1 // SPDX-License-Identifier: GPL-2.0-only
3 * x_tables core - Backend for {ip,ip6,arp}_tables
5 * Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
6 * Copyright (C) 2006-2012 Patrick McHardy <kaber@trash.net>
8 * Based on existing ip_tables code which is
9 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
10 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13 #include <linux/kernel.h>
14 #include <linux/module.h>
15 #include <linux/socket.h>
16 #include <linux/net.h>
17 #include <linux/proc_fs.h>
18 #include <linux/seq_file.h>
19 #include <linux/string.h>
20 #include <linux/vmalloc.h>
21 #include <linux/mutex.h>
23 #include <linux/slab.h>
24 #include <linux/audit.h>
25 #include <linux/user_namespace.h>
26 #include <net/net_namespace.h>
27 #include <net/netns/generic.h>
29 #include <linux/netfilter/x_tables.h>
30 #include <linux/netfilter_arp.h>
31 #include <linux/netfilter_ipv4/ip_tables.h>
32 #include <linux/netfilter_ipv6/ip6_tables.h>
33 #include <linux/netfilter_arp/arp_tables.h>
35 MODULE_LICENSE("GPL");
36 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
37 MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
39 #define XT_PCPU_BLOCK_SIZE 4096
40 #define XT_MAX_TABLE_SIZE (512 * 1024 * 1024)
43 struct list_head tables[NFPROTO_NUMPROTO];
47 unsigned int offset; /* offset in kernel */
48 int delta; /* delta in 32bit user land */
53 struct list_head match;
54 struct list_head target;
55 #ifdef CONFIG_NETFILTER_XTABLES_COMPAT
56 struct mutex compat_mutex;
57 struct compat_delta *compat_tab;
58 unsigned int number; /* number of slots in compat_tab[] */
59 unsigned int cur; /* number of used slots in compat_tab[] */
63 static unsigned int xt_pernet_id __read_mostly;
64 static struct xt_af *xt __read_mostly;
66 static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
67 [NFPROTO_UNSPEC] = "x",
68 [NFPROTO_IPV4] = "ip",
69 [NFPROTO_ARP] = "arp",
70 [NFPROTO_BRIDGE] = "eb",
71 [NFPROTO_IPV6] = "ip6",
74 /* Registration hooks for targets. */
75 int xt_register_target(struct xt_target *target)
77 u_int8_t af = target->family;
79 mutex_lock(&xt[af].mutex);
80 list_add(&target->list, &xt[af].target);
81 mutex_unlock(&xt[af].mutex);
84 EXPORT_SYMBOL(xt_register_target);
87 xt_unregister_target(struct xt_target *target)
89 u_int8_t af = target->family;
91 mutex_lock(&xt[af].mutex);
92 list_del(&target->list);
93 mutex_unlock(&xt[af].mutex);
95 EXPORT_SYMBOL(xt_unregister_target);
98 xt_register_targets(struct xt_target *target, unsigned int n)
103 for (i = 0; i < n; i++) {
104 err = xt_register_target(&target[i]);
112 xt_unregister_targets(target, i);
115 EXPORT_SYMBOL(xt_register_targets);
118 xt_unregister_targets(struct xt_target *target, unsigned int n)
121 xt_unregister_target(&target[n]);
123 EXPORT_SYMBOL(xt_unregister_targets);
125 int xt_register_match(struct xt_match *match)
127 u_int8_t af = match->family;
129 mutex_lock(&xt[af].mutex);
130 list_add(&match->list, &xt[af].match);
131 mutex_unlock(&xt[af].mutex);
134 EXPORT_SYMBOL(xt_register_match);
137 xt_unregister_match(struct xt_match *match)
139 u_int8_t af = match->family;
141 mutex_lock(&xt[af].mutex);
142 list_del(&match->list);
143 mutex_unlock(&xt[af].mutex);
145 EXPORT_SYMBOL(xt_unregister_match);
148 xt_register_matches(struct xt_match *match, unsigned int n)
153 for (i = 0; i < n; i++) {
154 err = xt_register_match(&match[i]);
162 xt_unregister_matches(match, i);
165 EXPORT_SYMBOL(xt_register_matches);
168 xt_unregister_matches(struct xt_match *match, unsigned int n)
171 xt_unregister_match(&match[n]);
173 EXPORT_SYMBOL(xt_unregister_matches);
177 * These are weird, but module loading must not be done with mutex
178 * held (since they will register), and we have to have a single
182 /* Find match, grabs ref. Returns ERR_PTR() on error. */
183 struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
188 if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
189 return ERR_PTR(-EINVAL);
191 mutex_lock(&xt[af].mutex);
192 list_for_each_entry(m, &xt[af].match, list) {
193 if (strcmp(m->name, name) == 0) {
194 if (m->revision == revision) {
195 if (try_module_get(m->me)) {
196 mutex_unlock(&xt[af].mutex);
200 err = -EPROTOTYPE; /* Found something. */
203 mutex_unlock(&xt[af].mutex);
205 if (af != NFPROTO_UNSPEC)
206 /* Try searching again in the family-independent list */
207 return xt_find_match(NFPROTO_UNSPEC, name, revision);
211 EXPORT_SYMBOL(xt_find_match);
214 xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
216 struct xt_match *match;
218 if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
219 return ERR_PTR(-EINVAL);
221 match = xt_find_match(nfproto, name, revision);
223 request_module("%st_%s", xt_prefix[nfproto], name);
224 match = xt_find_match(nfproto, name, revision);
229 EXPORT_SYMBOL_GPL(xt_request_find_match);
231 /* Find target, grabs ref. Returns ERR_PTR() on error. */
232 static struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
237 if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
238 return ERR_PTR(-EINVAL);
240 mutex_lock(&xt[af].mutex);
241 list_for_each_entry(t, &xt[af].target, list) {
242 if (strcmp(t->name, name) == 0) {
243 if (t->revision == revision) {
244 if (try_module_get(t->me)) {
245 mutex_unlock(&xt[af].mutex);
249 err = -EPROTOTYPE; /* Found something. */
252 mutex_unlock(&xt[af].mutex);
254 if (af != NFPROTO_UNSPEC)
255 /* Try searching again in the family-independent list */
256 return xt_find_target(NFPROTO_UNSPEC, name, revision);
261 struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
263 struct xt_target *target;
265 if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
266 return ERR_PTR(-EINVAL);
268 target = xt_find_target(af, name, revision);
269 if (IS_ERR(target)) {
270 request_module("%st_%s", xt_prefix[af], name);
271 target = xt_find_target(af, name, revision);
