Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
[linux-2.6.git] / net / ipv4 / netfilter / ip_tables.c
1 /*
2  * Packet matching code.
3  *
4  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
5  * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation.
10  *
11  * 19 Jan 2002 Harald Welte <laforge@gnumonks.org>
12  *      - increase module usage count as soon as we have rules inside
13  *        a table
14  * 08 Oct 2005 Harald Welte <lafore@netfilter.org>
15  *      - Generalize into "x_tables" layer and "{ip,ip6,arp}_tables"
16  */
17 #include <linux/cache.h>
18 #include <linux/capability.h>
19 #include <linux/skbuff.h>
20 #include <linux/kmod.h>
21 #include <linux/vmalloc.h>
22 #include <linux/netdevice.h>
23 #include <linux/module.h>
24 #include <linux/icmp.h>
25 #include <net/ip.h>
26 #include <net/compat.h>
27 #include <asm/uaccess.h>
28 #include <linux/mutex.h>
29 #include <linux/proc_fs.h>
30 #include <linux/err.h>
31 #include <linux/cpumask.h>
32
33 #include <linux/netfilter/x_tables.h>
34 #include <linux/netfilter_ipv4/ip_tables.h>
35
36 MODULE_LICENSE("GPL");
37 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
38 MODULE_DESCRIPTION("IPv4 packet filter");
39
40 /*#define DEBUG_IP_FIREWALL*/
41 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */
42 /*#define DEBUG_IP_FIREWALL_USER*/
43
44 #ifdef DEBUG_IP_FIREWALL
45 #define dprintf(format, args...)  printk(format , ## args)
46 #else
47 #define dprintf(format, args...)
48 #endif
49
50 #ifdef DEBUG_IP_FIREWALL_USER
51 #define duprintf(format, args...) printk(format , ## args)
52 #else
53 #define duprintf(format, args...)
54 #endif
55
56 #ifdef CONFIG_NETFILTER_DEBUG
57 #define IP_NF_ASSERT(x)                                         \
58 do {                                                            \
59         if (!(x))                                               \
60                 printk("IP_NF_ASSERT: %s:%s:%u\n",              \
61                        __FUNCTION__, __FILE__, __LINE__);       \
62 } while(0)
63 #else
64 #define IP_NF_ASSERT(x)
65 #endif
66
67 #if 0
68 /* All the better to debug you with... */
69 #define static
70 #define inline
71 #endif
72
73 /*
74    We keep a set of rules for each CPU, so we can avoid write-locking
75    them in the softirq when updating the counters and therefore
76    only need to read-lock in the softirq; doing a write_lock_bh() in user
77    context stops packets coming through and allows user context to read
78    the counters or update the rules.
79
80    Hence the start of any table is given by get_table() below.  */
81
82 /* Returns whether matches rule or not. */
83 static inline int
84 ip_packet_match(const struct iphdr *ip,
85                 const char *indev,
86                 const char *outdev,
87                 const struct ipt_ip *ipinfo,
88                 int isfrag)
89 {
90         size_t i;
91         unsigned long ret;
92
93 #define FWINV(bool,invflg) ((bool) ^ !!(ipinfo->invflags & invflg))
94
95         if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
96                   IPT_INV_SRCIP)
97             || FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
98                      IPT_INV_DSTIP)) {
99                 dprintf("Source or dest mismatch.\n");
100
101                 dprintf("SRC: %u.%u.%u.%u. Mask: %u.%u.%u.%u. Target: %u.%u.%u.%u.%s\n",
102                         NIPQUAD(ip->saddr),
103                         NIPQUAD(ipinfo->smsk.s_addr),
104                         NIPQUAD(ipinfo->src.s_addr),
105                         ipinfo->invflags & IPT_INV_SRCIP ? " (INV)" : "");
106                 dprintf("DST: %u.%u.%u.%u Mask: %u.%u.%u.%u Target: %u.%u.%u.%u.%s\n",
107                         NIPQUAD(ip->daddr),
108                         NIPQUAD(ipinfo->dmsk.s_addr),
109                         NIPQUAD(ipinfo->dst.s_addr),
110                         ipinfo->invflags & IPT_INV_DSTIP ? " (INV)" : "");
111                 return 0;
112         }
113
114         /* Look for ifname matches; this should unroll nicely. */
115         for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
116                 ret |= (((const unsigned long *)indev)[i]
117                         ^ ((const unsigned long *)ipinfo->iniface)[i])
118                         & ((const unsigned long *)ipinfo->iniface_mask)[i];
119         }
120
121         if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
122                 dprintf("VIA in mismatch (%s vs %s).%s\n",
123                         indev, ipinfo->iniface,
124                         ipinfo->invflags&IPT_INV_VIA_IN ?" (INV)":"");
125                 return 0;
126         }
127
128         for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
129                 ret |= (((const unsigned long *)outdev)[i]
130                         ^ ((const unsigned long *)ipinfo->outiface)[i])
131                         & ((const unsigned long *)ipinfo->outiface_mask)[i];
132         }
133
134         if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
135                 dprintf("VIA out mismatch (%s vs %s).%s\n",
136                         outdev, ipinfo->outiface,
137                         ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":"");
138                 return 0;
139         }
140
141         /* Check specific protocol */
142         if (ipinfo->proto
143             && FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
144                 dprintf("Packet protocol %hi does not match %hi.%s\n",
145                         ip->protocol, ipinfo->proto,
146                         ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
147                 return 0;
148         }
149
150         /* If we have a fragment rule but the packet is not a fragment
151          * then we return zero */
152         if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) {
153                 dprintf("Fragment rule but not fragment.%s\n",
154                         ipinfo->invflags & IPT_INV_FRAG ? " (INV)" : "");
155                 return 0;
156         }
157
158         return 1;
159 }
160
161 static inline int
162 ip_checkentry(const struct ipt_ip *ip)
163 {
164         if (ip->flags & ~IPT_F_MASK) {
165                 duprintf("Unknown flag bits set: %08X\n",
166                          ip->flags & ~IPT_F_MASK);
167                 return 0;
168         }
169         if (ip->invflags & ~IPT_INV_MASK) {
170                 duprintf("Unknown invflag bits set: %08X\n",
171                          ip->invflags & ~IPT_INV_MASK);
172                 return 0;
173         }
174         return 1;
175 }
176
177 static unsigned int
178 ipt_error(struct sk_buff **pskb,
179           const struct net_device *in,
180           const struct net_device *out,
181           unsigned int hooknum,
182           const struct xt_target *target,
183           const void *targinfo)
184 {
185         if (net_ratelimit())
186                 printk("ip_tables: error: `%s'\n", (char *)targinfo);
187
188         return NF_DROP;
189 }
190
191 static inline
192 int do_match(struct ipt_entry_match *m,
193              const struct sk_buff *skb,
194              const struct net_device *in,
195              const struct net_device *out,
196              int offset,
197              int *hotdrop)
198 {
199         /* Stop iteration if it doesn't match */
200         if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
201                                       offset, skb->nh.iph->ihl*4, hotdrop))
202                 return 1;
203         else
204                 return 0;
205 }
206
207 static inline struct ipt_entry *
208 get_entry(void *base, unsigned int offset)
209 {
210         return (struct ipt_entry *)(base + offset);
211 }
212
213 /* Returns one of the generic firewall policies, like NF_ACCEPT. */
214 unsigned int
215 ipt_do_table(struct sk_buff **pskb,
216              unsigned int hook,
217              const struct net_device *in,
218              const struct net_device *out,
219              struct ipt_table *table)
220 {
221         static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
222         u_int16_t offset;
223         struct iphdr *ip;
224         u_int16_t datalen;
225         int hotdrop = 0;
226         /* Initializing verdict to NF_DROP keeps gcc happy. */
227         unsigned int verdict = NF_DROP;
228         const char *indev, *outdev;
229         void *table_base;
230         struct ipt_entry *e, *back;
231         struct xt_table_info *private;
232
233         /* Initialization */
234         ip = (*pskb)->nh.iph;
235         datalen = (*pskb)->len - ip->ihl * 4;
236         indev = in ? in->name : nulldevname;
237         outdev = out ? out->name : nulldevname;
238         /* We handle fragments by dealing with the first fragment as
239          * if it was a normal packet.  All other fragments are treated
240          * normally, except that they will NEVER match rules that ask
241          * things we don't know, ie. tcp syn flag or ports).  If the
242          * rule is also a fragment-specific rule, non-fragments won't
243          * match it. */
244         offset = ntohs(ip->frag_off) & IP_OFFSET;
245
246         read_lock_bh(&table->lock);
247         IP_NF_ASSERT(table->valid_hooks & (1 << hook));
248         private = table->private;
249         table_base = (void *)private->entries[smp_processor_id()];
250         e = get_entry(table_base, private->hook_entry[hook]);
251
252         /* For return from builtin chain */
253         back = get_entry(table_base, private->underflow[hook]);
254
255         do {
256                 IP_NF_ASSERT(e);
257                 IP_NF_ASSERT(back);
258                 if (ip_packet_match(ip, indev, outdev, &e->ip, offset)) {
259                         struct ipt_entry_target *t;
260
261                         if (IPT_MATCH_ITERATE(e, do_match,
262                                               *pskb, in, out,
263                                               offset, &hotdrop) != 0)
264                                 goto no_match;
265
266                         ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
267
268                         t = ipt_get_target(e);
269                         IP_NF_ASSERT(t->u.kernel.target);
270                         /* Standard target? */
271                         if (!t->u.kernel.target->target) {
272                                 int v;
273
274                                 v = ((struct ipt_standard_target *)t)->verdict;
275                                 if (v < 0) {
276                                         /* Pop from stack? */
277                                         if (v != IPT_RETURN) {
278                                                 verdict = (unsigned)(-v) - 1;
279                                                 break;
280                                         }
281                                         e = back;
282                                         back = get_entry(table_base,
283                                                          back->comefrom);
