2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 #include <linux/kernel.h>
16 #include <linux/capability.h>
18 #include <linux/skbuff.h>
19 #include <linux/kmod.h>
20 #include <linux/vmalloc.h>
21 #include <linux/netdevice.h>
22 #include <linux/module.h>
23 #include <linux/poison.h>
24 #include <linux/icmpv6.h>
26 #include <net/compat.h>
27 #include <asm/uaccess.h>
28 #include <linux/mutex.h>
29 #include <linux/proc_fs.h>
30 #include <linux/err.h>
31 #include <linux/cpumask.h>
33 #include <linux/netfilter_ipv6/ip6_tables.h>
34 #include <linux/netfilter/x_tables.h>
35 #include <net/netfilter/nf_log.h>
36 #include "../../netfilter/xt_repldata.h"
38 MODULE_LICENSE("GPL");
39 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
40 MODULE_DESCRIPTION("IPv6 packet filter");
42 #ifdef CONFIG_NETFILTER_DEBUG
43 #define IP_NF_ASSERT(x) WARN_ON(!(x))
45 #define IP_NF_ASSERT(x)
48 void *ip6t_alloc_initial_table(const struct xt_table *info)
50 return xt_alloc_initial_table(ip6t, IP6T);
52 EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
55 We keep a set of rules for each CPU, so we can avoid write-locking
56 them in the softirq when updating the counters and therefore
57 only need to read-lock in the softirq; doing a write_lock_bh() in user
58 context stops packets coming through and allows user context to read
59 the counters or update the rules.
61 Hence the start of any table is given by get_table() below. */
63 /* Returns whether matches rule or not. */
64 /* Performance critical - called for every packet */
66 ip6_packet_match(const struct sk_buff *skb,
69 const struct ip6t_ip6 *ip6info,
70 unsigned int *protoff,
71 int *fragoff, bool *hotdrop)
74 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
76 if (NF_INVF(ip6info, IP6T_INV_SRCIP,
77 ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
79 NF_INVF(ip6info, IP6T_INV_DSTIP,
80 ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
84 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
86 if (NF_INVF(ip6info, IP6T_INV_VIA_IN, ret != 0))
89 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
91 if (NF_INVF(ip6info, IP6T_INV_VIA_OUT, ret != 0))
94 /* ... might want to do something with class and flowlabel here ... */
96 /* look for the desired protocol header */
97 if (ip6info->flags & IP6T_F_PROTO) {
99 unsigned short _frag_off;
101 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off, NULL);
107 *fragoff = _frag_off;
109 if (ip6info->proto == protohdr) {
110 if (ip6info->invflags & IP6T_INV_PROTO)
116 /* We need match for the '-p all', too! */
117 if ((ip6info->proto != 0) &&
118 !(ip6info->invflags & IP6T_INV_PROTO))
124 /* should be ip6 safe */
126 ip6_checkentry(const struct ip6t_ip6 *ipv6)
128 if (ipv6->flags & ~IP6T_F_MASK)
130 if (ipv6->invflags & ~IP6T_INV_MASK)
137 ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
139 net_info_ratelimited("error: `%s'\n", (const char *)par->targinfo);
144 static inline struct ip6t_entry *
145 get_entry(const void *base, unsigned int offset)
147 return (struct ip6t_entry *)(base + offset);
150 /* All zeroes == unconditional rule. */
151 /* Mildly perf critical (only if packet tracing is on) */
152 static inline bool unconditional(const struct ip6t_entry *e)
154 static const struct ip6t_ip6 uncond;
156 return e->target_offset == sizeof(struct ip6t_entry) &&
157 memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0;
160 static inline const struct xt_entry_target *
161 ip6t_get_target_c(const struct ip6t_entry *e)
163 return ip6t_get_target((struct ip6t_entry *)e);
166 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
167 /* This cries for unification! */
168 static const char *const hooknames[] = {
169 [NF_INET_PRE_ROUTING] = "PREROUTING",
170 [NF_INET_LOCAL_IN] = "INPUT",
171 [NF_INET_FORWARD] = "FORWARD",
172 [NF_INET_LOCAL_OUT] = "OUTPUT",
173 [NF_INET_POST_ROUTING] = "POSTROUTING",
176 enum nf_ip_trace_comments {
177 NF_IP6_TRACE_COMMENT_RULE,
178 NF_IP6_TRACE_COMMENT_RETURN,
179 NF_IP6_TRACE_COMMENT_POLICY,
182 static const char *const comments[] = {
183 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
184 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
185 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
188 static struct nf_loginfo trace_loginfo = {
189 .type = NF_LOG_TYPE_LOG,
192 .level = LOGLEVEL_WARNING,
193 .logflags = NF_LOG_DEFAULT_MASK,
198 /* Mildly perf critical (only if packet tracing is on) */
200 get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
201 const char *hookname, const char **chainname,
202 const char **comment, unsigned int *rulenum)
204 const struct xt_standard_target *t = (void *)ip6t_get_target_c(s);
206 if (strcmp(t->target.u.kernel.target->name, XT_ERROR_TARGET) == 0) {
207 /* Head of user chain: ERROR target with chainname */
208 *chainname = t->target.data;
213 if (unconditional(s) &&
214 strcmp(t->target.u.kernel.target->name,
215 XT_STANDARD_TARGET) == 0 &&
217 /* Tail of chains: STANDARD target (return/policy) */
218 *comment = *chainname == hookname
219 ? comments[NF_IP6_TRACE_COMMENT_POLICY]
220 : comments[NF_IP6_TRACE_COMMENT_RETURN];
229 static void trace_packet(struct net *net,
230 const struct sk_buff *skb,
