projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: ip6_tables: label placement
[linux-2.6-block.git] / net / ipv6 / netfilter / ip6_tables.c
CommitLineData
1da177e4
LT		 1/*
2 * Packet matching code.
3 *
4 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
6b7d31fc 5 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
f229f6ce 6 * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
1da177e4
LT		 7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
1da177e4 11 */
a81b2ce8 12
90e7d4ab 13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
a81b2ce8
JP		 14
15#include <linux/kernel.h>
4fc268d2 16#include <linux/capability.h>
14c85021 17#include <linux/in.h>
1da177e4
LT		 18#include <linux/skbuff.h>
19#include <linux/kmod.h>
20#include <linux/vmalloc.h>
21#include <linux/netdevice.h>
22#include <linux/module.h>
4bdbf6c0 23#include <linux/poison.h>
1da177e4 24#include <linux/icmpv6.h>
1da177e4 25#include <net/ipv6.h>
3bc3fe5e 26#include <net/compat.h>
1da177e4 27#include <asm/uaccess.h>
57b47a53 28#include <linux/mutex.h>
1da177e4 29#include <linux/proc_fs.h>
3bc3fe5e 30#include <linux/err.h>
c8923c6b 31#include <linux/cpumask.h>
1da177e4
LT		 32
33#include <linux/netfilter_ipv6/ip6_tables.h>
2e4e6a17 34#include <linux/netfilter/x_tables.h>
f01ffbd6 35#include <net/netfilter/nf_log.h>
e3eaa991 36#include "../../netfilter/xt_repldata.h"
1da177e4
LT		 37
38MODULE_LICENSE("GPL");
39MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
40MODULE_DESCRIPTION("IPv6 packet filter");
41
1da177e4
LT		 42/*#define DEBUG_IP_FIREWALL*/
43/*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
44/*#define DEBUG_IP_FIREWALL_USER*/
45
46#ifdef DEBUG_IP_FIREWALL
ff67e4e4 47#define dprintf(format, args...) pr_info(format , ## args)
1da177e4
LT		 48#else
49#define dprintf(format, args...)
50#endif
51
52#ifdef DEBUG_IP_FIREWALL_USER
ff67e4e4 53#define duprintf(format, args...) pr_info(format , ## args)
1da177e4
LT		 54#else
55#define duprintf(format, args...)
56#endif
57
58#ifdef CONFIG_NETFILTER_DEBUG
af567603 59#define IP_NF_ASSERT(x) WARN_ON(!(x))
1da177e4
LT		 60#else
61#define IP_NF_ASSERT(x)
62#endif
1da177e4 63
1da177e4
LT		 64#if 0
65/* All the better to debug you with... */
66#define static
67#define inline
68#endif
69
e3eaa991
JE		 70void *ip6t_alloc_initial_table(const struct xt_table *info)
71{
72 return xt_alloc_initial_table(ip6t, IP6T);
73}
74EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table);
75
6b7d31fc 76/*
1da177e4 77 We keep a set of rules for each CPU, so we can avoid write-locking
6b7d31fc
HW		 78 them in the softirq when updating the counters and therefore
79 only need to read-lock in the softirq; doing a write_lock_bh() in user
80 context stops packets coming through and allows user context to read
81 the counters or update the rules.
1da177e4 82
1da177e4
LT		 83 Hence the start of any table is given by get_table() below. */
84
1da177e4 85/* Returns whether matches rule or not. */
022748a9 86/* Performance critical - called for every packet */
1d93a9cb 87static inline bool
1da177e4
LT		 88ip6_packet_match(const struct sk_buff *skb,
89 const char *indev,
90 const char *outdev,
91 const struct ip6t_ip6 *ip6info,
92 unsigned int *protoff,
cff533ac 93 int *fragoff, bool *hotdrop)
1da177e4 94{
1da177e4 95 unsigned long ret;
0660e03f 96 const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
1da177e4 97
e79ec50b 98#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
1da177e4 99
f2ffd9ee 100 if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
3666ed1c
JP		 101 &ip6info->src), IP6T_INV_SRCIP) ||
102 FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
103 &ip6info->dst), IP6T_INV_DSTIP)) {
1da177e4
LT		 104 dprintf("Source or dest mismatch.\n");
105/*
106 dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
107 ipinfo->smsk.s_addr, ipinfo->src.s_addr,
108 ipinfo->invflags & IP6T_INV_SRCIP ? " (INV)" : "");
109 dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr,
110 ipinfo->dmsk.s_addr, ipinfo->dst.s_addr,
111 ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/
1d93a9cb 112 return false;
1da177e4
LT		 113 }
114
b8dfe498 115 ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
1da177e4
LT		 116
117 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
118 dprintf("VIA in mismatch (%s vs %s).%s\n",
119 indev, ip6info->iniface,
120 ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":"");
1d93a9cb 121 return false;
1da177e4
LT		 122 }
123
b8dfe498 124 ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
1da177e4
LT		 125
126 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
127 dprintf("VIA out mismatch (%s vs %s).%s\n",
128 outdev, ip6info->outiface,
129 ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":"");
1d93a9cb 130 return false;
1da177e4
LT		 131 }
132
133/* ... might want to do something with class and flowlabel here ... */
134
135 /* look for the desired protocol header */
136 if((ip6info->flags & IP6T_F_PROTO)) {
b777e0ce
PM		 137 int protohdr;
138 unsigned short _frag_off;
1da177e4 139
84018f55 140 protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off, NULL);
51d8b1a6
PM		 141 if (protohdr < 0) {
142 if (_frag_off == 0)
cff533ac 143 *hotdrop = true;
1d93a9cb 144 return false;
51d8b1a6 145 }
b777e0ce 146 *fragoff = _frag_off;
1da177e4
LT		 147
148 dprintf("Packet protocol %hi ?= %s%hi.\n",
1ab1457c 149 protohdr,
1da177e4
LT		 150 ip6info->invflags & IP6T_INV_PROTO ? "!":"",
151 ip6info->proto);
152
b777e0ce 153 if (ip6info->proto == protohdr) {
1da177e4 154 if(ip6info->invflags & IP6T_INV_PROTO) {
1d93a9cb 155 return false;
1da177e4 156 }
1d93a9cb 157 return true;
1da177e4
LT		 158 }
159
160 /* We need match for the '-p all', too! */
161 if ((ip6info->proto != 0) &&
162 !(ip6info->invflags & IP6T_INV_PROTO))
1d93a9cb 163 return false;
1da177e4 164 }
1d93a9cb 165 return true;
1da177e4
LT		 166}
167
168/* should be ip6 safe */
022748a9 169static bool
1da177e4
LT		 170ip6_checkentry(const struct ip6t_ip6 *ipv6)
171{
172 if (ipv6->flags & ~IP6T_F_MASK) {
173 duprintf("Unknown flag bits set: %08X\n",
174 ipv6->flags & ~IP6T_F_MASK);
ccb79bdc 175 return false;
1da177e4
LT		 176 }
177 if (ipv6->invflags & ~IP6T_INV_MASK) {
178 duprintf("Unknown invflag bits set: %08X\n",
179 ipv6->invflags & ~IP6T_INV_MASK);
ccb79bdc 180 return false;
1da177e4 181 }
ccb79bdc 182 return true;
1da177e4
LT		 183}
184
185static unsigned int
4b560b44 186ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
1da177e4 187{
e87cc472 188 net_info_ratelimited("error: `%s'\n", (const char *)par->targinfo);
1da177e4
LT		 189
190 return NF_DROP;
191}
192
1da177e4 193static inline struct ip6t_entry *
d5d1baa1 194get_entry(const void *base, unsigned int offset)
1da177e4
LT		 195{
196 return (struct ip6t_entry *)(base + offset);
197}
198
ba9dda3a 199/* All zeroes == unconditional rule. */
022748a9 200/* Mildly perf critical (only if packet tracing is on) */
47901dc2 201static inline bool unconditional(const struct ip6t_ip6 *ipv6)
ba9dda3a 202{
47901dc2 203 static const struct ip6t_ip6 uncond;
ba9dda3a 204
47901dc2 205 return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
ba9dda3a
JK		 206}
207
87a2e70d 208static inline const struct xt_entry_target *
d5d1baa1
JE		 209ip6t_get_target_c(const struct ip6t_entry *e)
210{
211 return ip6t_get_target((struct ip6t_entry *)e);
212}
213
07a93626 214#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
ba9dda3a 215/* This cries for unification! */
022748a9 216static const char *const hooknames[] = {
6e23ae2a
PM		 217 [NF_INET_PRE_ROUTING] = "PREROUTING",
218 [NF_INET_LOCAL_IN] = "INPUT",
219 [NF_INET_FORWARD] = "FORWARD",
220 [NF_INET_LOCAL_OUT] = "OUTPUT",
221 [NF_INET_POST_ROUTING] = "POSTROUTING",
ba9dda3a
JK		 222};
223
224enum nf_ip_trace_comments {
225 NF_IP6_TRACE_COMMENT_RULE,
226 NF_IP6_TRACE_COMMENT_RETURN,
227 NF_IP6_TRACE_COMMENT_POLICY,
228};
229
022748a9 230static const char *const comments[] = {
ba9dda3a
JK		 231 [NF_IP6_TRACE_COMMENT_RULE] = "rule",
232 [NF_IP6_TRACE_COMMENT_RETURN] = "return",
233 [NF_IP6_TRACE_COMMENT_POLICY] = "policy",
234};
235
236static struct nf_loginfo trace_loginfo = {
237 .type = NF_LOG_TYPE_LOG,
238 .u = {
239 .log = {
a81b2ce8 240 .level = LOGLEVEL_WARNING,
ba9dda3a
JK		 241 .logflags = NF_LOG_MASK,
242 },
243 },
244};
245
022748a9 246/* Mildly perf critical (only if packet tracing is on) */
ba9dda3a 247static inline int
d5d1baa1 248get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e,
4f2f6f23
JE		 249 const char *hookname, const char **chainname,
250 const char **comment, unsigned int *rulenum)
ba9dda3a 251{
87a2e70d 252 const struct xt_standard_target *t = (void *)ip6t_get_target_c(s);
ba9dda3a 253
243bf6e2 254 if (strcmp(t->target.u.kernel.target->name, XT_ERROR_TARGET) == 0) {
ba9dda3a
JK		 255 /* Head of user chain: ERROR target with chainname */
256 *chainname = t->target.data;
257 (*rulenum) = 0;
258 } else if (s == e) {
259 (*rulenum)++;
260
3666ed1c
JP		 261 if (s->target_offset == sizeof(struct ip6t_entry) &&
262 strcmp(t->target.u.kernel.target->name,
243bf6e2 263 XT_STANDARD_TARGET) == 0 &&
3666ed1c
JP		 264 t->verdict < 0 &&
265 unconditional(&s->ipv6)) {
ba9dda3a
JK		 266 /* Tail of chains: STANDARD target (return/policy) */
267 *comment = *chainname == hookname
4f2f6f23
JE		 268 ? comments[NF_IP6_TRACE_COMMENT_POLICY]
269 : comments[NF_IP6_TRACE_COMMENT_RETURN];
ba9dda3a
JK		 270 }
271 return 1;
272 } else
273 (*rulenum)++;
274
275 return 0;
276}
277
9dff2c96
EB		 278static void trace_packet(struct net *net,
279 const struct sk_buff *skb,
ba9dda3a
JK		 280 unsigned int hook,
281 const struct net_device *in,
282 const struct net_device *out,
ecb6f85e 283 const char *tablename,
d5d1baa1
JE		 284 const struct xt_table_info *private,
285 const struct ip6t_entry *e)
ba9dda3a 286{
5452e425 287 const struct ip6t_entry *root;
4f2f6f23 288 const char *hookname, *chainname, *comment;
72b2b1dd 289 const struct ip6t_entry *iter;
ba9dda3a
JK		 290 unsigned int rulenum = 0;
291
482cfc31 292 root = get_entry(private->entries, private->hook_entry[hook]);
ba9dda3a 293
4f2f6f23
JE		 294 hookname = chainname = hooknames[hook];
295 comment = comments[NF_IP6_TRACE_COMMENT_RULE];
ba9dda3a 296
72b2b1dd
JE		 297 xt_entry_foreach(iter, root, private->size - private->hook_entry[hook])
298 if (get_chainname_rulenum(iter, e, hookname,
299 &chainname, &comment, &rulenum) != 0)
300 break;
ba9dda3a 301
4017a7ee
PNA		 302 nf_log_trace(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
303 "TRACE: %s:%s:%s:%u ",
304 tablename, chainname, comment, rulenum);
ba9dda3a
JK		 305}
306#endif
307
6c7941de 308static inline struct ip6t_entry *
98e86403
JE		 309ip6t_next_entry(const struct ip6t_entry *entry)
310{
311 return (void *)entry + entry->next_offset;
312}
313
1da177e4
LT		 314/* Returns one of the generic firewall policies, like NF_ACCEPT. */
315unsigned int
3db05fea 316ip6t_do_table(struct sk_buff *skb,
8f8a3715 317 const struct nf_hook_state *state,
fe1cb108 318 struct xt_table *table)
1da177e4 319{
6cb8ff3f 320 unsigned int hook = state->hook;
6b7d31fc 321 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
1da177e4
LT		 322 /* Initializing verdict to NF_DROP keeps gcc happy. */
323 unsigned int verdict = NF_DROP;
324 const char *indev, *outdev;
d5d1baa1 325 const void *table_base;
f3c5c1bf 326 struct ip6t_entry *e, **jumpstack;
7814b6ec 327 unsigned int stackidx, cpu;
d5d1baa1 328 const struct xt_table_info *private;
de74c169 329 struct xt_action_param acpar;
7f5c6d4f 330 unsigned int addend;
1da177e4
LT		 331
332 /* Initialization */
7814b6ec 333 stackidx = 0;
8f8a3715
DM		 334 indev = state->in ? state->in->name : nulldevname;
335 outdev = state->out ? state->out->name : nulldevname;
1da177e4
LT		 336 /* We handle fragments by dealing with the first fragment as
337 * if it was a normal packet. All other fragments are treated
338 * normally, except that they will NEVER match rules that ask
339 * things we don't know, ie. tcp syn flag or ports). If the
340 * rule is also a fragment-specific rule, non-fragments won't
341 * match it. */
b4ba2611 342 acpar.hotdrop = false;
156c196f 343 acpar.net = state->net;
8f8a3715
DM		 344 acpar.in = state->in;
345 acpar.out = state->out;
de74c169
JE		 346 acpar.family = NFPROTO_IPV6;
347 acpar.hooknum = hook;
1da177e4 348
1da177e4 349 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
78454473 350
7f5c6d4f
ED		 351 local_bh_disable();
352 addend = xt_write_recseq_begin();
942e4a2b 353 private = table->private;
b416c144
WD		 354 /*
355 * Ensure we load private-> members after we've fetched the base
356 * pointer.