284                                         continue;
285                                 }
286                                 if (table_base + v != (void *)e + e->next_offset
287                                     && !(e->ip.flags & IPT_F_GOTO)) {
288                                         /* Save old back ptr in next entry */
289                                         struct ipt_entry *next
290                                                 = (void *)e + e->next_offset;
291                                         next->comefrom
292                                                 = (void *)back - table_base;
293                                         /* set back pointer to next entry */
294                                         back = next;
295                                 }
296
297                                 e = get_entry(table_base, v);
298                         } else {
299                                 /* Targets which reenter must return
300                                    abs. verdicts */
301 #ifdef CONFIG_NETFILTER_DEBUG
302                                 ((struct ipt_entry *)table_base)->comefrom
303                                         = 0xeeeeeeec;
304 #endif
305                                 verdict = t->u.kernel.target->target(pskb,
306                                                                      in, out,
307                                                                      hook,
308                                                                      t->u.kernel.target,
309                                                                      t->data);
310
311 #ifdef CONFIG_NETFILTER_DEBUG
312                                 if (((struct ipt_entry *)table_base)->comefrom
313                                     != 0xeeeeeeec
314                                     && verdict == IPT_CONTINUE) {
315                                         printk("Target %s reentered!\n",
316                                                t->u.kernel.target->name);
317                                         verdict = NF_DROP;
318                                 }
319                                 ((struct ipt_entry *)table_base)->comefrom
320                                         = 0x57acc001;
321 #endif
322                                 /* Target might have changed stuff. */
323                                 ip = (*pskb)->nh.iph;
324                                 datalen = (*pskb)->len - ip->ihl * 4;
325
326                                 if (verdict == IPT_CONTINUE)
327                                         e = (void *)e + e->next_offset;
328                                 else
329                                         /* Verdict */
330                                         break;
331                         }
332                 } else {
333
334                 no_match:
335                         e = (void *)e + e->next_offset;
336                 }
337         } while (!hotdrop);
338
339         read_unlock_bh(&table->lock);
340
341 #ifdef DEBUG_ALLOW_ALL
342         return NF_ACCEPT;
343 #else
344         if (hotdrop)
345                 return NF_DROP;
346         else return verdict;
347 #endif
348 }
349
350 /* All zeroes == unconditional rule. */
351 static inline int
352 unconditional(const struct ipt_ip *ip)
353 {
354         unsigned int i;
355
356         for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
357                 if (((__u32 *)ip)[i])
358                         return 0;
359
360         return 1;
361 }
362
363 /* Figures out from what hook each rule can be called: returns 0 if
364    there are loops.  Puts hook bitmask in comefrom. */
365 static int
366 mark_source_chains(struct xt_table_info *newinfo,
367                    unsigned int valid_hooks, void *entry0)
368 {
369         unsigned int hook;
370
371         /* No recursion; use packet counter to save back ptrs (reset
372            to 0 as we leave), and comefrom to save source hook bitmask */
373         for (hook = 0; hook < NF_IP_NUMHOOKS; hook++) {
374                 unsigned int pos = newinfo->hook_entry[hook];
375                 struct ipt_entry *e
376                         = (struct ipt_entry *)(entry0 + pos);
377
378                 if (!(valid_hooks & (1 << hook)))
379                         continue;
380
381                 /* Set initial back pointer. */
382                 e->counters.pcnt = pos;
383
384                 for (;;) {
385                         struct ipt_standard_target *t
386                                 = (void *)ipt_get_target(e);
387
388                         if (e->comefrom & (1 << NF_IP_NUMHOOKS)) {
389                                 printk("iptables: loop hook %u pos %u %08X.\n",
390                                        hook, pos, e->comefrom);
391                                 return 0;
392                         }
393                         e->comefrom
394                                 |= ((1 << hook) | (1 << NF_IP_NUMHOOKS));
395
396                         /* Unconditional return/END. */
397                         if (e->target_offset == sizeof(struct ipt_entry)
398                             && (strcmp(t->target.u.user.name,
399                                        IPT_STANDARD_TARGET) == 0)
400                             && t->verdict < 0
401                             && unconditional(&e->ip)) {
402                                 unsigned int oldpos, size;
403
404                                 /* Return: backtrack through the last
405                                    big jump. */
406                                 do {
407                                         e->comefrom ^= (1<<NF_IP_NUMHOOKS);
408 #ifdef DEBUG_IP_FIREWALL_USER
409                                         if (e->comefrom
410                                             & (1 << NF_IP_NUMHOOKS)) {
411                                                 duprintf("Back unset "
412                                                          "on hook %u "
413                                                          "rule %u\n",
414                                                          hook, pos);
415                                         }
416 #endif
417                                         oldpos = pos;
418                                         pos = e->counters.pcnt;
419                                         e->counters.pcnt = 0;
420
421                                         /* We're at the start. */
422                                         if (pos == oldpos)
423                                                 goto next;
424
425                                         e = (struct ipt_entry *)
426                                                 (entry0 + pos);
427                                 } while (oldpos == pos + e->next_offset);
428
429                                 /* Move along one */
430                                 size = e->next_offset;
431                                 e = (struct ipt_entry *)
432                                         (entry0 + pos + size);
433                                 e->counters.pcnt = pos;
434                                 pos += size;
435                         } else {
436                                 int newpos = t->verdict;
437
438                                 if (strcmp(t->target.u.user.name,
439                                            IPT_STANDARD_TARGET) == 0
440                                     && newpos >= 0) {
441                                         /* This a jump; chase it. */
442                                         duprintf("Jump rule %u -> %u\n",
443                                                  pos, newpos);
444                                 } else {
445                                         /* ... this is a fallthru */
446                                         newpos = pos + e->next_offset;
447                                 }
448                                 e = (struct ipt_entry *)
449                                         (entry0 + newpos);
450                                 e->counters.pcnt = pos;
451                                 pos = newpos;
452                         }
453                 }
454                 next:
455                 duprintf("Finished chain %u\n", hook);
456         }
457         return 1;
458 }
459
460 static inline int
461 cleanup_match(struct ipt_entry_match *m, unsigned int *i)
462 {
463         if (i && (*i)-- == 0)
464                 return 1;
465
466         if (m->u.kernel.match->destroy)
467                 m->u.kernel.match->destroy(m->u.kernel.match, m->data);
468         module_put(m->u.kernel.match->me);
469         return 0;
470 }
471
472 static inline int
473 standard_check(const struct ipt_entry_target *t,
474                unsigned int max_offset)
475 {
476         struct ipt_standard_target *targ = (void *)t;
477
478         /* Check standard info. */
479         if (targ->verdict >= 0
480             && targ->verdict > max_offset - sizeof(struct ipt_entry)) {
481                 duprintf("ipt_standard_check: bad verdict (%i)\n",
482                          targ->verdict);
483                 return 0;
484         }
485         if (targ->verdict < -NF_MAX_VERDICT - 1) {
486                 duprintf("ipt_standard_check: bad negative verdict (%i)\n",
487                          targ->verdict);
488                 return 0;
489         }
490         return 1;
491 }
492
493 static inline int
494 check_match(struct ipt_entry_match *m,
495             const char *name,
496             const struct ipt_ip *ip,
497             unsigned int hookmask,
498             unsigned int *i)
499 {
500         struct ipt_match *match;
501         int ret;
502
503         match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
504                                                    m->u.user.revision),
505                                         "ipt_%s", m->u.user.name);
506         if (IS_ERR(match) || !match) {
507                 duprintf("check_match: `%s' not found\n", m->u.user.name);
508                 return match ? PTR_ERR(match) : -ENOENT;
509         }
510         m->u.kernel.match = match;
511
512         ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
513                              name, hookmask, ip->proto,
514                              ip->invflags & IPT_INV_PROTO);
515         if (ret)
516                 goto err;
517
518         if (m->u.kernel.match->checkentry
519             && !m->u.kernel.match->checkentry(name, ip, match, m->data,
520                                               hookmask)) {
521                 duprintf("ip_tables: check failed for `%s'.\n",
522                          m->u.kernel.match->name);
523                 ret = -EINVAL;
524                 goto err;
525         }
526
527         (*i)++;
528         return 0;
529 err:
530         module_put(m->u.kernel.match->me);
531         return ret;
532 }
533
534 static struct ipt_target ipt_standard_target;
535
536 static inline int
537 check_entry(struct ipt_entry *e, const char *name, unsigned int size,
