2 * Packet matching code.
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 #include <linux/kernel.h>
16 #include <linux/capability.h>
18 #include <linux/skbuff.h>
19 #include <linux/kmod.h>
20 #include <linux/vmalloc.h>
21 #include <linux/netdevice.h>
22 #include <linux/module.h>
23 #include <linux/poison.h>
24 #include <linux/icmpv6.h>
26 #include <net/compat.h>
27 #include <asm/uaccess.h>
28 #include <linux/mutex.h>
29 #include <linux/proc_fs.h>
30 #include <linux/err.h>
31 #include <linux/cpumask.h>
33 #include <linux/netfilter_ipv6/ip6_tables.h>
34 #include <linux/netfilter/x_tables.h>
35 #include <net/netfilter/nf_log.h>
36 #include "../../netfilter/xt_repldata.h"
38 MODULE_LICENSE("GPL");
39 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
40 MODULE_DESCRIPTION("IPv6 packet filter");
42 #ifdef CONFIG_NETFILTER_DEBUG
43 #define IP_NF_ASSERT(x) WARN_ON(!(x))
45 #define IP_NF_ASSERT(x)
48 void *ip6t_alloc_initial_table(const struct xt_table *info)
50 return xt_alloc_initial_table(ip6t, IP6T);
52 EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
55 We keep a set of rules for each CPU, so we can avoid write-locking
56 them in the softirq when updating the counters and therefore
57 only need to read-lock in the softirq; doing a write_lock_bh() in user
58 context stops packets coming through and allows user context to read
59 the counters or update the rules.
61 Hence the start of any table is given by get_table() below. */
63 /* Returns whether matches rule or not. */
64 /* Performance critical - called for every packet */
66 ip6_packet_match(const struct sk_buff *skb,
69 const struct ip6t_ip6 *ip6info,
70 unsigned int *protoff,
71 int *fragoff, bool *hotdrop)
74 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
76 if (NF_INVF(ip6info, IP6T_INV_SRCIP,
77 ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
79 NF_INVF(ip6info, IP6T_INV_DSTIP,
80 ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
84 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
86 if (NF_INVF(ip6info, IP6T_INV_VIA_IN, ret != 0))
89 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
91 if (NF_INVF(ip6info, IP6T_INV_VIA_OUT, ret != 0))
94 /* ... might want to do something with class and flowlabel here ... */
96 /* look for the desired protocol header */
97 if (ip6info->flags & IP6T_F_PROTO) {
99 unsigned short _frag_off;
101 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off, NULL);
107 *fragoff = _frag_off;
109 if (ip6info->proto == protohdr) {
110 if (ip6info->invflags & IP6T_INV_PROTO)
116 /* We need match for the '-p all', too! */
117 if ((ip6info->proto != 0) &&
118 !(ip6info->invflags & IP6T_INV_PROTO))
124 /* should be ip6 safe */
126 ip6_checkentry(const struct ip6t_ip6 *ipv6)
128 if (ipv6->flags & ~IP6T_F_MASK)
130 if (ipv6->invflags & ~IP6T_INV_MASK)
137 ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
139 net_info_ratelimited("error: `%s'\n", (const char *)par->targinfo);
144 static inline struct ip6t_entry *
145 get_entry(const void *base, unsigned int offset)
147 return (struct ip6t_entry *)(base + offset);
150 /* All zeroes == unconditional rule. */
151 /* Mildly perf critical (only if packet tracing is on) */
152 static inline bool unconditional(const struct ip6t_entry *e)
154 static const struct ip6t_ip6 uncond;
156 return e->target_offset == sizeof(struct ip6t_entry) &&
157 memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0;
160 static inline const struct xt_entry_target *
161 ip6t_get_target_c(const struct ip6t_entry *e)
163 return ip6t_get_target((struct ip6t_entry *)e);
166 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
167 /* This cries for unification! */
168 static const char *const hooknames[] = {
169 [NF_INET_PRE_ROUTING] = "PREROUTING",
170 [NF_INET_LOCAL_IN] = "INPUT",
171 [NF_INET_FORWARD] = "FORWARD",
172 [NF_INET_LOCAL_OUT] = "OUTPUT",
173 [NF_INET_POST_ROUTING] = "POSTROUTING",
176 enum nf_ip_trace_comments {
177 NF_IP6_TRACE_COMMENT_RULE,
178 NF_IP6_TRACE_COMMENT_RETURN,
179 NF_IP6_TRACE_COMMENT_POLICY,
182 static const char *const comments[] = {
183 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
184 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
185 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
188 static struct nf_loginfo trace_loginfo = {
189 .type = NF_LOG_TYPE_LOG,
192 .level = LOGLEVEL_WARNING,
193 .logflags = NF_LOG_DEFAULT_MASK,
198 /* Mildly perf critical (only if packet tracing is on) */
200 get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
201 const char *hookname, const char **chainname,
202 const char **comment, unsigned int *rulenum)
204 const struct xt_standard_target *t = (void *)ip6t_get_target_c(s);
206 if (strcmp(t->target.u.kernel.target->name, XT_ERROR_TARGET) == 0) {
207 /* Head of user chain: ERROR target with chainname */
208 *chainname = t->target.data;
213 if (unconditional(s) &&
214 strcmp(t->target.u.kernel.target->name,
215 XT_STANDARD_TARGET) == 0 &&
217 /* Tail of chains: STANDARD target (return/policy) */
218 *comment = *chainname == hookname
219 ? comments[NF_IP6_TRACE_COMMENT_POLICY]
220 : comments[NF_IP6_TRACE_COMMENT_RETURN];
229 static void trace_packet(struct net *net,