232 const struct net_device *in,
233 const struct net_device *out,
234 const char *tablename,
235 const struct xt_table_info *private,
236 const struct ip6t_entry *e)
238 const struct ip6t_entry *root;
239 const char *hookname, *chainname, *comment;
240 const struct ip6t_entry *iter;
241 unsigned int rulenum = 0;
243 root = get_entry(private->entries, private->hook_entry[hook]);
245 hookname = chainname = hooknames[hook];
246 comment = comments[NF_IP6_TRACE_COMMENT_RULE];
248 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
249 if (get_chainname_rulenum(iter, e, hookname,
250 &chainname, &comment, &rulenum) != 0)
253 nf_log_trace(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
254 "TRACE: %s:%s:%s:%u ",
255 tablename, chainname, comment, rulenum);
259 static inline struct ip6t_entry *
260 ip6t_next_entry(const struct ip6t_entry *entry)
262 return (void *)entry + entry->next_offset;
265 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
267 ip6t_do_table(struct sk_buff *skb,
268 const struct nf_hook_state *state,
269 struct xt_table *table)
271 unsigned int hook = state->hook;
272 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
273 /* Initializing verdict to NF_DROP keeps gcc happy. */
274 unsigned int verdict = NF_DROP;
275 const char *indev, *outdev;
276 const void *table_base;
277 struct ip6t_entry *e, **jumpstack;
278 unsigned int stackidx, cpu;
279 const struct xt_table_info *private;
280 struct xt_action_param acpar;
285 indev = state->in ? state->in->name : nulldevname;
286 outdev = state->out ? state->out->name : nulldevname;
287 /* We handle fragments by dealing with the first fragment as
288 * if it was a normal packet. All other fragments are treated
289 * normally, except that they will NEVER match rules that ask
290 * things we don't know, ie. tcp syn flag or ports). If the
291 * rule is also a fragment-specific rule, non-fragments won't
294 acpar.hotdrop = false;
295 acpar.net = state->net;
296 acpar.in = state->in;
297 acpar.out = state->out;
298 acpar.family = NFPROTO_IPV6;
299 acpar.hooknum = hook;
301 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
304 addend = xt_write_recseq_begin();
305 private = table->private;
307 * Ensure we load private-> members after we've fetched the base
310 smp_read_barrier_depends();
311 cpu = smp_processor_id();
312 table_base = private->entries;
313 jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
315 /* Switch to alternate jumpstack if we're being invoked via TEE.
316 * TEE issues XT_CONTINUE verdict on original skb so we must not
317 * clobber the jumpstack.
319 * For recursion via REJECT or SYNPROXY the stack will be clobbered
320 * but it is no problem since absolute verdict is issued by these.
322 if (static_key_false(&xt_tee_enabled))
323 jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
325 e = get_entry(table_base, private->hook_entry[hook]);
328 const struct xt_entry_target *t;
329 const struct xt_entry_match *ematch;
330 struct xt_counters *counter;
334 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
335 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
337 e = ip6t_next_entry(e);
341 xt_ematch_foreach(ematch, e) {
342 acpar.match = ematch->u.kernel.match;
343 acpar.matchinfo = ematch->data;
344 if (!acpar.match->match(skb, &acpar))
348 counter = xt_get_this_cpu_counter(&e->counters);
349 ADD_COUNTER(*counter, skb->len, 1);
351 t = ip6t_get_target_c(e);
352 IP_NF_ASSERT(t->u.kernel.target);
354 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
355 /* The packet is traced: log it */
356 if (unlikely(skb->nf_trace))
357 trace_packet(state->net, skb, hook, state->in,
358 state->out, table->name, private, e);
360 /* Standard target? */
361 if (!t->u.kernel.target->target) {
364 v = ((struct xt_standard_target *)t)->verdict;
366 /* Pop from stack? */
367 if (v != XT_RETURN) {
368 verdict = (unsigned int)(-v) - 1;
372 e = get_entry(table_base,
373 private->underflow[hook]);
375 e = ip6t_next_entry(jumpstack[--stackidx]);
378 if (table_base + v != ip6t_next_entry(e) &&
379 !(e->ipv6.flags & IP6T_F_GOTO)) {
380 if (unlikely(stackidx >= private->stacksize)) {
384 jumpstack[stackidx++] = e;
387 e = get_entry(table_base, v);
391 acpar.target = t->u.kernel.target;
392 acpar.targinfo = t->data;
394 verdict = t->u.kernel.target->target(skb, &acpar);
395 if (verdict == XT_CONTINUE)
396 e = ip6t_next_entry(e);
400 } while (!acpar.hotdrop);
402 xt_write_recseq_end(addend);
410 /* Figures out from what hook each rule can be called: returns 0 if
411 there are loops. Puts hook bitmask in comefrom. */
413 mark_source_chains(const struct xt_table_info *newinfo,
414 unsigned int valid_hooks, void *entry0,
415 unsigned int *offsets)
419 /* No recursion; use packet counter to save back ptrs (reset
420 to 0 as we leave), and comefrom to save source hook bitmask */
421 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
422 unsigned int pos = newinfo->hook_entry[hook];
423 struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
425 if (!(valid_hooks & (1 << hook)))
428 /* Set initial back pointer. */
429 e->counters.pcnt = pos;
432 const struct xt_standard_target *t
433 = (void *)ip6t_get_target_c(e);
434 int visited = e->comefrom & (1 << hook);
