2 * x_tables core - Backend for {ip,ip6,arp}_tables
4 * Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
5 * Copyright (C) 2006-2012 Patrick McHardy <kaber@trash.net>
7 * Based on existing ip_tables code which is
8 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
9 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2 as
13 * published by the Free Software Foundation.
16 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
17 #include <linux/kernel.h>
18 #include <linux/module.h>
19 #include <linux/socket.h>
20 #include <linux/net.h>
21 #include <linux/proc_fs.h>
22 #include <linux/seq_file.h>
23 #include <linux/string.h>
24 #include <linux/vmalloc.h>
25 #include <linux/mutex.h>
27 #include <linux/slab.h>
28 #include <linux/audit.h>
29 #include <linux/user_namespace.h>
30 #include <net/net_namespace.h>
32 #include <linux/netfilter/x_tables.h>
33 #include <linux/netfilter_arp.h>
34 #include <linux/netfilter_ipv4/ip_tables.h>
35 #include <linux/netfilter_ipv6/ip6_tables.h>
36 #include <linux/netfilter_arp/arp_tables.h>
38 MODULE_LICENSE("GPL");
39 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
40 MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
42 #define XT_PCPU_BLOCK_SIZE 4096
43 #define XT_MAX_TABLE_SIZE (512 * 1024 * 1024)
46 unsigned int offset; /* offset in kernel */
47 int delta; /* delta in 32bit user land */
52 struct list_head match;
53 struct list_head target;
55 struct mutex compat_mutex;
56 struct compat_delta *compat_tab;
57 unsigned int number; /* number of slots in compat_tab[] */
58 unsigned int cur; /* number of used slots in compat_tab[] */
62 static struct xt_af *xt;
64 static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
65 [NFPROTO_UNSPEC] = "x",
66 [NFPROTO_IPV4] = "ip",
67 [NFPROTO_ARP] = "arp",
68 [NFPROTO_BRIDGE] = "eb",
69 [NFPROTO_IPV6] = "ip6",
72 /* Registration hooks for targets. */
73 int xt_register_target(struct xt_target *target)
75 u_int8_t af = target->family;
77 mutex_lock(&xt[af].mutex);
78 list_add(&target->list, &xt[af].target);
79 mutex_unlock(&xt[af].mutex);
82 EXPORT_SYMBOL(xt_register_target);
85 xt_unregister_target(struct xt_target *target)
87 u_int8_t af = target->family;
89 mutex_lock(&xt[af].mutex);
90 list_del(&target->list);
91 mutex_unlock(&xt[af].mutex);
93 EXPORT_SYMBOL(xt_unregister_target);
96 xt_register_targets(struct xt_target *target, unsigned int n)
101 for (i = 0; i < n; i++) {
102 err = xt_register_target(&target[i]);
110 xt_unregister_targets(target, i);
113 EXPORT_SYMBOL(xt_register_targets);
116 xt_unregister_targets(struct xt_target *target, unsigned int n)
119 xt_unregister_target(&target[n]);
121 EXPORT_SYMBOL(xt_unregister_targets);
123 int xt_register_match(struct xt_match *match)
125 u_int8_t af = match->family;
127 mutex_lock(&xt[af].mutex);
128 list_add(&match->list, &xt[af].match);
129 mutex_unlock(&xt[af].mutex);
132 EXPORT_SYMBOL(xt_register_match);
135 xt_unregister_match(struct xt_match *match)
137 u_int8_t af = match->family;
139 mutex_lock(&xt[af].mutex);
140 list_del(&match->list);
141 mutex_unlock(&xt[af].mutex);
143 EXPORT_SYMBOL(xt_unregister_match);
146 xt_register_matches(struct xt_match *match, unsigned int n)
151 for (i = 0; i < n; i++) {
152 err = xt_register_match(&match[i]);
160 xt_unregister_matches(match, i);
163 EXPORT_SYMBOL(xt_register_matches);
166 xt_unregister_matches(struct xt_match *match, unsigned int n)
169 xt_unregister_match(&match[n]);
171 EXPORT_SYMBOL(xt_unregister_matches);
175 * These are weird, but module loading must not be done with mutex
176 * held (since they will register), and we have to have a single
180 /* Find match, grabs ref. Returns ERR_PTR() on error. */
181 struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
186 mutex_lock(&xt[af].mutex);
187 list_for_each_entry(m, &xt[af].match, list) {
188 if (strcmp(m->name, name) == 0) {
189 if (m->revision == revision) {
190 if (try_module_get(m->me)) {
191 mutex_unlock(&xt[af].mutex);
195 err = -EPROTOTYPE; /* Found something. */
198 mutex_unlock(&xt[af].mutex);
200 if (af != NFPROTO_UNSPEC)
201 /* Try searching again in the family-independent list */
202 return xt_find_match(NFPROTO_UNSPEC, name, revision);
206 EXPORT_SYMBOL(xt_find_match);
209 xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
211 struct xt_match *match;
213 if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
214 return ERR_PTR(-EINVAL);
216 match = xt_find_match(nfproto, name, revision);
218 request_module("%st_%s", xt_prefix[nfproto], name);
219 match = xt_find_match(nfproto, name, revision);
224 EXPORT_SYMBOL_GPL(xt_request_find_match);
226 /* Find target, grabs ref. Returns ERR_PTR() on error. */
227 struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
232 mutex_lock(&xt[af].mutex);
233 list_for_each_entry(t, &xt[af].target, list) {
234 if (strcmp(t->name, name) == 0) {
235 if (t->revision == revision) {
236 if (try_module_get(t->me)) {
237 mutex_unlock(&xt[af].mutex);
241 err = -EPROTOTYPE; /* Found something. */
244 mutex_unlock(&xt[af].mutex);
246 if (af != NFPROTO_UNSPEC)
247 /* Try searching again in the family-independent list */
248 return xt_find_target(NFPROTO_UNSPEC, name, revision);
252 EXPORT_SYMBOL(xt_find_target);
254 struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
256 struct xt_target *target;
258 if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
259 return ERR_PTR(-EINVAL);
261 target = xt_find_target(af, name, revision);
262 if (IS_ERR(target)) {
263 request_module("%st_%s", xt_prefix[af], name);
264 target = xt_find_target(af, name, revision);
269 EXPORT_SYMBOL_GPL(xt_request_find_target);
272 static int xt_obj_to_user(u16 __user *psize, u16 size,
273 void __user *pname, const char *name,
274 u8 __user *prev, u8 rev)
276 if (put_user(size, psize))