538             unsigned int *i)
539 {
540         struct ipt_entry_target *t;
541         struct ipt_target *target;
542         int ret;
543         unsigned int j;
544
545         if (!ip_checkentry(&e->ip)) {
546                 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
547                 return -EINVAL;
548         }
549
550         if (e->target_offset + sizeof(struct ipt_entry_target) > e->next_offset)
551                 return -EINVAL;
552
553         j = 0;
554         ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom, &j);
555         if (ret != 0)
556                 goto cleanup_matches;
557
558         t = ipt_get_target(e);
559         ret = -EINVAL;
560         if (e->target_offset + t->u.target_size > e->next_offset)
561                         goto cleanup_matches;
562         target = try_then_request_module(xt_find_target(AF_INET,
563                                                      t->u.user.name,
564                                                      t->u.user.revision),
565                                          "ipt_%s", t->u.user.name);
566         if (IS_ERR(target) || !target) {
567                 duprintf("check_entry: `%s' not found\n", t->u.user.name);
568                 ret = target ? PTR_ERR(target) : -ENOENT;
569                 goto cleanup_matches;
570         }
571         t->u.kernel.target = target;
572
573         ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
574                               name, e->comefrom, e->ip.proto,
575                               e->ip.invflags & IPT_INV_PROTO);
576         if (ret)
577                 goto err;
578
579         if (t->u.kernel.target == &ipt_standard_target) {
580                 if (!standard_check(t, size)) {
581                         ret = -EINVAL;
582                         goto err;
583                 }
584         } else if (t->u.kernel.target->checkentry
585                    && !t->u.kernel.target->checkentry(name, e, target, t->data,
586                                                       e->comefrom)) {
587                 duprintf("ip_tables: check failed for `%s'.\n",
588                          t->u.kernel.target->name);
589                 ret = -EINVAL;
590                 goto err;
591         }
592
593         (*i)++;
594         return 0;
595  err:
596         module_put(t->u.kernel.target->me);
597  cleanup_matches:
598         IPT_MATCH_ITERATE(e, cleanup_match, &j);
599         return ret;
600 }
601
602 static inline int
603 check_entry_size_and_hooks(struct ipt_entry *e,
604                            struct xt_table_info *newinfo,
605                            unsigned char *base,
606                            unsigned char *limit,
607                            const unsigned int *hook_entries,
608                            const unsigned int *underflows,
609                            unsigned int *i)
610 {
611         unsigned int h;
612
613         if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
614             || (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
615                 duprintf("Bad offset %p\n", e);
616                 return -EINVAL;
617         }
618
619         if (e->next_offset
620             < sizeof(struct ipt_entry) + sizeof(struct ipt_entry_target)) {
621                 duprintf("checking: element %p size %u\n",
622                          e, e->next_offset);
623                 return -EINVAL;
624         }
625
626         /* Check hooks & underflows */
627         for (h = 0; h < NF_IP_NUMHOOKS; h++) {
628                 if ((unsigned char *)e - base == hook_entries[h])
629                         newinfo->hook_entry[h] = hook_entries[h];
630                 if ((unsigned char *)e - base == underflows[h])
631                         newinfo->underflow[h] = underflows[h];
632         }
633
634         /* FIXME: underflows must be unconditional, standard verdicts
635            < 0 (not IPT_RETURN). --RR */
636
637         /* Clear counters and comefrom */
638         e->counters = ((struct xt_counters) { 0, 0 });
639         e->comefrom = 0;
640
641         (*i)++;
642         return 0;
643 }
644
645 static inline int
646 cleanup_entry(struct ipt_entry *e, unsigned int *i)
647 {
648         struct ipt_entry_target *t;
649
650         if (i && (*i)-- == 0)
651                 return 1;
652
653         /* Cleanup all matches */
654         IPT_MATCH_ITERATE(e, cleanup_match, NULL);
655         t = ipt_get_target(e);
656         if (t->u.kernel.target->destroy)
657                 t->u.kernel.target->destroy(t->u.kernel.target, t->data);
658         module_put(t->u.kernel.target->me);
659         return 0;
660 }
661
662 /* Checks and translates the user-supplied table segment (held in
663    newinfo) */
664 static int
665 translate_table(const char *name,
666                 unsigned int valid_hooks,
667                 struct xt_table_info *newinfo,
668                 void *entry0,
669                 unsigned int size,
670                 unsigned int number,
671                 const unsigned int *hook_entries,
672                 const unsigned int *underflows)
673 {
674         unsigned int i;
675         int ret;
676
677         newinfo->size = size;
678         newinfo->number = number;
679
680         /* Init all hooks to impossible value. */
681         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
682                 newinfo->hook_entry[i] = 0xFFFFFFFF;
683                 newinfo->underflow[i] = 0xFFFFFFFF;
684         }
685
686         duprintf("translate_table: size %u\n", newinfo->size);
687         i = 0;
688         /* Walk through entries, checking offsets. */
689         ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
690                                 check_entry_size_and_hooks,
691                                 newinfo,
692                                 entry0,
693                                 entry0 + size,
694                                 hook_entries, underflows, &i);
695         if (ret != 0)
696                 return ret;
697
698         if (i != number) {
699                 duprintf("translate_table: %u not %u entries\n",
700                          i, number);
701                 return -EINVAL;
702         }
703
704         /* Check hooks all assigned */
705         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
706                 /* Only hooks which are valid */
707                 if (!(valid_hooks & (1 << i)))
708                         continue;
709                 if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
710                         duprintf("Invalid hook entry %u %u\n",
711                                  i, hook_entries[i]);
712                         return -EINVAL;
713                 }
714                 if (newinfo->underflow[i] == 0xFFFFFFFF) {
715                         duprintf("Invalid underflow %u %u\n",
716                                  i, underflows[i]);
717                         return -EINVAL;
718                 }
719         }
720
721         /* Finally, each sanity check must pass */
722         i = 0;
723         ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
724                                 check_entry, name, size, &i);
725
726         if (ret != 0)
727                 goto cleanup;
728
729         ret = -ELOOP;
730         if (!mark_source_chains(newinfo, valid_hooks, entry0))
731                 goto cleanup;
732
733         /* And one copy for every other CPU */
734         for_each_possible_cpu(i) {
735                 if (newinfo->entries[i] && newinfo->entries[i] != entry0)
736                         memcpy(newinfo->entries[i], entry0, newinfo->size);
737         }
738
739         return 0;
740 cleanup:
741         IPT_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
742         return ret;
743 }
744
745 /* Gets counters. */
746 static inline int
747 add_entry_to_counter(const struct ipt_entry *e,
748                      struct xt_counters total[],
749                      unsigned int *i)
750 {
751         ADD_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
752
753         (*i)++;
754         return 0;
755 }
756
757 static inline int
758 set_entry_to_counter(const struct ipt_entry *e,
759                      struct ipt_counters total[],
760                      unsigned int *i)
761 {
762         SET_COUNTER(total[*i], e->counters.bcnt, e->counters.pcnt);
763
764         (*i)++;
765         return 0;
766 }
767
768 static void
769 get_counters(const struct xt_table_info *t,
770              struct xt_counters counters[])
771 {
772         unsigned int cpu;
773         unsigned int i;
774         unsigned int curcpu;
775
776         /* Instead of clearing (by a previous call to memset())
777          * the counters and using adds, we set the counters
778          * with data used by 'current' CPU
779          * We dont care about preemption here.
780          */
781         curcpu = raw_smp_processor_id();
782
783         i = 0;
784         IPT_ENTRY_ITERATE(t->entries[curcpu],
785                           t->size,
786                           set_entry_to_counter,
787                           counters,
788                           &i);
789
790         for_each_possible_cpu(cpu) {
791                 if (cpu == curcpu)
792                         continue;
793                 i = 0;
794                 IPT_ENTRY_ITERATE(t->entries[cpu],
795                                   t->size,
796                                   add_entry_to_counter,
797                                   counters,
798                                   &i);
799         }
800 }
801
802 static inline struct xt_counters * alloc_counters(struct ipt_table *table)
803 {
804         unsigned int countersize;
805         struct xt_counters *counters;
806         struct xt_table_info *private = table->private;
807
808         /* We need atomic snapshot of counters: rest doesn't change
809            (other than comefrom, which userspace doesn't care
810            about). */
811         countersize = sizeof(struct xt_counters) * private->number;
812         counters = vmalloc_node(countersize, numa_node_id());
813
814         if (counters == NULL)
815                 return ERR_PTR(-ENOMEM);
816
817         /* First, sum counters... */
818         write_lock_bh(&table->lock);
819         get_counters(private, counters);
820         write_unlock_bh(&table->lock);
821
822         return counters;
823 }
824
825 static int
826 copy_entries_to_user(unsigned int total_size,
827                      struct ipt_table *table,
828                      void __user *userptr)
829 {
830         unsigned int off, num;
831         struct ipt_entry *e;
832         struct xt_counters *counters;
833         struct xt_table_info *private = table->private;
834         int ret = 0;
835         void *loc_cpu_entry;
836
837         counters = alloc_counters(table);
838         if (IS_ERR(counters))
839                 return PTR_ERR(counters);
840
841         /* choose the copy that is on our node/cpu, ...
