| Home » Mailing lists » Devel » [PATCH 1/2] iptables 32bit compat layer Goto Forum:
	| 
		
			| [PATCH 1/2] iptables 32bit compat layer [message #1688] | Mon, 20 February 2006 08:10  |  
			| 
				
				
					|  Mishin Dmitry Messages: 112
 Registered: February 2006
 | Senior Member |  |  |  
	| Hello, 
 This patch set extends current iptables compatibility layer in order to get
 32bit iptables to work on 64bit kernel. Current layer is insufficient
 due to alignment checks both in kernel and user space tools.
 
 This patch introduces base compatibility interface for other ip_tables modules
 
 --
 Thanks,
 Dmitry.
 
 --- ./include/linux/netfilter/x_tables.h.iptcompat	2006-02-15 16:16:02.000000000 +0300
 +++ ./include/linux/netfilter/x_tables.h	2006-02-15 18:53:09.000000000 +0300
 @@ -80,12 +80,19 @@ struct xt_counters_info
 
 #ifdef __KERNEL__
 
 +#include <linux/config.h>
 #include <linux/netdevice.h>
 
 #define ASSERT_READ_LOCK(x)
 #define ASSERT_WRITE_LOCK(x)
 #include <linux/netfilter_ipv4/listhelp.h>
 
 +#ifdef CONFIG_COMPAT
 +#define COMPAT_TO_USER		1
 +#define COMPAT_FROM_USER	-1
 +#define COMPAT_CALC_SIZE	0
 +#endif
 +
 struct xt_match
 {
 struct list_head list;
 @@ -118,6 +125,10 @@ struct xt_match
 /* Called when entry of this type deleted. */
 void (*destroy)(void *matchinfo, unsigned int matchinfosize);
 
 +#ifdef CONFIG_COMPAT
 +	/* Called when userspace align differs from kernel space one */
 +	int (*compat)(void *match, void **dstptr, int *size, int convert);
 +#endif
 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 struct module *me;
 };
 @@ -154,6 +165,10 @@ struct xt_target
 /* Called when entry of this type deleted. */
 void (*destroy)(void *targinfo, unsigned int targinfosize);
 
 +#ifdef CONFIG_COMPAT
 +	/* Called when userspace align differs from kernel space one */
 +	int (*compat)(void *target, void **dstptr, int *size, int convert);
 +#endif
 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 struct module *me;
 };
 @@ -233,6 +248,34 @@ extern void xt_proto_fini(int af);
 extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
 extern void xt_free_table_info(struct xt_table_info *info);
 
 +#ifdef CONFIG_COMPAT
 +#include <net/compat.h>
 +
 +/* FIXME: this works only on 32 bit tasks
 + * need to change whole approach in order to calculate align as function of
 + * current task alignment */
 +
 +struct compat_xt_counters
 +{
 +	u_int32_t cnt[4];
 +};
 +
 +struct compat_xt_counters_info
 +{
 +	char name[XT_TABLE_MAXNAMELEN];
 +	compat_uint_t num_counters;
 +	struct compat_xt_counters counters[0];
 +};
 +
 +#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
 +		& ~(__alignof__(struct compat_xt_counters)-1))
 +
 +extern int ipt_match_align_compat(void *match, void **dstptr,
 +		int *size, int off, int convert);
 +extern int ipt_target_align_compat(void *target, void **dstptr,
 +		int *size, int off, int convert);
 +
 +#endif /* CONFIG_COMPAT */
 #endif /* __KERNEL__ */
 
 #endif /* _X_TABLES_H */
 --- ./include/linux/netfilter_ipv4/ip_tables.h.iptcompat	2006-02-15 16:06:41.000000000 +0300
 +++ ./include/linux/netfilter_ipv4/ip_tables.h	2006-02-15 16:37:12.000000000 +0300
 @@ -16,6 +16,7 @@
 #define _IPTABLES_H
 
 #ifdef __KERNEL__
 +#include <linux/config.h>
 #include <linux/if.h>
 #include <linux/types.h>
 #include <linux/in.h>
 @@ -364,5 +365,62 @@ extern unsigned int ipt_do_table(struct
 void *userdata);
 
 #define IPT_ALIGN(s) XT_ALIGN(s)
 +
 +#ifdef CONFIG_COMPAT
 +#include <net/compat.h>
 +
 +struct compat_ipt_getinfo
 +{
 +	char name[IPT_TABLE_MAXNAMELEN];
 +	compat_uint_t valid_hooks;
 +	compat_uint_t hook_entry[NF_IP_NUMHOOKS];
 +	compat_uint_t underflow[NF_IP_NUMHOOKS];
 +	compat_uint_t num_entries;
 +	compat_uint_t size;
 +};
 +
 +struct compat_ipt_entry
 +{
 +	struct ipt_ip ip;
 +	compat_uint_t nfcache;
 +	u_int16_t target_offset;
 +	u_int16_t next_offset;
 +	compat_uint_t comefrom;
 +	struct compat_xt_counters counters;
 +	unsigned char elems[0];
 +};
 +
 +struct compat_ipt_entry_match
 +{
 +	union {
 +		struct {
 +			u_int16_t match_size;
 +			char name[IPT_FUNCTION_MAXNAMELEN];
 +		} user;
 +		u_int16_t match_size;
 +	} u;
 +	unsigned char data[0];
 +};
 +
 +struct compat_ipt_entry_target
 +{
 +	union {
 +		struct {
 +			u_int16_t target_size;
 +			char name[IPT_FUNCTION_MAXNAMELEN];
 +		} user;
 +		u_int16_t target_size;
 +	} u;
 +	unsigned char data[0];
 +};
 +
 +#define COMPAT_IPT_ALIGN(s) 	COMPAT_XT_ALIGN(s)
 +
 +extern int ipt_match_align_compat(void *match, void **dstptr,
 +		int *size, int off, int convert);
 +extern int ipt_target_align_compat(void *target, void **dstptr,
 +		int *size, int off, int convert);
 +
 +#endif /* CONFIG_COMPAT */
 #endif /*__KERNEL__*/
 #endif /* _IPTABLES_H */
 --- ./include/net/compat.h.iptcompat	2006-01-03 06:21:10.000000000 +0300
 +++ ./include/net/compat.h	2006-02-15 18:45:49.000000000 +0300
 @@ -23,6 +23,14 @@ struct compat_cmsghdr {
 compat_int_t	cmsg_type;
 };
 
 +#if defined(CONFIG_X86_64)
 +#define is_current_32bits() (current_thread_info()->flags & _TIF_IA32)
 +#elif defined(CONFIG_IA64)
 +#define is_current_32bits() (IS_IA32_PROCESS(ia64_task_regs(current)))
 +#else
 +#define is_current_32bits()	0
 +#endif
 +
 #else /* defined(CONFIG_COMPAT) */
 #define compat_msghdr	msghdr		/* to avoid compiler warnings */
 #endif /* defined(CONFIG_COMPAT) */
 --- ./net/compat.c.iptcompat	2006-01-03 06:21:10.000000000 +0300
 +++ ./net/compat.c	2006-02-15 16:38:45.000000000 +0300
 @@ -308,107 +308,6 @@ void scm_detach_fds_compat(struct msghdr
 }
 
 /*
 - * For now, we assume that the compatibility and native version
 - * of struct ipt_entry are the same - sfr.  FIXME
 - */
 -struct compat_ipt_replace {
 -	char			name[IPT_TABLE_MAXNAMELEN];
 -	u32			valid_hooks;
 -	u32			num_entries;
 -	u32			size;
 -	u32			hook_entry[NF_IP_NUMHOOKS];
 -	u32			underflow[NF_IP_NUMHOOKS];
 -	u32			num_counters;
 -	compat_uptr_t		counters;	/* struct ipt_counters * */
 -	struct ipt_entry	entries[0];
 -};
 -
 -static int do_netfilter_replace(int fd, int level, int optname,
 -				char __user *optval, int optlen)
 -{
 -	struct compat_ipt_replace __user *urepl;
 -	struct ipt_replace __user *repl_nat;
 -	char name[IPT_TABLE_MAXNAMELEN];
 -	u32 origsize, tmp32, num_counters;
 -	unsigned int repl_nat_size;
 -	int ret;
 -	int i;
 -	compat_uptr_t ucntrs;
 -
 -	urepl = (struct compat_ipt_replace __user *)optval;
 -	if (get_user(origsize, &urepl->size))
 -		return -EFAULT;
 -
 -	/* Hack: Causes ipchains to give correct error msg --RR */
 -	if (optlen != sizeof(*urepl) + origsize)
 -		return -ENOPROTOOPT;
 -
 -	/* XXX Assumes that size of ipt_entry is the same both in
 -	 *     native and compat environments.
 -	 */
 -	repl_nat_size = sizeof(*repl_nat) + origsize;
 -	repl_nat = compat_alloc_user_space(repl_nat_size);
 -
 -	ret = -EFAULT;
 -	if (put_user(origsize, &repl_nat->size))
 -		goto out;
 -
 -	if (!access_ok(VERIFY_READ, urepl, optlen) ||
 -	    !access_ok(VERIFY_WRITE, repl_nat, optlen))
 -		goto out;
 -
 -	if (__copy_from_user(name, urepl->name, sizeof(urepl->name)) ||
 -	    __copy_to_user(repl_nat->name, name, sizeof(repl_nat->name)))
 -		goto out;
 -
 -	if (__get_user(tmp32, &urepl->valid_hooks) ||
 -	    __put_user(tmp32, &repl_nat->valid_hooks))
 -		goto out;
 -
 -	if (__get_user(tmp32, &urepl->num_entries) ||
 -	    __put_user(tmp32, &repl_nat->num_entries))
 -		goto out;
 -
 -	if (__get_user(num_counters, &urepl->num_counters) ||
 -	    __put_user(num_counters, &repl_nat->num_counters))
 -		goto out;
 -
 -	if (__get_user(ucntrs, &urepl->counters) ||
 -	    __put_user(compat_ptr(ucntrs), &repl_nat->counters))
 -		goto out;
 -
 -	if (__copy_in_user(&repl_nat->entries[0],
 -			   &urepl->entries[0],
 -			   origsize))
 -		goto out;
 -
 -	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 -		if (__get_user(tmp32, &urepl->hook_entry[i]) ||
 -		    __put_user(tmp32, &repl_nat->hook_entry[i]) ||
 -		    __get_user(tmp32, &urepl->underflow[i]) ||
 -		    __put_user(tmp32, &repl_nat->underflow[i]))
 -			goto out;
 -	}
 -
 -	/*
 -	 * Since struct ipt_counters just contains two u_int64_t members
 -	 * we can just do the access_ok check here and pass the (converted)
 -	 * pointer into the standard syscall.  We hope that the pointer is
 -	 * not misaligned ...
 -	 */
 -	if (!access_ok(VERIFY_WRITE, compat_ptr(ucntrs),
 -		       num_counters * sizeof(struct ipt_counters)))
 -		goto out;
 -
 -
 -	ret = sys_setsockopt(fd, level, optname,
 -			     (char __user *)repl_nat, repl_nat_size);
 -
 -out:
 -	return ret;
 -}
 -
 -/*
 * A struct sock_filter is architecture independent.
 */
 struct compat_sock_fprog {
 @@ -460,10 +359,6 @@ static int do_set_sock_timeout(int fd, i
 asmlinkage long compat_sys_setsockopt(int fd, int level, int optname,
 char __user *optval, int optlen)
 {
 -	/* SO_SET_REPLACE seems to be the same in all levels */
 -	if (optname == IPT_SO_SET_REPLACE)
 -		return do_netfilter_replace(fd, level, optname,
 -					    optval, optlen);
 if (level == SOL_SOCKET && optname == SO_ATTACH_FILTER)
 return do_set_attach_filter(fd, level, optname,
 optval, optlen);
 --- ./net/ipv4/netfilter/ip_tables.c.iptcompat	2006-02-15 16:06:42.000000000 +0300
 +++ ./net/ipv4/netfilter/ip_tables.c	2006-02-17 19:38:05.000000000 +0300
 @@ -24,6 +24,7 @@
 #include <linux/module.h>
 #include <linux/icmp.h>
 #include <net/ip.h>
 +#include <net/compat.h>
 #include <asm/uaccess.h>
 #include <asm/semaphore.h>
 #include <linux/proc_fs.h>
 @@ -480,7 +481,7 @@ standard_check(const struct ipt_entry_ta
 if (t->u.target_size
 != IPT_ALIGN(sizeof(struct ipt_standard_target))) {
 duprintf("standard_check: target size %u != %u\n",
 -			 t->u.target_size,
 +			 t->u.target_size, (unsigned int)
 IPT_ALIGN(sizeof(struct ipt_standard_target)));
 return 0;
 }
 @@ -790,17 +791,11 @@ get_counters(const struct xt_table_info
 }
 }
 
 -static int
 -copy_entries_to_user(unsigned int total_size,
 -		     struct ipt_table *table,
 -		     void __user *userptr)
 +static inline struct xt_counters * alloc_counters(struct ipt_table *table)
 {
 -	unsigned int off, num, countersize;
 -	struct ipt_entry *e;
 +	unsigned int countersize;
 struct xt_counters *counters;
 struct xt_table_info 
...
 
 
 |  
	|  |  |  
	|  |  
	| 
		
			| Re: [PATCH 1/2] iptables 32bit compat layer [message #1718 is a reply to message #1688] | Mon, 20 February 2006 15:55   |  
			| 
				
				
					|  Arnd Bergmann Messages: 10
 Registered: February 2006
 | Junior Member |  |  |  
	| On Monday 20 February 2006 09:10, Mishin Dmitry wrote: > ---  ./include/linux/netfilter/x_tables.h.iptcompat      2006-02- 15 16:16:02.000000000 +0300
 > +++ ./include/linux/netfilter/x_tables.h        2006-02-15 18:53:09.000000000 +0300
 >  struct xt_match
 >  {
 >         struct list_head list;
 > @@ -118,6 +125,10 @@ struct xt_match
 >         /* Called when entry of this type deleted. */
 >         void (*destroy)(void *matchinfo, unsigned int matchinfosize);
 >
 > +#ifdef CONFIG_COMPAT
 > +       /* Called when userspace align differs from kernel space one */
 > +       int (*compat)(void *match, void **dstptr, int *size, int convert);
 > +#endif
 >         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 >         struct module *me;
 >  };
 
 Is CONFIG_COMPAT the right conditional here? If the code is only used
 for architectures that have different aligments, it should not need be
 compiled in for the other architectures.
 
 > @@ -154,6 +165,10 @@ struct xt_target
 >         /* Called when entry of this type deleted. */
 >         void (*destroy)(void *targinfo, unsigned int targinfosize);
 >
 > +#ifdef CONFIG_COMPAT
 > +       /* Called when userspace align differs from kernel space one */
 > +       int (*compat)(void *target, void **dstptr, int *size, int convert);
 > +#endif
 >         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 >         struct module *me;
 >  };
 > @@ -233,6 +248,34 @@ extern void xt_proto_fini(int af);
 >  extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
 >  extern void xt_free_table_info(struct xt_table_info *info);
 >
 > +#ifdef CONFIG_COMPAT
 > +#include <net/compat.h>
 > +
 > +/* FIXME: this works only on 32 bit tasks
 > + * need to change whole approach in order to calculate align as function of
 > + * current task alignment */
 > +
 > +struct compat_xt_counters
 > +{
 > +       u_int32_t cnt[4];
 > +};
 
 Hmm, maybe we should have something like
 
 typedef u64 __attribute__((aligned(4))) compat_u64;
 
 in order to get the right alignment on the architectures
 where it makes a difference. Do all compiler versions
 get that right?
 
 > ---  ./include/linux/netfilter_ipv4/ip_tables.h.iptcompat         2006-02-15 16:06:41.000000000 +0300
 > +++ ./include/linux/netfilter_ipv4/ip_tables.h  2006-02-15 16:37:12.000000000 +0300
 > @@ -364,5 +365,62 @@ extern unsigned int ipt_do_table(struct
 >                                  void *userdata);
 >
 >  #define IPT_ALIGN(s) XT_ALIGN(s)
 > +
 > +#ifdef CONFIG_COMPAT
 > +#include <net/compat.h>
 > +
 > +struct compat_ipt_getinfo
 > +{
 > +       char name[IPT_TABLE_MAXNAMELEN];
 > +       compat_uint_t valid_hooks;
 > +       compat_uint_t hook_entry[NF_IP_NUMHOOKS];
 > +       compat_uint_t underflow[NF_IP_NUMHOOKS];
 > +       compat_uint_t num_entries;
 > +       compat_uint_t size;
 > +};
 
 This structure looks like it does not need any
 conversions. You should probably just use
 struct ipt_getinfo then.
 
 > +
 > +struct compat_ipt_entry_match
 > +{
 > +       union {
 > +               struct {
 > +                       u_int16_t match_size;
 > +                       char name[IPT_FUNCTION_MAXNAMELEN];
 > +               } user;
 > +               u_int16_t match_size;
 > +       } u;
 > +       unsigned char data[0];
 > +};
 > +
 > +struct compat_ipt_entry_target
 > +{
 > +       union {
 > +               struct {
 > +                       u_int16_t target_size;
 > +                       char name[IPT_FUNCTION_MAXNAMELEN];
 > +               } user;
 > +               u_int16_t target_size;
 > +       } u;
 > +       unsigned char data[0];
 > +};
 
 Dito
 
 > +#define COMPAT_IPT_ALIGN(s)    COMPAT_XT_ALIGN(s)
 > +
 > +extern int ipt_match_align_compat(void *match, void **dstptr,
 > +               int *size, int off, int convert);
 > +extern int ipt_target_align_compat(void *target, void **dstptr,
 > +               int *size, int off, int convert);
 > +
 > +#endif /* CONFIG_COMPAT */
 >  #endif /*__KERNEL__*/
 >  #endif /* _IPTABLES_H */
 > --- ./include/net/compat.h.iptcompat    2006-01-03 06:21:10.000000000 +0300
 > +++ ./include/net/compat.h      2006-02-15 18:45:49.000000000 +0300
 > @@ -23,6 +23,14 @@ struct compat_cmsghdr {
 >         compat_int_t    cmsg_type;
 >  };
 >
 > +#if defined(CONFIG_X86_64)
 > +#define is_current_32bits() (current_thread_info()->flags & _TIF_IA32)
 > +#elif defined(CONFIG_IA64)
 > +#define is_current_32bits() (IS_IA32_PROCESS(ia64_task_regs(current)))
 > +#else
 > +#define is_current_32bits()    0
 > +#endif
 > +
 
 This definition looks very wrong to me. For x86_64, the right thing to check
 should be TS_COMPAT, no _TIF_IA32, since you can also call the 64 bit
 syscall entry point from a i386 task running on x86_64. For most other
 architectures, is_current_32bits returns something that is not reflected
 in the name. I would e.g. expect the function to return '1' on i386 and
 the correct task state on other compat platforms, instead of a bogus '0'.
 
 There have been long discussions about the inclusions of the 'is_compat_task'
 macro. Let's at least not define a second function that does almost the
 same but gets it wrong.
 
 I would much rather have either an extra 'compat' argument to to
 sock_setsockopt and proto_ops->setsockopt than to spread the use
 of is_compat_task further.
 
 >  #else /* defined(CONFIG_COMPAT) */
 >  #define compat_msghdr  msghdr          /* to avoid compiler warnings */
 >  #endif /* defined(CONFIG_COMPAT) */
 > --- ./net/compat.c.iptcompat    2006-01-03 06:21:10.000000000 +0300
 > +++ ./net/compat.c      2006-02-15 16:38:45.000000000 +0300
 > @@ -308,107 +308,6 @@ void scm_detach_fds_compat(struct msghdr
 >  }
 >
 >  /*
 > - * For now, we assume that the compatibility and native version
 > - * of struct ipt_entry are the same - sfr.  FIXME
 > - */
 > -struct compat_ipt_replace {
 > -       char                    name[IPT_TABLE_MAXNAMELEN];
 > -       u32                     valid_hooks;
 > -       u32                     num_entries;
 > -       u32                     size;
 > -       u32                     hook_entry[NF_IP_NUMHOOKS];
 > -       u32                     underflow[NF_IP_NUMHOOKS];
 > -       u32                     num_counters;
 > -       compat_uptr_t           counters;       /* struct ipt_counters * */
 > -       struct ipt_entry        entries[0];
 > -};
 
 Is the FIXME above the only reason that the code needs to be changed?
 What is the reason that you did not just address this in the
 compat_sys_setsockopt implementation?
 
 Arnd <><
 |  
	|  |  |  
	|  |  
	| 
		
			| Re:  Re: [PATCH 1/2] iptables 32bit compat layer [message #1720 is a reply to message #1718] | Tue, 21 February 2006 09:04   |  
			| 
				
				
					|  dim Messages: 344
 Registered: August 2005
 | Senior Member |  |  |  
	| On Monday 20 February 2006 18:55, Arnd Bergmann wrote: > On Monday 20 February 2006 09:10, Mishin Dmitry wrote:
 > > ---  ./include/linux/netfilter/x_tables.h.iptcompat      2006-02- 15
 > > 16:16:02.000000000 +0300 +++
 > > ./include/linux/netfilter/x_tables.h        2006-02-15 18:53:09.000000000
 > > +0300 struct xt_match
 > >  {
 > >         struct list_head list;
 > > @@ -118,6 +125,10 @@ struct xt_match
 > >         /* Called when entry of this type deleted. */
 > >         void (*destroy)(void *matchinfo, unsigned int matchinfosize);
 > >
 > > +#ifdef CONFIG_COMPAT
 > > +       /* Called when userspace align differs from kernel space one */
 > > +       int (*compat)(void *match, void **dstptr, int *size, int
 > > convert); +#endif
 > >         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 > >         struct module *me;
 > >  };
 >
 > Is CONFIG_COMPAT the right conditional here? If the code is only used
 > for architectures that have different aligments, it should not need be
 > compiled in for the other architectures.
 So, I'll define ARCH_HAS_FUNNY_64_ALIGNMENT in x86_64 and ia64 code and will
 check it, as Andi suggested.
 
 >
 > > @@ -154,6 +165,10 @@ struct xt_target
 > >         /* Called when entry of this type deleted. */
 > >         void (*destroy)(void *targinfo, unsigned int targinfosize);
 > >
 > > +#ifdef CONFIG_COMPAT
 > > +       /* Called when userspace align differs from kernel space one */
 > > +       int (*compat)(void *target, void **dstptr, int *size, int
 > > convert); +#endif
 > >         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 > >         struct module *me;
 > >  };
 > > @@ -233,6 +248,34 @@ extern void xt_proto_fini(int af);
 > >  extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
 > >  extern void xt_free_table_info(struct xt_table_info *info);
 > >
 > > +#ifdef CONFIG_COMPAT
 > > +#include <net/compat.h>
 > > +
 > > +/* FIXME: this works only on 32 bit tasks
 > > + * need to change whole approach in order to calculate align as function
 > > of + * current task alignment */
 > > +
 > > +struct compat_xt_counters
 > > +{
 > > +       u_int32_t cnt[4];
 > > +};
 >
 > Hmm, maybe we should have something like
 >
 > typedef u64 __attribute__((aligned(4))) compat_u64;
 >
 > in order to get the right alignment on the architectures
 > where it makes a difference. Do all compiler versions
 > get that right?
 good point. I don't know this and that's why tried to avoid use of 'aligned'
 attribute.
 
 >
 > > ---
 > >  ./include/linux/netfilter_ipv4/ip_tables.h.iptcompat         2006-02-15
 > > 16:06:41.000000000 +0300 +++
 > > ./include/linux/netfilter_ipv4/ip_tables.h  2006-02-15 16:37:12.000000000
 > > +0300 @@ -364,5 +365,62 @@ extern unsigned int ipt_do_table(struct
 > >                                  void *userdata);
 > >
 > >  #define IPT_ALIGN(s) XT_ALIGN(s)
 > > +
 > > +#ifdef CONFIG_COMPAT
 > > +#include <net/compat.h>
 > > +
 > > +struct compat_ipt_getinfo
 > > +{
 > > +       char name[IPT_TABLE_MAXNAMELEN];
 > > +       compat_uint_t valid_hooks;
 > > +       compat_uint_t hook_entry[NF_IP_NUMHOOKS];
 > > +       compat_uint_t underflow[NF_IP_NUMHOOKS];
 > > +       compat_uint_t num_entries;
 > > +       compat_uint_t size;
 > > +};
 >
 > This structure looks like it does not need any
 > conversions. You should probably just use
 > struct ipt_getinfo then.
 I just saw compat_uint_t use in net/compat.c and thought, that it is a good
 style to use it. Does anybody know arch, where sizeof(compat_uint_t) != 4?
 
 >
 > > +
 > > +struct compat_ipt_entry_match
 > > +{
 > > +       union {
 > > +               struct {
 > > +                       u_int16_t match_size;
 > > +                       char name[IPT_FUNCTION_MAXNAMELEN];
 > > +               } user;
 > > +               u_int16_t match_size;
 > > +       } u;
 > > +       unsigned char data[0];
 > > +};
 > > +
 > > +struct compat_ipt_entry_target
 > > +{
 > > +       union {
 > > +               struct {
 > > +                       u_int16_t target_size;
 > > +                       char name[IPT_FUNCTION_MAXNAMELEN];
 > > +               } user;
 > > +               u_int16_t target_size;
 > > +       } u;
 > > +       unsigned char data[0];
 > > +};
 >
 > Dito
 Disagree, ipt_entry_match and ipt_entry_target contain pointers which make
 their alignment equal 8 byte on 64bits architectures.
 
