| /* |
| * x_tables core - Backend for {ip,ip6,arp}_tables |
| * |
| * Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org> |
| * Copyright (C) 2006-2012 Patrick McHardy <kaber@trash.net> |
| * |
| * Based on existing ip_tables code which is |
| * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling |
| * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org> |
| * |
| * This program is free software; you can redistribute it and/or modify |
| * it under the terms of the GNU General Public License version 2 as |
| * published by the Free Software Foundation. |
| * |
| */ |
| #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
| #include <linux/kernel.h> |
| #include <linux/module.h> |
| #include <linux/socket.h> |
| #include <linux/net.h> |
| #include <linux/proc_fs.h> |
| #include <linux/seq_file.h> |
| #include <linux/string.h> |
| #include <linux/vmalloc.h> |
| #include <linux/mutex.h> |
| #include <linux/mm.h> |
| #include <linux/slab.h> |
| #include <linux/audit.h> |
| #include <linux/user_namespace.h> |
| #include <net/net_namespace.h> |
| |
| #include <linux/netfilter/x_tables.h> |
| #include <linux/netfilter_arp.h> |
| #include <linux/netfilter_ipv4/ip_tables.h> |
| #include <linux/netfilter_ipv6/ip6_tables.h> |
| #include <linux/netfilter_arp/arp_tables.h> |
| |
| MODULE_LICENSE("GPL"); |
| MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); |
| MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module"); |
| |
| #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1)) |
| |
| struct compat_delta { |
| unsigned int offset; /* offset in kernel */ |
| int delta; /* delta in 32bit user land */ |
| }; |
| |
| struct xt_af { |
| struct mutex mutex; |
| struct list_head match; |
| struct list_head target; |
| #ifdef CONFIG_COMPAT |
| struct mutex compat_mutex; |
| struct compat_delta *compat_tab; |
| unsigned int number; /* number of slots in compat_tab[] */ |
| unsigned int cur; /* number of used slots in compat_tab[] */ |
| #endif |
| }; |
| |
| static struct xt_af *xt; |
| |
| static const char *const xt_prefix[NFPROTO_NUMPROTO] = { |
| [NFPROTO_UNSPEC] = "x", |
| [NFPROTO_IPV4] = "ip", |
| [NFPROTO_ARP] = "arp", |
| [NFPROTO_BRIDGE] = "eb", |
| [NFPROTO_IPV6] = "ip6", |
| }; |
| |
| /* Registration hooks for targets. */ |
| int xt_register_target(struct xt_target *target) |
| { |
| u_int8_t af = target->family; |
| |
| mutex_lock(&xt[af].mutex); |
| list_add(&target->list, &xt[af].target); |
| mutex_unlock(&xt[af].mutex); |
| return 0; |
| } |
| EXPORT_SYMBOL(xt_register_target); |
| |
| void |
| xt_unregister_target(struct xt_target *target) |
| { |
| u_int8_t af = target->family; |
| |
| mutex_lock(&xt[af].mutex); |
| list_del(&target->list); |
| mutex_unlock(&xt[af].mutex); |
| } |
| EXPORT_SYMBOL(xt_unregister_target); |
| |
| int |
| xt_register_targets(struct xt_target *target, unsigned int n) |
| { |
| unsigned int i; |
| int err = 0; |
| |
| for (i = 0; i < n; i++) { |
| err = xt_register_target(&target[i]); |
| if (err) |
| goto err; |
| } |
| return err; |
| |
| err: |
| if (i > 0) |
| xt_unregister_targets(target, i); |
| return err; |
| } |
| EXPORT_SYMBOL(xt_register_targets); |
| |
| void |
| xt_unregister_targets(struct xt_target *target, unsigned int n) |
| { |
| while (n-- > 0) |
| xt_unregister_target(&target[n]); |
| } |
| EXPORT_SYMBOL(xt_unregister_targets); |
| |
| int xt_register_match(struct xt_match *match) |
| { |
| u_int8_t af = match->family; |
| |
| mutex_lock(&xt[af].mutex); |
| list_add(&match->list, &xt[af].match); |
| mutex_unlock(&xt[af].mutex); |
| return 0; |
| } |
| EXPORT_SYMBOL(xt_register_match); |
| |
| void |
| xt_unregister_match(struct xt_match *match) |
| { |
| u_int8_t af = match->family; |
| |
| mutex_lock(&xt[af].mutex); |
| list_del(&match->list); |
| mutex_unlock(&xt[af].mutex); |
| } |
| EXPORT_SYMBOL(xt_unregister_match); |
| |
| int |
| xt_register_matches(struct xt_match *match, unsigned int n) |
| { |
| unsigned int i; |
| int err = 0; |
| |
| for (i = 0; i < n; i++) { |
| err = xt_register_match(&match[i]); |
| if (err) |
| goto err; |
| } |
| return err; |
| |
| err: |
| if (i > 0) |
| xt_unregister_matches(match, i); |
| return err; |
| } |
| EXPORT_SYMBOL(xt_register_matches); |
| |
| void |
| xt_unregister_matches(struct xt_match *match, unsigned int n) |
| { |
| while (n-- > 0) |
| xt_unregister_match(&match[n]); |
| } |
| EXPORT_SYMBOL(xt_unregister_matches); |
| |
| |
| /* |
| * These are weird, but module loading must not be done with mutex |
| * held (since they will register), and we have to have a single |
