ip_tables.c

Revision 12420, 56.2 kB (checked in by BrainSlayer, 5 months ago)
conntrack flush for 2.6

Line
1	/*
2	* Packet matching code.
3	*
4	* Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5	* Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6	*
7	* This program is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License version 2 as
9	* published by the Free Software Foundation.
10	*/
11	#include <linux/cache.h>
12	#include <linux/capability.h>
13	#include <linux/skbuff.h>
14	#include <linux/kmod.h>
15	#include <linux/vmalloc.h>
16	#include <linux/netdevice.h>
17	#include <linux/module.h>
18	#include <linux/icmp.h>
19	#include <net/ip.h>
20	#include <net/compat.h>
21	#include <asm/uaccess.h>
22	#include <linux/mutex.h>
23	#include <linux/proc_fs.h>
24	#include <linux/err.h>
25	#include <linux/cpumask.h>
26
27	#include <linux/netfilter/x_tables.h>
28	#include <linux/netfilter_ipv4/ip_tables.h>
29
30	MODULE_LICENSE("GPL");
31	MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
32	MODULE_DESCRIPTION("IPv4 packet filter");
33
34	/#define DEBUG_IP_FIREWALL/
35	/#define DEBUG_ALLOW_ALL/ /* Useful for remote debugging */
36	/#define DEBUG_IP_FIREWALL_USER/
37
38	#ifdef DEBUG_IP_FIREWALL
39	#define dprintf(format, args...) printk(format , ## args)
40	#else
41	#define dprintf(format, args...)
42	#endif
43
44	#ifdef DEBUG_IP_FIREWALL_USER
45	#define duprintf(format, args...) printk(format , ## args)
46	#else
47	#define duprintf(format, args...)
48	#endif
49
50	#ifdef CONFIG_NETFILTER_DEBUG
51	#define IP_NF_ASSERT(x) \
52	do { \
53	if (!(x)) \
54	printk("IP_NF_ASSERT: %s:%s:%u\n", \
55	__FUNCTION__, __FILE__, __LINE__); \
56	} while(0)
57	#else
58	#define IP_NF_ASSERT(x)
59	#endif
60
61	#if 0
62	/* All the better to debug you with... */
63	#define static
64	#define inline
65	#endif
66
67	/*
68	We keep a set of rules for each CPU, so we can avoid write-locking
69	them in the softirq when updating the counters and therefore
70	only need to read-lock in the softirq; doing a write_lock_bh() in user
71	context stops packets coming through and allows user context to read
72	the counters or update the rules.
73
74	Hence the start of any table is given by get_table() below. */
75
76	/* Returns whether matches rule or not. */
77	static inline int
78	ip_packet_match(const struct iphdr *ip,
79	const char *indev,
80	const char *outdev,
81	const struct ipt_ip *ipinfo,
82	int isfrag)
83	{
84	size_t i;
85	unsigned long ret;
86
87	#define FWINV(bool,invflg) ((bool) ^ !!(ipinfo->invflags & invflg))
88
89	if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
90	IPT_INV_SRCIP)
91	\|\| FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
92	IPT_INV_DSTIP)) {
93	dprintf("Source or dest mismatch.\n");
94
95	dprintf("SRC: %u.%u.%u.%u. Mask: %u.%u.%u.%u. Target: %u.%u.%u.%u.%s\n",
96	NIPQUAD(ip->saddr),
97	NIPQUAD(ipinfo->smsk.s_addr),
98	NIPQUAD(ipinfo->src.s_addr),
99	ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
100	dprintf("DST: %u.%u.%u.%u Mask: %u.%u.%u.%u Target: %u.%u.%u.%u.%s\n",
101	NIPQUAD(ip->daddr),
102	NIPQUAD(ipinfo->dmsk.s_addr),
103	NIPQUAD(ipinfo->dst.s_addr),
104	ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
105	return 0;
106	}
107
108	/* Look for ifname matches; this should unroll nicely. */
109	for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
110	ret \|= (((const unsigned long *)indev)[i]
111	^ ((const unsigned long *)ipinfo->iniface)[i])
112	& ((const unsigned long *)ipinfo->iniface_mask)[i];
113	}
114
115	if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
116	dprintf("VIA in mismatch (%s vs %s).%s\n",
117	indev, ipinfo->iniface,
118	ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
119	return 0;
120	}
121
122	for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
123	ret \|= (((const unsigned long *)outdev)[i]
124	^ ((const unsigned long *)ipinfo->outiface)[i])
125	& ((const unsigned long *)ipinfo->outiface_mask)[i];
126	}
127
128	if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
129	dprintf("VIA out mismatch (%s vs %s).%s\n",
130	outdev, ipinfo->outiface,
131	ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
132	return 0;
133	}
134
135	/* Check specific protocol */
136	if (ipinfo->proto
137	&& FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
138	dprintf("Packet protocol %hi does not match %hi.%s\n",
139	ip->protocol, ipinfo->proto,
140	ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
141	return 0;
142	}
143
144	/* If we have a fragment rule but the packet is not a fragment
145	* then we return zero */
146	if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
147	dprintf("Fragment rule but not fragment.%s\n",
148	ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
149	return 0;
150	}
151
152	return 1;
153	}
154
155	static inline bool
156	ip_checkentry(const struct ipt_ip *ip)
157	{
158	if (ip->flags & ~IPT_F_MASK) {
159	duprintf("Unknown flag bits set: %08X\n",
160	ip->flags & ~IPT_F_MASK);
161	return false;
162	}
163	if (ip->invflags & ~IPT_INV_MASK) {
164	duprintf("Unknown invflag bits set: %08X\n",
165	ip->invflags & ~IPT_INV_MASK);
166	return false;
167	}
168	return true;
169	}
170
171	static unsigned int
172	ipt_error(struct sk_buff **pskb,
173	const struct net_device *in,
174	const struct net_device *out,
175	unsigned int hooknum,
176	const struct xt_target *target,
177	const void *targinfo)
178	{
179	if (net_ratelimit())
180	printk("ip_tables: error: `%s'\n", (char *)targinfo);
181
182	return NF_DROP;
183	}
184
185	static inline
186	bool do_match(struct ipt_entry_match *m,
187	const struct sk_buff *skb,
188	const struct net_device *in,
189	const struct net_device *out,
190	int offset,
191	bool *hotdrop)
192	{
193	/* Stop iteration if it doesn't match */
194	if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
195	offset, ip_hdrlen(skb), hotdrop))
196	return true;
197	else
198	return false;
199	}
200
201	static inline struct ipt_entry *
202	get_entry(void *base, unsigned int offset)
203	{
204	return (struct ipt_entry *)(base + offset);
205	}
206
207	/* All zeroes == unconditional rule. */
208	static inline int
209	unconditional(const struct ipt_ip *ip)
210	{
211	unsigned int i;
212
213	for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
214	if (((__u32 *)ip)[i])
215	return 0;
216
217	return 1;
218	}
219
220	#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) \|\| \
221	defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
222	static const char *hooknames[] = {
223	[NF_IP_PRE_ROUTING] = "PREROUTING",
224	[NF_IP_LOCAL_IN] = "INPUT",
225	[NF_IP_FORWARD] = "FORWARD",
226	[NF_IP_LOCAL_OUT] = "OUTPUT",
227	[NF_IP_POST_ROUTING] = "POSTROUTING",
228	};
229
230	enum nf_ip_trace_comments {
231	NF_IP_TRACE_COMMENT_RULE,
232	NF_IP_TRACE_COMMENT_RETURN,
233	NF_IP_TRACE_COMMENT_POLICY,
234	};
235
236	static const char *comments[] = {
237	[NF_IP_TRACE_COMMENT_RULE] = "rule",
238	[NF_IP_TRACE_COMMENT_RETURN] = "return",
239	[NF_IP_TRACE_COMMENT_POLICY] = "policy",
240	};
241
242	static struct nf_loginfo trace_loginfo = {
243	.type = NF_LOG_TYPE_LOG,
244	.u = {
245	.log = {
246	.level = 4,
247	.logflags = NF_LOG_MASK,
248	},
249	},
250	};
251
252	static inline int
253	get_chainname_rulenum(struct ipt_entry s, struct ipt_entry e,
254	char hookname, char *chainname,
255	char *comment, unsigned int rulenum)
256	{
257	struct ipt_standard_target t = (void )ipt_get_target(s);
258
259	if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) {
260	/* Head of user chain: ERROR target with chainname */
261	*chainname = t->target.data;
262	(*rulenum) = 0;
263	} else if (s == e) {
264	(*rulenum)++;
265
266	if (s->target_offset == sizeof(struct ipt_entry)
267	&& strcmp(t->target.u.kernel.target->name,
268	IPT_STANDARD_TARGET) == 0
269	&& t->verdict < 0
270	&& unconditional(&s->ip)) {
271	/* Tail of chains: STANDARD target (return/policy) */
272	comment = chainname == hookname
273	? (char *)comments[NF_IP_TRACE_COMMENT_POLICY]
274	: (char *)comments[NF_IP_TRACE_COMMENT_RETURN];
275	}
276	return 1;
277	} else
278	(*rulenum)++;
279
280	return 0;
281	}
282