278 if (copy_to_user(pname, name, strlen(name) + 1))
280 if (put_user(rev, prev))
286 #define XT_OBJ_TO_USER(U, K, TYPE, C_SIZE) \
287 xt_obj_to_user(&U->u.TYPE##_size, C_SIZE ? : K->u.TYPE##_size, \
288 U->u.user.name, K->u.kernel.TYPE->name, \
289 &U->u.user.revision, K->u.kernel.TYPE->revision)
291 int xt_data_to_user(void __user *dst, const void *src,
292 int usersize, int size, int aligned_size)
294 usersize = usersize ? : size;
295 if (copy_to_user(dst, src, usersize))
297 if (usersize != aligned_size &&
298 clear_user(dst + usersize, aligned_size - usersize))
303 EXPORT_SYMBOL_GPL(xt_data_to_user);
305 #define XT_DATA_TO_USER(U, K, TYPE) \
306 xt_data_to_user(U->data, K->data, \
307 K->u.kernel.TYPE->usersize, \
308 K->u.kernel.TYPE->TYPE##size, \
309 XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
311 int xt_match_to_user(const struct xt_entry_match *m,
312 struct xt_entry_match __user *u)
314 return XT_OBJ_TO_USER(u, m, match, 0) ||
315 XT_DATA_TO_USER(u, m, match);
317 EXPORT_SYMBOL_GPL(xt_match_to_user);
319 int xt_target_to_user(const struct xt_entry_target *t,
320 struct xt_entry_target __user *u)
322 return XT_OBJ_TO_USER(u, t, target, 0) ||
323 XT_DATA_TO_USER(u, t, target);
325 EXPORT_SYMBOL_GPL(xt_target_to_user);
327 static int match_revfn(u8 af, const char *name, u8 revision, int *bestp)
329 const struct xt_match *m;
332 list_for_each_entry(m, &xt[af].match, list) {
333 if (strcmp(m->name, name) == 0) {
334 if (m->revision > *bestp)
335 *bestp = m->revision;
336 if (m->revision == revision)
341 if (af != NFPROTO_UNSPEC && !have_rev)
342 return match_revfn(NFPROTO_UNSPEC, name, revision, bestp);
347 static int target_revfn(u8 af, const char *name, u8 revision, int *bestp)
349 const struct xt_target *t;
352 list_for_each_entry(t, &xt[af].target, list) {
353 if (strcmp(t->name, name) == 0) {
354 if (t->revision > *bestp)
355 *bestp = t->revision;
356 if (t->revision == revision)
361 if (af != NFPROTO_UNSPEC && !have_rev)
362 return target_revfn(NFPROTO_UNSPEC, name, revision, bestp);
367 /* Returns true or false (if no such extension at all) */
368 int xt_find_revision(u8 af, const char *name, u8 revision, int target,
371 int have_rev, best = -1;
373 mutex_lock(&xt[af].mutex);
375 have_rev = target_revfn(af, name, revision, &best);
377 have_rev = match_revfn(af, name, revision, &best);
378 mutex_unlock(&xt[af].mutex);
380 /* Nothing at all? Return 0 to try loading module. */
388 *err = -EPROTONOSUPPORT;
391 EXPORT_SYMBOL_GPL(xt_find_revision);
394 textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto)
396 static const char *const inetbr_names[] = {
397 "PREROUTING", "INPUT", "FORWARD",
398 "OUTPUT", "POSTROUTING", "BROUTING",
400 static const char *const arp_names[] = {
401 "INPUT", "FORWARD", "OUTPUT",
403 const char *const *names;
409 names = (nfproto == NFPROTO_ARP) ? arp_names : inetbr_names;
410 max = (nfproto == NFPROTO_ARP) ? ARRAY_SIZE(arp_names) :
411 ARRAY_SIZE(inetbr_names);
413 for (i = 0; i < max; ++i) {
414 if (!(mask & (1 << i)))
416 res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]);
427 int xt_check_match(struct xt_mtchk_param *par,
428 unsigned int size, u_int8_t proto, bool inv_proto)
432 if (XT_ALIGN(par->match->matchsize) != size &&
433 par->match->matchsize != -1) {
435 * ebt_among is exempt from centralized matchsize checking
436 * because it uses a dynamic-size data set.
438 pr_err_ratelimited("%s_tables: %s.%u match: invalid size %u (kernel) != (user) %u\n",
439 xt_prefix[par->family], par->match->name,
440 par->match->revision,
441 XT_ALIGN(par->match->matchsize), size);
444 if (par->match->table != NULL &&
445 strcmp(par->match->table, par->table) != 0) {
446 pr_info_ratelimited("%s_tables: %s match: only valid in %s table, not %s\n",
447 xt_prefix[par->family], par->match->name,
448 par->match->table, par->table);
451 if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
452 char used[64], allow[64];
454 pr_info_ratelimited("%s_tables: %s match: used from hooks %s, but only valid from %s\n",
455 xt_prefix[par->family], par->match->name,
456 textify_hooks(used, sizeof(used),
457 par->hook_mask, par->family),
458 textify_hooks(allow, sizeof(allow),
463 if (par->match->proto && (par->match->proto != proto || inv_proto)) {
464 pr_info_ratelimited("%s_tables: %s match: only valid for protocol %u\n",
465 xt_prefix[par->family], par->match->name,
469 if (par->match->checkentry != NULL) {
470 ret = par->match->checkentry(par);
474 /* Flag up potential errors. */
479 EXPORT_SYMBOL_GPL(xt_check_match);
481 /** xt_check_entry_match - check that matches end before start of target
483 * @match: beginning of xt_entry_match
484 * @target: beginning of this rules target (alleged end of matches)
485 * @alignment: alignment requirement of match structures
487 * Validates that all matches add up to the beginning of the target,
488 * and that each match covers at least the base structure size.
490 * Return: 0 on success, negative errno on failure.
492 static int xt_check_entry_match(const char *match, const char *target,
493 const size_t alignment)
495 const struct xt_entry_match *pos;
496 int length = target - match;
498 if (length == 0) /* no matches */
501 pos = (struct xt_entry_match *)match;
503 if ((unsigned long)pos % alignment)
506 if (length < (int)sizeof(struct xt_entry_match))
509 if (pos->u.match_size < sizeof(struct xt_entry_match))
512 if (pos->u.match_size > length)
515 length -= pos->u.match_size;
516 pos = ((void *)((char *)(pos) + (pos)->u.match_size));
517 } while (length > 0);
522 /** xt_check_table_hooks - check hook entry points are sane
524 * @info xt_table_info to check
525 * @valid_hooks - hook entry points that we can enter from
527 * Validates that the hook entry and underflows points are set up.