357 */
358 smp_read_barrier_depends();
f3c5c1bf 359 cpu = smp_processor_id();
482cfc31 360 table_base = private->entries;
f3c5c1bf 361 jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
7814b6ec
FW		 362
363 /* Switch to alternate jumpstack if we're being invoked via TEE.
364 * TEE issues XT_CONTINUE verdict on original skb so we must not
365 * clobber the jumpstack.
366 *
367 * For recursion via REJECT or SYNPROXY the stack will be clobbered
368 * but it is no problem since absolute verdict is issued by these.
369 */
dcebd315
FW		 370 if (static_key_false(&xt_tee_enabled))
371 jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
78454473 372
2e4e6a17 373 e = get_entry(table_base, private->hook_entry[hook]);
1da177e4 374
1da177e4 375 do {
87a2e70d 376 const struct xt_entry_target *t;
dcea992a 377 const struct xt_entry_match *ematch;
71ae0dff 378 struct xt_counters *counter;
a1ff4ac8 379
1da177e4 380 IP_NF_ASSERT(e);
84018f55 381 acpar.thoff = 0;
a1ff4ac8 382 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
b4ba2611 383 &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
dcea992a 384 no_match:
a1ff4ac8
JE		 385 e = ip6t_next_entry(e);
386 continue;
387 }
1da177e4 388
ef53d702 389 xt_ematch_foreach(ematch, e) {
de74c169
JE		 390 acpar.match = ematch->u.kernel.match;
391 acpar.matchinfo = ematch->data;
392 if (!acpar.match->match(skb, &acpar))
dcea992a 393 goto no_match;
ef53d702 394 }
dcea992a 395
71ae0dff
FW		 396 counter = xt_get_this_cpu_counter(&e->counters);
397 ADD_COUNTER(*counter, skb->len, 1);
1da177e4 398
d5d1baa1 399 t = ip6t_get_target_c(e);
a1ff4ac8 400 IP_NF_ASSERT(t->u.kernel.target);
ba9dda3a 401
07a93626 402#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
a1ff4ac8
JE		 403 /* The packet is traced: log it */
404 if (unlikely(skb->nf_trace))
9dff2c96
EB		 405 trace_packet(state->net, skb, hook, state->in,
406 state->out, table->name, private, e);
ba9dda3a 407#endif
a1ff4ac8
JE		 408 /* Standard target? */
409 if (!t->u.kernel.target->target) {
410 int v;
411
87a2e70d 412 v = ((struct xt_standard_target *)t)->verdict;
a1ff4ac8
JE		 413 if (v < 0) {
414 /* Pop from stack? */
243bf6e2 415 if (v != XT_RETURN) {
95c96174 416 verdict = (unsigned int)(-v) - 1;
a1ff4ac8 417 break;
1da177e4 418 }
7814b6ec 419 if (stackidx == 0)
f3c5c1bf
JE		 420 e = get_entry(table_base,
421 private->underflow[hook]);
422 else
7814b6ec 423 e = ip6t_next_entry(jumpstack[--stackidx]);
a1ff4ac8
JE		 424 continue;
425 }
3666ed1c
JP		 426 if (table_base + v != ip6t_next_entry(e) &&
427 !(e->ipv6.flags & IP6T_F_GOTO)) {
7814b6ec 428 jumpstack[stackidx++] = e;
a1ff4ac8 429 }
1da177e4 430
a1ff4ac8 431 e = get_entry(table_base, v);
7a6b1c46
JE		 432 continue;
433 }
434
de74c169
JE		 435 acpar.target = t->u.kernel.target;
436 acpar.targinfo = t->data;
7eb35586 437
de74c169 438 verdict = t->u.kernel.target->target(skb, &acpar);
243bf6e2 439 if (verdict == XT_CONTINUE)
7a6b1c46
JE		 440 e = ip6t_next_entry(e);
441 else
442 /* Verdict */
443 break;
b4ba2611 444 } while (!acpar.hotdrop);
1da177e4 445
7f5c6d4f
ED		 446 xt_write_recseq_end(addend);
447 local_bh_enable();
1da177e4
LT		 448
449#ifdef DEBUG_ALLOW_ALL
450 return NF_ACCEPT;
451#else
b4ba2611 452 if (acpar.hotdrop)
1da177e4
LT		 453 return NF_DROP;
454 else return verdict;
455#endif
456}
457
1da177e4 458/* Figures out from what hook each rule can be called: returns 0 if
98dbbfc3 459 there are loops. Puts hook bitmask in comefrom. */
1da177e4 460static int
98dbbfc3 461mark_source_chains(const struct xt_table_info *newinfo,
31836064 462 unsigned int valid_hooks, void *entry0)
1da177e4
LT		 463{
464 unsigned int hook;
465
466 /* No recursion; use packet counter to save back ptrs (reset
467 to 0 as we leave), and comefrom to save source hook bitmask */
6e23ae2a 468 for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
1da177e4 469 unsigned int pos = newinfo->hook_entry[hook];
9c547959 470 struct ip6t_entry *e = (struct ip6t_entry *)(entry0 + pos);
1da177e4
LT		 471
472 if (!(valid_hooks & (1 << hook)))
473 continue;
474
475 /* Set initial back pointer. */
476 e->counters.pcnt = pos;
477
478 for (;;) {
87a2e70d 479 const struct xt_standard_target *t
d5d1baa1 480 = (void *)ip6t_get_target_c(e);
9c547959 481 int visited = e->comefrom & (1 << hook);
1da177e4 482
6e23ae2a 483 if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
654d0fbd 484 pr_err("iptables: loop hook %u pos %u %08X.\n",
1da177e4
LT		 485 hook, pos, e->comefrom);
486 return 0;
487 }
9c547959 488 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
1da177e4
LT		 489
490 /* Unconditional return/END. */
3666ed1c
JP		 491 if ((e->target_offset == sizeof(struct ip6t_entry) &&
492 (strcmp(t->target.u.user.name,
243bf6e2 493 XT_STANDARD_TARGET) == 0) &&
3666ed1c
JP		 494 t->verdict < 0 &&
495 unconditional(&e->ipv6)) || visited) {
1da177e4
LT		 496 unsigned int oldpos, size;
497
1f9352ae 498 if ((strcmp(t->target.u.user.name,
243bf6e2 499 XT_STANDARD_TARGET) == 0) &&
1f9352ae 500 t->verdict < -NF_MAX_VERDICT - 1) {
74c9c0c1
DM		 501 duprintf("mark_source_chains: bad "
502 "negative verdict (%i)\n",
503 t->verdict);
504 return 0;
505 }
506
1da177e4
LT		 507 /* Return: backtrack through the last
508 big jump. */
509 do {
6e23ae2a 510 e->comefrom ^= (1<<NF_INET_NUMHOOKS);
1da177e4
LT		 511#ifdef DEBUG_IP_FIREWALL_USER
512 if (e->comefrom
6e23ae2a 513 & (1 << NF_INET_NUMHOOKS)) {
1da177e4
LT		 514 duprintf("Back unset "
515 "on hook %u "
516 "rule %u\n",
517 hook, pos);
518 }
519#endif
520 oldpos = pos;
521 pos = e->counters.pcnt;
522 e->counters.pcnt = 0;
523
524 /* We're at the start. */
525 if (pos == oldpos)
526 goto next;
527
528 e = (struct ip6t_entry *)
31836064 529 (entry0 + pos);
1da177e4
LT		 530 } while (oldpos == pos + e->next_offset);
531
532 /* Move along one */
533 size = e->next_offset;
534 e = (struct ip6t_entry *)
31836064 535 (entry0 + pos + size);
1da177e4
LT		 536 e->counters.pcnt = pos;
537 pos += size;
538 } else {
539 int newpos = t->verdict;
540
541 if (strcmp(t->target.u.user.name,
243bf6e2 542 XT_STANDARD_TARGET) == 0 &&
3666ed1c 543 newpos >= 0) {
74c9c0c1
DM		 544 if (newpos > newinfo->size -
545 sizeof(struct ip6t_entry)) {
546 duprintf("mark_source_chains: "
547 "bad verdict (%i)\n",
548 newpos);
549 return 0;
550 }
1da177e4
LT		 551 /* This a jump; chase it. */
552 duprintf("Jump rule %u -> %u\n",
553 pos, newpos);
554 } else {
555 /* ... this is a fallthru */
556 newpos = pos + e->next_offset;
557 }
558 e = (struct ip6t_entry *)
31836064 559 (entry0 + newpos);
1da177e4
LT		 560 e->counters.pcnt = pos;
561 pos = newpos;
562 }
563 }
6ac94619 564next:
1da177e4
LT		 565 duprintf("Finished chain %u\n", hook);
566 }
567 return 1;
568}
569
87a2e70d 570static void cleanup_match(struct xt_entry_match *m, struct net *net)
1da177e4 571{
6be3d859
JE		 572 struct xt_mtdtor_param par;
573
f54e9367 574 par.net = net;
6be3d859
JE		 575 par.match = m->u.kernel.match;
576 par.matchinfo = m->data;
916a917d 577 par.family = NFPROTO_IPV6;
6be3d859
JE		 578 if (par.match->destroy != NULL)
579 par.match->destroy(&par);
580 module_put(par.match->me);
1da177e4
LT		 581}
582
022748a9 583static int
d5d1baa1 584check_entry(const struct ip6t_entry *e, const char *name)
f173c8a1 585{
87a2e70d 586 const struct xt_entry_target *t;
f173c8a1
PM		 587
588 if (!ip6_checkentry(&e->ipv6)) {
589 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
590 return -EINVAL;
591 }
592
87a2e70d 593 if (e->target_offset + sizeof(struct xt_entry_target) >
f173c8a1
PM		 594 e->next_offset)
595 return -EINVAL;
596
d5d1baa1 597 t = ip6t_get_target_c(e);
f173c8a1
PM		 598 if (e->target_offset + t->u.target_size > e->next_offset)
599 return -EINVAL;
600
601 return 0;
602}
603
87a2e70d 604static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
f173c8a1 605{
9b4fce7a 606 const struct ip6t_ip6 *ipv6 = par->entryinfo;
f173c8a1
PM		 607 int ret;
608
9b4fce7a
JE		 609 par->match = m->u.kernel.match;
610 par->matchinfo = m->data;
611
916a917d 612 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
9b4fce7a 613 ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
367c6790 614 if (ret < 0) {
f173c8a1 615 duprintf("ip_tables: check failed for `%s'.\n",
9b4fce7a 616 par.match->name);
367c6790 617 return ret;
f173c8a1 618 }
367c6790 619 return 0;
f173c8a1
PM		 620}
621
022748a9 622static int
87a2e70d 623find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
1da177e4 624{
6709dbbb 625 struct xt_match *match;
3cdc7c95 626 int ret;
1da177e4 627
fd0ec0e6
JE		 628 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
629 m->u.user.revision);
630 if (IS_ERR(match)) {
f173c8a1 631 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
fd0ec0e6 632 return PTR_ERR(match);
1da177e4
LT		 633 }
634 m->u.kernel.match = match;
1da177e4 635
6bdb331b 636 ret = check_match(m, par);
3cdc7c95
PM		 637 if (ret)
638 goto err;
639
1da177e4 640 return 0;
3cdc7c95
PM		 641err:
642 module_put(m->u.kernel.match->me);
643 return ret;
1da177e4
LT		 644}
645
add67461 646static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