230 const struct sk_buff *skb,
232 const struct net_device *in,
233 const struct net_device *out,
234 const char *tablename,
235 const struct xt_table_info *private,
236 const struct ip6t_entry *e)
238 const struct ip6t_entry *root;
239 const char *hookname, *chainname, *comment;
240 const struct ip6t_entry *iter;
241 unsigned int rulenum = 0;
243 root = get_entry(private->entries, private->hook_entry[hook]);
245 hookname = chainname = hooknames[hook];
246 comment = comments[NF_IP6_TRACE_COMMENT_RULE];
248 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
249 if (get_chainname_rulenum(iter, e, hookname,
250 &chainname, &comment, &rulenum) != 0)
253 nf_log_trace(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
254 "TRACE: %s:%s:%s:%u ",
255 tablename, chainname, comment, rulenum);
259 static inline struct ip6t_entry *
260 ip6t_next_entry(const struct ip6t_entry *entry)
262 return (void *)entry + entry->next_offset;
265 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
267 ip6t_do_table(struct sk_buff *skb,
268 const struct nf_hook_state *state,
269 struct xt_table *table)
271 unsigned int hook = state->hook;
272 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
273 /* Initializing verdict to NF_DROP keeps gcc happy. */
274 unsigned int verdict = NF_DROP;
275 const char *indev, *outdev;
276 const void *table_base;
277 struct ip6t_entry *e, **jumpstack;
278 unsigned int stackidx, cpu;
279 const struct xt_table_info *private;
280 struct xt_action_param acpar;
285 indev = state->in ? state->in->name : nulldevname;
286 outdev = state->out ? state->out->name : nulldevname;
287 /* We handle fragments by dealing with the first fragment as
288 * if it was a normal packet. All other fragments are treated
289 * normally, except that they will NEVER match rules that ask
290 * things we don't know, ie. tcp syn flag or ports). If the
291 * rule is also a fragment-specific rule, non-fragments won't
293 acpar.hotdrop = false;
296 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
299 addend = xt_write_recseq_begin();
300 private = table->private;
302 * Ensure we load private-> members after we've fetched the base
305 smp_read_barrier_depends();
306 cpu = smp_processor_id();
307 table_base = private->entries;
308 jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
310 /* Switch to alternate jumpstack if we're being invoked via TEE.
311 * TEE issues XT_CONTINUE verdict on original skb so we must not
312 * clobber the jumpstack.
314 * For recursion via REJECT or SYNPROXY the stack will be clobbered
315 * but it is no problem since absolute verdict is issued by these.
317 if (static_key_false(&xt_tee_enabled))
318 jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
320 e = get_entry(table_base, private->hook_entry[hook]);
323 const struct xt_entry_target *t;
324 const struct xt_entry_match *ematch;
325 struct xt_counters *counter;
329 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
330 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
332 e = ip6t_next_entry(e);
336 xt_ematch_foreach(ematch, e) {
337 acpar.match = ematch->u.kernel.match;
338 acpar.matchinfo = ematch->data;
339 if (!acpar.match->match(skb, &acpar))
343 counter = xt_get_this_cpu_counter(&e->counters);
344 ADD_COUNTER(*counter, skb->len, 1);
346 t = ip6t_get_target_c(e);
347 IP_NF_ASSERT(t->u.kernel.target);
349 #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
350 /* The packet is traced: log it */
351 if (unlikely(skb->nf_trace))
352 trace_packet(state->net, skb, hook, state->in,
353 state->out, table->name, private, e);
355 /* Standard target? */
356 if (!t->u.kernel.target->target) {
359 v = ((struct xt_standard_target *)t)->verdict;
361 /* Pop from stack? */
362 if (v != XT_RETURN) {
363 verdict = (unsigned int)(-v) - 1;
367 e = get_entry(table_base,
368 private->underflow[hook]);
370 e = ip6t_next_entry(jumpstack[--stackidx]);
373 if (table_base + v != ip6t_next_entry(e) &&
374 !(e->ipv6.flags & IP6T_F_GOTO)) {
375 jumpstack[stackidx++] = e;
378 e = get_entry(table_base, v);
382 acpar.target = t->u.kernel.target;
383 acpar.targinfo = t->data;
385 verdict = t->u.kernel.target->target(skb, &acpar);
386 if (verdict == XT_CONTINUE)
387 e = ip6t_next_entry(e);
391 } while (!acpar.hotdrop);
393 xt_write_recseq_end(addend);
401 /* Figures out from what hook each rule can be called: returns 0 if
402 there are loops. Puts hook bitmask in comefrom. */
404 mark_source_chains(const struct xt_table_info *newinfo,
405 unsigned int valid_hooks, void *entry0,
406 unsigned int *offsets)
410 /* No recursion; use packet counter to save back ptrs (reset
411 to 0 as we leave), and comefrom to save source hook bitmask */
412 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
413 unsigned int pos = newinfo->hook_entry[hook];
414 struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
416 if (!(valid_hooks & (1 << hook)))
419 /* Set initial back pointer. */
420 e->counters.pcnt = pos;
423 const struct xt_standard_target *t
424 = (void *)ip6t_get_target_c(e);
425 int visited = e->comefrom & (1 << hook);
427 if (e->comefrom & (1 << NF_INET_NUMHOOKS))
430 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
