1/* 2 * x_tables core - Backend for {ip,ip6,arp}_tables 3 * 4 * Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org> 5 * Copyright (C) 2006-2012 Patrick McHardy <kaber@trash.net> 6 * 7 * Based on existing ip_tables code which is 8 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling 9 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org> 10 * 11 * This program is free software; you can redistribute it and/or modify 12 * it under the terms of the GNU General Public License version 2 as 13 * published by the Free Software Foundation. 14 * 15 */ 16#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 17#include <linux/kernel.h> 18#include <linux/module.h> 19#include <linux/socket.h> 20#include <linux/net.h> 21#include <linux/proc_fs.h> 22#include <linux/seq_file.h> 23#include <linux/string.h> 24#include <linux/vmalloc.h> 25#include <linux/mutex.h> 26#include <linux/mm.h> 27#include <linux/slab.h> 28#include <linux/audit.h> 29#include <net/net_namespace.h> 30 31#include <linux/netfilter/x_tables.h> 32#include <linux/netfilter_arp.h> 33#include <linux/netfilter_ipv4/ip_tables.h> 34#include <linux/netfilter_ipv6/ip6_tables.h> 35#include <linux/netfilter_arp/arp_tables.h> 36 37MODULE_LICENSE("GPL"); 38MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); 39MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module"); 40 41#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1)) 42 43struct compat_delta { 44 unsigned int offset; /* offset in kernel */ 45 int delta; /* delta in 32bit user land */ 46}; 47 48struct xt_af { 49 struct mutex mutex; 50 struct list_head match; 51 struct list_head target; 52#ifdef CONFIG_COMPAT 53 struct mutex compat_mutex; 54 struct compat_delta *compat_tab; 55 unsigned int number; /* number of slots in compat_tab[] */ 56 unsigned int cur; /* number of used slots in compat_tab[] */ 57#endif 58}; 59 60static struct xt_af *xt; 61 62static const char *const xt_prefix[NFPROTO_NUMPROTO] = { 63 [NFPROTO_UNSPEC] = "x", 64 [NFPROTO_IPV4] = "ip", 65 [NFPROTO_ARP] = "arp", 66 [NFPROTO_BRIDGE] = "eb", 67 [NFPROTO_IPV6] = "ip6", 68}; 69 70/* Allow this many total (re)entries. */ 71static const unsigned int xt_jumpstack_multiplier = 2; 72 73/* Registration hooks for targets. */ 74int xt_register_target(struct xt_target *target) 75{ 76 u_int8_t af = target->family; 77 78 mutex_lock(&xt[af].mutex); 79 list_add(&target->list, &xt[af].target); 80 mutex_unlock(&xt[af].mutex); 81 return 0; 82} 83EXPORT_SYMBOL(xt_register_target); 84 85void 86xt_unregister_target(struct xt_target *target) 87{ 88 u_int8_t af = target->family; 89 90 mutex_lock(&xt[af].mutex); 91 list_del(&target->list); 92 mutex_unlock(&xt[af].mutex); 93} 94EXPORT_SYMBOL(xt_unregister_target); 95 96int 97xt_register_targets(struct xt_target *target, unsigned int n) 98{ 99 unsigned int i; 100 int err = 0; 101 102 for (i = 0; i < n; i++) { 103 err = xt_register_target(&target[i]); 104 if (err) 105 goto err; 106 } 107 return err; 108 109err: 110 if (i > 0) 111 xt_unregister_targets(target, i); 112 return err; 113} 114EXPORT_SYMBOL(xt_register_targets); 115 116void 117xt_unregister_targets(struct xt_target *target, unsigned int n) 118{ 119 while (n-- > 0) 120 xt_unregister_target(&target[n]); 121} 122EXPORT_SYMBOL(xt_unregister_targets); 123 124int xt_register_match(struct xt_match *match) 125{ 126 u_int8_t af = match->family; 127 128 mutex_lock(&xt[af].mutex); 129 list_add(&match->list, &xt[af].match); 130 mutex_unlock(&xt[af].mutex); 131 return 0; 132} 133EXPORT_SYMBOL(xt_register_match); 134 135void 136xt_unregister_match(struct xt_match *match) 137{ 138 u_int8_t af = match->family; 139 140 mutex_lock(&xt[af].mutex); 141 list_del(&match->list); 142 mutex_unlock(&xt[af].mutex); 143} 144EXPORT_SYMBOL(xt_unregister_match); 145 146int 147xt_register_matches(struct xt_match *match, unsigned int n) 148{ 149 unsigned int i; 150 int err = 0; 151 152 for (i = 0; i < n; i++) { 153 err = xt_register_match(&match[i]); 154 if (err) 155 goto err; 156 } 157 return err; 158 159err: 160 if (i > 0) 161 xt_unregister_matches(match, i); 162 return err; 163} 164EXPORT_SYMBOL(xt_register_matches); 165 166void 167xt_unregister_matches(struct xt_match *match, unsigned int n) 168{ 169 while (n-- > 0) 170 xt_unregister_match(&match[n]); 171} 172EXPORT_SYMBOL(xt_unregister_matches); 173 174 175/* 176 * These are weird, but module loading must not be done with mutex 177 * held (since they will register), and we have to have a single 178 * function to use. 179 */ 180 181/* Find match, grabs ref. Returns ERR_PTR() on