436 if (e->comefrom & (1 << NF_INET_NUMHOOKS))
439 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
441 /* Unconditional return/END. */
442 if ((unconditional(e) &&
443 (strcmp(t->target.u.user.name,
444 XT_STANDARD_TARGET) == 0) &&
445 t->verdict < 0) || visited) {
446 unsigned int oldpos, size;
448 if ((strcmp(t->target.u.user.name,
449 XT_STANDARD_TARGET) == 0) &&
450 t->verdict < -NF_MAX_VERDICT - 1)
453 /* Return: backtrack through the last
456 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
458 pos = e->counters.pcnt;
459 e->counters.pcnt = 0;
461 /* We're at the start. */
465 e = (struct ip6t_entry *)
467 } while (oldpos == pos + e->next_offset);
470 size = e->next_offset;
471 e = (struct ip6t_entry *)
472 (entry0 + pos + size);
473 if (pos + size >= newinfo->size)
475 e->counters.pcnt = pos;
478 int newpos = t->verdict;
480 if (strcmp(t->target.u.user.name,
481 XT_STANDARD_TARGET) == 0 &&
483 /* This a jump; chase it. */
484 if (!xt_find_jump_offset(offsets, newpos,
487 e = (struct ip6t_entry *)
490 /* ... this is a fallthru */
491 newpos = pos + e->next_offset;
492 if (newpos >= newinfo->size)
495 e = (struct ip6t_entry *)
497 e->counters.pcnt = pos;
506 static void cleanup_match(struct xt_entry_match *m, struct net *net)
508 struct xt_mtdtor_param par;
511 par.match = m->u.kernel.match;
512 par.matchinfo = m->data;
513 par.family = NFPROTO_IPV6;
514 if (par.match->destroy != NULL)
515 par.match->destroy(&par);
516 module_put(par.match->me);
519 static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
521 const struct ip6t_ip6 *ipv6 = par->entryinfo;
523 par->match = m->u.kernel.match;
524 par->matchinfo = m->data;
526 return xt_check_match(par, m->u.match_size - sizeof(*m),
527 ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
531 find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
533 struct xt_match *match;
536 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
539 return PTR_ERR(match);
541 m->u.kernel.match = match;
543 ret = check_match(m, par);
549 module_put(m->u.kernel.match->me);
553 static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
555 struct xt_entry_target *t = ip6t_get_target(e);
556 struct xt_tgchk_param par = {
560 .target = t->u.kernel.target,
562 .hook_mask = e->comefrom,
563 .family = NFPROTO_IPV6,
566 t = ip6t_get_target(e);
567 return xt_check_target(&par, t->u.target_size - sizeof(*t),
569 e->ipv6.invflags & IP6T_INV_PROTO);
573 find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
575 struct xt_percpu_counter_alloc_state *alloc_state)
577 struct xt_entry_target *t;
578 struct xt_target *target;
581 struct xt_mtchk_param mtpar;
582 struct xt_entry_match *ematch;
584 if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
588 memset(&mtpar, 0, sizeof(mtpar));
591 mtpar.entryinfo = &e->ipv6;
592 mtpar.hook_mask = e->comefrom;
593 mtpar.family = NFPROTO_IPV6;
594 xt_ematch_foreach(ematch, e) {
595 ret = find_check_match(ematch, &mtpar);
597 goto cleanup_matches;
601 t = ip6t_get_target(e);
602 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
604 if (IS_ERR(target)) {
605 ret = PTR_ERR(target);
606 goto cleanup_matches;
608 t->u.kernel.target = target;
610 ret = check_target(e, net, name);
615 module_put(t->u.kernel.target->me);
617 xt_ematch_foreach(ematch, e) {
620 cleanup_match(ematch, net);
623 xt_percpu_counter_free(&e->counters);
628 static bool check_underflow(const struct ip6t_entry *e)
630 const struct xt_entry_target *t;
631 unsigned int verdict;
633 if (!unconditional(e))
635 t = ip6t_get_target_c(e);
636 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
638 verdict = ((struct xt_standard_target *)t)->verdict;
639 verdict = -verdict - 1;
640 return verdict == NF_DROP || verdict == NF_ACCEPT;
644 check_entry_size_and_hooks(struct ip6t_entry *e,
645 struct xt_table_info *newinfo,
646 const unsigned char *base,
647 const unsigned char *limit,
648 const unsigned int *hook_entries,
649 const unsigned int *underflows,
650 unsigned int valid_hooks)
655 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
656 (unsigned char *)e + sizeof(struct ip6t_entry) >= limit ||
657 (unsigned char *)e + e->next_offset > limit)
661 < sizeof(struct ip6t_entry) + sizeof(struct xt_entry_target))
664 if (!ip6_checkentry(&e->ipv6))
667 err = xt_check_entry_offsets(e, e->elems, e->target_offset,
672 /* Check hooks & underflows */
673 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
674 if (!(valid_hooks & (1 << h)))
676 if ((unsigned char *)e - base == hook_entries[h])
677 newinfo->hook_entry[h] = hook_entries[h];
678 if ((unsigned char *)e - base == underflows[h]) {
679 if (!check_underflow(e))
682 newinfo->underflow[h] = underflows[h];
686 /* Clear counters and comefrom */
687 e->counters = ((struct xt_counters) { 0, 0 });
692 static void cleanup_entry(struct ip6t_entry *e, struct net *net)
694 struct xt_tgdtor_param par;
695 struct xt_entry_target *t;
696 struct xt_entry_match *ematch;
698 /* Cleanup all matches */
699 xt_ematch_foreach(ematch, e)
700 cleanup_match(ematch, net);
701 t = ip6t_get_target(e);
704 par.target = t->u.kernel.target;
705 par.targinfo = t->data;
706 par.family = NFPROTO_IPV6;
707 if (par.target->destroy != NULL)
