xtables: extend matches and targets with .usersize
authorWillem de Bruijn <willemb@google.com>
Mon, 2 Jan 2017 22:19:46 +0000 (17:19 -0500)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 9 Jan 2017 16:24:55 +0000 (17:24 +0100)
In matches and targets that define a kernel-only tail to their
xt_match and xt_target data structs, add a field .usersize that
specifies up to where data is to be shared with userspace.

Performed a search for comment "Used internally by the kernel" to find
relevant matches and targets. Manually inspected the structs to derive
a valid offsetof.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
14 files changed:
net/bridge/netfilter/ebt_limit.c
net/ipv4/netfilter/ipt_CLUSTERIP.c
net/ipv6/netfilter/ip6t_NPT.c
net/netfilter/xt_CT.c
net/netfilter/xt_RATEEST.c
net/netfilter/xt_TEE.c
net/netfilter/xt_bpf.c
net/netfilter/xt_cgroup.c
net/netfilter/xt_connlimit.c
net/netfilter/xt_hashlimit.c
net/netfilter/xt_limit.c
net/netfilter/xt_quota.c
net/netfilter/xt_rateest.c
net/netfilter/xt_string.c

index 517e78befcb2688a76e307ba7e7064e334700cb1..61a9f1be1263afc95dfbc43cdffe5d0a6e8e7246 100644 (file)
@@ -105,6 +105,7 @@ static struct xt_match ebt_limit_mt_reg __read_mostly = {
        .match          = ebt_limit_mt,
        .checkentry     = ebt_limit_mt_check,
        .matchsize      = sizeof(struct ebt_limit_info),
+       .usersize       = offsetof(struct ebt_limit_info, prev),
 #ifdef CONFIG_COMPAT
        .compatsize     = sizeof(struct ebt_compat_limit_info),
 #endif
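Review bot: Nothing next to the new `.usersize` line records the layout assumption it depends on: the offset is only correct while `prev` is the first kernel-only field of `struct ebt_limit_info` and every field after it is kernel-only too. A one-line comment above it would make that invariant visible to whoever next edits the struct, e.g. `/* fields from .prev onward are kernel-internal and never copied to userspace */`. The same holds for the other hand-derived offsets in this commit (CLUSTERIP `config`, NPT `adjustment`, TEE `priv`, quota `master`, string `config`, and the rest). A user-visible field appended after the marker would silently be dropped from dumps, and a pointer placed before it would be exposed. The initializer begins above the hunk.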
index 21db00d0362bb60d48aed2c900b857f86cef5793..8a3d20ebb815718aff9085be8770518f62064807 100644 (file)
@@ -468,6 +468,7 @@ static struct xt_target clusterip_tg_reg __read_mostly = {
        .checkentry     = clusterip_tg_check,
        .destroy        = clusterip_tg_destroy,
        .targetsize     = sizeof(struct ipt_clusterip_tgt_info),
+       .usersize       = offsetof(struct ipt_clusterip_tgt_info, config),
 #ifdef CONFIG_COMPAT
        .compatsize     = sizeof(struct compat_ipt_clusterip_tgt_info),
 #endif /* CONFIG_COMPAT */
index 590f767db5d4df887c201597ee22f395d8a6869b..a379d2f79b19f00b1053dc4bc21bbd1638546d4f 100644 (file)
@@ -112,6 +112,7 @@ static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
                .table          = "mangle",
                .target         = ip6t_snpt_tg,
                .targetsize     = sizeof(struct ip6t_npt_tginfo),
+               .usersize       = offsetof(struct ip6t_npt_tginfo, adjustment),
                .checkentry     = ip6t_npt_checkentry,
                .family         = NFPROTO_IPV6,
                .hooks          = (1 << NF_INET_LOCAL_IN) |
@@ -123,6 +124,7 @@ static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
                .table          = "mangle",
                .target         = ip6t_dnpt_tg,
                .targetsize     = sizeof(struct ip6t_npt_tginfo),
+               .usersize       = offsetof(struct ip6t_npt_tginfo, adjustment),
                .checkentry     = ip6t_npt_checkentry,
                .family         = NFPROTO_IPV6,
                .hooks          = (1 << NF_INET_PRE_ROUTING) |
index 95c75035874758ce56c8656b859204bf8f10e6cf..26b0bccfa0c5de8585c9d82d10b718d9bd75ce79 100644 (file)
@@ -373,6 +373,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
                .name           = "CT",
                .family         = NFPROTO_UNSPEC,
                .targetsize     = sizeof(struct xt_ct_target_info),
+               .usersize       = offsetof(struct xt_ct_target_info, ct),
                .checkentry     = xt_ct_tg_check_v0,
                .destroy        = xt_ct_tg_destroy_v0,
                .target         = xt_ct_target_v0,
@@ -384,6 +385,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
                .family         = NFPROTO_UNSPEC,
                .revision       = 1,
                .targetsize     = sizeof(struct xt_ct_target_info_v1),
+               .usersize       = offsetof(struct xt_ct_target_info, ct),
                .checkentry     = xt_ct_tg_check_v1,
                .destroy        = xt_ct_tg_destroy_v1,
                .target         = xt_ct_target_v1,
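Review bot: In the revision 1 entry `.targetsize` is `sizeof(struct xt_ct_target_info_v1)`, but the added `.usersize` takes its offset from the v0 type, `struct xt_ct_target_info`; the revision 2 entry in the next hunk repeats this. The struct definitions are not on this page, but if the v1 layout has further user-visible fields ahead of `ct`, the copy to userspace would stop short of them and a rule read back would differ from the one loaded. The offset should come from the same struct that sizes the entry: `.usersize = offsetof(struct xt_ct_target_info_v1, ct),` for both revisions.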
@@ -395,6 +397,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
                .family         = NFPROTO_UNSPEC,
                .revision       = 2,
                .targetsize     = sizeof(struct xt_ct_target_info_v1),
+               .usersize       = offsetof(struct xt_ct_target_info, ct),
                .checkentry     = xt_ct_tg_check_v2,
                .destroy        = xt_ct_tg_destroy_v1,
                .target         = xt_ct_target_v1,
index 91a373a3f534de8d8641341c33c08d8fc49cbd29..498b54fd04d7fae9b37909260bfb08ca256fd6ba 100644 (file)
@@ -162,6 +162,7 @@ static struct xt_target xt_rateest_tg_reg __read_mostly = {
        .checkentry = xt_rateest_tg_checkentry,
        .destroy    = xt_rateest_tg_destroy,
        .targetsize = sizeof(struct xt_rateest_target_info),
+       .usersize   = offsetof(struct xt_rateest_target_info, est),
        .me         = THIS_MODULE,
 };
 
index 1c57ace75ae62be26e4a5b26ded9d84fb5b377a0..86b0580b2216bb475717f4d64332320cff42cc3e 100644 (file)
@@ -133,6 +133,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
                .family     = NFPROTO_IPV4,
                .target     = tee_tg4,
                .targetsize = sizeof(struct xt_tee_tginfo),
+               .usersize   = offsetof(struct xt_tee_tginfo, priv),
                .checkentry = tee_tg_check,
                .destroy    = tee_tg_destroy,
                .me         = THIS_MODULE,
@@ -144,6 +145,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
                .family     = NFPROTO_IPV6,
                .target     = tee_tg6,
                .targetsize = sizeof(struct xt_tee_tginfo),
+               .usersize   = offsetof(struct xt_tee_tginfo, priv),
                .checkentry = tee_tg_check,
                .destroy    = tee_tg_destroy,
                .me         = THIS_MODULE,
index 2dedaa23ab0aa035982b6fcb33666cba5e8a54f6..38986a95216cd2c3f7a0f83deedcb42153f5a937 100644 (file)
@@ -110,6 +110,7 @@ static struct xt_match bpf_mt_reg[] __read_mostly = {
                .match          = bpf_mt,
                .destroy        = bpf_mt_destroy,
                .matchsize      = sizeof(struct xt_bpf_info),
+               .usersize       = offsetof(struct xt_bpf_info, filter),
                .me             = THIS_MODULE,
        },
        {
@@ -120,6 +121,7 @@ static struct xt_match bpf_mt_reg[] __read_mostly = {
                .match          = bpf_mt_v1,
                .destroy        = bpf_mt_destroy_v1,
                .matchsize      = sizeof(struct xt_bpf_info_v1),
+               .usersize       = offsetof(struct xt_bpf_info_v1, filter),
                .me             = THIS_MODULE,
        },
 };
index a086a914865f7ed305c1f9cff78210613eebb855..1db1ce59079fba704ed7f5333dd4ebf014383d71 100644 (file)
@@ -122,6 +122,7 @@ static struct xt_match cgroup_mt_reg[] __read_mostly = {
                .checkentry     = cgroup_mt_check_v1,
                .match          = cgroup_mt_v1,
                .matchsize      = sizeof(struct xt_cgroup_info_v1),
+               .usersize       = offsetof(struct xt_cgroup_info_v1, priv),
                .destroy        = cgroup_mt_destroy_v1,
                .me             = THIS_MODULE,
                .hooks          = (1 << NF_INET_LOCAL_OUT) |
index 660b61dbd77614259ff1f4c1639b4bba500d5fbc..b8fd4ab762edba5061e36e305c8048cf7a6fe846 100644 (file)
@@ -431,6 +431,7 @@ static struct xt_match connlimit_mt_reg __read_mostly = {
        .checkentry = connlimit_mt_check,
        .match      = connlimit_mt,
        .matchsize  = sizeof(struct xt_connlimit_info),
+       .usersize   = offsetof(struct xt_connlimit_info, data),
        .destroy    = connlimit_mt_destroy,
        .me         = THIS_MODULE,
 };
index 10063408141d25bdd0f1a1241ffe6395bae753f6..26ef70c50e3b3e6b1b2fa71f76a3ecb25768f140 100644 (file)
@@ -838,6 +838,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
                .family         = NFPROTO_IPV4,
                .match          = hashlimit_mt_v1,
                .matchsize      = sizeof(struct xt_hashlimit_mtinfo1),
+               .usersize       = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
                .checkentry     = hashlimit_mt_check_v1,
                .destroy        = hashlimit_mt_destroy_v1,
                .me             = THIS_MODULE,
@@ -848,6 +849,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
                .family         = NFPROTO_IPV4,
                .match          = hashlimit_mt,
                .matchsize      = sizeof(struct xt_hashlimit_mtinfo2),
+               .usersize       = offsetof(struct xt_hashlimit_mtinfo2, hinfo),
                .checkentry     = hashlimit_mt_check,
                .destroy        = hashlimit_mt_destroy,
                .me             = THIS_MODULE,
@@ -859,6 +861,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
                .family         = NFPROTO_IPV6,
                .match          = hashlimit_mt_v1,
                .matchsize      = sizeof(struct xt_hashlimit_mtinfo1),
+               .usersize       = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
                .checkentry     = hashlimit_mt_check_v1,
                .destroy        = hashlimit_mt_destroy_v1,
                .me             = THIS_MODULE,
@@ -869,6 +872,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
                .family         = NFPROTO_IPV6,
                .match          = hashlimit_mt,
                .matchsize      = sizeof(struct xt_hashlimit_mtinfo2),
+               .usersize       = offsetof(struct xt_hashlimit_mtinfo2, hinfo),
                .checkentry     = hashlimit_mt_check,
                .destroy        = hashlimit_mt_destroy,
                .me             = THIS_MODULE,
index bef85059655892982da73cc694183afc7399782c..dab962df178795612580a1c8e22257213bdab07d 100644 (file)
@@ -192,6 +192,8 @@ static struct xt_match limit_mt_reg __read_mostly = {
        .compatsize       = sizeof(struct compat_xt_rateinfo),
        .compat_from_user = limit_mt_compat_from_user,
        .compat_to_user   = limit_mt_compat_to_user,
+#else
+       .usersize         = offsetof(struct xt_rateinfo, prev),
 #endif
        .me               = THIS_MODULE,
 };
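Review bot: `.usersize` is added in the `#else` arm of a conditional that opens above the hunk, so it stays unset in the configuration that defines `.compatsize` and the compat handlers. Native callers on such a kernel do not go through `compat_to_user`, so, assuming an unset `usersize` falls back to copying the full `matchsize`, the kernel-only tail starting at `prev` would still be copied to userspace there. The ebt_limit and CLUSTERIP hunks in this commit set `.usersize` unconditionally ahead of their `#ifdef CONFIG_COMPAT`. Placing `.usersize = offsetof(struct xt_rateinfo, prev),` outside the conditional here would cover both configurations.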
index 44c8eb4c9d6680aef8f3473ca0b677f3888a68ca..10d61a6eed712442c14cc1011341c2dff5890c2d 100644 (file)
@@ -73,6 +73,7 @@ static struct xt_match quota_mt_reg __read_mostly = {
        .checkentry = quota_mt_check,
        .destroy    = quota_mt_destroy,
        .matchsize  = sizeof(struct xt_quota_info),
+       .usersize   = offsetof(struct xt_quota_info, master),
        .me         = THIS_MODULE,
 };
 
index 1db02f6fca54d7eb5d60c2d8c5cb8ab11656fbcb..755d2f6693a2ff39b975996b8d0a2fb65073a812 100644 (file)
@@ -133,6 +133,7 @@ static struct xt_match xt_rateest_mt_reg __read_mostly = {
        .checkentry = xt_rateest_mt_checkentry,
        .destroy    = xt_rateest_mt_destroy,
        .matchsize  = sizeof(struct xt_rateest_match_info),
+       .usersize   = offsetof(struct xt_rateest_match_info, est1),
        .me         = THIS_MODULE,
 };
 
index 0bc3460319c8bd565cc11564180d566f3f89488e..423293ee57c22f1bc4ed445e525c11eadc2c2272 100644 (file)
@@ -77,6 +77,7 @@ static struct xt_match xt_string_mt_reg __read_mostly = {
        .match      = string_mt,
        .destroy    = string_mt_destroy,
        .matchsize  = sizeof(struct xt_string_info),
+       .usersize   = offsetof(struct xt_string_info, config),
        .me         = THIS_MODULE,
 };