| * function to use. |
| */ |
| |
| /* Find match, grabs ref. Returns ERR_PTR() on error. */ |
| struct xt_match *xt_find_match(u8 af, const char *name, u8 revision) |
| { |
| struct xt_match *m; |
| int err = -ENOENT; |
| |
| mutex_lock(&xt[af].mutex); |
| list_for_each_entry(m, &xt[af].match, list) { |
| if (strcmp(m->name, name) == 0) { |
| if (m->revision == revision) { |
| if (try_module_get(m->me)) { |
| mutex_unlock(&xt[af].mutex); |
| return m; |
| } |
| } else |
| err = -EPROTOTYPE; /* Found something. */ |
| } |
| } |
| mutex_unlock(&xt[af].mutex); |
| |
| if (af != NFPROTO_UNSPEC) |
| /* Try searching again in the family-independent list */ |
| return xt_find_match(NFPROTO_UNSPEC, name, revision); |
| |
| return ERR_PTR(err); |
| } |
| EXPORT_SYMBOL(xt_find_match); |
| |
| struct xt_match * |
| xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision) |
| { |
| struct xt_match *match; |
| |
| match = xt_find_match(nfproto, name, revision); |
| if (IS_ERR(match)) { |
| request_module("%st_%s", xt_prefix[nfproto], name); |
| match = xt_find_match(nfproto, name, revision); |
| } |
| |
| return match; |
| } |
| EXPORT_SYMBOL_GPL(xt_request_find_match); |
| |
| /* Find target, grabs ref. Returns ERR_PTR() on error. */ |
| struct xt_target *xt_find_target(u8 af, const char *name, u8 revision) |
| { |
| struct xt_target *t; |
| int err = -ENOENT; |
| |
| mutex_lock(&xt[af].mutex); |
| list_for_each_entry(t, &xt[af].target, list) { |
| if (strcmp(t->name, name) == 0) { |
| if (t->revision == revision) { |
| if (try_module_get(t->me)) { |
| mutex_unlock(&xt[af].mutex); |
| return t; |
| } |
| } else |
| err = -EPROTOTYPE; /* Found something. */ |
| } |
| } |
| mutex_unlock(&xt[af].mutex); |
| |
| if (af != NFPROTO_UNSPEC) |
| /* Try searching again in the family-independent list */ |
| return xt_find_target(NFPROTO_UNSPEC, name, revision); |
| |
| return ERR_PTR(err); |
| } |
| EXPORT_SYMBOL(xt_find_target); |
| |
| struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision) |
| { |
| struct xt_target *target; |
| |
| target = xt_find_target(af, name, revision); |
| if (IS_ERR(target)) { |
| request_module("%st_%s", xt_prefix[af], name); |
| target = xt_find_target(af, name, revision); |
| } |
| |
| return target; |
| } |
| EXPORT_SYMBOL_GPL(xt_request_find_target); |
| |
| static int match_revfn(u8 af, const char *name, u8 revision, int *bestp) |
| { |
| const struct xt_match *m; |
| int have_rev = 0; |
| |
| list_for_each_entry(m, &xt[af].match, list) { |
| if (strcmp(m->name, name) == 0) { |
| if (m->revision > *bestp) |
| *bestp = m->revision; |
| if (m->revision == revision) |
| have_rev = 1; |
| } |
| } |
| |
| if (af != NFPROTO_UNSPEC && !have_rev) |
| return match_revfn(NFPROTO_UNSPEC, name, revision, bestp); |
| |
| return have_rev; |
| } |
| |
| static int target_revfn(u8 af, const char *name, u8 revision, int *bestp) |
| { |
| const struct xt_target *t; |
| int have_rev = 0; |
| |
| list_for_each_entry(t, &xt[af].target, list) { |
| if (strcmp(t->name, name) == 0) { |
| if (t->revision > *bestp) |
| *bestp = t->revision; |
| if (t->revision == revision) |
| have_rev = 1; |
| } |
| } |
| |
| if (af != NFPROTO_UNSPEC && !have_rev) |
| return target_revfn(NFPROTO_UNSPEC, name, revision, bestp); |
| |
| return have_rev; |
| } |
| |
| /* Returns true or false (if no such extension at all) */ |
| int xt_find_revision(u8 af, const char *name, u8 revision, int target, |
| int *err) |
| { |
| int have_rev, best = -1; |
| |
| mutex_lock(&xt[af].mutex); |
| if (target == 1) |
| have_rev = target_revfn(af, name, revision, &best); |
| else |
| have_rev = match_revfn(af, name, revision, &best); |
| mutex_unlock(&xt[af].mutex); |
| |
| /* Nothing at all? Return 0 to try loading module. */ |
| if (best == -1) { |
| *err = -ENOENT; |
| return 0; |
| } |
| |
| *err = best; |
| if (!have_rev) |
| *err = -EPROTONOSUPPORT; |
| return 1; |
| } |
| EXPORT_SYMBOL_GPL(xt_find_revision); |
| |
| static char * |
| textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto) |
| { |
| static const char *const inetbr_names[] = { |
| "PREROUTING", "INPUT", "FORWARD", |
| "OUTPUT", "POSTROUTING", "BROUTING", |
| }; |
| static const char *const arp_names[] = { |
| "INPUT", "FORWARD", "OUTPUT", |
| }; |
| const char *const *names; |
| unsigned int i, max; |
| char *p = buf; |
| bool np = false; |
| int res; |
| |
| names = (nfproto == NFPROTO_ARP) ? arp_names : inetbr_names; |
| max = (nfproto == NFPROTO_ARP) ? ARRAY_SIZE(arp_names) : |
| ARRAY_SIZE(inetbr_names); |
| *p = '\0'; |
| for (i = 0; i < max; ++i) { |
| if (!(mask & (1 << i))) |