842          * This choice is lazy (because current thread is
843          * allowed to migrate to another cpu)
844          */
845         loc_cpu_entry = private->entries[raw_smp_processor_id()];
846         /* ... then copy entire thing ... */
847         if (copy_to_user(userptr, loc_cpu_entry, total_size) != 0) {
848                 ret = -EFAULT;
849                 goto free_counters;
850         }
851
852         /* FIXME: use iterator macros --RR */
853         /* ... then go back and fix counters and names */
854         for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
855                 unsigned int i;
856                 struct ipt_entry_match *m;
857                 struct ipt_entry_target *t;
858
859                 e = (struct ipt_entry *)(loc_cpu_entry + off);
860                 if (copy_to_user(userptr + off
861                                  + offsetof(struct ipt_entry, counters),
862                                  &counters[num],
863                                  sizeof(counters[num])) != 0) {
864                         ret = -EFAULT;
865                         goto free_counters;
866                 }
867
868                 for (i = sizeof(struct ipt_entry);
869                      i < e->target_offset;
870                      i += m->u.match_size) {
871                         m = (void *)e + i;
872
873                         if (copy_to_user(userptr + off + i
874                                          + offsetof(struct ipt_entry_match,
875                                                     u.user.name),
876                                          m->u.kernel.match->name,
877                                          strlen(m->u.kernel.match->name)+1)
878                             != 0) {
879                                 ret = -EFAULT;
880                                 goto free_counters;
881                         }
882                 }
883
884                 t = ipt_get_target(e);
885                 if (copy_to_user(userptr + off + e->target_offset
886                                  + offsetof(struct ipt_entry_target,
887                                             u.user.name),
888                                  t->u.kernel.target->name,
889                                  strlen(t->u.kernel.target->name)+1) != 0) {
890                         ret = -EFAULT;
891                         goto free_counters;
892                 }
893         }
894
895  free_counters:
896         vfree(counters);
897         return ret;
898 }
899
900 #ifdef CONFIG_COMPAT
901 struct compat_delta {
902         struct compat_delta *next;
903         u_int16_t offset;
904         short delta;
905 };
906
907 static struct compat_delta *compat_offsets = NULL;
908
909 static int compat_add_offset(u_int16_t offset, short delta)
910 {
911         struct compat_delta *tmp;
912
913         tmp = kmalloc(sizeof(struct compat_delta), GFP_KERNEL);
914         if (!tmp)
915                 return -ENOMEM;
916         tmp->offset = offset;
917         tmp->delta = delta;
918         if (compat_offsets) {
919                 tmp->next = compat_offsets->next;
920                 compat_offsets->next = tmp;
921         } else {
922                 compat_offsets = tmp;
923                 tmp->next = NULL;
924         }
925         return 0;
926 }
927
928 static void compat_flush_offsets(void)
929 {
930         struct compat_delta *tmp, *next;
931
932         if (compat_offsets) {
933                 for(tmp = compat_offsets; tmp; tmp = next) {
934                         next = tmp->next;
935                         kfree(tmp);
936                 }
937                 compat_offsets = NULL;
938         }
939 }
940
941 static short compat_calc_jump(u_int16_t offset)
942 {
943         struct compat_delta *tmp;
944         short delta;
945
946         for(tmp = compat_offsets, delta = 0; tmp; tmp = tmp->next)
947                 if (tmp->offset < offset)
948                         delta += tmp->delta;
949         return delta;
950 }
951
952 static void compat_standard_from_user(void *dst, void *src)
953 {
954         int v = *(compat_int_t *)src;
955
956         if (v > 0)
957                 v += compat_calc_jump(v);
958         memcpy(dst, &v, sizeof(v));
959 }
960
961 static int compat_standard_to_user(void __user *dst, void *src)
962 {
963         compat_int_t cv = *(int *)src;
964
965         if (cv > 0)
966                 cv -= compat_calc_jump(cv);
967         return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
968 }
969
970 static inline int
971 compat_calc_match(struct ipt_entry_match *m, int * size)
972 {
973         *size += xt_compat_match_offset(m->u.kernel.match);
974         return 0;
975 }
976
977 static int compat_calc_entry(struct ipt_entry *e, struct xt_table_info *info,
978                 void *base, struct xt_table_info *newinfo)
979 {
980         struct ipt_entry_target *t;
981         u_int16_t entry_offset;
982         int off, i, ret;
983
984         off = 0;
985         entry_offset = (void *)e - base;
986         IPT_MATCH_ITERATE(e, compat_calc_match, &off);
987         t = ipt_get_target(e);
988         off += xt_compat_target_offset(t->u.kernel.target);
989         newinfo->size -= off;
990         ret = compat_add_offset(entry_offset, off);
991         if (ret)
992                 return ret;
993
994         for (i = 0; i< NF_IP_NUMHOOKS; i++) {
995                 if (info->hook_entry[i] && (e < (struct ipt_entry *)
996                                 (base + info->hook_entry[i])))
997                         newinfo->hook_entry[i] -= off;
998                 if (info->underflow[i] && (e < (struct ipt_entry *)
999                                 (base + info->underflow[i])))
1000                         newinfo->underflow[i] -= off;
1001         }
1002         return 0;
1003 }
1004
1005 static int compat_table_info(struct xt_table_info *info,
1006                 struct xt_table_info *newinfo)
1007 {
1008         void *loc_cpu_entry;
1009         int i;
1010
1011         if (!newinfo || !info)
1012                 return -EINVAL;
1013
1014         memset(newinfo, 0, sizeof(struct xt_table_info));
1015         newinfo->size = info->size;
1016         newinfo->number = info->number;
1017         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1018                 newinfo->hook_entry[i] = info->hook_entry[i];
1019                 newinfo->underflow[i] = info->underflow[i];
1020         }
1021         loc_cpu_entry = info->entries[raw_smp_processor_id()];
1022         return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
1023                         compat_calc_entry, info, loc_cpu_entry, newinfo);
1024 }
1025 #endif
1026
1027 static int get_info(void __user *user, int *len, int compat)
1028 {
1029         char name[IPT_TABLE_MAXNAMELEN];
1030         struct ipt_table *t;
1031         int ret;
1032
1033         if (*len != sizeof(struct ipt_getinfo)) {
1034                 duprintf("length %u != %u\n", *len,
1035                         (unsigned int)sizeof(struct ipt_getinfo));
1036                 return -EINVAL;
1037         }
1038
1039         if (copy_from_user(name, user, sizeof(name)) != 0)
1040                 return -EFAULT;
1041
1042         name[IPT_TABLE_MAXNAMELEN-1] = '\0';
1043 #ifdef CONFIG_COMPAT
1044         if (compat)
1045                 xt_compat_lock(AF_INET);
1046 #endif
1047         t = try_then_request_module(xt_find_table_lock(AF_INET, name),
1048                         "iptable_%s", name);
1049         if (t && !IS_ERR(t)) {
1050                 struct ipt_getinfo info;
1051                 struct xt_table_info *private = t->private;
1052
1053 #ifdef CONFIG_COMPAT
1054                 if (compat) {
1055                         struct xt_table_info tmp;
1056                         ret = compat_table_info(private, &tmp);
1057                         compat_flush_offsets();
1058                         private =  &tmp;
1059                 }
1060 #endif
1061                 info.valid_hooks = t->valid_hooks;
1062                 memcpy(info.hook_entry, private->hook_entry,
1063                                 sizeof(info.hook_entry));
1064                 memcpy(info.underflow, private->underflow,
1065                                 sizeof(info.underflow));
1066                 info.num_entries = private->number;
1067                 info.size = private->size;
1068                 strcpy(info.name, name);
1069
1070                 if (copy_to_user(user, &info, *len) != 0)
1071                         ret = -EFAULT;
1072                 else
1073                         ret = 0;
1074
1075                 xt_table_unlock(t);
1076                 module_put(t->me);
1077         } else
1078                 ret = t ? PTR_ERR(t) : -ENOENT;
1079 #ifdef CONFIG_COMPAT
1080         if (compat)
1081                 xt_compat_unlock(AF_INET);
1082 #endif
1083         return ret;
1084 }
1085
1086 static int
1087 get_entries(struct ipt_get_entries __user *uptr, int *len)
1088 {
1089         int ret;
1090         struct ipt_get_entries get;
1091         struct ipt_table *t;
1092
1093         if (*len < sizeof(get)) {
1094                 duprintf("get_entries: %u < %d\n", *len,
1095                                 (unsigned int)sizeof(get));
1096                 return -EINVAL;
1097         }
1098         if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1099                 return -EFAULT;
1100         if (*len != sizeof(struct ipt_get_entries) + get.size) {
1101                 duprintf("get_entries: %u != %u\n", *len,
1102                                 (unsigned int)(sizeof(struct ipt_get_entries) +
1103                                 get.size));
1104                 return -EINVAL;
1105         }
1106
1107         t = xt_find_table_lock(AF_INET, get.name);
1108         if (t && !IS_ERR(t)) {
1109                 struct xt_table_info *private = t->private;
1110                 duprintf("t->private->number = %u\n",
1111                          private->number);
1112                 if (get.size == private->size)
1113                         ret = copy_entries_to_user(private->size,
1114                                                    t, uptr->entrytable);
1115                 else {
1116                         duprintf("get_entries: I've got %u not %u!\n",
1117                                  private->size,
