net/netfilter/x_tables.c at v3.9-rc6

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / net / netfilter / x_tables.c
at v3.9-rc6 1407 lines 34 kB view raw
wrap content
   1/*
   2 * x_tables core - Backend for {ip,ip6,arp}_tables
   3 *
   4 * Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
   5 *
   6 * Based on existing ip_tables code which is
   7 *   Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
   8 *   Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
   9 *
  10 * This program is free software; you can redistribute it and/or modify
  11 * it under the terms of the GNU General Public License version 2 as
  12 * published by the Free Software Foundation.
  13 *
  14 */
  15#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  16#include <linux/kernel.h>
  17#include <linux/module.h>
  18#include <linux/socket.h>
  19#include <linux/net.h>
  20#include <linux/proc_fs.h>
  21#include <linux/seq_file.h>
  22#include <linux/string.h>
  23#include <linux/vmalloc.h>
  24#include <linux/mutex.h>
  25#include <linux/mm.h>
  26#include <linux/slab.h>
  27#include <linux/audit.h>
  28#include <net/net_namespace.h>
  29
  30#include <linux/netfilter/x_tables.h>
  31#include <linux/netfilter_arp.h>
  32#include <linux/netfilter_ipv4/ip_tables.h>
  33#include <linux/netfilter_ipv6/ip6_tables.h>
  34#include <linux/netfilter_arp/arp_tables.h>
  35
  36MODULE_LICENSE("GPL");
  37MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
  38MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
  39
  40#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
  41
  42struct compat_delta {
  43	unsigned int offset; /* offset in kernel */
  44	int delta; /* delta in 32bit user land */
  45};
  46
  47struct xt_af {
  48	struct mutex mutex;
  49	struct list_head match;
  50	struct list_head target;
  51#ifdef CONFIG_COMPAT
  52	struct mutex compat_mutex;
  53	struct compat_delta *compat_tab;
  54	unsigned int number; /* number of slots in compat_tab[] */
  55	unsigned int cur; /* number of used slots in compat_tab[] */
  56#endif
  57};
  58
  59static struct xt_af *xt;
  60
  61static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
  62	[NFPROTO_UNSPEC] = "x",
  63	[NFPROTO_IPV4]   = "ip",
  64	[NFPROTO_ARP]    = "arp",
  65	[NFPROTO_BRIDGE] = "eb",
  66	[NFPROTO_IPV6]   = "ip6",
  67};
  68
  69/* Allow this many total (re)entries. */
  70static const unsigned int xt_jumpstack_multiplier = 2;
  71
  72/* Registration hooks for targets. */
  73int
  74xt_register_target(struct xt_target *target)
  75{
  76	u_int8_t af = target->family;
  77	int ret;
  78
  79	ret = mutex_lock_interruptible(&xt[af].mutex);
  80	if (ret != 0)
  81		return ret;
  82	list_add(&target->list, &xt[af].target);
  83	mutex_unlock(&xt[af].mutex);
  84	return ret;
  85}
  86EXPORT_SYMBOL(xt_register_target);
  87
  88void
  89xt_unregister_target(struct xt_target *target)
  90{
  91	u_int8_t af = target->family;
  92
  93	mutex_lock(&xt[af].mutex);
  94	list_del(&target->list);
  95	mutex_unlock(&xt[af].mutex);
  96}
  97EXPORT_SYMBOL(xt_unregister_target);
  98
  99int
 100xt_register_targets(struct xt_target *target, unsigned int n)
 101{
 102	unsigned int i;
 103	int err = 0;
 104
 105	for (i = 0; i < n; i++) {
 106		err = xt_register_target(&target[i]);
 107		if (err)
 108			goto err;
 109	}
 110	return err;
 111
 112err:
 113	if (i > 0)
 114		xt_unregister_targets(target, i);
 115	return err;
 116}
 117EXPORT_SYMBOL(xt_register_targets);
 118
 119void
 120xt_unregister_targets(struct xt_target *target, unsigned int n)
 121{
 122	while (n-- > 0)
 123		xt_unregister_target(&target[n]);
 124}
 125EXPORT_SYMBOL(xt_unregister_targets);
 126
 127int
 128xt_register_match(struct xt_match *match)
 129{
 130	u_int8_t af = match->family;
 131	int ret;
 132
 133	ret = mutex_lock_interruptible(&xt[af].mutex);
 134	if (ret != 0)
 135		return ret;
 136
 137	list_add(&match->list, &xt[af].match);
 138	mutex_unlock(&xt[af].mutex);
 139
 140	return ret;
 141}
 142EXPORT_SYMBOL(xt_register_match);
 143
 144void
 145xt_unregister_match(struct xt_match *match)
 146{
 147	u_int8_t af = match->family;
 148
 149	mutex_lock(&xt[af].mutex);
 150	list_del(&match->list);
 151	mutex_unlock(&xt[af].mutex);
 152}
 153EXPORT_SYMBOL(xt_unregister_match);
 154
 155int
 156xt_register_matches(struct xt_match *match, unsigned int n)
 157{
 158	unsigned int i;
 159	int err = 0;
 160
 161	for (i = 0; i < n; i++) {
 162		err = xt_register_match(&match[i]);
 163		if (err)
 164			goto err;
 165	}
 166	return err;
 167
 168err:
 169	if (i > 0)
 170		xt_unregister_matches(match, i);
 171	return err;
 172}
 173EXPORT_SYMBOL(xt_register_matches);
 174
 175void
 176xt_unregister_matches(struct xt_match *match, unsigned int n)
 177{
 178	while (n-- > 0)
 179		xt_unregister_match(&match[n]);
 180}
 181EXPORT_SYMBOL(xt_unregister_matches);
 182
 183
 184/*
 185 * These are weird, but module loading must not be done with mutex
 186 * held (since they will register), and we have to have a single
 187 * function to use.
