From: Jan Engelhardt <jengelh@medozas.de>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH 056/103] netfilter: xtables2: per-rule target skeletal functions
Date: Tue, 4 Aug 2009 09:25:40 +0200 [thread overview]
Message-ID: <1249370787-17583-57-git-send-email-jengelh@medozas.de> (raw)
In-Reply-To: <1249370787-17583-1-git-send-email-jengelh@medozas.de>
This patch also introduces the possibly to use multiple targets
in a rule, an often-wanted feature (such as -j LOG -j DROP).
Loop detection and Origin Tracing is not included here yet. xt1
modules, e.g. ip6_tables, will (continue to) do the loop checking and
"comefrom" marking for the time being.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 43 ++++++++++++++++++++++
net/netfilter/x_tables.c | 69 +++++++++++++++++++++++++++++++++++-
2 files changed, 111 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index fbea89c..e71a84e 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -407,6 +407,14 @@ struct xt_table_info
void *entries[1];
};
+/*
+ * The use of low negative numbers means we can use IS_ERR()
+ * (See xt2_special_target below.)
+ */
+#define XT2_ACTION_JUMP ((const struct xt_target *)(-2))
+#define XT2_ACTION_GOTO ((const struct xt_target *)(-3))
+#define XT2_FINAL_VERDICT ((const struct xt_target *)(-4))
+
struct xt2_table;
enum {
@@ -416,12 +424,14 @@ enum {
/**
* @anchor: list anchor for parent (xt2_chain.rule_list)
* @match_list: list of called match extensions (xt2_entry_match)
+ * @target_list: list of called target extensions (xt2_entry_targets)
* @l4proto: layer-4 protocol used (needed for xt_check_*)
* @flags: extra flags (see above)
*/
struct xt2_rule {
struct list_head anchor;
struct list_head match_list;
+ struct list_head target_list;
struct xt2_chain *chain;
uint8_t l4proto, flags;
};
@@ -440,6 +450,25 @@ struct xt2_entry_match {
};
/**
+ * @anchor: list anchor for parent (xt2_rule.target_list)
+ * @ext: pointer to extension
+ * @data: parameter block for extension (aka. "targetinfo")
+ * @r_jump: jump target; requires that @ext is %XT2_ACTION_JUMP
+ * @r_goto: goto target; requires that @ext is %XT2_ACTION_GOTO
+ * @verdict: final verdict (%XT_* or %NF_*);
+ * requires that @ext is %XT2_FINAL_VERDICT
+ */
+struct xt2_entry_target {
+ struct list_head anchor;
+ const struct xt_target *ext;
+ union {
+ void *data;
+ const struct xt2_chain *r_jump, *r_goto;
+ unsigned int verdict;
+ };
+};
+
+/**
* @anchor: list anchor for parent (xt2_table.chain_list)
* @rule_list: list of struct xt2_rule
* @name: name of chain
@@ -640,6 +669,8 @@ extern void *xt_repldata_create(const struct xt_table *);
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
extern int xt2_rule_add_match(struct xt2_rule *, const char *, uint8_t,
const void *, unsigned int, bool);
+extern int xt2_rule_add_target(struct xt2_rule *, const char *, uint8_t,
+ const void *, unsigned int, bool);
extern struct xt2_chain *xt2_chain_new(struct xt2_table *, const char *);
extern void xt2_chain_append(struct xt2_rule *);
@@ -651,6 +682,11 @@ extern int xt2_table_register(struct net *, struct xt2_table *);
extern struct xt2_table *xt2_table_replace(struct net *, struct xt2_table *);
extern void xt2_table_destroy(struct net *, struct xt2_table *);
+static inline bool xt2_special_target(const struct xt_target *t)
+{
+ return IS_ERR(t);
+}
+
static inline int
xt2_rule_add_oldmatch(struct xt2_rule *rule, const struct xt_entry_match *m)
{
@@ -658,6 +694,13 @@ xt2_rule_add_oldmatch(struct xt2_rule *rule, const struct xt_entry_match *m)
m->data, m->u.match_size - sizeof(*m), true);
}
+static inline int
