tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / net / netfilter / x_tables.c
at v3.11-rc7 1408 lines 34 kB view raw
1/* 2 * x_tables core - Backend for {ip,ip6,arp}_tables 3 * 4 * Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org> 5 * Copyright (C) 2006-2012 Patrick McHardy <kaber@trash.net> 6 * 7 * Based on existing ip_tables code which is 8 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling 9 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org> 10 * 11 * This program is free software; you can redistribute it and/or modify 12 * it under the terms of the GNU General Public License version 2 as 13 * published by the Free Software Foundation. 14 * 15 */ 16#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 17#include <linux/kernel.h> 18#include <linux/module.h> 19#include <linux/socket.h> 20#include <linux/net.h> 21#include <linux/proc_fs.h> 22#include <linux/seq_file.h> 23#include <linux/string.h> 24#include <linux/vmalloc.h> 25#include <linux/mutex.h> 26#include <linux/mm.h> 27#include <linux/slab.h> 28#include <linux/audit.h> 29#include <net/net_namespace.h> 30 31#include <linux/netfilter/x_tables.h> 32#include <linux/netfilter_arp.h> 33#include <linux/netfilter_ipv4/ip_tables.h> 34#include <linux/netfilter_ipv6/ip6_tables.h> 35#include <linux/netfilter_arp/arp_tables.h> 36 37MODULE_LICENSE("GPL"); 38MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); 39MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module"); 40 41#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1)) 42 43struct compat_delta { 44 unsigned int offset; /* offset in kernel */ 45 int delta; /* delta in 32bit user land */ 46}; 47 48struct xt_af { 49 struct mutex mutex; 50 struct list_head match; 51 struct list_head target; 52#ifdef CONFIG_COMPAT 53 struct mutex compat_mutex; 54 struct compat_delta *compat_tab; 55 unsigned int number; /* number of slots in compat_tab[] */ 56 unsigned int cur; /* number of used slots in compat_tab[] */ 57#endif 58}; 59 60static struct xt_af *xt; 61 62static const char *const xt_prefix[NFPROTO_NUMPROTO] = { 63 [NFPROTO_UNSPEC] = "x", 64 [NFPROTO_IPV4] = "ip", 65 [NFPROTO_ARP] = "arp", 66 [NFPROTO_BRIDGE] = "eb", 67 [NFPROTO_IPV6] = "ip6", 68}; 69 70/* Allow this many total (re)entries. */ 71static const unsigned int xt_jumpstack_multiplier = 2; 72 73/* Registration hooks for targets. */ 74int 75xt_register_target(struct xt_target *target) 76{ 77 u_int8_t af = target->family; 78 int ret; 79 80 ret = mutex_lock_interruptible(&xt[af].mutex); 81 if (ret != 0) 82 return ret; 83 list_add(&target->list, &xt[af].target); 84 mutex_unlock(&xt[af].mutex); 85 return ret; 86} 87EXPORT_SYMBOL(xt_register_target); 88 89void 90xt_unregister_target(struct xt_target *target) 91{ 92 u_int8_t af = target->family; 93 94 mutex_lock(&xt[af].mutex); 95 list_del(&target->list); 96 mutex_unlock(&xt[af].mutex); 97} 98EXPORT_SYMBOL(xt_unregister_target); 99 100int 101xt_register_targets(struct xt_target *target, unsigned int n) 102{ 103 unsigned int i; 104 int err = 0; 105 106 for (i = 0; i < n; i++) { 107 err = xt_register_target(&target[i]); 108 if (err) 109 goto err; 110 } 111 return err; 112 113err: 114 if (i > 0) 115 xt_unregister_targets(target, i); 116 return err; 117} 118EXPORT_SYMBOL(xt_register_targets); 119 120void 121xt_unregister_targets(struct xt_target *target, unsigned int n) 122{ 123 while (n-- > 0) 124 xt_unregister_target(&target[n]); 125} 126EXPORT_SYMBOL(xt_unregister_targets); 127 128int 129xt_register_match(struct xt_match *match) 130{ 131 u_int8_t af = match->family; 132 int ret; 133 134 ret = mutex_lock_interruptible(&xt[af].mutex); 135 if (ret != 0) 136 return ret; 137 138 list_add(&match->list, &xt[af].match); 139 mutex_unlock(&xt[af].mutex); 140 141 return ret; 142} 143EXPORT_SYMBOL(xt_register_match); 144 145void 146xt_unregister_match(struct xt_match *match) 147{ 148 u_int8_t af = match->family; 149 150 mutex_lock(&xt[af].mutex); 151 list_del(&match->list); 152 mutex_unlock(&xt[af].mutex); 153} 154EXPORT_SYMBOL(xt_unregister_match); 155 156int 157xt_register_matches(struct xt_match *match, unsigned int n) 158{ 159 unsigned int i; 160 int err = 0; 161 162 for (i = 0; i < n; i++) { 163 err = xt_register_match(&match[i]); 164 if (err) 165 goto err; 166 } 167 return err; 168 169err: 170 if (i > 0) 171 xt_unregister_matches(match, i); 172 return err; 173} 174EXPORT_SYMBOL(xt_register_matches); 175 176void 177xt_unregister_matches(struct xt_match *match, unsigned int n) 178{ 179 while (n-- > 0) 180 xt_unregister_match(&match[n]); 181} 182EXPORT_SYMBOL(xt_unregister_matches); 183 184 185/* 186 * These are weird, but module loading must not be done with mutex 187 * held (since they will register), and we have to have a single 188 * function to use. 189 */ 190 191/* Find match, grabs ref. Returns ERR_PTR() on error. */ 192struct xt_match *xt_find_match(u8 af, const char *name, u8 revision) 193{ 194 struct xt_match *m; 195 int err = -ENOENT; 196 197 if (mutex_lock_interruptible(&xt[af].mutex) != 0) 198 return ERR_PTR(-EINTR); 199 200 list_for_each_entry(m, &xt[af].match, list) { 201 if (strcmp(m->name, name) == 0) { 202 if (m->revision == revision) { 203 if (try_module_get(m->me)) { 204 mutex_unlock(&xt[af].mutex); 205 return m; 206 } 207 } else 208 err = -EPROTOTYPE; /* Found something. */ 209 } 210 } 211 mutex_unlock(&xt[af].mutex); 212 213 if (af != NFPROTO_UNSPEC) 214 /* Try searching again in the family-independent list */ 215 return xt_find_match(NFPROTO_UNSPEC, name, revision); 216 217 return ERR_PTR(err); 218} 219EXPORT_SYMBOL(xt_find_match); 220 221struct xt_match * 222xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision) 223{ 224 struct xt_match *match; 225 226 match = xt_find_match(nfproto, name, revision); 227 if (IS_ERR(match)) { 228 request_module("%st_%s", xt_prefix[nfproto], name); 229 match = xt_find_match(nfproto, name, revision); 230 } 231 232 return match; 233} 234EXPORT_SYMBOL_GPL(xt_request_find_match); 235 236/* Find target, grabs ref. Returns ERR_PTR() on error. */ 237struct xt_target *xt_find_target(u8 af, const char *name, u8 revision) 238{ 239 struct xt_target *t; 240 int err = -ENOENT; 241 242 if (mutex_lock_interruptible(&xt[af].mutex) != 0) 243 return ERR_PTR(-EINTR); 244 245 list_for_each_entry(t, &xt[af].target, list) { 246 if (strcmp(t->name, name) == 0) { 247 if (t->revision == revision) { 248 if (try_module_get(t->me)) { 249 mutex_unlock(&xt[af].mutex); 250 return t; 251 } 252 } else 253 err = -EPROTOTYPE; /* Found something. */ 254 } 255 } 256 mutex_unlock(&xt[af].mutex); 257 258 if (af != NFPROTO_UNSPEC) 259 /* Try searching again in the family-independent list */ 260 return xt_find_target(NFPROTO_UNSPEC, name, revision); 261 262 return ERR_PTR(err); 263} 264EXPORT_SYMBOL(xt_find_target); 265 266struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision) 267{ 268 struct xt_target *target; 269 270 target = xt_find_target(af, name, revision); 271 if (IS_ERR(target)) { 272 request_module("%st_%s", xt_prefix[af], name); 273 target = xt_find_target(af, name, revision); 274 } 275 276 return target; 277} 278EXPORT_SYMBOL_GPL(xt_request_find_target); 279 280static int match_revfn(u8 af, const char *name, u8 revision, int *bestp) 281{ 282 const struct xt_match *m; 283 int have_rev = 0; 284 285 list_for_each_entry(m, &xt[af].match, list) { 286 if (strcmp(m->name, name) == 0) { 287 if (m->revision > *bestp) 288 *bestp = m->revision; 289 if (m->revision == revision) 290 have_rev = 1; 291 } 292 } 293 294 if (af != NFPROTO_UNSPEC && !have_rev) 295 return match_revfn(NFPROTO_UNSPEC, name, revision, bestp); 296 297 return have_rev; 298} 299 300static int target_revfn(u8 af, const char *name, u8 revision, int *bestp) 301{ 302 const struct xt_target *t; 303 int have_rev = 0; 304 305 list_for_each_entry(t, &xt[af].target, list) { 306 if (strcmp(t->name, name) == 0) { 307 if (t->revision > *bestp) 308 *bestp = t->revision; 309 if (t->revision == revision) 310 have_rev = 1; 311 } 312 } 313 314 if (af != NFPROTO_UNSPEC && !have_rev) 315 return target_revfn(NFPROTO_UNSPEC, name, revision, bestp); 316 317 return have_rev; 318} 319 320/* Returns true or false (if no such extension at all) */ 321int xt_find_revision(u8 af, const char *name, u8 revision, int target, 322 int *err) 323{ 324 int have_rev, best = -1; 325 326 if (mutex_lock_interruptible(&xt[af].mutex) != 0) { 327 *err = -EINTR; 328 return 1; 329 } 330 if (target == 1) 331 have_rev = target_revfn(af, name, revision, &best); 332 else 333 have_rev = match_revfn(af, name, revision, &best); 334 mutex_unlock(&xt[af].mutex); 335 336 /* Nothing at all? Return 0 to try loading module. */ 337 if (best == -1) { 338 *err = -ENOENT; 339 return 0; 340 } 341 342 *err = best; 343 if (!have_rev) 344 *err = -EPROTONOSUPPORT; 345 return 1; 346} 347EXPORT_SYMBOL_GPL(xt_find_revision); 348 349static char * 350textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto) 351{ 352 static const char *const inetbr_names[] = { 353 "PREROUTING", "INPUT", "FORWARD", 354 "OUTPUT", "POSTROUTING", "BROUTING", 355 }; 356 static const char *const arp_names[] = { 357 "INPUT", "FORWARD", "OUTPUT", 358 }; 359 const char *const *names; 360 unsigned int i, max; 361 char *p = buf; 362 bool np = false; 363 int res; 364 365 names = (nfproto == NFPROTO_ARP) ? arp_names : inetbr_names; 366 max = (nfproto == NFPROTO_ARP) ? ARRAY_SIZE(arp_names) : 367 ARRAY_SIZE(inetbr_names); 368 *p = '\0'; 369 for (i = 0; i < max; ++i) { 370 if (!