From: Jan Engelhardt <jengelh@medozas.de>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH 076/103] netfilter: xtables2: normal->compat match data translation
Date: Tue, 4 Aug 2009 09:26:00 +0200 [thread overview]
Message-ID: <1249370787-17583-77-git-send-email-jengelh@medozas.de> (raw)
In-Reply-To: <1249370787-17583-1-git-send-email-jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 5 ++++
net/ipv6/netfilter/ip6_tables.c | 1 +
net/netfilter/xt1_support.c | 43 +++++++++++++++++++++++++++++++++++-
net/netfilter/xt1_translat.c | 5 +++-
4 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 0531f0d..ccd012a 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -425,6 +425,8 @@ struct xt_table_info
* @etarget_size: size of the etarget header
* @standard_tgsize: size of the complete standard target, includes
* etarget_size and alignment padding
+ * @compat: whether requestor is in normal or compat mode
+ * affects selection of ematch->dsize vs compatsize
*/
struct xt1_xlat_info {
unsigned int marker_size;
@@ -432,6 +434,7 @@ struct xt1_xlat_info {
unsigned int ematch_size, etarget_size;
unsigned int standard_tgsize;
const char *first_match;
+ bool compat;
};
/*
@@ -740,6 +743,8 @@ extern int xts_rule_add_cmatch(struct xt2_rule *,
const struct xt_entry_match *);
extern int xts_rule_add_ctarget(struct xt2_rule *,
const struct xt_entry_target *);
+extern int xts_cmatch_to_xt1(void __user **, int *, unsigned int *,
+ const struct xt2_entry_match *);
#endif
extern struct xt2_rule *xt2_rule_new(struct xt2_chain *);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index b0f04c7..53186a2 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1072,6 +1072,7 @@ static const struct xt1_xlat_info ip6t_compat_xlat_info = {
.etarget_size = sizeof(struct xt_entry_target),
.standard_tgsize = COMPAT_XT_ALIGN(sizeof(struct xt_entry_target) +
sizeof(compat_uint_t)),
+ .compat = true,
#endif
};
diff --git a/net/netfilter/xt1_support.c b/net/netfilter/xt1_support.c
index be87e75..48cfaba 100644
--- a/net/netfilter/xt1_support.c
+++ b/net/netfilter/xt1_support.c
@@ -142,7 +142,14 @@ xts_blob_prep_rule(const struct xt2_rule *rule, const struct xt1_xlat_info *io,
if (ematch == quota_stop)
/* quotas included in entry_hdr */
break;
- z += io->ematch_size + ematch->dsize;
+ z += io->ematch_size;
+#ifdef CONFIG_COMPAT
+ if (ematch->ext->matchsize != -1 && io->compat &&
+ ematch->ext->compatsize != 0)
+ z += COMPAT_XT_ALIGN(ematch->ext->compatsize);
+ else
+#endif
+ z += ematch->dsize;
}
etarget = list_first_entry(&rule->target_list,
@@ -506,6 +513,40 @@ int xts_rule_add_ctarget(struct xt2_rule *rule,
return ret;
}
EXPORT_SYMBOL_GPL(xts_rule_add_ctarget);
+
+int xts_cmatch_to_xt1(void __user **user_ptr, int *len, unsigned int *z,
+ const struct xt2_entry_match *ematch)
+{
+ struct xt_entry_match blob;
+ unsigned int dsize;
+ int ret;
+
+ if (ematch->ext->compatsize == 0)
+ return xts_match_to_xt1(user_ptr, len, z, ematch);
+
+ dsize = COMPAT_XT_ALIGN(ematch->ext->compatsize);
+ blob.u.match_size = sizeof(blob) + dsize;
+ blob.u.user.revision = ematch->ext->revision;
+ strncpy(blob.u.user.name, ematch->ext->name, sizeof(blob.u.user.name));
+ ret = xts_copy_to_user(user_ptr, len, &blob, sizeof(blob), z);
+ if (ret < 0)
+ return ret;
+
+ /*
+ * The awkward semantics of compat_to_user means we cannot
+ * use xts_copy_to_user.
