[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
/*
|
|
|
|
* x_tables core - Backend for {ip,ip6,arp}_tables
|
|
|
|
*
|
|
|
|
* Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
|
2013-04-06 07:24:29 -06:00
|
|
|
* Copyright (C) 2006-2012 Patrick McHardy <kaber@trash.net>
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
*
|
|
|
|
* Based on existing ip_tables code which is
|
|
|
|
* Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
|
|
|
|
* Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
*
|
|
|
|
*/
|
2010-03-17 19:22:32 -06:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
#include <linux/kernel.h>
|
2011-05-27 07:12:25 -06:00
|
|
|
#include <linux/module.h>
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
#include <linux/socket.h>
|
|
|
|
#include <linux/net.h>
|
|
|
|
#include <linux/proc_fs.h>
|
|
|
|
#include <linux/seq_file.h>
|
|
|
|
#include <linux/string.h>
|
|
|
|
#include <linux/vmalloc.h>
|
2006-03-25 02:41:10 -07:00
|
|
|
#include <linux/mutex.h>
|
2006-12-03 21:15:30 -07:00
|
|
|
#include <linux/mm.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 02:04:11 -06:00
|
|
|
#include <linux/slab.h>
|
2011-01-16 10:12:59 -07:00
|
|
|
#include <linux/audit.h>
|
2015-11-22 04:35:07 -07:00
|
|
|
#include <linux/user_namespace.h>
|
2007-09-12 04:01:34 -06:00
|
|
|
#include <net/net_namespace.h>
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
#include <linux/netfilter/x_tables.h>
|
|
|
|
#include <linux/netfilter_arp.h>
|
2009-06-17 14:14:54 -06:00
|
|
|
#include <linux/netfilter_ipv4/ip_tables.h>
|
|
|
|
#include <linux/netfilter_ipv6/ip6_tables.h>
|
|
|
|
#include <linux/netfilter_arp/arp_tables.h>
|
2006-03-25 02:41:10 -07:00
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
|
2008-10-08 03:35:15 -06:00
|
|
|
MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2016-11-22 06:44:19 -07:00
|
|
|
#define XT_PCPU_BLOCK_SIZE 4096
|
2018-02-27 11:42:31 -07:00
|
|
|
#define XT_MAX_TABLE_SIZE (512 * 1024 * 1024)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2007-12-17 22:47:48 -07:00
|
|
|
struct compat_delta {
|
2010-12-18 10:35:15 -07:00
|
|
|
unsigned int offset; /* offset in kernel */
|
|
|
|
int delta; /* delta in 32bit user land */
|
2007-12-17 22:47:48 -07:00
|
|
|
};
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
struct xt_af {
|
2006-03-25 02:41:10 -07:00
|
|
|
struct mutex mutex;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
struct list_head match;
|
|
|
|
struct list_head target;
|
2007-12-17 22:47:48 -07:00
|
|
|
#ifdef CONFIG_COMPAT
|
2006-04-01 03:25:19 -07:00
|
|
|
struct mutex compat_mutex;
|
2010-12-18 10:35:15 -07:00
|
|
|
struct compat_delta *compat_tab;
|
|
|
|
unsigned int number; /* number of slots in compat_tab[] */
|
|
|
|
unsigned int cur; /* number of used slots in compat_tab[] */
|
2007-12-17 22:47:48 -07:00
|
|
|
#endif
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
static struct xt_af *xt;
|
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
|
|
|
|
[NFPROTO_UNSPEC] = "x",
|
|
|
|
[NFPROTO_IPV4] = "ip",
|
|
|
|
[NFPROTO_ARP] = "arp",
|
|
|
|
[NFPROTO_BRIDGE] = "eb",
|
|
|
|
[NFPROTO_IPV6] = "ip6",
|
2006-03-20 18:59:06 -07:00
|
|
|
};
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
/* Registration hooks for targets. */
|
2014-07-31 12:38:46 -06:00
|
|
|
int xt_register_target(struct xt_target *target)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
2008-10-08 03:35:00 -06:00
|
|
|
u_int8_t af = target->family;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2014-07-31 12:38:46 -06:00
|
|
|
mutex_lock(&xt[af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
list_add(&target->list, &xt[af].target);
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
2014-07-31 12:38:46 -06:00
|
|
|
return 0;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_register_target);
|
|
|
|
|
|
|
|
void
|
2006-03-22 14:55:40 -07:00
|
|
|
xt_unregister_target(struct xt_target *target)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
2008-10-08 03:35:00 -06:00
|
|
|
u_int8_t af = target->family;
|
2006-03-22 14:55:40 -07:00
|
|
|
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_lock(&xt[af].mutex);
|
2006-09-20 12:57:53 -06:00
|
|
|
list_del(&target->list);
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_unregister_target);
|
|
|
|
|
2006-08-22 01:33:45 -06:00
|
|
|
int
|
|
|
|
xt_register_targets(struct xt_target *target, unsigned int n)
|
|
|
|
{
|
|
|
|
unsigned int i;
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
for (i = 0; i < n; i++) {
|
|
|
|
err = xt_register_target(&target[i]);
|
|
|
|
if (err)
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
return err;
|
|
|
|
|
|
|
|
err:
|
|
|
|
if (i > 0)
|
|
|
|
xt_unregister_targets(target, i);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_register_targets);
|
|
|
|
|
|
|
|
void
|
|
|
|
xt_unregister_targets(struct xt_target *target, unsigned int n)
|
|
|
|
{
|
2010-10-04 14:24:12 -06:00
|
|
|
while (n-- > 0)
|
|
|
|
xt_unregister_target(&target[n]);
|
2006-08-22 01:33:45 -06:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_unregister_targets);
|
|
|
|
|
2014-07-31 12:38:46 -06:00
|
|
|
int xt_register_match(struct xt_match *match)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
2008-10-08 03:35:00 -06:00
|
|
|
u_int8_t af = match->family;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2014-07-31 12:38:46 -06:00
|
|
|
mutex_lock(&xt[af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
list_add(&match->list, &xt[af].match);
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
2014-07-31 12:38:46 -06:00
|
|
|
return 0;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_register_match);
|
|
|
|
|
|
|
|
void
|
2006-03-22 14:55:40 -07:00
|
|
|
xt_unregister_match(struct xt_match *match)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
2008-10-08 03:35:00 -06:00
|
|
|
u_int8_t af = match->family;
|
2006-03-22 14:55:40 -07:00
|
|
|
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_lock(&xt[af].mutex);
|
2006-09-20 12:57:53 -06:00
|
|
|
list_del(&match->list);
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_unregister_match);
|
|
|
|
|
2006-08-22 01:33:45 -06:00
|
|
|
int
|
|
|
|
xt_register_matches(struct xt_match *match, unsigned int n)
|
|
|
|
{
|
|
|
|
unsigned int i;
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
for (i = 0; i < n; i++) {
|
|
|
|
err = xt_register_match(&match[i]);
|
|
|
|
if (err)
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
return err;
|
|
|
|
|
|
|
|
err:
|
|
|
|
if (i > 0)
|
|
|
|
xt_unregister_matches(match, i);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_register_matches);
|
|
|
|
|
|
|
|
void
|
|
|
|
xt_unregister_matches(struct xt_match *match, unsigned int n)
|
|
|
|
{
|
2010-10-04 14:24:12 -06:00
|
|
|
while (n-- > 0)
|
|
|
|
xt_unregister_match(&match[n]);
|
2006-08-22 01:33:45 -06:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_unregister_matches);
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* These are weird, but module loading must not be done with mutex
|
|
|
|
* held (since they will register), and we have to have a single
|
2011-03-09 06:14:26 -07:00
|
|
|
* function to use.
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
*/
|
|
|
|
|
|
|
|
/* Find match, grabs ref. Returns ERR_PTR() on error. */
|
2008-10-08 03:35:00 -06:00
|
|
|
struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
|
|
|
struct xt_match *m;
|
2011-03-14 12:11:44 -06:00
|
|
|
int err = -ENOENT;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2018-04-25 05:38:47 -06:00
|
|
|
if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
2014-07-31 12:38:46 -06:00
|
|
|
mutex_lock(&xt[af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
list_for_each_entry(m, &xt[af].match, list) {
|
|
|
|
if (strcmp(m->name, name) == 0) {
|
|
|
|
if (m->revision == revision) {
|
|
|
|
if (try_module_get(m->me)) {
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
return m;
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
err = -EPROTOTYPE; /* Found something. */
|
|
|
|
}
|
|
|
|
}
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
2008-10-08 03:35:01 -06:00
|
|
|
|
|
|
|
if (af != NFPROTO_UNSPEC)
|
|
|
|
/* Try searching again in the family-independent list */
|
|
|
|
return xt_find_match(NFPROTO_UNSPEC, name, revision);
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
return ERR_PTR(err);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_find_match);
|
|
|
|
|
2009-07-10 11:27:47 -06:00
|
|
|
struct xt_match *
|
|
|
|
xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
|
|
|
|
{
|
|
|
|
struct xt_match *match;
|
|
|
|
|
2018-01-24 18:16:09 -07:00
|
|
|
if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
2011-03-09 06:14:26 -07:00
|
|
|
match = xt_find_match(nfproto, name, revision);
|
|
|
|
if (IS_ERR(match)) {
|
|
|
|
request_module("%st_%s", xt_prefix[nfproto], name);
|
|
|
|
match = xt_find_match(nfproto, name, revision);
|
|
|
|
}
|
|
|
|
|
|
|
|
return match;
|
2009-07-10 11:27:47 -06:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_request_find_match);
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
/* Find target, grabs ref. Returns ERR_PTR() on error. */
|
2008-10-08 03:35:00 -06:00
|
|
|
struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
|
|
|
struct xt_target *t;
|
2011-03-14 12:11:44 -06:00
|
|
|
int err = -ENOENT;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2018-04-25 05:38:47 -06:00
|
|
|
if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
2014-07-31 12:38:46 -06:00
|
|
|
mutex_lock(&xt[af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
list_for_each_entry(t, &xt[af].target, list) {
|
|
|
|
if (strcmp(t->name, name) == 0) {
|
|
|
|
if (t->revision == revision) {
|
|
|
|
if (try_module_get(t->me)) {
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
return t;
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
err = -EPROTOTYPE; /* Found something. */
|
|
|
|
}
|
|
|
|
}
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
2008-10-08 03:35:01 -06:00
|
|
|
|
|
|
|
if (af != NFPROTO_UNSPEC)
|
|
|
|
/* Try searching again in the family-independent list */
|
|
|
|
return xt_find_target(NFPROTO_UNSPEC, name, revision);
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
return ERR_PTR(err);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_find_target);
|
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
|
|
|
struct xt_target *target;
|
|
|
|
|
2018-01-24 18:16:09 -07:00
|
|
|
if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
2011-03-09 06:14:26 -07:00
|
|
|
target = xt_find_target(af, name, revision);
|
|
|
|
if (IS_ERR(target)) {
|
|
|
|
request_module("%st_%s", xt_prefix[af], name);
|
|
|
|
target = xt_find_target(af, name, revision);
|
|
|
|
}
|
|
|
|
|
|
|
|
return target;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_request_find_target);
|
|
|
|
|
2017-01-02 15:19:40 -07:00
|
|
|
|
|
|
|
static int xt_obj_to_user(u16 __user *psize, u16 size,
|
|
|
|
void __user *pname, const char *name,
|
|
|
|
u8 __user *prev, u8 rev)
|
|
|
|
{
|
