seq_file *seq, loff_t *pos)
1087 {
1088  return xt_mttg_seq_start(seq, pos, false);
1089 }
1090 
1091 static void *xt_match_seq_next(struct seq_file *seq, void *v, loff_t *ppos)
1092 {
1093  return xt_mttg_seq_next(seq, v, ppos, false);
1094 }
1095 
1096 static int xt_match_seq_show(struct seq_file *seq, void *v)
1097 {
1098  const struct nf_mttg_trav *trav = seq->private;
1099  const struct xt_match *match;
1100 
1101  switch (trav->class) {
1102  case MTTG_TRAV_NFP_UNSPEC:
1103  case MTTG_TRAV_NFP_SPEC:
1104  if (trav->curr == trav->head)
1105  return 0;
1106  match = list_entry(trav->curr, struct xt_match, list);
1107  return (*match->name == '\0') ? 0 :
1108  seq_printf(seq, "%s\n", match->name);
1109  }
1110  return 0;
1111 }
1112 
1113 static const struct seq_operations xt_match_seq_ops = {
1114  .start = xt_match_seq_start,
1115  .next = xt_match_seq_next,
1116  .stop = xt_mttg_seq_stop,
1117  .show = xt_match_seq_show,
1118 };
1119 
1120 static int xt_match_open(struct inode *inode, struct file *file)
1121 {
1122  struct seq_file *seq;
1123  struct nf_mttg_trav *trav;
1124  int ret;
1125 
1126  trav = kmalloc(sizeof(*trav), GFP_KERNEL);
1127  if (trav == NULL)
1128  return -ENOMEM;
1129 
1130  ret = seq_open(file, &xt_match_seq_ops);
1131  if (ret < 0) {
1132  kfree(trav);
1133  return ret;
1134  }
1135 
1136  seq = file->private_data;
1137  seq->private = trav;
1138  trav->nfproto = (unsigned long)PDE(inode)->data;
1139  return 0;
1140 }
1141 
1142 static const struct file_operations xt_match_ops = {
1143  .owner = THIS_MODULE,
1144  .open = xt_match_open,
1145  .read = seq_read,
1146  .llseek = seq_lseek,
1147  .release = seq_release_private,
1148 };
1149 
1150 static void *xt_target_seq_start(struct seq_file *seq, loff_t *pos)
1151 {
1152  return xt_mttg_seq_start(seq, pos, true);
1153 }
1154 
1155 static void *xt_target_seq_next(struct seq_file *seq, void *v, loff_t *ppos)
1156 {
1157  return xt_mttg_seq_next(seq, v, ppos, true);
1158 }
1159 
1160 static int xt_target_seq_show(struct seq_file *seq, void *v)
1161 {
1162  const struct nf_mttg_trav *trav = seq->private;
1163  const struct xt_target *target;
1164 
1165  switch (trav->class) {
1166  case MTTG_TRAV_NFP_UNSPEC:
1167  case MTTG_TRAV_NFP_SPEC:
1168  if (trav->curr == trav->head)
1169  return 0;
1170  target = list_entry(trav->curr, struct xt_target, list);
1171  return (*target->name == '\0') ? 0 :
1172  seq_printf(seq, "%s\n", target->name);
1173  }
1174  return 0;
1175 }
1176 
1177 static const struct seq_operations xt_target_seq_ops = {
1178  .start = xt_target_seq_start,
1179  .next = xt_target_seq_next,
1180  .stop = xt_mttg_seq_stop,
1181  .show = xt_target_seq_show,
1182 };
1183 
1184 static int xt_target_open(struct inode *inode, struct file *file)
1185 {
1186  struct seq_file *seq;
1187  struct nf_mttg_trav *trav;
1188  int ret;
1189 
1190  trav = kmalloc(sizeof(*trav), GFP_KERNEL);
1191  if (trav == NULL)
1192  return -ENOMEM;
1193 
1194  ret = seq_open(file, &xt_target_seq_ops);
1195  if (ret < 0) {
1196  kfree(trav);
1197  return ret;
1198  }
1199 
1200  seq = file->private_data;
1201  seq->private = trav;
1202  trav->nfproto = (unsigned long)PDE(inode)->data;
1203  return 0;
1204 }
1205 
1206 static const struct file_operations xt_target_ops = {
1207  .owner = THIS_MODULE,
1208  .open = xt_target_open,
1209  .read = seq_read,
1210  .llseek = seq_lseek,
1211  .release = seq_release_private,
1212 };
1213 
1214 #define FORMAT_TABLES "_tables_names"
1215 #define FORMAT_MATCHES "_tables_matches"
1216 #define FORMAT_TARGETS "_tables_targets"
1217 
1218 #endif /* CONFIG_PROC_FS */
1219 
1228 struct nf_hook_ops *xt_hook_link(const struct xt_table *table, nf_hookfn *fn)
1229 {
1230  unsigned int hook_mask = table->valid_hooks;
1231  uint8_t i, num_hooks = hweight32(hook_mask);
1232  uint8_t hooknum;
1233  struct nf_hook_ops *ops;
1234  int ret;
1235 
1236  ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL);
1237  if (ops == NULL)
1238  return ERR_PTR(-ENOMEM);
1239 
1240  for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0;