 188 */
 189
 190/* Find match, grabs ref.  Returns ERR_PTR() on error. */
 191struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
 192{
 193	struct xt_match *m;
 194	int err = -ENOENT;
 195
 196	if (mutex_lock_interruptible(&xt[af].mutex) != 0)
 197		return ERR_PTR(-EINTR);
 198
 199	list_for_each_entry(m, &xt[af].match, list) {
 200		if (strcmp(m->name, name) == 0) {
 201			if (m->revision == revision) {
 202				if (try_module_get(m->me)) {
 203					mutex_unlock(&xt[af].mutex);
 204					return m;
 205				}
 206			} else
 207				err = -EPROTOTYPE; /* Found something. */
 208		}
 209	}
 210	mutex_unlock(&xt[af].mutex);
 211
 212	if (af != NFPROTO_UNSPEC)
 213		/* Try searching again in the family-independent list */
 214		return xt_find_match(NFPROTO_UNSPEC, name, revision);
 215
 216	return ERR_PTR(err);
 217}
 218EXPORT_SYMBOL(xt_find_match);
 219
 220struct xt_match *
 221xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
 222{
 223	struct xt_match *match;
 224
 225	match = xt_find_match(nfproto, name, revision);
 226	if (IS_ERR(match)) {
 227		request_module("%st_%s", xt_prefix[nfproto], name);
 228		match = xt_find_match(nfproto, name, revision);
 229	}
 230
 231	return match;
 232}
 233EXPORT_SYMBOL_GPL(xt_request_find_match);
 234
 235/* Find target, grabs ref.  Returns ERR_PTR() on error. */
 236struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
 237{
 238	struct xt_target *t;
 239	int err = -ENOENT;
 240
 241	if (mutex_lock_interruptible(&xt[af].mutex) != 0)
 242		return ERR_PTR(-EINTR);
 243
 244	list_for_each_entry(t, &xt[af].target, list) {
 245		if (strcmp(t->name, name) == 0) {
 246			if (t->revision == revision) {
 247				if (try_module_get(t->me)) {
 248					mutex_unlock(&xt[af].mutex);
 249					return t;
 250				}
 251			} else
 252				err = -EPROTOTYPE; /* Found something. */
 253		}
 254	}
 255	mutex_unlock(&xt[af].mutex);
 256
 257	if (af != NFPROTO_UNSPEC)
 258		/* Try searching again in the family-independent list */
 259		return xt_find_target(NFPROTO_UNSPEC, name, revision);
 260
 261	return ERR_PTR(err);
 262}
 263EXPORT_SYMBOL(xt_find_target);
 264
 265struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
 266{
 267	struct xt_target *target;
 268
 269	target = xt_find_target(af, name, revision);
 270	if (IS_ERR(target)) {
 271		request_module("%st_%s", xt_prefix[af], name);
 272		target = xt_find_target(af, name, revision);
 273	}
 274
 275	return target;
 276}
 277EXPORT_SYMBOL_GPL(xt_request_find_target);
 278
 279static int match_revfn(u8 af, const char *name, u8 revision, int *bestp)
 280{
 281	const struct xt_match *m;
 282	int have_rev = 0;
 283
 284	list_for_each_entry(m, &xt[af].match, list) {
 285		if (strcmp(m->name, name) == 0) {
 286			if (m->revision > *bestp)
 287				*bestp = m->revision;
 288			if (m->revision == revision)
 289				have_rev = 1;
 290		}
 291	}
 292
 293	if (af != NFPROTO_UNSPEC && !have_rev)
 294		return match_revfn(NFPROTO_UNSPEC, name, revision, bestp);
 295
 296	return have_rev;
 297}
 298
 299static int target_revfn(u8 af, const char *name, u8 revision, int *bestp)
 300{
 301	const struct xt_target *t;
 302	int have_rev = 0;
 303
 304	list_for_each_entry(t, &xt[af].target, list) {
 305		if (strcmp(t->name, name) == 0) {
 306			if (t->revision > *bestp)
 307				*bestp = t->revision;
 308			if (t->revision == revision)
 309				have_rev = 1;
 310		}
 311	}
 312
 313	if (af != NFPROTO_UNSPEC && !have_rev)
 314		return target_revfn(NFPROTO_UNSPEC, name, revision, bestp);
 315
 316	return have_rev;
 317}
 318
 319/* Returns true or false (if no such extension at all) */
 320int xt_find_revision(u8 af, const char *name, u8 revision, int target,
 321		     int *err)
 322{
 323	int have_rev, best = -1;
 324
 325	if (mutex_lock_interruptible(&xt[af].mutex) != 0) {
 326		*err = -EINTR;
 327		return 1;
 328	}
 329	if (target == 1)
 330		have_rev = target_revfn(af, name, revision, &best);
 331	else
 332		have_rev = match_revfn(af, name, revision, &best);
 333	mutex_unlock(&xt[af].mutex);
 334
 335	/* Nothing at all?  Return 0 to try loading module. */
 336	if (best == -1) {
 337		*err = -ENOENT;
 338		return 0;
 339	}
 340
 341	*err = best;
 342	if (!have_rev)
 343		*err = -EPROTONOSUPPORT;
 344	return 1;
 345}
 346EXPORT_SYMBOL_GPL(xt_find_revision);
 347
 348static char *
 349textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto)
 350{
 351	static const char *const inetbr_names[] = {
 352		"PREROUTING", "INPUT", "FORWARD",
 353		"OUTPUT", "POSTROUTING", "BROUTING",
 354	};
 355	static const char *const arp_names[] = {
 356		"INPUT", "FORWARD", "OUTPUT",
 357	};
 358	const char *const *names;
 359	unsigned int i, max;
 360	char *p = buf;
 361	bool np = false;
 362	int res;
 363
 364	names = (nfproto == NFPROTO_ARP) ? arp_names : inetbr_names;
 365	max   = (nfproto == NFPROTO_ARP) ? ARRAY_SIZE(arp_names) :
 366	                                   ARRAY_SIZE(inetbr_names);
 367	*p = '\0';
 368	for (i = 0; i < max; ++i) {
 369		if (!(mask & (1 << i)))
 370			continue;
 371		res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]);
 372		if (res > 0) {
 373			size -= res;
 374			p += res;
 375		}
 376		np = true;
 377	}
 378
 379	return buf;
 380}
 381
 382int xt_check_match(struct xt_mtchk_param *par,
 383		   unsigned int size, u_int8_t proto, bool inv_proto)
 384{
 385	int ret;
 386
 387	if (XT_ALIGN(par->match->matchsize) != size &&
 388	    par->match->matchsize != -1) {
 389		/*
 390		 * ebt_among is exempt from centralized matchsize checking
 391		 * because it uses a dynamic-size data set.
