projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: xtables: deconstify struct xt_action_param for matches
[linux-2.6-block.git] / net / bridge / netfilter / ebtables.c
CommitLineData
1da177e4
LT		 1/*
2 * ebtables
3 *
4 * Author:
5 * Bart De Schuymer <bdschuym@pandora.be>
6 *
7 * ebtables.c,v 2.0, July, 2002
8 *
9 * This code is stongly inspired on the iptables code which is
10 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version.
16 */
ff67e4e4 17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
1da177e4
LT		 18#include <linux/kmod.h>
19#include <linux/module.h>
20#include <linux/vmalloc.h>
18219d3f 21#include <linux/netfilter/x_tables.h>
1da177e4
LT		 22#include <linux/netfilter_bridge/ebtables.h>
23#include <linux/spinlock.h>
df0933dc 24#include <linux/mutex.h>
5a0e3ad6 25#include <linux/slab.h>
1da177e4
LT		 26#include <asm/uaccess.h>
27#include <linux/smp.h>
c8923c6b 28#include <linux/cpumask.h>
1da177e4
LT		 29#include <net/sock.h>
30/* needed for logical [in,out]-dev filtering */
31#include "../br_private.h"
32
1da177e4 33#define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
9d6f229f 34 "report to author: "format, ## args)
1da177e4 35/* #define BUGPRINT(format, args...) */
1da177e4
LT		 36
37/*
38 * Each cpu has its own set of counters, so there is no need for write_lock in
39 * the softirq
40 * For reading or updating the counters, the user context needs to
41 * get a write_lock
42 */
43
44/* The size of each set of counters is altered to get cache alignment */
45#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
46#define COUNTER_OFFSET(n) (SMP_ALIGN(n * sizeof(struct ebt_counter)))
47#define COUNTER_BASE(c, n, cpu) ((struct ebt_counter *)(((char *)c) + \
48 COUNTER_OFFSET(n) * cpu))
49
50
51
57b47a53 52static DEFINE_MUTEX(ebt_mutex);
1da177e4 53
81e675c2
FW		 54#ifdef CONFIG_COMPAT
55static void ebt_standard_compat_from_user(void *dst, const void *src)
56{
57 int v = *(compat_int_t *)src;
58
59 if (v >= 0)
60 v += xt_compat_calc_jump(NFPROTO_BRIDGE, v);
61 memcpy(dst, &v, sizeof(v));
62}
63
64static int ebt_standard_compat_to_user(void __user *dst, const void *src)
65{
66 compat_int_t cv = *(int *)src;
67
68 if (cv >= 0)
69 cv -= xt_compat_calc_jump(NFPROTO_BRIDGE, cv);
70 return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
71}
72#endif
73
74
043ef46c 75static struct xt_target ebt_standard_target = {
001a18d3
JE		 76 .name = "standard",
77 .revision = 0,
78 .family = NFPROTO_BRIDGE,
043ef46c 79 .targetsize = sizeof(int),
81e675c2
FW		 80#ifdef CONFIG_COMPAT
81 .compatsize = sizeof(compat_int_t),
82 .compat_from_user = ebt_standard_compat_from_user,
83 .compat_to_user = ebt_standard_compat_to_user,
84#endif
18219d3f 85};
1da177e4 86
7eb35586
JE		 87static inline int
88ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
de74c169 89 struct xt_action_param *par)
1da177e4 90{
7eb35586
JE		 91 par->target = w->u.watcher;
92 par->targinfo = w->data;
93 w->u.watcher->target(skb, par);
1da177e4
LT		 94 /* watchers don't give a verdict */
95 return 0;
96}
97
de74c169
JE		 98static inline int
99ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
100 struct xt_action_param *par)
1da177e4 101{
f7108a20
JE		 102 par->match = m->u.match;
103 par->matchinfo = m->data;
d61ba9fd 104 return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
1da177e4
LT		 105}
106
d5d1baa1
JE		 107static inline int
108ebt_dev_check(const char *entry, const struct net_device *device)
1da177e4
LT		 109{
110 int i = 0;
f3d8b2e4 111 const char *devname;
1da177e4
LT		 112
113 if (*entry == '\0')
114 return 0;
115 if (!device)
116 return 1;
f3d8b2e4 117 devname = device->name;
1da177e4
LT		 118 /* 1 is the wildcard token */
119 while (entry[i] != '\0' && entry[i] != 1 && entry[i] == devname[i])
120 i++;
121 return (devname[i] != entry[i] && entry[i] != 1);
122}
123
124#define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
125/* process standard matches */
d5d1baa1
JE		 126static inline int
127ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
128 const struct net_device *in, const struct net_device *out)
1da177e4
LT		 129{
130 int verdict, i;
131
132 if (e->bitmask & EBT_802_3) {
133 if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
134 return 1;
135 } else if (!(e->bitmask & EBT_NOPROTO) &&
136 FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
137 return 1;
138
139 if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
140 return 1;
141 if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT))
142 return 1;
143 if ((!in || !in->br_port) ? 0 : FWINV2(ebt_dev_check(
144 e->logical_in, in->br_port->br->dev), EBT_ILOGICALIN))
145 return 1;
146 if ((!out || !out->br_port) ? 0 : FWINV2(ebt_dev_check(
147 e->logical_out, out->br_port->br->dev), EBT_ILOGICALOUT))
148 return 1;
149
150 if (e->bitmask & EBT_SOURCEMAC) {
151 verdict = 0;
152 for (i = 0; i < 6; i++)
153 verdict |= (h->h_source[i] ^ e->sourcemac[i]) &
154 e->sourcemsk[i];
155 if (FWINV2(verdict != 0, EBT_ISOURCE) )
156 return 1;
157 }
158 if (e->bitmask & EBT_DESTMAC) {
159 verdict = 0;
160 for (i = 0; i < 6; i++)
161 verdict |= (h->h_dest[i] ^ e->destmac[i]) &
162 e->destmsk[i];
163 if (FWINV2(verdict != 0, EBT_IDEST) )
164 return 1;
165 }
166 return 0;
167}
168
98e86403
JE		 169static inline __pure
170struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
171{
172 return (void *)entry + entry->next_offset;
173}
174
1da177e4 175/* Do some firewalling */
3db05fea 176unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
1da177e4
LT		 177 const struct net_device *in, const struct net_device *out,
178 struct ebt_table *table)
179{
180 int i, nentries;
181 struct ebt_entry *point;
182 struct ebt_counter *counter_base, *cb_base;
d5d1baa1 183 const struct ebt_entry_target *t;
1da177e4
LT		 184 int verdict, sp = 0;
185 struct ebt_chainstack *cs;
186 struct ebt_entries *chaininfo;
d5d1baa1
JE		 187 const char *base;
188 const struct ebt_table_info *private;
5365f802 189 bool hotdrop = false;
de74c169 190 struct xt_action_param acpar;
f7108a20 191
de74c169
JE		 192 acpar.family = NFPROTO_BRIDGE;
193 acpar.in = in;
194 acpar.out = out;
195 acpar.hotdrop = &hotdrop;
196 acpar.hooknum = hook;
1da177e4
LT		 197
198 read_lock_bh(&table->lock);
199 private = table->private;
200 cb_base = COUNTER_BASE(private->counters, private->nentries,
201 smp_processor_id());
202 if (private->chainstack)
203 cs = private->chainstack[smp_processor_id()];
204 else
205 cs = NULL;
206 chaininfo = private->hook_entry[hook];
207 nentries = private->hook_entry[hook]->nentries;
208 point = (struct ebt_entry *)(private->hook_entry[hook]->data);
209 counter_base = cb_base + private->hook_entry[hook]->counter_offset;
210 /* base for chain jumps */
211 base = private->entries;
212 i = 0;
213 while (i < nentries) {
3db05fea 214 if (ebt_basic_match(point, eth_hdr(skb), in, out))
1da177e4
LT		 215 goto letscontinue;
216
de74c169 217 if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
1da177e4 218 goto letscontinue;
5365f802
JE		 219 if (hotdrop) {
220 read_unlock_bh(&table->lock);
221 return NF_DROP;
222 }
1da177e4
LT		 223
224 /* increase counter */
225 (*(counter_base + i)).pcnt++;
3db05fea 226 (*(counter_base + i)).bcnt += skb->len;
1da177e4
LT		 227
228 /* these should only watch: not modify, nor tell us
229 what to do with the packet */
de74c169 230 EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
1da177e4
LT		 231
232 t = (struct ebt_entry_target *)
233 (((char *)point) + point->target_offset);
234 /* standard target */
235 if (!t->u.target->target)
236 verdict = ((struct ebt_standard_target *)t)->verdict;
7eb35586 237 else {
de74c169
JE		 238 acpar.target = t->u.target;
239 acpar.targinfo = t->data;
240 verdict = t->u.target->target(skb, &acpar);
7eb35586 241 }
1da177e4
LT		 242 if (verdict == EBT_ACCEPT) {
243 read_unlock_bh(&table->lock);
244 return NF_ACCEPT;
245 }
246 if (verdict == EBT_DROP) {
247 read_unlock_bh(&table->lock);
248 return NF_DROP;
249 }
250 if (verdict == EBT_RETURN) {
251letsreturn:
252#ifdef CONFIG_NETFILTER_DEBUG
253 if (sp == 0) {
254 BUGPRINT("RETURN on base chain");
255 /* act like this is EBT_CONTINUE */
256 goto letscontinue;
257 }
258#endif
259 sp--;
260 /* put all the local variables right */
261 i = cs[sp].n;
262 chaininfo = cs[sp].chaininfo;
263 nentries = chaininfo->nentries;
264 point = cs[sp].e;
265 counter_base = cb_base +
266 chaininfo->counter_offset;
267 continue;
268 }
269 if (verdict == EBT_CONTINUE)
270 goto letscontinue;
271#ifdef CONFIG_NETFILTER_DEBUG
272 if (verdict < 0) {
273 BUGPRINT("bogus standard verdict\n");
274 read_unlock_bh(&table->lock);