708 par.target->destroy(&par);
709 module_put(par.target->me);
710 xt_percpu_counter_free(&e->counters);
713 /* Checks and translates the user-supplied table segment (held in
716 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
717 const struct ip6t_replace *repl)
719 struct xt_percpu_counter_alloc_state alloc_state = { 0 };
720 struct ip6t_entry *iter;
721 unsigned int *offsets;
725 newinfo->size = repl->size;
726 newinfo->number = repl->num_entries;
728 /* Init all hooks to impossible value. */
729 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
730 newinfo->hook_entry[i] = 0xFFFFFFFF;
731 newinfo->underflow[i] = 0xFFFFFFFF;
734 offsets = xt_alloc_entry_offsets(newinfo->number);
738 /* Walk through entries, checking offsets. */
739 xt_entry_foreach(iter, entry0, newinfo->size) {
740 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
747 if (i < repl->num_entries)
748 offsets[i] = (void *)iter - entry0;
750 if (strcmp(ip6t_get_target(iter)->u.user.name,
751 XT_ERROR_TARGET) == 0)
752 ++newinfo->stacksize;
756 if (i != repl->num_entries)
759 /* Check hooks all assigned */
760 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
761 /* Only hooks which are valid */
762 if (!(repl->valid_hooks & (1 << i)))
764 if (newinfo->hook_entry[i] == 0xFFFFFFFF)
766 if (newinfo->underflow[i] == 0xFFFFFFFF)
770 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
776 /* Finally, each sanity check must pass */
778 xt_entry_foreach(iter, entry0, newinfo->size) {
779 ret = find_check_entry(iter, net, repl->name, repl->size,
787 xt_entry_foreach(iter, entry0, newinfo->size) {
790 cleanup_entry(iter, net);
802 get_counters(const struct xt_table_info *t,
803 struct xt_counters counters[])
805 struct ip6t_entry *iter;
809 for_each_possible_cpu(cpu) {
810 seqcount_t *s = &per_cpu(xt_recseq, cpu);
813 xt_entry_foreach(iter, t->entries, t->size) {
814 struct xt_counters *tmp;
818 tmp = xt_get_per_cpu_counter(&iter->counters, cpu);
820 start = read_seqcount_begin(s);
823 } while (read_seqcount_retry(s, start));
825 ADD_COUNTER(counters[i], bcnt, pcnt);
831 static struct xt_counters *alloc_counters(const struct xt_table *table)
833 unsigned int countersize;
834 struct xt_counters *counters;
835 const struct xt_table_info *private = table->private;
837 /* We need atomic snapshot of counters: rest doesn't change
838 (other than comefrom, which userspace doesn't care
840 countersize = sizeof(struct xt_counters) * private->number;
841 counters = vzalloc(countersize);
843 if (counters == NULL)
844 return ERR_PTR(-ENOMEM);
846 get_counters(private, counters);
852 copy_entries_to_user(unsigned int total_size,
853 const struct xt_table *table,
854 void __user *userptr)
856 unsigned int off, num;
857 const struct ip6t_entry *e;
858 struct xt_counters *counters;
859 const struct xt_table_info *private = table->private;
861 const void *loc_cpu_entry;
863 counters = alloc_counters(table);
864 if (IS_ERR(counters))
865 return PTR_ERR(counters);
867 loc_cpu_entry = private->entries;
868 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
873 /* FIXME: use iterator macros --RR */
874 /* ... then go back and fix counters and names */
875 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
877 const struct xt_entry_match *m;
878 const struct xt_entry_target *t;
880 e = (struct ip6t_entry *)(loc_cpu_entry + off);
881 if (copy_to_user(userptr + off
882 + offsetof(struct ip6t_entry, counters),
884 sizeof(counters[num])) != 0) {
889 for (i = sizeof(struct ip6t_entry);
890 i < e->target_offset;
891 i += m->u.match_size) {
894 if (copy_to_user(userptr + off + i
895 + offsetof(struct xt_entry_match,
897 m->u.kernel.match->name,
898 strlen(m->u.kernel.match->name)+1)
905 t = ip6t_get_target_c(e);
906 if (copy_to_user(userptr + off + e->target_offset
907 + offsetof(struct xt_entry_target,
909 t->u.kernel.target->name,
910 strlen(t->u.kernel.target->name)+1) != 0) {
922 static void compat_standard_from_user(void *dst, const void *src)
924 int v = *(compat_int_t *)src;
927 v += xt_compat_calc_jump(AF_INET6, v);
928 memcpy(dst, &v, sizeof(v));
931 static int compat_standard_to_user(void __user *dst, const void *src)
933 compat_int_t cv = *(int *)src;
936 cv -= xt_compat_calc_jump(AF_INET6, cv);
937 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
940 static int compat_calc_entry(const struct ip6t_entry *e,
941 const struct xt_table_info *info,
942 const void *base, struct xt_table_info *newinfo)
944 const struct xt_entry_match *ematch;
945 const struct xt_entry_target *t;
946 unsigned int entry_offset;
949 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
950 entry_offset = (void *)e - base;
951 xt_ematch_foreach(ematch, e)
952 off += xt_compat_match_offset(ematch->u.kernel.match);
953 t = ip6t_get_target_c(e);
954 off += xt_compat_target_offset(t->u.kernel.target);
955 newinfo->size -= off;
956 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
960 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
961 if (info->hook_entry[i] &&
962 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
963 newinfo->hook_entry[i] -= off;
964 if (info->underflow[i] &&
965 (e < (struct ip6t_entry *)(base + info->underflow[i])))