| continue; |
| res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]); |
| if (res > 0) { |
| size -= res; |
| p += res; |
| } |
| np = true; |
| } |
| |
| return buf; |
| } |
| |
| int xt_check_match(struct xt_mtchk_param *par, |
| unsigned int size, u_int8_t proto, bool inv_proto) |
| { |
| int ret; |
| |
| if (XT_ALIGN(par->match->matchsize) != size && |
| par->match->matchsize != -1) { |
| /* |
| * ebt_among is exempt from centralized matchsize checking |
| * because it uses a dynamic-size data set. |
| */ |
| pr_err("%s_tables: %s.%u match: invalid size " |
| "%u (kernel) != (user) %u\n", |
| xt_prefix[par->family], par->match->name, |
| par->match->revision, |
| XT_ALIGN(par->match->matchsize), size); |
| return -EINVAL; |
| } |
| if (par->match->table != NULL && |
| strcmp(par->match->table, par->table) != 0) { |
| pr_err("%s_tables: %s match: only valid in %s table, not %s\n", |
| xt_prefix[par->family], par->match->name, |
| par->match->table, par->table); |
| return -EINVAL; |
| } |
| if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) { |
| char used[64], allow[64]; |
| |
| pr_err("%s_tables: %s match: used from hooks %s, but only " |
| "valid from %s\n", |
| xt_prefix[par->family], par->match->name, |
| textify_hooks(used, sizeof(used), par->hook_mask, |
| par->family), |
| textify_hooks(allow, sizeof(allow), par->match->hooks, |
| par->family)); |
| return -EINVAL; |
| } |
| if (par->match->proto && (par->match->proto != proto || inv_proto)) { |
| pr_err("%s_tables: %s match: only valid for protocol %u\n", |
| xt_prefix[par->family], par->match->name, |
| par->match->proto); |
| return -EINVAL; |
| } |
| if (par->match->checkentry != NULL) { |
| ret = par->match->checkentry(par); |
| if (ret < 0) |
| return ret; |
| else if (ret > 0) |
| /* Flag up potential errors. */ |
| return -EIO; |
| } |
| return 0; |
| } |
| EXPORT_SYMBOL_GPL(xt_check_match); |
| |
| #ifdef CONFIG_COMPAT |
| int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta) |
| { |
| struct xt_af *xp = &xt[af]; |
| |
| if (!xp->compat_tab) { |
| if (!xp->number) |
| return -EINVAL; |
| xp->compat_tab = vmalloc(sizeof(struct compat_delta) * xp->number); |
| if (!xp->compat_tab) |
| return -ENOMEM; |
| xp->cur = 0; |
| } |
| |
| if (xp->cur >= xp->number) |
| return -EINVAL; |
| |
| if (xp->cur) |
| delta += xp->compat_tab[xp->cur - 1].delta; |
| xp->compat_tab[xp->cur].offset = offset; |
| xp->compat_tab[xp->cur].delta = delta; |
| xp->cur++; |
| return 0; |
| } |
| EXPORT_SYMBOL_GPL(xt_compat_add_offset); |
| |
| void xt_compat_flush_offsets(u_int8_t af) |
| { |
| if (xt[af].compat_tab) { |
| vfree(xt[af].compat_tab); |
| xt[af].compat_tab = NULL; |
| xt[af].number = 0; |
| xt[af].cur = 0; |
| } |
| } |
| EXPORT_SYMBOL_GPL(xt_compat_flush_offsets); |
| |
| int xt_compat_calc_jump(u_int8_t af, unsigned int offset) |
| { |
| struct compat_delta *tmp = xt[af].compat_tab; |
| int mid, left = 0, right = xt[af].cur - 1; |
| |
| while (left <= right) { |
| mid = (left + right) >> 1; |
| if (offset > tmp[mid].offset) |
| left = mid + 1; |
| else if (offset < tmp[mid].offset) |
| right = mid - 1; |
| else |
| return mid ? tmp[mid - 1].delta : 0; |
| } |
| return left ? tmp[left - 1].delta : 0; |
| } |
| EXPORT_SYMBOL_GPL(xt_compat_calc_jump); |
| |
| void xt_compat_init_offsets(u_int8_t af, unsigned int number) |
| { |
| xt[af].number = number; |
| xt[af].cur = 0; |
| } |
| EXPORT_SYMBOL(xt_compat_init_offsets); |
| |
| int xt_compat_match_offset(const struct xt_match *match) |
| { |
| u_int16_t csize = match->compatsize ? : match->matchsize; |
| return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize); |
| } |
| EXPORT_SYMBOL_GPL(xt_compat_match_offset); |
| |
| int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, |
| unsigned int *size) |
| { |
| const struct xt_match *match = m->u.kernel.match; |
| struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; |
| int pad, off = xt_compat_match_offset(match); |
| u_int16_t msize = cm->u.user.match_size; |
| |
| m = *dstptr; |
| memcpy(m, cm, sizeof(*cm)); |
| if (match->compat_from_user) |
| match->compat_from_user(m->data, cm->data); |
| else |
| memcpy(m->data, cm->data, msize - sizeof(*cm)); |
| pad = XT_ALIGN(match->matchsize) - match->matchsize; |
| if (pad > 0) |
| memset(m->data + match->matchsize, 0, pad); |
| |
| msize += off; |
| m->u.user.match_size = msize; |
| |
| *size += off; |
| *dstptr += msize; |
| return 0; |
| } |
| EXPORT_SYMBOL_GPL(xt_compat_match_from_user); |
| |
| int xt_compat_match_to_user(const struct xt_entry_match *m, |