+xt2_rule_add_oldtarget(struct xt2_rule *rule, const struct xt_entry_target *t)
+{
+ return xt2_rule_add_target(rule, t->u.user.name, t->u.user.revision,
+ t->data, t->u.target_size - sizeof(*t), true);
+}
+
static inline struct xt2_table *
xt2_table_lookup(struct net *net, const char *name, uint8_t nfproto,
unsigned int lock_mask)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 0d50942..1e57517 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1313,6 +1313,7 @@ struct xt2_rule *xt2_rule_new(struct xt2_chain *chain)
rule->chain = chain;
INIT_LIST_HEAD(&rule->anchor);
INIT_LIST_HEAD(&rule->match_list);
+ INIT_LIST_HEAD(&rule->target_list);
return rule;
}
EXPORT_SYMBOL_GPL(xt2_rule_new);
@@ -1412,14 +1413,80 @@ int xt2_rule_add_match(struct xt2_rule *rule, const char *ext_name,
}
EXPORT_SYMBOL_GPL(xt2_rule_add_match);
+int xt2_rule_add_target(struct xt2_rule *rule, const char *ext_name,
+ uint8_t ext_rev, const void *data, unsigned int dsize,
+ bool check_pad)
+{
+ const uint8_t nfproto = rule->chain->table->nfproto;
+ struct xt2_entry_target *etarget;
+ const struct xt_target *ext;
+ struct xt_tgchk_param tgpar;
+ int ret;
+
+ ext = try_then_request_module(xt_find_target(nfproto,
+ ext_name, ext_rev), "%st_%s", xt_prefix[nfproto], ext_name);
+ if (ext == NULL)
+ return -ENOENT;
+ if (IS_ERR(ext))
+ return PTR_ERR(ext);
+
+ ret = -ENOMEM;
+ etarget = kmalloc(sizeof(*etarget), GFP_KERNEL);
+ if (etarget == NULL)
+ goto put_module;
+ etarget->ext = ext;
+ etarget->data = kmemdup(data, dsize, GFP_KERNEL);
+ if (etarget->data == NULL)
+ goto free_etarget;
+
+ tgpar.table = rule->chain->table->name;
+ tgpar.target = ext;
+ tgpar.targinfo = etarget->data;
+ tgpar.hook_mask = rule->chain->comefrom;
+ tgpar.family = rule->chain->table->nfproto;
+ ret = xt_check_target(&tgpar, dsize, rule->l4proto,
+ rule->flags & XT2_INV_L4PROTO, check_pad);
+ if (ret < 0)
+ goto free_edata;
+
+ INIT_LIST_HEAD(&etarget->anchor);
+ list_add_tail(&etarget->anchor, &rule->target_list);
+ return 0;
+
+ free_edata:
+ kfree(etarget->data);
+ free_etarget:
+ kfree(etarget);
+ put_module:
+ module_put(ext->me);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(xt2_rule_add_target);
+
static void xt2_rule_free(struct xt2_rule *rule)
{
+ struct xt2_entry_target *etarget, *next_etarget;
struct xt2_entry_match *ematch, *next_ematch;
struct xt_mtdtor_param mtpar;
+ struct xt_tgdtor_param tgpar;
- mtpar.family = rule->chain->table->nfproto;
+ mtpar.family = tgpar.family = rule->chain->table->nfproto;
list_del(&rule->anchor);
+ list_for_each_entry_safe(etarget, next_etarget,
+ &rule->target_list, anchor) {
+ list_del(&etarget->anchor);
+ if (!xt2_special_target(etarget->ext)) {
+ if (etarget->ext->destroy != NULL) {
+ tgpar.target = etarget->ext;
+ tgpar.targinfo = etarget->data;
+ etarget->ext->destroy(&tgpar);
+ }
+ module_put(etarget->ext->me);
+ kfree(etarget->data);
+ }
+ kfree(etarget);
+ }
list_for_each_entry_safe(ematch, next_ematch,
&rule->match_list, anchor) {
list_del(&ematch->anchor);
--
1.6.3.3
next prev parent reply other threads:[~2009-08-04 7:27 UTC|newest]
Thread overview: 118+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 001/103] netfilter: xtables: remove xt_TOS v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 002/103] netfilter: xtables: remove xt_CONNMARK v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 003/103] netfilter: xtables: remove xt_MARK v0, v1 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 004/103] netfilter: xtables: remove xt_connmark v0 Jan Engelhardt
2009-08-10 8:41 ` Patrick McHardy
2009-08-10 9:01 ` Patrick McHardy