+ */
+ if (*len < dsize)
+ return -ENOSPC;
+ ret = ematch->ext->compat_to_user(*user_ptr, ematch->data);
+ if (ret < 0)
+ return ret;
+ *user_ptr += dsize;
+ *z += dsize;
+ *len -= dsize;
+ return 0;
+}
+EXPORT_SYMBOL_GPL(xts_cmatch_to_xt1);
#endif
MODULE_LICENSE("GPL");
diff --git a/net/netfilter/xt1_translat.c b/net/netfilter/xt1_translat.c
index 469490d..ebcc3df 100644
--- a/net/netfilter/xt1_translat.c
+++ b/net/netfilter/xt1_translat.c
@@ -19,9 +19,11 @@
#ifdef XTSUB_DO_COMPAT
# define xtsub_rule_add_match xts_rule_add_cmatch
# define xtsub_rule_add_target xts_rule_add_ctarget
+# define xtsub_match_to_xt1 xts_cmatch_to_xt1
#else
# define xtsub_rule_add_match xt2_rule_add_oldmatch
# define xtsub_rule_add_target xt2_rule_add_oldtarget
+# define xtsub_match_to_xt1 xts_match_to_xt1
#endif
#ifdef XTSUB_NFPROTO_IPV6
@@ -480,7 +482,7 @@ XTSUB2(rule_to_xt1)(void __user **user_ptr, int *len, unsigned int *z,
list_for_each_entry_continue(ematch, &rule->match_list, anchor) {
if (ematch == quota_ematch)
break;
- ret = xts_match_to_xt1(user_ptr, len, z, ematch);
+ ret = xtsub_match_to_xt1(user_ptr, len, z, ematch);
if (ret < 0)
return ret;
}
@@ -597,3 +599,4 @@ XTSUB2(do_replace)(struct net *net, const void __user *user, unsigned int len)
#undef xtsub_rule_add_match
#undef xtsub_rule_add_target
+#undef xtsub_match_to_xt1
--
1.6.3.3
next prev parent reply other threads:[~2009-08-04 7:27 UTC|newest]
Thread overview: 118+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-04 7:24 Xtables2 snapshot 20090804 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 001/103] netfilter: xtables: remove xt_TOS v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 002/103] netfilter: xtables: remove xt_CONNMARK v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 003/103] netfilter: xtables: remove xt_MARK v0, v1 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 004/103] netfilter: xtables: remove xt_connmark v0 Jan Engelhardt
2009-08-10 8:41 ` Patrick McHardy
2009-08-10 9:01 ` Patrick McHardy
2009-08-04 7:24 ` [PATCH 005/103] netfilter: xtables: remove xt_conntrack v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 006/103] netfilter: xtables: remove xt_iprange v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 007/103] netfilter: xtables: remove xt_mark v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 008/103] netfilter: xtables: remove obsolete /proc/net/ipt_recent Jan Engelhardt
2009-08-10 8:46 ` Patrick McHardy
2009-08-04 7:24 ` [PATCH 009/103] netfilter: xtables: remove xt_owner v0 Jan Engelhardt
2009-08-04 7:24 ` [PATCH 010/103] netfilter: xtables: remove redirecting header files Jan Engelhardt
2009-08-04 7:24 ` [PATCH 011/103] netfilter: conntrack: switch hook PFs to nfproto Jan Engelhardt
2009-08-04 7:24 ` [PATCH 012/103] netfilter: xtables: " Jan Engelhardt
2009-08-04 7:24 ` [PATCH 013/103] netfilter: xtables: switch table AFs " Jan Engelhardt
2009-08-04 7:24 ` [PATCH 014/103] netfilter: xtables: remove unneeded gotos in table error paths Jan Engelhardt
2009-08-10 8:48 ` Patrick McHardy
2009-08-04 7:24 ` [PATCH 015/103] netfilter: xtables: realign struct xt_target_param Jan Engelhardt
2009-08-04 7:25 ` [PATCH 016/103] netfilter: iptables: remove unused datalen variable Jan Engelhardt