 >
 > > +#define COMPAT_IPT_ALIGN(s)    COMPAT_XT_ALIGN(s)
 > > +
 > > +extern int ipt_match_align_compat(void *match, void **dstptr,
 > > +               int *size, int off, int convert);
 > > +extern int ipt_target_align_compat(void *target, void **dstptr,
 > > +               int *size, int off, int convert);
 > > +
 > > +#endif /* CONFIG_COMPAT */
 > >  #endif /*__KERNEL__*/
 > >  #endif /* _IPTABLES_H */
 > > --- ./include/net/compat.h.iptcompat    2006-01-03 06:21:10.000000000
 > > +0300 +++ ./include/net/compat.h      2006-02-15 18:45:49.000000000 +0300
 > > @@ -23,6 +23,14 @@ struct compat_cmsghdr {
 > >         compat_int_t    cmsg_type;
 > >  };
 > >
 > > +#if defined(CONFIG_X86_64)
 > > +#define is_current_32bits() (current_thread_info()->flags & _TIF_IA32)
 > > +#elif defined(CONFIG_IA64)
 > > +#define is_current_32bits() (IS_IA32_PROCESS(ia64_task_regs(current)))
 > > +#else
 > > +#define is_current_32bits()    0
 > > +#endif
 > > +
 >
 > This definition looks very wrong to me. For x86_64, the right thing to
 > check should be TS_COMPAT, no _TIF_IA32, since you can also call the 64 bit
 > syscall entry point from a i386 task running on x86_64. For most other
 > architectures, is_current_32bits returns something that is not reflected in
 > the name. I would e.g. expect the function to return '1' on i386 and the
 > correct task state on other compat platforms, instead of a bogus '0'.
 >
 > There have been long discussions about the inclusions of the
 > 'is_compat_task' macro. Let's at least not define a second function that
 > does almost the same but gets it wrong.
 >
 > I would much rather have either an extra 'compat' argument to to
 > sock_setsockopt and proto_ops->setsockopt than to spread the use
 > of is_compat_task further.
 Another weak place in my code. is_compat_task() approach has one advantage -
 it doesn't require a lot of current code modifications.
 >
 > >  #else /* defined(CONFIG_COMPAT) */
 > >  #define compat_msghdr  msghdr          /* to avoid compiler warnings */
 > >  #endif /* defined(CONFIG_COMPAT) */
 > > --- ./net/compat.c.iptcompat    2006-01-03 06:21:10.000000000 +0300
 > > +++ ./net/compat.c      2006-02-15 16:38:45.000000000 +0300
 > > @@ -308,107 +308,6 @@ void scm_detach_fds_compat(struct msghdr
 > >  }
 > >
 > >  /*
 > > - * For now, we assume that the compatibility and native version
 > > - * of struct ipt_entry are the same - sfr.  FIXME
 > > - */
 > > -struct compat_ipt_replace {
 > > -       char                    name[IPT_TABLE_MAXNAMELEN];
 > > -       u32                     valid_hooks;
 > > -       u32                     num_entries;
 > > -       u32                     size;
 > > -       u32                     hook_entry[NF_IP_NUMHOOKS];
 > > -       u32                     underflow[NF_IP_NUMHOOKS];
 > > -       u32                     num_counters;
 > > -       compat_uptr_t           counters;       /* struct ipt_counters *
 > > */ -       struct ipt_entry        entries[0];
 > > -};
 >
 > Is the FIXME above the only reason that the code needs to be changed?
 > What is the reason that you did not just address this in the
 > compat_sys_setsockopt implementation?
 Code above doesn't work. iptables with version >= 1.3 does alignment checks as
 well as kernel does. So, we can't simply put entries with 8 bytes alignment
 to userspace or with 4 bytes alignment to kernel - we need translate them
 entry by entry. So, I tried to do this the most correct way - that userspace
 will hide its alignment from kernel and vice versa, with not only
 SET_REPLACE, but also GET_INFO, GET_ENTRIES and SET_COUNTERS translation.
 First implementation was exactly in compat_sys_setsockopt, but David asked me
 to do this in netfilter code itself.
 
 >
 > 	Arnd <><
 >
 --
 Thanks,
 Dmitry.
...
 
 
 |  
	|  |  |  
	| 
		
			| Re:  Re: [PATCH 1/2] iptables 32bit compat layer [message #1721 is a reply to message #1719] | Tue, 21 February 2006 09:24   |  
			| 
				
				
					|  dim Messages: 344
 Registered: August 2005
 | Senior Member |  |  |  
	| On Tuesday 21 February 2006 00:23, Andi Kleen wrote: > Mishin Dmitry <dim@openvz.org> writes:
 > > Hello,
 > >
 > > This patch set extends current iptables compatibility layer in order to
 > > get 32bit iptables to work on 64bit kernel. Current layer is insufficient
 > > due to alignment checks both in kernel and user space tools.
 > >
 > > This patch introduces base compatibility interface for other ip_tables
 > > modules
 >
 > Nice. But some issues with the implementation
 >
 >
 > +#if defined(CONFIG_X86_64)
 > +#define is_current_32bits() (current_thread_info()->flags & _TIF_IA32)
 >
 > This should be is_compat_task(). And we don't do such ifdefs
 > in generic code.  And what you actually need here is a
 > is_compat_task_with_funny_u64_alignment() (better name sought)
 >
 > So I would suggest you add macros for that to the ia64 and x86-64
 > asm/compat.hs and perhaps a ARCH_HAS_FUNNY_U64_ALIGNMENT #define in there.
 agree.
 
 >
 > +	ret = 0;
 > +	switch (convert) {
 > +		case COMPAT_TO_USER:
 > +			pt = (struct ipt_entry_target *)target;
 >
 > etc. that looks ugly. why can't you just define different functions
 > for that?  We don't really need in kernel ioctl
 3 functions and the requirement that if defined one, than defined all of them?
 
 >
 > +#ifdef CONFIG_COMPAT
 > +	down(&compat_ipt_mutex);
 > +#endif
 >
 > Why does it need an own lock?
 Because it protects only compatibility translation. We spend a lot of time in
 these cycles and I don't think that it is a good way to hold ipt_mutex for
 this. The only reason of this lock is offset list - in the first iteration I
 fill it, in the second - use it. If you know how to implement this better,
 let me know.
 
 >
 > Overall the implementation looks very complicated. Are you sure
 > it wasn't possible to do this simpler?
 ughh...
 I don't like this code as well. But seems that it is due to iptables code
 itself, which was designed with no thoughts about compatibility in minds.
 
 So, I see following approaches:
 1) do translation before pass data to original do_replace or get_entries.
 Disadvantage of such approach is additional 2 cycles through data.
 2) do translation in compat_do_replace and compat_get_entries. Avoidance of
 additional cycles, but some code duplication.
 3) remove alignment checks in kernel - than we need only first time
 translation from kernel to user. But such code will not work with both 32bit
 and 64 bit iptables at the same time.
 
 Any suggestions?
 
 >
 >
 > -Andi
 >
 --
 Thanks,
 Dmitry.
 |  
	|  |  |  
	| 
		
			| Re:  Re: [PATCH 1/2] iptables 32bit compat layer [message #1722 is a reply to message #1720] | Tue, 21 February 2006 11:56   |  
			| 
				
				
					|  Arnd Bergmann Messages: 10
 Registered: February 2006
 | Junior Member |  |  |  
	| On Tuesday 21 February 2006 10:04, Dmitry Mishin wrote: > On Monday 20 February 2006 18:55, Arnd Bergmann wrote:
 
 > > Is CONFIG_COMPAT the right conditional here? If the code is only used
 > > for architectures that have different aligments, it should not need be
 > > compiled in for the other architectures.
 > So, I'll define ARCH_HAS_FUNNY_64_ALIGNMENT in x86_64 and ia64 code and will
 > check it, as Andi suggested.
 >
 
 I think nowadays, unconditionally setting CONFIG_FUNNY_64_ALIGNMENT from
 arch/{ia64,x86_64}/Kconfig would be the preferred way to a #define in
 include/asm.
 
 > > >  #define IPT_ALIGN(s) XT_ALIGN(s)
 > > > +
 > > > +#ifdef CONFIG_COMPAT
 > > > +#include <net/compat.h>
 > > > +
 > > > +struct compat_ipt_getinfo
 > > > +{
 > > > +       char name[IPT_TABLE_MAXNAMELEN];
 > > > +       compat_uint_t valid_hooks;
 > > > +       compat_uint_t hook_entry[NF_IP_NUMHOOKS];
 > > > +       compat_uint_t underflow[NF_IP_NUMHOOKS];
 > > > +       compat_uint_t num_entries;
 > > > +       compat_uint_t size;
 > > > +};
 > >
 > > This structure looks like it does not need any
 > > conversions. You should probably just use
 > > struct ipt_getinfo then.
 > I just saw compat_uint_t use in net/compat.c and thought, that it is a good
 > style to use it. Does anybody know arch, where sizeof(compat_uint_t) != 4?
 
 No, the compat layer already heavily depends on the fact that compat_uint_t
 is always the same as unsigned int.
 
 > >
 > > Dito
 > Disagree, ipt_entry_match and ipt_entry_target contain pointers which make
 > their alignment equal 8 byte on 64bits architectures.
 
 Ah, I see.
 
 > > I would much rather have either an extra 'compat' argument to to
 > > sock_setsockopt and proto_ops->setsockopt than to spread the use
 > > of is_compat_task further.
 > Another weak place in my code. is_compat_task() approach has one advantage -
 > it doesn't require a lot of current code modifications.
 > >
 > > Is the FIXME above the only reason that the code needs to be changed?
 > > What is the reason that you did not just address this in the
 > > compat_sys_setsockopt implementation?
 > Code above doesn't work. iptables with version >= 1.3 does alignment checks as
 > well as kernel does. So, we can't simply put entries with 8 bytes alignment
 > to userspace or with 4 bytes alignment to kernel - we need translate them
 > entry by entry. So, I tried to do this the most correct way - that userspace
 > will hide its alignment from kernel and vice versa, with not only
 > SET_REPLACE, but also GET_INFO, GET_ENTRIES and SET_COUNTERS translation.
 > First implementation was exactly in compat_sys_setsockopt, but David asked me
 > to do this in netfilter code itself.
 
 Ok, I see the point there. It's probably best to push down all the conversions
 from compat_sys_setsockopt down to the protocol specific parts, similar to what
 we do for the ioctl handlers.
 
 I'm thinking of something like
 
 int compat_sock_setsockopt(struct socket *sock, int level, int optname,
 char __user *optval, int optlen)
 {
 switch (optname) {
 case SO_ATTACH_FILTER:
 return do_set_attach_filter(fd, level, optname,
 optval, optlen);
 case SO_SNDTIMEO:
 return do_set_sock_timeout(fd, level, optname,
 optval, optlen);
 default:
 break;
 }
 return sock_setsockopt(sock, level, optname, optval, optlen);
 }
 
 asmlinkage long compat_sys_setsockopt(int fd, int level, int optname,
 char __user *optval, int optlen)
 {
 int err;
 struct socket *sock;
 
 if (optlen < 0)
 return -EINVAL;
 
 if ((sock = sockfd_lookup(fd, &err))!=NULL)
 {
 err = security_socket_setsockopt(sock,level,optname);
 if (err) {
 sockfd_put(sock);
 return err;
 }
 
 if (level == SOL_SOCKET)
 err = compat_sock_setsockopt(sock, level,
 optname, optval, optlen);
 else if (sock->ops->compat_setsockopt)
 err = sock->ops->compat_setsockopt(sock, level,
 optname, optval, optlen);
 else
 err = sock->ops->setsockopt(sock, level,
 optname, optval, optlen);
 sockfd_put(sock);
 }
 return err;
 }
 
 int tcp_setsockopt(struct sock *sk, int level, int optname, char __user *optval, int optlen)
 {
 int err = 0;
 
 err = ip_setsockopt(sk, level, optname, optval, optlen);
 
 #ifdef CONFIG_NETFILTER
 if (err = -ENOPROTOOPT) {
 lock_sock(sk);
 err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
 release_sock(sk);
 }
 #endif
 return err;
 }
 
 int compat_tcp_setsockopt(struct sock *sk, int level, int optname, char __user *optval, int optlen)
 {
 int err = 0;
 
 err = ip_setsockopt(sk, level, optname, optval, optlen);
 
 #ifdef CONFIG_NETFILTER
 if (err = -ENOPROTOOPT) {
 lock_sock(sk);
 err = compat_nf_setsockopt(sk, PF_INET, optname, optval, optlen);
 release_sock(sk);
 }
 #endif
 return err;
 }
 
 And the same for udp, raw, ipv6, decnet and each of those with getsockopt.
 It is a bigger change, but it puts all the handlers where they belong
 and it is more extensible to other sockopt handlers if we find more
 fsckup in some of them.
 
 Arnd <><
 |  
	|  |  |  
	| 
		
			| {get|set}sockopt compat layer [message #1925 is a reply to message #1722] | Tue, 07 March 2006 14:07   |  
			| 
				
				
					|  Mishin Dmitry Messages: 112
 Registered: February 2006
 | Senior Member |  |  |  
	| Hello, Arnd! 
 Sorry for such delay, was on vacancy. Here is a patch, introducing
 compat_(get|set)sockopt handlers, as you proposed.
 
 On Tuesday 21 February 2006 14:56, Arnd Bergmann wrote:
 > On Tuesday 21 February 2006 10:04, Dmitry Mishin wrote:
 > > On Monday 20 February 2006 18:55, Arnd Bergmann wrote:
 > > > Is CONFIG_COMPAT the right conditional here? If the code is only used
 > > > for architectures that have different aligments, it should not need be
 > > > compiled in for the other architectures.
 > >
 > > So, I'll define ARCH_HAS_FUNNY_64_ALIGNMENT in x86_64 and ia64 code and
 > > will check it, as Andi suggested.
 >
 > I think nowadays, unconditionally setting CONFIG_FUNNY_64_ALIGNMENT from
 > arch/{ia64,x86_64}/Kconfig would be the preferred way to a #define in
 > include/asm.
 >
 > > > >  #define IPT_ALIGN(s) XT_ALIGN(s)
 > > > > +
 > > > > +#ifdef CONFIG_COMPAT
 > > > > +#include <net/compat.h>
 > > > > +
 > > > > +struct compat_ipt_getinfo
 > > > > +{
 > > > > +       char name[IPT_TABLE_MAXNAMELEN];
 > > > > +       compat_uint_t valid_hooks;
 > > > > +       compat_uint_t hook_entry[NF_IP_NUMHOOKS];
 > > > > +       compat_uint_t underflow[NF_IP_NUMHOOKS];
 > > > > +       compat_uint_t num_entries;
 > > > > +       compat_uint_t size;
 > > > > +};
 > > >
 > > > This structure looks like it does not need any
 > > > conversions. You should probably just use
 > > > struct ipt_getinfo then.
 > >
 > > I just saw compat_uint_t use in net/compat.c and thought, that it is a
 > > good style to use it. Does anybody know arch, where sizeof(compat_uint_t)
 > > != 4?
 >
 > No, the compat layer already heavily depends on the fact that compat_uint_t
 > is always the same as unsigned int.
 >
 > > > Dito
 > >
 > > Disagree, ipt_entry_match and ipt_entry_target contain pointers which
 > > make their alignment equal 8 byte on 64bits architectures.
 >
 > Ah, I see.
 >
 > > > I would much rather have either an extra 'compat' argument to to
 > > > sock_setsockopt and proto_ops->setsockopt than to spread the use
 > > > of is_compat_task further.
 > >
 > > Another weak place in my code. is_compat_task() approach has one
 > > advantage - it doesn't require a lot of current code modifications.
 > >
 > > > Is the FIXME above the only reason that the code needs to be changed?
 > > > What is the reason that you did not just address this in the
 > > > compat_sys_setsockopt implementation?
 > >
 > > Code above doesn't work. iptables with version >= 1.3 does alignment
 > > checks as well as kernel does. So, we can't simply put entries with 8
 > > bytes alignment to userspace or with 4 bytes alignment to kernel - we
 > > need translate them entry by entry. So, I tried to do this the most
 > > correct way - that userspace will hide its alignment from kernel and vice
 > > versa, with not only SET_REPLACE, but also GET_INFO, GET_ENTRIES and
 > > SET_COUNTERS translation. First implementation was exactly in
 > > compat_sys_setsockopt, but David asked me to do this in netfilter code
 > > itself.
 >
 > Ok, I see the point there. It's probably best to push down all the
 > conversions from compat_sys_setsockopt down to the protocol specific parts,
 > similar to what we do for the ioctl handlers.
 >
 > I'm thinking of something like
 >
 > int compat_sock_setsockopt(struct socket *sock, int level, int optname,
 > 		    char __user *optval, int optlen)
 > {
 > 	switch (optname) {
 > 	case SO_ATTACH_FILTER:
 > 		return do_set_attach_filter(fd, level, optname,
 > 					    optval, optlen);
 > 	case SO_SNDTIMEO:
 > 		return do_set_sock_timeout(fd, level, optname,
 > 					   optval, optlen);
 > 	default:
 > 		break;
 > 	}
 > 	return sock_setsockopt(sock, level, optname, optval, optlen);
 > }
 >
 > asmlinkage long compat_sys_setsockopt(int fd, int level, int optname,
 > 				char __user *optval, int optlen)
 > {
 > 	int err;
 > 	struct socket *sock;
 >
 > 	if (optlen < 0)
 > 		return -EINVAL;
 >
 > 	if ((sock = sockfd_lookup(fd, &err))!=NULL)
 > 	{
 > 		err = security_socket_setsockopt(sock,level,optname);
 > 		if (err) {
 > 			sockfd_put(sock);
 > 			return err;
 > 		}
 >
 > 		if (level == SOL_SOCKET)
 > 			err = compat_sock_setsockopt(sock, level,
 > 					optname, optval, optlen);
 > 		else if (sock->ops->compat_setsockopt)
 > 			err = sock->ops->compat_setsockopt(sock, level,
 > 					optname, optval, optlen);
 > 		else
 > 			err = sock->ops->setsockopt(sock, level,
 > 					optname, optval, optlen);
 > 		sockfd_put(sock);
 > 	}
 > 	return err;
 > }
 >
 > int tcp_setsockopt(struct sock *sk, int level, int optname, char __user
 > *optval, int optlen) {
 > 	int err = 0;
 >
 > 	err = ip_setsockopt(sk, level, optname, optval, optlen);
 >
 > #ifdef CONFIG_NETFILTER
 > 	if (err = -ENOPROTOOPT) {
 > 		lock_sock(sk);
 > 		err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
 > 		release_sock(sk);
 > 	}
 > #endif
 > 	return err;
 > }
 >
 > int compat_tcp_setsockopt(struct sock *sk, int level, int optname, char
 > __user *optval, int optlen) {
 > 	int err = 0;
 >
 > 	err = ip_setsockopt(sk, level, optname, optval, optlen);
 >
 > #ifdef CONFIG_NETFILTER
 > 	if (err = -ENOPROTOOPT) {
 > 		lock_sock(sk);
 > 		err = compat_nf_setsockopt(sk, PF_INET, optname, optval, optlen);
 > 		release_sock(sk);
 > 	}
 > #endif
 > 	return err;
 > }
 >
 > And the same for udp, raw, ipv6, decnet and each of those with getsockopt.
 > It is a bigger change, but it puts all the handlers where they belong
 > and it is more extensible to other sockopt handlers if we find more
 > fsckup in some of them.
 >
 > 	Arnd <><
 
 --
 Thanks,
 Dmitry.
 
 --- ./include/linux/net.h.compat	2006-03-07 11:22:27.000000000 +0300
 +++ ./include/linux/net.h	2006-03-07 11:20:07.000000000 +0300
 @@ -149,6 +149,12 @@ struct proto_ops {
 int optname, char __user *optval, int optlen);
 int		(*getsockopt)(struct socket *sock, int level,
 int optname, char __user *optval, int __user *optlen);
 +#ifdef CONFIG_COMPAT
 +	int		(*compat_setsockopt)(struct socket *sock, int level,
 +				      int optname, char __user *optval, int optlen);
 +	int		(*compat_getsockopt)(struct socket *sock, int level,
 +				      int optname, char __user *optval, int __user *optlen);
 +#endif
 int		(*sendmsg)   (struct kiocb *iocb, struct socket *sock,
 struct msghdr *m, size_t total_len);
 int		(*recvmsg)   (struct kiocb *iocb, struct socket *sock,
 --- ./include/linux/netfilter.h.compat	2006-03-06 12:06:34.000000000 +0300
 +++ ./include/linux/netfilter.h	2006-03-07 15:00:14.000000000 +0300
 @@ -2,6 +2,7 @@
 #define __LINUX_NETFILTER_H
 
 #ifdef __KERNEL__
 +#include <linux/config.h>
 #include <linux/init.h>
 #include <linux/types.h>
 #include <linux/skbuff.h>
 @@ -80,10 +81,18 @@ struct nf_sockopt_ops
 int set_optmin;
 int set_optmax;
 int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len);
 +#ifdef CONFIG_COMPAT
 +	int (*compat_set)(struct sock *sk, int optval,
 +			void __user *user, unsigned int len);
 +#endif
 
 int get_optmin;
 int get_optmax;
 int (*get)(struct sock *sk, int optval, void __user *user, int *len);
 +#ifdef CONFIG_COMPAT
 +	int (*compat_get)(struct sock *sk, int optval,
 +			void __user *user, int *len);
 +#endif
 
 /* Number of users inside set() or get(). */
 unsigned int use;
 @@ -246,6 +255,13 @@ int nf_setsockopt(struct sock *sk, int p
 int nf_getsockopt(struct sock *sk, int pf, int optval, char __user *opt,
 int *len);
 
 +#ifdef CONFIG_COMPAT
 +int compat_nf_setsockopt(struct sock *sk, int pf, int optval,
 +		char __user *opt, int len);
 +int compat_nf_getsockopt(struct sock *sk, int pf, int optval,
 +		char __user *opt, int *len);
 +#endif
 +
 /* Packet queuing */
 struct nf_queue_handler {
 int (*outfn)(struct sk_buff *skb, struct nf_info *info,
 --- ./include/net/inet_connection_sock.h.compat	2006-03-06 12:06:34.000000000 +0300
 +++ ./include/net/inet_connection_sock.h	2006-03-07 15:46:20.000000000 +0300
 @@ -15,6 +15,7 @@
 #ifndef _INET_CONNECTION_SOCK_H
 #define _INET_CONNECTION_SOCK_H
 
 +#include <linux/config.h>
 #include <linux/compiler.h>
 #include <linux/string.h>
 #include <linux/timer.h>
 @@ -50,6 +51,14 @@ struct inet_connection_sock_af_ops {
 char __user *optval, int optlen);
 int	    (*getsockopt)(struct sock *sk, int level, int optname,
 char __user *optval, int __user *optlen);
 +#ifdef CONFIG_COMPAT
 +	int	    (*compat_setsockopt)(struct sock *sk,
 +				int level, int optname,
 +				char __user *optval, int optlen);
 +	int	    (*compat_getsockopt)(struct sock *sk,
 +				int level, int optname,
 +				char __user *optval, int __user *optlen);
 +#endif
 void	    (*addr2sockaddr)(struct sock *sk, struct sockaddr *);
 int sockaddr_len;
 };
 --- ./include/net/ip.h.compat	2006-03-06 12:06:34.000000000 +0300
 +++ ./include/net/ip.h	2006-03-07 14:38:54.000000000 +0300
 @@ -356,6 +356,12 @@ extern void	ip_cmsg_recv(struct msghdr *
 extern int	ip_cmsg_send(struct msghdr *msg, struct ipcm_cookie *ipc);
 extern int	ip_setsockopt(struct sock *sk, int level, int optname, char __user *optval, int optlen);
 extern int	ip_getsockopt(struct sock *sk, int level, int optname, char __user *optval, int __user *optlen);
 +#ifdef CONFIG_COMPAT
 +extern int	compat_ip_setsockopt(struct sock *sk, int level,
 +			int optname, char __user *optval, int optlen);
 +extern int	compat_ip_getsocko
...
 
 
 |  
	|  |  |  
	| 
		
			| Re: {get|set}sockopt compat layer [message #1926 is a reply to message #1925] | Tue, 07 March 2006 15:05   |  
			| 
				
				
					|  Arnd Bergmann Messages: 10
 Registered: February 2006
 | Junior Member |  |  |  
	| On Tuesday 07 March 2006 15:07, Dmitry Mishin wrote: > Sorry for such delay, was on vacancy. Here is a patch, introducing
 > compat_(get|set)sockopt handlers, as you proposed.
 
 Looks pretty good to me, just a few nits I like to pick:
 
 > --- ./include/linux/net.h.compat        2006-03-07 11:22:27.000000000 +0300
 > +++ ./include/linux/net.h       2006-03-07 11:20:07.000000000 +0300
 > @@ -149,6 +149,12 @@ struct proto_ops {
 >                                       int optname, char __user *optval, int optlen);
 >         int             (*getsockopt)(struct socket *sock, int level,
 >                                       int optname, char __user *optval, int __user *optlen);
 > +#ifdef CONFIG_COMPAT
 > +       int             (*compat_setsockopt)(struct socket *sock, int level,
 > +                                     int optname, char __user *optval, int optlen);
 > +       int             (*compat_getsockopt)(struct socket *sock, int level,
 > +                                     int optname, char __user *optval, int __user *optlen);
 > +#endif
 >         int             (*sendmsg)   (struct kiocb *iocb, struct socket *sock,
 >                                       struct msghdr *m, size_t total_len);
 >         int             (*recvmsg)   (struct kiocb *iocb, struct socket *sock,
 
 For the compat_ioctl stuff, we don't have the function pointer inside an
 #ifdef, the overhead is relatively small since there is only one of these
 structures per module implementing a protocol, but it avoids having to
 rebuild everything when changing CONFIG_COMPAT.
 
 It's probably not a big issue either way, maybe davem has a stronger opinion
 on it either way.
 
 > --- ./include/linux/netfilter.h.compat  2006-03-06 12:06:34.000000000 +0300
 > +++ ./include/linux/netfilter.h 2006-03-07 15:00:14.000000000 +0300
 > @@ -2,6 +2,7 @@
 >  #define __LINUX_NETFILTER_H
 >
 >  #ifdef __KERNEL__
 > +#include <linux/config.h>
 >  #include <linux/init.h>
 >  #include <linux/types.h>
 >  #include <linux/skbuff.h>
 
 You don't need to add new <linux/config.h> includes any more, these are
 automatic now.
 