2009-08-04 7:24 ` [PATCH 005/103] netfilter: xtables: remove xt_conntrack v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 006/103] netfilter: xtables: remove xt_iprange v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 007/103] netfilter: xtables: remove xt_mark v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 008/103] netfilter: xtables: remove obsolete /proc/net/ipt_recent Jan Engelhardt
2009-08-10 8:46 ` Patrick McHardy
2009-08-04 7:24 ` [PATCH 009/103] netfilter: xtables: remove xt_owner v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 010/103] netfilter: xtables: remove redirecting header files Jan Engelhardt
2009-08-04 7:24 ` [PATCH 011/103] netfilter: conntrack: switch hook PFs to nfproto Jan Engelhardt
2009-08-04 7:24 ` [PATCH 012/103] netfilter: xtables: " Jan Engelhardt
2009-08-04 7:24 ` [PATCH 013/103] netfilter: xtables: switch table AFs " Jan Engelhardt
2009-08-04 7:24 ` [PATCH 014/103] netfilter: xtables: remove unneeded gotos in table error paths Jan Engelhardt
2009-08-10 8:48 ` Patrick McHardy
2009-08-04 7:24 ` [PATCH 015/103] netfilter: xtables: realign struct xt_target_param Jan Engelhardt
2009-08-04 7:25 ` [PATCH 016/103] netfilter: iptables: remove unused datalen variable Jan Engelhardt
2009-08-04 7:25 ` [PATCH 017/103] netfilter: xtables: use better unconditional check Jan Engelhardt
2009-08-10 8:54 ` Patrick McHardy
2009-08-10 9:27 ` Jan Engelhardt
2009-08-10 9:31 ` Patrick McHardy
2009-08-04 7:25 ` [PATCH 018/103] netfilter: xtables: ignore unassigned hooks in check_entry_size_and_hooks Jan Engelhardt
2009-08-04 7:25 ` [PATCH 019/103] netfilter: xtables: check for unconditionality of policies Jan Engelhardt
2009-08-10 8:55 ` Patrick McHardy
2009-08-04 7:25 ` [PATCH 020/103] netfilter: xtables: check for standard verdicts in policies Jan Engelhardt
2009-08-04 7:25 ` [PATCH 021/103] netfilter: xtables: consolidate table hook functions Jan Engelhardt
2009-08-10 8:58 ` Patrick McHardy
2009-08-10 9:36 ` Jan Engelhardt
2009-08-10 9:51 ` Patrick McHardy
2009-08-04 7:25 ` [PATCH 022/103] netfilter: xtables: compact " Jan Engelhardt
2009-08-04 7:25 ` [PATCH 023/103] netfilter: xtables: generate nf_hook_ops on-demand Jan Engelhardt
2009-08-04 7:25 ` [PATCH 024/103] netfilter: xtables: mark table constant for registering functions Jan Engelhardt
2009-08-04 7:25 ` [PATCH 025/103] netfilter: xtables: constify initial table data Jan Engelhardt
2009-08-04 7:25 ` [PATCH 026/103] netfilter: xtables: use xt_table for hook instantiation Jan Engelhardt
2009-08-04 7:25 ` [PATCH 027/103] netfilter: xtables: generate initial table on-demand Jan Engelhardt
2009-08-04 7:25 ` [PATCH 028/103] netfilter: reduce NF_HOOK by one argument Jan Engelhardt
2009-08-04 7:25 ` [PATCH 029/103] netfilter: get rid of the grossness in netfilter.h Jan Engelhardt
2009-08-04 7:25 ` [PATCH 030/103] netfilter: xtables: print details on size mismatch Jan Engelhardt
2009-08-04 7:25 ` [PATCH 031/103] netfilter: xtables: constify args in compat copying functions Jan Engelhardt
2009-08-04 7:25 ` [PATCH 032/103] netfilter: xtables: add const qualifiers Jan Engelhardt
2009-08-04 7:25 ` [PATCH 033/103] netfilter: xtables: replace XT_ENTRY_ITERATE macro Jan Engelhardt
2009-08-04 7:25 ` [PATCH 034/103] netfilter: xtables: optimize call flow around xt_entry_foreach Jan Engelhardt
2009-08-04 7:25 ` [PATCH 035/103] netfilter: xtables: replace XT_MATCH_ITERATE macro Jan Engelhardt
2009-08-04 7:25 ` [PATCH 036/103] netfilter: xtables: optimize call flow around xt_ematch_foreach Jan Engelhardt
2009-08-04 7:25 ` [PATCH 037/103] netfilter: xtables: reduce arguments to translate_table Jan Engelhardt