432 /* Unconditional return/END. */
433 if ((unconditional(e) &&
434 (strcmp(t->target.u.user.name,
435 XT_STANDARD_TARGET) == 0) &&
436 t->verdict < 0) || visited) {
437 unsigned int oldpos, size;
439 if ((strcmp(t->target.u.user.name,
440 XT_STANDARD_TARGET) == 0) &&
441 t->verdict < -NF_MAX_VERDICT - 1)
444 /* Return: backtrack through the last
447 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
449 pos = e->counters.pcnt;
450 e->counters.pcnt = 0;
452 /* We're at the start. */
456 e = (struct ip6t_entry *)
458 } while (oldpos == pos + e->next_offset);
461 size = e->next_offset;
462 e = (struct ip6t_entry *)
463 (entry0 + pos + size);
464 if (pos + size >= newinfo->size)
466 e->counters.pcnt = pos;
469 int newpos = t->verdict;
471 if (strcmp(t->target.u.user.name,
472 XT_STANDARD_TARGET) == 0 &&
474 /* This a jump; chase it. */
475 if (!xt_find_jump_offset(offsets, newpos,
478 e = (struct ip6t_entry *)
481 /* ... this is a fallthru */
482 newpos = pos + e->next_offset;
483 if (newpos >= newinfo->size)
486 e = (struct ip6t_entry *)
488 e->counters.pcnt = pos;
497 static void cleanup_match(struct xt_entry_match *m, struct net *net)
499 struct xt_mtdtor_param par;
502 par.match = m->u.kernel.match;
503 par.matchinfo = m->data;
504 par.family = NFPROTO_IPV6;
505 if (par.match->destroy != NULL)
506 par.match->destroy(&par);
507 module_put(par.match->me);
510 static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
512 const struct ip6t_ip6 *ipv6 = par->entryinfo;
514 par->match = m->u.kernel.match;
515 par->matchinfo = m->data;
517 return xt_check_match(par, m->u.match_size - sizeof(*m),
518 ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
522 find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
524 struct xt_match *match;
527 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
530 return PTR_ERR(match);
532 m->u.kernel.match = match;
534 ret = check_match(m, par);
540 module_put(m->u.kernel.match->me);
544 static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
546 struct xt_entry_target *t = ip6t_get_target(e);
547 struct xt_tgchk_param par = {
551 .target = t->u.kernel.target,
553 .hook_mask = e->comefrom,
554 .family = NFPROTO_IPV6,
557 t = ip6t_get_target(e);
558 return xt_check_target(&par, t->u.target_size - sizeof(*t),
560 e->ipv6.invflags & IP6T_INV_PROTO);
564 find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
567 struct xt_entry_target *t;
568 struct xt_target *target;
571 struct xt_mtchk_param mtpar;
572 struct xt_entry_match *ematch;
575 pcnt = xt_percpu_counter_alloc();
576 if (IS_ERR_VALUE(pcnt))
578 e->counters.pcnt = pcnt;
583 mtpar.entryinfo = &e->ipv6;
584 mtpar.hook_mask = e->comefrom;
585 mtpar.family = NFPROTO_IPV6;
586 xt_ematch_foreach(ematch, e) {
587 ret = find_check_match(ematch, &mtpar);
589 goto cleanup_matches;
593 t = ip6t_get_target(e);
594 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
596 if (IS_ERR(target)) {
597 ret = PTR_ERR(target);
598 goto cleanup_matches;
600 t->u.kernel.target = target;
602 ret = check_target(e, net, name);
607 module_put(t->u.kernel.target->me);
609 xt_ematch_foreach(ematch, e) {
612 cleanup_match(ematch, net);
615 xt_percpu_counter_free(e->counters.pcnt);
620 static bool check_underflow(const struct ip6t_entry *e)
622 const struct xt_entry_target *t;
623 unsigned int verdict;
625 if (!unconditional(e))
627 t = ip6t_get_target_c(e);
628 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
630 verdict = ((struct xt_standard_target *)t)->verdict;
631 verdict = -verdict - 1;
632 return verdict == NF_DROP || verdict == NF_ACCEPT;
636 check_entry_size_and_hooks(struct ip6t_entry *e,
637 struct xt_table_info *newinfo,
638 const unsigned char *base,
639 const unsigned char *limit,
640 const unsigned int *hook_entries,
641 const unsigned int *underflows,
642 unsigned int valid_hooks)
647 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
648 (unsigned char *)e + sizeof(struct ip6t_entry) >= limit ||
649 (unsigned char *)e + e->next_offset > limit)
653 < sizeof(struct ip6t_entry) + sizeof(struct xt_entry_target))
656 if (!ip6_checkentry(&e->ipv6))
659 err = xt_check_entry_offsets(e, e->elems, e->target_offset,
664 /* Check hooks & underflows */
665 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
666 if (!(valid_hooks & (1 << h)))
668 if ((unsigned char *)e - base == hook_entries[h])
669 newinfo->hook_entry[h] = hook_entries[h];
670 if ((unsigned char *)e - base == underflows[h]) {
671 if (!check_underflow(e))
674 newinfo->underflow[h] = underflows[h];
678 /* Clear counters and comefrom */
679 e->counters = ((struct xt_counters) { 0, 0 });
684 static void cleanup_entry(struct ip6t_entry *e, struct net *net)
686 struct xt_tgdtor_param par;
687 struct xt_entry_target *t;
688 struct xt_entry_match *ematch;
690 /* Cleanup all matches */
691 xt_ematch_foreach(ematch, e)
692 cleanup_match(ematch, net);
693 t = ip6t_get_target(e);
696 par.target = t->u.kernel.target;
697 par.targinfo = t->data;
698 par.family = NFPROTO_IPV6;
699 if (par.target->destroy != NULL)
700 par.target->destroy(&par);
701 module_put(par.target->me);
703 xt_percpu_counter_free(e->counters.pcnt);