 > @@ -80,10 +81,18 @@ struct nf_sockopt_ops
 >         int set_optmin;
 >         int set_optmax;
 >         int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len);
 > +#ifdef CONFIG_COMPAT
 > +       int (*compat_set)(struct sock *sk, int optval,
 > +                       void __user *user, unsigned int len);
 > +#endif
 >
 >         int get_optmin;
 >         int get_optmax;
 >         int (*get)(struct sock *sk, int optval, void __user *user, int *len);
 > +#ifdef CONFIG_COMPAT
 > +       int (*compat_get)(struct sock *sk, int optval,
 > +                       void __user *user, int *len);
 > +#endif
 >
 >         /* Number of users inside set() or get(). */
 >         unsigned int use;
 
 see above, same for some more of these.
 
 > @@ -816,6 +826,12 @@ extern int sock_common_recvmsg(struct ki
 >                                struct msghdr *msg, size_t size, int flags);
 >  extern int sock_common_setsockopt(struct socket *sock, int level, int optname,
 >                                   char __user *optval, int optlen);
 > +#ifdef CONFIG_COMPAT
 > +extern int compat_sock_common_getsockopt(struct socket *sock, int level,
 > +               int optname, char __user *optval, int __user *optlen);
 > +extern int compat_sock_common_setsockopt(struct socket *sock, int level,
 > +               int optname, char __user *optval, int optlen);
 > +#endif
 >
 >  extern void sk_common_release(struct sock *sk);
 >
 
 Declarations don't belong inside #ifdef.
 
 Arnd <><
 |  
	|  |  |  
	| 
		
			| Re: {get|set}sockopt compat layer [message #1941 is a reply to message #1926] | Thu, 09 March 2006 10:23   |  
			| 
				
				
					|  Mishin Dmitry Messages: 112
 Registered: February 2006
 | Senior Member |  |  |  
	| Hello, Arnd! 
 > For the compat_ioctl stuff, we don't have the function pointer inside an
 > #ifdef, the overhead is relatively small since there is only one of these
 > structures per module implementing a protocol, but it avoids having to
 > rebuild everything when changing CONFIG_COMPAT.
 >
 > It's probably not a big issue either way, maybe davem has a stronger
 > opinion on it either way.
 >
 Done.
 
 --
 Thanks,
 Dmitry.
 
 --- ./include/linux/net.h.compat	2006-03-09 12:57:53.000000000 +0300
 +++ ./include/linux/net.h	2006-03-09 12:58:53.000000000 +0300
 @@ -149,6 +149,10 @@ struct proto_ops {
 int optname, char __user *optval, int optlen);
 int		(*getsockopt)(struct socket *sock, int level,
 int optname, char __user *optval, int __user *optlen);
 +	int		(*compat_setsockopt)(struct socket *sock, int level,
 +				      int optname, char __user *optval, int optlen);
 +	int		(*compat_getsockopt)(struct socket *sock, int level,
 +				      int optname, char __user *optval, int __user *optlen);
 int		(*sendmsg)   (struct kiocb *iocb, struct socket *sock,
 struct msghdr *m, size_t total_len);
 int		(*recvmsg)   (struct kiocb *iocb, struct socket *sock,
 --- ./include/linux/netfilter.h.compat	2006-03-09 12:57:53.000000000 +0300
 +++ ./include/linux/netfilter.h	2006-03-09 12:59:44.000000000 +0300
 @@ -80,10 +80,14 @@ struct nf_sockopt_ops
 int set_optmin;
 int set_optmax;
 int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len);
 +	int (*compat_set)(struct sock *sk, int optval,
 +			void __user *user, unsigned int len);
 
 int get_optmin;
 int get_optmax;
 int (*get)(struct sock *sk, int optval, void __user *user, int *len);
 +	int (*compat_get)(struct sock *sk, int optval,
 +			void __user *user, int *len);
 
 /* Number of users inside set() or get(). */
 unsigned int use;
 @@ -246,6 +250,11 @@ int nf_setsockopt(struct sock *sk, int p
 int nf_getsockopt(struct sock *sk, int pf, int optval, char __user *opt,
 int *len);
 
 +int compat_nf_setsockopt(struct sock *sk, int pf, int optval,
 +		char __user *opt, int len);
 +int compat_nf_getsockopt(struct sock *sk, int pf, int optval,
 +		char __user *opt, int *len);
 +
 /* Packet queuing */
 struct nf_queue_handler {
 int (*outfn)(struct sk_buff *skb, struct nf_info *info,
 --- ./include/net/inet_connection_sock.h.compat	2006-03-09 12:57:53.000000000 +0300
 +++ ./include/net/inet_connection_sock.h	2006-03-09 12:59:58.000000000 +0300
 @@ -50,6 +50,12 @@ struct inet_connection_sock_af_ops {
 char __user *optval, int optlen);
 int	    (*getsockopt)(struct sock *sk, int level, int optname,
 char __user *optval, int __user *optlen);
 +	int	    (*compat_setsockopt)(struct sock *sk,
 +				int level, int optname,
 +				char __user *optval, int optlen);
 +	int	    (*compat_getsockopt)(struct sock *sk,
 +				int level, int optname,
 +				char __user *optval, int __user *optlen);
 void	    (*addr2sockaddr)(struct sock *sk, struct sockaddr *);
 int sockaddr_len;
 };
 --- ./include/net/ip.h.compat	2006-03-09 12:57:53.000000000 +0300
 +++ ./include/net/ip.h	2006-03-09 13:00:15.000000000 +0300
 @@ -356,6 +356,10 @@ extern void	ip_cmsg_recv(struct msghdr *
 extern int	ip_cmsg_send(struct msghdr *msg, struct ipcm_cookie *ipc);
 extern int	ip_setsockopt(struct sock *sk, int level, int optname, char __user *optval, int optlen);
 extern int	ip_getsockopt(struct sock *sk, int level, int optname, char __user *optval, int __user *optlen);
 +extern int	compat_ip_setsockopt(struct sock *sk, int level,
 +			int optname, char __user *optval, int optlen);
 +extern int	compat_ip_getsockopt(struct sock *sk, int level,
 +			int optname, char __user *optval, int __user *optlen);
 extern int	ip_ra_control(struct sock *sk, unsigned char on, void (*destructor)(struct sock *));
 
 extern int 	ip_recv_error(struct sock *sk, struct msghdr *msg, int len);
 --- ./include/net/sctp/structs.h.compat	2006-03-09 12:57:53.000000000 +0300
 +++ ./include/net/sctp/structs.h	2006-03-09 13:00:36.000000000 +0300
 @@ -514,6 +514,16 @@ struct sctp_af {
 int optname,
 char __user *optval,
 int __user *optlen);
 +	int		(*compat_setsockopt)	(struct sock *sk,
 +					 int level,
 +					 int optname,
 +					 char __user *optval,
 +					 int optlen);
 +	int		(*compat_getsockopt)	(struct sock *sk,
 +					 int level,
 +					 int optname,
 +					 char __user *optval,
 +					 int __user *optlen);
 struct dst_entry *(*get_dst)	(struct sctp_association *asoc,
 union sctp_addr *daddr,
 union sctp_addr *saddr);
 --- ./include/net/sock.h.compat	2006-03-09 12:57:53.000000000 +0300
 +++ ./include/net/sock.h	2006-03-09 13:01:10.000000000 +0300
 @@ -520,6 +520,14 @@ struct proto {
 int			(*getsockopt)(struct sock *sk, int level,
 int optname, char __user *optval,
 int __user *option);
 +	int			(*compat_setsockopt)(struct sock *sk,
 +					int level,
 +					int optname, char __user *optval,
 +					int optlen);
 +	int			(*compat_getsockopt)(struct sock *sk,
 +					int level,
 +					int optname, char __user *optval,
 +					int __user *option);
 int			(*sendmsg)(struct kiocb *iocb, struct sock *sk,
 struct msghdr *msg, size_t len);
 int			(*recvmsg)(struct kiocb *iocb, struct sock *sk,
 @@ -816,6 +824,10 @@ extern int sock_common_recvmsg(struct ki
 struct msghdr *msg, size_t size, int flags);
 extern int sock_common_setsockopt(struct socket *sock, int level, int optname,
 char __user *optval, int optlen);
 +extern int compat_sock_common_getsockopt(struct socket *sock, int level,
 +		int optname, char __user *optval, int __user *optlen);
 +extern int compat_sock_common_setsockopt(struct socket *sock, int level,
 +		int optname, char __user *optval, int optlen);
 
 extern void sk_common_release(struct sock *sk);
 
 --- ./include/net/tcp.h.compat	2006-03-09 12:57:53.000000000 +0300
 +++ ./include/net/tcp.h	2006-03-09 13:02:50.000000000 +0300
 @@ -347,6 +347,12 @@ extern int			tcp_getsockopt(struct sock
 extern int			tcp_setsockopt(struct sock *sk, int level,
 int optname, char __user *optval,
 int optlen);
 +extern int			compat_tcp_getsockopt(struct sock *sk,
 +					int level, int optname,
 +					char __user *optval, int __user *optlen);
 +extern int			compat_tcp_setsockopt(struct sock *sk,
 +					int level, int optname,
 +					char __user *optval, int optlen);
 extern void			tcp_set_keepalive(struct sock *sk, int val);
 extern int			tcp_recvmsg(struct kiocb *iocb, struct sock *sk,
 struct msghdr *msg,
 --- ./net/compat.c.compat	2006-03-09 12:57:54.000000000 +0300
 +++ ./net/compat.c	2006-03-09 12:58:23.000000000 +0300
 @@ -416,7 +416,7 @@ struct compat_sock_fprog {
 compat_uptr_t	filter;		/* struct sock_filter * */
 };
 
 -static int do_set_attach_filter(int fd, int level, int optname,
 +static int do_set_attach_filter(struct socket *sock, int level, int optname,
 char __user *optval, int optlen)
 {
 struct compat_sock_fprog __user *fprog32 = (struct compat_sock_fprog __user *)optval;
 @@ -432,11 +432,12 @@ static int do_set_attach_filter(int fd,
 __put_user(compat_ptr(ptr), &kfprog->filter))
 return -EFAULT;
 
 -	return sys_setsockopt(fd, level, optname, (char __user *)kfprog,
 +	return sock_setsockopt(sock, level, optname, (char __user *)kfprog,
 sizeof(struct sock_fprog));
 }
 
 -static int do_set_sock_timeout(int fd, int level, int optname, char __user *optval, int optlen)
 +static int do_set_sock_timeout(struct socket *sock, int level,
 +		int optname, char __user *optval, int optlen)
 {
 struct compat_timeval __user *up = (struct compat_timeval __user *) optval;
 struct timeval ktime;
 @@ -451,30 +452,61 @@ static int do_set_sock_timeout(int fd, i
 return -EFAULT;
 old_fs = get_fs();
 set_fs(KERNEL_DS);
 -	err = sys_setsockopt(fd, level, optname, (char *) &ktime, sizeof(ktime));
 +	err = sock_setsockopt(sock, level, optname, (char *) &ktime, sizeof(ktime));
 set_fs(old_fs);
 
 return err;
 }
 
 +static int compat_sock_setsockopt(struct socket *sock, int level, int optname,
 +				char __user *optval, int optlen)
 +{
 +	if (optname == SO_ATTACH_FILTER)
 +		return do_set_attach_filter(sock, level, optname,
 +					    optval, optlen);
 +	if (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO)
 +		return do_set_sock_timeout(sock, level, optname, optval, optlen);
 +
 +	return sock_setsockopt(sock, level, optname, optval, optlen);
 +}
 +
 asmlinkage long compat_sys_setsockopt(int fd, int level, int optname,
 char __user *optval, int optlen)
 {
 +	int err;
 +	struct socket *sock;
 +
 /* SO_SET_REPLACE seems to be the same in all levels */
 if (optname == IPT_SO_SET_REPLACE)
 return do_netfilter_replace(fd, level, optname,
 optval, optlen);
 -	if (level == SOL_SOCKET && optname == SO_ATTACH_FILTER)
 -		return do_set_attach_filter(fd, level, optname,
 -					    optval, optlen);
 -	if (level == SOL_SOCKET &&
 -	    (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO))
 -		return do_set_sock_timeout(fd, level, optname, optval, optlen);
 
 -	return sys_setsockopt(fd, level, optname, optval, optlen);
 +	if (optlen < 0)
 +		return -EINVAL;
 +
 +	if ((sock = sockfd_lookup(fd, &err))!=NULL)
 +	{
 +		err = security_socket_setsockopt(sock,level,optname);
 +		if (err) {
 +			sockfd_put(sock);
 +			return err;
 +		}
 +
 +		if (level == SOL_SOCKET)
 +			err = compat_sock_setsockopt(sock, level,
 +					optname, optval, optlen);
 +		else if (sock->ops->compat_setsockopt)
 +			err = sock->ops->compat_setsockopt(sock, level,
 +					optname, optval, optlen);
 +		else
 +			err = sock->ops->setsockopt(sock, level,
 +					optname, optval, optlen);
 +		sockfd_put(sock);
 +	}
 +	return err;
 }
 
 -static int do_get_sock_timeout(int fd, int level, int optname,
 +static int do_get_sock_timeout(struct socket *sock, int level, int optname,
 char __user *optval, int __user *optlen)
 {
 struct compat_timeval __user *up;
 @@ -490,7 +522,7 @@ static int do_get_sock_timeout(int fd, i
 len = sizeof(ktime);
 old
...
 
 
 |  
	|  |  |  
	|  |  
	| 
		
			| [PATCH] {get|set}sockopt compatibility layer [message #1973 is a reply to message #1954] | Fri, 10 March 2006 11:21   |  
			| 
				
				
					|  Mishin Dmitry Messages: 112
 Registered: February 2006
 | Senior Member |  |  |  
	| This patch extends {get|set}sockopt compatibility layer in order to move protocol specific parts to their place and avoid  huge universal net/compat.c
 file in the future.
 
 Signed-off-by: Dmitry Mishin <dim@openvz.org>
 
 --
 Thanks,
 Dmitry.
 
 --- ./include/linux/net.h.compat	2006-03-10 11:58:11.000000000 +0300
 +++ ./include/linux/net.h	2006-03-10 12:24:11.000000000 +0300
 @@ -149,6 +149,10 @@ struct proto_ops {
 int optname, char __user *optval, int optlen);
 int		(*getsockopt)(struct socket *sock, int level,
 int optname, char __user *optval, int __user *optlen);
 +	int		(*compat_setsockopt)(struct socket *sock, int level,
 +				      int optname, char __user *optval, int optlen);
 +	int		(*compat_getsockopt)(struct socket *sock, int level,
 +				      int optname, char __user *optval, int __user *optlen);
 int		(*sendmsg)   (struct kiocb *iocb, struct socket *sock,
 struct msghdr *m, size_t total_len);
 int		(*recvmsg)   (struct kiocb *iocb, struct socket *sock,
 --- ./include/linux/netfilter.h.compat	2006-03-10 11:58:11.000000000 +0300
 +++ ./include/linux/netfilter.h	2006-03-10 12:24:11.000000000 +0300
 @@ -80,10 +80,14 @@ struct nf_sockopt_ops
 int set_optmin;
 int set_optmax;
 int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len);
 +	int (*compat_set)(struct sock *sk, int optval,
 +			void __user *user, unsigned int len);
 
 int get_optmin;
 int get_optmax;
 int (*get)(struct sock *sk, int optval, void __user *user, int *len);
 +	int (*compat_get)(struct sock *sk, int optval,
 +			void __user *user, int *len);
 
 /* Number of users inside set() or get(). */
 unsigned int use;
 @@ -246,6 +250,11 @@ int nf_setsockopt(struct sock *sk, int p
 int nf_getsockopt(struct sock *sk, int pf, int optval, char __user *opt,
 int *len);
 
 +int compat_nf_setsockopt(struct sock *sk, int pf, int optval,
 +		char __user *opt, int len);
 +int compat_nf_getsockopt(struct sock *sk, int pf, int optval,
 +		char __user *opt, int *len);
 +
 /* Packet queuing */
 struct nf_queue_handler {
 int (*outfn)(struct sk_buff *skb, struct nf_info *info,
 --- ./include/net/inet_connection_sock.h.compat	2006-03-10 11:58:11.000000000 +0300
 +++ ./include/net/inet_connection_sock.h	2006-03-10 12:24:11.000000000 +0300
 @@ -50,6 +50,12 @@ struct inet_connection_sock_af_ops {
 char __user *optval, int optlen);
 int	    (*getsockopt)(struct sock *sk, int level, int optname,
 char __user *optval, int __user *optlen);
 +	int	    (*compat_setsockopt)(struct sock *sk,
 +				int level, int optname,
 +				char __user *optval, int optlen);
 +	int	    (*compat_getsockopt)(struct sock *sk,
 +				int level, int optname,
 +				char __user *optval, int __user *optlen);
 void	    (*addr2sockaddr)(struct sock *sk, struct sockaddr *);
 int sockaddr_len;
 };
 --- ./include/net/ip.h.compat	2006-03-10 11:58:11.000000000 +0300
 +++ ./include/net/ip.h	2006-03-10 12:24:11.000000000 +0300
 @@ -356,6 +356,10 @@ extern void	ip_cmsg_recv(struct msghdr *
 extern int	ip_cmsg_send(struct msghdr *msg, struct ipcm_cookie *ipc);
 extern int	ip_setsockopt(struct sock *sk, int level, int optname, char __user *optval, int optlen);
 extern int	ip_getsockopt(struct sock *sk, int level, int optname, char __user *optval, int __user *optlen);
 +extern int	compat_ip_setsockopt(struct sock *sk, int level,
 +			int optname, char __user *optval, int optlen);
 +extern int	compat_ip_getsockopt(struct sock *sk, int level,
 +			int optname, char __user *optval, int __user *optlen);
 extern int	ip_ra_control(struct sock *sk, unsigned char on, void (*destructor)(struct sock *));
 
 extern int 	ip_recv_error(struct sock *sk, struct msghdr *msg, int len);
 --- ./include/net/ipv6.h.compat	2006-03-10 11:58:11.000000000 +0300
 +++ ./include/net/ipv6.h	2006-03-10 13:16:18.000000000 +0300
 @@ -520,6 +520,16 @@ extern int			ipv6_getsockopt(struct sock
 int optname,
 char __user *optval,
 int __user *optlen);
 +extern int			compat_ipv6_setsockopt(struct sock *sk,
 +						int level,
 +						int optname,
 +						char __user *optval,
 +						int optlen);
 +extern int			compat_ipv6_getsockopt(struct sock *sk,
 +						int level,
 +						int optname,
 +						char __user *optval,
 +						int __user *optlen);
 
 extern void			ipv6_packet_init(void);
 
 --- ./include/net/sctp/structs.h.compat	2006-03-10 11:58:11.000000000 +0300
 +++ ./include/net/sctp/structs.h	2006-03-10 12:24:11.000000000 +0300
 @@ -514,6 +514,16 @@ struct sctp_af {
 int optname,
 char __user *optval,
 int __user *optlen);
 +	int		(*compat_setsockopt)	(struct sock *sk,
 +					 int level,
 +					 int optname,
 +					 char __user *optval,
 +					 int optlen);
 +	int		(*compat_getsockopt)	(struct sock *sk,
 +					 int level,
 +					 int optname,
 +					 char __user *optval,
 +					 int __user *optlen);
 struct dst_entry *(*get_dst)	(struct sctp_association *asoc,
 union sctp_addr *daddr,
 union sctp_addr *saddr);
 --- ./include/net/sock.h.compat	2006-03-10 11:58:11.000000000 +0300
 +++ ./include/net/sock.h	2006-03-10 12:24:11.000000000 +0300
 @@ -520,6 +520,14 @@ struct proto {
 int			(*getsockopt)(struct sock *sk, int level,
 int optname, char __user *optval,
 int __user *option);
 +	int			(*compat_setsockopt)(struct sock *sk,
 +					int level,
 +					int optname, char __user *optval,
 +					int optlen);
 +	int			(*compat_getsockopt)(struct sock *sk,
 +					int level,
 +					int optname, char __user *optval,
 +					int __user *option);
 int			(*sendmsg)(struct kiocb *iocb, struct sock *sk,
 struct msghdr *msg, size_t len);
 int			(*recvmsg)(struct kiocb *iocb, struct sock *sk,
 @@ -816,6 +824,10 @@ extern int sock_common_recvmsg(struct ki
 struct msghdr *msg, size_t size, int flags);
 extern int sock_common_setsockopt(struct socket *sock, int level, int optname,
 char __user *optval, int optlen);
 +extern int compat_sock_common_getsockopt(struct socket *sock, int level,
 +		int optname, char __user *optval, int __user *optlen);
 +extern int compat_sock_common_setsockopt(struct socket *sock, int level,
 +		int optname, char __user *optval, int optlen);
 
 extern void sk_common_release(struct sock *sk);
 
 --- ./include/net/tcp.h.compat	2006-03-10 11:58:11.000000000 +0300
 +++ ./include/net/tcp.h	2006-03-10 12:24:11.000000000 +0300
 @@ -352,6 +352,12 @@ extern int			tcp_getsockopt(struct sock
 extern int			tcp_setsockopt(struct sock *sk, int level,
 int optname, char __user *optval,
 int optlen);
 +extern int			compat_tcp_getsockopt(struct sock *sk,
 +					int level, int optname,
 +					char __user *optval, int __user *optlen);
 +extern int			compat_tcp_setsockopt(struct sock *sk,
 +					int level, int optname,
 +					char __user *optval, int optlen);
 extern void			tcp_set_keepalive(struct sock *sk, int val);
 extern int			tcp_recvmsg(struct kiocb *iocb, struct sock *sk,
 struct msghdr *msg,
 --- ./net/compat.c.compat	2006-03-10 11:58:11.000000000 +0300
 +++ ./net/compat.c	2006-03-10 12:24:11.000000000 +0300
 @@ -416,7 +416,7 @@ struct compat_sock_fprog {
 compat_uptr_t	filter;		/* struct sock_filter * */
 };
 
 -static int do_set_attach_filter(int fd, int level, int optname,
 +static int do_set_attach_filter(struct socket *sock, int level, int optname,
 char __user *optval, int optlen)
 {
 struct compat_sock_fprog __user *fprog32 = (struct compat_sock_fprog __user *)optval;
 @@ -432,11 +432,12 @@ static int do_set_attach_filter(int fd,
 __put_user(compat_ptr(ptr), &kfprog->filter))
 return -EFAULT;
 
 -	return sys_setsockopt(fd, level, optname, (char __user *)kfprog,
 +	return sock_setsockopt(sock, level, optname, (char __user *)kfprog,
 sizeof(struct sock_fprog));
 }
 
 -static int do_set_sock_timeout(int fd, int level, int optname, char __user *optval, int optlen)
 +static int do_set_sock_timeout(struct socket *sock, int level,
 +		int optname, char __user *optval, int optlen)
 {
 struct compat_timeval __user *up = (struct compat_timeval __user *) optval;
 struct timeval ktime;
 @@ -451,30 +452,61 @@ static int do_set_sock_timeout(int fd, i
 return -EFAULT;
 old_fs = get_fs();
 set_fs(KERNEL_DS);
 -	err = sys_setsockopt(fd, level, optname, (char *) &ktime, sizeof(ktime));
 +	err = sock_setsockopt(sock, level, optname, (char *) &ktime, sizeof(ktime));
 set_fs(old_fs);
 
 return err;
 }
 
 +static int compat_sock_setsockopt(struct socket *sock, int level, int optname,
 +				char __user *optval, int optlen)
 +{
 +	if (optname == SO_ATTACH_FILTER)
 +		return do_set_attach_filter(sock, level, optname,
 +					    optval, optlen);
 +	if (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO)
 +		return do_set_sock_timeout(sock, level, optname, optval, optlen);
 +
 +	return sock_setsockopt(sock, level, optname, optval, optlen);
 +}
 +
 asmlinkage long compat_sys_setsockopt(int fd, int level, int optname,
 char __user *optval, int optlen)
 {
 +	int err;
 +	struct socket *sock;
 +
 /* SO_SET_REPLACE seems to be the same in all levels */
 if (optname == IPT_SO_SET_REPLACE)
 return do_netfilter_replace(fd, level, optname,
 optval, optlen);
 -	if (level == SOL_SOCKET && optname == SO_ATTACH_FILTER)
 -		return do_set_attach_filter(fd, level, optname,
 -					    optval, optlen);
 -	if (level == SOL_SOCKET &&
 -	    (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO))
 -		return do_set_sock_timeout(fd, level, optname, optval, optlen);
 
 -	return sys_setsockopt(fd, level, optname, optval, optlen);
 +	if (optlen < 0)
 +		return -EINVAL;
 +
 +	if ((sock = sockfd_lookup(fd, &err))!=NULL)
 +	{
 +		err = security_socket_setsockopt(sock,level,optname);
 +		if (err) {
 +			sockfd_put(sock);
 +			return err;
 +		}
 +
 +		if (level == SOL_SOCKET)
 +			err = compat_sock_setsockopt(sock, level,
 +					optname, optval, optlen);
 +		else if (sock->ops->compat_setsockopt)
 +			err = sock->ops->compat_setsockopt(sock, level,
 +					optname, optval, optlen);
 +		else
 +			err = sock->ops->setso
...
 
 
 |  
	|  |  |  
	|  |  
	| 
		
			| [PATCH] iptables 32bit compat layer [message #2163 is a reply to message #1688] | Thu, 23 March 2006 10:24   |  
			| 
				
				
					|  Mishin Dmitry Messages: 112
 Registered: February 2006
 | Senior Member |  |  |  
	| This patch extends current iptables compatibility layer in order to get 32bit iptables to work on 64bit kernel. Current layer is insufficient due to
 alignment checks both in kernel and user space tools.
 