1da177e4 647{
87a2e70d 648 struct xt_entry_target *t = ip6t_get_target(e);
af5d6dc2 649 struct xt_tgchk_param par = {
add67461 650 .net = net,
af5d6dc2
JE		 651 .table = name,
652 .entryinfo = e,
653 .target = t->u.kernel.target,
654 .targinfo = t->data,
655 .hook_mask = e->comefrom,
916a917d 656 .family = NFPROTO_IPV6,
af5d6dc2 657 };
1da177e4 658 int ret;
1da177e4 659
f173c8a1 660 t = ip6t_get_target(e);
916a917d 661 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
af5d6dc2 662 e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
367c6790 663 if (ret < 0) {
f173c8a1
PM		 664 duprintf("ip_tables: check failed for `%s'.\n",
665 t->u.kernel.target->name);
367c6790 666 return ret;
1da177e4 667 }
367c6790 668 return 0;
f173c8a1 669}
1da177e4 670
022748a9 671static int
a83d8e8d 672find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
0559518b 673 unsigned int size)
f173c8a1 674{
87a2e70d 675 struct xt_entry_target *t;
f173c8a1
PM		 676 struct xt_target *target;
677 int ret;
678 unsigned int j;
9b4fce7a 679 struct xt_mtchk_param mtpar;
dcea992a 680 struct xt_entry_match *ematch;
f173c8a1
PM		 681
682 ret = check_entry(e, name);
683 if (ret)
684 return ret;
590bdf7f 685
71ae0dff
FW		 686 e->counters.pcnt = xt_percpu_counter_alloc();
687 if (IS_ERR_VALUE(e->counters.pcnt))
688 return -ENOMEM;
689
1da177e4 690 j = 0;
a83d8e8d 691 mtpar.net = net;
9b4fce7a
JE		 692 mtpar.table = name;
693 mtpar.entryinfo = &e->ipv6;
694 mtpar.hook_mask = e->comefrom;
916a917d 695 mtpar.family = NFPROTO_IPV6;
dcea992a 696 xt_ematch_foreach(ematch, e) {
6bdb331b 697 ret = find_check_match(ematch, &mtpar);
dcea992a 698 if (ret != 0)
6bdb331b
JE		 699 goto cleanup_matches;
700 ++j;
dcea992a 701 }
1da177e4
LT		 702
703 t = ip6t_get_target(e);
d2a7b6ba
JE		 704 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
705 t->u.user.revision);
706 if (IS_ERR(target)) {
f173c8a1 707 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
d2a7b6ba 708 ret = PTR_ERR(target);
1da177e4
LT		 709 goto cleanup_matches;
710 }
711 t->u.kernel.target = target;
6b7d31fc 712
add67461 713 ret = check_target(e, net, name);
3cdc7c95
PM		 714 if (ret)
715 goto err;
1da177e4 716 return 0;
3cdc7c95
PM		 717 err:
718 module_put(t->u.kernel.target->me);
1da177e4 719 cleanup_matches:
6bdb331b
JE		 720 xt_ematch_foreach(ematch, e) {
721 if (j-- == 0)
dcea992a 722 break;
6bdb331b
JE		 723 cleanup_match(ematch, net);
724 }
71ae0dff
FW		 725
726 xt_percpu_counter_free(e->counters.pcnt);
727
1da177e4
LT		 728 return ret;
729}
730
d5d1baa1 731static bool check_underflow(const struct ip6t_entry *e)
e2fe35c1 732{
87a2e70d 733 const struct xt_entry_target *t;
e2fe35c1
JE		 734 unsigned int verdict;
735
736 if (!unconditional(&e->ipv6))
737 return false;
d5d1baa1 738 t = ip6t_get_target_c(e);
e2fe35c1
JE		 739 if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
740 return false;
87a2e70d 741 verdict = ((struct xt_standard_target *)t)->verdict;
e2fe35c1
JE		 742 verdict = -verdict - 1;
743 return verdict == NF_DROP || verdict == NF_ACCEPT;
744}
745
022748a9 746static int
1da177e4 747check_entry_size_and_hooks(struct ip6t_entry *e,
2e4e6a17 748 struct xt_table_info *newinfo,
d5d1baa1
JE		 749 const unsigned char *base,
750 const unsigned char *limit,
1da177e4
LT		 751 const unsigned int *hook_entries,
752 const unsigned int *underflows,
0559518b 753 unsigned int valid_hooks)
1da177e4
LT		 754{
755 unsigned int h;
756
3666ed1c
JP		 757 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
758 (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
1da177e4
LT		 759 duprintf("Bad offset %p\n", e);
760 return -EINVAL;
761 }
762
763 if (e->next_offset
87a2e70d 764 < sizeof(struct ip6t_entry) + sizeof(struct xt_entry_target)) {
1da177e4
LT		 765 duprintf("checking: element %p size %u\n",
766 e, e->next_offset);
767 return -EINVAL;
768 }
769
770 /* Check hooks & underflows */
6e23ae2a 771 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
a7d51738
JE		 772 if (!(valid_hooks & (1 << h)))
773 continue;
1da177e4
LT		 774 if ((unsigned char *)e - base == hook_entries[h])
775 newinfo->hook_entry[h] = hook_entries[h];
90e7d4ab 776 if ((unsigned char *)e - base == underflows[h]) {
e2fe35c1
JE		 777 if (!check_underflow(e)) {
778 pr_err("Underflows must be unconditional and "
779 "use the STANDARD target with "
780 "ACCEPT/DROP\n");
90e7d4ab
JE		 781 return -EINVAL;
782 }
1da177e4 783 newinfo->underflow[h] = underflows[h];
90e7d4ab 784 }
1da177e4
LT		 785 }
786
1da177e4 787 /* Clear counters and comefrom */
2e4e6a17 788 e->counters = ((struct xt_counters) { 0, 0 });
1da177e4 789 e->comefrom = 0;
1da177e4
LT		 790 return 0;
791}
792
0559518b 793static void cleanup_entry(struct ip6t_entry *e, struct net *net)
1da177e4 794{
a2df1648 795 struct xt_tgdtor_param par;
87a2e70d 796 struct xt_entry_target *t;
dcea992a 797 struct xt_entry_match *ematch;
1da177e4 798
1da177e4 799 /* Cleanup all matches */
dcea992a 800 xt_ematch_foreach(ematch, e)
6bdb331b 801 cleanup_match(ematch, net);
1da177e4 802 t = ip6t_get_target(e);
a2df1648 803
add67461 804 par.net = net;
a2df1648
JE		 805 par.target = t->u.kernel.target;
806 par.targinfo = t->data;
916a917d 807 par.family = NFPROTO_IPV6;
a2df1648
JE		 808 if (par.target->destroy != NULL)
809 par.target->destroy(&par);
810 module_put(par.target->me);
71ae0dff
FW		 811
812 xt_percpu_counter_free(e->counters.pcnt);
1da177e4
LT		 813}
814
815/* Checks and translates the user-supplied table segment (held in
816 newinfo) */
817static int
0f234214
JE		 818translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
819 const struct ip6t_replace *repl)
1da177e4 820{
72b2b1dd 821 struct ip6t_entry *iter;
1da177e4 822 unsigned int i;
72b2b1dd 823 int ret = 0;
1da177e4 824
0f234214
JE		 825 newinfo->size = repl->size;
826 newinfo->number = repl->num_entries;
1da177e4
LT		 827
828 /* Init all hooks to impossible value. */
6e23ae2a 829 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1da177e4
LT		 830 newinfo->hook_entry[i] = 0xFFFFFFFF;
831 newinfo->underflow[i] = 0xFFFFFFFF;
832 }
833
834 duprintf("translate_table: size %u\n", newinfo->size);
835 i = 0;
836 /* Walk through entries, checking offsets. */
72b2b1dd
JE		 837 xt_entry_foreach(iter, entry0, newinfo->size) {
838 ret = check_entry_size_and_hooks(iter, newinfo, entry0,
6b4ff2d7
JE		 839 entry0 + repl->size,
840 repl->hook_entry,
841 repl->underflow,
842 repl->valid_hooks);
72b2b1dd 843 if (ret != 0)
0559518b
JE		 844 return ret;
845 ++i;
98dbbfc3
FW		 846 if (strcmp(ip6t_get_target(iter)->u.user.name,
847 XT_ERROR_TARGET) == 0)
848 ++newinfo->stacksize;
72b2b1dd 849 }
1da177e4 850
0f234214 851 if (i != repl->num_entries) {
1da177e4 852 duprintf("translate_table: %u not %u entries\n",
0f234214 853 i, repl->num_entries);
1da177e4
LT		 854 return -EINVAL;
855 }
856
857 /* Check hooks all assigned */
6e23ae2a 858 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1da177e4 859 /* Only hooks which are valid */
0f234214 860 if (!(repl->valid_hooks & (1 << i)))
1da177e4
LT		 861 continue;
862 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
863 duprintf("Invalid hook entry %u %u\n",
0f234214 864 i, repl->hook_entry[i]);
1da177e4
LT		 865 return -EINVAL;
866 }
867 if (newinfo->underflow[i] == 0xFFFFFFFF) {
868 duprintf("Invalid underflow %u %u\n",
0f234214 869 i, repl->underflow[i]);
1da177e4
LT		 870 return -EINVAL;
871 }
872 }
873
0f234214 874 if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
74c9c0c1
DM		 875 return -ELOOP;
876
1da177e4
LT		 877 /* Finally, each sanity check must pass */
878 i = 0;
72b2b1dd 879 xt_entry_foreach(iter, entry0, newinfo->size) {
0f234214 880 ret = find_check_entry(iter, net, repl->name, repl->size);
72b2b1dd
JE		 881 if (ret != 0)
882 break;
0559518b 883 ++i;
72b2b1dd 884 }
1da177e4 885
74c9c0c1 886 if (ret != 0) {
0559518b
JE		 887 xt_entry_foreach(iter, entry0, newinfo->size) {
888 if (i-- == 0)
72b2b1dd 889 break;
0559518b
JE		 890 cleanup_entry(iter, net);
891 }
74c9c0c1
DM		 892 return ret;
893 }
1da177e4 894
9c547959 895 return ret;
1da177e4
LT		 896}
897
1da177e4 898static void
2e4e6a17
HW		 899get_counters(const struct xt_table_info *t,
900 struct xt_counters counters[])
1da177e4 901{
72b2b1dd 902 struct ip6t_entry *iter;
1da177e4
LT		 903 unsigned int cpu;
904 unsigned int i;
905
6f912042 906 for_each_possible_cpu(cpu) {
7f5c6d4f 907 seqcount_t *s = &per_cpu(xt_recseq, cpu);
83723d60 908
1da177e4 909 i = 0;
482cfc31 910 xt_entry_foreach(iter, t->entries, t->size) {
71ae0dff 911 struct xt_counters *tmp;
83723d60
ED		 912 u64 bcnt, pcnt;
913 unsigned int start;
914
71ae0dff 915 tmp = xt_get_per_cpu_counter(&iter->counters, cpu);
83723d60 916 do {
7f5c6d4f 917 start = read_seqcount_begin(s);
71ae0dff
FW		 918 bcnt = tmp->bcnt;
919 pcnt = tmp->pcnt;
7f5c6d4f 920 } while (read_seqcount_retry(s, start));
83723d60
ED		 921
922 ADD_COUNTER(counters[i], bcnt, pcnt);
0559518b
JE		 923 ++i;
924 }
1da177e4 925 }
78454473
SH		 926}
927
d5d1baa1 928static struct xt_counters *alloc_counters(const struct xt_table *table)
