diff options
-rw-r--r-- | include/linux/netfilter/x_tables.h | 23 | ||||
-rw-r--r-- | net/netfilter/x_tables.c | 72 |
2 files changed, 84 insertions, 11 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 6500d4e59d46..b9c37e1e6730 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h | |||
@@ -92,8 +92,6 @@ struct xt_match | |||
92 | 92 | ||
93 | const char name[XT_FUNCTION_MAXNAMELEN-1]; | 93 | const char name[XT_FUNCTION_MAXNAMELEN-1]; |
94 | 94 | ||
95 | u_int8_t revision; | ||
96 | |||
97 | /* Return true or false: return FALSE and set *hotdrop = 1 to | 95 | /* Return true or false: return FALSE and set *hotdrop = 1 to |
98 | force immediate packet drop. */ | 96 | force immediate packet drop. */ |
99 | /* Arguments changed since 2.6.9, as this must now handle | 97 | /* Arguments changed since 2.6.9, as this must now handle |
@@ -120,6 +118,12 @@ struct xt_match | |||
120 | 118 | ||
121 | /* Set this to THIS_MODULE if you are a module, otherwise NULL */ | 119 | /* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
122 | struct module *me; | 120 | struct module *me; |
121 | |||
122 | char *table; | ||
123 | unsigned int matchsize; | ||
124 | unsigned int hooks; | ||
125 | unsigned short proto; | ||
126 | u_int8_t revision; | ||
123 | }; | 127 | }; |
124 | 128 | ||
125 | /* Registration hooks for targets. */ | 129 | /* Registration hooks for targets. */ |
@@ -129,8 +133,6 @@ struct xt_target | |||
129 | 133 | ||
130 | const char name[XT_FUNCTION_MAXNAMELEN-1]; | 134 | const char name[XT_FUNCTION_MAXNAMELEN-1]; |
131 | 135 | ||
132 | u_int8_t revision; | ||
133 | |||
134 | /* Returns verdict. Argument order changed since 2.6.9, as this | 136 | /* Returns verdict. Argument order changed since 2.6.9, as this |
135 | must now handle non-linear skbs, using skb_copy_bits and | 137 | must now handle non-linear skbs, using skb_copy_bits and |
136 | skb_ip_make_writable. */ | 138 | skb_ip_make_writable. */ |
@@ -156,6 +158,12 @@ struct xt_target | |||
156 | 158 | ||
157 | /* Set this to THIS_MODULE if you are a module, otherwise NULL */ | 159 | /* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
158 | struct module *me; | 160 | struct module *me; |
161 | |||
162 | char *table; | ||
163 | unsigned int targetsize; | ||
164 | unsigned int hooks; | ||
165 | unsigned short proto; | ||
166 | u_int8_t revision; | ||
159 | }; | 167 | }; |
160 | 168 | ||
161 | /* Furniture shopping... */ | 169 | /* Furniture shopping... */ |
@@ -207,6 +215,13 @@ extern void xt_unregister_target(int af, struct xt_target *target); | |||
207 | extern int xt_register_match(int af, struct xt_match *target); | 215 | extern int xt_register_match(int af, struct xt_match *target); |
208 | extern void xt_unregister_match(int af, struct xt_match *target); | 216 | extern void xt_unregister_match(int af, struct xt_match *target); |
209 | 217 | ||
218 | extern int xt_check_match(const struct xt_match *match, unsigned short family, | ||
219 | unsigned int size, const char *table, unsigned int hook, | ||
220 | unsigned short proto, int inv_proto); | ||
221 | extern int xt_check_target(const struct xt_target *target, unsigned short family, | ||
222 | unsigned int size, const char *table, unsigned int hook, | ||
223 | unsigned short proto, int inv_proto); | ||
224 | |||
210 | extern int xt_register_table(struct xt_table *table, | 225 | extern int xt_register_table(struct xt_table *table, |
211 | struct xt_table_info *bootstrap, | 226 | struct xt_table_info *bootstrap, |
212 | struct xt_table_info *newinfo); | 227 | struct xt_table_info *newinfo); |
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index d7817afc6b96..750b92829766 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c | |||
@@ -52,6 +52,12 @@ enum { | |||
52 | MATCH, | 52 | MATCH, |
53 | }; | 53 | }; |
54 | 54 | ||
55 | static const char *xt_prefix[NPROTO] = { | ||
56 | [AF_INET] = "ip", | ||
57 | [AF_INET6] = "ip6", | ||
58 | [NF_ARP] = "arp", | ||
59 | }; | ||
60 | |||
55 | /* Registration hooks for targets. */ | 61 | /* Registration hooks for targets. */ |
56 | int | 62 | int |