 Patch is for current net-2.6.17 with addition of move of ipt_entry_{match|
 target} definitions to xt_entry_{match|target}.
 
 Signed-off-by: Dmitry Mishin <dim@openvz.org>
 Acked-off-by: Kirill Korotaev <dev@openvz.org>
 
 --
 Thanks,
 Dmitry.
 
 diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
 index ad72a4f..9d4fa6d 100644
 --- a/include/linux/netfilter/x_tables.h
 +++ b/include/linux/netfilter/x_tables.h
 @@ -142,6 +142,12 @@ struct xt_counters_info
 #define ASSERT_WRITE_LOCK(x)
 #include <linux/netfilter_ipv4/listhelp.h>
 
 +#ifdef CONFIG_COMPAT
 +#define COMPAT_TO_USER		1
 +#define COMPAT_FROM_USER	-1
 +#define COMPAT_CALC_SIZE	0
 +#endif
 +
 struct xt_match
 {
 struct list_head list;
 @@ -175,6 +181,9 @@ struct xt_match
 void (*destroy)(const struct xt_match *match, void *matchinfo,
 unsigned int matchinfosize);
 
 +	/* Called when userspace align differs from kernel space one */
 +	int (*compat)(void *match, void **dstptr, int *size, int convert);
 +
 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 struct module *me;
 
 @@ -220,6 +229,9 @@ struct xt_target
 void (*destroy)(const struct xt_target *target, void *targinfo,
 unsigned int targinfosize);
 
 +	/* Called when userspace align differs from kernel space one */
 +	int (*compat)(void *target, void **dstptr, int *size, int convert);
 +
 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 struct module *me;
 
 @@ -314,6 +326,61 @@ extern void xt_proto_fini(int af);
 extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
 extern void xt_free_table_info(struct xt_table_info *info);
 
 +#ifdef CONFIG_COMPAT
 +#include <net/compat.h>
 +
 +struct compat_xt_entry_match
 +{
 +	union {
 +		struct {
 +			u_int16_t match_size;
 +			char name[XT_FUNCTION_MAXNAMELEN - 1];
 +			u_int8_t revision;
 +		} user;
 +		u_int16_t match_size;
 +	} u;
 +	unsigned char data[0];
 +};
 +
 +struct compat_xt_entry_target
 +{
 +	union {
 +		struct {
 +			u_int16_t target_size;
 +			char name[XT_FUNCTION_MAXNAMELEN - 1];
 +			u_int8_t revision;
 +		} user;
 +		u_int16_t target_size;
 +	} u;
 +	unsigned char data[0];
 +};
 +
 +/* FIXME: this works only on 32 bit tasks
 + * need to change whole approach in order to calculate align as function of
 + * current task alignment */
 +
 +struct compat_xt_counters
 +{
 +	u_int32_t cnt[4];
 +};
 +
 +struct compat_xt_counters_info
 +{
 +	char name[XT_TABLE_MAXNAMELEN];
 +	compat_uint_t num_counters;
 +	struct compat_xt_counters counters[0];
 +};
 +
 +#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
 +		& ~(__alignof__(struct compat_xt_counters)-1))
 +
 +extern void xt_compat_lock(int af);
 +extern void xt_compat_unlock(int af);
 +extern int xt_compat_match(void *match, void **dstptr, int *size, int convert);
 +extern int xt_compat_target(void *target, void **dstptr, int *size,
 +		int convert);
 +
 +#endif /* CONFIG_COMPAT */
 #endif /* __KERNEL__ */
 
 #endif /* _X_TABLES_H */
 diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
 index 56eebc6..9e11e32 100644
 --- a/include/linux/netfilter_ipv4/ip_tables.h
 +++ b/include/linux/netfilter_ipv4/ip_tables.h
 @@ -312,5 +312,23 @@ extern unsigned int ipt_do_table(struct
 void *userdata);
 
 #define IPT_ALIGN(s) XT_ALIGN(s)
 +
 +#ifdef CONFIG_COMPAT
 +#include <net/compat.h>
 +
 +struct compat_ipt_entry
 +{
 +	struct ipt_ip ip;
 +	compat_uint_t nfcache;
 +	u_int16_t target_offset;
 +	u_int16_t next_offset;
 +	compat_uint_t comefrom;
 +	struct compat_xt_counters counters;
 +	unsigned char elems[0];
 +};
 +
 +#define COMPAT_IPT_ALIGN(s) 	COMPAT_XT_ALIGN(s)
 +
 +#endif /* CONFIG_COMPAT */
 #endif /*__KERNEL__*/
 #endif /* _IPTABLES_H */
 diff --git a/net/compat.c b/net/compat.c
 index 13177a1..6a7028e 100644
 --- a/net/compat.c
 +++ b/net/compat.c
 @@ -476,8 +476,7 @@ asmlinkage long compat_sys_setsockopt(in
 int err;
 struct socket *sock;
 
 -	/* SO_SET_REPLACE seems to be the same in all levels */
 -	if (optname == IPT_SO_SET_REPLACE)
 +	if (level == SOL_IPV6 && optname == IPT_SO_SET_REPLACE)
 return do_netfilter_replace(fd, level, optname,
 optval, optlen);
 
 diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
 index 39705f9..9149b24 100644
 --- a/net/ipv4/netfilter/ip_tables.c
 +++ b/net/ipv4/netfilter/ip_tables.c
 @@ -24,6 +24,7 @@
 #include <linux/module.h>
 #include <linux/icmp.h>
 #include <net/ip.h>
 +#include <net/compat.h>
 #include <asm/uaccess.h>
 #include <linux/mutex.h>
 #include <linux/proc_fs.h>
 @@ -799,17 +800,11 @@ get_counters(const struct xt_table_info
 }
 }
 
 -static int
 -copy_entries_to_user(unsigned int total_size,
 -		     struct ipt_table *table,
 -		     void __user *userptr)
 +static inline struct xt_counters * alloc_counters(struct ipt_table *table)
 {
 -	unsigned int off, num, countersize;
 -	struct ipt_entry *e;
 +	unsigned int countersize;
 struct xt_counters *counters;
 struct xt_table_info *private = table->private;
 -	int ret = 0;
 -	void *loc_cpu_entry;
 
 /* We need atomic snapshot of counters: rest doesn't change
 (other than comefrom, which userspace doesn't care
 @@ -818,13 +813,32 @@ copy_entries_to_user(unsigned int total_
 counters = vmalloc_node(countersize, numa_node_id());
 
 if (counters == NULL)
 -		return -ENOMEM;
 +		return ERR_PTR(-ENOMEM);
 
 /* First, sum counters... */
 write_lock_bh(&table->lock);
 get_counters(private, counters);
 write_unlock_bh(&table->lock);
 
 +	return counters;
 +}
 +
 +static int
 +copy_entries_to_user(unsigned int total_size,
 +		     struct ipt_table *table,
 +		     void __user *userptr)
 +{
 +	unsigned int off, num;
 +	struct ipt_entry *e;
 +	struct xt_counters *counters;
 +	struct xt_table_info *private = table->private;
 +	int ret = 0;
 +	void *loc_cpu_entry;
 +
 +	counters = alloc_counters(table);
 +	if (IS_ERR(counters))
 +		return PTR_ERR(counters);
 +
 /* choose the copy that is on our node/cpu, ...
 * This choice is lazy (because current thread is
 * allowed to migrate to another cpu)
 @@ -884,44 +898,899 @@ copy_entries_to_user(unsigned int total_
 return ret;
 }
 
 +#ifdef CONFIG_COMPAT
 +struct compat_delta {
 +	struct compat_delta *next;
 +	u_int16_t offset;
 +	short delta;
 +};
 +
 +static struct compat_delta *compat_offsets = NULL;
 +
 +static int compat_add_offset(u_int16_t offset, short delta)
 +{
 +	struct compat_delta *tmp;
 +
 +	tmp = kmalloc(sizeof(struct compat_delta), GFP_KERNEL);
 +	if (!tmp)
 +		return -ENOMEM;
 +	tmp->offset = offset;
 +	tmp->delta = delta;
 +	if (compat_offsets) {
 +		tmp->next = compat_offsets->next;
 +		compat_offsets->next = tmp;
 +	} else {
 +		compat_offsets = tmp;
 +		tmp->next = NULL;
 +	}
 +	return 0;
 +}
 +
 +static void compat_flush_offsets(void)
 +{
 +	struct compat_delta *tmp, *next;
 +
 +	if (compat_offsets) {
 +		for(tmp = compat_offsets; tmp; tmp = next) {
 +			next = tmp->next;
 +			kfree(tmp);
 +		}
 +		compat_offsets = NULL;
 +	}
 +}
 +
 +static short compat_calc_jump(u_int16_t offset)
 +{
 +	struct compat_delta *tmp;
 +	short delta;
 +
 +	for(tmp = compat_offsets, delta = 0; tmp; tmp = tmp->next)
 +		if (tmp->offset < offset)
 +			delta += tmp->delta;
 +	return delta;
 +}
 +
 +struct compat_ipt_standard_target
 +{
 +	struct compat_xt_entry_target target;
 +	compat_int_t verdict;
 +};
 +
 +#define IPT_ST_OFFSET	(sizeof(struct ipt_standard_target) - \
 +				sizeof(struct compat_ipt_standard_target))
 +
 +struct compat_ipt_standard
 +{
 +	struct compat_ipt_entry entry;
 +	struct compat_ipt_standard_target target;
 +};
 +
 +static int compat_ipt_standard_fn(void *target,
 +		void **dstptr, int *size, int convert)
 +{
 +	struct compat_ipt_standard_target compat_st, *pcompat_st;
 +	struct ipt_standard_target st, *pst;
 +	int ret;
 +
 +	ret = 0;
 +	switch (convert) {
 +		case COMPAT_TO_USER:
 +			pst = (struct ipt_standard_target *)target;
 +			memcpy(&compat_st.target, &pst->target,
 +					sizeof(struct ipt_entry_target));
 +			compat_st.verdict = pst->verdict;
 +			if (compat_st.verdict > 0)
 +				compat_st.verdict -=
 +					compat_calc_jump(compat_st.verdict);
 +			compat_st.target.u.user.target_size =
 +			sizeof(struct compat_ipt_standard_target);
 +			if (__copy_to_user(*dstptr, &compat_st,
 +				sizeof(struct compat_ipt_standard_target)))
 +				ret = -EFAULT;
 +			*size -= IPT_ST_OFFSET;
 +			*dstptr += sizeof(struct compat_ipt_standard_target);
 +			break;
 +		case COMPAT_FROM_USER:
 +			pcompat_st =
 +				(struct compat_ipt_standard_target *)target;
 +			memcpy(&st.target, &pcompat_st->target,
 +					sizeof(struct ipt_entry_target));
 +			st.verdict = pcompat_st->verdict;
 +			if (st.verdict > 0)
 +				st.verdict += compat_calc_jump(st.verdict);
 +			st.target.u.user.target_size =
 +			sizeof(struct ipt_standard_target);
 +			memcpy(*dstptr, &st,
 +					sizeof(struct ipt_standard_target));
 +			*size += IPT_ST_OFFSET;
 +			*dstptr += sizeof(struct ipt_standard_target);
 +			break;
 +		case COMPAT_CALC_SIZE:
 +			*size += IPT_ST_OFFSET;
 +			break;
 +		default:
 +			ret = -ENOPROTOOPT;
 +			break;
 +	}
 +	return ret;
 +}
 +
 +static inline int
 +compat_calc_match(struct ipt_entry_match *m, int * size)
 +{
 +	if (m->u.kernel.match->compat)
 +		m->u.kernel.match->compat(m, NULL, size, COMPAT_CALC_SIZE);
 +	else
 +		xt_compat_match(m, NULL, size, COMPAT_CALC_SIZE);
 +	return 0;
 +}
 +
 +static int compat_calc_entry(struct ipt_entry *e, struct xt_table_info *info,
 +		void *base, struct xt_table_info *newinfo)
 +{
 +	struct ipt_entry_target *t;
 +	u_int16_t entry_offset;
 +	int off, i, ret;
 +
 +	off = 0;
 +	entry_offset = (void *)e - base;
 +	IPT_MATCH_ITERATE(e, compat_calc_match, &off);
 +	t = ipt_get_target(e);
 +	if (t->u.kernel.target->compat)
 +		t->u.kernel.target->compat(t, NULL, &off, COMPAT_CALC_SIZE);
 +	else
 +		xt_compat_target(t, NULL, &off, COMPAT_CALC_SIZE);
 +	newinfo->size -= off;
 +	ret = compat_add_offset(entry_offset, off);
 +	if (ret)
 +		return ret;
 +
 +	for (i = 0; i< NF_IP_NUMHOOKS; i++) {
 +		if (info->hook_entry[i] && (e < (struct ipt_entry *)
 +				(base + info->hook_entry[i])))
 +			newinfo->hook_entry[i] -= off;
 +		if (info->underflow[i] && (e < (struct ipt_entry *)
 +				(base + info->underflow[i])))
 +			newinfo->underflow[i] -= off;
 +	}
 +	return 0;
 +}
 +
 +static int compat_table_info(struct xt_table_info *info,
 +		struct xt_table_info *newinfo)
 +{
 +	void *loc_cpu_entry;
 +	int i;
 +
 +	if (!newinfo || !info)
 +		return -EINVAL;
 +
 +	memset(newinfo, 0, sizeof(struct xt_table_info));
 +	newinfo->size = info->size;
 +	newinfo->number = info->number;
 +	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 +		newinfo->hook_entry[i] = info->hook_entry[i];
 +		newinfo->underflow[i] = info->underflow[i];
 +	}
 +	loc_cpu_entry = info->entries[raw_smp_processor_id()];
 +	return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
 +			compat_calc_entry, info, loc_cpu_entry, newinfo);
 +}
 +#endif
 +
 +static int get_info(void __user *user, int *len, int compat)
 +{
 +	char name[IPT_TABLE_MAXNAMELEN];
 +	struct ipt_table *t;
 +	int ret;
 +
 +	if (*len != sizeof(struct ipt_getinfo)) {
 +		duprintf("length %u != %u\n", *len,
 +			(unsigned int)sizeof(struct ipt_getinfo));
 +		return -EINVAL;
 +	}
 +
 +	if (copy_from_user(name, user, sizeof(name)) != 0)
 +		return -EFAULT;
 +
 +	name[IPT_TABLE_MAXNAMELEN-1] = '\0';
 +#ifdef CONFIG_COMPAT
 +	if (compat)
 +		xt_compat_lock(AF_INET);
 +#endif
 +	t = try_then_request_module(xt_find_table_lock(AF_INET, name),
 +			"iptable_%s", name);
 +	if (t && !IS_ERR(t)) {
 +		struct ipt_getinfo info;
 +		struct xt_table_info *private = t->private;
 +
 +#ifdef CONFIG_COMPAT
 +		if (compat) {
 +			struct xt_table_info tmp;
 +			ret = compat_table_info(private, &tmp);
 +			compat_flush_offsets();
 +			private =  &tmp;
 +		}
 +#endif
 +		info.valid_hooks = t->valid_hooks;
 +		memcpy(info.hook_entry, private->hook_entry,
 +				sizeof(info.hook_entry));
 +		memcpy(info.underflow, private->underflow,
 +				sizeof(info.underflow));
 +		info.num_entries = private->number;
 +		info.size = private->size;
 +		strcpy(info.name, name);
 +
 +		if (copy_to_user(user, &info, *len) != 0)
 +			ret = -EFAULT;
 +		else
 +			ret = 0;
 +
 +		xt_table_unlock(t);
 +		module_put(t->me);
 +	} else
 +		ret = t ? PTR_ERR(t) : -ENOENT;
 +#ifdef CONFIG_COMPAT
 +	if (compat)
 +		xt_compat_unlock(AF_INET);
 +#endif
 +	return ret;
 +}
 +
 +static int
 +get_entries(struct ipt_get_entries __user *uptr, int *len)
 +{
 +	int ret;
 +	struct ipt_get_entries get;
 +	struct ipt_table *t;
 +
 +	if (*len < sizeof(get)) {
 +		duprintf("get_entries: %u < %d\n", *len,
 +				(unsigned int)sizeof(get));
 +		return -EINVAL;
 +	}
 +	if (copy_from_user(&get, uptr, sizeof(get)) != 0)
 +		return -EFAULT;
 +	if (*len != sizeof(struct ipt_get_entries) + get.size) {
 +		duprintf("get_entries: %u != %u\n", *len,
 +				(unsigned int)(sizeof(struct ipt_get_entries) +
 +				get.size));
 +		return -EINVAL;
 +	}
 +
 +	t = xt_find_table_lock(AF_INET, get.name);
 +	if (t && !IS_ERR(t)) {
 +		struct xt_table_info *private = t->private;
 +		duprintf("t->private->number = %u\n",
 +			 private->number);
 +		if (get.size == private->size)
 +			ret = copy_entries_to_user(private->size,
 +						   t, uptr->entrytable);
 +		else {
 +			duprintf("get_entries: I've got %u not %u!\n",
 +				 private->size,
 +				 get.size);
 +			ret = -EINVAL;
 +		}
 +		module_put(t->me);
 +		xt_table_unlock(t);
 +	} else
 +		ret = t ? PTR_ERR(t) : -ENOENT;
 +
 +	return ret;
 +}
 +
 +static int
 +__do_replace(const char *name, unsigned int valid_hooks,
 +		struct xt_table_info *newinfo, unsigned int num_counters,
 +		void __user *counters_ptr)
 +{
 +	int ret;
 +	struct ipt_table *t;
 +	struct xt_table_info *oldinfo;
 +	struct xt_counters *counters;
 +	void *loc_cpu_old_entry;
 +
 +	ret = 0;
 +	counters = vmalloc(num_counters * sizeof(struct xt_counters));
 +	if (!counters) {
 +		ret = -ENOMEM;
 +		goto out;
 +	}
 +
 +	t = try_then_request_module(xt_find_table_lock(AF_INET, name),
 +				    "iptable_%s", name);
 +	if (!t || IS_ERR(t)) {
 +		ret = t ? PTR_ERR(t) : -ENOENT;
 +		goto free_newinfo_counters_untrans;
 +	}
 +
 +	/* You lied! */
 +	if (valid_hooks != t->valid_hooks) {
 +		duprintf("Valid hook crap: %08X vs %08X\n",
 +			 valid_hooks, t->valid_hooks);
 +		ret = -EINVAL;
 +		goto put_module;
 +	}
 +
 +	oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
 +	if (!oldinfo)
 +		goto put_module;
 +
 +	/* Update module usage count based on number of rules */
 +	duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
 +		oldinfo->number, oldinfo->initial_entries, newinfo->number);
 +	if ((oldinfo->number > oldinfo->initial_entries) ||
 +	    (newinfo->number <= oldinfo->initial_entries))
 +		module_put(t->me);
 +	if ((oldinfo->number > oldinfo->initial_entries) &&
 +	    (newinfo->number <= oldinfo->initial_entries))
 +		module_put(t->me);
 +
 +	/* Get the old counters. */
 +	get_counters(oldinfo, counters);
 +	/* Decrease module usage counts and free resource */
 +	loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
 +	IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
 +	xt_free_table_info(oldinfo);
 +	if (copy_to_user(counters_ptr, counters,
 +			 sizeof(struct xt_counters) * num_counters) != 0)
 +		ret = -EFAULT;
 +	vfree(counters);
 +	xt_table_unlock(t);
 +	return ret;
 +
 + put_module:
 +	module_put(t->me);
 +	xt_table_unlock(t);
 + free_newinfo_counters_untrans:
 +	vfree(counters);
 + out:
 +	return ret;
 +}
 +
 +static int
 +do_replace(void __user *user, unsigned int len)
 +{
 +	int ret;
 +	struct ipt_replace tmp;
 +	struct xt_table_info *newinfo;
 +	void *loc_cpu_entry;
 +
 +	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
 +		return -EFAULT;
 +
 +	/* Hack: Causes ipchains to give correct error msg --RR */
 +	if (len != sizeof(tmp) + tmp.size)
 +		return -ENOPROTOOPT;
 +
 +	/* overflow check */
 +	if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
 +			SMP_CACHE_BYTES)
 +		return -ENOMEM;
 +	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 +		return -ENOMEM;
 +
 +	newinfo = xt_alloc_table_info(tmp.size);
 +	if (!newinfo)
 +		return -ENOMEM;
 +
 +	/* choose the copy that is our node/cpu */
 +	loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
 +	if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
 +			   tmp.size) != 0) {
 +		ret = -EFAULT;
 +		goto free_newinfo;
 +	}
 +
 +	ret = translate_table(tmp.name, tmp.valid_hooks,
 +			      newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
 +			      tmp.hook_entry, tmp.underflow);
 +	if (ret != 0)
 +		goto free_newinfo;
 +
 +	duprintf("ip_tables: Translated table\n");
 +
 +	ret = __do_replace(tmp.name, tmp.valid_hooks,
 +			      newinfo, tmp.num_counters,
 +			      tmp.counters);
 +	if (ret)
 +		goto free_newinfo_untrans;
 +	return 0;
 +
 + free_newinfo_untrans:
 +	IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
 + free_newinfo:
 +	xt_free_table_info(newinfo);
 +	return ret;
 +}
 +
 +/* We're lazy, and add to the first CPU; overflow works its fey magic
 + * and everything is OK. */
 +static inline int
 +add_counter_to_entry(struct ipt_entry *e,
 +		     const struct xt_counters addme[],
 +		     unsigned int *i)
 +{
 +#if 0
 +	duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
 +		 *i,
 +		 (long unsigned int)e->counters.pcnt,
 +		 (long unsigned int)e->counters.bcnt,
 +		 (long unsigned int)addme[*i].pcnt,
 +		 (long unsigned int)addme[*i].bcnt);
 +#endif
 +
 +	ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
 +
 +	(*i)++;
 +	return 0;
 +}
 +
 +static int
 +do_add_counters(void __user *user, unsigned int len, int compat)
 +{
 +	unsigned int i;
 +	struct xt_counters_info tmp;
 +	struct xt_counters *paddc;
 +	unsigned int num_counters;
 +	char *name;
 +	int size;
 +	void *ptmp;
 +	struct ipt_table *t;
 +	struct xt_table_info *private;
 +	int ret = 0;
 +	void *loc_cpu_entry;
 +#ifdef CONFIG_COMPAT
 +	struct compat_xt_counters_info compat_tmp;
 +
 +	if (compat) {
 +		ptmp = &compat_tmp;
 +		size = sizeof(struct compat_xt_counters_info);
 +	} else
 +#endif
 +	{
 +		ptmp = &tmp;
 +		size = sizeof(struct xt_counters_info);
 +	}
 +
 +	if (copy_from_user(ptmp, user, size) != 0)
 +		return -EFAULT;
 +
 +#ifdef CONFIG_COMPAT
 +	if (compat) {
 +		num_counters = compat_tmp.num_counters;
 +		name = compat_tmp.name;
 +	} else
 +#endif
 +	{
 +		num_counters = tmp.num_counters;
 +		name = tmp.name;
 +	}
 +
 +	if (len != size + num_counters * sizeof(struct xt_counters))
 +		return -EINVAL;
 +
 +	paddc = vmalloc_node(len - size, numa_node_id());
 +	if (!paddc)
 +		return -ENOMEM;
 +
 +	if (copy_from_user(paddc, user + size, len - size) != 0) {
 +		ret = -EFAULT;
 +		goto free;
 +	}
 +
 +	t = xt_find_table_lock(AF_INET, name);
 +	if (!t || IS_ERR(t)) {
 +		ret = t ? PTR_ERR(t) : -ENOENT;
 +		goto free;
 +	}
 +
 +	write_lock_bh(&t->lock);
 +	private = t->private;
 +	if (private->number != num_counters) {
 +		ret = -EINVAL;
 +		goto unlock_up_free;
 +	}
 +
 +	i = 0;
 +	/* Choose the copy that is on our node */
 +	loc_cpu_entry = private->entries[raw_smp_processor_id()];
 +	IPT_ENTRY_ITERATE(loc_cpu_entry,
 +			  private->size,
 +			  add_counter_to_entry,
 +			  paddc,
 +			  &i);
 + unlock_up_free:
 +	write_unlock_bh(&t->lock);
 +	xt_table_unlock(t);
 +	module_put(t->me);
 + free:
 +	vfree(paddc);
 +
 +	return ret;
 +}
 +
 +#ifdef CONFIG_COMPAT
 +struct compat_ipt_replace {
 +	char			name[IPT_TABLE_MAXNAMELEN];
 +	u32			valid_hooks;
 +	u32			num_entries;
 +	u32			size;
 +	u32			hook_entry[NF_IP_NUMHOOKS];
 +	u32			underflow[NF_IP_NUMHOOKS];
 +	u32			num_counters;
 +	compat_uptr_t		counters;	/* struct ipt_counters * */
 +	struct compat_ipt_entry	entries[0];
 +};
 +
 +static inline int compat_copy_match_to_user(struct ipt_entry_match *m,
 +		void __user **dstptr, compat_uint_t *size)
 +{
 +	if (m->u.kernel.match->compat)
 +		return m->u.kernel.match->compat(m, dstptr, size,
 +				COMPAT_TO_USER);
 +	else
 +		return xt_compat_match(m, dstptr, size, COMPAT_TO_USER);
 +}
 +
 +static int compat_copy_entry_to_user(struct ipt_entry *e,
 +		void __user **dstptr, compat_uint_t *size)
 +{
 +	struct ipt_entry_target __user *t;
 +	struct compat_ipt_entry __user *ce;
 +	u_int16_t target_offset, next_offset;
 +	compat_uint_t origsize;
 +	int ret;
 +
 +	ret = -EFAULT;
 +	origsize = *size;
 +	ce = (struct compat_ipt_entry __user *)*dstptr;
 +	if (__copy_to_user(ce, e, sizeof(struct ipt_entry)))
 +		goto out;
 +
 +	*dstptr += sizeof(struct compat_ipt_entry);
 +	ret = IPT_MATCH_ITERATE(e, compat_copy_match_to_user, dstptr, size);
 +	target_offset = e->target_offset - (origsize - *size);
 +	if (ret)
 +		goto out;
 +	t = ipt_get_target(e);
 +	if (t->u.kernel.target->compat)
 +		ret = t->u.kernel.target->compat(t, dstptr, size,
 +				COMPAT_TO_USER);
 +	else
 +		ret = xt_compat_target(t, dstptr, size, COMPAT_TO_USER);
 +	if (ret)
 +		goto out;
 +	ret = -EFAULT;
 +	next_offset = e->next_offset - (origsize - *size);
 +	if (__put_user(target_offset, &ce->target_offset))
 +		goto out;
 +	if (__put_user(next_offset, &ce->next_offset))
 +		goto out;
 +	return 0;
 +out:
 +	return ret;
 +}
 +
 +static inline int
 +compat_check_calc_match(struct ipt_entry_match *m,
 +	    const char *name,
 +	    const struct ipt_ip *ip,
 +	    unsigned int hookmask,
 +	    int *size, int *i)
 +{
 +	struct ipt_match *match;
 +
 +	match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
 +						   m->u.user.revision),
 +					"ipt_%s", m->u.user.name);
 +	if (IS_ERR(match) || !match) {
 +		duprintf("compat_check_calc_match: `%s' not found\n",
 +				m->u.user.name);
 +		return match ? PTR_ERR(match) : -ENOENT;
 +	}
 +	m->u.kernel.match = match;
 +
 +	if (m->u.kernel.match->compat)
 +		m->u.kernel.match->compat(m, NULL, size, COMPAT_CALC_SIZE);
 +	else
 +		xt_compat_match(m, NULL, size, COMPAT_CALC_SIZE);
 +
 +	(*i)++;
 +	return 0;
 +}
 +
 +static inline int
 +check_compat_entry_size_and_hooks(struct ipt_entry *e,
 +			   struct xt_table_info *newinfo,
 +			   unsigned int *size,
 +			   unsigned char *base,
 +			   unsigned char *limit,
 +			   unsigned int *hook_entries,
 +			   unsigned int *underflows,
 +			   unsigned int *i,
 +			   const char *name)
 +{
 +	struct ipt_entry_target *t;
 +	struct ipt_target *target;
 +	u_int16_t entry_offset;
 +	int ret, off, h, j;
 +
 +	duprintf("check_compat_entry_size_and_hooks %p\n", e);
 +	if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
 +	    || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
 +		duprintf("Bad offset %p, limit = %p\n", e, limit);
 +		return -EINVAL;
 +	}
 +
 +	if (e->next_offset < sizeof(struct compat_ipt_entry) +
 +			sizeof(struct compat_xt_entry_target)) {
 +		duprintf("checking: element %p size %u\n",
 +			 e, e->next_offset);
 +		return -EINVAL;
 +	}
 +
 +	if (!ip_checkentry(&e->ip)) {
 +		duprintf("ip_tables: ip check failed %p %s.\n", e, name);
 +		return -EINVAL;
 +	}
 +
 +	off = 0;
 +	entry_offset = (void *)e - (void *)base;
 +	j = 0;
 +	ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip,
 +			e->comefrom, &off, &j);
 +	if (ret != 0)
 +		goto out;
 +
 +	t = ipt_get_target(e);
 +	target = try_then_request_module(xt_find_target(AF_INET,
 +						     t->u.user.name,
 +						     t->u.user.revision),
 +					 "ipt_%s", t->u.user.name);
 +	if (IS_ERR(target) || !target) {
 +		duprintf("check_entry: `%s' not found\n", t->u.user.name);
 +		ret = target ? PTR_ERR(target) : -ENOENT;
 +		goto out;
 +	}
 +	t->u.kernel.target = target;
 +
 +	if (t->u.kernel.target->compat)
 +		t->u.kernel.target->compat(t, NULL, &off, COMPAT_CALC_SIZE);
 +	else
 +		xt_compat_target(t, NULL, &off, COMPAT_CALC_SIZE);
 +	*size += off;
 +	ret = compat_add_offset(entry_offset, off);
 +	if (ret)
 +		goto out;
 +
 +	/* Check hooks & underflows */
 +	for (h = 0; h < NF_IP_NUMHOOKS; h++) {
 +		if ((unsigned char *)e - base == hook_entries[h])
 +			newinfo->hook_entry[h] = hook_entries[h];
 +		if ((unsigned char *)e - base == underflows[h])
 +			newinfo->underflow[h] = underflows[h];
 +	}
 +
 +	/* Clear counters and comefrom */
 +	e->counters = ((struct ipt_counters) { 0, 0 });
 +	e->comefrom = 0;
 +
 +	(*i)++;
 +	return 0;
 +out:
 +	IPT_MATCH_ITERATE(e, cleanup_match, &j);
 +	return ret;
 +}
 +
 +static inline int compat_copy_match_from_user(struct ipt_entry_match *m,
 +	void **dstptr, compat_uint_t *size, const char *name,
 +	const struct ipt_ip *ip, unsigned int hookmask)
 +{
 +	struct ipt_entry_match *dm;
 +	struct ipt_match *match;
 +	int ret;
 +
 +	dm = (struct ipt_entry_match *)*dstptr;
 +	match = m->u.kernel.match;
 +	if (match->compat)
 +		match->compat(m, dstptr, size, COMPAT_FROM_USER);
 +	else
 +		xt_compat_match(m, dstptr, size, COMPAT_FROM_USER);
 +
 +	ret = xt_check_match(match, AF_INET, dm->u.match_size - sizeof(*dm),
 +			     name, hookmask, ip->proto,
 +			     ip->invflags & IPT_INV_PROTO);
 +	if (ret)
 +		return ret;
 +
 +	if (m->u.kernel.match->checkentry
 +	    && !m->u.kernel.match->checkentry(name, ip, match, dm->data,
 +					      dm->u.match_size - sizeof(*dm),
 +					      hookmask)) {
 +		duprintf("ip_tables: check failed for `%s'.\n",
 +			 m->u.kernel.match->name);
 +		return -EINVAL;
 +	}
 +	return 0;
 +}
 +
 +static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr,
 +	unsigned int *size, const char *name,
 +	struct xt_table_info *newinfo, unsigned char *base)
 +{
 +	struct ipt_entry_target *t;
 +	struct ipt_target *target;
 +	struct ipt_entry *de;
 +	unsigned int origsize;
 +	int ret, h;
 +
 +	ret = 0;
 +	origsize = *size;
 +	de = (struct ipt_entry *)*dstptr;
 +	memcpy(de, e, sizeof(struct ipt_entry));
 +
 +	*dstptr += sizeof(struct compat_ipt_entry);
 +	ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size,
 +			name, &de->ip, de->comefrom);
 +	if (ret)
 +		goto out;
 +	de->target_offset = e->target_offset - (origsize - *size);
 +	t = ipt_get_target(e);
 +	target = t->u.kernel.target;
 +	if (target->compat)
 +		target->compat(t, dstptr, size, COMPAT_FROM_USER);
 +	else
 +		xt_compat_target(t, dstptr, size, COMPAT_FROM_USER);
 +
 +	de->next_offset = e->next_offset - (origsize - *size);
 +	for (h = 0; h < NF_IP_NUMHOOKS; h++) {
 +		if ((unsigned char *)de - base < newinfo->hook_entry[h])
 +			newinfo->hook_entry[h] -= origsize - *size;
 +		if ((unsigned char *)de - base < newinfo->underflow[h])
 +			newinfo->underflow[h] -= origsize - *size;
 +	}
 +
 +	t = ipt_get_target(de);
 +	target = t->u.kernel.target;
 +	ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
 +			      name, e->comefrom, e->ip.proto,
 +			      e->ip.invflags & IPT_INV_PROTO);
 +	if (ret)
 +		goto out;
 +
 +	ret = -EINVAL;
 +	if (t->u.kernel.target == &ipt_standard_target) {
 +		if (!standard_check(t, *size))
 +			goto out;
 +	} else if (t->u.kernel.target->checkentry
 +		   && !t->u.kernel.target->checkentry(name, de, target,
 +				t->data, t->u.target_size - sizeof(*t),
 +				de->comefrom)) {
 +		duprintf("ip_tables: compat: check failed for `%s'.\n",
 +			 t->u.kernel.target->name);
 +		goto out;
 +	}
 +	ret = 0;
 +out:
 +	return ret;
 +}
 +
 static int
 -get_entries(const struct ipt_get_entries *entries,
 -	    struct ipt_get_entries __user *uptr)
 +translate_compat_table(const char *name,
 +		unsigned int valid_hooks,
 +		struct xt_table_info **pinfo,
 +		void **pentry0,
 +		unsigned int total_size,
 +		unsigned int number,
 +		unsigned int *hook_entries,
 +		unsigned int *underflows)
 {
 +	unsigned int i;
 +	struct xt_table_info *newinfo, *info;
 +	void *pos, *entry0, *entry1;
 +	unsigned int size;
 int ret;
 -	struct ipt_table *t;
 