706 /* Checks and translates the user-supplied table segment (held in
709 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
710 const struct ip6t_replace *repl)
712 struct ip6t_entry *iter;
713 unsigned int *offsets;
717 newinfo->size = repl->size;
718 newinfo->number = repl->num_entries;
720 /* Init all hooks to impossible value. */
721 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
722 newinfo->hook_entry[i] = 0xFFFFFFFF;
723 newinfo->underflow[i] = 0xFFFFFFFF;
726 offsets = xt_alloc_entry_offsets(newinfo->number);
730 /* Walk through entries, checking offsets. */
731 xt_entry_foreach(iter, entry0, newinfo->size) {
732 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
739 if (i < repl->num_entries)
740 offsets[i] = (void *)iter - entry0;
742 if (strcmp(ip6t_get_target(iter)->u.user.name,
743 XT_ERROR_TARGET) == 0)
744 ++newinfo->stacksize;
748 if (i != repl->num_entries)
751 /* Check hooks all assigned */
752 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
753 /* Only hooks which are valid */
754 if (!(repl->valid_hooks & (1 << i)))
756 if (newinfo->hook_entry[i] == 0xFFFFFFFF)
758 if (newinfo->underflow[i] == 0xFFFFFFFF)
762 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
768 /* Finally, each sanity check must pass */
770 xt_entry_foreach(iter, entry0, newinfo->size) {
771 ret = find_check_entry(iter, net, repl->name, repl->size);
778 xt_entry_foreach(iter, entry0, newinfo->size) {
781 cleanup_entry(iter, net);
793 get_counters(const struct xt_table_info *t,
794 struct xt_counters counters[])
796 struct ip6t_entry *iter;
800 for_each_possible_cpu(cpu) {
801 seqcount_t *s = &per_cpu(xt_recseq, cpu);
804 xt_entry_foreach(iter, t->entries, t->size) {
805 struct xt_counters *tmp;
809 tmp = xt_get_per_cpu_counter(&iter->counters, cpu);
811 start = read_seqcount_begin(s);
814 } while (read_seqcount_retry(s, start));
816 ADD_COUNTER(counters[i], bcnt, pcnt);
822 static struct xt_counters *alloc_counters(const struct xt_table *table)
824 unsigned int countersize;
825 struct xt_counters *counters;
826 const struct xt_table_info *private = table->private;
828 /* We need atomic snapshot of counters: rest doesn't change
829 (other than comefrom, which userspace doesn't care
831 countersize = sizeof(struct xt_counters) * private->number;
832 counters = vzalloc(countersize);
834 if (counters == NULL)
835 return ERR_PTR(-ENOMEM);
837 get_counters(private, counters);
843 copy_entries_to_user(unsigned int total_size,
844 const struct xt_table *table,
845 void __user *userptr)
847 unsigned int off, num;
848 const struct ip6t_entry *e;
849 struct xt_counters *counters;
850 const struct xt_table_info *private = table->private;
852 const void *loc_cpu_entry;
854 counters = alloc_counters(table);
855 if (IS_ERR(counters))
856 return PTR_ERR(counters);
858 loc_cpu_entry = private->entries;
859 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
864 /* FIXME: use iterator macros --RR */
865 /* ... then go back and fix counters and names */
866 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
868 const struct xt_entry_match *m;
869 const struct xt_entry_target *t;
871 e = (struct ip6t_entry *)(loc_cpu_entry + off);
872 if (copy_to_user(userptr + off
873 + offsetof(struct ip6t_entry, counters),
875 sizeof(counters[num])) != 0) {
880 for (i = sizeof(struct ip6t_entry);
881 i < e->target_offset;
882 i += m->u.match_size) {
885 if (copy_to_user(userptr + off + i
886 + offsetof(struct xt_entry_match,
888 m->u.kernel.match->name,
889 strlen(m->u.kernel.match->name)+1)
896 t = ip6t_get_target_c(e);
897 if (copy_to_user(userptr + off + e->target_offset
898 + offsetof(struct xt_entry_target,
900 t->u.kernel.target->name,
901 strlen(t->u.kernel.target->name)+1) != 0) {
913 static void compat_standard_from_user(void *dst, const void *src)
915 int v = *(compat_int_t *)src;
918 v += xt_compat_calc_jump(AF_INET6, v);
919 memcpy(dst, &v, sizeof(v));
922 static int compat_standard_to_user(void __user *dst, const void *src)
924 compat_int_t cv = *(int *)src;
927 cv -= xt_compat_calc_jump(AF_INET6, cv);
928 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
931 static int compat_calc_entry(const struct ip6t_entry *e,
932 const struct xt_table_info *info,
933 const void *base, struct xt_table_info *newinfo)
935 const struct xt_entry_match *ematch;
936 const struct xt_entry_target *t;
937 unsigned int entry_offset;
940 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
941 entry_offset = (void *)e - base;
942 xt_ematch_foreach(ematch, e)
943 off += xt_compat_match_offset(ematch->u.kernel.match);
944 t = ip6t_get_target_c(e);
945 off += xt_compat_target_offset(t->u.kernel.target);
946 newinfo->size -= off;
947 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
951 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
952 if (info->hook_entry[i] &&
953 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
954 newinfo->hook_entry[i] -= off;
955 if (info->underflow[i] &&
956 (e < (struct ip6t_entry *)(base + info->underflow[i])))
957 newinfo->underflow[i] -= off;
962 static int compat_table_info(const struct xt_table_info *info,
963 struct xt_table_info *newinfo)