966 newinfo->underflow[i] -= off;
971 static int compat_table_info(const struct xt_table_info *info,
972 struct xt_table_info *newinfo)
974 struct ip6t_entry *iter;
975 const void *loc_cpu_entry;
978 if (!newinfo || !info)
981 /* we dont care about newinfo->entries */
982 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
983 newinfo->initial_entries = 0;
984 loc_cpu_entry = info->entries;
985 xt_compat_init_offsets(AF_INET6, info->number);
986 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
987 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
995 static int get_info(struct net *net, void __user *user,
996 const int *len, int compat)
998 char name[XT_TABLE_MAXNAMELEN];
1002 if (*len != sizeof(struct ip6t_getinfo))
1005 if (copy_from_user(name, user, sizeof(name)) != 0)
1008 name[XT_TABLE_MAXNAMELEN-1] = '\0';
1009 #ifdef CONFIG_COMPAT
1011 xt_compat_lock(AF_INET6);
1013 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1014 "ip6table_%s", name);
1015 if (!IS_ERR_OR_NULL(t)) {
1016 struct ip6t_getinfo info;
1017 const struct xt_table_info *private = t->private;
1018 #ifdef CONFIG_COMPAT
1019 struct xt_table_info tmp;
1022 ret = compat_table_info(private, &tmp);
1023 xt_compat_flush_offsets(AF_INET6);
1027 memset(&info, 0, sizeof(info));
1028 info.valid_hooks = t->valid_hooks;
1029 memcpy(info.hook_entry, private->hook_entry,
1030 sizeof(info.hook_entry));
1031 memcpy(info.underflow, private->underflow,
1032 sizeof(info.underflow));
1033 info.num_entries = private->number;
1034 info.size = private->size;
1035 strcpy(info.name, name);
1037 if (copy_to_user(user, &info, *len) != 0)
1045 ret = t ? PTR_ERR(t) : -ENOENT;
1046 #ifdef CONFIG_COMPAT
1048 xt_compat_unlock(AF_INET6);
1054 get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
1058 struct ip6t_get_entries get;
1061 if (*len < sizeof(get))
1063 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1065 if (*len != sizeof(struct ip6t_get_entries) + get.size)
1068 get.name[sizeof(get.name) - 1] = '\0';
1070 t = xt_find_table_lock(net, AF_INET6, get.name);
1071 if (!IS_ERR_OR_NULL(t)) {
1072 struct xt_table_info *private = t->private;
1073 if (get.size == private->size)
1074 ret = copy_entries_to_user(private->size,
1075 t, uptr->entrytable);
1082 ret = t ? PTR_ERR(t) : -ENOENT;
1088 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1089 struct xt_table_info *newinfo, unsigned int num_counters,
1090 void __user *counters_ptr)
1094 struct xt_table_info *oldinfo;
1095 struct xt_counters *counters;
1096 struct ip6t_entry *iter;
1099 counters = vzalloc(num_counters * sizeof(struct xt_counters));
1105 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1106 "ip6table_%s", name);
1107 if (IS_ERR_OR_NULL(t)) {
1108 ret = t ? PTR_ERR(t) : -ENOENT;
1109 goto free_newinfo_counters_untrans;
1113 if (valid_hooks != t->valid_hooks) {
1118 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1122 /* Update module usage count based on number of rules */
1123 if ((oldinfo->number > oldinfo->initial_entries) ||
1124 (newinfo->number <= oldinfo->initial_entries))
1126 if ((oldinfo->number > oldinfo->initial_entries) &&
1127 (newinfo->number <= oldinfo->initial_entries))
1130 /* Get the old counters, and synchronize with replace */
1131 get_counters(oldinfo, counters);
1133 /* Decrease module usage counts and free resource */
1134 xt_entry_foreach(iter, oldinfo->entries, oldinfo->size)
1135 cleanup_entry(iter, net);
1137 xt_free_table_info(oldinfo);
1138 if (copy_to_user(counters_ptr, counters,
1139 sizeof(struct xt_counters) * num_counters) != 0) {
1140 /* Silent error, can't fail, new table is already in place */
1141 net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
1150 free_newinfo_counters_untrans:
1157 do_replace(struct net *net, const void __user *user, unsigned int len)
1160 struct ip6t_replace tmp;
1161 struct xt_table_info *newinfo;
1162 void *loc_cpu_entry;
1163 struct ip6t_entry *iter;
1165 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1168 /* overflow check */
1169 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1171 if (tmp.num_counters == 0)
1174 tmp.name[sizeof(tmp.name)-1] = 0;
1176 newinfo = xt_alloc_table_info(tmp.size);
1180 loc_cpu_entry = newinfo->entries;
1181 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1187 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1191 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1192 tmp.num_counters, tmp.counters);
1194 goto free_newinfo_untrans;
1197 free_newinfo_untrans:
1198 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1199 cleanup_entry(iter, net);
1201 xt_free_table_info(newinfo);
1206 do_add_counters(struct net *net, const void __user *user, unsigned int len,
1210 struct xt_counters_info tmp;
1211 struct xt_counters *paddc;
1213 const struct xt_table_info *private;
1215 struct ip6t_entry *iter;
1216 unsigned int addend;
1218 paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
1220 return PTR_ERR(paddc);
1221 t = xt_find_table_lock(net, AF_INET6, tmp.name);
1222 if (IS_ERR_OR_NULL(t)) {
1223 ret = t ? PTR_ERR(t) : -ENOENT;
1228 private = t->private;
1229 if (private->number != tmp.num_counters) {
1231 goto unlock_up_free;
1235 addend = xt_write_recseq_begin();
