search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[PATCH] softmac: reduce scan dwell time
[linux-2.6/sactl.git] / net / netfilter / x_tables.c
bloba657ab5394c3555f389cd7a81104f681b8621967
1 /*
2 * x_tables core - Backend for {ip,ip6,arp}_tables
3 *
4 * Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
5 *
6 * Based on existing ip_tables code which is
7 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
8 * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
13 *
14 */
15
16 #include <linux/config.h>
17 #include <linux/kernel.h>
18 #include <linux/socket.h>
19 #include <linux/net.h>
20 #include <linux/proc_fs.h>
21 #include <linux/seq_file.h>
22 #include <linux/string.h>
23 #include <linux/vmalloc.h>
24 #include <linux/mutex.h>
25
26 #include <linux/netfilter/x_tables.h>
27 #include <linux/netfilter_arp.h>
28
29
30 MODULE_LICENSE("GPL");
31 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
32 MODULE_DESCRIPTION("[ip,ip6,arp]_tables backend module");
33
34 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
35
36 struct xt_af {
37 struct mutex mutex;
38 struct list_head match;
39 struct list_head target;
40 struct list_head tables;
41 };
42
43 static struct xt_af *xt;
44
45 #ifdef DEBUG_IP_FIREWALL_USER
46 #define duprintf(format, args...) printk(format , ## args)
47 #else
48 #define duprintf(format, args...)
49 #endif
50
51 enum {
52 TABLE,
53 TARGET,
54 MATCH,
55 };
56
57 static const char *xt_prefix[NPROTO] = {
58 [AF_INET] = "ip",
59 [AF_INET6] = "ip6",
60 [NF_ARP] = "arp",
61 };
62
63 /* Registration hooks for targets. */
64 int
65 xt_register_target(struct xt_target *target)
66 {
67 int ret, af = target->family;
68
69 ret = mutex_lock_interruptible(&xt[af].mutex);
70 if (ret != 0)
71 return ret;
72 list_add(&target->list, &xt[af].target);
73 mutex_unlock(&xt[af].mutex);
74 return ret;
75 }
76 EXPORT_SYMBOL(xt_register_target);
77
78 void
79 xt_unregister_target(struct xt_target *target)
80 {
81 int af = target->family;
82
83 mutex_lock(&xt[af].mutex);
84 LIST_DELETE(&xt[af].target, target);
85 mutex_unlock(&xt[af].mutex);
86 }
87 EXPORT_SYMBOL(xt_unregister_target);
88
89 int
90 xt_register_match(struct xt_match *match)
91 {
92 int ret, af = match->family;
93
94 ret = mutex_lock_interruptible(&xt[af].mutex);
95 if (ret != 0)
96 return ret;
97
98 list_add(&match->list, &xt[af].match);
99 mutex_unlock(&xt[af].mutex);
100
101 return ret;
102 }
103 EXPORT_SYMBOL(xt_register_match);
104
105 void
106 xt_unregister_match(struct xt_match *match)
107 {
108 int af = match->family;
109
110 mutex_lock(&xt[af].mutex);
111 LIST_DELETE(&xt[af].match, match);
112 mutex_unlock(&xt[af].mutex);
113 }
114 EXPORT_SYMBOL(xt_unregister_match);
115
116
117 /*
118 * These are weird, but module loading must not be done with mutex
119 * held (since they will register), and we have to have a single
120 * function to use try_then_request_module().