965 struct ip6t_entry *iter;
966 const void *loc_cpu_entry;
969 if (!newinfo || !info)
972 /* we dont care about newinfo->entries */
973 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
974 newinfo->initial_entries = 0;
975 loc_cpu_entry = info->entries;
976 xt_compat_init_offsets(AF_INET6, info->number);
977 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
978 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
986 static int get_info(struct net *net, void __user *user,
987 const int *len, int compat)
989 char name[XT_TABLE_MAXNAMELEN];
993 if (*len != sizeof(struct ip6t_getinfo))
996 if (copy_from_user(name, user, sizeof(name)) != 0)
999 name[XT_TABLE_MAXNAMELEN-1] = '\0';
1000 #ifdef CONFIG_COMPAT
1002 xt_compat_lock(AF_INET6);
1004 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1005 "ip6table_%s", name);
1006 if (!IS_ERR_OR_NULL(t)) {
1007 struct ip6t_getinfo info;
1008 const struct xt_table_info *private = t->private;
1009 #ifdef CONFIG_COMPAT
1010 struct xt_table_info tmp;
1013 ret = compat_table_info(private, &tmp);
1014 xt_compat_flush_offsets(AF_INET6);
1018 memset(&info, 0, sizeof(info));
1019 info.valid_hooks = t->valid_hooks;
1020 memcpy(info.hook_entry, private->hook_entry,
1021 sizeof(info.hook_entry));
1022 memcpy(info.underflow, private->underflow,
1023 sizeof(info.underflow));
1024 info.num_entries = private->number;
1025 info.size = private->size;
1026 strcpy(info.name, name);
1028 if (copy_to_user(user, &info, *len) != 0)
1036 ret = t ? PTR_ERR(t) : -ENOENT;
1037 #ifdef CONFIG_COMPAT
1039 xt_compat_unlock(AF_INET6);
1045 get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
1049 struct ip6t_get_entries get;
1052 if (*len < sizeof(get))
1054 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1056 if (*len != sizeof(struct ip6t_get_entries) + get.size)
1059 get.name[sizeof(get.name) - 1] = '\0';
1061 t = xt_find_table_lock(net, AF_INET6, get.name);
1062 if (!IS_ERR_OR_NULL(t)) {
1063 struct xt_table_info *private = t->private;
1064 if (get.size == private->size)
1065 ret = copy_entries_to_user(private->size,
1066 t, uptr->entrytable);
1073 ret = t ? PTR_ERR(t) : -ENOENT;
1079 __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1080 struct xt_table_info *newinfo, unsigned int num_counters,
1081 void __user *counters_ptr)
1085 struct xt_table_info *oldinfo;
1086 struct xt_counters *counters;
1087 struct ip6t_entry *iter;
1090 counters = vzalloc(num_counters * sizeof(struct xt_counters));
1096 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1097 "ip6table_%s", name);
1098 if (IS_ERR_OR_NULL(t)) {
1099 ret = t ? PTR_ERR(t) : -ENOENT;
1100 goto free_newinfo_counters_untrans;
1104 if (valid_hooks != t->valid_hooks) {
1109 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1113 /* Update module usage count based on number of rules */
1114 if ((oldinfo->number > oldinfo->initial_entries) ||
1115 (newinfo->number <= oldinfo->initial_entries))
1117 if ((oldinfo->number > oldinfo->initial_entries) &&
1118 (newinfo->number <= oldinfo->initial_entries))
1121 /* Get the old counters, and synchronize with replace */
1122 get_counters(oldinfo, counters);
1124 /* Decrease module usage counts and free resource */
1125 xt_entry_foreach(iter, oldinfo->entries, oldinfo->size)
1126 cleanup_entry(iter, net);
1128 xt_free_table_info(oldinfo);
1129 if (copy_to_user(counters_ptr, counters,
1130 sizeof(struct xt_counters) * num_counters) != 0) {
1131 /* Silent error, can't fail, new table is already in place */
1132 net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
1141 free_newinfo_counters_untrans:
1148 do_replace(struct net *net, const void __user *user, unsigned int len)
1151 struct ip6t_replace tmp;
1152 struct xt_table_info *newinfo;
1153 void *loc_cpu_entry;
1154 struct ip6t_entry *iter;
1156 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1159 /* overflow check */
1160 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1162 if (tmp.num_counters == 0)
1165 tmp.name[sizeof(tmp.name)-1] = 0;
1167 newinfo = xt_alloc_table_info(tmp.size);
1171 loc_cpu_entry = newinfo->entries;
1172 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1178 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
1182 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1183 tmp.num_counters, tmp.counters);
1185 goto free_newinfo_untrans;
1188 free_newinfo_untrans:
1189 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1190 cleanup_entry(iter, net);
1192 xt_free_table_info(newinfo);
1197 do_add_counters(struct net *net, const void __user *user, unsigned int len,
1201 struct xt_counters_info tmp;
1202 struct xt_counters *paddc;
1204 const struct xt_table_info *private;
1206 struct ip6t_entry *iter;
1207 unsigned int addend;
1209 paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
1211 return PTR_ERR(paddc);
1212 t = xt_find_table_lock(net, AF_INET6, tmp.name);
1213 if (IS_ERR_OR_NULL(t)) {
1214 ret = t ? PTR_ERR(t) : -ENOENT;
1219 private = t->private;
1220 if (private->number != tmp.num_counters) {
1222 goto unlock_up_free;
1226 addend = xt_write_recseq_begin();
1227 xt_entry_foreach(iter, private->entries, private->size) {