283	static void trace_packet(struct sk_buff *skb,
284	unsigned int hook,
285	const struct net_device *in,
286	const struct net_device *out,
287	char *tablename,
288	struct xt_table_info *private,
289	struct ipt_entry *e)
290	{
291	void *table_base;
292	struct ipt_entry *root;
293	char hookname, chainname, *comment;
294	unsigned int rulenum = 0;
295
296	table_base = (void *)private->entries[smp_processor_id()];
297	root = get_entry(table_base, private->hook_entry[hook]);
298
299	hookname = chainname = (char *)hooknames[hook];
300	comment = (char *)comments[NF_IP_TRACE_COMMENT_RULE];
301
302	IPT_ENTRY_ITERATE(root,
303	private->size - private->hook_entry[hook],
304	get_chainname_rulenum,
305	e, hookname, &chainname, &comment, &rulenum);
306
307	nf_log_packet(AF_INET, hook, skb, in, out, &trace_loginfo,
308	"TRACE: %s:%s:%s:%u ",
309	tablename, chainname, comment, rulenum);
310	}
311	#endif
312
313	/* Returns one of the generic firewall policies, like NF_ACCEPT. */
314	unsigned int
315	ipt_do_table(struct sk_buff **pskb,
316	unsigned int hook,
317	const struct net_device *in,
318	const struct net_device *out,
319	struct xt_table *table)
320	{
321	static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
322	u_int16_t offset;
323	struct iphdr *ip;
324	u_int16_t datalen;
325	bool hotdrop = false;
326	/* Initializing verdict to NF_DROP keeps gcc happy. */
327	unsigned int verdict = NF_DROP;
328	const char indev, outdev;
329	void *table_base;
330	struct ipt_entry e, back;
331	struct xt_table_info *private;
332
333	/* Initialization */
334	ip = ip_hdr(*pskb);
335	datalen = (pskb)->len - ip->ihl 4;
336	indev = in ? in->name : nulldevname;
337	outdev = out ? out->name : nulldevname;
338	/* We handle fragments by dealing with the first fragment as
339	* if it was a normal packet. All other fragments are treated
340	* normally, except that they will NEVER match rules that ask
341	* things we don't know, ie. tcp syn flag or ports). If the
342	* rule is also a fragment-specific rule, non-fragments won't
343	* match it. */
344	offset = ntohs(ip->frag_off) & IP_OFFSET;
345
346	read_lock_bh(&table->lock);
347	IP_NF_ASSERT(table->valid_hooks & (1 << hook));
348	private = table->private;
349	table_base = (void *)private->entries[smp_processor_id()];
350	e = get_entry(table_base, private->hook_entry[hook]);
351
352	/* For return from builtin chain */
353	back = get_entry(table_base, private->underflow[hook]);
354
355	do {
356	IP_NF_ASSERT(e);
357	IP_NF_ASSERT(back);
358	if (ip_packet_match(ip, indev, outdev, &e->ip, offset)) {
359	struct ipt_entry_target *t;
360
361	if (IPT_MATCH_ITERATE(e, do_match,
362	*pskb, in, out,
363	offset, &hotdrop) != 0)
364	goto no_match;
365
366	ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
367
368	t = ipt_get_target(e);
369	IP_NF_ASSERT(t->u.kernel.target);
370
371	#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) \|\| \
372	defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
373	/* The packet is traced: log it */
374	if (unlikely((*pskb)->nf_trace))
375	trace_packet(*pskb, hook, in, out,
376	table->name, private, e);
377	#endif
378	/* Standard target? */
379	if (!t->u.kernel.target->target) {
380	int v;
381
382	v = ((struct ipt_standard_target *)t)->verdict;
383	if (v < 0) {
384	/* Pop from stack? */
385	if (v != IPT_RETURN) {
386	verdict = (unsigned)(-v) - 1;
387	break;
388	}
389	e = back;
390	back = get_entry(table_base,
391	back->comefrom);
392	continue;
393	}
394	if (table_base + v != (void *)e + e->next_offset
395	&& !(e->ip.flags & IPT_F_GOTO)) {
396	/* Save old back ptr in next entry */
397	struct ipt_entry *next
398	= (void *)e + e->next_offset;
399	next->comefrom
400	= (void *)back - table_base;
401	/* set back pointer to next entry */
402	back = next;
403	}
404
405	e = get_entry(table_base, v);
406	} else {
407	/* Targets which reenter must return
408	abs. verdicts */
409	#ifdef CONFIG_NETFILTER_DEBUG
410	((struct ipt_entry *)table_base)->comefrom
411	= 0xeeeeeeec;
412	#endif
413	verdict = t->u.kernel.target->target(pskb,
414	in, out,
415	hook,
416	t->u.kernel.target,
417	t->data);
418
419	#ifdef CONFIG_NETFILTER_DEBUG
420	if (((struct ipt_entry *)table_base)->comefrom
421	!= 0xeeeeeeec
422	&& verdict == IPT_CONTINUE) {
423	printk("Target %s reentered!\n",
424	t->u.kernel.target->name);
425	verdict = NF_DROP;
426	}
427	((struct ipt_entry *)table_base)->comefrom
428	= 0x57acc001;
429	#endif
430	/* Target might have changed stuff. */
431	ip = ip_hdr(*pskb);
432	datalen = (pskb)->len - ip->ihl 4;
433
434	if (verdict == IPT_CONTINUE)
435	e = (void *)e + e->next_offset;
436	else
437	/* Verdict */
438	break;
439	}
440	} else {
441
442	no_match:
443	e = (void *)e + e->next_offset;
444	}
445	} while (!hotdrop);
446
447	read_unlock_bh(&table->lock);
448
449	#ifdef DEBUG_ALLOW_ALL
450	return NF_ACCEPT;
451	#else
452	if (hotdrop)
453	return NF_DROP;
454	else return verdict;
455	#endif
456	}
457
458	/* Figures out from what hook each rule can be called: returns 0 if
459	there are loops. Puts hook bitmask in comefrom. */
460	static int
461	mark_source_chains(struct xt_table_info *newinfo,
462	unsigned int valid_hooks, void *entry0)
463	{
464	unsigned int hook;
465
466	/* No recursion; use packet counter to save back ptrs (reset
467	to 0 as we leave), and comefrom to save source hook bitmask */
468	for (hook = 0; hook < NF_IP_NUMHOOKS; hook++) {
469	unsigned int pos = newinfo->hook_entry[hook];
470	struct ipt_entry *e
471	= (struct ipt_entry *)(entry0 + pos);
472
473	if (!(valid_hooks & (1 << hook)))
474	continue;
475
476	/* Set initial back pointer. */
477	e->counters.pcnt = pos;
478
479	for (;;) {
480	struct ipt_standard_target *t
481	= (void *)ipt_get_target(e);
482	int visited = e->comefrom & (1 << hook);
483
484	if (e->comefrom & (1 << NF_IP_NUMHOOKS)) {
485	printk("iptables: loop hook %u pos %u %08X.\n",
486	hook, pos, e->comefrom);
487	return 0;
488	}
489	e->comefrom
490	\|= ((1 << hook) \| (1 << NF_IP_NUMHOOKS));
491
492	/* Unconditional return/END. */
493	if ((e->target_offset == sizeof(struct ipt_entry)
494	&& (strcmp(t->target.u.user.name,
495	IPT_STANDARD_TARGET) == 0)
496	&& t->verdict < 0
497	&& unconditional(&e->ip)) \|\| visited) {
498	unsigned int oldpos, size;
499
500	if (t->verdict < -NF_MAX_VERDICT - 1) {
501	duprintf("mark_source_chains: bad "
502	"negative verdict (%i)\n",
503	t->verdict);
504	return 0;
505	}
506
507	/* Return: backtrack through the last
508	big jump. */
509	do {
510	e->comefrom ^= (1<<NF_IP_NUMHOOKS);
511	#ifdef DEBUG_IP_FIREWALL_USER
512	if (e->comefrom
513	& (1 << NF_IP_NUMHOOKS)) {
514	duprintf("Back unset "
515	"on hook %u "
516	"rule %u\n",
517	hook, pos);
518	}
519	#endif
520	oldpos = pos;
521	pos = e->counters.pcnt;
522	e->counters.pcnt = 0;
523
524	/* We're at the start. */
525	if (pos == oldpos)
526	goto next;
527
528	e = (struct ipt_entry *)
529	(entry0 + pos);
530	} while (oldpos == pos + e->next_offset);
531
532	/* Move along one */
533	size = e->next_offset;
534	e = (struct ipt_entry *)
535	(entry0 + pos + size);
536	e->counters.pcnt = pos;
537	pos += size;
538	} else {
539	int newpos = t->verdict;
540
541	if (strcmp(t->target.u.user.name,
542	IPT_STANDARD_TARGET) == 0
543	&& newpos >= 0) {
544	if (newpos > newinfo->size -
545	sizeof(struct ipt_entry)) {
546	duprintf("mark_source_chains: "
547	"bad verdict (%i)\n",
548	newpos);
549	return 0;
550	}
551	/* This a jump; chase it. */
552	duprintf("Jump rule %u -> %u\n",
553	pos, newpos);
554	} else {
555	/* ... this is a fallthru */
556	newpos = pos + e->next_offset;
557	}
558	e = (struct ipt_entry *)
559	(entry0 + newpos);
560	e->counters.pcnt = pos;
561	pos = newpos;
562	}
563	}
564	next:
565	duprintf("Finished chain %u\n", hook);
566	}
567	return 1;
568	}
569
570	static inline int
571	cleanup_match(struct ipt_entry_match m, unsigned int i)
572	{
573	if (i && (*i)-- == 0)
574	return 1;
575
576	if (m->u.kernel.match->destroy)
577	m->u.kernel.match->destroy(m->u.kernel.match, m->data);
578	module_put(m->u.kernel.match->me);
579	return 0;
580	}
581
582	static inline int