57 | xt_register_target(int af, struct xt_target *target) | 63 | xt_register_target(int af, struct xt_target *target) |
@@ -158,18 +164,12 @@ struct xt_target *xt_find_target(int af, const char *name, u8 revision) | |||
158 | } | 164 | } |
159 | EXPORT_SYMBOL(xt_find_target); | 165 | EXPORT_SYMBOL(xt_find_target); |
160 | 166 | ||
161 | static const char *xt_prefix[NPROTO] = { | ||
162 | [AF_INET] = "ipt_%s", | ||
163 | [AF_INET6] = "ip6t_%s", | ||
164 | [NF_ARP] = "arpt_%s", | ||
165 | }; | ||
166 | |||
167 | struct xt_target *xt_request_find_target(int af, const char *name, u8 revision) | 167 | struct xt_target *xt_request_find_target(int af, const char *name, u8 revision) |
168 | { | 168 | { |
169 | struct xt_target *target; | 169 | struct xt_target *target; |
170 | 170 | ||
171 | target = try_then_request_module(xt_find_target(af, name, revision), | 171 | target = try_then_request_module(xt_find_target(af, name, revision), |
172 | xt_prefix[af], name); | 172 | "%st_%s", xt_prefix[af], name); |
173 | if (IS_ERR(target) || !target) | 173 | if (IS_ERR(target) || !target) |
174 | return NULL; | 174 | return NULL; |
175 | return target; | 175 | return target; |
@@ -237,6 +237,64 @@ int xt_find_revision(int af, const char *name, u8 revision, int target, | |||
237 | } | 237 | } |
238 | EXPORT_SYMBOL_GPL(xt_find_revision); | 238 | EXPORT_SYMBOL_GPL(xt_find_revision); |
239 | 239 | ||
240 | int xt_check_match(const struct xt_match *match, unsigned short family, | ||
241 | unsigned int size, const char *table, unsigned int hook_mask, | ||
242 | unsigned short proto, int inv_proto) | ||
243 | { | ||
244 | if (XT_ALIGN(match->matchsize) != size) { | ||
245 | printk("%s_tables: %s match: invalid size %Zu != %u\n", | ||
246 | xt_prefix[family], match->name, | ||
247 | XT_ALIGN(match->matchsize), size); | ||
248 | return -EINVAL; | ||
249 | } | ||
250 | if (match->table && strcmp(match->table, table)) { | ||
251 | printk("%s_tables: %s match: only valid in %s table, not %s\n", | ||
252 | xt_prefix[family], match->name, match->table, table); | ||
253 | return -EINVAL; | ||
254 | } | ||
255 | if (match->hooks && (hook_mask & ~match->hooks) != 0) { | ||
256 | printk("%s_tables: %s match: bad hook_mask %u\n", | ||
257 | xt_prefix[family], match->name, hook_mask); | ||
258 | return -EINVAL; | ||
259 | } | ||
260 | if (match->proto && (match->proto != proto || inv_proto)) { | ||
261 | printk("%s_tables: %s match: only valid for protocol %u\n", | ||
262 | xt_prefix[family], match->name, match->proto); | ||
263 | return -EINVAL; | ||
264 | } | ||
265 | return 0; | ||
266 | } | ||
267 | EXPORT_SYMBOL_GPL(xt_check_match); | ||
268 | |||
269 | int xt_check_target(const struct xt_target *target, unsigned short family, | ||
270 | unsigned int size, const char *table, unsigned int hook_mask, | ||
271 | unsigned short proto, int inv_proto) | ||
272 | { | ||
273 | if (XT_ALIGN(target->targetsize) != size) { | ||
274 | printk("%s_tables: %s target: invalid size %Zu != %u\n", | ||
275 | xt_prefix[family], target->name, | ||
276 | XT_ALIGN(target->targetsize), size); | ||
277 | return -EINVAL; | ||
278 | } | ||
279 | if (target->table && strcmp(target->table, table)) { | ||
280 | printk("%s_tables: %s target: only valid in %s table, not %s\n", | ||
281 | xt_prefix[family], target->name, target->table, table); | ||
282 | return -EINVAL; | ||
283 | } | ||
284 | if (target->hooks && (hook_mask & ~target->hooks) != 0) { | ||
285 | printk("%s_tables: %s target: bad hook_mask %u\n", | ||
286 | xt_prefix[family], target->name, hook_mask); | ||
287 | return -EINVAL; | ||
288 | } | ||
289 | if (target->proto && (target->proto != proto || inv_proto)) { | ||
290 | printk("%s_tables: %s target: only valid for protocol %u\n", | ||
291 | xt_prefix[family], target->name, target->proto); | ||
292 | return -EINVAL; | ||
293 | } | ||
294 | return 0; | ||
295 | } | ||
296 | EXPORT_SYMBOL_GPL(xt_check_target); | ||
297 | |||
240 | struct xt_table_info *xt_alloc_table_info(unsigned int size) | 298 | struct xt_table_info *xt_alloc_table_info(unsigned int size) |
241 | { | 299 | { |
242 | struct xt_table_info *newinfo; | 300 | struct xt_table_info *newinfo; |