1 /* 2 * x_tables core - Backend for {ip,ip6,arp}_tables 3 * 4 * Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org> 5 * 6 * Based on existing ip_tables code which is 7 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling 8 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org> 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License version 2 as 12 * published by the Free Software Foundation. 13 * 14 */ 15 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 16 #include <linux/kernel.h> 17 #include <linux/module.h> 18 #include <linux/socket.h> 19 #include <linux/net.h> 20 #include <linux/proc_fs.h> 21 #include <linux/seq_file.h> 22 #include <linux/string.h> 23 #include <linux/vmalloc.h> 24 #include <linux/mutex.h> 25 #include <linux/mm.h> 26 #include <linux/slab.h> 27 #include <linux/audit.h> 28 #include <net/net_namespace.h> 29 30 #include <linux/netfilter/x_tables.h> 31 #include <linux/netfilter_arp.h> 32 #include <linux/netfilter_ipv4/ip_tables.h> 33 #include <linux/netfilter_ipv6/ip6_tables.h> 34 #include <linux/netfilter_arp/arp_tables.h> 35 36 MODULE_LICENSE("GPL"); 37 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); 38 MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module"); 39 40 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1)) 41 42 struct compat_delta { 43 unsigned int offset; /* offset in kernel */ 44 int delta; /* delta in 32bit user land */ 45 }; 46 47 struct xt_af { 48 struct mutex mutex; 49 struct list_head match; 50 struct list_head target; 51 #ifdef CONFIG_COMPAT 52 struct mutex compat_mutex; 53 struct compat_delta *compat_tab; 54 unsigned int number; /* number of slots in compat_tab[] */ 55 unsigned int cur; /* number of used slots in compat_tab[] */ 56 #endif 57 }; 58 59 static struct xt_af *xt; 60 61 static const char *const xt_prefix[NFPROTO_NUMPROTO] = { 62 [NFPROTO_UNSPEC] = "x", 63 [NFPROTO_IPV4] = "ip", 64 [NFPROTO_ARP] = "arp", 65 [NFPROTO_BRIDGE] = "eb", 66 [NFPROTO_IPV6] = "ip6", 67 }; 68 69 /* Allow this many total (re)entries. */ 70 static const unsigned int xt_jumpstack_multiplier = 2; 71 72 /* Registration hooks for targets. */ 73 int 74 xt_register_target(struct xt_target *target) 75 { 76 u_int8_t af = target->family; 77 int ret; 78 79 ret = mutex_lock_interruptible(&xt[af].mutex); 80 if (ret != 0) 81 return ret; 82 list_add(&target->list, &xt[af].target); 83 mutex_unlock(&xt[af].mutex); 84 return ret; 85 } 86 EXPORT_SYMBOL(xt_register_target); 87 88 void 89 xt_unregister_target(struct xt_target *target) 90 { 91 u_int8_t af = target->family; 92 93 mutex_lock(&xt[af].mutex); 94 list_del(&target->list); 95 mutex_unlock(&xt[af].mutex); 96 } 97 EXPORT_SYMBOL(xt_unregister_target); 98 99 int 100 xt_register_targets(struct xt_target *target, unsigned int n) 101 { 102 unsigned int i; 103 int err = 0; 104 105 for (i = 0; i < n; i++) { 106 err = xt_register_target(&target[i]); 107 if (err) 108 goto err; 109 } 110 return err; 111 112 err: 113 if (i > 0) 114 xt_unregister_targets(target, i); 115 return err; 116 } 117 EXPORT_SYMBOL(xt_register_targets); 118 119 void 120 xt_unregister_targets(struct xt_target *target, unsigned int n) 121 { 122 while (n-- > 0) 123 xt_unregister_target(&target[n]); 124 } 125 EXPORT_SYMBOL(xt_unregister_targets); 126 127 int 128 xt_register_match(struct xt_match *match) 129 { 130 u_int8_t af = match->family; 131 int ret; 132 133 ret = mutex_lock_interruptible(&xt[af].mutex); 134 if (ret != 0) 135 return ret; 136 137 list_add(&match->list, &xt[af].match); 138 mutex_unlock(&xt[af].mutex); 139 140 return ret; 141 } 142 EXPORT_SYMBOL(xt_register_match); 143 144 void 145 xt_unregister_match(struct xt_match *match) 146 { 147 u_int8_t af = match->family; 148 149 mutex_lock(&xt[af].mutex); 150 list_del(&match->list); 151 mutex_unlock(&xt[af].mutex); 152 } 153 EXPORT_SYMBOL(xt_unregister_match); 154 155 int 156 xt_register_matches(struct xt_match *match, unsigned int n) 157 { 158 unsigned int i; 159 int err = 0; 160 161 for (i = 0; i < n; i++) { 162 err = xt_register_match(&match[i]); 163 if (err) 164 goto err; 165 } 166 return err; 167 168 err: 169 if (i > 0) 170 xt_unregister_matches(match, i); 171 return err; 172 } 173 EXPORT_SYMBOL(xt_register_matches); 174 175 void 176 xt_unregister_matches(struct xt_match *match, unsigned int n) 177 { 178 while (n-- > 0) 179 xt_unregister_match(&match[n]); 180 } 181 EXPORT_SYMBOL(xt_unregister_matches); 182 183 184 /* 185 * These are weird, but module loading must not be done with mutex 186 * held (since they will register), and we have to have a single 187 * function to use. 188 */ 189 190 /* Find match, grabs ref. Returns ERR_PTR() on