2009-08-04 7:25 ` [PATCH 017/103] netfilter: xtables: use better unconditional check Jan Engelhardt
2009-08-10 8:54 ` Patrick McHardy
2009-08-10 9:27 ` Jan Engelhardt
2009-08-10 9:31 ` Patrick McHardy
2009-08-04 7:25 ` [PATCH 018/103] netfilter: xtables: ignore unassigned hooks in check_entry_size_and_hooks Jan Engelhardt
2009-08-04 7:25 ` [PATCH 019/103] netfilter: xtables: check for unconditionality of policies Jan Engelhardt
2009-08-10 8:55 ` Patrick McHardy
2009-08-04 7:25 ` [PATCH 020/103] netfilter: xtables: check for standard verdicts in policies Jan Engelhardt
2009-08-04 7:25 ` [PATCH 021/103] netfilter: xtables: consolidate table hook functions Jan Engelhardt
2009-08-10 8:58 ` Patrick McHardy
2009-08-10 9:36 ` Jan Engelhardt
2009-08-10 9:51 ` Patrick McHardy
2009-08-04 7:25 ` [PATCH 022/103] netfilter: xtables: compact " Jan Engelhardt
2009-08-04 7:25 ` [PATCH 023/103] netfilter: xtables: generate nf_hook_ops on-demand Jan Engelhardt
2009-08-04 7:25 ` [PATCH 024/103] netfilter: xtables: mark table constant for registering functions Jan Engelhardt
2009-08-04 7:25 ` [PATCH 025/103] netfilter: xtables: constify initial table data Jan Engelhardt
2009-08-04 7:25 ` [PATCH 026/103] netfilter: xtables: use xt_table for hook instantiation Jan Engelhardt
2009-08-04 7:25 ` [PATCH 027/103] netfilter: xtables: generate initial table on-demand Jan Engelhardt
2009-08-04 7:25 ` [PATCH 028/103] netfilter: reduce NF_HOOK by one argument Jan Engelhardt
2009-08-04 7:25 ` [PATCH 029/103] netfilter: get rid of the grossness in netfilter.h Jan Engelhardt
2009-08-04 7:25 ` [PATCH 030/103] netfilter: xtables: print details on size mismatch Jan Engelhardt
2009-08-04 7:25 ` [PATCH 031/103] netfilter: xtables: constify args in compat copying functions Jan Engelhardt
2009-08-04 7:25 ` [PATCH 032/103] netfilter: xtables: add const qualifiers Jan Engelhardt
2009-08-04 7:25 ` [PATCH 033/103] netfilter: xtables: replace XT_ENTRY_ITERATE macro Jan Engelhardt
2009-08-04 7:25 ` [PATCH 034/103] netfilter: xtables: optimize call flow around xt_entry_foreach Jan Engelhardt
2009-08-04 7:25 ` [PATCH 035/103] netfilter: xtables: replace XT_MATCH_ITERATE macro Jan Engelhardt
2009-08-04 7:25 ` [PATCH 036/103] netfilter: xtables: optimize call flow around xt_ematch_foreach Jan Engelhardt
2009-08-04 7:25 ` [PATCH 037/103] netfilter: xtables: reduce arguments to translate_table Jan Engelhardt
2009-08-04 7:25 ` [PATCH 038/103] netfilter: xtables2: make ip_tables reentrant Jan Engelhardt
2009-08-04 7:25 ` [PATCH 039/103] netfilter: xtables: dissolve do_match function Jan Engelhardt
2009-08-04 7:25 ` [PATCH 040/103] netfilter: xtables: combine struct xt_match_param and xt_target_param Jan Engelhardt
2009-08-04 7:25 ` [PATCH 041/103] netfilter: xtables: substitute temporary defines by final name Jan Engelhardt
2009-08-04 7:25 ` [PATCH 042/103] netfilter: xtables: make use of xt_request_find_target Jan Engelhardt
2009-08-04 7:25 ` [PATCH 043/103] netfilter: xtables: consolidate code into xt_request_find_match Jan Engelhardt
2009-08-04 7:25 ` [PATCH 044/103] netfilter: xtables: deconstify struct xt_action_param for matches Jan Engelhardt