276 EXPORT_SYMBOL_GPL(xt_request_find_target);
279 static int xt_obj_to_user(u16 __user *psize, u16 size,
280 void __user *pname, const char *name,
281 u8 __user *prev, u8 rev)
283 if (put_user(size, psize))
285 if (copy_to_user(pname, name, strlen(name) + 1))
287 if (put_user(rev, prev))
293 #define XT_OBJ_TO_USER(U, K, TYPE, C_SIZE) \
294 xt_obj_to_user(&U->u.TYPE##_size, C_SIZE ? : K->u.TYPE##_size, \
295 U->u.user.name, K->u.kernel.TYPE->name, \
296 &U->u.user.revision, K->u.kernel.TYPE->revision)
298 int xt_data_to_user(void __user *dst, const void *src,
299 int usersize, int size, int aligned_size)
301 usersize = usersize ? : size;
302 if (copy_to_user(dst, src, usersize))
304 if (usersize != aligned_size &&
305 clear_user(dst + usersize, aligned_size - usersize))
310 EXPORT_SYMBOL_GPL(xt_data_to_user);
312 #define XT_DATA_TO_USER(U, K, TYPE) \
313 xt_data_to_user(U->data, K->data, \
314 K->u.kernel.TYPE->usersize, \
315 K->u.kernel.TYPE->TYPE##size, \
316 XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
318 int xt_match_to_user(const struct xt_entry_match *m,
319 struct xt_entry_match __user *u)
321 return XT_OBJ_TO_USER(u, m, match, 0) ||
322 XT_DATA_TO_USER(u, m, match);
324 EXPORT_SYMBOL_GPL(xt_match_to_user);
326 int xt_target_to_user(const struct xt_entry_target *t,
327 struct xt_entry_target __user *u)
329 return XT_OBJ_TO_USER(u, t, target, 0) ||
330 XT_DATA_TO_USER(u, t, target);
332 EXPORT_SYMBOL_GPL(xt_target_to_user);
334 static int match_revfn(u8 af, const char *name, u8 revision, int *bestp)
336 const struct xt_match *m;
339 mutex_lock(&xt[af].mutex);
340 list_for_each_entry(m, &xt[af].match, list) {
341 if (strcmp(m->name, name) == 0) {
342 if (m->revision > *bestp)
343 *bestp = m->revision;
344 if (m->revision == revision)
348 mutex_unlock(&xt[af].mutex);
350 if (af != NFPROTO_UNSPEC && !have_rev)
351 return match_revfn(NFPROTO_UNSPEC, name, revision, bestp);
356 static int target_revfn(u8 af, const char *name, u8 revision, int *bestp)
358 const struct xt_target *t;
361 mutex_lock(&xt[af].mutex);
362 list_for_each_entry(t, &xt[af].target, list) {
363 if (strcmp(t->name, name) == 0) {
364 if (t->revision > *bestp)
365 *bestp = t->revision;
366 if (t->revision == revision)
370 mutex_unlock(&xt[af].mutex);
372 if (af != NFPROTO_UNSPEC && !have_rev)
373 return target_revfn(NFPROTO_UNSPEC, name, revision, bestp);
378 /* Returns true or false (if no such extension at all) */
379 int xt_find_revision(u8 af, const char *name, u8 revision, int target,
382 int have_rev, best = -1;
385 have_rev = target_revfn(af, name, revision, &best);
387 have_rev = match_revfn(af, name, revision, &best);
389 /* Nothing at all? Return 0 to try loading module. */
397 *err = -EPROTONOSUPPORT;
400 EXPORT_SYMBOL_GPL(xt_find_revision);
403 textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto)
405 static const char *const inetbr_names[] = {
406 "PREROUTING", "INPUT", "FORWARD",
407 "OUTPUT", "POSTROUTING", "BROUTING",
409 static const char *const arp_names[] = {
410 "INPUT", "FORWARD", "OUTPUT",
412 const char *const *names;
418 names = (nfproto == NFPROTO_ARP) ? arp_names : inetbr_names;
419 max = (nfproto == NFPROTO_ARP) ? ARRAY_SIZE(arp_names) :
420 ARRAY_SIZE(inetbr_names);
422 for (i = 0; i < max; ++i) {
423 if (!(mask & (1 << i)))
425 res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]);
437 * xt_check_proc_name - check that name is suitable for /proc file creation
439 * @name: file name candidate
440 * @size: length of buffer
442 * some x_tables modules wish to create a file in /proc.
443 * This function makes sure that the name is suitable for this
444 * purpose, it checks that name is NUL terminated and isn't a 'special'
447 * returns negative number on error or 0 if name is useable.
449 int xt_check_proc_name(const char *name, unsigned int size)
454 if (strnlen(name, size) == size)
455 return -ENAMETOOLONG;
457 if (strcmp(name, ".") == 0 ||
458 strcmp(name, "..") == 0 ||
464 EXPORT_SYMBOL(xt_check_proc_name);
466 int xt_check_match(struct xt_mtchk_param *par,
467 unsigned int size, u16 proto, bool inv_proto)
471 if (XT_ALIGN(par->match->matchsize) != size &&
472 par->match->matchsize != -1) {
474 * ebt_among is exempt from centralized matchsize checking
475 * because it uses a dynamic-size data set.
477 pr_err_ratelimited("%s_tables: %s.%u match: invalid size %u (kernel) != (user) %u\n",
478 xt_prefix[par->family], par->match->name,
479 par->match->revision,
480 XT_ALIGN(par->match->matchsize), size);
483 if (par->match->table != NULL &&
484 strcmp(par->match->table, par->table) != 0) {
485 pr_info_ratelimited("%s_tables: %s match: only valid in %s table, not %s\n",
486 xt_prefix[par->family], par->match->name,
487 par->match->table, par->table);
490 if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
491 char used[64], allow[64];
493 pr_info_ratelimited("%s_tables: %s match: used from hooks %s, but only valid from %s\n",
494 xt_prefix[par->family], par->match->name,
495 textify_hooks(used, sizeof(used),
496 par->hook_mask, par->family),
497 textify_hooks(allow, sizeof(allow),
502 if (par->match->proto && (par->match->proto != proto || inv_proto)) {
503 pr_info_ratelimited("%s_tables: %s match: only valid for protocol %u\n",
504 xt_prefix[par->family], par->match->name,
508 if (par->match->checkentry != NULL) {
509 ret = par->match->checkentry(par);
513 /* Flag up potential errors. */
518 EXPORT_SYMBOL_GPL(xt_check_match);
520 /** xt_check_entry_match - check that matches end before start of target
522 * @match: beginning of xt_entry_match
523 * @target: beginning of this rules target (alleged end of matches)
524 * @alignment: alignment requirement of match structures
526 * Validates that all matches add up to the beginning of the target,
527 * and that each match covers at least the base structure size.