583	check_entry(struct ipt_entry e, const char name)
584	{
585	struct ipt_entry_target *t;
586
587	if (!ip_checkentry(&e->ip)) {
588	duprintf("ip_tables: ip check failed %p %s.\n", e, name);
589	return -EINVAL;
590	}
591
592	if (e->target_offset + sizeof(struct ipt_entry_target) > e->next_offset)
593	return -EINVAL;
594
595	t = ipt_get_target(e);
596	if (e->target_offset + t->u.target_size > e->next_offset)
597	return -EINVAL;
598
599	return 0;
600	}
601
602	static inline int check_match(struct ipt_entry_match m, const char name,
603	const struct ipt_ip *ip, unsigned int hookmask,
604	unsigned int *i)
605	{
606	struct xt_match *match;
607	int ret;
608
609	match = m->u.kernel.match;
610	ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
611	name, hookmask, ip->proto,
612	ip->invflags & IPT_INV_PROTO);
613	if (!ret && m->u.kernel.match->checkentry
614	&& !m->u.kernel.match->checkentry(name, ip, match, m->data,
615	hookmask)) {
616	duprintf("ip_tables: check failed for `%s'.\n",
617	m->u.kernel.match->name);
618	ret = -EINVAL;
619	}
620	if (!ret)
621	(*i)++;
622	return ret;
623	}
624
625	static inline int
626	find_check_match(struct ipt_entry_match *m,
627	const char *name,
628	const struct ipt_ip *ip,
629	unsigned int hookmask,
630	unsigned int *i)
631	{
632	struct xt_match *match;
633	int ret;
634
635	match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
636	m->u.user.revision),
637	"ipt_%s", m->u.user.name);
638	if (IS_ERR(match) \|\| !match) {
639	duprintf("find_check_match: `%s' not found\n", m->u.user.name);
640	return match ? PTR_ERR(match) : -ENOENT;
641	}
642	m->u.kernel.match = match;
643
644	ret = check_match(m, name, ip, hookmask, i);
645	if (ret)
646	goto err;
647
648	return 0;
649	err:
650	module_put(m->u.kernel.match->me);
651	return ret;
652	}
653
654	static inline int check_target(struct ipt_entry e, const char name)
655	{
656	struct ipt_entry_target *t;
657	struct xt_target *target;
658	int ret;
659
660	t = ipt_get_target(e);
661	target = t->u.kernel.target;
662	ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
663	name, e->comefrom, e->ip.proto,
664	e->ip.invflags & IPT_INV_PROTO);
665	if (!ret && t->u.kernel.target->checkentry
666	&& !t->u.kernel.target->checkentry(name, e, target,
667	t->data, e->comefrom)) {
668	duprintf("ip_tables: check failed for `%s'.\n",
669	t->u.kernel.target->name);
670	ret = -EINVAL;
671	}
672	return ret;
673	}
674
675	static inline int
676	find_check_entry(struct ipt_entry e, const char name, unsigned int size,
677	unsigned int *i)
678	{
679	struct ipt_entry_target *t;
680	struct xt_target *target;
681	int ret;
682	unsigned int j;
683
684	ret = check_entry(e, name);
685	if (ret)
686	return ret;
687
688	j = 0;
689	ret = IPT_MATCH_ITERATE(e, find_check_match, name, &e->ip,
690	e->comefrom, &j);
691	if (ret != 0)
692	goto cleanup_matches;
693
694	t = ipt_get_target(e);
695	target = try_then_request_module(xt_find_target(AF_INET,
696	t->u.user.name,
697	t->u.user.revision),
698	"ipt_%s", t->u.user.name);
699	if (IS_ERR(target) \|\| !target) {
700	duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
701	ret = target ? PTR_ERR(target) : -ENOENT;
702	goto cleanup_matches;
703	}
704	t->u.kernel.target = target;
705
706	ret = check_target(e, name);
707	if (ret)
708	goto err;
709
710	(*i)++;
711	return 0;
712	err:
713	module_put(t->u.kernel.target->me);
714	cleanup_matches:
715	IPT_MATCH_ITERATE(e, cleanup_match, &j);
716	return ret;
717	}
718
719	static inline int
720	check_entry_size_and_hooks(struct ipt_entry *e,
721	struct xt_table_info *newinfo,
722	unsigned char *base,
723	unsigned char *limit,
724	const unsigned int *hook_entries,
725	const unsigned int *underflows,
726	unsigned int *i)
727	{
728	unsigned int h;
729
730	if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
731	\|\| (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
732	duprintf("Bad offset %p\n", e);
733	return -EINVAL;
734	}
735
736	if (e->next_offset
737	< sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
738	duprintf("checking: element %p size %u\n",
739	e, e->next_offset);
740	return -EINVAL;
741	}
742
743	/* Check hooks & underflows */
744	for (h = 0; h < NF_IP_NUMHOOKS; h++) {
745	if ((unsigned char *)e - base == hook_entries[h])
746	newinfo->hook_entry[h] = hook_entries[h];
747	if ((unsigned char *)e - base == underflows[h])
748	newinfo->underflow[h] = underflows[h];
749	}
750
751	/* FIXME: underflows must be unconditional, standard verdicts
752	< 0 (not IPT_RETURN). --RR */
753
754	/* Clear counters and comefrom */
755	e->counters = ((struct xt_counters) { 0, 0 });
756	e->comefrom = 0;
757
758	(*i)++;
759	return 0;
760	}
761
762	static inline int
763	cleanup_entry(struct ipt_entry e, unsigned int i)
764	{
765	struct ipt_entry_target *t;
766
767	if (i && (*i)-- == 0)
768	return 1;
769
770	/* Cleanup all matches */
771	IPT_MATCH_ITERATE(e, cleanup_match, NULL);
772	t = ipt_get_target(e);
773	if (t->u.kernel.target->destroy)
774	t->u.kernel.target->destroy(t->u.kernel.target, t->data);
775	module_put(t->u.kernel.target->me);
776	return 0;
777	}
778
779	/* Checks and translates the user-supplied table segment (held in
780	newinfo) */
781	static int
782	translate_table(const char *name,
783	unsigned int valid_hooks,
784	struct xt_table_info *newinfo,
785	void *entry0,
786	unsigned int size,
787	unsigned int number,
788	const unsigned int *hook_entries,
789	const unsigned int *underflows)
790	{
791	unsigned int i;
792	int ret;
793
794	newinfo->size = size;
795	newinfo->number = number;
796
797	/* Init all hooks to impossible value. */
798	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
799	newinfo->hook_entry[i] = 0xFFFFFFFF;
800	newinfo->underflow[i] = 0xFFFFFFFF;
801	}
802
803	duprintf("translate_table: size %u\n", newinfo->size);
804	i = 0;
805	/* Walk through entries, checking offsets. */
806	ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
807	check_entry_size_and_hooks,
808	newinfo,
809	entry0,
810	entry0 + size,
811	hook_entries, underflows, &i);
812	if (ret != 0)
813	return ret;
814
815	if (i != number) {
816	duprintf("translate_table: %u not %u entries\n",
817	i, number);
818	return -EINVAL;
819	}
820
821	/* Check hooks all assigned */
822	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
823	/* Only hooks which are valid */
824	if (!(valid_hooks & (1 << i)))
825	continue;
826	if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
827	duprintf("Invalid hook entry %u %u\n",
828	i, hook_entries[i]);
829	return -EINVAL;
830	}
831	if (newinfo->underflow[i] == 0xFFFFFFFF) {
832	duprintf("Invalid underflow %u %u\n",
833	i, underflows[i]);
834	return -EINVAL;
835	}
836	}
837
838	if (!mark_source_chains(newinfo, valid_hooks, entry0))
839	return -ELOOP;
840
841	/* Finally, each sanity check must pass */
842	i = 0;
843	ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
844	find_check_entry, name, size, &i);
845
846	if (ret != 0) {
847	IPT_ENTRY_ITERATE(entry0, newinfo->size,
848	cleanup_entry, &i);
849	return ret;
850	}
851
852	/* And one copy for every other CPU */
853	for_each_possible_cpu(i) {
854	if (newinfo->entries[i] && newinfo->entries[i] != entry0)
855	memcpy(newinfo->entries[i], entry0, newinfo->size);
856	}
857
858	return ret;
859	}
860
861	/* Gets counters. */
862	static inline int
863	add_entry_to_counter(const struct ipt_entry *e,
864	struct xt_counters total[],
865	unsigned int *i)
866	{
867	ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
868
869	(*i)++;
870	return 0;
871	}
872
873	static inline int
874	set_entry_to_counter(const struct ipt_entry *e,
875	struct ipt_counters total[],
876	unsigned int *i)
877	{
878	SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
879
880	(*i)++;
881	return 0;
882	}
883
884	static void
885	get_counters(const struct xt_table_info *t,
886	struct xt_counters counters[])
887	{
888	unsigned int cpu;
889	unsigned int i;
890	unsigned int curcpu;
891
892	/* Instead of clearing (by a previous call to memset())
893	* the counters and using adds, we set the counters
894	* with data used by 'current' CPU
895	* We dont care about preemption here.