| void __user **dstptr, unsigned int *size) |
| { |
| const struct xt_match *match = m->u.kernel.match; |
| struct compat_xt_entry_match __user *cm = *dstptr; |
| int off = xt_compat_match_offset(match); |
| u_int16_t msize = m->u.user.match_size - off; |
| |
| if (copy_to_user(cm, m, sizeof(*cm)) || |
| put_user(msize, &cm->u.user.match_size) || |
| copy_to_user(cm->u.user.name, m->u.kernel.match->name, |
| strlen(m->u.kernel.match->name) + 1)) |
| return -EFAULT; |
| |
| if (match->compat_to_user) { |
| if (match->compat_to_user((void __user *)cm->data, m->data)) |
| return -EFAULT; |
| } else { |
| if (copy_to_user(cm->data, m->data, msize - sizeof(*cm))) |
| return -EFAULT; |
| } |
| |
| *size -= off; |
| *dstptr += msize; |
| return 0; |
| } |
| EXPORT_SYMBOL_GPL(xt_compat_match_to_user); |
| #endif /* CONFIG_COMPAT */ |
| |
| int xt_check_target(struct xt_tgchk_param *par, |
| unsigned int size, u_int8_t proto, bool inv_proto) |
| { |
| int ret; |
| |
| if (XT_ALIGN(par->target->targetsize) != size) { |
| pr_err("%s_tables: %s.%u target: invalid size " |
| "%u (kernel) != (user) %u\n", |
| xt_prefix[par->family], par->target->name, |
| par->target->revision, |
| XT_ALIGN(par->target->targetsize), size); |
| return -EINVAL; |
| } |
| if (par->target->table != NULL && |
| strcmp(par->target->table, par->table) != 0) { |
| pr_err("%s_tables: %s target: only valid in %s table, not %s\n", |
| xt_prefix[par->family], par->target->name, |
| par->target->table, par->table); |
| return -EINVAL; |
| } |
| if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) { |
| char used[64], allow[64]; |
| |
| pr_err("%s_tables: %s target: used from hooks %s, but only " |
| "usable from %s\n", |
| xt_prefix[par->family], par->target->name, |
| textify_hooks(used, sizeof(used), par->hook_mask, |
| par->family), |
| textify_hooks(allow, sizeof(allow), par->target->hooks, |
| par->family)); |
| return -EINVAL; |
| } |
| if (par->target->proto && (par->target->proto != proto || inv_proto)) { |
| pr_err("%s_tables: %s target: only valid for protocol %u\n", |
| xt_prefix[par->family], par->target->name, |
| par->target->proto); |
| return -EINVAL; |
| } |
| if (par->target->checkentry != NULL) { |
| ret = par->target->checkentry(par); |
| if (ret < 0) |
| return ret; |
| else if (ret > 0) |
| /* Flag up potential errors. */ |
| return -EIO; |
| } |
| return 0; |
| } |
| EXPORT_SYMBOL_GPL(xt_check_target); |
| |
| #ifdef CONFIG_COMPAT |
| int xt_compat_target_offset(const struct xt_target *target) |
| { |
| u_int16_t csize = target->compatsize ? : target->targetsize; |
| return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize); |
| } |
| EXPORT_SYMBOL_GPL(xt_compat_target_offset); |
| |
| void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, |
| unsigned int *size) |
| { |
| const struct xt_target *target = t->u.kernel.target; |
| struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; |
| int pad, off = xt_compat_target_offset(target); |
| u_int16_t tsize = ct->u.user.target_size; |
| |
| t = *dstptr; |
| memcpy(t, ct, sizeof(*ct)); |
| if (target->compat_from_user) |
| target->compat_from_user(t->data, ct->data); |
| else |
| memcpy(t->data, ct->data, tsize - sizeof(*ct)); |
| pad = XT_ALIGN(target->targetsize) - target->targetsize; |
| if (pad > 0) |
| memset(t->data + target->targetsize, 0, pad); |
| |
| tsize += off; |
| t->u.user.target_size = tsize; |
| |
| *size += off; |
| *dstptr += tsize; |
| } |
| EXPORT_SYMBOL_GPL(xt_compat_target_from_user); |
| |
| int xt_compat_target_to_user(const struct xt_entry_target *t, |
| void __user **dstptr, unsigned int *size) |
| { |
| const struct xt_target *target = t->u.kernel.target; |
| struct compat_xt_entry_target __user *ct = *dstptr; |
| int off = xt_compat_target_offset(target); |
| u_int16_t tsize = t->u.user.target_size - off; |
| |
| if (copy_to_user(ct, t, sizeof(*ct)) || |
| put_user(tsize, &ct->u.user.target_size) || |
| copy_to_user(ct->u.user.name, t->u.kernel.target->name, |
| strlen(t->u.kernel.target->name) + 1)) |
| return -EFAULT; |
| |
| if (target->compat_to_user) { |
| if (target->compat_to_user((void __user *)ct->data, t->data)) |
| return -EFAULT; |
| } else { |
| if (copy_to_user(ct->data, t->data, tsize - sizeof(*ct))) |
| return -EFAULT; |
| } |
| |
| *size -= off; |
| *dstptr += tsize; |
| return 0; |
| } |
| EXPORT_SYMBOL_GPL(xt_compat_target_to_user); |
| #endif |
| |
| struct xt_table_info *xt_alloc_table_info(unsigned int size) |
| { |
| struct xt_table_info *info = NULL; |
| size_t sz = sizeof(*info) + size; |
| |