2009-08-04 7:25 ` [PATCH 045/103] netfilter: xtables: change hotdrop pointer to direct modification Jan Engelhardt
2009-08-04 7:25 ` [PATCH 046/103] netfilter: xtables: combine built-in extension structs Jan Engelhardt
2009-08-04 7:25 ` [PATCH 047/103] netfilter: xtables: move functions around Jan Engelhardt
2009-08-04 7:25 ` [PATCH 048/103] netfilter: ebtables: change ebt_basic_match to xt convention Jan Engelhardt
2009-08-04 7:25 ` [PATCH 049/103] netfilter: xtables: convert basic nfproto match functions into xt matches Jan Engelhardt
2009-08-04 7:25 ` [PATCH 050/103] netfilter: xtables2: initial table skeletal functions Jan Engelhardt
2009-08-04 7:25 ` [PATCH 051/103] netfilter: xtables2: initial chain " Jan Engelhardt
2009-08-04 7:25 ` [PATCH 052/103] netfilter: xtables2: initial rule " Jan Engelhardt
2009-08-04 7:25 ` [PATCH 053/103] netfilter: xtables: alternate size checking in xt_check_match Jan Engelhardt
2009-08-04 7:25 ` [PATCH 054/103] netfilter: xtables: alternate size checking in xt_check_target Jan Engelhardt
2009-08-04 7:25 ` [PATCH 055/103] netfilter: xtables2: per-rule match skeletal functions Jan Engelhardt
2009-08-04 7:25 ` [PATCH 056/103] netfilter: xtables2: per-rule target " Jan Engelhardt
2009-08-04 7:25 ` [PATCH 057/103] netfilter: xtables2: xt_check_target in combination with xt2 contexts Jan Engelhardt
2009-08-04 7:25 ` [PATCH 058/103] netfilter: xtables2: jumpstack (de)allocation functions Jan Engelhardt
2009-08-04 7:25 ` [PATCH 059/103] netfilter: xtables2: table traversal Jan Engelhardt
2009-08-04 7:25 ` [PATCH 060/103] netfilter: xt_quota: fix wrong return value (error case) Jan Engelhardt
2009-08-04 7:25 ` [PATCH 061/103] netfilter: xtables: add xt_quota revision 3 Jan Engelhardt
2009-08-04 7:25 ` [PATCH 062/103] netfilter: xtables2: make a copy of the ipv6_filter table Jan Engelhardt
2009-08-04 7:25 ` [PATCH 063/103] netfilter: xtables2: initial xt1->xt2 translation for tables Jan Engelhardt
2009-08-04 7:25 ` [PATCH 064/103] netfilter: xtables2: xt2->xt1 translation - GET_INFO support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 065/103] netfilter: xtables2: xt2->xt1 translation - GET_ENTRIES support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 066/103] netfilter: xtables2: xt1->xt2 translation - SET_REPLACE support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 067/103] netfilter: xtables2: return counters after SET_REPLACE Jan Engelhardt
2009-08-04 7:25 ` [PATCH 068/103] netfilter: xtables2: xt1->xt2 translation - ADD_COUNTERS support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 069/103] netfilter: xtables2: xt2->xt1 translation - compat GET_INFO support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 070/103] netfilter: xtables: use compat_u64 inside struct compat_xt_counters Jan Engelhardt
2009-08-04 7:25 ` [PATCH 071/103] netfilter: ip6tables: move mark_chains to xt1_perproto.c Jan Engelhardt
2009-08-04 7:25 ` [PATCH 072/103] netfilter: xtables2: xt2<->xt1 translation - compat GET_ENTRIES/SET_REPLACE support Jan Engelhardt
2009-08-04 7:25 ` [PATCH 073/103] netfilter: xtables2: compat->normal match data translation Jan Engelhardt
2009-08-04 7:25 ` [PATCH 074/103] netfilter: xtables2: compat->normal target " Jan Engelhardt