(mask & (1 << i))) 371 continue; 372 res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]); 373 if (res > 0) { 374 size -= res; 375 p += res; 376 } 377 np = true; 378 } 379 380 return buf; 381} 382 383int xt_check_match(struct xt_mtchk_param *par, 384 unsigned int size, u_int8_t proto, bool inv_proto) 385{ 386 int ret; 387 388 if (XT_ALIGN(par->match->matchsize) != size && 389 par->match->matchsize != -1) { 390 /* 391 * ebt_among is exempt from centralized matchsize checking 392 * because it uses a dynamic-size data set. 393 */ 394 pr_err("%s_tables: %s.%u match: invalid size " 395 "%u (kernel) != (user) %u\n", 396 xt_prefix[par->family], par->match->name, 397 par->match->revision, 398 XT_ALIGN(par->match->matchsize), size); 399 return -EINVAL; 400 } 401 if (par->match->table != NULL && 402 strcmp(par->match->table, par->table) != 0) { 403 pr_err("%s_tables: %s match: only valid in %s table, not %s\n", 404 xt_prefix[par->family], par->match->name, 405 par->match->table, par->table); 406 return -EINVAL; 407 } 408 if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) { 409 char used[64], allow[64]; 410 411 pr_err("%s_tables: %s match: used from hooks %s, but only " 412 "valid from %s\n", 413 xt_prefix[par->family], par->match->name, 414 textify_hooks(used, sizeof(used), par->hook_mask, 415 par->family), 416 textify_hooks(allow, sizeof(allow), par->match->hooks, 417 par->family)); 418 return -EINVAL; 419 } 420 if (par->match->proto && (par->match->proto != proto || inv_proto)) { 421 pr_err("%s_tables: %s match: only valid for protocol %u\n", 422 xt_prefix[par->family], par->match->name, 423 par->match->proto); 424 return -EINVAL; 425 } 426 if (par->match->checkentry != NULL) { 427 ret = par->match->checkentry(par); 428 if (ret < 0) 429 return ret; 430 else if (ret > 0) 431 /* Flag up potential errors. */ 432 return -EIO; 433 } 434 return 0; 435} 436EXPORT_SYMBOL_GPL(xt_check_match); 437 438#ifdef CONFIG_COMPAT 439int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta) 440{ 441 struct xt_af *xp = &xt[af]; 442 443 if (!xp->compat_tab) { 444 if (!xp->number) 445 return -EINVAL; 446 xp->compat_tab = vmalloc(sizeof(struct compat_delta) * xp->number); 447 if (!xp->compat_tab) 448 return -ENOMEM; 449 xp->cur = 0; 450 } 451 452 if (xp->cur >= xp->number) 453 return -EINVAL; 454 455 if (xp->cur) 456 delta += xp->compat_tab[xp->cur - 1].delta; 457 xp->compat_tab[xp->cur].offset = offset; 458 xp->compat_tab[xp->cur].delta = delta; 459 xp->cur++; 460 return 0; 461} 462EXPORT_SYMBOL_GPL(xt_compat_add_offset); 463 464void xt_compat_flush_offsets(u_int8_t af) 465{ 466 if (xt[af].compat_tab) { 467 vfree(xt[af].compat_tab); 468 xt[af].compat_tab = NULL; 469 xt[af].number = 0; 470 xt[af].cur = 0; 471 } 472} 473EXPORT_SYMBOL_GPL(xt_compat_flush_offsets); 474 475int xt_compat_calc_jump(u_int8_t af, unsigned int offset) 476{ 477 struct compat_delta *tmp = xt[af].compat_tab; 478 int mid, left = 0, right = xt[af].cur - 1; 479 480 while (left <= right) { 481 mid = (left + right) >> 1; 482 if (offset > tmp[mid].offset) 483 left = mid + 1; 484 else if (offset < tmp[mid].offset) 485 right = mid - 1; 486 else 487 return mid ? tmp[mid - 1].delta : 0; 488 } 489 return left ? tmp[left - 1].delta : 0; 490} 491EXPORT_SYMBOL_GPL(xt_compat_calc_jump); 492 493void xt_compat_init_offsets(u_int8_t af, unsigned int number) 494{ 495 xt[af].number = number; 496 xt[af].cur = 0; 497} 498EXPORT_SYMBOL(xt_compat_init_offsets); 499 500int xt_compat_match_offset(const struct xt_match *match) 501{ 502 u_int16_t csize = match->compatsize ? : match->matchsize; 503 return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize); 504} 505EXPORT_SYMBOL_GPL(xt_compat_match_offset); 506 507int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, 508 unsigned int *size) 509{ 510 const struct xt_match *match = m->u.kernel.match; 511 struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; 512 int pad, off = xt_compat_match_offset(match); 513 u_int16_t msize = cm->u.user.match_size; 514 515 m = *dstptr; 516 memcpy(m, cm, sizeof(*cm)); 517 if (match->compat_from_user) 518 match->compat_from_user(m->data, cm->data); 519 else 520 memcpy(m->data, cm->data, msize - sizeof(*cm)); 521 pad = XT_ALIGN(match->matchsize) - match->matchsize; 522 if (pad > 0) 523 memset(m->data + match->matchsize, 0, pad); 524 525 msize += off; 526 m->u.user.match_size = msize; 527 528 *size += off; 529 *dstptr += msize; 530 return 0; 531} 532EXPORT_SYMBOL_GPL(xt_compat_match_from_user); 533 534int xt_compat_match_to_user(const struct xt_entry_match *m, 535 void __user **dstptr, unsigned int *size) 536{ 537 const struct xt_match *match = m->u.kernel.match; 538 struct compat_xt_entry_match __user *cm = *dstptr; 539 int off = xt_compat_match_offset(match); 540 u_int16_t msize = m->u.user.match_size - off; 541 542 if (copy_to_user(cm, m, sizeof(*cm)) || 543 put_user(msize, &cm->u.user.match_size) || 544 copy_to_user(cm->u.user.name, m->u.kernel.match->name, 545 strlen(m->u.kernel.match->name) + 1)) 546 return -EFAULT; 547 548 if (match->compat_to_user) { 549 if (match->compat_to_user((void __user *)cm->data, m->data)) 550 return -EFAULT; 551 } else { 552 if (copy_to_user(cm->data, m->data, msize - sizeof(*cm))) 553 return -EFAULT; 554 } 555 556 *size -= off; 557 *dstptr += msize; 558 return 0; 559} 560EXPORT_SYMBOL_GPL(xt_compat_match_to_user); 561#endif /* CONFIG_COMPAT */ 562 563int xt_check_target(struct xt_tgchk_param *par, 564 unsigned int size, u_int8_t proto, bool inv_proto) 565{ 566 int ret; 567 568 if (XT_ALIGN(par->target->targetsize) != size) { 569 pr_err("%s_tables: %s.%u target: invalid size " 570 "%u (kernel) != (user) %u\n", 571 xt_prefix[par->family], par->target->name, 572 par->target->revision, 573 XT_ALIGN(par->target->targetsize), size); 574 return -EINVAL; 575 } 576 if (par->target->table != NULL && 577 strcmp(par->target->table, par->table) != 0) { 578 pr_err("%s_tables: %s target: only valid in %s table, not %s\n", 579 xt_prefix[par->family], par->target->name, 580 par->target->table, par->table); 581 return -EINVAL; 582 } 583 if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) { 584 char used[64], allow[64]; 585 586 pr_err("%s_tables: %s target: used from hooks %s, but only " 587 "usable from %s\n", 588 xt_prefix[par->family], par->target->name, 589 textify_hooks(used, sizeof(used), par->hook_mask, 590 par->family), 591 textify_hooks(allow, sizeof(allow), par->target->hooks, 592 par->family)); 593 return -EINVAL; 594 } 595 if (par->target->proto && (par->target->proto != proto || inv_proto)) { 596 pr_err("%s_tables: %s target: only valid for protocol %u\n", 597 xt_prefix[par->family], par->target->name, 598 par->target->proto); 599 return -EINVAL; 600 } 601 if (par->target->checkentry != NULL) { 602 ret = par->target->checkentry(par); 603 if (ret < 0) 604 return ret; 605 else if (ret > 0) 606 /* Flag up potential errors. */ 607 return -EIO; 608 } 609 return 0; 610} 611EXPORT_SYMBOL_GPL(xt_check_target); 612 613#ifdef CONFIG_COMPAT 614int xt_compat_target_offset(const struct xt_target *target) 615{ 616 u_int16_t csize = target->compatsize ? : target->targetsize; 617 return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize); 618} 619EXPORT_SYMBOL_GPL(xt_compat_target_offset); 620 621void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, 622 unsigned int *size) 623{ 624 const struct xt_target *target = t->u.kernel.target; 625 struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; 626 int pad, off = xt_compat_target_offset(target); 627 u_int16_t tsize = ct->u.user.target_size; 628 629 t = *dstptr; 630 memcpy(t, ct, sizeof(*ct)); 631 if (target->compat_from_user) 632 target->compat_from_user(t->data, ct->data); 633 else 634 memcpy(t->data, ct->data, tsize - sizeof(*ct)); 635 pad = XT_ALIGN(target->targetsize) - target->targetsize; 636 if (pad > 0) 637 memset(t->data + target->targetsize, 0, pad); 638 639 tsize += off; 640 t->u.user.target_size = tsize; 641 642 *size += off; 643 *dstptr += tsize; 644} 645EXPORT_SYMBOL_GPL(xt_compat_target_from_user); 646 647int xt_compat_target_to_user(const struct xt_entry_target *t, 648 void __user **dstptr, unsigned int *size) 649{ 650 const struct xt_target *target = t->u.kernel.target; 651 struct compat_xt_entry_target __user *ct = *dstptr; 652 int off = xt_compat_target_offset(target); 653 u_int16_t tsize = t->u.user.target_size - off; 654 655 if (copy_to_user(ct, t, sizeof(*ct)) || 656 put_user(tsize, &ct->u.user.target_size) || 657 copy_to_user(ct->u.user.name, t->u.kernel.target->name, 658 strlen(t->u.kernel.target->name) + 1)) 659 return -EFAULT; 660 661 if (target->compat_to_user) { 662 if (target->compat_to_user((void __user *)ct->data, t->data)) 663 return -EFAULT; 664 } else { 665 if (copy_to_user(ct->data, t->data, tsize - sizeof(*ct))) 666 return -EFAULT; 667 } 668 669 *size -= off; 670 *dstptr += tsize; 671 return 0; 672} 673EXPORT_SYMBOL_GPL(xt_compat_target_to_user); 674#endif 675 676struct xt_table_info *xt_alloc_table_info(unsigned int size) 677{ 678 struct xt_table_info *newinfo; 679 int cpu; 680 681 /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ 682 if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) 683 return NULL; 684 685 newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL); 