1236 xt_entry_foreach(iter, private->entries, private->size) {
1237 struct xt_counters *tmp;
1239 tmp = xt_get_this_cpu_counter(&iter->counters);
1240 ADD_COUNTER(*tmp, paddc[i].bcnt, paddc[i].pcnt);
1243 xt_write_recseq_end(addend);
1254 #ifdef CONFIG_COMPAT
1255 struct compat_ip6t_replace {
1256 char name[XT_TABLE_MAXNAMELEN];
1260 u32 hook_entry[NF_INET_NUMHOOKS];
1261 u32 underflow[NF_INET_NUMHOOKS];
1263 compat_uptr_t counters; /* struct xt_counters * */
1264 struct compat_ip6t_entry entries[0];
1268 compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1269 unsigned int *size, struct xt_counters *counters,
1272 struct xt_entry_target *t;
1273 struct compat_ip6t_entry __user *ce;
1274 u_int16_t target_offset, next_offset;
1275 compat_uint_t origsize;
1276 const struct xt_entry_match *ematch;
1280 ce = (struct compat_ip6t_entry __user *)*dstptr;
1281 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
1282 copy_to_user(&ce->counters, &counters[i],
1283 sizeof(counters[i])) != 0)
1286 *dstptr += sizeof(struct compat_ip6t_entry);
1287 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1289 xt_ematch_foreach(ematch, e) {
1290 ret = xt_compat_match_to_user(ematch, dstptr, size);
1294 target_offset = e->target_offset - (origsize - *size);
1295 t = ip6t_get_target(e);
1296 ret = xt_compat_target_to_user(t, dstptr, size);
1299 next_offset = e->next_offset - (origsize - *size);
1300 if (put_user(target_offset, &ce->target_offset) != 0 ||
1301 put_user(next_offset, &ce->next_offset) != 0)
1307 compat_find_calc_match(struct xt_entry_match *m,
1308 const struct ip6t_ip6 *ipv6,
1311 struct xt_match *match;
1313 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1314 m->u.user.revision);
1316 return PTR_ERR(match);
1318 m->u.kernel.match = match;
1319 *size += xt_compat_match_offset(match);
1323 static void compat_release_entry(struct compat_ip6t_entry *e)
1325 struct xt_entry_target *t;
1326 struct xt_entry_match *ematch;
1328 /* Cleanup all matches */
1329 xt_ematch_foreach(ematch, e)
1330 module_put(ematch->u.kernel.match->me);
1331 t = compat_ip6t_get_target(e);
1332 module_put(t->u.kernel.target->me);
1336 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1337 struct xt_table_info *newinfo,
1339 const unsigned char *base,
1340 const unsigned char *limit)
1342 struct xt_entry_match *ematch;
1343 struct xt_entry_target *t;
1344 struct xt_target *target;
1345 unsigned int entry_offset;
1349 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
1350 (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit ||
1351 (unsigned char *)e + e->next_offset > limit)
1354 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1355 sizeof(struct compat_xt_entry_target))
1358 if (!ip6_checkentry(&e->ipv6))
1361 ret = xt_compat_check_entry_offsets(e, e->elems,
1362 e->target_offset, e->next_offset);
1366 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1367 entry_offset = (void *)e - (void *)base;
1369 xt_ematch_foreach(ematch, e) {
1370 ret = compat_find_calc_match(ematch, &e->ipv6, &off);
1372 goto release_matches;
1376 t = compat_ip6t_get_target(e);
1377 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1378 t->u.user.revision);
1379 if (IS_ERR(target)) {
1380 ret = PTR_ERR(target);
1381 goto release_matches;
1383 t->u.kernel.target = target;
1385 off += xt_compat_target_offset(target);
1387 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1394 module_put(t->u.kernel.target->me);
1396 xt_ematch_foreach(ematch, e) {
1399 module_put(ematch->u.kernel.match->me);
1405 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1407 struct xt_table_info *newinfo, unsigned char *base)
1409 struct xt_entry_target *t;
1410 struct ip6t_entry *de;
1411 unsigned int origsize;
1413 struct xt_entry_match *ematch;
1416 de = (struct ip6t_entry *)*dstptr;
1417 memcpy(de, e, sizeof(struct ip6t_entry));
1418 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1420 *dstptr += sizeof(struct ip6t_entry);
1421 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1423 xt_ematch_foreach(ematch, e)
1424 xt_compat_match_from_user(ematch, dstptr, size);
1426 de->target_offset = e->target_offset - (origsize - *size);
1427 t = compat_ip6t_get_target(e);
1428 xt_compat_target_from_user(t, dstptr, size);
1430 de->next_offset = e->next_offset - (origsize - *size);
1431 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1432 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1433 newinfo->hook_entry[h] -= origsize - *size;
1434 if ((unsigned char *)de - base < newinfo->underflow[h])
1435 newinfo->underflow[h] -= origsize - *size;
1440 translate_compat_table(struct net *net,
1441 struct xt_table_info **pinfo,
1443 const struct compat_ip6t_replace *compatr)
1446 struct xt_table_info *newinfo, *info;
1447 void *pos, *entry0, *entry1;
1448 struct compat_ip6t_entry *iter0;
1449 struct ip6t_replace repl;
1455 size = compatr->size;
1456 info->number = compatr->num_entries;
1459 xt_compat_lock(AF_INET6);
1460 xt_compat_init_offsets(AF_INET6, compatr->num_entries);
1461 /* Walk through entries, checking offsets. */
1462 xt_entry_foreach(iter0, entry0, compatr->size) {
1463 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1465 entry0 + compatr->size);