1da177e4 929{
ed1a6f5e 930 unsigned int countersize;
2e4e6a17 931 struct xt_counters *counters;
d5d1baa1 932 const struct xt_table_info *private = table->private;
1da177e4
LT		 933
934 /* We need atomic snapshot of counters: rest doesn't change
935 (other than comefrom, which userspace doesn't care
936 about). */
2e4e6a17 937 countersize = sizeof(struct xt_counters) * private->number;
83723d60 938 counters = vzalloc(countersize);
1da177e4
LT		 939
940 if (counters == NULL)
942e4a2b 941 return ERR_PTR(-ENOMEM);
78454473 942
942e4a2b 943 get_counters(private, counters);
78454473 944
49a88d18 945 return counters;
ed1a6f5e
PM		 946}
947
948static int
949copy_entries_to_user(unsigned int total_size,
d5d1baa1 950 const struct xt_table *table,
ed1a6f5e
PM		 951 void __user *userptr)
952{
953 unsigned int off, num;
d5d1baa1 954 const struct ip6t_entry *e;
ed1a6f5e 955 struct xt_counters *counters;
5452e425 956 const struct xt_table_info *private = table->private;
ed1a6f5e 957 int ret = 0;
711bdde6 958 const void *loc_cpu_entry;
ed1a6f5e
PM		 959
960 counters = alloc_counters(table);
961 if (IS_ERR(counters))
962 return PTR_ERR(counters);
963
482cfc31 964 loc_cpu_entry = private->entries;
31836064 965 if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
1da177e4
LT		 966 ret = -EFAULT;
967 goto free_counters;
968 }
969
970 /* FIXME: use iterator macros --RR */
971 /* ... then go back and fix counters and names */
972 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
973 unsigned int i;
87a2e70d
JE		 974 const struct xt_entry_match *m;
975 const struct xt_entry_target *t;
1da177e4 976
31836064 977 e = (struct ip6t_entry *)(loc_cpu_entry + off);
1da177e4
LT		 978 if (copy_to_user(userptr + off
979 + offsetof(struct ip6t_entry, counters),
980 &counters[num],
981 sizeof(counters[num])) != 0) {
982 ret = -EFAULT;
983 goto free_counters;
984 }
985
986 for (i = sizeof(struct ip6t_entry);
987 i < e->target_offset;
988 i += m->u.match_size) {
989 m = (void *)e + i;
990
991 if (copy_to_user(userptr + off + i
87a2e70d 992 + offsetof(struct xt_entry_match,
1da177e4
LT		 993 u.user.name),
994 m->u.kernel.match->name,
995 strlen(m->u.kernel.match->name)+1)
996 != 0) {
997 ret = -EFAULT;
998 goto free_counters;
999 }
1000 }
1001
d5d1baa1 1002 t = ip6t_get_target_c(e);
1da177e4 1003 if (copy_to_user(userptr + off + e->target_offset
87a2e70d 1004 + offsetof(struct xt_entry_target,
1da177e4
LT		 1005 u.user.name),
1006 t->u.kernel.target->name,
1007 strlen(t->u.kernel.target->name)+1) != 0) {
1008 ret = -EFAULT;
1009 goto free_counters;
1010 }
1011 }
1012
1013 free_counters:
1014 vfree(counters);
1015 return ret;
1016}
1017
3bc3fe5e 1018#ifdef CONFIG_COMPAT
739674fb 1019static void compat_standard_from_user(void *dst, const void *src)
3bc3fe5e
PM		 1020{
1021 int v = *(compat_int_t *)src;
1022
1023 if (v > 0)
1024 v += xt_compat_calc_jump(AF_INET6, v);
1025 memcpy(dst, &v, sizeof(v));
1026}
1027
739674fb 1028static int compat_standard_to_user(void __user *dst, const void *src)
3bc3fe5e
PM		 1029{
1030 compat_int_t cv = *(int *)src;
1031
1032 if (cv > 0)
1033 cv -= xt_compat_calc_jump(AF_INET6, cv);
1034 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
1035}
1036
d5d1baa1 1037static int compat_calc_entry(const struct ip6t_entry *e,
3bc3fe5e 1038 const struct xt_table_info *info,
d5d1baa1 1039 const void *base, struct xt_table_info *newinfo)
3bc3fe5e 1040{
dcea992a 1041 const struct xt_entry_match *ematch;
87a2e70d 1042 const struct xt_entry_target *t;
3bc3fe5e
PM		 1043 unsigned int entry_offset;
1044 int off, i, ret;
1045
1046 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1047 entry_offset = (void *)e - base;
dcea992a 1048 xt_ematch_foreach(ematch, e)
6bdb331b 1049 off += xt_compat_match_offset(ematch->u.kernel.match);
d5d1baa1 1050 t = ip6t_get_target_c(e);
3bc3fe5e
PM		 1051 off += xt_compat_target_offset(t->u.kernel.target);
1052 newinfo->size -= off;
1053 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1054 if (ret)
1055 return ret;
1056
1057 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1058 if (info->hook_entry[i] &&
1059 (e < (struct ip6t_entry *)(base + info->hook_entry[i])))
1060 newinfo->hook_entry[i] -= off;
1061 if (info->underflow[i] &&
1062 (e < (struct ip6t_entry *)(base + info->underflow[i])))
1063 newinfo->underflow[i] -= off;
1064 }
1065 return 0;
1066}
1067
1068static int compat_table_info(const struct xt_table_info *info,
1069 struct xt_table_info *newinfo)
1070{
72b2b1dd 1071 struct ip6t_entry *iter;
711bdde6 1072 const void *loc_cpu_entry;
0559518b 1073 int ret;
3bc3fe5e
PM		 1074
1075 if (!newinfo || !info)
1076 return -EINVAL;
1077
482cfc31 1078 /* we dont care about newinfo->entries */
3bc3fe5e
PM		 1079 memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
1080 newinfo->initial_entries = 0;
482cfc31 1081 loc_cpu_entry = info->entries;
255d0dc3 1082 xt_compat_init_offsets(AF_INET6, info->number);
72b2b1dd
JE		 1083 xt_entry_foreach(iter, loc_cpu_entry, info->size) {
1084 ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
1085 if (ret != 0)
0559518b 1086 return ret;
72b2b1dd 1087 }
0559518b 1088 return 0;
3bc3fe5e
PM		 1089}
1090#endif
1091
d5d1baa1
JE		 1092static int get_info(struct net *net, void __user *user,
1093 const int *len, int compat)
433665c9 1094{
12b00c2c 1095 char name[XT_TABLE_MAXNAMELEN];
433665c9
PM		 1096 struct xt_table *t;
1097 int ret;
1098
1099 if (*len != sizeof(struct ip6t_getinfo)) {
c9d8fe13 1100 duprintf("length %u != %zu\n", *len,
433665c9
PM		 1101 sizeof(struct ip6t_getinfo));
1102 return -EINVAL;
1103 }
1104
1105 if (copy_from_user(name, user, sizeof(name)) != 0)
1106 return -EFAULT;
1107
12b00c2c 1108 name[XT_TABLE_MAXNAMELEN-1] = '\0';
3bc3fe5e
PM		 1109#ifdef CONFIG_COMPAT
1110 if (compat)
1111 xt_compat_lock(AF_INET6);
1112#endif
336b517f 1113 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
433665c9 1114 "ip6table_%s", name);
0cc8d8df 1115 if (!IS_ERR_OR_NULL(t)) {
433665c9 1116 struct ip6t_getinfo info;
5452e425 1117 const struct xt_table_info *private = t->private;
3bc3fe5e 1118#ifdef CONFIG_COMPAT
14c7dbe0
AD		 1119 struct xt_table_info tmp;
1120
3bc3fe5e 1121 if (compat) {
3bc3fe5e
PM		 1122 ret = compat_table_info(private, &tmp);
1123 xt_compat_flush_offsets(AF_INET6);
1124 private = &tmp;
1125 }
1126#endif
cccbe5ef 1127 memset(&info, 0, sizeof(info));
433665c9
PM		 1128 info.valid_hooks = t->valid_hooks;
1129 memcpy(info.hook_entry, private->hook_entry,
1130 sizeof(info.hook_entry));
1131 memcpy(info.underflow, private->underflow,
1132 sizeof(info.underflow));
1133 info.num_entries = private->number;
1134 info.size = private->size;
b5dd674b 1135 strcpy(info.name, name);
433665c9
PM		 1136
1137 if (copy_to_user(user, &info, *len) != 0)
1138 ret = -EFAULT;
1139 else
1140 ret = 0;
1141
1142 xt_table_unlock(t);
1143 module_put(t->me);
1144 } else
1145 ret = t ? PTR_ERR(t) : -ENOENT;
3bc3fe5e
PM		 1146#ifdef CONFIG_COMPAT
1147 if (compat)
1148 xt_compat_unlock(AF_INET6);
1149#endif
433665c9
PM		 1150 return ret;
1151}
1152
1da177e4 1153static int
d5d1baa1
JE		 1154get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
1155 const int *len)
1da177e4
LT		 1156{
1157 int ret;
d924357c 1158 struct ip6t_get_entries get;
2e4e6a17 1159 struct xt_table *t;
1da177e4 1160
d924357c 1161 if (*len < sizeof(get)) {
c9d8fe13 1162 duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
d924357c
PM		 1163 return -EINVAL;
1164 }
1165 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1166 return -EFAULT;
1167 if (*len != sizeof(struct ip6t_get_entries) + get.size) {
c9d8fe13
PM		 1168 duprintf("get_entries: %u != %zu\n",
1169 *len, sizeof(get) + get.size);
d924357c
PM		 1170 return -EINVAL;
1171 }
1172
336b517f 1173 t = xt_find_table_lock(net, AF_INET6, get.name);
0cc8d8df 1174 if (!IS_ERR_OR_NULL(t)) {
2e4e6a17
HW		 1175 struct xt_table_info *private = t->private;
1176 duprintf("t->private->number = %u\n", private->number);
d924357c 1177 if (get.size == private->size)
2e4e6a17 1178 ret = copy_entries_to_user(private->size,
1da177e4
LT		 1179 t, uptr->entrytable);
1180 else {
1181 duprintf("get_entries: I've got %u not %u!\n",
9c547959 1182 private->size, get.size);
544473c1 1183 ret = -EAGAIN;
1da177e4 1184 }
6b7d31fc 1185 module_put(t->me);
2e4e6a17 1186 xt_table_unlock(t);
1da177e4 1187 } else
6b7d31fc 1188 ret = t ? PTR_ERR(t) : -ENOENT;
1da177e4
LT		 1189
1190 return ret;
1191}
1192
1193static int
336b517f 1194__do_replace(struct net *net, const char *name, unsigned int valid_hooks,
3bc3fe5e
PM		 1195 struct xt_table_info *newinfo, unsigned int num_counters,
1196 void __user *counters_ptr)
1da177e4
LT		 1197{
1198 int ret;
2e4e6a17 1199 struct xt_table *t;
3bc3fe5e 1200 struct xt_table_info *oldinfo;
2e4e6a17 1201 struct xt_counters *counters;
72b2b1dd 1202 struct ip6t_entry *iter;
1da177e4 1203
3bc3fe5e 1204 ret = 0;
83723d60 1205 counters = vzalloc(num_counters * sizeof(struct xt_counters));
1da177e4
LT		 1206 if (!counters) {
1207 ret = -ENOMEM;