error. */ 191 struct xt_match *xt_find_match(u8 af, const char *name, u8 revision) 192 { 193 struct xt_match *m; 194 int err = -ENOENT; 195 196 if (mutex_lock_interruptible(&xt[af].mutex) != 0) 197 return ERR_PTR(-EINTR); 198 199 list_for_each_entry(m, &xt[af].match, list) { 200 if (strcmp(m->name, name) == 0) { 201 if (m->revision == revision) { 202 if (try_module_get(m->me)) { 203 mutex_unlock(&xt[af].mutex); 204 return m; 205 } 206 } else 207 err = -EPROTOTYPE; /* Found something. */ 208 } 209 } 210 mutex_unlock(&xt[af].mutex); 211 212 if (af != NFPROTO_UNSPEC) 213 /* Try searching again in the family-independent list */ 214 return xt_find_match(NFPROTO_UNSPEC, name, revision); 215 216 return ERR_PTR(err); 217 } 218 EXPORT_SYMBOL(xt_find_match); 219 220 struct xt_match * 221 xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision) 222 { 223 struct xt_match *match; 224 225 match = xt_find_match(nfproto, name, revision); 226 if (IS_ERR(match)) { 227 request_module("%st_%s", xt_prefix[nfproto], name); 228 match = xt_find_match(nfproto, name, revision); 229 } 230 231 return match; 232 } 233 EXPORT_SYMBOL_GPL(xt_request_find_match); 234 235 /* Find target, grabs ref. Returns ERR_PTR() on error. */ 236 struct xt_target *xt_find_target(u8 af, const char *name, u8 revision) 237 { 238 struct xt_target *t; 239 int err = -ENOENT; 240 241 if (mutex_lock_interruptible(&xt[af].mutex) != 0) 242 return ERR_PTR(-EINTR); 243 244 list_for_each_entry(t, &xt[af].target, list) { 245 if (strcmp(t->name, name) == 0) { 246 if (t->revision == revision) { 247 if (try_module_get(t->me)) { 248 mutex_unlock(&xt[af].mutex); 249 return t; 250 } 251 } else 252 err = -EPROTOTYPE; /* Found something. */ 253 } 254 } 255 mutex_unlock(&xt[af].mutex); 256 257 if (af != NFPROTO_UNSPEC) 258 /* Try searching again in the family-independent list */ 259 return xt_find_target(NFPROTO_UNSPEC, name, revision); 260 261 return ERR_PTR(err); 262 } 263 EXPORT_SYMBOL(xt_find_target); 264 265 struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision) 266 { 267 struct xt_target *target; 268 269 target = xt_find_target(af, name, revision); 270 if (IS_ERR(target)) { 271 request_module("%st_%s", xt_prefix[af], name); 272 target = xt_find_target(af, name, revision); 273 } 274 275 return target; 276 } 277 EXPORT_SYMBOL_GPL(xt_request_find_target); 278 279 static int match_revfn(u8 af, const char *name, u8 revision, int *bestp) 280 { 281 const struct xt_match *m; 282 int have_rev = 0; 283 284 list_for_each_entry(m, &xt[af].match, list) { 285 if (strcmp(m->name, name) == 0) { 286 if (m->revision > *bestp) 287 *bestp = m->revision; 288 if (m->revision == revision) 289 have_rev = 1; 290 } 291 } 292 293 if (af != NFPROTO_UNSPEC && !have_rev) 294 return match_revfn(NFPROTO_UNSPEC, name, revision, bestp); 295 296 return have_rev; 297 } 298 299 static int target_revfn(u8 af, const char *name, u8 revision, int *bestp) 300 { 301 const struct xt_target *t; 302 int have_rev = 0; 303 304 list_for_each_entry(t, &xt[af].target, list) { 305 if (strcmp(t->name, name) == 0) { 306 if (t->revision > *bestp) 307 *bestp = t->revision; 308 if (t->revision == revision) 309 have_rev = 1; 310 } 311 } 312 313 if (af != NFPROTO_UNSPEC && !have_rev) 314 return target_revfn(NFPROTO_UNSPEC, name, revision, bestp); 315 316 return have_rev; 317 } 318 319 /* Returns true or false (if no such extension at all) */ 320 int xt_find_revision(u8 af, const char *name, u8 revision, int target, 321 int *err) 322 { 323 int have_rev, best = -1; 324 325 if (mutex_lock_interruptible(&xt[af].mutex) != 0) { 326 *err = -EINTR; 327 return 1; 328 } 329 if (target == 1) 330 have_rev = target_revfn(af, name, revision, &best); 331 else 332 have_rev = match_revfn(af, name, revision, &best); 333 mutex_unlock(&xt[af].mutex); 334 335 /* Nothing at all? Return 0 to try loading module. */ 336 if (best == -1) { 337 *err = -ENOENT; 338 return 0; 339 } 340 341 *err = best; 342 if (!have_rev) 343 *err = -EPROTONOSUPPORT; 344 return 1; 345 } 346 EXPORT_SYMBOL_GPL(xt_find_revision); 347 348 static char *textify_hooks(char *buf, size_t size, unsigned int mask) 349 { 350 static const char *const names[] = { 351 "PREROUTING", "INPUT", "FORWARD", 352 "OUTPUT", "POSTROUTING", "BROUTING", 353 }; 354 unsigned int i; 355 char *p = buf; 356 bool np = false; 357 int res; 358 359 *p = '\0'; 360 for (i = 0; i < ARRAY_SIZE(names); ++i) { 361 if (!