| /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ |
| if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) |
| return NULL; |
| |
| if (sz <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER)) |
| info = kmalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY); |
| if (!info) { |
| info = vmalloc(sz); |
| if (!info) |
| return NULL; |
| } |
| memset(info, 0, sizeof(*info)); |
| info->size = size; |
| return info; |
| } |
| EXPORT_SYMBOL(xt_alloc_table_info); |
| |
| void xt_free_table_info(struct xt_table_info *info) |
| { |
| int cpu; |
| |
| if (info->jumpstack != NULL) { |
| for_each_possible_cpu(cpu) |
| kvfree(info->jumpstack[cpu]); |
| kvfree(info->jumpstack); |
| } |
| |
| kvfree(info); |
| } |
| EXPORT_SYMBOL(xt_free_table_info); |
| |
| /* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */ |
| struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af, |
| const char *name) |
| { |
| struct xt_table *t; |
| |
| mutex_lock(&xt[af].mutex); |
| list_for_each_entry(t, &net->xt.tables[af], list) |
| if (strcmp(t->name, name) == 0 && try_module_get(t->me)) |
| return t; |
| mutex_unlock(&xt[af].mutex); |
| return NULL; |
| } |
| EXPORT_SYMBOL_GPL(xt_find_table_lock); |
| |
| void xt_table_unlock(struct xt_table *table) |
| { |
| mutex_unlock(&xt[table->af].mutex); |
| } |
| EXPORT_SYMBOL_GPL(xt_table_unlock); |
| |
| #ifdef CONFIG_COMPAT |
| void xt_compat_lock(u_int8_t af) |
| { |
| mutex_lock(&xt[af].compat_mutex); |
| } |
| EXPORT_SYMBOL_GPL(xt_compat_lock); |
| |
| void xt_compat_unlock(u_int8_t af) |
| { |
| mutex_unlock(&xt[af].compat_mutex); |
| } |
| EXPORT_SYMBOL_GPL(xt_compat_unlock); |
| #endif |
| |
| DEFINE_PER_CPU(seqcount_t, xt_recseq); |
| EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq); |
| |
| struct static_key xt_tee_enabled __read_mostly; |
| EXPORT_SYMBOL_GPL(xt_tee_enabled); |
| |
| static int xt_jumpstack_alloc(struct xt_table_info *i) |
| { |
| unsigned int size; |
| int cpu; |
| |
| size = sizeof(void **) * nr_cpu_ids; |
| if (size > PAGE_SIZE) |
| i->jumpstack = vzalloc(size); |
| else |
| i->jumpstack = kzalloc(size, GFP_KERNEL); |
| if (i->jumpstack == NULL) |
| return -ENOMEM; |
| |
| /* ruleset without jumps -- no stack needed */ |
| if (i->stacksize == 0) |
| return 0; |
| |
| /* Jumpstack needs to be able to record two full callchains, one |
| * from the first rule set traversal, plus one table reentrancy |
| * via -j TEE without clobbering the callchain that brought us to |
| * TEE target. |
| * |
| * This is done by allocating two jumpstacks per cpu, on reentry |
| * the upper half of the stack is used. |
| * |
| * see the jumpstack setup in ipt_do_table() for more details. |
| */ |
| size = sizeof(void *) * i->stacksize * 2u; |
| for_each_possible_cpu(cpu) { |
| if (size > PAGE_SIZE) |
| i->jumpstack[cpu] = vmalloc_node(size, |
| cpu_to_node(cpu)); |
| else |
| i->jumpstack[cpu] = kmalloc_node(size, |
| GFP_KERNEL, cpu_to_node(cpu)); |
| if (i->jumpstack[cpu] == NULL) |
| /* |
| * Freeing will be done later on by the callers. The |
| * chain is: xt_replace_table -> __do_replace -> |
| * do_replace -> xt_free_table_info. |
| */ |
| return -ENOMEM; |
| } |
| |
| return 0; |
| } |
| |
| struct xt_table_info * |
| xt_replace_table(struct xt_table *table, |
| unsigned int num_counters, |
| struct xt_table_info *newinfo, |
| int *error) |
| { |
| struct xt_table_info *private; |
| int ret; |
| |
| ret = xt_jumpstack_alloc(newinfo); |
| if (ret < 0) { |
| *error = ret; |
| return NULL; |
| } |
| |
| /* Do the substitution. */ |
| local_bh_disable(); |
| private = table->private; |
| |
| /* Check inside lock: is the old number correct? */ |
| if (num_counters != private->number) { |
| pr_debug("num_counters != table->private->number (%u/%u)\n", |
| num_counters, private->number); |
| local_bh_enable(); |
| *error = -EAGAIN; |
| return NULL; |
| } |
| |
| newinfo->initial_entries = private->initial_entries; |
| /* |
| * Ensure contents of newinfo are visible before assigning to |
| * private. |
| */ |
| smp_wmb(); |
| table->private = newinfo; |
| |
| /* |
| * Even though table entries have now been swapped, other CPU's |
| * may still be using the old entries. This is okay, because |
| * resynchronization happens because of the locking done |
| * during the get_counters() routine. |
| */ |
| local_bh_enable(); |
| |
| #ifdef CONFIG_AUDIT |
| if (audit_enabled) { |
| struct audit_buffer *ab; |
| |
| ab = audit_log_start(current->audit_context, GFP_KERNEL, |
| AUDIT_NETFILTER_CFG); |
| if (ab) { |
| audit_log_format(ab, "table=%s family=%u entries=%u", |
| table->name, table->af, |