|
|
|
if (put_user(size, psize))
|
|
|
|
return -EFAULT;
|
|
|
|
if (copy_to_user(pname, name, strlen(name) + 1))
|
|
|
|
return -EFAULT;
|
|
|
|
if (put_user(rev, prev))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define XT_OBJ_TO_USER(U, K, TYPE, C_SIZE) \
|
|
|
|
xt_obj_to_user(&U->u.TYPE##_size, C_SIZE ? : K->u.TYPE##_size, \
|
|
|
|
U->u.user.name, K->u.kernel.TYPE->name, \
|
|
|
|
&U->u.user.revision, K->u.kernel.TYPE->revision)
|
|
|
|
|
|
|
|
int xt_data_to_user(void __user *dst, const void *src,
|
2017-05-09 14:17:37 -06:00
|
|
|
int usersize, int size, int aligned_size)
|
2017-01-02 15:19:40 -07:00
|
|
|
{
|
|
|
|
usersize = usersize ? : size;
|
|
|
|
if (copy_to_user(dst, src, usersize))
|
|
|
|
return -EFAULT;
|
2017-05-09 14:17:37 -06:00
|
|
|
if (usersize != aligned_size &&
|
|
|
|
clear_user(dst + usersize, aligned_size - usersize))
|
2017-01-02 15:19:40 -07:00
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_data_to_user);
|
|
|
|
|
2017-05-17 09:24:47 -06:00
|
|
|
#define XT_DATA_TO_USER(U, K, TYPE) \
|
2017-01-02 15:19:40 -07:00
|
|
|
xt_data_to_user(U->data, K->data, \
|
|
|
|
K->u.kernel.TYPE->usersize, \
|
2017-05-17 09:24:47 -06:00
|
|
|
K->u.kernel.TYPE->TYPE##size, \
|
|
|
|
XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
|
2017-01-02 15:19:40 -07:00
|
|
|
|
|
|
|
int xt_match_to_user(const struct xt_entry_match *m,
|
|
|
|
struct xt_entry_match __user *u)
|
|
|
|
{
|
|
|
|
return XT_OBJ_TO_USER(u, m, match, 0) ||
|
2017-05-17 09:24:47 -06:00
|
|
|
XT_DATA_TO_USER(u, m, match);
|
2017-01-02 15:19:40 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_match_to_user);
|
|
|
|
|
|
|
|
int xt_target_to_user(const struct xt_entry_target *t,
|
|
|
|
struct xt_entry_target __user *u)
|
|
|
|
{
|
|
|
|
return XT_OBJ_TO_USER(u, t, target, 0) ||
|
2017-05-17 09:24:47 -06:00
|
|
|
XT_DATA_TO_USER(u, t, target);
|
2017-01-02 15:19:40 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_target_to_user);
|
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
static int match_revfn(u8 af, const char *name, u8 revision, int *bestp)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
2008-04-14 03:15:35 -06:00
|
|
|
const struct xt_match *m;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
int have_rev = 0;
|
|
|
|
|
|
|
|
list_for_each_entry(m, &xt[af].match, list) {
|
|
|
|
if (strcmp(m->name, name) == 0) {
|
|
|
|
if (m->revision > *bestp)
|
|
|
|
*bestp = m->revision;
|
|
|
|
if (m->revision == revision)
|
|
|
|
have_rev = 1;
|
|
|
|
}
|
|
|
|
}
|
2009-01-11 17:06:04 -07:00
|
|
|
|
|
|
|
if (af != NFPROTO_UNSPEC && !have_rev)
|
|
|
|
return match_revfn(NFPROTO_UNSPEC, name, revision, bestp);
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
return have_rev;
|
|
|
|
}
|
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
static int target_revfn(u8 af, const char *name, u8 revision, int *bestp)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
2008-04-14 03:15:35 -06:00
|
|
|
const struct xt_target *t;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
int have_rev = 0;
|
|
|
|
|
|
|
|
list_for_each_entry(t, &xt[af].target, list) {
|
|
|
|
if (strcmp(t->name, name) == 0) {
|
|
|
|
if (t->revision > *bestp)
|
|
|
|
*bestp = t->revision;
|
|
|
|
if (t->revision == revision)
|
|
|
|
have_rev = 1;
|
|
|
|
}
|
|
|
|
}
|
2009-01-11 17:06:04 -07:00
|
|
|
|
|
|
|
if (af != NFPROTO_UNSPEC && !have_rev)
|
|
|
|
return target_revfn(NFPROTO_UNSPEC, name, revision, bestp);
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
return have_rev;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Returns true or false (if no such extension at all) */
|
2008-10-08 03:35:00 -06:00
|
|
|
int xt_find_revision(u8 af, const char *name, u8 revision, int target,
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
int *err)
|
|
|
|
{
|
|
|
|
int have_rev, best = -1;
|
|
|
|
|
2014-07-31 12:38:46 -06:00
|
|
|
mutex_lock(&xt[af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
if (target == 1)
|
|
|
|
have_rev = target_revfn(af, name, revision, &best);
|
|
|
|
else
|
|
|
|
have_rev = match_revfn(af, name, revision, &best);
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
/* Nothing at all? Return 0 to try loading module. */
|
|
|
|
if (best == -1) {
|
|
|
|
*err = -ENOENT;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
*err = best;
|
|
|
|
if (!have_rev)
|
|
|
|
*err = -EPROTONOSUPPORT;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_find_revision);
|
|
|
|
|
2013-01-10 05:30:05 -07:00
|
|
|
static char *
|
|
|
|
textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto)
|
2009-04-05 02:43:09 -06:00
|
|
|
{
|
2013-01-10 05:30:05 -07:00
|
|
|
static const char *const inetbr_names[] = {
|
2009-04-05 02:43:09 -06:00
|
|
|
"PREROUTING", "INPUT", "FORWARD",
|
|
|
|
"OUTPUT", "POSTROUTING", "BROUTING",
|
|
|
|
};
|
2013-01-10 05:30:05 -07:00
|
|
|
static const char *const arp_names[] = {
|
|
|
|
"INPUT", "FORWARD", "OUTPUT",
|
|
|
|
};
|
|
|
|
const char *const *names;
|
|
|
|
unsigned int i, max;
|
2009-04-05 02:43:09 -06:00
|
|
|
char *p = buf;
|
|
|
|
bool np = false;
|
|
|
|
int res;
|
|
|
|
|
2013-01-10 05:30:05 -07:00
|
|
|
names = (nfproto == NFPROTO_ARP) ? arp_names : inetbr_names;
|
|
|
|
max = (nfproto == NFPROTO_ARP) ? ARRAY_SIZE(arp_names) :
|
|
|
|
ARRAY_SIZE(inetbr_names);
|
2009-04-05 02:43:09 -06:00
|
|
|
*p = '\0';
|
2013-01-10 05:30:05 -07:00
|
|
|
for (i = 0; i < max; ++i) {
|
2009-04-05 02:43:09 -06:00
|
|
|
if (!(mask & (1 << i)))
|
|
|
|
continue;
|
|
|
|
res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]);
|
|
|
|
if (res > 0) {
|
|
|
|
size -= res;
|
|
|
|
p += res;
|
|
|
|
}
|
|
|
|
np = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
return buf;
|
|
|
|
}
|
|
|
|
|
2018-03-09 17:15:45 -07:00
|
|
|
/**
|
|
|
|
* xt_check_proc_name - check that name is suitable for /proc file creation
|
|
|
|
*
|
|
|
|
* @name: file name candidate
|
|
|
|
* @size: length of buffer
|
|
|
|
*
|
|
|
|
* some x_tables modules wish to create a file in /proc.
|
|
|
|
* This function makes sure that the name is suitable for this
|
|
|
|
* purpose, it checks that name is NUL terminated and isn't a 'special'
|
|
|
|
* name, like "..".
|
|
|
|
*
|
|
|
|
* returns negative number on error or 0 if name is useable.
|
|
|
|
*/
|
|
|
|
int xt_check_proc_name(const char *name, unsigned int size)
|
|
|
|
{
|
|
|
|
if (name[0] == '\0')
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (strnlen(name, size) == size)
|
|
|
|
return -ENAMETOOLONG;
|
|
|
|
|
|
|
|
if (strcmp(name, ".") == 0 ||
|
|
|
|
strcmp(name, "..") == 0 ||
|
|
|
|
strchr(name, '/'))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_check_proc_name);
|
|
|
|
|
2008-10-08 03:35:20 -06:00
|
|
|
int xt_check_match(struct xt_mtchk_param *par,
|
2008-10-08 03:35:18 -06:00
|
|
|
unsigned int size, u_int8_t proto, bool inv_proto)
|
2006-03-20 18:59:06 -07:00
|
|
|
{
|
2010-03-23 09:35:56 -06:00
|
|
|
int ret;
|
|
|
|
|
2008-10-08 03:35:18 -06:00
|
|
|
if (XT_ALIGN(par->match->matchsize) != size &&
|
|
|
|
par->match->matchsize != -1) {
|
2008-10-08 03:35:15 -06:00
|
|
|
/*
|
|
|
|
* ebt_among is exempt from centralized matchsize checking
|
|
|
|
* because it uses a dynamic-size data set.
|
|
|
|
*/
|
2018-02-09 07:52:00 -07:00
|
|
|
pr_err_ratelimited("%s_tables: %s.%u match: invalid size %u (kernel) != (user) %u\n",
|
|
|
|
xt_prefix[par->family], par->match->name,
|
|
|
|
par->match->revision,
|
|
|
|
XT_ALIGN(par->match->matchsize), size);
|
2006-03-20 18:59:06 -07:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
2008-10-08 03:35:18 -06:00
|
|
|
if (par->match->table != NULL &&
|
|
|
|
strcmp(par->match->table, par->table) != 0) {
|
2018-02-09 07:52:00 -07:00
|
|
|
pr_info_ratelimited("%s_tables: %s match: only valid in %s table, not %s\n",
|
|
|
|
xt_prefix[par->family], par->match->name,
|
|
|
|
par->match->table, par->table);
|
2006-03-20 18:59:06 -07:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
2008-10-08 03:35:18 -06:00
|
|
|
if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
|
2009-04-05 02:43:09 -06:00
|
|
|
char used[64], allow[64];
|
|
|
|
|
2018-02-09 07:52:00 -07:00
|
|
|
pr_info_ratelimited("%s_tables: %s match: used from hooks %s, but only valid from %s\n",
|
|
|
|
xt_prefix[par->family], par->match->name,
|
|
|
|
textify_hooks(used, sizeof(used),
|
|
|
|
par->hook_mask, par->family),
|
|
|
|
textify_hooks(allow, sizeof(allow),
|
|
|
|
par->match->hooks,
|
|
|
|
par->family));
|
2006-03-20 18:59:06 -07:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
2008-10-08 03:35:18 -06:00
|
|
|
if (par->match->proto && (par->match->proto != proto || inv_proto)) {
|
2018-02-09 07:52:00 -07:00
|
|
|
pr_info_ratelimited("%s_tables: %s match: only valid for protocol %u\n",
|
|
|
|
xt_prefix[par->family], par->match->name,
|
|
|
|
par->match->proto);
|
2006-03-20 18:59:06 -07:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
2010-03-23 09:35:56 -06:00
|
|
|
if (par->match->checkentry != NULL) {
|
|
|
|
ret = par->match->checkentry(par);
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
|
|
|
else if (ret > 0)
|
|
|
|
/* Flag up potential errors. */
|
|
|
|
return -EIO;
|
|
|
|
}
|
2006-03-20 18:59:06 -07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_check_match);
|
|
|
|
|
2016-04-01 06:17:29 -06:00
|
|
|
/** xt_check_entry_match - check that matches end before start of target
|
|
|
|
*
|
|
|
|
* @match: beginning of xt_entry_match
|
|
|
|
* @target: beginning of this rules target (alleged end of matches)
|
|
|
|
* @alignment: alignment requirement of match structures
|
|
|
|
*
|
|
|
|
* Validates that all matches add up to the beginning of the target,
|
|
|
|
* and that each match covers at least the base structure size.
|
|
|
|
*
|
|
|
|
* Return: 0 on success, negative errno on failure.
|
|
|
|
*/
|
|
|
|
static int xt_check_entry_match(const char *match, const char *target,
|
|
|
|
const size_t alignment)
|
|
|
|
{
|
|
|
|
const struct xt_entry_match *pos;
|
|
|
|
int length = target - match;
|
|
|
|
|
|
|
|
if (length == 0) /* no matches */
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
pos = (struct xt_entry_match *)match;
|
|
|
|
do {
|
|
|
|
if ((unsigned long)pos % alignment)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (length < (int)sizeof(struct xt_entry_match))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (pos->u.match_size < sizeof(struct xt_entry_match))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (pos->u.match_size > length)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
length -= pos->u.match_size;
|
|
|
|
pos = ((void *)((char *)(pos) + (pos)->u.match_size));
|
|
|
|
} while (length > 0);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-02-27 11:42:29 -07:00
|
|
|
/** xt_check_table_hooks - check hook entry points are sane
|
|
|
|
*
|
|
|
|
* @info xt_table_info to check
|
|
|
|
* @valid_hooks - hook entry points that we can enter from
|
|
|
|
*
|
|
|
|
* Validates that the hook entry and underflows points are set up.
|
|
|
|
*
|
|
|
|
* Return: 0 on success, negative errno on failure.