(mask & (1 << i))) 362 continue; 363 res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]); 364 if (res > 0) { 365 size -= res; 366 p += res; 367 } 368 np = true; 369 } 370 371 return buf; 372 } 373 374 int xt_check_match(struct xt_mtchk_param *par, 375 unsigned int size, u_int8_t proto, bool inv_proto) 376 { 377 int ret; 378 379 if (XT_ALIGN(par->match->matchsize) != size && 380 par->match->matchsize != -1) { 381 /* 382 * ebt_among is exempt from centralized matchsize checking 383 * because it uses a dynamic-size data set. 384 */ 385 pr_err("%s_tables: %s.%u match: invalid size " 386 "%u (kernel) != (user) %u\n", 387 xt_prefix[par->family], par->match->name, 388 par->match->revision, 389 XT_ALIGN(par->match->matchsize), size); 390 return -EINVAL; 391 } 392 if (par->match->table != NULL && 393 strcmp(par->match->table, par->table) != 0) { 394 pr_err("%s_tables: %s match: only valid in %s table, not %s\n", 395 xt_prefix[par->family], par->match->name, 396 par->match->table, par->table); 397 return -EINVAL; 398 } 399 if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) { 400 char used[64], allow[64]; 401 402 pr_err("%s_tables: %s match: used from hooks %s, but only " 403 "valid from %s\n", 404 xt_prefix[par->family], par->match->name, 405 textify_hooks(used, sizeof(used), par->hook_mask), 406 textify_hooks(allow, sizeof(allow), par->match->hooks)); 407 return -EINVAL; 408 } 409 if (par->match->proto && (par->match->proto != proto || inv_proto)) { 410 pr_err("%s_tables: %s match: only valid for protocol %u\n", 411 xt_prefix[par->family], par->match->name, 412 par->match->proto); 413 return -EINVAL; 414 } 415 if (par->match->checkentry != NULL) { 416 ret = par->match->checkentry(par); 417 if (ret < 0) 418 return ret; 419 else if (ret > 0) 420 /* Flag up potential errors. */ 421 return -EIO; 422 } 423 return 0; 424 } 425 EXPORT_SYMBOL_GPL(xt_check_match); 426 427 #ifdef CONFIG_COMPAT 428 int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta) 429 { 430 struct xt_af *xp = &xt[af]; 431 432 if (!xp->compat_tab) { 433 if (!xp->number) 434 return -EINVAL; 435 xp->compat_tab = vmalloc(sizeof(struct compat_delta) * xp->number); 436 if (!xp->compat_tab) 437 return -ENOMEM; 438 xp->cur = 0; 439 } 440 441 if (xp->cur >= xp->number) 442 return -EINVAL; 443 444 if (xp->cur) 445 delta += xp->compat_tab[xp->cur - 1].delta; 446 xp->compat_tab[xp->cur].offset = offset; 447 xp->compat_tab[xp->cur].delta = delta; 448 xp->cur++; 449 return 0; 450 } 451 EXPORT_SYMBOL_GPL(xt_compat_add_offset); 452 453 void xt_compat_flush_offsets(u_int8_t af) 454 { 455 if (xt[af].compat_tab) { 456 vfree(xt[af].compat_tab); 457 xt[af].compat_tab = NULL; 458 xt[af].number = 0; 459 xt[af].cur = 0; 460 } 461 } 462 EXPORT_SYMBOL_GPL(xt_compat_flush_offsets); 463 464 int xt_compat_calc_jump(u_int8_t af, unsigned int offset) 465 { 466 struct compat_delta *tmp = xt[af].compat_tab; 467 int mid, left = 0, right = xt[af].cur - 1; 468 469 while (left <= right) { 470 mid = (left + right) >> 1; 471 if (offset > tmp[mid].offset) 472 left = mid + 1; 473 else if (offset < tmp[mid].offset) 474 right = mid - 1; 475 else 476 return mid ? tmp[mid - 1].delta : 0; 477 } 478 return left ? tmp[left - 1].delta : 0; 479 } 480 EXPORT_SYMBOL_GPL(xt_compat_calc_jump); 481 482 void xt_compat_init_offsets(u_int8_t af, unsigned int number) 483 { 484 xt[af].number = number; 485 xt[af].cur = 0; 486 } 487 EXPORT_SYMBOL(xt_compat_init_offsets); 488 489 int xt_compat_match_offset(const struct xt_match *match) 490 { 491 u_int16_t csize = match->compatsize ? : match->matchsize; 492 return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize); 493 } 494 EXPORT_SYMBOL_GPL(xt_compat_match_offset); 495 496 int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, 497 unsigned int *size) 498 { 499 const struct xt_match *match = m->u.kernel.match; 500 struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; 501 int pad, off = xt_compat_match_offset(match); 502 u_int16_t msize = cm->u.user.match_size; 503 504 m = *dstptr; 505 memcpy(m, cm, sizeof(*cm)); 506 if (match->compat_from_user) 507 match->compat_from_user(m->data, cm->data); 508 else 509 memcpy(m->data, cm->data, msize - sizeof(*cm)); 510 pad = XT_ALIGN(match->matchsize) - match->matchsize; 511 if (pad > 0) 512 memset(m->data + match->matchsize, 0, pad); 513 514 msize += off; 515 m->u.user.match_size = msize; 516 517 *size += off; 518 *dstptr += msize; 519 return 0; 520 } 521 EXPORT_SYMBOL_GPL(xt_compat_match_from_user); 522 523 int xt_compat_match_to_user(const struct xt_entry_match *m, 524 void __user **dstptr, unsigned int *size) 525 { 526 const struct xt_match *match = m->u.kernel.match; 527 struct compat_xt_entry_match __user *cm = *dstptr; 528 int off = xt_compat_match_offset(match); 529 u_int16_t msize = m->u.user.match_size - off; 530 531 if (copy_to_user(cm, m, sizeof(*cm)) || 532 