1118                                  get.size);
1119                         ret = -EINVAL;
1120                 }
1121                 module_put(t->me);
1122                 xt_table_unlock(t);
1123         } else
1124                 ret = t ? PTR_ERR(t) : -ENOENT;
1125
1126         return ret;
1127 }
1128
1129 static int
1130 __do_replace(const char *name, unsigned int valid_hooks,
1131                 struct xt_table_info *newinfo, unsigned int num_counters,
1132                 void __user *counters_ptr)
1133 {
1134         int ret;
1135         struct ipt_table *t;
1136         struct xt_table_info *oldinfo;
1137         struct xt_counters *counters;
1138         void *loc_cpu_old_entry;
1139
1140         ret = 0;
1141         counters = vmalloc(num_counters * sizeof(struct xt_counters));
1142         if (!counters) {
1143                 ret = -ENOMEM;
1144                 goto out;
1145         }
1146
1147         t = try_then_request_module(xt_find_table_lock(AF_INET, name),
1148                                     "iptable_%s", name);
1149         if (!t || IS_ERR(t)) {
1150                 ret = t ? PTR_ERR(t) : -ENOENT;
1151                 goto free_newinfo_counters_untrans;
1152         }
1153
1154         /* You lied! */
1155         if (valid_hooks != t->valid_hooks) {
1156                 duprintf("Valid hook crap: %08X vs %08X\n",
1157                          valid_hooks, t->valid_hooks);
1158                 ret = -EINVAL;
1159                 goto put_module;
1160         }
1161
1162         oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
1163         if (!oldinfo)
1164                 goto put_module;
1165
1166         /* Update module usage count based on number of rules */
1167         duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
1168                 oldinfo->number, oldinfo->initial_entries, newinfo->number);
1169         if ((oldinfo->number > oldinfo->initial_entries) ||
1170             (newinfo->number <= oldinfo->initial_entries))
1171                 module_put(t->me);
1172         if ((oldinfo->number > oldinfo->initial_entries) &&
1173             (newinfo->number <= oldinfo->initial_entries))
1174                 module_put(t->me);
1175
1176         /* Get the old counters. */
1177         get_counters(oldinfo, counters);
1178         /* Decrease module usage counts and free resource */
1179         loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
1180         IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
1181         xt_free_table_info(oldinfo);
1182         if (copy_to_user(counters_ptr, counters,
1183                          sizeof(struct xt_counters) * num_counters) != 0)
1184                 ret = -EFAULT;
1185         vfree(counters);
1186         xt_table_unlock(t);
1187         return ret;
1188
1189  put_module:
1190         module_put(t->me);
1191         xt_table_unlock(t);
1192  free_newinfo_counters_untrans:
1193         vfree(counters);
1194  out:
1195         return ret;
1196 }
1197
1198 static int
1199 do_replace(void __user *user, unsigned int len)
1200 {
1201         int ret;
1202         struct ipt_replace tmp;
1203         struct xt_table_info *newinfo;
1204         void *loc_cpu_entry;
1205
1206         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1207                 return -EFAULT;
1208
1209         /* Hack: Causes ipchains to give correct error msg --RR */
1210         if (len != sizeof(tmp) + tmp.size)
1211                 return -ENOPROTOOPT;
1212
1213         /* overflow check */
1214         if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
1215                         SMP_CACHE_BYTES)
1216                 return -ENOMEM;
1217         if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1218                 return -ENOMEM;
1219
1220         newinfo = xt_alloc_table_info(tmp.size);
1221         if (!newinfo)
1222                 return -ENOMEM;
1223
1224         /* choose the copy that is our node/cpu */
1225         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1226         if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1227                            tmp.size) != 0) {
1228                 ret = -EFAULT;
1229                 goto free_newinfo;
1230         }
1231
1232         ret = translate_table(tmp.name, tmp.valid_hooks,
1233                               newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
1234                               tmp.hook_entry, tmp.underflow);
1235         if (ret != 0)
1236                 goto free_newinfo;
1237
1238         duprintf("ip_tables: Translated table\n");
1239
1240         ret = __do_replace(tmp.name, tmp.valid_hooks,
1241                               newinfo, tmp.num_counters,
1242                               tmp.counters);
1243         if (ret)
1244                 goto free_newinfo_untrans;
1245         return 0;
1246
1247  free_newinfo_untrans:
1248         IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
1249  free_newinfo:
1250         xt_free_table_info(newinfo);
1251         return ret;
1252 }
1253
1254 /* We're lazy, and add to the first CPU; overflow works its fey magic
1255  * and everything is OK. */
1256 static inline int
1257 add_counter_to_entry(struct ipt_entry *e,
1258                      const struct xt_counters addme[],
1259                      unsigned int *i)
1260 {
1261 #if 0
1262         duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
1263                  *i,
1264                  (long unsigned int)e->counters.pcnt,
1265                  (long unsigned int)e->counters.bcnt,
1266                  (long unsigned int)addme[*i].pcnt,
1267                  (long unsigned int)addme[*i].bcnt);
1268 #endif
1269
1270         ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
1271
1272         (*i)++;
1273         return 0;
1274 }
1275
1276 static int
1277 do_add_counters(void __user *user, unsigned int len, int compat)
1278 {
1279         unsigned int i;
1280         struct xt_counters_info tmp;
1281         struct xt_counters *paddc;
1282         unsigned int num_counters;
1283         char *name;
1284         int size;
1285         void *ptmp;
1286         struct ipt_table *t;
1287         struct xt_table_info *private;
1288         int ret = 0;
1289         void *loc_cpu_entry;
1290 #ifdef CONFIG_COMPAT
1291         struct compat_xt_counters_info compat_tmp;
1292
1293         if (compat) {
1294                 ptmp = &compat_tmp;
1295                 size = sizeof(struct compat_xt_counters_info);
1296         } else
1297 #endif
1298         {
1299                 ptmp = &tmp;
1300                 size = sizeof(struct xt_counters_info);
1301         }
1302
1303         if (copy_from_user(ptmp, user, size) != 0)
1304                 return -EFAULT;
1305
1306 #ifdef CONFIG_COMPAT
1307         if (compat) {
1308                 num_counters = compat_tmp.num_counters;
1309                 name = compat_tmp.name;
1310         } else
1311 #endif
1312         {
1313                 num_counters = tmp.num_counters;
1314                 name = tmp.name;
1315         }
1316
1317         if (len != size + num_counters * sizeof(struct xt_counters))
1318                 return -EINVAL;
1319
1320         paddc = vmalloc_node(len - size, numa_node_id());
1321         if (!paddc)
1322                 return -ENOMEM;
1323
1324         if (copy_from_user(paddc, user + size, len - size) != 0) {
1325                 ret = -EFAULT;
1326                 goto free;
1327         }
1328
1329         t = xt_find_table_lock(AF_INET, name);
1330         if (!t || IS_ERR(t)) {
1331                 ret = t ? PTR_ERR(t) : -ENOENT;
1332                 goto free;
1333         }
1334
1335         write_lock_bh(&t->lock);
1336         private = t->private;
1337         if (private->number != num_counters) {
1338                 ret = -EINVAL;
1339                 goto unlock_up_free;
1340         }
1341
1342         i = 0;
1343         /* Choose the copy that is on our node */
1344         loc_cpu_entry = private->entries[raw_smp_processor_id()];
1345         IPT_ENTRY_ITERATE(loc_cpu_entry,
1346                           private->size,
1347                           add_counter_to_entry,
1348                           paddc,
1349                           &i);
1350  unlock_up_free:
1351         write_unlock_bh(&t->lock);
1352         xt_table_unlock(t);
1353         module_put(t->me);
1354  free:
1355         vfree(paddc);
1356
1357         return ret;
1358 }
1359
1360 #ifdef CONFIG_COMPAT
1361 struct compat_ipt_replace {
1362         char                    name[IPT_TABLE_MAXNAMELEN];
1363         u32                     valid_hooks;
1364         u32                     num_entries;
1365         u32                     size;
1366         u32                     hook_entry[NF_IP_NUMHOOKS];
1367         u32                     underflow[NF_IP_NUMHOOKS];
1368         u32                     num_counters;
1369         compat_uptr_t           counters;       /* struct ipt_counters * */
1370         struct compat_ipt_entry entries[0];
1371 };
1372
1373 static inline int compat_copy_match_to_user(struct ipt_entry_match *m,
1374                 void __user **dstptr, compat_uint_t *size)
1375 {
1376         return xt_compat_match_to_user(m, dstptr, size);
1377 }
1378
1379 static int compat_copy_entry_to_user(struct ipt_entry *e,
1380                 void __user **dstptr, compat_uint_t *size)
1381 {
1382         struct ipt_entry_target *t;
1383         struct compat_ipt_entry __user *ce;
1384         u_int16_t target_offset, next_offset;
1385         compat_uint_t origsize;
1386         int ret;
1387
1388         ret = -EFAULT;
1389         origsize = *size;
1390         ce = (struct compat_ipt_entry __user *)*dstptr;
1391         if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
1392                 goto out;
1393
1394         *dstptr += sizeof(struct compat_ipt_entry);
1395         ret = IPT_MATCH_ITERATE(e, compat_copy_match_to_user, dstptr, size);
1396         target_offset = e->target_offset - (origsize - *size);
1397         if (ret)
1398                 goto out;
1399         t = ipt_get_target(e);
1400         ret = xt_compat_target_to_user(t, dstptr, size);
1401         if (ret)
1402                 goto out;
1403         ret = -EFAULT;
1404         next_offset = e->next_offset - (origsize - *size);