896	*/
897	curcpu = raw_smp_processor_id();
898
899	i = 0;
900	IPT_ENTRY_ITERATE(t->entries[curcpu],
901	t->size,
902	set_entry_to_counter,
903	counters,
904	&i);
905
906	for_each_possible_cpu(cpu) {
907	if (cpu == curcpu)
908	continue;
909	i = 0;
910	IPT_ENTRY_ITERATE(t->entries[cpu],
911	t->size,
912	add_entry_to_counter,
913	counters,
914	&i);
915	}
916	}
917
918	static inline struct xt_counters * alloc_counters(struct xt_table *table)
919	{
920	unsigned int countersize;
921	struct xt_counters *counters;
922	struct xt_table_info *private = table->private;
923
924	/* We need atomic snapshot of counters: rest doesn't change
925	(other than comefrom, which userspace doesn't care
926	about). */
927	countersize = sizeof(struct xt_counters) * private->number;
928	counters = vmalloc_node(countersize, numa_node_id());
929
930	if (counters == NULL)
931	return ERR_PTR(-ENOMEM);
932
933	/* First, sum counters... */
934	write_lock_bh(&table->lock);
935	get_counters(private, counters);
936	write_unlock_bh(&table->lock);
937
938	return counters;
939	}
940
941	static int
942	copy_entries_to_user(unsigned int total_size,
943	struct xt_table *table,
944	void __user *userptr)
945	{
946	unsigned int off, num;
947	struct ipt_entry *e;
948	struct xt_counters *counters;
949	struct xt_table_info *private = table->private;
950	int ret = 0;
951	void *loc_cpu_entry;
952
953	counters = alloc_counters(table);
954	if (IS_ERR(counters))
955	return PTR_ERR(counters);
956
957	/* choose the copy that is on our node/cpu, ...
958	* This choice is lazy (because current thread is
959	* allowed to migrate to another cpu)
960	*/
961	loc_cpu_entry = private->entries[raw_smp_processor_id()];
962	/* ... then copy entire thing ... */
963	if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
964	ret = -EFAULT;
965	goto free_counters;
966	}
967
968	/* FIXME: use iterator macros --RR */
969	/* ... then go back and fix counters and names */
970	for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
971	unsigned int i;
972	struct ipt_entry_match *m;
973	struct ipt_entry_target *t;
974
975	e = (struct ipt_entry *)(loc_cpu_entry + off);
976	if (copy_to_user(userptr + off
977	+ offsetof(struct ipt_entry, counters),
978	&counters[num],
979	sizeof(counters[num])) != 0) {
980	ret = -EFAULT;
981	goto free_counters;
982	}
983
984	for (i = sizeof(struct ipt_entry);
985	i < e->target_offset;
986	i += m->u.match_size) {
987	m = (void *)e + i;
988
989	if (copy_to_user(userptr + off + i
990	+ offsetof(struct ipt_entry_match,
991	u.user.name),
992	m->u.kernel.match->name,
993	strlen(m->u.kernel.match->name)+1)
994	!= 0) {
995	ret = -EFAULT;
996	goto free_counters;
997	}
998	}
999
1000	t = ipt_get_target(e);
1001	if (copy_to_user(userptr + off + e->target_offset
1002	+ offsetof(struct ipt_entry_target,
1003	u.user.name),
1004	t->u.kernel.target->name,
1005	strlen(t->u.kernel.target->name)+1) != 0) {
1006	ret = -EFAULT;
1007	goto free_counters;
1008	}
1009	}
1010
1011	free_counters:
1012	vfree(counters);
1013	return ret;
1014	}
1015
1016	#ifdef CONFIG_COMPAT
1017	struct compat_delta {
1018	struct compat_delta *next;
1019	unsigned int offset;
1020	short delta;
1021	};
1022
1023	static struct compat_delta *compat_offsets = NULL;
1024
1025	static int compat_add_offset(unsigned int offset, short delta)
1026	{
1027	struct compat_delta *tmp;
1028
1029	tmp = kmalloc(sizeof(struct compat_delta), GFP_KERNEL);
1030	if (!tmp)
1031	return -ENOMEM;
1032	tmp->offset = offset;
1033	tmp->delta = delta;
1034	if (compat_offsets) {
1035	tmp->next = compat_offsets->next;
1036	compat_offsets->next = tmp;
1037	} else {
1038	compat_offsets = tmp;
1039	tmp->next = NULL;
1040	}
1041	return 0;
1042	}
1043
1044	static void compat_flush_offsets(void)
1045	{
1046	struct compat_delta tmp, next;
1047
1048	if (compat_offsets) {
1049	for(tmp = compat_offsets; tmp; tmp = next) {
1050	next = tmp->next;
1051	kfree(tmp);
1052	}
1053	compat_offsets = NULL;
1054	}
1055	}
1056
1057	static short compat_calc_jump(unsigned int offset)
1058	{
1059	struct compat_delta *tmp;
1060	short delta;
1061
1062	for(tmp = compat_offsets, delta = 0; tmp; tmp = tmp->next)
1063	if (tmp->offset < offset)
1064	delta += tmp->delta;
1065	return delta;
1066	}
1067
1068	static void compat_standard_from_user(void dst, void src)
1069	{
1070	int v = (compat_int_t )src;
1071
1072	if (v > 0)
1073	v += compat_calc_jump(v);
1074	memcpy(dst, &v, sizeof(v));
1075	}
1076
1077	static int compat_standard_to_user(void __user dst, void src)
1078	{
1079	compat_int_t cv = (int )src;
1080
1081	if (cv > 0)
1082	cv -= compat_calc_jump(cv);
1083	return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1084	}
1085
1086	static inline int
1087	compat_calc_match(struct ipt_entry_match m, int size)
1088	{
1089	*size += xt_compat_match_offset(m->u.kernel.match);
1090	return 0;
1091	}
1092
1093	static int compat_calc_entry(struct ipt_entry e, struct xt_table_info info,
1094	void base, struct xt_table_info newinfo)
1095	{
1096	struct ipt_entry_target *t;
1097	unsigned int entry_offset;
1098	int off, i, ret;
1099
1100	off = 0;
1101	entry_offset = (void *)e - base;
1102	IPT_MATCH_ITERATE(e, compat_calc_match, &off);
1103	t = ipt_get_target(e);
1104	off += xt_compat_target_offset(t->u.kernel.target);
1105	newinfo->size -= off;
1106	ret = compat_add_offset(entry_offset, off);
1107	if (ret)
1108	return ret;
1109
1110	for (i = 0; i< NF_IP_NUMHOOKS; i++) {
1111	if (info->hook_entry[i] && (e < (struct ipt_entry *)
1112	(base + info->hook_entry[i])))
1113	newinfo->hook_entry[i] -= off;
1114	if (info->underflow[i] && (e < (struct ipt_entry *)
1115	(base + info->underflow[i])))
1116	newinfo->underflow[i] -= off;
1117	}
1118	return 0;
1119	}
1120
1121	static int compat_table_info(struct xt_table_info *info,
1122	struct xt_table_info *newinfo)
1123	{
1124	void *loc_cpu_entry;
1125	int i;
1126
1127	if (!newinfo \|\| !info)
1128	return -EINVAL;
1129
1130	memset(newinfo, 0, sizeof(struct xt_table_info));
1131	newinfo->size = info->size;
1132	newinfo->number = info->number;
1133	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1134	newinfo->hook_entry[i] = info->hook_entry[i];
1135	newinfo->underflow[i] = info->underflow[i];
1136	}
1137	loc_cpu_entry = info->entries[raw_smp_processor_id()];
1138	return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
1139	compat_calc_entry, info, loc_cpu_entry, newinfo);
1140	}
1141	#endif
1142
1143	static int get_info(void __user user, int len, int compat)
1144	{
1145	char name[IPT_TABLE_MAXNAMELEN];
1146	struct xt_table *t;
1147	int ret;
1148
1149	if (*len != sizeof(struct ipt_getinfo)) {
1150	duprintf("length %u != %u\n", *len,
1151	(unsigned int)sizeof(struct ipt_getinfo));
1152	return -EINVAL;
1153	}
1154
1155	if (copy_from_user(name, user, sizeof(name)) != 0)
1156	return -EFAULT;
1157
1158	name[IPT_TABLE_MAXNAMELEN-1] = '\0';
1159	#ifdef CONFIG_COMPAT
1160	if (compat)
1161	xt_compat_lock(AF_INET);
1162	#endif
1163	t = try_then_request_module(xt_find_table_lock(AF_INET, name),
1164	"iptable_%s", name);
1165	if (t && !IS_ERR(t)) {
1166	struct ipt_getinfo info;
1167	struct xt_table_info *private = t->private;
1168
1169	#ifdef CONFIG_COMPAT
1170	if (compat) {
1171	struct xt_table_info tmp;
1172	ret = compat_table_info(private, &tmp);
1173	compat_flush_offsets();
1174	private = &tmp;
1175	}
1176	#endif
1177	info.valid_hooks = t->valid_hooks;
1178	memcpy(info.hook_entry, private->hook_entry,
1179	sizeof(info.hook_entry));
1180	memcpy(info.underflow, private->underflow,
1181	sizeof(info.underflow));
1182	info.num_entries = private->number;
1183	info.size = private->size;
1184	strcpy(info.name, name);
1185
1186	if (copy_to_user(user, &info, *len) != 0)
1187	ret = -EFAULT;
1188	else
1189	ret = 0;
1190
1191	xt_table_unlock(t);
1192	module_put(t->me);
1193	} else
1194	ret = t ? PTR_ERR(t) : -ENOENT;
1195	#ifdef CONFIG_COMPAT
1196	if (compat)
1197	xt_compat_unlock(AF_INET);
1198	#endif
1199	return ret;
1200	}