put_user(msize, &cm->u.user.match_size) || 533 copy_to_user(cm->u.user.name, m->u.kernel.match->name, 534 strlen(m->u.kernel.match->name) + 1)) 535 return -EFAULT; 536 537 if (match->compat_to_user) { 538 if (match->compat_to_user((void __user *)cm->data, m->data)) 539 return -EFAULT; 540 } else { 541 if (copy_to_user(cm->data, m->data, msize - sizeof(*cm))) 542 return -EFAULT; 543 } 544 545 *size -= off; 546 *dstptr += msize; 547 return 0; 548 } 549 EXPORT_SYMBOL_GPL(xt_compat_match_to_user); 550 #endif /* CONFIG_COMPAT */ 551 552 int xt_check_target(struct xt_tgchk_param *par, 553 unsigned int size, u_int8_t proto, bool inv_proto) 554 { 555 int ret; 556 557 if (XT_ALIGN(par->target->targetsize) != size) { 558 pr_err("%s_tables: %s.%u target: invalid size " 559 "%u (kernel) != (user) %u\n", 560 xt_prefix[par->family], par->target->name, 561 par->target->revision, 562 XT_ALIGN(par->target->targetsize), size); 563 return -EINVAL; 564 } 565 if (par->target->table != NULL && 566 strcmp(par->target->table, par->table) != 0) { 567 pr_err("%s_tables: %s target: only valid in %s table, not %s\n", 568 xt_prefix[par->family], par->target->name, 569 par->target->table, par->table); 570 return -EINVAL; 571 } 572 if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) { 573 char used[64], allow[64]; 574 575 pr_err("%s_tables: %s target: used from hooks %s, but only " 576 "usable from %s\n", 577 xt_prefix[par->family], par->target->name, 578 textify_hooks(used, sizeof(used), par->hook_mask), 579 textify_hooks(allow, sizeof(allow), par->target->hooks)); 580 return -EINVAL; 581 } 582 if (par->target->proto && (par->target->proto != proto || inv_proto)) { 583 pr_err("%s_tables: %s target: only valid for protocol %u\n", 584 xt_prefix[par->family], par->target->name, 585 par->target->proto); 586 return -EINVAL; 587 } 588 if (par->target->checkentry != NULL) { 589 ret = par->target->checkentry(par); 590 if (ret < 0) 591 return ret; 592 else if (ret > 0) 593 /* Flag up potential errors. */ 594 return -EIO; 595 } 596 return 0; 597 } 598 EXPORT_SYMBOL_GPL(xt_check_target); 599 600 #ifdef CONFIG_COMPAT 601 int xt_compat_target_offset(const struct xt_target *target) 602 { 603 u_int16_t csize = target->compatsize ? : target->targetsize; 604 return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize); 605 } 606 EXPORT_SYMBOL_GPL(xt_compat_target_offset); 607 608 void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, 609 unsigned int *size) 610 { 611 const struct xt_target *target = t->u.kernel.target; 612 struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; 613 int pad, off = xt_compat_target_offset(target); 614 u_int16_t tsize = ct->u.user.target_size; 615 616 t = *dstptr; 617 memcpy(t, ct, sizeof(*ct)); 618 if (target->compat_from_user) 619 target->compat_from_user(t->data, ct->data); 620 else 621 memcpy(t->data, ct->data, tsize - sizeof(*ct)); 622 pad = XT_ALIGN(target->targetsize) - target->targetsize; 623 if (pad > 0) 624 memset(t->data + target->targetsize, 0, pad); 625 626 tsize += off; 627 t->u.user.target_size = tsize; 628 629 *size += off; 630 *dstptr += tsize; 631 } 632 EXPORT_SYMBOL_GPL(xt_compat_target_from_user); 633 634 int xt_compat_target_to_user(const struct xt_entry_target *t, 635 void __user **dstptr, unsigned int *size) 636 { 637 const struct xt_target *target = t->u.kernel.target; 638 struct compat_xt_entry_target __user *ct = *dstptr; 639 int off = xt_compat_target_offset(target); 640 u_int16_t tsize = t->u.user.target_size - off; 641 642 if (copy_to_user(ct, t, sizeof(*ct)) || 643 put_user(tsize, &ct->u.user.target_size) || 644 copy_to_user(ct->u.user.name, t->u.kernel.target->name, 645 strlen(t->u.kernel.target->name) + 1)) 646 return -EFAULT; 647 648 if (target->compat_to_user) { 649 if (target->compat_to_user((void __user *)ct->data, t->data)) 650 return -EFAULT; 651 } else { 652 if (copy_to_user(ct->data, t->data, tsize - sizeof(*ct))) 653 return -EFAULT; 654 } 655 656 *size -= off; 657 *dstptr += tsize; 658 return 0; 659 } 660 EXPORT_SYMBOL_GPL(xt_compat_target_to_user); 661 #endif 662 663 struct xt_table_info *xt_alloc_table_info(unsigned int size) 664 { 665 struct xt_table_info *newinfo; 666 int cpu; 667 668 /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ 669 if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) 670 return NULL; 671 672 newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL); 673 if (!newinfo) 674 return NULL; 675 676 newinfo->size = size; 677 678 for_each_possible_cpu(cpu) { 679 if (size <= PAGE_SIZE) 680 newinfo->entries[cpu] = kmalloc_node(size, 681 GFP_KERNEL, 682 cpu_to_node(cpu)); 683 else 684 