1405         if (put_user(target_offset, &ce->target_offset))
1406                 goto out;
1407         if (put_user(next_offset, &ce->next_offset))
1408                 goto out;
1409         return 0;
1410 out:
1411         return ret;
1412 }
1413
1414 static inline int
1415 compat_check_calc_match(struct ipt_entry_match *m,
1416             const char *name,
1417             const struct ipt_ip *ip,
1418             unsigned int hookmask,
1419             int *size, int *i)
1420 {
1421         struct ipt_match *match;
1422
1423         match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
1424                                                    m->u.user.revision),
1425                                         "ipt_%s", m->u.user.name);
1426         if (IS_ERR(match) || !match) {
1427                 duprintf("compat_check_calc_match: `%s' not found\n",
1428                                 m->u.user.name);
1429                 return match ? PTR_ERR(match) : -ENOENT;
1430         }
1431         m->u.kernel.match = match;
1432         *size += xt_compat_match_offset(match);
1433
1434         (*i)++;
1435         return 0;
1436 }
1437
1438 static inline int
1439 check_compat_entry_size_and_hooks(struct ipt_entry *e,
1440                            struct xt_table_info *newinfo,
1441                            unsigned int *size,
1442                            unsigned char *base,
1443                            unsigned char *limit,
1444                            unsigned int *hook_entries,
1445                            unsigned int *underflows,
1446                            unsigned int *i,
1447                            const char *name)
1448 {
1449         struct ipt_entry_target *t;
1450         struct ipt_target *target;
1451         u_int16_t entry_offset;
1452         int ret, off, h, j;
1453
1454         duprintf("check_compat_entry_size_and_hooks %p\n", e);
1455         if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
1456             || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1457                 duprintf("Bad offset %p, limit = %p\n", e, limit);
1458                 return -EINVAL;
1459         }
1460
1461         if (e->next_offset < sizeof(struct compat_ipt_entry) +
1462                         sizeof(struct compat_xt_entry_target)) {
1463                 duprintf("checking: element %p size %u\n",
1464                          e, e->next_offset);
1465                 return -EINVAL;
1466         }
1467
1468         if (!ip_checkentry(&e->ip)) {
1469                 duprintf("ip_tables: ip check failed %p %s.\n", e, name);
1470                 return -EINVAL;
1471         }
1472
1473         if (e->target_offset + sizeof(struct compat_xt_entry_target) >
1474                                                                 e->next_offset)
1475                 return -EINVAL;
1476
1477         off = 0;
1478         entry_offset = (void *)e - (void *)base;
1479         j = 0;
1480         ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip,
1481                         e->comefrom, &off, &j);
1482         if (ret != 0)
1483                 goto cleanup_matches;
1484
1485         t = ipt_get_target(e);
1486         ret = -EINVAL;
1487         if (e->target_offset + t->u.target_size > e->next_offset)
1488                         goto cleanup_matches;
1489         target = try_then_request_module(xt_find_target(AF_INET,
1490                                                      t->u.user.name,
1491                                                      t->u.user.revision),
1492                                          "ipt_%s", t->u.user.name);
1493         if (IS_ERR(target) || !target) {
1494                 duprintf("check_entry: `%s' not found\n", t->u.user.name);
1495                 ret = target ? PTR_ERR(target) : -ENOENT;
1496                 goto cleanup_matches;
1497         }
1498         t->u.kernel.target = target;
1499
1500         off += xt_compat_target_offset(target);
1501         *size += off;
1502         ret = compat_add_offset(entry_offset, off);
1503         if (ret)
1504                 goto out;
1505
1506         /* Check hooks & underflows */
1507         for (h = 0; h < NF_IP_NUMHOOKS; h++) {
1508                 if ((unsigned char *)e - base == hook_entries[h])
1509                         newinfo->hook_entry[h] = hook_entries[h];
1510                 if ((unsigned char *)e - base == underflows[h])
1511                         newinfo->underflow[h] = underflows[h];
1512         }
1513
1514         /* Clear counters and comefrom */
1515         e->counters = ((struct ipt_counters) { 0, 0 });
1516         e->comefrom = 0;
1517
1518         (*i)++;
1519         return 0;
1520
1521 out:
1522         module_put(t->u.kernel.target->me);
1523 cleanup_matches:
1524         IPT_MATCH_ITERATE(e, cleanup_match, &j);
1525         return ret;
1526 }
1527
1528 static inline int compat_copy_match_from_user(struct ipt_entry_match *m,
1529         void **dstptr, compat_uint_t *size, const char *name,
1530         const struct ipt_ip *ip, unsigned int hookmask)
1531 {
1532         struct ipt_entry_match *dm;
1533         struct ipt_match *match;
1534         int ret;
1535
1536         dm = (struct ipt_entry_match *)*dstptr;
1537         match = m->u.kernel.match;
1538         xt_compat_match_from_user(m, dstptr, size);
1539
1540         ret = xt_check_match(match, AF_INET, dm->u.match_size - sizeof(*dm),
1541                              name, hookmask, ip->proto,
1542                              ip->invflags & IPT_INV_PROTO);
1543         if (!ret && m->u.kernel.match->checkentry
1544             && !m->u.kernel.match->checkentry(name, ip, match, dm->data,
1545                                               hookmask)) {
1546                 duprintf("ip_tables: check failed for `%s'.\n",
1547                          m->u.kernel.match->name);
1548                 ret = -EINVAL;
1549         }
1550         return ret;
1551 }
1552
1553 static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr,
1554         unsigned int *size, const char *name,
1555         struct xt_table_info *newinfo, unsigned char *base)
1556 {
1557         struct ipt_entry_target *t;
1558         struct ipt_target *target;
1559         struct ipt_entry *de;
1560         unsigned int origsize;
1561         int ret, h;
1562
1563         ret = 0;
1564         origsize = *size;
1565         de = (struct ipt_entry *)*dstptr;
1566         memcpy(de, e, sizeof(struct ipt_entry));
1567
1568         *dstptr += sizeof(struct compat_ipt_entry);
1569         ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size,
1570                         name, &de->ip, de->comefrom);
1571         if (ret)
1572                 goto err;
1573         de->target_offset = e->target_offset - (origsize - *size);
1574         t = ipt_get_target(e);
1575         target = t->u.kernel.target;
1576         xt_compat_target_from_user(t, dstptr, size);
1577
1578         de->next_offset = e->next_offset - (origsize - *size);
1579         for (h = 0; h < NF_IP_NUMHOOKS; h++) {
1580                 if ((unsigned char *)de - base < newinfo->hook_entry[h])
1581                         newinfo->hook_entry[h] -= origsize - *size;
1582                 if ((unsigned char *)de - base < newinfo->underflow[h])
1583                         newinfo->underflow[h] -= origsize - *size;
1584         }
1585
1586         t = ipt_get_target(de);
1587         target = t->u.kernel.target;
1588         ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
1589                               name, e->comefrom, e->ip.proto,
1590                               e->ip.invflags & IPT_INV_PROTO);
1591         if (ret)
1592                 goto err;
1593
1594         ret = -EINVAL;
1595         if (t->u.kernel.target == &ipt_standard_target) {
1596                 if (!standard_check(t, *size))
1597                         goto err;
1598         } else if (t->u.kernel.target->checkentry
1599                    && !t->u.kernel.target->checkentry(name, de, target,
1600                                                       t->data, de->comefrom)) {
1601                 duprintf("ip_tables: compat: check failed for `%s'.\n",
1602                          t->u.kernel.target->name);
1603                 goto err;
1604         }
1605         ret = 0;
1606 err:
1607         return ret;
1608 }
1609
1610 static int
1611 translate_compat_table(const char *name,
1612                 unsigned int valid_hooks,
1613                 struct xt_table_info **pinfo,
1614                 void **pentry0,
1615                 unsigned int total_size,
1616                 unsigned int number,
1617                 unsigned int *hook_entries,
1618                 unsigned int *underflows)
1619 {
1620         unsigned int i, j;
1621         struct xt_table_info *newinfo, *info;
1622         void *pos, *entry0, *entry1;
1623         unsigned int size;
1624         int ret;
1625
1626         info = *pinfo;
1627         entry0 = *pentry0;
1628         size = total_size;
1629         info->number = number;
1630
1631         /* Init all hooks to impossible value. */
1632         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1633                 info->hook_entry[i] = 0xFFFFFFFF;
1634                 info->underflow[i] = 0xFFFFFFFF;
1635         }
1636
1637         duprintf("translate_compat_table: size %u\n", info->size);
1638         j = 0;
1639         xt_compat_lock(AF_INET);
1640         /* Walk through entries, checking offsets. */
1641         ret = IPT_ENTRY_ITERATE(entry0, total_size,
1642                                 check_compat_entry_size_and_hooks,
1643                                 info, &size, entry0,
1644                                 entry0 + total_size,
1645                                 hook_entries, underflows, &j, name);
1646         if (ret != 0)
1647                 goto out_unlock;
1648
1649         ret = -EINVAL;
1650         if (j != number) {
1651                 duprintf("translate_compat_table: %u not %u entries\n",
1652                          j, number);
1653                 goto out_unlock;
1654         }
1655
1656         /* Check hooks all assigned */
1657         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1658                 /* Only hooks which are valid */
1659                 if (!(valid_hooks & (1 << i)))
1660                         continue;