121 */
122
123 /* Find match, grabs ref. Returns ERR_PTR() on error. */
124 struct xt_match *xt_find_match(int af, const char *name, u8 revision)
125 {
126 struct xt_match *m;
127 int err = 0;
128
129 if (mutex_lock_interruptible(&xt[af].mutex) != 0)
130 return ERR_PTR(-EINTR);
131
132 list_for_each_entry(m, &xt[af].match, list) {
133 if (strcmp(m->name, name) == 0) {
134 if (m->revision == revision) {
135 if (try_module_get(m->me)) {
136 mutex_unlock(&xt[af].mutex);
137 return m;
138 }
139 } else
140 err = -EPROTOTYPE; /* Found something. */
141 }
142 }
143 mutex_unlock(&xt[af].mutex);
144 return ERR_PTR(err);
145 }
146 EXPORT_SYMBOL(xt_find_match);
147
148 /* Find target, grabs ref. Returns ERR_PTR() on error. */
149 struct xt_target *xt_find_target(int af, const char *name, u8 revision)
150 {
151 struct xt_target *t;
152 int err = 0;
153
154 if (mutex_lock_interruptible(&xt[af].mutex) != 0)
155 return ERR_PTR(-EINTR);
156
157 list_for_each_entry(t, &xt[af].target, list) {
158 if (strcmp(t->name, name) == 0) {
159 if (t->revision == revision) {
160 if (try_module_get(t->me)) {
161 mutex_unlock(&xt[af].mutex);
162 return t;
163 }
164 } else
165 err = -EPROTOTYPE; /* Found something. */
166 }
167 }
168 mutex_unlock(&xt[af].mutex);
169 return ERR_PTR(err);
170 }
171 EXPORT_SYMBOL(xt_find_target);
172
173 struct xt_target *xt_request_find_target(int af, const char *name, u8 revision)
174 {
175 struct xt_target *target;
176
177 target = try_then_request_module(xt_find_target(af, name, revision),
178 "%st_%s", xt_prefix[af], name);
179 if (IS_ERR(target) || !target)
180 return NULL;
181 return target;
182 }
183 EXPORT_SYMBOL_GPL(xt_request_find_target);
184
185 static int match_revfn(int af, const char *name, u8 revision, int *bestp)
186 {
187 struct xt_match *m;
188 int have_rev = 0;
189
190 list_for_each_entry(m, &xt[af].match, list) {
191 if (strcmp(m->name, name) == 0) {
192 if (m->revision > *bestp)
193 *bestp = m->revision;
194 if (m->revision == revision)
195 have_rev = 1;
196 }
197 }
198 return have_rev;
199 }
200
201 static int target_revfn(int af, const char *name, u8 revision, int *bestp)
202 {
203 struct xt_target *t;
204 int have_rev = 0;
205
206 list_for_each_entry(t, &xt[af].target, list) {
207 if (strcmp(t->name, name) == 0) {
208 if (t->revision > *bestp)
209 *bestp = t->revision;
210 if (t->revision == revision)
211 have_rev = 1;
212 }
213 }
214 return have_rev;
215 }
216
217 /* Returns true or false (if no such extension at all) */
218 int xt_find_revision(int af, const char *name, u8 revision, int target,
219 int *err)
220 {
221 int have_rev, best = -1;
222
223 if (mutex_lock_interruptible(&xt[af].mutex) != 0) {
224 *err = -EINTR;
225 return 1;
226 }
227 if (target == 1)
228 have_rev = target_revfn(af, name, revision, &best);
229 else
230 have_rev = match_revfn(af, name, revision, &best);
231 mutex_unlock(&xt[af].mutex);
232
233 /* Nothing at all? Return 0 to try loading module. */
234 if (best == -1) {
235 *err = -ENOENT;
236 return 0;
237 }
238
239 *err = best;
240 if (!have_rev)
241 *err = -EPROTONOSUPPORT;
242 return 1;
243 }
244 EXPORT_SYMBOL_GPL(xt_find_revision);
245
246 int xt_check_match(const struct xt_match *match, unsigned short family,
247 unsigned int size, const char *table, unsigned int hook_mask,
248 unsigned short proto, int inv_proto)
249 {
250 if (XT_ALIGN(match->matchsize) != size) {
251 printk("%s_tables: %s match: invalid size %Zu != %u\n",
252 xt_prefix[family], match->name,
253 XT_ALIGN(match->matchsize), size);
254 return -EINVAL;
255 }
256 if (match->table && strcmp(match->table, table)) {
257 printk("%s_tables: %s match: only valid in %s table, not %s\n",
258 xt_prefix[family], match->name, match->table, table);