newinfo->entries[cpu] = vmalloc_node(size, 685 cpu_to_node(cpu)); 686 687 if (newinfo->entries[cpu] == NULL) { 688 xt_free_table_info(newinfo); 689 return NULL; 690 } 691 } 692 693 return newinfo; 694 } 695 EXPORT_SYMBOL(xt_alloc_table_info); 696 697 void xt_free_table_info(struct xt_table_info *info) 698 { 699 int cpu; 700 701 for_each_possible_cpu(cpu) { 702 if (info->size <= PAGE_SIZE) 703 kfree(info->entries[cpu]); 704 else 705 vfree(info->entries[cpu]); 706 } 707 708 if (info->jumpstack != NULL) { 709 if (sizeof(void *) * info->stacksize > PAGE_SIZE) { 710 for_each_possible_cpu(cpu) 711 vfree(info->jumpstack[cpu]); 712 } else { 713 for_each_possible_cpu(cpu) 714 kfree(info->jumpstack[cpu]); 715 } 716 } 717 718 if (sizeof(void **) * nr_cpu_ids > PAGE_SIZE) 719 vfree(info->jumpstack); 720 else 721 kfree(info->jumpstack); 722 723 free_percpu(info->stackptr); 724 725 kfree(info); 726 } 727 EXPORT_SYMBOL(xt_free_table_info); 728 729 /* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */ 730 struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af, 731 const char *name) 732 { 733 struct xt_table *t; 734 735 if (mutex_lock_interruptible(&xt[af].mutex) != 0) 736 return ERR_PTR(-EINTR); 737 738 list_for_each_entry(t, &net->xt.tables[af], list) 739 if (strcmp(t->name, name) == 0 && try_module_get(t->me)) 740 return t; 741 mutex_unlock(&xt[af].mutex); 742 return NULL; 743 } 744 EXPORT_SYMBOL_GPL(xt_find_table_lock); 745 746 void xt_table_unlock(struct xt_table *table) 747 { 748 mutex_unlock(&xt[table->af].mutex); 749 } 750 EXPORT_SYMBOL_GPL(xt_table_unlock); 751 752 #ifdef CONFIG_COMPAT 753 void xt_compat_lock(u_int8_t af) 754 { 755 mutex_lock(&xt[af].compat_mutex); 756 } 757 EXPORT_SYMBOL_GPL(xt_compat_lock); 758 759 void xt_compat_unlock(u_int8_t af) 760 { 761 mutex_unlock(&xt[af].compat_mutex); 762 } 763 EXPORT_SYMBOL_GPL(xt_compat_unlock); 764 #endif 765 766 DEFINE_PER_CPU(seqcount_t, xt_recseq); 767 EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq); 768 769 static int xt_jumpstack_alloc(struct xt_table_info *i) 770 { 771 unsigned int size; 772 int cpu; 773 774 i->stackptr = alloc_percpu(unsigned int); 775 if (i->stackptr == NULL) 776 return -ENOMEM; 777 778 size = sizeof(void **) * nr_cpu_ids; 779 if (size > PAGE_SIZE) 780 i->jumpstack = vzalloc(size); 781 else 782 i->jumpstack = kzalloc(size, GFP_KERNEL); 783 if (i->jumpstack == NULL) 784 return -ENOMEM; 785 786 i->stacksize *= xt_jumpstack_multiplier; 787 size = sizeof(void *) * i->stacksize; 788 for_each_possible_cpu(cpu) { 789 if (size > PAGE_SIZE) 790 i->jumpstack[cpu] = vmalloc_node(size, 791 cpu_to_node(cpu)); 792 else 793 i->jumpstack[cpu] = kmalloc_node(size, 794 GFP_KERNEL, cpu_to_node(cpu)); 795 if (i->jumpstack[cpu] == NULL) 796 /* 797 * Freeing will be done later on by the callers. The 798 * chain is: xt_replace_table -> __do_replace -> 799 * do_replace -> xt_free_table_info. 800 */ 801 return -ENOMEM; 802 } 803 804 return 0; 805 } 806 807 struct xt_table_info * 808 xt_replace_table(struct xt_table *table, 809 unsigned int num_counters, 810 struct xt_table_info *newinfo, 811 int *error) 812 { 813 struct xt_table_info *private; 814 int ret; 815 816 ret = xt_jumpstack_alloc(newinfo); 817 if (ret < 0) { 818 *error = ret; 819 return NULL; 820 } 821 822 /* Do the substitution. */ 823 local_bh_disable(); 824 private = table->private; 825 826 /* Check inside lock: is the old number correct? */ 827 if (num_counters != private->number) { 828 pr_debug("num_counters != table->private->number (%u/%u)\n", 829 num_counters, private->number); 830 local_bh_enable(); 831 *error = -EAGAIN; 832 return NULL; 833 } 834 835 table->private = newinfo; 836 newinfo->initial_entries = private->initial_entries; 837 838 /* 839 * Even though table entries have now been swapped, other CPU's 840 * may still be using the old entries. This is okay, because 841 * resynchronization happens because of the locking done 842 * during the get_counters() routine. 