 -	t = xt_find_table_lock(AF_INET, entries->name);
 -	if (t && !IS_ERR(t)) {
 -		struct xt_table_info *private = t->private;
 -		duprintf("t->private->number = %u\n",
 -			 private->number);
 -		if (entries->size == private->size)
 -			ret = copy_entries_to_user(private->size,
 -						   t, uptr->entrytable);
 -		else {
 -			duprintf("get_entries: I've got %u not %u!\n",
 -				 private->size,
 -				 entries->size);
 -			ret = -EINVAL;
 +	info = *pinfo;
 +	entry0 = *pentry0;
 +	size = total_size;
 +	info->number = number;
 +
 +	/* Init all hooks to impossible value. */
 +	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 +		info->hook_entry[i] = 0xFFFFFFFF;
 +		info->underflow[i] = 0xFFFFFFFF;
 +	}
 +
 +	duprintf("translate_compat_table: size %u\n", info->size);
 +	i = 0;
 +	xt_compat_lock(AF_INET);
 +	/* Walk through entries, checking offsets. */
 +	ret = IPT_ENTRY_ITERATE(entry0, total_size,
 +				check_compat_entry_size_and_hooks,
 +				info, &size, entry0,
 +				entry0 + total_size,
 +				hook_entries, underflows, &i, name);
 +	if (ret != 0)
 +		goto out_unlock;
 +
 +	ret = -EINVAL;
 +	if (i != number) {
 +		duprintf("translate_compat_table: %u not %u entries\n",
 +			 i, number);
 +		goto out_unlock;
 +	}
 +
 +	/* Check hooks all assigned */
 +	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 +		/* Only hooks which are valid */
 +		if (!(valid_hooks & (1 << i)))
 +			continue;
 +		if (info->hook_entry[i] == 0xFFFFFFFF) {
 +			duprintf("Invalid hook entry %u %u\n",
 +				 i, hook_entries[i]);
 +			goto out_unlock;
 }
 -		module_put(t->me);
 -		xt_table_unlock(t);
 -	} else
 -		ret = t ? PTR_ERR(t) : -ENOENT;
 +		if (info->underflow[i] == 0xFFFFFFFF) {
 +			duprintf("Invalid underflow %u %u\n",
 +				 i, underflows[i]);
 +			goto out_unlock;
 +		}
 +	}
 +
 +	ret = -ENOMEM;
 +	newinfo = xt_alloc_table_info(size);
 +	if (!newinfo)
 +		goto out_unlock;
 +
 +	newinfo->number = number;
 +	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 +		newinfo->hook_entry[i] = info->hook_entry[i];
 +		newinfo->underflow[i] = info->underflow[i];
 +	}
 +	entry1 = newinfo->entries[raw_smp_processor_id()];
 +	pos = entry1;
 +	size =  total_size;
 +	ret = IPT_ENTRY_ITERATE(entry0, total_size,
 +			compat_copy_entry_from_user, &pos, &size,
 +			name, newinfo, entry1);
 +	compat_flush_offsets();
 +	xt_compat_unlock(AF_INET);
 +	if (ret)
 +		goto free_newinfo;
 +
 +	ret = -ELOOP;
 +	if (!mark_source_chains(newinfo, valid_hooks, entry1))
 +		goto free_newinfo;
 +
 +	/* And one copy for every other CPU */
 +	for_each_cpu(i)
 +		if (newinfo->entries[i] && newinfo->entries[i] != entry1)
 +			memcpy(newinfo->entries[i], entry1, newinfo->size);
 +
 +	*pinfo = newinfo;
 +	*pentry0 = entry1;
 +	xt_free_table_info(info);
 +	return 0;
 
 +free_newinfo:
 +	xt_free_table_info(newinfo);
 +out:
 return ret;
 +out_unlock:
 +	xt_compat_unlock(AF_INET);
 +	goto out;
 }
 
 static int
 -do_replace(void __user *user, unsigned int len)
 +compat_do_replace(void __user *user, unsigned int len)
 {
 int ret;
 -	struct ipt_replace tmp;
 -	struct ipt_table *t;
 -	struct xt_table_info *newinfo, *oldinfo;
 -	struct xt_counters *counters;
 -	void *loc_cpu_entry, *loc_cpu_old_entry;
 +	struct compat_ipt_replace tmp;
 +	struct xt_table_info *newinfo;
 +	void *loc_cpu_entry;
 
 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
 return -EFAULT;
 @@ -949,151 +1818,201 @@ do_replace(void __user *user, unsigned i
 goto free_newinfo;
 }
 
 -	counters = vmalloc(tmp.num_counters * sizeof(struct xt_counters));
 -	if (!counters) {
 -		ret = -ENOMEM;
 +	ret = translate_compat_table(tmp.name, tmp.valid_hooks,
 +			      &newinfo, &loc_cpu_entry, tmp.size,
 +			      tmp.num_entries, tmp.hook_entry, tmp.underflow);
 +	if (ret != 0)
 goto free_newinfo;
 -	}
 
 -	ret = translate_table(tmp.name, tmp.valid_hooks,
 -			      newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
 -			      tmp.hook_entry, tmp.underflow);
 -	if (ret != 0)
 -		goto free_newinfo_counters;
 +	duprintf("compat_do_replace: Translated table\n");
 
 -	duprintf("ip_tables: Translated table\n");
 +	ret = __do_replace(tmp.name, tmp.valid_hooks,
 +			      newinfo, tmp.num_counters,
 +			      compat_ptr(tmp.counters));
 +	if (ret)
 +		goto free_newinfo_untrans;
 +	return 0;
 
 -	t = try_then_request_module(xt_find_table_lock(AF_INET, tmp.name),
 -				    "iptable_%s", tmp.name);
 -	if (!t || IS_ERR(t)) {
 -		ret = t ? PTR_ERR(t) : -ENOENT;
 -		goto free_newinfo_counters_untrans;
 -	}
 + free_newinfo_untrans:
 +	IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
 + free_newinfo:
 +	xt_free_table_info(newinfo);
 +	return ret;
 +}
 
 -	/* You lied! */
 -	if (tmp.valid_hooks != t->valid_hooks) {
 -		duprintf("Valid hook crap: %08X vs %08X\n",
 -			 tmp.valid_hooks, t->valid_hooks);
 -		ret = -EINVAL;
 -		goto put_module;
 -	}
 +static int
 +compat_do_ipt_set_ctl(struct sock *sk,	int cmd, void __user *user,
 +		unsigned int len)
 +{
 +	int ret;
 
 -	oldinfo = xt_replace_table(t, tmp.num_counters, newinfo, &ret);
 -	if (!oldinfo)
 -		goto put_module;
 +	if (!capable(CAP_NET_ADMIN))
 +		return -EPERM;
 
 -	/* Update module usage count based on number of rules */
 -	duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
 -		oldinfo->number, oldinfo->initial_entries, newinfo->number);
 -	if ((oldinfo->number > oldinfo->initial_entries) ||
 -	    (newinfo->number <= oldinfo->initial_entries))
 -		module_put(t->me);
 -	if ((oldinfo->number > oldinfo->initial_entries) &&
 -	    (newinfo->number <= oldinfo->initial_entries))
 -		module_put(t->me);
 +	switch (cmd) {
 +	case IPT_SO_SET_REPLACE:
 +		ret = compat_do_replace(user, len);
 +		break;
 
 -	/* Get the old counters. */
 -	get_counters(oldinfo, counters);
 -	/* Decrease module usage counts and free resource */
 -	loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
 -	IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
 -	xt_free_table_info(oldinfo);
 -	if (copy_to_user(tmp.counters, counters,
 -			 sizeof(struct xt_counters) * tmp.num_counters) != 0)
 -		ret = -EFAULT;
 -	vfree(counters);
 -	xt_table_unlock(t);
 -	return ret;
 +	case IPT_SO_SET_ADD_COUNTERS:
 +		ret = do_add_counters(user, len, 1);
 +		break;
 +
 +	default:
 +		duprintf("do_ipt_set_ctl:  unknown request %i\n", cmd);
 +		ret = -EINVAL;
 +	}
 
 - put_module:
 -	module_put(t->me);
 -	xt_table_unlock(t);
 - free_newinfo_counters_untrans:
 -	IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
 - free_newinfo_counters:
 -	vfree(counters);
 - free_newinfo:
 -	xt_free_table_info(newinfo);
 return ret;
 }
 
 -/* We're lazy, and add to the first CPU; overflow works its fey magic
 - * and everything is OK. */
 -static inline int
 -add_counter_to_entry(struct ipt_entry *e,
 -		     const struct xt_counters addme[],
 -		     unsigned int *i)
 +struct compat_ipt_get_entries
 {
 -#if 0
 -	duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
 -		 *i,
 -		 (long unsigned int)e->counters.pcnt,
 -		 (long unsigned int)e->counters.bcnt,
 -		 (long unsigned int)addme[*i].pcnt,
 -		 (long unsigned int)addme[*i].bcnt);
 -#endif
 +	char name[IPT_TABLE_MAXNAMELEN];
 +	compat_uint_t size;
 +	struct compat_ipt_entry entrytable[0];
 +};
 
 -	ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
 +static int compat_copy_entries_to_user(unsigned int total_size,
 +		     struct ipt_table *table, void __user *userptr)
 +{
 +	unsigned int off, num;
 +	struct compat_ipt_entry e;
 +	struct xt_counters *counters;
 +	struct xt_table_info *private = table->private;
 +	void __user *pos;
 +	unsigned int size;
 +	int ret = 0;
 +	void *loc_cpu_entry;
 
 -	(*i)++;
 -	return 0;
 +	counters = alloc_counters(table);
 +	if (IS_ERR(counters))
 +		return PTR_ERR(counters);
 +
 +	/* choose the copy that is on our node/cpu, ...
 +	 * This choice is lazy (because current thread is
 +	 * allowed to migrate to another cpu)
 +	 */
 +	loc_cpu_entry = private->entries[raw_smp_processor_id()];
 +	pos = userptr;
 +	size = total_size;
 +	ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
 +			compat_copy_entry_to_user, &pos, &size);
 +	if (ret)
 +		goto free_counters;
 +
 +	/* ... then go back and fix counters and names */
 +	for (off = 0, num = 0; off < size; off += e.next_offset, num++) {
 +		unsigned int i;
 +		struct ipt_entry_match m;
 +		struct ipt_entry_target t;
 +
 +		ret = -EFAULT;
 +		if (copy_from_user(&e, userptr + off,
 +					sizeof(struct compat_ipt_entry)))
 +			goto free_counters;
 +		if (copy_to_user(userptr + off +
 +			offsetof(struct compat_ipt_entry, counters),
 +			 &counters[num], sizeof(counters[num])))
 +			goto free_counters;
 +
 +		for (i = sizeof(struct compat_ipt_entry);
 +				i < e.target_offset; i += m.u.match_size) {
 +			if (copy_from_user(&m, userptr + off + i,
 +					sizeof(struct ipt_entry_match)))
 +				goto free_counters;
 +			if (copy_to_user(userptr + off + i +
 +				offsetof(struct ipt_entry_match, u.user.name),
 +				m.u.kernel.match->name,
 +				strlen(m.u.kernel.match->name) + 1))
 +				goto free_counters;
 +		}
 +
 +		if (copy_from_user(&t, userptr + off + e.target_offset,
 +					sizeof(struct ipt_entry_target)))
 +			goto free_counters;
 +		if (copy_to_user(userptr + off + e.target_offset +
 +			offsetof(struct ipt_entry_target, u.user.name),
 +			t.u.kernel.target->name,
 +			strlen(t.u.kernel.target->name) + 1))
 +			goto free_counters;
 +	}
 +	ret = 0;
 +free_counters:
 +	vfree(counters);
 +	return ret;
 }
 
 static int
 -do_add_counters(void __user *user, unsigned int len)
 +compat_get_entries(struct compat_ipt_get_entries __user *uptr, int *len)
 {
 -	unsigned int i;
 -	struct xt_counters_info tmp, *paddc;
 +	int ret;
 +	struct compat_ipt_get_entries get;
 struct ipt_table *t;
 -	struct xt_table_info *private;
 -	int ret = 0;
 -	void *loc_cpu_entry;
 
 -	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
 -		return -EFAULT;
 
 -	if (len != sizeof(tmp) + tmp.num_counters*sizeof(struct xt_counters))
 +	if (*len < sizeof(get)) {
 +		duprintf("compat_get_entries: %u < %u\n",
 +				*len, (unsigned int)sizeof(get));
 return -EINVAL;
 +	}
 
 -	paddc = vmalloc_node(len, numa_node_id());
 -	if (!paddc)
 -		return -ENOMEM;
 +	if (copy_from_user(&get, uptr, sizeof(get)) != 0)
 +		return -EFAULT;
 
 -	if (copy_from_user(paddc, user, len) != 0) {
 -		ret = -EFAULT;
 -		goto free;
 +	if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
 +		duprintf("compat_get_entries: %u != %u\n", *len,
 +			(unsigned int)(sizeof(struct compat_ipt_get_entries) +
 +			get.size));
 +		return -EINVAL;
 }
 
 -	t = xt_find_table_lock(AF_INET, tmp.name);
 -	if (!t || IS_ERR(t)) {
 +	xt_compat_lock(AF_INET);
 +	t = xt_find_table_lock(AF_INET, get.name);
 +	if (t && !IS_ERR(t)) {
 +		struct xt_table_info *private = t->private;
 +		struct xt_table_info info;
 +		duprintf("t->private->number = %u\n",
 +			 private->number);
 +		ret = compat_table_info(private, &info);
 +		if (!ret && get.size == info.size) {
 +			ret = compat_copy_entries_to_user(private->size,
 +						   t, uptr->entrytable);
 +		} else if (!ret) {
 +			duprintf("compat_get_entries: I've got %u not %u!\n",
 +				 private->size,
 +				 get.size);
 +			ret = -EINVAL;
 +		}
 +		compat_flush_offsets();
 +		module_put(t->me);
 +		xt_table_unlock(t);
 +	} else
 ret = t ? PTR_ERR(t) : -ENOENT;
 -		goto free;
 -	}
 
 -	write_lock_bh(&t->lock);
 -	private = t->private;
 -	if (private->number != paddc->num_counters) {
 -		ret = -EINVAL;
 -		goto unlock_up_free;
 -	}
 +	xt_compat_unlock(AF_INET);
 +	return ret;
 +}
 
 -	i = 0;
 -	/* Choose the copy that is on our node */
 -	loc_cpu_entry = private->entries[raw_smp_processor_id()];
 -	IPT_ENTRY_ITERATE(loc_cpu_entry,
 -			  private->size,
 -			  add_counter_to_entry,
 -			  paddc->counters,
 -			  &i);
 - unlock_up_free:
 -	write_unlock_bh(&t->lock);
 -	xt_table_unlock(t);
 -	module_put(t->me);
 - free:
 -	vfree(paddc);
 +static int
 +compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 +{
 +	int ret;
 
 +	switch (cmd) {
 +	case IPT_SO_GET_INFO:
 +		ret = get_info(user, len, 1);
 +		break;
 +	case IPT_SO_GET_ENTRIES:
 +		ret = compat_get_entries(user, len);
 +		break;
 +	default:
 +		duprintf("compat_do_ipt_get_ctl: unknown request %i\n", cmd);
 +		ret = -EINVAL;
 +	}
 return ret;
 }
 +#endif
 
 static int
 do_ipt_set_ctl(struct sock *sk,	int cmd, void __user *user, unsigned int len)
 @@ -1109,7 +2028,7 @@ do_ipt_set_ctl(struct sock *sk,	int cmd,
 break;
 
 case IPT_SO_SET_ADD_COUNTERS:
 -		ret = do_add_counters(user, len);
 +		ret = do_add_counters(user, len, 0);
 break;
 
 default:
 @@ -1129,65 +2048,13 @@ do_ipt_get_ctl(struct sock *sk, int cmd,
 return -EPERM;
 
 switch (cmd) {
 -	case IPT_SO_GET_INFO: {
 -		char name[IPT_TABLE_MAXNAMELEN];
 -		struct ipt_table *t;
 -
 -		if (*len != sizeof(struct ipt_getinfo)) {
 -			duprintf("length %u != %u\n", *len,
 -				 sizeof(struct ipt_getinfo));
 -			ret = -EINVAL;
 -			break;
 -		}
 -
 -		if (copy_from_user(name, user, sizeof(name)) != 0) {
 -			ret = -EFAULT;
 -			break;
 -		}
 -		name[IPT_TABLE_MAXNAMELEN-1] = '\0';
 -
 -		t = try_then_request_module(xt_find_table_lock(AF_INET, name),
 -					    "iptable_%s", name);
 -		if (t && !IS_ERR(t)) {
 -			struct ipt_getinfo info;
 -			struct xt_table_info *private = t->private;
 -
 -			info.valid_hooks = t->valid_hooks;
 -			memcpy(info.hook_entry, private->hook_entry,
 -			       sizeof(info.hook_entry));
 -			memcpy(info.underflow, private->underflow,
 -			       sizeof(info.underflow));
 -			info.num_entries = private->number;
 -			info.size = private->size;
 -			memcpy(info.name, name, sizeof(info.name));
 -
 -			if (copy_to_user(user, &info, *len) != 0)
 -				ret = -EFAULT;
 -			else
 -				ret = 0;
 -			xt_table_unlock(t);
 -			module_put(t->me);
 -		} else
 -			ret = t ? PTR_ERR(t) : -ENOENT;
 -	}
 -	break;
 -
 -	case IPT_SO_GET_ENTRIES: {
 -		struct ipt_get_entries get;
 +	case IPT_SO_GET_INFO:
 +		ret = get_info(user, len, 0);
 +		break;
 