529 * Return: 0 on success, negative errno on failure.
531 static int xt_check_entry_match(const char *match, const char *target,
532 const size_t alignment)
534 const struct xt_entry_match *pos;
535 int length = target - match;
537 if (length == 0) /* no matches */
540 pos = (struct xt_entry_match *)match;
542 if ((unsigned long)pos % alignment)
545 if (length < (int)sizeof(struct xt_entry_match))
548 if (pos->u.match_size < sizeof(struct xt_entry_match))
551 if (pos->u.match_size > length)
554 length -= pos->u.match_size;
555 pos = ((void *)((char *)(pos) + (pos)->u.match_size));
556 } while (length > 0);
561 /** xt_check_table_hooks - check hook entry points are sane
563 * @info xt_table_info to check
564 * @valid_hooks - hook entry points that we can enter from
566 * Validates that the hook entry and underflows points are set up.
568 * Return: 0 on success, negative errno on failure.
570 int xt_check_table_hooks(const struct xt_table_info *info, unsigned int valid_hooks)
572 const char *err = "unsorted underflow";
573 unsigned int i, max_uflow, max_entry;
574 bool check_hooks = false;
576 BUILD_BUG_ON(ARRAY_SIZE(info->hook_entry) != ARRAY_SIZE(info->underflow));
581 for (i = 0; i < ARRAY_SIZE(info->hook_entry); i++) {
582 if (!(valid_hooks & (1 << i)))
585 if (info->hook_entry[i] == 0xFFFFFFFF)
587 if (info->underflow[i] == 0xFFFFFFFF)
591 if (max_uflow > info->underflow[i])
594 if (max_uflow == info->underflow[i]) {
595 err = "duplicate underflow";
598 if (max_entry > info->hook_entry[i]) {
599 err = "unsorted entry";
602 if (max_entry == info->hook_entry[i]) {
603 err = "duplicate entry";
607 max_entry = info->hook_entry[i];
608 max_uflow = info->underflow[i];
614 pr_err_ratelimited("%s at hook %d\n", err, i);
617 EXPORT_SYMBOL(xt_check_table_hooks);
619 static bool verdict_ok(int verdict)
625 int v = -verdict - 1;
627 if (verdict == XT_RETURN)
631 case NF_ACCEPT: return true;
632 case NF_DROP: return true;
633 case NF_QUEUE: return true;
644 static bool error_tg_ok(unsigned int usersize, unsigned int kernsize,
645 const char *msg, unsigned int msglen)
647 return usersize == kernsize && strnlen(msg, msglen) < msglen;
650 #ifdef CONFIG_NETFILTER_XTABLES_COMPAT
651 int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
653 struct xt_af *xp = &xt[af];
655 WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));
657 if (WARN_ON(!xp->compat_tab))
660 if (xp->cur >= xp->number)
664 delta += xp->compat_tab[xp->cur - 1].delta;
665 xp->compat_tab[xp->cur].offset = offset;
666 xp->compat_tab[xp->cur].delta = delta;
670 EXPORT_SYMBOL_GPL(xt_compat_add_offset);
672 void xt_compat_flush_offsets(u_int8_t af)
674 WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));
676 if (xt[af].compat_tab) {
677 vfree(xt[af].compat_tab);
678 xt[af].compat_tab = NULL;
683 EXPORT_SYMBOL_GPL(xt_compat_flush_offsets);
685 int xt_compat_calc_jump(u_int8_t af, unsigned int offset)
687 struct compat_delta *tmp = xt[af].compat_tab;
688 int mid, left = 0, right = xt[af].cur - 1;
690 while (left <= right) {
691 mid = (left + right) >> 1;
692 if (offset > tmp[mid].offset)
694 else if (offset < tmp[mid].offset)
697 return mid ? tmp[mid - 1].delta : 0;
699 return left ? tmp[left - 1].delta : 0;
701 EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
703 int xt_compat_init_offsets(u8 af, unsigned int number)
707 WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));
709 if (!number || number > (INT_MAX / sizeof(struct compat_delta)))
712 if (WARN_ON(xt[af].compat_tab))
715 mem = sizeof(struct compat_delta) * number;
716 if (mem > XT_MAX_TABLE_SIZE)
719 xt[af].compat_tab = vmalloc(mem);
720 if (!xt[af].compat_tab)
723 xt[af].number = number;
728 EXPORT_SYMBOL(xt_compat_init_offsets);
730 int xt_compat_match_offset(const struct xt_match *match)
732 u_int16_t csize = match->compatsize ? : match->matchsize;
733 return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
735 EXPORT_SYMBOL_GPL(xt_compat_match_offset);
737 void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
740 const struct xt_match *match = m->u.kernel.match;
741 struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
742 int off = xt_compat_match_offset(match);
743 u_int16_t msize = cm->u.user.match_size;
744 char name[sizeof(m->u.user.name)];
747 memcpy(m, cm, sizeof(*cm));
748 if (match->compat_from_user)
749 match->compat_from_user(m->data, cm->data);
751 memcpy(m->data, cm->data, msize - sizeof(*cm));
754 m->u.user.match_size = msize;
755 strlcpy(name, match->name, sizeof(name));
756 module_put(match->me);
757 strncpy(m->u.user.name, name, sizeof(m->u.user.name));
762 EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
764 #define COMPAT_XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \
765 xt_data_to_user(U->data, K->data, \
766 K->u.kernel.TYPE->usersize, \
768 COMPAT_XT_ALIGN(C_SIZE))
770 int xt_compat_match_to_user(const struct xt_entry_match *m,
771 void __user **dstptr, unsigned int *size)
773 const struct xt_match *match = m->u.kernel.match;
774 struct compat_xt_entry_match __user *cm = *dstptr;
775 int off = xt_compat_match_offset(match);
776 u_int16_t msize = m->u.user.match_size - off;
778 if (XT_OBJ_TO_USER(cm, m, match, msize))
781 if (match->compat_to_user) {
782 if (match->compat_to_user((void __user *)cm->data, m->data))
785 if (COMPAT_XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
793 EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
795 /* non-compat version may have padding after verdict */
796 struct compat_xt_standard_target {
797 struct compat_xt_entry_target t;
798 compat_uint_t verdict;
801 struct compat_xt_error_target {
802 struct compat_xt_entry_target t;
803 char errorname[XT_FUNCTION_MAXNAMELEN];
806 int xt_compat_check_entry_offsets(const void *base, const char *elems,
807 unsigned int target_offset,
808 unsigned int next_offset)
810 long size_of_base_struct = elems - (const char *)base;
811 const struct compat_xt_entry_target *t;
812 const char *e = base;
814 if (target_offset < size_of_base_struct)
817 if (target_offset + sizeof(*t) > next_offset)
820 t = (void *)(e + target_offset);
821 if (t->u.target_size < sizeof(*t))
824 if (target_offset + t->u.target_size > next_offset)
827 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {
828 const struct compat_xt_standard_target *st = (const void *)t;
830 if (COMPAT_XT_ALIGN(target_offset + sizeof(*st)) != next_offset)
833 if (!verdict_ok(st->verdict))
835 } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) {
836 const struct compat_xt_error_target *et = (const void *)t;
838 if (!error_tg_ok(t->u.target_size, sizeof(*et),
839 et->errorname, sizeof(et->errorname)))
843 /* compat_xt_entry match has less strict alignment requirements,
844 * otherwise they are identical. In case of padding differences
845 * we need to add compat version of xt_check_entry_match.