3bc3fe5e 1208 goto out;
1da177e4 1209 }
1da177e4 1210
336b517f 1211 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
3bc3fe5e 1212 "ip6table_%s", name);
0cc8d8df 1213 if (IS_ERR_OR_NULL(t)) {
6b7d31fc 1214 ret = t ? PTR_ERR(t) : -ENOENT;
1da177e4 1215 goto free_newinfo_counters_untrans;
6b7d31fc 1216 }
1da177e4
LT		 1217
1218 /* You lied! */
3bc3fe5e 1219 if (valid_hooks != t->valid_hooks) {
1da177e4 1220 duprintf("Valid hook crap: %08X vs %08X\n",
3bc3fe5e 1221 valid_hooks, t->valid_hooks);
1da177e4 1222 ret = -EINVAL;
6b7d31fc 1223 goto put_module;
1da177e4
LT		 1224 }
1225
3bc3fe5e 1226 oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1da177e4
LT		 1227 if (!oldinfo)
1228 goto put_module;
1229
1230 /* Update module usage count based on number of rules */
1231 duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1232 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1ab1457c
YH		 1233 if ((oldinfo->number > oldinfo->initial_entries) ||
1234 (newinfo->number <= oldinfo->initial_entries))
1da177e4
LT		 1235 module_put(t->me);
1236 if ((oldinfo->number > oldinfo->initial_entries) &&
1237 (newinfo->number <= oldinfo->initial_entries))
1238 module_put(t->me);
1239
942e4a2b 1240 /* Get the old counters, and synchronize with replace */
1da177e4 1241 get_counters(oldinfo, counters);
942e4a2b 1242
1da177e4 1243 /* Decrease module usage counts and free resource */
482cfc31 1244 xt_entry_foreach(iter, oldinfo->entries, oldinfo->size)
0559518b 1245 cleanup_entry(iter, net);
72b2b1dd 1246
2e4e6a17 1247 xt_free_table_info(oldinfo);
3bc3fe5e 1248 if (copy_to_user(counters_ptr, counters,
c58dd2dd
TG		 1249 sizeof(struct xt_counters) * num_counters) != 0) {
1250 /* Silent error, can't fail, new table is already in place */
1251 net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
1252 }
1da177e4 1253 vfree(counters);
2e4e6a17 1254 xt_table_unlock(t);
1da177e4
LT		 1255 return ret;
1256
1257 put_module:
1258 module_put(t->me);
2e4e6a17 1259 xt_table_unlock(t);
1da177e4 1260 free_newinfo_counters_untrans:
1da177e4 1261 vfree(counters);
3bc3fe5e
PM		 1262 out:
1263 return ret;
1264}
1265
1266static int
d5d1baa1 1267do_replace(struct net *net, const void __user *user, unsigned int len)
3bc3fe5e
PM		 1268{
1269 int ret;
1270 struct ip6t_replace tmp;
1271 struct xt_table_info *newinfo;
1272 void *loc_cpu_entry;
72b2b1dd 1273 struct ip6t_entry *iter;
3bc3fe5e
PM		 1274
1275 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1276 return -EFAULT;
1277
1278 /* overflow check */
1279 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1280 return -ENOMEM;
1086bbe9
DJ		 1281 if (tmp.num_counters == 0)
1282 return -EINVAL;
1283
6a8ab060 1284 tmp.name[sizeof(tmp.name)-1] = 0;
3bc3fe5e
PM		 1285
1286 newinfo = xt_alloc_table_info(tmp.size);
1287 if (!newinfo)
1288 return -ENOMEM;
1289
482cfc31 1290 loc_cpu_entry = newinfo->entries;
3bc3fe5e
PM		 1291 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1292 tmp.size) != 0) {
1293 ret = -EFAULT;
1294 goto free_newinfo;
1295 }
1296
0f234214 1297 ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
3bc3fe5e
PM		 1298 if (ret != 0)
1299 goto free_newinfo;
1300
1301 duprintf("ip_tables: Translated table\n");
1302
336b517f 1303 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
3bc3fe5e
PM		 1304 tmp.num_counters, tmp.counters);
1305 if (ret)
1306 goto free_newinfo_untrans;
1307 return 0;
1308
1309 free_newinfo_untrans:
72b2b1dd 1310 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
0559518b 1311 cleanup_entry(iter, net);
1da177e4 1312 free_newinfo:
2e4e6a17 1313 xt_free_table_info(newinfo);
1da177e4
LT		 1314 return ret;
1315}
1316
1da177e4 1317static int
d5d1baa1 1318do_add_counters(struct net *net, const void __user *user, unsigned int len,
336b517f 1319 int compat)
1da177e4 1320{
482cfc31 1321 unsigned int i;
3bc3fe5e
PM		 1322 struct xt_counters_info tmp;
1323 struct xt_counters *paddc;
1324 unsigned int num_counters;
1325 char *name;
1326 int size;
1327 void *ptmp;
2e4e6a17 1328 struct xt_table *t;
5452e425 1329 const struct xt_table_info *private;
6b7d31fc 1330 int ret = 0;
72b2b1dd 1331 struct ip6t_entry *iter;
7f5c6d4f 1332 unsigned int addend;
3bc3fe5e
PM		 1333#ifdef CONFIG_COMPAT
1334 struct compat_xt_counters_info compat_tmp;
1da177e4 1335
3bc3fe5e
PM		 1336 if (compat) {
1337 ptmp = &compat_tmp;
1338 size = sizeof(struct compat_xt_counters_info);
1339 } else
1340#endif
1341 {
1342 ptmp = &tmp;
1343 size = sizeof(struct xt_counters_info);
1344 }
1345
1346 if (copy_from_user(ptmp, user, size) != 0)
1da177e4
LT		 1347 return -EFAULT;
1348
3bc3fe5e
PM		 1349#ifdef CONFIG_COMPAT
1350 if (compat) {
1351 num_counters = compat_tmp.num_counters;
1352 name = compat_tmp.name;
1353 } else
1354#endif
1355 {
1356 num_counters = tmp.num_counters;
1357 name = tmp.name;
1358 }
1359
1360 if (len != size + num_counters * sizeof(struct xt_counters))
1da177e4
LT		 1361 return -EINVAL;
1362
e12f8e29 1363 paddc = vmalloc(len - size);
1da177e4
LT		 1364 if (!paddc)
1365 return -ENOMEM;
1366
3bc3fe5e 1367 if (copy_from_user(paddc, user + size, len - size) != 0) {
1da177e4
LT		 1368 ret = -EFAULT;
1369 goto free;
1370 }
1371
336b517f 1372 t = xt_find_table_lock(net, AF_INET6, name);
0cc8d8df 1373 if (IS_ERR_OR_NULL(t)) {
6b7d31fc 1374 ret = t ? PTR_ERR(t) : -ENOENT;
1da177e4 1375 goto free;
6b7d31fc 1376 }
1da177e4 1377
942e4a2b 1378 local_bh_disable();
2e4e6a17 1379 private = t->private;
3bc3fe5e 1380 if (private->number != num_counters) {
1da177e4
LT		 1381 ret = -EINVAL;
1382 goto unlock_up_free;
1383 }
1384
1385 i = 0;
7f5c6d4f 1386 addend = xt_write_recseq_begin();
482cfc31 1387 xt_entry_foreach(iter, private->entries, private->size) {
71ae0dff
FW		 1388 struct xt_counters *tmp;
1389
1390 tmp = xt_get_this_cpu_counter(&iter->counters);
1391 ADD_COUNTER(*tmp, paddc[i].bcnt, paddc[i].pcnt);
0559518b
JE		 1392 ++i;
1393 }
7f5c6d4f 1394 xt_write_recseq_end(addend);
1da177e4 1395 unlock_up_free:
942e4a2b 1396 local_bh_enable();
2e4e6a17 1397 xt_table_unlock(t);
6b7d31fc 1398 module_put(t->me);
1da177e4
LT		 1399 free:
1400 vfree(paddc);
1401
1402 return ret;
1403}
1404
3bc3fe5e
PM		 1405#ifdef CONFIG_COMPAT
1406struct compat_ip6t_replace {
12b00c2c 1407 char name[XT_TABLE_MAXNAMELEN];
3bc3fe5e
PM		 1408 u32 valid_hooks;
1409 u32 num_entries;
1410 u32 size;
1411 u32 hook_entry[NF_INET_NUMHOOKS];
1412 u32 underflow[NF_INET_NUMHOOKS];
1413 u32 num_counters;
87a2e70d 1414 compat_uptr_t counters; /* struct xt_counters * */
3bc3fe5e
PM		 1415 struct compat_ip6t_entry entries[0];
1416};
1417
1418static int
1419compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
b0a6363c 1420 unsigned int *size, struct xt_counters *counters,
0559518b 1421 unsigned int i)
3bc3fe5e 1422{
87a2e70d 1423 struct xt_entry_target *t;
3bc3fe5e
PM		 1424 struct compat_ip6t_entry __user *ce;
1425 u_int16_t target_offset, next_offset;
1426 compat_uint_t origsize;
dcea992a
JE		 1427 const struct xt_entry_match *ematch;
1428 int ret = 0;
3bc3fe5e 1429
3bc3fe5e
PM		 1430 origsize = *size;
1431 ce = (struct compat_ip6t_entry __user *)*dstptr;
0559518b
JE		 1432 if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
1433 copy_to_user(&ce->counters, &counters[i],
1434 sizeof(counters[i])) != 0)
1435 return -EFAULT;
3bc3fe5e
PM		 1436
1437 *dstptr += sizeof(struct compat_ip6t_entry);
1438 *size -= sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1439
dcea992a
JE		 1440 xt_ematch_foreach(ematch, e) {
1441 ret = xt_compat_match_to_user(ematch, dstptr, size);
1442 if (ret != 0)
6bdb331b 1443 return ret;
dcea992a 1444 }
3bc3fe5e 1445 target_offset = e->target_offset - (origsize - *size);
3bc3fe5e
PM		 1446 t = ip6t_get_target(e);
1447 ret = xt_compat_target_to_user(t, dstptr, size);
1448 if (ret)
0559518b 1449 return ret;
3bc3fe5e 1450 next_offset = e->next_offset - (origsize - *size);
0559518b
JE		 1451 if (put_user(target_offset, &ce->target_offset) != 0 ||
1452 put_user(next_offset, &ce->next_offset) != 0)
1453 return -EFAULT;
3bc3fe5e 1454 return 0;
3bc3fe5e
PM		 1455}
1456
022748a9 1457static int
87a2e70d 1458compat_find_calc_match(struct xt_entry_match *m,
3bc3fe5e
PM		 1459 const char *name,
1460 const struct ip6t_ip6 *ipv6,
6bdb331b 1461 int *size)
3bc3fe5e
PM		 1462{
1463 struct xt_match *match;
1464
fd0ec0e6
JE		 1465 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1466 m->u.user.revision);
1467 if (IS_ERR(match)) {
3bc3fe5e
PM		 1468 duprintf("compat_check_calc_match: `%s' not found\n",
1469 m->u.user.name);
fd0ec0e6 1470 return PTR_ERR(match);
3bc3fe5e
PM		 1471 }
1472 m->u.kernel.match = match;
1473 *size += xt_compat_match_offset(match);
3bc3fe5e
PM		 1474 return 0;
1475}
1476
0559518b 1477static void compat_release_entry(struct compat_ip6t_entry *e)
3bc3fe5e 1478{
87a2e70d 1479 struct xt_entry_target *t;
dcea992a 1480 struct xt_entry_match *ematch;
3bc3fe5e 1481
3bc3fe5e 1482 /* Cleanup all matches */
dcea992a 1483 xt_ematch_foreach(ematch, e)
6bdb331b 1484 module_put(ematch->u.kernel.match->me);
3bc3fe5e
PM		 1485 t = compat_ip6t_get_target(e);