275 return NF_DROP;
276 }
277#endif
278 /* jump to a udc */
279 cs[sp].n = i + 1;
280 cs[sp].chaininfo = chaininfo;
98e86403 281 cs[sp].e = ebt_next_entry(point);
1da177e4
LT		 282 i = 0;
283 chaininfo = (struct ebt_entries *) (base + verdict);
284#ifdef CONFIG_NETFILTER_DEBUG
285 if (chaininfo->distinguisher) {
286 BUGPRINT("jump to non-chain\n");
287 read_unlock_bh(&table->lock);
288 return NF_DROP;
289 }
290#endif
291 nentries = chaininfo->nentries;
292 point = (struct ebt_entry *)chaininfo->data;
293 counter_base = cb_base + chaininfo->counter_offset;
294 sp++;
295 continue;
296letscontinue:
98e86403 297 point = ebt_next_entry(point);
1da177e4
LT		 298 i++;
299 }
300
301 /* I actually like this :) */
302 if (chaininfo->policy == EBT_RETURN)
303 goto letsreturn;
304 if (chaininfo->policy == EBT_ACCEPT) {
305 read_unlock_bh(&table->lock);
306 return NF_ACCEPT;
307 }
308 read_unlock_bh(&table->lock);
309 return NF_DROP;
310}
311
312/* If it succeeds, returns element and locks mutex */
313static inline void *
314find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
57b47a53 315 struct mutex *mutex)
1da177e4 316{
df0933dc
PM		 317 struct {
318 struct list_head list;
319 char name[EBT_FUNCTION_MAXNAMELEN];
320 } *e;
1da177e4 321
57b47a53 322 *error = mutex_lock_interruptible(mutex);
1da177e4
LT		 323 if (*error != 0)
324 return NULL;
325
df0933dc
PM		 326 list_for_each_entry(e, head, list) {
327 if (strcmp(e->name, name) == 0)
328 return e;
1da177e4 329 }
df0933dc
PM		 330 *error = -ENOENT;
331 mutex_unlock(mutex);
332 return NULL;
1da177e4
LT		 333}
334
1da177e4
LT		 335static void *
336find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
57b47a53 337 int *error, struct mutex *mutex)
1da177e4 338{
95a5afca
JB		 339 return try_then_request_module(
340 find_inlist_lock_noload(head, name, error, mutex),
341 "%s%s", prefix, name);
1da177e4 342}
1da177e4
LT		 343
344static inline struct ebt_table *
511061e2
AD		 345find_table_lock(struct net *net, const char *name, int *error,
346 struct mutex *mutex)
1da177e4 347{
511061e2
AD		 348 return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
349 "ebtable_", error, mutex);
1da177e4
LT		 350}
351
1da177e4 352static inline int
9b4fce7a
JE		 353ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
354 unsigned int *cnt)
1da177e4 355{
9b4fce7a 356 const struct ebt_entry *e = par->entryinfo;
043ef46c 357 struct xt_match *match;
14197d54 358 size_t left = ((char *)e + e->watchers_offset) - (char *)m;
1da177e4
LT		 359 int ret;
360
14197d54
AV		 361 if (left < sizeof(struct ebt_entry_match) ||
362 left - sizeof(struct ebt_entry_match) < m->match_size)
1da177e4 363 return -EINVAL;
043ef46c 364
fd0ec0e6 365 match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
043ef46c
JE		 366 if (IS_ERR(match))
367 return PTR_ERR(match);
043ef46c
JE		 368 m->u.match = match;
369
9b4fce7a
JE		 370 par->match = match;
371 par->matchinfo = m->data;
916a917d 372 ret = xt_check_match(par, m->match_size,
9b4fce7a 373 e->ethproto, e->invflags & EBT_IPROTO);
043ef46c
JE		 374 if (ret < 0) {
375 module_put(match->me);
376 return ret;
1da177e4 377 }
043ef46c 378
1da177e4
LT		 379 (*cnt)++;
380 return 0;
381}
382
383static inline int
af5d6dc2
JE		 384ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
385 unsigned int *cnt)
1da177e4 386{
af5d6dc2 387 const struct ebt_entry *e = par->entryinfo;
043ef46c 388 struct xt_target *watcher;
14197d54 389 size_t left = ((char *)e + e->target_offset) - (char *)w;
1da177e4
LT		 390 int ret;
391
14197d54
AV		 392 if (left < sizeof(struct ebt_entry_watcher) ||
393 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
1da177e4 394 return -EINVAL;
043ef46c 395
d2a7b6ba 396 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
043ef46c
JE		 397 if (IS_ERR(watcher))
398 return PTR_ERR(watcher);
043ef46c
JE		 399 w->u.watcher = watcher;
400
af5d6dc2
JE		 401 par->target = watcher;
402 par->targinfo = w->data;
916a917d 403 ret = xt_check_target(par, w->watcher_size,
af5d6dc2 404 e->ethproto, e->invflags & EBT_IPROTO);
043ef46c
JE		 405 if (ret < 0) {
406 module_put(watcher->me);
407 return ret;
1da177e4 408 }
043ef46c 409
1da177e4
LT		 410 (*cnt)++;
411 return 0;
412}
413
d5d1baa1 414static int ebt_verify_pointers(const struct ebt_replace *repl,
70fe9af4 415 struct ebt_table_info *newinfo)
1da177e4 416{
70fe9af4
AV		 417 unsigned int limit = repl->entries_size;
418 unsigned int valid_hooks = repl->valid_hooks;
419 unsigned int offset = 0;
1da177e4
LT		 420 int i;
421
e4fd77de
AV		 422 for (i = 0; i < NF_BR_NUMHOOKS; i++)
423 newinfo->hook_entry[i] = NULL;
424
425 newinfo->entries_size = repl->entries_size;
426 newinfo->nentries = repl->nentries;
427
70fe9af4
AV		 428 while (offset < limit) {
429 size_t left = limit - offset;
430 struct ebt_entry *e = (void *)newinfo->entries + offset;
bb2ef25c 431
70fe9af4 432 if (left < sizeof(unsigned int))
1da177e4 433 break;
70fe9af4
AV		 434
435 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
436 if ((valid_hooks & (1 << i)) == 0)
437 continue;
1e419cd9
AV		 438 if ((char __user *)repl->hook_entry[i] ==
439 repl->entries + offset)
70fe9af4
AV		 440 break;
441 }
442
443 if (i != NF_BR_NUMHOOKS || !(e->bitmask & EBT_ENTRY_OR_ENTRIES)) {
444 if (e->bitmask != 0) {
445 /* we make userspace set this right,
446 so there is no misunderstanding */
447 BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set "
448 "in distinguisher\n");
449 return -EINVAL;
450 }
451 if (i != NF_BR_NUMHOOKS)
452 newinfo->hook_entry[i] = (struct ebt_entries *)e;
453 if (left < sizeof(struct ebt_entries))
454 break;
455 offset += sizeof(struct ebt_entries);
456 } else {
457 if (left < sizeof(struct ebt_entry))
458 break;
459 if (left < e->next_offset)
460 break;
1756de26
FW		 461 if (e->next_offset < sizeof(struct ebt_entry))
462 return -EINVAL;
70fe9af4 463 offset += e->next_offset;
1da177e4 464 }
22b440bf 465 }
70fe9af4
AV		 466 if (offset != limit) {
467 BUGPRINT("entries_size too small\n");
468 return -EINVAL;
469 }
e4fd77de
AV		 470
471 /* check if all valid hooks have a chain */
472 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
473 if (!newinfo->hook_entry[i] &&
474 (valid_hooks & (1 << i))) {
475 BUGPRINT("Valid hook without chain\n");
476 return -EINVAL;
477 }
478 }
22b440bf 479 return 0;
22b440bf
AV		 480}
481
482/*
483 * this one is very careful, as it is the first function
484 * to parse the userspace data
485 */
486static inline int
d5d1baa1
JE		 487ebt_check_entry_size_and_hooks(const struct ebt_entry *e,
488 const struct ebt_table_info *newinfo,
0e795531
AV		 489 unsigned int *n, unsigned int *cnt,
490 unsigned int *totalcnt, unsigned int *udc_cnt)
22b440bf 491{
22b440bf
AV		 492 int i;
493
494 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
0e795531 495 if ((void *)e == (void *)newinfo->hook_entry[i])
22b440bf
AV		 496 break;
497 }
498 /* beginning of a new chain
499 if i == NF_BR_NUMHOOKS it must be a user defined chain */
500 if (i != NF_BR_NUMHOOKS || !e->bitmask) {
1da177e4
LT		 501 /* this checks if the previous chain has as many entries
502 as it said it has */
503 if (*n != *cnt) {
504 BUGPRINT("nentries does not equal the nr of entries "
9d6f229f 505 "in the chain\n");
1da177e4
LT		 506 return -EINVAL;
507 }
1da177e4
LT		 508 if (((struct ebt_entries *)e)->policy != EBT_DROP &&
509 ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
510 /* only RETURN from udc */
511 if (i != NF_BR_NUMHOOKS ||
512 ((struct ebt_entries *)e)->policy != EBT_RETURN) {
513 BUGPRINT("bad policy\n");
514 return -EINVAL;
515 }
516 }
517 if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
518 (*udc_cnt)++;
1da177e4
LT		 519 if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
520 BUGPRINT("counter_offset != totalcnt");
521 return -EINVAL;
522 }
523 *n = ((struct ebt_entries *)e)->nentries;
524 *cnt = 0;
525 return 0;
526 }
527 /* a plain old entry, heh */
528 if (sizeof(struct ebt_entry) > e->watchers_offset ||
529 e->watchers_offset > e->target_offset ||
530 e->target_offset >= e->next_offset) {
531 BUGPRINT("entry offsets not in right order\n");
532 return -EINVAL;
533 }
534 /* this is not checked anywhere else */
535 if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target)) {
536 BUGPRINT("target size too small\n");
537 return -EINVAL;
538 }
1da177e4
LT		 539 (*cnt)++;
540 (*totalcnt)++;
541 return 0;
542}
543
544struct ebt_cl_stack
545{
546 struct ebt_chainstack cs;
547 int from;
548 unsigned int hookmask;
549};
550
551/*
552 * we need these positions to check that the jumps to a different part of the
553 * entries is a jump to the beginning of a new chain.