847 BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match));
849 return xt_check_entry_match(elems, base + target_offset,
850 __alignof__(struct compat_xt_entry_match));
852 EXPORT_SYMBOL(xt_compat_check_entry_offsets);
853 #endif /* CONFIG_NETFILTER_XTABLES_COMPAT */
856 * xt_check_entry_offsets - validate arp/ip/ip6t_entry
858 * @base: pointer to arp/ip/ip6t_entry
859 * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems
860 * @target_offset: the arp/ip/ip6_t->target_offset
861 * @next_offset: the arp/ip/ip6_t->next_offset
863 * validates that target_offset and next_offset are sane and that all
864 * match sizes (if any) align with the target offset.
866 * This function does not validate the targets or matches themselves, it
867 * only tests that all the offsets and sizes are correct, that all
868 * match structures are aligned, and that the last structure ends where
869 * the target structure begins.
871 * Also see xt_compat_check_entry_offsets for CONFIG_NETFILTER_XTABLES_COMPAT version.
873 * The arp/ip/ip6t_entry structure @base must have passed following tests:
874 * - it must point to a valid memory location
875 * - base to base + next_offset must be accessible, i.e. not exceed allocated
878 * A well-formed entry looks like this:
880 * ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry
881 * e->elems[]-----' | |
885 * target_offset---------------------------------' |
886 * next_offset---------------------------------------------------'
888 * elems[]: flexible array member at end of ip(6)/arpt_entry struct.
889 * This is where matches (if any) and the target reside.
890 * target_offset: beginning of target.
891 * next_offset: start of the next rule; also: size of this rule.
892 * Since targets have a minimum size, target_offset + minlen <= next_offset.
894 * Every match stores its size, sum of sizes must not exceed target_offset.
896 * Return: 0 on success, negative errno on failure.
898 int xt_check_entry_offsets(const void *base,
900 unsigned int target_offset,
901 unsigned int next_offset)
903 long size_of_base_struct = elems - (const char *)base;
904 const struct xt_entry_target *t;
905 const char *e = base;
907 /* target start is within the ip/ip6/arpt_entry struct */
908 if (target_offset < size_of_base_struct)
911 if (target_offset + sizeof(*t) > next_offset)
914 t = (void *)(e + target_offset);
915 if (t->u.target_size < sizeof(*t))
918 if (target_offset + t->u.target_size > next_offset)
921 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {
922 const struct xt_standard_target *st = (const void *)t;
924 if (XT_ALIGN(target_offset + sizeof(*st)) != next_offset)
927 if (!verdict_ok(st->verdict))
929 } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) {
930 const struct xt_error_target *et = (const void *)t;
932 if (!error_tg_ok(t->u.target_size, sizeof(*et),
933 et->errorname, sizeof(et->errorname)))
937 return xt_check_entry_match(elems, base + target_offset,
938 __alignof__(struct xt_entry_match));
940 EXPORT_SYMBOL(xt_check_entry_offsets);
943 * xt_alloc_entry_offsets - allocate array to store rule head offsets
945 * @size: number of entries
947 * Return: NULL or zeroed kmalloc'd or vmalloc'd array
949 unsigned int *xt_alloc_entry_offsets(unsigned int size)
951 if (size > XT_MAX_TABLE_SIZE / sizeof(unsigned int))
954 return kvcalloc(size, sizeof(unsigned int), GFP_KERNEL);
957 EXPORT_SYMBOL(xt_alloc_entry_offsets);
960 * xt_find_jump_offset - check if target is a valid jump offset
962 * @offsets: array containing all valid rule start offsets of a rule blob
963 * @target: the jump target to search for
964 * @size: entries in @offset
966 bool xt_find_jump_offset(const unsigned int *offsets,
967 unsigned int target, unsigned int size)
969 int m, low = 0, hi = size;
974 if (offsets[m] > target)
976 else if (offsets[m] < target)
984 EXPORT_SYMBOL(xt_find_jump_offset);
986 int xt_check_target(struct xt_tgchk_param *par,
987 unsigned int size, u16 proto, bool inv_proto)
991 if (XT_ALIGN(par->target->targetsize) != size) {
992 pr_err_ratelimited("%s_tables: %s.%u target: invalid size %u (kernel) != (user) %u\n",
993 xt_prefix[par->family], par->target->name,
994 par->target->revision,
995 XT_ALIGN(par->target->targetsize), size);
998 if (par->target->table != NULL &&
999 strcmp(par->target->table, par->table) != 0) {
1000 pr_info_ratelimited("%s_tables: %s target: only valid in %s table, not %s\n",
1001 xt_prefix[par->family], par->target->name,
1002 par->target->table, par->table);
1005 if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) {
1006 char used[64], allow[64];
1008 pr_info_ratelimited("%s_tables: %s target: used from hooks %s, but only usable from %s\n",
1009 xt_prefix[par->family], par->target->name,
1010 textify_hooks(used, sizeof(used),
1011 par->hook_mask, par->family),
1012 textify_hooks(allow, sizeof(allow),
1017 if (par->target->proto && (par->target->proto != proto || inv_proto)) {
1018 pr_info_ratelimited("%s_tables: %s target: only valid for protocol %u\n",
1019 xt_prefix[par->family], par->target->name,
1020 par->target->proto);
1023 if (par->target->checkentry != NULL) {
1024 ret = par->target->checkentry(par);
1028 /* Flag up potential errors. */
1033 EXPORT_SYMBOL_GPL(xt_check_target);
1036 * xt_copy_counters - copy counters and metadata from a sockptr_t
1039 * @len: alleged size of userspace memory
1040 * @info: where to store the xt_counters_info metadata
1042 * Copies counter meta data from @user and stores it in @info.
1044 * vmallocs memory to hold the counters, then copies the counter data
1045 * from @user to the new memory and returns a pointer to it.