529 * Return: 0 on success, negative errno on failure.
531 int xt_check_table_hooks(const struct xt_table_info *info, unsigned int valid_hooks)
533 const char *err = "unsorted underflow";
534 unsigned int i, max_uflow, max_entry;
535 bool check_hooks = false;
537 BUILD_BUG_ON(ARRAY_SIZE(info->hook_entry) != ARRAY_SIZE(info->underflow));
542 for (i = 0; i < ARRAY_SIZE(info->hook_entry); i++) {
543 if (!(valid_hooks & (1 << i)))
546 if (info->hook_entry[i] == 0xFFFFFFFF)
548 if (info->underflow[i] == 0xFFFFFFFF)
552 if (max_uflow > info->underflow[i])
555 if (max_uflow == info->underflow[i]) {
556 err = "duplicate underflow";
559 if (max_entry > info->hook_entry[i]) {
560 err = "unsorted entry";
563 if (max_entry == info->hook_entry[i]) {
564 err = "duplicate entry";
568 max_entry = info->hook_entry[i];
569 max_uflow = info->underflow[i];
575 pr_err_ratelimited("%s at hook %d\n", err, i);
578 EXPORT_SYMBOL(xt_check_table_hooks);
580 static bool verdict_ok(int verdict)
586 int v = -verdict - 1;
588 if (verdict == XT_RETURN)
592 case NF_ACCEPT: return true;
593 case NF_DROP: return true;
594 case NF_QUEUE: return true;
605 static bool error_tg_ok(unsigned int usersize, unsigned int kernsize,
606 const char *msg, unsigned int msglen)
608 return usersize == kernsize && strnlen(msg, msglen) < msglen;
612 int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
614 struct xt_af *xp = &xt[af];
616 WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));
618 if (WARN_ON(!xp->compat_tab))
621 if (xp->cur >= xp->number)
625 delta += xp->compat_tab[xp->cur - 1].delta;
626 xp->compat_tab[xp->cur].offset = offset;
627 xp->compat_tab[xp->cur].delta = delta;
631 EXPORT_SYMBOL_GPL(xt_compat_add_offset);
633 void xt_compat_flush_offsets(u_int8_t af)
635 WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));
637 if (xt[af].compat_tab) {
638 vfree(xt[af].compat_tab);
639 xt[af].compat_tab = NULL;
644 EXPORT_SYMBOL_GPL(xt_compat_flush_offsets);
646 int xt_compat_calc_jump(u_int8_t af, unsigned int offset)
648 struct compat_delta *tmp = xt[af].compat_tab;
649 int mid, left = 0, right = xt[af].cur - 1;
651 while (left <= right) {
652 mid = (left + right) >> 1;
653 if (offset > tmp[mid].offset)
655 else if (offset < tmp[mid].offset)
658 return mid ? tmp[mid - 1].delta : 0;
660 return left ? tmp[left - 1].delta : 0;
662 EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
664 int xt_compat_init_offsets(u8 af, unsigned int number)
668 WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));
670 if (!number || number > (INT_MAX / sizeof(struct compat_delta)))
673 if (WARN_ON(xt[af].compat_tab))
676 mem = sizeof(struct compat_delta) * number;
677 if (mem > XT_MAX_TABLE_SIZE)
680 xt[af].compat_tab = vmalloc(mem);
681 if (!xt[af].compat_tab)
684 xt[af].number = number;
689 EXPORT_SYMBOL(xt_compat_init_offsets);
691 int xt_compat_match_offset(const struct xt_match *match)
693 u_int16_t csize = match->compatsize ? : match->matchsize;
694 return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
696 EXPORT_SYMBOL_GPL(xt_compat_match_offset);
698 void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
701 const struct xt_match *match = m->u.kernel.match;
702 struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
703 int pad, off = xt_compat_match_offset(match);
704 u_int16_t msize = cm->u.user.match_size;
705 char name[sizeof(m->u.user.name)];
708 memcpy(m, cm, sizeof(*cm));
709 if (match->compat_from_user)
710 match->compat_from_user(m->data, cm->data);
712 memcpy(m->data, cm->data, msize - sizeof(*cm));
713 pad = XT_ALIGN(match->matchsize) - match->matchsize;
715 memset(m->data + match->matchsize, 0, pad);
718 m->u.user.match_size = msize;
719 strlcpy(name, match->name, sizeof(name));
720 module_put(match->me);
721 strncpy(m->u.user.name, name, sizeof(m->u.user.name));
726 EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
728 #define COMPAT_XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \
729 xt_data_to_user(U->data, K->data, \
730 K->u.kernel.TYPE->usersize, \
732 COMPAT_XT_ALIGN(C_SIZE))
734 int xt_compat_match_to_user(const struct xt_entry_match *m,
735 void __user **dstptr, unsigned int *size)
737 const struct xt_match *match = m->u.kernel.match;
738 struct compat_xt_entry_match __user *cm = *dstptr;
739 int off = xt_compat_match_offset(match);
740 u_int16_t msize = m->u.user.match_size - off;
742 if (XT_OBJ_TO_USER(cm, m, match, msize))
745 if (match->compat_to_user) {
746 if (match->compat_to_user((void __user *)cm->data, m->data))
749 if (COMPAT_XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
757 EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
759 /* non-compat version may have padding after verdict */
760 struct compat_xt_standard_target {
761 struct compat_xt_entry_target t;
762 compat_uint_t verdict;
765 struct compat_xt_error_target {
766 struct compat_xt_entry_target t;
767 char errorname[XT_FUNCTION_MAXNAMELEN];
770 int xt_compat_check_entry_offsets(const void *base, const char *elems,
771 unsigned int target_offset,
772 unsigned int next_offset)
774 long size_of_base_struct = elems - (const char *)base;
775 const struct compat_xt_entry_target *t;
776 const char *e = base;
778 if (target_offset < size_of_base_struct)
781 if (target_offset + sizeof(*t) > next_offset)
784 t = (void *)(e + target_offset);
785 if (t->u.target_size < sizeof(*t))
788 if (target_offset + t->u.target_size > next_offset)
791 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {
792 const struct compat_xt_standard_target *st = (const void *)t;
794 if (COMPAT_XT_ALIGN(target_offset + sizeof(*st)) != next_offset)
797 if (!verdict_ok(st->verdict))
799 } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) {
800 const struct compat_xt_error_target *et = (const void *)t;
802 if (!error_tg_ok(t->u.target_size, sizeof(*et),
803 et->errorname, sizeof(et->errorname)))
807 /* compat_xt_entry match has less strict alignment requirements,
808 * otherwise they are identical. In case of padding differences
809 * we need to add compat version of xt_check_entry_match.
