aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-03-20 20:59:06 -0500
committerDavid S. Miller <davem@davemloft.net>2006-03-20 20:59:06 -0500
commit37f9f7334b86ffc3b8a1921842ae33cb9aa22ee3 (patch)
treed207ae0a0f2eb37072dd4690de95b6cf170e4e04
parent6ea46c9c12da79ec6eead0cf4b3114143dd30bc1 (diff)
[NETFILTER]: xt_tables: add centralized error checking
Introduce new functions for common match/target checks (private data size, valid hooks, valid tables and valid protocols) to get more consistent error reporting and to avoid each module duplicating them. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/linux/netfilter/x_tables.h23
-rw-r--r--net/netfilter/x_tables.c72
2 files changed, 84 insertions, 11 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 6500d4e59d46..b9c37e1e6730 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -92,8 +92,6 @@ struct xt_match
92 92
93 const char name[XT_FUNCTION_MAXNAMELEN-1]; 93 const char name[XT_FUNCTION_MAXNAMELEN-1];
94 94
95 u_int8_t revision;
96
97 /* Return true or false: return FALSE and set *hotdrop = 1 to 95 /* Return true or false: return FALSE and set *hotdrop = 1 to
98 force immediate packet drop. */ 96 force immediate packet drop. */
99 /* Arguments changed since 2.6.9, as this must now handle 97 /* Arguments changed since 2.6.9, as this must now handle
@@ -120,6 +118,12 @@ struct xt_match
120 118
121 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 119 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
122 struct module *me; 120 struct module *me;
121
122 char *table;
123 unsigned int matchsize;
124 unsigned int hooks;
125 unsigned short proto;
126 u_int8_t revision;
123}; 127};
124 128
125/* Registration hooks for targets. */ 129/* Registration hooks for targets. */
@@ -129,8 +133,6 @@ struct xt_target
129 133
130 const char name[XT_FUNCTION_MAXNAMELEN-1]; 134 const char name[XT_FUNCTION_MAXNAMELEN-1];
131 135
132 u_int8_t revision;
133
134 /* Returns verdict. Argument order changed since 2.6.9, as this 136 /* Returns verdict. Argument order changed since 2.6.9, as this
135 must now handle non-linear skbs, using skb_copy_bits and 137 must now handle non-linear skbs, using skb_copy_bits and
136 skb_ip_make_writable. */ 138 skb_ip_make_writable. */
@@ -156,6 +158,12 @@ struct xt_target
156 158
157 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 159 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
158 struct module *me; 160 struct module *me;
161
162 char *table;
163 unsigned int targetsize;
164 unsigned int hooks;
165 unsigned short proto;
166 u_int8_t revision;
159}; 167};
160 168
161/* Furniture shopping... */ 169/* Furniture shopping... */
@@ -207,6 +215,13 @@ extern void xt_unregister_target(int af, struct xt_target *target);
207extern int xt_register_match(int af, struct xt_match *target); 215extern int xt_register_match(int af, struct xt_match *target);
208extern void xt_unregister_match(int af, struct xt_match *target); 216extern void xt_unregister_match(int af, struct xt_match *target);
209 217
218extern int xt_check_match(const struct xt_match *match, unsigned short family,
219 unsigned int size, const char *table, unsigned int hook,
220 unsigned short proto, int inv_proto);
221extern int xt_check_target(const struct xt_target *target, unsigned short family,
222 unsigned int size, const char *table, unsigned int hook,
223 unsigned short proto, int inv_proto);
224
210extern int xt_register_table(struct xt_table *table, 225extern int xt_register_table(struct xt_table *table,
211 struct xt_table_info *bootstrap, 226 struct xt_table_info *bootstrap,
212 struct xt_table_info *newinfo); 227 struct xt_table_info *newinfo);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index d7817afc6b96..750b92829766 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -52,6 +52,12 @@ enum {