error. */ 182struct xt_match *xt_find_match(u8 af, const char *name, u8 revision) 183{ 184 struct xt_match *m; 185 int err = -ENOENT; 186 187 mutex_lock(&xt[af].mutex); 188 list_for_each_entry(m, &xt[af].match, list) { 189 if (strcmp(m->name, name) == 0) { 190 if (m->revision == revision) { 191 if (try_module_get(m->me)) { 192 mutex_unlock(&xt[af].mutex); 193 return m; 194 } 195 } else 196 err = -EPROTOTYPE; /* Found something. */ 197 } 198 } 199 mutex_unlock(&xt[af].mutex); 200 201 if (af != NFPROTO_UNSPEC) 202 /* Try searching again in the family-independent list */ 203 return xt_find_match(NFPROTO_UNSPEC, name, revision); 204 205 return ERR_PTR(err); 206} 207EXPORT_SYMBOL(xt_find_match); 208 209struct xt_match * 210xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision) 211{ 212 struct xt_match *match; 213 214 match = xt_find_match(nfproto, name, revision); 215 if (IS_ERR(match)) { 216 request_module("%st_%s", xt_prefix[nfproto], name); 217 match = xt_find_match(nfproto, name, revision); 218 } 219 220 return match; 221} 222EXPORT_SYMBOL_GPL(xt_request_find_match); 223 224/* Find target, grabs ref. Returns ERR_PTR() on error. */ 225struct xt_target *xt_find_target(u8 af, const char *name, u8 revision) 226{ 227 struct xt_target *t; 228 int err = -ENOENT; 229 230 mutex_lock(&xt[af].mutex); 231 list_for_each_entry(t, &xt[af].target, list) { 232 if (strcmp(t->name, name) == 0) { 233 if (t->revision == revision) { 234 if (try_module_get(t->me)) { 235 mutex_unlock(&xt[af].mutex); 236 return t; 237 } 238 } else 239 err = -EPROTOTYPE; /* Found something. */ 240 } 241 } 242 mutex_unlock(&xt[af].mutex); 243 244 if (af != NFPROTO_UNSPEC) 245 /* Try searching again in the family-independent list */ 246 return xt_find_target(NFPROTO_UNSPEC, name, revision); 247 248 return ERR_PTR(err); 249} 250EXPORT_SYMBOL(xt_find_target); 251 252struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision) 253{ 254 struct xt_target *target; 255 256 target = xt_find_target(af, name, revision); 257 if (IS_ERR(target)) { 258 request_module("%st_%s", xt_prefix[af], name); 259 target = xt_find_target(af, name, revision); 260 } 261 262 return target; 263} 264EXPORT_SYMBOL_GPL(xt_request_find_target); 265 266static int match_revfn(u8 af, const char *name, u8 revision, int *bestp) 267{ 268 const struct xt_match *m; 269 int have_rev = 0; 270 271 list_for_each_entry(m, &xt[af].match, list) { 272 if (strcmp(m->name, name) == 0) { 273 if (m->revision > *bestp) 274 *bestp = m->revision; 275 if (m->revision == revision) 276 have_rev = 1; 277 } 278 } 279 280 if (af != NFPROTO_UNSPEC && !have_rev) 281 return match_revfn(NFPROTO_UNSPEC, name, revision, bestp); 282 283 return have_rev; 284} 285 286static int target_revfn(u8 af, const char *name, u8 revision, int *bestp) 287{ 288 const struct xt_target *t; 289 int have_rev = 0; 290 291 list_for_each_entry(t, &xt[af].target, list) { 292 if (strcmp(t->name, name) == 0) { 293 if (t->revision > *bestp) 294 *bestp = t->revision; 295 if (t->revision == revision) 296 have_rev = 1; 297 } 298 } 299 300 if (af != NFPROTO_UNSPEC && !have_rev) 301 return target_revfn(NFPROTO_UNSPEC, name, revision, bestp); 302 303 return have_rev; 304} 305 306/* Returns true or false (if no such extension at all) */ 307int xt_find_revision(u8 af, const char *name, u8 revision, int target, 308 int *err) 309{ 310 int have_rev, best = -1; 311 312 mutex_lock(&xt[af].mutex); 313 if (target == 1) 314 have_rev = target_revfn(af, name, revision, &best); 315 else 316 have_rev = match_revfn(af, name, revision, &best); 317 mutex_unlock(&xt[af].mutex); 318 319 /* Nothing at all? Return 0 to try loading module. */ 320 if (best == -1) { 321 *err = -ENOENT; 322 return 0; 323 } 324 325 *err = best; 326 if (!have_rev) 327 *err = -EPROTONOSUPPORT; 328 return 1; 329} 330EXPORT_SYMBOL_GPL(xt_find_revision); 331 332static char * 333textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto) 334{ 335 static const char *const inetbr_names[] = { 336 "PREROUTING", "INPUT", "FORWARD", 337 "OUTPUT", "POSTROUTING", "BROUTING", 338 }; 339 static const char *const arp_names[] = { 340 "INPUT", "FORWARD", "OUTPUT", 341 }; 342 const char *const *names; 343 unsigned int i, max; 344 char *p = buf; 345 bool np = false; 346 int res; 347 348 names = (nfproto == NFPROTO_ARP) ? arp_names : inetbr_names; 349 max = (nfproto == NFPROTO_ARP) ? ARRAY_SIZE(arp_names) : 350 ARRAY_SIZE(inetbr_names); 351 *p = '\0'; 352 for (i = 0; i < max; ++i) { 353 if (!