2009-08-04 7:25 ` [PATCH 038/103] netfilter: xtables2: make ip_tables reentrant Jan Engelhardt
2009-08-04 7:25 ` [PATCH 039/103] netfilter: xtables: dissolve do_match function Jan Engelhardt
2009-08-04 7:25 ` [PATCH 040/103] netfilter: xtables: combine struct xt_match_param and xt_target_param Jan Engelhardt
2009-08-04 7:25 ` [PATCH 041/103] netfilter: xtables: substitute temporary defines by final name Jan Engelhardt
2009-08-04 7:25 ` [PATCH 042/103] netfilter: xtables: make use of xt_request_find_target Jan Engelhardt
2009-08-04 7:25 ` [PATCH 043/103] netfilter: xtables: consolidate code into xt_request_find_match Jan Engelhardt
2009-08-04 7:25 ` [PATCH 044/103] netfilter: xtables: deconstify struct xt_action_param for matches Jan Engelhardt
2009-08-04 7:25 ` [PATCH 045/103] netfilter: xtables: change hotdrop pointer to direct modification Jan Engelhardt
2009-08-04 7:25 ` [PATCH 046/103] netfilter: xtables: combine built-in extension structs Jan Engelhardt
2009-08-04 7:25 ` [PATCH 047/103] netfilter: xtables: move functions around Jan Engelhardt
2009-08-04 7:25 ` [PATCH 048/103] netfilter: ebtables: change ebt_basic_match to xt convention Jan Engelhardt
2009-08-04 7:25 ` [PATCH 049/103] netfilter: xtables: convert basic nfproto match functions into xt matches Jan Engelhardt
2009-08-04 7:25 ` [PATCH 050/103] netfilter: xtables2: initial table skeletal functions Jan Engelhardt
2009-08-04 7:25 ` [PATCH 051/103] netfilter: xtables2: initial chain " Jan Engelhardt
2009-08-04 7:25 ` [PATCH 052/103] netfilter: xtables2: initial rule " Jan Engelhardt
2009-08-04 7:25 ` [PATCH 053/103] netfilter: xtables: alternate size checking in xt_check_match Jan Engelhardt
2009-08-04 7:25 ` [PATCH 054/103] netfilter: xtables: alternate size checking in xt_check_target Jan Engelhardt
2009-08-04 7:25 ` [PATCH 055/103] netfilter: xtables2: per-rule match skeletal functions Jan Engelhardt
2009-08-04 7:25 ` Jan Engelhardt [this message]
2009-08-04 7:25 ` [PATCH 057/103] netfilter: xtables2: xt_check_target in combination with xt2 contexts Jan Engelhardt
2009-08-04 7:25 ` [PATCH 058/103] netfilter: xtables2: jumpstack (de)allocation functions Jan Engelhardt
2009-08-04 7:25 ` [PATCH 059/103] netfilter: xtables2: table traversal Jan Engelhardt
2009-08-04 7:25 ` [PATCH 060/103] netfilter: xt_quota: fix wrong return value (error case) Jan Engelhardt
2009-08-04 7:25 ` [PATCH 061/103] netfilter: xtables: add xt_quota revision 3 Jan Engelhardt
2009-08-04 7:25 ` [PATCH 062/103] netfilter: xtables2: make a copy of the ipv6_filter table Jan Engelhardt
2009-08-04 7:25 ` [PATCH 063/103] netfilter: xtables2: initial xt1->xt2 translation for tables Jan Engelhardt
2009-08-04 7:25 ` [PATCH 064/103] netfilter: xtables2: xt2->xt1 translation - GET_INFO support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 065/103] netfilter: xtables2: xt2->xt1 translation - GET_ENTRIES support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 066/103] netfilter: xtables2: xt1->xt2 translation - SET_REPLACE support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 067/103] netfilter: xtables2: return counters after SET_REPLACE Jan Engelhardt
2009-08-04 7:25 ` [PATCH 068/103] netfilter: xtables2: xt1->xt2 translation - ADD_COUNTERS support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 069/103] netfilter: xtables2: xt2->xt1 translation - compat GET_INFO support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 070/103] netfilter: xtables: use compat_u64 inside struct compat_xt_counters Jan Engelhardt
2009-08-04 7:25 ` [PATCH 071/103] netfilter: ip6tables: move mark_chains to xt1_perproto.c Jan Engelhardt