843 */ 844 local_bh_enable(); 845 846 #ifdef CONFIG_AUDIT 847 if (audit_enabled) { 848 struct audit_buffer *ab; 849 850 ab = audit_log_start(current->audit_context, GFP_KERNEL, 851 AUDIT_NETFILTER_CFG); 852 if (ab) { 853 audit_log_format(ab, "table=%s family=%u entries=%u", 854 table->name, table->af, 855 private->number); 856 audit_log_end(ab); 857 } 858 } 859 #endif 860 861 return private; 862 } 863 EXPORT_SYMBOL_GPL(xt_replace_table); 864 865 struct xt_table *xt_register_table(struct net *net, 866 const struct xt_table *input_table, 867 struct xt_table_info *bootstrap, 868 struct xt_table_info *newinfo) 869 { 870 int ret; 871 struct xt_table_info *private; 872 struct xt_table *t, *table; 873 874 /* Don't add one object to multiple lists. */ 875 table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL); 876 if (!table) { 877 ret = -ENOMEM; 878 goto out; 879 } 880 881 ret = mutex_lock_interruptible(&xt[table->af].mutex); 882 if (ret != 0) 883 goto out_free; 884 885 /* Don't autoload: we'd eat our tail... */ 886 list_for_each_entry(t, &net->xt.tables[table->af], list) { 887 if (strcmp(t->name, table->name) == 0) { 888 ret = -EEXIST; 889 goto unlock; 890 } 891 } 892 893 /* Simplifies replace_table code. */ 894 table->private = bootstrap; 895 896 if (!xt_replace_table(table, 0, newinfo, &ret)) 897 goto unlock; 898 899 private = table->private; 900 pr_debug("table->private->number = %u\n", private->number); 901 902 /* save number of initial entries */ 903 private->initial_entries = private->number; 904 905 list_add(&table->list, &net->xt.tables[table->af]); 906 mutex_unlock(&xt[table->af].mutex); 907 return table; 908 909 unlock: 910 mutex_unlock(&xt[table->af].mutex); 911 out_free: 912 kfree(table); 913 out: 914 return ERR_PTR(ret); 915 } 916 EXPORT_SYMBOL_GPL(xt_register_table); 917 918 void *xt_unregister_table(struct xt_table *table) 919 { 920 struct xt_table_info *private; 921 922 mutex_lock(&xt[table->af].mutex); 923 private = table->private; 924 list_del(&table->list); 925 mutex_unlock(&xt[table->af].mutex); 926 kfree(table); 927 928 return private; 929 } 930 EXPORT_SYMBOL_GPL(xt_unregister_table); 931 932 #ifdef CONFIG_PROC_FS 933 struct xt_names_priv { 934 struct seq_net_private p; 935 u_int8_t af; 936 }; 937 static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos) 938 { 939 struct xt_names_priv *priv = seq->private; 940 struct net *net = seq_file_net(seq); 941 u_int8_t af = priv->af; 942 943 mutex_lock(&xt[af].mutex); 944 return seq_list_start(&net->xt.tables[af], *pos); 945 } 946 947 static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos) 948 { 949 struct xt_names_priv *priv = seq->private; 950 struct net *net = seq_file_net(seq); 951 u_int8_t af = priv->af; 952 953 return seq_list_next(v, &net->xt.tables[af], pos); 954 } 955 956 static void xt_table_seq_stop(struct seq_file *seq, void *v) 957 { 958 struct xt_names_priv *priv = seq->private; 959 u_int8_t af = priv->af; 960 961 mutex_unlock(&xt[af].mutex); 962 } 963 964 static int xt_table_seq_show(struct seq_file *seq, void *v) 965 { 966 struct xt_table *table = list_entry(v, struct xt_table, list); 967 968 if (strlen(table->name)) 969 return seq_printf(seq, "%s\n", table->name); 970 else 971 return 0; 972 } 973 974 static const struct seq_operations xt_table_seq_ops = { 975 .start = xt_table_seq_start, 976 .next = xt_table_seq_next, 977 .stop = xt_table_seq_stop, 978 .show = xt_table_seq_show, 979 }; 980 981 static int xt_table_open(struct inode *inode, struct file *file) 982 { 983 int ret; 984 struct xt_names_priv *priv; 985 986 ret = seq_open_net(inode, file, &xt_table_seq_ops, 987 sizeof(struct xt_names_priv)); 988 if (!ret) { 989 priv = ((struct seq_file *)file->private_data)->private; 990 priv->af = (unsigned long)PDE(inode)->data; 991 } 992 return ret; 993 } 994 995 static const struct file_operations xt_table_ops = { 996 .owner = THIS_MODULE, 997 .open = xt_table_open, 998 .read = seq_read, 999 .llseek = seq_lseek, 1000 .release = seq_release_net, 1001 }; 1002 1003 /* 1004 * Traverse state for ip{,6}_{tables,matches} for helping crossing 1005 * the multi-AF mutexes. 1006 */ 1007 struct nf_mttg_trav { 1008 struct list_head *head, *curr; 1009 uint8_t class, nfproto; 1010 }; 1011 1012 enum { 1013 MTTG_TRAV_INIT, 1014 MTTG_TRAV_NFP_UNSPEC, 1015 MTTG_TRAV_NFP_SPEC, 1016 MTTG_TRAV_DONE, 1017 }; 1018 1019 static void *xt_mttg_seq_next(struct seq_file *seq, void *v, loff_t *ppos, 1020 bool is_target) 1021 { 1022 static const uint8_t next_class[] = { 1023 [MTTG_TRAV_NFP_UNSPEC] = MTTG_TRAV_NFP_SPEC, 1024 [MTTG_TRAV_NFP_SPEC] = MTTG_TRAV_DONE, 1025 }; 1026 struct nf_mttg_trav *trav = seq->private; 1027 1028 switch (trav->class) { 1029 case MTTG_TRAV_INIT: 1030 trav->class = MTTG_TRAV_NFP_UNSPEC; 1031 mutex_lock(&xt[NFPROTO_UNSPEC].mutex); 1032 trav->head = trav->curr = is_target ? 1033 &xt[NFPROTO_UNSPEC].target : &xt[NFPROTO_UNSPEC].match; 1034 break; 1035 case MTTG_TRAV_NFP_UNSPEC: 1036 trav->curr = trav->curr->next; 1037 if (trav->curr != trav->head) 1038 break; 1039 mutex_unlock(&xt[NFPROTO_UNSPEC].mutex); 1040 mutex_lock(&xt[trav->nfproto].mutex); 1041 trav->head = trav->curr = is_target ? 