811 BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match));
813 return xt_check_entry_match(elems, base + target_offset,
814 __alignof__(struct compat_xt_entry_match));
816 EXPORT_SYMBOL(xt_compat_check_entry_offsets);
817 #endif /* CONFIG_COMPAT */
820 * xt_check_entry_offsets - validate arp/ip/ip6t_entry
822 * @base: pointer to arp/ip/ip6t_entry
823 * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems
824 * @target_offset: the arp/ip/ip6_t->target_offset
825 * @next_offset: the arp/ip/ip6_t->next_offset
827 * validates that target_offset and next_offset are sane and that all
828 * match sizes (if any) align with the target offset.
830 * This function does not validate the targets or matches themselves, it
831 * only tests that all the offsets and sizes are correct, that all
832 * match structures are aligned, and that the last structure ends where
833 * the target structure begins.
835 * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
837 * The arp/ip/ip6t_entry structure @base must have passed following tests:
838 * - it must point to a valid memory location
839 * - base to base + next_offset must be accessible, i.e. not exceed allocated
842 * A well-formed entry looks like this:
844 * ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry
845 * e->elems[]-----' | |
849 * target_offset---------------------------------' |
850 * next_offset---------------------------------------------------'
852 * elems[]: flexible array member at end of ip(6)/arpt_entry struct.
853 * This is where matches (if any) and the target reside.
854 * target_offset: beginning of target.
855 * next_offset: start of the next rule; also: size of this rule.
856 * Since targets have a minimum size, target_offset + minlen <= next_offset.
858 * Every match stores its size, sum of sizes must not exceed target_offset.
860 * Return: 0 on success, negative errno on failure.
862 int xt_check_entry_offsets(const void *base,
864 unsigned int target_offset,
865 unsigned int next_offset)
867 long size_of_base_struct = elems - (const char *)base;
868 const struct xt_entry_target *t;
869 const char *e = base;
871 /* target start is within the ip/ip6/arpt_entry struct */
872 if (target_offset < size_of_base_struct)
875 if (target_offset + sizeof(*t) > next_offset)
878 t = (void *)(e + target_offset);
879 if (t->u.target_size < sizeof(*t))
882 if (target_offset + t->u.target_size > next_offset)
885 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {
886 const struct xt_standard_target *st = (const void *)t;
888 if (XT_ALIGN(target_offset + sizeof(*st)) != next_offset)
891 if (!verdict_ok(st->verdict))
893 } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) {
894 const struct xt_error_target *et = (const void *)t;
896 if (!error_tg_ok(t->u.target_size, sizeof(*et),
897 et->errorname, sizeof(et->errorname)))
901 return xt_check_entry_match(elems, base + target_offset,
902 __alignof__(struct xt_entry_match));
904 EXPORT_SYMBOL(xt_check_entry_offsets);
907 * xt_alloc_entry_offsets - allocate array to store rule head offsets
909 * @size: number of entries
911 * Return: NULL or kmalloc'd or vmalloc'd array
913 unsigned int *xt_alloc_entry_offsets(unsigned int size)
915 if (size > XT_MAX_TABLE_SIZE / sizeof(unsigned int))
918 return kvmalloc_array(size, sizeof(unsigned int), GFP_KERNEL | __GFP_ZERO);
921 EXPORT_SYMBOL(xt_alloc_entry_offsets);
924 * xt_find_jump_offset - check if target is a valid jump offset
926 * @offsets: array containing all valid rule start offsets of a rule blob
927 * @target: the jump target to search for
928 * @size: entries in @offset
930 bool xt_find_jump_offset(const unsigned int *offsets,
931 unsigned int target, unsigned int size)
933 int m, low = 0, hi = size;
938 if (offsets[m] > target)
940 else if (offsets[m] < target)
948 EXPORT_SYMBOL(xt_find_jump_offset);
950 int xt_check_target(struct xt_tgchk_param *par,
951 unsigned int size, u_int8_t proto, bool inv_proto)
955 if (XT_ALIGN(par->target->targetsize) != size) {
956 pr_err_ratelimited("%s_tables: %s.%u target: invalid size %u (kernel) != (user) %u\n",
957 xt_prefix[par->family], par->target->name,
958 par->target->revision,
959 XT_ALIGN(par->target->targetsize), size);
962 if (par->target->table != NULL &&
963 strcmp(par->target->table, par->table) != 0) {
964 pr_info_ratelimited("%s_tables: %s target: only valid in %s table, not %s\n",
965 xt_prefix[par->family], par->target->name,
966 par->target->table, par->table);
969 if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) {
970 char used[64], allow[64];
972 pr_info_ratelimited("%s_tables: %s target: used from hooks %s, but only usable from %s\n",
973 xt_prefix[par->family], par->target->name,
974 textify_hooks(used, sizeof(used),
975 par->hook_mask, par->family),
976 textify_hooks(allow, sizeof(allow),
981 if (par->target->proto && (par->target->proto != proto || inv_proto)) {
982 pr_info_ratelimited("%s_tables: %s target: only valid for protocol %u\n",
983 xt_prefix[par->family], par->target->name,
987 if (par->target->checkentry != NULL) {
988 ret = par->target->checkentry(par);
992 /* Flag up potential errors. */
997 EXPORT_SYMBOL_GPL(xt_check_target);
1000 * xt_copy_counters_from_user - copy counters and metadata from userspace
1002 * @user: src pointer to userspace memory
1003 * @len: alleged size of userspace memory
1004 * @info: where to store the xt_counters_info metadata
1005 * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel
1007 * Copies counter meta data from @user and stores it in @info.
1009 * vmallocs memory to hold the counters, then copies the counter data
1010 * from @user to the new memory and returns a pointer to it.
1012 * If @compat is true, @info gets converted automatically to the 64bit
1015 * The metadata associated with the counters is stored in @info.
1017 * Return: returns pointer that caller has to test via IS_ERR().
1018 * If IS_ERR is false, caller has to vfree the pointer.