(mask & (1 << i))) 354 continue; 355 res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]); 356 if (res > 0) { 357 size -= res; 358 p += res; 359 } 360 np = true; 361 } 362 363 return buf; 364} 365 366int xt_check_match(struct xt_mtchk_param *par, 367 unsigned int size, u_int8_t proto, bool inv_proto) 368{ 369 int ret; 370 371 if (XT_ALIGN(par->match->matchsize) != size && 372 par->match->matchsize != -1) { 373 /* 374 * ebt_among is exempt from centralized matchsize checking 375 * because it uses a dynamic-size data set. 376 */ 377 pr_err("%s_tables: %s.%u match: invalid size " 378 "%u (kernel) != (user) %u\n", 379 xt_prefix[par->family], par->match->name, 380 par->match->revision, 381 XT_ALIGN(par->match->matchsize), size); 382 return -EINVAL; 383 } 384 if (par->match->table != NULL && 385 strcmp(par->match->table, par->table) != 0) { 386 pr_err("%s_tables: %s match: only valid in %s table, not %s\n", 387 xt_prefix[par->family], par->match->name, 388 par->match->table, par->table); 389 return -EINVAL; 390 } 391 if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) { 392 char used[64], allow[64]; 393 394 pr_err("%s_tables: %s match: used from hooks %s, but only " 395 "valid from %s\n", 396 xt_prefix[par->family], par->match->name, 397 textify_hooks(used, sizeof(used), par->hook_mask, 398 par->family), 399 textify_hooks(allow, sizeof(allow), par->match->hooks, 400 par->family)); 401 return -EINVAL; 402 } 403 if (par->match->proto && (par->match->proto != proto || inv_proto)) { 404 pr_err("%s_tables: %s match: only valid for protocol %u\n", 405 xt_prefix[par->family], par->match->name, 406 par->match->proto); 407 return -EINVAL; 408 } 409 if (par->match->checkentry != NULL) { 410 ret = par->match->checkentry(par); 411 if (ret < 0) 412 return ret; 413 else if (ret > 0) 414 /* Flag up potential errors. */ 415 return -EIO; 416 } 417 return 0; 418} 419EXPORT_SYMBOL_GPL(xt_check_match); 420 421#ifdef CONFIG_COMPAT 422int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta) 423{ 424 struct xt_af *xp = &xt[af]; 425 426 if (!xp->compat_tab) { 427 if (!xp->number) 428 return -EINVAL; 429 xp->compat_tab = vmalloc(sizeof(struct compat_delta) * xp->number); 430 if (!xp->compat_tab) 431 return -ENOMEM; 432 xp->cur = 0; 433 } 434 435 if (xp->cur >= xp->number) 436 return -EINVAL; 437 438 if (xp->cur) 439 delta += xp->compat_tab[xp->cur - 1].delta; 440 xp->compat_tab[xp->cur].offset = offset; 441 xp->compat_tab[xp->cur].delta = delta; 442 xp->cur++; 443 return 0; 444} 445EXPORT_SYMBOL_GPL(xt_compat_add_offset); 446 447void xt_compat_flush_offsets(u_int8_t af) 448{ 449 if (xt[af].compat_tab) { 450 vfree(xt[af].compat_tab); 451 xt[af].compat_tab = NULL; 452 xt[af].number = 0; 453 xt[af].cur = 0; 454 } 455} 456EXPORT_SYMBOL_GPL(xt_compat_flush_offsets); 457 458int xt_compat_calc_jump(u_int8_t af, unsigned int offset) 459{ 460 struct compat_delta *tmp = xt[af].compat_tab; 461 int mid, left = 0, right = xt[af].cur - 1; 462 463 while (left <= right) { 464 mid = (left + right) >> 1; 465 if (offset > tmp[mid].offset) 466 left = mid + 1; 467 else if (offset < tmp[mid].offset) 468 right = mid - 1; 469 else 470 return mid ? tmp[mid - 1].delta : 0; 471 } 472 return left ? tmp[left - 1].delta : 0; 473} 474EXPORT_SYMBOL_GPL(xt_compat_calc_jump); 475 476void xt_compat_init_offsets(u_int8_t af, unsigned int number) 477{ 478 xt[af].number = number; 479 xt[af].cur = 0; 480} 481EXPORT_SYMBOL(xt_compat_init_offsets); 482 483int xt_compat_match_offset(const struct xt_match *match) 484{ 485 u_int16_t csize = match->compatsize ? : match->matchsize; 486 return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize); 487} 488EXPORT_SYMBOL_GPL(xt_compat_match_offset); 489 490int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, 491 unsigned int *size) 492{ 493 const struct xt_match *match = m->u.kernel.match; 494 struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; 495 int pad, off = xt_compat_match_offset(match); 496 u_int16_t msize = cm->u.user.match_size; 497 498 m = *dstptr; 499 memcpy(m, cm, sizeof(*cm)); 500 if (match->compat_from_user) 501 match->compat_from_user(m->data, cm->data); 502 else 503 memcpy(m->data, cm->data, msize - sizeof(*cm)); 504 pad = XT_ALIGN(match->matchsize) - match->matchsize; 505 if (pad > 0) 506 memset(m->data + match->matchsize, 0, pad); 507 508 msize += off; 509 m->u.user.match_size = msize; 510 511 *size += off; 512 *dstptr += msize; 513 return 0; 514} 515EXPORT_SYMBOL_GPL(xt_compat_match_from_user); 516 517int xt_compat_match_to_user(const struct xt_entry_match *m, 518 void __user **dstptr, unsigned int *size) 519{ 520 const