1661                 if (info->hook_entry[i] == 0xFFFFFFFF) {
1662                         duprintf("Invalid hook entry %u %u\n",
1663                                  i, hook_entries[i]);
1664                         goto out_unlock;
1665                 }
1666                 if (info->underflow[i] == 0xFFFFFFFF) {
1667                         duprintf("Invalid underflow %u %u\n",
1668                                  i, underflows[i]);
1669                         goto out_unlock;
1670                 }
1671         }
1672
1673         ret = -ENOMEM;
1674         newinfo = xt_alloc_table_info(size);
1675         if (!newinfo)
1676                 goto out_unlock;
1677
1678         newinfo->number = number;
1679         for (i = 0; i < NF_IP_NUMHOOKS; i++) {
1680                 newinfo->hook_entry[i] = info->hook_entry[i];
1681                 newinfo->underflow[i] = info->underflow[i];
1682         }
1683         entry1 = newinfo->entries[raw_smp_processor_id()];
1684         pos = entry1;
1685         size =  total_size;
1686         ret = IPT_ENTRY_ITERATE(entry0, total_size,
1687                         compat_copy_entry_from_user, &pos, &size,
1688                         name, newinfo, entry1);
1689         compat_flush_offsets();
1690         xt_compat_unlock(AF_INET);
1691         if (ret)
1692                 goto free_newinfo;
1693
1694         ret = -ELOOP;
1695         if (!mark_source_chains(newinfo, valid_hooks, entry1))
1696                 goto free_newinfo;
1697
1698         /* And one copy for every other CPU */
1699         for_each_possible_cpu(i)
1700                 if (newinfo->entries[i] && newinfo->entries[i] != entry1)
1701                         memcpy(newinfo->entries[i], entry1, newinfo->size);
1702
1703         *pinfo = newinfo;
1704         *pentry0 = entry1;
1705         xt_free_table_info(info);
1706         return 0;
1707
1708 free_newinfo:
1709         xt_free_table_info(newinfo);
1710 out:
1711         IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j);
1712         return ret;
1713 out_unlock:
1714         compat_flush_offsets();
1715         xt_compat_unlock(AF_INET);
1716         goto out;
1717 }
1718
1719 static int
1720 compat_do_replace(void __user *user, unsigned int len)
1721 {
1722         int ret;
1723         struct compat_ipt_replace tmp;
1724         struct xt_table_info *newinfo;
1725         void *loc_cpu_entry;
1726
1727         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1728                 return -EFAULT;
1729
1730         /* Hack: Causes ipchains to give correct error msg --RR */
1731         if (len != sizeof(tmp) + tmp.size)
1732                 return -ENOPROTOOPT;
1733
1734         /* overflow check */
1735         if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
1736                         SMP_CACHE_BYTES)
1737                 return -ENOMEM;
1738         if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1739                 return -ENOMEM;
1740
1741         newinfo = xt_alloc_table_info(tmp.size);
1742         if (!newinfo)
1743                 return -ENOMEM;
1744
1745         /* choose the copy that is our node/cpu */
1746         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
1747         if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
1748                            tmp.size) != 0) {
1749                 ret = -EFAULT;
1750                 goto free_newinfo;
1751         }
1752
1753         ret = translate_compat_table(tmp.name, tmp.valid_hooks,
1754                               &newinfo, &loc_cpu_entry, tmp.size,
1755                               tmp.num_entries, tmp.hook_entry, tmp.underflow);
1756         if (ret != 0)
1757                 goto free_newinfo;
1758
1759         duprintf("compat_do_replace: Translated table\n");
1760
1761         ret = __do_replace(tmp.name, tmp.valid_hooks,
1762                               newinfo, tmp.num_counters,
1763                               compat_ptr(tmp.counters));
1764         if (ret)
1765                 goto free_newinfo_untrans;
1766         return 0;
1767
1768  free_newinfo_untrans:
1769         IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
1770  free_newinfo:
1771         xt_free_table_info(newinfo);
1772         return ret;
1773 }
1774
1775 static int
1776 compat_do_ipt_set_ctl(struct sock *sk,  int cmd, void __user *user,
1777                 unsigned int len)
1778 {
1779         int ret;
1780
1781         if (!capable(CAP_NET_ADMIN))
1782                 return -EPERM;
1783
1784         switch (cmd) {
1785         case IPT_SO_SET_REPLACE:
1786                 ret = compat_do_replace(user, len);
1787                 break;
1788
1789         case IPT_SO_SET_ADD_COUNTERS:
1790                 ret = do_add_counters(user, len, 1);
1791                 break;
1792
1793         default:
1794                 duprintf("do_ipt_set_ctl:  unknown request %i\n", cmd);
1795                 ret = -EINVAL;
1796         }
1797
1798         return ret;
1799 }
1800
1801 struct compat_ipt_get_entries
1802 {
1803         char name[IPT_TABLE_MAXNAMELEN];
1804         compat_uint_t size;
1805         struct compat_ipt_entry entrytable[0];
1806 };
1807
1808 static int compat_copy_entries_to_user(unsigned int total_size,
1809                      struct ipt_table *table, void __user *userptr)
1810 {
1811         unsigned int off, num;
1812         struct compat_ipt_entry e;
1813         struct xt_counters *counters;
1814         struct xt_table_info *private = table->private;
1815         void __user *pos;
1816         unsigned int size;
1817         int ret = 0;
1818         void *loc_cpu_entry;
1819
1820         counters = alloc_counters(table);
1821         if (IS_ERR(counters))
1822                 return PTR_ERR(counters);
1823
1824         /* choose the copy that is on our node/cpu, ...
1825          * This choice is lazy (because current thread is
1826          * allowed to migrate to another cpu)
1827          */
1828         loc_cpu_entry = private->entries[raw_smp_processor_id()];
1829         pos = userptr;
1830         size = total_size;
1831         ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
1832                         compat_copy_entry_to_user, &pos, &size);
1833         if (ret)
1834                 goto free_counters;
1835
1836         /* ... then go back and fix counters and names */
1837         for (off = 0, num = 0; off < size; off += e.next_offset, num++) {
1838                 unsigned int i;
1839                 struct ipt_entry_match m;
1840                 struct ipt_entry_target t;
1841
1842                 ret = -EFAULT;
1843                 if (copy_from_user(&e, userptr + off,
1844                                         sizeof(struct compat_ipt_entry)))
1845                         goto free_counters;
1846                 if (copy_to_user(userptr + off +
1847                         offsetof(struct compat_ipt_entry, counters),
1848                          &counters[num], sizeof(counters[num])))
1849                         goto free_counters;
1850
1851                 for (i = sizeof(struct compat_ipt_entry);
1852                                 i < e.target_offset; i += m.u.match_size) {
1853                         if (copy_from_user(&m, userptr + off + i,
1854                                         sizeof(struct ipt_entry_match)))
1855                                 goto free_counters;
1856                         if (copy_to_user(userptr + off + i +
1857                                 offsetof(struct ipt_entry_match, u.user.name),
1858                                 m.u.kernel.match->name,
1859                                 strlen(m.u.kernel.match->name) + 1))
1860                                 goto free_counters;
1861                 }
1862
1863                 if (copy_from_user(&t, userptr + off + e.target_offset,
1864                                         sizeof(struct ipt_entry_target)))
1865                         goto free_counters;
1866                 if (copy_to_user(userptr + off + e.target_offset +
1867                         offsetof(struct ipt_entry_target, u.user.name),
1868                         t.u.kernel.target->name,
1869                         strlen(t.u.kernel.target->name) + 1))
1870                         goto free_counters;
1871         }
1872         ret = 0;
1873 free_counters:
1874         vfree(counters);
1875         return ret;
1876 }
1877
1878 static int
1879 compat_get_entries(struct compat_ipt_get_entries __user *uptr, int *len)
1880 {
1881         int ret;
1882         struct compat_ipt_get_entries get;
1883         struct ipt_table *t;
1884
1885
1886         if (*len < sizeof(get)) {
1887                 duprintf("compat_get_entries: %u < %u\n",
1888                                 *len, (unsigned int)sizeof(get));
1889                 return -EINVAL;
1890         }
1891
1892         if (copy_from_user(&get, uptr, sizeof(get)) != 0)
1893                 return -EFAULT;
1894
1895         if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
1896                 duprintf("compat_get_entries: %u != %u\n", *len,
1897                         (unsigned int)(sizeof(struct compat_ipt_get_entries) +
1898                         get.size));
1899                 return -EINVAL;
1900         }
1901
1902         xt_compat_lock(AF_INET);
1903         t = xt_find_table_lock(AF_INET, get.name);
1904         if (t && !IS_ERR(t)) {
1905                 struct xt_table_info *private = t->private;
1906                 struct xt_table_info info;
1907                 duprintf("t->private->number = %u\n",
1908                          private->number);
1909                 ret = compat_table_info(private, &info);
1910                 if (!ret && get.size == info.size) {
1911                         ret = compat_copy_entries_to_user(private->size,
1912                                                    t, uptr->entrytable);
1913                 } else if (!ret) {
1914                         duprintf("compat_get_entries: I've got %u not %u!\n",
1915                                  private->size,
1916                                  get.size);
1917                         ret = -EINVAL;
1918                 }
1919                 compat_flush_offsets();
1920                 module_put(t->me);
1921                 xt_table_unlock(t);
1922         } else