1228 struct xt_counters *tmp;
1230 tmp = xt_get_this_cpu_counter(&iter->counters);
1231 ADD_COUNTER(*tmp, paddc[i].bcnt, paddc[i].pcnt);
1234 xt_write_recseq_end(addend);
1245 #ifdef CONFIG_COMPAT
1246 struct compat_ip6t_replace {
1247 char name[XT_TABLE_MAXNAMELEN];
1251 u32 hook_entry[NF_INET_NUMHOOKS];
1252 u32 underflow[NF_INET_NUMHOOKS];
1254 compat_uptr_t counters; /* struct xt_counters * */
1255 struct compat_ip6t_entry entries[0];
1259 compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1260 unsigned int *size, struct xt_counters *counters,
1263 struct xt_entry_target *t;
1264 struct compat_ip6t_entry __user *ce;
1265 u_int16_t target_offset, next_offset;
1266 compat_uint_t origsize;
1267 const struct xt_entry_match *ematch;
1271 ce = (struct compat_ip6t_entry __user *)*dstptr;
1272 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
1273 copy_to_user(&ce->counters, &counters[i],
1274 sizeof(counters[i])) != 0)
1277 *dstptr += sizeof(struct compat_ip6t_entry);
1278 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1280 xt_ematch_foreach(ematch, e) {
1281 ret = xt_compat_match_to_user(ematch, dstptr, size);
1285 target_offset = e->target_offset - (origsize - *size);
1286 t = ip6t_get_target(e);
1287 ret = xt_compat_target_to_user(t, dstptr, size);
1290 next_offset = e->next_offset - (origsize - *size);
1291 if (put_user(target_offset, &ce->target_offset) != 0 ||
1292 put_user(next_offset, &ce->next_offset) != 0)
1298 compat_find_calc_match(struct xt_entry_match *m,
1299 const struct ip6t_ip6 *ipv6,
1302 struct xt_match *match;
1304 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1305 m->u.user.revision);
1307 return PTR_ERR(match);
1309 m->u.kernel.match = match;
1310 *size += xt_compat_match_offset(match);
1314 static void compat_release_entry(struct compat_ip6t_entry *e)
1316 struct xt_entry_target *t;
1317 struct xt_entry_match *ematch;
1319 /* Cleanup all matches */
1320 xt_ematch_foreach(ematch, e)
1321 module_put(ematch->u.kernel.match->me);
1322 t = compat_ip6t_get_target(e);
1323 module_put(t->u.kernel.target->me);
1327 check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1328 struct xt_table_info *newinfo,
1330 const unsigned char *base,
1331 const unsigned char *limit)
1333 struct xt_entry_match *ematch;
1334 struct xt_entry_target *t;
1335 struct xt_target *target;
1336 unsigned int entry_offset;
1340 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
1341 (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit ||
1342 (unsigned char *)e + e->next_offset > limit)
1345 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1346 sizeof(struct compat_xt_entry_target))
1349 if (!ip6_checkentry(&e->ipv6))
1352 ret = xt_compat_check_entry_offsets(e, e->elems,
1353 e->target_offset, e->next_offset);
1357 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1358 entry_offset = (void *)e - (void *)base;
1360 xt_ematch_foreach(ematch, e) {
1361 ret = compat_find_calc_match(ematch, &e->ipv6, &off);
1363 goto release_matches;
1367 t = compat_ip6t_get_target(e);
1368 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1369 t->u.user.revision);
1370 if (IS_ERR(target)) {
1371 ret = PTR_ERR(target);
1372 goto release_matches;
1374 t->u.kernel.target = target;
1376 off += xt_compat_target_offset(target);
1378 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1385 module_put(t->u.kernel.target->me);
1387 xt_ematch_foreach(ematch, e) {
1390 module_put(ematch->u.kernel.match->me);
1396 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1398 struct xt_table_info *newinfo, unsigned char *base)
1400 struct xt_entry_target *t;
1401 struct ip6t_entry *de;
1402 unsigned int origsize;
1404 struct xt_entry_match *ematch;
1407 de = (struct ip6t_entry *)*dstptr;
1408 memcpy(de, e, sizeof(struct ip6t_entry));
1409 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1411 *dstptr += sizeof(struct ip6t_entry);
1412 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1414 xt_ematch_foreach(ematch, e)
1415 xt_compat_match_from_user(ematch, dstptr, size);
1417 de->target_offset = e->target_offset - (origsize - *size);
1418 t = compat_ip6t_get_target(e);
1419 xt_compat_target_from_user(t, dstptr, size);
1421 de->next_offset = e->next_offset - (origsize - *size);
1422 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1423 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1424 newinfo->hook_entry[h] -= origsize - *size;
1425 if ((unsigned char *)de - base < newinfo->underflow[h])
1426 newinfo->underflow[h] -= origsize - *size;
1431 translate_compat_table(struct net *net,
1432 struct xt_table_info **pinfo,
1434 const struct compat_ip6t_replace *compatr)
1437 struct xt_table_info *newinfo, *info;
1438 void *pos, *entry0, *entry1;
1439 struct compat_ip6t_entry *iter0;
1440 struct ip6t_replace repl;
1446 size = compatr->size;
1447 info->number = compatr->num_entries;
1450 xt_compat_lock(AF_INET6);
1451 xt_compat_init_offsets(AF_INET6, compatr->num_entries);
1452 /* Walk through entries, checking offsets. */
1453 xt_entry_foreach(iter0, entry0, compatr->size) {
1454 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
1456 entry0 + compatr->size);
1463 if (j != compatr->num_entries)