1047 * If called from a compat syscall, @info gets converted automatically to the
1048 * 64bit representation.
1050 * The metadata associated with the counters is stored in @info.
1052 * Return: returns pointer that caller has to test via IS_ERR().
1053 * If IS_ERR is false, caller has to vfree the pointer.
1055 void *xt_copy_counters(sockptr_t arg, unsigned int len,
1056 struct xt_counters_info *info)
1062 #ifdef CONFIG_NETFILTER_XTABLES_COMPAT
1063 if (in_compat_syscall()) {
1064 /* structures only differ in size due to alignment */
1065 struct compat_xt_counters_info compat_tmp;
1067 if (len <= sizeof(compat_tmp))
1068 return ERR_PTR(-EINVAL);
1070 len -= sizeof(compat_tmp);
1071 if (copy_from_sockptr(&compat_tmp, arg, sizeof(compat_tmp)) != 0)
1072 return ERR_PTR(-EFAULT);
1074 memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
1075 info->num_counters = compat_tmp.num_counters;
1076 offset = sizeof(compat_tmp);
1080 if (len <= sizeof(*info))
1081 return ERR_PTR(-EINVAL);
1083 len -= sizeof(*info);
1084 if (copy_from_sockptr(info, arg, sizeof(*info)) != 0)
1085 return ERR_PTR(-EFAULT);
1087 offset = sizeof(*info);
1089 info->name[sizeof(info->name) - 1] = '\0';
1091 size = sizeof(struct xt_counters);
1092 size *= info->num_counters;
1094 if (size != (u64)len)
1095 return ERR_PTR(-EINVAL);
1099 return ERR_PTR(-ENOMEM);
1101 if (copy_from_sockptr_offset(mem, arg, offset, len) == 0)
1105 return ERR_PTR(-EFAULT);
1107 EXPORT_SYMBOL_GPL(xt_copy_counters);
1109 #ifdef CONFIG_NETFILTER_XTABLES_COMPAT
1110 int xt_compat_target_offset(const struct xt_target *target)
1112 u_int16_t csize = target->compatsize ? : target->targetsize;
1113 return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
1115 EXPORT_SYMBOL_GPL(xt_compat_target_offset);
1117 void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
1120 const struct xt_target *target = t->u.kernel.target;
1121 struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
1122 int off = xt_compat_target_offset(target);
1123 u_int16_t tsize = ct->u.user.target_size;
1124 char name[sizeof(t->u.user.name)];
1127 memcpy(t, ct, sizeof(*ct));
1128 if (target->compat_from_user)
1129 target->compat_from_user(t->data, ct->data);
1131 memcpy(t->data, ct->data, tsize - sizeof(*ct));
1134 t->u.user.target_size = tsize;
1135 strlcpy(name, target->name, sizeof(name));
1136 module_put(target->me);
1137 strncpy(t->u.user.name, name, sizeof(t->u.user.name));
1142 EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
1144 int xt_compat_target_to_user(const struct xt_entry_target *t,
1145 void __user **dstptr, unsigned int *size)
1147 const struct xt_target *target = t->u.kernel.target;
1148 struct compat_xt_entry_target __user *ct = *dstptr;
1149 int off = xt_compat_target_offset(target);
1150 u_int16_t tsize = t->u.user.target_size - off;
1152 if (XT_OBJ_TO_USER(ct, t, target, tsize))
1155 if (target->compat_to_user) {
1156 if (target->compat_to_user((void __user *)ct->data, t->data))
1159 if (COMPAT_XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
1167 EXPORT_SYMBOL_GPL(xt_compat_target_to_user);
1170 struct xt_table_info *xt_alloc_table_info(unsigned int size)
1172 struct xt_table_info *info = NULL;
1173 size_t sz = sizeof(*info) + size;
1175 if (sz < sizeof(*info) || sz >= XT_MAX_TABLE_SIZE)
1178 info = kvmalloc(sz, GFP_KERNEL_ACCOUNT);
1182 memset(info, 0, sizeof(*info));
1186 EXPORT_SYMBOL(xt_alloc_table_info);
1188 void xt_free_table_info(struct xt_table_info *info)
1192 if (info->jumpstack != NULL) {
1193 for_each_possible_cpu(cpu)
1194 kvfree(info->jumpstack[cpu]);
1195 kvfree(info->jumpstack);
1200 EXPORT_SYMBOL(xt_free_table_info);
1202 struct xt_table *xt_find_table(struct net *net, u8 af, const char *name)
1204 struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
1207 mutex_lock(&xt[af].mutex);
1208 list_for_each_entry(t, &xt_net->tables[af], list) {
1209 if (strcmp(t->name, name) == 0) {
1210 mutex_unlock(&xt[af].mutex);
1214 mutex_unlock(&xt[af].mutex);
1217 EXPORT_SYMBOL(xt_find_table);
1219 /* Find table by name, grabs mutex & ref. Returns ERR_PTR on error. */
1220 struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
1223 struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
1224 struct xt_table *t, *found = NULL;
1226 mutex_lock(&xt[af].mutex);
1227 list_for_each_entry(t, &xt_net->tables[af], list)
1228 if (strcmp(t->name, name) == 0 && try_module_get(t->me))
1231 if (net == &init_net)
1234 /* Table doesn't exist in this netns, re-try init */
1235 xt_net = net_generic(&init_net, xt_pernet_id);
1236 list_for_each_entry(t, &xt_net->tables[af], list) {
1239 if (strcmp(t->name, name))
1241 if (!try_module_get(t->me))
1243 mutex_unlock(&xt[af].mutex);
1244 err = t->table_init(net);
1247 return ERR_PTR(err);
1252 mutex_lock(&xt[af].mutex);
1259 xt_net = net_generic(net, xt_pernet_id);
1260 /* and once again: */
1261 list_for_each_entry(t, &xt_net->tables[af], list)
1262 if (strcmp(t->name, name) == 0)
1265 module_put(found->me);
1267 mutex_unlock(&xt[af].mutex);
1268 return ERR_PTR(-ENOENT);
1270 EXPORT_SYMBOL_GPL(xt_find_table_lock);
1272 struct xt_table *xt_request_find_table_lock(struct net *net, u_int8_t af,
1275 struct xt_table *t = xt_find_table_lock(net, af, name);
1277 #ifdef CONFIG_MODULES
1279 int err = request_module("%stable_%s", xt_prefix[af], name);
1281 return ERR_PTR(err);
1282 t = xt_find_table_lock(net, af, name);
1288 EXPORT_SYMBOL_GPL(xt_request_find_table_lock);
1290 void xt_table_unlock(struct xt_table *table)
1292 mutex_unlock(&xt[table->af].mutex);
1294 EXPORT_SYMBOL_GPL(xt_table_unlock);
1296 #ifdef CONFIG_NETFILTER_XTABLES_COMPAT
1297 void xt_compat_lock(u_int8_t af)
1299 mutex_lock(&xt[af].compat_mutex);
1301 EXPORT_SYMBOL_GPL(xt_compat_lock);
1303 void xt_compat_unlock(u_int8_t af)
1305 mutex_unlock(&xt[af].compat_mutex);
1307 EXPORT_SYMBOL_GPL(xt_compat_unlock);
1310 DEFINE_PER_CPU(seqcount_t, xt_recseq);
1311 EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
1313 struct static_key xt_tee_enabled __read_mostly;
1314 EXPORT_SYMBOL_GPL(xt_tee_enabled);
1316 static int xt_jumpstack_alloc(struct xt_table_info *i)
1321 size = sizeof(void **) * nr_cpu_ids;
1322 if (size > PAGE_SIZE)
1323 i->jumpstack = kvzalloc(size, GFP_KERNEL);
1325 i->jumpstack = kzalloc(size, GFP_KERNEL);
1326 if (i->jumpstack == NULL)
1329 /* ruleset without jumps -- no stack needed */
1330 if (i->stacksize == 0)
1333 /* Jumpstack needs to be able to record two full callchains, one
1334 * from the first rule set traversal, plus one table reentrancy
1335 * via -j TEE without clobbering the callchain that brought us to
1338 * This is done by allocating two jumpstacks per cpu, on reentry
1339 * the upper half of the stack is used.
