// SPDX-License-Identifier: GPL-2.0-only /* * Packet matching code. * * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling * Copyright (C) 2000-2005 Netfilter Core Team <[email protected]> * Copyright (c) 2006-2010 Patrick McHardy <[email protected]> */ #define pr_fmt(fmt) … #include <linux/kernel.h> #include <linux/capability.h> #include <linux/in.h> #include <linux/skbuff.h> #include <linux/kmod.h> #include <linux/vmalloc.h> #include <linux/netdevice.h> #include <linux/module.h> #include <linux/poison.h> #include <net/ipv6.h> #include <net/compat.h> #include <linux/uaccess.h> #include <linux/mutex.h> #include <linux/proc_fs.h> #include <linux/err.h> #include <linux/cpumask.h> #include <linux/netfilter_ipv6/ip6_tables.h> #include <linux/netfilter/x_tables.h> #include <net/netfilter/nf_log.h> #include "../../netfilter/xt_repldata.h" MODULE_LICENSE(…) …; MODULE_AUTHOR(…) …; MODULE_DESCRIPTION(…) …; void *ip6t_alloc_initial_table(const struct xt_table *info) { … } EXPORT_SYMBOL_GPL(…); /* Returns whether matches rule or not. */ /* Performance critical - called for every packet */ static inline bool ip6_packet_match(const struct sk_buff *skb, const char *indev, const char *outdev, const struct ip6t_ip6 *ip6info, unsigned int *protoff, u16 *fragoff, bool *hotdrop) { … } /* should be ip6 safe */ static bool ip6_checkentry(const struct ip6t_ip6 *ipv6) { … } static unsigned int ip6t_error(struct sk_buff *skb, const struct xt_action_param *par) { … } static inline struct ip6t_entry * get_entry(const void *base, unsigned int offset) { … } /* All zeroes == unconditional rule. */ /* Mildly perf critical (only if packet tracing is on) */ static inline bool unconditional(const struct ip6t_entry *e) { … } static inline const struct xt_entry_target * ip6t_get_target_c(const struct ip6t_entry *e) { … } #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) /* This cries for unification! */ static const char *const hooknames[] = …; enum nf_ip_trace_comments { … }; static const char *const comments[] = …; static const struct nf_loginfo trace_loginfo = …; /* Mildly perf critical (only if packet tracing is on) */ static inline int get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e, const char *hookname, const char **chainname, const char **comment, unsigned int *rulenum) { … } static void trace_packet(struct net *net, const struct sk_buff *skb, unsigned int hook, const struct net_device *in, const struct net_device *out, const char *tablename, const struct xt_table_info *private, const struct ip6t_entry *e) { … } #endif static inline struct ip6t_entry * ip6t_next_entry(const struct ip6t_entry *entry) { … } /* Returns one of the generic firewall policies, like NF_ACCEPT. */ unsigned int ip6t_do_table(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { … } /* Figures out from what hook each rule can be called: returns 0 if there are loops. Puts hook bitmask in comefrom. */ static int mark_source_chains(const struct xt_table_info *newinfo, unsigned int valid_hooks, void *entry0, unsigned int *offsets) { … } static void cleanup_match(struct xt_entry_match *m, struct net *net) { … } static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) { … } static int find_check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) { … } static int check_target(struct ip6t_entry *e, struct net *net, const char *name) { … } static int find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, unsigned int size, struct xt_percpu_counter_alloc_state *alloc_state) { … } static bool check_underflow(const struct ip6t_entry *e) { … } static int check_entry_size_and_hooks(struct ip6t_entry *e, struct xt_table_info *newinfo, const unsigned char *base, const unsigned char *limit, const unsigned int *hook_entries, const unsigned int *underflows, unsigned int valid_hooks) { … } static void cleanup_entry(struct ip6t_entry *e, struct net *net) { … } /* Checks and translates the user-supplied table segment (held in newinfo) */ static int translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, const struct ip6t_replace *repl) { … } static void get_counters(const struct xt_table_info *t, struct xt_counters counters[]) { … } static void get_old_counters(const struct xt_table_info *t, struct xt_counters counters[]) { … } static struct xt_counters *alloc_counters(const struct xt_table *table) { … } static int copy_entries_to_user(unsigned int total_size, const struct xt_table *table, void __user *userptr) { … } #ifdef CONFIG_NETFILTER_XTABLES_COMPAT static void compat_standard_from_user(void *dst, const void *src) { … } static int compat_standard_to_user(void __user *dst, const void *src) { … } static int compat_calc_entry(const struct ip6t_entry *e, const struct xt_table_info *info, const void *base, struct xt_table_info *newinfo) { … } static int compat_table_info(const struct xt_table_info *info, struct xt_table_info *newinfo) { … } #endif static int get_info(struct net *net, void __user *user, const int *len) { … } static int get_entries(struct net *net, struct ip6t_get_entries __user *uptr, const int *len) { … } static int __do_replace(struct net *net, const char *name, unsigned int valid_hooks, struct xt_table_info *newinfo, unsigned int num_counters, void __user *counters_ptr) { … } static int do_replace(struct net *net, sockptr_t arg, unsigned int len) { … } static int do_add_counters(struct net *net, sockptr_t arg, unsigned int len) { … } #ifdef CONFIG_NETFILTER_XTABLES_COMPAT struct compat_ip6t_replace { … }; static int compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr, unsigned int *size, struct xt_counters *counters, unsigned int i) { … } static int compat_find_calc_match(struct xt_entry_match *m, const struct ip6t_ip6 *ipv6, int *size) { … } static void compat_release_entry(struct compat_ip6t_entry *e) { … } static int check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, struct xt_table_info *newinfo, unsigned int *size, const unsigned char *base, const unsigned char *limit) { … } static void compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, unsigned int *size, struct xt_table_info *newinfo, unsigned char *base) { … } static int translate_compat_table(struct net *net, struct xt_table_info **pinfo, void **pentry0, const struct compat_ip6t_replace *compatr) { … } static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) { … } struct compat_ip6t_get_entries { … }; static int compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table, void __user *userptr) { … } static int compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr, int *len) { … } #endif static int do_ip6t_set_ctl(struct sock *sk, int cmd, sockptr_t arg, unsigned int len) { … } static int do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) { … } static void __ip6t_unregister_table(struct net *net, struct xt_table *table) { … } int ip6t_register_table(struct net *net, const struct xt_table *table, const struct ip6t_replace *repl, const struct nf_hook_ops *template_ops) { … } void ip6t_unregister_table_pre_exit(struct net *net, const char *name) { … } void ip6t_unregister_table_exit(struct net *net, const char *name) { … } /* The built-in targets: standard (NULL) and error. */ static struct xt_target ip6t_builtin_tg[] __read_mostly = …; static struct nf_sockopt_ops ip6t_sockopts = …; static int __net_init ip6_tables_net_init(struct net *net) { … } static void __net_exit ip6_tables_net_exit(struct net *net) { … } static struct pernet_operations ip6_tables_net_ops = …; static int __init ip6_tables_init(void) { … } static void __exit ip6_tables_fini(void) { … } EXPORT_SYMBOL(…); EXPORT_SYMBOL(…); EXPORT_SYMBOL(…); EXPORT_SYMBOL(…); module_init(…) …; module_exit(ip6_tables_fini);
Codebase Browser
linux