1020 void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
1021 struct xt_counters_info *info, bool compat)
1026 #ifdef CONFIG_COMPAT
1028 /* structures only differ in size due to alignment */
1029 struct compat_xt_counters_info compat_tmp;
1031 if (len <= sizeof(compat_tmp))
1032 return ERR_PTR(-EINVAL);
1034 len -= sizeof(compat_tmp);
1035 if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
1036 return ERR_PTR(-EFAULT);
1038 memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
1039 info->num_counters = compat_tmp.num_counters;
1040 user += sizeof(compat_tmp);
1044 if (len <= sizeof(*info))
1045 return ERR_PTR(-EINVAL);
1047 len -= sizeof(*info);
1048 if (copy_from_user(info, user, sizeof(*info)) != 0)
1049 return ERR_PTR(-EFAULT);
1051 user += sizeof(*info);
1053 info->name[sizeof(info->name) - 1] = '\0';
1055 size = sizeof(struct xt_counters);
1056 size *= info->num_counters;
1058 if (size != (u64)len)
1059 return ERR_PTR(-EINVAL);
1063 return ERR_PTR(-ENOMEM);
1065 if (copy_from_user(mem, user, len) == 0)
1069 return ERR_PTR(-EFAULT);
1071 EXPORT_SYMBOL_GPL(xt_copy_counters_from_user);
1073 #ifdef CONFIG_COMPAT
1074 int xt_compat_target_offset(const struct xt_target *target)
1076 u_int16_t csize = target->compatsize ? : target->targetsize;
1077 return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
1079 EXPORT_SYMBOL_GPL(xt_compat_target_offset);
1081 void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
1084 const struct xt_target *target = t->u.kernel.target;
1085 struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
1086 int pad, off = xt_compat_target_offset(target);
1087 u_int16_t tsize = ct->u.user.target_size;
1088 char name[sizeof(t->u.user.name)];
1091 memcpy(t, ct, sizeof(*ct));
1092 if (target->compat_from_user)
1093 target->compat_from_user(t->data, ct->data);
1095 memcpy(t->data, ct->data, tsize - sizeof(*ct));
1096 pad = XT_ALIGN(target->targetsize) - target->targetsize;
1098 memset(t->data + target->targetsize, 0, pad);
1101 t->u.user.target_size = tsize;
1102 strlcpy(name, target->name, sizeof(name));
1103 module_put(target->me);
1104 strncpy(t->u.user.name, name, sizeof(t->u.user.name));
1109 EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
1111 int xt_compat_target_to_user(const struct xt_entry_target *t,
1112 void __user **dstptr, unsigned int *size)
1114 const struct xt_target *target = t->u.kernel.target;
1115 struct compat_xt_entry_target __user *ct = *dstptr;
1116 int off = xt_compat_target_offset(target);
1117 u_int16_t tsize = t->u.user.target_size - off;
1119 if (XT_OBJ_TO_USER(ct, t, target, tsize))
1122 if (target->compat_to_user) {
1123 if (target->compat_to_user((void __user *)ct->data, t->data))
1126 if (COMPAT_XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
1134 EXPORT_SYMBOL_GPL(xt_compat_target_to_user);
1137 struct xt_table_info *xt_alloc_table_info(unsigned int size)
1139 struct xt_table_info *info = NULL;
1140 size_t sz = sizeof(*info) + size;
1142 if (sz < sizeof(*info) || sz >= XT_MAX_TABLE_SIZE)
1145 /* __GFP_NORETRY is not fully supported by kvmalloc but it should
1146 * work reasonably well if sz is too large and bail out rather
1147 * than shoot all processes down before realizing there is nothing
1150 info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY);
1154 memset(info, 0, sizeof(*info));
1158 EXPORT_SYMBOL(xt_alloc_table_info);
1160 void xt_free_table_info(struct xt_table_info *info)
1164 if (info->jumpstack != NULL) {
1165 for_each_possible_cpu(cpu)
1166 kvfree(info->jumpstack[cpu]);
1167 kvfree(info->jumpstack);
1172 EXPORT_SYMBOL(xt_free_table_info);
1174 /* Find table by name, grabs mutex & ref. Returns ERR_PTR on error. */
1175 struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
1178 struct xt_table *t, *found = NULL;
1180 mutex_lock(&xt[af].mutex);
1181 list_for_each_entry(t, &net->xt.tables[af], list)
1182 if (strcmp(t->name, name) == 0 && try_module_get(t->me))
1185 if (net == &init_net)
1188 /* Table doesn't exist in this netns, re-try init */
1189 list_for_each_entry(t, &init_net.xt.tables[af], list) {
1192 if (strcmp(t->name, name))
1194 if (!try_module_get(t->me))
1196 mutex_unlock(&xt[af].mutex);
1197 err = t->table_init(net);
1200 return ERR_PTR(err);
1205 mutex_lock(&xt[af].mutex);
1212 /* and once again: */
1213 list_for_each_entry(t, &net->xt.tables[af], list)
1214 if (strcmp(t->name, name) == 0)
1217 module_put(found->me);
1219 mutex_unlock(&xt[af].mutex);
1220 return ERR_PTR(-ENOENT);
1222 EXPORT_SYMBOL_GPL(xt_find_table_lock);
1224 struct xt_table *xt_request_find_table_lock(struct net *net, u_int8_t af,
1227 struct xt_table *t = xt_find_table_lock(net, af, name);
1229 #ifdef CONFIG_MODULES
1231 int err = request_module("%stable_%s", xt_prefix[af], name);
1233 return ERR_PTR(err);
1234 t = xt_find_table_lock(net, af, name);
1240 EXPORT_SYMBOL_GPL(xt_request_find_table_lock);
1242 void xt_table_unlock(struct xt_table *table)
1244 mutex_unlock(&xt[table->af].mutex);
1246 EXPORT_SYMBOL_GPL(xt_table_unlock);
1248 #ifdef CONFIG_COMPAT
1249 void xt_compat_lock(u_int8_t af)
1251 mutex_lock(&xt[af].compat_mutex);
1253 EXPORT_SYMBOL_GPL(xt_compat_lock);
1255 void xt_compat_unlock(u_int8_t af)
1257 mutex_unlock(&xt[af].compat_mutex);
1259 EXPORT_SYMBOL_GPL(xt_compat_unlock);
1262 DEFINE_PER_CPU(seqcount_t, xt_recseq);
1263 EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
1265 struct static_key xt_tee_enabled __read_mostly;
1266 EXPORT_SYMBOL_GPL(xt_tee_enabled);
1268 static int xt_jumpstack_alloc(struct xt_table_info *i)
1273 size = sizeof(void **) * nr_cpu_ids;
1274 if (size > PAGE_SIZE)
1275 i->jumpstack = kvzalloc(size, GFP_KERNEL);
1277 i->jumpstack = kzalloc(size, GFP_KERNEL);
1278 if (i->jumpstack == NULL)
1281 /* ruleset without jumps -- no stack needed */
1282 if (i->stacksize == 0)
1285 /* Jumpstack needs to be able to record two full callchains, one
1286 * from the first rule set traversal, plus one table reentrancy
1287 * via -j TEE without clobbering the callchain that brought us to
1290 * This is done by allocating two jumpstacks per cpu, on reentry
1291 * the upper half of the stack is used.