| private->number); |
| audit_log_end(ab); |
| } |
| } |
| #endif |
| |
| return private; |
| } |
| EXPORT_SYMBOL_GPL(xt_replace_table); |
| |
| struct xt_table *xt_register_table(struct net *net, |
| const struct xt_table *input_table, |
| struct xt_table_info *bootstrap, |
| struct xt_table_info *newinfo) |
| { |
| int ret; |
| struct xt_table_info *private; |
| struct xt_table *t, *table; |
| |
| /* Don't add one object to multiple lists. */ |
| table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL); |
| if (!table) { |
| ret = -ENOMEM; |
| goto out; |
| } |
| |
| mutex_lock(&xt[table->af].mutex); |
| /* Don't autoload: we'd eat our tail... */ |
| list_for_each_entry(t, &net->xt.tables[table->af], list) { |
| if (strcmp(t->name, table->name) == 0) { |
| ret = -EEXIST; |
| goto unlock; |
| } |
| } |
| |
| /* Simplifies replace_table code. */ |
| table->private = bootstrap; |
| |
| if (!xt_replace_table(table, 0, newinfo, &ret)) |
| goto unlock; |
| |
| private = table->private; |
| pr_debug("table->private->number = %u\n", private->number); |
| |
| /* save number of initial entries */ |
| private->initial_entries = private->number; |
| |
| list_add(&table->list, &net->xt.tables[table->af]); |
| mutex_unlock(&xt[table->af].mutex); |
| return table; |
| |
| unlock: |
| mutex_unlock(&xt[table->af].mutex); |
| kfree(table); |
| out: |
| return ERR_PTR(ret); |
| } |
| EXPORT_SYMBOL_GPL(xt_register_table); |
| |
| void *xt_unregister_table(struct xt_table *table) |
| { |
| struct xt_table_info *private; |
| |
| mutex_lock(&xt[table->af].mutex); |
| private = table->private; |
| list_del(&table->list); |
| mutex_unlock(&xt[table->af].mutex); |
| kfree(table); |
| |
| return private; |
| } |
| EXPORT_SYMBOL_GPL(xt_unregister_table); |
| |
| #ifdef CONFIG_PROC_FS |
| struct xt_names_priv { |
| struct seq_net_private p; |
| u_int8_t af; |
| }; |
| static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos) |
| { |
| struct xt_names_priv *priv = seq->private; |
| struct net *net = seq_file_net(seq); |
| u_int8_t af = priv->af; |
| |
| mutex_lock(&xt[af].mutex); |
| return seq_list_start(&net->xt.tables[af], *pos); |
| } |
| |
| static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos) |
| { |
| struct xt_names_priv *priv = seq->private; |
| struct net *net = seq_file_net(seq); |
| u_int8_t af = priv->af; |
| |
| return seq_list_next(v, &net->xt.tables[af], pos); |
| } |
| |
| static void xt_table_seq_stop(struct seq_file *seq, void *v) |
| { |
| struct xt_names_priv *priv = seq->private; |
| u_int8_t af = priv->af; |
| |
| mutex_unlock(&xt[af].mutex); |
| } |
| |
| static int xt_table_seq_show(struct seq_file *seq, void *v) |
| { |
| struct xt_table *table = list_entry(v, struct xt_table, list); |
| |
| if (*table->name) |
| seq_printf(seq, "%s\n", table->name); |
| return 0; |
| } |
| |
| static const struct seq_operations xt_table_seq_ops = { |
| .start = xt_table_seq_start, |
| .next = xt_table_seq_next, |
| .stop = xt_table_seq_stop, |
| .show = xt_table_seq_show, |
| }; |
| |
| static int xt_table_open(struct inode *inode, struct file *file) |
| { |
| int ret; |
| struct xt_names_priv *priv; |
| |
| ret = seq_open_net(inode, file, &xt_table_seq_ops, |
| sizeof(struct xt_names_priv)); |
| if (!ret) { |
| priv = ((struct seq_file *)file->private_data)->private; |
| priv->af = (unsigned long)PDE_DATA(inode); |
| } |
| return ret; |
| } |
| |
| static const struct file_operations xt_table_ops = { |
| .owner = THIS_MODULE, |
| .open = xt_table_open, |
| .read = seq_read, |
| .llseek = seq_lseek, |
| .release = seq_release_net, |
| }; |
| |
| /* |
| * Traverse state for ip{,6}_{tables,matches} for helping crossing |
| * the multi-AF mutexes. |
| */ |
| struct nf_mttg_trav { |
| struct list_head *head, *curr; |
| uint8_t class, nfproto; |
| }; |
| |
| enum { |
| MTTG_TRAV_INIT, |
| MTTG_TRAV_NFP_UNSPEC, |
| MTTG_TRAV_NFP_SPEC, |
| MTTG_TRAV_DONE, |
| }; |
| |
| static void *xt_mttg_seq_next(struct seq_file *seq, void *v, loff_t *ppos, |
| bool is_target) |
| { |
| static const uint8_t next_class[] = { |
| [MTTG_TRAV_NFP_UNSPEC] = MTTG_TRAV_NFP_SPEC, |
| [MTTG_TRAV_NFP_SPEC] = MTTG_TRAV_DONE, |
| }; |
| struct nf_mttg_trav *trav = seq->private; |
| |
| switch (trav->class) { |
| case MTTG_TRAV_INIT: |
| trav->class = MTTG_TRAV_NFP_UNSPEC; |
| mutex_lock(&xt[NFPROTO_UNSPEC].mutex); |
| trav->head = trav->curr = is_target ? |
| &xt[NFPROTO_UNSPEC].target : &xt[NFPROTO_UNSPEC].match; |
| break; |
| case MTTG_TRAV_NFP_UNSPEC: |
| trav->curr = trav->curr->next; |
| if (trav->curr != trav->head) |
| break; |