1341 * see the jumpstack setup in ipt_do_table() for more details.
1343 size = sizeof(void *) * i->stacksize * 2u;
1344 for_each_possible_cpu(cpu) {
1345 i->jumpstack[cpu] = kvmalloc_node(size, GFP_KERNEL,
1347 if (i->jumpstack[cpu] == NULL)
1349 * Freeing will be done later on by the callers. The
1350 * chain is: xt_replace_table -> __do_replace ->
1351 * do_replace -> xt_free_table_info.
1359 struct xt_counters *xt_counters_alloc(unsigned int counters)
1361 struct xt_counters *mem;
1363 if (counters == 0 || counters > INT_MAX / sizeof(*mem))
1366 counters *= sizeof(*mem);
1367 if (counters > XT_MAX_TABLE_SIZE)
1370 return vzalloc(counters);
1372 EXPORT_SYMBOL(xt_counters_alloc);
1374 struct xt_table_info *
1375 xt_replace_table(struct xt_table *table,
1376 unsigned int num_counters,
1377 struct xt_table_info *newinfo,
1380 struct xt_table_info *private;
1384 ret = xt_jumpstack_alloc(newinfo);
1390 /* Do the substitution. */
1392 private = table->private;
1394 /* Check inside lock: is the old number correct? */
1395 if (num_counters != private->number) {
1396 pr_debug("num_counters != table->private->number (%u/%u)\n",
1397 num_counters, private->number);
1403 newinfo->initial_entries = private->initial_entries;
1405 * Ensure contents of newinfo are visible before assigning to
1409 table->private = newinfo;
1411 /* make sure all cpus see new ->private value */
1415 * Even though table entries have now been swapped, other CPU's
1416 * may still be using the old entries...
1420 /* ... so wait for even xt_recseq on all cpus */
1421 for_each_possible_cpu(cpu) {
1422 seqcount_t *s = &per_cpu(xt_recseq, cpu);
1423 u32 seq = raw_read_seqcount(s);
1429 } while (seq == raw_read_seqcount(s));
1433 audit_log_nfcfg(table->name, table->af, private->number,
1434 !private->number ? AUDIT_XT_OP_REGISTER :
1435 AUDIT_XT_OP_REPLACE,
1439 EXPORT_SYMBOL_GPL(xt_replace_table);
1441 struct xt_table *xt_register_table(struct net *net,
1442 const struct xt_table *input_table,
1443 struct xt_table_info *bootstrap,
1444 struct xt_table_info *newinfo)
1446 struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
1447 struct xt_table_info *private;
1448 struct xt_table *t, *table;
1451 /* Don't add one object to multiple lists. */
1452 table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
1458 mutex_lock(&xt[table->af].mutex);
1459 /* Don't autoload: we'd eat our tail... */
1460 list_for_each_entry(t, &xt_net->tables[table->af], list) {
1461 if (strcmp(t->name, table->name) == 0) {
1467 /* Simplifies replace_table code. */
1468 table->private = bootstrap;
1470 if (!xt_replace_table(table, 0, newinfo, &ret))
1473 private = table->private;
1474 pr_debug("table->private->number = %u\n", private->number);
1476 /* save number of initial entries */
1477 private->initial_entries = private->number;
1479 list_add(&table->list, &xt_net->tables[table->af]);
1480 mutex_unlock(&xt[table->af].mutex);
1484 mutex_unlock(&xt[table->af].mutex);
1487 return ERR_PTR(ret);
1489 EXPORT_SYMBOL_GPL(xt_register_table);
1491 void *xt_unregister_table(struct xt_table *table)
1493 struct xt_table_info *private;
1495 mutex_lock(&xt[table->af].mutex);
1496 private = table->private;
1497 list_del(&table->list);
1498 mutex_unlock(&xt[table->af].mutex);
1499 audit_log_nfcfg(table->name, table->af, private->number,
1500 AUDIT_XT_OP_UNREGISTER, GFP_KERNEL);
1506 EXPORT_SYMBOL_GPL(xt_unregister_table);
1508 #ifdef CONFIG_PROC_FS
1509 static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos)
1511 u8 af = (unsigned long)PDE_DATA(file_inode(seq->file));
1512 struct net *net = seq_file_net(seq);
1513 struct xt_pernet *xt_net;
1515 xt_net = net_generic(net, xt_pernet_id);
1517 mutex_lock(&xt[af].mutex);
1518 return seq_list_start(&xt_net->tables[af], *pos);
1521 static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1523 u8 af = (unsigned long)PDE_DATA(file_inode(seq->file));
1524 struct net *net = seq_file_net(seq);
1525 struct xt_pernet *xt_net;
1527 xt_net = net_generic(net, xt_pernet_id);
1529 return seq_list_next(v, &xt_net->tables[af], pos);
1532 static void xt_table_seq_stop(struct seq_file *seq, void *v)
1534 u_int8_t af = (unsigned long)PDE_DATA(file_inode(seq->file));
1536 mutex_unlock(&xt[af].mutex);
1539 static int xt_table_seq_show(struct seq_file *seq, void *v)
1541 struct xt_table *table = list_entry(v, struct xt_table, list);
1544 seq_printf(seq, "%s\n", table->name);
1548 static const struct seq_operations xt_table_seq_ops = {
1549 .start = xt_table_seq_start,
1550 .next = xt_table_seq_next,
1551 .stop = xt_table_seq_stop,
1552 .show = xt_table_seq_show,
1556 * Traverse state for ip{,6}_{tables,matches} for helping crossing
1557 * the multi-AF mutexes.