1293 * see the jumpstack setup in ipt_do_table() for more details.
1295 size = sizeof(void *) * i->stacksize * 2u;
1296 for_each_possible_cpu(cpu) {
1297 i->jumpstack[cpu] = kvmalloc_node(size, GFP_KERNEL,
1299 if (i->jumpstack[cpu] == NULL)
1301 * Freeing will be done later on by the callers. The
1302 * chain is: xt_replace_table -> __do_replace ->
1303 * do_replace -> xt_free_table_info.
1311 struct xt_counters *xt_counters_alloc(unsigned int counters)
1313 struct xt_counters *mem;
1315 if (counters == 0 || counters > INT_MAX / sizeof(*mem))
1318 counters *= sizeof(*mem);
1319 if (counters > XT_MAX_TABLE_SIZE)
1322 return vzalloc(counters);
1324 EXPORT_SYMBOL(xt_counters_alloc);
1326 struct xt_table_info *
1327 xt_replace_table(struct xt_table *table,
1328 unsigned int num_counters,
1329 struct xt_table_info *newinfo,
1332 struct xt_table_info *private;
1336 ret = xt_jumpstack_alloc(newinfo);
1342 /* Do the substitution. */
1344 private = table->private;
1346 /* Check inside lock: is the old number correct? */
1347 if (num_counters != private->number) {
1348 pr_debug("num_counters != table->private->number (%u/%u)\n",
1349 num_counters, private->number);
1355 newinfo->initial_entries = private->initial_entries;
1357 * Ensure contents of newinfo are visible before assigning to
1361 table->private = newinfo;
1363 /* make sure all cpus see new ->private value */
1367 * Even though table entries have now been swapped, other CPU's
1368 * may still be using the old entries...
1372 /* ... so wait for even xt_recseq on all cpus */
1373 for_each_possible_cpu(cpu) {
1374 seqcount_t *s = &per_cpu(xt_recseq, cpu);
1375 u32 seq = raw_read_seqcount(s);
1381 } while (seq == raw_read_seqcount(s));
1386 if (audit_enabled) {
1387 audit_log(current->audit_context, GFP_KERNEL,
1388 AUDIT_NETFILTER_CFG,
1389 "table=%s family=%u entries=%u",
1390 table->name, table->af, private->number);
1396 EXPORT_SYMBOL_GPL(xt_replace_table);
1398 struct xt_table *xt_register_table(struct net *net,
1399 const struct xt_table *input_table,
1400 struct xt_table_info *bootstrap,
1401 struct xt_table_info *newinfo)
1404 struct xt_table_info *private;
1405 struct xt_table *t, *table;
1407 /* Don't add one object to multiple lists. */
1408 table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
1414 mutex_lock(&xt[table->af].mutex);
1415 /* Don't autoload: we'd eat our tail... */
1416 list_for_each_entry(t, &net->xt.tables[table->af], list) {
1417 if (strcmp(t->name, table->name) == 0) {
1423 /* Simplifies replace_table code. */
1424 table->private = bootstrap;
1426 if (!xt_replace_table(table, 0, newinfo, &ret))
1429 private = table->private;
1430 pr_debug("table->private->number = %u\n", private->number);
1432 /* save number of initial entries */
1433 private->initial_entries = private->number;
1435 list_add(&table->list, &net->xt.tables[table->af]);
1436 mutex_unlock(&xt[table->af].mutex);
1440 mutex_unlock(&xt[table->af].mutex);
1443 return ERR_PTR(ret);
1445 EXPORT_SYMBOL_GPL(xt_register_table);
1447 void *xt_unregister_table(struct xt_table *table)
1449 struct xt_table_info *private;
1451 mutex_lock(&xt[table->af].mutex);
1452 private = table->private;
1453 list_del(&table->list);
1454 mutex_unlock(&xt[table->af].mutex);
1459 EXPORT_SYMBOL_GPL(xt_unregister_table);
1461 #ifdef CONFIG_PROC_FS
1462 struct xt_names_priv {
1463 struct seq_net_private p;
1466 static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos)
1468 struct xt_names_priv *priv = seq->private;
1469 struct net *net = seq_file_net(seq);
1470 u_int8_t af = priv->af;
1472 mutex_lock(&xt[af].mutex);
1473 return seq_list_start(&net->xt.tables[af], *pos);
1476 static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1478 struct xt_names_priv *priv = seq->private;
1479 struct net *net = seq_file_net(seq);
1480 u_int8_t af = priv->af;
1482 return seq_list_next(v, &net->xt.tables[af], pos);
1485 static void xt_table_seq_stop(struct seq_file *seq, void *v)
1487 struct xt_names_priv *priv = seq->private;
1488 u_int8_t af = priv->af;
1490 mutex_unlock(&xt[af].mutex);
1493 static int xt_table_seq_show(struct seq_file *seq, void *v)
1495 struct xt_table *table = list_entry(v, struct xt_table, list);
1498 seq_printf(seq, "%s\n", table->name);
1502 static const struct seq_operations xt_table_seq_ops = {
1503 .start = xt_table_seq_start,
1504 .next = xt_table_seq_next,
1505 .stop = xt_table_seq_stop,
1506 .show = xt_table_seq_show,
1509 static int xt_table_open(struct inode *inode, struct file *file)
1512 struct xt_names_priv *priv;
1514 ret = seq_open_net(inode, file, &xt_table_seq_ops,
1515 sizeof(struct xt_names_priv));
1517 priv = ((struct seq_file *)file->private_data)->private;
1518 priv->af = (unsigned long)PDE_DATA(inode);
1523 static const struct file_operations xt_table_ops = {
1524 .open = xt_table_open,
1526 .llseek = seq_lseek,
1527 .release = seq_release_net,
1531 * Traverse state for ip{,6}_{tables,matches} for helping crossing
1532 * the multi-AF mutexes.