1486 module_put(t->u.kernel.target->me);
3bc3fe5e
PM		 1487}
1488
022748a9 1489static int
3bc3fe5e
PM		 1490check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1491 struct xt_table_info *newinfo,
1492 unsigned int *size,
d5d1baa1
JE		 1493 const unsigned char *base,
1494 const unsigned char *limit,
1495 const unsigned int *hook_entries,
1496 const unsigned int *underflows,
3bc3fe5e
PM		 1497 const char *name)
1498{
dcea992a 1499 struct xt_entry_match *ematch;
87a2e70d 1500 struct xt_entry_target *t;
3bc3fe5e
PM		 1501 struct xt_target *target;
1502 unsigned int entry_offset;
b0a6363c
PM		 1503 unsigned int j;
1504 int ret, off, h;
3bc3fe5e
PM		 1505
1506 duprintf("check_compat_entry_size_and_hooks %p\n", e);
3666ed1c
JP		 1507 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
1508 (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
3bc3fe5e
PM		 1509 duprintf("Bad offset %p, limit = %p\n", e, limit);
1510 return -EINVAL;
1511 }
1512
1513 if (e->next_offset < sizeof(struct compat_ip6t_entry) +
1514 sizeof(struct compat_xt_entry_target)) {
1515 duprintf("checking: element %p size %u\n",
1516 e, e->next_offset);
1517 return -EINVAL;
1518 }
1519
1520 /* For purposes of check_entry casting the compat entry is fine */
1521 ret = check_entry((struct ip6t_entry *)e, name);
1522 if (ret)
1523 return ret;
1524
1525 off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1526 entry_offset = (void *)e - (void *)base;
1527 j = 0;
dcea992a 1528 xt_ematch_foreach(ematch, e) {
2f06550b 1529 ret = compat_find_calc_match(ematch, name, &e->ipv6, &off);
dcea992a 1530 if (ret != 0)
6bdb331b
JE		 1531 goto release_matches;
1532 ++j;
dcea992a 1533 }
3bc3fe5e
PM		 1534
1535 t = compat_ip6t_get_target(e);
d2a7b6ba
JE		 1536 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1537 t->u.user.revision);
1538 if (IS_ERR(target)) {
3bc3fe5e
PM		 1539 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1540 t->u.user.name);
d2a7b6ba 1541 ret = PTR_ERR(target);
3bc3fe5e
PM		 1542 goto release_matches;
1543 }
1544 t->u.kernel.target = target;
1545
1546 off += xt_compat_target_offset(target);
1547 *size += off;
1548 ret = xt_compat_add_offset(AF_INET6, entry_offset, off);
1549 if (ret)
1550 goto out;
1551
1552 /* Check hooks & underflows */
1553 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1554 if ((unsigned char *)e - base == hook_entries[h])
1555 newinfo->hook_entry[h] = hook_entries[h];
1556 if ((unsigned char *)e - base == underflows[h])
1557 newinfo->underflow[h] = underflows[h];
1558 }
1559
1560 /* Clear counters and comefrom */
1561 memset(&e->counters, 0, sizeof(e->counters));
1562 e->comefrom = 0;
3bc3fe5e
PM		 1563 return 0;
1564
1565out:
1566 module_put(t->u.kernel.target->me);
1567release_matches:
6bdb331b
JE		 1568 xt_ematch_foreach(ematch, e) {
1569 if (j-- == 0)
dcea992a 1570 break;
6bdb331b
JE		 1571 module_put(ematch->u.kernel.match->me);
1572 }
3bc3fe5e
PM		 1573 return ret;
1574}
1575
1576static int
1577compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1578 unsigned int *size, const char *name,
1579 struct xt_table_info *newinfo, unsigned char *base)
1580{
87a2e70d 1581 struct xt_entry_target *t;
3bc3fe5e
PM		 1582 struct ip6t_entry *de;
1583 unsigned int origsize;
1584 int ret, h;
dcea992a 1585 struct xt_entry_match *ematch;
3bc3fe5e
PM		 1586
1587 ret = 0;
1588 origsize = *size;
1589 de = (struct ip6t_entry *)*dstptr;
1590 memcpy(de, e, sizeof(struct ip6t_entry));
1591 memcpy(&de->counters, &e->counters, sizeof(e->counters));
1592
1593 *dstptr += sizeof(struct ip6t_entry);
1594 *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
1595
dcea992a
JE		 1596 xt_ematch_foreach(ematch, e) {
1597 ret = xt_compat_match_from_user(ematch, dstptr, size);
1598 if (ret != 0)
6bdb331b 1599 return ret;
dcea992a 1600 }
3bc3fe5e
PM		 1601 de->target_offset = e->target_offset - (origsize - *size);
1602 t = compat_ip6t_get_target(e);
3bc3fe5e
PM		 1603 xt_compat_target_from_user(t, dstptr, size);
1604
1605 de->next_offset = e->next_offset - (origsize - *size);
1606 for (h = 0; h < NF_INET_NUMHOOKS; h++) {
1607 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1608 newinfo->hook_entry[h] -= origsize - *size;
1609 if ((unsigned char *)de - base < newinfo->underflow[h])
1610 newinfo->underflow[h] -= origsize - *size;
1611 }
1612 return ret;
1613}
1614
f54e9367 1615static int compat_check_entry(struct ip6t_entry *e, struct net *net,
0559518b 1616 const char *name)
3bc3fe5e 1617{
b0a6363c 1618 unsigned int j;
dcea992a 1619 int ret = 0;
9b4fce7a 1620 struct xt_mtchk_param mtpar;
dcea992a 1621 struct xt_entry_match *ematch;
3bc3fe5e 1622
71ae0dff
FW		 1623 e->counters.pcnt = xt_percpu_counter_alloc();
1624 if (IS_ERR_VALUE(e->counters.pcnt))
1625 return -ENOMEM;
3bc3fe5e 1626 j = 0;
f54e9367 1627 mtpar.net = net;
9b4fce7a
JE		 1628 mtpar.table = name;
1629 mtpar.entryinfo = &e->ipv6;
1630 mtpar.hook_mask = e->comefrom;
916a917d 1631 mtpar.family = NFPROTO_IPV6;
dcea992a 1632 xt_ematch_foreach(ematch, e) {
6bdb331b 1633 ret = check_match(ematch, &mtpar);
dcea992a 1634 if (ret != 0)
6bdb331b
JE		 1635 goto cleanup_matches;
1636 ++j;
dcea992a 1637 }
3bc3fe5e 1638
add67461 1639 ret = check_target(e, net, name);
3bc3fe5e
PM		 1640 if (ret)
1641 goto cleanup_matches;
3bc3fe5e
PM		 1642 return 0;
1643
1644 cleanup_matches:
6bdb331b
JE		 1645 xt_ematch_foreach(ematch, e) {
1646 if (j-- == 0)
dcea992a 1647 break;
6bdb331b
JE		 1648 cleanup_match(ematch, net);
1649 }
71ae0dff
FW		 1650
1651 xt_percpu_counter_free(e->counters.pcnt);
1652
3bc3fe5e
PM		 1653 return ret;
1654}
1655
1656static int
f54e9367
AD		 1657translate_compat_table(struct net *net,
1658 const char *name,
3bc3fe5e
PM		 1659 unsigned int valid_hooks,
1660 struct xt_table_info **pinfo,
1661 void **pentry0,
1662 unsigned int total_size,
1663 unsigned int number,
1664 unsigned int *hook_entries,
1665 unsigned int *underflows)
1666{
1667 unsigned int i, j;
1668 struct xt_table_info *newinfo, *info;
1669 void *pos, *entry0, *entry1;
72b2b1dd
JE		 1670 struct compat_ip6t_entry *iter0;
1671 struct ip6t_entry *iter1;
3bc3fe5e 1672 unsigned int size;
72b2b1dd 1673 int ret = 0;
3bc3fe5e
PM		 1674
1675 info = *pinfo;
1676 entry0 = *pentry0;
1677 size = total_size;
1678 info->number = number;
1679
1680 /* Init all hooks to impossible value. */
1681 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1682 info->hook_entry[i] = 0xFFFFFFFF;
1683 info->underflow[i] = 0xFFFFFFFF;
1684 }
1685
1686 duprintf("translate_compat_table: size %u\n", info->size);
1687 j = 0;
1688 xt_compat_lock(AF_INET6);
255d0dc3 1689 xt_compat_init_offsets(AF_INET6, number);
3bc3fe5e 1690 /* Walk through entries, checking offsets. */
72b2b1dd
JE		 1691 xt_entry_foreach(iter0, entry0, total_size) {
1692 ret = check_compat_entry_size_and_hooks(iter0, info, &size,
6b4ff2d7
JE		 1693 entry0,
1694 entry0 + total_size,
1695 hook_entries,
1696 underflows,
1697 name);
72b2b1dd 1698 if (ret != 0)
0559518b
JE		 1699 goto out_unlock;
1700 ++j;
72b2b1dd 1701 }
3bc3fe5e
PM		 1702
1703 ret = -EINVAL;
1704 if (j != number) {
1705 duprintf("translate_compat_table: %u not %u entries\n",
1706 j, number);
1707 goto out_unlock;
1708 }
1709
1710 /* Check hooks all assigned */
1711 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1712 /* Only hooks which are valid */
1713 if (!(valid_hooks & (1 << i)))
1714 continue;
1715 if (info->hook_entry[i] == 0xFFFFFFFF) {
1716 duprintf("Invalid hook entry %u %u\n",
1717 i, hook_entries[i]);
1718 goto out_unlock;
1719 }
1720 if (info->underflow[i] == 0xFFFFFFFF) {
1721 duprintf("Invalid underflow %u %u\n",
1722 i, underflows[i]);
1723 goto out_unlock;
1724 }
1725 }
1726
1727 ret = -ENOMEM;
1728 newinfo = xt_alloc_table_info(size);
1729 if (!newinfo)
1730 goto out_unlock;
1731
1732 newinfo->number = number;
1733 for (i = 0; i < NF_INET_NUMHOOKS; i++) {
1734 newinfo->hook_entry[i] = info->hook_entry[i];
1735 newinfo->underflow[i] = info->underflow[i];
1736 }
482cfc31 1737 entry1 = newinfo->entries;
3bc3fe5e
PM		 1738 pos = entry1;
1739 size = total_size;
72b2b1dd 1740 xt_entry_foreach(iter0, entry0, total_size) {
6b4ff2d7
JE		 1741 ret = compat_copy_entry_from_user(iter0, &pos, &size,
1742 name, newinfo, entry1);
72b2b1dd
JE		 1743 if (ret != 0)
1744 break;
1745 }
3bc3fe5e
PM		 1746 xt_compat_flush_offsets(AF_INET6);
1747 xt_compat_unlock(AF_INET6);
1748 if (ret)
1749 goto free_newinfo;
1750
1751 ret = -ELOOP;
1752 if (!mark_source_chains(newinfo, valid_hooks, entry1))
1753 goto free_newinfo;
1754
1755 i = 0;
72b2b1dd 1756 xt_entry_foreach(iter1, entry1, newinfo->size) {
0559518b 1757 ret = compat_check_entry(iter1, net, name);
72b2b1dd
JE		 1758 if (ret != 0)
1759 break;
0559518b 1760 ++i;
98dbbfc3
FW		 1761 if (strcmp(ip6t_get_target(iter1)->u.user.name,
1762 XT_ERROR_TARGET) == 0)
1763 ++newinfo->stacksize;
72b2b1dd 1764 }
3bc3fe5e 1765 if (ret) {
72b2b1dd
JE		 1766 /*
1767 * The first i matches need cleanup_entry (calls ->destroy)
1768 * because they had called ->check already. The other j-i
1769 * entries need only release.