1472 if (j != compatr->num_entries)
1476 newinfo = xt_alloc_table_info(size);
1480 memset(newinfo->entries, 0, size);
1482 newinfo->number = compatr->num_entries;
1483 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1484 newinfo->hook_entry[i] = compatr->hook_entry[i];
1485 newinfo->underflow[i] = compatr->underflow[i];
1487 entry1 = newinfo->entries;
1489 size = compatr->size;
1490 xt_entry_foreach(iter0, entry0, compatr->size)
1491 compat_copy_entry_from_user(iter0, &pos, &size,
1494 /* all module references in entry0 are now gone. */
1495 xt_compat_flush_offsets(AF_INET6);
1496 xt_compat_unlock(AF_INET6);
1498 memcpy(&repl, compatr, sizeof(*compatr));
1500 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1501 repl.hook_entry[i] = newinfo->hook_entry[i];
1502 repl.underflow[i] = newinfo->underflow[i];
1505 repl.num_counters = 0;
1506 repl.counters = NULL;
1507 repl.size = newinfo->size;
1508 ret = translate_table(net, newinfo, entry1, &repl);
1514 xt_free_table_info(info);
1518 xt_free_table_info(newinfo);
1521 xt_compat_flush_offsets(AF_INET6);
1522 xt_compat_unlock(AF_INET6);
1523 xt_entry_foreach(iter0, entry0, compatr->size) {
1526 compat_release_entry(iter0);
1532 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1535 struct compat_ip6t_replace tmp;
1536 struct xt_table_info *newinfo;
1537 void *loc_cpu_entry;
1538 struct ip6t_entry *iter;
1540 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1543 /* overflow check */
1544 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1546 if (tmp.num_counters == 0)
1549 tmp.name[sizeof(tmp.name)-1] = 0;
1551 newinfo = xt_alloc_table_info(tmp.size);
1555 loc_cpu_entry = newinfo->entries;
1556 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1562 ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
1566 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1567 tmp.num_counters, compat_ptr(tmp.counters));
1569 goto free_newinfo_untrans;
1572 free_newinfo_untrans:
1573 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1574 cleanup_entry(iter, net);
1576 xt_free_table_info(newinfo);
1581 compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1586 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1590 case IP6T_SO_SET_REPLACE:
1591 ret = compat_do_replace(sock_net(sk), user, len);
1594 case IP6T_SO_SET_ADD_COUNTERS:
1595 ret = do_add_counters(sock_net(sk), user, len, 1);
1605 struct compat_ip6t_get_entries {
1606 char name[XT_TABLE_MAXNAMELEN];
1608 struct compat_ip6t_entry entrytable[0];
1612 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1613 void __user *userptr)
1615 struct xt_counters *counters;
1616 const struct xt_table_info *private = table->private;
1621 struct ip6t_entry *iter;
1623 counters = alloc_counters(table);
1624 if (IS_ERR(counters))
1625 return PTR_ERR(counters);
1629 xt_entry_foreach(iter, private->entries, total_size) {
1630 ret = compat_copy_entry_to_user(iter, &pos,
1631 &size, counters, i++);
1641 compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1645 struct compat_ip6t_get_entries get;
1648 if (*len < sizeof(get))
1651 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1654 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size)
1657 get.name[sizeof(get.name) - 1] = '\0';
1659 xt_compat_lock(AF_INET6);
1660 t = xt_find_table_lock(net, AF_INET6, get.name);
1661 if (!IS_ERR_OR_NULL(t)) {
1662 const struct xt_table_info *private = t->private;
1663 struct xt_table_info info;
1664 ret = compat_table_info(private, &info);
1665 if (!ret && get.size == info.size)
1666 ret = compat_copy_entries_to_user(private->size,
1667 t, uptr->entrytable);
1671 xt_compat_flush_offsets(AF_INET6);
1675 ret = t ? PTR_ERR(t) : -ENOENT;
1677 xt_compat_unlock(AF_INET6);
1681 static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1684 compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1688 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1692 case IP6T_SO_GET_INFO:
1693 ret = get_info(sock_net(sk), user, len, 1);
1695 case IP6T_SO_GET_ENTRIES:
1696 ret = compat_get_entries(sock_net(sk), user, len);
1699 ret = do_ip6t_get_ctl(sk, cmd, user, len);
1706 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1710 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1714 case IP6T_SO_SET_REPLACE:
1715 ret = do_replace(sock_net(sk), user, len);
1718 case IP6T_SO_SET_ADD_COUNTERS:
1719 ret = do_add_counters(sock_net(sk), user, len, 0);
1730 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1734 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1738 case IP6T_SO_GET_INFO:
1739 ret = get_info(sock_net(sk), user, len, 0);
1742 case IP6T_SO_GET_ENTRIES:
1743 ret = get_entries(sock_net(sk), user, len);
1746 case IP6T_SO_GET_REVISION_MATCH:
1747 case IP6T_SO_GET_REVISION_TARGET: {
1748 struct xt_get_revision rev;
1751 if (*len != sizeof(rev)) {
1755 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
1759 rev.name[sizeof(rev.name)-1] = 0;
1761 if (cmd == IP6T_SO_GET_REVISION_TARGET)
1766 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
1769 "ip6t_%s", rev.name);
1780 static void __ip6t_unregister_table(struct net *net, struct xt_table *table)
1782 struct xt_table_info *private;