1534 struct nf_mttg_trav {
1535 struct list_head *head, *curr;
1536 uint8_t class, nfproto;
1541 MTTG_TRAV_NFP_UNSPEC,
1546 static void *xt_mttg_seq_next(struct seq_file *seq, void *v, loff_t *ppos,
1549 static const uint8_t next_class[] = {
1550 [MTTG_TRAV_NFP_UNSPEC] = MTTG_TRAV_NFP_SPEC,
1551 [MTTG_TRAV_NFP_SPEC] = MTTG_TRAV_DONE,
1553 struct nf_mttg_trav *trav = seq->private;
1555 switch (trav->class) {
1556 case MTTG_TRAV_INIT:
1557 trav->class = MTTG_TRAV_NFP_UNSPEC;
1558 mutex_lock(&xt[NFPROTO_UNSPEC].mutex);
1559 trav->head = trav->curr = is_target ?
1560 &xt[NFPROTO_UNSPEC].target : &xt[NFPROTO_UNSPEC].match;
1562 case MTTG_TRAV_NFP_UNSPEC:
1563 trav->curr = trav->curr->next;
1564 if (trav->curr != trav->head)
1566 mutex_unlock(&xt[NFPROTO_UNSPEC].mutex);
1567 mutex_lock(&xt[trav->nfproto].mutex);
1568 trav->head = trav->curr = is_target ?
1569 &xt[trav->nfproto].target : &xt[trav->nfproto].match;
1570 trav->class = next_class[trav->class];
1572 case MTTG_TRAV_NFP_SPEC:
1573 trav->curr = trav->curr->next;
1574 if (trav->curr != trav->head)
1586 static void *xt_mttg_seq_start(struct seq_file *seq, loff_t *pos,
1589 struct nf_mttg_trav *trav = seq->private;
1592 trav->class = MTTG_TRAV_INIT;
1593 for (j = 0; j < *pos; ++j)
1594 if (xt_mttg_seq_next(seq, NULL, NULL, is_target) == NULL)
1599 static void xt_mttg_seq_stop(struct seq_file *seq, void *v)
1601 struct nf_mttg_trav *trav = seq->private;
1603 switch (trav->class) {
1604 case MTTG_TRAV_NFP_UNSPEC:
1605 mutex_unlock(&xt[NFPROTO_UNSPEC].mutex);
1607 case MTTG_TRAV_NFP_SPEC:
1608 mutex_unlock(&xt[trav->nfproto].mutex);
1613 static void *xt_match_seq_start(struct seq_file *seq, loff_t *pos)
1615 return xt_mttg_seq_start(seq, pos, false);
1618 static void *xt_match_seq_next(struct seq_file *seq, void *v, loff_t *ppos)
1620 return xt_mttg_seq_next(seq, v, ppos, false);
1623 static int xt_match_seq_show(struct seq_file *seq, void *v)
1625 const struct nf_mttg_trav *trav = seq->private;
1626 const struct xt_match *match;
1628 switch (trav->class) {
1629 case MTTG_TRAV_NFP_UNSPEC:
1630 case MTTG_TRAV_NFP_SPEC:
1631 if (trav->curr == trav->head)
1633 match = list_entry(trav->curr, struct xt_match, list);
1635 seq_printf(seq, "%s\n", match->name);
1640 static const struct seq_operations xt_match_seq_ops = {
1641 .start = xt_match_seq_start,
1642 .next = xt_match_seq_next,
1643 .stop = xt_mttg_seq_stop,
1644 .show = xt_match_seq_show,
1647 static int xt_match_open(struct inode *inode, struct file *file)
1649 struct nf_mttg_trav *trav;
1650 trav = __seq_open_private(file, &xt_match_seq_ops, sizeof(*trav));
1654 trav->nfproto = (unsigned long)PDE_DATA(inode);
1658 static const struct file_operations xt_match_ops = {
1659 .open = xt_match_open,
1661 .llseek = seq_lseek,
1662 .release = seq_release_private,
1665 static void *xt_target_seq_start(struct seq_file *seq, loff_t *pos)
1667 return xt_mttg_seq_start(seq, pos, true);
1670 static void *xt_target_seq_next(struct seq_file *seq, void *v, loff_t *ppos)
1672 return xt_mttg_seq_next(seq, v, ppos, true);
1675 static int xt_target_seq_show(struct seq_file *seq, void *v)
1677 const struct nf_mttg_trav *trav = seq->private;
1678 const struct xt_target *target;
1680 switch (trav->class) {
1681 case MTTG_TRAV_NFP_UNSPEC:
1682 case MTTG_TRAV_NFP_SPEC:
1683 if (trav->curr == trav->head)
1685 target = list_entry(trav->curr, struct xt_target, list);
1687 seq_printf(seq, "%s\n", target->name);
1692 static const struct seq_operations xt_target_seq_ops = {
1693 .start = xt_target_seq_start,
1694 .next = xt_target_seq_next,
1695 .stop = xt_mttg_seq_stop,
1696 .show = xt_target_seq_show,
1699 static int xt_target_open(struct inode *inode, struct file *file)
1701 struct nf_mttg_trav *trav;
1702 trav = __seq_open_private(file, &xt_target_seq_ops, sizeof(*trav));
1706 trav->nfproto = (unsigned long)PDE_DATA(inode);
1710 static const struct file_operations xt_target_ops = {
1711 .open = xt_target_open,
1713 .llseek = seq_lseek,
1714 .release = seq_release_private,
1717 #define FORMAT_TABLES "_tables_names"
1718 #define FORMAT_MATCHES "_tables_matches"
1719 #define FORMAT_TARGETS "_tables_targets"
1721 #endif /* CONFIG_PROC_FS */
1724 * xt_hook_ops_alloc - set up hooks for a new table
1725 * @table: table with metadata needed to set up hooks
1726 * @fn: Hook function
1728 * This function will create the nf_hook_ops that the x_table needs
1729 * to hand to xt_hook_link_net().