|
|
|
|
*/
|
|
|
|
int xt_check_table_hooks(const struct xt_table_info *info, unsigned int valid_hooks)
|
|
|
|
{
|
2018-02-27 11:42:30 -07:00
|
|
|
const char *err = "unsorted underflow";
|
|
|
|
unsigned int i, max_uflow, max_entry;
|
|
|
|
bool check_hooks = false;
|
2018-02-27 11:42:29 -07:00
|
|
|
|
|
|
|
BUILD_BUG_ON(ARRAY_SIZE(info->hook_entry) != ARRAY_SIZE(info->underflow));
|
|
|
|
|
2018-02-27 11:42:30 -07:00
|
|
|
max_entry = 0;
|
|
|
|
max_uflow = 0;
|
|
|
|
|
2018-02-27 11:42:29 -07:00
|
|
|
for (i = 0; i < ARRAY_SIZE(info->hook_entry); i++) {
|
|
|
|
if (!(valid_hooks & (1 << i)))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (info->hook_entry[i] == 0xFFFFFFFF)
|
|
|
|
return -EINVAL;
|
|
|
|
if (info->underflow[i] == 0xFFFFFFFF)
|
|
|
|
return -EINVAL;
|
2018-02-27 11:42:30 -07:00
|
|
|
|
|
|
|
if (check_hooks) {
|
|
|
|
if (max_uflow > info->underflow[i])
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
if (max_uflow == info->underflow[i]) {
|
|
|
|
err = "duplicate underflow";
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
if (max_entry > info->hook_entry[i]) {
|
|
|
|
err = "unsorted entry";
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
if (max_entry == info->hook_entry[i]) {
|
|
|
|
err = "duplicate entry";
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
max_entry = info->hook_entry[i];
|
|
|
|
max_uflow = info->underflow[i];
|
|
|
|
check_hooks = true;
|
2018-02-27 11:42:29 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
2018-02-27 11:42:30 -07:00
|
|
|
error:
|
|
|
|
pr_err_ratelimited("%s at hook %d\n", err, i);
|
|
|
|
return -EINVAL;
|
2018-02-27 11:42:29 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_check_table_hooks);
|
|
|
|
|
2018-03-06 00:26:00 -07:00
|
|
|
static bool verdict_ok(int verdict)
|
|
|
|
{
|
|
|
|
if (verdict > 0)
|
|
|
|
return true;
|
|
|
|
|
|
|
|
if (verdict < 0) {
|
|
|
|
int v = -verdict - 1;
|
|
|
|
|
|
|
|
if (verdict == XT_RETURN)
|
|
|
|
return true;
|
|
|
|
|
|
|
|
switch (v) {
|
|
|
|
case NF_ACCEPT: return true;
|
|
|
|
case NF_DROP: return true;
|
|
|
|
case NF_QUEUE: return true;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool error_tg_ok(unsigned int usersize, unsigned int kernsize,
|
|
|
|
const char *msg, unsigned int msglen)
|
|
|
|
{
|
|
|
|
return usersize == kernsize && strnlen(msg, msglen) < msglen;
|
|
|
|
}
|
|
|
|
|
2006-04-01 03:25:19 -07:00
|
|
|
#ifdef CONFIG_COMPAT
|
2010-12-18 10:35:15 -07:00
|
|
|
int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
|
2007-12-17 22:47:48 -07:00
|
|
|
{
|
2010-12-18 10:35:15 -07:00
|
|
|
struct xt_af *xp = &xt[af];
|
2007-12-17 22:47:48 -07:00
|
|
|
|
2018-02-27 11:42:36 -07:00
|
|
|
WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));
|
|
|
|
|
2018-02-27 11:42:35 -07:00
|
|
|
if (WARN_ON(!xp->compat_tab))
|
|
|
|
return -ENOMEM;
|
2007-12-17 22:47:48 -07:00
|
|
|
|
2010-12-18 10:35:15 -07:00
|
|
|
if (xp->cur >= xp->number)
|
|
|
|
return -EINVAL;
|
2007-12-17 22:47:48 -07:00
|
|
|
|
2010-12-18 10:35:15 -07:00
|
|
|
if (xp->cur)
|
|
|
|
delta += xp->compat_tab[xp->cur - 1].delta;
|
|
|
|
xp->compat_tab[xp->cur].offset = offset;
|
|
|
|
xp->compat_tab[xp->cur].delta = delta;
|
|
|
|
xp->cur++;
|
2007-12-17 22:47:48 -07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_compat_add_offset);
|
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
void xt_compat_flush_offsets(u_int8_t af)
|
2007-12-17 22:47:48 -07:00
|
|
|
{
|
2018-02-27 11:42:36 -07:00
|
|
|
WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));
|
|
|
|
|
2010-12-18 10:35:15 -07:00
|
|
|
if (xt[af].compat_tab) {
|
|
|
|
vfree(xt[af].compat_tab);
|
|
|
|
xt[af].compat_tab = NULL;
|
|
|
|
xt[af].number = 0;
|
2011-04-21 02:57:21 -06:00
|
|
|
xt[af].cur = 0;
|
2007-12-17 22:47:48 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_compat_flush_offsets);
|
|
|
|
|
2010-02-15 10:17:10 -07:00
|
|
|
int xt_compat_calc_jump(u_int8_t af, unsigned int offset)
|
2007-12-17 22:47:48 -07:00
|
|
|
{
|
2010-12-18 10:35:15 -07:00
|
|
|
struct compat_delta *tmp = xt[af].compat_tab;
|
|
|
|
int mid, left = 0, right = xt[af].cur - 1;
|
|
|
|
|
|
|
|
while (left <= right) {
|
|
|
|
mid = (left + right) >> 1;
|
|
|
|
if (offset > tmp[mid].offset)
|
|
|
|
left = mid + 1;
|
|
|
|
else if (offset < tmp[mid].offset)
|
|
|
|
right = mid - 1;
|
|
|
|
else
|
|
|
|
return mid ? tmp[mid - 1].delta : 0;
|
|
|
|
}
|
2011-04-21 02:57:21 -06:00
|
|
|
return left ? tmp[left - 1].delta : 0;
|
2007-12-17 22:47:48 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
|
|
|
|
|
2018-02-27 11:42:34 -07:00
|
|
|
int xt_compat_init_offsets(u8 af, unsigned int number)
|
2010-12-18 10:35:15 -07:00
|
|
|
{
|
2018-02-27 11:42:35 -07:00
|
|
|
size_t mem;
|
|
|
|
|
2018-02-27 11:42:36 -07:00
|
|
|
WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));
|
|
|
|
|
2018-02-27 11:42:35 -07:00
|
|
|
if (!number || number > (INT_MAX / sizeof(struct compat_delta)))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (WARN_ON(xt[af].compat_tab))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
mem = sizeof(struct compat_delta) * number;
|
|
|
|
if (mem > XT_MAX_TABLE_SIZE)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
xt[af].compat_tab = vmalloc(mem);
|
|
|
|
if (!xt[af].compat_tab)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2010-12-18 10:35:15 -07:00
|
|
|
xt[af].number = number;
|
|
|
|
xt[af].cur = 0;
|
2018-02-27 11:42:34 -07:00
|
|
|
|
|
|
|
return 0;
|
2010-12-18 10:35:15 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_compat_init_offsets);
|
|
|
|
|
2008-04-14 03:15:35 -06:00
|
|
|
int xt_compat_match_offset(const struct xt_match *match)
|
2006-04-01 03:25:19 -07:00
|
|
|
{
|
2006-09-20 13:05:37 -06:00
|
|
|
u_int16_t csize = match->compatsize ? : match->matchsize;
|
|
|
|
return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_compat_match_offset);
|
|
|
|
|
2016-04-01 06:17:33 -06:00
|
|
|
void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
|
|
|
|
unsigned int *size)
|
2006-09-20 13:05:37 -06:00
|
|
|
{
|
2008-04-14 03:15:35 -06:00
|
|
|
const struct xt_match *match = m->u.kernel.match;
|
2006-09-20 13:05:37 -06:00
|
|
|
struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
|
|
|
|
int pad, off = xt_compat_match_offset(match);
|
|
|
|
u_int16_t msize = cm->u.user.match_size;
|
netfilter: x_tables: do compat validation via translate_table
This looks like refactoring, but its also a bug fix.
Problem is that the compat path (32bit iptables, 64bit kernel) lacks a few
sanity tests that are done in the normal path.
For example, we do not check for underflows and the base chain policies.
While its possible to also add such checks to the compat path, its more
copy&pastry, for instance we cannot reuse check_underflow() helper as
e->target_offset differs in the compat case.
Other problem is that it makes auditing for validation errors harder; two
places need to be checked and kept in sync.
At a high level 32 bit compat works like this:
1- initial pass over blob:
validate match/entry offsets, bounds checking
lookup all matches and targets
do bookkeeping wrt. size delta of 32/64bit structures
assign match/target.u.kernel pointer (points at kernel
implementation, needed to access ->compatsize etc.)
2- allocate memory according to the total bookkeeping size to
contain the translated ruleset
3- second pass over original blob:
for each entry, copy the 32bit representation to the newly allocated
memory. This also does any special match translations (e.g.
adjust 32bit to 64bit longs, etc).
4- check if ruleset is free of loops (chase all jumps)
5-first pass over translated blob:
call the checkentry function of all matches and targets.
The alternative implemented by this patch is to drop steps 3&4 from the
compat process, the translation is changed into an intermediate step
rather than a full 1:1 translate_table replacement.
In the 2nd pass (step #3), change the 64bit ruleset back to a kernel
representation, i.e. put() the kernel pointer and restore ->u.user.name .
This gets us a 64bit ruleset that is in the format generated by a 64bit
iptables userspace -- we can then use translate_table() to get the
'native' sanity checks.
This has two drawbacks:
1. we re-validate all the match and target entry structure sizes even
though compat translation is supposed to never generate bogus offsets.
2. we put and then re-lookup each match and target.
THe upside is that we get all sanity tests and ruleset validations
provided by the normal path and can remove some duplicated compat code.
iptables-restore time of autogenerated ruleset with 300k chains of form
-A CHAIN0001 -m limit --limit 1/s -j CHAIN0002
-A CHAIN0002 -m limit --limit 1/s -j CHAIN0003
shows no noticeable differences in restore times:
old: 0m30.796s
new: 0m31.521s
64bit: 0m25.674s
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-04-01 06:17:34 -06:00
|
|
|
char name[sizeof(m->u.user.name)];
|
2006-09-20 13:05:37 -06:00
|
|
|
|
|
|
|
m = *dstptr;
|
|
|
|
memcpy(m, cm, sizeof(*cm));
|
|
|
|
if (match->compat_from_user)
|
|
|
|
match->compat_from_user(m->data, cm->data);
|
|
|
|
else
|
|
|
|
memcpy(m->data, cm->data, msize - sizeof(*cm));
|
|
|
|
pad = XT_ALIGN(match->matchsize) - match->matchsize;
|
|
|
|
if (pad > 0)
|
|
|
|
memset(m->data + match->matchsize, 0, pad);
|
|
|
|
|
|
|
|
msize += off;
|
|
|
|
m->u.user.match_size = msize;
|
netfilter: x_tables: do compat validation via translate_table
This looks like refactoring, but its also a bug fix.
Problem is that the compat path (32bit iptables, 64bit kernel) lacks a few
sanity tests that are done in the normal path.
For example, we do not check for underflows and the base chain policies.
While its possible to also add such checks to the compat path, its more
copy&pastry, for instance we cannot reuse check_underflow() helper as
e->target_offset differs in the compat case.
Other problem is that it makes auditing for validation errors harder; two
places need to be checked and kept in sync.
At a high level 32 bit compat works like this:
1- initial pass over blob:
validate match/entry offsets, bounds checking
lookup all matches and targets
do bookkeeping wrt. size delta of 32/64bit structures
assign match/target.u.kernel pointer (points at kernel
implementation, needed to access ->compatsize etc.)
2- allocate memory according to the total bookkeeping size to
contain the translated ruleset
3- second pass over original blob:
for each entry, copy the 32bit representation to the newly allocated
memory. This also does any special match translations (e.g.
adjust 32bit to 64bit longs, etc).
4- check if ruleset is free of loops (chase all jumps)
5-first pass over translated blob:
call the checkentry function of all matches and targets.
The alternative implemented by this patch is to drop steps 3&4 from the
compat process, the translation is changed into an intermediate step
rather than a full 1:1 translate_table replacement.
In the 2nd pass (step #3), change the 64bit ruleset back to a kernel
representation, i.e. put() the kernel pointer and restore ->u.user.name .
This gets us a 64bit ruleset that is in the format generated by a 64bit
iptables userspace -- we can then use translate_table() to get the
'native' sanity checks.
This has two drawbacks:
1. we re-validate all the match and target entry structure sizes even
though compat translation is supposed to never generate bogus offsets.
2. we put and then re-lookup each match and target.
THe upside is that we get all sanity tests and ruleset validations
provided by the normal path and can remove some duplicated compat code.
iptables-restore time of autogenerated ruleset with 300k chains of form
-A CHAIN0001 -m limit --limit 1/s -j CHAIN0002
-A CHAIN0002 -m limit --limit 1/s -j CHAIN0003
shows no noticeable differences in restore times:
old: 0m30.796s
new: 0m31.521s
64bit: 0m25.674s
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-04-01 06:17:34 -06:00
|
|
|
strlcpy(name, match->name, sizeof(name));
|
|
|
|
module_put(match->me);
|
|
|
|
strncpy(m->u.user.name, name, sizeof(m->u.user.name));
|
2006-09-20 13:05:37 -06:00
|
|
|
|
|
|
|
*size += off;
|
|
|
|
*dstptr += msize;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
|
|
|
|
|
2017-05-17 09:24:47 -06:00
|
|
|
#define COMPAT_XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \
|
|
|
|
xt_data_to_user(U->data, K->data, \
|
|
|
|
K->u.kernel.TYPE->usersize, \
|
|
|
|
C_SIZE, \
|
|
|
|
COMPAT_XT_ALIGN(C_SIZE))
|
|
|
|
|
2009-06-26 00:23:19 -06:00
|
|
|
int xt_compat_match_to_user(const struct xt_entry_match *m,
|
|
|
|
void __user **dstptr, unsigned int *size)
|
2006-09-20 13:05:37 -06:00
|
|
|
{
|
2008-04-14 03:15:35 -06:00
|
|
|
const struct xt_match *match = m->u.kernel.match;
|
2006-09-20 13:05:37 -06:00
|
|
|
struct compat_xt_entry_match __user *cm = *dstptr;
|
|
|
|
int off = xt_compat_match_offset(match);
|
|
|
|
u_int16_t msize = m->u.user.match_size - off;
|
|
|
|
|
2017-01-02 15:19:45 -07:00
|
|
|
if (XT_OBJ_TO_USER(cm, m, match, msize))
|
2007-02-12 12:15:49 -07:00
|
|
|
return -EFAULT;
|
2006-09-20 13:05:37 -06:00
|
|
|
|
|
|
|
if (match->compat_to_user) {
|
|
|
|
if (match->compat_to_user((void __user *)cm->data, m->data))
|
|
|
|
return -EFAULT;
|
|
|
|
} else {
|
2017-05-17 09:24:47 -06:00
|
|
|
if (COMPAT_XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
|
2006-09-20 13:05:37 -06:00
|
|
|
return -EFAULT;
|
2006-04-01 03:25:19 -07:00
|
|
|
}
|
2006-09-20 13:05:37 -06:00
|
|
|
|
|
|
|
*size -= off;
|
|
|
|
*dstptr += msize;
|
|
|
|
return 0;
|
2006-04-01 03:25:19 -07:00
|
|
|
}
|
2006-09-20 13:05:37 -06:00
|
|
|
EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
|
2016-04-01 06:17:26 -06:00
|
|
|
|
2016-04-01 06:17:27 -06:00
|
|
|
/* non-compat version may have padding after verdict */
|
|
|
|
struct compat_xt_standard_target {
|
|
|
|
struct compat_xt_entry_target t;
|
|
|
|
compat_uint_t verdict;
|
|
|
|
};
|
|
|
|
|
2018-02-27 11:42:28 -07:00
|
|
|
struct compat_xt_error_target {
|
|
|
|
struct compat_xt_entry_target t;
|
|
|
|
char errorname[XT_FUNCTION_MAXNAMELEN];
|
|
|
|
};
|
|
|
|
|
2016-04-01 06:17:28 -06:00
|
|
|
int xt_compat_check_entry_offsets(const void *base, const char *elems,
|
2016-04-01 06:17:26 -06:00
|
|
|
unsigned int target_offset,
|
|
|
|
unsigned int next_offset)
|
|
|
|
{
|
2016-04-01 06:17:28 -06:00
|
|
|
long size_of_base_struct = elems - (const char *)base;
|
2016-04-01 06:17:26 -06:00
|
|
|
const struct compat_xt_entry_target *t;
|
|
|
|
const char *e = base;
|
|
|
|
|
2016-04-01 06:17:28 -06:00
|
|
|
if (target_offset < size_of_base_struct)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2016-04-01 06:17:26 -06:00
|
|
|
if (target_offset + sizeof(*t) > next_offset)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
t = (void *)(e + target_offset);
|
|
|
|
if (t->u.target_size < sizeof(*t))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (target_offset + t->u.target_size > next_offset)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2018-02-27 11:42:27 -07:00
|
|
|
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {
|
|
|
|
const struct compat_xt_standard_target *st = (const void *)t;
|
|
|
|
|
|
|
|
if (COMPAT_XT_ALIGN(target_offset + sizeof(*st)) != next_offset)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!verdict_ok(st->verdict))
|
|
|
|
return -EINVAL;
|
2018-02-27 11:42:28 -07:00
|
|
|
} else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) {
|
|
|
|
const struct compat_xt_error_target *et = (const void *)t;
|
|
|
|
|
|
|
|
if (!error_tg_ok(t->u.target_size, sizeof(*et),
|
|
|
|
et->errorname, sizeof(et->errorname)))
|
|
|
|
return -EINVAL;
|
2018-02-27 11:42:27 -07:00
|
|
|
}
|
2016-04-01 06:17:27 -06:00
|
|
|
|
2017-02-27 15:28:58 -07:00
|
|
|
/* compat_xt_entry match has less strict alignment requirements,
|
2016-04-01 06:17:29 -06:00
|
|
|
* otherwise they are identical. In case of padding differences
|
|
|
|
* we need to add compat version of xt_check_entry_match.