1783 void *loc_cpu_entry;
1784 struct module *table_owner = table->me;
1785 struct ip6t_entry *iter;
1787 private = xt_unregister_table(table);
1789 /* Decrease module usage counts and free resources */
1790 loc_cpu_entry = private->entries;
1791 xt_entry_foreach(iter, loc_cpu_entry, private->size)
1792 cleanup_entry(iter, net);
1793 if (private->number > private->initial_entries)
1794 module_put(table_owner);
1795 xt_free_table_info(private);
1798 int ip6t_register_table(struct net *net, const struct xt_table *table,
1799 const struct ip6t_replace *repl,
1800 const struct nf_hook_ops *ops,
1801 struct xt_table **res)
1804 struct xt_table_info *newinfo;
1805 struct xt_table_info bootstrap = {0};
1806 void *loc_cpu_entry;
1807 struct xt_table *new_table;
1809 newinfo = xt_alloc_table_info(repl->size);
1813 loc_cpu_entry = newinfo->entries;
1814 memcpy(loc_cpu_entry, repl->entries, repl->size);
1816 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
1820 new_table = xt_register_table(net, table, &bootstrap, newinfo);
1821 if (IS_ERR(new_table)) {
1822 ret = PTR_ERR(new_table);
1826 /* set res now, will see skbs right after nf_register_net_hooks */
1827 WRITE_ONCE(*res, new_table);
1829 ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
1831 __ip6t_unregister_table(net, new_table);
1838 xt_free_table_info(newinfo);
1842 void ip6t_unregister_table(struct net *net, struct xt_table *table,
1843 const struct nf_hook_ops *ops)
1845 nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
1846 __ip6t_unregister_table(net, table);
1849 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
1851 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
1852 u_int8_t type, u_int8_t code,
1855 return (type == test_type && code >= min_code && code <= max_code)
1860 icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
1862 const struct icmp6hdr *ic;
1863 struct icmp6hdr _icmph;
1864 const struct ip6t_icmp *icmpinfo = par->matchinfo;
1866 /* Must not be a fragment. */
1867 if (par->fragoff != 0)
1870 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
1872 /* We've been asked to examine this packet, and we
1873 * can't. Hence, no choice but to drop.
1875 par->hotdrop = true;
1879 return icmp6_type_code_match(icmpinfo->type,
1882 ic->icmp6_type, ic->icmp6_code,
1883 !!(icmpinfo->invflags&IP6T_ICMP_INV));
1886 /* Called when user tries to insert an entry of this type. */
1887 static int icmp6_checkentry(const struct xt_mtchk_param *par)
1889 const struct ip6t_icmp *icmpinfo = par->matchinfo;
1891 /* Must specify no unknown invflags */
1892 return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
1895 /* The built-in targets: standard (NULL) and error. */
1896 static struct xt_target ip6t_builtin_tg[] __read_mostly = {
1898 .name = XT_STANDARD_TARGET,
1899 .targetsize = sizeof(int),
1900 .family = NFPROTO_IPV6,
1901 #ifdef CONFIG_COMPAT
1902 .compatsize = sizeof(compat_int_t),
1903 .compat_from_user = compat_standard_from_user,
1904 .compat_to_user = compat_standard_to_user,
1908 .name = XT_ERROR_TARGET,
1909 .target = ip6t_error,
1910 .targetsize = XT_FUNCTION_MAXNAMELEN,
1911 .family = NFPROTO_IPV6,
1915 static struct nf_sockopt_ops ip6t_sockopts = {
1917 .set_optmin = IP6T_BASE_CTL,
1918 .set_optmax = IP6T_SO_SET_MAX+1,
1919 .set = do_ip6t_set_ctl,
1920 #ifdef CONFIG_COMPAT
1921 .compat_set = compat_do_ip6t_set_ctl,
1923 .get_optmin = IP6T_BASE_CTL,
1924 .get_optmax = IP6T_SO_GET_MAX+1,
1925 .get = do_ip6t_get_ctl,
1926 #ifdef CONFIG_COMPAT
1927 .compat_get = compat_do_ip6t_get_ctl,
1929 .owner = THIS_MODULE,
1932 static struct xt_match ip6t_builtin_mt[] __read_mostly = {
1935 .match = icmp6_match,
1936 .matchsize = sizeof(struct ip6t_icmp),
1937 .checkentry = icmp6_checkentry,
1938 .proto = IPPROTO_ICMPV6,
1939 .family = NFPROTO_IPV6,
1944 static int __net_init ip6_tables_net_init(struct net *net)
1946 return xt_proto_init(net, NFPROTO_IPV6);
1949 static void __net_exit ip6_tables_net_exit(struct net *net)
1951 xt_proto_fini(net, NFPROTO_IPV6);
1954 static struct pernet_operations ip6_tables_net_ops = {
1955 .init = ip6_tables_net_init,
1956 .exit = ip6_tables_net_exit,
1959 static int __init ip6_tables_init(void)
1963 ret = register_pernet_subsys(&ip6_tables_net_ops);
1967 /* No one else will be downing sem now, so we won't sleep */
1968 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
1971 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
1975 /* Register setsockopt */
1976 ret = nf_register_sockopt(&ip6t_sockopts);
1980 pr_info("(C) 2000-2006 Netfilter Core Team\n");
1984 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
1986 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
1988 unregister_pernet_subsys(&ip6_tables_net_ops);
1993 static void __exit ip6_tables_fini(void)
1995 nf_unregister_sockopt(&ip6t_sockopts);
1997 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
1998 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
1999 unregister_pernet_subsys(&ip6_tables_net_ops);
2002 EXPORT_SYMBOL(ip6t_register_table);
2003 EXPORT_SYMBOL(ip6t_unregister_table);
2004 EXPORT_SYMBOL(ip6t_do_table);
2006 module_init(ip6_tables_init);
2007 module_exit(ip6_tables_fini);
projects / releases.git / blob