686 if (!newinfo) 687 return NULL; 688 689 newinfo->size = size; 690 691 for_each_possible_cpu(cpu) { 692 if (size <= PAGE_SIZE) 693 newinfo->entries[cpu] = kmalloc_node(size, 694 GFP_KERNEL, 695 cpu_to_node(cpu)); 696 else 697 newinfo->entries[cpu] = vmalloc_node(size, 698 cpu_to_node(cpu)); 699 700 if (newinfo->entries[cpu] == NULL) { 701 xt_free_table_info(newinfo); 702 return NULL; 703 } 704 } 705 706 return newinfo; 707} 708EXPORT_SYMBOL(xt_alloc_table_info); 709 710void xt_free_table_info(struct xt_table_info *info) 711{ 712 int cpu; 713 714 for_each_possible_cpu(cpu) { 715 if (info->size <= PAGE_SIZE) 716 kfree(info->entries[cpu]); 717 else 718 vfree(info->entries[cpu]); 719 } 720 721 if (info->jumpstack != NULL) { 722 if (sizeof(void *) * info->stacksize > PAGE_SIZE) { 723 for_each_possible_cpu(cpu) 724 vfree(info->jumpstack[cpu]); 725 } else { 726 for_each_possible_cpu(cpu) 727 kfree(info->jumpstack[cpu]); 728 } 729 } 730 731 if (sizeof(void **) * nr_cpu_ids > PAGE_SIZE) 732 vfree(info->jumpstack); 733 else 734 kfree(info->jumpstack); 735 736 free_percpu(info->stackptr); 737 738 kfree(info); 739} 740EXPORT_SYMBOL(xt_free_table_info); 741 742/* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */ 743struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af, 744 const char *name) 745{ 746 struct xt_table *t; 747 748 if (mutex_lock_interruptible(&xt[af].mutex) != 0) 749 return ERR_PTR(-EINTR); 750 751 list_for_each_entry(t, &net->xt.tables[af], list) 752 if (strcmp(t->name, name) == 0 && try_module_get(t->me)) 753 return t; 754 mutex_unlock(&xt[af].mutex); 755 return NULL; 756} 757EXPORT_SYMBOL_GPL(xt_find_table_lock); 758 759void xt_table_unlock(struct xt_table *table) 760{ 761 mutex_unlock(&xt[table->af].mutex); 762} 763EXPORT_SYMBOL_GPL(xt_table_unlock); 764 765#ifdef CONFIG_COMPAT 766void xt_compat_lock(u_int8_t af) 767{ 768 mutex_lock(&xt[af].compat_mutex); 769} 770EXPORT_SYMBOL_GPL(xt_compat_lock); 771 772void xt_compat_unlock(u_int8_t af) 773{ 774 mutex_unlock(&xt[af].compat_mutex); 775} 776EXPORT_SYMBOL_GPL(xt_compat_unlock); 777#endif 778 779DEFINE_PER_CPU(seqcount_t, xt_recseq); 780EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq); 781 782static int xt_jumpstack_alloc(struct xt_table_info *i) 783{ 784 unsigned int size; 785 int cpu; 786 787 i->stackptr = alloc_percpu(unsigned int); 788 if (i->stackptr == NULL) 789 return -ENOMEM; 790 791 size = sizeof(void **) * nr_cpu_ids; 792 if (size > PAGE_SIZE) 793 i->jumpstack = vzalloc(size); 794 else 795 i->jumpstack = kzalloc(size, GFP_KERNEL); 796 if (i->jumpstack == NULL) 797 return -ENOMEM; 798 799 i->stacksize *= xt_jumpstack_multiplier; 800 size = sizeof(void *) * i->stacksize; 801 for_each_possible_cpu(cpu) { 802 if (size > PAGE_SIZE) 803 i->jumpstack[cpu] = vmalloc_node(size, 804 cpu_to_node(cpu)); 805 else 806 i->jumpstack[cpu] = kmalloc_node(size, 807 GFP_KERNEL, cpu_to_node(cpu)); 808 if (i->jumpstack[cpu] == NULL) 809 /* 810 * Freeing will be done later on by the callers. The 811 * chain is: xt_replace_table -> __do_replace -> 812 * do_replace -> xt_free_table_info. 813 */ 814 return -ENOMEM; 815 } 816 817 return 0; 818} 819 820struct xt_table_info * 821xt_replace_table(struct xt_table *table, 822 unsigned int num_counters, 823 struct xt_table_info *newinfo, 824 int *error) 825{ 826 struct xt_table_info *private; 827 int ret; 828 829 ret = xt_jumpstack_alloc(newinfo); 830 if (ret < 0) { 831 *error = ret; 832 return NULL; 833 } 834 835 /* Do the substitution. */ 836 local_bh_disable(); 837 private = table->private; 838 839 /* Check inside lock: is the old number correct? */ 840 if (num_counters != private->number) { 841 pr_debug("num_counters != table->private->number (%u/%u)\n", 842 num_counters, private->number); 843 local_bh_enable(); 844 *error = -EAGAIN; 845 return NULL; 846 } 847 848 table->private = newinfo; 849 newinfo->initial_entries = private->initial_entries; 850 851 /* 852 * Even though table entries have now been swapped, other CPU's 853 * may still be using the old entries. This is okay, because 854 * resynchronization happens because of the locking done 855 * during the get_counters() routine. 