1201
1202	static int
1203	get_entries(struct ipt_get_entries __user uptr, int len)
1204	{
1205	int ret;
1206	struct ipt_get_entries get;
1207	struct xt_table *t;
1208
1209	if (*len < sizeof(get)) {
1210	duprintf("get_entries: %u < %d\n", *len,
1211	(unsigned int)sizeof(get));
1212	return -EINVAL;
1213	}
1214	if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1215	return -EFAULT;
1216	if (*len != sizeof(struct ipt_get_entries) + get.size) {
1217	duprintf("get_entries: %u != %u\n", *len,
1218	(unsigned int)(sizeof(struct ipt_get_entries) +
1219	get.size));
1220	return -EINVAL;
1221	}
1222
1223	t = xt_find_table_lock(AF_INET, get.name);
1224	if (t && !IS_ERR(t)) {
1225	struct xt_table_info *private = t->private;
1226	duprintf("t->private->number = %u\n",
1227	private->number);
1228	if (get.size == private->size)
1229	ret = copy_entries_to_user(private->size,
1230	t, uptr->entrytable);
1231	else {
1232	duprintf("get_entries: I've got %u not %u!\n",
1233	private->size,
1234	get.size);
1235	ret = -EINVAL;
1236	}
1237	module_put(t->me);
1238	xt_table_unlock(t);
1239	} else
1240	ret = t ? PTR_ERR(t) : -ENOENT;
1241
1242	return ret;
1243	}
1244
1245	static int
1246	__do_replace(const char *name, unsigned int valid_hooks,
1247	struct xt_table_info *newinfo, unsigned int num_counters,
1248	void __user *counters_ptr)
1249	{
1250	int ret;
1251	struct xt_table *t;
1252	struct xt_table_info *oldinfo;
1253	struct xt_counters *counters;
1254	void *loc_cpu_old_entry;
1255
1256	ret = 0;
1257	counters = vmalloc(num_counters * sizeof(struct xt_counters));
1258	if (!counters) {
1259	ret = -ENOMEM;
1260	goto out;
1261	}
1262
1263	t = try_then_request_module(xt_find_table_lock(AF_INET, name),
1264	"iptable_%s", name);
1265	if (!t \|\| IS_ERR(t)) {
1266	ret = t ? PTR_ERR(t) : -ENOENT;
1267	goto free_newinfo_counters_untrans;
1268	}
1269
1270	/* You lied! */
1271	if (valid_hooks != t->valid_hooks) {
1272	duprintf("Valid hook crap: %08X vs %08X\n",
1273	valid_hooks, t->valid_hooks);
1274	ret = -EINVAL;
1275	goto put_module;
1276	}
1277
1278	oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1279	if (!oldinfo)
1280	goto put_module;
1281
1282	/* Update module usage count based on number of rules */
1283	duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1284	oldinfo->number, oldinfo->initial_entries, newinfo->number);
1285	if ((oldinfo->number > oldinfo->initial_entries) \|\|
1286	(newinfo->number <= oldinfo->initial_entries))
1287	module_put(t->me);
1288	if ((oldinfo->number > oldinfo->initial_entries) &&
1289	(newinfo->number <= oldinfo->initial_entries))
1290	module_put(t->me);
1291
1292	/* Get the old counters. */
1293	get_counters(oldinfo, counters);
1294	/* Decrease module usage counts and free resource */
1295	loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1296	IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
1297	xt_free_table_info(oldinfo);
1298	if (copy_to_user(counters_ptr, counters,
1299	sizeof(struct xt_counters) * num_counters) != 0)
1300	ret = -EFAULT;
1301	vfree(counters);
1302	xt_table_unlock(t);
1303	return ret;
1304
1305	put_module:
1306	module_put(t->me);
1307	xt_table_unlock(t);
1308	free_newinfo_counters_untrans:
1309	vfree(counters);
1310	out:
1311	return ret;
1312	}
1313
1314	static int
1315	do_replace(void __user *user, unsigned int len)
1316	{
1317	int ret;
1318	struct ipt_replace tmp;
1319	struct xt_table_info *newinfo;
1320	void *loc_cpu_entry;
1321
1322	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1323	return -EFAULT;
1324
1325	/* Hack: Causes ipchains to give correct error msg --RR */
1326	if (len != sizeof(tmp) + tmp.size)
1327	return -ENOPROTOOPT;
1328
1329	/* overflow check */
1330	if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
1331	SMP_CACHE_BYTES)
1332	return -ENOMEM;
1333	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1334	return -ENOMEM;
1335
1336	newinfo = xt_alloc_table_info(tmp.size);
1337	if (!newinfo)
1338	return -ENOMEM;
1339
1340	/* choose the copy that is our node/cpu */
1341	loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1342	if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1343	tmp.size) != 0) {
1344	ret = -EFAULT;
1345	goto free_newinfo;
1346	}
1347
1348	ret = translate_table(tmp.name, tmp.valid_hooks,
1349	newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
1350	tmp.hook_entry, tmp.underflow);
1351	if (ret != 0)
1352	goto free_newinfo;
1353
1354	duprintf("ip_tables: Translated table\n");
1355
1356	ret = __do_replace(tmp.name, tmp.valid_hooks,
1357	newinfo, tmp.num_counters,
1358	tmp.counters);
1359	if (ret)
1360	goto free_newinfo_untrans;
1361	return 0;
1362
1363	free_newinfo_untrans:
1364	IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
1365	free_newinfo:
1366	xt_free_table_info(newinfo);
1367	return ret;
1368	}
1369
1370	/* We're lazy, and add to the first CPU; overflow works its fey magic
1371	* and everything is OK. */
1372	static inline int
1373	add_counter_to_entry(struct ipt_entry *e,
1374	const struct xt_counters addme[],
1375	unsigned int *i)
1376	{
1377	#if 0
1378	duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
1379	*i,
1380	(long unsigned int)e->counters.pcnt,
1381	(long unsigned int)e->counters.bcnt,
1382	(long unsigned int)addme[*i].pcnt,
1383	(long unsigned int)addme[*i].bcnt);
1384	#endif
1385
1386	ADD_COUNTER(e->counters, addme[i].bcnt, addme[i].pcnt);
1387
1388	(*i)++;
1389	return 0;
1390	}
1391
1392	static int
1393	do_add_counters(void __user *user, unsigned int len, int compat)
1394	{
1395	unsigned int i;
1396	struct xt_counters_info tmp;
1397	struct xt_counters *paddc;
1398	unsigned int num_counters;
1399	char *name;
1400	int size;
1401	void *ptmp;
1402	struct xt_table *t;
1403	struct xt_table_info *private;
1404	int ret = 0;
1405	void *loc_cpu_entry;
1406	#ifdef CONFIG_COMPAT
1407	struct compat_xt_counters_info compat_tmp;
1408
1409	if (compat) {
1410	ptmp = &compat_tmp;
1411	size = sizeof(struct compat_xt_counters_info);
1412	} else
1413	#endif
1414	{
1415	ptmp = &tmp;
1416	size = sizeof(struct xt_counters_info);
1417	}
1418
1419	if (copy_from_user(ptmp, user, size) != 0)
1420	return -EFAULT;
1421
1422	#ifdef CONFIG_COMPAT
1423	if (compat) {
1424	num_counters = compat_tmp.num_counters;
1425	name = compat_tmp.name;
1426	} else
1427	#endif
1428	{
1429	num_counters = tmp.num_counters;
1430	name = tmp.name;
1431	}
1432
1433	if (len != size + num_counters * sizeof(struct xt_counters))
1434	return -EINVAL;
1435
1436	paddc = vmalloc_node(len - size, numa_node_id());
1437	if (!paddc)
1438	return -ENOMEM;
1439
1440	if (copy_from_user(paddc, user + size, len - size) != 0) {
1441	ret = -EFAULT;
1442	goto free;
1443	}
1444
1445	t = xt_find_table_lock(AF_INET, name);
1446	if (!t \|\| IS_ERR(t)) {
1447	ret = t ? PTR_ERR(t) : -ENOENT;
1448	goto free;
1449	}
1450
1451	write_lock_bh(&t->lock);
1452	private = t->private;
1453	if (private->number != num_counters) {
1454	ret = -EINVAL;
1455	goto unlock_up_free;
1456	}
1457
1458	i = 0;
1459	/* Choose the copy that is on our node */
1460	loc_cpu_entry = private->entries[raw_smp_processor_id()];
1461	IPT_ENTRY_ITERATE(loc_cpu_entry,
1462	private->size,
1463	add_counter_to_entry,
1464	paddc,
1465	&i);
1466	unlock_up_free:
1467	write_unlock_bh(&t->lock);
1468	xt_table_unlock(t);
1469	module_put(t->me);
1470	free:
1471	vfree(paddc);
1472
1473	return ret;
1474	}
1475
1476	#ifdef CONFIG_COMPAT
1477	struct compat_ipt_replace {
1478	char name[IPT_TABLE_MAXNAMELEN];
1479	u32 valid_hooks;
1480	u32 num_entries;
1481	u32 size;
1482	u32 hook_entry[NF_IP_NUMHOOKS];
1483	u32 underflow[NF_IP_NUMHOOKS];
1484	u32 num_counters;
1485	compat_uptr_t counters; /* struct ipt_counters * */
1486	struct compat_ipt_entry entries[0];
1487	};
1488
1489	static inline int compat_copy_match_to_user(struct ipt_entry_match *m,
1490	void __user *dstptr, compat_uint_t size)
1491	{
1492	return xt_compat_match_to_user(m, dstptr, size);
1493	}
1494