2009-08-04 7:25 ` [PATCH 072/103] netfilter: xtables2: xt2<->xt1 translation - compat GET_ENTRIES/SET_REPLACE support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 073/103] netfilter: xtables2: compat->normal match data translation Jan Engelhardt
2009-08-04 7:25 ` [PATCH 074/103] netfilter: xtables2: compat->normal target " Jan Engelhardt
2009-08-04 7:25 ` [PATCH 075/103] netfilter: xtables2: outsource code into xts_match_to_xt1 function Jan Engelhardt
2009-08-04 7:26 ` [PATCH 076/103] netfilter: xtables2: normal->compat match data translation Jan Engelhardt
2009-08-04 7:26 ` [PATCH 077/103] netfilter: xtables2: normal->compat target " Jan Engelhardt
2009-08-04 7:26 ` [PATCH 078/103] netfilter: xtables2: packet tracing Jan Engelhardt
2009-08-04 7:26 ` [PATCH 079/103] netfilter: xtables: turn procfs entries to walk xt2 table list Jan Engelhardt
2009-08-04 7:26 ` [PATCH 080/103] netfilter: xtables2: switch ip6's tables to the xt2 table format Jan Engelhardt
2009-08-04 7:26 ` [PATCH 081/103] netfilter: ip6tables: remove obsolete packet tracing Jan Engelhardt
2009-08-04 7:26 ` [PATCH 082/103] netfilter: ip6tables: remove xt1 GET_INFO code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 083/103] netfilter: ip6tables: remove xt1 GET_ENTRIES code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 084/103] netfilter: ip6tables: remove unused functions (GET_ENTRIES) Jan Engelhardt
2009-08-04 7:26 ` [PATCH 085/103] netfilter: ip6tables: remove xt1 SET_REPLACE code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 086/103] netfilter: ip6tables: remove unused functions (SET_REPLACE) Jan Engelhardt
2009-08-04 7:26 ` [PATCH 087/103] netfilter: ip6tables: remove xt1 ADD_COUNTERS code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 088/103] netfilter: ip6tables: remove xt1/ipv6 registration functions Jan Engelhardt
2009-08-04 7:26 ` [PATCH 089/103] netfilter: ip6tables: remove remaining xt1 code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 090/103] netfilter: iptables: include xt1_perproto code in ip_tables Jan Engelhardt
2009-08-04 7:26 ` [PATCH 091/103] netfilter: iptables: switch to xt2 tables Jan Engelhardt
2009-08-04 7:26 ` [PATCH 092/103] netfilter: iptables: remove unused functions Jan Engelhardt
2009-08-04 7:26 ` [PATCH 093/103] netfilter: iptables: remove xt1/ipv4 registration functions Jan Engelhardt
2009-08-04 7:26 ` [PATCH 094/103] netfilter: iptables: remove remaining xt1 code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 095/103] netfilter: xt_quota: enable module lookup via arpt Jan Engelhardt
2009-08-04 7:26 ` [PATCH 096/103] netfilter: arptables: include xt1_perproto in arp_tables Jan Engelhardt
2009-08-04 7:26 ` [PATCH 097/103] netfilter: arptables: switch to xt2 tables Jan Engelhardt
2009-08-04 7:26 ` [PATCH 098/103] netfilter: arptables: remove unused functions Jan Engelhardt
2009-08-04 7:26 ` [PATCH 099/103] netfilter: arptables: remove xt1/arp registration functions Jan Engelhardt
2009-08-04 7:26 ` [PATCH 100/103] netfilter: arptables: remove remaining xt1 code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 101/103] netfilter: xtables1: remove xt1 table handling Jan Engelhardt
2009-08-04 7:26 ` [PATCH 102/103] netfilter: xtables1: remove info lock Jan Engelhardt
2009-08-04 7:26 ` [PATCH 103/103] netfilter: xtables1: remove compat-userspace code Jan Engelhardt
2009-08-04 12:47 ` Xtables2 snapshot 20090804 Patrick McHardy
2009-08-04 13:26 ` Jan Engelhardt
2009-08-04 13:16 ` Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1249370787-17583-57-git-send-email-jengelh@medozas.de \
--to=jengelh@medozas.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).