 -		if (*len < sizeof(get)) {
 -			duprintf("get_entries: %u < %u\n", *len, sizeof(get));
 -			ret = -EINVAL;
 -		} else if (copy_from_user(&get, user, sizeof(get)) != 0) {
 -			ret = -EFAULT;
 -		} else if (*len != sizeof(struct ipt_get_entries) + get.size) {
 -			duprintf("get_entries: %u != %u\n", *len,
 -				 sizeof(struct ipt_get_entries) + get.size);
 -			ret = -EINVAL;
 -		} else
 -			ret = get_entries(&get, user);
 +	case IPT_SO_GET_ENTRIES:
 +		ret = get_entries(user, len);
 break;
 -	}
 
 case IPT_SO_GET_REVISION_MATCH:
 case IPT_SO_GET_REVISION_TARGET: {
 @@ -1335,6 +2202,9 @@ icmp_checkentry(const char *tablename,
 static struct ipt_target ipt_standard_target = {
 .name		= IPT_STANDARD_TARGET,
 .targetsize	= sizeof(int),
 +#ifdef CONFIG_COMPAT
 +	.compat		= &compat_ipt_standard_fn,
 +#endif
 };
 
 static struct ipt_target ipt_error_target = {
 @@ -1348,9 +2218,11 @@ static struct nf_sockopt_ops ipt_sockopt
 .set_optmin	= IPT_BASE_CTL,
 .set_optmax	= IPT_SO_SET_MAX+1,
 .set		= do_ipt_set_ctl,
 +	.compat_set	= compat_do_ipt_set_ctl,
 .get_optmin	= IPT_BASE_CTL,
 .get_optmax	= IPT_SO_GET_MAX+1,
 .get		= do_ipt_get_ctl,
 +	.compat_get	= compat_do_ipt_get_ctl,
 };
 
 static struct ipt_match icmp_matchstruct = {
 diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
 index 750b928..72b8928 100644
 --- a/net/netfilter/x_tables.c
 +++ b/net/netfilter/x_tables.c
 @@ -36,6 +36,7 @@ struct xt_af {
 struct list_head match;
 struct list_head target;
 struct list_head tables;
 +	struct semaphore compat_mutex;
 };
 
 static struct xt_af *xt;
 @@ -266,6 +267,54 @@ int xt_check_match(const struct xt_match
 }
 EXPORT_SYMBOL_GPL(xt_check_match);
 
 +#ifdef CONFIG_COMPAT
 +int xt_compat_match(void *match, void **dstptr, int *size, int convert)
 +{
 +	struct xt_match *m;
 +	struct compat_xt_entry_match *pcompat_m;
 +	struct xt_entry_match *pm;
 +	u_int16_t msize;
 +	int off, ret;
 +
 +	ret = 0;
 +	m = ((struct xt_entry_match *)match)->u.kernel.match;
 +	off = XT_ALIGN(m->matchsize) - COMPAT_XT_ALIGN(m->matchsize);
 +	switch (convert) {
 +		case COMPAT_TO_USER:
 +			pm = (struct xt_entry_match *)match;
 +			msize = pm->u.user.match_size;
 +			if (__copy_to_user(*dstptr, pm, msize)) {
 +				ret = -EFAULT;
 +				break;
 +			}
 +			msize -= off;
 +			if (put_user(msize, (u_int16_t *)*dstptr))
 +				ret = -EFAULT;
 +			*size -= off;
 +			*dstptr += msize;
 +			break;
 +		case COMPAT_FROM_USER:
 +			pcompat_m = (struct compat_xt_entry_match *)match;
 +			pm = (struct xt_entry_match *)*dstptr;
 +			msize = pcompat_m->u.user.match_size;
 +			memcpy(pm, pcompat_m, msize);
 +			msize += off;
 +			pm->u.user.match_size = msize;
 +			*size += off;
 +			*dstptr += msize;
 +			break;
 +		case COMPAT_CALC_SIZE:
 +			*size += off;
 +			break;
 +		default:
 +			ret = -ENOPROTOOPT;
 +			break;
 +	}
 +	return ret;
 +}
 +EXPORT_SYMBOL_GPL(xt_compat_match);
 +#endif
 +
 int xt_check_target(const struct xt_target *target, unsigned short family,
 unsigned int size, const char *table, unsigned int hook_mask,
 unsigned short proto, int inv_proto)
 @@ -295,6 +344,54 @@ int xt_check_target(const struct xt_targ
 }
 EXPORT_SYMBOL_GPL(xt_check_target);
 
 +#ifdef CONFIG_COMPAT
 +int xt_compat_target(void *target, void **dstptr, int *size, int convert)
 +{
 +	struct xt_target *t;
 +	struct compat_xt_entry_target *pcompat;
 +	struct xt_entry_target *pt;
 +	u_int16_t tsize;
 +	int off, ret;
 +
 +	ret = 0;
 +	t = ((struct xt_entry_target *)target)->u.kernel.target;
 +	off = XT_ALIGN(t->targetsize) - COMPAT_XT_ALIGN(t->targetsize);
 +	switch (convert) {
 +		case COMPAT_TO_USER:
 +			pt = (struct xt_entry_target *)target;
 +			tsize = pt->u.user.target_size;
 +			if (__copy_to_user(*dstptr, pt, tsize)) {
 +				ret = -EFAULT;
 +				break;
 +			}
 +			tsize -= off;
 +			if (put_user(tsize, (u_int16_t *)*dstptr))
 +				ret = -EFAULT;
 +			*size -= off;
 +			*dstptr += tsize;
 +			break;
 +		case COMPAT_FROM_USER:
 +			pcompat = (struct compat_xt_entry_target *)target;
 +			pt = (struct xt_entry_target *)*dstptr;
 +			tsize = pcompat->u.user.target_size;
 +			memcpy(pt, pcompat, tsize);
 +			tsize += off;
 +			pt->u.user.target_size = tsize;
 +			*size += off;
 +			*dstptr += tsize;
 +			break;
 +		case COMPAT_CALC_SIZE:
 +			*size += off;
 +			break;
 +		default:
 +			ret = -ENOPROTOOPT;
 +			break;
 +	}
 +	return ret;
 +}
 +EXPORT_SYMBOL_GPL(xt_compat_target);
 +#endif
 +
 struct xt_table_info *xt_alloc_table_info(unsigned int size)
 {
 struct xt_table_info *newinfo;
 @@ -365,6 +462,19 @@ void xt_table_unlock(struct xt_table *ta
 }
 EXPORT_SYMBOL_GPL(xt_table_unlock);
 
 +#ifdef CONFIG_COMPAT
 +void xt_compat_lock(int af)
 +{
 +	down(&xt[af].compat_mutex);
 +}
 +EXPORT_SYMBOL_GPL(xt_compat_lock);
 +
 +void xt_compat_unlock(int af)
 +{
 +	up(&xt[af].compat_mutex);
 +}
 +EXPORT_SYMBOL_GPL(xt_compat_unlock);
 +#endif
 
 struct xt_table_info *
 xt_replace_table(struct xt_table *table,
 @@ -665,6 +775,9 @@ static int __init xt_init(void)
 
 for (i = 0; i < NPROTO; i++) {
 init_MUTEX(&xt[i].mutex);
 +#ifdef CONFIG_COMPAT
 +		init_MUTEX(&xt[i].compat_mutex);
 +#endif
 INIT_LIST_HEAD(&xt[i].target);
 INIT_LIST_HEAD(&xt[i].match);
 INIT_LIST_HEAD(&xt[i].tables);
 |  
	|  |  |  
	| 
		
			| Re: [PATCH] iptables 32bit compat layer [message #2325 is a reply to message #2163] | Wed, 29 March 2006 09:28   |  
			| 
				
				
					|  Patrick McHardy Messages: 107
 Registered: March 2006
 | Senior Member |  |  |  
	| Dmitry Mishin wrote: > This patch extends current iptables compatibility layer in order to get
 > 32bit iptables to work on 64bit kernel. Current layer is insufficient due to
 > alignment checks both in kernel and user space tools.
 >
 > Patch is for current net-2.6.17 with addition of move of ipt_entry_{match|
 > target} definitions to xt_entry_{match|target}.
 
 Thanks, this looks good. Two small issues so far:
 
 
 > diff --git a/net/compat.c b/net/compat.c
 > index 13177a1..6a7028e 100644
 > --- a/net/compat.c
 > +++ b/net/compat.c
 > @@ -476,8 +476,7 @@ asmlinkage long compat_sys_setsockopt(in
 >  	int err;
 >  	struct socket *sock;
 >
 > -	/* SO_SET_REPLACE seems to be the same in all levels */
 > -	if (optname == IPT_SO_SET_REPLACE)
 > +	if (level == SOL_IPV6 && optname == IPT_SO_SET_REPLACE)
 >  		return do_netfilter_replace(fd, level, optname,
 >  					    optval, optlen);
 
 I don't understand the reason for this change. If its not a mistake,
 it would make more sense to check for IP6T_SO_SET_REPLACE I guess ..
 
 
 > +#ifdef CONFIG_COMPAT
 > +void xt_compat_lock(int af)
 > +{
 > +	down(&xt[af].compat_mutex);
 > +}
 > +EXPORT_SYMBOL_GPL(xt_compat_lock);
 > +
 > +void xt_compat_unlock(int af)
 > +{
 > +	up(&xt[af].compat_mutex);
 > +}
 > +EXPORT_SYMBOL_GPL(xt_compat_unlock);
 > +#endif
 
 Won't a seperate compat-mutex introduce races between compat- and
 non-compat users? BTW, the up/down calls have been replaced by the
 new mutex API in Linus' tree, please resend the patch against the
 current tree.
 |  
	|  |  |  
	| 
		
			| Re: [PATCH] iptables 32bit compat layer [message #2327 is a reply to message #2325] | Wed, 29 March 2006 11:36   |  
			| 
				
				
					|  Mishin Dmitry Messages: 112
 Registered: February 2006
 | Senior Member |  |  |  
	| On Wednesday 29 March 2006 13:28, Patrick McHardy wrote: > Dmitry Mishin wrote:
 > > This patch extends current iptables compatibility layer in order to get
 > > 32bit iptables to work on 64bit kernel. Current layer is insufficient due
 > > to alignment checks both in kernel and user space tools.
 > >
 > > Patch is for current net-2.6.17 with addition of move of
 > > ipt_entry_{match| target} definitions to xt_entry_{match|target}.
 >
 > Thanks, this looks good. Two small issues so far:
 > > diff --git a/net/compat.c b/net/compat.c
 > > index 13177a1..6a7028e 100644
 > > --- a/net/compat.c
 > > +++ b/net/compat.c
 > > @@ -476,8 +476,7 @@ asmlinkage long compat_sys_setsockopt(in
 > >  	int err;
 > >  	struct socket *sock;
 > >
 > > -	/* SO_SET_REPLACE seems to be the same in all levels */
 > > -	if (optname == IPT_SO_SET_REPLACE)
 > > +	if (level == SOL_IPV6 && optname == IPT_SO_SET_REPLACE)
 > >  		return do_netfilter_replace(fd, level, optname,
 > >  					    optval, optlen);
 >
 > I don't understand the reason for this change. If its not a mistake,
 > it would make more sense to check for IP6T_SO_SET_REPLACE I guess ..
 IP6T_SO_SET_REPLACE == IPT_SO_SET_REPLACE == XT_SO_SET_REPLACE.
 Rename will require respective #include directive rename, so, I just leave
 this as it is. BTW, I'll make respective patch for IPV6 in the near future
 and this hunk will be removed at all.
 
 >
 > > +#ifdef CONFIG_COMPAT
 > > +void xt_compat_lock(int af)
 > > +{
 > > +	down(&xt[af].compat_mutex);
 > > +}
 > > +EXPORT_SYMBOL_GPL(xt_compat_lock);
 > > +
 > > +void xt_compat_unlock(int af)
 > > +{
 > > +	up(&xt[af].compat_mutex);
 > > +}
 > > +EXPORT_SYMBOL_GPL(xt_compat_unlock);
 > > +#endif
 >
 > Won't a seperate compat-mutex introduce races between compat- and
 > non-compat users? BTW, the up/down calls have been replaced by the
 > new mutex API in Linus' tree, please resend the patch against the
 > current tree.
 compat_mutex is always over xt[af].mutex and can't be taken under the last
 one, so, there should be no races.
 New patch is attached.
 
 --
 Thanks,
 Dmitry.
 
 diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
 index 1350e47..f6bdef8 100644
 --- a/include/linux/netfilter/x_tables.h
 +++ b/include/linux/netfilter/x_tables.h
 @@ -142,6 +142,12 @@ struct xt_counters_info
 #define ASSERT_WRITE_LOCK(x)
 #include <linux/netfilter_ipv4/listhelp.h>
 
 +#ifdef CONFIG_COMPAT
 +#define COMPAT_TO_USER		1
 +#define COMPAT_FROM_USER	-1
 +#define COMPAT_CALC_SIZE	0
 +#endif
 +
 struct xt_match
 {
 struct list_head list;
 @@ -175,6 +181,9 @@ struct xt_match
 void (*destroy)(const struct xt_match *match, void *matchinfo,
 unsigned int matchinfosize);
 
 +	/* Called when userspace align differs from kernel space one */
 +	int (*compat)(void *match, void **dstptr, int *size, int convert);
 +
 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 struct module *me;
 
 @@ -220,6 +229,9 @@ struct xt_target
 void (*destroy)(const struct xt_target *target, void *targinfo,
 unsigned int targinfosize);
 
 +	/* Called when userspace align differs from kernel space one */
 +	int (*compat)(void *target, void **dstptr, int *size, int convert);
 +
 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 struct module *me;
 
 @@ -314,6 +326,61 @@ extern void xt_proto_fini(int af);
 extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
 extern void xt_free_table_info(struct xt_table_info *info);
 
 +#ifdef CONFIG_COMPAT
 +#include <net/compat.h>
 +
 +struct compat_xt_entry_match
 +{
 +	union {
 +		struct {
 +			u_int16_t match_size;
 +			char name[XT_FUNCTION_MAXNAMELEN - 1];
 +			u_int8_t revision;
 +		} user;
 +		u_int16_t match_size;
 +	} u;
 +	unsigned char data[0];
 +};
 +
 +struct compat_xt_entry_target
 +{
 +	union {
 +		struct {
 +			u_int16_t target_size;
 +			char name[XT_FUNCTION_MAXNAMELEN - 1];
 +			u_int8_t revision;
 +		} user;
 +		u_int16_t target_size;
 +	} u;
 +	unsigned char data[0];
 +};
 +
 +/* FIXME: this works only on 32 bit tasks
 + * need to change whole approach in order to calculate align as function of
 + * current task alignment */
 +
 +struct compat_xt_counters
 +{
 +	u_int32_t cnt[4];
 +};
 +
 +struct compat_xt_counters_info
 +{
 +	char name[XT_TABLE_MAXNAMELEN];
 +	compat_uint_t num_counters;
 +	struct compat_xt_counters counters[0];
 +};
 +
 +#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
 +		& ~(__alignof__(struct compat_xt_counters)-1))
 +
 +extern void xt_compat_lock(int af);
 +extern void xt_compat_unlock(int af);
 +extern int xt_compat_match(void *match, void **dstptr, int *size, int convert);
 +extern int xt_compat_target(void *target, void **dstptr, int *size,
 +		int convert);
 +
 +#endif /* CONFIG_COMPAT */
 #endif /* __KERNEL__ */
 
 #endif /* _X_TABLES_H */
 diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
 index d5b8c0d..c0dac16 100644
 --- a/include/linux/netfilter_ipv4/ip_tables.h
 +++ b/include/linux/netfilter_ipv4/ip_tables.h
 @@ -316,5 +316,23 @@ extern unsigned int ipt_do_table(struct
 void *userdata);
 
 #define IPT_ALIGN(s) XT_ALIGN(s)
 +
 +#ifdef CONFIG_COMPAT
 +#include <net/compat.h>
 +
 +struct compat_ipt_entry
 +{
 +	struct ipt_ip ip;
 +	compat_uint_t nfcache;
 +	u_int16_t target_offset;
 +	u_int16_t next_offset;
 +	compat_uint_t comefrom;
 +	struct compat_xt_counters counters;
 +	unsigned char elems[0];
 +};
 +
 +#define COMPAT_IPT_ALIGN(s) 	COMPAT_XT_ALIGN(s)
 +
 +#endif /* CONFIG_COMPAT */
 #endif /*__KERNEL__*/
 #endif /* _IPTABLES_H */
 diff --git a/net/compat.c b/net/compat.c
 index 8fd37cd..d5d69fa 100644
 --- a/net/compat.c
 +++ b/net/compat.c
 @@ -476,8 +476,7 @@ asmlinkage long compat_sys_setsockopt(in
 int err;
 struct socket *sock;
 
 -	/* SO_SET_REPLACE seems to be the same in all levels */
 -	if (optname == IPT_SO_SET_REPLACE)
 +	if (level == SOL_IPV6 && optname == IPT_SO_SET_REPLACE)
 return do_netfilter_replace(fd, level, optname,
 optval, optlen);
 
 diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
 index a7b194c..34df287 100644
 --- a/net/ipv4/netfilter/ip_tables.c
 +++ b/net/ipv4/netfilter/ip_tables.c
 @@ -24,6 +24,7 @@
 #include <linux/module.h>
 #include <linux/icmp.h>
 #include <net/ip.h>
 +#include <net/compat.h>
 #include <asm/uaccess.h>
 #include <linux/mutex.h>
 #include <linux/proc_fs.h>
 @@ -799,17 +800,11 @@ get_counters(const struct xt_table_info
 }
 }
 
 -static int
 -copy_entries_to_user(unsigned int total_size,
 -		     struct ipt_table *table,
 -		     void __user *userptr)
 +static inline struct xt_counters * alloc_counters(struct ipt_table *table)
 {
 -	unsigned int off, num, countersize;
 -	struct ipt_entry *e;
 +	unsigned int countersize;
 struct xt_counters *counters;
 struct xt_table_info *private = table->private;
 -	int ret = 0;
 -	void *loc_cpu_entry;
 
 /* We need atomic snapshot of counters: rest doesn't change
 (other than comefrom, which userspace doesn't care
 @@ -818,13 +813,32 @@ copy_entries_to_user(unsigned int total_
 counters = vmalloc_node(countersize, numa_node_id());
 
 if (counters == NULL)
 -		return -ENOMEM;
 +		return ERR_PTR(-ENOMEM);
 
 /* First, sum counters... */
 write_lock_bh(&table->lock);
 get_counters(private, counters);
 write_unlock_bh(&table->lock);
 