554 */
555static inline int
556ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo,
177abc34 557 unsigned int *n, struct ebt_cl_stack *udc)
1da177e4
LT		 558{
559 int i;
560
561 /* we're only interested in chain starts */
40642f95 562 if (e->bitmask)
1da177e4
LT		 563 return 0;
564 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1da177e4
LT		 565 if (newinfo->hook_entry[i] == (struct ebt_entries *)e)
566 break;
567 }
568 /* only care about udc */
569 if (i != NF_BR_NUMHOOKS)
570 return 0;
571
572 udc[*n].cs.chaininfo = (struct ebt_entries *)e;
573 /* these initialisations are depended on later in check_chainloops() */
574 udc[*n].cs.n = 0;
575 udc[*n].hookmask = 0;
576
577 (*n)++;
578 return 0;
579}
580
581static inline int
f54e9367 582ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i)
1da177e4 583{
6be3d859
JE		 584 struct xt_mtdtor_param par;
585
1da177e4
LT		 586 if (i && (*i)-- == 0)
587 return 1;
1da177e4 588
f54e9367 589 par.net = net;
6be3d859
JE		 590 par.match = m->u.match;
591 par.matchinfo = m->data;
916a917d 592 par.family = NFPROTO_BRIDGE;
6be3d859
JE		 593 if (par.match->destroy != NULL)
594 par.match->destroy(&par);
595 module_put(par.match->me);
1da177e4
LT		 596 return 0;
597}
598
599static inline int
add67461 600ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i)
1da177e4 601{
a2df1648
JE		 602 struct xt_tgdtor_param par;
603
1da177e4
LT		 604 if (i && (*i)-- == 0)
605 return 1;
1da177e4 606
add67461 607 par.net = net;
a2df1648
JE		 608 par.target = w->u.watcher;
609 par.targinfo = w->data;
916a917d 610 par.family = NFPROTO_BRIDGE;
a2df1648
JE		 611 if (par.target->destroy != NULL)
612 par.target->destroy(&par);
613 module_put(par.target->me);
1da177e4
LT		 614 return 0;
615}
616
617static inline int
f54e9367 618ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt)
1da177e4 619{
a2df1648 620 struct xt_tgdtor_param par;
1da177e4
LT		 621 struct ebt_entry_target *t;
622
40642f95 623 if (e->bitmask == 0)
1da177e4
LT		 624 return 0;
625 /* we're done */
626 if (cnt && (*cnt)-- == 0)
627 return 1;
add67461 628 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL);
f54e9367 629 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL);
1da177e4 630 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
1da177e4 631
add67461 632 par.net = net;
a2df1648
JE		 633 par.target = t->u.target;
634 par.targinfo = t->data;
916a917d 635 par.family = NFPROTO_BRIDGE;
a2df1648
JE		 636 if (par.target->destroy != NULL)
637 par.target->destroy(&par);
638 module_put(par.target->me);
1da177e4
LT		 639 return 0;
640}
641
642static inline int
d5d1baa1
JE		 643ebt_check_entry(struct ebt_entry *e, struct net *net,
644 const struct ebt_table_info *newinfo,
f7da79d9 645 const char *name, unsigned int *cnt,
1da177e4
LT		 646 struct ebt_cl_stack *cl_s, unsigned int udc_cnt)
647{
648 struct ebt_entry_target *t;
043ef46c 649 struct xt_target *target;
1da177e4 650 unsigned int i, j, hook = 0, hookmask = 0;
44f9a2fd 651 size_t gap;
1da177e4 652 int ret;
6be3d859 653 struct xt_mtchk_param mtpar;
af5d6dc2 654 struct xt_tgchk_param tgpar;
1da177e4
LT		 655
656 /* don't mess with the struct ebt_entries */
40642f95 657 if (e->bitmask == 0)
1da177e4
LT		 658 return 0;
659
660 if (e->bitmask & ~EBT_F_MASK) {
661 BUGPRINT("Unknown flag for bitmask\n");
662 return -EINVAL;
663 }
664 if (e->invflags & ~EBT_INV_MASK) {
665 BUGPRINT("Unknown flag for inv bitmask\n");
666 return -EINVAL;
667 }
668 if ( (e->bitmask & EBT_NOPROTO) && (e->bitmask & EBT_802_3) ) {
669 BUGPRINT("NOPROTO & 802_3 not allowed\n");
670 return -EINVAL;
671 }
672 /* what hook do we belong to? */
673 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
f7da79d9 674 if (!newinfo->hook_entry[i])
1da177e4
LT		 675 continue;
676 if ((char *)newinfo->hook_entry[i] < (char *)e)
677 hook = i;
678 else
679 break;
680 }
681 /* (1 << NF_BR_NUMHOOKS) tells the check functions the rule is on
682 a base chain */
683 if (i < NF_BR_NUMHOOKS)
684 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
685 else {
686 for (i = 0; i < udc_cnt; i++)
687 if ((char *)(cl_s[i].cs.chaininfo) > (char *)e)
688 break;
689 if (i == 0)
690 hookmask = (1 << hook) | (1 << NF_BR_NUMHOOKS);
691 else
692 hookmask = cl_s[i - 1].hookmask;
693 }
694 i = 0;
9b4fce7a 695
add67461 696 mtpar.net = tgpar.net = net;
af5d6dc2
JE		 697 mtpar.table = tgpar.table = name;
698 mtpar.entryinfo = tgpar.entryinfo = e;
699 mtpar.hook_mask = tgpar.hook_mask = hookmask;
916a917d 700 mtpar.family = tgpar.family = NFPROTO_BRIDGE;
6be3d859 701 ret = EBT_MATCH_ITERATE(e, ebt_check_match, &mtpar, &i);
1da177e4
LT		 702 if (ret != 0)
703 goto cleanup_matches;
704 j = 0;
af5d6dc2 705 ret = EBT_WATCHER_ITERATE(e, ebt_check_watcher, &tgpar, &j);
1da177e4
LT		 706 if (ret != 0)
707 goto cleanup_watchers;
708 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
44f9a2fd 709 gap = e->next_offset - e->target_offset;
1da177e4 710
d2a7b6ba 711 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
043ef46c
JE		 712 if (IS_ERR(target)) {
713 ret = PTR_ERR(target);
001a18d3 714 goto cleanup_watchers;
001a18d3
JE		 715 }
716
1da177e4
LT		 717 t->u.target = target;
718 if (t->u.target == &ebt_standard_target) {
14197d54 719 if (gap < sizeof(struct ebt_standard_target)) {
1da177e4
LT		 720 BUGPRINT("Standard target size too big\n");
721 ret = -EFAULT;
722 goto cleanup_watchers;
723 }
724 if (((struct ebt_standard_target *)t)->verdict <
725 -NUM_STANDARD_TARGETS) {
726 BUGPRINT("Invalid standard target\n");
727 ret = -EFAULT;
728 goto cleanup_watchers;
729 }
18219d3f
JE		 730 } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
731 module_put(t->u.target->me);
732 ret = -EFAULT;
733 goto cleanup_watchers;
043ef46c
JE		 734 }
735
af5d6dc2
JE		 736 tgpar.target = target;
737 tgpar.targinfo = t->data;
916a917d 738 ret = xt_check_target(&tgpar, t->target_size,
af5d6dc2 739 e->ethproto, e->invflags & EBT_IPROTO);
043ef46c
JE		 740 if (ret < 0) {
741 module_put(target->me);
18219d3f 742 goto cleanup_watchers;
1da177e4
LT		 743 }
744 (*cnt)++;
745 return 0;
746cleanup_watchers:
add67461 747 EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j);
1da177e4 748cleanup_matches:
f54e9367 749 EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i);
1da177e4
LT		 750 return ret;
751}
752
753/*
754 * checks for loops and sets the hook mask for udc
755 * the hook mask for udc tells us from which base chains the udc can be
756 * accessed. This mask is a parameter to the check() functions of the extensions
757 */
d5d1baa1 758static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s,
1da177e4
LT		 759 unsigned int udc_cnt, unsigned int hooknr, char *base)
760{
761 int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict;
d5d1baa1
JE		 762 const struct ebt_entry *e = (struct ebt_entry *)chain->data;
763 const struct ebt_entry_target *t;
1da177e4
LT		 764
765 while (pos < nentries || chain_nr != -1) {
766 /* end of udc, go back one 'recursion' step */
767 if (pos == nentries) {
768 /* put back values of the time when this chain was called */
769 e = cl_s[chain_nr].cs.e;
770 if (cl_s[chain_nr].from != -1)
771 nentries =
772 cl_s[cl_s[chain_nr].from].cs.chaininfo->nentries;
773 else
774 nentries = chain->nentries;
775 pos = cl_s[chain_nr].cs.n;
776 /* make sure we won't see a loop that isn't one */
777 cl_s[chain_nr].cs.n = 0;
778 chain_nr = cl_s[chain_nr].from;
779 if (pos == nentries)
780 continue;
781 }
782 t = (struct ebt_entry_target *)
783 (((char *)e) + e->target_offset);
784 if (strcmp(t->u.name, EBT_STANDARD_TARGET))
785 goto letscontinue;
786 if (e->target_offset + sizeof(struct ebt_standard_target) >
787 e->next_offset) {
788 BUGPRINT("Standard target size too big\n");
789 return -1;
790 }
791 verdict = ((struct ebt_standard_target *)t)->verdict;
792 if (verdict >= 0) { /* jump to another chain */
793 struct ebt_entries *hlp2 =
794 (struct ebt_entries *)(base + verdict);
795 for (i = 0; i < udc_cnt; i++)
796 if (hlp2 == cl_s[i].cs.chaininfo)
797 break;
798 /* bad destination or loop */
799 if (i == udc_cnt) {
800 BUGPRINT("bad destination\n");
801 return -1;
802 }
803 if (cl_s[i].cs.n) {
804 BUGPRINT("loop\n");
805 return -1;
806 }
98a0824a
AV		 807 if (cl_s[i].hookmask & (1 << hooknr))
808 goto letscontinue;
809 /* this can't be 0, so the loop test is correct */
1da177e4
LT		 810 cl_s[i].cs.n = pos + 1;
811 pos = 0;
98e86403 812 cl_s[i].cs.e = ebt_next_entry(e);
1da177e4
LT		 813 e = (struct ebt_entry *)(hlp2->data);
814 nentries = hlp2->nentries;
815 cl_s[i].from = chain_nr;
816 chain_nr = i;
817 /* this udc is accessible from the base chain for hooknr */
818 cl_s[i].hookmask |= (1 << hooknr);
819 continue;
820 }
821letscontinue:
98e86403 822 e = ebt_next_entry(e);
1da177e4
LT		 823 pos++;
824 }
825 return 0;
826}
827
828/* do the parsing of the table/chains/entries/matches/watchers/targets, heh */
d5d1baa1 829static int translate_table(struct net *net, const char *name,
a83d8e8d 830 struct ebt_table_info *newinfo)
1da177e4
LT		 831{
832 unsigned int i, j, k, udc_cnt;
833 int ret;
834 struct ebt_cl_stack *cl_s = NULL; /* used in the checking for chain loops */
835
836 i = 0;
1f072c96 837 while (i < NF_BR_NUMHOOKS && !newinfo->hook_entry[i])
1da177e4
LT		 838 i++;
839 if (i == NF_BR_NUMHOOKS) {
840 BUGPRINT("No valid hooks specified\n");
841 return -EINVAL;
842 }
1f072c96 843 if (newinfo->hook_entry[i] != (struct ebt_entries *)newinfo->entries) {
1da177e4
LT		 844 BUGPRINT("Chains don't start at beginning\n");
845 return -EINVAL;
846 }
847 /* make sure chains are ordered after each other in same order
848 as their corresponding hooks */
849 for (j = i + 1; j < NF_BR_NUMHOOKS; j++) {
1f072c96 850 if (!newinfo->hook_entry[j])
1da177e4 851 continue;
1f072c96 852 if (newinfo->hook_entry[j] <= newinfo->hook_entry[i]) {
1da177e4
LT		 853 BUGPRINT("Hook order must be followed\n");
854 return -EINVAL;
855 }
856 i = j;
857 }
858
1da177e4
LT		 859 /* do some early checkings and initialize some things */
860 i = 0; /* holds the expected nr. of entries for the chain */
861 j = 0; /* holds the up to now counted entries for the chain */
862 k = 0; /* holds the total nr. of entries, should equal
9d6f229f 863 newinfo->nentries afterwards */
1da177e4
LT		 864 udc_cnt = 0; /* will hold the nr. of user defined chains (udc) */
865 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
0e795531
AV		 866 ebt_check_entry_size_and_hooks, newinfo,
867 &i, &j, &k, &udc_cnt);
1da177e4
LT		 868
869 if (ret != 0)
870 return ret;
871
872 if (i != j) {
873 BUGPRINT("nentries does not equal the nr of entries in the "
9d6f229f 874 "(last) chain\n");
1da177e4
LT		 875 return -EINVAL;
876 }
877 if (k != newinfo->nentries) {
878 BUGPRINT("Total nentries is wrong\n");
879 return -EINVAL;
880 }
881
1da177e4
LT		 882 /* get the location of the udc, put them in an array
883 while we're at it, allocate the chainstack */
884 if (udc_cnt) {