52 MATCH, 52 MATCH,
53}; 53};
54 54
55static const char *xt_prefix[NPROTO] = {
56 [AF_INET] = "ip",
57 [AF_INET6] = "ip6",
58 [NF_ARP] = "arp",
59};
60
55/* Registration hooks for targets. */ 61/* Registration hooks for targets. */
56int 62int
57xt_register_target(int af, struct xt_target *target) 63xt_register_target(int af, struct xt_target *target)
@@ -158,18 +164,12 @@ struct xt_target *xt_find_target(int af, const char *name, u8 revision)
158} 164}
159EXPORT_SYMBOL(xt_find_target); 165EXPORT_SYMBOL(xt_find_target);
160 166
161static const char *xt_prefix[NPROTO] = {
162 [AF_INET] = "ipt_%s",
163 [AF_INET6] = "ip6t_%s",
164 [NF_ARP] = "arpt_%s",
165};
166
167struct xt_target *xt_request_find_target(int af, const char *name, u8 revision) 167struct xt_target *xt_request_find_target(int af, const char *name, u8 revision)
168{ 168{
169 struct xt_target *target; 169 struct xt_target *target;
170 170
171 target = try_then_request_module(xt_find_target(af, name, revision), 171 target = try_then_request_module(xt_find_target(af, name, revision),
172 xt_prefix[af], name); 172 "%st_%s", xt_prefix[af], name);
173 if (IS_ERR(target) || !target) 173 if (IS_ERR(target) || !target)
174 return NULL; 174 return NULL;
175 return target; 175 return target;
@@ -237,6 +237,64 @@ int xt_find_revision(int af, const char *name, u8 revision, int target,
237} 237}
238EXPORT_SYMBOL_GPL(xt_find_revision); 238EXPORT_SYMBOL_GPL(xt_find_revision);
239 239
240int xt_check_match(const struct xt_match *match, unsigned short family,
241 unsigned int size, const char *table, unsigned int hook_mask,
242 unsigned short proto, int inv_proto)
243{
244 if (XT_ALIGN(match->matchsize) != size) {
245 printk("%s_tables: %s match: invalid size %Zu != %u\n",
246 xt_prefix[family], match->name,
247 XT_ALIGN(match->matchsize), size);
248 return -EINVAL;
249 }
250 if (match->table && strcmp(match->table, table)) {
251 printk("%s_tables: %s match: only valid in %s table, not %s\n",
252 xt_prefix[family], match->name, match->table, table);
253 return -EINVAL;
254 }
255 if (match->hooks && (hook_mask & ~match->hooks) != 0) {
256 printk("%s_tables: %s match: bad hook_mask %u\n",
257 xt_prefix[family], match->name, hook_mask);
258 return -EINVAL;
259 }
260 if (match->proto && (match->proto != proto || inv_proto)) {
261 printk("%s_tables: %s match: only valid for protocol %u\n",
262 xt_prefix[family], match->name, match->proto);
263 return -EINVAL;
264 }
265 return 0;
266}
267EXPORT_SYMBOL_GPL(xt_check_match);
268
269int xt_check_target(const struct xt_target *target, unsigned short family,
270 unsigned int size, const char *table, unsigned int hook_mask,
271 unsigned short proto, int inv_proto)
272{
273 if (XT_ALIGN(target->targetsize) != size) {
274 printk("%s_tables: %s target: invalid size %Zu != %u\n",
275 xt_prefix[family], target->name,
276 XT_ALIGN(target->targetsize), size);
277 return -EINVAL;
278 }
279 if (target->table && strcmp(target->table, table)) {
280 printk("%s_tables: %s target: only valid in %s table, not %s\n",
281 xt_prefix[family], target->name, target->table, table);
282 return -EINVAL;
283 }
284 if (target->hooks && (hook_mask & ~target->hooks) != 0) {
285 printk("%s_tables: %s target: bad hook_mask %u\n",
286 xt_prefix[family], target->name, hook_mask);
287 return -EINVAL;
288 }
289 if (target->proto && (target->proto != proto || inv_proto)) {
290 printk("%s_tables: %s target: only valid for protocol %u\n",
291 xt_prefix[family], target->name, target->proto);
292 return -EINVAL;
293 }
294 return 0;
295}
296EXPORT_SYMBOL_GPL(xt_check_target);
297
240struct xt_table_info *xt_alloc_table_info(unsigned int size) 298struct xt_table_info *xt_alloc_table_info(unsigned int size)
241{ 299{
242 struct xt_table_info *newinfo; 300 struct xt_table_info *newinfo;