1923                 ret = t ? PTR_ERR(t) : -ENOENT;
1924
1925         xt_compat_unlock(AF_INET);
1926         return ret;
1927 }
1928
1929 static int do_ipt_get_ctl(struct sock *, int, void __user *, int *);
1930
1931 static int
1932 compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1933 {
1934         int ret;
1935
1936         if (!capable(CAP_NET_ADMIN))
1937                 return -EPERM;
1938
1939         switch (cmd) {
1940         case IPT_SO_GET_INFO:
1941                 ret = get_info(user, len, 1);
1942                 break;
1943         case IPT_SO_GET_ENTRIES:
1944                 ret = compat_get_entries(user, len);
1945                 break;
1946         default:
1947                 ret = do_ipt_get_ctl(sk, cmd, user, len);
1948         }
1949         return ret;
1950 }
1951 #endif
1952
1953 static int
1954 do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
1955 {
1956         int ret;
1957
1958         if (!capable(CAP_NET_ADMIN))
1959                 return -EPERM;
1960
1961         switch (cmd) {
1962         case IPT_SO_SET_REPLACE:
1963                 ret = do_replace(user, len);
1964                 break;
1965
1966         case IPT_SO_SET_ADD_COUNTERS:
1967                 ret = do_add_counters(user, len, 0);
1968                 break;
1969
1970         default:
1971                 duprintf("do_ipt_set_ctl:  unknown request %i\n", cmd);
1972                 ret = -EINVAL;
1973         }
1974
1975         return ret;
1976 }
1977
1978 static int
1979 do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1980 {
1981         int ret;
1982
1983         if (!capable(CAP_NET_ADMIN))
1984                 return -EPERM;
1985
1986         switch (cmd) {
1987         case IPT_SO_GET_INFO:
1988                 ret = get_info(user, len, 0);
1989                 break;
1990
1991         case IPT_SO_GET_ENTRIES:
1992                 ret = get_entries(user, len);
1993                 break;
1994
1995         case IPT_SO_GET_REVISION_MATCH:
1996         case IPT_SO_GET_REVISION_TARGET: {
1997                 struct ipt_get_revision rev;
1998                 int target;
1999
2000                 if (*len != sizeof(rev)) {
2001                         ret = -EINVAL;
2002                         break;
2003                 }
2004                 if (copy_from_user(&rev, user, sizeof(rev)) != 0) {
2005                         ret = -EFAULT;
2006                         break;
2007                 }
2008
2009                 if (cmd == IPT_SO_GET_REVISION_TARGET)
2010                         target = 1;
2011                 else
2012                         target = 0;
2013
2014                 try_then_request_module(xt_find_revision(AF_INET, rev.name,
2015                                                          rev.revision,
2016                                                          target, &ret),
2017                                         "ipt_%s", rev.name);
2018                 break;
2019         }
2020
2021         default:
2022                 duprintf("do_ipt_get_ctl: unknown request %i\n", cmd);
2023                 ret = -EINVAL;
2024         }
2025
2026         return ret;
2027 }
2028
2029 int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
2030 {
2031         int ret;
2032         struct xt_table_info *newinfo;
2033         static struct xt_table_info bootstrap
2034                 = { 0, 0, 0, { 0 }, { 0 }, { } };
2035         void *loc_cpu_entry;
2036
2037         newinfo = xt_alloc_table_info(repl->size);
2038         if (!newinfo)
2039                 return -ENOMEM;
2040
2041         /* choose the copy on our node/cpu
2042          * but dont care of preemption
2043          */
2044         loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
2045         memcpy(loc_cpu_entry, repl->entries, repl->size);
2046
2047         ret = translate_table(table->name, table->valid_hooks,
2048                               newinfo, loc_cpu_entry, repl->size,
2049                               repl->num_entries,
2050                               repl->hook_entry,
2051                               repl->underflow);
2052         if (ret != 0) {
2053                 xt_free_table_info(newinfo);
2054                 return ret;
2055         }
2056
2057         ret = xt_register_table(table, &bootstrap, newinfo);
2058         if (ret != 0) {
2059                 xt_free_table_info(newinfo);
2060                 return ret;
2061         }
2062
2063         return 0;
2064 }
2065
2066 void ipt_unregister_table(struct ipt_table *table)
2067 {
2068         struct xt_table_info *private;
2069         void *loc_cpu_entry;
2070
2071         private = xt_unregister_table(table);
2072
2073         /* Decrease module usage counts and free resources */
2074         loc_cpu_entry = private->entries[raw_smp_processor_id()];
2075         IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
2076         xt_free_table_info(private);
2077 }
2078
2079 /* Returns 1 if the type and code is matched by the range, 0 otherwise */
2080 static inline int
2081 icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
2082                      u_int8_t type, u_int8_t code,
2083                      int invert)
2084 {
2085         return ((test_type == 0xFF) || (type == test_type && code >= min_code && code <= max_code))
2086                 ^ invert;
2087 }
2088
2089 static int
2090 icmp_match(const struct sk_buff *skb,
2091            const struct net_device *in,
2092            const struct net_device *out,
2093            const struct xt_match *match,
2094            const void *matchinfo,
2095            int offset,
2096            unsigned int protoff,
2097            int *hotdrop)
2098 {
2099         struct icmphdr _icmph, *ic;
2100         const struct ipt_icmp *icmpinfo = matchinfo;
2101
2102         /* Must not be a fragment. */
2103         if (offset)
2104                 return 0;
2105
2106         ic = skb_header_pointer(skb, protoff, sizeof(_icmph), &_icmph);
2107         if (ic == NULL) {
2108                 /* We've been asked to examine this packet, and we
2109                  * can't.  Hence, no choice but to drop.
2110                  */
2111                 duprintf("Dropping evil ICMP tinygram.\n");
2112                 *hotdrop = 1;
2113                 return 0;
2114         }
2115
2116         return icmp_type_code_match(icmpinfo->type,
2117                                     icmpinfo->code[0],
2118                                     icmpinfo->code[1],
2119                                     ic->type, ic->code,
2120                                     !!(icmpinfo->invflags&IPT_ICMP_INV));
2121 }
2122
2123 /* Called when user tries to insert an entry of this type. */
2124 static int
2125 icmp_checkentry(const char *tablename,
2126            const void *info,
2127            const struct xt_match *match,
2128            void *matchinfo,
2129            unsigned int hook_mask)
2130 {
2131         const struct ipt_icmp *icmpinfo = matchinfo;
2132
2133         /* Must specify no unknown invflags */
2134         return !(icmpinfo->invflags & ~IPT_ICMP_INV);
2135 }
2136
2137 /* The built-in targets: standard (NULL) and error. */
2138 static struct ipt_target ipt_standard_target = {
2139         .name           = IPT_STANDARD_TARGET,
2140         .targetsize     = sizeof(int),
2141         .family         = AF_INET,
2142 #ifdef CONFIG_COMPAT
2143         .compatsize     = sizeof(compat_int_t),
2144         .compat_from_user = compat_standard_from_user,
2145         .compat_to_user = compat_standard_to_user,
2146 #endif
2147 };
2148
2149 static struct ipt_target ipt_error_target = {
2150         .name           = IPT_ERROR_TARGET,
2151         .target         = ipt_error,
2152         .targetsize     = IPT_FUNCTION_MAXNAMELEN,
2153         .family         = AF_INET,
2154 };
2155
2156 static struct nf_sockopt_ops ipt_sockopts = {
2157         .pf             = PF_INET,
2158         .set_optmin     = IPT_BASE_CTL,
2159         .set_optmax     = IPT_SO_SET_MAX+1,
2160         .set            = do_ipt_set_ctl,
2161 #ifdef CONFIG_COMPAT
2162         .compat_set     = compat_do_ipt_set_ctl,
2163 #endif
2164         .get_optmin     = IPT_BASE_CTL,
2165         .get_optmax     = IPT_SO_GET_MAX+1,
2166         .get            = do_ipt_get_ctl,
2167 #ifdef CONFIG_COMPAT
2168         .compat_get     = compat_do_ipt_get_ctl,
2169 #endif
2170 };
2171
2172 static struct ipt_match icmp_matchstruct = {
2173         .name           = "icmp",
2174         .match          = icmp_match,
2175         .matchsize      = sizeof(struct ipt_icmp),
2176         .proto          = IPPROTO_ICMP,
2177         .family         = AF_INET,
2178         .checkentry     = icmp_checkentry,
2179 };
2180
2181 static int __init ip_tables_init(void)
2182 {
2183         int ret;
2184
2185         ret = xt_proto_init(AF_INET);
2186         if (ret < 0)
2187                 goto err1;
2188
2189         /* Noone else will be downing sem now, so we won't sleep */
2190         ret = xt_register_target(&ipt_standard_target);
2191         if (ret < 0)
2192                 goto err2;
2193         ret = xt_register_target(&ipt_error_target);
2194         if (ret < 0)
2195                 goto err3;
2196         ret = xt_register_match(&icmp_matchstruct);
2197         if (ret < 0)
2198                 goto err4;
2199
2200         /* Register setsockopt */
2201         ret = nf_register_sockopt(&ipt_sockopts);
2202         if (ret < 0)
2203                 goto err5;
2204
2205         printk("ip_tables: (C) 2000-2006 Netfilter Core Team\n");
2206         return 0;
2207
2208 err5:
2209         xt_unregister_match(&icmp_matchstruct);
2210 err4:
2211         xt_unregister_target(&ipt_error_target);
2212 err3:
2213         xt_unregister_target(&ipt_standard_target);
2214 err2:
2215         xt_proto_fini(AF_INET);
2216 err1:
2217         return ret;
2218 }
2219
2220 static void __exit ip_tables_fini(void)
2221 {
2222         nf_unregister_sockopt(&ipt_sockopts);
2223
2224         xt_unregister_match(&icmp_matchstruct);
2225         xt_unregister_target(&ipt_error_target);
2226         xt_unregister_target(&ipt_standard_target);
2227
2228         xt_proto_fini(AF_INET);
2229 }
2230
2231 EXPORT_SYMBOL(ipt_register_table);
2232 EXPORT_SYMBOL(ipt_unregister_table);
2233 EXPORT_SYMBOL(ipt_do_table);
2234 module_init(ip_tables_init);
2235 module_exit(ip_tables_fini);