259 return -EINVAL;
260 }
261 if (match->hooks && (hook_mask & ~match->hooks) != 0) {
262 printk("%s_tables: %s match: bad hook_mask %u\n",
263 xt_prefix[family], match->name, hook_mask);
264 return -EINVAL;
265 }
266 if (match->proto && (match->proto != proto || inv_proto)) {
267 printk("%s_tables: %s match: only valid for protocol %u\n",
268 xt_prefix[family], match->name, match->proto);
269 return -EINVAL;
270 }
271 return 0;
272 }
273 EXPORT_SYMBOL_GPL(xt_check_match);
274
275 int xt_check_target(const struct xt_target *target, unsigned short family,
276 unsigned int size, const char *table, unsigned int hook_mask,
277 unsigned short proto, int inv_proto)
278 {
279 if (XT_ALIGN(target->targetsize) != size) {
280 printk("%s_tables: %s target: invalid size %Zu != %u\n",
281 xt_prefix[family], target->name,
282 XT_ALIGN(target->targetsize), size);
283 return -EINVAL;
284 }
285 if (target->table && strcmp(target->table, table)) {
286 printk("%s_tables: %s target: only valid in %s table, not %s\n",
287 xt_prefix[family], target->name, target->table, table);
288 return -EINVAL;
289 }
290 if (target->hooks && (hook_mask & ~target->hooks) != 0) {
291 printk("%s_tables: %s target: bad hook_mask %u\n",
292 xt_prefix[family], target->name, hook_mask);
293 return -EINVAL;
294 }
295 if (target->proto && (target->proto != proto || inv_proto)) {
296 printk("%s_tables: %s target: only valid for protocol %u\n",
297 xt_prefix[family], target->name, target->proto);
298 return -EINVAL;
299 }
300 return 0;
301 }
302 EXPORT_SYMBOL_GPL(xt_check_target);
303
304 struct xt_table_info *xt_alloc_table_info(unsigned int size)
305 {
306 struct xt_table_info *newinfo;
307 int cpu;
308
309 /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
310 if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > num_physpages)
311 return NULL;
312
313 newinfo = kzalloc(sizeof(struct xt_table_info), GFP_KERNEL);
314 if (!newinfo)
315 return NULL;
316
317 newinfo->size = size;
318
319 for_each_cpu(cpu) {
320 if (size <= PAGE_SIZE)
321 newinfo->entries[cpu] = kmalloc_node(size,
322 GFP_KERNEL,
323 cpu_to_node(cpu));
324 else
325 newinfo->entries[cpu] = vmalloc_node(size,
326 cpu_to_node(cpu));
327
328 if (newinfo->entries[cpu] == NULL) {
329 xt_free_table_info(newinfo);
330 return NULL;
331 }
332 }
333
334 return newinfo;
335 }
336 EXPORT_SYMBOL(xt_alloc_table_info);
337
338 void xt_free_table_info(struct xt_table_info *info)
339 {
340 int cpu;
341
342 for_each_cpu(cpu) {
343 if (info->size <= PAGE_SIZE)
344 kfree(info->entries[cpu]);
345 else
346 vfree(info->entries[cpu]);
347 }
348 kfree(info);
349 }
350 EXPORT_SYMBOL(xt_free_table_info);
351
352 /* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */
353 struct xt_table *xt_find_table_lock(int af, const char *name)
354 {
355 struct xt_table *t;
356
357 if (mutex_lock_interruptible(&xt[af].mutex) != 0)
358 return ERR_PTR(-EINTR);
359
360 list_for_each_entry(t, &xt[af].tables, list)
361 if (strcmp(t->name, name) == 0 && try_module_get(t->me))
362 return t;
363 mutex_unlock(&xt[af].mutex);
364 return NULL;
365 }
366 EXPORT_SYMBOL_GPL(xt_find_table_lock);
367
368 void xt_table_unlock(struct xt_table *table)
369 {
370 mutex_unlock(&xt[table->af].mutex);
371 }
372 EXPORT_SYMBOL_GPL(xt_table_unlock);
373
374
375 struct xt_table_info *
376 xt_replace_table(struct xt_table *table,
377 unsigned int num_counters,
378 struct xt_table_info *newinfo,
379 int *error)
380 {
381 struct xt_table_info *oldinfo, *private;
382
383 /* Do the substitution. */
384 write_lock_bh(&table->lock);
385 private = table->private;
386 /* Check inside lock: is the old number correct? */
387 if (num_counters != private->number) {