| mutex_unlock(&xt[NFPROTO_UNSPEC].mutex); |
| mutex_lock(&xt[trav->nfproto].mutex); |
| trav->head = trav->curr = is_target ? |
| &xt[trav->nfproto].target : &xt[trav->nfproto].match; |
| trav->class = next_class[trav->class]; |
| break; |
| case MTTG_TRAV_NFP_SPEC: |
| trav->curr = trav->curr->next; |
| if (trav->curr != trav->head) |
| break; |
| /* fallthru, _stop will unlock */ |
| default: |
| return NULL; |
| } |
| |
| if (ppos != NULL) |
| ++*ppos; |
| return trav; |
| } |
| |
| static void *xt_mttg_seq_start(struct seq_file *seq, loff_t *pos, |
| bool is_target) |
| { |
| struct nf_mttg_trav *trav = seq->private; |
| unsigned int j; |
| |
| trav->class = MTTG_TRAV_INIT; |
| for (j = 0; j < *pos; ++j) |
| if (xt_mttg_seq_next(seq, NULL, NULL, is_target) == NULL) |
| return NULL; |
| return trav; |
| } |
| |
| static void xt_mttg_seq_stop(struct seq_file *seq, void *v) |
| { |
| struct nf_mttg_trav *trav = seq->private; |
| |
| switch (trav->class) { |
| case MTTG_TRAV_NFP_UNSPEC: |
| mutex_unlock(&xt[NFPROTO_UNSPEC].mutex); |
| break; |
| case MTTG_TRAV_NFP_SPEC: |
| mutex_unlock(&xt[trav->nfproto].mutex); |
| break; |
| } |
| } |
| |
| static void *xt_match_seq_start(struct seq_file *seq, loff_t *pos) |
| { |
| return xt_mttg_seq_start(seq, pos, false); |
| } |
| |
| static void *xt_match_seq_next(struct seq_file *seq, void *v, loff_t *ppos) |
| { |
| return xt_mttg_seq_next(seq, v, ppos, false); |
| } |
| |
| static int xt_match_seq_show(struct seq_file *seq, void *v) |
| { |
| const struct nf_mttg_trav *trav = seq->private; |
| const struct xt_match *match; |
| |
| switch (trav->class) { |
| case MTTG_TRAV_NFP_UNSPEC: |
| case MTTG_TRAV_NFP_SPEC: |
| if (trav->curr == trav->head) |
| return 0; |
| match = list_entry(trav->curr, struct xt_match, list); |
| if (*match->name) |
| seq_printf(seq, "%s\n", match->name); |
| } |
| return 0; |
| } |
| |
| static const struct seq_operations xt_match_seq_ops = { |
| .start = xt_match_seq_start, |
| .next = xt_match_seq_next, |
| .stop = xt_mttg_seq_stop, |
| .show = xt_match_seq_show, |
| }; |
| |
| static int xt_match_open(struct inode *inode, struct file *file) |
| { |
| struct nf_mttg_trav *trav; |
| trav = __seq_open_private(file, &xt_match_seq_ops, sizeof(*trav)); |
| if (!trav) |
| return -ENOMEM; |
| |
| trav->nfproto = (unsigned long)PDE_DATA(inode); |
| return 0; |
| } |
| |
| static const struct file_operations xt_match_ops = { |
| .owner = THIS_MODULE, |
| .open = xt_match_open, |
| .read = seq_read, |
| .llseek = seq_lseek, |
| .release = seq_release_private, |
| }; |
| |
| static void *xt_target_seq_start(struct seq_file *seq, loff_t *pos) |
| { |
| return xt_mttg_seq_start(seq, pos, true); |
| } |
| |
| static void *xt_target_seq_next(struct seq_file *seq, void *v, loff_t *ppos) |
| { |
| return xt_mttg_seq_next(seq, v, ppos, true); |
| } |
| |
| static int xt_target_seq_show(struct seq_file *seq, void *v) |
| { |
| const struct nf_mttg_trav *trav = seq->private; |
| const struct xt_target *target; |
| |
| switch (trav->class) { |
| case MTTG_TRAV_NFP_UNSPEC: |
| case MTTG_TRAV_NFP_SPEC: |
| if (trav->curr == trav->head) |
| return 0; |
| target = list_entry(trav->curr, struct xt_target, list); |
| if (*target->name) |
| seq_printf(seq, "%s\n", target->name); |
| } |
| return 0; |
| } |
| |
| static const struct seq_operations xt_target_seq_ops = { |
| .start = xt_target_seq_start, |
| .next = xt_target_seq_next, |
| .stop = xt_mttg_seq_stop, |
| .show = xt_target_seq_show, |
| }; |
| |
| static int xt_target_open(struct inode *inode, struct file *file) |
| { |
| struct nf_mttg_trav *trav; |
| trav = __seq_open_private(file, &xt_target_seq_ops, sizeof(*trav)); |
| if (!trav) |
| return -ENOMEM; |
| |
| trav->nfproto = (unsigned long)PDE_DATA(inode); |
| return 0; |
| } |
| |
| static const struct file_operations xt_target_ops = { |
| .owner = THIS_MODULE, |
| .open = xt_target_open, |
| .read = seq_read, |
| .llseek = seq_lseek, |
| .release = seq_release_private, |
| }; |
| |
| #define FORMAT_TABLES "_tables_names" |
| #define FORMAT_MATCHES "_tables_matches" |
| #define FORMAT_TARGETS "_tables_targets" |
| |
| #endif /* CONFIG_PROC_FS */ |
| |
| /** |
| * xt_hook_link - set up hooks for a new table |
| * @table: table with metadata needed to set up hooks |
| * @fn: Hook function |
| * |
| * This function will take care of creating and registering the necessary |
| * Netfilter hooks for XT tables. |
| */ |
| struct nf_hook_ops *xt_hook_link(const struct xt_table *table, nf_hookfn *fn) |
| { |
| unsigned int hook_mask = table->valid_hooks; |
