xtables: extend matches and targets with .usersize

In matches and targets that define a kernel-only tail to their
xt_match and xt_target data structs, add a field .usersize that
specifies up to where data is to be shared with userspace.

Performed a search for comment "Used internally by the kernel" to find
relevant matches and targets. Manually inspected the structs to derive
a valid offsetof.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Willem de Bruijn 2017-01-02 17:19:46 -05:00 коммит произвёл Pablo Neira Ayuso
Родитель 4915f7bbc4
Коммит ec23189049
14 изменённых файлов: 23 добавлений и 0 удалений


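--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -105,6 +105,7 @@ static struct xt_match ebt_limit_mt_reg __read_mostly = {
 .match = ebt_limit_mt,
 .checkentry = ebt_limit_mt_check,
 .matchsize = sizeof(struct ebt_limit_info),
+.usersize = offsetof(struct ebt_limit_info, prev),
 #ifdef CONFIG_COMPAT
 .compatsize = sizeof(struct ebt_compat_limit_info),
 #endif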
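Review bot: `.usersize = offsetof(struct ebt_limit_info, prev)` encodes an invariant that nothing in the hunk records: `prev` must stay the first kernel-only member of the struct, otherwise a later reordering or a user-visible field added after it would again copy kernel state out to userspace, or truncate user-visible data, with no compile-time signal. I would put a one-line comment on the field, `/* userspace copy stops at the first kernel-only member; keep in sync with struct ebt_limit_info */`, and the same comment belongs on every `.usersize` line this commit adds (clusterip_tg_reg, ip6t_npt_target_reg, xt_ct_tg_reg, xt_rateest_tg_reg, tee_tg_reg, bpf_mt_reg, cgroup_mt_reg, connlimit_mt_reg, hashlimit_mt_reg, limit_mt_reg, quota_mt_reg, xt_rateest_mt_reg, xt_string_mt_reg). A single offset can only express a contiguous kernel-only tail; if any of these structs interleaves user and kernel members, that limitation is worth stating in the commit message. The `ebt_limit_mt_reg` initializer starts and ends outside the hunk.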


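--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -468,6 +468,7 @@ static struct xt_target clusterip_tg_reg __read_mostly = {
 .checkentry = clusterip_tg_check,
 .destroy = clusterip_tg_destroy,
 .targetsize = sizeof(struct ipt_clusterip_tgt_info),
+.usersize = offsetof(struct ipt_clusterip_tgt_info, config),
 #ifdef CONFIG_COMPAT
 .compatsize = sizeof(struct compat_ipt_clusterip_tgt_info),
 #endif /* CONFIG_COMPAT */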


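--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -112,6 +112,7 @@ static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
 .table = "mangle",
 .target = ip6t_snpt_tg,
 .targetsize = sizeof(struct ip6t_npt_tginfo),
+.usersize = offsetof(struct ip6t_npt_tginfo, adjustment),
 .checkentry = ip6t_npt_checkentry,
 .family = NFPROTO_IPV6,
 .hooks = (1 << NF_INET_LOCAL_IN) |
@@ -123,6 +124,7 @@ static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
 .table = "mangle",
 .target = ip6t_dnpt_tg,
 .targetsize = sizeof(struct ip6t_npt_tginfo),
+.usersize = offsetof(struct ip6t_npt_tginfo, adjustment),
 .checkentry = ip6t_npt_checkentry,
 .family = NFPROTO_IPV6,
 .hooks = (1 << NF_INET_PRE_ROUTING) |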


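--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -373,6 +373,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
 .name = "CT",
 .family = NFPROTO_UNSPEC,
 .targetsize = sizeof(struct xt_ct_target_info),
+.usersize = offsetof(struct xt_ct_target_info, ct),
 .checkentry = xt_ct_tg_check_v0,
 .destroy = xt_ct_tg_destroy_v0,
 .target = xt_ct_target_v0,
@@ -384,6 +385,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
 .family = NFPROTO_UNSPEC,
 .revision = 1,
 .targetsize = sizeof(struct xt_ct_target_info_v1),
+.usersize = offsetof(struct xt_ct_target_info, ct),
 .checkentry = xt_ct_tg_check_v1,
 .destroy = xt_ct_tg_destroy_v1,
 .target = xt_ct_target_v1,
@@ -395,6 +397,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
 .family = NFPROTO_UNSPEC,
 .revision = 2,
 .targetsize = sizeof(struct xt_ct_target_info_v1),
+.usersize = offsetof(struct xt_ct_target_info, ct),
 .checkentry = xt_ct_tg_check_v2,
 .destroy = xt_ct_tg_destroy_v1,
 .target = xt_ct_target_v1,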
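Review bot: The revision 1 and revision 2 entries size the target with `sizeof(struct xt_ct_target_info_v1)` but bound the userspace copy with `offsetof(struct xt_ct_target_info, ct)`, an offset taken from the revision 0 struct. If `ct` sits at a different position in the v1 layout — presumably it does, since a versioned struct normally grows by inserting user-visible members before the kernel-only tail — the copy back to userspace for revisions 1 and 2 stops short and truncates user-visible configuration, and any later growth of the v0 struct would instead move the bound past `ct` and re-expose the kernel pointer. Both lines should take size and offset from the same struct: `.usersize = offsetof(struct xt_ct_target_info_v1, ct),`. The `xt_ct_tg_reg[]` array starts and ends outside the hunks.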


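--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -162,6 +162,7 @@ static struct xt_target xt_rateest_tg_reg __read_mostly = {
 .checkentry = xt_rateest_tg_checkentry,
 .destroy = xt_rateest_tg_destroy,
 .targetsize = sizeof(struct xt_rateest_target_info),
+.usersize = offsetof(struct xt_rateest_target_info, est),
 .me = THIS_MODULE,
 };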


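--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -133,6 +133,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 .family = NFPROTO_IPV4,
 .target = tee_tg4,
 .targetsize = sizeof(struct xt_tee_tginfo),
+.usersize = offsetof(struct xt_tee_tginfo, priv),
 .checkentry = tee_tg_check,
 .destroy = tee_tg_destroy,
 .me = THIS_MODULE,
@@ -144,6 +145,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 .family = NFPROTO_IPV6,
 .target = tee_tg6,
 .targetsize = sizeof(struct xt_tee_tginfo),
+.usersize = offsetof(struct xt_tee_tginfo, priv),
 .checkentry = tee_tg_check,
 .destroy = tee_tg_destroy,
 .me = THIS_MODULE,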


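--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -110,6 +110,7 @@ static struct xt_match bpf_mt_reg[] __read_mostly = {
 .match = bpf_mt,
 .destroy = bpf_mt_destroy,
 .matchsize = sizeof(struct xt_bpf_info),
+.usersize = offsetof(struct xt_bpf_info, filter),
 .me = THIS_MODULE,
 },
 {
@@ -120,6 +121,7 @@ static struct xt_match bpf_mt_reg[] __read_mostly = {
 .match = bpf_mt_v1,
 .destroy = bpf_mt_destroy_v1,
 .matchsize = sizeof(struct xt_bpf_info_v1),
+.usersize = offsetof(struct xt_bpf_info_v1, filter),
 .me = THIS_MODULE,
 },
 };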


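--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -122,6 +122,7 @@ static struct xt_match cgroup_mt_reg[] __read_mostly = {
 .checkentry = cgroup_mt_check_v1,
 .match = cgroup_mt_v1,
 .matchsize = sizeof(struct xt_cgroup_info_v1),
+.usersize = offsetof(struct xt_cgroup_info_v1, priv),
 .destroy = cgroup_mt_destroy_v1,
 .me = THIS_MODULE,
 .hooks = (1 << NF_INET_LOCAL_OUT) |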


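--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -431,6 +431,7 @@ static struct xt_match connlimit_mt_reg __read_mostly = {
 .checkentry = connlimit_mt_check,
 .match = connlimit_mt,
 .matchsize = sizeof(struct xt_connlimit_info),
+.usersize = offsetof(struct xt_connlimit_info, data),
 .destroy = connlimit_mt_destroy,
 .me = THIS_MODULE,
 };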


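--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -838,6 +838,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
 .family = NFPROTO_IPV4,
 .match = hashlimit_mt_v1,
 .matchsize = sizeof(struct xt_hashlimit_mtinfo1),
+.usersize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
 .checkentry = hashlimit_mt_check_v1,
 .destroy = hashlimit_mt_destroy_v1,
 .me = THIS_MODULE,
@@ -848,6 +849,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
 .family = NFPROTO_IPV4,
 .match = hashlimit_mt,
 .matchsize = sizeof(struct xt_hashlimit_mtinfo2),
+.usersize = offsetof(struct xt_hashlimit_mtinfo2, hinfo),
 .checkentry = hashlimit_mt_check,
 .destroy = hashlimit_mt_destroy,
 .me = THIS_MODULE,
@@ -859,6 +861,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
 .family = NFPROTO_IPV6,
 .match = hashlimit_mt_v1,
 .matchsize = sizeof(struct xt_hashlimit_mtinfo1),
+.usersize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
 .checkentry = hashlimit_mt_check_v1,
 .destroy = hashlimit_mt_destroy_v1,
 .me = THIS_MODULE,
@@ -869,6 +872,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
 .family = NFPROTO_IPV6,
 .match = hashlimit_mt,
 .matchsize = sizeof(struct xt_hashlimit_mtinfo2),
+.usersize = offsetof(struct xt_hashlimit_mtinfo2, hinfo),
 .checkentry = hashlimit_mt_check,
 .destroy = hashlimit_mt_destroy,
 .me = THIS_MODULE,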


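--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -192,6 +192,8 @@ static struct xt_match limit_mt_reg __read_mostly = {
 .compatsize = sizeof(struct compat_xt_rateinfo),
 .compat_from_user = limit_mt_compat_from_user,
 .compat_to_user = limit_mt_compat_to_user,
+#else
+.usersize = offsetof(struct xt_rateinfo, prev),
 #endif
 .me = THIS_MODULE,
 };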
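Review bot: `.usersize` is set only in the new `#else` branch of `#ifdef CONFIG_COMPAT`, so on a kernel built with CONFIG_COMPAT the native copy of `struct xt_rateinfo` back to userspace remains unbounded and still includes the kernel-only tail starting at `prev`; as far as the names show, `compat_to_user` only serves compat callers and does not cover that path. Unless leaving the native path whole on COMPAT builds is intentional, the field should be set unconditionally: move `.usersize = offsetof(struct xt_rateinfo, prev),` outside the `#ifdef` (next to `.me = THIS_MODULE,`) and drop the `#else`. If the intent is to keep the two configurations different, a short comment explaining why the compat build must keep the full copy would save the next reader the same question. The `limit_mt_reg` initializer starts outside the hunk.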


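--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -73,6 +73,7 @@ static struct xt_match quota_mt_reg __read_mostly = {
 .checkentry = quota_mt_check,
 .destroy = quota_mt_destroy,
 .matchsize = sizeof(struct xt_quota_info),
+.usersize = offsetof(struct xt_quota_info, master),
 .me = THIS_MODULE,
 };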


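--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -133,6 +133,7 @@ static struct xt_match xt_rateest_mt_reg __read_mostly = {
 .checkentry = xt_rateest_mt_checkentry,
 .destroy = xt_rateest_mt_destroy,
 .matchsize = sizeof(struct xt_rateest_match_info),
+.usersize = offsetof(struct xt_rateest_match_info, est1),
 .me = THIS_MODULE,
 };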


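--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -77,6 +77,7 @@ static struct xt_match xt_string_mt_reg __read_mostly = {
 .match = string_mt,
 .destroy = string_mt_destroy,
 .matchsize = sizeof(struct xt_string_info),
+.usersize = offsetof(struct xt_string_info, config),
 .me = THIS_MODULE,
 };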