 +	return counters;
 +}
 +
 +static int
 +copy_entries_to_user(unsigned int total_size,
 +		     struct ipt_table *table,
 +		     void __user *userptr)
 +{
 +	unsigned int off, num;
 +	struct ipt_entry *e;
 +	struct xt_counters *counters;
 +	struct xt_table_info *private = table->private;
 +	int ret = 0;
 +	void *loc_cpu_entry;
 +
 +	counters = alloc_counters(table);
 +	if (IS_ERR(counters))
 +		return PTR_ERR(counters);
 +
 /* choose the copy that is on our node/cpu, ...
 * This choice is lazy (because current thread is
 * allowed to migrate to another cpu)
 @@ -878,50 +892,905 @@ copy_entries_to_user(unsigned int total_
 goto free_counters;
 }
 }
 -
 - free_counters:
 -	vfree(counters);
 +
 + free_counters:
 +	vfree(counters);
 +	return ret;
 +}
 +
 +#ifdef CONFIG_COMPAT
 +struct compat_delta {
 +	struct compat_delta *next;
 +	u_int16_t offset;
 +	short delta;
 +};
 +
 +static struct compat_delta *compat_offsets = NULL;
 +
 +static int compat_add_offset(u_int16_t offset, short delta)
 +{
 +	struct compat_delta *tmp;
 +
 +	tmp = kmalloc(sizeof(struct compat_delta), GFP_KERNEL);
 +	if (!tmp)
 +		return -ENOMEM;
 +	tmp->offset = offset;
 +	tmp->delta = delta;
 +	if (compat_offsets) {
 +		tmp->next = compat_offsets->next;
 +		compat_offsets->next = tmp;
 +	} else {
 +		compat_offsets = tmp;
 +		tmp->next = NULL;
 +	}
 +	return 0;
 +}
 +
 +static void compat_flush_offsets(void)
 +{
 +	struct compat_delta *tmp, *next;
 +
 +	if (compat_offsets) {
 +		for(tmp = compat_offsets; tmp; tmp = next) {
 +			next = tmp->next;
 +			kfree(tmp);
 +		}
 +		compat_offsets = NULL;
 +	}
 +}
 +
 +static short compat_calc_jump(u_int16_t offset)
 +{
 +	struct compat_delta *tmp;
 +	short delta;
 +
 +	for(tmp = compat_offsets, delta = 0; tmp; tmp = tmp->next)
 +		if (tmp->offset < offset)
 +			delta += tmp->delta;
 +	return delta;
 +}
 +
 +struct compat_ipt_standard_target
 +{
 +	struct compat_xt_entry_target target;
 +	compat_int_t verdict;
 +};
 +
 +#define IPT_ST_OFFSET	(sizeof(struct ipt_standard_target) - \
 +				sizeof(struct compat_ipt_standard_target))
 +
 +struct compat_ipt_standard
 +{
 +	struct compat_ipt_entry entry;
 +	struct compat_ipt_standard_target target;
 +};
 +
 +static int compat_ipt_standard_fn(void *target,
 +		void **dstptr, int *size, int convert)
 +{
 +	struct compat_ipt_standard_target compat_st, *pcompat_st;
 +	struct ipt_standard_target st, *pst;
 +	int ret;
 +
 +	ret = 0;
 +	switch (convert) {
 +		case COMPAT_TO_USER:
 +			pst = (struct ipt_standard_target *)target;
 +			memcpy(&compat_st.target, &pst->target,
 +					sizeof(struct ipt_entry_target));
 +			compat_st.verdict = pst->verdict;
 +			if (compat_st.verdict > 0)
 +				compat_st.verdict -=
 +					compat_calc_jump(compat_st.verdict);
 +			compat_st.target.u.user.target_size =
 +			sizeof(struct compat_ipt_standard_target);
 +			if (__copy_to_user(*dstptr, &compat_st,
 +				sizeof(struct compat_ipt_standard_target)))
 +				ret = -EFAULT;
 +			*size -= IPT_ST_OFFSET;
 +			*dstptr += sizeof(struct compat_ipt_standard_target);
 +			break;
 +		case COMPAT_FROM_USER:
 +			pcompat_st =
 +				(struct compat_ipt_standard_target *)target;
 +			memcpy(&st.target, &pcompat_st->target,
 +					sizeof(struct ipt_entry_target));
 +			st.verdict = pcompat_st->verdict;
 +			if (st.verdict > 0)
 +				st.verdict += compat_calc_jump(st.verdict);
 +			st.target.u.user.target_size =
 +			sizeof(struct ipt_standard_target);
 +			memcpy(*dstptr, &st,
 +					sizeof(struct ipt_standard_target));
 +			*size += IPT_ST_OFFSET;
 +			*dstptr += sizeof(struct ipt_standard_target);
 +			break;
 +		case COMPAT_CALC_SIZE:
 +			*size += IPT_ST_OFFSET;
 +			break;
 +		default:
 +			ret = -ENOPROTOOPT;
 +			break;
 +	}
 +	return ret;
 +}
 +
 +static inline int
 +compat_calc_match(struct ipt_entry_match *m, int * size)
 +{
 +	if (m->u.kernel.match->compat)
 +		m->u.kernel.match->compat(m, NULL, size, COMPAT_CALC_SIZE);
 +	else
 +		xt_compat_match(m, NULL, size, COMPAT_CALC_SIZE);
 +	return 0;
 +}
 +
 +static int compat_calc_entry(struct ipt_entry *e, struct xt_table_info *info,
 +		void *base, struct xt_table_info *newinfo)
 +{
 +	struct ipt_entry_target *t;
 +	u_int16_t entry_offset;
 +	int off, i, ret;
 +
 +	off = 0;
 +	entry_offset = (void *)e - base;
 +	IPT_MATCH_ITERATE(e, compat_calc_match, &off);
 +	t = ipt_get_target(e);
 +	if (t->u.kernel.target->compat)
 +		t->u.kernel.target->compat(t, NULL, &off, COMPAT_CALC_SIZE);
 +	else
 +		xt_compat_target(t, NULL, &off, COMPAT_CALC_SIZE);
 +	newinfo->size -= off;
 +	ret = compat_add_offset(entry_offset, off);
 +	if (ret)
 +		return ret;
 +
 +	for (i = 0; i< NF_IP_NUMHOOKS; i++) {
 +		if (info->hook_entry[i] && (e < (struct ipt_entry *)
 +				(base + info->hook_entry[i])))
 +			newinfo->hook_entry[i] -= off;
 +		if (info->underflow[i] && (e < (struct ipt_entry *)
 +				(base + info->underflow[i])))
 +			newinfo->underflow[i] -= off;
 +	}
 +	return 0;
 +}
 +
 +static int compat_table_info(struct xt_table_info *info,
 +		struct xt_table_info *newinfo)
 +{
 +	void *loc_cpu_entry;
 +	int i;
 +
 +	if (!newinfo || !info)
 +		return -EINVAL;
 +
 +	memset(newinfo, 0, sizeof(struct xt_table_info));
 +	newinfo->size = info->size;
 +	newinfo->number = info->number;
 +	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 +		newinfo->hook_entry[i] = info->hook_entry[i];
 +		newinfo->underflow[i] = info->underflow[i];
 +	}
 +	loc_cpu_entry = info->entries[raw_smp_processor_id()];
 +	return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
 +			compat_calc_entry, info, loc_cpu_entry, newinfo);
 +}
 +#endif
 +
 +static int get_info(void __user *user, int *len, int compat)
 +{
 +	char name[IPT_TABLE_MAXNAMELEN];
 +	struct ipt_table *t;
 +	int ret;
 +
 +	if (*len != sizeof(struct ipt_getinfo)) {
 +		duprintf("length %u != %u\n", *len,
 +			(unsigned int)sizeof(struct ipt_getinfo));
 +		return -EINVAL;
 +	}
 +
 +	if (copy_from_user(name, user, sizeof(name)) != 0)
 +		return -EFAULT;
 +
 +	name[IPT_TABLE_MAXNAMELEN-1] = '\0';
 +#ifdef CONFIG_COMPAT
 +	if (compat)
 +		xt_compat_lock(AF_INET);
 +#endif
 +	t = try_then_request_module(xt_find_table_lock(AF_INET, name),
 +			"iptable_%s", name);
 +	if (t && !IS_ERR(t)) {
 +		struct ipt_getinfo info;
 +		struct xt_table_info *private = t->private;
 +
 +#ifdef CONFIG_COMPAT
 +		if (compat) {
 +			struct xt_table_info tmp;
 +			ret = compat_table_info(private, &tmp);
 +			compat_flush_offsets();
 +			private =  &tmp;
 +		}
 +#endif
 +		info.valid_hooks = t->valid_hooks;
 +		memcpy(info.hook_entry, private->hook_entry,
 +				sizeof(info.hook_entry));
 +		memcpy(info.underflow, private->underflow,
 +				sizeof(info.underflow));
 +		info.num_entries = private->number;
 +		info.size = private->size;
 +		strcpy(info.name, name);
 +
 +		if (copy_to_user(user, &info, *len) != 0)
 +			ret = -EFAULT;
 +		else
 +			ret = 0;
 +
 +		xt_table_unlock(t);
 +		module_put(t->me);
 +	} else
 +		ret = t ? PTR_ERR(t) : -ENOENT;
 +#ifdef CONFIG_COMPAT
 +	if (compat)
 +		xt_compat_unlock(AF_INET);
 +#endif
 +	return ret;
 +}
 +
 +static int
 +get_entries(struct ipt_get_entries __user *uptr, int *len)
 +{
 +	int ret;
 +	struct ipt_get_entries get;
 +	struct ipt_table *t;
 +
 +	if (*len < sizeof(get)) {
 +		duprintf("get_entries: %u < %d\n", *len,
 +				(unsigned int)sizeof(get));
 +		return -EINVAL;
 +	}
 +	if (copy_from_user(&get, uptr, sizeof(get)) != 0)
 +		return -EFAULT;
 +	if (*len != sizeof(struct ipt_get_entries) + get.size) {
 +		duprintf("get_entries: %u != %u\n", *len,
 +				(unsigned int)(sizeof(struct ipt_get_entries) +
 +				get.size));
 +		return -EINVAL;
 +	}
 +
 +	t = xt_find_table_lock(AF_INET, get.name);
 +	if (t && !IS_ERR(t)) {
 +		struct xt_table_info *private = t->private;
 +		duprintf("t->private->number = %u\n",
 +			 private->number);
 +		if (get.size == private->size)
 +			ret = copy_entries_to_user(private->size,
 +						   t, uptr->entrytable);
 +		else {
 +			duprintf("get_entries: I've got %u not %u!\n",
 +				 private->size,
 +				 get.size);
 +			ret = -EINVAL;
 +		}
 +		module_put(t->me);
 +		xt_table_unlock(t);
 +	} else
 +		ret = t ? PTR_ERR(t) : -ENOENT;
 +
 +	return ret;
 +}
 +
 +static int
 +__do_replace(const char *name, unsigned int valid_hooks,
 +		struct xt_table_info *newinfo, unsigned int num_counters,
 +		void __user *counters_ptr)
 +{
 +	int ret;
 +	struct ipt_table *t;
 +	struct xt_table_info *oldinfo;
 +	struct xt_counters *counters;
 +	void *loc_cpu_old_entry;
 +
 +	ret = 0;
 +	counters = vmalloc(num_counters * sizeof(struct xt_counters));
 +	if (!counters) {
 +		ret = -ENOMEM;
 +		goto out;
 +	}
 +
 +	t = try_then_request_module(xt_find_table_lock(AF_INET, name),
 +				    "iptable_%s", name);
 +	if (!t || IS_ERR(t)) {
 +		ret = t ? PTR_ERR(t) : -ENOENT;
 +		goto free_newinfo_counters_untrans;
 +	}
 +
 +	/* You lied! */
 +	if (valid_hooks != t->valid_hooks) {
 +		duprintf("Valid hook crap: %08X vs %08X\n",
 +			 valid_hooks, t->valid_hooks);
 +		ret = -EINVAL;
 +		goto put_module;
 +	}
 +
 +	oldinfo = xt_replace_table(t, num_counters, newinfo, &ret);
 +	if (!oldinfo)
 +		goto put_module;
 +
 +	/* Update module usage count based on number of rules */
 +	duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
 +		oldinfo->number, oldinfo->initial_entries, newinfo->number);
 +	if ((oldinfo->number > oldinfo->initial_entries) ||
 +	    (newinfo->number <= oldinfo->initial_entries))
 +		module_put(t->me);
 +	if ((oldinfo->number > oldinfo->initial_entries) &&
 +	    (newinfo->number <= oldinfo->initial_entries))
 +		module_put(t->me);
 +
 +	/* Get the old counters. */
 +	get_counters(oldinfo, counters);
 +	/* Decrease module usage counts and free resource */
 +	loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
 +	IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
 +	xt_free_table_info(oldinfo);
 +	if (copy_to_user(counters_ptr, counters,
 +			 sizeof(struct xt_counters) * num_counters) != 0)
 +		ret = -EFAULT;
 +	vfree(counters);
 +	xt_table_unlock(t);
 +	return ret;
 +
 + put_module:
 +	module_put(t->me);
 +	xt_table_unlock(t);
 + free_newinfo_counters_untrans:
 +	vfree(counters);
 + out:
 +	return ret;
 +}
 +
 +static int
 +do_replace(void __user *user, unsigned int len)
 +{
 +	int ret;
 +	struct ipt_replace tmp;
 +	struct xt_table_info *newinfo;
 +	void *loc_cpu_entry;
 +
 +	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
 +		return -EFAULT;
 +
 +	/* Hack: Causes ipchains to give correct error msg --RR */
 +	if (len != sizeof(tmp) + tmp.size)
 +		return -ENOPROTOOPT;
 +
 +	/* overflow check */
 +	if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
 +			SMP_CACHE_BYTES)
 +		return -ENOMEM;
 +	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 +		return -ENOMEM;
 +
 +	newinfo = xt_alloc_table_info(tmp.size);
 +	if (!newinfo)
 +		return -ENOMEM;
 +
 +	/* choose the copy that is our node/cpu */
 +	loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
 +	if (copy_from_user(loc_cpu_entry, user + sizeof(tmp),
 +			   tmp.size) != 0) {
 +		ret = -EFAULT;
 +		goto free_newinfo;
 +	}
 +
 +	ret = translate_table(tmp.name, tmp.valid_hooks,
 +			      newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
 +			      tmp.hook_entry, tmp.underflow);
 +	if (ret != 0)
 +		goto free_newinfo;
 +
 +	duprintf("ip_tables: Translated table\n");
 +
 +	ret = __do_replace(tmp.name, tmp.valid_hooks,
 +			      newinfo, tmp.num_counters,
 +			      tmp.counters);
 +	if (ret)
 +		goto free_newinfo_untrans;
 +	return 0;
 +
 + free_newinfo_untrans:
 +	IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
 + free_newinfo:
 +	xt_free_table_info(newinfo);
 +	return ret;
 +}
 +
 +/* We're lazy, and add to the first CPU; overflow works its fey magic
 + * and everything is OK. */
 +static inline int
 +add_counter_to_entry(struct ipt_entry *e,
 +		     const struct xt_counters addme[],
 +		     unsigned int *i)
 +{
 +#if 0
 +	duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
 +		 *i,
 +		 (long unsigned int)e->counters.pcnt,
 +		 (long unsigned int)e->counters.bcnt,
 +		 (long unsigned int)addme[*i].pcnt,
 +		 (long unsigned int)addme[*i].bcnt);
 +#endif
 +
 +	ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
 +
 +	(*i)++;
 +	return 0;
 +}
 +
 +static int
 +do_add_counters(void __user *user, unsigned int len, int compat)
 +{
 +	unsigned int i;
 +	struct xt_counters_info tmp;
 +	struct xt_counters *paddc;
 +	unsigned int num_counters;
 +	char *name;
 +	int size;
 +	void *ptmp;
 +	struct ipt_table *t;
 +	struct xt_table_info *private;
 +	int ret = 0;
 +	void *loc_cpu_entry;
 +#ifdef CONFIG_COMPAT
 +	struct compat_xt_counters_info compat_tmp;
 +
 +	if (compat) {
 +		ptmp = &compat_tmp;
 +		size = sizeof(struct compat_xt_counters_info);
 +	} else
 +#endif
 +	{
 +		ptmp = &tmp;
 +		size = sizeof(struct xt_counters_info);
 +	}
 +
 +	if (copy_from_user(ptmp, user, size) != 0)
 +		return -EFAULT;
 +
 +#ifdef CONFIG_COMPAT
 +	if (compat) {
 +		num_counters = compat_tmp.num_counters;
 +		name = compat_tmp.name;
 +	} else
 +#endif
 +	{
 +		num_counters = tmp.num_counters;
 +		name = tmp.name;
 +	}
 +
 +	if (len != size + num_counters * sizeof(struct xt_counters))
 +		return -EINVAL;
 +
 +	paddc = vmalloc_node(len - size, numa_node_id());
 +	if (!paddc)
 +		return -ENOMEM;
 +
 +	if (copy_from_user(paddc, user + size, len - size) != 0) {
 +		ret = -EFAULT;
 +		goto free;
 +	}
 +
 +	t = xt_find_table_lock(AF_INET, name);
 +	if (!t || IS_ERR(t)) {
 +		ret = t ? PTR_ERR(t) : -ENOENT;
 +		goto free;
 +	}
 +
 +	write_lock_bh(&t->lock);
 +	private = t->private;
 +	if (private->number != num_counters) {
 +		ret = -EINVAL;
 +		goto unlock_up_free;
 +	}
 +
 +	i = 0;
 +	/* Choose the copy that is on our node */
 +	loc_cpu_entry = private->entries[raw_smp_processor_id()];
 +	IPT_ENTRY_ITERATE(loc_cpu_entry,
 +			  private->size,
 +			  add_counter_to_entry,
 +			  paddc,
 +			  &i);
 + unlock_up_free:
 +	write_unlock_bh(&t->lock);
 +	xt_table_unlock(t);
 +	module_put(t->me);
 + free:
 +	vfree(paddc);
 +
 +	return ret;
 +}
 +
 +#ifdef CONFIG_COMPAT
 +struct compat_ipt_replace {
 +	char			name[IPT_TABLE_MAXNAMELEN];
 +	u32			valid_hooks;
 +	u32			num_entries;
 +	u32			size;
 +	u32			hook_entry[NF_IP_NUMHOOKS];
 +	u32			underflow[NF_IP_NUMHOOKS];
 +	u32			num_counters;
 +	compat_uptr_t		counters;	/* struct ipt_counters * */
 +	struct compat_ipt_entry	entries[0];
 +};
 +
 +static inline int compat_copy_match_to_user(struct ipt_entry_match *m,
 +		void __user **dstptr, compat_uint_t *size)
 +{
 +	if (m->u.kernel.match->compat)
 +		return m->u.kernel.match->compat(m, dstptr, size,
 +				COMPAT_TO_USER);
 +	else
 +		return xt_compat_match(m, dstptr, size, COMPAT_TO_USER);
 +}
 +
 +static int compat_copy_entry_to_user(struct ipt_entry *e,
 +		void __user **dstptr, compat_uint_t *size)
 +{
 +	struct ipt_entry_target __user *t;
 +	struct compat_ipt_entry __user *ce;
 +	u_int16_t target_offset, next_offset;
 +	compat_uint_t origsize;
 +	int ret;
 +
 +	ret = -EFAULT;
 +	origsize = *size;
 +	ce = (struct compat_ipt_entry __user *)*dstptr;
 +	if (__copy_to_user(ce, e, sizeof(struct ipt_entry)))
 +		goto out;
 +
 +	*dstptr += sizeof(struct compat_ipt_entry);
 +	ret = IPT_MATCH_ITERATE(e, compat_copy_match_to_user, dstptr, size);
 +	target_offset = e->target_offset - (origsize - *size);
 +	if (ret)
 +		goto out;
 +	t = ipt_get_target(e);
 +	if (t->u.kernel.target->compat)
 +		ret = t->u.kernel.target->compat(t, dstptr, size,
 +				COMPAT_TO_USER);
 +	else
 +		ret = xt_compat_target(t, dstptr, size, COMPAT_TO_USER);
 +	if (ret)
 +		goto out;
 +	ret = -EFAULT;
 +	next_offset = e->next_offset - (origsize - *size);
 +	if (__put_user(target_offset, &ce->target_offset))
 +		goto out;
 +	if (__put_user(next_offset, &ce->next_offset))
 +		goto out;
 +	return 0;
 +out:
 +	return ret;
 +}
 +
 +static inline int
 +compat_check_calc_match(struct ipt_entry_match *m,
 +	    const char *name,
 +	    const struct ipt_ip *ip,
 +	    unsigned int hookmask,
 +	    int *size, int *i)
 +{
 +	struct ipt_match *match;
 +
 +	match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
 +						   m->u.user.revision),
 +					"ipt_%s", m->u.user.name);
 +	if (IS_ERR(match) || !match) {
 +		duprintf("compat_check_calc_match: `%s' not found\n",
 +				m->u.user.name);
 +		return match ? PTR_ERR(match) : -ENOENT;
 +	}
 +	m->u.kernel.match = match;
 +
 +	if (m->u.kernel.match->compat)
 +		m->u.kernel.match->compat(m, NULL, size, COMPAT_CALC_SIZE);
 +	else
 +		xt_compat_match(m, NULL, size, COMPAT_CALC_SIZE);
 +
 +	(*i)++;
 +	return 0;
 +}
 +
 +static inline int
 +check_compat_entry_size_and_hooks(struct ipt_entry *e,
 +			   struct xt_table_info *newinfo,
 +			   unsigned int *size,
 +			   unsigned char *base,
 +			   unsigned char *limit,
 +			   unsigned int *hook_entries,
 +			   unsigned int *underflows,
 +			   unsigned int *i,
 +			   const char *name)
 +{
 +	struct ipt_entry_target *t;
 +	struct ipt_target *target;
 +	u_int16_t entry_offset;
 +	int ret, off, h, j;
 +
 +	duprintf("check_compat_entry_size_and_hooks %p\n", e);
 +	if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
 +	    || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
 +		duprintf("Bad offset %p, limit = %p\n", e, limit);
 +		return -EINVAL;
 +	}
 +
 +	if (e->next_offset < sizeof(struct compat_ipt_entry) +
 +			sizeof(struct compat_xt_entry_target)) {
 +		duprintf("checking: element %p size %u\n",
 +			 e, e->next_offset);
 +		return -EINVAL;
 +	}
 +
 +	if (!ip_checkentry(&e->ip)) {
 +		duprintf("ip_tables: ip check failed %p %s.\n", e, name);
 +		return -EINVAL;
 +	}
 +
 +	off = 0;
 +	entry_offset = (void *)e - (void *)base;
 +	j = 0;
 +	ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip,
 +			e->comefrom, &off, &j);
 +	if (ret != 0)
 +		goto out;
 +
 +	t = ipt_get_target(e);
 +	target = try_then_request_module(xt_find_target(AF_INET,
 +						     t->u.user.name,
 +						     t->u.user.revision),
 +					 "ipt_%s", t->u.user.name);
 +	if (IS_ERR(target) || !target) {
 +		duprintf("check_entry: `%s' not found\n", t->u.user.name);
 +		ret = target ? PTR_ERR(target) : -ENOENT;
 +		goto out;
 +	}
 +	t->u.kernel.target = target;
 +
 +	if (t->u.kernel.target->compat)
 +		t->u.kernel.target->compat(t, NULL, &off, COMPAT_CALC_SIZE);
 +	else
 +		xt_compat_target(t, NULL, &off, COMPAT_CALC_SIZE);
 +	*size += off;
 +	ret = compat_add_offset(entry_offset, off);
 +	if (ret)
 +		goto out;
 +
 +	/* Check hooks & underflows */
 +	for (h = 0; h < NF_IP_NUMHOOKS; h++) {
 +		if ((unsigned char *)e - base == hook_entries[h])
 +			newinfo->hook_entry[h] = hook_entries[h];
 +		if ((unsigned char *)e - base == underflows[h])
 +			newinfo->underflow[h] = underflows[h];
 +	}
 +
 +	/* Clear counters and comefrom */
 +	e->counters = ((struct ipt_counters) { 0, 0 });
 +	e->comefrom = 0;
 +
 +	(*i)++;
 +	return 0;
 +out:
 +	IPT_MATCH_ITERATE(e, cleanup_match, &j);
 +	return ret;
 +}
 +
 +static inline int compat_copy_match_from_user(struct ipt_entry_match *m,
 +	void **dstptr, compat_uint_t *size, const char *name,
 +	const struct ipt_ip *ip, unsigned int hookmask)
 +{
 +	struct ipt_entry_match *dm;
 +	struct ipt_match *match;
 +	int ret;
 +
 +	dm = (struct ipt_entry_match *)*dstptr;
 +	match = m->u.kernel.match;
 +	if (match->compat)
 +		match->compat(m, dstptr, size, COMPAT_FROM_USER);
 +	else
 +		xt_compat_match(m, dstptr, size, COMPAT_FROM_USER);
 +
 +	ret = xt_check_match(match, AF_INET, dm->u.match_size - sizeof(*dm),
 +			     name, hookmask, ip->proto,
 +			     ip->invflags & IPT_INV_PROTO);
 +	if (ret)
 +		return ret;
 +
 +	if (m->u.kernel.match->checkentry
 +	    && !m->u.kernel.match->checkentry(name, ip, match, dm->data,
 +					      dm->u.match_size - sizeof(*dm),
 +					      hookmask)) {
 +		duprintf("ip_tables: check failed for `%s'.\n",
 +			 m->u.kernel.match->name);
 +		return -EINVAL;
 +	}
 +	return 0;
 +}
 +
 +static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr,
 +	unsigned int *size, const char *name,
 +	struct xt_table_info *newinfo, unsigned char *base)
 +{
 +	struct ipt_entry_target *t;
 +	struct ipt_target *target;
 +	struct ipt_entry *de;
 +	unsigned int origsize;
 +	int ret, h;
 +
 +	ret = 0;
 +	origsize = *size;
 +	de = (struct ipt_entry *)*dstptr;
 +	memcpy(de, e, sizeof(struct ipt_entry));
 +
 +	*dstptr += sizeof(struct compat_ipt_entry);
 +	ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size,
 +			name, &de->ip, de->comefrom);
 +	if (ret)
 +		goto out;
 +	de->target_offset = e->target_offset - (origsize - *size);
 +	t = ipt_get_target(e);
 +	target = t->u.kernel.target;
 +	if (target->compat)
 +		target->compat(t, dstptr, size, COMPAT_FROM_USER);
 +	else
 +		xt_compat_target(t, dstptr, size, COMPAT_FROM_USER);
 +
 +	de->next_offset = e->next_offset - (origsize - *size);
 +	for (h = 0; h < NF_IP_NUMHOOKS; h++) {
 +		if ((unsigned char *)de - base < newinfo->hook_entry[h])
 +			newinfo->hook_entry[h] -= origsize - *size;
 +		if ((unsigned char *)de - base < newinfo->underflow[h])
 +			newinfo->underflow[h] -= origsize - *size;
 +	}
 +
 +	t = ipt_get_target(de);
 +	target = t->u.kernel.target;
 +	ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
 +			      name, e->comefrom, e->ip.proto,
 +			      e->ip.invflags & IPT_INV_PROTO);
 +	if (ret)
 +		goto out;
 +
 +	ret = -EINVAL;
 +	if (t->u.kernel.target == &ipt_standard_target) {
 +		if (!standard_check(t, *size))
 +			goto out;
 +	} else if (t->u.kernel.target->checkentry
 +		   && !t->u.kernel.target->checkentry(name, de, target,
 +				t->data, t->u.target_size - sizeof(*t),
 +				de->comefrom)) {
 +		duprintf("ip_tables: compat: check failed for `%s'.\n",
 +			 t->u.kernel.target->name);
 +		goto out;
 +	}
 +	ret = 0;
 +out:
 return ret;
 }
 
 static int
 -get_entries(const struct ipt_get_entries *entries,
 -	    struct ipt_get_entries __user *uptr)
 +translate_compat_table(const char *name,
 +		unsigned int valid_hooks,
 +		struct xt_table_info **pinfo,
 +		void **pentry0,
 +		unsigned int total_size,
 +		unsigned int number,
 +		unsigned int *hook_entries,
 +		unsigned int *underflows)
 {
 +	unsigned int i;
 +	struct xt_table_info *newinfo, *info;
 +	void *pos, *entry0, *entry1;
 +	unsigned int size;
 int ret;
 -	struct ipt_table *t;
 
 -	t = xt_find_table_lock(AF_INET, entries->name);
 -	if (t && !IS_ERR(t)) {
 -		struct xt_table_info *private = t->private;
 -		duprintf("t->private->number = %u\n",
 -			 private->number);
 -		if (entries->size == private->size)
 -			ret = copy_entries_to_user(private->size,
 -						   t, uptr->entrytable);
 -		else {
 -			duprintf("get_entries: I've got %u not %u!\n",
 -				 private->size,
 -				 entries->size);
 -			ret = -EINVAL;
 +	info = *pinfo;
 +	entry0 = *pentry0;
 +	size = total_size;
 +	info->number = number;
 +
 +	/* Init all hooks to impossible value. */
 +	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 +		info->hook_entry[i] = 0xFFFFFFFF;
 +		info->underflow[i] = 0xFFFFFFFF;
 +	}
 +
 +	duprintf("translate_compat_table: size %u\n", info->size);
 +	i = 0;
 +	xt_compat_lock(AF_INET);
 +	/* Walk through entries, checking offsets. */
 +	ret = IPT_ENTRY_ITERATE(entry0, total_size,
 +				check_compat_entry_size_and_hooks,
 +				info, &size, entry0,
 +				entry0 + total_size,
 +				hook_entries, underflows, &i, name);
 +	if (ret != 0)
 +		goto out_unlock;
 +
 +	ret = -EINVAL;
 +	if (i != number) {
 +		duprintf("translate_compat_table: %u not %u entries\n",
 +			 i, number);
 +		goto out_unlock;
 +	}
 +
 +	/* Check hooks all assigned */
 +	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 +		/* Only hooks which are valid */
 +		if (!(valid_hooks & (1 << i)))
 +			continue;
 +		if (info->hook_entry[i] == 0xFFFFFFFF) {
 +			duprintf("Invalid hook entry %u %u\n",
 +				 i, hook_entries[i]);
 +			goto out_unlock;
 }
 -		module_put(t->me);
 -		xt_table_unlock(t);
 -	} else
 -		ret = t ? PTR_ERR(t) : -ENOENT;
 +		if (info->underflow[i] == 0xFFFFFFFF) {
 +			duprintf("Invalid underflow %u %u\n",
 +				 i, underflows[i]);
 +			goto out_unlock;
 +		}
 +	}
 +
 +	ret = -ENOMEM;
 +	newinfo = xt_alloc_table_info(size);
 +	if (!newinfo)
 +		goto out_unlock;
 +
 +	newinfo->number = number;
 +	for (i = 0; i < NF_IP_NUMHOOKS; i++) {
 +		newinfo->hook_entry[i] = info->hook_entry[i];
 +		newinfo->underflow[i] = info->underflow[i];
 +	}
 +	entry1 = newinfo->entries[raw_smp_processor_id()];
 +	pos = entry1;
 +	size =  total_size;
 +	ret = IPT_ENTRY_ITERATE(entry0, total_size,
 +			compat_copy_entry_from_user, &pos, &size,
 +			name, newinfo, entry1);
 +	compat_flush_offsets();
 +	xt_compat_unlock(AF_INET);
 +	if (ret)
 +		goto free_newinfo;
 +
 +	ret = -ELOOP;
 +	if (!mark_source_chains(newinfo, valid_hooks, entry1))
 +		goto free_newinfo;
 +
 +	/* And one copy for every other CPU */
 +	for_each_cpu(i)
 +		if (newinfo->entries[i] && newinfo->entries[i] != entry1)
 +			memcpy(newinfo->entries[i], entry1, newinfo->size);
 +
 +	*pinfo = newinfo;
 +	*pentry0 = entry1;
 +	xt_free_table_info(info);
 +	return 0;
 
 +free_newinfo:
 +	xt_free_table_info(newinfo);
 +out:
 return ret;
 +out_unlock:
 +	xt_compat_unlock(AF_INET);
 +	goto out;
 }
 
 static int
 -do_replace(void __user *user, unsigned int len)
 +compat_do_replace(void __user *user, unsigned int len)
 {
 int ret;
 -	struct ipt_replace tmp;
 -	struct ipt_table *t;
 -	struct xt_table_info *newinfo, *oldinfo;
 -	struct xt_counters *counters;
 -	void *loc_cpu_entry, *loc_cpu_old_entry;
 +	struct compat_ipt_replace tmp;
 +	struct xt_table_info *newinfo;
 +	void *loc_cpu_entry;
 