1467 newinfo = xt_alloc_table_info(size);
1471 newinfo->number = compatr->num_entries;
1472 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1473 newinfo->hook_entry[i] = compatr->hook_entry[i];
1474 newinfo->underflow[i] = compatr->underflow[i];
1476 entry1 = newinfo->entries;
1478 size = compatr->size;
1479 xt_entry_foreach(iter0, entry0, compatr->size)
1480 compat_copy_entry_from_user(iter0, &pos, &size,
1483 /* all module references in entry0 are now gone. */
1484 xt_compat_flush_offsets(AF_INET6);
1485 xt_compat_unlock(AF_INET6);
1487 memcpy(&repl, compatr, sizeof(*compatr));
1489 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1490 repl.hook_entry[i] = newinfo->hook_entry[i];
1491 repl.underflow[i] = newinfo->underflow[i];
1494 repl.num_counters = 0;
1495 repl.counters = NULL;
1496 repl.size = newinfo->size;
1497 ret = translate_table(net, newinfo, entry1, &repl);
1503 xt_free_table_info(info);
1507 xt_free_table_info(newinfo);
1510 xt_compat_flush_offsets(AF_INET6);
1511 xt_compat_unlock(AF_INET6);
1512 xt_entry_foreach(iter0, entry0, compatr->size) {
1515 compat_release_entry(iter0);
1521 compat_do_replace(struct net *net, void __user *user, unsigned int len)
1524 struct compat_ip6t_replace tmp;
1525 struct xt_table_info *newinfo;
1526 void *loc_cpu_entry;
1527 struct ip6t_entry *iter;
1529 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1532 /* overflow check */
1533 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1535 if (tmp.num_counters == 0)
1538 tmp.name[sizeof(tmp.name)-1] = 0;
1540 newinfo = xt_alloc_table_info(tmp.size);
1544 loc_cpu_entry = newinfo->entries;
1545 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1551 ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
1555 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1556 tmp.num_counters, compat_ptr(tmp.counters));
1558 goto free_newinfo_untrans;
1561 free_newinfo_untrans:
1562 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
1563 cleanup_entry(iter, net);
1565 xt_free_table_info(newinfo);
1570 compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1575 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1579 case IP6T_SO_SET_REPLACE:
1580 ret = compat_do_replace(sock_net(sk), user, len);
1583 case IP6T_SO_SET_ADD_COUNTERS:
1584 ret = do_add_counters(sock_net(sk), user, len, 1);
1594 struct compat_ip6t_get_entries {
1595 char name[XT_TABLE_MAXNAMELEN];
1597 struct compat_ip6t_entry entrytable[0];
1601 compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1602 void __user *userptr)
1604 struct xt_counters *counters;
1605 const struct xt_table_info *private = table->private;
1610 struct ip6t_entry *iter;
1612 counters = alloc_counters(table);
1613 if (IS_ERR(counters))
1614 return PTR_ERR(counters);
1618 xt_entry_foreach(iter, private->entries, total_size) {
1619 ret = compat_copy_entry_to_user(iter, &pos,
1620 &size, counters, i++);
1630 compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1634 struct compat_ip6t_get_entries get;
1637 if (*len < sizeof(get))
1640 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1643 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size)
1646 get.name[sizeof(get.name) - 1] = '\0';
1648 xt_compat_lock(AF_INET6);
1649 t = xt_find_table_lock(net, AF_INET6, get.name);
1650 if (!IS_ERR_OR_NULL(t)) {
1651 const struct xt_table_info *private = t->private;
1652 struct xt_table_info info;
1653 ret = compat_table_info(private, &info);
1654 if (!ret && get.size == info.size)
1655 ret = compat_copy_entries_to_user(private->size,
1656 t, uptr->entrytable);
1660 xt_compat_flush_offsets(AF_INET6);
1664 ret = t ? PTR_ERR(t) : -ENOENT;
1666 xt_compat_unlock(AF_INET6);
1670 static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1673 compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1677 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1681 case IP6T_SO_GET_INFO:
1682 ret = get_info(sock_net(sk), user, len, 1);
1684 case IP6T_SO_GET_ENTRIES:
1685 ret = compat_get_entries(sock_net(sk), user, len);
1688 ret = do_ip6t_get_ctl(sk, cmd, user, len);
1695 do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1699 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1703 case IP6T_SO_SET_REPLACE:
1704 ret = do_replace(sock_net(sk), user, len);
1707 case IP6T_SO_SET_ADD_COUNTERS:
1708 ret = do_add_counters(sock_net(sk), user, len, 0);
1719 do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1723 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1727 case IP6T_SO_GET_INFO:
1728 ret = get_info(sock_net(sk), user, len, 0);
1731 case IP6T_SO_GET_ENTRIES:
1732 ret = get_entries(sock_net(sk), user, len);
1735 case IP6T_SO_GET_REVISION_MATCH:
1736 case IP6T_SO_GET_REVISION_TARGET: {
1737 struct xt_get_revision rev;
1740 if (*len != sizeof(rev)) {
1744 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
1748 rev.name[sizeof(rev.name)-1] = 0;
1750 if (cmd == IP6T_SO_GET_REVISION_TARGET)
1755 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
1758 "ip6t_%s", rev.name);
1769 static void __ip6t_unregister_table(struct net *net, struct xt_table *table)
1771 struct xt_table_info *private;
1772 void *loc_cpu_entry;