|
|
|
|
*/
|
|
|
|
BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match));
|
|
|
|
|
|
|
|
return xt_check_entry_match(elems, base + target_offset,
|
|
|
|
__alignof__(struct compat_xt_entry_match));
|
2016-04-01 06:17:26 -06:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_compat_check_entry_offsets);
|
2006-09-20 13:05:37 -06:00
|
|
|
#endif /* CONFIG_COMPAT */
|
2006-04-01 03:25:19 -07:00
|
|
|
|
2016-04-01 06:17:23 -06:00
|
|
|
/**
|
|
|
|
* xt_check_entry_offsets - validate arp/ip/ip6t_entry
|
|
|
|
*
|
|
|
|
* @base: pointer to arp/ip/ip6t_entry
|
2016-04-01 06:17:28 -06:00
|
|
|
* @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems
|
2016-04-01 06:17:23 -06:00
|
|
|
* @target_offset: the arp/ip/ip6_t->target_offset
|
|
|
|
* @next_offset: the arp/ip/ip6_t->next_offset
|
|
|
|
*
|
2016-04-01 06:17:29 -06:00
|
|
|
* validates that target_offset and next_offset are sane and that all
|
|
|
|
* match sizes (if any) align with the target offset.
|
2016-04-01 06:17:23 -06:00
|
|
|
*
|
2016-04-01 06:17:28 -06:00
|
|
|
* This function does not validate the targets or matches themselves, it
|
2016-04-01 06:17:29 -06:00
|
|
|
* only tests that all the offsets and sizes are correct, that all
|
|
|
|
* match structures are aligned, and that the last structure ends where
|
|
|
|
* the target structure begins.
|
|
|
|
*
|
|
|
|
* Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
|
2016-04-01 06:17:28 -06:00
|
|
|
*
|
2016-04-01 06:17:23 -06:00
|
|
|
* The arp/ip/ip6t_entry structure @base must have passed following tests:
|
|
|
|
* - it must point to a valid memory location
|
|
|
|
* - base to base + next_offset must be accessible, i.e. not exceed allocated
|
|
|
|
* length.
|
|
|
|
*
|
2016-04-01 06:17:29 -06:00
|
|
|
* A well-formed entry looks like this:
|
|
|
|
*
|
|
|
|
* ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry
|
|
|
|
* e->elems[]-----' | |
|
|
|
|
* matchsize | |
|
|
|
|
* matchsize | |
|
|
|
|
* | |
|
|
|
|
* target_offset---------------------------------' |
|
|
|
|
* next_offset---------------------------------------------------'
|
|
|
|
*
|
|
|
|
* elems[]: flexible array member at end of ip(6)/arpt_entry struct.
|
|
|
|
* This is where matches (if any) and the target reside.
|
|
|
|
* target_offset: beginning of target.
|
|
|
|
* next_offset: start of the next rule; also: size of this rule.
|
|
|
|
* Since targets have a minimum size, target_offset + minlen <= next_offset.
|
|
|
|
*
|
|
|
|
* Every match stores its size, sum of sizes must not exceed target_offset.
|
|
|
|
*
|
2016-04-01 06:17:23 -06:00
|
|
|
* Return: 0 on success, negative errno on failure.
|
|
|
|
*/
|
|
|
|
int xt_check_entry_offsets(const void *base,
|
2016-04-01 06:17:28 -06:00
|
|
|
const char *elems,
|
2016-04-01 06:17:23 -06:00
|
|
|
unsigned int target_offset,
|
|
|
|
unsigned int next_offset)
|
|
|
|
{
|
2016-04-01 06:17:28 -06:00
|
|
|
long size_of_base_struct = elems - (const char *)base;
|
2016-04-01 06:17:23 -06:00
|
|
|
const struct xt_entry_target *t;
|
|
|
|
const char *e = base;
|
|
|
|
|
2016-04-01 06:17:28 -06:00
|
|
|
/* target start is within the ip/ip6/arpt_entry struct */
|
|
|
|
if (target_offset < size_of_base_struct)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2016-04-01 06:17:23 -06:00
|
|
|
if (target_offset + sizeof(*t) > next_offset)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
t = (void *)(e + target_offset);
|
2016-04-01 06:17:25 -06:00
|
|
|
if (t->u.target_size < sizeof(*t))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2016-04-01 06:17:23 -06:00
|
|
|
if (target_offset + t->u.target_size > next_offset)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2018-02-27 11:42:27 -07:00
|
|
|
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {
|
|
|
|
const struct xt_standard_target *st = (const void *)t;
|
|
|
|
|
|
|
|
if (XT_ALIGN(target_offset + sizeof(*st)) != next_offset)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!verdict_ok(st->verdict))
|
|
|
|
return -EINVAL;
|
2018-02-27 11:42:28 -07:00
|
|
|
} else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) {
|
|
|
|
const struct xt_error_target *et = (const void *)t;
|
|
|
|
|
|
|
|
if (!error_tg_ok(t->u.target_size, sizeof(*et),
|
|
|
|
et->errorname, sizeof(et->errorname)))
|
|
|
|
return -EINVAL;
|
2018-02-27 11:42:27 -07:00
|
|
|
}
|
2016-04-01 06:17:27 -06:00
|
|
|
|
2016-04-01 06:17:29 -06:00
|
|
|
return xt_check_entry_match(elems, base + target_offset,
|
|
|
|
__alignof__(struct xt_entry_match));
|
2016-04-01 06:17:23 -06:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_check_entry_offsets);
|
|
|
|
|
2016-07-14 09:51:26 -06:00
|
|
|
/**
|
|
|
|
* xt_alloc_entry_offsets - allocate array to store rule head offsets
|
|
|
|
*
|
|
|
|
* @size: number of entries
|
|
|
|
*
|
|
|
|
* Return: NULL or kmalloc'd or vmalloc'd array
|
|
|
|
*/
|
|
|
|
unsigned int *xt_alloc_entry_offsets(unsigned int size)
|
|
|
|
{
|
2018-02-27 11:42:32 -07:00
|
|
|
if (size > XT_MAX_TABLE_SIZE / sizeof(unsigned int))
|
|
|
|
return NULL;
|
|
|
|
|
2017-05-08 16:57:27 -06:00
|
|
|
return kvmalloc_array(size, sizeof(unsigned int), GFP_KERNEL | __GFP_ZERO);
|
2016-07-14 09:51:26 -06:00
|
|
|
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_alloc_entry_offsets);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* xt_find_jump_offset - check if target is a valid jump offset
|
|
|
|
*
|
|
|
|
* @offsets: array containing all valid rule start offsets of a rule blob
|
|
|
|
* @target: the jump target to search for
|
|
|
|
* @size: entries in @offset
|
|
|
|
*/
|
|
|
|
bool xt_find_jump_offset(const unsigned int *offsets,
|
|
|
|
unsigned int target, unsigned int size)
|
|
|
|
{
|
|
|
|
int m, low = 0, hi = size;
|
|
|
|
|
|
|
|
while (hi > low) {
|
|
|
|
m = (low + hi) / 2u;
|
|
|
|
|
|
|
|
if (offsets[m] > target)
|
|
|
|
hi = m;
|
|
|
|
else if (offsets[m] < target)
|
|
|
|
low = m + 1;
|
|
|
|
else
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_find_jump_offset);
|
|
|
|
|
2008-10-08 03:35:20 -06:00
|
|
|
int xt_check_target(struct xt_tgchk_param *par,
|
2008-10-08 03:35:19 -06:00
|
|
|
unsigned int size, u_int8_t proto, bool inv_proto)
|
2006-03-20 18:59:06 -07:00
|
|
|
{
|
2010-03-25 09:34:45 -06:00
|
|
|
int ret;
|
|
|
|
|
2008-10-08 03:35:19 -06:00
|
|
|
if (XT_ALIGN(par->target->targetsize) != size) {
|
2018-02-09 07:52:00 -07:00
|
|
|
pr_err_ratelimited("%s_tables: %s.%u target: invalid size %u (kernel) != (user) %u\n",
|
|
|
|
xt_prefix[par->family], par->target->name,
|
|
|
|
par->target->revision,
|
|
|
|
XT_ALIGN(par->target->targetsize), size);
|
2006-03-20 18:59:06 -07:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
2008-10-08 03:35:19 -06:00
|
|
|
if (par->target->table != NULL &&
|
|
|
|
strcmp(par->target->table, par->table) != 0) {
|
2018-02-09 07:52:00 -07:00
|
|
|
pr_info_ratelimited("%s_tables: %s target: only valid in %s table, not %s\n",
|
|
|
|
xt_prefix[par->family], par->target->name,
|
|
|
|
par->target->table, par->table);
|
2006-03-20 18:59:06 -07:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
2008-10-08 03:35:19 -06:00
|
|
|
if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) {
|
2009-04-05 02:43:09 -06:00
|
|
|
char used[64], allow[64];
|
|
|
|
|
2018-02-09 07:52:00 -07:00
|
|
|
pr_info_ratelimited("%s_tables: %s target: used from hooks %s, but only usable from %s\n",
|
|
|
|
xt_prefix[par->family], par->target->name,
|
|
|
|
textify_hooks(used, sizeof(used),
|
|
|
|
par->hook_mask, par->family),
|
|
|
|
textify_hooks(allow, sizeof(allow),
|
|
|
|
par->target->hooks,
|
|
|
|
par->family));
|
2006-03-20 18:59:06 -07:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
2008-10-08 03:35:19 -06:00
|
|
|
if (par->target->proto && (par->target->proto != proto || inv_proto)) {
|
2018-02-09 07:52:00 -07:00
|
|
|
pr_info_ratelimited("%s_tables: %s target: only valid for protocol %u\n",
|
|
|
|
xt_prefix[par->family], par->target->name,
|
|
|
|
par->target->proto);
|
2006-03-20 18:59:06 -07:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
2010-03-25 09:34:45 -06:00
|
|
|
if (par->target->checkentry != NULL) {
|
|
|
|
ret = par->target->checkentry(par);
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
|
|
|
else if (ret > 0)
|
|
|
|
/* Flag up potential errors. */
|
|
|
|
return -EIO;
|
|
|
|
}
|
2006-03-20 18:59:06 -07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_check_target);
|
|
|
|
|
2016-04-01 07:37:59 -06:00
|
|
|
/**
|
|
|
|
* xt_copy_counters_from_user - copy counters and metadata from userspace
|
|
|
|
*
|
|
|
|
* @user: src pointer to userspace memory
|
|
|
|
* @len: alleged size of userspace memory
|
|
|
|
* @info: where to store the xt_counters_info metadata
|
|
|
|
* @compat: true if we setsockopt call is done by 32bit task on 64bit kernel
|
|
|
|
*
|
|
|
|
* Copies counter meta data from @user and stores it in @info.
|
|
|
|
*
|
|
|
|
* vmallocs memory to hold the counters, then copies the counter data
|
|
|
|
* from @user to the new memory and returns a pointer to it.
|
|
|
|
*
|
|
|
|
* If @compat is true, @info gets converted automatically to the 64bit
|
|
|
|
* representation.
|
|
|
|
*
|
|
|
|
* The metadata associated with the counters is stored in @info.
|
|
|
|
*
|
|
|
|
* Return: returns pointer that caller has to test via IS_ERR().
|
|
|
|
* If IS_ERR is false, caller has to vfree the pointer.
|
|
|
|
*/
|
|
|
|
void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
|
|
|
|
struct xt_counters_info *info, bool compat)
|
|
|
|
{
|
|
|
|
void *mem;
|
|
|
|
u64 size;
|
|
|
|
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
if (compat) {
|
|
|
|
/* structures only differ in size due to alignment */
|
|
|
|
struct compat_xt_counters_info compat_tmp;
|
|
|
|
|
|
|
|
if (len <= sizeof(compat_tmp))
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
len -= sizeof(compat_tmp);
|
|
|
|
if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
|
|
|
|
return ERR_PTR(-EFAULT);
|
|
|
|
|
2017-10-05 03:50:07 -06:00
|
|
|
memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
|
2016-04-01 07:37:59 -06:00
|
|
|
info->num_counters = compat_tmp.num_counters;
|
|
|
|
user += sizeof(compat_tmp);
|
|
|
|
} else
|
|
|
|
#endif
|
|
|
|
{
|
|
|
|
if (len <= sizeof(*info))
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
len -= sizeof(*info);
|
|
|
|
if (copy_from_user(info, user, sizeof(*info)) != 0)
|
|
|
|
return ERR_PTR(-EFAULT);
|
|
|
|
|
|
|
|
user += sizeof(*info);
|
|
|
|
}
|
2017-10-05 03:50:07 -06:00
|
|
|
info->name[sizeof(info->name) - 1] = '\0';
|
2016-04-01 07:37:59 -06:00
|
|
|
|
|
|
|
size = sizeof(struct xt_counters);
|
|
|
|
size *= info->num_counters;
|
|
|
|
|
|
|
|
if (size != (u64)len)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
mem = vmalloc(len);
|
|
|
|
if (!mem)
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
|
|
|
|
if (copy_from_user(mem, user, len) == 0)
|
|
|
|
return mem;
|
|
|
|
|
|
|
|
vfree(mem);
|
|
|
|
return ERR_PTR(-EFAULT);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_copy_counters_from_user);
|
|
|
|
|
2006-04-01 03:25:19 -07:00
|
|
|
#ifdef CONFIG_COMPAT
|
2008-04-14 03:15:35 -06:00
|
|
|
int xt_compat_target_offset(const struct xt_target *target)
|
2006-04-01 03:25:19 -07:00
|
|
|
{
|
2006-09-20 13:05:37 -06:00
|
|
|
u_int16_t csize = target->compatsize ? : target->targetsize;
|
|
|
|
return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_compat_target_offset);
|
|
|
|
|
|
|
|
void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
|
2008-01-31 05:10:18 -07:00
|
|
|
unsigned int *size)
|
2006-09-20 13:05:37 -06:00
|
|
|
{
|
2008-04-14 03:15:35 -06:00
|
|
|
const struct xt_target *target = t->u.kernel.target;
|
2006-09-20 13:05:37 -06:00
|
|
|
struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
|
|
|
|
int pad, off = xt_compat_target_offset(target);
|
|
|
|
u_int16_t tsize = ct->u.user.target_size;
|
netfilter: x_tables: do compat validation via translate_table
This looks like refactoring, but its also a bug fix.