885 /* this will get free'd in do_replace()/ebt_register_table()
886 if an error occurs */
7ad4d2f6 887 newinfo->chainstack =
53b8a315 888 vmalloc(nr_cpu_ids * sizeof(*(newinfo->chainstack)));
1da177e4
LT		 889 if (!newinfo->chainstack)
890 return -ENOMEM;
6f912042 891 for_each_possible_cpu(i) {
1da177e4 892 newinfo->chainstack[i] =
18bc89aa 893 vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
1da177e4
LT		 894 if (!newinfo->chainstack[i]) {
895 while (i)
896 vfree(newinfo->chainstack[--i]);
897 vfree(newinfo->chainstack);
898 newinfo->chainstack = NULL;
899 return -ENOMEM;
900 }
901 }
902
18bc89aa 903 cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
1da177e4
LT		 904 if (!cl_s)
905 return -ENOMEM;
906 i = 0; /* the i'th udc */
907 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
177abc34 908 ebt_get_udc_positions, newinfo, &i, cl_s);
1da177e4
LT		 909 /* sanity check */
910 if (i != udc_cnt) {
911 BUGPRINT("i != udc_cnt\n");
912 vfree(cl_s);
913 return -EFAULT;
914 }
915 }
916
917 /* Check for loops */
918 for (i = 0; i < NF_BR_NUMHOOKS; i++)
1f072c96 919 if (newinfo->hook_entry[i])
1da177e4
LT		 920 if (check_chainloops(newinfo->hook_entry[i],
921 cl_s, udc_cnt, i, newinfo->entries)) {
68d31872 922 vfree(cl_s);
1da177e4
LT		 923 return -EINVAL;
924 }
925
96de0e25 926 /* we now know the following (along with E=mc²):
1da177e4
LT		 927 - the nr of entries in each chain is right
928 - the size of the allocated space is right
929 - all valid hooks have a corresponding chain
930 - there are no loops
931 - wrong data can still be on the level of a single entry
932 - could be there are jumps to places that are not the
933 beginning of a chain. This can only occur in chains that
934 are not accessible from any base chains, so we don't care. */
935
936 /* used to know what we need to clean up if something goes wrong */
937 i = 0;
938 ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
a83d8e8d 939 ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt);
1da177e4
LT		 940 if (ret != 0) {
941 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
f54e9367 942 ebt_cleanup_entry, net, &i);
1da177e4 943 }
68d31872 944 vfree(cl_s);
1da177e4
LT		 945 return ret;
946}
947
948/* called under write_lock */
d5d1baa1 949static void get_counters(const struct ebt_counter *oldcounters,
1da177e4
LT		 950 struct ebt_counter *counters, unsigned int nentries)
951{
952 int i, cpu;
953 struct ebt_counter *counter_base;
954
955 /* counters of cpu 0 */
956 memcpy(counters, oldcounters,
c8923c6b
DM		 957 sizeof(struct ebt_counter) * nentries);
958
1da177e4 959 /* add other counters to those of cpu 0 */
6f912042 960 for_each_possible_cpu(cpu) {
c8923c6b
DM		 961 if (cpu == 0)
962 continue;
1da177e4
LT		 963 counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
964 for (i = 0; i < nentries; i++) {
965 counters[i].pcnt += counter_base[i].pcnt;
966 counters[i].bcnt += counter_base[i].bcnt;
967 }
968 }
969}
970
e788759f
FW		 971static int do_replace_finish(struct net *net, struct ebt_replace *repl,
972 struct ebt_table_info *newinfo)
1da177e4 973{
e788759f 974 int ret, i;
1da177e4
LT		 975 struct ebt_counter *counterstmp = NULL;
976 /* used to be able to unlock earlier */
977 struct ebt_table_info *table;
e788759f 978 struct ebt_table *t;
1da177e4
LT		 979
980 /* the user wants counters back
981 the check on the size is done later, when we have the lock */
e788759f
FW		 982 if (repl->num_counters) {
983 unsigned long size = repl->num_counters * sizeof(*counterstmp);
984 counterstmp = vmalloc(size);
985 if (!counterstmp)
986 return -ENOMEM;
1da177e4 987 }
1da177e4 988
1da177e4 989 newinfo->chainstack = NULL;
e788759f 990 ret = ebt_verify_pointers(repl, newinfo);
1bc2326c
AV		 991 if (ret != 0)
992 goto free_counterstmp;
993
e788759f 994 ret = translate_table(net, repl->name, newinfo);
1da177e4
LT		 995
996 if (ret != 0)
997 goto free_counterstmp;
998
e788759f 999 t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
1da177e4
LT		 1000 if (!t) {
1001 ret = -ENOENT;
1002 goto free_iterate;
1003 }
1004
1005 /* the table doesn't like it */
e788759f 1006 if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
1da177e4
LT		 1007 goto free_unlock;
1008
e788759f 1009 if (repl->num_counters && repl->num_counters != t->private->nentries) {
1da177e4
LT		 1010 BUGPRINT("Wrong nr. of counters requested\n");
1011 ret = -EINVAL;
1012 goto free_unlock;
1013 }
1014
1015 /* we have the mutex lock, so no danger in reading this pointer */
1016 table = t->private;
1017 /* make sure the table can only be rmmod'ed if it contains no rules */
1018 if (!table->nentries && newinfo->nentries && !try_module_get(t->me)) {
1019 ret = -ENOENT;
1020 goto free_unlock;
1021 } else if (table->nentries && !newinfo->nentries)
1022 module_put(t->me);
1023 /* we need an atomic snapshot of the counters */
1024 write_lock_bh(&t->lock);
e788759f 1025 if (repl->num_counters)
1da177e4
LT		 1026 get_counters(t->private->counters, counterstmp,
1027 t->private->nentries);
1028
1029 t->private = newinfo;
1030 write_unlock_bh(&t->lock);
57b47a53 1031 mutex_unlock(&ebt_mutex);
1da177e4
LT		 1032 /* so, a user can change the chains while having messed up her counter
1033 allocation. Only reason why this is done is because this way the lock
1034 is held only once, while this doesn't bring the kernel into a
1035 dangerous state. */
e788759f
FW		 1036 if (repl->num_counters &&
1037 copy_to_user(repl->counters, counterstmp,
1038 repl->num_counters * sizeof(struct ebt_counter))) {
1da177e4
LT		 1039 ret = -EFAULT;
1040 }
1041 else
1042 ret = 0;
1043
1044 /* decrease module count and free resources */
1045 EBT_ENTRY_ITERATE(table->entries, table->entries_size,
f54e9367 1046 ebt_cleanup_entry, net, NULL);
1da177e4
LT		 1047
1048 vfree(table->entries);
1049 if (table->chainstack) {
6f912042 1050 for_each_possible_cpu(i)
1da177e4
LT		 1051 vfree(table->chainstack[i]);
1052 vfree(table->chainstack);
1053 }
1054 vfree(table);
1055
68d31872 1056 vfree(counterstmp);
1da177e4
LT		 1057 return ret;
1058
1059free_unlock:
57b47a53 1060 mutex_unlock(&ebt_mutex);
1da177e4
LT		 1061free_iterate:
1062 EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size,
f54e9367 1063 ebt_cleanup_entry, net, NULL);
1da177e4 1064free_counterstmp:
68d31872 1065 vfree(counterstmp);
1da177e4
LT		 1066 /* can be initialized in translate_table() */
1067 if (newinfo->chainstack) {
6f912042 1068 for_each_possible_cpu(i)
1da177e4
LT		 1069 vfree(newinfo->chainstack[i]);
1070 vfree(newinfo->chainstack);
1071 }
e788759f
FW		 1072 return ret;
1073}
1074
1075/* replace the table */
1076static int do_replace(struct net *net, const void __user *user,
1077 unsigned int len)
1078{
1079 int ret, countersize;
1080 struct ebt_table_info *newinfo;
1081 struct ebt_replace tmp;
1082
1083 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1084 return -EFAULT;
1085
1086 if (len != sizeof(tmp) + tmp.entries_size) {
1087 BUGPRINT("Wrong len argument\n");
1088 return -EINVAL;
1089 }
1090
1091 if (tmp.entries_size == 0) {
1092 BUGPRINT("Entries_size never zero\n");
1093 return -EINVAL;
1094 }
1095 /* overflow check */
1096 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
1097 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
1098 return -ENOMEM;
1099 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1100 return -ENOMEM;
1101
1102 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1103 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1104 if (!newinfo)
1105 return -ENOMEM;
1106
1107 if (countersize)
1108 memset(newinfo->counters, 0, countersize);
1109
1110 newinfo->entries = vmalloc(tmp.entries_size);
1111 if (!newinfo->entries) {
1112 ret = -ENOMEM;
1113 goto free_newinfo;
1114 }
1115 if (copy_from_user(
1116 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
1117 BUGPRINT("Couldn't copy entries from userspace\n");
1118 ret = -EFAULT;
1119 goto free_entries;
1120 }
1121
1122 ret = do_replace_finish(net, &tmp, newinfo);
1123 if (ret == 0)
1124 return ret;
1da177e4 1125free_entries:
68d31872 1126 vfree(newinfo->entries);
1da177e4 1127free_newinfo:
68d31872 1128 vfree(newinfo);
1da177e4
LT		 1129 return ret;
1130}
1131
35aad0ff
JE		 1132struct ebt_table *
1133ebt_register_table(struct net *net, const struct ebt_table *input_table)
1da177e4
LT		 1134{
1135 struct ebt_table_info *newinfo;
35aad0ff 1136 struct ebt_table *t, *table;
1e419cd9 1137 struct ebt_replace_kernel *repl;
1da177e4 1138 int ret, i, countersize;
df07a81e 1139 void *p;
1da177e4 1140
35aad0ff
JE		 1141 if (input_table == NULL || (repl = input_table->table) == NULL ||
1142 repl->entries == 0 || repl->entries_size == 0 ||
1143 repl->counters != NULL || input_table->private != NULL) {
1da177e4 1144 BUGPRINT("Bad table data for ebt_register_table!!!\n");
6beceee5
AD		 1145 return ERR_PTR(-EINVAL);
1146 }
1147
1148 /* Don't add one table to multiple lists. */
35aad0ff 1149 table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
6beceee5
AD		 1150 if (!table) {
1151 ret = -ENOMEM;
1152 goto out;
1da177e4
LT		 1153 }
1154
53b8a315 1155 countersize = COUNTER_OFFSET(repl->nentries) * nr_cpu_ids;
18bc89aa 1156 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1da177e4
LT		 1157 ret = -ENOMEM;
1158 if (!newinfo)
6beceee5 1159 goto free_table;
1da177e4 1160
df07a81e
AV		 1161 p = vmalloc(repl->entries_size);
1162 if (!p)
1da177e4
LT		 1163 goto free_newinfo;
1164
df07a81e
AV		 1165 memcpy(p, repl->entries, repl->entries_size);
1166 newinfo->entries = p;
1167
1168 newinfo->entries_size = repl->entries_size;
1169 newinfo->nentries = repl->nentries;
1da177e4
LT		 1170
1171 if (countersize)
1172 memset(newinfo->counters, 0, countersize);
1173
1174 /* fill in newinfo and parse the entries */
1175 newinfo->chainstack = NULL;
df07a81e
AV		 1176 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1177 if ((repl->valid_hooks & (1 << i)) == 0)
1178 newinfo->hook_entry[i] = NULL;
1179 else
1180 newinfo->hook_entry[i] = p +
1181 ((char *)repl->hook_entry[i] - repl->entries);
1182 }
a83d8e8d 1183 ret = translate_table(net, repl->name, newinfo);
1da177e4
LT		 1184 if (ret != 0) {
1185 BUGPRINT("Translate_table failed\n");
1186 goto free_chainstack;
1187 }
1188
1189 if (table->check && table->check(newinfo, table->valid_hooks)) {
1190 BUGPRINT("The table doesn't like its own initial data, lol\n");
6beceee5 1191 return ERR_PTR(-EINVAL);
1da177e4
LT		 1192 }
1193
1194 table->private = newinfo;
1195 rwlock_init(&table->lock);
57b47a53 1196 ret = mutex_lock_interruptible(&ebt_mutex);
1da177e4
LT		 1197 if (ret != 0)
1198 goto free_chainstack;
1199
511061e2 1200 list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
df0933dc
PM		 1201 if (strcmp(t->name, table->name) == 0) {
1202 ret = -EEXIST;
1203 BUGPRINT("Table name already exists\n");
1204 goto free_unlock;
1205 }
1da177e4
LT		 1206 }
1207
1208 /* Hold a reference count if the chains aren't empty */
1209 if (newinfo->nentries && !try_module_get(table->me)) {