856 */ 857 local_bh_enable(); 858 859#ifdef CONFIG_AUDIT 860 if (audit_enabled) { 861 struct audit_buffer *ab; 862 863 ab = audit_log_start(current->audit_context, GFP_KERNEL, 864 AUDIT_NETFILTER_CFG); 865 if (ab) { 866 audit_log_format(ab, "table=%s family=%u entries=%u", 867 table->name, table->af, 868 private->number); 869 audit_log_end(ab); 870 } 871 } 872#endif 873 874 return private; 875} 876EXPORT_SYMBOL_GPL(xt_replace_table); 877 878struct xt_table *xt_register_table(struct net *net, 879 const struct xt_table *input_table, 880 struct xt_table_info *bootstrap, 881 struct xt_table_info *newinfo) 882{ 883 int ret; 884 struct xt_table_info *private; 885 struct xt_table *t, *table; 886 887 /* Don't add one object to multiple lists. */ 888 table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL); 889 if (!table) { 890 ret = -ENOMEM; 891 goto out; 892 } 893 894 ret = mutex_lock_interruptible(&xt[table->af].mutex); 895 if (ret != 0) 896 goto out_free; 897 898 /* Don't autoload: we'd eat our tail... */ 899 list_for_each_entry(t, &net->xt.tables[table->af], list) { 900 if (strcmp(t->name, table->name) == 0) { 901 ret = -EEXIST; 902 goto unlock; 903 } 904 } 905 906 /* Simplifies replace_table code. */ 907 table->private = bootstrap; 908 909 if (!xt_replace_table(table, 0, newinfo, &ret)) 910 goto unlock; 911 912 private = table->private; 913 pr_debug("table->private->number = %u\n", private->number); 914 915 /* save number of initial entries */ 916 private->initial_entries = private->number; 917 918 list_add(&table->list, &net->xt.tables[table->af]); 919 mutex_unlock(&xt[table->af].mutex); 920 return table; 921 922 unlock: 923 mutex_unlock(&xt[table->af].mutex); 924out_free: 925 kfree(table); 926out: 927 return ERR_PTR(ret); 928} 929EXPORT_SYMBOL_GPL(xt_register_table); 930 931void *xt_unregister_table(struct xt_table *table) 932{ 933 struct xt_table_info *private; 934 935 mutex_lock(&xt[table->af].mutex); 936 private = table->private; 937 list_del(&table->list); 938 mutex_unlock(&xt[table->af].mutex); 939 kfree(table); 940 941 return private; 942} 943EXPORT_SYMBOL_GPL(xt_unregister_table); 944 945#ifdef CONFIG_PROC_FS 946struct xt_names_priv { 947 struct seq_net_private p; 948 u_int8_t af; 949}; 950static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos) 951{ 952 struct xt_names_priv *priv = seq->private; 953 struct net *net = seq_file_net(seq); 954 u_int8_t af = priv->af; 955 956 mutex_lock(&xt[af].mutex); 957 return seq_list_start(&net->xt.tables[af], *pos); 958} 959 960static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos) 961{ 962 struct xt_names_priv *priv = seq->private; 963 struct net *net = seq_file_net(seq); 964 u_int8_t af = priv->af; 965 966 return seq_list_next(v, &net->xt.tables[af], pos); 967} 968 969static void xt_table_seq_stop(struct seq_file *seq, void *v) 970{ 971 struct xt_names_priv *priv = seq->private; 972 u_int8_t af = priv->af; 973 974 mutex_unlock(&xt[af].mutex); 975} 976 977static int xt_table_seq_show(struct seq_file *seq, void *v) 978{ 979 struct xt_table *table = list_entry(v, struct xt_table, list); 980 981 if (strlen(table->name)) 982 return seq_printf(seq, "%s\n", table->name); 983 else 984 return 0; 985} 986 987static const struct seq_operations xt_table_seq_ops = { 988 .start = xt_table_seq_start, 989 .next = xt_table_seq_next, 990 .stop = xt_table_seq_stop, 991 .show = xt_table_seq_show, 992}; 993 994static int xt_table_open(struct inode *inode, struct file *file) 995{ 996 int ret; 997 struct xt_names_priv *priv; 998 999 ret = seq_open_net(inode, file, &xt_table_seq_ops, 1000 sizeof(struct xt_names_priv)); 1001 if (!ret) { 1002 priv = ((struct seq_file *)file->private_data)->private; 1003 priv->af = (unsigned long)PDE_DATA(inode); 1004 } 1005 return ret; 1006} 1007 1008static const struct file_operations xt_table_ops = { 1009 .owner = THIS_MODULE, 1010 .open = xt_table_open, 1011 .read = seq_read, 1012 .llseek = seq_lseek, 1013 .release = seq_release_net, 1014}; 1015 1016/* 1017 * Traverse state for ip{,6}_{tables,matches} for helping crossing 1018 * the multi-AF mutexes. 1019 */ 1020struct nf_mttg_trav { 1021 struct list_head *head, *curr; 1022 uint8_t class, nfproto; 1023}; 1024 1025enum { 1026 MTTG_TRAV_INIT, 1027 MTTG_TRAV_NFP_UNSPEC, 1028 MTTG_TRAV_NFP_SPEC, 1029 MTTG_TRAV_DONE, 1030}; 1031 1032static void *xt_mttg_seq_next(struct seq_file *seq, void *v, loff_t *ppos, 1033 bool is_target) 1034{ 1035 static const uint8_t next_class[] = { 1036 [MTTG_TRAV_NFP_UNSPEC] = MTTG_TRAV_NFP_SPEC, 1037 [MTTG_TRAV_NFP_SPEC] = MTTG_TRAV_DONE, 1038 }; 1039 struct nf_mttg_trav *trav = seq->private; 1040 1041 switch (trav->class) { 1042 case MTTG_TRAV_INIT: 1043 trav->class = MTTG_TRAV_NFP_UNSPEC; 1044 mutex_lock(&xt[NFPROTO_UNSPEC].mutex); 1045 trav->head = trav->curr = is_target ? 1046 &xt[NFPROTO_UNSPEC].target : &xt[NFPROTO_UNSPEC].match; 1047 break; 1048 case MTTG_TRAV_NFP_UNSPEC: 1049 trav->curr = trav->curr->next; 1050 if (trav->curr != trav->head) 1051 break; 1052 mutex_unlock(&xt[NFPROTO_UNSPEC].mutex); 1053 mutex_lock(&xt[trav->nfproto].mutex); 1054 trav->head = trav->curr = is_target ? 