Problem is that the compat path (32bit iptables, 64bit kernel) lacks a few
sanity tests that are done in the normal path.
For example, we do not check for underflows and the base chain policies.
While its possible to also add such checks to the compat path, its more
copy&pastry, for instance we cannot reuse check_underflow() helper as
e->target_offset differs in the compat case.
Other problem is that it makes auditing for validation errors harder; two
places need to be checked and kept in sync.
At a high level 32 bit compat works like this:
1- initial pass over blob:
validate match/entry offsets, bounds checking
lookup all matches and targets
do bookkeeping wrt. size delta of 32/64bit structures
assign match/target.u.kernel pointer (points at kernel
implementation, needed to access ->compatsize etc.)
2- allocate memory according to the total bookkeeping size to
contain the translated ruleset
3- second pass over original blob:
for each entry, copy the 32bit representation to the newly allocated
memory. This also does any special match translations (e.g.
adjust 32bit to 64bit longs, etc).
4- check if ruleset is free of loops (chase all jumps)
5-first pass over translated blob:
call the checkentry function of all matches and targets.
The alternative implemented by this patch is to drop steps 3&4 from the
compat process, the translation is changed into an intermediate step
rather than a full 1:1 translate_table replacement.
In the 2nd pass (step #3), change the 64bit ruleset back to a kernel
representation, i.e. put() the kernel pointer and restore ->u.user.name .
This gets us a 64bit ruleset that is in the format generated by a 64bit
iptables userspace -- we can then use translate_table() to get the
'native' sanity checks.
This has two drawbacks:
1. we re-validate all the match and target entry structure sizes even
though compat translation is supposed to never generate bogus offsets.
2. we put and then re-lookup each match and target.
THe upside is that we get all sanity tests and ruleset validations
provided by the normal path and can remove some duplicated compat code.
iptables-restore time of autogenerated ruleset with 300k chains of form
-A CHAIN0001 -m limit --limit 1/s -j CHAIN0002
-A CHAIN0002 -m limit --limit 1/s -j CHAIN0003
shows no noticeable differences in restore times:
old: 0m30.796s
new: 0m31.521s
64bit: 0m25.674s
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-04-01 06:17:34 -06:00
|
|
|
char name[sizeof(t->u.user.name)];
|
2006-09-20 13:05:37 -06:00
|
|
|
|
|
|
|
t = *dstptr;
|
|
|
|
memcpy(t, ct, sizeof(*ct));
|
|
|
|
if (target->compat_from_user)
|
|
|
|
target->compat_from_user(t->data, ct->data);
|
|
|
|
else
|
|
|
|
memcpy(t->data, ct->data, tsize - sizeof(*ct));
|
|
|
|
pad = XT_ALIGN(target->targetsize) - target->targetsize;
|
|
|
|
if (pad > 0)
|
|
|
|
memset(t->data + target->targetsize, 0, pad);
|
|
|
|
|
|
|
|
tsize += off;
|
|
|
|
t->u.user.target_size = tsize;
|
netfilter: x_tables: do compat validation via translate_table
This looks like refactoring, but its also a bug fix.
Problem is that the compat path (32bit iptables, 64bit kernel) lacks a few
sanity tests that are done in the normal path.
For example, we do not check for underflows and the base chain policies.
While its possible to also add such checks to the compat path, its more
copy&pastry, for instance we cannot reuse check_underflow() helper as
e->target_offset differs in the compat case.
Other problem is that it makes auditing for validation errors harder; two
places need to be checked and kept in sync.
At a high level 32 bit compat works like this:
1- initial pass over blob:
validate match/entry offsets, bounds checking
lookup all matches and targets
do bookkeeping wrt. size delta of 32/64bit structures
assign match/target.u.kernel pointer (points at kernel
implementation, needed to access ->compatsize etc.)
2- allocate memory according to the total bookkeeping size to
contain the translated ruleset
3- second pass over original blob:
for each entry, copy the 32bit representation to the newly allocated
memory. This also does any special match translations (e.g.
adjust 32bit to 64bit longs, etc).
4- check if ruleset is free of loops (chase all jumps)
5-first pass over translated blob:
call the checkentry function of all matches and targets.
The alternative implemented by this patch is to drop steps 3&4 from the
compat process, the translation is changed into an intermediate step
rather than a full 1:1 translate_table replacement.
In the 2nd pass (step #3), change the 64bit ruleset back to a kernel
representation, i.e. put() the kernel pointer and restore ->u.user.name .
This gets us a 64bit ruleset that is in the format generated by a 64bit
iptables userspace -- we can then use translate_table() to get the
'native' sanity checks.
This has two drawbacks:
1. we re-validate all the match and target entry structure sizes even
though compat translation is supposed to never generate bogus offsets.
2. we put and then re-lookup each match and target.
THe upside is that we get all sanity tests and ruleset validations
provided by the normal path and can remove some duplicated compat code.
iptables-restore time of autogenerated ruleset with 300k chains of form
-A CHAIN0001 -m limit --limit 1/s -j CHAIN0002
-A CHAIN0002 -m limit --limit 1/s -j CHAIN0003
shows no noticeable differences in restore times:
old: 0m30.796s
new: 0m31.521s
64bit: 0m25.674s
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-04-01 06:17:34 -06:00
|
|
|
strlcpy(name, target->name, sizeof(name));
|
|
|
|
module_put(target->me);
|
|
|
|
strncpy(t->u.user.name, name, sizeof(t->u.user.name));
|
2006-09-20 13:05:37 -06:00
|
|
|
|
|
|
|
*size += off;
|
|
|
|
*dstptr += tsize;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
|
|
|
|
|
2009-06-26 00:23:19 -06:00
|
|
|
int xt_compat_target_to_user(const struct xt_entry_target *t,
|
|
|
|
void __user **dstptr, unsigned int *size)
|
2006-09-20 13:05:37 -06:00
|
|
|
{
|
2008-04-14 03:15:35 -06:00
|
|
|
const struct xt_target *target = t->u.kernel.target;
|
2006-09-20 13:05:37 -06:00
|
|
|
struct compat_xt_entry_target __user *ct = *dstptr;
|
|
|
|
int off = xt_compat_target_offset(target);
|
|
|
|
u_int16_t tsize = t->u.user.target_size - off;
|
|
|
|
|
2017-01-02 15:19:45 -07:00
|
|
|
if (XT_OBJ_TO_USER(ct, t, target, tsize))
|
2007-02-12 12:15:49 -07:00
|
|
|
return -EFAULT;
|
2006-09-20 13:05:37 -06:00
|
|
|
|
|
|
|
if (target->compat_to_user) {
|
|
|
|
if (target->compat_to_user((void __user *)ct->data, t->data))
|
|
|
|
return -EFAULT;
|
|
|
|
} else {
|
2017-05-17 09:24:47 -06:00
|
|
|
if (COMPAT_XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
|
2006-09-20 13:05:37 -06:00
|
|
|
return -EFAULT;
|
2006-04-01 03:25:19 -07:00
|
|
|
}
|
2006-09-20 13:05:37 -06:00
|
|
|
|
|
|
|
*size -= off;
|
|
|
|
*dstptr += tsize;
|
|
|
|
return 0;
|
2006-04-01 03:25:19 -07:00
|
|
|
}
|
2006-09-20 13:05:37 -06:00
|
|
|
EXPORT_SYMBOL_GPL(xt_compat_target_to_user);
|
2006-04-01 03:25:19 -07:00
|
|
|
#endif
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
struct xt_table_info *xt_alloc_table_info(unsigned int size)
|
|
|
|
{
|
2015-06-15 10:57:30 -06:00
|
|
|
struct xt_table_info *info = NULL;
|
|
|
|
size_t sz = sizeof(*info) + size;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2018-02-27 11:42:31 -07:00
|
|
|
if (sz < sizeof(*info) || sz >= XT_MAX_TABLE_SIZE)
|
2016-03-09 17:56:23 -07:00
|
|
|
return NULL;
|
|
|
|
|
2018-08-07 13:54:00 -06:00
|
|
|
info = kvmalloc(sz, GFP_KERNEL_ACCOUNT);
|
2017-07-12 15:35:37 -06:00
|
|
|
if (!info)
|
|
|
|
return NULL;
|
|
|
|
|
2015-06-15 10:57:30 -06:00
|
|
|
memset(info, 0, sizeof(*info));
|
|
|
|
info->size = size;
|
|
|
|
return info;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_alloc_table_info);
|
|
|
|
|
|
|
|
void xt_free_table_info(struct xt_table_info *info)
|
|
|
|
{
|
|
|
|
int cpu;
|
|
|
|
|
2010-04-19 08:05:10 -06:00
|
|
|
if (info->jumpstack != NULL) {
|
2014-06-24 03:15:35 -06:00
|
|
|
for_each_possible_cpu(cpu)
|
|
|
|
kvfree(info->jumpstack[cpu]);
|
|
|
|
kvfree(info->jumpstack);
|
2010-04-19 08:05:10 -06:00
|
|
|
}
|
|
|
|
|
2015-06-15 10:57:30 -06:00
|
|
|
kvfree(info);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_free_table_info);
|
|
|
|
|
2017-12-08 09:01:53 -07:00
|
|
|
/* Find table by name, grabs mutex & ref. Returns ERR_PTR on error. */
|
2008-10-08 03:35:00 -06:00
|
|
|
struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
|
|
|
|
const char *name)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
struct xt_table *t, *found = NULL;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2014-07-31 12:38:46 -06:00
|
|
|
mutex_lock(&xt[af].mutex);
|
2008-01-31 05:02:13 -07:00
|
|
|
list_for_each_entry(t, &net->xt.tables[af], list)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
if (strcmp(t->name, name) == 0 && try_module_get(t->me))
|
|
|
|
return t;
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
|
|
|
|
if (net == &init_net)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
/* Table doesn't exist in this netns, re-try init */
|
|
|
|
list_for_each_entry(t, &init_net.xt.tables[af], list) {
|
2017-12-08 09:01:53 -07:00
|
|
|
int err;
|
|
|
|
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
if (strcmp(t->name, name))
|
|
|
|
continue;
|
2017-12-08 09:01:53 -07:00
|
|
|
if (!try_module_get(t->me))
|
|
|
|
goto out;
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
2017-12-08 09:01:53 -07:00
|
|
|
err = t->table_init(net);
|
|
|
|
if (err < 0) {
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
module_put(t->me);
|
2017-12-08 09:01:53 -07:00
|
|
|
return ERR_PTR(err);
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
found = t;
|
|
|
|
|
|
|
|
mutex_lock(&xt[af].mutex);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!found)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
/* and once again: */
|
|
|
|
list_for_each_entry(t, &net->xt.tables[af], list)
|
|
|
|
if (strcmp(t->name, name) == 0)
|
|
|
|
return t;
|
|
|
|
|
|
|
|
module_put(found->me);
|
|
|
|
out:
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
2017-12-08 09:01:53 -07:00
|
|
|
return ERR_PTR(-ENOENT);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_find_table_lock);
|
|
|
|
|
2017-12-08 09:01:53 -07:00
|
|
|
struct xt_table *xt_request_find_table_lock(struct net *net, u_int8_t af,
|
|
|
|
const char *name)
|
|
|
|
{
|
|
|
|
struct xt_table *t = xt_find_table_lock(net, af, name);
|
|
|
|
|
2018-01-09 06:30:48 -07:00
|
|
|
#ifdef CONFIG_MODULES
|
2017-12-08 09:01:53 -07:00
|
|
|
if (IS_ERR(t)) {
|
|
|
|
int err = request_module("%stable_%s", xt_prefix[af], name);
|
2018-01-13 06:06:08 -07:00
|
|
|
if (err < 0)
|
2017-12-08 09:01:53 -07:00
|
|
|
return ERR_PTR(err);
|
|
|
|
t = xt_find_table_lock(net, af, name);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
return t;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_request_find_table_lock);
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
void xt_table_unlock(struct xt_table *table)
|
|
|
|
{
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[table->af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_table_unlock);
|
|
|
|
|
2006-04-01 03:25:19 -07:00
|
|
|
#ifdef CONFIG_COMPAT
|
2008-10-08 03:35:00 -06:00
|
|
|
void xt_compat_lock(u_int8_t af)
|
2006-04-01 03:25:19 -07:00
|
|
|
{
|
|
|
|
mutex_lock(&xt[af].compat_mutex);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_compat_lock);
|
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
void xt_compat_unlock(u_int8_t af)
|
2006-04-01 03:25:19 -07:00
|
|
|
{
|
|
|
|
mutex_unlock(&xt[af].compat_mutex);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_compat_unlock);
|
|
|
|
#endif
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2011-04-04 09:04:03 -06:00
|
|
|
DEFINE_PER_CPU(seqcount_t, xt_recseq);
|
|
|
|
EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
|
2009-04-28 23:36:33 -06:00
|
|
|
|
2015-07-14 09:51:09 -06:00
|
|
|
struct static_key xt_tee_enabled __read_mostly;
|
|
|
|
EXPORT_SYMBOL_GPL(xt_tee_enabled);
|
|
|
|
|
2010-04-19 08:05:10 -06:00
|
|
|
static int xt_jumpstack_alloc(struct xt_table_info *i)
|
|
|
|
{
|
|
|
|
unsigned int size;
|
|
|
|
int cpu;
|
|
|
|
|
|
|
|
size = sizeof(void **) * nr_cpu_ids;
|
|
|
|
if (size > PAGE_SIZE)
|
2017-05-08 16:57:27 -06:00
|
|
|
i->jumpstack = kvzalloc(size, GFP_KERNEL);
|
2010-04-19 08:05:10 -06:00
|
|
|
else
|
2011-05-28 11:36:35 -06:00
|
|
|
i->jumpstack = kzalloc(size, GFP_KERNEL);
|
2010-04-19 08:05:10 -06:00
|
|
|
if (i->jumpstack == NULL)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2015-07-14 09:51:06 -06:00
|
|
|
/* ruleset without jumps -- no stack needed */
|
|
|
|
if (i->stacksize == 0)
|
|
|
|
return 0;
|
|
|
|
|
netfilter: xtables: don't save/restore jumpstack offset
In most cases there is no reentrancy into ip/ip6tables.