1495	static int compat_copy_entry_to_user(struct ipt_entry *e,
1496	void __user *dstptr, compat_uint_t size)
1497	{
1498	struct ipt_entry_target *t;
1499	struct compat_ipt_entry __user *ce;
1500	u_int16_t target_offset, next_offset;
1501	compat_uint_t origsize;
1502	int ret;
1503
1504	ret = -EFAULT;
1505	origsize = *size;
1506	ce = (struct compat_ipt_entry __user )dstptr;
1507	if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
1508	goto out;
1509
1510	*dstptr += sizeof(struct compat_ipt_entry);
1511	ret = IPT_MATCH_ITERATE(e, compat_copy_match_to_user, dstptr, size);
1512	target_offset = e->target_offset - (origsize - *size);
1513	if (ret)
1514	goto out;
1515	t = ipt_get_target(e);
1516	ret = xt_compat_target_to_user(t, dstptr, size);
1517	if (ret)
1518	goto out;
1519	ret = -EFAULT;
1520	next_offset = e->next_offset - (origsize - *size);
1521	if (put_user(target_offset, &ce->target_offset))
1522	goto out;
1523	if (put_user(next_offset, &ce->next_offset))
1524	goto out;
1525	return 0;
1526	out:
1527	return ret;
1528	}
1529
1530	static inline int
1531	compat_find_calc_match(struct ipt_entry_match *m,
1532	const char *name,
1533	const struct ipt_ip *ip,
1534	unsigned int hookmask,
1535	int size, int i)
1536	{
1537	struct xt_match *match;
1538
1539	match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
1540	m->u.user.revision),
1541	"ipt_%s", m->u.user.name);
1542	if (IS_ERR(match) \|\| !match) {
1543	duprintf("compat_check_calc_match: `%s' not found\n",
1544	m->u.user.name);
1545	return match ? PTR_ERR(match) : -ENOENT;
1546	}
1547	m->u.kernel.match = match;
1548	*size += xt_compat_match_offset(match);
1549
1550	(*i)++;
1551	return 0;
1552	}
1553
1554	static inline int
1555	compat_release_match(struct ipt_entry_match m, unsigned int i)
1556	{
1557	if (i && (*i)-- == 0)
1558	return 1;
1559
1560	module_put(m->u.kernel.match->me);
1561	return 0;
1562	}
1563
1564	static inline int
1565	compat_release_entry(struct ipt_entry e, unsigned int i)
1566	{
1567	struct ipt_entry_target *t;
1568
1569	if (i && (*i)-- == 0)
1570	return 1;
1571
1572	/* Cleanup all matches */
1573	IPT_MATCH_ITERATE(e, compat_release_match, NULL);
1574	t = ipt_get_target(e);
1575	module_put(t->u.kernel.target->me);
1576	return 0;
1577	}
1578
1579	static inline int
1580	check_compat_entry_size_and_hooks(struct ipt_entry *e,
1581	struct xt_table_info *newinfo,
1582	unsigned int *size,
1583	unsigned char *base,
1584	unsigned char *limit,
1585	unsigned int *hook_entries,
1586	unsigned int *underflows,
1587	unsigned int *i,
1588	const char *name)
1589	{
1590	struct ipt_entry_target *t;
1591	struct xt_target *target;
1592	unsigned int entry_offset;
1593	int ret, off, h, j;
1594
1595	duprintf("check_compat_entry_size_and_hooks %p\n", e);
1596	if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
1597	\|\| (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1598	duprintf("Bad offset %p, limit = %p\n", e, limit);
1599	return -EINVAL;
1600	}
1601
1602	if (e->next_offset < sizeof(struct compat_ipt_entry) +
1603	sizeof(struct compat_xt_entry_target)) {
1604	duprintf("checking: element %p size %u\n",
1605	e, e->next_offset);
1606	return -EINVAL;
1607	}
1608
1609	ret = check_entry(e, name);
1610	if (ret)
1611	return ret;
1612
1613	off = 0;
1614	entry_offset = (void )e - (void )base;
1615	j = 0;
1616	ret = IPT_MATCH_ITERATE(e, compat_find_calc_match, name, &e->ip,
1617	e->comefrom, &off, &j);
1618	if (ret != 0)
1619	goto release_matches;
1620
1621	t = ipt_get_target(e);
1622	target = try_then_request_module(xt_find_target(AF_INET,
1623	t->u.user.name,
1624	t->u.user.revision),
1625	"ipt_%s", t->u.user.name);
1626	if (IS_ERR(target) \|\| !target) {
1627	duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1628	t->u.user.name);
1629	ret = target ? PTR_ERR(target) : -ENOENT;
1630	goto release_matches;
1631	}
1632	t->u.kernel.target = target;
1633
1634	off += xt_compat_target_offset(target);
1635	*size += off;
1636	ret = compat_add_offset(entry_offset, off);
1637	if (ret)
1638	goto out;
1639
1640	/* Check hooks & underflows */
1641	for (h = 0; h < NF_IP_NUMHOOKS; h++) {
1642	if ((unsigned char *)e - base == hook_entries[h])
1643	newinfo->hook_entry[h] = hook_entries[h];
1644	if ((unsigned char *)e - base == underflows[h])
1645	newinfo->underflow[h] = underflows[h];
1646	}
1647
1648	/* Clear counters and comefrom */
1649	e->counters = ((struct ipt_counters) { 0, 0 });
1650	e->comefrom = 0;
1651
1652	(*i)++;
1653	return 0;
1654
1655	out:
1656	module_put(t->u.kernel.target->me);
1657	release_matches:
1658	IPT_MATCH_ITERATE(e, compat_release_match, &j);
1659	return ret;
1660	}
1661
1662	static inline int compat_copy_match_from_user(struct ipt_entry_match *m,
1663	void *dstptr, compat_uint_t size, const char *name,
1664	const struct ipt_ip *ip, unsigned int hookmask)
1665	{
1666	xt_compat_match_from_user(m, dstptr, size);
1667	return 0;
1668	}
1669
1670	static int compat_copy_entry_from_user(struct ipt_entry e, void *dstptr,
1671	unsigned int size, const char name,
1672	struct xt_table_info newinfo, unsigned char base)
1673	{
1674	struct ipt_entry_target *t;
1675	struct xt_target *target;
1676	struct ipt_entry *de;
1677	unsigned int origsize;
1678	int ret, h;
1679
1680	ret = 0;
1681	origsize = *size;
1682	de = (struct ipt_entry )dstptr;
1683	memcpy(de, e, sizeof(struct ipt_entry));
1684
1685	*dstptr += sizeof(struct compat_ipt_entry);
1686	ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size,
1687	name, &de->ip, de->comefrom);
1688	if (ret)
1689	return ret;
1690	de->target_offset = e->target_offset - (origsize - *size);
1691	t = ipt_get_target(e);
1692	target = t->u.kernel.target;
1693	xt_compat_target_from_user(t, dstptr, size);
1694
1695	de->next_offset = e->next_offset - (origsize - *size);
1696	for (h = 0; h < NF_IP_NUMHOOKS; h++) {
1697	if ((unsigned char *)de - base < newinfo->hook_entry[h])
1698	newinfo->hook_entry[h] -= origsize - *size;
1699	if ((unsigned char *)de - base < newinfo->underflow[h])
1700	newinfo->underflow[h] -= origsize - *size;
1701	}
1702	return ret;
1703	}
1704
1705	static inline int compat_check_entry(struct ipt_entry e, const char name,
1706	unsigned int *i)
1707	{
1708	int j, ret;
1709
1710	j = 0;
1711	ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom, &j);
1712	if (ret)
1713	goto cleanup_matches;
1714
1715	ret = check_target(e, name);
1716	if (ret)
1717	goto cleanup_matches;
1718
1719	(*i)++;
1720	return 0;
1721
1722	cleanup_matches:
1723	IPT_MATCH_ITERATE(e, cleanup_match, &j);
1724	return ret;
1725	}
1726
1727	static int
1728	translate_compat_table(const char *name,
1729	unsigned int valid_hooks,
1730	struct xt_table_info **pinfo,
1731	void **pentry0,
1732	unsigned int total_size,
1733	unsigned int number,
1734	unsigned int *hook_entries,
1735	unsigned int *underflows)
1736	{
1737	unsigned int i, j;
1738	struct xt_table_info newinfo, info;
1739	void pos, entry0, *entry1;
1740	unsigned int size;
1741	int ret;
1742
1743	info = *pinfo;
1744	entry0 = *pentry0;
1745	size = total_size;
1746	info->number = number;
1747
1748	/* Init all hooks to impossible value. */
1749	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1750	info->hook_entry[i] = 0xFFFFFFFF;
1751	info->underflow[i] = 0xFFFFFFFF;
1752	}
1753
1754	duprintf("translate_compat_table: size %u\n", info->size);
1755	j = 0;
1756	xt_compat_lock(AF_INET);
1757	/* Walk through entries, checking offsets. */
1758	ret = IPT_ENTRY_ITERATE(entry0, total_size,
1759	check_compat_entry_size_and_hooks,
1760	info, &size, entry0,
1761	entry0 + total_size,
1762	hook_entries, underflows, &j, name);
1763	if (ret != 0)
1764	goto out_unlock;
1765
1766	ret = -EINVAL;
1767	if (j != number) {
1768	duprintf("translate_compat_table: %u not %u entries\n",
1769	j, number);
1770	goto out_unlock;
1771	}
1772
1773	/* Check hooks all assigned */
1774	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1775	/* Only hooks which are valid */
1776	if (!(valid_hooks & (1 << i)))