388 duprintf("num_counters != table->private->number (%u/%u)\n",
389 num_counters, private->number);
390 write_unlock_bh(&table->lock);
391 *error = -EAGAIN;
392 return NULL;
393 }
394 oldinfo = private;
395 table->private = newinfo;
396 newinfo->initial_entries = oldinfo->initial_entries;
397 write_unlock_bh(&table->lock);
398
399 return oldinfo;
400 }
401 EXPORT_SYMBOL_GPL(xt_replace_table);
402
403 int xt_register_table(struct xt_table *table,
404 struct xt_table_info *bootstrap,
405 struct xt_table_info *newinfo)
406 {
407 int ret;
408 struct xt_table_info *private;
409
410 ret = mutex_lock_interruptible(&xt[table->af].mutex);
411 if (ret != 0)
412 return ret;
413
414 /* Don't autoload: we'd eat our tail... */
415 if (list_named_find(&xt[table->af].tables, table->name)) {
416 ret = -EEXIST;
417 goto unlock;
418 }
419
420 /* Simplifies replace_table code. */
421 table->private = bootstrap;
422 if (!xt_replace_table(table, 0, newinfo, &ret))
423 goto unlock;
424
425 private = table->private;
426 duprintf("table->private->number = %u\n", private->number);
427
428 /* save number of initial entries */
429 private->initial_entries = private->number;
430
431 rwlock_init(&table->lock);
432 list_prepend(&xt[table->af].tables, table);
433
434 ret = 0;
435 unlock:
436 mutex_unlock(&xt[table->af].mutex);
437 return ret;
438 }
439 EXPORT_SYMBOL_GPL(xt_register_table);
440
441 void *xt_unregister_table(struct xt_table *table)
442 {
443 struct xt_table_info *private;
444
445 mutex_lock(&xt[table->af].mutex);
446 private = table->private;
447 LIST_DELETE(&xt[table->af].tables, table);
448 mutex_unlock(&xt[table->af].mutex);
449
450 return private;
451 }
452 EXPORT_SYMBOL_GPL(xt_unregister_table);
453
454 #ifdef CONFIG_PROC_FS
455 static char *xt_proto_prefix[NPROTO] = {
456 [AF_INET] = "ip",
457 [AF_INET6] = "ip6",
458 [NF_ARP] = "arp",
459 };
460
461 static struct list_head *xt_get_idx(struct list_head *list, struct seq_file *seq, loff_t pos)
462 {
463 struct list_head *head = list->next;
464
465 if (!head || list_empty(list))
466 return NULL;
467
468 while (pos && (head = head->next)) {
469 if (head == list)
470 return NULL;
471 pos--;
472 }
473 return pos ? NULL : head;
474 }
475
476 static struct list_head *type2list(u_int16_t af, u_int16_t type)
477 {
478 struct list_head *list;
479
480 switch (type) {
481 case TARGET:
482 list = &xt[af].target;
483 break;
484 case MATCH:
485 list = &xt[af].match;
486 break;
487 case TABLE:
488 list = &xt[af].tables;
489 break;
490 default:
491 list = NULL;
492 break;
493 }
494
495 return list;
496 }
497
498 static void *xt_tgt_seq_start(struct seq_file *seq, loff_t *pos)
499 {
500 struct proc_dir_entry *pde = (struct proc_dir_entry *) seq->private;
501 u_int16_t af = (unsigned long)pde->data & 0xffff;
502 u_int16_t type = (unsigned long)pde->data >> 16;
503 struct list_head *list;
504
505 if (af >= NPROTO)
506 return NULL;
507
508 list = type2list(af, type);
509 if (!list)
510 return NULL;
511
512 if (mutex_lock_interruptible(&xt[af].mutex) != 0)
513 return NULL;
514
515 return xt_get_idx(list, seq, *pos);
516 }
517
518 static void *xt_tgt_seq_next(struct seq_file *seq, void *v, loff_t *pos)
519 {
520 struct proc_dir_entry *pde = seq->private;
521 u_int16_t af = (unsigned long)pde->data & 0xffff;
522 u_int16_t type = (unsigned long)pde->data >> 16;
523 struct list_head *list;
524
525 if (af >= NPROTO)
526 return NULL;
527
528 list = type2list(af, type);
529 if (!list)
530 return NULL;
531
532 (*pos)++;
533 return xt_get_idx(list, seq, *pos);
534 }
535
536 static void xt_tgt_seq_stop(struct seq_file *seq, void *v)
537 {
538 struct proc_dir_entry *pde = seq->private;
539 u_int16_t af = (unsigned long)pde->data & 0xffff;