1210 ret = -ENOENT;
1211 goto free_unlock;
1212 }
511061e2 1213 list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
57b47a53 1214 mutex_unlock(&ebt_mutex);
6beceee5 1215 return table;
1da177e4 1216free_unlock:
57b47a53 1217 mutex_unlock(&ebt_mutex);
1da177e4
LT		 1218free_chainstack:
1219 if (newinfo->chainstack) {
6f912042 1220 for_each_possible_cpu(i)
1da177e4
LT		 1221 vfree(newinfo->chainstack[i]);
1222 vfree(newinfo->chainstack);
1223 }
1224 vfree(newinfo->entries);
1225free_newinfo:
1226 vfree(newinfo);
6beceee5
AD		 1227free_table:
1228 kfree(table);
1229out:
1230 return ERR_PTR(ret);
1da177e4
LT		 1231}
1232
f54e9367 1233void ebt_unregister_table(struct net *net, struct ebt_table *table)
1da177e4
LT		 1234{
1235 int i;
1236
1237 if (!table) {
1238 BUGPRINT("Request to unregister NULL table!!!\n");
1239 return;
1240 }
57b47a53 1241 mutex_lock(&ebt_mutex);
df0933dc 1242 list_del(&table->list);
57b47a53 1243 mutex_unlock(&ebt_mutex);
dbcdf85a 1244 EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size,
f54e9367 1245 ebt_cleanup_entry, net, NULL);
dbcdf85a
AD		 1246 if (table->private->nentries)
1247 module_put(table->me);
68d31872 1248 vfree(table->private->entries);
1da177e4 1249 if (table->private->chainstack) {
6f912042 1250 for_each_possible_cpu(i)
1da177e4
LT		 1251 vfree(table->private->chainstack[i]);
1252 vfree(table->private->chainstack);
1253 }
1254 vfree(table->private);
6beceee5 1255 kfree(table);
1da177e4
LT		 1256}
1257
1258/* userspace just supplied us with counters */
49facff9
FW		 1259static int do_update_counters(struct net *net, const char *name,
1260 struct ebt_counter __user *counters,
1261 unsigned int num_counters,
1262 const void __user *user, unsigned int len)
1da177e4
LT		 1263{
1264 int i, ret;
1265 struct ebt_counter *tmp;
1da177e4
LT		 1266 struct ebt_table *t;
1267
49facff9 1268 if (num_counters == 0)
1da177e4
LT		 1269 return -EINVAL;
1270
49facff9
FW		 1271 tmp = vmalloc(num_counters * sizeof(*tmp));
1272 if (!tmp)
1da177e4 1273 return -ENOMEM;
1da177e4 1274
49facff9 1275 t = find_table_lock(net, name, &ret, &ebt_mutex);
1da177e4
LT		 1276 if (!t)
1277 goto free_tmp;
1278
49facff9 1279 if (num_counters != t->private->nentries) {
1da177e4
LT		 1280 BUGPRINT("Wrong nr of counters\n");
1281 ret = -EINVAL;
1282 goto unlock_mutex;
1283 }
1284
49facff9 1285 if (copy_from_user(tmp, counters, num_counters * sizeof(*counters))) {
1da177e4
LT		 1286 ret = -EFAULT;
1287 goto unlock_mutex;
1288 }
1289
1290 /* we want an atomic add of the counters */
1291 write_lock_bh(&t->lock);
1292
1293 /* we add to the counters of the first cpu */
49facff9 1294 for (i = 0; i < num_counters; i++) {
1da177e4
LT		 1295 t->private->counters[i].pcnt += tmp[i].pcnt;
1296 t->private->counters[i].bcnt += tmp[i].bcnt;
1297 }
1298
1299 write_unlock_bh(&t->lock);
1300 ret = 0;
1301unlock_mutex:
57b47a53 1302 mutex_unlock(&ebt_mutex);
1da177e4
LT		 1303free_tmp:
1304 vfree(tmp);
1305 return ret;
1306}
1307
49facff9
FW		 1308static int update_counters(struct net *net, const void __user *user,
1309 unsigned int len)
1310{
1311 struct ebt_replace hlp;
1312
1313 if (copy_from_user(&hlp, user, sizeof(hlp)))
1314 return -EFAULT;
1315
1316 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
1317 return -EINVAL;
1318
1319 return do_update_counters(net, hlp.name, hlp.counters,
1320 hlp.num_counters, user, len);
1321}
1322
d5d1baa1
JE		 1323static inline int ebt_make_matchname(const struct ebt_entry_match *m,
1324 const char *base, char __user *ubase)
1da177e4 1325{
1e419cd9 1326 char __user *hlp = ubase + ((char *)m - base);
1da177e4
LT		 1327 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
1328 return -EFAULT;
1329 return 0;
1330}
1331
d5d1baa1
JE		 1332static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
1333 const char *base, char __user *ubase)
1da177e4 1334{
1e419cd9 1335 char __user *hlp = ubase + ((char *)w - base);
1da177e4
LT		 1336 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
1337 return -EFAULT;
1338 return 0;
1339}
1340
d5d1baa1
JE		 1341static inline int
1342ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
1da177e4
LT		 1343{
1344 int ret;
1e419cd9 1345 char __user *hlp;
d5d1baa1 1346 const struct ebt_entry_target *t;
1da177e4 1347
40642f95 1348 if (e->bitmask == 0)
1da177e4
LT		 1349 return 0;
1350
1e419cd9 1351 hlp = ubase + (((char *)e + e->target_offset) - base);
1da177e4 1352 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
9d6f229f 1353
1da177e4
LT		 1354 ret = EBT_MATCH_ITERATE(e, ebt_make_matchname, base, ubase);
1355 if (ret != 0)
1356 return ret;
1357 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1358 if (ret != 0)
1359 return ret;
1360 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
1361 return -EFAULT;
1362 return 0;
1363}
1364
837395aa
FW		 1365static int copy_counters_to_user(struct ebt_table *t,
1366 const struct ebt_counter *oldcounters,
1367 void __user *user, unsigned int num_counters,
1368 unsigned int nentries)
1369{
1370 struct ebt_counter *counterstmp;
1371 int ret = 0;
1372
1373 /* userspace might not need the counters */
1374 if (num_counters == 0)
1375 return 0;
1376
1377 if (num_counters != nentries) {
1378 BUGPRINT("Num_counters wrong\n");
1379 return -EINVAL;
1380 }
1381
1382 counterstmp = vmalloc(nentries * sizeof(*counterstmp));
1383 if (!counterstmp)
1384 return -ENOMEM;
1385
1386 write_lock_bh(&t->lock);
1387 get_counters(oldcounters, counterstmp, nentries);
1388 write_unlock_bh(&t->lock);
1389
1390 if (copy_to_user(user, counterstmp,
1391 nentries * sizeof(struct ebt_counter)))
1392 ret = -EFAULT;
1393 vfree(counterstmp);
1394 return ret;
1395}
1396
57b47a53 1397/* called with ebt_mutex locked */
1da177e4 1398static int copy_everything_to_user(struct ebt_table *t, void __user *user,
d5d1baa1 1399 const int *len, int cmd)
1da177e4
LT		 1400{
1401 struct ebt_replace tmp;
d5d1baa1 1402 const struct ebt_counter *oldcounters;
1da177e4 1403 unsigned int entries_size, nentries;
837395aa 1404 int ret;
1da177e4
LT		 1405 char *entries;
1406
1407 if (cmd == EBT_SO_GET_ENTRIES) {
1408 entries_size = t->private->entries_size;
1409 nentries = t->private->nentries;
1410 entries = t->private->entries;
1411 oldcounters = t->private->counters;
1412 } else {
1413 entries_size = t->table->entries_size;
1414 nentries = t->table->nentries;
1415 entries = t->table->entries;
1416 oldcounters = t->table->counters;
1417 }
1418
90b89af7 1419 if (copy_from_user(&tmp, user, sizeof(tmp)))
1da177e4 1420 return -EFAULT;
1da177e4
LT		 1421
1422 if (*len != sizeof(struct ebt_replace) + entries_size +
90b89af7 1423 (tmp.num_counters? nentries * sizeof(struct ebt_counter): 0))
1da177e4 1424 return -EINVAL;
1da177e4
LT		 1425
1426 if (tmp.nentries != nentries) {
1427 BUGPRINT("Nentries wrong\n");
1428 return -EINVAL;
1429 }
1430
1431 if (tmp.entries_size != entries_size) {
1432 BUGPRINT("Wrong size\n");
1433 return -EINVAL;
1434 }
1435
837395aa
FW		 1436 ret = copy_counters_to_user(t, oldcounters, tmp.counters,
1437 tmp.num_counters, nentries);
1438 if (ret)
1439 return ret;
1da177e4
LT		 1440
1441 if (copy_to_user(tmp.entries, entries, entries_size)) {
1442 BUGPRINT("Couldn't copy entries to userspace\n");
1443 return -EFAULT;
1444 }
1445 /* set the match/watcher/target names right */
1446 return EBT_ENTRY_ITERATE(entries, entries_size,
1447 ebt_make_names, entries, tmp.entries);
1448}
1449
1450static int do_ebt_set_ctl(struct sock *sk,
1451 int cmd, void __user *user, unsigned int len)
1452{
1453 int ret;
1454
dce766af
FW		 1455 if (!capable(CAP_NET_ADMIN))
1456 return -EPERM;
1457
1da177e4
LT		 1458 switch(cmd) {
1459 case EBT_SO_SET_ENTRIES:
511061e2 1460 ret = do_replace(sock_net(sk), user, len);
1da177e4
LT		 1461 break;
1462 case EBT_SO_SET_COUNTERS:
511061e2 1463 ret = update_counters(sock_net(sk), user, len);
1da177e4
LT		 1464 break;
1465 default:
1466 ret = -EINVAL;
81e675c2 1467 }
1da177e4
LT		 1468 return ret;
1469}
1470
1471static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1472{
1473 int ret;
1474 struct ebt_replace tmp;
1475 struct ebt_table *t;
1476
dce766af
FW		 1477 if (!capable(CAP_NET_ADMIN))
1478 return -EPERM;
1479
1da177e4
LT		 1480 if (copy_from_user(&tmp, user, sizeof(tmp)))
1481 return -EFAULT;
1482
511061e2 1483 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
1da177e4
LT		 1484 if (!t)
1485 return ret;
1486
1487 switch(cmd) {
1488 case EBT_SO_GET_INFO:
1489 case EBT_SO_GET_INIT_INFO:
1490 if (*len != sizeof(struct ebt_replace)){
1491 ret = -EINVAL;
57b47a53 1492 mutex_unlock(&ebt_mutex);
1da177e4
LT		 1493 break;
1494 }
1495 if (cmd == EBT_SO_GET_INFO) {
1496 tmp.nentries = t->private->nentries;
1497 tmp.entries_size = t->private->entries_size;
1498 tmp.valid_hooks = t->valid_hooks;
1499 } else {
1500 tmp.nentries = t->table->nentries;
1501 tmp.entries_size = t->table->entries_size;
1502 tmp.valid_hooks = t->table->valid_hooks;
1503 }
57b47a53 1504 mutex_unlock(&ebt_mutex);
1da177e4
LT		 1505 if (copy_to_user(user, &tmp, *len) != 0){
1506 BUGPRINT("c2u Didn't work\n");
1507 ret = -EFAULT;
1508 break;
1509 }
1510 ret = 0;
1511 break;
1512
1513 case EBT_SO_GET_ENTRIES:
1514 case EBT_SO_GET_INIT_ENTRIES:
1515 ret = copy_everything_to_user(t, user, len, cmd);
57b47a53 1516 mutex_unlock(&ebt_mutex);
1da177e4
LT		 1517 break;
1518
1519 default:
57b47a53 1520 mutex_unlock(&ebt_mutex);
1da177e4
LT		 1521 ret = -EINVAL;
1522 }
1523
1524 return ret;
1525}
1526
81e675c2
FW		 1527#ifdef CONFIG_COMPAT
1528/* 32 bit-userspace compatibility definitions. */
1529struct compat_ebt_replace {
1530 char name[EBT_TABLE_MAXNAMELEN];
1531 compat_uint_t valid_hooks;
1532 compat_uint_t nentries;
1533 compat_uint_t entries_size;
1534 /* start of the chains */
1535 compat_uptr_t hook_entry[NF_BR_NUMHOOKS];
1536 /* nr of counters userspace expects back */
1537 compat_uint_t num_counters;
1538 /* where the kernel will put the old counters. */
1539 compat_uptr_t counters;
1540 compat_uptr_t entries;
1541};
1542
1543/* struct ebt_entry_match, _target and _watcher have same layout */
1544struct compat_ebt_entry_mwt {
1545 union {
1546 char name[EBT_FUNCTION_MAXNAMELEN];
1547 compat_uptr_t ptr;
1548 } u;
1549 compat_uint_t match_size;
1550 compat_uint_t data[0];
1551};
1552
1553/* account for possible padding between match_size and ->data */
1554static int ebt_compat_entry_padsize(void)
1555{
1556 BUILD_BUG_ON(XT_ALIGN(sizeof(struct ebt_entry_match)) <
1557 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)));
1558 return (int) XT_ALIGN(sizeof(struct ebt_entry_match)) -
1559 COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt));
1560}
1561
1562static int ebt_compat_match_offset(const struct xt_match *match,
1563 unsigned int userlen)
1564{
1565 /*
1566 * ebt_among needs special handling. The kernel .matchsize is
1567 * set to -1 at registration time; at runtime an EBT_ALIGN()ed
1568 * value is expected.