1559 struct nf_mttg_trav {
1560 struct list_head *head, *curr;
1566 MTTG_TRAV_NFP_UNSPEC,
1571 static void *xt_mttg_seq_next(struct seq_file *seq, void *v, loff_t *ppos,
1574 static const uint8_t next_class[] = {
1575 [MTTG_TRAV_NFP_UNSPEC] = MTTG_TRAV_NFP_SPEC,
1576 [MTTG_TRAV_NFP_SPEC] = MTTG_TRAV_DONE,
1578 uint8_t nfproto = (unsigned long)PDE_DATA(file_inode(seq->file));
1579 struct nf_mttg_trav *trav = seq->private;
1584 switch (trav->class) {
1585 case MTTG_TRAV_INIT:
1586 trav->class = MTTG_TRAV_NFP_UNSPEC;
1587 mutex_lock(&xt[NFPROTO_UNSPEC].mutex);
1588 trav->head = trav->curr = is_target ?
1589 &xt[NFPROTO_UNSPEC].target : &xt[NFPROTO_UNSPEC].match;
1591 case MTTG_TRAV_NFP_UNSPEC:
1592 trav->curr = trav->curr->next;
1593 if (trav->curr != trav->head)
1595 mutex_unlock(&xt[NFPROTO_UNSPEC].mutex);
1596 mutex_lock(&xt[nfproto].mutex);
1597 trav->head = trav->curr = is_target ?
1598 &xt[nfproto].target : &xt[nfproto].match;
1599 trav->class = next_class[trav->class];
1601 case MTTG_TRAV_NFP_SPEC:
1602 trav->curr = trav->curr->next;
1603 if (trav->curr != trav->head)
1612 static void *xt_mttg_seq_start(struct seq_file *seq, loff_t *pos,
1615 struct nf_mttg_trav *trav = seq->private;
1618 trav->class = MTTG_TRAV_INIT;
1619 for (j = 0; j < *pos; ++j)
1620 if (xt_mttg_seq_next(seq, NULL, NULL, is_target) == NULL)
1625 static void xt_mttg_seq_stop(struct seq_file *seq, void *v)
1627 uint8_t nfproto = (unsigned long)PDE_DATA(file_inode(seq->file));
1628 struct nf_mttg_trav *trav = seq->private;
1630 switch (trav->class) {
1631 case MTTG_TRAV_NFP_UNSPEC:
1632 mutex_unlock(&xt[NFPROTO_UNSPEC].mutex);
1634 case MTTG_TRAV_NFP_SPEC:
1635 mutex_unlock(&xt[nfproto].mutex);
1640 static void *xt_match_seq_start(struct seq_file *seq, loff_t *pos)
1642 return xt_mttg_seq_start(seq, pos, false);
1645 static void *xt_match_seq_next(struct seq_file *seq, void *v, loff_t *ppos)
1647 return xt_mttg_seq_next(seq, v, ppos, false);
1650 static int xt_match_seq_show(struct seq_file *seq, void *v)
1652 const struct nf_mttg_trav *trav = seq->private;
1653 const struct xt_match *match;
1655 switch (trav->class) {
1656 case MTTG_TRAV_NFP_UNSPEC:
1657 case MTTG_TRAV_NFP_SPEC:
1658 if (trav->curr == trav->head)
1660 match = list_entry(trav->curr, struct xt_match, list);
1662 seq_printf(seq, "%s\n", match->name);
1667 static const struct seq_operations xt_match_seq_ops = {
1668 .start = xt_match_seq_start,
1669 .next = xt_match_seq_next,
1670 .stop = xt_mttg_seq_stop,
1671 .show = xt_match_seq_show,
1674 static void *xt_target_seq_start(struct seq_file *seq, loff_t *pos)
1676 return xt_mttg_seq_start(seq, pos, true);
1679 static void *xt_target_seq_next(struct seq_file *seq, void *v, loff_t *ppos)
1681 return xt_mttg_seq_next(seq, v, ppos, true);
1684 static int xt_target_seq_show(struct seq_file *seq, void *v)
1686 const struct nf_mttg_trav *trav = seq->private;
1687 const struct xt_target *target;
1689 switch (trav->class) {
1690 case MTTG_TRAV_NFP_UNSPEC:
1691 case MTTG_TRAV_NFP_SPEC:
1692 if (trav->curr == trav->head)
1694 target = list_entry(trav->curr, struct xt_target, list);
1696 seq_printf(seq, "%s\n", target->name);
1701 static const struct seq_operations xt_target_seq_ops = {
1702 .start = xt_target_seq_start,
1703 .next = xt_target_seq_next,
1704 .stop = xt_mttg_seq_stop,
1705 .show = xt_target_seq_show,
1708 #define FORMAT_TABLES "_tables_names"
1709 #define FORMAT_MATCHES "_tables_matches"
1710 #define FORMAT_TARGETS "_tables_targets"
1712 #endif /* CONFIG_PROC_FS */
1715 * xt_hook_ops_alloc - set up hooks for a new table
1716 * @table: table with metadata needed to set up hooks
1717 * @fn: Hook function
1719 * This function will create the nf_hook_ops that the x_table needs
1720 * to hand to xt_hook_link_net().