540
541 mutex_unlock(&xt[af].mutex);
542 }
543
544 static int xt_name_seq_show(struct seq_file *seq, void *v)
545 {
546 char *name = (char *)v + sizeof(struct list_head);
547
548 if (strlen(name))
549 return seq_printf(seq, "%s\n", name);
550 else
551 return 0;
552 }
553
554 static struct seq_operations xt_tgt_seq_ops = {
555 .start = xt_tgt_seq_start,
556 .next = xt_tgt_seq_next,
557 .stop = xt_tgt_seq_stop,
558 .show = xt_name_seq_show,
559 };
560
561 static int xt_tgt_open(struct inode *inode, struct file *file)
562 {
563 int ret;
564
565 ret = seq_open(file, &xt_tgt_seq_ops);
566 if (!ret) {
567 struct seq_file *seq = file->private_data;
568 struct proc_dir_entry *pde = PDE(inode);
569
570 seq->private = pde;
571 }
572
573 return ret;
574 }
575
576 static struct file_operations xt_file_ops = {
577 .owner = THIS_MODULE,
578 .open = xt_tgt_open,
579 .read = seq_read,
580 .llseek = seq_lseek,
581 .release = seq_release,
582 };
583
584 #define FORMAT_TABLES "_tables_names"
585 #define FORMAT_MATCHES "_tables_matches"
586 #define FORMAT_TARGETS "_tables_targets"
587
588 #endif /* CONFIG_PROC_FS */
589
590 int xt_proto_init(int af)
591 {
592 #ifdef CONFIG_PROC_FS
593 char buf[XT_FUNCTION_MAXNAMELEN];
594 struct proc_dir_entry *proc;
595 #endif
596
597 if (af >= NPROTO)
598 return -EINVAL;
599
600
601 #ifdef CONFIG_PROC_FS
602 strlcpy(buf, xt_proto_prefix[af], sizeof(buf));
603 strlcat(buf, FORMAT_TABLES, sizeof(buf));
604 proc = proc_net_fops_create(buf, 0440, &xt_file_ops);
605 if (!proc)
606 goto out;
607 proc->data = (void *) ((unsigned long) af | (TABLE << 16));
608
609
610 strlcpy(buf, xt_proto_prefix[af], sizeof(buf));
611 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
612 proc = proc_net_fops_create(buf, 0440, &xt_file_ops);
613 if (!proc)
614 goto out_remove_tables;
615 proc->data = (void *) ((unsigned long) af | (MATCH << 16));
616
617 strlcpy(buf, xt_proto_prefix[af], sizeof(buf));
618 strlcat(buf, FORMAT_TARGETS, sizeof(buf));
619 proc = proc_net_fops_create(buf, 0440, &xt_file_ops);
620 if (!proc)
621 goto out_remove_matches;
622 proc->data = (void *) ((unsigned long) af | (TARGET << 16));
623 #endif
624
625 return 0;
626
627 #ifdef CONFIG_PROC_FS
628 out_remove_matches:
629 strlcpy(buf, xt_proto_prefix[af], sizeof(buf));
630 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
631 proc_net_remove(buf);
632
633 out_remove_tables:
634 strlcpy(buf, xt_proto_prefix[af], sizeof(buf));
635 strlcat(buf, FORMAT_TABLES, sizeof(buf));
636 proc_net_remove(buf);
637 out:
638 return -1;
639 #endif
640 }
641 EXPORT_SYMBOL_GPL(xt_proto_init);
642
643 void xt_proto_fini(int af)
644 {
645 #ifdef CONFIG_PROC_FS
646 char buf[XT_FUNCTION_MAXNAMELEN];
647
648 strlcpy(buf, xt_proto_prefix[af], sizeof(buf));
649 strlcat(buf, FORMAT_TABLES, sizeof(buf));
650 proc_net_remove(buf);
651
652 strlcpy(buf, xt_proto_prefix[af], sizeof(buf));
653 strlcat(buf, FORMAT_TARGETS, sizeof(buf));
654 proc_net_remove(buf);
655
656 strlcpy(buf, xt_proto_prefix[af], sizeof(buf));
657 strlcat(buf, FORMAT_MATCHES, sizeof(buf));
658 proc_net_remove(buf);
659 #endif /*CONFIG_PROC_FS*/
660 }
661 EXPORT_SYMBOL_GPL(xt_proto_fini);
662
663
664 static int __init xt_init(void)
665 {
666 int i;
667
668 xt = kmalloc(sizeof(struct xt_af) * NPROTO, GFP_KERNEL);
669 if (!xt)
670 return -ENOMEM;
671
672 for (i = 0; i < NPROTO; i++) {
673 mutex_init(&xt[i].mutex);
674 INIT_LIST_HEAD(&xt[i].target);
675 INIT_LIST_HEAD(&xt[i].match);
676 INIT_LIST_HEAD(&xt[i].tables);
677 }
678 return 0;
679 }
680
681 static void __exit xt_fini(void)
682 {
683 kfree(xt);
684 }
685
686 module_init(xt_init);
687 module_exit(xt_fini);
688
SocketAccessConTroL development