 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
 return -EFAULT;
 @@ -949,151 +1818,201 @@ do_replace(void __user *user, unsigned i
 goto free_newinfo;
 }
 
 -	counters = vmalloc(tmp.num_counters * sizeof(struct xt_counters));
 -	if (!counters) {
 -		ret = -ENOMEM;
 +	ret = translate_compat_table(tmp.name, tmp.valid_hooks,
 +			      &newinfo, &loc_cpu_entry, tmp.size,
 +			      tmp.num_entries, tmp.hook_entry, tmp.underflow);
 +	if (ret != 0)
 goto free_newinfo;
 -	}
 
 -	ret = translate_table(tmp.name, tmp.valid_hooks,
 -			      newinfo, loc_cpu_entry, tmp.size, tmp.num_entries,
 -			      tmp.hook_entry, tmp.underflow);
 -	if (ret != 0)
 -		goto free_newinfo_counters;
 +	duprintf("compat_do_replace: Translated table\n");
 
 -	duprintf("ip_tables: Translated table\n");
 +	ret = __do_replace(tmp.name, tmp.valid_hooks,
 +			      newinfo, tmp.num_counters,
 +			      compat_ptr(tmp.counters));
 +	if (ret)
 +		goto free_newinfo_untrans;
 +	return 0;
 
 -	t = try_then_request_module(xt_find_table_lock(AF_INET, tmp.name),
 -				    "iptable_%s", tmp.name);
 -	if (!t || IS_ERR(t)) {
 -		ret = t ? PTR_ERR(t) : -ENOENT;
 -		goto free_newinfo_counters_untrans;
 -	}
 + free_newinfo_untrans:
 +	IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
 + free_newinfo:
 +	xt_free_table_info(newinfo);
 +	return ret;
 +}
 
 -	/* You lied! */
 -	if (tmp.valid_hooks != t->valid_hooks) {
 -		duprintf("Valid hook crap: %08X vs %08X\n",
 -			 tmp.valid_hooks, t->valid_hooks);
 -		ret = -EINVAL;
 -		goto put_module;
 -	}
 +static int
 +compat_do_ipt_set_ctl(struct sock *sk,	int cmd, void __user *user,
 +		unsigned int len)
 +{
 +	int ret;
 
 -	oldinfo = xt_replace_table(t, tmp.num_counters, newinfo, &ret);
 -	if (!oldinfo)
 -		goto put_module;
 +	if (!capable(CAP_NET_ADMIN))
 +		return -EPERM;
 
 -	/* Update module usage count based on number of rules */
 -	duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n",
 -		oldinfo->number, oldinfo->initial_entries, newinfo->number);
 -	if ((oldinfo->number > oldinfo->initial_entries) ||
 -	    (newinfo->number <= oldinfo->initial_entries))
 -		module_put(t->me);
 -	if ((oldinfo->number > oldinfo->initial_entries) &&
 -	    (newinfo->number <= oldinfo->initial_entries))
 -		module_put(t->me);
 +	switch (cmd) {
 +	case IPT_SO_SET_REPLACE:
 +		ret = compat_do_replace(user, len);
 +		break;
 
 -	/* Get the old counters. */
 -	get_counters(oldinfo, counters);
 -	/* Decrease module usage counts and free resource */
 -	loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
 -	IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry,NULL);
 -	xt_free_table_info(oldinfo);
 -	if (copy_to_user(tmp.counters, counters,
 -			 sizeof(struct xt_counters) * tmp.num_counters) != 0)
 -		ret = -EFAULT;
 -	vfree(counters);
 -	xt_table_unlock(t);
 -	return ret;
 +	case IPT_SO_SET_ADD_COUNTERS:
 +		ret = do_add_counters(user, len, 1);
 +		break;
 +
 +	default:
 +		duprintf("do_ipt_set_ctl:  unknown request %i\n", cmd);
 +		ret = -EINVAL;
 +	}
 
 - put_module:
 -	module_put(t->me);
 -	xt_table_unlock(t);
 - free_newinfo_counters_untrans:
 -	IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry,NULL);
 - free_newinfo_counters:
 -	vfree(counters);
 - free_newinfo:
 -	xt_free_table_info(newinfo);
 return ret;
 }
 
 -/* We're lazy, and add to the first CPU; overflow works its fey magic
 - * and everything is OK. */
 -static inline int
 -add_counter_to_entry(struct ipt_entry *e,
 -		     const struct xt_counters addme[],
 -		     unsigned int *i)
 +struct compat_ipt_get_entries
 {
 -#if 0
 -	duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
 -		 *i,
 -		 (long unsigned int)e->counters.pcnt,
 -		 (long unsigned int)e->counters.bcnt,
 -		 (long unsigned int)addme[*i].pcnt,
 -		 (long unsigned int)addme[*i].bcnt);
 -#endif
 +	char name[IPT_TABLE_MAXNAMELEN];
 +	compat_uint_t size;
 +	struct compat_ipt_entry entrytable[0];
 +};
 
 -	ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
 +static int compat_copy_entries_to_user(unsigned int total_size,
 +		     struct ipt_table *table, void __user *userptr)
 +{
 +	unsigned int off, num;
 +	struct compat_ipt_entry e;
 +	struct xt_counters *counters;
 +	struct xt_table_info *private = table->private;
 +	void __user *pos;
 +	unsigned int size;
 +	int ret = 0;
 +	void *loc_cpu_entry;
 
 -	(*i)++;
 -	return 0;
 +	counters = alloc_counters(table);
 +	if (IS_ERR(counters))
 +		return PTR_ERR(counters);
 +
 +	/* choose the copy that is on our node/cpu, ...
 +	 * This choice is lazy (because current thread is
 +	 * allowed to migrate to another cpu)
 +	 */
 +	loc_cpu_entry = private->entries[raw_smp_processor_id()];
 +	pos = userptr;
 +	size = total_size;
 +	ret = IPT_ENTRY_ITERATE(loc_cpu_entry, total_size,
 +			compat_copy_entry_to_user, &pos, &size);
 +	if (ret)
 +		goto free_counters;
 +
 +	/* ... then go back and fix counters and names */
 +	for (off = 0, num = 0; off < size; off += e.next_offset, num++) {
 +		unsigned int i;
 +		struct ipt_entry_match m;
 +		struct ipt_entry_target t;
 +
 +		ret = -EFAULT;
 +		if (copy_from_user(&e, userptr + off,
 +					sizeof(struct compat_ipt_entry)))
 +			goto free_counters;
 +		if (copy_to_user(userptr + off +
 +			offsetof(struct compat_ipt_entry, counters),
 +			 &counters[num], sizeof(counters[num])))
 +			goto free_counters;
 +
 +		for (i = sizeof(struct compat_ipt_entry);
 +				i < e.target_offset; i += m.u.match_size) {
 +			if (copy_from_user(&m, userptr + off + i,
 +					sizeof(struct ipt_entry_match)))
 +				goto free_counters;
 +			if (copy_to_user(userptr + off + i +
 +				offsetof(struct ipt_entry_match, u.user.name),
 +				m.u.kernel.match->name,
 +				strlen(m.u.kernel.match->name) + 1))
 +				goto free_counters;
 +		}
 +
 +		if (copy_from_user(&t, userptr + off + e.target_offset,
 +					sizeof(struct ipt_entry_target)))
 +			goto free_counters;
 +		if (copy_to_user(userptr + off + e.target_offset +
 +			offsetof(struct ipt_entry_target, u.user.name),
 +			t.u.kernel.target->name,
 +			strlen(t.u.kernel.target->name) + 1))
 +			goto free_counters;
 +	}
 +	ret = 0;
 +free_counters:
 +	vfree(counters);
 +	return ret;
 }
 
 static int
 -do_add_counters(void __user *user, unsigned int len)
 +compat_get_entries(struct compat_ipt_get_entries __user *uptr, int *len)
 {
 -	unsigned int i;
 -	struct xt_counters_info tmp, *paddc;
 +	int ret;
 +	struct compat_ipt_get_entries get;
 struct ipt_table *t;
 -	struct xt_table_info *private;
 -	int ret = 0;
 -	void *loc_cpu_entry;
 
 -	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
 -		return -EFAULT;
 
 -	if (len != sizeof(tmp) + tmp.num_counters*sizeof(struct xt_counters))
 +	if (*len < sizeof(get)) {
 +		duprintf("compat_get_entries: %u < %u\n",
 +				*len, (unsigned int)sizeof(get));
 return -EINVAL;
 +	}
 
 -	paddc = vmalloc_node(len, numa_node_id());
 -	if (!paddc)
 -		return -ENOMEM;
 +	if (copy_from_user(&get, uptr, sizeof(get)) != 0)
 +		return -EFAULT;
 
 -	if (copy_from_user(paddc, user, len) != 0) {
 -		ret = -EFAULT;
 -		goto free;
 +	if (*len != sizeof(struct compat_ipt_get_entries) + get.size) {
 +		duprintf("compat_get_entries: %u != %u\n", *len,
 +			(unsigned int)(sizeof(struct compat_ipt_get_entries) +
 +			get.size));
 +		return -EINVAL;
 }
 
 -	t = xt_find_table_lock(AF_INET, tmp.name);
 -	if (!t || IS_ERR(t)) {
 +	xt_compat_lock(AF_INET);
 +	t = xt_find_table_lock(AF_INET, get.name);
 +	if (t && !IS_ERR(t)) {
 +		struct xt_table_info *private = t->private;
 +		struct xt_table_info info;
 +		duprintf("t->private->number = %u\n",
 +			 private->number);
 +		ret = compat_table_info(private, &info);
 +		if (!ret && get.size == info.size) {
 +			ret = compat_copy_entries_to_user(private->size,
 +						   t, uptr->entrytable);
 +		} else if (!ret) {
 +			duprintf("compat_get_entries: I've got %u not %u!\n",
 +				 private->size,
 +				 get.size);
 +			ret = -EINVAL;
 +		}
 +		compat_flush_offsets();
 +		module_put(t->me);
 +		xt_table_unlock(t);
 +	} else
 ret = t ? PTR_ERR(t) : -ENOENT;
 -		goto free;
 -	}
 
 -	write_lock_bh(&t->lock);
 -	private = t->private;
 -	if (private->number != paddc->num_counters) {
 -		ret = -EINVAL;
 -		goto unlock_up_free;
 -	}
 +	xt_compat_unlock(AF_INET);
 +	return ret;
 +}
 
 -	i = 0;
 -	/* Choose the copy that is on our node */
 -	loc_cpu_entry = private->entries[raw_smp_processor_id()];
 -	IPT_ENTRY_ITERATE(loc_cpu_entry,
 -			  private->size,
 -			  add_counter_to_entry,
 -			  paddc->counters,
 -			  &i);
 - unlock_up_free:
 -	write_unlock_bh(&t->lock);
 -	xt_table_unlock(t);
 -	module_put(t->me);
 - free:
 -	vfree(paddc);
 +static int
 +compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 +{
 +	int ret;
 
 +	switch (cmd) {
 +	case IPT_SO_GET_INFO:
 +		ret = get_info(user, len, 1);
 +		break;
 +	case IPT_SO_GET_ENTRIES:
 +		ret = compat_get_entries(user, len);
 +		break;
 +	default:
 +		duprintf("compat_do_ipt_get_ctl: unknown request %i\n", cmd);
 +		ret = -EINVAL;
 +	}
 return ret;
 }
 +#endif
 
 static int
 do_ipt_set_ctl(struct sock *sk,	int cmd, void __user *user, unsigned int len)
 @@ -1109,7 +2028,7 @@ do_ipt_set_ctl(struct sock *sk,	int cmd,
 break;
 
 case IPT_SO_SET_ADD_COUNTERS:
 -		ret = do_add_counters(user, len);
 +		ret = do_add_counters(user, len, 0);
 break;
 
 default:
 @@ -1129,65 +2048,13 @@ do_ipt_get_ctl(struct sock *sk, int cmd,
 return -EPERM;
 
 switch (cmd) {
 -	case IPT_SO_GET_INFO: {
 -		char name[IPT_TABLE_MAXNAMELEN];
 -		struct ipt_table *t;
 -
 -		if (*len != sizeof(struct ipt_getinfo)) {
 -			duprintf("length %u != %u\n", *len,
 -				 sizeof(struct ipt_getinfo));
 -			ret = -EINVAL;
 -			break;
 -		}
 -
 -		if (copy_from_user(name, user, sizeof(name)) != 0) {
 -			ret = -EFAULT;
 -			break;
 -		}
 -		name[IPT_TABLE_MAXNAMELEN-1] = '\0';
 -
 -		t = try_then_request_module(xt_find_table_lock(AF_INET, name),
 -					    "iptable_%s", name);
 -		if (t && !IS_ERR(t)) {
 -			struct ipt_getinfo info;
 -			struct xt_table_info *private = t->private;
 -
 -			info.valid_hooks = t->valid_hooks;
 -			memcpy(info.hook_entry, private->hook_entry,
 -			       sizeof(info.hook_entry));
 -			memcpy(info.underflow, private->underflow,
 -			       sizeof(info.underflow));
 -			info.num_entries = private->number;
 -			info.size = private->size;
 -			memcpy(info.name, name, sizeof(info.name));
 -
 -			if (copy_to_user(user, &info, *len) != 0)
 -				ret = -EFAULT;
 -			else
 -				ret = 0;
 -			xt_table_unlock(t);
 -			module_put(t->me);
 -		} else
 -			ret = t ? PTR_ERR(t) : -ENOENT;
 -	}
 -	break;
 -
 -	case IPT_SO_GET_ENTRIES: {
 -		struct ipt_get_entries get;
 +	case IPT_SO_GET_INFO:
 +		ret = get_info(user, len, 0);
 +		break;
 
 -		if (*len < sizeof(get)) {
 -			duprintf("get_entries: %u < %u\n", *len, sizeof(get));
 -			ret = -EINVAL;
 -		} else if (copy_from_user(&get, user, sizeof(get)) != 0) {
 -			ret = -EFAULT;
 -		} else if (*len != sizeof(struct ipt_get_entries) + get.size) {
 -			duprintf("get_entries: %u != %u\n", *len,
 -				 sizeof(struct ipt_get_entries) + get.size);
 -			ret = -EINVAL;
 -		} else
 -			ret = get_entries(&get, user);
 +	case IPT_SO_GET_ENTRIES:
 +		ret = get_entries(user, len);
 break;
 -	}
 
 case IPT_SO_GET_REVISION_MATCH:
 case IPT_SO_GET_REVISION_TARGET: {
 @@ -1336,6 +2203,9 @@ static struct ipt_target ipt_standard_ta
 .name		= IPT_STANDARD_TARGET,
 .targetsize	= sizeof(int),
 .family		= AF_INET,
 +#ifdef CONFIG_COMPAT
 +	.compat		= &compat_ipt_standard_fn,
 +#endif
 };
 
 static struct ipt_target ipt_error_target = {
 @@ -1350,9 +2220,11 @@ static struct nf_sockopt_ops ipt_sockopt
 .set_optmin	= IPT_BASE_CTL,
 .set_optmax	= IPT_SO_SET_MAX+1,
 .set		= do_ipt_set_ctl,
 +	.compat_set	= compat_do_ipt_set_ctl,
 .get_optmin	= IPT_BASE_CTL,
 .get_optmax	= IPT_SO_GET_MAX+1,
 .get		= do_ipt_get_ctl,
 +	.compat_get	= compat_do_ipt_get_ctl,
 };
 
 static struct ipt_match icmp_matchstruct = {
 diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
 index a657ab5..feb8a9e 100644
 --- a/net/netfilter/x_tables.c
 +++ b/net/netfilter/x_tables.c
 @@ -38,6 +38,7 @@ struct xt_af {
 struct list_head match;
 struct list_head target;
 struct list_head tables;
 +	struct mutex compat_mutex;
 };
 
 static struct xt_af *xt;
 @@ -272,6 +273,54 @@ int xt_check_match(const struct xt_match
 }
 EXPORT_SYMBOL_GPL(xt_check_match);
 
 +#ifdef CONFIG_COMPAT
 +int xt_compat_match(void *match, void **dstptr, int *size, int convert)
 +{
 +	struct xt_match *m;
 +	struct compat_xt_entry_match *pcompat_m;
 +	struct xt_entry_match *pm;
 +	u_int16_t msize;
 +	int off, ret;
 +
 +	ret = 0;
 +	m = ((struct xt_entry_match *)match)->u.kernel.match;
 +	off = XT_ALIGN(m->matchsize) - COMPAT_XT_ALIGN(m->matchsize);
 +	switch (convert) {
 +		case COMPAT_TO_USER:
 +			pm = (struct xt_entry_match *)match;
 +			msize = pm->u.user.match_size;
 +			if (__copy_to_user(*dstptr, pm, msize)) {
 +				ret = -EFAULT;
 +				break;
 +			}
 +			msize -= off;
 +			if (put_user(msize, (u_int16_t *)*dstptr))
 +				ret = -EFAULT;
 +			*size -= off;
 +			*dstptr += msize;
 +			break;
 +		case COMPAT_FROM_USER:
 +			pcompat_m = (struct compat_xt_entry_match *)match;
 +			pm = (struct xt_entry_match *)*dstptr;
 +			msize = pcompat_m->u.user.match_size;
 +			memcpy(pm, pcompat_m, msize);
 +			msize += off;
 +			pm->u.user.match_size = msize;
 +			*size += off;
 +			*dstptr += msize;
 +			break;
 +		case COMPAT_CALC_SIZE:
 +			*size += off;
 +			break;
 +		default:
 +			ret = -ENOPROTOOPT;
 +			break;
 +	}
 +	return ret;
 +}
 +EXPORT_SYMBOL_GPL(xt_compat_match);
 +#endif
 +
 int xt_check_target(const struct xt_target *target, unsigned short family,
 unsigned int size, const char *table, unsigned int hook_mask,
 unsigned short proto, int inv_proto)
 @@ -301,6 +350,54 @@ int xt_check_target(const struct xt_targ
 }
 EXPORT_SYMBOL_GPL(xt_check_target);
 
 +#ifdef CONFIG_COMPAT
 +int xt_compat_target(void *target, void **dstptr, int *size, int convert)
 +{
 +	struct xt_target *t;
 +	struct compat_xt_entry_target *pcompat;
 +	struct xt_entry_target *pt;
 +	u_int16_t tsize;
 +	int off, ret;
 +
 +	ret = 0;
 +	t = ((struct xt_entry_target *)target)->u.kernel.target;
 +	off = XT_ALIGN(t->targetsize) - COMPAT_XT_ALIGN(t->targetsize);
 +	switch (convert) {
 +		case COMPAT_TO_USER:
 +			pt = (struct xt_entry_target *)target;
 +			tsize = pt->u.user.target_size;
 +			if (__copy_to_user(*dstptr, pt, tsize)) {
 +				ret = -EFAULT;
 +				break;
 +			}
 +			tsize -= off;
 +			if (put_user(tsize, (u_int16_t *)*dstptr))
 +				ret = -EFAULT;
 +			*size -= off;
 +			*dstptr += tsize;
 +			break;
 +		case COMPAT_FROM_USER:
 +			pcompat = (struct compat_xt_entry_target *)target;
 +			pt = (struct xt_entry_target *)*dstptr;
 +			tsize = pcompat->u.user.target_size;
 +			memcpy(pt, pcompat, tsize);
 +			tsize += off;
 +			pt->u.user.target_size = tsize;
 +			*size += off;
 +			*dstptr += tsize;
 +			break;
 +		case COMPAT_CALC_SIZE:
 +			*size += off;
 +			break;
 +		default:
 +			ret = -ENOPROTOOPT;
 +			break;
 +	}
 +	return ret;
 +}
 +EXPORT_SYMBOL_GPL(xt_compat_target);
 +#endif
 +
 struct xt_table_info *xt_alloc_table_info(unsigned int size)
 {
 struct xt_table_info *newinfo;
 @@ -371,6 +468,19 @@ void xt_table_unlock(struct xt_table *ta
 }
 EXPORT_SYMBOL_GPL(xt_table_unlock);
 
 +#ifdef CONFIG_COMPAT
 +void xt_compat_lock(int af)
 +{
 +	mutex_lock(&xt[af].compat_mutex);
 +}
 +EXPORT_SYMBOL_GPL(xt_compat_lock);
 +
 +void xt_compat_unlock(int af)
 +{
 +	mutex_unlock(&xt[af].compat_mutex);
 +}
 +EXPORT_SYMBOL_GPL(xt_compat_unlock);
 +#endif
 
 struct xt_table_info *
 xt_replace_table(struct xt_table *table,
 @@ -671,6 +781,9 @@ static int __init xt_init(void)
 
 for (i = 0; i < NPROTO; i++) {
 mutex_init(&xt[i].mutex);
 +#ifdef CONFIG_COMPAT
 +		mutex_init(&xt[i].compat_mutex);
 +#endif
 INIT_LIST_HEAD(&xt[i].target);
 INIT_LIST_HEAD(&xt[i].match);
 INIT_LIST_HEAD(&xt[i].tables);
 |  
	|  |  |  
	| 
		
			| Re: [PATCH] iptables 32bit compat layer [message #2329 is a reply to message #2327] | Wed, 29 March 2006 12:32   |  
			| 
				
				
					|  Patrick McHardy Messages: 107
 Registered: March 2006
 | Senior Member |  |  |  
	| Dmitry Mishin wrote: > On Wednesday 29 March 2006 13:28, Patrick McHardy wrote:
 >
 >>>diff --git a/net/compat.c b/net/compat.c
 >>>index 13177a1..6a7028e 100644
 >>>--- a/net/compat.c
 >>>+++ b/net/compat.c
 >>>@@ -476,8 +476,7 @@ asmlinkage long compat_sys_setsockopt(in
 >>> 	int err;
 >>> 	struct socket *sock;
 >>>
 >>>-	/* SO_SET_REPLACE seems to be the same in all levels */
 >>>-	if (optname == IPT_SO_SET_REPLACE)
 >>>+	if (level == SOL_IPV6 && optname == IPT_SO_SET_REPLACE)
 >>> 		return do_netfilter_replace(fd, level, optname,
 >>> 					    optval, optlen);
 >>
 >>I don't understand the reason for this change. If its not a mistake,
 >>it would make more sense to check for IP6T_SO_SET_REPLACE I guess ..
 >
 > IP6T_SO_SET_REPLACE == IPT_SO_SET_REPLACE == XT_SO_SET_REPLACE.
 > Rename will require respective #include directive rename, so, I just leave
 > this as it is. BTW, I'll make respective patch for IPV6 in the near future
 > and this hunk will be removed at all.
 
 I know, but SOL_IPV6 implies IP6T_* - but please don't bother sending
 a new patch for this :) So the point of the change is to exclude IPv6
 from the compat layer because its not implemented yet?
 |  
	|  |  |  
	| 
		
			| Re: [PATCH] iptables 32bit compat layer [message #2330 is a reply to message #2329] | Wed, 29 March 2006 12:38   |  
			| 
				
				
					|  Mishin Dmitry Messages: 112
 Registered: February 2006
 | Senior Member |  |  |  
	| On Wednesday 29 March 2006 16:32, Patrick McHardy wrote: > Dmitry Mishin wrote:
 > > On Wednesday 29 March 2006 13:28, Patrick McHardy wrote:
 > >>>diff --git a/net/compat.c b/net/compat.c
 > >>>index 13177a1..6a7028e 100644
 > >>>--- a/net/compat.c
 > >>>+++ b/net/compat.c
 > >>>@@ -476,8 +476,7 @@ asmlinkage long compat_sys_setsockopt(in
 > >>> 	int err;
 > >>> 	struct socket *sock;
 > >>>
 > >>>-	/* SO_SET_REPLACE seems to be the same in all levels */
 > >>>-	if (optname == IPT_SO_SET_REPLACE)
 > >>>+	if (level == SOL_IPV6 && optname == IPT_SO_SET_REPLACE)
 > >>> 		return do_netfilter_replace(fd, level, optname,
 > >>> 					    optval, optlen);
 > >>
 > >>I don't understand the reason for this change. If its not a mistake,
 > >>it would make more sense to check for IP6T_SO_SET_REPLACE I guess ..
 > >
 > > IP6T_SO_SET_REPLACE == IPT_SO_SET_REPLACE == XT_SO_SET_REPLACE.
 > > Rename will require respective #include directive rename, so, I just
 > > leave this as it is. BTW, I'll make respective patch for IPV6 in the near
 > > future and this hunk will be removed at all.
 >
 > I know, but SOL_IPV6 implies IP6T_* - but please don't bother sending
 > a new patch for this :) So the point of the change is to exclude IPv6
 > from the compat layer because its not implemented yet?
 Exactly. Because do_netfilter_replace still works for some cases, but newer
 replacement isn't ready yet.
 
 --
 Thanks,
 Dmitry.
 |  
	|  |  |  
	|  |  
	|  |  
	| 
		
			| Re: [PATCH] iptables 32bit compat layer [message #2349 is a reply to message #2347] | Wed, 29 March 2006 23:01  |  
			| 
				
				
					|  Patrick McHardy Messages: 107
 Registered: March 2006
 | Senior Member |  |  |  
	| David S. Miller wrote: > From: Martin Josefsson <gandalf@wlug.westbo.se>
 > Date: Wed, 29 Mar 2006 21:04:45 +0200
 >
 >
 >>That machine (an old ultra1) hasn't seen electricity in a long time,
 >>I'll see if I can dig it out this weekend unless someone else (dave?)
 >>beats me to testing the patch.
 >
 >
 > I think such userland hacks should not be worried about
 > and we should put the new correct kernel compat netfilter
 > stuff in.
 >
 > If anything explodes on sparc64 for whatever reason, I will take care
 > of it. :-)
 
 Fine with me :) I've added it to my tree, I'll pass it on a couple of
 hours.
 |  
	|  |  | 
 
 
 Current Time: Sun Oct 26 22:31:29 GMT 2025 
 Total time taken to generate the page: 0.16991 seconds |