struct xt_match *match = m->u.kernel.match; 521 struct compat_xt_entry_match __user *cm = *dstptr; 522 int off = xt_compat_match_offset(match); 523 u_int16_t msize = m->u.user.match_size - off; 524 525 if (copy_to_user(cm, m, sizeof(*cm)) || 526 put_user(msize, &cm->u.user.match_size) || 527 copy_to_user(cm->u.user.name, m->u.kernel.match->name, 528 strlen(m->u.kernel.match->name) + 1)) 529 return -EFAULT; 530 531 if (match->compat_to_user) { 532 if (match->compat_to_user((void __user *)cm->data, m->data)) 533 return -EFAULT; 534 } else { 535 if (copy_to_user(cm->data, m->data, msize - sizeof(*cm))) 536 return -EFAULT; 537 } 538 539 *size -= off; 540 *dstptr += msize; 541 return 0; 542} 543EXPORT_SYMBOL_GPL(xt_compat_match_to_user); 544#endif /* CONFIG_COMPAT */ 545 546int xt_check_target(struct xt_tgchk_param *par, 547 unsigned int size, u_int8_t proto, bool inv_proto) 548{ 549 int ret; 550 551 if (XT_ALIGN(par->target->targetsize) != size) { 552 pr_err("%s_tables: %s.%u target: invalid size " 553 "%u (kernel) != (user) %u\n", 554 xt_prefix[par->family], par->target->name, 555 par->target->revision, 556 XT_ALIGN(par->target->targetsize), size); 557 return -EINVAL; 558 } 559 if (par->target->table != NULL && 560 strcmp(par->target->table, par->table) != 0) { 561 pr_err("%s_tables: %s target: only valid in %s table, not %s\n", 562 xt_prefix[par->family], par->target->name, 563 par->target->table, par->table); 564 return -EINVAL; 565 } 566 if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) { 567 char used[64], allow[64]; 568 569 pr_err("%s_tables: %s target: used from hooks %s, but only " 570 "usable from %s\n", 571 xt_prefix[par->family], par->target->name, 572 textify_hooks(used, sizeof(used), par->hook_mask, 573 par->family), 574 textify_hooks(allow, sizeof(allow), par->target->hooks, 575 par->family)); 576 return -EINVAL; 577 } 578 if (par->target->proto && (par->target->proto != proto || inv_proto)) { 579 pr_err("%s_tables: %s target: only valid for protocol %u\n", 580 xt_prefix[par->family], par->target->name, 581 par->target->proto); 582 return -EINVAL; 583 } 584 if (par->target->checkentry != NULL) { 585 ret = par->target->checkentry(par); 586 if (ret < 0) 587 return ret; 588 else if (ret > 0) 589 /* Flag up potential errors. */ 590 return -EIO; 591 } 592 return 0; 593} 594EXPORT_SYMBOL_GPL(xt_check_target); 595 596#ifdef CONFIG_COMPAT 597int xt_compat_target_offset(const struct xt_target *target) 598{ 599 u_int16_t csize = target->compatsize ? : target->targetsize; 600 return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize); 601} 602EXPORT_SYMBOL_GPL(xt_compat_target_offset); 603 604void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, 605 unsigned int *size) 606{ 607 const struct xt_target *target = t->u.kernel.target; 608 struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; 609 int pad, off = xt_compat_target_offset(target); 610 u_int16_t tsize = ct->u.user.target_size; 611 612 t = *dstptr; 613 memcpy(t, ct, sizeof(*ct)); 614 if (target->compat_from_user) 615 target->compat_from_user(t->data, ct->data); 616 else 617 memcpy(t->data, ct->data, tsize - sizeof(*ct)); 618 pad = XT_ALIGN(target->targetsize) - target->targetsize; 619 if (pad > 0) 620 memset(t->data + target->targetsize, 0, pad); 621 622 tsize += off; 623 t->u.user.target_size = tsize; 624 625 *size += off; 626 *dstptr += tsize; 627} 628EXPORT_SYMBOL_GPL(xt_compat_target_from_user); 629 630int xt_compat_target_to_user(const struct xt_entry_target *t, 631 void __user **dstptr, unsigned int *size) 632{ 633 const struct xt_target *target = t->u.kernel.target; 634 struct compat_xt_entry_target __user *ct = *dstptr; 635 int off = xt_compat_target_offset(target); 636 u_int16_t tsize = t->u.user.target_size - off; 637 638 if (copy_to_user(ct, t, sizeof(*ct)) || 639 put_user(tsize, &ct->u.user.target_size) || 640 copy_to_user(ct->u.user.name, t->u.kernel.target->name, 641 strlen(t->u.kernel.target->name) + 1)) 642 return -EFAULT; 643 644 if (target->compat_to_user) { 645 if (target->compat_to_user((void __user *)ct->data, t->data)) 646 return -EFAULT; 647 } else { 648 if (copy_to_user(ct->data, t->data, tsize - sizeof(*ct))) 649 return -EFAULT; 650 } 651 652 *size -= off; 653 *dstptr += tsize; 654 return 0; 655} 656EXPORT_SYMBOL_GPL(xt_compat_target_to_user); 657#endif 658 659struct xt_table_info *xt_alloc_table_info(unsigned int size) 660{ 661 struct xt_table_info *newinfo; 662 int cpu; 663 664 /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ 665 if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) 