1055 &xt[trav->nfproto].target : &xt[trav->nfproto].match; 1056 trav->class = next_class[trav->class]; 1057 break; 1058 case MTTG_TRAV_NFP_SPEC: 1059 trav->curr = trav->curr->next; 1060 if (trav->curr != trav->head) 1061 break; 1062 /* fallthru, _stop will unlock */ 1063 default: 1064 return NULL; 1065 } 1066 1067 if (ppos != NULL) 1068 ++*ppos; 1069 return trav; 1070} 1071 1072static void *xt_mttg_seq_start(struct seq_file *seq, loff_t *pos, 1073 bool is_target) 1074{ 1075 struct nf_mttg_trav *trav = seq->private; 1076 unsigned int j; 1077 1078 trav->class = MTTG_TRAV_INIT; 1079 for (j = 0; j < *pos; ++j) 1080 if (xt_mttg_seq_next(seq, NULL, NULL, is_target) == NULL) 1081 return NULL; 1082 return trav; 1083} 1084 1085static void xt_mttg_seq_stop(struct seq_file *seq, void *v) 1086{ 1087 struct nf_mttg_trav *trav = seq->private; 1088 1089 switch (trav->class) { 1090 case MTTG_TRAV_NFP_UNSPEC: 1091 mutex_unlock(&xt[NFPROTO_UNSPEC].mutex); 1092 break; 1093 case MTTG_TRAV_NFP_SPEC: 1094 mutex_unlock(&xt[trav->nfproto].mutex); 1095 break; 1096 } 1097} 1098 1099static void *xt_match_seq_start(struct seq_file *seq, loff_t *pos) 1100{ 1101 return xt_mttg_seq_start(seq, pos, false); 1102} 1103 1104static void *xt_match_seq_next(struct seq_file *seq, void *v, loff_t *ppos) 1105{ 1106 return xt_mttg_seq_next(seq, v, ppos, false); 1107} 1108 1109static int xt_match_seq_show(struct seq_file *seq, void *v) 1110{ 1111 const struct nf_mttg_trav *trav = seq->private; 1112 const struct xt_match *match; 1113 1114 switch (trav->class) { 1115 case MTTG_TRAV_NFP_UNSPEC: 1116 case MTTG_TRAV_NFP_SPEC: 1117 if (trav->curr == trav->head) 1118 return 0; 1119 match = list_entry(trav->curr, struct xt_match, list); 1120 return (*match->name == '\0') ? 0 : 1121 seq_printf(seq, "%s\n", match->name); 1122 } 1123 return 0; 1124} 1125 1126static const struct seq_operations xt_match_seq_ops = { 1127 .start = xt_match_seq_start, 1128 .next = xt_match_seq_next, 1129 .stop = xt_mttg_seq_stop, 1130 .show = xt_match_seq_show, 1131}; 1132 1133static int xt_match_open(struct inode *inode, struct file *file) 1134{ 1135 struct seq_file *seq; 1136 struct nf_mttg_trav *trav; 1137 int ret; 1138 1139 trav = kmalloc(sizeof(*trav), GFP_KERNEL); 1140 if (trav == NULL) 1141 return -ENOMEM; 1142 1143 ret = seq_open(file, &xt_match_seq_ops); 1144 if (ret < 0) { 1145 kfree(trav); 1146 return ret; 1147 } 1148 1149 seq = file->private_data; 1150 seq->private = trav; 1151 trav->nfproto = (unsigned long)PDE_DATA(inode); 1152 return 0; 1153} 1154 1155static const struct file_operations xt_match_ops = { 1156 .owner = THIS_MODULE, 1157 .open = xt_match_open, 1158 .read = seq_read, 1159 .llseek = seq_lseek, 1160 .release = seq_release_private, 1161}; 1162 1163static void *xt_target_seq_start(struct seq_file *seq, loff_t *pos) 1164{ 1165 return xt_mttg_seq_start(seq, pos, true); 1166} 1167 1168static void *xt_target_seq_next(struct seq_file *seq, void *v, loff_t *ppos) 1169{ 1170 return xt_mttg_seq_next(seq, v, ppos, true); 1171} 1172 1173static int xt_target_seq_show(struct seq_file *seq, void *v) 1174{ 1175 const struct nf_mttg_trav *trav = seq->private; 1176 const struct xt_target *target; 1177 1178 switch (trav->class) { 1179 case MTTG_TRAV_NFP_UNSPEC: 1180 case MTTG_TRAV_NFP_SPEC: 1181 if (trav->curr == trav->head) 1182 return 0; 1183 target = list_entry(trav->curr, struct xt_target, list); 1184 return (*target->name == '\0') ? 0 : 1185 seq_printf(seq, "%s\n", target->name); 1186 } 1187 return 0; 1188} 1189 1190static const struct seq_operations xt_target_seq_ops = { 1191 .start = xt_target_seq_start, 1192 .next = xt_target_seq_next, 1193 .stop = xt_mttg_seq_stop, 1194 .show = xt_target_seq_show, 1195}; 1196 1197static int xt_target_open(struct inode *inode, struct file *file) 1198{ 1199 struct seq_file *seq; 1200 struct nf_mttg_trav *trav; 1201 int ret; 1202 1203 trav = kmalloc(sizeof(*trav), GFP_KERNEL); 1204 if (trav == NULL) 1205 return -ENOMEM; 1206 1207 ret = seq_open(file, &xt_target_seq_ops); 1208 if (ret < 0) { 1209 kfree(trav); 1210 return ret; 1211 } 1212 1213 seq = file->private_data; 1214 seq->private = trav; 1215 trav->nfproto = (unsigned long)PDE_DATA(inode); 1216 return 0; 1217} 1218 1219static const struct file_operations xt_target_ops = { 1220 .owner = THIS_MODULE, 1221 .open = xt_target_open, 1222 .read = seq_read, 1223 .llseek = seq_lseek, 1224 .release = seq_release_private, 1225}; 1226 1227#define FORMAT_TABLES "_tables_names" 1228#define FORMAT_MATCHES "_tables_matches" 1229#define FORMAT_TARGETS "_tables_targets" 1230 1231#endif /* CONFIG_PROC_FS */ 1232 1233/** 1234 * xt_hook_link - set up hooks for a new table 1235 * @table: table with metadata needed to set up hooks 1236 * @fn: Hook function 1237 * 1238 * This function will take care of creating and registering the necessary 1239 * Netfilter hooks for XT tables. 