1042 &xt[trav->nfproto].target : &xt[trav->nfproto].match; 1043 trav->class = next_class[trav->class]; 1044 break; 1045 case MTTG_TRAV_NFP_SPEC: 1046 trav->curr = trav->curr->next; 1047 if (trav->curr != trav->head) 1048 break; 1049 /* fallthru, _stop will unlock */ 1050 default: 1051 return NULL; 1052 } 1053 1054 if (ppos != NULL) 1055 ++*ppos; 1056 return trav; 1057 } 1058 1059 static void *xt_mttg_seq_start(struct seq_file *seq, loff_t *pos, 1060 bool is_target) 1061 { 1062 struct nf_mttg_trav *trav = seq->private; 1063 unsigned int j; 1064 1065 trav->class = MTTG_TRAV_INIT; 1066 for (j = 0; j < *pos; ++j) 1067 if (xt_mttg_seq_next(seq, NULL, NULL, is_target) == NULL) 1068 return NULL; 1069 return trav; 1070 } 1071 1072 static void xt_mttg_seq_stop(struct seq_file *seq, void *v) 1073 { 1074 struct nf_mttg_trav *trav = seq->private; 1075 1076 switch (trav->class) { 1077 case MTTG_TRAV_NFP_UNSPEC: 1078 mutex_unlock(&xt[NFPROTO_UNSPEC].mutex); 1079 break; 1080 case MTTG_TRAV_NFP_SPEC: 1081 mutex_unlock(&xt[trav->nfproto].mutex); 1082 break; 1083 } 1084 } 1085 1086 static void *xt_match_seq_start(struct seq_file *seq, loff_t *pos) 1087 { 1088 return xt_mttg_seq_start(seq, pos, false); 1089 } 1090 1091 static void *xt_match_seq_next(struct seq_file *seq, void *v, loff_t *ppos) 1092 { 1093 return xt_mttg_seq_next(seq, v, ppos, false); 1094 } 1095 1096 static int xt_match_seq_show(struct seq_file *seq, void *v) 1097 { 1098 const struct nf_mttg_trav *trav = seq->private; 1099 const struct xt_match *match; 1100 1101 switch (trav->class) { 1102 case MTTG_TRAV_NFP_UNSPEC: 1103 case MTTG_TRAV_NFP_SPEC: 1104 if (trav->curr == trav->head) 1105 return 0; 1106 match = list_entry(trav->curr, struct xt_match, list); 1107 return (*match->name == '\0') ? 0 : 1108 seq_printf(seq, "%s\n", match->name); 1109 } 1110 return 0; 1111 } 1112 1113 static const struct seq_operations xt_match_seq_ops = { 1114 .start = xt_match_seq_start, 1115 .next = xt_match_seq_next, 1116 .stop = xt_mttg_seq_stop, 1117 .show = xt_match_seq_show, 1118 }; 1119 1120 static int xt_match_open(struct inode *inode, struct file *file) 1121 { 1122 struct seq_file *seq; 1123 struct nf_mttg_trav *trav; 1124 int ret; 1125 1126 trav = kmalloc(sizeof(*trav), GFP_KERNEL); 1127 if (trav == NULL) 1128 return -ENOMEM; 1129 1130 ret = seq_open(file, &xt_match_seq_ops); 1131 if (ret < 0) { 1132 kfree(trav); 1133 return ret; 1134 } 1135 1136 seq = file->private_data; 1137 seq->private = trav; 1138 trav->nfproto = (unsigned long)PDE(inode)->data; 1139 return 0; 1140 } 1141 1142 static const struct file_operations xt_match_ops = { 1143 .owner = THIS_MODULE, 1144 .open = xt_match_open, 1145 .read = seq_read, 1146 .llseek = seq_lseek, 1147 .release = seq_release_private, 1148 }; 1149 1150 static void *xt_target_seq_start(struct seq_file *seq, loff_t *pos) 1151 { 1152 return xt_mttg_seq_start(seq, pos, true); 1153 } 1154 1155 static void *xt_target_seq_next(struct seq_file *seq, void *v, loff_t *ppos) 1156 { 1157 return xt_mttg_seq_next(seq, v, ppos, true); 1158 } 1159 1160 static int xt_target_seq_show(struct seq_file *seq, void *v) 1161 { 1162 const struct nf_mttg_trav *trav = seq->private; 1163 const struct xt_target *target; 1164 1165 switch (trav->class) { 1166 case MTTG_TRAV_NFP_UNSPEC: 1167 case MTTG_TRAV_NFP_SPEC: 1168 if (trav->curr == trav->head) 1169 return 0; 1170 target = list_entry(trav->curr, struct xt_target, list); 1171 return (*target->name == '\0') ? 0 : 1172 seq_printf(seq, "%s\n", target->name); 1173 } 1174 return 0; 1175 } 1176 1177 static const struct seq_operations xt_target_seq_ops = { 1178 .start = xt_target_seq_start, 1179 .next = xt_target_seq_next, 1180 .stop = xt_mttg_seq_stop, 1181 .show = xt_target_seq_show, 1182 }; 1183 1184 static int xt_target_open(struct inode *inode, struct file *file) 1185 { 1186 struct seq_file *seq; 1187 struct nf_mttg_trav *trav; 1188 int ret; 1189 1190 trav = kmalloc(sizeof(*trav), GFP_KERNEL); 1191 if (trav == NULL) 1192 return -ENOMEM; 1193 1194 ret = seq_open(file, &xt_target_seq_ops); 1195 if (ret < 0) { 1196 kfree(trav); 1197 return ret; 1198 } 1199 1200 seq = file->private_data; 1201 seq->private = trav; 1202 trav->nfproto = (unsigned long)PDE(inode)->data; 1203 return 0; 1204 } 1205 1206 static const struct file_operations xt_target_ops = { 1207 .owner = THIS_MODULE, 1208 .open = xt_target_open, 1209 .read = seq_read, 1210 .llseek = seq_lseek, 1211 .release = seq_release_private, 1212 }; 1213 1214 #define FORMAT_TABLES "_tables_names" 1215 #define FORMAT_MATCHES "_tables_matches" 1216 #define FORMAT_TARGETS "_tables_targets" 1217 1218 #endif /* CONFIG_PROC_FS */ 1219 1220 /** 1221 * xt_hook_link - set up hooks for a new table 1222 * @table: table with metadata needed to set up hooks 1223 * @fn: Hook function 1224 * 1225 * This function will take care of creating and registering the necessary 1226 * Netfilter hooks for XT tables. 