 392		 */
 393		pr_err("%s_tables: %s.%u match: invalid size "
 394		       "%u (kernel) != (user) %u\n",
 395		       xt_prefix[par->family], par->match->name,
 396		       par->match->revision,
 397		       XT_ALIGN(par->match->matchsize), size);
 398		return -EINVAL;
 399	}
 400	if (par->match->table != NULL &&
 401	    strcmp(par->match->table, par->table) != 0) {
 402		pr_err("%s_tables: %s match: only valid in %s table, not %s\n",
 403		       xt_prefix[par->family], par->match->name,
 404		       par->match->table, par->table);
 405		return -EINVAL;
 406	}
 407	if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
 408		char used[64], allow[64];
 409
 410		pr_err("%s_tables: %s match: used from hooks %s, but only "
 411		       "valid from %s\n",
 412		       xt_prefix[par->family], par->match->name,
 413		       textify_hooks(used, sizeof(used), par->hook_mask,
 414		                     par->family),
 415		       textify_hooks(allow, sizeof(allow), par->match->hooks,
 416		                     par->family));
 417		return -EINVAL;
 418	}
 419	if (par->match->proto && (par->match->proto != proto || inv_proto)) {
 420		pr_err("%s_tables: %s match: only valid for protocol %u\n",
 421		       xt_prefix[par->family], par->match->name,
 422		       par->match->proto);
 423		return -EINVAL;
 424	}
 425	if (par->match->checkentry != NULL) {
 426		ret = par->match->checkentry(par);
 427		if (ret < 0)
 428			return ret;
 429		else if (ret > 0)
 430			/* Flag up potential errors. */
 431			return -EIO;
 432	}
 433	return 0;
 434}
 435EXPORT_SYMBOL_GPL(xt_check_match);
 436
 437#ifdef CONFIG_COMPAT
 438int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
 439{
 440	struct xt_af *xp = &xt[af];
 441
 442	if (!xp->compat_tab) {
 443		if (!xp->number)
 444			return -EINVAL;
 445		xp->compat_tab = vmalloc(sizeof(struct compat_delta) * xp->number);
 446		if (!xp->compat_tab)
 447			return -ENOMEM;
 448		xp->cur = 0;
 449	}
 450
 451	if (xp->cur >= xp->number)
 452		return -EINVAL;
 453
 454	if (xp->cur)
 455		delta += xp->compat_tab[xp->cur - 1].delta;
 456	xp->compat_tab[xp->cur].offset = offset;
 457	xp->compat_tab[xp->cur].delta = delta;
 458	xp->cur++;
 459	return 0;
 460}
 461EXPORT_SYMBOL_GPL(xt_compat_add_offset);
 462
 463void xt_compat_flush_offsets(u_int8_t af)
 464{
 465	if (xt[af].compat_tab) {
 466		vfree(xt[af].compat_tab);
 467		xt[af].compat_tab = NULL;
 468		xt[af].number = 0;
 469		xt[af].cur = 0;
 470	}
 471}
 472EXPORT_SYMBOL_GPL(xt_compat_flush_offsets);
 473
 474int xt_compat_calc_jump(u_int8_t af, unsigned int offset)
 475{
 476	struct compat_delta *tmp = xt[af].compat_tab;
 477	int mid, left = 0, right = xt[af].cur - 1;
 478
 479	while (left <= right) {
 480		mid = (left + right) >> 1;
 481		if (offset > tmp[mid].offset)
 482			left = mid + 1;
 483		else if (offset < tmp[mid].offset)
 484			right = mid - 1;
 485		else
 486			return mid ? tmp[mid - 1].delta : 0;
 487	}
 488	return left ? tmp[left - 1].delta : 0;
 489}
 490EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
 491
 492void xt_compat_init_offsets(u_int8_t af, unsigned int number)
 493{
 494	xt[af].number = number;
 495	xt[af].cur = 0;
 496}
 497EXPORT_SYMBOL(xt_compat_init_offsets);
 498
 499int xt_compat_match_offset(const struct xt_match *match)
 500{
 501	u_int16_t csize = match->compatsize ? : match->matchsize;
 502	return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
 503}
 504EXPORT_SYMBOL_GPL(xt_compat_match_offset);
 505
 506int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
 507			      unsigned int *size)
 508{
 509	const struct xt_match *match = m->u.kernel.match;
 510	struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
 511	int pad, off = xt_compat_match_offset(match);
 512	u_int16_t msize = cm->u.user.match_size;
 513
 514	m = *dstptr;
 515	memcpy(m, cm, sizeof(*cm));
 516	if (match->compat_from_user)
 517		match->compat_from_user(m->data, cm->data);
 518	else
 519		memcpy(m->data, cm->data, msize - sizeof(*cm));
 520	pad = XT_ALIGN(match->matchsize) - match->matchsize;
 521	if (pad > 0)
 522		memset(m->data + match->matchsize, 0, pad);
 523
 524	msize += off;
 525	m->u.user.match_size = msize;
 526
 527	*size += off;
 528	*dstptr += msize;
 529	return 0;
 530}
 531EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
 532
 533int xt_compat_match_to_user(const struct xt_entry_match *m,
 534			    void __user **dstptr, unsigned int *size)
 535{
 536	const struct xt_match *match = m->u.kernel.match;
 537	struct compat_xt_entry_match __user *cm = *dstptr;
 538	int off = xt_compat_match_offset(match);
 539	u_int16_t msize = m->u.user.match_size - off;
 540