666 return NULL; 667 668 newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL); 669 if (!newinfo) 670 return NULL; 671 672 newinfo->size = size; 673 674 for_each_possible_cpu(cpu) { 675 if (size <= PAGE_SIZE) 676 newinfo->entries[cpu] = kmalloc_node(size, 677 GFP_KERNEL, 678 cpu_to_node(cpu)); 679 else 680 newinfo->entries[cpu] = vmalloc_node(size, 681 cpu_to_node(cpu)); 682 683 if (newinfo->entries[cpu] == NULL) { 684 xt_free_table_info(newinfo); 685 return NULL; 686 } 687 } 688 689 return newinfo; 690} 691EXPORT_SYMBOL(xt_alloc_table_info); 692 693void xt_free_table_info(struct xt_table_info *info) 694{ 695 int cpu; 696 697 for_each_possible_cpu(cpu) 698 kvfree(info->entries[cpu]); 699 700 if (info->jumpstack != NULL) { 701 for_each_possible_cpu(cpu) 702 kvfree(info->jumpstack[cpu]); 703 kvfree(info->jumpstack); 704 } 705 706 free_percpu(info->stackptr); 707 708 kfree(info); 709} 710EXPORT_SYMBOL(xt_free_table_info); 711 712/* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */ 713struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af, 714 const char *name) 715{ 716 struct xt_table *t; 717 718 mutex_lock(&xt[af].mutex); 719 list_for_each_entry(t, &net->xt.tables[af], list) 720 if (strcmp(t->name, name) == 0 && try_module_get(t->me)) 721 return t; 722 mutex_unlock(&xt[af].mutex); 723 return NULL; 724} 725EXPORT_SYMBOL_GPL(xt_find_table_lock); 726 727void xt_table_unlock(struct xt_table *table) 728{ 729 mutex_unlock(&xt[table->af].mutex); 730} 731EXPORT_SYMBOL_GPL(xt_table_unlock); 732 733#ifdef CONFIG_COMPAT 734void xt_compat_lock(u_int8_t af) 735{ 736 mutex_lock(&xt[af].compat_mutex); 737} 738EXPORT_SYMBOL_GPL(xt_compat_lock); 739 740void xt_compat_unlock(u_int8_t af) 741{ 742 mutex_unlock(&xt[af].compat_mutex); 743} 744EXPORT_SYMBOL_GPL(xt_compat_unlock); 745#endif 746 747DEFINE_PER_CPU(seqcount_t, xt_recseq); 748EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq); 749 750static int xt_jumpstack_alloc(struct xt_table_info *i) 751{ 752 unsigned int size; 753 int cpu; 754 755 i->stackptr = alloc_percpu(unsigned int); 756 if (i->stackptr == NULL) 757 return -ENOMEM; 758 759 size = sizeof(void **) * nr_cpu_ids; 760 if (size > PAGE_SIZE) 761 i->jumpstack = vzalloc(size); 762 else 763 i->jumpstack = kzalloc(size, GFP_KERNEL); 764 if (i->jumpstack == NULL) 765 return -ENOMEM; 766 767 i->stacksize *= xt_jumpstack_multiplier; 768 size = sizeof(void *) * i->stacksize; 769 for_each_possible_cpu(cpu) { 770 if (size > PAGE_SIZE) 771 i->jumpstack[cpu] = vmalloc_node(size, 772 cpu_to_node(cpu)); 773 else 774 i->jumpstack[cpu] = kmalloc_node(size, 775 GFP_KERNEL, cpu_to_node(cpu)); 776 if (i->jumpstack[cpu] == NULL) 777 /* 778 * Freeing will be done later on by the callers. The 779 * chain is: xt_replace_table -> __do_replace -> 780 * do_replace -> xt_free_table_info. 781 */ 782 return -ENOMEM; 783 } 784 785 return 0; 786} 787 788struct xt_table_info * 789xt_replace_table(struct xt_table *table, 790 unsigned int num_counters, 791 struct xt_table_info *newinfo, 792 int *error) 793{ 794 struct xt_table_info *private; 795 int ret; 796 797 ret = xt_jumpstack_alloc(newinfo); 798 if (ret < 0) { 799 *error = ret; 800 return NULL; 801 } 802 803 /* Do the substitution. */ 804 local_bh_disable(); 805 private = table->private; 806 807 /* Check inside lock: is the old number correct? */ 808 if (num_counters != private->number) { 809 pr_debug("num_counters != table->private->number (%u/%u)\n", 810 num_counters, private->number); 811 local_bh_enable(); 812 *error = -EAGAIN; 813 return NULL; 814 } 815 816 newinfo->initial_entries = private->initial_entries; 817 /* 818 * Ensure contents of newinfo are visible before assigning to 819 * private. 820 */ 821 smp_wmb(); 822 table->private = newinfo; 823 824 /* 825 * Even though table entries have now been swapped, other CPU's 826 * may still be using the old entries. This is okay, because 827 * resynchronization happens because of the locking done 828 * during the get_counters() routine. 