1569 * Example: userspace sends 4500, ebt_among.c wants 4504.
1570 */
1571 if (unlikely(match->matchsize == -1))
1572 return XT_ALIGN(userlen) - COMPAT_XT_ALIGN(userlen);
1573 return xt_compat_match_offset(match);
1574}
1575
1576static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
1577 unsigned int *size)
1578{
1579 const struct xt_match *match = m->u.match;
1580 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1581 int off = ebt_compat_match_offset(match, m->match_size);
1582 compat_uint_t msize = m->match_size - off;
1583
1584 BUG_ON(off >= m->match_size);
1585
1586 if (copy_to_user(cm->u.name, match->name,
1587 strlen(match->name) + 1) || put_user(msize, &cm->match_size))
1588 return -EFAULT;
1589
1590 if (match->compat_to_user) {
1591 if (match->compat_to_user(cm->data, m->data))
1592 return -EFAULT;
1593 } else if (copy_to_user(cm->data, m->data, msize))
1594 return -EFAULT;
1595
1596 *size -= ebt_compat_entry_padsize() + off;
1597 *dstptr = cm->data;
1598 *dstptr += msize;
1599 return 0;
1600}
1601
1602static int compat_target_to_user(struct ebt_entry_target *t,
1603 void __user **dstptr,
1604 unsigned int *size)
1605{
1606 const struct xt_target *target = t->u.target;
1607 struct compat_ebt_entry_mwt __user *cm = *dstptr;
1608 int off = xt_compat_target_offset(target);
1609 compat_uint_t tsize = t->target_size - off;
1610
1611 BUG_ON(off >= t->target_size);
1612
1613 if (copy_to_user(cm->u.name, target->name,
1614 strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
1615 return -EFAULT;
1616
1617 if (target->compat_to_user) {
1618 if (target->compat_to_user(cm->data, t->data))
1619 return -EFAULT;
1620 } else if (copy_to_user(cm->data, t->data, tsize))
1621 return -EFAULT;
1622
1623 *size -= ebt_compat_entry_padsize() + off;
1624 *dstptr = cm->data;
1625 *dstptr += tsize;
1626 return 0;
1627}
1628
1629static int compat_watcher_to_user(struct ebt_entry_watcher *w,
1630 void __user **dstptr,
1631 unsigned int *size)
1632{
1633 return compat_target_to_user((struct ebt_entry_target *)w,
1634 dstptr, size);
1635}
1636
1637static int compat_copy_entry_to_user(struct ebt_entry *e, void __user **dstptr,
1638 unsigned int *size)
1639{
1640 struct ebt_entry_target *t;
1641 struct ebt_entry __user *ce;
1642 u32 watchers_offset, target_offset, next_offset;
1643 compat_uint_t origsize;
1644 int ret;
1645
1646 if (e->bitmask == 0) {
1647 if (*size < sizeof(struct ebt_entries))
1648 return -EINVAL;
1649 if (copy_to_user(*dstptr, e, sizeof(struct ebt_entries)))
1650 return -EFAULT;
1651
1652 *dstptr += sizeof(struct ebt_entries);
1653 *size -= sizeof(struct ebt_entries);
1654 return 0;
1655 }
1656
1657 if (*size < sizeof(*ce))
1658 return -EINVAL;
1659
1660 ce = (struct ebt_entry __user *)*dstptr;
1661 if (copy_to_user(ce, e, sizeof(*ce)))
1662 return -EFAULT;
1663
1664 origsize = *size;
1665 *dstptr += sizeof(*ce);
1666
1667 ret = EBT_MATCH_ITERATE(e, compat_match_to_user, dstptr, size);
1668 if (ret)
1669 return ret;
1670 watchers_offset = e->watchers_offset - (origsize - *size);
1671
1672 ret = EBT_WATCHER_ITERATE(e, compat_watcher_to_user, dstptr, size);
1673 if (ret)
1674 return ret;
1675 target_offset = e->target_offset - (origsize - *size);
1676
1677 t = (struct ebt_entry_target *) ((char *) e + e->target_offset);
1678
1679 ret = compat_target_to_user(t, dstptr, size);
1680 if (ret)
1681 return ret;
1682 next_offset = e->next_offset - (origsize - *size);
1683
1684 if (put_user(watchers_offset, &ce->watchers_offset) ||
1685 put_user(target_offset, &ce->target_offset) ||
1686 put_user(next_offset, &ce->next_offset))
1687 return -EFAULT;
1688
1689 *size -= sizeof(*ce);
1690 return 0;
1691}
1692
1693static int compat_calc_match(struct ebt_entry_match *m, int *off)
1694{
1695 *off += ebt_compat_match_offset(m->u.match, m->match_size);
1696 *off += ebt_compat_entry_padsize();
1697 return 0;
1698}
1699
1700static int compat_calc_watcher(struct ebt_entry_watcher *w, int *off)
1701{
1702 *off += xt_compat_target_offset(w->u.watcher);
1703 *off += ebt_compat_entry_padsize();
1704 return 0;
1705}
1706
1707static int compat_calc_entry(const struct ebt_entry *e,
1708 const struct ebt_table_info *info,
1709 const void *base,
1710 struct compat_ebt_replace *newinfo)
1711{
1712 const struct ebt_entry_target *t;
1713 unsigned int entry_offset;
1714 int off, ret, i;
1715
1716 if (e->bitmask == 0)
1717 return 0;
1718
1719 off = 0;
1720 entry_offset = (void *)e - base;
1721
1722 EBT_MATCH_ITERATE(e, compat_calc_match, &off);
1723 EBT_WATCHER_ITERATE(e, compat_calc_watcher, &off);
1724
1725 t = (const struct ebt_entry_target *) ((char *) e + e->target_offset);
1726
1727 off += xt_compat_target_offset(t->u.target);
1728 off += ebt_compat_entry_padsize();
1729
1730 newinfo->entries_size -= off;
1731
1732 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset, off);
1733 if (ret)
1734 return ret;
1735
1736 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
1737 const void *hookptr = info->hook_entry[i];
1738 if (info->hook_entry[i] &&
1739 (e < (struct ebt_entry *)(base - hookptr))) {
1740 newinfo->hook_entry[i] -= off;
1741 pr_debug("0x%08X -> 0x%08X\n",
1742 newinfo->hook_entry[i] + off,
1743 newinfo->hook_entry[i]);
1744 }
1745 }
1746
1747 return 0;
1748}
1749
1750
1751static int compat_table_info(const struct ebt_table_info *info,
1752 struct compat_ebt_replace *newinfo)
1753{
1754 unsigned int size = info->entries_size;
1755 const void *entries = info->entries;
1756
1757 newinfo->entries_size = size;
1758
1759 return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
1760 entries, newinfo);
1761}
1762
1763static int compat_copy_everything_to_user(struct ebt_table *t,
1764 void __user *user, int *len, int cmd)
1765{
1766 struct compat_ebt_replace repl, tmp;
1767 struct ebt_counter *oldcounters;
1768 struct ebt_table_info tinfo;
1769 int ret;
1770 void __user *pos;
1771
1772 memset(&tinfo, 0, sizeof(tinfo));
1773
1774 if (cmd == EBT_SO_GET_ENTRIES) {
1775 tinfo.entries_size = t->private->entries_size;
1776 tinfo.nentries = t->private->nentries;
1777 tinfo.entries = t->private->entries;
1778 oldcounters = t->private->counters;
1779 } else {
1780 tinfo.entries_size = t->table->entries_size;
1781 tinfo.nentries = t->table->nentries;
1782 tinfo.entries = t->table->entries;
1783 oldcounters = t->table->counters;
1784 }
1785
1786 if (copy_from_user(&tmp, user, sizeof(tmp)))
1787 return -EFAULT;
1788
1789 if (tmp.nentries != tinfo.nentries ||
1790 (tmp.num_counters && tmp.num_counters != tinfo.nentries))
1791 return -EINVAL;
1792
1793 memcpy(&repl, &tmp, sizeof(repl));
1794 if (cmd == EBT_SO_GET_ENTRIES)
1795 ret = compat_table_info(t->private, &repl);
1796 else
1797 ret = compat_table_info(&tinfo, &repl);
1798 if (ret)
1799 return ret;
1800
1801 if (*len != sizeof(tmp) + repl.entries_size +
1802 (tmp.num_counters? tinfo.nentries * sizeof(struct ebt_counter): 0)) {
1803 pr_err("wrong size: *len %d, entries_size %u, replsz %d\n",
1804 *len, tinfo.entries_size, repl.entries_size);
1805 return -EINVAL;
1806 }
1807
1808 /* userspace might not need the counters */
1809 ret = copy_counters_to_user(t, oldcounters, compat_ptr(tmp.counters),
1810 tmp.num_counters, tinfo.nentries);
1811 if (ret)
1812 return ret;
1813
1814 pos = compat_ptr(tmp.entries);
1815 return EBT_ENTRY_ITERATE(tinfo.entries, tinfo.entries_size,
1816 compat_copy_entry_to_user, &pos, &tmp.entries_size);
1817}
1818
1819struct ebt_entries_buf_state {
1820 char *buf_kern_start; /* kernel buffer to copy (translated) data to */
1821 u32 buf_kern_len; /* total size of kernel buffer */
1822 u32 buf_kern_offset; /* amount of data copied so far */
1823 u32 buf_user_offset; /* read position in userspace buffer */
1824};
1825
1826static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
1827{
1828 state->buf_kern_offset += sz;
1829 return state->buf_kern_offset >= sz ? 0 : -EINVAL;
1830}
1831
1832static int ebt_buf_add(struct ebt_entries_buf_state *state,
1833 void *data, unsigned int sz)
1834{
1835 if (state->buf_kern_start == NULL)
1836 goto count_only;
1837
1838 BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
1839
1840 memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
1841
1842 count_only:
1843 state->buf_user_offset += sz;
1844 return ebt_buf_count(state, sz);
1845}
1846
1847static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