 541	if (copy_to_user(cm, m, sizeof(*cm)) ||
 542	    put_user(msize, &cm->u.user.match_size) ||
 543	    copy_to_user(cm->u.user.name, m->u.kernel.match->name,
 544			 strlen(m->u.kernel.match->name) + 1))
 545		return -EFAULT;
 546
 547	if (match->compat_to_user) {
 548		if (match->compat_to_user((void __user *)cm->data, m->data))
 549			return -EFAULT;
 550	} else {
 551		if (copy_to_user(cm->data, m->data, msize - sizeof(*cm)))
 552			return -EFAULT;
 553	}
 554
 555	*size -= off;
 556	*dstptr += msize;
 557	return 0;
 558}
 559EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
 560#endif /* CONFIG_COMPAT */
 561
 562int xt_check_target(struct xt_tgchk_param *par,
 563		    unsigned int size, u_int8_t proto, bool inv_proto)
 564{
 565	int ret;
 566
 567	if (XT_ALIGN(par->target->targetsize) != size) {
 568		pr_err("%s_tables: %s.%u target: invalid size "
 569		       "%u (kernel) != (user) %u\n",
 570		       xt_prefix[par->family], par->target->name,
 571		       par->target->revision,
 572		       XT_ALIGN(par->target->targetsize), size);
 573		return -EINVAL;
 574	}
 575	if (par->target->table != NULL &&
 576	    strcmp(par->target->table, par->table) != 0) {
 577		pr_err("%s_tables: %s target: only valid in %s table, not %s\n",
 578		       xt_prefix[par->family], par->target->name,
 579		       par->target->table, par->table);
 580		return -EINVAL;
 581	}
 582	if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) {
 583		char used[64], allow[64];
 584
 585		pr_err("%s_tables: %s target: used from hooks %s, but only "
 586		       "usable from %s\n",
 587		       xt_prefix[par->family], par->target->name,
 588		       textify_hooks(used, sizeof(used), par->hook_mask,
 589		                     par->family),
 590		       textify_hooks(allow, sizeof(allow), par->target->hooks,
 591		                     par->family));
 592		return -EINVAL;
 593	}
 594	if (par->target->proto && (par->target->proto != proto || inv_proto)) {
 595		pr_err("%s_tables: %s target: only valid for protocol %u\n",
 596		       xt_prefix[par->family], par->target->name,
 597		       par->target->proto);
 598		return -EINVAL;
 599	}
 600	if (par->target->checkentry != NULL) {
 601		ret = par->target->checkentry(par);
 602		if (ret < 0)
 603			return ret;
 604		else if (ret > 0)
 605			/* Flag up potential errors. */
 606			return -EIO;
 607	}
 608	return 0;
 609}
 610EXPORT_SYMBOL_GPL(xt_check_target);
 611
 612#ifdef CONFIG_COMPAT
 613int xt_compat_target_offset(const struct xt_target *target)
 614{
 615	u_int16_t csize = target->compatsize ? : target->targetsize;
 616	return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
 617}
 618EXPORT_SYMBOL_GPL(xt_compat_target_offset);
 619
 620void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
 621				unsigned int *size)
 622{
 623	const struct xt_target *target = t->u.kernel.target;
 624	struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
 625	int pad, off = xt_compat_target_offset(target);
 626	u_int16_t tsize = ct->u.user.target_size;
 627
 628	t = *dstptr;
 629	memcpy(t, ct, sizeof(*ct));
 630	if (target->compat_from_user)
 631		target->compat_from_user(t->data, ct->data);
 632	else
 633		memcpy(t->data, ct->data, tsize - sizeof(*ct));
 634	pad = XT_ALIGN(target->targetsize) - target->targetsize;
 635	if (pad > 0)
 636		memset(t->data + target->targetsize, 0, pad);
 637
 638	tsize += off;
 639	t->u.user.target_size = tsize;
 640
 641	*size += off;
 642	*dstptr += tsize;
 643}
 644EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
 645
 646int xt_compat_target_to_user(const struct xt_entry_target *t,
 647			     void __user **dstptr, unsigned int *size)
 648{
 649	const struct xt_target *target = t->u.kernel.target;
 650	struct compat_xt_entry_target __user *ct = *dstptr;
 651	int off = xt_compat_target_offset(target);
 652	u_int16_t tsize = t->u.user.target_size - off;
 653
 654	if (copy_to_user(ct, t, sizeof(*ct)) ||
 655	    put_user(tsize, &ct->u.user.target_size) ||
 656	    copy_to_user(ct->u.user.name, t->u.kernel.target->name,
 657			 strlen(t->u.kernel.target->name) + 1))
 658		return -EFAULT;
 659
 660	if (target->compat_to_user) {
 661		if (target->compat_to_user((void __user *)ct->data, t->data))
 662			return -EFAULT;
 663	} else {
 664		if (copy_to_user(ct->data, t->data, tsize - sizeof(*ct)))
 665			return -EFAULT;
 666	}
 667
 668	*size -= off;
 669	*dstptr += tsize;
 670	return 0;
 671}
 672EXPORT_SYMBOL_GPL(xt_compat_target_to_user);
 673#endif
 674
 675struct xt_table_info *xt_alloc_table_info(unsigned int size)
 676{
 677	struct xt_table_info *newinfo;
 678	int cpu;
 679