829 */ 830 local_bh_enable(); 831 832#ifdef CONFIG_AUDIT 833 if (audit_enabled) { 834 struct audit_buffer *ab; 835 836 ab = audit_log_start(current->audit_context, GFP_KERNEL, 837 AUDIT_NETFILTER_CFG); 838 if (ab) { 839 audit_log_format(ab, "table=%s family=%u entries=%u", 840 table->name, table->af, 841 private->number); 842 audit_log_end(ab); 843 } 844 } 845#endif 846 847 return private; 848} 849EXPORT_SYMBOL_GPL(xt_replace_table); 850 851struct xt_table *xt_register_table(struct net *net, 852 const struct xt_table *input_table, 853 struct xt_table_info *bootstrap, 854 struct xt_table_info *newinfo) 855{ 856 int ret; 857 struct xt_table_info *private; 858 struct xt_table *t, *table; 859 860 /* Don't add one object to multiple lists. */ 861 table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL); 862 if (!table) { 863 ret = -ENOMEM; 864 goto out; 865 } 866 867 mutex_lock(&xt[table->af].mutex); 868 /* Don't autoload: we'd eat our tail... */ 869 list_for_each_entry(t, &net->xt.tables[table->af], list) { 870 if (strcmp(t->name, table->name) == 0) { 871 ret = -EEXIST; 872 goto unlock; 873 } 874 } 875 876 /* Simplifies replace_table code. */ 877 table->private = bootstrap; 878 879 if (!xt_replace_table(table, 0, newinfo, &ret)) 880 goto unlock; 881 882 private = table->private; 883 pr_debug("table->private->number = %u\n", private->number); 884 885 /* save number of initial entries */ 886 private->initial_entries = private->number; 887 888 list_add(&table->list, &net->xt.tables[table->af]); 889 mutex_unlock(&xt[table->af].mutex); 890 return table; 891 892unlock: 893 mutex_unlock(&xt[table->af].mutex); 894 kfree(table); 895out: 896 return ERR_PTR(ret); 897} 898EXPORT_SYMBOL_GPL(xt_register_table); 899 900void *xt_unregister_table(struct xt_table *table) 901{ 902 struct xt_table_info *private; 903 904 mutex_lock(&xt[table->af].mutex); 905 private = table->private; 906 list_del(&table->list); 907 mutex_unlock(&xt[table->af].mutex); 908 kfree(table); 909 910 return private; 911} 912EXPORT_SYMBOL_GPL(xt_unregister_table); 913 914#ifdef CONFIG_PROC_FS 915struct xt_names_priv { 916 struct seq_net_private p; 917 u_int8_t af; 918}; 919static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos) 920{ 921 struct xt_names_priv *priv = seq->private; 922 struct net *net = seq_file_net(seq); 923 u_int8_t af = priv->af; 924 925 mutex_lock(&xt[af].mutex); 926 return seq_list_start(&net->xt.tables[af], *pos); 927} 928 929static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos) 930{ 931 struct xt_names_priv *priv = seq->private; 932 struct net *net = seq_file_net(seq); 933 u_int8_t af = priv->af; 934 935 return seq_list_next(v, &net->xt.tables[af], pos); 936} 937 938static void xt_table_seq_stop(struct seq_file *seq, void *v) 939{ 940 struct xt_names_priv *priv = seq->private; 941 u_int8_t af = priv->af; 942 943 mutex_unlock(&xt[af].mutex); 944} 945 946static int xt_table_seq_show(struct seq_file *seq, void *v) 947{ 948 struct xt_table *table = list_entry(v, struct xt_table, list); 949 950 if (strlen(table->name)) { 951 seq_printf(seq, "%s\n", table->name); 952 return seq_has_overflowed(seq); 953 } else 954 return 0; 955} 956 957static const struct seq_operations xt_table_seq_ops = { 958 .start = xt_table_seq_start, 959 .next = xt_table_seq_next, 960 .stop = xt_table_seq_stop, 961 .show = xt_table_seq_show, 962}; 963 964static int xt_table_open(struct inode *inode, struct file *file) 965{ 966 int ret; 967 struct xt_names_priv *priv; 968 969 ret = seq_open_net(inode, file, &xt_table_seq_ops, 970 sizeof(struct xt_names_priv)); 971 if (!ret) { 972 priv = ((struct seq_file *)file->private_data)->private; 973 priv->af = (unsigned long)PDE_DATA(inode); 974 } 975 return ret; 976} 977 978static const struct file_operations xt_table_ops = { 979 .owner = THIS_MODULE, 980 .open = xt_table_open, 981 .read = seq_read, 982 .llseek = seq_lseek, 983 .release = seq_release_net, 984}; 985 986/* 987 * Traverse state for ip{,6}_{tables,matches} for helping crossing 988 * the multi-AF mutexes. 989 */ 990struct nf_mttg_trav { 991 struct list_head *head, *curr; 992 uint8_t class, nfproto; 993}; 994 995enum { 996 MTTG_TRAV_INIT, 997 MTTG_TRAV_NFP_UNSPEC, 998 MTTG_TRAV_NFP_SPEC, 999 MTTG_TRAV_DONE, 1000}; 1001 1002static void *xt_mttg_seq_next(struct seq_file *seq, void *v, loff_t *ppos, 1003 bool is_target) 1004{ 1005 static const uint8_t next_class[] = { 1006 [MTTG_TRAV_NFP_UNSPEC] = MTTG_TRAV_NFP_SPEC, 1007 [MTTG_TRAV_NFP_SPEC] = MTTG_TRAV_DONE, 1008 }; 1009 struct nf_mttg_trav *trav = seq->private; 1010 1011 switch (trav->class) { 1012 case MTTG_TRAV_INIT: 1013 trav->class = MTTG_TRAV_NFP_UNSPEC; 1014 mutex_lock(&xt[NFPROTO_UNSPEC].mutex); 1015 trav->head = trav->curr = is_target ? 1016 &xt[NFPROTO_UNSPEC].target : &xt[NFPROTO_UNSPEC].match; 1017 break; 1018 case MTTG_TRAV_NFP_UNSPEC: 1019 trav->curr = trav->curr->next; 1020 if (trav->curr != trav->head) 1021 break; 1022 mutex_unlock(&xt[NFPROTO_UNSPEC].mutex); 1023 mutex_lock(&xt[trav->nfproto].mutex); 1024 trav->head = trav->curr = is_target ? 