| uint8_t i, num_hooks = hweight32(hook_mask); |
| uint8_t hooknum; |
| struct nf_hook_ops *ops; |
| int ret; |
| |
| ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL); |
| if (ops == NULL) |
| return ERR_PTR(-ENOMEM); |
| |
| for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0; |
| hook_mask >>= 1, ++hooknum) { |
| if (!(hook_mask & 1)) |
| continue; |
| ops[i].hook = fn; |
| ops[i].pf = table->af; |
| ops[i].hooknum = hooknum; |
| ops[i].priority = table->priority; |
| ++i; |
| } |
| |
| ret = nf_register_hooks(ops, num_hooks); |
| if (ret < 0) { |
| kfree(ops); |
| return ERR_PTR(ret); |
| } |
| |
| return ops; |
| } |
| EXPORT_SYMBOL_GPL(xt_hook_link); |
| |
| /** |
| * xt_hook_unlink - remove hooks for a table |
| * @ops: nf_hook_ops array as returned by nf_hook_link |
| * @hook_mask: the very same mask that was passed to nf_hook_link |
| */ |
| void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops) |
| { |
| nf_unregister_hooks(ops, hweight32(table->valid_hooks)); |
| kfree(ops); |
| } |
| EXPORT_SYMBOL_GPL(xt_hook_unlink); |
| |
| int xt_proto_init(struct net *net, u_int8_t af) |
| { |
| #ifdef CONFIG_PROC_FS |
| char buf[XT_FUNCTION_MAXNAMELEN]; |
| struct proc_dir_entry *proc; |
| kuid_t root_uid; |
| kgid_t root_gid; |
| #endif |
| |
| if (af >= ARRAY_SIZE(xt_prefix)) |
| return -EINVAL; |
| |
| |
| #ifdef CONFIG_PROC_FS |
| root_uid = make_kuid(net->user_ns, 0); |
| root_gid = make_kgid(net->user_ns, 0); |
| |
| strlcpy(buf, xt_prefix[af], sizeof(buf)); |
| strlcat(buf, FORMAT_TABLES, sizeof(buf)); |
| proc = proc_create_data(buf, 0440, net->proc_net, &xt_table_ops, |
| (void *)(unsigned long)af); |
| if (!proc) |
| goto out; |
| if (uid_valid(root_uid) && gid_valid(root_gid)) |
| proc_set_user(proc, root_uid, root_gid); |
| |
| strlcpy(buf, xt_prefix[af], sizeof(buf)); |
| strlcat(buf, FORMAT_MATCHES, sizeof(buf)); |
| proc = proc_create_data(buf, 0440, net->proc_net, &xt_match_ops, |
| (void *)(unsigned long)af); |
| if (!proc) |
| goto out_remove_tables; |
| if (uid_valid(root_uid) && gid_valid(root_gid)) |
| proc_set_user(proc, root_uid, root_gid); |
| |
| strlcpy(buf, xt_prefix[af], sizeof(buf)); |
| strlcat(buf, FORMAT_TARGETS, sizeof(buf)); |
| proc = proc_create_data(buf, 0440, net->proc_net, &xt_target_ops, |
| (void *)(unsigned long)af); |
| if (!proc) |
| goto out_remove_matches; |
| if (uid_valid(root_uid) && gid_valid(root_gid)) |
| proc_set_user(proc, root_uid, root_gid); |
| #endif |
| |
| return 0; |
| |
| #ifdef CONFIG_PROC_FS |
| out_remove_matches: |
| strlcpy(buf, xt_prefix[af], sizeof(buf)); |
| strlcat(buf, FORMAT_MATCHES, sizeof(buf)); |
| remove_proc_entry(buf, net->proc_net); |
| |
| out_remove_tables: |
| strlcpy(buf, xt_prefix[af], sizeof(buf)); |
| strlcat(buf, FORMAT_TABLES, sizeof(buf)); |
| remove_proc_entry(buf, net->proc_net); |
| out: |
| return -1; |
| #endif |
| } |
| EXPORT_SYMBOL_GPL(xt_proto_init); |
| |
| void xt_proto_fini(struct net *net, u_int8_t af) |
| { |
| #ifdef CONFIG_PROC_FS |
| char buf[XT_FUNCTION_MAXNAMELEN]; |
| |
| strlcpy(buf, xt_prefix[af], sizeof(buf)); |
| strlcat(buf, FORMAT_TABLES, sizeof(buf)); |
| remove_proc_entry(buf, net->proc_net); |
| |
| strlcpy(buf, xt_prefix[af], sizeof(buf)); |
| strlcat(buf, FORMAT_TARGETS, sizeof(buf)); |
| remove_proc_entry(buf, net->proc_net); |
| |
| strlcpy(buf, xt_prefix[af], sizeof(buf)); |
| strlcat(buf, FORMAT_MATCHES, sizeof(buf)); |
| remove_proc_entry(buf, net->proc_net); |
| #endif /*CONFIG_PROC_FS*/ |
| } |
| EXPORT_SYMBOL_GPL(xt_proto_fini); |
| |
| static int __net_init xt_net_init(struct net *net) |
| { |
| int i; |
| |
| for (i = 0; i < NFPROTO_NUMPROTO; i++) |
| INIT_LIST_HEAD(&net->xt.tables[i]); |
| return 0; |
| } |
| |
| static struct pernet_operations xt_net_ops = { |
| .init = xt_net_init, |
| }; |
| |
| static int __init xt_init(void) |
| { |
| unsigned int i; |
| int rv; |
| |
| for_each_possible_cpu(i) { |
| seqcount_init(&per_cpu(xt_recseq, i)); |
| } |
| |
| xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL); |
| if (!xt) |
| return -ENOMEM; |
| |
| for (i = 0; i < NFPROTO_NUMPROTO; i++) { |
| mutex_init(&xt[i].mutex); |
| #ifdef CONFIG_COMPAT |
| mutex_init(&xt[i].compat_mutex); |
| xt[i].compat_tab = NULL; |
| #endif |
| INIT_LIST_HEAD(&xt[i].target); |
| INIT_LIST_HEAD(&xt[i].match); |
| } |
| rv = register_pernet_subsys(&xt_net_ops); |
| if (rv < 0) |
| kfree(xt); |
| return rv; |
| } |
| |
| static void __exit xt_fini(void) |
| { |
| unregister_pernet_subsys(&xt_net_ops); |
| kfree(xt); |
| } |
| |
| module_init(xt_init); |
| module_exit(xt_fini); |
| |