1227 */ 1228 struct nf_hook_ops *xt_hook_link(const struct xt_table *table, nf_hookfn *fn) 1229 { 1230 unsigned int hook_mask = table->valid_hooks; 1231 uint8_t i, num_hooks = hweight32(hook_mask); 1232 uint8_t hooknum; 1233 struct nf_hook_ops *ops; 1234 int ret; 1235 1236 ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL); 1237 if (ops == NULL) 1238 return ERR_PTR(-ENOMEM); 1239 1240 for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0; 1241 hook_mask >>= 1, ++hooknum) { 1242 if (!(hook_mask & 1)) 1243 continue; 1244 ops[i].hook = fn; 1245 ops[i].owner = table->me; 1246 ops[i].pf = table->af; 1247 ops[i].hooknum = hooknum; 1248 ops[i].priority = table->priority; 1249 ++i; 1250 } 1251 1252 ret = nf_register_hooks(ops, num_hooks); 1253 if (ret < 0) { 1254 kfree(ops); 1255 return ERR_PTR(ret); 1256 } 1257 1258 return ops; 1259 } 1260 EXPORT_SYMBOL_GPL(xt_hook_link); 1261 1262 /** 1263 * xt_hook_unlink - remove hooks for a table 1264 * @ops: nf_hook_ops array as returned by nf_hook_link 1265 * @hook_mask: the very same mask that was passed to nf_hook_link 1266 */ 1267 void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops) 1268 { 1269 nf_unregister_hooks(ops, hweight32(table->valid_hooks)); 1270 kfree(ops); 1271 } 1272 EXPORT_SYMBOL_GPL(xt_hook_unlink); 1273 1274 int xt_proto_init(struct net *net, u_int8_t af) 1275 { 1276 #ifdef CONFIG_PROC_FS 1277 char buf[XT_FUNCTION_MAXNAMELEN]; 1278 struct proc_dir_entry *proc; 1279 #endif 1280 1281 if (af >= ARRAY_SIZE(xt_prefix)) 1282 return -EINVAL; 1283 1284 1285 #ifdef CONFIG_PROC_FS 1286 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1287 strlcat(buf, FORMAT_TABLES, sizeof(buf)); 1288 proc = proc_create_data(buf, 0440, net->proc_net, &xt_table_ops, 1289 (void *)(unsigned long)af); 1290 if (!proc) 1291 goto out; 1292 1293 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1294 strlcat(buf, FORMAT_MATCHES, sizeof(buf)); 1295 proc = proc_create_data(buf, 0440, net->proc_net, &xt_match_ops, 1296 (void *)(unsigned long)af); 1297 if (!proc) 1298 goto out_remove_tables; 1299 1300 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1301 strlcat(buf, FORMAT_TARGETS, sizeof(buf)); 1302 proc = proc_create_data(buf, 0440, net->proc_net, &xt_target_ops, 1303 (void *)(unsigned long)af); 1304 if (!proc) 1305 goto out_remove_matches; 1306 #endif 1307 1308 return 0; 1309 1310 #ifdef CONFIG_PROC_FS 1311 out_remove_matches: 1312 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1313 strlcat(buf, FORMAT_MATCHES, sizeof(buf)); 1314 proc_net_remove(net, buf); 1315 1316 out_remove_tables: 1317 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1318 strlcat(buf, FORMAT_TABLES, sizeof(buf)); 1319 proc_net_remove(net, buf); 1320 out: 1321 return -1; 1322 #endif 1323 } 1324 EXPORT_SYMBOL_GPL(xt_proto_init); 1325 1326 void xt_proto_fini(struct net *net, u_int8_t af) 1327 { 1328 #ifdef CONFIG_PROC_FS 1329 char buf[XT_FUNCTION_MAXNAMELEN]; 1330 1331 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1332 strlcat(buf, FORMAT_TABLES, sizeof(buf)); 1333 proc_net_remove(net, buf); 1334 1335 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1336 strlcat(buf, FORMAT_TARGETS, sizeof(buf)); 1337 proc_net_remove(net, buf); 1338 1339 strlcpy(buf, xt_prefix[af], sizeof(buf)); 1340 strlcat(buf, FORMAT_MATCHES, sizeof(buf)); 1341 proc_net_remove(net, buf); 1342 #endif /*CONFIG_PROC_FS*/ 1343 } 1344 EXPORT_SYMBOL_GPL(xt_proto_fini); 1345 1346 static int __net_init xt_net_init(struct net *net) 1347 { 1348 int i; 1349 1350 for (i = 0; i < NFPROTO_NUMPROTO; i++) 1351 INIT_LIST_HEAD(&net->xt.tables[i]); 1352 return 0; 1353 } 1354 1355 static struct pernet_operations xt_net_ops = { 1356 .init = xt_net_init, 1357 }; 1358 1359 static int __init xt_init(void) 1360 { 1361 unsigned int i; 1362 int rv; 1363 1364 for_each_possible_cpu(i) { 1365 seqcount_init(&per_cpu(xt_recseq, i)); 1366 } 1367 1368 xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL); 1369 if (!xt) 1370 return -ENOMEM; 1371 1372 for (i = 0; i < NFPROTO_NUMPROTO; i++) { 1373 mutex_init(&xt[i].mutex); 1374 #ifdef CONFIG_COMPAT 1375 mutex_init(&xt[i].compat_mutex); 1376 xt[i].compat_tab = NULL; 1377 #endif 1378 INIT_LIST_HEAD(&xt[i].target); 1379 INIT_LIST_HEAD(&xt[i].match); 1380 } 1381 rv = register_pernet_subsys(&xt_net_ops); 1382 if (rv < 0) 1383 kfree(xt); 1384 return rv; 1385 } 1386 1387 static void __exit xt_fini(void) 1388 { 1389 unregister_pernet_subsys(&xt_net_ops); 1390 kfree(xt); 1391 } 1392 1393 module_init(xt_init); 1394 module_exit(xt_fini); 1395 1396