 680	/* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
 681	if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
 682		return NULL;
 683
 684	newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL);
 685	if (!newinfo)
 686		return NULL;
 687
 688	newinfo->size = size;
 689
 690	for_each_possible_cpu(cpu) {
 691		if (size <= PAGE_SIZE)
 692			newinfo->entries[cpu] = kmalloc_node(size,
 693							GFP_KERNEL,
 694							cpu_to_node(cpu));
 695		else
 696			newinfo->entries[cpu] = vmalloc_node(size,
 697							cpu_to_node(cpu));
 698
 699		if (newinfo->entries[cpu] == NULL) {
 700			xt_free_table_info(newinfo);
 701			return NULL;
 702		}
 703	}
 704
 705	return newinfo;
 706}
 707EXPORT_SYMBOL(xt_alloc_table_info);
 708
 709void xt_free_table_info(struct xt_table_info *info)
 710{
 711	int cpu;
 712
 713	for_each_possible_cpu(cpu) {
 714		if (info->size <= PAGE_SIZE)
 715			kfree(info->entries[cpu]);
 716		else
 717			vfree(info->entries[cpu]);
 718	}
 719
 720	if (info->jumpstack != NULL) {
 721		if (sizeof(void *) * info->stacksize > PAGE_SIZE) {
 722			for_each_possible_cpu(cpu)
 723				vfree(info->jumpstack[cpu]);
 724		} else {
 725			for_each_possible_cpu(cpu)
 726				kfree(info->jumpstack[cpu]);
 727		}
 728	}
 729
 730	if (sizeof(void **) * nr_cpu_ids > PAGE_SIZE)
 731		vfree(info->jumpstack);
 732	else
 733		kfree(info->jumpstack);
 734
 735	free_percpu(info->stackptr);
 736
 737	kfree(info);
 738}
 739EXPORT_SYMBOL(xt_free_table_info);
 740
 741/* Find table by name, grabs mutex & ref.  Returns ERR_PTR() on error. */
 742struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
 743				    const char *name)
 744{
 745	struct xt_table *t;
 746
 747	if (mutex_lock_interruptible(&xt[af].mutex) != 0)
 748		return ERR_PTR(-EINTR);
 749
 750	list_for_each_entry(t, &net->xt.tables[af], list)
 751		if (strcmp(t->name, name) == 0 && try_module_get(t->me))
 752			return t;
 753	mutex_unlock(&xt[af].mutex);
 754	return NULL;
 755}
 756EXPORT_SYMBOL_GPL(xt_find_table_lock);
 757
 758void xt_table_unlock(struct xt_table *table)
 759{
 760	mutex_unlock(&xt[table->af].mutex);
 761}
 762EXPORT_SYMBOL_GPL(xt_table_unlock);
 763
 764#ifdef CONFIG_COMPAT
 765void xt_compat_lock(u_int8_t af)
 766{
 767	mutex_lock(&xt[af].compat_mutex);
 768}
 769EXPORT_SYMBOL_GPL(xt_compat_lock);
 770
 771void xt_compat_unlock(u_int8_t af)
 772{
 773	mutex_unlock(&xt[af].compat_mutex);
 774}
 775EXPORT_SYMBOL_GPL(xt_compat_unlock);
 776#endif
 777
 778DEFINE_PER_CPU(seqcount_t, xt_recseq);
 779EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
 780
 781static int xt_jumpstack_alloc(struct xt_table_info *i)
 782{
 783	unsigned int size;
 784	int cpu;
 785
 786	i->stackptr = alloc_percpu(unsigned int);
 787	if (i->stackptr == NULL)
 788		return -ENOMEM;
 789
 790	size = sizeof(void **) * nr_cpu_ids;
 791	if (size > PAGE_SIZE)
 792		i->jumpstack = vzalloc(size);
 793	else
 794		i->jumpstack = kzalloc(size, GFP_KERNEL);
 795	if (i->jumpstack == NULL)
 796		return -ENOMEM;
 797
 798	i->stacksize *= xt_jumpstack_multiplier;
 799	size = sizeof(void *) * i->stacksize;
 800	for_each_possible_cpu(cpu) {
 801		if (size > PAGE_SIZE)
 802			i->jumpstack[cpu] = vmalloc_node(size,
 803				cpu_to_node(cpu));
 804		else
 805			i->jumpstack[cpu] = kmalloc_node(size,
 806				GFP_KERNEL, cpu_to_node(cpu));
 807		if (i->jumpstack[cpu] == NULL)
 808			/*
 809			 * Freeing will be done later on by the callers. The
 810			 * chain is: xt_replace_table -> __do_replace ->
 811			 * do_replace -> xt_free_table_info.
 812			 */
 813			return -ENOMEM;
 814	}
 815
 816	return 0;
 817}
 818
 819struct xt_table_info *
 820xt_replace_table(struct xt_table *table,
 821	      unsigned int num_counters,
 822	      struct xt_table_info *newinfo,
 823	      int *error)
 824{
 825	struct xt_table_info *private;
 826	int ret;
 827
 828	ret = xt_jumpstack_alloc(newinfo);
 829	if (ret < 0) {
 830		*error = ret;
 831		return NULL;
 832	}
 833
 834	/* Do the substitution. */
 835	local_bh_disable();
 836	private = table->private;
 837
 838	/* Check inside lock: is the old number correct? */
 839	if (num_counters != private->number) {
 840		pr_debug("num_counters != table->private->number (%u/%u)\n",
 841			 num_counters, private->number);
 842		local_bh_enable();
 843		*error = -EAGAIN;
 844		return NULL;
 845	}
 846
 847	table->private = newinfo;
 848	newinfo->initial_entries = private->initial_entries;
 849
 850	/*
 851	 * Even though table entries have now been swapped, other CPU's
 852	 * may still be using the old entries. This is okay, because
 853	 * resynchronization happens because of the locking done
 854	 * during the get_counters() routine.