1722 struct nf_hook_ops *
1723 xt_hook_ops_alloc(const struct xt_table *table, nf_hookfn *fn)
1725 unsigned int hook_mask = table->valid_hooks;
1726 uint8_t i, num_hooks = hweight32(hook_mask);
1728 struct nf_hook_ops *ops;
1731 return ERR_PTR(-EINVAL);
1733 ops = kcalloc(num_hooks, sizeof(*ops), GFP_KERNEL);
1735 return ERR_PTR(-ENOMEM);
1737 for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0;
1738 hook_mask >>= 1, ++hooknum) {
1739 if (!(hook_mask & 1))
1742 ops[i].pf = table->af;
1743 ops[i].hooknum = hooknum;
1744 ops[i].priority = table->priority;
1750 EXPORT_SYMBOL_GPL(xt_hook_ops_alloc);
1752 int xt_proto_init(struct net *net, u_int8_t af)
1754 #ifdef CONFIG_PROC_FS
1755 char buf[XT_FUNCTION_MAXNAMELEN];
1756 struct proc_dir_entry *proc;
1761 if (af >= ARRAY_SIZE(xt_prefix))
1765 #ifdef CONFIG_PROC_FS
1766 root_uid = make_kuid(net->user_ns, 0);
1767 root_gid = make_kgid(net->user_ns, 0);
1769 strlcpy(buf, xt_prefix[af], sizeof(buf));
1770 strlcat(buf, FORMAT_TABLES, sizeof(buf));
1771 proc = proc_create_net_data(buf, 0440, net->proc_net, &xt_table_seq_ops,
1772 sizeof(struct seq_net_private),
1773 (void *)(unsigned long)af);
1776 if (uid_valid(root_uid) && gid_valid(root_gid))
1777 proc_set_user(proc, root_uid, root_gid);
1779 strlcpy(buf, xt_prefix[af], sizeof(buf));
1780 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1781 proc = proc_create_seq_private(buf, 0440, net->proc_net,
1782 &xt_match_seq_ops, sizeof(struct nf_mttg_trav),
1783 (void *)(unsigned long)af);
1785 goto out_remove_tables;
1786 if (uid_valid(root_uid) && gid_valid(root_gid))
1787 proc_set_user(proc, root_uid, root_gid);
1789 strlcpy(buf, xt_prefix[af], sizeof(buf));
1790 strlcat(buf, FORMAT_TARGETS, sizeof(buf));
1791 proc = proc_create_seq_private(buf, 0440, net->proc_net,
1792 &xt_target_seq_ops, sizeof(struct nf_mttg_trav),
1793 (void *)(unsigned long)af);
1795 goto out_remove_matches;
1796 if (uid_valid(root_uid) && gid_valid(root_gid))
1797 proc_set_user(proc, root_uid, root_gid);
1802 #ifdef CONFIG_PROC_FS
1804 strlcpy(buf, xt_prefix[af], sizeof(buf));
1805 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1806 remove_proc_entry(buf, net->proc_net);
1809 strlcpy(buf, xt_prefix[af], sizeof(buf));
1810 strlcat(buf, FORMAT_TABLES, sizeof(buf));
1811 remove_proc_entry(buf, net->proc_net);
1816 EXPORT_SYMBOL_GPL(xt_proto_init);
1818 void xt_proto_fini(struct net *net, u_int8_t af)
1820 #ifdef CONFIG_PROC_FS
1821 char buf[XT_FUNCTION_MAXNAMELEN];
1823 strlcpy(buf, xt_prefix[af], sizeof(buf));
1824 strlcat(buf, FORMAT_TABLES, sizeof(buf));
1825 remove_proc_entry(buf, net->proc_net);
1827 strlcpy(buf, xt_prefix[af], sizeof(buf));
1828 strlcat(buf, FORMAT_TARGETS, sizeof(buf));
1829 remove_proc_entry(buf, net->proc_net);
1831 strlcpy(buf, xt_prefix[af], sizeof(buf));
1832 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
1833 remove_proc_entry(buf, net->proc_net);
1834 #endif /*CONFIG_PROC_FS*/
1836 EXPORT_SYMBOL_GPL(xt_proto_fini);
1839 * xt_percpu_counter_alloc - allocate x_tables rule counter
1841 * @state: pointer to xt_percpu allocation state
1842 * @counter: pointer to counter struct inside the ip(6)/arpt_entry struct
1844 * On SMP, the packet counter [ ip(6)t_entry->counters.pcnt ] will then
1845 * contain the address of the real (percpu) counter.
1847 * Rule evaluation needs to use xt_get_this_cpu_counter() helper
1848 * to fetch the real percpu counter.
1850 * To speed up allocation and improve data locality, a 4kb block is
1851 * allocated. Freeing any counter may free an entire block, so all
1852 * counters allocated using the same state must be freed at the same
1855 * xt_percpu_counter_alloc_state contains the base address of the
1856 * allocated page and the current sub-offset.
1858 * returns false on error.
1860 bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
1861 struct xt_counters *counter)
1863 BUILD_BUG_ON(XT_PCPU_BLOCK_SIZE < (sizeof(*counter) * 2));
1865 if (nr_cpu_ids <= 1)
1869 state->mem = __alloc_percpu(XT_PCPU_BLOCK_SIZE,
1870 XT_PCPU_BLOCK_SIZE);
1874 counter->pcnt = (__force unsigned long)(state->mem + state->off);
1875 state->off += sizeof(*counter);
1876 if (state->off > (XT_PCPU_BLOCK_SIZE - sizeof(*counter))) {
1882 EXPORT_SYMBOL_GPL(xt_percpu_counter_alloc);
1884 void xt_percpu_counter_free(struct xt_counters *counters)
1886 unsigned long pcnt = counters->pcnt;
1888 if (nr_cpu_ids > 1 && (pcnt & (XT_PCPU_BLOCK_SIZE - 1)) == 0)
1889 free_percpu((void __percpu *)pcnt);
1891 EXPORT_SYMBOL_GPL(xt_percpu_counter_free);
1893 static int __net_init xt_net_init(struct net *net)
1895 struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
1898 for (i = 0; i < NFPROTO_NUMPROTO; i++)
1899 INIT_LIST_HEAD(&xt_net->tables[i]);
1903 static void __net_exit xt_net_exit(struct net *net)
1905 struct xt_pernet *xt_net = net_generic(net, xt_pernet_id);
1908 for (i = 0; i < NFPROTO_NUMPROTO; i++)
1909 WARN_ON_ONCE(!list_empty(&xt_net->tables[i]));
1912 static struct pernet_operations xt_net_ops = {
1913 .init = xt_net_init,
1914 .exit = xt_net_exit,
1915 .id = &xt_pernet_id,
1916 .size = sizeof(struct xt_pernet),
1919 static int __init xt_init(void)
1924 for_each_possible_cpu(i) {
1925 seqcount_init(&per_cpu(xt_recseq, i));
1928 xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL);
1932 for (i = 0; i < NFPROTO_NUMPROTO; i++) {
1933 mutex_init(&xt[i].mutex);
1934 #ifdef CONFIG_NETFILTER_XTABLES_COMPAT
1935 mutex_init(&xt[i].compat_mutex);
1936 xt[i].compat_tab = NULL;
1938 INIT_LIST_HEAD(&xt[i].target);
1939 INIT_LIST_HEAD(&xt[i].match);
1941 rv = register_pernet_subsys(&xt_net_ops);
1947 static void __exit xt_fini(void)
1949 unregister_pernet_subsys(&xt_net_ops);
1953 module_init(xt_init);
1954 module_exit(xt_fini);
projects / linux-2.6-microblaze.git / blob