1777	continue;
1778	if (info->hook_entry[i] == 0xFFFFFFFF) {
1779	duprintf("Invalid hook entry %u %u\n",
1780	i, hook_entries[i]);
1781	goto out_unlock;
1782	}
1783	if (info->underflow[i] == 0xFFFFFFFF) {
1784	duprintf("Invalid underflow %u %u\n",
1785	i, underflows[i]);
1786	goto out_unlock;
1787	}
1788	}
1789
1790	ret = -ENOMEM;
1791	newinfo = xt_alloc_table_info(size);
1792	if (!newinfo)
1793	goto out_unlock;
1794
1795	newinfo->number = number;
1796	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1797	newinfo->hook_entry[i] = info->hook_entry[i];
1798	newinfo->underflow[i] = info->underflow[i];
1799	}
1800	entry1 = newinfo->entries[raw_smp_processor_id()];
1801	pos = entry1;
1802	size = total_size;
1803	ret = IPT_ENTRY_ITERATE(entry0, total_size,
1804	compat_copy_entry_from_user, &pos, &size,
1805	name, newinfo, entry1);
1806	compat_flush_offsets();
1807	xt_compat_unlock(AF_INET);
1808	if (ret)
1809	goto free_newinfo;
1810
1811	ret = -ELOOP;
1812	if (!mark_source_chains(newinfo, valid_hooks, entry1))
1813	goto free_newinfo;
1814
1815	i = 0;
1816	ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry,
1817	name, &i);
1818	if (ret) {
1819	j -= i;
1820	IPT_ENTRY_ITERATE_CONTINUE(entry1, newinfo->size, i,
1821	compat_release_entry, &j);
1822	IPT_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i);
1823	xt_free_table_info(newinfo);
1824	return ret;
1825	}
1826
1827	/* And one copy for every other CPU */
1828	for_each_possible_cpu(i)
1829	if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1830	memcpy(newinfo->entries[i], entry1, newinfo->size);
1831
1832	*pinfo = newinfo;
1833	*pentry0 = entry1;
1834	xt_free_table_info(info);
1835	return 0;
1836
1837	free_newinfo:
1838	xt_free_table_info(newinfo);
1839	out:
1840	IPT_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j);
1841	return ret;
1842	out_unlock:
1843	compat_flush_offsets();
1844	xt_compat_unlock(AF_INET);
1845	goto out;
1846	}
1847
1848	static int
1849	compat_do_replace(void __user *user, unsigned int len)
1850	{
1851	int ret;
1852	struct compat_ipt_replace tmp;
1853	struct xt_table_info *newinfo;
1854	void *loc_cpu_entry;
1855
1856	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1857	return -EFAULT;
1858
1859	/* Hack: Causes ipchains to give correct error msg --RR */
1860	if (len != sizeof(tmp) + tmp.size)
1861	return -ENOPROTOOPT;
1862
1863	/* overflow check */
1864	if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
1865	SMP_CACHE_BYTES)
1866	return -ENOMEM;
1867	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1868	return -ENOMEM;
1869
1870	newinfo = xt_alloc_table_info(tmp.size);
1871	if (!newinfo)
1872	return -ENOMEM;
1873
1874	/* choose the copy that is our node/cpu */
1875	loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1876	if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1877	tmp.size) != 0) {
1878	ret = -EFAULT;
1879	goto free_newinfo;
1880	}
1881
1882	ret = translate_compat_table(tmp.name, tmp.valid_hooks,
1883	&newinfo, &loc_cpu_entry, tmp.size,
1884	tmp.num_entries, tmp.hook_entry, tmp.underflow);
1885	if (ret != 0)
1886	goto free_newinfo;
1887
1888	duprintf("compat_do_replace: Translated table\n");
1889
1890	ret = __do_replace(tmp.name, tmp.valid_hooks,
1891	newinfo, tmp.num_counters,
1892	compat_ptr(tmp.counters));
1893	if (ret)
1894	goto free_newinfo_untrans;
1895	return 0;
1896
1897	free_newinfo_untrans:
1898	IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
1899	free_newinfo:
1900	xt_free_table_info(newinfo);
1901	return ret;
1902	}
1903
1904	static int
1905	compat_do_ipt_set_ctl(struct sock sk, int cmd, void __user user,
1906	unsigned int len)
1907	{
1908	int ret;
1909
1910	if (!capable(CAP_NET_ADMIN))
1911	return -EPERM;
1912
1913	switch (cmd) {
1914	case IPT_SO_SET_REPLACE:
1915	ret = compat_do_replace(user, len);
1916	break;
1917
1918	case IPT_SO_SET_ADD_COUNTERS:
1919	ret = do_add_counters(user, len, 1);
1920	break;
1921
1922	default:
1923	duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
1924	ret = -EINVAL;
1925	}
1926
1927	return ret;
1928	}
1929
1930	struct compat_ipt_get_entries
1931	{
1932	char name[IPT_TABLE_MAXNAMELEN];
1933	compat_uint_t size;
1934	struct compat_ipt_entry entrytable[0];
1935	};
1936
1937	static int compat_copy_entries_to_user(unsigned int total_size,
1938	struct xt_table table, void __user userptr)
1939	{
1940	unsigned int off, num;
1941	struct compat_ipt_entry e;
1942	struct xt_counters *counters;
1943	struct xt_table_info *private = table->private;
1944	void __user *pos;
1945	unsigned int size;
1946	int ret = 0;
1947	void *loc_cpu_entry;
1948
1949	counters = alloc_counters(table);
1950	if (IS_ERR(counters))
1951	return PTR_ERR(counters);
1952
1953	/* choose the copy that is on our node/cpu, ...
1954	* This choice is lazy (because current thread is
1955	* allowed to migrate to another cpu)
1956	*/
1957	loc_cpu_entry = private->entries[raw_smp_processor_id()];
1958	pos = userptr;
1959	size = total_size;
1960	ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
1961	compat_copy_entry_to_user, &pos, &size);
1962	if (ret)
1963	goto free_counters;
1964
1965	/* ... then go back and fix counters and names */
1966	for (off = 0, num = 0; off < size; off += e.next_offset, num++) {
1967	unsigned int i;
1968	struct ipt_entry_match m;
1969	struct ipt_entry_target t;
1970
1971	ret = -EFAULT;
1972	if (copy_from_user(&e, userptr + off,
1973	sizeof(struct compat_ipt_entry)))
1974	goto free_counters;
1975	if (copy_to_user(userptr + off +
1976	offsetof(struct compat_ipt_entry, counters),
1977	&counters[num], sizeof(counters[num])))
1978	goto free_counters;
1979
1980	for (i = sizeof(struct compat_ipt_entry);
1981	i < e.target_offset; i += m.u.match_size) {
1982	if (copy_from_user(&m, userptr + off + i,
1983	sizeof(struct ipt_entry_match)))
1984	goto free_counters;
1985	if (copy_to_user(userptr + off + i +
1986	offsetof(struct ipt_entry_match, u.user.name),
1987	m.u.kernel.match->name,
1988	strlen(m.u.kernel.match->name) + 1))
1989	goto free_counters;
1990	}
1991
1992	if (copy_from_user(&t, userptr + off + e.target_offset,
1993	sizeof(struct ipt_entry_target)))
1994	goto free_counters;
1995	if (copy_to_user(userptr + off + e.target_offset +
1996	offsetof(struct ipt_entry_target, u.user.name),
1997	t.u.kernel.target->name,
1998	strlen(t.u.kernel.target->name) + 1))
1999	goto free_counters;
2000	}
2001	ret = 0;
2002	free_counters:
2003	vfree(counters);
2004	return ret;
2005	}
2006
2007	static int
2008	compat_get_entries(struct compat_ipt_get_entries __user uptr, int len)
2009	{
2010	int ret;
2011	struct compat_ipt_get_entries get;
2012	struct xt_table *t;
2013
2014
2015	if (*len < sizeof(get)) {
2016	duprintf("compat_get_entries: %u < %u\n",
2017	*len, (unsigned int)sizeof(get));
2018	return -EINVAL;
2019	}
2020
2021	if (copy_from_user(&get, uptr, sizeof(get)) != 0)
2022	return -EFAULT;
2023
2024	if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
2025	duprintf("compat_get_entries: %u != %u\n", *len,
2026	(unsigned int)(sizeof(struct compat_ipt_get_entries) +
2027	get.size));
2028	return -EINVAL;
2029	}
2030
2031	xt_compat_lock(AF_INET);
2032	t = xt_find_table_lock(AF_INET, get.name);
2033	if (t && !IS_ERR(t)) {
2034	struct xt_table_info *private = t->private;
2035	struct xt_table_info info;
2036	duprintf("t->private->number = %u\n",
2037	private->number);
2038	ret = compat_table_info(private, &info);
2039	if (!ret && get.size == info.size) {
2040	ret = compat_copy_entries_to_user(private->size,
2041	t, uptr->entrytable);
2042	} else if (!ret) {
2043	duprintf("compat_get_entries: I've got %u not %u!\n",
2044	private->size,
2045	get.size);
2046	ret = -EINVAL;
2047	}
2048	compat_flush_offsets();
2049	module_put(t->me);
2050	xt_table_unlock(t);
2051	} else
2052	ret = t ? PTR_ERR(t) : -ENOENT;
2053
2054	xt_compat_unlock(AF_INET);
2055	return ret;
2056	}
2057
2058	static int do_ipt_get_ctl(struct sock , int, void __user , int *);
2059
2060	static int