1770 */
1771 int skip = i;
3bc3fe5e 1772 j -= i;
72b2b1dd
JE		 1773 xt_entry_foreach(iter0, entry0, newinfo->size) {
1774 if (skip-- > 0)
1775 continue;
0559518b 1776 if (j-- == 0)
72b2b1dd 1777 break;
0559518b 1778 compat_release_entry(iter0);
72b2b1dd 1779 }
0559518b
JE		 1780 xt_entry_foreach(iter1, entry1, newinfo->size) {
1781 if (i-- == 0)
72b2b1dd 1782 break;
0559518b
JE		 1783 cleanup_entry(iter1, net);
1784 }
3bc3fe5e
PM		 1785 xt_free_table_info(newinfo);
1786 return ret;
1787 }
1788
3bc3fe5e
PM		 1789 *pinfo = newinfo;
1790 *pentry0 = entry1;
1791 xt_free_table_info(info);
1792 return 0;
1793
1794free_newinfo:
1795 xt_free_table_info(newinfo);
1796out:
0559518b
JE		 1797 xt_entry_foreach(iter0, entry0, total_size) {
1798 if (j-- == 0)
72b2b1dd 1799 break;
0559518b
JE		 1800 compat_release_entry(iter0);
1801 }
3bc3fe5e
PM		 1802 return ret;
1803out_unlock:
1804 xt_compat_flush_offsets(AF_INET6);
1805 xt_compat_unlock(AF_INET6);
1806 goto out;
1807}
1808
1809static int
336b517f 1810compat_do_replace(struct net *net, void __user *user, unsigned int len)
3bc3fe5e
PM		 1811{
1812 int ret;
1813 struct compat_ip6t_replace tmp;
1814 struct xt_table_info *newinfo;
1815 void *loc_cpu_entry;
72b2b1dd 1816 struct ip6t_entry *iter;
3bc3fe5e
PM		 1817
1818 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1819 return -EFAULT;
1820
1821 /* overflow check */
1822 if (tmp.size >= INT_MAX / num_possible_cpus())
1823 return -ENOMEM;
1824 if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1825 return -ENOMEM;
1086bbe9
DJ		 1826 if (tmp.num_counters == 0)
1827 return -EINVAL;
1828
6a8ab060 1829 tmp.name[sizeof(tmp.name)-1] = 0;
3bc3fe5e
PM		 1830
1831 newinfo = xt_alloc_table_info(tmp.size);
1832 if (!newinfo)
1833 return -ENOMEM;
1834
482cfc31 1835 loc_cpu_entry = newinfo->entries;
3bc3fe5e
PM		 1836 if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1837 tmp.size) != 0) {
1838 ret = -EFAULT;
1839 goto free_newinfo;
1840 }
1841
f54e9367 1842 ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
3bc3fe5e
PM		 1843 &newinfo, &loc_cpu_entry, tmp.size,
1844 tmp.num_entries, tmp.hook_entry,
1845 tmp.underflow);
1846 if (ret != 0)
1847 goto free_newinfo;
1848
1849 duprintf("compat_do_replace: Translated table\n");
1850
336b517f 1851 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
3bc3fe5e
PM		 1852 tmp.num_counters, compat_ptr(tmp.counters));
1853 if (ret)
1854 goto free_newinfo_untrans;
1855 return 0;
1856
1857 free_newinfo_untrans:
72b2b1dd 1858 xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
0559518b 1859 cleanup_entry(iter, net);
3bc3fe5e
PM		 1860 free_newinfo:
1861 xt_free_table_info(newinfo);
1862 return ret;
1863}
1864
1865static int
1866compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1867 unsigned int len)
1868{
1869 int ret;
1870
af31f412 1871 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
3bc3fe5e
PM		 1872 return -EPERM;
1873
1874 switch (cmd) {
1875 case IP6T_SO_SET_REPLACE:
3b1e0a65 1876 ret = compat_do_replace(sock_net(sk), user, len);
3bc3fe5e
PM		 1877 break;
1878
1879 case IP6T_SO_SET_ADD_COUNTERS:
3b1e0a65 1880 ret = do_add_counters(sock_net(sk), user, len, 1);
3bc3fe5e
PM		 1881 break;
1882
1883 default:
1884 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
1885 ret = -EINVAL;
1886 }
1887
1888 return ret;
1889}
1890
1891struct compat_ip6t_get_entries {
12b00c2c 1892 char name[XT_TABLE_MAXNAMELEN];
3bc3fe5e
PM		 1893 compat_uint_t size;
1894 struct compat_ip6t_entry entrytable[0];
1895};
1896
1897static int
1898compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1899 void __user *userptr)
1900{
1901 struct xt_counters *counters;
5452e425 1902 const struct xt_table_info *private = table->private;
3bc3fe5e
PM		 1903 void __user *pos;
1904 unsigned int size;
1905 int ret = 0;
3bc3fe5e 1906 unsigned int i = 0;
72b2b1dd 1907 struct ip6t_entry *iter;
3bc3fe5e
PM		 1908
1909 counters = alloc_counters(table);
1910 if (IS_ERR(counters))
1911 return PTR_ERR(counters);
1912
3bc3fe5e
PM		 1913 pos = userptr;
1914 size = total_size;
482cfc31 1915 xt_entry_foreach(iter, private->entries, total_size) {
72b2b1dd 1916 ret = compat_copy_entry_to_user(iter, &pos,
6b4ff2d7 1917 &size, counters, i++);
72b2b1dd
JE		 1918 if (ret != 0)
1919 break;
1920 }
3bc3fe5e
PM		 1921
1922 vfree(counters);
1923 return ret;
1924}
1925
1926static int
336b517f
AD		 1927compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1928 int *len)
3bc3fe5e
PM		 1929{
1930 int ret;
1931 struct compat_ip6t_get_entries get;
1932 struct xt_table *t;
1933
1934 if (*len < sizeof(get)) {
c9d8fe13 1935 duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
3bc3fe5e
PM		 1936 return -EINVAL;
1937 }
1938
1939 if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1940 return -EFAULT;
1941
1942 if (*len != sizeof(struct compat_ip6t_get_entries) + get.size) {
c9d8fe13
PM		 1943 duprintf("compat_get_entries: %u != %zu\n",
1944 *len, sizeof(get) + get.size);
3bc3fe5e
PM		 1945 return -EINVAL;
1946 }
1947
1948 xt_compat_lock(AF_INET6);
336b517f 1949 t = xt_find_table_lock(net, AF_INET6, get.name);
0cc8d8df 1950 if (!IS_ERR_OR_NULL(t)) {
5452e425 1951 const struct xt_table_info *private = t->private;
3bc3fe5e 1952 struct xt_table_info info;
9c547959 1953 duprintf("t->private->number = %u\n", private->number);
3bc3fe5e
PM		 1954 ret = compat_table_info(private, &info);
1955 if (!ret && get.size == info.size) {
1956 ret = compat_copy_entries_to_user(private->size,
1957 t, uptr->entrytable);
1958 } else if (!ret) {
1959 duprintf("compat_get_entries: I've got %u not %u!\n",
9c547959 1960 private->size, get.size);
544473c1 1961 ret = -EAGAIN;
3bc3fe5e
PM		 1962 }
1963 xt_compat_flush_offsets(AF_INET6);
1964 module_put(t->me);
1965 xt_table_unlock(t);
1966 } else
1967 ret = t ? PTR_ERR(t) : -ENOENT;
1968
1969 xt_compat_unlock(AF_INET6);
1970 return ret;
1971}
1972
1973static int do_ip6t_get_ctl(struct sock *, int, void __user *, int *);
1974
1975static int
1976compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1977{
1978 int ret;
1979
af31f412 1980 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
3bc3fe5e
PM		 1981 return -EPERM;
1982
1983 switch (cmd) {
1984 case IP6T_SO_GET_INFO:
3b1e0a65 1985 ret = get_info(sock_net(sk), user, len, 1);
3bc3fe5e
PM		 1986 break;
1987 case IP6T_SO_GET_ENTRIES:
3b1e0a65 1988 ret = compat_get_entries(sock_net(sk), user, len);
3bc3fe5e
PM		 1989 break;
1990 default:
1991 ret = do_ip6t_get_ctl(sk, cmd, user, len);
1992 }
1993 return ret;
1994}
1995#endif
1996
1da177e4
LT		 1997static int
1998do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1999{
2000 int ret;
2001
af31f412 2002 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1da177e4
LT		 2003 return -EPERM;
2004
2005 switch (cmd) {
2006 case IP6T_SO_SET_REPLACE:
3b1e0a65 2007 ret = do_replace(sock_net(sk), user, len);
1da177e4
LT		 2008 break;
2009
2010 case IP6T_SO_SET_ADD_COUNTERS:
3b1e0a65 2011 ret = do_add_counters(sock_net(sk), user, len, 0);
1da177e4
LT		 2012 break;
2013
2014 default:
2015 duprintf("do_ip6t_set_ctl: unknown request %i\n", cmd);
2016 ret = -EINVAL;
2017 }
2018
2019 return ret;
2020}
2021
2022static int
2023do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2024{
2025 int ret;
2026
af31f412 2027 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1da177e4
LT		 2028 return -EPERM;
2029
2030 switch (cmd) {
433665c9 2031 case IP6T_SO_GET_INFO:
3b1e0a65 2032 ret = get_info(sock_net(sk), user, len, 0);
433665c9 2033 break;
1da177e4 2034
d924357c 2035 case IP6T_SO_GET_ENTRIES:
3b1e0a65 2036 ret = get_entries(sock_net(sk), user, len);
1da177e4 2037 break;
1da177e4 2038
6b7d31fc
HW		 2039 case IP6T_SO_GET_REVISION_MATCH:
2040 case IP6T_SO_GET_REVISION_TARGET: {
12b00c2c 2041 struct xt_get_revision rev;
2e4e6a17 2042 int target;
6b7d31fc
HW		 2043
2044 if (*len != sizeof(rev)) {
2045 ret = -EINVAL;
2046 break;
2047 }