2009-08-04 7:25 ` [PATCH 075/103] netfilter: xtables2: outsource code into xts_match_to_xt1 function Jan Engelhardt
2009-08-04 7:26 ` Jan Engelhardt [this message]
2009-08-04 7:26 ` [PATCH 077/103] netfilter: xtables2: normal->compat target data translation Jan Engelhardt
2009-08-04 7:26 ` [PATCH 078/103] netfilter: xtables2: packet tracing Jan Engelhardt
2009-08-04 7:26 ` [PATCH 079/103] netfilter: xtables: turn procfs entries to walk xt2 table list Jan Engelhardt
2009-08-04 7:26 ` [PATCH 080/103] netfilter: xtables2: switch ip6's tables to the xt2 table format Jan Engelhardt
2009-08-04 7:26 ` [PATCH 081/103] netfilter: ip6tables: remove obsolete packet tracing Jan Engelhardt
2009-08-04 7:26 ` [PATCH 082/103] netfilter: ip6tables: remove xt1 GET_INFO code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 083/103] netfilter: ip6tables: remove xt1 GET_ENTRIES code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 084/103] netfilter: ip6tables: remove unused functions (GET_ENTRIES) Jan Engelhardt
2009-08-04 7:26 ` [PATCH 085/103] netfilter: ip6tables: remove xt1 SET_REPLACE code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 086/103] netfilter: ip6tables: remove unused functions (SET_REPLACE) Jan Engelhardt
2009-08-04 7:26 ` [PATCH 087/103] netfilter: ip6tables: remove xt1 ADD_COUNTERS code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 088/103] netfilter: ip6tables: remove xt1/ipv6 registration functions Jan Engelhardt
2009-08-04 7:26 ` [PATCH 089/103] netfilter: ip6tables: remove remaining xt1 code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 090/103] netfilter: iptables: include xt1_perproto code in ip_tables Jan Engelhardt
2009-08-04 7:26 ` [PATCH 091/103] netfilter: iptables: switch to xt2 tables Jan Engelhardt
2009-08-04 7:26 ` [PATCH 092/103] netfilter: iptables: remove unused functions Jan Engelhardt
2009-08-04 7:26 ` [PATCH 093/103] netfilter: iptables: remove xt1/ipv4 registration functions Jan Engelhardt
2009-08-04 7:26 ` [PATCH 094/103] netfilter: iptables: remove remaining xt1 code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 095/103] netfilter: xt_quota: enable module lookup via arpt Jan Engelhardt
2009-08-04 7:26 ` [PATCH 096/103] netfilter: arptables: include xt1_perproto in arp_tables Jan Engelhardt
2009-08-04 7:26 ` [PATCH 097/103] netfilter: arptables: switch to xt2 tables Jan Engelhardt
2009-08-04 7:26 ` [PATCH 098/103] netfilter: arptables: remove unused functions Jan Engelhardt
2009-08-04 7:26 ` [PATCH 099/103] netfilter: arptables: remove xt1/arp registration functions Jan Engelhardt
2009-08-04 7:26 ` [PATCH 100/103] netfilter: arptables: remove remaining xt1 code Jan Engelhardt
2009-08-04 7:26 ` [PATCH 101/103] netfilter: xtables1: remove xt1 table handling Jan Engelhardt
2009-08-04 7:26 ` [PATCH 102/103] netfilter: xtables1: remove info lock Jan Engelhardt
2009-08-04 7:26 ` [PATCH 103/103] netfilter: xtables1: remove compat-userspace code Jan Engelhardt
2009-08-04 12:47 ` Xtables2 snapshot 20090804 Patrick McHardy
2009-08-04 13:26 ` Jan Engelhardt
2009-08-04 13:16 ` Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1249370787-17583-77-git-send-email-jengelh@medozas.de \
--to=jengelh@medozas.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).