1773 struct module *table_owner = table->me;
1774 struct ip6t_entry *iter;
1776 private = xt_unregister_table(table);
1778 /* Decrease module usage counts and free resources */
1779 loc_cpu_entry = private->entries;
1780 xt_entry_foreach(iter, loc_cpu_entry, private->size)
1781 cleanup_entry(iter, net);
1782 if (private->number > private->initial_entries)
1783 module_put(table_owner);
1784 xt_free_table_info(private);
1787 int ip6t_register_table(struct net *net, const struct xt_table *table,
1788 const struct ip6t_replace *repl,
1789 const struct nf_hook_ops *ops,
1790 struct xt_table **res)
1793 struct xt_table_info *newinfo;
1794 struct xt_table_info bootstrap = {0};
1795 void *loc_cpu_entry;
1796 struct xt_table *new_table;
1798 newinfo = xt_alloc_table_info(repl->size);
1802 loc_cpu_entry = newinfo->entries;
1803 memcpy(loc_cpu_entry, repl->entries, repl->size);
1805 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
1809 new_table = xt_register_table(net, table, &bootstrap, newinfo);
1810 if (IS_ERR(new_table)) {
1811 ret = PTR_ERR(new_table);
1815 /* set res now, will see skbs right after nf_register_net_hooks */
1816 WRITE_ONCE(*res, new_table);
1818 ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
1820 __ip6t_unregister_table(net, new_table);
1827 xt_free_table_info(newinfo);
1831 void ip6t_unregister_table(struct net *net, struct xt_table *table,
1832 const struct nf_hook_ops *ops)
1834 nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
1835 __ip6t_unregister_table(net, table);
1838 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
1840 icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
1841 u_int8_t type, u_int8_t code,
1844 return (type == test_type && code >= min_code && code <= max_code)
1849 icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
1851 const struct icmp6hdr *ic;
1852 struct icmp6hdr _icmph;
1853 const struct ip6t_icmp *icmpinfo = par->matchinfo;
1855 /* Must not be a fragment. */
1856 if (par->fragoff != 0)
1859 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
1861 /* We've been asked to examine this packet, and we
1862 * can't. Hence, no choice but to drop.
1864 par->hotdrop = true;
1868 return icmp6_type_code_match(icmpinfo->type,
1871 ic->icmp6_type, ic->icmp6_code,
1872 !!(icmpinfo->invflags&IP6T_ICMP_INV));
1875 /* Called when user tries to insert an entry of this type. */
1876 static int icmp6_checkentry(const struct xt_mtchk_param *par)
1878 const struct ip6t_icmp *icmpinfo = par->matchinfo;
1880 /* Must specify no unknown invflags */
1881 return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
1884 /* The built-in targets: standard (NULL) and error. */
1885 static struct xt_target ip6t_builtin_tg[] __read_mostly = {
1887 .name = XT_STANDARD_TARGET,
1888 .targetsize = sizeof(int),
1889 .family = NFPROTO_IPV6,
1890 #ifdef CONFIG_COMPAT
1891 .compatsize = sizeof(compat_int_t),
1892 .compat_from_user = compat_standard_from_user,
1893 .compat_to_user = compat_standard_to_user,
1897 .name = XT_ERROR_TARGET,
1898 .target = ip6t_error,
1899 .targetsize = XT_FUNCTION_MAXNAMELEN,
1900 .family = NFPROTO_IPV6,
1904 static struct nf_sockopt_ops ip6t_sockopts = {
1906 .set_optmin = IP6T_BASE_CTL,
1907 .set_optmax = IP6T_SO_SET_MAX+1,
1908 .set = do_ip6t_set_ctl,
1909 #ifdef CONFIG_COMPAT
1910 .compat_set = compat_do_ip6t_set_ctl,
1912 .get_optmin = IP6T_BASE_CTL,
1913 .get_optmax = IP6T_SO_GET_MAX+1,
1914 .get = do_ip6t_get_ctl,
1915 #ifdef CONFIG_COMPAT
1916 .compat_get = compat_do_ip6t_get_ctl,
1918 .owner = THIS_MODULE,
1921 static struct xt_match ip6t_builtin_mt[] __read_mostly = {
1924 .match = icmp6_match,
1925 .matchsize = sizeof(struct ip6t_icmp),
1926 .checkentry = icmp6_checkentry,
1927 .proto = IPPROTO_ICMPV6,
1928 .family = NFPROTO_IPV6,
1932 static int __net_init ip6_tables_net_init(struct net *net)
1934 return xt_proto_init(net, NFPROTO_IPV6);
1937 static void __net_exit ip6_tables_net_exit(struct net *net)
1939 xt_proto_fini(net, NFPROTO_IPV6);
1942 static struct pernet_operations ip6_tables_net_ops = {
1943 .init = ip6_tables_net_init,
1944 .exit = ip6_tables_net_exit,
1947 static int __init ip6_tables_init(void)
1951 ret = register_pernet_subsys(&ip6_tables_net_ops);
1955 /* No one else will be downing sem now, so we won't sleep */
1956 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
1959 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
1963 /* Register setsockopt */
1964 ret = nf_register_sockopt(&ip6t_sockopts);
1968 pr_info("(C) 2000-2006 Netfilter Core Team\n");
1972 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
1974 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
1976 unregister_pernet_subsys(&ip6_tables_net_ops);
1981 static void __exit ip6_tables_fini(void)
1983 nf_unregister_sockopt(&ip6t_sockopts);
1985 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
1986 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
1987 unregister_pernet_subsys(&ip6_tables_net_ops);
1990 EXPORT_SYMBOL(ip6t_register_table);
1991 EXPORT_SYMBOL(ip6t_unregister_table);
1992 EXPORT_SYMBOL(ip6t_do_table);
1994 module_init(ip6_tables_init);
1995 module_exit(ip6_tables_fini);
OSDN Git Service
