// SPDX-License-Identifier: GPL-2.0-only /* * Packet matching code. * * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling * Copyright (C) 2000-2005 Netfilter Core Team <[email protected]> * Copyright (C) 2006-2010 Patrick McHardy <[email protected]> */ #define pr_fmt(fmt) … #include <linux/cache.h> #include <linux/capability.h> #include <linux/skbuff.h> #include <linux/kmod.h> #include <linux/vmalloc.h> #include <linux/netdevice.h> #include <linux/module.h> #include <net/ip.h> #include <net/compat.h> #include <linux/uaccess.h> #include <linux/mutex.h> #include <linux/proc_fs.h> #include <linux/err.h> #include <linux/cpumask.h> #include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv4/ip_tables.h> #include <net/netfilter/nf_log.h> #include "../../netfilter/xt_repldata.h" MODULE_LICENSE(…) …; MODULE_AUTHOR(…) …; MODULE_DESCRIPTION(…) …; void *ipt_alloc_initial_table(const struct xt_table *info) { … } EXPORT_SYMBOL_GPL(…); /* Returns whether matches rule or not. */ /* Performance critical - called for every packet */ static inline bool ip_packet_match(const struct iphdr *ip, const char *indev, const char *outdev, const struct ipt_ip *ipinfo, int isfrag) { … } static bool ip_checkentry(const struct ipt_ip *ip) { … } static unsigned int ipt_error(struct sk_buff *skb, const struct xt_action_param *par) { … } /* Performance critical */ static inline struct ipt_entry * get_entry(const void *base, unsigned int offset) { … } /* All zeroes == unconditional rule. */ /* Mildly perf critical (only if packet tracing is on) */ static inline bool unconditional(const struct ipt_entry *e) { … } /* for const-correctness */ static inline const struct xt_entry_target * ipt_get_target_c(const struct ipt_entry *e) { … } #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) static const char *const hooknames[] = …; enum nf_ip_trace_comments { … }; static const char *const comments[] = …; static const struct nf_loginfo trace_loginfo = …; /* Mildly perf critical (only if packet tracing is on) */ static inline int get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e, const char *hookname, const char **chainname, const char **comment, unsigned int *rulenum) { … } static void trace_packet(struct net *net, const struct sk_buff *skb, unsigned int hook, const struct net_device *in, const struct net_device *out, const char *tablename, const struct xt_table_info *private, const struct ipt_entry *e) { … } #endif static inline struct ipt_entry *ipt_next_entry(const struct ipt_entry *entry) { … } /* Returns one of the generic firewall policies, like NF_ACCEPT. */ unsigned int ipt_do_table(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { … } /* Figures out from what hook each rule can be called: returns 0 if there are loops. Puts hook bitmask in comefrom. */ static int mark_source_chains(const struct xt_table_info *newinfo, unsigned int valid_hooks, void *entry0, unsigned int *offsets) { … } static void cleanup_match(struct xt_entry_match *m, struct net *net) { … } static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) { … } static int find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) { … } static int check_target(struct ipt_entry *e, struct net *net, const char *name) { … } static int find_check_entry(struct ipt_entry *e, struct net *net, const char *name, unsigned int size, struct xt_percpu_counter_alloc_state *alloc_state) { … } static bool check_underflow(const struct ipt_entry *e) { … } static int check_entry_size_and_hooks(struct ipt_entry *e, struct xt_table_info *newinfo, const unsigned char *base, const unsigned char *limit, const unsigned int *hook_entries, const unsigned int *underflows, unsigned int valid_hooks) { … } static void cleanup_entry(struct ipt_entry *e, struct net *net) { … } /* Checks and translates the user-supplied table segment (held in newinfo) */ static int translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, const struct ipt_replace *repl) { … } static void get_counters(const struct xt_table_info *t, struct xt_counters counters[]) { … } static void get_old_counters(const struct xt_table_info *t, struct xt_counters counters[]) { … } static struct xt_counters *alloc_counters(const struct xt_table *table) { … } static int copy_entries_to_user(unsigned int total_size, const struct xt_table *table, void __user *userptr) { … } #ifdef CONFIG_NETFILTER_XTABLES_COMPAT static void compat_standard_from_user(void *dst, const void *src) { … } static int compat_standard_to_user(void __user *dst, const void *src) { … } static int compat_calc_entry(const struct ipt_entry *e, const struct xt_table_info *info, const void *base, struct xt_table_info *newinfo) { … } static int compat_table_info(const struct xt_table_info *info, struct xt_table_info *newinfo) { … } #endif static int get_info(struct net *net, void __user *user, const int *len) { … } static int get_entries(struct net *net, struct ipt_get_entries __user *uptr, const int *len) { … } static int __do_replace(struct net *net, const char *name, unsigned int valid_hooks, struct xt_table_info *newinfo, unsigned int num_counters, void __user *counters_ptr) { … } static int do_replace(struct net *net, sockptr_t arg, unsigned int len) { … } static int do_add_counters(struct net *net, sockptr_t arg, unsigned int len) { … } #ifdef CONFIG_NETFILTER_XTABLES_COMPAT struct compat_ipt_replace { … }; static int compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr, unsigned int *size, struct xt_counters *counters, unsigned int i) { … } static int compat_find_calc_match(struct xt_entry_match *m, const struct ipt_ip *ip, int *size) { … } static void compat_release_entry(struct compat_ipt_entry *e) { … } static int check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, struct xt_table_info *newinfo, unsigned int *size, const unsigned char *base, const unsigned char *limit) { … } static void compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, unsigned int *size, struct xt_table_info *newinfo, unsigned char *base) { … } static int translate_compat_table(struct net *net, struct xt_table_info **pinfo, void **pentry0, const struct compat_ipt_replace *compatr) { … } static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) { … } struct compat_ipt_get_entries { … }; static int compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table, void __user *userptr) { … } static int compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr, int *len) { … } #endif static int do_ipt_set_ctl(struct sock *sk, int cmd, sockptr_t arg, unsigned int len) { … } static int do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) { … } static void __ipt_unregister_table(struct net *net, struct xt_table *table) { … } int ipt_register_table(struct net *net, const struct xt_table *table, const struct ipt_replace *repl, const struct nf_hook_ops *template_ops) { … } void ipt_unregister_table_pre_exit(struct net *net, const char *name) { … } void ipt_unregister_table_exit(struct net *net, const char *name) { … } static struct xt_target ipt_builtin_tg[] __read_mostly = …; static struct nf_sockopt_ops ipt_sockopts = …; static int __net_init ip_tables_net_init(struct net *net) { … } static void __net_exit ip_tables_net_exit(struct net *net) { … } static struct pernet_operations ip_tables_net_ops = …; static int __init ip_tables_init(void) { … } static void __exit ip_tables_fini(void) { … } EXPORT_SYMBOL(…); EXPORT_SYMBOL(…); EXPORT_SYMBOL(…); EXPORT_SYMBOL(…); module_init(…) …; module_exit(ip_tables_fini);
Codebase Browser
linux