1025 &xt[trav->nfproto].target : &xt[trav->nfproto].match; 1026 trav->class = next_class[trav->class]; 1027 break; 1028 case MTTG_TRAV_NFP_SPEC: 1029 trav->curr = trav->curr->next; 1030 if (trav->curr != trav->head) 1031 break; 1032 /* fallthru, _stop will unlock */ 1033 default: 1034 return NULL; 1035 } 1036 1037 if (ppos != NULL) 1038 ++*ppos; 1039 return trav; 1040} 1041 1042static void *xt_mttg_seq_start(struct seq_file *seq, loff_t *pos, 1043 bool is_target) 1044{ 1045 struct nf_mttg_trav *trav = seq->private; 1046 unsigned int j; 1047 1048 trav->class = MTTG_TRAV_INIT; 1049 for (j = 0; j < *pos; ++j) 1050 if (xt_mttg_seq_next(seq, NULL, NULL, is_target) == NULL) 1051 return NULL; 1052 return trav; 1053} 1054 1055static void xt_mttg_seq_stop(struct seq_file *seq, void *v) 1056{ 1057 struct nf_mttg_trav *trav = seq->private; 1058 1059 switch (trav->class) { 1060 case MTTG_TRAV_NFP_UNSPEC: 1061 mutex_unlock(&xt[NFPROTO_UNSPEC].mutex); 1062 break; 1063 case MTTG_TRAV_NFP_SPEC: 1064 mutex_unlock(&xt[trav->nfproto].mutex); 1065 break; 1066 } 1067} 1068 1069static void *xt_match_seq_start(struct seq_file *seq, loff_t *pos) 1070{ 1071 return xt_mttg_seq_start(seq, pos, false); 1072} 1073 1074static void *xt_match_seq_next(struct seq_file *seq, void *v, loff_t *ppos) 1075{ 1076 return xt_mttg_seq_next(seq, v, ppos, false); 1077} 1078 1079static int xt_match_seq_show(struct seq_file *seq, void *v) 1080{ 1081 const struct nf_mttg_trav *trav = seq->private; 1082 const struct xt_match *match; 1083 1084 switch (trav->class) { 1085 case MTTG_TRAV_NFP_UNSPEC: 1086 case MTTG_TRAV_NFP_SPEC: 1087 if (trav->curr == trav->head) 1088 return 0; 1089 match = list_entry(trav->curr, struct xt_match, list); 1090 if (*match->name == '\0') 1091 return 0; 1092 seq_printf(seq, "%s\n", match->name); 1093 return seq_has_overflowed(seq); 1094 } 1095 return 0; 1096} 1097 1098static const struct seq_operations xt_match_seq_ops = { 1099 .start = xt_match_seq_start, 1100 .next = xt_match_seq_next, 1101 .stop = xt_mttg_seq_stop, 1102 .show = xt_match_seq_show, 1103}; 1104 1105static int xt_match_open(struct inode *inode, struct file *file) 1106{ 1107 struct nf_mttg_trav *trav; 1108 trav = __seq_open_private(file, &xt_match_seq_ops, sizeof(*trav)); 1109 if (!trav) 1110 return -ENOMEM; 1111 1112 trav->nfproto = (unsigned long)PDE_DATA(inode); 1113 return 0; 1114} 1115 1116static const struct file_operations xt_match_ops = { 1117 .owner = THIS_MODULE, 1118 .open = xt_match_open, 1119 .read = seq_read, 1120 .llseek = seq_lseek, 1121 .release = seq_release_private, 1122}; 1123 1124static void *xt_target_seq_start(struct seq_file *seq, loff_t *pos) 1125{ 1126 return xt_mttg_seq_start(seq, pos, true); 1127} 1128 1129static void *xt_target_seq_next(struct seq_file *seq, void *v, loff_t *ppos) 1130{ 1131 return xt_mttg_seq_next(seq, v, ppos, true); 1132} 1133 1134static int xt_target_seq_show(struct seq_file *seq, void *v) 1135{ 1136 const struct nf_mttg_trav *trav = seq->private; 1137 const struct xt_target *target; 1138 1139 switch (trav->class) { 1140 case MTTG_TRAV_NFP_UNSPEC: 1141 case MTTG_TRAV_NFP_SPEC: 1142 if (trav->curr == trav->head) 1143 return 0; 1144 target = list_entry(trav->curr, struct xt_target, list); 1145 if (*target->name == '\0') 1146 return 0; 1147 seq_printf(seq, "%s\n", target->name); 1148 return seq_has_overflowed(seq); 1149 } 1150 return 0; 1151} 1152 1153static const struct seq_operations xt_target_seq_ops = { 1154 .start = xt_target_seq_start, 1155 .next = xt_target_seq_next, 1156 .stop = xt_mttg_seq_stop, 1157 .show = xt_target_seq_show, 1158}; 1159 1160static int xt_target_open(struct inode *inode, struct file *file) 1161{ 1162 struct nf_mttg_trav *trav; 1163 trav = __seq_open_private(file, &xt_target_seq_ops, sizeof(*trav)); 1164 if (!trav) 1165 return -ENOMEM; 1166 1167 trav->nfproto = (unsigned long)PDE_DATA(inode); 1168 return 0; 1169} 1170 1171static const struct file_operations xt_target_ops = { 1172 .owner = THIS_MODULE, 1173 .open = xt_target_open, 1174 .read = seq_read, 1175 .llseek = seq_lseek, 1176 .release = seq_release_private, 1177}; 1178 1179#define FORMAT_TABLES "_tables_names" 1180#define FORMAT_MATCHES "_tables_matches" 1181#define FORMAT_TARGETS "_tables_targets" 1182 1183#endif /* CONFIG_PROC_FS */ 1184 1185/** 1186 * xt_hook_link - set up hooks for a new table 1187 * @table: table with metadata needed to set up hooks 1188 * @fn: Hook function 1189 * 1190 * This function will take care of creating and registering the necessary 1191 * Netfilter hooks for XT tables. 