1848{
1849 char *b = state->buf_kern_start;
1850
1851 BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
1852
1853 if (b != NULL && sz > 0)
1854 memset(b + state->buf_kern_offset, 0, sz);
1855 /* do not adjust ->buf_user_offset here, we added kernel-side padding */
1856 return ebt_buf_count(state, sz);
1857}
1858
1859enum compat_mwt {
1860 EBT_COMPAT_MATCH,
1861 EBT_COMPAT_WATCHER,
1862 EBT_COMPAT_TARGET,
1863};
1864
1865static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
1866 enum compat_mwt compat_mwt,
1867 struct ebt_entries_buf_state *state,
1868 const unsigned char *base)
1869{
1870 char name[EBT_FUNCTION_MAXNAMELEN];
1871 struct xt_match *match;
1872 struct xt_target *wt;
1873 void *dst = NULL;
1874 int off, pad = 0, ret = 0;
1875 unsigned int size_kern, entry_offset, match_size = mwt->match_size;
1876
1877 strlcpy(name, mwt->u.name, sizeof(name));
1878
1879 if (state->buf_kern_start)
1880 dst = state->buf_kern_start + state->buf_kern_offset;
1881
1882 entry_offset = (unsigned char *) mwt - base;
1883 switch (compat_mwt) {
1884 case EBT_COMPAT_MATCH:
1885 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
1886 name, 0), "ebt_%s", name);
1887 if (match == NULL)
1888 return -ENOENT;
1889 if (IS_ERR(match))
1890 return PTR_ERR(match);
1891
1892 off = ebt_compat_match_offset(match, match_size);
1893 if (dst) {
1894 if (match->compat_from_user)
1895 match->compat_from_user(dst, mwt->data);
1896 else
1897 memcpy(dst, mwt->data, match_size);
1898 }
1899
1900 size_kern = match->matchsize;
1901 if (unlikely(size_kern == -1))
1902 size_kern = match_size;
1903 module_put(match->me);
1904 break;
1905 case EBT_COMPAT_WATCHER: /* fallthrough */
1906 case EBT_COMPAT_TARGET:
1907 wt = try_then_request_module(xt_find_target(NFPROTO_BRIDGE,
1908 name, 0), "ebt_%s", name);
1909 if (wt == NULL)
1910 return -ENOENT;
1911 if (IS_ERR(wt))
1912 return PTR_ERR(wt);
1913 off = xt_compat_target_offset(wt);
1914
1915 if (dst) {
1916 if (wt->compat_from_user)
1917 wt->compat_from_user(dst, mwt->data);
1918 else
1919 memcpy(dst, mwt->data, match_size);
1920 }
1921
1922 size_kern = wt->targetsize;
1923 module_put(wt->me);
1924 break;
1925 }
1926
1927 if (!dst) {
1928 ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset,
1929 off + ebt_compat_entry_padsize());
1930 if (ret < 0)
1931 return ret;
1932 }
1933
1934 state->buf_kern_offset += match_size + off;
1935 state->buf_user_offset += match_size;
1936 pad = XT_ALIGN(size_kern) - size_kern;
1937
1938 if (pad > 0 && dst) {
1939 BUG_ON(state->buf_kern_len <= pad);
1940 BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
1941 memset(dst + size_kern, 0, pad);
1942 }
1943 return off + match_size;
1944}
1945
1946/*
1947 * return size of all matches, watchers or target, including necessary
1948 * alignment and padding.
1949 */
1950static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
1951 unsigned int size_left, enum compat_mwt type,
1952 struct ebt_entries_buf_state *state, const void *base)
1953{
1954 int growth = 0;
1955 char *buf;
1956
1957 if (size_left == 0)
1958 return 0;
1959
1960 buf = (char *) match32;
1961
1962 while (size_left >= sizeof(*match32)) {
1963 struct ebt_entry_match *match_kern;
1964 int ret;
1965
1966 match_kern = (struct ebt_entry_match *) state->buf_kern_start;
1967 if (match_kern) {
1968 char *tmp;
1969 tmp = state->buf_kern_start + state->buf_kern_offset;
1970 match_kern = (struct ebt_entry_match *) tmp;
1971 }
1972 ret = ebt_buf_add(state, buf, sizeof(*match32));
1973 if (ret < 0)
1974 return ret;
1975 size_left -= sizeof(*match32);
1976
1977 /* add padding before match->data (if any) */
1978 ret = ebt_buf_add_pad(state, ebt_compat_entry_padsize());
1979 if (ret < 0)
1980 return ret;
1981
1982 if (match32->match_size > size_left)
1983 return -EINVAL;
1984
1985 size_left -= match32->match_size;
1986
1987 ret = compat_mtw_from_user(match32, type, state, base);
1988 if (ret < 0)
1989 return ret;
1990
1991 BUG_ON(ret < match32->match_size);
1992 growth += ret - match32->match_size;
1993 growth += ebt_compat_entry_padsize();
1994
1995 buf += sizeof(*match32);
1996 buf += match32->match_size;
1997
1998 if (match_kern)
1999 match_kern->match_size = ret;
2000
2001 WARN_ON(type == EBT_COMPAT_TARGET && size_left);
2002 match32 = (struct compat_ebt_entry_mwt *) buf;
2003 }
2004
2005 return growth;
2006}
2007
2008#define EBT_COMPAT_WATCHER_ITERATE(e, fn, args...) \
2009({ \
2010 unsigned int __i; \
2011 int __ret = 0; \
2012 struct compat_ebt_entry_mwt *__watcher; \
2013 \
2014 for (__i = e->watchers_offset; \
2015 __i < (e)->target_offset; \
2016 __i += __watcher->watcher_size + \
2017 sizeof(struct compat_ebt_entry_mwt)) { \
2018 __watcher = (void *)(e) + __i; \
2019 __ret = fn(__watcher , ## args); \
2020 if (__ret != 0) \
2021 break; \
2022 } \
2023 if (__ret == 0) { \
2024 if (__i != (e)->target_offset) \
2025 __ret = -EINVAL; \
2026 } \
2027 __ret; \
2028})
2029
2030#define EBT_COMPAT_MATCH_ITERATE(e, fn, args...) \
2031({ \
2032 unsigned int __i; \
2033 int __ret = 0; \
2034 struct compat_ebt_entry_mwt *__match; \
2035 \
2036 for (__i = sizeof(struct ebt_entry); \
2037 __i < (e)->watchers_offset; \
2038 __i += __match->match_size + \
2039 sizeof(struct compat_ebt_entry_mwt)) { \
2040 __match = (void *)(e) + __i; \
2041 __ret = fn(__match , ## args); \
2042 if (__ret != 0) \
2043 break; \
2044 } \
2045 if (__ret == 0) { \
2046 if (__i != (e)->watchers_offset) \
2047 __ret = -EINVAL; \
2048 } \
2049 __ret; \
2050})
2051
2052/* called for all ebt_entry structures. */
2053static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
2054 unsigned int *total,
2055 struct ebt_entries_buf_state *state)
2056{
2057 unsigned int i, j, startoff, new_offset = 0;
2058 /* stores match/watchers/targets & offset of next struct ebt_entry: */
2059 unsigned int offsets[4];
2060 unsigned int *offsets_update = NULL;
2061 int ret;
2062 char *buf_start;
2063
2064 if (*total < sizeof(struct ebt_entries))
2065 return -EINVAL;
2066
2067 if (!entry->bitmask) {
2068 *total -= sizeof(struct ebt_entries);
2069 return ebt_buf_add(state, entry, sizeof(struct ebt_entries));
2070 }
2071 if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
2072 return -EINVAL;
2073
2074 startoff = state->buf_user_offset;
2075 /* pull in most part of ebt_entry, it does not need to be changed. */
2076 ret = ebt_buf_add(state, entry,
2077 offsetof(struct ebt_entry, watchers_offset));
2078 if (ret < 0)
2079 return ret;
2080
2081 offsets[0] = sizeof(struct ebt_entry); /* matches come first */
2082 memcpy(&offsets[1], &entry->watchers_offset,
2083 sizeof(offsets) - sizeof(offsets[0]));
2084
2085 if (state->buf_kern_start) {
2086 buf_start = state->buf_kern_start + state->buf_kern_offset;
2087 offsets_update = (unsigned int *) buf_start;
2088 }
2089 ret = ebt_buf_add(state, &offsets[1],
2090 sizeof(offsets) - sizeof(offsets[0]));
2091 if (ret < 0)
2092 return ret;
2093 buf_start = (char *) entry;
2094 /*
2095 * 0: matches offset, always follows ebt_entry.
2096 * 1: watchers offset, from ebt_entry structure
2097 * 2: target offset, from ebt_entry structure
2098 * 3: next ebt_entry offset, from ebt_entry structure
2099 *
2100 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
2101 */
2102 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
2103 struct compat_ebt_entry_mwt *match32;
2104 unsigned int size;
2105 char *buf = buf_start;
2106
2107 buf = buf_start + offsets[i];
2108 if (offsets[i] > offsets[j])
2109 return -EINVAL;
2110
2111 match32 = (struct compat_ebt_entry_mwt *) buf;
2112 size = offsets[j] - offsets[i];
2113 ret = ebt_size_mwt(match32, size, i, state, base);
2114 if (ret < 0)
2115 return ret;
2116 new_offset += ret;
2117 if (offsets_update && new_offset) {
ff67e4e4 2118 pr_debug("change offset %d to %d\n",
81e675c2
FW		 2119 offsets_update[i], offsets[j] + new_offset);
2120 offsets_update[i] = offsets[j] + new_offset;
2121 }
2122 }
2123
2124 startoff = state->buf_user_offset - startoff;
2125
2126 BUG_ON(*total < startoff);
2127 *total -= startoff;
2128 return 0;
2129}
2130
2131/*
2132 * repl->entries_size is the size of the ebt_entry blob in userspace.
2133 * It might need more memory when copied to a 64 bit kernel in case
2134 * userspace is 32-bit. So, first task: find out how much memory is needed.
2135 *
2136 * Called before validation is performed.