 855	 */
 856	local_bh_enable();
 857
 858#ifdef CONFIG_AUDIT
 859	if (audit_enabled) {
 860		struct audit_buffer *ab;
 861
 862		ab = audit_log_start(current->audit_context, GFP_KERNEL,
 863				     AUDIT_NETFILTER_CFG);
 864		if (ab) {
 865			audit_log_format(ab, "table=%s family=%u entries=%u",
 866					 table->name, table->af,
 867					 private->number);
 868			audit_log_end(ab);
 869		}
 870	}
 871#endif
 872
 873	return private;
 874}
 875EXPORT_SYMBOL_GPL(xt_replace_table);
 876
 877struct xt_table *xt_register_table(struct net *net,
 878				   const struct xt_table *input_table,
 879				   struct xt_table_info *bootstrap,
 880				   struct xt_table_info *newinfo)
 881{
 882	int ret;
 883	struct xt_table_info *private;
 884	struct xt_table *t, *table;
 885
 886	/* Don't add one object to multiple lists. */
 887	table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
 888	if (!table) {
 889		ret = -ENOMEM;
 890		goto out;
 891	}
 892
 893	ret = mutex_lock_interruptible(&xt[table->af].mutex);
 894	if (ret != 0)
 895		goto out_free;
 896
 897	/* Don't autoload: we'd eat our tail... */
 898	list_for_each_entry(t, &net->xt.tables[table->af], list) {
 899		if (strcmp(t->name, table->name) == 0) {
 900			ret = -EEXIST;
 901			goto unlock;
 902		}
 903	}
 904
 905	/* Simplifies replace_table code. */
 906	table->private = bootstrap;
 907
 908	if (!xt_replace_table(table, 0, newinfo, &ret))
 909		goto unlock;
 910
 911	private = table->private;
 912	pr_debug("table->private->number = %u\n", private->number);
 913
 914	/* save number of initial entries */
 915	private->initial_entries = private->number;
 916
 917	list_add(&table->list, &net->xt.tables[table->af]);
 918	mutex_unlock(&xt[table->af].mutex);
 919	return table;
 920
 921 unlock:
 922	mutex_unlock(&xt[table->af].mutex);
 923out_free:
 924	kfree(table);
 925out:
 926	return ERR_PTR(ret);
 927}
 928EXPORT_SYMBOL_GPL(xt_register_table);
 929
 930void *xt_unregister_table(struct xt_table *table)
 931{
 932	struct xt_table_info *private;
 933
 934	mutex_lock(&xt[table->af].mutex);
 935	private = table->private;
 936	list_del(&table->list);
 937	mutex_unlock(&xt[table->af].mutex);
 938	kfree(table);
 939
 940	return private;
 941}
 942EXPORT_SYMBOL_GPL(xt_unregister_table);
 943
 944#ifdef CONFIG_PROC_FS
 945struct xt_names_priv {
 946	struct seq_net_private p;
 947	u_int8_t af;
 948};
 949static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos)
 950{
 951	struct xt_names_priv *priv = seq->private;
 952	struct net *net = seq_file_net(seq);
 953	u_int8_t af = priv->af;
 954
 955	mutex_lock(&xt[af].mutex);
 956	return seq_list_start(&net->xt.tables[af], *pos);
 957}
 958
 959static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 960{
 961	struct xt_names_priv *priv = seq->private;
 962	struct net *net = seq_file_net(seq);
 963	u_int8_t af = priv->af;
 964
 965	return seq_list_next(v, &net->xt.tables[af], pos);
 966}
 967
 968static void xt_table_seq_stop(struct seq_file *seq, void *v)
 969{
 970	struct xt_names_priv *priv = seq->private;
 971	u_int8_t af = priv->af;
 972
 973	mutex_unlock(&xt[af].mutex);
 974}
 975
 976static int xt_table_seq_show(struct seq_file *seq, void *v)
 977{
 978	struct xt_table *table = list_entry(v, struct xt_table, list);
 979
 980	if (strlen(table->name))
 981		return seq_printf(seq, "%s\n", table->name);
 982	else
 983		return 0;
 984}
 985
 986static const struct seq_operations xt_table_seq_ops = {
 987	.start	= xt_table_seq_start,
 988	.next	= xt_table_seq_next,
 989	.stop	= xt_table_seq_stop,
 990	.show	= xt_table_seq_show,
 991};
 992
 993static int xt_table_open(struct inode *inode, struct file *file)
 994{
 995	int ret;
 996	struct xt_names_priv *priv;
 997
 998	ret = seq_open_net(inode, file, &xt_table_seq_ops,
 999			   sizeof(struct xt_names_priv));
1000	if (!ret) {
1001		priv = ((struct seq_file *)file->private_data)->private;
1002		priv->af = (unsigned long)PDE(inode)->data;
1003	}
1004	return ret;
1005}
1006
1007static const struct file_operations xt_table_ops = {
1008	.owner	 = THIS_MODULE,
1009	.open	 = xt_table_open,
1010	.read	 = seq_read,
1011	.llseek	 = seq_lseek,
1012	.release = seq_release_net,
1013};
1014
1015/*
1016 * Traverse state for ip{,6}_{tables,matches} for helping crossing
1017 * the multi-AF mutexes.
1018 */
1019struct nf_mttg_trav {
1020	struct list_head *head, *curr;
1021	uint8_t class, nfproto;
1022};
1023
1024enum {
1025	MTTG_TRAV_INIT,
1026	MTTG_TRAV_NFP_UNSPEC,
1027	MTTG_TRAV_NFP_SPEC,
1028	MTTG_TRAV_DONE,
1029};
1030
1031static void *xt_mttg_seq_next(struct seq_file *seq, void *v, loff_t *ppos,
1032    bool is_target)
1033{
1034	static const uint8_t next_class[] = {
1035		[MTTG_TRAV_NFP_UNSPEC] = MTTG_TRAV_NFP_SPEC,
1036		[MTTG_TRAV_NFP_SPEC]   = MTTG_TRAV_DONE,
1037	};
1038	struct nf_mttg_trav *trav = seq->private;
1039
1040	switch (trav->class) {
1041	case MTTG_TRAV_INIT:
1042		trav->class = MTTG_TRAV_NFP_UNSPEC;
1043		mutex_lock(&xt[NFPROTO_UNSPEC].mutex);
1044		trav->head = trav->curr = is_target ?
1045			&xt[NFPROTO_UNSPEC].target : &xt[NFPROTO_UNSPEC].match;
1046 		break;
1047	case MTTG_TRAV_NFP_UNSPEC:
1048		trav->curr = trav->curr->next;
1049		if (trav->curr != trav->head)
1050			break;
1051		mutex_unlock(&xt[NFPROTO_UNSPEC].mutex);
1052		mutex_lock(&xt[trav->nfproto].mutex);
1053		trav->head = trav->curr = is_target ?