1241  hook_mask >>= 1, ++hooknum) {
1242  if (!(hook_mask & 1))
1243  continue;
1244  ops[i].hook = fn;
1245  ops[i].owner = table->me;
1246  ops[i].pf = table->af;
1247  ops[i].hooknum = hooknum;
1248  ops[i].priority = table->priority;
1249  ++i;
1250  }
1251 
1252  ret = nf_register_hooks(ops, num_hooks);
1253  if (ret < 0) {
1254  kfree(ops);
1255  return ERR_PTR(ret);
1256  }
1257 
1258  return ops;
1259 }
1260 EXPORT_SYMBOL_GPL(xt_hook_link);
1261 
1267 void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops)
1268 {
1269  nf_unregister_hooks(ops, hweight32(table->valid_hooks));
1270  kfree(ops);
1271 }
1272 EXPORT_SYMBOL_GPL(xt_hook_unlink);
1273 
1274 int xt_proto_init(struct net *net, u_int8_t af)
1275 {
1276 #ifdef CONFIG_PROC_FS
1277  char buf[XT_FUNCTION_MAXNAMELEN];
1278  struct proc_dir_entry *proc;
1279 #endif
1280 
1281  if (af >= ARRAY_SIZE(xt_prefix))
1282  return -EINVAL;
1283 
1284 
1285 #ifdef CONFIG_PROC_FS
1286  strlcpy(buf, xt_prefix[af], sizeof(buf));
1287  strlcat(buf, FORMAT_TABLES, sizeof(buf));
1288  proc = proc_create_data(buf, 0440, net->proc_net, &xt_table_ops,
1289  (void *)(unsigned long)af);
1290  if (!proc)
1291  goto out;
1292 
1293  strlcpy(buf, xt_prefix[af], sizeof(buf));
1294  strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1295  proc = proc_create_data(buf, 0440, net->proc_net, &xt_match_ops,
1296  (void *)(unsigned long)af);
1297  if (!proc)
1298  goto out_remove_tables;
1299 
1300  strlcpy(buf, xt_prefix[af], sizeof(buf));
1301  strlcat(buf, FORMAT_TARGETS, sizeof(buf));
1302  proc = proc_create_data(buf, 0440, net->proc_net, &xt_target_ops,
1303  (void *)(unsigned long)af);
1304  if (!proc)
1305  goto out_remove_matches;
1306 #endif
1307 
1308  return 0;
1309 
1310 #ifdef CONFIG_PROC_FS
1311 out_remove_matches:
1312  strlcpy(buf, xt_prefix[af], sizeof(buf));
1313  strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1314  proc_net_remove(net, buf);
1315 
1316 out_remove_tables:
1317  strlcpy(buf, xt_prefix[af], sizeof(buf));
1318  strlcat(buf, FORMAT_TABLES, sizeof(buf));
1319  proc_net_remove(net, buf);
1320 out:
1321  return -1;
1322 #endif
1323 }
1324 EXPORT_SYMBOL_GPL(xt_proto_init);
1325 
1326 void xt_proto_fini(struct net *net, u_int8_t af)
1327 {
1328 #ifdef CONFIG_PROC_FS
1329  char buf[XT_FUNCTION_MAXNAMELEN];
1330 
1331  strlcpy(buf, xt_prefix[af], sizeof(buf));
1332  strlcat(buf, FORMAT_TABLES, sizeof(buf));
1333  proc_net_remove(net, buf);
1334 
1335  strlcpy(buf, xt_prefix[af], sizeof(buf));
1336  strlcat(buf, FORMAT_TARGETS, sizeof(buf));
1337  proc_net_remove(net, buf);
1338 
1339  strlcpy(buf, xt_prefix[af], sizeof(buf));
1340  strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1341  proc_net_remove(net, buf);
1342 #endif /*CONFIG_PROC_FS*/
1343 }
1344 EXPORT_SYMBOL_GPL(xt_proto_fini);
1345 
1346 static int __net_init xt_net_init(struct net *net)
1347 {
1348  int i;
1349 
1350  for (i = 0; i < NFPROTO_NUMPROTO; i++)
1351  INIT_LIST_HEAD(&net->xt.tables[i]);
1352  return 0;
1353 }
1354 
1355 static struct pernet_operations xt_net_ops = {
1356  .init = xt_net_init,
1357 };
1358 
1359 static int __init xt_init(void)
1360 {
1361  unsigned int i;
1362  int rv;
1363 
1364  for_each_possible_cpu(i) {
1365  seqcount_init(&per_cpu(xt_recseq, i));
1366  }
1367 
1368  xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL);
1369  if (!xt)
1370  return -ENOMEM;
1371 
1372  for (i = 0; i < NFPROTO_NUMPROTO; i++) {
1373  mutex_init(&xt[i].mutex);
1374 #ifdef CONFIG_COMPAT
1375  mutex_init(&xt[i].compat_mutex);
1376  xt[i].compat_tab = NULL;
1377 #endif
1378  INIT_LIST_HEAD(&xt[i].target);
1379  INIT_LIST_HEAD(&xt[i].match);
1380  }
1381  rv = register_pernet_subsys(&xt_net_ops);
1382  if (rv < 0)
1383  kfree(xt);
1384  return rv;
1385 }
1386 
1387 static void __exit xt_fini(void)
1388 {
1389  unregister_pernet_subsys(&xt_net_ops);
1390  kfree(xt);
1391 }
1392 
1393 module_init(xt_init);
1394 module_exit(xt_fini);
1395 
Generated on Thu Jan 10 2013 15:00:51 for Linux Kernel by   doxygen 1.8.2