2137 */
2138static int compat_copy_entries(unsigned char *data, unsigned int size_user,
2139 struct ebt_entries_buf_state *state)
2140{
2141 unsigned int size_remaining = size_user;
2142 int ret;
2143
2144 ret = EBT_ENTRY_ITERATE(data, size_user, size_entry_mwt, data,
2145 &size_remaining, state);
2146 if (ret < 0)
2147 return ret;
2148
2149 WARN_ON(size_remaining);
2150 return state->buf_kern_offset;
2151}
2152
2153
2154static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
2155 void __user *user, unsigned int len)
2156{
2157 struct compat_ebt_replace tmp;
2158 int i;
2159
2160 if (len < sizeof(tmp))
2161 return -EINVAL;
2162
2163 if (copy_from_user(&tmp, user, sizeof(tmp)))
2164 return -EFAULT;
2165
2166 if (len != sizeof(tmp) + tmp.entries_size)
2167 return -EINVAL;
2168
2169 if (tmp.entries_size == 0)
2170 return -EINVAL;
2171
2172 if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) /
2173 NR_CPUS - SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
2174 return -ENOMEM;
2175 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
2176 return -ENOMEM;
2177
2178 memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
2179
2180 /* starting with hook_entry, 32 vs. 64 bit structures are different */
2181 for (i = 0; i < NF_BR_NUMHOOKS; i++)
2182 repl->hook_entry[i] = compat_ptr(tmp.hook_entry[i]);
2183
2184 repl->num_counters = tmp.num_counters;
2185 repl->counters = compat_ptr(tmp.counters);
2186 repl->entries = compat_ptr(tmp.entries);
2187 return 0;
2188}
2189
2190static int compat_do_replace(struct net *net, void __user *user,
2191 unsigned int len)
2192{
2193 int ret, i, countersize, size64;
2194 struct ebt_table_info *newinfo;
2195 struct ebt_replace tmp;
2196 struct ebt_entries_buf_state state;
2197 void *entries_tmp;
2198
2199 ret = compat_copy_ebt_replace_from_user(&tmp, user, len);
90b89af7
FW		 2200 if (ret) {
2201 /* try real handler in case userland supplied needed padding */
2202 if (ret == -EINVAL && do_replace(net, user, len) == 0)
2203 ret = 0;
81e675c2 2204 return ret;
90b89af7 2205 }
81e675c2
FW		 2206
2207 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
2208 newinfo = vmalloc(sizeof(*newinfo) + countersize);
2209 if (!newinfo)
2210 return -ENOMEM;
2211
2212 if (countersize)
2213 memset(newinfo->counters, 0, countersize);
2214
2215 memset(&state, 0, sizeof(state));
2216
2217 newinfo->entries = vmalloc(tmp.entries_size);
2218 if (!newinfo->entries) {
2219 ret = -ENOMEM;
2220 goto free_newinfo;
2221 }
2222 if (copy_from_user(
2223 newinfo->entries, tmp.entries, tmp.entries_size) != 0) {
2224 ret = -EFAULT;
2225 goto free_entries;
2226 }
2227
2228 entries_tmp = newinfo->entries;
2229
2230 xt_compat_lock(NFPROTO_BRIDGE);
2231
2232 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2233 if (ret < 0)
2234 goto out_unlock;
2235
2236 pr_debug("tmp.entries_size %d, kern off %d, user off %d delta %d\n",
2237 tmp.entries_size, state.buf_kern_offset, state.buf_user_offset,
2238 xt_compat_calc_jump(NFPROTO_BRIDGE, tmp.entries_size));
2239
2240 size64 = ret;
2241 newinfo->entries = vmalloc(size64);
2242 if (!newinfo->entries) {
2243 vfree(entries_tmp);
2244 ret = -ENOMEM;
2245 goto out_unlock;
2246 }
2247
2248 memset(&state, 0, sizeof(state));
2249 state.buf_kern_start = newinfo->entries;
2250 state.buf_kern_len = size64;
2251
2252 ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
2253 BUG_ON(ret < 0); /* parses same data again */
2254
2255 vfree(entries_tmp);
2256 tmp.entries_size = size64;
2257
2258 for (i = 0; i < NF_BR_NUMHOOKS; i++) {
2259 char __user *usrptr;
2260 if (tmp.hook_entry[i]) {
2261 unsigned int delta;
2262 usrptr = (char __user *) tmp.hook_entry[i];
2263 delta = usrptr - tmp.entries;
2264 usrptr += xt_compat_calc_jump(NFPROTO_BRIDGE, delta);
2265 tmp.hook_entry[i] = (struct ebt_entries __user *)usrptr;
2266 }
2267 }
2268
2269 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2270 xt_compat_unlock(NFPROTO_BRIDGE);
2271
2272 ret = do_replace_finish(net, &tmp, newinfo);
2273 if (ret == 0)
2274 return ret;
2275free_entries:
2276 vfree(newinfo->entries);
2277free_newinfo:
2278 vfree(newinfo);
2279 return ret;
2280out_unlock:
2281 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2282 xt_compat_unlock(NFPROTO_BRIDGE);
2283 goto free_entries;
2284}
2285
2286static int compat_update_counters(struct net *net, void __user *user,
2287 unsigned int len)
2288{
2289 struct compat_ebt_replace hlp;
2290
2291 if (copy_from_user(&hlp, user, sizeof(hlp)))
2292 return -EFAULT;
2293
90b89af7 2294 /* try real handler in case userland supplied needed padding */
81e675c2 2295 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
90b89af7 2296 return update_counters(net, user, len);
81e675c2
FW		 2297
2298 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters),
2299 hlp.num_counters, user, len);
2300}
2301
2302static int compat_do_ebt_set_ctl(struct sock *sk,
2303 int cmd, void __user *user, unsigned int len)
2304{
2305 int ret;
2306
2307 if (!capable(CAP_NET_ADMIN))
2308 return -EPERM;
2309
2310 switch (cmd) {
2311 case EBT_SO_SET_ENTRIES:
2312 ret = compat_do_replace(sock_net(sk), user, len);
2313 break;
2314 case EBT_SO_SET_COUNTERS:
2315 ret = compat_update_counters(sock_net(sk), user, len);
2316 break;
2317 default:
2318 ret = -EINVAL;
2319 }
2320 return ret;
2321}
2322
2323static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
2324 void __user *user, int *len)
2325{
2326 int ret;
2327 struct compat_ebt_replace tmp;
2328 struct ebt_table *t;
2329
2330 if (!capable(CAP_NET_ADMIN))
2331 return -EPERM;
2332
90b89af7 2333 /* try real handler in case userland supplied needed padding */
81e675c2
FW		 2334 if ((cmd == EBT_SO_GET_INFO ||
2335 cmd == EBT_SO_GET_INIT_INFO) && *len != sizeof(tmp))
90b89af7 2336 return do_ebt_get_ctl(sk, cmd, user, len);
81e675c2
FW		 2337
2338 if (copy_from_user(&tmp, user, sizeof(tmp)))
2339 return -EFAULT;
2340
2341 t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex);
2342 if (!t)
2343 return ret;
2344
2345 xt_compat_lock(NFPROTO_BRIDGE);
2346 switch (cmd) {
2347 case EBT_SO_GET_INFO:
2348 tmp.nentries = t->private->nentries;
2349 ret = compat_table_info(t->private, &tmp);
2350 if (ret)
2351 goto out;
2352 tmp.valid_hooks = t->valid_hooks;
2353
2354 if (copy_to_user(user, &tmp, *len) != 0) {
2355 ret = -EFAULT;
2356 break;
2357 }
2358 ret = 0;
2359 break;
2360 case EBT_SO_GET_INIT_INFO:
2361 tmp.nentries = t->table->nentries;
2362 tmp.entries_size = t->table->entries_size;
2363 tmp.valid_hooks = t->table->valid_hooks;
2364
2365 if (copy_to_user(user, &tmp, *len) != 0) {
2366 ret = -EFAULT;
2367 break;
2368 }
2369 ret = 0;
2370 break;
2371 case EBT_SO_GET_ENTRIES:
2372 case EBT_SO_GET_INIT_ENTRIES:
90b89af7
FW		 2373 /*
2374 * try real handler first in case of userland-side padding.
2375 * in case we are dealing with an 'ordinary' 32 bit binary
2376 * without 64bit compatibility padding, this will fail right
2377 * after copy_from_user when the *len argument is validated.
2378 *
2379 * the compat_ variant needs to do one pass over the kernel
2380 * data set to adjust for size differences before it the check.
2381 */
2382 if (copy_everything_to_user(t, user, len, cmd) == 0)
2383 ret = 0;
2384 else
2385 ret = compat_copy_everything_to_user(t, user, len, cmd);
81e675c2
FW		 2386 break;
2387 default:
2388 ret = -EINVAL;
2389 }
2390 out:
2391 xt_compat_flush_offsets(NFPROTO_BRIDGE);
2392 xt_compat_unlock(NFPROTO_BRIDGE);
2393 mutex_unlock(&ebt_mutex);
2394 return ret;
2395}
2396#endif
2397
1da177e4 2398static struct nf_sockopt_ops ebt_sockopts =
74ca4e5a
AM		 2399{
2400 .pf = PF_INET,
2401 .set_optmin = EBT_BASE_CTL,
2402 .set_optmax = EBT_SO_SET_MAX + 1,
2403 .set = do_ebt_set_ctl,
81e675c2
FW		 2404#ifdef CONFIG_COMPAT
2405 .compat_set = compat_do_ebt_set_ctl,
2406#endif
74ca4e5a
AM		 2407 .get_optmin = EBT_BASE_CTL,
2408 .get_optmax = EBT_SO_GET_MAX + 1,
2409 .get = do_ebt_get_ctl,
81e675c2
FW		 2410#ifdef CONFIG_COMPAT
2411 .compat_get = compat_do_ebt_get_ctl,
2412#endif
16fcec35 2413 .owner = THIS_MODULE,
1da177e4
LT		 2414};
2415
65b4b4e8 2416static int __init ebtables_init(void)
1da177e4
LT		 2417{
2418 int ret;
2419
043ef46c
JE		 2420 ret = xt_register_target(&ebt_standard_target);
2421 if (ret < 0)
1da177e4 2422 return ret;
043ef46c
JE		 2423 ret = nf_register_sockopt(&ebt_sockopts);
2424 if (ret < 0) {
2425 xt_unregister_target(&ebt_standard_target);
2426 return ret;
2427 }
1da177e4 2428
a887c1c1 2429 printk(KERN_INFO "Ebtables v2.0 registered\n");
1da177e4
LT		 2430 return 0;
2431}
2432
65b4b4e8 2433static void __exit ebtables_fini(void)
1da177e4
LT		 2434{
2435 nf_unregister_sockopt(&ebt_sockopts);
043ef46c 2436 xt_unregister_target(&ebt_standard_target);
a887c1c1 2437 printk(KERN_INFO "Ebtables v2.0 unregistered\n");
1da177e4
LT		 2438}
2439
2440EXPORT_SYMBOL(ebt_register_table);
2441EXPORT_SYMBOL(ebt_unregister_table);
1da177e4 2442EXPORT_SYMBOL(ebt_do_table);
65b4b4e8
AM		 2443module_init(ebtables_init);
2444module_exit(ebtables_fini);
1da177e4 2445MODULE_LICENSE("GPL");
Linux 6.x block layer and io_uring tree(s)