2048 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2049 ret = -EFAULT;
2050 break;
2051 }
6a8ab060 2052 rev.name[sizeof(rev.name)-1] = 0;
6b7d31fc
HW		 2053
2054 if (cmd == IP6T_SO_GET_REVISION_TARGET)
2e4e6a17 2055 target = 1;
6b7d31fc 2056 else
2e4e6a17 2057 target = 0;
6b7d31fc 2058
2e4e6a17
HW		 2059 try_then_request_module(xt_find_revision(AF_INET6, rev.name,
2060 rev.revision,
2061 target, &ret),
6b7d31fc
HW		 2062 "ip6t_%s", rev.name);
2063 break;
2064 }
2065
1da177e4
LT		 2066 default:
2067 duprintf("do_ip6t_get_ctl: unknown request %i\n", cmd);
2068 ret = -EINVAL;
2069 }
2070
2071 return ret;
2072}
2073
35aad0ff
JE		 2074struct xt_table *ip6t_register_table(struct net *net,
2075 const struct xt_table *table,
336b517f 2076 const struct ip6t_replace *repl)
1da177e4
LT		 2077{
2078 int ret;
2e4e6a17 2079 struct xt_table_info *newinfo;
f3c5c1bf 2080 struct xt_table_info bootstrap = {0};
31836064 2081 void *loc_cpu_entry;
a98da11d 2082 struct xt_table *new_table;
1da177e4 2083
2e4e6a17 2084 newinfo = xt_alloc_table_info(repl->size);
44d34e72
AD		 2085 if (!newinfo) {
2086 ret = -ENOMEM;
2087 goto out;
2088 }
1da177e4 2089
482cfc31 2090 loc_cpu_entry = newinfo->entries;
31836064 2091 memcpy(loc_cpu_entry, repl->entries, repl->size);
1da177e4 2092
0f234214 2093 ret = translate_table(net, newinfo, loc_cpu_entry, repl);
44d34e72
AD		 2094 if (ret != 0)
2095 goto out_free;
1da177e4 2096
336b517f 2097 new_table = xt_register_table(net, table, &bootstrap, newinfo);
a98da11d 2098 if (IS_ERR(new_table)) {
44d34e72
AD		 2099 ret = PTR_ERR(new_table);
2100 goto out_free;
1da177e4 2101 }
44d34e72 2102 return new_table;
1da177e4 2103
44d34e72
AD		 2104out_free:
2105 xt_free_table_info(newinfo);
2106out:
2107 return ERR_PTR(ret);
1da177e4
LT		 2108}
2109
f54e9367 2110void ip6t_unregister_table(struct net *net, struct xt_table *table)
1da177e4 2111{
2e4e6a17 2112 struct xt_table_info *private;
31836064 2113 void *loc_cpu_entry;
df200969 2114 struct module *table_owner = table->me;
72b2b1dd 2115 struct ip6t_entry *iter;
31836064 2116
2e4e6a17 2117 private = xt_unregister_table(table);
1da177e4
LT		 2118
2119 /* Decrease module usage counts and free resources */
482cfc31 2120 loc_cpu_entry = private->entries;
72b2b1dd 2121 xt_entry_foreach(iter, loc_cpu_entry, private->size)
0559518b 2122 cleanup_entry(iter, net);
df200969
AD		 2123 if (private->number > private->initial_entries)
2124 module_put(table_owner);
2e4e6a17 2125 xt_free_table_info(private);
1da177e4
LT		 2126}
2127
2128/* Returns 1 if the type and code is matched by the range, 0 otherwise */
ccb79bdc 2129static inline bool
1da177e4
LT		 2130icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2131 u_int8_t type, u_int8_t code,
ccb79bdc 2132 bool invert)
1da177e4
LT		 2133{
2134 return (type == test_type && code >= min_code && code <= max_code)
2135 ^ invert;
2136}
2137
1d93a9cb 2138static bool
62fc8051 2139icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
1da177e4 2140{
5452e425
JE		 2141 const struct icmp6hdr *ic;
2142 struct icmp6hdr _icmph;
f7108a20 2143 const struct ip6t_icmp *icmpinfo = par->matchinfo;
1da177e4
LT		 2144
2145 /* Must not be a fragment. */
f7108a20 2146 if (par->fragoff != 0)
1d93a9cb 2147 return false;
1da177e4 2148
f7108a20 2149 ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
1da177e4
LT		 2150 if (ic == NULL) {
2151 /* We've been asked to examine this packet, and we
9c547959
PM		 2152 * can't. Hence, no choice but to drop.
2153 */
1da177e4 2154 duprintf("Dropping evil ICMP tinygram.\n");
b4ba2611 2155 par->hotdrop = true;
1d93a9cb 2156 return false;
1da177e4
LT		 2157 }
2158
2159 return icmp6_type_code_match(icmpinfo->type,
2160 icmpinfo->code[0],
2161 icmpinfo->code[1],
2162 ic->icmp6_type, ic->icmp6_code,
2163 !!(icmpinfo->invflags&IP6T_ICMP_INV));
2164}
2165
2166/* Called when user tries to insert an entry of this type. */
b0f38452 2167static int icmp6_checkentry(const struct xt_mtchk_param *par)
1da177e4 2168{
9b4fce7a 2169 const struct ip6t_icmp *icmpinfo = par->matchinfo;
1da177e4 2170
7f939713 2171 /* Must specify no unknown invflags */
bd414ee6 2172 return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
1da177e4
LT		 2173}
2174
2175/* The built-in targets: standard (NULL) and error. */
4538506b
JE		 2176static struct xt_target ip6t_builtin_tg[] __read_mostly = {
2177 {
243bf6e2 2178 .name = XT_STANDARD_TARGET,
4538506b
JE		 2179 .targetsize = sizeof(int),
2180 .family = NFPROTO_IPV6,
3bc3fe5e 2181#ifdef CONFIG_COMPAT
4538506b
JE		 2182 .compatsize = sizeof(compat_int_t),
2183 .compat_from_user = compat_standard_from_user,
2184 .compat_to_user = compat_standard_to_user,
3bc3fe5e 2185#endif
4538506b
JE		 2186 },
2187 {
243bf6e2 2188 .name = XT_ERROR_TARGET,
4538506b 2189 .target = ip6t_error,
12b00c2c 2190 .targetsize = XT_FUNCTION_MAXNAMELEN,
4538506b
JE		 2191 .family = NFPROTO_IPV6,
2192 },
1da177e4
LT		 2193};
2194
2195static struct nf_sockopt_ops ip6t_sockopts = {
2196 .pf = PF_INET6,
2197 .set_optmin = IP6T_BASE_CTL,
2198 .set_optmax = IP6T_SO_SET_MAX+1,
2199 .set = do_ip6t_set_ctl,
3bc3fe5e
PM		 2200#ifdef CONFIG_COMPAT
2201 .compat_set = compat_do_ip6t_set_ctl,
2202#endif
1da177e4
LT		 2203 .get_optmin = IP6T_BASE_CTL,
2204 .get_optmax = IP6T_SO_GET_MAX+1,
2205 .get = do_ip6t_get_ctl,
3bc3fe5e
PM		 2206#ifdef CONFIG_COMPAT
2207 .compat_get = compat_do_ip6t_get_ctl,
2208#endif
16fcec35 2209 .owner = THIS_MODULE,
1da177e4
LT		 2210};
2211
4538506b
JE		 2212static struct xt_match ip6t_builtin_mt[] __read_mostly = {
2213 {
2214 .name = "icmp6",
2215 .match = icmp6_match,
2216 .matchsize = sizeof(struct ip6t_icmp),
2217 .checkentry = icmp6_checkentry,
2218 .proto = IPPROTO_ICMPV6,
2219 .family = NFPROTO_IPV6,
2220 },
1da177e4
LT		 2221};
2222
3cb609d5
AD		 2223static int __net_init ip6_tables_net_init(struct net *net)
2224{
383ca5b8 2225 return xt_proto_init(net, NFPROTO_IPV6);
3cb609d5
AD		 2226}
2227
2228static void __net_exit ip6_tables_net_exit(struct net *net)
2229{
383ca5b8 2230 xt_proto_fini(net, NFPROTO_IPV6);
3cb609d5
AD		 2231}
2232
2233static struct pernet_operations ip6_tables_net_ops = {
2234 .init = ip6_tables_net_init,
2235 .exit = ip6_tables_net_exit,
2236};
2237
65b4b4e8 2238static int __init ip6_tables_init(void)
1da177e4
LT		 2239{
2240 int ret;
2241
3cb609d5 2242 ret = register_pernet_subsys(&ip6_tables_net_ops);
0eff66e6
PM		 2243 if (ret < 0)
2244 goto err1;
2e4e6a17 2245
25985edc 2246 /* No one else will be downing sem now, so we won't sleep */
4538506b 2247 ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
0eff66e6
PM		 2248 if (ret < 0)
2249 goto err2;
4538506b 2250 ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
0eff66e6
PM		 2251 if (ret < 0)
2252 goto err4;
1da177e4
LT		 2253
2254 /* Register setsockopt */
2255 ret = nf_register_sockopt(&ip6t_sockopts);
0eff66e6
PM		 2256 if (ret < 0)
2257 goto err5;
1da177e4 2258
ff67e4e4 2259 pr_info("(C) 2000-2006 Netfilter Core Team\n");
1da177e4 2260 return 0;
0eff66e6
PM		 2261
2262err5:
4538506b 2263 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
0eff66e6 2264err4:
4538506b 2265 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
0eff66e6 2266err2:
3cb609d5 2267 unregister_pernet_subsys(&ip6_tables_net_ops);
0eff66e6
PM		 2268err1:
2269 return ret;
1da177e4
LT		 2270}
2271
65b4b4e8 2272static void __exit ip6_tables_fini(void)
1da177e4
LT		 2273{
2274 nf_unregister_sockopt(&ip6t_sockopts);
9c547959 2275
4538506b
JE		 2276 xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
2277 xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
3cb609d5 2278 unregister_pernet_subsys(&ip6_tables_net_ops);
1da177e4
LT		 2279}
2280
2281EXPORT_SYMBOL(ip6t_register_table);
2282EXPORT_SYMBOL(ip6t_unregister_table);
2283EXPORT_SYMBOL(ip6t_do_table);
1da177e4 2284
65b4b4e8
AM		 2285module_init(ip6_tables_init);
2286module_exit(ip6_tables_fini);
Linux 6.x block layer and io_uring tree(s)