1192 */ 1193struct nf_hook_ops *xt_hook_link(const struct xt_table *table, nf_hookfn *fn) 1194{ 1195 unsigned int hook_mask = table->valid_hooks; 1196 uint8_t i, num_hooks = hweight32(hook_mask); 1197 uint8_t hooknum; 1198 struct nf_hook_ops *ops; 1199 int ret; 1200 1201 ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL); 1202 if (ops == NULL) 1203 return ERR_PTR(-ENOMEM); 1204 1205 for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0; 1206 hook_mask >>= 1, ++hooknum) { 1207 if (!(hook_mask & 1)) 1208 continue; 1209 ops[i].hook = fn; 1210 ops[i].owner = table->me; 1211 ops[i].pf = table->af; 1212 ops[i].hooknum = hooknum; 1213 ops[i].priority = table->priority; 1214 ++i; 1215 } 1216 1217 ret = nf_register_hooks(ops, num_hooks); 1218 if (ret < 0) { 1219 kfree(ops); 1220 return ERR_PTR(ret); 1221 } 1222 1223 return ops; 1224} 1225EXPORT_SYMBOL_GPL(xt_hook_link); 1226 1227/** 1228 * xt_hook_unlink - remove hooks for a table 1229 * @ops: nf_hook_ops array as returned by nf_hook_link 1230 * @hook_mask: the very same mask that was passed to nf_hook_link 1231 */ 1232void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops) 1233{ 1234 nf_unregister_hooks(ops, hweight32(table->valid_hooks)); 1235 kfree(ops); 1236} 1237EXPORT_SYMBOL_GPL(xt_hook_unlink); 1238 1239int xt_proto_init(struct net *net, u_int8_t af) 1240{ 1241#ifdef CONFIG_PROC_FS 1242 char buf[XT_FUNCTION_MAXNAMELEN]; 1243 struct proc_dir_entry *proc; 1244#endif 1245 1246 if (af >= ARRAY_SIZE(xt_prefix)) 1247 return -EINVAL; 1248 1249 1250#ifdef CONFIG_PROC_FS 1251 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1252 strlcat(buf, FORMAT_TABLES, sizeof(buf)); 1253 proc = proc_create_data(buf, 0440, net->proc_net, &xt_table_ops, 1254 (void *)(unsigned long)af); 1255 if (!proc) 1256 goto out; 1257 1258 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1259 strlcat(buf, FORMAT_MATCHES, sizeof(buf)); 1260 proc = proc_create_data(buf, 0440, net->proc_net, &xt_match_ops, 1261 (void *)(unsigned long)af); 1262 if (!proc) 1263 goto out_remove_tables; 1264 1265 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1266 strlcat(buf, FORMAT_TARGETS, sizeof(buf)); 1267 proc = proc_create_data(buf, 0440, net->proc_net, &xt_target_ops, 1268 (void *)(unsigned long)af); 1269 if (!proc) 1270 goto out_remove_matches; 1271#endif 1272 1273 return 0; 1274 1275#ifdef CONFIG_PROC_FS 1276out_remove_matches: 1277 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1278 strlcat(buf, FORMAT_MATCHES, sizeof(buf)); 1279 remove_proc_entry(buf, net->proc_net); 1280 1281out_remove_tables: 1282 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1283 strlcat(buf, FORMAT_TABLES, sizeof(buf)); 1284 remove_proc_entry(buf, net->proc_net); 1285out: 1286 return -1; 1287#endif 1288} 1289EXPORT_SYMBOL_GPL(xt_proto_init); 1290 1291void xt_proto_fini(struct net *net, u_int8_t af) 1292{ 1293#ifdef CONFIG_PROC_FS 1294 char buf[XT_FUNCTION_MAXNAMELEN]; 1295 1296 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1297 strlcat(buf, FORMAT_TABLES, sizeof(buf)); 1298 remove_proc_entry(buf, net->proc_net); 1299 1300 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1301 strlcat(buf, FORMAT_TARGETS, sizeof(buf)); 1302 remove_proc_entry(buf, net->proc_net); 1303 1304 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1305 strlcat(buf, FORMAT_MATCHES, sizeof(buf)); 1306 remove_proc_entry(buf, net->proc_net); 1307#endif /*CONFIG_PROC_FS*/ 1308} 1309EXPORT_SYMBOL_GPL(xt_proto_fini); 1310 1311static int __net_init xt_net_init(struct net *net) 1312{ 1313 int i; 1314 1315 for (i = 0; i < NFPROTO_NUMPROTO; i++) 1316 INIT_LIST_HEAD(&net->xt.tables[i]); 1317 return 0; 1318} 1319 1320static struct pernet_operations xt_net_ops = { 1321 .init = xt_net_init, 1322}; 1323 1324static int __init xt_init(void) 1325{ 1326 unsigned int i; 1327 int rv; 1328 1329 for_each_possible_cpu(i) { 1330 seqcount_init(&per_cpu(xt_recseq, i)); 1331 } 1332 1333 xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL); 1334 if (!xt) 1335 return -ENOMEM; 1336 1337 for (i = 0; i < NFPROTO_NUMPROTO; i++) { 1338 mutex_init(&xt[i].mutex); 1339#ifdef CONFIG_COMPAT 1340 mutex_init(&xt[i].compat_mutex); 1341 xt[i].compat_tab = NULL; 1342#endif 1343 INIT_LIST_HEAD(&xt[i].target); 1344 INIT_LIST_HEAD(&xt[i].match); 1345 } 1346 rv = register_pernet_subsys(&xt_net_ops); 1347 if (rv < 0) 1348 kfree(xt); 1349 return rv; 1350} 1351 1352static void __exit xt_fini(void) 1353{ 1354 unregister_pernet_subsys(&xt_net_ops); 1355 kfree(xt); 1356} 1357 1358module_init(xt_init); 1359module_exit(xt_fini); 1360 1361