1240 */ 1241struct nf_hook_ops *xt_hook_link(const struct xt_table *table, nf_hookfn *fn) 1242{ 1243 unsigned int hook_mask = table->valid_hooks; 1244 uint8_t i, num_hooks = hweight32(hook_mask); 1245 uint8_t hooknum; 1246 struct nf_hook_ops *ops; 1247 int ret; 1248 1249 ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL); 1250 if (ops == NULL) 1251 return ERR_PTR(-ENOMEM); 1252 1253 for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0; 1254 hook_mask >>= 1, ++hooknum) { 1255 if (!(hook_mask & 1)) 1256 continue; 1257 ops[i].hook = fn; 1258 ops[i].owner = table->me; 1259 ops[i].pf = table->af; 1260 ops[i].hooknum = hooknum; 1261 ops[i].priority = table->priority; 1262 ++i; 1263 } 1264 1265 ret = nf_register_hooks(ops, num_hooks); 1266 if (ret < 0) { 1267 kfree(ops); 1268 return ERR_PTR(ret); 1269 } 1270 1271 return ops; 1272} 1273EXPORT_SYMBOL_GPL(xt_hook_link); 1274 1275/** 1276 * xt_hook_unlink - remove hooks for a table 1277 * @ops: nf_hook_ops array as returned by nf_hook_link 1278 * @hook_mask: the very same mask that was passed to nf_hook_link 1279 */ 1280void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops) 1281{ 1282 nf_unregister_hooks(ops, hweight32(table->valid_hooks)); 1283 kfree(ops); 1284} 1285EXPORT_SYMBOL_GPL(xt_hook_unlink); 1286 1287int xt_proto_init(struct net *net, u_int8_t af) 1288{ 1289#ifdef CONFIG_PROC_FS 1290 char buf[XT_FUNCTION_MAXNAMELEN]; 1291 struct proc_dir_entry *proc; 1292#endif 1293 1294 if (af >= ARRAY_SIZE(xt_prefix)) 1295 return -EINVAL; 1296 1297 1298#ifdef CONFIG_PROC_FS 1299 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1300 strlcat(buf, FORMAT_TABLES, sizeof(buf)); 1301 proc = proc_create_data(buf, 0440, net->proc_net, &xt_table_ops, 1302 (void *)(unsigned long)af); 1303 if (!proc) 1304 goto out; 1305 1306 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1307 strlcat(buf, FORMAT_MATCHES, sizeof(buf)); 1308 proc = proc_create_data(buf, 0440, net->proc_net, &xt_match_ops, 1309 (void *)(unsigned long)af); 1310 if (!proc) 1311 goto out_remove_tables; 1312 1313 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1314 strlcat(buf, FORMAT_TARGETS, sizeof(buf)); 1315 proc = proc_create_data(buf, 0440, net->proc_net, &xt_target_ops, 1316 (void *)(unsigned long)af); 1317 if (!proc) 1318 goto out_remove_matches; 1319#endif 1320 1321 return 0; 1322 1323#ifdef CONFIG_PROC_FS 1324out_remove_matches: 1325 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1326 strlcat(buf, FORMAT_MATCHES, sizeof(buf)); 1327 remove_proc_entry(buf, net->proc_net); 1328 1329out_remove_tables: 1330 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1331 strlcat(buf, FORMAT_TABLES, sizeof(buf)); 1332 remove_proc_entry(buf, net->proc_net); 1333out: 1334 return -1; 1335#endif 1336} 1337EXPORT_SYMBOL_GPL(xt_proto_init); 1338 1339void xt_proto_fini(struct net *net, u_int8_t af) 1340{ 1341#ifdef CONFIG_PROC_FS 1342 char buf[XT_FUNCTION_MAXNAMELEN]; 1343 1344 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1345 strlcat(buf, FORMAT_TABLES, sizeof(buf)); 1346 remove_proc_entry(buf, net->proc_net); 1347 1348 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1349 strlcat(buf, FORMAT_TARGETS, sizeof(buf)); 1350 remove_proc_entry(buf, net->proc_net); 1351 1352 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1353 strlcat(buf, FORMAT_MATCHES, sizeof(buf)); 1354 remove_proc_entry(buf, net->proc_net); 1355#endif /*CONFIG_PROC_FS*/ 1356} 1357EXPORT_SYMBOL_GPL(xt_proto_fini); 1358 1359static int __net_init xt_net_init(struct net *net) 1360{ 1361 int i; 1362 1363 for (i = 0; i < NFPROTO_NUMPROTO; i++) 1364 INIT_LIST_HEAD(&net->xt.tables[i]); 1365 return 0; 1366} 1367 1368static struct pernet_operations xt_net_ops = { 1369 .init = xt_net_init, 1370}; 1371 1372static int __init xt_init(void) 1373{ 1374 unsigned int i; 1375 int rv; 1376 1377 for_each_possible_cpu(i) { 1378 seqcount_init(&per_cpu(xt_recseq, i)); 1379 } 1380 1381 xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL); 1382 if (!xt) 1383 return -ENOMEM; 1384 1385 for (i = 0; i < NFPROTO_NUMPROTO; i++) { 1386 mutex_init(&xt[i].mutex); 1387#ifdef CONFIG_COMPAT 1388 mutex_init(&xt[i].compat_mutex); 1389 xt[i].compat_tab = NULL; 1390#endif 1391 INIT_LIST_HEAD(&xt[i].target); 1392 INIT_LIST_HEAD(&xt[i].match); 1393 } 1394 rv = register_pernet_subsys(&xt_net_ops); 1395 if (rv < 0) 1396 kfree(xt); 1397 return rv; 1398} 1399 1400static void __exit xt_fini(void) 1401{ 1402 unregister_pernet_subsys(&xt_net_ops); 1403 kfree(xt); 1404} 1405 1406module_init(xt_init); 1407module_exit(xt_fini); 1408