For skbs sent by REJECT or SYNPROXY targets, there is one level
of reentrancy, but its not relevant as those targets issue an absolute
verdict, i.e. the jumpstack can be clobbered since its not used
after the target issues absolute verdict (ACCEPT, DROP, STOLEN, etc).
So the only special case where it is relevant is the TEE target, which
returns XT_CONTINUE.
This patch changes ip(6)_do_table to always use the jump stack starting
from 0.
When we detect we're operating on an skb sent via TEE (percpu
nf_skb_duplicated is 1) we switch to an alternate stack to leave
the original one alone.
Since there is no TEE support for arptables, it doesn't need to
test if tee is active.
The jump stack overflow tests are no longer needed as well --
since ->stacksize is the largest call depth we cannot exceed it.
A much better alternative to the external jumpstack would be to just
declare a jumps[32] stack on the local stack frame, but that would mean
we'd have to reject iptables rulesets that used to work before.
Another alternative would be to start rejecting rulesets with a larger
call depth, e.g. 1000 -- in this case it would be feasible to allocate the
entire stack in the percpu area which would avoid one dereference.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-07-14 09:51:08 -06:00
|
|
|
/* Jumpstack needs to be able to record two full callchains, one
|
|
|
|
* from the first rule set traversal, plus one table reentrancy
|
|
|
|
* via -j TEE without clobbering the callchain that brought us to
|
|
|
|
* TEE target.
|
|
|
|
*
|
|
|
|
* This is done by allocating two jumpstacks per cpu, on reentry
|
|
|
|
* the upper half of the stack is used.
|
|
|
|
*
|
|
|
|
* see the jumpstack setup in ipt_do_table() for more details.
|
|
|
|
*/
|
|
|
|
size = sizeof(void *) * i->stacksize * 2u;
|
2010-04-19 08:05:10 -06:00
|
|
|
for_each_possible_cpu(cpu) {
|
2017-05-08 16:57:27 -06:00
|
|
|
i->jumpstack[cpu] = kvmalloc_node(size, GFP_KERNEL,
|
|
|
|
cpu_to_node(cpu));
|
2010-04-19 08:05:10 -06:00
|
|
|
if (i->jumpstack[cpu] == NULL)
|
|
|
|
/*
|
|
|
|
* Freeing will be done later on by the callers. The
|
|
|
|
* chain is: xt_replace_table -> __do_replace ->
|
|
|
|
* do_replace -> xt_free_table_info.
|
|
|
|
*/
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2009-04-28 23:36:33 -06:00
|
|
|
|
2018-02-27 11:42:33 -07:00
|
|
|
struct xt_counters *xt_counters_alloc(unsigned int counters)
|
|
|
|
{
|
|
|
|
struct xt_counters *mem;
|
|
|
|
|
|
|
|
if (counters == 0 || counters > INT_MAX / sizeof(*mem))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
counters *= sizeof(*mem);
|
|
|
|
if (counters > XT_MAX_TABLE_SIZE)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
return vzalloc(counters);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(xt_counters_alloc);
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
struct xt_table_info *
|
|
|
|
xt_replace_table(struct xt_table *table,
|
|
|
|
unsigned int num_counters,
|
|
|
|
struct xt_table_info *newinfo,
|
|
|
|
int *error)
|
|
|
|
{
|
2009-04-28 23:36:33 -06:00
|
|
|
struct xt_table_info *private;
|
2017-10-11 17:13:50 -06:00
|
|
|
unsigned int cpu;
|
2010-04-19 08:05:10 -06:00
|
|
|
int ret;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2010-04-21 06:45:51 -06:00
|
|
|
ret = xt_jumpstack_alloc(newinfo);
|
|
|
|
if (ret < 0) {
|
|
|
|
*error = ret;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
/* Do the substitution. */
|
2009-04-28 23:36:33 -06:00
|
|
|
local_bh_disable();
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
private = table->private;
|
2009-04-28 23:36:33 -06:00
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
/* Check inside lock: is the old number correct? */
|
|
|
|
if (num_counters != private->number) {
|
2010-03-17 19:22:32 -06:00
|
|
|
pr_debug("num_counters != table->private->number (%u/%u)\n",
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
num_counters, private->number);
|
2009-04-28 23:36:33 -06:00
|
|
|
local_bh_enable();
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
*error = -EAGAIN;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2009-04-28 23:36:33 -06:00
|
|
|
newinfo->initial_entries = private->initial_entries;
|
netfilter: x_tables: fix ordering of jumpstack allocation and table update
During kernel stability testing on an SMP ARMv7 system, Yalin Wang
reported the following panic from the netfilter code:
1fe0: 0000001c 5e2d3b10 4007e779 4009e110 60000010 00000032 ff565656 ff545454
[<c06c48dc>] (ipt_do_table+0x448/0x584) from [<c0655ef0>] (nf_iterate+0x48/0x7c)
[<c0655ef0>] (nf_iterate+0x48/0x7c) from [<c0655f7c>] (nf_hook_slow+0x58/0x104)
[<c0655f7c>] (nf_hook_slow+0x58/0x104) from [<c0683bbc>] (ip_local_deliver+0x88/0xa8)
[<c0683bbc>] (ip_local_deliver+0x88/0xa8) from [<c0683718>] (ip_rcv_finish+0x418/0x43c)
[<c0683718>] (ip_rcv_finish+0x418/0x43c) from [<c062b1c4>] (__netif_receive_skb+0x4cc/0x598)
[<c062b1c4>] (__netif_receive_skb+0x4cc/0x598) from [<c062b314>] (process_backlog+0x84/0x158)
[<c062b314>] (process_backlog+0x84/0x158) from [<c062de84>] (net_rx_action+0x70/0x1dc)
[<c062de84>] (net_rx_action+0x70/0x1dc) from [<c0088230>] (__do_softirq+0x11c/0x27c)
[<c0088230>] (__do_softirq+0x11c/0x27c) from [<c008857c>] (do_softirq+0x44/0x50)
[<c008857c>] (do_softirq+0x44/0x50) from [<c0088614>] (local_bh_enable_ip+0x8c/0xd0)
[<c0088614>] (local_bh_enable_ip+0x8c/0xd0) from [<c06b0330>] (inet_stream_connect+0x164/0x298)
[<c06b0330>] (inet_stream_connect+0x164/0x298) from [<c061d68c>] (sys_connect+0x88/0xc8)
[<c061d68c>] (sys_connect+0x88/0xc8) from [<c000e340>] (ret_fast_syscall+0x0/0x30)
Code: 2a000021 e59d2028 e59de01c e59f011c (e7824103)
---[ end trace da227214a82491bd ]---
Kernel panic - not syncing: Fatal exception in interrupt
This comes about because CPU1 is executing xt_replace_table in response
to a setsockopt syscall, resulting in:
ret = xt_jumpstack_alloc(newinfo);
--> newinfo->jumpstack = kzalloc(size, GFP_KERNEL);
[...]
table->private = newinfo;
newinfo->initial_entries = private->initial_entries;
Meanwhile, CPU0 is handling the network receive path and ends up in
ipt_do_table, resulting in:
private = table->private;
[...]
jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
On weakly ordered memory architectures, the writes to table->private
and newinfo->jumpstack from CPU1 can be observed out of order by CPU0.
Furthermore, on architectures which don't respect ordering of address
dependencies (i.e. Alpha), the reads from CPU0 can also be re-ordered.
This patch adds an smp_wmb() before the assignment to table->private
(which is essentially publishing newinfo) to ensure that all writes to
newinfo will be observed before plugging it into the table structure.
A dependent-read barrier is also added on the consumer sides, to ensure
the same ordering requirements are also respected there.
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Reported-by: Wang, Yalin <Yalin.Wang@sonymobile.com>
Tested-by: Wang, Yalin <Yalin.Wang@sonymobile.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-10-21 06:14:53 -06:00
|
|
|
/*
|
|
|
|
* Ensure contents of newinfo are visible before assigning to
|
|
|
|
* private.
|
|
|
|
*/
|
|
|
|
smp_wmb();
|
|
|
|
table->private = newinfo;
|
2009-04-28 23:36:33 -06:00
|
|
|
|
2017-10-11 17:13:50 -06:00
|
|
|
/* make sure all cpus see new ->private value */
|
|
|
|
smp_wmb();
|
|
|
|
|
2009-04-28 23:36:33 -06:00
|
|
|
/*
|
|
|
|
* Even though table entries have now been swapped, other CPU's
|
2017-10-11 17:13:50 -06:00
|
|
|
* may still be using the old entries...
|
2009-04-28 23:36:33 -06:00
|
|
|
*/
|
|
|
|
local_bh_enable();
|
|
|
|
|
2017-10-11 17:13:50 -06:00
|
|
|
/* ... so wait for even xt_recseq on all cpus */
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
|
|
seqcount_t *s = &per_cpu(xt_recseq, cpu);
|
|
|
|
u32 seq = raw_read_seqcount(s);
|
|
|
|
|
|
|
|
if (seq & 1) {
|
|
|
|
do {
|
|
|
|
cond_resched();
|
|
|
|
cpu_relax();
|
|
|
|
} while (seq == raw_read_seqcount(s));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-01-16 10:12:59 -07:00
|
|
|
#ifdef CONFIG_AUDIT
|
|
|
|
if (audit_enabled) {
|
2018-05-12 19:58:20 -06:00
|
|
|
audit_log(audit_context(), GFP_KERNEL,
|
2017-08-07 07:44:25 -06:00
|
|
|
AUDIT_NETFILTER_CFG,
|
|
|
|
"table=%s family=%u entries=%u",
|
|
|
|
table->name, table->af, private->number);
|
2011-01-16 10:12:59 -07:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2009-04-28 23:36:33 -06:00
|
|
|
return private;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_replace_table);
|
|
|
|
|
2009-08-24 06:56:30 -06:00
|
|
|
struct xt_table *xt_register_table(struct net *net,
|
|
|
|
const struct xt_table *input_table,
|
2008-01-31 05:01:49 -07:00
|
|
|
struct xt_table_info *bootstrap,
|
|
|
|
struct xt_table_info *newinfo)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
struct xt_table_info *private;
|
2009-08-24 06:56:30 -06:00
|
|
|
struct xt_table *t, *table;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2008-01-31 05:02:44 -07:00
|
|
|
/* Don't add one object to multiple lists. */
|
2009-08-24 06:56:30 -06:00
|
|
|
table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
|
2008-01-31 05:02:44 -07:00
|
|
|
if (!table) {
|
|
|
|
ret = -ENOMEM;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2014-07-31 12:38:46 -06:00
|
|
|
mutex_lock(&xt[table->af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
/* Don't autoload: we'd eat our tail... */
|
2008-01-31 05:02:13 -07:00
|
|
|
list_for_each_entry(t, &net->xt.tables[table->af], list) {
|
2006-09-20 12:57:53 -06:00
|
|
|
if (strcmp(t->name, table->name) == 0) {
|
|
|
|
ret = -EEXIST;
|
|
|
|
goto unlock;
|
|
|
|
}
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Simplifies replace_table code. */
|
|
|
|
table->private = bootstrap;
|
2009-02-20 02:35:32 -07:00
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
if (!xt_replace_table(table, 0, newinfo, &ret))
|
|
|
|
goto unlock;
|
|
|
|
|
|
|
|
private = table->private;
|
2010-03-17 19:22:32 -06:00
|
|
|
pr_debug("table->private->number = %u\n", private->number);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
/* save number of initial entries */
|
|
|
|
private->initial_entries = private->number;
|
|
|
|
|
2008-01-31 05:02:13 -07:00
|
|
|
list_add(&table->list, &net->xt.tables[table->af]);
|
2008-01-31 05:01:49 -07:00
|
|
|
mutex_unlock(&xt[table->af].mutex);
|
|
|
|
return table;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2014-07-31 12:38:46 -06:00
|
|
|
unlock:
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[table->af].mutex);
|
2008-01-31 05:02:44 -07:00
|
|
|
kfree(table);
|
2008-01-31 05:01:49 -07:00
|
|
|
out:
|
|
|
|
return ERR_PTR(ret);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_register_table);
|
|
|
|
|
|
|
|
void *xt_unregister_table(struct xt_table *table)
|
|
|
|
{
|
|
|
|
struct xt_table_info *private;
|
|
|
|
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_lock(&xt[table->af].mutex);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
private = table->private;
|
2006-09-20 12:57:53 -06:00
|
|
|
list_del(&table->list);
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_unlock(&xt[table->af].mutex);
|
2008-01-31 05:02:44 -07:00
|
|
|
kfree(table);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
return private;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_unregister_table);
|
|
|
|
|
|
|
|
#ifdef CONFIG_PROC_FS
|
2008-01-31 05:48:54 -07:00
|
|
|
static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
2008-03-25 11:36:06 -06:00
|
|
|
struct net *net = seq_file_net(seq);
|
2018-04-10 13:59:39 -06:00
|
|
|
u_int8_t af = (unsigned long)PDE_DATA(file_inode(seq->file));
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2008-01-31 05:48:54 -07:00
|
|
|
mutex_lock(&xt[af].mutex);
|
2008-01-31 05:49:16 -07:00
|
|
|
return seq_list_start(&net->xt.tables[af], *pos);
|
2008-01-31 05:48:54 -07:00
|
|
|
}
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2008-01-31 05:48:54 -07:00
|
|
|
static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos)
|
|
|
|
{
|
2008-03-25 11:36:06 -06:00
|
|
|
struct net *net = seq_file_net(seq);
|
2018-04-10 13:59:39 -06:00
|
|
|
u_int8_t af = (unsigned long)PDE_DATA(file_inode(seq->file));
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2008-01-31 05:49:16 -07:00
|
|
|
return seq_list_next(v, &net->xt.tables[af], pos);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
|
2008-01-31 05:48:54 -07:00
|
|
|
static void xt_table_seq_stop(struct seq_file *seq, void *v)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
2018-04-10 13:59:39 -06:00
|
|
|
u_int8_t af = (unsigned long)PDE_DATA(file_inode(seq->file));
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2008-01-31 05:48:54 -07:00
|
|
|
mutex_unlock(&xt[af].mutex);
|
|
|
|
}
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2008-01-31 05:48:54 -07:00
|
|
|
static int xt_table_seq_show(struct seq_file *seq, void *v)
|
|
|
|
{
|
|
|
|
struct xt_table *table = list_entry(v, struct xt_table, list);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2015-05-12 19:28:23 -06:00
|
|
|
if (*table->name)
|
2014-10-27 15:43:45 -06:00
|
|
|
seq_printf(seq, "%s\n", table->name);
|
2015-05-12 19:28:23 -06:00
|
|
|
return 0;
|
2008-01-31 05:48:54 -07:00
|
|
|
}
|
2007-02-12 12:15:49 -07:00
|
|
|
|
2008-01-31 05:48:54 -07:00
|
|
|
static const struct seq_operations xt_table_seq_ops = {
|
|
|
|
.start = xt_table_seq_start,
|
|
|
|
.next = xt_table_seq_next,
|
|
|
|
.stop = xt_table_seq_stop,
|
|
|
|
.show = xt_table_seq_show,
|
|
|
|
};
|
|
|
|
|
2009-02-18 08:42:19 -07:00
|
|
|
/*
|
|
|
|
* Traverse state for ip{,6}_{tables,matches} for helping crossing
|
|
|
|
* the multi-AF mutexes.