1054			&xt[trav->nfproto].target : &xt[trav->nfproto].match;
1055		trav->class = next_class[trav->class];
1056		break;
1057	case MTTG_TRAV_NFP_SPEC:
1058		trav->curr = trav->curr->next;
1059		if (trav->curr != trav->head)
1060			break;
1061		/* fallthru, _stop will unlock */
1062	default:
1063		return NULL;
1064	}
1065
1066	if (ppos != NULL)
1067		++*ppos;
1068	return trav;
1069}
1070
1071static void *xt_mttg_seq_start(struct seq_file *seq, loff_t *pos,
1072    bool is_target)
1073{
1074	struct nf_mttg_trav *trav = seq->private;
1075	unsigned int j;
1076
1077	trav->class = MTTG_TRAV_INIT;
1078	for (j = 0; j < *pos; ++j)
1079		if (xt_mttg_seq_next(seq, NULL, NULL, is_target) == NULL)
1080			return NULL;
1081	return trav;
1082}
1083
1084static void xt_mttg_seq_stop(struct seq_file *seq, void *v)
1085{
1086	struct nf_mttg_trav *trav = seq->private;
1087
1088	switch (trav->class) {
1089	case MTTG_TRAV_NFP_UNSPEC:
1090		mutex_unlock(&xt[NFPROTO_UNSPEC].mutex);
1091		break;
1092	case MTTG_TRAV_NFP_SPEC:
1093		mutex_unlock(&xt[trav->nfproto].mutex);
1094		break;
1095	}
1096}
1097
1098static void *xt_match_seq_start(struct seq_file *seq, loff_t *pos)
1099{
1100	return xt_mttg_seq_start(seq, pos, false);
1101}
1102
1103static void *xt_match_seq_next(struct seq_file *seq, void *v, loff_t *ppos)
1104{
1105	return xt_mttg_seq_next(seq, v, ppos, false);
1106}
1107
1108static int xt_match_seq_show(struct seq_file *seq, void *v)
1109{
1110	const struct nf_mttg_trav *trav = seq->private;
1111	const struct xt_match *match;
1112
1113	switch (trav->class) {
1114	case MTTG_TRAV_NFP_UNSPEC:
1115	case MTTG_TRAV_NFP_SPEC:
1116		if (trav->curr == trav->head)
1117			return 0;
1118		match = list_entry(trav->curr, struct xt_match, list);
1119		return (*match->name == '\0') ? 0 :
1120		       seq_printf(seq, "%s\n", match->name);
1121	}
1122	return 0;
1123}
1124
1125static const struct seq_operations xt_match_seq_ops = {
1126	.start	= xt_match_seq_start,
1127	.next	= xt_match_seq_next,
1128	.stop	= xt_mttg_seq_stop,
1129	.show	= xt_match_seq_show,
1130};
1131
1132static int xt_match_open(struct inode *inode, struct file *file)
1133{
1134	struct seq_file *seq;
1135	struct nf_mttg_trav *trav;
1136	int ret;
1137
1138	trav = kmalloc(sizeof(*trav), GFP_KERNEL);
1139	if (trav == NULL)
1140		return -ENOMEM;
1141
1142	ret = seq_open(file, &xt_match_seq_ops);
1143	if (ret < 0) {
1144		kfree(trav);
1145		return ret;
1146	}
1147
1148	seq = file->private_data;
1149	seq->private = trav;
1150	trav->nfproto = (unsigned long)PDE(inode)->data;
1151	return 0;
1152}
1153
1154static const struct file_operations xt_match_ops = {
1155	.owner	 = THIS_MODULE,
1156	.open	 = xt_match_open,
1157	.read	 = seq_read,
1158	.llseek	 = seq_lseek,
1159	.release = seq_release_private,
1160};
1161
1162static void *xt_target_seq_start(struct seq_file *seq, loff_t *pos)
1163{
1164	return xt_mttg_seq_start(seq, pos, true);
1165}
1166
1167static void *xt_target_seq_next(struct seq_file *seq, void *v, loff_t *ppos)
1168{
1169	return xt_mttg_seq_next(seq, v, ppos, true);
1170}
1171
1172static int xt_target_seq_show(struct seq_file *seq, void *v)
1173{
1174	const struct nf_mttg_trav *trav = seq->private;
1175	const struct xt_target *target;
1176
1177	switch (trav->class) {
1178	case MTTG_TRAV_NFP_UNSPEC:
1179	case MTTG_TRAV_NFP_SPEC:
1180		if (trav->curr == trav->head)
1181			return 0;
1182		target = list_entry(trav->curr, struct xt_target, list);
1183		return (*target->name == '\0') ? 0 :
1184		       seq_printf(seq, "%s\n", target->name);
1185	}
1186	return 0;
1187}
1188
1189static const struct seq_operations xt_target_seq_ops = {
1190	.start	= xt_target_seq_start,
1191	.next	= xt_target_seq_next,
1192	.stop	= xt_mttg_seq_stop,
1193	.show	= xt_target_seq_show,
1194};
1195
1196static int xt_target_open(struct inode *inode, struct file *file)
1197{
1198	struct seq_file *seq;
1199	struct nf_mttg_trav *trav;
1200	int ret;
1201
1202	trav = kmalloc(sizeof(*trav), GFP_KERNEL);
1203	if (trav == NULL)
1204		return -ENOMEM;
1205
1206	ret = seq_open(file, &xt_target_seq_ops);
1207	if (ret < 0) {
1208		kfree(trav);
1209		return ret;
1210	}
1211
1212	seq = file->private_data;
1213	seq->private = trav;
1214	trav->nfproto = (unsigned long)PDE(inode)->data;
1215	return 0;
1216}
1217
1218static const struct file_operations xt_target_ops = {
1219	.owner	 = THIS_MODULE,
1220	.open	 = xt_target_open,
1221	.read	 = seq_read,
1222	.llseek	 = seq_lseek,
1223	.release = seq_release_private,
1224};
1225
1226#define FORMAT_TABLES	"_tables_names"
1227#define	FORMAT_MATCHES	"_tables_matches"
1228#define FORMAT_TARGETS 	"_tables_targets"
1229
1230#endif /* CONFIG_PROC_FS */
1231
1232/**
1233 * xt_hook_link - set up hooks for a new table
1234 * @table:	table with metadata needed to set up hooks
1235 * @fn:		Hook function
1236 *
1237 * This function will take care of creating and registering the necessary
1238 * Netfilter hooks for XT tables.