1731 struct nf_hook_ops *
1732 xt_hook_ops_alloc(const struct xt_table *table, nf_hookfn *fn)
1734 unsigned int hook_mask = table->valid_hooks;
1735 uint8_t i, num_hooks = hweight32(hook_mask);
1737 struct nf_hook_ops *ops;
1740 return ERR_PTR(-EINVAL);
1742 ops = kcalloc(num_hooks, sizeof(*ops), GFP_KERNEL);
1744 return ERR_PTR(-ENOMEM);
1746 for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0;
1747 hook_mask >>= 1, ++hooknum) {
1748 if (!(hook_mask & 1))
1751 ops[i].pf = table->af;
1752 ops[i].hooknum = hooknum;
1753 ops[i].priority = table->priority;
1759 EXPORT_SYMBOL_GPL(xt_hook_ops_alloc);
1761 int xt_proto_init(struct net *net, u_int8_t af)
1763 #ifdef CONFIG_PROC_FS
1764 char buf[XT_FUNCTION_MAXNAMELEN];
1765 struct proc_dir_entry *proc;
1770 if (af >= ARRAY_SIZE(xt_prefix))
1774 #ifdef CONFIG_PROC_FS
1775 root_uid = make_kuid(net->user_ns, 0);
1776 root_gid = make_kgid(net->user_ns, 0);
1778 strlcpy(buf, xt_prefix[af], sizeof(buf));
1779 strlcat(buf, FORMAT_TABLES, sizeof(buf));
1780 proc = proc_create_data(buf, 0440, net->proc_net, &xt_table_ops,
1781 (void *)(unsigned long)af);
1784 if (uid_valid(root_uid) && gid_valid(root_gid))
1785 proc_set_user(proc, root_uid, root_gid);
1787 strlcpy(buf, xt_prefix[af], sizeof(buf));
1788 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1789 proc = proc_create_data(buf, 0440, net->proc_net, &xt_match_ops,
1790 (void *)(unsigned long)af);
1792 goto out_remove_tables;
1793 if (uid_valid(root_uid) && gid_valid(root_gid))
1794 proc_set_user(proc, root_uid, root_gid);
1796 strlcpy(buf, xt_prefix[af], sizeof(buf));
1797 strlcat(buf, FORMAT_TARGETS, sizeof(buf));
1798 proc = proc_create_data(buf, 0440, net->proc_net, &xt_target_ops,
1799 (void *)(unsigned long)af);
1801 goto out_remove_matches;
1802 if (uid_valid(root_uid) && gid_valid(root_gid))
1803 proc_set_user(proc, root_uid, root_gid);
1808 #ifdef CONFIG_PROC_FS
1810 strlcpy(buf, xt_prefix[af], sizeof(buf));
1811 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1812 remove_proc_entry(buf, net->proc_net);
1815 strlcpy(buf, xt_prefix[af], sizeof(buf));
1816 strlcat(buf, FORMAT_TABLES, sizeof(buf));
1817 remove_proc_entry(buf, net->proc_net);
1822 EXPORT_SYMBOL_GPL(xt_proto_init);
1824 void xt_proto_fini(struct net *net, u_int8_t af)
1826 #ifdef CONFIG_PROC_FS
1827 char buf[XT_FUNCTION_MAXNAMELEN];
1829 strlcpy(buf, xt_prefix[af], sizeof(buf));
1830 strlcat(buf, FORMAT_TABLES, sizeof(buf));
1831 remove_proc_entry(buf, net->proc_net);
1833 strlcpy(buf, xt_prefix[af], sizeof(buf));
1834 strlcat(buf, FORMAT_TARGETS, sizeof(buf));
1835 remove_proc_entry(buf, net->proc_net);
1837 strlcpy(buf, xt_prefix[af], sizeof(buf));
1838 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1839 remove_proc_entry(buf, net->proc_net);
1840 #endif /*CONFIG_PROC_FS*/
1842 EXPORT_SYMBOL_GPL(xt_proto_fini);
1845 * xt_percpu_counter_alloc - allocate x_tables rule counter
1847 * @state: pointer to xt_percpu allocation state
1848 * @counter: pointer to counter struct inside the ip(6)/arpt_entry struct
1850 * On SMP, the packet counter [ ip(6)t_entry->counters.pcnt ] will then
1851 * contain the address of the real (percpu) counter.
1853 * Rule evaluation needs to use xt_get_this_cpu_counter() helper
1854 * to fetch the real percpu counter.
1856 * To speed up allocation and improve data locality, a 4kb block is
1857 * allocated. Freeing any counter may free an entire block, so all
1858 * counters allocated using the same state must be freed at the same
1861 * xt_percpu_counter_alloc_state contains the base address of the
1862 * allocated page and the current sub-offset.
1864 * returns false on error.
1866 bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
1867 struct xt_counters *counter)
1869 BUILD_BUG_ON(XT_PCPU_BLOCK_SIZE < (sizeof(*counter) * 2));
1871 if (nr_cpu_ids <= 1)
1875 state->mem = __alloc_percpu(XT_PCPU_BLOCK_SIZE,
1876 XT_PCPU_BLOCK_SIZE);
1880 counter->pcnt = (__force unsigned long)(state->mem + state->off);
1881 state->off += sizeof(*counter);
1882 if (state->off > (XT_PCPU_BLOCK_SIZE - sizeof(*counter))) {
1888 EXPORT_SYMBOL_GPL(xt_percpu_counter_alloc);
1890 void xt_percpu_counter_free(struct xt_counters *counters)
1892 unsigned long pcnt = counters->pcnt;
1894 if (nr_cpu_ids > 1 && (pcnt & (XT_PCPU_BLOCK_SIZE - 1)) == 0)
1895 free_percpu((void __percpu *)pcnt);
1897 EXPORT_SYMBOL_GPL(xt_percpu_counter_free);
1899 static int __net_init xt_net_init(struct net *net)
1903 for (i = 0; i < NFPROTO_NUMPROTO; i++)
1904 INIT_LIST_HEAD(&net->xt.tables[i]);
1908 static void __net_exit xt_net_exit(struct net *net)
1912 for (i = 0; i < NFPROTO_NUMPROTO; i++)
1913 WARN_ON_ONCE(!list_empty(&net->xt.tables[i]));
1916 static struct pernet_operations xt_net_ops = {
1917 .init = xt_net_init,
1918 .exit = xt_net_exit,
1922 static int __init xt_init(void)
1927 for_each_possible_cpu(i) {
1928 seqcount_init(&per_cpu(xt_recseq, i));
1931 xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL);
1935 for (i = 0; i < NFPROTO_NUMPROTO; i++) {
1936 mutex_init(&xt[i].mutex);
1937 #ifdef CONFIG_COMPAT
1938 mutex_init(&xt[i].compat_mutex);
1939 xt[i].compat_tab = NULL;
1941 INIT_LIST_HEAD(&xt[i].target);
1942 INIT_LIST_HEAD(&xt[i].match);
1944 rv = register_pernet_subsys(&xt_net_ops);
1950 static void __exit xt_fini(void)
1952 unregister_pernet_subsys(&xt_net_ops);
1956 module_init(xt_init);
1957 module_exit(xt_fini);