|
|
|
|
*/
|
|
|
|
struct nf_mttg_trav {
|
|
|
|
struct list_head *head, *curr;
|
2018-04-10 13:59:39 -06:00
|
|
|
uint8_t class;
|
2009-02-18 08:42:19 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
enum {
|
|
|
|
MTTG_TRAV_INIT,
|
|
|
|
MTTG_TRAV_NFP_UNSPEC,
|
|
|
|
MTTG_TRAV_NFP_SPEC,
|
|
|
|
MTTG_TRAV_DONE,
|
|
|
|
};
|
|
|
|
|
|
|
|
static void *xt_mttg_seq_next(struct seq_file *seq, void *v, loff_t *ppos,
|
|
|
|
bool is_target)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
2009-02-18 08:42:19 -07:00
|
|
|
static const uint8_t next_class[] = {
|
|
|
|
[MTTG_TRAV_NFP_UNSPEC] = MTTG_TRAV_NFP_SPEC,
|
|
|
|
[MTTG_TRAV_NFP_SPEC] = MTTG_TRAV_DONE,
|
|
|
|
};
|
2018-04-10 13:59:39 -06:00
|
|
|
uint8_t nfproto = (unsigned long)PDE_DATA(file_inode(seq->file));
|
2009-02-18 08:42:19 -07:00
|
|
|
struct nf_mttg_trav *trav = seq->private;
|
|
|
|
|
|
|
|
switch (trav->class) {
|
|
|
|
case MTTG_TRAV_INIT:
|
|
|
|
trav->class = MTTG_TRAV_NFP_UNSPEC;
|
|
|
|
mutex_lock(&xt[NFPROTO_UNSPEC].mutex);
|
|
|
|
trav->head = trav->curr = is_target ?
|
|
|
|
&xt[NFPROTO_UNSPEC].target : &xt[NFPROTO_UNSPEC].match;
|
|
|
|
break;
|
|
|
|
case MTTG_TRAV_NFP_UNSPEC:
|
|
|
|
trav->curr = trav->curr->next;
|
|
|
|
if (trav->curr != trav->head)
|
|
|
|
break;
|
|
|
|
mutex_unlock(&xt[NFPROTO_UNSPEC].mutex);
|
2018-04-10 13:59:39 -06:00
|
|
|
mutex_lock(&xt[nfproto].mutex);
|
2009-02-18 08:42:19 -07:00
|
|
|
trav->head = trav->curr = is_target ?
|
2018-04-10 13:59:39 -06:00
|
|
|
&xt[nfproto].target : &xt[nfproto].match;
|
2009-02-18 08:42:19 -07:00
|
|
|
trav->class = next_class[trav->class];
|
|
|
|
break;
|
|
|
|
case MTTG_TRAV_NFP_SPEC:
|
|
|
|
trav->curr = trav->curr->next;
|
|
|
|
if (trav->curr != trav->head)
|
|
|
|
break;
|
2017-11-07 07:19:29 -07:00
|
|
|
/* fall through */
|
2009-02-18 08:42:19 -07:00
|
|
|
default:
|
|
|
|
return NULL;
|
|
|
|
}
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2009-02-18 08:42:19 -07:00
|
|
|
if (ppos != NULL)
|
|
|
|
++*ppos;
|
|
|
|
return trav;
|
2008-01-31 05:48:54 -07:00
|
|
|
}
|
2007-02-12 12:15:49 -07:00
|
|
|
|
2009-02-18 08:42:19 -07:00
|
|
|
static void *xt_mttg_seq_start(struct seq_file *seq, loff_t *pos,
|
|
|
|
bool is_target)
|
2008-01-31 05:48:54 -07:00
|
|
|
{
|
2009-02-18 08:42:19 -07:00
|
|
|
struct nf_mttg_trav *trav = seq->private;
|
|
|
|
unsigned int j;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2009-02-18 08:42:19 -07:00
|
|
|
trav->class = MTTG_TRAV_INIT;
|
|
|
|
for (j = 0; j < *pos; ++j)
|
|
|
|
if (xt_mttg_seq_next(seq, NULL, NULL, is_target) == NULL)
|
|
|
|
return NULL;
|
|
|
|
return trav;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
|
2009-02-18 08:42:19 -07:00
|
|
|
static void xt_mttg_seq_stop(struct seq_file *seq, void *v)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
2018-04-10 13:59:39 -06:00
|
|
|
uint8_t nfproto = (unsigned long)PDE_DATA(file_inode(seq->file));
|
2009-02-18 08:42:19 -07:00
|
|
|
struct nf_mttg_trav *trav = seq->private;
|
|
|
|
|
|
|
|
switch (trav->class) {
|
|
|
|
case MTTG_TRAV_NFP_UNSPEC:
|
|
|
|
mutex_unlock(&xt[NFPROTO_UNSPEC].mutex);
|
|
|
|
break;
|
|
|
|
case MTTG_TRAV_NFP_SPEC:
|
2018-04-10 13:59:39 -06:00
|
|
|
mutex_unlock(&xt[nfproto].mutex);
|
2009-02-18 08:42:19 -07:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2009-02-18 08:42:19 -07:00
|
|
|
static void *xt_match_seq_start(struct seq_file *seq, loff_t *pos)
|
|
|
|
{
|
|
|
|
return xt_mttg_seq_start(seq, pos, false);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
|
2009-02-18 08:42:19 -07:00
|
|
|
static void *xt_match_seq_next(struct seq_file *seq, void *v, loff_t *ppos)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
2009-02-18 08:42:19 -07:00
|
|
|
return xt_mttg_seq_next(seq, v, ppos, false);
|
|
|
|
}
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2009-02-18 08:42:19 -07:00
|
|
|
static int xt_match_seq_show(struct seq_file *seq, void *v)
|
|
|
|
{
|
|
|
|
const struct nf_mttg_trav *trav = seq->private;
|
|
|
|
const struct xt_match *match;
|
|
|
|
|
|
|
|
switch (trav->class) {
|
|
|
|
case MTTG_TRAV_NFP_UNSPEC:
|
|
|
|
case MTTG_TRAV_NFP_SPEC:
|
|
|
|
if (trav->curr == trav->head)
|
|
|
|
return 0;
|
|
|
|
match = list_entry(trav->curr, struct xt_match, list);
|
2015-05-12 19:28:23 -06:00
|
|
|
if (*match->name)
|
|
|
|
seq_printf(seq, "%s\n", match->name);
|
2009-02-18 08:42:19 -07:00
|
|
|
}
|
|
|
|
return 0;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
|
2008-01-31 05:48:54 -07:00
|
|
|
static const struct seq_operations xt_match_seq_ops = {
|
|
|
|
.start = xt_match_seq_start,
|
|
|
|
.next = xt_match_seq_next,
|
2009-02-18 08:42:19 -07:00
|
|
|
.stop = xt_mttg_seq_stop,
|
2008-01-31 05:48:54 -07:00
|
|
|
.show = xt_match_seq_show,
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
};
|
|
|
|
|
2008-01-31 05:48:54 -07:00
|
|
|
static void *xt_target_seq_start(struct seq_file *seq, loff_t *pos)
|
|
|
|
{
|
2009-02-18 08:42:19 -07:00
|
|
|
return xt_mttg_seq_start(seq, pos, true);
|
2008-01-31 05:48:54 -07:00
|
|
|
}
|
|
|
|
|
2009-02-18 08:42:19 -07:00
|
|
|
static void *xt_target_seq_next(struct seq_file *seq, void *v, loff_t *ppos)
|
2008-01-31 05:48:54 -07:00
|
|
|
{
|
2009-02-18 08:42:19 -07:00
|
|
|
return xt_mttg_seq_next(seq, v, ppos, true);
|
2008-01-31 05:48:54 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
static int xt_target_seq_show(struct seq_file *seq, void *v)
|
|
|
|
{
|
2009-02-18 08:42:19 -07:00
|
|
|
const struct nf_mttg_trav *trav = seq->private;
|
|
|
|
const struct xt_target *target;
|
|
|
|
|
|
|
|
switch (trav->class) {
|
|
|
|
case MTTG_TRAV_NFP_UNSPEC:
|
|
|
|
case MTTG_TRAV_NFP_SPEC:
|
|
|
|
if (trav->curr == trav->head)
|
|
|
|
return 0;
|
|
|
|
target = list_entry(trav->curr, struct xt_target, list);
|
2015-05-12 19:28:23 -06:00
|
|
|
if (*target->name)
|
|
|
|
seq_printf(seq, "%s\n", target->name);
|
2009-02-18 08:42:19 -07:00
|
|
|
}
|
|
|
|
return 0;
|
2008-01-31 05:48:54 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
static const struct seq_operations xt_target_seq_ops = {
|
|
|
|
.start = xt_target_seq_start,
|
|
|
|
.next = xt_target_seq_next,
|
2009-02-18 08:42:19 -07:00
|
|
|
.stop = xt_mttg_seq_stop,
|
2008-01-31 05:48:54 -07:00
|
|
|
.show = xt_target_seq_show,
|
|
|
|
};
|
|
|
|
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
#define FORMAT_TABLES "_tables_names"
|
|
|
|
#define FORMAT_MATCHES "_tables_matches"
|
|
|
|
#define FORMAT_TARGETS "_tables_targets"
|
|
|
|
|
|
|
|
#endif /* CONFIG_PROC_FS */
|
|
|
|
|
2009-06-17 05:57:48 -06:00
|
|
|
/**
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
* xt_hook_ops_alloc - set up hooks for a new table
|
2009-06-17 05:57:48 -06:00
|
|
|
* @table: table with metadata needed to set up hooks
|
|
|
|
* @fn: Hook function
|
|
|
|
*
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
* This function will create the nf_hook_ops that the x_table needs
|
|
|
|
* to hand to xt_hook_link_net().
|
2009-06-17 05:57:48 -06:00
|
|
|
*/
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
struct nf_hook_ops *
|
|
|
|
xt_hook_ops_alloc(const struct xt_table *table, nf_hookfn *fn)
|
2009-06-17 05:57:48 -06:00
|
|
|
{
|
|
|
|
unsigned int hook_mask = table->valid_hooks;
|
|
|
|
uint8_t i, num_hooks = hweight32(hook_mask);
|
|
|
|
uint8_t hooknum;
|
|
|
|
struct nf_hook_ops *ops;
|
|
|
|
|
2016-06-01 20:59:56 -06:00
|
|
|
if (!num_hooks)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
2016-10-17 13:50:23 -06:00
|
|
|
ops = kcalloc(num_hooks, sizeof(*ops), GFP_KERNEL);
|
2009-06-17 05:57:48 -06:00
|
|
|
if (ops == NULL)
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
|
|
|
|
for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0;
|
|
|
|
hook_mask >>= 1, ++hooknum) {
|
|
|
|
if (!(hook_mask & 1))
|
|
|
|
continue;
|
|
|
|
ops[i].hook = fn;
|
|
|
|
ops[i].pf = table->af;
|
|
|
|
ops[i].hooknum = hooknum;
|
|
|
|
ops[i].priority = table->priority;
|
|
|
|
++i;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ops;
|
|
|
|
}
|
netfilter: xtables: don't hook tables by default
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.
This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.
In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).
Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.
We register a tables hook entry points ONLY in the initial namespace.
When an iptables get/setockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.
If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.
Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-25 02:08:36 -07:00
|
|
|
EXPORT_SYMBOL_GPL(xt_hook_ops_alloc);
|
2009-06-17 05:57:48 -06:00
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
int xt_proto_init(struct net *net, u_int8_t af)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
|
|
|
#ifdef CONFIG_PROC_FS
|
|
|
|
char buf[XT_FUNCTION_MAXNAMELEN];
|
|
|
|
struct proc_dir_entry *proc;
|
2015-11-22 04:35:07 -07:00
|
|
|
kuid_t root_uid;
|
|
|
|
kgid_t root_gid;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
#endif
|
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
if (af >= ARRAY_SIZE(xt_prefix))
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_PROC_FS
|
2015-11-22 04:35:07 -07:00
|
|
|
root_uid = make_kuid(net->user_ns, 0);
|
|
|
|
root_gid = make_kgid(net->user_ns, 0);
|
|
|
|
|
2007-03-14 17:36:16 -06:00
|
|
|
strlcpy(buf, xt_prefix[af], sizeof(buf));
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
strlcat(buf, FORMAT_TABLES, sizeof(buf));
|
2018-04-10 11:42:55 -06:00
|
|
|
proc = proc_create_net_data(buf, 0440, net->proc_net, &xt_table_seq_ops,
|
|
|
|
sizeof(struct seq_net_private),
|
|
|
|
(void *)(unsigned long)af);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
if (!proc)
|
|
|
|
goto out;
|
2015-11-22 04:35:07 -07:00
|
|
|
if (uid_valid(root_uid) && gid_valid(root_gid))
|
|
|
|
proc_set_user(proc, root_uid, root_gid);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2007-03-14 17:36:16 -06:00
|
|
|
strlcpy(buf, xt_prefix[af], sizeof(buf));
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
strlcat(buf, FORMAT_MATCHES, sizeof(buf));
|
2018-04-15 02:36:56 -06:00
|
|
|
proc = proc_create_seq_private(buf, 0440, net->proc_net,
|
|
|
|
&xt_match_seq_ops, sizeof(struct nf_mttg_trav),
|
|
|
|
(void *)(unsigned long)af);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
if (!proc)
|
|
|
|
goto out_remove_tables;
|
2015-11-22 04:35:07 -07:00
|
|
|
if (uid_valid(root_uid) && gid_valid(root_gid))
|
|
|
|
proc_set_user(proc, root_uid, root_gid);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2007-03-14 17:36:16 -06:00
|
|
|
strlcpy(buf, xt_prefix[af], sizeof(buf));
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
strlcat(buf, FORMAT_TARGETS, sizeof(buf));
|
2018-04-15 02:36:56 -06:00
|
|
|
proc = proc_create_seq_private(buf, 0440, net->proc_net,
|
|
|
|
&xt_target_seq_ops, sizeof(struct nf_mttg_trav),
|
|
|
|
(void *)(unsigned long)af);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
if (!proc)
|
|
|
|
goto out_remove_matches;
|
2015-11-22 04:35:07 -07:00
|
|
|
if (uid_valid(root_uid) && gid_valid(root_gid))
|
|
|
|
proc_set_user(proc, root_uid, root_gid);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
#endif
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
#ifdef CONFIG_PROC_FS
|
|
|
|
out_remove_matches:
|
2007-03-14 17:36:16 -06:00
|
|
|
strlcpy(buf, xt_prefix[af], sizeof(buf));
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
strlcat(buf, FORMAT_MATCHES, sizeof(buf));
|
2013-02-17 18:34:56 -07:00
|
|
|
remove_proc_entry(buf, net->proc_net);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
out_remove_tables:
|
2007-03-14 17:36:16 -06:00
|
|
|
strlcpy(buf, xt_prefix[af], sizeof(buf));
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
strlcat(buf, FORMAT_TABLES, sizeof(buf));
|
2013-02-17 18:34:56 -07:00
|
|
|
remove_proc_entry(buf, net->proc_net);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
out:
|
|
|
|
return -1;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_proto_init);
|
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
void xt_proto_fini(struct net *net, u_int8_t af)
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
{
|
|
|
|
#ifdef CONFIG_PROC_FS
|
|
|
|
char buf[XT_FUNCTION_MAXNAMELEN];
|
|
|
|
|
2007-03-14 17:36:16 -06:00
|
|
|
strlcpy(buf, xt_prefix[af], sizeof(buf));
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
strlcat(buf, FORMAT_TABLES, sizeof(buf));
|
2013-02-17 18:34:56 -07:00
|
|
|
remove_proc_entry(buf, net->proc_net);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2007-03-14 17:36:16 -06:00
|
|
|
strlcpy(buf, xt_prefix[af], sizeof(buf));
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
strlcat(buf, FORMAT_TARGETS, sizeof(buf));
|
2013-02-17 18:34:56 -07:00
|
|
|
remove_proc_entry(buf, net->proc_net);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
2007-03-14 17:36:16 -06:00
|
|
|
strlcpy(buf, xt_prefix[af], sizeof(buf));
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
strlcat(buf, FORMAT_MATCHES, sizeof(buf));
|
2013-02-17 18:34:56 -07:00
|
|
|
remove_proc_entry(buf, net->proc_net);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
#endif /*CONFIG_PROC_FS*/
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_proto_fini);
|
|
|
|
|
2016-11-22 06:44:18 -07:00
|
|
|
/**
|
|
|
|
* xt_percpu_counter_alloc - allocate x_tables rule counter
|
|
|
|
*
|
2016-11-22 06:44:19 -07:00
|
|
|
* @state: pointer to xt_percpu allocation state
|
2016-11-22 06:44:18 -07:00
|
|
|
* @counter: pointer to counter struct inside the ip(6)/arpt_entry struct
|
|
|
|
*
|
|
|
|
* On SMP, the packet counter [ ip(6)t_entry->counters.pcnt ] will then
|
|
|
|
* contain the address of the real (percpu) counter.
|
|
|
|
*
|
|
|
|
* Rule evaluation needs to use xt_get_this_cpu_counter() helper
|
|
|
|
* to fetch the real percpu counter.
|
|
|
|
*
|
2016-11-22 06:44:19 -07:00
|
|
|
* To speed up allocation and improve data locality, a 4kb block is
|
2018-03-29 08:12:41 -06:00
|
|
|
* allocated. Freeing any counter may free an entire block, so all
|
|
|
|
* counters allocated using the same state must be freed at the same
|
|
|
|
* time.
|
2016-11-22 06:44:19 -07:00
|
|
|
*
|
|
|
|
* xt_percpu_counter_alloc_state contains the base address of the
|
|
|
|
* allocated page and the current sub-offset.
|
|
|
|
*
|
2016-11-22 06:44:18 -07:00
|
|
|
* returns false on error.
|
|
|
|
*/
|
2016-11-22 06:44:19 -07:00
|
|
|
bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
|
|
|
|
struct xt_counters *counter)
|
2016-11-22 06:44:18 -07:00
|
|
|
{
|
2016-11-22 06:44:19 -07:00
|
|
|
BUILD_BUG_ON(XT_PCPU_BLOCK_SIZE < (sizeof(*counter) * 2));
|
2016-11-22 06:44:18 -07:00
|
|
|
|
|
|
|
if (nr_cpu_ids <= 1)
|
|
|
|
return true;
|
|
|
|
|
2016-11-22 06:44:19 -07:00
|
|
|
if (!state->mem) {
|
|
|
|
state->mem = __alloc_percpu(XT_PCPU_BLOCK_SIZE,
|
|
|
|
XT_PCPU_BLOCK_SIZE);
|
|
|
|
if (!state->mem)
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
counter->pcnt = (__force unsigned long)(state->mem + state->off);
|
|
|
|
state->off += sizeof(*counter);
|
|
|
|
if (state->off > (XT_PCPU_BLOCK_SIZE - sizeof(*counter))) {
|
|
|
|
state->mem = NULL;
|
|
|
|
state->off = 0;
|
|
|
|
}
|
2016-11-22 06:44:18 -07:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_percpu_counter_alloc);
|
|
|
|
|
2016-11-22 06:44:17 -07:00
|
|
|
void xt_percpu_counter_free(struct xt_counters *counters)
|
|
|
|
{
|
|
|
|
unsigned long pcnt = counters->pcnt;
|
|
|
|
|
2016-11-22 06:44:19 -07:00
|
|
|
if (nr_cpu_ids > 1 && (pcnt & (XT_PCPU_BLOCK_SIZE - 1)) == 0)
|
2016-11-22 06:44:17 -07:00
|
|
|
free_percpu((void __percpu *)pcnt);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(xt_percpu_counter_free);
|
|
|
|
|
2008-01-31 05:02:13 -07:00
|
|
|
static int __net_init xt_net_init(struct net *net)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
for (i = 0; i < NFPROTO_NUMPROTO; i++)
|
2008-01-31 05:02:13 -07:00
|
|
|
INIT_LIST_HEAD(&net->xt.tables[i]);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-11-12 04:32:37 -07:00
|
|
|
static void __net_exit xt_net_exit(struct net *net)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < NFPROTO_NUMPROTO; i++)
|
|
|
|
WARN_ON_ONCE(!list_empty(&net->xt.tables[i]));
|
|
|
|
}
|
|
|
|
|
2008-01-31 05:02:13 -07:00
|
|
|
static struct pernet_operations xt_net_ops = {
|
|
|
|
.init = xt_net_init,
|
2017-11-12 04:32:37 -07:00
|
|
|
.exit = xt_net_exit,
|
2008-01-31 05:02:13 -07:00
|
|
|
};
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
|
|
|
static int __init xt_init(void)
|
|
|
|
{
|
2009-04-28 23:36:33 -06:00
|
|
|
unsigned int i;
|
|
|
|
int rv;
|
|
|
|
|
|
|
|
for_each_possible_cpu(i) {
|
2011-04-04 09:04:03 -06:00
|
|
|
seqcount_init(&per_cpu(xt_recseq, i));
|
2009-04-28 23:36:33 -06:00
|
|
|
}
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
|
treewide: kmalloc() -> kmalloc_array()
The kmalloc() function has a 2-factor argument form, kmalloc_array(). This
patch replaces cases of:
kmalloc(a * b, gfp)
with:
kmalloc_array(a * b, gfp)
as well as handling cases of:
kmalloc(a * b * c, gfp)
with:
kmalloc(array3_size(a, b, c), gfp)
as it's slightly less ugly than:
kmalloc_array(array_size(a, b), c, gfp)
This does, however, attempt to ignore constant size factors like:
kmalloc(4 * 1024, gfp)
though any constants defined via macros get caught up in the conversion.
Any factors with a sizeof() of "unsigned char", "char", and "u8" were
dropped, since they're redundant.
The tools/ directory was manually excluded, since it has its own
implementation of kmalloc().
The Coccinelle script used for this was:
// Fix redundant parens around sizeof().
@@
type TYPE;
expression THING, E;
@@
(
kmalloc(
- (sizeof(TYPE)) * E
+ sizeof(TYPE) * E
, ...)
|
kmalloc(
- (sizeof(THING)) * E
+ sizeof(THING) * E
, ...)
)
// Drop single-byte sizes and redundant parens.
@@
expression COUNT;
typedef u8;
typedef __u8;
@@
(
kmalloc(
- sizeof(u8) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(__u8) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(char) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(unsigned char) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(u8) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(__u8) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(char) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(unsigned char) * COUNT
+ COUNT
, ...)
)
// 2-factor product with sizeof(type/expression) and identifier or constant.
@@
type TYPE;
expression THING;
identifier COUNT_ID;
constant COUNT_CONST;
@@
(
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (COUNT_ID)
+ COUNT_ID, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * COUNT_ID
+ COUNT_ID, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (COUNT_CONST)
+ COUNT_CONST, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * COUNT_CONST
+ COUNT_CONST, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (COUNT_ID)
+ COUNT_ID, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * COUNT_ID
+ COUNT_ID, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (COUNT_CONST)
+ COUNT_CONST, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * COUNT_CONST
+ COUNT_CONST, sizeof(THING)
, ...)
)
// 2-factor product, only identifiers.
@@
identifier SIZE, COUNT;
@@
- kmalloc
+ kmalloc_array
(
- SIZE * COUNT
+ COUNT, SIZE
, ...)
// 3-factor product with 1 sizeof(type) or sizeof(expression), with
// redundant parens removed.
@@
expression THING;
identifier STRIDE, COUNT;
type TYPE;
@@
(
kmalloc(
- sizeof(TYPE) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(THING) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
)
// 3-factor product with 2 sizeof(variable), with redundant parens removed.
@@
expression THING1, THING2;
identifier COUNT;
type TYPE1, TYPE2;
@@
(
kmalloc(
- sizeof(TYPE1) * sizeof(TYPE2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
kmalloc(
- sizeof(THING1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(THING1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
)
// 3-factor product, only identifiers, with redundant parens removed.
@@
identifier STRIDE, SIZE, COUNT;
@@
(
kmalloc(
- (COUNT) * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
)
// Any remaining multi-factor products, first at least 3-factor products,
// when they're not all constants...
@@
expression E1, E2, E3;
constant C1, C2, C3;
@@
(
kmalloc(C1 * C2 * C3, ...)
|
kmalloc(
- (E1) * E2 * E3
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- (E1) * (E2) * E3
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- (E1) * (E2) * (E3)
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- E1 * E2 * E3
+ array3_size(E1, E2, E3)
, ...)
)
// And then all remaining 2 factors products when they're not all constants,
// keeping sizeof() as the second factor argument.
@@
expression THING, E1, E2;
type TYPE;
constant C1, C2, C3;
@@
(
kmalloc(sizeof(THING) * C2, ...)
|
kmalloc(sizeof(TYPE) * C2, ...)
|
kmalloc(C1 * C2 * C3, ...)
|
kmalloc(C1 * C2, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (E2)
+ E2, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * E2
+ E2, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (E2)
+ E2, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * E2
+ E2, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- (E1) * E2
+ E1, E2
, ...)
|
- kmalloc
+ kmalloc_array
(
- (E1) * (E2)
+ E1, E2
, ...)
|
- kmalloc
+ kmalloc_array
(
- E1 * E2
+ E1, E2
, ...)
)
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-06-12 14:55:00 -06:00
|
|
|
xt = kmalloc_array(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
if (!xt)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2008-10-08 03:35:00 -06:00
|
|
|
for (i = 0; i < NFPROTO_NUMPROTO; i++) {
|
2006-03-25 02:41:10 -07:00
|
|
|
mutex_init(&xt[i].mutex);
|
2006-04-01 03:25:19 -07:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
mutex_init(&xt[i].compat_mutex);
|
2010-12-18 10:35:15 -07:00
|
|
|
xt[i].compat_tab = NULL;
|
2006-04-01 03:25:19 -07:00
|
|
|
#endif
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
INIT_LIST_HEAD(&xt[i].target);
|
|
|
|
INIT_LIST_HEAD(&xt[i].match);
|
|
|
|
}
|
2008-01-31 05:02:13 -07:00
|
|
|
rv = register_pernet_subsys(&xt_net_ops);
|
|
|
|
if (rv < 0)
|
|
|
|
kfree(xt);
|
|
|
|
return rv;
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit xt_fini(void)
|
|
|
|
{
|
2008-01-31 05:02:13 -07:00
|
|
|
unregister_pernet_subsys(&xt_net_ops);
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 14:30:04 -07:00
|
|
|
kfree(xt);
|
|
|
|
}
|
|
|
|
|
|
|
|
module_init(xt_init);
|
|
|
|
module_exit(xt_fini);
|
|
|
|
|