1239 */
1240struct nf_hook_ops *xt_hook_link(const struct xt_table *table, nf_hookfn *fn)
1241{
1242	unsigned int hook_mask = table->valid_hooks;
1243	uint8_t i, num_hooks = hweight32(hook_mask);
1244	uint8_t hooknum;
1245	struct nf_hook_ops *ops;
1246	int ret;
1247
1248	ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL);
1249	if (ops == NULL)
1250		return ERR_PTR(-ENOMEM);
1251
1252	for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0;
1253	     hook_mask >>= 1, ++hooknum) {
1254		if (!(hook_mask & 1))
1255			continue;
1256		ops[i].hook     = fn;
1257		ops[i].owner    = table->me;
1258		ops[i].pf       = table->af;
1259		ops[i].hooknum  = hooknum;
1260		ops[i].priority = table->priority;
1261		++i;
1262	}
1263
1264	ret = nf_register_hooks(ops, num_hooks);
1265	if (ret < 0) {
1266		kfree(ops);
1267		return ERR_PTR(ret);
1268	}
1269
1270	return ops;
1271}
1272EXPORT_SYMBOL_GPL(xt_hook_link);
1273
1274/**
1275 * xt_hook_unlink - remove hooks for a table
1276 * @ops:	nf_hook_ops array as returned by nf_hook_link
1277 * @hook_mask:	the very same mask that was passed to nf_hook_link
1278 */
1279void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops)
1280{
1281	nf_unregister_hooks(ops, hweight32(table->valid_hooks));
1282	kfree(ops);
1283}
1284EXPORT_SYMBOL_GPL(xt_hook_unlink);
1285
1286int xt_proto_init(struct net *net, u_int8_t af)
1287{
1288#ifdef CONFIG_PROC_FS
1289	char buf[XT_FUNCTION_MAXNAMELEN];
1290	struct proc_dir_entry *proc;
1291#endif
1292
1293	if (af >= ARRAY_SIZE(xt_prefix))
1294		return -EINVAL;
1295
1296
1297#ifdef CONFIG_PROC_FS
1298	strlcpy(buf, xt_prefix[af], sizeof(buf));
1299	strlcat(buf, FORMAT_TABLES, sizeof(buf));
1300	proc = proc_create_data(buf, 0440, net->proc_net, &xt_table_ops,
1301				(void *)(unsigned long)af);
1302	if (!proc)
1303		goto out;
1304
1305	strlcpy(buf, xt_prefix[af], sizeof(buf));
1306	strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1307	proc = proc_create_data(buf, 0440, net->proc_net, &xt_match_ops,
1308				(void *)(unsigned long)af);
1309	if (!proc)
1310		goto out_remove_tables;
1311
1312	strlcpy(buf, xt_prefix[af], sizeof(buf));
1313	strlcat(buf, FORMAT_TARGETS, sizeof(buf));
1314	proc = proc_create_data(buf, 0440, net->proc_net, &xt_target_ops,
1315				(void *)(unsigned long)af);
1316	if (!proc)
1317		goto out_remove_matches;
1318#endif
1319
1320	return 0;
1321
1322#ifdef CONFIG_PROC_FS
1323out_remove_matches:
1324	strlcpy(buf, xt_prefix[af], sizeof(buf));
1325	strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1326	remove_proc_entry(buf, net->proc_net);
1327
1328out_remove_tables:
1329	strlcpy(buf, xt_prefix[af], sizeof(buf));
1330	strlcat(buf, FORMAT_TABLES, sizeof(buf));
1331	remove_proc_entry(buf, net->proc_net);
1332out:
1333	return -1;
1334#endif
1335}
1336EXPORT_SYMBOL_GPL(xt_proto_init);
1337
1338void xt_proto_fini(struct net *net, u_int8_t af)
1339{
1340#ifdef CONFIG_PROC_FS
1341	char buf[XT_FUNCTION_MAXNAMELEN];
1342
1343	strlcpy(buf, xt_prefix[af], sizeof(buf));
1344	strlcat(buf, FORMAT_TABLES, sizeof(buf));
1345	remove_proc_entry(buf, net->proc_net);
1346
1347	strlcpy(buf, xt_prefix[af], sizeof(buf));
1348	strlcat(buf, FORMAT_TARGETS, sizeof(buf));
1349	remove_proc_entry(buf, net->proc_net);
1350
1351	strlcpy(buf, xt_prefix[af], sizeof(buf));
1352	strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1353	remove_proc_entry(buf, net->proc_net);
1354#endif /*CONFIG_PROC_FS*/
1355}
1356EXPORT_SYMBOL_GPL(xt_proto_fini);
1357
1358static int __net_init xt_net_init(struct net *net)
1359{
1360	int i;
1361
1362	for (i = 0; i < NFPROTO_NUMPROTO; i++)
1363		INIT_LIST_HEAD(&net->xt.tables[i]);
1364	return 0;
1365}
1366
1367static struct pernet_operations xt_net_ops = {
1368	.init = xt_net_init,
1369};
1370
1371static int __init xt_init(void)
1372{
1373	unsigned int i;
1374	int rv;
1375
1376	for_each_possible_cpu(i) {
1377		seqcount_init(&per_cpu(xt_recseq, i));
1378	}
1379
1380	xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL);
1381	if (!xt)
1382		return -ENOMEM;
1383
1384	for (i = 0; i < NFPROTO_NUMPROTO; i++) {
1385		mutex_init(&xt[i].mutex);
1386#ifdef CONFIG_COMPAT
1387		mutex_init(&xt[i].compat_mutex);
1388		xt[i].compat_tab = NULL;
1389#endif
1390		INIT_LIST_HEAD(&xt[i].target);
1391		INIT_LIST_HEAD(&xt[i].match);
1392	}
1393	rv = register_pernet_subsys(&xt_net_ops);
1394	if (rv < 0)
1395		kfree(xt);
1396	return rv;
1397}
1398
1399static void __exit xt_fini(void)
1400{
1401	unregister_pernet_subsys(&xt_net_ops);
1402	kfree(xt);
1403}
1404
1405module_init(xt_init);
1406module_exit(xt_fini);
1407
Configure Feed

Configure Feed