2061	compat_do_ipt_get_ctl(struct sock sk, int cmd, void __user user, int *len)
2062	{
2063	int ret;
2064
2065	if (!capable(CAP_NET_ADMIN))
2066	return -EPERM;
2067
2068	switch (cmd) {
2069	case IPT_SO_GET_INFO:
2070	ret = get_info(user, len, 1);
2071	break;
2072	case IPT_SO_GET_ENTRIES:
2073	ret = compat_get_entries(user, len);
2074	break;
2075	default:
2076	ret = do_ipt_get_ctl(sk, cmd, user, len);
2077	}
2078	return ret;
2079	}
2080	#endif
2081
2082	static int
2083	do_ipt_set_ctl(struct sock sk, int cmd, void __user user, unsigned int len)
2084	{
2085	int ret;
2086
2087	if (!capable(CAP_NET_ADMIN))
2088	return -EPERM;
2089
2090	switch (cmd) {
2091	case IPT_SO_SET_REPLACE:
2092	ret = do_replace(user, len);
2093	break;
2094
2095	case IPT_SO_SET_ADD_COUNTERS:
2096	ret = do_add_counters(user, len, 0);
2097	break;
2098
2099	default:
2100	duprintf("do_ipt_set_ctl: unknown request %i\n", cmd);
2101	ret = -EINVAL;
2102	}
2103
2104	return ret;
2105	}
2106
2107	static int
2108	do_ipt_get_ctl(struct sock sk, int cmd, void __user user, int *len)
2109	{
2110	int ret;
2111
2112	if (!capable(CAP_NET_ADMIN))
2113	return -EPERM;
2114
2115	switch (cmd) {
2116	case IPT_SO_GET_INFO:
2117	ret = get_info(user, len, 0);
2118	break;
2119
2120	case IPT_SO_GET_ENTRIES:
2121	ret = get_entries(user, len);
2122	break;
2123
2124	case IPT_SO_GET_REVISION_MATCH:
2125	case IPT_SO_GET_REVISION_TARGET: {
2126	struct ipt_get_revision rev;
2127	int target;
2128
2129	if (*len != sizeof(rev)) {
2130	ret = -EINVAL;
2131	break;
2132	}
2133	if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2134	ret = -EFAULT;
2135	break;
2136	}
2137
2138	if (cmd == IPT_SO_GET_REVISION_TARGET)
2139	target = 1;
2140	else
2141	target = 0;
2142
2143	try_then_request_module(xt_find_revision(AF_INET, rev.name,
2144	rev.revision,
2145	target, &ret),
2146	"ipt_%s", rev.name);
2147	break;
2148	}
2149
2150	default:
2151	duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
2152	ret = -EINVAL;
2153	}
2154
2155	return ret;
2156	}
2157
2158	int ipt_register_table(struct xt_table table, const struct ipt_replace repl)
2159	{
2160	int ret;
2161	struct xt_table_info *newinfo;
2162	static struct xt_table_info bootstrap
2163	= { 0, 0, 0, { 0 }, { 0 }, { } };
2164	void *loc_cpu_entry;
2165
2166	newinfo = xt_alloc_table_info(repl->size);
2167	if (!newinfo)
2168	return -ENOMEM;
2169
2170	/* choose the copy on our node/cpu
2171	* but dont care of preemption
2172	*/
2173	loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2174	memcpy(loc_cpu_entry, repl->entries, repl->size);
2175
2176	ret = translate_table(table->name, table->valid_hooks,
2177	newinfo, loc_cpu_entry, repl->size,
2178	repl->num_entries,
2179	repl->hook_entry,
2180	repl->underflow);
2181	if (ret != 0) {
2182	xt_free_table_info(newinfo);
2183	return ret;
2184	}
2185
2186	ret = xt_register_table(table, &bootstrap, newinfo);
2187	if (ret != 0) {
2188	xt_free_table_info(newinfo);
2189	return ret;
2190	}
2191
2192	return 0;
2193	}
2194
2195	void ipt_unregister_table(struct xt_table *table)
2196	{
2197	struct xt_table_info *private;
2198	void *loc_cpu_entry;
2199
2200	private = xt_unregister_table(table);
2201
2202	/* Decrease module usage counts and free resources */
2203	loc_cpu_entry = private->entries[raw_smp_processor_id()];
2204	IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
2205	xt_free_table_info(private);
2206	}
2207
2208	/* Returns 1 if the type and code is matched by the range, 0 otherwise */
2209	static inline bool
2210	icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2211	u_int8_t type, u_int8_t code,
2212	bool invert)
2213	{
2214	return ((test_type == 0xFF) \|\| (type == test_type && code >= min_code && code <= max_code))
2215	^ invert;
2216	}
2217
2218	static bool
2219	icmp_match(const struct sk_buff *skb,
2220	const struct net_device *in,
2221	const struct net_device *out,
2222	const struct xt_match *match,
2223	const void *matchinfo,
2224	int offset,
2225	unsigned int protoff,
2226	bool *hotdrop)
2227	{
2228	struct icmphdr _icmph, *ic;
2229	const struct ipt_icmp *icmpinfo = matchinfo;
2230
2231	/* Must not be a fragment. */
2232	if (offset)
2233	return false;
2234
2235	ic = skb_header_pointer(skb, protoff, sizeof(_icmph), &_icmph);
2236	if (ic == NULL) {
2237	/* We've been asked to examine this packet, and we
2238	* can't. Hence, no choice but to drop.
2239	*/
2240	duprintf("Dropping evil ICMP tinygram.\n");
2241	*hotdrop = true;
2242	return false;
2243	}
2244
2245	return icmp_type_code_match(icmpinfo->type,
2246	icmpinfo->code[0],
2247	icmpinfo->code[1],
2248	ic->type, ic->code,
2249	!!(icmpinfo->invflags&IPT_ICMP_INV));
2250	}
2251
2252	/* Called when user tries to insert an entry of this type. */
2253	static bool
2254	icmp_checkentry(const char *tablename,
2255	const void *info,
2256	const struct xt_match *match,
2257	void *matchinfo,
2258	unsigned int hook_mask)
2259	{
2260	const struct ipt_icmp *icmpinfo = matchinfo;
2261
2262	/* Must specify no unknown invflags */
2263	return !(icmpinfo->invflags & ~IPT_ICMP_INV);
2264	}
2265
2266	/* The built-in targets: standard (NULL) and error. */
2267	static struct xt_target ipt_standard_target __read_mostly = {
2268	.name = IPT_STANDARD_TARGET,
2269	.targetsize = sizeof(int),
2270	.family = AF_INET,
2271	#ifdef CONFIG_COMPAT
2272	.compatsize = sizeof(compat_int_t),
2273	.compat_from_user = compat_standard_from_user,
2274	.compat_to_user = compat_standard_to_user,
2275	#endif
2276	};
2277
2278	static struct xt_target ipt_error_target __read_mostly = {
2279	.name = IPT_ERROR_TARGET,
2280	.target = ipt_error,
2281	.targetsize = IPT_FUNCTION_MAXNAMELEN,
2282	.family = AF_INET,
2283	};
2284
2285	static struct nf_sockopt_ops ipt_sockopts = {
2286	.pf = PF_INET,
2287	.set_optmin = IPT_BASE_CTL,
2288	.set_optmax = IPT_SO_SET_MAX+1,
2289	.set = do_ipt_set_ctl,
2290	#ifdef CONFIG_COMPAT
2291	.compat_set = compat_do_ipt_set_ctl,
2292	#endif
2293	.get_optmin = IPT_BASE_CTL,
2294	.get_optmax = IPT_SO_GET_MAX+1,
2295	.get = do_ipt_get_ctl,
2296	#ifdef CONFIG_COMPAT
2297	.compat_get = compat_do_ipt_get_ctl,
2298	#endif
2299	.owner = THIS_MODULE,
2300	};
2301
2302	static struct xt_match icmp_matchstruct __read_mostly = {
2303	.name = "icmp",
2304	.match = icmp_match,
2305	.matchsize = sizeof(struct ipt_icmp),
2306	.proto = IPPROTO_ICMP,
2307	.family = AF_INET,
2308	.checkentry = icmp_checkentry,
2309	};
2310
2311	static int __init ip_tables_init(void)
2312	{
2313	int ret;
2314
2315	ret = xt_proto_init(AF_INET);
2316	if (ret < 0)
2317	goto err1;
2318
2319	/* Noone else will be downing sem now, so we won't sleep */
2320	ret = xt_register_target(&ipt_standard_target);
2321	if (ret < 0)
2322	goto err2;
2323	ret = xt_register_target(&ipt_error_target);
2324	if (ret < 0)
2325	goto err3;
2326	ret = xt_register_match(&icmp_matchstruct);
2327	if (ret < 0)
2328	goto err4;
2329
2330	/* Register setsockopt */
2331	ret = nf_register_sockopt(&ipt_sockopts);
2332	if (ret < 0)
2333	goto err5;
2334
2335	printk(KERN_INFO "ip_tables: (C) 2000-2006 Netfilter Core Team\n");
2336	return 0;
2337
2338	err5:
2339	xt_unregister_match(&icmp_matchstruct);
2340	err4:
2341	xt_unregister_target(&ipt_error_target);
2342	err3:
2343	xt_unregister_target(&ipt_standard_target);
2344	err2:
2345	xt_proto_fini(AF_INET);
2346	err1:
2347	return ret;
2348	}
2349
2350	static void __exit ip_tables_fini(void)
2351	{
2352	nf_unregister_sockopt(&ipt_sockopts);
2353
2354	xt_unregister_match(&icmp_matchstruct);
2355	xt_unregister_target(&ipt_error_target);
2356	xt_unregister_target(&ipt_standard_target);
2357
2358	xt_proto_fini(AF_INET);
2359	}
2360
2361	EXPORT_SYMBOL(ipt_register_table);
2362	EXPORT_SYMBOL(ipt_unregister_table);
2363	EXPORT_SYMBOL(ipt_do_table);
2364	module_init(ip_tables_init);
2365	module_exit(ip_tables_fini);

Note: See TracBrowser for help on using the browser.

root/src/linux/rt2880/linux-2.6.23/net/ipv4/netfilter/ip_tables.c

Download in other formats: